From 9abbbc3887bfdae5b014889d726d774edde88e43 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 28 May 2023 17:46:02 +0100 Subject: [PATCH] 5.15-stable patches added patches: bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch cifs-mapchars-mount-option-ignored.patch coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch net-fix-skb-leak-in-__skb_tstamp_tx.patch octeontx2-pf-fix-tsov6-offload.patch power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch power-supply-leds-fix-blink-to-led-on-transition.patch power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch regulator-pca9450-fix-buck2-enable_mask.patch selftests-fib_tests-mute-cleanup-error-message.patch xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch --- ...32-bit-narrow-loads-of-64-bit-fields.patch | 58 ++++++++ .../cifs-mapchars-mount-option-ignored.patch | 46 ++++++ ...in-tmc_etr_buf_insert_barrier_packet.patch | 40 ++++++ ...r-remove-is-present-before-executing.patch | 66 +++++++++ ...-device-names-for-logical-partitions.patch | 131 ++++++++++++++++++ ...-behavior-in-bit-shift-for-sb_nouser.patch | 77 ++++++++++ ...ut-of-bounds-access-in-ipv6_find_tlv.patch | 36 +++++ .../net-fix-skb-leak-in-__skb_tstamp_tx.patch | 43 ++++++ .../octeontx2-pf-fix-tsov6-offload.patch | 36 +++++ ...o-bq27xxx_battery_current_and_status.patch | 72 ++++++++++ ...q27xxx_battery_update-race-condition.patch | 92 ++++++++++++ ...y-bq27xxx-fix-i2c-irq-race-on-remove.patch | 44 ++++++ ...nterval-handling-and-races-on-remove.patch | 94 +++++++++++++ ...-leds-fix-blink-to-led-on-transition.patch | 51 +++++++ ...k_autocancel-in-mt6360_charger_probe.patch | 32 +++++ ...ger-fix-inhibited-bit-for-status-reg.patch | 31 +++++ ...ulator-pca9450-fix-buck2-enable_mask.patch | 43 ++++++ ...fib_tests-mute-cleanup-error-message.patch | 45 ++++++ queue-5.15/series | 19 +++ ...frees-with-pvcalls_new_active_socket.patch | 60 ++++++++ 20 files changed, 1116 insertions(+) create mode 100644 queue-5.15/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch create mode 100644 queue-5.15/cifs-mapchars-mount-option-ignored.patch create mode 100644 queue-5.15/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch create mode 100644 queue-5.15/firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch create mode 100644 queue-5.15/firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch create mode 100644 queue-5.15/fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch create mode 100644 queue-5.15/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch create mode 100644 queue-5.15/net-fix-skb-leak-in-__skb_tstamp_tx.patch create mode 100644 queue-5.15/octeontx2-pf-fix-tsov6-offload.patch create mode 100644 queue-5.15/power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch create mode 100644 queue-5.15/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch create mode 100644 queue-5.15/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch create mode 100644 queue-5.15/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch create mode 100644 queue-5.15/power-supply-leds-fix-blink-to-led-on-transition.patch create mode 100644 queue-5.15/power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch create mode 100644 queue-5.15/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch create mode 100644 queue-5.15/regulator-pca9450-fix-buck2-enable_mask.patch create mode 100644 queue-5.15/selftests-fib_tests-mute-cleanup-error-message.patch create mode 100644 queue-5.15/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch diff --git a/queue-5.15/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch b/queue-5.15/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch new file mode 100644 index 00000000000..57b605afcc9 --- /dev/null +++ b/queue-5.15/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch @@ -0,0 +1,58 @@ +From 0613d8ca9ab382caabe9ed2dceb429e9781e443f Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 18 May 2023 11:25:28 +0100 +Subject: bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields + +From: Will Deacon + +commit 0613d8ca9ab382caabe9ed2dceb429e9781e443f upstream. + +A narrow load from a 64-bit context field results in a 64-bit load +followed potentially by a 64-bit right-shift and then a bitwise AND +operation to extract the relevant data. + +In the case of a 32-bit access, an immediate mask of 0xffffffff is used +to construct a 64-bit BPP_AND operation which then sign-extends the mask +value and effectively acts as a glorified no-op. For example: + +0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0) + +results in the following code generation for a 64-bit field: + + ldr x7, [x7] // 64-bit load + mov x10, #0xffffffffffffffff + and x7, x7, x10 + +Fix the mask generation so that narrow loads always perform a 32-bit AND +operation: + + ldr x7, [x7] // 64-bit load + mov w10, #0xffffffff + and w7, w7, w10 + +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: John Fastabend +Cc: Krzesimir Nowak +Cc: Andrey Ignatov +Acked-by: Yonghong Song +Fixes: 31fd85816dbe ("bpf: permits narrower load from bpf program context fields") +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20230518102528.1341-1-will@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -12391,7 +12391,7 @@ static int convert_ctx_accesses(struct b + insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH, + insn->dst_reg, + shift); +- insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg, ++ insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg, + (1ULL << size * 8) - 1); + } + } diff --git a/queue-5.15/cifs-mapchars-mount-option-ignored.patch b/queue-5.15/cifs-mapchars-mount-option-ignored.patch new file mode 100644 index 00000000000..c68d45575b8 --- /dev/null +++ b/queue-5.15/cifs-mapchars-mount-option-ignored.patch @@ -0,0 +1,46 @@ +From cb8b02fd6343228966324528adf920bfb8b8e681 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Wed, 24 May 2023 03:26:19 -0500 +Subject: cifs: mapchars mount option ignored + +From: Steve French + +commit cb8b02fd6343228966324528adf920bfb8b8e681 upstream. + +There are two ways that special characters (not allowed in some +other operating systems like Windows, but allowed in POSIX) have +been mapped in the past ("SFU" and "SFM" mappings) to allow them +to be stored in a range reserved for special chars. The default +for Linux has been to use "mapposix" (ie the SFM mapping) but +the conversion to the new mount API in the 5.11 kernel broke +the ability to override the default mapping of the reserved +characters (like '?' and '*' and '\') via "mapchars" mount option. + +This patch fixes that - so can now mount with "mapchars" +mount option to override the default ("mapposix" ie SFM) mapping. + +Reported-by: Tyler Spivey +Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/fs_context.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -884,6 +884,14 @@ static int smb3_fs_context_parse_param(s + ctx->sfu_remap = false; /* disable SFU mapping */ + } + break; ++ case Opt_mapchars: ++ if (result.negated) ++ ctx->sfu_remap = false; ++ else { ++ ctx->sfu_remap = true; ++ ctx->remap = false; /* disable SFM (mapposix) mapping */ ++ } ++ break; + case Opt_user_xattr: + if (result.negated) + ctx->no_xattr = 1; diff --git a/queue-5.15/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch b/queue-5.15/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch new file mode 100644 index 00000000000..cc70ea84bd1 --- /dev/null +++ b/queue-5.15/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch @@ -0,0 +1,40 @@ +From f67bc15e526bb9920683ad6c1891ff9e08981335 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Apr 2023 13:42:41 +0300 +Subject: coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() + +From: Dan Carpenter + +commit f67bc15e526bb9920683ad6c1891ff9e08981335 upstream. + +This code generates a Smatch warning: + + drivers/hwtracing/coresight/coresight-tmc-etr.c:947 tmc_etr_buf_insert_barrier_packet() + error: uninitialized symbol 'bufp'. + +The problem is that if tmc_sg_table_get_data() returns -EINVAL, then +when we test if "len < CORESIGHT_BARRIER_PKT_SIZE", the negative "len" +value is type promoted to a high unsigned long value which is greater +than CORESIGHT_BARRIER_PKT_SIZE. Fix this bug by adding an explicit +check for error codes. + +Fixes: 75f4e3619fe2 ("coresight: tmc-etr: Add transparent buffer management") +Signed-off-by: Dan Carpenter +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/7d33e244-d8b9-4c27-9653-883a13534b01@kili.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c +@@ -926,7 +926,7 @@ tmc_etr_buf_insert_barrier_packet(struct + + len = tmc_etr_buf_get_data(etr_buf, offset, + CORESIGHT_BARRIER_PKT_SIZE, &bufp); +- if (WARN_ON(len < CORESIGHT_BARRIER_PKT_SIZE)) ++ if (WARN_ON(len < 0 || len < CORESIGHT_BARRIER_PKT_SIZE)) + return -EINVAL; + coresight_insert_barrier_packet(bufp); + return offset + CORESIGHT_BARRIER_PKT_SIZE; diff --git a/queue-5.15/firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch b/queue-5.15/firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch new file mode 100644 index 00000000000..e0227af86c5 --- /dev/null +++ b/queue-5.15/firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch @@ -0,0 +1,66 @@ +From b71b55248a580e9c9befc4ae060539f1f8e477da Mon Sep 17 00:00:00 2001 +From: Sudeep Holla +Date: Thu, 20 Apr 2023 16:06:01 +0100 +Subject: firmware: arm_ffa: Check if ffa_driver remove is present before executing + +From: Sudeep Holla + +commit b71b55248a580e9c9befc4ae060539f1f8e477da upstream. + +Currently ffa_drv->remove() is called unconditionally from +ffa_device_remove(). Since the driver registration doesn't check for it +and allows it to be registered without .remove callback, we need to check +for the presence of it before executing it from ffa_device_remove() to +above a NULL pointer dereference like the one below: + + | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + | Mem abort info: + | ESR = 0x0000000086000004 + | EC = 0x21: IABT (current EL), IL = 32 bits + | SET = 0, FnV = 0 + | EA = 0, S1PTW = 0 + | FSC = 0x04: level 0 translation fault + | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000 + | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 + | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP + | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6 + | Hardware name: FVP Base RevC (DT) + | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c) + | pc : 0x0 + | lr : ffa_device_remove+0x20/0x2c + | Call trace: + | 0x0 + | device_release_driver_internal+0x16c/0x260 + | driver_detach+0x90/0xd0 + | bus_remove_driver+0xdc/0x11c + | driver_unregister+0x30/0x54 + | ffa_driver_unregister+0x14/0x20 + | cleanup_module+0x18/0xeec + | __arm64_sys_delete_module+0x234/0x378 + | invoke_syscall+0x40/0x108 + | el0_svc_common+0xb4/0xf0 + | do_el0_svc+0x30/0xa4 + | el0_svc+0x2c/0x7c + | el0t_64_sync_handler+0x84/0xf0 + | el0t_64_sync+0x190/0x194 + +Fixes: 244f5d597e1e ("firmware: arm_ffa: Add missing remove callback to ffa_bus_type") +Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-1-d9108e43a176@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_ffa/bus.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/arm_ffa/bus.c ++++ b/drivers/firmware/arm_ffa/bus.c +@@ -53,7 +53,8 @@ static void ffa_device_remove(struct dev + { + struct ffa_driver *ffa_drv = to_ffa_driver(dev->driver); + +- ffa_drv->remove(to_ffa_dev(dev)); ++ if (ffa_drv->remove) ++ ffa_drv->remove(to_ffa_dev(dev)); + } + + static int ffa_device_uevent(struct device *dev, struct kobj_uevent_env *env) diff --git a/queue-5.15/firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch b/queue-5.15/firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch new file mode 100644 index 00000000000..0209404216f --- /dev/null +++ b/queue-5.15/firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch @@ -0,0 +1,131 @@ +From 19b8766459c41c6f318f8a548cc1c66dffd18363 Mon Sep 17 00:00:00 2001 +From: Sudeep Holla +Date: Thu, 20 Apr 2023 16:06:03 +0100 +Subject: firmware: arm_ffa: Fix FFA device names for logical partitions + +From: Sudeep Holla + +commit 19b8766459c41c6f318f8a548cc1c66dffd18363 upstream. + +Each physical partition can provide multiple services each with UUID. +Each such service can be presented as logical partition with a unique +combination of VM ID and UUID. The number of distinct UUID in a system +will be less than or equal to the number of logical partitions. + +However, currently it fails to register more than one logical partition +or service within a physical partition as the device name contains only +VM ID while both VM ID and UUID are maintained in the partition information. +The kernel complains with the below message: + + | sysfs: cannot create duplicate filename '/devices/arm-ffa-8001' + | CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7 #8 + | Hardware name: FVP Base RevC (DT) + | Call trace: + | dump_backtrace+0xf8/0x118 + | show_stack+0x18/0x24 + | dump_stack_lvl+0x50/0x68 + | dump_stack+0x18/0x24 + | sysfs_create_dir_ns+0xe0/0x13c + | kobject_add_internal+0x220/0x3d4 + | kobject_add+0x94/0x100 + | device_add+0x144/0x5d8 + | device_register+0x20/0x30 + | ffa_device_register+0x88/0xd8 + | ffa_setup_partitions+0x108/0x1b8 + | ffa_init+0x2ec/0x3a4 + | do_one_initcall+0xcc/0x240 + | do_initcall_level+0x8c/0xac + | do_initcalls+0x54/0x94 + | do_basic_setup+0x1c/0x28 + | kernel_init_freeable+0x100/0x16c + | kernel_init+0x20/0x1a0 + | ret_from_fork+0x10/0x20 + | kobject_add_internal failed for arm-ffa-8001 with -EEXIST, don't try to + | register things with the same name in the same directory. + | arm_ffa arm-ffa: unable to register device arm-ffa-8001 err=-17 + | ARM FF-A: ffa_setup_partitions: failed to register partition ID 0x8001 + +By virtue of being random enough to avoid collisions when generated in a +distributed system, there is no way to compress UUID keys to the number +of bits required to identify each. We can eliminate '-' in the name but +it is not worth eliminating 4 bytes and add unnecessary logic for doing +that. Also v1.0 doesn't provide the UUID of the partitions which makes +it hard to use the same for the device name. + +So to keep it simple, let us alloc an ID using ida_alloc() and append the +same to "arm-ffa" to make up a unique device name. Also stash the id value +in ffa_dev to help freeing the ID later when the device is destroyed. + +Fixes: e781858488b9 ("firmware: arm_ffa: Add initial FFA bus support for device enumeration") +Reported-by: Lucian Paul-Trifu +Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-3-d9108e43a176@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_ffa/bus.c | 16 +++++++++++++--- + include/linux/arm_ffa.h | 1 + + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/firmware/arm_ffa/bus.c ++++ b/drivers/firmware/arm_ffa/bus.c +@@ -15,6 +15,8 @@ + + #include "common.h" + ++static DEFINE_IDA(ffa_bus_id); ++ + static int ffa_device_match(struct device *dev, struct device_driver *drv) + { + const struct ffa_device_id *id_table; +@@ -131,6 +133,7 @@ static void ffa_release_device(struct de + { + struct ffa_device *ffa_dev = to_ffa_dev(dev); + ++ ida_free(&ffa_bus_id, ffa_dev->id); + kfree(ffa_dev); + } + +@@ -170,18 +173,24 @@ bool ffa_device_is_valid(struct ffa_devi + + struct ffa_device *ffa_device_register(const uuid_t *uuid, int vm_id) + { +- int ret; ++ int id, ret; + struct device *dev; + struct ffa_device *ffa_dev; + ++ id = ida_alloc_min(&ffa_bus_id, 1, GFP_KERNEL); ++ if (id < 0) ++ return NULL; ++ + ffa_dev = kzalloc(sizeof(*ffa_dev), GFP_KERNEL); +- if (!ffa_dev) ++ if (!ffa_dev) { ++ ida_free(&ffa_bus_id, id); + return NULL; ++ } + + dev = &ffa_dev->dev; + dev->bus = &ffa_bus_type; + dev->release = ffa_release_device; +- dev_set_name(&ffa_dev->dev, "arm-ffa-%04x", vm_id); ++ dev_set_name(&ffa_dev->dev, "arm-ffa-%d", id); + + ffa_dev->vm_id = vm_id; + uuid_copy(&ffa_dev->uuid, uuid); +@@ -216,4 +225,5 @@ void arm_ffa_bus_exit(void) + { + ffa_devices_unregister(); + bus_unregister(&ffa_bus_type); ++ ida_destroy(&ffa_bus_id); + } +--- a/include/linux/arm_ffa.h ++++ b/include/linux/arm_ffa.h +@@ -13,6 +13,7 @@ + + /* FFA Bus/Device/Driver related */ + struct ffa_device { ++ u32 id; + int vm_id; + bool mode_32bit; + uuid_t uuid; diff --git a/queue-5.15/fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch b/queue-5.15/fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch new file mode 100644 index 00000000000..ea0488b9200 --- /dev/null +++ b/queue-5.15/fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch @@ -0,0 +1,77 @@ +From f15afbd34d8fadbd375f1212e97837e32bc170cc Mon Sep 17 00:00:00 2001 +From: Hao Ge +Date: Mon, 24 Apr 2023 13:18:35 +0800 +Subject: fs: fix undefined behavior in bit shift for SB_NOUSER + +From: Hao Ge + +commit f15afbd34d8fadbd375f1212e97837e32bc170cc upstream. + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. It was spotted by UBSAN. + +So let's just fix this by using the BIT() helper for all SB_* flags. + +Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags") +Signed-off-by: Hao Ge +Message-Id: <20230424051835.374204-1-gehao@kylinos.cn> +[brauner@kernel.org: use BIT() for all SB_* flags] +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/fs.h | 42 +++++++++++++++++++++--------------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1398,29 +1398,29 @@ extern int send_sigurg(struct fown_struc + * sb->s_flags. Note that these mirror the equivalent MS_* flags where + * represented in both. + */ +-#define SB_RDONLY 1 /* Mount read-only */ +-#define SB_NOSUID 2 /* Ignore suid and sgid bits */ +-#define SB_NODEV 4 /* Disallow access to device special files */ +-#define SB_NOEXEC 8 /* Disallow program execution */ +-#define SB_SYNCHRONOUS 16 /* Writes are synced at once */ +-#define SB_MANDLOCK 64 /* Allow mandatory locks on an FS */ +-#define SB_DIRSYNC 128 /* Directory modifications are synchronous */ +-#define SB_NOATIME 1024 /* Do not update access times. */ +-#define SB_NODIRATIME 2048 /* Do not update directory access times */ +-#define SB_SILENT 32768 +-#define SB_POSIXACL (1<<16) /* VFS does not apply the umask */ +-#define SB_INLINECRYPT (1<<17) /* Use blk-crypto for encrypted files */ +-#define SB_KERNMOUNT (1<<22) /* this is a kern_mount call */ +-#define SB_I_VERSION (1<<23) /* Update inode I_version field */ +-#define SB_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */ ++#define SB_RDONLY BIT(0) /* Mount read-only */ ++#define SB_NOSUID BIT(1) /* Ignore suid and sgid bits */ ++#define SB_NODEV BIT(2) /* Disallow access to device special files */ ++#define SB_NOEXEC BIT(3) /* Disallow program execution */ ++#define SB_SYNCHRONOUS BIT(4) /* Writes are synced at once */ ++#define SB_MANDLOCK BIT(6) /* Allow mandatory locks on an FS */ ++#define SB_DIRSYNC BIT(7) /* Directory modifications are synchronous */ ++#define SB_NOATIME BIT(10) /* Do not update access times. */ ++#define SB_NODIRATIME BIT(11) /* Do not update directory access times */ ++#define SB_SILENT BIT(15) ++#define SB_POSIXACL BIT(16) /* VFS does not apply the umask */ ++#define SB_INLINECRYPT BIT(17) /* Use blk-crypto for encrypted files */ ++#define SB_KERNMOUNT BIT(22) /* this is a kern_mount call */ ++#define SB_I_VERSION BIT(23) /* Update inode I_version field */ ++#define SB_LAZYTIME BIT(25) /* Update the on-disk [acm]times lazily */ + + /* These sb flags are internal to the kernel */ +-#define SB_SUBMOUNT (1<<26) +-#define SB_FORCE (1<<27) +-#define SB_NOSEC (1<<28) +-#define SB_BORN (1<<29) +-#define SB_ACTIVE (1<<30) +-#define SB_NOUSER (1<<31) ++#define SB_SUBMOUNT BIT(26) ++#define SB_FORCE BIT(27) ++#define SB_NOSEC BIT(28) ++#define SB_BORN BIT(29) ++#define SB_ACTIVE BIT(30) ++#define SB_NOUSER BIT(31) + + /* These flags relate to encoding and casefolding */ + #define SB_ENC_STRICT_MODE_FL (1 << 0) diff --git a/queue-5.15/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch b/queue-5.15/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch new file mode 100644 index 00000000000..6ef0c1a7d37 --- /dev/null +++ b/queue-5.15/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch @@ -0,0 +1,36 @@ +From 878ecb0897f4737a4c9401f3523fd49589025671 Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Tue, 23 May 2023 08:29:44 +0000 +Subject: ipv6: Fix out-of-bounds access in ipv6_find_tlv() + +From: Gavrilov Ilia + +commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream. + +optlen is fetched without checking whether there is more than one byte to parse. +It can lead to out-of-bounds access. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: c61a40432509 ("[IPV6]: Find option offset by type.") +Signed-off-by: Gavrilov Ilia +Reviewed-by: Jiri Pirko +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/exthdrs_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/exthdrs_core.c ++++ b/net/ipv6/exthdrs_core.c +@@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff * + optlen = 1; + break; + default: ++ if (len < 2) ++ goto bad; + optlen = nh[offset + 1] + 2; + if (optlen > len) + goto bad; diff --git a/queue-5.15/net-fix-skb-leak-in-__skb_tstamp_tx.patch b/queue-5.15/net-fix-skb-leak-in-__skb_tstamp_tx.patch new file mode 100644 index 00000000000..f76ef355cdf --- /dev/null +++ b/queue-5.15/net-fix-skb-leak-in-__skb_tstamp_tx.patch @@ -0,0 +1,43 @@ +From 8a02fb71d7192ff1a9a47c9d937624966c6e09af Mon Sep 17 00:00:00 2001 +From: Pratyush Yadav +Date: Mon, 22 May 2023 17:30:20 +0200 +Subject: net: fix skb leak in __skb_tstamp_tx() + +From: Pratyush Yadav + +commit 8a02fb71d7192ff1a9a47c9d937624966c6e09af upstream. + +Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with +TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with +zerocopy skbs. But it ended up adding a leak of its own. When +skb_orphan_frags_rx() fails, the function just returns, leaking the skb +it just cloned. Free it before returning. + +This bug was discovered and resolved using Coverity Static Analysis +Security Testing (SAST) by Synopsys, Inc. + +Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.") +Signed-off-by: Pratyush Yadav +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230522153020.32422-1-ptyadav@amazon.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4961,8 +4961,10 @@ void __skb_tstamp_tx(struct sk_buff *ori + } else { + skb = skb_clone(orig_skb, GFP_ATOMIC); + +- if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) ++ if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { ++ kfree_skb(skb); + return; ++ } + } + if (!skb) + return; diff --git a/queue-5.15/octeontx2-pf-fix-tsov6-offload.patch b/queue-5.15/octeontx2-pf-fix-tsov6-offload.patch new file mode 100644 index 00000000000..1a67135cd7f --- /dev/null +++ b/queue-5.15/octeontx2-pf-fix-tsov6-offload.patch @@ -0,0 +1,36 @@ +From de678ca38861f2eb58814048076dcf95ed1b5bf9 Mon Sep 17 00:00:00 2001 +From: Sunil Goutham +Date: Thu, 18 May 2023 12:10:42 +0530 +Subject: octeontx2-pf: Fix TSOv6 offload + +From: Sunil Goutham + +commit de678ca38861f2eb58814048076dcf95ed1b5bf9 upstream. + +HW adds segment size to the payload length +in the IPv6 header. Fix payload length to +just TCP header length instead of 'TCP header +size + IPv6 header size'. + +Fixes: 86d7476078b8 ("octeontx2-pf: TCP segmentation offload support") +Signed-off-by: Sunil Goutham +Signed-off-by: Ratheesh Kannoth +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c +@@ -574,9 +574,7 @@ static void otx2_sqe_add_ext(struct otx2 + htons(ext->lso_sb - skb_network_offset(skb)); + } else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) { + ext->lso_format = pfvf->hw.lso_tsov6_idx; +- +- ipv6_hdr(skb)->payload_len = +- htons(ext->lso_sb - skb_network_offset(skb)); ++ ipv6_hdr(skb)->payload_len = htons(tcp_hdrlen(skb)); + } else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) { + __be16 l3_proto = vlan_get_protocol(skb); + struct udphdr *udph = udp_hdr(skb); diff --git a/queue-5.15/power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch b/queue-5.15/power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch new file mode 100644 index 00000000000..8f7ae1efcf8 --- /dev/null +++ b/queue-5.15/power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch @@ -0,0 +1,72 @@ +From 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:35 +0200 +Subject: power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status() + +From: Hans de Goede + +commit 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 upstream. + +Add a cache parameter to bq27xxx_battery_current_and_status() so that +it can optionally use cached flags instead of re-reading them itself. + +This is a preparation patch for making bq27xxx_battery_update() check +the status and have it call power_supply_changed() on status changes. + +Fixes: 297a533b3e62 ("bq27x00: Cache battery registers") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1846,7 +1846,8 @@ static bool bq27xxx_battery_is_full(stru + static int bq27xxx_battery_current_and_status( + struct bq27xxx_device_info *di, + union power_supply_propval *val_curr, +- union power_supply_propval *val_status) ++ union power_supply_propval *val_status, ++ struct bq27xxx_reg_cache *cache) + { + bool single_flags = (di->opts & BQ27XXX_O_ZERO); + int curr; +@@ -1858,10 +1859,14 @@ static int bq27xxx_battery_current_and_s + return curr; + } + +- flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags); +- if (flags < 0) { +- dev_err(di->dev, "error reading flags\n"); +- return flags; ++ if (cache) { ++ flags = cache->flags; ++ } else { ++ flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags); ++ if (flags < 0) { ++ dev_err(di->dev, "error reading flags\n"); ++ return flags; ++ } + } + + if (di->opts & BQ27XXX_O_ZERO) { +@@ -2007,7 +2012,7 @@ static int bq27xxx_battery_get_property( + + switch (psp) { + case POWER_SUPPLY_PROP_STATUS: +- ret = bq27xxx_battery_current_and_status(di, NULL, val); ++ ret = bq27xxx_battery_current_and_status(di, NULL, val, NULL); + break; + case POWER_SUPPLY_PROP_VOLTAGE_NOW: + ret = bq27xxx_battery_voltage(di, val); +@@ -2016,7 +2021,7 @@ static int bq27xxx_battery_get_property( + val->intval = di->cache.flags < 0 ? 0 : 1; + break; + case POWER_SUPPLY_PROP_CURRENT_NOW: +- ret = bq27xxx_battery_current_and_status(di, val, NULL); ++ ret = bq27xxx_battery_current_and_status(di, val, NULL, NULL); + break; + case POWER_SUPPLY_PROP_CAPACITY: + ret = bq27xxx_simple_value(di->cache.capacity, val); diff --git a/queue-5.15/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch b/queue-5.15/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch new file mode 100644 index 00000000000..94f325bbb54 --- /dev/null +++ b/queue-5.15/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch @@ -0,0 +1,92 @@ +From 5c34c0aef185dcd10881847b9ebf20046aa77cb4 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:32 +0200 +Subject: power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition + +From: Hans de Goede + +commit 5c34c0aef185dcd10881847b9ebf20046aa77cb4 upstream. + +bq27xxx_battery_update() assumes / requires that it is only run once, +not multiple times at the same time. But there are 3 possible callers: + +1. bq27xxx_battery_poll() delayed_work item handler +2. bq27xxx_battery_irq_handler_thread() I2C IRQ handler +3. bq27xxx_battery_setup() + +And there is no protection against these racing with each other, +fix this race condition by making all callers take di->lock: + +- Rename bq27xxx_battery_update() to bq27xxx_battery_update_unlocked() + +- Add new bq27xxx_battery_update() which takes di->lock and then calls + bq27xxx_battery_update_unlocked() + +- Make stale cache check code in bq27xxx_battery_get_property(), which + already takes di->lock directly to check the jiffies, call + bq27xxx_battery_update_unlocked() instead of messing with + the delayed_work item + +- Make bq27xxx_battery_update_unlocked() mod the delayed-work item + so that the next poll is delayed to poll_interval milliseconds after + the last update independent of the source of the update + +Fixes: 740b755a3b34 ("bq27x00: Poll battery state") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1755,7 +1755,7 @@ static int bq27xxx_battery_read_health(s + return POWER_SUPPLY_HEALTH_GOOD; + } + +-void bq27xxx_battery_update(struct bq27xxx_device_info *di) ++static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di) + { + struct bq27xxx_reg_cache cache = {0, }; + bool has_ci_flag = di->opts & BQ27XXX_O_HAS_CI; +@@ -1806,6 +1806,16 @@ void bq27xxx_battery_update(struct bq27x + di->cache = cache; + + di->last_update = jiffies; ++ ++ if (poll_interval > 0) ++ mod_delayed_work(system_wq, &di->work, poll_interval * HZ); ++} ++ ++void bq27xxx_battery_update(struct bq27xxx_device_info *di) ++{ ++ mutex_lock(&di->lock); ++ bq27xxx_battery_update_unlocked(di); ++ mutex_unlock(&di->lock); + } + EXPORT_SYMBOL_GPL(bq27xxx_battery_update); + +@@ -1816,9 +1826,6 @@ static void bq27xxx_battery_poll(struct + work.work); + + bq27xxx_battery_update(di); +- +- if (poll_interval > 0) +- schedule_delayed_work(&di->work, poll_interval * HZ); + } + + static bool bq27xxx_battery_is_full(struct bq27xxx_device_info *di, int flags) +@@ -1991,10 +1998,8 @@ static int bq27xxx_battery_get_property( + struct bq27xxx_device_info *di = power_supply_get_drvdata(psy); + + mutex_lock(&di->lock); +- if (time_is_before_jiffies(di->last_update + 5 * HZ)) { +- cancel_delayed_work_sync(&di->work); +- bq27xxx_battery_poll(&di->work.work); +- } ++ if (time_is_before_jiffies(di->last_update + 5 * HZ)) ++ bq27xxx_battery_update_unlocked(di); + mutex_unlock(&di->lock); + + if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0) diff --git a/queue-5.15/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch b/queue-5.15/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch new file mode 100644 index 00000000000..f6c47bb4c62 --- /dev/null +++ b/queue-5.15/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch @@ -0,0 +1,44 @@ +From 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:33 +0200 +Subject: power: supply: bq27xxx: Fix I2C IRQ race on remove + +From: Hans de Goede + +commit 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 upstream. + +devm_request_threaded_irq() requested IRQs are only free-ed after +the driver's remove function has ran. So the IRQ could trigger and +call bq27xxx_battery_update() after bq27xxx_battery_teardown() has +already run. + +Switch to explicitly free-ing the IRQ in bq27xxx_battery_i2c_remove() +to fix this. + +Fixes: 8807feb91b76 ("power: bq27xxx_battery: Add interrupt handling support") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/power/supply/bq27xxx_battery_i2c.c ++++ b/drivers/power/supply/bq27xxx_battery_i2c.c +@@ -179,7 +179,7 @@ static int bq27xxx_battery_i2c_probe(str + i2c_set_clientdata(client, di); + + if (client->irq) { +- ret = devm_request_threaded_irq(&client->dev, client->irq, ++ ret = request_threaded_irq(client->irq, + NULL, bq27xxx_battery_irq_handler_thread, + IRQF_ONESHOT, + di->name, di); +@@ -209,6 +209,7 @@ static int bq27xxx_battery_i2c_remove(st + { + struct bq27xxx_device_info *di = i2c_get_clientdata(client); + ++ free_irq(client->irq, di); + bq27xxx_battery_teardown(di); + + mutex_lock(&battery_mutex); diff --git a/queue-5.15/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch b/queue-5.15/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch new file mode 100644 index 00000000000..841cbed07f7 --- /dev/null +++ b/queue-5.15/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch @@ -0,0 +1,94 @@ +From c00bc80462afc7963f449d7f21d896d2f629cacc Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:34 +0200 +Subject: power: supply: bq27xxx: Fix poll_interval handling and races on remove + +From: Hans de Goede + +commit c00bc80462afc7963f449d7f21d896d2f629cacc upstream. + +Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 +to avoid bq27xxx_battery_update() requeuing the delayed_work item. + +There are 2 problems with this: + +1. If the driver is unbound through sysfs, rather then the module being + rmmod-ed, this changes poll_interval unexpectedly + +2. This is racy, after it being set poll_interval could be changed + before bq27xxx_battery_update() checks it through + /sys/module/bq27xxx_battery/parameters/poll_interval + +Fix this by added a removed attribute to struct bq27xxx_device_info and +using that instead of setting poll_interval to 0. + +There also is another poll_interval related race on remove(), writing +/sys/module/bq27xxx_battery/parameters/poll_interval will requeue +the delayed_work item for all devices on the bq27xxx_battery_devices +list and the device being removed was only removed from that list +after cancelling the delayed_work item. + +Fix this by moving the removal from the bq27xxx_battery_devices list +to before cancelling the delayed_work item. + +Fixes: 8cfaaa811894 ("bq27x00_battery: Fix OOPS caused by unregistring bq27x00 driver") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 22 +++++++++------------- + include/linux/power/bq27xxx_battery.h | 1 + + 2 files changed, 10 insertions(+), 13 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1807,7 +1807,7 @@ static void bq27xxx_battery_update_unloc + + di->last_update = jiffies; + +- if (poll_interval > 0) ++ if (!di->removed && poll_interval > 0) + mod_delayed_work(system_wq, &di->work, poll_interval * HZ); + } + +@@ -2138,22 +2138,18 @@ EXPORT_SYMBOL_GPL(bq27xxx_battery_setup) + + void bq27xxx_battery_teardown(struct bq27xxx_device_info *di) + { +- /* +- * power_supply_unregister call bq27xxx_battery_get_property which +- * call bq27xxx_battery_poll. +- * Make sure that bq27xxx_battery_poll will not call +- * schedule_delayed_work again after unregister (which cause OOPS). +- */ +- poll_interval = 0; +- +- cancel_delayed_work_sync(&di->work); +- +- power_supply_unregister(di->bat); +- + mutex_lock(&bq27xxx_list_lock); + list_del(&di->list); + mutex_unlock(&bq27xxx_list_lock); + ++ /* Set removed to avoid bq27xxx_battery_update() re-queuing the work */ ++ mutex_lock(&di->lock); ++ di->removed = true; ++ mutex_unlock(&di->lock); ++ ++ cancel_delayed_work_sync(&di->work); ++ ++ power_supply_unregister(di->bat); + mutex_destroy(&di->lock); + } + EXPORT_SYMBOL_GPL(bq27xxx_battery_teardown); +--- a/include/linux/power/bq27xxx_battery.h ++++ b/include/linux/power/bq27xxx_battery.h +@@ -68,6 +68,7 @@ struct bq27xxx_device_info { + struct bq27xxx_access_methods bus; + struct bq27xxx_reg_cache cache; + int charge_design_full; ++ bool removed; + unsigned long last_update; + struct delayed_work work; + struct power_supply *bat; diff --git a/queue-5.15/power-supply-leds-fix-blink-to-led-on-transition.patch b/queue-5.15/power-supply-leds-fix-blink-to-led-on-transition.patch new file mode 100644 index 00000000000..5f59bd5809c --- /dev/null +++ b/queue-5.15/power-supply-leds-fix-blink-to-led-on-transition.patch @@ -0,0 +1,51 @@ +From e4484643991e0f6b89060092563f0dbab9450cbb Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 13 Apr 2023 12:09:41 +0200 +Subject: power: supply: leds: Fix blink to LED on transition + +From: Hans de Goede + +commit e4484643991e0f6b89060092563f0dbab9450cbb upstream. + +When a battery's status changes from charging to full then +the charging-blink-full-solid trigger tries to change +the LED from blinking to solid/on. + +As is documented in include/linux/leds.h to deactivate blinking / +to make the LED solid a LED_OFF must be send: + +""" + * Deactivate blinking again when the brightness is set to LED_OFF + * via the brightness_set() callback. +""" + +led_set_brighness() calls with a brightness value other then 0 / LED_OFF +merely change the brightness of the LED in its on state while it is +blinking. + +So power_supply_update_bat_leds() must first send a LED_OFF event +before the LED_FULL to disable blinking. + +Fixes: 6501f728c56f ("power_supply: Add new LED trigger charging-blink-solid-full") +Signed-off-by: Hans de Goede +Reviewed-by: Vasily Khoruzhick +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/power_supply_leds.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/power_supply_leds.c ++++ b/drivers/power/supply/power_supply_leds.c +@@ -34,8 +34,9 @@ static void power_supply_update_bat_leds + led_trigger_event(psy->charging_full_trig, LED_FULL); + led_trigger_event(psy->charging_trig, LED_OFF); + led_trigger_event(psy->full_trig, LED_FULL); +- led_trigger_event(psy->charging_blink_full_solid_trig, +- LED_FULL); ++ /* Going from blink to LED on requires a LED_OFF event to stop blink */ ++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_OFF); ++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_FULL); + break; + case POWER_SUPPLY_STATUS_CHARGING: + led_trigger_event(psy->charging_full_trig, LED_FULL); diff --git a/queue-5.15/power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch b/queue-5.15/power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch new file mode 100644 index 00000000000..714e1720f59 --- /dev/null +++ b/queue-5.15/power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch @@ -0,0 +1,32 @@ +From 4cbb0d358883a27e432714b5256f0362946f5e25 Mon Sep 17 00:00:00 2001 +From: Kang Chen +Date: Mon, 27 Feb 2023 11:14:10 +0800 +Subject: power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe + +From: Kang Chen + +commit 4cbb0d358883a27e432714b5256f0362946f5e25 upstream. + +devm_work_autocancel may fail, add a check and return early. + +Fixes: 0402e8ebb8b86 ("power: supply: mt6360_charger: add MT6360 charger support") +Signed-off-by: Kang Chen +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/mt6360_charger.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/power/supply/mt6360_charger.c ++++ b/drivers/power/supply/mt6360_charger.c +@@ -799,7 +799,9 @@ static int mt6360_charger_probe(struct p + mci->vinovp = 6500000; + mutex_init(&mci->chgdet_lock); + platform_set_drvdata(pdev, mci); +- devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work); ++ ret = devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work); ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "Failed to set delayed work\n"); + + ret = device_property_read_u32(&pdev->dev, "richtek,vinovp-microvolt", &mci->vinovp); + if (ret) diff --git a/queue-5.15/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch b/queue-5.15/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch new file mode 100644 index 00000000000..78794c29e0b --- /dev/null +++ b/queue-5.15/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch @@ -0,0 +1,31 @@ +From b2f2a3c9800208b0db2c2e34b05323757117faa2 Mon Sep 17 00:00:00 2001 +From: Daisuke Nojiri +Date: Mon, 24 Apr 2023 11:25:58 -0700 +Subject: power: supply: sbs-charger: Fix INHIBITED bit for Status reg + +From: Daisuke Nojiri + +commit b2f2a3c9800208b0db2c2e34b05323757117faa2 upstream. + +CHARGE_INHIBITED bit position of the ChargerStatus register is actually +0 not 1. This patch corrects it. + +Fixes: feb583e37f8a8 ("power: supply: add sbs-charger driver") +Signed-off-by: Daisuke Nojiri +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/sbs-charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/sbs-charger.c ++++ b/drivers/power/supply/sbs-charger.c +@@ -24,7 +24,7 @@ + #define SBS_CHARGER_REG_STATUS 0x13 + #define SBS_CHARGER_REG_ALARM_WARNING 0x16 + +-#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(1) ++#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(0) + #define SBS_CHARGER_STATUS_RES_COLD BIT(9) + #define SBS_CHARGER_STATUS_RES_HOT BIT(10) + #define SBS_CHARGER_STATUS_BATTERY_PRESENT BIT(14) diff --git a/queue-5.15/regulator-pca9450-fix-buck2-enable_mask.patch b/queue-5.15/regulator-pca9450-fix-buck2-enable_mask.patch new file mode 100644 index 00000000000..6307bf9bf2f --- /dev/null +++ b/queue-5.15/regulator-pca9450-fix-buck2-enable_mask.patch @@ -0,0 +1,43 @@ +From d67dada3e2524514b09496b9ee1df22d4507a280 Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Fri, 12 May 2023 10:19:34 +0200 +Subject: regulator: pca9450: Fix BUCK2 enable_mask + +From: Alexander Stein + +commit d67dada3e2524514b09496b9ee1df22d4507a280 upstream. + +This fixes a copy & paste error. +No functional change intended, BUCK1_ENMODE_MASK equals BUCK2_ENMODE_MASK. + +Fixes: 0935ff5f1f0a ("regulator: pca9450: add pca9450 pmic driver") +Originally-from: Robin Gong +--- + drivers/regulator/pca9450-regulator.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -256,7 +256,7 @@ static const struct pca9450_regulator_de + .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0, + .vsel_mask = BUCK2OUT_DVS0_MASK, + .enable_reg = PCA9450_REG_BUCK2CTRL, +- .enable_mask = BUCK1_ENMODE_MASK, ++ .enable_mask = BUCK2_ENMODE_MASK, + .ramp_reg = PCA9450_REG_BUCK2CTRL, + .ramp_mask = BUCK2_RAMP_MASK, + .ramp_delay_table = pca9450_dvs_buck_ramp_table, +@@ -494,7 +494,7 @@ static const struct pca9450_regulator_de + .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0, + .vsel_mask = BUCK2OUT_DVS0_MASK, + .enable_reg = PCA9450_REG_BUCK2CTRL, +- .enable_mask = BUCK1_ENMODE_MASK, ++ .enable_mask = BUCK2_ENMODE_MASK, + .ramp_reg = PCA9450_REG_BUCK2CTRL, + .ramp_mask = BUCK2_RAMP_MASK, + .ramp_delay_table = pca9450_dvs_buck_ramp_table, diff --git a/queue-5.15/selftests-fib_tests-mute-cleanup-error-message.patch b/queue-5.15/selftests-fib_tests-mute-cleanup-error-message.patch new file mode 100644 index 00000000000..47cb677c5ca --- /dev/null +++ b/queue-5.15/selftests-fib_tests-mute-cleanup-error-message.patch @@ -0,0 +1,45 @@ +From d226b1df361988f885c298737d6019c863a25f26 Mon Sep 17 00:00:00 2001 +From: Po-Hsu Lin +Date: Thu, 18 May 2023 12:37:59 +0800 +Subject: selftests: fib_tests: mute cleanup error message + +From: Po-Hsu Lin + +commit d226b1df361988f885c298737d6019c863a25f26 upstream. + +In the end of the test, there will be an error message induced by the +`ip netns del ns1` command in cleanup() + + Tests passed: 201 + Tests failed: 0 + Cannot remove namespace file "/run/netns/ns1": No such file or directory + +This can even be reproduced with just `./fib_tests.sh -h` as we're +calling cleanup() on exit. + +Redirect the error message to /dev/null to mute it. + +V2: Update commit message and fixes tag. +V3: resubmit due to missing netdev ML in V2 + +Fixes: b60417a9f2b8 ("selftest: fib_tests: Always cleanup before exit") +Signed-off-by: Po-Hsu Lin +Reviewed-by: Ido Schimmel +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/fib_tests.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -68,7 +68,7 @@ setup() + cleanup() + { + $IP link del dev dummy0 &> /dev/null +- ip netns del ns1 ++ ip netns del ns1 &> /dev/null + ip netns del ns2 &> /dev/null + } + diff --git a/queue-5.15/series b/queue-5.15/series index fb2f6a099a0..00b289a5f8c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -33,3 +33,22 @@ usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch usb-sisusbvga-add-endpoint-checks.patch media-radio-shark-add-endpoint-checks.patch asoc-lpass-fix-for-kasan-use_after_free-out-of-bounds.patch +net-fix-skb-leak-in-__skb_tstamp_tx.patch +selftests-fib_tests-mute-cleanup-error-message.patch +octeontx2-pf-fix-tsov6-offload.patch +bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch +ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch +cifs-mapchars-mount-option-ignored.patch +power-supply-leds-fix-blink-to-led-on-transition.patch +power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch +power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch +power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch +power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch +power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch +power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch +firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch +firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch +fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch +regulator-pca9450-fix-buck2-enable_mask.patch +coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch +xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch diff --git a/queue-5.15/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch b/queue-5.15/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch new file mode 100644 index 00000000000..605fae26b17 --- /dev/null +++ b/queue-5.15/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch @@ -0,0 +1,60 @@ +From 8fafac202d18230bb9926bda48e563fd2cce2a4f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 3 May 2023 18:11:35 +0300 +Subject: xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() + +From: Dan Carpenter + +commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream. + +In the pvcalls_new_active_socket() function, most error paths call +pvcalls_back_release_active(fedata->dev, fedata, map) which calls +sock_release() on "sock". The bug is that the caller also frees sock. + +Fix this by making every error path in pvcalls_new_active_socket() +release the sock, and don't free it in the caller. + +Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command") +Signed-off-by: Dan Carpenter +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/pvcalls-back.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/xen/pvcalls-back.c ++++ b/drivers/xen/pvcalls-back.c +@@ -321,8 +321,10 @@ static struct sock_mapping *pvcalls_new_ + void *page; + + map = kzalloc(sizeof(*map), GFP_KERNEL); +- if (map == NULL) ++ if (map == NULL) { ++ sock_release(sock); + return NULL; ++ } + + map->fedata = fedata; + map->sock = sock; +@@ -414,10 +416,8 @@ static int pvcalls_back_connect(struct x + req->u.connect.ref, + req->u.connect.evtchn, + sock); +- if (!map) { ++ if (!map) + ret = -EFAULT; +- sock_release(sock); +- } + + out: + rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++); +@@ -558,7 +558,6 @@ static void __pvcalls_back_accept(struct + sock); + if (!map) { + ret = -EFAULT; +- sock_release(sock); + goto out_error; + } + -- 2.47.3