From 2097a2d1abf8cd67333e66b5d61c951d74a34ef4 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 26 Jan 2024 15:37:57 -0800 Subject: [PATCH] 6.7-stable patches added patches: arm-dts-qcom-sdx55-fix-usb-dp-dm-hs-phy-interrupts.patch arm-dts-qcom-sdx55-fix-usb-ss-wakeup.patch arm64-dts-qcom-sc8180x-fix-usb-dp-dm-hs-phy-interrupts.patch arm64-dts-qcom-sc8180x-fix-usb-ss-wakeup.patch arm64-dts-qcom-sdm670-fix-usb-dp-dm-hs-phy-interrupts.patch arm64-dts-qcom-sdm670-fix-usb-ss-wakeup.patch arm64-dts-qcom-sdm845-fix-usb-dp-dm-hs-phy-interrupts.patch arm64-dts-qcom-sdm845-fix-usb-ss-wakeup.patch arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch arm64-dts-qcom-sm8150-fix-usb-ss-wakeup.patch arm64-entry-fix-arm64_workaround_speculative_unpriv_load.patch arm64-errata-add-cortex-a510-speculative-unprivileged-load-workaround.patch arm64-rename-arm64_workaround_2966298.patch arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch dlm-use-kernel_connect-and-kernel_bind.patch docs-kernel_abi.py-fix-command-injection.patch efi-disable-mirror-feature-during-crashkernel.patch kdump-defer-the-insertion-of-crashkernel-resources.patch lsm-new-security_file_ioctl_compat-hook.patch media-i2c-st-mipid02-correct-format-propagation.patch media-mtk-jpeg-fix-timeout-schedule-error-in-mtk_jpegdec_worker.patch media-mtk-jpeg-fix-use-after-free-bug-due-to-error-path-handling-in-mtk_jpeg_dec_device_run.patch media-videobuf2-dma-sg-fix-vmap-callback.patch mmc-core-use-mrq.sbc-in-close-ended-ffu.patch mmc-mmc_spi-remove-custom-dma-mapped-buffers.patch nouveau-gsp-handle-engines-in-runl-without-nonstall-interrupts.patch nouveau-vmm-don-t-set-addr-on-the-fail-path-to-avoid-warning.patch risc-v-selftests-cbo-ensure-asm-operands-match-constraints.patch riscv-mm-fixup-compat-arch_get_mmap_end.patch riscv-mm-fixup-compat-mode-boot-failure.patch rtc-add-support-for-configuring-the-uip-timeout-for-rtc-reads.patch rtc-adjust-failure-return-code-for-cmos_set_alarm.patch rtc-cmos-use-acpi-alarm-for-non-intel-x86-systems-too.patch rtc-extend-timeout-for-waiting-for-uip-to-clear-to-1s.patch rtc-mc146818-lib-adjust-failure-return-code-for-mc146818_get_time.patch scripts-get_abi-fix-source-path-leak.patch ubifs-ubifs_symlink-fix-memleak-of-inode-i_link-in-error-path.patch --- ...dx55-fix-usb-dp-dm-hs-phy-interrupts.patch | 50 ++ ...arm-dts-qcom-sdx55-fix-usb-ss-wakeup.patch | 37 ++ ...180x-fix-usb-dp-dm-hs-phy-interrupts.patch | 66 +++ ...4-dts-qcom-sc8180x-fix-usb-ss-wakeup.patch | 45 ++ ...m670-fix-usb-dp-dm-hs-phy-interrupts.patch | 50 ++ ...64-dts-qcom-sdm670-fix-usb-ss-wakeup.patch | 37 ++ ...m845-fix-usb-dp-dm-hs-phy-interrupts.patch | 63 +++ ...64-dts-qcom-sdm845-fix-usb-ss-wakeup.patch | 44 ++ ...8150-fix-usb-dp-dm-hs-phy-interrupts.patch | 66 +++ ...64-dts-qcom-sm8150-fix-usb-ss-wakeup.patch | 47 ++ ...4_workaround_speculative_unpriv_load.patch | 134 ++++++ ...ulative-unprivileged-load-workaround.patch | 100 ++++ ...rm64-rename-arm64_workaround_2966298.patch | 81 ++++ ...me_alloc-early-with-existing-storage.patch | 42 ++ ...m-use-kernel_connect-and-kernel_bind.patch | 74 +++ ...-kernel_abi.py-fix-command-injection.patch | 150 ++++++ ...le-mirror-feature-during-crashkernel.patch | 47 ++ ...e-insertion-of-crashkernel-resources.patch | 120 +++++ ...-new-security_file_ioctl_compat-hook.patch | 187 ++++++++ ...t-mipid02-correct-format-propagation.patch | 53 +++ ...schedule-error-in-mtk_jpegdec_worker.patch | 51 ++ ...-handling-in-mtk_jpeg_dec_device_run.patch | 69 +++ ...a-videobuf2-dma-sg-fix-vmap-callback.patch | 44 ++ ...-core-use-mrq.sbc-in-close-ended-ffu.patch | 145 ++++++ ...spi-remove-custom-dma-mapped-buffers.patch | 448 ++++++++++++++++++ ...-in-runl-without-nonstall-interrupts.patch | 66 +++ ...dr-on-the-fail-path-to-avoid-warning.patch | 80 ++++ ...nsure-asm-operands-match-constraints.patch | 55 +++ ...cv-mm-fixup-compat-arch_get_mmap_end.patch | 38 ++ ...cv-mm-fixup-compat-mode-boot-failure.patch | 46 ++ ...guring-the-uip-timeout-for-rtc-reads.patch | 231 +++++++++ ...ilure-return-code-for-cmos_set_alarm.patch | 50 ++ ...-alarm-for-non-intel-x86-systems-too.patch | 70 +++ ...t-for-waiting-for-uip-to-clear-to-1s.patch | 85 ++++ ...re-return-code-for-mc146818_get_time.patch | 44 ++ ...scripts-get_abi-fix-source-path-leak.patch | 40 ++ queue-6.7/series | 37 ++ ...emleak-of-inode-i_link-in-error-path.patch | 56 +++ 38 files changed, 3148 insertions(+) create mode 100644 queue-6.7/arm-dts-qcom-sdx55-fix-usb-dp-dm-hs-phy-interrupts.patch create mode 100644 queue-6.7/arm-dts-qcom-sdx55-fix-usb-ss-wakeup.patch create mode 100644 queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-dp-dm-hs-phy-interrupts.patch create mode 100644 queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-ss-wakeup.patch create mode 100644 queue-6.7/arm64-dts-qcom-sdm670-fix-usb-dp-dm-hs-phy-interrupts.patch create mode 100644 queue-6.7/arm64-dts-qcom-sdm670-fix-usb-ss-wakeup.patch create mode 100644 queue-6.7/arm64-dts-qcom-sdm845-fix-usb-dp-dm-hs-phy-interrupts.patch create mode 100644 queue-6.7/arm64-dts-qcom-sdm845-fix-usb-ss-wakeup.patch create mode 100644 queue-6.7/arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch create mode 100644 queue-6.7/arm64-dts-qcom-sm8150-fix-usb-ss-wakeup.patch create mode 100644 queue-6.7/arm64-entry-fix-arm64_workaround_speculative_unpriv_load.patch create mode 100644 queue-6.7/arm64-errata-add-cortex-a510-speculative-unprivileged-load-workaround.patch create mode 100644 queue-6.7/arm64-rename-arm64_workaround_2966298.patch create mode 100644 queue-6.7/arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch create mode 100644 queue-6.7/dlm-use-kernel_connect-and-kernel_bind.patch create mode 100644 queue-6.7/docs-kernel_abi.py-fix-command-injection.patch create mode 100644 queue-6.7/efi-disable-mirror-feature-during-crashkernel.patch create mode 100644 queue-6.7/kdump-defer-the-insertion-of-crashkernel-resources.patch create mode 100644 queue-6.7/lsm-new-security_file_ioctl_compat-hook.patch create mode 100644 queue-6.7/media-i2c-st-mipid02-correct-format-propagation.patch create mode 100644 queue-6.7/media-mtk-jpeg-fix-timeout-schedule-error-in-mtk_jpegdec_worker.patch create mode 100644 queue-6.7/media-mtk-jpeg-fix-use-after-free-bug-due-to-error-path-handling-in-mtk_jpeg_dec_device_run.patch create mode 100644 queue-6.7/media-videobuf2-dma-sg-fix-vmap-callback.patch create mode 100644 queue-6.7/mmc-core-use-mrq.sbc-in-close-ended-ffu.patch create mode 100644 queue-6.7/mmc-mmc_spi-remove-custom-dma-mapped-buffers.patch create mode 100644 queue-6.7/nouveau-gsp-handle-engines-in-runl-without-nonstall-interrupts.patch create mode 100644 queue-6.7/nouveau-vmm-don-t-set-addr-on-the-fail-path-to-avoid-warning.patch create mode 100644 queue-6.7/risc-v-selftests-cbo-ensure-asm-operands-match-constraints.patch create mode 100644 queue-6.7/riscv-mm-fixup-compat-arch_get_mmap_end.patch create mode 100644 queue-6.7/riscv-mm-fixup-compat-mode-boot-failure.patch create mode 100644 queue-6.7/rtc-add-support-for-configuring-the-uip-timeout-for-rtc-reads.patch create mode 100644 queue-6.7/rtc-adjust-failure-return-code-for-cmos_set_alarm.patch create mode 100644 queue-6.7/rtc-cmos-use-acpi-alarm-for-non-intel-x86-systems-too.patch create mode 100644 queue-6.7/rtc-extend-timeout-for-waiting-for-uip-to-clear-to-1s.patch create mode 100644 queue-6.7/rtc-mc146818-lib-adjust-failure-return-code-for-mc146818_get_time.patch create mode 100644 queue-6.7/scripts-get_abi-fix-source-path-leak.patch create mode 100644 queue-6.7/ubifs-ubifs_symlink-fix-memleak-of-inode-i_link-in-error-path.patch diff --git a/queue-6.7/arm-dts-qcom-sdx55-fix-usb-dp-dm-hs-phy-interrupts.patch b/queue-6.7/arm-dts-qcom-sdx55-fix-usb-dp-dm-hs-phy-interrupts.patch new file mode 100644 index 00000000000..413c7e4efb6 --- /dev/null +++ b/queue-6.7/arm-dts-qcom-sdx55-fix-usb-dp-dm-hs-phy-interrupts.patch @@ -0,0 +1,50 @@ +From de95f139394a5ed82270f005bc441d2e7c1e51b7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Dec 2023 18:31:30 +0100 +Subject: ARM: dts: qcom: sdx55: fix USB DP/DM HS PHY interrupts + +From: Johan Hovold + +commit de95f139394a5ed82270f005bc441d2e7c1e51b7 upstream. + +The USB DP/DM HS PHY interrupts need to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states and to be able to detect disconnect events, which requires +triggering on falling edges. + +A recent commit updated the trigger type but failed to change the +interrupt provider as required. This leads to the current Linux driver +failing to probe instead of printing an error during suspend and USB +wakeup not working as intended. + +Fixes: d0ec3c4c11c3 ("ARM: dts: qcom: sdx55: fix USB wakeup interrupt types") +Fixes: fea4b41022f3 ("ARM: dts: qcom: sdx55: Add USB3 and PHY support") +Cc: stable@vger.kernel.org # 5.12 +Cc: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20231213173131.29436-3-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom/qcom-sdx55.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi ++++ b/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi +@@ -585,10 +585,10 @@ + <&gcc GCC_USB30_MASTER_CLK>; + assigned-clock-rates = <19200000>, <200000000>; + +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 198 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 11 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc 10 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.7/arm-dts-qcom-sdx55-fix-usb-ss-wakeup.patch b/queue-6.7/arm-dts-qcom-sdx55-fix-usb-ss-wakeup.patch new file mode 100644 index 00000000000..c14801c56ed --- /dev/null +++ b/queue-6.7/arm-dts-qcom-sdx55-fix-usb-ss-wakeup.patch @@ -0,0 +1,37 @@ +From 710dd03464e4ab5b3d329768388b165d61958577 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Dec 2023 18:31:31 +0100 +Subject: ARM: dts: qcom: sdx55: fix USB SS wakeup + +From: Johan Hovold + +commit 710dd03464e4ab5b3d329768388b165d61958577 upstream. + +The USB SS PHY interrupt needs to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states. + +Fixes: fea4b41022f3 ("ARM: dts: qcom: sdx55: Add USB3 and PHY support") +Cc: stable@vger.kernel.org # 5.12 +Cc: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20231213173131.29436-4-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom/qcom-sdx55.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi ++++ b/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi +@@ -586,7 +586,7 @@ + assigned-clock-rates = <19200000>, <200000000>; + + interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 198 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 51 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 11 IRQ_TYPE_EDGE_BOTH>, + <&pdc 10 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", diff --git a/queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-dp-dm-hs-phy-interrupts.patch b/queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-dp-dm-hs-phy-interrupts.patch new file mode 100644 index 00000000000..e878d356e20 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-dp-dm-hs-phy-interrupts.patch @@ -0,0 +1,66 @@ +From 687d402bb350b392fa330e9d9d1b917777ee9ed1 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Dec 2023 18:33:59 +0100 +Subject: arm64: dts: qcom: sc8180x: fix USB DP/DM HS PHY interrupts + +From: Johan Hovold + +commit 687d402bb350b392fa330e9d9d1b917777ee9ed1 upstream. + +The USB DP/DM HS PHY interrupts need to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states and to be able to detect disconnect events, which requires +triggering on falling edges. + +A recent commit updated the trigger type but failed to change the +interrupt provider as required. This leads to the current Linux driver +failing to probe instead of printing an error during suspend and USB +wakeup not working as intended. + +Fixes: 0dc0f6da3d43 ("arm64: dts: qcom: sc8180x: fix USB wakeup interrupt types") +Fixes: b080f53a8f44 ("arm64: dts: qcom: sc8180x: Add remoteprocs, wifi and usb nodes") +Cc: stable@vger.kernel.org # 6.5 +Cc: Vinod Koul +Reported-by: Konrad Dybcio +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Tested-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231213173403.29544-2-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sc8180x.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc8180x.dtsi +@@ -2552,10 +2552,10 @@ + usb_prim: usb@a6f8800 { + compatible = "qcom,sc8180x-dwc3", "qcom,dwc3"; + reg = <0 0x0a6f8800 0 0x400>; +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 8 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", + "ss_phy_irq", + "dm_hs_phy_irq", +@@ -2626,10 +2626,10 @@ + "xo"; + resets = <&gcc GCC_USB30_SEC_BCR>; + power-domains = <&gcc USB30_SEC_GDSC>; +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 10 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc 11 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-ss-wakeup.patch b/queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-ss-wakeup.patch new file mode 100644 index 00000000000..5731d52fdb2 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sc8180x-fix-usb-ss-wakeup.patch @@ -0,0 +1,45 @@ +From 0afa885d42d05d30161ab8eab1ebacd993edb82b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 14 Dec 2023 08:43:19 +0100 +Subject: arm64: dts: qcom: sc8180x: fix USB SS wakeup + +From: Johan Hovold + +commit 0afa885d42d05d30161ab8eab1ebacd993edb82b upstream. + +The USB SS PHY interrupt needs to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states. + +Fixes: b080f53a8f44 ("arm64: dts: qcom: sc8180x: Add remoteprocs, wifi and usb nodes") +Cc: stable@vger.kernel.org # 6.5 +Cc: Vinod Koul +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231214074319.11023-4-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sc8180x.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc8180x.dtsi +@@ -2553,7 +2553,7 @@ + compatible = "qcom,sc8180x-dwc3", "qcom,dwc3"; + reg = <0 0x0a6f8800 0 0x400>; + interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 6 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 8 IRQ_TYPE_EDGE_BOTH>, + <&pdc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", +@@ -2627,7 +2627,7 @@ + resets = <&gcc GCC_USB30_SEC_BCR>; + power-domains = <&gcc USB30_SEC_GDSC>; + interrupts-extended = <&intc GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 7 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 10 IRQ_TYPE_EDGE_BOTH>, + <&pdc 11 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", diff --git a/queue-6.7/arm64-dts-qcom-sdm670-fix-usb-dp-dm-hs-phy-interrupts.patch b/queue-6.7/arm64-dts-qcom-sdm670-fix-usb-dp-dm-hs-phy-interrupts.patch new file mode 100644 index 00000000000..b44a77debd2 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sdm670-fix-usb-dp-dm-hs-phy-interrupts.patch @@ -0,0 +1,50 @@ +From c42d12ea105f67b0f137f1e52d5c59d13fe12b1f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 14 Dec 2023 08:43:17 +0100 +Subject: arm64: dts: qcom: sdm670: fix USB DP/DM HS PHY interrupts + +From: Johan Hovold + +commit c42d12ea105f67b0f137f1e52d5c59d13fe12b1f upstream. + +The USB DP/DM HS PHY interrupts need to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states and to be able to detect disconnect events, which requires +triggering on falling edges. + +A recent commit updated the trigger type but failed to change the +interrupt provider as required. This leads to the current Linux driver +failing to probe instead of printing an error during suspend and USB +wakeup not working as intended. + +Fixes: de3b3de30999 ("arm64: dts: qcom: sdm670: fix USB wakeup interrupt types") +Fixes: 07c8ded6e373 ("arm64: dts: qcom: add sdm670 and pixel 3a device trees") +Cc: stable@vger.kernel.org # 6.2 +Cc: Richard Acayan +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Tested-by: Richard Acayan +Link: https://lore.kernel.org/r/20231214074319.11023-2-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm670.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sdm670.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm670.dtsi +@@ -1295,10 +1295,10 @@ + <&gcc GCC_USB30_PRIM_MASTER_CLK>; + assigned-clock-rates = <19200000>, <150000000>; + +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 8 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.7/arm64-dts-qcom-sdm670-fix-usb-ss-wakeup.patch b/queue-6.7/arm64-dts-qcom-sdm670-fix-usb-ss-wakeup.patch new file mode 100644 index 00000000000..6f19d248af2 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sdm670-fix-usb-ss-wakeup.patch @@ -0,0 +1,37 @@ +From 047b2edc35b8db22354b4fba37818b548fc18896 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 14 Dec 2023 08:43:18 +0100 +Subject: arm64: dts: qcom: sdm670: fix USB SS wakeup + +From: Johan Hovold + +commit 047b2edc35b8db22354b4fba37818b548fc18896 upstream. + +The USB SS PHY interrupt needs to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states. + +Fixes: 07c8ded6e373 ("arm64: dts: qcom: add sdm670 and pixel 3a device trees") +Cc: stable@vger.kernel.org # 6.2 +Cc: Richard Acayan +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Tested-by: Richard Acayan +Link: https://lore.kernel.org/r/20231214074319.11023-3-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm670.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/sdm670.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm670.dtsi +@@ -1296,7 +1296,7 @@ + assigned-clock-rates = <19200000>, <150000000>; + + interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 6 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 8 IRQ_TYPE_EDGE_BOTH>, + <&pdc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", diff --git a/queue-6.7/arm64-dts-qcom-sdm845-fix-usb-dp-dm-hs-phy-interrupts.patch b/queue-6.7/arm64-dts-qcom-sdm845-fix-usb-dp-dm-hs-phy-interrupts.patch new file mode 100644 index 00000000000..0c1efa56d27 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sdm845-fix-usb-dp-dm-hs-phy-interrupts.patch @@ -0,0 +1,63 @@ +From 204f9ed4bad6293933179517624143b8f412347c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Dec 2023 18:34:00 +0100 +Subject: arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts + +From: Johan Hovold + +commit 204f9ed4bad6293933179517624143b8f412347c upstream. + +The USB DP/DM HS PHY interrupts need to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states and to be able to detect disconnect events, which requires +triggering on falling edges. + +A recent commit updated the trigger type but failed to change the +interrupt provider as required. This leads to the current Linux driver +failing to probe instead of printing an error during suspend and USB +wakeup not working as intended. + +Fixes: 84ad9ac8d9ca ("arm64: dts: qcom: sdm845: fix USB wakeup interrupt types") +Fixes: ca4db2b538a1 ("arm64: dts: qcom: sdm845: Add USB-related nodes") +Cc: stable@vger.kernel.org # 4.20 +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231213173403.29544-3-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -4053,10 +4053,10 @@ + <&gcc GCC_USB30_PRIM_MASTER_CLK>; + assigned-clock-rates = <19200000>, <150000000>; + +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc_intc 8 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc_intc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + +@@ -4104,10 +4104,10 @@ + <&gcc GCC_USB30_SEC_MASTER_CLK>; + assigned-clock-rates = <19200000>, <150000000>; + +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc_intc 10 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc_intc 11 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.7/arm64-dts-qcom-sdm845-fix-usb-ss-wakeup.patch b/queue-6.7/arm64-dts-qcom-sdm845-fix-usb-ss-wakeup.patch new file mode 100644 index 00000000000..659b2827893 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sdm845-fix-usb-ss-wakeup.patch @@ -0,0 +1,44 @@ +From 971f5d8b0618d09db75184ddd8cca0767514db5d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Dec 2023 18:34:01 +0100 +Subject: arm64: dts: qcom: sdm845: fix USB SS wakeup + +From: Johan Hovold + +commit 971f5d8b0618d09db75184ddd8cca0767514db5d upstream. + +The USB SS PHY interrupts need to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states. + +Fixes: ca4db2b538a1 ("arm64: dts: qcom: sdm845: Add USB-related nodes") +Cc: stable@vger.kernel.org # 4.20 +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231213173403.29544-4-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -4054,7 +4054,7 @@ + assigned-clock-rates = <19200000>, <150000000>; + + interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc_intc 6 IRQ_TYPE_LEVEL_HIGH>, + <&pdc_intc 8 IRQ_TYPE_EDGE_BOTH>, + <&pdc_intc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", +@@ -4105,7 +4105,7 @@ + assigned-clock-rates = <19200000>, <150000000>; + + interrupts-extended = <&intc GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc_intc 7 IRQ_TYPE_LEVEL_HIGH>, + <&pdc_intc 10 IRQ_TYPE_EDGE_BOTH>, + <&pdc_intc 11 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", diff --git a/queue-6.7/arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch b/queue-6.7/arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch new file mode 100644 index 00000000000..1ab9c7cf3c6 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch @@ -0,0 +1,66 @@ +From 134de5e831775e8b178db9b131c1d3769a766982 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Dec 2023 18:34:02 +0100 +Subject: arm64: dts: qcom: sm8150: fix USB DP/DM HS PHY interrupts + +From: Johan Hovold + +commit 134de5e831775e8b178db9b131c1d3769a766982 upstream. + +The USB DP/DM HS PHY interrupts need to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states and to be able to detect disconnect events, which requires +triggering on falling edges. + +A recent commit updated the trigger type but failed to change the +interrupt provider as required. This leads to the current Linux driver +failing to probe instead of printing an error during suspend and USB +wakeup not working as intended. + +Fixes: 54524b6987d1 ("arm64: dts: qcom: sm8150: fix USB wakeup interrupt types") +Fixes: 0c9dde0d2015 ("arm64: dts: qcom: sm8150: Add secondary USB and PHY nodes") +Fixes: b33d2868e8d3 ("arm64: dts: qcom: sm8150: Add USB and PHY device nodes") +Cc: stable@vger.kernel.org # 5.10 +Cc: Jack Pham +Cc: Jonathan Marek +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231213173403.29544-5-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sm8150.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sm8150.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8150.dtsi +@@ -3565,10 +3565,10 @@ + <&gcc GCC_USB30_PRIM_MASTER_CLK>; + assigned-clock-rates = <19200000>, <200000000>; + +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 8 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + +@@ -3618,10 +3618,10 @@ + <&gcc GCC_USB30_SEC_MASTER_CLK>; + assigned-clock-rates = <19200000>, <200000000>; + +- interrupts = , +- , +- , +- ; ++ interrupts-extended = <&intc GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>, ++ <&intc GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 10 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc 11 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.7/arm64-dts-qcom-sm8150-fix-usb-ss-wakeup.patch b/queue-6.7/arm64-dts-qcom-sm8150-fix-usb-ss-wakeup.patch new file mode 100644 index 00000000000..a7b9b61da86 --- /dev/null +++ b/queue-6.7/arm64-dts-qcom-sm8150-fix-usb-ss-wakeup.patch @@ -0,0 +1,47 @@ +From cc4e1da491b84ca05339a19893884cda78f74aef Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Dec 2023 18:34:03 +0100 +Subject: arm64: dts: qcom: sm8150: fix USB SS wakeup + +From: Johan Hovold + +commit cc4e1da491b84ca05339a19893884cda78f74aef upstream. + +The USB SS PHY interrupts need to be provided by the PDC interrupt +controller in order to be able to wake the system up from low-power +states. + +Fixes: 0c9dde0d2015 ("arm64: dts: qcom: sm8150: Add secondary USB and PHY nodes") +Fixes: b33d2868e8d3 ("arm64: dts: qcom: sm8150: Add USB and PHY device nodes") +Cc: stable@vger.kernel.org # 5.10 +Cc: Jack Pham +Cc: Jonathan Marek +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20231213173403.29544-6-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sm8150.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sm8150.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8150.dtsi +@@ -3566,7 +3566,7 @@ + assigned-clock-rates = <19200000>, <200000000>; + + interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 486 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 6 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 8 IRQ_TYPE_EDGE_BOTH>, + <&pdc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", +@@ -3619,7 +3619,7 @@ + assigned-clock-rates = <19200000>, <200000000>; + + interrupts-extended = <&intc GIC_SPI 136 IRQ_TYPE_LEVEL_HIGH>, +- <&intc GIC_SPI 487 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 7 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 10 IRQ_TYPE_EDGE_BOTH>, + <&pdc 11 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", diff --git a/queue-6.7/arm64-entry-fix-arm64_workaround_speculative_unpriv_load.patch b/queue-6.7/arm64-entry-fix-arm64_workaround_speculative_unpriv_load.patch new file mode 100644 index 00000000000..5c7b1e8e340 --- /dev/null +++ b/queue-6.7/arm64-entry-fix-arm64_workaround_speculative_unpriv_load.patch @@ -0,0 +1,134 @@ +From 832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 16 Jan 2024 11:02:20 +0000 +Subject: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD + +From: Mark Rutland + +commit 832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f upstream. + +Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't +quite right, as it is supposed to be applied after the last explicit +memory access, but is immediately followed by an LDR. + +The ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to +handle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295, +which are described in: + +* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en +* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en + +In both cases the workaround is described as: + +| If pagetable isolation is disabled, the context switch logic in the +| kernel can be updated to execute the following sequence on affected +| cores before exiting to EL0, and after all explicit memory accesses: +| +| 1. A non-shareable TLBI to any context and/or address, including +| unused contexts or addresses, such as a `TLBI VALE1 Xzr`. +| +| 2. A DSB NSH to guarantee completion of the TLBI. + +The important part being that the TLBI+DSB must be placed "after all +explicit memory accesses". + +Unfortunately, as-implemented, the TLBI+DSB is immediately followed by +an LDR, as we have: + +| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD +| tlbi vale1, xzr +| dsb nsh +| alternative_else_nop_endif +| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0 +| ldr lr, [sp, #S_LR] +| add sp, sp, #PT_REGS_SIZE // restore sp +| eret +| alternative_else_nop_endif +| +| [ ... KPTI exception return path ... ] + +This patch fixes this by reworking the logic to place the TLBI+DSB +immediately before the ERET, after all explicit memory accesses. + +The ERET is currently in a separate alternative block, and alternatives +cannot be nested. To account for this, the alternative block for +ARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch +to skip the KPTI logic, with the new shape of the logic being: + +| alternative_insn "b .L_skip_tramp_exit_\@", nop, ARM64_UNMAP_KERNEL_AT_EL0 +| [ ... KPTI exception return path ... ] +| .L_skip_tramp_exit_\@: +| +| ldr lr, [sp, #S_LR] +| add sp, sp, #PT_REGS_SIZE // restore sp +| +| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD +| tlbi vale1, xzr +| dsb nsh +| alternative_else_nop_endif +| eret + +The new structure means that the workaround is only applied when KPTI is +not in use; this is fine as noted in the documented implications of the +erratum: + +| Pagetable isolation between EL0 and higher level ELs prevents the +| issue from occurring. + +... and as per the workaround description quoted above, the workaround +is only necessary "If pagetable isolation is disabled". + +Fixes: 471470bc7052 ("arm64: errata: Add Cortex-A520 speculative unprivileged load workaround") +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: James Morse +Cc: Rob Herring +Cc: Will Deacon +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240116110221.420467-2-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/entry.S | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -428,16 +428,9 @@ alternative_else_nop_endif + ldp x28, x29, [sp, #16 * 14] + + .if \el == 0 +-alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD +- tlbi vale1, xzr +- dsb nsh +-alternative_else_nop_endif +-alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0 +- ldr lr, [sp, #S_LR] +- add sp, sp, #PT_REGS_SIZE // restore sp +- eret +-alternative_else_nop_endif + #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 ++ alternative_insn "b .L_skip_tramp_exit_\@", nop, ARM64_UNMAP_KERNEL_AT_EL0 ++ + msr far_el1, x29 + + ldr_this_cpu x30, this_cpu_vector, x29 +@@ -446,7 +439,18 @@ alternative_else_nop_endif + ldr lr, [sp, #S_LR] // restore x30 + add sp, sp, #PT_REGS_SIZE // restore sp + br x29 ++ ++.L_skip_tramp_exit_\@: + #endif ++ ldr lr, [sp, #S_LR] ++ add sp, sp, #PT_REGS_SIZE // restore sp ++ ++ /* This must be after the last explicit memory access */ ++alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD ++ tlbi vale1, xzr ++ dsb nsh ++alternative_else_nop_endif ++ eret + .else + ldr lr, [sp, #S_LR] + add sp, sp, #PT_REGS_SIZE // restore sp diff --git a/queue-6.7/arm64-errata-add-cortex-a510-speculative-unprivileged-load-workaround.patch b/queue-6.7/arm64-errata-add-cortex-a510-speculative-unprivileged-load-workaround.patch new file mode 100644 index 00000000000..84cfa9cd0b9 --- /dev/null +++ b/queue-6.7/arm64-errata-add-cortex-a510-speculative-unprivileged-load-workaround.patch @@ -0,0 +1,100 @@ +From f827bcdafa2a2ac21c91e47f587e8d0c76195409 Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Wed, 10 Jan 2024 11:29:21 -0600 +Subject: arm64: errata: Add Cortex-A510 speculative unprivileged load workaround + +From: Rob Herring + +commit f827bcdafa2a2ac21c91e47f587e8d0c76195409 upstream. + +Implement the workaround for ARM Cortex-A510 erratum 3117295. On an +affected Cortex-A510 core, a speculatively executed unprivileged load +might leak data from a privileged load via a cache side channel. The +issue only exists for loads within a translation regime with the same +translation (e.g. same ASID and VMID). Therefore, the issue only affects +the return to EL0. + +The erratum and workaround are the same as ARM Cortex-A520 erratum +2966298, so reuse the existing workaround. + +Cc: stable@vger.kernel.org +Signed-off-by: Rob Herring +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/20240110-arm-errata-a510-v1-2-d02bc51aeeee@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arch/arm64/silicon-errata.rst | 2 ++ + arch/arm64/Kconfig | 14 ++++++++++++++ + arch/arm64/kernel/cpu_errata.c | 17 +++++++++++++++-- + 3 files changed, 31 insertions(+), 2 deletions(-) + +--- a/Documentation/arch/arm64/silicon-errata.rst ++++ b/Documentation/arch/arm64/silicon-errata.rst +@@ -71,6 +71,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A510 | #2658417 | ARM64_ERRATUM_2658417 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Cortex-A510 | #3117295 | ARM64_ERRATUM_3117295 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A520 | #2966298 | ARM64_ERRATUM_2966298 | + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A53 | #826319 | ARM64_ERRATUM_826319 | +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1054,6 +1054,20 @@ config ARM64_ERRATUM_2966298 + + If unsure, say Y. + ++config ARM64_ERRATUM_3117295 ++ bool "Cortex-A510: 3117295: workaround for speculatively executed unprivileged load" ++ select ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD ++ default y ++ help ++ This option adds the workaround for ARM Cortex-A510 erratum 3117295. ++ ++ On an affected Cortex-A510 core, a speculatively executed unprivileged ++ load might leak data from a privileged level via a cache side channel. ++ ++ Work around this problem by executing a TLBI before returning to EL0. ++ ++ If unsure, say Y. ++ + config CAVIUM_ERRATUM_22375 + bool "Cavium erratum 22375, 24313" + default y +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -416,6 +416,19 @@ static struct midr_range broken_aarch32_ + }; + #endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */ + ++#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD ++static const struct midr_range erratum_spec_unpriv_load_list[] = { ++#ifdef CONFIG_ARM64_ERRATUM_3117295 ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510), ++#endif ++#ifdef CONFIG_ARM64_ERRATUM_2966298 ++ /* Cortex-A520 r0p0 to r0p1 */ ++ MIDR_REV_RANGE(MIDR_CORTEX_A520, 0, 0, 1), ++#endif ++ {}, ++}; ++#endif ++ + const struct arm64_cpu_capabilities arm64_errata[] = { + #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE + { +@@ -715,10 +728,10 @@ const struct arm64_cpu_capabilities arm6 + #endif + #ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD + { +- .desc = "ARM erratum 2966298", ++ .desc = "ARM errata 2966298, 3117295", + .capability = ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD, + /* Cortex-A520 r0p0 - r0p1 */ +- ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A520, 0, 0, 1), ++ ERRATA_MIDR_RANGE_LIST(erratum_spec_unpriv_load_list), + }, + #endif + #ifdef CONFIG_AMPERE_ERRATUM_AC03_CPU_38 diff --git a/queue-6.7/arm64-rename-arm64_workaround_2966298.patch b/queue-6.7/arm64-rename-arm64_workaround_2966298.patch new file mode 100644 index 00000000000..73f785e2fab --- /dev/null +++ b/queue-6.7/arm64-rename-arm64_workaround_2966298.patch @@ -0,0 +1,81 @@ +From 546b7cde9b1dd36089649101b75266564600ffe5 Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Wed, 10 Jan 2024 11:29:20 -0600 +Subject: arm64: Rename ARM64_WORKAROUND_2966298 + +From: Rob Herring + +commit 546b7cde9b1dd36089649101b75266564600ffe5 upstream. + +In preparation to apply ARM64_WORKAROUND_2966298 for multiple errata, +rename the kconfig and capability. No functional change. + +Cc: stable@vger.kernel.org +Signed-off-by: Rob Herring +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/20240110-arm-errata-a510-v1-1-d02bc51aeeee@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Kconfig | 4 ++++ + arch/arm64/kernel/cpu_errata.c | 4 ++-- + arch/arm64/kernel/entry.S | 2 +- + arch/arm64/tools/cpucaps | 2 +- + 4 files changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1037,8 +1037,12 @@ config ARM64_ERRATUM_2645198 + + If unsure, say Y. + ++config ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD ++ bool ++ + config ARM64_ERRATUM_2966298 + bool "Cortex-A520: 2966298: workaround for speculatively executed unprivileged load" ++ select ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD + default y + help + This option adds the workaround for ARM Cortex-A520 erratum 2966298. +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -713,10 +713,10 @@ const struct arm64_cpu_capabilities arm6 + MIDR_FIXED(MIDR_CPU_VAR_REV(1,1), BIT(25)), + }, + #endif +-#ifdef CONFIG_ARM64_ERRATUM_2966298 ++#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD + { + .desc = "ARM erratum 2966298", +- .capability = ARM64_WORKAROUND_2966298, ++ .capability = ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD, + /* Cortex-A520 r0p0 - r0p1 */ + ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A520, 0, 0, 1), + }, +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -428,7 +428,7 @@ alternative_else_nop_endif + ldp x28, x29, [sp, #16 * 14] + + .if \el == 0 +-alternative_if ARM64_WORKAROUND_2966298 ++alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD + tlbi vale1, xzr + dsb nsh + alternative_else_nop_endif +--- a/arch/arm64/tools/cpucaps ++++ b/arch/arm64/tools/cpucaps +@@ -84,7 +84,6 @@ WORKAROUND_2077057 + WORKAROUND_2457168 + WORKAROUND_2645198 + WORKAROUND_2658417 +-WORKAROUND_2966298 + WORKAROUND_AMPERE_AC03_CPU_38 + WORKAROUND_TRBE_OVERWRITE_FILL_MODE + WORKAROUND_TSB_FLUSH_FAILURE +@@ -100,3 +99,4 @@ WORKAROUND_NVIDIA_CARMEL_CNP + WORKAROUND_QCOM_FALKOR_E1003 + WORKAROUND_REPEAT_TLBI + WORKAROUND_SPECULATIVE_AT ++WORKAROUND_SPECULATIVE_UNPRIV_LOAD diff --git a/queue-6.7/arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch b/queue-6.7/arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch new file mode 100644 index 00000000000..f01f4d8d6c3 --- /dev/null +++ b/queue-6.7/arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch @@ -0,0 +1,42 @@ +From dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 15 Jan 2024 20:15:46 +0000 +Subject: arm64/sme: Always exit sme_alloc() early with existing storage + +From: Mark Brown + +commit dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 upstream. + +When sme_alloc() is called with existing storage and we are not flushing we +will always allocate new storage, both leaking the existing storage and +corrupting the state. Fix this by separating the checks for flushing and +for existing storage as we do for SVE. + +Callers that reallocate (eg, due to changing the vector length) should +call sme_free() themselves. + +Fixes: 5d0a8d2fba50 ("arm64/ptrace: Ensure that SME is set up for target when writing SSVE state") +Signed-off-by: Mark Brown +Cc: +Link: https://lore.kernel.org/r/20240115-arm64-sme-flush-v1-1-7472bd3459b7@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/fpsimd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1245,8 +1245,10 @@ void fpsimd_release_task(struct task_str + */ + void sme_alloc(struct task_struct *task, bool flush) + { +- if (task->thread.sme_state && flush) { +- memset(task->thread.sme_state, 0, sme_state_size(task)); ++ if (task->thread.sme_state) { ++ if (flush) ++ memset(task->thread.sme_state, 0, ++ sme_state_size(task)); + return; + } + diff --git a/queue-6.7/dlm-use-kernel_connect-and-kernel_bind.patch b/queue-6.7/dlm-use-kernel_connect-and-kernel_bind.patch new file mode 100644 index 00000000000..cf079953553 --- /dev/null +++ b/queue-6.7/dlm-use-kernel_connect-and-kernel_bind.patch @@ -0,0 +1,74 @@ +From e9cdebbe23f1aa9a1caea169862f479ab3fa2773 Mon Sep 17 00:00:00 2001 +From: Jordan Rife +Date: Mon, 6 Nov 2023 15:24:38 -0600 +Subject: dlm: use kernel_connect() and kernel_bind() + +From: Jordan Rife + +commit e9cdebbe23f1aa9a1caea169862f479ab3fa2773 upstream. + +Recent changes to kernel_connect() and kernel_bind() ensure that +callers are insulated from changes to the address parameter made by BPF +SOCK_ADDR hooks. This patch wraps direct calls to ops->connect() and +ops->bind() with kernel_connect() and kernel_bind() to protect callers +in such cases. + +Link: https://lore.kernel.org/netdev/9944248dba1bce861375fcce9de663934d933ba9.camel@redhat.com/ +Fixes: d74bad4e74ee ("bpf: Hooks for sys_connect") +Fixes: 4fbac77d2d09 ("bpf: Hooks for sys_bind") +Cc: stable@vger.kernel.org +Signed-off-by: Jordan Rife +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/lowcomms.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -1817,8 +1817,8 @@ static int dlm_tcp_bind(struct socket *s + memcpy(&src_addr, &dlm_local_addr[0], sizeof(src_addr)); + make_sockaddr(&src_addr, 0, &addr_len); + +- result = sock->ops->bind(sock, (struct sockaddr *)&src_addr, +- addr_len); ++ result = kernel_bind(sock, (struct sockaddr *)&src_addr, ++ addr_len); + if (result < 0) { + /* This *may* not indicate a critical error */ + log_print("could not bind for connect: %d", result); +@@ -1830,7 +1830,7 @@ static int dlm_tcp_bind(struct socket *s + static int dlm_tcp_connect(struct connection *con, struct socket *sock, + struct sockaddr *addr, int addr_len) + { +- return sock->ops->connect(sock, addr, addr_len, O_NONBLOCK); ++ return kernel_connect(sock, addr, addr_len, O_NONBLOCK); + } + + static int dlm_tcp_listen_validate(void) +@@ -1862,8 +1862,8 @@ static int dlm_tcp_listen_bind(struct so + + /* Bind to our port */ + make_sockaddr(&dlm_local_addr[0], dlm_config.ci_tcp_port, &addr_len); +- return sock->ops->bind(sock, (struct sockaddr *)&dlm_local_addr[0], +- addr_len); ++ return kernel_bind(sock, (struct sockaddr *)&dlm_local_addr[0], ++ addr_len); + } + + static const struct dlm_proto_ops dlm_tcp_ops = { +@@ -1888,12 +1888,12 @@ static int dlm_sctp_connect(struct conne + int ret; + + /* +- * Make sock->ops->connect() function return in specified time, ++ * Make kernel_connect() function return in specified time, + * since O_NONBLOCK argument in connect() function does not work here, + * then, we should restore the default value of this attribute. + */ + sock_set_sndtimeo(sock->sk, 5); +- ret = sock->ops->connect(sock, addr, addr_len, 0); ++ ret = kernel_connect(sock, addr, addr_len, 0); + sock_set_sndtimeo(sock->sk, 0); + return ret; + } diff --git a/queue-6.7/docs-kernel_abi.py-fix-command-injection.patch b/queue-6.7/docs-kernel_abi.py-fix-command-injection.patch new file mode 100644 index 00000000000..dc6ea86aed6 --- /dev/null +++ b/queue-6.7/docs-kernel_abi.py-fix-command-injection.patch @@ -0,0 +1,150 @@ +From 3231dd5862779c2e15633c96133a53205ad660ce Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Mon, 1 Jan 2024 00:59:59 +0100 +Subject: docs: kernel_abi.py: fix command injection + +From: Vegard Nossum + +commit 3231dd5862779c2e15633c96133a53205ad660ce upstream. + +The kernel-abi directive passes its argument straight to the shell. +This is unfortunate and unnecessary. + +Let's always use paths relative to $srctree/Documentation/ and use +subprocess.check_call() instead of subprocess.Popen(shell=True). + +This also makes the code shorter. + +Link: https://fosstodon.org/@jani/111676532203641247 +Reported-by: Jani Nikula +Cc: stable@vger.kernel.org +Signed-off-by: Vegard Nossum +Signed-off-by: Jonathan Corbet +Link: https://lore.kernel.org/r/20231231235959.3342928-2-vegard.nossum@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/abi-obsolete.rst | 2 - + Documentation/admin-guide/abi-removed.rst | 2 - + Documentation/admin-guide/abi-stable.rst | 2 - + Documentation/admin-guide/abi-testing.rst | 2 - + Documentation/sphinx/kernel_abi.py | 56 +++++------------------------ + 5 files changed, 14 insertions(+), 50 deletions(-) + +--- a/Documentation/admin-guide/abi-obsolete.rst ++++ b/Documentation/admin-guide/abi-obsolete.rst +@@ -7,5 +7,5 @@ marked to be removed at some later point + The description of the interface will document the reason why it is + obsolete and when it can be expected to be removed. + +-.. kernel-abi:: $srctree/Documentation/ABI/obsolete ++.. kernel-abi:: ABI/obsolete + :rst: +--- a/Documentation/admin-guide/abi-removed.rst ++++ b/Documentation/admin-guide/abi-removed.rst +@@ -1,5 +1,5 @@ + ABI removed symbols + =================== + +-.. kernel-abi:: $srctree/Documentation/ABI/removed ++.. kernel-abi:: ABI/removed + :rst: +--- a/Documentation/admin-guide/abi-stable.rst ++++ b/Documentation/admin-guide/abi-stable.rst +@@ -10,5 +10,5 @@ for at least 2 years. + Most interfaces (like syscalls) are expected to never change and always + be available. + +-.. kernel-abi:: $srctree/Documentation/ABI/stable ++.. kernel-abi:: ABI/stable + :rst: +--- a/Documentation/admin-guide/abi-testing.rst ++++ b/Documentation/admin-guide/abi-testing.rst +@@ -16,5 +16,5 @@ Programs that use these interfaces are s + name to the description of these interfaces, so that the kernel + developers can easily notify them if any changes occur. + +-.. kernel-abi:: $srctree/Documentation/ABI/testing ++.. kernel-abi:: ABI/testing + :rst: +--- a/Documentation/sphinx/kernel_abi.py ++++ b/Documentation/sphinx/kernel_abi.py +@@ -39,8 +39,6 @@ import sys + import re + import kernellog + +-from os import path +- + from docutils import nodes, statemachine + from docutils.statemachine import ViewList + from docutils.parsers.rst import directives, Directive +@@ -73,60 +71,26 @@ class KernelCmd(Directive): + } + + def run(self): +- + doc = self.state.document + if not doc.settings.file_insertion_enabled: + raise self.warning("docutils: file insertion disabled") + +- env = doc.settings.env +- cwd = path.dirname(doc.current_source) +- cmd = "get_abi.pl rest --enable-lineno --dir " +- cmd += self.arguments[0] +- +- if 'rst' in self.options: +- cmd += " --rst-source" +- +- srctree = path.abspath(os.environ["srctree"]) ++ srctree = os.path.abspath(os.environ["srctree"]) + +- fname = cmd ++ args = [ ++ os.path.join(srctree, 'scripts/get_abi.pl'), ++ 'rest', ++ '--enable-lineno', ++ '--dir', os.path.join(srctree, 'Documentation', self.arguments[0]), ++ ] + +- # extend PATH with $(srctree)/scripts +- path_env = os.pathsep.join([ +- srctree + os.sep + "scripts", +- os.environ["PATH"] +- ]) +- shell_env = os.environ.copy() +- shell_env["PATH"] = path_env +- shell_env["srctree"] = srctree ++ if 'rst' in self.options: ++ args.append('--rst-source') + +- lines = self.runCmd(cmd, shell=True, cwd=cwd, env=shell_env) ++ lines = subprocess.check_output(args, cwd=os.path.dirname(doc.current_source)).decode('utf-8') + nodeList = self.nestedParse(lines, self.arguments[0]) + return nodeList + +- def runCmd(self, cmd, **kwargs): +- u"""Run command ``cmd`` and return its stdout as unicode.""" +- +- try: +- proc = subprocess.Popen( +- cmd +- , stdout = subprocess.PIPE +- , stderr = subprocess.PIPE +- , **kwargs +- ) +- out, err = proc.communicate() +- +- out, err = codecs.decode(out, 'utf-8'), codecs.decode(err, 'utf-8') +- +- if proc.returncode != 0: +- raise self.severe( +- u"command '%s' failed with return code %d" +- % (cmd, proc.returncode) +- ) +- except OSError as exc: +- raise self.severe(u"problems with '%s' directive: %s." +- % (self.name, ErrorString(exc))) +- return out +- + def nestedParse(self, lines, fname): + env = self.state.document.settings.env + content = ViewList() diff --git a/queue-6.7/efi-disable-mirror-feature-during-crashkernel.patch b/queue-6.7/efi-disable-mirror-feature-during-crashkernel.patch new file mode 100644 index 00000000000..2e4ff545163 --- /dev/null +++ b/queue-6.7/efi-disable-mirror-feature-during-crashkernel.patch @@ -0,0 +1,47 @@ +From 7ea6ec4c25294e8bc8788148ef854df92ee8dc5e Mon Sep 17 00:00:00 2001 +From: Ma Wupeng +Date: Tue, 9 Jan 2024 12:15:36 +0800 +Subject: efi: disable mirror feature during crashkernel + +From: Ma Wupeng + +commit 7ea6ec4c25294e8bc8788148ef854df92ee8dc5e upstream. + +If the system has no mirrored memory or uses crashkernel.high while +kernelcore=mirror is enabled on the command line then during crashkernel, +there will be limited mirrored memory and this usually leads to OOM. + +To solve this problem, disable the mirror feature during crashkernel. + +Link: https://lkml.kernel.org/r/20240109041536.3903042-1-mawupeng1@huawei.com +Signed-off-by: Ma Wupeng +Acked-by: Mike Rapoport (IBM) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/mm_init.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/mm/mm_init.c ++++ b/mm/mm_init.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "slab.h" + #include "shuffle.h" +@@ -381,6 +382,11 @@ static void __init find_zone_movable_pfn + goto out; + } + ++ if (is_kdump_kernel()) { ++ pr_warn("The system is under kdump, ignore kernelcore=mirror.\n"); ++ goto out; ++ } ++ + for_each_mem_region(r) { + if (memblock_is_mirror(r)) + continue; diff --git a/queue-6.7/kdump-defer-the-insertion-of-crashkernel-resources.patch b/queue-6.7/kdump-defer-the-insertion-of-crashkernel-resources.patch new file mode 100644 index 00000000000..7c842eb2ca2 --- /dev/null +++ b/queue-6.7/kdump-defer-the-insertion-of-crashkernel-resources.patch @@ -0,0 +1,120 @@ +From 4a693ce65b186fddc1a73621bd6f941e6e3eca21 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Fri, 29 Dec 2023 16:02:13 +0800 +Subject: kdump: defer the insertion of crashkernel resources + +From: Huacai Chen + +commit 4a693ce65b186fddc1a73621bd6f941e6e3eca21 upstream. + +In /proc/iomem, sub-regions should be inserted after their parent, +otherwise the insertion of parent resource fails. But after generic +crashkernel reservation applied, in both RISC-V and ARM64 (LoongArch will +also use generic reservation later on), crashkernel resources are inserted +before their parent, which causes the parent disappear in /proc/iomem. So +we defer the insertion of crashkernel resources to an early_initcall(). + +1, Without 'crashkernel' parameter: + + 100d0100-100d01ff : LOON0001:00 + 100d0100-100d01ff : LOON0001:00 LOON0001:00 + 100e0000-100e0bff : LOON0002:00 + 100e0000-100e0bff : LOON0002:00 LOON0002:00 + 1fe001e0-1fe001e7 : serial + 90400000-fa17ffff : System RAM + f6220000-f622ffff : Reserved + f9ee0000-f9ee3fff : Reserved + fa120000-fa17ffff : Reserved + fa190000-fe0bffff : System RAM + fa190000-fa1bffff : Reserved + fe4e0000-47fffffff : System RAM + 43c000000-441ffffff : Reserved + 47ff98000-47ffa3fff : Reserved + 47ffa4000-47ffa7fff : Reserved + 47ffa8000-47ffabfff : Reserved + 47ffac000-47ffaffff : Reserved + 47ffb0000-47ffb3fff : Reserved + +2, With 'crashkernel' parameter, before this patch: + + 100d0100-100d01ff : LOON0001:00 + 100d0100-100d01ff : LOON0001:00 LOON0001:00 + 100e0000-100e0bff : LOON0002:00 + 100e0000-100e0bff : LOON0002:00 LOON0002:00 + 1fe001e0-1fe001e7 : serial + e6200000-f61fffff : Crash kernel + fa190000-fe0bffff : System RAM + fa190000-fa1bffff : Reserved + fe4e0000-47fffffff : System RAM + 43c000000-441ffffff : Reserved + 47ff98000-47ffa3fff : Reserved + 47ffa4000-47ffa7fff : Reserved + 47ffa8000-47ffabfff : Reserved + 47ffac000-47ffaffff : Reserved + 47ffb0000-47ffb3fff : Reserved + +3, With 'crashkernel' parameter, after this patch: + + 100d0100-100d01ff : LOON0001:00 + 100d0100-100d01ff : LOON0001:00 LOON0001:00 + 100e0000-100e0bff : LOON0002:00 + 100e0000-100e0bff : LOON0002:00 LOON0002:00 + 1fe001e0-1fe001e7 : serial + 90400000-fa17ffff : System RAM + e6200000-f61fffff : Crash kernel + f6220000-f622ffff : Reserved + f9ee0000-f9ee3fff : Reserved + fa120000-fa17ffff : Reserved + fa190000-fe0bffff : System RAM + fa190000-fa1bffff : Reserved + fe4e0000-47fffffff : System RAM + 43c000000-441ffffff : Reserved + 47ff98000-47ffa3fff : Reserved + 47ffa4000-47ffa7fff : Reserved + 47ffa8000-47ffabfff : Reserved + 47ffac000-47ffaffff : Reserved + 47ffb0000-47ffb3fff : Reserved + +Link: https://lkml.kernel.org/r/20231229080213.2622204-1-chenhuacai@loongson.cn +Signed-off-by: Huacai Chen +Fixes: 0ab97169aa05 ("crash_core: add generic function to do reservation") +Cc: Baoquan He +Cc: Zhen Lei +Cc: [6.6+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/crash_core.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/kernel/crash_core.c ++++ b/kernel/crash_core.c +@@ -377,7 +377,6 @@ static int __init reserve_crashkernel_lo + + crashk_low_res.start = low_base; + crashk_low_res.end = low_base + low_size - 1; +- insert_resource(&iomem_resource, &crashk_low_res); + #endif + return 0; + } +@@ -459,8 +458,19 @@ retry: + + crashk_res.start = crash_base; + crashk_res.end = crash_base + crash_size - 1; +- insert_resource(&iomem_resource, &crashk_res); + } ++ ++static __init int insert_crashkernel_resources(void) ++{ ++ if (crashk_res.start < crashk_res.end) ++ insert_resource(&iomem_resource, &crashk_res); ++ ++ if (crashk_low_res.start < crashk_low_res.end) ++ insert_resource(&iomem_resource, &crashk_low_res); ++ ++ return 0; ++} ++early_initcall(insert_crashkernel_resources); + #endif + + int crash_prepare_elf64_headers(struct crash_mem *mem, int need_kernel_map, diff --git a/queue-6.7/lsm-new-security_file_ioctl_compat-hook.patch b/queue-6.7/lsm-new-security_file_ioctl_compat-hook.patch new file mode 100644 index 00000000000..1c3a1da071e --- /dev/null +++ b/queue-6.7/lsm-new-security_file_ioctl_compat-hook.patch @@ -0,0 +1,187 @@ +From f1bb47a31dff6d4b34fb14e99850860ee74bb003 Mon Sep 17 00:00:00 2001 +From: Alfred Piccioni +Date: Tue, 19 Dec 2023 10:09:09 +0100 +Subject: lsm: new security_file_ioctl_compat() hook + +From: Alfred Piccioni + +commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream. + +Some ioctl commands do not require ioctl permission, but are routed to +other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is +done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*). + +However, if a 32-bit process is running on a 64-bit kernel, it emits +32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are +being checked erroneously, which leads to these ioctl operations being +routed to the ioctl permission, rather than the correct file +permissions. + +This was also noted in a RED-PEN finding from a while back - +"/* RED-PEN how should LSM module know it's handling 32bit? */". + +This patch introduces a new hook, security_file_ioctl_compat(), that is +called from the compat ioctl syscall. All current LSMs have been changed +to support this hook. + +Reviewing the three places where we are currently using +security_file_ioctl(), it appears that only SELinux needs a dedicated +compat change; TOMOYO and SMACK appear to be functional without any +change. + +Cc: stable@vger.kernel.org +Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"") +Signed-off-by: Alfred Piccioni +Reviewed-by: Stephen Smalley +[PM: subject tweak, line length fixes, and alignment corrections] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + fs/ioctl.c | 3 +-- + include/linux/lsm_hook_defs.h | 2 ++ + include/linux/security.h | 9 +++++++++ + security/security.c | 18 ++++++++++++++++++ + security/selinux/hooks.c | 28 ++++++++++++++++++++++++++++ + security/smack/smack_lsm.c | 1 + + security/tomoyo/tomoyo.c | 1 + + 7 files changed, 60 insertions(+), 2 deletions(-) + +--- a/fs/ioctl.c ++++ b/fs/ioctl.c +@@ -920,8 +920,7 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned i + if (!f.file) + return -EBADF; + +- /* RED-PEN how should LSM module know it's handling 32bit? */ +- error = security_file_ioctl(f.file, cmd, arg); ++ error = security_file_ioctl_compat(f.file, cmd, arg); + if (error) + goto out; + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -171,6 +171,8 @@ LSM_HOOK(int, 0, file_alloc_security, st + LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file) + LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd, + unsigned long arg) ++LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd, ++ unsigned long arg) + LSM_HOOK(int, 0, mmap_addr, unsigned long addr) + LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags) +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -389,6 +389,8 @@ int security_file_permission(struct file + int security_file_alloc(struct file *file); + void security_file_free(struct file *file); + int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); ++int security_file_ioctl_compat(struct file *file, unsigned int cmd, ++ unsigned long arg); + int security_mmap_file(struct file *file, unsigned long prot, + unsigned long flags); + int security_mmap_addr(unsigned long addr); +@@ -986,6 +988,13 @@ static inline int security_file_ioctl(st + { + return 0; + } ++ ++static inline int security_file_ioctl_compat(struct file *file, ++ unsigned int cmd, ++ unsigned long arg) ++{ ++ return 0; ++} + + static inline int security_mmap_file(struct file *file, unsigned long prot, + unsigned long flags) +--- a/security/security.c ++++ b/security/security.c +@@ -2648,6 +2648,24 @@ int security_file_ioctl(struct file *fil + } + EXPORT_SYMBOL_GPL(security_file_ioctl); + ++/** ++ * security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode ++ * @file: associated file ++ * @cmd: ioctl cmd ++ * @arg: ioctl arguments ++ * ++ * Compat version of security_file_ioctl() that correctly handles 32-bit ++ * processes running on 64-bit kernels. ++ * ++ * Return: Returns 0 if permission is granted. ++ */ ++int security_file_ioctl_compat(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ return call_int_hook(file_ioctl_compat, 0, file, cmd, arg); ++} ++EXPORT_SYMBOL_GPL(security_file_ioctl_compat); ++ + static inline unsigned long mmap_prot(struct file *file, unsigned long prot) + { + /* +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3725,6 +3725,33 @@ static int selinux_file_ioctl(struct fil + return error; + } + ++static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ /* ++ * If we are in a 64-bit kernel running 32-bit userspace, we need to ++ * make sure we don't compare 32-bit flags to 64-bit flags. ++ */ ++ switch (cmd) { ++ case FS_IOC32_GETFLAGS: ++ cmd = FS_IOC_GETFLAGS; ++ break; ++ case FS_IOC32_SETFLAGS: ++ cmd = FS_IOC_SETFLAGS; ++ break; ++ case FS_IOC32_GETVERSION: ++ cmd = FS_IOC_GETVERSION; ++ break; ++ case FS_IOC32_SETVERSION: ++ cmd = FS_IOC_SETVERSION; ++ break; ++ default: ++ break; ++ } ++ ++ return selinux_file_ioctl(file, cmd, arg); ++} ++ + static int default_noexec __ro_after_init; + + static int file_map_prot_check(struct file *file, unsigned long prot, int shared) +@@ -7037,6 +7064,7 @@ static struct security_hook_list selinux + LSM_HOOK_INIT(file_permission, selinux_file_permission), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), + LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), ++ LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), + LSM_HOOK_INIT(mmap_file, selinux_mmap_file), + LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), + LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4973,6 +4973,7 @@ static struct security_hook_list smack_h + + LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), + LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), ++ LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), + LSM_HOOK_INIT(file_lock, smack_file_lock), + LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), + LSM_HOOK_INIT(mmap_file, smack_mmap_file), +--- a/security/tomoyo/tomoyo.c ++++ b/security/tomoyo/tomoyo.c +@@ -568,6 +568,7 @@ static struct security_hook_list tomoyo_ + LSM_HOOK_INIT(path_rename, tomoyo_path_rename), + LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr), + LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl), ++ LSM_HOOK_INIT(file_ioctl_compat, tomoyo_file_ioctl), + LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod), + LSM_HOOK_INIT(path_chown, tomoyo_path_chown), + LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot), diff --git a/queue-6.7/media-i2c-st-mipid02-correct-format-propagation.patch b/queue-6.7/media-i2c-st-mipid02-correct-format-propagation.patch new file mode 100644 index 00000000000..1173e9ac9d4 --- /dev/null +++ b/queue-6.7/media-i2c-st-mipid02-correct-format-propagation.patch @@ -0,0 +1,53 @@ +From b33cb0cbe2893b96ecbfa16254407153f4b55d16 Mon Sep 17 00:00:00 2001 +From: Alain Volmat +Date: Mon, 13 Nov 2023 15:57:30 +0100 +Subject: media: i2c: st-mipid02: correct format propagation + +From: Alain Volmat + +commit b33cb0cbe2893b96ecbfa16254407153f4b55d16 upstream. + +Use a copy of the struct v4l2_subdev_format when propagating +format from the sink to source pad in order to avoid impacting the +sink format returned to the application. + +Thanks to Jacopo Mondi for pointing the issue. + +Fixes: 6c01e6f3f27b ("media: st-mipid02: Propagate format from sink to source pad") +Signed-off-by: Alain Volmat +Cc: stable@vger.kernel.org +Reviewed-by: Jacopo Mondi +Reviewed-by: Daniel Scally +Reviewed-by: Benjamin Mugnier +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/st-mipid02.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/st-mipid02.c ++++ b/drivers/media/i2c/st-mipid02.c +@@ -770,6 +770,7 @@ static void mipid02_set_fmt_sink(struct + struct v4l2_subdev_format *format) + { + struct mipid02_dev *bridge = to_mipid02_dev(sd); ++ struct v4l2_subdev_format source_fmt; + struct v4l2_mbus_framefmt *fmt; + + format->format.code = get_fmt_code(format->format.code); +@@ -781,8 +782,12 @@ static void mipid02_set_fmt_sink(struct + + *fmt = format->format; + +- /* Propagate the format change to the source pad */ +- mipid02_set_fmt_source(sd, sd_state, format); ++ /* ++ * Propagate the format change to the source pad, taking ++ * care not to update the format pointer given back to user ++ */ ++ source_fmt = *format; ++ mipid02_set_fmt_source(sd, sd_state, &source_fmt); + } + + static int mipid02_set_fmt(struct v4l2_subdev *sd, diff --git a/queue-6.7/media-mtk-jpeg-fix-timeout-schedule-error-in-mtk_jpegdec_worker.patch b/queue-6.7/media-mtk-jpeg-fix-timeout-schedule-error-in-mtk_jpegdec_worker.patch new file mode 100644 index 00000000000..2fcf0441b5d --- /dev/null +++ b/queue-6.7/media-mtk-jpeg-fix-timeout-schedule-error-in-mtk_jpegdec_worker.patch @@ -0,0 +1,51 @@ +From 38e1857933def4b3fafc28cc34ff3bbc84cad2c3 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Mon, 6 Nov 2023 15:48:11 +0100 +Subject: media: mtk-jpeg: Fix timeout schedule error in mtk_jpegdec_worker. + +From: Zheng Wang + +commit 38e1857933def4b3fafc28cc34ff3bbc84cad2c3 upstream. + +In mtk_jpegdec_worker, if error occurs in mtk_jpeg_set_dec_dst, it +will start the timeout worker and invoke v4l2_m2m_job_finish at +the same time. This will break the logic of design for there should +be only one function to call v4l2_m2m_job_finish. But now the timeout +handler and mtk_jpegdec_worker will both invoke it. + +Fix it by start the worker only if mtk_jpeg_set_dec_dst successfully +finished. + +Fixes: da4ede4b7fd6 ("media: mtk-jpeg: move data/code inside CONFIG_OF blocks") +Signed-off-by: Zheng Wang +Signed-off-by: Dmitry Osipenko +Cc: stable@vger.kernel.org +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c ++++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +@@ -1749,9 +1749,6 @@ retry_select: + v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); + v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); + +- schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, +- msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); +- + mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); + if (mtk_jpeg_set_dec_dst(ctx, + &jpeg_src_buf->dec_param, +@@ -1761,6 +1758,9 @@ retry_select: + goto setdst_end; + } + ++ schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, ++ msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); ++ + spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags); + ctx->total_frame_num++; + mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base); diff --git a/queue-6.7/media-mtk-jpeg-fix-use-after-free-bug-due-to-error-path-handling-in-mtk_jpeg_dec_device_run.patch b/queue-6.7/media-mtk-jpeg-fix-use-after-free-bug-due-to-error-path-handling-in-mtk_jpeg_dec_device_run.patch new file mode 100644 index 00000000000..e6a38230be2 --- /dev/null +++ b/queue-6.7/media-mtk-jpeg-fix-use-after-free-bug-due-to-error-path-handling-in-mtk_jpeg_dec_device_run.patch @@ -0,0 +1,69 @@ +From 206c857dd17d4d026de85866f1b5f0969f2a109e Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Mon, 6 Nov 2023 15:48:10 +0100 +Subject: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run + +From: Zheng Wang + +commit 206c857dd17d4d026de85866f1b5f0969f2a109e upstream. + +In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with +mtk_jpeg_job_timeout_work. + +In mtk_jpeg_dec_device_run, if error happens in +mtk_jpeg_set_dec_dst, it will finally start the worker while +mark the job as finished by invoking v4l2_m2m_job_finish. + +There are two methods to trigger the bug. If we remove the +module, it which will call mtk_jpeg_remove to make cleanup. +The possible sequence is as follows, which will cause a +use-after-free bug. + +CPU0 CPU1 +mtk_jpeg_dec_... | + start worker | + |mtk_jpeg_job_timeout_work +mtk_jpeg_remove | + v4l2_m2m_release | + kfree(m2m_dev); | + | + | v4l2_m2m_get_curr_priv + | m2m_dev->curr_ctx //use + +If we close the file descriptor, which will call mtk_jpeg_release, +it will have a similar sequence. + +Fix this bug by starting timeout worker only if started jpegdec worker +successfully. Then v4l2_m2m_job_finish will only be called in +either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. + +Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") +Signed-off-by: Zheng Wang +Signed-off-by: Dmitry Osipenko +Cc: stable@vger.kernel.org +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c ++++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +@@ -1021,13 +1021,13 @@ static void mtk_jpeg_dec_device_run(void + if (ret < 0) + goto dec_end; + +- schedule_delayed_work(&jpeg->job_timeout_work, +- msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); +- + mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); + if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) + goto dec_end; + ++ schedule_delayed_work(&jpeg->job_timeout_work, ++ msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); ++ + spin_lock_irqsave(&jpeg->hw_lock, flags); + mtk_jpeg_dec_reset(jpeg->reg_base); + mtk_jpeg_dec_set_config(jpeg->reg_base, diff --git a/queue-6.7/media-videobuf2-dma-sg-fix-vmap-callback.patch b/queue-6.7/media-videobuf2-dma-sg-fix-vmap-callback.patch new file mode 100644 index 00000000000..ee6f774ec5f --- /dev/null +++ b/queue-6.7/media-videobuf2-dma-sg-fix-vmap-callback.patch @@ -0,0 +1,44 @@ +From 608ca5a60ee47b48fec210aeb7a795a64eb5dcee Mon Sep 17 00:00:00 2001 +From: Michael Grzeschik +Date: Thu, 23 Nov 2023 23:32:05 +0100 +Subject: media: videobuf2-dma-sg: fix vmap callback + +From: Michael Grzeschik + +commit 608ca5a60ee47b48fec210aeb7a795a64eb5dcee upstream. + +For dmabuf import users to be able to use the vaddr from another +videobuf2-dma-sg source, the exporter needs to set a proper vaddr on +vb2_dma_sg_dmabuf_ops_vmap callback. This patch adds vmap on map if +buf->vaddr was not set. + +Cc: stable@kernel.org +Fixes: 7938f4218168 ("dma-buf-map: Rename to iosys-map") +Signed-off-by: Michael Grzeschik +Acked-by: Tomasz Figa +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/videobuf2/videobuf2-dma-sg.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c ++++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c +@@ -487,9 +487,15 @@ vb2_dma_sg_dmabuf_ops_end_cpu_access(str + static int vb2_dma_sg_dmabuf_ops_vmap(struct dma_buf *dbuf, + struct iosys_map *map) + { +- struct vb2_dma_sg_buf *buf = dbuf->priv; ++ struct vb2_dma_sg_buf *buf; ++ void *vaddr; + +- iosys_map_set_vaddr(map, buf->vaddr); ++ buf = dbuf->priv; ++ vaddr = vb2_dma_sg_vaddr(buf->vb, buf); ++ if (!vaddr) ++ return -EINVAL; ++ ++ iosys_map_set_vaddr(map, vaddr); + + return 0; + } diff --git a/queue-6.7/mmc-core-use-mrq.sbc-in-close-ended-ffu.patch b/queue-6.7/mmc-core-use-mrq.sbc-in-close-ended-ffu.patch new file mode 100644 index 00000000000..bb1bebccff9 --- /dev/null +++ b/queue-6.7/mmc-core-use-mrq.sbc-in-close-ended-ffu.patch @@ -0,0 +1,145 @@ +From 4d0c8d0aef6355660b6775d57ccd5d4ea2e15802 Mon Sep 17 00:00:00 2001 +From: Avri Altman +Date: Wed, 29 Nov 2023 11:25:35 +0200 +Subject: mmc: core: Use mrq.sbc in close-ended ffu + +From: Avri Altman + +commit 4d0c8d0aef6355660b6775d57ccd5d4ea2e15802 upstream. + +Field Firmware Update (ffu) may use close-ended or open ended sequence. +Each such sequence is comprised of a write commands enclosed between 2 +switch commands - to and from ffu mode. So for the close-ended case, it +will be: cmd6->cmd23-cmd25-cmd6. + +Some host controllers however, get confused when multi-block rw is sent +without sbc, and may generate auto-cmd12 which breaks the ffu sequence. +I encountered this issue while testing fwupd (github.com/fwupd/fwupd) +on HP Chromebook x2, a qualcomm based QC-7c, code name - strongbad. + +Instead of a quirk, or hooking the request function of the msm ops, +it would be better to fix the ioctl handling and make it use mrq.sbc +instead of issuing SET_BLOCK_COUNT separately. + +Signed-off-by: Avri Altman +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231129092535.3278-1-avri.altman@wdc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 46 +++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 43 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -400,6 +400,10 @@ struct mmc_blk_ioc_data { + struct mmc_ioc_cmd ic; + unsigned char *buf; + u64 buf_bytes; ++ unsigned int flags; ++#define MMC_BLK_IOC_DROP BIT(0) /* drop this mrq */ ++#define MMC_BLK_IOC_SBC BIT(1) /* use mrq.sbc */ ++ + struct mmc_rpmb_data *rpmb; + }; + +@@ -465,7 +469,7 @@ static int mmc_blk_ioctl_copy_to_user(st + } + + static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md, +- struct mmc_blk_ioc_data *idata) ++ struct mmc_blk_ioc_data **idatas, int i) + { + struct mmc_command cmd = {}, sbc = {}; + struct mmc_data data = {}; +@@ -475,10 +479,18 @@ static int __mmc_blk_ioctl_cmd(struct mm + unsigned int busy_timeout_ms; + int err; + unsigned int target_part; ++ struct mmc_blk_ioc_data *idata = idatas[i]; ++ struct mmc_blk_ioc_data *prev_idata = NULL; + + if (!card || !md || !idata) + return -EINVAL; + ++ if (idata->flags & MMC_BLK_IOC_DROP) ++ return 0; ++ ++ if (idata->flags & MMC_BLK_IOC_SBC) ++ prev_idata = idatas[i - 1]; ++ + /* + * The RPMB accesses comes in from the character device, so we + * need to target these explicitly. Else we just target the +@@ -532,7 +544,7 @@ static int __mmc_blk_ioctl_cmd(struct mm + return err; + } + +- if (idata->rpmb) { ++ if (idata->rpmb || prev_idata) { + sbc.opcode = MMC_SET_BLOCK_COUNT; + /* + * We don't do any blockcount validation because the max size +@@ -540,6 +552,8 @@ static int __mmc_blk_ioctl_cmd(struct mm + * 'Reliable Write' bit here. + */ + sbc.arg = data.blocks | (idata->ic.write_flag & BIT(31)); ++ if (prev_idata) ++ sbc.arg = prev_idata->ic.arg; + sbc.flags = MMC_RSP_R1 | MMC_CMD_AC; + mrq.sbc = &sbc; + } +@@ -557,6 +571,15 @@ static int __mmc_blk_ioctl_cmd(struct mm + mmc_wait_for_req(card->host, &mrq); + memcpy(&idata->ic.response, cmd.resp, sizeof(cmd.resp)); + ++ if (prev_idata) { ++ memcpy(&prev_idata->ic.response, sbc.resp, sizeof(sbc.resp)); ++ if (sbc.error) { ++ dev_err(mmc_dev(card->host), "%s: sbc error %d\n", ++ __func__, sbc.error); ++ return sbc.error; ++ } ++ } ++ + if (cmd.error) { + dev_err(mmc_dev(card->host), "%s: cmd error %d\n", + __func__, cmd.error); +@@ -1034,6 +1057,20 @@ static inline void mmc_blk_reset_success + md->reset_done &= ~type; + } + ++static void mmc_blk_check_sbc(struct mmc_queue_req *mq_rq) ++{ ++ struct mmc_blk_ioc_data **idata = mq_rq->drv_op_data; ++ int i; ++ ++ for (i = 1; i < mq_rq->ioc_count; i++) { ++ if (idata[i - 1]->ic.opcode == MMC_SET_BLOCK_COUNT && ++ mmc_op_multi(idata[i]->ic.opcode)) { ++ idata[i - 1]->flags |= MMC_BLK_IOC_DROP; ++ idata[i]->flags |= MMC_BLK_IOC_SBC; ++ } ++ } ++} ++ + /* + * The non-block commands come back from the block layer after it queued it and + * processed it with all other requests and then they get issued in this +@@ -1061,11 +1098,14 @@ static void mmc_blk_issue_drv_op(struct + if (ret) + break; + } ++ ++ mmc_blk_check_sbc(mq_rq); ++ + fallthrough; + case MMC_DRV_OP_IOCTL_RPMB: + idata = mq_rq->drv_op_data; + for (i = 0, ret = 0; i < mq_rq->ioc_count; i++) { +- ret = __mmc_blk_ioctl_cmd(card, md, idata[i]); ++ ret = __mmc_blk_ioctl_cmd(card, md, idata, i); + if (ret) + break; + } diff --git a/queue-6.7/mmc-mmc_spi-remove-custom-dma-mapped-buffers.patch b/queue-6.7/mmc-mmc_spi-remove-custom-dma-mapped-buffers.patch new file mode 100644 index 00000000000..8e8eacf497d --- /dev/null +++ b/queue-6.7/mmc-mmc_spi-remove-custom-dma-mapped-buffers.patch @@ -0,0 +1,448 @@ +From 84a6be7db9050dd2601c9870f65eab9a665d2d5d Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 8 Dec 2023 00:19:01 +0200 +Subject: mmc: mmc_spi: remove custom DMA mapped buffers + +From: Andy Shevchenko + +commit 84a6be7db9050dd2601c9870f65eab9a665d2d5d upstream. + +There is no need to duplicate what SPI core or individual controller +drivers already do, i.e. mapping the buffers for DMA capable transfers. + +Note, that the code, besides its redundancy, was buggy: strictly speaking +there is no guarantee, while it's true for those which can use this code +(see below), that the SPI host controller _is_ the device which does DMA. + +Also see the Link tags below. + +Additional notes. Currently only two SPI host controller drivers may use +premapped (by the user) DMA buffers: + + - drivers/spi/spi-au1550.c + + - drivers/spi/spi-fsl-spi.c + +Both of them have DMA mapping support code. I don't expect that SPI host +controller code is worse than what has been done in mmc_spi. Hence I do +not expect any regressions here. Otherwise, I'm pretty much sure these +regressions have to be fixed in the respective drivers, and not here. + +That said, remove all related pieces of DMA mapping code from mmc_spi. + +Link: https://lore.kernel.org/linux-mmc/c73b9ba9-1699-2aff-e2fd-b4b4f292a3ca@raspberrypi.org/ +Link: https://stackoverflow.com/questions/67620728/mmc-spi-issue-not-able-to-setup-mmc-sd-card-in-linux +Signed-off-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231207221901.3259962-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mmc_spi.c | 186 +-------------------------------------------- + 1 file changed, 5 insertions(+), 181 deletions(-) + +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -15,7 +15,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -119,19 +119,14 @@ struct mmc_spi_host { + struct spi_transfer status; + struct spi_message readback; + +- /* underlying DMA-aware controller, or null */ +- struct device *dma_dev; +- + /* buffer used for commands and for message "overhead" */ + struct scratch *data; +- dma_addr_t data_dma; + + /* Specs say to write ones most of the time, even when the card + * has no need to read its input data; and many cards won't care. + * This is our source of those ones. + */ + void *ones; +- dma_addr_t ones_dma; + }; + + +@@ -147,11 +142,8 @@ static inline int mmc_cs_off(struct mmc_ + return spi_setup(host->spi); + } + +-static int +-mmc_spi_readbytes(struct mmc_spi_host *host, unsigned len) ++static int mmc_spi_readbytes(struct mmc_spi_host *host, unsigned int len) + { +- int status; +- + if (len > sizeof(*host->data)) { + WARN_ON(1); + return -EIO; +@@ -159,19 +151,7 @@ mmc_spi_readbytes(struct mmc_spi_host *h + + host->status.len = len; + +- if (host->dma_dev) +- dma_sync_single_for_device(host->dma_dev, +- host->data_dma, sizeof(*host->data), +- DMA_FROM_DEVICE); +- +- status = spi_sync_locked(host->spi, &host->readback); +- +- if (host->dma_dev) +- dma_sync_single_for_cpu(host->dma_dev, +- host->data_dma, sizeof(*host->data), +- DMA_FROM_DEVICE); +- +- return status; ++ return spi_sync_locked(host->spi, &host->readback); + } + + static int mmc_spi_skip(struct mmc_spi_host *host, unsigned long timeout, +@@ -506,23 +486,11 @@ mmc_spi_command_send(struct mmc_spi_host + t = &host->t; + memset(t, 0, sizeof(*t)); + t->tx_buf = t->rx_buf = data->status; +- t->tx_dma = t->rx_dma = host->data_dma; + t->len = cp - data->status; + t->cs_change = 1; + spi_message_add_tail(t, &host->m); + +- if (host->dma_dev) { +- host->m.is_dma_mapped = 1; +- dma_sync_single_for_device(host->dma_dev, +- host->data_dma, sizeof(*host->data), +- DMA_BIDIRECTIONAL); +- } + status = spi_sync_locked(host->spi, &host->m); +- +- if (host->dma_dev) +- dma_sync_single_for_cpu(host->dma_dev, +- host->data_dma, sizeof(*host->data), +- DMA_BIDIRECTIONAL); + if (status < 0) { + dev_dbg(&host->spi->dev, " ... write returned %d\n", status); + cmd->error = status; +@@ -540,9 +508,6 @@ mmc_spi_command_send(struct mmc_spi_host + * We always provide TX data for data and CRC. The MMC/SD protocol + * requires us to write ones; but Linux defaults to writing zeroes; + * so we explicitly initialize it to all ones on RX paths. +- * +- * We also handle DMA mapping, so the underlying SPI controller does +- * not need to (re)do it for each message. + */ + static void + mmc_spi_setup_data_message( +@@ -552,11 +517,8 @@ mmc_spi_setup_data_message( + { + struct spi_transfer *t; + struct scratch *scratch = host->data; +- dma_addr_t dma = host->data_dma; + + spi_message_init(&host->m); +- if (dma) +- host->m.is_dma_mapped = 1; + + /* for reads, readblock() skips 0xff bytes before finding + * the token; for writes, this transfer issues that token. +@@ -570,8 +532,6 @@ mmc_spi_setup_data_message( + else + scratch->data_token = SPI_TOKEN_SINGLE; + t->tx_buf = &scratch->data_token; +- if (dma) +- t->tx_dma = dma + offsetof(struct scratch, data_token); + spi_message_add_tail(t, &host->m); + } + +@@ -581,7 +541,6 @@ mmc_spi_setup_data_message( + t = &host->t; + memset(t, 0, sizeof(*t)); + t->tx_buf = host->ones; +- t->tx_dma = host->ones_dma; + /* length and actual buffer info are written later */ + spi_message_add_tail(t, &host->m); + +@@ -591,14 +550,9 @@ mmc_spi_setup_data_message( + if (direction == DMA_TO_DEVICE) { + /* the actual CRC may get written later */ + t->tx_buf = &scratch->crc_val; +- if (dma) +- t->tx_dma = dma + offsetof(struct scratch, crc_val); + } else { + t->tx_buf = host->ones; +- t->tx_dma = host->ones_dma; + t->rx_buf = &scratch->crc_val; +- if (dma) +- t->rx_dma = dma + offsetof(struct scratch, crc_val); + } + spi_message_add_tail(t, &host->m); + +@@ -621,10 +575,7 @@ mmc_spi_setup_data_message( + memset(t, 0, sizeof(*t)); + t->len = (direction == DMA_TO_DEVICE) ? sizeof(scratch->status) : 1; + t->tx_buf = host->ones; +- t->tx_dma = host->ones_dma; + t->rx_buf = scratch->status; +- if (dma) +- t->rx_dma = dma + offsetof(struct scratch, status); + t->cs_change = 1; + spi_message_add_tail(t, &host->m); + } +@@ -653,23 +604,13 @@ mmc_spi_writeblock(struct mmc_spi_host * + + if (host->mmc->use_spi_crc) + scratch->crc_val = cpu_to_be16(crc_itu_t(0, t->tx_buf, t->len)); +- if (host->dma_dev) +- dma_sync_single_for_device(host->dma_dev, +- host->data_dma, sizeof(*scratch), +- DMA_BIDIRECTIONAL); + + status = spi_sync_locked(spi, &host->m); +- + if (status != 0) { + dev_dbg(&spi->dev, "write error (%d)\n", status); + return status; + } + +- if (host->dma_dev) +- dma_sync_single_for_cpu(host->dma_dev, +- host->data_dma, sizeof(*scratch), +- DMA_BIDIRECTIONAL); +- + /* + * Get the transmission data-response reply. It must follow + * immediately after the data block we transferred. This reply +@@ -718,8 +659,6 @@ mmc_spi_writeblock(struct mmc_spi_host * + } + + t->tx_buf += t->len; +- if (host->dma_dev) +- t->tx_dma += t->len; + + /* Return when not busy. If we didn't collect that status yet, + * we'll need some more I/O. +@@ -783,30 +722,12 @@ mmc_spi_readblock(struct mmc_spi_host *h + } + leftover = status << 1; + +- if (host->dma_dev) { +- dma_sync_single_for_device(host->dma_dev, +- host->data_dma, sizeof(*scratch), +- DMA_BIDIRECTIONAL); +- dma_sync_single_for_device(host->dma_dev, +- t->rx_dma, t->len, +- DMA_FROM_DEVICE); +- } +- + status = spi_sync_locked(spi, &host->m); + if (status < 0) { + dev_dbg(&spi->dev, "read error %d\n", status); + return status; + } + +- if (host->dma_dev) { +- dma_sync_single_for_cpu(host->dma_dev, +- host->data_dma, sizeof(*scratch), +- DMA_BIDIRECTIONAL); +- dma_sync_single_for_cpu(host->dma_dev, +- t->rx_dma, t->len, +- DMA_FROM_DEVICE); +- } +- + if (bitshift) { + /* Walk through the data and the crc and do + * all the magic to get byte-aligned data. +@@ -841,8 +762,6 @@ mmc_spi_readblock(struct mmc_spi_host *h + } + + t->rx_buf += t->len; +- if (host->dma_dev) +- t->rx_dma += t->len; + + return 0; + } +@@ -857,7 +776,6 @@ mmc_spi_data_do(struct mmc_spi_host *hos + struct mmc_data *data, u32 blk_size) + { + struct spi_device *spi = host->spi; +- struct device *dma_dev = host->dma_dev; + struct spi_transfer *t; + enum dma_data_direction direction = mmc_get_dma_dir(data); + struct scatterlist *sg; +@@ -884,31 +802,8 @@ mmc_spi_data_do(struct mmc_spi_host *hos + */ + for_each_sg(data->sg, sg, data->sg_len, n_sg) { + int status = 0; +- dma_addr_t dma_addr = 0; + void *kmap_addr; + unsigned length = sg->length; +- enum dma_data_direction dir = direction; +- +- /* set up dma mapping for controller drivers that might +- * use DMA ... though they may fall back to PIO +- */ +- if (dma_dev) { +- /* never invalidate whole *shared* pages ... */ +- if ((sg->offset != 0 || length != PAGE_SIZE) +- && dir == DMA_FROM_DEVICE) +- dir = DMA_BIDIRECTIONAL; +- +- dma_addr = dma_map_page(dma_dev, sg_page(sg), 0, +- PAGE_SIZE, dir); +- if (dma_mapping_error(dma_dev, dma_addr)) { +- data->error = -EFAULT; +- break; +- } +- if (direction == DMA_TO_DEVICE) +- t->tx_dma = dma_addr + sg->offset; +- else +- t->rx_dma = dma_addr + sg->offset; +- } + + /* allow pio too; we don't allow highmem */ + kmap_addr = kmap(sg_page(sg)); +@@ -941,8 +836,6 @@ mmc_spi_data_do(struct mmc_spi_host *hos + if (direction == DMA_FROM_DEVICE) + flush_dcache_page(sg_page(sg)); + kunmap(sg_page(sg)); +- if (dma_dev) +- dma_unmap_page(dma_dev, dma_addr, PAGE_SIZE, dir); + + if (status < 0) { + data->error = status; +@@ -977,21 +870,9 @@ mmc_spi_data_do(struct mmc_spi_host *hos + scratch->status[0] = SPI_TOKEN_STOP_TRAN; + + host->early_status.tx_buf = host->early_status.rx_buf; +- host->early_status.tx_dma = host->early_status.rx_dma; + host->early_status.len = statlen; + +- if (host->dma_dev) +- dma_sync_single_for_device(host->dma_dev, +- host->data_dma, sizeof(*scratch), +- DMA_BIDIRECTIONAL); +- + tmp = spi_sync_locked(spi, &host->m); +- +- if (host->dma_dev) +- dma_sync_single_for_cpu(host->dma_dev, +- host->data_dma, sizeof(*scratch), +- DMA_BIDIRECTIONAL); +- + if (tmp < 0) { + if (!data->error) + data->error = tmp; +@@ -1265,52 +1146,6 @@ mmc_spi_detect_irq(int irq, void *mmc) + return IRQ_HANDLED; + } + +-#ifdef CONFIG_HAS_DMA +-static int mmc_spi_dma_alloc(struct mmc_spi_host *host) +-{ +- struct spi_device *spi = host->spi; +- struct device *dev; +- +- if (!spi->master->dev.parent->dma_mask) +- return 0; +- +- dev = spi->master->dev.parent; +- +- host->ones_dma = dma_map_single(dev, host->ones, MMC_SPI_BLOCKSIZE, +- DMA_TO_DEVICE); +- if (dma_mapping_error(dev, host->ones_dma)) +- return -ENOMEM; +- +- host->data_dma = dma_map_single(dev, host->data, sizeof(*host->data), +- DMA_BIDIRECTIONAL); +- if (dma_mapping_error(dev, host->data_dma)) { +- dma_unmap_single(dev, host->ones_dma, MMC_SPI_BLOCKSIZE, +- DMA_TO_DEVICE); +- return -ENOMEM; +- } +- +- dma_sync_single_for_cpu(dev, host->data_dma, sizeof(*host->data), +- DMA_BIDIRECTIONAL); +- +- host->dma_dev = dev; +- return 0; +-} +- +-static void mmc_spi_dma_free(struct mmc_spi_host *host) +-{ +- if (!host->dma_dev) +- return; +- +- dma_unmap_single(host->dma_dev, host->ones_dma, MMC_SPI_BLOCKSIZE, +- DMA_TO_DEVICE); +- dma_unmap_single(host->dma_dev, host->data_dma, sizeof(*host->data), +- DMA_BIDIRECTIONAL); +-} +-#else +-static inline int mmc_spi_dma_alloc(struct mmc_spi_host *host) { return 0; } +-static inline void mmc_spi_dma_free(struct mmc_spi_host *host) {} +-#endif +- + static int mmc_spi_probe(struct spi_device *spi) + { + void *ones; +@@ -1402,24 +1237,17 @@ static int mmc_spi_probe(struct spi_devi + host->powerup_msecs = 250; + } + +- /* preallocate dma buffers */ ++ /* Preallocate buffers */ + host->data = kmalloc(sizeof(*host->data), GFP_KERNEL); + if (!host->data) + goto fail_nobuf1; + +- status = mmc_spi_dma_alloc(host); +- if (status) +- goto fail_dma; +- + /* setup message for status/busy readback */ + spi_message_init(&host->readback); +- host->readback.is_dma_mapped = (host->dma_dev != NULL); + + spi_message_add_tail(&host->status, &host->readback); + host->status.tx_buf = host->ones; +- host->status.tx_dma = host->ones_dma; + host->status.rx_buf = &host->data->status; +- host->status.rx_dma = host->data_dma + offsetof(struct scratch, status); + host->status.cs_change = 1; + + /* register card detect irq */ +@@ -1464,9 +1292,8 @@ static int mmc_spi_probe(struct spi_devi + if (!status) + has_ro = true; + +- dev_info(&spi->dev, "SD/MMC host %s%s%s%s%s\n", ++ dev_info(&spi->dev, "SD/MMC host %s%s%s%s\n", + dev_name(&mmc->class_dev), +- host->dma_dev ? "" : ", no DMA", + has_ro ? "" : ", no WP", + (host->pdata && host->pdata->setpower) + ? "" : ", no poweroff", +@@ -1477,8 +1304,6 @@ static int mmc_spi_probe(struct spi_devi + fail_gpiod_request: + mmc_remove_host(mmc); + fail_glue_init: +- mmc_spi_dma_free(host); +-fail_dma: + kfree(host->data); + fail_nobuf1: + mmc_spi_put_pdata(spi); +@@ -1500,7 +1325,6 @@ static void mmc_spi_remove(struct spi_de + + mmc_remove_host(mmc); + +- mmc_spi_dma_free(host); + kfree(host->data); + kfree(host->ones); + diff --git a/queue-6.7/nouveau-gsp-handle-engines-in-runl-without-nonstall-interrupts.patch b/queue-6.7/nouveau-gsp-handle-engines-in-runl-without-nonstall-interrupts.patch new file mode 100644 index 00000000000..ea01dd7ccf2 --- /dev/null +++ b/queue-6.7/nouveau-gsp-handle-engines-in-runl-without-nonstall-interrupts.patch @@ -0,0 +1,66 @@ +From 205e18c13545ab43cc4fe4930732b4feef551198 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Wed, 10 Jan 2024 11:14:05 +1000 +Subject: nouveau/gsp: handle engines in runl without nonstall interrupts. + +From: Dave Airlie + +commit 205e18c13545ab43cc4fe4930732b4feef551198 upstream. + +It appears on TU106 GPUs (2070), that some of the nvdec engines +are in the runlist but have no valid nonstall interrupt, nouveau +didn't handle that too well. + +This should let nouveau/gsp work on those. + +Cc: stable@vger.kernel.org # v6.7+ +Signed-off-by: Dave Airlie +Link: https://lore.kernel.org/all/20240110011826.3996289-1-airlied@gmail.com/ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 4 ++++ + drivers/gpu/drm/nouveau/nvkm/engine/fifo/r535.c | 2 +- + drivers/gpu/drm/nouveau/nvkm/subdev/gsp/base.c | 8 ++------ + 3 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c +@@ -550,6 +550,10 @@ ga100_fifo_nonstall_ctor(struct nvkm_fif + struct nvkm_engn *engn = list_first_entry(&runl->engns, typeof(*engn), head); + + runl->nonstall.vector = engn->func->nonstall(engn); ++ ++ /* if no nonstall vector just keep going */ ++ if (runl->nonstall.vector == -1) ++ continue; + if (runl->nonstall.vector < 0) { + RUNL_ERROR(runl, "nonstall %d", runl->nonstall.vector); + return runl->nonstall.vector; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/r535.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/r535.c +@@ -351,7 +351,7 @@ r535_engn_nonstall(struct nvkm_engn *eng + int ret; + + ret = nvkm_gsp_intr_nonstall(subdev->device->gsp, subdev->type, subdev->inst); +- WARN_ON(ret < 0); ++ WARN_ON(ret == -ENOENT); + return ret; + } + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/base.c +@@ -25,12 +25,8 @@ int + nvkm_gsp_intr_nonstall(struct nvkm_gsp *gsp, enum nvkm_subdev_type type, int inst) + { + for (int i = 0; i < gsp->intr_nr; i++) { +- if (gsp->intr[i].type == type && gsp->intr[i].inst == inst) { +- if (gsp->intr[i].nonstall != ~0) +- return gsp->intr[i].nonstall; +- +- return -EINVAL; +- } ++ if (gsp->intr[i].type == type && gsp->intr[i].inst == inst) ++ return gsp->intr[i].nonstall; + } + + return -ENOENT; diff --git a/queue-6.7/nouveau-vmm-don-t-set-addr-on-the-fail-path-to-avoid-warning.patch b/queue-6.7/nouveau-vmm-don-t-set-addr-on-the-fail-path-to-avoid-warning.patch new file mode 100644 index 00000000000..71211f72c03 --- /dev/null +++ b/queue-6.7/nouveau-vmm-don-t-set-addr-on-the-fail-path-to-avoid-warning.patch @@ -0,0 +1,80 @@ +From cacea81390fd8c8c85404e5eb2adeb83d87a912e Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 18 Jan 2024 06:19:57 +1000 +Subject: nouveau/vmm: don't set addr on the fail path to avoid warning + +From: Dave Airlie + +commit cacea81390fd8c8c85404e5eb2adeb83d87a912e upstream. + +nvif_vmm_put gets called if addr is set, but if the allocation +fails we don't need to call put, otherwise we get a warning like + +[523232.435671] ------------[ cut here ]------------ +[523232.435674] WARNING: CPU: 8 PID: 1505697 at drivers/gpu/drm/nouveau/nvif/vmm.c:68 nvif_vmm_put+0x72/0x80 [nouveau] +[523232.435795] Modules linked in: uinput rfcomm snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink qrtr bnep sunrpc binfmt_misc intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common isst_if_common iwlmvm nfit libnvdimm vfat fat x86_pkg_temp_thermal intel_powerclamp mac80211 snd_soc_avs snd_soc_hda_codec coretemp snd_hda_ext_core snd_soc_core snd_hda_codec_realtek kvm_intel snd_hda_codec_hdmi snd_compress snd_hda_codec_generic ac97_bus snd_pcm_dmaengine snd_hda_intel libarc4 snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm iwlwifi snd_hda_core btusb snd_hwdep btrtl snd_seq btintel irqbypass btbcm rapl snd_seq_device eeepc_wmi btmtk intel_cstate iTCO_wdt cfg80211 snd_pcm asus_wmi bluetooth intel_pmc_bxt iTCO_vendor_support snd_timer ledtrig_audio pktcdvd snd mei_me +[523232.435828] sparse_keymap intel_uncore i2c_i801 platform_profile wmi_bmof mei pcspkr ioatdma soundcore i2c_smbus rfkill idma64 dca joydev acpi_tad loop zram nouveau drm_ttm_helper ttm video drm_exec drm_gpuvm gpu_sched crct10dif_pclmul i2c_algo_bit nvme crc32_pclmul crc32c_intel drm_display_helper polyval_clmulni nvme_core polyval_generic e1000e mxm_wmi cec ghash_clmulni_intel r8169 sha512_ssse3 nvme_common wmi pinctrl_sunrisepoint uas usb_storage ip6_tables ip_tables fuse +[523232.435849] CPU: 8 PID: 1505697 Comm: gnome-shell Tainted: G W 6.6.0-rc7-nvk-uapi+ #12 +[523232.435851] Hardware name: System manufacturer System Product Name/ROG STRIX X299-E GAMING II, BIOS 1301 09/24/2021 +[523232.435852] RIP: 0010:nvif_vmm_put+0x72/0x80 [nouveau] +[523232.435934] Code: 00 00 48 89 e2 be 02 00 00 00 48 c7 04 24 00 00 00 00 48 89 44 24 08 e8 fc bf ff ff 85 +c0 75 0a 48 c7 43 08 00 00 00 00 eb b3 <0f> 0b eb f2 e8 f5 c9 b2 e6 0f 1f 44 00 00 90 90 90 90 90 90 90 90 +[523232.435936] RSP: 0018:ffffc900077ffbd8 EFLAGS: 00010282 +[523232.435937] RAX: 00000000fffffffe RBX: ffffc900077ffc00 RCX: 0000000000000010 +[523232.435938] RDX: 0000000000000010 RSI: ffffc900077ffb38 RDI: ffffc900077ffbd8 +[523232.435940] RBP: ffff888e1c4f2140 R08: 0000000000000000 R09: 0000000000000000 +[523232.435940] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888503811800 +[523232.435941] R13: ffffc900077ffca0 R14: ffff888e1c4f2140 R15: ffff88810317e1e0 +[523232.435942] FS: 00007f933a769640(0000) GS:ffff88905fa00000(0000) knlGS:0000000000000000 +[523232.435943] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[523232.435944] CR2: 00007f930bef7000 CR3: 00000005d0322001 CR4: 00000000003706e0 +[523232.435945] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[523232.435946] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[523232.435964] Call Trace: +[523232.435965] +[523232.435966] ? nvif_vmm_put+0x72/0x80 [nouveau] +[523232.436051] ? __warn+0x81/0x130 +[523232.436055] ? nvif_vmm_put+0x72/0x80 [nouveau] +[523232.436138] ? report_bug+0x171/0x1a0 +[523232.436142] ? handle_bug+0x3c/0x80 +[523232.436144] ? exc_invalid_op+0x17/0x70 +[523232.436145] ? asm_exc_invalid_op+0x1a/0x20 +[523232.436149] ? nvif_vmm_put+0x72/0x80 [nouveau] +[523232.436230] ? nvif_vmm_put+0x64/0x80 [nouveau] +[523232.436342] nouveau_vma_del+0x80/0xd0 [nouveau] +[523232.436506] nouveau_vma_new+0x1a0/0x210 [nouveau] +[523232.436671] nouveau_gem_object_open+0x1d0/0x1f0 [nouveau] +[523232.436835] drm_gem_handle_create_tail+0xd1/0x180 +[523232.436840] drm_prime_fd_to_handle_ioctl+0x12e/0x200 +[523232.436844] ? __pfx_drm_prime_fd_to_handle_ioctl+0x10/0x10 +[523232.436847] drm_ioctl_kernel+0xd3/0x180 +[523232.436849] drm_ioctl+0x26d/0x4b0 +[523232.436851] ? __pfx_drm_prime_fd_to_handle_ioctl+0x10/0x10 +[523232.436855] nouveau_drm_ioctl+0x5a/0xb0 [nouveau] +[523232.437032] __x64_sys_ioctl+0x94/0xd0 +[523232.437036] do_syscall_64+0x5d/0x90 +[523232.437040] ? syscall_exit_to_user_mode+0x2b/0x40 +[523232.437044] ? do_syscall_64+0x6c/0x90 +[523232.437046] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Reported-by: Faith Ekstrand +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20240117213852.295565-1-airlied@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_vmm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nouveau_vmm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_vmm.c +@@ -108,6 +108,9 @@ nouveau_vma_new(struct nouveau_bo *nvbo, + } else { + ret = nvif_vmm_get(&vmm->vmm, PTES, false, mem->mem.page, 0, + mem->mem.size, &tmp); ++ if (ret) ++ goto done; ++ + vma->addr = tmp.addr; + } + diff --git a/queue-6.7/risc-v-selftests-cbo-ensure-asm-operands-match-constraints.patch b/queue-6.7/risc-v-selftests-cbo-ensure-asm-operands-match-constraints.patch new file mode 100644 index 00000000000..09e738d8e0d --- /dev/null +++ b/queue-6.7/risc-v-selftests-cbo-ensure-asm-operands-match-constraints.patch @@ -0,0 +1,55 @@ +From 0de65288d75ff96c30e216557d979fb9342c4323 Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Wed, 17 Jan 2024 14:09:34 +0100 +Subject: RISC-V: selftests: cbo: Ensure asm operands match constraints + +From: Andrew Jones + +commit 0de65288d75ff96c30e216557d979fb9342c4323 upstream. + +The 'i' constraint expects a constant operand, which fn and its +constant derivative MK_CBO(fn) are, but passing fn through a function +as a parameter and using a local variable for MK_CBO(fn) allow the +compiler to lose sight of that when no optimization is done. Use +a macro instead of a function and skip the local variable to ensure +the compiler uses constants, matching the asm constraints. + +Reported-by: Yunhui Cui +Closes: https://lore.kernel.org/all/20240117082514.42967-1-cuiyunhui@bytedance.com +Fixes: a29e2a48afe3 ("RISC-V: selftests: Add CBO tests") +Signed-off-by: Andrew Jones +Link: https://lore.kernel.org/r/20240117130933.57514-2-ajones@ventanamicro.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/riscv/hwprobe/cbo.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/tools/testing/selftests/riscv/hwprobe/cbo.c ++++ b/tools/testing/selftests/riscv/hwprobe/cbo.c +@@ -36,16 +36,14 @@ static void sigill_handler(int sig, sigi + regs[0] += 4; + } + +-static void cbo_insn(char *base, int fn) +-{ +- uint32_t insn = MK_CBO(fn); +- +- asm volatile( +- "mv a0, %0\n" +- "li a1, %1\n" +- ".4byte %2\n" +- : : "r" (base), "i" (fn), "i" (insn) : "a0", "a1", "memory"); +-} ++#define cbo_insn(base, fn) \ ++({ \ ++ asm volatile( \ ++ "mv a0, %0\n" \ ++ "li a1, %1\n" \ ++ ".4byte %2\n" \ ++ : : "r" (base), "i" (fn), "i" (MK_CBO(fn)) : "a0", "a1", "memory"); \ ++}) + + static void cbo_inval(char *base) { cbo_insn(base, 0); } + static void cbo_clean(char *base) { cbo_insn(base, 1); } diff --git a/queue-6.7/riscv-mm-fixup-compat-arch_get_mmap_end.patch b/queue-6.7/riscv-mm-fixup-compat-arch_get_mmap_end.patch new file mode 100644 index 00000000000..4668303d0f7 --- /dev/null +++ b/queue-6.7/riscv-mm-fixup-compat-arch_get_mmap_end.patch @@ -0,0 +1,38 @@ +From 97b7ac69be2e5a683e898f5267f659fde52efdd5 Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Fri, 22 Dec 2023 06:57:01 -0500 +Subject: riscv: mm: Fixup compat arch_get_mmap_end + +From: Guo Ren + +commit 97b7ac69be2e5a683e898f5267f659fde52efdd5 upstream. + +When the task is in COMPAT mode, the arch_get_mmap_end should be 2GB, +not TASK_SIZE_64. The TASK_SIZE has contained is_compat_mode() +detection, so change the definition of STACK_TOP_MAX to TASK_SIZE +directly. + +Cc: stable@vger.kernel.org +Fixes: add2cc6b6515 ("RISC-V: mm: Restrict address space for sv39,sv48,sv57") +Signed-off-by: Guo Ren +Signed-off-by: Guo Ren +Reviewed-by: Leonardo Bras +Reviewed-by: Charlie Jenkins +Link: https://lore.kernel.org/r/20231222115703.2404036-3-guoren@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/include/asm/processor.h ++++ b/arch/riscv/include/asm/processor.h +@@ -16,7 +16,7 @@ + + #ifdef CONFIG_64BIT + #define DEFAULT_MAP_WINDOW (UL(1) << (MMAP_VA_BITS - 1)) +-#define STACK_TOP_MAX TASK_SIZE_64 ++#define STACK_TOP_MAX TASK_SIZE + + #define arch_get_mmap_end(addr, len, flags) \ + ({ \ diff --git a/queue-6.7/riscv-mm-fixup-compat-mode-boot-failure.patch b/queue-6.7/riscv-mm-fixup-compat-mode-boot-failure.patch new file mode 100644 index 00000000000..8bf42bd83c2 --- /dev/null +++ b/queue-6.7/riscv-mm-fixup-compat-mode-boot-failure.patch @@ -0,0 +1,46 @@ +From 5f449e245e5b0d9d63eef6c8968fbdc3a8594407 Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Fri, 22 Dec 2023 06:57:00 -0500 +Subject: riscv: mm: Fixup compat mode boot failure + +From: Guo Ren + +commit 5f449e245e5b0d9d63eef6c8968fbdc3a8594407 upstream. + +In COMPAT mode, the STACK_TOP is DEFAULT_MAP_WINDOW (0x80000000), but +the TASK_SIZE is 0x7fff000. When the user stack is upon 0x7fff000, it +will cause a user segment fault. Sometimes, it would cause boot +failure when the whole rootfs is rv32. + +Freeing unused kernel image (initmem) memory: 2236K +Run /sbin/init as init process +Starting init: /sbin/init exists but couldn't execute it (error -14) +Run /etc/init as init process +... + +Increase the TASK_SIZE to cover STACK_TOP. + +Cc: stable@vger.kernel.org +Fixes: add2cc6b6515 ("RISC-V: mm: Restrict address space for sv39,sv48,sv57") +Signed-off-by: Guo Ren +Signed-off-by: Guo Ren +Reviewed-by: Leonardo Bras +Reviewed-by: Charlie Jenkins +Link: https://lore.kernel.org/r/20231222115703.2404036-2-guoren@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/pgtable.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -881,7 +881,7 @@ static inline pte_t pte_swp_clear_exclus + #define TASK_SIZE_MIN (PGDIR_SIZE_L3 * PTRS_PER_PGD / 2) + + #ifdef CONFIG_COMPAT +-#define TASK_SIZE_32 (_AC(0x80000000, UL) - PAGE_SIZE) ++#define TASK_SIZE_32 (_AC(0x80000000, UL)) + #define TASK_SIZE (test_thread_flag(TIF_32BIT) ? \ + TASK_SIZE_32 : TASK_SIZE_64) + #else diff --git a/queue-6.7/rtc-add-support-for-configuring-the-uip-timeout-for-rtc-reads.patch b/queue-6.7/rtc-add-support-for-configuring-the-uip-timeout-for-rtc-reads.patch new file mode 100644 index 00000000000..f859be7d9d0 --- /dev/null +++ b/queue-6.7/rtc-add-support-for-configuring-the-uip-timeout-for-rtc-reads.patch @@ -0,0 +1,231 @@ +From 120931db07b49252aba2073096b595482d71857c Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 27 Nov 2023 23:36:52 -0600 +Subject: rtc: Add support for configuring the UIP timeout for RTC reads +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +commit 120931db07b49252aba2073096b595482d71857c upstream. + +The UIP timeout is hardcoded to 10ms for all RTC reads, but in some +contexts this might not be enough time. Add a timeout parameter to +mc146818_get_time() and mc146818_get_time_callback(). + +If UIP timeout is configured by caller to be >=100 ms and a call +takes this long, log a warning. + +Make all callers use 10ms to ensure no functional changes. + +Cc: # 6.1.y +Fixes: ec5895c0f2d8 ("rtc: mc146818-lib: extract mc146818_avoid_UIP") +Signed-off-by: Mario Limonciello +Tested-by: Mateusz Jończyk +Reviewed-by: Mateusz Jończyk +Acked-by: Mateusz Jończyk +Link: https://lore.kernel.org/r/20231128053653.101798-4-mario.limonciello@amd.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/rtc.c | 2 +- + arch/x86/kernel/hpet.c | 2 +- + arch/x86/kernel/rtc.c | 2 +- + drivers/base/power/trace.c | 2 +- + drivers/rtc/rtc-cmos.c | 6 +++--- + drivers/rtc/rtc-mc146818-lib.c | 37 +++++++++++++++++++++++++++++-------- + include/linux/mc146818rtc.h | 3 ++- + 7 files changed, 38 insertions(+), 16 deletions(-) + +--- a/arch/alpha/kernel/rtc.c ++++ b/arch/alpha/kernel/rtc.c +@@ -80,7 +80,7 @@ init_rtc_epoch(void) + static int + alpha_rtc_read_time(struct device *dev, struct rtc_time *tm) + { +- int ret = mc146818_get_time(tm); ++ int ret = mc146818_get_time(tm, 10); + + if (ret < 0) { + dev_err_ratelimited(dev, "unable to read current time\n"); +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -1438,7 +1438,7 @@ irqreturn_t hpet_rtc_interrupt(int irq, + memset(&curr_time, 0, sizeof(struct rtc_time)); + + if (hpet_rtc_flags & (RTC_UIE | RTC_AIE)) { +- if (unlikely(mc146818_get_time(&curr_time) < 0)) { ++ if (unlikely(mc146818_get_time(&curr_time, 10) < 0)) { + pr_err_ratelimited("unable to read current time from RTC\n"); + return IRQ_HANDLED; + } +--- a/arch/x86/kernel/rtc.c ++++ b/arch/x86/kernel/rtc.c +@@ -67,7 +67,7 @@ void mach_get_cmos_time(struct timespec6 + return; + } + +- if (mc146818_get_time(&tm)) { ++ if (mc146818_get_time(&tm, 10)) { + pr_err("Unable to read current time from RTC\n"); + now->tv_sec = now->tv_nsec = 0; + return; +--- a/drivers/base/power/trace.c ++++ b/drivers/base/power/trace.c +@@ -120,7 +120,7 @@ static unsigned int read_magic_time(void + struct rtc_time time; + unsigned int val; + +- if (mc146818_get_time(&time) < 0) { ++ if (mc146818_get_time(&time, 10) < 0) { + pr_err("Unable to read current time from RTC\n"); + return 0; + } +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -231,7 +231,7 @@ static int cmos_read_time(struct device + if (!pm_trace_rtc_valid()) + return -EIO; + +- ret = mc146818_get_time(t); ++ ret = mc146818_get_time(t, 10); + if (ret < 0) { + dev_err_ratelimited(dev, "unable to read current time\n"); + return ret; +@@ -307,7 +307,7 @@ static int cmos_read_alarm(struct device + * + * Use the mc146818_avoid_UIP() function to avoid this. + */ +- if (!mc146818_avoid_UIP(cmos_read_alarm_callback, &p)) ++ if (!mc146818_avoid_UIP(cmos_read_alarm_callback, 10, &p)) + return -EIO; + + if (!(p.rtc_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) { +@@ -556,7 +556,7 @@ static int cmos_set_alarm(struct device + * + * Use mc146818_avoid_UIP() to avoid this. + */ +- if (!mc146818_avoid_UIP(cmos_set_alarm_callback, &p)) ++ if (!mc146818_avoid_UIP(cmos_set_alarm_callback, 10, &p)) + return -ETIMEDOUT; + + cmos->alarm_expires = rtc_tm_to_time64(&t->time); +--- a/drivers/rtc/rtc-mc146818-lib.c ++++ b/drivers/rtc/rtc-mc146818-lib.c +@@ -8,26 +8,31 @@ + #include + #endif + ++#define UIP_RECHECK_DELAY 100 /* usec */ ++#define UIP_RECHECK_DELAY_MS (USEC_PER_MSEC / UIP_RECHECK_DELAY) ++#define UIP_RECHECK_LOOPS_MS(x) (x / UIP_RECHECK_DELAY_MS) ++ + /* + * Execute a function while the UIP (Update-in-progress) bit of the RTC is +- * unset. ++ * unset. The timeout is configurable by the caller in ms. + * + * Warning: callback may be executed more then once. + */ + bool mc146818_avoid_UIP(void (*callback)(unsigned char seconds, void *param), ++ int timeout, + void *param) + { + int i; + unsigned long flags; + unsigned char seconds; + +- for (i = 0; i < 100; i++) { ++ for (i = 0; UIP_RECHECK_LOOPS_MS(i) < timeout; i++) { + spin_lock_irqsave(&rtc_lock, flags); + + /* + * Check whether there is an update in progress during which the + * readout is unspecified. The maximum update time is ~2ms. Poll +- * every 100 usec for completion. ++ * for completion. + * + * Store the second value before checking UIP so a long lasting + * NMI which happens to hit after the UIP check cannot make +@@ -37,7 +42,7 @@ bool mc146818_avoid_UIP(void (*callback) + + if (CMOS_READ(RTC_FREQ_SELECT) & RTC_UIP) { + spin_unlock_irqrestore(&rtc_lock, flags); +- udelay(100); ++ udelay(UIP_RECHECK_DELAY); + continue; + } + +@@ -56,7 +61,7 @@ bool mc146818_avoid_UIP(void (*callback) + */ + if (CMOS_READ(RTC_FREQ_SELECT) & RTC_UIP) { + spin_unlock_irqrestore(&rtc_lock, flags); +- udelay(100); ++ udelay(UIP_RECHECK_DELAY); + continue; + } + +@@ -72,6 +77,10 @@ bool mc146818_avoid_UIP(void (*callback) + } + spin_unlock_irqrestore(&rtc_lock, flags); + ++ if (UIP_RECHECK_LOOPS_MS(i) >= 100) ++ pr_warn("Reading current time from RTC took around %li ms\n", ++ UIP_RECHECK_LOOPS_MS(i)); ++ + return true; + } + return false; +@@ -84,7 +93,7 @@ EXPORT_SYMBOL_GPL(mc146818_avoid_UIP); + */ + bool mc146818_does_rtc_work(void) + { +- return mc146818_avoid_UIP(NULL, NULL); ++ return mc146818_avoid_UIP(NULL, 10, NULL); + } + EXPORT_SYMBOL_GPL(mc146818_does_rtc_work); + +@@ -130,13 +139,25 @@ static void mc146818_get_time_callback(u + p->ctrl = CMOS_READ(RTC_CONTROL); + } + +-int mc146818_get_time(struct rtc_time *time) ++/** ++ * mc146818_get_time - Get the current time from the RTC ++ * @time: pointer to struct rtc_time to store the current time ++ * @timeout: timeout value in ms ++ * ++ * This function reads the current time from the RTC and stores it in the ++ * provided struct rtc_time. The timeout parameter specifies the maximum ++ * time to wait for the RTC to become ready. ++ * ++ * Return: 0 on success, -ETIMEDOUT if the RTC did not become ready within ++ * the specified timeout, or another error code if an error occurred. ++ */ ++int mc146818_get_time(struct rtc_time *time, int timeout) + { + struct mc146818_get_time_callback_param p = { + .time = time + }; + +- if (!mc146818_avoid_UIP(mc146818_get_time_callback, &p)) { ++ if (!mc146818_avoid_UIP(mc146818_get_time_callback, timeout, &p)) { + memset(time, 0, sizeof(*time)); + return -ETIMEDOUT; + } +--- a/include/linux/mc146818rtc.h ++++ b/include/linux/mc146818rtc.h +@@ -126,10 +126,11 @@ struct cmos_rtc_board_info { + #endif /* ARCH_RTC_LOCATION */ + + bool mc146818_does_rtc_work(void); +-int mc146818_get_time(struct rtc_time *time); ++int mc146818_get_time(struct rtc_time *time, int timeout); + int mc146818_set_time(struct rtc_time *time); + + bool mc146818_avoid_UIP(void (*callback)(unsigned char seconds, void *param), ++ int timeout, + void *param); + + #endif /* _MC146818RTC_H */ diff --git a/queue-6.7/rtc-adjust-failure-return-code-for-cmos_set_alarm.patch b/queue-6.7/rtc-adjust-failure-return-code-for-cmos_set_alarm.patch new file mode 100644 index 00000000000..57f04042145 --- /dev/null +++ b/queue-6.7/rtc-adjust-failure-return-code-for-cmos_set_alarm.patch @@ -0,0 +1,50 @@ +From 1311a8f0d4b23f58bbababa13623aa40b8ad4e0c Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 27 Nov 2023 23:36:51 -0600 +Subject: rtc: Adjust failure return code for cmos_set_alarm() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +commit 1311a8f0d4b23f58bbababa13623aa40b8ad4e0c upstream. + +When mc146818_avoid_UIP() fails to return a valid value, this is because +UIP didn't clear in the timeout period. Adjust the return code in this +case to -ETIMEDOUT. + +Tested-by: Mateusz Jończyk +Reviewed-by: Mateusz Jończyk +Acked-by: Mateusz Jończyk +Cc: +Fixes: cdedc45c579f ("rtc: cmos: avoid UIP when reading alarm time") +Fixes: cd17420ebea5 ("rtc: cmos: avoid UIP when writing alarm time") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20231128053653.101798-3-mario.limonciello@amd.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-cmos.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -292,7 +292,7 @@ static int cmos_read_alarm(struct device + + /* This not only a rtc_op, but also called directly */ + if (!is_valid_irq(cmos->irq)) +- return -EIO; ++ return -ETIMEDOUT; + + /* Basic alarms only support hour, minute, and seconds fields. + * Some also support day and month, for alarms up to a year in +@@ -557,7 +557,7 @@ static int cmos_set_alarm(struct device + * Use mc146818_avoid_UIP() to avoid this. + */ + if (!mc146818_avoid_UIP(cmos_set_alarm_callback, &p)) +- return -EIO; ++ return -ETIMEDOUT; + + cmos->alarm_expires = rtc_tm_to_time64(&t->time); + diff --git a/queue-6.7/rtc-cmos-use-acpi-alarm-for-non-intel-x86-systems-too.patch b/queue-6.7/rtc-cmos-use-acpi-alarm-for-non-intel-x86-systems-too.patch new file mode 100644 index 00000000000..aaa82f65da6 --- /dev/null +++ b/queue-6.7/rtc-cmos-use-acpi-alarm-for-non-intel-x86-systems-too.patch @@ -0,0 +1,70 @@ +From 3d762e21d56370a43478b55e604b4a83dd85aafc Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 6 Nov 2023 10:23:10 -0600 +Subject: rtc: cmos: Use ACPI alarm for non-Intel x86 systems too + +From: Mario Limonciello + +commit 3d762e21d56370a43478b55e604b4a83dd85aafc upstream. + +Intel systems > 2015 have been configured to use ACPI alarm instead +of HPET to avoid s2idle issues. + +Having HPET programmed for wakeup causes problems on AMD systems with +s2idle as well. + +One particular case is that the systemd "SuspendThenHibernate" feature +doesn't work properly on the Framework 13" AMD model. Switching to +using ACPI alarm fixes the issue. + +Adjust the quirk to apply to AMD/Hygon systems from 2021 onwards. +This matches what has been tested and is specifically to avoid potential +risk to older systems. + +Cc: # 6.1+ +Reported-by: +Reported-by: +Closes: https://github.com/systemd/systemd/issues/24279 +Reported-by: Kelvie Wong +Closes: https://community.frame.work/t/systemd-suspend-then-hibernate-wakes-up-after-5-minutes/39392 +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20231106162310.85711-1-mario.limonciello@amd.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-cmos.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -818,18 +818,24 @@ static void rtc_wake_off(struct device * + } + + #ifdef CONFIG_X86 +-/* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */ + static void use_acpi_alarm_quirks(void) + { +- if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) ++ switch (boot_cpu_data.x86_vendor) { ++ case X86_VENDOR_INTEL: ++ if (dmi_get_bios_year() < 2015) ++ return; ++ break; ++ case X86_VENDOR_AMD: ++ case X86_VENDOR_HYGON: ++ if (dmi_get_bios_year() < 2021) ++ return; ++ break; ++ default: + return; +- ++ } + if (!is_hpet_enabled()) + return; + +- if (dmi_get_bios_year() < 2015) +- return; +- + use_acpi_alarm = true; + } + #else diff --git a/queue-6.7/rtc-extend-timeout-for-waiting-for-uip-to-clear-to-1s.patch b/queue-6.7/rtc-extend-timeout-for-waiting-for-uip-to-clear-to-1s.patch new file mode 100644 index 00000000000..5d932809443 --- /dev/null +++ b/queue-6.7/rtc-extend-timeout-for-waiting-for-uip-to-clear-to-1s.patch @@ -0,0 +1,85 @@ +From cef9ecc8e938dd48a560f7dd9be1246359248d20 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 27 Nov 2023 23:36:53 -0600 +Subject: rtc: Extend timeout for waiting for UIP to clear to 1s +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +commit cef9ecc8e938dd48a560f7dd9be1246359248d20 upstream. + +Specs don't say anything about UIP being cleared within 10ms. They +only say that UIP won't occur for another 244uS. If a long NMI occurs +while UIP is still updating it might not be possible to get valid +data in 10ms. + +This has been observed in the wild that around s2idle some calls can +take up to 480ms before UIP is clear. + +Adjust callers from outside an interrupt context to wait for up to a +1s instead of 10ms. + +Cc: # 6.1.y +Fixes: ec5895c0f2d8 ("rtc: mc146818-lib: extract mc146818_avoid_UIP") +Reported-by: Carsten Hatger +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217626 +Tested-by: Mateusz Jończyk +Reviewed-by: Mateusz Jończyk +Acked-by: Mateusz Jończyk +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20231128053653.101798-5-mario.limonciello@amd.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/rtc.c | 2 +- + drivers/base/power/trace.c | 2 +- + drivers/rtc/rtc-cmos.c | 2 +- + drivers/rtc/rtc-mc146818-lib.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/rtc.c ++++ b/arch/x86/kernel/rtc.c +@@ -67,7 +67,7 @@ void mach_get_cmos_time(struct timespec6 + return; + } + +- if (mc146818_get_time(&tm, 10)) { ++ if (mc146818_get_time(&tm, 1000)) { + pr_err("Unable to read current time from RTC\n"); + now->tv_sec = now->tv_nsec = 0; + return; +--- a/drivers/base/power/trace.c ++++ b/drivers/base/power/trace.c +@@ -120,7 +120,7 @@ static unsigned int read_magic_time(void + struct rtc_time time; + unsigned int val; + +- if (mc146818_get_time(&time, 10) < 0) { ++ if (mc146818_get_time(&time, 1000) < 0) { + pr_err("Unable to read current time from RTC\n"); + return 0; + } +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -231,7 +231,7 @@ static int cmos_read_time(struct device + if (!pm_trace_rtc_valid()) + return -EIO; + +- ret = mc146818_get_time(t, 10); ++ ret = mc146818_get_time(t, 1000); + if (ret < 0) { + dev_err_ratelimited(dev, "unable to read current time\n"); + return ret; +--- a/drivers/rtc/rtc-mc146818-lib.c ++++ b/drivers/rtc/rtc-mc146818-lib.c +@@ -93,7 +93,7 @@ EXPORT_SYMBOL_GPL(mc146818_avoid_UIP); + */ + bool mc146818_does_rtc_work(void) + { +- return mc146818_avoid_UIP(NULL, 10, NULL); ++ return mc146818_avoid_UIP(NULL, 1000, NULL); + } + EXPORT_SYMBOL_GPL(mc146818_does_rtc_work); + diff --git a/queue-6.7/rtc-mc146818-lib-adjust-failure-return-code-for-mc146818_get_time.patch b/queue-6.7/rtc-mc146818-lib-adjust-failure-return-code-for-mc146818_get_time.patch new file mode 100644 index 00000000000..4aa47d4ad42 --- /dev/null +++ b/queue-6.7/rtc-mc146818-lib-adjust-failure-return-code-for-mc146818_get_time.patch @@ -0,0 +1,44 @@ +From af838635a3eb9b1bc0d98599c101ebca98f31311 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Mon, 27 Nov 2023 23:36:50 -0600 +Subject: rtc: mc146818-lib: Adjust failure return code for mc146818_get_time() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +commit af838635a3eb9b1bc0d98599c101ebca98f31311 upstream. + +mc146818_get_time() calls mc146818_avoid_UIP() to avoid fetching the +time while RTC update is in progress (UIP). When this fails, the return +code is -EIO, but actually there was no IO failure. + +The reason for the return from mc146818_avoid_UIP() is that the UIP +wasn't cleared in the time period. Adjust the return code to -ETIMEDOUT +to match the behavior. + +Tested-by: Mateusz Jończyk +Reviewed-by: Mateusz Jończyk +Acked-by: Mateusz Jończyk +Cc: +Fixes: 2a61b0ac5493 ("rtc: mc146818-lib: refactor mc146818_get_time") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20231128053653.101798-2-mario.limonciello@amd.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-mc146818-lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-mc146818-lib.c ++++ b/drivers/rtc/rtc-mc146818-lib.c +@@ -138,7 +138,7 @@ int mc146818_get_time(struct rtc_time *t + + if (!mc146818_avoid_UIP(mc146818_get_time_callback, &p)) { + memset(time, 0, sizeof(*time)); +- return -EIO; ++ return -ETIMEDOUT; + } + + if (!(p.ctrl & RTC_DM_BINARY) || RTC_ALWAYS_BCD) diff --git a/queue-6.7/scripts-get_abi-fix-source-path-leak.patch b/queue-6.7/scripts-get_abi-fix-source-path-leak.patch new file mode 100644 index 00000000000..b5e80a9569a --- /dev/null +++ b/queue-6.7/scripts-get_abi-fix-source-path-leak.patch @@ -0,0 +1,40 @@ +From 5889d6ede53bc17252f79c142387e007224aa554 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Mon, 1 Jan 2024 00:59:58 +0100 +Subject: scripts/get_abi: fix source path leak + +From: Vegard Nossum + +commit 5889d6ede53bc17252f79c142387e007224aa554 upstream. + +The code currently leaks the absolute path of the ABI files into the +rendered documentation. + +There exists code to prevent this, but it is not effective when an +absolute path is passed, which it is when $srctree is used. + +I consider this to be a minimal, stop-gap fix; a better fix would strip +off the actual prefix instead of hacking it off with a regex. + +Link: https://mastodon.social/@vegard/111677490643495163 +Cc: Jani Nikula +Cc: stable@vger.kernel.org +Signed-off-by: Vegard Nossum +Signed-off-by: Jonathan Corbet +Link: https://lore.kernel.org/r/20231231235959.3342928-1-vegard.nossum@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + scripts/get_abi.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/get_abi.pl ++++ b/scripts/get_abi.pl +@@ -98,7 +98,7 @@ sub parse_abi { + $name =~ s,.*/,,; + + my $fn = $file; +- $fn =~ s,Documentation/ABI/,,; ++ $fn =~ s,.*Documentation/ABI/,,; + + my $nametag = "File $fn"; + $data{$nametag}->{what} = "File $name"; diff --git a/queue-6.7/series b/queue-6.7/series index 759de8df931..94779deda5d 100644 --- a/queue-6.7/series +++ b/queue-6.7/series @@ -79,3 +79,40 @@ arm64-dts-qcom-sm8150-fix-usb-wakeup-interrupt-types.patch arm64-dts-qcom-sc8180x-fix-usb-wakeup-interrupt-types.patch arm64-dts-qcom-sc7280-fix-usb_1-wakeup-interrupt-types.patch arm64-dts-qcom-add-missing-vio-supply-for-aw2013.patch +arm-dts-qcom-sdx55-fix-usb-dp-dm-hs-phy-interrupts.patch +arm64-dts-qcom-sdm845-fix-usb-dp-dm-hs-phy-interrupts.patch +arm64-dts-qcom-sdm845-fix-usb-ss-wakeup.patch +arm64-dts-qcom-sm8150-fix-usb-dp-dm-hs-phy-interrupts.patch +arm64-dts-qcom-sm8150-fix-usb-ss-wakeup.patch +arm64-dts-qcom-sc8180x-fix-usb-dp-dm-hs-phy-interrupts.patch +arm64-dts-qcom-sc8180x-fix-usb-ss-wakeup.patch +arm64-dts-qcom-sdm670-fix-usb-dp-dm-hs-phy-interrupts.patch +arm64-dts-qcom-sdm670-fix-usb-ss-wakeup.patch +arm-dts-qcom-sdx55-fix-usb-ss-wakeup.patch +lsm-new-security_file_ioctl_compat-hook.patch +dlm-use-kernel_connect-and-kernel_bind.patch +docs-kernel_abi.py-fix-command-injection.patch +scripts-get_abi-fix-source-path-leak.patch +media-videobuf2-dma-sg-fix-vmap-callback.patch +mmc-core-use-mrq.sbc-in-close-ended-ffu.patch +mmc-mmc_spi-remove-custom-dma-mapped-buffers.patch +media-i2c-st-mipid02-correct-format-propagation.patch +media-mtk-jpeg-fix-timeout-schedule-error-in-mtk_jpegdec_worker.patch +media-mtk-jpeg-fix-use-after-free-bug-due-to-error-path-handling-in-mtk_jpeg_dec_device_run.patch +riscv-mm-fixup-compat-arch_get_mmap_end.patch +riscv-mm-fixup-compat-mode-boot-failure.patch +risc-v-selftests-cbo-ensure-asm-operands-match-constraints.patch +arm64-rename-arm64_workaround_2966298.patch +arm64-errata-add-cortex-a510-speculative-unprivileged-load-workaround.patch +arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch +arm64-entry-fix-arm64_workaround_speculative_unpriv_load.patch +rtc-cmos-use-acpi-alarm-for-non-intel-x86-systems-too.patch +rtc-adjust-failure-return-code-for-cmos_set_alarm.patch +rtc-mc146818-lib-adjust-failure-return-code-for-mc146818_get_time.patch +rtc-add-support-for-configuring-the-uip-timeout-for-rtc-reads.patch +rtc-extend-timeout-for-waiting-for-uip-to-clear-to-1s.patch +nouveau-vmm-don-t-set-addr-on-the-fail-path-to-avoid-warning.patch +nouveau-gsp-handle-engines-in-runl-without-nonstall-interrupts.patch +efi-disable-mirror-feature-during-crashkernel.patch +kdump-defer-the-insertion-of-crashkernel-resources.patch +ubifs-ubifs_symlink-fix-memleak-of-inode-i_link-in-error-path.patch diff --git a/queue-6.7/ubifs-ubifs_symlink-fix-memleak-of-inode-i_link-in-error-path.patch b/queue-6.7/ubifs-ubifs_symlink-fix-memleak-of-inode-i_link-in-error-path.patch new file mode 100644 index 00000000000..7ecdd3a6686 --- /dev/null +++ b/queue-6.7/ubifs-ubifs_symlink-fix-memleak-of-inode-i_link-in-error-path.patch @@ -0,0 +1,56 @@ +From 1e022216dcd248326a5bb95609d12a6815bca4e2 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Fri, 22 Dec 2023 16:54:46 +0800 +Subject: ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path + +From: Zhihao Cheng + +commit 1e022216dcd248326a5bb95609d12a6815bca4e2 upstream. + +For error handling path in ubifs_symlink(), inode will be marked as +bad first, then iput() is invoked. If inode->i_link is initialized by +fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't +be freed by callchain ubifs_free_inode -> fscrypt_free_inode in error +handling path, because make_bad_inode() has changed 'inode->i_mode' as +'S_IFREG'. +Following kmemleak is easy to be reproduced by injecting error in +ubifs_jnl_update() when doing symlink in encryption scenario: + unreferenced object 0xffff888103da3d98 (size 8): + comm "ln", pid 1692, jiffies 4294914701 (age 12.045s) + backtrace: + kmemdup+0x32/0x70 + __fscrypt_encrypt_symlink+0xed/0x1c0 + ubifs_symlink+0x210/0x300 [ubifs] + vfs_symlink+0x216/0x360 + do_symlinkat+0x11a/0x190 + do_syscall_64+0x3b/0xe0 +There are two ways fixing it: + 1. Remove make_bad_inode() in error handling path. We can do that + because ubifs_evict_inode() will do same processes for good + symlink inode and bad symlink inode, for inode->i_nlink checking + is before is_bad_inode(). + 2. Free inode->i_link before marking inode bad. +Method 2 is picked, it has less influence, personally, I think. + +Cc: stable@vger.kernel.org +Fixes: 2c58d548f570 ("fscrypt: cache decrypted symlink target in ->i_link") +Signed-off-by: Zhihao Cheng +Suggested-by: Eric Biggers +Reviewed-by: Eric Biggers +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/ubifs/dir.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -1234,6 +1234,8 @@ out_cancel: + dir_ui->ui_size = dir->i_size; + mutex_unlock(&dir_ui->ui_mutex); + out_inode: ++ /* Free inode->i_link before inode is marked as bad. */ ++ fscrypt_free_inode(inode); + make_bad_inode(inode); + iput(inode); + out_fname: -- 2.47.3