From f8264c0b18691dfcb8c21f901b9710ba0716a93a Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 11 Feb 2025 11:03:08 +0100 Subject: [PATCH] 6.1-stable patches added patches: ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch crypto-qce-fix-goto-jump-in-error-path.patch crypto-qce-unregister-previously-registered-algos-in-error-path.patch i3c-master-fix-missing-ret-assignment-in-set_speed.patch io_uring-net-don-t-retry-connect-operation-on-epollerr.patch irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch mailbox-tegra-hsp-clear-mailbox-before-using-message.patch misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch misc-fastrpc-fix-copy-buffer-page-size.patch misc-fastrpc-fix-registered-buffer-page-address.patch mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch nvmem-core-improve-range-check-for-nvmem_cell_write.patch nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch ocfs2-handle-a-symlink-read-error-correctly.patch pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch ptp-ensure-info-enable-callback-is-always-set.patch rtc-zynqmp-fix-optional-clock-name-property.patch rtla-add-trace_instance_stop.patch rtla-osnoise-distinguish-missing-workload-option.patch rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch selftests-mptcp-connect-f-no-reconnect.patch vfio-platform-check-the-bounds-of-read-write-syscalls.patch --- ...t-write-outside-the-allocated-buffer.patch | 81 +++++++++++++++++++ ...ypto-qce-fix-goto-jump-in-error-path.patch | 33 ++++++++ 
...ously-registered-algos-in-error-path.patch | 52 ++++++++++++ ...-missing-ret-assignment-in-set_speed.patch | 42 ++++++++++ ...-retry-connect-operation-on-epollerr.patch | 55 +++++++++++++ ...-interrupt-as-fiq-when-configured-so.patch | 42 ++++++++++ ...p-clear-mailbox-before-using-message.patch | 68 ++++++++++++++++ ...ce-nodes-properly-in-error-scenarios.patch | 35 ++++++++ ...sc-fastrpc-fix-copy-buffer-page-size.patch | 40 +++++++++ ...c-fix-registered-buffer-page-address.patch | 48 +++++++++++ ...-uninitialized-retlen-in-do_otp_read.patch | 36 +++++++++ ...t-package-before-configuring-channel.patch | 64 +++++++++++++++ ...en-mdio-write-and-read-in-soft_reset.patch | 40 +++++++++ ...unds-checking-in-nci_hci_create_pipe.patch | 36 +++++++++ ...ssible-int-overflows-in-nilfs_fiemap.patch | 58 +++++++++++++ ...ove-range-check-for-nvmem_cell_write.patch | 47 +++++++++++ ...sdam-set-size-in-struct-nvmem_config.patch | 41 ++++++++++ ...ess-conversion-causing-mount-failure.patch | 41 ++++++++++ ...andle-a-symlink-read-error-correctly.patch | 65 +++++++++++++++ ...p-if-platform_get_irq_optional-fails.patch | 44 ++++++++++ ...try-getting-layout-segment-for-reads.patch | 78 ++++++++++++++++++ ...e-info-enable-callback-is-always-set.patch | 54 +++++++++++++ ...qmp-fix-optional-clock-name-property.patch | 44 ++++++++++ queue-6.1/rtla-add-trace_instance_stop.patch | 55 +++++++++++++ ...-distinguish-missing-workload-option.patch | 36 +++++++++ ..._hist-stop-timerlat-tracer-on-signal.patch | 71 ++++++++++++++++ ...t_top-stop-timerlat-tracer-on-signal.patch | 72 +++++++++++++++++ ...lftests-mptcp-connect-f-no-reconnect.patch | 45 +++++++++++ queue-6.1/series | 29 +++++++ ...ck-the-bounds-of-read-write-syscalls.patch | 54 +++++++++++++ 30 files changed, 1506 insertions(+) create mode 100644 queue-6.1/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch create mode 100644 queue-6.1/crypto-qce-fix-goto-jump-in-error-path.patch create mode 100644 
queue-6.1/crypto-qce-unregister-previously-registered-algos-in-error-path.patch create mode 100644 queue-6.1/i3c-master-fix-missing-ret-assignment-in-set_speed.patch create mode 100644 queue-6.1/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch create mode 100644 queue-6.1/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch create mode 100644 queue-6.1/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch create mode 100644 queue-6.1/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch create mode 100644 queue-6.1/misc-fastrpc-fix-copy-buffer-page-size.patch create mode 100644 queue-6.1/misc-fastrpc-fix-registered-buffer-page-address.patch create mode 100644 queue-6.1/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch create mode 100644 queue-6.1/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch create mode 100644 queue-6.1/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch create mode 100644 queue-6.1/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch create mode 100644 queue-6.1/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch create mode 100644 queue-6.1/nvmem-core-improve-range-check-for-nvmem_cell_write.patch create mode 100644 queue-6.1/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch create mode 100644 queue-6.1/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch create mode 100644 queue-6.1/ocfs2-handle-a-symlink-read-error-correctly.patch create mode 100644 queue-6.1/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch create mode 100644 queue-6.1/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch create mode 100644 queue-6.1/ptp-ensure-info-enable-callback-is-always-set.patch create mode 100644 queue-6.1/rtc-zynqmp-fix-optional-clock-name-property.patch create mode 100644 queue-6.1/rtla-add-trace_instance_stop.patch create mode 100644 
queue-6.1/rtla-osnoise-distinguish-missing-workload-option.patch create mode 100644 queue-6.1/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch create mode 100644 queue-6.1/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch create mode 100644 queue-6.1/selftests-mptcp-connect-f-no-reconnect.patch create mode 100644 queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
diff --git a/queue-6.1/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch b/queue-6.1/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
new file mode 100644
index 0000000000..24ab502495
--- /dev/null
+++ b/queue-6.1/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
@@ -0,0 +1,81 @@
+From 6e74e53b34b6dec5a50e1404e2680852ec6768d2 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel
+Date: Mon, 27 Jan 2025 16:43:04 +0100
+Subject: ata: libata-sff: Ensure that we cannot write outside the allocated buffer
+
+From: Niklas Cassel
+
+commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 upstream.
+
+reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
+set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
+ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
+write outside the allocated buffer, overwriting random memory.
+
+While a ATA device is supposed to abort a ATA_NOP command, there does seem
+to be a bug either in libata-sff or QEMU, where either this status is not
+set, or the status is cleared before read by ata_sff_hsm_move().
+Anyway, that is most likely a separate bug.
+
+Looking at __atapi_pio_bytes(), it already has a safety check to ensure
+that __atapi_pio_bytes() cannot write outside the allocated buffer.
+
+Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
+cannot write outside the allocated buffer.
+
+Cc: stable@vger.kernel.org
+Reported-by: reveliofuzzing
+Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
+Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-sff.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -658,7 +658,7 @@ static void ata_pio_sector(struct ata_qu
+ {
+ struct ata_port *ap = qc->ap;
+ struct page *page;
+- unsigned int offset;
++ unsigned int offset, count;
+
+ if (!qc->cursg) {
+ qc->curbytes = qc->nbytes;
+@@ -674,25 +674,27 @@ static void ata_pio_sector(struct ata_qu
+ page = nth_page(page, (offset >> PAGE_SHIFT));
+ offset %= PAGE_SIZE;
+
+- trace_ata_sff_pio_transfer_data(qc, offset, qc->sect_size);
++ /* don't overrun current sg */
++ count = min(qc->cursg->length - qc->cursg_ofs, qc->sect_size);
++
++ trace_ata_sff_pio_transfer_data(qc, offset, count);
+
+ /*
+ * Split the transfer when it splits a page boundary. Note that the
+ * split still has to be dword aligned like all ATA data transfers.
+ */
+ WARN_ON_ONCE(offset % 4);
+- if (offset + qc->sect_size > PAGE_SIZE) {
++ if (offset + count > PAGE_SIZE) {
+ unsigned int split_len = PAGE_SIZE - offset;
+
+ ata_pio_xfer(qc, page, offset, split_len);
+- ata_pio_xfer(qc, nth_page(page, 1), 0,
+- qc->sect_size - split_len);
++ ata_pio_xfer(qc, nth_page(page, 1), 0, count - split_len);
+ } else {
+- ata_pio_xfer(qc, page, offset, qc->sect_size);
++ ata_pio_xfer(qc, page, offset, count);
+ }
+
+- qc->curbytes += qc->sect_size;
+- qc->cursg_ofs += qc->sect_size;
++ qc->curbytes += count;
++ qc->cursg_ofs += count;
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
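Review bot: The clamp added in ata_pio_sector() turns a transfer that disagrees with the scatterlist into a silent short transfer: when `qc->cursg->length - qc->cursg_ofs` is below `qc->sect_size`, only `count` bytes move and `qc->curbytes`/`qc->cursg_ofs` advance by `count`, with nothing recording that the sector was cut. The comment `/* don't overrun current sg */` should say what a short count means, for example `/* Clamp to the bytes left in the current sg entry; count < sect_size means the command length and the sg list disagree. */`. The existing `WARN_ON_ONCE(offset % 4)` also checks only the offset, so a clamped `count` that is not a multiple of four would reach ata_pio_xfer() unchecked; whether that helper copes with such a length is not visible here. The body of ata_pio_sector() starts and ends outside these hunks.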
diff --git a/queue-6.1/crypto-qce-fix-goto-jump-in-error-path.patch b/queue-6.1/crypto-qce-fix-goto-jump-in-error-path.patch
new file mode 100644
index 0000000000..02499c01b8
--- /dev/null
+++ b/queue-6.1/crypto-qce-fix-goto-jump-in-error-path.patch
@@ -0,0 +1,33 @@
+From 5278275c1758a38199b43530adfc50098f4b41c7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:29 +0100
+Subject: crypto: qce - fix goto jump in error path
+
+From: Bartosz Golaszewski
+
+commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
+
+If qce_check_version() fails, we should jump to err_dma as we already
+called qce_dma_request() a couple lines before.
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -236,7 +236,7 @@ static int qce_crypto_probe(struct platf
+
+ ret = qce_check_version(qce);
+ if (ret)
+- goto err_clks;
++ goto err_dma;
+
+ spin_lock_init(&qce->lock);
+ tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
diff --git a/queue-6.1/crypto-qce-unregister-previously-registered-algos-in-error-path.patch b/queue-6.1/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
new file mode 100644
index 0000000000..a0e8f16c51
--- /dev/null
+++ b/queue-6.1/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
@@ -0,0 +1,52 @@
+From e80cf84b608725303113d6fe98bb727bf7b7a40d Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:30 +0100
+Subject: crypto: qce - unregister previously registered algos in error path
+
+From: Bartosz Golaszewski
+
+commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
+
+If we encounter an error when registering alorithms with the crypto
+framework, we just bail out and don't unregister the ones we
+successfully registered in prior iterations of the loop.
+
+Add code that goes back over the algos and unregisters them before
+returning an error from qce_register_algs().
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -48,16 +48,19 @@ static void qce_unregister_algs(struct q
+ static int qce_register_algs(struct qce_device *qce)
+ {
+ const struct qce_algo_ops *ops;
+- int i, ret = -ENODEV;
++ int i, j, ret = -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
+ ops = qce_ops[i];
+ ret = ops->register_algs(qce);
+- if (ret)
+- break;
++ if (ret) {
++ for (j = i - 1; j >= 0; j--)
++ ops->unregister_algs(qce);
++ return ret;
++ }
+ }
+
+- return ret;
++ return 0;
+ }
+
+ static int qce_handle_request(struct crypto_async_request *async_req)
diff --git a/queue-6.1/i3c-master-fix-missing-ret-assignment-in-set_speed.patch b/queue-6.1/i3c-master-fix-missing-ret-assignment-in-set_speed.patch
new file mode 100644
index 0000000000..89ba2a1157
--- /dev/null
+++ b/queue-6.1/i3c-master-fix-missing-ret-assignment-in-set_speed.patch
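Review bot: The rollback loop added to qce_register_algs() calls `ops->unregister_algs(qce)` on every iteration, but `ops` still points at `qce_ops[i]`, the entry whose registration just failed. The entries registered in earlier iterations are therefore never unregistered, and the failed entry's unregister hook runs `i` times instead. The loop body should index by `j`: `qce_ops[j]->unregister_algs(qce);`. As written, the leak described in the commit message remains on this error path.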
@@ -0,0 +1,42 @@
+From b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 Mon Sep 17 00:00:00 2001
+From: Frank Li
+Date: Wed, 8 Jan 2025 17:55:33 -0500
+Subject: i3c: master: Fix missing 'ret' assignment in set_speed()
+
+From: Frank Li
+
+commit b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 upstream.
+
+Fix a probe failure in the i3c master driver that occurs when no i3c
+devices are connected to the bus.
+
+The issue arises in `i3c_master_bus_init()` where the `ret` value is not
+updated after calling `master->ops->set_speed()`. If no devices are
+present, `ret` remains set to `I3C_ERROR_M2`, causing the code to
+incorrectly proceed to `err_bus_cleanup`.
+
+Cc: stable@vger.kernel.org
+Fixes: aef79e189ba2 ("i3c: master: support to adjust first broadcast address speed")
+Signed-off-by: Frank Li
+Reviewed-by: Wolfram Sang
+Tested-by: Wolfram Sang
+Acked-by: Mukesh Kumar Savaliya
+Reviewed-by: Miquel Raynal
+Link: https://lore.kernel.org/r/20250108225533.915334-1-Frank.Li@nxp.com
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i3c/master.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1861,7 +1861,7 @@ static int i3c_master_bus_init(struct i3
+ goto err_bus_cleanup;
+
+ if (master->ops->set_speed) {
+- master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
++ ret = master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
+ if (ret)
+ goto err_bus_cleanup;
+ }
diff --git a/queue-6.1/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch b/queue-6.1/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
new file mode 100644
index 0000000000..b2f92386b5
--- /dev/null
+++ b/queue-6.1/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
@@ -0,0 +1,55 @@
+From 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 30 Jan 2025 08:40:29 -0700
+Subject: io_uring/net: don't retry connect operation on EPOLLERR
+
+From: Jens Axboe
+
+commit 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 upstream.
+
+If a socket is shutdown before the connection completes, POLLERR is set
+in the poll mask. However, connect ignores this as it doesn't know, and
+attempts the connection again. This may lead to a bogus -ETIMEDOUT
+result, where it should have noticed the POLLERR and just returned
+-ECONNRESET instead.
+
+Have the poll logic check for whether or not POLLERR is set in the mask,
+and if so, mark the request as failed. Then connect can appropriately
+fail the request rather than retry it.
+
+Reported-by: Sergey Galas
+Cc: stable@vger.kernel.org
+Link: https://github.com/axboe/liburing/discussions/1335
+Fixes: 3fb1bd688172 ("io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/net.c | 5 +++++
+ io_uring/poll.c | 2 ++
+ 2 files changed, 7 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1486,6 +1486,11 @@ int io_connect(struct io_kiocb *req, uns
+ io = &__io;
+ }
+
++ if (unlikely(req->flags & REQ_F_FAIL)) {
++ ret = -ECONNRESET;
++ goto out;
++ }
++
+ file_flags = force_nonblock ? O_NONBLOCK : 0;
+
+ ret = __sys_connect_file(req->file, &io->address,
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -288,6 +288,8 @@ static int io_poll_check_events(struct i
+ return IOU_POLL_REISSUE;
+ }
+ }
++ if (unlikely(req->cqe.res & EPOLLERR))
++ req_set_fail(req);
+ if (req->apoll_events & EPOLLONESHOT)
+ return IOU_POLL_DONE;
+ if (io_is_uring_fops(req->file))
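Review bot: The check added in io_poll_check_events() is not scoped to connect: any request that reaches this point with EPOLLERR set in `req->cqe.res` gets `req_set_fail(req)`, while the only code shown that consumes the flag is io_connect(). If other opcodes are armed through this path (the hunk does not show which), they would be marked failed for a condition they may handle themselves, such as reading a socket's error queue, and a failed flag presumably also affects linked requests. Conversely, io_connect() now maps any earlier REQ_F_FAIL to `-ECONNRESET`, whatever set it. A comment at the poll.c check stating the intended scope, or a condition that limits it to the connect opcode, would make the behaviour explicit; both functions continue outside the hunks.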
diff --git a/queue-6.1/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch b/queue-6.1/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
new file mode 100644
index 0000000000..5a100c5016
--- /dev/null
+++ b/queue-6.1/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
@@ -0,0 +1,42 @@
+From 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 Mon Sep 17 00:00:00 2001
+From: Nick Chan
+Date: Sun, 19 Jan 2025 00:31:42 +0800
+Subject: irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured so
+
+From: Nick Chan
+
+commit 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 upstream.
+
+The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of
+several ways, and since Apple A11 one of the methods is FIQ, but the check
+of the configuration register fails to test explicitely for FIQ mode. It
+tests whether the IMODE bitfield is zero or not and the PMCRO_IACT bit is
+set. That results in false positives when the IMODE bitfield is not zero,
+but does not have the mode PMCR0_IMODE_FIQ.
+
+Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured
+to fire FIQs, i.e. the IMODE bitfield value is PMCR0_IMODE_FIQ and
+PMCR0_IACT is set.
+
+Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts")
+Signed-off-by: Nick Chan
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250118163554.16733-1-towinchenmi@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-apple-aic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-apple-aic.c
++++ b/drivers/irqchip/irq-apple-aic.c
+@@ -555,7 +555,8 @@ static void __exception_irq_entry aic_ha
+ AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT));
+ }
+
+- if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) {
++ if ((read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & (PMCR0_IMODE | PMCR0_IACT)) ==
++ (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) {
+ int irq;
+ if (cpumask_test_cpu(smp_processor_id(),
+ &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff))
diff --git a/queue-6.1/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch b/queue-6.1/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
new file mode 100644
index 0000000000..db0a6fdc56
--- /dev/null
+++ b/queue-6.1/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch 
@@ -0,0 +1,68 @@
+From 0b7f8328f988178b55ee11d772a6e1238c04d29d Mon Sep 17 00:00:00 2001
+From: Pekka Pessi
+Date: Mon, 2 Dec 2024 15:35:59 +0530
+Subject: mailbox: tegra-hsp: Clear mailbox before using message
+
+From: Pekka Pessi
+
+commit 0b7f8328f988178b55ee11d772a6e1238c04d29d upstream.
+
+The Tegra RCE (Camera) driver expects the mailbox to be empty before
+processing the IVC messages. On RT kernel, the threads processing the
+IVC messages (which are invoked after `mbox_chan_received_data()` is
+called) may be on a different CPU or running with a higher priority
+than the HSP interrupt handler thread. This can cause it to act on the
+message before the mailbox gets cleared in the HSP interrupt handler
+resulting in a loss of IVC notification.
+
+Fix this by clearing the mailbox data register before calling
+`mbox_chan_received_data()`.
+
+Fixes: 8f585d14030d ("mailbox: tegra-hsp: Add tegra_hsp_sm_ops")
+Fixes: 74c20dd0f892 ("mailbox: tegra-hsp: Add 128-bit shared mailbox support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pekka Pessi
+Signed-off-by: Kartik Rajput
+Acked-by: Thierry Reding
+Signed-off-by: Jassi Brar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mailbox/tegra-hsp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mailbox/tegra-hsp.c
++++ b/drivers/mailbox/tegra-hsp.c
+@@ -388,7 +388,6 @@ static void tegra_hsp_sm_recv32(struct t
+ value = tegra_hsp_channel_readl(channel, HSP_SM_SHRD_MBOX);
+ value &= ~HSP_SM_SHRD_MBOX_FULL;
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Need to clear all bits here since some producers, such as TCU, depend
+@@ -398,6 +397,8 @@ static void tegra_hsp_sm_recv32(struct t
+ * explicitly, so we have to make sure we cover all possible cases.
+ */
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SM_SHRD_MBOX);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_32bit_ops = {
+@@ -433,7 +434,6 @@ static void tegra_hsp_sm_recv128(struct
+ value[3] = tegra_hsp_channel_readl(channel, HSP_SHRD_MBOX_TYPE1_DATA3);
+
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Clear data registers and tag.
+@@ -443,6 +443,8 @@ static void tegra_hsp_sm_recv128(struct
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA2);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA3);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_TAG);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_128bit_ops = {
diff --git a/queue-6.1/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch b/queue-6.1/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
new file mode 100644
index 0000000000..06c5522c78
--- /dev/null
+++ b/queue-6.1/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
@@ -0,0 +1,35 @@
+From 637c20002dc8c347001292664055bfbf56544ec6 Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E
+Date: Fri, 10 Jan 2025 13:42:37 +0000
+Subject: misc: fastrpc: Deregister device nodes properly in error scenarios
+
+From: Anandu Krishnan E
+
+commit 637c20002dc8c347001292664055bfbf56544ec6 upstream.
+
+During fastrpc_rpmsg_probe, if secure device node registration
+succeeds but non-secure device node registration fails, the secure
+device node deregister is not called during error cleanup. Add proper
+exit paths to ensure proper cleanup in case of error.
+
+Fixes: 3abe3ab3cdab ("misc: fastrpc: add secure domain support")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -2119,7 +2119,7 @@ static int fastrpc_rpmsg_probe(struct rp
+
+ err = fastrpc_device_register(rdev, data, false, domains[domain_id]);
+ if (err)
+- goto fdev_error;
++ goto populate_error;
+ break;
+ default:
+ err = -EINVAL;
diff --git a/queue-6.1/misc-fastrpc-fix-copy-buffer-page-size.patch b/queue-6.1/misc-fastrpc-fix-copy-buffer-page-size.patch
new file mode 100644
index 0000000000..2922d7bb82
--- /dev/null
+++ b/queue-6.1/misc-fastrpc-fix-copy-buffer-page-size.patch
@@ -0,0 +1,40 @@
+From e966eae72762ecfdbdb82627e2cda48845b9dd66 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Fri, 10 Jan 2025 13:42:39 +0000
+Subject: misc: fastrpc: Fix copy buffer page size
+
+From: Ekansh Gupta
+
+commit e966eae72762ecfdbdb82627e2cda48845b9dd66 upstream.
+
+For non-registered buffer, fastrpc driver copies the buffer and
+pass it to the remote subsystem. There is a problem with current
+implementation of page size calculation which is not considering
+the offset in the calculation. This might lead to passing of
+improper and out-of-bounds page size which could result in
+memory issue. Calculate page start and page end using the offset
+adjusted address instead of absolute address.
+
+Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -961,8 +961,8 @@ static int fastrpc_get_args(u32 kernel,
+ (pkt_size - rlen);
+ pages[i].addr = pages[i].addr & PAGE_MASK;
+
+- pg_start = (args & PAGE_MASK) >> PAGE_SHIFT;
+- pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
++ pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT;
++ pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
+ pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE;
+ args = args + mlen;
+ rlen -= mlen;
diff --git a/queue-6.1/misc-fastrpc-fix-registered-buffer-page-address.patch b/queue-6.1/misc-fastrpc-fix-registered-buffer-page-address.patch
new file mode 100644
index 0000000000..14ea1740bf
--- /dev/null
+++ b/queue-6.1/misc-fastrpc-fix-registered-buffer-page-address.patch
@@ -0,0 +1,48 @@
+From 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Fri, 10 Jan 2025 13:42:38 +0000
+Subject: misc: fastrpc: Fix registered buffer page address
+
+From: Ekansh Gupta
+
+commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream.
+
+For registered buffers, fastrpc driver sends the buffer information
+to remote subsystem. There is a problem with current implementation
+where the page address is being sent with an offset leading to
+improper buffer address on DSP. This is leads to functional failures
+as DSP expects base address in page information and extracts offset
+information from remote arguments. Mask the offset and pass the base
+page address to DSP.
+
+This issue is observed is a corner case when some buffer which is registered
+with fastrpc framework is passed with some offset by user and then the DSP
+implementation tried to read the data. As DSP expects base address and takes
+care of offsetting with remote arguments, passing an offsetted address will
+result in some unexpected data read in DSP.
+
+All generic usecases usually pass the buffer as it is hence is problem is
+not usually observed. If someone tries to pass offsetted buffer and then
+tries to compare data at HLOS and DSP end, then the ambiguity will be observed.
+
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -934,7 +934,7 @@ static int fastrpc_get_args(u32 kernel,
+ mmap_read_lock(current->mm);
+ vma = find_vma(current->mm, ctx->args[i].ptr);
+ if (vma)
+- pages[i].addr += ctx->args[i].ptr -
++ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
+ mmap_read_unlock(current->mm);
+
diff --git a/queue-6.1/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch b/queue-6.1/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
new file mode 100644
index 0000000000..a32bcef9ce
--- /dev/null
+++ b/queue-6.1/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
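Review bot: The `if (vma)` test before the changed line in fastrpc_get_args() does not establish that the address lies inside the mapping, because find_vma() returns the first VMA that ends above the address, and that VMA can also start above it. In that case `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` wraps and the result is added to `pages[i].addr`, a page address that the commit message says is sent to the DSP, and `ctx->args[i].ptr` appears to come from the caller's arguments. The guard should require containment, e.g. `if (vma && vma->vm_start <= ctx->args[i].ptr)`, or the lookup should use `vma_lookup()`. The function body starts and ends outside the hunk.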
@@ -0,0 +1,36 @@
+From 70a71f8151b9879b0950668ce3ad76263261fee0 Mon Sep 17 00:00:00 2001
+From: Ivan Stepchenko
+Date: Thu, 14 Nov 2024 16:29:51 +0300
+Subject: mtd: onenand: Fix uninitialized retlen in do_otp_read()
+
+From: Ivan Stepchenko
+
+commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream.
+
+The function do_otp_read() does not set the output parameter *retlen,
+which is expected to contain the number of bytes actually read.
+As a result, in onenand_otp_walk(), the tmp_retlen variable remains
+uninitialized after calling do_otp_walk() and used to change
+the values of the buf, len and retlen variables.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Stepchenko
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/onenand/onenand_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/onenand/onenand_base.c
++++ b/drivers/mtd/nand/onenand/onenand_base.c
+@@ -2923,6 +2923,7 @@ static int do_otp_read(struct mtd_info *
+ ret = ONENAND_IS_4KB_PAGE(this) ?
+ onenand_mlc_read_ops_nolock(mtd, from, &ops) :
+ onenand_read_ops_nolock(mtd, from, &ops);
++ *retlen = ops.retlen;
+
+ /* Exit OTP access mode */
+ this->command(mtd, ONENAND_CMD_RESET, 0, 0);
diff --git a/queue-6.1/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch b/queue-6.1/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
new file mode 100644
index 0000000000..4a1b7a6cb5
--- /dev/null
+++ b/queue-6.1/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
@@ -0,0 +1,64 @@
+From 6bb194d036c6e1b329dcdff459338cdd9a54802a Mon Sep 17 00:00:00 2001
+From: Paul Fertser
+Date: Thu, 16 Jan 2025 18:29:00 +0300
+Subject: net/ncsi: wait for the last response to Deselect Package before configuring channel
+
+From: Paul Fertser
+
+commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream.
+
+The NCSI state machine as it's currently implemented assumes that
+transition to the next logical state is performed either explicitly by
+calling `schedule_work(&ndp->work)` to re-queue itself or implicitly
+after processing the predefined (ndp->pending_req_num) number of
+replies. Thus to avoid the configuration FSM from advancing prematurely
+and getting out of sync with the process it's essential to not skip
+waiting for a reply.
+
+This patch makes the code wait for reception of the Deselect Package
+response for the last package probed before proceeding to channel
+configuration.
+
+Thanks go to Potin Lai and Cosmo Chou for the initial investigation and
+testing.
+
+Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser
+Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ncsi/ncsi-manage.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1385,6 +1385,12 @@ static void ncsi_probe_channel(struct nc
+ nd->state = ncsi_dev_state_probe_package;
+ break;
+ case ncsi_dev_state_probe_package:
++ if (ndp->package_probe_id >= 8) {
++ /* Last package probed, finishing */
++ ndp->flags |= NCSI_DEV_PROBED;
++ break;
++ }
++
+ ndp->pending_req_num = 1;
+
+ nca.type = NCSI_PKT_CMD_SP;
+@@ -1501,13 +1507,8 @@ static void ncsi_probe_channel(struct nc
+ if (ret)
+ goto error;
+
+- /* Probe next package */
++ /* Probe next package after receiving response */
+ ndp->package_probe_id++;
+- if (ndp->package_probe_id >= 8) {
+- /* Probe finished */
+- ndp->flags |= NCSI_DEV_PROBED;
+- break;
+- }
+ nd->state = ncsi_dev_state_probe_package;
+ ndp->active_package = NULL;
+ break;
diff --git a/queue-6.1/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch b/queue-6.1/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
new file mode 100644
index 0000000000..af8b5550cf
--- /dev/null
+++ b/queue-6.1/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
@@ -0,0 +1,40 @@
+From bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 Mon Sep 17 00:00:00 2001
+From: Milos Reljin
+Date: Fri, 24 Jan 2025 10:41:02 +0000
+Subject: net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset
+
+From: Milos Reljin
+
+commit bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 upstream.
+
+In application note (AN13663) for TJA1120, on page 30, there's a figure
+with average PHY startup timing values following software reset.
+The time it takes for SMI to become operational after software reset
+ranges roughly from 500 us to 1500 us.
+
+This commit adds 2000 us delay after MDIO write which triggers software
+reset. Without this delay, soft_reset function returns an error and
+prevents successful PHY init.
+
+Cc: stable@vger.kernel.org
+Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103")
+Signed-off-by: Milos Reljin
+Reviewed-by: Andrew Lunn
+Link: https://patch.msgid.link/AM8P250MB0124D258E5A71041AF2CC322E1E32@AM8P250MB0124.EURP250.PROD.OUTLOOK.COM
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -937,6 +937,8 @@ static int nxp_c45_soft_reset(struct phy
+ if (ret)
+ return ret;
+
++ usleep_range(2000, 2050);
++
+ return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1,
+ VEND1_DEVICE_CONTROL, ret,
+ !(ret & DEVICE_CONTROL_RESET), 20000,
diff --git a/queue-6.1/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch b/queue-6.1/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
new file mode 100644
index 0000000000..16ada4e4a5
--- /dev/null
+++ b/queue-6.1/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
@@ -0,0 +1,36 @@
+From 110b43ef05342d5a11284cc8b21582b698b4ef1c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 17 Jan 2025 12:38:41 +0300
+Subject: NFC: nci: Add bounds checking in nci_hci_create_pipe()
+
+From: Dan Carpenter
+
+commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream.
+
+The "pipe" variable is a u8 which comes from the network. If it's more
+than 127, then it results in memory corruption in the caller,
+nci_hci_connect_gate().
+
+Cc: stable@vger.kernel.org
+Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Simon Horman
+Reviewed-by: Krzysztof Kozlowski
+Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/hci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -540,6 +540,8 @@ static u8 nci_hci_create_pipe(struct nci
+
+ pr_debug("pipe created=%d\n", pipe);
+
++ if (pipe >= NCI_HCI_MAX_PIPES)
++ pipe = NCI_HCI_INVALID_PIPE;
+ return pipe;
+ }
+
diff --git a/queue-6.1/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch b/queue-6.1/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
new file mode 100644
index 0000000000..eb3a372d3f
--- /dev/null
+++ b/queue-6.1/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
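Review bot: The added clamp `if (pipe >= NCI_HCI_MAX_PIPES) pipe = NCI_HCI_INVALID_PIPE;` runs after `pr_debug("pipe created=%d\n", pipe);`, so an out-of-range value from the peer is first logged as a created pipe and then silently turned into the invalid marker. Because the commit message says the value comes from the network, the rejection deserves its own trace, and if the function also reports status through an out parameter (its signature is cut off in the hunk header) that status should become a negative error too, so the caller cannot read the call as a success without a pipe. Moving the check above the debug line, e.g. `if (pipe >= NCI_HCI_MAX_PIPES) { pr_debug("invalid pipe=%d\n", pipe); return NCI_HCI_INVALID_PIPE; }`, covers the first part. The body of nci_hci_create_pipe() starts outside the hunk.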
@@ -0,0 +1,58 @@
+From 6438ef381c183444f7f9d1de18f22661cba1e946 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Sat, 25 Jan 2025 07:20:53 +0900
+Subject: nilfs2: fix possible int overflows in nilfs_fiemap()
+
+From: Nikita Zhandarovich
+
+commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream.
+
+Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
+by being prepared to go through potentially maxblocks == INT_MAX blocks,
+the value in n may experience an overflow caused by left shift of blkbits.
+
+While it is extremely unlikely to occur, play it safe and cast right hand
+expression to wider type to mitigate the issue.
+
+Found by Linux Verification Center (linuxtesting.org) with static analysis
+tool SVACE.
+
+Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com
+Fixes: 622daaff0a89 ("nilfs2: fiemap support")
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -1267,7 +1267,7 @@ int nilfs_fiemap(struct inode *inode, st
+ if (size) {
+ if (phys && blkphy << blkbits == phys + size) {
+ /* The current extent goes on */
+- size += n << blkbits;
++ size += (u64)n << blkbits;
+ } else {
+ /* Terminate the current extent */
+ ret = fiemap_fill_next_extent(
+@@ -1280,14 +1280,14 @@ int nilfs_fiemap(struct inode *inode, st
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ } else {
+ /* Start a new extent */
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ blkoff += n;
+ }
diff --git a/queue-6.1/nvmem-core-improve-range-check-for-nvmem_cell_write.patch b/queue-6.1/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
new file mode 100644
index 0000000000..99ba471e63
--- /dev/null
+++ b/queue-6.1/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
@@ -0,0 +1,47 @@
+From 31507fc2ad36e0071751a710449db19c85d82a7f Mon Sep 17 00:00:00 2001
+From: Jennifer Berringer
+Date: Mon, 30 Dec 2024 14:19:01 +0000
+Subject: nvmem: core: improve range check for nvmem_cell_write()
+
+From: Jennifer Berringer
+
+commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
+
+When __nvmem_cell_entry_write() is called for an nvmem cell that does
+not need bit shifting, it requires that the len parameter exactly
+matches the nvmem cell size. However, when the nvmem cell has a nonzero
+bit_offset, it was skipping this check.
+
+Accepting values of len larger than the cell size results in
+nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
+buffer that it allocates. Add a check to avoid that problem and instead
+return -EINVAL when len doesn't match the number of bits expected by the
+nvmem cell when bit_offset is nonzero.
+
+This check uses cell->nbits in order to allow providing the smaller size
+to cells that are shifted into another byte by bit_offset. For example,
+a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
+accept a 1-byte write here, although no current callers depend on this.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jennifer Berringer
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1532,6 +1532,8 @@ static int __nvmem_cell_entry_write(stru
+ return -EINVAL;
+
+ if (cell->bit_offset || cell->nbits) {
++ if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)
++ return -EINVAL;
+ buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
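Review bot: The added test `if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)` sits under `if (cell->bit_offset || cell->nbits)`, so it is also reached with `nbits == 0` and a nonzero `bit_offset`; there `BITS_TO_BYTES(cell->nbits)` is 0 and a zero-length write passes the new check. Unless the condition above the hunk already rejects it, nvmem_cell_prepare_write_buffer() is then called with `len == 0`, so I would refuse it explicitly: `if (!len || (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes))`. A short comment such as `/* accept the exact bit width in bytes or the full shifted cell size */` would also record why two lengths are valid, which today only the commit message explains. __nvmem_cell_entry_write() starts and ends outside the hunk.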
diff --git a/queue-6.1/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch b/queue-6.1/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
new file mode 100644
index 0000000000..b62d23c0e4
--- /dev/null
+++ b/queue-6.1/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
@@ -0,0 +1,41 @@
+From e88f516ea417c71bb3702603ac6af9e95338cfa6 Mon Sep 17 00:00:00 2001
+From: Luca Weiss
+Date: Mon, 30 Dec 2024 14:19:00 +0000
+Subject: nvmem: qcom-spmi-sdam: Set size in struct nvmem_config
+
+From: Luca Weiss
+
+commit e88f516ea417c71bb3702603ac6af9e95338cfa6 upstream.
+
+Let the nvmem core know what size the SDAM is, most notably this fixes
+the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes
+user space work with that file.
+
+ ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem
+ 00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
+ 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
+ *
+ 00000080
+
+Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Weiss
+Reviewed-by: Vladimir Zapolskiy
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/qcom-spmi-sdam.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvmem/qcom-spmi-sdam.c
++++ b/drivers/nvmem/qcom-spmi-sdam.c
+@@ -143,6 +143,7 @@ static int sdam_probe(struct platform_de
+ sdam->sdam_config.id = NVMEM_DEVID_AUTO;
+ sdam->sdam_config.owner = THIS_MODULE;
+ sdam->sdam_config.stride = 1;
++ sdam->sdam_config.size = sdam->size;
+ sdam->sdam_config.word_size = 1;
+ sdam->sdam_config.reg_read = sdam_read;
+ sdam->sdam_config.reg_write = sdam_write;
diff --git a/queue-6.1/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch b/queue-6.1/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
new file mode 100644
index 0000000000..c7c83d28cd
--- /dev/null
+++ b/queue-6.1/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
@@ -0,0 +1,41 @@
+From f921da2c34692dfec5f72b5ae347b1bea22bb369 Mon Sep 17 00:00:00 2001
+From: Heming Zhao
+Date: Tue, 21 Jan 2025 19:22:03 +0800
+Subject: ocfs2: fix incorrect CPU endianness conversion causing mount failure
+
+From: Heming Zhao
+
+commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream.
+
+Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+introduced a regression bug. The blksz_bits value is already converted to
+CPU endian in the previous code; therefore, the code shouldn't use
+le32_to_cpu() anymore.
+
+Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com
+Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+Signed-off-by: Heming Zhao
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2342,7 +2342,7 @@ static int ocfs2_verify_volume(struct oc
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size bits: found %u, should be 9, 10, 11, or 12\n",
+ blksz_bits);
+- } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
++ } else if ((1 << blksz_bits) != blksz) {
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
+ } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
diff --git a/queue-6.1/ocfs2-handle-a-symlink-read-error-correctly.patch b/queue-6.1/ocfs2-handle-a-symlink-read-error-correctly.patch
new file mode 100644
index 0000000000..94af19fa33
--- /dev/null
+++ b/queue-6.1/ocfs2-handle-a-symlink-read-error-correctly.patch
@@ -0,0 +1,65 @@
+From 2b4c2094da6d84e69b843dd3317902e977bf64bd Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)"
+Date: Thu, 5 Dec 2024 17:16:29 +0000
+Subject: ocfs2: handle a symlink read error correctly
+
+From: Matthew Wilcox (Oracle)
+
+commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream.
+
+Patch series "Convert ocfs2 to use folios".
+
+Mark did a conversion of ocfs2 to use folios and sent it to me as a
+giant patch for review ;-)
+
+So I've redone it as individual patches, and credited Mark for the patches
+where his code is substantially the same. It's not a bad way to do it;
+his patch had some bugs and my patches had some bugs. Hopefully all our
+bugs were different from each other. And hopefully Mark likes all the
+changes I made to his code!
+
+
+This patch (of 23):
+
+If we can't read the buffer, be sure to unlock the page before returning.
+
+Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle)
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Mark Tinguely
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/symlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -65,7 +65,7 @@ static int ocfs2_fast_symlink_read_folio
+
+ if (status < 0) {
+ mlog_errno(status);
+- return status;
++ goto out;
+ }
+
+ fe = (struct ocfs2_dinode *) bh->b_data;
+@@ -76,9 +76,10 @@ static int ocfs2_fast_symlink_read_folio
+ memcpy(kaddr, link, len + 1);
+ kunmap_atomic(kaddr);
+ SetPageUptodate(page);
++out:
+ unlock_page(page);
+ brelse(bh);
+- return 0;
++ return status;
+ }
+
+ const struct address_space_operations ocfs2_fast_symlink_aops = {
diff --git a/queue-6.1/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch b/queue-6.1/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
new file mode 100644
index 0000000000..b975c23abe
--- /dev/null
+++ b/queue-6.1/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
@@ -0,0 +1,44 @@
+From 459915f55509f4bfd6076daa1428e28490ddee3b Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Wed, 6 Nov 2024 23:04:39 +0100
+Subject: pinctrl: samsung: fix fwnode refcount cleanup if platform_get_irq_optional() fails
+
+From: Javier Carrasco
+
+commit 459915f55509f4bfd6076daa1428e28490ddee3b upstream.
+
+Commit 50ebd19e3585 ("pinctrl: samsung: drop pin banks references on
+error paths") fixed the pin bank references on the error paths of the
+probe function, but there is still an error path where this is not done.
+
+If samsung_pinctrl_get_soc_data() does not fail, the child references
+will have acquired, and they will need to be released in the error path
+of platform_get_irq_optional(), as it is done in the following error
+paths within the probe function.
+
+Replace the direct return in the error path with a goto instruction to
+the cleanup function.
+
+Cc: stable@vger.kernel.org
+Fixes: a382d568f144 ("pinctrl: samsung: Use platform_get_irq_optional() to get the interrupt")
+Signed-off-by: Javier Carrasco
+Link: https://lore.kernel.org/r/20241106-samsung-pinctrl-put-v1-1-de854e26dd03@gmail.com
+[krzysztof: change Fixes SHA to point to commit introducing the return
+ leading to OF node leak]
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -1149,7 +1149,7 @@ static int samsung_pinctrl_probe(struct
+
+ ret = platform_get_irq_optional(pdev, 0);
+ if (ret < 0 && ret != -ENXIO)
+- return ret;
++ goto err_put_banks;
+ if (ret > 0)
+ drvdata->irq = ret;
+
diff --git a/queue-6.1/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch b/queue-6.1/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
new file mode 100644
index 0000000000..725efbbe86
--- /dev/null
+++ b/queue-6.1/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch 
@@ -0,0 +1,78 @@
+From eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Thu, 16 Jan 2025 20:05:39 -0500
+Subject: pnfs/flexfiles: retry getting layout segment for reads
+
+From: Mike Snitzer
+
+commit eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca upstream.
+
+If ff_layout_pg_get_read()'s attempt to get a layout segment results
+in -EAGAIN have ff_layout_pg_init_read() retry it after sleeping.
+
+If "softerr" mount is used, use 'io_maxretrans' to limit the number of
+attempts to get a layout segment.
+
+This fixes a long-standing issue of O_DIRECT reads failing with
+-EAGAIN (11) when using flexfiles Client Side Mirroring (CSM).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -839,6 +839,9 @@ ff_layout_pg_init_read(struct nfs_pageio
+ struct nfs4_pnfs_ds *ds;
+ u32 ds_idx;
+
++ if (NFS_SERVER(pgio->pg_inode)->flags &
++ (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
++ pgio->pg_maxretrans = io_maxretrans;
+ retry:
+ ff_layout_pg_check_layout(pgio, req);
+ /* Use full layout for now */
+@@ -852,6 +855,8 @@ retry:
+ if (!pgio->pg_lseg)
+ goto out_nolseg;
+ }
++ /* Reset wb_nio, since getting layout segment was successful */
++ req->wb_nio = 0;
+
+ ds = ff_layout_get_ds_for_read(pgio, &ds_idx);
+ if (!ds) {
+@@ -868,14 +873,24 @@ retry:
+ pgm->pg_bsize = mirror->mirror_ds->ds_versions[0].rsize;
+
+ pgio->pg_mirror_idx = ds_idx;
+-
+- if (NFS_SERVER(pgio->pg_inode)->flags &
+- (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
+- pgio->pg_maxretrans = io_maxretrans;
+ return;
+ out_nolseg:
+- if (pgio->pg_error < 0)
+- return;
++ if (pgio->pg_error < 0) {
++ if (pgio->pg_error != -EAGAIN)
++ return;
++ /* Retry getting layout segment if lower layer returned -EAGAIN */
++ if (pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans) {
++ if (NFS_SERVER(pgio->pg_inode)->flags & NFS_MOUNT_SOFTERR)
++ pgio->pg_error = -ETIMEDOUT;
++ else
++ pgio->pg_error = -EIO;
++ return;
++ }
++ pgio->pg_error = 0;
++ /* Sleep for 1 second before retrying */
++ ssleep(1);
++ goto retry;
++ }
+ out_mds:
+ trace_pnfs_mds_fallback_pg_init_read(pgio->pg_inode,
+ 0, NFS4_MAX_UINT64, IOMODE_READ,
diff --git a/queue-6.1/ptp-ensure-info-enable-callback-is-always-set.patch b/queue-6.1/ptp-ensure-info-enable-callback-is-always-set.patch
new file mode 100644
index 0000000000..f69962a34f
--- /dev/null
+++ b/queue-6.1/ptp-ensure-info-enable-callback-is-always-set.patch
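Review bot: The new retry path under `out_nolseg:` is bounded only when `pgio->pg_maxretrans` is nonzero, and the hunk sets that field only for `NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR` mounts, so on any other mount a layout fetch that keeps returning -EAGAIN makes `goto retry` loop without limit. Each pass also blocks in `ssleep(1)`, an uninterruptible sleep, so the task cannot be killed while it waits. I would leave the loop on a fatal signal by adding `if (fatal_signal_pending(current)) return;` just before `pgio->pg_error = 0;`, and state in the comment whether retrying forever on hard mounts is intended. The initial value of pg_maxretrans and the rest of ff_layout_pg_init_read() are outside the hunk.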
@@ -0,0 +1,54 @@
+From fd53aa40e65f518453115b6f56183b0c201db26b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Thu, 23 Jan 2025 08:22:40 +0100
+Subject: ptp: Ensure info->enable callback is always set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
+
+The ioctl and sysfs handlers unconditionally call the ->enable callback.
+Not all drivers implement that callback, leading to NULL dereferences.
+Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
+
+Instead use a dummy callback if no better was specified by the driver.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh
+Acked-by: Richard Cochran
+Reviewed-by: Michal Swiatkowski
+Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ptp/ptp_clock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -188,6 +188,11 @@ static int ptp_getcycles64(struct ptp_cl
+ return info->gettime64(info, ts);
+ }
+
++static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
++{
++ return -EOPNOTSUPP;
++}
++
+ static void ptp_aux_kworker(struct kthread_work *work)
+ {
+ struct ptp_clock *ptp = container_of(work, struct ptp_clock,
+@@ -250,6 +255,9 @@ struct ptp_clock *ptp_clock_register(str
+ ptp->info->getcrosscycles = ptp->info->getcrosststamp;
+ }
+
++ if (!ptp->info->enable)
++ ptp->info->enable = ptp_enable;
++
+ if (ptp->info->do_aux_work) {
+ kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
+ ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
diff --git a/queue-6.1/rtc-zynqmp-fix-optional-clock-name-property.patch b/queue-6.1/rtc-zynqmp-fix-optional-clock-name-property.patch
new file mode 100644
index 0000000000..1c83b74f45
--- /dev/null
+++ b/queue-6.1/rtc-zynqmp-fix-optional-clock-name-property.patch
@@ -0,0 +1,44 @@
+From 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 Mon Sep 17 00:00:00 2001
+From: Michal Simek
+Date: Wed, 27 Nov 2024 17:01:22 +0100
+Subject: rtc: zynqmp: Fix optional clock name property
+
+From: Michal Simek
+
+commit 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 upstream.
+
+Clock description in DT binding introduced by commit f69060c14431
+("dt-bindings: rtc: zynqmp: Add clock information") is talking about "rtc"
+clock name but driver is checking "rtc_clk" name instead.
+Because clock is optional property likely in was never handled properly by
+the driver.
+
+Fixes: 07dcc6f9c762 ("rtc: zynqmp: Add calibration set and get support")
+Signed-off-by: Michal Simek
+Cc: stable@kernel.org
+Reviewed-by: Peter Korsgaard
+Link: https://lore.kernel.org/r/cd5f0c9d01ec1f5a240e37a7e0d85b8dacb3a869.1732723280.git.michal.simek@amd.com
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-zynqmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-zynqmp.c b/drivers/rtc/rtc-zynqmp.c
+index 625f708a7caf..f39102b66eac 100644
+--- a/drivers/rtc/rtc-zynqmp.c
++++ b/drivers/rtc/rtc-zynqmp.c
+@@ -318,8 +318,8 @@ static int xlnx_rtc_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- /* Getting the rtc_clk info */
+- xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc_clk");
++ /* Getting the rtc info */
++ xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc");
+ if (IS_ERR(xrtcdev->rtc_clk)) {
+ if (PTR_ERR(xrtcdev->rtc_clk) != -EPROBE_DEFER)
+ dev_warn(&pdev->dev, "Device clock not found.\n");
+--
+2.48.1
+
diff --git a/queue-6.1/rtla-add-trace_instance_stop.patch b/queue-6.1/rtla-add-trace_instance_stop.patch
new file mode 100644
index 0000000000..bcd1987dab
--- /dev/null
+++ b/queue-6.1/rtla-add-trace_instance_stop.patch
@@ -0,0 +1,55 @@
+From e879b5dcf8d044f3865a32d95cc5b213f314c54f Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:27 +0100
+Subject: rtla: Add trace_instance_stop
+
+From: Tomas Glozar
+
+commit e879b5dcf8d044f3865a32d95cc5b213f314c54f upstream.
+
+Support not only turning trace on for the timerlat tracer, but also
+turning it off.
+
+This will be used in subsequent patches to stop the timerlat tracer
+without also wiping the trace buffer.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/trace.c | 8 ++++++++
+ tools/tracing/rtla/src/trace.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/tools/tracing/rtla/src/trace.c
++++ b/tools/tracing/rtla/src/trace.c
+@@ -197,6 +197,14 @@ int trace_instance_start(struct trace_in
+ }
+
+ /*
++ * trace_instance_stop - stop tracing a given rtla instance
++ */
++int trace_instance_stop(struct trace_instance *trace)
++{
++ return tracefs_trace_off(trace->inst);
++}
++
++/*
+ * trace_events_free - free a list of trace events
+ */
+ static void trace_events_free(struct trace_events *events)
+--- a/tools/tracing/rtla/src/trace.h
++++ b/tools/tracing/rtla/src/trace.h
+@@ -21,6 +21,7 @@ struct trace_instance {
+
+ int trace_instance_init(struct trace_instance *trace, char *tool_name);
+ int trace_instance_start(struct trace_instance *trace);
++int trace_instance_stop(struct trace_instance *trace);
+ void trace_instance_destroy(struct trace_instance *trace);
+
+ struct trace_seq *get_trace_seq(void);
diff --git a/queue-6.1/rtla-osnoise-distinguish-missing-workload-option.patch b/queue-6.1/rtla-osnoise-distinguish-missing-workload-option.patch
new file mode 100644
index 0000000000..42004e7f89
--- /dev/null
+++ b/queue-6.1/rtla-osnoise-distinguish-missing-workload-option.patch
@@ -0,0 +1,36 @@
+From 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Tue, 7 Jan 2025 15:48:21 +0100
+Subject: rtla/osnoise: Distinguish missing workload option
+
+From: Tomas Glozar
+
+commit 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c upstream.
+
+osnoise_set_workload returns -1 for both missing OSNOISE_WORKLOAD option
+and failure in setting the option.
+
+Return -1 for missing and -2 for failure to distinguish them.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Link: https://lore.kernel.org/20250107144823.239782-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/osnoise.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/osnoise.c
++++ b/tools/tracing/rtla/src/osnoise.c
+@@ -693,7 +693,7 @@ int osnoise_set_tracing_thresh(struct os
+
+ retval = osnoise_write_ll_config("tracing_thresh", tracing_thresh);
+ if (retval < 0)
+- return -1;
++ return -2;
+
+ context->tracing_thresh = tracing_thresh;
+
diff --git a/queue-6.1/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch b/queue-6.1/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
new file mode 100644
index 0000000000..fe812099cf
--- /dev/null
+++ b/queue-6.1/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
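Review bot: The only changed line, `return -2;`, lands in osnoise_set_tracing_thresh() right after `osnoise_write_ll_config("tracing_thresh", tracing_thresh)`, while the commit message is about osnoise_set_workload() and the OSNOISE_WORKLOAD option. That looks like the upstream hunk was applied with fuzz to a different function in this tree, so the patch does not do what it describes and instead changes the failure code of an unrelated setter. Any caller of osnoise_set_tracing_thresh() that compares the result with -1 (none is visible here) would then miss the error. I would keep `return -1;` in this function and either drop the patch from the queue or rebase it onto the function it names.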
@@ -0,0 +1,71 @@
+From c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:28 +0100
+Subject: rtla/timerlat_hist: Stop timerlat tracer on signal
+
+From: Tomas Glozar
+
+commit c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-3-tglozar@redhat.com
+Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -783,9 +783,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *hist_inst = NULL;
+ static void stop_hist(int sig)
+ {
+ stop_tracing = 1;
++ if (hist_inst)
++ trace_instance_stop(hist_inst);
+ }
+
+ /*
+@@ -828,6 +831,12 @@ int timerlat_hist_main(int argc, char *a
+ }
+
+ trace = &tool->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ hist_inst = trace;
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -894,7 +903,7 @@ int timerlat_hist_main(int argc, char *a
+
+ return_value = 0;
+
+- if (trace_is_off(&tool->trace, &record->trace)) {
++ if (trace_is_off(&tool->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+ if (params->trace_output) {
+ printf(" Saving trace to %s\n", params->trace_output);
diff --git a/queue-6.1/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch b/queue-6.1/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
new file mode 100644
index 0000000000..394f7931c6
--- /dev/null
+++ b/queue-6.1/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
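Review bot: stop_hist() now calls `trace_instance_stop(hist_inst)` from signal context, and that helper, shown earlier on this page as a wrapper around `tracefs_trace_off(trace->inst)`, is a library call whose async-signal-safety nothing here establishes. If it allocates, takes a lock or uses stdio, a SIGINT or SIGALRM that arrives while the main loop is inside the same library can deadlock or corrupt its state, so the handler should carry a comment stating why the call is safe there. The handler also writes `stop_tracing`, declared `static int`, which the main path reads in the changed `trace_is_off(...) && !stop_tracing` test; `static volatile sig_atomic_t stop_tracing;` is the type C guarantees for a flag shared with a handler. Both points apply equally to stop_top() and `top_inst` in the timerlat_top patch that follows.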
@@ -0,0 +1,72 @@
+From a4dfce7559d75430c464294ddee554be2a413c4a Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:29 +0100
+Subject: rtla/timerlat_top: Stop timerlat tracer on signal
+
+From: Tomas Glozar
+
+commit a4dfce7559d75430c464294ddee554be2a413c4a upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-4-tglozar@redhat.com
+Fixes: a828cd18bc4a ("rtla: Add timerlat tool and timelart top mode")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_top.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -575,9 +575,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *top_inst = NULL;
+ static void stop_top(int sig)
+ {
+ stop_tracing = 1;
++ if (top_inst)
++ trace_instance_stop(top_inst);
+ }
+
+ /*
+@@ -620,6 +623,13 @@ int timerlat_top_main(int argc, char *ar
+ }
+
+ trace = &top->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ top_inst = trace;
++
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -690,7 +700,7 @@ int timerlat_top_main(int argc, char *ar
+
+ return_value = 0;
+
+- if (trace_is_off(&top->trace, &record->trace)) {
++ if (trace_is_off(&top->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+ if (params->trace_output) {
+ printf(" Saving trace to %s\n", params->trace_output);
diff --git a/queue-6.1/selftests-mptcp-connect-f-no-reconnect.patch b/queue-6.1/selftests-mptcp-connect-f-no-reconnect.patch
new file mode 100644
index 0000000000..e381354497
--- /dev/null
+++ b/queue-6.1/selftests-mptcp-connect-f-no-reconnect.patch
@@ -0,0 +1,45 @@
+From 5368a67307b3b2c347dc8965ac55b888be665934 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Tue, 4 Feb 2025 23:19:53 +0100
+Subject: selftests: mptcp: connect: -f: no reconnect
+
+From: Matthieu Baerts (NGI0)
+
+commit 5368a67307b3b2c347dc8965ac55b888be665934 upstream.
+
+The '-f' parameter is there to force the kernel to emit MPTCP FASTCLOSE
+by closing the connection with unread bytes in the receive queue.
+
+The xdisconnect() helper was used to stop the connection, but it does
+more than that: it will shut it down, then wait before reconnecting to
+the same address. This causes the mptcp_join's "fastclose test" to fail
+all the time.
+
+This failure is due to a recent change, with commit 218cc166321f
+("selftests: mptcp: avoid spurious errors on disconnect"), but that went
+unnoticed because the test is currently ignored. The recent modification
+only shown an existing issue: xdisconnect() doesn't need to be used
+here, only the shutdown() part is needed.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250204-net-mptcp-sft-conn-f-v1-1-6b470c72fffa@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1216,7 +1216,7 @@ again:
+ return ret;
+
+ if (cfg_truncate > 0) {
+- xdisconnect(fd);
++ shutdown(fd, SHUT_WR);
+ } else if (--cfg_repeat > 0) {
+ xdisconnect(fd);
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 1340604b42..d047e0aa32 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -417,3 +417,32 @@ media-ccs-fix-cleanup-order-in-ccs_probe.patch
 media-uvcvideo-fix-event-flags-in-uvc_ctrl_send_events.patch
 media-uvcvideo-remove-redundant-null-assignment.patch
 mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects.patch
+ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
+crypto-qce-fix-goto-jump-in-error-path.patch
+crypto-qce-unregister-previously-registered-algos-in-error-path.patch
+nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
+nvmem-core-improve-range-check-for-nvmem_cell_write.patch
+io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+selftests-mptcp-connect-f-no-reconnect.patch
+pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
+ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
+ocfs2-handle-a-symlink-read-error-correctly.patch
+nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
+mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
+nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
+i3c-master-fix-missing-ret-assignment-in-set_speed.patch
+irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
+mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
+misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
+misc-fastrpc-fix-registered-buffer-page-address.patch
+misc-fastrpc-fix-copy-buffer-page-size.patch
+net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
+net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
+rtla-osnoise-distinguish-missing-workload-option.patch
+rtla-add-trace_instance_stop.patch
+rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
+rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
+pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
+ptp-ensure-info-enable-callback-is-always-set.patch
+rtc-zynqmp-fix-optional-clock-name-property.patch
diff --git a/queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644
index 0000000000..ffa9d267e3
--- /dev/null
+++ b/queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh
+Reviewed-by: Eric Auger
+Reviewed-by: Mostafa Saleh
+Tested-by: Mostafa Saleh
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -396,6 +396,11 @@ static ssize_t vfio_platform_read_mmio(s
+
+ count = min_t(size_t, count, reg->size - off);
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap(reg->addr, reg->size);
+@@ -477,6 +482,11 @@ static ssize_t vfio_platform_write_mmio(
+
+ if (off >= reg->size)
+ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
++ if (off >= reg->size)
++ return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+
-- 2.39.5
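Review bot: In queue-6.1/vfio-platform-check-the-bounds-of-read-write-syscalls.patch, both inner hunks add the `if (off >= reg->size) return -EINVAL;` check and the `count = min_t(size_t, count, reg->size - off);` clamp next to context lines that already contain the same statements, so the fix looks as if it is already in the 6.1 tree and this entry would apply it a second time. In the `vfio_platform_write_mmio` hunk the context directly before and after the added lines is that same check and clamp, and in the `vfio_platform_read_mmio` hunk the clamp already appears as context above the new check. As far as the visible lines show, the duplicates are redundant rather than harmful, but I would check the queue's earlier entries and drop this patch and its `series` line if the bounds check is already queued. Both functions start and end outside the hunks, so the existing check in the read path is inferred rather than shown.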