From 8a2d11775ef3bb414fa68f1f99315bc7c8a0bb4f Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 10 Apr 2024 11:57:04 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...b-handle-quirk-to-calculate-payload-.patch | 72 ++++++++ ...-rockchip-fix-rk3328-hdmi-ports-node.patch | 49 +++++ ...-rockchip-fix-rk3399-hdmi-ports-node.patch | 65 +++++++ ...n-dmi-remap-for-rebranded-intel-nuc-.patch | 73 ++++++++ ...skip-dummy-codec-when-adding-platfor.patch | 42 +++++ ...ve-exception-handling-in-batadv_thro.patch | 71 ++++++++ ...n-directly-after-a-failed-batadv_dat.patch | 55 ++++++ ...-division-by-zero-in-blk_rq_stat_sum.patch | 40 +++++ ...l-fix-null-ptr-deref-in-btintel_read.patch | 36 ++++ ...btmtk-add-module_firmware-for-mt7922.patch | 53 ++++++ ...ware-version-string-character-counts.patch | 137 ++++++++++++++ ...dle-invalid-inode-or-root-reference-.patch | 48 +++++ ...nk-tree-lookup-error-in-btrfs_reloca.patch | 56 ++++++ ...e-path-ref-underflow-in-header-itera.patch | 43 +++++ ...i-host-add-mhi_pm_sys_err_fail-state.patch | 157 ++++++++++++++++ ...register-cpufreq-cooling-on-cpu-hotp.patch | 94 ++++++++++ ...tential-overflow-in-integer-multipli.patch | 57 ++++++ ...k-pages-on-dma_set_decrypted-failure.patch | 67 +++++++ ...nvme-add-quirks-for-device-126f-2262.patch | 52 ++++++ ...ix-potential-ioremap-memory-leaks-in.patch | 91 ++++++++++ ...md-display-fix-nanosec-stat-overflow.patch | 45 +++++ ...ation-quirks-add-quirk-for-gpd-win-m.patch | 52 ++++++ ...n-t-check-if-plane-state-fb-state-fb.patch | 105 +++++++++++ ...for-block-bitmap-corrupt-state-in-mb.patch | 44 +++++ ...it-inconsistent-quota-data-when-erro.patch | 70 ++++++++ ...-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch | 47 +++++ ...vision-by-zero-in-fb_videomode_from_.patch | 51 ++++++ ...pmp-return-directly-after-a-failed-k.patch | 44 +++++ ...-vsi-index-for-vfs-instead-of-pf-vsi.patch | 104 +++++++++++ ...eycode-for-display-refresh-rate-togg.patch | 43 +++++ ...magis-use-field_get-where-applicable.patch | 87 +++++++++ ...rmi4-fail-probing-if-memory-allocati.patch | 42 +++++ ...n-imagis-correct-the-maximum-touch-a.patch | 37 ++++ ...pcode-specific-data-for-an-early-fai.patch | 105 +++++++++++ queue-6.1/ionic-set-adminq-irq-affinity.patch | 43 +++++ ...-with-bad-root-inode-but-good-joliet.patch | 60 +++++++ ...orted-this-null-pointer-dereference-.patch | 32 ++++ ...donly-1-for-make_warnings_file-test-.patch | 41 +++++ ...rf-evlist-avoid-out-of-bounds-access.patch | 126 +++++++++++++ .../media-sta2x11-fix-irq-handler-cast.patch | 62 +++++++ ...eturn-einval-in-the-internal-methods.patch | 51 ++++++ ...verflow-debug-check-to-pull-push-hel.patch | 87 +++++++++ ...tnl-pressure-in-smc_pnet_create_pnet.patch | 96 ++++++++++ ...les-discard-table-flag-update-with-p.patch | 63 +++++++ ...les-release-batch-on-table-validatio.patch | 84 +++++++++ ...les-release-mutex-after-nft_gc_seq_e.patch | 62 +++++++ ...c-flush-kernel-log-buffer-at-the-end.patch | 50 ++++++ ...lbr-discard-erroneous-branch-entries.patch | 49 +++++ ...checker-limit-cfg-reg-enum-checks-to.patch | 49 +++++ ...chscreen_dmi-add-an-extra-entry-for-.patch | 45 +++++ ...a-null-pointer-check-to-the-psz_kmsg.patch | 37 ++++ ...air-rcu-tasks-trace-quiescence-check.patch | 46 +++++ ...cm-add-timeout-to-cm_destroy_id-wait.patch | 102 +++++++++++ ...lock-asus-b1400ceae-from-suspend-to-.patch | 58 ++++++ ...read_once-to-read-cpu_buffer-commit_.patch | 42 +++++ ...ssible-memory-leak-in-lpfc_rcv_padis.patch | 45 +++++ queue-6.1/series | 71 ++++++++ ...size-of-rpc_wait_queue.qlen-from-uns.patch | 87 +++++++++ ...all-sb_bread-with-pointers_lock-held.patch | 94 ++++++++++ ...e-polling-delay-passive-0-when-absen.patch | 56 ++++++ ...-the-domain-powered-when-usb4-port-i.patch | 167 ++++++++++++++++++ ...eplace-seekdir-in-iio_generic_buffer.patch | 45 +++++ ...energy_perf_policy-fix-file-leak-in-.patch | 35 ++++ ...ark-incomplete-frames-with-uvc_strea.patch | 39 ++++ ...ly-defined-function-checkdone-if-qui.patch | 47 +++++ ...add-generic-tcpci-fallback-compatibl.patch | 36 ++++ ...run-time-warning-in-dg_dispatch_as_h.patch | 80 +++++++++ ...ease-mhi-channel-buffer-length-to-8k.patch | 92 ++++++++++ ...ix-lna-selection-in-ath_ant_try_scan.patch | 43 +++++ ...d-dmi-nvram-filename-quirk-for-acepc.patch | 50 ++++++ ...e-add-the-pci-device-id-for-new-hard.patch | 36 ++++ ...nlarge-rx-dma-buffer-to-consider-siz.patch | 40 +++++ 72 files changed, 4582 insertions(+) create mode 100644 queue-6.1/alsa-firewire-lib-handle-quirk-to-calculate-payload-.patch create mode 100644 queue-6.1/arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch create mode 100644 queue-6.1/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch create mode 100644 queue-6.1/asoc-intel-common-dmi-remap-for-rebranded-intel-nuc-.patch create mode 100644 queue-6.1/asoc-soc-core.c-skip-dummy-codec-when-adding-platfor.patch create mode 100644 queue-6.1/batman-adv-improve-exception-handling-in-batadv_thro.patch create mode 100644 queue-6.1/batman-adv-return-directly-after-a-failed-batadv_dat.patch create mode 100644 queue-6.1/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch create mode 100644 queue-6.1/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch create mode 100644 queue-6.1/bluetooth-btmtk-add-module_firmware-for-mt7922.patch create mode 100644 queue-6.1/bnx2x-fix-firmware-version-string-character-counts.patch create mode 100644 queue-6.1/btrfs-export-handle-invalid-inode-or-root-reference-.patch create mode 100644 queue-6.1/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch create mode 100644 queue-6.1/btrfs-send-handle-path-ref-underflow-in-header-itera.patch create mode 100644 queue-6.1/bus-mhi-host-add-mhi_pm_sys_err_fail-state.patch create mode 100644 queue-6.1/cpufreq-don-t-unregister-cpufreq-cooling-on-cpu-hotp.patch create mode 100644 queue-6.1/cpuidle-avoid-potential-overflow-in-integer-multipli.patch create mode 100644 queue-6.1/dma-direct-leak-pages-on-dma_set_decrypted-failure.patch create mode 100644 queue-6.1/drivers-nvme-add-quirks-for-device-126f-2262.patch create mode 100644 queue-6.1/drm-amd-amdgpu-fix-potential-ioremap-memory-leaks-in.patch create mode 100644 queue-6.1/drm-amd-display-fix-nanosec-stat-overflow.patch create mode 100644 queue-6.1/drm-panel-orientation-quirks-add-quirk-for-gpd-win-m.patch create mode 100644 queue-6.1/drm-vc4-don-t-check-if-plane-state-fb-state-fb.patch create mode 100644 queue-6.1/ext4-add-a-hint-for-block-bitmap-corrupt-state-in-mb.patch create mode 100644 queue-6.1/ext4-forbid-commit-inconsistent-quota-data-when-erro.patch create mode 100644 queue-6.1/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch create mode 100644 queue-6.1/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch create mode 100644 queue-6.1/firmware-tegra-bpmp-return-directly-after-a-failed-k.patch create mode 100644 queue-6.1/ice-use-relative-vsi-index-for-vfs-instead-of-pf-vsi.patch create mode 100644 queue-6.1/input-allocate-keycode-for-display-refresh-rate-togg.patch create mode 100644 queue-6.1/input-imagis-use-field_get-where-applicable.patch create mode 100644 queue-6.1/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch create mode 100644 queue-6.1/input-touchscreen-imagis-correct-the-maximum-touch-a.patch create mode 100644 queue-6.1/io_uring-clear-opcode-specific-data-for-an-early-fai.patch create mode 100644 queue-6.1/ionic-set-adminq-irq-affinity.patch create mode 100644 queue-6.1/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch create mode 100644 queue-6.1/julia-lawall-reported-this-null-pointer-dereference-.patch create mode 100644 queue-6.1/ktest-force-buildonly-1-for-make_warnings_file-test-.patch create mode 100644 queue-6.1/libperf-evlist-avoid-out-of-bounds-access.patch create mode 100644 queue-6.1/media-sta2x11-fix-irq-handler-cast.patch create mode 100644 queue-6.1/net-pcs-xpcs-return-einval-in-the-internal-methods.patch create mode 100644 queue-6.1/net-skbuff-add-overflow-debug-check-to-pull-push-hel.patch create mode 100644 queue-6.1/net-smc-reduce-rtnl-pressure-in-smc_pnet_create_pnet.patch create mode 100644 queue-6.1/netfilter-nf_tables-discard-table-flag-update-with-p.patch create mode 100644 queue-6.1/netfilter-nf_tables-release-batch-on-table-validatio.patch create mode 100644 queue-6.1/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch create mode 100644 queue-6.1/panic-flush-kernel-log-buffer-at-the-end.patch create mode 100644 queue-6.1/perf-x86-amd-lbr-discard-erroneous-branch-entries.patch create mode 100644 queue-6.1/pinctrl-renesas-checker-limit-cfg-reg-enum-checks-to.patch create mode 100644 queue-6.1/platform-x86-touchscreen_dmi-add-an-extra-entry-for-.patch create mode 100644 queue-6.1/pstore-zone-add-a-null-pointer-check-to-the-psz_kmsg.patch create mode 100644 queue-6.1/rcu-tasks-repair-rcu-tasks-trace-quiescence-check.patch create mode 100644 queue-6.1/rdma-cm-add-timeout-to-cm_destroy_id-wait.patch create mode 100644 queue-6.1/revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch create mode 100644 queue-6.1/ring-buffer-use-read_once-to-read-cpu_buffer-commit_.patch create mode 100644 queue-6.1/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch create mode 100644 queue-6.1/series create mode 100644 queue-6.1/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch create mode 100644 queue-6.1/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch create mode 100644 queue-6.1/thermal-of-assume-polling-delay-passive-0-when-absen.patch create mode 100644 queue-6.1/thunderbolt-keep-the-domain-powered-when-usb4-port-i.patch create mode 100644 queue-6.1/tools-iio-replace-seekdir-in-iio_generic_buffer.patch create mode 100644 queue-6.1/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch create mode 100644 queue-6.1/usb-gadget-uvc-mark-incomplete-frames-with-uvc_strea.patch create mode 100644 queue-6.1/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch create mode 100644 queue-6.1/usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch create mode 100644 queue-6.1/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch create mode 100644 queue-6.1/wifi-ath11k-decrease-mhi-channel-buffer-length-to-8k.patch create mode 100644 queue-6.1/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch create mode 100644 queue-6.1/wifi-brcmfmac-add-dmi-nvram-filename-quirk-for-acepc.patch create mode 100644 queue-6.1/wifi-iwlwifi-pcie-add-the-pci-device-id-for-new-hard.patch create mode 100644 queue-6.1/wifi-rtw89-pci-enlarge-rx-dma-buffer-to-consider-siz.patch diff --git a/queue-6.1/alsa-firewire-lib-handle-quirk-to-calculate-payload-.patch b/queue-6.1/alsa-firewire-lib-handle-quirk-to-calculate-payload-.patch new file mode 100644 index 0000000000..744fbe7dca --- /dev/null +++ b/queue-6.1/alsa-firewire-lib-handle-quirk-to-calculate-payload-.patch @@ -0,0 +1,72 @@ +From a57707c91e84db36f4a2dbb6cd82e9a5c73a8b0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Feb 2024 16:41:27 +0900 +Subject: ALSA: firewire-lib: handle quirk to calculate payload quadlets as + data block counter + +From: Takashi Sakamoto + +[ Upstream commit 4a486439d2ca85752c46711f373b6ddc107bb35d ] + +Miglia Harmony Audio (OXFW970) has a quirk to put the number of +accumulated quadlets in CIP payload into the dbc field of CIP header. + +This commit handles the quirk in the packet processing layer. + +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20240218074128.95210-4-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/amdtp-stream.c | 12 ++++++++---- + sound/firewire/amdtp-stream.h | 4 ++++ + 2 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/sound/firewire/amdtp-stream.c b/sound/firewire/amdtp-stream.c +index f8b644cb9157a..8753125683692 100644 +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -771,10 +771,14 @@ static int check_cip_header(struct amdtp_stream *s, const __be32 *buf, + } else { + unsigned int dbc_interval; + +- if (*data_blocks > 0 && s->ctx_data.tx.dbc_interval > 0) +- dbc_interval = s->ctx_data.tx.dbc_interval; +- else +- dbc_interval = *data_blocks; ++ if (!(s->flags & CIP_DBC_IS_PAYLOAD_QUADLETS)) { ++ if (*data_blocks > 0 && s->ctx_data.tx.dbc_interval > 0) ++ dbc_interval = s->ctx_data.tx.dbc_interval; ++ else ++ dbc_interval = *data_blocks; ++ } else { ++ dbc_interval = payload_length / sizeof(__be32); ++ } + + lost = dbc != ((*data_block_counter + dbc_interval) & 0xff); + } +diff --git a/sound/firewire/amdtp-stream.h b/sound/firewire/amdtp-stream.h +index 1f957c946c956..cf9ab347277f2 100644 +--- a/sound/firewire/amdtp-stream.h ++++ b/sound/firewire/amdtp-stream.h +@@ -37,6 +37,9 @@ + * the value of current SYT_INTERVAL; e.g. initial value is not zero. + * @CIP_UNAWARE_SYT: For outgoing packet, the value in SYT field of CIP is 0xffff. + * For incoming packet, the value in SYT field of CIP is not handled. ++ * @CIP_DBC_IS_PAYLOAD_QUADLETS: Available for incoming packet, and only effective with ++ * CIP_DBC_IS_END_EVENT flag. The value of dbc field is the number of accumulated quadlets ++ * in CIP payload, instead of the number of accumulated data blocks. + */ + enum cip_flags { + CIP_NONBLOCKING = 0x00, +@@ -51,6 +54,7 @@ enum cip_flags { + CIP_NO_HEADER = 0x100, + CIP_UNALIGHED_DBC = 0x200, + CIP_UNAWARE_SYT = 0x400, ++ CIP_DBC_IS_PAYLOAD_QUADLETS = 0x800, + }; + + /** +-- +2.43.0 + diff --git a/queue-6.1/arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch b/queue-6.1/arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch new file mode 100644 index 0000000000..ee8be2d809 --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch @@ -0,0 +1,49 @@ +From 004c762b9032fb9e9ad5d565c7005442ef5bfc00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 22:17:08 +0100 +Subject: arm64: dts: rockchip: fix rk3328 hdmi ports node + +From: Johan Jonker + +[ Upstream commit 1d00ba4700d1e0f88ae70d028d2e17e39078fa1c ] + +Fix rk3328 hdmi ports node so that it matches the +rockchip,dw-hdmi.yaml binding. + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/e5dea3b7-bf84-4474-9530-cc2da3c41104@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3328.dtsi | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +index 905a50aa5dc38..d42846efff2fe 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +@@ -741,11 +741,20 @@ hdmi: hdmi@ff3c0000 { + status = "disabled"; + + ports { +- hdmi_in: port { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ hdmi_in: port@0 { ++ reg = <0>; ++ + hdmi_in_vop: endpoint { + remote-endpoint = <&vop_out_hdmi>; + }; + }; ++ ++ hdmi_out: port@1 { ++ reg = <1>; ++ }; + }; + }; + +-- +2.43.0 + diff --git a/queue-6.1/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch b/queue-6.1/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch new file mode 100644 index 0000000000..c87a06119d --- /dev/null +++ b/queue-6.1/arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch @@ -0,0 +1,65 @@ +From 05a51f0a79eb4fd03e99cc06f6f2fce74d73f3fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 22:17:31 +0100 +Subject: arm64: dts: rockchip: fix rk3399 hdmi ports node + +From: Johan Jonker + +[ Upstream commit f051b6ace7ffcc48d6d1017191f167c0a85799f6 ] + +Fix rk3399 hdmi ports node so that it matches the +rockchip,dw-hdmi.yaml binding. + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/a6ab6f75-3b80-40b1-bd30-3113e14becdd@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +index a7e6eccb14cc6..8363cc13ec517 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi +@@ -1906,6 +1906,7 @@ simple-audio-card,codec { + hdmi: hdmi@ff940000 { + compatible = "rockchip,rk3399-dw-hdmi"; + reg = <0x0 0xff940000 0x0 0x20000>; ++ reg-io-width = <4>; + interrupts = ; + clocks = <&cru PCLK_HDMI_CTRL>, + <&cru SCLK_HDMI_SFR>, +@@ -1914,13 +1915,16 @@ hdmi: hdmi@ff940000 { + <&cru PLL_VPLL>; + clock-names = "iahb", "isfr", "cec", "grf", "ref"; + power-domains = <&power RK3399_PD_HDCP>; +- reg-io-width = <4>; + rockchip,grf = <&grf>; + #sound-dai-cells = <0>; + status = "disabled"; + + ports { +- hdmi_in: port { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ hdmi_in: port@0 { ++ reg = <0>; + #address-cells = <1>; + #size-cells = <0>; + +@@ -1933,6 +1937,10 @@ hdmi_in_vopl: endpoint@1 { + remote-endpoint = <&vopl_out_hdmi>; + }; + }; ++ ++ hdmi_out: port@1 { ++ reg = <1>; ++ }; + }; + }; + +-- +2.43.0 + diff --git a/queue-6.1/asoc-intel-common-dmi-remap-for-rebranded-intel-nuc-.patch b/queue-6.1/asoc-intel-common-dmi-remap-for-rebranded-intel-nuc-.patch new file mode 100644 index 0000000000..fb4dd07e47 --- /dev/null +++ b/queue-6.1/asoc-intel-common-dmi-remap-for-rebranded-intel-nuc-.patch @@ -0,0 +1,73 @@ +From 8679fe9bcaab91b65ab4e7fb9ee5875f0e3afb5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Feb 2024 10:55:40 -0600 +Subject: ASoC: Intel: common: DMI remap for rebranded Intel NUC M15 (LAPRC710) + laptops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: mosomate + +[ Upstream commit c13e03126a5be90781084437689724254c8226e1 ] + +Added DMI quirk to handle the rebranded variants of Intel NUC M15 +(LAPRC710) laptops. The DMI matching is based on motherboard +attributes. + +Link: https://github.com/thesofproject/linux/issues/4218 +Signed-off-by: Máté Mosonyi +Reviewed-by: Bard Liao +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20240208165545.93811-20-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/soundwire/dmi-quirks.c | 8 ++++++++ + sound/soc/intel/boards/sof_sdw.c | 11 +++++++++++ + 2 files changed, 19 insertions(+) + +diff --git a/drivers/soundwire/dmi-quirks.c b/drivers/soundwire/dmi-quirks.c +index 9ebdd0cd0b1cf..91ab97a456fa9 100644 +--- a/drivers/soundwire/dmi-quirks.c ++++ b/drivers/soundwire/dmi-quirks.c +@@ -130,6 +130,14 @@ static const struct dmi_system_id adr_remap_quirk_table[] = { + }, + .driver_data = (void *)intel_rooks_county, + }, ++ { ++ /* quirk used for NUC15 LAPRC710 skew */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_BOARD_NAME, "LAPRC710"), ++ }, ++ .driver_data = (void *)intel_rooks_county, ++ }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc"), +diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c +index 985012f2003e2..d1e6e4208c376 100644 +--- a/sound/soc/intel/boards/sof_sdw.c ++++ b/sound/soc/intel/boards/sof_sdw.c +@@ -224,6 +224,17 @@ static const struct dmi_system_id sof_sdw_quirk_table[] = { + SOF_SDW_PCH_DMIC | + RT711_JD2_100K), + }, ++ { ++ /* NUC15 LAPRC710 skews */ ++ .callback = sof_sdw_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_BOARD_NAME, "LAPRC710"), ++ }, ++ .driver_data = (void *)(SOF_SDW_TGL_HDMI | ++ SOF_SDW_PCH_DMIC | ++ RT711_JD2_100K), ++ }, + /* TigerLake-SDCA devices */ + { + .callback = sof_sdw_quirk_cb, +-- +2.43.0 + diff --git a/queue-6.1/asoc-soc-core.c-skip-dummy-codec-when-adding-platfor.patch b/queue-6.1/asoc-soc-core.c-skip-dummy-codec-when-adding-platfor.patch new file mode 100644 index 0000000000..8ede412298 --- /dev/null +++ b/queue-6.1/asoc-soc-core.c-skip-dummy-codec-when-adding-platfor.patch @@ -0,0 +1,42 @@ +From 3a014b9ff4098911ac1a2b0aae31cc4ae75e2de9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 15:56:06 +0900 +Subject: ASoC: soc-core.c: Skip dummy codec when adding platforms + +From: Chancel Liu + +[ Upstream commit 23fb6bc2696119391ec3a92ccaffe50e567c515e ] + +When pcm_runtime is adding platform components it will scan all +registered components. In case of DPCM FE/BE some DAI links will +configure dummy platform. However both dummy codec and dummy platform +are using "snd-soc-dummy" as component->name. Dummy codec should be +skipped when adding platforms otherwise there'll be overflow and UBSAN +complains. + +Reported-by: Zhipeng Wang +Signed-off-by: Chancel Liu +Link: https://msgid.link/r/20240305065606.3778642-1-chancel.liu@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index a409fbed8f34c..6a4101dc15a54 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1020,6 +1020,9 @@ int snd_soc_add_pcm_runtime(struct snd_soc_card *card, + if (!snd_soc_is_matching_component(platform, component)) + continue; + ++ if (snd_soc_component_is_dummy(component) && component->num_dai) ++ continue; ++ + snd_soc_rtd_add_component(rtd, component); + } + } +-- +2.43.0 + diff --git a/queue-6.1/batman-adv-improve-exception-handling-in-batadv_thro.patch b/queue-6.1/batman-adv-improve-exception-handling-in-batadv_thro.patch new file mode 100644 index 0000000000..b80437cf6c --- /dev/null +++ b/queue-6.1/batman-adv-improve-exception-handling-in-batadv_thro.patch @@ -0,0 +1,71 @@ +From 554f5e367b3e57d59cf35c2683f15cf333ffb499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jan 2024 07:52:21 +0100 +Subject: batman-adv: Improve exception handling in batadv_throw_uevent() + +From: Markus Elfring + +[ Upstream commit 5593e9abf1cf2bf096366d8c7fd933bc69d561ce ] + +The kfree() function was called in up to three cases by +the batadv_throw_uevent() function during error handling +even if the passed variable contained a null pointer. +This issue was detected by using the Coccinelle software. + +* Thus adjust jump targets. + +* Reorder kfree() calls at the end. + +Signed-off-by: Markus Elfring +Acked-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/main.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c +index e8a4499155667..100e43f5e85aa 100644 +--- a/net/batman-adv/main.c ++++ b/net/batman-adv/main.c +@@ -688,29 +688,31 @@ int batadv_throw_uevent(struct batadv_priv *bat_priv, enum batadv_uev_type type, + "%s%s", BATADV_UEV_TYPE_VAR, + batadv_uev_type_str[type]); + if (!uevent_env[0]) +- goto out; ++ goto report_error; + + uevent_env[1] = kasprintf(GFP_ATOMIC, + "%s%s", BATADV_UEV_ACTION_VAR, + batadv_uev_action_str[action]); + if (!uevent_env[1]) +- goto out; ++ goto free_first_env; + + /* If the event is DEL, ignore the data field */ + if (action != BATADV_UEV_DEL) { + uevent_env[2] = kasprintf(GFP_ATOMIC, + "%s%s", BATADV_UEV_DATA_VAR, data); + if (!uevent_env[2]) +- goto out; ++ goto free_second_env; + } + + ret = kobject_uevent_env(bat_kobj, KOBJ_CHANGE, uevent_env); +-out: +- kfree(uevent_env[0]); +- kfree(uevent_env[1]); + kfree(uevent_env[2]); ++free_second_env: ++ kfree(uevent_env[1]); ++free_first_env: ++ kfree(uevent_env[0]); + + if (ret) ++report_error: + batadv_dbg(BATADV_DBG_BATMAN, bat_priv, + "Impossible to send uevent for (%s,%s,%s) event (err: %d)\n", + batadv_uev_type_str[type], +-- +2.43.0 + diff --git a/queue-6.1/batman-adv-return-directly-after-a-failed-batadv_dat.patch b/queue-6.1/batman-adv-return-directly-after-a-failed-batadv_dat.patch new file mode 100644 index 0000000000..4453dec753 --- /dev/null +++ b/queue-6.1/batman-adv-return-directly-after-a-failed-batadv_dat.patch @@ -0,0 +1,55 @@ +From f99d284ea3834e000ae1a7bacdae73e1ac9334e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jan 2024 07:27:45 +0100 +Subject: batman-adv: Return directly after a failed + batadv_dat_select_candidates() in batadv_dat_forward_data() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit ffc15626c861f811f9778914be004fcf43810a91 ] + +The kfree() function was called in one case by +the batadv_dat_forward_data() function during error handling +even if the passed variable contained a null pointer. +This issue was detected by using the Coccinelle software. + +* Thus return directly after a batadv_dat_select_candidates() call failed + at the beginning. + +* Delete the label “out” which became unnecessary with this refactoring. + +Signed-off-by: Markus Elfring +Acked-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/distributed-arp-table.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c +index a0233252032dc..521d4952eb515 100644 +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -684,7 +684,7 @@ static bool batadv_dat_forward_data(struct batadv_priv *bat_priv, + + cand = batadv_dat_select_candidates(bat_priv, ip, vid); + if (!cand) +- goto out; ++ return ret; + + batadv_dbg(BATADV_DBG_DAT, bat_priv, "DHT_SEND for %pI4\n", &ip); + +@@ -728,7 +728,6 @@ static bool batadv_dat_forward_data(struct batadv_priv *bat_priv, + batadv_orig_node_put(cand[i].orig_node); + } + +-out: + kfree(cand); + return ret; + } +-- +2.43.0 + diff --git a/queue-6.1/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch b/queue-6.1/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch new file mode 100644 index 0000000000..8f503be72d --- /dev/null +++ b/queue-6.1/block-prevent-division-by-zero-in-blk_rq_stat_sum.patch @@ -0,0 +1,40 @@ +From 052297b239cfaea825361dd4d0156f579434e79c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 16:45:09 +0300 +Subject: block: prevent division by zero in blk_rq_stat_sum() + +From: Roman Smirnov + +[ Upstream commit 93f52fbeaf4b676b21acfe42a5152620e6770d02 ] + +The expression dst->nr_samples + src->nr_samples may +have zero value on overflow. It is necessary to add +a check to avoid division by zero. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Signed-off-by: Roman Smirnov +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20240305134509.23108-1-r.smirnov@omp.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-stat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-stat.c b/block/blk-stat.c +index da9407b7d4abf..41be89ecaf20e 100644 +--- a/block/blk-stat.c ++++ b/block/blk-stat.c +@@ -28,7 +28,7 @@ void blk_rq_stat_init(struct blk_rq_stat *stat) + /* src is a per-cpu stat, mean isn't initialized */ + void blk_rq_stat_sum(struct blk_rq_stat *dst, struct blk_rq_stat *src) + { +- if (!src->nr_samples) ++ if (dst->nr_samples + src->nr_samples <= dst->nr_samples) + return; + + dst->min = min(dst->min, src->min); +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch b/queue-6.1/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch new file mode 100644 index 0000000000..41c3e7e81e --- /dev/null +++ b/queue-6.1/bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch @@ -0,0 +1,36 @@ +From 76b84cfc40f02eccc56938a5209053439056c22c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 12:40:34 +0800 +Subject: Bluetooth: btintel: Fix null ptr deref in btintel_read_version + +From: Edward Adam Davis + +[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ] + +If hci_cmd_sync_complete() is triggered and skb is NULL, then +hdev->req_skb is NULL, which will cause this issue. + +Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btintel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c +index bbad1207cdfd8..c77c06b84d86c 100644 +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -405,7 +405,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver) + struct sk_buff *skb; + + skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT); +- if (IS_ERR(skb)) { ++ if (IS_ERR_OR_NULL(skb)) { + bt_dev_err(hdev, "Reading Intel version information failed (%ld)", + PTR_ERR(skb)); + return PTR_ERR(skb); +-- +2.43.0 + diff --git a/queue-6.1/bluetooth-btmtk-add-module_firmware-for-mt7922.patch b/queue-6.1/bluetooth-btmtk-add-module_firmware-for-mt7922.patch new file mode 100644 index 0000000000..f2f6569088 --- /dev/null +++ b/queue-6.1/bluetooth-btmtk-add-module_firmware-for-mt7922.patch @@ -0,0 +1,53 @@ +From 6c17d2308d5540a71fa84b8e244cc5ada7b1d1a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Feb 2024 11:29:14 +0100 +Subject: Bluetooth: btmtk: Add MODULE_FIRMWARE() for MT7922 + +From: Takashi Iwai + +[ Upstream commit 3e465a07cdf444140f16bc57025c23fcafdde997 ] + +Since dracut refers to the module info for defining the required +firmware files and btmtk driver doesn't provide the firmware info for +MT7922, the generate initrd misses the firmware, resulting in the +broken Bluetooth. + +This patch simply adds the MODULE_FIRMWARE() for the missing entry +for covering that. + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1214133 +Signed-off-by: Takashi Iwai +Reviewed-by: Paul Menzel +Reviewed-by: Matthias Brugger +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtk.c | 1 + + drivers/bluetooth/btmtk.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c +index 809762d64fc65..b77e337778a44 100644 +--- a/drivers/bluetooth/btmtk.c ++++ b/drivers/bluetooth/btmtk.c +@@ -288,4 +288,5 @@ MODULE_LICENSE("GPL"); + MODULE_FIRMWARE(FIRMWARE_MT7622); + MODULE_FIRMWARE(FIRMWARE_MT7663); + MODULE_FIRMWARE(FIRMWARE_MT7668); ++MODULE_FIRMWARE(FIRMWARE_MT7922); + MODULE_FIRMWARE(FIRMWARE_MT7961); +diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h +index 2a88ea8e475e8..ee0b1d27aa5c0 100644 +--- a/drivers/bluetooth/btmtk.h ++++ b/drivers/bluetooth/btmtk.h +@@ -4,6 +4,7 @@ + #define FIRMWARE_MT7622 "mediatek/mt7622pr2h.bin" + #define FIRMWARE_MT7663 "mediatek/mt7663pr2h.bin" + #define FIRMWARE_MT7668 "mediatek/mt7668pr2h.bin" ++#define FIRMWARE_MT7922 "mediatek/BT_RAM_CODE_MT7922_1_1_hdr.bin" + #define FIRMWARE_MT7961 "mediatek/BT_RAM_CODE_MT7961_1_2_hdr.bin" + + #define HCI_EV_WMT 0xe4 +-- +2.43.0 + diff --git a/queue-6.1/bnx2x-fix-firmware-version-string-character-counts.patch b/queue-6.1/bnx2x-fix-firmware-version-string-character-counts.patch new file mode 100644 index 0000000000..da7c8d4196 --- /dev/null +++ b/queue-6.1/bnx2x-fix-firmware-version-string-character-counts.patch @@ -0,0 +1,137 @@ +From 1df3a8c6a9caaab3243f02d7d90c73d5e32c471d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 20:10:48 -0800 +Subject: bnx2x: Fix firmware version string character counts + +From: Kees Cook + +[ Upstream commit 5642c82b9463c3263c086efb002516244bd4c668 ] + +A potential string truncation was reported in bnx2x_fill_fw_str(), +when a long bp->fw_ver and a long phy_fw_ver might coexist, but seems +unlikely with real-world hardware. + +Use scnprintf() to indicate the intent that truncations are tolerated. + +While reading this code, I found a collection of various buffer size +counting issues. None looked like they might lead to a buffer overflow +with current code (the small buffers are 20 bytes and might only ever +consume 10 bytes twice with a trailing %NUL). However, early truncation +(due to a %NUL in the middle of the string) might be happening under +likely rare conditions. Regardless fix the formatters and related +functions: + +- Switch from a separate strscpy() to just adding an additional "%s" to + the format string that immediately follows it in bnx2x_fill_fw_str(). +- Use sizeof() universally instead of using unbound defines. +- Fix bnx2x_7101_format_ver() and bnx2x_null_format_ver() to report the + number of characters written, not including the trailing %NUL (as + already done with the other firmware formatting functions). +- Require space for at least 1 byte in bnx2x_get_ext_phy_fw_version() + for the trailing %NUL. +- Correct the needed buffer size in bnx2x_3_seq_format_ver(). + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202401260858.jZN6vD1k-lkp@intel.com/ +Cc: Ariel Elior +Cc: Sudarsana Kalluru +Cc: Manish Chopra +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20240126041044.work.220-kees@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 9 +++++---- + .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 +- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 14 +++++++------- + 3 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index 4950fde82d175..b04c5b51eb598 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -147,10 +147,11 @@ void bnx2x_fill_fw_str(struct bnx2x *bp, char *buf, size_t buf_len) + + phy_fw_ver[0] = '\0'; + bnx2x_get_ext_phy_fw_version(&bp->link_params, +- phy_fw_ver, PHY_FW_VER_LEN); +- strscpy(buf, bp->fw_ver, buf_len); +- snprintf(buf + strlen(bp->fw_ver), 32 - strlen(bp->fw_ver), +- "bc %d.%d.%d%s%s", ++ phy_fw_ver, sizeof(phy_fw_ver)); ++ /* This may become truncated. */ ++ scnprintf(buf, buf_len, ++ "%sbc %d.%d.%d%s%s", ++ bp->fw_ver, + (bp->common.bc_ver & 0xff0000) >> 16, + (bp->common.bc_ver & 0xff00) >> 8, + (bp->common.bc_ver & 0xff), +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +index bda3ccc28eca6..f920976c36f0c 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +@@ -1132,7 +1132,7 @@ static void bnx2x_get_drvinfo(struct net_device *dev, + } + + memset(version, 0, sizeof(version)); +- bnx2x_fill_fw_str(bp, version, ETHTOOL_FWVERS_LEN); ++ bnx2x_fill_fw_str(bp, version, sizeof(version)); + strlcat(info->fw_version, version, sizeof(info->fw_version)); + + strscpy(info->bus_info, pci_name(bp->pdev), sizeof(info->bus_info)); +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c +index 02808513ffe45..ea310057fe3af 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c +@@ -6163,8 +6163,8 @@ static void bnx2x_link_int_ack(struct link_params *params, + + static int bnx2x_null_format_ver(u32 spirom_ver, u8 *str, u16 *len) + { +- str[0] = '\0'; +- (*len)--; ++ if (*len) ++ str[0] = '\0'; + return 0; + } + +@@ -6173,7 +6173,7 @@ static int bnx2x_format_ver(u32 num, u8 *str, u16 *len) + u16 ret; + + if (*len < 10) { +- /* Need more than 10chars for this format */ ++ /* Need more than 10 chars for this format */ + bnx2x_null_format_ver(num, str, len); + return -EINVAL; + } +@@ -6188,8 +6188,8 @@ static int bnx2x_3_seq_format_ver(u32 num, u8 *str, u16 *len) + { + u16 ret; + +- if (*len < 10) { +- /* Need more than 10chars for this format */ ++ if (*len < 9) { ++ /* Need more than 9 chars for this format */ + bnx2x_null_format_ver(num, str, len); + return -EINVAL; + } +@@ -6208,7 +6208,7 @@ int bnx2x_get_ext_phy_fw_version(struct link_params *params, u8 *version, + int status = 0; + u8 *ver_p = version; + u16 remain_len = len; +- if (version == NULL || params == NULL) ++ if (version == NULL || params == NULL || len == 0) + return -EINVAL; + bp = params->bp; + +@@ -11546,7 +11546,7 @@ static int bnx2x_7101_format_ver(u32 spirom_ver, u8 *str, u16 *len) + str[2] = (spirom_ver & 0xFF0000) >> 16; + str[3] = (spirom_ver & 0xFF000000) >> 24; + str[4] = '\0'; +- *len -= 5; ++ *len -= 4; + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/btrfs-export-handle-invalid-inode-or-root-reference-.patch b/queue-6.1/btrfs-export-handle-invalid-inode-or-root-reference-.patch new file mode 100644 index 0000000000..c6b0a7de63 --- /dev/null +++ b/queue-6.1/btrfs-export-handle-invalid-inode-or-root-reference-.patch @@ -0,0 +1,48 @@ +From e4e1bcd8d60754c092e2237ceabcec213e4366b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 21:19:18 +0100 +Subject: btrfs: export: handle invalid inode or root reference in + btrfs_get_parent() + +From: David Sterba + +[ Upstream commit 26b66d1d366a375745755ca7365f67110bbf6bd5 ] + +The get_parent handler looks up a parent of a given dentry, this can be +either a subvolume or a directory. The search is set up with offset -1 +but it's never expected to find such item, as it would break allowed +range of inode number or a root id. This means it's a corruption (ext4 +also returns this error code). + +Reviewed-by: Josef Bacik +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/export.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c +index fab7eb76e53b2..58b0f04d7123f 100644 +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -161,8 +161,15 @@ struct dentry *btrfs_get_parent(struct dentry *child) + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto fail; ++ if (ret == 0) { ++ /* ++ * Key with offset of -1 found, there would have to exist an ++ * inode with such number or a root with such id. ++ */ ++ ret = -EUCLEAN; ++ goto fail; ++ } + +- BUG_ON(ret == 0); /* Key with offset of -1 found */ + if (path->slots[0] == 0) { + ret = -ENOENT; + goto fail; +-- +2.43.0 + diff --git a/queue-6.1/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch b/queue-6.1/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch new file mode 100644 index 0000000000..26fac5137f --- /dev/null +++ b/queue-6.1/btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch @@ -0,0 +1,56 @@ +From 2b190514d164b73d61f4d22d4e6c565dc3f02e30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jan 2024 23:42:29 +0100 +Subject: btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() + +From: David Sterba + +[ Upstream commit 7411055db5ce64f836aaffd422396af0075fdc99 ] + +The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption, +as it could be caused only by two impossible conditions: + +- at first the search key is set up to look for a chunk tree item, with + offset -1, this is an inexact search and the key->offset will contain + the correct offset upon a successful search, a valid chunk tree item + cannot have an offset -1 + +- after first successful search, the found_key corresponds to a chunk + item, the offset is decremented by 1 before the next loop, it's + impossible to find a chunk item there due to alignment and size + constraints + +Reviewed-by: Josef Bacik +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 03cfb425ea4ea..ab5d410d560e7 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -3381,7 +3381,17 @@ static int btrfs_relocate_sys_chunks(struct btrfs_fs_info *fs_info) + mutex_unlock(&fs_info->reclaim_bgs_lock); + goto error; + } +- BUG_ON(ret == 0); /* Corruption */ ++ if (ret == 0) { ++ /* ++ * On the first search we would find chunk tree with ++ * offset -1, which is not possible. On subsequent ++ * loops this would find an existing item on an invalid ++ * offset (one less than the previous one, wrong ++ * alignment and size). ++ */ ++ ret = -EUCLEAN; ++ goto error; ++ } + + ret = btrfs_previous_item(chunk_root, path, key.objectid, + key.type); +-- +2.43.0 + diff --git a/queue-6.1/btrfs-send-handle-path-ref-underflow-in-header-itera.patch b/queue-6.1/btrfs-send-handle-path-ref-underflow-in-header-itera.patch new file mode 100644 index 0000000000..1f24d921d5 --- /dev/null +++ b/queue-6.1/btrfs-send-handle-path-ref-underflow-in-header-itera.patch @@ -0,0 +1,43 @@ +From 159caf9c3eb45340f8c1c37494686f531c529be4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 22:47:13 +0100 +Subject: btrfs: send: handle path ref underflow in header iterate_inode_ref() + +From: David Sterba + +[ Upstream commit 3c6ee34c6f9cd12802326da26631232a61743501 ] + +Change BUG_ON to proper error handling if building the path buffer +fails. The pointers are not printed so we don't accidentally leak kernel +addresses. + +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 9f7ffd9ef6fd7..754a9fb0165fa 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -1015,7 +1015,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, + ret = PTR_ERR(start); + goto out; + } +- BUG_ON(start < p->buf); ++ if (unlikely(start < p->buf)) { ++ btrfs_err(root->fs_info, ++ "send: path ref buffer underflow for key (%llu %u %llu)", ++ found_key->objectid, ++ found_key->type, ++ found_key->offset); ++ ret = -EINVAL; ++ goto out; ++ } + } + p->start = start; + } else { +-- +2.43.0 + diff --git a/queue-6.1/bus-mhi-host-add-mhi_pm_sys_err_fail-state.patch b/queue-6.1/bus-mhi-host-add-mhi_pm_sys_err_fail-state.patch new file mode 100644 index 0000000000..10caba8c91 --- /dev/null +++ b/queue-6.1/bus-mhi-host-add-mhi_pm_sys_err_fail-state.patch @@ -0,0 +1,157 @@ +From cef1a7dbc7ddc135730424972b950319c81dd1d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 11:08:00 -0700 +Subject: bus: mhi: host: Add MHI_PM_SYS_ERR_FAIL state + +From: Jeffrey Hugo + +[ Upstream commit bce3f770684cc1d91ff9edab431b71ac991faf29 ] + +When processing a SYSERR, if the device does not respond to the MHI_RESET +from the host, the host will be stuck in a difficult to recover state. +The host will remain in MHI_PM_SYS_ERR_PROCESS and not clean up the host +channels. Clients will not be notified of the SYSERR via the destruction +of their channel devices, which means clients may think that the device is +still up. Subsequent SYSERR events such as a device fatal error will not +be processed as the state machine cannot transition from PROCESS back to +DETECT. The only way to recover from this is to unload the mhi module +(wipe the state machine state) or for the mhi controller to initiate +SHUTDOWN. + +This issue was discovered by stress testing soc_reset events on AIC100 +via the sysfs node. + +soc_reset is processed entirely in hardware. When the register write +hits the endpoint hardware, it causes the soc to reset without firmware +involvement. In stress testing, there is a rare race where soc_reset N +will cause the soc to reset and PBL to signal SYSERR (fatal error). If +soc_reset N+1 is triggered before PBL can process the MHI_RESET from the +host, then the soc will reset again, and re-run PBL from the beginning. +This will cause PBL to lose all state. PBL will be waiting for the host +to respond to the new syserr, but host will be stuck expecting the +previous MHI_RESET to be processed. + +Additionally, the AMSS EE firmware (QSM) was hacked to synthetically +reproduce the issue by simulating a FW hang after the QSM issued a +SYSERR. In this case, soc_reset would not recover the device. + +For this failure case, to recover the device, we need a state similar to +PROCESS, but can transition to DETECT. There is not a viable existing +state to use. POR has the needed transitions, but assumes the device is +in a good state and could allow the host to attempt to use the device. +Allowing PROCESS to transition to DETECT invites the possibility of +parallel SYSERR processing which could get the host and device out of +sync. + +Thus, invent a new state - MHI_PM_SYS_ERR_FAIL + +This essentially a holding state. It allows us to clean up the host +elements that are based on the old state of the device (channels), but +does not allow us to directly advance back to an operational state. It +does allow the detection and processing of another SYSERR which may +recover the device, or allows the controller to do a clean shutdown. + +Signed-off-by: Jeffrey Hugo +Reviewed-by: Carl Vanderlip +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20240112180800.536733-1-quic_jhugo@quicinc.com +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + drivers/bus/mhi/host/init.c | 1 + + drivers/bus/mhi/host/internal.h | 9 ++++++--- + drivers/bus/mhi/host/pm.c | 20 +++++++++++++++++--- + 3 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c +index 04fbccff65ac2..60c1df048fa20 100644 +--- a/drivers/bus/mhi/host/init.c ++++ b/drivers/bus/mhi/host/init.c +@@ -62,6 +62,7 @@ static const char * const mhi_pm_state_str[] = { + [MHI_PM_STATE_FW_DL_ERR] = "Firmware Download Error", + [MHI_PM_STATE_SYS_ERR_DETECT] = "SYS ERROR Detect", + [MHI_PM_STATE_SYS_ERR_PROCESS] = "SYS ERROR Process", ++ [MHI_PM_STATE_SYS_ERR_FAIL] = "SYS ERROR Failure", + [MHI_PM_STATE_SHUTDOWN_PROCESS] = "SHUTDOWN Process", + [MHI_PM_STATE_LD_ERR_FATAL_DETECT] = "Linkdown or Error Fatal Detect", + }; +diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h +index 01fd10a399b61..6abf09da4f618 100644 +--- a/drivers/bus/mhi/host/internal.h ++++ b/drivers/bus/mhi/host/internal.h +@@ -88,6 +88,7 @@ enum mhi_pm_state { + MHI_PM_STATE_FW_DL_ERR, + MHI_PM_STATE_SYS_ERR_DETECT, + MHI_PM_STATE_SYS_ERR_PROCESS, ++ MHI_PM_STATE_SYS_ERR_FAIL, + MHI_PM_STATE_SHUTDOWN_PROCESS, + MHI_PM_STATE_LD_ERR_FATAL_DETECT, + MHI_PM_STATE_MAX +@@ -104,14 +105,16 @@ enum mhi_pm_state { + #define MHI_PM_FW_DL_ERR BIT(7) + #define MHI_PM_SYS_ERR_DETECT BIT(8) + #define MHI_PM_SYS_ERR_PROCESS BIT(9) +-#define MHI_PM_SHUTDOWN_PROCESS BIT(10) ++#define MHI_PM_SYS_ERR_FAIL BIT(10) ++#define MHI_PM_SHUTDOWN_PROCESS BIT(11) + /* link not accessible */ +-#define MHI_PM_LD_ERR_FATAL_DETECT BIT(11) ++#define MHI_PM_LD_ERR_FATAL_DETECT BIT(12) + + #define MHI_REG_ACCESS_VALID(pm_state) ((pm_state & (MHI_PM_POR | MHI_PM_M0 | \ + MHI_PM_M2 | MHI_PM_M3_ENTER | MHI_PM_M3_EXIT | \ + MHI_PM_SYS_ERR_DETECT | MHI_PM_SYS_ERR_PROCESS | \ +- MHI_PM_SHUTDOWN_PROCESS | MHI_PM_FW_DL_ERR))) ++ MHI_PM_SYS_ERR_FAIL | MHI_PM_SHUTDOWN_PROCESS | \ ++ MHI_PM_FW_DL_ERR))) + #define MHI_PM_IN_ERROR_STATE(pm_state) (pm_state >= MHI_PM_FW_DL_ERR) + #define MHI_PM_IN_FATAL_STATE(pm_state) (pm_state == MHI_PM_LD_ERR_FATAL_DETECT) + #define MHI_DB_ACCESS_VALID(mhi_cntrl) (mhi_cntrl->pm_state & mhi_cntrl->db_access) +diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c +index 8a4362d75fc43..27f8a40f288cf 100644 +--- a/drivers/bus/mhi/host/pm.c ++++ b/drivers/bus/mhi/host/pm.c +@@ -36,7 +36,10 @@ + * M0 <--> M0 + * M0 -> FW_DL_ERR + * M0 -> M3_ENTER -> M3 -> M3_EXIT --> M0 +- * L1: SYS_ERR_DETECT -> SYS_ERR_PROCESS --> POR ++ * L1: SYS_ERR_DETECT -> SYS_ERR_PROCESS ++ * SYS_ERR_PROCESS -> SYS_ERR_FAIL ++ * SYS_ERR_FAIL -> SYS_ERR_DETECT ++ * SYS_ERR_PROCESS --> POR + * L2: SHUTDOWN_PROCESS -> LD_ERR_FATAL_DETECT + * SHUTDOWN_PROCESS -> DISABLE + * L3: LD_ERR_FATAL_DETECT <--> LD_ERR_FATAL_DETECT +@@ -93,7 +96,12 @@ static const struct mhi_pm_transitions dev_state_transitions[] = { + }, + { + MHI_PM_SYS_ERR_PROCESS, +- MHI_PM_POR | MHI_PM_SHUTDOWN_PROCESS | ++ MHI_PM_POR | MHI_PM_SYS_ERR_FAIL | MHI_PM_SHUTDOWN_PROCESS | ++ MHI_PM_LD_ERR_FATAL_DETECT ++ }, ++ { ++ MHI_PM_SYS_ERR_FAIL, ++ MHI_PM_SYS_ERR_DETECT | MHI_PM_SHUTDOWN_PROCESS | + MHI_PM_LD_ERR_FATAL_DETECT + }, + /* L2 States */ +@@ -624,7 +632,13 @@ static void mhi_pm_sys_error_transition(struct mhi_controller *mhi_cntrl) + !in_reset, timeout); + if (!ret || in_reset) { + dev_err(dev, "Device failed to exit MHI Reset state\n"); +- goto exit_sys_error_transition; ++ write_lock_irq(&mhi_cntrl->pm_lock); ++ cur_state = mhi_tryset_pm_state(mhi_cntrl, ++ MHI_PM_SYS_ERR_FAIL); ++ write_unlock_irq(&mhi_cntrl->pm_lock); ++ /* Shutdown may have occurred, otherwise cleanup now */ ++ if (cur_state != MHI_PM_SYS_ERR_FAIL) ++ goto exit_sys_error_transition; + } + + /* +-- +2.43.0 + diff --git a/queue-6.1/cpufreq-don-t-unregister-cpufreq-cooling-on-cpu-hotp.patch b/queue-6.1/cpufreq-don-t-unregister-cpufreq-cooling-on-cpu-hotp.patch new file mode 100644 index 0000000000..db2289b06f --- /dev/null +++ b/queue-6.1/cpufreq-don-t-unregister-cpufreq-cooling-on-cpu-hotp.patch @@ -0,0 +1,94 @@ +From 4e8292e599d5b1bf0f09cd5f41b3ef2a92fef8e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 13:42:07 +0530 +Subject: cpufreq: Don't unregister cpufreq cooling on CPU hotplug + +From: Viresh Kumar + +[ Upstream commit c4d61a529db788d2e52654f5b02c8d1de4952c5b ] + +Offlining a CPU and bringing it back online is a common operation and it +happens frequently during system suspend/resume, where the non-boot CPUs +are hotplugged out during suspend and brought back at resume. + +The cpufreq core already tries to make this path as fast as possible as +the changes are only temporary in nature and full cleanup of resources +isn't required in this case. For example the drivers can implement +online()/offline() callbacks to avoid a lot of tear down of resources. + +On similar lines, there is no need to unregister the cpufreq cooling +device during suspend / resume, but only while the policy is getting +removed. + +Moreover, unregistering the cpufreq cooling device is resulting in an +unwanted outcome, where the system suspend is eventually aborted in the +process. Currently, during system suspend the cpufreq core unregisters +the cooling device, which in turn removes a kobject using device_del() +and that generates a notification to the userspace via uevent broadcast. +This causes system suspend to abort in some setups. + +This was also earlier reported (indirectly) by Roman [1]. Maybe there is +another way around to fixing that problem properly, but this change +makes sense anyways. + +Move the registering and unregistering of the cooling device to policy +creation and removal times onlyy. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218521 +Reported-by: Manaf Meethalavalappu Pallikunhi +Reported-by: Roman Stratiienko +Link: https://patchwork.kernel.org/project/linux-pm/patch/20220710164026.541466-1-r.stratiienko@gmail.com/ [1] +Tested-by: Manaf Meethalavalappu Pallikunhi +Signed-off-by: Viresh Kumar +Reviewed-by: Dhruva Gole +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index c8912756fc06d..91efa23e0e8f3 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1525,7 +1525,8 @@ static int cpufreq_online(unsigned int cpu) + if (cpufreq_driver->ready) + cpufreq_driver->ready(policy); + +- if (cpufreq_thermal_control_enabled(cpufreq_driver)) ++ /* Register cpufreq cooling only for a new policy */ ++ if (new_policy && cpufreq_thermal_control_enabled(cpufreq_driver)) + policy->cdev = of_cpufreq_cooling_register(policy); + + pr_debug("initialization complete\n"); +@@ -1609,11 +1610,6 @@ static void __cpufreq_offline(unsigned int cpu, struct cpufreq_policy *policy) + else + policy->last_policy = policy->policy; + +- if (cpufreq_thermal_control_enabled(cpufreq_driver)) { +- cpufreq_cooling_unregister(policy->cdev); +- policy->cdev = NULL; +- } +- + if (has_target()) + cpufreq_exit_governor(policy); + +@@ -1674,6 +1670,15 @@ static void cpufreq_remove_dev(struct device *dev, struct subsys_interface *sif) + return; + } + ++ /* ++ * Unregister cpufreq cooling once all the CPUs of the policy are ++ * removed. ++ */ ++ if (cpufreq_thermal_control_enabled(cpufreq_driver)) { ++ cpufreq_cooling_unregister(policy->cdev); ++ policy->cdev = NULL; ++ } ++ + /* We did light-weight exit earlier, do full tear down now */ + if (cpufreq_driver->offline) + cpufreq_driver->exit(policy); +-- +2.43.0 + diff --git a/queue-6.1/cpuidle-avoid-potential-overflow-in-integer-multipli.patch b/queue-6.1/cpuidle-avoid-potential-overflow-in-integer-multipli.patch new file mode 100644 index 0000000000..f360d2c968 --- /dev/null +++ b/queue-6.1/cpuidle-avoid-potential-overflow-in-integer-multipli.patch @@ -0,0 +1,57 @@ +From 046097ceea21472b5a7b5a25edf12864044a19e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 11:14:42 +0800 +Subject: cpuidle: Avoid potential overflow in integer multiplication + +From: C Cheng + +[ Upstream commit 88390dd788db485912ee7f9a8d3d56fc5265d52f ] + +In detail: + +In C language, when you perform a multiplication operation, if +both operands are of int type, the multiplication operation is +performed on the int type, and then the result is converted to +the target type. This means that if the product of int type +multiplication exceeds the range that int type can represent, +an overflow will occur even if you store the result in a +variable of int64_t type. + +For a multiplication of two int values, it is better to use +mul_u32_u32() rather than s->exit_latency_ns = s->exit_latency * +NSEC_PER_USEC to avoid potential overflow happenning. + +Signed-off-by: C Cheng +Signed-off-by: Bo Ye +Reviewed-by: AngeloGioacchino Del Regno +[ rjw: New subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/driver.c b/drivers/cpuidle/driver.c +index f70aa17e2a8e0..c594e28adddf3 100644 +--- a/drivers/cpuidle/driver.c ++++ b/drivers/cpuidle/driver.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include "cpuidle.h" + +@@ -185,7 +186,7 @@ static void __cpuidle_driver_init(struct cpuidle_driver *drv) + s->target_residency_ns = 0; + + if (s->exit_latency > 0) +- s->exit_latency_ns = s->exit_latency * NSEC_PER_USEC; ++ s->exit_latency_ns = mul_u32_u32(s->exit_latency, NSEC_PER_USEC); + else if (s->exit_latency_ns < 0) + s->exit_latency_ns = 0; + } +-- +2.43.0 + diff --git a/queue-6.1/dma-direct-leak-pages-on-dma_set_decrypted-failure.patch b/queue-6.1/dma-direct-leak-pages-on-dma_set_decrypted-failure.patch new file mode 100644 index 0000000000..91033652cc --- /dev/null +++ b/queue-6.1/dma-direct-leak-pages-on-dma_set_decrypted-failure.patch @@ -0,0 +1,67 @@ +From 2196b479b9c31c31a68970cc5bbeb991b14a7569 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 16:17:21 -0800 +Subject: dma-direct: Leak pages on dma_set_decrypted() failure + +From: Rick Edgecombe + +[ Upstream commit b9fa16949d18e06bdf728a560f5c8af56d2bdcaf ] + +On TDX it is possible for the untrusted host to cause +set_memory_encrypted() or set_memory_decrypted() to fail such that an +error is returned and the resulting memory is shared. Callers need to +take care to handle these errors to avoid returning decrypted (shared) +memory to the page allocator, which could lead to functional or security +issues. + +DMA could free decrypted/shared pages if dma_set_decrypted() fails. This +should be a rare case. Just leak the pages in this case instead of +freeing them. + +Signed-off-by: Rick Edgecombe +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/direct.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c +index 63859a101ed83..d4215739efc71 100644 +--- a/kernel/dma/direct.c ++++ b/kernel/dma/direct.c +@@ -296,7 +296,7 @@ void *dma_direct_alloc(struct device *dev, size_t size, + } else { + ret = page_address(page); + if (dma_set_decrypted(dev, ret, size)) +- goto out_free_pages; ++ goto out_leak_pages; + } + + memset(ret, 0, size); +@@ -317,6 +317,8 @@ void *dma_direct_alloc(struct device *dev, size_t size, + out_free_pages: + __dma_direct_free_pages(dev, page, size); + return NULL; ++out_leak_pages: ++ return NULL; + } + + void dma_direct_free(struct device *dev, size_t size, +@@ -379,12 +381,11 @@ struct page *dma_direct_alloc_pages(struct device *dev, size_t size, + + ret = page_address(page); + if (dma_set_decrypted(dev, ret, size)) +- goto out_free_pages; ++ goto out_leak_pages; + memset(ret, 0, size); + *dma_handle = phys_to_dma_direct(dev, page_to_phys(page)); + return page; +-out_free_pages: +- __dma_direct_free_pages(dev, page, size); ++out_leak_pages: + return NULL; + } + +-- +2.43.0 + diff --git a/queue-6.1/drivers-nvme-add-quirks-for-device-126f-2262.patch b/queue-6.1/drivers-nvme-add-quirks-for-device-126f-2262.patch new file mode 100644 index 0000000000..4191fa11fc --- /dev/null +++ b/queue-6.1/drivers-nvme-add-quirks-for-device-126f-2262.patch @@ -0,0 +1,52 @@ +From f7106ea1690c98573ac8038da0e2e15937acdb54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Mar 2024 03:27:49 +0800 +Subject: drivers/nvme: Add quirks for device 126f:2262 + +From: Jiawei Fu (iBug) + +[ Upstream commit e89086c43f0500bc7c4ce225495b73b8ce234c1f ] + +This commit adds NVME_QUIRK_NO_DEEPEST_PS and NVME_QUIRK_BOGUS_NID for +device [126f:2262], which appears to be a generic VID:PID pair used for +many SSDs based on the Silicon Motion SM2262/SM2262EN controller. + +Two of my SSDs with this VID:PID pair exhibit the same behavior: + + * They frequently have trouble exiting the deepest power state (5), + resulting in the entire disk unresponsive. + Verified by setting nvme_core.default_ps_max_latency_us=10000 and + observing them behaving normally. + * They produce all-zero nguid and eui64 with `nvme id-ns` command. + +The offending products are: + + * HP SSD EX950 1TB + * HIKVISION C2000Pro 2TB + +Signed-off-by: Jiawei Fu +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 3d01290994d89..5ff09f2cacab7 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3471,6 +3471,9 @@ static const struct pci_device_id nvme_id_table[] = { + NVME_QUIRK_BOGUS_NID, }, + { PCI_VDEVICE(REDHAT, 0x0010), /* Qemu emulated controller */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x126f, 0x2262), /* Silicon Motion generic */ ++ .driver_data = NVME_QUIRK_NO_DEEPEST_PS | ++ NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x126f, 0x2263), /* Silicon Motion unidentified */ + .driver_data = NVME_QUIRK_NO_NS_DESC_LIST | + NVME_QUIRK_BOGUS_NID, }, +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-amdgpu-fix-potential-ioremap-memory-leaks-in.patch b/queue-6.1/drm-amd-amdgpu-fix-potential-ioremap-memory-leaks-in.patch new file mode 100644 index 0000000000..f54722c83b --- /dev/null +++ b/queue-6.1/drm-amd-amdgpu-fix-potential-ioremap-memory-leaks-in.patch @@ -0,0 +1,91 @@ +From a4ace0cab6b18623e4b692fdd6a1dd917720a0b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 17:08:16 +0530 +Subject: drm/amd/amdgpu: Fix potential ioremap() memory leaks in + amdgpu_device_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit eb4f139888f636614dab3bcce97ff61cefc4b3a7 ] + +This ensures that the memory mapped by ioremap for adev->rmmio, is +properly handled in amdgpu_device_init(). If the function exits early +due to an error, the memory is unmapped. If the function completes +successfully, the memory remains mapped. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337 + +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index b11690a816e73..e4eb906806a51 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3713,8 +3713,10 @@ int amdgpu_device_init(struct amdgpu_device *adev, + * early on during init and before calling to RREG32. + */ + adev->reset_domain = amdgpu_reset_create_reset_domain(SINGLE_DEVICE, "amdgpu-reset-dev"); +- if (!adev->reset_domain) +- return -ENOMEM; ++ if (!adev->reset_domain) { ++ r = -ENOMEM; ++ goto unmap_memory; ++ } + + /* detect hw virtualization here */ + amdgpu_detect_virtualization(adev); +@@ -3722,18 +3724,18 @@ int amdgpu_device_init(struct amdgpu_device *adev, + r = amdgpu_device_get_job_timeout_settings(adev); + if (r) { + dev_err(adev->dev, "invalid lockup_timeout parameter syntax\n"); +- return r; ++ goto unmap_memory; + } + + /* early init functions */ + r = amdgpu_device_ip_early_init(adev); + if (r) +- return r; ++ goto unmap_memory; + + /* Get rid of things like offb */ + r = drm_aperture_remove_conflicting_pci_framebuffers(adev->pdev, &amdgpu_kms_driver); + if (r) +- return r; ++ goto unmap_memory; + + /* Enable TMZ based on IP_VERSION */ + amdgpu_gmc_tmz_set(adev); +@@ -3743,7 +3745,7 @@ int amdgpu_device_init(struct amdgpu_device *adev, + if (adev->gmc.xgmi.supported) { + r = adev->gfxhub.funcs->get_xgmi_info(adev); + if (r) +- return r; ++ goto unmap_memory; + } + + /* enable PCIE atomic ops */ +@@ -3999,6 +4001,8 @@ int amdgpu_device_init(struct amdgpu_device *adev, + failed: + amdgpu_vf_error_trans_all(adev); + ++unmap_memory: ++ iounmap(adev->rmmio); + return r; + } + +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-fix-nanosec-stat-overflow.patch b/queue-6.1/drm-amd-display-fix-nanosec-stat-overflow.patch new file mode 100644 index 0000000000..bd98aebdc7 --- /dev/null +++ b/queue-6.1/drm-amd-display-fix-nanosec-stat-overflow.patch @@ -0,0 +1,45 @@ +From 0c60c4fb611c2146df9702a147e3bafdd5520c3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 11:53:52 -0400 +Subject: drm/amd/display: Fix nanosec stat overflow + +From: Aric Cyr + +[ Upstream commit 14d68acfd04b39f34eea7bea65dda652e6db5bf6 ] + +[Why] +Nanosec stats can overflow on long running systems potentially causing +statistic logging issues. + +[How] +Use 64bit types for nanosec stats to ensure no overflow. + +Reviewed-by: Rodrigo Siqueira +Tested-by: Daniel Wheeler +Signed-off-by: Aric Cyr +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/inc/mod_stats.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h +index 4220fd8fdd60c..54cd86060f4d6 100644 +--- a/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h ++++ b/drivers/gpu/drm/amd/display/modules/inc/mod_stats.h +@@ -57,10 +57,10 @@ void mod_stats_update_event(struct mod_stats *mod_stats, + unsigned int length); + + void mod_stats_update_flip(struct mod_stats *mod_stats, +- unsigned long timestamp_in_ns); ++ unsigned long long timestamp_in_ns); + + void mod_stats_update_vupdate(struct mod_stats *mod_stats, +- unsigned long timestamp_in_ns); ++ unsigned long long timestamp_in_ns); + + void mod_stats_update_freesync(struct mod_stats *mod_stats, + unsigned int v_total_min, +-- +2.43.0 + diff --git a/queue-6.1/drm-panel-orientation-quirks-add-quirk-for-gpd-win-m.patch b/queue-6.1/drm-panel-orientation-quirks-add-quirk-for-gpd-win-m.patch new file mode 100644 index 0000000000..dd018d883c --- /dev/null +++ b/queue-6.1/drm-panel-orientation-quirks-add-quirk-for-gpd-win-m.patch @@ -0,0 +1,52 @@ +From 7603ef3a5bd7aee631a887153bfb0f32748527f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 22:01:50 -0500 +Subject: drm: panel-orientation-quirks: Add quirk for GPD Win Mini + +From: Samuel Dionne-Riel + +[ Upstream commit 2f862fdc0fd802e728b6ca96bc78ec3f01bf161e ] + +This adds a DMI orientation quirk for the GPD Win Mini panel. + +Signed-off-by: Samuel Dionne-Riel +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20231222030149.3740815-2-samuel@dionne-riel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index d5c15292ae937..3fe5e6439c401 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -117,6 +117,12 @@ static const struct drm_dmi_panel_orientation_data lcd1080x1920_leftside_up = { + .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP, + }; + ++static const struct drm_dmi_panel_orientation_data lcd1080x1920_rightside_up = { ++ .width = 1080, ++ .height = 1920, ++ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, ++}; ++ + static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = { + .width = 1200, + .height = 1920, +@@ -279,6 +285,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "G1618-03") + }, + .driver_data = (void *)&lcd720x1280_rightside_up, ++ }, { /* GPD Win Mini */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "G1617-01") ++ }, ++ .driver_data = (void *)&lcd1080x1920_rightside_up, + }, { /* I.T.Works TW891 */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."), +-- +2.43.0 + diff --git a/queue-6.1/drm-vc4-don-t-check-if-plane-state-fb-state-fb.patch b/queue-6.1/drm-vc4-don-t-check-if-plane-state-fb-state-fb.patch new file mode 100644 index 0000000000..34dfbceba5 --- /dev/null +++ b/queue-6.1/drm-vc4-don-t-check-if-plane-state-fb-state-fb.patch @@ -0,0 +1,105 @@ +From 8cfb8ef75cd2a9a4e9d13a966f96e3b9a6a2eb65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jan 2024 14:58:36 -0300 +Subject: drm/vc4: don't check if plane->state->fb == state->fb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit 5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9 ] + +Currently, when using non-blocking commits, we can see the following +kernel warning: + +[ 110.908514] ------------[ cut here ]------------ +[ 110.908529] refcount_t: underflow; use-after-free. +[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0 +[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 +[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32 +[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT) +[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0 +[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0 +[ 110.909170] sp : ffffffc00913b9c0 +[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60 +[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480 +[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78 +[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000 +[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004 +[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003 +[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00 +[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572 +[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000 +[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001 +[ 110.909434] Call trace: +[ 110.909441] refcount_dec_not_one+0xb8/0xc0 +[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4] +[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4] +[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper] +[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4] +[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper] +[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper] +[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm] +[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm] +[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm] +[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm] +[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4 +[ 110.914873] invoke_syscall+0x4c/0x114 +[ 110.914897] el0_svc_common+0xd0/0x118 +[ 110.914917] do_el0_svc+0x38/0xd0 +[ 110.914936] el0_svc+0x30/0x8c +[ 110.914958] el0t_64_sync_handler+0x84/0xf0 +[ 110.914979] el0t_64_sync+0x18c/0x190 +[ 110.914996] ---[ end trace 0000000000000000 ]--- + +This happens because, although `prepare_fb` and `cleanup_fb` are +perfectly balanced, we cannot guarantee consistency in the check +plane->state->fb == state->fb. This means that sometimes we can increase +the refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The +opposite can also be true. + +In fact, the struct drm_plane .state shouldn't be accessed directly +but instead, the `drm_atomic_get_new_plane_state()` helper function should +be used. So, we could stick to this check, but using +`drm_atomic_get_new_plane_state()`. But actually, this check is not really +needed. We can increase and decrease the refcount symmetrically without +problems. + +This is going to make the code more simple and consistent. + +Signed-off-by: Maíra Canal +Acked-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20240105175908.242000-1-mcanal@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_plane.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c +index eb08020154f30..7e6648b277b25 100644 +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -1415,9 +1415,6 @@ static int vc4_prepare_fb(struct drm_plane *plane, + + drm_gem_plane_helper_prepare_fb(plane, state); + +- if (plane->state->fb == state->fb) +- return 0; +- + return vc4_bo_inc_usecnt(bo); + } + +@@ -1426,7 +1423,7 @@ static void vc4_cleanup_fb(struct drm_plane *plane, + { + struct vc4_bo *bo; + +- if (plane->state->fb == state->fb || !state->fb) ++ if (!state->fb) + return; + + bo = to_vc4_bo(&drm_fb_dma_get_gem_obj(state->fb, 0)->base); +-- +2.43.0 + diff --git a/queue-6.1/ext4-add-a-hint-for-block-bitmap-corrupt-state-in-mb.patch b/queue-6.1/ext4-add-a-hint-for-block-bitmap-corrupt-state-in-mb.patch new file mode 100644 index 0000000000..104b506706 --- /dev/null +++ b/queue-6.1/ext4-add-a-hint-for-block-bitmap-corrupt-state-in-mb.patch @@ -0,0 +1,44 @@ +From 4bbdb472cc81a25cbf69abae99ee384e28021b2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 14:11:54 +0800 +Subject: ext4: add a hint for block bitmap corrupt state in mb_groups + +From: Zhang Yi + +[ Upstream commit 68ee261fb15457ecb17e3683cb4e6a4792ca5b71 ] + +If one group is marked as block bitmap corrupted, its free blocks cannot +be used and its free count is also deducted from the global +sbi->s_freeclusters_counter. User might be confused about the absent +free space because we can't query the information about corrupted block +groups except unreliable error messages in syslog. So add a hint to show +block bitmap corrupted groups in mb_groups. + +Signed-off-by: Zhang Yi +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240119061154.1525781-1-yi.zhang@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index bc0ca45a5d817..a843f964332c2 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2905,7 +2905,10 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v) + for (i = 0; i <= 13; i++) + seq_printf(seq, " %-5u", i <= blocksize_bits + 1 ? + sg.info.bb_counters[i] : 0); +- seq_puts(seq, " ]\n"); ++ seq_puts(seq, " ]"); ++ if (EXT4_MB_GRP_BBITMAP_CORRUPT(&sg.info)) ++ seq_puts(seq, " Block bitmap corrupted!"); ++ seq_puts(seq, "\n"); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.1/ext4-forbid-commit-inconsistent-quota-data-when-erro.patch b/queue-6.1/ext4-forbid-commit-inconsistent-quota-data-when-erro.patch new file mode 100644 index 0000000000..054fea65b3 --- /dev/null +++ b/queue-6.1/ext4-forbid-commit-inconsistent-quota-data-when-erro.patch @@ -0,0 +1,70 @@ +From c2c42ead81dcddbf53cb3eb1afc2616c55cc766f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 14:29:08 +0800 +Subject: ext4: forbid commit inconsistent quota data when errors=remount-ro + +From: Ye Bin + +[ Upstream commit d8b945fa475f13d787df00c26a6dc45a3e2e1d1d ] + +There's issue as follows When do IO fault injection test: +Quota error (device dm-3): find_block_dqentry: Quota for id 101 referenced but not present +Quota error (device dm-3): qtree_read_dquot: Can't read quota structure for id 101 +Quota error (device dm-3): do_check_range: Getting block 2021161007 out of range 1-186 +Quota error (device dm-3): qtree_read_dquot: Can't read quota structure for id 661 + +Now, ext4_write_dquot()/ext4_acquire_dquot()/ext4_release_dquot() may commit +inconsistent quota data even if process failed. This may lead to filesystem +corruption. +To ensure filesystem consistent when errors=remount-ro there is need to call +ext4_handle_error() to abort journal. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240119062908.3598806-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 601e097e17207..274542d869d0c 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6751,6 +6751,10 @@ static int ext4_write_dquot(struct dquot *dquot) + if (IS_ERR(handle)) + return PTR_ERR(handle); + ret = dquot_commit(dquot); ++ if (ret < 0) ++ ext4_error_err(dquot->dq_sb, -ret, ++ "Failed to commit dquot type %d", ++ dquot->dq_id.type); + err = ext4_journal_stop(handle); + if (!ret) + ret = err; +@@ -6767,6 +6771,10 @@ static int ext4_acquire_dquot(struct dquot *dquot) + if (IS_ERR(handle)) + return PTR_ERR(handle); + ret = dquot_acquire(dquot); ++ if (ret < 0) ++ ext4_error_err(dquot->dq_sb, -ret, ++ "Failed to acquire dquot type %d", ++ dquot->dq_id.type); + err = ext4_journal_stop(handle); + if (!ret) + ret = err; +@@ -6786,6 +6794,10 @@ static int ext4_release_dquot(struct dquot *dquot) + return PTR_ERR(handle); + } + ret = dquot_release(dquot); ++ if (ret < 0) ++ ext4_error_err(dquot->dq_sb, -ret, ++ "Failed to release dquot type %d", ++ dquot->dq_id.type); + err = ext4_journal_stop(handle); + if (!ret) + ret = err; +-- +2.43.0 + diff --git a/queue-6.1/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch b/queue-6.1/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch new file mode 100644 index 0000000000..be929d3a44 --- /dev/null +++ b/queue-6.1/fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch @@ -0,0 +1,47 @@ +From e82f492043b73dfe12c4bbaa7c74d99f1cb1ff0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 14:35:43 +0300 +Subject: fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 + +From: Aleksandr Burakov + +[ Upstream commit bc87bb342f106a0402186bcb588fcbe945dced4b ] + +There are some actions with value 'tmp' but 'dst_addr' is checked instead. +It is obvious that a copy-paste error was made here and the value +of variable 'tmp' should be checked here. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Aleksandr Burakov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/via/accel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/via/accel.c b/drivers/video/fbdev/via/accel.c +index 0a1bc7a4d7853..1e04026f08091 100644 +--- a/drivers/video/fbdev/via/accel.c ++++ b/drivers/video/fbdev/via/accel.c +@@ -115,7 +115,7 @@ static int hw_bitblt_1(void __iomem *engine, u8 op, u32 width, u32 height, + + if (op != VIA_BITBLT_FILL) { + tmp = src_mem ? 0 : src_addr; +- if (dst_addr & 0xE0000007) { ++ if (tmp & 0xE0000007) { + printk(KERN_WARNING "hw_bitblt_1: Unsupported source " + "address %X\n", tmp); + return -EINVAL; +@@ -260,7 +260,7 @@ static int hw_bitblt_2(void __iomem *engine, u8 op, u32 width, u32 height, + writel(tmp, engine + 0x18); + + tmp = src_mem ? 0 : src_addr; +- if (dst_addr & 0xE0000007) { ++ if (tmp & 0xE0000007) { + printk(KERN_WARNING "hw_bitblt_2: Unsupported source " + "address %X\n", tmp); + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.1/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch b/queue-6.1/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch new file mode 100644 index 0000000000..c858ace318 --- /dev/null +++ b/queue-6.1/fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch @@ -0,0 +1,51 @@ +From fe6a7d6bdb5004c5b5e57e94be16d60769df9473 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 11:13:44 +0300 +Subject: fbmon: prevent division by zero in fb_videomode_from_videomode() + +From: Roman Smirnov + +[ Upstream commit c2d953276b8b27459baed1277a4fdd5dd9bd4126 ] + +The expression htotal * vtotal can have a zero value on +overflow. It is necessary to prevent division by zero like in +fb_var_to_videomode(). + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Signed-off-by: Roman Smirnov +Reviewed-by: Sergey Shtylyov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmon.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbmon.c b/drivers/video/fbdev/core/fbmon.c +index b0e690f41025a..9ca99da3a56a0 100644 +--- a/drivers/video/fbdev/core/fbmon.c ++++ b/drivers/video/fbdev/core/fbmon.c +@@ -1311,7 +1311,7 @@ int fb_get_mode(int flags, u32 val, struct fb_var_screeninfo *var, struct fb_inf + int fb_videomode_from_videomode(const struct videomode *vm, + struct fb_videomode *fbmode) + { +- unsigned int htotal, vtotal; ++ unsigned int htotal, vtotal, total; + + fbmode->xres = vm->hactive; + fbmode->left_margin = vm->hback_porch; +@@ -1344,8 +1344,9 @@ int fb_videomode_from_videomode(const struct videomode *vm, + vtotal = vm->vactive + vm->vfront_porch + vm->vback_porch + + vm->vsync_len; + /* prevent division by zero */ +- if (htotal && vtotal) { +- fbmode->refresh = vm->pixelclock / (htotal * vtotal); ++ total = htotal * vtotal; ++ if (total) { ++ fbmode->refresh = vm->pixelclock / total; + /* a mode must have htotal and vtotal != 0 or it is invalid */ + } else { + fbmode->refresh = 0; +-- +2.43.0 + diff --git a/queue-6.1/firmware-tegra-bpmp-return-directly-after-a-failed-k.patch b/queue-6.1/firmware-tegra-bpmp-return-directly-after-a-failed-k.patch new file mode 100644 index 0000000000..1085442e3b --- /dev/null +++ b/queue-6.1/firmware-tegra-bpmp-return-directly-after-a-failed-k.patch @@ -0,0 +1,44 @@ +From 1d940913112e7d73579abcbc9d036f2120dbf8e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Dec 2023 20:03:56 +0100 +Subject: firmware: tegra: bpmp: Return directly after a failed kzalloc() in + get_filename() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit 1315848f1f8a0100cb6f8a7187bc320c5d98947f ] + +The kfree() function was called in one case by +the get_filename() function during error handling +even if the passed variable contained a null pointer. +This issue was detected by using the Coccinelle software. + +Thus return directly after a call of the function “kzalloc” failed +at the beginning. + +Signed-off-by: Markus Elfring +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/firmware/tegra/bpmp-debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/tegra/bpmp-debugfs.c b/drivers/firmware/tegra/bpmp-debugfs.c +index 9d3874cdaaeef..34e4152477f3b 100644 +--- a/drivers/firmware/tegra/bpmp-debugfs.c ++++ b/drivers/firmware/tegra/bpmp-debugfs.c +@@ -81,7 +81,7 @@ static const char *get_filename(struct tegra_bpmp *bpmp, + + root_path_buf = kzalloc(root_path_buf_len, GFP_KERNEL); + if (!root_path_buf) +- goto out; ++ return NULL; + + root_path = dentry_path(bpmp->debugfs_mirror, root_path_buf, + root_path_buf_len); +-- +2.43.0 + diff --git a/queue-6.1/ice-use-relative-vsi-index-for-vfs-instead-of-pf-vsi.patch b/queue-6.1/ice-use-relative-vsi-index-for-vfs-instead-of-pf-vsi.patch new file mode 100644 index 0000000000..78d6ea4ee6 --- /dev/null +++ b/queue-6.1/ice-use-relative-vsi-index-for-vfs-instead-of-pf-vsi.patch @@ -0,0 +1,104 @@ +From ae3285e72c1cf49775b755aec12324142fca375c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 14:06:37 -0800 +Subject: ice: use relative VSI index for VFs instead of PF VSI number + +From: Jacob Keller + +[ Upstream commit 11fbb1bfb5bc8c98b2d7db9da332b5e568f4aaab ] + +When initializing over virtchnl, the PF is required to pass a VSI ID to the +VF as part of its capabilities exchange. The VF driver reports this value +back to the PF in a variety of commands. The PF driver validates that this +value matches the value it sent to the VF. + +Some hardware families such as the E700 series could use this value when +reading RSS registers or communicating directly with firmware over the +Admin Queue. + +However, E800 series hardware does not support any of these interfaces and +the VF's only use for this value is to report it back to the PF. Thus, +there is no requirement that this value be an actual VSI ID value of any +kind. + +The PF driver already does not trust that the VF sends it a real VSI ID. +The VSI structure is always looked up from the VF structure. The PF does +validate that the VSI ID provided matches a VSI associated with the VF, but +otherwise does not use the VSI ID for any purpose. + +Instead of reporting the VSI number relative to the PF space, report a +fixed value of 1. When communicating with the VF over virtchnl, validate +that the VSI number is returned appropriately. + +This avoids leaking information about the firmware of the PF state. +Currently the ice driver only supplies a VF with a single VSI. However, it +appears that virtchnl has some support for allowing multiple VSIs. I did +not attempt to implement this. However, space is left open to allow further +relative indexes if additional VSIs are provided in future feature +development. For this reason, keep the ice_vc_isvalid_vsi_id function in +place to allow extending it for multiple VSIs in the future. + +This change will also simplify handling of live migration in a future +series. Since we no longer will provide a real VSI number to the VF, there +will be no need to keep track of this number when migrating to a new host. + +Signed-off-by: Jacob Keller +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_virtchnl.c | 9 ++------- + drivers/net/ethernet/intel/ice/ice_virtchnl.h | 9 +++++++++ + 2 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +index 4b71392f60df1..e64bef490a174 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +@@ -493,7 +493,7 @@ static int ice_vc_get_vf_res_msg(struct ice_vf *vf, u8 *msg) + vfres->rss_lut_size = ICE_VSIQF_HLUT_ARRAY_SIZE; + vfres->max_mtu = ice_vc_get_max_frame_size(vf); + +- vfres->vsi_res[0].vsi_id = vf->lan_vsi_num; ++ vfres->vsi_res[0].vsi_id = ICE_VF_VSI_ID; + vfres->vsi_res[0].vsi_type = VIRTCHNL_VSI_SRIOV; + vfres->vsi_res[0].num_queue_pairs = vsi->num_txq; + ether_addr_copy(vfres->vsi_res[0].default_mac_addr, +@@ -539,12 +539,7 @@ static void ice_vc_reset_vf_msg(struct ice_vf *vf) + */ + bool ice_vc_isvalid_vsi_id(struct ice_vf *vf, u16 vsi_id) + { +- struct ice_pf *pf = vf->pf; +- struct ice_vsi *vsi; +- +- vsi = ice_find_vsi(pf, vsi_id); +- +- return (vsi && (vsi->vf == vf)); ++ return vsi_id == ICE_VF_VSI_ID; + } + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.h b/drivers/net/ethernet/intel/ice/ice_virtchnl.h +index b5a3fd8adbb4e..6073d3b2d2d65 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.h ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.h +@@ -18,6 +18,15 @@ + */ + #define ICE_MAX_MACADDR_PER_VF 18 + ++/* VFs only get a single VSI. For ice hardware, the VF does not need to know ++ * its VSI index. However, the virtchnl interface requires a VSI number, ++ * mainly due to legacy hardware. ++ * ++ * Since the VF doesn't need this information, report a static value to the VF ++ * instead of leaking any information about the PF or hardware setup. ++ */ ++#define ICE_VF_VSI_ID 1 ++ + struct ice_virtchnl_ops { + int (*get_ver_msg)(struct ice_vf *vf, u8 *msg); + int (*get_vf_res_msg)(struct ice_vf *vf, u8 *msg); +-- +2.43.0 + diff --git a/queue-6.1/input-allocate-keycode-for-display-refresh-rate-togg.patch b/queue-6.1/input-allocate-keycode-for-display-refresh-rate-togg.patch new file mode 100644 index 0000000000..010db95ea3 --- /dev/null +++ b/queue-6.1/input-allocate-keycode-for-display-refresh-rate-togg.patch @@ -0,0 +1,43 @@ +From 1b39e3f212b030bf860bbeb9423b5839a74ac6cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Mar 2024 12:31:41 +0100 +Subject: Input: allocate keycode for Display refresh rate toggle +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gergo Koteles + +[ Upstream commit cfeb98b95fff25c442f78a6f616c627bc48a26b7 ] + +Newer Lenovo Yogas and Legions with 60Hz/90Hz displays send a wmi event +when Fn + R is pressed. This is intended for use to switch between the +two refresh rates. + +Allocate a new KEY_REFRESH_RATE_TOGGLE keycode for it. + +Signed-off-by: Gergo Koteles +Acked-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/15a5d08c84cf4d7b820de34ebbcf8ae2502fb3ca.1710065750.git.soyer@irl.hu +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + include/uapi/linux/input-event-codes.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h +index 7ad931a329706..1ce8a91349e9f 100644 +--- a/include/uapi/linux/input-event-codes.h ++++ b/include/uapi/linux/input-event-codes.h +@@ -602,6 +602,7 @@ + + #define KEY_ALS_TOGGLE 0x230 /* Ambient light sensor */ + #define KEY_ROTATE_LOCK_TOGGLE 0x231 /* Display rotation lock */ ++#define KEY_REFRESH_RATE_TOGGLE 0x232 /* Display refresh rate toggle */ + + #define KEY_BUTTONCONFIG 0x240 /* AL Button Configuration */ + #define KEY_TASKMANAGER 0x241 /* AL Task/Project Manager */ +-- +2.43.0 + diff --git a/queue-6.1/input-imagis-use-field_get-where-applicable.patch b/queue-6.1/input-imagis-use-field_get-where-applicable.patch new file mode 100644 index 0000000000..186b601226 --- /dev/null +++ b/queue-6.1/input-imagis-use-field_get-where-applicable.patch @@ -0,0 +1,87 @@ +From f8b816e540c450d74160f977458497918f470f29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Mar 2024 21:18:05 -0800 +Subject: Input: imagis - use FIELD_GET where applicable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duje Mihanović + +[ Upstream commit c0ca3dbd03d66c6b9e044f48720e6ab5cef37ae5 ] + +Instead of manually extracting certain bits from registers with binary +ANDs and shifts, the FIELD_GET macro can be used. With this in mind, the +*_SHIFT macros can be dropped. + +Signed-off-by: Duje Mihanović +Link: https://lore.kernel.org/r/20240306-b4-imagis-keys-v3-1-2c429afa8420@skole.hr +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/imagis.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/input/touchscreen/imagis.c b/drivers/input/touchscreen/imagis.c +index b667914a44f1d..2636e1c9435d8 100644 +--- a/drivers/input/touchscreen/imagis.c ++++ b/drivers/input/touchscreen/imagis.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + ++#include + #include + #include + #include +@@ -23,12 +24,9 @@ + #define IST3038C_I2C_RETRY_COUNT 3 + #define IST3038C_MAX_FINGER_NUM 10 + #define IST3038C_X_MASK GENMASK(23, 12) +-#define IST3038C_X_SHIFT 12 + #define IST3038C_Y_MASK GENMASK(11, 0) + #define IST3038C_AREA_MASK GENMASK(27, 24) +-#define IST3038C_AREA_SHIFT 24 + #define IST3038C_FINGER_COUNT_MASK GENMASK(15, 12) +-#define IST3038C_FINGER_COUNT_SHIFT 12 + #define IST3038C_FINGER_STATUS_MASK GENMASK(9, 0) + + struct imagis_ts { +@@ -92,8 +90,7 @@ static irqreturn_t imagis_interrupt(int irq, void *dev_id) + goto out; + } + +- finger_count = (intr_message & IST3038C_FINGER_COUNT_MASK) >> +- IST3038C_FINGER_COUNT_SHIFT; ++ finger_count = FIELD_GET(IST3038C_FINGER_COUNT_MASK, intr_message); + if (finger_count > IST3038C_MAX_FINGER_NUM) { + dev_err(&ts->client->dev, + "finger count %d is more than maximum supported\n", +@@ -101,7 +98,7 @@ static irqreturn_t imagis_interrupt(int irq, void *dev_id) + goto out; + } + +- finger_pressed = intr_message & IST3038C_FINGER_STATUS_MASK; ++ finger_pressed = FIELD_GET(IST3038C_FINGER_STATUS_MASK, intr_message); + + for (i = 0; i < finger_count; i++) { + error = imagis_i2c_read_reg(ts, +@@ -118,12 +115,11 @@ static irqreturn_t imagis_interrupt(int irq, void *dev_id) + input_mt_report_slot_state(ts->input_dev, MT_TOOL_FINGER, + finger_pressed & BIT(i)); + touchscreen_report_pos(ts->input_dev, &ts->prop, +- (finger_status & IST3038C_X_MASK) >> +- IST3038C_X_SHIFT, +- finger_status & IST3038C_Y_MASK, 1); ++ FIELD_GET(IST3038C_X_MASK, finger_status), ++ FIELD_GET(IST3038C_Y_MASK, finger_status), ++ true); + input_report_abs(ts->input_dev, ABS_MT_TOUCH_MAJOR, +- (finger_status & IST3038C_AREA_MASK) >> +- IST3038C_AREA_SHIFT); ++ FIELD_GET(IST3038C_AREA_MASK, finger_status)); + } + + input_mt_sync_frame(ts->input_dev); +-- +2.43.0 + diff --git a/queue-6.1/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch b/queue-6.1/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch new file mode 100644 index 0000000000..5614ae500d --- /dev/null +++ b/queue-6.1/input-synaptics-rmi4-fail-probing-if-memory-allocati.patch @@ -0,0 +1,42 @@ +From 690a6ea23f3799507825e7baeb2e5a5f59671a3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 11:37:59 -0800 +Subject: Input: synaptics-rmi4 - fail probing if memory allocation for "phys" + fails + +From: Kunwu Chan + +[ Upstream commit bc4996184d56cfaf56d3811ac2680c8a0e2af56e ] + +While input core can work with input->phys set to NULL userspace might +depend on it, so better fail probing if allocation fails. The system must +be in a pretty bad shape for it to happen anyway. + +Signed-off-by: Kunwu Chan +Link: https://lore.kernel.org/r/20240117073124.143636-1-chentao@kylinos.cn +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/rmi4/rmi_driver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c +index 258d5fe3d395c..aa32371f04af6 100644 +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -1196,7 +1196,11 @@ static int rmi_driver_probe(struct device *dev) + } + rmi_driver_set_input_params(rmi_dev, data->input); + data->input->phys = devm_kasprintf(dev, GFP_KERNEL, +- "%s/input0", dev_name(dev)); ++ "%s/input0", dev_name(dev)); ++ if (!data->input->phys) { ++ retval = -ENOMEM; ++ goto err; ++ } + } + + retval = rmi_init_functions(data); +-- +2.43.0 + diff --git a/queue-6.1/input-touchscreen-imagis-correct-the-maximum-touch-a.patch b/queue-6.1/input-touchscreen-imagis-correct-the-maximum-touch-a.patch new file mode 100644 index 0000000000..13ba8f0f71 --- /dev/null +++ b/queue-6.1/input-touchscreen-imagis-correct-the-maximum-touch-a.patch @@ -0,0 +1,37 @@ +From 16ddfdceb3cd1721c5114a3be9f76d2f5d88e0ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Mar 2024 17:41:00 +0100 +Subject: input/touchscreen: imagis: Correct the maximum touch area value + +From: Markuss Broks + +[ Upstream commit 54a62ed17a705ef1ac80ebca2b62136b19243e19 ] + +As specified in downstream IST3038B driver and proved by testing, +the correct maximum reported value of touch area is 16. + +Signed-off-by: Markuss Broks +Signed-off-by: Karel Balej +Link: https://lore.kernel.org/r/20240301164659.13240-2-karelb@gimli.ms.mff.cuni.cz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/imagis.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/imagis.c b/drivers/input/touchscreen/imagis.c +index e2697e6c6d2a0..b667914a44f1d 100644 +--- a/drivers/input/touchscreen/imagis.c ++++ b/drivers/input/touchscreen/imagis.c +@@ -210,7 +210,7 @@ static int imagis_init_input_dev(struct imagis_ts *ts) + + input_set_capability(input_dev, EV_ABS, ABS_MT_POSITION_X); + input_set_capability(input_dev, EV_ABS, ABS_MT_POSITION_Y); +- input_set_abs_params(input_dev, ABS_MT_TOUCH_MAJOR, 0, 255, 0, 0); ++ input_set_abs_params(input_dev, ABS_MT_TOUCH_MAJOR, 0, 16, 0, 0); + + touchscreen_parse_properties(input_dev, true, &ts->prop); + if (!ts->prop.max_x || !ts->prop.max_y) { +-- +2.43.0 + diff --git a/queue-6.1/io_uring-clear-opcode-specific-data-for-an-early-fai.patch b/queue-6.1/io_uring-clear-opcode-specific-data-for-an-early-fai.patch new file mode 100644 index 0000000000..ddbaa10887 --- /dev/null +++ b/queue-6.1/io_uring-clear-opcode-specific-data-for-an-early-fai.patch @@ -0,0 +1,105 @@ +From 9e9f0fd22d163657c752a4b38e0b43a5707e6c3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Mar 2024 09:51:40 -0600 +Subject: io_uring: clear opcode specific data for an early failure + +From: Jens Axboe + +[ Upstream commit e21e1c45e1fe2e31732f40256b49c04e76a17cee ] + +If failure happens before the opcode prep handler is called, ensure that +we clear the opcode specific area of the request, which holds data +specific to that request type. This prevents errors where opcode +handlers either don't get to clear per-request private data since prep +isn't even called. + +Reported-and-tested-by: syzbot+f8e9a371388aa62ecab4@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 415248c1f82c6..68f1b6f8699a6 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1978,6 +1978,13 @@ static void io_init_req_drain(struct io_kiocb *req) + } + } + ++static __cold int io_init_fail_req(struct io_kiocb *req, int err) ++{ ++ /* ensure per-opcode data is cleared if we fail before prep */ ++ memset(&req->cmd.data, 0, sizeof(req->cmd.data)); ++ return err; ++} ++ + static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, + const struct io_uring_sqe *sqe) + __must_hold(&ctx->uring_lock) +@@ -1998,29 +2005,29 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, + + if (unlikely(opcode >= IORING_OP_LAST)) { + req->opcode = 0; +- return -EINVAL; ++ return io_init_fail_req(req, -EINVAL); + } + def = &io_op_defs[opcode]; + if (unlikely(sqe_flags & ~SQE_COMMON_FLAGS)) { + /* enforce forwards compatibility on users */ + if (sqe_flags & ~SQE_VALID_FLAGS) +- return -EINVAL; ++ return io_init_fail_req(req, -EINVAL); + if (sqe_flags & IOSQE_BUFFER_SELECT) { + if (!def->buffer_select) +- return -EOPNOTSUPP; ++ return io_init_fail_req(req, -EOPNOTSUPP); + req->buf_index = READ_ONCE(sqe->buf_group); + } + if (sqe_flags & IOSQE_CQE_SKIP_SUCCESS) + ctx->drain_disabled = true; + if (sqe_flags & IOSQE_IO_DRAIN) { + if (ctx->drain_disabled) +- return -EOPNOTSUPP; ++ return io_init_fail_req(req, -EOPNOTSUPP); + io_init_req_drain(req); + } + } + if (unlikely(ctx->restricted || ctx->drain_active || ctx->drain_next)) { + if (ctx->restricted && !io_check_restriction(ctx, req, sqe_flags)) +- return -EACCES; ++ return io_init_fail_req(req, -EACCES); + /* knock it to the slow queue path, will be drained there */ + if (ctx->drain_active) + req->flags |= REQ_F_FORCE_ASYNC; +@@ -2033,9 +2040,9 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, + } + + if (!def->ioprio && sqe->ioprio) +- return -EINVAL; ++ return io_init_fail_req(req, -EINVAL); + if (!def->iopoll && (ctx->flags & IORING_SETUP_IOPOLL)) +- return -EINVAL; ++ return io_init_fail_req(req, -EINVAL); + + if (def->needs_file) { + struct io_submit_state *state = &ctx->submit_state; +@@ -2059,12 +2066,12 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, + + req->creds = xa_load(&ctx->personalities, personality); + if (!req->creds) +- return -EINVAL; ++ return io_init_fail_req(req, -EINVAL); + get_cred(req->creds); + ret = security_uring_override_creds(req->creds); + if (ret) { + put_cred(req->creds); +- return ret; ++ return io_init_fail_req(req, ret); + } + req->flags |= REQ_F_CREDS; + } +-- +2.43.0 + diff --git a/queue-6.1/ionic-set-adminq-irq-affinity.patch b/queue-6.1/ionic-set-adminq-irq-affinity.patch new file mode 100644 index 0000000000..50698bb402 --- /dev/null +++ b/queue-6.1/ionic-set-adminq-irq-affinity.patch @@ -0,0 +1,43 @@ +From b68df20f36acc938a7253b2b04c4b537701e195c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 09:59:01 -0800 +Subject: ionic: set adminq irq affinity + +From: Shannon Nelson + +[ Upstream commit c699f35d658f3c21b69ed24e64b2ea26381e941d ] + +We claim to have the AdminQ on our irq0 and thus cpu id 0, +but we need to be sure we set the affinity hint to try to +keep it there. + +Signed-off-by: Shannon Nelson +Reviewed-by: Brett Creeley +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index fcc3faecb0600..d33cf8ee7c336 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -3216,9 +3216,12 @@ static int ionic_lif_adminq_init(struct ionic_lif *lif) + + napi_enable(&qcq->napi); + +- if (qcq->flags & IONIC_QCQ_F_INTR) ++ if (qcq->flags & IONIC_QCQ_F_INTR) { ++ irq_set_affinity_hint(qcq->intr.vector, ++ &qcq->intr.affinity_mask); + ionic_intr_mask(idev->intr_ctrl, qcq->intr.index, + IONIC_INTR_MASK_CLEAR); ++ } + + qcq->flags |= IONIC_QCQ_F_INITED; + +-- +2.43.0 + diff --git a/queue-6.1/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch b/queue-6.1/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch new file mode 100644 index 0000000000..185b7137f1 --- /dev/null +++ b/queue-6.1/isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch @@ -0,0 +1,60 @@ +From af80f879092bd81c4e3bb24744ae7e402709ce41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 19:21:32 -0700 +Subject: isofs: handle CDs with bad root inode but good Joliet root directory + +From: Alex Henrie + +[ Upstream commit 4243bf80c79211a8ca2795401add9c4a3b1d37ca ] + +I have a CD copy of the original Tom Clancy's Ghost Recon game from +2001. The disc mounts without error on Windows, but on Linux mounting +fails with the message "isofs_fill_super: get root inode failed". The +error originates in isofs_read_inode, which returns -EIO because de_len +is 0. The superblock on this disc appears to be intentionally corrupt as +a form of copy protection. + +When the root inode is unusable, instead of giving up immediately, try +to continue with the Joliet file table. This fixes the Ghost Recon CD +and probably other copy-protected CDs too. + +Signed-off-by: Alex Henrie +Signed-off-by: Jan Kara +Message-Id: <20240208022134.451490-1-alexhenrie24@gmail.com> +Signed-off-by: Sasha Levin +--- + fs/isofs/inode.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index df9d70588b600..8a6c7fdc1d5fc 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -908,8 +908,22 @@ static int isofs_fill_super(struct super_block *s, void *data, int silent) + * we then decide whether to use the Joliet descriptor. + */ + inode = isofs_iget(s, sbi->s_firstdatazone, 0); +- if (IS_ERR(inode)) +- goto out_no_root; ++ ++ /* ++ * Fix for broken CDs with a corrupt root inode but a correct Joliet ++ * root directory. ++ */ ++ if (IS_ERR(inode)) { ++ if (joliet_level && sbi->s_firstdatazone != first_data_zone) { ++ printk(KERN_NOTICE ++ "ISOFS: root inode is unusable. " ++ "Disabling Rock Ridge and switching to Joliet."); ++ sbi->s_rock = 0; ++ inode = NULL; ++ } else { ++ goto out_no_root; ++ } ++ } + + /* + * Fix for broken CDs with Rock Ridge and empty ISO root directory but +-- +2.43.0 + diff --git a/queue-6.1/julia-lawall-reported-this-null-pointer-dereference-.patch b/queue-6.1/julia-lawall-reported-this-null-pointer-dereference-.patch new file mode 100644 index 0000000000..59da6a106c --- /dev/null +++ b/queue-6.1/julia-lawall-reported-this-null-pointer-dereference-.patch @@ -0,0 +1,32 @@ +From f32893dd0aa1cdec0c1e062f09561a4ebac522bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 15:57:53 -0500 +Subject: Julia Lawall reported this null pointer dereference, this should fix + it. + +From: Mike Marshall + +[ Upstream commit 9bf93dcfc453fae192fe5d7874b89699e8f800ac ] + +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c +index 5254256a224d7..4ca8ed410c3cf 100644 +--- a/fs/orangefs/super.c ++++ b/fs/orangefs/super.c +@@ -527,7 +527,7 @@ struct dentry *orangefs_mount(struct file_system_type *fst, + sb->s_fs_info = kzalloc(sizeof(struct orangefs_sb_info_s), GFP_KERNEL); + if (!ORANGEFS_SB(sb)) { + d = ERR_PTR(-ENOMEM); +- goto free_sb_and_op; ++ goto free_op; + } + + ret = orangefs_fill_sb(sb, +-- +2.43.0 + diff --git a/queue-6.1/ktest-force-buildonly-1-for-make_warnings_file-test-.patch b/queue-6.1/ktest-force-buildonly-1-for-make_warnings_file-test-.patch new file mode 100644 index 0000000000..e0304a4649 --- /dev/null +++ b/queue-6.1/ktest-force-buildonly-1-for-make_warnings_file-test-.patch @@ -0,0 +1,41 @@ +From 48e093164699d121ac5dd6859df8138d865ad528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 12:28:08 -0300 +Subject: ktest: force $buildonly = 1 for 'make_warnings_file' test type + +From: Ricardo B. Marliere + +[ Upstream commit 07283c1873a4d0eaa0e822536881bfdaea853910 ] + +The test type "make_warnings_file" should have no mandatory configuration +parameters other than the ones required by the "build" test type, because +its purpose is to create a file with build warnings that may or may not be +used by other subsequent tests. Currently, the only way to use it as a +stand-alone test is by setting POWER_CYCLE, CONSOLE, SSH_USER, +BUILD_TARGET, TARGET_IMAGE, REBOOT_TYPE and GRUB_MENU. + +Link: https://lkml.kernel.org/r/20240315-ktest-v2-1-c5c20a75f6a3@marliere.net + +Cc: John Hawley +Signed-off-by: Ricardo B. Marliere +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index e6c381498e632..449e45bd69665 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -836,6 +836,7 @@ sub set_value { + if ($lvalue =~ /^(TEST|BISECT|CONFIG_BISECT)_TYPE(\[.*\])?$/ && + $prvalue !~ /^(config_|)bisect$/ && + $prvalue !~ /^build$/ && ++ $prvalue !~ /^make_warnings_file$/ && + $buildonly) { + + # Note if a test is something other than build, then we +-- +2.43.0 + diff --git a/queue-6.1/libperf-evlist-avoid-out-of-bounds-access.patch b/queue-6.1/libperf-evlist-avoid-out-of-bounds-access.patch new file mode 100644 index 0000000000..c3c6ea5783 --- /dev/null +++ b/queue-6.1/libperf-evlist-avoid-out-of-bounds-access.patch @@ -0,0 +1,126 @@ +From 1ef9fdebb20e025ddee5b128736f36d442877e1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 23:07:57 -0800 +Subject: libperf evlist: Avoid out-of-bounds access + +From: Ian Rogers + +[ Upstream commit 1947b92464c3268381604bbe2ac977a3fd78192f ] + +Parallel testing appears to show a race between allocating and setting +evsel ids. As there is a bounds check on the xyarray it yields a segv +like: + +``` +AddressSanitizer:DEADLYSIGNAL + +================================================================= + +==484408==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 + +==484408==The signal is caused by a WRITE memory access. + +==484408==Hint: address points to the zero page. + + #0 0x55cef5d4eff4 in perf_evlist__id_hash tools/lib/perf/evlist.c:256 + #1 0x55cef5d4f132 in perf_evlist__id_add tools/lib/perf/evlist.c:274 + #2 0x55cef5d4f545 in perf_evlist__id_add_fd tools/lib/perf/evlist.c:315 + #3 0x55cef5a1923f in store_evsel_ids util/evsel.c:3130 + #4 0x55cef5a19400 in evsel__store_ids util/evsel.c:3147 + #5 0x55cef5888204 in __run_perf_stat tools/perf/builtin-stat.c:832 + #6 0x55cef5888c06 in run_perf_stat tools/perf/builtin-stat.c:960 + #7 0x55cef58932db in cmd_stat tools/perf/builtin-stat.c:2878 +... +``` + +Avoid this crash by early exiting the perf_evlist__id_add_fd and +perf_evlist__id_add is the access is out-of-bounds. + +Signed-off-by: Ian Rogers +Cc: Yang Jihong +Signed-off-by: Namhyung Kim +Link: https://lore.kernel.org/r/20240229070757.796244-1-irogers@google.com +Signed-off-by: Sasha Levin +--- + tools/lib/perf/evlist.c | 18 ++++++++++++------ + tools/lib/perf/include/internal/evlist.h | 4 ++-- + 2 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c +index 61b637f29b827..b871923c7e5cd 100644 +--- a/tools/lib/perf/evlist.c ++++ b/tools/lib/perf/evlist.c +@@ -233,10 +233,10 @@ u64 perf_evlist__read_format(struct perf_evlist *evlist) + + static void perf_evlist__id_hash(struct perf_evlist *evlist, + struct perf_evsel *evsel, +- int cpu, int thread, u64 id) ++ int cpu_map_idx, int thread, u64 id) + { + int hash; +- struct perf_sample_id *sid = SID(evsel, cpu, thread); ++ struct perf_sample_id *sid = SID(evsel, cpu_map_idx, thread); + + sid->id = id; + sid->evsel = evsel; +@@ -254,21 +254,27 @@ void perf_evlist__reset_id_hash(struct perf_evlist *evlist) + + void perf_evlist__id_add(struct perf_evlist *evlist, + struct perf_evsel *evsel, +- int cpu, int thread, u64 id) ++ int cpu_map_idx, int thread, u64 id) + { +- perf_evlist__id_hash(evlist, evsel, cpu, thread, id); ++ if (!SID(evsel, cpu_map_idx, thread)) ++ return; ++ ++ perf_evlist__id_hash(evlist, evsel, cpu_map_idx, thread, id); + evsel->id[evsel->ids++] = id; + } + + int perf_evlist__id_add_fd(struct perf_evlist *evlist, + struct perf_evsel *evsel, +- int cpu, int thread, int fd) ++ int cpu_map_idx, int thread, int fd) + { + u64 read_data[4] = { 0, }; + int id_idx = 1; /* The first entry is the counter value */ + u64 id; + int ret; + ++ if (!SID(evsel, cpu_map_idx, thread)) ++ return -1; ++ + ret = ioctl(fd, PERF_EVENT_IOC_ID, &id); + if (!ret) + goto add; +@@ -297,7 +303,7 @@ int perf_evlist__id_add_fd(struct perf_evlist *evlist, + id = read_data[id_idx]; + + add: +- perf_evlist__id_add(evlist, evsel, cpu, thread, id); ++ perf_evlist__id_add(evlist, evsel, cpu_map_idx, thread, id); + return 0; + } + +diff --git a/tools/lib/perf/include/internal/evlist.h b/tools/lib/perf/include/internal/evlist.h +index 850f07070036c..cf77db75291b9 100644 +--- a/tools/lib/perf/include/internal/evlist.h ++++ b/tools/lib/perf/include/internal/evlist.h +@@ -127,11 +127,11 @@ u64 perf_evlist__read_format(struct perf_evlist *evlist); + + void perf_evlist__id_add(struct perf_evlist *evlist, + struct perf_evsel *evsel, +- int cpu, int thread, u64 id); ++ int cpu_map_idx, int thread, u64 id); + + int perf_evlist__id_add_fd(struct perf_evlist *evlist, + struct perf_evsel *evsel, +- int cpu, int thread, int fd); ++ int cpu_map_idx, int thread, int fd); + + void perf_evlist__reset_id_hash(struct perf_evlist *evlist); + +-- +2.43.0 + diff --git a/queue-6.1/media-sta2x11-fix-irq-handler-cast.patch b/queue-6.1/media-sta2x11-fix-irq-handler-cast.patch new file mode 100644 index 0000000000..afcc9582cb --- /dev/null +++ b/queue-6.1/media-sta2x11-fix-irq-handler-cast.patch @@ -0,0 +1,62 @@ +From f9a1be016dca09631e01a2bd68797298393c1bd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 10:54:47 +0100 +Subject: media: sta2x11: fix irq handler cast + +From: Arnd Bergmann + +[ Upstream commit 3de49ae81c3a0f83a554ecbce4c08e019f30168e ] + +clang-16 warns about casting incompatible function pointers: + +drivers/media/pci/sta2x11/sta2x11_vip.c:1057:6: error: cast from 'irqreturn_t (*)(int, struct sta2x11_vip *)' (aka 'enum irqreturn (*)(int, struct sta2x11_vip *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] + +Change the prototype of the irq handler to the regular version with a +local variable to adjust the argument type. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +[hverkuil: update argument documentation] +Signed-off-by: Sasha Levin +--- + drivers/media/pci/sta2x11/sta2x11_vip.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/pci/sta2x11/sta2x11_vip.c b/drivers/media/pci/sta2x11/sta2x11_vip.c +index 8535e49a4c4f9..1f7ab56de4a00 100644 +--- a/drivers/media/pci/sta2x11/sta2x11_vip.c ++++ b/drivers/media/pci/sta2x11/sta2x11_vip.c +@@ -756,7 +756,7 @@ static const struct video_device video_dev_template = { + /** + * vip_irq - interrupt routine + * @irq: Number of interrupt ( not used, correct number is assumed ) +- * @vip: local data structure containing all information ++ * @data: local data structure containing all information + * + * check for both frame interrupts set ( top and bottom ). + * check FIFO overflow, but limit number of log messages after open. +@@ -766,8 +766,9 @@ static const struct video_device video_dev_template = { + * + * IRQ_HANDLED, interrupt done. + */ +-static irqreturn_t vip_irq(int irq, struct sta2x11_vip *vip) ++static irqreturn_t vip_irq(int irq, void *data) + { ++ struct sta2x11_vip *vip = data; + unsigned int status; + + status = reg_read(vip, DVP_ITS); +@@ -1049,9 +1050,7 @@ static int sta2x11_vip_init_one(struct pci_dev *pdev, + + spin_lock_init(&vip->slock); + +- ret = request_irq(pdev->irq, +- (irq_handler_t) vip_irq, +- IRQF_SHARED, KBUILD_MODNAME, vip); ++ ret = request_irq(pdev->irq, vip_irq, IRQF_SHARED, KBUILD_MODNAME, vip); + if (ret) { + dev_err(&pdev->dev, "request_irq failed\n"); + ret = -ENODEV; +-- +2.43.0 + diff --git a/queue-6.1/net-pcs-xpcs-return-einval-in-the-internal-methods.patch b/queue-6.1/net-pcs-xpcs-return-einval-in-the-internal-methods.patch new file mode 100644 index 0000000000..fdd425e003 --- /dev/null +++ b/queue-6.1/net-pcs-xpcs-return-einval-in-the-internal-methods.patch @@ -0,0 +1,51 @@ +From 69135b638fa739f854a2ef7b936b7380dc006760 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 20:58:22 +0300 +Subject: net: pcs: xpcs: Return EINVAL in the internal methods + +From: Serge Semin + +[ Upstream commit f5151005d379d9ce42e327fd3b2d2aaef61cda81 ] + +In particular the xpcs_soft_reset() and xpcs_do_config() functions +currently return -1 if invalid auto-negotiation mode is specified. That +value might be then passed to the generic kernel subsystems which require +a standard kernel errno value. Even though the erroneous conditions are +very specific (memory corruption or buggy driver implementation) using a +hard-coded -1 literal doesn't seem correct anyway especially when it comes +to passing it higher to the network subsystem or printing to the system +log. Convert the hard-coded error values to -EINVAL then. + +Signed-off-by: Serge Semin +Tested-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/pcs/pcs-xpcs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/pcs/pcs-xpcs.c b/drivers/net/pcs/pcs-xpcs.c +index 3f882bce37f42..d126273daab4f 100644 +--- a/drivers/net/pcs/pcs-xpcs.c ++++ b/drivers/net/pcs/pcs-xpcs.c +@@ -262,7 +262,7 @@ static int xpcs_soft_reset(struct dw_xpcs *xpcs, + dev = MDIO_MMD_VEND2; + break; + default: +- return -1; ++ return -EINVAL; + } + + ret = xpcs_write(xpcs, dev, MDIO_CTRL1, MDIO_CTRL1_RESET); +@@ -904,7 +904,7 @@ int xpcs_do_config(struct dw_xpcs *xpcs, phy_interface_t interface, + return ret; + break; + default: +- return -1; ++ return -EINVAL; + } + + if (compat->pma_config) { +-- +2.43.0 + diff --git a/queue-6.1/net-skbuff-add-overflow-debug-check-to-pull-push-hel.patch b/queue-6.1/net-skbuff-add-overflow-debug-check-to-pull-push-hel.patch new file mode 100644 index 0000000000..d8f301af84 --- /dev/null +++ b/queue-6.1/net-skbuff-add-overflow-debug-check-to-pull-push-hel.patch @@ -0,0 +1,87 @@ +From a97a18335f5b323d47dd683aa6cdc1b1e26c5210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 12:36:57 +0100 +Subject: net: skbuff: add overflow debug check to pull/push helpers + +From: Florian Westphal + +[ Upstream commit 219eee9c0d16f1b754a8b85275854ab17df0850a ] + +syzbot managed to trigger following splat: +BUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50 +Read of size 1 at addr ffff888208a4000e by task a.out/2313 +[..] + __skb_flow_dissect+0x4a3b/0x5e50 + __skb_get_hash+0xb4/0x400 + ip_tunnel_xmit+0x77e/0x26f0 + ipip_tunnel_xmit+0x298/0x410 + .. + +Analysis shows that the skb has a valid ->head, but bogus ->data +pointer. + +skb->data gets its bogus value via the neigh layer, which does: + +1556 __skb_pull(skb, skb_network_offset(skb)); + +... and the skb was already dodgy at this point: + +skb_network_offset(skb) returns a negative value due to an +earlier overflow of skb->network_header (u16). __skb_pull thus +"adjusts" skb->data by a huge offset, pointing outside skb->head +area. + +Allow debug builds to splat when we try to pull/push more than +INT_MAX bytes. + +After this, the syzkaller reproducer yields a more precise splat +before the flow dissector attempts to read off skb->data memory: + +WARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400 + ip_finish_output2+0xb25/0xed0 + iptunnel_xmit+0x4ff/0x870 + ipgre_xmit+0x78e/0xbb0 + +Signed-off-by: Florian Westphal +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240216113700.23013-1-fw@strlen.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index c4a8520dc748f..1326a935b6fad 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -2603,6 +2603,8 @@ static inline void skb_put_u8(struct sk_buff *skb, u8 val) + void *skb_push(struct sk_buff *skb, unsigned int len); + static inline void *__skb_push(struct sk_buff *skb, unsigned int len) + { ++ DEBUG_NET_WARN_ON_ONCE(len > INT_MAX); ++ + skb->data -= len; + skb->len += len; + return skb->data; +@@ -2611,6 +2613,8 @@ static inline void *__skb_push(struct sk_buff *skb, unsigned int len) + void *skb_pull(struct sk_buff *skb, unsigned int len); + static inline void *__skb_pull(struct sk_buff *skb, unsigned int len) + { ++ DEBUG_NET_WARN_ON_ONCE(len > INT_MAX); ++ + skb->len -= len; + if (unlikely(skb->len < skb->data_len)) { + #if defined(CONFIG_DEBUG_NET) +@@ -2634,6 +2638,8 @@ void *__pskb_pull_tail(struct sk_buff *skb, int delta); + + static inline bool pskb_may_pull(struct sk_buff *skb, unsigned int len) + { ++ DEBUG_NET_WARN_ON_ONCE(len > INT_MAX); ++ + if (likely(len <= skb_headlen(skb))) + return true; + if (unlikely(len > skb->len)) +-- +2.43.0 + diff --git a/queue-6.1/net-smc-reduce-rtnl-pressure-in-smc_pnet_create_pnet.patch b/queue-6.1/net-smc-reduce-rtnl-pressure-in-smc_pnet_create_pnet.patch new file mode 100644 index 0000000000..42b8eca0b6 --- /dev/null +++ b/queue-6.1/net-smc-reduce-rtnl-pressure-in-smc_pnet_create_pnet.patch @@ -0,0 +1,96 @@ +From bd4d6c6865c0b8d76dc0f16057900cbdec22c986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Mar 2024 10:07:44 +0000 +Subject: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() + +From: Eric Dumazet + +[ Upstream commit 00af2aa93b76b1bade471ad0d0525d4d29ca5cc0 ] + +Many syzbot reports show extreme rtnl pressure, and many of them hint +that smc acquires rtnl in netns creation for no good reason [1] + +This patch returns early from smc_pnet_net_init() +if there is no netdevice yet. + +I am not even sure why smc_pnet_create_pnetids_list() even exists, +because smc_pnet_netdev_event() is also calling +smc_pnet_add_base_pnetid() when handling NETDEV_UP event. + +[1] extract of typical syzbot reports + +2 locks held by syz-executor.3/12252: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.4/12253: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.1/12257: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.2/12261: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.0/12265: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.3/12268: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.4/12271: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.1/12274: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 +2 locks held by syz-executor.2/12280: + #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] + #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 + +Signed-off-by: Eric Dumazet +Cc: Wenjia Zhang +Cc: Jan Karcher +Cc: "D. Wythe" +Cc: Tony Lu +Cc: Wen Gu +Reviewed-by: Wenjia Zhang +Link: https://lore.kernel.org/r/20240302100744.3868021-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/smc_pnet.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c +index 25fb2fd186e22..21b8bf23e4ee6 100644 +--- a/net/smc/smc_pnet.c ++++ b/net/smc/smc_pnet.c +@@ -802,6 +802,16 @@ static void smc_pnet_create_pnetids_list(struct net *net) + u8 ndev_pnetid[SMC_MAX_PNETID_LEN]; + struct net_device *dev; + ++ /* Newly created netns do not have devices. ++ * Do not even acquire rtnl. ++ */ ++ if (list_empty(&net->dev_base_head)) ++ return; ++ ++ /* Note: This might not be needed, because smc_pnet_netdev_event() ++ * is also calling smc_pnet_add_base_pnetid() when handling ++ * NETDEV_UP event. ++ */ + rtnl_lock(); + for_each_netdev(net, dev) + smc_pnet_add_base_pnetid(net, dev, ndev_pnetid); +-- +2.43.0 + diff --git a/queue-6.1/netfilter-nf_tables-discard-table-flag-update-with-p.patch b/queue-6.1/netfilter-nf_tables-discard-table-flag-update-with-p.patch new file mode 100644 index 0000000000..9da8190bb7 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-discard-table-flag-update-with-p.patch @@ -0,0 +1,63 @@ +From e79c94c47faaf57868b8fa7359b491a0d7d55218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 23:18:34 +0200 +Subject: netfilter: nf_tables: discard table flag update with pending + basechain deletion + +From: Pablo Neira Ayuso + +commit 1bc83a019bbe268be3526406245ec28c2458a518 upstream. + +Hook unregistration is deferred to the commit phase, same occurs with +hook updates triggered by the table dormant flag. When both commands are +combined, this results in deleting a basechain while leaving its hook +still registered in the core. + +Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e7b31c2c92df2..8152a69d82681 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1192,6 +1192,24 @@ static void nf_tables_table_disable(struct net *net, struct nft_table *table) + #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ + __NFT_TABLE_F_WAS_AWAKEN) + ++static bool nft_table_pending_update(const struct nft_ctx *ctx) ++{ ++ struct nftables_pernet *nft_net = nft_pernet(ctx->net); ++ struct nft_trans *trans; ++ ++ if (ctx->table->flags & __NFT_TABLE_F_UPDATE) ++ return true; ++ ++ list_for_each_entry(trans, &nft_net->commit_list, list) { ++ if (trans->ctx.table == ctx->table && ++ trans->msg_type == NFT_MSG_DELCHAIN && ++ nft_is_base_chain(trans->ctx.chain)) ++ return true; ++ } ++ ++ return false; ++} ++ + static int nf_tables_updtable(struct nft_ctx *ctx) + { + struct nft_trans *trans; +@@ -1215,7 +1233,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx) + return -EOPNOTSUPP; + + /* No dormant off/on/off/on games in single transaction */ +- if (ctx->table->flags & __NFT_TABLE_F_UPDATE) ++ if (nft_table_pending_update(ctx)) + return -EINVAL; + + trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, +-- +2.43.0 + diff --git a/queue-6.1/netfilter-nf_tables-release-batch-on-table-validatio.patch b/queue-6.1/netfilter-nf_tables-release-batch-on-table-validatio.patch new file mode 100644 index 0000000000..0158c4b148 --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-release-batch-on-table-validatio.patch @@ -0,0 +1,84 @@ +From 1bcc57ba8d1bfd4fd44578a4d97e8a7a2490f9e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 23:18:32 +0200 +Subject: netfilter: nf_tables: release batch on table validation from abort + path + +From: Pablo Neira Ayuso + +commit a45e6889575c2067d3c0212b6bc1022891e65b91 upstream. + +Unlike early commit path stage which triggers a call to abort, an +explicit release of the batch is required on abort, otherwise mutex is +released and commit_list remains in place. + +Add WARN_ON_ONCE to ensure commit_list is empty from the abort path +before releasing the mutex. + +After this patch, commit_list is always assumed to be empty before +grabbing the mutex, therefore + + 03c1f1ef1584 ("netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()") + +only needs to release the pending modules for registration. + +Cc: stable@vger.kernel.org +Fixes: c0391b6ab810 ("netfilter: nf_tables: missing validation from the abort path") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8d38cd5047692..6b032a90e2b15 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9902,10 +9902,11 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + struct nft_trans *trans, *next; + LIST_HEAD(set_update_list); + struct nft_trans_elem *te; ++ int err = 0; + + if (action == NFNL_ABORT_VALIDATE && + nf_tables_validate(net) < 0) +- return -EAGAIN; ++ err = -EAGAIN; + + list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, + list) { +@@ -10081,7 +10082,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + else + nf_tables_module_autoload_cleanup(net); + +- return 0; ++ return err; + } + + static int nf_tables_abort(struct net *net, struct sk_buff *skb, +@@ -10095,6 +10096,8 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb, + ret = __nf_tables_abort(net, action); + nft_gc_seq_end(nft_net, gc_seq); + ++ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); ++ + mutex_unlock(&nft_net->commit_mutex); + + return ret; +@@ -10892,9 +10895,10 @@ static void __net_exit nf_tables_exit_net(struct net *net) + + gc_seq = nft_gc_seq_begin(nft_net); + +- if (!list_empty(&nft_net->commit_list) || +- !list_empty(&nft_net->module_list)) +- __nf_tables_abort(net, NFNL_ABORT_NONE); ++ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); ++ ++ if (!list_empty(&nft_net->module_list)) ++ nf_tables_module_autoload_cleanup(net); + + __nft_release_tables(net); + +-- +2.43.0 + diff --git a/queue-6.1/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch b/queue-6.1/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch new file mode 100644 index 0000000000..a658c27f0f --- /dev/null +++ b/queue-6.1/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch @@ -0,0 +1,62 @@ +From fbc9d5616321424411f25cf6245f5bcc61821b10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 23:18:33 +0200 +Subject: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort + path + +From: Pablo Neira Ayuso + +commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream. + +The commit mutex should not be released during the critical section +between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC +worker could collect expired objects and get the released commit lock +within the same GC sequence. + +nf_tables_module_autoload() temporarily releases the mutex to load +module dependencies, then it goes back to replay the transaction again. +Move it at the end of the abort phase after nft_gc_seq_end() is called. + +Cc: stable@vger.kernel.org +Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path") +Reported-by: Kuan-Ting Chen +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 6b032a90e2b15..e7b31c2c92df2 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10077,11 +10077,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + nf_tables_abort_release(trans); + } + +- if (action == NFNL_ABORT_AUTOLOAD) +- nf_tables_module_autoload(net); +- else +- nf_tables_module_autoload_cleanup(net); +- + return err; + } + +@@ -10098,6 +10093,14 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb, + + WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); + ++ /* module autoload needs to happen after GC sequence update because it ++ * temporarily releases and grabs mutex again. ++ */ ++ if (action == NFNL_ABORT_AUTOLOAD) ++ nf_tables_module_autoload(net); ++ else ++ nf_tables_module_autoload_cleanup(net); ++ + mutex_unlock(&nft_net->commit_mutex); + + return ret; +-- +2.43.0 + diff --git a/queue-6.1/panic-flush-kernel-log-buffer-at-the-end.patch b/queue-6.1/panic-flush-kernel-log-buffer-at-the-end.patch new file mode 100644 index 0000000000..d02dc455ea --- /dev/null +++ b/queue-6.1/panic-flush-kernel-log-buffer-at-the-end.patch @@ -0,0 +1,50 @@ +From 336a0042fb4c0ed408686cf412e706424d9014d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 14:47:02 +0106 +Subject: panic: Flush kernel log buffer at the end + +From: John Ogness + +[ Upstream commit d988d9a9b9d180bfd5c1d353b3b176cb90d6861b ] + +If the kernel crashes in a context where printk() calls always +defer printing (such as in NMI or inside a printk_safe section) +then the final panic messages will be deferred to irq_work. But +if irq_work is not available, the messages will not get printed +unless explicitly flushed. The result is that the final +"end Kernel panic" banner does not get printed. + +Add one final flush after the last printk() call to make sure +the final panic messages make it out as well. + +Signed-off-by: John Ogness +Reviewed-by: Petr Mladek +Link: https://lore.kernel.org/r/20240207134103.1357162-14-john.ogness@linutronix.de +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/panic.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/panic.c b/kernel/panic.c +index 63e94f3bd8dcd..e6c2bf04a32c0 100644 +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -441,6 +441,14 @@ void panic(const char *fmt, ...) + + /* Do not scroll important messages printed above */ + suppress_printk = 1; ++ ++ /* ++ * The final messages may not have been printed if in a context that ++ * defers printing (such as NMI) and irq_work is not available. ++ * Explicitly flush the kernel log buffer one last time. ++ */ ++ console_flush_on_panic(CONSOLE_FLUSH_PENDING); ++ + local_irq_enable(); + for (i = 0; ; i += PANIC_TIMER_STEP) { + touch_softlockup_watchdog(); +-- +2.43.0 + diff --git a/queue-6.1/perf-x86-amd-lbr-discard-erroneous-branch-entries.patch b/queue-6.1/perf-x86-amd-lbr-discard-erroneous-branch-entries.patch new file mode 100644 index 0000000000..fe88922984 --- /dev/null +++ b/queue-6.1/perf-x86-amd-lbr-discard-erroneous-branch-entries.patch @@ -0,0 +1,49 @@ +From d4d225dc83f34d3aa87a9da7b8bd13d440c88cc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jan 2024 16:36:25 +0530 +Subject: perf/x86/amd/lbr: Discard erroneous branch entries + +From: Sandipan Das + +[ Upstream commit 29297ffffb0bf388778bd4b581a43cee6929ae65 ] + +The Revision Guide for AMD Family 19h Model 10-1Fh processors declares +Erratum 1452 which states that non-branch entries may erroneously be +recorded in the Last Branch Record (LBR) stack with the valid and +spec bits set. + +Such entries can be recognized by inspecting bit 61 of the corresponding +LastBranchStackToIp register. This bit is currently reserved but if found +to be set, the associated branch entry should be discarded. + +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Link: https://bugzilla.kernel.org/attachment.cgi?id=305518 +Link: https://lore.kernel.org/r/3ad2aa305f7396d41a40e3f054f740d464b16b7f.1706526029.git.sandipan.das@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/lbr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/events/amd/lbr.c b/arch/x86/events/amd/lbr.c +index b8fe74e8e0a60..48f4095f500d4 100644 +--- a/arch/x86/events/amd/lbr.c ++++ b/arch/x86/events/amd/lbr.c +@@ -173,9 +173,11 @@ void amd_pmu_lbr_read(void) + + /* + * Check if a branch has been logged; if valid = 0, spec = 0 +- * then no branch was recorded ++ * then no branch was recorded; if reserved = 1 then an ++ * erroneous branch was recorded (see Erratum 1452) + */ +- if (!entry.to.split.valid && !entry.to.split.spec) ++ if ((!entry.to.split.valid && !entry.to.split.spec) || ++ entry.to.split.reserved) + continue; + + perf_clear_branch_entry_bitfields(br + out); +-- +2.43.0 + diff --git a/queue-6.1/pinctrl-renesas-checker-limit-cfg-reg-enum-checks-to.patch b/queue-6.1/pinctrl-renesas-checker-limit-cfg-reg-enum-checks-to.patch new file mode 100644 index 0000000000..0b61bd26d6 --- /dev/null +++ b/queue-6.1/pinctrl-renesas-checker-limit-cfg-reg-enum-checks-to.patch @@ -0,0 +1,49 @@ +From e03c1708df6d47a0fbce1d9abb3813b4959a5c7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 14:43:38 +0100 +Subject: pinctrl: renesas: checker: Limit cfg reg enum checks to provided IDs + +From: Geert Uytterhoeven + +[ Upstream commit 3803584a4e9b65bb5b013f862f55c5055aa86c25 ] + +If the number of provided enum IDs in a variable width config register +description does not match the expected number, the checker uses the +expected number for validating the individual enum IDs. + +However, this may cause out-of-bounds accesses on the array holding the +enum IDs, leading to bogus enum_id conflict warnings. Worse, if the bug +is an incorrect bit field description (e.g. accidentally using "12" +instead of "-12" for a reserved field), thousands of warnings may be +printed, overflowing the kernel log buffer. + +Fix this by limiting the enum ID check to the number of provided enum +IDs. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/c7385f44f2faebb8856bcbb4e908d846fc1531fb.1705930809.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/renesas/core.c b/drivers/pinctrl/renesas/core.c +index c91102d3f1d15..1c7f8caf7f7cd 100644 +--- a/drivers/pinctrl/renesas/core.c ++++ b/drivers/pinctrl/renesas/core.c +@@ -921,9 +921,11 @@ static void __init sh_pfc_check_cfg_reg(const char *drvname, + sh_pfc_err("reg 0x%x: var_field_width declares %u instead of %u bits\n", + cfg_reg->reg, rw, cfg_reg->reg_width); + +- if (n != cfg_reg->nr_enum_ids) ++ if (n != cfg_reg->nr_enum_ids) { + sh_pfc_err("reg 0x%x: enum_ids[] has %u instead of %u values\n", + cfg_reg->reg, cfg_reg->nr_enum_ids, n); ++ n = cfg_reg->nr_enum_ids; ++ } + + check_enum_ids: + sh_pfc_check_reg_enums(drvname, cfg_reg->reg, cfg_reg->enum_ids, n); +-- +2.43.0 + diff --git a/queue-6.1/platform-x86-touchscreen_dmi-add-an-extra-entry-for-.patch b/queue-6.1/platform-x86-touchscreen_dmi-add-an-extra-entry-for-.patch new file mode 100644 index 0000000000..02e27ff749 --- /dev/null +++ b/queue-6.1/platform-x86-touchscreen_dmi-add-an-extra-entry-for-.patch @@ -0,0 +1,45 @@ +From 9866c0a2545308e3e98f6d3ccef4ca50a4b48f4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Feb 2024 22:40:17 +0000 +Subject: platform/x86: touchscreen_dmi: Add an extra entry for a variant of + the Chuwi Vi8 tablet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alban Boyé + +[ Upstream commit 1266e2efb7512dbf20eac820ca2ed34de6b1c3e7 ] + +Signed-off-by: Alban Boyé +Link: https://lore.kernel.org/r/20240227223919.11587-1-alban.boye@protonmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/touchscreen_dmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c +index 11d72a3533552..399b97b54dd0f 100644 +--- a/drivers/platform/x86/touchscreen_dmi.c ++++ b/drivers/platform/x86/touchscreen_dmi.c +@@ -1177,6 +1177,15 @@ const struct dmi_system_id touchscreen_dmi_table[] = { + DMI_MATCH(DMI_BIOS_VERSION, "CHUWI.D86JLBNR"), + }, + }, ++ { ++ /* Chuwi Vi8 dual-boot (CWI506) */ ++ .driver_data = (void *)&chuwi_vi8_data, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "i86"), ++ DMI_MATCH(DMI_BIOS_VERSION, "CHUWI2.D86JHBNR02"), ++ }, ++ }, + { + /* Chuwi Vi8 Plus (CWI519) */ + .driver_data = (void *)&chuwi_vi8_plus_data, +-- +2.43.0 + diff --git a/queue-6.1/pstore-zone-add-a-null-pointer-check-to-the-psz_kmsg.patch b/queue-6.1/pstore-zone-add-a-null-pointer-check-to-the-psz_kmsg.patch new file mode 100644 index 0000000000..3e5a1b064d --- /dev/null +++ b/queue-6.1/pstore-zone-add-a-null-pointer-check-to-the-psz_kmsg.patch @@ -0,0 +1,37 @@ +From b11fd3e7b6af221b7d4e76117cf52427229a9e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 18:02:06 +0800 +Subject: pstore/zone: Add a null pointer check to the psz_kmsg_read + +From: Kunwu Chan + +[ Upstream commit 98bc7e26e14fbb26a6abf97603d59532475e97f8 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. Ensure the allocation was successful +by checking the pointer validity. + +Signed-off-by: Kunwu Chan +Link: https://lore.kernel.org/r/20240118100206.213928-1-chentao@kylinos.cn +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/zone.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/pstore/zone.c b/fs/pstore/zone.c +index 2770746bb7aa1..abca117725c81 100644 +--- a/fs/pstore/zone.c ++++ b/fs/pstore/zone.c +@@ -973,6 +973,8 @@ static ssize_t psz_kmsg_read(struct pstore_zone *zone, + char *buf = kasprintf(GFP_KERNEL, "%s: Total %d times\n", + kmsg_dump_reason_str(record->reason), + record->count); ++ if (!buf) ++ return -ENOMEM; + hlen = strlen(buf); + record->buf = krealloc(buf, hlen + size, GFP_KERNEL); + if (!record->buf) { +-- +2.43.0 + diff --git a/queue-6.1/rcu-tasks-repair-rcu-tasks-trace-quiescence-check.patch b/queue-6.1/rcu-tasks-repair-rcu-tasks-trace-quiescence-check.patch new file mode 100644 index 0000000000..0b563766fe --- /dev/null +++ b/queue-6.1/rcu-tasks-repair-rcu-tasks-trace-quiescence-check.patch @@ -0,0 +1,46 @@ +From 5aca326b8ef12decce747927124008e1de957c4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 09:33:29 -0800 +Subject: rcu-tasks: Repair RCU Tasks Trace quiescence check + +From: Paul E. McKenney + +[ Upstream commit 2eb52fa8900e642b3b5054c4bf9776089d2a935f ] + +The context-switch-time check for RCU Tasks Trace quiescence expects +current->trc_reader_special.b.need_qs to be zero, and if so, updates +it to TRC_NEED_QS_CHECKED. This is backwards, because if this value +is zero, there is no RCU Tasks Trace grace period in flight, an thus +no need for a quiescent state. Instead, when a grace period starts, +this field is set to TRC_NEED_QS. + +This commit therefore changes the check from zero to TRC_NEED_QS. + +Reported-by: Steven Rostedt +Signed-off-by: Paul E. McKenney +Tested-by: Steven Rostedt (Google) +Signed-off-by: Boqun Feng +Signed-off-by: Sasha Levin +--- + include/linux/rcupdate.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index 319698087d66a..6858cae98da9e 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -205,9 +205,9 @@ void rcu_tasks_trace_qs_blkd(struct task_struct *t); + do { \ + int ___rttq_nesting = READ_ONCE((t)->trc_reader_nesting); \ + \ +- if (likely(!READ_ONCE((t)->trc_reader_special.b.need_qs)) && \ ++ if (unlikely(READ_ONCE((t)->trc_reader_special.b.need_qs) == TRC_NEED_QS) && \ + likely(!___rttq_nesting)) { \ +- rcu_trc_cmpxchg_need_qs((t), 0, TRC_NEED_QS_CHECKED); \ ++ rcu_trc_cmpxchg_need_qs((t), TRC_NEED_QS, TRC_NEED_QS_CHECKED); \ + } else if (___rttq_nesting && ___rttq_nesting != INT_MIN && \ + !READ_ONCE((t)->trc_reader_special.b.blocked)) { \ + rcu_tasks_trace_qs_blkd(t); \ +-- +2.43.0 + diff --git a/queue-6.1/rdma-cm-add-timeout-to-cm_destroy_id-wait.patch b/queue-6.1/rdma-cm-add-timeout-to-cm_destroy_id-wait.patch new file mode 100644 index 0000000000..f301ee8c3d --- /dev/null +++ b/queue-6.1/rdma-cm-add-timeout-to-cm_destroy_id-wait.patch @@ -0,0 +1,102 @@ +From b8dd9257523a11fddede0b124419672838bd04d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 22:33:23 -0800 +Subject: RDMA/cm: add timeout to cm_destroy_id wait + +From: Manjunath Patil + +[ Upstream commit 96d9cbe2f2ff7abde021bac75eafaceabe9a51fa ] + +Add timeout to cm_destroy_id, so that userspace can trigger any data +collection that would help in analyzing the cause of delay in destroying +the cm_id. + +New noinline function helps dtrace/ebpf programs to hook on to it. +Existing functionality isn't changed except triggering a probe-able new +function at every timeout interval. + +We have seen cases where CM messages stuck with MAD layer (either due to +software bug or faulty HCA), leading to cm_id getting stuck in the +following call stack. This patch helps in resolving such issues faster. + +kernel: ... INFO: task XXXX:56778 blocked for more than 120 seconds. +... + Call Trace: + __schedule+0x2bc/0x895 + schedule+0x36/0x7c + schedule_timeout+0x1f6/0x31f + ? __slab_free+0x19c/0x2ba + wait_for_completion+0x12b/0x18a + ? wake_up_q+0x80/0x73 + cm_destroy_id+0x345/0x610 [ib_cm] + ib_destroy_cm_id+0x10/0x20 [ib_cm] + rdma_destroy_id+0xa8/0x300 [rdma_cm] + ucma_destroy_id+0x13e/0x190 [rdma_ucm] + ucma_write+0xe0/0x160 [rdma_ucm] + __vfs_write+0x3a/0x16d + vfs_write+0xb2/0x1a1 + ? syscall_trace_enter+0x1ce/0x2b8 + SyS_write+0x5c/0xd3 + do_syscall_64+0x79/0x1b9 + entry_SYSCALL_64_after_hwframe+0x16d/0x0 + +Signed-off-by: Manjunath Patil +Link: https://lore.kernel.org/r/20240309063323.458102-1-manjunath.b.patil@oracle.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cm.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index b7f9023442890..462a10d6a5762 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -34,6 +34,7 @@ MODULE_AUTHOR("Sean Hefty"); + MODULE_DESCRIPTION("InfiniBand CM"); + MODULE_LICENSE("Dual BSD/GPL"); + ++#define CM_DESTROY_ID_WAIT_TIMEOUT 10000 /* msecs */ + static const char * const ibcm_rej_reason_strs[] = { + [IB_CM_REJ_NO_QP] = "no QP", + [IB_CM_REJ_NO_EEC] = "no EEC", +@@ -1025,10 +1026,20 @@ static void cm_reset_to_idle(struct cm_id_private *cm_id_priv) + } + } + ++static noinline void cm_destroy_id_wait_timeout(struct ib_cm_id *cm_id) ++{ ++ struct cm_id_private *cm_id_priv; ++ ++ cm_id_priv = container_of(cm_id, struct cm_id_private, id); ++ pr_err("%s: cm_id=%p timed out. state=%d refcnt=%d\n", __func__, ++ cm_id, cm_id->state, refcount_read(&cm_id_priv->refcount)); ++} ++ + static void cm_destroy_id(struct ib_cm_id *cm_id, int err) + { + struct cm_id_private *cm_id_priv; + struct cm_work *work; ++ int ret; + + cm_id_priv = container_of(cm_id, struct cm_id_private, id); + spin_lock_irq(&cm_id_priv->lock); +@@ -1135,7 +1146,14 @@ static void cm_destroy_id(struct ib_cm_id *cm_id, int err) + + xa_erase(&cm.local_id_table, cm_local_id(cm_id->local_id)); + cm_deref_id(cm_id_priv); +- wait_for_completion(&cm_id_priv->comp); ++ do { ++ ret = wait_for_completion_timeout(&cm_id_priv->comp, ++ msecs_to_jiffies( ++ CM_DESTROY_ID_WAIT_TIMEOUT)); ++ if (!ret) /* timeout happened */ ++ cm_destroy_id_wait_timeout(cm_id); ++ } while (!ret); ++ + while ((work = cm_dequeue_work(cm_id_priv)) != NULL) + cm_free_work(work); + +-- +2.43.0 + diff --git a/queue-6.1/revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch b/queue-6.1/revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch new file mode 100644 index 0000000000..cdce07add6 --- /dev/null +++ b/queue-6.1/revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch @@ -0,0 +1,58 @@ +From 8b8f4bad979c48dfa4e7f81e229085a164cb6838 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Feb 2024 08:53:16 +0100 +Subject: Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by + default" + +From: Daniel Drake + +[ Upstream commit cb98555fcd8eee98c30165537c7e394f3a66e809 ] + +This reverts commit d52848620de00cde4a3a5df908e231b8c8868250, which was +originally put in place to work around a s2idle failure on this platform +where the NVMe device was inaccessible upon resume. + +After extended testing, we found that the firmware's implementation of S3 +is buggy and intermittently fails to wake up the system. We need to revert +to s2idle mode. + +The NVMe issue has now been solved more precisely in the commit titled +"PCI: Disable D3cold on Asus B1400 PCI-NVMe bridge" + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215742 +Link: https://lore.kernel.org/r/20240228075316.7404-2-drake@endlessos.org +Signed-off-by: Daniel Drake +Signed-off-by: Bjorn Helgaas +Acked-by: Jian-Hong Pan +Acked-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/sleep.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c +index 539c12fbd2f14..6026e20f022a2 100644 +--- a/drivers/acpi/sleep.c ++++ b/drivers/acpi/sleep.c +@@ -385,18 +385,6 @@ static const struct dmi_system_id acpisleep_dmi_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_NAME, "20GGA00L00"), + }, + }, +- /* +- * ASUS B1400CEAE hangs on resume from suspend (see +- * https://bugzilla.kernel.org/show_bug.cgi?id=215742). +- */ +- { +- .callback = init_default_s3, +- .ident = "ASUS B1400CEAE", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_NAME, "ASUS EXPERTBOOK B1400CEAE"), +- }, +- }, + {}, + }; + +-- +2.43.0 + diff --git a/queue-6.1/ring-buffer-use-read_once-to-read-cpu_buffer-commit_.patch b/queue-6.1/ring-buffer-use-read_once-to-read-cpu_buffer-commit_.patch new file mode 100644 index 0000000000..99fcbecde0 --- /dev/null +++ b/queue-6.1/ring-buffer-use-read_once-to-read-cpu_buffer-commit_.patch @@ -0,0 +1,42 @@ +From c0474cdf91c01cc745b2da97f95dfe58459ffe8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Mar 2024 12:42:21 +0800 +Subject: ring-buffer: use READ_ONCE() to read cpu_buffer->commit_page in + concurrent environment + +From: linke li + +[ Upstream commit f1e30cb6369251c03f63c564006f96a54197dcc4 ] + +In function ring_buffer_iter_empty(), cpu_buffer->commit_page is read +while other threads may change it. It may cause the time_stamp that read +in the next line come from a different page. Use READ_ONCE() to avoid +having to reason about compiler optimizations now and in future. + +Link: https://lore.kernel.org/linux-trace-kernel/tencent_DFF7D3561A0686B5E8FC079150A02505180A@qq.com + +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Signed-off-by: linke li +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 431a922e5c89e..d2947de3021a9 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4431,7 +4431,7 @@ int ring_buffer_iter_empty(struct ring_buffer_iter *iter) + cpu_buffer = iter->cpu_buffer; + reader = cpu_buffer->reader_page; + head_page = cpu_buffer->head_page; +- commit_page = cpu_buffer->commit_page; ++ commit_page = READ_ONCE(cpu_buffer->commit_page); + commit_ts = commit_page->page->time_stamp; + + /* +-- +2.43.0 + diff --git a/queue-6.1/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch b/queue-6.1/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch new file mode 100644 index 0000000000..d03ea57df4 --- /dev/null +++ b/queue-6.1/scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch @@ -0,0 +1,45 @@ +From 81fefa7f1ca7db2204c744daedd6f18937950310 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jan 2024 10:50:57 -0800 +Subject: scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() + +From: Justin Tee + +[ Upstream commit 2ae917d4bcab80ab304b774d492e2fcd6c52c06b ] + +The call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an +unsuccessful status. In such cases, the elsiocb is not issued, the +completion is not called, and thus the elsiocb resource is leaked. + +Check return value after calling lpfc_sli4_resume_rpi() and conditionally +release the elsiocb resource. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240131185112.149731-3-justintee8345@gmail.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index b86ff9fcdf0c6..f21396a0ba9d0 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -748,8 +748,10 @@ lpfc_rcv_padisc(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + /* Save the ELS cmd */ + elsiocb->drvrTimeout = cmd; + +- lpfc_sli4_resume_rpi(ndlp, +- lpfc_mbx_cmpl_resume_rpi, elsiocb); ++ if (lpfc_sli4_resume_rpi(ndlp, ++ lpfc_mbx_cmpl_resume_rpi, ++ elsiocb)) ++ kfree(elsiocb); + goto out; + } + } +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..4381d90890 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,71 @@ +wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch +bnx2x-fix-firmware-version-string-character-counts.patch +batman-adv-return-directly-after-a-failed-batadv_dat.patch +batman-adv-improve-exception-handling-in-batadv_thro.patch +wifi-rtw89-pci-enlarge-rx-dma-buffer-to-consider-siz.patch +vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch +wifi-iwlwifi-pcie-add-the-pci-device-id-for-new-hard.patch +panic-flush-kernel-log-buffer-at-the-end.patch +cpuidle-avoid-potential-overflow-in-integer-multipli.patch +arm64-dts-rockchip-fix-rk3328-hdmi-ports-node.patch +arm64-dts-rockchip-fix-rk3399-hdmi-ports-node.patch +ionic-set-adminq-irq-affinity.patch +net-skbuff-add-overflow-debug-check-to-pull-push-hel.patch +firmware-tegra-bpmp-return-directly-after-a-failed-k.patch +wifi-brcmfmac-add-dmi-nvram-filename-quirk-for-acepc.patch +pstore-zone-add-a-null-pointer-check-to-the-psz_kmsg.patch +tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch +net-pcs-xpcs-return-einval-in-the-internal-methods.patch +dma-direct-leak-pages-on-dma_set_decrypted-failure.patch +wifi-ath11k-decrease-mhi-channel-buffer-length-to-8k.patch +cpufreq-don-t-unregister-cpufreq-cooling-on-cpu-hotp.patch +btrfs-handle-chunk-tree-lookup-error-in-btrfs_reloca.patch +btrfs-export-handle-invalid-inode-or-root-reference-.patch +btrfs-send-handle-path-ref-underflow-in-header-itera.patch +ice-use-relative-vsi-index-for-vfs-instead-of-pf-vsi.patch +net-smc-reduce-rtnl-pressure-in-smc_pnet_create_pnet.patch +bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch +bluetooth-btmtk-add-module_firmware-for-mt7922.patch +drm-vc4-don-t-check-if-plane-state-fb-state-fb.patch +input-synaptics-rmi4-fail-probing-if-memory-allocati.patch +drm-panel-orientation-quirks-add-quirk-for-gpd-win-m.patch +pinctrl-renesas-checker-limit-cfg-reg-enum-checks-to.patch +sysv-don-t-call-sb_bread-with-pointers_lock-held.patch +scsi-lpfc-fix-possible-memory-leak-in-lpfc_rcv_padis.patch +isofs-handle-cds-with-bad-root-inode-but-good-joliet.patch +asoc-intel-common-dmi-remap-for-rebranded-intel-nuc-.patch +rcu-tasks-repair-rcu-tasks-trace-quiescence-check.patch +julia-lawall-reported-this-null-pointer-dereference-.patch +media-sta2x11-fix-irq-handler-cast.patch +alsa-firewire-lib-handle-quirk-to-calculate-payload-.patch +ext4-add-a-hint-for-block-bitmap-corrupt-state-in-mb.patch +ext4-forbid-commit-inconsistent-quota-data-when-erro.patch +drm-amd-display-fix-nanosec-stat-overflow.patch +drm-amd-amdgpu-fix-potential-ioremap-memory-leaks-in.patch +sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch +revert-acpi-pm-block-asus-b1400ceae-from-suspend-to-.patch +libperf-evlist-avoid-out-of-bounds-access.patch +input-touchscreen-imagis-correct-the-maximum-touch-a.patch +block-prevent-division-by-zero-in-blk_rq_stat_sum.patch +rdma-cm-add-timeout-to-cm_destroy_id-wait.patch +input-imagis-use-field_get-where-applicable.patch +input-allocate-keycode-for-display-refresh-rate-togg.patch +platform-x86-touchscreen_dmi-add-an-extra-entry-for-.patch +perf-x86-amd-lbr-discard-erroneous-branch-entries.patch +ktest-force-buildonly-1-for-make_warnings_file-test-.patch +ring-buffer-use-read_once-to-read-cpu_buffer-commit_.patch +tools-iio-replace-seekdir-in-iio_generic_buffer.patch +bus-mhi-host-add-mhi_pm_sys_err_fail-state.patch +usb-gadget-uvc-mark-incomplete-frames-with-uvc_strea.patch +thunderbolt-keep-the-domain-powered-when-usb4-port-i.patch +usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch +usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch +thermal-of-assume-polling-delay-passive-0-when-absen.patch +asoc-soc-core.c-skip-dummy-codec-when-adding-platfor.patch +fbdev-viafb-fix-typo-in-hw_bitblt_1-and-hw_bitblt_2.patch +io_uring-clear-opcode-specific-data-for-an-early-fai.patch +drivers-nvme-add-quirks-for-device-126f-2262.patch +fbmon-prevent-division-by-zero-in-fb_videomode_from_.patch +netfilter-nf_tables-release-batch-on-table-validatio.patch +netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch +netfilter-nf_tables-discard-table-flag-update-with-p.patch diff --git a/queue-6.1/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch b/queue-6.1/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch new file mode 100644 index 0000000000..01c174fe73 --- /dev/null +++ b/queue-6.1/sunrpc-increase-size-of-rpc_wait_queue.qlen-from-uns.patch @@ -0,0 +1,87 @@ +From 47a9bebeafd6d676de48ea5aac1af8e0af0e55cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jan 2024 11:38:25 -0800 +Subject: SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to + unsigned int + +From: Dai Ngo + +[ Upstream commit 2c35f43b5a4b9cdfaa6fdd946f5a212615dac8eb ] + +When the NFS client is under extreme load the rpc_wait_queue.qlen counter +can be overflowed. Here is an instant of the backlog queue overflow in a +real world environment shown by drgn helper: + +rpc_task_stats(rpc_clnt): +------------------------- +rpc_clnt: 0xffff92b65d2bae00 +rpc_xprt: 0xffff9275db64f000 + Queue: sending[64887] pending[524] backlog[30441] binding[0] +XMIT task: 0xffff925c6b1d8e98 + WRITE: 750654 + __dta_call_status_580: 65463 + __dta_call_transmit_status_579: 1 + call_reserveresult: 685189 + nfs_client_init_is_complete: 1 + COMMIT: 584 + call_reserveresult: 573 + __dta_call_status_580: 11 + ACCESS: 1 + __dta_call_status_580: 1 + GETATTR: 10 + __dta_call_status_580: 4 + call_reserveresult: 6 +751249 tasks for server 111.222.333.444 +Total tasks: 751249 + +count_rpc_wait_queues(xprt): +---------------------------- +**** rpc_xprt: 0xffff9275db64f000 num_reqs: 65511 +wait_queue: xprt_binding[0] cnt: 0 +wait_queue: xprt_binding[1] cnt: 0 +wait_queue: xprt_binding[2] cnt: 0 +wait_queue: xprt_binding[3] cnt: 0 +rpc_wait_queue[xprt_binding].qlen: 0 maxpriority: 0 +wait_queue: xprt_sending[0] cnt: 0 +wait_queue: xprt_sending[1] cnt: 64887 +wait_queue: xprt_sending[2] cnt: 0 +wait_queue: xprt_sending[3] cnt: 0 +rpc_wait_queue[xprt_sending].qlen: 64887 maxpriority: 3 +wait_queue: xprt_pending[0] cnt: 524 +wait_queue: xprt_pending[1] cnt: 0 +wait_queue: xprt_pending[2] cnt: 0 +wait_queue: xprt_pending[3] cnt: 0 +rpc_wait_queue[xprt_pending].qlen: 524 maxpriority: 0 +wait_queue: xprt_backlog[0] cnt: 0 +wait_queue: xprt_backlog[1] cnt: 685801 +wait_queue: xprt_backlog[2] cnt: 0 +wait_queue: xprt_backlog[3] cnt: 0 +rpc_wait_queue[xprt_backlog].qlen: 30441 maxpriority: 3 [task cnt mismatch] + +There is no effect on operations when this overflow occurs. However +it causes confusion when trying to diagnose the performance problem. + +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/sched.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h +index 8ada7dc802d30..8f9bee0e21c3b 100644 +--- a/include/linux/sunrpc/sched.h ++++ b/include/linux/sunrpc/sched.h +@@ -186,7 +186,7 @@ struct rpc_wait_queue { + unsigned char maxpriority; /* maximum priority (0 if queue is not a priority queue) */ + unsigned char priority; /* current priority */ + unsigned char nr; /* # tasks remaining for cookie */ +- unsigned short qlen; /* total # tasks waiting in queue */ ++ unsigned int qlen; /* total # tasks waiting in queue */ + struct rpc_timer timer_list; + #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) || IS_ENABLED(CONFIG_TRACEPOINTS) + const char * name; +-- +2.43.0 + diff --git a/queue-6.1/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch b/queue-6.1/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch new file mode 100644 index 0000000000..f97806df3b --- /dev/null +++ b/queue-6.1/sysv-don-t-call-sb_bread-with-pointers_lock-held.patch @@ -0,0 +1,94 @@ +From d519304706b2066e323a1e53048fbf28449b990d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 21:04:50 +0900 +Subject: sysv: don't call sb_bread() with pointers_lock held + +From: Tetsuo Handa + +[ Upstream commit f123dc86388cb669c3d6322702dc441abc35c31e ] + +syzbot is reporting sleep in atomic context in SysV filesystem [1], for +sb_bread() is called with rw_spinlock held. + +A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug +and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by +"Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. + +Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the +former bug by moving pointers_lock lock to the callers, but instead +introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made +this problem easier to hit). + +Al Viro suggested that why not to do like get_branch()/get_block()/ +find_shared() in Minix filesystem does. And doing like that is almost a +revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() + from with find_shared() is called without write_lock(&pointers_lock). + +Reported-by: syzbot +Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f +Suggested-by: Al Viro +Signed-off-by: Tetsuo Handa +Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKURA.ne.jp +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/sysv/itree.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c +index 9925cfe571595..17c7d76770a0a 100644 +--- a/fs/sysv/itree.c ++++ b/fs/sysv/itree.c +@@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) + return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); + } + +-/* +- * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) +- */ + static Indirect *get_branch(struct inode *inode, + int depth, + int offsets[], +@@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode, + bh = sb_bread(sb, block); + if (!bh) + goto failure; ++ read_lock(&pointers_lock); + if (!verify_chain(chain, p)) + goto changed; + add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); ++ read_unlock(&pointers_lock); + if (!p->key) + goto no_block; + } + return NULL; + + changed: ++ read_unlock(&pointers_lock); + brelse(bh); + *err = -EAGAIN; + goto no_block; +@@ -218,9 +218,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b + goto out; + + reread: +- read_lock(&pointers_lock); + partial = get_branch(inode, depth, offsets, chain, &err); +- read_unlock(&pointers_lock); + + /* Simplest case - block found, no allocation needed */ + if (!partial) { +@@ -290,9 +288,9 @@ static Indirect *find_shared(struct inode *inode, + *top = 0; + for (k = depth; k > 1 && !offsets[k-1]; k--) + ; ++ partial = get_branch(inode, k, offsets, chain, &err); + + write_lock(&pointers_lock); +- partial = get_branch(inode, k, offsets, chain, &err); + if (!partial) + partial = chain + k-1; + /* +-- +2.43.0 + diff --git a/queue-6.1/thermal-of-assume-polling-delay-passive-0-when-absen.patch b/queue-6.1/thermal-of-assume-polling-delay-passive-0-when-absen.patch new file mode 100644 index 0000000000..ba0a6b2805 --- /dev/null +++ b/queue-6.1/thermal-of-assume-polling-delay-passive-0-when-absen.patch @@ -0,0 +1,56 @@ +From 14c64c185d36b71c95d94084b73804b698a27b5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jan 2024 13:11:16 +0100 +Subject: thermal/of: Assume polling-delay(-passive) 0 when absent + +From: Konrad Dybcio + +[ Upstream commit 488164006a281986d95abbc4b26e340c19c4c85b ] + +Currently, thermal zones associated with providers that have interrupts +for signaling hot/critical trips are required to set a polling-delay +of 0 to indicate no polling. This feels a bit backwards. + +Change the code such that "no polling delay" also means "no polling". + +Suggested-by: Bjorn Andersson +Signed-off-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Bjorn Andersson +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240125-topic-thermal-v1-2-3c9d4dced138@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_of.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c +index 4104743dbc17e..202dce0d2e309 100644 +--- a/drivers/thermal/thermal_of.c ++++ b/drivers/thermal/thermal_of.c +@@ -337,14 +337,18 @@ static int thermal_of_monitor_init(struct device_node *np, int *delay, int *pdel + int ret; + + ret = of_property_read_u32(np, "polling-delay-passive", pdelay); +- if (ret < 0) { +- pr_err("%pOFn: missing polling-delay-passive property\n", np); ++ if (ret == -EINVAL) { ++ *pdelay = 0; ++ } else if (ret < 0) { ++ pr_err("%pOFn: Couldn't get polling-delay-passive: %d\n", np, ret); + return ret; + } + + ret = of_property_read_u32(np, "polling-delay", delay); +- if (ret < 0) { +- pr_err("%pOFn: missing polling-delay property\n", np); ++ if (ret == -EINVAL) { ++ *delay = 0; ++ } else if (ret < 0) { ++ pr_err("%pOFn: Couldn't get polling-delay: %d\n", np, ret); + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.1/thunderbolt-keep-the-domain-powered-when-usb4-port-i.patch b/queue-6.1/thunderbolt-keep-the-domain-powered-when-usb4-port-i.patch new file mode 100644 index 0000000000..2d99708a0c --- /dev/null +++ b/queue-6.1/thunderbolt-keep-the-domain-powered-when-usb4-port-i.patch @@ -0,0 +1,167 @@ +From 9730608c2a1338f56e5605844c13f844ee5fea56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jan 2024 15:55:55 +0200 +Subject: thunderbolt: Keep the domain powered when USB4 port is in redrive + mode + +From: Mika Westerberg + +[ Upstream commit a75e0684efe567ae5f6a8e91a8360c4c1773cf3a ] + +If a DiplayPort cable is directly connected to the host routers USB4 +port, there is no tunnel involved but the port is in "redrive" mode +meaning that it is re-driving the DisplayPort signals from its +DisplayPort source. In this case we need to keep the domain powered on +otherwise once the domain enters D3cold the connected monitor blanks +too. + +Since this happens only on Intel Barlow Ridge add a quirk that takes +runtime PM reference if we detect that the USB4 port entered redrive +mode (and release it once it exits the mode). + +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/quirks.c | 14 +++++++++++ + drivers/thunderbolt/tb.c | 49 +++++++++++++++++++++++++++++++++++- + drivers/thunderbolt/tb.h | 4 +++ + 3 files changed, 66 insertions(+), 1 deletion(-) + +diff --git a/drivers/thunderbolt/quirks.c b/drivers/thunderbolt/quirks.c +index 4ab3803e10c83..638cb5fb22c11 100644 +--- a/drivers/thunderbolt/quirks.c ++++ b/drivers/thunderbolt/quirks.c +@@ -42,6 +42,12 @@ static void quirk_usb3_maximum_bandwidth(struct tb_switch *sw) + } + } + ++static void quirk_block_rpm_in_redrive(struct tb_switch *sw) ++{ ++ sw->quirks |= QUIRK_KEEP_POWER_IN_DP_REDRIVE; ++ tb_sw_dbg(sw, "preventing runtime PM in DP redrive mode\n"); ++} ++ + struct tb_quirk { + u16 hw_vendor_id; + u16 hw_device_id; +@@ -85,6 +91,14 @@ static const struct tb_quirk tb_quirks[] = { + quirk_usb3_maximum_bandwidth }, + { 0x8087, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HUB_40G_BRIDGE, 0x0000, 0x0000, + quirk_usb3_maximum_bandwidth }, ++ /* ++ * Block Runtime PM in DP redrive mode for Intel Barlow Ridge host ++ * controllers. ++ */ ++ { 0x8087, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI, 0x0000, 0x0000, ++ quirk_block_rpm_in_redrive }, ++ { 0x8087, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI, 0x0000, 0x0000, ++ quirk_block_rpm_in_redrive }, + /* + * CLx is not supported on AMD USB4 Yellow Carp and Pink Sardine platforms. + */ +diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c +index e1eb092ad1d67..e83269dc2b067 100644 +--- a/drivers/thunderbolt/tb.c ++++ b/drivers/thunderbolt/tb.c +@@ -1050,6 +1050,49 @@ static void tb_tunnel_dp(struct tb *tb) + pm_runtime_put_autosuspend(&in->sw->dev); + } + ++static void tb_enter_redrive(struct tb_port *port) ++{ ++ struct tb_switch *sw = port->sw; ++ ++ if (!(sw->quirks & QUIRK_KEEP_POWER_IN_DP_REDRIVE)) ++ return; ++ ++ /* ++ * If we get hot-unplug for the DP IN port of the host router ++ * and the DP resource is not available anymore it means there ++ * is a monitor connected directly to the Type-C port and we are ++ * in "redrive" mode. For this to work we cannot enter RTD3 so ++ * we bump up the runtime PM reference count here. ++ */ ++ if (!tb_port_is_dpin(port)) ++ return; ++ if (tb_route(sw)) ++ return; ++ if (!tb_switch_query_dp_resource(sw, port)) { ++ port->redrive = true; ++ pm_runtime_get(&sw->dev); ++ tb_port_dbg(port, "enter redrive mode, keeping powered\n"); ++ } ++} ++ ++static void tb_exit_redrive(struct tb_port *port) ++{ ++ struct tb_switch *sw = port->sw; ++ ++ if (!(sw->quirks & QUIRK_KEEP_POWER_IN_DP_REDRIVE)) ++ return; ++ ++ if (!tb_port_is_dpin(port)) ++ return; ++ if (tb_route(sw)) ++ return; ++ if (port->redrive && tb_switch_query_dp_resource(sw, port)) { ++ port->redrive = false; ++ pm_runtime_put(&sw->dev); ++ tb_port_dbg(port, "exit redrive mode\n"); ++ } ++} ++ + static void tb_dp_resource_unavailable(struct tb *tb, struct tb_port *port) + { + struct tb_port *in, *out; +@@ -1066,7 +1109,10 @@ static void tb_dp_resource_unavailable(struct tb *tb, struct tb_port *port) + } + + tunnel = tb_find_tunnel(tb, TB_TUNNEL_DP, in, out); +- tb_deactivate_and_free_tunnel(tunnel); ++ if (tunnel) ++ tb_deactivate_and_free_tunnel(tunnel); ++ else ++ tb_enter_redrive(port); + list_del_init(&port->list); + + /* +@@ -1092,6 +1138,7 @@ static void tb_dp_resource_available(struct tb *tb, struct tb_port *port) + tb_port_dbg(port, "DP %s resource available\n", + tb_port_is_dpin(port) ? "IN" : "OUT"); + list_add_tail(&port->list, &tcm->dp_resources); ++ tb_exit_redrive(port); + + /* Look for suitable DP IN <-> DP OUT pairs now */ + tb_tunnel_dp(tb); +diff --git a/drivers/thunderbolt/tb.h b/drivers/thunderbolt/tb.h +index f79cae48a8eab..b3fec5f8e20cd 100644 +--- a/drivers/thunderbolt/tb.h ++++ b/drivers/thunderbolt/tb.h +@@ -27,6 +27,8 @@ + #define QUIRK_FORCE_POWER_LINK_CONTROLLER BIT(0) + /* Disable CLx if not supported */ + #define QUIRK_NO_CLX BIT(1) ++/* Need to keep power on while USB4 port is in redrive mode */ ++#define QUIRK_KEEP_POWER_IN_DP_REDRIVE BIT(2) + + /** + * struct tb_nvm - Structure holding NVM information +@@ -254,6 +256,7 @@ struct tb_switch { + * DMA paths through this port. + * @max_bw: Maximum possible bandwidth through this adapter if set to + * non-zero. ++ * @redrive: For DP IN, if true the adapter is in redrive mode. + * + * In USB4 terminology this structure represents an adapter (protocol or + * lane adapter). +@@ -280,6 +283,7 @@ struct tb_port { + unsigned int ctl_credits; + unsigned int dma_credits; + unsigned int max_bw; ++ bool redrive; + }; + + /** +-- +2.43.0 + diff --git a/queue-6.1/tools-iio-replace-seekdir-in-iio_generic_buffer.patch b/queue-6.1/tools-iio-replace-seekdir-in-iio_generic_buffer.patch new file mode 100644 index 0000000000..0600835c8f --- /dev/null +++ b/queue-6.1/tools-iio-replace-seekdir-in-iio_generic_buffer.patch @@ -0,0 +1,45 @@ +From 059efb72058cc5ef04af20b15d94462c5dc5644c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jan 2024 12:32:20 +0200 +Subject: tools: iio: replace seekdir() in iio_generic_buffer + +From: Petre Rodan + +[ Upstream commit 4e6500bfa053dc133021f9c144261b77b0ba7dc8 ] + +Replace seekdir() with rewinddir() in order to fix a localized glibc bug. + +One of the glibc patches that stable Gentoo is using causes an improper +directory stream positioning bug on 32bit arm. That in turn ends up as a +floating point exception in iio_generic_buffer. + +The attached patch provides a fix by using an equivalent function which +should not cause trouble for other distros and is easier to reason about +in general as it obviously always goes back to to the start. + +https://sourceware.org/bugzilla/show_bug.cgi?id=31212 + +Signed-off-by: Petre Rodan +Link: https://lore.kernel.org/r/20240108103224.3986-1-petre.rodan@subdimension.ro +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + tools/iio/iio_utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c +index 6a00a6eecaef0..c5c5082cb24e5 100644 +--- a/tools/iio/iio_utils.c ++++ b/tools/iio/iio_utils.c +@@ -376,7 +376,7 @@ int build_channel_array(const char *device_dir, int buffer_idx, + goto error_close_dir; + } + +- seekdir(dp, 0); ++ rewinddir(dp); + while (ent = readdir(dp), ent) { + if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"), + "_en") == 0) { +-- +2.43.0 + diff --git a/queue-6.1/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch b/queue-6.1/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch new file mode 100644 index 0000000000..9fa9097c2a --- /dev/null +++ b/queue-6.1/tools-power-x86_energy_perf_policy-fix-file-leak-in-.patch @@ -0,0 +1,35 @@ +From 88556acad28fd5ec928ee311477de30b6d16b7f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 16:19:56 -0800 +Subject: tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() + +From: Samasth Norway Ananda + +[ Upstream commit f85450f134f0b4ca7e042dc3dc89155656a2299d ] + +In function get_pkg_num() if fopen_or_die() succeeds it returns a file +pointer to be used. But fclose() is never called before returning from +the function. + +Signed-off-by: Samasth Norway Ananda +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +index 5fd9e594079cf..ebda9c366b2ba 100644 +--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c ++++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +@@ -1241,6 +1241,7 @@ unsigned int get_pkg_num(int cpu) + retval = fscanf(fp, "%d\n", &pkg); + if (retval != 1) + errx(1, "%s: failed to parse", pathname); ++ fclose(fp); + return pkg; + } + +-- +2.43.0 + diff --git a/queue-6.1/usb-gadget-uvc-mark-incomplete-frames-with-uvc_strea.patch b/queue-6.1/usb-gadget-uvc-mark-incomplete-frames-with-uvc_strea.patch new file mode 100644 index 0000000000..f0c4cb95bc --- /dev/null +++ b/queue-6.1/usb-gadget-uvc-mark-incomplete-frames-with-uvc_strea.patch @@ -0,0 +1,39 @@ +From e0e26f6ff194dcac7430a7197e18a87a5bf12d73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Feb 2024 00:37:55 +0100 +Subject: usb: gadget: uvc: mark incomplete frames with UVC_STREAM_ERR + +From: Michael Grzeschik + +[ Upstream commit 2a3b7af120477d0571b815ccb8600cafd5ebf02f ] + +If an frame was transmitted incomplete to the host, we set the +UVC_STREAM_ERR bit in the header for the last request that is going +to be queued. This way the host will know that it should drop the +frame instead of trying to display the corrupted content. + +Signed-off-by: Michael Grzeschik +Link: https://lore.kernel.org/r/20240214-uvc-error-tag-v1-2-37659a3877fe@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/uvc_video.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c +index e81865978299c..be48d5ab17c7b 100644 +--- a/drivers/usb/gadget/function/uvc_video.c ++++ b/drivers/usb/gadget/function/uvc_video.c +@@ -35,6 +35,9 @@ uvc_video_encode_header(struct uvc_video *video, struct uvc_buffer *buf, + + data[1] = UVC_STREAM_EOH | video->fid; + ++ if (video->queue.flags & UVC_QUEUE_DROP_INCOMPLETE) ++ data[1] |= UVC_STREAM_ERR; ++ + if (video->queue.buf_used == 0 && ts.tv_sec) { + /* dwClockFrequency is 48 MHz */ + u32 pts = ((u64)ts.tv_sec * USEC_PER_SEC + ts.tv_nsec / NSEC_PER_USEC) * 48; +-- +2.43.0 + diff --git a/queue-6.1/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch b/queue-6.1/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch new file mode 100644 index 0000000000..aa14bbf1c6 --- /dev/null +++ b/queue-6.1/usb-sl811-hcd-only-defined-function-checkdone-if-qui.patch @@ -0,0 +1,47 @@ +From 0d75800a089010e19d70ef7748250117613d4195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 11:13:51 +0000 +Subject: usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined + +From: Colin Ian King + +[ Upstream commit 12f371e2b6cb4b79c788f1f073992e115f4ca918 ] + +Function checkdone is only required if QUIRK2 is defined, so add +appropriate #if / #endif around the function. + +Cleans up clang scan build warning: +drivers/usb/host/sl811-hcd.c:588:18: warning: unused function +'checkdone' [-Wunused-function] + +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20240307111351.1982382-1-colin.i.king@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/sl811-hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/sl811-hcd.c b/drivers/usb/host/sl811-hcd.c +index b8b90eec91078..48478eb712119 100644 +--- a/drivers/usb/host/sl811-hcd.c ++++ b/drivers/usb/host/sl811-hcd.c +@@ -585,6 +585,7 @@ done(struct sl811 *sl811, struct sl811h_ep *ep, u8 bank) + finish_request(sl811, ep, urb, urbstat); + } + ++#ifdef QUIRK2 + static inline u8 checkdone(struct sl811 *sl811) + { + u8 ctl; +@@ -616,6 +617,7 @@ static inline u8 checkdone(struct sl811 *sl811) + #endif + return irqstat; + } ++#endif + + static irqreturn_t sl811h_irq(struct usb_hcd *hcd) + { +-- +2.43.0 + diff --git a/queue-6.1/usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch b/queue-6.1/usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch new file mode 100644 index 0000000000..d965fc1416 --- /dev/null +++ b/queue-6.1/usb-typec-tcpci-add-generic-tcpci-fallback-compatibl.patch @@ -0,0 +1,36 @@ +From ac6fb91d496c1b75c3dd6fa2c219a0d7df70b022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Feb 2024 22:09:01 +0100 +Subject: usb: typec: tcpci: add generic tcpci fallback compatible + +From: Marco Felsch + +[ Upstream commit 8774ea7a553e2aec323170d49365b59af0a2b7e0 ] + +The driver already support the tcpci binding for the i2c_device_id so +add the support for the of_device_id too. + +Signed-off-by: Marco Felsch +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240222210903.208901-3-m.felsch@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/tcpci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/typec/tcpm/tcpci.c b/drivers/usb/typec/tcpm/tcpci.c +index 816945913ed0d..f649769912e53 100644 +--- a/drivers/usb/typec/tcpm/tcpci.c ++++ b/drivers/usb/typec/tcpm/tcpci.c +@@ -875,6 +875,7 @@ MODULE_DEVICE_TABLE(i2c, tcpci_id); + #ifdef CONFIG_OF + static const struct of_device_id tcpci_of_match[] = { + { .compatible = "nxp,ptn5110", }, ++ { .compatible = "tcpci", }, + {}, + }; + MODULE_DEVICE_TABLE(of, tcpci_of_match); +-- +2.43.0 + diff --git a/queue-6.1/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch b/queue-6.1/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch new file mode 100644 index 0000000000..f93aaa95ba --- /dev/null +++ b/queue-6.1/vmci-fix-memcpy-run-time-warning-in-dg_dispatch_as_h.patch @@ -0,0 +1,80 @@ +From 44e38f08cd359455835c27f6660c56aa19daf4d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jan 2024 08:40:00 -0800 +Subject: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() + +From: Harshit Mogalapalli + +[ Upstream commit 19b070fefd0d024af3daa7329cbc0d00de5302ec ] + +Syzkaller hit 'WARNING in dg_dispatch_as_host' bug. + +memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg" +at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24) + +WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237 +dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237 + +Some code commentry, based on my understanding: + +544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size) +/// This is 24 + payload_size + +memcpy(&dg_info->msg, dg, dg_size); + Destination = dg_info->msg ---> this is a 24 byte + structure(struct vmci_datagram) + Source = dg --> this is a 24 byte structure (struct vmci_datagram) + Size = dg_size = 24 + payload_size + +{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32. + + 35 struct delayed_datagram_info { + 36 struct datagram_entry *entry; + 37 struct work_struct work; + 38 bool in_dg_host_queue; + 39 /* msg and msg_payload must be together. */ + 40 struct vmci_datagram msg; + 41 u8 msg_payload[]; + 42 }; + +So those extra bytes of payload are copied into msg_payload[], a run time +warning is seen while fuzzing with Syzkaller. + +One possible way to fix the warning is to split the memcpy() into +two parts -- one -- direct assignment of msg and second taking care of payload. + +Gustavo quoted: +"Under FORTIFY_SOURCE we should not copy data across multiple members +in a structure." + +Reported-by: syzkaller +Suggested-by: Vegard Nossum +Suggested-by: Gustavo A. R. Silva +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c +index f50d22882476f..d1d8224c8800c 100644 +--- a/drivers/misc/vmw_vmci/vmci_datagram.c ++++ b/drivers/misc/vmw_vmci/vmci_datagram.c +@@ -234,7 +234,8 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg) + + dg_info->in_dg_host_queue = true; + dg_info->entry = dst_entry; +- memcpy(&dg_info->msg, dg, dg_size); ++ dg_info->msg = *dg; ++ memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size); + + INIT_WORK(&dg_info->work, dg_delayed_dispatch); + schedule_work(&dg_info->work); +-- +2.43.0 + diff --git a/queue-6.1/wifi-ath11k-decrease-mhi-channel-buffer-length-to-8k.patch b/queue-6.1/wifi-ath11k-decrease-mhi-channel-buffer-length-to-8k.patch new file mode 100644 index 0000000000..c7efb323b3 --- /dev/null +++ b/queue-6.1/wifi-ath11k-decrease-mhi-channel-buffer-length-to-8k.patch @@ -0,0 +1,92 @@ +From 7fa94059b68c963f5c8131b079f9061942b9ad41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 13:31:11 +0800 +Subject: wifi: ath11k: decrease MHI channel buffer length to 8KB + +From: Baochen Qiang + +[ Upstream commit 1cca1bddf9ef080503c15378cecf4877f7510015 ] + +Currently buf_len field of ath11k_mhi_config_qca6390 is assigned +with 0, making MHI use a default size, 64KB, to allocate channel +buffers. This is likely to fail in some scenarios where system +memory is highly fragmented and memory compaction or reclaim is +not allowed. + +There is a fail report which is caused by it: +kworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0 +CPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb +Workqueue: events_unbound async_run_entry_fn +Call Trace: + + dump_stack_lvl+0x47/0x60 + warn_alloc+0x13a/0x1b0 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __alloc_pages_direct_compact+0xab/0x210 + __alloc_pages_slowpath.constprop.0+0xd3e/0xda0 + __alloc_pages+0x32d/0x350 + ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] + __kmalloc_large_node+0x72/0x110 + __kmalloc+0x37c/0x480 + ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] + ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] + mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] + __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] + ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814] + device_for_each_child+0x5c/0xa0 + ? __pfx_pci_pm_resume+0x10/0x10 + ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e] + ? srso_alias_return_thunk+0x5/0xfbef5 + ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec] + ? srso_alias_return_thunk+0x5/0xfbef5 + dpm_run_callback+0x8c/0x1e0 + device_resume+0x104/0x340 + ? __pfx_dpm_watchdog_handler+0x10/0x10 + async_resume+0x1d/0x30 + async_run_entry_fn+0x32/0x120 + process_one_work+0x168/0x330 + worker_thread+0x2f5/0x410 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xe8/0x120 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + +Actually those buffers are used only by QMI target -> host communication. +And for WCN6855 and QCA6390, the largest packet size for that is less +than 6KB. So change buf_len field to 8KB, which results in order 1 +allocation if page size is 4KB. In this way, we can at least save some +memory, and as well as decrease the possibility of allocation failure +in those scenarios. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 + +Reported-by: Vlastimil Babka +Closes: https://lore.kernel.org/ath11k/96481a45-3547-4d23-ad34-3a8f1d90c1cd@suse.cz/ +Signed-off-by: Baochen Qiang +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240223053111.29170-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mhi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c +index a62ee05c54097..4bea36cc71085 100644 +--- a/drivers/net/wireless/ath/ath11k/mhi.c ++++ b/drivers/net/wireless/ath/ath11k/mhi.c +@@ -105,7 +105,7 @@ static struct mhi_controller_config ath11k_mhi_config_qca6390 = { + .max_channels = 128, + .timeout_ms = 2000, + .use_bounce_buf = false, +- .buf_len = 0, ++ .buf_len = 8192, + .num_channels = ARRAY_SIZE(ath11k_mhi_channels_qca6390), + .ch_cfg = ath11k_mhi_channels_qca6390, + .num_events = ARRAY_SIZE(ath11k_mhi_events_qca6390), +-- +2.43.0 + diff --git a/queue-6.1/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch b/queue-6.1/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch new file mode 100644 index 0000000000..45a3b28b96 --- /dev/null +++ b/queue-6.1/wifi-ath9k-fix-lna-selection-in-ath_ant_try_scan.patch @@ -0,0 +1,43 @@ +From 741218864a3ffe7ac0d08a2768d8ff813b9f15b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Dec 2023 13:29:03 +0200 +Subject: wifi: ath9k: fix LNA selection in ath_ant_try_scan() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit d6b27eb997ef9a2aa51633b3111bc4a04748e6d3 ] + +In 'ath_ant_try_scan()', (most likely) the 2nd LNA's signal +strength should be used in comparison against RSSI when +selecting first LNA as the main one. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Antipov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231211172502.25202-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/antenna.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/antenna.c b/drivers/net/wireless/ath/ath9k/antenna.c +index 988222cea9dfe..acc84e6711b0e 100644 +--- a/drivers/net/wireless/ath/ath9k/antenna.c ++++ b/drivers/net/wireless/ath/ath9k/antenna.c +@@ -643,7 +643,7 @@ static void ath_ant_try_scan(struct ath_ant_comb *antcomb, + conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1; + conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_PLUS_LNA2; + } else if (antcomb->rssi_sub > +- antcomb->rssi_lna1) { ++ antcomb->rssi_lna2) { + /* set to A-B */ + conf->main_lna_conf = ATH_ANT_DIV_COMB_LNA1; + conf->alt_lna_conf = ATH_ANT_DIV_COMB_LNA1_MINUS_LNA2; +-- +2.43.0 + diff --git a/queue-6.1/wifi-brcmfmac-add-dmi-nvram-filename-quirk-for-acepc.patch b/queue-6.1/wifi-brcmfmac-add-dmi-nvram-filename-quirk-for-acepc.patch new file mode 100644 index 0000000000..6588c39889 --- /dev/null +++ b/queue-6.1/wifi-brcmfmac-add-dmi-nvram-filename-quirk-for-acepc.patch @@ -0,0 +1,50 @@ +From bb90b1a6842ce4db78374b45cb195b64f76a8efc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 22:36:49 +0100 +Subject: wifi: brcmfmac: Add DMI nvram filename quirk for ACEPC W5 Pro + +From: Hans de Goede + +[ Upstream commit 32167707aa5e7ae4b160c18be79d85a7b4fdfcfb ] + +The ACEPC W5 Pro HDMI stick contains quite generic names in the sys_vendor +and product_name DMI strings, without this patch brcmfmac will try to load: +"brcmfmac43455-sdio.$(DEFAULT_STRING)-$(DEFAULT_STRING).txt" as nvram file +which is both too generic and messy with the $ symbols in the name. + +The ACEPC W5 Pro uses the same Ampak AP6255 module as the ACEPC T8 +and the nvram for the T8 is already in linux-firmware, so point the new +DMI nvram filename quirk to the T8 nvram file. + +Signed-off-by: Hans de Goede +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240216213649.251718-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c +index 86ff174936a9a..c3a602197662b 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c +@@ -82,6 +82,15 @@ static const struct dmi_system_id dmi_platform_data[] = { + }, + .driver_data = (void *)&acepc_t8_data, + }, ++ { ++ /* ACEPC W5 Pro Cherry Trail Z8350 HDMI stick, same wifi as the T8 */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "T3 MRD"), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "3"), ++ DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."), ++ }, ++ .driver_data = (void *)&acepc_t8_data, ++ }, + { + /* Chuwi Hi8 Pro with D2D3_Hi8Pro.233 BIOS */ + .matches = { +-- +2.43.0 + diff --git a/queue-6.1/wifi-iwlwifi-pcie-add-the-pci-device-id-for-new-hard.patch b/queue-6.1/wifi-iwlwifi-pcie-add-the-pci-device-id-for-new-hard.patch new file mode 100644 index 0000000000..60bcec8196 --- /dev/null +++ b/queue-6.1/wifi-iwlwifi-pcie-add-the-pci-device-id-for-new-hard.patch @@ -0,0 +1,36 @@ +From 45d80315d19d66419d0c34e3bd60331a101871e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jan 2024 21:22:00 +0200 +Subject: wifi: iwlwifi: pcie: Add the PCI device id for new hardware + +From: Mukesh Sisodiya + +[ Upstream commit 6770eee75148ba10c0c051885379714773e00b48 ] + +Add the support for a new PCI device id. + +Signed-off-by: Mukesh Sisodiya +Reviewed-by: Gregory Greenman +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240129211905.fde32107e0a3.I597cff4f340e4bed12b7568a0ad504bd4b2c1cf8@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 4d4db5f6836be..7f30e6add9933 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -505,6 +505,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + + /* Bz devices */ + {IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)}, ++ {IWL_PCI_DEVICE(0x272D, PCI_ANY_ID, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0xA840, PCI_ANY_ID, iwl_bz_trans_cfg)}, + {IWL_PCI_DEVICE(0x7740, PCI_ANY_ID, iwl_bz_trans_cfg)}, +-- +2.43.0 + diff --git a/queue-6.1/wifi-rtw89-pci-enlarge-rx-dma-buffer-to-consider-siz.patch b/queue-6.1/wifi-rtw89-pci-enlarge-rx-dma-buffer-to-consider-siz.patch new file mode 100644 index 0000000000..b0cb78e202 --- /dev/null +++ b/queue-6.1/wifi-rtw89-pci-enlarge-rx-dma-buffer-to-consider-siz.patch @@ -0,0 +1,40 @@ +From db141438337c889f3ca1b8253178e9201c9f7f74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Jan 2024 15:18:26 +0800 +Subject: wifi: rtw89: pci: enlarge RX DMA buffer to consider size of RX + descriptor + +From: Ping-Ke Shih + +[ Upstream commit c108b4a50dd7650941d4f4ec5c161655a73711db ] + +Hardware puts RX descriptor and packet in RX DMA buffer, so it could be +over one buffer size if packet size is 11454, and then it will be split +into two segments. WiFi 7 chips use larger size of RX descriptor, so +enlarge DMA buffer size according to RX descriptor to have better +performance and simple flow. + +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240121071826.10159-5-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/pci.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/pci.h b/drivers/net/wireless/realtek/rtw89/pci.h +index 179740607778a..d982c5dc0889f 100644 +--- a/drivers/net/wireless/realtek/rtw89/pci.h ++++ b/drivers/net/wireless/realtek/rtw89/pci.h +@@ -546,7 +546,7 @@ + #define RTW89_PCI_TXWD_NUM_MAX 512 + #define RTW89_PCI_TXWD_PAGE_SIZE 128 + #define RTW89_PCI_ADDRINFO_MAX 4 +-#define RTW89_PCI_RX_BUF_SIZE 11460 ++#define RTW89_PCI_RX_BUF_SIZE (11454 + 40) /* +40 for rtw89_rxdesc_long_v2 */ + + #define RTW89_PCI_POLL_BDRAM_RST_CNT 100 + #define RTW89_PCI_MULTITAG 8 +-- +2.43.0 + -- 2.39.5