From 6b8f80d23cefc603c2ad0645946453553ffd73c4 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 1 Feb 2024 11:55:37 -0500 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...g-fix-null-pointer-dereference-check.patch | 59 +++++ ...uirk-for-the-colorful-x15-at-23-lapt.patch | 51 ++++ ...e-of-read_seqbegin_or_lock-in-afs_fi.patch | 89 +++++++ ...hda-intel-add-hda_arl-pci-id-support.patch | 41 +++ .../arm-dts-imx-use-flash-0-0-pattern.patch | 81 ++++++ queue-5.4/arm-dts-imx1-fix-sram-node.patch | 53 ++++ ...-28-fix-the-dma-controller-node-name.patch | 53 ++++ ...nsa-use-preferred-i2c-gpios-properti.patch | 61 +++++ ...ts-imx25-27-eukrea-fix-rtc-node-name.patch | 52 ++++ queue-5.4/arm-dts-imx25-27-pass-timing0.patch | 138 ++++++++++ .../arm-dts-imx27-apf27dev-fix-led-name.patch | 39 +++ queue-5.4/arm-dts-imx27-fix-sram-node.patch | 37 +++ ...dts-imx7d-fix-coresight-funnel-ports.patch | 60 +++++ .../arm-dts-imx7s-fix-lcdif-compatible.patch | 39 +++ ...imx7s-fix-nand-controller-size-cells.patch | 38 +++ ...-rockchip-fix-rk3036-hdmi-ports-node.patch | 51 ++++ ...sm8996-fix-in-ports-is-a-required-pr.patch | 63 +++++ ...sm8998-fix-out-ports-is-a-required-p.patch | 88 +++++++ ...undefined-snd_soc_dapm_nopm-argument.patch | 37 +++ ...nk-ack-before-setting-connection-in-.patch | 117 +++++++++ ...fix-io-hang-from-sbitmap-wakeup-race.patch | 72 ++++++ ...-integer-overflow-in-bvec_try_merge_.patch | 36 +++ ...nomem-instead-of-bug-in-alb_upper_de.patch | 69 +++++ ...need_defer-parameters-to-.map_fd_put.patch | 173 +++++++++++++ ...eadlock-or-deadcode-of-misusing-dget.patch | 63 +++++ ...x-memory-leak-in-hi3620_mmc_clk_init.patch | 41 +++ ...8-fix-memory-leak-in-pxa168_clk_init.patch | 51 ++++ ...32-crc32-fix-parsing-list-of-devices.patch | 46 ++++ ...make-flip_timestamp_in_us-a-64-bit-v.patch | 43 ++++ ...fence-check-in-to_amdgpu_amdkfd_fenc.patch | 45 ++++ ...m-amdgpu-let-kfd-sync-with-vm-fences.patch | 42 ++++ ...se-adev-pm.fw-before-return-in-amdgp.patch | 48 ++++ ...le-fix-use-of-uninitialized-variable.patch | 43 ++++ ...drm_atomic_helper_shutdown-at-shutdo.patch | 86 +++++++ ...er-fix-use-of-uninitialized-variable.patch | 42 ++++ ...i-dsi-fix-detach-call-without-attach.patch | 138 ++++++++++ ...dpu-ratelimit-framedone-timeout-msgs.patch | 62 +++++ ...tfs-reject-casefold-directory-inodes.patch | 46 ++++ ...e-resizing-failures-due-to-oversized.patch | 133 ++++++++++ ...stent-between-segment-fstrim-and-ful.patch | 66 +++++ ...unnecessary-check-from-alloc_flex_gd.patch | 44 ++++ ...-type-of-flexbg_size-to-unsigned-int.patch | 89 +++++++ ...k-return-value-of-f2fs_reserve_new_b.patch | 69 +++++ ...st_dput-handle-underflows-gracefully.patch | 78 ++++++ ...ray-index-out-of-bounds-in-dbadjtree.patch | 99 ++++++++ queue-5.4/fs-kernfs-dir-obey-s_isgid.patch | 58 +++++ ...n-make-pfn-accessors-statics-inlines.patch | 68 +++++ ...pc87360-bounds-check-data-innr-usage.patch | 60 +++++ ...update-maximum-prescaler-value-for-i.patch | 59 +++++ .../ib-ipoib-fix-mcast-list-locking.patch | 94 +++++++ ...ray-index-out-of-bounds-in-dbadjtree.patch | 237 ++++++++++++++++++ ...rray-index-out-of-bounds-in-dinewext.patch | 78 ++++++ ...-slab-out-of-bounds-read-in-dtsearch.patch | 45 ++++ .../jfs-fix-uaf-in-jfs_evict_inode.patch | 50 ++++ ...kvm-s390-fix-setting-of-fpc-register.patch | 70 ++++++ ...ic-don-t-register-panic-notifier-if-.patch | 43 ++++ ...pointer-dereference-in-bpf_object__c.patch | 73 ++++++ .../libsubcmd-fix-memory-leak-in-uniq.patch | 62 +++++ ...the-array-consult-the-superblock-of-.patch | 155 ++++++++++++ ...ix-an-error-code-problem-in-ddb_prob.patch | 34 +++ ...ip-rga-fix-swizzling-for-rgb-formats.patch | 74 ++++++ ...xed-high-volume-of-stk1160_dbg-messa.patch | 47 ++++ ...m335x_tscadc-fix-ti-soc-dependencies.patch | 35 +++ ...2c-add-missing-setting-of-the-reg_ct.patch | 60 +++++ .../pci-add-intel_hda_arl-to-pci_ids.h.patch | 41 +++ ...set-quirk-for-nvidia-spectrum-device.patch | 62 +++++ ...equester-id-when-no-error-info-found.patch | 69 +++++ ...rride-amd-usb-controller-if-required.patch | 55 ++++ ...x-stdev_release-crash-after-surprise.patch | 104 ++++++++ ...rrow-startup-race-when-creating-the-.patch | 82 ++++++ .../perf-fix-the-nr_addr_filters-fix.patch | 50 ++++ queue-5.4/pnp-acpi-fix-fortify-warning.patch | 83 ++++++ ...-build-error-due-to-is_valid_bugaddr.patch | 48 ++++ ...-validate-size-for-vector-operations.patch | 71 ++++++ ...uild-failures-due-to-arch_reserved_k.patch | 68 +++++ ...ull-pointer-dereference-in-pgtable_c.patch | 49 ++++ ..._must_withdraw-is-only-needed-for-co.patch | 56 +++++ ...rash-when-setting-number-of-cpus-to-.patch | 47 ++++ ...rror-code-return-in-ipoib_mcast_join.patch | 34 +++ ...nly-increment-use_count-when-enable_.patch | 113 +++++++++ ...ce_conn_rcu-fix-the-usage-of-read_se.patch | 46 ++++ ...le-setting-of-fpc-register-correctly.patch | 71 ++++++ ...csi-libfc-don-t-schedule-abort-twice.patch | 68 +++++ ...up-timeout-error-in-fc_fcp_rec_error.patch | 37 +++ ...ssible-file-string-name-overflow-whe.patch | 64 +++++ ...x-pyperf180-compilation-failure-with.patch | 83 ++++++ ...tisfy-compiler-by-having-explicit-re.patch | 35 +++ queue-5.4/series | 101 ++++++++ ...c-fix-a-suspicious-rcu-usage-warning.patch | 121 +++++++++ ...y-index-out-of-bounds-in-dtsplitroot.patch | 77 ++++++ .../um-don-t-use-vfprintf-for-os_info.patch | 72 ++++++ ...ming-clash-between-uml-and-scheduler.patch | 82 ++++++ ...ix-return-type-of-uml_net_start_xmit.patch | 53 ++++ ...hardcoded-quirk-value-with-bit-macro.patch | 39 +++ ...-directive-writing-between-1-and-11-.patch | 84 +++++++ ...otential-array-index-out-of-bounds-r.patch | 61 +++++ ...x-rcu-dereference-in-__cfg80211_bss_.patch | 38 +++ ...ee-beacon_ies-when-overridden-from-h.patch | 44 ++++ ...art-beacon-queue-when-hardware-reset.patch | 79 ++++++ ...d-additional-usb-ids-for-rtl8192eu-d.patch | 48 ++++ ...8723-be-ae-using-calculate_bit_shift.patch | 77 ++++++ ...al-mce-s-page-as-poison-to-avoid-pan.patch | 83 ++++++ 102 files changed, 6868 insertions(+) create mode 100644 queue-5.4/acpi-extlog-fix-null-pointer-dereference-check.patch create mode 100644 queue-5.4/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch create mode 100644 queue-5.4/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch create mode 100644 queue-5.4/alsa-hda-intel-add-hda_arl-pci-id-support.patch create mode 100644 queue-5.4/arm-dts-imx-use-flash-0-0-pattern.patch create mode 100644 queue-5.4/arm-dts-imx1-fix-sram-node.patch create mode 100644 queue-5.4/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch create mode 100644 queue-5.4/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch create mode 100644 queue-5.4/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch create mode 100644 queue-5.4/arm-dts-imx25-27-pass-timing0.patch create mode 100644 queue-5.4/arm-dts-imx27-apf27dev-fix-led-name.patch create mode 100644 queue-5.4/arm-dts-imx27-fix-sram-node.patch create mode 100644 queue-5.4/arm-dts-imx7d-fix-coresight-funnel-ports.patch create mode 100644 queue-5.4/arm-dts-imx7s-fix-lcdif-compatible.patch create mode 100644 queue-5.4/arm-dts-imx7s-fix-nand-controller-size-cells.patch create mode 100644 queue-5.4/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch create mode 100644 queue-5.4/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch create mode 100644 queue-5.4/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch create mode 100644 queue-5.4/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch create mode 100644 queue-5.4/audit-send-netlink-ack-before-setting-connection-in-.patch create mode 100644 queue-5.4/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch create mode 100644 queue-5.4/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch create mode 100644 queue-5.4/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch create mode 100644 queue-5.4/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch create mode 100644 queue-5.4/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch create mode 100644 queue-5.4/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch create mode 100644 queue-5.4/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch create mode 100644 queue-5.4/crypto-stm32-crc32-fix-parsing-list-of-devices.patch create mode 100644 queue-5.4/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch create mode 100644 queue-5.4/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch create mode 100644 queue-5.4/drm-amdgpu-let-kfd-sync-with-vm-fences.patch create mode 100644 queue-5.4/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch create mode 100644 queue-5.4/drm-drm_file-fix-use-of-uninitialized-variable.patch create mode 100644 queue-5.4/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch create mode 100644 queue-5.4/drm-framebuffer-fix-use-of-uninitialized-variable.patch create mode 100644 queue-5.4/drm-mipi-dsi-fix-detach-call-without-attach.patch create mode 100644 queue-5.4/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch create mode 100644 queue-5.4/ecryptfs-reject-casefold-directory-inodes.patch create mode 100644 queue-5.4/ext4-avoid-online-resizing-failures-due-to-oversized.patch create mode 100644 queue-5.4/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch create mode 100644 queue-5.4/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch create mode 100644 queue-5.4/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch create mode 100644 queue-5.4/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch create mode 100644 queue-5.4/fast_dput-handle-underflows-gracefully.patch create mode 100644 queue-5.4/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch create mode 100644 queue-5.4/fs-kernfs-dir-obey-s_isgid.patch create mode 100644 queue-5.4/hexagon-make-pfn-accessors-statics-inlines.patch create mode 100644 queue-5.4/hwmon-pc87360-bounds-check-data-innr-usage.patch create mode 100644 queue-5.4/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch create mode 100644 queue-5.4/ib-ipoib-fix-mcast-list-locking.patch create mode 100644 queue-5.4/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch create mode 100644 queue-5.4/jfs-fix-array-index-out-of-bounds-in-dinewext.patch create mode 100644 queue-5.4/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch create mode 100644 queue-5.4/jfs-fix-uaf-in-jfs_evict_inode.patch create mode 100644 queue-5.4/kvm-s390-fix-setting-of-fpc-register.patch create mode 100644 queue-5.4/leds-trigger-panic-don-t-register-panic-notifier-if-.patch create mode 100644 queue-5.4/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch create mode 100644 queue-5.4/libsubcmd-fix-memory-leak-in-uniq.patch create mode 100644 queue-5.4/md-whenassemble-the-array-consult-the-superblock-of-.patch create mode 100644 queue-5.4/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch create mode 100644 queue-5.4/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch create mode 100644 queue-5.4/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch create mode 100644 queue-5.4/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch create mode 100644 queue-5.4/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch create mode 100644 queue-5.4/pci-add-intel_hda_arl-to-pci_ids.h.patch create mode 100644 queue-5.4/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch create mode 100644 queue-5.4/pci-aer-decode-requester-id-when-no-error-info-found.patch create mode 100644 queue-5.4/pci-only-override-amd-usb-controller-if-required.patch create mode 100644 queue-5.4/pci-switchtec-fix-stdev_release-crash-after-surprise.patch create mode 100644 queue-5.4/perf-core-fix-narrow-startup-race-when-creating-the-.patch create mode 100644 queue-5.4/perf-fix-the-nr_addr_filters-fix.patch create mode 100644 queue-5.4/pnp-acpi-fix-fortify-warning.patch create mode 100644 queue-5.4/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch create mode 100644 queue-5.4/powerpc-lib-validate-size-for-vector-operations.patch create mode 100644 queue-5.4/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch create mode 100644 queue-5.4/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch create mode 100644 queue-5.4/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch create mode 100644 queue-5.4/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch create mode 100644 queue-5.4/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch create mode 100644 queue-5.4/regulator-core-only-increment-use_count-when-enable_.patch create mode 100644 queue-5.4/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch create mode 100644 queue-5.4/s390-ptrace-handle-setting-of-fpc-register-correctly.patch create mode 100644 queue-5.4/scsi-libfc-don-t-schedule-abort-twice.patch create mode 100644 queue-5.4/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch create mode 100644 queue-5.4/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch create mode 100644 queue-5.4/selftests-bpf-fix-pyperf180-compilation-failure-with.patch create mode 100644 queue-5.4/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch create mode 100644 queue-5.4/sunrpc-fix-a-suspicious-rcu-usage-warning.patch create mode 100644 queue-5.4/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch create mode 100644 queue-5.4/um-don-t-use-vfprintf-for-os_info.patch create mode 100644 queue-5.4/um-fix-naming-clash-between-uml-and-scheduler.patch create mode 100644 queue-5.4/um-net-fix-return-type-of-uml_net_start_xmit.patch create mode 100644 queue-5.4/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch create mode 100644 queue-5.4/virtio_net-fix-d-directive-writing-between-1-and-11-.patch create mode 100644 queue-5.4/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch create mode 100644 queue-5.4/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch create mode 100644 queue-5.4/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch create mode 100644 queue-5.4/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch create mode 100644 queue-5.4/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch create mode 100644 queue-5.4/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch create mode 100644 queue-5.4/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch diff --git a/queue-5.4/acpi-extlog-fix-null-pointer-dereference-check.patch b/queue-5.4/acpi-extlog-fix-null-pointer-dereference-check.patch new file mode 100644 index 00000000000..4a6c6606b1d --- /dev/null +++ b/queue-5.4/acpi-extlog-fix-null-pointer-dereference-check.patch @@ -0,0 +1,59 @@ +From e6b74a32b0ce14f3db5f28a9322dd8c3944541aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 13:00:37 -0500 +Subject: ACPI: extlog: fix NULL pointer dereference check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prarit Bhargava + +[ Upstream commit 72d9b9747e78979510e9aafdd32eb99c7aa30dd1 ] + +The gcc plugin -fanalyzer [1] tries to detect various +patterns of incorrect behaviour. The tool reports: + +drivers/acpi/acpi_extlog.c: In function ‘extlog_exit’: +drivers/acpi/acpi_extlog.c:307:12: warning: check of ‘extlog_l1_addr’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check] + | + | 306 | ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN; + | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ + | | | + | | (1) pointer ‘extlog_l1_addr’ is dereferenced here + | 307 | if (extlog_l1_addr) + | | ~ + | | | + | | (2) pointer ‘extlog_l1_addr’ is checked for NULL here but it was already dereferenced at (1) + | + +Fix the NULL pointer dereference check in extlog_exit(). + +Link: https://gcc.gnu.org/onlinedocs/gcc-10.1.0/gcc/Static-Analyzer-Options.html # [1] + +Signed-off-by: Prarit Bhargava +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_extlog.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c +index 4c05c3828c9e..5dc91aa0ed61 100644 +--- a/drivers/acpi/acpi_extlog.c ++++ b/drivers/acpi/acpi_extlog.c +@@ -316,9 +316,10 @@ static void __exit extlog_exit(void) + { + edac_set_report_status(old_edac_report_status); + mce_unregister_decode_chain(&extlog_mce_dec); +- ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN; +- if (extlog_l1_addr) ++ if (extlog_l1_addr) { ++ ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN; + acpi_os_unmap_iomem(extlog_l1_addr, l1_size); ++ } + if (elog_addr) + acpi_os_unmap_iomem(elog_addr, elog_size); + release_mem_region(elog_base, elog_size); +-- +2.43.0 + diff --git a/queue-5.4/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch b/queue-5.4/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch new file mode 100644 index 00000000000..d9202debfc3 --- /dev/null +++ b/queue-5.4/acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch @@ -0,0 +1,51 @@ +From b192e1aab8c0addf53af959aedde81dd41edcb2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Nov 2023 21:59:13 +0800 +Subject: ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop + +From: Yuluo Qiu + +[ Upstream commit 143176a46bdd3bfbe9ba2462bf94458e80d65ebf ] + +The Colorful X15 AT 23 ACPI video-bus device report spurious +ACPI_VIDEO_NOTIFY_CYCLE events resulting in spurious KEY_SWITCHVIDEOMODE +events being reported to userspace (and causing trouble there) when +an external screen plugged in. + +Add a quirk setting the report_key_events mask to +REPORT_BRIGHTNESS_KEY_EVENTS so that the ACPI_VIDEO_NOTIFY_CYCLE +events will be ignored, while still reporting brightness up/down +hotkey-presses to userspace normally. + +Signed-off-by: Yuluo Qiu +Co-developed-by: Celeste Liu +Signed-off-by: Celeste Liu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index 9648ec76de2b..fd33fdbaffa9 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -568,6 +568,15 @@ static const struct dmi_system_id video_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 3350"), + }, + }, ++ { ++ .callback = video_set_report_key_events, ++ .driver_data = (void *)((uintptr_t)REPORT_BRIGHTNESS_KEY_EVENTS), ++ .ident = "COLORFUL X15 AT 23", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "COLORFUL"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X15 AT 23"), ++ }, ++ }, + /* + * Some machines change the brightness themselves when a brightness + * hotkey gets pressed, despite us telling them not to. In this case +-- +2.43.0 + diff --git a/queue-5.4/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch b/queue-5.4/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch new file mode 100644 index 00000000000..c28b762002c --- /dev/null +++ b/queue-5.4/afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch @@ -0,0 +1,89 @@ +From b32bb11696c691b5117c9f8b914acb6d22f83803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 12:56:14 +0100 +Subject: afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() + +From: Oleg Nesterov + +[ Upstream commit 1702e0654ca9a7bcd7c7619c8a5004db58945b71 ] + +David Howells says: + + (5) afs_find_server(). + + There could be a lot of servers in the list and each server can have + multiple addresses, so I think this would be better with an exclusive + second pass. + + The server list isn't likely to change all that often, but when it does + change, there's a good chance several servers are going to be + added/removed one after the other. Further, this is only going to be + used for incoming cache management/callback requests from the server, + which hopefully aren't going to happen too often - but it is remotely + drivable. + + (6) afs_find_server_by_uuid(). + + Similarly to (5), there could be a lot of servers to search through, but + they are in a tree not a flat list, so it should be faster to process. + Again, it's not likely to change that often and, again, when it does + change it's likely to involve multiple changes. This can be driven + remotely by an incoming cache management request but is mostly going to + be driven by setting up or reconfiguring a volume's server list - + something that also isn't likely to happen often. + +Make the "seq" counter odd on the 2nd pass, otherwise read_seqbegin_or_lock() +never takes the lock. + +Signed-off-by: Oleg Nesterov +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20231130115614.GA21581@redhat.com/ +Signed-off-by: Sasha Levin +--- + fs/afs/server.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/afs/server.c b/fs/afs/server.c +index d3a9288f7556..44985ca6602e 100644 +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -35,7 +35,7 @@ struct afs_server *afs_find_server(struct afs_net *net, + const struct afs_addr_list *alist; + struct afs_server *server = NULL; + unsigned int i; +- int seq = 0, diff; ++ int seq = 1, diff; + + rcu_read_lock(); + +@@ -43,6 +43,7 @@ struct afs_server *afs_find_server(struct afs_net *net, + if (server) + afs_put_server(net, server, afs_server_trace_put_find_rsq); + server = NULL; ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ + read_seqbegin_or_lock(&net->fs_addr_lock, &seq); + + if (srx->transport.family == AF_INET6) { +@@ -98,7 +99,7 @@ struct afs_server *afs_find_server_by_uuid(struct afs_net *net, const uuid_t *uu + { + struct afs_server *server = NULL; + struct rb_node *p; +- int diff, seq = 0; ++ int diff, seq = 1; + + _enter("%pU", uuid); + +@@ -110,7 +111,7 @@ struct afs_server *afs_find_server_by_uuid(struct afs_net *net, const uuid_t *uu + if (server) + afs_put_server(net, server, afs_server_trace_put_uuid_rsq); + server = NULL; +- ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ + read_seqbegin_or_lock(&net->fs_lock, &seq); + + p = net->fs_servers.rb_node; +-- +2.43.0 + diff --git a/queue-5.4/alsa-hda-intel-add-hda_arl-pci-id-support.patch b/queue-5.4/alsa-hda-intel-add-hda_arl-pci-id-support.patch new file mode 100644 index 00000000000..094775bc65e --- /dev/null +++ b/queue-5.4/alsa-hda-intel-add-hda_arl-pci-id-support.patch @@ -0,0 +1,41 @@ +From 026a1ab5559f2d4b17ac4913c0fa462148b41583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 15:27:07 -0600 +Subject: ALSA: hda: Intel: add HDA_ARL PCI ID support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit a31014ebad617868c246d3985ff80d891f03711e ] + +Yet another PCI ID. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Kai Vehmanen +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20231204212710.185976-3-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 0bf2e2656721..cc9b8b6595c8 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2527,6 +2527,8 @@ static const struct pci_device_id azx_ids[] = { + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, + { PCI_DEVICE(0x8086, 0x4b58), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE}, ++ /* Arrow Lake */ ++ { PCI_DEVICE_DATA(INTEL, HDA_ARL, AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE) }, + /* Broxton-P(Apollolake) */ + { PCI_DEVICE(0x8086, 0x5a98), + .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON }, +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx-use-flash-0-0-pattern.patch b/queue-5.4/arm-dts-imx-use-flash-0-0-pattern.patch new file mode 100644 index 00000000000..e5874c62a3d --- /dev/null +++ b/queue-5.4/arm-dts-imx-use-flash-0-0-pattern.patch @@ -0,0 +1,81 @@ +From e643596796176d17a6d4ee4bf337fb8cd50d1061 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:36:05 -0300 +Subject: ARM: dts: imx: Use flash@0,0 pattern + +From: Fabio Estevam + +[ Upstream commit 1e1d7cc478fb16816de09740e3c323c0c188d58f ] + +Per mtd-physmap.yaml, 'nor@0,0' is not a valid node pattern. + +Change it to 'flash@0,0' to fix the following dt-schema warning: + +imx1-ads.dtb: nor@0,0: $nodename:0: 'nor@0,0' does not match '^(flash|.*sram|nand)(@.*)?$' + from schema $id: http://devicetree.org/schemas/mtd/mtd-physmap.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx1-ads.dts | 2 +- + arch/arm/boot/dts/imx1-apf9328.dts | 2 +- + arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi | 2 +- + arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx1-ads.dts b/arch/arm/boot/dts/imx1-ads.dts +index 5833fb6f15d8..2c817c4a4c68 100644 +--- a/arch/arm/boot/dts/imx1-ads.dts ++++ b/arch/arm/boot/dts/imx1-ads.dts +@@ -65,7 +65,7 @@ + pinctrl-0 = <&pinctrl_weim>; + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + compatible = "cfi-flash"; + reg = <0 0x00000000 0x02000000>; + bank-width = <4>; +diff --git a/arch/arm/boot/dts/imx1-apf9328.dts b/arch/arm/boot/dts/imx1-apf9328.dts +index 77b21aa7a146..27e72b07b517 100644 +--- a/arch/arm/boot/dts/imx1-apf9328.dts ++++ b/arch/arm/boot/dts/imx1-apf9328.dts +@@ -45,7 +45,7 @@ + pinctrl-0 = <&pinctrl_weim>; + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + compatible = "cfi-flash"; + reg = <0 0x00000000 0x02000000>; + bank-width = <2>; +diff --git a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +index 4b83e2918b55..c7e923584878 100644 +--- a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi ++++ b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +@@ -90,7 +90,7 @@ + &weim { + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + #address-cells = <1>; + #size-cells = <1>; + compatible = "cfi-flash"; +diff --git a/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi b/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi +index 3d10273177e9..a5fdc2fd4ce5 100644 +--- a/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi ++++ b/arch/arm/boot/dts/imx27-phytec-phycore-som.dtsi +@@ -322,7 +322,7 @@ + &weim { + status = "okay"; + +- nor: nor@0,0 { ++ nor: flash@0,0 { + compatible = "cfi-flash"; + reg = <0 0x00000000 0x02000000>; + bank-width = <2>; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx1-fix-sram-node.patch b/queue-5.4/arm-dts-imx1-fix-sram-node.patch new file mode 100644 index 00000000000..fb42dde9e64 --- /dev/null +++ b/queue-5.4/arm-dts-imx1-fix-sram-node.patch @@ -0,0 +1,53 @@ +From d2065afaa656ca0be9dbba4302bf399f0edb484d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:39:21 -0300 +Subject: ARM: dts: imx1: Fix sram node + +From: Fabio Estevam + +[ Upstream commit c248e535973088ba7071ff6f26ab7951143450af ] + +Per sram.yaml, address-cells, size-cells and ranges are mandatory. + +The node name should be sram. + +Change the node name and pass the required properties to fix the +following dt-schema warnings: + +imx1-apf9328.dtb: esram@300000: $nodename:0: 'esram@300000' does not match '^sram(@.*)?' + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# +imx1-apf9328.dtb: esram@300000: '#address-cells' is a required property + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# +imx1-apf9328.dtb: esram@300000: '#size-cells' is a required property + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# +imx1-apf9328.dtb: esram@300000: 'ranges' is a required property + from schema $id: http://devicetree.org/schemas/sram/sram.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx1.dtsi | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx1.dtsi b/arch/arm/boot/dts/imx1.dtsi +index b30448cde582..a74870d03a67 100644 +--- a/arch/arm/boot/dts/imx1.dtsi ++++ b/arch/arm/boot/dts/imx1.dtsi +@@ -268,9 +268,12 @@ + status = "disabled"; + }; + +- esram: esram@300000 { ++ esram: sram@300000 { + compatible = "mmio-sram"; + reg = <0x00300000 0x20000>; ++ ranges = <0 0x00300000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch b/queue-5.4/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch new file mode 100644 index 00000000000..15eb3330423 --- /dev/null +++ b/queue-5.4/arm-dts-imx23-28-fix-the-dma-controller-node-name.patch @@ -0,0 +1,53 @@ +From 4e3885e961fe3bcb588943edd17d3451efbf0ccc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 07:26:31 -0300 +Subject: ARM: dts: imx23/28: Fix the DMA controller node name + +From: Fabio Estevam + +[ Upstream commit 858d83ca4b50bbc8693d95cc94310e6d791fb2e6 ] + +Per fsl,mxs-dma.yaml, the node name should be 'dma-controller'. + +Change it to fix the following dt-schema warning. + +imx28-apf28.dtb: dma-apbx@80024000: $nodename:0: 'dma-apbx@80024000' does not match '^dma-controller(@.*)?$' + from schema $id: http://devicetree.org/schemas/dma/fsl,mxs-dma.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx23.dtsi | 2 +- + arch/arm/boot/dts/imx28.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx23.dtsi b/arch/arm/boot/dts/imx23.dtsi +index 42700d7f8bf7..ba1705595b29 100644 +--- a/arch/arm/boot/dts/imx23.dtsi ++++ b/arch/arm/boot/dts/imx23.dtsi +@@ -406,7 +406,7 @@ + status = "disabled"; + }; + +- dma_apbx: dma-apbx@80024000 { ++ dma_apbx: dma-controller@80024000 { + compatible = "fsl,imx23-dma-apbx"; + reg = <0x80024000 0x2000>; + interrupts = <7 5 9 26 +diff --git a/arch/arm/boot/dts/imx28.dtsi b/arch/arm/boot/dts/imx28.dtsi +index 235c69bd181f..26dc6c9e1e6c 100644 +--- a/arch/arm/boot/dts/imx28.dtsi ++++ b/arch/arm/boot/dts/imx28.dtsi +@@ -982,7 +982,7 @@ + status = "disabled"; + }; + +- dma_apbx: dma-apbx@80024000 { ++ dma_apbx: dma-controller@80024000 { + compatible = "fsl,imx28-dma-apbx"; + reg = <0x80024000 0x2000>; + interrupts = <78 79 66 0 +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch b/queue-5.4/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch new file mode 100644 index 00000000000..09fadc5288c --- /dev/null +++ b/queue-5.4/arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch @@ -0,0 +1,61 @@ +From 274589b9d3869cfa4339587ec6f5ebc3ae481722 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 07:12:12 -0300 +Subject: ARM: dts: imx23-sansa: Use preferred i2c-gpios properties + +From: Fabio Estevam + +[ Upstream commit e3aa1a82fb20ee97597022f6528823a8ab82bde6 ] + +The 'gpios' property to describe the SDA and SCL GPIOs is considered +deprecated according to i2c-gpio.yaml. + +Switch to the preferred 'sda-gpios' and 'scl-gpios' properties. + +This fixes the following schema warnings: + +imx23-sansa.dtb: i2c-0: 'sda-gpios' is a required property + from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml# +imx23-sansa.dtb: i2c-0: 'scl-gpios' is a required property + from schema $id: http://devicetree.org/schemas/i2c/i2c-gpio.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx23-sansa.dts | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/imx23-sansa.dts b/arch/arm/boot/dts/imx23-sansa.dts +index 46057d9bf555..c2efcc20ae80 100644 +--- a/arch/arm/boot/dts/imx23-sansa.dts ++++ b/arch/arm/boot/dts/imx23-sansa.dts +@@ -175,10 +175,8 @@ + #address-cells = <1>; + #size-cells = <0>; + compatible = "i2c-gpio"; +- gpios = < +- &gpio1 24 0 /* SDA */ +- &gpio1 22 0 /* SCL */ +- >; ++ sda-gpios = <&gpio1 24 0>; ++ scl-gpios = <&gpio1 22 0>; + i2c-gpio,delay-us = <2>; /* ~100 kHz */ + }; + +@@ -186,10 +184,8 @@ + #address-cells = <1>; + #size-cells = <0>; + compatible = "i2c-gpio"; +- gpios = < +- &gpio0 31 0 /* SDA */ +- &gpio0 30 0 /* SCL */ +- >; ++ sda-gpios = <&gpio0 31 0>; ++ scl-gpios = <&gpio0 30 0>; + i2c-gpio,delay-us = <2>; /* ~100 kHz */ + + touch: touch@20 { +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch b/queue-5.4/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch new file mode 100644 index 00000000000..88d49f02825 --- /dev/null +++ b/queue-5.4/arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch @@ -0,0 +1,52 @@ +From 4b3949311d5b1252ab9f8fa1e0a688b9616dc2c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 08:58:26 -0300 +Subject: ARM: dts: imx25/27-eukrea: Fix RTC node name + +From: Fabio Estevam + +[ Upstream commit 68c711b882c262e36895547cddea2c2d56ce611d ] + +Node names should be generic. Use 'rtc' as node name to fix +the following dt-schema warning: + +imx25-eukrea-mbimxsd25-baseboard.dtb: pcf8563@51: $nodename:0: 'pcf8563@51' does not match '^rtc(@.*|-([0-9]|[1-9][0-9]+))?$' + from schema $id: http://devicetree.org/schemas/rtc/nxp,pcf8563.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi | 2 +- + arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi b/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi +index 0703f62d10d1..93a6e4e680b4 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi ++++ b/arch/arm/boot/dts/imx25-eukrea-cpuimx25.dtsi +@@ -27,7 +27,7 @@ + pinctrl-0 = <&pinctrl_i2c1>; + status = "okay"; + +- pcf8563@51 { ++ rtc@51 { + compatible = "nxp,pcf8563"; + reg = <0x51>; + }; +diff --git a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +index 74110bbcd9d4..4b83e2918b55 100644 +--- a/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi ++++ b/arch/arm/boot/dts/imx27-eukrea-cpuimx27.dtsi +@@ -33,7 +33,7 @@ + pinctrl-0 = <&pinctrl_i2c1>; + status = "okay"; + +- pcf8563@51 { ++ rtc@51 { + compatible = "nxp,pcf8563"; + reg = <0x51>; + }; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx25-27-pass-timing0.patch b/queue-5.4/arm-dts-imx25-27-pass-timing0.patch new file mode 100644 index 00000000000..5c2c8507be6 --- /dev/null +++ b/queue-5.4/arm-dts-imx25-27-pass-timing0.patch @@ -0,0 +1,138 @@ +From 958cac7b0c7f34fbb91d066e0d1d1c31dc7f2ba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 17:14:05 -0300 +Subject: ARM: dts: imx25/27: Pass timing0 + +From: Fabio Estevam + +[ Upstream commit 11ab7ad6f795ae23c398a4a5c56505d3dab27c4c ] + +Per display-timings.yaml, the 'timing' pattern should be used to +describe the display timings. + +Change it accordingly to fix the following dt-schema warning: + +imx27-apf27dev.dtb: display-timings: '800x480' does not match any of the regexes: '^timing', 'pinctrl-[0-9]+' + from schema $id: http://devicetree.org/schemas/display/panel/display-timings.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts | 2 +- + arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts | 2 +- + arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts | 2 +- + arch/arm/boot/dts/imx25-pdk.dts | 2 +- + arch/arm/boot/dts/imx27-apf27dev.dts | 2 +- + arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts | 2 +- + arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 2 +- + arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts +index 7d4301b22b90..1ed3fb7b9ce6 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts ++++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-cmo-qvga.dts +@@ -16,7 +16,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&qvga_timings>; +- qvga_timings: 320x240 { ++ qvga_timings: timing0 { + clock-frequency = <6500000>; + hactive = <320>; + vactive = <240>; +diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts +index 80a7f96de4c6..64b2ffac463b 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts ++++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-svga.dts +@@ -16,7 +16,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&dvi_svga_timings>; +- dvi_svga_timings: 800x600 { ++ dvi_svga_timings: timing0 { + clock-frequency = <40000000>; + hactive = <800>; + vactive = <600>; +diff --git a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts +index 24027a1fb46d..fb074bfdaa8d 100644 +--- a/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts ++++ b/arch/arm/boot/dts/imx25-eukrea-mbimxsd25-baseboard-dvi-vga.dts +@@ -16,7 +16,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&dvi_vga_timings>; +- dvi_vga_timings: 640x480 { ++ dvi_vga_timings: timing0 { + clock-frequency = <31250000>; + hactive = <640>; + vactive = <480>; +diff --git a/arch/arm/boot/dts/imx25-pdk.dts b/arch/arm/boot/dts/imx25-pdk.dts +index 05cccd12624c..876b101ce3e6 100644 +--- a/arch/arm/boot/dts/imx25-pdk.dts ++++ b/arch/arm/boot/dts/imx25-pdk.dts +@@ -78,7 +78,7 @@ + bus-width = <18>; + display-timings { + native-mode = <&wvga_timings>; +- wvga_timings: 640x480 { ++ wvga_timings: timing0 { + hactive = <640>; + vactive = <480>; + hback-porch = <45>; +diff --git a/arch/arm/boot/dts/imx27-apf27dev.dts b/arch/arm/boot/dts/imx27-apf27dev.dts +index 6f1e8ce9e76e..68fcb5ce9a9e 100644 +--- a/arch/arm/boot/dts/imx27-apf27dev.dts ++++ b/arch/arm/boot/dts/imx27-apf27dev.dts +@@ -16,7 +16,7 @@ + fsl,pcr = <0xfae80083>; /* non-standard but required */ + display-timings { + native-mode = <&timing0>; +- timing0: 800x480 { ++ timing0: timing0 { + clock-frequency = <33000033>; + hactive = <800>; + vactive = <480>; +diff --git a/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts b/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts +index 9c3ec82ec7e5..50fa0bd4c8a1 100644 +--- a/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts ++++ b/arch/arm/boot/dts/imx27-eukrea-mbimxsd27-baseboard.dts +@@ -16,7 +16,7 @@ + + display-timings { + native-mode = <&timing0>; +- timing0: 320x240 { ++ timing0: timing0 { + clock-frequency = <6500000>; + hactive = <320>; + vactive = <240>; +diff --git a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts +index 188639738dc3..7f36af150a25 100644 +--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts ++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts +@@ -19,7 +19,7 @@ + fsl,pcr = <0xf0c88080>; /* non-standard but required */ + display-timings { + native-mode = <&timing0>; +- timing0: 640x480 { ++ timing0: timing0 { + hactive = <640>; + vactive = <480>; + hback-porch = <112>; +diff --git a/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts b/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts +index bf883e45576a..39e0fcb12d23 100644 +--- a/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts ++++ b/arch/arm/boot/dts/imx27-phytec-phycore-rdk.dts +@@ -19,7 +19,7 @@ + + display-timings { + native-mode = <&timing0>; +- timing0: 240x320 { ++ timing0: timing0 { + clock-frequency = <5500000>; + hactive = <240>; + vactive = <320>; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx27-apf27dev-fix-led-name.patch b/queue-5.4/arm-dts-imx27-apf27dev-fix-led-name.patch new file mode 100644 index 00000000000..5b334813693 --- /dev/null +++ b/queue-5.4/arm-dts-imx27-apf27dev-fix-led-name.patch @@ -0,0 +1,39 @@ +From b010a740a6c931f4631ded4cc5e09d04182b5aa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 17:19:05 -0300 +Subject: ARM: dts: imx27-apf27dev: Fix LED name + +From: Fabio Estevam + +[ Upstream commit dc35e253d032b959d92e12f081db5b00db26ae64 ] + +Per leds-gpio.yaml, the led names should start with 'led'. + +Change it to fix the following dt-schema warning: + +imx27-apf27dev.dtb: leds: 'user' does not match any of the regexes: '(^led-[0-9a-f]$|led)', 'pinctrl-[0-9]+' + from schema $id: http://devicetree.org/schemas/leds/leds-gpio.yaml# + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx27-apf27dev.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx27-apf27dev.dts b/arch/arm/boot/dts/imx27-apf27dev.dts +index 68fcb5ce9a9e..3d9bb7fc3be2 100644 +--- a/arch/arm/boot/dts/imx27-apf27dev.dts ++++ b/arch/arm/boot/dts/imx27-apf27dev.dts +@@ -47,7 +47,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_gpio_leds>; + +- user { ++ led-user { + label = "Heartbeat"; + gpios = <&gpio6 14 GPIO_ACTIVE_HIGH>; + linux,default-trigger = "heartbeat"; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx27-fix-sram-node.patch b/queue-5.4/arm-dts-imx27-fix-sram-node.patch new file mode 100644 index 00000000000..083ac395719 --- /dev/null +++ b/queue-5.4/arm-dts-imx27-fix-sram-node.patch @@ -0,0 +1,37 @@ +From 6834720e88a2a744d674807190fad5eb87d0478b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:39:20 -0300 +Subject: ARM: dts: imx27: Fix sram node + +From: Fabio Estevam + +[ Upstream commit 2fb7b2a2f06bb3f8321cf26c33e4e820c5b238b6 ] + +Per sram.yaml, address-cells, size-cells and ranges are mandatory. + +Pass them to fix the following dt-schema warnings: + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx27.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/imx27.dtsi b/arch/arm/boot/dts/imx27.dtsi +index 3652f5556b29..eb0dac710044 100644 +--- a/arch/arm/boot/dts/imx27.dtsi ++++ b/arch/arm/boot/dts/imx27.dtsi +@@ -588,6 +588,9 @@ + iram: iram@ffff4c00 { + compatible = "mmio-sram"; + reg = <0xffff4c00 0xb400>; ++ ranges = <0 0xffff4c00 0xb400>; ++ #address-cells = <1>; ++ #size-cells = <1>; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx7d-fix-coresight-funnel-ports.patch b/queue-5.4/arm-dts-imx7d-fix-coresight-funnel-ports.patch new file mode 100644 index 00000000000..33699d70b59 --- /dev/null +++ b/queue-5.4/arm-dts-imx7d-fix-coresight-funnel-ports.patch @@ -0,0 +1,60 @@ +From cc69d30d425112fcf591f44b11d9965196c30aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 10:15:53 +0200 +Subject: ARM: dts: imx7d: Fix coresight funnel ports + +From: Alexander Stein + +[ Upstream commit 0d4ac04fa7c3f6dc263dba6f575a2ec7a2d4eca8 ] + +imx7d uses two ports for 'in-ports', so the syntax port@ has to +be used. imx7d has both port and port@1 nodes present, raising these +error: +funnel@30041000: in-ports: More than one condition true in oneOf schema +funnel@30041000: Unevaluated properties are not allowed +('in-ports' was unexpected) + +Fix this by also using port@0 for imx7s as well. + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7d.dtsi | 3 --- + arch/arm/boot/dts/imx7s.dtsi | 6 +++++- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx7d.dtsi b/arch/arm/boot/dts/imx7d.dtsi +index 8b65ca8b5f30..2b9d0b1bd982 100644 +--- a/arch/arm/boot/dts/imx7d.dtsi ++++ b/arch/arm/boot/dts/imx7d.dtsi +@@ -204,9 +204,6 @@ + }; + + &ca_funnel_in_ports { +- #address-cells = <1>; +- #size-cells = <0>; +- + port@1 { + reg = <1>; + ca_funnel_in_port1: endpoint { +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index 7ce541fcac76..33e9c210fd2f 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -183,7 +183,11 @@ + clock-names = "apb_pclk"; + + ca_funnel_in_ports: in-ports { +- port { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ port@0 { ++ reg = <0>; + ca_funnel_in_port0: endpoint { + remote-endpoint = <&etm0_out_port>; + }; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx7s-fix-lcdif-compatible.patch b/queue-5.4/arm-dts-imx7s-fix-lcdif-compatible.patch new file mode 100644 index 00000000000..27bae1ca8d7 --- /dev/null +++ b/queue-5.4/arm-dts-imx7s-fix-lcdif-compatible.patch @@ -0,0 +1,39 @@ +From adc92b73391a3a37596bd26715f9325fbfb25eba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 10:15:54 +0200 +Subject: ARM: dts: imx7s: Fix lcdif compatible + +From: Alexander Stein + +[ Upstream commit 5f55da4cc37051cda600ea870ce8cf29f1297715 ] + +imx7d-lcdif is compatible to imx6sx-lcdif. MXSFB_V6 supports overlay +by using LCDC_AS_CTRL register. This registers used by overlay plane: +* LCDC_AS_CTRL +* LCDC_AS_BUF +* LCDC_AS_NEXT_BUF +are listed in i.MX7D RM as well. + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index 33e9c210fd2f..a7ed880b12fc 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -769,7 +769,7 @@ + }; + + lcdif: lcdif@30730000 { +- compatible = "fsl,imx7d-lcdif", "fsl,imx28-lcdif"; ++ compatible = "fsl,imx7d-lcdif", "fsl,imx6sx-lcdif"; + reg = <0x30730000 0x10000>; + interrupts = ; + clocks = <&clks IMX7D_LCDIF_PIXEL_ROOT_CLK>, +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx7s-fix-nand-controller-size-cells.patch b/queue-5.4/arm-dts-imx7s-fix-nand-controller-size-cells.patch new file mode 100644 index 00000000000..5d30c643303 --- /dev/null +++ b/queue-5.4/arm-dts-imx7s-fix-nand-controller-size-cells.patch @@ -0,0 +1,38 @@ +From 1ed22c684635e4e34b3bbcb5fd8d941227ebdec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 10:15:55 +0200 +Subject: ARM: dts: imx7s: Fix nand-controller #size-cells + +From: Alexander Stein + +[ Upstream commit 4aadb841ed49bada1415c48c44d21f5b69e01299 ] + +nand-controller.yaml bindings says #size-cells shall be set to 0. +Fixes the dtbs_check warning: +arch/arm/boot/dts/nxp/imx/imx7s-mba7.dtb: nand-controller@33002000: + #size-cells:0:0: 0 was expected + from schema $id: http://devicetree.org/schemas/mtd/gpmi-nand.yaml# + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index a7ed880b12fc..8e86841ef4e6 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -1217,7 +1217,7 @@ + gpmi: gpmi-nand@33002000{ + compatible = "fsl,imx7d-gpmi-nand"; + #address-cells = <1>; +- #size-cells = <1>; ++ #size-cells = <0>; + reg = <0x33002000 0x2000>, <0x33004000 0x4000>; + reg-names = "gpmi-nand", "bch"; + interrupts = ; +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch b/queue-5.4/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch new file mode 100644 index 00000000000..f68207ffbf9 --- /dev/null +++ b/queue-5.4/arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch @@ -0,0 +1,51 @@ +From 244ac96875a6e83ea518b8f119899842301e2f01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 18:40:27 +0100 +Subject: ARM: dts: rockchip: fix rk3036 hdmi ports node + +From: Johan Jonker + +[ Upstream commit 27ded76ef0fcfcf939914532aae575cf23c221b4 ] + +Fix hdmi ports node so that it matches the +rockchip,inno-hdmi.yaml binding. + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/9a2afac1-ed5c-382d-02b0-b2f5f1af3abb@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3036.dtsi | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi +index d282a7b638d8..cc2d596da7d4 100644 +--- a/arch/arm/boot/dts/rk3036.dtsi ++++ b/arch/arm/boot/dts/rk3036.dtsi +@@ -337,12 +337,20 @@ + pinctrl-0 = <&hdmi_ctl>; + status = "disabled"; + +- hdmi_in: port { ++ ports { + #address-cells = <1>; + #size-cells = <0>; +- hdmi_in_vop: endpoint@0 { ++ ++ hdmi_in: port@0 { + reg = <0>; +- remote-endpoint = <&vop_out_hdmi>; ++ ++ hdmi_in_vop: endpoint { ++ remote-endpoint = <&vop_out_hdmi>; ++ }; ++ }; ++ ++ hdmi_out: port@1 { ++ reg = <1>; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.4/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch b/queue-5.4/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch new file mode 100644 index 00000000000..36bede6b457 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch @@ -0,0 +1,63 @@ +From 8be562ab07398fe70519cc73ab0f2ca86609ced8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 23:26:29 -0800 +Subject: arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property + +From: Mao Jinlong + +[ Upstream commit 9a6fc510a6a3ec150cb7450aec1e5f257e6fc77b ] + +Add the inport of funnel@3023000 to fix 'in-ports' is a required property +warning. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Mao Jinlong +Link: https://lore.kernel.org/r/20231210072633.4243-3-quic_jinlmao@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index f1d3c51ea8d0..fb9556f57f55 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -433,6 +433,19 @@ + }; + }; + ++ etm { ++ compatible = "qcom,coresight-remote-etm"; ++ ++ out-ports { ++ port { ++ modem_etm_out_funnel_in2: endpoint { ++ remote-endpoint = ++ <&funnel_in2_in_modem_etm>; ++ }; ++ }; ++ }; ++ }; ++ + psci { + compatible = "arm,psci-1.0"; + method = "smc"; +@@ -736,6 +749,14 @@ + clocks = <&rpmcc RPM_QDSS_CLK>, <&rpmcc RPM_QDSS_A_CLK>; + clock-names = "apb_pclk", "atclk"; + ++ in-ports { ++ port { ++ funnel_in2_in_modem_etm: endpoint { ++ remote-endpoint = ++ <&modem_etm_out_funnel_in2>; ++ }; ++ }; ++ }; + + out-ports { + port { +-- +2.43.0 + diff --git a/queue-5.4/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch b/queue-5.4/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch new file mode 100644 index 00000000000..e1d466a86f8 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch @@ -0,0 +1,88 @@ +From b019ad172df33a26dd8fa1ba57c7115a7960ec5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Dec 2023 23:26:30 -0800 +Subject: arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property + +From: Mao Jinlong + +[ Upstream commit ae5ee3562a2519214b12228545e88a203dd68bbd ] + +out-ports is a required property for coresight ETM. Add out-ports for +ETM nodes to fix the warning. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Mao Jinlong +Link: https://lore.kernel.org/r/20231210072633.4243-4-quic_jinlmao@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8998.dtsi | 32 +++++++++++++++++---------- + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8998.dtsi b/arch/arm64/boot/dts/qcom/msm8998.dtsi +index dcb79003ca0e..9cb7163c5714 100644 +--- a/arch/arm64/boot/dts/qcom/msm8998.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8998.dtsi +@@ -1396,9 +1396,11 @@ + + cpu = <&CPU4>; + +- port{ +- etm4_out: endpoint { +- remote-endpoint = <&apss_funnel_in4>; ++ out-ports { ++ port{ ++ etm4_out: endpoint { ++ remote-endpoint = <&apss_funnel_in4>; ++ }; + }; + }; + }; +@@ -1413,9 +1415,11 @@ + + cpu = <&CPU5>; + +- port{ +- etm5_out: endpoint { +- remote-endpoint = <&apss_funnel_in5>; ++ out-ports { ++ port{ ++ etm5_out: endpoint { ++ remote-endpoint = <&apss_funnel_in5>; ++ }; + }; + }; + }; +@@ -1430,9 +1434,11 @@ + + cpu = <&CPU6>; + +- port{ +- etm6_out: endpoint { +- remote-endpoint = <&apss_funnel_in6>; ++ out-ports { ++ port{ ++ etm6_out: endpoint { ++ remote-endpoint = <&apss_funnel_in6>; ++ }; + }; + }; + }; +@@ -1447,9 +1453,11 @@ + + cpu = <&CPU7>; + +- port{ +- etm7_out: endpoint { +- remote-endpoint = <&apss_funnel_in7>; ++ out-ports { ++ port{ ++ etm7_out: endpoint { ++ remote-endpoint = <&apss_funnel_in7>; ++ }; + }; + }; + }; +-- +2.43.0 + diff --git a/queue-5.4/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch b/queue-5.4/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch new file mode 100644 index 00000000000..3eaf2384f7c --- /dev/null +++ b/queue-5.4/asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch @@ -0,0 +1,37 @@ +From 515fe69c9eef79fbca099c0ab15bab4ad51d7f7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 14:07:51 +0200 +Subject: ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument + +From: Cristian Ciocaltea + +[ Upstream commit 67c7666fe808c3a7af3cc6f9d0a3dd3acfd26115 ] + +The virtual widget example makes use of an undefined SND_SOC_DAPM_NOPM +argument passed to SND_SOC_DAPM_MIXER(). Replace with the correct +SND_SOC_NOPM definition. + +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20231121120751.77355-1-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/sound/soc/dapm.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/sound/soc/dapm.rst b/Documentation/sound/soc/dapm.rst +index 8e44107933ab..c3154ce6e1b2 100644 +--- a/Documentation/sound/soc/dapm.rst ++++ b/Documentation/sound/soc/dapm.rst +@@ -234,7 +234,7 @@ corresponding soft power control. In this case it is necessary to create + a virtual widget - a widget with no control bits e.g. + :: + +- SND_SOC_DAPM_MIXER("AC97 Mixer", SND_SOC_DAPM_NOPM, 0, 0, NULL, 0), ++ SND_SOC_DAPM_MIXER("AC97 Mixer", SND_SOC_NOPM, 0, 0, NULL, 0), + + This can be used to merge to signal paths together in software. + +-- +2.43.0 + diff --git a/queue-5.4/audit-send-netlink-ack-before-setting-connection-in-.patch b/queue-5.4/audit-send-netlink-ack-before-setting-connection-in-.patch new file mode 100644 index 00000000000..e70e95ce7ae --- /dev/null +++ b/queue-5.4/audit-send-netlink-ack-before-setting-connection-in-.patch @@ -0,0 +1,117 @@ +From 6a78427d3c52f579e9bf35e18dc13e66291ed798 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 09:23:51 +0000 +Subject: audit: Send netlink ACK before setting connection in auditd_set + +From: Chris Riches + +[ Upstream commit 022732e3d846e197539712e51ecada90ded0572a ] + +When auditd_set sets the auditd_conn pointer, audit messages can +immediately be put on the socket by other kernel threads. If the backlog +is large or the rate is high, this can immediately fill the socket +buffer. If the audit daemon requested an ACK for this operation, a full +socket buffer causes the ACK to get dropped, also setting ENOBUFS on the +socket. + +To avoid this race and ensure ACKs get through, fast-track the ACK in +this specific case to ensure it is sent before auditd_conn is set. + +Signed-off-by: Chris Riches +[PM: fix some tab vs space damage] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +diff --git a/kernel/audit.c b/kernel/audit.c +index 805b0c9972d3..39e84d65d253 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -484,15 +484,19 @@ static void auditd_conn_free(struct rcu_head *rcu) + * @pid: auditd PID + * @portid: auditd netlink portid + * @net: auditd network namespace pointer ++ * @skb: the netlink command from the audit daemon ++ * @ack: netlink ack flag, cleared if ack'd here + * + * Description: + * This function will obtain and drop network namespace references as + * necessary. Returns zero on success, negative values on failure. + */ +-static int auditd_set(struct pid *pid, u32 portid, struct net *net) ++static int auditd_set(struct pid *pid, u32 portid, struct net *net, ++ struct sk_buff *skb, bool *ack) + { + unsigned long flags; + struct auditd_connection *ac_old, *ac_new; ++ struct nlmsghdr *nlh; + + if (!pid || !net) + return -EINVAL; +@@ -504,6 +508,13 @@ static int auditd_set(struct pid *pid, u32 portid, struct net *net) + ac_new->portid = portid; + ac_new->net = get_net(net); + ++ /* send the ack now to avoid a race with the queue backlog */ ++ if (*ack) { ++ nlh = nlmsg_hdr(skb); ++ netlink_ack(skb, nlh, 0, NULL); ++ *ack = false; ++ } ++ + spin_lock_irqsave(&auditd_conn_lock, flags); + ac_old = rcu_dereference_protected(auditd_conn, + lockdep_is_held(&auditd_conn_lock)); +@@ -1198,7 +1209,8 @@ static int audit_replace(struct pid *pid) + return auditd_send_unicast_skb(skb); + } + +-static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ++static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, ++ bool *ack) + { + u32 seq; + void *data; +@@ -1290,7 +1302,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + /* register a new auditd connection */ + err = auditd_set(req_pid, + NETLINK_CB(skb).portid, +- sock_net(NETLINK_CB(skb).sk)); ++ sock_net(NETLINK_CB(skb).sk), ++ skb, ack); + if (audit_enabled != AUDIT_OFF) + audit_log_config_change("audit_pid", + new_pid, +@@ -1529,9 +1542,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) + * Parse the provided skb and deal with any messages that may be present, + * malformed skbs are discarded. + */ +-static void audit_receive(struct sk_buff *skb) ++static void audit_receive(struct sk_buff *skb) + { + struct nlmsghdr *nlh; ++ bool ack; + /* + * len MUST be signed for nlmsg_next to be able to dec it below 0 + * if the nlmsg_len was not aligned +@@ -1544,9 +1558,12 @@ static void audit_receive(struct sk_buff *skb) + + audit_ctl_lock(); + while (nlmsg_ok(nlh, len)) { +- err = audit_receive_msg(skb, nlh); +- /* if err or if this message says it wants a response */ +- if (err || (nlh->nlmsg_flags & NLM_F_ACK)) ++ ack = nlh->nlmsg_flags & NLM_F_ACK; ++ err = audit_receive_msg(skb, nlh, &ack); ++ ++ /* send an ack if the user asked for one and audit_receive_msg ++ * didn't already do it, or if there was an error. */ ++ if (ack || err) + netlink_ack(skb, nlh, err, NULL); + + nlh = nlmsg_next(nlh, &len); +-- +2.43.0 + diff --git a/queue-5.4/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch b/queue-5.4/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch new file mode 100644 index 00000000000..0607b5f6e10 --- /dev/null +++ b/queue-5.4/blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch @@ -0,0 +1,72 @@ +From 1aac82da835d9150b56a859d4aa3ad1a74072076 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jan 2024 20:26:26 +0800 +Subject: blk-mq: fix IO hang from sbitmap wakeup race + +From: Ming Lei + +[ Upstream commit 5266caaf5660529e3da53004b8b7174cab6374ed ] + +In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered +with the following blk_mq_get_driver_tag() in case of getting driver +tag failure. + +Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe +the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime +blk_mq_mark_tag_wait() can't get driver tag successfully. + +This issue can be reproduced by running the following test in loop, and +fio hang can be observed in < 30min when running it on my test VM +in laptop. + + modprobe -r scsi_debug + modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4 + dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename` + fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \ + --runtime=100 --numjobs=40 --time_based --name=test \ + --ioengine=libaio + +Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which +is just fine in case of running out of tag. + +Cc: Jan Kara +Cc: Kemeng Shi +Reported-by: Changhui Zhong +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20240112122626.4181044-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 325a5944b4cb..03f4eb37dfc7 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1153,6 +1153,22 @@ static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx, + wait->flags &= ~WQ_FLAG_EXCLUSIVE; + __add_wait_queue(wq, wait); + ++ /* ++ * Add one explicit barrier since blk_mq_get_driver_tag() may ++ * not imply barrier in case of failure. ++ * ++ * Order adding us to wait queue and allocating driver tag. ++ * ++ * The pair is the one implied in sbitmap_queue_wake_up() which ++ * orders clearing sbitmap tag bits and waitqueue_active() in ++ * __sbitmap_queue_wake_up(), since waitqueue_active() is lockless ++ * ++ * Otherwise, re-order of adding wait queue and getting driver tag ++ * may cause __sbitmap_queue_wake_up() to wake up nothing because ++ * the waitqueue_active() may not observe us in wait queue. ++ */ ++ smp_mb(); ++ + /* + * It's possible that a tag was freed in the window between the + * allocation failure and adding the hardware queue to the wait +-- +2.43.0 + diff --git a/queue-5.4/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch b/queue-5.4/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch new file mode 100644 index 00000000000..84d50ef703f --- /dev/null +++ b/queue-5.4/block-prevent-an-integer-overflow-in-bvec_try_merge_.patch @@ -0,0 +1,36 @@ +From 64aefea1e61a84f402e6506c0305d51ed72a127a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 18:34:18 +0100 +Subject: block: prevent an integer overflow in bvec_try_merge_hw_page + +From: Christoph Hellwig + +[ Upstream commit 3f034c374ad55773c12dd8f3c1607328e17c0072 ] + +Reordered a check to avoid a possible overflow when adding len to bv_len. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20231204173419.782378-2-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bio.c b/block/bio.c +index 6bdb95174adc..e3d3e75c97e0 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -710,7 +710,7 @@ static bool bio_try_merge_pc_page(struct request_queue *q, struct bio *bio, + + if ((addr1 | mask) != (addr2 | mask)) + return false; +- if (bv->bv_len + len > queue_max_segment_size(q)) ++ if (len > queue_max_segment_size(q) - bv->bv_len) + return false; + return __bio_try_merge_page(bio, page, len, offset, same_page); + } +-- +2.43.0 + diff --git a/queue-5.4/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch b/queue-5.4/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch new file mode 100644 index 00000000000..fd4c686c951 --- /dev/null +++ b/queue-5.4/bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch @@ -0,0 +1,69 @@ +From 26ab7897586afb8155d02400d23362f70c9ff8a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Nov 2023 16:16:53 +0800 +Subject: bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk + +From: Zhengchao Shao + +[ Upstream commit d6b83f1e3707c4d60acfa58afd3515e17e5d5384 ] + +If failed to allocate "tags" or could not find the final upper device from +start_dev's upper list in bond_verify_device_path(), only the loopback +detection of the current upper device should be affected, and the system is +no need to be panic. +So return -ENOMEM in alb_upper_dev_walk to stop walking, print some warn +information when failed to allocate memory for vlan tags in +bond_verify_device_path. + +I also think that the following function calls +netdev_walk_all_upper_dev_rcu +---->>>alb_upper_dev_walk +---------->>>bond_verify_device_path +From this way, "end device" can eventually be obtained from "start device" +in bond_verify_device_path, IS_ERR(tags) could be instead of +IS_ERR_OR_NULL(tags) in alb_upper_dev_walk. + +Signed-off-by: Zhengchao Shao +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/20231118081653.1481260-1-shaozhengchao@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_alb.c | 3 ++- + drivers/net/bonding/bond_main.c | 5 ++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c +index 6df78a36bafd..342e23e56192 100644 +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -970,7 +970,8 @@ static int alb_upper_dev_walk(struct net_device *upper, void *_data) + if (netif_is_macvlan(upper) && !strict_match) { + tags = bond_verify_device_path(bond->dev, upper, 0); + if (IS_ERR_OR_NULL(tags)) +- BUG(); ++ return -ENOMEM; ++ + alb_send_lp_vid(slave, upper->dev_addr, + tags[0].vlan_proto, tags[0].vlan_id); + kfree(tags); +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index bb1c6743222e..352afabf8571 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2482,8 +2482,11 @@ struct bond_vlan_tag *bond_verify_device_path(struct net_device *start_dev, + + if (start_dev == end_dev) { + tags = kcalloc(level + 1, sizeof(*tags), GFP_ATOMIC); +- if (!tags) ++ if (!tags) { ++ net_err_ratelimited("%s: %s: Failed to allocate tags\n", ++ __func__, start_dev->name); + return ERR_PTR(-ENOMEM); ++ } + tags[level].vlan_proto = VLAN_N_VID; + return tags; + } +-- +2.43.0 + diff --git a/queue-5.4/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch b/queue-5.4/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch new file mode 100644 index 00000000000..42e5b334ac8 --- /dev/null +++ b/queue-5.4/bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch @@ -0,0 +1,173 @@ +From 066657fa5c66be7e7a8a84754cc8c31360f8d4aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 22:04:20 +0800 +Subject: bpf: Add map and need_defer parameters to .map_fd_put_ptr() + +From: Hou Tao + +[ Upstream commit 20c20bd11a0702ce4dc9300c3da58acf551d9725 ] + +map is the pointer of outer map, and need_defer needs some explanation. +need_defer tells the implementation to defer the reference release of +the passed element and ensure that the element is still alive before +the bpf program, which may manipulate it, exits. + +The following three cases will invoke map_fd_put_ptr() and different +need_defer values will be passed to these callers: + +1) release the reference of the old element in the map during map update + or map deletion. The release must be deferred, otherwise the bpf + program may incur use-after-free problem, so need_defer needs to be + true. +2) release the reference of the to-be-added element in the error path of + map update. The to-be-added element is not visible to any bpf + program, so it is OK to pass false for need_defer parameter. +3) release the references of all elements in the map during map release. + Any bpf program which has access to the map must have been exited and + released, so need_defer=false will be OK. + +These two parameters will be used by the following patches to fix the +potential use-after-free problem for map-in-map. + +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20231204140425.1480317-3-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 6 +++++- + kernel/bpf/arraymap.c | 12 +++++++----- + kernel/bpf/hashtab.c | 6 +++--- + kernel/bpf/map_in_map.c | 2 +- + kernel/bpf/map_in_map.h | 2 +- + 5 files changed, 17 insertions(+), 11 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 5705cda3c4c4..6107b537245a 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -49,7 +49,11 @@ struct bpf_map_ops { + /* funcs called by prog_array and perf_event_array map */ + void *(*map_fd_get_ptr)(struct bpf_map *map, struct file *map_file, + int fd); +- void (*map_fd_put_ptr)(void *ptr); ++ /* If need_defer is true, the implementation should guarantee that ++ * the to-be-put element is still alive before the bpf program, which ++ * may manipulate it, exists. ++ */ ++ void (*map_fd_put_ptr)(struct bpf_map *map, void *ptr, bool need_defer); + u32 (*map_gen_lookup)(struct bpf_map *map, struct bpf_insn *insn_buf); + u32 (*map_fd_sys_lookup_elem)(void *ptr); + void (*map_seq_show_elem)(struct bpf_map *map, void *key, +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index 1c65ce0098a9..81ed9b79f401 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -542,7 +542,7 @@ int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file, + + old_ptr = xchg(array->ptrs + index, new_ptr); + if (old_ptr) +- map->ops->map_fd_put_ptr(old_ptr); ++ map->ops->map_fd_put_ptr(map, old_ptr, true); + + return 0; + } +@@ -558,7 +558,7 @@ static int fd_array_map_delete_elem(struct bpf_map *map, void *key) + + old_ptr = xchg(array->ptrs + index, NULL); + if (old_ptr) { +- map->ops->map_fd_put_ptr(old_ptr); ++ map->ops->map_fd_put_ptr(map, old_ptr, true); + return 0; + } else { + return -ENOENT; +@@ -582,8 +582,9 @@ static void *prog_fd_array_get_ptr(struct bpf_map *map, + return prog; + } + +-static void prog_fd_array_put_ptr(void *ptr) ++static void prog_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { ++ /* bpf_prog is freed after one RCU or tasks trace grace period */ + bpf_prog_put(ptr); + } + +@@ -694,8 +695,9 @@ static void *perf_event_fd_array_get_ptr(struct bpf_map *map, + return ee; + } + +-static void perf_event_fd_array_put_ptr(void *ptr) ++static void perf_event_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { ++ /* bpf_perf_event is freed after one RCU grace period */ + bpf_event_entry_free_rcu(ptr); + } + +@@ -736,7 +738,7 @@ static void *cgroup_fd_array_get_ptr(struct bpf_map *map, + return cgroup_get_from_fd(fd); + } + +-static void cgroup_fd_array_put_ptr(void *ptr) ++static void cgroup_fd_array_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { + /* cgroup_put free cgrp after a rcu grace period */ + cgroup_put(ptr); +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 03a67583f6fb..f1dec90f3a52 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -674,7 +674,7 @@ static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l) + + if (map->ops->map_fd_put_ptr) { + ptr = fd_htab_map_get_ptr(map, l); +- map->ops->map_fd_put_ptr(ptr); ++ map->ops->map_fd_put_ptr(map, ptr, true); + } + } + +@@ -1426,7 +1426,7 @@ static void fd_htab_map_free(struct bpf_map *map) + hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { + void *ptr = fd_htab_map_get_ptr(map, l); + +- map->ops->map_fd_put_ptr(ptr); ++ map->ops->map_fd_put_ptr(map, ptr, false); + } + } + +@@ -1467,7 +1467,7 @@ int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file, + + ret = htab_map_update_elem(map, key, &ptr, map_flags); + if (ret) +- map->ops->map_fd_put_ptr(ptr); ++ map->ops->map_fd_put_ptr(map, ptr, false); + + return ret; + } +diff --git a/kernel/bpf/map_in_map.c b/kernel/bpf/map_in_map.c +index fab4fb134547..7fe5a73aff07 100644 +--- a/kernel/bpf/map_in_map.c ++++ b/kernel/bpf/map_in_map.c +@@ -106,7 +106,7 @@ void *bpf_map_fd_get_ptr(struct bpf_map *map, + return inner_map; + } + +-void bpf_map_fd_put_ptr(void *ptr) ++void bpf_map_fd_put_ptr(struct bpf_map *map, void *ptr, bool need_defer) + { + /* ptr->ops->map_free() has to go through one + * rcu grace period by itself. +diff --git a/kernel/bpf/map_in_map.h b/kernel/bpf/map_in_map.h +index a507bf6ef8b9..d296890813cc 100644 +--- a/kernel/bpf/map_in_map.h ++++ b/kernel/bpf/map_in_map.h +@@ -15,7 +15,7 @@ bool bpf_map_meta_equal(const struct bpf_map *meta0, + const struct bpf_map *meta1); + void *bpf_map_fd_get_ptr(struct bpf_map *map, struct file *map_file, + int ufd); +-void bpf_map_fd_put_ptr(void *ptr); ++void bpf_map_fd_put_ptr(struct bpf_map *map, void *ptr, bool need_defer); + u32 bpf_map_fd_sys_lookup_elem(void *ptr); + + #endif +-- +2.43.0 + diff --git a/queue-5.4/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch b/queue-5.4/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch new file mode 100644 index 00000000000..61032ccf58a --- /dev/null +++ b/queue-5.4/ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch @@ -0,0 +1,63 @@ +From 4c66c1a8f753532019756bc71f302cd2d5a5334c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 13:26:18 +0800 +Subject: ceph: fix deadlock or deadcode of misusing dget() + +From: Xiubo Li + +[ Upstream commit b493ad718b1f0357394d2cdecbf00a44a36fa085 ] + +The lock order is incorrect between denty and its parent, we should +always make sure that the parent get the lock first. + +But since this deadcode is never used and the parent dir will always +be set from the callers, let's just remove it. + +Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV +Reported-by: Al Viro +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 4e88cb990723..45b8f6741f8d 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -4304,12 +4304,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, + struct inode *dir, + int mds, int drop, int unless) + { +- struct dentry *parent = NULL; + struct ceph_mds_request_release *rel = *p; + struct ceph_dentry_info *di = ceph_dentry(dentry); + int force = 0; + int ret; + ++ /* This shouldn't happen */ ++ BUG_ON(!dir); ++ + /* + * force an record for the directory caps if we have a dentry lease. + * this is racy (can't take i_ceph_lock and d_lock together), but it +@@ -4319,14 +4321,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, + spin_lock(&dentry->d_lock); + if (di->lease_session && di->lease_session->s_mds == mds) + force = 1; +- if (!dir) { +- parent = dget(dentry->d_parent); +- dir = d_inode(parent); +- } + spin_unlock(&dentry->d_lock); + + ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); +- dput(parent); + + spin_lock(&dentry->d_lock); + if (ret && di->lease_session && di->lease_session->s_mds == mds) { +-- +2.43.0 + diff --git a/queue-5.4/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch b/queue-5.4/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch new file mode 100644 index 00000000000..e9c1aab9e73 --- /dev/null +++ b/queue-5.4/clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch @@ -0,0 +1,41 @@ +From 40ed37de57523526972d3209b4845923af850b2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 00:50:40 +0800 +Subject: clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() + +From: Kuan-Wei Chiu + +[ Upstream commit bfbea9e5667cfa9552c3d88f023386f017f6c308 ] + +In cases where kcalloc() fails for the 'clk_data->clks' allocation, the +code path does not handle the failure gracefully, potentially leading +to a memory leak. This fix ensures proper cleanup by freeing the +allocated memory for 'clk_data' before returning. + +Signed-off-by: Kuan-Wei Chiu +Link: https://lore.kernel.org/r/20231210165040.3407545-1-visitorckw@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/hisilicon/clk-hi3620.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/hisilicon/clk-hi3620.c b/drivers/clk/hisilicon/clk-hi3620.c +index a3d04c7c3da8..eb9c139babc3 100644 +--- a/drivers/clk/hisilicon/clk-hi3620.c ++++ b/drivers/clk/hisilicon/clk-hi3620.c +@@ -467,8 +467,10 @@ static void __init hi3620_mmc_clk_init(struct device_node *node) + return; + + clk_data->clks = kcalloc(num, sizeof(*clk_data->clks), GFP_KERNEL); +- if (!clk_data->clks) ++ if (!clk_data->clks) { ++ kfree(clk_data); + return; ++ } + + for (i = 0; i < num; i++) { + struct hisi_mmc_clock *mmc_clk = &hi3620_mmc_clks[i]; +-- +2.43.0 + diff --git a/queue-5.4/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch b/queue-5.4/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch new file mode 100644 index 00000000000..abfc0840408 --- /dev/null +++ b/queue-5.4/clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch @@ -0,0 +1,51 @@ +From 0424499de9286b878afe54acaf24c9d837273c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 01:52:32 +0800 +Subject: clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() + +From: Kuan-Wei Chiu + +[ Upstream commit 2fbabea626b6467eb4e6c4cb7a16523da12e43b4 ] + +In cases where mapping of mpmu/apmu/apbc registers fails, the code path +does not handle the failure gracefully, potentially leading to a memory +leak. This fix ensures proper cleanup by freeing the allocated memory +for 'pxa_unit' before returning. + +Signed-off-by: Kuan-Wei Chiu +Link: https://lore.kernel.org/r/20231210175232.3414584-1-visitorckw@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mmp/clk-of-pxa168.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/mmp/clk-of-pxa168.c b/drivers/clk/mmp/clk-of-pxa168.c +index f110c02e83cb..9674c6c06dca 100644 +--- a/drivers/clk/mmp/clk-of-pxa168.c ++++ b/drivers/clk/mmp/clk-of-pxa168.c +@@ -258,18 +258,21 @@ static void __init pxa168_clk_init(struct device_node *np) + pxa_unit->mpmu_base = of_iomap(np, 0); + if (!pxa_unit->mpmu_base) { + pr_err("failed to map mpmu registers\n"); ++ kfree(pxa_unit); + return; + } + + pxa_unit->apmu_base = of_iomap(np, 1); + if (!pxa_unit->apmu_base) { + pr_err("failed to map apmu registers\n"); ++ kfree(pxa_unit); + return; + } + + pxa_unit->apbc_base = of_iomap(np, 2); + if (!pxa_unit->apbc_base) { + pr_err("failed to map apbc registers\n"); ++ kfree(pxa_unit); + return; + } + +-- +2.43.0 + diff --git a/queue-5.4/crypto-stm32-crc32-fix-parsing-list-of-devices.patch b/queue-5.4/crypto-stm32-crc32-fix-parsing-list-of-devices.patch new file mode 100644 index 00000000000..eede36d53c6 --- /dev/null +++ b/queue-5.4/crypto-stm32-crc32-fix-parsing-list-of-devices.patch @@ -0,0 +1,46 @@ +From 30868c72e111bae374b1877cd39331f33ed097b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Dec 2023 12:17:24 +0100 +Subject: crypto: stm32/crc32 - fix parsing list of devices + +From: Thomas Bourgoin + +[ Upstream commit 0eaef675b94c746900dcea7f6c41b9a103ed5d53 ] + +smatch warnings: +drivers/crypto/stm32/stm32-crc32.c:108 stm32_crc_get_next_crc() warn: +can 'crc' even be NULL? + +Use list_first_entry_or_null instead of list_first_entry to retrieve +the first device registered. +The function list_first_entry always return a non NULL pointer even if +the list is empty. Hence checking if the pointer returned is NULL does +not tell if the list is empty or not. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/ +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202311281111.ou2oUL2i-lkp@intel.com/ +Signed-off-by: Thomas Bourgoin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-crc32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/stm32/stm32-crc32.c b/drivers/crypto/stm32/stm32-crc32.c +index 2ecc970f5cae..b66e06818afc 100644 +--- a/drivers/crypto/stm32/stm32-crc32.c ++++ b/drivers/crypto/stm32/stm32-crc32.c +@@ -98,7 +98,7 @@ static struct stm32_crc *stm32_crc_get_next_crc(void) + struct stm32_crc *crc; + + spin_lock_bh(&crc_list.lock); +- crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list); ++ crc = list_first_entry_or_null(&crc_list.dev_list, struct stm32_crc, list); + if (crc) + list_move_tail(&crc->list, &crc_list.dev_list); + spin_unlock_bh(&crc_list.lock); +-- +2.43.0 + diff --git a/queue-5.4/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch b/queue-5.4/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch new file mode 100644 index 00000000000..ae3a2c05a59 --- /dev/null +++ b/queue-5.4/drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch @@ -0,0 +1,43 @@ +From 8a65ffba14c5269ee808358b12b782374492e690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 12:01:05 -0500 +Subject: drm/amd/display: make flip_timestamp_in_us a 64-bit variable + +From: Josip Pavic + +[ Upstream commit 6fb12518ca58412dc51054e2a7400afb41328d85 ] + +[Why] +This variable currently overflows after about 71 minutes. This doesn't +cause any known functional issues but it does make debugging more +difficult. + +[How] +Make it a 64-bit variable. + +Reviewed-by: Aric Cyr +Acked-by: Wayne Lin +Signed-off-by: Josip Pavic +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dc_hw_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dc_hw_types.h b/drivers/gpu/drm/amd/display/dc/dc_hw_types.h +index 0b8700a8a94a..c6281d4a18ce 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc_hw_types.h ++++ b/drivers/gpu/drm/amd/display/dc/dc_hw_types.h +@@ -423,7 +423,7 @@ struct dc_cursor_position { + }; + + struct dc_cursor_mi_param { +- unsigned int pixel_clk_khz; ++ unsigned long long pixel_clk_khz; + unsigned int ref_clk_khz; + struct rect viewport; + struct fixed31_32 h_scale_ratio; +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch b/queue-5.4/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch new file mode 100644 index 00000000000..73f998dbbc7 --- /dev/null +++ b/queue-5.4/drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch @@ -0,0 +1,45 @@ +From 969755def309836d73f205e10cd442a1c3d2f16d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Dec 2023 12:54:44 +0530 +Subject: drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit bf2ad4fb8adca89374b54b225d494e0b1956dbea ] + +Return value of container_of(...) can't be null, so null check is not +required for 'fence'. Hence drop its NULL check. + +Fixes the below: +drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c:93 to_amdgpu_amdkfd_fence() warn: can 'fence' even be NULL? + +Cc: Felix Kuehling +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c +index 3107b9575929..eef7517c9d24 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_fence.c +@@ -88,7 +88,7 @@ struct amdgpu_amdkfd_fence *to_amdgpu_amdkfd_fence(struct dma_fence *f) + return NULL; + + fence = container_of(f, struct amdgpu_amdkfd_fence, base); +- if (fence && f->ops == &amdkfd_fence_ops) ++ if (f->ops == &amdkfd_fence_ops) + return fence; + + return NULL; +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-let-kfd-sync-with-vm-fences.patch b/queue-5.4/drm-amdgpu-let-kfd-sync-with-vm-fences.patch new file mode 100644 index 00000000000..7e45e0bfd11 --- /dev/null +++ b/queue-5.4/drm-amdgpu-let-kfd-sync-with-vm-fences.patch @@ -0,0 +1,42 @@ +From 718221b1b5110347ad709e50c23b9f3d857990cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 16:17:23 -0500 +Subject: drm/amdgpu: Let KFD sync with VM fences +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Kuehling + +[ Upstream commit ec9ba4821fa52b5efdbc4cdf0a77497990655231 ] + +Change the rules for amdgpu_sync_resv to let KFD synchronize with VM +fences on page table reservations. This fixes intermittent memory +corruption after evictions when using amdgpu_vm_handle_moved to update +page tables for VM mappings managed through render nodes. + +Signed-off-by: Felix Kuehling +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c +index 95e5e93edd18..7e840e560513 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c +@@ -218,7 +218,8 @@ int amdgpu_sync_resv(struct amdgpu_device *adev, + */ + fence_owner = amdgpu_sync_get_owner(f); + if (fence_owner == AMDGPU_FENCE_OWNER_KFD && +- owner != AMDGPU_FENCE_OWNER_UNDEFINED) ++ owner != AMDGPU_FENCE_OWNER_UNDEFINED && ++ owner != AMDGPU_FENCE_OWNER_KFD) + continue; + + if (amdgpu_sync_same_dev(adev, f)) { +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch b/queue-5.4/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch new file mode 100644 index 00000000000..14ada941f24 --- /dev/null +++ b/queue-5.4/drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch @@ -0,0 +1,48 @@ +From d282a21333543123e8950eaa84bfcd79b924eaf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 18:13:11 +0530 +Subject: drm/amdgpu: Release 'adev->pm.fw' before return in + 'amdgpu_device_need_post()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit 8a44fdd3cf91debbd09b43bd2519ad2b2486ccf4 ] + +In function 'amdgpu_device_need_post(struct amdgpu_device *adev)' - +'adev->pm.fw' may not be released before return. + +Using the function release_firmware() to release adev->pm.fw. + +Thus fixing the below: +drivers/gpu/drm/amd/amdgpu/amdgpu_device.c:1571 amdgpu_device_need_post() warn: 'adev->pm.fw' from request_firmware() not released on lines: 1554. + +Cc: Monk Liu +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Suggested-by: Lijo Lazar +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index e5032eb9ae29..9dcb38bab0e1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -847,6 +847,7 @@ bool amdgpu_device_need_post(struct amdgpu_device *adev) + return true; + + fw_ver = *((uint32_t *)adev->pm.fw->data + 69); ++ release_firmware(adev->pm.fw); + if (fw_ver < 0x00160e00) + return true; + } +-- +2.43.0 + diff --git a/queue-5.4/drm-drm_file-fix-use-of-uninitialized-variable.patch b/queue-5.4/drm-drm_file-fix-use-of-uninitialized-variable.patch new file mode 100644 index 00000000000..6de1330ce5b --- /dev/null +++ b/queue-5.4/drm-drm_file-fix-use-of-uninitialized-variable.patch @@ -0,0 +1,43 @@ +From 369df2162f8c8a9ec9bcc2a5a9de1e039bcd4a61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 15:14:03 +0200 +Subject: drm/drm_file: fix use of uninitialized variable + +From: Tomi Valkeinen + +[ Upstream commit 1d3062fad9c7313fff9970a88e0538a24480ffb8 ] + +smatch reports: + +drivers/gpu/drm/drm_file.c:967 drm_show_memory_stats() error: uninitialized symbol 'supported_status'. + +'supported_status' is only set in one code path. I'm not familiar with +the code to say if that path will always be ran in real life, but +whether that is the case or not, I think it is good to initialize +'supported_status' to 0 to silence the warning (and possibly fix a bug). + +Reviewed-by: Laurent Pinchart +Acked-by: Maxime Ripard +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-1-c22b2444f5f5@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c +index ea34bc991858..e27a15a6fe79 100644 +--- a/drivers/gpu/drm/drm_file.c ++++ b/drivers/gpu/drm/drm_file.c +@@ -369,7 +369,7 @@ int drm_open(struct inode *inode, struct file *filp) + { + struct drm_device *dev; + struct drm_minor *minor; +- int retcode; ++ int retcode = 0; + int need_setup = 0; + + minor = drm_minor_acquire(iminor(inode)); +-- +2.43.0 + diff --git a/queue-5.4/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch b/queue-5.4/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch new file mode 100644 index 00000000000..5d0287917f0 --- /dev/null +++ b/queue-5.4/drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch @@ -0,0 +1,86 @@ +From 873d013c0ea72d9f68705490037e0804ae68386d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 12:26:52 -0700 +Subject: drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time + +From: Douglas Anderson + +[ Upstream commit 16ac5b21b31b439f03cdf44c153c5f5af94fb3eb ] + +Based on grepping through the source code this driver appears to be +missing a call to drm_atomic_helper_shutdown() at system shutdown time +and at driver unbind time. Among other things, this means that if a +panel is in use that it won't be cleanly powered off at system +shutdown time. + +The fact that we should call drm_atomic_helper_shutdown() in the case +of OS shutdown/restart and at driver remove (or unbind) time comes +straight out of the kernel doc "driver instance overview" in +drm_drv.c. + +A few notes about this fix: +- When adding drm_atomic_helper_shutdown() to the unbind path, I added + it after drm_kms_helper_poll_fini() since that's when other drivers + seemed to have it. +- Technically with a previous patch, ("drm/atomic-helper: + drm_atomic_helper_shutdown(NULL) should be a noop"), we don't + actually need to check to see if our "drm" pointer is NULL before + calling drm_atomic_helper_shutdown(). We'll leave the "if" test in, + though, so that this patch can land without any dependencies. It + could potentially be removed later. +- This patch also makes sure to set the drvdata to NULL in the case of + bind errors to make sure that shutdown can't access freed data. + +Suggested-by: Maxime Ripard +Reviewed-by: Maxime Ripard +Signed-off-by: Douglas Anderson +Tested-by: Marek Szyprowski +Reviewed-by: Marek Szyprowski +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_drv.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.c b/drivers/gpu/drm/exynos/exynos_drm_drv.c +index ba0f868b2477..29577a7eaea8 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_drv.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_drv.c +@@ -346,6 +346,7 @@ static int exynos_drm_bind(struct device *dev) + drm_mode_config_cleanup(drm); + exynos_drm_cleanup_dma(drm); + kfree(private); ++ dev_set_drvdata(dev, NULL); + err_free_drm: + drm_dev_put(drm); + +@@ -360,6 +361,7 @@ static void exynos_drm_unbind(struct device *dev) + + exynos_drm_fbdev_fini(drm); + drm_kms_helper_poll_fini(drm); ++ drm_atomic_helper_shutdown(drm); + + component_unbind_all(drm->dev, drm); + drm_mode_config_cleanup(drm); +@@ -397,9 +399,18 @@ static int exynos_drm_platform_remove(struct platform_device *pdev) + return 0; + } + ++static void exynos_drm_platform_shutdown(struct platform_device *pdev) ++{ ++ struct drm_device *drm = platform_get_drvdata(pdev); ++ ++ if (drm) ++ drm_atomic_helper_shutdown(drm); ++} ++ + static struct platform_driver exynos_drm_platform_driver = { + .probe = exynos_drm_platform_probe, + .remove = exynos_drm_platform_remove, ++ .shutdown = exynos_drm_platform_shutdown, + .driver = { + .name = "exynos-drm", + .pm = &exynos_drm_pm_ops, +-- +2.43.0 + diff --git a/queue-5.4/drm-framebuffer-fix-use-of-uninitialized-variable.patch b/queue-5.4/drm-framebuffer-fix-use-of-uninitialized-variable.patch new file mode 100644 index 00000000000..b51a44ff39e --- /dev/null +++ b/queue-5.4/drm-framebuffer-fix-use-of-uninitialized-variable.patch @@ -0,0 +1,42 @@ +From 9fdab60ad6c11654429d0928e7bd7981b637c3f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 15:14:04 +0200 +Subject: drm/framebuffer: Fix use of uninitialized variable + +From: Tomi Valkeinen + +[ Upstream commit f9af8f0c1dc567a5a6a6318ff324c45d80d4a60f ] + +smatch reports: + +drivers/gpu/drm/drm_framebuffer.c:654 drm_mode_getfb2_ioctl() error: uninitialized symbol 'ret'. + +'ret' is possibly not set when there are no errors, causing the error +above. I can't say if that ever happens in real-life, but in any case I +think it is good to initialize 'ret' to 0. + +Reviewed-by: Laurent Pinchart +Acked-by: Maxime Ripard +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-2-c22b2444f5f5@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_framebuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c +index 57564318ceea..e85fbbbc07f8 100644 +--- a/drivers/gpu/drm/drm_framebuffer.c ++++ b/drivers/gpu/drm/drm_framebuffer.c +@@ -580,7 +580,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev, + struct drm_framebuffer *fb; + unsigned flags; + int num_clips; +- int ret; ++ int ret = 0; + + if (!drm_core_check_feature(dev, DRIVER_MODESET)) + return -EOPNOTSUPP; +-- +2.43.0 + diff --git a/queue-5.4/drm-mipi-dsi-fix-detach-call-without-attach.patch b/queue-5.4/drm-mipi-dsi-fix-detach-call-without-attach.patch new file mode 100644 index 00000000000..4eae3cc77c7 --- /dev/null +++ b/queue-5.4/drm-mipi-dsi-fix-detach-call-without-attach.patch @@ -0,0 +1,138 @@ +From 7a5173caa141b90580ab7ef522c7f9f7864b9e1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 13:50:32 +0300 +Subject: drm/mipi-dsi: Fix detach call without attach + +From: Tomi Valkeinen + +[ Upstream commit 90d50b8d85834e73536fdccd5aa913b30494fef0 ] + +It's been reported that DSI host driver's detach can be called without +the attach ever happening: + +https://lore.kernel.org/all/20230412073954.20601-1-tony@atomide.com/ + +After reading the code, I think this is what happens: + +We have a DSI host defined in the device tree and a DSI peripheral under +that host (i.e. an i2c device using the DSI as data bus doesn't exhibit +this behavior). + +The host driver calls mipi_dsi_host_register(), which causes (via a few +functions) mipi_dsi_device_add() to be called for the DSI peripheral. So +now we have a DSI device under the host, but attach hasn't been called. + +Normally the probing of the devices continues, and eventually the DSI +peripheral's driver will call mipi_dsi_attach(), attaching the +peripheral. + +However, if the host driver's probe encounters an error after calling +mipi_dsi_host_register(), and before the peripheral has called +mipi_dsi_attach(), the host driver will do cleanups and return an error +from its probe function. The cleanups include calling +mipi_dsi_host_unregister(). + +mipi_dsi_host_unregister() will call two functions for all its DSI +peripheral devices: mipi_dsi_detach() and mipi_dsi_device_unregister(). +The latter makes sense, as the device exists, but the former may be +wrong as attach has not necessarily been done. + +To fix this, track the attached state of the peripheral, and only detach +from mipi_dsi_host_unregister() if the peripheral was attached. + +Note that I have only tested this with a board with an i2c DSI +peripheral, not with a "pure" DSI peripheral. + +However, slightly related, the unregister machinery still seems broken. +E.g. if the DSI host driver is unbound, it'll detach and unregister the +DSI peripherals. After that, when the DSI peripheral driver unbound +it'll call detach either directly or using the devm variant, leading to +a crash. And probably the driver will crash if it happens, for some +reason, to try to send a message via the DSI bus. + +But that's another topic. + +Tested-by: H. Nikolaus Schaller +Acked-by: Maxime Ripard +Reviewed-by: Sebastian Reichel +Tested-by: Tony Lindgren +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20230921-dsi-detach-fix-v1-1-d0de2d1621d9@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 17 +++++++++++++++-- + include/drm/drm_mipi_dsi.h | 2 ++ + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index 17a96f1d9234..963918dc8ad8 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -300,7 +300,8 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv) + { + struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev); + +- mipi_dsi_detach(dsi); ++ if (dsi->attached) ++ mipi_dsi_detach(dsi); + mipi_dsi_device_unregister(dsi); + + return 0; +@@ -323,11 +324,18 @@ EXPORT_SYMBOL(mipi_dsi_host_unregister); + int mipi_dsi_attach(struct mipi_dsi_device *dsi) + { + const struct mipi_dsi_host_ops *ops = dsi->host->ops; ++ int ret; + + if (!ops || !ops->attach) + return -ENOSYS; + +- return ops->attach(dsi->host, dsi); ++ ret = ops->attach(dsi->host, dsi); ++ if (ret) ++ return ret; ++ ++ dsi->attached = true; ++ ++ return 0; + } + EXPORT_SYMBOL(mipi_dsi_attach); + +@@ -339,9 +347,14 @@ int mipi_dsi_detach(struct mipi_dsi_device *dsi) + { + const struct mipi_dsi_host_ops *ops = dsi->host->ops; + ++ if (WARN_ON(!dsi->attached)) ++ return -EINVAL; ++ + if (!ops || !ops->detach) + return -ENOSYS; + ++ dsi->attached = false; ++ + return ops->detach(dsi->host, dsi); + } + EXPORT_SYMBOL(mipi_dsi_detach); +diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h +index 3057511c88e6..46a84d6b531d 100644 +--- a/include/drm/drm_mipi_dsi.h ++++ b/include/drm/drm_mipi_dsi.h +@@ -160,6 +160,7 @@ struct mipi_dsi_device_info { + * struct mipi_dsi_device - DSI peripheral device + * @host: DSI host for this peripheral + * @dev: driver model device node for this peripheral ++ * @attached: the DSI device has been successfully attached + * @name: DSI peripheral chip type + * @channel: virtual channel assigned to the peripheral + * @format: pixel format for video mode +@@ -175,6 +176,7 @@ struct mipi_dsi_device_info { + struct mipi_dsi_device { + struct mipi_dsi_host *host; + struct device dev; ++ bool attached; + + char name[DSI_DEV_NAME_SIZE]; + unsigned int channel; +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch b/queue-5.4/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch new file mode 100644 index 00000000000..1007a5adc9d --- /dev/null +++ b/queue-5.4/drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch @@ -0,0 +1,62 @@ +From 17f17140e6c747887b94aa249955332244c90af8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 10:19:55 -0800 +Subject: drm/msm/dpu: Ratelimit framedone timeout msgs + +From: Rob Clark + +[ Upstream commit 2b72e50c62de60ad2d6bcd86aa38d4ccbdd633f2 ] + +When we start getting these, we get a *lot*. So ratelimit it to not +flood dmesg. + +Signed-off-by: Rob Clark +Reviewed-by: Abhinav Kumar +Reviewed-by: Marijn Suijten +Patchwork: https://patchwork.freedesktop.org/patch/571584/ +Link: https://lore.kernel.org/r/20231211182000.218088-1-robdclark@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 5 ++++- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +index 99d449ce4a07..03d671d23bf7 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -44,6 +44,9 @@ + (p) ? ((p)->hw_pp ? (p)->hw_pp->idx - PINGPONG_0 : -1) : -1, \ + ##__VA_ARGS__) + ++#define DPU_ERROR_ENC_RATELIMITED(e, fmt, ...) DPU_ERROR_RATELIMITED("enc%d " fmt,\ ++ (e) ? (e)->base.base.id : -1, ##__VA_ARGS__) ++ + /* + * Two to anticipate panels that can do cmd/vid dynamic switching + * plan is to create all possible physical encoder types, and switch between +@@ -2151,7 +2154,7 @@ static void dpu_encoder_frame_done_timeout(struct timer_list *t) + return; + } + +- DPU_ERROR_ENC(dpu_enc, "frame done timeout\n"); ++ DPU_ERROR_ENC_RATELIMITED(dpu_enc, "frame done timeout\n"); + + event = DPU_ENCODER_FRAME_EVENT_ERROR; + trace_dpu_enc_frame_done_timeout(DRMID(drm_enc), event); +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h +index 4c889aabdaf9..6a4813505c33 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h +@@ -50,6 +50,7 @@ + } while (0) + + #define DPU_ERROR(fmt, ...) pr_err("[dpu error]" fmt, ##__VA_ARGS__) ++#define DPU_ERROR_RATELIMITED(fmt, ...) pr_err_ratelimited("[dpu error]" fmt, ##__VA_ARGS__) + + /** + * ktime_compare_safe - compare two ktime structures +-- +2.43.0 + diff --git a/queue-5.4/ecryptfs-reject-casefold-directory-inodes.patch b/queue-5.4/ecryptfs-reject-casefold-directory-inodes.patch new file mode 100644 index 00000000000..cf500fa51d7 --- /dev/null +++ b/queue-5.4/ecryptfs-reject-casefold-directory-inodes.patch @@ -0,0 +1,46 @@ +From 643379352e4254e55a490bf0d76fc8d1b05f65df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 14:38:12 -0400 +Subject: ecryptfs: Reject casefold directory inodes + +From: Gabriel Krisman Bertazi + +[ Upstream commit cd72c7ef5fed44272272a105b1da22810c91be69 ] + +Even though it seems to be able to resolve some names of +case-insensitive directories, the lack of d_hash and d_compare means we +end up with a broken state in the d_cache. Considering it was never a +goal to support these two together, and we are preparing to use +d_revalidate in case-insensitive filesystems, which would make the +combination even more broken, reject any attempt to get a casefolded +inode from ecryptfs. + +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + fs/ecryptfs/inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c +index e23752d9a79f..c867a0d62f36 100644 +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -76,6 +76,14 @@ static struct inode *__ecryptfs_get_inode(struct inode *lower_inode, + + if (lower_inode->i_sb != ecryptfs_superblock_to_lower(sb)) + return ERR_PTR(-EXDEV); ++ ++ /* Reject dealing with casefold directories. */ ++ if (IS_CASEFOLDED(lower_inode)) { ++ pr_err_ratelimited("%s: Can't handle casefolded directory.\n", ++ __func__); ++ return ERR_PTR(-EREMOTE); ++ } ++ + if (!igrab(lower_inode)) + return ERR_PTR(-ESTALE); + inode = iget5_locked(sb, (unsigned long)lower_inode, +-- +2.43.0 + diff --git a/queue-5.4/ext4-avoid-online-resizing-failures-due-to-oversized.patch b/queue-5.4/ext4-avoid-online-resizing-failures-due-to-oversized.patch new file mode 100644 index 00000000000..10078a3b771 --- /dev/null +++ b/queue-5.4/ext4-avoid-online-resizing-failures-due-to-oversized.patch @@ -0,0 +1,133 @@ +From d0f82559a7203c08c7659a72f7828c1a1a09dee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 09:30:56 +0800 +Subject: ext4: avoid online resizing failures due to oversized flex bg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baokun Li + +[ Upstream commit 5d1935ac02ca5aee364a449a35e2977ea84509b0 ] + +When we online resize an ext4 filesystem with a oversized flexbg_size, + + mkfs.ext4 -F -G 67108864 $dev -b 4096 100M + mount $dev $dir + resize2fs $dev 16G + +the following WARN_ON is triggered: +================================================================== +WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550 +Modules linked in: sg(E) +CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314 +RIP: 0010:__alloc_pages+0x411/0x550 +Call Trace: + + __kmalloc_large_node+0xa2/0x200 + __kmalloc+0x16e/0x290 + ext4_resize_fs+0x481/0xd80 + __ext4_ioctl+0x1616/0x1d90 + ext4_ioctl+0x12/0x20 + __x64_sys_ioctl+0xf0/0x150 + do_syscall_64+0x3b/0x90 +================================================================== + +This is because flexbg_size is too large and the size of the new_group_data +array to be allocated exceeds MAX_ORDER. Currently, the minimum value of +MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding +maximum number of groups that can be allocated is: + + (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845 + +And the value that is down-aligned to the power of 2 is 16384. Therefore, +this value is defined as MAX_RESIZE_BG, and the number of groups added +each time does not exceed this value during resizing, and is added multiple +times to complete the online resizing. The difference is that the metadata +in a flex_bg may be more dispersed. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231023013057.2117948-4-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 682596f3205f..409b4ad28e71 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -227,10 +227,17 @@ struct ext4_new_flex_group_data { + in the flex group */ + __u16 *bg_flags; /* block group flags of groups + in @groups */ ++ ext4_group_t resize_bg; /* number of allocated ++ new_group_data */ + ext4_group_t count; /* number of groups in @groups + */ + }; + ++/* ++ * Avoiding memory allocation failures due to too many groups added each time. ++ */ ++#define MAX_RESIZE_BG 16384 ++ + /* + * alloc_flex_gd() allocates a ext4_new_flex_group_data with size of + * @flexbg_size. +@@ -245,14 +252,18 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size) + if (flex_gd == NULL) + goto out3; + +- flex_gd->count = flexbg_size; +- flex_gd->groups = kmalloc_array(flexbg_size, ++ if (unlikely(flexbg_size > MAX_RESIZE_BG)) ++ flex_gd->resize_bg = MAX_RESIZE_BG; ++ else ++ flex_gd->resize_bg = flexbg_size; ++ ++ flex_gd->groups = kmalloc_array(flex_gd->resize_bg, + sizeof(struct ext4_new_group_data), + GFP_NOFS); + if (flex_gd->groups == NULL) + goto out2; + +- flex_gd->bg_flags = kmalloc_array(flexbg_size, sizeof(__u16), ++ flex_gd->bg_flags = kmalloc_array(flex_gd->resize_bg, sizeof(__u16), + GFP_NOFS); + if (flex_gd->bg_flags == NULL) + goto out1; +@@ -1581,8 +1592,7 @@ static int ext4_flex_group_add(struct super_block *sb, + + static int ext4_setup_next_flex_gd(struct super_block *sb, + struct ext4_new_flex_group_data *flex_gd, +- ext4_fsblk_t n_blocks_count, +- unsigned int flexbg_size) ++ ext4_fsblk_t n_blocks_count) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; +@@ -1606,7 +1616,7 @@ static int ext4_setup_next_flex_gd(struct super_block *sb, + BUG_ON(last); + ext4_get_group_no_and_offset(sb, n_blocks_count - 1, &n_group, &last); + +- last_group = group | (flexbg_size - 1); ++ last_group = group | (flex_gd->resize_bg - 1); + if (last_group > n_group) + last_group = n_group; + +@@ -2103,8 +2113,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + /* Add flex groups. Note that a regular group is a + * flex group with 1 group. + */ +- while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count, +- flexbg_size)) { ++ while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count)) { + if (jiffies - last_update_time > HZ * 10) { + if (last_update_time) + ext4_msg(sb, KERN_INFO, +-- +2.43.0 + diff --git a/queue-5.4/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch b/queue-5.4/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch new file mode 100644 index 00000000000..7082d763b1d --- /dev/null +++ b/queue-5.4/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch @@ -0,0 +1,66 @@ +From 8e7833e394e0560ab9b6b75a0cd755cd30252939 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 09:09:19 +0800 +Subject: ext4: fix inconsistent between segment fstrim and full fstrim + +From: Ye Bin + +[ Upstream commit 68da4c44b994aea797eb9821acb3a4a36015293e ] + +Suppose we issue two FITRIM ioctls for ranges [0,15] and [16,31] with +mininum length of trimmed range set to 8 blocks. If we have say a range of +blocks 10-22 free, this range will not be trimmed because it straddles the +boundary of the two FITRIM ranges and neither part is big enough. This is a +bit surprising to some users that call FITRIM on smaller ranges of blocks +to limit impact on the system. Also XFS trims all free space extents that +overlap with the specified range so we are inconsistent among filesystems. +Let's change ext4_try_to_trim_range() to consider for trimming the whole +free space extent that straddles the end of specified range, not just the +part of it within the range. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231216010919.1995851-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 00b2459819b3..0745330228cf 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5216,13 +5216,15 @@ static int ext4_try_to_trim_range(struct super_block *sb, + struct ext4_buddy *e4b, ext4_grpblk_t start, + ext4_grpblk_t max, ext4_grpblk_t minblocks) + { +- ext4_grpblk_t next, count, free_count; ++ ext4_grpblk_t next, count, free_count, last, origin_start; + bool set_trimmed = false; + void *bitmap; + ++ last = ext4_last_grp_cluster(sb, e4b->bd_group); + bitmap = e4b->bd_bitmap; +- if (start == 0 && max >= ext4_last_grp_cluster(sb, e4b->bd_group)) ++ if (start == 0 && max >= last) + set_trimmed = true; ++ origin_start = start; + start = max(e4b->bd_info->bb_first_free, start); + count = 0; + free_count = 0; +@@ -5231,7 +5233,10 @@ static int ext4_try_to_trim_range(struct super_block *sb, + start = mb_find_next_zero_bit(bitmap, max + 1, start); + if (start > max) + break; +- next = mb_find_next_bit(bitmap, max + 1, start); ++ ++ next = mb_find_next_bit(bitmap, last + 1, start); ++ if (origin_start == 0 && next >= last) ++ set_trimmed = true; + + if ((next - start) >= minblocks) { + int ret = ext4_trim_extent(sb, start, next - start, e4b); +-- +2.43.0 + diff --git a/queue-5.4/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch b/queue-5.4/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch new file mode 100644 index 00000000000..bbb5e0c3fcc --- /dev/null +++ b/queue-5.4/ext4-remove-unnecessary-check-from-alloc_flex_gd.patch @@ -0,0 +1,44 @@ +From f88afc80fda6aa364f17470b7c1cdb7534efbdf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 09:30:55 +0800 +Subject: ext4: remove unnecessary check from alloc_flex_gd() + +From: Baokun Li + +[ Upstream commit b099eb87de105cf07cad731ded6fb40b2675108b ] + +In commit 967ac8af4475 ("ext4: fix potential integer overflow in +alloc_flex_gd()"), an overflow check is added to alloc_flex_gd() to +prevent the allocated memory from being smaller than expected due to +the overflow. However, after kmalloc() is replaced with kmalloc_array() +in commit 6da2ec56059c ("treewide: kmalloc() -> kmalloc_array()"), the +kmalloc_array() function has an overflow check, so the above problem +will not occur. Therefore, the extra check is removed. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231023013057.2117948-3-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index ae768fdbafa8..682596f3205f 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -245,10 +245,7 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size) + if (flex_gd == NULL) + goto out3; + +- if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data)) +- goto out2; + flex_gd->count = flexbg_size; +- + flex_gd->groups = kmalloc_array(flexbg_size, + sizeof(struct ext4_new_group_data), + GFP_NOFS); +-- +2.43.0 + diff --git a/queue-5.4/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch b/queue-5.4/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch new file mode 100644 index 00000000000..5d864e83786 --- /dev/null +++ b/queue-5.4/ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch @@ -0,0 +1,89 @@ +From 03fbdad34fe1eee41573af2150a5660e5a75a0e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 09:30:54 +0800 +Subject: ext4: unify the type of flexbg_size to unsigned int + +From: Baokun Li + +[ Upstream commit 658a52344fb139f9531e7543a6e0015b630feb38 ] + +The maximum value of flexbg_size is 2^31, but the maximum value of int +is (2^31 - 1), so overflow may occur when the type of flexbg_size is +declared as int. + +For example, when uninit_mask is initialized in ext4_alloc_group_tables(), +if flexbg_size == 2^31, the initialized uninit_mask is incorrect, and this +may causes set_flexbg_block_bitmap() to trigger a BUG_ON(). + +Therefore, the flexbg_size type is declared as unsigned int to avoid +overflow and memory waste. + +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231023013057.2117948-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 3616c437bea6..ae768fdbafa8 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -237,7 +237,7 @@ struct ext4_new_flex_group_data { + * + * Returns NULL on failure otherwise address of the allocated structure. + */ +-static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size) ++static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size) + { + struct ext4_new_flex_group_data *flex_gd; + +@@ -292,7 +292,7 @@ static void free_flex_gd(struct ext4_new_flex_group_data *flex_gd) + */ + static int ext4_alloc_group_tables(struct super_block *sb, + struct ext4_new_flex_group_data *flex_gd, +- int flexbg_size) ++ unsigned int flexbg_size) + { + struct ext4_new_group_data *group_data = flex_gd->groups; + ext4_fsblk_t start_blk; +@@ -393,12 +393,12 @@ static int ext4_alloc_group_tables(struct super_block *sb, + group = group_data[0].group; + + printk(KERN_DEBUG "EXT4-fs: adding a flex group with " +- "%d groups, flexbg size is %d:\n", flex_gd->count, ++ "%u groups, flexbg size is %u:\n", flex_gd->count, + flexbg_size); + + for (i = 0; i < flex_gd->count; i++) { + ext4_debug( +- "adding %s group %u: %u blocks (%d free, %d mdata blocks)\n", ++ "adding %s group %u: %u blocks (%u free, %u mdata blocks)\n", + ext4_bg_has_super(sb, group + i) ? "normal" : + "no-super", group + i, + group_data[i].blocks_count, +@@ -1585,7 +1585,7 @@ static int ext4_flex_group_add(struct super_block *sb, + static int ext4_setup_next_flex_gd(struct super_block *sb, + struct ext4_new_flex_group_data *flex_gd, + ext4_fsblk_t n_blocks_count, +- unsigned long flexbg_size) ++ unsigned int flexbg_size) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; +@@ -1963,8 +1963,9 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + ext4_fsblk_t o_blocks_count; + ext4_fsblk_t n_blocks_count_retry = 0; + unsigned long last_update_time = 0; +- int err = 0, flexbg_size = 1 << sbi->s_log_groups_per_flex; ++ int err = 0; + int meta_bg; ++ unsigned int flexbg_size = ext4_flex_bg_size(sbi); + + /* See if the device is actually as big as what was requested */ + bh = sb_bread(sb, n_blocks_count - 1); +-- +2.43.0 + diff --git a/queue-5.4/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch b/queue-5.4/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch new file mode 100644 index 00000000000..2b108c66668 --- /dev/null +++ b/queue-5.4/f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch @@ -0,0 +1,69 @@ +From 58a8d0c4744ad46cd5997fbd7ebe2618b45776af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Nov 2023 14:25:56 +0800 +Subject: f2fs: fix to check return value of f2fs_reserve_new_block() + +From: Chao Yu + +[ Upstream commit 956fa1ddc132e028f3b7d4cf17e6bfc8cb36c7fd ] + +Let's check return value of f2fs_reserve_new_block() in do_recover_data() +rather than letting it fails silently. + +Also refactoring check condition on return value of f2fs_reserve_new_block() +as below: +- trigger f2fs_bug_on() only for ENOSPC case; +- use do-while statement to avoid redundant codes; + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/recovery.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index da123c6d3ce0..7e30326b296c 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -611,7 +611,16 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, + */ + if (dest == NEW_ADDR) { + f2fs_truncate_data_blocks_range(&dn, 1); +- f2fs_reserve_new_block(&dn); ++ do { ++ err = f2fs_reserve_new_block(&dn); ++ if (err == -ENOSPC) { ++ f2fs_bug_on(sbi, 1); ++ break; ++ } ++ } while (err && ++ IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)); ++ if (err) ++ goto err; + continue; + } + +@@ -619,12 +628,14 @@ static int do_recover_data(struct f2fs_sb_info *sbi, struct inode *inode, + if (f2fs_is_valid_blkaddr(sbi, dest, META_POR)) { + + if (src == NULL_ADDR) { +- err = f2fs_reserve_new_block(&dn); +- while (err && +- IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)) ++ do { + err = f2fs_reserve_new_block(&dn); +- /* We should not get -ENOSPC */ +- f2fs_bug_on(sbi, err); ++ if (err == -ENOSPC) { ++ f2fs_bug_on(sbi, 1); ++ break; ++ } ++ } while (err && ++ IS_ENABLED(CONFIG_F2FS_FAULT_INJECTION)); + if (err) + goto err; + } +-- +2.43.0 + diff --git a/queue-5.4/fast_dput-handle-underflows-gracefully.patch b/queue-5.4/fast_dput-handle-underflows-gracefully.patch new file mode 100644 index 00000000000..e7dc6dd3b62 --- /dev/null +++ b/queue-5.4/fast_dput-handle-underflows-gracefully.patch @@ -0,0 +1,78 @@ +From d976a01bbc4ff41b1ef80e5ba863b33a97e3da12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 01:08:54 -0400 +Subject: fast_dput(): handle underflows gracefully + +From: Al Viro + +[ Upstream commit 504e08cebe1d4e1efe25f915234f646e74a364a8 ] + +If refcount is less than 1, we should just warn, unlock dentry and +return true, so that the caller doesn't try to do anything else. + +Taking care of that leaves the rest of "lockref_put_return() has +failed" case equivalent to "decrement refcount and rejoin the +normal slow path after the point where we grab ->d_lock". + +NOTE: lockref_put_return() is strictly a fastpath thing - unlike +the rest of lockref primitives, it does not contain a fallback. +Caller (and it looks like fast_dput() is the only legitimate one +in the entire kernel) has to do that itself. Reasons for +lockref_put_return() failures: + * ->d_lock held by somebody + * refcount <= 0 + * ... or an architecture not supporting lockref use of +cmpxchg - sparc, anything non-SMP, config with spinlock debugging... + +We could add a fallback, but it would be a clumsy API - we'd have +to distinguish between: + (1) refcount > 1 - decremented, lock not held on return + (2) refcount < 1 - left alone, probably no sense to hold the lock + (3) refcount is 1, no cmphxcg - decremented, lock held on return + (4) refcount is 1, cmphxcg supported - decremented, lock *NOT* held + on return. +We want to return with no lock held in case (4); that's the whole point of that +thing. We very much do not want to have the fallback in case (3) return without +a lock, since the caller might have to retake it in that case. +So it wouldn't be more convenient than doing the fallback in the caller and +it would be very easy to screw up, especially since the test coverage would +suck - no way to test (3) and (4) on the same kernel build. + +Reviewed-by: Christian Brauner +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/dcache.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/dcache.c b/fs/dcache.c +index b2a7f1765f0b..43864a276faa 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -740,12 +740,12 @@ static inline bool fast_dput(struct dentry *dentry) + */ + if (unlikely(ret < 0)) { + spin_lock(&dentry->d_lock); +- if (dentry->d_lockref.count > 1) { +- dentry->d_lockref.count--; ++ if (WARN_ON_ONCE(dentry->d_lockref.count <= 0)) { + spin_unlock(&dentry->d_lock); + return true; + } +- return false; ++ dentry->d_lockref.count--; ++ goto locked; + } + + /* +@@ -796,6 +796,7 @@ static inline bool fast_dput(struct dentry *dentry) + * else could have killed it and marked it dead. Either way, we + * don't need to do anything else. + */ ++locked: + if (dentry->d_lockref.count) { + spin_unlock(&dentry->d_lock); + return true; +-- +2.43.0 + diff --git a/queue-5.4/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch b/queue-5.4/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch new file mode 100644 index 00000000000..a285820a5da --- /dev/null +++ b/queue-5.4/fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch @@ -0,0 +1,99 @@ +From e4b5e70b35ba03e77fdc9053964649d03ebba701 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Oct 2023 23:46:37 +0500 +Subject: FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree + +From: Osama Muhammad + +[ Upstream commit 9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68 ] + +Syzkaller reported the following issue: + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6 +index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]') +CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 + dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 + dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 + dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] + dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 + txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 + txUpdateMap+0x342/0x9e0 + txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] + jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 + kthread+0x2d3/0x370 kernel/kthread.c:388 + ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +================================================================================ +Kernel panic - not syncing: UBSAN: panic_on_warn set ... +CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + panic+0x30f/0x770 kernel/panic.c:340 + check_panic_on_warn+0x82/0xa0 kernel/panic.c:236 + ubsan_epilogue lib/ubsan.c:223 [inline] + __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348 + dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 + dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 + dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 + dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] + dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 + txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 + txUpdateMap+0x342/0x9e0 + txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] + jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 + kthread+0x2d3/0x370 kernel/kthread.c:388 + ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 + +Kernel Offset: disabled +Rebooting in 86400 seconds.. + +The issue is caused when the value of lp becomes greater than +CTLTREESIZE which is the max size of stree. Adding a simple check +solves this issue. + +Dave: +As the function returns a void, good error handling +would require a more intrusive code reorganization, so I modified +Osama's patch at use WARN_ON_ONCE for lack of a cleaner option. + +The patch is tested via syzbot. + +Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb +Signed-off-by: Osama Muhammad +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index ea330ce921b1..e8c1f3738c39 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2935,6 +2935,9 @@ static void dbAdjTree(dmtree_t * tp, int leafno, int newval) + /* is the current value the same as the old value ? if so, + * there is nothing to do. + */ ++ if (WARN_ON_ONCE(lp >= CTLTREESIZE)) ++ return; ++ + if (tp->dmt_stree[lp] == newval) + return; + +-- +2.43.0 + diff --git a/queue-5.4/fs-kernfs-dir-obey-s_isgid.patch b/queue-5.4/fs-kernfs-dir-obey-s_isgid.patch new file mode 100644 index 00000000000..352a7d53e6a --- /dev/null +++ b/queue-5.4/fs-kernfs-dir-obey-s_isgid.patch @@ -0,0 +1,58 @@ +From 830b7886415bafcf475aadc295b64eb928f189d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Dec 2023 10:33:10 +0100 +Subject: fs/kernfs/dir: obey S_ISGID + +From: Max Kellermann + +[ Upstream commit 5133bee62f0ea5d4c316d503cc0040cac5637601 ] + +Handling of S_ISGID is usually done by inode_init_owner() in all other +filesystems, but kernfs doesn't use that function. In kernfs, struct +kernfs_node is the primary data structure, and struct inode is only +created from it on demand. Therefore, inode_init_owner() can't be +used and we need to imitate its behavior. + +S_ISGID support is useful for the cgroup filesystem; it allows +subtrees managed by an unprivileged process to retain a certain owner +gid, which then enables sharing access to the subtree with another +unprivileged process. + +-- +v1 -> v2: minor coding style fix (comment) + +Signed-off-by: Max Kellermann +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20231208093310.297233-2-max.kellermann@ionos.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/kernfs/dir.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c +index d2068566c0b8..d3a602ea795b 100644 +--- a/fs/kernfs/dir.c ++++ b/fs/kernfs/dir.c +@@ -702,6 +702,18 @@ struct kernfs_node *kernfs_new_node(struct kernfs_node *parent, + { + struct kernfs_node *kn; + ++ if (parent->mode & S_ISGID) { ++ /* this code block imitates inode_init_owner() for ++ * kernfs ++ */ ++ ++ if (parent->iattr) ++ gid = parent->iattr->ia_gid; ++ ++ if (flags & KERNFS_DIR) ++ mode |= S_ISGID; ++ } ++ + kn = __kernfs_new_node(kernfs_root(parent), parent, + name, mode, uid, gid, flags); + if (kn) { +-- +2.43.0 + diff --git a/queue-5.4/hexagon-make-pfn-accessors-statics-inlines.patch b/queue-5.4/hexagon-make-pfn-accessors-statics-inlines.patch new file mode 100644 index 00000000000..c14c2e81964 --- /dev/null +++ b/queue-5.4/hexagon-make-pfn-accessors-statics-inlines.patch @@ -0,0 +1,68 @@ +From c1a197811f9c734797534e605c0f4d3dd577b50a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Nov 2023 14:28:15 +0100 +Subject: Hexagon: Make pfn accessors statics inlines + +From: Linus Walleij + +[ Upstream commit d6e81532b10d8deb2bc30f7b44f09534876893e3 ] + +Making virt_to_pfn() a static inline taking a strongly typed +(const void *) makes the contract of a passing a pointer of that +type to the function explicit and exposes any misuse of the +macro virt_to_pfn() acting polymorphic and accepting many types +such as (void *), (unitptr_t) or (unsigned long) as arguments +without warnings. + +For symmetry do the same with pfn_to_virt(). + +For compiletime resolution of __pa() we need PAGE_OFFSET which +was not available to __pa() and resolved by the preprocessor +wherever __pa() was used. Fix this by explicitly including + where required, following the pattern of the +architectures page.h file. + +Acked-by: Brian Cain +Signed-off-by: Linus Walleij +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/hexagon/include/asm/page.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/arch/hexagon/include/asm/page.h b/arch/hexagon/include/asm/page.h +index ee31f36f48f3..62976e38a963 100644 +--- a/arch/hexagon/include/asm/page.h ++++ b/arch/hexagon/include/asm/page.h +@@ -78,6 +78,9 @@ typedef struct page *pgtable_t; + #define __pgd(x) ((pgd_t) { (x) }) + #define __pgprot(x) ((pgprot_t) { (x) }) + ++/* Needed for PAGE_OFFSET used in the macro right below */ ++#include ++ + /* + * We need a __pa and a __va routine for kernel space. + * MIPS says they're only used during mem_init. +@@ -127,8 +130,16 @@ static inline void clear_page(void *page) + */ + #define page_to_phys(page) (page_to_pfn(page) << PAGE_SHIFT) + +-#define virt_to_pfn(kaddr) (__pa(kaddr) >> PAGE_SHIFT) +-#define pfn_to_virt(pfn) __va((pfn) << PAGE_SHIFT) ++static inline unsigned long virt_to_pfn(const void *kaddr) ++{ ++ return __pa(kaddr) >> PAGE_SHIFT; ++} ++ ++static inline void *pfn_to_virt(unsigned long pfn) ++{ ++ return (void *)((unsigned long)__va(pfn) << PAGE_SHIFT); ++} ++ + + #define page_to_virt(page) __va(page_to_phys(page)) + +-- +2.43.0 + diff --git a/queue-5.4/hwmon-pc87360-bounds-check-data-innr-usage.patch b/queue-5.4/hwmon-pc87360-bounds-check-data-innr-usage.patch new file mode 100644 index 00000000000..445258b6cdd --- /dev/null +++ b/queue-5.4/hwmon-pc87360-bounds-check-data-innr-usage.patch @@ -0,0 +1,60 @@ +From fdbba7c9106a4bbd4764380244b63b58ad4ffd4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 12:02:07 -0800 +Subject: hwmon: (pc87360) Bounds check data->innr usage + +From: Kees Cook + +[ Upstream commit 4265eb062a7303e537ab3792ade31f424c3c5189 ] + +Without visibility into the initializers for data->innr, GCC suspects +using it as an index could walk off the end of the various 14-element +arrays in data. Perform an explicit clamp to the array size. Silences +the following warning with GCC 12+: + +../drivers/hwmon/pc87360.c: In function 'pc87360_update_device': +../drivers/hwmon/pc87360.c:341:49: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] + 341 | data->in_max[i] = pc87360_read_value(data, + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ + 342 | LD_IN, i, + | ~~~~~~~~~ + 343 | PC87365_REG_IN_MAX); + | ~~~~~~~~~~~~~~~~~~~ +../drivers/hwmon/pc87360.c:209:12: note: at offset 255 into destination object 'in_max' of size 14 + 209 | u8 in_max[14]; /* Register value */ + | ^~~~~~ + +Cc: Jim Cromie +Cc: Jean Delvare +Cc: Guenter Roeck +Cc: linux-hwmon@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20231130200207.work.679-kees@kernel.org +[groeck: Added comment into code clarifying context] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pc87360.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pc87360.c b/drivers/hwmon/pc87360.c +index 94f4b8b4a2ba..0cf603c8c9f9 100644 +--- a/drivers/hwmon/pc87360.c ++++ b/drivers/hwmon/pc87360.c +@@ -1605,7 +1605,11 @@ static struct pc87360_data *pc87360_update_device(struct device *dev) + } + + /* Voltages */ +- for (i = 0; i < data->innr; i++) { ++ /* ++ * The min() below does not have any practical meaning and is ++ * only needed to silence a warning observed with gcc 12+. ++ */ ++ for (i = 0; i < min(data->innr, ARRAY_SIZE(data->in)); i++) { + data->in_status[i] = pc87360_read_value(data, LD_IN, i, + PC87365_REG_IN_STATUS); + /* Clear bits */ +-- +2.43.0 + diff --git a/queue-5.4/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch b/queue-5.4/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch new file mode 100644 index 00000000000..b8c10a7a19d --- /dev/null +++ b/queue-5.4/i3c-master-cdns-update-maximum-prescaler-value-for-i.patch @@ -0,0 +1,59 @@ +From 764a4dd0a3e66db7d229ae5fc63c9a04cdb9346d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Dec 2023 14:41:23 +0530 +Subject: i3c: master: cdns: Update maximum prescaler value for i2c clock + +From: Harshit Shah + +[ Upstream commit 374c13f9080a1b9835a5ed3e7bea93cf8e2dc262 ] + +As per the Cadence IP document fixed the I2C clock divider value limit from +16 bits instead of 10 bits. Without this change setting up the I2C clock to +low frequencies will not work as the prescaler value might be greater than +10 bit number. + +I3C clock divider value is 10 bits only. Updating the macro names for both. + +Signed-off-by: Harshit Shah +Link: https://lore.kernel.org/r/1703927483-28682-1-git-send-email-harshitshah.opendev@gmail.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/i3c-master-cdns.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c +index cc0944e2d330..6e0621e730fa 100644 +--- a/drivers/i3c/master/i3c-master-cdns.c ++++ b/drivers/i3c/master/i3c-master-cdns.c +@@ -74,7 +74,8 @@ + #define PRESCL_CTRL0 0x14 + #define PRESCL_CTRL0_I2C(x) ((x) << 16) + #define PRESCL_CTRL0_I3C(x) (x) +-#define PRESCL_CTRL0_MAX GENMASK(9, 0) ++#define PRESCL_CTRL0_I3C_MAX GENMASK(9, 0) ++#define PRESCL_CTRL0_I2C_MAX GENMASK(15, 0) + + #define PRESCL_CTRL1 0x18 + #define PRESCL_CTRL1_PP_LOW_MASK GENMASK(15, 8) +@@ -1212,7 +1213,7 @@ static int cdns_i3c_master_bus_init(struct i3c_master_controller *m) + return -EINVAL; + + pres = DIV_ROUND_UP(sysclk_rate, (bus->scl_rate.i3c * 4)) - 1; +- if (pres > PRESCL_CTRL0_MAX) ++ if (pres > PRESCL_CTRL0_I3C_MAX) + return -ERANGE; + + bus->scl_rate.i3c = sysclk_rate / ((pres + 1) * 4); +@@ -1225,7 +1226,7 @@ static int cdns_i3c_master_bus_init(struct i3c_master_controller *m) + max_i2cfreq = bus->scl_rate.i2c; + + pres = (sysclk_rate / (max_i2cfreq * 5)) - 1; +- if (pres > PRESCL_CTRL0_MAX) ++ if (pres > PRESCL_CTRL0_I2C_MAX) + return -ERANGE; + + bus->scl_rate.i2c = sysclk_rate / ((pres + 1) * 5); +-- +2.43.0 + diff --git a/queue-5.4/ib-ipoib-fix-mcast-list-locking.patch b/queue-5.4/ib-ipoib-fix-mcast-list-locking.patch new file mode 100644 index 00000000000..2e73b9a3c20 --- /dev/null +++ b/queue-5.4/ib-ipoib-fix-mcast-list-locking.patch @@ -0,0 +1,94 @@ +From 15413d0c8a77481582f8968b8c0e08c72b23e20a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 09:07:45 +0100 +Subject: IB/ipoib: Fix mcast list locking + +From: Daniel Vacek + +[ Upstream commit 4f973e211b3b1c6d36f7c6a19239d258856749f9 ] + +Releasing the `priv->lock` while iterating the `priv->multicast_list` in +`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to +remove the items while in the middle of iteration. If the mcast is removed +while the lock was dropped, the for loop spins forever resulting in a hard +lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel): + + Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below) + -----------------------------------+----------------------------------- + ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work) + spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...) + list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev) + &priv->multicast_list, list) | + ipoib_mcast_join(dev, mcast) | + spin_unlock_irq(&priv->lock) | + | spin_lock_irqsave(&priv->lock, flags) + | list_for_each_entry_safe(mcast, tmcast, + | &priv->multicast_list, list) + | list_del(&mcast->list); + | list_add_tail(&mcast->list, &remove_list) + | spin_unlock_irqrestore(&priv->lock, flags) + spin_lock_irq(&priv->lock) | + | ipoib_mcast_remove_list(&remove_list) + (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast, + `priv->multicast_list` and we keep | remove_list, list) + spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done) + the other thread which is blocked | + and the list is still valid on | + it's stack.) + +Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent +eventual sleeps. +Unfortunately we could not reproduce the lockup and confirm this fix but +based on the code review I think this fix should address such lockups. + +crash> bc 31 +PID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: "kworker/u72:2" +-- + [exception RIP: ipoib_mcast_join_task+0x1b1] + RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002 + RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000 + work (&priv->mcast_task{,.work}) + RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000 + &mcast->list + RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000 + R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00 + mcast + R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8 + dev priv (&priv->lock) &priv->multicast_list (aka head) + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +index 805df1fcba84..de82fb0cb1d5 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -543,21 +543,17 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast) + /* SM supports sendonly-fullmember, otherwise fallback to full-member */ + rec.join_state = SENDONLY_FULLMEMBER_JOIN; + } +- spin_unlock_irq(&priv->lock); + + multicast = ib_sa_join_multicast(&ipoib_sa_client, priv->ca, priv->port, +- &rec, comp_mask, GFP_KERNEL, ++ &rec, comp_mask, GFP_ATOMIC, + ipoib_mcast_join_complete, mcast); +- spin_lock_irq(&priv->lock); + if (IS_ERR(multicast)) { + ret = PTR_ERR(multicast); + ipoib_warn(priv, "ib_sa_join_multicast failed, status %d\n", ret); + /* Requeue this join task with a backoff delay */ + __ipoib_mcast_schedule_join_thread(priv, mcast, 1); + clear_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); +- spin_unlock_irq(&priv->lock); + complete(&mcast->done); +- spin_lock_irq(&priv->lock); + return ret; + } + return 0; +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch new file mode 100644 index 00000000000..f4548a3c031 --- /dev/null +++ b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch @@ -0,0 +1,237 @@ +From e268c32554471f7d2b61931367f424f6c2a6be93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Oct 2023 17:33:56 +0530 +Subject: jfs: fix array-index-out-of-bounds in dbAdjTree + +From: Manas Ghandat + +[ Upstream commit 74ecdda68242b174920fe7c6133a856fb7d8559b ] + +Currently there is a bound check missing in the dbAdjTree while +accessing the dmt_stree. To add the required check added the bool is_ctl +which is required to determine the size as suggest in the following +commit. +https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/ + +Reported-by: syzbot+39ba34a099ac2e9bd3cb@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=39ba34a099ac2e9bd3cb +Signed-off-by: Manas Ghandat +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 60 ++++++++++++++++++++++++----------------------- + 1 file changed, 31 insertions(+), 29 deletions(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index e8c1f3738c39..deb54efb5601 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -63,10 +63,10 @@ + */ + static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + int nblocks); +-static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval); +-static int dbBackSplit(dmtree_t * tp, int leafno); +-static int dbJoin(dmtree_t * tp, int leafno, int newval); +-static void dbAdjTree(dmtree_t * tp, int leafno, int newval); ++static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl); ++static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl); ++static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl); ++static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl); + static int dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, + int level); + static int dbAllocAny(struct bmap * bmp, s64 nblocks, int l2nb, s64 * results); +@@ -2171,7 +2171,7 @@ static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno, + * system. + */ + if (dp->tree.stree[word] == NOFREE) +- dbBackSplit((dmtree_t *) & dp->tree, word); ++ dbBackSplit((dmtree_t *)&dp->tree, word, false); + + dbAllocBits(bmp, dp, blkno, nblocks); + } +@@ -2257,7 +2257,7 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + * the binary system of the leaves if need be. + */ + dbSplit(tp, word, BUDMIN, +- dbMaxBud((u8 *) & dp->wmap[word])); ++ dbMaxBud((u8 *)&dp->wmap[word]), false); + + word += 1; + } else { +@@ -2297,7 +2297,7 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + * system of the leaves to reflect the current + * allocation (size). + */ +- dbSplit(tp, word, size, NOFREE); ++ dbSplit(tp, word, size, NOFREE, false); + + /* get the number of dmap words handled */ + nw = BUDSIZE(size, BUDMIN); +@@ -2404,7 +2404,7 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + /* update the leaf for this dmap word. + */ + rc = dbJoin(tp, word, +- dbMaxBud((u8 *) & dp->wmap[word])); ++ dbMaxBud((u8 *)&dp->wmap[word]), false); + if (rc) + return rc; + +@@ -2437,7 +2437,7 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno, + + /* update the leaf. + */ +- rc = dbJoin(tp, word, size); ++ rc = dbJoin(tp, word, size, false); + if (rc) + return rc; + +@@ -2589,14 +2589,14 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + * that it is at the front of a binary buddy system. + */ + if (oldval == NOFREE) { +- rc = dbBackSplit((dmtree_t *) dcp, leafno); ++ rc = dbBackSplit((dmtree_t *)dcp, leafno, true); + if (rc) + return rc; + oldval = dcp->stree[ti]; + } +- dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval); ++ dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval, true); + } else { +- rc = dbJoin((dmtree_t *) dcp, leafno, newval); ++ rc = dbJoin((dmtree_t *) dcp, leafno, newval, true); + if (rc) + return rc; + } +@@ -2625,7 +2625,7 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + */ + if (alloc) { + dbJoin((dmtree_t *) dcp, leafno, +- oldval); ++ oldval, true); + } else { + /* the dbJoin() above might have + * caused a larger binary buddy system +@@ -2635,9 +2635,9 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + */ + if (dcp->stree[ti] == NOFREE) + dbBackSplit((dmtree_t *) +- dcp, leafno); ++ dcp, leafno, true); + dbSplit((dmtree_t *) dcp, leafno, +- dcp->budmin, oldval); ++ dcp->budmin, oldval, true); + } + + /* release the buffer and return the error. +@@ -2685,7 +2685,7 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) + * + * serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit; + */ +-static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) ++static void dbSplit(dmtree_t *tp, int leafno, int splitsz, int newval, bool is_ctl) + { + int budsz; + int cursz; +@@ -2707,7 +2707,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) + while (cursz >= splitsz) { + /* update the buddy's leaf with its new value. + */ +- dbAdjTree(tp, leafno ^ budsz, cursz); ++ dbAdjTree(tp, leafno ^ budsz, cursz, is_ctl); + + /* on to the next size and buddy. + */ +@@ -2719,7 +2719,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) + /* adjust the dmap tree to reflect the specified leaf's new + * value. + */ +- dbAdjTree(tp, leafno, newval); ++ dbAdjTree(tp, leafno, newval, is_ctl); + } + + +@@ -2750,7 +2750,7 @@ static void dbSplit(dmtree_t * tp, int leafno, int splitsz, int newval) + * + * serialization: IREAD_LOCK(ipbmap) or IWRITE_LOCK(ipbmap) held on entry/exit; + */ +-static int dbBackSplit(dmtree_t * tp, int leafno) ++static int dbBackSplit(dmtree_t *tp, int leafno, bool is_ctl) + { + int budsz, bud, w, bsz, size; + int cursz; +@@ -2801,7 +2801,7 @@ static int dbBackSplit(dmtree_t * tp, int leafno) + * system in two. + */ + cursz = leaf[bud] - 1; +- dbSplit(tp, bud, cursz, cursz); ++ dbSplit(tp, bud, cursz, cursz, is_ctl); + break; + } + } +@@ -2829,7 +2829,7 @@ static int dbBackSplit(dmtree_t * tp, int leafno) + * + * RETURN VALUES: none + */ +-static int dbJoin(dmtree_t * tp, int leafno, int newval) ++static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl) + { + int budsz, buddy; + s8 *leaf; +@@ -2884,12 +2884,12 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval) + if (leafno < buddy) { + /* leafno is the left buddy. + */ +- dbAdjTree(tp, buddy, NOFREE); ++ dbAdjTree(tp, buddy, NOFREE, is_ctl); + } else { + /* buddy is the left buddy and becomes + * leafno. + */ +- dbAdjTree(tp, leafno, NOFREE); ++ dbAdjTree(tp, leafno, NOFREE, is_ctl); + leafno = buddy; + } + +@@ -2902,7 +2902,7 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval) + + /* update the leaf value. + */ +- dbAdjTree(tp, leafno, newval); ++ dbAdjTree(tp, leafno, newval, is_ctl); + + return 0; + } +@@ -2923,21 +2923,23 @@ static int dbJoin(dmtree_t * tp, int leafno, int newval) + * + * RETURN VALUES: none + */ +-static void dbAdjTree(dmtree_t * tp, int leafno, int newval) ++static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) + { + int lp, pp, k; +- int max; ++ int max, size; ++ ++ size = is_ctl ? CTLTREESIZE : TREESIZE; + + /* pick up the index of the leaf for this leafno. + */ + lp = leafno + le32_to_cpu(tp->dmt_leafidx); + ++ if (WARN_ON_ONCE(lp >= size || lp < 0)) ++ return; ++ + /* is the current value the same as the old value ? if so, + * there is nothing to do. + */ +- if (WARN_ON_ONCE(lp >= CTLTREESIZE)) +- return; +- + if (tp->dmt_stree[lp] == newval) + return; + +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-array-index-out-of-bounds-in-dinewext.patch b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-dinewext.patch new file mode 100644 index 00000000000..110fb991881 --- /dev/null +++ b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-dinewext.patch @@ -0,0 +1,78 @@ +From d82d58dde233929b192cc0944a7119c9151821e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Dec 2023 09:36:22 +0800 +Subject: jfs: fix array-index-out-of-bounds in diNewExt + +From: Edward Adam Davis + +[ Upstream commit 49f9637aafa6e63ba686c13cb8549bf5e6920402 ] + +[Syz report] +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2 +index -878706688 is out of range for type 'struct iagctl[128]' +CPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360 + diAllocExt fs/jfs/jfs_imap.c:1949 [inline] + diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666 + diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587 + ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56 + jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225 + vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106 + do_mkdirat+0x264/0x3a0 fs/namei.c:4129 + __do_sys_mkdir fs/namei.c:4149 [inline] + __se_sys_mkdir fs/namei.c:4147 [inline] + __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x63/0x6b +RIP: 0033:0x7fcb7e6a0b57 +Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053 +RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57 +RDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140 +RBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +[Analysis] +When the agstart is too large, it can cause agno overflow. + +[Fix] +After obtaining agno, if the value is invalid, exit the subsequent process. + +Reported-and-tested-by: syzbot+553d90297e6d2f50dbc7@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis + +Modified the test from agno > MAXAG to agno >= MAXAG based on linux-next +report by kernel test robot (Dan Carpenter). + +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index 14f918a4831d..b0965f3ef186 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -2181,6 +2181,9 @@ static int diNewExt(struct inomap * imap, struct iag * iagp, int extno) + /* get the ag and iag numbers for this iag. + */ + agno = BLKTOAG(le64_to_cpu(iagp->agstart), sbi); ++ if (agno >= MAXAG || agno < 0) ++ return -EIO; ++ + iagno = le32_to_cpu(iagp->iagnum); + + /* check if this is the last free extent within the +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch b/queue-5.4/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch new file mode 100644 index 00000000000..fe720629905 --- /dev/null +++ b/queue-5.4/jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch @@ -0,0 +1,45 @@ +From 3022d51a435395c43e3fcc96ea83eff2d38e2d49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 11:39:07 +0530 +Subject: jfs: fix slab-out-of-bounds Read in dtSearch + +From: Manas Ghandat + +[ Upstream commit fa5492ee89463a7590a1449358002ff7ef63529f ] + +Currently while searching for current page in the sorted entry table +of the page there is a out of bound access. Added a bound check to fix +the error. + +Dave: +Set return code to -EIO + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202310241724.Ed02yUz9-lkp@intel.com/ +Signed-off-by: Manas Ghandat +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index a6d42e49d156..077a87e53020 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -633,6 +633,11 @@ int dtSearch(struct inode *ip, struct component_name * key, ino_t * data, + for (base = 0, lim = p->header.nextindex; lim; lim >>= 1) { + index = base + (lim >> 1); + ++ if (stbl[index] < 0) { ++ rc = -EIO; ++ goto out; ++ } ++ + if (p->header.flag & BT_LEAF) { + /* uppercase leaf name to compare */ + cmp = +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-uaf-in-jfs_evict_inode.patch b/queue-5.4/jfs-fix-uaf-in-jfs_evict_inode.patch new file mode 100644 index 00000000000..8cc5427d894 --- /dev/null +++ b/queue-5.4/jfs-fix-uaf-in-jfs_evict_inode.patch @@ -0,0 +1,50 @@ +From 64503ab70885b0da1f9b7d93efed95b8dcd480b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 13:39:04 +0800 +Subject: jfs: fix uaf in jfs_evict_inode + +From: Edward Adam Davis + +[ Upstream commit e0e1958f4c365e380b17ccb35617345b31ef7bf3 ] + +When the execution of diMount(ipimap) fails, the object ipimap that has been +released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs +when rcu_core() calls jfs_free_node(). + +Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as +ipimap. + +Reported-and-tested-by: syzbot+01cf2dbcbe2022454388@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_mount.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c +index d41733540df9..459324f3570a 100644 +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -171,15 +171,15 @@ int jfs_mount(struct super_block *sb) + } + jfs_info("jfs_mount: ipimap:0x%p", ipimap); + +- /* map further access of per fileset inodes by the fileset inode */ +- sbi->ipimap = ipimap; +- + /* initialize fileset inode allocation map */ + if ((rc = diMount(ipimap))) { + jfs_err("jfs_mount: diMount failed w/rc = %d", rc); + goto err_ipimap; + } + ++ /* map further access of per fileset inodes by the fileset inode */ ++ sbi->ipimap = ipimap; ++ + return rc; + + /* +-- +2.43.0 + diff --git a/queue-5.4/kvm-s390-fix-setting-of-fpc-register.patch b/queue-5.4/kvm-s390-fix-setting-of-fpc-register.patch new file mode 100644 index 00000000000..06e6e40ac6d --- /dev/null +++ b/queue-5.4/kvm-s390-fix-setting-of-fpc-register.patch @@ -0,0 +1,70 @@ +From 177a230d7314e400f6aa61f9a587585ca8934da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 18:56:00 +0100 +Subject: KVM: s390: fix setting of fpc register + +From: Heiko Carstens + +[ Upstream commit b988b1bb0053c0dcd26187d29ef07566a565cf55 ] + +kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control +(fpc) register of a guest cpu. The new value is tested for validity by +temporarily loading it into the fpc register. + +This may lead to corruption of the fpc register of the host process: +if an interrupt happens while the value is temporarily loaded into the fpc +register, and within interrupt context floating point or vector registers +are used, the current fp/vx registers are saved with save_fpu_regs() +assuming they belong to user space and will be loaded into fp/vx registers +when returning to user space. + +test_fp_ctl() restores the original user space / host process fpc register +value, however it will be discarded, when returning to user space. + +In result the host process will incorrectly continue to run with the value +that was supposed to be used for a guest cpu. + +Fix this by simply removing the test. There is another test right before +the SIE context is entered which will handles invalid values. + +This results in a change of behaviour: invalid values will now be accepted +instead of that the ioctl fails with -EINVAL. This seems to be acceptable, +given that this interface is most likely not used anymore, and this is in +addition the same behaviour implemented with the memory mapped interface +(replace invalid values with zero) - see sync_regs() in kvm-s390.c. + +Reviewed-by: Christian Borntraeger +Reviewed-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index b11eb11e2f49..6a1b46e85dac 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3348,10 +3348,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) + + vcpu_load(vcpu); + +- if (test_fp_ctl(fpu->fpc)) { +- ret = -EINVAL; +- goto out; +- } + vcpu->run->s.regs.fpc = fpu->fpc; + if (MACHINE_HAS_VX) + convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs, +@@ -3359,7 +3355,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu) + else + memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs)); + +-out: + vcpu_put(vcpu); + return ret; + } +-- +2.43.0 + diff --git a/queue-5.4/leds-trigger-panic-don-t-register-panic-notifier-if-.patch b/queue-5.4/leds-trigger-panic-don-t-register-panic-notifier-if-.patch new file mode 100644 index 00000000000..c9e6bdce8cf --- /dev/null +++ b/queue-5.4/leds-trigger-panic-don-t-register-panic-notifier-if-.patch @@ -0,0 +1,43 @@ +From 7f7f21fb920b0e03c123fae4511c6246e2789789 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Dec 2023 21:05:33 +0100 +Subject: leds: trigger: panic: Don't register panic notifier if creating the + trigger failed + +From: Heiner Kallweit + +[ Upstream commit afacb21834bb02785ddb0c3ec197208803b74faa ] + +It doesn't make sense to register the panic notifier if creating the +panic trigger failed. + +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/8a61e229-5388-46c7-919a-4d18cc7362b2@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/trigger/ledtrig-panic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/trigger/ledtrig-panic.c b/drivers/leds/trigger/ledtrig-panic.c +index 5751cd032f9d..4bf232465dfd 100644 +--- a/drivers/leds/trigger/ledtrig-panic.c ++++ b/drivers/leds/trigger/ledtrig-panic.c +@@ -63,10 +63,13 @@ static long led_panic_blink(int state) + + static int __init ledtrig_panic_init(void) + { ++ led_trigger_register_simple("panic", &trigger); ++ if (!trigger) ++ return -ENOMEM; ++ + atomic_notifier_chain_register(&panic_notifier_list, + &led_trigger_panic_nb); + +- led_trigger_register_simple("panic", &trigger); + panic_blink = led_panic_blink; + return 0; + } +-- +2.43.0 + diff --git a/queue-5.4/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch b/queue-5.4/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch new file mode 100644 index 00000000000..c2a1547ff07 --- /dev/null +++ b/queue-5.4/libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch @@ -0,0 +1,73 @@ +From 5508c8cae8ee384c83fd83b2a7915bf089d2d082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 11:39:47 +0800 +Subject: libbpf: Fix NULL pointer dereference in + bpf_object__collect_prog_relos + +From: Mingyi Zhang + +[ Upstream commit fc3a5534e2a8855427403113cbeb54af5837bbe0 ] + +An issue occurred while reading an ELF file in libbpf.c during fuzzing: + + Program received signal SIGSEGV, Segmentation fault. + 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + 4206 in libbpf.c + (gdb) bt + #0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206 + #1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706 + #2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437 + #3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497 + #4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16 + #5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one () + #6 0x000000000087ad92 in tracing::span::Span::in_scope () + #7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir () + #8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} () + #9 0x00000000005f2601 in main () + (gdb) + +scn_data was null at this code(tools/lib/bpf/src/libbpf.c): + + if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) { + +The scn_data is derived from the code above: + + scn = elf_sec_by_idx(obj, sec_idx); + scn_data = elf_sec_data(obj, scn); + + relo_sec_name = elf_sec_str(obj, shdr->sh_name); + sec_name = elf_sec_name(obj, scn); + if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL + return -EINVAL; + +In certain special scenarios, such as reading a malformed ELF file, +it is possible that scn_data may be a null pointer + +Signed-off-by: Mingyi Zhang +Signed-off-by: Xin Liu +Signed-off-by: Changye Wu +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@huawei.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index b8849812449c..4a62a4f051df 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1497,6 +1497,8 @@ static int bpf_object__sanitize_and_load_btf(struct bpf_object *obj) + + bpf_object__sanitize_btf(obj); + bpf_object__sanitize_btf_ext(obj); ++ if (!scn_data) ++ return -LIBBPF_ERRNO__FORMAT; + + err = btf__load(obj->btf); + if (err) { +-- +2.43.0 + diff --git a/queue-5.4/libsubcmd-fix-memory-leak-in-uniq.patch b/queue-5.4/libsubcmd-fix-memory-leak-in-uniq.patch new file mode 100644 index 00000000000..297717874e0 --- /dev/null +++ b/queue-5.4/libsubcmd-fix-memory-leak-in-uniq.patch @@ -0,0 +1,62 @@ +From 58fbd6e53316c3020c83550d97443ef030be5977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Dec 2023 16:05:13 -0800 +Subject: libsubcmd: Fix memory leak in uniq() + +From: Ian Rogers + +[ Upstream commit ad30469a841b50dbb541df4d6971d891f703c297 ] + +uniq() will write one command name over another causing the overwritten +string to be leaked. Fix by doing a pass that removes duplicates and a +second that removes the holes. + +Signed-off-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Chenyuan Mi +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231208000515.1693746-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/subcmd/help.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c +index 2859f107abc8..4260c8b4257b 100644 +--- a/tools/lib/subcmd/help.c ++++ b/tools/lib/subcmd/help.c +@@ -50,11 +50,21 @@ void uniq(struct cmdnames *cmds) + if (!cmds->cnt) + return; + +- for (i = j = 1; i < cmds->cnt; i++) +- if (strcmp(cmds->names[i]->name, cmds->names[i-1]->name)) +- cmds->names[j++] = cmds->names[i]; +- ++ for (i = 1; i < cmds->cnt; i++) { ++ if (!strcmp(cmds->names[i]->name, cmds->names[i-1]->name)) ++ zfree(&cmds->names[i - 1]); ++ } ++ for (i = 0, j = 0; i < cmds->cnt; i++) { ++ if (cmds->names[i]) { ++ if (i == j) ++ j++; ++ else ++ cmds->names[j++] = cmds->names[i]; ++ } ++ } + cmds->cnt = j; ++ while (j < i) ++ cmds->names[j++] = NULL; + } + + void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes) +-- +2.43.0 + diff --git a/queue-5.4/md-whenassemble-the-array-consult-the-superblock-of-.patch b/queue-5.4/md-whenassemble-the-array-consult-the-superblock-of-.patch new file mode 100644 index 00000000000..fc40a019f80 --- /dev/null +++ b/queue-5.4/md-whenassemble-the-array-consult-the-superblock-of-.patch @@ -0,0 +1,155 @@ +From ae6218d82166203ff6480f22b0ede9bc1c703cd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Dec 2023 14:24:31 +0200 +Subject: md: Whenassemble the array, consult the superblock of the freshest + device + +From: Alex Lyakas + +[ Upstream commit dc1cc22ed58f11d58d8553c5ec5f11cbfc3e3039 ] + +Upon assembling the array, both kernel and mdadm allow the devices to have event +counter difference of 1, and still consider them as up-to-date. +However, a device whose event count is behind by 1, may in fact not be up-to-date, +and array resync with such a device may cause data corruption. +To avoid this, consult the superblock of the freshest device about the status +of a device, whose event counter is behind by 1. + +Signed-off-by: Alex Lyakas +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/1702470271-16073-1-git-send-email-alex.lyakas@zadara.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 54 ++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 44 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index a006f3a9554b..61c3e8df1b55 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -1098,6 +1098,7 @@ struct super_type { + struct md_rdev *refdev, + int minor_version); + int (*validate_super)(struct mddev *mddev, ++ struct md_rdev *freshest, + struct md_rdev *rdev); + void (*sync_super)(struct mddev *mddev, + struct md_rdev *rdev); +@@ -1236,8 +1237,9 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor + + /* + * validate_super for 0.90.0 ++ * note: we are not using "freshest" for 0.9 superblock + */ +-static int super_90_validate(struct mddev *mddev, struct md_rdev *rdev) ++static int super_90_validate(struct mddev *mddev, struct md_rdev *freshest, struct md_rdev *rdev) + { + mdp_disk_t *desc; + mdp_super_t *sb = page_address(rdev->sb_page); +@@ -1752,7 +1754,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_ + return ret; + } + +-static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev) ++static int super_1_validate(struct mddev *mddev, struct md_rdev *freshest, struct md_rdev *rdev) + { + struct mdp_superblock_1 *sb = page_address(rdev->sb_page); + __u64 ev1 = le64_to_cpu(sb->events); +@@ -1848,13 +1850,15 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev) + } + } else if (mddev->pers == NULL) { + /* Insist of good event counter while assembling, except for +- * spares (which don't need an event count) */ +- ++ev1; ++ * spares (which don't need an event count). ++ * Similar to mdadm, we allow event counter difference of 1 ++ * from the freshest device. ++ */ + if (rdev->desc_nr >= 0 && + rdev->desc_nr < le32_to_cpu(sb->max_dev) && + (le16_to_cpu(sb->dev_roles[rdev->desc_nr]) < MD_DISK_ROLE_MAX || + le16_to_cpu(sb->dev_roles[rdev->desc_nr]) == MD_DISK_ROLE_JOURNAL)) +- if (ev1 < mddev->events) ++ if (ev1 + 1 < mddev->events) + return -EINVAL; + } else if (mddev->bitmap) { + /* If adding to array with a bitmap, then we can accept an +@@ -1875,8 +1879,38 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev) + rdev->desc_nr >= le32_to_cpu(sb->max_dev)) { + role = MD_DISK_ROLE_SPARE; + rdev->desc_nr = -1; +- } else ++ } else if (mddev->pers == NULL && freshest && ev1 < mddev->events) { ++ /* ++ * If we are assembling, and our event counter is smaller than the ++ * highest event counter, we cannot trust our superblock about the role. ++ * It could happen that our rdev was marked as Faulty, and all other ++ * superblocks were updated with +1 event counter. ++ * Then, before the next superblock update, which typically happens when ++ * remove_and_add_spares() removes the device from the array, there was ++ * a crash or reboot. ++ * If we allow current rdev without consulting the freshest superblock, ++ * we could cause data corruption. ++ * Note that in this case our event counter is smaller by 1 than the ++ * highest, otherwise, this rdev would not be allowed into array; ++ * both kernel and mdadm allow event counter difference of 1. ++ */ ++ struct mdp_superblock_1 *freshest_sb = page_address(freshest->sb_page); ++ u32 freshest_max_dev = le32_to_cpu(freshest_sb->max_dev); ++ ++ if (rdev->desc_nr >= freshest_max_dev) { ++ /* this is unexpected, better not proceed */ ++ pr_warn("md: %s: rdev[%pg]: desc_nr(%d) >= freshest(%pg)->sb->max_dev(%u)\n", ++ mdname(mddev), rdev->bdev, rdev->desc_nr, ++ freshest->bdev, freshest_max_dev); ++ return -EUCLEAN; ++ } ++ ++ role = le16_to_cpu(freshest_sb->dev_roles[rdev->desc_nr]); ++ pr_debug("md: %s: rdev[%pg]: role=%d(0x%x) according to freshest %pg\n", ++ mdname(mddev), rdev->bdev, role, role, freshest->bdev); ++ } else { + role = le16_to_cpu(sb->dev_roles[rdev->desc_nr]); ++ } + switch(role) { + case MD_DISK_ROLE_SPARE: /* spare */ + break; +@@ -2780,7 +2814,7 @@ static int add_bound_rdev(struct md_rdev *rdev) + * and should be added immediately. + */ + super_types[mddev->major_version]. +- validate_super(mddev, rdev); ++ validate_super(mddev, NULL/*freshest*/, rdev); + if (add_journal) + mddev_suspend(mddev); + err = mddev->pers->hot_add_disk(mddev, rdev); +@@ -3690,7 +3724,7 @@ static int analyze_sbs(struct mddev *mddev) + } + + super_types[mddev->major_version]. +- validate_super(mddev, freshest); ++ validate_super(mddev, NULL/*freshest*/, freshest); + + i = 0; + rdev_for_each_safe(rdev, tmp, mddev) { +@@ -3705,7 +3739,7 @@ static int analyze_sbs(struct mddev *mddev) + } + if (rdev != freshest) { + if (super_types[mddev->major_version]. +- validate_super(mddev, rdev)) { ++ validate_super(mddev, freshest, rdev)) { + pr_warn("md: kicking non-fresh %s from array!\n", + bdevname(rdev->bdev,b)); + md_kick_rdev_from_array(rdev); +@@ -6610,7 +6644,7 @@ static int add_new_disk(struct mddev *mddev, mdu_disk_info_t *info) + rdev->saved_raid_disk = rdev->raid_disk; + } else + super_types[mddev->major_version]. +- validate_super(mddev, rdev); ++ validate_super(mddev, NULL/*freshest*/, rdev); + if ((info->state & (1<raid_disk != info->raid_disk) { + /* This was a hot-add request, but events doesn't +-- +2.43.0 + diff --git a/queue-5.4/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch b/queue-5.4/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch new file mode 100644 index 00000000000..fc28cbd8856 --- /dev/null +++ b/queue-5.4/media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch @@ -0,0 +1,34 @@ +From 6acb9cc503d2a4fe89f18b144da139685dc84ce7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 17:17:23 +0800 +Subject: media: ddbridge: fix an error code problem in ddb_probe + +From: Su Hui + +[ Upstream commit 09b4195021be69af1e1936cca995712a6d0f2562 ] + +Error code is assigned to 'stat', return 'stat' rather than '-1'. + +Signed-off-by: Su Hui +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ddbridge/ddbridge-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/ddbridge/ddbridge-main.c b/drivers/media/pci/ddbridge/ddbridge-main.c +index 03dc9924fa2c..bb7fb6402d6e 100644 +--- a/drivers/media/pci/ddbridge/ddbridge-main.c ++++ b/drivers/media/pci/ddbridge/ddbridge-main.c +@@ -247,7 +247,7 @@ static int ddb_probe(struct pci_dev *pdev, + ddb_unmap(dev); + pci_set_drvdata(pdev, NULL); + pci_disable_device(pdev); +- return -1; ++ return stat; + } + + /****************************************************************************/ +-- +2.43.0 + diff --git a/queue-5.4/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch b/queue-5.4/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch new file mode 100644 index 00000000000..1db41e9bdff --- /dev/null +++ b/queue-5.4/media-rockchip-rga-fix-swizzling-for-rgb-formats.patch @@ -0,0 +1,74 @@ +From 6fae7a2d90bb99568aab4bee05f6f4717ec07e04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Oct 2023 13:00:22 +0200 +Subject: media: rockchip: rga: fix swizzling for RGB formats + +From: Michael Tretter + +[ Upstream commit 9e7dc39260edac180c206bb6149595a40eabae3e ] + +When using 32 bit RGB formats, the RGA on the rk3568 produces wrong +colors as the wrong color channels are read or written. The reason is +that the format description for the channel swizzeling is wrong and the +wrong bits are configured. For example, when converting ARGB32 to NV12, +the alpha channel is used as blue channel.. This doesn't happen if the +color format is the same on both sides. + +Fix the color_swap settings of the formats to correctly handle 32 bit +RGB formats. + +For RGA_COLOR_FMT_XBGR8888, the RGA_COLOR_ALPHA_SWAP bit doesn't have an +effect. Thus, it isn't possible to handle the V4L2_PIX_FMT_XRGB32. Thus, +it is removed from the list of supported formats. + +Signed-off-by: Michael Tretter +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rga/rga.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c +index e9ff12b6b5bb..302da68075b2 100644 +--- a/drivers/media/platform/rockchip/rga/rga.c ++++ b/drivers/media/platform/rockchip/rga/rga.c +@@ -187,25 +187,16 @@ static int rga_setup_ctrls(struct rga_ctx *ctx) + static struct rga_fmt formats[] = { + { + .fourcc = V4L2_PIX_FMT_ARGB32, +- .color_swap = RGA_COLOR_RB_SWAP, ++ .color_swap = RGA_COLOR_ALPHA_SWAP, + .hw_format = RGA_COLOR_FMT_ABGR8888, + .depth = 32, + .uv_factor = 1, + .y_div = 1, + .x_div = 1, + }, +- { +- .fourcc = V4L2_PIX_FMT_XRGB32, +- .color_swap = RGA_COLOR_RB_SWAP, +- .hw_format = RGA_COLOR_FMT_XBGR8888, +- .depth = 32, +- .uv_factor = 1, +- .y_div = 1, +- .x_div = 1, +- }, + { + .fourcc = V4L2_PIX_FMT_ABGR32, +- .color_swap = RGA_COLOR_ALPHA_SWAP, ++ .color_swap = RGA_COLOR_RB_SWAP, + .hw_format = RGA_COLOR_FMT_ABGR8888, + .depth = 32, + .uv_factor = 1, +@@ -214,7 +205,7 @@ static struct rga_fmt formats[] = { + }, + { + .fourcc = V4L2_PIX_FMT_XBGR32, +- .color_swap = RGA_COLOR_ALPHA_SWAP, ++ .color_swap = RGA_COLOR_RB_SWAP, + .hw_format = RGA_COLOR_FMT_XBGR8888, + .depth = 32, + .uv_factor = 1, +-- +2.43.0 + diff --git a/queue-5.4/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch b/queue-5.4/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch new file mode 100644 index 00000000000..b42e10067f4 --- /dev/null +++ b/queue-5.4/media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch @@ -0,0 +1,47 @@ +From 7896c487c7c2353ede4d64753c54828b705b0940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Nov 2023 14:32:36 +0530 +Subject: media: stk1160: Fixed high volume of stk1160_dbg messages + +From: Ghanshyam Agrawal + +[ Upstream commit b3695e86d25aafbe175dd51f6aaf6f68d341d590 ] + +The function stk1160_dbg gets called too many times, which causes +the output to get flooded with messages. Since stk1160_dbg uses +printk, it is now replaced with printk_ratelimited. + +Suggested-by: Phillip Potter +Signed-off-by: Ghanshyam Agrawal +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/stk1160/stk1160-video.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c +index 202b084f65a2..4cf540d1b250 100644 +--- a/drivers/media/usb/stk1160/stk1160-video.c ++++ b/drivers/media/usb/stk1160/stk1160-video.c +@@ -107,8 +107,7 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) + + /* + * TODO: These stk1160_dbg are very spammy! +- * We should 1) check why we are getting them +- * and 2) add ratelimit. ++ * We should check why we are getting them. + * + * UPDATE: One of the reasons (the only one?) for getting these + * is incorrect standard (mismatch between expected and configured). +@@ -151,7 +150,7 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) + + /* Let the bug hunt begin! sanity checks! */ + if (lencopy < 0) { +- stk1160_dbg("copy skipped: negative lencopy\n"); ++ printk_ratelimited(KERN_DEBUG "copy skipped: negative lencopy\n"); + return; + } + +-- +2.43.0 + diff --git a/queue-5.4/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch b/queue-5.4/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch new file mode 100644 index 00000000000..fc7990d3145 --- /dev/null +++ b/queue-5.4/mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch @@ -0,0 +1,35 @@ +From 1d6703d843576cefb9928ea95ccf205b3c15e28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 15:56:39 +0000 +Subject: mfd: ti_am335x_tscadc: Fix TI SoC dependencies + +From: Peter Robinson + +[ Upstream commit 284d16c456e5d4b143f375b8ccc4038ab3f4ee0f ] + +The ti_am335x_tscadc is specific to some TI SoCs, update +the dependencies for those SoCs and compile testing. + +Signed-off-by: Peter Robinson +Link: https://lore.kernel.org/r/20231220155643.445849-1-pbrobinson@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/Kconfig b/drivers/mfd/Kconfig +index 43169f25da1f..385db201fe9a 100644 +--- a/drivers/mfd/Kconfig ++++ b/drivers/mfd/Kconfig +@@ -1299,6 +1299,7 @@ config MFD_DAVINCI_VOICECODEC + + config MFD_TI_AM335X_TSCADC + tristate "TI ADC / Touch Screen chip support" ++ depends on ARCH_OMAP2PLUS || ARCH_K3 || COMPILE_TEST + select MFD_CORE + select REGMAP + select REGMAP_MMIO +-- +2.43.0 + diff --git a/queue-5.4/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch b/queue-5.4/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch new file mode 100644 index 00000000000..4af4b235ef4 --- /dev/null +++ b/queue-5.4/misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch @@ -0,0 +1,60 @@ +From ae0edb3b68b294a121fc8339be2749d4001b5453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Dec 2023 19:34:02 +0100 +Subject: misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback + +From: Hans de Goede + +[ Upstream commit b1b9f7a494400c0c39f8cd83de3aaa6111c55087 ] + +The lis3lv02d_i2c driver was missing a line to set the lis3_dev's +reg_ctrl callback. + +lis3_reg_ctrl(on) is called from the init callback, but due to +the missing reg_ctrl callback the regulators where never turned off +again leading to the following oops/backtrace when detaching the driver: + +[ 82.313527] ------------[ cut here ]------------ +[ 82.313546] WARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put+0x219/0x230 +... +[ 82.313695] RIP: 0010:_regulator_put+0x219/0x230 +... +[ 82.314767] Call Trace: +[ 82.314770] +[ 82.314772] ? _regulator_put+0x219/0x230 +[ 82.314777] ? __warn+0x81/0x170 +[ 82.314784] ? _regulator_put+0x219/0x230 +[ 82.314791] ? report_bug+0x18d/0x1c0 +[ 82.314801] ? handle_bug+0x3c/0x80 +[ 82.314806] ? exc_invalid_op+0x13/0x60 +[ 82.314812] ? asm_exc_invalid_op+0x16/0x20 +[ 82.314845] ? _regulator_put+0x219/0x230 +[ 82.314857] regulator_bulk_free+0x39/0x60 +[ 82.314865] i2c_device_remove+0x22/0xb0 + +Add the missing setting of the callback so that the regulators +properly get turned off again when not used. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20231224183402.95640-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/lis3lv02d/lis3lv02d_i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c +index 52555d2e824b..ab1db760ba4e 100644 +--- a/drivers/misc/lis3lv02d/lis3lv02d_i2c.c ++++ b/drivers/misc/lis3lv02d/lis3lv02d_i2c.c +@@ -151,6 +151,7 @@ static int lis3lv02d_i2c_probe(struct i2c_client *client, + lis3_dev.init = lis3_i2c_init; + lis3_dev.read = lis3_i2c_read; + lis3_dev.write = lis3_i2c_write; ++ lis3_dev.reg_ctrl = lis3_reg_ctrl; + lis3_dev.irq = client->irq; + lis3_dev.ac = lis3lv02d_axis_map; + lis3_dev.pm_dev = &client->dev; +-- +2.43.0 + diff --git a/queue-5.4/pci-add-intel_hda_arl-to-pci_ids.h.patch b/queue-5.4/pci-add-intel_hda_arl-to-pci_ids.h.patch new file mode 100644 index 00000000000..b04098a198c --- /dev/null +++ b/queue-5.4/pci-add-intel_hda_arl-to-pci_ids.h.patch @@ -0,0 +1,41 @@ +From b03111847462b450ab4c28990755b6f96808d911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 15:27:06 -0600 +Subject: PCI: add INTEL_HDA_ARL to pci_ids.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 5ec42bf04d72fd6d0a6855810cc779e0ee31dfd7 ] + +The PCI ID insertion follows the increasing order in the table, but +this hardware follows MTL (MeteorLake). + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Kai Vehmanen +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20231204212710.185976-2-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/linux/pci_ids.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h +index fcacf2334704..d8b188643a87 100644 +--- a/include/linux/pci_ids.h ++++ b/include/linux/pci_ids.h +@@ -3011,6 +3011,7 @@ + #define PCI_DEVICE_ID_INTEL_82443GX_0 0x71a0 + #define PCI_DEVICE_ID_INTEL_82443GX_2 0x71a2 + #define PCI_DEVICE_ID_INTEL_82372FB_1 0x7601 ++#define PCI_DEVICE_ID_INTEL_HDA_ARL 0x7728 + #define PCI_DEVICE_ID_INTEL_SCH_LPC 0x8119 + #define PCI_DEVICE_ID_INTEL_SCH_IDE 0x811a + #define PCI_DEVICE_ID_INTEL_E6XX_CU 0x8183 +-- +2.43.0 + diff --git a/queue-5.4/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch b/queue-5.4/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch new file mode 100644 index 00000000000..b0f6b8f1b59 --- /dev/null +++ b/queue-5.4/pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch @@ -0,0 +1,62 @@ +From d2004d418029e310418ad880808d6e5f9f49658a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Nov 2023 13:17:16 +0100 +Subject: PCI: Add no PM reset quirk for NVIDIA Spectrum devices + +From: Ido Schimmel + +[ Upstream commit 3ed48c80b28d8dcd584d6ddaf00c75b7673e1a05 ] + +Spectrum-{1,2,3,4} devices report that a D3hot->D0 transition causes a +reset (i.e., they advertise NoSoftRst-). However, this transition does +not have any effect on the device: It continues to be operational and +network ports remain up. Advertising this support makes it seem as if a +PM reset is viable for these devices. Mark it as unavailable to skip it +when testing reset methods. + +Before: + + # cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method + pm bus + +After: + + # cat /sys/bus/pci/devices/0000\:03\:00.0/reset_method + bus + +Signed-off-by: Ido Schimmel +Acked-by: Bjorn Helgaas +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index cc8f2ce1e881..d1fab1d27e4d 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3626,6 +3626,19 @@ static void quirk_no_pm_reset(struct pci_dev *dev) + DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_VENDOR_ID_ATI, PCI_ANY_ID, + PCI_CLASS_DISPLAY_VGA, 8, quirk_no_pm_reset); + ++/* ++ * Spectrum-{1,2,3,4} devices report that a D3hot->D0 transition causes a reset ++ * (i.e., they advertise NoSoftRst-). However, this transition does not have ++ * any effect on the device: It continues to be operational and network ports ++ * remain up. Advertising this support makes it seem as if a PM reset is viable ++ * for these devices. Mark it as unavailable to skip it when testing reset ++ * methods. ++ */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcb84, quirk_no_pm_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf6c, quirk_no_pm_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf70, quirk_no_pm_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MELLANOX, 0xcf80, quirk_no_pm_reset); ++ + /* + * Thunderbolt controllers with broken MSI hotplug signaling: + * Entire 1st generation (Light Ridge, Eagle Ridge, Light Peak) and part +-- +2.43.0 + diff --git a/queue-5.4/pci-aer-decode-requester-id-when-no-error-info-found.patch b/queue-5.4/pci-aer-decode-requester-id-when-no-error-info-found.patch new file mode 100644 index 00000000000..ab2a03c9057 --- /dev/null +++ b/queue-5.4/pci-aer-decode-requester-id-when-no-error-info-found.patch @@ -0,0 +1,69 @@ +From 3110707047b8890889b6f6c32d9f1e3967b1c971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 16:42:30 -0600 +Subject: PCI/AER: Decode Requester ID when no error info found + +From: Bjorn Helgaas + +[ Upstream commit 1291b716bbf969e101d517bfb8ba18d958f758b8 ] + +When a device with AER detects an error, it logs error information in its +own AER Error Status registers. It may send an Error Message to the Root +Port (RCEC in the case of an RCiEP), which logs the fact that an Error +Message was received (Root Error Status) and the Requester ID of the +message source (Error Source Identification). + +aer_print_port_info() prints the Requester ID from the Root Port Error +Source in the usual Linux "bb:dd.f" format, but when find_source_device() +finds no error details in the hierarchy below the Root Port, it printed the +raw Requester ID without decoding it. + +Decode the Requester ID in the usual Linux format so it matches other +messages. + +Sample message changes: + + - pcieport 0000:00:1c.5: AER: Correctable error received: 0000:00:1c.5 + - pcieport 0000:00:1c.5: AER: can't find device of ID00e5 + + pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5 + + pcieport 0000:00:1c.5: AER: found no error details for 0000:00:1c.5 + +Link: https://lore.kernel.org/r/20231206224231.732765-3-helgaas@kernel.org +Signed-off-by: Bjorn Helgaas +Reviewed-by: Jonathan Cameron +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pcie/aer.c b/drivers/pci/pcie/aer.c +index aec1748cc821..6b5c9f7916fa 100644 +--- a/drivers/pci/pcie/aer.c ++++ b/drivers/pci/pcie/aer.c +@@ -782,7 +782,7 @@ static void aer_print_port_info(struct pci_dev *dev, struct aer_err_info *info) + u8 bus = info->id >> 8; + u8 devfn = info->id & 0xff; + +- pci_info(dev, "%s%s error received: %04x:%02x:%02x.%d\n", ++ pci_info(dev, "%s%s error message received from %04x:%02x:%02x.%d\n", + info->multi_error_valid ? "Multiple " : "", + aer_error_severity_string[info->severity], + pci_domain_nr(dev->bus), bus, PCI_SLOT(devfn), +@@ -968,7 +968,12 @@ static bool find_source_device(struct pci_dev *parent, + pci_walk_bus(parent->subordinate, find_device_iter, e_info); + + if (!e_info->error_dev_num) { +- pci_info(parent, "can't find device of ID%04x\n", e_info->id); ++ u8 bus = e_info->id >> 8; ++ u8 devfn = e_info->id & 0xff; ++ ++ pci_info(parent, "found no error details for %04x:%02x:%02x.%d\n", ++ pci_domain_nr(parent->bus), bus, PCI_SLOT(devfn), ++ PCI_FUNC(devfn)); + return false; + } + return true; +-- +2.43.0 + diff --git a/queue-5.4/pci-only-override-amd-usb-controller-if-required.patch b/queue-5.4/pci-only-override-amd-usb-controller-if-required.patch new file mode 100644 index 00000000000..f317a192c85 --- /dev/null +++ b/queue-5.4/pci-only-override-amd-usb-controller-if-required.patch @@ -0,0 +1,55 @@ +From ac2406e52f61753ebc2b72acb08bf7c6d1f32258 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:04:36 -0300 +Subject: PCI: Only override AMD USB controller if required + +From: Guilherme G. Piccoli + +[ Upstream commit e585a37e5061f6d5060517aed1ca4ccb2e56a34c ] + +By running a Van Gogh device (Steam Deck), the following message +was noticed in the kernel log: + + pci 0000:04:00.3: PCI class overridden (0x0c03fe -> 0x0c03fe) so dwc3 driver can claim this instead of xhci + +Effectively this means the quirk executed but changed nothing, since the +class of this device was already the proper one (likely adjusted by newer +firmware versions). + +Check and perform the override only if necessary. + +Link: https://lore.kernel.org/r/20231120160531.361552-1-gpiccoli@igalia.com +Signed-off-by: Guilherme G. Piccoli +Signed-off-by: Bjorn Helgaas +Cc: Huang Rui +Cc: Vicki Pfau +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index d1fab1d27e4d..821e71a45849 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -609,10 +609,13 @@ static void quirk_amd_dwc_class(struct pci_dev *pdev) + { + u32 class = pdev->class; + +- /* Use "USB Device (not host controller)" class */ +- pdev->class = PCI_CLASS_SERIAL_USB_DEVICE; +- pci_info(pdev, "PCI class overridden (%#08x -> %#08x) so dwc3 driver can claim this instead of xhci\n", +- class, pdev->class); ++ if (class != PCI_CLASS_SERIAL_USB_DEVICE) { ++ /* Use "USB Device (not host controller)" class */ ++ pdev->class = PCI_CLASS_SERIAL_USB_DEVICE; ++ pci_info(pdev, ++ "PCI class overridden (%#08x -> %#08x) so dwc3 driver can claim this instead of xhci\n", ++ class, pdev->class); ++ } + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_NL_USB, + quirk_amd_dwc_class); +-- +2.43.0 + diff --git a/queue-5.4/pci-switchtec-fix-stdev_release-crash-after-surprise.patch b/queue-5.4/pci-switchtec-fix-stdev_release-crash-after-surprise.patch new file mode 100644 index 00000000000..5705a8d118e --- /dev/null +++ b/queue-5.4/pci-switchtec-fix-stdev_release-crash-after-surprise.patch @@ -0,0 +1,104 @@ +From eaf5e209f119fbd97a09de3c80ed6787b557dfac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 20:23:16 -0800 +Subject: PCI: switchtec: Fix stdev_release() crash after surprise hot remove + +From: Daniel Stodden + +[ Upstream commit df25461119d987b8c81d232cfe4411e91dcabe66 ] + +A PCI device hot removal may occur while stdev->cdev is held open. The call +to stdev_release() then happens during close or exit, at a point way past +switchtec_pci_remove(). Otherwise the last ref would vanish with the +trailing put_device(), just before return. + +At that later point in time, the devm cleanup has already removed the +stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted +one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause +a fatal page fault, and the subsequent dma_free_coherent(), if reached, +would pass a stale &stdev->pdev->dev pointer. + +Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after +stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent +future accidents. + +Reproducible via the script at +https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com + +Link: https://lore.kernel.org/r/20231122042316.91208-2-dns@arista.com +Signed-off-by: Daniel Stodden +Signed-off-by: Bjorn Helgaas +Reviewed-by: Logan Gunthorpe +Reviewed-by: Dmitry Safonov +Signed-off-by: Sasha Levin +--- + drivers/pci/switch/switchtec.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c +index 2c9c3061894b..0037f368f62b 100644 +--- a/drivers/pci/switch/switchtec.c ++++ b/drivers/pci/switch/switchtec.c +@@ -1082,13 +1082,6 @@ static void stdev_release(struct device *dev) + { + struct switchtec_dev *stdev = to_stdev(dev); + +- if (stdev->dma_mrpc) { +- iowrite32(0, &stdev->mmio_mrpc->dma_en); +- flush_wc_buf(stdev); +- writeq(0, &stdev->mmio_mrpc->dma_addr); +- dma_free_coherent(&stdev->pdev->dev, sizeof(*stdev->dma_mrpc), +- stdev->dma_mrpc, stdev->dma_mrpc_dma_addr); +- } + kfree(stdev); + } + +@@ -1131,7 +1124,7 @@ static struct switchtec_dev *stdev_create(struct pci_dev *pdev) + return ERR_PTR(-ENOMEM); + + stdev->alive = true; +- stdev->pdev = pdev; ++ stdev->pdev = pci_dev_get(pdev); + INIT_LIST_HEAD(&stdev->mrpc_queue); + mutex_init(&stdev->mrpc_mutex); + stdev->mrpc_busy = 0; +@@ -1165,6 +1158,7 @@ static struct switchtec_dev *stdev_create(struct pci_dev *pdev) + return stdev; + + err_put: ++ pci_dev_put(stdev->pdev); + put_device(&stdev->dev); + return ERR_PTR(rc); + } +@@ -1407,6 +1401,18 @@ static int switchtec_init_pci(struct switchtec_dev *stdev, + return 0; + } + ++static void switchtec_exit_pci(struct switchtec_dev *stdev) ++{ ++ if (stdev->dma_mrpc) { ++ iowrite32(0, &stdev->mmio_mrpc->dma_en); ++ flush_wc_buf(stdev); ++ writeq(0, &stdev->mmio_mrpc->dma_addr); ++ dma_free_coherent(&stdev->pdev->dev, sizeof(*stdev->dma_mrpc), ++ stdev->dma_mrpc, stdev->dma_mrpc_dma_addr); ++ stdev->dma_mrpc = NULL; ++ } ++} ++ + static int switchtec_pci_probe(struct pci_dev *pdev, + const struct pci_device_id *id) + { +@@ -1464,6 +1470,9 @@ static void switchtec_pci_remove(struct pci_dev *pdev) + ida_simple_remove(&switchtec_minor_ida, MINOR(stdev->dev.devt)); + dev_info(&stdev->dev, "unregistered.\n"); + stdev_kill(stdev); ++ switchtec_exit_pci(stdev); ++ pci_dev_put(stdev->pdev); ++ stdev->pdev = NULL; + put_device(&stdev->dev); + } + +-- +2.43.0 + diff --git a/queue-5.4/perf-core-fix-narrow-startup-race-when-creating-the-.patch b/queue-5.4/perf-core-fix-narrow-startup-race-when-creating-the-.patch new file mode 100644 index 00000000000..606c89a844e --- /dev/null +++ b/queue-5.4/perf-core-fix-narrow-startup-race-when-creating-the-.patch @@ -0,0 +1,82 @@ +From 7406d9694fcddc5bc66f63311ab4820d89bf0bcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 15:09:09 +0200 +Subject: perf/core: Fix narrow startup race when creating the perf + nr_addr_filters sysfs file + +From: Greg KH + +[ Upstream commit 652ffc2104ec1f69dd4a46313888c33527145ccf ] + +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/2023061204-decal-flyable-6090@gregkh +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 40 ++++++++++++++++++++++++++++------------ + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 1e62a567b0d7..3ec29a27d877 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10080,9 +10080,32 @@ static DEVICE_ATTR_RW(perf_event_mux_interval_ms); + static struct attribute *pmu_dev_attrs[] = { + &dev_attr_type.attr, + &dev_attr_perf_event_mux_interval_ms.attr, ++ &dev_attr_nr_addr_filters.attr, ++ NULL, ++}; ++ ++static umode_t pmu_dev_is_visible(struct kobject *kobj, struct attribute *a, int n) ++{ ++ struct device *dev = kobj_to_dev(kobj); ++ struct pmu *pmu = dev_get_drvdata(dev); ++ ++ if (!pmu->nr_addr_filters) ++ return 0; ++ ++ return a->mode; ++ ++ return 0; ++} ++ ++static struct attribute_group pmu_dev_attr_group = { ++ .is_visible = pmu_dev_is_visible, ++ .attrs = pmu_dev_attrs, ++}; ++ ++static const struct attribute_group *pmu_dev_groups[] = { ++ &pmu_dev_attr_group, + NULL, + }; +-ATTRIBUTE_GROUPS(pmu_dev); + + static int pmu_bus_running; + static struct bus_type pmu_bus = { +@@ -10118,18 +10141,11 @@ static int pmu_dev_alloc(struct pmu *pmu) + if (ret) + goto free_dev; + +- /* For PMUs with address filters, throw in an extra attribute: */ +- if (pmu->nr_addr_filters) +- ret = device_create_file(pmu->dev, &dev_attr_nr_addr_filters); +- +- if (ret) +- goto del_dev; +- +- if (pmu->attr_update) ++ if (pmu->attr_update) { + ret = sysfs_update_groups(&pmu->dev->kobj, pmu->attr_update); +- +- if (ret) +- goto del_dev; ++ if (ret) ++ goto del_dev; ++ } + + out: + return ret; +-- +2.43.0 + diff --git a/queue-5.4/perf-fix-the-nr_addr_filters-fix.patch b/queue-5.4/perf-fix-the-nr_addr_filters-fix.patch new file mode 100644 index 00000000000..ad297e3efb0 --- /dev/null +++ b/queue-5.4/perf-fix-the-nr_addr_filters-fix.patch @@ -0,0 +1,50 @@ +From c7e08af3b3bf5ec00ec3516f844dfe93297c8fd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 11:07:56 +0100 +Subject: perf: Fix the nr_addr_filters fix + +From: Peter Zijlstra + +[ Upstream commit 388a1fb7da6aaa1970c7e2a7d7fcd983a87a8484 ] + +Thomas reported that commit 652ffc2104ec ("perf/core: Fix narrow +startup race when creating the perf nr_addr_filters sysfs file") made +the entire attribute group vanish, instead of only the nr_addr_filters +attribute. + +Additionally a stray return. + +Insufficient coffee was involved with both writing and merging the +patch. + +Fixes: 652ffc2104ec ("perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file") +Reported-by: Thomas Richter +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Thomas Richter +Link: https://lkml.kernel.org/r/20231122100756.GP8262@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 3ec29a27d877..f18a5bbc66ef 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10089,12 +10089,10 @@ static umode_t pmu_dev_is_visible(struct kobject *kobj, struct attribute *a, int + struct device *dev = kobj_to_dev(kobj); + struct pmu *pmu = dev_get_drvdata(dev); + +- if (!pmu->nr_addr_filters) ++ if (n == 2 && !pmu->nr_addr_filters) + return 0; + + return a->mode; +- +- return 0; + } + + static struct attribute_group pmu_dev_attr_group = { +-- +2.43.0 + diff --git a/queue-5.4/pnp-acpi-fix-fortify-warning.patch b/queue-5.4/pnp-acpi-fix-fortify-warning.patch new file mode 100644 index 00000000000..7b0454854e5 --- /dev/null +++ b/queue-5.4/pnp-acpi-fix-fortify-warning.patch @@ -0,0 +1,83 @@ +From 18ecd48a2c9c568776358b7f3a582fb5cc3e278b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 05:52:10 +0300 +Subject: PNP: ACPI: fix fortify warning + +From: Dmitry Antipov + +[ Upstream commit ba3f5058db437d919f8468db50483dd9028ff688 ] + +When compiling with gcc version 14.0.0 20231126 (experimental) +and CONFIG_FORTIFY_SOURCE=y, I've noticed the following: + +In file included from ./include/linux/string.h:295, + from ./include/linux/bitmap.h:12, + from ./include/linux/cpumask.h:12, + from ./arch/x86/include/asm/paravirt.h:17, + from ./arch/x86/include/asm/cpuid.h:62, + from ./arch/x86/include/asm/processor.h:19, + from ./arch/x86/include/asm/cpufeature.h:5, + from ./arch/x86/include/asm/thread_info.h:53, + from ./include/linux/thread_info.h:60, + from ./arch/x86/include/asm/preempt.h:9, + from ./include/linux/preempt.h:79, + from ./include/linux/spinlock.h:56, + from ./include/linux/mmzone.h:8, + from ./include/linux/gfp.h:7, + from ./include/linux/slab.h:16, + from ./include/linux/resource_ext.h:11, + from ./include/linux/acpi.h:13, + from drivers/pnp/pnpacpi/rsparser.c:11: +In function 'fortify_memcpy_chk', + inlined from 'pnpacpi_parse_allocated_vendor' at drivers/pnp/pnpacpi/rsparser.c:158:3, + inlined from 'pnpacpi_allocated_resource' at drivers/pnp/pnpacpi/rsparser.c:249:3: +./include/linux/fortify-string.h:588:25: warning: call to '__read_overflow2_field' +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 588 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +According to the comments in include/linux/fortify-string.h, 'memcpy()', +'memmove()' and 'memset()' must not be used beyond individual struct +members to ensure that the compiler can enforce protection against +buffer overflows, and, IIUC, this also applies to partial copies from +the particular member ('vendor->byte_data' in this case). So it should +be better (and safer) to do both copies at once (and 'byte_data' of +'struct acpi_resource_vendor_typed' seems to be a good candidate for +'__counted_by(byte_length)' as well). + +Signed-off-by: Dmitry Antipov +Reviewed-by: Kees Cook +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pnp/pnpacpi/rsparser.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/pnp/pnpacpi/rsparser.c b/drivers/pnp/pnpacpi/rsparser.c +index da78dc77aed3..9879deb4dc0b 100644 +--- a/drivers/pnp/pnpacpi/rsparser.c ++++ b/drivers/pnp/pnpacpi/rsparser.c +@@ -151,13 +151,13 @@ static int vendor_resource_matches(struct pnp_dev *dev, + static void pnpacpi_parse_allocated_vendor(struct pnp_dev *dev, + struct acpi_resource_vendor_typed *vendor) + { +- if (vendor_resource_matches(dev, vendor, &hp_ccsr_uuid, 16)) { +- u64 start, length; ++ struct { u64 start, length; } range; + +- memcpy(&start, vendor->byte_data, sizeof(start)); +- memcpy(&length, vendor->byte_data + 8, sizeof(length)); +- +- pnp_add_mem_resource(dev, start, start + length - 1, 0); ++ if (vendor_resource_matches(dev, vendor, &hp_ccsr_uuid, ++ sizeof(range))) { ++ memcpy(&range, vendor->byte_data, sizeof(range)); ++ pnp_add_mem_resource(dev, range.start, range.start + ++ range.length - 1, 0); + } + } + +-- +2.43.0 + diff --git a/queue-5.4/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch b/queue-5.4/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch new file mode 100644 index 00000000000..cc8e166a902 --- /dev/null +++ b/queue-5.4/powerpc-fix-build-error-due-to-is_valid_bugaddr.patch @@ -0,0 +1,48 @@ +From fe3a46c527c09019de10212c56225aca7dd1e305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 22:44:33 +1100 +Subject: powerpc: Fix build error due to is_valid_bugaddr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit f8d3555355653848082c351fa90775214fb8a4fa ] + +With CONFIG_GENERIC_BUG=n the build fails with: + + arch/powerpc/kernel/traps.c:1442:5: error: no previous prototype for ‘is_valid_bugaddr’ [-Werror=missing-prototypes] + 1442 | int is_valid_bugaddr(unsigned long addr) + | ^~~~~~~~~~~~~~~~ + +The prototype is only defined, and the function is only needed, when +CONFIG_GENERIC_BUG=y, so move the implementation under that. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231130114433.3053544-2-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/traps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 70b99246dec4..402a05f3a484 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -1424,10 +1424,12 @@ static int emulate_instruction(struct pt_regs *regs) + return -EINVAL; + } + ++#ifdef CONFIG_GENERIC_BUG + int is_valid_bugaddr(unsigned long addr) + { + return is_kernel_addr(addr); + } ++#endif + + #ifdef CONFIG_MATH_EMULATION + static int emulate_math(struct pt_regs *regs) +-- +2.43.0 + diff --git a/queue-5.4/powerpc-lib-validate-size-for-vector-operations.patch b/queue-5.4/powerpc-lib-validate-size-for-vector-operations.patch new file mode 100644 index 00000000000..f05ea483a1f --- /dev/null +++ b/queue-5.4/powerpc-lib-validate-size-for-vector-operations.patch @@ -0,0 +1,71 @@ +From ae072cd756ed11a06b7eb08ce7f9ebe7917ed543 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 12:47:05 +0530 +Subject: powerpc/lib: Validate size for vector operations + +From: Naveen N Rao + +[ Upstream commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 ] + +Some of the fp/vmx code in sstep.c assume a certain maximum size for the +instructions being emulated. The size of those operations however is +determined separately in analyse_instr(). + +Add a check to validate the assumption on the maximum size of the +operations, so as to prevent any unintended kernel stack corruption. + +Signed-off-by: Naveen N Rao +Reviewed-by: Gustavo A. R. Silva +Build-tested-by: Gustavo A. R. Silva +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/lib/sstep.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c +index 27650cd5857f..490162fb0893 100644 +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -469,6 +469,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea, + } u; + + nb = GETSIZE(op->type); ++ if (nb > sizeof(u)) ++ return -EINVAL; + if (!address_ok(regs, ea, nb)) + return -EFAULT; + rn = op->reg; +@@ -519,6 +521,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea, + } u; + + nb = GETSIZE(op->type); ++ if (nb > sizeof(u)) ++ return -EINVAL; + if (!address_ok(regs, ea, nb)) + return -EFAULT; + rn = op->reg; +@@ -563,6 +567,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea, + u8 b[sizeof(__vector128)]; + } u = {}; + ++ if (size > sizeof(u)) ++ return -EINVAL; ++ + if (!address_ok(regs, ea & ~0xfUL, 16)) + return -EFAULT; + /* align to multiple of size */ +@@ -590,6 +597,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea, + u8 b[sizeof(__vector128)]; + } u; + ++ if (size > sizeof(u)) ++ return -EINVAL; ++ + if (!address_ok(regs, ea & ~0xfUL, 16)) + return -EFAULT; + /* align to multiple of size */ +-- +2.43.0 + diff --git a/queue-5.4/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch b/queue-5.4/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch new file mode 100644 index 00000000000..bc0e6492089 --- /dev/null +++ b/queue-5.4/powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch @@ -0,0 +1,68 @@ +From 83e1a89dfd45625bc53ce99ba4fd25bb42a4e784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 22:44:32 +1100 +Subject: powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit d8c3f243d4db24675b653f0568bb65dae34e6455 ] + +With NUMA=n and FA_DUMP=y or PRESERVE_FA_DUMP=y the build fails with: + + arch/powerpc/kernel/fadump.c:1739:22: error: no previous prototype for ‘arch_reserved_kernel_pages’ [-Werror=missing-prototypes] + 1739 | unsigned long __init arch_reserved_kernel_pages(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ + +The prototype for arch_reserved_kernel_pages() is in include/linux/mm.h, +but it's guarded by __HAVE_ARCH_RESERVED_KERNEL_PAGES. The powerpc +headers define __HAVE_ARCH_RESERVED_KERNEL_PAGES in asm/mmzone.h, which +is not included into the generic headers when NUMA=n. + +Move the definition of __HAVE_ARCH_RESERVED_KERNEL_PAGES into asm/mmu.h +which is included regardless of NUMA=n. + +Additionally the ifdef around __HAVE_ARCH_RESERVED_KERNEL_PAGES needs to +also check for CONFIG_PRESERVE_FA_DUMP. + +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231130114433.3053544-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/mmu.h | 4 ++++ + arch/powerpc/include/asm/mmzone.h | 3 --- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/include/asm/mmu.h b/arch/powerpc/include/asm/mmu.h +index 0699cfeeb8c9..2141ae7441a9 100644 +--- a/arch/powerpc/include/asm/mmu.h ++++ b/arch/powerpc/include/asm/mmu.h +@@ -375,5 +375,9 @@ extern void *abatron_pteptrs[2]; + #include + #endif + ++#if defined(CONFIG_FA_DUMP) || defined(CONFIG_PRESERVE_FA_DUMP) ++#define __HAVE_ARCH_RESERVED_KERNEL_PAGES ++#endif ++ + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_MMU_H_ */ +diff --git a/arch/powerpc/include/asm/mmzone.h b/arch/powerpc/include/asm/mmzone.h +index 91c69ff53a8a..50c2198c2c76 100644 +--- a/arch/powerpc/include/asm/mmzone.h ++++ b/arch/powerpc/include/asm/mmzone.h +@@ -42,9 +42,6 @@ u64 memory_hotplug_max(void); + #else + #define memory_hotplug_max() memblock_end_of_DRAM() + #endif /* CONFIG_NEED_MULTIPLE_NODES */ +-#ifdef CONFIG_FA_DUMP +-#define __HAVE_ARCH_RESERVED_KERNEL_PAGES +-#endif + + #endif /* __KERNEL__ */ + #endif /* _ASM_MMZONE_H_ */ +-- +2.43.0 + diff --git a/queue-5.4/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch b/queue-5.4/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch new file mode 100644 index 00000000000..8a37b95aea4 --- /dev/null +++ b/queue-5.4/powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch @@ -0,0 +1,49 @@ +From faa246a364a2243b1ee4506f4d12cdadf49b5612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Dec 2023 10:32:23 +0800 +Subject: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add + +From: Kunwu Chan + +[ Upstream commit f46c8a75263f97bda13c739ba1c90aced0d3b071 ] + +kasprintf() returns a pointer to dynamically allocated memory +which can be NULL upon failure. Ensure the allocation was successful +by checking the pointer validity. + +Suggested-by: Christophe Leroy +Suggested-by: Michael Ellerman +Signed-off-by: Kunwu Chan +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231204023223.2447523-1-chentao@kylinos.cn +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/init-common.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/mm/init-common.c b/arch/powerpc/mm/init-common.c +index a84da92920f7..e7b9cc90fd9e 100644 +--- a/arch/powerpc/mm/init-common.c ++++ b/arch/powerpc/mm/init-common.c +@@ -104,7 +104,7 @@ void pgtable_cache_add(unsigned int shift) + * as to leave enough 0 bits in the address to contain it. */ + unsigned long minalign = max(MAX_PGTABLE_INDEX_SIZE + 1, + HUGEPD_SHIFT_MASK + 1); +- struct kmem_cache *new; ++ struct kmem_cache *new = NULL; + + /* It would be nice if this was a BUILD_BUG_ON(), but at the + * moment, gcc doesn't seem to recognize is_power_of_2 as a +@@ -117,7 +117,8 @@ void pgtable_cache_add(unsigned int shift) + + align = max_t(unsigned long, align, minalign); + name = kasprintf(GFP_KERNEL, "pgtable-2^%d", shift); +- new = kmem_cache_create(name, table_size, align, 0, ctor(shift)); ++ if (name) ++ new = kmem_cache_create(name, table_size, align, 0, ctor(shift)); + if (!new) + panic("Could not allocate pgtable cache for order %d", shift); + +-- +2.43.0 + diff --git a/queue-5.4/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch b/queue-5.4/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch new file mode 100644 index 00000000000..64d9d1b2f48 --- /dev/null +++ b/queue-5.4/powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch @@ -0,0 +1,56 @@ +From d28518c2effd681bf1ce2aa2980be82f66cacb1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 13:28:09 +1100 +Subject: powerpc: pmd_move_must_withdraw() is only needed for + CONFIG_TRANSPARENT_HUGEPAGE + +From: Stephen Rothwell + +[ Upstream commit 0d555b57ee660d8a871781c0eebf006e855e918d ] + +The linux-next build of powerpc64 allnoconfig fails with: + + arch/powerpc/mm/book3s64/pgtable.c:557:5: error: no previous prototype for 'pmd_move_must_withdraw' + 557 | int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl, + | ^~~~~~~~~~~~~~~~~~~~~~ + +Caused by commit: + + c6345dfa6e3e ("Makefile.extrawarn: turn on missing-prototypes globally") + +Fix it by moving the function definition under +CONFIG_TRANSPARENT_HUGEPAGE like the prototype. The function is only +called when CONFIG_TRANSPARENT_HUGEPAGE=y. + +Signed-off-by: Stephen Rothwell +[mpe: Flesh out change log from linux-next patch] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20231127132809.45c2b398@canb.auug.org.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/pgtable.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c +index 2bf7e1b4fd82..c4890f4b0b6c 100644 +--- a/arch/powerpc/mm/book3s64/pgtable.c ++++ b/arch/powerpc/mm/book3s64/pgtable.c +@@ -442,6 +442,7 @@ void ptep_modify_prot_commit(struct vm_area_struct *vma, unsigned long addr, + set_pte_at(vma->vm_mm, addr, ptep, pte); + } + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE + /* + * For hash translation mode, we use the deposited table to store hash slot + * information and they are stored at PTRS_PER_PMD offset from related pmd +@@ -463,6 +464,7 @@ int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl, + + return true; + } ++#endif + + /* + * Does the CPU support tlbie? +-- +2.43.0 + diff --git a/queue-5.4/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch b/queue-5.4/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch new file mode 100644 index 00000000000..b2bad7438d9 --- /dev/null +++ b/queue-5.4/pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch @@ -0,0 +1,47 @@ +From b30d4f36bec8e02b68bace340f6a8c7cfaa2fc86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Feb 2023 10:36:32 +0800 +Subject: pstore/ram: Fix crash when setting number of cpus to an odd number + +From: Weichen Chen + +[ Upstream commit d49270a04623ce3c0afddbf3e984cb245aa48e9c ] + +When the number of cpu cores is adjusted to 7 or other odd numbers, +the zone size will become an odd number. +The address of the zone will become: + addr of zone0 = BASE + addr of zone1 = BASE + zone_size + addr of zone2 = BASE + zone_size*2 + ... +The address of zone1/3/5/7 will be mapped to non-alignment va. +Eventually crashes will occur when accessing these va. + +So, use ALIGN_DOWN() to make sure the zone size is even +to avoid this bug. + +Signed-off-by: Weichen Chen +Reviewed-by: Matthias Brugger +Tested-by: "Guilherme G. Piccoli" +Link: https://lore.kernel.org/r/20230224023632.6840-1-weichen.chen@mediatek.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/ram.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c +index 65cbc8a60ca3..9f83d8eba0e6 100644 +--- a/fs/pstore/ram.c ++++ b/fs/pstore/ram.c +@@ -563,6 +563,7 @@ static int ramoops_init_przs(const char *name, + } + + zone_sz = mem_sz / *cnt; ++ zone_sz = ALIGN_DOWN(zone_sz, 2); + if (!zone_sz) { + dev_err(dev, "%s zone size == 0\n", name); + goto fail; +-- +2.43.0 + diff --git a/queue-5.4/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch b/queue-5.4/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch new file mode 100644 index 00000000000..b4dca41b83e --- /dev/null +++ b/queue-5.4/rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch @@ -0,0 +1,34 @@ +From bd9ca53e1dfa4e7774df18d84f73aa028311d8a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Nov 2023 14:03:15 +0100 +Subject: RDMA/IPoIB: Fix error code return in ipoib_mcast_join + +From: Jack Wang + +[ Upstream commit 753fff78f430704548f45eda52d6d55371a52c0f ] + +Return the error code in case of ib_sa_join_multicast fail. + +Signed-off-by: Jack Wang +Link: https://lore.kernel.org/r/20231121130316.126364-2-jinpu.wang@ionos.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +index b9e9562f5034..805df1fcba84 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -558,6 +558,7 @@ static int ipoib_mcast_join(struct net_device *dev, struct ipoib_mcast *mcast) + spin_unlock_irq(&priv->lock); + complete(&mcast->done); + spin_lock_irq(&priv->lock); ++ return ret; + } + return 0; + } +-- +2.43.0 + diff --git a/queue-5.4/regulator-core-only-increment-use_count-when-enable_.patch b/queue-5.4/regulator-core-only-increment-use_count-when-enable_.patch new file mode 100644 index 00000000000..4e88e91a779 --- /dev/null +++ b/queue-5.4/regulator-core-only-increment-use_count-when-enable_.patch @@ -0,0 +1,113 @@ +From 2bcc603ce3c0fdccc6642c4b425b7f1a0f116815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 15:42:31 +0800 +Subject: regulator: core: Only increment use_count when enable_count changes + +From: Rui Zhang + +[ Upstream commit 7993d3a9c34f609c02171e115fd12c10e2105ff4 ] + +The use_count of a regulator should only be incremented when the +enable_count changes from 0 to 1. Similarly, the use_count should +only be decremented when the enable_count changes from 1 to 0. + +In the previous implementation, use_count was sometimes decremented +to 0 when some consumer called unbalanced disable, +leading to unexpected disable even the regulator is enabled by +other consumers. With this change, the use_count accurately reflects +the number of users which the regulator is enabled. + +This should make things more robust in the case where a consumer does +leak references. + +Signed-off-by: Rui Zhang +Link: https://lore.kernel.org/r/20231103074231.8031-1-zr.zhang@vivo.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 56 +++++++++++++++++++++------------------- + 1 file changed, 30 insertions(+), 26 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 87d0cd6f49ca..894915892eaf 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -2658,7 +2658,8 @@ static int _regulator_enable(struct regulator *regulator) + /* Fallthrough on positive return values - already enabled */ + } + +- rdev->use_count++; ++ if (regulator->enable_count == 1) ++ rdev->use_count++; + + return 0; + +@@ -2736,37 +2737,40 @@ static int _regulator_disable(struct regulator *regulator) + + lockdep_assert_held_once(&rdev->mutex.base); + +- if (WARN(rdev->use_count <= 0, ++ if (WARN(regulator->enable_count == 0, + "unbalanced disables for %s\n", rdev_get_name(rdev))) + return -EIO; + +- /* are we the last user and permitted to disable ? */ +- if (rdev->use_count == 1 && +- (rdev->constraints && !rdev->constraints->always_on)) { +- +- /* we are last user */ +- if (regulator_ops_is_valid(rdev, REGULATOR_CHANGE_STATUS)) { +- ret = _notifier_call_chain(rdev, +- REGULATOR_EVENT_PRE_DISABLE, +- NULL); +- if (ret & NOTIFY_STOP_MASK) +- return -EINVAL; +- +- ret = _regulator_do_disable(rdev); +- if (ret < 0) { +- rdev_err(rdev, "failed to disable\n"); +- _notifier_call_chain(rdev, +- REGULATOR_EVENT_ABORT_DISABLE, ++ if (regulator->enable_count == 1) { ++ /* disabling last enable_count from this regulator */ ++ /* are we the last user and permitted to disable ? */ ++ if (rdev->use_count == 1 && ++ (rdev->constraints && !rdev->constraints->always_on)) { ++ ++ /* we are last user */ ++ if (regulator_ops_is_valid(rdev, REGULATOR_CHANGE_STATUS)) { ++ ret = _notifier_call_chain(rdev, ++ REGULATOR_EVENT_PRE_DISABLE, ++ NULL); ++ if (ret & NOTIFY_STOP_MASK) ++ return -EINVAL; ++ ++ ret = _regulator_do_disable(rdev); ++ if (ret < 0) { ++ rdev_err(rdev, "failed to disable\n"); ++ _notifier_call_chain(rdev, ++ REGULATOR_EVENT_ABORT_DISABLE, ++ NULL); ++ return ret; ++ } ++ _notifier_call_chain(rdev, REGULATOR_EVENT_DISABLE, + NULL); +- return ret; + } +- _notifier_call_chain(rdev, REGULATOR_EVENT_DISABLE, +- NULL); +- } + +- rdev->use_count = 0; +- } else if (rdev->use_count > 1) { +- rdev->use_count--; ++ rdev->use_count = 0; ++ } else if (rdev->use_count > 1) { ++ rdev->use_count--; ++ } + } + + if (ret == 0) +-- +2.43.0 + diff --git a/queue-5.4/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch b/queue-5.4/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch new file mode 100644 index 00000000000..82f66a0bdc9 --- /dev/null +++ b/queue-5.4/rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch @@ -0,0 +1,46 @@ +From c4c413829ebd69ccf9311119b0efa2048ae443d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 17:48:46 +0100 +Subject: rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() + +From: Oleg Nesterov + +[ Upstream commit bad1a11c0f061aa073bab785389fe04f19ba02e1 ] + +rxrpc_find_service_conn_rcu() should make the "seq" counter odd on the +second pass, otherwise read_seqbegin_or_lock() never takes the lock. + +Signed-off-by: Oleg Nesterov +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20231117164846.GA10410@redhat.com/ +Signed-off-by: Sasha Levin +--- + net/rxrpc/conn_service.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/rxrpc/conn_service.c b/net/rxrpc/conn_service.c +index 21da48e3d2e5..7ad4b4e9341e 100644 +--- a/net/rxrpc/conn_service.c ++++ b/net/rxrpc/conn_service.c +@@ -25,7 +25,7 @@ struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer, + struct rxrpc_conn_proto k; + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + struct rb_node *p; +- unsigned int seq = 0; ++ unsigned int seq = 1; + + k.epoch = sp->hdr.epoch; + k.cid = sp->hdr.cid & RXRPC_CIDMASK; +@@ -35,6 +35,7 @@ struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer, + * under just the RCU read lock, so we have to check for + * changes. + */ ++ seq++; /* 2 on the 1st/lockless path, otherwise odd */ + read_seqbegin_or_lock(&peer->service_conn_lock, &seq); + + p = rcu_dereference_raw(peer->service_conns.rb_node); +-- +2.43.0 + diff --git a/queue-5.4/s390-ptrace-handle-setting-of-fpc-register-correctly.patch b/queue-5.4/s390-ptrace-handle-setting-of-fpc-register-correctly.patch new file mode 100644 index 00000000000..847c0d7686d --- /dev/null +++ b/queue-5.4/s390-ptrace-handle-setting-of-fpc-register-correctly.patch @@ -0,0 +1,71 @@ +From 47a662ab7b0f024e84cdc973fff8882e98a37a0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Nov 2023 18:55:59 +0100 +Subject: s390/ptrace: handle setting of fpc register correctly + +From: Heiko Carstens + +[ Upstream commit 8b13601d19c541158a6e18b278c00ba69ae37829 ] + +If the content of the floating point control (fpc) register of a traced +process is modified with the ptrace interface the new value is tested for +validity by temporarily loading it into the fpc register. + +This may lead to corruption of the fpc register of the tracing process: +if an interrupt happens while the value is temporarily loaded into the +fpc register, and within interrupt context floating point or vector +registers are used, the current fp/vx registers are saved with +save_fpu_regs() assuming they belong to user space and will be loaded into +fp/vx registers when returning to user space. + +test_fp_ctl() restores the original user space fpc register value, however +it will be discarded, when returning to user space. + +In result the tracer will incorrectly continue to run with the value that +was supposed to be used for the traced process. + +Fix this by saving fpu register contents with save_fpu_regs() before using +test_fp_ctl(). + +Reviewed-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/ptrace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c +index 34ca344039bb..05e1367c23d5 100644 +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -413,6 +413,7 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) + /* + * floating point control reg. is in the thread structure + */ ++ save_fpu_regs(); + if ((unsigned int) data != 0 || + test_fp_ctl(data >> (BITS_PER_LONG - 32))) + return -EINVAL; +@@ -773,6 +774,7 @@ static int __poke_user_compat(struct task_struct *child, + /* + * floating point control reg. is in the thread structure + */ ++ save_fpu_regs(); + if (test_fp_ctl(tmp)) + return -EINVAL; + child->thread.fpu.fpc = data; +@@ -1006,9 +1008,7 @@ static int s390_fpregs_set(struct task_struct *target, + int rc = 0; + freg_t fprs[__NUM_FPRS]; + +- if (target == current) +- save_fpu_regs(); +- ++ save_fpu_regs(); + if (MACHINE_HAS_VX) + convert_vx_to_fp(fprs, target->thread.fpu.vxrs); + else +-- +2.43.0 + diff --git a/queue-5.4/scsi-libfc-don-t-schedule-abort-twice.patch b/queue-5.4/scsi-libfc-don-t-schedule-abort-twice.patch new file mode 100644 index 00000000000..8c7ac01ef16 --- /dev/null +++ b/queue-5.4/scsi-libfc-don-t-schedule-abort-twice.patch @@ -0,0 +1,68 @@ +From 972d002cc94c6f2bb15504f4d80165299258a912 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:58:30 +0100 +Subject: scsi: libfc: Don't schedule abort twice + +From: Hannes Reinecke + +[ Upstream commit b57c4db5d23b9df0118a25e2441c9288edd73710 ] + +The current FC error recovery is sending up to three REC (recovery) frames +in 10 second intervals, and as a final step sending an ABTS after 30 +seconds for the command itself. Unfortunately sending an ABTS is also the +action for the SCSI abort handler, and the default timeout for SCSI +commands is also 30 seconds. This causes two ABTS to be scheduled, with the +libfc one slightly earlier. The ABTS scheduled by SCSI EH then sees the +command to be already aborted, and will always return with a 'GOOD' status +irrespective on the actual result from the first ABTS. This causes the +SCSI EH abort handler to always succeed, and SCSI EH never to be engaged. +Fix this by not issuing an ABTS when a SCSI command is present for the +exchange, but rather wait for the abort scheduled from SCSI EH. And warn +if an abort is already scheduled to avoid similar errors in the future. + +Signed-off-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20231129165832.224100-2-hare@kernel.org +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_fcp.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c +index bf2cc9656e19..22e286f920f4 100644 +--- a/drivers/scsi/libfc/fc_fcp.c ++++ b/drivers/scsi/libfc/fc_fcp.c +@@ -270,6 +270,11 @@ static int fc_fcp_send_abort(struct fc_fcp_pkt *fsp) + if (!fsp->seq_ptr) + return -EINVAL; + ++ if (fsp->state & FC_SRB_ABORT_PENDING) { ++ FC_FCP_DBG(fsp, "abort already pending\n"); ++ return -EBUSY; ++ } ++ + per_cpu_ptr(fsp->lp->stats, get_cpu())->FcpPktAborts++; + put_cpu(); + +@@ -1698,11 +1703,12 @@ static void fc_fcp_recovery(struct fc_fcp_pkt *fsp, u8 code) + fsp->status_code = code; + fsp->cdb_status = 0; + fsp->io_status = 0; +- /* +- * if this fails then we let the scsi command timer fire and +- * scsi-ml escalate. +- */ +- fc_fcp_send_abort(fsp); ++ if (!fsp->cmd) ++ /* ++ * Only abort non-scsi commands; otherwise let the ++ * scsi command timer fire and scsi-ml escalate. ++ */ ++ fc_fcp_send_abort(fsp); + } + + /** +-- +2.43.0 + diff --git a/queue-5.4/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch b/queue-5.4/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch new file mode 100644 index 00000000000..a3295e286cf --- /dev/null +++ b/queue-5.4/scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch @@ -0,0 +1,37 @@ +From ca1fd1a060d1e680095831a44d0c2161445c5219 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 17:58:31 +0100 +Subject: scsi: libfc: Fix up timeout error in fc_fcp_rec_error() + +From: Hannes Reinecke + +[ Upstream commit 53122a49f49796beb2c4a1bb702303b66347e29f ] + +We should set the status to FC_TIMED_OUT when a timeout error is passed to +fc_fcp_rec_error(). + +Signed-off-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20231129165832.224100-3-hare@kernel.org +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_fcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c +index 22e286f920f4..5e00ee0645f2 100644 +--- a/drivers/scsi/libfc/fc_fcp.c ++++ b/drivers/scsi/libfc/fc_fcp.c +@@ -1685,7 +1685,7 @@ static void fc_fcp_rec_error(struct fc_fcp_pkt *fsp, struct fc_frame *fp) + if (fsp->recov_retry++ < FC_MAX_RECOV_RETRY) + fc_fcp_rec(fsp); + else +- fc_fcp_recovery(fsp, FC_ERROR); ++ fc_fcp_recovery(fsp, FC_TIMED_OUT); + break; + } + fc_fcp_unlock_pkt(fsp); +-- +2.43.0 + diff --git a/queue-5.4/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch b/queue-5.4/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch new file mode 100644 index 00000000000..7cccf713397 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch @@ -0,0 +1,64 @@ +From 1fd7748e9923d8759c7349629a627124e94fa4d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Oct 2023 12:12:17 -0700 +Subject: scsi: lpfc: Fix possible file string name overflow when updating + firmware + +From: Justin Tee + +[ Upstream commit f5779b529240b715f0e358489ad0ed933bf77c97 ] + +Because file_name and phba->ModelName are both declared a size 80 bytes, +the extra ".grp" file extension could cause an overflow into file_name. + +Define a ELX_FW_NAME_SIZE macro with value 84. 84 incorporates the 4 extra +characters from ".grp". file_name is changed to be declared as a char and +initialized to zeros i.e. null chars. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc.h | 1 + + drivers/scsi/lpfc/lpfc_init.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 088b764aefa4..7ce0d94cdc01 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -32,6 +32,7 @@ + struct lpfc_sli2_slim; + + #define ELX_MODEL_NAME_SIZE 80 ++#define ELX_FW_NAME_SIZE 84 + + #define LPFC_PCI_DEV_LP 0x1 + #define LPFC_PCI_DEV_OC 0x2 +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index af5238ab6309..f5e509381563 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -12527,7 +12527,7 @@ lpfc_write_firmware(const struct firmware *fw, void *context) + int + lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade) + { +- uint8_t file_name[ELX_MODEL_NAME_SIZE]; ++ char file_name[ELX_FW_NAME_SIZE] = {0}; + int ret; + const struct firmware *fw; + +@@ -12536,7 +12536,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade) + LPFC_SLI_INTF_IF_TYPE_2) + return -EPERM; + +- snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName); ++ scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName); + + if (fw_upgrade == INT_FW_UPGRADE) { + ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_HOTPLUG, +-- +2.43.0 + diff --git a/queue-5.4/selftests-bpf-fix-pyperf180-compilation-failure-with.patch b/queue-5.4/selftests-bpf-fix-pyperf180-compilation-failure-with.patch new file mode 100644 index 00000000000..cab3d61784e --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-pyperf180-compilation-failure-with.patch @@ -0,0 +1,83 @@ +From 012aa03e5c050ce59496d9bf78b82be07751e0cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 11:36:44 -0800 +Subject: selftests/bpf: Fix pyperf180 compilation failure with clang18 + +From: Yonghong Song + +[ Upstream commit 100888fb6d8a185866b1520031ee7e3182b173de ] + +With latest clang18 (main branch of llvm-project repo), when building bpf selftests, + [~/work/bpf-next (master)]$ make -C tools/testing/selftests/bpf LLVM=1 -j + +The following compilation error happens: + fatal error: error in backend: Branch target out of insn range + ... + Stack dump: + 0. Program arguments: clang -g -Wall -Werror -D__TARGET_ARCH_x86 -mlittle-endian + -I/home/yhs/work/bpf-next/tools/testing/selftests/bpf/tools/include + -I/home/yhs/work/bpf-next/tools/testing/selftests/bpf -I/home/yhs/work/bpf-next/tools/include/uapi + -I/home/yhs/work/bpf-next/tools/testing/selftests/usr/include -idirafter + /home/yhs/work/llvm-project/llvm/build.18/install/lib/clang/18/include -idirafter /usr/local/include + -idirafter /usr/include -Wno-compare-distinct-pointer-types -DENABLE_ATOMICS_TESTS -O2 --target=bpf + -c progs/pyperf180.c -mcpu=v3 -o /home/yhs/work/bpf-next/tools/testing/selftests/bpf/pyperf180.bpf.o + 1. parser at end of file + 2. Code generation + ... + +The compilation failure only happens to cpu=v2 and cpu=v3. cpu=v4 is okay +since cpu=v4 supports 32-bit branch target offset. + +The above failure is due to upstream llvm patch [1] where some inlining behavior +are changed in clang18. + +To workaround the issue, previously all 180 loop iterations are fully unrolled. +The bpf macro __BPF_CPU_VERSION__ (implemented in clang18 recently) is used to avoid +unrolling changes if cpu=v4. If __BPF_CPU_VERSION__ is not available and the +compiler is clang18, the unrollng amount is unconditionally reduced. + + [1] https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e + +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Tested-by: Alan Maguire +Link: https://lore.kernel.org/bpf/20231110193644.3130906-1-yonghong.song@linux.dev +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/pyperf180.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/tools/testing/selftests/bpf/progs/pyperf180.c b/tools/testing/selftests/bpf/progs/pyperf180.c +index c39f559d3100..42c4a8b62e36 100644 +--- a/tools/testing/selftests/bpf/progs/pyperf180.c ++++ b/tools/testing/selftests/bpf/progs/pyperf180.c +@@ -1,4 +1,26 @@ + // SPDX-License-Identifier: GPL-2.0 + // Copyright (c) 2019 Facebook + #define STACK_MAX_LEN 180 ++ ++/* llvm upstream commit at clang18 ++ * https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e ++ * changed inlining behavior and caused compilation failure as some branch ++ * target distance exceeded 16bit representation which is the maximum for ++ * cpu v1/v2/v3. Macro __BPF_CPU_VERSION__ is later implemented in clang18 ++ * to specify which cpu version is used for compilation. So a smaller ++ * unroll_count can be set if __BPF_CPU_VERSION__ is less than 4, which ++ * reduced some branch target distances and resolved the compilation failure. ++ * ++ * To capture the case where a developer/ci uses clang18 but the corresponding ++ * repo checkpoint does not have __BPF_CPU_VERSION__, a smaller unroll_count ++ * will be set as well to prevent potential compilation failures. ++ */ ++#ifdef __BPF_CPU_VERSION__ ++#if __BPF_CPU_VERSION__ < 4 ++#define UNROLL_COUNT 90 ++#endif ++#elif __clang_major__ == 18 ++#define UNROLL_COUNT 90 ++#endif ++ + #include "pyperf.h" +-- +2.43.0 + diff --git a/queue-5.4/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch b/queue-5.4/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch new file mode 100644 index 00000000000..abc03cdd42e --- /dev/null +++ b/queue-5.4/selftests-bpf-satisfy-compiler-by-having-explicit-re.patch @@ -0,0 +1,35 @@ +From dfd29d08520d583a476465f466aedcda19de51af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Nov 2023 20:37:44 -0700 +Subject: selftests/bpf: satisfy compiler by having explicit return in btf test + +From: Andrii Nakryiko + +[ Upstream commit f4c7e887324f5776eef6e6e47a90e0ac8058a7a8 ] + +Some compilers complain about get_pprint_mapv_size() not returning value +in some code paths. Fix with explicit return. + +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20231102033759.2541186-3-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_btf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/test_btf.c b/tools/testing/selftests/bpf/test_btf.c +index f641eb292a88..a821ff121e03 100644 +--- a/tools/testing/selftests/bpf/test_btf.c ++++ b/tools/testing/selftests/bpf/test_btf.c +@@ -4663,6 +4663,7 @@ static size_t get_pprint_mapv_size(enum pprint_mapv_kind_t mapv_kind) + #endif + + assert(0); ++ return 0; + } + + static void set_pprint_mapv(enum pprint_mapv_kind_t mapv_kind, +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 7d7a1fdc25c..5eccc8d94ae 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -58,3 +58,104 @@ spi-bcm-qspi-fix-sfdp-bfpt-read-by-usig-mspi-read.patch mips-call-lose_fpu-0-before-initializing-fcr31-in-mips_set_personality_nan.patch tick-sched-preserve-number-of-idle-sleeps-across-cpu-hotplug-events.patch x86-entry-ia32-ensure-s32-is-sign-extended-to-s64.patch +powerpc-mm-fix-null-pointer-dereference-in-pgtable_c.patch +powerpc-fix-build-error-due-to-is_valid_bugaddr.patch +powerpc-mm-fix-build-failures-due-to-arch_reserved_k.patch +powerpc-pmd_move_must_withdraw-is-only-needed-for-co.patch +powerpc-lib-validate-size-for-vector-operations.patch +x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch +perf-core-fix-narrow-startup-race-when-creating-the-.patch +regulator-core-only-increment-use_count-when-enable_.patch +audit-send-netlink-ack-before-setting-connection-in-.patch +acpi-video-add-quirk-for-the-colorful-x15-at-23-lapt.patch +pnp-acpi-fix-fortify-warning.patch +acpi-extlog-fix-null-pointer-dereference-check.patch +fs-jfs-ubsan-array-index-out-of-bounds-in-dbadjtree.patch +ubsan-array-index-out-of-bounds-in-dtsplitroot.patch +jfs-fix-slab-out-of-bounds-read-in-dtsearch.patch +jfs-fix-array-index-out-of-bounds-in-dbadjtree.patch +jfs-fix-uaf-in-jfs_evict_inode.patch +pstore-ram-fix-crash-when-setting-number-of-cpus-to-.patch +crypto-stm32-crc32-fix-parsing-list-of-devices.patch +afs-fix-the-usage-of-read_seqbegin_or_lock-in-afs_fi.patch +rxrpc_find_service_conn_rcu-fix-the-usage-of-read_se.patch +jfs-fix-array-index-out-of-bounds-in-dinewext.patch +hexagon-make-pfn-accessors-statics-inlines.patch +s390-ptrace-handle-setting-of-fpc-register-correctly.patch +kvm-s390-fix-setting-of-fpc-register.patch +sunrpc-fix-a-suspicious-rcu-usage-warning.patch +ecryptfs-reject-casefold-directory-inodes.patch +ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch +ext4-unify-the-type-of-flexbg_size-to-unsigned-int.patch +ext4-remove-unnecessary-check-from-alloc_flex_gd.patch +ext4-avoid-online-resizing-failures-due-to-oversized.patch +wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch +selftests-bpf-satisfy-compiler-by-having-explicit-re.patch +selftests-bpf-fix-pyperf180-compilation-failure-with.patch +scsi-lpfc-fix-possible-file-string-name-overflow-whe.patch +pci-add-no-pm-reset-quirk-for-nvidia-spectrum-device.patch +bonding-return-enomem-instead-of-bug-in-alb_upper_de.patch +arm-dts-imx7d-fix-coresight-funnel-ports.patch +arm-dts-imx7s-fix-lcdif-compatible.patch +arm-dts-imx7s-fix-nand-controller-size-cells.patch +wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch +bpf-add-map-and-need_defer-parameters-to-.map_fd_put.patch +scsi-libfc-don-t-schedule-abort-twice.patch +scsi-libfc-fix-up-timeout-error-in-fc_fcp_rec_error.patch +arm-dts-rockchip-fix-rk3036-hdmi-ports-node.patch +arm-dts-imx25-27-eukrea-fix-rtc-node-name.patch +arm-dts-imx-use-flash-0-0-pattern.patch +arm-dts-imx27-fix-sram-node.patch +arm-dts-imx1-fix-sram-node.patch +arm-dts-imx25-27-pass-timing0.patch +arm-dts-imx27-apf27dev-fix-led-name.patch +arm-dts-imx23-sansa-use-preferred-i2c-gpios-properti.patch +arm-dts-imx23-28-fix-the-dma-controller-node-name.patch +block-prevent-an-integer-overflow-in-bvec_try_merge_.patch +md-whenassemble-the-array-consult-the-superblock-of-.patch +arm64-dts-qcom-msm8996-fix-in-ports-is-a-required-pr.patch +arm64-dts-qcom-msm8998-fix-out-ports-is-a-required-p.patch +wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch +libbpf-fix-null-pointer-dereference-in-bpf_object__c.patch +wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch +wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch +f2fs-fix-to-check-return-value-of-f2fs_reserve_new_b.patch +asoc-doc-fix-undefined-snd_soc_dapm_nopm-argument.patch +fast_dput-handle-underflows-gracefully.patch +rdma-ipoib-fix-error-code-return-in-ipoib_mcast_join.patch +drm-drm_file-fix-use-of-uninitialized-variable.patch +drm-framebuffer-fix-use-of-uninitialized-variable.patch +drm-mipi-dsi-fix-detach-call-without-attach.patch +media-stk1160-fixed-high-volume-of-stk1160_dbg-messa.patch +media-rockchip-rga-fix-swizzling-for-rgb-formats.patch +pci-add-intel_hda_arl-to-pci_ids.h.patch +alsa-hda-intel-add-hda_arl-pci-id-support.patch +hwmon-pc87360-bounds-check-data-innr-usage.patch +drm-exynos-call-drm_atomic_helper_shutdown-at-shutdo.patch +ib-ipoib-fix-mcast-list-locking.patch +media-ddbridge-fix-an-error-code-problem-in-ddb_prob.patch +drm-msm-dpu-ratelimit-framedone-timeout-msgs.patch +clk-hi3620-fix-memory-leak-in-hi3620_mmc_clk_init.patch +clk-mmp-pxa168-fix-memory-leak-in-pxa168_clk_init.patch +drm-amd-display-make-flip_timestamp_in_us-a-64-bit-v.patch +drm-amdgpu-let-kfd-sync-with-vm-fences.patch +drm-amdgpu-drop-fence-check-in-to_amdgpu_amdkfd_fenc.patch +leds-trigger-panic-don-t-register-panic-notifier-if-.patch +um-fix-naming-clash-between-uml-and-scheduler.patch +um-don-t-use-vfprintf-for-os_info.patch +um-net-fix-return-type-of-uml_net_start_xmit.patch +i3c-master-cdns-update-maximum-prescaler-value-for-i.patch +mfd-ti_am335x_tscadc-fix-ti-soc-dependencies.patch +pci-only-override-amd-usb-controller-if-required.patch +pci-switchtec-fix-stdev_release-crash-after-surprise.patch +usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch +fs-kernfs-dir-obey-s_isgid.patch +pci-aer-decode-requester-id-when-no-error-info-found.patch +misc-lis3lv02d_i2c-add-missing-setting-of-the-reg_ct.patch +libsubcmd-fix-memory-leak-in-uniq.patch +virtio_net-fix-d-directive-writing-between-1-and-11-.patch +blk-mq-fix-io-hang-from-sbitmap-wakeup-race.patch +ceph-fix-deadlock-or-deadcode-of-misusing-dget.patch +drm-amdgpu-release-adev-pm.fw-before-return-in-amdgp.patch +perf-fix-the-nr_addr_filters-fix.patch +wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch diff --git a/queue-5.4/sunrpc-fix-a-suspicious-rcu-usage-warning.patch b/queue-5.4/sunrpc-fix-a-suspicious-rcu-usage-warning.patch new file mode 100644 index 00000000000..a483f28386e --- /dev/null +++ b/queue-5.4/sunrpc-fix-a-suspicious-rcu-usage-warning.patch @@ -0,0 +1,121 @@ +From 8ca71f14f5187077a8f3ee7fe07033c2ff14241a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 17:06:18 -0500 +Subject: SUNRPC: Fix a suspicious RCU usage warning + +From: Anna Schumaker + +[ Upstream commit 31b62908693c90d4d07db597e685d9f25a120073 ] + +I received the following warning while running cthon against an ontap +server running pNFS: + +[ 57.202521] ============================= +[ 57.202522] WARNING: suspicious RCU usage +[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted +[ 57.202525] ----------------------------- +[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!! +[ 57.202527] + other info that might help us debug this: + +[ 57.202528] + rcu_scheduler_active = 2, debug_locks = 1 +[ 57.202529] no locks held by test5/3567. +[ 57.202530] + stack backtrace: +[ 57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e +[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022 +[ 57.202536] Call Trace: +[ 57.202537] +[ 57.202540] dump_stack_lvl+0x77/0xb0 +[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0 +[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6] +[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a] +[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a] +[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202866] write_cache_pages+0x265/0x450 +[ 57.202870] ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202913] do_writepages+0xd2/0x230 +[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80 +[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80 +[ 57.202924] filemap_write_and_wait_range+0xd9/0x170 +[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902] +[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9] +[ 57.202969] __se_sys_close+0x46/0xd0 +[ 57.202972] do_syscall_64+0x68/0x100 +[ 57.202975] ? do_syscall_64+0x77/0x100 +[ 57.202976] ? do_syscall_64+0x77/0x100 +[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76 +[ 57.202982] RIP: 0033:0x7fe2b12e4a94 +[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3 +[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 +[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94 +[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003 +[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49 +[ 57.202993] R10: 00007fe2b11f8300 R11: 0000000000000202 R12: 0000000000000000 +[ 57.202994] R13: 00007ffe857dfd80 R14: 00007fe2b1445000 R15: 0000000000000000 +[ 57.202999] + +The problem seems to be that two out of three callers aren't taking the +rcu_read_lock() before calling the list_for_each_entry_rcu() function in +rpc_xprt_switch_has_addr(). I fix this by having +rpc_xprt_switch_has_addr() unconditionaly take the rcu_read_lock(), +which is okay to do recursively in the case that the lock has already +been taken by a caller. + +Reviewed-by: Jeff Layton +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtmultipath.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/xprtmultipath.c b/net/sunrpc/xprtmultipath.c +index 78c075a68c04..a11e80d17830 100644 +--- a/net/sunrpc/xprtmultipath.c ++++ b/net/sunrpc/xprtmultipath.c +@@ -253,8 +253,9 @@ struct rpc_xprt *xprt_iter_current_entry(struct rpc_xprt_iter *xpi) + return xprt_switch_find_current_entry(head, xpi->xpi_cursor); + } + +-bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, +- const struct sockaddr *sap) ++static ++bool __rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, ++ const struct sockaddr *sap) + { + struct list_head *head; + struct rpc_xprt *pos; +@@ -273,6 +274,18 @@ bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, + return false; + } + ++bool rpc_xprt_switch_has_addr(struct rpc_xprt_switch *xps, ++ const struct sockaddr *sap) ++{ ++ bool res; ++ ++ rcu_read_lock(); ++ res = __rpc_xprt_switch_has_addr(xps, sap); ++ rcu_read_unlock(); ++ ++ return res; ++} ++ + static + struct rpc_xprt *xprt_switch_find_next_entry(struct list_head *head, + const struct rpc_xprt *cur) +-- +2.43.0 + diff --git a/queue-5.4/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch b/queue-5.4/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch new file mode 100644 index 00000000000..4dbb389908d --- /dev/null +++ b/queue-5.4/ubsan-array-index-out-of-bounds-in-dtsplitroot.patch @@ -0,0 +1,77 @@ +From 222cab5e1c6be35eb65d17846eb393b3dd298ff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Oct 2023 00:10:28 +0500 +Subject: UBSAN: array-index-out-of-bounds in dtSplitRoot + +From: Osama Muhammad + +[ Upstream commit 27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16 ] + +Syzkaller reported the following issue: + +oop0: detected capacity change from 0 to 32768 + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 +index -2 is out of range for type 'struct dtslot [128]' +CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 + dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 + dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] + dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 + jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 + vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 + do_mkdirat+0x279/0x550 fs/namei.c:4038 + __do_sys_mkdirat fs/namei.c:4053 [inline] + __se_sys_mkdirat fs/namei.c:4051 [inline] + __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fcdc0113fd9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 +RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 +RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 +R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 +R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 + + +The issue is caused when the value of fsi becomes less than -1. +The check to break the loop when fsi value becomes -1 is present +but syzbot was able to produce value less than -1 which cause the error. +This patch simply add the change for the values less than 0. + +The patch is tested via syzbot. + +Reported-and-tested-by: syzbot+d4b1df2e9d4ded6488ec@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=d4b1df2e9d4ded6488ec +Signed-off-by: Osama Muhammad +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index 3acc954f7c04..a6d42e49d156 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -1970,7 +1970,7 @@ static int dtSplitRoot(tid_t tid, + do { + f = &rp->slot[fsi]; + fsi = f->next; +- } while (fsi != -1); ++ } while (fsi >= 0); + + f->next = n; + } +-- +2.43.0 + diff --git a/queue-5.4/um-don-t-use-vfprintf-for-os_info.patch b/queue-5.4/um-don-t-use-vfprintf-for-os_info.patch new file mode 100644 index 00000000000..728418044c6 --- /dev/null +++ b/queue-5.4/um-don-t-use-vfprintf-for-os_info.patch @@ -0,0 +1,72 @@ +From cd96d2f2df22cc827804adb55f132b0e5a624f40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Nov 2023 12:03:41 +0100 +Subject: um: Don't use vfprintf() for os_info() + +From: Benjamin Berg + +[ Upstream commit 236f9fe39b02c15fa5530b53e9cca48354394389 ] + +The threads allocated inside the kernel have only a single page of +stack. Unfortunately, the vfprintf function in standard glibc may use +too much stack-space, overflowing it. + +To make os_info safe to be used by helper threads, use the kernel +vscnprintf function into a smallish buffer and write out the information +to stderr. + +Signed-off-by: Benjamin Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/os-Linux/util.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/um/os-Linux/util.c b/arch/um/os-Linux/util.c +index ecf2f390fad2..b76ac4df5da5 100644 +--- a/arch/um/os-Linux/util.c ++++ b/arch/um/os-Linux/util.c +@@ -166,23 +166,38 @@ __uml_setup("quiet", quiet_cmd_param, + "quiet\n" + " Turns off information messages during boot.\n\n"); + ++/* ++ * The os_info/os_warn functions will be called by helper threads. These ++ * have a very limited stack size and using the libc formatting functions ++ * may overflow the stack. ++ * So pull in the kernel vscnprintf and use that instead with a fixed ++ * on-stack buffer. ++ */ ++int vscnprintf(char *buf, size_t size, const char *fmt, va_list args); ++ + void os_info(const char *fmt, ...) + { ++ char buf[256]; + va_list list; ++ int len; + + if (quiet_info) + return; + + va_start(list, fmt); +- vfprintf(stderr, fmt, list); ++ len = vscnprintf(buf, sizeof(buf), fmt, list); ++ fwrite(buf, len, 1, stderr); + va_end(list); + } + + void os_warn(const char *fmt, ...) + { ++ char buf[256]; + va_list list; ++ int len; + + va_start(list, fmt); +- vfprintf(stderr, fmt, list); ++ len = vscnprintf(buf, sizeof(buf), fmt, list); ++ fwrite(buf, len, 1, stderr); + va_end(list); + } +-- +2.43.0 + diff --git a/queue-5.4/um-fix-naming-clash-between-uml-and-scheduler.patch b/queue-5.4/um-fix-naming-clash-between-uml-and-scheduler.patch new file mode 100644 index 00000000000..d1a3ac6870a --- /dev/null +++ b/queue-5.4/um-fix-naming-clash-between-uml-and-scheduler.patch @@ -0,0 +1,82 @@ +From b5ca63621ffcea765056008a5f4fb3b94e892515 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 15:34:44 +0100 +Subject: um: Fix naming clash between UML and scheduler + +From: Anton Ivanov + +[ Upstream commit 541d4e4d435c8b9bfd29f70a1da4a2db97794e0a ] + +__cant_sleep was already used and exported by the scheduler. +The name had to be changed to a UML specific one. + +Signed-off-by: Anton Ivanov +Reviewed-by: Peter Lafreniere +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/shared/kern_util.h | 2 +- + arch/um/kernel/process.c | 2 +- + arch/um/os-Linux/helper.c | 6 +++--- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/um/include/shared/kern_util.h b/arch/um/include/shared/kern_util.h +index ccafb62e8cce..42dc0e47d3ad 100644 +--- a/arch/um/include/shared/kern_util.h ++++ b/arch/um/include/shared/kern_util.h +@@ -49,7 +49,7 @@ extern void do_uml_exitcalls(void); + * Are we disallowed to sleep? Used to choose between GFP_KERNEL and + * GFP_ATOMIC. + */ +-extern int __cant_sleep(void); ++extern int __uml_cant_sleep(void); + extern int get_current_pid(void); + extern int copy_from_user_proc(void *to, void *from, int size); + extern int cpu(void); +diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c +index d71dd7725bef..f185d19fd9b6 100644 +--- a/arch/um/kernel/process.c ++++ b/arch/um/kernel/process.c +@@ -258,7 +258,7 @@ void arch_cpu_idle(void) + local_irq_enable(); + } + +-int __cant_sleep(void) { ++int __uml_cant_sleep(void) { + return in_atomic() || irqs_disabled() || in_interrupt(); + /* Is in_interrupt() really needed? */ + } +diff --git a/arch/um/os-Linux/helper.c b/arch/um/os-Linux/helper.c +index 9fa6e4187d4f..57a27555092f 100644 +--- a/arch/um/os-Linux/helper.c ++++ b/arch/um/os-Linux/helper.c +@@ -45,7 +45,7 @@ int run_helper(void (*pre_exec)(void *), void *pre_data, char **argv) + unsigned long stack, sp; + int pid, fds[2], ret, n; + +- stack = alloc_stack(0, __cant_sleep()); ++ stack = alloc_stack(0, __uml_cant_sleep()); + if (stack == 0) + return -ENOMEM; + +@@ -69,7 +69,7 @@ int run_helper(void (*pre_exec)(void *), void *pre_data, char **argv) + data.pre_data = pre_data; + data.argv = argv; + data.fd = fds[1]; +- data.buf = __cant_sleep() ? uml_kmalloc(PATH_MAX, UM_GFP_ATOMIC) : ++ data.buf = __uml_cant_sleep() ? uml_kmalloc(PATH_MAX, UM_GFP_ATOMIC) : + uml_kmalloc(PATH_MAX, UM_GFP_KERNEL); + pid = clone(helper_child, (void *) sp, CLONE_VM, &data); + if (pid < 0) { +@@ -116,7 +116,7 @@ int run_helper_thread(int (*proc)(void *), void *arg, unsigned int flags, + unsigned long stack, sp; + int pid, status, err; + +- stack = alloc_stack(0, __cant_sleep()); ++ stack = alloc_stack(0, __uml_cant_sleep()); + if (stack == 0) + return -ENOMEM; + +-- +2.43.0 + diff --git a/queue-5.4/um-net-fix-return-type-of-uml_net_start_xmit.patch b/queue-5.4/um-net-fix-return-type-of-uml_net_start_xmit.patch new file mode 100644 index 00000000000..a32db15981b --- /dev/null +++ b/queue-5.4/um-net-fix-return-type-of-uml_net_start_xmit.patch @@ -0,0 +1,53 @@ +From 44800fc0b6d77e4ed2cc4da7543e6edd28160c3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Dec 2023 09:49:46 -0700 +Subject: um: net: Fix return type of uml_net_start_xmit() + +From: Nathan Chancellor + +[ Upstream commit 7d748f60a4b82b50bf25fad1bd42d33f049f76aa ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +warning in clang aims to catch these at compile time, which reveals: + + arch/um/drivers/net_kern.c:353:21: warning: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Wincompatible-function-pointer-types-strict] + 353 | .ndo_start_xmit = uml_net_start_xmit, + | ^~~~~~~~~~~~~~~~~~ + 1 warning generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of uml_net_start_xmit() +to match the prototype's to resolve the warning. While UML does not +currently implement support for kCFI, it could in the future, which +means this warning becomes a fatal CFI failure at run time. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202310031340.v1vPh207-lkp@intel.com/ +Acked-by: Anton Ivanov +Signed-off-by: Nathan Chancellor +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/net_kern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/drivers/net_kern.c b/arch/um/drivers/net_kern.c +index 327b728f7244..db15a456482f 100644 +--- a/arch/um/drivers/net_kern.c ++++ b/arch/um/drivers/net_kern.c +@@ -204,7 +204,7 @@ static int uml_net_close(struct net_device *dev) + return 0; + } + +-static int uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t uml_net_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct uml_net_private *lp = netdev_priv(dev); + unsigned long flags; +-- +2.43.0 + diff --git a/queue-5.4/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch b/queue-5.4/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch new file mode 100644 index 00000000000..8de976eec46 --- /dev/null +++ b/queue-5.4/usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch @@ -0,0 +1,39 @@ +From d14a9ea9392eef771265f9549832b5958fe9976b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 19:18:28 +0100 +Subject: usb: hub: Replace hardcoded quirk value with BIT() macro + +From: Hardik Gajjar + +[ Upstream commit 6666ea93d2c422ebeb8039d11e642552da682070 ] + +This patch replaces the hardcoded quirk value in the macro with +BIT(). + +Signed-off-by: Hardik Gajjar +Reviewed-by: Alan Stern +Link: https://lore.kernel.org/r/20231205181829.127353-1-hgajjar@de.adit-jv.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 9a1954e9f6f1..8e55eadb8feb 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -44,8 +44,8 @@ + #define USB_VENDOR_TEXAS_INSTRUMENTS 0x0451 + #define USB_PRODUCT_TUSB8041_USB3 0x8140 + #define USB_PRODUCT_TUSB8041_USB2 0x8142 +-#define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01 +-#define HUB_QUIRK_DISABLE_AUTOSUSPEND 0x02 ++#define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND BIT(0) ++#define HUB_QUIRK_DISABLE_AUTOSUSPEND BIT(1) + + #define USB_TP_TRANSMISSION_DELAY 40 /* ns */ + #define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */ +-- +2.43.0 + diff --git a/queue-5.4/virtio_net-fix-d-directive-writing-between-1-and-11-.patch b/queue-5.4/virtio_net-fix-d-directive-writing-between-1-and-11-.patch new file mode 100644 index 00000000000..fdc2b0a628d --- /dev/null +++ b/queue-5.4/virtio_net-fix-d-directive-writing-between-1-and-11-.patch @@ -0,0 +1,84 @@ +From f6d9303775adb20d35e48ad1fc7f016274fe1902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jan 2024 10:09:02 +0800 +Subject: =?UTF-8?q?virtio=5Fnet:=20Fix=20"=E2=80=98%d=E2=80=99=20directive?= + =?UTF-8?q?=20writing=20between=201=20and=2011=20bytes=20into=20a=20region?= + =?UTF-8?q?=20of=20size=2010"=20warnings?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhu Yanjun + +[ Upstream commit e3fe8d28c67bf6c291e920c6d04fa22afa14e6e4 ] + +Fix the warnings when building virtio_net driver. + +" +drivers/net/virtio_net.c: In function ‘init_vqs’: +drivers/net/virtio_net.c:4551:48: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 10 [-Wformat-overflow=] + 4551 | sprintf(vi->rq[i].name, "input.%d", i); + | ^~ +In function ‘virtnet_find_vqs’, + inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8: +drivers/net/virtio_net.c:4551:41: note: directive argument in the range [-2147483643, 65534] + 4551 | sprintf(vi->rq[i].name, "input.%d", i); + | ^~~~~~~~~~ +drivers/net/virtio_net.c:4551:17: note: ‘sprintf’ output between 8 and 18 bytes into a destination of size 16 + 4551 | sprintf(vi->rq[i].name, "input.%d", i); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/net/virtio_net.c: In function ‘init_vqs’: +drivers/net/virtio_net.c:4552:49: warning: ‘%d’ directive writing between 1 and 11 bytes into a region of size 9 [-Wformat-overflow=] + 4552 | sprintf(vi->sq[i].name, "output.%d", i); + | ^~ +In function ‘virtnet_find_vqs’, + inlined from ‘init_vqs’ at drivers/net/virtio_net.c:4645:8: +drivers/net/virtio_net.c:4552:41: note: directive argument in the range [-2147483643, 65534] + 4552 | sprintf(vi->sq[i].name, "output.%d", i); + | ^~~~~~~~~~~ +drivers/net/virtio_net.c:4552:17: note: ‘sprintf’ output between 9 and 19 bytes into a destination of size 16 + 4552 | sprintf(vi->sq[i].name, "output.%d", i); + +" + +Reviewed-by: Xuan Zhuo +Signed-off-by: Zhu Yanjun +Link: https://lore.kernel.org/r/20240104020902.2753599-1-yanjun.zhu@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index f6a6678f43b9..4faf3275b1f6 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -2864,10 +2864,11 @@ static int virtnet_find_vqs(struct virtnet_info *vi) + { + vq_callback_t **callbacks; + struct virtqueue **vqs; +- int ret = -ENOMEM; +- int i, total_vqs; + const char **names; ++ int ret = -ENOMEM; ++ int total_vqs; + bool *ctx; ++ u16 i; + + /* We expect 1 RX virtqueue followed by 1 TX virtqueue, followed by + * possible N-1 RX/TX queue pairs used in multiqueue mode, followed by +@@ -2904,8 +2905,8 @@ static int virtnet_find_vqs(struct virtnet_info *vi) + for (i = 0; i < vi->max_queue_pairs; i++) { + callbacks[rxq2vq(i)] = skb_recv_done; + callbacks[txq2vq(i)] = skb_xmit_done; +- sprintf(vi->rq[i].name, "input.%d", i); +- sprintf(vi->sq[i].name, "output.%d", i); ++ sprintf(vi->rq[i].name, "input.%u", i); ++ sprintf(vi->sq[i].name, "output.%u", i); + names[rxq2vq(i)] = vi->rq[i].name; + names[txq2vq(i)] = vi->sq[i].name; + if (ctx) +-- +2.43.0 + diff --git a/queue-5.4/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch b/queue-5.4/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch new file mode 100644 index 00000000000..4fc17475a60 --- /dev/null +++ b/queue-5.4/wifi-ath9k-fix-potential-array-index-out-of-bounds-r.patch @@ -0,0 +1,61 @@ +From bcebaa2e6f570caf7967ae9aeb78b24bfe2afd2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 20:31:04 +0200 +Subject: wifi: ath9k: Fix potential array-index-out-of-bounds read in + ath9k_htc_txstatus() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Minsuk Kang + +[ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ] + +Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug +occurs when txs->cnt, data from a URB provided by a USB device, is +bigger than the size of the array txs->txstatus, which is +HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug +handling code after the check. Make the function return if that is the +case. + +Found by a modified version of syzkaller. + +UBSAN: array-index-out-of-bounds in htc_drv_txrx.c +index 13 is out of range for type '__wmi_event_txstatus [12]' +Call Trace: + ath9k_htc_txstatus + ath9k_wmi_event_tasklet + tasklet_action_common + __do_softirq + irq_exit_rxu + sysvec_apic_timer_interrupt + +Signed-off-by: Minsuk Kang +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index ee021738bef0..be4fa41bdb12 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -647,9 +647,10 @@ void ath9k_htc_txstatus(struct ath9k_htc_priv *priv, void *wmi_event) + struct ath9k_htc_tx_event *tx_pend; + int i; + +- for (i = 0; i < txs->cnt; i++) { +- WARN_ON(txs->cnt > HTC_MAX_TX_STATUS); ++ if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS)) ++ return; + ++ for (i = 0; i < txs->cnt; i++) { + __txs = &txs->txstatus[i]; + + skb = ath9k_htc_tx_get_packet(priv, __txs); +-- +2.43.0 + diff --git a/queue-5.4/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch b/queue-5.4/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch new file mode 100644 index 00000000000..0808bdb0a87 --- /dev/null +++ b/queue-5.4/wifi-cfg80211-fix-rcu-dereference-in-__cfg80211_bss_.patch @@ -0,0 +1,38 @@ +From 8cd78bdd64689a1868bd821549415ef0edccb3ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jan 2024 20:13:51 +0800 +Subject: wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update + +From: Edward Adam Davis + +[ Upstream commit 1184950e341c11b6f82bc5b59564411d9537ab27 ] + +Replace rcu_dereference() with rcu_access_pointer() since we hold +the lock here (and aren't in an RCU critical section). + +Fixes: 32af9a9e1069 ("wifi: cfg80211: free beacon_ies when overridden from hidden BSS") +Reported-and-tested-by: syzbot+864a269c27ee06b58374@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://msgid.link/tencent_BF8F0DF0258C8DBF124CDDE4DD8D992DCF07@qq.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index f3a957f2bc49..a1c53d4b6711 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1295,7 +1295,7 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, + &hidden->hidden_list); + hidden->refcount++; + +- ies = (void *)rcu_dereference(new->pub.beacon_ies); ++ ies = (void *)rcu_access_pointer(new->pub.beacon_ies); + rcu_assign_pointer(new->pub.beacon_ies, + hidden->pub.beacon_ies); + if (ies) +-- +2.43.0 + diff --git a/queue-5.4/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch b/queue-5.4/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch new file mode 100644 index 00000000000..67be9e08f7d --- /dev/null +++ b/queue-5.4/wifi-cfg80211-free-beacon_ies-when-overridden-from-h.patch @@ -0,0 +1,44 @@ +From feda0c3eee901572e7da23cb1e6b900785e87f0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Dec 2023 13:41:41 +0200 +Subject: wifi: cfg80211: free beacon_ies when overridden from hidden BSS + +From: Benjamin Berg + +[ Upstream commit 32af9a9e1069e55bc02741fb00ac9d0ca1a2eaef ] + +This is a more of a cosmetic fix. The branch will only be taken if +proberesp_ies is set, which implies that beacon_ies is not set unless we +are connected to an AP that just did a channel switch. And, in that case +we should have found the BSS in the internal storage to begin with. + +Signed-off-by: Benjamin Berg +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20231220133549.b898e22dadff.Id8c4c10aedd176ef2e18a4cad747b299f150f9df@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index e35c54ba2fd5..f3a957f2bc49 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1294,8 +1294,12 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, + list_add(&new->hidden_list, + &hidden->hidden_list); + hidden->refcount++; ++ ++ ies = (void *)rcu_dereference(new->pub.beacon_ies); + rcu_assign_pointer(new->pub.beacon_ies, + hidden->pub.beacon_ies); ++ if (ies) ++ kfree_rcu(ies, rcu_head); + } + } else { + /* +-- +2.43.0 + diff --git a/queue-5.4/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch b/queue-5.4/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch new file mode 100644 index 00000000000..8934a4340f9 --- /dev/null +++ b/queue-5.4/wifi-rt2x00-restart-beacon-queue-when-hardware-reset.patch @@ -0,0 +1,79 @@ +From 89409eb482fe50c03c491cfd448987a92f6aef7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Nov 2023 16:58:00 +0800 +Subject: wifi: rt2x00: restart beacon queue when hardware reset + +From: Shiji Yang + +[ Upstream commit a11d965a218f0cd95b13fe44d0bcd8a20ce134a8 ] + +When a hardware reset is triggered, all registers are reset, so all +queues are forced to stop in hardware interface. However, mac80211 +will not automatically stop the queue. If we don't manually stop the +beacon queue, the queue will be deadlocked and unable to start again. +This patch fixes the issue where Apple devices cannot connect to the +AP after calling ieee80211_restart_hw(). + +Signed-off-by: Shiji Yang +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/TYAP286MB031530EB6D98DCE4DF20766CBCA4A@TYAP286MB0315.JPNP286.PROD.OUTLOOK.COM +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 3 +++ + drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 11 +++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c +index c3eab767bc21..f504f3529407 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c +@@ -101,6 +101,7 @@ void rt2x00lib_disable_radio(struct rt2x00_dev *rt2x00dev) + rt2x00link_stop_tuner(rt2x00dev); + rt2x00queue_stop_queues(rt2x00dev); + rt2x00queue_flush_queues(rt2x00dev, true); ++ rt2x00queue_stop_queue(rt2x00dev->bcn); + + /* + * Disable radio. +@@ -1283,6 +1284,7 @@ int rt2x00lib_start(struct rt2x00_dev *rt2x00dev) + rt2x00dev->intf_ap_count = 0; + rt2x00dev->intf_sta_count = 0; + rt2x00dev->intf_associated = 0; ++ rt2x00dev->intf_beaconing = 0; + + /* Enable the radio */ + retval = rt2x00lib_enable_radio(rt2x00dev); +@@ -1310,6 +1312,7 @@ void rt2x00lib_stop(struct rt2x00_dev *rt2x00dev) + rt2x00dev->intf_ap_count = 0; + rt2x00dev->intf_sta_count = 0; + rt2x00dev->intf_associated = 0; ++ rt2x00dev->intf_beaconing = 0; + } + + static inline void rt2x00lib_set_if_combinations(struct rt2x00_dev *rt2x00dev) +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +index beb20c5faf5f..a0fb167b58fe 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -578,6 +578,17 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw, + */ + if (changes & BSS_CHANGED_BEACON_ENABLED) { + mutex_lock(&intf->beacon_skb_mutex); ++ ++ /* ++ * Clear the 'enable_beacon' flag and clear beacon because ++ * the beacon queue has been stopped after hardware reset. ++ */ ++ if (test_bit(DEVICE_STATE_RESET, &rt2x00dev->flags) && ++ intf->enable_beacon) { ++ intf->enable_beacon = false; ++ rt2x00queue_clear_beacon(rt2x00dev, vif); ++ } ++ + if (!bss_conf->enable_beacon && intf->enable_beacon) { + rt2x00dev->intf_beaconing--; + intf->enable_beacon = false; +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch b/queue-5.4/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch new file mode 100644 index 00000000000..387a195bf20 --- /dev/null +++ b/queue-5.4/wifi-rtl8xxxu-add-additional-usb-ids-for-rtl8192eu-d.patch @@ -0,0 +1,48 @@ +From 00c3cdb7b92261d8c2e44c48dbd8bb5b71123e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Dec 2023 20:30:17 +0800 +Subject: wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices + +From: Zenm Chen + +[ Upstream commit 4e87ca403e2008b9e182239e1abbf6876a55eb33 ] + +Add additional USB IDs found in the vendor driver from +https://github.com/Mange/rtl8192eu-linux-driver to support more +RTL8192EU devices. + +Signed-off-by: Zenm Chen +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231217123017.1982-1-zenmchen@gmail.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 2648b30aab76..0d9e31746fd2 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -6362,6 +6362,18 @@ static const struct usb_device_id dev_table[] = { + .driver_info = (unsigned long)&rtl8192eu_fops}, + {USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x818c, 0xff, 0xff, 0xff), + .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* D-Link DWA-131 rev C1 */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3312, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* TP-Link TL-WN8200ND V2 */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0126, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* Mercusys MW300UM */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0100, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, ++/* Mercusys MW300UH */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0104, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192eu_fops}, + #endif + { } + }; +-- +2.43.0 + diff --git a/queue-5.4/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch b/queue-5.4/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch new file mode 100644 index 00000000000..58f8f6c3524 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-rtl8723-be-ae-using-calculate_bit_shift.patch @@ -0,0 +1,77 @@ +From e6e4fdbee2d7858794092758380bb91229dfec15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Dec 2023 14:57:39 +0800 +Subject: wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() + +From: Su Hui + +[ Upstream commit 5c16618bc06a41ad68fd8499a21d35ef57ca06c2 ] + +Using calculate_bit_shift() to replace rtl8723_phy_calculate_bit_shift(). +And fix an undefined bitwise shift behavior problem. + +Signed-off-by: Su Hui +Signed-off-by: Kalle Valo +Link: https://msgid.link/20231219065739.1895666-12-suhui@nfschina.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c | 6 +++--- + drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c +index 54a3aec1dfa7..bc42bfc394a5 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c +@@ -50,7 +50,7 @@ u32 rtl8723e_phy_query_rf_reg(struct ieee80211_hw *hw, + rfpath, regaddr); + } + +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); +@@ -82,7 +82,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw, + original_value = rtl8723_phy_rf_serial_read(hw, + rfpath, + regaddr); +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +@@ -91,7 +91,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw, + rtl8723_phy_rf_serial_write(hw, rfpath, regaddr, data); + } else { + if (bitmask != RFREG_OFFSET_MASK) { +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = + ((original_value & (~bitmask)) | + (data << bitshift)); +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c +index aa8a0950fcea..d753e3d15bdb 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c +@@ -42,7 +42,7 @@ u32 rtl8723be_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath, + spin_lock_irqsave(&rtlpriv->locks.rf_lock, flags); + + original_value = rtl8723_phy_rf_serial_read(hw, rfpath, regaddr); +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + readback_value = (original_value & bitmask) >> bitshift; + + spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags); +@@ -70,7 +70,7 @@ void rtl8723be_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path path, + if (bitmask != RFREG_OFFSET_MASK) { + original_value = rtl8723_phy_rf_serial_read(hw, path, + regaddr); +- bitshift = rtl8723_phy_calculate_bit_shift(bitmask); ++ bitshift = calculate_bit_shift(bitmask); + data = ((original_value & (~bitmask)) | + (data << bitshift)); + } +-- +2.43.0 + diff --git a/queue-5.4/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch b/queue-5.4/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch new file mode 100644 index 00000000000..1825101f3e9 --- /dev/null +++ b/queue-5.4/x86-mce-mark-fatal-mce-s-page-as-poison-to-avoid-pan.patch @@ -0,0 +1,83 @@ +From 0da0082f6ac3d647fb27848fcdbd4b83dc6b5243 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 08:39:03 +0800 +Subject: x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump + kernel + +From: Zhiquan Li + +[ Upstream commit 9f3b130048bfa2e44a8cfb1b616f826d9d5d8188 ] + +Memory errors don't happen very often, especially fatal ones. However, +in large-scale scenarios such as data centers, that probability +increases with the amount of machines present. + +When a fatal machine check happens, mce_panic() is called based on the +severity grading of that error. The page containing the error is not +marked as poison. + +However, when kexec is enabled, tools like makedumpfile understand when +pages are marked as poison and do not touch them so as not to cause +a fatal machine check exception again while dumping the previous +kernel's memory. + +Therefore, mark the page containing the error as poisoned so that the +kexec'ed kernel can avoid accessing the page. + + [ bp: Rewrite commit message and comment. ] + +Co-developed-by: Youquan Song +Signed-off-by: Youquan Song +Signed-off-by: Zhiquan Li +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Naoya Horiguchi +Link: https://lore.kernel.org/r/20231014051754.3759099-1-zhiquan1.li@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/core.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 9b98a7d8ac60..84c0e5c2518c 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -42,6 +42,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -315,6 +316,7 @@ static noinstr void mce_panic(const char *msg, struct mce *final, char *exp) + struct llist_node *pending; + struct mce_evt_llist *l; + int apei_err = 0; ++ struct page *p; + + /* + * Allow instrumentation around external facilities usage. Not that it +@@ -370,6 +372,20 @@ static noinstr void mce_panic(const char *msg, struct mce *final, char *exp) + if (!fake_panic) { + if (panic_timeout == 0) + panic_timeout = mca_cfg.panic_timeout; ++ ++ /* ++ * Kdump skips the poisoned page in order to avoid ++ * touching the error bits again. Poison the page even ++ * if the error is fatal and the machine is about to ++ * panic. ++ */ ++ if (kexec_crash_loaded()) { ++ if (final && (final->status & MCI_STATUS_ADDRV)) { ++ p = pfn_to_online_page(final->addr >> PAGE_SHIFT); ++ if (p) ++ SetPageHWPoison(p); ++ } ++ } + panic(msg); + } else + pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg); +-- +2.43.0 + -- 2.47.3