From: Greg Kroah-Hartman Date: Mon, 21 Oct 2024 07:22:20 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.10.228~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1a3fe0d2dcdd8d8b997745bc2393e033283b65c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch drm-vmwgfx-handle-surface-check-failure-correctly.patch iio-adc-ti-ads124s08-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch iio-adc-ti-ads8688-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch iio-dac-ltc1660-add-missing-select-regmap_spi-in-kconfig.patch iio-dac-stm32-dac-core-add-missing-select-regmap_mmio-in-kconfig.patch iio-hid-sensors-fix-an-error-handling-path-in-_hid_sensor_set_report_latency.patch iio-light-opt3001-add-missing-full-scale-range-value.patch iio-proximity-mb1232-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch --- diff --git a/queue-5.4/blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch b/queue-5.4/blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch new file mode 100644 index 00000000000..144754d3974 --- /dev/null +++ b/queue-5.4/blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch 
@@ -0,0 +1,107 @@ +From e972b08b91ef48488bae9789f03cfedb148667fb Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Tue, 15 Oct 2024 10:59:46 -0700 +Subject: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race + +From: Omar Sandoval + +commit e972b08b91ef48488bae9789f03cfedb148667fb upstream. + +We're seeing crashes from rq_qos_wake_function that look like this: + + BUG: unable to handle page fault for address: ffffafe180a40084 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0 + Oops: Oops: 0002 [#1] PREEMPT SMP PTI + CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40 + Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00 + RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046 + RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011 + RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084 + RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011 + R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002 + R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003 + FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + try_to_wake_up+0x5a/0x6a0 + rq_qos_wake_function+0x71/0x80 + __wake_up_common+0x75/0xa0 + __wake_up+0x36/0x60 + scale_up.part.0+0x50/0x110 + 
wb_timer_fn+0x227/0x450 + ... + +So rq_qos_wake_function() calls wake_up_process(data->task), which calls +try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock). + +p comes from data->task, and data comes from the waitqueue entry, which +is stored on the waiter's stack in rq_qos_wait(). Analyzing the core +dump with drgn, I found that the waiter had already woken up and moved +on to a completely unrelated code path, clobbering what was previously +data->task. Meanwhile, the waker was passing the clobbered garbage in +data->task to wake_up_process(), leading to the crash. + +What's happening is that in between rq_qos_wake_function() deleting the +waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding +that it already got a token and returning. The race looks like this: + +rq_qos_wait() rq_qos_wake_function() +============================================================== +prepare_to_wait_exclusive() + data->got_token = true; + list_del_init(&curr->entry); +if (data.got_token) + break; +finish_wait(&rqw->wait, &data.wq); + ^- returns immediately because + list_empty_careful(&wq_entry->entry) + is true +... return, go do something else ... + wake_up_process(data->task) + (NO LONGER VALID!)-^ + +Normally, finish_wait() is supposed to synchronize against the waker. +But, as noted above, it is returning immediately because the waitqueue +entry has already been removed from the waitqueue. + +The bug is that rq_qos_wake_function() is accessing the waitqueue entry +AFTER deleting it. Note that autoremove_wake_function() wakes the waiter +and THEN deletes the waitqueue entry, which is the proper order. + +Fix it by swapping the order. We also need to use +list_del_init_careful() to match the list_empty_careful() in +finish_wait(). 
+ +Fixes: 38cfb5a45ee0 ("blk-wbt: improve waking of tasks") +Cc: stable@vger.kernel.org +Signed-off-by: Omar Sandoval +Acked-by: Tejun Heo +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/d3bee2463a67b1ee597211823bf7ad3721c26e41.1729014591.git.osandov@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-rq-qos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/blk-rq-qos.c ++++ b/block/blk-rq-qos.c +@@ -225,8 +225,8 @@ static int rq_qos_wake_function(struct w + + data->got_token = true; + smp_wmb(); +- list_del_init(&curr->entry); + wake_up_process(data->task); ++ list_del_init_careful(&curr->entry); + return 1; + } + diff --git a/queue-5.4/drm-vmwgfx-handle-surface-check-failure-correctly.patch b/queue-5.4/drm-vmwgfx-handle-surface-check-failure-correctly.patch new file mode 100644 index 00000000000..b7de9367efd --- /dev/null +++ b/queue-5.4/drm-vmwgfx-handle-surface-check-failure-correctly.patch 
@@ -0,0 +1,37 @@ +From 26498b8d54373d31a621d7dec95c4bd842563b3b Mon Sep 17 00:00:00 2001 +From: Nikolay Kuratov +Date: Wed, 2 Oct 2024 15:24:29 +0300 +Subject: drm/vmwgfx: Handle surface check failure correctly + +From: Nikolay Kuratov + +commit 26498b8d54373d31a621d7dec95c4bd842563b3b upstream. + +Currently if condition (!bo and !vmw_kms_srf_ok()) was met +we go to err_out with ret == 0. +err_out dereferences vfb if ret == 0, but in our case vfb is still NULL. + +Fix this by assigning sensible error to ret. + +Found by Linux Verification Center (linuxtesting.org) with SVACE + +Signed-off-by: Nikolay Kuratov +Cc: stable@vger.kernel.org +Fixes: 810b3e1683d0 ("drm/vmwgfx: Support topology greater than texture size") +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20241002122429.1981822-1-kniv@yandex-team.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -1410,6 +1410,7 @@ static struct drm_framebuffer *vmw_kms_f + DRM_ERROR("Surface size cannot exceed %dx%d", + dev_priv->texture_max_width, + dev_priv->texture_max_height); ++ ret = -EINVAL; + goto err_out; + } + diff --git a/queue-5.4/iio-adc-ti-ads124s08-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch b/queue-5.4/iio-adc-ti-ads124s08-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch new file mode 100644 index 00000000000..28b2e7fc0b6 --- /dev/null +++ b/queue-5.4/iio-adc-ti-ads124s08-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch 
@@ -0,0 +1,35 @@ +From eb143d05def52bc6d193e813018e5fa1a0e47c77 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Thu, 3 Oct 2024 23:04:49 +0200 +Subject: iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig + +From: Javier Carrasco + +commit eb143d05def52bc6d193e813018e5fa1a0e47c77 upstream. + +This driver makes use of triggered buffers, but does not select the +required modules. + +Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. + +Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241003-iio-select-v1-3-67c0385197cd@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -992,6 +992,8 @@ config TI_ADS8688 + config TI_ADS124S08 + tristate "Texas Instruments ADS124S08" + depends on SPI && OF ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + If you say yes here you get support for Texas Instruments ADS124S08 + and ADS124S06 ADC chips diff --git a/queue-5.4/iio-adc-ti-ads8688-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch b/queue-5.4/iio-adc-ti-ads8688-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch new file mode 100644 index 00000000000..587f5d75b4d --- /dev/null +++ b/queue-5.4/iio-adc-ti-ads8688-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch 
@@ -0,0 +1,36 @@ +From 4c4834fd8696a949d1b1f1c2c5b96e1ad2083b02 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Thu, 3 Oct 2024 23:04:50 +0200 +Subject: iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig + +From: Javier Carrasco + +commit 4c4834fd8696a949d1b1f1c2c5b96e1ad2083b02 upstream. + +This driver makes use of triggered buffers, but does not select the +required modules. + +Fixes: 2a86487786b5 ("iio: adc: ti-ads8688: add trigger and buffer support") +Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. + +Signed-off-by: Javier Carrasco +Reviewed-by: Sean Nyekjaer +Link: https://patch.msgid.link/20241003-iio-select-v1-4-67c0385197cd@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -980,6 +980,8 @@ config TI_ADS8344 + config TI_ADS8688 + tristate "Texas Instruments ADS8688" + depends on SPI && OF ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + If you say yes here you get support for Texas Instruments ADS8684 and + and ADS8688 ADC chips diff --git a/queue-5.4/iio-dac-ltc1660-add-missing-select-regmap_spi-in-kconfig.patch b/queue-5.4/iio-dac-ltc1660-add-missing-select-regmap_spi-in-kconfig.patch new file mode 100644 index 00000000000..06255a8a44e --- /dev/null +++ b/queue-5.4/iio-dac-ltc1660-add-missing-select-regmap_spi-in-kconfig.patch 
@@ -0,0 +1,33 @@ +From 252ff06a4cb4e572cb3c7fcfa697db96b08a7781 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Thu, 3 Oct 2024 18:49:39 +0200 +Subject: iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig + +From: Javier Carrasco + +commit 252ff06a4cb4e572cb3c7fcfa697db96b08a7781 upstream. + +This driver makes use of regmap_spi, but does not select the required +module. +Add the missing 'select REGMAP_SPI'. + +Fixes: 8316cebd1e59 ("iio: dac: add support for ltc1660") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-7-4019453f8c33@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/dac/Kconfig ++++ b/drivers/iio/dac/Kconfig +@@ -124,6 +124,7 @@ config AD5624R_SPI + config LTC1660 + tristate "Linear Technology LTC1660/LTC1665 DAC SPI driver" + depends on SPI ++ select REGMAP_SPI + help + Say yes here to build support for Linear Technology + LTC1660 and LTC1665 Digital to Analog Converters. diff --git a/queue-5.4/iio-dac-stm32-dac-core-add-missing-select-regmap_mmio-in-kconfig.patch b/queue-5.4/iio-dac-stm32-dac-core-add-missing-select-regmap_mmio-in-kconfig.patch new file mode 100644 index 00000000000..d362610d649 --- /dev/null +++ b/queue-5.4/iio-dac-stm32-dac-core-add-missing-select-regmap_mmio-in-kconfig.patch 
@@ -0,0 +1,33 @@ +From 27b6aa68a68105086aef9f0cb541cd688e5edea8 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Thu, 3 Oct 2024 18:49:40 +0200 +Subject: iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig + +From: Javier Carrasco + +commit 27b6aa68a68105086aef9f0cb541cd688e5edea8 upstream. + +This driver makes use of regmap_mmio, but does not select the required +module. +Add the missing 'select REGMAP_MMIO'. + +Fixes: 4d4b30526eb8 ("iio: dac: add support for stm32 DAC") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-8-4019453f8c33@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/dac/Kconfig ++++ b/drivers/iio/dac/Kconfig +@@ -347,6 +347,7 @@ config STM32_DAC + + config STM32_DAC_CORE + tristate ++ select REGMAP_MMIO + + config TI_DAC082S085 + tristate "Texas Instruments 8/10/12-bit 2/4-channel DAC driver" diff --git a/queue-5.4/iio-hid-sensors-fix-an-error-handling-path-in-_hid_sensor_set_report_latency.patch b/queue-5.4/iio-hid-sensors-fix-an-error-handling-path-in-_hid_sensor_set_report_latency.patch new file mode 100644 index 00000000000..4a29baa0081 --- /dev/null +++ b/queue-5.4/iio-hid-sensors-fix-an-error-handling-path-in-_hid_sensor_set_report_latency.patch 
@@ -0,0 +1,34 @@ +From 3a29b84cf7fbf912a6ab1b9c886746f02b74ea25 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Thu, 3 Oct 2024 20:41:12 +0200 +Subject: iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() + +From: Christophe JAILLET + +commit 3a29b84cf7fbf912a6ab1b9c886746f02b74ea25 upstream. + +If hid_sensor_set_report_latency() fails, the error code should be returned +instead of a value likely to be interpreted as 'success'. + +Fixes: 138bc7969c24 ("iio: hid-sensor-hub: Implement batch mode") +Signed-off-by: Christophe JAILLET +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/c50640665f091a04086e5092cf50f73f2055107a.1727980825.git.christophe.jaillet@wanadoo.fr +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c ++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c +@@ -33,7 +33,7 @@ static ssize_t _hid_sensor_set_report_la + latency = integer * 1000 + fract / 1000; + ret = hid_sensor_set_report_latency(attrb, latency); + if (ret < 0) +- return len; ++ return ret; + + attrb->latency_ms = hid_sensor_get_report_latency(attrb); + diff --git a/queue-5.4/iio-light-opt3001-add-missing-full-scale-range-value.patch b/queue-5.4/iio-light-opt3001-add-missing-full-scale-range-value.patch new file mode 100644 index 00000000000..9731769804e --- /dev/null +++ b/queue-5.4/iio-light-opt3001-add-missing-full-scale-range-value.patch 
@@ -0,0 +1,41 @@ +From 530688e39c644543b71bdd9cb45fdfb458a28eaa Mon Sep 17 00:00:00 2001 +From: Emil Gedenryd +Date: Fri, 13 Sep 2024 11:57:02 +0200 +Subject: iio: light: opt3001: add missing full-scale range value + +From: Emil Gedenryd + +commit 530688e39c644543b71bdd9cb45fdfb458a28eaa upstream. + +The opt3001 driver uses predetermined full-scale range values to +determine what exponent to use for event trigger threshold values. +The problem is that one of the values specified in the datasheet is +missing from the implementation. This causes larger values to be +scaled down to an incorrect exponent, effectively reducing the +maximum settable threshold value by a factor of 2. + +Add missing full-scale range array value. + +Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor") +Signed-off-by: Emil Gedenryd +Cc: +Link: https://patch.msgid.link/20240913-add_opt3002-v2-1-69e04f840360@axis.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/opt3001.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/iio/light/opt3001.c ++++ b/drivers/iio/light/opt3001.c +@@ -138,6 +138,10 @@ static const struct opt3001_scale opt300 + .val2 = 400000, + }, + { ++ .val = 41932, ++ .val2 = 800000, ++ }, ++ { + .val = 83865, + .val2 = 600000, + }, diff --git a/queue-5.4/iio-proximity-mb1232-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch b/queue-5.4/iio-proximity-mb1232-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch new file mode 100644 index 00000000000..0e7dfe91bc8 --- /dev/null +++ b/queue-5.4/iio-proximity-mb1232-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch 
@@ -0,0 +1,35 @@ +From 75461a0b15d7c026924d0001abce0476bbc7eda8 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Thu, 3 Oct 2024 23:04:59 +0200 +Subject: iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig + +From: Javier Carrasco + +commit 75461a0b15d7c026924d0001abce0476bbc7eda8 upstream. + +This driver makes use of triggered buffers, but does not select the +required modules. + +Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. + +Fixes: 16b05261537e ("mb1232.c: add distance iio sensor with i2c") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241003-iio-select-v1-13-67c0385197cd@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/proximity/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/proximity/Kconfig ++++ b/drivers/iio/proximity/Kconfig +@@ -49,6 +49,8 @@ config LIDAR_LITE_V2 + config MB1232 + tristate "MaxSonar I2CXL family ultrasonic sensors" + depends on I2C ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say Y to build a driver for the ultrasonic sensors I2CXL of + MaxBotix which have an i2c interface. It can be used to measure diff --git a/queue-5.4/series b/queue-5.4/series index 11f79f34c45..088ff4df2f9 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -362,3 +362,12 @@ kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch s390-sclp_vt220-convert-newlines-to-crlf-instead-of-lfcr.patch kvm-s390-change-virtual-to-physical-address-access-in-diag-0x258-handler.patch x86-cpufeatures-define-x86_feature_amd_ibpb_ret.patch +blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch +drm-vmwgfx-handle-surface-check-failure-correctly.patch +iio-dac-ltc1660-add-missing-select-regmap_spi-in-kconfig.patch +iio-dac-stm32-dac-core-add-missing-select-regmap_mmio-in-kconfig.patch +iio-adc-ti-ads8688-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch +iio-hid-sensors-fix-an-error-handling-path-in-_hid_sensor_set_report_latency.patch +iio-light-opt3001-add-missing-full-scale-range-value.patch +iio-proximity-mb1232-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch +iio-adc-ti-ads124s08-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch
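Review bot: in the block/blk-rq-qos.c hunk, the replacement line calls list_del_init_careful(), which has to be defined in the 5.4 tree already, because none of the nine patches queued in this commit adds it; a build of block/blk-rq-qos.c against 5.4 with this patch applied would confirm that. The ordering is also easy to undo by accident: a one-line comment above wake_up_process(data->task) saying that data lives on the waiter's stack and must not be touched once the entry has been deleted would record in the code what the commit message explains.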
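Review bot: in the drivers/gpu/drm/vmwgfx/vmwgfx_kms.c hunk, setting ret = -EINVAL before goto err_out closes this one path, but according to the commit message err_out still decides whether to dereference vfb from ret == 0 alone, so any other jump to err_out that leaves ret at 0 would hit the same NULL dereference. Checking vfb itself at err_out, or initialising ret to an error value, would make the label safe regardless of the caller path. The DRM_ERROR format string in the context lines also has no trailing newline.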
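Review bot: in the ti-ads8688 patch, the Fixes: line sits in the middle of the changelog body, ahead of the sentence "Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'", rather than in the trailer block with the Signed-off-by lines as in the ti-ads124s08 and mb1232 patches; it reads more consistently when kept with the other trailers. The help text in the hunk's context also carries a doubled word ("ADS8684 and" followed by "and ADS8688") that could be cleaned up while the entry is being touched.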
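Review bot: in the drivers/iio/common/hid-sensors/hid-sensor-trigger.c hunk, the line right after the fixed return, attrb->latency_ms = hid_sensor_get_report_latency(attrb);, stores the helper's result without a check, so if that call can return a negative error it ends up in latency_ms and the store still reports success. The same treatment as the set path (test the value, return the error) would make the function consistent. The changed line itself, return ret; in place of return len;, is the right fix for the set path.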
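Review bot: in the drivers/iio/light/opt3001.c hunk, the new entry (.val = 41932, .val2 = 800000) is exactly half of the following one (83865, 600000), which matches the factor-of-2 gap the changelog describes, but nothing in the table says that each entry doubles the previous one, which is how the gap went unnoticed. A short comment above the array stating the progression and pointing at the datasheet table would let the next reader spot a missing step. Since the array grows by one element, any code that indexes it with a hard-coded count rather than ARRAY_SIZE() should be checked as well; none is visible in this hunk.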
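Review bot: in the queue-5.4/series hunk, the two patches that touch drivers/iio/adc/Kconfig are queued in the opposite order to their upstream series numbering: ti-ads8688 (iio-select-v1-4) is applied first and ti-ads124s08 (iio-select-v1-3) last. The ti-ads124s08 hunk is written against line 992 and its context includes the TI_ADS8688 entry header, so once the ti-ads8688 patch has inserted two lines above it, the hunk will only apply at an offset. It should still apply cleanly, but queuing the two in upstream order would avoid the offset.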