From 4a87fd3dc5f3d71aa3679e4b1e7de385e5821987 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 1 Feb 2024 11:55:37 -0500 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...mory-failure-flags-as-mf_action_requ.patch | 144 +++++++ ...g-fix-null-pointer-dereference-check.patch | 59 +++ ...uirk-for-the-colorful-x15-at-23-lapt.patch | 51 +++ ...e-of-read_seqbegin_or_lock-in-afs_fi.patch | 89 ++++ ...e-of-read_seqbegin_or_lock-in-afs_lo.patch | 54 +++ ...hda-intel-add-hda_arl-pci-id-support.patch | 41 ++ ...dspcfg-add-filters-for-arl-s-and-arl.patch | 49 +++ ...fer-to-correct-stream-index-at-loops.patch | 70 +++ .../arm-dts-imx-use-flash-0-0-pattern.patch | 81 ++++ queue-5.10/arm-dts-imx1-fix-sram-node.patch | 53 +++ ...-28-fix-the-dma-controller-node-name.patch | 53 +++ ...nsa-use-preferred-i2c-gpios-properti.patch | 61 +++ ...ts-imx25-27-eukrea-fix-rtc-node-name.patch | 52 +++ .../arm-dts-imx25-27-pass-timing0.patch | 138 ++++++ ...-imx25-fix-the-iim-compatible-string.patch | 40 ++ .../arm-dts-imx27-apf27dev-fix-led-name.patch | 39 ++ queue-5.10/arm-dts-imx27-fix-sram-node.patch | 37 ++ ...dts-imx7d-fix-coresight-funnel-ports.patch | 60 +++ .../arm-dts-imx7s-fix-lcdif-compatible.patch | 39 ++ ...imx7s-fix-nand-controller-size-cells.patch | 38 ++ ...-rockchip-fix-rk3036-hdmi-ports-node.patch | 51 +++ ...sm8996-fix-in-ports-is-a-required-pr.patch | 63 +++ ...sm8998-fix-out-ports-is-a-required-p.patch | 88 ++++ ...undefined-snd_soc_dapm_nopm-argument.patch | 37 ++ ...nk-ack-before-setting-connection-in-.patch | 117 +++++ ...fix-io-hang-from-sbitmap-wakeup-race.patch | 72 ++++ ...-integer-overflow-in-bvec_try_merge_.patch | 36 ++ ...v-check-for-unlikely-string-overflow.patch | 88 ++++ ...ap-fix-possible-multiple-reject-send.patch | 42 ++ ...t-both-wideband_speech-and-le_states.patch | 35 ++ ...nomem-instead-of-bug-in-alb_upper_de.patch | 69 +++ ...need_defer-parameters-to-.map_fd_put.patch | 173 ++++++++ ...tch.count-as-zero-before-batched-upd.patch | 51 +++ ...eadlock-or-deadcode-of-misusing-dget.patch | 63 +++ ...x-memory-leak-in-hi3620_mmc_clk_init.patch | 41 ++ ...8-fix-memory-leak-in-pxa168_clk_init.patch | 51 +++ ...32-crc32-fix-parsing-list-of-devices.patch | 46 ++ ...p-accessing-objects-after-releasing-.patch | 407 ++++++++++++++++++ ...v3-don-t-expose-sw_incr-event-in-sys.patch | 55 +++ ...splay-fix-tiled-display-misalignment.patch | 43 ++ ...make-flip_timestamp_in_us-a-64-bit-v.patch | 43 ++ ...y-fix-kzalloc-parameter-atom_tonga_p.patch | 47 ++ ...fence-check-in-to_amdgpu_amdkfd_fenc.patch | 45 ++ ...m-amdgpu-let-kfd-sync-with-vm-fences.patch | 42 ++ ...se-adev-pm.fw-before-return-in-amdgp.patch | 48 +++ ...le-fix-use-of-uninitialized-variable.patch | 43 ++ ...drm_atomic_helper_shutdown-at-shutdo.patch | 86 ++++ queue-5.10/drm-fix-color-lut-rounding.patch | 100 +++++ ...er-fix-use-of-uninitialized-variable.patch | 42 ++ ...i-dsi-fix-detach-call-without-attach.patch | 138 ++++++ ...dpu-ratelimit-framedone-timeout-msgs.patch | 62 +++ ...-mul_u32_u32-requires-linux-math64.h.patch | 45 ++ ...tfs-reject-casefold-directory-inodes.patch | 46 ++ ...e-resizing-failures-due-to-oversized.patch | 133 ++++++ ...stent-between-segment-fstrim-and-ful.patch | 66 +++ ...unnecessary-check-from-alloc_flex_gd.patch | 44 ++ ...-type-of-flexbg_size-to-unsigned-int.patch | 89 ++++ ...k-return-value-of-f2fs_reserve_new_b.patch | 69 +++ ...ointers-on-zoned-device-after-roll-f.patch | 37 ++ ...st_dput-handle-underflows-gracefully.patch | 78 ++++ ...ray-index-out-of-bounds-in-dbadjtree.patch | 99 +++++ queue-5.10/fs-kernfs-dir-obey-s_isgid.patch | 58 +++ ...n-make-pfn-accessors-statics-inlines.patch | 68 +++ ...pc87360-bounds-check-data-innr-usage.patch | 60 +++ ...update-maximum-prescaler-value-for-i.patch | 59 +++ ...isable-behavior-to-block-all-traffic.patch | 123 ++++++ .../ib-ipoib-fix-mcast-list-locking.patch | 94 ++++ .../ionic-pass-opcode-to-devcmd_wait.patch | 63 +++ ...ray-index-out-of-bounds-in-dbadjtree.patch | 237 ++++++++++ ...rray-index-out-of-bounds-in-dinewext.patch | 78 ++++ ...-slab-out-of-bounds-read-in-dtsearch.patch | 45 ++ .../jfs-fix-uaf-in-jfs_evict_inode.patch | 50 +++ ...kvm-s390-fix-setting-of-fpc-register.patch | 70 +++ ...ic-don-t-register-panic-notifier-if-.patch | 43 ++ ...pointer-dereference-in-bpf_object__c.patch | 73 ++++ .../libsubcmd-fix-memory-leak-in-uniq.patch | 62 +++ ...the-array-consult-the-superblock-of-.patch | 155 +++++++ ...ix-an-error-code-problem-in-ddb_prob.patch | 34 ++ ...ip-rga-fix-swizzling-for-rgb-formats.patch | 74 ++++ ...xed-high-volume-of-stk1160_dbg-messa.patch | 47 ++ ...m335x_tscadc-fix-ti-soc-dependencies.patch | 35 ++ ...2c-add-missing-setting-of-the-reg_ct.patch | 60 +++ ...x-fix-mv88e6352_serdes_get_stats-err.patch | 93 ++++ ...void-excessive-sleeps-in-polled-mode.patch | 139 ++++++ .../pci-add-intel_hda_arl-to-pci_ids.h.patch | 41 ++ ...set-quirk-for-nvidia-spectrum-device.patch | 62 +++ ...equester-id-when-no-error-info-found.patch | 69 +++ ...rride-amd-usb-controller-if-required.patch | 55 +++ ...x-stdev_release-crash-after-surprise.patch | 104 +++++ ...rrow-startup-race-when-creating-the-.patch | 82 ++++ .../perf-fix-the-nr_addr_filters-fix.patch | 50 +++ ...chronize-devfreq_monitor_-start-stop.patch | 167 +++++++ queue-5.10/pnp-acpi-fix-fortify-warning.patch | 83 ++++ ...-build-error-due-to-is_valid_bugaddr.patch | 48 +++ ...-validate-size-for-vector-operations.patch | 71 +++ ...uild-failures-due-to-arch_reserved_k.patch | 68 +++ ...ull-pointer-dereference-in-pgtable_c.patch | 49 +++ ..._must_withdraw-is-only-needed-for-co.patch | 56 +++ ...rash-when-setting-number-of-cpus-to-.patch | 47 ++ ...rror-code-return-in-ipoib_mcast_join.patch | 34 ++ ...nly-increment-use_count-when-enable_.patch | 113 +++++ ...ce_conn_rcu-fix-the-usage-of-read_se.patch | 46 ++ ...le-setting-of-fpc-register-correctly.patch | 71 +++ ...ort-new-pci-device-ids-1883-and-1886.patch | 70 +++ ...csi-libfc-don-t-schedule-abort-twice.patch | 68 +++ ...up-timeout-error-in-fc_fcp_rec_error.patch | 37 ++ ...ssible-file-string-name-overflow-whe.patch | 64 +++ ...x-pyperf180-compilation-failure-with.patch | 83 ++++ ...tisfy-compiler-by-having-explicit-re.patch | 35 ++ queue-5.10/series | 127 ++++++ ...c-fix-a-suspicious-rcu-usage-warning.patch | 121 ++++++ ...cktrmios-with-cap_checkpoint_restore.patch | 63 +++ ...y-index-out-of-bounds-in-dtsplitroot.patch | 77 ++++ .../um-don-t-use-vfprintf-for-os_info.patch | 72 ++++ ...ming-clash-between-uml-and-scheduler.patch | 82 ++++ ...ix-return-type-of-uml_net_start_xmit.patch | 53 +++ ...hardcoded-quirk-value-with-bit-macro.patch | 39 ++ ...-directive-writing-between-1-and-11-.patch | 84 ++++ ...t-keep-wdtctrl-bit-3-unmodified-for-.patch | 71 +++ ...otential-array-index-out-of-bounds-r.patch | 61 +++ ...x-rcu-dereference-in-__cfg80211_bss_.patch | 38 ++ ...ee-beacon_ies-when-overridden-from-h.patch | 44 ++ ...art-beacon-queue-when-hardware-reset.patch | 79 ++++ ...d-additional-usb-ids-for-rtl8192eu-d.patch | 48 +++ ...8723-be-ae-using-calculate_bit_shift.patch | 77 ++++ ...t-ignore-nmis-during-very-early-boot.patch | 94 ++++ ...al-mce-s-page-as-poison-to-avoid-pan.patch | 83 ++++ ...he-abuse-of-underlying-struct-page-i.patch | 151 +++++++ 128 files changed, 9235 insertions(+) create mode 100644 queue-5.10/acpi-apei-set-memory-failure-flags-as-mf_action_requ.patch create mode 100644 queue-5.10/acpi-extlog-fix-null-pointer-dereference-check.patch create mode 100644 queue-5.10/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch create mode 100644 queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch create mode 100644 queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_lo.patch create mode 100644 queue-5.10/alsa-hda-intel-add-hda_arl-pci-id-support.patch create mode 100644 queue-5.10/alsa-hda-intel-dspcfg-add-filters-for-arl-s-and-arl.patch create mode 100644 queue-5.10/alsa-hda-refer-to-correct-stream-index-at-loops.patch create mode 100644 queue-5.10/arm-dts-imx-use-flash-0-0-pattern.patch create mode 100644 queue-5.10/arm-dts-imx1-fix-sram-node.patch create mode 100644 queue-5.10/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch create mode 100644 queue-5.10/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch create mode 100644 queue-5.10/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch create mode 100644 queue-5.10/arm-dts-imx25-27-pass-timing0.patch create mode 100644 queue-5.10/arm-dts-imx25-fix-the-iim-compatible-string.patch create mode 100644 queue-5.10/arm-dts-imx27-apf27dev-fix-led-name.patch create mode 100644 queue-5.10/arm-dts-imx27-fix-sram-node.patch create mode 100644 queue-5.10/arm-dts-imx7d-fix-coresight-funnel-ports.patch create mode 100644 queue-5.10/arm-dts-imx7s-fix-lcdif-compatible.patch create mode 100644 queue-5.10/arm-dts-imx7s-fix-nand-controller-size-cells.patch create mode 100644 queue-5.10/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch create mode 100644 queue-5.10/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch create mode 100644 queue-5.10/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch create mode 100644 queue-5.10/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch create mode 100644 queue-5.10/audit-send-netlink-ack-before-setting-connection-in-.patch create mode 100644 queue-5.10/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch create mode 100644 queue-5.10/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch create mode 100644 queue-5.10/block-rnbd-srv-check-for-unlikely-string-overflow.patch create mode 100644 queue-5.10/bluetooth-l2cap-fix-possible-multiple-reject-send.patch create mode 100644 queue-5.10/bluetooth-qca-set-both-wideband_speech-and-le_states.patch create mode 100644 queue-5.10/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch create mode 100644 queue-5.10/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch create mode 100644 queue-5.10/bpf-set-uattr-batch.count-as-zero-before-batched-upd.patch create mode 100644 queue-5.10/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch create mode 100644 queue-5.10/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch create mode 100644 queue-5.10/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch create mode 100644 queue-5.10/crypto-stm32-crc32-fix-parsing-list-of-devices.patch create mode 100644 queue-5.10/debugobjects-stop-accessing-objects-after-releasing-.patch create mode 100644 queue-5.10/drivers-perf-pmuv3-don-t-expose-sw_incr-event-in-sys.patch create mode 100644 queue-5.10/drm-amd-display-fix-tiled-display-misalignment.patch create mode 100644 queue-5.10/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch create mode 100644 queue-5.10/drm-amd-powerplay-fix-kzalloc-parameter-atom_tonga_p.patch create mode 100644 queue-5.10/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch create mode 100644 queue-5.10/drm-amdgpu-let-kfd-sync-with-vm-fences.patch create mode 100644 queue-5.10/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch create mode 100644 queue-5.10/drm-drm_file-fix-use-of-uninitialized-variable.patch create mode 100644 queue-5.10/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch create mode 100644 queue-5.10/drm-fix-color-lut-rounding.patch create mode 100644 queue-5.10/drm-framebuffer-fix-use-of-uninitialized-variable.patch create mode 100644 queue-5.10/drm-mipi-dsi-fix-detach-call-without-attach.patch create mode 100644 queue-5.10/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch create mode 100644 queue-5.10/drm-using-mul_u32_u32-requires-linux-math64.h.patch create mode 100644 queue-5.10/ecryptfs-reject-casefold-directory-inodes.patch create mode 100644 queue-5.10/ext4-avoid-online-resizing-failures-due-to-oversized.patch create mode 100644 queue-5.10/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch create mode 100644 queue-5.10/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch create mode 100644 queue-5.10/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch create mode 100644 queue-5.10/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch create mode 100644 queue-5.10/f2fs-fix-write-pointers-on-zoned-device-after-roll-f.patch create mode 100644 queue-5.10/fast_dput-handle-underflows-gracefully.patch create mode 100644 queue-5.10/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch create mode 100644 queue-5.10/fs-kernfs-dir-obey-s_isgid.patch create mode 100644 queue-5.10/hexagon-make-pfn-accessors-statics-inlines.patch create mode 100644 queue-5.10/hwmon-pc87360-bounds-check-data-innr-usage.patch create mode 100644 queue-5.10/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch create mode 100644 queue-5.10/i40e-fix-vf-disable-behavior-to-block-all-traffic.patch create mode 100644 queue-5.10/ib-ipoib-fix-mcast-list-locking.patch create mode 100644 queue-5.10/ionic-pass-opcode-to-devcmd_wait.patch create mode 100644 queue-5.10/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch create mode 100644 queue-5.10/jfs-fix-array-index-out-of-bounds-in-dinewext.patch create mode 100644 queue-5.10/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch create mode 100644 queue-5.10/jfs-fix-uaf-in-jfs_evict_inode.patch create mode 100644 queue-5.10/kvm-s390-fix-setting-of-fpc-register.patch create mode 100644 queue-5.10/leds-trigger-panic-don-t-register-panic-notifier-if-.patch create mode 100644 queue-5.10/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch create mode 100644 queue-5.10/libsubcmd-fix-memory-leak-in-uniq.patch create mode 100644 queue-5.10/md-whenassemble-the-array-consult-the-superblock-of-.patch create mode 100644 queue-5.10/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch create mode 100644 queue-5.10/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch create mode 100644 queue-5.10/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch create mode 100644 queue-5.10/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch create mode 100644 queue-5.10/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch create mode 100644 queue-5.10/net-dsa-mv88e6xxx-fix-mv88e6352_serdes_get_stats-err.patch create mode 100644 queue-5.10/net-mvmdio-avoid-excessive-sleeps-in-polled-mode.patch create mode 100644 queue-5.10/pci-add-intel_hda_arl-to-pci_ids.h.patch create mode 100644 queue-5.10/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch create mode 100644 queue-5.10/pci-aer-decode-requester-id-when-no-error-info-found.patch create mode 100644 queue-5.10/pci-only-override-amd-usb-controller-if-required.patch create mode 100644 queue-5.10/pci-switchtec-fix-stdev_release-crash-after-surprise.patch create mode 100644 queue-5.10/perf-core-fix-narrow-startup-race-when-creating-the-.patch create mode 100644 queue-5.10/perf-fix-the-nr_addr_filters-fix.patch create mode 100644 queue-5.10/pm-devfreq-synchronize-devfreq_monitor_-start-stop.patch create mode 100644 queue-5.10/pnp-acpi-fix-fortify-warning.patch create mode 100644 queue-5.10/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch create mode 100644 queue-5.10/powerpc-lib-validate-size-for-vector-operations.patch create mode 100644 queue-5.10/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch create mode 100644 queue-5.10/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch create mode 100644 queue-5.10/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch create mode 100644 queue-5.10/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch create mode 100644 queue-5.10/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch create mode 100644 queue-5.10/regulator-core-only-increment-use_count-when-enable_.patch create mode 100644 queue-5.10/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch create mode 100644 queue-5.10/s390-ptrace-handle-setting-of-fpc-register-correctly.patch create mode 100644 queue-5.10/scsi-arcmsr-support-new-pci-device-ids-1883-and-1886.patch create mode 100644 queue-5.10/scsi-libfc-don-t-schedule-abort-twice.patch create mode 100644 queue-5.10/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch create mode 100644 queue-5.10/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch create mode 100644 queue-5.10/selftests-bpf-fix-pyperf180-compilation-failure-with.patch create mode 100644 queue-5.10/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch create mode 100644 queue-5.10/sunrpc-fix-a-suspicious-rcu-usage-warning.patch create mode 100644 queue-5.10/tty-allow-tiocslcktrmios-with-cap_checkpoint_restore.patch create mode 100644 queue-5.10/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch create mode 100644 queue-5.10/um-don-t-use-vfprintf-for-os_info.patch create mode 100644 queue-5.10/um-fix-naming-clash-between-uml-and-scheduler.patch create mode 100644 queue-5.10/um-net-fix-return-type-of-uml_net_start_xmit.patch create mode 100644 queue-5.10/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch create mode 100644 queue-5.10/virtio_net-fix-d-directive-writing-between-1-and-11-.patch create mode 100644 queue-5.10/watchdog-it87_wdt-keep-wdtctrl-bit-3-unmodified-for-.patch create mode 100644 queue-5.10/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch create mode 100644 queue-5.10/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch create mode 100644 queue-5.10/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch create mode 100644 queue-5.10/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch create mode 100644 queue-5.10/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch create mode 100644 queue-5.10/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch create mode 100644 queue-5.10/x86-boot-ignore-nmis-during-very-early-boot.patch create mode 100644 queue-5.10/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch create mode 100644 queue-5.10/xen-gntdev-fix-the-abuse-of-underlying-struct-page-i.patch diff --git a/queue-5.10/acpi-apei-set-memory-failure-flags-as-mf_action_requ.patch b/queue-5.10/acpi-apei-set-memory-failure-flags-as-mf_action_requ.patch new file mode 100644 index 00000000000..1cc23894c94 --- /dev/null +++ b/queue-5.10/acpi-apei-set-memory-failure-flags-as-mf_action_requ.patch @@ -0,0 +1,144 @@ +From cac5d4f9d76ae7e87db6bf9986af7cdc8982ae73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 14:45:18 +0800 +Subject: ACPI: APEI: set memory failure flags as MF_ACTION_REQUIRED on + synchronous events + +From: Shuai Xue + +[ Upstream commit a70297d2213253853e95f5b49651f924990c6d3b ] + +There are two major types of uncorrected recoverable (UCR) errors : + + - Synchronous error: The error is detected and raised at the point of + the consumption in the execution flow, e.g. when a CPU tries to + access a poisoned cache line. The CPU will take a synchronous error + exception such as Synchronous External Abort (SEA) on Arm64 and + Machine Check Exception (MCE) on X86. OS requires to take action (for + example, offline failure page/kill failure thread) to recover this + uncorrectable error. + + - Asynchronous error: The error is detected out of processor execution + context, e.g. when an error is detected by a background scrubber. + Some data in the memory are corrupted. But the data have not been + consumed. OS is optional to take action to recover this uncorrectable + error. + +When APEI firmware first is enabled, a platform may describe one error +source for the handling of synchronous errors (e.g. MCE or SEA notification +), or for handling asynchronous errors (e.g. SCI or External Interrupt +notification). In other words, we can distinguish synchronous errors by +APEI notification. For synchronous errors, kernel will kill the current +process which accessing the poisoned page by sending SIGBUS with +BUS_MCEERR_AR. In addition, for asynchronous errors, kernel will notify the +process who owns the poisoned page by sending SIGBUS with BUS_MCEERR_AO in +early kill mode. However, the GHES driver always sets mf_flags to 0 so that +all synchronous errors are handled as asynchronous errors in memory failure. + +To this end, set memory failure flags as MF_ACTION_REQUIRED on synchronous +events. + +Signed-off-by: Shuai Xue +Tested-by: Ma Wupeng +Reviewed-by: Kefeng Wang +Reviewed-by: Xiaofei Tan +Reviewed-by: Baolin Wang +Reviewed-by: James Morse +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 8678e162181f..160606af8b4f 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -99,6 +99,20 @@ static inline bool is_hest_type_generic_v2(struct ghes *ghes) + return ghes->generic->header.type == ACPI_HEST_TYPE_GENERIC_ERROR_V2; + } + ++/* ++ * A platform may describe one error source for the handling of synchronous ++ * errors (e.g. MCE or SEA), or for handling asynchronous errors (e.g. SCI ++ * or External Interrupt). On x86, the HEST notifications are always ++ * asynchronous, so only SEA on ARM is delivered as a synchronous ++ * notification. ++ */ ++static inline bool is_hest_sync_notify(struct ghes *ghes) ++{ ++ u8 notify_type = ghes->generic->notify.type; ++ ++ return notify_type == ACPI_HEST_NOTIFY_SEA; ++} ++ + /* + * This driver isn't really modular, however for the time being, + * continuing to use module_param is the easiest way to remain +@@ -461,7 +475,7 @@ static bool ghes_do_memory_failure(u64 physical_addr, int flags) + } + + static bool ghes_handle_memory_failure(struct acpi_hest_generic_data *gdata, +- int sev) ++ int sev, bool sync) + { + int flags = -1; + int sec_sev = ghes_severity(gdata->error_severity); +@@ -475,7 +489,7 @@ static bool ghes_handle_memory_failure(struct acpi_hest_generic_data *gdata, + (gdata->flags & CPER_SEC_ERROR_THRESHOLD_EXCEEDED)) + flags = MF_SOFT_OFFLINE; + if (sev == GHES_SEV_RECOVERABLE && sec_sev == GHES_SEV_RECOVERABLE) +- flags = 0; ++ flags = sync ? MF_ACTION_REQUIRED : 0; + + if (flags != -1) + return ghes_do_memory_failure(mem_err->physical_addr, flags); +@@ -483,9 +497,11 @@ static bool ghes_handle_memory_failure(struct acpi_hest_generic_data *gdata, + return false; + } + +-static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, int sev) ++static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, ++ int sev, bool sync) + { + struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); ++ int flags = sync ? MF_ACTION_REQUIRED : 0; + bool queued = false; + int sec_sev, i; + char *p; +@@ -510,7 +526,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata, int s + * and don't filter out 'corrected' error here. + */ + if (is_cache && has_pa) { +- queued = ghes_do_memory_failure(err_info->physical_fault_addr, 0); ++ queued = ghes_do_memory_failure(err_info->physical_fault_addr, flags); + p += err_info->length; + continue; + } +@@ -631,6 +647,7 @@ static bool ghes_do_proc(struct ghes *ghes, + const guid_t *fru_id = &guid_null; + char *fru_text = ""; + bool queued = false; ++ bool sync = is_hest_sync_notify(ghes); + + sev = ghes_severity(estatus->error_severity); + apei_estatus_for_each_section(estatus, gdata) { +@@ -648,13 +665,13 @@ static bool ghes_do_proc(struct ghes *ghes, + ghes_edac_report_mem_error(sev, mem_err); + + arch_apei_report_mem_error(sev, mem_err); +- queued = ghes_handle_memory_failure(gdata, sev); ++ queued = ghes_handle_memory_failure(gdata, sev, sync); + } + else if (guid_equal(sec_type, &CPER_SEC_PCIE)) { + ghes_handle_aer(gdata); + } + else if (guid_equal(sec_type, &CPER_SEC_PROC_ARM)) { +- queued = ghes_handle_arm_hw_error(gdata, sev); ++ queued = ghes_handle_arm_hw_error(gdata, sev, sync); + } else { + void *err = acpi_hest_get_payload(gdata); + +-- +2.43.0 + diff --git a/queue-5.10/acpi-extlog-fix-null-pointer-dereference-check.patch b/queue-5.10/acpi-extlog-fix-null-pointer-dereference-check.patch new file mode 100644 index 00000000000..fb01c622c0d --- /dev/null +++ b/queue-5.10/acpi-extlog-fix-null-pointer-dereference-check.patch @@ -0,0 +1,59 @@ +From 0adb883f933c9c8a1de2ed224a996c9a13af4de3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 13:00:37 -0500 +Subject: ACPI: extlog: fix NULL pointer dereference check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prarit Bhargava + +[ Upstream commit 72d9b9747e78979510e9aafdd32eb99c7aa30dd1 ] + +The gcc plugin -fanalyzer [1] tries to detect various +patterns of incorrect behaviour. The tool reports: + +drivers/acpi/acpi_extlog.c: In function ‘extlog_exit’: +drivers/acpi/acpi_extlog.c:307:12: warning: check of ‘extlog_l1_addr’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check] + | + | 306 | ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN; + | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ + | | | + | | (1) pointer ‘extlog_l1_addr’ is dereferenced here + | 307 | if (extlog_l1_addr) + | | ~ + | | | + | | (2) pointer ‘extlog_l1_addr’ is checked for NULL here but it was already dereferenced at (1) + | + +Fix the NULL pointer dereference check in extlog_exit(). + +Link: https://gcc.gnu.org/onlinedocs/gcc-10.1.0/gcc/Static-Analyzer-Options.html # [1] + +Signed-off-by: Prarit Bhargava +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_extlog.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c +index 088db2356998..0a84d5afd37c 100644 +--- a/drivers/acpi/acpi_extlog.c ++++ b/drivers/acpi/acpi_extlog.c +@@ -308,9 +308,10 @@ static int __init extlog_init(void) + static void __exit extlog_exit(void) + { + mce_unregister_decode_chain(&extlog_mce_dec); +- ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN; +- if (extlog_l1_addr) ++ if (extlog_l1_addr) { ++ ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN; + acpi_os_unmap_iomem(extlog_l1_addr, l1_size); ++ } + if (elog_addr) + acpi_os_unmap_iomem(elog_addr, elog_size); + release_mem_region(elog_base, elog_size); +-- +2.43.0 + diff --git a/queue-5.10/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch b/queue-5.10/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch new file mode 100644 index 00000000000..a4679a16ad6 --- /dev/null +++ b/queue-5.10/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch @@ -0,0 +1,51 @@ +From 9af7f41afbc0b12d5ba0cc9f9c111c51d8a6aa11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Nov 2023 21:59:13 +0800 +Subject: ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop + +From: Yuluo Qiu + +[ Upstream commit 143176a46bdd3bfbe9ba2462bf94458e80d65ebf ] + +The Colorful X15 AT 23 ACPI video-bus device report spurious +ACPI_VIDEO_NOTIFY_CYCLE events resulting in spurious KEY_SWITCHVIDEOMODE +events being reported to userspace (and causing trouble there) when +an external screen plugged in. + +Add a quirk setting the report_key_events mask to +REPORT_BRIGHTNESS_KEY_EVENTS so that the ACPI_VIDEO_NOTIFY_CYCLE +events will be ignored, while still reporting brightness up/down +hotkey-presses to userspace normally. + +Signed-off-by: Yuluo Qiu +Co-developed-by: Celeste Liu +Signed-off-by: Celeste Liu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index 9d384656323a..b2364ac455f3 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -568,6 +568,15 @@ static const struct dmi_system_id video_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 3350"), + }, + }, ++ { ++ .callback = video_set_report_key_events, ++ .driver_data = (void *)((uintptr_t)REPORT_BRIGHTNESS_KEY_EVENTS), ++ .ident = "COLORFUL X15 AT 23", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "COLORFUL"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X15 AT 23"), ++ }, ++ }, + /* + * Some machines change the brightness themselves when a brightness + * hotkey gets pressed, despite us telling them not to. In this case +-- +2.43.0 + diff --git a/queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch b/queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch new file mode 100644 index 00000000000..00805d85cdb --- /dev/null +++ b/queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch @@ -0,0 +1,89 @@ +From 7aa888276ec9fae49edd3ba038716d4fac48108b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 12:56:14 +0100 +Subject: afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() + +From: Oleg Nesterov + +[ Upstream commit 1702e0654ca9a7bcd7c7619c8a5004db58945b71 ] + +David Howells says: + + (5) afs_find_server(). + + There could be a lot of servers in the list and each server can have + multiple addresses, so I think this would be better with an exclusive + second pass. + + The server list isn't likely to change all that often, but when it does + change, there's a good chance several servers are going to be + added/removed one after the other. Further, this is only going to be + used for incoming cache management/callback requests from the server, + which hopefully aren't going to happen too often - but it is remotely + drivable. + + (6) afs_find_server_by_uuid(). + + Similarly to (5), there could be a lot of servers to search through, but + they are in a tree not a flat list, so it should be faster to process. + Again, it's not likely to change that often and, again, when it does + change it's likely to involve multiple changes. This can be driven + remotely by an incoming cache management request but is mostly going to + be driven by setting up or reconfiguring a volume's server list - + something that also isn't likely to happen often. + +Make the "seq" counter odd on the 2nd pass, otherwise read_seqbegin_or_lock() +never takes the lock. + +Signed-off-by: Oleg Nesterov +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20231130115614.GA21581@redhat.com/ +Signed-off-by: Sasha Levin +--- + fs/afs/server.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/afs/server.c b/fs/afs/server.c +index 684a2b02b9ff..733e3c470f7e 100644 +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -27,7 +27,7 @@ struct afs_server *afs_find_server(struct afs_net *net, + const struct afs_addr_list *alist; + struct afs_server *server = NULL; + unsigned int i; +- int seq = 0, diff; ++ int seq = 1, diff; + + rcu_read_lock(); + +@@ -35,6 +35,7 @@ struct afs_server *afs_find_server(struct afs_net *net, + if (server) + afs_unuse_server_notime(net, server, afs_server_trace_put_find_rsq); + server = NULL; ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ + read_seqbegin_or_lock(&net->fs_addr_lock, &seq); + + if (srx->transport.family == AF_INET6) { +@@ -90,7 +91,7 @@ struct afs_server *afs_find_server_by_uuid(struct afs_net *net, const uuid_t *uu + { + struct afs_server *server = NULL; + struct rb_node *p; +- int diff, seq = 0; ++ int diff, seq = 1; + + _enter("%pU", uuid); + +@@ -102,7 +103,7 @@ struct afs_server *afs_find_server_by_uuid(struct afs_net *net, const uuid_t *uu + if (server) + afs_unuse_server(net, server, afs_server_trace_put_uuid_rsq); + server = NULL; +- ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ + read_seqbegin_or_lock(&net->fs_lock, &seq); + + p = net->fs_servers.rb_node; +-- +2.43.0 + diff --git a/queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_lo.patch b/queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_lo.patch new file mode 100644 index 00000000000..a6d395f73ee --- /dev/null +++ b/queue-5.10/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_lo.patch @@ -0,0 +1,54 @@ +From fc9d6bc94447ff10105f84dfc16fe24919f9da52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 12:56:06 +0100 +Subject: afs: fix the usage of read_seqbegin_or_lock() in + afs_lookup_volume_rcu() + +From: Oleg Nesterov + +[ Upstream commit 4121b4337146b64560d1e46ebec77196d9287802 ] + +David Howells says: + + (2) afs_lookup_volume_rcu(). + + There can be a lot of volumes known by a system. A thousand would + require a 10-step walk and this is drivable by remote operation, so I + think this should probably take a lock on the second pass too. + +Make the "seq" counter odd on the 2nd pass, otherwise read_seqbegin_or_lock() +never takes the lock. + +Signed-off-by: Oleg Nesterov +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20231130115606.GA21571@redhat.com/ +Signed-off-by: Sasha Levin +--- + fs/afs/callback.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/callback.c b/fs/afs/callback.c +index 7d9b23d981bf..229308c7f744 100644 +--- a/fs/afs/callback.c ++++ b/fs/afs/callback.c +@@ -70,13 +70,14 @@ static struct afs_volume *afs_lookup_volume_rcu(struct afs_cell *cell, + { + struct afs_volume *volume = NULL; + struct rb_node *p; +- int seq = 0; ++ int seq = 1; + + do { + /* Unfortunately, rbtree walking doesn't give reliable results + * under just the RCU read lock, so we have to check for + * changes. + */ ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ + read_seqbegin_or_lock(&cell->volume_lock, &seq); + + p = rcu_dereference_raw(cell->volumes.rb_node); +-- +2.43.0 + diff --git a/queue-5.10/alsa-hda-intel-add-hda_arl-pci-id-support.patch b/queue-5.10/alsa-hda-intel-add-hda_arl-pci-id-support.patch new file mode 100644 index 00000000000..f4d680fa912 --- /dev/null +++ b/queue-5.10/alsa-hda-intel-add-hda_arl-pci-id-support.patch @@ -0,0 +1,41 @@ +From 08cd3a59c4e9c2b76aa21873bdc26efe0303a189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 15:27:07 -0600 +Subject: ALSA: hda: Intel: add HDA_ARL PCI ID support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit a31014ebad617868c246d3985ff80d891f03711e ] + +Yet another PCI ID. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Kai Vehmanen +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20231204212710.185976-3-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 12c6eb76fca3..a3c6a5eeba3a 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2581,6 +2581,8 @@ static const struct pci_device_id azx_ids[] = { + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, + { PCI_DEVICE(0x8086, 0x4b58), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, ++ /* Arrow Lake */ ++ { PCI_DEVICE_DATA(INTEL, HDA_ARL, AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE) }, + /* Broxton-P(Apollolake) */ + { PCI_DEVICE(0x8086, 0x5a98), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON }, +-- +2.43.0 + diff --git a/queue-5.10/alsa-hda-intel-dspcfg-add-filters-for-arl-s-and-arl.patch b/queue-5.10/alsa-hda-intel-dspcfg-add-filters-for-arl-s-and-arl.patch new file mode 100644 index 00000000000..35f8b965a7d --- /dev/null +++ b/queue-5.10/alsa-hda-intel-dspcfg-add-filters-for-arl-s-and-arl.patch @@ -0,0 +1,49 @@ +From e449ce0f8c184374d076df9dc81effff0fc13664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 15:27:08 -0600 +Subject: ALSA: hda: intel-dspcfg: add filters for ARL-S and ARL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 7a9d6bbe8a663c817080be55d9fecf19a4a8fd8f ] + +Same usual filters, SOF is required for DMIC and/or SoundWire support. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Kai Vehmanen +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20231204212710.185976-4-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-dsp-config.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c +index 48c78388c1d2..ea0a2b1d23a3 100644 +--- a/sound/hda/intel-dsp-config.c ++++ b/sound/hda/intel-dsp-config.c +@@ -372,6 +372,16 @@ static const struct config_entry config_table[] = { + .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE, + .device = 0x7e28, + }, ++ /* ArrowLake-S */ ++ { ++ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE, ++ .device = PCI_DEVICE_ID_INTEL_HDA_ARL_S, ++ }, ++ /* ArrowLake */ ++ { ++ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE, ++ .device = PCI_DEVICE_ID_INTEL_HDA_ARL, ++ }, + #endif + + /* Lunar Lake */ +-- +2.43.0 + diff --git a/queue-5.10/alsa-hda-refer-to-correct-stream-index-at-loops.patch b/queue-5.10/alsa-hda-refer-to-correct-stream-index-at-loops.patch new file mode 100644 index 00000000000..906d81d26f4 --- /dev/null +++ b/queue-5.10/alsa-hda-refer-to-correct-stream-index-at-loops.patch @@ -0,0 +1,70 @@ +From e98520902edb934e308a0dcd0abe8bd9020868c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 16:41:25 +0100 +Subject: ALSA: hda: Refer to correct stream index at loops + +From: Takashi Iwai + +[ Upstream commit 26257869672fd4a06a60c2da841e15fb2cb47bbe ] + +In a couple of loops over the all streams, we check the bitmap against +the loop counter. A more correct reference would be, however, the +index of each stream, instead. + +This patch corrects the check of bitmaps to the stream index. + +Note that this change doesn't fix anything for now; all existing +drivers set up the stream indices properly, hence the loop count is +always equal with the stream index. That said, this change is only +for consistency. + +Link: https://lore.kernel.org/r/20231121154125.4888-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/hdac_stream.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c +index 5570722458ca..e510bf09967d 100644 +--- a/sound/hda/hdac_stream.c ++++ b/sound/hda/hdac_stream.c +@@ -605,17 +605,15 @@ void snd_hdac_stream_timecounter_init(struct hdac_stream *azx_dev, + struct hdac_stream *s; + bool inited = false; + u64 cycle_last = 0; +- int i = 0; + + list_for_each_entry(s, &bus->stream_list, list) { +- if (streams & (1 << i)) { ++ if ((streams & (1 << s->index))) { + azx_timecounter_init(s, inited, cycle_last); + if (!inited) { + inited = true; + cycle_last = s->tc.cycle_last; + } + } +- i++; + } + + snd_pcm_gettime(runtime, &runtime->trigger_tstamp); +@@ -660,14 +658,13 @@ void snd_hdac_stream_sync(struct hdac_stream *azx_dev, bool start, + unsigned int streams) + { + struct hdac_bus *bus = azx_dev->bus; +- int i, nwait, timeout; ++ int nwait, timeout; + struct hdac_stream *s; + + for (timeout = 5000; timeout; timeout--) { + nwait = 0; +- i = 0; + list_for_each_entry(s, &bus->stream_list, list) { +- if (!(streams & (1 << i++))) ++ if (!(streams & (1 << s->index))) + continue; + + if (start) { +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx-use-flash-0-0-pattern.patch b/queue-5.10/arm-dts-imx-use-flash-0-0-pattern.patch new file mode 100644 index 00000000000..26d9d99a023 --- /dev/null +++ b/queue-5.10/arm-dts-imx-use-flash-0-0-pattern.patch @@ -0,0 +1,81 @@ +From 4cfff7f5b72012c14cc18d77f9ac27739a5563bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:36:05 -0300 +Subject: ARM: dts: imx: Use flash@0,0 pattern + +From: Fabio Estevam + +[ Upstream commit 1e1d7cc478fb16816de09740e3c323c0c188d58f ] + +Per mtd-physmap.yaml, 'nor@0,0' is not a valid node pattern. + +Change it to 'flash@0,0' to fix the following dt-schema warning: + +imx1-ads.dtb: nor@0,0: $nodename:0: 'nor@0,0' does not match '^(flash|.*sram|nand)(@.*)?$' + from schema $id: http://devicetree.org/schemas/mtd/mtd-physmap.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx1-ads.dts | 2 +- + arch/arm/boot/dts/imx1-apf9328.dts | 2 +- + arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi | 2 +- + arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx1-ads.dts b/arch/arm/boot/dts/imx1-ads.dts +index 5833fb6f15d8..2c817c4a4c68 100644 +--- a/arch/arm/boot/dts/imx1-ads.dts ++++ b/arch/arm/boot/dts/imx1-ads.dts +@@ -65,7 +65,7 @@ + pinctrl-0 = <&pinctrl_weim>; + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + compatible = "cfi-flash"; + reg = <0 0x00000000 0x02000000>; + bank-width = <4>; +diff --git a/arch/arm/boot/dts/imx1-apf9328.dts b/arch/arm/boot/dts/imx1-apf9328.dts +index 77b21aa7a146..27e72b07b517 100644 +--- a/arch/arm/boot/dts/imx1-apf9328.dts ++++ b/arch/arm/boot/dts/imx1-apf9328.dts +@@ -45,7 +45,7 @@ + pinctrl-0 = <&pinctrl_weim>; + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + compatible = "cfi-flash"; + reg = <0 0x00000000 0x02000000>; + bank-width = <2>; +diff --git a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +index 4b83e2918b55..c7e923584878 100644 +--- a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi ++++ b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +@@ -90,7 +90,7 @@ + &weim { + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + #address-cells = <1>; + #size-cells = <1>; + compatible = "cfi-flash"; +diff --git a/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi b/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi +index 3d10273177e9..a5fdc2fd4ce5 100644 +--- a/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi ++++ b/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi +@@ -322,7 +322,7 @@ + &weim { + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + compatible = "cfi-flash"; + reg = <0 0x00000000 0x02000000>; + bank-width = <2>; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx1-fix-sram-node.patch b/queue-5.10/arm-dts-imx1-fix-sram-node.patch new file mode 100644 index 00000000000..32fd28202f1 --- /dev/null +++ b/queue-5.10/arm-dts-imx1-fix-sram-node.patch @@ -0,0 +1,53 @@ +From 838d9c9f24f540ffa670c7c053a22256b2ec2c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:39:21 -0300 +Subject: ARM: dts: imx1: Fix sram node + +From: Fabio Estevam + +[ Upstream commit c248e535973088ba7071ff6f26ab7951143450af ] + +Per sram.yaml, address-cells, size-cells and ranges are mandatory. + +The node name should be sram. + +Change the node name and pass the required properties to fix the +following dt-schema warnings: + +imx1-apf9328.dtb: esram@300000: $nodename:0: 'esram@300000' does not match '^sram(@.*)?' + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# +imx1-apf9328.dtb: esram@300000: '#address-cells' is a required property + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# +imx1-apf9328.dtb: esram@300000: '#size-cells' is a required property + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# +imx1-apf9328.dtb: esram@300000: 'ranges' is a required property + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx1.dtsi | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx1.dtsi b/arch/arm/boot/dts/imx1.dtsi +index 9b940987864c..8d6e900a9081 100644 +--- a/arch/arm/boot/dts/imx1.dtsi ++++ b/arch/arm/boot/dts/imx1.dtsi +@@ -268,9 +268,12 @@ + status = "disabled"; + }; + +- esram: esram@300000 { ++ esram: sram@300000 { + compatible = "mmio-sram"; + reg = <0x00300000 0x20000>; ++ ranges = <0 0x00300000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch b/queue-5.10/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch new file mode 100644 index 00000000000..1a8734044a6 --- /dev/null +++ b/queue-5.10/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch @@ -0,0 +1,53 @@ +From bb321cd65794677fd61d0b09a0d69e6cb35881cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 07:26:31 -0300 +Subject: ARM: dts: imx23/28: Fix the DMA controller node name + +From: Fabio Estevam + +[ Upstream commit 858d83ca4b50bbc8693d95cc94310e6d791fb2e6 ] + +Per fsl,mxs-dma.yaml, the node name should be 'dma-controller'. + +Change it to fix the following dt-schema warning. + +imx28-apf28.dtb: dma-apbx@80024000: $nodename:0: 'dma-apbx@80024000' does not match '^dma-controller(@.*)?$' + from schema $id: http://devicetree.org/schemas/dma/fsl,mxs-dma.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx23.dtsi | 2 +- + arch/arm/boot/dts/imx28.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx23.dtsi b/arch/arm/boot/dts/imx23.dtsi +index ce3d6360a7ef..b236d23f8071 100644 +--- a/arch/arm/boot/dts/imx23.dtsi ++++ b/arch/arm/boot/dts/imx23.dtsi +@@ -414,7 +414,7 @@ + status = "disabled"; + }; + +- dma_apbx: dma-apbx@80024000 { ++ dma_apbx: dma-controller@80024000 { + compatible = "fsl,imx23-dma-apbx"; + reg = <0x80024000 0x2000>; + interrupts = <7 5 9 26 +diff --git a/arch/arm/boot/dts/imx28.dtsi b/arch/arm/boot/dts/imx28.dtsi +index 6cab8b66db80..23ef4a322995 100644 +--- a/arch/arm/boot/dts/imx28.dtsi ++++ b/arch/arm/boot/dts/imx28.dtsi +@@ -982,7 +982,7 @@ + status = "disabled"; + }; + +- dma_apbx: dma-apbx@80024000 { ++ dma_apbx: dma-controller@80024000 { + compatible = "fsl,imx28-dma-apbx"; + reg = <0x80024000 0x2000>; + interrupts = <78 79 66 0 +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch b/queue-5.10/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch new file mode 100644 index 00000000000..5b133fea5a3 --- /dev/null +++ b/queue-5.10/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch @@ -0,0 +1,61 @@ +From 8e58e1cbcecbcee4c6ea51691bb79dc352261727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 07:12:12 -0300 +Subject: ARM: dts: imx23-sansa: Use preferred i2c-gpios properties + +From: Fabio Estevam + +[ Upstream commit e3aa1a82fb20ee97597022f6528823a8ab82bde6 ] + +The 'gpios' property to describe the SDA and SCL GPIOs is considered +deprecated according to i2c-gpio.yaml. + +Switch to the preferred 'sda-gpios' and 'scl-gpios' properties. + +This fixes the following schema warnings: + +imx23-sansa.dtb: i2c-0: 'sda-gpios' is a required property + from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml# +imx23-sansa.dtb: i2c-0: 'scl-gpios' is a required property + from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx23-sansa.dts | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/imx23-sansa.dts b/arch/arm/boot/dts/imx23-sansa.dts +index 46057d9bf555..c2efcc20ae80 100644 +--- a/arch/arm/boot/dts/imx23-sansa.dts ++++ b/arch/arm/boot/dts/imx23-sansa.dts +@@ -175,10 +175,8 @@ + #address-cells = <1>; + #size-cells = <0>; + compatible = "i2c-gpio"; +- gpios = < +- &gpio1 24 0 /* SDA */ +- &gpio1 22 0 /* SCL */ +- >; ++ sda-gpios = <&gpio1 24 0>; ++ scl-gpios = <&gpio1 22 0>; + i2c-gpio,delay-us = <2>; /* ~100 kHz */ + }; + +@@ -186,10 +184,8 @@ + #address-cells = <1>; + #size-cells = <0>; + compatible = "i2c-gpio"; +- gpios = < +- &gpio0 31 0 /* SDA */ +- &gpio0 30 0 /* SCL */ +- >; ++ sda-gpios = <&gpio0 31 0>; ++ scl-gpios = <&gpio0 30 0>; + i2c-gpio,delay-us = <2>; /* ~100 kHz */ + + touch: touch@20 { +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch b/queue-5.10/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch new file mode 100644 index 00000000000..04677cdb3a3 --- /dev/null +++ b/queue-5.10/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch @@ -0,0 +1,52 @@ +From 2585f444dfb8feee6914069af3a1e7c7cafdb916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 08:58:26 -0300 +Subject: ARM: dts: imx25/27-eukrea: Fix RTC node name + +From: Fabio Estevam + +[ Upstream commit 68c711b882c262e36895547cddea2c2d56ce611d ] + +Node names should be generic. Use 'rtc' as node name to fix +the following dt-schema warning: + +imx25-eukrea-mbimxsd25-baseboard.dtb: pcf8563@51: $nodename:0: 'pcf8563@51' does not match '^rtc(@.*|-([0-9]|[1-9][0-9]+))?$' + from schema $id: http://devicetree.org/schemas/rtc/nxp,pcf8563.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi | 2 +- + arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi b/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi +index 0703f62d10d1..93a6e4e680b4 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi ++++ b/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi +@@ -27,7 +27,7 @@ + pinctrl-0 = <&pinctrl_i2c1>; + status = "okay"; + +- pcf8563@51 { ++ rtc@51 { + compatible = "nxp,pcf8563"; + reg = <0x51>; + }; +diff --git a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +index 74110bbcd9d4..4b83e2918b55 100644 +--- a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi ++++ b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +@@ -33,7 +33,7 @@ + pinctrl-0 = <&pinctrl_i2c1>; + status = "okay"; + +- pcf8563@51 { ++ rtc@51 { + compatible = "nxp,pcf8563"; + reg = <0x51>; + }; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx25-27-pass-timing0.patch b/queue-5.10/arm-dts-imx25-27-pass-timing0.patch new file mode 100644 index 00000000000..26a672e9ae8 --- /dev/null +++ b/queue-5.10/arm-dts-imx25-27-pass-timing0.patch @@ -0,0 +1,138 @@ +From 4e43727da99c3cf4a381fbf0ccfae3339d266c2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 17:14:05 -0300 +Subject: ARM: dts: imx25/27: Pass timing0 + +From: Fabio Estevam + +[ Upstream commit 11ab7ad6f795ae23c398a4a5c56505d3dab27c4c ] + +Per display-timings.yaml, the 'timing' pattern should be used to +describe the display timings. + +Change it accordingly to fix the following dt-schema warning: + +imx27-apf27dev.dtb: display-timings: '800x480' does not match any of the regexes: '^timing', 'pinctrl-[0-9]+' + from schema $id: http://devicetree.org/schemas/display/panel/display-timings.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts | 2 +- + arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts | 2 +- + arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts | 2 +- + arch/arm/boot/dts/imx25-pdk.dts | 2 +- + arch/arm/boot/dts/imx27-apf27dev.dts | 2 +- + arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +- + arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 2 +- + arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts +index 7d4301b22b90..1ed3fb7b9ce6 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts ++++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts +@@ -16,7 +16,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&qvga_timings>; +- qvga_timings: 320x240 { ++ qvga_timings: timing0 { + clock-frequency = <6500000>; + hactive = <320>; + vactive = <240>; +diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts +index 80a7f96de4c6..64b2ffac463b 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts ++++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts +@@ -16,7 +16,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&dvi_svga_timings>; +- dvi_svga_timings: 800x600 { ++ dvi_svga_timings: timing0 { + clock-frequency = <40000000>; + hactive = <800>; + vactive = <600>; +diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts +index 24027a1fb46d..fb074bfdaa8d 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts ++++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts +@@ -16,7 +16,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&dvi_vga_timings>; +- dvi_vga_timings: 640x480 { ++ dvi_vga_timings: timing0 { + clock-frequency = <31250000>; + hactive = <640>; + vactive = <480>; +diff --git a/arch/arm/boot/dts/imx25-pdk.dts b/arch/arm/boot/dts/imx25-pdk.dts +index fb66884d8a2f..59b40d13a640 100644 +--- a/arch/arm/boot/dts/imx25-pdk.dts ++++ b/arch/arm/boot/dts/imx25-pdk.dts +@@ -78,7 +78,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&wvga_timings>; +- wvga_timings: 640x480 { ++ wvga_timings: timing0 { + hactive = <640>; + vactive = <480>; + hback-porch = <45>; +diff --git a/arch/arm/boot/dts/imx27-apf27dev.dts b/arch/arm/boot/dts/imx27-apf27dev.dts +index 6f1e8ce9e76e..68fcb5ce9a9e 100644 +--- a/arch/arm/boot/dts/imx27-apf27dev.dts ++++ b/arch/arm/boot/dts/imx27-apf27dev.dts +@@ -16,7 +16,7 @@ + fsl,pcr = <0xfae80083>; /* non-standard but required */ + display-timings { + native-mode = <&timing0>; +- timing0: 800x480 { ++ timing0: timing0 { + clock-frequency = <33000033>; + hactive = <800>; + vactive = <480>; +diff --git a/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts b/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts +index 9c3ec82ec7e5..50fa0bd4c8a1 100644 +--- a/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts ++++ b/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts +@@ -16,7 +16,7 @@ + + display-timings { + native-mode = <&timing0>; +- timing0: 320x240 { ++ timing0: timing0 { + clock-frequency = <6500000>; + hactive = <320>; + vactive = <240>; +diff --git a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts +index 188639738dc3..7f36af150a25 100644 +--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts ++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts +@@ -19,7 +19,7 @@ + fsl,pcr = <0xf0c88080>; /* non-standard but required */ + display-timings { + native-mode = <&timing0>; +- timing0: 640x480 { ++ timing0: timing0 { + hactive = <640>; + vactive = <480>; + hback-porch = <112>; +diff --git a/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts b/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts +index 344e77790152..d133b9f08b3a 100644 +--- a/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts ++++ b/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts +@@ -19,7 +19,7 @@ + + display-timings { + native-mode = <&timing0>; +- timing0: 240x320 { ++ timing0: timing0 { + clock-frequency = <5500000>; + hactive = <240>; + vactive = <320>; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx25-fix-the-iim-compatible-string.patch b/queue-5.10/arm-dts-imx25-fix-the-iim-compatible-string.patch new file mode 100644 index 00000000000..b026d35ca20 --- /dev/null +++ b/queue-5.10/arm-dts-imx25-fix-the-iim-compatible-string.patch @@ -0,0 +1,40 @@ +From 7c8ae83419696953f3823f23ef0a3f0e34b113a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 17:00:33 -0300 +Subject: ARM: dts: imx25: Fix the iim compatible string + +From: Fabio Estevam + +[ Upstream commit f0b929f58719fc57a4926ab4fc972f185453d6a5 ] + +Per imx-iim.yaml, the compatible string should only contain a single +entry. + +Use it as "fsl,imx25-iim" to fix the following dt-schema warning: + +imx25-karo-tx25.dtb: efuse@53ff0000: compatible: ['fsl,imx25-iim', 'fsl,imx27-iim'] is too long + from schema $id: http://devicetree.org/schemas/nvmem/imx-iim.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx25.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx25.dtsi b/arch/arm/boot/dts/imx25.dtsi +index d24b1da18766..99886ba36724 100644 +--- a/arch/arm/boot/dts/imx25.dtsi ++++ b/arch/arm/boot/dts/imx25.dtsi +@@ -543,7 +543,7 @@ + }; + + iim: efuse@53ff0000 { +- compatible = "fsl,imx25-iim", "fsl,imx27-iim"; ++ compatible = "fsl,imx25-iim"; + reg = <0x53ff0000 0x4000>; + interrupts = <19>; + clocks = <&clks 99>; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx27-apf27dev-fix-led-name.patch b/queue-5.10/arm-dts-imx27-apf27dev-fix-led-name.patch new file mode 100644 index 00000000000..6c8d64bf80f --- /dev/null +++ b/queue-5.10/arm-dts-imx27-apf27dev-fix-led-name.patch @@ -0,0 +1,39 @@ +From 5fa03ca959fc3059857edbeb9d7a9d4a5eb80a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 17:19:05 -0300 +Subject: ARM: dts: imx27-apf27dev: Fix LED name + +From: Fabio Estevam + +[ Upstream commit dc35e253d032b959d92e12f081db5b00db26ae64 ] + +Per leds-gpio.yaml, the led names should start with 'led'. + +Change it to fix the following dt-schema warning: + +imx27-apf27dev.dtb: leds: 'user' does not match any of the regexes: '(^led-[0-9a-f]$|led)', 'pinctrl-[0-9]+' + from schema $id: http://devicetree.org/schemas/leds/leds-gpio.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx27-apf27dev.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx27-apf27dev.dts b/arch/arm/boot/dts/imx27-apf27dev.dts +index 68fcb5ce9a9e..3d9bb7fc3be2 100644 +--- a/arch/arm/boot/dts/imx27-apf27dev.dts ++++ b/arch/arm/boot/dts/imx27-apf27dev.dts +@@ -47,7 +47,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_gpio_leds>; + +- user { ++ led-user { + label = "Heartbeat"; + gpios = <&gpio6 14 GPIO_ACTIVE_HIGH>; + linux,default-trigger = "heartbeat"; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx27-fix-sram-node.patch b/queue-5.10/arm-dts-imx27-fix-sram-node.patch new file mode 100644 index 00000000000..c91577cb12e --- /dev/null +++ b/queue-5.10/arm-dts-imx27-fix-sram-node.patch @@ -0,0 +1,37 @@ +From 64bc6b30146abbbd8bf6939619e0fb36b9085601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:39:20 -0300 +Subject: ARM: dts: imx27: Fix sram node + +From: Fabio Estevam + +[ Upstream commit 2fb7b2a2f06bb3f8321cf26c33e4e820c5b238b6 ] + +Per sram.yaml, address-cells, size-cells and ranges are mandatory. + +Pass them to fix the following dt-schema warnings: + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx27.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/imx27.dtsi b/arch/arm/boot/dts/imx27.dtsi +index 7bc132737a37..8ae24c865521 100644 +--- a/arch/arm/boot/dts/imx27.dtsi ++++ b/arch/arm/boot/dts/imx27.dtsi +@@ -588,6 +588,9 @@ + iram: sram@ffff4c00 { + compatible = "mmio-sram"; + reg = <0xffff4c00 0xb400>; ++ ranges = <0 0xffff4c00 0xb400>; ++ #address-cells = <1>; ++ #size-cells = <1>; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx7d-fix-coresight-funnel-ports.patch b/queue-5.10/arm-dts-imx7d-fix-coresight-funnel-ports.patch new file mode 100644 index 00000000000..fb0ea9a1bb5 --- /dev/null +++ b/queue-5.10/arm-dts-imx7d-fix-coresight-funnel-ports.patch @@ -0,0 +1,60 @@ +From 01fc1cd926e1b08f6fccaae1f6692ec6935f950d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 10:15:53 +0200 +Subject: ARM: dts: imx7d: Fix coresight funnel ports + +From: Alexander Stein + +[ Upstream commit 0d4ac04fa7c3f6dc263dba6f575a2ec7a2d4eca8 ] + +imx7d uses two ports for 'in-ports', so the syntax port@ has to +be used. imx7d has both port and port@1 nodes present, raising these +error: +funnel@30041000: in-ports: More than one condition true in oneOf schema +funnel@30041000: Unevaluated properties are not allowed +('in-ports' was unexpected) + +Fix this by also using port@0 for imx7s as well. + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7d.dtsi | 3 --- + arch/arm/boot/dts/imx7s.dtsi | 6 +++++- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx7d.dtsi b/arch/arm/boot/dts/imx7d.dtsi +index b0bcfa9094a3..8ad3e60fd7d1 100644 +--- a/arch/arm/boot/dts/imx7d.dtsi ++++ b/arch/arm/boot/dts/imx7d.dtsi +@@ -209,9 +209,6 @@ + }; + + &ca_funnel_in_ports { +- #address-cells = <1>; +- #size-cells = <0>; +- + port@1 { + reg = <1>; + ca_funnel_in_port1: endpoint { +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index 03bde2fb9bb1..622c60bd8b75 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -173,7 +173,11 @@ + clock-names = "apb_pclk"; + + ca_funnel_in_ports: in-ports { +- port { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ port@0 { ++ reg = <0>; + ca_funnel_in_port0: endpoint { + remote-endpoint = <&etm0_out_port>; + }; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx7s-fix-lcdif-compatible.patch b/queue-5.10/arm-dts-imx7s-fix-lcdif-compatible.patch new file mode 100644 index 00000000000..4108d988513 --- /dev/null +++ b/queue-5.10/arm-dts-imx7s-fix-lcdif-compatible.patch @@ -0,0 +1,39 @@ +From 1963a207eb34fa066c22fe7ff61f25876aae2cfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 10:15:54 +0200 +Subject: ARM: dts: imx7s: Fix lcdif compatible + +From: Alexander Stein + +[ Upstream commit 5f55da4cc37051cda600ea870ce8cf29f1297715 ] + +imx7d-lcdif is compatible to imx6sx-lcdif. MXSFB_V6 supports overlay +by using LCDC_AS_CTRL register. This registers used by overlay plane: +* LCDC_AS_CTRL +* LCDC_AS_BUF +* LCDC_AS_NEXT_BUF +are listed in i.MX7D RM as well. + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index 622c60bd8b75..31ccf65d159b 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -773,7 +773,7 @@ + }; + + lcdif: lcdif@30730000 { +- compatible = "fsl,imx7d-lcdif", "fsl,imx28-lcdif"; ++ compatible = "fsl,imx7d-lcdif", "fsl,imx6sx-lcdif"; + reg = <0x30730000 0x10000>; + interrupts = ; + clocks = <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>, +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-imx7s-fix-nand-controller-size-cells.patch b/queue-5.10/arm-dts-imx7s-fix-nand-controller-size-cells.patch new file mode 100644 index 00000000000..62eb225751a --- /dev/null +++ b/queue-5.10/arm-dts-imx7s-fix-nand-controller-size-cells.patch @@ -0,0 +1,38 @@ +From 216b1e65785cecabe2ba161399da536409fc6225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 10:15:55 +0200 +Subject: ARM: dts: imx7s: Fix nand-controller #size-cells + +From: Alexander Stein + +[ Upstream commit 4aadb841ed49bada1415c48c44d21f5b69e01299 ] + +nand-controller.yaml bindings says #size-cells shall be set to 0. +Fixes the dtbs_check warning: +arch/arm/boot/dts/nxp/imx/imx7s-mba7.dtb: nand-controller@33002000: + #size-cells:0:0: 0 was expected + from schema $id: http://devicetree.org/schemas/mtd/gpmi-nand.yaml# + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index 31ccf65d159b..b4cab6a21437 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -1235,7 +1235,7 @@ + gpmi: nand-controller@33002000{ + compatible = "fsl,imx7d-gpmi-nand"; + #address-cells = <1>; +- #size-cells = <1>; ++ #size-cells = <0>; + reg = <0x33002000 0x2000>, <0x33004000 0x4000>; + reg-names = "gpmi-nand", "bch"; + interrupts = ; +-- +2.43.0 + diff --git a/queue-5.10/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch b/queue-5.10/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch new file mode 100644 index 00000000000..bf17d951d0c --- /dev/null +++ b/queue-5.10/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch @@ -0,0 +1,51 @@ +From 7512b4e414a5b145b560f1435fc7464dcbc7c22c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 18:40:27 +0100 +Subject: ARM: dts: rockchip: fix rk3036 hdmi ports node + +From: Johan Jonker + +[ Upstream commit 27ded76ef0fcfcf939914532aae575cf23c221b4 ] + +Fix hdmi ports node so that it matches the +rockchip,inno-hdmi.yaml binding. + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/9a2afac1-ed5c-382d-02b0-b2f5f1af3abb@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3036.dtsi | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi +index 093567022386..5f47b638f532 100644 +--- a/arch/arm/boot/dts/rk3036.dtsi ++++ b/arch/arm/boot/dts/rk3036.dtsi +@@ -336,12 +336,20 @@ + pinctrl-0 = <&hdmi_ctl>; + status = "disabled"; + +- hdmi_in: port { ++ ports { + #address-cells = <1>; + #size-cells = <0>; +- hdmi_in_vop: endpoint@0 { ++ ++ hdmi_in: port@0 { + reg = <0>; +- remote-endpoint = <&vop_out_hdmi>; ++ ++ hdmi_in_vop: endpoint { ++ remote-endpoint = <&vop_out_hdmi>; ++ }; ++ }; ++ ++ hdmi_out: port@1 { ++ reg = <1>; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch b/queue-5.10/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch new file mode 100644 index 00000000000..d5ddf279df6 --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch @@ -0,0 +1,63 @@ +From ea47e0d8170bfeb644cb9d21a4d99b297e047f7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 23:26:29 -0800 +Subject: arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property + +From: Mao Jinlong + +[ Upstream commit 9a6fc510a6a3ec150cb7450aec1e5f257e6fc77b ] + +Add the inport of funnel@3023000 to fix 'in-ports' is a required property +warning. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Mao Jinlong +Link: https://lore.kernel.org/r/20231210072633.4243-3-quic_jinlmao@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index 0bc5fefb7a49..d766f3b5c03e 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -139,6 +139,19 @@ + reg = <0 0 0 0>; + }; + ++ etm { ++ compatible = "qcom,coresight-remote-etm"; ++ ++ out-ports { ++ port { ++ modem_etm_out_funnel_in2: endpoint { ++ remote-endpoint = ++ <&funnel_in2_in_modem_etm>; ++ }; ++ }; ++ }; ++ }; ++ + psci { + compatible = "arm,psci-1.0"; + method = "smc"; +@@ -1374,6 +1387,14 @@ + clocks = <&rpmcc RPM_QDSS_CLK>, <&rpmcc RPM_QDSS_A_CLK>; + clock-names = "apb_pclk", "atclk"; + ++ in-ports { ++ port { ++ funnel_in2_in_modem_etm: endpoint { ++ remote-endpoint = ++ <&modem_etm_out_funnel_in2>; ++ }; ++ }; ++ }; + + out-ports { + port { +-- +2.43.0 + diff --git a/queue-5.10/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch b/queue-5.10/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch new file mode 100644 index 00000000000..8a323358da0 --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch @@ -0,0 +1,88 @@ +From 6d654be3732be4547cc2a4cf26d3e33c5c33b47a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 23:26:30 -0800 +Subject: arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property + +From: Mao Jinlong + +[ Upstream commit ae5ee3562a2519214b12228545e88a203dd68bbd ] + +out-ports is a required property for coresight ETM. Add out-ports for +ETM nodes to fix the warning. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Mao Jinlong +Link: https://lore.kernel.org/r/20231210072633.4243-4-quic_jinlmao@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8998.dtsi | 32 +++++++++++++++++---------- + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8998.dtsi b/arch/arm64/boot/dts/qcom/msm8998.dtsi +index 7c8d69ca91cf..ca8e7848769a 100644 +--- a/arch/arm64/boot/dts/qcom/msm8998.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi +@@ -1577,9 +1577,11 @@ + + cpu = <&CPU4>; + +- port{ +- etm4_out: endpoint { +- remote-endpoint = <&apss_funnel_in4>; ++ out-ports { ++ port{ ++ etm4_out: endpoint { ++ remote-endpoint = <&apss_funnel_in4>; ++ }; + }; + }; + }; +@@ -1594,9 +1596,11 @@ + + cpu = <&CPU5>; + +- port{ +- etm5_out: endpoint { +- remote-endpoint = <&apss_funnel_in5>; ++ out-ports { ++ port{ ++ etm5_out: endpoint { ++ remote-endpoint = <&apss_funnel_in5>; ++ }; + }; + }; + }; +@@ -1611,9 +1615,11 @@ + + cpu = <&CPU6>; + +- port{ +- etm6_out: endpoint { +- remote-endpoint = <&apss_funnel_in6>; ++ out-ports { ++ port{ ++ etm6_out: endpoint { ++ remote-endpoint = <&apss_funnel_in6>; ++ }; + }; + }; + }; +@@ -1628,9 +1634,11 @@ + + cpu = <&CPU7>; + +- port{ +- etm7_out: endpoint { +- remote-endpoint = <&apss_funnel_in7>; ++ out-ports { ++ port{ ++ etm7_out: endpoint { ++ remote-endpoint = <&apss_funnel_in7>; ++ }; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.10/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch b/queue-5.10/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch new file mode 100644 index 00000000000..b411acc152a --- /dev/null +++ b/queue-5.10/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch @@ -0,0 +1,37 @@ +From 5b5e76abd023348c6a675feef1600aa893d104f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 14:07:51 +0200 +Subject: ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument + +From: Cristian Ciocaltea + +[ Upstream commit 67c7666fe808c3a7af3cc6f9d0a3dd3acfd26115 ] + +The virtual widget example makes use of an undefined SND_SOC_DAPM_NOPM +argument passed to SND_SOC_DAPM_MIXER(). Replace with the correct +SND_SOC_NOPM definition. + +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20231121120751.77355-1-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/sound/soc/dapm.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/sound/soc/dapm.rst b/Documentation/sound/soc/dapm.rst +index 8e44107933ab..c3154ce6e1b2 100644 +--- a/Documentation/sound/soc/dapm.rst ++++ b/Documentation/sound/soc/dapm.rst +@@ -234,7 +234,7 @@ corresponding soft power control. In this case it is necessary to create + a virtual widget - a widget with no control bits e.g. + :: + +- SND_SOC_DAPM_MIXER("AC97 Mixer", SND_SOC_DAPM_NOPM, 0, 0, NULL, 0), ++ SND_SOC_DAPM_MIXER("AC97 Mixer", SND_SOC_NOPM, 0, 0, NULL, 0), + + This can be used to merge to signal paths together in software. + +-- +2.43.0 + diff --git a/queue-5.10/audit-send-netlink-ack-before-setting-connection-in-.patch b/queue-5.10/audit-send-netlink-ack-before-setting-connection-in-.patch new file mode 100644 index 00000000000..e8c20565d2e --- /dev/null +++ b/queue-5.10/audit-send-netlink-ack-before-setting-connection-in-.patch @@ -0,0 +1,117 @@ +From f33d952c4bf365694a0dd91ac910ae048e2c2839 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 09:23:51 +0000 +Subject: audit: Send netlink ACK before setting connection in auditd_set + +From: Chris Riches + +[ Upstream commit 022732e3d846e197539712e51ecada90ded0572a ] + +When auditd_set sets the auditd_conn pointer, audit messages can +immediately be put on the socket by other kernel threads. If the backlog +is large or the rate is high, this can immediately fill the socket +buffer. If the audit daemon requested an ACK for this operation, a full +socket buffer causes the ACK to get dropped, also setting ENOBUFS on the +socket. + +To avoid this race and ensure ACKs get through, fast-track the ACK in +this specific case to ensure it is sent before auditd_conn is set. + +Signed-off-by: Chris Riches +[PM: fix some tab vs space damage] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +diff --git a/kernel/audit.c b/kernel/audit.c +index aeec86ed4708..2ab04e0a7441 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -490,15 +490,19 @@ static void auditd_conn_free(struct rcu_head *rcu) + * @pid: auditd PID + * @portid: auditd netlink portid + * @net: auditd network namespace pointer ++ * @skb: the netlink command from the audit daemon ++ * @ack: netlink ack flag, cleared if ack'd here + * + * Description: + * This function will obtain and drop network namespace references as + * necessary. Returns zero on success, negative values on failure. + */ +-static int auditd_set(struct pid *pid, u32 portid, struct net *net) ++static int auditd_set(struct pid *pid, u32 portid, struct net *net, ++ struct sk_buff *skb, bool *ack) + { + unsigned long flags; + struct auditd_connection *ac_old, *ac_new; ++ struct nlmsghdr *nlh; + + if (!pid || !net) + return -EINVAL; +@@ -510,6 +514,13 @@ static int auditd_set(struct pid *pid, u32 portid, struct net *net) + ac_new->portid = portid; + ac_new->net = get_net(net); + ++ /* send the ack now to avoid a race with the queue backlog */ ++ if (*ack) { ++ nlh = nlmsg_hdr(skb); ++ netlink_ack(skb, nlh, 0, NULL); ++ *ack = false; ++ } ++ + spin_lock_irqsave(&auditd_conn_lock, flags); + ac_old = rcu_dereference_protected(auditd_conn, + lockdep_is_held(&auditd_conn_lock)); +@@ -1203,7 +1214,8 @@ static int audit_replace(struct pid *pid) + return auditd_send_unicast_skb(skb); + } + +-static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ++static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, ++ bool *ack) + { + u32 seq; + void *data; +@@ -1296,7 +1308,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + /* register a new auditd connection */ + err = auditd_set(req_pid, + NETLINK_CB(skb).portid, +- sock_net(NETLINK_CB(skb).sk)); ++ sock_net(NETLINK_CB(skb).sk), ++ skb, ack); + if (audit_enabled != AUDIT_OFF) + audit_log_config_change("audit_pid", + new_pid, +@@ -1541,9 +1554,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + * Parse the provided skb and deal with any messages that may be present, + * malformed skbs are discarded. + */ +-static void audit_receive(struct sk_buff *skb) ++static void audit_receive(struct sk_buff *skb) + { + struct nlmsghdr *nlh; ++ bool ack; + /* + * len MUST be signed for nlmsg_next to be able to dec it below 0 + * if the nlmsg_len was not aligned +@@ -1556,9 +1570,12 @@ static void audit_receive(struct sk_buff *skb) + + audit_ctl_lock(); + while (nlmsg_ok(nlh, len)) { +- err = audit_receive_msg(skb, nlh); +- /* if err or if this message says it wants a response */ +- if (err || (nlh->nlmsg_flags & NLM_F_ACK)) ++ ack = nlh->nlmsg_flags & NLM_F_ACK; ++ err = audit_receive_msg(skb, nlh, &ack); ++ ++ /* send an ack if the user asked for one and audit_receive_msg ++ * didn't already do it, or if there was an error. */ ++ if (ack || err) + netlink_ack(skb, nlh, err, NULL); + + nlh = nlmsg_next(nlh, &len); +-- +2.43.0 + diff --git a/queue-5.10/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch b/queue-5.10/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch new file mode 100644 index 00000000000..ba1b0f28a00 --- /dev/null +++ b/queue-5.10/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch @@ -0,0 +1,72 @@ +From 0609bcb07548d483ca83f7357b1342791b9523db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 20:26:26 +0800 +Subject: blk-mq: fix IO hang from sbitmap wakeup race + +From: Ming Lei + +[ Upstream commit 5266caaf5660529e3da53004b8b7174cab6374ed ] + +In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered +with the following blk_mq_get_driver_tag() in case of getting driver +tag failure. + +Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe +the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime +blk_mq_mark_tag_wait() can't get driver tag successfully. + +This issue can be reproduced by running the following test in loop, and +fio hang can be observed in < 30min when running it on my test VM +in laptop. + + modprobe -r scsi_debug + modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4 + dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename` + fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \ + --runtime=100 --numjobs=40 --time_based --name=test \ + --ioengine=libaio + +Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which +is just fine in case of running out of tag. + +Cc: Jan Kara +Cc: Kemeng Shi +Reported-by: Changhui Zhong +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20240112122626.4181044-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index e153a36c9ba3..a7a31d7090ae 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1188,6 +1188,22 @@ static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx, + wait->flags &= ~WQ_FLAG_EXCLUSIVE; + __add_wait_queue(wq, wait); + ++ /* ++ * Add one explicit barrier since blk_mq_get_driver_tag() may ++ * not imply barrier in case of failure. ++ * ++ * Order adding us to wait queue and allocating driver tag. ++ * ++ * The pair is the one implied in sbitmap_queue_wake_up() which ++ * orders clearing sbitmap tag bits and waitqueue_active() in ++ * __sbitmap_queue_wake_up(), since waitqueue_active() is lockless ++ * ++ * Otherwise, re-order of adding wait queue and getting driver tag ++ * may cause __sbitmap_queue_wake_up() to wake up nothing because ++ * the waitqueue_active() may not observe us in wait queue. ++ */ ++ smp_mb(); ++ + /* + * It's possible that a tag was freed in the window between the + * allocation failure and adding the hardware queue to the wait +-- +2.43.0 + diff --git a/queue-5.10/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch b/queue-5.10/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch new file mode 100644 index 00000000000..71ba27115eb --- /dev/null +++ b/queue-5.10/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch @@ -0,0 +1,36 @@ +From 0a3cd18f654595ffa337baa77e28d64d08ce05a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 18:34:18 +0100 +Subject: block: prevent an integer overflow in bvec_try_merge_hw_page + +From: Christoph Hellwig + +[ Upstream commit 3f034c374ad55773c12dd8f3c1607328e17c0072 ] + +Reordered a check to avoid a possible overflow when adding len to bv_len. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20231204173419.782378-2-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bio.c b/block/bio.c +index b729f0240082..6f7a1aa9ea22 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -770,7 +770,7 @@ static bool bio_try_merge_hw_seg(struct request_queue *q, struct bio *bio, + + if ((addr1 | mask) != (addr2 | mask)) + return false; +- if (bv->bv_len + len > queue_max_segment_size(q)) ++ if (len > queue_max_segment_size(q) - bv->bv_len) + return false; + return __bio_try_merge_page(bio, page, len, offset, same_page); + } +-- +2.43.0 + diff --git a/queue-5.10/block-rnbd-srv-check-for-unlikely-string-overflow.patch b/queue-5.10/block-rnbd-srv-check-for-unlikely-string-overflow.patch new file mode 100644 index 00000000000..a6d70b4b725 --- /dev/null +++ b/queue-5.10/block-rnbd-srv-check-for-unlikely-string-overflow.patch @@ -0,0 +1,88 @@ +From 7f34513978a4de631949341fb570ba078fe2d797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 13:47:42 -0800 +Subject: block/rnbd-srv: Check for unlikely string overflow + +From: Kees Cook + +[ Upstream commit 9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41 ] + +Since "dev_search_path" can technically be as large as PATH_MAX, +there was a risk of truncation when copying it and a second string +into "full_path" since it was also PATH_MAX sized. The W=1 builds were +reporting this warning: + +drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra': +drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=] + 616 | snprintf(full_path, PATH_MAX, "%s/%s", + | ^~ +In function 'rnbd_srv_get_full_path', + inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096 + 616 | snprintf(full_path, PATH_MAX, "%s/%s", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 617 | dev_search_path, dev_name); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To fix this, unconditionally check for truncation (as was already done +for the case where "%SESSNAME%" was present). + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202312100355.lHoJPgKy-lkp@intel.com/ +Cc: Md. Haris Iqbal +Cc: Jack Wang +Cc: Jens Axboe +Cc: +Signed-off-by: Kees Cook +Acked-by: Guoqing Jiang +Acked-by: Jack Wang +Link: https://lore.kernel.org/r/20231212214738.work.169-kees@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/rnbd/rnbd-srv.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/block/rnbd/rnbd-srv.c b/drivers/block/rnbd/rnbd-srv.c +index e1bc8b4cd592..9c5d52335e17 100644 +--- a/drivers/block/rnbd/rnbd-srv.c ++++ b/drivers/block/rnbd/rnbd-srv.c +@@ -591,6 +591,7 @@ static char *rnbd_srv_get_full_path(struct rnbd_srv_session *srv_sess, + { + char *full_path; + char *a, *b; ++ int len; + + full_path = kmalloc(PATH_MAX, GFP_KERNEL); + if (!full_path) +@@ -602,19 +603,19 @@ static char *rnbd_srv_get_full_path(struct rnbd_srv_session *srv_sess, + */ + a = strnstr(dev_search_path, "%SESSNAME%", sizeof(dev_search_path)); + if (a) { +- int len = a - dev_search_path; ++ len = a - dev_search_path; + + len = snprintf(full_path, PATH_MAX, "%.*s/%s/%s", len, + dev_search_path, srv_sess->sessname, dev_name); +- if (len >= PATH_MAX) { +- pr_err("Too long path: %s, %s, %s\n", +- dev_search_path, srv_sess->sessname, dev_name); +- kfree(full_path); +- return ERR_PTR(-EINVAL); +- } + } else { +- snprintf(full_path, PATH_MAX, "%s/%s", +- dev_search_path, dev_name); ++ len = snprintf(full_path, PATH_MAX, "%s/%s", ++ dev_search_path, dev_name); ++ } ++ if (len >= PATH_MAX) { ++ pr_err("Too long path: %s, %s, %s\n", ++ dev_search_path, srv_sess->sessname, dev_name); ++ kfree(full_path); ++ return ERR_PTR(-EINVAL); + } + + /* eliminitate duplicated slashes */ +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-l2cap-fix-possible-multiple-reject-send.patch b/queue-5.10/bluetooth-l2cap-fix-possible-multiple-reject-send.patch new file mode 100644 index 00000000000..d396db6a7b2 --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-possible-multiple-reject-send.patch @@ -0,0 +1,42 @@ +From 928f1846e0795dae64c1f47f57335d3457cbf703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 09:10:22 +0100 +Subject: Bluetooth: L2CAP: Fix possible multiple reject send +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frédéric Danis + +[ Upstream commit 96a3398b467ab8aada3df2f3a79f4b7835d068b8 ] + +In case of an incomplete command or a command with a null identifier 2 +reject packets will be sent, one with the identifier and one with 0. +Consuming the data of the command will prevent it. +This allows to send a reject packet for each corrupted command in a +multi-command packet. + +Signed-off-by: Frédéric Danis +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index cf78a48085ed..a752032e12fc 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6522,7 +6522,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn, + if (len > skb->len || !cmd->ident) { + BT_DBG("corrupted command"); + l2cap_sig_send_rej(conn, cmd->ident); +- break; ++ skb_pull(skb, len > skb->len ? skb->len : len); ++ continue; + } + + err = l2cap_bredr_sig_cmd(conn, cmd, len, skb->data); +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-qca-set-both-wideband_speech-and-le_states.patch b/queue-5.10/bluetooth-qca-set-both-wideband_speech-and-le_states.patch new file mode 100644 index 00000000000..e4cb9f538d6 --- /dev/null +++ b/queue-5.10/bluetooth-qca-set-both-wideband_speech-and-le_states.patch @@ -0,0 +1,35 @@ +From 9b167afc50599c4ded51471d3e88762f39dc77ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Nov 2023 14:02:46 +0800 +Subject: Bluetooth: qca: Set both WIDEBAND_SPEECH and LE_STATES quirks for + QCA2066 + +From: Zijun Hu + +[ Upstream commit 5d192b697c7417254cdd9edc3d5e9e0364eb9045 ] + +Set both WIDEBAND_SPEECH_SUPPORTED and VALID_LE_STATES quirks +for QCA2066. + +Signed-off-by: Zijun Hu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index bc0850d3f7d2..6e0c0762fbab 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1814,6 +1814,7 @@ static const struct qca_device_data qca_soc_data_wcn3998 = { + static const struct qca_device_data qca_soc_data_qca6390 = { + .soc_type = QCA_QCA6390, + .num_vregs = 0, ++ .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES, + }; + + static void qca_power_shutdown(struct hci_uart *hu) +-- +2.43.0 + diff --git a/queue-5.10/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch b/queue-5.10/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch new file mode 100644 index 00000000000..51e38a7cdec --- /dev/null +++ b/queue-5.10/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch @@ -0,0 +1,69 @@ +From 8f33d29fe5baf7f6fcf7d8060b72afb6dd07d72c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Nov 2023 16:16:53 +0800 +Subject: bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk + +From: Zhengchao Shao + +[ Upstream commit d6b83f1e3707c4d60acfa58afd3515e17e5d5384 ] + +If failed to allocate "tags" or could not find the final upper device from +start_dev's upper list in bond_verify_device_path(), only the loopback +detection of the current upper device should be affected, and the system is +no need to be panic. +So return -ENOMEM in alb_upper_dev_walk to stop walking, print some warn +information when failed to allocate memory for vlan tags in +bond_verify_device_path. + +I also think that the following function calls +netdev_walk_all_upper_dev_rcu +---->>>alb_upper_dev_walk +---------->>>bond_verify_device_path +From this way, "end device" can eventually be obtained from "start device" +in bond_verify_device_path, IS_ERR(tags) could be instead of +IS_ERR_OR_NULL(tags) in alb_upper_dev_walk. + +Signed-off-by: Zhengchao Shao +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20231118081653.1481260-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_alb.c | 3 ++- + drivers/net/bonding/bond_main.c | 5 ++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c +index 64ba465741a7..81a5e7622ea7 100644 +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -971,7 +971,8 @@ static int alb_upper_dev_walk(struct net_device *upper, + if (netif_is_macvlan(upper) && !strict_match) { + tags = bond_verify_device_path(bond->dev, upper, 0); + if (IS_ERR_OR_NULL(tags)) +- BUG(); ++ return -ENOMEM; ++ + alb_send_lp_vid(slave, upper->dev_addr, + tags[0].vlan_proto, tags[0].vlan_id); + kfree(tags); +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 50fabba04248..506d6fdbfacc 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2777,8 +2777,11 @@ struct bond_vlan_tag *bond_verify_device_path(struct net_device *start_dev, + + if (start_dev == end_dev) { + tags = kcalloc(level + 1, sizeof(*tags), GFP_ATOMIC); +- if (!tags) ++ if (!tags) { ++ net_err_ratelimited("%s: %s: Failed to allocate tags\n", ++ __func__, start_dev->name); + return ERR_PTR(-ENOMEM); ++ } + tags[level].vlan_proto = VLAN_N_VID; + return tags; + } +-- +2.43.0 + diff --git a/queue-5.10/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch b/queue-5.10/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch new file mode 100644 index 00000000000..db8c487e4d8 --- /dev/null +++ b/queue-5.10/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch @@ -0,0 +1,173 @@ +From 168f32fcc3cdfb611c0575ee9ffc5f1dd796b7c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 22:04:20 +0800 +Subject: bpf: Add map and need_defer parameters to .map_fd_put_ptr() + +From: Hou Tao + +[ Upstream commit 20c20bd11a0702ce4dc9300c3da58acf551d9725 ] + +map is the pointer of outer map, and need_defer needs some explanation. +need_defer tells the implementation to defer the reference release of +the passed element and ensure that the element is still alive before +the bpf program, which may manipulate it, exits. + +The following three cases will invoke map_fd_put_ptr() and different +need_defer values will be passed to these callers: + +1) release the reference of the old element in the map during map update + or map deletion. The release must be deferred, otherwise the bpf + program may incur use-after-free problem, so need_defer needs to be + true. +2) release the reference of the to-be-added element in the error path of + map update. The to-be-added element is not visible to any bpf + program, so it is OK to pass false for need_defer parameter. +3) release the references of all elements in the map during map release. + Any bpf program which has access to the map must have been exited and + released, so need_defer=false will be OK. + +These two parameters will be used by the following patches to fix the +potential use-after-free problem for map-in-map. + +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20231204140425.1480317-3-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 6 +++++- + kernel/bpf/arraymap.c | 12 +++++++----- + kernel/bpf/hashtab.c | 6 +++--- + kernel/bpf/map_in_map.c | 2 +- + kernel/bpf/map_in_map.h | 2 +- + 5 files changed, 17 insertions(+), 11 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 8f4379e93ad4..bfdf40be5360 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -82,7 +82,11 @@ struct bpf_map_ops { + /* funcs called by prog_array and perf_event_array map */ + void *(*map_fd_get_ptr)(struct bpf_map *map, struct file *map_file, + int fd); +- void (*map_fd_put_ptr)(void *ptr); ++ /* If need_defer is true, the implementation should guarantee that ++ * the to-be-put element is still alive before the bpf program, which ++ * may manipulate it, exists. ++ */ ++ void (*map_fd_put_ptr)(struct bpf_map *map, void *ptr, bool need_defer); + int (*map_gen_lookup)(struct bpf_map *map, struct bpf_insn *insn_buf); + u32 (*map_fd_sys_lookup_elem)(void *ptr); + void (*map_seq_show_elem)(struct bpf_map *map, void *key, +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index f241bda2679d..5102338129d5 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -764,7 +764,7 @@ int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file, + } + + if (old_ptr) +- map->ops->map_fd_put_ptr(old_ptr); ++ map->ops->map_fd_put_ptr(map, old_ptr, true); + return 0; + } + +@@ -787,7 +787,7 @@ static int fd_array_map_delete_elem(struct bpf_map *map, void *key) + } + + if (old_ptr) { +- map->ops->map_fd_put_ptr(old_ptr); ++ map->ops->map_fd_put_ptr(map, old_ptr, true); + return 0; + } else { + return -ENOENT; +@@ -811,8 +811,9 @@ static void *prog_fd_array_get_ptr(struct bpf_map *map, + return prog; + } + +-static void prog_fd_array_put_ptr(void *ptr) ++static void prog_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { ++ /* bpf_prog is freed after one RCU or tasks trace grace period */ + bpf_prog_put(ptr); + } + +@@ -1139,8 +1140,9 @@ static void *perf_event_fd_array_get_ptr(struct bpf_map *map, + return ee; + } + +-static void perf_event_fd_array_put_ptr(void *ptr) ++static void perf_event_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { ++ /* bpf_perf_event is freed after one RCU grace period */ + bpf_event_entry_free_rcu(ptr); + } + +@@ -1195,7 +1197,7 @@ static void *cgroup_fd_array_get_ptr(struct bpf_map *map, + return cgroup_get_from_fd(fd); + } + +-static void cgroup_fd_array_put_ptr(void *ptr) ++static void cgroup_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { + /* cgroup_put free cgrp after a rcu grace period */ + cgroup_put(ptr); +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 0ce445aadfdf..ec8497314272 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -786,7 +786,7 @@ static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l) + + if (map->ops->map_fd_put_ptr) { + ptr = fd_htab_map_get_ptr(map, l); +- map->ops->map_fd_put_ptr(ptr); ++ map->ops->map_fd_put_ptr(map, ptr, true); + } + } + +@@ -2023,7 +2023,7 @@ static void fd_htab_map_free(struct bpf_map *map) + hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { + void *ptr = fd_htab_map_get_ptr(map, l); + +- map->ops->map_fd_put_ptr(ptr); ++ map->ops->map_fd_put_ptr(map, ptr, false); + } + } + +@@ -2064,7 +2064,7 @@ int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file, + + ret = htab_map_update_elem(map, key, &ptr, map_flags); + if (ret) +- map->ops->map_fd_put_ptr(ptr); ++ map->ops->map_fd_put_ptr(map, ptr, false); + + return ret; + } +diff --git a/kernel/bpf/map_in_map.c b/kernel/bpf/map_in_map.c +index 39ab0b68cade..0cf4cb685810 100644 +--- a/kernel/bpf/map_in_map.c ++++ b/kernel/bpf/map_in_map.c +@@ -100,7 +100,7 @@ void *bpf_map_fd_get_ptr(struct bpf_map *map, + return inner_map; + } + +-void bpf_map_fd_put_ptr(void *ptr) ++void bpf_map_fd_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { + /* ptr->ops->map_free() has to go through one + * rcu grace period by itself. +diff --git a/kernel/bpf/map_in_map.h b/kernel/bpf/map_in_map.h +index bcb7534afb3c..7d61602354de 100644 +--- a/kernel/bpf/map_in_map.h ++++ b/kernel/bpf/map_in_map.h +@@ -13,7 +13,7 @@ struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd); + void bpf_map_meta_free(struct bpf_map *map_meta); + void *bpf_map_fd_get_ptr(struct bpf_map *map, struct file *map_file, + int ufd); +-void bpf_map_fd_put_ptr(void *ptr); ++void bpf_map_fd_put_ptr(struct bpf_map *map, void *ptr, bool need_defer); + u32 bpf_map_fd_sys_lookup_elem(void *ptr); + + #endif +-- +2.43.0 + diff --git a/queue-5.10/bpf-set-uattr-batch.count-as-zero-before-batched-upd.patch b/queue-5.10/bpf-set-uattr-batch.count-as-zero-before-batched-upd.patch new file mode 100644 index 00000000000..666a02b311d --- /dev/null +++ b/queue-5.10/bpf-set-uattr-batch.count-as-zero-before-batched-upd.patch @@ -0,0 +1,51 @@ +From bc9603533b9ee0f7f52ed9b55010f40bc489bc02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 18:23:53 +0800 +Subject: bpf: Set uattr->batch.count as zero before batched update or deletion + +From: Hou Tao + +[ Upstream commit 06e5c999f10269a532304e89a6adb2fbfeb0593c ] + +generic_map_{delete,update}_batch() doesn't set uattr->batch.count as +zero before it tries to allocate memory for key. If the memory +allocation fails, the value of uattr->batch.count will be incorrect. + +Fix it by setting uattr->batch.count as zero beore batched update or +deletion. + +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20231208102355.2628918-6-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index aaad2dce2be6..16affa09db5c 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1285,6 +1285,9 @@ int generic_map_delete_batch(struct bpf_map *map, + if (!max_count) + return 0; + ++ if (put_user(0, &uattr->batch.count)) ++ return -EFAULT; ++ + key = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN); + if (!key) + return -ENOMEM; +@@ -1343,6 +1346,9 @@ int generic_map_update_batch(struct bpf_map *map, + if (!max_count) + return 0; + ++ if (put_user(0, &uattr->batch.count)) ++ return -EFAULT; ++ + key = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN); + if (!key) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.10/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch b/queue-5.10/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch new file mode 100644 index 00000000000..6f5761cbe00 --- /dev/null +++ b/queue-5.10/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch @@ -0,0 +1,63 @@ +From c16a88d8f5627e7b992acde8bc144d2943a60f46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 13:26:18 +0800 +Subject: ceph: fix deadlock or deadcode of misusing dget() + +From: Xiubo Li + +[ Upstream commit b493ad718b1f0357394d2cdecbf00a44a36fa085 ] + +The lock order is incorrect between denty and its parent, we should +always make sure that the parent get the lock first. + +But since this deadcode is never used and the parent dir will always +be set from the callers, let's just remove it. + +Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV +Reported-by: Al Viro +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 432dc2a16e28..b0cf79b0dc49 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -4598,12 +4598,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, + struct inode *dir, + int mds, int drop, int unless) + { +- struct dentry *parent = NULL; + struct ceph_mds_request_release *rel = *p; + struct ceph_dentry_info *di = ceph_dentry(dentry); + int force = 0; + int ret; + ++ /* This shouldn't happen */ ++ BUG_ON(!dir); ++ + /* + * force an record for the directory caps if we have a dentry lease. + * this is racy (can't take i_ceph_lock and d_lock together), but it +@@ -4613,14 +4615,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, + spin_lock(&dentry->d_lock); + if (di->lease_session && di->lease_session->s_mds == mds) + force = 1; +- if (!dir) { +- parent = dget(dentry->d_parent); +- dir = d_inode(parent); +- } + spin_unlock(&dentry->d_lock); + + ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); +- dput(parent); + + spin_lock(&dentry->d_lock); + if (ret && di->lease_session && di->lease_session->s_mds == mds) { +-- +2.43.0 + diff --git a/queue-5.10/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch b/queue-5.10/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch new file mode 100644 index 00000000000..f471701de34 --- /dev/null +++ b/queue-5.10/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch @@ -0,0 +1,41 @@ +From 22d6c7608534bf4a2fc66a60b25c8ff77e9f7dad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 00:50:40 +0800 +Subject: clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() + +From: Kuan-Wei Chiu + +[ Upstream commit bfbea9e5667cfa9552c3d88f023386f017f6c308 ] + +In cases where kcalloc() fails for the 'clk_data->clks' allocation, the +code path does not handle the failure gracefully, potentially leading +to a memory leak. This fix ensures proper cleanup by freeing the +allocated memory for 'clk_data' before returning. + +Signed-off-by: Kuan-Wei Chiu +Link: https://lore.kernel.org/r/20231210165040.3407545-1-visitorckw@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/hisilicon/clk-hi3620.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/hisilicon/clk-hi3620.c b/drivers/clk/hisilicon/clk-hi3620.c +index a3d04c7c3da8..eb9c139babc3 100644 +--- a/drivers/clk/hisilicon/clk-hi3620.c ++++ b/drivers/clk/hisilicon/clk-hi3620.c +@@ -467,8 +467,10 @@ static void __init hi3620_mmc_clk_init(struct device_node *node) + return; + + clk_data->clks = kcalloc(num, sizeof(*clk_data->clks), GFP_KERNEL); +- if (!clk_data->clks) ++ if (!clk_data->clks) { ++ kfree(clk_data); + return; ++ } + + for (i = 0; i < num; i++) { + struct hisi_mmc_clock *mmc_clk = &hi3620_mmc_clks[i]; +-- +2.43.0 + diff --git a/queue-5.10/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch b/queue-5.10/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch new file mode 100644 index 00000000000..71437324b55 --- /dev/null +++ b/queue-5.10/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch @@ -0,0 +1,51 @@ +From fae1d92f22deda98d5c89991027e4a0de729efc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 01:52:32 +0800 +Subject: clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() + +From: Kuan-Wei Chiu + +[ Upstream commit 2fbabea626b6467eb4e6c4cb7a16523da12e43b4 ] + +In cases where mapping of mpmu/apmu/apbc registers fails, the code path +does not handle the failure gracefully, potentially leading to a memory +leak. This fix ensures proper cleanup by freeing the allocated memory +for 'pxa_unit' before returning. + +Signed-off-by: Kuan-Wei Chiu +Link: https://lore.kernel.org/r/20231210175232.3414584-1-visitorckw@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mmp/clk-of-pxa168.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/mmp/clk-of-pxa168.c b/drivers/clk/mmp/clk-of-pxa168.c +index f110c02e83cb..9674c6c06dca 100644 +--- a/drivers/clk/mmp/clk-of-pxa168.c ++++ b/drivers/clk/mmp/clk-of-pxa168.c +@@ -258,18 +258,21 @@ static void __init pxa168_clk_init(struct device_node *np) + pxa_unit->mpmu_base = of_iomap(np, 0); + if (!pxa_unit->mpmu_base) { + pr_err("failed to map mpmu registers\n"); ++ kfree(pxa_unit); + return; + } + + pxa_unit->apmu_base = of_iomap(np, 1); + if (!pxa_unit->apmu_base) { + pr_err("failed to map apmu registers\n"); ++ kfree(pxa_unit); + return; + } + + pxa_unit->apbc_base = of_iomap(np, 2); + if (!pxa_unit->apbc_base) { + pr_err("failed to map apbc registers\n"); ++ kfree(pxa_unit); + return; + } + +-- +2.43.0 + diff --git a/queue-5.10/crypto-stm32-crc32-fix-parsing-list-of-devices.patch b/queue-5.10/crypto-stm32-crc32-fix-parsing-list-of-devices.patch new file mode 100644 index 00000000000..e0ee1927a40 --- /dev/null +++ b/queue-5.10/crypto-stm32-crc32-fix-parsing-list-of-devices.patch @@ -0,0 +1,46 @@ +From 577edf1b8c2885365510c2999cde3fe5dbfd0896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 12:17:24 +0100 +Subject: crypto: stm32/crc32 - fix parsing list of devices + +From: Thomas Bourgoin + +[ Upstream commit 0eaef675b94c746900dcea7f6c41b9a103ed5d53 ] + +smatch warnings: +drivers/crypto/stm32/stm32-crc32.c:108 stm32_crc_get_next_crc() warn: +can 'crc' even be NULL? + +Use list_first_entry_or_null instead of list_first_entry to retrieve +the first device registered. +The function list_first_entry always return a non NULL pointer even if +the list is empty. Hence checking if the pointer returned is NULL does +not tell if the list is empty or not. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/ +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/ +Signed-off-by: Thomas Bourgoin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-crc32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c +index 90a920e7f664..c439be1650c8 100644 +--- a/drivers/crypto/stm32/stm32-crc32.c ++++ b/drivers/crypto/stm32/stm32-crc32.c +@@ -104,7 +104,7 @@ static struct stm32_crc *stm32_crc_get_next_crc(void) + struct stm32_crc *crc; + + spin_lock_bh(&crc_list.lock); +- crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list); ++ crc = list_first_entry_or_null(&crc_list.dev_list, struct stm32_crc, list); + if (crc) + list_move_tail(&crc->list, &crc_list.dev_list); + spin_unlock_bh(&crc_list.lock); +-- +2.43.0 + diff --git a/queue-5.10/debugobjects-stop-accessing-objects-after-releasing-.patch b/queue-5.10/debugobjects-stop-accessing-objects-after-releasing-.patch new file mode 100644 index 00000000000..c2b7b3b14f2 --- /dev/null +++ b/queue-5.10/debugobjects-stop-accessing-objects-after-releasing-.patch @@ -0,0 +1,407 @@ +From 9c41c4d1e499304da25dad9ee9c5608b0504e9ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 23:39:07 +0200 +Subject: debugobjects: Stop accessing objects after releasing hash bucket lock + +From: Andrzej Hajda + +[ Upstream commit 9bb6362652f3f4d74a87d572a91ee1b38e673ef6 ] + +After release of the hashbucket lock the tracking object can be modified or +freed by a concurrent thread. Using it in such a case is error prone, even +for printing the object state: + + 1. T1 tries to deactivate destroyed object, debugobjects detects it, + hash bucket lock is released. + + 2. T2 preempts T1 and frees the tracking object. + + 3. The freed tracking object is allocated and initialized for a + different to be tracked kernel object. + + 4. T1 resumes and reports error for wrong kernel object. + +Create a local copy of the tracking object before releasing the hash bucket +lock and use the local copy for reporting and fixups to prevent this. + +Signed-off-by: Andrzej Hajda +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20231025-debugobjects_fix-v3-1-2bc3bf7084c2@intel.com +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 200 ++++++++++++++++++--------------------------- + 1 file changed, 78 insertions(+), 122 deletions(-) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 4dd9283f6fea..b055741a5a4d 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -612,9 +612,8 @@ static void debug_objects_fill_pool(void) + static void + __debug_object_init(void *addr, const struct debug_obj_descr *descr, int onstack) + { +- enum debug_obj_state state; ++ struct debug_obj *obj, o; + struct debug_bucket *db; +- struct debug_obj *obj; + unsigned long flags; + + debug_objects_fill_pool(); +@@ -635,24 +634,18 @@ __debug_object_init(void *addr, const struct debug_obj_descr *descr, int onstack + case ODEBUG_STATE_INIT: + case ODEBUG_STATE_INACTIVE: + obj->state = ODEBUG_STATE_INIT; +- break; +- +- case ODEBUG_STATE_ACTIVE: +- state = obj->state; +- raw_spin_unlock_irqrestore(&db->lock, flags); +- debug_print_object(obj, "init"); +- debug_object_fixup(descr->fixup_init, addr, state); +- return; +- +- case ODEBUG_STATE_DESTROYED: + raw_spin_unlock_irqrestore(&db->lock, flags); +- debug_print_object(obj, "init"); + return; + default: + break; + } + ++ o = *obj; + raw_spin_unlock_irqrestore(&db->lock, flags); ++ debug_print_object(&o, "init"); ++ ++ if (o.state == ODEBUG_STATE_ACTIVE) ++ debug_object_fixup(descr->fixup_init, addr, o.state); + } + + /** +@@ -693,11 +686,9 @@ EXPORT_SYMBOL_GPL(debug_object_init_on_stack); + int debug_object_activate(void *addr, const struct debug_obj_descr *descr) + { + struct debug_obj o = { .object = addr, .state = ODEBUG_STATE_NOTAVAILABLE, .descr = descr }; +- enum debug_obj_state state; + struct debug_bucket *db; + struct debug_obj *obj; + unsigned long flags; +- int ret; + + if (!debug_objects_enabled) + return 0; +@@ -709,49 +700,38 @@ int debug_object_activate(void *addr, const struct debug_obj_descr *descr) + raw_spin_lock_irqsave(&db->lock, flags); + + obj = lookup_object_or_alloc(addr, db, descr, false, true); +- if (likely(!IS_ERR_OR_NULL(obj))) { +- bool print_object = false; +- ++ if (unlikely(!obj)) { ++ raw_spin_unlock_irqrestore(&db->lock, flags); ++ debug_objects_oom(); ++ return 0; ++ } else if (likely(!IS_ERR(obj))) { + switch (obj->state) { +- case ODEBUG_STATE_INIT: +- case ODEBUG_STATE_INACTIVE: +- obj->state = ODEBUG_STATE_ACTIVE; +- ret = 0; +- break; +- + case ODEBUG_STATE_ACTIVE: +- state = obj->state; +- raw_spin_unlock_irqrestore(&db->lock, flags); +- debug_print_object(obj, "activate"); +- ret = debug_object_fixup(descr->fixup_activate, addr, state); +- return ret ? 0 : -EINVAL; +- + case ODEBUG_STATE_DESTROYED: +- print_object = true; +- ret = -EINVAL; ++ o = *obj; + break; ++ case ODEBUG_STATE_INIT: ++ case ODEBUG_STATE_INACTIVE: ++ obj->state = ODEBUG_STATE_ACTIVE; ++ fallthrough; + default: +- ret = 0; +- break; ++ raw_spin_unlock_irqrestore(&db->lock, flags); ++ return 0; + } +- raw_spin_unlock_irqrestore(&db->lock, flags); +- if (print_object) +- debug_print_object(obj, "activate"); +- return ret; + } + + raw_spin_unlock_irqrestore(&db->lock, flags); ++ debug_print_object(&o, "activate"); + +- /* If NULL the allocation has hit OOM */ +- if (!obj) { +- debug_objects_oom(); +- return 0; ++ switch (o.state) { ++ case ODEBUG_STATE_ACTIVE: ++ case ODEBUG_STATE_NOTAVAILABLE: ++ if (debug_object_fixup(descr->fixup_activate, addr, o.state)) ++ return 0; ++ fallthrough; ++ default: ++ return -EINVAL; + } +- +- /* Object is neither static nor tracked. It's not initialized */ +- debug_print_object(&o, "activate"); +- ret = debug_object_fixup(descr->fixup_activate, addr, ODEBUG_STATE_NOTAVAILABLE); +- return ret ? 0 : -EINVAL; + } + EXPORT_SYMBOL_GPL(debug_object_activate); + +@@ -762,10 +742,10 @@ EXPORT_SYMBOL_GPL(debug_object_activate); + */ + void debug_object_deactivate(void *addr, const struct debug_obj_descr *descr) + { ++ struct debug_obj o = { .object = addr, .state = ODEBUG_STATE_NOTAVAILABLE, .descr = descr }; + struct debug_bucket *db; + struct debug_obj *obj; + unsigned long flags; +- bool print_object = false; + + if (!debug_objects_enabled) + return; +@@ -777,33 +757,24 @@ void debug_object_deactivate(void *addr, const struct debug_obj_descr *descr) + obj = lookup_object(addr, db); + if (obj) { + switch (obj->state) { ++ case ODEBUG_STATE_DESTROYED: ++ break; + case ODEBUG_STATE_INIT: + case ODEBUG_STATE_INACTIVE: + case ODEBUG_STATE_ACTIVE: +- if (!obj->astate) +- obj->state = ODEBUG_STATE_INACTIVE; +- else +- print_object = true; +- break; +- +- case ODEBUG_STATE_DESTROYED: +- print_object = true; +- break; ++ if (obj->astate) ++ break; ++ obj->state = ODEBUG_STATE_INACTIVE; ++ fallthrough; + default: +- break; ++ raw_spin_unlock_irqrestore(&db->lock, flags); ++ return; + } ++ o = *obj; + } + + raw_spin_unlock_irqrestore(&db->lock, flags); +- if (!obj) { +- struct debug_obj o = { .object = addr, +- .state = ODEBUG_STATE_NOTAVAILABLE, +- .descr = descr }; +- +- debug_print_object(&o, "deactivate"); +- } else if (print_object) { +- debug_print_object(obj, "deactivate"); +- } ++ debug_print_object(&o, "deactivate"); + } + EXPORT_SYMBOL_GPL(debug_object_deactivate); + +@@ -814,11 +785,9 @@ EXPORT_SYMBOL_GPL(debug_object_deactivate); + */ + void debug_object_destroy(void *addr, const struct debug_obj_descr *descr) + { +- enum debug_obj_state state; ++ struct debug_obj *obj, o; + struct debug_bucket *db; +- struct debug_obj *obj; + unsigned long flags; +- bool print_object = false; + + if (!debug_objects_enabled) + return; +@@ -828,32 +797,31 @@ void debug_object_destroy(void *addr, const struct debug_obj_descr *descr) + raw_spin_lock_irqsave(&db->lock, flags); + + obj = lookup_object(addr, db); +- if (!obj) +- goto out_unlock; ++ if (!obj) { ++ raw_spin_unlock_irqrestore(&db->lock, flags); ++ return; ++ } + + switch (obj->state) { ++ case ODEBUG_STATE_ACTIVE: ++ case ODEBUG_STATE_DESTROYED: ++ break; + case ODEBUG_STATE_NONE: + case ODEBUG_STATE_INIT: + case ODEBUG_STATE_INACTIVE: + obj->state = ODEBUG_STATE_DESTROYED; +- break; +- case ODEBUG_STATE_ACTIVE: +- state = obj->state; ++ fallthrough; ++ default: + raw_spin_unlock_irqrestore(&db->lock, flags); +- debug_print_object(obj, "destroy"); +- debug_object_fixup(descr->fixup_destroy, addr, state); + return; +- +- case ODEBUG_STATE_DESTROYED: +- print_object = true; +- break; +- default: +- break; + } +-out_unlock: ++ ++ o = *obj; + raw_spin_unlock_irqrestore(&db->lock, flags); +- if (print_object) +- debug_print_object(obj, "destroy"); ++ debug_print_object(&o, "destroy"); ++ ++ if (o.state == ODEBUG_STATE_ACTIVE) ++ debug_object_fixup(descr->fixup_destroy, addr, o.state); + } + EXPORT_SYMBOL_GPL(debug_object_destroy); + +@@ -864,9 +832,8 @@ EXPORT_SYMBOL_GPL(debug_object_destroy); + */ + void debug_object_free(void *addr, const struct debug_obj_descr *descr) + { +- enum debug_obj_state state; ++ struct debug_obj *obj, o; + struct debug_bucket *db; +- struct debug_obj *obj; + unsigned long flags; + + if (!debug_objects_enabled) +@@ -877,24 +844,26 @@ void debug_object_free(void *addr, const struct debug_obj_descr *descr) + raw_spin_lock_irqsave(&db->lock, flags); + + obj = lookup_object(addr, db); +- if (!obj) +- goto out_unlock; ++ if (!obj) { ++ raw_spin_unlock_irqrestore(&db->lock, flags); ++ return; ++ } + + switch (obj->state) { + case ODEBUG_STATE_ACTIVE: +- state = obj->state; +- raw_spin_unlock_irqrestore(&db->lock, flags); +- debug_print_object(obj, "free"); +- debug_object_fixup(descr->fixup_free, addr, state); +- return; ++ break; + default: + hlist_del(&obj->node); + raw_spin_unlock_irqrestore(&db->lock, flags); + free_object(obj); + return; + } +-out_unlock: ++ ++ o = *obj; + raw_spin_unlock_irqrestore(&db->lock, flags); ++ debug_print_object(&o, "free"); ++ ++ debug_object_fixup(descr->fixup_free, addr, o.state); + } + EXPORT_SYMBOL_GPL(debug_object_free); + +@@ -946,10 +915,10 @@ void + debug_object_active_state(void *addr, const struct debug_obj_descr *descr, + unsigned int expect, unsigned int next) + { ++ struct debug_obj o = { .object = addr, .state = ODEBUG_STATE_NOTAVAILABLE, .descr = descr }; + struct debug_bucket *db; + struct debug_obj *obj; + unsigned long flags; +- bool print_object = false; + + if (!debug_objects_enabled) + return; +@@ -962,28 +931,19 @@ debug_object_active_state(void *addr, const struct debug_obj_descr *descr, + if (obj) { + switch (obj->state) { + case ODEBUG_STATE_ACTIVE: +- if (obj->astate == expect) +- obj->astate = next; +- else +- print_object = true; +- break; +- ++ if (obj->astate != expect) ++ break; ++ obj->astate = next; ++ raw_spin_unlock_irqrestore(&db->lock, flags); ++ return; + default: +- print_object = true; + break; + } ++ o = *obj; + } + + raw_spin_unlock_irqrestore(&db->lock, flags); +- if (!obj) { +- struct debug_obj o = { .object = addr, +- .state = ODEBUG_STATE_NOTAVAILABLE, +- .descr = descr }; +- +- debug_print_object(&o, "active_state"); +- } else if (print_object) { +- debug_print_object(obj, "active_state"); +- } ++ debug_print_object(&o, "active_state"); + } + EXPORT_SYMBOL_GPL(debug_object_active_state); + +@@ -991,12 +951,10 @@ EXPORT_SYMBOL_GPL(debug_object_active_state); + static void __debug_check_no_obj_freed(const void *address, unsigned long size) + { + unsigned long flags, oaddr, saddr, eaddr, paddr, chunks; +- const struct debug_obj_descr *descr; +- enum debug_obj_state state; ++ int cnt, objs_checked = 0; ++ struct debug_obj *obj, o; + struct debug_bucket *db; + struct hlist_node *tmp; +- struct debug_obj *obj; +- int cnt, objs_checked = 0; + + saddr = (unsigned long) address; + eaddr = saddr + size; +@@ -1018,12 +976,10 @@ static void __debug_check_no_obj_freed(const void *address, unsigned long size) + + switch (obj->state) { + case ODEBUG_STATE_ACTIVE: +- descr = obj->descr; +- state = obj->state; ++ o = *obj; + raw_spin_unlock_irqrestore(&db->lock, flags); +- debug_print_object(obj, "free"); +- debug_object_fixup(descr->fixup_free, +- (void *) oaddr, state); ++ debug_print_object(&o, "free"); ++ debug_object_fixup(o.descr->fixup_free, (void *)oaddr, o.state); + goto repeat; + default: + hlist_del(&obj->node); +-- +2.43.0 + diff --git a/queue-5.10/drivers-perf-pmuv3-don-t-expose-sw_incr-event-in-sys.patch b/queue-5.10/drivers-perf-pmuv3-don-t-expose-sw_incr-event-in-sys.patch new file mode 100644 index 00000000000..94e63a64561 --- /dev/null +++ b/queue-5.10/drivers-perf-pmuv3-don-t-expose-sw_incr-event-in-sys.patch @@ -0,0 +1,55 @@ +From 1a1ba8208b58f1cd6286626654fe609a30e6940e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 11:58:47 +0000 +Subject: drivers/perf: pmuv3: don't expose SW_INCR event in sysfs + +From: Mark Rutland + +[ Upstream commit ca6f537e459e2da4b331fe8928d1a0b0f9301f42 ] + +The SW_INCR event is somewhat unusual, and depends on the specific HW +counter that it is programmed into. When programmed into PMEVCNTR, +SW_INCR will count any writes to PMSWINC_EL0 with bit n set, ignoring +writes to SW_INCR with bit n clear. + +Event rotation means that there's no fixed relationship between +perf_events and HW counters, so this isn't all that useful. + +Further, we program PMUSERENR.{SW,EN}=={0,0}, which causes EL0 writes to +PMSWINC_EL0 to be trapped and handled as UNDEFINED, resulting in a +SIGILL to userspace. + +Given that, it's not a good idea to expose SW_INCR in sysfs. Hide it as +we did for CHAIN back in commit: + + 4ba2578fa7b55701 ("arm64: perf: don't expose CHAIN event in sysfs") + +Signed-off-by: Mark Rutland +Cc: Will Deacon +Link: https://lore.kernel.org/r/20231204115847.2993026-1-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/perf_event.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c +index cdb3d4549b3a..8e428f8dd108 100644 +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -171,7 +171,11 @@ armv8pmu_events_sysfs_show(struct device *dev, + }).attr.attr) + + static struct attribute *armv8_pmuv3_event_attrs[] = { +- ARMV8_EVENT_ATTR(sw_incr, ARMV8_PMUV3_PERFCTR_SW_INCR), ++ /* ++ * Don't expose the sw_incr event in /sys. It's not usable as writes to ++ * PMSWINC_EL0 will trap as PMUSERENR.{SW,EN}=={0,0} and event rotation ++ * means we don't have a fixed event<->counter relationship regardless. ++ */ + ARMV8_EVENT_ATTR(l1i_cache_refill, ARMV8_PMUV3_PERFCTR_L1I_CACHE_REFILL), + ARMV8_EVENT_ATTR(l1i_tlb_refill, ARMV8_PMUV3_PERFCTR_L1I_TLB_REFILL), + ARMV8_EVENT_ATTR(l1d_cache_refill, ARMV8_PMUV3_PERFCTR_L1D_CACHE_REFILL), +-- +2.43.0 + diff --git a/queue-5.10/drm-amd-display-fix-tiled-display-misalignment.patch b/queue-5.10/drm-amd-display-fix-tiled-display-misalignment.patch new file mode 100644 index 00000000000..97a787c6a9d --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-tiled-display-misalignment.patch @@ -0,0 +1,43 @@ +From 024723545e4ee7d8c74e2ce857cc3f789384f2c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Nov 2023 00:04:36 -0500 +Subject: drm/amd/display: Fix tiled display misalignment + +From: Meenakshikumar Somasundaram + +[ Upstream commit c4b8394e76adba4f50a3c2696c75b214a291e24a ] + +[Why] +When otg workaround is applied during clock update, otgs of +tiled display went out of sync. + +[How] +To call dc_trigger_sync() after clock update to sync otgs again. + +Reviewed-by: Nicholas Kazlauskas +Acked-by: Hamza Mahfooz +Signed-off-by: Meenakshikumar Somasundaram +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 36a9e9c84ed4..272252cd0500 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1440,6 +1440,10 @@ static enum dc_status dc_commit_state_no_check(struct dc *dc, struct dc_state *c + wait_for_no_pipes_pending(dc, context); + /* pplib is notified if disp_num changed */ + dc->hwss.optimize_bandwidth(dc, context); ++ /* Need to do otg sync again as otg could be out of sync due to otg ++ * workaround applied during clock update ++ */ ++ dc_trigger_sync(dc, context); + } + + context->stream_mask = get_stream_mask(dc, context); +-- +2.43.0 + diff --git a/queue-5.10/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch b/queue-5.10/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch new file mode 100644 index 00000000000..a7703834faa --- /dev/null +++ b/queue-5.10/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch @@ -0,0 +1,43 @@ +From 47d1ee1c6eba8de17ed4b1994f7f052339ea904f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 12:01:05 -0500 +Subject: drm/amd/display: make flip_timestamp_in_us a 64-bit variable + +From: Josip Pavic + +[ Upstream commit 6fb12518ca58412dc51054e2a7400afb41328d85 ] + +[Why] +This variable currently overflows after about 71 minutes. This doesn't +cause any known functional issues but it does make debugging more +difficult. + +[How] +Make it a 64-bit variable. + +Reviewed-by: Aric Cyr +Acked-by: Wayne Lin +Signed-off-by: Josip Pavic +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dc_hw_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dc_hw_types.h b/drivers/gpu/drm/amd/display/dc/dc_hw_types.h +index 1a87bc3da826..b36d4c5d0eca 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc_hw_types.h ++++ b/drivers/gpu/drm/amd/display/dc/dc_hw_types.h +@@ -426,7 +426,7 @@ struct dc_cursor_position { + }; + + struct dc_cursor_mi_param { +- unsigned int pixel_clk_khz; ++ unsigned long long pixel_clk_khz; + unsigned int ref_clk_khz; + struct rect viewport; + struct fixed31_32 h_scale_ratio; +-- +2.43.0 + diff --git a/queue-5.10/drm-amd-powerplay-fix-kzalloc-parameter-atom_tonga_p.patch b/queue-5.10/drm-amd-powerplay-fix-kzalloc-parameter-atom_tonga_p.patch new file mode 100644 index 00000000000..9b8311bd4bd --- /dev/null +++ b/queue-5.10/drm-amd-powerplay-fix-kzalloc-parameter-atom_tonga_p.patch @@ -0,0 +1,47 @@ +From 02b410bc61c3606cfd4301473eedf89a00df9c69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jan 2024 12:05:09 +0530 +Subject: drm/amd/powerplay: Fix kzalloc parameter 'ATOM_Tonga_PPM_Table' in + 'get_platform_power_management_table()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit 6616b5e1999146b1304abe78232af810080c67e3 ] + +In 'struct phm_ppm_table *ptr' allocation using kzalloc, an incorrect +structure type is passed to sizeof() in kzalloc, larger structure types +were used, thus using correct type 'struct phm_ppm_table' fixes the +below: + +drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/process_pptables_v1_0.c:203 get_platform_power_management_table() warn: struct type mismatch 'phm_ppm_table vs _ATOM_Tonga_PPM_Table' + +Cc: Eric Huang +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c +index b760f95e7fa7..5998c78ad536 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/process_pptables_v1_0.c +@@ -204,7 +204,7 @@ static int get_platform_power_management_table( + struct pp_hwmgr *hwmgr, + ATOM_Tonga_PPM_Table *atom_ppm_table) + { +- struct phm_ppm_table *ptr = kzalloc(sizeof(ATOM_Tonga_PPM_Table), GFP_KERNEL); ++ struct phm_ppm_table *ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); + struct phm_ppt_v1_information *pp_table_information = + (struct phm_ppt_v1_information *)(hwmgr->pptable); + +-- +2.43.0 + diff --git a/queue-5.10/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch b/queue-5.10/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch new file mode 100644 index 00000000000..7d0a8801c48 --- /dev/null +++ b/queue-5.10/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch @@ -0,0 +1,45 @@ +From 6ddbfc3c03c0dc85d16a8444bd352735365ca371 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Dec 2023 12:54:44 +0530 +Subject: drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit bf2ad4fb8adca89374b54b225d494e0b1956dbea ] + +Return value of container_of(...) can't be null, so null check is not +required for 'fence'. Hence drop its NULL check. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c:93 to_amdgpu_amdkfd_fence() warn: can 'fence' even be NULL? + +Cc: Felix Kuehling +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c +index 3107b9575929..eef7517c9d24 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c +@@ -88,7 +88,7 @@ struct amdgpu_amdkfd_fence *to_amdgpu_amdkfd_fence(struct dma_fence *f) + return NULL; + + fence = container_of(f, struct amdgpu_amdkfd_fence, base); +- if (fence && f->ops == &amdkfd_fence_ops) ++ if (f->ops == &amdkfd_fence_ops) + return fence; + + return NULL; +-- +2.43.0 + diff --git a/queue-5.10/drm-amdgpu-let-kfd-sync-with-vm-fences.patch b/queue-5.10/drm-amdgpu-let-kfd-sync-with-vm-fences.patch new file mode 100644 index 00000000000..777699f18ce --- /dev/null +++ b/queue-5.10/drm-amdgpu-let-kfd-sync-with-vm-fences.patch @@ -0,0 +1,42 @@ +From 02560304d2493185cc0ae016411175cd195af5a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 16:17:23 -0500 +Subject: drm/amdgpu: Let KFD sync with VM fences +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Kuehling + +[ Upstream commit ec9ba4821fa52b5efdbc4cdf0a77497990655231 ] + +Change the rules for amdgpu_sync_resv to let KFD synchronize with VM +fences on page table reservations. This fixes intermittent memory +corruption after evictions when using amdgpu_vm_handle_moved to update +page tables for VM mappings managed through render nodes. + +Signed-off-by: Felix Kuehling +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c +index 8ea6c49529e7..6a22bc41c205 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c +@@ -241,7 +241,8 @@ int amdgpu_sync_resv(struct amdgpu_device *adev, struct amdgpu_sync *sync, + + /* Never sync to VM updates either. */ + if (fence_owner == AMDGPU_FENCE_OWNER_VM && +- owner != AMDGPU_FENCE_OWNER_UNDEFINED) ++ owner != AMDGPU_FENCE_OWNER_UNDEFINED && ++ owner != AMDGPU_FENCE_OWNER_KFD) + continue; + + /* Ignore fences depending on the sync mode */ +-- +2.43.0 + diff --git a/queue-5.10/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch b/queue-5.10/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch new file mode 100644 index 00000000000..ccb9072a6b0 --- /dev/null +++ b/queue-5.10/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch @@ -0,0 +1,48 @@ +From 616c32f3d09a37067aa68ab4208ccc1ddf84065b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 18:13:11 +0530 +Subject: drm/amdgpu: Release 'adev->pm.fw' before return in + 'amdgpu_device_need_post()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit 8a44fdd3cf91debbd09b43bd2519ad2b2486ccf4 ] + +In function 'amdgpu_device_need_post(struct amdgpu_device *adev)' - +'adev->pm.fw' may not be released before return. + +Using the function release_firmware() to release adev->pm.fw. + +Thus fixing the below: +drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:1571 amdgpu_device_need_post() warn: 'adev->pm.fw' from request_firmware() not released on lines: 1554. + +Cc: Monk Liu +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Suggested-by: Lijo Lazar +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index a093f1b27724..e833c02fabff 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1184,6 +1184,7 @@ bool amdgpu_device_need_post(struct amdgpu_device *adev) + return true; + + fw_ver = *((uint32_t *)adev->pm.fw->data + 69); ++ release_firmware(adev->pm.fw); + if (fw_ver < 0x00160e00) + return true; + } +-- +2.43.0 + diff --git a/queue-5.10/drm-drm_file-fix-use-of-uninitialized-variable.patch b/queue-5.10/drm-drm_file-fix-use-of-uninitialized-variable.patch new file mode 100644 index 00000000000..a1da35a71e7 --- /dev/null +++ b/queue-5.10/drm-drm_file-fix-use-of-uninitialized-variable.patch @@ -0,0 +1,43 @@ +From e620fe5c6350379b06b449239effa877ef698824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 15:14:03 +0200 +Subject: drm/drm_file: fix use of uninitialized variable + +From: Tomi Valkeinen + +[ Upstream commit 1d3062fad9c7313fff9970a88e0538a24480ffb8 ] + +smatch reports: + +drivers/gpu/drm/drm_file.c:967 drm_show_memory_stats() error: uninitialized symbol 'supported_status'. + +'supported_status' is only set in one code path. I'm not familiar with +the code to say if that path will always be ran in real life, but +whether that is the case or not, I think it is good to initialize +'supported_status' to 0 to silence the warning (and possibly fix a bug). + +Reviewed-by: Laurent Pinchart +Acked-by: Maxime Ripard +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-1-c22b2444f5f5@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c +index 537e7de8e9c3..93da7b5d785b 100644 +--- a/drivers/gpu/drm/drm_file.c ++++ b/drivers/gpu/drm/drm_file.c +@@ -411,7 +411,7 @@ int drm_open(struct inode *inode, struct file *filp) + { + struct drm_device *dev; + struct drm_minor *minor; +- int retcode; ++ int retcode = 0; + int need_setup = 0; + + minor = drm_minor_acquire(iminor(inode)); +-- +2.43.0 + diff --git a/queue-5.10/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch b/queue-5.10/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch new file mode 100644 index 00000000000..d3c97f6c647 --- /dev/null +++ b/queue-5.10/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch @@ -0,0 +1,86 @@ +From 40556a967543eb289857602119cf598b97b337db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 12:26:52 -0700 +Subject: drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time + +From: Douglas Anderson + +[ Upstream commit 16ac5b21b31b439f03cdf44c153c5f5af94fb3eb ] + +Based on grepping through the source code this driver appears to be +missing a call to drm_atomic_helper_shutdown() at system shutdown time +and at driver unbind time. Among other things, this means that if a +panel is in use that it won't be cleanly powered off at system +shutdown time. + +The fact that we should call drm_atomic_helper_shutdown() in the case +of OS shutdown/restart and at driver remove (or unbind) time comes +straight out of the kernel doc "driver instance overview" in +drm_drv.c. + +A few notes about this fix: +- When adding drm_atomic_helper_shutdown() to the unbind path, I added + it after drm_kms_helper_poll_fini() since that's when other drivers + seemed to have it. +- Technically with a previous patch, ("drm/atomic-helper: + drm_atomic_helper_shutdown(NULL) should be a noop"), we don't + actually need to check to see if our "drm" pointer is NULL before + calling drm_atomic_helper_shutdown(). We'll leave the "if" test in, + though, so that this patch can land without any dependencies. It + could potentially be removed later. +- This patch also makes sure to set the drvdata to NULL in the case of + bind errors to make sure that shutdown can't access freed data. + +Suggested-by: Maxime Ripard +Reviewed-by: Maxime Ripard +Signed-off-by: Douglas Anderson +Tested-by: Marek Szyprowski +Reviewed-by: Marek Szyprowski +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_drv.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.c b/drivers/gpu/drm/exynos/exynos_drm_drv.c +index dbd80f1e4c78..7e13c1550083 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_drv.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_drv.c +@@ -344,6 +344,7 @@ static int exynos_drm_bind(struct device *dev) + drm_mode_config_cleanup(drm); + exynos_drm_cleanup_dma(drm); + kfree(private); ++ dev_set_drvdata(dev, NULL); + err_free_drm: + drm_dev_put(drm); + +@@ -358,6 +359,7 @@ static void exynos_drm_unbind(struct device *dev) + + exynos_drm_fbdev_fini(drm); + drm_kms_helper_poll_fini(drm); ++ drm_atomic_helper_shutdown(drm); + + component_unbind_all(drm->dev, drm); + drm_mode_config_cleanup(drm); +@@ -395,9 +397,18 @@ static int exynos_drm_platform_remove(struct platform_device *pdev) + return 0; + } + ++static void exynos_drm_platform_shutdown(struct platform_device *pdev) ++{ ++ struct drm_device *drm = platform_get_drvdata(pdev); ++ ++ if (drm) ++ drm_atomic_helper_shutdown(drm); ++} ++ + static struct platform_driver exynos_drm_platform_driver = { + .probe = exynos_drm_platform_probe, + .remove = exynos_drm_platform_remove, ++ .shutdown = exynos_drm_platform_shutdown, + .driver = { + .name = "exynos-drm", + .pm = &exynos_drm_pm_ops, +-- +2.43.0 + diff --git a/queue-5.10/drm-fix-color-lut-rounding.patch b/queue-5.10/drm-fix-color-lut-rounding.patch new file mode 100644 index 00000000000..a6724d5e254 --- /dev/null +++ b/queue-5.10/drm-fix-color-lut-rounding.patch @@ -0,0 +1,100 @@ +From a14d465b46cbe0834b8d90a959ad050f703f17b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 16:13:59 +0300 +Subject: drm: Fix color LUT rounding +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit c6fbb6bca10838485b820e8a26c23996f77ce580 ] + +The current implementation of drm_color_lut_extract() +generates weird results. Eg. if we go through all the +values for 16->8bpc conversion we see the following pattern: + +in out (count) + 0 - 7f -> 0 (128) + 80 - 17f -> 1 (256) + 180 - 27f -> 2 (256) + 280 - 37f -> 3 (256) +... +fb80 - fc7f -> fc (256) +fc80 - fd7f -> fd (256) +fd80 - fe7f -> fe (256) +fe80 - ffff -> ff (384) + +So less values map to 0 and more values map 0xff, which +doesn't seem particularly great. + +To get just the same number of input values to map to +the same output values we'd just need to drop the rounding +entrirely. But perhaps a better idea would be to follow the +OpenGL int<->float conversion rules, in which case we get +the following results: + +in out (count) + 0 - 80 -> 0 (129) + 81 - 181 -> 1 (257) + 182 - 282 -> 2 (257) + 283 - 383 -> 3 (257) +... +fc7c - fd7c -> fc (257) +fd7d - fe7d -> fd (257) +fe7e - ff7e -> fe (257) +ff7f - ffff -> ff (129) + +Note that since the divisor is constant the compiler +is able to optimize away the integer division in most +cases. The only exception is the _ULL() case on 32bit +architectures since that gets emitted as inline asm +via do_div() and thus the compiler doesn't get to +optimize it. + +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20231013131402.24072-2-ville.syrjala@linux.intel.com +Reviewed-by: Chaitanya Kumar Borah +Reviewed-by: Jani Nikula +Acked-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + include/drm/drm_color_mgmt.h | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/include/drm/drm_color_mgmt.h b/include/drm/drm_color_mgmt.h +index 81c298488b0c..54b2b2467bfd 100644 +--- a/include/drm/drm_color_mgmt.h ++++ b/include/drm/drm_color_mgmt.h +@@ -36,20 +36,17 @@ struct drm_plane; + * + * Extract a degamma/gamma LUT value provided by user (in the form of + * &drm_color_lut entries) and round it to the precision supported by the +- * hardware. ++ * hardware, following OpenGL int<->float conversion rules ++ * (see eg. OpenGL 4.6 specification - 2.3.5 Fixed-Point Data Conversions). + */ + static inline u32 drm_color_lut_extract(u32 user_input, int bit_precision) + { +- u32 val = user_input; +- u32 max = 0xffff >> (16 - bit_precision); +- +- /* Round only if we're not using full precision. */ +- if (bit_precision < 16) { +- val += 1UL << (16 - bit_precision - 1); +- val >>= 16 - bit_precision; +- } +- +- return clamp_val(val, 0, max); ++ if (bit_precision > 16) ++ return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(user_input, (1 << bit_precision) - 1), ++ (1 << 16) - 1); ++ else ++ return DIV_ROUND_CLOSEST(user_input * ((1 << bit_precision) - 1), ++ (1 << 16) - 1); + } + + u64 drm_color_ctm_s31_32_to_qm_n(u64 user_input, u32 m, u32 n); +-- +2.43.0 + diff --git a/queue-5.10/drm-framebuffer-fix-use-of-uninitialized-variable.patch b/queue-5.10/drm-framebuffer-fix-use-of-uninitialized-variable.patch new file mode 100644 index 00000000000..c86dc6570fe --- /dev/null +++ b/queue-5.10/drm-framebuffer-fix-use-of-uninitialized-variable.patch @@ -0,0 +1,42 @@ +From a7d546bdbc9fe63627d97546f0487a7a649fdb4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 15:14:04 +0200 +Subject: drm/framebuffer: Fix use of uninitialized variable + +From: Tomi Valkeinen + +[ Upstream commit f9af8f0c1dc567a5a6a6318ff324c45d80d4a60f ] + +smatch reports: + +drivers/gpu/drm/drm_framebuffer.c:654 drm_mode_getfb2_ioctl() error: uninitialized symbol 'ret'. + +'ret' is possibly not set when there are no errors, causing the error +above. I can't say if that ever happens in real-life, but in any case I +think it is good to initialize 'ret' to 0. + +Reviewed-by: Laurent Pinchart +Acked-by: Maxime Ripard +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-2-c22b2444f5f5@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_framebuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c +index 2f5b0c2bb0fe..e490ef42441f 100644 +--- a/drivers/gpu/drm/drm_framebuffer.c ++++ b/drivers/gpu/drm/drm_framebuffer.c +@@ -570,7 +570,7 @@ int drm_mode_getfb2_ioctl(struct drm_device *dev, + struct drm_mode_fb_cmd2 *r = data; + struct drm_framebuffer *fb; + unsigned int i; +- int ret; ++ int ret = 0; + + if (!drm_core_check_feature(dev, DRIVER_MODESET)) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-5.10/drm-mipi-dsi-fix-detach-call-without-attach.patch b/queue-5.10/drm-mipi-dsi-fix-detach-call-without-attach.patch new file mode 100644 index 00000000000..75a6f7c9370 --- /dev/null +++ b/queue-5.10/drm-mipi-dsi-fix-detach-call-without-attach.patch @@ -0,0 +1,138 @@ +From 1d2899a8d21c3519c7baa07c8f6ff8af7c2de368 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 13:50:32 +0300 +Subject: drm/mipi-dsi: Fix detach call without attach + +From: Tomi Valkeinen + +[ Upstream commit 90d50b8d85834e73536fdccd5aa913b30494fef0 ] + +It's been reported that DSI host driver's detach can be called without +the attach ever happening: + +https://lore.kernel.org/all/20230412073954.20601-1-tony@atomide.com/ + +After reading the code, I think this is what happens: + +We have a DSI host defined in the device tree and a DSI peripheral under +that host (i.e. an i2c device using the DSI as data bus doesn't exhibit +this behavior). + +The host driver calls mipi_dsi_host_register(), which causes (via a few +functions) mipi_dsi_device_add() to be called for the DSI peripheral. So +now we have a DSI device under the host, but attach hasn't been called. + +Normally the probing of the devices continues, and eventually the DSI +peripheral's driver will call mipi_dsi_attach(), attaching the +peripheral. + +However, if the host driver's probe encounters an error after calling +mipi_dsi_host_register(), and before the peripheral has called +mipi_dsi_attach(), the host driver will do cleanups and return an error +from its probe function. The cleanups include calling +mipi_dsi_host_unregister(). + +mipi_dsi_host_unregister() will call two functions for all its DSI +peripheral devices: mipi_dsi_detach() and mipi_dsi_device_unregister(). +The latter makes sense, as the device exists, but the former may be +wrong as attach has not necessarily been done. + +To fix this, track the attached state of the peripheral, and only detach +from mipi_dsi_host_unregister() if the peripheral was attached. + +Note that I have only tested this with a board with an i2c DSI +peripheral, not with a "pure" DSI peripheral. + +However, slightly related, the unregister machinery still seems broken. +E.g. if the DSI host driver is unbound, it'll detach and unregister the +DSI peripherals. After that, when the DSI peripheral driver unbound +it'll call detach either directly or using the devm variant, leading to +a crash. And probably the driver will crash if it happens, for some +reason, to try to send a message via the DSI bus. + +But that's another topic. + +Tested-by: H. Nikolaus Schaller +Acked-by: Maxime Ripard +Reviewed-by: Sebastian Reichel +Tested-by: Tony Lindgren +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20230921-dsi-detach-fix-v1-1-d0de2d1621d9@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 17 +++++++++++++++-- + include/drm/drm_mipi_dsi.h | 2 ++ + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index 0c806e99e869..83918ac1f608 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -300,7 +300,8 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv) + { + struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev); + +- mipi_dsi_detach(dsi); ++ if (dsi->attached) ++ mipi_dsi_detach(dsi); + mipi_dsi_device_unregister(dsi); + + return 0; +@@ -323,11 +324,18 @@ EXPORT_SYMBOL(mipi_dsi_host_unregister); + int mipi_dsi_attach(struct mipi_dsi_device *dsi) + { + const struct mipi_dsi_host_ops *ops = dsi->host->ops; ++ int ret; + + if (!ops || !ops->attach) + return -ENOSYS; + +- return ops->attach(dsi->host, dsi); ++ ret = ops->attach(dsi->host, dsi); ++ if (ret) ++ return ret; ++ ++ dsi->attached = true; ++ ++ return 0; + } + EXPORT_SYMBOL(mipi_dsi_attach); + +@@ -339,9 +347,14 @@ int mipi_dsi_detach(struct mipi_dsi_device *dsi) + { + const struct mipi_dsi_host_ops *ops = dsi->host->ops; + ++ if (WARN_ON(!dsi->attached)) ++ return -EINVAL; ++ + if (!ops || !ops->detach) + return -ENOSYS; + ++ dsi->attached = false; ++ + return ops->detach(dsi->host, dsi); + } + EXPORT_SYMBOL(mipi_dsi_detach); +diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h +index 31ba85a4110a..3c0d1495c062 100644 +--- a/include/drm/drm_mipi_dsi.h ++++ b/include/drm/drm_mipi_dsi.h +@@ -161,6 +161,7 @@ struct mipi_dsi_device_info { + * struct mipi_dsi_device - DSI peripheral device + * @host: DSI host for this peripheral + * @dev: driver model device node for this peripheral ++ * @attached: the DSI device has been successfully attached + * @name: DSI peripheral chip type + * @channel: virtual channel assigned to the peripheral + * @format: pixel format for video mode +@@ -176,6 +177,7 @@ struct mipi_dsi_device_info { + struct mipi_dsi_device { + struct mipi_dsi_host *host; + struct device dev; ++ bool attached; + + char name[DSI_DEV_NAME_SIZE]; + unsigned int channel; +-- +2.43.0 + diff --git a/queue-5.10/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch b/queue-5.10/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch new file mode 100644 index 00000000000..963cb09cdb7 --- /dev/null +++ b/queue-5.10/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch @@ -0,0 +1,62 @@ +From e1b78791073acd0b13da23f7079abe23aeb31d67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 10:19:55 -0800 +Subject: drm/msm/dpu: Ratelimit framedone timeout msgs + +From: Rob Clark + +[ Upstream commit 2b72e50c62de60ad2d6bcd86aa38d4ccbdd633f2 ] + +When we start getting these, we get a *lot*. So ratelimit it to not +flood dmesg. + +Signed-off-by: Rob Clark +Reviewed-by: Abhinav Kumar +Reviewed-by: Marijn Suijten +Patchwork: https://patchwork.freedesktop.org/patch/571584/ +Link: https://lore.kernel.org/r/20231211182000.218088-1-robdclark@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 5 ++++- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +index 408fc6c8a6df..44033a639419 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -45,6 +45,9 @@ + (p) ? ((p)->hw_pp ? (p)->hw_pp->idx - PINGPONG_0 : -1) : -1, \ + ##__VA_ARGS__) + ++#define DPU_ERROR_ENC_RATELIMITED(e, fmt, ...) DPU_ERROR_RATELIMITED("enc%d " fmt,\ ++ (e) ? (e)->base.base.id : -1, ##__VA_ARGS__) ++ + /* + * Two to anticipate panels that can do cmd/vid dynamic switching + * plan is to create all possible physical encoder types, and switch between +@@ -2135,7 +2138,7 @@ static void dpu_encoder_frame_done_timeout(struct timer_list *t) + return; + } + +- DPU_ERROR_ENC(dpu_enc, "frame done timeout\n"); ++ DPU_ERROR_ENC_RATELIMITED(dpu_enc, "frame done timeout\n"); + + event = DPU_ENCODER_FRAME_EVENT_ERROR; + trace_dpu_enc_frame_done_timeout(DRMID(drm_enc), event); +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h +index 1c0e4c0c9ffb..bb7c7e437242 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h +@@ -52,6 +52,7 @@ + } while (0) + + #define DPU_ERROR(fmt, ...) pr_err("[dpu error]" fmt, ##__VA_ARGS__) ++#define DPU_ERROR_RATELIMITED(fmt, ...) pr_err_ratelimited("[dpu error]" fmt, ##__VA_ARGS__) + + /** + * ktime_compare_safe - compare two ktime structures +-- +2.43.0 + diff --git a/queue-5.10/drm-using-mul_u32_u32-requires-linux-math64.h.patch b/queue-5.10/drm-using-mul_u32_u32-requires-linux-math64.h.patch new file mode 100644 index 00000000000..f6bfa3e6d99 --- /dev/null +++ b/queue-5.10/drm-using-mul_u32_u32-requires-linux-math64.h.patch @@ -0,0 +1,45 @@ +From 15aefc05571da4bf4c51fa2bbbd38f96295f9781 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:34 +1100 +Subject: drm: using mul_u32_u32() requires linux/math64.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Rothwell + +[ Upstream commit 933a2a376fb3f22ba4774f74233571504ac56b02 ] + +Some pending include file cleanups produced this error: + +In file included from include/linux/kernel.h:27, + from drivers/gpu/ipu-v3/ipu-dp.c:7: +include/drm/drm_color_mgmt.h: In function 'drm_color_lut_extract': +include/drm/drm_color_mgmt.h:45:46: error: implicit declaration of function 'mul_u32_u32' [-Werror=implicit-function-declaration] + 45 | return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(user_input, (1 << bit_precision) - 1), + | ^~~~~~~~~~~ + +Fixes: c6fbb6bca108 ("drm: Fix color LUT rounding") +Signed-off-by: Stephen Rothwell +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20231219145734.13e40e1e@canb.auug.org.au +Signed-off-by: Sasha Levin +--- + include/drm/drm_color_mgmt.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/drm/drm_color_mgmt.h b/include/drm/drm_color_mgmt.h +index 54b2b2467bfd..ed81741036d7 100644 +--- a/include/drm/drm_color_mgmt.h ++++ b/include/drm/drm_color_mgmt.h +@@ -24,6 +24,7 @@ + #define __DRM_COLOR_MGMT_H__ + + #include ++#include + #include + + struct drm_crtc; +-- +2.43.0 + diff --git a/queue-5.10/ecryptfs-reject-casefold-directory-inodes.patch b/queue-5.10/ecryptfs-reject-casefold-directory-inodes.patch new file mode 100644 index 00000000000..57aba0309ad --- /dev/null +++ b/queue-5.10/ecryptfs-reject-casefold-directory-inodes.patch @@ -0,0 +1,46 @@ +From 33dbd685deb6a9736e092d5bb2a58aea0ccfd057 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 14:38:12 -0400 +Subject: ecryptfs: Reject casefold directory inodes + +From: Gabriel Krisman Bertazi + +[ Upstream commit cd72c7ef5fed44272272a105b1da22810c91be69 ] + +Even though it seems to be able to resolve some names of +case-insensitive directories, the lack of d_hash and d_compare means we +end up with a broken state in the d_cache. Considering it was never a +goal to support these two together, and we are preparing to use +d_revalidate in case-insensitive filesystems, which would make the +combination even more broken, reject any attempt to get a casefolded +inode from ecryptfs. + +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + fs/ecryptfs/inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c +index e23752d9a79f..c867a0d62f36 100644 +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -76,6 +76,14 @@ static struct inode *__ecryptfs_get_inode(struct inode *lower_inode, + + if (lower_inode->i_sb != ecryptfs_superblock_to_lower(sb)) + return ERR_PTR(-EXDEV); ++ ++ /* Reject dealing with casefold directories. */ ++ if (IS_CASEFOLDED(lower_inode)) { ++ pr_err_ratelimited("%s: Can't handle casefolded directory.\n", ++ __func__); ++ return ERR_PTR(-EREMOTE); ++ } ++ + if (!igrab(lower_inode)) + return ERR_PTR(-ESTALE); + inode = iget5_locked(sb, (unsigned long)lower_inode, +-- +2.43.0 + diff --git a/queue-5.10/ext4-avoid-online-resizing-failures-due-to-oversized.patch b/queue-5.10/ext4-avoid-online-resizing-failures-due-to-oversized.patch new file mode 100644 index 00000000000..760e272098a --- /dev/null +++ b/queue-5.10/ext4-avoid-online-resizing-failures-due-to-oversized.patch @@ -0,0 +1,133 @@ +From a5cae33b1c1b65ad750fea08a6aa40605609f9cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 09:30:56 +0800 +Subject: ext4: avoid online resizing failures due to oversized flex bg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +[ Upstream commit 5d1935ac02ca5aee364a449a35e2977ea84509b0 ] + +When we online resize an ext4 filesystem with a oversized flexbg_size, + + mkfs.ext4 -F -G 67108864 $dev -b 4096 100M + mount $dev $dir + resize2fs $dev 16G + +the following WARN_ON is triggered: +================================================================== +WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550 +Modules linked in: sg(E) +CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314 +RIP: 0010:__alloc_pages+0x411/0x550 +Call Trace: + + __kmalloc_large_node+0xa2/0x200 + __kmalloc+0x16e/0x290 + ext4_resize_fs+0x481/0xd80 + __ext4_ioctl+0x1616/0x1d90 + ext4_ioctl+0x12/0x20 + __x64_sys_ioctl+0xf0/0x150 + do_syscall_64+0x3b/0x90 +================================================================== + +This is because flexbg_size is too large and the size of the new_group_data +array to be allocated exceeds MAX_ORDER. Currently, the minimum value of +MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding +maximum number of groups that can be allocated is: + + (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845 + +And the value that is down-aligned to the power of 2 is 16384. Therefore, +this value is defined as MAX_RESIZE_BG, and the number of groups added +each time does not exceed this value during resizing, and is added multiple +times to complete the online resizing. The difference is that the metadata +in a flex_bg may be more dispersed. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231023013057.2117948-4-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 66ce3d118203..06e0eaf2ea4e 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -227,10 +227,17 @@ struct ext4_new_flex_group_data { + in the flex group */ + __u16 *bg_flags; /* block group flags of groups + in @groups */ ++ ext4_group_t resize_bg; /* number of allocated ++ new_group_data */ + ext4_group_t count; /* number of groups in @groups + */ + }; + ++/* ++ * Avoiding memory allocation failures due to too many groups added each time. ++ */ ++#define MAX_RESIZE_BG 16384 ++ + /* + * alloc_flex_gd() allocates a ext4_new_flex_group_data with size of + * @flexbg_size. +@@ -245,14 +252,18 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size) + if (flex_gd == NULL) + goto out3; + +- flex_gd->count = flexbg_size; +- flex_gd->groups = kmalloc_array(flexbg_size, ++ if (unlikely(flexbg_size > MAX_RESIZE_BG)) ++ flex_gd->resize_bg = MAX_RESIZE_BG; ++ else ++ flex_gd->resize_bg = flexbg_size; ++ ++ flex_gd->groups = kmalloc_array(flex_gd->resize_bg, + sizeof(struct ext4_new_group_data), + GFP_NOFS); + if (flex_gd->groups == NULL) + goto out2; + +- flex_gd->bg_flags = kmalloc_array(flexbg_size, sizeof(__u16), ++ flex_gd->bg_flags = kmalloc_array(flex_gd->resize_bg, sizeof(__u16), + GFP_NOFS); + if (flex_gd->bg_flags == NULL) + goto out1; +@@ -1559,8 +1570,7 @@ static int ext4_flex_group_add(struct super_block *sb, + + static int ext4_setup_next_flex_gd(struct super_block *sb, + struct ext4_new_flex_group_data *flex_gd, +- ext4_fsblk_t n_blocks_count, +- unsigned int flexbg_size) ++ ext4_fsblk_t n_blocks_count) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; +@@ -1584,7 +1594,7 @@ static int ext4_setup_next_flex_gd(struct super_block *sb, + BUG_ON(last); + ext4_get_group_no_and_offset(sb, n_blocks_count - 1, &n_group, &last); + +- last_group = group | (flexbg_size - 1); ++ last_group = group | (flex_gd->resize_bg - 1); + if (last_group > n_group) + last_group = n_group; + +@@ -2081,8 +2091,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + /* Add flex groups. Note that a regular group is a + * flex group with 1 group. + */ +- while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count, +- flexbg_size)) { ++ while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count)) { + if (jiffies - last_update_time > HZ * 10) { + if (last_update_time) + ext4_msg(sb, KERN_INFO, +-- +2.43.0 + diff --git a/queue-5.10/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch b/queue-5.10/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch new file mode 100644 index 00000000000..9da756e3b75 --- /dev/null +++ b/queue-5.10/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch @@ -0,0 +1,66 @@ +From e7a183fa1dd2314ab0e490849a15ac75935354ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 09:09:19 +0800 +Subject: ext4: fix inconsistent between segment fstrim and full fstrim + +From: Ye Bin + +[ Upstream commit 68da4c44b994aea797eb9821acb3a4a36015293e ] + +Suppose we issue two FITRIM ioctls for ranges [0,15] and [16,31] with +mininum length of trimmed range set to 8 blocks. If we have say a range of +blocks 10-22 free, this range will not be trimmed because it straddles the +boundary of the two FITRIM ranges and neither part is big enough. This is a +bit surprising to some users that call FITRIM on smaller ranges of blocks +to limit impact on the system. Also XFS trims all free space extents that +overlap with the specified range so we are inconsistent among filesystems. +Let's change ext4_try_to_trim_range() to consider for trimming the whole +free space extent that straddles the end of specified range, not just the +part of it within the range. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231216010919.1995851-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 39d03e0ef78b..9bec75847b85 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5916,13 +5916,15 @@ static int ext4_try_to_trim_range(struct super_block *sb, + struct ext4_buddy *e4b, ext4_grpblk_t start, + ext4_grpblk_t max, ext4_grpblk_t minblocks) + { +- ext4_grpblk_t next, count, free_count; ++ ext4_grpblk_t next, count, free_count, last, origin_start; + bool set_trimmed = false; + void *bitmap; + ++ last = ext4_last_grp_cluster(sb, e4b->bd_group); + bitmap = e4b->bd_bitmap; +- if (start == 0 && max >= ext4_last_grp_cluster(sb, e4b->bd_group)) ++ if (start == 0 && max >= last) + set_trimmed = true; ++ origin_start = start; + start = max(e4b->bd_info->bb_first_free, start); + count = 0; + free_count = 0; +@@ -5931,7 +5933,10 @@ static int ext4_try_to_trim_range(struct super_block *sb, + start = mb_find_next_zero_bit(bitmap, max + 1, start); + if (start > max) + break; +- next = mb_find_next_bit(bitmap, max + 1, start); ++ ++ next = mb_find_next_bit(bitmap, last + 1, start); ++ if (origin_start == 0 && next >= last) ++ set_trimmed = true; + + if ((next - start) >= minblocks) { + int ret = ext4_trim_extent(sb, start, next - start, e4b); +-- +2.43.0 + diff --git a/queue-5.10/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch b/queue-5.10/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch new file mode 100644 index 00000000000..05667664b9d --- /dev/null +++ b/queue-5.10/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch @@ -0,0 +1,44 @@ +From 0c22ee8c6f15e4aa0052082e31262cf531ee0566 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 09:30:55 +0800 +Subject: ext4: remove unnecessary check from alloc_flex_gd() + +From: Baokun Li + +[ Upstream commit b099eb87de105cf07cad731ded6fb40b2675108b ] + +In commit 967ac8af4475 ("ext4: fix potential integer overflow in +alloc_flex_gd()"), an overflow check is added to alloc_flex_gd() to +prevent the allocated memory from being smaller than expected due to +the overflow. However, after kmalloc() is replaced with kmalloc_array() +in commit 6da2ec56059c ("treewide: kmalloc() -> kmalloc_array()"), the +kmalloc_array() function has an overflow check, so the above problem +will not occur. Therefore, the extra check is removed. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231023013057.2117948-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 96d278688fd7..66ce3d118203 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -245,10 +245,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size) + if (flex_gd == NULL) + goto out3; + +- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data)) +- goto out2; + flex_gd->count = flexbg_size; +- + flex_gd->groups = kmalloc_array(flexbg_size, + sizeof(struct ext4_new_group_data), + GFP_NOFS); +-- +2.43.0 + diff --git a/queue-5.10/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch b/queue-5.10/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch new file mode 100644 index 00000000000..449d4bb1a6a --- /dev/null +++ b/queue-5.10/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch @@ -0,0 +1,89 @@ +From 6a32cc48394ced15827dc1b3c53890049ef17c1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 09:30:54 +0800 +Subject: ext4: unify the type of flexbg_size to unsigned int + +From: Baokun Li + +[ Upstream commit 658a52344fb139f9531e7543a6e0015b630feb38 ] + +The maximum value of flexbg_size is 2^31, but the maximum value of int +is (2^31 - 1), so overflow may occur when the type of flexbg_size is +declared as int. + +For example, when uninit_mask is initialized in ext4_alloc_group_tables(), +if flexbg_size == 2^31, the initialized uninit_mask is incorrect, and this +may causes set_flexbg_block_bitmap() to trigger a BUG_ON(). + +Therefore, the flexbg_size type is declared as unsigned int to avoid +overflow and memory waste. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231023013057.2117948-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 9b4199a1e039..96d278688fd7 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -237,7 +237,7 @@ struct ext4_new_flex_group_data { + * + * Returns NULL on failure otherwise address of the allocated structure. + */ +-static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) ++static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size) + { + struct ext4_new_flex_group_data *flex_gd; + +@@ -292,7 +292,7 @@ static void free_flex_gd(struct ext4_new_flex_group_data *flex_gd) + */ + static int ext4_alloc_group_tables(struct super_block *sb, + struct ext4_new_flex_group_data *flex_gd, +- int flexbg_size) ++ unsigned int flexbg_size) + { + struct ext4_new_group_data *group_data = flex_gd->groups; + ext4_fsblk_t start_blk; +@@ -393,12 +393,12 @@ static int ext4_alloc_group_tables(struct super_block *sb, + group = group_data[0].group; + + printk(KERN_DEBUG "EXT4-fs: adding a flex group with " +- "%d groups, flexbg size is %d:\n", flex_gd->count, ++ "%u groups, flexbg size is %u:\n", flex_gd->count, + flexbg_size); + + for (i = 0; i < flex_gd->count; i++) { + ext4_debug( +- "adding %s group %u: %u blocks (%d free, %d mdata blocks)\n", ++ "adding %s group %u: %u blocks (%u free, %u mdata blocks)\n", + ext4_bg_has_super(sb, group + i) ? "normal" : + "no-super", group + i, + group_data[i].blocks_count, +@@ -1563,7 +1563,7 @@ static int ext4_flex_group_add(struct super_block *sb, + static int ext4_setup_next_flex_gd(struct super_block *sb, + struct ext4_new_flex_group_data *flex_gd, + ext4_fsblk_t n_blocks_count, +- unsigned long flexbg_size) ++ unsigned int flexbg_size) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; +@@ -1941,8 +1941,9 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + ext4_fsblk_t o_blocks_count; + ext4_fsblk_t n_blocks_count_retry = 0; + unsigned long last_update_time = 0; +- int err = 0, flexbg_size = 1 << sbi->s_log_groups_per_flex; ++ int err = 0; + int meta_bg; ++ unsigned int flexbg_size = ext4_flex_bg_size(sbi); + + /* See if the device is actually as big as what was requested */ + bh = ext4_sb_bread(sb, n_blocks_count - 1, 0); +-- +2.43.0 + diff --git a/queue-5.10/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch b/queue-5.10/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch new file mode 100644 index 00000000000..095512a30c5 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch @@ -0,0 +1,69 @@ +From 870dcbf40411c47ec8939f327cbf431b1296cb44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Nov 2023 14:25:56 +0800 +Subject: f2fs: fix to check return value of f2fs_reserve_new_block() + +From: Chao Yu + +[ Upstream commit 956fa1ddc132e028f3b7d4cf17e6bfc8cb36c7fd ] + +Let's check return value of f2fs_reserve_new_block() in do_recover_data() +rather than letting it fails silently. + +Also refactoring check condition on return value of f2fs_reserve_new_block() +as below: +- trigger f2fs_bug_on() only for ENOSPC case; +- use do-while statement to avoid redundant codes; + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/recovery.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index c3c527afdd07..2700e0fdd3e0 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -641,7 +641,16 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, + */ + if (dest == NEW_ADDR) { + f2fs_truncate_data_blocks_range(&dn, 1); +- f2fs_reserve_new_block(&dn); ++ do { ++ err = f2fs_reserve_new_block(&dn); ++ if (err == -ENOSPC) { ++ f2fs_bug_on(sbi, 1); ++ break; ++ } ++ } while (err && ++ IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)); ++ if (err) ++ goto err; + continue; + } + +@@ -649,12 +658,14 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, + if (f2fs_is_valid_blkaddr(sbi, dest, META_POR)) { + + if (src == NULL_ADDR) { +- err = f2fs_reserve_new_block(&dn); +- while (err && +- IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)) ++ do { + err = f2fs_reserve_new_block(&dn); +- /* We should not get -ENOSPC */ +- f2fs_bug_on(sbi, err); ++ if (err == -ENOSPC) { ++ f2fs_bug_on(sbi, 1); ++ break; ++ } ++ } while (err && ++ IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)); + if (err) + goto err; + } +-- +2.43.0 + diff --git a/queue-5.10/f2fs-fix-write-pointers-on-zoned-device-after-roll-f.patch b/queue-5.10/f2fs-fix-write-pointers-on-zoned-device-after-roll-f.patch new file mode 100644 index 00000000000..edbfdbde018 --- /dev/null +++ b/queue-5.10/f2fs-fix-write-pointers-on-zoned-device-after-roll-f.patch @@ -0,0 +1,37 @@ +From 58376bb6c5136defc9a202a0749f36936c874e3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Dec 2023 00:08:57 -0800 +Subject: f2fs: fix write pointers on zoned device after roll forward + +From: Jaegeuk Kim + +[ Upstream commit 9dad4d964291295ef48243d4e03972b85138bc9f ] + +1. do roll forward recovery +2. update current segments pointers +3. fix the entire zones' write pointers +4. do checkpoint + +Reviewed-by: Daeho Jeong +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/recovery.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index 2700e0fdd3e0..cd56af93df42 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -855,6 +855,8 @@ int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only) + if (!err && fix_curseg_write_pointer && !f2fs_readonly(sbi->sb) && + f2fs_sb_has_blkzoned(sbi)) { + err = f2fs_fix_curseg_write_pointer(sbi); ++ if (!err) ++ err = f2fs_check_write_pointer(sbi); + ret = err; + } + +-- +2.43.0 + diff --git a/queue-5.10/fast_dput-handle-underflows-gracefully.patch b/queue-5.10/fast_dput-handle-underflows-gracefully.patch new file mode 100644 index 00000000000..2b9bcc795c7 --- /dev/null +++ b/queue-5.10/fast_dput-handle-underflows-gracefully.patch @@ -0,0 +1,78 @@ +From c870288e0b13b9c5f347dd833d3eab80f16acfe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 01:08:54 -0400 +Subject: fast_dput(): handle underflows gracefully + +From: Al Viro + +[ Upstream commit 504e08cebe1d4e1efe25f915234f646e74a364a8 ] + +If refcount is less than 1, we should just warn, unlock dentry and +return true, so that the caller doesn't try to do anything else. + +Taking care of that leaves the rest of "lockref_put_return() has +failed" case equivalent to "decrement refcount and rejoin the +normal slow path after the point where we grab ->d_lock". + +NOTE: lockref_put_return() is strictly a fastpath thing - unlike +the rest of lockref primitives, it does not contain a fallback. +Caller (and it looks like fast_dput() is the only legitimate one +in the entire kernel) has to do that itself. Reasons for +lockref_put_return() failures: + * ->d_lock held by somebody + * refcount <= 0 + * ... or an architecture not supporting lockref use of +cmpxchg - sparc, anything non-SMP, config with spinlock debugging... + +We could add a fallback, but it would be a clumsy API - we'd have +to distinguish between: + (1) refcount > 1 - decremented, lock not held on return + (2) refcount < 1 - left alone, probably no sense to hold the lock + (3) refcount is 1, no cmphxcg - decremented, lock held on return + (4) refcount is 1, cmphxcg supported - decremented, lock *NOT* held + on return. +We want to return with no lock held in case (4); that's the whole point of that +thing. We very much do not want to have the fallback in case (3) return without +a lock, since the caller might have to retake it in that case. +So it wouldn't be more convenient than doing the fallback in the caller and +it would be very easy to screw up, especially since the test coverage would +suck - no way to test (3) and (4) on the same kernel build. + +Reviewed-by: Christian Brauner +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/dcache.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/dcache.c b/fs/dcache.c +index ea0485861d93..976c7474d62a 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -759,12 +759,12 @@ static inline bool fast_dput(struct dentry *dentry) + */ + if (unlikely(ret < 0)) { + spin_lock(&dentry->d_lock); +- if (dentry->d_lockref.count > 1) { +- dentry->d_lockref.count--; ++ if (WARN_ON_ONCE(dentry->d_lockref.count <= 0)) { + spin_unlock(&dentry->d_lock); + return true; + } +- return false; ++ dentry->d_lockref.count--; ++ goto locked; + } + + /* +@@ -815,6 +815,7 @@ static inline bool fast_dput(struct dentry *dentry) + * else could have killed it and marked it dead. Either way, we + * don't need to do anything else. + */ ++locked: + if (dentry->d_lockref.count) { + spin_unlock(&dentry->d_lock); + return true; +-- +2.43.0 + diff --git a/queue-5.10/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch b/queue-5.10/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch new file mode 100644 index 00000000000..74c629cc037 --- /dev/null +++ b/queue-5.10/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch @@ -0,0 +1,99 @@ +From 3ffb2e81bce7b461801d9cd019dea3b00160e702 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 23:46:37 +0500 +Subject: FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree + +From: Osama Muhammad + +[ Upstream commit 9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68 ] + +Syzkaller reported the following issue: + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6 +index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]') +CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 + dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 + dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 + dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] + dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 + txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 + txUpdateMap+0x342/0x9e0 + txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] + jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 + kthread+0x2d3/0x370 kernel/kthread.c:388 + ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +================================================================================ +Kernel panic - not syncing: UBSAN: panic_on_warn set ... +CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + panic+0x30f/0x770 kernel/panic.c:340 + check_panic_on_warn+0x82/0xa0 kernel/panic.c:236 + ubsan_epilogue lib/ubsan.c:223 [inline] + __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348 + dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 + dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 + dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 + dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] + dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 + txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 + txUpdateMap+0x342/0x9e0 + txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] + jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 + kthread+0x2d3/0x370 kernel/kthread.c:388 + ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +Kernel Offset: disabled +Rebooting in 86400 seconds.. + +The issue is caused when the value of lp becomes greater than +CTLTREESIZE which is the max size of stree. Adding a simple check +solves this issue. + +Dave: +As the function returns a void, good error handling +would require a more intrusive code reorganization, so I modified +Osama's patch at use WARN_ON_ONCE for lack of a cleaner option. + +The patch is tested via syzbot. + +Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb +Signed-off-by: Osama Muhammad +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 72eb5ed54c2a..985beb1c654d 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2935,6 +2935,9 @@ static void dbAdjTree(dmtree_t * tp, int leafno, int newval) + /* is the current value the same as the old value ? if so, + * there is nothing to do. + */ ++ if (WARN_ON_ONCE(lp >= CTLTREESIZE)) ++ return; ++ + if (tp->dmt_stree[lp] == newval) + return; + +-- +2.43.0 + diff --git a/queue-5.10/fs-kernfs-dir-obey-s_isgid.patch b/queue-5.10/fs-kernfs-dir-obey-s_isgid.patch new file mode 100644 index 00000000000..f24e618ae18 --- /dev/null +++ b/queue-5.10/fs-kernfs-dir-obey-s_isgid.patch @@ -0,0 +1,58 @@ +From 860ea09b901b3fb6d409b7b785912cac53804eb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 10:33:10 +0100 +Subject: fs/kernfs/dir: obey S_ISGID + +From: Max Kellermann + +[ Upstream commit 5133bee62f0ea5d4c316d503cc0040cac5637601 ] + +Handling of S_ISGID is usually done by inode_init_owner() in all other +filesystems, but kernfs doesn't use that function. In kernfs, struct +kernfs_node is the primary data structure, and struct inode is only +created from it on demand. Therefore, inode_init_owner() can't be +used and we need to imitate its behavior. + +S_ISGID support is useful for the cgroup filesystem; it allows +subtrees managed by an unprivileged process to retain a certain owner +gid, which then enables sharing access to the subtree with another +unprivileged process. + +-- +v1 -> v2: minor coding style fix (comment) + +Signed-off-by: Max Kellermann +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20231208093310.297233-2-max.kellermann@ionos.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/kernfs/dir.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c +index c91ee05cce74..0ba056e06e48 100644 +--- a/fs/kernfs/dir.c ++++ b/fs/kernfs/dir.c +@@ -696,6 +696,18 @@ struct kernfs_node *kernfs_new_node(struct kernfs_node *parent, + { + struct kernfs_node *kn; + ++ if (parent->mode & S_ISGID) { ++ /* this code block imitates inode_init_owner() for ++ * kernfs ++ */ ++ ++ if (parent->iattr) ++ gid = parent->iattr->ia_gid; ++ ++ if (flags & KERNFS_DIR) ++ mode |= S_ISGID; ++ } ++ + kn = __kernfs_new_node(kernfs_root(parent), parent, + name, mode, uid, gid, flags); + if (kn) { +-- +2.43.0 + diff --git a/queue-5.10/hexagon-make-pfn-accessors-statics-inlines.patch b/queue-5.10/hexagon-make-pfn-accessors-statics-inlines.patch new file mode 100644 index 00000000000..2e08a11edd8 --- /dev/null +++ b/queue-5.10/hexagon-make-pfn-accessors-statics-inlines.patch @@ -0,0 +1,68 @@ +From 239406643c60bd7c448c5b3a1ef1138ac2c4cb90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Nov 2023 14:28:15 +0100 +Subject: Hexagon: Make pfn accessors statics inlines + +From: Linus Walleij + +[ Upstream commit d6e81532b10d8deb2bc30f7b44f09534876893e3 ] + +Making virt_to_pfn() a static inline taking a strongly typed +(const void *) makes the contract of a passing a pointer of that +type to the function explicit and exposes any misuse of the +macro virt_to_pfn() acting polymorphic and accepting many types +such as (void *), (unitptr_t) or (unsigned long) as arguments +without warnings. + +For symmetry do the same with pfn_to_virt(). + +For compiletime resolution of __pa() we need PAGE_OFFSET which +was not available to __pa() and resolved by the preprocessor +wherever __pa() was used. Fix this by explicitly including + where required, following the pattern of the +architectures page.h file. + +Acked-by: Brian Cain +Signed-off-by: Linus Walleij +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/hexagon/include/asm/page.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/arch/hexagon/include/asm/page.h b/arch/hexagon/include/asm/page.h +index 7cbf719c578e..2d8c681c3469 100644 +--- a/arch/hexagon/include/asm/page.h ++++ b/arch/hexagon/include/asm/page.h +@@ -78,6 +78,9 @@ typedef struct page *pgtable_t; + #define __pgd(x) ((pgd_t) { (x) }) + #define __pgprot(x) ((pgprot_t) { (x) }) + ++/* Needed for PAGE_OFFSET used in the macro right below */ ++#include ++ + /* + * We need a __pa and a __va routine for kernel space. + * MIPS says they're only used during mem_init. +@@ -126,8 +129,16 @@ static inline void clear_page(void *page) + */ + #define page_to_phys(page) (page_to_pfn(page) << PAGE_SHIFT) + +-#define virt_to_pfn(kaddr) (__pa(kaddr) >> PAGE_SHIFT) +-#define pfn_to_virt(pfn) __va((pfn) << PAGE_SHIFT) ++static inline unsigned long virt_to_pfn(const void *kaddr) ++{ ++ return __pa(kaddr) >> PAGE_SHIFT; ++} ++ ++static inline void *pfn_to_virt(unsigned long pfn) ++{ ++ return (void *)((unsigned long)__va(pfn) << PAGE_SHIFT); ++} ++ + + #define page_to_virt(page) __va(page_to_phys(page)) + +-- +2.43.0 + diff --git a/queue-5.10/hwmon-pc87360-bounds-check-data-innr-usage.patch b/queue-5.10/hwmon-pc87360-bounds-check-data-innr-usage.patch new file mode 100644 index 00000000000..11a4a91f2e8 --- /dev/null +++ b/queue-5.10/hwmon-pc87360-bounds-check-data-innr-usage.patch @@ -0,0 +1,60 @@ +From 870b52ed1cd6d610437943c732fdf45c6396c6c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 12:02:07 -0800 +Subject: hwmon: (pc87360) Bounds check data->innr usage + +From: Kees Cook + +[ Upstream commit 4265eb062a7303e537ab3792ade31f424c3c5189 ] + +Without visibility into the initializers for data->innr, GCC suspects +using it as an index could walk off the end of the various 14-element +arrays in data. Perform an explicit clamp to the array size. Silences +the following warning with GCC 12+: + +../drivers/hwmon/pc87360.c: In function 'pc87360_update_device': +../drivers/hwmon/pc87360.c:341:49: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] + 341 | data->in_max[i] = pc87360_read_value(data, + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ + 342 | LD_IN, i, + | ~~~~~~~~~ + 343 | PC87365_REG_IN_MAX); + | ~~~~~~~~~~~~~~~~~~~ +../drivers/hwmon/pc87360.c:209:12: note: at offset 255 into destination object 'in_max' of size 14 + 209 | u8 in_max[14]; /* Register value */ + | ^~~~~~ + +Cc: Jim Cromie +Cc: Jean Delvare +Cc: Guenter Roeck +Cc: linux-hwmon@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20231130200207.work.679-kees@kernel.org +[groeck: Added comment into code clarifying context] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pc87360.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pc87360.c b/drivers/hwmon/pc87360.c +index 94f4b8b4a2ba..0cf603c8c9f9 100644 +--- a/drivers/hwmon/pc87360.c ++++ b/drivers/hwmon/pc87360.c +@@ -1605,7 +1605,11 @@ static struct pc87360_data *pc87360_update_device(struct device *dev) + } + + /* Voltages */ +- for (i = 0; i < data->innr; i++) { ++ /* ++ * The min() below does not have any practical meaning and is ++ * only needed to silence a warning observed with gcc 12+. ++ */ ++ for (i = 0; i < min(data->innr, ARRAY_SIZE(data->in)); i++) { + data->in_status[i] = pc87360_read_value(data, LD_IN, i, + PC87365_REG_IN_STATUS); + /* Clear bits */ +-- +2.43.0 + diff --git a/queue-5.10/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch b/queue-5.10/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch new file mode 100644 index 00000000000..02e46481386 --- /dev/null +++ b/queue-5.10/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch @@ -0,0 +1,59 @@ +From 30d15f2face6d238f84aa0d4e517943c8c8e4f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Dec 2023 14:41:23 +0530 +Subject: i3c: master: cdns: Update maximum prescaler value for i2c clock + +From: Harshit Shah + +[ Upstream commit 374c13f9080a1b9835a5ed3e7bea93cf8e2dc262 ] + +As per the Cadence IP document fixed the I2C clock divider value limit from +16 bits instead of 10 bits. Without this change setting up the I2C clock to +low frequencies will not work as the prescaler value might be greater than +10 bit number. + +I3C clock divider value is 10 bits only. Updating the macro names for both. + +Signed-off-by: Harshit Shah +Link: https://lore.kernel.org/r/1703927483-28682-1-git-send-email-harshitshah.opendev@gmail.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/i3c-master-cdns.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c +index 6b9df33ac561..6b126fce5a9e 100644 +--- a/drivers/i3c/master/i3c-master-cdns.c ++++ b/drivers/i3c/master/i3c-master-cdns.c +@@ -77,7 +77,8 @@ + #define PRESCL_CTRL0 0x14 + #define PRESCL_CTRL0_I2C(x) ((x) << 16) + #define PRESCL_CTRL0_I3C(x) (x) +-#define PRESCL_CTRL0_MAX GENMASK(9, 0) ++#define PRESCL_CTRL0_I3C_MAX GENMASK(9, 0) ++#define PRESCL_CTRL0_I2C_MAX GENMASK(15, 0) + + #define PRESCL_CTRL1 0x18 + #define PRESCL_CTRL1_PP_LOW_MASK GENMASK(15, 8) +@@ -1234,7 +1235,7 @@ static int cdns_i3c_master_bus_init(struct i3c_master_controller *m) + return -EINVAL; + + pres = DIV_ROUND_UP(sysclk_rate, (bus->scl_rate.i3c * 4)) - 1; +- if (pres > PRESCL_CTRL0_MAX) ++ if (pres > PRESCL_CTRL0_I3C_MAX) + return -ERANGE; + + bus->scl_rate.i3c = sysclk_rate / ((pres + 1) * 4); +@@ -1247,7 +1248,7 @@ static int cdns_i3c_master_bus_init(struct i3c_master_controller *m) + max_i2cfreq = bus->scl_rate.i2c; + + pres = (sysclk_rate / (max_i2cfreq * 5)) - 1; +- if (pres > PRESCL_CTRL0_MAX) ++ if (pres > PRESCL_CTRL0_I2C_MAX) + return -ERANGE; + + bus->scl_rate.i2c = sysclk_rate / ((pres + 1) * 5); +-- +2.43.0 + diff --git a/queue-5.10/i40e-fix-vf-disable-behavior-to-block-all-traffic.patch b/queue-5.10/i40e-fix-vf-disable-behavior-to-block-all-traffic.patch new file mode 100644 index 00000000000..5c7887b5e0b --- /dev/null +++ b/queue-5.10/i40e-fix-vf-disable-behavior-to-block-all-traffic.patch @@ -0,0 +1,123 @@ +From fef7bae14069a09fda40b481b7e9be207ec28355 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 15:24:12 +0100 +Subject: i40e: Fix VF disable behavior to block all traffic + +From: Andrii Staikov + +[ Upstream commit 31deb12e85c35ddd2c037f0107d05d8674cab2c0 ] + +Currently, if a VF is disabled using the +'ip link set dev $ETHX vf $VF_NUM state disable' command, the VF is still +able to receive traffic. + +Fix the behavior of the 'ip link set dev $ETHX vf $VF_NUM state disable' +to completely shutdown the VF's queues making it entirely disabled and +not able to receive or send any traffic. + +Modify the behavior of the 'ip link set $ETHX vf $VF_NUM state enable' +command to make a VF do reinitialization bringing the queues back up. + +Co-developed-by: Aleksandr Loktionov +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Jan Sokolowski +Reviewed-by: Wojciech Drewek +Reviewed-by: Przemek Kitszel +Signed-off-by: Andrii Staikov +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 32 +++++++++++++++++++ + .../ethernet/intel/i40e/i40e_virtchnl_pf.h | 1 + + 2 files changed, 33 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 7b0ed15f4df3..f79795cc9152 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -2545,6 +2545,14 @@ static int i40e_vc_enable_queues_msg(struct i40e_vf *vf, u8 *msg) + i40e_status aq_ret = 0; + int i; + ++ if (vf->is_disabled_from_host) { ++ aq_ret = -EPERM; ++ dev_info(&pf->pdev->dev, ++ "Admin has disabled VF %d, will not enable queues\n", ++ vf->vf_id); ++ goto error_param; ++ } ++ + if (!test_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states)) { + aq_ret = I40E_ERR_PARAM; + goto error_param; +@@ -4587,9 +4595,12 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link) + struct i40e_pf *pf = np->vsi->back; + struct virtchnl_pf_event pfe; + struct i40e_hw *hw = &pf->hw; ++ struct i40e_vsi *vsi; ++ unsigned long q_map; + struct i40e_vf *vf; + int abs_vf_id; + int ret = 0; ++ int tmp; + + if (test_and_set_bit(__I40E_VIRTCHNL_OP_PENDING, pf->state)) { + dev_warn(&pf->pdev->dev, "Unable to configure VFs, other operation is pending.\n"); +@@ -4612,6 +4623,9 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link) + switch (link) { + case IFLA_VF_LINK_STATE_AUTO: + vf->link_forced = false; ++ vf->is_disabled_from_host = false; ++ /* reset needed to reinit VF resources */ ++ i40e_vc_reset_vf(vf, true); + pfe.event_data.link_event.link_status = + pf->hw.phy.link_info.link_info & I40E_AQ_LINK_UP; + pfe.event_data.link_event.link_speed = +@@ -4621,6 +4635,9 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link) + case IFLA_VF_LINK_STATE_ENABLE: + vf->link_forced = true; + vf->link_up = true; ++ vf->is_disabled_from_host = false; ++ /* reset needed to reinit VF resources */ ++ i40e_vc_reset_vf(vf, true); + pfe.event_data.link_event.link_status = true; + pfe.event_data.link_event.link_speed = VIRTCHNL_LINK_SPEED_40GB; + break; +@@ -4629,6 +4646,21 @@ int i40e_ndo_set_vf_link_state(struct net_device *netdev, int vf_id, int link) + vf->link_up = false; + pfe.event_data.link_event.link_status = false; + pfe.event_data.link_event.link_speed = 0; ++ ++ vsi = pf->vsi[vf->lan_vsi_idx]; ++ q_map = BIT(vsi->num_queue_pairs) - 1; ++ ++ vf->is_disabled_from_host = true; ++ ++ /* Try to stop both Tx&Rx rings even if one of the calls fails ++ * to ensure we stop the rings even in case of errors. ++ * If any of them returns with an error then the first ++ * error that occurred will be returned. ++ */ ++ tmp = i40e_ctrl_vf_tx_rings(vsi, q_map, false); ++ ret = i40e_ctrl_vf_rx_rings(vsi, q_map, false); ++ ++ ret = tmp ? tmp : ret; + break; + default: + ret = -EINVAL; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +index bd497cc5303a..97e9c34d7c6c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +@@ -98,6 +98,7 @@ struct i40e_vf { + bool link_forced; + bool link_up; /* only valid if VF link is forced */ + bool spoofchk; ++ bool is_disabled_from_host; /* PF ctrl of VF enable/disable */ + u16 num_vlan; + + /* ADq related variables */ +-- +2.43.0 + diff --git a/queue-5.10/ib-ipoib-fix-mcast-list-locking.patch b/queue-5.10/ib-ipoib-fix-mcast-list-locking.patch new file mode 100644 index 00000000000..a261d14b9b2 --- /dev/null +++ b/queue-5.10/ib-ipoib-fix-mcast-list-locking.patch @@ -0,0 +1,94 @@ +From 83b96c3e85f1212ff4075f246d6df943c4ca2836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 09:07:45 +0100 +Subject: IB/ipoib: Fix mcast list locking + +From: Daniel Vacek + +[ Upstream commit 4f973e211b3b1c6d36f7c6a19239d258856749f9 ] + +Releasing the `priv->lock` while iterating the `priv->multicast_list` in +`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to +remove the items while in the middle of iteration. If the mcast is removed +while the lock was dropped, the for loop spins forever resulting in a hard +lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel): + + Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below) + -----------------------------------+----------------------------------- + ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work) + spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...) + list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev) + &priv->multicast_list, list) | + ipoib_mcast_join(dev, mcast) | + spin_unlock_irq(&priv->lock) | + | spin_lock_irqsave(&priv->lock, flags) + | list_for_each_entry_safe(mcast, tmcast, + | &priv->multicast_list, list) + | list_del(&mcast->list); + | list_add_tail(&mcast->list, &remove_list) + | spin_unlock_irqrestore(&priv->lock, flags) + spin_lock_irq(&priv->lock) | + | ipoib_mcast_remove_list(&remove_list) + (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast, + `priv->multicast_list` and we keep | remove_list, list) + spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done) + the other thread which is blocked | + and the list is still valid on | + it's stack.) + +Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent +eventual sleeps. +Unfortunately we could not reproduce the lockup and confirm this fix but +based on the code review I think this fix should address such lockups. + +crash> bc 31 +PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2" +-- + [exception RIP: ipoib_mcast_join_task+0x1b1] + RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002 + RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000 + work (&priv->mcast_task{,.work}) + RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 + &mcast->list + RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000 + R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 + mcast + R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 + dev priv (&priv->lock) &priv->multicast_list (aka head) + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +index 5633809dc61e..e009123c703b 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -542,21 +542,17 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast) + /* SM supports sendonly-fullmember, otherwise fallback to full-member */ + rec.join_state = SENDONLY_FULLMEMBER_JOIN; + } +- spin_unlock_irq(&priv->lock); + + multicast = ib_sa_join_multicast(&ipoib_sa_client, priv->ca, priv->port, +- &rec, comp_mask, GFP_KERNEL, ++ &rec, comp_mask, GFP_ATOMIC, + ipoib_mcast_join_complete, mcast); +- spin_lock_irq(&priv->lock); + if (IS_ERR(multicast)) { + ret = PTR_ERR(multicast); + ipoib_warn(priv, "ib_sa_join_multicast failed, status %d\n", ret); + /* Requeue this join task with a backoff delay */ + __ipoib_mcast_schedule_join_thread(priv, mcast, 1); + clear_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); +- spin_unlock_irq(&priv->lock); + complete(&mcast->done); +- spin_lock_irq(&priv->lock); + return ret; + } + return 0; +-- +2.43.0 + diff --git a/queue-5.10/ionic-pass-opcode-to-devcmd_wait.patch b/queue-5.10/ionic-pass-opcode-to-devcmd_wait.patch new file mode 100644 index 00000000000..63b67d52dcf --- /dev/null +++ b/queue-5.10/ionic-pass-opcode-to-devcmd_wait.patch @@ -0,0 +1,63 @@ +From d6f816720b1484be9ee6dc1fa80217c0b0b1e0e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 10:57:57 -0800 +Subject: ionic: pass opcode to devcmd_wait + +From: Shannon Nelson + +[ Upstream commit 24f110240c03c6b5368f1203bac72883d511e606 ] + +Don't rely on the PCI memory for the devcmd opcode because we +read a 0xff value if the PCI bus is broken, which can cause us +to report a bogus dev_cmd opcode later. + +Signed-off-by: Shannon Nelson +Reviewed-by: Brett Creeley +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_dev.c | 1 + + drivers/net/ethernet/pensando/ionic/ionic_dev.h | 1 + + drivers/net/ethernet/pensando/ionic/ionic_main.c | 2 +- + 3 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.c b/drivers/net/ethernet/pensando/ionic/ionic_dev.c +index dc5fbc2704f3..b5f681918f6e 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.c +@@ -200,6 +200,7 @@ void ionic_dev_cmd_comp(struct ionic_dev *idev, union ionic_dev_cmd_comp *comp) + + void ionic_dev_cmd_go(struct ionic_dev *idev, union ionic_dev_cmd *cmd) + { ++ idev->opcode = cmd->cmd.opcode; + memcpy_toio(&idev->dev_cmd_regs->cmd, cmd, sizeof(*cmd)); + iowrite32(0, &idev->dev_cmd_regs->done); + iowrite32(1, &idev->dev_cmd_regs->doorbell); +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +index 64d27e8e0772..1ce0d307a9d0 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h ++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h +@@ -136,6 +136,7 @@ struct ionic_dev { + unsigned long last_hb_time; + u32 last_hb; + u8 last_fw_status; ++ u8 opcode; + + u64 __iomem *db_pages; + dma_addr_t phy_db_pages; +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_main.c b/drivers/net/ethernet/pensando/ionic/ionic_main.c +index 00b6985edea0..694e710244e6 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_main.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_main.c +@@ -333,7 +333,7 @@ int ionic_dev_cmd_wait(struct ionic *ionic, unsigned long max_seconds) + */ + max_wait = jiffies + (max_seconds * HZ); + try_again: +- opcode = readb(&idev->dev_cmd_regs->cmd.cmd.opcode); ++ opcode = idev->opcode; + start_time = jiffies; + do { + done = ionic_dev_cmd_done(idev); +-- +2.43.0 + diff --git a/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch new file mode 100644 index 00000000000..2d24adc93d7 --- /dev/null +++ b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch @@ -0,0 +1,237 @@ +From 215f0cf378169883bb3433bd3f794c14f70380f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2023 17:33:56 +0530 +Subject: jfs: fix array-index-out-of-bounds in dbAdjTree + +From: Manas Ghandat + +[ Upstream commit 74ecdda68242b174920fe7c6133a856fb7d8559b ] + +Currently there is a bound check missing in the dbAdjTree while +accessing the dmt_stree. To add the required check added the bool is_ctl +which is required to determine the size as suggest in the following +commit. +https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/ + +Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb +Signed-off-by: Manas Ghandat +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 60 ++++++++++++++++++++++++----------------------- + 1 file changed, 31 insertions(+), 29 deletions(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 985beb1c654d..9b6849b9bfdb 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -63,10 +63,10 @@ + */ + static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + int nblocks); +-static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval); +-static int dbBackSplit(dmtree_t * tp, int leafno); +-static int dbJoin(dmtree_t * tp, int leafno, int newval); +-static void dbAdjTree(dmtree_t * tp, int leafno, int newval); ++static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl); ++static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl); ++static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl); ++static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl); + static int dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, + int level); + static int dbAllocAny(struct bmap * bmp, s64 nblocks, int l2nb, s64 * results); +@@ -2171,7 +2171,7 @@ static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno, + * system. + */ + if (dp->tree.stree[word] == NOFREE) +- dbBackSplit((dmtree_t *) & dp->tree, word); ++ dbBackSplit((dmtree_t *)&dp->tree, word, false); + + dbAllocBits(bmp, dp, blkno, nblocks); + } +@@ -2257,7 +2257,7 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + * the binary system of the leaves if need be. + */ + dbSplit(tp, word, BUDMIN, +- dbMaxBud((u8 *) & dp->wmap[word])); ++ dbMaxBud((u8 *)&dp->wmap[word]), false); + + word += 1; + } else { +@@ -2297,7 +2297,7 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + * system of the leaves to reflect the current + * allocation (size). + */ +- dbSplit(tp, word, size, NOFREE); ++ dbSplit(tp, word, size, NOFREE, false); + + /* get the number of dmap words handled */ + nw = BUDSIZE(size, BUDMIN); +@@ -2404,7 +2404,7 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + /* update the leaf for this dmap word. + */ + rc = dbJoin(tp, word, +- dbMaxBud((u8 *) & dp->wmap[word])); ++ dbMaxBud((u8 *)&dp->wmap[word]), false); + if (rc) + return rc; + +@@ -2437,7 +2437,7 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + + /* update the leaf. + */ +- rc = dbJoin(tp, word, size); ++ rc = dbJoin(tp, word, size, false); + if (rc) + return rc; + +@@ -2589,14 +2589,14 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + * that it is at the front of a binary buddy system. + */ + if (oldval == NOFREE) { +- rc = dbBackSplit((dmtree_t *) dcp, leafno); ++ rc = dbBackSplit((dmtree_t *)dcp, leafno, true); + if (rc) + return rc; + oldval = dcp->stree[ti]; + } +- dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval); ++ dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval, true); + } else { +- rc = dbJoin((dmtree_t *) dcp, leafno, newval); ++ rc = dbJoin((dmtree_t *) dcp, leafno, newval, true); + if (rc) + return rc; + } +@@ -2625,7 +2625,7 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + */ + if (alloc) { + dbJoin((dmtree_t *) dcp, leafno, +- oldval); ++ oldval, true); + } else { + /* the dbJoin() above might have + * caused a larger binary buddy system +@@ -2635,9 +2635,9 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + */ + if (dcp->stree[ti] == NOFREE) + dbBackSplit((dmtree_t *) +- dcp, leafno); ++ dcp, leafno, true); + dbSplit((dmtree_t *) dcp, leafno, +- dcp->budmin, oldval); ++ dcp->budmin, oldval, true); + } + + /* release the buffer and return the error. +@@ -2685,7 +2685,7 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + * + * serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit; + */ +-static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) ++static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl) + { + int budsz; + int cursz; +@@ -2707,7 +2707,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) + while (cursz >= splitsz) { + /* update the buddy's leaf with its new value. + */ +- dbAdjTree(tp, leafno ^ budsz, cursz); ++ dbAdjTree(tp, leafno ^ budsz, cursz, is_ctl); + + /* on to the next size and buddy. + */ +@@ -2719,7 +2719,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) + /* adjust the dmap tree to reflect the specified leaf's new + * value. + */ +- dbAdjTree(tp, leafno, newval); ++ dbAdjTree(tp, leafno, newval, is_ctl); + } + + +@@ -2750,7 +2750,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) + * + * serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit; + */ +-static int dbBackSplit(dmtree_t * tp, int leafno) ++static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl) + { + int budsz, bud, w, bsz, size; + int cursz; +@@ -2801,7 +2801,7 @@ static int dbBackSplit(dmtree_t * tp, int leafno) + * system in two. + */ + cursz = leaf[bud] - 1; +- dbSplit(tp, bud, cursz, cursz); ++ dbSplit(tp, bud, cursz, cursz, is_ctl); + break; + } + } +@@ -2829,7 +2829,7 @@ static int dbBackSplit(dmtree_t * tp, int leafno) + * + * RETURN VALUES: none + */ +-static int dbJoin(dmtree_t * tp, int leafno, int newval) ++static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl) + { + int budsz, buddy; + s8 *leaf; +@@ -2884,12 +2884,12 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval) + if (leafno < buddy) { + /* leafno is the left buddy. + */ +- dbAdjTree(tp, buddy, NOFREE); ++ dbAdjTree(tp, buddy, NOFREE, is_ctl); + } else { + /* buddy is the left buddy and becomes + * leafno. + */ +- dbAdjTree(tp, leafno, NOFREE); ++ dbAdjTree(tp, leafno, NOFREE, is_ctl); + leafno = buddy; + } + +@@ -2902,7 +2902,7 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval) + + /* update the leaf value. + */ +- dbAdjTree(tp, leafno, newval); ++ dbAdjTree(tp, leafno, newval, is_ctl); + + return 0; + } +@@ -2923,21 +2923,23 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval) + * + * RETURN VALUES: none + */ +-static void dbAdjTree(dmtree_t * tp, int leafno, int newval) ++static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) + { + int lp, pp, k; +- int max; ++ int max, size; ++ ++ size = is_ctl ? CTLTREESIZE : TREESIZE; + + /* pick up the index of the leaf for this leafno. + */ + lp = leafno + le32_to_cpu(tp->dmt_leafidx); + ++ if (WARN_ON_ONCE(lp >= size || lp < 0)) ++ return; ++ + /* is the current value the same as the old value ? if so, + * there is nothing to do. + */ +- if (WARN_ON_ONCE(lp >= CTLTREESIZE)) +- return; +- + if (tp->dmt_stree[lp] == newval) + return; + +-- +2.43.0 + diff --git a/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dinewext.patch b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dinewext.patch new file mode 100644 index 00000000000..116baa31477 --- /dev/null +++ b/queue-5.10/jfs-fix-array-index-out-of-bounds-in-dinewext.patch @@ -0,0 +1,78 @@ +From 316f0a238d13fdb3eefb70d2120f61e6f75cfa6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 09:36:22 +0800 +Subject: jfs: fix array-index-out-of-bounds in diNewExt + +From: Edward Adam Davis + +[ Upstream commit 49f9637aafa6e63ba686c13cb8549bf5e6920402 ] + +[Syz report] +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2 +index -878706688 is out of range for type 'struct iagctl[128]' +CPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360 + diAllocExt fs/jfs/jfs_imap.c:1949 [inline] + diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666 + diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587 + ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56 + jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225 + vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106 + do_mkdirat+0x264/0x3a0 fs/namei.c:4129 + __do_sys_mkdir fs/namei.c:4149 [inline] + __se_sys_mkdir fs/namei.c:4147 [inline] + __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7fcb7e6a0b57 +Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053 +RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57 +RDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140 +RBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +[Analysis] +When the agstart is too large, it can cause agno overflow. + +[Fix] +After obtaining agno, if the value is invalid, exit the subsequent process. + +Reported-and-tested-by: syzbot+553d90297e6d2f50dbc7@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis + +Modified the test from agno > MAXAG to agno >= MAXAG based on linux-next +report by kernel test robot (Dan Carpenter). + +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index 14f918a4831d..b0965f3ef186 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -2181,6 +2181,9 @@ static int diNewExt(struct inomap * imap, struct iag * iagp, int extno) + /* get the ag and iag numbers for this iag. + */ + agno = BLKTOAG(le64_to_cpu(iagp->agstart), sbi); ++ if (agno >= MAXAG || agno < 0) ++ return -EIO; ++ + iagno = le32_to_cpu(iagp->iagnum); + + /* check if this is the last free extent within the +-- +2.43.0 + diff --git a/queue-5.10/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch b/queue-5.10/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch new file mode 100644 index 00000000000..793cb9d1a07 --- /dev/null +++ b/queue-5.10/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch @@ -0,0 +1,45 @@ +From 371e45c09fa6482fe421cf54441993181c197ba6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 11:39:07 +0530 +Subject: jfs: fix slab-out-of-bounds Read in dtSearch + +From: Manas Ghandat + +[ Upstream commit fa5492ee89463a7590a1449358002ff7ef63529f ] + +Currently while searching for current page in the sorted entry table +of the page there is a out of bound access. Added a bound check to fix +the error. + +Dave: +Set return code to -EIO + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202310241724.Ed02yUz9-lkp@intel.com/ +Signed-off-by: Manas Ghandat +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index fafcb90219cf..a222a9d71887 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -633,6 +633,11 @@ int dtSearch(struct inode *ip, struct component_name * key, ino_t * data, + for (base = 0, lim = p->header.nextindex; lim; lim >>= 1) { + index = base + (lim >> 1); + ++ if (stbl[index] < 0) { ++ rc = -EIO; ++ goto out; ++ } ++ + if (p->header.flag & BT_LEAF) { + /* uppercase leaf name to compare */ + cmp = +-- +2.43.0 + diff --git a/queue-5.10/jfs-fix-uaf-in-jfs_evict_inode.patch b/queue-5.10/jfs-fix-uaf-in-jfs_evict_inode.patch new file mode 100644 index 00000000000..ebd4090aa8b --- /dev/null +++ b/queue-5.10/jfs-fix-uaf-in-jfs_evict_inode.patch @@ -0,0 +1,50 @@ +From e0b4add42d09720d1c544045e038565d6722ab2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 13:39:04 +0800 +Subject: jfs: fix uaf in jfs_evict_inode + +From: Edward Adam Davis + +[ Upstream commit e0e1958f4c365e380b17ccb35617345b31ef7bf3 ] + +When the execution of diMount(ipimap) fails, the object ipimap that has been +released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs +when rcu_core() calls jfs_free_node(). + +Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as +ipimap. + +Reported-and-tested-by: syzbot+01cf2dbcbe2022454388@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_mount.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c +index aa4ff7bcaff2..55702b31ab3c 100644 +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -172,15 +172,15 @@ int jfs_mount(struct super_block *sb) + } + jfs_info("jfs_mount: ipimap:0x%p", ipimap); + +- /* map further access of per fileset inodes by the fileset inode */ +- sbi->ipimap = ipimap; +- + /* initialize fileset inode allocation map */ + if ((rc = diMount(ipimap))) { + jfs_err("jfs_mount: diMount failed w/rc = %d", rc); + goto err_ipimap; + } + ++ /* map further access of per fileset inodes by the fileset inode */ ++ sbi->ipimap = ipimap; ++ + return rc; + + /* +-- +2.43.0 + diff --git a/queue-5.10/kvm-s390-fix-setting-of-fpc-register.patch b/queue-5.10/kvm-s390-fix-setting-of-fpc-register.patch new file mode 100644 index 00000000000..dad616a0c59 --- /dev/null +++ b/queue-5.10/kvm-s390-fix-setting-of-fpc-register.patch @@ -0,0 +1,70 @@ +From c28022224ade93104480c1946cbae4823fb39d93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 18:56:00 +0100 +Subject: KVM: s390: fix setting of fpc register + +From: Heiko Carstens + +[ Upstream commit b988b1bb0053c0dcd26187d29ef07566a565cf55 ] + +kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control +(fpc) register of a guest cpu. The new value is tested for validity by +temporarily loading it into the fpc register. + +This may lead to corruption of the fpc register of the host process: +if an interrupt happens while the value is temporarily loaded into the fpc +register, and within interrupt context floating point or vector registers +are used, the current fp/vx registers are saved with save_fpu_regs() +assuming they belong to user space and will be loaded into fp/vx registers +when returning to user space. + +test_fp_ctl() restores the original user space / host process fpc register +value, however it will be discarded, when returning to user space. + +In result the host process will incorrectly continue to run with the value +that was supposed to be used for a guest cpu. + +Fix this by simply removing the test. There is another test right before +the SIE context is entered which will handles invalid values. + +This results in a change of behaviour: invalid values will now be accepted +instead of that the ioctl fails with -EINVAL. This seems to be acceptable, +given that this interface is most likely not used anymore, and this is in +addition the same behaviour implemented with the memory mapped interface +(replace invalid values with zero) - see sync_regs() in kvm-s390.c. + +Reviewed-by: Christian Borntraeger +Reviewed-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 7a326d03087a..f6c27b44766f 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3649,10 +3649,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) + + vcpu_load(vcpu); + +- if (test_fp_ctl(fpu->fpc)) { +- ret = -EINVAL; +- goto out; +- } + vcpu->run->s.regs.fpc = fpu->fpc; + if (MACHINE_HAS_VX) + convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs, +@@ -3660,7 +3656,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) + else + memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs)); + +-out: + vcpu_put(vcpu); + return ret; + } +-- +2.43.0 + diff --git a/queue-5.10/leds-trigger-panic-don-t-register-panic-notifier-if-.patch b/queue-5.10/leds-trigger-panic-don-t-register-panic-notifier-if-.patch new file mode 100644 index 00000000000..a8b5beea41b --- /dev/null +++ b/queue-5.10/leds-trigger-panic-don-t-register-panic-notifier-if-.patch @@ -0,0 +1,43 @@ +From b2eefa29bc93129e471a7e0069cce49711394a3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 21:05:33 +0100 +Subject: leds: trigger: panic: Don't register panic notifier if creating the + trigger failed + +From: Heiner Kallweit + +[ Upstream commit afacb21834bb02785ddb0c3ec197208803b74faa ] + +It doesn't make sense to register the panic notifier if creating the +panic trigger failed. + +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/8a61e229-5388-46c7-919a-4d18cc7362b2@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/trigger/ledtrig-panic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/trigger/ledtrig-panic.c b/drivers/leds/trigger/ledtrig-panic.c +index 5751cd032f9d..4bf232465dfd 100644 +--- a/drivers/leds/trigger/ledtrig-panic.c ++++ b/drivers/leds/trigger/ledtrig-panic.c +@@ -63,10 +63,13 @@ static long led_panic_blink(int state) + + static int __init ledtrig_panic_init(void) + { ++ led_trigger_register_simple("panic", &trigger); ++ if (!trigger) ++ return -ENOMEM; ++ + atomic_notifier_chain_register(&panic_notifier_list, + &led_trigger_panic_nb); + +- led_trigger_register_simple("panic", &trigger); + panic_blink = led_panic_blink; + return 0; + } +-- +2.43.0 + diff --git a/queue-5.10/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch b/queue-5.10/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch new file mode 100644 index 00000000000..9b3c42a0d3c --- /dev/null +++ b/queue-5.10/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch @@ -0,0 +1,73 @@ +From 8cced0065821117fbd6f203f7f0c47d8add550df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 11:39:47 +0800 +Subject: libbpf: Fix NULL pointer dereference in + bpf_object__collect_prog_relos + +From: Mingyi Zhang + +[ Upstream commit fc3a5534e2a8855427403113cbeb54af5837bbe0 ] + +An issue occurred while reading an ELF file in libbpf.c during fuzzing: + + Program received signal SIGSEGV, Segmentation fault. + 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + 4206 in libbpf.c + (gdb) bt + #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706 + #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437 + #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497 + #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16 + #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one () + #6 0x000000000087ad92 in tracing::span::Span::in_scope () + #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir () + #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} () + #9 0x00000000005f2601 in main () + (gdb) + +scn_data was null at this code(tools/lib/bpf/src/libbpf.c): + + if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) { + +The scn_data is derived from the code above: + + scn = elf_sec_by_idx(obj, sec_idx); + scn_data = elf_sec_data(obj, scn); + + relo_sec_name = elf_sec_str(obj, shdr->sh_name); + sec_name = elf_sec_name(obj, scn); + if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL + return -EINVAL; + +In certain special scenarios, such as reading a malformed ELF file, +it is possible that scn_data may be a null pointer + +Signed-off-by: Mingyi Zhang +Signed-off-by: Xin Liu +Signed-off-by: Changye Wu +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@huawei.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 015ed8253f73..0cbb1b43065f 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -3514,6 +3514,8 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, GElf_Shdr *shdr, Elf_Data + __u32 insn_idx; + GElf_Sym sym; + GElf_Rel rel; ++ if (!scn_data) ++ return -LIBBPF_ERRNO__FORMAT; + + relo_sec_name = elf_sec_str(obj, shdr->sh_name); + sec_name = elf_sec_name(obj, elf_sec_by_idx(obj, sec_idx)); +-- +2.43.0 + diff --git a/queue-5.10/libsubcmd-fix-memory-leak-in-uniq.patch b/queue-5.10/libsubcmd-fix-memory-leak-in-uniq.patch new file mode 100644 index 00000000000..8f6096a200e --- /dev/null +++ b/queue-5.10/libsubcmd-fix-memory-leak-in-uniq.patch @@ -0,0 +1,62 @@ +From c99e765e6df250a1c27d2a6631c3547422883539 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 16:05:13 -0800 +Subject: libsubcmd: Fix memory leak in uniq() + +From: Ian Rogers + +[ Upstream commit ad30469a841b50dbb541df4d6971d891f703c297 ] + +uniq() will write one command name over another causing the overwritten +string to be leaked. Fix by doing a pass that removes duplicates and a +second that removes the holes. + +Signed-off-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Chenyuan Mi +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231208000515.1693746-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/subcmd/help.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c +index bf02d62a3b2b..42f57b640f11 100644 +--- a/tools/lib/subcmd/help.c ++++ b/tools/lib/subcmd/help.c +@@ -50,11 +50,21 @@ void uniq(struct cmdnames *cmds) + if (!cmds->cnt) + return; + +- for (i = j = 1; i < cmds->cnt; i++) +- if (strcmp(cmds->names[i]->name, cmds->names[i-1]->name)) +- cmds->names[j++] = cmds->names[i]; +- ++ for (i = 1; i < cmds->cnt; i++) { ++ if (!strcmp(cmds->names[i]->name, cmds->names[i-1]->name)) ++ zfree(&cmds->names[i - 1]); ++ } ++ for (i = 0, j = 0; i < cmds->cnt; i++) { ++ if (cmds->names[i]) { ++ if (i == j) ++ j++; ++ else ++ cmds->names[j++] = cmds->names[i]; ++ } ++ } + cmds->cnt = j; ++ while (j < i) ++ cmds->names[j++] = NULL; + } + + void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes) +-- +2.43.0 + diff --git a/queue-5.10/md-whenassemble-the-array-consult-the-superblock-of-.patch b/queue-5.10/md-whenassemble-the-array-consult-the-superblock-of-.patch new file mode 100644 index 00000000000..9a667f5ae01 --- /dev/null +++ b/queue-5.10/md-whenassemble-the-array-consult-the-superblock-of-.patch @@ -0,0 +1,155 @@ +From 3369f553ae8bf6ac8e79542124e1ecd3dc25099b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:24:31 +0200 +Subject: md: Whenassemble the array, consult the superblock of the freshest + device + +From: Alex Lyakas + +[ Upstream commit dc1cc22ed58f11d58d8553c5ec5f11cbfc3e3039 ] + +Upon assembling the array, both kernel and mdadm allow the devices to have event +counter difference of 1, and still consider them as up-to-date. +However, a device whose event count is behind by 1, may in fact not be up-to-date, +and array resync with such a device may cause data corruption. +To avoid this, consult the superblock of the freshest device about the status +of a device, whose event counter is behind by 1. + +Signed-off-by: Alex Lyakas +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/1702470271-16073-1-git-send-email-alex.lyakas@zadara.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 54 ++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 44 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 6efe49f7bdf5..03d2e31dda2f 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -1179,6 +1179,7 @@ struct super_type { + struct md_rdev *refdev, + int minor_version); + int (*validate_super)(struct mddev *mddev, ++ struct md_rdev *freshest, + struct md_rdev *rdev); + void (*sync_super)(struct mddev *mddev, + struct md_rdev *rdev); +@@ -1317,8 +1318,9 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor + + /* + * validate_super for 0.90.0 ++ * note: we are not using "freshest" for 0.9 superblock + */ +-static int super_90_validate(struct mddev *mddev, struct md_rdev *rdev) ++static int super_90_validate(struct mddev *mddev, struct md_rdev *freshest, struct md_rdev *rdev) + { + mdp_disk_t *desc; + mdp_super_t *sb = page_address(rdev->sb_page); +@@ -1833,7 +1835,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_ + return ret; + } + +-static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev) ++static int super_1_validate(struct mddev *mddev, struct md_rdev *freshest, struct md_rdev *rdev) + { + struct mdp_superblock_1 *sb = page_address(rdev->sb_page); + __u64 ev1 = le64_to_cpu(sb->events); +@@ -1929,13 +1931,15 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev) + } + } else if (mddev->pers == NULL) { + /* Insist of good event counter while assembling, except for +- * spares (which don't need an event count) */ +- ++ev1; ++ * spares (which don't need an event count). ++ * Similar to mdadm, we allow event counter difference of 1 ++ * from the freshest device. ++ */ + if (rdev->desc_nr >= 0 && + rdev->desc_nr < le32_to_cpu(sb->max_dev) && + (le16_to_cpu(sb->dev_roles[rdev->desc_nr]) < MD_DISK_ROLE_MAX || + le16_to_cpu(sb->dev_roles[rdev->desc_nr]) == MD_DISK_ROLE_JOURNAL)) +- if (ev1 < mddev->events) ++ if (ev1 + 1 < mddev->events) + return -EINVAL; + } else if (mddev->bitmap) { + /* If adding to array with a bitmap, then we can accept an +@@ -1956,8 +1960,38 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev) + rdev->desc_nr >= le32_to_cpu(sb->max_dev)) { + role = MD_DISK_ROLE_SPARE; + rdev->desc_nr = -1; +- } else ++ } else if (mddev->pers == NULL && freshest && ev1 < mddev->events) { ++ /* ++ * If we are assembling, and our event counter is smaller than the ++ * highest event counter, we cannot trust our superblock about the role. ++ * It could happen that our rdev was marked as Faulty, and all other ++ * superblocks were updated with +1 event counter. ++ * Then, before the next superblock update, which typically happens when ++ * remove_and_add_spares() removes the device from the array, there was ++ * a crash or reboot. ++ * If we allow current rdev without consulting the freshest superblock, ++ * we could cause data corruption. ++ * Note that in this case our event counter is smaller by 1 than the ++ * highest, otherwise, this rdev would not be allowed into array; ++ * both kernel and mdadm allow event counter difference of 1. ++ */ ++ struct mdp_superblock_1 *freshest_sb = page_address(freshest->sb_page); ++ u32 freshest_max_dev = le32_to_cpu(freshest_sb->max_dev); ++ ++ if (rdev->desc_nr >= freshest_max_dev) { ++ /* this is unexpected, better not proceed */ ++ pr_warn("md: %s: rdev[%pg]: desc_nr(%d) >= freshest(%pg)->sb->max_dev(%u)\n", ++ mdname(mddev), rdev->bdev, rdev->desc_nr, ++ freshest->bdev, freshest_max_dev); ++ return -EUCLEAN; ++ } ++ ++ role = le16_to_cpu(freshest_sb->dev_roles[rdev->desc_nr]); ++ pr_debug("md: %s: rdev[%pg]: role=%d(0x%x) according to freshest %pg\n", ++ mdname(mddev), rdev->bdev, role, role, freshest->bdev); ++ } else { + role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]); ++ } + switch(role) { + case MD_DISK_ROLE_SPARE: /* spare */ + break; +@@ -2896,7 +2930,7 @@ static int add_bound_rdev(struct md_rdev *rdev) + * and should be added immediately. + */ + super_types[mddev->major_version]. +- validate_super(mddev, rdev); ++ validate_super(mddev, NULL/*freshest*/, rdev); + if (add_journal) + mddev_suspend(mddev); + err = mddev->pers->hot_add_disk(mddev, rdev); +@@ -3814,7 +3848,7 @@ static int analyze_sbs(struct mddev *mddev) + } + + super_types[mddev->major_version]. +- validate_super(mddev, freshest); ++ validate_super(mddev, NULL/*freshest*/, freshest); + + i = 0; + rdev_for_each_safe(rdev, tmp, mddev) { +@@ -3829,7 +3863,7 @@ static int analyze_sbs(struct mddev *mddev) + } + if (rdev != freshest) { + if (super_types[mddev->major_version]. +- validate_super(mddev, rdev)) { ++ validate_super(mddev, freshest, rdev)) { + pr_warn("md: kicking non-fresh %s from array!\n", + bdevname(rdev->bdev,b)); + md_kick_rdev_from_array(rdev); +@@ -6817,7 +6851,7 @@ int md_add_new_disk(struct mddev *mddev, struct mdu_disk_info_s *info) + rdev->saved_raid_disk = rdev->raid_disk; + } else + super_types[mddev->major_version]. +- validate_super(mddev, rdev); ++ validate_super(mddev, NULL/*freshest*/, rdev); + if ((info->state & (1<raid_disk != info->raid_disk) { + /* This was a hot-add request, but events doesn't +-- +2.43.0 + diff --git a/queue-5.10/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch b/queue-5.10/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch new file mode 100644 index 00000000000..d33f457f640 --- /dev/null +++ b/queue-5.10/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch @@ -0,0 +1,34 @@ +From 282c8bb85021b4f7424cd16d2bd3938876356cf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 17:17:23 +0800 +Subject: media: ddbridge: fix an error code problem in ddb_probe + +From: Su Hui + +[ Upstream commit 09b4195021be69af1e1936cca995712a6d0f2562 ] + +Error code is assigned to 'stat', return 'stat' rather than '-1'. + +Signed-off-by: Su Hui +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ddbridge/ddbridge-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/ddbridge/ddbridge-main.c b/drivers/media/pci/ddbridge/ddbridge-main.c +index 03dc9924fa2c..bb7fb6402d6e 100644 +--- a/drivers/media/pci/ddbridge/ddbridge-main.c ++++ b/drivers/media/pci/ddbridge/ddbridge-main.c +@@ -247,7 +247,7 @@ static int ddb_probe(struct pci_dev *pdev, + ddb_unmap(dev); + pci_set_drvdata(pdev, NULL); + pci_disable_device(pdev); +- return -1; ++ return stat; + } + + /****************************************************************************/ +-- +2.43.0 + diff --git a/queue-5.10/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch b/queue-5.10/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch new file mode 100644 index 00000000000..d4648fbc9ba --- /dev/null +++ b/queue-5.10/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch @@ -0,0 +1,74 @@ +From 77b48efe551f1385bb9522ed8a07925b121d82f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 13:00:22 +0200 +Subject: media: rockchip: rga: fix swizzling for RGB formats + +From: Michael Tretter + +[ Upstream commit 9e7dc39260edac180c206bb6149595a40eabae3e ] + +When using 32 bit RGB formats, the RGA on the rk3568 produces wrong +colors as the wrong color channels are read or written. The reason is +that the format description for the channel swizzeling is wrong and the +wrong bits are configured. For example, when converting ARGB32 to NV12, +the alpha channel is used as blue channel.. This doesn't happen if the +color format is the same on both sides. + +Fix the color_swap settings of the formats to correctly handle 32 bit +RGB formats. + +For RGA_COLOR_FMT_XBGR8888, the RGA_COLOR_ALPHA_SWAP bit doesn't have an +effect. Thus, it isn't possible to handle the V4L2_PIX_FMT_XRGB32. Thus, +it is removed from the list of supported formats. + +Signed-off-by: Michael Tretter +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rga/rga.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c +index e3246344fb72..bcbbd1408b36 100644 +--- a/drivers/media/platform/rockchip/rga/rga.c ++++ b/drivers/media/platform/rockchip/rga/rga.c +@@ -187,25 +187,16 @@ static int rga_setup_ctrls(struct rga_ctx *ctx) + static struct rga_fmt formats[] = { + { + .fourcc = V4L2_PIX_FMT_ARGB32, +- .color_swap = RGA_COLOR_RB_SWAP, ++ .color_swap = RGA_COLOR_ALPHA_SWAP, + .hw_format = RGA_COLOR_FMT_ABGR8888, + .depth = 32, + .uv_factor = 1, + .y_div = 1, + .x_div = 1, + }, +- { +- .fourcc = V4L2_PIX_FMT_XRGB32, +- .color_swap = RGA_COLOR_RB_SWAP, +- .hw_format = RGA_COLOR_FMT_XBGR8888, +- .depth = 32, +- .uv_factor = 1, +- .y_div = 1, +- .x_div = 1, +- }, + { + .fourcc = V4L2_PIX_FMT_ABGR32, +- .color_swap = RGA_COLOR_ALPHA_SWAP, ++ .color_swap = RGA_COLOR_RB_SWAP, + .hw_format = RGA_COLOR_FMT_ABGR8888, + .depth = 32, + .uv_factor = 1, +@@ -214,7 +205,7 @@ static struct rga_fmt formats[] = { + }, + { + .fourcc = V4L2_PIX_FMT_XBGR32, +- .color_swap = RGA_COLOR_ALPHA_SWAP, ++ .color_swap = RGA_COLOR_RB_SWAP, + .hw_format = RGA_COLOR_FMT_XBGR8888, + .depth = 32, + .uv_factor = 1, +-- +2.43.0 + diff --git a/queue-5.10/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch b/queue-5.10/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch new file mode 100644 index 00000000000..355705eed68 --- /dev/null +++ b/queue-5.10/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch @@ -0,0 +1,47 @@ +From 3538a2728d09316690bea3bb646e8c209648acf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Nov 2023 14:32:36 +0530 +Subject: media: stk1160: Fixed high volume of stk1160_dbg messages + +From: Ghanshyam Agrawal + +[ Upstream commit b3695e86d25aafbe175dd51f6aaf6f68d341d590 ] + +The function stk1160_dbg gets called too many times, which causes +the output to get flooded with messages. Since stk1160_dbg uses +printk, it is now replaced with printk_ratelimited. + +Suggested-by: Phillip Potter +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/stk1160/stk1160-video.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c +index 202b084f65a2..4cf540d1b250 100644 +--- a/drivers/media/usb/stk1160/stk1160-video.c ++++ b/drivers/media/usb/stk1160/stk1160-video.c +@@ -107,8 +107,7 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) + + /* + * TODO: These stk1160_dbg are very spammy! +- * We should 1) check why we are getting them +- * and 2) add ratelimit. ++ * We should check why we are getting them. + * + * UPDATE: One of the reasons (the only one?) for getting these + * is incorrect standard (mismatch between expected and configured). +@@ -151,7 +150,7 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) + + /* Let the bug hunt begin! sanity checks! */ + if (lencopy < 0) { +- stk1160_dbg("copy skipped: negative lencopy\n"); ++ printk_ratelimited(KERN_DEBUG "copy skipped: negative lencopy\n"); + return; + } + +-- +2.43.0 + diff --git a/queue-5.10/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch b/queue-5.10/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch new file mode 100644 index 00000000000..e8976e46049 --- /dev/null +++ b/queue-5.10/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch @@ -0,0 +1,35 @@ +From a7a7a96bbbabb422c8fee34d1f700f72d3240007 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 15:56:39 +0000 +Subject: mfd: ti_am335x_tscadc: Fix TI SoC dependencies + +From: Peter Robinson + +[ Upstream commit 284d16c456e5d4b143f375b8ccc4038ab3f4ee0f ] + +The ti_am335x_tscadc is specific to some TI SoCs, update +the dependencies for those SoCs and compile testing. + +Signed-off-by: Peter Robinson +Link: https://lore.kernel.org/r/20231220155643.445849-1-pbrobinson@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/Kconfig b/drivers/mfd/Kconfig +index b8847ae04d93..c5c6608ccc84 100644 +--- a/drivers/mfd/Kconfig ++++ b/drivers/mfd/Kconfig +@@ -1382,6 +1382,7 @@ config MFD_DAVINCI_VOICECODEC + + config MFD_TI_AM335X_TSCADC + tristate "TI ADC / Touch Screen chip support" ++ depends on ARCH_OMAP2PLUS || ARCH_K3 || COMPILE_TEST + select MFD_CORE + select REGMAP + select REGMAP_MMIO +-- +2.43.0 + diff --git a/queue-5.10/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch b/queue-5.10/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch new file mode 100644 index 00000000000..f30c980ec31 --- /dev/null +++ b/queue-5.10/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch @@ -0,0 +1,60 @@ +From 1726aaef9a92ea90ffdf3087d9b6682eed7ab44c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 19:34:02 +0100 +Subject: misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback + +From: Hans de Goede + +[ Upstream commit b1b9f7a494400c0c39f8cd83de3aaa6111c55087 ] + +The lis3lv02d_i2c driver was missing a line to set the lis3_dev's +reg_ctrl callback. + +lis3_reg_ctrl(on) is called from the init callback, but due to +the missing reg_ctrl callback the regulators where never turned off +again leading to the following oops/backtrace when detaching the driver: + +[ 82.313527] ------------[ cut here ]------------ +[ 82.313546] WARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put+0x219/0x230 +... +[ 82.313695] RIP: 0010:_regulator_put+0x219/0x230 +... +[ 82.314767] Call Trace: +[ 82.314770] +[ 82.314772] ? _regulator_put+0x219/0x230 +[ 82.314777] ? __warn+0x81/0x170 +[ 82.314784] ? _regulator_put+0x219/0x230 +[ 82.314791] ? report_bug+0x18d/0x1c0 +[ 82.314801] ? handle_bug+0x3c/0x80 +[ 82.314806] ? exc_invalid_op+0x13/0x60 +[ 82.314812] ? asm_exc_invalid_op+0x16/0x20 +[ 82.314845] ? _regulator_put+0x219/0x230 +[ 82.314857] regulator_bulk_free+0x39/0x60 +[ 82.314865] i2c_device_remove+0x22/0xb0 + +Add the missing setting of the callback so that the regulators +properly get turned off again when not used. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20231224183402.95640-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/lis3lv02d/lis3lv02d_i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c +index 52555d2e824b..ab1db760ba4e 100644 +--- a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c ++++ b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c +@@ -151,6 +151,7 @@ static int lis3lv02d_i2c_probe(struct i2c_client *client, + lis3_dev.init = lis3_i2c_init; + lis3_dev.read = lis3_i2c_read; + lis3_dev.write = lis3_i2c_write; ++ lis3_dev.reg_ctrl = lis3_reg_ctrl; + lis3_dev.irq = client->irq; + lis3_dev.ac = lis3lv02d_axis_map; + lis3_dev.pm_dev = &client->dev; +-- +2.43.0 + diff --git a/queue-5.10/net-dsa-mv88e6xxx-fix-mv88e6352_serdes_get_stats-err.patch b/queue-5.10/net-dsa-mv88e6xxx-fix-mv88e6352_serdes_get_stats-err.patch new file mode 100644 index 00000000000..09d59487ffd --- /dev/null +++ b/queue-5.10/net-dsa-mv88e6xxx-fix-mv88e6352_serdes_get_stats-err.patch @@ -0,0 +1,93 @@ +From 37066a683da0acc1867f90f57a588e3b03996b05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Dec 2023 14:50:24 +0100 +Subject: net: dsa: mv88e6xxx: Fix mv88e6352_serdes_get_stats error path + +From: Tobias Waldekranz + +[ Upstream commit fc82a08ae795ee6b73fb6b50785f7be248bec7b5 ] + +mv88e6xxx_get_stats, which collects stats from various sources, +expects all callees to return the number of stats read. If an error +occurs, 0 should be returned. + +Prevent future mishaps of this kind by updating the return type to +reflect this contract. + +Reviewed-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Signed-off-by: Tobias Waldekranz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.h | 4 ++-- + drivers/net/dsa/mv88e6xxx/serdes.c | 8 ++++---- + drivers/net/dsa/mv88e6xxx/serdes.h | 8 ++++---- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h +index 51a7ff44478e..67e52c481504 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.h ++++ b/drivers/net/dsa/mv88e6xxx/chip.h +@@ -536,8 +536,8 @@ struct mv88e6xxx_ops { + int (*serdes_get_sset_count)(struct mv88e6xxx_chip *chip, int port); + int (*serdes_get_strings)(struct mv88e6xxx_chip *chip, int port, + uint8_t *data); +- int (*serdes_get_stats)(struct mv88e6xxx_chip *chip, int port, +- uint64_t *data); ++ size_t (*serdes_get_stats)(struct mv88e6xxx_chip *chip, int port, ++ uint64_t *data); + + /* SERDES registers for ethtool */ + int (*serdes_get_regs_len)(struct mv88e6xxx_chip *chip, int port); +diff --git a/drivers/net/dsa/mv88e6xxx/serdes.c b/drivers/net/dsa/mv88e6xxx/serdes.c +index 6920e62c864d..9494d75eec62 100644 +--- a/drivers/net/dsa/mv88e6xxx/serdes.c ++++ b/drivers/net/dsa/mv88e6xxx/serdes.c +@@ -314,8 +314,8 @@ static uint64_t mv88e6352_serdes_get_stat(struct mv88e6xxx_chip *chip, + return val; + } + +-int mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, +- uint64_t *data) ++size_t mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, ++ uint64_t *data) + { + struct mv88e6xxx_port *mv88e6xxx_port = &chip->ports[port]; + struct mv88e6352_serdes_hw_stat *stat; +@@ -631,8 +631,8 @@ static uint64_t mv88e6390_serdes_get_stat(struct mv88e6xxx_chip *chip, int lane, + return reg[0] | ((u64)reg[1] << 16) | ((u64)reg[2] << 32); + } + +-int mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, +- uint64_t *data) ++size_t mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, ++ uint64_t *data) + { + struct mv88e6390_serdes_hw_stat *stat; + int lane; +diff --git a/drivers/net/dsa/mv88e6xxx/serdes.h b/drivers/net/dsa/mv88e6xxx/serdes.h +index 14315f26228a..035688659b50 100644 +--- a/drivers/net/dsa/mv88e6xxx/serdes.h ++++ b/drivers/net/dsa/mv88e6xxx/serdes.h +@@ -116,13 +116,13 @@ irqreturn_t mv88e6390_serdes_irq_status(struct mv88e6xxx_chip *chip, int port, + int mv88e6352_serdes_get_sset_count(struct mv88e6xxx_chip *chip, int port); + int mv88e6352_serdes_get_strings(struct mv88e6xxx_chip *chip, + int port, uint8_t *data); +-int mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, +- uint64_t *data); ++size_t mv88e6352_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, ++ uint64_t *data); + int mv88e6390_serdes_get_sset_count(struct mv88e6xxx_chip *chip, int port); + int mv88e6390_serdes_get_strings(struct mv88e6xxx_chip *chip, + int port, uint8_t *data); +-int mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, +- uint64_t *data); ++size_t mv88e6390_serdes_get_stats(struct mv88e6xxx_chip *chip, int port, ++ uint64_t *data); + + int mv88e6352_serdes_get_regs_len(struct mv88e6xxx_chip *chip, int port); + void mv88e6352_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p); +-- +2.43.0 + diff --git a/queue-5.10/net-mvmdio-avoid-excessive-sleeps-in-polled-mode.patch b/queue-5.10/net-mvmdio-avoid-excessive-sleeps-in-polled-mode.patch new file mode 100644 index 00000000000..4a38826ff99 --- /dev/null +++ b/queue-5.10/net-mvmdio-avoid-excessive-sleeps-in-polled-mode.patch @@ -0,0 +1,139 @@ +From 6c1cb4db1450d5c1be6016b7940624d0b52618a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 11:08:10 +0100 +Subject: net: mvmdio: Avoid excessive sleeps in polled mode + +From: Tobias Waldekranz + +[ Upstream commit 7dd12fe34686d89c332b1a05104d18d728591f0a ] + +Before this change, when operating in polled mode, i.e. no IRQ is +available, every individual C45 access would be hit with a 150us sleep +after the bus access. + +For example, on a board with a CN9130 SoC connected to an MV88X3310 +PHY, a single C45 read would take around 165us: + + root@infix:~$ mdio f212a600.mdio-mii mmd 4:1 bench 0xc003 + Performed 1000 reads in 165ms + +By replacing the long sleep with a tighter poll loop, we observe a 10x +increase in bus throughput: + + root@infix:~$ mdio f212a600.mdio-mii mmd 4:1 bench 0xc003 + Performed 1000 reads in 15ms + +Signed-off-by: Tobias Waldekranz +Reviewed-by: Andrew Lunn +Tested-by: Andrew Lunn +Link: https://lore.kernel.org/r/20231204100811.2708884-3-tobias@waldekranz.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvmdio.c | 53 ++++++++------------------- + 1 file changed, 16 insertions(+), 37 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c +index d14762d93640..28967a7b8df2 100644 +--- a/drivers/net/ethernet/marvell/mvmdio.c ++++ b/drivers/net/ethernet/marvell/mvmdio.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -56,11 +57,6 @@ + * - Armada 370 (Globalscale Mirabox): 41us to 43us (Polled) + */ + #define MVMDIO_SMI_TIMEOUT 1000 /* 1000us = 1ms */ +-#define MVMDIO_SMI_POLL_INTERVAL_MIN 45 +-#define MVMDIO_SMI_POLL_INTERVAL_MAX 55 +- +-#define MVMDIO_XSMI_POLL_INTERVAL_MIN 150 +-#define MVMDIO_XSMI_POLL_INTERVAL_MAX 160 + + struct orion_mdio_dev { + void __iomem *regs; +@@ -82,8 +78,6 @@ enum orion_mdio_bus_type { + + struct orion_mdio_ops { + int (*is_done)(struct orion_mdio_dev *); +- unsigned int poll_interval_min; +- unsigned int poll_interval_max; + }; + + /* Wait for the SMI unit to be ready for another operation +@@ -92,34 +86,23 @@ static int orion_mdio_wait_ready(const struct orion_mdio_ops *ops, + struct mii_bus *bus) + { + struct orion_mdio_dev *dev = bus->priv; +- unsigned long timeout = usecs_to_jiffies(MVMDIO_SMI_TIMEOUT); +- unsigned long end = jiffies + timeout; +- int timedout = 0; ++ unsigned long timeout; ++ int done; + +- while (1) { +- if (ops->is_done(dev)) ++ if (dev->err_interrupt <= 0) { ++ if (!read_poll_timeout_atomic(ops->is_done, done, done, 2, ++ MVMDIO_SMI_TIMEOUT, false, dev)) ++ return 0; ++ } else { ++ /* wait_event_timeout does not guarantee a delay of at ++ * least one whole jiffie, so timeout must be no less ++ * than two. ++ */ ++ timeout = max(usecs_to_jiffies(MVMDIO_SMI_TIMEOUT), 2); ++ ++ if (wait_event_timeout(dev->smi_busy_wait, ++ ops->is_done(dev), timeout)) + return 0; +- else if (timedout) +- break; +- +- if (dev->err_interrupt <= 0) { +- usleep_range(ops->poll_interval_min, +- ops->poll_interval_max); +- +- if (time_is_before_jiffies(end)) +- ++timedout; +- } else { +- /* wait_event_timeout does not guarantee a delay of at +- * least one whole jiffie, so timeout must be no less +- * than two. +- */ +- if (timeout < 2) +- timeout = 2; +- wait_event_timeout(dev->smi_busy_wait, +- ops->is_done(dev), timeout); +- +- ++timedout; +- } + } + + dev_err(bus->parent, "Timeout: SMI busy for too long\n"); +@@ -133,8 +116,6 @@ static int orion_mdio_smi_is_done(struct orion_mdio_dev *dev) + + static const struct orion_mdio_ops orion_mdio_smi_ops = { + .is_done = orion_mdio_smi_is_done, +- .poll_interval_min = MVMDIO_SMI_POLL_INTERVAL_MIN, +- .poll_interval_max = MVMDIO_SMI_POLL_INTERVAL_MAX, + }; + + static int orion_mdio_smi_read(struct mii_bus *bus, int mii_id, +@@ -198,8 +179,6 @@ static int orion_mdio_xsmi_is_done(struct orion_mdio_dev *dev) + + static const struct orion_mdio_ops orion_mdio_xsmi_ops = { + .is_done = orion_mdio_xsmi_is_done, +- .poll_interval_min = MVMDIO_XSMI_POLL_INTERVAL_MIN, +- .poll_interval_max = MVMDIO_XSMI_POLL_INTERVAL_MAX, + }; + + static int orion_mdio_xsmi_read(struct mii_bus *bus, int mii_id, +-- +2.43.0 + diff --git a/queue-5.10/pci-add-intel_hda_arl-to-pci_ids.h.patch b/queue-5.10/pci-add-intel_hda_arl-to-pci_ids.h.patch new file mode 100644 index 00000000000..288a790c162 --- /dev/null +++ b/queue-5.10/pci-add-intel_hda_arl-to-pci_ids.h.patch @@ -0,0 +1,41 @@ +From 556231b29b53a673fc708728c1af15e35281e573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 15:27:06 -0600 +Subject: PCI: add INTEL_HDA_ARL to pci_ids.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 5ec42bf04d72fd6d0a6855810cc779e0ee31dfd7 ] + +The PCI ID insertion follows the increasing order in the table, but +this hardware follows MTL (MeteorLake). + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Kai Vehmanen +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20231204212710.185976-2-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/linux/pci_ids.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index 1a41147b22e8..80744a7b5e33 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -3020,6 +3020,7 @@ + #define PCI_DEVICE_ID_INTEL_82443GX_0 0x71a0 + #define PCI_DEVICE_ID_INTEL_82443GX_2 0x71a2 + #define PCI_DEVICE_ID_INTEL_82372FB_1 0x7601 ++#define PCI_DEVICE_ID_INTEL_HDA_ARL 0x7728 + #define PCI_DEVICE_ID_INTEL_SCH_LPC 0x8119 + #define PCI_DEVICE_ID_INTEL_SCH_IDE 0x811a + #define PCI_DEVICE_ID_INTEL_E6XX_CU 0x8183 +-- +2.43.0 + diff --git a/queue-5.10/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch b/queue-5.10/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch new file mode 100644 index 00000000000..ba25e21622a --- /dev/null +++ b/queue-5.10/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch @@ -0,0 +1,62 @@ +From b2f4b1a01c811f4faa815d891d7b631043f95215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Nov 2023 13:17:16 +0100 +Subject: PCI: Add no PM reset quirk for NVIDIA Spectrum devices + +From: Ido Schimmel + +[ Upstream commit 3ed48c80b28d8dcd584d6ddaf00c75b7673e1a05 ] + +Spectrum-{1,2,3,4} devices report that a D3hot->D0 transition causes a +reset (i.e., they advertise NoSoftRst-). However, this transition does +not have any effect on the device: It continues to be operational and +network ports remain up. Advertising this support makes it seem as if a +PM reset is viable for these devices. Mark it as unavailable to skip it +when testing reset methods. + +Before: + + # cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method + pm bus + +After: + + # cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method + bus + +Signed-off-by: Ido Schimmel +Acked-by: Bjorn Helgaas +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 21661feeeeb6..03a30734cdc6 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3638,6 +3638,19 @@ static void quirk_no_pm_reset(struct pci_dev *dev) + DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_VENDOR_ID_ATI, PCI_ANY_ID, + PCI_CLASS_DISPLAY_VGA, 8, quirk_no_pm_reset); + ++/* ++ * Spectrum-{1,2,3,4} devices report that a D3hot->D0 transition causes a reset ++ * (i.e., they advertise NoSoftRst-). However, this transition does not have ++ * any effect on the device: It continues to be operational and network ports ++ * remain up. Advertising this support makes it seem as if a PM reset is viable ++ * for these devices. Mark it as unavailable to skip it when testing reset ++ * methods. ++ */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcb84, quirk_no_pm_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf6c, quirk_no_pm_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf70, quirk_no_pm_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf80, quirk_no_pm_reset); ++ + /* + * Thunderbolt controllers with broken MSI hotplug signaling: + * Entire 1st generation (Light Ridge, Eagle Ridge, Light Peak) and part +-- +2.43.0 + diff --git a/queue-5.10/pci-aer-decode-requester-id-when-no-error-info-found.patch b/queue-5.10/pci-aer-decode-requester-id-when-no-error-info-found.patch new file mode 100644 index 00000000000..9c17e6c6349 --- /dev/null +++ b/queue-5.10/pci-aer-decode-requester-id-when-no-error-info-found.patch @@ -0,0 +1,69 @@ +From 0b5fb7c67131738c725c82e511f27747481a14e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 16:42:30 -0600 +Subject: PCI/AER: Decode Requester ID when no error info found + +From: Bjorn Helgaas + +[ Upstream commit 1291b716bbf969e101d517bfb8ba18d958f758b8 ] + +When a device with AER detects an error, it logs error information in its +own AER Error Status registers. It may send an Error Message to the Root +Port (RCEC in the case of an RCiEP), which logs the fact that an Error +Message was received (Root Error Status) and the Requester ID of the +message source (Error Source Identification). + +aer_print_port_info() prints the Requester ID from the Root Port Error +Source in the usual Linux "bb:dd.f" format, but when find_source_device() +finds no error details in the hierarchy below the Root Port, it printed the +raw Requester ID without decoding it. + +Decode the Requester ID in the usual Linux format so it matches other +messages. + +Sample message changes: + + - pcieport 0000:00:1c.5: AER: Correctable error received: 0000:00:1c.5 + - pcieport 0000:00:1c.5: AER: can't find device of ID00e5 + + pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5 + + pcieport 0000:00:1c.5: AER: found no error details for 0000:00:1c.5 + +Link: https://lore.kernel.org/r/20231206224231.732765-3-helgaas@kernel.org +Signed-off-by: Bjorn Helgaas +Reviewed-by: Jonathan Cameron +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pcie/aer.c b/drivers/pci/pcie/aer.c +index 9564b74003f0..d58b02237075 100644 +--- a/drivers/pci/pcie/aer.c ++++ b/drivers/pci/pcie/aer.c +@@ -741,7 +741,7 @@ static void aer_print_port_info(struct pci_dev *dev, struct aer_err_info *info) + u8 bus = info->id >> 8; + u8 devfn = info->id & 0xff; + +- pci_info(dev, "%s%s error received: %04x:%02x:%02x.%d\n", ++ pci_info(dev, "%s%s error message received from %04x:%02x:%02x.%d\n", + info->multi_error_valid ? "Multiple " : "", + aer_error_severity_string[info->severity], + pci_domain_nr(dev->bus), bus, PCI_SLOT(devfn), +@@ -926,7 +926,12 @@ static bool find_source_device(struct pci_dev *parent, + pci_walk_bus(parent->subordinate, find_device_iter, e_info); + + if (!e_info->error_dev_num) { +- pci_info(parent, "can't find device of ID%04x\n", e_info->id); ++ u8 bus = e_info->id >> 8; ++ u8 devfn = e_info->id & 0xff; ++ ++ pci_info(parent, "found no error details for %04x:%02x:%02x.%d\n", ++ pci_domain_nr(parent->bus), bus, PCI_SLOT(devfn), ++ PCI_FUNC(devfn)); + return false; + } + return true; +-- +2.43.0 + diff --git a/queue-5.10/pci-only-override-amd-usb-controller-if-required.patch b/queue-5.10/pci-only-override-amd-usb-controller-if-required.patch new file mode 100644 index 00000000000..ca9269ed56b --- /dev/null +++ b/queue-5.10/pci-only-override-amd-usb-controller-if-required.patch @@ -0,0 +1,55 @@ +From ed1b6c5d59c469c1001eb78e71b86cff85dd3e40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:04:36 -0300 +Subject: PCI: Only override AMD USB controller if required + +From: Guilherme G. Piccoli + +[ Upstream commit e585a37e5061f6d5060517aed1ca4ccb2e56a34c ] + +By running a Van Gogh device (Steam Deck), the following message +was noticed in the kernel log: + + pci 0000:04:00.3: PCI class overridden (0x0c03fe -> 0x0c03fe) so dwc3 driver can claim this instead of xhci + +Effectively this means the quirk executed but changed nothing, since the +class of this device was already the proper one (likely adjusted by newer +firmware versions). + +Check and perform the override only if necessary. + +Link: https://lore.kernel.org/r/20231120160531.361552-1-gpiccoli@igalia.com +Signed-off-by: Guilherme G. Piccoli +Signed-off-by: Bjorn Helgaas +Cc: Huang Rui +Cc: Vicki Pfau +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 03a30734cdc6..b67aea8d8f19 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -609,10 +609,13 @@ static void quirk_amd_dwc_class(struct pci_dev *pdev) + { + u32 class = pdev->class; + +- /* Use "USB Device (not host controller)" class */ +- pdev->class = PCI_CLASS_SERIAL_USB_DEVICE; +- pci_info(pdev, "PCI class overridden (%#08x -> %#08x) so dwc3 driver can claim this instead of xhci\n", +- class, pdev->class); ++ if (class != PCI_CLASS_SERIAL_USB_DEVICE) { ++ /* Use "USB Device (not host controller)" class */ ++ pdev->class = PCI_CLASS_SERIAL_USB_DEVICE; ++ pci_info(pdev, ++ "PCI class overridden (%#08x -> %#08x) so dwc3 driver can claim this instead of xhci\n", ++ class, pdev->class); ++ } + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_NL_USB, + quirk_amd_dwc_class); +-- +2.43.0 + diff --git a/queue-5.10/pci-switchtec-fix-stdev_release-crash-after-surprise.patch b/queue-5.10/pci-switchtec-fix-stdev_release-crash-after-surprise.patch new file mode 100644 index 00000000000..419c4b492d5 --- /dev/null +++ b/queue-5.10/pci-switchtec-fix-stdev_release-crash-after-surprise.patch @@ -0,0 +1,104 @@ +From d286bfc181bd218530ad6e397ba74421af74a822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 20:23:16 -0800 +Subject: PCI: switchtec: Fix stdev_release() crash after surprise hot remove + +From: Daniel Stodden + +[ Upstream commit df25461119d987b8c81d232cfe4411e91dcabe66 ] + +A PCI device hot removal may occur while stdev->cdev is held open. The call +to stdev_release() then happens during close or exit, at a point way past +switchtec_pci_remove(). Otherwise the last ref would vanish with the +trailing put_device(), just before return. + +At that later point in time, the devm cleanup has already removed the +stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted +one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause +a fatal page fault, and the subsequent dma_free_coherent(), if reached, +would pass a stale &stdev->pdev->dev pointer. + +Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after +stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent +future accidents. + +Reproducible via the script at +https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com + +Link: https://lore.kernel.org/r/20231122042316.91208-2-dns@arista.com +Signed-off-by: Daniel Stodden +Signed-off-by: Bjorn Helgaas +Reviewed-by: Logan Gunthorpe +Reviewed-by: Dmitry Safonov +Signed-off-by: Sasha Levin +--- + drivers/pci/switch/switchtec.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c +index ba52459928f7..5cea3ad290c5 100644 +--- a/drivers/pci/switch/switchtec.c ++++ b/drivers/pci/switch/switchtec.c +@@ -1251,13 +1251,6 @@ static void stdev_release(struct device *dev) + { + struct switchtec_dev *stdev = to_stdev(dev); + +- if (stdev->dma_mrpc) { +- iowrite32(0, &stdev->mmio_mrpc->dma_en); +- flush_wc_buf(stdev); +- writeq(0, &stdev->mmio_mrpc->dma_addr); +- dma_free_coherent(&stdev->pdev->dev, sizeof(*stdev->dma_mrpc), +- stdev->dma_mrpc, stdev->dma_mrpc_dma_addr); +- } + kfree(stdev); + } + +@@ -1301,7 +1294,7 @@ static struct switchtec_dev *stdev_create(struct pci_dev *pdev) + return ERR_PTR(-ENOMEM); + + stdev->alive = true; +- stdev->pdev = pdev; ++ stdev->pdev = pci_dev_get(pdev); + INIT_LIST_HEAD(&stdev->mrpc_queue); + mutex_init(&stdev->mrpc_mutex); + stdev->mrpc_busy = 0; +@@ -1335,6 +1328,7 @@ static struct switchtec_dev *stdev_create(struct pci_dev *pdev) + return stdev; + + err_put: ++ pci_dev_put(stdev->pdev); + put_device(&stdev->dev); + return ERR_PTR(rc); + } +@@ -1587,6 +1581,18 @@ static int switchtec_init_pci(struct switchtec_dev *stdev, + return 0; + } + ++static void switchtec_exit_pci(struct switchtec_dev *stdev) ++{ ++ if (stdev->dma_mrpc) { ++ iowrite32(0, &stdev->mmio_mrpc->dma_en); ++ flush_wc_buf(stdev); ++ writeq(0, &stdev->mmio_mrpc->dma_addr); ++ dma_free_coherent(&stdev->pdev->dev, sizeof(*stdev->dma_mrpc), ++ stdev->dma_mrpc, stdev->dma_mrpc_dma_addr); ++ stdev->dma_mrpc = NULL; ++ } ++} ++ + static int switchtec_pci_probe(struct pci_dev *pdev, + const struct pci_device_id *id) + { +@@ -1646,6 +1652,9 @@ static void switchtec_pci_remove(struct pci_dev *pdev) + ida_simple_remove(&switchtec_minor_ida, MINOR(stdev->dev.devt)); + dev_info(&stdev->dev, "unregistered.\n"); + stdev_kill(stdev); ++ switchtec_exit_pci(stdev); ++ pci_dev_put(stdev->pdev); ++ stdev->pdev = NULL; + put_device(&stdev->dev); + } + +-- +2.43.0 + diff --git a/queue-5.10/perf-core-fix-narrow-startup-race-when-creating-the-.patch b/queue-5.10/perf-core-fix-narrow-startup-race-when-creating-the-.patch new file mode 100644 index 00000000000..1bc0c7e8b54 --- /dev/null +++ b/queue-5.10/perf-core-fix-narrow-startup-race-when-creating-the-.patch @@ -0,0 +1,82 @@ +From cccdb7d5e7f195df6c3b5484cff22077268da0e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 15:09:09 +0200 +Subject: perf/core: Fix narrow startup race when creating the perf + nr_addr_filters sysfs file + +From: Greg KH + +[ Upstream commit 652ffc2104ec1f69dd4a46313888c33527145ccf ] + +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/2023061204-decal-flyable-6090@gregkh +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 40 ++++++++++++++++++++++++++++------------ + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index afedd008e0af..ab5b75f3b886 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10855,9 +10855,32 @@ static DEVICE_ATTR_RW(perf_event_mux_interval_ms); + static struct attribute *pmu_dev_attrs[] = { + &dev_attr_type.attr, + &dev_attr_perf_event_mux_interval_ms.attr, ++ &dev_attr_nr_addr_filters.attr, ++ NULL, ++}; ++ ++static umode_t pmu_dev_is_visible(struct kobject *kobj, struct attribute *a, int n) ++{ ++ struct device *dev = kobj_to_dev(kobj); ++ struct pmu *pmu = dev_get_drvdata(dev); ++ ++ if (!pmu->nr_addr_filters) ++ return 0; ++ ++ return a->mode; ++ ++ return 0; ++} ++ ++static struct attribute_group pmu_dev_attr_group = { ++ .is_visible = pmu_dev_is_visible, ++ .attrs = pmu_dev_attrs, ++}; ++ ++static const struct attribute_group *pmu_dev_groups[] = { ++ &pmu_dev_attr_group, + NULL, + }; +-ATTRIBUTE_GROUPS(pmu_dev); + + static int pmu_bus_running; + static struct bus_type pmu_bus = { +@@ -10893,18 +10916,11 @@ static int pmu_dev_alloc(struct pmu *pmu) + if (ret) + goto free_dev; + +- /* For PMUs with address filters, throw in an extra attribute: */ +- if (pmu->nr_addr_filters) +- ret = device_create_file(pmu->dev, &dev_attr_nr_addr_filters); +- +- if (ret) +- goto del_dev; +- +- if (pmu->attr_update) ++ if (pmu->attr_update) { + ret = sysfs_update_groups(&pmu->dev->kobj, pmu->attr_update); +- +- if (ret) +- goto del_dev; ++ if (ret) ++ goto del_dev; ++ } + + out: + return ret; +-- +2.43.0 + diff --git a/queue-5.10/perf-fix-the-nr_addr_filters-fix.patch b/queue-5.10/perf-fix-the-nr_addr_filters-fix.patch new file mode 100644 index 00000000000..0c8b56aca55 --- /dev/null +++ b/queue-5.10/perf-fix-the-nr_addr_filters-fix.patch @@ -0,0 +1,50 @@ +From a70fc098380663e9c8827b1ed94fc284c5f73e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 11:07:56 +0100 +Subject: perf: Fix the nr_addr_filters fix + +From: Peter Zijlstra + +[ Upstream commit 388a1fb7da6aaa1970c7e2a7d7fcd983a87a8484 ] + +Thomas reported that commit 652ffc2104ec ("perf/core: Fix narrow +startup race when creating the perf nr_addr_filters sysfs file") made +the entire attribute group vanish, instead of only the nr_addr_filters +attribute. + +Additionally a stray return. + +Insufficient coffee was involved with both writing and merging the +patch. + +Fixes: 652ffc2104ec ("perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file") +Reported-by: Thomas Richter +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Thomas Richter +Link: https://lkml.kernel.org/r/20231122100756.GP8262@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index ab5b75f3b886..bd569cf23569 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10864,12 +10864,10 @@ static umode_t pmu_dev_is_visible(struct kobject *kobj, struct attribute *a, int + struct device *dev = kobj_to_dev(kobj); + struct pmu *pmu = dev_get_drvdata(dev); + +- if (!pmu->nr_addr_filters) ++ if (n == 2 && !pmu->nr_addr_filters) + return 0; + + return a->mode; +- +- return 0; + } + + static struct attribute_group pmu_dev_attr_group = { +-- +2.43.0 + diff --git a/queue-5.10/pm-devfreq-synchronize-devfreq_monitor_-start-stop.patch b/queue-5.10/pm-devfreq-synchronize-devfreq_monitor_-start-stop.patch new file mode 100644 index 00000000000..f261621ae3b --- /dev/null +++ b/queue-5.10/pm-devfreq-synchronize-devfreq_monitor_-start-stop.patch @@ -0,0 +1,167 @@ +From e4e3e646475b3bbaff021251a795c5c526883510 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Nov 2023 02:41:58 +0530 +Subject: PM / devfreq: Synchronize devfreq_monitor_[start/stop] + +From: Mukesh Ojha + +[ Upstream commit aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6 ] + +There is a chance if a frequent switch of the governor +done in a loop result in timer list corruption where +timer cancel being done from two place one from +cancel_delayed_work_sync() and followed by expire_timers() +can be seen from the traces[1]. + +while true +do + echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor + echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor +done + +It looks to be issue with devfreq driver where +device_monitor_[start/stop] need to synchronized so that +delayed work should get corrupted while it is either +being queued or running or being cancelled. + +Let's use polling flag and devfreq lock to synchronize the +queueing the timer instance twice and work data being +corrupted. + +[1] +... +.. +-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428 +-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c +-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428 +kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227 +vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428 +vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428 +vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532 +vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428 +xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428 + +[2] + + 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a +[ 9436.261664][ C4] Mem abort info: +[ 9436.261666][ C4] ESR = 0x96000044 +[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits +[ 9436.261671][ C4] SET = 0, FnV = 0 +[ 9436.261673][ C4] EA = 0, S1PTW = 0 +[ 9436.261675][ C4] Data abort info: +[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044 +[ 9436.261680][ C4] CM = 0, WnR = 1 +[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges +[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP +[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0 +... + +[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1 +[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT) +[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--) +[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438 +[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438 +[ 9436.262168][ C4] sp : ffffffc010023dd0 +[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18 +[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008 +[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280 +[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122 +[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80 +[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038 +[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201 +[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100 +[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8 +[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff +[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122 +[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8 +[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101 +[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff889edc155c +[ 9436.262227][ C4] x1 : ffffff8001005200 x0 : ffffff80444f0428 +[ 9436.262232][ C4] Call trace: +[ 9436.262236][ C4] expire_timers+0x9c/0x438 +[ 9436.262240][ C4] __run_timers+0x1f0/0x330 +[ 9436.262245][ C4] run_timer_softirq+0x28/0x58 +[ 9436.262255][ C4] efi_header_end+0x168/0x5ec +[ 9436.262265][ C4] __irq_exit_rcu+0x108/0x124 +[ 9436.262274][ C4] __handle_domain_irq+0x118/0x1e4 +[ 9436.262282][ C4] gic_handle_irq.30369+0x6c/0x2bc +[ 9436.262286][ C4] el0_irq_naked+0x60/0x6c + +Link: https://lore.kernel.org/all/1700860318-4025-1-git-send-email-quic_mojha@quicinc.com/ +Reported-by: Joyyoung Huang +Acked-by: MyungJoo Ham +Signed-off-by: Mukesh Ojha +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index 42c1eed44529..216594b86119 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -438,10 +438,14 @@ static void devfreq_monitor(struct work_struct *work) + if (err) + dev_err(&devfreq->dev, "dvfs failed with (%d) error\n", err); + ++ if (devfreq->stop_polling) ++ goto out; ++ + queue_delayed_work(devfreq_wq, &devfreq->work, + msecs_to_jiffies(devfreq->profile->polling_ms)); +- mutex_unlock(&devfreq->lock); + ++out: ++ mutex_unlock(&devfreq->lock); + trace_devfreq_monitor(devfreq); + } + +@@ -459,6 +463,10 @@ void devfreq_monitor_start(struct devfreq *devfreq) + if (devfreq->governor->interrupt_driven) + return; + ++ mutex_lock(&devfreq->lock); ++ if (delayed_work_pending(&devfreq->work)) ++ goto out; ++ + switch (devfreq->profile->timer) { + case DEVFREQ_TIMER_DEFERRABLE: + INIT_DEFERRABLE_WORK(&devfreq->work, devfreq_monitor); +@@ -467,12 +475,16 @@ void devfreq_monitor_start(struct devfreq *devfreq) + INIT_DELAYED_WORK(&devfreq->work, devfreq_monitor); + break; + default: +- return; ++ goto out; + } + + if (devfreq->profile->polling_ms) + queue_delayed_work(devfreq_wq, &devfreq->work, + msecs_to_jiffies(devfreq->profile->polling_ms)); ++ ++out: ++ devfreq->stop_polling = false; ++ mutex_unlock(&devfreq->lock); + } + EXPORT_SYMBOL(devfreq_monitor_start); + +@@ -489,6 +501,14 @@ void devfreq_monitor_stop(struct devfreq *devfreq) + if (devfreq->governor->interrupt_driven) + return; + ++ mutex_lock(&devfreq->lock); ++ if (devfreq->stop_polling) { ++ mutex_unlock(&devfreq->lock); ++ return; ++ } ++ ++ devfreq->stop_polling = true; ++ mutex_unlock(&devfreq->lock); + cancel_delayed_work_sync(&devfreq->work); + } + EXPORT_SYMBOL(devfreq_monitor_stop); +-- +2.43.0 + diff --git a/queue-5.10/pnp-acpi-fix-fortify-warning.patch b/queue-5.10/pnp-acpi-fix-fortify-warning.patch new file mode 100644 index 00000000000..d01ae67c269 --- /dev/null +++ b/queue-5.10/pnp-acpi-fix-fortify-warning.patch @@ -0,0 +1,83 @@ +From d64b99aac72174c053261c93524fb01ad95190cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 05:52:10 +0300 +Subject: PNP: ACPI: fix fortify warning + +From: Dmitry Antipov + +[ Upstream commit ba3f5058db437d919f8468db50483dd9028ff688 ] + +When compiling with gcc version 14.0.0 20231126 (experimental) +and CONFIG_FORTIFY_SOURCE=y, I've noticed the following: + +In file included from ./include/linux/string.h:295, + from ./include/linux/bitmap.h:12, + from ./include/linux/cpumask.h:12, + from ./arch/x86/include/asm/paravirt.h:17, + from ./arch/x86/include/asm/cpuid.h:62, + from ./arch/x86/include/asm/processor.h:19, + from ./arch/x86/include/asm/cpufeature.h:5, + from ./arch/x86/include/asm/thread_info.h:53, + from ./include/linux/thread_info.h:60, + from ./arch/x86/include/asm/preempt.h:9, + from ./include/linux/preempt.h:79, + from ./include/linux/spinlock.h:56, + from ./include/linux/mmzone.h:8, + from ./include/linux/gfp.h:7, + from ./include/linux/slab.h:16, + from ./include/linux/resource_ext.h:11, + from ./include/linux/acpi.h:13, + from drivers/pnp/pnpacpi/rsparser.c:11: +In function 'fortify_memcpy_chk', + inlined from 'pnpacpi_parse_allocated_vendor' at drivers/pnp/pnpacpi/rsparser.c:158:3, + inlined from 'pnpacpi_allocated_resource' at drivers/pnp/pnpacpi/rsparser.c:249:3: +./include/linux/fortify-string.h:588:25: warning: call to '__read_overflow2_field' +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 588 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +According to the comments in include/linux/fortify-string.h, 'memcpy()', +'memmove()' and 'memset()' must not be used beyond individual struct +members to ensure that the compiler can enforce protection against +buffer overflows, and, IIUC, this also applies to partial copies from +the particular member ('vendor->byte_data' in this case). So it should +be better (and safer) to do both copies at once (and 'byte_data' of +'struct acpi_resource_vendor_typed' seems to be a good candidate for +'__counted_by(byte_length)' as well). + +Signed-off-by: Dmitry Antipov +Reviewed-by: Kees Cook +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pnp/pnpacpi/rsparser.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/pnp/pnpacpi/rsparser.c b/drivers/pnp/pnpacpi/rsparser.c +index da78dc77aed3..9879deb4dc0b 100644 +--- a/drivers/pnp/pnpacpi/rsparser.c ++++ b/drivers/pnp/pnpacpi/rsparser.c +@@ -151,13 +151,13 @@ static int vendor_resource_matches(struct pnp_dev *dev, + static void pnpacpi_parse_allocated_vendor(struct pnp_dev *dev, + struct acpi_resource_vendor_typed *vendor) + { +- if (vendor_resource_matches(dev, vendor, &hp_ccsr_uuid, 16)) { +- u64 start, length; ++ struct { u64 start, length; } range; + +- memcpy(&start, vendor->byte_data, sizeof(start)); +- memcpy(&length, vendor->byte_data + 8, sizeof(length)); +- +- pnp_add_mem_resource(dev, start, start + length - 1, 0); ++ if (vendor_resource_matches(dev, vendor, &hp_ccsr_uuid, ++ sizeof(range))) { ++ memcpy(&range, vendor->byte_data, sizeof(range)); ++ pnp_add_mem_resource(dev, range.start, range.start + ++ range.length - 1, 0); + } + } + +-- +2.43.0 + diff --git a/queue-5.10/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch b/queue-5.10/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch new file mode 100644 index 00000000000..65022316a2f --- /dev/null +++ b/queue-5.10/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch @@ -0,0 +1,48 @@ +From 4336baef047e3a64bdcb2cda851a37a3532c1ec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 22:44:33 +1100 +Subject: powerpc: Fix build error due to is_valid_bugaddr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit f8d3555355653848082c351fa90775214fb8a4fa ] + +With CONFIG_GENERIC_BUG=n the build fails with: + + arch/powerpc/kernel/traps.c:1442:5: error: no previous prototype for ‘is_valid_bugaddr’ [-Werror=missing-prototypes] + 1442 | int is_valid_bugaddr(unsigned long addr) + | ^~~~~~~~~~~~~~~~ + +The prototype is only defined, and the function is only needed, when +CONFIG_GENERIC_BUG=y, so move the implementation under that. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231130114433.3053544-2-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/traps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 5e5a2448ae79..b0e87dce2b9a 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -1432,10 +1432,12 @@ static int emulate_instruction(struct pt_regs *regs) + return -EINVAL; + } + ++#ifdef CONFIG_GENERIC_BUG + int is_valid_bugaddr(unsigned long addr) + { + return is_kernel_addr(addr); + } ++#endif + + #ifdef CONFIG_MATH_EMULATION + static int emulate_math(struct pt_regs *regs) +-- +2.43.0 + diff --git a/queue-5.10/powerpc-lib-validate-size-for-vector-operations.patch b/queue-5.10/powerpc-lib-validate-size-for-vector-operations.patch new file mode 100644 index 00000000000..301c2c37d2a --- /dev/null +++ b/queue-5.10/powerpc-lib-validate-size-for-vector-operations.patch @@ -0,0 +1,71 @@ +From d41bbbca1f759ec9770a711ce27b2ed4fb43814d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 12:47:05 +0530 +Subject: powerpc/lib: Validate size for vector operations + +From: Naveen N Rao + +[ Upstream commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 ] + +Some of the fp/vmx code in sstep.c assume a certain maximum size for the +instructions being emulated. The size of those operations however is +determined separately in analyse_instr(). + +Add a check to validate the assumption on the maximum size of the +operations, so as to prevent any unintended kernel stack corruption. + +Signed-off-by: Naveen N Rao +Reviewed-by: Gustavo A. R. Silva +Build-tested-by: Gustavo A. R. Silva +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/lib/sstep.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c +index 2d19655328f1..ca4733fbd02d 100644 +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -512,6 +512,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea, + } u; + + nb = GETSIZE(op->type); ++ if (nb > sizeof(u)) ++ return -EINVAL; + if (!address_ok(regs, ea, nb)) + return -EFAULT; + rn = op->reg; +@@ -562,6 +564,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea, + } u; + + nb = GETSIZE(op->type); ++ if (nb > sizeof(u)) ++ return -EINVAL; + if (!address_ok(regs, ea, nb)) + return -EFAULT; + rn = op->reg; +@@ -606,6 +610,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea, + u8 b[sizeof(__vector128)]; + } u = {}; + ++ if (size > sizeof(u)) ++ return -EINVAL; ++ + if (!address_ok(regs, ea & ~0xfUL, 16)) + return -EFAULT; + /* align to multiple of size */ +@@ -633,6 +640,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea, + u8 b[sizeof(__vector128)]; + } u; + ++ if (size > sizeof(u)) ++ return -EINVAL; ++ + if (!address_ok(regs, ea & ~0xfUL, 16)) + return -EFAULT; + /* align to multiple of size */ +-- +2.43.0 + diff --git a/queue-5.10/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch b/queue-5.10/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch new file mode 100644 index 00000000000..3881c22ae08 --- /dev/null +++ b/queue-5.10/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch @@ -0,0 +1,68 @@ +From 1904620705c5d0f668e68136be3e891e005e42f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 22:44:32 +1100 +Subject: powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit d8c3f243d4db24675b653f0568bb65dae34e6455 ] + +With NUMA=n and FA_DUMP=y or PRESERVE_FA_DUMP=y the build fails with: + + arch/powerpc/kernel/fadump.c:1739:22: error: no previous prototype for ‘arch_reserved_kernel_pages’ [-Werror=missing-prototypes] + 1739 | unsigned long __init arch_reserved_kernel_pages(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ + +The prototype for arch_reserved_kernel_pages() is in include/linux/mm.h, +but it's guarded by __HAVE_ARCH_RESERVED_KERNEL_PAGES. The powerpc +headers define __HAVE_ARCH_RESERVED_KERNEL_PAGES in asm/mmzone.h, which +is not included into the generic headers when NUMA=n. + +Move the definition of __HAVE_ARCH_RESERVED_KERNEL_PAGES into asm/mmu.h +which is included regardless of NUMA=n. + +Additionally the ifdef around __HAVE_ARCH_RESERVED_KERNEL_PAGES needs to +also check for CONFIG_PRESERVE_FA_DUMP. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231130114433.3053544-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/mmu.h | 4 ++++ + arch/powerpc/include/asm/mmzone.h | 3 --- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/include/asm/mmu.h b/arch/powerpc/include/asm/mmu.h +index 255a1837e9f7..3a5a27318a0e 100644 +--- a/arch/powerpc/include/asm/mmu.h ++++ b/arch/powerpc/include/asm/mmu.h +@@ -390,5 +390,9 @@ extern void *abatron_pteptrs[2]; + #include + #endif + ++#if defined(CONFIG_FA_DUMP) || defined(CONFIG_PRESERVE_FA_DUMP) ++#define __HAVE_ARCH_RESERVED_KERNEL_PAGES ++#endif ++ + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_MMU_H_ */ +diff --git a/arch/powerpc/include/asm/mmzone.h b/arch/powerpc/include/asm/mmzone.h +index 6cda76b57c5d..bd1a8d7256ff 100644 +--- a/arch/powerpc/include/asm/mmzone.h ++++ b/arch/powerpc/include/asm/mmzone.h +@@ -42,9 +42,6 @@ u64 memory_hotplug_max(void); + #else + #define memory_hotplug_max() memblock_end_of_DRAM() + #endif /* CONFIG_NEED_MULTIPLE_NODES */ +-#ifdef CONFIG_FA_DUMP +-#define __HAVE_ARCH_RESERVED_KERNEL_PAGES +-#endif + + #ifdef CONFIG_MEMORY_HOTPLUG + extern int create_section_mapping(unsigned long start, unsigned long end, +-- +2.43.0 + diff --git a/queue-5.10/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch b/queue-5.10/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch new file mode 100644 index 00000000000..1bc42155e77 --- /dev/null +++ b/queue-5.10/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch @@ -0,0 +1,49 @@ +From 2c06f221333e5e11c0b05ec8bb773d710fecb6e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 10:32:23 +0800 +Subject: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add + +From: Kunwu Chan + +[ Upstream commit f46c8a75263f97bda13c739ba1c90aced0d3b071 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. Ensure the allocation was successful +by checking the pointer validity. + +Suggested-by: Christophe Leroy +Suggested-by: Michael Ellerman +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231204023223.2447523-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/init-common.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/mm/init-common.c b/arch/powerpc/mm/init-common.c +index 8e0d792ac296..52a20c97e46e 100644 +--- a/arch/powerpc/mm/init-common.c ++++ b/arch/powerpc/mm/init-common.c +@@ -111,7 +111,7 @@ void pgtable_cache_add(unsigned int shift) + * as to leave enough 0 bits in the address to contain it. */ + unsigned long minalign = max(MAX_PGTABLE_INDEX_SIZE + 1, + HUGEPD_SHIFT_MASK + 1); +- struct kmem_cache *new; ++ struct kmem_cache *new = NULL; + + /* It would be nice if this was a BUILD_BUG_ON(), but at the + * moment, gcc doesn't seem to recognize is_power_of_2 as a +@@ -124,7 +124,8 @@ void pgtable_cache_add(unsigned int shift) + + align = max_t(unsigned long, align, minalign); + name = kasprintf(GFP_KERNEL, "pgtable-2^%d", shift); +- new = kmem_cache_create(name, table_size, align, 0, ctor(shift)); ++ if (name) ++ new = kmem_cache_create(name, table_size, align, 0, ctor(shift)); + if (!new) + panic("Could not allocate pgtable cache for order %d", shift); + +-- +2.43.0 + diff --git a/queue-5.10/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch b/queue-5.10/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch new file mode 100644 index 00000000000..d5a2ad5d982 --- /dev/null +++ b/queue-5.10/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch @@ -0,0 +1,56 @@ +From c0034269570f8c63bf260dadcfe32aadbf6a57d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 13:28:09 +1100 +Subject: powerpc: pmd_move_must_withdraw() is only needed for + CONFIG_TRANSPARENT_HUGEPAGE + +From: Stephen Rothwell + +[ Upstream commit 0d555b57ee660d8a871781c0eebf006e855e918d ] + +The linux-next build of powerpc64 allnoconfig fails with: + + arch/powerpc/mm/book3s64/pgtable.c:557:5: error: no previous prototype for 'pmd_move_must_withdraw' + 557 | int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl, + | ^~~~~~~~~~~~~~~~~~~~~~ + +Caused by commit: + + c6345dfa6e3e ("Makefile.extrawarn: turn on missing-prototypes globally") + +Fix it by moving the function definition under +CONFIG_TRANSPARENT_HUGEPAGE like the prototype. The function is only +called when CONFIG_TRANSPARENT_HUGEPAGE=y. + +Signed-off-by: Stephen Rothwell +[mpe: Flesh out change log from linux-next patch] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231127132809.45c2b398@canb.auug.org.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/pgtable.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c +index e18ae50a275c..a86d932a7c30 100644 +--- a/arch/powerpc/mm/book3s64/pgtable.c ++++ b/arch/powerpc/mm/book3s64/pgtable.c +@@ -446,6 +446,7 @@ void ptep_modify_prot_commit(struct vm_area_struct *vma, unsigned long addr, + set_pte_at(vma->vm_mm, addr, ptep, pte); + } + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE + /* + * For hash translation mode, we use the deposited table to store hash slot + * information and they are stored at PTRS_PER_PMD offset from related pmd +@@ -467,6 +468,7 @@ int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl, + + return true; + } ++#endif + + /* + * Does the CPU support tlbie? +-- +2.43.0 + diff --git a/queue-5.10/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch b/queue-5.10/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch new file mode 100644 index 00000000000..0d53be33b1a --- /dev/null +++ b/queue-5.10/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch @@ -0,0 +1,47 @@ +From e9fd4e683ba9fa0fec2417df5ad107ed2605965a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2023 10:36:32 +0800 +Subject: pstore/ram: Fix crash when setting number of cpus to an odd number + +From: Weichen Chen + +[ Upstream commit d49270a04623ce3c0afddbf3e984cb245aa48e9c ] + +When the number of cpu cores is adjusted to 7 or other odd numbers, +the zone size will become an odd number. +The address of the zone will become: + addr of zone0 = BASE + addr of zone1 = BASE + zone_size + addr of zone2 = BASE + zone_size*2 + ... +The address of zone1/3/5/7 will be mapped to non-alignment va. +Eventually crashes will occur when accessing these va. + +So, use ALIGN_DOWN() to make sure the zone size is even +to avoid this bug. + +Signed-off-by: Weichen Chen +Reviewed-by: Matthias Brugger +Tested-by: "Guilherme G. Piccoli" +Link: https://lore.kernel.org/r/20230224023632.6840-1-weichen.chen@mediatek.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/ram.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index 98e579ce0d63..44fc3b396288 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -519,6 +519,7 @@ static int ramoops_init_przs(const char *name, + } + + zone_sz = mem_sz / *cnt; ++ zone_sz = ALIGN_DOWN(zone_sz, 2); + if (!zone_sz) { + dev_err(dev, "%s zone size == 0\n", name); + goto fail; +-- +2.43.0 + diff --git a/queue-5.10/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch b/queue-5.10/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch new file mode 100644 index 00000000000..d21f9ee53b9 --- /dev/null +++ b/queue-5.10/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch @@ -0,0 +1,34 @@ +From cc1955a73d23a7a05eb5d0a714a07e4573d77f6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 14:03:15 +0100 +Subject: RDMA/IPoIB: Fix error code return in ipoib_mcast_join + +From: Jack Wang + +[ Upstream commit 753fff78f430704548f45eda52d6d55371a52c0f ] + +Return the error code in case of ib_sa_join_multicast fail. + +Signed-off-by: Jack Wang +Link: https://lore.kernel.org/r/20231121130316.126364-2-jinpu.wang@ionos.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +index 86e4ed64e4e2..5633809dc61e 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -557,6 +557,7 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast) + spin_unlock_irq(&priv->lock); + complete(&mcast->done); + spin_lock_irq(&priv->lock); ++ return ret; + } + return 0; + } +-- +2.43.0 + diff --git a/queue-5.10/regulator-core-only-increment-use_count-when-enable_.patch b/queue-5.10/regulator-core-only-increment-use_count-when-enable_.patch new file mode 100644 index 00000000000..b1026a73677 --- /dev/null +++ b/queue-5.10/regulator-core-only-increment-use_count-when-enable_.patch @@ -0,0 +1,113 @@ +From 83ce26d5a5c9183b37f5f25d38f9295094992059 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 15:42:31 +0800 +Subject: regulator: core: Only increment use_count when enable_count changes + +From: Rui Zhang + +[ Upstream commit 7993d3a9c34f609c02171e115fd12c10e2105ff4 ] + +The use_count of a regulator should only be incremented when the +enable_count changes from 0 to 1. Similarly, the use_count should +only be decremented when the enable_count changes from 1 to 0. + +In the previous implementation, use_count was sometimes decremented +to 0 when some consumer called unbalanced disable, +leading to unexpected disable even the regulator is enabled by +other consumers. With this change, the use_count accurately reflects +the number of users which the regulator is enabled. + +This should make things more robust in the case where a consumer does +leak references. + +Signed-off-by: Rui Zhang +Link: https://lore.kernel.org/r/20231103074231.8031-1-zr.zhang@vivo.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 56 +++++++++++++++++++++------------------- + 1 file changed, 30 insertions(+), 26 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 51c4f604d3b2..54330eb0d03b 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -2768,7 +2768,8 @@ static int _regulator_enable(struct regulator *regulator) + /* Fallthrough on positive return values - already enabled */ + } + +- rdev->use_count++; ++ if (regulator->enable_count == 1) ++ rdev->use_count++; + + return 0; + +@@ -2846,37 +2847,40 @@ static int _regulator_disable(struct regulator *regulator) + + lockdep_assert_held_once(&rdev->mutex.base); + +- if (WARN(rdev->use_count <= 0, ++ if (WARN(regulator->enable_count == 0, + "unbalanced disables for %s\n", rdev_get_name(rdev))) + return -EIO; + +- /* are we the last user and permitted to disable ? */ +- if (rdev->use_count == 1 && +- (rdev->constraints && !rdev->constraints->always_on)) { +- +- /* we are last user */ +- if (regulator_ops_is_valid(rdev, REGULATOR_CHANGE_STATUS)) { +- ret = _notifier_call_chain(rdev, +- REGULATOR_EVENT_PRE_DISABLE, +- NULL); +- if (ret & NOTIFY_STOP_MASK) +- return -EINVAL; +- +- ret = _regulator_do_disable(rdev); +- if (ret < 0) { +- rdev_err(rdev, "failed to disable: %pe\n", ERR_PTR(ret)); +- _notifier_call_chain(rdev, +- REGULATOR_EVENT_ABORT_DISABLE, ++ if (regulator->enable_count == 1) { ++ /* disabling last enable_count from this regulator */ ++ /* are we the last user and permitted to disable ? */ ++ if (rdev->use_count == 1 && ++ (rdev->constraints && !rdev->constraints->always_on)) { ++ ++ /* we are last user */ ++ if (regulator_ops_is_valid(rdev, REGULATOR_CHANGE_STATUS)) { ++ ret = _notifier_call_chain(rdev, ++ REGULATOR_EVENT_PRE_DISABLE, ++ NULL); ++ if (ret & NOTIFY_STOP_MASK) ++ return -EINVAL; ++ ++ ret = _regulator_do_disable(rdev); ++ if (ret < 0) { ++ rdev_err(rdev, "failed to disable: %pe\n", ERR_PTR(ret)); ++ _notifier_call_chain(rdev, ++ REGULATOR_EVENT_ABORT_DISABLE, ++ NULL); ++ return ret; ++ } ++ _notifier_call_chain(rdev, REGULATOR_EVENT_DISABLE, + NULL); +- return ret; + } +- _notifier_call_chain(rdev, REGULATOR_EVENT_DISABLE, +- NULL); +- } + +- rdev->use_count = 0; +- } else if (rdev->use_count > 1) { +- rdev->use_count--; ++ rdev->use_count = 0; ++ } else if (rdev->use_count > 1) { ++ rdev->use_count--; ++ } + } + + if (ret == 0) +-- +2.43.0 + diff --git a/queue-5.10/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch b/queue-5.10/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch new file mode 100644 index 00000000000..b79fa1d310b --- /dev/null +++ b/queue-5.10/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch @@ -0,0 +1,46 @@ +From 1551751b3929c7a734abb2e0ef3736c6cddb1000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 17:48:46 +0100 +Subject: rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() + +From: Oleg Nesterov + +[ Upstream commit bad1a11c0f061aa073bab785389fe04f19ba02e1 ] + +rxrpc_find_service_conn_rcu() should make the "seq" counter odd on the +second pass, otherwise read_seqbegin_or_lock() never takes the lock. + +Signed-off-by: Oleg Nesterov +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20231117164846.GA10410@redhat.com/ +Signed-off-by: Sasha Levin +--- + net/rxrpc/conn_service.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/rxrpc/conn_service.c b/net/rxrpc/conn_service.c +index 68508166bbc0..af0e95ef992d 100644 +--- a/net/rxrpc/conn_service.c ++++ b/net/rxrpc/conn_service.c +@@ -31,7 +31,7 @@ struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer, + struct rxrpc_conn_proto k; + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + struct rb_node *p; +- unsigned int seq = 0; ++ unsigned int seq = 1; + + k.epoch = sp->hdr.epoch; + k.cid = sp->hdr.cid & RXRPC_CIDMASK; +@@ -41,6 +41,7 @@ struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer, + * under just the RCU read lock, so we have to check for + * changes. + */ ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ + read_seqbegin_or_lock(&peer->service_conn_lock, &seq); + + p = rcu_dereference_raw(peer->service_conns.rb_node); +-- +2.43.0 + diff --git a/queue-5.10/s390-ptrace-handle-setting-of-fpc-register-correctly.patch b/queue-5.10/s390-ptrace-handle-setting-of-fpc-register-correctly.patch new file mode 100644 index 00000000000..d8d0efeb6a1 --- /dev/null +++ b/queue-5.10/s390-ptrace-handle-setting-of-fpc-register-correctly.patch @@ -0,0 +1,71 @@ +From 23b244393a59ce6a81f97f75fda694b3e190f50f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 18:55:59 +0100 +Subject: s390/ptrace: handle setting of fpc register correctly + +From: Heiko Carstens + +[ Upstream commit 8b13601d19c541158a6e18b278c00ba69ae37829 ] + +If the content of the floating point control (fpc) register of a traced +process is modified with the ptrace interface the new value is tested for +validity by temporarily loading it into the fpc register. + +This may lead to corruption of the fpc register of the tracing process: +if an interrupt happens while the value is temporarily loaded into the +fpc register, and within interrupt context floating point or vector +registers are used, the current fp/vx registers are saved with +save_fpu_regs() assuming they belong to user space and will be loaded into +fp/vx registers when returning to user space. + +test_fp_ctl() restores the original user space fpc register value, however +it will be discarded, when returning to user space. + +In result the tracer will incorrectly continue to run with the value that +was supposed to be used for the traced process. + +Fix this by saving fpu register contents with save_fpu_regs() before using +test_fp_ctl(). + +Reviewed-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ptrace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 3009bb527252..f381caddd905 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -411,6 +411,7 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) + /* + * floating point control reg. is in the thread structure + */ ++ save_fpu_regs(); + if ((unsigned int) data != 0 || + test_fp_ctl(data >> (BITS_PER_LONG - 32))) + return -EINVAL; +@@ -771,6 +772,7 @@ static int __poke_user_compat(struct task_struct *child, + /* + * floating point control reg. is in the thread structure + */ ++ save_fpu_regs(); + if (test_fp_ctl(tmp)) + return -EINVAL; + child->thread.fpu.fpc = data; +@@ -1010,9 +1012,7 @@ static int s390_fpregs_set(struct task_struct *target, + int rc = 0; + freg_t fprs[__NUM_FPRS]; + +- if (target == current) +- save_fpu_regs(); +- ++ save_fpu_regs(); + if (MACHINE_HAS_VX) + convert_vx_to_fp(fprs, target->thread.fpu.vxrs); + else +-- +2.43.0 + diff --git a/queue-5.10/scsi-arcmsr-support-new-pci-device-ids-1883-and-1886.patch b/queue-5.10/scsi-arcmsr-support-new-pci-device-ids-1883-and-1886.patch new file mode 100644 index 00000000000..a1ef597669e --- /dev/null +++ b/queue-5.10/scsi-arcmsr-support-new-pci-device-ids-1883-and-1886.patch @@ -0,0 +1,70 @@ +From 394d8291a332facf917dd3f0f31d8450d258ee25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Oct 2023 17:50:27 +0800 +Subject: scsi: arcmsr: Support new PCI device IDs 1883 and 1886 + +From: ching Huang + +[ Upstream commit 41c8a1a1e90fa4721f856bf3cf71211fd16d6434 ] + +Add support for Areca RAID controllers with PCI device IDs 1883 and 1886. + +Signed-off-by: ching Huang +Link: https://lore.kernel.org/r/7732e743eaad57681b1552eec9c6a86c76dbe459.camel@areca.com.tw +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arcmsr/arcmsr.h | 4 ++++ + drivers/scsi/arcmsr/arcmsr_hba.c | 6 ++++++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/scsi/arcmsr/arcmsr.h b/drivers/scsi/arcmsr/arcmsr.h +index 5d054d5c70a5..f2e587e66e19 100644 +--- a/drivers/scsi/arcmsr/arcmsr.h ++++ b/drivers/scsi/arcmsr/arcmsr.h +@@ -77,9 +77,13 @@ struct device_attribute; + #ifndef PCI_DEVICE_ID_ARECA_1203 + #define PCI_DEVICE_ID_ARECA_1203 0x1203 + #endif ++#ifndef PCI_DEVICE_ID_ARECA_1883 ++#define PCI_DEVICE_ID_ARECA_1883 0x1883 ++#endif + #ifndef PCI_DEVICE_ID_ARECA_1884 + #define PCI_DEVICE_ID_ARECA_1884 0x1884 + #endif ++#define PCI_DEVICE_ID_ARECA_1886_0 0x1886 + #define PCI_DEVICE_ID_ARECA_1886 0x188A + #define ARCMSR_HOURS (1000 * 60 * 60 * 4) + #define ARCMSR_MINUTES (1000 * 60 * 60) +diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c +index 9294a2c677b3..199b102f31a2 100644 +--- a/drivers/scsi/arcmsr/arcmsr_hba.c ++++ b/drivers/scsi/arcmsr/arcmsr_hba.c +@@ -208,8 +208,12 @@ static struct pci_device_id arcmsr_device_id_table[] = { + .driver_data = ACB_ADAPTER_TYPE_A}, + {PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1880), + .driver_data = ACB_ADAPTER_TYPE_C}, ++ {PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1883), ++ .driver_data = ACB_ADAPTER_TYPE_C}, + {PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1884), + .driver_data = ACB_ADAPTER_TYPE_E}, ++ {PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1886_0), ++ .driver_data = ACB_ADAPTER_TYPE_F}, + {PCI_DEVICE(PCI_VENDOR_ID_ARECA, PCI_DEVICE_ID_ARECA_1886), + .driver_data = ACB_ADAPTER_TYPE_F}, + {0, 0}, /* Terminating entry */ +@@ -4701,9 +4705,11 @@ static const char *arcmsr_info(struct Scsi_Host *host) + case PCI_DEVICE_ID_ARECA_1680: + case PCI_DEVICE_ID_ARECA_1681: + case PCI_DEVICE_ID_ARECA_1880: ++ case PCI_DEVICE_ID_ARECA_1883: + case PCI_DEVICE_ID_ARECA_1884: + type = "SAS/SATA"; + break; ++ case PCI_DEVICE_ID_ARECA_1886_0: + case PCI_DEVICE_ID_ARECA_1886: + type = "NVMe/SAS/SATA"; + break; +-- +2.43.0 + diff --git a/queue-5.10/scsi-libfc-don-t-schedule-abort-twice.patch b/queue-5.10/scsi-libfc-don-t-schedule-abort-twice.patch new file mode 100644 index 00000000000..5d752dcbf46 --- /dev/null +++ b/queue-5.10/scsi-libfc-don-t-schedule-abort-twice.patch @@ -0,0 +1,68 @@ +From f99105d036ec38c0c34650ccab130fbe416d790d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:58:30 +0100 +Subject: scsi: libfc: Don't schedule abort twice + +From: Hannes Reinecke + +[ Upstream commit b57c4db5d23b9df0118a25e2441c9288edd73710 ] + +The current FC error recovery is sending up to three REC (recovery) frames +in 10 second intervals, and as a final step sending an ABTS after 30 +seconds for the command itself. Unfortunately sending an ABTS is also the +action for the SCSI abort handler, and the default timeout for SCSI +commands is also 30 seconds. This causes two ABTS to be scheduled, with the +libfc one slightly earlier. The ABTS scheduled by SCSI EH then sees the +command to be already aborted, and will always return with a 'GOOD' status +irrespective on the actual result from the first ABTS. This causes the +SCSI EH abort handler to always succeed, and SCSI EH never to be engaged. +Fix this by not issuing an ABTS when a SCSI command is present for the +exchange, but rather wait for the abort scheduled from SCSI EH. And warn +if an abort is already scheduled to avoid similar errors in the future. + +Signed-off-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20231129165832.224100-2-hare@kernel.org +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_fcp.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c +index 7cfeb6886237..6f005ada489b 100644 +--- a/drivers/scsi/libfc/fc_fcp.c ++++ b/drivers/scsi/libfc/fc_fcp.c +@@ -270,6 +270,11 @@ static int fc_fcp_send_abort(struct fc_fcp_pkt *fsp) + if (!fsp->seq_ptr) + return -EINVAL; + ++ if (fsp->state & FC_SRB_ABORT_PENDING) { ++ FC_FCP_DBG(fsp, "abort already pending\n"); ++ return -EBUSY; ++ } ++ + per_cpu_ptr(fsp->lp->stats, get_cpu())->FcpPktAborts++; + put_cpu(); + +@@ -1700,11 +1705,12 @@ static void fc_fcp_recovery(struct fc_fcp_pkt *fsp, u8 code) + fsp->status_code = code; + fsp->cdb_status = 0; + fsp->io_status = 0; +- /* +- * if this fails then we let the scsi command timer fire and +- * scsi-ml escalate. +- */ +- fc_fcp_send_abort(fsp); ++ if (!fsp->cmd) ++ /* ++ * Only abort non-scsi commands; otherwise let the ++ * scsi command timer fire and scsi-ml escalate. ++ */ ++ fc_fcp_send_abort(fsp); + } + + /** +-- +2.43.0 + diff --git a/queue-5.10/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch b/queue-5.10/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch new file mode 100644 index 00000000000..1aae886c845 --- /dev/null +++ b/queue-5.10/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch @@ -0,0 +1,37 @@ +From 6180b984fbd1c99e0217665aa47fa86d8a9db2f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:58:31 +0100 +Subject: scsi: libfc: Fix up timeout error in fc_fcp_rec_error() + +From: Hannes Reinecke + +[ Upstream commit 53122a49f49796beb2c4a1bb702303b66347e29f ] + +We should set the status to FC_TIMED_OUT when a timeout error is passed to +fc_fcp_rec_error(). + +Signed-off-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20231129165832.224100-3-hare@kernel.org +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_fcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c +index 6f005ada489b..61c12dde967e 100644 +--- a/drivers/scsi/libfc/fc_fcp.c ++++ b/drivers/scsi/libfc/fc_fcp.c +@@ -1686,7 +1686,7 @@ static void fc_fcp_rec_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp) + if (fsp->recov_retry++ < FC_MAX_RECOV_RETRY) + fc_fcp_rec(fsp); + else +- fc_fcp_recovery(fsp, FC_ERROR); ++ fc_fcp_recovery(fsp, FC_TIMED_OUT); + break; + } + fc_fcp_unlock_pkt(fsp); +-- +2.43.0 + diff --git a/queue-5.10/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch b/queue-5.10/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch new file mode 100644 index 00000000000..cc93bcd65c4 --- /dev/null +++ b/queue-5.10/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch @@ -0,0 +1,64 @@ +From 55d94d69c07074bccc7d2cd55a57446fbd57c149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 12:12:17 -0700 +Subject: scsi: lpfc: Fix possible file string name overflow when updating + firmware + +From: Justin Tee + +[ Upstream commit f5779b529240b715f0e358489ad0ed933bf77c97 ] + +Because file_name and phba->ModelName are both declared a size 80 bytes, +the extra ".grp" file extension could cause an overflow into file_name. + +Define a ELX_FW_NAME_SIZE macro with value 84. 84 incorporates the 4 extra +characters from ".grp". file_name is changed to be declared as a char and +initialized to zeros i.e. null chars. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc.h | 1 + + drivers/scsi/lpfc/lpfc_init.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 03bc472f302a..cf69f831a725 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -32,6 +32,7 @@ + struct lpfc_sli2_slim; + + #define ELX_MODEL_NAME_SIZE 80 ++#define ELX_FW_NAME_SIZE 84 + + #define LPFC_PCI_DEV_LP 0x1 + #define LPFC_PCI_DEV_OC 0x2 +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 1bb3c96a04bd..5f2009327a59 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -13026,7 +13026,7 @@ lpfc_write_firmware(const struct firmware *fw, void *context) + int + lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade) + { +- uint8_t file_name[ELX_MODEL_NAME_SIZE]; ++ char file_name[ELX_FW_NAME_SIZE] = {0}; + int ret; + const struct firmware *fw; + +@@ -13035,7 +13035,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade) + LPFC_SLI_INTF_IF_TYPE_2) + return -EPERM; + +- snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName); ++ scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName); + + if (fw_upgrade == INT_FW_UPGRADE) { + ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_HOTPLUG, +-- +2.43.0 + diff --git a/queue-5.10/selftests-bpf-fix-pyperf180-compilation-failure-with.patch b/queue-5.10/selftests-bpf-fix-pyperf180-compilation-failure-with.patch new file mode 100644 index 00000000000..b4fbb99a780 --- /dev/null +++ b/queue-5.10/selftests-bpf-fix-pyperf180-compilation-failure-with.patch @@ -0,0 +1,83 @@ +From acbab276dd3fb14978740cdcf3f7adbbda3bb84e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 11:36:44 -0800 +Subject: selftests/bpf: Fix pyperf180 compilation failure with clang18 + +From: Yonghong Song + +[ Upstream commit 100888fb6d8a185866b1520031ee7e3182b173de ] + +With latest clang18 (main branch of llvm-project repo), when building bpf selftests, + [~/work/bpf-next (master)]$ make -C tools/testing/selftests/bpf LLVM=1 -j + +The following compilation error happens: + fatal error: error in backend: Branch target out of insn range + ... + Stack dump: + 0. Program arguments: clang -g -Wall -Werror -D__TARGET_ARCH_x86 -mlittle-endian + -I/home/yhs/work/bpf-next/tools/testing/selftests/bpf/tools/include + -I/home/yhs/work/bpf-next/tools/testing/selftests/bpf -I/home/yhs/work/bpf-next/tools/include/uapi + -I/home/yhs/work/bpf-next/tools/testing/selftests/usr/include -idirafter + /home/yhs/work/llvm-project/llvm/build.18/install/lib/clang/18/include -idirafter /usr/local/include + -idirafter /usr/include -Wno-compare-distinct-pointer-types -DENABLE_ATOMICS_TESTS -O2 --target=bpf + -c progs/pyperf180.c -mcpu=v3 -o /home/yhs/work/bpf-next/tools/testing/selftests/bpf/pyperf180.bpf.o + 1. parser at end of file + 2. Code generation + ... + +The compilation failure only happens to cpu=v2 and cpu=v3. cpu=v4 is okay +since cpu=v4 supports 32-bit branch target offset. + +The above failure is due to upstream llvm patch [1] where some inlining behavior +are changed in clang18. + +To workaround the issue, previously all 180 loop iterations are fully unrolled. +The bpf macro __BPF_CPU_VERSION__ (implemented in clang18 recently) is used to avoid +unrolling changes if cpu=v4. If __BPF_CPU_VERSION__ is not available and the +compiler is clang18, the unrollng amount is unconditionally reduced. + + [1] https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e + +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Tested-by: Alan Maguire +Link: https://lore.kernel.org/bpf/20231110193644.3130906-1-yonghong.song@linux.dev +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/pyperf180.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/tools/testing/selftests/bpf/progs/pyperf180.c b/tools/testing/selftests/bpf/progs/pyperf180.c +index c39f559d3100..42c4a8b62e36 100644 +--- a/tools/testing/selftests/bpf/progs/pyperf180.c ++++ b/tools/testing/selftests/bpf/progs/pyperf180.c +@@ -1,4 +1,26 @@ + // SPDX-License-Identifier: GPL-2.0 + // Copyright (c) 2019 Facebook + #define STACK_MAX_LEN 180 ++ ++/* llvm upstream commit at clang18 ++ * https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e ++ * changed inlining behavior and caused compilation failure as some branch ++ * target distance exceeded 16bit representation which is the maximum for ++ * cpu v1/v2/v3. Macro __BPF_CPU_VERSION__ is later implemented in clang18 ++ * to specify which cpu version is used for compilation. So a smaller ++ * unroll_count can be set if __BPF_CPU_VERSION__ is less than 4, which ++ * reduced some branch target distances and resolved the compilation failure. ++ * ++ * To capture the case where a developer/ci uses clang18 but the corresponding ++ * repo checkpoint does not have __BPF_CPU_VERSION__, a smaller unroll_count ++ * will be set as well to prevent potential compilation failures. ++ */ ++#ifdef __BPF_CPU_VERSION__ ++#if __BPF_CPU_VERSION__ < 4 ++#define UNROLL_COUNT 90 ++#endif ++#elif __clang_major__ == 18 ++#define UNROLL_COUNT 90 ++#endif ++ + #include "pyperf.h" +-- +2.43.0 + diff --git a/queue-5.10/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch b/queue-5.10/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch new file mode 100644 index 00000000000..7ca7bdaa411 --- /dev/null +++ b/queue-5.10/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch @@ -0,0 +1,35 @@ +From e8940a7ee48cba9a2aa5844b1e6a29a9f4943163 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 20:37:44 -0700 +Subject: selftests/bpf: satisfy compiler by having explicit return in btf test + +From: Andrii Nakryiko + +[ Upstream commit f4c7e887324f5776eef6e6e47a90e0ac8058a7a8 ] + +Some compilers complain about get_pprint_mapv_size() not returning value +in some code paths. Fix with explicit return. + +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20231102033759.2541186-3-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/btf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/btf.c b/tools/testing/selftests/bpf/prog_tests/btf.c +index 28d22265b825..cbdc2839904e 100644 +--- a/tools/testing/selftests/bpf/prog_tests/btf.c ++++ b/tools/testing/selftests/bpf/prog_tests/btf.c +@@ -4611,6 +4611,7 @@ static size_t get_pprint_mapv_size(enum pprint_mapv_kind_t mapv_kind) + #endif + + assert(0); ++ return 0; + } + + static void set_pprint_mapv(enum pprint_mapv_kind_t mapv_kind, +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 13852f3ca74..b15db60dd50 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -99,3 +99,130 @@ mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch cifs-fix-off-by-one-in-smb2_query_info_init.patch +powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch +drivers-perf-pmuv3-don-t-expose-sw_incr-event-in-sys.patch +powerpc-fix-build-error-due-to-is_valid_bugaddr.patch +powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch +x86-boot-ignore-nmis-during-very-early-boot.patch +powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch +powerpc-lib-validate-size-for-vector-operations.patch +x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch +perf-core-fix-narrow-startup-race-when-creating-the-.patch +debugobjects-stop-accessing-objects-after-releasing-.patch +regulator-core-only-increment-use_count-when-enable_.patch +audit-send-netlink-ack-before-setting-connection-in-.patch +acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch +pnp-acpi-fix-fortify-warning.patch +acpi-extlog-fix-null-pointer-dereference-check.patch +pm-devfreq-synchronize-devfreq_monitor_-start-stop.patch +acpi-apei-set-memory-failure-flags-as-mf_action_requ.patch +fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch +ubsan-array-index-out-of-bounds-in-dtsplitroot.patch +jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch +jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch +jfs-fix-uaf-in-jfs_evict_inode.patch +pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch +crypto-stm32-crc32-fix-parsing-list-of-devices.patch +afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_lo.patch +afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch +rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch +jfs-fix-array-index-out-of-bounds-in-dinewext.patch +hexagon-make-pfn-accessors-statics-inlines.patch +s390-ptrace-handle-setting-of-fpc-register-correctly.patch +kvm-s390-fix-setting-of-fpc-register.patch +sunrpc-fix-a-suspicious-rcu-usage-warning.patch +ecryptfs-reject-casefold-directory-inodes.patch +ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch +ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch +ext4-remove-unnecessary-check-from-alloc_flex_gd.patch +ext4-avoid-online-resizing-failures-due-to-oversized.patch +wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch +selftests-bpf-satisfy-compiler-by-having-explicit-re.patch +selftests-bpf-fix-pyperf180-compilation-failure-with.patch +scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch +pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch +bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch +scsi-arcmsr-support-new-pci-device-ids-1883-and-1886.patch +arm-dts-imx7d-fix-coresight-funnel-ports.patch +arm-dts-imx7s-fix-lcdif-compatible.patch +arm-dts-imx7s-fix-nand-controller-size-cells.patch +wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch +bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch +scsi-libfc-don-t-schedule-abort-twice.patch +scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch +net-mvmdio-avoid-excessive-sleeps-in-polled-mode.patch +bpf-set-uattr-batch.count-as-zero-before-batched-upd.patch +arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch +arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch +arm-dts-imx-use-flash-0-0-pattern.patch +arm-dts-imx27-fix-sram-node.patch +arm-dts-imx1-fix-sram-node.patch +ionic-pass-opcode-to-devcmd_wait.patch +block-rnbd-srv-check-for-unlikely-string-overflow.patch +arm-dts-imx25-fix-the-iim-compatible-string.patch +arm-dts-imx25-27-pass-timing0.patch +arm-dts-imx27-apf27dev-fix-led-name.patch +arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch +arm-dts-imx23-28-fix-the-dma-controller-node-name.patch +net-dsa-mv88e6xxx-fix-mv88e6352_serdes_get_stats-err.patch +block-prevent-an-integer-overflow-in-bvec_try_merge_.patch +md-whenassemble-the-array-consult-the-superblock-of-.patch +arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch +arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch +wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch +libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch +wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch +wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch +bluetooth-qca-set-both-wideband_speech-and-le_states.patch +bluetooth-l2cap-fix-possible-multiple-reject-send.patch +i40e-fix-vf-disable-behavior-to-block-all-traffic.patch +f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch +alsa-hda-refer-to-correct-stream-index-at-loops.patch +asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch +drm-fix-color-lut-rounding.patch +fast_dput-handle-underflows-gracefully.patch +rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch +drm-amd-display-fix-tiled-display-misalignment.patch +f2fs-fix-write-pointers-on-zoned-device-after-roll-f.patch +drm-drm_file-fix-use-of-uninitialized-variable.patch +drm-framebuffer-fix-use-of-uninitialized-variable.patch +drm-mipi-dsi-fix-detach-call-without-attach.patch +media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch +media-rockchip-rga-fix-swizzling-for-rgb-formats.patch +pci-add-intel_hda_arl-to-pci_ids.h.patch +alsa-hda-intel-add-hda_arl-pci-id-support.patch +alsa-hda-intel-dspcfg-add-filters-for-arl-s-and-arl.patch +hwmon-pc87360-bounds-check-data-innr-usage.patch +drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch +ib-ipoib-fix-mcast-list-locking.patch +media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch +drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch +clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch +clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch +watchdog-it87_wdt-keep-wdtctrl-bit-3-unmodified-for-.patch +drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch +drm-amdgpu-let-kfd-sync-with-vm-fences.patch +drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch +leds-trigger-panic-don-t-register-panic-notifier-if-.patch +um-fix-naming-clash-between-uml-and-scheduler.patch +um-don-t-use-vfprintf-for-os_info.patch +um-net-fix-return-type-of-uml_net_start_xmit.patch +i3c-master-cdns-update-maximum-prescaler-value-for-i.patch +xen-gntdev-fix-the-abuse-of-underlying-struct-page-i.patch +mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch +pci-only-override-amd-usb-controller-if-required.patch +pci-switchtec-fix-stdev_release-crash-after-surprise.patch +usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch +tty-allow-tiocslcktrmios-with-cap_checkpoint_restore.patch +fs-kernfs-dir-obey-s_isgid.patch +pci-aer-decode-requester-id-when-no-error-info-found.patch +misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch +libsubcmd-fix-memory-leak-in-uniq.patch +virtio_net-fix-d-directive-writing-between-1-and-11-.patch +blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch +ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch +drm-amd-powerplay-fix-kzalloc-parameter-atom_tonga_p.patch +drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch +perf-fix-the-nr_addr_filters-fix.patch +wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch +drm-using-mul_u32_u32-requires-linux-math64.h.patch diff --git a/queue-5.10/sunrpc-fix-a-suspicious-rcu-usage-warning.patch b/queue-5.10/sunrpc-fix-a-suspicious-rcu-usage-warning.patch new file mode 100644 index 00000000000..40d115fb21b --- /dev/null +++ b/queue-5.10/sunrpc-fix-a-suspicious-rcu-usage-warning.patch @@ -0,0 +1,121 @@ +From aeec7d244bf68a6014c733ca03ca27fe4478b814 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 17:06:18 -0500 +Subject: SUNRPC: Fix a suspicious RCU usage warning + +From: Anna Schumaker + +[ Upstream commit 31b62908693c90d4d07db597e685d9f25a120073 ] + +I received the following warning while running cthon against an ontap +server running pNFS: + +[ 57.202521] ============================= +[ 57.202522] WARNING: suspicious RCU usage +[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted +[ 57.202525] ----------------------------- +[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!! +[ 57.202527] + other info that might help us debug this: + +[ 57.202528] + rcu_scheduler_active = 2, debug_locks = 1 +[ 57.202529] no locks held by test5/3567. +[ 57.202530] + stack backtrace: +[ 57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e +[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022 +[ 57.202536] Call Trace: +[ 57.202537] +[ 57.202540] dump_stack_lvl+0x77/0xb0 +[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0 +[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a] +[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a] +[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202866] write_cache_pages+0x265/0x450 +[ 57.202870] ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202913] do_writepages+0xd2/0x230 +[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80 +[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80 +[ 57.202924] filemap_write_and_wait_range+0xd9/0x170 +[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202969] __se_sys_close+0x46/0xd0 +[ 57.202972] do_syscall_64+0x68/0x100 +[ 57.202975] ? do_syscall_64+0x77/0x100 +[ 57.202976] ? do_syscall_64+0x77/0x100 +[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76 +[ 57.202982] RIP: 0033:0x7fe2b12e4a94 +[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3 +[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 +[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94 +[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003 +[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49 +[ 57.202993] R10: 00007fe2b11f8300 R11: 0000000000000202 R12: 0000000000000000 +[ 57.202994] R13: 00007ffe857dfd80 R14: 00007fe2b1445000 R15: 0000000000000000 +[ 57.202999] + +The problem seems to be that two out of three callers aren't taking the +rcu_read_lock() before calling the list_for_each_entry_rcu() function in +rpc_xprt_switch_has_addr(). I fix this by having +rpc_xprt_switch_has_addr() unconditionaly take the rcu_read_lock(), +which is okay to do recursively in the case that the lock has already +been taken by a caller. + +Reviewed-by: Jeff Layton +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtmultipath.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/xprtmultipath.c b/net/sunrpc/xprtmultipath.c +index 78c075a68c04..a11e80d17830 100644 +--- a/net/sunrpc/xprtmultipath.c ++++ b/net/sunrpc/xprtmultipath.c +@@ -253,8 +253,9 @@ struct rpc_xprt *xprt_iter_current_entry(struct rpc_xprt_iter *xpi) + return xprt_switch_find_current_entry(head, xpi->xpi_cursor); + } + +-bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, +- const struct sockaddr *sap) ++static ++bool __rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, ++ const struct sockaddr *sap) + { + struct list_head *head; + struct rpc_xprt *pos; +@@ -273,6 +274,18 @@ bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, + return false; + } + ++bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, ++ const struct sockaddr *sap) ++{ ++ bool res; ++ ++ rcu_read_lock(); ++ res = __rpc_xprt_switch_has_addr(xps, sap); ++ rcu_read_unlock(); ++ ++ return res; ++} ++ + static + struct rpc_xprt *xprt_switch_find_next_entry(struct list_head *head, + const struct rpc_xprt *cur) +-- +2.43.0 + diff --git a/queue-5.10/tty-allow-tiocslcktrmios-with-cap_checkpoint_restore.patch b/queue-5.10/tty-allow-tiocslcktrmios-with-cap_checkpoint_restore.patch new file mode 100644 index 00000000000..86fe14fe9ce --- /dev/null +++ b/queue-5.10/tty-allow-tiocslcktrmios-with-cap_checkpoint_restore.patch @@ -0,0 +1,63 @@ +From f34988d5f48064fd0e192bb31a752a2aedd9b767 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 15:36:56 +0100 +Subject: tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE + +From: Adrian Reber + +[ Upstream commit e0f25b8992345aa5f113da2815f5add98738c611 ] + +The capability CAP_CHECKPOINT_RESTORE was introduced to allow non-root +users to checkpoint and restore processes as non-root with CRIU. + +This change extends CAP_CHECKPOINT_RESTORE to enable the CRIU option +'--shell-job' as non-root. CRIU's man-page describes the '--shell-job' +option like this: + + Allow one to dump shell jobs. This implies the restored task will + inherit session and process group ID from the criu itself. This option + also allows to migrate a single external tty connection, to migrate + applications like top. + +TIOCSLCKTRMIOS can only be done if the process has CAP_SYS_ADMIN and +this change extends it to CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE. + +With this change it is possible to checkpoint and restore processes +which have a tty connection as non-root if CAP_CHECKPOINT_RESTORE is +set. + +Acked-by: Christian Brauner +Signed-off-by: Adrian Reber +Acked-by: Andrei Vagin +Link: https://lore.kernel.org/r/20231208143656.1019-1-areber@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_ioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c +index 12a30329abdb..7ae2630cb750 100644 +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -763,7 +763,7 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file, + ret = -EFAULT; + return ret; + case TIOCSLCKTRMIOS: +- if (!capable(CAP_SYS_ADMIN)) ++ if (!checkpoint_restore_ns_capable(&init_user_ns)) + return -EPERM; + copy_termios_locked(real_tty, &kterm); + if (user_termios_to_kernel_termios(&kterm, +@@ -780,7 +780,7 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file, + ret = -EFAULT; + return ret; + case TIOCSLCKTRMIOS: +- if (!capable(CAP_SYS_ADMIN)) ++ if (!checkpoint_restore_ns_capable(&init_user_ns)) + return -EPERM; + copy_termios_locked(real_tty, &kterm); + if (user_termios_to_kernel_termios_1(&kterm, +-- +2.43.0 + diff --git a/queue-5.10/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch b/queue-5.10/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch new file mode 100644 index 00000000000..827c049dce1 --- /dev/null +++ b/queue-5.10/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch @@ -0,0 +1,77 @@ +From 2affcca4705e4a51a4305f43b3aa2841cda7a52f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Oct 2023 00:10:28 +0500 +Subject: UBSAN: array-index-out-of-bounds in dtSplitRoot + +From: Osama Muhammad + +[ Upstream commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16 ] + +Syzkaller reported the following issue: + +oop0: detected capacity change from 0 to 32768 + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 +index -2 is out of range for type 'struct dtslot [128]' +CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 + dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 + dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] + dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 + jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 + vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 + do_mkdirat+0x279/0x550 fs/namei.c:4038 + __do_sys_mkdirat fs/namei.c:4053 [inline] + __se_sys_mkdirat fs/namei.c:4051 [inline] + __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fcdc0113fd9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 +RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 +RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 +R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 +R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 + + +The issue is caused when the value of fsi becomes less than -1. +The check to break the loop when fsi value becomes -1 is present +but syzbot was able to produce value less than -1 which cause the error. +This patch simply add the change for the values less than 0. + +The patch is tested via syzbot. + +Reported-and-tested-by: syzbot+d4b1df2e9d4ded6488ec@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=d4b1df2e9d4ded6488ec +Signed-off-by: Osama Muhammad +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index 837d42f61464..fafcb90219cf 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -1970,7 +1970,7 @@ static int dtSplitRoot(tid_t tid, + do { + f = &rp->slot[fsi]; + fsi = f->next; +- } while (fsi != -1); ++ } while (fsi >= 0); + + f->next = n; + } +-- +2.43.0 + diff --git a/queue-5.10/um-don-t-use-vfprintf-for-os_info.patch b/queue-5.10/um-don-t-use-vfprintf-for-os_info.patch new file mode 100644 index 00000000000..e3517885eb7 --- /dev/null +++ b/queue-5.10/um-don-t-use-vfprintf-for-os_info.patch @@ -0,0 +1,72 @@ +From ffaafa3ae5475f001cc07801b7f57491d8673e03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 12:03:41 +0100 +Subject: um: Don't use vfprintf() for os_info() + +From: Benjamin Berg + +[ Upstream commit 236f9fe39b02c15fa5530b53e9cca48354394389 ] + +The threads allocated inside the kernel have only a single page of +stack. Unfortunately, the vfprintf function in standard glibc may use +too much stack-space, overflowing it. + +To make os_info safe to be used by helper threads, use the kernel +vscnprintf function into a smallish buffer and write out the information +to stderr. + +Signed-off-by: Benjamin Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/os-Linux/util.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/um/os-Linux/util.c b/arch/um/os-Linux/util.c +index 07327425d06e..56d9589e1cd1 100644 +--- a/arch/um/os-Linux/util.c ++++ b/arch/um/os-Linux/util.c +@@ -166,23 +166,38 @@ __uml_setup("quiet", quiet_cmd_param, + "quiet\n" + " Turns off information messages during boot.\n\n"); + ++/* ++ * The os_info/os_warn functions will be called by helper threads. These ++ * have a very limited stack size and using the libc formatting functions ++ * may overflow the stack. ++ * So pull in the kernel vscnprintf and use that instead with a fixed ++ * on-stack buffer. ++ */ ++int vscnprintf(char *buf, size_t size, const char *fmt, va_list args); ++ + void os_info(const char *fmt, ...) + { ++ char buf[256]; + va_list list; ++ int len; + + if (quiet_info) + return; + + va_start(list, fmt); +- vfprintf(stderr, fmt, list); ++ len = vscnprintf(buf, sizeof(buf), fmt, list); ++ fwrite(buf, len, 1, stderr); + va_end(list); + } + + void os_warn(const char *fmt, ...) + { ++ char buf[256]; + va_list list; ++ int len; + + va_start(list, fmt); +- vfprintf(stderr, fmt, list); ++ len = vscnprintf(buf, sizeof(buf), fmt, list); ++ fwrite(buf, len, 1, stderr); + va_end(list); + } +-- +2.43.0 + diff --git a/queue-5.10/um-fix-naming-clash-between-uml-and-scheduler.patch b/queue-5.10/um-fix-naming-clash-between-uml-and-scheduler.patch new file mode 100644 index 00000000000..d80f960be66 --- /dev/null +++ b/queue-5.10/um-fix-naming-clash-between-uml-and-scheduler.patch @@ -0,0 +1,82 @@ +From f73bfff3aaaec40caaa2c961f09c83541049ec69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 15:34:44 +0100 +Subject: um: Fix naming clash between UML and scheduler + +From: Anton Ivanov + +[ Upstream commit 541d4e4d435c8b9bfd29f70a1da4a2db97794e0a ] + +__cant_sleep was already used and exported by the scheduler. +The name had to be changed to a UML specific one. + +Signed-off-by: Anton Ivanov +Reviewed-by: Peter Lafreniere +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/shared/kern_util.h | 2 +- + arch/um/kernel/process.c | 2 +- + arch/um/os-Linux/helper.c | 6 +++--- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/um/include/shared/kern_util.h b/arch/um/include/shared/kern_util.h +index 9c08e728a675..83171f9e0912 100644 +--- a/arch/um/include/shared/kern_util.h ++++ b/arch/um/include/shared/kern_util.h +@@ -51,7 +51,7 @@ extern void do_uml_exitcalls(void); + * Are we disallowed to sleep? Used to choose between GFP_KERNEL and + * GFP_ATOMIC. + */ +-extern int __cant_sleep(void); ++extern int __uml_cant_sleep(void); + extern int get_current_pid(void); + extern int copy_from_user_proc(void *to, void *from, int size); + extern int cpu(void); +diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c +index e6c9b11b2033..76faaf1082ce 100644 +--- a/arch/um/kernel/process.c ++++ b/arch/um/kernel/process.c +@@ -221,7 +221,7 @@ void arch_cpu_idle(void) + raw_local_irq_enable(); + } + +-int __cant_sleep(void) { ++int __uml_cant_sleep(void) { + return in_atomic() || irqs_disabled() || in_interrupt(); + /* Is in_interrupt() really needed? */ + } +diff --git a/arch/um/os-Linux/helper.c b/arch/um/os-Linux/helper.c +index 9fa6e4187d4f..57a27555092f 100644 +--- a/arch/um/os-Linux/helper.c ++++ b/arch/um/os-Linux/helper.c +@@ -45,7 +45,7 @@ int run_helper(void (*pre_exec)(void *), void *pre_data, char **argv) + unsigned long stack, sp; + int pid, fds[2], ret, n; + +- stack = alloc_stack(0, __cant_sleep()); ++ stack = alloc_stack(0, __uml_cant_sleep()); + if (stack == 0) + return -ENOMEM; + +@@ -69,7 +69,7 @@ int run_helper(void (*pre_exec)(void *), void *pre_data, char **argv) + data.pre_data = pre_data; + data.argv = argv; + data.fd = fds[1]; +- data.buf = __cant_sleep() ? uml_kmalloc(PATH_MAX, UM_GFP_ATOMIC) : ++ data.buf = __uml_cant_sleep() ? uml_kmalloc(PATH_MAX, UM_GFP_ATOMIC) : + uml_kmalloc(PATH_MAX, UM_GFP_KERNEL); + pid = clone(helper_child, (void *) sp, CLONE_VM, &data); + if (pid < 0) { +@@ -116,7 +116,7 @@ int run_helper_thread(int (*proc)(void *), void *arg, unsigned int flags, + unsigned long stack, sp; + int pid, status, err; + +- stack = alloc_stack(0, __cant_sleep()); ++ stack = alloc_stack(0, __uml_cant_sleep()); + if (stack == 0) + return -ENOMEM; + +-- +2.43.0 + diff --git a/queue-5.10/um-net-fix-return-type-of-uml_net_start_xmit.patch b/queue-5.10/um-net-fix-return-type-of-uml_net_start_xmit.patch new file mode 100644 index 00000000000..6db3098d32c --- /dev/null +++ b/queue-5.10/um-net-fix-return-type-of-uml_net_start_xmit.patch @@ -0,0 +1,53 @@ +From 0fc09f04a979a752ee13a527ff19c32a1e6e53f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:49:46 -0700 +Subject: um: net: Fix return type of uml_net_start_xmit() + +From: Nathan Chancellor + +[ Upstream commit 7d748f60a4b82b50bf25fad1bd42d33f049f76aa ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +warning in clang aims to catch these at compile time, which reveals: + + arch/um/drivers/net_kern.c:353:21: warning: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Wincompatible-function-pointer-types-strict] + 353 | .ndo_start_xmit = uml_net_start_xmit, + | ^~~~~~~~~~~~~~~~~~ + 1 warning generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of uml_net_start_xmit() +to match the prototype's to resolve the warning. While UML does not +currently implement support for kCFI, it could in the future, which +means this warning becomes a fatal CFI failure at run time. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202310031340.v1vPh207-lkp@intel.com/ +Acked-by: Anton Ivanov +Signed-off-by: Nathan Chancellor +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/net_kern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/drivers/net_kern.c b/arch/um/drivers/net_kern.c +index 1802cf4ef5a5..ee55333255d0 100644 +--- a/arch/um/drivers/net_kern.c ++++ b/arch/um/drivers/net_kern.c +@@ -204,7 +204,7 @@ static int uml_net_close(struct net_device *dev) + return 0; + } + +-static int uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct uml_net_private *lp = netdev_priv(dev); + unsigned long flags; +-- +2.43.0 + diff --git a/queue-5.10/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch b/queue-5.10/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch new file mode 100644 index 00000000000..9e4bb86aad5 --- /dev/null +++ b/queue-5.10/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch @@ -0,0 +1,39 @@ +From 024855d26852d63554603cceda7af8b3e1295266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 19:18:28 +0100 +Subject: usb: hub: Replace hardcoded quirk value with BIT() macro + +From: Hardik Gajjar + +[ Upstream commit 6666ea93d2c422ebeb8039d11e642552da682070 ] + +This patch replaces the hardcoded quirk value in the macro with +BIT(). + +Signed-off-by: Hardik Gajjar +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20231205181829.127353-1-hgajjar@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 331f41c6cc75..a3a7dd7d3326 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -46,8 +46,8 @@ + #define USB_VENDOR_TEXAS_INSTRUMENTS 0x0451 + #define USB_PRODUCT_TUSB8041_USB3 0x8140 + #define USB_PRODUCT_TUSB8041_USB2 0x8142 +-#define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01 +-#define HUB_QUIRK_DISABLE_AUTOSUSPEND 0x02 ++#define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND BIT(0) ++#define HUB_QUIRK_DISABLE_AUTOSUSPEND BIT(1) + + #define USB_TP_TRANSMISSION_DELAY 40 /* ns */ + #define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */ +-- +2.43.0 + diff --git a/queue-5.10/virtio_net-fix-d-directive-writing-between-1-and-11-.patch b/queue-5.10/virtio_net-fix-d-directive-writing-between-1-and-11-.patch new file mode 100644 index 00000000000..0c0d1e54a4f --- /dev/null +++ b/queue-5.10/virtio_net-fix-d-directive-writing-between-1-and-11-.patch @@ -0,0 +1,84 @@ +From 6e82ab74595ca520e884a7f946e1db3c7c9658ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jan 2024 10:09:02 +0800 +Subject: =?UTF-8?q?virtio=5Fnet:=20Fix=20"=E2=80=98%d=E2=80=99=20directive?= + =?UTF-8?q?=20writing=20between=201=20and=2011=20bytes=20into=20a=20region?= + =?UTF-8?q?=20of=20size=2010"=20warnings?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhu Yanjun + +[ Upstream commit e3fe8d28c67bf6c291e920c6d04fa22afa14e6e4 ] + +Fix the warnings when building virtio_net driver. + +" +drivers/net/virtio_net.c: In function ‘init_vqs’: +drivers/net/virtio_net.c:4551:48: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 10 [-Wformat-overflow=] + 4551 | sprintf(vi->rq[i].name, "input.%d", i); + | ^~ +In function ‘virtnet_find_vqs’, + inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8: +drivers/net/virtio_net.c:4551:41: note: directive argument in the range [-2147483643, 65534] + 4551 | sprintf(vi->rq[i].name, "input.%d", i); + | ^~~~~~~~~~ +drivers/net/virtio_net.c:4551:17: note: ‘sprintf’ output between 8 and 18 bytes into a destination of size 16 + 4551 | sprintf(vi->rq[i].name, "input.%d", i); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/net/virtio_net.c: In function ‘init_vqs’: +drivers/net/virtio_net.c:4552:49: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 9 [-Wformat-overflow=] + 4552 | sprintf(vi->sq[i].name, "output.%d", i); + | ^~ +In function ‘virtnet_find_vqs’, + inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8: +drivers/net/virtio_net.c:4552:41: note: directive argument in the range [-2147483643, 65534] + 4552 | sprintf(vi->sq[i].name, "output.%d", i); + | ^~~~~~~~~~~ +drivers/net/virtio_net.c:4552:17: note: ‘sprintf’ output between 9 and 19 bytes into a destination of size 16 + 4552 | sprintf(vi->sq[i].name, "output.%d", i); + +" + +Reviewed-by: Xuan Zhuo +Signed-off-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20240104020902.2753599-1-yanjun.zhu@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 2fd5d2b7a209..4029c56dfcf0 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -2819,10 +2819,11 @@ static int virtnet_find_vqs(struct virtnet_info *vi) + { + vq_callback_t **callbacks; + struct virtqueue **vqs; +- int ret = -ENOMEM; +- int i, total_vqs; + const char **names; ++ int ret = -ENOMEM; ++ int total_vqs; + bool *ctx; ++ u16 i; + + /* We expect 1 RX virtqueue followed by 1 TX virtqueue, followed by + * possible N-1 RX/TX queue pairs used in multiqueue mode, followed by +@@ -2859,8 +2860,8 @@ static int virtnet_find_vqs(struct virtnet_info *vi) + for (i = 0; i < vi->max_queue_pairs; i++) { + callbacks[rxq2vq(i)] = skb_recv_done; + callbacks[txq2vq(i)] = skb_xmit_done; +- sprintf(vi->rq[i].name, "input.%d", i); +- sprintf(vi->sq[i].name, "output.%d", i); ++ sprintf(vi->rq[i].name, "input.%u", i); ++ sprintf(vi->sq[i].name, "output.%u", i); + names[rxq2vq(i)] = vi->rq[i].name; + names[txq2vq(i)] = vi->sq[i].name; + if (ctx) +-- +2.43.0 + diff --git a/queue-5.10/watchdog-it87_wdt-keep-wdtctrl-bit-3-unmodified-for-.patch b/queue-5.10/watchdog-it87_wdt-keep-wdtctrl-bit-3-unmodified-for-.patch new file mode 100644 index 00000000000..227bf4e9ed3 --- /dev/null +++ b/queue-5.10/watchdog-it87_wdt-keep-wdtctrl-bit-3-unmodified-for-.patch @@ -0,0 +1,71 @@ +From c3fc8645139b6ca937828cb6f2360f1c4d6a2066 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 10:45:25 +0100 +Subject: watchdog: it87_wdt: Keep WDTCTRL bit 3 unmodified for IT8784/IT8786 + +From: Werner Fischer + +[ Upstream commit d12971849d71781c1e4ffd1117d4878ce233d319 ] + +WDTCTRL bit 3 sets the mode choice for the clock input of IT8784/IT8786. +Some motherboards require this bit to be set to 1 (= PCICLK mode), +otherwise the watchdog functionality gets broken. The BIOS of those +motherboards sets WDTCTRL bit 3 already to 1. + +Instead of setting all bits of WDTCTRL to 0 by writing 0x00 to it, keep +bit 3 of it unchanged for IT8784/IT8786 chips. In this way, bit 3 keeps +the status as set by the BIOS of the motherboard. + +Watchdog tests have been successful with this patch with the following +systems: + IT8784: Thomas-Krenn LES plus v2 (YANLING YL-KBRL2 V2) + IT8786: Thomas-Krenn LES plus v3 (YANLING YL-CLU L2) + IT8786: Thomas-Krenn LES network 6L v2 (YANLING YL-CLU6L) + +Link: https://lore.kernel.org/all/140b264d-341f-465b-8715-dacfe84b3f71@roeck-us.net/ + +Signed-off-by: Werner Fischer +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20231213094525.11849-4-devlists@wefi.net +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/it87_wdt.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/it87_wdt.c b/drivers/watchdog/it87_wdt.c +index 2b4831842162..6340ca058f89 100644 +--- a/drivers/watchdog/it87_wdt.c ++++ b/drivers/watchdog/it87_wdt.c +@@ -263,6 +263,7 @@ static struct watchdog_device wdt_dev = { + static int __init it87_wdt_init(void) + { + u8 chip_rev; ++ u8 ctrl; + int rc; + + rc = superio_enter(); +@@ -321,7 +322,18 @@ static int __init it87_wdt_init(void) + + superio_select(GPIO); + superio_outb(WDT_TOV1, WDTCFG); +- superio_outb(0x00, WDTCTRL); ++ ++ switch (chip_type) { ++ case IT8784_ID: ++ case IT8786_ID: ++ ctrl = superio_inb(WDTCTRL); ++ ctrl &= 0x08; ++ superio_outb(ctrl, WDTCTRL); ++ break; ++ default: ++ superio_outb(0x00, WDTCTRL); ++ } ++ + superio_exit(); + + if (timeout < 1 || timeout > max_units * 60) { +-- +2.43.0 + diff --git a/queue-5.10/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch b/queue-5.10/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch new file mode 100644 index 00000000000..6082d011bee --- /dev/null +++ b/queue-5.10/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch @@ -0,0 +1,61 @@ +From 05eb444d63666550b8b9e3cb7ffd8615c1f895ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 20:31:04 +0200 +Subject: wifi: ath9k: Fix potential array-index-out-of-bounds read in + ath9k_htc_txstatus() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Minsuk Kang + +[ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ] + +Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug +occurs when txs->cnt, data from a URB provided by a USB device, is +bigger than the size of the array txs->txstatus, which is +HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug +handling code after the check. Make the function return if that is the +case. + +Found by a modified version of syzkaller. + +UBSAN: array-index-out-of-bounds in htc_drv_txrx.c +index 13 is out of range for type '__wmi_event_txstatus [12]' +Call Trace: + ath9k_htc_txstatus + ath9k_wmi_event_tasklet + tasklet_action_common + __do_softirq + irq_exit_rxu + sysvec_apic_timer_interrupt + +Signed-off-by: Minsuk Kang +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index 622fc7f17040..5037142c5a82 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -647,9 +647,10 @@ void ath9k_htc_txstatus(struct ath9k_htc_priv *priv, void *wmi_event) + struct ath9k_htc_tx_event *tx_pend; + int i; + +- for (i = 0; i < txs->cnt; i++) { +- WARN_ON(txs->cnt > HTC_MAX_TX_STATUS); ++ if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS)) ++ return; + ++ for (i = 0; i < txs->cnt; i++) { + __txs = &txs->txstatus[i]; + + skb = ath9k_htc_tx_get_packet(priv, __txs); +-- +2.43.0 + diff --git a/queue-5.10/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch b/queue-5.10/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch new file mode 100644 index 00000000000..6518af29f95 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch @@ -0,0 +1,38 @@ +From 1ff8a08a9ac54067bb447b9cc662175efbbc2de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 20:13:51 +0800 +Subject: wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update + +From: Edward Adam Davis + +[ Upstream commit 1184950e341c11b6f82bc5b59564411d9537ab27 ] + +Replace rcu_dereference() with rcu_access_pointer() since we hold +the lock here (and aren't in an RCU critical section). + +Fixes: 32af9a9e1069 ("wifi: cfg80211: free beacon_ies when overridden from hidden BSS") +Reported-and-tested-by: syzbot+864a269c27ee06b58374@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://msgid.link/tencent_BF8F0DF0258C8DBF124CDDE4DD8D992DCF07@qq.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 6f0a01038db1..a6c289a61d30 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1802,7 +1802,7 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, + &hidden->hidden_list); + hidden->refcount++; + +- ies = (void *)rcu_dereference(new->pub.beacon_ies); ++ ies = (void *)rcu_access_pointer(new->pub.beacon_ies); + rcu_assign_pointer(new->pub.beacon_ies, + hidden->pub.beacon_ies); + if (ies) +-- +2.43.0 + diff --git a/queue-5.10/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch b/queue-5.10/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch new file mode 100644 index 00000000000..ab6dcc53175 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch @@ -0,0 +1,44 @@ +From 510b69f014fec3b7afe5503250704fe6c4536933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 13:41:41 +0200 +Subject: wifi: cfg80211: free beacon_ies when overridden from hidden BSS + +From: Benjamin Berg + +[ Upstream commit 32af9a9e1069e55bc02741fb00ac9d0ca1a2eaef ] + +This is a more of a cosmetic fix. The branch will only be taken if +proberesp_ies is set, which implies that beacon_ies is not set unless we +are connected to an AP that just did a channel switch. And, in that case +we should have found the BSS in the internal storage to begin with. + +Signed-off-by: Benjamin Berg +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231220133549.b898e22dadff.Id8c4c10aedd176ef2e18a4cad747b299f150f9df@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 1e6dfe204ff3..6f0a01038db1 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1801,8 +1801,12 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, + list_add(&new->hidden_list, + &hidden->hidden_list); + hidden->refcount++; ++ ++ ies = (void *)rcu_dereference(new->pub.beacon_ies); + rcu_assign_pointer(new->pub.beacon_ies, + hidden->pub.beacon_ies); ++ if (ies) ++ kfree_rcu(ies, rcu_head); + } + } else { + /* +-- +2.43.0 + diff --git a/queue-5.10/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch b/queue-5.10/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch new file mode 100644 index 00000000000..f613a543f96 --- /dev/null +++ b/queue-5.10/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch @@ -0,0 +1,79 @@ +From b1d44bb3df2eb8abce4ba8cab9e257fe471f9399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Nov 2023 16:58:00 +0800 +Subject: wifi: rt2x00: restart beacon queue when hardware reset + +From: Shiji Yang + +[ Upstream commit a11d965a218f0cd95b13fe44d0bcd8a20ce134a8 ] + +When a hardware reset is triggered, all registers are reset, so all +queues are forced to stop in hardware interface. However, mac80211 +will not automatically stop the queue. If we don't manually stop the +beacon queue, the queue will be deadlocked and unable to start again. +This patch fixes the issue where Apple devices cannot connect to the +AP after calling ieee80211_restart_hw(). + +Signed-off-by: Shiji Yang +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/TYAP286MB031530EB6D98DCE4DF20766CBCA4A@TYAP286MB0315.JPNP286.PROD.OUTLOOK.COM +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 3 +++ + drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 11 +++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c +index b04f76551ca4..be3c153ab3b0 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c +@@ -101,6 +101,7 @@ void rt2x00lib_disable_radio(struct rt2x00_dev *rt2x00dev) + rt2x00link_stop_tuner(rt2x00dev); + rt2x00queue_stop_queues(rt2x00dev); + rt2x00queue_flush_queues(rt2x00dev, true); ++ rt2x00queue_stop_queue(rt2x00dev->bcn); + + /* + * Disable radio. +@@ -1272,6 +1273,7 @@ int rt2x00lib_start(struct rt2x00_dev *rt2x00dev) + rt2x00dev->intf_ap_count = 0; + rt2x00dev->intf_sta_count = 0; + rt2x00dev->intf_associated = 0; ++ rt2x00dev->intf_beaconing = 0; + + /* Enable the radio */ + retval = rt2x00lib_enable_radio(rt2x00dev); +@@ -1298,6 +1300,7 @@ void rt2x00lib_stop(struct rt2x00_dev *rt2x00dev) + rt2x00dev->intf_ap_count = 0; + rt2x00dev->intf_sta_count = 0; + rt2x00dev->intf_associated = 0; ++ rt2x00dev->intf_beaconing = 0; + } + + static inline void rt2x00lib_set_if_combinations(struct rt2x00_dev *rt2x00dev) +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +index 2f68a31072ae..795bd3b0ebd8 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -599,6 +599,17 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw, + */ + if (changes & BSS_CHANGED_BEACON_ENABLED) { + mutex_lock(&intf->beacon_skb_mutex); ++ ++ /* ++ * Clear the 'enable_beacon' flag and clear beacon because ++ * the beacon queue has been stopped after hardware reset. ++ */ ++ if (test_bit(DEVICE_STATE_RESET, &rt2x00dev->flags) && ++ intf->enable_beacon) { ++ intf->enable_beacon = false; ++ rt2x00queue_clear_beacon(rt2x00dev, vif); ++ } ++ + if (!bss_conf->enable_beacon && intf->enable_beacon) { + rt2x00dev->intf_beaconing--; + intf->enable_beacon = false; +-- +2.43.0 + diff --git a/queue-5.10/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch b/queue-5.10/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch new file mode 100644 index 00000000000..9c7f99fb3c4 --- /dev/null +++ b/queue-5.10/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch @@ -0,0 +1,48 @@ +From 7a10c33cf053066409add7fa01a523d91d64579c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Dec 2023 20:30:17 +0800 +Subject: wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices + +From: Zenm Chen + +[ Upstream commit 4e87ca403e2008b9e182239e1abbf6876a55eb33 ] + +Add additional USB IDs found in the vendor driver from +https://github.com/Mange/rtl8192eu-linux-driver to support more +RTL8192EU devices. + +Signed-off-by: Zenm Chen +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231217123017.1982-1-zenmchen@gmail.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 004778faf3d0..3051fb358fdd 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -6973,6 +6973,18 @@ static const struct usb_device_id dev_table[] = { + .driver_info = (unsigned long)&rtl8192eu_fops}, + {USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x818c, 0xff, 0xff, 0xff), + .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* D-Link DWA-131 rev C1 */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3312, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* TP-Link TL-WN8200ND V2 */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0126, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* Mercusys MW300UM */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0100, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* Mercusys MW300UH */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0104, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, + #endif + { } + }; +-- +2.43.0 + diff --git a/queue-5.10/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch b/queue-5.10/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..0e8aa80673b --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch @@ -0,0 +1,77 @@ +From 8482971dd22e2e5a6d99414eb310ae36d2eea771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:39 +0800 +Subject: wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 5c16618bc06a41ad68fd8499a21d35ef57ca06c2 ] + +Using calculate_bit_shift() to replace rtl8723_phy_calculate_bit_shift(). +And fix an undefined bitwise shift behavior problem. + +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-12-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c | 6 +++--- + drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c +index fa0eed434d4f..d26dda8e46fd 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c +@@ -49,7 +49,7 @@ u32 rtl8723e_phy_query_rf_reg(struct ieee80211_hw *hw, + rfpath, regaddr); + } + +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock(&rtlpriv->locks.rf_lock); +@@ -80,7 +80,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = rtl8723_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +@@ -89,7 +89,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw, + rtl8723_phy_rf_serial_write(hw, rfpath, regaddr, data); + } else { + if (bitmask != RFREG_OFFSET_MASK) { +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c +index f09f55b0468a..35dfea54ae9c 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c +@@ -41,7 +41,7 @@ u32 rtl8723be_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + spin_lock(&rtlpriv->locks.rf_lock); + + original_value = rtl8723_phy_rf_serial_read(hw, rfpath, regaddr); +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock(&rtlpriv->locks.rf_lock); +@@ -68,7 +68,7 @@ void rtl8723be_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path path, + if (bitmask != RFREG_OFFSET_MASK) { + original_value = rtl8723_phy_rf_serial_read(hw, path, + regaddr); +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((original_value & (~bitmask)) | + (data << bitshift)); + } +-- +2.43.0 + diff --git a/queue-5.10/x86-boot-ignore-nmis-during-very-early-boot.patch b/queue-5.10/x86-boot-ignore-nmis-during-very-early-boot.patch new file mode 100644 index 00000000000..7438ae67137 --- /dev/null +++ b/queue-5.10/x86-boot-ignore-nmis-during-very-early-boot.patch @@ -0,0 +1,94 @@ +From 955042e02ba8f297e9dbcf8cc6d1ce7e613b5e10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 15:44:49 -0500 +Subject: x86/boot: Ignore NMIs during very early boot + +From: Jun'ichi Nomura + +[ Upstream commit 78a509fba9c9b1fcb77f95b7c6be30da3d24823a ] + +When there are two racing NMIs on x86, the first NMI invokes NMI handler and +the 2nd NMI is latched until IRET is executed. + +If panic on NMI and panic kexec are enabled, the first NMI triggers +panic and starts booting the next kernel via kexec. Note that the 2nd +NMI is still latched. During the early boot of the next kernel, once +an IRET is executed as a result of a page fault, then the 2nd NMI is +unlatched and invokes the NMI handler. + +However, NMI handler is not set up at the early stage of boot, which +results in a boot failure. + +Avoid such problems by setting up a NOP handler for early NMIs. + +[ mingo: Refined the changelog. ] + +Signed-off-by: Jun'ichi Nomura +Signed-off-by: Derek Barbosa +Signed-off-by: Ingo Molnar +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Andy Lutomirski +Cc: "H. Peter Anvin" +Cc: Peter Zijlstra +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/ident_map_64.c | 5 +++++ + arch/x86/boot/compressed/idt_64.c | 1 + + arch/x86/boot/compressed/idt_handlers_64.S | 1 + + arch/x86/boot/compressed/misc.h | 1 + + 4 files changed, 8 insertions(+) + +diff --git a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c +index f4a2e6d373b2..1e4eb3894ec4 100644 +--- a/arch/x86/boot/compressed/ident_map_64.c ++++ b/arch/x86/boot/compressed/ident_map_64.c +@@ -367,3 +367,8 @@ void do_boot_page_fault(struct pt_regs *regs, unsigned long error_code) + */ + add_identity_map(address, end); + } ++ ++void do_boot_nmi_trap(struct pt_regs *regs, unsigned long error_code) ++{ ++ /* Empty handler to ignore NMI during early boot */ ++} +diff --git a/arch/x86/boot/compressed/idt_64.c b/arch/x86/boot/compressed/idt_64.c +index 804a502ee0d2..eb30bb20c33b 100644 +--- a/arch/x86/boot/compressed/idt_64.c ++++ b/arch/x86/boot/compressed/idt_64.c +@@ -45,6 +45,7 @@ void load_stage2_idt(void) + boot_idt_desc.address = (unsigned long)boot_idt; + + set_idt_entry(X86_TRAP_PF, boot_page_fault); ++ set_idt_entry(X86_TRAP_NMI, boot_nmi_trap); + + #ifdef CONFIG_AMD_MEM_ENCRYPT + set_idt_entry(X86_TRAP_VC, boot_stage2_vc); +diff --git a/arch/x86/boot/compressed/idt_handlers_64.S b/arch/x86/boot/compressed/idt_handlers_64.S +index 22890e199f5b..4d03c8562f63 100644 +--- a/arch/x86/boot/compressed/idt_handlers_64.S ++++ b/arch/x86/boot/compressed/idt_handlers_64.S +@@ -70,6 +70,7 @@ SYM_FUNC_END(\name) + .code64 + + EXCEPTION_HANDLER boot_page_fault do_boot_page_fault error_code=1 ++EXCEPTION_HANDLER boot_nmi_trap do_boot_nmi_trap error_code=0 + + #ifdef CONFIG_AMD_MEM_ENCRYPT + EXCEPTION_HANDLER boot_stage1_vc do_vc_no_ghcb error_code=1 +diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h +index d9a631c5973c..0ccc32718483 100644 +--- a/arch/x86/boot/compressed/misc.h ++++ b/arch/x86/boot/compressed/misc.h +@@ -156,6 +156,7 @@ extern struct desc_ptr boot_idt_desc; + + /* IDT Entry Points */ + void boot_page_fault(void); ++void boot_nmi_trap(void); + void boot_stage1_vc(void); + void boot_stage2_vc(void); + +-- +2.43.0 + diff --git a/queue-5.10/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch b/queue-5.10/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch new file mode 100644 index 00000000000..361d9595e85 --- /dev/null +++ b/queue-5.10/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch @@ -0,0 +1,83 @@ +From 9e0a601c7d474cce01bdacc72d43fe85ab2324d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 08:39:03 +0800 +Subject: x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump + kernel + +From: Zhiquan Li + +[ Upstream commit 9f3b130048bfa2e44a8cfb1b616f826d9d5d8188 ] + +Memory errors don't happen very often, especially fatal ones. However, +in large-scale scenarios such as data centers, that probability +increases with the amount of machines present. + +When a fatal machine check happens, mce_panic() is called based on the +severity grading of that error. The page containing the error is not +marked as poison. + +However, when kexec is enabled, tools like makedumpfile understand when +pages are marked as poison and do not touch them so as not to cause +a fatal machine check exception again while dumping the previous +kernel's memory. + +Therefore, mark the page containing the error as poisoned so that the +kexec'ed kernel can avoid accessing the page. + + [ bp: Rewrite commit message and comment. ] + +Co-developed-by: Youquan Song +Signed-off-by: Youquan Song +Signed-off-by: Zhiquan Li +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Naoya Horiguchi +Link: https://lore.kernel.org/r/20231014051754.3759099-1-zhiquan1.li@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 0b7c81389c50..18a6ed2afca0 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -274,6 +275,7 @@ static noinstr void mce_panic(const char *msg, struct mce *final, char *exp) + struct llist_node *pending; + struct mce_evt_llist *l; + int apei_err = 0; ++ struct page *p; + + /* + * Allow instrumentation around external facilities usage. Not that it +@@ -329,6 +331,20 @@ static noinstr void mce_panic(const char *msg, struct mce *final, char *exp) + if (!fake_panic) { + if (panic_timeout == 0) + panic_timeout = mca_cfg.panic_timeout; ++ ++ /* ++ * Kdump skips the poisoned page in order to avoid ++ * touching the error bits again. Poison the page even ++ * if the error is fatal and the machine is about to ++ * panic. ++ */ ++ if (kexec_crash_loaded()) { ++ if (final && (final->status & MCI_STATUS_ADDRV)) { ++ p = pfn_to_online_page(final->addr >> PAGE_SHIFT); ++ if (p) ++ SetPageHWPoison(p); ++ } ++ } + panic(msg); + } else + pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg); +-- +2.43.0 + diff --git a/queue-5.10/xen-gntdev-fix-the-abuse-of-underlying-struct-page-i.patch b/queue-5.10/xen-gntdev-fix-the-abuse-of-underlying-struct-page-i.patch new file mode 100644 index 00000000000..bc16d9eb81a --- /dev/null +++ b/queue-5.10/xen-gntdev-fix-the-abuse-of-underlying-struct-page-i.patch @@ -0,0 +1,151 @@ +From 70413aeb0018e4eb131e9fec45a40527955d5588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Jan 2024 12:34:26 +0200 +Subject: xen/gntdev: Fix the abuse of underlying struct page in DMA-buf import +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oleksandr Tyshchenko + +[ Upstream commit 2d2db7d40254d5fb53b11ebd703cd1ed0c5de7a1 ] + +DO NOT access the underlying struct page of an sg table exported +by DMA-buf in dmabuf_imp_to_refs(), this is not allowed. +Please see drivers/dma-buf/dma-buf.c:mangle_sg_table() for details. + +Fortunately, here (for special Xen device) we can avoid using +pages and calculate gfns directly from dma addresses provided by +the sg table. + +Suggested-by: Daniel Vetter +Signed-off-by: Oleksandr Tyshchenko +Acked-by: Christian König +Reviewed-by: Stefano Stabellini +Acked-by: Daniel Vetter +Link: https://lore.kernel.org/r/20240107103426.2038075-1-olekstysh@gmail.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/gntdev-dmabuf.c | 50 ++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c +index 4c13cbc99896..398ea69c176c 100644 +--- a/drivers/xen/gntdev-dmabuf.c ++++ b/drivers/xen/gntdev-dmabuf.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -56,7 +57,7 @@ struct gntdev_dmabuf { + + /* Number of pages this buffer has. */ + int nr_pages; +- /* Pages of this buffer. */ ++ /* Pages of this buffer (only for dma-buf export). */ + struct page **pages; + }; + +@@ -490,7 +491,7 @@ static int dmabuf_exp_from_refs(struct gntdev_priv *priv, int flags, + /* DMA buffer import support. */ + + static int +-dmabuf_imp_grant_foreign_access(struct page **pages, u32 *refs, ++dmabuf_imp_grant_foreign_access(unsigned long *gfns, u32 *refs, + int count, int domid) + { + grant_ref_t priv_gref_head; +@@ -513,7 +514,7 @@ dmabuf_imp_grant_foreign_access(struct page **pages, u32 *refs, + } + + gnttab_grant_foreign_access_ref(cur_ref, domid, +- xen_page_to_gfn(pages[i]), 0); ++ gfns[i], 0); + refs[i] = cur_ref; + } + +@@ -535,7 +536,6 @@ static void dmabuf_imp_end_foreign_access(u32 *refs, int count) + + static void dmabuf_imp_free_storage(struct gntdev_dmabuf *gntdev_dmabuf) + { +- kfree(gntdev_dmabuf->pages); + kfree(gntdev_dmabuf->u.imp.refs); + kfree(gntdev_dmabuf); + } +@@ -555,12 +555,6 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count) + if (!gntdev_dmabuf->u.imp.refs) + goto fail; + +- gntdev_dmabuf->pages = kcalloc(count, +- sizeof(gntdev_dmabuf->pages[0]), +- GFP_KERNEL); +- if (!gntdev_dmabuf->pages) +- goto fail; +- + gntdev_dmabuf->nr_pages = count; + + for (i = 0; i < count; i++) +@@ -582,7 +576,8 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev, + struct dma_buf *dma_buf; + struct dma_buf_attachment *attach; + struct sg_table *sgt; +- struct sg_page_iter sg_iter; ++ struct sg_dma_page_iter sg_iter; ++ unsigned long *gfns; + int i; + + dma_buf = dma_buf_get(fd); +@@ -630,26 +625,31 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev, + + gntdev_dmabuf->u.imp.sgt = sgt; + +- /* Now convert sgt to array of pages and check for page validity. */ ++ gfns = kcalloc(count, sizeof(*gfns), GFP_KERNEL); ++ if (!gfns) { ++ ret = ERR_PTR(-ENOMEM); ++ goto fail_unmap; ++ } ++ ++ /* ++ * Now convert sgt to array of gfns without accessing underlying pages. ++ * It is not allowed to access the underlying struct page of an sg table ++ * exported by DMA-buf, but since we deal with special Xen dma device here ++ * (not a normal physical one) look at the dma addresses in the sg table ++ * and then calculate gfns directly from them. ++ */ + i = 0; +- for_each_sgtable_page(sgt, &sg_iter, 0) { +- struct page *page = sg_page_iter_page(&sg_iter); +- /* +- * Check if page is valid: this can happen if we are given +- * a page from VRAM or other resources which are not backed +- * by a struct page. +- */ +- if (!pfn_valid(page_to_pfn(page))) { +- ret = ERR_PTR(-EINVAL); +- goto fail_unmap; +- } ++ for_each_sgtable_dma_page(sgt, &sg_iter, 0) { ++ dma_addr_t addr = sg_page_iter_dma_address(&sg_iter); ++ unsigned long pfn = bfn_to_pfn(XEN_PFN_DOWN(dma_to_phys(dev, addr))); + +- gntdev_dmabuf->pages[i++] = page; ++ gfns[i++] = pfn_to_gfn(pfn); + } + +- ret = ERR_PTR(dmabuf_imp_grant_foreign_access(gntdev_dmabuf->pages, ++ ret = ERR_PTR(dmabuf_imp_grant_foreign_access(gfns, + gntdev_dmabuf->u.imp.refs, + count, domid)); ++ kfree(gfns); + if (IS_ERR(ret)) + goto fail_end_access; + +-- +2.43.0 + -- 2.47.3