From a0ce172e5c7bac724404e90a4351e26d9210ecf7 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 5 Jul 2024 15:22:28 -0400 Subject: [PATCH] Revert "Fixes for 6.9" This reverts commit 7615eef8605a43c783f7884247480857a9142834. Signed-off-by: Sasha Levin --- ...ialized-value-in-bpf_core_read_bitfi.patch | 59 ---- ...mmy_struct_ops-program-params-for-te.patch | 102 ------ ...my_struct_ops.test_1-parameter-as-nu.patch | 60 ---- ...ialize-ret-in-scrub_simple_mirror-to.patch | 44 --- ...last_media_change-check-to-avoid-uni.patch | 71 ----- ...-cipher-zeroize-key-buffer-after-use.patch | 53 ---- ...-debugfs-fix-debugfs-uninit-process-.patch | 82 ----- ...silicon-sec2-fix-for-register-offset.patch | 35 -- ...y-add-null-pointer-check-for-kzalloc.patch | 230 -------------- ...assert-when-failing-to-find-index-by.patch | 56 ---- ...check-index-msg_id-before-read-or-wr.patch | 56 ---- ...check-pipe-offset-before-setting-vbl.patch | 45 --- ...do-not-return-negative-stream-id-for.patch | 48 --- ...fix-overlapping-copy-within-dml_core.patch | 46 --- ...ay-fix-uninitialized-variables-in-dm.patch | 86 ----- ...skip-finding-free-audio-for-unknown-.patch | 44 --- ...update-pipe-topology-log-to-support-.patch | 167 ---------- ...ouble-free-err_addr-pointer-warnings.patch | 36 --- ...he-warning-about-the-expression-int-.patch | 43 --- ...ninitialized-scalar-variable-warning.patch | 39 --- ...-fix-uninitialized-variable-warnings.patch | 52 --- ...alize-timestamp-for-some-legacy-socs.patch | 46 --- ...-uninitialized-value-size-when-calli.patch | 43 --- ...reset-with-guc-submission-is-disable.patch | 72 ----- ...shared-irq-handling-on-driver-remove.patch | 88 ------ ...-runtime_pm-protection-to-xe_live_kt.patch | 62 ---- ...ation-of-fault-attrs-in-f2fs_build_f.patch | 142 --------- ...re-dmi-stop-decoding-on-broken-entry.patch | 46 --- ...stopped-queues-when-reading-nic-stat.patch | 146 --------- ...otate-apanel_addr-as-__ro_after_init.patch | 35 -- ...plement-a-limit-on-umad-receive-list.patch | 125 -------- ...log-entry-using-uninitialized-netdev.patch | 61 ---- ...efer-struct_size-over-open-coded-ari.patch | 73 ----- ...ts-remove-bug_on-in-its_vpe_irq_doma.patch | 41 --- ...ial-illegal-address-access-in-jffs2_.patch | 94 ------ queue-6.9/kunit-fix-timeout-message.patch | 53 ---- ...-do-not-spam-logs-with-fortify-warns.patch | 46 --- queue-6.9/kunit-handle-test-faults.patch | 152 --------- ...e-devm_mutex_init-for-mutex-initiali.patch | 69 ---- ...devm_mutex_init-for-mutex-initializa.patch | 70 ---- ...king-mutex-introduce-devm_mutex_init.patch | 114 ------- ...2-fe-fix-as10x_register_addr-packing.patch | 44 --- ...ntends-tda10048-fix-integer-overflow.patch | 53 ---- ...nds-tda18271c2dd-remove-casting-duri.patch | 49 --- ...b0700_devices-add-missing-release_fi.patch | 68 ---- ...-don-t-translate-i2c-read-into-write.patch | 197 ------------ ...2102-fix-a-potential-buffer-overflow.patch | 40 --- ...mipid02-use-the-correct-div-function.patch | 40 --- ...codec-only-free-buffer-va-that-is-no.patch | 87 ----- ...refcount_t-instead-of-atomic_t-for-n.patch | 109 ------- ...358746-use-the-correct-div_-function.patch | 39 --- ...void-calling-bug-when-warn-is-enough.patch | 42 --- ...88e6xxx-correct-check-for-empty-list.patch | 50 --- ...ug_on-in-nilfs_finish_roll_forward-t.patch | 45 --- ...angefs-fix-out-of-bounds-fsid-access.patch | 43 --- ...se-zfree-to-avoid-possibly-accessing.patch | 45 --- ...free-to-avoid-possibly-accessing-dan.patch | 45 --- ...-lock-avoid-memory-leaks-from-strdup.patch | 70 ---- ...free-to-avoid-possibly-accessing-dan.patch | 44 --- ...io_base-to-poison_pointer_delta-not-.patch | 49 --- ...i_enter-nmi_exit-in-real-mode-interr.patch | 116 ------- ...-dexcr-reset-dexcr-value-across-exec.patch | 111 ------- ...pc-dexcr-track-the-dexcr-per-process.patch | 96 ------ ...check-cpu-id-in-commands-c-dp-and-dx.patch | 61 ---- ...-fix-the-initial-sample-period-value.patch | 39 --- ...ve-cip-1200-workaround-to-single-asi.patch | 126 -------- ...-in-__load_psw_mask-as-__unitialized.patch | 47 --- ...ree_sensitive-to-fix-coccinelle-warn.patch | 63 ---- ...opies-of-clear-key-structures-on-fai.patch | 86 ----- ...-copies-of-protected-and-secure-keys.patch | 248 --------------- ...-pkey-wipe-sensitive-data-on-failure.patch | 47 --- queue-6.9/scsi-mpi3mr-sanitise-num_phys.patch | 50 --- ...ake-qedf_execute_tmf-non-preemptible.patch | 54 ---- ...ruct_size-over-open-coded-arithmetic.patch | 74 ----- ...just-dummy_st_ops_success-to-detect-.patch | 89 ------ ...-not-pass-null-for-non-nullable-para.patch | 72 ----- ...mmy_st_ops-should-reject-0-for-non-n.patch | 68 ---- ...ests-net-fix-uninitialized-variables.patch | 84 ----- ...sctrl-fix-non-contiguous-cbm-for-amd.patch | 90 ------ ...rial-imx-raise-tx-trigger-level-to-8.patch | 45 --- queue-6.9/series | 91 ------ ...mediatek-lvts_thermal-check-null-ptr.patch | 35 -- ...ostat-avoid-possible-memory-corrupti.patch | 136 -------- ...turbostat-remember-global-max_die_id.patch | 66 ---- ...-potential-failure-in-handle_tx_even.patch | 54 ---- ...-release-worker-mutex-during-flushes.patch | 134 -------- ...-virtqueue-mutex-for-swapping-worker.patch | 67 ---- ...e-sigkill-by-flushing-work-and-exiti.patch | 298 ------------------ .../virtio-pci-check-if-is_avq-is-null.patch | 48 --- ...-add-sanity-checks-for-background-ra.patch | 56 ---- ...76-replace-skb_put-with-skb_put_zero.patch | 83 ----- ...an-offload-prohibit-all-6-ghz-channe.patch | 40 --- 92 files changed, 6965 deletions(-) delete mode 100644 queue-6.9/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch delete mode 100644 queue-6.9/bpf-check-bpf_dummy_struct_ops-program-params-for-te.patch delete mode 100644 queue-6.9/bpf-mark-bpf_dummy_struct_ops.test_1-parameter-as-nu.patch delete mode 100644 queue-6.9/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch delete mode 100644 queue-6.9/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch delete mode 100644 queue-6.9/crypto-aead-cipher-zeroize-key-buffer-after-use.patch delete mode 100644 queue-6.9/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch delete mode 100644 queue-6.9/crypto-hisilicon-sec2-fix-for-register-offset.patch delete mode 100644 queue-6.9/drm-amd-display-add-null-pointer-check-for-kzalloc.patch delete mode 100644 queue-6.9/drm-amd-display-assert-when-failing-to-find-index-by.patch delete mode 100644 queue-6.9/drm-amd-display-check-index-msg_id-before-read-or-wr.patch delete mode 100644 queue-6.9/drm-amd-display-check-pipe-offset-before-setting-vbl.patch delete mode 100644 queue-6.9/drm-amd-display-do-not-return-negative-stream-id-for.patch delete mode 100644 queue-6.9/drm-amd-display-fix-overlapping-copy-within-dml_core.patch delete mode 100644 queue-6.9/drm-amd-display-fix-uninitialized-variables-in-dm.patch delete mode 100644 queue-6.9/drm-amd-display-skip-finding-free-audio-for-unknown-.patch delete mode 100644 queue-6.9/drm-amd-display-update-pipe-topology-log-to-support-.patch delete mode 100644 queue-6.9/drm-amdgpu-fix-double-free-err_addr-pointer-warnings.patch delete mode 100644 queue-6.9/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch delete mode 100644 queue-6.9/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch delete mode 100644 queue-6.9/drm-amdgpu-fix-uninitialized-variable-warnings.patch delete mode 100644 queue-6.9/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch delete mode 100644 queue-6.9/drm-amdgpu-using-uninitialized-value-size-when-calli.patch delete mode 100644 queue-6.9/drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch delete mode 100644 queue-6.9/drm-lima-fix-shared-irq-handling-on-driver-remove.patch delete mode 100644 queue-6.9/drm-xe-add-outer-runtime_pm-protection-to-xe_live_kt.patch delete mode 100644 queue-6.9/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch delete mode 100644 queue-6.9/firmware-dmi-stop-decoding-on-broken-entry.patch delete mode 100644 queue-6.9/gve-account-for-stopped-queues-when-reading-nic-stat.patch delete mode 100644 queue-6.9/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch delete mode 100644 queue-6.9/ib-core-implement-a-limit-on-umad-receive-list.patch delete mode 100644 queue-6.9/igc-fix-a-log-entry-using-uninitialized-netdev.patch delete mode 100644 queue-6.9/input-ff-core-prefer-struct_size-over-open-coded-ari.patch delete mode 100644 queue-6.9/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch delete mode 100644 queue-6.9/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch delete mode 100644 queue-6.9/kunit-fix-timeout-message.patch delete mode 100644 queue-6.9/kunit-fortify-do-not-spam-logs-with-fortify-warns.patch delete mode 100644 queue-6.9/kunit-handle-test-faults.patch delete mode 100644 queue-6.9/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch delete mode 100644 queue-6.9/leds-mlxreg-use-devm_mutex_init-for-mutex-initializa.patch delete mode 100644 queue-6.9/locking-mutex-introduce-devm_mutex_init.patch delete mode 100644 queue-6.9/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch delete mode 100644 queue-6.9/media-dvb-frontends-tda10048-fix-integer-overflow.patch delete mode 100644 queue-6.9/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch delete mode 100644 queue-6.9/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch delete mode 100644 queue-6.9/media-dw2102-don-t-translate-i2c-read-into-write.patch delete mode 100644 queue-6.9/media-dw2102-fix-a-potential-buffer-overflow.patch delete mode 100644 queue-6.9/media-i2c-st-mipid02-use-the-correct-div-function.patch delete mode 100644 queue-6.9/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch delete mode 100644 queue-6.9/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch delete mode 100644 queue-6.9/media-tc358746-use-the-correct-div_-function.patch delete mode 100644 queue-6.9/net-dql-avoid-calling-bug-when-warn-is-enough.patch delete mode 100644 queue-6.9/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch delete mode 100644 queue-6.9/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch delete mode 100644 queue-6.9/orangefs-fix-out-of-bounds-fsid-access.patch delete mode 100644 queue-6.9/perf-callchain-use-zfree-to-avoid-possibly-accessing.patch delete mode 100644 queue-6.9/perf-kwork-use-zfree-to-avoid-possibly-accessing-dan.patch delete mode 100644 queue-6.9/perf-lock-avoid-memory-leaks-from-strdup.patch delete mode 100644 queue-6.9/perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch delete mode 100644 queue-6.9/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch delete mode 100644 queue-6.9/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch delete mode 100644 queue-6.9/powerpc-dexcr-reset-dexcr-value-across-exec.patch delete mode 100644 queue-6.9/powerpc-dexcr-track-the-dexcr-per-process.patch delete mode 100644 queue-6.9/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch delete mode 100644 queue-6.9/risc-v-kvm-fix-the-initial-sample-period-value.patch delete mode 100644 queue-6.9/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch delete mode 100644 queue-6.9/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch delete mode 100644 queue-6.9/s390-pkey-use-kfree_sensitive-to-fix-coccinelle-warn.patch delete mode 100644 queue-6.9/s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch delete mode 100644 queue-6.9/s390-pkey-wipe-copies-of-protected-and-secure-keys.patch delete mode 100644 queue-6.9/s390-pkey-wipe-sensitive-data-on-failure.patch delete mode 100644 queue-6.9/scsi-mpi3mr-sanitise-num_phys.patch delete mode 100644 queue-6.9/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch delete mode 100644 queue-6.9/sctp-prefer-struct_size-over-open-coded-arithmetic.patch delete mode 100644 queue-6.9/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch delete mode 100644 queue-6.9/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch delete mode 100644 queue-6.9/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch delete mode 100644 queue-6.9/selftests-net-fix-uninitialized-variables.patch delete mode 100644 queue-6.9/selftests-resctrl-fix-non-contiguous-cbm-for-amd.patch delete mode 100644 queue-6.9/serial-imx-raise-tx-trigger-level-to-8.patch delete mode 100644 queue-6.9/series delete mode 100644 queue-6.9/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch delete mode 100644 queue-6.9/tools-power-turbostat-avoid-possible-memory-corrupti.patch delete mode 100644 queue-6.9/tools-power-turbostat-remember-global-max_die_id.patch delete mode 100644 queue-6.9/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch delete mode 100644 queue-6.9/vhost-release-worker-mutex-during-flushes.patch delete mode 100644 queue-6.9/vhost-use-virtqueue-mutex-for-swapping-worker.patch delete mode 100644 queue-6.9/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch delete mode 100644 queue-6.9/virtio-pci-check-if-is_avq-is-null.patch delete mode 100644 queue-6.9/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch delete mode 100644 queue-6.9/wifi-mt76-replace-skb_put-with-skb_put_zero.patch delete mode 100644 queue-6.9/wifi-rtw89-fw-scan-offload-prohibit-all-6-ghz-channe.patch diff --git a/queue-6.9/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch b/queue-6.9/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch deleted file mode 100644 index 4de744234ac..00000000000 --- a/queue-6.9/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 252981897ed165e23d8d65a75edbbe7d20a6fb44 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 May 2024 12:13:13 +0200 -Subject: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD - -From: Jose E. Marchesi - -[ Upstream commit 009367099eb61a4fc2af44d4eb06b6b4de7de6db ] - -[Changes from V1: - - Use a default branch in the switch statement to initialize `val'.] - -GCC warns that `val' may be used uninitialized in the -BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as: - - [...] - unsigned long long val; \ - [...] \ - switch (__CORE_RELO(s, field, BYTE_SIZE)) { \ - case 1: val = *(const unsigned char *)p; break; \ - case 2: val = *(const unsigned short *)p; break; \ - case 4: val = *(const unsigned int *)p; break; \ - case 8: val = *(const unsigned long long *)p; break; \ - } \ - [...] - val; \ - } \ - -This patch adds a default entry in the switch statement that sets -`val' to zero in order to avoid the warning, and random values to be -used in case __builtin_preserve_field_info returns unexpected values -for BPF_FIELD_BYTE_SIZE. - -Tested in bpf-next master. -No regressions. - -Signed-off-by: Jose E. Marchesi -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/bpf/20240508101313.16662-1-jose.marchesi@oracle.com -Signed-off-by: Sasha Levin ---- - tools/lib/bpf/bpf_core_read.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h -index 1ce738d91685a..670726353aa50 100644 ---- a/tools/lib/bpf/bpf_core_read.h -+++ b/tools/lib/bpf/bpf_core_read.h -@@ -104,6 +104,7 @@ enum bpf_enum_value_kind { - case 2: val = *(const unsigned short *)p; break; \ - case 4: val = *(const unsigned int *)p; break; \ - case 8: val = *(const unsigned long long *)p; break; \ -+ default: val = 0; break; \ - } \ - val <<= __CORE_RELO(s, field, LSHIFT_U64); \ - if (__CORE_RELO(s, field, SIGNED)) \ --- -2.43.0 - diff --git a/queue-6.9/bpf-check-bpf_dummy_struct_ops-program-params-for-te.patch b/queue-6.9/bpf-check-bpf_dummy_struct_ops-program-params-for-te.patch deleted file mode 100644 index 1d32b3b16f1..00000000000 --- a/queue-6.9/bpf-check-bpf_dummy_struct_ops-program-params-for-te.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 9f9fc46ce0d05f4fb35a1c8b33a5e152f43ca850 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:20 -0700 -Subject: bpf: check bpf_dummy_struct_ops program params for test runs - -From: Eduard Zingerman - -[ Upstream commit 980ca8ceeae69ddf362870ea9183f389ae26324a ] - -When doing BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs, -reject execution when NULL is passed for non-nullable params. -For programs with non-nullable params verifier assumes that -such params are never NULL and thus might optimize out NULL checks. - -Suggested-by: Kui-Feng Lee -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-5-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - net/bpf/bpf_dummy_struct_ops.c | 51 +++++++++++++++++++++++++++++++++- - 1 file changed, 50 insertions(+), 1 deletion(-) - -diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c -index fdbe30ad8db2f..7236349cf0598 100644 ---- a/net/bpf/bpf_dummy_struct_ops.c -+++ b/net/bpf/bpf_dummy_struct_ops.c -@@ -79,6 +79,51 @@ static int dummy_ops_call_op(void *image, struct bpf_dummy_ops_test_args *args) - args->args[3], args->args[4]); - } - -+static const struct bpf_ctx_arg_aux *find_ctx_arg_info(struct bpf_prog_aux *aux, int offset) -+{ -+ int i; -+ -+ for (i = 0; i < aux->ctx_arg_info_size; i++) -+ if (aux->ctx_arg_info[i].offset == offset) -+ return &aux->ctx_arg_info[i]; -+ -+ return NULL; -+} -+ -+/* There is only one check at the moment: -+ * - zero should not be passed for pointer parameters not marked as nullable. -+ */ -+static int check_test_run_args(struct bpf_prog *prog, struct bpf_dummy_ops_test_args *args) -+{ -+ const struct btf_type *func_proto = prog->aux->attach_func_proto; -+ -+ for (u32 arg_no = 0; arg_no < btf_type_vlen(func_proto) ; ++arg_no) { -+ const struct btf_param *param = &btf_params(func_proto)[arg_no]; -+ const struct bpf_ctx_arg_aux *info; -+ const struct btf_type *t; -+ int offset; -+ -+ if (args->args[arg_no] != 0) -+ continue; -+ -+ /* Program is validated already, so there is no need -+ * to check if t is NULL. -+ */ -+ t = btf_type_skip_modifiers(bpf_dummy_ops_btf, param->type, NULL); -+ if (!btf_type_is_ptr(t)) -+ continue; -+ -+ offset = btf_ctx_arg_offset(bpf_dummy_ops_btf, func_proto, arg_no); -+ info = find_ctx_arg_info(prog->aux, offset); -+ if (info && (info->reg_type & PTR_MAYBE_NULL)) -+ continue; -+ -+ return -EINVAL; -+ } -+ -+ return 0; -+} -+ - extern const struct bpf_link_ops bpf_struct_ops_link_lops; - - int bpf_struct_ops_test_run(struct bpf_prog *prog, const union bpf_attr *kattr, -@@ -87,7 +132,7 @@ int bpf_struct_ops_test_run(struct bpf_prog *prog, const union bpf_attr *kattr, - const struct bpf_struct_ops *st_ops = &bpf_bpf_dummy_ops; - const struct btf_type *func_proto; - struct bpf_dummy_ops_test_args *args; -- struct bpf_tramp_links *tlinks; -+ struct bpf_tramp_links *tlinks = NULL; - struct bpf_tramp_link *link = NULL; - void *image = NULL; - unsigned int op_idx; -@@ -109,6 +154,10 @@ int bpf_struct_ops_test_run(struct bpf_prog *prog, const union bpf_attr *kattr, - if (IS_ERR(args)) - return PTR_ERR(args); - -+ err = check_test_run_args(prog, args); -+ if (err) -+ goto out; -+ - tlinks = kcalloc(BPF_TRAMP_MAX, sizeof(*tlinks), GFP_KERNEL); - if (!tlinks) { - err = -ENOMEM; --- -2.43.0 - diff --git a/queue-6.9/bpf-mark-bpf_dummy_struct_ops.test_1-parameter-as-nu.patch b/queue-6.9/bpf-mark-bpf_dummy_struct_ops.test_1-parameter-as-nu.patch deleted file mode 100644 index 9a651444b43..00000000000 --- a/queue-6.9/bpf-mark-bpf_dummy_struct_ops.test_1-parameter-as-nu.patch +++ /dev/null @@ -1,60 +0,0 @@ -From a646d2ce12649b55d96e003af7f7232199a9a4fe Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:17 -0700 -Subject: bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable - -From: Eduard Zingerman - -[ Upstream commit 1479eaff1f16983d8fda7c5a08a586c21891087d ] - -Test case dummy_st_ops/dummy_init_ret_value passes NULL as the first -parameter of the test_1() function. Mark this parameter as nullable to -make verifier aware of such possibility. -Otherwise, NULL check in the test_1() code: - - SEC("struct_ops/test_1") - int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) - { - if (!state) - return ...; - - ... access state ... - } - -Might be removed by verifier, thus triggering NULL pointer dereference -under certain conditions. - -Reported-by: Jose E. Marchesi -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-2-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - net/bpf/bpf_dummy_struct_ops.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c -index de33dc1b0daad..fdbe30ad8db2f 100644 ---- a/net/bpf/bpf_dummy_struct_ops.c -+++ b/net/bpf/bpf_dummy_struct_ops.c -@@ -230,7 +230,7 @@ static void bpf_dummy_unreg(void *kdata) - { - } - --static int bpf_dummy_test_1(struct bpf_dummy_ops_state *cb) -+static int bpf_dummy_ops__test_1(struct bpf_dummy_ops_state *cb__nullable) - { - return 0; - } -@@ -247,7 +247,7 @@ static int bpf_dummy_test_sleepable(struct bpf_dummy_ops_state *cb) - } - - static struct bpf_dummy_ops __bpf_bpf_dummy_ops = { -- .test_1 = bpf_dummy_test_1, -+ .test_1 = bpf_dummy_ops__test_1, - .test_2 = bpf_dummy_test_2, - .test_sleepable = bpf_dummy_test_sleepable, - }; --- -2.43.0 - diff --git a/queue-6.9/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch b/queue-6.9/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch deleted file mode 100644 index df23d92b0b9..00000000000 --- a/queue-6.9/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 6ba30b8e7b5e3c8f9d393e9c2979e6ad8bffe08f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 10:34:17 +0800 -Subject: btrfs: scrub: initialize ret in scrub_simple_mirror() to fix - compilation warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Lu Yao - -[ Upstream commit b4e585fffc1cf877112ed231a91f089e85688c2a ] - -The following error message is displayed: - ../fs/btrfs/scrub.c:2152:9: error: ‘ret’ may be used uninitialized - in this function [-Werror=maybe-uninitialized]" - -Compiler version: gcc version: (Debian 10.2.1-6) 10.2.1 20210110 - -Reviewed-by: Boris Burkov -Signed-off-by: Lu Yao -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/scrub.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c -index 4b22cfe9a98cb..afd6932f5e895 100644 ---- a/fs/btrfs/scrub.c -+++ b/fs/btrfs/scrub.c -@@ -2100,7 +2100,7 @@ static int scrub_simple_mirror(struct scrub_ctx *sctx, - struct btrfs_fs_info *fs_info = sctx->fs_info; - const u64 logical_end = logical_start + logical_length; - u64 cur_logical = logical_start; -- int ret; -+ int ret = 0; - - /* The range must be inside the bg */ - ASSERT(logical_start >= bg->start && logical_end <= bg->start + bg->length); --- -2.43.0 - diff --git a/queue-6.9/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch b/queue-6.9/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch deleted file mode 100644 index 420775ee655..00000000000 --- a/queue-6.9/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 568bc8b1918755080ea7abc6f874a10dda99767d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 23:25:20 +0100 -Subject: cdrom: rearrange last_media_change check to avoid unintentional - overflow - -From: Justin Stitt - -[ Upstream commit efb905aeb44b0e99c0e6b07865b1885ae0471ebf ] - -When running syzkaller with the newly reintroduced signed integer wrap -sanitizer we encounter this splat: - -[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33 -[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long') -[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO -[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 -[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 -[ 366.027518] Call Trace: -[ 366.027523] -[ 366.027533] dump_stack_lvl+0x93/0xd0 -[ 366.027899] handle_overflow+0x171/0x1b0 -[ 366.038787] ata1.00: invalid multi_count 32 ignored -[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10 -[ 366.063932] ? __pm_runtime_resume+0xe6/0x130 -[ 366.071923] sr_block_ioctl+0x15d/0x1d0 -[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10 -[ 366.077642] blkdev_ioctl+0x419/0x500 -[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10 -... - -Historically, the signed integer overflow sanitizer did not work in the -kernel due to its interaction with `-fwrapv` but this has since been -changed [1] in the newest version of Clang. It was re-enabled in the -kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow -sanitizer"). - -Let's rearrange the check to not perform any arithmetic, thus not -tripping the sanitizer. - -Link: https://github.com/llvm/llvm-project/pull/82432 [1] -Closes: https://github.com/KSPP/linux/issues/354 -Cc: linux-hardening@vger.kernel.org -Signed-off-by: Justin Stitt -Link: https://lore.kernel.org/lkml/20240507-b4-sio-ata1-v1-1-810ffac6080a@google.com -Reviewed-by: Phillip Potter -Link: https://lore.kernel.org/lkml/ZjqU0fbzHrlnad8D@equinox -Signed-off-by: Phillip Potter -Link: https://lore.kernel.org/r/20240507222520.1445-2-phil@philpotter.co.uk -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/cdrom/cdrom.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index a5e07270e0d41..20c90ebb3a3f6 100644 ---- a/drivers/cdrom/cdrom.c -+++ b/drivers/cdrom/cdrom.c -@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_timed_media_change(struct cdrom_device_info *cdi, - return -EFAULT; - - tmp_info.media_flags = 0; -- if (tmp_info.last_media_change - cdi->last_media_change_ms < 0) -+ if (cdi->last_media_change_ms > tmp_info.last_media_change) - tmp_info.media_flags |= MEDIA_CHANGED_FLAG; - - tmp_info.last_media_change = cdi->last_media_change_ms; --- -2.43.0 - diff --git a/queue-6.9/crypto-aead-cipher-zeroize-key-buffer-after-use.patch b/queue-6.9/crypto-aead-cipher-zeroize-key-buffer-after-use.patch deleted file mode 100644 index e1c60de355b..00000000000 --- a/queue-6.9/crypto-aead-cipher-zeroize-key-buffer-after-use.patch +++ /dev/null @@ -1,53 +0,0 @@ -From f78157a3bc89aa3f7b7c661be20b83e92aa8ee37 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Apr 2024 22:19:15 +0000 -Subject: crypto: aead,cipher - zeroize key buffer after use - -From: Hailey Mothershead - -[ Upstream commit 23e4099bdc3c8381992f9eb975c79196d6755210 ] - -I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding -cryptographic information should be zeroized once they are no longer -needed. Accomplish this by using kfree_sensitive for buffers that -previously held the private key. - -Signed-off-by: Hailey Mothershead -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - crypto/aead.c | 3 +-- - crypto/cipher.c | 3 +-- - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/crypto/aead.c b/crypto/aead.c -index 54906633566a2..5f3c1954d8e5d 100644 ---- a/crypto/aead.c -+++ b/crypto/aead.c -@@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key, - alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); - memcpy(alignbuffer, key, keylen); - ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen); -- memset(alignbuffer, 0, keylen); -- kfree(buffer); -+ kfree_sensitive(buffer); - return ret; - } - -diff --git a/crypto/cipher.c b/crypto/cipher.c -index 47c77a3e59783..40cae908788ec 100644 ---- a/crypto/cipher.c -+++ b/crypto/cipher.c -@@ -34,8 +34,7 @@ static int setkey_unaligned(struct crypto_cipher *tfm, const u8 *key, - alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); - memcpy(alignbuffer, key, keylen); - ret = cia->cia_setkey(crypto_cipher_tfm(tfm), alignbuffer, keylen); -- memset(alignbuffer, 0, keylen); -- kfree(buffer); -+ kfree_sensitive(buffer); - return ret; - - } --- -2.43.0 - diff --git a/queue-6.9/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch b/queue-6.9/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch deleted file mode 100644 index 417c2b0f31c..00000000000 --- a/queue-6.9/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 957f8dd9bee35149643a587007e8f7bd2da7d56d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 7 Apr 2024 15:59:53 +0800 -Subject: crypto: hisilicon/debugfs - Fix debugfs uninit process issue - -From: Chenghai Huang - -[ Upstream commit 8be0913389718e8d27c4f1d4537b5e1b99ed7739 ] - -During the zip probe process, the debugfs failure does not stop -the probe. When debugfs initialization fails, jumping to the -error branch will also release regs, in addition to its own -rollback operation. - -As a result, it may be released repeatedly during the regs -uninit process. Therefore, the null check needs to be added to -the regs uninit process. - -Signed-off-by: Chenghai Huang -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - drivers/crypto/hisilicon/debugfs.c | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - -diff --git a/drivers/crypto/hisilicon/debugfs.c b/drivers/crypto/hisilicon/debugfs.c -index cd67fa348ca72..6351a452878dd 100644 ---- a/drivers/crypto/hisilicon/debugfs.c -+++ b/drivers/crypto/hisilicon/debugfs.c -@@ -809,8 +809,14 @@ static void dfx_regs_uninit(struct hisi_qm *qm, - { - int i; - -+ if (!dregs) -+ return; -+ - /* Setting the pointer is NULL to prevent double free */ - for (i = 0; i < reg_len; i++) { -+ if (!dregs[i].regs) -+ continue; -+ - kfree(dregs[i].regs); - dregs[i].regs = NULL; - } -@@ -860,14 +866,21 @@ static struct dfx_diff_registers *dfx_regs_init(struct hisi_qm *qm, - static int qm_diff_regs_init(struct hisi_qm *qm, - struct dfx_diff_registers *dregs, u32 reg_len) - { -+ int ret; -+ - qm->debug.qm_diff_regs = dfx_regs_init(qm, qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); -- if (IS_ERR(qm->debug.qm_diff_regs)) -- return PTR_ERR(qm->debug.qm_diff_regs); -+ if (IS_ERR(qm->debug.qm_diff_regs)) { -+ ret = PTR_ERR(qm->debug.qm_diff_regs); -+ qm->debug.qm_diff_regs = NULL; -+ return ret; -+ } - - qm->debug.acc_diff_regs = dfx_regs_init(qm, dregs, reg_len); - if (IS_ERR(qm->debug.acc_diff_regs)) { - dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); -- return PTR_ERR(qm->debug.acc_diff_regs); -+ ret = PTR_ERR(qm->debug.acc_diff_regs); -+ qm->debug.acc_diff_regs = NULL; -+ return ret; - } - - return 0; -@@ -908,7 +921,9 @@ static int qm_last_regs_init(struct hisi_qm *qm) - static void qm_diff_regs_uninit(struct hisi_qm *qm, u32 reg_len) - { - dfx_regs_uninit(qm, qm->debug.acc_diff_regs, reg_len); -+ qm->debug.acc_diff_regs = NULL; - dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); -+ qm->debug.qm_diff_regs = NULL; - } - - /** --- -2.43.0 - diff --git a/queue-6.9/crypto-hisilicon-sec2-fix-for-register-offset.patch b/queue-6.9/crypto-hisilicon-sec2-fix-for-register-offset.patch deleted file mode 100644 index a33e39d6981..00000000000 --- a/queue-6.9/crypto-hisilicon-sec2-fix-for-register-offset.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b542142a2c2efdebf2270505dd590a627001b76e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 09:19:22 +0800 -Subject: crypto: hisilicon/sec2 - fix for register offset - -From: Wenkai Lin - -[ Upstream commit 6117af86365916e4202b5a709c155f7e6e5df810 ] - -The offset of SEC_CORE_ENABLE_BITMAP should be 0 instead of 32, -it cause a kasan shift-out-bounds warning, fix it. - -Signed-off-by: Wenkai Lin -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - drivers/crypto/hisilicon/sec2/sec_main.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/crypto/hisilicon/sec2/sec_main.c b/drivers/crypto/hisilicon/sec2/sec_main.c -index c290d8937b19c..fabea0d650297 100644 ---- a/drivers/crypto/hisilicon/sec2/sec_main.c -+++ b/drivers/crypto/hisilicon/sec2/sec_main.c -@@ -152,7 +152,7 @@ static const struct hisi_qm_cap_info sec_basic_info[] = { - {SEC_CORE_TYPE_NUM_CAP, 0x313c, 16, GENMASK(3, 0), 0x1, 0x1, 0x1}, - {SEC_CORE_NUM_CAP, 0x313c, 8, GENMASK(7, 0), 0x4, 0x4, 0x4}, - {SEC_CORES_PER_CLUSTER_NUM_CAP, 0x313c, 0, GENMASK(7, 0), 0x4, 0x4, 0x4}, -- {SEC_CORE_ENABLE_BITMAP, 0x3140, 32, GENMASK(31, 0), 0x17F, 0x17F, 0xF}, -+ {SEC_CORE_ENABLE_BITMAP, 0x3140, 0, GENMASK(31, 0), 0x17F, 0x17F, 0xF}, - {SEC_DRV_ALG_BITMAP_LOW, 0x3144, 0, GENMASK(31, 0), 0x18050CB, 0x18050CB, 0x18670CF}, - {SEC_DRV_ALG_BITMAP_HIGH, 0x3148, 0, GENMASK(31, 0), 0x395C, 0x395C, 0x395C}, - {SEC_DEV_ALG_BITMAP_LOW, 0x314c, 0, GENMASK(31, 0), 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF}, --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-add-null-pointer-check-for-kzalloc.patch b/queue-6.9/drm-amd-display-add-null-pointer-check-for-kzalloc.patch deleted file mode 100644 index a73fd1d09ce..00000000000 --- a/queue-6.9/drm-amd-display-add-null-pointer-check-for-kzalloc.patch +++ /dev/null @@ -1,230 +0,0 @@ -From 123f9f1e01fbc870fa0172b32e60a67c337378b0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 12:27:34 -0400 -Subject: drm/amd/display: Add NULL pointer check for kzalloc - -From: Hersen Wu - -[ Upstream commit 8e65a1b7118acf6af96449e1e66b7adbc9396912 ] - -[Why & How] -Check return pointer of kzalloc before using it. - -Reviewed-by: Alex Hung -Acked-by: Wayne Lin -Signed-off-by: Hersen Wu -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - .../gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c | 8 ++++++++ - .../gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c | 8 ++++++++ - .../drm/amd/display/dc/resource/dcn30/dcn30_resource.c | 3 +++ - .../drm/amd/display/dc/resource/dcn31/dcn31_resource.c | 5 +++++ - .../drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 5 +++++ - .../drm/amd/display/dc/resource/dcn315/dcn315_resource.c | 2 ++ - .../drm/amd/display/dc/resource/dcn316/dcn316_resource.c | 2 ++ - .../drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 5 +++++ - .../drm/amd/display/dc/resource/dcn321/dcn321_resource.c | 2 ++ - .../drm/amd/display/dc/resource/dcn35/dcn35_resource.c | 2 ++ - .../drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 2 ++ - 11 files changed, 44 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c -index 3271c8c7905dd..4e036356b6a89 100644 ---- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c -+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c -@@ -560,11 +560,19 @@ void dcn3_clk_mgr_construct( - dce_clock_read_ss_info(clk_mgr); - - clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); -+ if (!clk_mgr->base.bw_params) { -+ BREAK_TO_DEBUGGER(); -+ return; -+ } - - /* need physical address of table to give to PMFW */ - clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, - DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), - &clk_mgr->wm_range_table_addr); -+ if (!clk_mgr->wm_range_table) { -+ BREAK_TO_DEBUGGER(); -+ return; -+ } - } - - void dcn3_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) -diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c -index e506e4f969ca9..dda1173be35ea 100644 ---- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c -+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c -@@ -1208,11 +1208,19 @@ void dcn32_clk_mgr_construct( - clk_mgr->smu_present = false; - - clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); -+ if (!clk_mgr->base.bw_params) { -+ BREAK_TO_DEBUGGER(); -+ return; -+ } - - /* need physical address of table to give to PMFW */ - clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, - DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), - &clk_mgr->wm_range_table_addr); -+ if (!clk_mgr->wm_range_table) { -+ BREAK_TO_DEBUGGER(); -+ return; -+ } - } - - void dcn32_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c -index ecc477ef8e3b7..b427a98066c11 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c -@@ -2050,6 +2050,9 @@ bool dcn30_validate_bandwidth(struct dc *dc, - - BW_VAL_TRACE_COUNT(); - -+ if (!pipes) -+ goto validate_fail; -+ - DC_FP_START(); - out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); - DC_FP_END(); -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c -index 2fb1d00ff9654..f38de5391176f 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c -@@ -1311,6 +1311,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, - &hpo_dp_link_enc_regs[inst], -@@ -1767,6 +1769,9 @@ bool dcn31_validate_bandwidth(struct dc *dc, - - BW_VAL_TRACE_COUNT(); - -+ if (!pipes) -+ goto validate_fail; -+ - DC_FP_START(); - out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); - DC_FP_END(); -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c -index c97391edb5ff7..2791fc45bb8c7 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c -@@ -1384,6 +1384,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, - &hpo_dp_link_enc_regs[inst], -@@ -1744,6 +1746,9 @@ bool dcn314_validate_bandwidth(struct dc *dc, - - BW_VAL_TRACE_COUNT(); - -+ if (!pipes) -+ goto validate_fail; -+ - if (filter_modes_for_single_channel_workaround(dc, context)) - goto validate_fail; - -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c -index 515ba435f759c..4ce0f4bf1d9bb 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c -@@ -1309,6 +1309,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, - &hpo_dp_link_enc_regs[inst], -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c -index b9753d4606f89..efa5627b0c50a 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c -@@ -1306,6 +1306,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, - &hpo_dp_link_enc_regs[inst], -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c -index ce1754cc1f463..1f5a91b764828 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c -@@ -1304,6 +1304,8 @@ static struct hpo_dp_link_encoder *dcn32_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - #undef REG_STRUCT - #define REG_STRUCT hpo_dp_link_enc_regs -@@ -1751,6 +1753,9 @@ static bool dml1_validate(struct dc *dc, struct dc_state *context, bool fast_val - - BW_VAL_TRACE_COUNT(); - -+ if (!pipes) -+ goto validate_fail; -+ - DC_FP_START(); - out = dcn32_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate); - DC_FP_END(); -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c -index 296a0a8e71459..e83d340ed6260 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c -@@ -1288,6 +1288,8 @@ static struct hpo_dp_link_encoder *dcn321_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - #undef REG_STRUCT - #define REG_STRUCT hpo_dp_link_enc_regs -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c -index 5d52853cac96a..cf0cb5cf4b5b2 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c -@@ -1368,6 +1368,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - #undef REG_STRUCT - #define REG_STRUCT hpo_dp_link_enc_regs -diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c -index 909e14261f9b4..116b59123199f 100644 ---- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c -@@ -1348,6 +1348,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create( - - /* allocate HPO link encoder */ - hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); -+ if (!hpo_dp_enc31) -+ return NULL; /* out of memory */ - - #undef REG_STRUCT - #define REG_STRUCT hpo_dp_link_enc_regs --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-assert-when-failing-to-find-index-by.patch b/queue-6.9/drm-amd-display-assert-when-failing-to-find-index-by.patch deleted file mode 100644 index f7f360ae04b..00000000000 --- a/queue-6.9/drm-amd-display-assert-when-failing-to-find-index-by.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 1b896e3682a95de51d7837819795a342e0026de0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 12:02:17 -0600 -Subject: drm/amd/display: ASSERT when failing to find index by plane/stream id - -From: Alex Hung - -[ Upstream commit 01eb50e53c1ce505bf449348d433181310288765 ] - -[WHY] -find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns -an array index and they return -1 when not found; however, -1 is not a -valid index number. - -[HOW] -When this happens, call ASSERT(), and return a positive number (which is -fewer than callers' array size) instead. - -This fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c -index a52c594e1ba4b..e1f1b5dd13203 100644 ---- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c -+++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c -@@ -88,7 +88,8 @@ static int find_disp_cfg_idx_by_plane_id(struct dml2_dml_to_dc_pipe_mapping *map - return i; - } - -- return -1; -+ ASSERT(false); -+ return __DML2_WRAPPER_MAX_STREAMS_PLANES__; - } - - static int find_disp_cfg_idx_by_stream_id(struct dml2_dml_to_dc_pipe_mapping *mapping, unsigned int stream_id) -@@ -100,7 +101,8 @@ static int find_disp_cfg_idx_by_stream_id(struct dml2_dml_to_dc_pipe_mapping *ma - return i; - } - -- return -1; -+ ASSERT(false); -+ return __DML2_WRAPPER_MAX_STREAMS_PLANES__; - } - - // The master pipe of a stream is defined as the top pipe in odm slice 0 --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-check-index-msg_id-before-read-or-wr.patch b/queue-6.9/drm-amd-display-check-index-msg_id-before-read-or-wr.patch deleted file mode 100644 index 6ef316cadef..00000000000 --- a/queue-6.9/drm-amd-display-check-index-msg_id-before-read-or-wr.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 46bedd3686c547711bf8870f1d29c81e56a4dfca Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 13:27:43 -0600 -Subject: drm/amd/display: Check index msg_id before read or write - -From: Alex Hung - -[ Upstream commit 59d99deb330af206a4541db0c4da8f73880fba03 ] - -[WHAT] -msg_id is used as an array index and it cannot be a negative value, and -therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1). - -[HOW] -Check whether msg_id is valid before reading and setting. - -This fixes 4 OVERRUN issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -index f7b5583ee609a..8e9caae7c9559 100644 ---- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -@@ -156,6 +156,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, - uint32_t cur_size = 0; - uint32_t data_offset = 0; - -+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { -+ return MOD_HDCP_STATUS_DDC_FAILURE; -+ } -+ - if (is_dp_hdcp(hdcp)) { - while (buf_len > 0) { - cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); -@@ -215,6 +219,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, - uint32_t cur_size = 0; - uint32_t data_offset = 0; - -+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { -+ return MOD_HDCP_STATUS_DDC_FAILURE; -+ } -+ - if (is_dp_hdcp(hdcp)) { - while (buf_len > 0) { - cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-check-pipe-offset-before-setting-vbl.patch b/queue-6.9/drm-amd-display-check-pipe-offset-before-setting-vbl.patch deleted file mode 100644 index 67f101a8a2d..00000000000 --- a/queue-6.9/drm-amd-display-check-pipe-offset-before-setting-vbl.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a2efef7c29643b7c10a2348d15d26be9c67f4921 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 18:07:17 -0600 -Subject: drm/amd/display: Check pipe offset before setting vblank - -From: Alex Hung - -[ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ] - -pipe_ctx has a size of MAX_PIPES so checking its index before accessing -the array. - -This fixes an OVERRUN issue reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - .../drm/amd/display/dc/irq/dce110/irq_service_dce110.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -index 1c0d89e675da5..bb576a9c5fdbd 100644 ---- a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -+++ b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service, - info->ext_id); - uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK; - -- struct timing_generator *tg = -- dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; -+ struct timing_generator *tg; -+ -+ if (pipe_offset >= MAX_PIPES) -+ return false; -+ -+ tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; - - if (enable) { - if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) { --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-do-not-return-negative-stream-id-for.patch b/queue-6.9/drm-amd-display-do-not-return-negative-stream-id-for.patch deleted file mode 100644 index 44d960ef492..00000000000 --- a/queue-6.9/drm-amd-display-do-not-return-negative-stream-id-for.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 10a075d25dd3bfc84be145a9b6f8b643ec1cd924 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 13:43:14 -0600 -Subject: drm/amd/display: Do not return negative stream id for array - -From: Alex Hung - -[ Upstream commit 3ac31c9a707dd1c7c890b95333182f955e9dcb57 ] - -[WHY] -resource_stream_to_stream_idx returns an array index and it return -1 -when not found; however, -1 is not a valid array index number. - -[HOW] -When this happens, call ASSERT(), and return a zero instead. - -This fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -index d0bdfdf270ac9..ab598e1f088cf 100644 ---- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -@@ -2216,6 +2216,13 @@ static int resource_stream_to_stream_idx(struct dc_state *state, - stream_idx = i; - break; - } -+ -+ /* never return negative array index */ -+ if (stream_idx == -1) { -+ ASSERT(0); -+ return 0; -+ } -+ - return stream_idx; - } - --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-fix-overlapping-copy-within-dml_core.patch b/queue-6.9/drm-amd-display-fix-overlapping-copy-within-dml_core.patch deleted file mode 100644 index 44204862278..00000000000 --- a/queue-6.9/drm-amd-display-fix-overlapping-copy-within-dml_core.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 7a353aa09c0959d1bd7559054e2a7d96a2b780a2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 10:57:37 -0400 -Subject: drm/amd/display: Fix overlapping copy within - dml_core_mode_programming - -From: Hersen Wu - -[ Upstream commit f1fd8a0a54e6d23a6d16ee29159f247862460fd1 ] - -[WHY] -&mode_lib->mp.Watermark and &locals->Watermark are -the same address. memcpy may lead to unexpected behavior. - -[HOW] -memmove should be used. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Reviewed-by: Alex Hung -Signed-off-by: Hersen Wu -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c -index 9be5ebf3a8c0b..79cd4c4790439 100644 ---- a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c -+++ b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c -@@ -9460,8 +9460,10 @@ void dml_core_mode_programming(struct display_mode_lib_st *mode_lib, const struc - - /* Copy the calculated watermarks to mp.Watermark as the getter functions are - * implemented by the DML team to copy the calculated values from the mp.Watermark interface. -+ * &mode_lib->mp.Watermark and &locals->Watermark are the same address, memcpy may lead to -+ * unexpected behavior. memmove should be used. - */ -- memcpy(&mode_lib->mp.Watermark, CalculateWatermarks_params->Watermark, sizeof(struct Watermarks)); -+ memmove(&mode_lib->mp.Watermark, CalculateWatermarks_params->Watermark, sizeof(struct Watermarks)); - - for (k = 0; k < mode_lib->ms.num_active_planes; ++k) { - if (mode_lib->ms.cache_display_cfg.writeback.WritebackEnable[k] == true) { --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-fix-uninitialized-variables-in-dm.patch b/queue-6.9/drm-amd-display-fix-uninitialized-variables-in-dm.patch deleted file mode 100644 index 69b7432653a..00000000000 --- a/queue-6.9/drm-amd-display-fix-uninitialized-variables-in-dm.patch +++ /dev/null @@ -1,86 +0,0 @@ -From e6117b99bc86cdda150e4da8d87f87e428719301 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Apr 2024 19:02:56 -0600 -Subject: drm/amd/display: Fix uninitialized variables in DM - -From: Alex Hung - -[ Upstream commit f95bcb041f213a5da3da5fcaf73269bd13dba945 ] - -This fixes 11 UNINIT issues reported by Coverity. - -Reviewed-by: Hersen Wu -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++---- - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 4 ++-- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -index f866a02f4f489..2152e40ee1c27 100644 ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -@@ -274,7 +274,7 @@ static u32 dm_vblank_get_counter(struct amdgpu_device *adev, int crtc) - static int dm_crtc_get_scanoutpos(struct amdgpu_device *adev, int crtc, - u32 *vbl, u32 *position) - { -- u32 v_blank_start, v_blank_end, h_position, v_position; -+ u32 v_blank_start = 0, v_blank_end = 0, h_position = 0, v_position = 0; - struct amdgpu_crtc *acrtc = NULL; - struct dc *dc = adev->dm.dc; - -@@ -848,7 +848,7 @@ static void dm_handle_hpd_work(struct work_struct *work) - */ - static void dm_dmub_outbox1_low_irq(void *interrupt_params) - { -- struct dmub_notification notify; -+ struct dmub_notification notify = {0}; - struct common_irq_params *irq_params = interrupt_params; - struct amdgpu_device *adev = irq_params->adev; - struct amdgpu_display_manager *dm = &adev->dm; -@@ -7192,7 +7192,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state, - struct amdgpu_dm_connector *aconnector; - struct dm_connector_state *dm_conn_state; - int i, j, ret; -- int vcpi, pbn_div, pbn, slot_num = 0; -+ int vcpi, pbn_div, pbn = 0, slot_num = 0; - - for_each_new_connector_in_state(state, connector, new_con_state, i) { - -@@ -10595,7 +10595,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, - struct dm_crtc_state *dm_old_crtc_state, *dm_new_crtc_state; - struct drm_dp_mst_topology_mgr *mgr; - struct drm_dp_mst_topology_state *mst_state; -- struct dsc_mst_fairness_vars vars[MAX_PIPES]; -+ struct dsc_mst_fairness_vars vars[MAX_PIPES] = {0}; - - trace_amdgpu_dm_atomic_check_begin(state); - -diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -index c7715a17f388b..4d7a5d470b1ea 100644 ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -@@ -1249,7 +1249,7 @@ static ssize_t dp_sdp_message_debugfs_write(struct file *f, const char __user *b - size_t size, loff_t *pos) - { - int r; -- uint8_t data[36]; -+ uint8_t data[36] = {0}; - struct amdgpu_dm_connector *connector = file_inode(f)->i_private; - struct dm_crtc_state *acrtc_state; - uint32_t write_size = 36; -@@ -2960,7 +2960,7 @@ static int psr_read_residency(void *data, u64 *val) - { - struct amdgpu_dm_connector *connector = data; - struct dc_link *link = connector->dc_link; -- u32 residency; -+ u32 residency = 0; - - link->dc->link_srv->edp_get_psr_residency(link, &residency); - --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-skip-finding-free-audio-for-unknown-.patch b/queue-6.9/drm-amd-display-skip-finding-free-audio-for-unknown-.patch deleted file mode 100644 index 6cd7909d359..00000000000 --- a/queue-6.9/drm-amd-display-skip-finding-free-audio-for-unknown-.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 34ad20100d711bd63d4d378066a02233c1d3566e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 13:52:27 -0600 -Subject: drm/amd/display: Skip finding free audio for unknown engine_id - -From: Alex Hung - -[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ] - -[WHY] -ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it -also means it is uninitialized and does not need free audio. - -[HOW] -Skip and return NULL. - -This fixes 2 OVERRUN issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -index ec4bf9432bdb1..37a8e530cc951 100644 ---- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -@@ -3117,6 +3117,9 @@ static struct audio *find_first_free_audio( - { - int i, available_audio_count; - -+ if (id == ENGINE_ID_UNKNOWN) -+ return NULL; -+ - available_audio_count = pool->audio_count; - - for (i = 0; i < available_audio_count; i++) { --- -2.43.0 - diff --git a/queue-6.9/drm-amd-display-update-pipe-topology-log-to-support-.patch b/queue-6.9/drm-amd-display-update-pipe-topology-log-to-support-.patch deleted file mode 100644 index 49a82166951..00000000000 --- a/queue-6.9/drm-amd-display-update-pipe-topology-log-to-support-.patch +++ /dev/null @@ -1,167 +0,0 @@ -From 25523baf443a89ca345af9d4d841f23b27a76396 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Mar 2024 10:06:51 -0400 -Subject: drm/amd/display: update pipe topology log to support subvp - -From: Wenjing Liu - -[ Upstream commit 5db346c256bbacc634ff515a1a9202cd4b61d8c7 ] - -[why] -There is an ambiguity in subvp pipe topology log. The log doesn't show -subvp relation to main stream and it is not clear that certain stream -is an internal stream for subvp pipes. - -[how] -Separate subvp pipe topology logging from main pipe topology. Log main -stream indices instead of the internal stream for subvp pipes. -The following is a sample log showing 2 streams with subvp enabled on -both: - - pipe topology update - ________________________ -| plane0 slice0 stream0| -|DPP1----OPP1----OTG1----| -| plane0 slice0 stream1| -|DPP0----OPP0----OTG0----| -| (phantom pipes) | -| plane0 slice0 stream0| -|DPP3----OPP3----OTG3----| -| plane0 slice0 stream1| -|DPP2----OPP2----OTG2----| -|________________________| - -Reviewed-by: Alvin Lee -Acked-by: Roman Li -Signed-off-by: Wenjing Liu -Tested-by: Daniel Wheeler -Signed-off-by: Alex Deucher -Stable-dep-of: 3ac31c9a707d ("drm/amd/display: Do not return negative stream id for array") -Signed-off-by: Sasha Levin ---- - .../gpu/drm/amd/display/dc/core/dc_resource.c | 96 +++++++++++++------ - 1 file changed, 65 insertions(+), 31 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -index 37a8e530cc951..d0bdfdf270ac9 100644 ---- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -@@ -2168,50 +2168,84 @@ static void resource_log_pipe(struct dc *dc, struct pipe_ctx *pipe, - } - } - --void resource_log_pipe_topology_update(struct dc *dc, struct dc_state *state) -+static void resource_log_pipe_for_stream(struct dc *dc, struct dc_state *state, -+ struct pipe_ctx *otg_master, int stream_idx) - { -- struct pipe_ctx *otg_master; - struct pipe_ctx *opp_heads[MAX_PIPES]; - struct pipe_ctx *dpp_pipes[MAX_PIPES]; - -- int stream_idx, slice_idx, dpp_idx, plane_idx, slice_count, dpp_count; -+ int slice_idx, dpp_idx, plane_idx, slice_count, dpp_count; - bool is_primary; - DC_LOGGER_INIT(dc->ctx->logger); - -+ slice_count = resource_get_opp_heads_for_otg_master(otg_master, -+ &state->res_ctx, opp_heads); -+ for (slice_idx = 0; slice_idx < slice_count; slice_idx++) { -+ plane_idx = -1; -+ if (opp_heads[slice_idx]->plane_state) { -+ dpp_count = resource_get_dpp_pipes_for_opp_head( -+ opp_heads[slice_idx], -+ &state->res_ctx, -+ dpp_pipes); -+ for (dpp_idx = 0; dpp_idx < dpp_count; dpp_idx++) { -+ is_primary = !dpp_pipes[dpp_idx]->top_pipe || -+ dpp_pipes[dpp_idx]->top_pipe->plane_state != dpp_pipes[dpp_idx]->plane_state; -+ if (is_primary) -+ plane_idx++; -+ resource_log_pipe(dc, dpp_pipes[dpp_idx], -+ stream_idx, slice_idx, -+ plane_idx, slice_count, -+ is_primary); -+ } -+ } else { -+ resource_log_pipe(dc, opp_heads[slice_idx], -+ stream_idx, slice_idx, plane_idx, -+ slice_count, true); -+ } -+ -+ } -+} -+ -+static int resource_stream_to_stream_idx(struct dc_state *state, -+ struct dc_stream_state *stream) -+{ -+ int i, stream_idx = -1; -+ -+ for (i = 0; i < state->stream_count; i++) -+ if (state->streams[i] == stream) { -+ stream_idx = i; -+ break; -+ } -+ return stream_idx; -+} -+ -+void resource_log_pipe_topology_update(struct dc *dc, struct dc_state *state) -+{ -+ struct pipe_ctx *otg_master; -+ int stream_idx, phantom_stream_idx; -+ DC_LOGGER_INIT(dc->ctx->logger); -+ - DC_LOG_DC(" pipe topology update"); - DC_LOG_DC(" ________________________"); - for (stream_idx = 0; stream_idx < state->stream_count; stream_idx++) { -+ if (state->streams[stream_idx]->is_phantom) -+ continue; -+ - otg_master = resource_get_otg_master_for_stream( - &state->res_ctx, state->streams[stream_idx]); -- if (!otg_master || otg_master->stream_res.tg == NULL) { -- DC_LOG_DC("topology update: otg_master NULL stream_idx %d!\n", stream_idx); -- return; -- } -- slice_count = resource_get_opp_heads_for_otg_master(otg_master, -- &state->res_ctx, opp_heads); -- for (slice_idx = 0; slice_idx < slice_count; slice_idx++) { -- plane_idx = -1; -- if (opp_heads[slice_idx]->plane_state) { -- dpp_count = resource_get_dpp_pipes_for_opp_head( -- opp_heads[slice_idx], -- &state->res_ctx, -- dpp_pipes); -- for (dpp_idx = 0; dpp_idx < dpp_count; dpp_idx++) { -- is_primary = !dpp_pipes[dpp_idx]->top_pipe || -- dpp_pipes[dpp_idx]->top_pipe->plane_state != dpp_pipes[dpp_idx]->plane_state; -- if (is_primary) -- plane_idx++; -- resource_log_pipe(dc, dpp_pipes[dpp_idx], -- stream_idx, slice_idx, -- plane_idx, slice_count, -- is_primary); -- } -- } else { -- resource_log_pipe(dc, opp_heads[slice_idx], -- stream_idx, slice_idx, plane_idx, -- slice_count, true); -- } -+ resource_log_pipe_for_stream(dc, state, otg_master, stream_idx); -+ } -+ if (state->phantom_stream_count > 0) { -+ DC_LOG_DC(" | (phantom pipes) |"); -+ for (stream_idx = 0; stream_idx < state->stream_count; stream_idx++) { -+ if (state->stream_status[stream_idx].mall_stream_config.type != SUBVP_MAIN) -+ continue; - -+ phantom_stream_idx = resource_stream_to_stream_idx(state, -+ state->stream_status[stream_idx].mall_stream_config.paired_stream); -+ otg_master = resource_get_otg_master_for_stream( -+ &state->res_ctx, state->streams[phantom_stream_idx]); -+ resource_log_pipe_for_stream(dc, state, otg_master, stream_idx); - } - } - DC_LOG_DC(" |________________________|\n"); --- -2.43.0 - diff --git a/queue-6.9/drm-amdgpu-fix-double-free-err_addr-pointer-warnings.patch b/queue-6.9/drm-amdgpu-fix-double-free-err_addr-pointer-warnings.patch deleted file mode 100644 index e18de4905b9..00000000000 --- a/queue-6.9/drm-amdgpu-fix-double-free-err_addr-pointer-warnings.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 6cec449a3847d9aeaa6e6b7bf86554ffdc122238 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 13:32:39 +0800 -Subject: drm/amdgpu: fix double free err_addr pointer warnings - -From: Bob Zhou - -[ Upstream commit 506c245f3f1cd989cb89811a7f06e04ff8813a0d ] - -In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages -will be run many times so that double free err_addr in some special case. -So set the err_addr to NULL to avoid the warnings. - -Signed-off-by: Bob Zhou -Acked-by: Alex Deucher -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c -index 20436f81856ad..6f7451e3ee87e 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c -@@ -170,6 +170,7 @@ static void amdgpu_umc_handle_bad_pages(struct amdgpu_device *adev, - } - - kfree(err_data->err_addr); -+ err_data->err_addr = NULL; - - mutex_unlock(&con->page_retirement_lock); - } --- -2.43.0 - diff --git a/queue-6.9/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch b/queue-6.9/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch deleted file mode 100644 index 1befcac62f8..00000000000 --- a/queue-6.9/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From f436040614dee230c9461118a558d3489ad1c549 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 25 Apr 2024 15:16:40 +0800 -Subject: drm/amdgpu: fix the warning about the expression (int)size - len - -From: Jesse Zhang - -[ Upstream commit ea686fef5489ef7a2450a9fdbcc732b837fb46a8 ] - -Converting size from size_t to int may overflow. -v2: keep reverse xmas tree order (Christian) - -Signed-off-by: Jesse Zhang -Reviewed-by: Alex Deucher -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c -index f5d0fa207a88b..b62ae3c91a9db 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c -@@ -2065,12 +2065,13 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f, - struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private; - char reg_offset[11]; - uint32_t *new = NULL, *tmp = NULL; -- int ret, i = 0, len = 0; -+ unsigned int len = 0; -+ int ret, i = 0; - - do { - memset(reg_offset, 0, 11); - if (copy_from_user(reg_offset, buf + len, -- min(10, ((int)size-len)))) { -+ min(10, (size-len)))) { - ret = -EFAULT; - goto error_free; - } --- -2.43.0 - diff --git a/queue-6.9/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch b/queue-6.9/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch deleted file mode 100644 index 641b11d5963..00000000000 --- a/queue-6.9/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch +++ /dev/null @@ -1,39 +0,0 @@ -From bfa29931198a43d5c728e15b4f83c5d01e39c6ac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 14:06:28 +0800 -Subject: drm/amdgpu: fix uninitialized scalar variable warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Tim Huang - -[ Upstream commit 9a5f15d2a29d06ce5bd50919da7221cda92afb69 ] - -Clear warning that uses uninitialized value fw_size. - -Signed-off-by: Tim Huang -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c -index 55d5508987ffe..1d955652f3ba6 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c -@@ -1206,7 +1206,8 @@ void amdgpu_gfx_cp_init_microcode(struct amdgpu_device *adev, - fw_size = le32_to_cpu(cp_hdr_v2_0->data_size_bytes); - break; - default: -- break; -+ dev_err(adev->dev, "Invalid ucode id %u\n", ucode_id); -+ return; - } - - if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) { --- -2.43.0 - diff --git a/queue-6.9/drm-amdgpu-fix-uninitialized-variable-warnings.patch b/queue-6.9/drm-amdgpu-fix-uninitialized-variable-warnings.patch deleted file mode 100644 index 1f41b1f9285..00000000000 --- a/queue-6.9/drm-amdgpu-fix-uninitialized-variable-warnings.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 1f1bd67b18122db385bcc31599b4092d178840e6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 14:47:52 +0800 -Subject: drm/amdgpu: Fix uninitialized variable warnings -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Ma Jun - -[ Upstream commit 60c448439f3b5db9431e13f7f361b4074d0e8594 ] - -return 0 to avoid returning an uninitialized variable r - -Signed-off-by: Ma Jun -Acked-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/aldebaran.c | 2 +- - drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/aldebaran.c b/drivers/gpu/drm/amd/amdgpu/aldebaran.c -index 576067d66bb9a..d0a8da67dc2a1 100644 ---- a/drivers/gpu/drm/amd/amdgpu/aldebaran.c -+++ b/drivers/gpu/drm/amd/amdgpu/aldebaran.c -@@ -97,7 +97,7 @@ static int aldebaran_mode2_suspend_ip(struct amdgpu_device *adev) - adev->ip_blocks[i].status.hw = false; - } - -- return r; -+ return 0; - } - - static int -diff --git a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c -index 93f6772d1b241..481217c32d853 100644 ---- a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c -+++ b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c -@@ -92,7 +92,7 @@ static int sienna_cichlid_mode2_suspend_ip(struct amdgpu_device *adev) - adev->ip_blocks[i].status.hw = false; - } - -- return r; -+ return 0; - } - - static int --- -2.43.0 - diff --git a/queue-6.9/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch b/queue-6.9/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch deleted file mode 100644 index cedfd117036..00000000000 --- a/queue-6.9/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 6476173d04aae6846d89f6274f8ef1f4481f435e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 10:07:51 +0800 -Subject: drm/amdgpu: Initialize timestamp for some legacy SOCs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Ma Jun - -[ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ] - -Initialize the interrupt timestamp for some legacy SOCs -to fix the coverity issue "Uninitialized scalar variable" - -Signed-off-by: Ma Jun -Suggested-by: Christian König -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -index 7e6d09730e6d3..665c63f552787 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -@@ -445,6 +445,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev, - - entry.ih = ih; - entry.iv_entry = (const uint32_t *)&ih->ring[ring_index]; -+ -+ /* -+ * timestamp is not supported on some legacy SOCs (cik, cz, iceland, -+ * si and tonga), so initialize timestamp and timestamp_src to 0 -+ */ -+ entry.timestamp = 0; -+ entry.timestamp_src = 0; -+ - amdgpu_ih_decode_iv(adev, &entry); - - trace_amdgpu_iv(ih - &adev->irq.ih, &entry); --- -2.43.0 - diff --git a/queue-6.9/drm-amdgpu-using-uninitialized-value-size-when-calli.patch b/queue-6.9/drm-amdgpu-using-uninitialized-value-size-when-calli.patch deleted file mode 100644 index 8033e735567..00000000000 --- a/queue-6.9/drm-amdgpu-using-uninitialized-value-size-when-calli.patch +++ /dev/null @@ -1,43 +0,0 @@ -From f4e8cc762ffa716a41a2304d278ee531f9ee18d6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Apr 2024 17:10:46 +0800 -Subject: drm/amdgpu: Using uninitialized value *size when calling - amdgpu_vce_cs_reloc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Jesse Zhang - -[ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ] - -Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. -V2: To really improve the handling we would actually - need to have a separate value of 0xffffffff.(Christian) - -Signed-off-by: Jesse Zhang -Suggested-by: Christian König -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c -index 59acf424a078f..968ca2c84ef7e 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c -@@ -743,7 +743,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, - uint32_t created = 0; - uint32_t allocated = 0; - uint32_t tmp, handle = 0; -- uint32_t *size = &tmp; -+ uint32_t dummy = 0xffffffff; -+ uint32_t *size = &dummy; - unsigned int idx; - int i, r = 0; - --- -2.43.0 - diff --git a/queue-6.9/drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch b/queue-6.9/drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch deleted file mode 100644 index f8f037d3f4d..00000000000 --- a/queue-6.9/drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 140cfdb5925ec9d0ba45c84da0af821839109852 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 22:19:51 +0200 -Subject: drm/i915: Fix gt reset with GuC submission is disabled - -From: Nirmoy Das - -[ Upstream commit 4d3421e04c5dc38baf15224c051256204f223c15 ] - -Currently intel_gt_reset() kills the GuC and then resets requested -engines. This is problematic because there is a dedicated CSB FIFO -which only GuC can access and if that FIFO fills up, the hardware -will block on the next context switch until there is space that means -the system is effectively hung. If an engine is reset whilst actively -executing a context, a CSB entry will be sent to say that the context -has gone idle. Thus if reset happens on a very busy system then -killing GuC before killing the engines will lead to deadlock because -of filled up CSB FIFO. - -To address this issue, the GuC should be killed only after resetting -the requested engines and before calling intel_gt_init_hw(). - -v2: Improve commit message(John) - -Cc: John Harrison -Signed-off-by: Nirmoy Das -Reviewed-by: John Harrison -Reviewed-by: Andi Shyti -Signed-off-by: Andi Shyti -Link: https://patchwork.freedesktop.org/patch/msgid/20240422201951.633-2-nirmoy.das@intel.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/i915/gt/intel_reset.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/i915/gt/intel_reset.c b/drivers/gpu/drm/i915/gt/intel_reset.c -index c8e9aa41fdeac..4b04b9a295846 100644 ---- a/drivers/gpu/drm/i915/gt/intel_reset.c -+++ b/drivers/gpu/drm/i915/gt/intel_reset.c -@@ -879,8 +879,17 @@ static intel_engine_mask_t reset_prepare(struct intel_gt *gt) - intel_engine_mask_t awake = 0; - enum intel_engine_id id; - -- /* For GuC mode, ensure submission is disabled before stopping ring */ -- intel_uc_reset_prepare(>->uc); -+ /** -+ * For GuC mode with submission enabled, ensure submission -+ * is disabled before stopping ring. -+ * -+ * For GuC mode with submission disabled, ensure that GuC is not -+ * sanitized, do that after engine reset. reset_prepare() -+ * is followed by engine reset which in this mode requires GuC to -+ * process any CSB FIFO entries generated by the resets. -+ */ -+ if (intel_uc_uses_guc_submission(>->uc)) -+ intel_uc_reset_prepare(>->uc); - - for_each_engine(engine, gt, id) { - if (intel_engine_pm_get_if_awake(engine)) -@@ -1227,6 +1236,9 @@ void intel_gt_reset(struct intel_gt *gt, - - intel_overlay_reset(gt->i915); - -+ /* sanitize uC after engine reset */ -+ if (!intel_uc_uses_guc_submission(>->uc)) -+ intel_uc_reset_prepare(>->uc); - /* - * Next we need to restore the context, but we don't use those - * yet either... --- -2.43.0 - diff --git a/queue-6.9/drm-lima-fix-shared-irq-handling-on-driver-remove.patch b/queue-6.9/drm-lima-fix-shared-irq-handling-on-driver-remove.patch deleted file mode 100644 index e211d0fc283..00000000000 --- a/queue-6.9/drm-lima-fix-shared-irq-handling-on-driver-remove.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 57b952fa323b63b42116a5e994c9704a99f17a63 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Apr 2024 00:43:28 +0200 -Subject: drm/lima: fix shared irq handling on driver remove - -From: Erico Nunes - -[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ] - -lima uses a shared interrupt, so the interrupt handlers must be prepared -to be called at any time. At driver removal time, the clocks are -disabled early and the interrupts stay registered until the very end of -the remove process due to the devm usage. -This is potentially a bug as the interrupts access device registers -which assumes clocks are enabled. A crash can be triggered by removing -the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled. -This patch frees the interrupts at each lima device finishing callback -so that the handlers are already unregistered by the time we fully -disable clocks. - -Signed-off-by: Erico Nunes -Signed-off-by: Qiang Yu -Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/lima/lima_gp.c | 2 ++ - drivers/gpu/drm/lima/lima_mmu.c | 5 +++++ - drivers/gpu/drm/lima/lima_pp.c | 4 ++++ - 3 files changed, 11 insertions(+) - -diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c -index e15295071533b..3282997a0358d 100644 ---- a/drivers/gpu/drm/lima/lima_gp.c -+++ b/drivers/gpu/drm/lima/lima_gp.c -@@ -345,7 +345,9 @@ int lima_gp_init(struct lima_ip *ip) - - void lima_gp_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - int lima_gp_pipe_init(struct lima_device *dev) -diff --git a/drivers/gpu/drm/lima/lima_mmu.c b/drivers/gpu/drm/lima/lima_mmu.c -index e18317c5ca8c1..6611e2836bf0d 100644 ---- a/drivers/gpu/drm/lima/lima_mmu.c -+++ b/drivers/gpu/drm/lima/lima_mmu.c -@@ -118,7 +118,12 @@ int lima_mmu_init(struct lima_ip *ip) - - void lima_mmu_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; -+ -+ if (ip->id == lima_ip_ppmmu_bcast) -+ return; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - void lima_mmu_flush_tlb(struct lima_ip *ip) -diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c -index a4a2ffe6527c2..eaab4788dff49 100644 ---- a/drivers/gpu/drm/lima/lima_pp.c -+++ b/drivers/gpu/drm/lima/lima_pp.c -@@ -286,7 +286,9 @@ int lima_pp_init(struct lima_ip *ip) - - void lima_pp_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - int lima_pp_bcast_resume(struct lima_ip *ip) -@@ -319,7 +321,9 @@ int lima_pp_bcast_init(struct lima_ip *ip) - - void lima_pp_bcast_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - static int lima_pp_task_validate(struct lima_sched_pipe *pipe, --- -2.43.0 - diff --git a/queue-6.9/drm-xe-add-outer-runtime_pm-protection-to-xe_live_kt.patch b/queue-6.9/drm-xe-add-outer-runtime_pm-protection-to-xe_live_kt.patch deleted file mode 100644 index c33547518b9..00000000000 --- a/queue-6.9/drm-xe-add-outer-runtime_pm-protection-to-xe_live_kt.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 9e8db88dae57d179bca6fe67a508efd170a79a15 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Apr 2024 16:39:52 -0400 -Subject: drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf - -From: Rodrigo Vivi - -[ Upstream commit f9116f658a6217b101e3b4e89f845775b6fb05d9 ] - -Any kunit doing any memory access should get their own runtime_pm -outer references since they don't use the standard driver API -entries. In special this dma_buf from the same driver. - -Found by pre-merge CI on adding WARN calls for unprotected -inner callers: - -<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver -<4> [318.639957] ------------[ cut here ]------------ -<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection -<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe] - -Cc: Matthew Auld -Cc: Francois Dugast -Reviewed-by: Matthew Brost -Link: https://patchwork.freedesktop.org/patch/msgid/20240417203952.25503-10-rodrigo.vivi@intel.com -Signed-off-by: Rodrigo Vivi -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/xe/tests/xe_dma_buf.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/gpu/drm/xe/tests/xe_dma_buf.c b/drivers/gpu/drm/xe/tests/xe_dma_buf.c -index 9f6d571d7fa9c..a3d2dd42adf96 100644 ---- a/drivers/gpu/drm/xe/tests/xe_dma_buf.c -+++ b/drivers/gpu/drm/xe/tests/xe_dma_buf.c -@@ -12,6 +12,7 @@ - #include "tests/xe_pci_test.h" - - #include "xe_pci.h" -+#include "xe_pm.h" - - static bool p2p_enabled(struct dma_buf_test_params *params) - { -@@ -259,6 +260,7 @@ static int dma_buf_run_device(struct xe_device *xe) - const struct dma_buf_test_params *params; - struct kunit *test = xe_cur_kunit(); - -+ xe_pm_runtime_get(xe); - for (params = test_params; params->mem_mask; ++params) { - struct dma_buf_test_params p = *params; - -@@ -266,6 +268,7 @@ static int dma_buf_run_device(struct xe_device *xe) - test->priv = &p; - xe_test_dmabuf_import_same_driver(xe); - } -+ xe_pm_runtime_put(xe); - - /* A non-zero return would halt iteration over driver devices */ - return 0; --- -2.43.0 - diff --git a/queue-6.9/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch b/queue-6.9/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch deleted file mode 100644 index 8b075a315a8..00000000000 --- a/queue-6.9/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch +++ /dev/null @@ -1,142 +0,0 @@ -From c8f7b65ea26c37a31466693378eb104f280b2974 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 11:38:47 +0800 -Subject: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - -From: Chao Yu - -[ Upstream commit 4ed886b187f47447ad559619c48c086f432d2b77 ] - -- It missed to check validation of fault attrs in parse_options(), -let's fix to add check condition in f2fs_build_fault_attr(). -- Use f2fs_build_fault_attr() in __sbi_store() to clean up code. - -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim -Signed-off-by: Sasha Levin ---- - fs/f2fs/f2fs.h | 12 ++++++++---- - fs/f2fs/super.c | 27 ++++++++++++++++++++------- - fs/f2fs/sysfs.c | 14 ++++++++++---- - 3 files changed, 38 insertions(+), 15 deletions(-) - -diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h -index 07b3675ea1694..f5adb9942c4c4 100644 ---- a/fs/f2fs/f2fs.h -+++ b/fs/f2fs/f2fs.h -@@ -72,7 +72,7 @@ enum { - - struct f2fs_fault_info { - atomic_t inject_ops; -- unsigned int inject_rate; -+ int inject_rate; - unsigned int inject_type; - }; - -@@ -4597,10 +4597,14 @@ static inline bool f2fs_need_verity(const struct inode *inode, pgoff_t idx) - } - - #ifdef CONFIG_F2FS_FAULT_INJECTION --extern void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate, -- unsigned int type); -+extern int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, -+ unsigned long type); - #else --#define f2fs_build_fault_attr(sbi, rate, type) do { } while (0) -+static int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, -+ unsigned long type) -+{ -+ return 0; -+} - #endif - - static inline bool is_journalled_quota(struct f2fs_sb_info *sbi) -diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 2f75a7dfc311d..0c3ebe4d9026d 100644 ---- a/fs/f2fs/super.c -+++ b/fs/f2fs/super.c -@@ -66,21 +66,31 @@ const char *f2fs_fault_name[FAULT_MAX] = { - [FAULT_NO_SEGMENT] = "no free segment", - }; - --void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate, -- unsigned int type) -+int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, -+ unsigned long type) - { - struct f2fs_fault_info *ffi = &F2FS_OPTION(sbi).fault_info; - - if (rate) { -+ if (rate > INT_MAX) -+ return -EINVAL; - atomic_set(&ffi->inject_ops, 0); -- ffi->inject_rate = rate; -+ ffi->inject_rate = (int)rate; - } - -- if (type) -- ffi->inject_type = type; -+ if (type) { -+ if (type >= BIT(FAULT_MAX)) -+ return -EINVAL; -+ ffi->inject_type = (unsigned int)type; -+ } - - if (!rate && !type) - memset(ffi, 0, sizeof(struct f2fs_fault_info)); -+ else -+ f2fs_info(sbi, -+ "build fault injection attr: rate: %lu, type: 0x%lx", -+ rate, type); -+ return 0; - } - #endif - -@@ -886,14 +896,17 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) - case Opt_fault_injection: - if (args->from && match_int(args, &arg)) - return -EINVAL; -- f2fs_build_fault_attr(sbi, arg, F2FS_ALL_FAULT_TYPE); -+ if (f2fs_build_fault_attr(sbi, arg, -+ F2FS_ALL_FAULT_TYPE)) -+ return -EINVAL; - set_opt(sbi, FAULT_INJECTION); - break; - - case Opt_fault_type: - if (args->from && match_int(args, &arg)) - return -EINVAL; -- f2fs_build_fault_attr(sbi, 0, arg); -+ if (f2fs_build_fault_attr(sbi, 0, arg)) -+ return -EINVAL; - set_opt(sbi, FAULT_INJECTION); - break; - #else -diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c -index a568ce96cf563..7aa3844e7a808 100644 ---- a/fs/f2fs/sysfs.c -+++ b/fs/f2fs/sysfs.c -@@ -484,10 +484,16 @@ static ssize_t __sbi_store(struct f2fs_attr *a, - if (ret < 0) - return ret; - #ifdef CONFIG_F2FS_FAULT_INJECTION -- if (a->struct_type == FAULT_INFO_TYPE && t >= BIT(FAULT_MAX)) -- return -EINVAL; -- if (a->struct_type == FAULT_INFO_RATE && t >= UINT_MAX) -- return -EINVAL; -+ if (a->struct_type == FAULT_INFO_TYPE) { -+ if (f2fs_build_fault_attr(sbi, 0, t)) -+ return -EINVAL; -+ return count; -+ } -+ if (a->struct_type == FAULT_INFO_RATE) { -+ if (f2fs_build_fault_attr(sbi, t, 0)) -+ return -EINVAL; -+ return count; -+ } - #endif - if (a->struct_type == RESERVED_BLOCKS) { - spin_lock(&sbi->stat_lock); --- -2.43.0 - diff --git a/queue-6.9/firmware-dmi-stop-decoding-on-broken-entry.patch b/queue-6.9/firmware-dmi-stop-decoding-on-broken-entry.patch deleted file mode 100644 index 0dfb785f9b4..00000000000 --- a/queue-6.9/firmware-dmi-stop-decoding-on-broken-entry.patch +++ /dev/null @@ -1,46 +0,0 @@ -From ed5aa8ef90f1ae4db7f8e3b7a958fff977108d03 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 18:29:32 +0200 -Subject: firmware: dmi: Stop decoding on broken entry - -From: Jean Delvare - -[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ] - -If a DMI table entry is shorter than 4 bytes, it is invalid. Due to -how DMI table parsing works, it is impossible to safely recover from -such an error, so we have to stop decoding the table. - -Signed-off-by: Jean Delvare -Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/ -Reviewed-by: Michael Kelley -Signed-off-by: Sasha Levin ---- - drivers/firmware/dmi_scan.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index 015c95a825d31..ac2a5d2d47463 100644 ---- a/drivers/firmware/dmi_scan.c -+++ b/drivers/firmware/dmi_scan.c -@@ -101,6 +101,17 @@ static void dmi_decode_table(u8 *buf, - (data - buf + sizeof(struct dmi_header)) <= dmi_len) { - const struct dmi_header *dm = (const struct dmi_header *)data; - -+ /* -+ * If a short entry is found (less than 4 bytes), not only it -+ * is invalid, but we cannot reliably locate the next entry. -+ */ -+ if (dm->length < sizeof(struct dmi_header)) { -+ pr_warn(FW_BUG -+ "Corrupted DMI table, offset %zd (only %d entries processed)\n", -+ data - buf, i); -+ break; -+ } -+ - /* - * We want to know the total length (formatted area and - * strings) before decoding to make sure we won't run off the --- -2.43.0 - diff --git a/queue-6.9/gve-account-for-stopped-queues-when-reading-nic-stat.patch b/queue-6.9/gve-account-for-stopped-queues-when-reading-nic-stat.patch deleted file mode 100644 index e707086d803..00000000000 --- a/queue-6.9/gve-account-for-stopped-queues-when-reading-nic-stat.patch +++ /dev/null @@ -1,146 +0,0 @@ -From c07c27b54e57eba9c50b917cb5914ed06f196085 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 May 2024 23:25:47 +0000 -Subject: gve: Account for stopped queues when reading NIC stats - -From: Shailend Chand - -[ Upstream commit af9bcf910b1f86244f39e15e701b2dc564b469a6 ] - -We now account for the fact that the NIC might send us stats for a -subset of queues. Without this change, gve_get_ethtool_stats might make -an invalid access on the priv->stats_report->stats array. - -Tested-by: Mina Almasry -Reviewed-by: Praveen Kaligineedi -Reviewed-by: Harshitha Ramamurthy -Signed-off-by: Shailend Chand -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/google/gve/gve_ethtool.c | 41 ++++++++++++++++--- - 1 file changed, 35 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c -index 9aebfb843d9d1..ae90c09c56a89 100644 ---- a/drivers/net/ethernet/google/gve/gve_ethtool.c -+++ b/drivers/net/ethernet/google/gve/gve_ethtool.c -@@ -8,6 +8,7 @@ - #include "gve.h" - #include "gve_adminq.h" - #include "gve_dqo.h" -+#include "gve_utils.h" - - static void gve_get_drvinfo(struct net_device *netdev, - struct ethtool_drvinfo *info) -@@ -165,6 +166,8 @@ gve_get_ethtool_stats(struct net_device *netdev, - struct stats *report_stats; - int *rx_qid_to_stats_idx; - int *tx_qid_to_stats_idx; -+ int num_stopped_rxqs = 0; -+ int num_stopped_txqs = 0; - struct gve_priv *priv; - bool skip_nic_stats; - unsigned int start; -@@ -181,12 +184,23 @@ gve_get_ethtool_stats(struct net_device *netdev, - sizeof(int), GFP_KERNEL); - if (!rx_qid_to_stats_idx) - return; -+ for (ring = 0; ring < priv->rx_cfg.num_queues; ring++) { -+ rx_qid_to_stats_idx[ring] = -1; -+ if (!gve_rx_was_added_to_block(priv, ring)) -+ num_stopped_rxqs++; -+ } - tx_qid_to_stats_idx = kmalloc_array(num_tx_queues, - sizeof(int), GFP_KERNEL); - if (!tx_qid_to_stats_idx) { - kfree(rx_qid_to_stats_idx); - return; - } -+ for (ring = 0; ring < num_tx_queues; ring++) { -+ tx_qid_to_stats_idx[ring] = -1; -+ if (!gve_tx_was_added_to_block(priv, ring)) -+ num_stopped_txqs++; -+ } -+ - for (rx_pkts = 0, rx_bytes = 0, rx_hsplit_pkt = 0, - rx_skb_alloc_fail = 0, rx_buf_alloc_fail = 0, - rx_desc_err_dropped_pkt = 0, rx_hsplit_unsplit_pkt = 0, -@@ -260,7 +274,13 @@ gve_get_ethtool_stats(struct net_device *netdev, - /* For rx cross-reporting stats, start from nic rx stats in report */ - base_stats_idx = GVE_TX_STATS_REPORT_NUM * num_tx_queues + - GVE_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues; -- max_stats_idx = NIC_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues + -+ /* The boundary between driver stats and NIC stats shifts if there are -+ * stopped queues. -+ */ -+ base_stats_idx += NIC_RX_STATS_REPORT_NUM * num_stopped_rxqs + -+ NIC_TX_STATS_REPORT_NUM * num_stopped_txqs; -+ max_stats_idx = NIC_RX_STATS_REPORT_NUM * -+ (priv->rx_cfg.num_queues - num_stopped_rxqs) + - base_stats_idx; - /* Preprocess the stats report for rx, map queue id to start index */ - skip_nic_stats = false; -@@ -274,6 +294,10 @@ gve_get_ethtool_stats(struct net_device *netdev, - skip_nic_stats = true; - break; - } -+ if (queue_id < 0 || queue_id >= priv->rx_cfg.num_queues) { -+ net_err_ratelimited("Invalid rxq id in NIC stats\n"); -+ continue; -+ } - rx_qid_to_stats_idx[queue_id] = stats_idx; - } - /* walk RX rings */ -@@ -308,11 +332,11 @@ gve_get_ethtool_stats(struct net_device *netdev, - data[i++] = rx->rx_copybreak_pkt; - data[i++] = rx->rx_copied_pkt; - /* stats from NIC */ -- if (skip_nic_stats) { -+ stats_idx = rx_qid_to_stats_idx[ring]; -+ if (skip_nic_stats || stats_idx < 0) { - /* skip NIC rx stats */ - i += NIC_RX_STATS_REPORT_NUM; - } else { -- stats_idx = rx_qid_to_stats_idx[ring]; - for (j = 0; j < NIC_RX_STATS_REPORT_NUM; j++) { - u64 value = - be64_to_cpu(report_stats[stats_idx + j].value); -@@ -338,7 +362,8 @@ gve_get_ethtool_stats(struct net_device *netdev, - - /* For tx cross-reporting stats, start from nic tx stats in report */ - base_stats_idx = max_stats_idx; -- max_stats_idx = NIC_TX_STATS_REPORT_NUM * num_tx_queues + -+ max_stats_idx = NIC_TX_STATS_REPORT_NUM * -+ (num_tx_queues - num_stopped_txqs) + - max_stats_idx; - /* Preprocess the stats report for tx, map queue id to start index */ - skip_nic_stats = false; -@@ -352,6 +377,10 @@ gve_get_ethtool_stats(struct net_device *netdev, - skip_nic_stats = true; - break; - } -+ if (queue_id < 0 || queue_id >= num_tx_queues) { -+ net_err_ratelimited("Invalid txq id in NIC stats\n"); -+ continue; -+ } - tx_qid_to_stats_idx[queue_id] = stats_idx; - } - /* walk TX rings */ -@@ -383,11 +412,11 @@ gve_get_ethtool_stats(struct net_device *netdev, - data[i++] = gve_tx_load_event_counter(priv, tx); - data[i++] = tx->dma_mapping_error; - /* stats from NIC */ -- if (skip_nic_stats) { -+ stats_idx = tx_qid_to_stats_idx[ring]; -+ if (skip_nic_stats || stats_idx < 0) { - /* skip NIC tx stats */ - i += NIC_TX_STATS_REPORT_NUM; - } else { -- stats_idx = tx_qid_to_stats_idx[ring]; - for (j = 0; j < NIC_TX_STATS_REPORT_NUM; j++) { - u64 value = - be64_to_cpu(report_stats[stats_idx + j].value); --- -2.43.0 - diff --git a/queue-6.9/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch b/queue-6.9/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch deleted file mode 100644 index 1aa2a92fd29..00000000000 --- a/queue-6.9/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch +++ /dev/null @@ -1,35 +0,0 @@ -From a844c91ee52f5f6ad3771e7005ae637342465e67 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 12 Apr 2024 12:21:58 +0200 -Subject: i2c: i801: Annotate apanel_addr as __ro_after_init - -From: Heiner Kallweit - -[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ] - -Annotate this variable as __ro_after_init to protect it from being -overwritten later. - -Signed-off-by: Heiner Kallweit -Signed-off-by: Andi Shyti -Signed-off-by: Sasha Levin ---- - drivers/i2c/busses/i2c-i801.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c -index 79870dd7a0146..fafd999b4bcb2 100644 ---- a/drivers/i2c/busses/i2c-i801.c -+++ b/drivers/i2c/busses/i2c-i801.c -@@ -1059,7 +1059,7 @@ static const struct pci_device_id i801_ids[] = { - MODULE_DEVICE_TABLE(pci, i801_ids); - - #if defined CONFIG_X86 && defined CONFIG_DMI --static unsigned char apanel_addr; -+static unsigned char apanel_addr __ro_after_init; - - /* Scan the system ROM for the signature "FJKEYINF" */ - static __init const void __iomem *bios_signature(const void __iomem *bios) --- -2.43.0 - diff --git a/queue-6.9/ib-core-implement-a-limit-on-umad-receive-list.patch b/queue-6.9/ib-core-implement-a-limit-on-umad-receive-list.patch deleted file mode 100644 index 649560c2687..00000000000 --- a/queue-6.9/ib-core-implement-a-limit-on-umad-receive-list.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 310dad60ed3d64c8247b8b4ba83a954391d3b67f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 16 Apr 2024 15:01:44 +0300 -Subject: IB/core: Implement a limit on UMAD receive List - -From: Michael Guralnik - -[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ] - -The existing behavior of ib_umad, which maintains received MAD -packets in an unbounded list, poses a risk of uncontrolled growth. -As user-space applications extract packets from this list, the rate -of extraction may not match the rate of incoming packets, leading -to potential list overflow. - -To address this, we introduce a limit to the size of the list. After -considering typical scenarios, such as OpenSM processing, which can -handle approximately 100k packets per second, and the 1-second retry -timeout for most packets, we set the list size limit to 200k. Packets -received beyond this limit are dropped, assuming they are likely timed -out by the time they are handled by user-space. - -Notably, packets queued on the receive list due to reasons like -timed-out sends are preserved even when the list is full. - -Signed-off-by: Michael Guralnik -Reviewed-by: Mark Zhang -Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - -diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c -index f5feca7fa9b9c..2ed749f50a29f 100644 ---- a/drivers/infiniband/core/user_mad.c -+++ b/drivers/infiniband/core/user_mad.c -@@ -63,6 +63,8 @@ MODULE_AUTHOR("Roland Dreier"); - MODULE_DESCRIPTION("InfiniBand userspace MAD packet access"); - MODULE_LICENSE("Dual BSD/GPL"); - -+#define MAX_UMAD_RECV_LIST_SIZE 200000 -+ - enum { - IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS, - IB_UMAD_MAX_AGENTS = 32, -@@ -113,6 +115,7 @@ struct ib_umad_file { - struct mutex mutex; - struct ib_umad_port *port; - struct list_head recv_list; -+ atomic_t recv_list_size; - struct list_head send_list; - struct list_head port_list; - spinlock_t send_lock; -@@ -180,24 +183,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id) - return file->agents_dead ? NULL : file->agent[id]; - } - --static int queue_packet(struct ib_umad_file *file, -- struct ib_mad_agent *agent, -- struct ib_umad_packet *packet) -+static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent, -+ struct ib_umad_packet *packet, bool is_recv_mad) - { - int ret = 1; - - mutex_lock(&file->mutex); - -+ if (is_recv_mad && -+ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE) -+ goto unlock; -+ - for (packet->mad.hdr.id = 0; - packet->mad.hdr.id < IB_UMAD_MAX_AGENTS; - packet->mad.hdr.id++) - if (agent == __get_agent(file, packet->mad.hdr.id)) { - list_add_tail(&packet->list, &file->recv_list); -+ atomic_inc(&file->recv_list_size); - wake_up_interruptible(&file->recv_wait); - ret = 0; - break; - } -- -+unlock: - mutex_unlock(&file->mutex); - - return ret; -@@ -224,7 +231,7 @@ static void send_handler(struct ib_mad_agent *agent, - if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) { - packet->length = IB_MGMT_MAD_HDR; - packet->mad.hdr.status = ETIMEDOUT; -- if (!queue_packet(file, agent, packet)) -+ if (!queue_packet(file, agent, packet, false)) - return; - } - kfree(packet); -@@ -284,7 +291,7 @@ static void recv_handler(struct ib_mad_agent *agent, - rdma_destroy_ah_attr(&ah_attr); - } - -- if (queue_packet(file, agent, packet)) -+ if (queue_packet(file, agent, packet, true)) - goto err2; - return; - -@@ -409,6 +416,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, - - packet = list_entry(file->recv_list.next, struct ib_umad_packet, list); - list_del(&packet->list); -+ atomic_dec(&file->recv_list_size); - - mutex_unlock(&file->mutex); - -@@ -421,6 +429,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, - /* Requeue packet */ - mutex_lock(&file->mutex); - list_add(&packet->list, &file->recv_list); -+ atomic_inc(&file->recv_list_size); - mutex_unlock(&file->mutex); - } else { - if (packet->recv_wc) --- -2.43.0 - diff --git a/queue-6.9/igc-fix-a-log-entry-using-uninitialized-netdev.patch b/queue-6.9/igc-fix-a-log-entry-using-uninitialized-netdev.patch deleted file mode 100644 index b9c92ea5417..00000000000 --- a/queue-6.9/igc-fix-a-log-entry-using-uninitialized-netdev.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 12e6541b166fca2f0e697f69ae13810079785830 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 12:24:54 +0200 -Subject: igc: fix a log entry using uninitialized netdev - -From: Corinna Vinschen - -[ Upstream commit 86167183a17e03ec77198897975e9fdfbd53cb0b ] - -During successful probe, igc logs this: - -[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The reason is that igc_ptp_init() is called very early, even before -register_netdev() has been called. So the netdev_info() call works -on a partially uninitialized netdev. - -Fix this by calling igc_ptp_init() after register_netdev(), right -after the media autosense check, just as in igb. Add a comment, -just as in igb. - -Now the log message is fine: - -[ 5.200987] igc 0000:01:00.0 eth0: PHC added - -Signed-off-by: Corinna Vinschen -Reviewed-by: Hariprasad Kelam -Acked-by: Vinicius Costa Gomes -Tested-by: Naama Meir -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igc/igc_main.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index 58bc96021bb4c..07feb951be749 100644 ---- a/drivers/net/ethernet/intel/igc/igc_main.c -+++ b/drivers/net/ethernet/intel/igc/igc_main.c -@@ -6932,8 +6932,6 @@ static int igc_probe(struct pci_dev *pdev, - device_set_wakeup_enable(&adapter->pdev->dev, - adapter->flags & IGC_FLAG_WOL_SUPPORTED); - -- igc_ptp_init(adapter); -- - igc_tsn_clear_schedule(adapter); - - /* reset the hardware with the new settings */ -@@ -6955,6 +6953,9 @@ static int igc_probe(struct pci_dev *pdev, - /* Check if Media Autosense is enabled */ - adapter->ei = *ei; - -+ /* do hw tstamp init after resetting */ -+ igc_ptp_init(adapter); -+ - /* print pcie link status and MAC address */ - pcie_print_link_status(pdev); - netdev_info(netdev, "MAC: %pM\n", netdev->dev_addr); --- -2.43.0 - diff --git a/queue-6.9/input-ff-core-prefer-struct_size-over-open-coded-ari.patch b/queue-6.9/input-ff-core-prefer-struct_size-over-open-coded-ari.patch deleted file mode 100644 index 69b8349e221..00000000000 --- a/queue-6.9/input-ff-core-prefer-struct_size-over-open-coded-ari.patch +++ /dev/null @@ -1,73 +0,0 @@ -From c61a2db5579326987ddd4064e7f79613ae387544 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 Apr 2024 17:05:56 +0200 -Subject: Input: ff-core - prefer struct_size over open coded arithmetic - -From: Erick Archer - -[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ] - -This is an effort to get rid of all multiplications from allocation -functions in order to prevent integer overflows [1][2]. - -As the "ff" variable is a pointer to "struct ff_device" and this -structure ends in a flexible array: - -struct ff_device { - [...] - struct file *effect_owners[] __counted_by(max_effects); -}; - -the preferred way in the kernel is to use the struct_size() helper to -do the arithmetic instead of the calculation "size + count * size" in -the kzalloc() function. - -The struct_size() helper returns SIZE_MAX on overflow. So, refactor -the comparison to take advantage of this. - -This way, the code is more readable and safer. - -This code was detected with the help of Coccinelle, and audited and -modified manually. - -Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] -Link: https://github.com/KSPP/linux/issues/160 [2] -Signed-off-by: Erick Archer -Reviewed-by: Kees Cook -Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/ff-core.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c -index 16231fe080b00..609a5f01761bd 100644 ---- a/drivers/input/ff-core.c -+++ b/drivers/input/ff-core.c -@@ -9,8 +9,10 @@ - /* #define DEBUG */ - - #include -+#include - #include - #include -+#include - #include - #include - -@@ -315,9 +317,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects) - return -EINVAL; - } - -- ff_dev_size = sizeof(struct ff_device) + -- max_effects * sizeof(struct file *); -- if (ff_dev_size < max_effects) /* overflow */ -+ ff_dev_size = struct_size(ff, effect_owners, max_effects); -+ if (ff_dev_size == SIZE_MAX) /* overflow */ - return -EINVAL; - - ff = kzalloc(ff_dev_size, GFP_KERNEL); --- -2.43.0 - diff --git a/queue-6.9/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-6.9/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch deleted file mode 100644 index 40c57cdf649..00000000000 --- a/queue-6.9/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 165e2e832f661cd06ff3f87043318c308ac7e6c0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 14:10:53 +0800 -Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc - -From: Guanrui Huang - -[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ] - -This BUG_ON() is useless, because the same effect will be obtained -by letting the code run its course and vm being dereferenced, -triggering an exception. - -So just remove this check. - -Signed-off-by: Guanrui Huang -Signed-off-by: Thomas Gleixner -Reviewed-by: Zenghui Yu -Acked-by: Marc Zyngier -Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com -Signed-off-by: Sasha Levin ---- - drivers/irqchip/irq-gic-v3-its.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c -index 6dbac6ec778ee..33fa6b7f41c93 100644 ---- a/drivers/irqchip/irq-gic-v3-its.c -+++ b/drivers/irqchip/irq-gic-v3-its.c -@@ -4507,8 +4507,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq - struct page *vprop_page; - int base, nr_ids, i, err = 0; - -- BUG_ON(!vm); -- - bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); - if (!bitmap) - return -ENOMEM; --- -2.43.0 - diff --git a/queue-6.9/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch b/queue-6.9/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch deleted file mode 100644 index 2682d6be776..00000000000 --- a/queue-6.9/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch +++ /dev/null @@ -1,94 +0,0 @@ -From ab9fa85942c3c62a4af059971874863f80f2a49c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 15:00:46 +0800 -Subject: jffs2: Fix potential illegal address access in jffs2_free_inode - -From: Wang Yong - -[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ] - -During the stress testing of the jffs2 file system,the following -abnormal printouts were found: -[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 -[ 2430.649622] Mem abort info: -[ 2430.649829] ESR = 0x96000004 -[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits -[ 2430.650564] SET = 0, FnV = 0 -[ 2430.650795] EA = 0, S1PTW = 0 -[ 2430.651032] FSC = 0x04: level 0 translation fault -[ 2430.651446] Data abort info: -[ 2430.651683] ISV = 0, ISS = 0x00000004 -[ 2430.652001] CM = 0, WnR = 0 -[ 2430.652558] [0069696969696948] address between user and kernel address ranges -[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP -[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 -[ 2430.655008] Hardware name: linux,dummy-virt (DT) -[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) -[ 2430.656142] pc : kfree+0x78/0x348 -[ 2430.656630] lr : jffs2_free_inode+0x24/0x48 -[ 2430.657051] sp : ffff800009eebd10 -[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 -[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 -[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 -[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 -[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 -[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 -[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 -[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 -[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 -[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 -[ 2430.664217] Call trace: -[ 2430.664528] kfree+0x78/0x348 -[ 2430.664855] jffs2_free_inode+0x24/0x48 -[ 2430.665233] i_callback+0x24/0x50 -[ 2430.665528] rcu_do_batch+0x1ac/0x448 -[ 2430.665892] rcu_core+0x28c/0x3c8 -[ 2430.666151] rcu_core_si+0x18/0x28 -[ 2430.666473] __do_softirq+0x138/0x3cc -[ 2430.666781] irq_exit+0xf0/0x110 -[ 2430.667065] handle_domain_irq+0x6c/0x98 -[ 2430.667447] gic_handle_irq+0xac/0xe8 -[ 2430.667739] call_on_irq_stack+0x28/0x54 -The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of -the jffs_inode_info structure. It was found that all variables in the jffs_inode_info -structure were 5a5a5a5a, except for the first member sem. It is suspected that these -variables are not initialized because they were set to 5a5a5a5a during memory testing, -which is meant to detect uninitialized memory.The sem variable is initialized in the -function jffs2_i_init_once, while other members are initialized in -the function jffs2_init_inode_info. - -The function jffs2_init_inode_info is called after iget_locked, -but in the iget_locked function, the destroy_inode process is triggered, -which releases the inode and consequently, the target member of the inode -is not initialized.In concurrent high pressure scenarios, iget_locked -may enter the destroy_inode branch as described in the code. - -Since the destroy_inode functionality of jffs2 only releases the target, -the fix method is to set target to NULL in jffs2_i_init_once. - -Signed-off-by: Wang Yong -Reviewed-by: Lu Zhongjun -Reviewed-by: Yang Tao -Cc: Xu Xin -Cc: Yang Yang -Signed-off-by: Richard Weinberger -Signed-off-by: Sasha Levin ---- - fs/jffs2/super.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c -index aede1be4dc0cd..4545f885c41ef 100644 ---- a/fs/jffs2/super.c -+++ b/fs/jffs2/super.c -@@ -58,6 +58,7 @@ static void jffs2_i_init_once(void *foo) - struct jffs2_inode_info *f = foo; - - mutex_init(&f->sem); -+ f->target = NULL; - inode_init_once(&f->vfs_inode); - } - --- -2.43.0 - diff --git a/queue-6.9/kunit-fix-timeout-message.patch b/queue-6.9/kunit-fix-timeout-message.patch deleted file mode 100644 index 0b25d4e0c0d..00000000000 --- a/queue-6.9/kunit-fix-timeout-message.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 99f00ff82cdd1ce17c9da0762c98336656618578 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Apr 2024 09:46:21 +0200 -Subject: kunit: Fix timeout message -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Mickaël Salaün - -[ Upstream commit 53026ff63bb07c04a0e962a74723eb10ff6f9dc7 ] - -The exit code is always checked, so let's properly handle the -ETIMEDOUT -error code. - -Cc: Brendan Higgins -Cc: Shuah Khan -Reviewed-by: Kees Cook -Reviewed-by: David Gow -Reviewed-by: Rae Moar -Signed-off-by: Mickaël Salaün -Link: https://lore.kernel.org/r/20240408074625.65017-4-mic@digikod.net -Signed-off-by: Shuah Khan -Stable-dep-of: 3a35c13007de ("kunit: Handle test faults") -Signed-off-by: Sasha Levin ---- - lib/kunit/try-catch.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c -index d9d1df28cc52e..9c9e4dcf06d96 100644 ---- a/lib/kunit/try-catch.c -+++ b/lib/kunit/try-catch.c -@@ -78,7 +78,6 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - time_remaining = wait_for_completion_timeout(&try_completion, - kunit_test_timeout()); - if (time_remaining == 0) { -- kunit_err(test, "try timed out\n"); - try_catch->try_result = -ETIMEDOUT; - kthread_stop(task_struct); - } -@@ -93,6 +92,8 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - try_catch->try_result = 0; - else if (exit_code == -EINTR) - kunit_err(test, "wake_up_process() was never called\n"); -+ else if (exit_code == -ETIMEDOUT) -+ kunit_err(test, "try timed out\n"); - else if (exit_code) - kunit_err(test, "Unknown error: %d\n", exit_code); - --- -2.43.0 - diff --git a/queue-6.9/kunit-fortify-do-not-spam-logs-with-fortify-warns.patch b/queue-6.9/kunit-fortify-do-not-spam-logs-with-fortify-warns.patch deleted file mode 100644 index 37ed9ad9f15..00000000000 --- a/queue-6.9/kunit-fortify-do-not-spam-logs-with-fortify-warns.patch +++ /dev/null @@ -1,46 +0,0 @@ -From c66d6d1564c97a1713de1e0b8db3edb268c2bb75 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 12:43:40 -0700 -Subject: kunit/fortify: Do not spam logs with fortify WARNs - -From: Kees Cook - -[ Upstream commit 091f79e8de44736a1e677701d67334bba5b749e3 ] - -When running KUnit fortify tests, we're already doing precise tracking -of which warnings are getting hit. Don't fill the logs with WARNs unless -we've been explicitly built with DEBUG enabled. - -Link: https://lore.kernel.org/r/20240429194342.2421639-2-keescook@chromium.org -Signed-off-by: Kees Cook -Signed-off-by: Sasha Levin ---- - lib/fortify_kunit.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c -index fdba0eaf19a59..ad29721b956bc 100644 ---- a/lib/fortify_kunit.c -+++ b/lib/fortify_kunit.c -@@ -15,10 +15,17 @@ - */ - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt - -+/* We don't need to fill dmesg with the fortify WARNs during testing. */ -+#ifdef DEBUG -+# define FORTIFY_REPORT_KUNIT(x...) __fortify_report(x) -+#else -+# define FORTIFY_REPORT_KUNIT(x...) do { } while (0) -+#endif -+ - /* Redefine fortify_panic() to track failures. */ - void fortify_add_kunit_error(int write); - #define fortify_panic(func, write, avail, size, retfail) do { \ -- __fortify_report(FORTIFY_REASON(func, write), avail, size); \ -+ FORTIFY_REPORT_KUNIT(FORTIFY_REASON(func, write), avail, size); \ - fortify_add_kunit_error(write); \ - return (retfail); \ - } while (0) --- -2.43.0 - diff --git a/queue-6.9/kunit-handle-test-faults.patch b/queue-6.9/kunit-handle-test-faults.patch deleted file mode 100644 index 0cc529de1f8..00000000000 --- a/queue-6.9/kunit-handle-test-faults.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 51adb59ba989a2ac8ce80f5fb324f32f19303d89 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Apr 2024 09:46:22 +0200 -Subject: kunit: Handle test faults -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Mickaël Salaün - -[ Upstream commit 3a35c13007dea132a65f07de05c26b87837fadc2 ] - -Previously, when a kernel test thread crashed (e.g. NULL pointer -dereference, general protection fault), the KUnit test hanged for 30 -seconds and exited with a timeout error. - -Fix this issue by waiting on task_struct->vfork_done instead of the -custom kunit_try_catch.try_completion, and track the execution state by -initially setting try_result with -EINTR and only setting it to 0 if -the test passed. - -Fix kunit_generic_run_threadfn_adapter() signature by returning 0 -instead of calling kthread_complete_and_exit(). Because thread's exit -code is never checked, always set it to 0 to make it clear. To make -this explicit, export kthread_exit() for KUnit tests built as module. - -Fix the -EINTR error message, which couldn't be reached until now. - -This is tested with a following patch. - -Cc: Brendan Higgins -Cc: Eric W. Biederman -Cc: Shuah Khan -Reviewed-by: Kees Cook -Reviewed-by: David Gow -Tested-by: Rae Moar -Signed-off-by: Mickaël Salaün -Link: https://lore.kernel.org/r/20240408074625.65017-5-mic@digikod.net -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin ---- - include/kunit/try-catch.h | 3 --- - kernel/kthread.c | 1 + - lib/kunit/try-catch.c | 19 ++++++++++++------- - 3 files changed, 13 insertions(+), 10 deletions(-) - -diff --git a/include/kunit/try-catch.h b/include/kunit/try-catch.h -index c507dd43119d5..7c966a1adbd30 100644 ---- a/include/kunit/try-catch.h -+++ b/include/kunit/try-catch.h -@@ -14,13 +14,11 @@ - - typedef void (*kunit_try_catch_func_t)(void *); - --struct completion; - struct kunit; - - /** - * struct kunit_try_catch - provides a generic way to run code which might fail. - * @test: The test case that is currently being executed. -- * @try_completion: Completion that the control thread waits on while test runs. - * @try_result: Contains any errno obtained while running test case. - * @try: The function, the test case, to attempt to run. - * @catch: The function called if @try bails out. -@@ -46,7 +44,6 @@ struct kunit; - struct kunit_try_catch { - /* private: internal use only. */ - struct kunit *test; -- struct completion *try_completion; - int try_result; - kunit_try_catch_func_t try; - kunit_try_catch_func_t catch; -diff --git a/kernel/kthread.c b/kernel/kthread.c -index c5e40830c1f2d..f7be976ff88af 100644 ---- a/kernel/kthread.c -+++ b/kernel/kthread.c -@@ -315,6 +315,7 @@ void __noreturn kthread_exit(long result) - kthread->result = result; - do_exit(0); - } -+EXPORT_SYMBOL(kthread_exit); - - /** - * kthread_complete_and_exit - Exit the current kthread. -diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c -index 9c9e4dcf06d96..34d30a6f23054 100644 ---- a/lib/kunit/try-catch.c -+++ b/lib/kunit/try-catch.c -@@ -18,7 +18,7 @@ - void __noreturn kunit_try_catch_throw(struct kunit_try_catch *try_catch) - { - try_catch->try_result = -EFAULT; -- kthread_complete_and_exit(try_catch->try_completion, -EFAULT); -+ kthread_exit(0); - } - EXPORT_SYMBOL_GPL(kunit_try_catch_throw); - -@@ -26,9 +26,12 @@ static int kunit_generic_run_threadfn_adapter(void *data) - { - struct kunit_try_catch *try_catch = data; - -+ try_catch->try_result = -EINTR; - try_catch->try(try_catch->context); -+ if (try_catch->try_result == -EINTR) -+ try_catch->try_result = 0; - -- kthread_complete_and_exit(try_catch->try_completion, 0); -+ return 0; - } - - static unsigned long kunit_test_timeout(void) -@@ -58,13 +61,11 @@ static unsigned long kunit_test_timeout(void) - - void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - { -- DECLARE_COMPLETION_ONSTACK(try_completion); - struct kunit *test = try_catch->test; - struct task_struct *task_struct; - int exit_code, time_remaining; - - try_catch->context = context; -- try_catch->try_completion = &try_completion; - try_catch->try_result = 0; - task_struct = kthread_create(kunit_generic_run_threadfn_adapter, - try_catch, "kunit_try_catch_thread"); -@@ -74,8 +75,12 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - } - get_task_struct(task_struct); - wake_up_process(task_struct); -- -- time_remaining = wait_for_completion_timeout(&try_completion, -+ /* -+ * As for a vfork(2), task_struct->vfork_done (pointing to the -+ * underlying kthread->exited) can be used to wait for the end of a -+ * kernel thread. -+ */ -+ time_remaining = wait_for_completion_timeout(task_struct->vfork_done, - kunit_test_timeout()); - if (time_remaining == 0) { - try_catch->try_result = -ETIMEDOUT; -@@ -91,7 +96,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - if (exit_code == -EFAULT) - try_catch->try_result = 0; - else if (exit_code == -EINTR) -- kunit_err(test, "wake_up_process() was never called\n"); -+ kunit_err(test, "try faulted\n"); - else if (exit_code == -ETIMEDOUT) - kunit_err(test, "try timed out\n"); - else if (exit_code) --- -2.43.0 - diff --git a/queue-6.9/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch b/queue-6.9/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch deleted file mode 100644 index d7fad4fabd2..00000000000 --- a/queue-6.9/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch +++ /dev/null @@ -1,69 +0,0 @@ -From de7d6677d6f2a268dd8c42428315070a32bf0fc2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 19:10:32 +0300 -Subject: leds: an30259a: Use devm_mutex_init() for mutex initialization - -From: George Stark - -[ Upstream commit c382e2e3eccb6b7ca8c7aff5092c1668428e7de6 ] - -In this driver LEDs are registered using devm_led_classdev_register() -so they are automatically unregistered after module's remove() is done. -led_classdev_unregister() calls module's led_set_brightness() to turn off -the LEDs and that callback uses mutex which was destroyed already -in module's remove() so use devm API instead. - -Signed-off-by: George Stark -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20240411161032.609544-9-gnstark@salutedevices.com -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - drivers/leds/leds-an30259a.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - -diff --git a/drivers/leds/leds-an30259a.c b/drivers/leds/leds-an30259a.c -index 0216afed3b6e7..decfca447d8a7 100644 ---- a/drivers/leds/leds-an30259a.c -+++ b/drivers/leds/leds-an30259a.c -@@ -283,7 +283,10 @@ static int an30259a_probe(struct i2c_client *client) - if (err < 0) - return err; - -- mutex_init(&chip->mutex); -+ err = devm_mutex_init(&client->dev, &chip->mutex); -+ if (err) -+ return err; -+ - chip->client = client; - i2c_set_clientdata(client, chip); - -@@ -317,17 +320,9 @@ static int an30259a_probe(struct i2c_client *client) - return 0; - - exit: -- mutex_destroy(&chip->mutex); - return err; - } - --static void an30259a_remove(struct i2c_client *client) --{ -- struct an30259a *chip = i2c_get_clientdata(client); -- -- mutex_destroy(&chip->mutex); --} -- - static const struct of_device_id an30259a_match_table[] = { - { .compatible = "panasonic,an30259a", }, - { /* sentinel */ }, -@@ -347,7 +342,6 @@ static struct i2c_driver an30259a_driver = { - .of_match_table = an30259a_match_table, - }, - .probe = an30259a_probe, -- .remove = an30259a_remove, - .id_table = an30259a_id, - }; - --- -2.43.0 - diff --git a/queue-6.9/leds-mlxreg-use-devm_mutex_init-for-mutex-initializa.patch b/queue-6.9/leds-mlxreg-use-devm_mutex_init-for-mutex-initializa.patch deleted file mode 100644 index 9a4fed131b5..00000000000 --- a/queue-6.9/leds-mlxreg-use-devm_mutex_init-for-mutex-initializa.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 896e10aad28baa03d4974a2bce51e42522872231 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 19:10:31 +0300 -Subject: leds: mlxreg: Use devm_mutex_init() for mutex initialization - -From: George Stark - -[ Upstream commit efc347b9efee1c2b081f5281d33be4559fa50a16 ] - -In this driver LEDs are registered using devm_led_classdev_register() -so they are automatically unregistered after module's remove() is done. -led_classdev_unregister() calls module's led_set_brightness() to turn off -the LEDs and that callback uses mutex which was destroyed already -in module's remove() so use devm API instead. - -Signed-off-by: George Stark -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20240411161032.609544-8-gnstark@salutedevices.com -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - drivers/leds/leds-mlxreg.c | 14 +++++--------- - 1 file changed, 5 insertions(+), 9 deletions(-) - -diff --git a/drivers/leds/leds-mlxreg.c b/drivers/leds/leds-mlxreg.c -index 5595788d98d20..1b70de72376cc 100644 ---- a/drivers/leds/leds-mlxreg.c -+++ b/drivers/leds/leds-mlxreg.c -@@ -256,6 +256,7 @@ static int mlxreg_led_probe(struct platform_device *pdev) - { - struct mlxreg_core_platform_data *led_pdata; - struct mlxreg_led_priv_data *priv; -+ int err; - - led_pdata = dev_get_platdata(&pdev->dev); - if (!led_pdata) { -@@ -267,26 +268,21 @@ static int mlxreg_led_probe(struct platform_device *pdev) - if (!priv) - return -ENOMEM; - -- mutex_init(&priv->access_lock); -+ err = devm_mutex_init(&pdev->dev, &priv->access_lock); -+ if (err) -+ return err; -+ - priv->pdev = pdev; - priv->pdata = led_pdata; - - return mlxreg_led_config(priv); - } - --static void mlxreg_led_remove(struct platform_device *pdev) --{ -- struct mlxreg_led_priv_data *priv = dev_get_drvdata(&pdev->dev); -- -- mutex_destroy(&priv->access_lock); --} -- - static struct platform_driver mlxreg_led_driver = { - .driver = { - .name = "leds-mlxreg", - }, - .probe = mlxreg_led_probe, -- .remove_new = mlxreg_led_remove, - }; - - module_platform_driver(mlxreg_led_driver); --- -2.43.0 - diff --git a/queue-6.9/locking-mutex-introduce-devm_mutex_init.patch b/queue-6.9/locking-mutex-introduce-devm_mutex_init.patch deleted file mode 100644 index 37b4591e72c..00000000000 --- a/queue-6.9/locking-mutex-introduce-devm_mutex_init.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 5cafcf9acd1f83e360182f161b965eb345be12be Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 19:10:25 +0300 -Subject: locking/mutex: Introduce devm_mutex_init() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: George Stark - -[ Upstream commit 4cd47222e435dec8e3787614924174f53fcfb5ae ] - -Using of devm API leads to a certain order of releasing resources. -So all dependent resources which are not devm-wrapped should be deleted -with respect to devm-release order. Mutex is one of such objects that -often is bound to other resources and has no own devm wrapping. -Since mutex_destroy() actually does nothing in non-debug builds -frequently calling mutex_destroy() is just ignored which is safe for now -but wrong formally and can lead to a problem if mutex_destroy() will be -extended so introduce devm_mutex_init(). - -Suggested-by: Christophe Leroy -Signed-off-by: George Stark -Reviewed-by: Christophe Leroy -Reviewed-by: Andy Shevchenko -Reviewed-by: Marek Behún -Acked-by: Waiman Long -Link: https://lore.kernel.org/r/20240411161032.609544-2-gnstark@salutedevices.com -Signed-off-by: Lee Jones -Stable-dep-of: efc347b9efee ("leds: mlxreg: Use devm_mutex_init() for mutex initialization") -Signed-off-by: Sasha Levin ---- - include/linux/mutex.h | 27 +++++++++++++++++++++++++++ - kernel/locking/mutex-debug.c | 12 ++++++++++++ - 2 files changed, 39 insertions(+) - -diff --git a/include/linux/mutex.h b/include/linux/mutex.h -index 67edc4ca2beeb..a561c629d89f0 100644 ---- a/include/linux/mutex.h -+++ b/include/linux/mutex.h -@@ -22,6 +22,8 @@ - #include - #include - -+struct device; -+ - #ifdef CONFIG_DEBUG_LOCK_ALLOC - # define __DEP_MAP_MUTEX_INITIALIZER(lockname) \ - , .dep_map = { \ -@@ -117,6 +119,31 @@ do { \ - } while (0) - #endif /* CONFIG_PREEMPT_RT */ - -+#ifdef CONFIG_DEBUG_MUTEXES -+ -+int __devm_mutex_init(struct device *dev, struct mutex *lock); -+ -+#else -+ -+static inline int __devm_mutex_init(struct device *dev, struct mutex *lock) -+{ -+ /* -+ * When CONFIG_DEBUG_MUTEXES is off mutex_destroy() is just a nop so -+ * no really need to register it in the devm subsystem. -+ */ -+ return 0; -+} -+ -+#endif -+ -+#define devm_mutex_init(dev, mutex) \ -+({ \ -+ typeof(mutex) mutex_ = (mutex); \ -+ \ -+ mutex_init(mutex_); \ -+ __devm_mutex_init(dev, mutex_); \ -+}) -+ - /* - * See kernel/locking/mutex.c for detailed documentation of these APIs. - * Also see Documentation/locking/mutex-design.rst. -diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c -index bc8abb8549d20..6e6f6071cfa27 100644 ---- a/kernel/locking/mutex-debug.c -+++ b/kernel/locking/mutex-debug.c -@@ -12,6 +12,7 @@ - */ - #include - #include -+#include - #include - #include - #include -@@ -89,6 +90,17 @@ void debug_mutex_init(struct mutex *lock, const char *name, - lock->magic = lock; - } - -+static void devm_mutex_release(void *res) -+{ -+ mutex_destroy(res); -+} -+ -+int __devm_mutex_init(struct device *dev, struct mutex *lock) -+{ -+ return devm_add_action_or_reset(dev, devm_mutex_release, lock); -+} -+EXPORT_SYMBOL_GPL(__devm_mutex_init); -+ - /*** - * mutex_destroy - mark a mutex unusable - * @lock: the mutex to be destroyed --- -2.43.0 - diff --git a/queue-6.9/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch b/queue-6.9/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch deleted file mode 100644 index c19eb7f5bcc..00000000000 --- a/queue-6.9/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1ec233cc664eb0b133656144b8268dffa1fc6f61 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 12:24:37 +0000 -Subject: media: dvb: as102-fe: Fix as10x_register_addr packing - -From: Ricardo Ribalda - -[ Upstream commit 309422d280748c74f57f471559980268ac27732a ] - -This structure is embedded in multiple other structures that are packed, -which conflicts with it being aligned. - -drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access] - -Mark it as being packed. - -Marking the inner struct as 'packed' does not change the layout, since the -whole struct is already packed, it just silences the clang warning. See -also this llvm discussion: - -https://github.com/llvm/llvm-project/issues/55520 - -Signed-off-by: Ricardo Ribalda -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/as102_fe_types.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h -index 297f9520ebf9d..8a4e392c88965 100644 ---- a/drivers/media/dvb-frontends/as102_fe_types.h -+++ b/drivers/media/dvb-frontends/as102_fe_types.h -@@ -174,6 +174,6 @@ struct as10x_register_addr { - uint32_t addr; - /* register mode access */ - uint8_t mode; --}; -+} __packed; - - #endif --- -2.43.0 - diff --git a/queue-6.9/media-dvb-frontends-tda10048-fix-integer-overflow.patch b/queue-6.9/media-dvb-frontends-tda10048-fix-integer-overflow.patch deleted file mode 100644 index a74597a5537..00000000000 --- a/queue-6.9/media-dvb-frontends-tda10048-fix-integer-overflow.patch +++ /dev/null @@ -1,53 +0,0 @@ -From c462c6c5b39d08e0e80e5cdad2d395038ef59d95 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:05:04 +0100 -Subject: media: dvb-frontends: tda10048: Fix integer overflow - -From: Ricardo Ribalda - -[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ] - -state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer -when multiplied by pll_mfactor. - -Create a new 64 bit variable to hold the calculations. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org -Reported-by: Dan Carpenter -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/tda10048.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c -index 5d5e4e9e4422e..3e725cdcc66bd 100644 ---- a/drivers/media/dvb-frontends/tda10048.c -+++ b/drivers/media/dvb-frontends/tda10048.c -@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) - struct tda10048_config *config = &state->config; - int i; - u32 if_freq_khz; -+ u64 sample_freq; - - dprintk(1, "%s(bw = %d)\n", __func__, bw); - -@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) - dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor); - - /* Calculate the sample frequency */ -- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45); -- state->sample_freq /= (state->pll_nfactor + 1); -- state->sample_freq /= (state->pll_pfactor + 4); -+ sample_freq = state->xtal_hz; -+ sample_freq *= state->pll_mfactor + 45; -+ do_div(sample_freq, state->pll_nfactor + 1); -+ do_div(sample_freq, state->pll_pfactor + 4); -+ state->sample_freq = sample_freq; - dprintk(1, "- sample_freq = %d\n", state->sample_freq); - - /* Update the I/F */ --- -2.43.0 - diff --git a/queue-6.9/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch b/queue-6.9/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch deleted file mode 100644 index 37b48502621..00000000000 --- a/queue-6.9/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 8761dc836e5d1e3314e18ae1e4673ff446953d64 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:04:47 +0100 -Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div - -From: Ricardo Ribalda - -[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ] - -do_div() divides 64 bits by 32. We were adding a casting to the divider -to 64 bits, for a number that fits perfectly in 32 bits. Remove it. - -Found by cocci: -drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. -drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c -index a348344879433..fd928787207ed 100644 ---- a/drivers/media/dvb-frontends/tda18271c2dd.c -+++ b/drivers/media/dvb-frontends/tda18271c2dd.c -@@ -328,7 +328,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq) - - OscFreq = (u64) freq * (u64) Div; - OscFreq *= (u64) 16384; -- do_div(OscFreq, (u64)16000000); -+ do_div(OscFreq, 16000000); - MainDiv = OscFreq; - - state->m_Regs[MPD] = PostDiv & 0x77; -@@ -352,7 +352,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq) - OscFreq = (u64)freq * (u64)Div; - /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */ - OscFreq *= (u64)16384; -- do_div(OscFreq, (u64)16000000); -+ do_div(OscFreq, 16000000); - CalDiv = OscFreq; - - state->m_Regs[CPD] = PostDiv; --- -2.43.0 - diff --git a/queue-6.9/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch b/queue-6.9/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch deleted file mode 100644 index 12dbb48739e..00000000000 --- a/queue-6.9/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 5eb380aea028cb5b41851e0bcd0b043af3fac0e4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 21:17:56 +0000 -Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware() - -From: Ricardo Ribalda - -[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ] - -Add missing release_firmware on the error paths. - -drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415. -drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497. - -Signed-off-by: Ricardo Ribalda -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c -index 3af594134a6de..6ddc205133939 100644 ---- a/drivers/media/usb/dvb-usb/dib0700_devices.c -+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c -@@ -2412,7 +2412,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap) - - adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config); - -- return adap->fe_adap[0].fe == NULL ? -ENODEV : 0; -+ if (!adap->fe_adap[0].fe) { -+ release_firmware(state->frontend_firmware); -+ return -ENODEV; -+ } -+ -+ return 0; - } - - static int dib9090_tuner_attach(struct dvb_usb_adapter *adap) -@@ -2485,8 +2490,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) - dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80); - adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]); - -- if (adap->fe_adap[0].fe == NULL) -+ if (!adap->fe_adap[0].fe) { -+ release_firmware(state->frontend_firmware); - return -ENODEV; -+ } - - i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0); - dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82); -@@ -2494,7 +2501,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) - fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]); - dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave); - -- return fe_slave == NULL ? -ENODEV : 0; -+ if (!fe_slave) { -+ release_firmware(state->frontend_firmware); -+ return -ENODEV; -+ } -+ -+ return 0; - } - - static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap) --- -2.43.0 - diff --git a/queue-6.9/media-dw2102-don-t-translate-i2c-read-into-write.patch b/queue-6.9/media-dw2102-don-t-translate-i2c-read-into-write.patch deleted file mode 100644 index 31ca8c1e1e0..00000000000 --- a/queue-6.9/media-dw2102-don-t-translate-i2c-read-into-write.patch +++ /dev/null @@ -1,197 +0,0 @@ -From 3fa5c0c9c0b63dac2d5f61b50259b194597f9ae2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 16 Jan 2022 11:22:36 +0000 -Subject: media: dw2102: Don't translate i2c read into write - -From: Michael Bunk - -[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ] - -The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed -an i2c transaction with a single message must be a write operation and a -transaction with two messages would be a read operation. - -Though this works for the driver code, it leads to problems once the i2c -device is exposed to code not knowing this convention. For example, -I did "insmod i2c-dev" and issued read requests from userspace, which -were translated into write requests and destroyed the EEPROM of my -device. - -So, just check and respect the I2C_M_READ flag, which indicates a read -when set on a message. If it is absent, it is a write message. - -Incidentally, changing from the case statement to a while loop allows -the code to lift the limitation to two i2c messages per transaction. - -There are 4 more *_i2c_transfer functions affected by the same behaviour -and limitation that should be fixed in the same way. - -Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org -Signed-off-by: Michael Bunk -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++----------- - 1 file changed, 73 insertions(+), 47 deletions(-) - -diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c -index b3bb1805829ad..10351308b0d02 100644 ---- a/drivers/media/usb/dvb-usb/dw2102.c -+++ b/drivers/media/usb/dvb-usb/dw2102.c -@@ -716,6 +716,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - { - struct dvb_usb_device *d = i2c_get_adapdata(adap); - struct dw2102_state *state; -+ int j; - - if (!d) - return -ENODEV; -@@ -729,11 +730,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - return -EAGAIN; - } - -- switch (num) { -- case 1: -- switch (msg[0].addr) { -+ j = 0; -+ while (j < num) { -+ switch (msg[j].addr) { - case SU3000_STREAM_CTRL: -- state->data[0] = msg[0].buf[0] + 0x36; -+ state->data[0] = msg[j].buf[0] + 0x36; - state->data[1] = 3; - state->data[2] = 0; - if (dvb_usb_generic_rw(d, state->data, 3, -@@ -745,61 +746,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - if (dvb_usb_generic_rw(d, state->data, 1, - state->data, 2, 0) < 0) - err("i2c transfer failed."); -- msg[0].buf[1] = state->data[0]; -- msg[0].buf[0] = state->data[1]; -+ msg[j].buf[1] = state->data[0]; -+ msg[j].buf[0] = state->data[1]; - break; - default: -- if (3 + msg[0].len > sizeof(state->data)) { -- warn("i2c wr: len=%d is too big!\n", -- msg[0].len); -+ /* if the current write msg is followed by a another -+ * read msg to/from the same address -+ */ -+ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) && -+ (msg[j].addr == msg[j+1].addr)) { -+ /* join both i2c msgs to one usb read command */ -+ if (4 + msg[j].len > sizeof(state->data)) { -+ warn("i2c combined wr/rd: write len=%d is too big!\n", -+ msg[j].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ if (1 + msg[j+1].len > sizeof(state->data)) { -+ warn("i2c combined wr/rd: read len=%d is too big!\n", -+ msg[j+1].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ -+ state->data[0] = 0x09; -+ state->data[1] = msg[j].len; -+ state->data[2] = msg[j+1].len; -+ state->data[3] = msg[j].addr; -+ memcpy(&state->data[4], msg[j].buf, msg[j].len); -+ -+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4, -+ state->data, msg[j+1].len + 1, 0) < 0) -+ err("i2c transfer failed."); -+ -+ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len); -+ j++; -+ break; -+ } -+ -+ if (msg[j].flags & I2C_M_RD) { -+ /* single read */ -+ if (1 + msg[j].len > sizeof(state->data)) { -+ warn("i2c rd: len=%d is too big!\n", msg[j].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ -+ state->data[0] = 0x09; -+ state->data[1] = 0; -+ state->data[2] = msg[j].len; -+ state->data[3] = msg[j].addr; -+ memcpy(&state->data[4], msg[j].buf, msg[j].len); -+ -+ if (dvb_usb_generic_rw(d, state->data, 4, -+ state->data, msg[j].len + 1, 0) < 0) -+ err("i2c transfer failed."); -+ -+ memcpy(msg[j].buf, &state->data[1], msg[j].len); -+ break; -+ } -+ -+ /* single write */ -+ if (3 + msg[j].len > sizeof(state->data)) { -+ warn("i2c wr: len=%d is too big!\n", msg[j].len); - num = -EOPNOTSUPP; - break; - } - -- /* always i2c write*/ - state->data[0] = 0x08; -- state->data[1] = msg[0].addr; -- state->data[2] = msg[0].len; -+ state->data[1] = msg[j].addr; -+ state->data[2] = msg[j].len; - -- memcpy(&state->data[3], msg[0].buf, msg[0].len); -+ memcpy(&state->data[3], msg[j].buf, msg[j].len); - -- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3, -+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3, - state->data, 1, 0) < 0) - err("i2c transfer failed."); -+ } // switch -+ j++; - -- } -- break; -- case 2: -- /* always i2c read */ -- if (4 + msg[0].len > sizeof(state->data)) { -- warn("i2c rd: len=%d is too big!\n", -- msg[0].len); -- num = -EOPNOTSUPP; -- break; -- } -- if (1 + msg[1].len > sizeof(state->data)) { -- warn("i2c rd: len=%d is too big!\n", -- msg[1].len); -- num = -EOPNOTSUPP; -- break; -- } -- -- state->data[0] = 0x09; -- state->data[1] = msg[0].len; -- state->data[2] = msg[1].len; -- state->data[3] = msg[0].addr; -- memcpy(&state->data[4], msg[0].buf, msg[0].len); -- -- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4, -- state->data, msg[1].len + 1, 0) < 0) -- err("i2c transfer failed."); -- -- memcpy(msg[1].buf, &state->data[1], msg[1].len); -- break; -- default: -- warn("more than 2 i2c messages at a time is not handled yet."); -- break; -- } -+ } // while - mutex_unlock(&d->data_mutex); - mutex_unlock(&d->i2c_mutex); - return num; --- -2.43.0 - diff --git a/queue-6.9/media-dw2102-fix-a-potential-buffer-overflow.patch b/queue-6.9/media-dw2102-fix-a-potential-buffer-overflow.patch deleted file mode 100644 index fe463ec5c3b..00000000000 --- a/queue-6.9/media-dw2102-fix-a-potential-buffer-overflow.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 35066f469b7d0191abed58810cb6e44df8e43d2c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 15:15:05 +0100 -Subject: media: dw2102: fix a potential buffer overflow - -From: Mauro Carvalho Chehab - -[ Upstream commit 1c73d0b29d04bf4082e7beb6a508895e118ee30d ] - -As pointed by smatch: - drivers/media/usb/dvb-usb/dw2102.c:802 su3000_i2c_transfer() error: __builtin_memcpy() '&state->data[4]' too small (64 vs 67) - -That seemss to be due to a wrong copy-and-paste. - -Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write") - -Reported-by: Hans Verkuil -Reviewed-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb/dw2102.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c -index 10351308b0d02..f31d3835430e7 100644 ---- a/drivers/media/usb/dvb-usb/dw2102.c -+++ b/drivers/media/usb/dvb-usb/dw2102.c -@@ -786,7 +786,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - - if (msg[j].flags & I2C_M_RD) { - /* single read */ -- if (1 + msg[j].len > sizeof(state->data)) { -+ if (4 + msg[j].len > sizeof(state->data)) { - warn("i2c rd: len=%d is too big!\n", msg[j].len); - num = -EOPNOTSUPP; - break; --- -2.43.0 - diff --git a/queue-6.9/media-i2c-st-mipid02-use-the-correct-div-function.patch b/queue-6.9/media-i2c-st-mipid02-use-the-correct-div-function.patch deleted file mode 100644 index d53816bbd9c..00000000000 --- a/queue-6.9/media-i2c-st-mipid02-use-the-correct-div-function.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 3bd9e0465f3b882cdf041a108b52cfea5683e0ac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:05:00 +0100 -Subject: media: i2c: st-mipid02: Use the correct div function - -From: Ricardo Ribalda - -[ Upstream commit 22dccf029e4a67ad5aa62537c47ece9f24c8f970 ] - -link_freq does not fit in 32 bits. - -Found by cocci: -drivers/media/i2c/st-mipid02.c:329:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_s64 instead. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-21-3c4865f5a4b0@chromium.org -Reviewed-by: Benjamin Mugnier -Reviewed-by: Sakari Ailus -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/i2c/st-mipid02.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/media/i2c/st-mipid02.c b/drivers/media/i2c/st-mipid02.c -index f250640729ca4..b947a55281f0e 100644 ---- a/drivers/media/i2c/st-mipid02.c -+++ b/drivers/media/i2c/st-mipid02.c -@@ -326,7 +326,7 @@ static int mipid02_configure_from_rx_speed(struct mipid02_dev *bridge, - } - - dev_dbg(&client->dev, "detect link_freq = %lld Hz", link_freq); -- do_div(ui_4, link_freq); -+ ui_4 = div64_u64(ui_4, link_freq); - bridge->r.clk_lane_reg1 |= ui_4 << 2; - - return 0; --- -2.43.0 - diff --git a/queue-6.9/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch b/queue-6.9/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch deleted file mode 100644 index 4f7ec0d3108..00000000000 --- a/queue-6.9/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 1736310d42875655e3a421d0e54452e32c7c349d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Dec 2023 09:17:46 +0000 -Subject: media: mediatek: vcodec: Only free buffer VA that is not NULL - -From: Fei Shao - -[ Upstream commit eb005c801ec70ff4307727bd3bd6e8280169ef32 ] - -In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly -called only when the buffer to free exists, there are some instances -that didn't do the check and triggered warnings in practice. - -We believe those checks were forgotten unintentionally. Add the checks -back to fix the warnings. - -Signed-off-by: Fei Shao -Reviewed-by: AngeloGioacchino Del Regno -Signed-off-by: Andrzej Pietrasiewicz -Signed-off-by: Sebastian Fricke -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - .../vcodec/decoder/vdec/vdec_av1_req_lat_if.c | 22 +++++++++++++------ - .../vcodec/encoder/venc/venc_h264_if.c | 5 +++-- - 2 files changed, 18 insertions(+), 9 deletions(-) - -diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c -index 2b6a5adbc4199..b0e2e59f61b5d 100644 ---- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c -+++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c -@@ -1023,18 +1023,26 @@ static void vdec_av1_slice_free_working_buffer(struct vdec_av1_slice_instance *i - int i; - - for (i = 0; i < ARRAY_SIZE(instance->mv); i++) -- mtk_vcodec_mem_free(ctx, &instance->mv[i]); -+ if (instance->mv[i].va) -+ mtk_vcodec_mem_free(ctx, &instance->mv[i]); - - for (i = 0; i < ARRAY_SIZE(instance->seg); i++) -- mtk_vcodec_mem_free(ctx, &instance->seg[i]); -+ if (instance->seg[i].va) -+ mtk_vcodec_mem_free(ctx, &instance->seg[i]); - - for (i = 0; i < ARRAY_SIZE(instance->cdf); i++) -- mtk_vcodec_mem_free(ctx, &instance->cdf[i]); -+ if (instance->cdf[i].va) -+ mtk_vcodec_mem_free(ctx, &instance->cdf[i]); -+ - -- mtk_vcodec_mem_free(ctx, &instance->tile); -- mtk_vcodec_mem_free(ctx, &instance->cdf_temp); -- mtk_vcodec_mem_free(ctx, &instance->cdf_table); -- mtk_vcodec_mem_free(ctx, &instance->iq_table); -+ if (instance->tile.va) -+ mtk_vcodec_mem_free(ctx, &instance->tile); -+ if (instance->cdf_temp.va) -+ mtk_vcodec_mem_free(ctx, &instance->cdf_temp); -+ if (instance->cdf_table.va) -+ mtk_vcodec_mem_free(ctx, &instance->cdf_table); -+ if (instance->iq_table.va) -+ mtk_vcodec_mem_free(ctx, &instance->iq_table); - - instance->level = AV1_RES_NONE; - } -diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c -index a68dac72c4e42..f8145998fcaf7 100644 ---- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c -+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c -@@ -301,11 +301,12 @@ static void h264_enc_free_work_buf(struct venc_h264_inst *inst) - * other buffers need to be freed by AP. - */ - for (i = 0; i < VENC_H264_VPU_WORK_BUF_MAX; i++) { -- if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME) -+ if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME && inst->work_bufs[i].va) - mtk_vcodec_mem_free(inst->ctx, &inst->work_bufs[i]); - } - -- mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf); -+ if (inst->pps_buf.va) -+ mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf); - } - - static int h264_enc_alloc_work_buf(struct venc_h264_inst *inst, bool is_34bit) --- -2.43.0 - diff --git a/queue-6.9/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch b/queue-6.9/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch deleted file mode 100644 index 973dbd4fb73..00000000000 --- a/queue-6.9/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 8a213cc181b719dbc3c69db7d5acfb8df30a599d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:04:50 +0100 -Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels - -From: Ricardo Ribalda - -[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ] - -Use an API that resembles more the actual use of num_channels. - -Found by cocci: -drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363. -drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c -index 8e1de1e8bd127..a6e450181fd01 100644 ---- a/drivers/media/usb/s2255/s2255drv.c -+++ b/drivers/media/usb/s2255/s2255drv.c -@@ -247,7 +247,7 @@ struct s2255_vc { - struct s2255_dev { - struct s2255_vc vc[MAX_CHANNELS]; - struct v4l2_device v4l2_dev; -- atomic_t num_channels; -+ refcount_t num_channels; - int frames; - struct mutex lock; /* channels[].vdev.lock */ - struct mutex cmdlock; /* protects cmdbuf */ -@@ -1550,11 +1550,11 @@ static void s2255_video_device_release(struct video_device *vdev) - container_of(vdev, struct s2255_vc, vdev); - - dprintk(dev, 4, "%s, chnls: %d\n", __func__, -- atomic_read(&dev->num_channels)); -+ refcount_read(&dev->num_channels)); - - v4l2_ctrl_handler_free(&vc->hdl); - -- if (atomic_dec_and_test(&dev->num_channels)) -+ if (refcount_dec_and_test(&dev->num_channels)) - s2255_destroy(dev); - return; - } -@@ -1659,7 +1659,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev) - "failed to register video device!\n"); - break; - } -- atomic_inc(&dev->num_channels); -+ refcount_inc(&dev->num_channels); - v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n", - video_device_node_name(&vc->vdev)); - -@@ -1667,11 +1667,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev) - pr_info("Sensoray 2255 V4L driver Revision: %s\n", - S2255_VERSION); - /* if no channels registered, return error and probe will fail*/ -- if (atomic_read(&dev->num_channels) == 0) { -+ if (refcount_read(&dev->num_channels) == 0) { - v4l2_device_unregister(&dev->v4l2_dev); - return ret; - } -- if (atomic_read(&dev->num_channels) != MAX_CHANNELS) -+ if (refcount_read(&dev->num_channels) != MAX_CHANNELS) - pr_warn("s2255: Not all channels available.\n"); - return 0; - } -@@ -2221,7 +2221,7 @@ static int s2255_probe(struct usb_interface *interface, - goto errorFWDATA1; - } - -- atomic_set(&dev->num_channels, 0); -+ refcount_set(&dev->num_channels, 0); - dev->pid = id->idProduct; - dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL); - if (!dev->fw_data) -@@ -2341,12 +2341,12 @@ static void s2255_disconnect(struct usb_interface *interface) - { - struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface)); - int i; -- int channels = atomic_read(&dev->num_channels); -+ int channels = refcount_read(&dev->num_channels); - mutex_lock(&dev->lock); - v4l2_device_disconnect(&dev->v4l2_dev); - mutex_unlock(&dev->lock); - /*see comments in the uvc_driver.c usb disconnect function */ -- atomic_inc(&dev->num_channels); -+ refcount_inc(&dev->num_channels); - /* unregister each video device. */ - for (i = 0; i < channels; i++) - video_unregister_device(&dev->vc[i].vdev); -@@ -2359,7 +2359,7 @@ static void s2255_disconnect(struct usb_interface *interface) - dev->vc[i].vidstatus_ready = 1; - wake_up(&dev->vc[i].wait_vidstatus); - } -- if (atomic_dec_and_test(&dev->num_channels)) -+ if (refcount_dec_and_test(&dev->num_channels)) - s2255_destroy(dev); - dev_info(&interface->dev, "%s\n", __func__); - } --- -2.43.0 - diff --git a/queue-6.9/media-tc358746-use-the-correct-div_-function.patch b/queue-6.9/media-tc358746-use-the-correct-div_-function.patch deleted file mode 100644 index b5a6d330c55..00000000000 --- a/queue-6.9/media-tc358746-use-the-correct-div_-function.patch +++ /dev/null @@ -1,39 +0,0 @@ -From ba4e2b39664b01e17ace2d068fa580e17a95bb9b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:05:01 +0100 -Subject: media: tc358746: Use the correct div_ function - -From: Ricardo Ribalda - -[ Upstream commit d77731382f57b9c18664a13c7e197285060ebf93 ] - -fin does not fit in 32 bits in some arches. - -Found by cocci: -drivers/media/i2c/tc358746.c:847:2-8: WARNING: do_div() does a 64-by-32 division, please consider using div64_ul instead. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-22-3c4865f5a4b0@chromium.org -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/i2c/tc358746.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/media/i2c/tc358746.c b/drivers/media/i2c/tc358746.c -index d676adc4401bb..edf79107adc51 100644 ---- a/drivers/media/i2c/tc358746.c -+++ b/drivers/media/i2c/tc358746.c -@@ -844,8 +844,7 @@ static unsigned long tc358746_find_pll_settings(struct tc358746 *tc358746, - continue; - - tmp = fout * postdiv; -- do_div(tmp, fin); -- mul = tmp; -+ mul = div64_ul(tmp, fin); - if (mul > 511) - continue; - --- -2.43.0 - diff --git a/queue-6.9/net-dql-avoid-calling-bug-when-warn-is-enough.patch b/queue-6.9/net-dql-avoid-calling-bug-when-warn-is-enough.patch deleted file mode 100644 index dde676fc59c..00000000000 --- a/queue-6.9/net-dql-avoid-calling-bug-when-warn-is-enough.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 97608e6156ec689642b1b200f2e7646216837ed6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 12:22:29 -0700 -Subject: net: dql: Avoid calling BUG() when WARN() is enough - -From: Breno Leitao - -[ Upstream commit 4854b463c4b27c94a7de86d16ad84f235f4c1a72 ] - -If the dql_queued() function receives an invalid argument, WARN about it -and continue, instead of crashing the kernel. - -This was raised by checkpatch, when I am refactoring this code (see -following patch/commit) - - WARNING: Do not crash the kernel unless it is absolutely unavoidable--use WARN_ON_ONCE() plus recovery code (if feasible) instead of BUG() or variants - -Signed-off-by: Breno Leitao -Link: https://lore.kernel.org/r/20240411192241.2498631-2-leitao@debian.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/linux/dynamic_queue_limits.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/include/linux/dynamic_queue_limits.h b/include/linux/dynamic_queue_limits.h -index 5693a4be0d9a9..ff9c65841ae8d 100644 ---- a/include/linux/dynamic_queue_limits.h -+++ b/include/linux/dynamic_queue_limits.h -@@ -91,7 +91,8 @@ static inline void dql_queued(struct dql *dql, unsigned int count) - { - unsigned long map, now, now_hi, i; - -- BUG_ON(count > DQL_MAX_OBJECT); -+ if (WARN_ON_ONCE(count > DQL_MAX_OBJECT)) -+ return; - - dql->last_obj_cnt = count; - --- -2.43.0 - diff --git a/queue-6.9/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch b/queue-6.9/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch deleted file mode 100644 index eff84cd9f9b..00000000000 --- a/queue-6.9/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 134afc8e46bc6c022302c5108b242e84db1dfb88 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 18:46:45 +0100 -Subject: net: dsa: mv88e6xxx: Correct check for empty list - -From: Simon Horman - -[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ] - -Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO -busses") mv88e6xxx_default_mdio_bus() has checked that the -return value of list_first_entry() is non-NULL. - -This appears to be intended to guard against the list chip->mdios being -empty. However, it is not the correct check as the implementation of -list_first_entry is not designed to return NULL for empty lists. - -Instead, use list_first_entry_or_null() which does return NULL if the -list is empty. - -Flagged by Smatch. -Compile tested only. - -Reviewed-by: Andrew Lunn -Signed-off-by: Simon Horman -Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/mv88e6xxx/chip.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c -index 5a202edfec371..80741e506f422 100644 ---- a/drivers/net/dsa/mv88e6xxx/chip.c -+++ b/drivers/net/dsa/mv88e6xxx/chip.c -@@ -131,8 +131,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip) - { - struct mv88e6xxx_mdio_bus *mdio_bus; - -- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus, -- list); -+ mdio_bus = list_first_entry_or_null(&chip->mdios, -+ struct mv88e6xxx_mdio_bus, list); - if (!mdio_bus) - return NULL; - --- -2.43.0 - diff --git a/queue-6.9/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch b/queue-6.9/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch deleted file mode 100644 index 06620f4f967..00000000000 --- a/queue-6.9/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 9ceb0f150995e76cf0458a7a2ce737f598402ac5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 9 May 2024 07:14:29 +0900 -Subject: nilfs2: convert BUG_ON() in nilfs_finish_roll_forward() to WARN_ON() - -From: Ryusuke Konishi - -[ Upstream commit 0a73eac1ed10097d1799c10dff2172605fd40c75 ] - -The BUG_ON check performed on the return value of __getblk() in -nilfs_finish_roll_forward() assumes that a buffer that has been -successfully read once is retrieved with the same parameters and does not -fail (__getblk() does not return an error due to memory allocation -failure). Also, nilfs_finish_roll_forward() is called at most once during -mount. - -Taking these into consideration, rewrite the check to use WARN_ON() to -avoid using BUG_ON(). - -Link: https://lkml.kernel.org/r/20240508221429.7559-1-konishi.ryusuke@gmail.com -Signed-off-by: Ryusuke Konishi -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - fs/nilfs2/recovery.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c -index 49a70c68bf3c0..3d58961aff299 100644 ---- a/fs/nilfs2/recovery.c -+++ b/fs/nilfs2/recovery.c -@@ -698,7 +698,9 @@ static void nilfs_finish_roll_forward(struct the_nilfs *nilfs, - return; - - bh = __getblk(nilfs->ns_bdev, ri->ri_lsegs_start, nilfs->ns_blocksize); -- BUG_ON(!bh); -+ if (WARN_ON(!bh)) -+ return; /* should never happen */ -+ - memset(bh->b_data, 0, bh->b_size); - set_buffer_dirty(bh); - err = sync_dirty_buffer(bh); --- -2.43.0 - diff --git a/queue-6.9/orangefs-fix-out-of-bounds-fsid-access.patch b/queue-6.9/orangefs-fix-out-of-bounds-fsid-access.patch deleted file mode 100644 index 26cb9543811..00000000000 --- a/queue-6.9/orangefs-fix-out-of-bounds-fsid-access.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 59dadff2806a11e5c3d90e087fd477195750ba6f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 May 2024 16:20:36 -0400 -Subject: orangefs: fix out-of-bounds fsid access - -From: Mike Marshall - -[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] - -Arnd Bergmann sent a patch to fsdevel, he says: - -"orangefs_statfs() copies two consecutive fields of the superblock into -the statfs structure, which triggers a warning from the string fortification -helpers" - -Jan Kara suggested an alternate way to do the patch to make it more readable. - -I ran both ideas through xfstests and both seem fine. This patch -is based on Jan Kara's suggestion. - -Signed-off-by: Mike Marshall -Signed-off-by: Sasha Levin ---- - fs/orangefs/super.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c -index 34849b4a3243c..907765673765c 100644 ---- a/fs/orangefs/super.c -+++ b/fs/orangefs/super.c -@@ -201,7 +201,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf) - (long)new_op->downcall.resp.statfs.files_avail); - - buf->f_type = sb->s_magic; -- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid)); -+ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id; -+ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id; - buf->f_bsize = new_op->downcall.resp.statfs.block_size; - buf->f_namelen = ORANGEFS_NAME_MAX; - --- -2.43.0 - diff --git a/queue-6.9/perf-callchain-use-zfree-to-avoid-possibly-accessing.patch b/queue-6.9/perf-callchain-use-zfree-to-avoid-possibly-accessing.patch deleted file mode 100644 index effd5927f11..00000000000 --- a/queue-6.9/perf-callchain-use-zfree-to-avoid-possibly-accessing.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 11b5876f845943552c187b12fe863e59019df77e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 00:04:06 -0300 -Subject: perf callchain: Use zfree() to avoid possibly accessing dangling - pointers - -From: Arnaldo Carvalho de Melo - -[ Upstream commit 54ef362e4daa4a4ecfa2abdc251b21564d27784e ] - -When freeing a->b it is good practice to set a->b to NULL using -zfree(&a->b) so that when we have a bug where a reference to a freed 'a' -pointer is kept somewhere, we can more quickly cause a segfault if some -code tries to use a->b. - -Convert one such case in the callchain code. - -Cc: Adrian Hunter -Cc: Ian Rogers -Cc: Jiri Olsa -Cc: Kan Liang -Cc: Namhyung Kim -Link: https://lore.kernel.org/lkml/ZjmcGobQ8E52EyjJ@x1 -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/util/callchain.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/perf/util/callchain.c b/tools/perf/util/callchain.c -index 7517d16c02ec9..3a7d55dd6ee57 100644 ---- a/tools/perf/util/callchain.c -+++ b/tools/perf/util/callchain.c -@@ -606,7 +606,7 @@ fill_node(struct callchain_node *node, struct callchain_cursor *cursor) - call->brtype_stat = zalloc(sizeof(*call->brtype_stat)); - if (!call->brtype_stat) { - perror("not enough memory for the code path branch statistics"); -- free(call->brtype_stat); -+ zfree(&call->brtype_stat); - return -ENOMEM; - } - } --- -2.43.0 - diff --git a/queue-6.9/perf-kwork-use-zfree-to-avoid-possibly-accessing-dan.patch b/queue-6.9/perf-kwork-use-zfree-to-avoid-possibly-accessing-dan.patch deleted file mode 100644 index 88514172272..00000000000 --- a/queue-6.9/perf-kwork-use-zfree-to-avoid-possibly-accessing-dan.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 91ce55177a4cf5f07bf9b21434146fd176a04960 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 00:04:06 -0300 -Subject: perf kwork: Use zfree() to avoid possibly accessing dangling pointers - -From: Arnaldo Carvalho de Melo - -[ Upstream commit 07fde75306667f60b5cee6f10c4115efbc719b96 ] - -When freeing a->b it is good practice to set a->b to NULL using -zfree(&a->b) so that when we have a bug where a reference to a freed 'a' -pointer is kept somewhere, we can more quickly cause a segfault if some -code tries to use a->b. - -Convert one such case in the 'perf kwork' codebase. - -Cc: Adrian Hunter -Cc: Ian Rogers -Cc: Jiri Olsa -Cc: Kan Liang -Cc: Namhyung Kim -Cc: Yang Jihong -Link: https://lore.kernel.org/lkml/Zjmc5EiN6zmWZj4r@x1 -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/builtin-kwork.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/perf/builtin-kwork.c b/tools/perf/builtin-kwork.c -index 0092b9b39611d..56e3f3a5e03a2 100644 ---- a/tools/perf/builtin-kwork.c -+++ b/tools/perf/builtin-kwork.c -@@ -2230,7 +2230,7 @@ static int perf_kwork__top(struct perf_kwork *kwork) - perf_kwork__top_report(kwork); - - out: -- free(kwork->top_stat.cpus_runtime); -+ zfree(&kwork->top_stat.cpus_runtime); - return ret; - } - --- -2.43.0 - diff --git a/queue-6.9/perf-lock-avoid-memory-leaks-from-strdup.patch b/queue-6.9/perf-lock-avoid-memory-leaks-from-strdup.patch deleted file mode 100644 index 4c0b4563a2a..00000000000 --- a/queue-6.9/perf-lock-avoid-memory-leaks-from-strdup.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 4ac1d5a285a46e516eb927354c2ab2f389e17f04 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 May 2024 22:31:23 -0700 -Subject: perf lock: Avoid memory leaks from strdup() - -From: Ian Rogers - -[ Upstream commit 5ecab785396055c3d6f2207bf80be9feacdd7ddc ] - -Leak sanitizer complains about the strdup-ed arguments not being freed -and given cmd_record doesn't modify the given strings, remove the -strdups. - -Original discussion in this patch: - - https://lore.kernel.org/lkml/20240430184156.1824083-1-irogers@google.com/ - -Suggested-by: Namhyung Kim -Signed-off-by: Ian Rogers -Acked-by: Namhyung Kim -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Kan Liang -Cc: Mark Rutland -Cc: Peter Zijlstra -Cc: zhaimingbing -Link: https://lore.kernel.org/r/20240509053123.1918093-1-irogers@google.com -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/builtin-lock.c | 18 ++++-------------- - 1 file changed, 4 insertions(+), 14 deletions(-) - -diff --git a/tools/perf/builtin-lock.c b/tools/perf/builtin-lock.c -index 230461280e452..7007d26fe6548 100644 ---- a/tools/perf/builtin-lock.c -+++ b/tools/perf/builtin-lock.c -@@ -2275,23 +2275,13 @@ static int __cmd_record(int argc, const char **argv) - return -ENOMEM; - - for (i = 0; i < ARRAY_SIZE(record_args); i++) -- rec_argv[i] = strdup(record_args[i]); -+ rec_argv[i] = record_args[i]; - - for (j = 0; j < nr_tracepoints; j++) { -- const char *ev_name; -- -- if (has_lock_stat) -- ev_name = strdup(lock_tracepoints[j].name); -- else -- ev_name = strdup(contention_tracepoints[j].name); -- -- if (!ev_name) { -- free(rec_argv); -- return -ENOMEM; -- } -- - rec_argv[i++] = "-e"; -- rec_argv[i++] = ev_name; -+ rec_argv[i++] = has_lock_stat -+ ? lock_tracepoints[j].name -+ : contention_tracepoints[j].name; - } - - for (j = 0; j < nr_callgraph_args; j++, i++) --- -2.43.0 - diff --git a/queue-6.9/perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch b/queue-6.9/perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch deleted file mode 100644 index 5ac57f918f0..00000000000 --- a/queue-6.9/perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 74cfcd07c9f67597302457c0cd002f032a5a0511 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 00:04:06 -0300 -Subject: perf probe: Use zfree() to avoid possibly accessing dangling pointers - -From: Arnaldo Carvalho de Melo - -[ Upstream commit b78854e5c008b01265d78c181332a3bb66c0abdf ] - -When freeing a->b it is good practice to set a->b to NULL using -zfree(&a->b) so that when we have a bug where a reference to a freed 'a' -pointer is kept somewhere, we can more quickly cause a segfault if some -code tries to use a->b. - -Convert one such case in the 'perf probe' codebase. - -Cc: Adrian Hunter -Cc: Ian Rogers -Cc: Jiri Olsa -Cc: Kan Liang -Cc: Namhyung Kim -Link: https://lore.kernel.org/lkml/ZjpBnkL2wO3QJa5W@x1 -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/builtin-probe.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c -index 019fef8da6a8e..003a3bcebfdfc 100644 ---- a/tools/perf/builtin-probe.c -+++ b/tools/perf/builtin-probe.c -@@ -325,7 +325,7 @@ static void cleanup_params(void) - for (i = 0; i < params->nevents; i++) - clear_perf_probe_event(params->events + i); - line_range__clear(¶ms->line_range); -- free(params->target); -+ zfree(¶ms->target); - strfilter__delete(params->filter); - nsinfo__put(params->nsi); - zfree(¶ms); --- -2.43.0 - diff --git a/queue-6.9/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch b/queue-6.9/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch deleted file mode 100644 index e749fbef6f7..00000000000 --- a/queue-6.9/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch +++ /dev/null @@ -1,49 +0,0 @@ -From eb7454cd23d3c1f9241c8450952bc5a3628e6ccc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 May 2024 17:56:19 +1000 -Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for - CONFIG_PCI=n - -From: Michael Ellerman - -[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ] - -There is code that builds with calls to IO accessors even when -CONFIG_PCI=n, but the actual calls are guarded by runtime checks. - -If not those calls would be faulting, because the page at virtual -address zero is (usually) not mapped into the kernel. As Arnd pointed -out, it is possible a large port value could cause the address to be -above mmap_min_addr which would then access userspace, which would be -a bug. - -To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That -is a value chosen to point into unmapped space between the kernel and -userspace, so any access will always fault. - -Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an -effect on 64-bit. - -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/io.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h -index ba2e13bb879dc..048e3705af20b 100644 ---- a/arch/powerpc/include/asm/io.h -+++ b/arch/powerpc/include/asm/io.h -@@ -37,7 +37,7 @@ extern struct pci_dev *isa_bridge_pcidev; - * define properly based on the platform - */ - #ifndef CONFIG_PCI --#define _IO_BASE 0 -+#define _IO_BASE POISON_POINTER_DELTA - #define _ISA_MEM_BASE 0 - #define PCI_DRAM_OFFSET 0 - #elif defined(CONFIG_PPC32) --- -2.43.0 - diff --git a/queue-6.9/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch b/queue-6.9/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch deleted file mode 100644 index c1b410c8e1c..00000000000 --- a/queue-6.9/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 8836d0e335422aff019e5f9590d553fb56979614 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 10:00:06 +0530 -Subject: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. - -From: Mahesh Salgaonkar - -[ Upstream commit 0db880fc865ffb522141ced4bfa66c12ab1fbb70 ] - -nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel -crash when invoked during real mode interrupt handling (e.g. early HMI/MCE -interrupt handler) if percpu allocation comes from vmalloc area. - -Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI() -wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when -percpu allocation is from the embedded first chunk. However with -CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu -allocation can come from the vmalloc area. - -With kernel command line "percpu_alloc=page" we can force percpu allocation -to come from vmalloc area and can see kernel crash in machine_check_early: - -[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110 -[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0 -[ 1.215719] --- interrupt: 200 -[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable) -[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0 -[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8 - -Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu -first chunk is not embedded. - -Reviewed-by: Christophe Leroy -Tested-by: Shirisha Ganta -Signed-off-by: Mahesh Salgaonkar -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240410043006.81577-1-mahesh@linux.ibm.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/interrupt.h | 10 ++++++++++ - arch/powerpc/include/asm/percpu.h | 10 ++++++++++ - arch/powerpc/kernel/setup_64.c | 2 ++ - 3 files changed, 22 insertions(+) - -diff --git a/arch/powerpc/include/asm/interrupt.h b/arch/powerpc/include/asm/interrupt.h -index 7b610864b3645..2d6c886b40f44 100644 ---- a/arch/powerpc/include/asm/interrupt.h -+++ b/arch/powerpc/include/asm/interrupt.h -@@ -336,6 +336,14 @@ static inline void interrupt_nmi_enter_prepare(struct pt_regs *regs, struct inte - if (IS_ENABLED(CONFIG_KASAN)) - return; - -+ /* -+ * Likewise, do not use it in real mode if percpu first chunk is not -+ * embedded. With CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there -+ * are chances where percpu allocation can come from vmalloc area. -+ */ -+ if (percpu_first_chunk_is_paged) -+ return; -+ - /* Otherwise, it should be safe to call it */ - nmi_enter(); - } -@@ -351,6 +359,8 @@ static inline void interrupt_nmi_exit_prepare(struct pt_regs *regs, struct inter - // no nmi_exit for a pseries hash guest taking a real mode exception - } else if (IS_ENABLED(CONFIG_KASAN)) { - // no nmi_exit for KASAN in real mode -+ } else if (percpu_first_chunk_is_paged) { -+ // no nmi_exit if percpu first chunk is not embedded - } else { - nmi_exit(); - } -diff --git a/arch/powerpc/include/asm/percpu.h b/arch/powerpc/include/asm/percpu.h -index 8e5b7d0b851c6..634970ce13c6b 100644 ---- a/arch/powerpc/include/asm/percpu.h -+++ b/arch/powerpc/include/asm/percpu.h -@@ -15,6 +15,16 @@ - #endif /* CONFIG_SMP */ - #endif /* __powerpc64__ */ - -+#if defined(CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK) && defined(CONFIG_SMP) -+#include -+DECLARE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged); -+ -+#define percpu_first_chunk_is_paged \ -+ (static_key_enabled(&__percpu_first_chunk_is_paged.key)) -+#else -+#define percpu_first_chunk_is_paged false -+#endif /* CONFIG_PPC64 && CONFIG_SMP */ -+ - #include - - #include -diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c -index 2f19d5e944852..ae36a129789ff 100644 ---- a/arch/powerpc/kernel/setup_64.c -+++ b/arch/powerpc/kernel/setup_64.c -@@ -834,6 +834,7 @@ static __init int pcpu_cpu_to_node(int cpu) - - unsigned long __per_cpu_offset[NR_CPUS] __read_mostly; - EXPORT_SYMBOL(__per_cpu_offset); -+DEFINE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged); - - void __init setup_per_cpu_areas(void) - { -@@ -876,6 +877,7 @@ void __init setup_per_cpu_areas(void) - if (rc < 0) - panic("cannot initialize percpu area (err=%d)", rc); - -+ static_key_enable(&__percpu_first_chunk_is_paged.key); - delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start; - for_each_possible_cpu(cpu) { - __per_cpu_offset[cpu] = delta + pcpu_unit_offsets[cpu]; --- -2.43.0 - diff --git a/queue-6.9/powerpc-dexcr-reset-dexcr-value-across-exec.patch b/queue-6.9/powerpc-dexcr-reset-dexcr-value-across-exec.patch deleted file mode 100644 index b64e4a4c24f..00000000000 --- a/queue-6.9/powerpc-dexcr-reset-dexcr-value-across-exec.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 6cc084737ca2b0ca4e934bd9ef56de6572a0a78d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Apr 2024 21:23:19 +1000 -Subject: powerpc/dexcr: Reset DEXCR value across exec - -From: Benjamin Gray - -[ Upstream commit bbd99922d0f4518518282217159666c679c6a0d1 ] - -Inheriting the DEXCR across exec can have security and usability -concerns. If a program is compiled with hash instructions it generally -expects to run with NPHIE enabled. But if the parent process disables -NPHIE then if it's not careful it will be disabled for any children too -and the protection offered by hash checks is basically worthless. - -This patch introduces a per-process reset value that new execs in a -particular process tree are initialized with. This enables fine grained -control over what DEXCR value child processes run with by default. -For example, containers running legacy binaries that expect hash -instructions to act as NOPs could configure the reset value of the -container root to control the default reset value for all members of -the container. - -Signed-off-by: Benjamin Gray -[mpe: Add missing SPDX tag on dexcr.c] -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240417112325.728010-4-bgray@linux.ibm.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/processor.h | 2 +- - arch/powerpc/kernel/Makefile | 1 + - arch/powerpc/kernel/dexcr.c | 23 +++++++++++++++++++++++ - arch/powerpc/kernel/process.c | 7 +++++++ - 4 files changed, 32 insertions(+), 1 deletion(-) - create mode 100644 arch/powerpc/kernel/dexcr.c - -diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h -index 882e31296ea6b..aad85a24134ac 100644 ---- a/arch/powerpc/include/asm/processor.h -+++ b/arch/powerpc/include/asm/processor.h -@@ -261,7 +261,7 @@ struct thread_struct { - unsigned long sier3; - unsigned long hashkeyr; - unsigned long dexcr; -- -+ unsigned long dexcr_onexec; /* Reset value to load on exec */ - #endif - }; - -diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile -index d3282fbea4f2f..1d183b077948b 100644 ---- a/arch/powerpc/kernel/Makefile -+++ b/arch/powerpc/kernel/Makefile -@@ -87,6 +87,7 @@ obj-$(CONFIG_HAVE_HW_BREAKPOINT) += hw_breakpoint.o - obj-$(CONFIG_PPC_DAWR) += dawr.o - obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_ppc970.o cpu_setup_pa6t.o - obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o -+obj-$(CONFIG_PPC_BOOK3S_64) += dexcr.o - obj-$(CONFIG_PPC_BOOK3S_64) += mce.o mce_power.o - obj-$(CONFIG_PPC_BOOK3E_64) += exceptions-64e.o idle_64e.o - obj-$(CONFIG_PPC_BARRIER_NOSPEC) += security.o -diff --git a/arch/powerpc/kernel/dexcr.c b/arch/powerpc/kernel/dexcr.c -new file mode 100644 -index 0000000000000..d5cd77421088d ---- /dev/null -+++ b/arch/powerpc/kernel/dexcr.c -@@ -0,0 +1,23 @@ -+// SPDX-License-Identifier: GPL-2.0-or-later -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+static int __init init_task_dexcr(void) -+{ -+ if (!early_cpu_has_feature(CPU_FTR_ARCH_31)) -+ return 0; -+ -+ current->thread.dexcr_onexec = mfspr(SPRN_DEXCR); -+ -+ return 0; -+} -+early_initcall(init_task_dexcr) -diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index d482c3fd81d7a..8ab779a3bddeb 100644 ---- a/arch/powerpc/kernel/process.c -+++ b/arch/powerpc/kernel/process.c -@@ -1641,6 +1641,13 @@ void arch_setup_new_exec(void) - current->thread.regs->amr = default_amr; - current->thread.regs->iamr = default_iamr; - #endif -+ -+#ifdef CONFIG_PPC_BOOK3S_64 -+ if (cpu_has_feature(CPU_FTR_ARCH_31)) { -+ current->thread.dexcr = current->thread.dexcr_onexec; -+ mtspr(SPRN_DEXCR, current->thread.dexcr); -+ } -+#endif /* CONFIG_PPC_BOOK3S_64 */ - } - - #ifdef CONFIG_PPC64 --- -2.43.0 - diff --git a/queue-6.9/powerpc-dexcr-track-the-dexcr-per-process.patch b/queue-6.9/powerpc-dexcr-track-the-dexcr-per-process.patch deleted file mode 100644 index 82db2c8396e..00000000000 --- a/queue-6.9/powerpc-dexcr-track-the-dexcr-per-process.patch +++ /dev/null @@ -1,96 +0,0 @@ -From ba33c3208fcf93b99f56b592bad789eea09cf167 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Apr 2024 21:23:18 +1000 -Subject: powerpc/dexcr: Track the DEXCR per-process - -From: Benjamin Gray - -[ Upstream commit 75171f06c4507c3b6b5a69d793879fb20d108bb1 ] - -Add capability to make the DEXCR act as a per-process SPR. - -We do not yet have an interface for changing the values per task. We -also expect the kernel to use a single DEXCR value across all tasks -while in privileged state, so there is no need to synchronize after -changing it (the userspace aspects will synchronize upon returning to -userspace). - -Signed-off-by: Benjamin Gray -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240417112325.728010-3-bgray@linux.ibm.com -Stable-dep-of: bbd99922d0f4 ("powerpc/dexcr: Reset DEXCR value across exec") -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/processor.h | 1 + - arch/powerpc/kernel/process.c | 10 ++++++++++ - arch/powerpc/kernel/ptrace/ptrace-view.c | 7 +------ - 3 files changed, 12 insertions(+), 6 deletions(-) - -diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h -index b2c51d337e60c..882e31296ea6b 100644 ---- a/arch/powerpc/include/asm/processor.h -+++ b/arch/powerpc/include/asm/processor.h -@@ -260,6 +260,7 @@ struct thread_struct { - unsigned long sier2; - unsigned long sier3; - unsigned long hashkeyr; -+ unsigned long dexcr; - - #endif - }; -diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index 9452a54d356c9..d482c3fd81d7a 100644 ---- a/arch/powerpc/kernel/process.c -+++ b/arch/powerpc/kernel/process.c -@@ -1185,6 +1185,9 @@ static inline void save_sprs(struct thread_struct *t) - - if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) - t->hashkeyr = mfspr(SPRN_HASHKEYR); -+ -+ if (cpu_has_feature(CPU_FTR_ARCH_31)) -+ t->dexcr = mfspr(SPRN_DEXCR); - #endif - } - -@@ -1267,6 +1270,10 @@ static inline void restore_sprs(struct thread_struct *old_thread, - if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE) && - old_thread->hashkeyr != new_thread->hashkeyr) - mtspr(SPRN_HASHKEYR, new_thread->hashkeyr); -+ -+ if (cpu_has_feature(CPU_FTR_ARCH_31) && -+ old_thread->dexcr != new_thread->dexcr) -+ mtspr(SPRN_DEXCR, new_thread->dexcr); - #endif - - } -@@ -1878,6 +1885,9 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) - #ifdef CONFIG_PPC_BOOK3S_64 - if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) - p->thread.hashkeyr = current->thread.hashkeyr; -+ -+ if (cpu_has_feature(CPU_FTR_ARCH_31)) -+ p->thread.dexcr = mfspr(SPRN_DEXCR); - #endif - return 0; - } -diff --git a/arch/powerpc/kernel/ptrace/ptrace-view.c b/arch/powerpc/kernel/ptrace/ptrace-view.c -index 584cf5c3df509..c1819e0a66842 100644 ---- a/arch/powerpc/kernel/ptrace/ptrace-view.c -+++ b/arch/powerpc/kernel/ptrace/ptrace-view.c -@@ -469,12 +469,7 @@ static int dexcr_get(struct task_struct *target, const struct user_regset *regse - if (!cpu_has_feature(CPU_FTR_ARCH_31)) - return -ENODEV; - -- /* -- * The DEXCR is currently static across all CPUs, so we don't -- * store the target's value anywhere, but the static value -- * will also be correct. -- */ -- membuf_store(&to, (u64)lower_32_bits(DEXCR_INIT)); -+ membuf_store(&to, (u64)lower_32_bits(target->thread.dexcr)); - - /* - * Technically the HDEXCR is per-cpu, but a hypervisor can't reasonably --- -2.43.0 - diff --git a/queue-6.9/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch b/queue-6.9/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch deleted file mode 100644 index bbd90371ae3..00000000000 --- a/queue-6.9/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch +++ /dev/null @@ -1,61 +0,0 @@ -From bba686e5a0524a1791cd549828587ebd9d429532 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 Mar 2021 19:11:10 +0100 -Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Greg Kurz - -[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ] - -All these commands end up peeking into the PACA using the user -originated cpu id as an index. Check the cpu id is valid in order -to prevent xmon to crash. Instead of printing an error, this follows -the same behavior as the "lp s #" command : ignore the buggy cpu id -parameter and fall back to the #-less version of the command. - -Signed-off-by: Greg Kurz -Reviewed-by: Cédric Le Goater -Signed-off-by: Michael Ellerman -Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan -Signed-off-by: Sasha Levin ---- - arch/powerpc/xmon/xmon.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c -index d79d6633f3336..bd4813bad317e 100644 ---- a/arch/powerpc/xmon/xmon.c -+++ b/arch/powerpc/xmon/xmon.c -@@ -1350,7 +1350,7 @@ static int cpu_cmd(void) - } - termch = cpu; - -- if (!scanhex(&cpu)) { -+ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) { - /* print cpus waiting or in xmon */ - printf("cpus stopped:"); - last_cpu = first_cpu = NR_CPUS; -@@ -2772,7 +2772,7 @@ static void dump_pacas(void) - - termch = c; /* Put c back, it wasn't 'a' */ - -- if (scanhex(&num)) -+ if (scanhex(&num) && num < num_possible_cpus()) - dump_one_paca(num); - else - dump_one_paca(xmon_owner); -@@ -2845,7 +2845,7 @@ static void dump_xives(void) - - termch = c; /* Put c back, it wasn't 'a' */ - -- if (scanhex(&num)) -+ if (scanhex(&num) && num < num_possible_cpus()) - dump_one_xive(num); - else - dump_one_xive(xmon_owner); --- -2.43.0 - diff --git a/queue-6.9/risc-v-kvm-fix-the-initial-sample-period-value.patch b/queue-6.9/risc-v-kvm-fix-the-initial-sample-period-value.patch deleted file mode 100644 index 8fb363ae780..00000000000 --- a/queue-6.9/risc-v-kvm-fix-the-initial-sample-period-value.patch +++ /dev/null @@ -1,39 +0,0 @@ -From fbc0f1a6506c1bb36f680bdb9972edcb6b697ec6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 20 Apr 2024 08:17:26 -0700 -Subject: RISC-V: KVM: Fix the initial sample period value - -From: Atish Patra - -[ Upstream commit 57990ab90ce31aadac0d5a6293f5582e24ff7521 ] - -The initial sample period value when counter value is not assigned -should be set to maximum value supported by the counter width. -Otherwise, it may result in spurious interrupts. - -Reviewed-by: Andrew Jones -Signed-off-by: Atish Patra -Reviewed-by: Anup Patel -Link: https://lore.kernel.org/r/20240420151741.962500-11-atishp@rivosinc.com -Signed-off-by: Anup Patel -Signed-off-by: Sasha Levin ---- - arch/riscv/kvm/vcpu_pmu.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c -index 86391a5061dda..cee1b9ca4ec48 100644 ---- a/arch/riscv/kvm/vcpu_pmu.c -+++ b/arch/riscv/kvm/vcpu_pmu.c -@@ -39,7 +39,7 @@ static u64 kvm_pmu_get_sample_period(struct kvm_pmc *pmc) - u64 sample_period; - - if (!pmc->counter_val) -- sample_period = counter_val_mask + 1; -+ sample_period = counter_val_mask; - else - sample_period = (-pmc->counter_val) & counter_val_mask; - --- -2.43.0 - diff --git a/queue-6.9/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch b/queue-6.9/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch deleted file mode 100644 index ceaa48d9304..00000000000 --- a/queue-6.9/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 9eea2e65c02ffff6a6023dec9246ac310f598d73 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Mar 2024 21:49:48 -0700 -Subject: riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma - -From: Samuel Holland - -[ Upstream commit 20e03d702e00a3e0269a1d6f9549c2e370492054 ] - -commit 3f1e782998cd ("riscv: add ASID-based tlbflushing methods") added -calls to the sfence.vma instruction with rs2 != x0. These single-ASID -instruction variants are also affected by SiFive errata CIP-1200. - -Until now, the errata workaround was not needed for the single-ASID -sfence.vma variants, because they were only used when the ASID allocator -was enabled, and the affected SiFive platforms do not support multiple -ASIDs. However, we are going to start using those sfence.vma variants -regardless of ASID support, so now we need alternatives covering them. - -Signed-off-by: Samuel Holland -Link: https://lore.kernel.org/r/20240327045035.368512-8-samuel.holland@sifive.com -Signed-off-by: Palmer Dabbelt -Signed-off-by: Sasha Levin ---- - arch/riscv/include/asm/errata_list.h | 12 +++++++++++- - arch/riscv/include/asm/tlbflush.h | 19 ++++++++++++++++++- - arch/riscv/mm/tlbflush.c | 23 ----------------------- - 3 files changed, 29 insertions(+), 25 deletions(-) - -diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h -index efd851e1b4832..7c8a71a526a30 100644 ---- a/arch/riscv/include/asm/errata_list.h -+++ b/arch/riscv/include/asm/errata_list.h -@@ -43,11 +43,21 @@ ALTERNATIVE(__stringify(RISCV_PTR do_page_fault), \ - CONFIG_ERRATA_SIFIVE_CIP_453) - #else /* !__ASSEMBLY__ */ - --#define ALT_FLUSH_TLB_PAGE(x) \ -+#define ALT_SFENCE_VMA_ASID(asid) \ -+asm(ALTERNATIVE("sfence.vma x0, %0", "sfence.vma", SIFIVE_VENDOR_ID, \ -+ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ -+ : : "r" (asid) : "memory") -+ -+#define ALT_SFENCE_VMA_ADDR(addr) \ - asm(ALTERNATIVE("sfence.vma %0", "sfence.vma", SIFIVE_VENDOR_ID, \ - ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ - : : "r" (addr) : "memory") - -+#define ALT_SFENCE_VMA_ADDR_ASID(addr, asid) \ -+asm(ALTERNATIVE("sfence.vma %0, %1", "sfence.vma", SIFIVE_VENDOR_ID, \ -+ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ -+ : : "r" (addr), "r" (asid) : "memory") -+ - /* - * _val is marked as "will be overwritten", so need to set it to 0 - * in the default case. -diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h -index 4112cc8d1d69f..79dada53d7eb5 100644 ---- a/arch/riscv/include/asm/tlbflush.h -+++ b/arch/riscv/include/asm/tlbflush.h -@@ -22,10 +22,27 @@ static inline void local_flush_tlb_all(void) - __asm__ __volatile__ ("sfence.vma" : : : "memory"); - } - -+static inline void local_flush_tlb_all_asid(unsigned long asid) -+{ -+ if (asid != FLUSH_TLB_NO_ASID) -+ ALT_SFENCE_VMA_ASID(asid); -+ else -+ local_flush_tlb_all(); -+} -+ - /* Flush one page from local TLB */ - static inline void local_flush_tlb_page(unsigned long addr) - { -- ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory")); -+ ALT_SFENCE_VMA_ADDR(addr); -+} -+ -+static inline void local_flush_tlb_page_asid(unsigned long addr, -+ unsigned long asid) -+{ -+ if (asid != FLUSH_TLB_NO_ASID) -+ ALT_SFENCE_VMA_ADDR_ASID(addr, asid); -+ else -+ local_flush_tlb_page(addr); - } - #else /* CONFIG_MMU */ - #define local_flush_tlb_all() do { } while (0) -diff --git a/arch/riscv/mm/tlbflush.c b/arch/riscv/mm/tlbflush.c -index 07d743f87b3f6..a6f788774856b 100644 ---- a/arch/riscv/mm/tlbflush.c -+++ b/arch/riscv/mm/tlbflush.c -@@ -7,29 +7,6 @@ - #include - #include - --static inline void local_flush_tlb_all_asid(unsigned long asid) --{ -- if (asid != FLUSH_TLB_NO_ASID) -- __asm__ __volatile__ ("sfence.vma x0, %0" -- : -- : "r" (asid) -- : "memory"); -- else -- local_flush_tlb_all(); --} -- --static inline void local_flush_tlb_page_asid(unsigned long addr, -- unsigned long asid) --{ -- if (asid != FLUSH_TLB_NO_ASID) -- __asm__ __volatile__ ("sfence.vma %0, %1" -- : -- : "r" (addr), "r" (asid) -- : "memory"); -- else -- local_flush_tlb_page(addr); --} -- - /* - * Flush entire TLB if number of entries to be flushed is greater - * than the threshold below. --- -2.43.0 - diff --git a/queue-6.9/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch b/queue-6.9/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch deleted file mode 100644 index 3aadfce4887..00000000000 --- a/queue-6.9/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch +++ /dev/null @@ -1,47 +0,0 @@ -From fbefa91f32ea61f24ad0138a3eec2f7bd0d57eb2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 16:30:01 +0200 -Subject: s390: Mark psw in __load_psw_mask() as __unitialized - -From: Sven Schnelle - -[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ] - -Without __unitialized, the following code is generated when -INIT_STACK_ALL_ZERO is enabled: - -86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15) -8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15) -92: c0 10 00 00 00 08 larl %r1, 0xa2 -98: e3 10 f0 a8 00 24 stg %r1, 168(%r15) -9e: b2 b2 f0 a0 lpswe 160(%r15) - -The xc is not adding any security because psw is fully initialized -with the following instructions. Add __unitialized to the psw -definitiation to avoid the superfluous clearing of psw. - -Reviewed-by: Heiko Carstens -Signed-off-by: Sven Schnelle -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - arch/s390/include/asm/processor.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h -index bbbdc5abe2b2c..a589547ee0200 100644 ---- a/arch/s390/include/asm/processor.h -+++ b/arch/s390/include/asm/processor.h -@@ -305,8 +305,8 @@ static inline void __load_psw(psw_t psw) - */ - static __always_inline void __load_psw_mask(unsigned long mask) - { -+ psw_t psw __uninitialized; - unsigned long addr; -- psw_t psw; - - psw.mask = mask; - --- -2.43.0 - diff --git a/queue-6.9/s390-pkey-use-kfree_sensitive-to-fix-coccinelle-warn.patch b/queue-6.9/s390-pkey-use-kfree_sensitive-to-fix-coccinelle-warn.patch deleted file mode 100644 index 0901c8c905c..00000000000 --- a/queue-6.9/s390-pkey-use-kfree_sensitive-to-fix-coccinelle-warn.patch +++ /dev/null @@ -1,63 +0,0 @@ -From ee1cb15fe67b1b5a4b0b3c1da927528b814cbeaa Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 22:13:52 +0100 -Subject: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings - -From: Jules Irenge - -[ Upstream commit 22e6824622e8a8889df0f8fc4ed5aea0e702a694 ] - -Replace memzero_explicit() and kfree() with kfree_sensitive() to fix -warnings reported by Coccinelle: - -WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506) -WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643) -WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770) - -Signed-off-by: Jules Irenge -Reviewed-by: Holger Dengler -Link: https://lore.kernel.org/r/ZjqZkNi_JUJu73Rg@octinomon.home -Signed-off-by: Heiko Carstens -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - drivers/s390/crypto/pkey_api.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c -index dccf664a3d957..933894065623e 100644 ---- a/drivers/s390/crypto/pkey_api.c -+++ b/drivers/s390/crypto/pkey_api.c -@@ -1503,8 +1503,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = pkey_keyblob2pkey(kkey, ktp.keylen, ktp.protkey.protkey, - &ktp.protkey.len, &ktp.protkey.type); - pr_debug("%s pkey_keyblob2pkey()=%d\n", __func__, rc); -- memzero_explicit(kkey, ktp.keylen); -- kfree(kkey); -+ kfree_sensitive(kkey); - if (rc) - break; - if (copy_to_user(utp, &ktp, sizeof(ktp))) -@@ -1640,8 +1639,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - &ktp.protkey.type); - pr_debug("%s pkey_keyblob2pkey2()=%d\n", __func__, rc); - kfree(apqns); -- memzero_explicit(kkey, ktp.keylen); -- kfree(kkey); -+ kfree_sensitive(kkey); - if (rc) - break; - if (copy_to_user(utp, &ktp, sizeof(ktp))) -@@ -1767,8 +1765,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - protkey, &protkeylen, &ktp.pkeytype); - pr_debug("%s pkey_keyblob2pkey3()=%d\n", __func__, rc); - kfree(apqns); -- memzero_explicit(kkey, ktp.keylen); -- kfree(kkey); -+ kfree_sensitive(kkey); - if (rc) { - kfree(protkey); - break; --- -2.43.0 - diff --git a/queue-6.9/s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch b/queue-6.9/s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch deleted file mode 100644 index 6e1084b5c63..00000000000 --- a/queue-6.9/s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 484e17ac652b4cf304a746145fbad0f7f388dee5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 17:03:19 +0200 -Subject: s390/pkey: Wipe copies of clear-key structures on failure - -From: Holger Dengler - -[ Upstream commit d65d76a44ffe74c73298ada25b0f578680576073 ] - -Wipe all sensitive data from stack for all IOCTLs, which convert a -clear-key into a protected- or secure-key. - -Reviewed-by: Harald Freudenberger -Reviewed-by: Ingo Franzki -Acked-by: Heiko Carstens -Signed-off-by: Holger Dengler -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - drivers/s390/crypto/pkey_api.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c -index 179287157c2fe..1aa78a74fbade 100644 ---- a/drivers/s390/crypto/pkey_api.c -+++ b/drivers/s390/crypto/pkey_api.c -@@ -1374,9 +1374,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype, - kcs.clrkey.clrkey, kcs.seckey.seckey); - pr_debug("%s cca_clr2seckey()=%d\n", __func__, rc); -- if (rc) -- break; -- if (copy_to_user(ucs, &kcs, sizeof(kcs))) -+ if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs))) - rc = -EFAULT; - memzero_explicit(&kcs, sizeof(kcs)); - break; -@@ -1409,9 +1407,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - kcp.protkey.protkey, - &kcp.protkey.len, &kcp.protkey.type); - pr_debug("%s pkey_clr2protkey()=%d\n", __func__, rc); -- if (rc) -- break; -- if (copy_to_user(ucp, &kcp, sizeof(kcp))) -+ if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp))) - rc = -EFAULT; - memzero_explicit(&kcp, sizeof(kcp)); - break; -@@ -1562,11 +1558,14 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (copy_from_user(&kcs, ucs, sizeof(kcs))) - return -EFAULT; - apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries); -- if (IS_ERR(apqns)) -+ if (IS_ERR(apqns)) { -+ memzero_explicit(&kcs, sizeof(kcs)); - return PTR_ERR(apqns); -+ } - kkey = kzalloc(klen, GFP_KERNEL); - if (!kkey) { - kfree(apqns); -+ memzero_explicit(&kcs, sizeof(kcs)); - return -ENOMEM; - } - rc = pkey_clr2seckey2(apqns, kcs.apqn_entries, -@@ -1576,15 +1575,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - kfree(apqns); - if (rc) { - kfree(kkey); -+ memzero_explicit(&kcs, sizeof(kcs)); - break; - } - if (kcs.key) { - if (kcs.keylen < klen) { - kfree(kkey); -+ memzero_explicit(&kcs, sizeof(kcs)); - return -EINVAL; - } - if (copy_to_user(kcs.key, kkey, klen)) { - kfree(kkey); -+ memzero_explicit(&kcs, sizeof(kcs)); - return -EFAULT; - } - } --- -2.43.0 - diff --git a/queue-6.9/s390-pkey-wipe-copies-of-protected-and-secure-keys.patch b/queue-6.9/s390-pkey-wipe-copies-of-protected-and-secure-keys.patch deleted file mode 100644 index 268e2f529d7..00000000000 --- a/queue-6.9/s390-pkey-wipe-copies-of-protected-and-secure-keys.patch +++ /dev/null @@ -1,248 +0,0 @@ -From 61b8ed485bf0012e2dc8f7af15e19ea76c79281d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 17:03:20 +0200 -Subject: s390/pkey: Wipe copies of protected- and secure-keys - -From: Holger Dengler - -[ Upstream commit f2ebdadd85af4f4d0cae1e5d009c70eccc78c207 ] - -Although the clear-key of neither protected- nor secure-keys is -accessible, this key material should only be visible to the calling -process. So wipe all copies of protected- or secure-keys from stack, -even in case of an error. - -Reviewed-by: Harald Freudenberger -Reviewed-by: Ingo Franzki -Acked-by: Heiko Carstens -Signed-off-by: Holger Dengler -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - drivers/s390/crypto/pkey_api.c | 80 ++++++++++++++++------------------ - 1 file changed, 37 insertions(+), 43 deletions(-) - -diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c -index 1aa78a74fbade..ffc0b5db55c29 100644 ---- a/drivers/s390/crypto/pkey_api.c -+++ b/drivers/s390/crypto/pkey_api.c -@@ -1359,10 +1359,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = cca_genseckey(kgs.cardnr, kgs.domain, - kgs.keytype, kgs.seckey.seckey); - pr_debug("%s cca_genseckey()=%d\n", __func__, rc); -- if (rc) -- break; -- if (copy_to_user(ugs, &kgs, sizeof(kgs))) -- return -EFAULT; -+ if (!rc && copy_to_user(ugs, &kgs, sizeof(kgs))) -+ rc = -EFAULT; -+ memzero_explicit(&kgs, sizeof(kgs)); - break; - } - case PKEY_CLR2SECK: { -@@ -1390,10 +1389,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - ksp.seckey.seckey, ksp.protkey.protkey, - &ksp.protkey.len, &ksp.protkey.type); - pr_debug("%s cca_sec2protkey()=%d\n", __func__, rc); -- if (rc) -- break; -- if (copy_to_user(usp, &ksp, sizeof(ksp))) -- return -EFAULT; -+ if (!rc && copy_to_user(usp, &ksp, sizeof(ksp))) -+ rc = -EFAULT; -+ memzero_explicit(&ksp, sizeof(ksp)); - break; - } - case PKEY_CLR2PROTK: { -@@ -1437,10 +1435,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = pkey_skey2pkey(ksp.seckey.seckey, ksp.protkey.protkey, - &ksp.protkey.len, &ksp.protkey.type); - pr_debug("%s pkey_skey2pkey()=%d\n", __func__, rc); -- if (rc) -- break; -- if (copy_to_user(usp, &ksp, sizeof(ksp))) -- return -EFAULT; -+ if (!rc && copy_to_user(usp, &ksp, sizeof(ksp))) -+ rc = -EFAULT; -+ memzero_explicit(&ksp, sizeof(ksp)); - break; - } - case PKEY_VERIFYKEY: { -@@ -1452,10 +1449,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain, - &kvk.keysize, &kvk.attributes); - pr_debug("%s pkey_verifykey()=%d\n", __func__, rc); -- if (rc) -- break; -- if (copy_to_user(uvk, &kvk, sizeof(kvk))) -- return -EFAULT; -+ if (!rc && copy_to_user(uvk, &kvk, sizeof(kvk))) -+ rc = -EFAULT; -+ memzero_explicit(&kvk, sizeof(kvk)); - break; - } - case PKEY_GENPROTK: { -@@ -1468,10 +1464,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = pkey_genprotkey(kgp.keytype, kgp.protkey.protkey, - &kgp.protkey.len, &kgp.protkey.type); - pr_debug("%s pkey_genprotkey()=%d\n", __func__, rc); -- if (rc) -- break; -- if (copy_to_user(ugp, &kgp, sizeof(kgp))) -- return -EFAULT; -+ if (!rc && copy_to_user(ugp, &kgp, sizeof(kgp))) -+ rc = -EFAULT; -+ memzero_explicit(&kgp, sizeof(kgp)); - break; - } - case PKEY_VERIFYPROTK: { -@@ -1483,6 +1478,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = pkey_verifyprotkey(kvp.protkey.protkey, - kvp.protkey.len, kvp.protkey.type); - pr_debug("%s pkey_verifyprotkey()=%d\n", __func__, rc); -+ memzero_explicit(&kvp, sizeof(kvp)); - break; - } - case PKEY_KBLOB2PROTK: { -@@ -1500,10 +1496,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - &ktp.protkey.len, &ktp.protkey.type); - pr_debug("%s pkey_keyblob2pkey()=%d\n", __func__, rc); - kfree_sensitive(kkey); -- if (rc) -- break; -- if (copy_to_user(utp, &ktp, sizeof(ktp))) -- return -EFAULT; -+ if (!rc && copy_to_user(utp, &ktp, sizeof(ktp))) -+ rc = -EFAULT; -+ memzero_explicit(&ktp, sizeof(ktp)); - break; - } - case PKEY_GENSECK2: { -@@ -1529,23 +1524,23 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - pr_debug("%s pkey_genseckey2()=%d\n", __func__, rc); - kfree(apqns); - if (rc) { -- kfree(kkey); -+ kfree_sensitive(kkey); - break; - } - if (kgs.key) { - if (kgs.keylen < klen) { -- kfree(kkey); -+ kfree_sensitive(kkey); - return -EINVAL; - } - if (copy_to_user(kgs.key, kkey, klen)) { -- kfree(kkey); -+ kfree_sensitive(kkey); - return -EFAULT; - } - } - kgs.keylen = klen; - if (copy_to_user(ugs, &kgs, sizeof(kgs))) - rc = -EFAULT; -- kfree(kkey); -+ kfree_sensitive(kkey); - break; - } - case PKEY_CLR2SECK2: { -@@ -1574,18 +1569,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - pr_debug("%s pkey_clr2seckey2()=%d\n", __func__, rc); - kfree(apqns); - if (rc) { -- kfree(kkey); -+ kfree_sensitive(kkey); - memzero_explicit(&kcs, sizeof(kcs)); - break; - } - if (kcs.key) { - if (kcs.keylen < klen) { -- kfree(kkey); -+ kfree_sensitive(kkey); - memzero_explicit(&kcs, sizeof(kcs)); - return -EINVAL; - } - if (copy_to_user(kcs.key, kkey, klen)) { -- kfree(kkey); -+ kfree_sensitive(kkey); - memzero_explicit(&kcs, sizeof(kcs)); - return -EFAULT; - } -@@ -1594,7 +1589,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (copy_to_user(ucs, &kcs, sizeof(kcs))) - rc = -EFAULT; - memzero_explicit(&kcs, sizeof(kcs)); -- kfree(kkey); -+ kfree_sensitive(kkey); - break; - } - case PKEY_VERIFYKEY2: { -@@ -1611,7 +1606,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - &kvk.cardnr, &kvk.domain, - &kvk.type, &kvk.size, &kvk.flags); - pr_debug("%s pkey_verifykey2()=%d\n", __func__, rc); -- kfree(kkey); -+ kfree_sensitive(kkey); - if (rc) - break; - if (copy_to_user(uvk, &kvk, sizeof(kvk))) -@@ -1642,10 +1637,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - pr_debug("%s pkey_keyblob2pkey2()=%d\n", __func__, rc); - kfree(apqns); - kfree_sensitive(kkey); -- if (rc) -- break; -- if (copy_to_user(utp, &ktp, sizeof(ktp))) -- return -EFAULT; -+ if (!rc && copy_to_user(utp, &ktp, sizeof(ktp))) -+ rc = -EFAULT; -+ memzero_explicit(&ktp, sizeof(ktp)); - break; - } - case PKEY_APQNS4K: { -@@ -1673,7 +1667,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - rc = pkey_apqns4key(kkey, kak.keylen, kak.flags, - apqns, &nr_apqns); - pr_debug("%s pkey_apqns4key()=%d\n", __func__, rc); -- kfree(kkey); -+ kfree_sensitive(kkey); - if (rc && rc != -ENOSPC) { - kfree(apqns); - break; -@@ -1759,7 +1753,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - protkey = kmalloc(protkeylen, GFP_KERNEL); - if (!protkey) { - kfree(apqns); -- kfree(kkey); -+ kfree_sensitive(kkey); - return -ENOMEM; - } - rc = pkey_keyblob2pkey3(apqns, ktp.apqn_entries, -@@ -1769,20 +1763,20 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - kfree(apqns); - kfree_sensitive(kkey); - if (rc) { -- kfree(protkey); -+ kfree_sensitive(protkey); - break; - } - if (ktp.pkey && ktp.pkeylen) { - if (protkeylen > ktp.pkeylen) { -- kfree(protkey); -+ kfree_sensitive(protkey); - return -EINVAL; - } - if (copy_to_user(ktp.pkey, protkey, protkeylen)) { -- kfree(protkey); -+ kfree_sensitive(protkey); - return -EFAULT; - } - } -- kfree(protkey); -+ kfree_sensitive(protkey); - ktp.pkeylen = protkeylen; - if (copy_to_user(utp, &ktp, sizeof(ktp))) - return -EFAULT; --- -2.43.0 - diff --git a/queue-6.9/s390-pkey-wipe-sensitive-data-on-failure.patch b/queue-6.9/s390-pkey-wipe-sensitive-data-on-failure.patch deleted file mode 100644 index 0d8f32c84eb..00000000000 --- a/queue-6.9/s390-pkey-wipe-sensitive-data-on-failure.patch +++ /dev/null @@ -1,47 +0,0 @@ -From f04b46aba2e14ac69da14cd22ccb780a423c3675 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 17:03:18 +0200 -Subject: s390/pkey: Wipe sensitive data on failure - -From: Holger Dengler - -[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ] - -Wipe sensitive data from stack also if the copy_to_user() fails. - -Suggested-by: Heiko Carstens -Reviewed-by: Harald Freudenberger -Reviewed-by: Ingo Franzki -Acked-by: Heiko Carstens -Signed-off-by: Holger Dengler -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - drivers/s390/crypto/pkey_api.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c -index 933894065623e..179287157c2fe 100644 ---- a/drivers/s390/crypto/pkey_api.c -+++ b/drivers/s390/crypto/pkey_api.c -@@ -1377,7 +1377,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (rc) - break; - if (copy_to_user(ucs, &kcs, sizeof(kcs))) -- return -EFAULT; -+ rc = -EFAULT; - memzero_explicit(&kcs, sizeof(kcs)); - break; - } -@@ -1412,7 +1412,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (rc) - break; - if (copy_to_user(ucp, &kcp, sizeof(kcp))) -- return -EFAULT; -+ rc = -EFAULT; - memzero_explicit(&kcp, sizeof(kcp)); - break; - } --- -2.43.0 - diff --git a/queue-6.9/scsi-mpi3mr-sanitise-num_phys.patch b/queue-6.9/scsi-mpi3mr-sanitise-num_phys.patch deleted file mode 100644 index 61498c6f13b..00000000000 --- a/queue-6.9/scsi-mpi3mr-sanitise-num_phys.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 1c0ea30e307ae991630cf9a6713c62f80aa8fffb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Feb 2024 16:10:13 +0100 -Subject: scsi: mpi3mr: Sanitise num_phys - -From: Tomas Henzl - -[ Upstream commit 3668651def2c1622904e58b0280ee93121f2b10b ] - -Information is stored in mr_sas_port->phy_mask, values larger then size of -this field shouldn't be allowed. - -Signed-off-by: Tomas Henzl -Link: https://lore.kernel.org/r/20240226151013.8653-1-thenzl@redhat.com -Acked-by: Sathya Prakash Veerichetty -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c -index d32ad46318cb0..7ca9a7c2709cf 100644 ---- a/drivers/scsi/mpi3mr/mpi3mr_transport.c -+++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c -@@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, - mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, - mr_sas_port->remote_identify.sas_address, hba_port); - -+ if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8) -+ ioc_info(mrioc, "max port count %u could be too high\n", -+ mr_sas_node->num_phys); -+ - for (i = 0; i < mr_sas_node->num_phys; i++) { - if ((mr_sas_node->phy[i].remote_identify.sas_address != - mr_sas_port->remote_identify.sas_address) || - (mr_sas_node->phy[i].hba_port != hba_port)) - continue; -+ -+ if (i > sizeof(mr_sas_port->phy_mask) * 8) { -+ ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n", -+ i, sizeof(mr_sas_port->phy_mask) * 8); -+ goto out_fail; -+ } - list_add_tail(&mr_sas_node->phy[i].port_siblings, - &mr_sas_port->phy_list); - mr_sas_port->num_phys++; --- -2.43.0 - diff --git a/queue-6.9/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch b/queue-6.9/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch deleted file mode 100644 index 8139d6d2811..00000000000 --- a/queue-6.9/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 9bb505f2aee07da0274c8e3a8ccd24bbf90d68ce Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Apr 2024 11:01:55 -0400 -Subject: scsi: qedf: Make qedf_execute_tmf() non-preemptible - -From: John Meneghini - -[ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ] - -Stop calling smp_processor_id() from preemptible code in -qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel. - -[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646 -[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf] - -Tested-by: Guangwu Zhang -Cc: Saurav Kashyap -Cc: Nilesh Javali -Signed-off-by: John Meneghini -Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com -Acked-by: Saurav Kashyap -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qedf/qedf_io.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c -index bf921caaf6aea..054a51713d556 100644 ---- a/drivers/scsi/qedf/qedf_io.c -+++ b/drivers/scsi/qedf/qedf_io.c -@@ -2324,9 +2324,6 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, u64 tm_lun, - io_req->fcport = fcport; - io_req->cmd_type = QEDF_TASK_MGMT_CMD; - -- /* Record which cpu this request is associated with */ -- io_req->cpu = smp_processor_id(); -- - /* Set TM flags */ - io_req->io_req_flags = QEDF_READ; - io_req->data_xfer_len = 0; -@@ -2349,6 +2346,9 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, u64 tm_lun, - - spin_lock_irqsave(&fcport->rport_lock, flags); - -+ /* Record which cpu this request is associated with */ -+ io_req->cpu = smp_processor_id(); -+ - sqe_idx = qedf_get_sqe_idx(fcport); - sqe = &fcport->sq[sqe_idx]; - memset(sqe, 0, sizeof(struct fcoe_wqe)); --- -2.43.0 - diff --git a/queue-6.9/sctp-prefer-struct_size-over-open-coded-arithmetic.patch b/queue-6.9/sctp-prefer-struct_size-over-open-coded-arithmetic.patch deleted file mode 100644 index c40a5714f3e..00000000000 --- a/queue-6.9/sctp-prefer-struct_size-over-open-coded-arithmetic.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 32dbd9c0747eb81feea74cce8f2672033b039c62 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 Apr 2024 19:23:36 +0200 -Subject: sctp: prefer struct_size over open coded arithmetic - -From: Erick Archer - -[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ] - -This is an effort to get rid of all multiplications from allocation -functions in order to prevent integer overflows [1][2]. - -As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this -structure ends in a flexible array: - -struct sctp_assoc_ids { - [...] - sctp_assoc_t gaids_assoc_id[]; -}; - -the preferred way in the kernel is to use the struct_size() helper to -do the arithmetic instead of the calculation "size + size * count" in -the kmalloc() function. - -Also, refactor the code adding the "ids_size" variable to avoid sizing -twice. - -This way, the code is more readable and safer. - -This code was detected with the help of Coccinelle, and audited and -modified manually. - -Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] -Link: https://github.com/KSPP/linux/issues/160 [2] -Signed-off-by: Erick Archer -Acked-by: Xin Long -Reviewed-by: Kees Cook -Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/sctp/socket.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index c67679a41044f..13b3998c6177f 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7119,6 +7119,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, - struct sctp_sock *sp = sctp_sk(sk); - struct sctp_association *asoc; - struct sctp_assoc_ids *ids; -+ size_t ids_size; - u32 num = 0; - - if (sctp_style(sk, TCP)) -@@ -7131,11 +7132,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, - num++; - } - -- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num) -+ ids_size = struct_size(ids, gaids_assoc_id, num); -+ if (len < ids_size) - return -EINVAL; - -- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num; -- -+ len = ids_size; - ids = kmalloc(len, GFP_USER | __GFP_NOWARN); - if (unlikely(!ids)) - return -ENOMEM; --- -2.43.0 - diff --git a/queue-6.9/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch b/queue-6.9/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch deleted file mode 100644 index c58366e9caa..00000000000 --- a/queue-6.9/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 79cc3985d2b89c82da5004bc6cdbaf61a2901594 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:18 -0700 -Subject: selftests/bpf: adjust dummy_st_ops_success to detect additional error - -From: Eduard Zingerman - -[ Upstream commit 3b3b84aacb4420226576c9732e7b539ca7b79633 ] - -As reported by Jose E. Marchesi in off-list discussion, GCC and LLVM -generate slightly different code for dummy_st_ops_success/test_1(): - - SEC("struct_ops/test_1") - int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) - { - int ret; - - if (!state) - return 0xf2f3f4f5; - - ret = state->val; - state->val = 0x5a; - return ret; - } - - GCC-generated LLVM-generated - ---------------------------- --------------------------- - 0: r1 = *(u64 *)(r1 + 0x0) 0: w0 = -0xd0c0b0b - 1: if r1 == 0x0 goto 5f 1: r1 = *(u64 *)(r1 + 0x0) - 2: r0 = *(s32 *)(r1 + 0x0) 2: if r1 == 0x0 goto 6f - 3: *(u32 *)(r1 + 0x0) = 0x5a 3: r0 = *(u32 *)(r1 + 0x0) - 4: exit 4: w2 = 0x5a - 5: r0 = -0xd0c0b0b 5: *(u32 *)(r1 + 0x0) = r2 - 6: exit 6: exit - -If the 'state' argument is not marked as nullable in -net/bpf/bpf_dummy_struct_ops.c, the verifier would assume that -'r1 == 0x0' is never true: -- for the GCC version, this means that instructions #5-6 would be - marked as dead and removed; -- for the LLVM version, all instructions would be marked as live. - -The test dummy_st_ops/dummy_init_ret_value actually sets the 'state' -parameter to NULL. - -Therefore, when the 'state' argument is not marked as nullable, -the GCC-generated version of the code would trigger a NULL pointer -dereference at instruction #3. - -This patch updates the test_1() test case to always follow a shape -similar to the GCC-generated version above, in order to verify whether -the 'state' nullability is marked correctly. - -Reported-by: Jose E. Marchesi -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-3-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - .../selftests/bpf/progs/dummy_st_ops_success.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -index 1efa746c25dc7..cc7b69b001aae 100644 ---- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -+++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -@@ -11,8 +11,17 @@ int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) - { - int ret; - -- if (!state) -- return 0xf2f3f4f5; -+ /* Check that 'state' nullable status is detected correctly. -+ * If 'state' argument would be assumed non-null by verifier -+ * the code below would be deleted as dead (which it shouldn't). -+ * Hide it from the compiler behind 'asm' block to avoid -+ * unnecessary optimizations. -+ */ -+ asm volatile ( -+ "if %[state] != 0 goto +2;" -+ "r0 = 0xf2f3f4f5;" -+ "exit;" -+ ::[state]"p"(state)); - - ret = state->val; - state->val = 0x5a; --- -2.43.0 - diff --git a/queue-6.9/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch b/queue-6.9/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch deleted file mode 100644 index 36dc3de1855..00000000000 --- a/queue-6.9/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 505deb3b087eb1fc0408abf02afbbbcfc8e4deec Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:19 -0700 -Subject: selftests/bpf: do not pass NULL for non-nullable params in - dummy_st_ops - -From: Eduard Zingerman - -[ Upstream commit f612210d456a0b969a0adca91e68dbea0e0ea301 ] - -dummy_st_ops.test_2 and dummy_st_ops.test_sleepable do not have their -'state' parameter marked as nullable. Update dummy_st_ops.c to avoid -passing NULL for such parameters, as the next patch would allow kernel -to enforce this restriction. - -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-4-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c | 7 +++++-- - tools/testing/selftests/bpf/progs/dummy_st_ops_success.c | 2 +- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -index f43fcb13d2c46..dd926c00f4146 100644 ---- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -+++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -@@ -98,7 +98,8 @@ static void test_dummy_init_ptr_arg(void) - - static void test_dummy_multiple_args(void) - { -- __u64 args[5] = {0, -100, 0x8a5f, 'c', 0x1234567887654321ULL}; -+ struct bpf_dummy_ops_state st = { 7 }; -+ __u64 args[5] = {(__u64)&st, -100, 0x8a5f, 'c', 0x1234567887654321ULL}; - LIBBPF_OPTS(bpf_test_run_opts, attr, - .ctx_in = args, - .ctx_size_in = sizeof(args), -@@ -115,6 +116,7 @@ static void test_dummy_multiple_args(void) - fd = bpf_program__fd(skel->progs.test_2); - err = bpf_prog_test_run_opts(fd, &attr); - ASSERT_OK(err, "test_run"); -+ args[0] = 7; - for (i = 0; i < ARRAY_SIZE(args); i++) { - snprintf(name, sizeof(name), "arg %zu", i); - ASSERT_EQ(skel->bss->test_2_args[i], args[i], name); -@@ -125,7 +127,8 @@ static void test_dummy_multiple_args(void) - - static void test_dummy_sleepable(void) - { -- __u64 args[1] = {0}; -+ struct bpf_dummy_ops_state st; -+ __u64 args[1] = {(__u64)&st}; - LIBBPF_OPTS(bpf_test_run_opts, attr, - .ctx_in = args, - .ctx_size_in = sizeof(args), -diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -index cc7b69b001aae..ec0c595d47af8 100644 ---- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -+++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -@@ -34,7 +34,7 @@ SEC("struct_ops/test_2") - int BPF_PROG(test_2, struct bpf_dummy_ops_state *state, int a1, unsigned short a2, - char a3, unsigned long a4) - { -- test_2_args[0] = (unsigned long)state; -+ test_2_args[0] = state->val; - test_2_args[1] = a1; - test_2_args[2] = a2; - test_2_args[3] = a3; --- -2.43.0 - diff --git a/queue-6.9/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch b/queue-6.9/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch deleted file mode 100644 index ab5322c8293..00000000000 --- a/queue-6.9/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch +++ /dev/null @@ -1,68 +0,0 @@ -From af5ee2c5cb5e8e1f6352e3b6a3021ed74b2a8791 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:21 -0700 -Subject: selftests/bpf: dummy_st_ops should reject 0 for non-nullable params - -From: Eduard Zingerman - -[ Upstream commit 6a2d30d3c5bf9f088dcfd5f3746b04d84f2fab83 ] - -Check if BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs -rejects execution if NULL is passed for non-nullable parameter. - -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-6-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - .../selftests/bpf/prog_tests/dummy_st_ops.c | 27 +++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -index dd926c00f4146..d3d94596ab79c 100644 ---- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -+++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -@@ -147,6 +147,31 @@ static void test_dummy_sleepable(void) - dummy_st_ops_success__destroy(skel); - } - -+/* dummy_st_ops.test_sleepable() parameter is not marked as nullable, -+ * thus bpf_prog_test_run_opts() below should be rejected as it tries -+ * to pass NULL for this parameter. -+ */ -+static void test_dummy_sleepable_reject_null(void) -+{ -+ __u64 args[1] = {0}; -+ LIBBPF_OPTS(bpf_test_run_opts, attr, -+ .ctx_in = args, -+ .ctx_size_in = sizeof(args), -+ ); -+ struct dummy_st_ops_success *skel; -+ int fd, err; -+ -+ skel = dummy_st_ops_success__open_and_load(); -+ if (!ASSERT_OK_PTR(skel, "dummy_st_ops_load")) -+ return; -+ -+ fd = bpf_program__fd(skel->progs.test_sleepable); -+ err = bpf_prog_test_run_opts(fd, &attr); -+ ASSERT_EQ(err, -EINVAL, "test_run"); -+ -+ dummy_st_ops_success__destroy(skel); -+} -+ - void test_dummy_st_ops(void) - { - if (test__start_subtest("dummy_st_ops_attach")) -@@ -159,6 +184,8 @@ void test_dummy_st_ops(void) - test_dummy_multiple_args(); - if (test__start_subtest("dummy_sleepable")) - test_dummy_sleepable(); -+ if (test__start_subtest("dummy_sleepable_reject_null")) -+ test_dummy_sleepable_reject_null(); - - RUN_TESTS(dummy_st_ops_fail); - } --- -2.43.0 - diff --git a/queue-6.9/selftests-net-fix-uninitialized-variables.patch b/queue-6.9/selftests-net-fix-uninitialized-variables.patch deleted file mode 100644 index e6e82e313ea..00000000000 --- a/queue-6.9/selftests-net-fix-uninitialized-variables.patch +++ /dev/null @@ -1,84 +0,0 @@ -From cf8b2ee6911a5fb06239774c761c1cde61cd2b14 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 May 2024 12:02:04 -0700 -Subject: selftests/net: fix uninitialized variables - -From: John Hubbard - -[ Upstream commit eb709b5f6536636dfb87b85ded0b2af9bb6cd9e6 ] - -When building with clang, via: - - make LLVM=1 -C tools/testing/selftest - -...clang warns about three variables that are not initialized in all -cases: - -1) The opt_ipproto_off variable is used uninitialized if "testname" is -not "ip". Willem de Bruijn pointed out that this is an actual bug, and -suggested the fix that I'm using here (thanks!). - -2) The addr_len is used uninitialized, but only in the assert case, - which bails out, so this is harmless. - -3) The family variable in add_listener() is only used uninitialized in - the error case (neither IPv4 nor IPv6 is specified), so it's also - harmless. - -Fix by initializing each variable. - -Signed-off-by: John Hubbard -Reviewed-by: Willem de Bruijn -Acked-by: Mat Martineau -Link: https://lore.kernel.org/r/20240506190204.28497-1-jhubbard@nvidia.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/net/gro.c | 3 +++ - tools/testing/selftests/net/ip_local_port_range.c | 2 +- - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 2 +- - 3 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c -index 353e1e867fbb2..6038b96ecee88 100644 ---- a/tools/testing/selftests/net/gro.c -+++ b/tools/testing/selftests/net/gro.c -@@ -119,6 +119,9 @@ static void setup_sock_filter(int fd) - next_off = offsetof(struct ipv6hdr, nexthdr); - ipproto_off = ETH_HLEN + next_off; - -+ /* Overridden later if exthdrs are used: */ -+ opt_ipproto_off = ipproto_off; -+ - if (strcmp(testname, "ip") == 0) { - if (proto == PF_INET) - optlen = sizeof(struct ip_timestamp); -diff --git a/tools/testing/selftests/net/ip_local_port_range.c b/tools/testing/selftests/net/ip_local_port_range.c -index 193b82745fd87..29451d2244b75 100644 ---- a/tools/testing/selftests/net/ip_local_port_range.c -+++ b/tools/testing/selftests/net/ip_local_port_range.c -@@ -359,7 +359,7 @@ TEST_F(ip_local_port_range, late_bind) - struct sockaddr_in v4; - struct sockaddr_in6 v6; - } addr; -- socklen_t addr_len; -+ socklen_t addr_len = 0; - const int one = 1; - int fd, err; - __u32 range; -diff --git a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c -index 7426a2cbd4a03..7ad5a59adff2b 100644 ---- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c -+++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c -@@ -1276,7 +1276,7 @@ int add_listener(int argc, char *argv[]) - struct sockaddr_storage addr; - struct sockaddr_in6 *a6; - struct sockaddr_in *a4; -- u_int16_t family; -+ u_int16_t family = AF_UNSPEC; - int enable = 1; - int sock; - int err; --- -2.43.0 - diff --git a/queue-6.9/selftests-resctrl-fix-non-contiguous-cbm-for-amd.patch b/queue-6.9/selftests-resctrl-fix-non-contiguous-cbm-for-amd.patch deleted file mode 100644 index 0bba0a00195..00000000000 --- a/queue-6.9/selftests-resctrl-fix-non-contiguous-cbm-for-amd.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 52d1d4fa34e30d4ec27a5ae145858f1dab380300 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 11 Jun 2024 17:18:30 -0500 -Subject: selftests/resctrl: Fix non-contiguous CBM for AMD -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Babu Moger - -[ Upstream commit 48236960c06d32370bfa6f2cc408e786873262c8 ] - -The non-contiguous CBM test fails on AMD with: -Starting L3_NONCONT_CAT test ... -Mounting resctrl to "/sys/fs/resctrl" -CPUID output doesn't match 'sparse_masks' file content! -not ok 5 L3_NONCONT_CAT: test - -AMD always supports non-contiguous CBM but does not report it via CPUID. - -Fix the non-contiguous CBM test to use CPUID to discover non-contiguous -CBM support only on Intel. - -Fixes: ae638551ab64 ("selftests/resctrl: Add non-contiguous CBMs CAT test") -Signed-off-by: Babu Moger -Reviewed-by: Reinette Chatre -Reviewed-by: Ilpo Järvinen -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/resctrl/cat_test.c | 32 +++++++++++++++------- - 1 file changed, 22 insertions(+), 10 deletions(-) - -diff --git a/tools/testing/selftests/resctrl/cat_test.c b/tools/testing/selftests/resctrl/cat_test.c -index 4cb991be8e31b..178a41d4bb1be 100644 ---- a/tools/testing/selftests/resctrl/cat_test.c -+++ b/tools/testing/selftests/resctrl/cat_test.c -@@ -294,11 +294,30 @@ static int cat_run_test(const struct resctrl_test *test, const struct user_param - return ret; - } - -+static bool arch_supports_noncont_cat(const struct resctrl_test *test) -+{ -+ unsigned int eax, ebx, ecx, edx; -+ -+ /* AMD always supports non-contiguous CBM. */ -+ if (get_vendor() == ARCH_AMD) -+ return true; -+ -+ /* Intel support for non-contiguous CBM needs to be discovered. */ -+ if (!strcmp(test->resource, "L3")) -+ __cpuid_count(0x10, 1, eax, ebx, ecx, edx); -+ else if (!strcmp(test->resource, "L2")) -+ __cpuid_count(0x10, 2, eax, ebx, ecx, edx); -+ else -+ return false; -+ -+ return ((ecx >> 3) & 1); -+} -+ - static int noncont_cat_run_test(const struct resctrl_test *test, - const struct user_params *uparams) - { - unsigned long full_cache_mask, cont_mask, noncont_mask; -- unsigned int eax, ebx, ecx, edx, sparse_masks; -+ unsigned int sparse_masks; - int bit_center, ret; - char schemata[64]; - -@@ -307,15 +326,8 @@ static int noncont_cat_run_test(const struct resctrl_test *test, - if (ret) - return ret; - -- if (!strcmp(test->resource, "L3")) -- __cpuid_count(0x10, 1, eax, ebx, ecx, edx); -- else if (!strcmp(test->resource, "L2")) -- __cpuid_count(0x10, 2, eax, ebx, ecx, edx); -- else -- return -EINVAL; -- -- if (sparse_masks != ((ecx >> 3) & 1)) { -- ksft_print_msg("CPUID output doesn't match 'sparse_masks' file content!\n"); -+ if (arch_supports_noncont_cat(test) != sparse_masks) { -+ ksft_print_msg("Hardware and kernel differ on non-contiguous CBM support!\n"); - return 1; - } - --- -2.43.0 - diff --git a/queue-6.9/serial-imx-raise-tx-trigger-level-to-8.patch b/queue-6.9/serial-imx-raise-tx-trigger-level-to-8.patch deleted file mode 100644 index d7143e8c82d..00000000000 --- a/queue-6.9/serial-imx-raise-tx-trigger-level-to-8.patch +++ /dev/null @@ -1,45 +0,0 @@ -From cfe347b1579dfc56d712668c4c7c600eae38a176 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 May 2024 15:37:44 +0200 -Subject: serial: imx: Raise TX trigger level to 8 - -From: Matthias Schiffer - -[ Upstream commit a3d8728ab079951741efa11360df43dbfacba7ab ] - -At the default TX trigger level of 2 in non-DMA mode (meaning that an -interrupt is generated when less than 2 characters are left in the -FIFO), we have observed frequent buffer underruns at 115200 Baud on an -i.MX8M Nano. This can cause communication issues if the receiving side -expects a continuous transfer. - -Increasing the level to 8 makes the UART trigger an interrupt earlier, -giving the kernel enough time to refill the FIFO, at the cost of -triggering one interrupt per ~24 instead of ~30 bytes of transmitted -data (as the i.MX UART has a 32 byte FIFO). - -Signed-off-by: Michael Krummsdorf -Signed-off-by: Matthias Schiffer -Link: https://lore.kernel.org/r/20240508133744.35858-1-matthias.schiffer@ew.tq-group.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/serial/imx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c -index 9552228d21614..f63cdd6794419 100644 ---- a/drivers/tty/serial/imx.c -+++ b/drivers/tty/serial/imx.c -@@ -1314,7 +1314,7 @@ static void imx_uart_clear_rx_errors(struct imx_port *sport) - - } - --#define TXTL_DEFAULT 2 /* reset default */ -+#define TXTL_DEFAULT 8 - #define RXTL_DEFAULT 8 /* 8 characters or aging timer */ - #define TXTL_DMA 8 /* DMA burst setting */ - #define RXTL_DMA 9 /* DMA burst setting */ --- -2.43.0 - diff --git a/queue-6.9/series b/queue-6.9/series deleted file mode 100644 index 3f874c41a3a..00000000000 --- a/queue-6.9/series +++ /dev/null @@ -1,91 +0,0 @@ -selftests-resctrl-fix-non-contiguous-cbm-for-amd.patch -locking-mutex-introduce-devm_mutex_init.patch -leds-mlxreg-use-devm_mutex_init-for-mutex-initializa.patch -leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch -crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch -drm-lima-fix-shared-irq-handling-on-driver-remove.patch -powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch -media-dvb-as102-fe-fix-as10x_register_addr-packing.patch -media-dvb-usb-dib0700_devices-add-missing-release_fi.patch -net-dql-avoid-calling-bug-when-warn-is-enough.patch -wifi-rtw89-fw-scan-offload-prohibit-all-6-ghz-channe.patch -drm-xe-add-outer-runtime_pm-protection-to-xe_live_kt.patch -ib-core-implement-a-limit-on-umad-receive-list.patch -drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch -scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch -irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch -bpf-mark-bpf_dummy_struct_ops.test_1-parameter-as-nu.patch -selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch -selftests-bpf-do-not-pass-null-for-non-nullable-para.patch -bpf-check-bpf_dummy_struct_ops-program-params-for-te.patch -selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch -risc-v-kvm-fix-the-initial-sample-period-value.patch -crypto-aead-cipher-zeroize-key-buffer-after-use.patch -media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch -drm-amdgpu-fix-uninitialized-variable-warnings.patch -drm-amdgpu-using-uninitialized-value-size-when-calli.patch -drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch -drm-amdgpu-fix-double-free-err_addr-pointer-warnings.patch -drm-amd-display-add-null-pointer-check-for-kzalloc.patch -drm-amd-display-check-index-msg_id-before-read-or-wr.patch -drm-amd-display-check-pipe-offset-before-setting-vbl.patch -drm-amd-display-skip-finding-free-audio-for-unknown-.patch -drm-amd-display-fix-overlapping-copy-within-dml_core.patch -drm-amd-display-update-pipe-topology-log-to-support-.patch -drm-amd-display-do-not-return-negative-stream-id-for.patch -drm-amd-display-assert-when-failing-to-find-index-by.patch -drm-amd-display-fix-uninitialized-variables-in-dm.patch -drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch -drm-amdgpu-fix-the-warning-about-the-expression-int-.patch -media-dw2102-don-t-translate-i2c-read-into-write.patch -riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch -media-dw2102-fix-a-potential-buffer-overflow.patch -sctp-prefer-struct_size-over-open-coded-arithmetic.patch -firmware-dmi-stop-decoding-on-broken-entry.patch -kunit-fortify-do-not-spam-logs-with-fortify-warns.patch -input-ff-core-prefer-struct_size-over-open-coded-ari.patch -usb-xhci-prevent-potential-failure-in-handle_tx_even.patch -wifi-mt76-replace-skb_put-with-skb_put_zero.patch -wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch -thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch -net-dsa-mv88e6xxx-correct-check-for-empty-list.patch -media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch -media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch -media-i2c-st-mipid02-use-the-correct-div-function.patch -media-tc358746-use-the-correct-div_-function.patch -media-dvb-frontends-tda10048-fix-integer-overflow.patch -crypto-hisilicon-sec2-fix-for-register-offset.patch -powerpc-dexcr-track-the-dexcr-per-process.patch -powerpc-dexcr-reset-dexcr-value-across-exec.patch -gve-account-for-stopped-queues-when-reading-nic-stat.patch -i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch -powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch -orangefs-fix-out-of-bounds-fsid-access.patch -kunit-fix-timeout-message.patch -kunit-handle-test-faults.patch -powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch -perf-callchain-use-zfree-to-avoid-possibly-accessing.patch -perf-kwork-use-zfree-to-avoid-possibly-accessing-dan.patch -perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch -selftests-net-fix-uninitialized-variables.patch -igc-fix-a-log-entry-using-uninitialized-netdev.patch -bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch -f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch -scsi-mpi3mr-sanitise-num_phys.patch -serial-imx-raise-tx-trigger-level-to-8.patch -perf-lock-avoid-memory-leaks-from-strdup.patch -nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch -jffs2-fix-potential-illegal-address-access-in-jffs2_.patch -s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch -s390-pkey-use-kfree_sensitive-to-fix-coccinelle-warn.patch -s390-pkey-wipe-sensitive-data-on-failure.patch -s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch -s390-pkey-wipe-copies-of-protected-and-secure-keys.patch -btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch -cdrom-rearrange-last_media_change-check-to-avoid-uni.patch -tools-power-turbostat-remember-global-max_die_id.patch -tools-power-turbostat-avoid-possible-memory-corrupti.patch -vhost-use-virtqueue-mutex-for-swapping-worker.patch -vhost-release-worker-mutex-during-flushes.patch -vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch -virtio-pci-check-if-is_avq-is-null.patch diff --git a/queue-6.9/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch b/queue-6.9/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch deleted file mode 100644 index 29f9aa28c15..00000000000 --- a/queue-6.9/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch +++ /dev/null @@ -1,35 +0,0 @@ -From f661d9769e871177067c3f21a5038a48f2df7538 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 May 2024 15:46:03 +0200 -Subject: thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data - -From: Julien Panis - -[ Upstream commit a1191a77351e25ddf091bb1a231cae12ee598b5d ] - -Verify that lvts_data is not NULL before using it. - -Signed-off-by: Julien Panis -Signed-off-by: Daniel Lezcano -Link: https://lore.kernel.org/r/20240502-mtk-thermal-lvts-data-v1-1-65f1b0bfad37@baylibre.com -Signed-off-by: Sasha Levin ---- - drivers/thermal/mediatek/lvts_thermal.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c -index 6b9422bd8795d..25f836c00e226 100644 ---- a/drivers/thermal/mediatek/lvts_thermal.c -+++ b/drivers/thermal/mediatek/lvts_thermal.c -@@ -1250,6 +1250,8 @@ static int lvts_probe(struct platform_device *pdev) - return -ENOMEM; - - lvts_data = of_device_get_match_data(dev); -+ if (!lvts_data) -+ return -ENODEV; - - lvts_td->clk = devm_clk_get_enabled(dev, NULL); - if (IS_ERR(lvts_td->clk)) --- -2.43.0 - diff --git a/queue-6.9/tools-power-turbostat-avoid-possible-memory-corrupti.patch b/queue-6.9/tools-power-turbostat-avoid-possible-memory-corrupti.patch deleted file mode 100644 index 2e9075d0bdd..00000000000 --- a/queue-6.9/tools-power-turbostat-avoid-possible-memory-corrupti.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 95cf21337764888b34ec6903145fac2e926aa3d5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 May 2024 15:39:08 +0200 -Subject: tools/power turbostat: Avoid possible memory corruption due to sparse - topology IDs - -From: Patryk Wlazlyn - -[ Upstream commit 3559ea813ad3a9627934325c68ad05b18008a077 ] - -Save the highest core and package id when parsing topology to -allocate enough memory when get_rapl_counters() is called with a core or -a package id as a domain. - -Note that RAPL domains are per-package on Intel, but per-core on AMD. -Thus, the RAPL code effectively runs in different modes on those two -product lines. - -Signed-off-by: Patryk Wlazlyn -Signed-off-by: Len Brown -Signed-off-by: Sasha Levin ---- - tools/power/x86/turbostat/turbostat.c | 25 +++++++++++++++++++------ - 1 file changed, 19 insertions(+), 6 deletions(-) - -diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c -index 25417c3a47ab6..5d80d193e5bee 100644 ---- a/tools/power/x86/turbostat/turbostat.c -+++ b/tools/power/x86/turbostat/turbostat.c -@@ -1022,6 +1022,7 @@ struct rapl_counter_info_t { - - /* struct rapl_counter_info_t for each RAPL domain */ - struct rapl_counter_info_t *rapl_counter_info_perdomain; -+unsigned int rapl_counter_info_perdomain_size; - - #define RAPL_COUNTER_FLAG_USE_MSR_SUM (1u << 1) - -@@ -1415,6 +1416,8 @@ struct topo_params { - int allowed_cpus; - int allowed_cores; - int max_cpu_num; -+ int max_core_id; -+ int max_package_id; - int max_die_id; - int max_node_num; - int nodes_per_pkg; -@@ -3369,15 +3372,18 @@ void write_rapl_counter(struct rapl_counter *rc, struct rapl_counter_info_t *rci - rc->scale = rci->scale[idx]; - } - --int get_rapl_counters(int cpu, int domain, struct core_data *c, struct pkg_data *p) -+int get_rapl_counters(int cpu, unsigned int domain, struct core_data *c, struct pkg_data *p) - { - unsigned long long perf_data[NUM_RAPL_COUNTERS + 1]; -- struct rapl_counter_info_t *rci = &rapl_counter_info_perdomain[domain]; -+ struct rapl_counter_info_t *rci; - - if (debug) - fprintf(stderr, "%s: cpu%d domain%d\n", __func__, cpu, domain); - - assert(rapl_counter_info_perdomain); -+ assert(domain < rapl_counter_info_perdomain_size); -+ -+ rci = &rapl_counter_info_perdomain[domain]; - - /* - * If we have any perf counters to read, read them all now, in bulk -@@ -4181,7 +4187,7 @@ void free_fd_rapl_percpu(void) - if (!rapl_counter_info_perdomain) - return; - -- const int num_domains = platform->has_per_core_rapl ? topo.num_cores : topo.num_packages; -+ const int num_domains = rapl_counter_info_perdomain_size; - - for (int domain_id = 0; domain_id < num_domains; ++domain_id) { - if (rapl_counter_info_perdomain[domain_id].fd_perf != -1) -@@ -4189,6 +4195,8 @@ void free_fd_rapl_percpu(void) - } - - free(rapl_counter_info_perdomain); -+ rapl_counter_info_perdomain = NULL; -+ rapl_counter_info_perdomain_size = 0; - } - - void free_all_buffers(void) -@@ -6479,17 +6487,18 @@ void linux_perf_init(void) - - void rapl_perf_init(void) - { -- const int num_domains = platform->has_per_core_rapl ? topo.num_cores : topo.num_packages; -+ const unsigned int num_domains = (platform->has_per_core_rapl ? topo.max_core_id : topo.max_package_id) + 1; - bool *domain_visited = calloc(num_domains, sizeof(bool)); - - rapl_counter_info_perdomain = calloc(num_domains, sizeof(*rapl_counter_info_perdomain)); - if (rapl_counter_info_perdomain == NULL) - err(-1, "calloc rapl_counter_info_percpu"); -+ rapl_counter_info_perdomain_size = num_domains; - - /* - * Initialize rapl_counter_info_percpu - */ -- for (int domain_id = 0; domain_id < num_domains; ++domain_id) { -+ for (unsigned int domain_id = 0; domain_id < num_domains; ++domain_id) { - struct rapl_counter_info_t *rci = &rapl_counter_info_perdomain[domain_id]; - - rci->fd_perf = -1; -@@ -6509,7 +6518,7 @@ void rapl_perf_init(void) - bool has_counter = 0; - double scale; - enum rapl_unit unit; -- int next_domain; -+ unsigned int next_domain; - - memset(domain_visited, 0, num_domains * sizeof(*domain_visited)); - -@@ -6522,6 +6531,8 @@ void rapl_perf_init(void) - next_domain = - platform->has_per_core_rapl ? cpus[cpu].physical_core_id : cpus[cpu].physical_package_id; - -+ assert(next_domain < num_domains); -+ - if (domain_visited[next_domain]) - continue; - -@@ -7104,6 +7115,8 @@ void topology_probe(bool startup) - if (cpus[i].thread_id == 0) - topo.num_cores++; - } -+ topo.max_core_id = max_core_id; -+ topo.max_package_id = max_package_id; - - topo.cores_per_node = max_core_id + 1; - if (debug > 1) --- -2.43.0 - diff --git a/queue-6.9/tools-power-turbostat-remember-global-max_die_id.patch b/queue-6.9/tools-power-turbostat-remember-global-max_die_id.patch deleted file mode 100644 index 954898c94ca..00000000000 --- a/queue-6.9/tools-power-turbostat-remember-global-max_die_id.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 75c47b3c2d9b42c87e2ff0ab083cfe7aff7b5a99 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 21 Apr 2024 11:56:48 -0400 -Subject: tools/power turbostat: Remember global max_die_id - -From: Len Brown - -[ Upstream commit cda203388687aa075db6f8996c3c4549fa518ea8 ] - -This is necessary to gracefully handle sparse die_id's. - -no functional change - -Signed-off-by: Len Brown -Stable-dep-of: 3559ea813ad3 ("tools/power turbostat: Avoid possible memory corruption due to sparse topology IDs") -Signed-off-by: Sasha Levin ---- - tools/power/x86/turbostat/turbostat.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c -index 8071a3ef2a2e8..25417c3a47ab6 100644 ---- a/tools/power/x86/turbostat/turbostat.c -+++ b/tools/power/x86/turbostat/turbostat.c -@@ -1415,6 +1415,7 @@ struct topo_params { - int allowed_cpus; - int allowed_cores; - int max_cpu_num; -+ int max_die_id; - int max_node_num; - int nodes_per_pkg; - int cores_per_node; -@@ -6967,7 +6968,6 @@ void topology_probe(bool startup) - int i; - int max_core_id = 0; - int max_package_id = 0; -- int max_die_id = 0; - int max_siblings = 0; - - /* Initialize num_cpus, max_cpu_num */ -@@ -7084,8 +7084,8 @@ void topology_probe(bool startup) - - /* get die information */ - cpus[i].die_id = get_die_id(i); -- if (cpus[i].die_id > max_die_id) -- max_die_id = cpus[i].die_id; -+ if (cpus[i].die_id > topo.max_die_id) -+ topo.max_die_id = cpus[i].die_id; - - /* get numa node information */ - cpus[i].physical_node_id = get_physical_node_id(&cpus[i]); -@@ -7111,9 +7111,9 @@ void topology_probe(bool startup) - if (!summary_only && topo.cores_per_node > 1) - BIC_PRESENT(BIC_Core); - -- topo.num_die = max_die_id + 1; -+ topo.num_die = topo.max_die_id + 1; - if (debug > 1) -- fprintf(outf, "max_die_id %d, sizing for %d die\n", max_die_id, topo.num_die); -+ fprintf(outf, "max_die_id %d, sizing for %d die\n", topo.max_die_id, topo.num_die); - if (!summary_only && topo.num_die > 1) - BIC_PRESENT(BIC_Die); - --- -2.43.0 - diff --git a/queue-6.9/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch b/queue-6.9/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch deleted file mode 100644 index 799b7b80d10..00000000000 --- a/queue-6.9/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 5c67d0b0496878cbaea0874ae859d9c33ae9bf49 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 17:02:37 +0300 -Subject: usb: xhci: prevent potential failure in handle_tx_event() for - Transfer events without TRB - -From: Niklas Neronin - -[ Upstream commit 66cb618bf0bb82859875b00eeffaf223557cb416 ] - -Some transfer events don't always point to a TRB, and consequently don't -have a endpoint ring. In these cases, function handle_tx_event() should -not proceed, because if 'ep->skip' is set, the pointer to the endpoint -ring is used. - -To prevent a potential failure and make the code logical, return after -checking the completion code for a Transfer event without TRBs. - -Signed-off-by: Niklas Neronin -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20240429140245.3955523-11-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci-ring.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c -index 48d745e9f9730..48028bab57e34 100644 ---- a/drivers/usb/host/xhci-ring.c -+++ b/drivers/usb/host/xhci-ring.c -@@ -2658,16 +2658,17 @@ static int handle_tx_event(struct xhci_hcd *xhci, - else - xhci_handle_halted_endpoint(xhci, ep, NULL, - EP_SOFT_RESET); -- goto cleanup; -+ break; - case COMP_RING_UNDERRUN: - case COMP_RING_OVERRUN: - case COMP_STOPPED_LENGTH_INVALID: -- goto cleanup; -+ break; - default: - xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n", - slot_id, ep_index); - goto err_out; - } -+ return 0; - } - - /* Count current td numbers if ep->skip is set */ --- -2.43.0 - diff --git a/queue-6.9/vhost-release-worker-mutex-during-flushes.patch b/queue-6.9/vhost-release-worker-mutex-during-flushes.patch deleted file mode 100644 index 5a7de960031..00000000000 --- a/queue-6.9/vhost-release-worker-mutex-during-flushes.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 59c4e571cdfafd66c81e3b4796c441d8755862b5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Mar 2024 19:47:05 -0500 -Subject: vhost: Release worker mutex during flushes - -From: Mike Christie - -[ Upstream commit ba704ff4e142fd3cfaf3379dd3b3b946754e06e3 ] - -In the next patches where the worker can be killed while in use, we -need to be able to take the worker mutex and kill queued works for -new IO and flushes, and set some new flags to prevent new -__vhost_vq_attach_worker calls from swapping in/out killed workers. - -If we are holding the worker mutex during a flush and the flush's work -is still in the queue, the worker code that will handle the SIGKILL -cleanup won't be able to take the mutex and perform it's cleanup. So -this patch has us drop the worker mutex while waiting for the flush -to complete. - -Signed-off-by: Mike Christie -Message-Id: <20240316004707.45557-8-michael.christie@oracle.com> -Signed-off-by: Michael S. Tsirkin -Stable-dep-of: db5247d9bf5c ("vhost_task: Handle SIGKILL by flushing work and exiting") -Signed-off-by: Sasha Levin ---- - drivers/vhost/vhost.c | 44 +++++++++++++++++++++++++++++-------------- - 1 file changed, 30 insertions(+), 14 deletions(-) - -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 113b6a42719b7..5580b24934015 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -276,21 +276,36 @@ void vhost_vq_flush(struct vhost_virtqueue *vq) - EXPORT_SYMBOL_GPL(vhost_vq_flush); - - /** -- * vhost_worker_flush - flush a worker -+ * __vhost_worker_flush - flush a worker - * @worker: worker to flush - * -- * This does not use RCU to protect the worker, so the device or worker -- * mutex must be held. -+ * The worker's flush_mutex must be held. - */ --static void vhost_worker_flush(struct vhost_worker *worker) -+static void __vhost_worker_flush(struct vhost_worker *worker) - { - struct vhost_flush_struct flush; - -+ if (!worker->attachment_cnt) -+ return; -+ - init_completion(&flush.wait_event); - vhost_work_init(&flush.work, vhost_flush_work); - - vhost_worker_queue(worker, &flush.work); -+ /* -+ * Drop mutex in case our worker is killed and it needs to take the -+ * mutex to force cleanup. -+ */ -+ mutex_unlock(&worker->mutex); - wait_for_completion(&flush.wait_event); -+ mutex_lock(&worker->mutex); -+} -+ -+static void vhost_worker_flush(struct vhost_worker *worker) -+{ -+ mutex_lock(&worker->mutex); -+ __vhost_worker_flush(worker); -+ mutex_unlock(&worker->mutex); - } - - void vhost_dev_flush(struct vhost_dev *dev) -@@ -298,15 +313,8 @@ void vhost_dev_flush(struct vhost_dev *dev) - struct vhost_worker *worker; - unsigned long i; - -- xa_for_each(&dev->worker_xa, i, worker) { -- mutex_lock(&worker->mutex); -- if (!worker->attachment_cnt) { -- mutex_unlock(&worker->mutex); -- continue; -- } -+ xa_for_each(&dev->worker_xa, i, worker) - vhost_worker_flush(worker); -- mutex_unlock(&worker->mutex); -- } - } - EXPORT_SYMBOL_GPL(vhost_dev_flush); - -@@ -685,7 +693,6 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - * device wide flushes which doesn't use RCU for execution. - */ - mutex_lock(&old_worker->mutex); -- old_worker->attachment_cnt--; - /* - * We don't want to call synchronize_rcu for every vq during setup - * because it will slow down VM startup. If we haven't done -@@ -696,6 +703,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - mutex_lock(&vq->mutex); - if (!vhost_vq_get_backend(vq) && !vq->kick) { - mutex_unlock(&vq->mutex); -+ -+ old_worker->attachment_cnt--; - mutex_unlock(&old_worker->mutex); - /* - * vsock can queue anytime after VHOST_VSOCK_SET_GUEST_CID. -@@ -711,7 +720,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - /* Make sure new vq queue/flush/poll calls see the new worker */ - synchronize_rcu(); - /* Make sure whatever was queued gets run */ -- vhost_worker_flush(old_worker); -+ __vhost_worker_flush(old_worker); -+ old_worker->attachment_cnt--; - mutex_unlock(&old_worker->mutex); - } - -@@ -764,6 +774,12 @@ static int vhost_free_worker(struct vhost_dev *dev, - mutex_unlock(&worker->mutex); - return -EBUSY; - } -+ /* -+ * A flush might have raced and snuck in before attachment_cnt was set -+ * to zero. Make sure flushes are flushed from the queue before -+ * freeing. -+ */ -+ __vhost_worker_flush(worker); - mutex_unlock(&worker->mutex); - - vhost_worker_destroy(dev, worker); --- -2.43.0 - diff --git a/queue-6.9/vhost-use-virtqueue-mutex-for-swapping-worker.patch b/queue-6.9/vhost-use-virtqueue-mutex-for-swapping-worker.patch deleted file mode 100644 index 8e6dc70d1f0..00000000000 --- a/queue-6.9/vhost-use-virtqueue-mutex-for-swapping-worker.patch +++ /dev/null @@ -1,67 +0,0 @@ -From c328ed941e422d14183e42757d2a10339bd9940a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Mar 2024 19:47:04 -0500 -Subject: vhost: Use virtqueue mutex for swapping worker - -From: Mike Christie - -[ Upstream commit 34cf9ba5f00a222dddd9fc71de7c68fdaac7fb97 ] - -__vhost_vq_attach_worker uses the vhost_dev mutex to serialize the -swapping of a virtqueue's worker. This was done for simplicity because -we are already holding that mutex. - -In the next patches where the worker can be killed while in use, we need -finer grained locking because some drivers will hold the vhost_dev mutex -while flushing. However in the SIGKILL handler in the next patches, we -will need to be able to swap workers (set current one to NULL), kill -queued works and stop new flushes while flushes are in progress. - -To prepare us, this has us use the virtqueue mutex for swapping workers -instead of the vhost_dev one. - -Signed-off-by: Mike Christie -Message-Id: <20240316004707.45557-7-michael.christie@oracle.com> -Signed-off-by: Michael S. Tsirkin -Stable-dep-of: db5247d9bf5c ("vhost_task: Handle SIGKILL by flushing work and exiting") -Signed-off-by: Sasha Levin ---- - drivers/vhost/vhost.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 8995730ce0bfc..113b6a42719b7 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -664,16 +664,22 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - { - struct vhost_worker *old_worker; - -- old_worker = rcu_dereference_check(vq->worker, -- lockdep_is_held(&vq->dev->mutex)); -- - mutex_lock(&worker->mutex); -- worker->attachment_cnt++; -- mutex_unlock(&worker->mutex); -+ mutex_lock(&vq->mutex); -+ -+ old_worker = rcu_dereference_check(vq->worker, -+ lockdep_is_held(&vq->mutex)); - rcu_assign_pointer(vq->worker, worker); -+ worker->attachment_cnt++; - -- if (!old_worker) -+ if (!old_worker) { -+ mutex_unlock(&vq->mutex); -+ mutex_unlock(&worker->mutex); - return; -+ } -+ mutex_unlock(&vq->mutex); -+ mutex_unlock(&worker->mutex); -+ - /* - * Take the worker mutex to make sure we see the work queued from - * device wide flushes which doesn't use RCU for execution. --- -2.43.0 - diff --git a/queue-6.9/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch b/queue-6.9/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch deleted file mode 100644 index 4d8ccdc56ed..00000000000 --- a/queue-6.9/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch +++ /dev/null @@ -1,298 +0,0 @@ -From cbdab0e5428685d180c514b75039740c49dde9cf Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Mar 2024 19:47:06 -0500 -Subject: vhost_task: Handle SIGKILL by flushing work and exiting - -From: Mike Christie - -[ Upstream commit db5247d9bf5c6ade9fd70b4e4897441e0269b233 ] - -Instead of lingering until the device is closed, this has us handle -SIGKILL by: - -1. marking the worker as killed so we no longer try to use it with - new virtqueues and new flush operations. -2. setting the virtqueue to worker mapping so no new works are queued. -3. running all the exiting works. - -Suggested-by: Edward Adam Davis -Reported-and-tested-by: syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com -Message-Id: -Signed-off-by: Mike Christie -Message-Id: <20240316004707.45557-9-michael.christie@oracle.com> -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Sasha Levin ---- - drivers/vhost/vhost.c | 54 +++++++++++++++++++++++++++++--- - drivers/vhost/vhost.h | 2 ++ - include/linux/sched/vhost_task.h | 3 +- - kernel/vhost_task.c | 53 ++++++++++++++++++++----------- - 4 files changed, 88 insertions(+), 24 deletions(-) - -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 5580b24934015..1740a5f1f35e7 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -285,7 +285,7 @@ static void __vhost_worker_flush(struct vhost_worker *worker) - { - struct vhost_flush_struct flush; - -- if (!worker->attachment_cnt) -+ if (!worker->attachment_cnt || worker->killed) - return; - - init_completion(&flush.wait_event); -@@ -400,7 +400,7 @@ static void vhost_vq_reset(struct vhost_dev *dev, - __vhost_vq_meta_reset(vq); - } - --static bool vhost_worker(void *data) -+static bool vhost_run_work_list(void *data) - { - struct vhost_worker *worker = data; - struct vhost_work *work, *work_next; -@@ -425,6 +425,40 @@ static bool vhost_worker(void *data) - return !!node; - } - -+static void vhost_worker_killed(void *data) -+{ -+ struct vhost_worker *worker = data; -+ struct vhost_dev *dev = worker->dev; -+ struct vhost_virtqueue *vq; -+ int i, attach_cnt = 0; -+ -+ mutex_lock(&worker->mutex); -+ worker->killed = true; -+ -+ for (i = 0; i < dev->nvqs; i++) { -+ vq = dev->vqs[i]; -+ -+ mutex_lock(&vq->mutex); -+ if (worker == -+ rcu_dereference_check(vq->worker, -+ lockdep_is_held(&vq->mutex))) { -+ rcu_assign_pointer(vq->worker, NULL); -+ attach_cnt++; -+ } -+ mutex_unlock(&vq->mutex); -+ } -+ -+ worker->attachment_cnt -= attach_cnt; -+ if (attach_cnt) -+ synchronize_rcu(); -+ /* -+ * Finish vhost_worker_flush calls and any other works that snuck in -+ * before the synchronize_rcu. -+ */ -+ vhost_run_work_list(worker); -+ mutex_unlock(&worker->mutex); -+} -+ - static void vhost_vq_free_iovecs(struct vhost_virtqueue *vq) - { - kfree(vq->indirect); -@@ -639,9 +673,11 @@ static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev) - if (!worker) - return NULL; - -+ worker->dev = dev; - snprintf(name, sizeof(name), "vhost-%d", current->pid); - -- vtsk = vhost_task_create(vhost_worker, worker, name); -+ vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed, -+ worker, name); - if (!vtsk) - goto free_worker; - -@@ -673,6 +709,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - struct vhost_worker *old_worker; - - mutex_lock(&worker->mutex); -+ if (worker->killed) { -+ mutex_unlock(&worker->mutex); -+ return; -+ } -+ - mutex_lock(&vq->mutex); - - old_worker = rcu_dereference_check(vq->worker, -@@ -693,6 +734,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - * device wide flushes which doesn't use RCU for execution. - */ - mutex_lock(&old_worker->mutex); -+ if (old_worker->killed) { -+ mutex_unlock(&old_worker->mutex); -+ return; -+ } -+ - /* - * We don't want to call synchronize_rcu for every vq during setup - * because it will slow down VM startup. If we haven't done -@@ -770,7 +816,7 @@ static int vhost_free_worker(struct vhost_dev *dev, - return -ENODEV; - - mutex_lock(&worker->mutex); -- if (worker->attachment_cnt) { -+ if (worker->attachment_cnt || worker->killed) { - mutex_unlock(&worker->mutex); - return -EBUSY; - } -diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h -index 9e942fcda5c3f..dc94e6a7d3c22 100644 ---- a/drivers/vhost/vhost.h -+++ b/drivers/vhost/vhost.h -@@ -28,12 +28,14 @@ struct vhost_work { - - struct vhost_worker { - struct vhost_task *vtsk; -+ struct vhost_dev *dev; - /* Used to serialize device wide flushing with worker swapping. */ - struct mutex mutex; - struct llist_head work_list; - u64 kcov_handle; - u32 id; - int attachment_cnt; -+ bool killed; - }; - - /* Poll a file (eventfd or socket) */ -diff --git a/include/linux/sched/vhost_task.h b/include/linux/sched/vhost_task.h -index bc60243d43b36..25446c5d35081 100644 ---- a/include/linux/sched/vhost_task.h -+++ b/include/linux/sched/vhost_task.h -@@ -4,7 +4,8 @@ - - struct vhost_task; - --struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, -+struct vhost_task *vhost_task_create(bool (*fn)(void *), -+ void (*handle_kill)(void *), void *arg, - const char *name); - void vhost_task_start(struct vhost_task *vtsk); - void vhost_task_stop(struct vhost_task *vtsk); -diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c -index da35e5b7f0473..8800f5acc0071 100644 ---- a/kernel/vhost_task.c -+++ b/kernel/vhost_task.c -@@ -10,38 +10,32 @@ - - enum vhost_task_flags { - VHOST_TASK_FLAGS_STOP, -+ VHOST_TASK_FLAGS_KILLED, - }; - - struct vhost_task { - bool (*fn)(void *data); -+ void (*handle_sigkill)(void *data); - void *data; - struct completion exited; - unsigned long flags; - struct task_struct *task; -+ /* serialize SIGKILL and vhost_task_stop calls */ -+ struct mutex exit_mutex; - }; - - static int vhost_task_fn(void *data) - { - struct vhost_task *vtsk = data; -- bool dead = false; - - for (;;) { - bool did_work; - -- if (!dead && signal_pending(current)) { -+ if (signal_pending(current)) { - struct ksignal ksig; -- /* -- * Calling get_signal will block in SIGSTOP, -- * or clear fatal_signal_pending, but remember -- * what was set. -- * -- * This thread won't actually exit until all -- * of the file descriptors are closed, and -- * the release function is called. -- */ -- dead = get_signal(&ksig); -- if (dead) -- clear_thread_flag(TIF_SIGPENDING); -+ -+ if (get_signal(&ksig)) -+ break; - } - - /* mb paired w/ vhost_task_stop */ -@@ -57,7 +51,19 @@ static int vhost_task_fn(void *data) - schedule(); - } - -+ mutex_lock(&vtsk->exit_mutex); -+ /* -+ * If a vhost_task_stop and SIGKILL race, we can ignore the SIGKILL. -+ * When the vhost layer has called vhost_task_stop it's already stopped -+ * new work and flushed. -+ */ -+ if (!test_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags)) { -+ set_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags); -+ vtsk->handle_sigkill(vtsk->data); -+ } -+ mutex_unlock(&vtsk->exit_mutex); - complete(&vtsk->exited); -+ - do_exit(0); - } - -@@ -78,12 +84,17 @@ EXPORT_SYMBOL_GPL(vhost_task_wake); - * @vtsk: vhost_task to stop - * - * vhost_task_fn ensures the worker thread exits after -- * VHOST_TASK_FLAGS_SOP becomes true. -+ * VHOST_TASK_FLAGS_STOP becomes true. - */ - void vhost_task_stop(struct vhost_task *vtsk) - { -- set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags); -- vhost_task_wake(vtsk); -+ mutex_lock(&vtsk->exit_mutex); -+ if (!test_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags)) { -+ set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags); -+ vhost_task_wake(vtsk); -+ } -+ mutex_unlock(&vtsk->exit_mutex); -+ - /* - * Make sure vhost_task_fn is no longer accessing the vhost_task before - * freeing it below. -@@ -96,14 +107,16 @@ EXPORT_SYMBOL_GPL(vhost_task_stop); - /** - * vhost_task_create - create a copy of a task to be used by the kernel - * @fn: vhost worker function -- * @arg: data to be passed to fn -+ * @handle_sigkill: vhost function to handle when we are killed -+ * @arg: data to be passed to fn and handled_kill - * @name: the thread's name - * - * This returns a specialized task for use by the vhost layer or NULL on - * failure. The returned task is inactive, and the caller must fire it up - * through vhost_task_start(). - */ --struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, -+struct vhost_task *vhost_task_create(bool (*fn)(void *), -+ void (*handle_sigkill)(void *), void *arg, - const char *name) - { - struct kernel_clone_args args = { -@@ -122,8 +135,10 @@ struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, - if (!vtsk) - return NULL; - init_completion(&vtsk->exited); -+ mutex_init(&vtsk->exit_mutex); - vtsk->data = arg; - vtsk->fn = fn; -+ vtsk->handle_sigkill = handle_sigkill; - - args.fn_arg = vtsk; - --- -2.43.0 - diff --git a/queue-6.9/virtio-pci-check-if-is_avq-is-null.patch b/queue-6.9/virtio-pci-check-if-is_avq-is-null.patch deleted file mode 100644 index 245f76c1cf5..00000000000 --- a/queue-6.9/virtio-pci-check-if-is_avq-is-null.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 413a4b9a517f947f3ee006d1558d66b66a162e89 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 16 Mar 2024 13:25:54 +0800 -Subject: virtio-pci: Check if is_avq is NULL - -From: Li Zhang - -[ Upstream commit c8fae27d141a32a1624d0d0d5419d94252824498 ] - -[bug] -In the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved -to determine whether it is admin virtqueue, but this function vp_dev->is_avq - may be empty. For installations, virtio_pci_legacy does not assign a value - to vp_dev->is_avq. - -[fix] -Check whether it is vp_dev->is_avq before use. - -[test] -Test with virsh Attach device -Before this patch, the following command would crash the guest system - -After applying the patch, everything seems to be working fine. - -Signed-off-by: Li Zhang -Message-Id: <1710566754-3532-1-git-send-email-zhanglikernel@gmail.com> -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Sasha Levin ---- - drivers/virtio/virtio_pci_common.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c -index 584af7816532b..f6b0b00e4599f 100644 ---- a/drivers/virtio/virtio_pci_common.c -+++ b/drivers/virtio/virtio_pci_common.c -@@ -236,7 +236,7 @@ void vp_del_vqs(struct virtio_device *vdev) - int i; - - list_for_each_entry_safe(vq, n, &vdev->vqs, list) { -- if (vp_dev->is_avq(vdev, vq->index)) -+ if (vp_dev->is_avq && vp_dev->is_avq(vdev, vq->index)) - continue; - - if (vp_dev->per_vq_vectors) { --- -2.43.0 - diff --git a/queue-6.9/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch b/queue-6.9/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch deleted file mode 100644 index 493ef3096be..00000000000 --- a/queue-6.9/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 7e4ea06e7a122918416d37f40a5f3b268018b151 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Mar 2024 19:09:16 +0800 -Subject: wifi: mt76: mt7996: add sanity checks for background radar trigger - -From: StanleyYP Wang - -[ Upstream commit ec55d8e7dfea92daff87f5c01689633f8c4e6a62 ] - -Check if background radar is enabled or not before manually triggering it, -and also add more checks in radar detected event. - -Signed-off-by: StanleyYP Wang -Signed-off-by: Shayne Chen -Signed-off-by: Felix Fietkau -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c | 5 +++++ - drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 ++++- - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c -index 9bd953586b041..62c03d088925c 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c -+++ b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c -@@ -225,6 +225,11 @@ mt7996_radar_trigger(void *data, u64 val) - if (val > MT_RX_SEL2) - return -EINVAL; - -+ if (val == MT_RX_SEL2 && !dev->rdd2_phy) { -+ dev_err(dev->mt76.dev, "Background radar is not enabled\n"); -+ return -EINVAL; -+ } -+ - return mt7996_mcu_rdd_cmd(dev, RDD_RADAR_EMULATE, - val, 0, 0); - } -diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c -index e86c05d0eecc9..bc3b2babb094d 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c -@@ -355,7 +355,10 @@ mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb) - if (r->band_idx >= ARRAY_SIZE(dev->mt76.phys)) - return; - -- if (dev->rdd2_phy && r->band_idx == MT_RX_SEL2) -+ if (r->band_idx == MT_RX_SEL2 && !dev->rdd2_phy) -+ return; -+ -+ if (r->band_idx == MT_RX_SEL2) - mphy = dev->rdd2_phy->mt76; - else - mphy = dev->mt76.phys[r->band_idx]; --- -2.43.0 - diff --git a/queue-6.9/wifi-mt76-replace-skb_put-with-skb_put_zero.patch b/queue-6.9/wifi-mt76-replace-skb_put-with-skb_put_zero.patch deleted file mode 100644 index f2ceeb1dc0f..00000000000 --- a/queue-6.9/wifi-mt76-replace-skb_put-with-skb_put_zero.patch +++ /dev/null @@ -1,83 +0,0 @@ -From b2b2d3b4f8e1ed1a294d94298de18e23f04f7783 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Mar 2024 17:02:52 +0100 -Subject: wifi: mt76: replace skb_put with skb_put_zero - -From: Felix Fietkau - -[ Upstream commit 7f819a2f4fbc510e088b49c79addcf1734503578 ] - -Avoid potentially reusing uninitialized data - -Signed-off-by: Felix Fietkau -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +++++----- - drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -index fb8bd50eb7de8..5521c0ea5b261 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -@@ -257,7 +257,7 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len, - }; - u16 ntlv; - -- ptlv = skb_put(skb, len); -+ ptlv = skb_put_zero(skb, len); - memcpy(ptlv, &tlv, sizeof(tlv)); - - ntlv = le16_to_cpu(ntlv_hdr->tlv_num); -@@ -1670,7 +1670,7 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, - set_bit(MT76_HW_SCANNING, &phy->state); - mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; - -- req = (struct mt76_connac_hw_scan_req *)skb_put(skb, sizeof(*req)); -+ req = (struct mt76_connac_hw_scan_req *)skb_put_zero(skb, sizeof(*req)); - - req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7; - req->bss_idx = mvif->idx; -@@ -1798,7 +1798,7 @@ int mt76_connac_mcu_sched_scan_req(struct mt76_phy *phy, - - mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; - -- req = (struct mt76_connac_sched_scan_req *)skb_put(skb, sizeof(*req)); -+ req = (struct mt76_connac_sched_scan_req *)skb_put_zero(skb, sizeof(*req)); - req->version = 1; - req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7; - -@@ -2321,7 +2321,7 @@ int mt76_connac_mcu_update_gtk_rekey(struct ieee80211_hw *hw, - return -ENOMEM; - - skb_put_data(skb, &hdr, sizeof(hdr)); -- gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put(skb, -+ gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put_zero(skb, - sizeof(*gtk_tlv)); - gtk_tlv->tag = cpu_to_le16(UNI_OFFLOAD_OFFLOAD_GTK_REKEY); - gtk_tlv->len = cpu_to_le16(sizeof(*gtk_tlv)); -@@ -2446,7 +2446,7 @@ mt76_connac_mcu_set_wow_pattern(struct mt76_dev *dev, - return -ENOMEM; - - skb_put_data(skb, &hdr, sizeof(hdr)); -- ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put(skb, sizeof(*ptlv)); -+ ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put_zero(skb, sizeof(*ptlv)); - ptlv->tag = cpu_to_le16(UNI_SUSPEND_WOW_PATTERN); - ptlv->len = cpu_to_le16(sizeof(*ptlv)); - ptlv->data_len = pattern->pattern_len; -diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -index d90f98c500399..b7157bdb3103f 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -@@ -424,7 +424,7 @@ mt7915_mcu_add_nested_subtlv(struct sk_buff *skb, int sub_tag, int sub_len, - .len = cpu_to_le16(sub_len), - }; - -- ptlv = skb_put(skb, sub_len); -+ ptlv = skb_put_zero(skb, sub_len); - memcpy(ptlv, &tlv, sizeof(tlv)); - - le16_add_cpu(sub_ntlv, 1); --- -2.43.0 - diff --git a/queue-6.9/wifi-rtw89-fw-scan-offload-prohibit-all-6-ghz-channe.patch b/queue-6.9/wifi-rtw89-fw-scan-offload-prohibit-all-6-ghz-channe.patch deleted file mode 100644 index 5f77c547b89..00000000000 --- a/queue-6.9/wifi-rtw89-fw-scan-offload-prohibit-all-6-ghz-channe.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 0f7e9c9428e1a7a3865fd89b7531284940283d36 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 12 Apr 2024 19:57:23 +0800 -Subject: wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz - sband - -From: Zong-Zhe Yang - -[ Upstream commit bb38626f3f97e16e6d368a9ff6daf320f3fe31d9 ] - -We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz -sband will be NULL even if it is WiFi 7 chip. So, add NULL handling here -to avoid crash. - -Signed-off-by: Zong-Zhe Yang -Signed-off-by: Ping-Ke Shih -Link: https://msgid.link/20240412115729.8316-3-pkshih@realtek.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/realtek/rtw89/fw.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c -index 6c75ebbb21caa..ef86389545ffb 100644 ---- a/drivers/net/wireless/realtek/rtw89/fw.c -+++ b/drivers/net/wireless/realtek/rtw89/fw.c -@@ -4646,6 +4646,10 @@ static void rtw89_scan_get_6g_disabled_chan(struct rtw89_dev *rtwdev, - u8 i, idx; - - sband = rtwdev->hw->wiphy->bands[NL80211_BAND_6GHZ]; -+ if (!sband) { -+ option->prohib_chan = U64_MAX; -+ return; -+ } - - for (i = 0; i < sband->n_channels; i++) { - chan = &sband->channels[i]; --- -2.43.0 - -- 2.47.3