From 985d3c8376de7a5c6462d43e55cb640f1d8d020a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 4 Jan 2023 15:47:42 +0100 Subject: [PATCH] 6.0-stable patches added patches: asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch crypto-ccree-hisilicon-fix-dependencies-to-correct-algorithm.patch crypto-n2-add-missing-hash-statesize.patch device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch drm-connector-send-hotplug-uevent-on-connector-cleanup.patch drm-etnaviv-move-idle-mapping-reaping-into-separate-function.patch drm-etnaviv-reap-idle-mapping-if-it-doesn-t-match-the-softpin-address.patch drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch drm-i915-sdvo-filter-out-invalid-outputs-more-sensibly.patch drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch ima-fix-memory-leak-in-__ima_inode_hash.patch iommu-amd-fix-ill-formed-ivrs_ioapic-ivrs_hpet-and-ivrs_acpihid-options.patch iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch mtd-spi-nor-gigadevice-gd25q256-replace-gd25q256_default_init-with-gd25q256_post_bfpt.patch parisc-add-missing-force-prerequisites-in-makefile.patch parisc-drop-pmd_shift-from-calculation-in-pgtable.h.patch parisc-fix-locking-in-pdc_iodc_print-firmware-call.patch parisc-led-fix-potential-null-ptr-deref-in-start_task.patch pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch pci-sysfs-fix-double-free-in-error-path.patch phy-qcom-qmp-combo-fix-sc8180x-reset.patch remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch remoteproc-imx_dsp_rproc-add-mutex-protection-for-workqueue.patch remoteproc-imx_rproc-correct-i.mx93-dram-mapping.patch risc-v-kexec-fix-memory-leak-of-elf-header-buffer.patch risc-v-kexec-fix-memory-leak-of-fdt-buffer.patch riscv-fixup-compile-error-with-mmu.patch riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch test_kprobes-fix-implicit-declaration-error-of-test_kprobes.patch wifi-wilc1000-sdio-fix-module-autoloading.patch --- ...s-handle-independent-fifo-flush-bits.patch | 112 ++++++++++ ...een-channel-preparation-and-m0-event.patch | 46 ++++ ...dd-support-for-tee-for-pci-id-0x14ca.patch | 49 +++++ ...ix-dependencies-to-correct-algorithm.patch | 52 +++++ ...crypto-n2-add-missing-hash-statesize.patch | 74 +++++++ ...iginal-exceptions-after-copy-failure.patch | 95 ++++++++ ...ch-error-handling-in-__driver_attach.patch | 46 ++++ ...-hotplug-uevent-on-connector-cleanup.patch | 59 +++++ ...pping-reaping-into-separate-function.patch | 88 ++++++++ ...it-doesn-t-match-the-softpin-address.patch | 47 ++++ ...ket-port-selection-for-dual-link-dsi.patch | 40 ++++ ...er-out-invalid-outputs-more-sensibly.patch | 91 ++++++++ ..._unregister-call-in-ingenic_drm_init.patch | 58 +++++ ...-the-box-size-for-the-snooped-cursor.patch | 37 ++++ ...mac-pro-2017-to-uefi-skip-cert-quirk.patch | 32 +++ ...cess-in-ima_restore_measurement_list.patch | 39 ++++ ...-fix-memory-leak-in-__ima_inode_hash.patch | 51 +++++ ...c-ivrs_hpet-and-ivrs_acpihid-options.patch | 207 ++++++++++++++++++ ...ix-ivrs_acpihid-cmdline-parsing-code.patch | 45 ++++ ...-wait-in-unload-when-ipmi-disconnect.patch | 94 ++++++++ ...use-after-free-in-_ipmi_destroy_user.patch | 43 ++++ ...ference-in-imgu_subdev_set_selection.patch | 130 +++++++++++ ...ix-bitmap-chunk-size-overflow-issues.patch | 99 +++++++++ ...size-in-spi_nor_find_best_erase_type.patch | 35 +++ ...default_init-with-gd25q256_post_bfpt.patch | 79 +++++++ ...sing-force-prerequisites-in-makefile.patch | 65 ++++++ ..._shift-from-calculation-in-pgtable.h.patch | 45 ++++ ...king-in-pdc_iodc_print-firmware-call.patch | 82 +++++++ ...tential-null-ptr-deref-in-start_task.patch | 42 ++++ ...ce_is_present-for-vfs-by-checking-pf.patch | 59 +++++ ...-sysfs-fix-double-free-in-error-path.patch | 58 +++++ ...phy-qcom-qmp-combo-fix-sc8180x-reset.patch | 39 ++++ ...pm_relax-when-in-rproc_offline-state.patch | 52 +++++ ...c-add-mutex-protection-for-workqueue.patch | 86 ++++++++ ...mx_rproc-correct-i.mx93-dram-mapping.patch | 35 +++ ...fix-memory-leak-of-elf-header-buffer.patch | 57 +++++ ...-kexec-fix-memory-leak-of-fdt-buffer.patch | 101 +++++++++ .../riscv-fixup-compile-error-with-mmu.patch | 47 ++++ ...remote-harts-about-mmu-cache-updates.patch | 161 ++++++++++++++ ...-ftrace_graph_ret_addr-retp-argument.patch | 36 +++ queue-6.0/series | 42 ++++ ...it-declaration-error-of-test_kprobes.patch | 48 ++++ ...wilc1000-sdio-fix-module-autoloading.patch | 31 +++ 43 files changed, 2834 insertions(+) create mode 100644 queue-6.0/asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch create mode 100644 queue-6.0/bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch create mode 100644 queue-6.0/crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch create mode 100644 queue-6.0/crypto-ccree-hisilicon-fix-dependencies-to-correct-algorithm.patch create mode 100644 queue-6.0/crypto-n2-add-missing-hash-statesize.patch create mode 100644 queue-6.0/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch create mode 100644 queue-6.0/driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch create mode 100644 queue-6.0/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch create mode 100644 queue-6.0/drm-etnaviv-move-idle-mapping-reaping-into-separate-function.patch create mode 100644 queue-6.0/drm-etnaviv-reap-idle-mapping-if-it-doesn-t-match-the-softpin-address.patch create mode 100644 queue-6.0/drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch create mode 100644 queue-6.0/drm-i915-sdvo-filter-out-invalid-outputs-more-sensibly.patch create mode 100644 queue-6.0/drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch create mode 100644 queue-6.0/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch create mode 100644 queue-6.0/efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch create mode 100644 queue-6.0/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch create mode 100644 queue-6.0/ima-fix-memory-leak-in-__ima_inode_hash.patch create mode 100644 queue-6.0/iommu-amd-fix-ill-formed-ivrs_ioapic-ivrs_hpet-and-ivrs_acpihid-options.patch create mode 100644 queue-6.0/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch create mode 100644 queue-6.0/ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch create mode 100644 queue-6.0/ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch create mode 100644 queue-6.0/ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch create mode 100644 queue-6.0/md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch create mode 100644 queue-6.0/mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch create mode 100644 queue-6.0/mtd-spi-nor-gigadevice-gd25q256-replace-gd25q256_default_init-with-gd25q256_post_bfpt.patch create mode 100644 queue-6.0/parisc-add-missing-force-prerequisites-in-makefile.patch create mode 100644 queue-6.0/parisc-drop-pmd_shift-from-calculation-in-pgtable.h.patch create mode 100644 queue-6.0/parisc-fix-locking-in-pdc_iodc_print-firmware-call.patch create mode 100644 queue-6.0/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch create mode 100644 queue-6.0/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch create mode 100644 queue-6.0/pci-sysfs-fix-double-free-in-error-path.patch create mode 100644 queue-6.0/phy-qcom-qmp-combo-fix-sc8180x-reset.patch create mode 100644 queue-6.0/remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch create mode 100644 queue-6.0/remoteproc-imx_dsp_rproc-add-mutex-protection-for-workqueue.patch create mode 100644 queue-6.0/remoteproc-imx_rproc-correct-i.mx93-dram-mapping.patch create mode 100644 queue-6.0/risc-v-kexec-fix-memory-leak-of-elf-header-buffer.patch create mode 100644 queue-6.0/risc-v-kexec-fix-memory-leak-of-fdt-buffer.patch create mode 100644 queue-6.0/riscv-fixup-compile-error-with-mmu.patch create mode 100644 queue-6.0/riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch create mode 100644 queue-6.0/riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch create mode 100644 queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_kprobes.patch create mode 100644 queue-6.0/wifi-wilc1000-sdio-fix-module-autoloading.patch diff --git a/queue-6.0/asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch b/queue-6.0/asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch new file mode 100644 index 00000000000..7ce706c7f83 --- /dev/null +++ b/queue-6.0/asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch @@ -0,0 +1,112 @@ +From 8b3a9ad86239f80ed569e23c3954a311f66481d6 Mon Sep 17 00:00:00 2001 +From: Aidan MacDonald +Date: Sun, 23 Oct 2022 15:33:20 +0100 +Subject: ASoC: jz4740-i2s: Handle independent FIFO flush bits + +From: Aidan MacDonald + +commit 8b3a9ad86239f80ed569e23c3954a311f66481d6 upstream. + +On the JZ4740, there is a single bit that flushes (empties) both +the transmit and receive FIFO. Later SoCs have independent flush +bits for each FIFO. + +Independent FIFOs can be flushed before the snd_soc_dai_active() +check because it won't disturb other active streams. This ensures +that the FIFO we're about to use is always flushed before starting +up. With shared FIFOs we can't do that because if another substream +is active, flushing its FIFO would cause underrun errors. + +This also fixes a bug: since we were only setting the JZ4740's +flush bit, which corresponds to the TX FIFO flush bit on other +SoCs, other SoCs were not having their RX FIFO flushed at all. + +Fixes: 967beb2e8777 ("ASoC: jz4740: Add jz4780 support") +Reviewed-by: Paul Cercueil +Cc: stable@vger.kernel.org +Signed-off-by: Aidan MacDonald +Link: https://lore.kernel.org/r/20221023143328.160866-2-aidanmacdonald.0x0@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/jz4740/jz4740-i2s.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +--- a/sound/soc/jz4740/jz4740-i2s.c ++++ b/sound/soc/jz4740/jz4740-i2s.c +@@ -55,7 +55,8 @@ + #define JZ_AIC_CTRL_MONO_TO_STEREO BIT(11) + #define JZ_AIC_CTRL_SWITCH_ENDIANNESS BIT(10) + #define JZ_AIC_CTRL_SIGNED_TO_UNSIGNED BIT(9) +-#define JZ_AIC_CTRL_FLUSH BIT(8) ++#define JZ_AIC_CTRL_TFLUSH BIT(8) ++#define JZ_AIC_CTRL_RFLUSH BIT(7) + #define JZ_AIC_CTRL_ENABLE_ROR_INT BIT(6) + #define JZ_AIC_CTRL_ENABLE_TUR_INT BIT(5) + #define JZ_AIC_CTRL_ENABLE_RFS_INT BIT(4) +@@ -90,6 +91,8 @@ enum jz47xx_i2s_version { + struct i2s_soc_info { + enum jz47xx_i2s_version version; + struct snd_soc_dai_driver *dai; ++ ++ bool shared_fifo_flush; + }; + + struct jz4740_i2s { +@@ -116,19 +119,44 @@ static inline void jz4740_i2s_write(cons + writel(value, i2s->base + reg); + } + ++static inline void jz4740_i2s_set_bits(const struct jz4740_i2s *i2s, ++ unsigned int reg, uint32_t bits) ++{ ++ uint32_t value = jz4740_i2s_read(i2s, reg); ++ value |= bits; ++ jz4740_i2s_write(i2s, reg, value); ++} ++ + static int jz4740_i2s_startup(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct jz4740_i2s *i2s = snd_soc_dai_get_drvdata(dai); +- uint32_t conf, ctrl; ++ uint32_t conf; + int ret; + ++ /* ++ * When we can flush FIFOs independently, only flush the FIFO ++ * that is starting up. We can do this when the DAI is active ++ * because it does not disturb other active substreams. ++ */ ++ if (!i2s->soc_info->shared_fifo_flush) { ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH); ++ else ++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_RFLUSH); ++ } ++ + if (snd_soc_dai_active(dai)) + return 0; + +- ctrl = jz4740_i2s_read(i2s, JZ_REG_AIC_CTRL); +- ctrl |= JZ_AIC_CTRL_FLUSH; +- jz4740_i2s_write(i2s, JZ_REG_AIC_CTRL, ctrl); ++ /* ++ * When there is a shared flush bit for both FIFOs, the TFLUSH ++ * bit flushes both FIFOs. Flushing while the DAI is active would ++ * cause FIFO underruns in other active substreams so we have to ++ * guard this behind the snd_soc_dai_active() check. ++ */ ++ if (i2s->soc_info->shared_fifo_flush) ++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH); + + ret = clk_prepare_enable(i2s->clk_i2s); + if (ret) +@@ -443,6 +471,7 @@ static struct snd_soc_dai_driver jz4740_ + static const struct i2s_soc_info jz4740_i2s_soc_info = { + .version = JZ_I2S_JZ4740, + .dai = &jz4740_i2s_dai, ++ .shared_fifo_flush = true, + }; + + static const struct i2s_soc_info jz4760_i2s_soc_info = { diff --git a/queue-6.0/bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch b/queue-6.0/bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch new file mode 100644 index 00000000000..03f88058deb --- /dev/null +++ b/queue-6.0/bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch @@ -0,0 +1,46 @@ +From 869a99907faea6d1835b0bd0d0422ae3519c6ea9 Mon Sep 17 00:00:00 2001 +From: Qiang Yu +Date: Sun, 16 Oct 2022 11:05:32 +0800 +Subject: bus: mhi: host: Fix race between channel preparation and M0 event + +From: Qiang Yu + +commit 869a99907faea6d1835b0bd0d0422ae3519c6ea9 upstream. + +There is a race condition where mhi_prepare_channel() updates the +read and write pointers as the base address and in parallel, if +an M0 transition occurs, the tasklet goes ahead and rings +doorbells for all channels with a delta in TRE rings assuming +they are already enabled. This causes a null pointer access. Fix +it by adding a channel enabled check before ringing channel +doorbells. + +Cc: stable@vger.kernel.org # 5.19 +Fixes: a6e2e3522f29 "bus: mhi: core: Add support for PM state transitions" +Signed-off-by: Qiang Yu +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/1665889532-13634-1-git-send-email-quic_qianyu@quicinc.com +[mani: CCed stable list] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/pm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c +index 4a42186ff111..083459028a4b 100644 +--- a/drivers/bus/mhi/host/pm.c ++++ b/drivers/bus/mhi/host/pm.c +@@ -301,7 +301,8 @@ int mhi_pm_m0_transition(struct mhi_controller *mhi_cntrl) + read_lock_irq(&mhi_chan->lock); + + /* Only ring DB if ring is not empty */ +- if (tre_ring->base && tre_ring->wp != tre_ring->rp) ++ if (tre_ring->base && tre_ring->wp != tre_ring->rp && ++ mhi_chan->ch_state == MHI_CH_STATE_ENABLED) + mhi_ring_chan_db(mhi_cntrl, mhi_chan); + read_unlock_irq(&mhi_chan->lock); + } +-- +2.39.0 + diff --git a/queue-6.0/crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch b/queue-6.0/crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch new file mode 100644 index 00000000000..33048b5586a --- /dev/null +++ b/queue-6.0/crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch @@ -0,0 +1,49 @@ +From 10da230a4df1dfe32a58eb09246f5ffe82346f27 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 28 Sep 2022 13:45:05 -0500 +Subject: crypto: ccp - Add support for TEE for PCI ID 0x14CA + +From: Mario Limonciello + +commit 10da230a4df1dfe32a58eb09246f5ffe82346f27 upstream. + +SoCs containing 0x14CA are present both in datacenter parts that +support SEV as well as client parts that support TEE. + +Cc: stable@vger.kernel.org # 5.15+ +Tested-by: Rijo-john Thomas +Signed-off-by: Mario Limonciello +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sp-pci.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -381,6 +381,15 @@ static const struct psp_vdata pspv3 = { + .inten_reg = 0x10690, + .intsts_reg = 0x10694, + }; ++ ++static const struct psp_vdata pspv4 = { ++ .sev = &sevv2, ++ .tee = &teev1, ++ .feature_reg = 0x109fc, ++ .inten_reg = 0x10690, ++ .intsts_reg = 0x10694, ++}; ++ + #endif + + static const struct sp_dev_vdata dev_vdata[] = { +@@ -426,7 +435,7 @@ static const struct sp_dev_vdata dev_vda + { /* 5 */ + .bar = 2, + #ifdef CONFIG_CRYPTO_DEV_SP_PSP +- .psp_vdata = &pspv2, ++ .psp_vdata = &pspv4, + #endif + }, + { /* 6 */ diff --git a/queue-6.0/crypto-ccree-hisilicon-fix-dependencies-to-correct-algorithm.patch b/queue-6.0/crypto-ccree-hisilicon-fix-dependencies-to-correct-algorithm.patch new file mode 100644 index 00000000000..11a4d83f976 --- /dev/null +++ b/queue-6.0/crypto-ccree-hisilicon-fix-dependencies-to-correct-algorithm.patch @@ -0,0 +1,52 @@ +From 2ae6feb1a1f6678fe11864f1b6920ed10b09ad6a Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Fri, 25 Nov 2022 20:18:11 +0800 +Subject: crypto: ccree,hisilicon - Fix dependencies to correct algorithm + +From: Tianjia Zhang + +commit 2ae6feb1a1f6678fe11864f1b6920ed10b09ad6a upstream. + +Commit d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory") moves +the SM3 and SM4 stand-alone library and the algorithm implementation for +the Crypto API into the same directory, and the corresponding relationship +of Kconfig is modified, CONFIG_CRYPTO_SM3/4 corresponds to the stand-alone +library of SM3/4, and CONFIG_CRYPTO_SM3/4_GENERIC corresponds to the +algorithm implementation for the Crypto API. Therefore, it is necessary +for this module to depend on the correct algorithm. + +Fixes: d2825fa9365d ("crypto: sm3,sm4 - move into crypto directory") +Cc: Jason A. Donenfeld +Cc: stable@vger.kernel.org # v5.19+ +Signed-off-by: Tianjia Zhang +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/Kconfig | 4 ++-- + drivers/crypto/hisilicon/Kconfig | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/crypto/Kconfig ++++ b/drivers/crypto/Kconfig +@@ -790,8 +790,8 @@ config CRYPTO_DEV_CCREE + select CRYPTO_ECB + select CRYPTO_CTR + select CRYPTO_XTS +- select CRYPTO_SM4 +- select CRYPTO_SM3 ++ select CRYPTO_SM4_GENERIC ++ select CRYPTO_SM3_GENERIC + help + Say 'Y' to enable a driver for the REE interface of the Arm + TrustZone CryptoCell family of processors. Currently the +--- a/drivers/crypto/hisilicon/Kconfig ++++ b/drivers/crypto/hisilicon/Kconfig +@@ -26,7 +26,7 @@ config CRYPTO_DEV_HISI_SEC2 + select CRYPTO_SHA1 + select CRYPTO_SHA256 + select CRYPTO_SHA512 +- select CRYPTO_SM4 ++ select CRYPTO_SM4_GENERIC + depends on PCI && PCI_MSI + depends on UACCE || UACCE=n + depends on ARM64 || (COMPILE_TEST && 64BIT) diff --git a/queue-6.0/crypto-n2-add-missing-hash-statesize.patch b/queue-6.0/crypto-n2-add-missing-hash-statesize.patch new file mode 100644 index 00000000000..3661ce94321 --- /dev/null +++ b/queue-6.0/crypto-n2-add-missing-hash-statesize.patch @@ -0,0 +1,74 @@ +From 76a4e874593543a2dff91d249c95bac728df2774 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Thu, 6 Oct 2022 04:34:19 +0000 +Subject: crypto: n2 - add missing hash statesize + +From: Corentin Labbe + +commit 76a4e874593543a2dff91d249c95bac728df2774 upstream. + +Add missing statesize to hash templates. +This is mandatory otherwise no algorithms can be registered as the core +requires statesize to be set. + +CC: stable@kernel.org # 4.3+ +Reported-by: Rolf Eike Beer +Tested-by: Rolf Eike Beer +Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/n2_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/crypto/n2_core.c ++++ b/drivers/crypto/n2_core.c +@@ -1229,6 +1229,7 @@ struct n2_hash_tmpl { + const u8 *hash_init; + u8 hw_op_hashsz; + u8 digest_size; ++ u8 statesize; + u8 block_size; + u8 auth_type; + u8 hmac_type; +@@ -1260,6 +1261,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_MD5, + .hw_op_hashsz = MD5_DIGEST_SIZE, + .digest_size = MD5_DIGEST_SIZE, ++ .statesize = sizeof(struct md5_state), + .block_size = MD5_HMAC_BLOCK_SIZE }, + { .name = "sha1", + .hash_zero = sha1_zero_message_hash, +@@ -1268,6 +1270,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA1, + .hw_op_hashsz = SHA1_DIGEST_SIZE, + .digest_size = SHA1_DIGEST_SIZE, ++ .statesize = sizeof(struct sha1_state), + .block_size = SHA1_BLOCK_SIZE }, + { .name = "sha256", + .hash_zero = sha256_zero_message_hash, +@@ -1276,6 +1279,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA256, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA256_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA256_BLOCK_SIZE }, + { .name = "sha224", + .hash_zero = sha224_zero_message_hash, +@@ -1284,6 +1288,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_RESERVED, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA224_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA224_BLOCK_SIZE }, + }; + #define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls) +@@ -1424,6 +1429,7 @@ static int __n2_register_one_ahash(const + + halg = &ahash->halg; + halg->digestsize = tmpl->digest_size; ++ halg->statesize = tmpl->statesize; + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name); diff --git a/queue-6.0/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch b/queue-6.0/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch new file mode 100644 index 00000000000..93799b29a52 --- /dev/null +++ b/queue-6.0/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch @@ -0,0 +1,95 @@ +From e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f Mon Sep 17 00:00:00 2001 +From: Wang Weiyang +Date: Tue, 25 Oct 2022 19:31:01 +0800 +Subject: device_cgroup: Roll back to original exceptions after copy failure + +From: Wang Weiyang + +commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream. + +When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's +exceptions will be cleaned and A's behavior is changed to +DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's +whitelist. If copy failure occurs, just return leaving A to grant +permissions to all devices. And A may grant more permissions than +parent. + +Backup A's whitelist and recover original exceptions after copy +failure. + +Cc: stable@vger.kernel.org +Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") +Signed-off-by: Wang Weiyang +Reviewed-by: Aristeu Rozanski +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -82,6 +82,17 @@ free_and_exit: + return -ENOMEM; + } + ++static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) ++{ ++ struct dev_exception_item *ex, *tmp; ++ ++ lockdep_assert_held(&devcgroup_mutex); ++ ++ list_for_each_entry_safe(ex, tmp, orig, list) { ++ list_move_tail(&ex->list, dest); ++ } ++} ++ + /* + * called under devcgroup_mutex + */ +@@ -604,11 +615,13 @@ static int devcgroup_update_access(struc + int count, rc = 0; + struct dev_exception_item ex; + struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); ++ struct dev_cgroup tmp_devcgrp; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + memset(&ex, 0, sizeof(ex)); ++ memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); + b = buffer; + + switch (*b) { +@@ -620,15 +633,27 @@ static int devcgroup_update_access(struc + + if (!may_allow_all(parent)) + return -EPERM; +- dev_exception_clean(devcgroup); +- devcgroup->behavior = DEVCG_DEFAULT_ALLOW; +- if (!parent) ++ if (!parent) { ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(devcgroup); + break; ++ } + ++ INIT_LIST_HEAD(&tmp_devcgrp.exceptions); ++ rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, ++ &devcgroup->exceptions); ++ if (rc) ++ return rc; ++ dev_exception_clean(devcgroup); + rc = dev_exceptions_copy(&devcgroup->exceptions, + &parent->exceptions); +- if (rc) ++ if (rc) { ++ dev_exceptions_move(&devcgroup->exceptions, ++ &tmp_devcgrp.exceptions); + return rc; ++ } ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(&tmp_devcgrp); + break; + case DEVCG_DENY: + if (css_has_online_children(&devcgroup->css)) diff --git a/queue-6.0/driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch b/queue-6.0/driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch new file mode 100644 index 00000000000..f2b85e7c3dc --- /dev/null +++ b/queue-6.0/driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch @@ -0,0 +1,46 @@ +From 27c0d217340e47ec995557f61423ef415afba987 Mon Sep 17 00:00:00 2001 +From: "Isaac J. Manjarres" +Date: Tue, 20 Sep 2022 17:14:13 -0700 +Subject: driver core: Fix bus_type.match() error handling in __driver_attach() + +From: Isaac J. Manjarres + +commit 27c0d217340e47ec995557f61423ef415afba987 upstream. + +When a driver registers with a bus, it will attempt to match with every +device on the bus through the __driver_attach() function. Currently, if +the bus_type.match() function encounters an error that is not +-EPROBE_DEFER, __driver_attach() will return a negative error code, which +causes the driver registration logic to stop trying to match with the +remaining devices on the bus. + +This behavior is not correct; a failure while matching a driver to a +device does not mean that the driver won't be able to match and bind +with other devices on the bus. Update the logic in __driver_attach() +to reflect this. + +Fixes: 656b8035b0ee ("ARM: 8524/1: driver cohandle -EPROBE_DEFER from bus_type.match()") +Cc: stable@vger.kernel.org +Cc: Saravana Kannan +Signed-off-by: Isaac J. Manjarres +Link: https://lore.kernel.org/r/20220921001414.4046492-1-isaacmanjarres@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/dd.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -1162,7 +1162,11 @@ static int __driver_attach(struct device + return 0; + } else if (ret < 0) { + dev_dbg(dev, "Bus failed to match device: %d\n", ret); +- return ret; ++ /* ++ * Driver could not match with device, but may match with ++ * another device on the bus. ++ */ ++ return 0; + } /* ret > 0 means positive match */ + + if (driver_allows_async_probing(drv)) { diff --git a/queue-6.0/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch b/queue-6.0/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch new file mode 100644 index 00000000000..d4560bbec78 --- /dev/null +++ b/queue-6.0/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch @@ -0,0 +1,59 @@ +From 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Mon, 17 Oct 2022 15:32:01 +0000 +Subject: drm/connector: send hotplug uevent on connector cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream. + +A typical DP-MST unplug removes a KMS connector. However care must +be taken to properly synchronize with user-space. The expected +sequence of events is the following: + +1. The kernel notices that the DP-MST port is gone. +2. The kernel marks the connector as disconnected, then sends a + uevent to make user-space re-scan the connector list. +3. User-space notices the connector goes from connected to disconnected, + disables it. +4. Kernel handles the IOCTL disabling the connector. On success, + the very last reference to the struct drm_connector is dropped and + drm_connector_cleanup() is called. +5. The connector is removed from the list, and a uevent is sent to tell + user-space that the connector disappeared. + +The very last step was missing. As a result, user-space thought the +connector still existed and could try to disable it again. Since the +kernel no longer knows about the connector, that would end up with +EINVAL and confused user-space. + +Fix this by sending a hotplug uevent from drm_connector_cleanup(). + +Signed-off-by: Simon Ser +Cc: stable@vger.kernel.org +Cc: Daniel Vetter +Cc: Lyude Paul +Cc: Jonas Ådahl +Tested-by: Jonas Ådahl +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_connector.c ++++ b/drivers/gpu/drm/drm_connector.c +@@ -505,6 +505,9 @@ void drm_connector_cleanup(struct drm_co + mutex_destroy(&connector->mutex); + + memset(connector, 0, sizeof(*connector)); ++ ++ if (dev->registered) ++ drm_sysfs_hotplug_event(dev); + } + EXPORT_SYMBOL(drm_connector_cleanup); + diff --git a/queue-6.0/drm-etnaviv-move-idle-mapping-reaping-into-separate-function.patch b/queue-6.0/drm-etnaviv-move-idle-mapping-reaping-into-separate-function.patch new file mode 100644 index 00000000000..55bfa2cdbef --- /dev/null +++ b/queue-6.0/drm-etnaviv-move-idle-mapping-reaping-into-separate-function.patch @@ -0,0 +1,88 @@ +From 5a40837debaa9dcc71765d32ce1a15be068b6cc2 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Thu, 14 Jul 2022 12:31:42 +0200 +Subject: drm/etnaviv: move idle mapping reaping into separate function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas Stach + +commit 5a40837debaa9dcc71765d32ce1a15be068b6cc2 upstream. + +The same logic is already used in two different places and now +it will also be needed outside of the compilation unit, so split +it into a separate function. + +Cc: stable@vger.kernel.org # 5.19 +Signed-off-by: Lucas Stach +Reviewed-by: Guido Günther +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/etnaviv/etnaviv_mmu.c | 23 +++++++++++++++-------- + drivers/gpu/drm/etnaviv/etnaviv_mmu.h | 1 + + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_mmu.c b/drivers/gpu/drm/etnaviv/etnaviv_mmu.c +index dc1aa738c4f1..55479cb8b1ac 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_mmu.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_mmu.c +@@ -135,6 +135,19 @@ static void etnaviv_iommu_remove_mapping(struct etnaviv_iommu_context *context, + drm_mm_remove_node(&mapping->vram_node); + } + ++void etnaviv_iommu_reap_mapping(struct etnaviv_vram_mapping *mapping) ++{ ++ struct etnaviv_iommu_context *context = mapping->context; ++ ++ lockdep_assert_held(&context->lock); ++ WARN_ON(mapping->use); ++ ++ etnaviv_iommu_remove_mapping(context, mapping); ++ etnaviv_iommu_context_put(mapping->context); ++ mapping->context = NULL; ++ list_del_init(&mapping->mmu_node); ++} ++ + static int etnaviv_iommu_find_iova(struct etnaviv_iommu_context *context, + struct drm_mm_node *node, size_t size) + { +@@ -202,10 +215,7 @@ static int etnaviv_iommu_find_iova(struct etnaviv_iommu_context *context, + * this mapping. + */ + list_for_each_entry_safe(m, n, &list, scan_node) { +- etnaviv_iommu_remove_mapping(context, m); +- etnaviv_iommu_context_put(m->context); +- m->context = NULL; +- list_del_init(&m->mmu_node); ++ etnaviv_iommu_reap_mapping(m); + list_del_init(&m->scan_node); + } + +@@ -257,10 +267,7 @@ static int etnaviv_iommu_insert_exact(struct etnaviv_iommu_context *context, + } + + list_for_each_entry_safe(m, n, &scan_list, scan_node) { +- etnaviv_iommu_remove_mapping(context, m); +- etnaviv_iommu_context_put(m->context); +- m->context = NULL; +- list_del_init(&m->mmu_node); ++ etnaviv_iommu_reap_mapping(m); + list_del_init(&m->scan_node); + } + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_mmu.h b/drivers/gpu/drm/etnaviv/etnaviv_mmu.h +index e4a0b7d09c2e..c01a147f0dfd 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_mmu.h ++++ b/drivers/gpu/drm/etnaviv/etnaviv_mmu.h +@@ -91,6 +91,7 @@ int etnaviv_iommu_map_gem(struct etnaviv_iommu_context *context, + struct etnaviv_vram_mapping *mapping, u64 va); + void etnaviv_iommu_unmap_gem(struct etnaviv_iommu_context *context, + struct etnaviv_vram_mapping *mapping); ++void etnaviv_iommu_reap_mapping(struct etnaviv_vram_mapping *mapping); + + int etnaviv_iommu_get_suballoc_va(struct etnaviv_iommu_context *ctx, + struct etnaviv_vram_mapping *mapping, +-- +2.39.0 + diff --git a/queue-6.0/drm-etnaviv-reap-idle-mapping-if-it-doesn-t-match-the-softpin-address.patch b/queue-6.0/drm-etnaviv-reap-idle-mapping-if-it-doesn-t-match-the-softpin-address.patch new file mode 100644 index 00000000000..12d846a17b2 --- /dev/null +++ b/queue-6.0/drm-etnaviv-reap-idle-mapping-if-it-doesn-t-match-the-softpin-address.patch @@ -0,0 +1,47 @@ +From 332f847212e43d584019a8264895f25cf92aa647 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Thu, 14 Jul 2022 12:31:43 +0200 +Subject: drm/etnaviv: reap idle mapping if it doesn't match the softpin address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas Stach + +commit 332f847212e43d584019a8264895f25cf92aa647 upstream. + +When a idle BO, which is held open by another process, gets freed by +userspace and subsequently referenced again by e.g. importing it again, +userspace may assign a different softpin VA than the last time around. +As the kernel GEM object still exists, we likely have a idle mapping +with the old VA still cached, if it hasn't been reaped in the meantime. + +As the context matches, we then simply try to resurrect this mapping by +increasing the refcount. As the VA in this mapping does not match the +new softpin address, we consequently fail the otherwise valid submit. +Instead of failing, reap the idle mapping. + +Cc: stable@vger.kernel.org # 5.19 +Signed-off-by: Lucas Stach +Reviewed-by: Guido Günther +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/etnaviv/etnaviv_gem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c +@@ -258,7 +258,12 @@ struct etnaviv_vram_mapping *etnaviv_gem + if (mapping->use == 0) { + mutex_lock(&mmu_context->lock); + if (mapping->context == mmu_context) +- mapping->use += 1; ++ if (va && mapping->iova != va) { ++ etnaviv_iommu_reap_mapping(mapping); ++ mapping = NULL; ++ } else { ++ mapping->use += 1; ++ } + else + mapping = NULL; + mutex_unlock(&mmu_context->lock); diff --git a/queue-6.0/drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch b/queue-6.0/drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch new file mode 100644 index 00000000000..6317c92bc36 --- /dev/null +++ b/queue-6.0/drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch @@ -0,0 +1,40 @@ +From f9cdf4130671d767071607d0a7568c9bd36a68d0 Mon Sep 17 00:00:00 2001 +From: Mikko Kovanen +Date: Sat, 26 Nov 2022 13:27:13 +0000 +Subject: drm/i915/dsi: fix VBT send packet port selection for dual link DSI + +From: Mikko Kovanen + +commit f9cdf4130671d767071607d0a7568c9bd36a68d0 upstream. + +intel_dsi->ports contains bitmask of enabled ports and correspondingly +logic for selecting port for VBT packet sending must use port specific +bitmask when deciding appropriate port. + +Fixes: 08c59dde71b7 ("drm/i915/dsi: fix VBT send packet port selection for ICL+") +Cc: stable@vger.kernel.org +Signed-off-by: Mikko Kovanen +Reviewed-by: Jani Nikula +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/DBBPR09MB466592B16885D99ABBF2393A91119@DBBPR09MB4665.eurprd09.prod.outlook.com +(cherry picked from commit 8d58bb7991c45f6b60710cc04c9498c6ea96db90) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dsi_vbt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_dsi_vbt.c ++++ b/drivers/gpu/drm/i915/display/intel_dsi_vbt.c +@@ -137,9 +137,9 @@ static enum port intel_dsi_seq_port_to_p + return ffs(intel_dsi->ports) - 1; + + if (seq_port) { +- if (intel_dsi->ports & PORT_B) ++ if (intel_dsi->ports & BIT(PORT_B)) + return PORT_B; +- else if (intel_dsi->ports & PORT_C) ++ else if (intel_dsi->ports & BIT(PORT_C)) + return PORT_C; + } + diff --git a/queue-6.0/drm-i915-sdvo-filter-out-invalid-outputs-more-sensibly.patch b/queue-6.0/drm-i915-sdvo-filter-out-invalid-outputs-more-sensibly.patch new file mode 100644 index 00000000000..82ef59156a9 --- /dev/null +++ b/queue-6.0/drm-i915-sdvo-filter-out-invalid-outputs-more-sensibly.patch @@ -0,0 +1,91 @@ +From cc1e66394daaa7e9f005e2487a84e34a39f9308b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 26 Oct 2022 13:11:27 +0300 +Subject: drm/i915/sdvo: Filter out invalid outputs more sensibly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit cc1e66394daaa7e9f005e2487a84e34a39f9308b upstream. + +We try to filter out the corresponding xxx1 output +if the xxx0 output is not present. But the way that is +being done is pretty awkward. Make it less so. + +Cc: stable@vger.kernel.org +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20221026101134.20865-2-ville.syrjala@linux.intel.com +Reviewed-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_sdvo.c | 27 ++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_sdvo.c b/drivers/gpu/drm/i915/display/intel_sdvo.c +index 8852564b5fbf..c38b75fbabd3 100644 +--- a/drivers/gpu/drm/i915/display/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/display/intel_sdvo.c +@@ -2934,16 +2934,33 @@ intel_sdvo_lvds_init(struct intel_sdvo *intel_sdvo, int device) + return false; + } + ++static u16 intel_sdvo_filter_output_flags(u16 flags) ++{ ++ flags &= SDVO_OUTPUT_MASK; ++ ++ /* SDVO requires XXX1 function may not exist unless it has XXX0 function.*/ ++ if (!(flags & SDVO_OUTPUT_TMDS0)) ++ flags &= ~SDVO_OUTPUT_TMDS1; ++ ++ if (!(flags & SDVO_OUTPUT_RGB0)) ++ flags &= ~SDVO_OUTPUT_RGB1; ++ ++ if (!(flags & SDVO_OUTPUT_LVDS0)) ++ flags &= ~SDVO_OUTPUT_LVDS1; ++ ++ return flags; ++} ++ + static bool + intel_sdvo_output_setup(struct intel_sdvo *intel_sdvo, u16 flags) + { +- /* SDVO requires XXX1 function may not exist unless it has XXX0 function.*/ ++ flags = intel_sdvo_filter_output_flags(flags); + + if (flags & SDVO_OUTPUT_TMDS0) + if (!intel_sdvo_dvi_init(intel_sdvo, 0)) + return false; + +- if ((flags & SDVO_TMDS_MASK) == SDVO_TMDS_MASK) ++ if (flags & SDVO_OUTPUT_TMDS1) + if (!intel_sdvo_dvi_init(intel_sdvo, 1)) + return false; + +@@ -2964,7 +2981,7 @@ intel_sdvo_output_setup(struct intel_sdvo *intel_sdvo, u16 flags) + if (!intel_sdvo_analog_init(intel_sdvo, 0)) + return false; + +- if ((flags & SDVO_RGB_MASK) == SDVO_RGB_MASK) ++ if (flags & SDVO_OUTPUT_RGB1) + if (!intel_sdvo_analog_init(intel_sdvo, 1)) + return false; + +@@ -2972,11 +2989,11 @@ intel_sdvo_output_setup(struct intel_sdvo *intel_sdvo, u16 flags) + if (!intel_sdvo_lvds_init(intel_sdvo, 0)) + return false; + +- if ((flags & SDVO_LVDS_MASK) == SDVO_LVDS_MASK) ++ if (flags & SDVO_OUTPUT_LVDS1) + if (!intel_sdvo_lvds_init(intel_sdvo, 1)) + return false; + +- if ((flags & SDVO_OUTPUT_MASK) == 0) { ++ if (flags == 0) { + unsigned char bytes[2]; + + intel_sdvo->controlled_output = 0; +-- +2.39.0 + diff --git a/queue-6.0/drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch b/queue-6.0/drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch new file mode 100644 index 00000000000..9f14fbed538 --- /dev/null +++ b/queue-6.0/drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch @@ -0,0 +1,58 @@ +From 47078311b8efebdefd5b3b2f87e2b02b14f49c66 Mon Sep 17 00:00:00 2001 +From: Yuan Can +Date: Fri, 4 Nov 2022 06:45:12 +0000 +Subject: drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init() + +From: Yuan Can + +commit 47078311b8efebdefd5b3b2f87e2b02b14f49c66 upstream. + +A problem about modprobe ingenic-drm failed is triggered with the following +log given: + + [ 303.561088] Error: Driver 'ingenic-ipu' is already registered, aborting... + modprobe: ERROR: could not insert 'ingenic_drm': Device or resource busy + +The reason is that ingenic_drm_init() returns platform_driver_register() +directly without checking its return value, if platform_driver_register() +failed, it returns without unregistering ingenic_ipu_driver_ptr, resulting +the ingenic-drm can never be installed later. +A simple call graph is shown as below: + + ingenic_drm_init() + platform_driver_register() # ingenic_ipu_driver_ptr are registered + platform_driver_register() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without unregister ingenic_ipu_driver_ptr + +Fixing this problem by checking the return value of +platform_driver_register() and do platform_unregister_drivers() if +error happened. + +Fixes: fc1acf317b01 ("drm/ingenic: Add support for the IPU") +Signed-off-by: Yuan Can +Cc: stable@vger.kernel.org +Signed-off-by: Paul Cercueil +Link: https://patchwork.freedesktop.org/patch/msgid/20221104064512.8569-1-yuancan@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c ++++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c +@@ -1601,7 +1601,11 @@ static int ingenic_drm_init(void) + return err; + } + +- return platform_driver_register(&ingenic_drm_driver); ++ err = platform_driver_register(&ingenic_drm_driver); ++ if (IS_ENABLED(CONFIG_DRM_INGENIC_IPU) && err) ++ platform_driver_unregister(ingenic_ipu_driver_ptr); ++ ++ return err; + } + module_init(ingenic_drm_init); + diff --git a/queue-6.0/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch b/queue-6.0/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch new file mode 100644 index 00000000000..b961ccd8375 --- /dev/null +++ b/queue-6.0/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch @@ -0,0 +1,37 @@ +From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Tue, 25 Oct 2022 23:19:35 -0400 +Subject: drm/vmwgfx: Validate the box size for the snooped cursor + +From: Zack Rusin + +commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream. + +Invalid userspace dma surface copies could potentially overflow +the memcpy from the surface to the snooped image leading to crashes. +To fix it the dimensions of the copybox have to be validated +against the expected size of the snooped cursor. + +Signed-off-by: Zack Rusin +Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes") +Cc: # v3.2+ +Reviewed-by: Michael Banack +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -309,7 +309,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur + if (cmd->dma.guest.ptr.offset % PAGE_SIZE || + box->x != 0 || box->y != 0 || box->z != 0 || + box->srcx != 0 || box->srcy != 0 || box->srcz != 0 || +- box->d != 1 || box_count != 1) { ++ box->d != 1 || box_count != 1 || ++ box->w > 64 || box->h > 64) { + /* TODO handle none page aligned offsets */ + /* TODO handle more dst & src != 0 */ + /* TODO handle more then one copy */ diff --git a/queue-6.0/efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch b/queue-6.0/efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch new file mode 100644 index 00000000000..dd31c6345c9 --- /dev/null +++ b/queue-6.0/efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch @@ -0,0 +1,32 @@ +From 0be56a116220f9e5731a6609e66a11accfe8d8e2 Mon Sep 17 00:00:00 2001 +From: Aditya Garg +Date: Thu, 27 Oct 2022 10:01:43 +0000 +Subject: efi: Add iMac Pro 2017 to uefi skip cert quirk + +From: Aditya Garg + +commit 0be56a116220f9e5731a6609e66a11accfe8d8e2 upstream. + +The iMac Pro 2017 is also a T2 Mac. Thus add it to the list of uefi skip +cert. + +Cc: stable@vger.kernel.org +Fixes: 155ca952c7ca ("efi: Do not import certificates from UEFI Secure Boot for T2 Macs") +Link: https://lore.kernel.org/linux-integrity/9D46D92F-1381-4F10-989C-1A12CD2FFDD8@live.com/ +Signed-off-by: Aditya Garg +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/platform_certs/load_uefi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c +@@ -35,6 +35,7 @@ static const struct dmi_system_id uefi_s + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") }, ++ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMacPro1,1") }, + { } + }; + diff --git a/queue-6.0/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch b/queue-6.0/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch new file mode 100644 index 00000000000..8fc68be13c1 --- /dev/null +++ b/queue-6.0/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch @@ -0,0 +1,39 @@ +From 11220db412edae8dba58853238f53258268bdb88 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 3 Nov 2022 00:09:49 +0800 +Subject: ima: Fix a potential NULL pointer access in ima_restore_measurement_list + +From: Huaxin Lu + +commit 11220db412edae8dba58853238f53258268bdb88 upstream. + +In restore_template_fmt, when kstrdup fails, a non-NULL value will still be +returned, which causes a NULL pointer access in template_desc_init_fields. + +Fixes: c7d09367702e ("ima: support restoring multiple template formats") +Cc: stable@kernel.org +Co-developed-by: Jiaming Li +Signed-off-by: Jiaming Li +Signed-off-by: Huaxin Lu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_template.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/security/integrity/ima/ima_template.c ++++ b/security/integrity/ima/ima_template.c +@@ -340,8 +340,11 @@ static struct ima_template_desc *restore + + template_desc->name = ""; + template_desc->fmt = kstrdup(template_name, GFP_KERNEL); +- if (!template_desc->fmt) ++ if (!template_desc->fmt) { ++ kfree(template_desc); ++ template_desc = NULL; + goto out; ++ } + + spin_lock(&template_list); + list_add_tail_rcu(&template_desc->list, &defined_templates); diff --git a/queue-6.0/ima-fix-memory-leak-in-__ima_inode_hash.patch b/queue-6.0/ima-fix-memory-leak-in-__ima_inode_hash.patch new file mode 100644 index 00000000000..52a5709360c --- /dev/null +++ b/queue-6.0/ima-fix-memory-leak-in-__ima_inode_hash.patch @@ -0,0 +1,51 @@ +From 8c1d6a050a0f16e0a9d32eaf53b965c77279c6f8 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Wed, 2 Nov 2022 17:30:06 +0100 +Subject: ima: Fix memory leak in __ima_inode_hash() + +From: Roberto Sassu + +commit 8c1d6a050a0f16e0a9d32eaf53b965c77279c6f8 upstream. + +Commit f3cc6b25dcc5 ("ima: always measure and audit files in policy") lets +measurement or audit happen even if the file digest cannot be calculated. + +As a result, iint->ima_hash could have been allocated despite +ima_collect_measurement() returning an error. + +Since ima_hash belongs to a temporary inode metadata structure, declared +at the beginning of __ima_inode_hash(), just add a kfree() call if +ima_collect_measurement() returns an error different from -ENOMEM (in that +case, ima_hash should not have been allocated). + +Cc: stable@vger.kernel.org +Fixes: 280fe8367b0d ("ima: Always return a file measurement in ima_file_hash()") +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index 040b03ddc1c7..4a207a3ef7ef 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -542,8 +542,13 @@ static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, + + rc = ima_collect_measurement(&tmp_iint, file, NULL, 0, + ima_hash_algo, NULL); +- if (rc < 0) ++ if (rc < 0) { ++ /* ima_hash could be allocated in case of failure. */ ++ if (rc != -ENOMEM) ++ kfree(tmp_iint.ima_hash); ++ + return -EOPNOTSUPP; ++ } + + iint = &tmp_iint; + mutex_lock(&iint->mutex); +-- +2.39.0 + diff --git a/queue-6.0/iommu-amd-fix-ill-formed-ivrs_ioapic-ivrs_hpet-and-ivrs_acpihid-options.patch b/queue-6.0/iommu-amd-fix-ill-formed-ivrs_ioapic-ivrs_hpet-and-ivrs_acpihid-options.patch new file mode 100644 index 00000000000..c2e03da2fc3 --- /dev/null +++ b/queue-6.0/iommu-amd-fix-ill-formed-ivrs_ioapic-ivrs_hpet-and-ivrs_acpihid-options.patch @@ -0,0 +1,207 @@ +From 1198d2316dc4265a97d0e8445a22c7a6d17580a4 Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Mon, 19 Sep 2022 10:56:38 -0500 +Subject: iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options + +From: Kim Phillips + +commit 1198d2316dc4265a97d0e8445a22c7a6d17580a4 upstream. + +Currently, these options cause the following libkmod error: + +libkmod: ERROR ../libkmod/libkmod-config.c:489 kcmdline_parse_result: \ + Ignoring bad option on kernel command line while parsing module \ + name: 'ivrs_xxxx[XX:XX' + +Fix by introducing a new parameter format for these options and +throw a warning for the deprecated format. + +Users are still allowed to omit the PCI Segment if zero. + +Adding a Link: to the reason why we're modding the syntax parsing +in the driver and not in libkmod. + +Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/linux-modules/20200310082308.14318-2-lucas.demarchi@intel.com/ +Reported-by: Kim Phillips +Co-developed-by: Suravee Suthikulpanit +Signed-off-by: Suravee Suthikulpanit +Signed-off-by: Kim Phillips +Link: https://lore.kernel.org/r/20220919155638.391481-2-kim.phillips@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/kernel-parameters.txt | 27 ++++++-- + drivers/iommu/amd/init.c | 77 ++++++++++++++++-------- + 2 files changed, 75 insertions(+), 29 deletions(-) + +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2294,7 +2294,13 @@ + Provide an override to the IOAPIC-ID<->DEVICE-ID + mapping provided in the IVRS ACPI table. + By default, PCI segment is 0, and can be omitted. +- For example: ++ ++ For example, to map IOAPIC-ID decimal 10 to ++ PCI segment 0x1 and PCI device 00:14.0, ++ write the parameter as: ++ ivrs_ioapic=10@0001:00:14.0 ++ ++ Deprecated formats: + * To map IOAPIC-ID decimal 10 to PCI device 00:14.0 + write the parameter as: + ivrs_ioapic[10]=00:14.0 +@@ -2306,7 +2312,13 @@ + Provide an override to the HPET-ID<->DEVICE-ID + mapping provided in the IVRS ACPI table. + By default, PCI segment is 0, and can be omitted. +- For example: ++ ++ For example, to map HPET-ID decimal 10 to ++ PCI segment 0x1 and PCI device 00:14.0, ++ write the parameter as: ++ ivrs_hpet=10@0001:00:14.0 ++ ++ Deprecated formats: + * To map HPET-ID decimal 0 to PCI device 00:14.0 + write the parameter as: + ivrs_hpet[0]=00:14.0 +@@ -2317,15 +2329,20 @@ + ivrs_acpihid [HW,X86-64] + Provide an override to the ACPI-HID:UID<->DEVICE-ID + mapping provided in the IVRS ACPI table. ++ By default, PCI segment is 0, and can be omitted. + + For example, to map UART-HID:UID AMD0020:0 to + PCI segment 0x1 and PCI device ID 00:14.5, + write the parameter as: +- ivrs_acpihid[0001:00:14.5]=AMD0020:0 ++ ivrs_acpihid=AMD0020:0@0001:00:14.5 + +- By default, PCI segment is 0, and can be omitted. +- For example, PCI device 00:14.5 write the parameter as: ++ Deprecated formats: ++ * To map UART-HID:UID AMD0020:0 to PCI segment is 0, ++ PCI device ID 00:14.5, write the parameter as: + ivrs_acpihid[00:14.5]=AMD0020:0 ++ * To map UART-HID:UID AMD0020:0 to PCI segment 0x1 and ++ PCI device ID 00:14.5, write the parameter as: ++ ivrs_acpihid[0001:00:14.5]=AMD0020:0 + + js= [HW,JOY] Analog joystick + See Documentation/input/joydev/joystick.rst. +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -3385,18 +3385,24 @@ static int __init parse_amd_iommu_option + static int __init parse_ivrs_ioapic(char *str) + { + u32 seg = 0, bus, dev, fn; +- int ret, id, i; ++ int id, i; + u32 devid; + +- ret = sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn); +- if (ret != 4) { +- ret = sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn); +- if (ret != 5) { +- pr_err("Invalid command line: ivrs_ioapic%s\n", str); +- return 1; +- } ++ if (sscanf(str, "=%d@%x:%x.%x", &id, &bus, &dev, &fn) == 4 || ++ sscanf(str, "=%d@%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5) ++ goto found; ++ ++ if (sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn) == 4 || ++ sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5) { ++ pr_warn("ivrs_ioapic%s option format deprecated; use ivrs_ioapic=%d@%04x:%02x:%02x.%d instead\n", ++ str, id, seg, bus, dev, fn); ++ goto found; + } + ++ pr_err("Invalid command line: ivrs_ioapic%s\n", str); ++ return 1; ++ ++found: + if (early_ioapic_map_size == EARLY_MAP_SIZE) { + pr_err("Early IOAPIC map overflow - ignoring ivrs_ioapic%s\n", + str); +@@ -3417,18 +3423,24 @@ static int __init parse_ivrs_ioapic(char + static int __init parse_ivrs_hpet(char *str) + { + u32 seg = 0, bus, dev, fn; +- int ret, id, i; ++ int id, i; + u32 devid; + +- ret = sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn); +- if (ret != 4) { +- ret = sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn); +- if (ret != 5) { +- pr_err("Invalid command line: ivrs_hpet%s\n", str); +- return 1; +- } ++ if (sscanf(str, "=%d@%x:%x.%x", &id, &bus, &dev, &fn) == 4 || ++ sscanf(str, "=%d@%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5) ++ goto found; ++ ++ if (sscanf(str, "[%d]=%x:%x.%x", &id, &bus, &dev, &fn) == 4 || ++ sscanf(str, "[%d]=%x:%x:%x.%x", &id, &seg, &bus, &dev, &fn) == 5) { ++ pr_warn("ivrs_hpet%s option format deprecated; use ivrs_hpet=%d@%04x:%02x:%02x.%d instead\n", ++ str, id, seg, bus, dev, fn); ++ goto found; + } + ++ pr_err("Invalid command line: ivrs_hpet%s\n", str); ++ return 1; ++ ++found: + if (early_hpet_map_size == EARLY_MAP_SIZE) { + pr_err("Early HPET map overflow - ignoring ivrs_hpet%s\n", + str); +@@ -3449,19 +3461,36 @@ static int __init parse_ivrs_hpet(char * + static int __init parse_ivrs_acpihid(char *str) + { + u32 seg = 0, bus, dev, fn; +- char *hid, *uid, *p; ++ char *hid, *uid, *p, *addr; + char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; +- int ret, i; ++ int i; + +- ret = sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid); +- if (ret != 4) { +- ret = sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid); +- if (ret != 5) { +- pr_err("Invalid command line: ivrs_acpihid(%s)\n", str); +- return 1; ++ addr = strchr(str, '@'); ++ if (!addr) { ++ if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || ++ sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { ++ pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", ++ str, acpiid, seg, bus, dev, fn); ++ goto found; + } ++ goto not_found; + } + ++ /* We have the '@', make it the terminator to get just the acpiid */ ++ *addr++ = 0; ++ ++ if (sscanf(str, "=%s", acpiid) != 1) ++ goto not_found; ++ ++ if (sscanf(addr, "%x:%x.%x", &bus, &dev, &fn) == 3 || ++ sscanf(addr, "%x:%x:%x.%x", &seg, &bus, &dev, &fn) == 4) ++ goto found; ++ ++not_found: ++ pr_err("Invalid command line: ivrs_acpihid%s\n", str); ++ return 1; ++ ++found: + p = acpiid; + hid = strsep(&p, ":"); + uid = p; diff --git a/queue-6.0/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch b/queue-6.0/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch new file mode 100644 index 00000000000..8b7502cc3ab --- /dev/null +++ b/queue-6.0/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch @@ -0,0 +1,45 @@ +From 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Mon, 19 Sep 2022 10:56:37 -0500 +Subject: iommu/amd: Fix ivrs_acpihid cmdline parsing code + +From: Kim Phillips + +commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream. + +The second (UID) strcmp in acpi_dev_hid_uid_match considers +"0" and "00" different, which can prevent device registration. + +Have the AMD IOMMU driver's ivrs_acpihid parsing code remove +any leading zeroes to make the UID strcmp succeed. Now users +can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect +the same behaviour. + +Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") +Signed-off-by: Kim Phillips +Cc: stable@vger.kernel.org +Cc: Suravee Suthikulpanit +Cc: Joerg Roedel +Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd/init.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -3471,6 +3471,13 @@ static int __init parse_ivrs_acpihid(cha + return 1; + } + ++ /* ++ * Ignore leading zeroes after ':', so e.g., AMDI0095:00 ++ * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match ++ */ ++ while (*uid == '0' && *(uid + 1)) ++ uid++; ++ + i = early_acpihid_map_size++; + memcpy(early_acpihid_map[i].hid, hid, strlen(hid)); + memcpy(early_acpihid_map[i].uid, uid, strlen(uid)); diff --git a/queue-6.0/ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch b/queue-6.0/ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch new file mode 100644 index 00000000000..252369ea3e8 --- /dev/null +++ b/queue-6.0/ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch @@ -0,0 +1,94 @@ +From f6f1234d98cce69578bfac79df147a1f6660596c Mon Sep 17 00:00:00 2001 +From: Zhang Yuchen +Date: Fri, 7 Oct 2022 17:26:16 +0800 +Subject: ipmi: fix long wait in unload when IPMI disconnect + +From: Zhang Yuchen + +commit f6f1234d98cce69578bfac79df147a1f6660596c upstream. + +When fixing the problem mentioned in PATCH1, we also found +the following problem: + +If the IPMI is disconnected and in the sending process, the +uninstallation driver will be stuck for a long time. + +The main problem is that uninstalling the driver waits for curr_msg to +be sent or HOSED. After stopping tasklet, the only place to trigger the +timeout mechanism is the circular poll in shutdown_smi. + +The poll function delays 10us and calls smi_event_handler(smi_info,10). +Smi_event_handler deducts 10us from kcs->ibf_timeout. + +But the poll func is followed by schedule_timeout_uninterruptible(1). +The time consumed here is not counted in kcs->ibf_timeout. + +So when 10us is deducted from kcs->ibf_timeout, at least 1 jiffies has +actually passed. The waiting time has increased by more than a +hundredfold. + +Now instead of calling poll(). call smi_event_handler() directly and +calculate the elapsed time. + +For verification, you can directly use ebpf to check the kcs-> +ibf_timeout for each call to kcs_event() when IPMI is disconnected. +Decrement at normal rate before unloading. The decrement rate becomes +very slow after unloading. + + $ bpftrace -e 'kprobe:kcs_event {printf("kcs->ibftimeout : %d\n", + *(arg0+584));}' + +Signed-off-by: Zhang Yuchen +Message-Id: <20221007092617.87597-3-zhangyuchen.lcr@bytedance.com> +Signed-off-by: Corey Minyard +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_si_intf.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -2153,6 +2153,20 @@ skip_fallback_noirq: + } + module_init(init_ipmi_si); + ++static void wait_msg_processed(struct smi_info *smi_info) ++{ ++ unsigned long jiffies_now; ++ long time_diff; ++ ++ while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { ++ jiffies_now = jiffies; ++ time_diff = (((long)jiffies_now - (long)smi_info->last_timeout_jiffies) ++ * SI_USEC_PER_JIFFY); ++ smi_event_handler(smi_info, time_diff); ++ schedule_timeout_uninterruptible(1); ++ } ++} ++ + static void shutdown_smi(void *send_info) + { + struct smi_info *smi_info = send_info; +@@ -2187,16 +2201,13 @@ static void shutdown_smi(void *send_info + * in the BMC. Note that timers and CPU interrupts are off, + * so no need for locks. + */ +- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { +- poll(smi_info); +- schedule_timeout_uninterruptible(1); +- } ++ wait_msg_processed(smi_info); ++ + if (smi_info->handlers) + disable_si_irq(smi_info); +- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) { +- poll(smi_info); +- schedule_timeout_uninterruptible(1); +- } ++ ++ wait_msg_processed(smi_info); ++ + if (smi_info->handlers) + smi_info->handlers->cleanup(smi_info->si_sm); + diff --git a/queue-6.0/ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch b/queue-6.0/ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch new file mode 100644 index 00000000000..fd4e29fc548 --- /dev/null +++ b/queue-6.0/ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch @@ -0,0 +1,43 @@ +From a92ce570c81dc0feaeb12a429b4bc65686d17967 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Nov 2022 16:17:43 +0300 +Subject: ipmi: fix use after free in _ipmi_destroy_user() + +From: Dan Carpenter + +commit a92ce570c81dc0feaeb12a429b4bc65686d17967 upstream. + +The intf_free() function frees the "intf" pointer so we cannot +dereference it again on the next line. + +Fixes: cbb79863fc31 ("ipmi: Don't allow device module unload when in use") +Signed-off-by: Dan Carpenter +Message-Id: +Cc: # 5.5+ +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_msghandler.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -1336,6 +1336,7 @@ static void _ipmi_destroy_user(struct ip + unsigned long flags; + struct cmd_rcvr *rcvr; + struct cmd_rcvr *rcvrs = NULL; ++ struct module *owner; + + if (!acquire_ipmi_user(user, &i)) { + /* +@@ -1398,8 +1399,9 @@ static void _ipmi_destroy_user(struct ip + kfree(rcvr); + } + ++ owner = intf->owner; + kref_put(&intf->refcount, intf_free); +- module_put(intf->owner); ++ module_put(owner); + } + + int ipmi_destroy_user(struct ipmi_user *user) diff --git a/queue-6.0/ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch b/queue-6.0/ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch new file mode 100644 index 00000000000..8e5bc199b0c --- /dev/null +++ b/queue-6.0/ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch @@ -0,0 +1,130 @@ +From dc608edf7d45ba0c2ad14c06eccd66474fec7847 Mon Sep 17 00:00:00 2001 +From: Maximilian Luz +Date: Thu, 8 Sep 2022 00:44:09 +0200 +Subject: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection() + +From: Maximilian Luz + +commit dc608edf7d45ba0c2ad14c06eccd66474fec7847 upstream. + +Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() +with a subdev state of NULL leads to a NULL pointer dereference. This +can currently happen in imgu_subdev_set_selection() when the state +passed in is NULL, as this method first gets pointers to both the "try" +and "active" states and only then decides which to use. + +The same issue has been addressed for imgu_subdev_get_selection() with +commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active +selection access"). However the issue still persists in +imgu_subdev_set_selection(). + +Therefore, apply a similar fix as done in the aforementioned commit to +imgu_subdev_set_selection(). To keep things a bit cleaner, introduce +helper functions for "crop" and "compose" access and use them in both +imgu_subdev_set_selection() and imgu_subdev_get_selection(). + +Fixes: 0d346d2a6f54 ("media: v4l2-subdev: add subdev-wide state struct") +Cc: stable@vger.kernel.org # for v5.14 and later +Signed-off-by: Maximilian Luz +Signed-off-by: Sakari Ailus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/ipu3/ipu3-v4l2.c | 57 +++++++++++++++++++-------------- + 1 file changed, 34 insertions(+), 23 deletions(-) + +--- a/drivers/staging/media/ipu3/ipu3-v4l2.c ++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c +@@ -188,6 +188,28 @@ static int imgu_subdev_set_fmt(struct v4 + return 0; + } + ++static struct v4l2_rect * ++imgu_subdev_get_crop(struct imgu_v4l2_subdev *sd, ++ struct v4l2_subdev_state *sd_state, unsigned int pad, ++ enum v4l2_subdev_format_whence which) ++{ ++ if (which == V4L2_SUBDEV_FORMAT_TRY) ++ return v4l2_subdev_get_try_crop(&sd->subdev, sd_state, pad); ++ else ++ return &sd->rect.eff; ++} ++ ++static struct v4l2_rect * ++imgu_subdev_get_compose(struct imgu_v4l2_subdev *sd, ++ struct v4l2_subdev_state *sd_state, unsigned int pad, ++ enum v4l2_subdev_format_whence which) ++{ ++ if (which == V4L2_SUBDEV_FORMAT_TRY) ++ return v4l2_subdev_get_try_compose(&sd->subdev, sd_state, pad); ++ else ++ return &sd->rect.bds; ++} ++ + static int imgu_subdev_get_selection(struct v4l2_subdev *sd, + struct v4l2_subdev_state *sd_state, + struct v4l2_subdev_selection *sel) +@@ -200,18 +222,12 @@ static int imgu_subdev_get_selection(str + + switch (sel->target) { + case V4L2_SEL_TGT_CROP: +- if (sel->which == V4L2_SUBDEV_FORMAT_TRY) +- sel->r = *v4l2_subdev_get_try_crop(sd, sd_state, +- sel->pad); +- else +- sel->r = imgu_sd->rect.eff; ++ sel->r = *imgu_subdev_get_crop(imgu_sd, sd_state, sel->pad, ++ sel->which); + return 0; + case V4L2_SEL_TGT_COMPOSE: +- if (sel->which == V4L2_SUBDEV_FORMAT_TRY) +- sel->r = *v4l2_subdev_get_try_compose(sd, sd_state, +- sel->pad); +- else +- sel->r = imgu_sd->rect.bds; ++ sel->r = *imgu_subdev_get_compose(imgu_sd, sd_state, sel->pad, ++ sel->which); + return 0; + default: + return -EINVAL; +@@ -223,10 +239,9 @@ static int imgu_subdev_set_selection(str + struct v4l2_subdev_selection *sel) + { + struct imgu_device *imgu = v4l2_get_subdevdata(sd); +- struct imgu_v4l2_subdev *imgu_sd = container_of(sd, +- struct imgu_v4l2_subdev, +- subdev); +- struct v4l2_rect *rect, *try_sel; ++ struct imgu_v4l2_subdev *imgu_sd = ++ container_of(sd, struct imgu_v4l2_subdev, subdev); ++ struct v4l2_rect *rect; + + dev_dbg(&imgu->pci_dev->dev, + "set subdev %u sel which %u target 0x%4x rect [%ux%u]", +@@ -238,22 +253,18 @@ static int imgu_subdev_set_selection(str + + switch (sel->target) { + case V4L2_SEL_TGT_CROP: +- try_sel = v4l2_subdev_get_try_crop(sd, sd_state, sel->pad); +- rect = &imgu_sd->rect.eff; ++ rect = imgu_subdev_get_crop(imgu_sd, sd_state, sel->pad, ++ sel->which); + break; + case V4L2_SEL_TGT_COMPOSE: +- try_sel = v4l2_subdev_get_try_compose(sd, sd_state, sel->pad); +- rect = &imgu_sd->rect.bds; ++ rect = imgu_subdev_get_compose(imgu_sd, sd_state, sel->pad, ++ sel->which); + break; + default: + return -EINVAL; + } + +- if (sel->which == V4L2_SUBDEV_FORMAT_TRY) +- *try_sel = sel->r; +- else +- *rect = sel->r; +- ++ *rect = sel->r; + return 0; + } + diff --git a/queue-6.0/md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch b/queue-6.0/md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch new file mode 100644 index 00000000000..0a03f47688f --- /dev/null +++ b/queue-6.0/md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch @@ -0,0 +1,99 @@ +From 4555211190798b6b6fa2c37667d175bf67945c78 Mon Sep 17 00:00:00 2001 +From: Florian-Ewald Mueller +Date: Tue, 25 Oct 2022 09:37:05 +0200 +Subject: md/bitmap: Fix bitmap chunk size overflow issues + +From: Florian-Ewald Mueller + +commit 4555211190798b6b6fa2c37667d175bf67945c78 upstream. + +- limit bitmap chunk size internal u64 variable to values not overflowing + the u32 bitmap superblock structure variable stored on persistent media +- assign bitmap chunk size internal u64 variable from unsigned values to + avoid possible sign extension artifacts when assigning from a s32 value + +The bug has been there since at least kernel 4.0. +Steps to reproduce it: +1: mdadm -C /dev/mdx -l 1 --bitmap=internal --bitmap-chunk=256M -e 1.2 +-n2 /dev/rnbd1 /dev/rnbd2 +2 resize member device rnbd1 and rnbd2 to 8 TB +3 mdadm --grow /dev/mdx --size=max + +The bitmap_chunksize will overflow without patch. + +Cc: stable@vger.kernel.org + +Signed-off-by: Florian-Ewald Mueller +Signed-off-by: Jack Wang +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-bitmap.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -486,7 +486,7 @@ void md_bitmap_print_sb(struct bitmap *b + sb = kmap_atomic(bitmap->storage.sb_page); + pr_debug("%s: bitmap file superblock:\n", bmname(bitmap)); + pr_debug(" magic: %08x\n", le32_to_cpu(sb->magic)); +- pr_debug(" version: %d\n", le32_to_cpu(sb->version)); ++ pr_debug(" version: %u\n", le32_to_cpu(sb->version)); + pr_debug(" uuid: %08x.%08x.%08x.%08x\n", + le32_to_cpu(*(__le32 *)(sb->uuid+0)), + le32_to_cpu(*(__le32 *)(sb->uuid+4)), +@@ -497,11 +497,11 @@ void md_bitmap_print_sb(struct bitmap *b + pr_debug("events cleared: %llu\n", + (unsigned long long) le64_to_cpu(sb->events_cleared)); + pr_debug(" state: %08x\n", le32_to_cpu(sb->state)); +- pr_debug(" chunksize: %d B\n", le32_to_cpu(sb->chunksize)); +- pr_debug(" daemon sleep: %ds\n", le32_to_cpu(sb->daemon_sleep)); ++ pr_debug(" chunksize: %u B\n", le32_to_cpu(sb->chunksize)); ++ pr_debug(" daemon sleep: %us\n", le32_to_cpu(sb->daemon_sleep)); + pr_debug(" sync size: %llu KB\n", + (unsigned long long)le64_to_cpu(sb->sync_size)/2); +- pr_debug("max write behind: %d\n", le32_to_cpu(sb->write_behind)); ++ pr_debug("max write behind: %u\n", le32_to_cpu(sb->write_behind)); + kunmap_atomic(sb); + } + +@@ -2105,7 +2105,8 @@ int md_bitmap_resize(struct bitmap *bitm + bytes = DIV_ROUND_UP(chunks, 8); + if (!bitmap->mddev->bitmap_info.external) + bytes += sizeof(bitmap_super_t); +- } while (bytes > (space << 9)); ++ } while (bytes > (space << 9) && (chunkshift + BITMAP_BLOCK_SHIFT) < ++ (BITS_PER_BYTE * sizeof(((bitmap_super_t *)0)->chunksize) - 1)); + } else + chunkshift = ffz(~chunksize) - BITMAP_BLOCK_SHIFT; + +@@ -2150,7 +2151,7 @@ int md_bitmap_resize(struct bitmap *bitm + bitmap->counts.missing_pages = pages; + bitmap->counts.chunkshift = chunkshift; + bitmap->counts.chunks = chunks; +- bitmap->mddev->bitmap_info.chunksize = 1 << (chunkshift + ++ bitmap->mddev->bitmap_info.chunksize = 1UL << (chunkshift + + BITMAP_BLOCK_SHIFT); + + blocks = min(old_counts.chunks << old_counts.chunkshift, +@@ -2176,8 +2177,8 @@ int md_bitmap_resize(struct bitmap *bitm + bitmap->counts.missing_pages = old_counts.pages; + bitmap->counts.chunkshift = old_counts.chunkshift; + bitmap->counts.chunks = old_counts.chunks; +- bitmap->mddev->bitmap_info.chunksize = 1 << (old_counts.chunkshift + +- BITMAP_BLOCK_SHIFT); ++ bitmap->mddev->bitmap_info.chunksize = ++ 1UL << (old_counts.chunkshift + BITMAP_BLOCK_SHIFT); + blocks = old_counts.chunks << old_counts.chunkshift; + pr_warn("Could not pre-allocate in-memory bitmap for cluster raid\n"); + break; +@@ -2537,6 +2538,9 @@ chunksize_store(struct mddev *mddev, con + if (csize < 512 || + !is_power_of_2(csize)) + return -EINVAL; ++ if (BITS_PER_LONG > 32 && csize >= (1ULL << (BITS_PER_BYTE * ++ sizeof(((bitmap_super_t *)0)->chunksize)))) ++ return -EOVERFLOW; + mddev->bitmap_info.chunksize = csize; + return len; + } diff --git a/queue-6.0/mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch b/queue-6.0/mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch new file mode 100644 index 00000000000..682c4dbf29a --- /dev/null +++ b/queue-6.0/mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch @@ -0,0 +1,35 @@ +From 2ebc336be08160debfe27f87660cf550d710f3e9 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Fri, 19 Nov 2021 09:14:12 +0100 +Subject: mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type() + +From: Alexander Sverdlin + +commit 2ebc336be08160debfe27f87660cf550d710f3e9 upstream. + +Erase can be zeroed in spi_nor_parse_4bait() or +spi_nor_init_non_uniform_erase_map(). In practice it happened with +mt25qu256a, which supports 4K, 32K, 64K erases with 3b address commands, +but only 4K and 64K erase with 4b address commands. + +Fixes: dc92843159a7 ("mtd: spi-nor: fix erase_type array to indicate current map conf") +Signed-off-by: Alexander Sverdlin +Signed-off-by: Tudor Ambarus +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211119081412.29732-1-alexander.sverdlin@nokia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -1184,6 +1184,8 @@ spi_nor_find_best_erase_type(const struc + continue; + + erase = &map->erase_type[i]; ++ if (!erase->size) ++ continue; + + /* Alignment is not mandatory for overlaid regions */ + if (region->offset & SNOR_OVERLAID_REGION && diff --git a/queue-6.0/mtd-spi-nor-gigadevice-gd25q256-replace-gd25q256_default_init-with-gd25q256_post_bfpt.patch b/queue-6.0/mtd-spi-nor-gigadevice-gd25q256-replace-gd25q256_default_init-with-gd25q256_post_bfpt.patch new file mode 100644 index 00000000000..3ce6cbffb47 --- /dev/null +++ b/queue-6.0/mtd-spi-nor-gigadevice-gd25q256-replace-gd25q256_default_init-with-gd25q256_post_bfpt.patch @@ -0,0 +1,79 @@ +From 4dc49062a7e9c0c7261807fb855df1c611eb78c3 Mon Sep 17 00:00:00 2001 +From: Yaliang Wang +Date: Mon, 17 Oct 2022 01:19:01 +0800 +Subject: mtd: spi-nor: gigadevice: gd25q256: replace gd25q256_default_init with gd25q256_post_bfpt + +From: Yaliang Wang + +commit 4dc49062a7e9c0c7261807fb855df1c611eb78c3 upstream. + +When utilizing PARSE_SFDP to initialize the flash parameter, the +deprecated initializing method spi_nor_init_params_deprecated() and the +function spi_nor_manufacturer_init_params() within it will never be +executed, which results in the default_init hook function will also never +be executed. + +This is okay for 'D' generation of GD25Q256, because 'D' generation is +implementing the JESD216B standards, it has QER field defined in BFPT, +parsing the SFDP can properly set the quad_enable function. The 'E' +generation also implements the JESD216B standards, and it has the same +status register definitions as 'D' generation, parsing the SFDP to set +the quad_enable function should also work for 'E' generation. + +However, the same thing can't apply to 'C' generation. 'C' generation +'GD25Q256C' implements the JESD216 standards, and it doesn't have the +QER field defined in BFPT, since it does have QE bit in status register +1, the quad_enable hook needs to be tweaked to properly set the +quad_enable function, this can be done in post_bfpt fixup hook. + +Fixes: 047275f7de18 ("mtd: spi-nor: gigadevice: gd25q256: Init flash based on SFDP") +Reported-by: kernel test robot +Signed-off-by: Yaliang Wang +[tudor.ambarus@microchip.com: Update comment in gd25q256_post_bfpt] +Signed-off-by: Tudor Ambarus +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221016171901.1483542-2-yaliang.wang@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/gigadevice.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/mtd/spi-nor/gigadevice.c ++++ b/drivers/mtd/spi-nor/gigadevice.c +@@ -8,19 +8,29 @@ + + #include "core.h" + +-static void gd25q256_default_init(struct spi_nor *nor) ++static int ++gd25q256_post_bfpt(struct spi_nor *nor, ++ const struct sfdp_parameter_header *bfpt_header, ++ const struct sfdp_bfpt *bfpt) + { + /* +- * Some manufacturer like GigaDevice may use different +- * bit to set QE on different memories, so the MFR can't +- * indicate the quad_enable method for this case, we need +- * to set it in the default_init fixup hook. ++ * GD25Q256C supports the first version of JESD216 which does not define ++ * the Quad Enable methods. Overwrite the default Quad Enable method. ++ * ++ * GD25Q256 GENERATION | SFDP MAJOR VERSION | SFDP MINOR VERSION ++ * GD25Q256C | SFDP_JESD216_MAJOR | SFDP_JESD216_MINOR ++ * GD25Q256D | SFDP_JESD216_MAJOR | SFDP_JESD216B_MINOR ++ * GD25Q256E | SFDP_JESD216_MAJOR | SFDP_JESD216B_MINOR + */ +- nor->params->quad_enable = spi_nor_sr1_bit6_quad_enable; ++ if (bfpt_header->major == SFDP_JESD216_MAJOR && ++ bfpt_header->minor == SFDP_JESD216_MINOR) ++ nor->params->quad_enable = spi_nor_sr1_bit6_quad_enable; ++ ++ return 0; + } + + static const struct spi_nor_fixups gd25q256_fixups = { +- .default_init = gd25q256_default_init, ++ .post_bfpt = gd25q256_post_bfpt, + }; + + static const struct flash_info gigadevice_nor_parts[] = { diff --git a/queue-6.0/parisc-add-missing-force-prerequisites-in-makefile.patch b/queue-6.0/parisc-add-missing-force-prerequisites-in-makefile.patch new file mode 100644 index 00000000000..1e080eac199 --- /dev/null +++ b/queue-6.0/parisc-add-missing-force-prerequisites-in-makefile.patch @@ -0,0 +1,65 @@ +From 9086e6017957c5cd6ea28d94b70e0d513d6b7800 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 17 Dec 2022 20:05:43 +0100 +Subject: parisc: Add missing FORCE prerequisites in Makefile + +From: Helge Deller + +commit 9086e6017957c5cd6ea28d94b70e0d513d6b7800 upstream. + +Fix those make warnings: + arch/parisc/kernel/vdso32/Makefile:30: FORCE prerequisite is missing + arch/parisc/kernel/vdso64/Makefile:30: FORCE prerequisite is missing + +Add the missing FORCE prerequisites for all build targets identified by +"make help". + +Fixes: e1f86d7b4b2a5213 ("kbuild: warn if FORCE is missing for if_changed(_dep,_rule) and filechk") +Signed-off-by: Helge Deller +Cc: # 5.18+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/vdso32/Makefile | 4 ++-- + arch/parisc/kernel/vdso64/Makefile | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/parisc/kernel/vdso32/Makefile ++++ b/arch/parisc/kernel/vdso32/Makefile +@@ -26,7 +26,7 @@ $(obj)/vdso32_wrapper.o : $(obj)/vdso32. + + # Force dependency (incbin is bad) + # link rule for the .so file, .lds has to be first +-$(obj)/vdso32.so: $(src)/vdso32.lds $(obj-vdso32) $(obj-cvdso32) $(VDSO_LIBGCC) ++$(obj)/vdso32.so: $(src)/vdso32.lds $(obj-vdso32) $(obj-cvdso32) $(VDSO_LIBGCC) FORCE + $(call if_changed,vdso32ld) + + # assembly rules for the .S files +@@ -38,7 +38,7 @@ $(obj-cvdso32): %.o: %.c FORCE + + # actual build commands + quiet_cmd_vdso32ld = VDSO32L $@ +- cmd_vdso32ld = $(CROSS32CC) $(c_flags) -Wl,-T $^ -o $@ ++ cmd_vdso32ld = $(CROSS32CC) $(c_flags) -Wl,-T $(filter-out FORCE, $^) -o $@ + quiet_cmd_vdso32as = VDSO32A $@ + cmd_vdso32as = $(CROSS32CC) $(a_flags) -c -o $@ $< + quiet_cmd_vdso32cc = VDSO32C $@ +--- a/arch/parisc/kernel/vdso64/Makefile ++++ b/arch/parisc/kernel/vdso64/Makefile +@@ -26,7 +26,7 @@ $(obj)/vdso64_wrapper.o : $(obj)/vdso64. + + # Force dependency (incbin is bad) + # link rule for the .so file, .lds has to be first +-$(obj)/vdso64.so: $(src)/vdso64.lds $(obj-vdso64) $(VDSO_LIBGCC) ++$(obj)/vdso64.so: $(src)/vdso64.lds $(obj-vdso64) $(VDSO_LIBGCC) FORCE + $(call if_changed,vdso64ld) + + # assembly rules for the .S files +@@ -35,7 +35,7 @@ $(obj-vdso64): %.o: %.S FORCE + + # actual build commands + quiet_cmd_vdso64ld = VDSO64L $@ +- cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $^ -o $@ ++ cmd_vdso64ld = $(CC) $(c_flags) -Wl,-T $(filter-out FORCE, $^) -o $@ + quiet_cmd_vdso64as = VDSO64A $@ + cmd_vdso64as = $(CC) $(a_flags) -c -o $@ $< + diff --git a/queue-6.0/parisc-drop-pmd_shift-from-calculation-in-pgtable.h.patch b/queue-6.0/parisc-drop-pmd_shift-from-calculation-in-pgtable.h.patch new file mode 100644 index 00000000000..93b97ebdc7c --- /dev/null +++ b/queue-6.0/parisc-drop-pmd_shift-from-calculation-in-pgtable.h.patch @@ -0,0 +1,45 @@ +From fe94cb1a614d2df2764d49ac959d8b7e4cb98e15 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 14 Dec 2022 22:17:57 +0100 +Subject: parisc: Drop PMD_SHIFT from calculation in pgtable.h + +From: Helge Deller + +commit fe94cb1a614d2df2764d49ac959d8b7e4cb98e15 upstream. + +PMD_SHIFT isn't defined if CONFIG_PGTABLE_LEVELS == 3, and as +such the kernel test robot found this warning: + + In file included from include/linux/pgtable.h:6, + from arch/parisc/kernel/head.S:23: + arch/parisc/include/asm/pgtable.h:169:32: warning: "PMD_SHIFT" is not defined, evaluates to 0 [-Wundef] + 169 | #if (KERNEL_INITIAL_ORDER) >= (PMD_SHIFT) + +Avoid the warning by using PLD_SHIFT and BITS_PER_PTE. + +Signed-off-by: Helge Deller +Reported-by: kernel test robot +Cc: # 6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h +index ecd028854469..68ae77069d23 100644 +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -166,8 +166,8 @@ extern void __update_cache(pte_t pte); + + /* This calculates the number of initial pages we need for the initial + * page tables */ +-#if (KERNEL_INITIAL_ORDER) >= (PMD_SHIFT) +-# define PT_INITIAL (1 << (KERNEL_INITIAL_ORDER - PMD_SHIFT)) ++#if (KERNEL_INITIAL_ORDER) >= (PLD_SHIFT + BITS_PER_PTE) ++# define PT_INITIAL (1 << (KERNEL_INITIAL_ORDER - PLD_SHIFT - BITS_PER_PTE)) + #else + # define PT_INITIAL (1) /* all initial PTEs fit into one page */ + #endif +-- +2.39.0 + diff --git a/queue-6.0/parisc-fix-locking-in-pdc_iodc_print-firmware-call.patch b/queue-6.0/parisc-fix-locking-in-pdc_iodc_print-firmware-call.patch new file mode 100644 index 00000000000..b831f31d56c --- /dev/null +++ b/queue-6.0/parisc-fix-locking-in-pdc_iodc_print-firmware-call.patch @@ -0,0 +1,82 @@ +From 7236aae5f81f3efbd93d0601e74fc05994bc2580 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 26 Nov 2022 21:29:31 +0100 +Subject: parisc: Fix locking in pdc_iodc_print() firmware call + +From: Helge Deller + +commit 7236aae5f81f3efbd93d0601e74fc05994bc2580 upstream. + +Utilize pdc_lock spinlock to protect parallel modifications of the +iodc_dbuf[] buffer, check length to prevent buffer overflow of +iodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong +indentings. + +Signed-off-by: Helge Deller +Cc: # 6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/firmware.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/arch/parisc/kernel/firmware.c b/arch/parisc/kernel/firmware.c +index 6a7e315bcc2e..a115315d88e6 100644 +--- a/arch/parisc/kernel/firmware.c ++++ b/arch/parisc/kernel/firmware.c +@@ -1288,9 +1288,8 @@ void pdc_io_reset_devices(void) + + #endif /* defined(BOOTLOADER) */ + +-/* locked by pdc_console_lock */ +-static int __attribute__((aligned(8))) iodc_retbuf[32]; +-static char __attribute__((aligned(64))) iodc_dbuf[4096]; ++/* locked by pdc_lock */ ++static char iodc_dbuf[4096] __page_aligned_bss; + + /** + * pdc_iodc_print - Console print using IODC. +@@ -1307,6 +1306,9 @@ int pdc_iodc_print(const unsigned char *str, unsigned count) + unsigned int i; + unsigned long flags; + ++ count = min_t(unsigned int, count, sizeof(iodc_dbuf)); ++ ++ spin_lock_irqsave(&pdc_lock, flags); + for (i = 0; i < count;) { + switch(str[i]) { + case '\n': +@@ -1322,12 +1324,11 @@ int pdc_iodc_print(const unsigned char *str, unsigned count) + } + + print: +- spin_lock_irqsave(&pdc_lock, flags); +- real32_call(PAGE0->mem_cons.iodc_io, +- (unsigned long)PAGE0->mem_cons.hpa, ENTRY_IO_COUT, +- PAGE0->mem_cons.spa, __pa(PAGE0->mem_cons.dp.layers), +- __pa(iodc_retbuf), 0, __pa(iodc_dbuf), i, 0); +- spin_unlock_irqrestore(&pdc_lock, flags); ++ real32_call(PAGE0->mem_cons.iodc_io, ++ (unsigned long)PAGE0->mem_cons.hpa, ENTRY_IO_COUT, ++ PAGE0->mem_cons.spa, __pa(PAGE0->mem_cons.dp.layers), ++ __pa(pdc_result), 0, __pa(iodc_dbuf), i, 0); ++ spin_unlock_irqrestore(&pdc_lock, flags); + + return i; + } +@@ -1354,10 +1355,11 @@ int pdc_iodc_getc(void) + real32_call(PAGE0->mem_kbd.iodc_io, + (unsigned long)PAGE0->mem_kbd.hpa, ENTRY_IO_CIN, + PAGE0->mem_kbd.spa, __pa(PAGE0->mem_kbd.dp.layers), +- __pa(iodc_retbuf), 0, __pa(iodc_dbuf), 1, 0); ++ __pa(pdc_result), 0, __pa(iodc_dbuf), 1, 0); + + ch = *iodc_dbuf; +- status = *iodc_retbuf; ++ /* like convert_to_wide() but for first return value only: */ ++ status = *(int *)&pdc_result; + spin_unlock_irqrestore(&pdc_lock, flags); + + if (status == 0) +-- +2.39.0 + diff --git a/queue-6.0/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch b/queue-6.0/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch new file mode 100644 index 00000000000..1c7ff41b29f --- /dev/null +++ b/queue-6.0/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch @@ -0,0 +1,42 @@ +From 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 10:45:14 +0800 +Subject: parisc: led: Fix potential null-ptr-deref in start_task() + +From: Shang XiaoJing + +commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream. + +start_task() calls create_singlethread_workqueue() and not checked the +ret value, which may return NULL. And a null-ptr-deref may happen: + +start_task() + create_singlethread_workqueue() # failed, led_wq is NULL + queue_delayed_work() + queue_delayed_work_on() + __queue_delayed_work() # warning here, but continue + __queue_work() # access wq->flags, null-ptr-deref + +Check the ret value and return -ENOMEM if it is NULL. + +Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.") +Signed-off-by: Shang XiaoJing +Signed-off-by: Helge Deller +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/led.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/parisc/led.c ++++ b/drivers/parisc/led.c +@@ -137,6 +137,9 @@ static int start_task(void) + + /* Create the work queue and queue the LED task */ + led_wq = create_singlethread_workqueue("led_wq"); ++ if (!led_wq) ++ return -ENOMEM; ++ + queue_delayed_work(led_wq, &led_task, 0); + + return 0; diff --git a/queue-6.0/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch b/queue-6.0/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch new file mode 100644 index 00000000000..b61bb278963 --- /dev/null +++ b/queue-6.0/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch @@ -0,0 +1,59 @@ +From 98b04dd0b4577894520493d96bc4623387767445 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Wed, 26 Oct 2022 02:11:21 -0400 +Subject: PCI: Fix pci_device_is_present() for VFs by checking PF + +From: Michael S. Tsirkin + +commit 98b04dd0b4577894520493d96bc4623387767445 upstream. + +pci_device_is_present() previously didn't work for VFs because it reads the +Vendor and Device ID, which are 0xffff for VFs, which looks like they +aren't present. Check the PF instead. + +Wei Gong reported that if virtio I/O is in progress when the driver is +unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O +operation hangs, which may result in output like this: + + task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002 + Call Trace: + schedule+0x4f/0xc0 + blk_mq_freeze_queue_wait+0x69/0xa0 + blk_mq_freeze_queue+0x1b/0x20 + blk_cleanup_queue+0x3d/0xd0 + virtblk_remove+0x3c/0xb0 [virtio_blk] + virtio_dev_remove+0x4b/0x80 + ... + device_unregister+0x1b/0x60 + unregister_virtio_device+0x18/0x30 + virtio_pci_remove+0x41/0x80 + pci_device_remove+0x3e/0xb0 + +This happened because pci_device_is_present(VF) returned "false" in +virtio_pci_remove(), so it called virtio_break_device(). The broken vq +meant that vring_interrupt() skipped the vq.callback() that would have +completed the virtio I/O operation via virtblk_done(). + +[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag] +Link: https://lore.kernel.org/r/20221026060912.173250-1-mst@redhat.com +Reported-by: Wei Gong +Tested-by: Wei Gong +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -6462,6 +6462,8 @@ bool pci_device_is_present(struct pci_de + { + u32 v; + ++ /* Check PF if pdev is a VF, since VF Vendor/Device IDs are 0xffff */ ++ pdev = pci_physfn(pdev); + if (pci_dev_is_disconnected(pdev)) + return false; + return pci_bus_read_dev_vendor_id(pdev->bus, pdev->devfn, &v, 0); diff --git a/queue-6.0/pci-sysfs-fix-double-free-in-error-path.patch b/queue-6.0/pci-sysfs-fix-double-free-in-error-path.patch new file mode 100644 index 00000000000..1d1c7be1258 --- /dev/null +++ b/queue-6.0/pci-sysfs-fix-double-free-in-error-path.patch @@ -0,0 +1,58 @@ +From aa382ffa705bea9931ec92b6f3c70e1fdb372195 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Tue, 8 Nov 2022 17:05:59 -0600 +Subject: PCI/sysfs: Fix double free in error path + +From: Sascha Hauer + +commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream. + +When pci_create_attr() fails, pci_remove_resource_files() is called which +will iterate over the res_attr[_wc] arrays and frees every non NULL entry. +To avoid a double free here set the array entry only after it's clear we +successfully initialized it. + +Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails") +Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/ +Signed-off-by: Sascha Hauer +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1174,11 +1174,9 @@ static int pci_create_attr(struct pci_de + + sysfs_bin_attr_init(res_attr); + if (write_combine) { +- pdev->res_attr_wc[num] = res_attr; + sprintf(res_attr_name, "resource%d_wc", num); + res_attr->mmap = pci_mmap_resource_wc; + } else { +- pdev->res_attr[num] = res_attr; + sprintf(res_attr_name, "resource%d", num); + if (pci_resource_flags(pdev, num) & IORESOURCE_IO) { + res_attr->read = pci_read_resource_io; +@@ -1196,10 +1194,17 @@ static int pci_create_attr(struct pci_de + res_attr->size = pci_resource_len(pdev, num); + res_attr->private = (void *)(unsigned long)num; + retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr); +- if (retval) ++ if (retval) { + kfree(res_attr); ++ return retval; ++ } ++ ++ if (write_combine) ++ pdev->res_attr_wc[num] = res_attr; ++ else ++ pdev->res_attr[num] = res_attr; + +- return retval; ++ return 0; + } + + /** diff --git a/queue-6.0/phy-qcom-qmp-combo-fix-sc8180x-reset.patch b/queue-6.0/phy-qcom-qmp-combo-fix-sc8180x-reset.patch new file mode 100644 index 00000000000..8286dd829df --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-combo-fix-sc8180x-reset.patch @@ -0,0 +1,39 @@ +From 910dd4883d757af5faac92590f33f0f7da963032 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 14 Nov 2022 09:13:43 +0100 +Subject: phy: qcom-qmp-combo: fix sc8180x reset + +From: Johan Hovold + +commit 910dd4883d757af5faac92590f33f0f7da963032 upstream. + +The SC8180X has two resets but the DP configuration erroneously +described only one. + +In case the DP part of the PHY is initialised before the USB part (e.g. +depending on probe order), then only the first reset would be asserted. + +Fixes: 1633802cd4ac ("phy: qcom: qmp: Add SC8180x USB/DP combo") +Cc: stable@vger.kernel.org # 5.15 +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20221114081346.5116-4-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +@@ -959,8 +959,8 @@ static const struct qmp_phy_cfg sc8180x_ + + .clk_list = qmp_v3_phy_clk_l, + .num_clks = ARRAY_SIZE(qmp_v3_phy_clk_l), +- .reset_list = sc7180_usb3phy_reset_l, +- .num_resets = ARRAY_SIZE(sc7180_usb3phy_reset_l), ++ .reset_list = msm8996_usb3phy_reset_l, ++ .num_resets = ARRAY_SIZE(msm8996_usb3phy_reset_l), + .vreg_list = qmp_phy_vreg_l, + .num_vregs = ARRAY_SIZE(qmp_phy_vreg_l), + .regs = qmp_v3_usb3phy_regs_layout, diff --git a/queue-6.0/remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch b/queue-6.0/remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch new file mode 100644 index 00000000000..74ca92ba2fe --- /dev/null +++ b/queue-6.0/remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch @@ -0,0 +1,52 @@ +From 11c7f9e3131ad14b27a957496088fa488b153a48 Mon Sep 17 00:00:00 2001 +From: Maria Yu +Date: Tue, 6 Dec 2022 09:59:57 +0800 +Subject: remoteproc: core: Do pm_relax when in RPROC_OFFLINE state + +From: Maria Yu + +commit 11c7f9e3131ad14b27a957496088fa488b153a48 upstream. + +Make sure that pm_relax() happens even when the remoteproc +is stopped before the crash handler work is scheduled. + +Signed-off-by: Maria Yu +Cc: stable +Fixes: a781e5aa5911 ("remoteproc: core: Prevent system suspend during remoteproc recovery") +Link: https://lore.kernel.org/r/20221206015957.2616-2-quic_aiquny@quicinc.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/remoteproc_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -1954,12 +1954,18 @@ static void rproc_crash_handler_work(str + + mutex_lock(&rproc->lock); + +- if (rproc->state == RPROC_CRASHED || rproc->state == RPROC_OFFLINE) { ++ if (rproc->state == RPROC_CRASHED) { + /* handle only the first crash detected */ + mutex_unlock(&rproc->lock); + return; + } + ++ if (rproc->state == RPROC_OFFLINE) { ++ /* Don't recover if the remote processor was stopped */ ++ mutex_unlock(&rproc->lock); ++ goto out; ++ } ++ + rproc->state = RPROC_CRASHED; + dev_err(dev, "handling crash #%u in %s\n", ++rproc->crash_cnt, + rproc->name); +@@ -1969,6 +1975,7 @@ static void rproc_crash_handler_work(str + if (!rproc->recovery_disabled) + rproc_trigger_recovery(rproc); + ++out: + pm_relax(rproc->dev.parent); + } + diff --git a/queue-6.0/remoteproc-imx_dsp_rproc-add-mutex-protection-for-workqueue.patch b/queue-6.0/remoteproc-imx_dsp_rproc-add-mutex-protection-for-workqueue.patch new file mode 100644 index 00000000000..c9bf5943044 --- /dev/null +++ b/queue-6.0/remoteproc-imx_dsp_rproc-add-mutex-protection-for-workqueue.patch @@ -0,0 +1,86 @@ +From 47e6ab07018edebf94ce873cf50a05ec76ff2dde Mon Sep 17 00:00:00 2001 +From: Shengjiu Wang +Date: Fri, 30 Sep 2022 15:50:16 +0800 +Subject: remoteproc: imx_dsp_rproc: Add mutex protection for workqueue + +From: Shengjiu Wang + +commit 47e6ab07018edebf94ce873cf50a05ec76ff2dde upstream. + +The workqueue may execute late even after remoteproc is stopped or +stopping, some resources (rpmsg device and endpoint) have been +released in rproc_stop_subdevices(), then rproc_vq_interrupt() +accessing these resources will cause kennel dump. + +Call trace: + virtqueue_add_split+0x1ac/0x560 + virtqueue_add_inbuf+0x4c/0x60 + rpmsg_recv_done+0x15c/0x294 + vring_interrupt+0x6c/0xa4 + rproc_vq_interrupt+0x30/0x50 + imx_dsp_rproc_vq_work+0x24/0x40 [imx_dsp_rproc] + process_one_work+0x1d0/0x354 + worker_thread+0x13c/0x470 + kthread+0x154/0x160 + ret_from_fork+0x10/0x20 + +Add mutex protection in imx_dsp_rproc_vq_work(), if the state is +not running, then just skip calling rproc_vq_interrupt(). + +Also the flush workqueue operation can't be added in rproc stop +for the same reason. The call sequence is + +rproc_shutdown +-> rproc_stop + ->rproc_stop_subdevices + ->rproc->ops->stop() + ->imx_dsp_rproc_stop + ->flush_work + -> rproc_vq_interrupt + +The resource needed by rproc_vq_interrupt has been released in +rproc_stop_subdevices, so flush_work is not safe to be called in +imx_dsp_rproc_stop. + +Fixes: ec0e5549f358 ("remoteproc: imx_dsp_rproc: Add remoteproc driver for DSP on i.MX") +Signed-off-by: Shengjiu Wang +Reviewed-by: Peng Fan +Cc: stable +Link: https://lore.kernel.org/r/1664524216-19949-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/imx_dsp_rproc.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/remoteproc/imx_dsp_rproc.c ++++ b/drivers/remoteproc/imx_dsp_rproc.c +@@ -347,9 +347,6 @@ static int imx_dsp_rproc_stop(struct rpr + struct device *dev = rproc->dev.parent; + int ret = 0; + +- /* Make sure work is finished */ +- flush_work(&priv->rproc_work); +- + if (rproc->state == RPROC_CRASHED) { + priv->flags &= ~REMOTE_IS_READY; + return 0; +@@ -432,9 +429,18 @@ static void imx_dsp_rproc_vq_work(struct + { + struct imx_dsp_rproc *priv = container_of(work, struct imx_dsp_rproc, + rproc_work); ++ struct rproc *rproc = priv->rproc; ++ ++ mutex_lock(&rproc->lock); ++ ++ if (rproc->state != RPROC_RUNNING) ++ goto unlock_mutex; + + rproc_vq_interrupt(priv->rproc, 0); + rproc_vq_interrupt(priv->rproc, 1); ++ ++unlock_mutex: ++ mutex_unlock(&rproc->lock); + } + + /** diff --git a/queue-6.0/remoteproc-imx_rproc-correct-i.mx93-dram-mapping.patch b/queue-6.0/remoteproc-imx_rproc-correct-i.mx93-dram-mapping.patch new file mode 100644 index 00000000000..623187e5f75 --- /dev/null +++ b/queue-6.0/remoteproc-imx_rproc-correct-i.mx93-dram-mapping.patch @@ -0,0 +1,35 @@ +From ee18f2715e85f4ef051851a0c4831ee7ad7d83b3 Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Wed, 2 Nov 2022 19:14:10 +0800 +Subject: remoteproc: imx_rproc: Correct i.MX93 DRAM mapping + +From: Peng Fan + +commit ee18f2715e85f4ef051851a0c4831ee7ad7d83b3 upstream. + +According to updated reference mannual, the M33 DRAM view of +0x[C,D]0000000 maps to A55 0xC0000000, so correct it. + +Fixes: 9222fabf0e39 ("remoteproc: imx_rproc: Support i.MX93") +Signed-off-by: Peng Fan +Cc: stable +Link: https://lore.kernel.org/r/20221102111410.38737-1-peng.fan@oss.nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/imx_rproc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -113,8 +113,8 @@ static const struct imx_rproc_att imx_rp + { 0x80000000, 0x80000000, 0x10000000, 0 }, + { 0x90000000, 0x80000000, 0x10000000, 0 }, + +- { 0xC0000000, 0xa0000000, 0x10000000, 0 }, +- { 0xD0000000, 0xa0000000, 0x10000000, 0 }, ++ { 0xC0000000, 0xC0000000, 0x10000000, 0 }, ++ { 0xD0000000, 0xC0000000, 0x10000000, 0 }, + }; + + static const struct imx_rproc_att imx_rproc_att_imx8mn[] = { diff --git a/queue-6.0/risc-v-kexec-fix-memory-leak-of-elf-header-buffer.patch b/queue-6.0/risc-v-kexec-fix-memory-leak-of-elf-header-buffer.patch new file mode 100644 index 00000000000..487a8e99386 --- /dev/null +++ b/queue-6.0/risc-v-kexec-fix-memory-leak-of-elf-header-buffer.patch @@ -0,0 +1,57 @@ +From cbc32023ddbdf4baa3d9dc513a2184a84080a5a2 Mon Sep 17 00:00:00 2001 +From: Li Huafei +Date: Fri, 4 Nov 2022 17:56:58 +0800 +Subject: RISC-V: kexec: Fix memory leak of elf header buffer + +From: Li Huafei + +commit cbc32023ddbdf4baa3d9dc513a2184a84080a5a2 upstream. + +This is reported by kmemleak detector: + +unreferenced object 0xff2000000403d000 (size 4096): + comm "kexec", pid 146, jiffies 4294900633 (age 64.792s) + hex dump (first 32 bytes): + 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............ + 04 00 f3 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000566ca97c>] kmemleak_vmalloc+0x3c/0xbe + [<00000000979283d8>] __vmalloc_node_range+0x3ac/0x560 + [<00000000b4b3712a>] __vmalloc_node+0x56/0x62 + [<00000000854f75e2>] vzalloc+0x2c/0x34 + [<00000000e9a00db9>] crash_prepare_elf64_headers+0x80/0x30c + [<0000000067e8bf48>] elf_kexec_load+0x3e8/0x4ec + [<0000000036548e09>] kexec_image_load_default+0x40/0x4c + [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322 + [<0000000040c62c03>] ret_from_syscall+0x0/0x2 + +In elf_kexec_load(), a buffer is allocated via vzalloc() to store elf +headers. While it's not freed back to system when kdump kernel is +reloaded or unloaded, or when image->elf_header is successfully set and +then fails to load kdump kernel for some reason. Fix it by freeing the +buffer in arch_kimage_file_post_load_cleanup(). + +Fixes: 8acea455fafa ("RISC-V: Support for kexec_file on panic") +Signed-off-by: Li Huafei +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/r/20221104095658.141222-2-lihuafei1@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/elf_kexec.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/riscv/kernel/elf_kexec.c ++++ b/arch/riscv/kernel/elf_kexec.c +@@ -26,6 +26,10 @@ int arch_kimage_file_post_load_cleanup(s + kvfree(image->arch.fdt); + image->arch.fdt = NULL; + ++ vfree(image->elf_headers); ++ image->elf_headers = NULL; ++ image->elf_headers_sz = 0; ++ + return kexec_image_post_load_cleanup_default(image); + } + diff --git a/queue-6.0/risc-v-kexec-fix-memory-leak-of-fdt-buffer.patch b/queue-6.0/risc-v-kexec-fix-memory-leak-of-fdt-buffer.patch new file mode 100644 index 00000000000..d2ff92f4174 --- /dev/null +++ b/queue-6.0/risc-v-kexec-fix-memory-leak-of-fdt-buffer.patch @@ -0,0 +1,101 @@ +From 96df59b1ae23f5c11698c3c2159aeb2ecd4944a4 Mon Sep 17 00:00:00 2001 +From: Li Huafei +Date: Fri, 4 Nov 2022 17:56:57 +0800 +Subject: RISC-V: kexec: Fix memory leak of fdt buffer + +From: Li Huafei + +commit 96df59b1ae23f5c11698c3c2159aeb2ecd4944a4 upstream. + +This is reported by kmemleak detector: + +unreferenced object 0xff60000082864000 (size 9588): + comm "kexec", pid 146, jiffies 4294900634 (age 64.788s) + hex dump (first 32 bytes): + d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@ + 00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............ + backtrace: + [<00000000f95b17c4>] kmemleak_alloc+0x34/0x3e + [<00000000b9ec8e3e>] kmalloc_order+0x9c/0xc4 + [<00000000a95cf02e>] kmalloc_order_trace+0x34/0xb6 + [<00000000f01e68b4>] __kmalloc+0x5c2/0x62a + [<000000002bd497b2>] kvmalloc_node+0x66/0xd6 + [<00000000906542fa>] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea + [<00000000e1166bde>] elf_kexec_load+0x206/0x4ec + [<0000000036548e09>] kexec_image_load_default+0x40/0x4c + [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322 + [<0000000040c62c03>] ret_from_syscall+0x0/0x2 + +In elf_kexec_load(), a buffer is allocated via kvmalloc() to store fdt. +While it's not freed back to system when kexec kernel is reloaded or +unloaded. Then memory leak is caused. Fix it by introducing riscv +specific function arch_kimage_file_post_load_cleanup(), and freeing the +buffer there. + +Fixes: 6261586e0c91 ("RISC-V: Add kexec_file support") +Signed-off-by: Li Huafei +Reviewed-by: Conor Dooley +Reviewed-by: Liao Chang +Link: https://lore.kernel.org/r/20221104095658.141222-1-lihuafei1@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/kexec.h | 5 +++++ + arch/riscv/kernel/elf_kexec.c | 10 ++++++++++ + 2 files changed, 15 insertions(+) + +diff --git a/arch/riscv/include/asm/kexec.h b/arch/riscv/include/asm/kexec.h +index eee260e8ab30..2b56769cb530 100644 +--- a/arch/riscv/include/asm/kexec.h ++++ b/arch/riscv/include/asm/kexec.h +@@ -39,6 +39,7 @@ crash_setup_regs(struct pt_regs *newregs, + #define ARCH_HAS_KIMAGE_ARCH + + struct kimage_arch { ++ void *fdt; /* For CONFIG_KEXEC_FILE */ + unsigned long fdt_addr; + }; + +@@ -62,6 +63,10 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi, + const Elf_Shdr *relsec, + const Elf_Shdr *symtab); + #define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add ++ ++struct kimage; ++int arch_kimage_file_post_load_cleanup(struct kimage *image); ++#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup + #endif + + #endif +diff --git a/arch/riscv/kernel/elf_kexec.c b/arch/riscv/kernel/elf_kexec.c +index 0cb94992c15b..ff30fcb43f47 100644 +--- a/arch/riscv/kernel/elf_kexec.c ++++ b/arch/riscv/kernel/elf_kexec.c +@@ -21,6 +21,14 @@ + #include + #include + ++int arch_kimage_file_post_load_cleanup(struct kimage *image) ++{ ++ kvfree(image->arch.fdt); ++ image->arch.fdt = NULL; ++ ++ return kexec_image_post_load_cleanup_default(image); ++} ++ + static int riscv_kexec_elf_load(struct kimage *image, struct elfhdr *ehdr, + struct kexec_elf_info *elf_info, unsigned long old_pbase, + unsigned long new_pbase) +@@ -298,6 +306,8 @@ static void *elf_kexec_load(struct kimage *image, char *kernel_buf, + pr_err("Error add DTB kbuf ret=%d\n", ret); + goto out_free_fdt; + } ++ /* Cache the fdt buffer address for memory cleanup */ ++ image->arch.fdt = fdt; + pr_notice("Loaded device tree at 0x%lx\n", kbuf.mem); + goto out; + +-- +2.39.0 + diff --git a/queue-6.0/riscv-fixup-compile-error-with-mmu.patch b/queue-6.0/riscv-fixup-compile-error-with-mmu.patch new file mode 100644 index 00000000000..ad83cf9a80d --- /dev/null +++ b/queue-6.0/riscv-fixup-compile-error-with-mmu.patch @@ -0,0 +1,47 @@ +From c528ef0888b75f673f7d48022de8d31d5b451e8c Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Wed, 7 Dec 2022 04:11:12 -0500 +Subject: riscv: Fixup compile error with !MMU + +From: Guo Ren + +commit c528ef0888b75f673f7d48022de8d31d5b451e8c upstream. + +Current nommu_virt_defconfig can't compile: + +In file included from +arch/riscv/kernel/crash_core.c:3: +arch/riscv/kernel/crash_core.c: +In function 'arch_crash_save_vmcoreinfo': +arch/riscv/kernel/crash_core.c:8:27: +error: 'VA_BITS' undeclared (first use in this function) + 8 | VMCOREINFO_NUMBER(VA_BITS); + | ^~~~~~~ + +Add MMU dependency for KEXEC_FILE. + +Fixes: 6261586e0c91 ("RISC-V: Add kexec_file support") +Reported-by: Conor Dooley +Reported-by: kernel test robot +Signed-off-by: Guo Ren +Signed-off-by: Guo Ren +Tested-by: Conor Dooley +Link: https://lore.kernel.org/r/20221207091112.2258674-1-guoren@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -493,7 +493,7 @@ config KEXEC_FILE + select KEXEC_CORE + select KEXEC_ELF + select HAVE_IMA_KEXEC if IMA +- depends on 64BIT ++ depends on 64BIT && MMU + help + This is new version of kexec system call. This system call is + file based and takes file descriptors as system call argument diff --git a/queue-6.0/riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch b/queue-6.0/riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch new file mode 100644 index 00000000000..e232417ec4f --- /dev/null +++ b/queue-6.0/riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch @@ -0,0 +1,161 @@ +From 4bd1d80efb5af640f99157f39b50fb11326ce641 Mon Sep 17 00:00:00 2001 +From: Sergey Matyukevich +Date: Mon, 29 Aug 2022 23:52:19 +0300 +Subject: riscv: mm: notify remote harts about mmu cache updates + +From: Sergey Matyukevich + +commit 4bd1d80efb5af640f99157f39b50fb11326ce641 upstream. + +Current implementation of update_mmu_cache function performs local TLB +flush. It does not take into account ASID information. Besides, it does +not take into account other harts currently running the same mm context +or possible migration of the running context to other harts. Meanwhile +TLB flush is not performed for every context switch if ASID support +is enabled. + +Patch [1] proposed to add ASID support to update_mmu_cache to avoid +flushing local TLB entirely. This patch takes into account other +harts currently running the same mm context as well as possible +migration of this context to other harts. + +For this purpose the approach from flush_icache_mm is reused. Remote +harts currently running the same mm context are informed via SBI calls +that they need to flush their local TLBs. All the other harts are marked +as needing a deferred TLB flush when this mm context runs on them. + +[1] https://lore.kernel.org/linux-riscv/20220821013926.8968-1-tjytimi@163.com/ + +Signed-off-by: Sergey Matyukevich +Fixes: 65d4b9c53017 ("RISC-V: Implement ASID allocator") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/linux-riscv/20220829205219.283543-1-geomatsi@gmail.com/#t +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/mmu.h | 2 ++ + arch/riscv/include/asm/pgtable.h | 2 +- + arch/riscv/include/asm/tlbflush.h | 18 ++++++++++++++++++ + arch/riscv/mm/context.c | 10 ++++++++++ + arch/riscv/mm/tlbflush.c | 28 +++++++++++----------------- + 5 files changed, 42 insertions(+), 18 deletions(-) + +--- a/arch/riscv/include/asm/mmu.h ++++ b/arch/riscv/include/asm/mmu.h +@@ -19,6 +19,8 @@ typedef struct { + #ifdef CONFIG_SMP + /* A local icache flush is needed before user execution can resume. */ + cpumask_t icache_stale_mask; ++ /* A local tlb flush is needed before user execution can resume. */ ++ cpumask_t tlb_stale_mask; + #endif + } mm_context_t; + +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -415,7 +415,7 @@ static inline void update_mmu_cache(stru + * Relying on flush_tlb_fix_spurious_fault would suffice, but + * the extra traps reduce performance. So, eagerly SFENCE.VMA. + */ +- local_flush_tlb_page(address); ++ flush_tlb_page(vma, address); + } + + static inline void update_mmu_cache_pmd(struct vm_area_struct *vma, +--- a/arch/riscv/include/asm/tlbflush.h ++++ b/arch/riscv/include/asm/tlbflush.h +@@ -22,6 +22,24 @@ static inline void local_flush_tlb_page( + { + ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory")); + } ++ ++static inline void local_flush_tlb_all_asid(unsigned long asid) ++{ ++ __asm__ __volatile__ ("sfence.vma x0, %0" ++ : ++ : "r" (asid) ++ : "memory"); ++} ++ ++static inline void local_flush_tlb_page_asid(unsigned long addr, ++ unsigned long asid) ++{ ++ __asm__ __volatile__ ("sfence.vma %0, %1" ++ : ++ : "r" (addr), "r" (asid) ++ : "memory"); ++} ++ + #else /* CONFIG_MMU */ + #define local_flush_tlb_all() do { } while (0) + #define local_flush_tlb_page(addr) do { } while (0) +--- a/arch/riscv/mm/context.c ++++ b/arch/riscv/mm/context.c +@@ -196,6 +196,16 @@ switch_mm_fast: + + if (need_flush_tlb) + local_flush_tlb_all(); ++#ifdef CONFIG_SMP ++ else { ++ cpumask_t *mask = &mm->context.tlb_stale_mask; ++ ++ if (cpumask_test_cpu(cpu, mask)) { ++ cpumask_clear_cpu(cpu, mask); ++ local_flush_tlb_all_asid(cntx & asid_mask); ++ } ++ } ++#endif + } + + static void set_mm_noasid(struct mm_struct *mm) +--- a/arch/riscv/mm/tlbflush.c ++++ b/arch/riscv/mm/tlbflush.c +@@ -5,23 +5,7 @@ + #include + #include + #include +- +-static inline void local_flush_tlb_all_asid(unsigned long asid) +-{ +- __asm__ __volatile__ ("sfence.vma x0, %0" +- : +- : "r" (asid) +- : "memory"); +-} +- +-static inline void local_flush_tlb_page_asid(unsigned long addr, +- unsigned long asid) +-{ +- __asm__ __volatile__ ("sfence.vma %0, %1" +- : +- : "r" (addr), "r" (asid) +- : "memory"); +-} ++#include + + void flush_tlb_all(void) + { +@@ -31,6 +15,7 @@ void flush_tlb_all(void) + static void __sbi_tlb_flush_range(struct mm_struct *mm, unsigned long start, + unsigned long size, unsigned long stride) + { ++ struct cpumask *pmask = &mm->context.tlb_stale_mask; + struct cpumask *cmask = mm_cpumask(mm); + unsigned int cpuid; + bool broadcast; +@@ -44,6 +29,15 @@ static void __sbi_tlb_flush_range(struct + if (static_branch_unlikely(&use_asid_allocator)) { + unsigned long asid = atomic_long_read(&mm->context.id); + ++ /* ++ * TLB will be immediately flushed on harts concurrently ++ * executing this MM context. TLB flush on other harts ++ * is deferred until this MM context migrates there. ++ */ ++ cpumask_setall(pmask); ++ cpumask_clear_cpu(cpuid, pmask); ++ cpumask_andnot(pmask, pmask, cmask); ++ + if (broadcast) { + sbi_remote_sfence_vma_asid(cmask, start, size, asid); + } else if (size <= stride) { diff --git a/queue-6.0/riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch b/queue-6.0/riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch new file mode 100644 index 00000000000..6c4d1a449d9 --- /dev/null +++ b/queue-6.0/riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch @@ -0,0 +1,36 @@ +From 5c3022e4a616d800cf5f4c3a981d7992179e44a1 Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Wed, 9 Nov 2022 01:49:36 -0500 +Subject: riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument + +From: Guo Ren + +commit 5c3022e4a616d800cf5f4c3a981d7992179e44a1 upstream. + +The 'retp' is a pointer to the return address on the stack, so we +must pass the current return address pointer as the 'retp' +argument to ftrace_push_return_trace(). Not parent function's +return address on the stack. + +Fixes: b785ec129bd9 ("riscv/ftrace: Add HAVE_FUNCTION_GRAPH_RET_ADDR_PTR support") +Signed-off-by: Guo Ren +Signed-off-by: Guo Ren +Link: https://lore.kernel.org/r/20221109064937.3643993-2-guoren@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/stacktrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -58,7 +58,7 @@ void notrace walk_stackframe(struct task + } else { + fp = frame->fp; + pc = ftrace_graph_ret_addr(current, NULL, frame->ra, +- (unsigned long *)(fp - 8)); ++ &frame->ra); + } + + } diff --git a/queue-6.0/series b/queue-6.0/series index 4fe727befb7..8ed935f8dbf 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -87,3 +87,45 @@ rtc-ds1347-fix-value-written-to-century-register.patch drm-amdgpu-fix-mmhub-register-base-coding-error.patch block-mq-deadline-fix-dd_finish_request-for-zoned-devices.patch block-mq-deadline-do-not-break-sequential-write-streams-to-zoned-hdds.patch +md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch +efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch +wifi-wilc1000-sdio-fix-module-autoloading.patch +asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch +ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch +ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch +mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch +ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch +ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch +mtd-spi-nor-gigadevice-gd25q256-replace-gd25q256_default_init-with-gd25q256_post_bfpt.patch +ima-fix-memory-leak-in-__ima_inode_hash.patch +crypto-ccree-hisilicon-fix-dependencies-to-correct-algorithm.patch +pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch +pci-sysfs-fix-double-free-in-error-path.patch +risc-v-kexec-fix-memory-leak-of-fdt-buffer.patch +riscv-fixup-compile-error-with-mmu.patch +risc-v-kexec-fix-memory-leak-of-elf-header-buffer.patch +riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch +riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch +crypto-n2-add-missing-hash-statesize.patch +crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch +driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch +bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch +phy-qcom-qmp-combo-fix-sc8180x-reset.patch +iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch +iommu-amd-fix-ill-formed-ivrs_ioapic-ivrs_hpet-and-ivrs_acpihid-options.patch +test_kprobes-fix-implicit-declaration-error-of-test_kprobes.patch +remoteproc-imx_dsp_rproc-add-mutex-protection-for-workqueue.patch +remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch +remoteproc-imx_rproc-correct-i.mx93-dram-mapping.patch +parisc-led-fix-potential-null-ptr-deref-in-start_task.patch +parisc-fix-locking-in-pdc_iodc_print-firmware-call.patch +parisc-add-missing-force-prerequisites-in-makefile.patch +parisc-drop-pmd_shift-from-calculation-in-pgtable.h.patch +device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch +drm-connector-send-hotplug-uevent-on-connector-cleanup.patch +drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch +drm-etnaviv-move-idle-mapping-reaping-into-separate-function.patch +drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch +drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch +drm-etnaviv-reap-idle-mapping-if-it-doesn-t-match-the-softpin-address.patch +drm-i915-sdvo-filter-out-invalid-outputs-more-sensibly.patch diff --git a/queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_kprobes.patch b/queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_kprobes.patch new file mode 100644 index 00000000000..eb12c1e5f53 --- /dev/null +++ b/queue-6.0/test_kprobes-fix-implicit-declaration-error-of-test_kprobes.patch @@ -0,0 +1,48 @@ +From 63a4dc0a0bb0e9bfeb2c88ccda81abdde4cdd6b8 Mon Sep 17 00:00:00 2001 +From: Li Hua +Date: Mon, 21 Nov 2022 11:06:20 +0800 +Subject: test_kprobes: Fix implicit declaration error of test_kprobes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Li Hua + +commit 63a4dc0a0bb0e9bfeb2c88ccda81abdde4cdd6b8 upstream. + +If KPROBES_SANITY_TEST and ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled, but +STACKTRACE is not set. Build failed as below: + +lib/test_kprobes.c: In function ‘stacktrace_return_handler’: +lib/test_kprobes.c:228:8: error: implicit declaration of function ‘stack_trace_save’; did you mean ‘stacktrace_driver’? [-Werror=implicit-function-declaration] + ret = stack_trace_save(stack_buf, STACK_BUF_SIZE, 0); + ^~~~~~~~~~~~~~~~ + stacktrace_driver +cc1: all warnings being treated as errors +scripts/Makefile.build:250: recipe for target 'lib/test_kprobes.o' failed +make[2]: *** [lib/test_kprobes.o] Error 1 + +To fix this error, Select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled. + +Link: https://lore.kernel.org/all/20221121030620.63181-1-hucool.lihua@huawei.com/ + +Fixes: 1f6d3a8f5e39 ("kprobes: Add a test case for stacktrace from kretprobe handler") +Cc: stable@vger.kernel.org +Signed-off-by: Li Hua +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + lib/Kconfig.debug | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -2080,6 +2080,7 @@ config TEST_MIN_HEAP + config TEST_SORT + tristate "Array-based sort test" if !KUNIT_ALL_TESTS + depends on KUNIT ++ select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE + default KUNIT_ALL_TESTS + help + This option enables the self-test function of 'sort()' at boot, diff --git a/queue-6.0/wifi-wilc1000-sdio-fix-module-autoloading.patch b/queue-6.0/wifi-wilc1000-sdio-fix-module-autoloading.patch new file mode 100644 index 00000000000..5d9667755e0 --- /dev/null +++ b/queue-6.0/wifi-wilc1000-sdio-fix-module-autoloading.patch @@ -0,0 +1,31 @@ +From 57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3 Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Thu, 27 Oct 2022 19:12:21 +0200 +Subject: wifi: wilc1000: sdio: fix module autoloading + +From: Michael Walle + +commit 57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3 upstream. + +There are no SDIO module aliases included in the driver, therefore, +module autoloading isn't working. Add the proper MODULE_DEVICE_TABLE(). + +Cc: stable@vger.kernel.org +Signed-off-by: Michael Walle +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221027171221.491937-1-michael@walle.cc +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/microchip/wilc1000/sdio.c ++++ b/drivers/net/wireless/microchip/wilc1000/sdio.c +@@ -20,6 +20,7 @@ static const struct sdio_device_id wilc_ + { SDIO_DEVICE(SDIO_VENDOR_ID_MICROCHIP_WILC, SDIO_DEVICE_ID_MICROCHIP_WILC1000) }, + { }, + }; ++MODULE_DEVICE_TABLE(sdio, wilc_sdio_ids); + + #define WILC_SDIO_BLOCK_SIZE 512 + -- 2.47.3