From 9e9963716dfa138246e5b81c331f044c99968eae Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 11 Jun 2023 23:51:38 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...a7g5ek-fix-debounce-delay-property-f.patch | 37 ++++ ...s-dma-assign-default-clock-rate-for-.patch | 65 +++++++ ...-dts-imx8mn-beacon-fix-spi-cs-pinmux.patch | 48 +++++ ...-mek-correct-gpios-for-usdhc2-cd-and.patch | 38 ++++ ...c7180-lite-fix-sdram-freq-for-miside.patch | 87 +++++++++ ...881x-do-not-set-can_multi_write-flag.patch | 39 ++++ ...8195-afe-pcm-convert-to-platform-rem.patch | 69 +++++++ ...8195-fix-use-after-free-in-driver-re.patch | 173 ++++++++++++++++++ .../eeprom-at24-also-select-regmap.patch | 49 +++++ ...-set-handle-field-to-zero-in-memory-.patch | 39 ++++ ...reading-invalid-status-value-in-atom.patch | 68 +++++++ ...-i2c-adapter-in-.remove-s-error-path.patch | 53 ++++++ ...-__user-string-arg-print-fault-issue.patch | 68 +++++++ queue-5.15/series | 16 ++ ...duse-avoid-empty-string-for-dev-name.patch | 64 +++++++ ...cked-when-setting-getting-vring_base.patch | 85 +++++++++ ...rt-packed-when-setting-getting-vring.patch | 64 +++++++ 17 files changed, 1062 insertions(+) create mode 100644 queue-5.15/arm-dts-at91-sama7g5ek-fix-debounce-delay-property-f.patch create mode 100644 queue-5.15/arm64-dts-imx8-ss-dma-assign-default-clock-rate-for-.patch create mode 100644 queue-5.15/arm64-dts-imx8mn-beacon-fix-spi-cs-pinmux.patch create mode 100644 queue-5.15/arm64-dts-imx8qm-mek-correct-gpios-for-usdhc2-cd-and.patch create mode 100644 queue-5.15/arm64-dts-qcom-sc7180-lite-fix-sdram-freq-for-miside.patch create mode 100644 queue-5.15/asoc-codecs-wsa881x-do-not-set-can_multi_write-flag.patch create mode 100644 queue-5.15/asoc-mediatek-mt8195-afe-pcm-convert-to-platform-rem.patch create mode 100644 queue-5.15/asoc-mediatek-mt8195-fix-use-after-free-in-driver-re.patch create mode 100644 queue-5.15/eeprom-at24-also-select-regmap.patch create mode 100644 queue-5.15/firmware-arm_ffa-set-handle-field-to-zero-in-memory-.patch create mode 100644 queue-5.15/i2c-mv64xxx-fix-reading-invalid-status-value-in-atom.patch create mode 100644 queue-5.15/i2c-sprd-delete-i2c-adapter-in-.remove-s-error-path.patch create mode 100644 queue-5.15/riscv-fix-kprobe-__user-string-arg-print-fault-issue.patch create mode 100644 queue-5.15/vduse-avoid-empty-string-for-dev-name.patch create mode 100644 queue-5.15/vhost-support-packed-when-setting-getting-vring_base.patch create mode 100644 queue-5.15/vhost_vdpa-support-packed-when-setting-getting-vring.patch diff --git a/queue-5.15/arm-dts-at91-sama7g5ek-fix-debounce-delay-property-f.patch b/queue-5.15/arm-dts-at91-sama7g5ek-fix-debounce-delay-property-f.patch new file mode 100644 index 00000000000..4da43ad6390 --- /dev/null +++ b/queue-5.15/arm-dts-at91-sama7g5ek-fix-debounce-delay-property-f.patch @@ -0,0 +1,37 @@ +From 13f0d4c2b9b5b5acb49ad7c52de4d41365cea622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 08:27:50 +0300 +Subject: ARM: dts: at91: sama7g5ek: fix debounce delay property for shdwc + +From: Claudiu Beznea + +[ Upstream commit 6b0db163ff9200a55dc77a652dad1d4b0a853f63 ] + +There is no atmel,shdwc-debouncer property for SHDWC. The right DT property +is debounce-delay-us. Use it. + +Fixes: 16b161bcf5d4 ("ARM: dts: at91: sama7g5: add shdwc node") +Signed-off-by: Claudiu Beznea +Acked-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20230523052750.184223-1-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91-sama7g5ek.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/at91-sama7g5ek.dts b/arch/arm/boot/dts/at91-sama7g5ek.dts +index 2038e387be288..0ba856066ffb2 100644 +--- a/arch/arm/boot/dts/at91-sama7g5ek.dts ++++ b/arch/arm/boot/dts/at91-sama7g5ek.dts +@@ -659,7 +659,7 @@ &sdmmc2 { + }; + + &shdwc { +- atmel,shdwc-debouncer = <976>; ++ debounce-delay-us = <976>; + status = "okay"; + + input@0 { +-- +2.39.2 + diff --git a/queue-5.15/arm64-dts-imx8-ss-dma-assign-default-clock-rate-for-.patch b/queue-5.15/arm64-dts-imx8-ss-dma-assign-default-clock-rate-for-.patch new file mode 100644 index 00000000000..64cb9f6d518 --- /dev/null +++ b/queue-5.15/arm64-dts-imx8-ss-dma-assign-default-clock-rate-for-.patch @@ -0,0 +1,65 @@ +From 0efbe0b5a1623f1732b9b2ceb396f1cf9b18dab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 10:38:54 -0500 +Subject: arm64: dts: imx8-ss-dma: assign default clock rate for lpuarts + +From: Shenwei Wang + +[ Upstream commit ca50d7765587fe0a8351a6e8d9742cfd4811d925 ] + +Add the assigned-clocks and assigned-clock-rates properties for the +LPUARTx nodes. Without these properties, the default clock rate +used would be 0, which can cause the UART ports to fail when open. + +Fixes: 35f4e9d7530f ("arm64: dts: imx8: split adma ss into dma and audio ss") +Signed-off-by: Shenwei Wang +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +index 960a802b8b6ee..c33892711138f 100644 +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -26,6 +26,8 @@ lpuart0: serial@5a060000 { + clocks = <&uart0_lpcg IMX_LPCG_CLK_4>, + <&uart0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "baud"; ++ assigned-clocks = <&clk IMX_SC_R_UART_0 IMX_SC_PM_CLK_PER>; ++ assigned-clock-rates = <80000000>; + power-domains = <&pd IMX_SC_R_UART_0>; + status = "disabled"; + }; +@@ -36,6 +38,8 @@ lpuart1: serial@5a070000 { + clocks = <&uart1_lpcg IMX_LPCG_CLK_4>, + <&uart1_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "baud"; ++ assigned-clocks = <&clk IMX_SC_R_UART_1 IMX_SC_PM_CLK_PER>; ++ assigned-clock-rates = <80000000>; + power-domains = <&pd IMX_SC_R_UART_1>; + status = "disabled"; + }; +@@ -46,6 +50,8 @@ lpuart2: serial@5a080000 { + clocks = <&uart2_lpcg IMX_LPCG_CLK_4>, + <&uart2_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "baud"; ++ assigned-clocks = <&clk IMX_SC_R_UART_2 IMX_SC_PM_CLK_PER>; ++ assigned-clock-rates = <80000000>; + power-domains = <&pd IMX_SC_R_UART_2>; + status = "disabled"; + }; +@@ -56,6 +62,8 @@ lpuart3: serial@5a090000 { + clocks = <&uart3_lpcg IMX_LPCG_CLK_4>, + <&uart3_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "baud"; ++ assigned-clocks = <&clk IMX_SC_R_UART_3 IMX_SC_PM_CLK_PER>; ++ assigned-clock-rates = <80000000>; + power-domains = <&pd IMX_SC_R_UART_3>; + status = "disabled"; + }; +-- +2.39.2 + diff --git a/queue-5.15/arm64-dts-imx8mn-beacon-fix-spi-cs-pinmux.patch b/queue-5.15/arm64-dts-imx8mn-beacon-fix-spi-cs-pinmux.patch new file mode 100644 index 00000000000..ecf60ca0f9a --- /dev/null +++ b/queue-5.15/arm64-dts-imx8mn-beacon-fix-spi-cs-pinmux.patch @@ -0,0 +1,48 @@ +From a5767fa2d2e35acd0b8547ef483b706218c24dec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 06:22:54 -0500 +Subject: arm64: dts: imx8mn-beacon: Fix SPI CS pinmux + +From: Adam Ford + +[ Upstream commit 9bf2e534313fcf420367668cc1f30e10469901dc ] + +The final production baseboard had a different chip select than +earlier prototype boards. When the newer board was released, +the SPI stopped working because the wrong pin was used in the device +tree and conflicted with the UART RTS. Fix the pinmux for +production boards. + +Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit") +Signed-off-by: Adam Ford +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mn-beacon-baseboard.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-baseboard.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-baseboard.dtsi +index e69fd41b46d0e..4fc22448e411f 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-baseboard.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-baseboard.dtsi +@@ -81,7 +81,7 @@ sound { + &ecspi2 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_espi2>; +- cs-gpios = <&gpio5 9 GPIO_ACTIVE_LOW>; ++ cs-gpios = <&gpio5 13 GPIO_ACTIVE_LOW>; + status = "okay"; + + eeprom@0 { +@@ -203,7 +203,7 @@ pinctrl_espi2: espi2grp { + MX8MN_IOMUXC_ECSPI2_SCLK_ECSPI2_SCLK 0x82 + MX8MN_IOMUXC_ECSPI2_MOSI_ECSPI2_MOSI 0x82 + MX8MN_IOMUXC_ECSPI2_MISO_ECSPI2_MISO 0x82 +- MX8MN_IOMUXC_ECSPI1_SS0_GPIO5_IO9 0x41 ++ MX8MN_IOMUXC_ECSPI2_SS0_GPIO5_IO13 0x41 + >; + }; + +-- +2.39.2 + diff --git a/queue-5.15/arm64-dts-imx8qm-mek-correct-gpios-for-usdhc2-cd-and.patch b/queue-5.15/arm64-dts-imx8qm-mek-correct-gpios-for-usdhc2-cd-and.patch new file mode 100644 index 00000000000..a6a68600825 --- /dev/null +++ b/queue-5.15/arm64-dts-imx8qm-mek-correct-gpios-for-usdhc2-cd-and.patch @@ -0,0 +1,38 @@ +From 494b37255d28fc0689c04f63d70a773db697de62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 08:54:21 -0500 +Subject: arm64: dts: imx8qm-mek: correct GPIOs for USDHC2 CD and WP signals + +From: Shenwei Wang + +[ Upstream commit 2b28fc688cdff225c41cdd22857500e187453ed7 ] + +The USDHC2 CD and WP sginal should be on LSIO_GPIO5. + +Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support") +Signed-off-by: Shenwei Wang +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +index ce9d3f0b98fc0..607cd6b4e9721 100644 +--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts ++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts +@@ -82,8 +82,8 @@ &usdhc2 { + pinctrl-0 = <&pinctrl_usdhc2>; + bus-width = <4>; + vmmc-supply = <®_usdhc2_vmmc>; +- cd-gpios = <&lsio_gpio4 22 GPIO_ACTIVE_LOW>; +- wp-gpios = <&lsio_gpio4 21 GPIO_ACTIVE_HIGH>; ++ cd-gpios = <&lsio_gpio5 22 GPIO_ACTIVE_LOW>; ++ wp-gpios = <&lsio_gpio5 21 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; + +-- +2.39.2 + diff --git a/queue-5.15/arm64-dts-qcom-sc7180-lite-fix-sdram-freq-for-miside.patch b/queue-5.15/arm64-dts-qcom-sc7180-lite-fix-sdram-freq-for-miside.patch new file mode 100644 index 00000000000..60e462b6a8b --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sc7180-lite-fix-sdram-freq-for-miside.patch @@ -0,0 +1,87 @@ +From d0c9e0298c56ffa56f398a326b4a63825f9f349d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 17:19:29 -0700 +Subject: arm64: dts: qcom: sc7180-lite: Fix SDRAM freq for misidentified + sc7180-lite boards + +From: Douglas Anderson + +[ Upstream commit 3a735530c159b75e1402c08abe1ba4eb99a1f7a3 ] + +In general, the three SKUs of sc7180 (lite, normal, and pro) are +handled dynamically. + +The cpufreq table in sc7180.dtsi includes the superset of all CPU +frequencies. The "qcom-cpufreq-hw" driver in Linux shows that we can +dynamically detect which frequencies are actually available on the +currently running CPU and then we can just enable those ones. + +The GPU is similarly dynamic. The nvmem has a fuse in it (see +"gpu_speed_bin" in sc7180.dtsi) that the GPU driver can use to figure +out which frequencies to enable. + +There is one part, however, that is not so dynamic. The way SDRAM +frequency works in sc7180 is that it's tied to cpufreq. At the busiest +cpufreq operating points we'll pick the top supported SDRAM frequency. +They ramp down together. + +For the "pro" SKU of sc7180, we only enable one extra cpufreq step. +That extra cpufreq step runs SDRAM at the same speed as the step +below. Thus, for normal and pro things are OK. There is no sc7180-pro +device tree snippet. + +For the "lite" SKU if sc7180, however, things aren't so easy. The +"lite" SKU drops 3 cpufreq entries but can still run SDRAM at max +frequency. That messed things up with the whole scheme. This is why we +added the "sc7180-lite" fragment in commit 8fd01e01fd6f ("arm64: dts: +qcom: sc7180-lite: Tweak DDR/L3 scaling on SC7180-lite"). + +When the lite scheme came about, it was agreed that the WiFi SKUs of +lazor would _always_ be "lite" and would, in fact, be the only "lite" +devices. Unfortunately, this decision changed and folks didn't realize +that it would be a problem. Specifically, some later lazor WiFi-only +devices were built with "pro" CPUs. + +Building WiFi-only lazor with "pro" CPUs isn't the end of the world. +The SDRAM will ramp up a little sooner than it otherwise would, but +aside from a small power hit things work OK. One problem, though, is +that the SDRAM scaling becomes a bit quirky. Specifically, with the +current tables we'll max out SDRAM frequency at 2.1GHz but then +_lower_ it at 2.2GHz / 2.3GHz only to raise it back to max for 2.4GHz +and 2.55GHz. + +Let's at least fix this so that the SDRAM frequency doesn't go down in +that quirky way. On true "lite" SKUs this change will be a no-op +because the operating points we're touching are disabled. This change +is only useful when a board that thinks it has a "lite" CPU actually +has a "normal" or "pro" one stuffed. + +Fixes: 8fd01e01fd6f ("arm64: dts: qcom: sc7180-lite: Tweak DDR/L3 scaling on SC7180-lite") +Signed-off-by: Douglas Anderson +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230515171929.1.Ic8dee2cb79ce39ffc04eab2a344dde47b2f9459f@changeid +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7180-lite.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sc7180-lite.dtsi b/arch/arm64/boot/dts/qcom/sc7180-lite.dtsi +index d8ed1d7b4ec76..4b306a59d9bec 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180-lite.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180-lite.dtsi +@@ -16,3 +16,11 @@ &cpu6_opp11 { + &cpu6_opp12 { + opp-peak-kBps = <8532000 23347200>; + }; ++ ++&cpu6_opp13 { ++ opp-peak-kBps = <8532000 23347200>; ++}; ++ ++&cpu6_opp14 { ++ opp-peak-kBps = <8532000 23347200>; ++}; +-- +2.39.2 + diff --git a/queue-5.15/asoc-codecs-wsa881x-do-not-set-can_multi_write-flag.patch b/queue-5.15/asoc-codecs-wsa881x-do-not-set-can_multi_write-flag.patch new file mode 100644 index 00000000000..6a6bc79245b --- /dev/null +++ b/queue-5.15/asoc-codecs-wsa881x-do-not-set-can_multi_write-flag.patch @@ -0,0 +1,39 @@ +From 2752cbe2c714273a52731d4faf72f9d54a02ddac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 16:46:05 +0100 +Subject: ASoC: codecs: wsa881x: do not set can_multi_write flag + +From: Srinivas Kandagatla + +[ Upstream commit 6e7a6d4797ef521c0762914610ed682e102b9d36 ] + +regmap-sdw does not support multi register writes, so there is +no point in setting this flag. This also leads to incorrect +programming of WSA codecs with regmap_multi_reg_write() call. + +This invalid configuration should have been rejected by regmap-sdw. + +Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230523154605.4284-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wsa881x.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/soc/codecs/wsa881x.c b/sound/soc/codecs/wsa881x.c +index 0222370ff95de..8559047694873 100644 +--- a/sound/soc/codecs/wsa881x.c ++++ b/sound/soc/codecs/wsa881x.c +@@ -646,7 +646,6 @@ static struct regmap_config wsa881x_regmap_config = { + .readable_reg = wsa881x_readable_register, + .reg_format_endian = REGMAP_ENDIAN_NATIVE, + .val_format_endian = REGMAP_ENDIAN_NATIVE, +- .can_multi_write = true, + }; + + enum { +-- +2.39.2 + diff --git a/queue-5.15/asoc-mediatek-mt8195-afe-pcm-convert-to-platform-rem.patch b/queue-5.15/asoc-mediatek-mt8195-afe-pcm-convert-to-platform-rem.patch new file mode 100644 index 00000000000..c29ff7e7849 --- /dev/null +++ b/queue-5.15/asoc-mediatek-mt8195-afe-pcm-convert-to-platform-rem.patch @@ -0,0 +1,69 @@ +From 0319d75a6aa4b9c01fff57c4b09ce8db14e79d6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 16:06:45 +0100 +Subject: ASoC: mediatek: mt8195-afe-pcm: Convert to platform remove callback + returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 6461fee68064ba970e3ba90241fe5f5e038aa9d4 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Acked-by: Takashi Iwai +Acked-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20230315150745.67084-114-u.kleine-koenig@pengutronix.de +Signed-off-by: Mark Brown +Stable-dep-of: dc93f0dcb436 ("ASoC: mediatek: mt8195: fix use-after-free in driver remove path") +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c +index 2edb40fe27ccb..6c15d45f4a006 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c ++++ b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c +@@ -3237,7 +3237,7 @@ static int mt8195_afe_pcm_dev_probe(struct platform_device *pdev) + return ret; + } + +-static int mt8195_afe_pcm_dev_remove(struct platform_device *pdev) ++static void mt8195_afe_pcm_dev_remove(struct platform_device *pdev) + { + struct mtk_base_afe *afe = platform_get_drvdata(pdev); + +@@ -3248,7 +3248,6 @@ static int mt8195_afe_pcm_dev_remove(struct platform_device *pdev) + mt8195_afe_runtime_suspend(&pdev->dev); + + mt8195_afe_deinit_clock(afe); +- return 0; + } + + static const struct of_device_id mt8195_afe_pcm_dt_match[] = { +@@ -3271,7 +3270,7 @@ static struct platform_driver mt8195_afe_pcm_driver = { + #endif + }, + .probe = mt8195_afe_pcm_dev_probe, +- .remove = mt8195_afe_pcm_dev_remove, ++ .remove_new = mt8195_afe_pcm_dev_remove, + }; + + module_platform_driver(mt8195_afe_pcm_driver); +-- +2.39.2 + diff --git a/queue-5.15/asoc-mediatek-mt8195-fix-use-after-free-in-driver-re.patch b/queue-5.15/asoc-mediatek-mt8195-fix-use-after-free-in-driver-re.patch new file mode 100644 index 00000000000..e9f4f6100f5 --- /dev/null +++ b/queue-5.15/asoc-mediatek-mt8195-fix-use-after-free-in-driver-re.patch @@ -0,0 +1,173 @@ +From c0ede71dbcca03a36d8d877673185ab839cc4a50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 11:33:18 +0800 +Subject: ASoC: mediatek: mt8195: fix use-after-free in driver remove path + +From: Trevor Wu + +[ Upstream commit dc93f0dcb436dfd24a06c5b3c0f4c5cd9296e8e5 ] + +During mt8195_afe_init_clock(), mt8195_audsys_clk_register() was called +followed by several other devm functions. At mt8195_afe_deinit_clock() +located at mt8195_afe_pcm_dev_remove(), mt8195_audsys_clk_unregister() +was called. + +However, there was an issue with the order in which these functions were +called. Specifically, the remove callback of platform_driver was called +before devres released the resource, resulting in a use-after-free issue +during remove time. + +At probe time, the order of calls was: +1. mt8195_audsys_clk_register +2. afe_priv->clk = devm_kcalloc +3. afe_priv->clk[i] = devm_clk_get + +At remove time, the order of calls was: +1. mt8195_audsys_clk_unregister +3. free afe_priv->clk[i] +2. free afe_priv->clk + +To resolve the problem, we can utilize devm_add_action_or_reset() in +mt8195_audsys_clk_register() so that the remove order can be changed to +3->2->1. + +Fixes: 6746cc858259 ("ASoC: mediatek: mt8195: add platform driver") +Signed-off-by: Trevor Wu +Reviewed-by: Douglas Anderson +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230601033318.10408-3-trevor.wu@mediatek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8195/mt8195-afe-clk.c | 5 -- + sound/soc/mediatek/mt8195/mt8195-afe-clk.h | 1 - + sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | 4 -- + sound/soc/mediatek/mt8195/mt8195-audsys-clk.c | 47 ++++++++++--------- + sound/soc/mediatek/mt8195/mt8195-audsys-clk.h | 1 - + 5 files changed, 24 insertions(+), 34 deletions(-) + +diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-clk.c b/sound/soc/mediatek/mt8195/mt8195-afe-clk.c +index 8420b2c71332a..d1939e08d333c 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-afe-clk.c ++++ b/sound/soc/mediatek/mt8195/mt8195-afe-clk.c +@@ -136,11 +136,6 @@ int mt8195_afe_init_clock(struct mtk_base_afe *afe) + return 0; + } + +-void mt8195_afe_deinit_clock(struct mtk_base_afe *afe) +-{ +- mt8195_audsys_clk_unregister(afe); +-} +- + int mt8195_afe_enable_clk(struct mtk_base_afe *afe, struct clk *clk) + { + int ret; +diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-clk.h b/sound/soc/mediatek/mt8195/mt8195-afe-clk.h +index f8e6eeb29a895..24eb2f06682f2 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-afe-clk.h ++++ b/sound/soc/mediatek/mt8195/mt8195-afe-clk.h +@@ -90,7 +90,6 @@ int mt8195_afe_get_mclk_source_clk_id(int sel); + int mt8195_afe_get_mclk_source_rate(struct mtk_base_afe *afe, int apll); + int mt8195_afe_get_default_mclk_source_by_rate(int rate); + int mt8195_afe_init_clock(struct mtk_base_afe *afe); +-void mt8195_afe_deinit_clock(struct mtk_base_afe *afe); + int mt8195_afe_enable_clk(struct mtk_base_afe *afe, struct clk *clk); + void mt8195_afe_disable_clk(struct mtk_base_afe *afe, struct clk *clk); + int mt8195_afe_prepare_clk(struct mtk_base_afe *afe, struct clk *clk); +diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c +index 6c15d45f4a006..4e817542dd745 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c ++++ b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c +@@ -3239,15 +3239,11 @@ static int mt8195_afe_pcm_dev_probe(struct platform_device *pdev) + + static void mt8195_afe_pcm_dev_remove(struct platform_device *pdev) + { +- struct mtk_base_afe *afe = platform_get_drvdata(pdev); +- + snd_soc_unregister_component(&pdev->dev); + + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + mt8195_afe_runtime_suspend(&pdev->dev); +- +- mt8195_afe_deinit_clock(afe); + } + + static const struct of_device_id mt8195_afe_pcm_dt_match[] = { +diff --git a/sound/soc/mediatek/mt8195/mt8195-audsys-clk.c b/sound/soc/mediatek/mt8195/mt8195-audsys-clk.c +index 740aa6ddda0ec..353aa17323648 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-audsys-clk.c ++++ b/sound/soc/mediatek/mt8195/mt8195-audsys-clk.c +@@ -148,6 +148,29 @@ static const struct afe_gate aud_clks[CLK_AUD_NR_CLK] = { + GATE_AUD6(CLK_AUD_GASRC19, "aud_gasrc19", "asm_h_sel", 19), + }; + ++static void mt8195_audsys_clk_unregister(void *data) ++{ ++ struct mtk_base_afe *afe = data; ++ struct mt8195_afe_private *afe_priv = afe->platform_priv; ++ struct clk *clk; ++ struct clk_lookup *cl; ++ int i; ++ ++ if (!afe_priv) ++ return; ++ ++ for (i = 0; i < CLK_AUD_NR_CLK; i++) { ++ cl = afe_priv->lookup[i]; ++ if (!cl) ++ continue; ++ ++ clk = cl->clk; ++ clk_unregister_gate(clk); ++ ++ clkdev_drop(cl); ++ } ++} ++ + int mt8195_audsys_clk_register(struct mtk_base_afe *afe) + { + struct mt8195_afe_private *afe_priv = afe->platform_priv; +@@ -188,27 +211,5 @@ int mt8195_audsys_clk_register(struct mtk_base_afe *afe) + afe_priv->lookup[i] = cl; + } + +- return 0; +-} +- +-void mt8195_audsys_clk_unregister(struct mtk_base_afe *afe) +-{ +- struct mt8195_afe_private *afe_priv = afe->platform_priv; +- struct clk *clk; +- struct clk_lookup *cl; +- int i; +- +- if (!afe_priv) +- return; +- +- for (i = 0; i < CLK_AUD_NR_CLK; i++) { +- cl = afe_priv->lookup[i]; +- if (!cl) +- continue; +- +- clk = cl->clk; +- clk_unregister_gate(clk); +- +- clkdev_drop(cl); +- } ++ return devm_add_action_or_reset(afe->dev, mt8195_audsys_clk_unregister, afe); + } +diff --git a/sound/soc/mediatek/mt8195/mt8195-audsys-clk.h b/sound/soc/mediatek/mt8195/mt8195-audsys-clk.h +index 239d31016ba76..69db2dd1c9e02 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-audsys-clk.h ++++ b/sound/soc/mediatek/mt8195/mt8195-audsys-clk.h +@@ -10,6 +10,5 @@ + #define _MT8195_AUDSYS_CLK_H_ + + int mt8195_audsys_clk_register(struct mtk_base_afe *afe); +-void mt8195_audsys_clk_unregister(struct mtk_base_afe *afe); + + #endif +-- +2.39.2 + diff --git a/queue-5.15/eeprom-at24-also-select-regmap.patch b/queue-5.15/eeprom-at24-also-select-regmap.patch new file mode 100644 index 00000000000..12b1f74a34d --- /dev/null +++ b/queue-5.15/eeprom-at24-also-select-regmap.patch @@ -0,0 +1,49 @@ +From 20f79909f76508239d269eb59cd81eb3efa2f553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 19:54:24 -0700 +Subject: eeprom: at24: also select REGMAP + +From: Randy Dunlap + +[ Upstream commit 7f3c782b3914e510b646a77aedc3adeac2e4a63b ] + +Selecting only REGMAP_I2C can leave REGMAP unset, causing build errors, +so also select REGMAP to prevent the build errors. + +../drivers/misc/eeprom/at24.c:540:42: warning: 'struct regmap_config' declared inside parameter list will not be visible outside of this definition or declaration + 540 | struct regmap_config *regmap_config) +../drivers/misc/eeprom/at24.c: In function 'at24_make_dummy_client': +../drivers/misc/eeprom/at24.c:552:18: error: implicit declaration of function 'devm_regmap_init_i2c' [-Werror=implicit-function-declaration] + 552 | regmap = devm_regmap_init_i2c(dummy_client, regmap_config); +../drivers/misc/eeprom/at24.c:552:16: warning: assignment to 'struct regmap *' from 'int' makes pointer from integer without a cast [-Wint-conversion] + 552 | regmap = devm_regmap_init_i2c(dummy_client, regmap_config); +../drivers/misc/eeprom/at24.c: In function 'at24_probe': +../drivers/misc/eeprom/at24.c:586:16: error: variable 'regmap_config' has initializer but incomplete type + 586 | struct regmap_config regmap_config = { }; +../drivers/misc/eeprom/at24.c:586:30: error: storage size of 'regmap_config' isn't known + 586 | struct regmap_config regmap_config = { }; +../drivers/misc/eeprom/at24.c:586:30: warning: unused variable 'regmap_config' [-Wunused-variable] + +Fixes: 5c015258478e ("eeprom: at24: add basic regmap_i2c support") +Signed-off-by: Randy Dunlap +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/eeprom/Kconfig b/drivers/misc/eeprom/Kconfig +index f0a7531f354c1..2d240bfa819f8 100644 +--- a/drivers/misc/eeprom/Kconfig ++++ b/drivers/misc/eeprom/Kconfig +@@ -6,6 +6,7 @@ config EEPROM_AT24 + depends on I2C && SYSFS + select NVMEM + select NVMEM_SYSFS ++ select REGMAP + select REGMAP_I2C + help + Enable this driver to get read/write support to most I2C EEPROMs +-- +2.39.2 + diff --git a/queue-5.15/firmware-arm_ffa-set-handle-field-to-zero-in-memory-.patch b/queue-5.15/firmware-arm_ffa-set-handle-field-to-zero-in-memory-.patch new file mode 100644 index 00000000000..e8721ef7400 --- /dev/null +++ b/queue-5.15/firmware-arm_ffa-set-handle-field-to-zero-in-memory-.patch @@ -0,0 +1,39 @@ +From f1dfc9538988e7cbd3d8cc931d7bf0135b247560 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 16:07:49 +0200 +Subject: firmware: arm_ffa: Set handle field to zero in memory descriptor + +From: Balint Dobszay + +[ Upstream commit 3aa0519a4780f1b8e11966bd879d4a2934ba455f ] + +As described in the commit 111a833dc5cb ("firmware: arm_ffa: Set +reserved/MBZ fields to zero in the memory descriptors") some fields in +the memory descriptor have to be zeroed explicitly. The handle field is +one of these, but it was left out from that change, fix this now. + +Fixes: 111a833dc5cb ("firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors") +Reported-by: Imre Kis +Signed-off-by: Balint Dobszay +Link: https://lore.kernel.org/r/20230601140749.93812-1-balint.dobszay@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_ffa/driver.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c +index f53d11eff65e0..e4fb0c1ae4869 100644 +--- a/drivers/firmware/arm_ffa/driver.c ++++ b/drivers/firmware/arm_ffa/driver.c +@@ -454,6 +454,7 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 max_fragsize, + ep_mem_access->flag = 0; + ep_mem_access->reserved = 0; + } ++ mem_region->handle = 0; + mem_region->reserved_0 = 0; + mem_region->reserved_1 = 0; + mem_region->ep_count = args->nattrs; +-- +2.39.2 + diff --git a/queue-5.15/i2c-mv64xxx-fix-reading-invalid-status-value-in-atom.patch b/queue-5.15/i2c-mv64xxx-fix-reading-invalid-status-value-in-atom.patch new file mode 100644 index 00000000000..80e122d2953 --- /dev/null +++ b/queue-5.15/i2c-mv64xxx-fix-reading-invalid-status-value-in-atom.patch @@ -0,0 +1,68 @@ +From 68b1702ed3f847e66dd4c48a743a1ac3767ca708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 May 2023 14:19:40 +0200 +Subject: i2c: mv64xxx: Fix reading invalid status value in atomic mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 5578d0a79b6430fa1543640dd6f2d397d0886ce7 ] + +There seems to be a bug within the mv64xxx I2C controller, wherein the +status register may not necessarily contain valid value immediately +after the IFLG flag is set in the control register. + +My theory is that the controller: +- first sets the IFLG in control register +- then updates the status register +- then raises an interrupt + +This may sometime cause weird bugs when in atomic mode, since in this +mode we do not wait for an interrupt, but instead we poll the control +register for IFLG and read status register immediately after. + +I encountered -ENXIO from mv64xxx_i2c_fsm() due to this issue when using +this driver in atomic mode. + +Note that I've only seen this issue on Armada 385, I don't know whether +other SOCs with this controller are also affected. Also note that this +fix has been in U-Boot for over 4 years [1] without anybody complaining, +so it should not cause regressions. + +[1] https://source.denx.de/u-boot/u-boot/-/commit/d50e29662f78 + +Fixes: 544a8d75f3d6 ("i2c: mv64xxx: Add atomic_xfer method to driver") +Signed-off-by: Marek Behún +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mv64xxx.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-mv64xxx.c b/drivers/i2c/busses/i2c-mv64xxx.c +index 103a05ecc3d6b..9729a71b25672 100644 +--- a/drivers/i2c/busses/i2c-mv64xxx.c ++++ b/drivers/i2c/busses/i2c-mv64xxx.c +@@ -520,6 +520,17 @@ mv64xxx_i2c_intr(int irq, void *dev_id) + + while (readl(drv_data->reg_base + drv_data->reg_offsets.control) & + MV64XXX_I2C_REG_CONTROL_IFLG) { ++ /* ++ * It seems that sometime the controller updates the status ++ * register only after it asserts IFLG in control register. ++ * This may result in weird bugs when in atomic mode. A delay ++ * of 100 ns before reading the status register solves this ++ * issue. This bug does not seem to appear when using ++ * interrupts. ++ */ ++ if (drv_data->atomic) ++ ndelay(100); ++ + status = readl(drv_data->reg_base + drv_data->reg_offsets.status); + mv64xxx_i2c_fsm(drv_data, status); + mv64xxx_i2c_do_action(drv_data); +-- +2.39.2 + diff --git a/queue-5.15/i2c-sprd-delete-i2c-adapter-in-.remove-s-error-path.patch b/queue-5.15/i2c-sprd-delete-i2c-adapter-in-.remove-s-error-path.patch new file mode 100644 index 00000000000..a6e4bf0d88d --- /dev/null +++ b/queue-5.15/i2c-sprd-delete-i2c-adapter-in-.remove-s-error-path.patch @@ -0,0 +1,53 @@ +From 9019b42b0a0d6ab8433f1efe56c3dc2f58870a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Mar 2023 10:58:19 +0100 +Subject: i2c: sprd: Delete i2c adapter in .remove's error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit ca0aa17f2db3468fd017038d23a78e17388e2f67 ] + +If pm runtime resume fails the .remove callback used to exit early. This +resulted in an error message by the driver core but the device gets +removed anyhow. This lets the registered i2c adapter stay around with an +unbound parent device. + +So only skip clk disabling if resume failed, but do delete the adapter. + +Fixes: 8b9ec0719834 ("i2c: Add Spreadtrum I2C controller driver") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-sprd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-sprd.c b/drivers/i2c/busses/i2c-sprd.c +index 4fe15cd78907e..ffc54fbf814dd 100644 +--- a/drivers/i2c/busses/i2c-sprd.c ++++ b/drivers/i2c/busses/i2c-sprd.c +@@ -576,12 +576,14 @@ static int sprd_i2c_remove(struct platform_device *pdev) + struct sprd_i2c *i2c_dev = platform_get_drvdata(pdev); + int ret; + +- ret = pm_runtime_resume_and_get(i2c_dev->dev); ++ ret = pm_runtime_get_sync(i2c_dev->dev); + if (ret < 0) +- return ret; ++ dev_err(&pdev->dev, "Failed to resume device (%pe)\n", ERR_PTR(ret)); + + i2c_del_adapter(&i2c_dev->adap); +- clk_disable_unprepare(i2c_dev->clk); ++ ++ if (ret >= 0) ++ clk_disable_unprepare(i2c_dev->clk); + + pm_runtime_put_noidle(i2c_dev->dev); + pm_runtime_disable(i2c_dev->dev); +-- +2.39.2 + diff --git a/queue-5.15/riscv-fix-kprobe-__user-string-arg-print-fault-issue.patch b/queue-5.15/riscv-fix-kprobe-__user-string-arg-print-fault-issue.patch new file mode 100644 index 00000000000..361180068b5 --- /dev/null +++ b/queue-5.15/riscv-fix-kprobe-__user-string-arg-print-fault-issue.patch @@ -0,0 +1,68 @@ +From 396e5e547dba6d21c546b1a9f0eb76d621b117c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 15:29:10 +0800 +Subject: riscv: fix kprobe __user string arg print fault issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ruan Jinjie + +[ Upstream commit 99a670b2069c725a7b50318aa681d9cae8f89325 ] + +On riscv qemu platform, when add kprobe event on do_sys_open() to show +filename string arg, it just print fault as follow: + +echo 'p:myprobe do_sys_open dfd=$arg1 filename=+0($arg2):string flags=$arg3 +mode=$arg4' > kprobe_events + +bash-166 [000] ...1. 360.195367: myprobe: (do_sys_open+0x0/0x84) +dfd=0xffffffffffffff9c filename=(fault) flags=0x8241 mode=0x1b6 + +bash-166 [000] ...1. 360.219369: myprobe: (do_sys_open+0x0/0x84) +dfd=0xffffffffffffff9c filename=(fault) flags=0x8241 mode=0x1b6 + +bash-191 [000] ...1. 360.378827: myprobe: (do_sys_open+0x0/0x84) +dfd=0xffffffffffffff9c filename=(fault) flags=0x98800 mode=0x0 + +As riscv do not select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE, +the +0($arg2) addr is processed as a kernel address though it is a +userspace address, cause the above filename=(fault) print. So select +ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE to avoid the issue, after that the +kprobe trace is ok as below: + +bash-166 [000] ...1. 96.767641: myprobe: (do_sys_open+0x0/0x84) +dfd=0xffffffffffffff9c filename="/dev/null" flags=0x8241 mode=0x1b6 + +bash-166 [000] ...1. 96.793751: myprobe: (do_sys_open+0x0/0x84) +dfd=0xffffffffffffff9c filename="/dev/null" flags=0x8241 mode=0x1b6 + +bash-177 [000] ...1. 96.962354: myprobe: (do_sys_open+0x0/0x84) +dfd=0xffffffffffffff9c filename="/sys/kernel/debug/tracing/events/kprobes/" +flags=0x98800 mode=0x0 + +Signed-off-by: Ruan Jinjie +Acked-by: Björn Töpel +Fixes: 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work") +Link: https://lore.kernel.org/r/20230504072910.3742842-1-ruanjinjie@huawei.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig +index bf602e38962fa..8dd7f01ee031d 100644 +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -23,6 +23,7 @@ config RISCV + select ARCH_HAS_GIGANTIC_PAGE + select ARCH_HAS_KCOV + select ARCH_HAS_MMIOWB ++ select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE + select ARCH_HAS_PTE_SPECIAL + select ARCH_HAS_SET_DIRECT_MAP if MMU + select ARCH_HAS_SET_MEMORY if MMU +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index b0a3e9164b2..8ac89e645a1 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -68,3 +68,19 @@ rbd-get-snapshot-context-after-exclusive-lock-is-ensured-to-be-held.patch pinctrl-meson-axg-add-missing-gpioa_18-gpio-group.patch usb-usbfs-enforce-page-requirements-for-mmap.patch usb-usbfs-use-consistent-mmap-functions.patch +arm-dts-at91-sama7g5ek-fix-debounce-delay-property-f.patch +asoc-codecs-wsa881x-do-not-set-can_multi_write-flag.patch +arm64-dts-qcom-sc7180-lite-fix-sdram-freq-for-miside.patch +arm64-dts-imx8qm-mek-correct-gpios-for-usdhc2-cd-and.patch +arm64-dts-imx8-ss-dma-assign-default-clock-rate-for-.patch +asoc-mediatek-mt8195-afe-pcm-convert-to-platform-rem.patch +asoc-mediatek-mt8195-fix-use-after-free-in-driver-re.patch +arm64-dts-imx8mn-beacon-fix-spi-cs-pinmux.patch +i2c-mv64xxx-fix-reading-invalid-status-value-in-atom.patch +firmware-arm_ffa-set-handle-field-to-zero-in-memory-.patch +i2c-sprd-delete-i2c-adapter-in-.remove-s-error-path.patch +eeprom-at24-also-select-regmap.patch +riscv-fix-kprobe-__user-string-arg-print-fault-issue.patch +vduse-avoid-empty-string-for-dev-name.patch +vhost-support-packed-when-setting-getting-vring_base.patch +vhost_vdpa-support-packed-when-setting-getting-vring.patch diff --git a/queue-5.15/vduse-avoid-empty-string-for-dev-name.patch b/queue-5.15/vduse-avoid-empty-string-for-dev-name.patch new file mode 100644 index 00000000000..5babe219541 --- /dev/null +++ b/queue-5.15/vduse-avoid-empty-string-for-dev-name.patch @@ -0,0 +1,64 @@ +From 3a0e06b58414573af9e4c4cee132b083ef4fda57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 11:36:26 +0800 +Subject: vduse: avoid empty string for dev name + +From: Sheng Zhao + +[ Upstream commit a90e8608eb0ed93d31ac0feb055f77ce59512542 ] + +Syzkaller hits a kernel WARN when the first character of the dev name +provided is NULL. Solution is to add a NULL check before calling +cdev_device_add() in vduse_create_dev(). + +kobject: (0000000072042169): attempted to be registered with empty name! +WARNING: CPU: 0 PID: 112695 at lib/kobject.c:236 +Call Trace: + kobject_add_varg linux/src/lib/kobject.c:390 [inline] + kobject_add+0xf6/0x150 linux/src/lib/kobject.c:442 + device_add+0x28f/0xc20 linux/src/drivers/base/core.c:2167 + cdev_device_add+0x83/0xc0 linux/src/fs/char_dev.c:546 + vduse_create_dev linux/src/drivers/vdpa/vdpa_user/vduse_dev.c:2254 [inline] + vduse_ioctl+0x7b5/0xf30 linux/src/drivers/vdpa/vdpa_user/vduse_dev.c:2316 + vfs_ioctl linux/src/fs/ioctl.c:47 [inline] + file_ioctl linux/src/fs/ioctl.c:510 [inline] + do_vfs_ioctl+0x14b/0xa80 linux/src/fs/ioctl.c:697 + ksys_ioctl+0x7c/0xa0 linux/src/fs/ioctl.c:714 + __do_sys_ioctl linux/src/fs/ioctl.c:721 [inline] + __se_sys_ioctl linux/src/fs/ioctl.c:719 [inline] + __x64_sys_ioctl+0x42/0x50 linux/src/fs/ioctl.c:719 + do_syscall_64+0x94/0x330 linux/src/arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") +Cc: "Xie Yongji" +Reported-by: Xianjun Zeng +Signed-off-by: Sheng Zhao +Message-Id: <20230530033626.1266794-1-sheng.zhao@bytedance.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Reviewed-by: Xie Yongji +Cc: "Michael S. Tsirkin", "Jason Wang", +Reviewed-by: Xie Yongji +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_user/vduse_dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c +index 3467c75f310a5..30ae4237f3dd4 100644 +--- a/drivers/vdpa/vdpa_user/vduse_dev.c ++++ b/drivers/vdpa/vdpa_user/vduse_dev.c +@@ -1254,6 +1254,9 @@ static bool vduse_validate_config(struct vduse_dev_config *config) + if (config->vq_num > 0xffff) + return false; + ++ if (!config->name[0]) ++ return false; ++ + if (!device_is_allowed(config->device_id)) + return false; + +-- +2.39.2 + diff --git a/queue-5.15/vhost-support-packed-when-setting-getting-vring_base.patch b/queue-5.15/vhost-support-packed-when-setting-getting-vring_base.patch new file mode 100644 index 00000000000..404436f24dc --- /dev/null +++ b/queue-5.15/vhost-support-packed-when-setting-getting-vring_base.patch @@ -0,0 +1,85 @@ +From 2ccb6b174fc2525b5056ea81e91d4926b12cfe48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 15:50:30 -0700 +Subject: vhost: support PACKED when setting-getting vring_base + +From: Shannon Nelson + +[ Upstream commit 55d8122f5cd62d5aaa225d7167dcd14a44c850b9 ] + +Use the right structs for PACKED or split vqs when setting and +getting the vring base. + +Fixes: 4c8cf31885f6 ("vhost: introduce vDPA-based backend") +Signed-off-by: Shannon Nelson +Message-Id: <20230424225031.18947-3-shannon.nelson@amd.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vhost/vhost.c | 18 +++++++++++++----- + drivers/vhost/vhost.h | 8 ++++++-- + 2 files changed, 19 insertions(+), 7 deletions(-) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index c0f926a9c298f..047fa2faef566 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -1628,17 +1628,25 @@ long vhost_vring_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *arg + r = -EFAULT; + break; + } +- if (s.num > 0xffff) { +- r = -EINVAL; +- break; ++ if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED)) { ++ vq->last_avail_idx = s.num & 0xffff; ++ vq->last_used_idx = (s.num >> 16) & 0xffff; ++ } else { ++ if (s.num > 0xffff) { ++ r = -EINVAL; ++ break; ++ } ++ vq->last_avail_idx = s.num; + } +- vq->last_avail_idx = s.num; + /* Forget the cached index value. */ + vq->avail_idx = vq->last_avail_idx; + break; + case VHOST_GET_VRING_BASE: + s.index = idx; +- s.num = vq->last_avail_idx; ++ if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED)) ++ s.num = (u32)vq->last_avail_idx | ((u32)vq->last_used_idx << 16); ++ else ++ s.num = vq->last_avail_idx; + if (copy_to_user(argp, &s, sizeof s)) + r = -EFAULT; + break; +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h +index f2675c0aa08ee..6378f020e6d53 100644 +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -86,13 +86,17 @@ struct vhost_virtqueue { + /* The routine to call when the Guest pings us, or timeout. */ + vhost_work_fn_t handle_kick; + +- /* Last available index we saw. */ ++ /* Last available index we saw. ++ * Values are limited to 0x7fff, and the high bit is used as ++ * a wrap counter when using VIRTIO_F_RING_PACKED. */ + u16 last_avail_idx; + + /* Caches available index value from user. */ + u16 avail_idx; + +- /* Last index we used. */ ++ /* Last index we used. ++ * Values are limited to 0x7fff, and the high bit is used as ++ * a wrap counter when using VIRTIO_F_RING_PACKED. */ + u16 last_used_idx; + + /* Used flags */ +-- +2.39.2 + diff --git a/queue-5.15/vhost_vdpa-support-packed-when-setting-getting-vring.patch b/queue-5.15/vhost_vdpa-support-packed-when-setting-getting-vring.patch new file mode 100644 index 00000000000..0b2dea31bee --- /dev/null +++ b/queue-5.15/vhost_vdpa-support-packed-when-setting-getting-vring.patch @@ -0,0 +1,64 @@ +From 1d9831d9b573a0cc45a43558f4220539112f0eac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 15:50:31 -0700 +Subject: vhost_vdpa: support PACKED when setting-getting vring_base + +From: Shannon Nelson + +[ Upstream commit beee7fdb5b56a46415a4992d28dd4c2d06eb52df ] + +Use the right structs for PACKED or split vqs when setting and +getting the vring base. + +Fixes: 4c8cf31885f6 ("vhost: introduce vDPA-based backend") +Signed-off-by: Shannon Nelson +Message-Id: <20230424225031.18947-4-shannon.nelson@amd.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vhost/vdpa.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c +index 299a995326185..9ca8b92d92ae4 100644 +--- a/drivers/vhost/vdpa.c ++++ b/drivers/vhost/vdpa.c +@@ -392,7 +392,14 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd, + if (r) + return r; + +- vq->last_avail_idx = vq_state.split.avail_index; ++ if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED)) { ++ vq->last_avail_idx = vq_state.packed.last_avail_idx | ++ (vq_state.packed.last_avail_counter << 15); ++ vq->last_used_idx = vq_state.packed.last_used_idx | ++ (vq_state.packed.last_used_counter << 15); ++ } else { ++ vq->last_avail_idx = vq_state.split.avail_index; ++ } + break; + } + +@@ -410,9 +417,15 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd, + break; + + case VHOST_SET_VRING_BASE: +- vq_state.split.avail_index = vq->last_avail_idx; +- if (ops->set_vq_state(vdpa, idx, &vq_state)) +- r = -EINVAL; ++ if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED)) { ++ vq_state.packed.last_avail_idx = vq->last_avail_idx & 0x7fff; ++ vq_state.packed.last_avail_counter = !!(vq->last_avail_idx & 0x8000); ++ vq_state.packed.last_used_idx = vq->last_used_idx & 0x7fff; ++ vq_state.packed.last_used_counter = !!(vq->last_used_idx & 0x8000); ++ } else { ++ vq_state.split.avail_index = vq->last_avail_idx; ++ } ++ r = ops->set_vq_state(vdpa, idx, &vq_state); + break; + + case VHOST_SET_VRING_CALL: +-- +2.39.2 + -- 2.47.2