From 4e12ecc36507ed9cb504dd82105860334272d04d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 21 Jul 2025 13:24:52 +0200 Subject: [PATCH] 5.15-stable patches added patches: comedi-pcl812-fix-bit-shift-out-of-bounds.patch iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch iio-adc-max1363-reorder-mode_list-entries.patch iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch --- ...i-pcl812-fix-bit-shift-out-of-bounds.patch | 43 +++++++ ...ix-max1363_4x_chans-max1363_8x_chans.patch | 93 +++++++++++++++ ...dc-max1363-reorder-mode_list-entries.patch | 91 +++++++++++++++ ...ce-in-installing-chained-irq-handler.patch | 45 ++++++++ ...ncy-tolerance-from-pm_domain_cpu_gov.patch | 109 ++++++++++++++++++ queue-5.15/series | 7 ++ ...oop-cleanup-resources-in-stack-order.patch | 36 ++++++ ...disable-channels-that-aren-t-enabled.patch | 83 +++++++++++++ 8 files changed, 507 insertions(+) create mode 100644 queue-5.15/comedi-pcl812-fix-bit-shift-out-of-bounds.patch create mode 100644 queue-5.15/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch create mode 100644 queue-5.15/iio-adc-max1363-reorder-mode_list-entries.patch create mode 100644 queue-5.15/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch create mode 100644 queue-5.15/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch create mode 100644 queue-5.15/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch create mode 100644 queue-5.15/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch diff --git a/queue-5.15/comedi-pcl812-fix-bit-shift-out-of-bounds.patch b/queue-5.15/comedi-pcl812-fix-bit-shift-out-of-bounds.patch new file mode 100644 index 0000000000..088449b08e --- /dev/null +++ b/queue-5.15/comedi-pcl812-fix-bit-shift-out-of-bounds.patch @@ -0,0 +1,43 @@ +From b14b076ce593f72585412fc7fd3747e03a5e3632 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 14:34:29 +0100 +Subject: comedi: pcl812: Fix bit shift out of bounds + +From: Ian Abbott + +commit b14b076ce593f72585412fc7fd3747e03a5e3632 upstream. + +When checking for a supported IRQ number, the following test is used: + + if ((1 << it->options[1]) & board->irq_bits) { + +However, `it->options[i]` is an unchecked `int` value from userspace, so +the shift amount could be negative or out of bounds. Fix the test by +requiring `it->options[1]` to be within bounds before proceeding with +the original test. Valid `it->options[1]` values that select the IRQ +will be in the range [1,15]. The value 0 explicitly disables the use of +interrupts. + +Reported-by: syzbot+32de323b0addb9e114ff@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff +Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707133429.73202-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/pcl812.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/pcl812.c ++++ b/drivers/comedi/drivers/pcl812.c +@@ -1151,7 +1151,8 @@ static int pcl812_attach(struct comedi_d + if (!dev->pacer) + return -ENOMEM; + +- if ((1 << it->options[1]) & board->irq_bits) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (1 << it->options[1]) & board->irq_bits) { + ret = request_irq(it->options[1], pcl812_interrupt, 0, + dev->board_name, dev); + if (ret == 0) diff --git a/queue-5.15/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch b/queue-5.15/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch new file mode 100644 index 0000000000..9d92ef8faf --- /dev/null +++ b/queue-5.15/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch @@ -0,0 +1,93 @@ +From 6d21f2c2dd843bceefd9455f2919f6bb526797f0 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 16 May 2025 14:38:59 -0300 +Subject: iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] + +From: Fabio Estevam + +commit 6d21f2c2dd843bceefd9455f2919f6bb526797f0 upstream. + +Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"), +booting a board populated with a MAX11601 results in a flood of warnings: + +max1363 1-0064: available_scan_mask 8 subset of 0. Never used +max1363 1-0064: available_scan_mask 9 subset of 0. Never used +max1363 1-0064: available_scan_mask 10 subset of 0. Never used +max1363 1-0064: available_scan_mask 11 subset of 0. Never used +max1363 1-0064: available_scan_mask 12 subset of 0. Never used +max1363 1-0064: available_scan_mask 13 subset of 0. Never used +... + +These warnings are caused by incorrect offsets used for differential +channels in the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros. + +The max1363_mode_table[] defines the differential channel mappings as +follows: + +MAX1363_MODE_DIFF_SINGLE(0, 1, 1 << 12), +MAX1363_MODE_DIFF_SINGLE(2, 3, 1 << 13), +MAX1363_MODE_DIFF_SINGLE(4, 5, 1 << 14), +MAX1363_MODE_DIFF_SINGLE(6, 7, 1 << 15), +MAX1363_MODE_DIFF_SINGLE(8, 9, 1 << 16), +MAX1363_MODE_DIFF_SINGLE(10, 11, 1 << 17), +MAX1363_MODE_DIFF_SINGLE(1, 0, 1 << 18), +MAX1363_MODE_DIFF_SINGLE(3, 2, 1 << 19), +MAX1363_MODE_DIFF_SINGLE(5, 4, 1 << 20), +MAX1363_MODE_DIFF_SINGLE(7, 6, 1 << 21), +MAX1363_MODE_DIFF_SINGLE(9, 8, 1 << 22), +MAX1363_MODE_DIFF_SINGLE(11, 10, 1 << 23), + +Update the macros to follow this same pattern, ensuring that the scan masks +are valid and preventing the warnings. + +Cc: stable@vger.kernel.org +Suggested-by: Jonathan Cameron +Signed-off-by: Fabio Estevam +Acked-by: Matti Vaittinen +Link: https://patch.msgid.link/20250516173900.677821-1-festevam@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/max1363.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/iio/adc/max1363.c ++++ b/drivers/iio/adc/max1363.c +@@ -513,10 +513,10 @@ static const struct iio_event_spec max13 + MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec), \ + IIO_CHAN_SOFT_TIMESTAMP(8) \ + } + +@@ -611,14 +611,14 @@ static const enum max1363_modes max11608 + MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0), \ + MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0), \ + MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0), \ +- MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0), \ +- MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0), \ +- MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0), \ +- MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0), \ +- MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0), \ +- MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0), \ +- MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0), \ +- MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0), \ ++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0), \ ++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0), \ ++ MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0), \ ++ MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0), \ ++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0), \ ++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0), \ ++ MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0), \ ++ MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0), \ + IIO_CHAN_SOFT_TIMESTAMP(16) \ + } + static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8); diff --git a/queue-5.15/iio-adc-max1363-reorder-mode_list-entries.patch b/queue-5.15/iio-adc-max1363-reorder-mode_list-entries.patch new file mode 100644 index 0000000000..77ca207b87 --- /dev/null +++ b/queue-5.15/iio-adc-max1363-reorder-mode_list-entries.patch @@ -0,0 +1,91 @@ +From 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 16 May 2025 14:39:00 -0300 +Subject: iio: adc: max1363: Reorder mode_list[] entries + +From: Fabio Estevam + +commit 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 upstream. + +The IIO core issues warnings when a scan mask is a subset of a previous +entry in the available_scan_masks array. + +On a board using a MAX11601, the following warning is observed: + +max1363 1-0064: available_scan_mask 7 subset of 6. Never used + +This occurs because the entries in the max11607_mode_list[] array are not +ordered correctly. To fix this, reorder the entries so that no scan mask is +a subset of an earlier one. + +While at it, reorder the mode_list[] arrays for other supported chips as +well, to prevent similar warnings on different variants. + +Note fixes tag dropped as these were introduced over many commits a long +time back and the side effect until recently was a reduction in sampling +rate due to reading too many channels when only a few were desired. +Now we have a sanity check that reports this error but that is not +where the issue was introduced. + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Estevam +Acked-by: Matti Vaittinen +Link: https://patch.msgid.link/20250516173900.677821-2-festevam@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/max1363.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/iio/adc/max1363.c ++++ b/drivers/iio/adc/max1363.c +@@ -534,23 +534,23 @@ static const struct iio_chan_spec max136 + /* Applies to max1236, max1237 */ + static const enum max1363_modes max1236_mode_list[] = { + _s0, _s1, _s2, _s3, +- s0to1, s0to2, s0to3, ++ s0to1, s0to2, s2to3, s0to3, + d0m1, d2m3, d1m0, d3m2, + d0m1to2m3, d1m0to3m2, +- s2to3, + }; + + /* Applies to max1238, max1239 */ + static const enum max1363_modes max1238_mode_list[] = { + _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, _s8, _s9, _s10, _s11, + s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, ++ s6to7, s6to8, s6to9, s6to10, s6to11, + s0to7, s0to8, s0to9, s0to10, s0to11, + d0m1, d2m3, d4m5, d6m7, d8m9, d10m11, + d1m0, d3m2, d5m4, d7m6, d9m8, d11m10, +- d0m1to2m3, d0m1to4m5, d0m1to6m7, d0m1to8m9, d0m1to10m11, +- d1m0to3m2, d1m0to5m4, d1m0to7m6, d1m0to9m8, d1m0to11m10, +- s6to7, s6to8, s6to9, s6to10, s6to11, +- d6m7to8m9, d6m7to10m11, d7m6to9m8, d7m6to11m10, ++ d0m1to2m3, d0m1to4m5, d0m1to6m7, d6m7to8m9, ++ d0m1to8m9, d6m7to10m11, d0m1to10m11, d1m0to3m2, ++ d1m0to5m4, d1m0to7m6, d7m6to9m8, d1m0to9m8, ++ d7m6to11m10, d1m0to11m10, + }; + + #define MAX1363_12X_CHANS(bits) { \ +@@ -586,16 +586,15 @@ static const struct iio_chan_spec max123 + + static const enum max1363_modes max11607_mode_list[] = { + _s0, _s1, _s2, _s3, +- s0to1, s0to2, s0to3, +- s2to3, ++ s0to1, s0to2, s2to3, ++ s0to3, + d0m1, d2m3, d1m0, d3m2, + d0m1to2m3, d1m0to3m2, + }; + + static const enum max1363_modes max11608_mode_list[] = { + _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, +- s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s0to7, +- s6to7, ++ s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s6to7, s0to7, + d0m1, d2m3, d4m5, d6m7, + d1m0, d3m2, d5m4, d7m6, + d0m1to2m3, d0m1to4m5, d0m1to6m7, diff --git a/queue-5.15/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch b/queue-5.15/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch new file mode 100644 index 0000000000..cf945148a9 --- /dev/null +++ b/queue-5.15/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch @@ -0,0 +1,45 @@ +From e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 Mon Sep 17 00:00:00 2001 +From: Chen Ni +Date: Thu, 15 May 2025 16:31:01 +0800 +Subject: iio: adc: stm32-adc: Fix race in installing chained IRQ handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ni + +commit e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 upstream. + +Fix a race where a pending interrupt could be received and the handler +called before the handler's data has been setup, by converting to +irq_set_chained_handler_and_data(). + +Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core") +Signed-off-by: Chen Ni +Reviewed-by: Nuno Sá +Tested-by: Fabrice Gasnier +Reviewed-by: Fabrice Gasnier +Link: https://patch.msgid.link/20250515083101.3811350-1-nichen@iscas.ac.cn +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/stm32-adc-core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -410,10 +410,9 @@ static int stm32_adc_irq_probe(struct pl + return -ENOMEM; + } + +- for (i = 0; i < priv->cfg->num_irqs; i++) { +- irq_set_chained_handler(priv->irq[i], stm32_adc_irq_handler); +- irq_set_handler_data(priv->irq[i], priv); +- } ++ for (i = 0; i < priv->cfg->num_irqs; i++) ++ irq_set_chained_handler_and_data(priv->irq[i], ++ stm32_adc_irq_handler, priv); + + return 0; + } diff --git a/queue-5.15/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch b/queue-5.15/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch new file mode 100644 index 0000000000..05fe8746de --- /dev/null +++ b/queue-5.15/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch @@ -0,0 +1,109 @@ +From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 +From: Maulik Shah +Date: Wed, 9 Jul 2025 14:00:11 +0530 +Subject: pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov + +From: Maulik Shah + +commit 500ba33284416255b9a5b50ace24470b6fe77ea5 upstream. + +pm_domain_cpu_gov is selecting a cluster idle state but does not consider +latency tolerance of child CPUs. This results in deeper cluster idle state +whose latency does not meet latency tolerance requirement. + +Select deeper idle state only if global and device latency tolerance of all +child CPUs meet. + +Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than +domain idle state entry (2150) + exit (1983) usec latency mentioned in +devicetree, demonstrate the issue. + + # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us + +Before: (Usage is incrementing) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 29817 537 8 270 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 30348 542 8 271 0 + +After: (Usage is not incrementing due to latency tolerance) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + +Signed-off-by: Maulik Shah +Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/domain_governor.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/base/power/domain_governor.c ++++ b/drivers/base/power/domain_governor.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -339,6 +340,8 @@ static bool cpu_power_down_ok(struct dev + struct cpuidle_device *dev; + ktime_t domain_wakeup, next_hrtimer; + ktime_t now = ktime_get(); ++ struct device *cpu_dev; ++ s64 cpu_constraint, global_constraint; + s64 idle_duration_ns; + int cpu, i; + +@@ -349,6 +352,7 @@ static bool cpu_power_down_ok(struct dev + if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) + return true; + ++ global_constraint = cpu_latency_qos_limit(); + /* + * Find the next wakeup for any of the online CPUs within the PM domain + * and its subdomains. Note, we only need the genpd->cpus, as it already +@@ -362,8 +366,16 @@ static bool cpu_power_down_ok(struct dev + if (ktime_before(next_hrtimer, domain_wakeup)) + domain_wakeup = next_hrtimer; + } ++ ++ cpu_dev = get_cpu_device(cpu); ++ if (cpu_dev) { ++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); ++ if (cpu_constraint < global_constraint) ++ global_constraint = cpu_constraint; ++ } + } + ++ global_constraint *= NSEC_PER_USEC; + /* The minimum idle duration is from now - until the next wakeup. */ + idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); + if (idle_duration_ns <= 0) +@@ -376,8 +388,10 @@ static bool cpu_power_down_ok(struct dev + */ + i = genpd->state_idx; + do { +- if (idle_duration_ns >= (genpd->states[i].residency_ns + +- genpd->states[i].power_off_latency_ns)) { ++ if ((idle_duration_ns >= (genpd->states[i].residency_ns + ++ genpd->states[i].power_off_latency_ns)) && ++ (global_constraint >= (genpd->states[i].power_on_latency_ns + ++ genpd->states[i].power_off_latency_ns))) { + genpd->state_idx = i; + return true; + } diff --git a/queue-5.15/series b/queue-5.15/series index 33751e98b7..d29d04142c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -20,3 +20,10 @@ memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch mmc-sdhci_am654-workaround-for-errata-i2312.patch +pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch +soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch +soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch +iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch +iio-adc-max1363-reorder-mode_list-entries.patch +iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch +comedi-pcl812-fix-bit-shift-out-of-bounds.patch diff --git a/queue-5.15/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch b/queue-5.15/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch new file mode 100644 index 0000000000..0ad530d7c7 --- /dev/null +++ b/queue-5.15/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch @@ -0,0 +1,36 @@ +From 8481d59be606d2338dbfe14b04cdbd1a3402c150 Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Mon, 16 Jun 2025 22:43:38 +0930 +Subject: soc: aspeed: lpc-snoop: Cleanup resources in stack-order + +From: Andrew Jeffery + +commit 8481d59be606d2338dbfe14b04cdbd1a3402c150 upstream. + +Free the kfifo after unregistering the miscdev in +aspeed_lpc_disable_snoop() as the kfifo is initialised before the +miscdev in aspeed_lpc_enable_snoop(). + +Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") +Cc: stable@vger.kernel.org +Cc: Jean Delvare +Acked-by: Jean Delvare +Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-1-3cdd59c934d3@codeconstruct.com.au +Signed-off-by: Andrew Jeffery +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -264,8 +264,8 @@ static void aspeed_lpc_disable_snoop(str + return; + } + +- kfifo_free(&lpc_snoop->chan[channel].fifo); + misc_deregister(&lpc_snoop->chan[channel].miscdev); ++ kfifo_free(&lpc_snoop->chan[channel].fifo); + } + + static int aspeed_lpc_snoop_probe(struct platform_device *pdev) diff --git a/queue-5.15/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch b/queue-5.15/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch new file mode 100644 index 0000000000..fad9dc1bad --- /dev/null +++ b/queue-5.15/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch @@ -0,0 +1,83 @@ +From 56448e78a6bb4e1a8528a0e2efe94eff0400c247 Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Mon, 16 Jun 2025 22:43:39 +0930 +Subject: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled + +From: Andrew Jeffery + +commit 56448e78a6bb4e1a8528a0e2efe94eff0400c247 upstream. + +Mitigate e.g. the following: + + # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind + ... + [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write + [ 120.373866] [00000004] *pgd=00000000 + [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM + [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE + ... + [ 120.679543] Call trace: + [ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac + [ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38 + [ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200 + ... + +Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver") +Cc: stable@vger.kernel.org +Cc: Jean Delvare +Acked-by: Jean Delvare +Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-2-3cdd59c934d3@codeconstruct.com.au +Signed-off-by: Andrew Jeffery +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -59,6 +59,7 @@ struct aspeed_lpc_snoop_model_data { + }; + + struct aspeed_lpc_snoop_channel { ++ bool enabled; + struct kfifo fifo; + wait_queue_head_t wq; + struct miscdevice miscdev; +@@ -191,6 +192,9 @@ static int aspeed_lpc_enable_snoop(struc + const struct aspeed_lpc_snoop_model_data *model_data = + of_device_get_match_data(dev); + ++ if (WARN_ON(lpc_snoop->chan[channel].enabled)) ++ return -EBUSY; ++ + init_waitqueue_head(&lpc_snoop->chan[channel].wq); + /* Create FIFO datastructure */ + rc = kfifo_alloc(&lpc_snoop->chan[channel].fifo, +@@ -237,6 +241,8 @@ static int aspeed_lpc_enable_snoop(struc + regmap_update_bits(lpc_snoop->regmap, HICRB, + hicrb_en, hicrb_en); + ++ lpc_snoop->chan[channel].enabled = true; ++ + return 0; + + err_misc_deregister: +@@ -249,6 +255,9 @@ err_free_fifo: + static void aspeed_lpc_disable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + int channel) + { ++ if (!lpc_snoop->chan[channel].enabled) ++ return; ++ + switch (channel) { + case 0: + regmap_update_bits(lpc_snoop->regmap, HICR5, +@@ -264,6 +273,8 @@ static void aspeed_lpc_disable_snoop(str + return; + } + ++ lpc_snoop->chan[channel].enabled = false; ++ /* Consider improving safety wrt concurrent reader(s) */ + misc_deregister(&lpc_snoop->chan[channel].miscdev); + kfifo_free(&lpc_snoop->chan[channel].fifo); + } -- 2.47.2