Fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/acpi-arm64-adjust-error-handling-procedure-in-gtdt_p.patch b/queue-4.19/acpi-arm64-adjust-error-handling-procedure-in-gtdt_p.patch
new file mode 100644 (file)
index 0000000..d05982c
--- /dev/null
+++ b/queue-4.19/acpi-arm64-adjust-error-handling-procedure-in-gtdt_p.patch
@@ -0,0 +1,46 @@
+From 3ccd365cff1390c89db34d4c2ffae1bebe240b4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 13:12:39 +0300
+Subject: acpi/arm64: Adjust error handling procedure in
+ gtdt_parse_timer_block()
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 1a9de2f6fda69d5f105dd8af776856a66abdaa64 ]
+
+In case of error in gtdt_parse_timer_block() invalid 'gtdt_frame'
+will be used in 'do {} while (i-- >= 0 && gtdt_frame--);' statement block
+because do{} block will be executed even if 'i == 0'.
+
+Adjust error handling procedure by replacing 'i-- >= 0' with 'i-- > 0'.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: a712c3ed9b8a ("acpi/arm64: Add memory-mapped timer support in GTDT driver")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Aleksandr Mishin <amishin@t-argos.ru>
+Link: https://lore.kernel.org/r/20240827101239.22020-1-amishin@t-argos.ru
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/arm64/gtdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
+index 7a181a8a9bf04..a8aecdcdae7e6 100644
+--- a/drivers/acpi/arm64/gtdt.c
++++ b/drivers/acpi/arm64/gtdt.c
+@@ -286,7 +286,7 @@ static int __init gtdt_parse_timer_block(struct acpi_gtdt_timer_block *block,
+               if (frame->virt_irq > 0)
+                       acpi_unregister_gsi(gtdt_frame->virtual_timer_interrupt);
+               frame->virt_irq = 0;
+-      } while (i-- >= 0 && gtdt_frame--);
++      } while (i-- > 0 && gtdt_frame--);
+ 
+       return -EINVAL;
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/alsa-6fire-release-resources-at-card-release.patch b/queue-4.19/alsa-6fire-release-resources-at-card-release.patch
new file mode 100644 (file)
index 0000000..1f77285
--- /dev/null
+++ b/queue-4.19/alsa-6fire-release-resources-at-card-release.patch
@@ -0,0 +1,78 @@
+From 1df4555ef79b120c62ef3ec3e6567b0c9e028c29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 12:10:39 +0100
+Subject: ALSA: 6fire: Release resources at card release
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit a0810c3d6dd2d29a9b92604d682eacd2902ce947 ]
+
+The current 6fire code tries to release the resources right after the
+call of usb6fire_chip_abort().  But at this moment, the card object
+might be still in use (as we're calling snd_card_free_when_closed()).
+
+For avoid potential UAFs, move the release of resources to the card's
+private_free instead of the manual call of usb6fire_chip_destroy() at
+the USB disconnect callback.
+
+Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241113111042.15058-6-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/6fire/chip.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/sound/usb/6fire/chip.c b/sound/usb/6fire/chip.c
+index 17d5e3ee6d738..f5a9b7a0b5851 100644
+--- a/sound/usb/6fire/chip.c
++++ b/sound/usb/6fire/chip.c
+@@ -66,8 +66,10 @@ static void usb6fire_chip_abort(struct sfire_chip *chip)
+       }
+ }
+ 
+-static void usb6fire_chip_destroy(struct sfire_chip *chip)
++static void usb6fire_card_free(struct snd_card *card)
+ {
++      struct sfire_chip *chip = card->private_data;
++
+       if (chip) {
+               if (chip->pcm)
+                       usb6fire_pcm_destroy(chip);
+@@ -77,8 +79,6 @@ static void usb6fire_chip_destroy(struct sfire_chip *chip)
+                       usb6fire_comm_destroy(chip);
+               if (chip->control)
+                       usb6fire_control_destroy(chip);
+-              if (chip->card)
+-                      snd_card_free(chip->card);
+       }
+ }
+ 
+@@ -141,6 +141,7 @@ static int usb6fire_chip_probe(struct usb_interface *intf,
+       chip->regidx = regidx;
+       chip->intf_count = 1;
+       chip->card = card;
++      card->private_free = usb6fire_card_free;
+ 
+       ret = usb6fire_comm_init(chip);
+       if (ret < 0)
+@@ -167,7 +168,7 @@ static int usb6fire_chip_probe(struct usb_interface *intf,
+       return 0;
+ 
+ destroy_chip:
+-      usb6fire_chip_destroy(chip);
++      snd_card_free(card);
+       return ret;
+ }
+ 
+@@ -186,7 +187,6 @@ static void usb6fire_chip_disconnect(struct usb_interface *intf)
+ 
+                       chip->shutdown = true;
+                       usb6fire_chip_abort(chip);
+-                      usb6fire_chip_destroy(chip);
+               }
+       }
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/alsa-caiaq-use-snd_card_free_when_closed-at-disconne.patch b/queue-4.19/alsa-caiaq-use-snd_card_free_when_closed-at-disconne.patch
new file mode 100644 (file)
index 0000000..a1e5d7d
--- /dev/null
+++ b/queue-4.19/alsa-caiaq-use-snd_card_free_when_closed-at-disconne.patch
@@ -0,0 +1,168 @@
+From cb15c9b5d7bb837b5695275ccc781517c5adeb72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 12:10:38 +0100
+Subject: ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c ]
+
+The USB disconnect callback is supposed to be short and not too-long
+waiting.  OTOH, the current code uses snd_card_free() at
+disconnection, but this waits for the close of all used fds, hence it
+can take long.  It eventually blocks the upper layer USB ioctls, which
+may trigger a soft lockup.
+
+An easy workaround is to replace snd_card_free() with
+snd_card_free_when_closed().  This variant returns immediately while
+the release of resources is done asynchronously by the card device
+release at the last close.
+
+This patch also splits the code to the disconnect and the free phases;
+the former is called immediately at the USB disconnect callback while
+the latter is called from the card destructor.
+
+Fixes: 523f1dce3743 ("[ALSA] Add Native Instrument usb audio device support")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241113111042.15058-5-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/caiaq/audio.c  | 10 ++++++++--
+ sound/usb/caiaq/audio.h  |  1 +
+ sound/usb/caiaq/device.c | 19 +++++++++++++++----
+ sound/usb/caiaq/input.c  | 12 +++++++++---
+ sound/usb/caiaq/input.h  |  1 +
+ 5 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/sound/usb/caiaq/audio.c b/sound/usb/caiaq/audio.c
+index c6108a3d7f8f8..9c6a2295d45af 100644
+--- a/sound/usb/caiaq/audio.c
++++ b/sound/usb/caiaq/audio.c
+@@ -890,14 +890,20 @@ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *cdev)
+       return 0;
+ }
+ 
+-void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev)
++void snd_usb_caiaq_audio_disconnect(struct snd_usb_caiaqdev *cdev)
+ {
+       struct device *dev = caiaqdev_to_dev(cdev);
+ 
+       dev_dbg(dev, "%s(%p)\n", __func__, cdev);
+       stream_stop(cdev);
++}
++
++void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev)
++{
++      struct device *dev = caiaqdev_to_dev(cdev);
++
++      dev_dbg(dev, "%s(%p)\n", __func__, cdev);
+       free_urbs(cdev->data_urbs_in);
+       free_urbs(cdev->data_urbs_out);
+       kfree(cdev->data_cb_info);
+ }
+-
+diff --git a/sound/usb/caiaq/audio.h b/sound/usb/caiaq/audio.h
+index 869bf6264d6a0..07f5d064456cf 100644
+--- a/sound/usb/caiaq/audio.h
++++ b/sound/usb/caiaq/audio.h
+@@ -3,6 +3,7 @@
+ #define CAIAQ_AUDIO_H
+ 
+ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *cdev);
++void snd_usb_caiaq_audio_disconnect(struct snd_usb_caiaqdev *cdev);
+ void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev);
+ 
+ #endif /* CAIAQ_AUDIO_H */
+diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
+index d55ca48de3ea3..4df7f37aa670b 100644
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -402,6 +402,17 @@ static void setup_card(struct snd_usb_caiaqdev *cdev)
+               dev_err(dev, "Unable to set up control system (ret=%d)\n", ret);
+ }
+ 
++static void card_free(struct snd_card *card)
++{
++      struct snd_usb_caiaqdev *cdev = caiaqdev(card);
++
++#ifdef CONFIG_SND_USB_CAIAQ_INPUT
++      snd_usb_caiaq_input_free(cdev);
++#endif
++      snd_usb_caiaq_audio_free(cdev);
++      usb_reset_device(cdev->chip.dev);
++}
++
+ static int create_card(struct usb_device *usb_dev,
+                      struct usb_interface *intf,
+                      struct snd_card **cardp)
+@@ -515,6 +526,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
+                      cdev->vendor_name, cdev->product_name, usbpath);
+ 
+       setup_card(cdev);
++      card->private_free = card_free;
+       return 0;
+ 
+  err_kill_urb:
+@@ -560,15 +572,14 @@ static void snd_disconnect(struct usb_interface *intf)
+       snd_card_disconnect(card);
+ 
+ #ifdef CONFIG_SND_USB_CAIAQ_INPUT
+-      snd_usb_caiaq_input_free(cdev);
++      snd_usb_caiaq_input_disconnect(cdev);
+ #endif
+-      snd_usb_caiaq_audio_free(cdev);
++      snd_usb_caiaq_audio_disconnect(cdev);
+ 
+       usb_kill_urb(&cdev->ep1_in_urb);
+       usb_kill_urb(&cdev->midi_out_urb);
+ 
+-      snd_card_free(card);
+-      usb_reset_device(interface_to_usbdev(intf));
++      snd_card_free_when_closed(card);
+ }
+ 
+ 
+diff --git a/sound/usb/caiaq/input.c b/sound/usb/caiaq/input.c
+index 19951e1dbbb01..a01a242f5c995 100644
+--- a/sound/usb/caiaq/input.c
++++ b/sound/usb/caiaq/input.c
+@@ -842,15 +842,21 @@ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev)
+       return ret;
+ }
+ 
+-void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev)
++void snd_usb_caiaq_input_disconnect(struct snd_usb_caiaqdev *cdev)
+ {
+       if (!cdev || !cdev->input_dev)
+               return;
+ 
+       usb_kill_urb(cdev->ep4_in_urb);
++      input_unregister_device(cdev->input_dev);
++}
++
++void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev)
++{
++      if (!cdev || !cdev->input_dev)
++              return;
++
+       usb_free_urb(cdev->ep4_in_urb);
+       cdev->ep4_in_urb = NULL;
+-
+-      input_unregister_device(cdev->input_dev);
+       cdev->input_dev = NULL;
+ }
+diff --git a/sound/usb/caiaq/input.h b/sound/usb/caiaq/input.h
+index c42891e7be884..fbe267f85d025 100644
+--- a/sound/usb/caiaq/input.h
++++ b/sound/usb/caiaq/input.h
+@@ -4,6 +4,7 @@
+ 
+ void snd_usb_caiaq_input_dispatch(struct snd_usb_caiaqdev *cdev, char *buf, unsigned int len);
+ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev);
++void snd_usb_caiaq_input_disconnect(struct snd_usb_caiaqdev *cdev);
+ void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev);
+ 
+ #endif
+-- 
+2.43.0
+

diff --git a/queue-4.19/alsa-us122l-use-snd_card_free_when_closed-at-disconn.patch b/queue-4.19/alsa-us122l-use-snd_card_free_when_closed-at-disconn.patch
new file mode 100644 (file)
index 0000000..bc26101
--- /dev/null
+++ b/queue-4.19/alsa-us122l-use-snd_card_free_when_closed-at-disconn.patch
@@ -0,0 +1,50 @@
+From f5c72e1fc761df233a8b1669956c4b07294a8d8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 12:10:36 +0100
+Subject: ALSA: us122l: Use snd_card_free_when_closed() at disconnection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b7df09bb348016943f56b09dcaafe221e3f73947 ]
+
+The USB disconnect callback is supposed to be short and not too-long
+waiting.  OTOH, the current code uses snd_card_free() at
+disconnection, but this waits for the close of all used fds, hence it
+can take long.  It eventually blocks the upper layer USB ioctls, which
+may trigger a soft lockup.
+
+An easy workaround is to replace snd_card_free() with
+snd_card_free_when_closed().  This variant returns immediately while
+the release of resources is done asynchronously by the card device
+release at the last close.
+
+The loop of us122l->mmap_count check is dropped as well.  The check is
+useless for the asynchronous operation with *_when_closed().
+
+Fixes: 030a07e44129 ("ALSA: Add USB US122L driver")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241113111042.15058-3-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/usx2y/us122l.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/sound/usb/usx2y/us122l.c b/sound/usb/usx2y/us122l.c
+index 8082f7b077f18..eac2e4d0e7d94 100644
+--- a/sound/usb/usx2y/us122l.c
++++ b/sound/usb/usx2y/us122l.c
+@@ -649,10 +649,7 @@ static void snd_us122l_disconnect(struct usb_interface *intf)
+       usb_put_intf(usb_ifnum_to_if(us122l->dev, 1));
+       usb_put_dev(us122l->dev);
+ 
+-      while (atomic_read(&us122l->mmap_count))
+-              msleep(500);
+-
+-      snd_card_free(card);
++      snd_card_free_when_closed(card);
+ }
+ 
+ static int snd_us122l_suspend(struct usb_interface *intf, pm_message_t message)
+-- 
+2.43.0
+

diff --git a/queue-4.19/apparmor-fix-do-simple-duplicate-message-elimination.patch b/queue-4.19/apparmor-fix-do-simple-duplicate-message-elimination.patch
new file mode 100644 (file)
index 0000000..a402ddd
--- /dev/null
+++ b/queue-4.19/apparmor-fix-do-simple-duplicate-message-elimination.patch
@@ -0,0 +1,35 @@
+From 77340497be1140da8d8f213644052ce32db7185a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jun 2023 10:03:16 +0800
+Subject: apparmor: fix 'Do simple duplicate message elimination'
+
+From: chao liu <liuzgyid@outlook.com>
+
+[ Upstream commit 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a ]
+
+Multiple profiles shared 'ent->caps', so some logs missed.
+
+Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
+Signed-off-by: chao liu <liuzgyid@outlook.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/capability.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
+index 752f73980e308..8c99e8150bab9 100644
+--- a/security/apparmor/capability.c
++++ b/security/apparmor/capability.c
+@@ -98,6 +98,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
+               return error;
+       } else {
+               aa_put_profile(ent->profile);
++              if (profile != ent->profile)
++                      cap_clear(ent->caps);
+               ent->profile = aa_get_profile(profile);
+               cap_raise(ent->caps, cap);
+       }
+-- 
+2.43.0
+

diff --git a/queue-4.19/arm-dts-cubieboard4-fix-dcdc5-regulator-constraints.patch b/queue-4.19/arm-dts-cubieboard4-fix-dcdc5-regulator-constraints.patch
new file mode 100644 (file)
index 0000000..12b957a
--- /dev/null
+++ b/queue-4.19/arm-dts-cubieboard4-fix-dcdc5-regulator-constraints.patch
@@ -0,0 +1,56 @@
+From 6260e2e26a6bf8096266b0a7a7895c1b14027b97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 23:29:16 +0100
+Subject: ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit dd36ad71ad65968f97630808bc8d605c929b128e ]
+
+The DCDC5 voltage rail in the X-Powers AXP809 PMIC has a resolution of
+50mV, so the currently enforced limits of 1.475 and 1.525 volts cannot
+be set, when the existing regulator value is beyond this range.
+
+This will lead to the whole regulator driver to give up and fail
+probing, which in turn will hang the system, as essential devices depend
+on the PMIC.
+In this case a bug in U-Boot set the voltage to 1.75V (meant for DCDC4),
+and the AXP driver's attempt to correct this lead to this error:
+==================
+[    4.447653] axp20x-rsb sunxi-rsb-3a3: AXP20X driver loaded
+[    4.450066] vcc-dram: Bringing 1750000uV into 1575000-1575000uV
+[    4.460272] vcc-dram: failed to apply 1575000-1575000uV constraint: -EINVAL
+[    4.474788] axp20x-regulator axp20x-regulator.0: Failed to register dcdc5
+[    4.482276] axp20x-regulator axp20x-regulator.0: probe with driver axp20x-regulator failed with error -22
+==================
+
+Set the limits to values that can be programmed, so any correction will
+be successful.
+
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Fixes: 1e1dea72651b ("ARM: dts: sun9i: cubieboard4: Add AXP809 PMIC device node and regulators")
+Link: https://patch.msgid.link/20241007222916.19013-1-andre.przywara@arm.com
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sun9i-a80-cubieboard4.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts b/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts
+index 85da85faf869a..0e37ae46348ad 100644
+--- a/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts
++++ b/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts
+@@ -253,8 +253,8 @@ reg_dcdc4: dcdc4 {
+ 
+                       reg_dcdc5: dcdc5 {
+                               regulator-always-on;
+-                              regulator-min-microvolt = <1425000>;
+-                              regulator-max-microvolt = <1575000>;
++                              regulator-min-microvolt = <1450000>;
++                              regulator-max-microvolt = <1550000>;
+                               regulator-name = "vcc-dram";
+                       };
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/bpf-fix-the-xdp_adjust_tail-sample-prog-issue.patch b/queue-4.19/bpf-fix-the-xdp_adjust_tail-sample-prog-issue.patch
new file mode 100644 (file)
index 0000000..60a3e85
--- /dev/null
+++ b/queue-4.19/bpf-fix-the-xdp_adjust_tail-sample-prog-issue.patch
@@ -0,0 +1,41 @@
+From 00fbeaf44e2a064f084abfb16b0d4469d7d9eafa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 10:41:15 +0800
+Subject: bpf: Fix the xdp_adjust_tail sample prog issue
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 4236f114a3ffbbfd217436c08852e94cae372f57 ]
+
+During the xdp_adjust_tail test, probabilistic failure occurs and SKB package
+is discarded by the kernel. After checking the issues by tracking SKB package,
+it is identified that they were caused by checksum errors. Refer to checksum
+of the arch/arm64/include/asm/checksum.h for fixing.
+
+v2: Based on Alexei Starovoitov's suggestions, it is necessary to keep the code
+ implementation consistent.
+
+Fixes: c6ffd1ff7856 (bpf: add bpf_xdp_adjust_tail sample prog)
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20240930024115.52841-1-chenyuan_fl@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdp_adjust_tail_kern.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/samples/bpf/xdp_adjust_tail_kern.c b/samples/bpf/xdp_adjust_tail_kern.c
+index 411fdb21f8bcf..9783754bdd8bb 100644
+--- a/samples/bpf/xdp_adjust_tail_kern.c
++++ b/samples/bpf/xdp_adjust_tail_kern.c
+@@ -54,6 +54,7 @@ static __always_inline void swap_mac(void *data, struct ethhdr *orig_eth)
+ 
+ static __always_inline __u16 csum_fold_helper(__u32 csum)
+ {
++      csum = (csum & 0xffff) + (csum >> 16);
+       return ~((csum & 0xffff) + (csum >> 16));
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/clk-axi-clkgen-use-devm_platform_ioremap_resource-sh.patch b/queue-4.19/clk-axi-clkgen-use-devm_platform_ioremap_resource-sh.patch
new file mode 100644 (file)
index 0000000..511708b
--- /dev/null
+++ b/queue-4.19/clk-axi-clkgen-use-devm_platform_ioremap_resource-sh.patch
@@ -0,0 +1,47 @@
+From a2c06c2c6efab5d2b3869aa5e972d72188bc2434 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Feb 2021 17:12:45 +0200
+Subject: clk: axi-clkgen: use devm_platform_ioremap_resource() short-hand
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+[ Upstream commit 6ba7ea7630fb03c1ce01508bdf89f5bb39b38e54 ]
+
+No major functional change. Noticed while checking the driver code that
+this could be used.
+Saves two lines.
+
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Link: https://lore.kernel.org/r/20210201151245.21845-5-alexandru.ardelean@analog.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: c64ef7e4851d ("clk: clk-axi-clkgen: make sure to enable the AXI bus clock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-axi-clkgen.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c
+index 48d11f2598e84..7289da51b74f1 100644
+--- a/drivers/clk/clk-axi-clkgen.c
++++ b/drivers/clk/clk-axi-clkgen.c
+@@ -414,7 +414,6 @@ static int axi_clkgen_probe(struct platform_device *pdev)
+       struct clk_init_data init;
+       const char *parent_names[2];
+       const char *clk_name;
+-      struct resource *mem;
+       unsigned int i;
+       int ret;
+ 
+@@ -429,8 +428,7 @@ static int axi_clkgen_probe(struct platform_device *pdev)
+       if (!axi_clkgen)
+               return -ENOMEM;
+ 
+-      mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+-      axi_clkgen->base = devm_ioremap_resource(&pdev->dev, mem);
++      axi_clkgen->base = devm_platform_ioremap_resource(pdev, 0);
+       if (IS_ERR(axi_clkgen->base))
+               return PTR_ERR(axi_clkgen->base);
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/clk-clk-axi-clkgen-make-sure-to-enable-the-axi-bus-c.patch b/queue-4.19/clk-clk-axi-clkgen-make-sure-to-enable-the-axi-bus-c.patch
new file mode 100644 (file)
index 0000000..9bd8bfd
--- /dev/null
+++ b/queue-4.19/clk-clk-axi-clkgen-make-sure-to-enable-the-axi-bus-c.patch
@@ -0,0 +1,82 @@
+From eddfb873cd6e33d4e8b02aea98089cd1feecf2d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 14:59:42 +0100
+Subject: clk: clk-axi-clkgen: make sure to enable the AXI bus clock
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+[ Upstream commit c64ef7e4851d1a9abbb7f7833e4936973ac5ba79 ]
+
+In order to access the registers of the HW, we need to make sure that
+the AXI bus clock is enabled. Hence let's increase the number of clocks
+by one.
+
+In order to keep backward compatibility and make sure old DTs still work
+we check if clock-names is available or not. If it is, then we can
+disambiguate between really having the AXI clock or a parent clock and
+so we can enable the bus clock. If not, we fallback to what was done
+before and don't explicitly enable the AXI bus clock.
+
+Note that if clock-names is given, the axi clock must be the last one in
+the phandle array (also enforced in the DT bindings) so that we can reuse
+as much code as possible.
+
+Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20241029-axi-clkgen-fix-axiclk-v2-2-bc5e0733ad76@analog.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-axi-clkgen.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c
+index 7289da51b74f1..f1e276ce28d46 100644
+--- a/drivers/clk/clk-axi-clkgen.c
++++ b/drivers/clk/clk-axi-clkgen.c
+@@ -9,6 +9,7 @@
+  */
+ 
+ #include <linux/platform_device.h>
++#include <linux/clk.h>
+ #include <linux/clk-provider.h>
+ #include <linux/slab.h>
+ #include <linux/io.h>
+@@ -414,6 +415,7 @@ static int axi_clkgen_probe(struct platform_device *pdev)
+       struct clk_init_data init;
+       const char *parent_names[2];
+       const char *clk_name;
++      struct clk *axi_clk;
+       unsigned int i;
+       int ret;
+ 
+@@ -433,8 +435,24 @@ static int axi_clkgen_probe(struct platform_device *pdev)
+               return PTR_ERR(axi_clkgen->base);
+ 
+       init.num_parents = of_clk_get_parent_count(pdev->dev.of_node);
+-      if (init.num_parents < 1 || init.num_parents > 2)
+-              return -EINVAL;
++
++      axi_clk = devm_clk_get_enabled(&pdev->dev, "s_axi_aclk");
++      if (!IS_ERR(axi_clk)) {
++              if (init.num_parents < 2 || init.num_parents > 3)
++                      return -EINVAL;
++
++              init.num_parents -= 1;
++      } else {
++              /*
++               * Legacy... So that old DTs which do not have clock-names still
++               * work. In this case we don't explicitly enable the AXI bus
++               * clock.
++               */
++              if (PTR_ERR(axi_clk) != -ENOENT)
++                      return PTR_ERR(axi_clk);
++              if (init.num_parents < 1 || init.num_parents > 2)
++                      return -EINVAL;
++      }
+ 
+       for (i = 0; i < init.num_parents; i++) {
+               parent_names[i] = of_clk_get_parent_name(pdev->dev.of_node, i);
+-- 
+2.43.0
+

diff --git a/queue-4.19/cpufreq-loongson2-unregister-platform_driver-on-fail.patch b/queue-4.19/cpufreq-loongson2-unregister-platform_driver-on-fail.patch
new file mode 100644 (file)
index 0000000..2169d8e
--- /dev/null
+++ b/queue-4.19/cpufreq-loongson2-unregister-platform_driver-on-fail.patch
@@ -0,0 +1,39 @@
+From 5d33ebd64e2a4aa96ea899f5518d43aea1b48d04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 17:06:15 +0800
+Subject: cpufreq: loongson2: Unregister platform_driver on failure
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 5f856d71ccdf89b4bac0ff70ebb0bb582e7f7f18 ]
+
+When cpufreq_register_driver() returns error, the cpufreq_init() returns
+without unregister platform_driver, fix by add missing
+platform_driver_unregister() when cpufreq_register_driver() failed.
+
+Fixes: f8ede0f700f5 ("MIPS: Loongson 2F: Add CPU frequency scaling support")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/loongson2_cpufreq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/loongson2_cpufreq.c b/drivers/cpufreq/loongson2_cpufreq.c
+index da344696beed7..1f4d0cf3a53c9 100644
+--- a/drivers/cpufreq/loongson2_cpufreq.c
++++ b/drivers/cpufreq/loongson2_cpufreq.c
+@@ -166,7 +166,9 @@ static int __init cpufreq_init(void)
+ 
+       ret = cpufreq_register_driver(&loongson2_cpufreq_driver);
+ 
+-      if (!ret && !nowait) {
++      if (ret) {
++              platform_driver_unregister(&platform_driver);
++      } else if (!nowait) {
+               saved_cpu_wait = cpu_wait;
+               cpu_wait = loongson2_cpu_wait;
+       }
+-- 
+2.43.0
+

diff --git a/queue-4.19/crypto-bcm-add-error-check-in-the-ahash_hmac_init-fu.patch b/queue-4.19/crypto-bcm-add-error-check-in-the-ahash_hmac_init-fu.patch
new file mode 100644 (file)
index 0000000..34165de
--- /dev/null
+++ b/queue-4.19/crypto-bcm-add-error-check-in-the-ahash_hmac_init-fu.patch
@@ -0,0 +1,47 @@
+From 0099f84707c3c85d96b0258fb16556db437911ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 12:17:45 +0000
+Subject: crypto: bcm - add error check in the ahash_hmac_init function
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit 19630cf57233e845b6ac57c9c969a4888925467b ]
+
+The ahash_init functions may return fails. The ahash_hmac_init should
+not return ok when ahash_init returns error. For an example, ahash_init
+will return -ENOMEM when allocation memory is error.
+
+Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/bcm/cipher.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/bcm/cipher.c b/drivers/crypto/bcm/cipher.c
+index c63992fbbc988..4349961982cc9 100644
+--- a/drivers/crypto/bcm/cipher.c
++++ b/drivers/crypto/bcm/cipher.c
+@@ -2510,6 +2510,7 @@ static int ahash_hmac_setkey(struct crypto_ahash *ahash, const u8 *key,
+ 
+ static int ahash_hmac_init(struct ahash_request *req)
+ {
++      int ret;
+       struct iproc_reqctx_s *rctx = ahash_request_ctx(req);
+       struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+       struct iproc_ctx_s *ctx = crypto_ahash_ctx(tfm);
+@@ -2519,7 +2520,9 @@ static int ahash_hmac_init(struct ahash_request *req)
+       flow_log("ahash_hmac_init()\n");
+ 
+       /* init the context as a hash */
+-      ahash_init(req);
++      ret = ahash_init(req);
++      if (ret)
++              return ret;
+ 
+       if (!spu_no_incr_hash(ctx)) {
+               /* SPU-M can do incr hashing but needs sw for outer HMAC */
+-- 
+2.43.0
+

diff --git a/queue-4.19/crypto-cavium-fix-an-error-handling-path-in-cpt_ucod.patch b/queue-4.19/crypto-cavium-fix-an-error-handling-path-in-cpt_ucod.patch
new file mode 100644 (file)
index 0000000..cace243
--- /dev/null
+++ b/queue-4.19/crypto-cavium-fix-an-error-handling-path-in-cpt_ucod.patch
@@ -0,0 +1,38 @@
+From 5fee11d0d29b6047b0d59962390157d303b7cd8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 18:22:27 +0100
+Subject: crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 572b7cf08403b6c67dfe0dc3e0f2efb42443254f ]
+
+If do_cpt_init() fails, a previous dma_alloc_coherent() call needs to be
+undone.
+
+Add the needed dma_free_coherent() before returning.
+
+Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/cpt/cptpf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
+index 7e1d95b85b270..c6781bbbdc5ff 100644
+--- a/drivers/crypto/cavium/cpt/cptpf_main.c
++++ b/drivers/crypto/cavium/cpt/cptpf_main.c
+@@ -306,6 +306,8 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+ 
+       ret = do_cpt_init(cpt, mcode);
+       if (ret) {
++              dma_free_coherent(&cpt->pdev->dev, mcode->code_size,
++                                mcode->code, mcode->phys_base);
+               dev_err(dev, "do_cpt_init failed with ret: %d\n", ret);
+               goto fw_release;
+       }
+-- 
+2.43.0
+

diff --git a/queue-4.19/crypto-cavium-fix-the-if-condition-to-exit-loop-afte.patch b/queue-4.19/crypto-cavium-fix-the-if-condition-to-exit-loop-afte.patch
new file mode 100644 (file)
index 0000000..8553d9c
--- /dev/null
+++ b/queue-4.19/crypto-cavium-fix-the-if-condition-to-exit-loop-afte.patch
@@ -0,0 +1,53 @@
+From 361d725a84dd73adc5c4d958c49a15eec346c28e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 10:23:10 -0600
+Subject: crypto: cavium - Fix the if condition to exit loop after timeout
+
+From: Everest K.C <everestkc@everestkc.com.np>
+
+[ Upstream commit 53d91ca76b6c426c546542a44c78507b42008c9e ]
+
+The while loop breaks in the first run because of incorrect
+if condition. It also causes the statements after the if to
+appear dead.
+Fix this by changing the condition from if(timeout--) to
+if(!timeout--).
+
+This bug was reported by Coverity Scan.
+Report:
+CID 1600859: (#1 of 1): Logically dead code (DEADCODE)
+dead_error_line: Execution cannot reach this statement: udelay(30UL);
+
+Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
+Signed-off-by: Everest K.C. <everestkc@everestkc.com.np>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/cpt/cptpf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
+index 7416f30ee976d..7e1d95b85b270 100644
+--- a/drivers/crypto/cavium/cpt/cptpf_main.c
++++ b/drivers/crypto/cavium/cpt/cptpf_main.c
+@@ -48,7 +48,7 @@ static void cpt_disable_cores(struct cpt_device *cpt, u64 coremask,
+               dev_err(dev, "Cores still busy %llx", coremask);
+               grp = cpt_read_csr64(cpt->reg_base,
+                                    CPTX_PF_EXEC_BUSY(0));
+-              if (timeout--)
++              if (!timeout--)
+                       break;
+ 
+               udelay(CSR_DELAY);
+@@ -398,7 +398,7 @@ static void cpt_disable_all_cores(struct cpt_device *cpt)
+               dev_err(dev, "Cores still busy");
+               grp = cpt_read_csr64(cpt->reg_base,
+                                    CPTX_PF_EXEC_BUSY(0));
+-              if (timeout--)
++              if (!timeout--)
+                       break;
+ 
+               udelay(CSR_DELAY);
+-- 
+2.43.0
+

diff --git a/queue-4.19/crypto-pcrypt-call-crypto-layer-directly-when-padata.patch b/queue-4.19/crypto-pcrypt-call-crypto-layer-directly-when-padata.patch
new file mode 100644 (file)
index 0000000..1dc1dea
--- /dev/null
+++ b/queue-4.19/crypto-pcrypt-call-crypto-layer-directly-when-padata.patch
@@ -0,0 +1,59 @@
+From 5e575f31d34c7b4c347be80e62d07ad745d8d4e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 02:09:35 +0000
+Subject: crypto: pcrypt - Call crypto layer directly when padata_do_parallel()
+ return -EBUSY
+
+From: Yi Yang <yiyang13@huawei.com>
+
+[ Upstream commit 662f2f13e66d3883b9238b0b96b17886179e60e2 ]
+
+Since commit 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for
+PADATA_RESET"), the pcrypt encryption and decryption operations return
+-EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is
+generated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns
+-EAGAIN, the unnecessary panic will occur when panic_on_warn set 1.
+Fix this issue by calling crypto layer directly without parallelization
+in that case.
+
+Fixes: 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for PADATA_RESET")
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/pcrypt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 1e9de81ef84fa..d18e18141cb05 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -174,8 +174,10 @@ static int pcrypt_aead_encrypt(struct aead_request *req)
+       err = pcrypt_do_parallel(padata, &ctx->cb_cpu, &pencrypt);
+       if (!err)
+               return -EINPROGRESS;
+-      if (err == -EBUSY)
+-              return -EAGAIN;
++      if (err == -EBUSY) {
++              /* try non-parallel mode */
++              return crypto_aead_encrypt(creq);
++      }
+ 
+       return err;
+ }
+@@ -220,8 +222,10 @@ static int pcrypt_aead_decrypt(struct aead_request *req)
+       err = pcrypt_do_parallel(padata, &ctx->cb_cpu, &pdecrypt);
+       if (!err)
+               return -EINPROGRESS;
+-      if (err == -EBUSY)
+-              return -EAGAIN;
++      if (err == -EBUSY) {
++              /* try non-parallel mode */
++              return crypto_aead_decrypt(creq);
++      }
+ 
+       return err;
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-etnaviv-consolidate-hardware-fence-handling-in-e.patch b/queue-4.19/drm-etnaviv-consolidate-hardware-fence-handling-in-e.patch
new file mode 100644 (file)
index 0000000..4a2e4dd
--- /dev/null
+++ b/queue-4.19/drm-etnaviv-consolidate-hardware-fence-handling-in-e.patch
@@ -0,0 +1,91 @@
+From ec0a2e4d98d46c042417869ae06c9aac93e65b9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Nov 2018 18:12:39 +0100
+Subject: drm/etnaviv: consolidate hardware fence handling in etnaviv_gpu
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit 3283ee771c88bdf28d427b7ff0831a13213a812c ]
+
+This is the only place in the driver that should have to deal with
+the raw hardware fences. To avoid any further confusion, consolidate
+the fence handling in this file and remove any traces of this from
+the header files.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Stable-dep-of: 37dc4737447a ("drm/etnaviv: hold GPU lock across perfmon sampling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_drv.h | 11 -----------
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c |  8 +++++++-
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.h |  5 -----
+ 3 files changed, 7 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.h b/drivers/gpu/drm/etnaviv/etnaviv_drv.h
+index b2930d1fe97c0..51b7bdf5748bc 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.h
+@@ -108,17 +108,6 @@ static inline size_t size_vstruct(size_t nelem, size_t elem_size, size_t base)
+       return base + nelem * elem_size;
+ }
+ 
+-/* returns true if fence a comes after fence b */
+-static inline bool fence_after(u32 a, u32 b)
+-{
+-      return (s32)(a - b) > 0;
+-}
+-
+-static inline bool fence_after_eq(u32 a, u32 b)
+-{
+-      return (s32)(a - b) >= 0;
+-}
+-
+ /*
+  * Etnaviv timeouts are specified wrt CLOCK_MONOTONIC, not jiffies.
+  * We need to calculate the timeout in terms of number of jiffies
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index 37ae15dc4fc6d..0ec4dc4cab1c4 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -1038,7 +1038,7 @@ static bool etnaviv_fence_signaled(struct dma_fence *fence)
+ {
+       struct etnaviv_fence *f = to_etnaviv_fence(fence);
+ 
+-      return fence_completed(f->gpu, f->base.seqno);
++      return (s32)(f->gpu->completed_fence - f->base.seqno) >= 0;
+ }
+ 
+ static void etnaviv_fence_release(struct dma_fence *fence)
+@@ -1077,6 +1077,12 @@ static struct dma_fence *etnaviv_gpu_fence_alloc(struct etnaviv_gpu *gpu)
+       return &f->base;
+ }
+ 
++/* returns true if fence a comes after fence b */
++static inline bool fence_after(u32 a, u32 b)
++{
++      return (s32)(a - b) > 0;
++}
++
+ /*
+  * event management:
+  */
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+index 039e0509af6ab..939a415b7a9b2 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+@@ -162,11 +162,6 @@ static inline u32 gpu_read(struct etnaviv_gpu *gpu, u32 reg)
+       return readl(gpu->mmio + reg);
+ }
+ 
+-static inline bool fence_completed(struct etnaviv_gpu *gpu, u32 fence)
+-{
+-      return fence_after_eq(gpu->completed_fence, fence);
+-}
+-
+ int etnaviv_gpu_get_param(struct etnaviv_gpu *gpu, u32 param, u64 *value);
+ 
+ int etnaviv_gpu_init(struct etnaviv_gpu *gpu);
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-etnaviv-dump-fix-sparse-warnings.patch b/queue-4.19/drm-etnaviv-dump-fix-sparse-warnings.patch
new file mode 100644 (file)
index 0000000..24b23d3
--- /dev/null
+++ b/queue-4.19/drm-etnaviv-dump-fix-sparse-warnings.patch
@@ -0,0 +1,67 @@
+From 8766778b7be4449d134033042cbcd898a413318a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Dec 2020 20:51:10 +0100
+Subject: drm/etnaviv: dump: fix sparse warnings
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 03a2753936e85beb8239fd20ae3fb2ce90209212 ]
+
+This patch fixes the following sparse warnings, by adding the missing endianess
+conversion functions.
+
+| etnaviv/etnaviv_dump.c:78:26: warning: restricted __le32 degrades to integer
+| etnaviv/etnaviv_dump.c:88:26: warning: incorrect type in assignment (different base types)
+| etnaviv/etnaviv_dump.c:88:26:    expected restricted __le32 [usertype] reg
+| etnaviv/etnaviv_dump.c:88:26:    got unsigned short const
+| etnaviv/etnaviv_dump.c:89:28: warning: incorrect type in assignment (different base types)
+| etnaviv/etnaviv_dump.c:89:28:    expected restricted __le32 [usertype] value
+| etnaviv/etnaviv_dump.c:89:28:    got unsigned int
+| etnaviv/etnaviv_dump.c:210:43: warning: incorrect type in assignment (different base types)
+| etnaviv/etnaviv_dump.c:210:43:    expected restricted __le32
+| etnaviv/etnaviv_dump.c:210:43:    got long
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Stable-dep-of: 37dc4737447a ("drm/etnaviv: hold GPU lock across perfmon sampling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_dump.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_dump.c b/drivers/gpu/drm/etnaviv/etnaviv_dump.c
+index 9d839b4fd8f78..15bc7f20aed92 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_dump.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_dump.c
+@@ -73,7 +73,7 @@ static void etnaviv_core_dump_header(struct core_dump_iterator *iter,
+       hdr->file_size = cpu_to_le32(data_end - iter->data);
+ 
+       iter->hdr++;
+-      iter->data += hdr->file_size;
++      iter->data += le32_to_cpu(hdr->file_size);
+ }
+ 
+ static void etnaviv_core_dump_registers(struct core_dump_iterator *iter,
+@@ -83,8 +83,8 @@ static void etnaviv_core_dump_registers(struct core_dump_iterator *iter,
+       unsigned int i;
+ 
+       for (i = 0; i < ARRAY_SIZE(etnaviv_dump_registers); i++, reg++) {
+-              reg->reg = etnaviv_dump_registers[i];
+-              reg->value = gpu_read(gpu, etnaviv_dump_registers[i]);
++              reg->reg = cpu_to_le32(etnaviv_dump_registers[i]);
++              reg->value = cpu_to_le32(gpu_read(gpu, etnaviv_dump_registers[i]));
+       }
+ 
+       etnaviv_core_dump_header(iter, ETDUMP_BUF_REG, reg);
+@@ -220,7 +220,7 @@ void etnaviv_core_dump(struct etnaviv_gpu *gpu)
+               if (!IS_ERR(pages)) {
+                       int j;
+ 
+-                      iter.hdr->data[0] = bomap - bomap_start;
++                      iter.hdr->data[0] = cpu_to_le32((bomap - bomap_start));
+ 
+                       for (j = 0; j < obj->base.size >> PAGE_SHIFT; j++)
+                               *bomap++ = cpu_to_le64(page_to_phys(*pages++));
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-etnaviv-fix-power-register-offset-on-gc300.patch b/queue-4.19/drm-etnaviv-fix-power-register-offset-on-gc300.patch
new file mode 100644 (file)
index 0000000..17bc7c2
--- /dev/null
+++ b/queue-4.19/drm-etnaviv-fix-power-register-offset-on-gc300.patch
@@ -0,0 +1,158 @@
+From 53945a15bfcbd90e0d297d7754d4eaf760e561fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 13:29:39 -0700
+Subject: drm/etnaviv: fix power register offset on GC300
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit 61a6920bb604df3a0e389a2a9479e1e233e4461d ]
+
+Older GC300 revisions have their power registers at an offset of 0x200
+rather than 0x100. Add new gpu_read_power and gpu_write_power functions
+to encapsulate accesses to the power addresses and fix the addresses.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Stable-dep-of: 37dc4737447a ("drm/etnaviv: hold GPU lock across perfmon sampling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_dump.c |  7 ++++++-
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c  | 20 ++++++++++----------
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.h  | 21 +++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_dump.c b/drivers/gpu/drm/etnaviv/etnaviv_dump.c
+index 15bc7f20aed92..1112972e58954 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_dump.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_dump.c
+@@ -81,10 +81,15 @@ static void etnaviv_core_dump_registers(struct core_dump_iterator *iter,
+ {
+       struct etnaviv_dump_registers *reg = iter->data;
+       unsigned int i;
++      u32 read_addr;
+ 
+       for (i = 0; i < ARRAY_SIZE(etnaviv_dump_registers); i++, reg++) {
++              read_addr = etnaviv_dump_registers[i];
++              if (read_addr >= VIVS_PM_POWER_CONTROLS &&
++                  read_addr <= VIVS_PM_PULSE_EATER)
++                      read_addr = gpu_fix_power_address(gpu, read_addr);
+               reg->reg = cpu_to_le32(etnaviv_dump_registers[i]);
+-              reg->value = cpu_to_le32(gpu_read(gpu, etnaviv_dump_registers[i]));
++              reg->value = cpu_to_le32(gpu_read(gpu, read_addr));
+       }
+ 
+       etnaviv_core_dump_header(iter, ETDUMP_BUF_REG, reg);
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index 0ec4dc4cab1c4..ef82ad6251077 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -540,7 +540,7 @@ static void etnaviv_gpu_enable_mlcg(struct etnaviv_gpu *gpu)
+       u32 pmc, ppc;
+ 
+       /* enable clock gating */
+-      ppc = gpu_read(gpu, VIVS_PM_POWER_CONTROLS);
++      ppc = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+       ppc |= VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+ 
+       /* Disable stall module clock gating for 4.3.0.1 and 4.3.0.2 revs */
+@@ -548,9 +548,9 @@ static void etnaviv_gpu_enable_mlcg(struct etnaviv_gpu *gpu)
+           gpu->identity.revision == 0x4302)
+               ppc |= VIVS_PM_POWER_CONTROLS_DISABLE_STALL_MODULE_CLOCK_GATING;
+ 
+-      gpu_write(gpu, VIVS_PM_POWER_CONTROLS, ppc);
++      gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, ppc);
+ 
+-      pmc = gpu_read(gpu, VIVS_PM_MODULE_CONTROLS);
++      pmc = gpu_read_power(gpu, VIVS_PM_MODULE_CONTROLS);
+ 
+       /* Disable PA clock gating for GC400+ without bugfix except for GC420 */
+       if (gpu->identity.model >= chipModel_GC400 &&
+@@ -579,7 +579,7 @@ static void etnaviv_gpu_enable_mlcg(struct etnaviv_gpu *gpu)
+       pmc |= VIVS_PM_MODULE_CONTROLS_DISABLE_MODULE_CLOCK_GATING_RA_HZ;
+       pmc |= VIVS_PM_MODULE_CONTROLS_DISABLE_MODULE_CLOCK_GATING_RA_EZ;
+ 
+-      gpu_write(gpu, VIVS_PM_MODULE_CONTROLS, pmc);
++      gpu_write_power(gpu, VIVS_PM_MODULE_CONTROLS, pmc);
+ }
+ 
+ void etnaviv_gpu_start_fe(struct etnaviv_gpu *gpu, u32 address, u16 prefetch)
+@@ -620,11 +620,11 @@ static void etnaviv_gpu_setup_pulse_eater(struct etnaviv_gpu *gpu)
+           (gpu->identity.features & chipFeatures_PIPE_3D))
+       {
+               /* Performance fix: disable internal DFS */
+-              pulse_eater = gpu_read(gpu, VIVS_PM_PULSE_EATER);
++              pulse_eater = gpu_read_power(gpu, VIVS_PM_PULSE_EATER);
+               pulse_eater |= BIT(18);
+       }
+ 
+-      gpu_write(gpu, VIVS_PM_PULSE_EATER, pulse_eater);
++      gpu_write_power(gpu, VIVS_PM_PULSE_EATER, pulse_eater);
+ }
+ 
+ static void etnaviv_gpu_hw_init(struct etnaviv_gpu *gpu)
+@@ -1238,9 +1238,9 @@ static void sync_point_perfmon_sample_pre(struct etnaviv_gpu *gpu,
+       u32 val;
+ 
+       /* disable clock gating */
+-      val = gpu_read(gpu, VIVS_PM_POWER_CONTROLS);
++      val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+       val &= ~VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+-      gpu_write(gpu, VIVS_PM_POWER_CONTROLS, val);
++      gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, val);
+ 
+       /* enable debug register */
+       val = gpu_read(gpu, VIVS_HI_CLOCK_CONTROL);
+@@ -1271,9 +1271,9 @@ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+       gpu_write(gpu, VIVS_HI_CLOCK_CONTROL, val);
+ 
+       /* enable clock gating */
+-      val = gpu_read(gpu, VIVS_PM_POWER_CONTROLS);
++      val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+       val |= VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+-      gpu_write(gpu, VIVS_PM_POWER_CONTROLS, val);
++      gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, val);
+ }
+ 
+ 
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+index 939a415b7a9b2..dedc44e484a0f 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+@@ -11,6 +11,7 @@
+ 
+ #include "etnaviv_cmdbuf.h"
+ #include "etnaviv_drv.h"
++#include "common.xml.h"
+ 
+ struct etnaviv_gem_submit;
+ struct etnaviv_vram_mapping;
+@@ -162,6 +163,26 @@ static inline u32 gpu_read(struct etnaviv_gpu *gpu, u32 reg)
+       return readl(gpu->mmio + reg);
+ }
+ 
++static inline u32 gpu_fix_power_address(struct etnaviv_gpu *gpu, u32 reg)
++{
++      /* Power registers in GC300 < 2.0 are offset by 0x100 */
++      if (gpu->identity.model == chipModel_GC300 &&
++          gpu->identity.revision < 0x2000)
++              reg += 0x100;
++
++      return reg;
++}
++
++static inline void gpu_write_power(struct etnaviv_gpu *gpu, u32 reg, u32 data)
++{
++      writel(data, gpu->mmio + gpu_fix_power_address(gpu, reg));
++}
++
++static inline u32 gpu_read_power(struct etnaviv_gpu *gpu, u32 reg)
++{
++      return readl(gpu->mmio + gpu_fix_power_address(gpu, reg));
++}
++
+ int etnaviv_gpu_get_param(struct etnaviv_gpu *gpu, u32 param, u64 *value);
+ 
+ int etnaviv_gpu_init(struct etnaviv_gpu *gpu);
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-etnaviv-hold-gpu-lock-across-perfmon-sampling.patch b/queue-4.19/drm-etnaviv-hold-gpu-lock-across-perfmon-sampling.patch
new file mode 100644 (file)
index 0000000..4cdaf64
--- /dev/null
+++ b/queue-4.19/drm-etnaviv-hold-gpu-lock-across-perfmon-sampling.patch
@@ -0,0 +1,78 @@
+From a484e829e85830f08b671df071851d3ab36bbdd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jul 2024 22:00:09 +0200
+Subject: drm/etnaviv: hold GPU lock across perfmon sampling
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit 37dc4737447a7667f8e9ec790dac251da057eb27 ]
+
+The perfmon sampling mutates shared GPU state (e.g. VIVS_HI_CLOCK_CONTROL
+to select the pipe for the perf counter reads). To avoid clashing with
+other functions mutating the same state (e.g. etnaviv_gpu_update_clock)
+the perfmon sampling needs to hold the GPU lock.
+
+Fixes: 68dc0b295dcb ("drm/etnaviv: use 'sync points' for performance monitor requests")
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index ef82ad6251077..dec636b96531b 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -1237,6 +1237,8 @@ static void sync_point_perfmon_sample_pre(struct etnaviv_gpu *gpu,
+ {
+       u32 val;
+ 
++      mutex_lock(&gpu->lock);
++
+       /* disable clock gating */
+       val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+       val &= ~VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+@@ -1248,6 +1250,8 @@ static void sync_point_perfmon_sample_pre(struct etnaviv_gpu *gpu,
+       gpu_write(gpu, VIVS_HI_CLOCK_CONTROL, val);
+ 
+       sync_point_perfmon_sample(gpu, event, ETNA_PM_PROCESS_PRE);
++
++      mutex_unlock(&gpu->lock);
+ }
+ 
+ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+@@ -1257,13 +1261,9 @@ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+       unsigned int i;
+       u32 val;
+ 
+-      sync_point_perfmon_sample(gpu, event, ETNA_PM_PROCESS_POST);
+-
+-      for (i = 0; i < submit->nr_pmrs; i++) {
+-              const struct etnaviv_perfmon_request *pmr = submit->pmrs + i;
++      mutex_lock(&gpu->lock);
+ 
+-              *pmr->bo_vma = pmr->sequence;
+-      }
++      sync_point_perfmon_sample(gpu, event, ETNA_PM_PROCESS_POST);
+ 
+       /* disable debug register */
+       val = gpu_read(gpu, VIVS_HI_CLOCK_CONTROL);
+@@ -1274,6 +1274,14 @@ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+       val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+       val |= VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+       gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, val);
++
++      mutex_unlock(&gpu->lock);
++
++      for (i = 0; i < submit->nr_pmrs; i++) {
++              const struct etnaviv_perfmon_request *pmr = submit->pmrs + i;
++
++              *pmr->bo_vma = pmr->sequence;
++      }
+ }
+ 
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-fsl-dcu-convert-to-linux-irq-interfaces.patch b/queue-4.19/drm-fsl-dcu-convert-to-linux-irq-interfaces.patch
new file mode 100644 (file)
index 0000000..f75fef1
--- /dev/null
+++ b/queue-4.19/drm-fsl-dcu-convert-to-linux-irq-interfaces.patch
@@ -0,0 +1,160 @@
+From 8da59e00c00315fd1e9f9381c9c68b35dcee9765 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 11:06:54 +0200
+Subject: drm/fsl-dcu: Convert to Linux IRQ interfaces
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 03ac16e584e496230903ba20f2b4bbfd942a16b4 ]
+
+Drop the DRM IRQ midlayer in favor of Linux IRQ interfaces. DRM's
+IRQ helpers are mostly useful for UMS drivers. Modern KMS drivers
+don't benefit from using it. DRM IRQ callbacks are now being called
+directly or inlined.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210803090704.32152-5-tzimmermann@suse.de
+Stable-dep-of: ffcde9e44d3e ("drm: fsl-dcu: enable PIXCLK on LS1021A")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 77 ++++++++++++++---------
+ 1 file changed, 46 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+index c087ebc0ad4ed..7cc449e206435 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+@@ -53,7 +53,7 @@ static const struct regmap_config fsl_dcu_regmap_config = {
+       .volatile_reg = fsl_dcu_drm_is_volatile_reg,
+ };
+ 
+-static void fsl_dcu_irq_uninstall(struct drm_device *dev)
++static void fsl_dcu_irq_reset(struct drm_device *dev)
+ {
+       struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
+ 
+@@ -61,6 +61,45 @@ static void fsl_dcu_irq_uninstall(struct drm_device *dev)
+       regmap_write(fsl_dev->regmap, DCU_INT_MASK, ~0);
+ }
+ 
++static irqreturn_t fsl_dcu_drm_irq(int irq, void *arg)
++{
++      struct drm_device *dev = arg;
++      struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
++      unsigned int int_status;
++      int ret;
++
++      ret = regmap_read(fsl_dev->regmap, DCU_INT_STATUS, &int_status);
++      if (ret) {
++              dev_err(dev->dev, "read DCU_INT_STATUS failed\n");
++              return IRQ_NONE;
++      }
++
++      if (int_status & DCU_INT_STATUS_VBLANK)
++              drm_handle_vblank(dev, 0);
++
++      regmap_write(fsl_dev->regmap, DCU_INT_STATUS, int_status);
++
++      return IRQ_HANDLED;
++}
++
++static int fsl_dcu_irq_install(struct drm_device *dev, unsigned int irq)
++{
++      if (irq == IRQ_NOTCONNECTED)
++              return -ENOTCONN;
++
++      fsl_dcu_irq_reset(dev);
++
++      return request_irq(irq, fsl_dcu_drm_irq, 0, dev->driver->name, dev);
++}
++
++static void fsl_dcu_irq_uninstall(struct drm_device *dev)
++{
++      struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
++
++      fsl_dcu_irq_reset(dev);
++      free_irq(fsl_dev->irq, dev);
++}
++
+ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+ {
+       struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
+@@ -75,13 +114,13 @@ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+       ret = drm_vblank_init(dev, dev->mode_config.num_crtc);
+       if (ret < 0) {
+               dev_err(dev->dev, "failed to initialize vblank\n");
+-              goto done;
++              goto done_vblank;
+       }
+ 
+-      ret = drm_irq_install(dev, fsl_dev->irq);
++      ret = fsl_dcu_irq_install(dev, fsl_dev->irq);
+       if (ret < 0) {
+               dev_err(dev->dev, "failed to install IRQ handler\n");
+-              goto done;
++              goto done_irq;
+       }
+ 
+       if (legacyfb_depth != 16 && legacyfb_depth != 24 &&
+@@ -92,11 +131,11 @@ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+       }
+ 
+       return 0;
+-done:
++done_irq:
+       drm_kms_helper_poll_fini(dev);
+ 
+       drm_mode_config_cleanup(dev);
+-      drm_irq_uninstall(dev);
++done_vblank:
+       dev->dev_private = NULL;
+ 
+       return ret;
+@@ -108,32 +147,11 @@ static void fsl_dcu_unload(struct drm_device *dev)
+       drm_kms_helper_poll_fini(dev);
+ 
+       drm_mode_config_cleanup(dev);
+-      drm_irq_uninstall(dev);
++      fsl_dcu_irq_uninstall(dev);
+ 
+       dev->dev_private = NULL;
+ }
+ 
+-static irqreturn_t fsl_dcu_drm_irq(int irq, void *arg)
+-{
+-      struct drm_device *dev = arg;
+-      struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
+-      unsigned int int_status;
+-      int ret;
+-
+-      ret = regmap_read(fsl_dev->regmap, DCU_INT_STATUS, &int_status);
+-      if (ret) {
+-              dev_err(dev->dev, "read DCU_INT_STATUS failed\n");
+-              return IRQ_NONE;
+-      }
+-
+-      if (int_status & DCU_INT_STATUS_VBLANK)
+-              drm_handle_vblank(dev, 0);
+-
+-      regmap_write(fsl_dev->regmap, DCU_INT_STATUS, int_status);
+-
+-      return IRQ_HANDLED;
+-}
+-
+ DEFINE_DRM_GEM_CMA_FOPS(fsl_dcu_drm_fops);
+ 
+ static struct drm_driver fsl_dcu_drm_driver = {
+@@ -141,9 +159,6 @@ static struct drm_driver fsl_dcu_drm_driver = {
+                               | DRIVER_PRIME | DRIVER_ATOMIC,
+       .load                   = fsl_dcu_load,
+       .unload                 = fsl_dcu_unload,
+-      .irq_handler            = fsl_dcu_drm_irq,
+-      .irq_preinstall         = fsl_dcu_irq_uninstall,
+-      .irq_uninstall          = fsl_dcu_irq_uninstall,
+       DRM_GEM_CMA_DRIVER_OPS,
+       .fops                   = &fsl_dcu_drm_fops,
+       .name                   = "fsl-dcu-drm",
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-fsl-dcu-drop-drm_gem_prime_export-import.patch b/queue-4.19/drm-fsl-dcu-drop-drm_gem_prime_export-import.patch
new file mode 100644 (file)
index 0000000..619e4c4
--- /dev/null
+++ b/queue-4.19/drm-fsl-dcu-drop-drm_gem_prime_export-import.patch
@@ -0,0 +1,43 @@
+From fa00f9cd5b38ab30b3bca89790189bce728a7f39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2019 22:35:31 +0200
+Subject: drm/fsl-dcu: Drop drm_gem_prime_export/import
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+[ Upstream commit 40e546c5f9ca0054087ce5ee04de96a4f28e9a97 ]
+
+They're the default.
+
+Aside: Would be really nice to switch the others over to
+drm_gem_object_funcs.
+
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Acked-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Cc: Stefan Agner <stefan@agner.ch>
+Cc: Alison Wang <alison.wang@nxp.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190614203615.12639-16-daniel.vetter@ffwll.ch
+Stable-dep-of: ffcde9e44d3e ("drm: fsl-dcu: enable PIXCLK on LS1021A")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+index 15816141e5fbe..3eab7b4c16b2b 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+@@ -148,8 +148,6 @@ static struct drm_driver fsl_dcu_drm_driver = {
+       .gem_vm_ops             = &drm_gem_cma_vm_ops,
+       .prime_handle_to_fd     = drm_gem_prime_handle_to_fd,
+       .prime_fd_to_handle     = drm_gem_prime_fd_to_handle,
+-      .gem_prime_import       = drm_gem_prime_import,
+-      .gem_prime_export       = drm_gem_prime_export,
+       .gem_prime_get_sg_table = drm_gem_cma_prime_get_sg_table,
+       .gem_prime_import_sg_table = drm_gem_cma_prime_import_sg_table,
+       .gem_prime_vmap         = drm_gem_cma_prime_vmap,
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-fsl-dcu-enable-pixclk-on-ls1021a.patch b/queue-4.19/drm-fsl-dcu-enable-pixclk-on-ls1021a.patch
new file mode 100644 (file)
index 0000000..ffe79bb
--- /dev/null
+++ b/queue-4.19/drm-fsl-dcu-enable-pixclk-on-ls1021a.patch
@@ -0,0 +1,88 @@
+From 0fa1af0f28b410b701fe570b7fe2d8fd8bc53506 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 07:55:51 +0200
+Subject: drm: fsl-dcu: enable PIXCLK on LS1021A
+
+From: Matthias Schiffer <matthias.schiffer@tq-group.com>
+
+[ Upstream commit ffcde9e44d3e18fde3d18bfff8d9318935413bfd ]
+
+The PIXCLK needs to be enabled in SCFG before accessing certain DCU
+registers, or the access will hang. For simplicity, the PIXCLK is enabled
+unconditionally, resulting in increased power consumption.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Fixes: 109eee2f2a18 ("drm/layerscape: Add Freescale DCU DRM driver")
+Acked-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240926055552.1632448-2-alexander.stein@ew.tq-group.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/Kconfig           |  1 +
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 15 +++++++++++++++
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h |  3 +++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/Kconfig b/drivers/gpu/drm/fsl-dcu/Kconfig
+index 14a72c4c496d2..b48ea7b987eff 100644
+--- a/drivers/gpu/drm/fsl-dcu/Kconfig
++++ b/drivers/gpu/drm/fsl-dcu/Kconfig
+@@ -8,6 +8,7 @@ config DRM_FSL_DCU
+       select DRM_PANEL
+       select REGMAP_MMIO
+       select VIDEOMODE_HELPERS
++      select MFD_SYSCON if SOC_LS1021A
+       help
+         Choose this option if you have an Freescale DCU chipset.
+         If M is selected the module will be called fsl-dcu-drm.
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+index 7cc449e206435..4529c7390e768 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+@@ -103,6 +103,7 @@ static void fsl_dcu_irq_uninstall(struct drm_device *dev)
+ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+ {
+       struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
++      struct regmap *scfg;
+       int ret;
+ 
+       ret = fsl_dcu_drm_modeset_init(fsl_dev);
+@@ -111,6 +112,20 @@ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+               return ret;
+       }
+ 
++      scfg = syscon_regmap_lookup_by_compatible("fsl,ls1021a-scfg");
++      if (PTR_ERR(scfg) != -ENODEV) {
++              /*
++               * For simplicity, enable the PIXCLK unconditionally,
++               * resulting in increased power consumption. Disabling
++               * the clock in PM or on unload could be implemented as
++               * a future improvement.
++               */
++              ret = regmap_update_bits(scfg, SCFG_PIXCLKCR, SCFG_PIXCLKCR_PXCEN,
++                                       SCFG_PIXCLKCR_PXCEN);
++              if (ret < 0)
++                      return dev_err_probe(dev->dev, ret, "failed to enable pixclk\n");
++      }
++
+       ret = drm_vblank_init(dev, dev->mode_config.num_crtc);
+       if (ret < 0) {
+               dev_err(dev->dev, "failed to initialize vblank\n");
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
+index cb87bb74cb87a..75d7681d8df41 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
+@@ -164,6 +164,9 @@
+ #define FSL_DCU_ARGB4444              12
+ #define FSL_DCU_YUV422                        14
+ 
++#define SCFG_PIXCLKCR                 0x28
++#define SCFG_PIXCLKCR_PXCEN           BIT(31)
++
+ #define VF610_LAYER_REG_NUM           9
+ #define LS1021A_LAYER_REG_NUM         10
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-fsl-dcu-set-gem-cma-functions-with-drm_gem_cma_d.patch b/queue-4.19/drm-fsl-dcu-set-gem-cma-functions-with-drm_gem_cma_d.patch
new file mode 100644 (file)
index 0000000..d3d9c23
--- /dev/null
+++ b/queue-4.19/drm-fsl-dcu-set-gem-cma-functions-with-drm_gem_cma_d.patch
@@ -0,0 +1,42 @@
+From 4ec820ed8c6309a50836b84a87036a3503d0bc2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 09:32:15 +0200
+Subject: drm/fsl-dcu: Set GEM CMA functions with DRM_GEM_CMA_DRIVER_OPS
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 6a32e55d18b34a787f7beaacc912b30b58022646 ]
+
+DRM_GEM_CMA_DRIVER_OPS sets the functions in struct drm_driver
+to their defaults. No functional changes are made.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200605073247.4057-12-tzimmermann@suse.de
+Stable-dep-of: ffcde9e44d3e ("drm: fsl-dcu: enable PIXCLK on LS1021A")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+index a21c348f9a5e4..c087ebc0ad4ed 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+@@ -144,12 +144,7 @@ static struct drm_driver fsl_dcu_drm_driver = {
+       .irq_handler            = fsl_dcu_drm_irq,
+       .irq_preinstall         = fsl_dcu_irq_uninstall,
+       .irq_uninstall          = fsl_dcu_irq_uninstall,
+-      .gem_create_object      = drm_gem_cma_create_object_default_funcs,
+-      .prime_handle_to_fd     = drm_gem_prime_handle_to_fd,
+-      .prime_fd_to_handle     = drm_gem_prime_fd_to_handle,
+-      .gem_prime_import_sg_table = drm_gem_cma_prime_import_sg_table,
+-      .gem_prime_mmap         = drm_gem_cma_prime_mmap,
+-      .dumb_create            = drm_gem_cma_dumb_create,
++      DRM_GEM_CMA_DRIVER_OPS,
+       .fops                   = &fsl_dcu_drm_fops,
+       .name                   = "fsl-dcu-drm",
+       .desc                   = "Freescale DCU DRM",
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-fsl-dcu-use-drm_fbdev_generic_setup.patch b/queue-4.19/drm-fsl-dcu-use-drm_fbdev_generic_setup.patch
new file mode 100644 (file)
index 0000000..80230f2
--- /dev/null
+++ b/queue-4.19/drm-fsl-dcu-use-drm_fbdev_generic_setup.patch
@@ -0,0 +1,130 @@
+From a27dc355a8bce61aa9f16615f779c149f51fabe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Oct 2018 22:13:33 +0200
+Subject: drm/fsl-dcu: Use drm_fbdev_generic_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Noralf Trønnes <noralf@tronnes.org>
+
+[ Upstream commit f4d26fa9136427d3cb2959cee13e0900b8004850 ]
+
+The CMA helper is already using the drm_fb_helper_generic_probe part of
+the generic fbdev emulation. This patch makes full use of the generic
+fbdev emulation by using its drm_client callbacks. This means that
+drm_mode_config_funcs->output_poll_changed and drm_driver->lastclose are
+now handled by the emulation code. Additionally fbdev unregister happens
+automatically on drm_dev_unregister().
+
+The drm_fbdev_generic_setup() call is put after drm_dev_register() in the
+driver. This is done to highlight the fact that fbdev emulation is an
+internal client that makes use of the driver, it is not part of the
+driver as such. If fbdev setup fails, an error is printed, but the driver
+succeeds probing.
+
+Cc: Stefan Agner <stefan@agner.ch>
+Cc: Alison Wang <alison.wang@nxp.com>
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Acked-by: Stefan Agner <stefan@agner.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181025201340.34227-3-noralf@tronnes.org
+Stable-dep-of: ffcde9e44d3e ("drm: fsl-dcu: enable PIXCLK on LS1021A")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 25 +++--------------------
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h |  1 -
+ 2 files changed, 3 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+index 80232321a244a..15816141e5fbe 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+@@ -26,6 +26,7 @@
+ #include <drm/drm_atomic_helper.h>
+ #include <drm/drm_crtc_helper.h>
+ #include <drm/drm_fb_cma_helper.h>
++#include <drm/drm_fb_helper.h>
+ #include <drm/drm_gem_cma_helper.h>
+ #include <drm/drm_modeset_helper.h>
+ 
+@@ -89,20 +90,11 @@ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+                       "Invalid legacyfb_depth.  Defaulting to 24bpp\n");
+               legacyfb_depth = 24;
+       }
+-      fsl_dev->fbdev = drm_fbdev_cma_init(dev, legacyfb_depth, 1);
+-      if (IS_ERR(fsl_dev->fbdev)) {
+-              ret = PTR_ERR(fsl_dev->fbdev);
+-              fsl_dev->fbdev = NULL;
+-              goto done;
+-      }
+ 
+       return 0;
+ done:
+       drm_kms_helper_poll_fini(dev);
+ 
+-      if (fsl_dev->fbdev)
+-              drm_fbdev_cma_fini(fsl_dev->fbdev);
+-
+       drm_mode_config_cleanup(dev);
+       drm_irq_uninstall(dev);
+       dev->dev_private = NULL;
+@@ -112,14 +104,9 @@ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+ 
+ static void fsl_dcu_unload(struct drm_device *dev)
+ {
+-      struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
+-
+       drm_atomic_helper_shutdown(dev);
+       drm_kms_helper_poll_fini(dev);
+ 
+-      if (fsl_dev->fbdev)
+-              drm_fbdev_cma_fini(fsl_dev->fbdev);
+-
+       drm_mode_config_cleanup(dev);
+       drm_irq_uninstall(dev);
+ 
+@@ -147,19 +134,11 @@ static irqreturn_t fsl_dcu_drm_irq(int irq, void *arg)
+       return IRQ_HANDLED;
+ }
+ 
+-static void fsl_dcu_drm_lastclose(struct drm_device *dev)
+-{
+-      struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
+-
+-      drm_fbdev_cma_restore_mode(fsl_dev->fbdev);
+-}
+-
+ DEFINE_DRM_GEM_CMA_FOPS(fsl_dcu_drm_fops);
+ 
+ static struct drm_driver fsl_dcu_drm_driver = {
+       .driver_features        = DRIVER_HAVE_IRQ | DRIVER_GEM | DRIVER_MODESET
+                               | DRIVER_PRIME | DRIVER_ATOMIC,
+-      .lastclose              = fsl_dcu_drm_lastclose,
+       .load                   = fsl_dcu_load,
+       .unload                 = fsl_dcu_unload,
+       .irq_handler            = fsl_dcu_drm_irq,
+@@ -355,6 +334,8 @@ static int fsl_dcu_drm_probe(struct platform_device *pdev)
+       if (ret < 0)
+               goto unref;
+ 
++      drm_fbdev_generic_setup(drm, legacyfb_depth);
++
+       return 0;
+ 
+ unref:
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
+index 93bfb98012d46..cb87bb74cb87a 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
+@@ -191,7 +191,6 @@ struct fsl_dcu_drm_device {
+       /*protects hardware register*/
+       spinlock_t irq_lock;
+       struct drm_device *drm;
+-      struct drm_fbdev_cma *fbdev;
+       struct drm_crtc crtc;
+       struct drm_encoder encoder;
+       struct fsl_dcu_drm_connector connector;
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-fsl-dcu-use-gem-cma-object-functions.patch b/queue-4.19/drm-fsl-dcu-use-gem-cma-object-functions.patch
new file mode 100644 (file)
index 0000000..2884fb6
--- /dev/null
+++ b/queue-4.19/drm-fsl-dcu-use-gem-cma-object-functions.patch
@@ -0,0 +1,52 @@
+From 6fa71916025e93c3b96848b32adb4601acc46aa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 09:32:14 +0200
+Subject: drm/fsl-dcu: Use GEM CMA object functions
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 929027087f527ef1d9e906e4ebeca7eb3a36042e ]
+
+Create GEM objects with drm_gem_cma_create_object_default_funcs(), which
+allocates the object and sets CMA's default object functions. Corresponding
+callbacks in struct drm_driver are cleared. No functional changes are made.
+
+Driver and object-function instances use the same callback functions, with
+the exception of vunmap. The implementation of vunmap is empty and left out
+in CMA's default object functions.
+
+v3:
+       * convert to DRIVER_OPS macro in a separate patch
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200605073247.4057-11-tzimmermann@suse.de
+Stable-dep-of: ffcde9e44d3e ("drm: fsl-dcu: enable PIXCLK on LS1021A")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+index 3eab7b4c16b2b..a21c348f9a5e4 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+@@ -144,14 +144,10 @@ static struct drm_driver fsl_dcu_drm_driver = {
+       .irq_handler            = fsl_dcu_drm_irq,
+       .irq_preinstall         = fsl_dcu_irq_uninstall,
+       .irq_uninstall          = fsl_dcu_irq_uninstall,
+-      .gem_free_object_unlocked = drm_gem_cma_free_object,
+-      .gem_vm_ops             = &drm_gem_cma_vm_ops,
++      .gem_create_object      = drm_gem_cma_create_object_default_funcs,
+       .prime_handle_to_fd     = drm_gem_prime_handle_to_fd,
+       .prime_fd_to_handle     = drm_gem_prime_fd_to_handle,
+-      .gem_prime_get_sg_table = drm_gem_cma_prime_get_sg_table,
+       .gem_prime_import_sg_table = drm_gem_cma_prime_import_sg_table,
+-      .gem_prime_vmap         = drm_gem_cma_prime_vmap,
+-      .gem_prime_vunmap       = drm_gem_cma_prime_vunmap,
+       .gem_prime_mmap         = drm_gem_cma_prime_mmap,
+       .dumb_create            = drm_gem_cma_dumb_create,
+       .fops                   = &fsl_dcu_drm_fops,
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-i915-gtt-enable-full-ppgtt-by-default-everywhere.patch b/queue-4.19/drm-i915-gtt-enable-full-ppgtt-by-default-everywhere.patch
new file mode 100644 (file)
index 0000000..9c7c6a1
--- /dev/null
+++ b/queue-4.19/drm-i915-gtt-enable-full-ppgtt-by-default-everywhere.patch
@@ -0,0 +1,57 @@
+From c7c86da98184db682dbccd378c003911da94f178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jul 2018 10:57:50 +0100
+Subject: drm/i915/gtt: Enable full-ppgtt by default everywhere
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 79556df293b2efbb3ccebb6db02120d62e348b44 ]
+
+We should we have all the kinks worked out and full-ppgtt now works
+reliably on gen7 (Ivybridge, Valleyview/Baytrail and Haswell). If we can
+let userspace have full control over their own ppgtt, it makes softpinning
+far more effective, in turn making GPU dispatch far more efficient by
+virtue of better mm segregation.  On the other hand, switching over to a
+different GTT for every client does incur noticeable overhead, but only
+for very lightweight tasks.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: Matthew Auld <matthew.william.auld@gmail.com>
+Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Jason Ekstrand <jason.ekstrand@intel.com>
+Cc: Kenneth Graunke <kenneth@whitecape.org>
+Acked-by: Kenneth Graunke <kenneth@whitecape.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180717095751.1034-1-chris@chris-wilson.co.uk
+Stable-dep-of: ffcde9e44d3e ("drm: fsl-dcu: enable PIXCLK on LS1021A")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
+index d4c6aa7fbac8d..0b5b45fe0fe78 100644
+--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
+@@ -180,13 +180,11 @@ int intel_sanitize_enable_ppgtt(struct drm_i915_private *dev_priv,
+               return 0;
+       }
+ 
+-      if (HAS_LOGICAL_RING_CONTEXTS(dev_priv)) {
+-              if (has_full_48bit_ppgtt)
+-                      return 3;
++      if (has_full_48bit_ppgtt)
++              return 3;
+ 
+-              if (has_full_ppgtt)
+-                      return 2;
+-      }
++      if (has_full_ppgtt)
++              return 2;
+ 
+       return 1;
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-imx-ipuv3-use-irqf_no_autoen-flag-in-request_irq.patch b/queue-4.19/drm-imx-ipuv3-use-irqf_no_autoen-flag-in-request_irq.patch
new file mode 100644 (file)
index 0000000..96f810e
--- /dev/null
+++ b/queue-4.19/drm-imx-ipuv3-use-irqf_no_autoen-flag-in-request_irq.patch
@@ -0,0 +1,48 @@
+From 2b902ef13f113929c4ff47637fc10a16dc4d3774 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 16:30:18 +0800
+Subject: drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 40004709a3d3b07041a473a163ca911ef04ab8bd ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 47b1be5c0f4e ("staging: imx/drm: request irq only after adding the crtc")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240912083020.3720233-4-ruanjinjie@huawei.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
+index 824c90dca7306..0bd1f9903f1aa 100644
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -389,14 +389,12 @@ static int ipu_crtc_init(struct ipu_crtc *ipu_crtc,
+       }
+ 
+       ipu_crtc->irq = ipu_plane_irq(ipu_crtc->plane[0]);
+-      ret = devm_request_irq(ipu_crtc->dev, ipu_crtc->irq, ipu_irq_handler, 0,
+-                      "imx_drm", ipu_crtc);
++      ret = devm_request_irq(ipu_crtc->dev, ipu_crtc->irq, ipu_irq_handler,
++                             IRQF_NO_AUTOEN, "imx_drm", ipu_crtc);
+       if (ret < 0) {
+               dev_err(ipu_crtc->dev, "irq request failed with %d.\n", ret);
+               goto err_put_plane1_res;
+       }
+-      /* Only enable IRQ when we actually need it to trigger work. */
+-      disable_irq(ipu_crtc->irq);
+ 
+       return 0;
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-mm-mark-drm_mm_interval_tree-functions-with-__ma.patch b/queue-4.19/drm-mm-mark-drm_mm_interval_tree-functions-with-__ma.patch
new file mode 100644 (file)
index 0000000..3a80892
--- /dev/null
+++ b/queue-4.19/drm-mm-mark-drm_mm_interval_tree-functions-with-__ma.patch
@@ -0,0 +1,52 @@
+From f66c800ff539f193d6f457d79cfd8903b68a3b3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 18:46:40 +0300
+Subject: drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 53bd7c1c0077db533472ae32799157758302ef48 ]
+
+The INTERVAL_TREE_DEFINE() uncoditionally provides a bunch of helper
+functions which in some cases may be not used. This, in particular,
+prevents kernel builds with clang, `make W=1` and CONFIG_WERROR=y:
+
+.../drm/drm_mm.c:152:1: error: unused function 'drm_mm_interval_tree_insert' [-Werror,-Wunused-function]
+  152 | INTERVAL_TREE_DEFINE(struct drm_mm_node, rb,
+      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  153 |                      u64, __subtree_last,
+      |                      ~~~~~~~~~~~~~~~~~~~~
+  154 |                      START, LAST, static inline, drm_mm_interval_tree)
+      |                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fix this by marking drm_mm_interval_tree*() functions with __maybe_unused.
+
+See also commit 6863f5643dd7 ("kbuild: allow Clang to find unused static
+inline functions for W=1 build").
+
+Fixes: 202b52b7fbf7 ("drm: Track drm_mm nodes with an interval tree")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240829154640.1120050-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_mm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_mm.c b/drivers/gpu/drm/drm_mm.c
+index 3cc5fbd78ee20..d7d9fc093c30f 100644
+--- a/drivers/gpu/drm/drm_mm.c
++++ b/drivers/gpu/drm/drm_mm.c
+@@ -164,7 +164,7 @@ static void show_leaks(struct drm_mm *mm) { }
+ 
+ INTERVAL_TREE_DEFINE(struct drm_mm_node, rb,
+                    u64, __subtree_last,
+-                   START, LAST, static inline, drm_mm_interval_tree)
++                   START, LAST, static inline __maybe_unused, drm_mm_interval_tree)
+ 
+ struct drm_mm_node *
+ __drm_mm_interval_first(const struct drm_mm *mm, u64 start, u64 last)
+-- 
+2.43.0
+

diff --git a/queue-4.19/drm-omap-fix-locking-in-omap_gem_new_dmabuf.patch b/queue-4.19/drm-omap-fix-locking-in-omap_gem_new_dmabuf.patch
new file mode 100644 (file)
index 0000000..7e0c267
--- /dev/null
+++ b/queue-4.19/drm-omap-fix-locking-in-omap_gem_new_dmabuf.patch
@@ -0,0 +1,76 @@
+From 001034ede578c02cfb31607667ac612ef14a827e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 16:50:29 +0300
+Subject: drm/omap: Fix locking in omap_gem_new_dmabuf()
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit e6a1c4037227539373c8cf484ace83833e2ad6a2 ]
+
+omap_gem_new_dmabuf() creates the new gem object, and then takes and
+holds the omap_obj->lock for the rest of the function. This has two
+issues:
+
+- omap_gem_free_object(), which is called in the error paths, also takes
+  the same lock, leading to deadlock
+- Even if the above wouldn't happen, in the error cases
+  omap_gem_new_dmabuf() still unlocks omap_obj->lock, even after the
+  omap_obj has already been freed.
+
+Furthermore, I don't think there's any reason to take the lock at all,
+as the object was just created and not yet shared with anyone else.
+
+To fix all this, drop taking the lock.
+
+Fixes: 3cbd0c587b12 ("drm/omap: gem: Replace struct_mutex usage with omap_obj private lock")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/511b99d7-aade-4f92-bd3e-63163a13d617@stanley.mountain/
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240806-omapdrm-misc-fixes-v1-3-15d31aea0831@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/omapdrm/omap_gem.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
+index 4ba5d035c5909..4834c1846e435 100644
+--- a/drivers/gpu/drm/omapdrm/omap_gem.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem.c
+@@ -1253,8 +1253,6 @@ struct drm_gem_object *omap_gem_new_dmabuf(struct drm_device *dev, size_t size,
+ 
+       omap_obj = to_omap_bo(obj);
+ 
+-      mutex_lock(&omap_obj->lock);
+-
+       omap_obj->sgt = sgt;
+ 
+       if (sgt->orig_nents == 1) {
+@@ -1270,8 +1268,7 @@ struct drm_gem_object *omap_gem_new_dmabuf(struct drm_device *dev, size_t size,
+               pages = kcalloc(npages, sizeof(*pages), GFP_KERNEL);
+               if (!pages) {
+                       omap_gem_free_object(obj);
+-                      obj = ERR_PTR(-ENOMEM);
+-                      goto done;
++                      return ERR_PTR(-ENOMEM);
+               }
+ 
+               omap_obj->pages = pages;
+@@ -1284,13 +1281,10 @@ struct drm_gem_object *omap_gem_new_dmabuf(struct drm_device *dev, size_t size,
+ 
+               if (WARN_ON(i != npages)) {
+                       omap_gem_free_object(obj);
+-                      obj = ERR_PTR(-ENOMEM);
+-                      goto done;
++                      return ERR_PTR(-ENOMEM);
+               }
+       }
+ 
+-done:
+-      mutex_unlock(&omap_obj->lock);
+       return obj;
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/dt-bindings-clock-adi-axi-clkgen-convert-old-binding.patch b/queue-4.19/dt-bindings-clock-adi-axi-clkgen-convert-old-binding.patch
new file mode 100644 (file)
index 0000000..712bbfd
--- /dev/null
+++ b/queue-4.19/dt-bindings-clock-adi-axi-clkgen-convert-old-binding.patch
@@ -0,0 +1,127 @@
+From 87f8ff4ae23b8b9a3aea2faf8b177e606ec42545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 17:34:20 +0300
+Subject: dt-bindings: clock: adi,axi-clkgen: convert old binding to yaml
+ format
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+[ Upstream commit bd91abb218e0ac4a7402d6c25d383e2a706bb511 ]
+
+This change converts the old binding for the AXI clkgen driver to a yaml
+format.
+
+As maintainers, added:
+ - Lars-Peter Clausen <lars@metafoo.de> - as original author of driver &
+   binding
+ - Michael Hennerich <michael.hennerich@analog.com> - as supporter of
+   Analog Devices drivers
+
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Acked-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Link: https://lore.kernel.org/r/20201013143421.84188-1-alexandru.ardelean@analog.com
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 47f3f5a82a31 ("dt-bindings: clock: axi-clkgen: include AXI clk")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/clock/adi,axi-clkgen.yaml        | 53 +++++++++++++++++++
+ .../devicetree/bindings/clock/axi-clkgen.txt  | 25 ---------
+ 2 files changed, 53 insertions(+), 25 deletions(-)
+ create mode 100644 Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
+ delete mode 100644 Documentation/devicetree/bindings/clock/axi-clkgen.txt
+
+diff --git a/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml b/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
+new file mode 100644
+index 0000000000000..0d06387184d68
+--- /dev/null
++++ b/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
+@@ -0,0 +1,53 @@
++# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
++%YAML 1.2
++---
++$id: http://devicetree.org/schemas/clock/adi,axi-clkgen.yaml#
++$schema: http://devicetree.org/meta-schemas/core.yaml#
++
++title: Binding for Analog Devices AXI clkgen pcore clock generator
++
++maintainers:
++  - Lars-Peter Clausen <lars@metafoo.de>
++  - Michael Hennerich <michael.hennerich@analog.com>
++
++description: |
++  The axi_clkgen IP core is a software programmable clock generator,
++  that can be synthesized on various FPGA platforms.
++
++  Link: https://wiki.analog.com/resources/fpga/docs/axi_clkgen
++
++properties:
++  compatible:
++    enum:
++      - adi,axi-clkgen-2.00.a
++
++  clocks:
++    description:
++      Specifies the reference clock(s) from which the output frequency is
++      derived. This must either reference one clock if only the first clock
++      input is connected or two if both clock inputs are connected.
++    minItems: 1
++    maxItems: 2
++
++  '#clock-cells':
++    const: 0
++
++  reg:
++    maxItems: 1
++
++required:
++  - compatible
++  - reg
++  - clocks
++  - '#clock-cells'
++
++additionalProperties: false
++
++examples:
++  - |
++    clock-controller@ff000000 {
++      compatible = "adi,axi-clkgen-2.00.a";
++      #clock-cells = <0>;
++      reg = <0xff000000 0x1000>;
++      clocks = <&osc 1>;
++    };
+diff --git a/Documentation/devicetree/bindings/clock/axi-clkgen.txt b/Documentation/devicetree/bindings/clock/axi-clkgen.txt
+deleted file mode 100644
+index aca94fe9416f0..0000000000000
+--- a/Documentation/devicetree/bindings/clock/axi-clkgen.txt
++++ /dev/null
+@@ -1,25 +0,0 @@
+-Binding for the axi-clkgen clock generator
+-
+-This binding uses the common clock binding[1].
+-
+-[1] Documentation/devicetree/bindings/clock/clock-bindings.txt
+-
+-Required properties:
+-- compatible : shall be "adi,axi-clkgen-1.00.a" or "adi,axi-clkgen-2.00.a".
+-- #clock-cells : from common clock binding; Should always be set to 0.
+-- reg : Address and length of the axi-clkgen register set.
+-- clocks : Phandle and clock specifier for the parent clock(s). This must
+-      either reference one clock if only the first clock input is connected or two
+-      if both clock inputs are connected. For the later case the clock connected
+-      to the first input must be specified first.
+-
+-Optional properties:
+-- clock-output-names : From common clock binding.
+-
+-Example:
+-      clock@ff000000 {
+-              compatible = "adi,axi-clkgen";
+-              #clock-cells = <0>;
+-              reg = <0xff000000 0x1000>;
+-              clocks = <&osc 1>;
+-      };
+-- 
+2.43.0
+

diff --git a/queue-4.19/dt-bindings-clock-axi-clkgen-include-axi-clk.patch b/queue-4.19/dt-bindings-clock-axi-clkgen-include-axi-clk.patch
new file mode 100644 (file)
index 0000000..2c4b60a
--- /dev/null
+++ b/queue-4.19/dt-bindings-clock-axi-clkgen-include-axi-clk.patch
@@ -0,0 +1,72 @@
+From cf3a684075448568745fe372d3366d8d9f1e3851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 14:59:41 +0100
+Subject: dt-bindings: clock: axi-clkgen: include AXI clk
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+[ Upstream commit 47f3f5a82a31527e027929c5cec3dd1ef5ef30f5 ]
+
+In order to access the registers of the HW, we need to make sure that
+the AXI bus clock is enabled. Hence let's increase the number of clocks
+by one and add clock-names to differentiate between parent clocks and
+the bus clock.
+
+Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20241029-axi-clkgen-fix-axiclk-v2-1-bc5e0733ad76@analog.com
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/clock/adi,axi-clkgen.yaml        | 22 +++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml b/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
+index 0d06387184d68..bb2eec3021a09 100644
+--- a/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
++++ b/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
+@@ -25,9 +25,21 @@ properties:
+     description:
+       Specifies the reference clock(s) from which the output frequency is
+       derived. This must either reference one clock if only the first clock
+-      input is connected or two if both clock inputs are connected.
+-    minItems: 1
+-    maxItems: 2
++      input is connected or two if both clock inputs are connected. The last
++      clock is the AXI bus clock that needs to be enabled so we can access the
++      core registers.
++    minItems: 2
++    maxItems: 3
++
++  clock-names:
++    oneOf:
++      - items:
++          - const: clkin1
++          - const: s_axi_aclk
++      - items:
++          - const: clkin1
++          - const: clkin2
++          - const: s_axi_aclk
+ 
+   '#clock-cells':
+     const: 0
+@@ -39,6 +51,7 @@ required:
+   - compatible
+   - reg
+   - clocks
++  - clock-names
+   - '#clock-cells'
+ 
+ additionalProperties: false
+@@ -49,5 +62,6 @@ examples:
+       compatible = "adi,axi-clkgen-2.00.a";
+       #clock-cells = <0>;
+       reg = <0xff000000 0x1000>;
+-      clocks = <&osc 1>;
++      clocks = <&osc 1>, <&clkc 15>;
++      clock-names = "clkin1", "s_axi_aclk";
+     };
+-- 
+2.43.0
+

diff --git a/queue-4.19/edac-fsl_ddr-fix-bad-bit-shift-operations.patch b/queue-4.19/edac-fsl_ddr-fix-bad-bit-shift-operations.patch
new file mode 100644 (file)
index 0000000..f1f515f
--- /dev/null
+++ b/queue-4.19/edac-fsl_ddr-fix-bad-bit-shift-operations.patch
@@ -0,0 +1,75 @@
+From 6c8b185b5c641d9ed8a388976c21d89c3401b230 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 16:31:11 -0400
+Subject: EDAC/fsl_ddr: Fix bad bit shift operations
+
+From: Priyanka Singh <priyanka.singh@nxp.com>
+
+[ Upstream commit 9ec22ac4fe766c6abba845290d5139a3fbe0153b ]
+
+Fix undefined behavior caused by left-shifting a negative value in the
+expression:
+
+    cap_high ^ (1 << (bad_data_bit - 32))
+
+The variable bad_data_bit ranges from 0 to 63. When it is less than 32,
+bad_data_bit - 32 becomes negative, and left-shifting by a negative
+value in C is undefined behavior.
+
+Fix this by combining cap_high and cap_low into a 64-bit variable.
+
+  [ bp: Massage commit message, simplify error bits handling. ]
+
+Fixes: ea2eb9a8b620 ("EDAC, fsl-ddr: Separate FSL DDR driver from MPC85xx")
+Signed-off-by: Priyanka Singh <priyanka.singh@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20241016-imx95_edac-v3-3-86ae6fc2756a@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/fsl_ddr_edac.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/edac/fsl_ddr_edac.c b/drivers/edac/fsl_ddr_edac.c
+index efc8276d1d9cc..1b06a0bb90abb 100644
+--- a/drivers/edac/fsl_ddr_edac.c
++++ b/drivers/edac/fsl_ddr_edac.c
+@@ -327,21 +327,25 @@ static void fsl_mc_check(struct mem_ctl_info *mci)
+        * TODO: Add support for 32-bit wide buses
+        */
+       if ((err_detect & DDR_EDE_SBE) && (bus_width == 64)) {
++              u64 cap = (u64)cap_high << 32 | cap_low;
++              u32 s = syndrome;
++
+               sbe_ecc_decode(cap_high, cap_low, syndrome,
+                               &bad_data_bit, &bad_ecc_bit);
+ 
+-              if (bad_data_bit != -1)
+-                      fsl_mc_printk(mci, KERN_ERR,
+-                              "Faulty Data bit: %d\n", bad_data_bit);
+-              if (bad_ecc_bit != -1)
+-                      fsl_mc_printk(mci, KERN_ERR,
+-                              "Faulty ECC bit: %d\n", bad_ecc_bit);
++              if (bad_data_bit >= 0) {
++                      fsl_mc_printk(mci, KERN_ERR, "Faulty Data bit: %d\n", bad_data_bit);
++                      cap ^= 1ULL << bad_data_bit;
++              }
++
++              if (bad_ecc_bit >= 0) {
++                      fsl_mc_printk(mci, KERN_ERR, "Faulty ECC bit: %d\n", bad_ecc_bit);
++                      s ^= 1 << bad_ecc_bit;
++              }
+ 
+               fsl_mc_printk(mci, KERN_ERR,
+                       "Expected Data / ECC:\t%#8.8x_%08x / %#2.2x\n",
+-                      cap_high ^ (1 << (bad_data_bit - 32)),
+-                      cap_low ^ (1 << bad_data_bit),
+-                      syndrome ^ (1 << bad_ecc_bit));
++                      upper_32_bits(cap), lower_32_bits(cap), s);
+       }
+ 
+       fsl_mc_printk(mci, KERN_ERR,
+-- 
+2.43.0
+

diff --git a/queue-4.19/fbdev-sh7760fb-alloc-dma-memory-from-hardware-device.patch b/queue-4.19/fbdev-sh7760fb-alloc-dma-memory-from-hardware-device.patch
new file mode 100644 (file)
index 0000000..f3c00de
--- /dev/null
+++ b/queue-4.19/fbdev-sh7760fb-alloc-dma-memory-from-hardware-device.patch
@@ -0,0 +1,65 @@
+From 3eb35dfa3f5817dffbd97797e6da28c3f8036f72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 13:07:02 +0200
+Subject: fbdev/sh7760fb: Alloc DMA memory from hardware device
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 8404e56f4bc1d1a65bfc98450ba3dae5e653dda1 ]
+
+Pass the hardware device to the DMA helpers dma_alloc_coherent() and
+dma_free_coherent(). The fbdev device that is currently being used is
+a software device and does not provide DMA memory. Also update the
+related dev_*() output statements similarly.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230613110953.24176-28-tzimmermann@suse.de
+Stable-dep-of: f89d17ae2ac4 ("fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sh7760fb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/video/fbdev/sh7760fb.c b/drivers/video/fbdev/sh7760fb.c
+index 96de91d766230..c8ba3aeb32778 100644
+--- a/drivers/video/fbdev/sh7760fb.c
++++ b/drivers/video/fbdev/sh7760fb.c
+@@ -362,7 +362,7 @@ static void sh7760fb_free_mem(struct fb_info *info)
+       if (!info->screen_base)
+               return;
+ 
+-      dma_free_coherent(info->dev, info->screen_size,
++      dma_free_coherent(info->device, info->screen_size,
+                         info->screen_base, par->fbdma);
+ 
+       par->fbdma = 0;
+@@ -411,14 +411,14 @@ static int sh7760fb_alloc_mem(struct fb_info *info)
+       if (vram < PAGE_SIZE)
+               vram = PAGE_SIZE;
+ 
+-      fbmem = dma_alloc_coherent(info->dev, vram, &par->fbdma, GFP_KERNEL);
++      fbmem = dma_alloc_coherent(info->device, vram, &par->fbdma, GFP_KERNEL);
+ 
+       if (!fbmem)
+               return -ENOMEM;
+ 
+       if ((par->fbdma & SH7760FB_DMA_MASK) != SH7760FB_DMA_MASK) {
+               sh7760fb_free_mem(info);
+-              dev_err(info->dev, "kernel gave me memory at 0x%08lx, which is"
++              dev_err(info->device, "kernel gave me memory at 0x%08lx, which is"
+                       "unusable for the LCDC\n", (unsigned long)par->fbdma);
+               return -ENOMEM;
+       }
+@@ -489,7 +489,7 @@ static int sh7760fb_probe(struct platform_device *pdev)
+ 
+       ret = sh7760fb_alloc_mem(info);
+       if (ret) {
+-              dev_dbg(info->dev, "framebuffer memory allocation failed!\n");
++              dev_dbg(info->device, "framebuffer memory allocation failed!\n");
+               goto out_unmap;
+       }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/fbdev-sh7760fb-fix-a-possible-memory-leak-in-sh7760f.patch b/queue-4.19/fbdev-sh7760fb-fix-a-possible-memory-leak-in-sh7760f.patch
new file mode 100644 (file)
index 0000000..1ebc4c7
--- /dev/null
+++ b/queue-4.19/fbdev-sh7760fb-fix-a-possible-memory-leak-in-sh7760f.patch
@@ -0,0 +1,43 @@
+From be35f6e5a868e7b17bbd6e4764317e9f1869a150 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 11:56:34 +0800
+Subject: fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit f89d17ae2ac42931be2a0153fecbf8533280c927 ]
+
+When information such as info->screen_base is not ready, calling
+sh7760fb_free_mem() does not release memory correctly. Call
+dma_free_coherent() instead.
+
+Fixes: 4a25e41831ee ("video: sh7760fb: SH7760/SH7763 LCDC framebuffer driver")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sh7760fb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/sh7760fb.c b/drivers/video/fbdev/sh7760fb.c
+index c8ba3aeb32778..d4ef70b178859 100644
+--- a/drivers/video/fbdev/sh7760fb.c
++++ b/drivers/video/fbdev/sh7760fb.c
+@@ -412,12 +412,11 @@ static int sh7760fb_alloc_mem(struct fb_info *info)
+               vram = PAGE_SIZE;
+ 
+       fbmem = dma_alloc_coherent(info->device, vram, &par->fbdma, GFP_KERNEL);
+-
+       if (!fbmem)
+               return -ENOMEM;
+ 
+       if ((par->fbdma & SH7760FB_DMA_MASK) != SH7760FB_DMA_MASK) {
+-              sh7760fb_free_mem(info);
++              dma_free_coherent(info->device, vram, fbmem, par->fbdma);
+               dev_err(info->device, "kernel gave me memory at 0x%08lx, which is"
+                       "unusable for the LCDC\n", (unsigned long)par->fbdma);
+               return -ENOMEM;
+-- 
+2.43.0
+

diff --git a/queue-4.19/firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch b/queue-4.19/firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
new file mode 100644 (file)
index 0000000..0dacff7
--- /dev/null
+++ b/queue-4.19/firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
@@ -0,0 +1,93 @@
+From 3aace79204a629223ef553b383a4c6aff4447922 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 11:21:15 +0800
+Subject: firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
+
+From: Luo Qiu <luoqiu@kylinsec.com.cn>
+
+[ Upstream commit 109aa654f85c5141e813b2cd1bd36d90be678407 ]
+
+Fix a kernel crash with the below call trace when the SCPI firmware
+returns OPP count of zero.
+
+dvfs_info.opp_count may be zero on some platforms during the reboot
+test, and the kernel will crash after dereferencing the pointer to
+kcalloc(info->count, sizeof(*opp), GFP_KERNEL).
+
+  |  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
+  |  Mem abort info:
+  |    ESR = 0x96000004
+  |    Exception class = DABT (current EL), IL = 32 bits
+  |    SET = 0, FnV = 0
+  |    EA = 0, S1PTW = 0
+  |  Data abort info:
+  |    ISV = 0, ISS = 0x00000004
+  |    CM = 0, WnR = 0
+  |  user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000faefa08c
+  |  [0000000000000028] pgd=0000000000000000
+  |  Internal error: Oops: 96000004 [#1] SMP
+  |  scpi-hwmon: probe of PHYT000D:00 failed with error -110
+  |  Process systemd-udevd (pid: 1701, stack limit = 0x00000000aaede86c)
+  |  CPU: 2 PID: 1701 Comm: systemd-udevd Not tainted 4.19.90+ #1
+  |  Hardware name: PHYTIUM LTD Phytium FT2000/4/Phytium FT2000/4, BIOS
+  |  pstate: 60000005 (nZCv daif -PAN -UAO)
+  |  pc : scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
+  |  lr : clk_register+0x438/0x720
+  |  Call trace:
+  |   scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
+  |   devm_clk_hw_register+0x50/0xa0
+  |   scpi_clk_ops_init.isra.2+0xa0/0x138 [clk_scpi]
+  |   scpi_clocks_probe+0x528/0x70c [clk_scpi]
+  |   platform_drv_probe+0x58/0xa8
+  |   really_probe+0x260/0x3d0
+  |   driver_probe_device+0x12c/0x148
+  |   device_driver_attach+0x74/0x98
+  |   __driver_attach+0xb4/0xe8
+  |   bus_for_each_dev+0x88/0xe0
+  |   driver_attach+0x30/0x40
+  |   bus_add_driver+0x178/0x2b0
+  |   driver_register+0x64/0x118
+  |   __platform_driver_register+0x54/0x60
+  |   scpi_clocks_driver_init+0x24/0x1000 [clk_scpi]
+  |   do_one_initcall+0x54/0x220
+  |   do_init_module+0x54/0x1c8
+  |   load_module+0x14a4/0x1668
+  |   __se_sys_finit_module+0xf8/0x110
+  |   __arm64_sys_finit_module+0x24/0x30
+  |   el0_svc_common+0x78/0x170
+  |   el0_svc_handler+0x38/0x78
+  |   el0_svc+0x8/0x340
+  |  Code: 937d7c00 a94153f3 a8c27bfd f9400421 (b8606820)
+  |  ---[ end trace 06feb22469d89fa8 ]---
+  |  Kernel panic - not syncing: Fatal exception
+  |  SMP: stopping secondary CPUs
+  |  Kernel Offset: disabled
+  |  CPU features: 0x10,a0002008
+  |  Memory Limit: none
+
+Fixes: 8cb7cf56c9fe ("firmware: add support for ARM System Control and Power Interface(SCPI) protocol")
+Signed-off-by: Luo Qiu <luoqiu@kylinsec.com.cn>
+Message-Id: <55A2F7A784391686+20241101032115.275977-1-luoqiu@kylinsec.com.cn>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index 1ce27bb9deada..2745a596e1d18 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -638,6 +638,9 @@ static struct scpi_dvfs_info *scpi_dvfs_get_info(u8 domain)
+       if (ret)
+               return ERR_PTR(ret);
+ 
++      if (!buf.opp_count)
++              return ERR_PTR(-ENOENT);
++
+       info = kmalloc(sizeof(*info), GFP_KERNEL);
+       if (!info)
+               return ERR_PTR(-ENOMEM);
+-- 
+2.43.0
+

diff --git a/queue-4.19/hfsplus-don-t-query-the-device-logical-block-size-mu.patch b/queue-4.19/hfsplus-don-t-query-the-device-logical-block-size-mu.patch
new file mode 100644 (file)
index 0000000..c264be4
--- /dev/null
+++ b/queue-4.19/hfsplus-don-t-query-the-device-logical-block-size-mu.patch
@@ -0,0 +1,139 @@
+From 3c7795ce74b9a7e3d75a321cb41d57bf9ba22b66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 08:41:09 -0300
+Subject: hfsplus: don't query the device logical block size multiple times
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 1c82587cb57687de3f18ab4b98a8850c789bedcf ]
+
+Devices block sizes may change. One of these cases is a loop device by
+using ioctl LOOP_SET_BLOCK_SIZE.
+
+While this may cause other issues like IO being rejected, in the case of
+hfsplus, it will allocate a block by using that size and potentially write
+out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the
+latter function reads a different io_size.
+
+Using a new min_io_size initally set to sb_min_blocksize works for the
+purposes of the original fix, since it will be set to the max between
+HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the
+max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not
+initialized.
+
+Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024
+and 4096.
+
+The produced KASAN report before the fix looks like this:
+
+[  419.944641] ==================================================================
+[  419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a
+[  419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678
+[  419.947612]
+[  419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84
+[  419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[  419.950035] Call Trace:
+[  419.950384]  <TASK>
+[  419.950676]  dump_stack_lvl+0x57/0x78
+[  419.951212]  ? hfsplus_read_wrapper+0x659/0xa0a
+[  419.951830]  print_report+0x14c/0x49e
+[  419.952361]  ? __virt_addr_valid+0x267/0x278
+[  419.952979]  ? kmem_cache_debug_flags+0xc/0x1d
+[  419.953561]  ? hfsplus_read_wrapper+0x659/0xa0a
+[  419.954231]  kasan_report+0x89/0xb0
+[  419.954748]  ? hfsplus_read_wrapper+0x659/0xa0a
+[  419.955367]  hfsplus_read_wrapper+0x659/0xa0a
+[  419.955948]  ? __pfx_hfsplus_read_wrapper+0x10/0x10
+[  419.956618]  ? do_raw_spin_unlock+0x59/0x1a9
+[  419.957214]  ? _raw_spin_unlock+0x1a/0x2e
+[  419.957772]  hfsplus_fill_super+0x348/0x1590
+[  419.958355]  ? hlock_class+0x4c/0x109
+[  419.958867]  ? __pfx_hfsplus_fill_super+0x10/0x10
+[  419.959499]  ? __pfx_string+0x10/0x10
+[  419.960006]  ? lock_acquire+0x3e2/0x454
+[  419.960532]  ? bdev_name.constprop.0+0xce/0x243
+[  419.961129]  ? __pfx_bdev_name.constprop.0+0x10/0x10
+[  419.961799]  ? pointer+0x3f0/0x62f
+[  419.962277]  ? __pfx_pointer+0x10/0x10
+[  419.962761]  ? vsnprintf+0x6c4/0xfba
+[  419.963178]  ? __pfx_vsnprintf+0x10/0x10
+[  419.963621]  ? setup_bdev_super+0x376/0x3b3
+[  419.964029]  ? snprintf+0x9d/0xd2
+[  419.964344]  ? __pfx_snprintf+0x10/0x10
+[  419.964675]  ? lock_acquired+0x45c/0x5e9
+[  419.965016]  ? set_blocksize+0x139/0x1c1
+[  419.965381]  ? sb_set_blocksize+0x6d/0xae
+[  419.965742]  ? __pfx_hfsplus_fill_super+0x10/0x10
+[  419.966179]  mount_bdev+0x12f/0x1bf
+[  419.966512]  ? __pfx_mount_bdev+0x10/0x10
+[  419.966886]  ? vfs_parse_fs_string+0xce/0x111
+[  419.967293]  ? __pfx_vfs_parse_fs_string+0x10/0x10
+[  419.967702]  ? __pfx_hfsplus_mount+0x10/0x10
+[  419.968073]  legacy_get_tree+0x104/0x178
+[  419.968414]  vfs_get_tree+0x86/0x296
+[  419.968751]  path_mount+0xba3/0xd0b
+[  419.969157]  ? __pfx_path_mount+0x10/0x10
+[  419.969594]  ? kmem_cache_free+0x1e2/0x260
+[  419.970311]  do_mount+0x99/0xe0
+[  419.970630]  ? __pfx_do_mount+0x10/0x10
+[  419.971008]  __do_sys_mount+0x199/0x1c9
+[  419.971397]  do_syscall_64+0xd0/0x135
+[  419.971761]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[  419.972233] RIP: 0033:0x7c3cb812972e
+[  419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48
+[  419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
+[  419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e
+[  419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: 00007ffe306325d0
+[  419.976363] RBP: 00007ffe30632720 R08: 00007ffe30632610 R09: 0000000000000000
+[  419.977034] R10: 0000000000200008 R11: 0000000000000286 R12: 0000000000000000
+[  419.977713] R13: 00007ffe306328e8 R14: 00005a0eb298bc68 R15: 00007c3cb8356000
+[  419.978375]  </TASK>
+[  419.978589]
+
+Fixes: 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://lore.kernel.org/r/20241107114109.839253-1-cascardo@igalia.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/hfsplus_fs.h | 3 ++-
+ fs/hfsplus/wrapper.c    | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index e9b13f771990b..2d6f2c62230a3 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -156,6 +156,7 @@ struct hfsplus_sb_info {
+ 
+       /* Runtime variables */
+       u32 blockoffset;
++      u32 min_io_size;
+       sector_t part_start;
+       sector_t sect_count;
+       int fs_shift;
+@@ -306,7 +307,7 @@ struct hfsplus_readdir_data {
+  */
+ static inline unsigned short hfsplus_min_io_size(struct super_block *sb)
+ {
+-      return max_t(unsigned short, bdev_logical_block_size(sb->s_bdev),
++      return max_t(unsigned short, HFSPLUS_SB(sb)->min_io_size,
+                    HFSPLUS_SECTOR_SIZE);
+ }
+ 
+diff --git a/fs/hfsplus/wrapper.c b/fs/hfsplus/wrapper.c
+index 08c1580bdf7ad..eb76ba8e8fec0 100644
+--- a/fs/hfsplus/wrapper.c
++++ b/fs/hfsplus/wrapper.c
+@@ -170,6 +170,8 @@ int hfsplus_read_wrapper(struct super_block *sb)
+       if (!blocksize)
+               goto out;
+ 
++      sbi->min_io_size = blocksize;
++
+       if (hfsplus_get_last_session(sb, &part_start, &part_size))
+               goto out;
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/initramfs-avoid-filename-buffer-overrun.patch b/queue-4.19/initramfs-avoid-filename-buffer-overrun.patch
new file mode 100644 (file)
index 0000000..6205df7
--- /dev/null
+++ b/queue-4.19/initramfs-avoid-filename-buffer-overrun.patch
@@ -0,0 +1,118 @@
+From 7e4b665830759038c21c46f22de52b58f74782bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 03:55:10 +0000
+Subject: initramfs: avoid filename buffer overrun
+
+From: David Disseldorp <ddiss@suse.de>
+
+[ Upstream commit e017671f534dd3f568db9e47b0583e853d2da9b5 ]
+
+The initramfs filename field is defined in
+Documentation/driver-api/early-userspace/buffer-format.rst as:
+
+ 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data
+...
+ 55 ============= ================== =========================
+ 56 Field name    Field size         Meaning
+ 57 ============= ================== =========================
+...
+ 70 c_namesize    8 bytes            Length of filename, including final \0
+
+When extracting an initramfs cpio archive, the kernel's do_name() path
+handler assumes a zero-terminated path at @collected, passing it
+directly to filp_open() / init_mkdir() / init_mknod().
+
+If a specially crafted cpio entry carries a non-zero-terminated filename
+and is followed by uninitialized memory, then a file may be created with
+trailing characters that represent the uninitialized memory. The ability
+to create an initramfs entry would imply already having full control of
+the system, so the buffer overrun shouldn't be considered a security
+vulnerability.
+
+Append the output of the following bash script to an existing initramfs
+and observe any created /initramfs_test_fname_overrunAA* path. E.g.
+  ./reproducer.sh | gzip >> /myinitramfs
+
+It's easiest to observe non-zero uninitialized memory when the output is
+gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(),
+rather than the initrd_start+initrd_size block.
+
+---- reproducer.sh ----
+nilchar="A"    # change to "\0" to properly zero terminate / pad
+magic="070701"
+ino=1
+mode=$(( 0100777 ))
+uid=0
+gid=0
+nlink=1
+mtime=1
+filesize=0
+devmajor=0
+devminor=1
+rdevmajor=0
+rdevminor=0
+csum=0
+fname="initramfs_test_fname_overrun"
+namelen=$(( ${#fname} + 1 ))   # plus one to account for terminator
+
+printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \
+       $magic $ino $mode $uid $gid $nlink $mtime $filesize \
+       $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname
+
+termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))
+printf "%.s${nilchar}" $(seq 1 $termpadlen)
+---- reproducer.sh ----
+
+Symlink filename fields handled in do_symlink() won't overrun past the
+data segment, due to the explicit zero-termination of the symlink
+target.
+
+Fix filename buffer overrun by aborting the initramfs FSM if any cpio
+entry doesn't carry a zero-terminator at the expected (name_len - 1)
+offset.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Link: https://lore.kernel.org/r/20241030035509.20194-2-ddiss@suse.de
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index fceede4cff6e4..59901e5197775 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -323,6 +323,15 @@ static int __init do_name(void)
+ {
+       state = SkipIt;
+       next_state = Reset;
++
++      /* name_len > 0 && name_len <= PATH_MAX checked in do_header */
++      if (collected[name_len - 1] != '\0') {
++              pr_err("initramfs name without nulterm: %.*s\n",
++                     (int)name_len, collected);
++              error("malformed archive");
++              return 1;
++      }
++
+       if (strcmp(collected, "TRAILER!!!") == 0) {
+               free_hash();
+               return 0;
+@@ -385,6 +394,12 @@ static int __init do_copy(void)
+ 
+ static int __init do_symlink(void)
+ {
++      if (collected[name_len - 1] != '\0') {
++              pr_err("initramfs symlink without nulterm: %.*s\n",
++                     (int)name_len, collected);
++              error("malformed archive");
++              return 1;
++      }
+       collected[N_ALIGN(name_len) + body_len] = '\0';
+       clean_path(collected, 0);
+       ksys_symlink(collected + N_ALIGN(name_len), collected);
+-- 
+2.43.0
+

diff --git a/queue-4.19/m68k-coldfire-device.c-only-build-fec-when-hw-macros.patch b/queue-4.19/m68k-coldfire-device.c-only-build-fec-when-hw-macros.patch
new file mode 100644 (file)
index 0000000..4a1f5ff
--- /dev/null
+++ b/queue-4.19/m68k-coldfire-device.c-only-build-fec-when-hw-macros.patch
@@ -0,0 +1,77 @@
+From 9718d21044cbda3671564ffce9cf62ccc6d24549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 22:43:15 +0100
+Subject: m68k: coldfire/device.c: only build FEC when HW macros are defined
+
+From: Antonio Quartulli <antonio@mandelbit.com>
+
+[ Upstream commit 63a24cf8cc330e5a68ebd2e20ae200096974c475 ]
+
+When CONFIG_FEC is set (due to COMPILE_TEST) along with
+CONFIG_M54xx, coldfire/device.c has compile errors due to
+missing MCFEC_* and MCF_IRQ_FEC_* symbols.
+
+Make the whole FEC blocks dependent on having the HW macros
+defined, rather than on CONFIG_FEC itself.
+
+This fix is very similar to commit e6e1e7b19fa1 ("m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined")
+
+Fixes: b7ce7f0d0efc ("m68knommu: merge common ColdFire FEC platform setup code")
+To: Greg Ungerer <gerg@linux-m68k.org>
+To: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: linux-m68k@lists.linux-m68k.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
+Signed-off-by: Greg Ungerer <gerg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/coldfire/device.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/m68k/coldfire/device.c b/arch/m68k/coldfire/device.c
+index 908d58347790d..b900931669adc 100644
+--- a/arch/m68k/coldfire/device.c
++++ b/arch/m68k/coldfire/device.c
+@@ -89,7 +89,7 @@ static struct platform_device mcf_uart = {
+       .dev.platform_data      = mcf_uart_platform_data,
+ };
+ 
+-#if IS_ENABLED(CONFIG_FEC)
++#ifdef MCFFEC_BASE0
+ 
+ #ifdef CONFIG_M5441x
+ #define FEC_NAME      "enet-fec"
+@@ -141,6 +141,7 @@ static struct platform_device mcf_fec0 = {
+               .platform_data          = FEC_PDATA,
+       }
+ };
++#endif /* MCFFEC_BASE0 */
+ 
+ #ifdef MCFFEC_BASE1
+ static struct resource mcf_fec1_resources[] = {
+@@ -178,7 +179,6 @@ static struct platform_device mcf_fec1 = {
+       }
+ };
+ #endif /* MCFFEC_BASE1 */
+-#endif /* CONFIG_FEC */
+ 
+ #if IS_ENABLED(CONFIG_SPI_COLDFIRE_QSPI)
+ /*
+@@ -478,12 +478,12 @@ static struct platform_device mcf_i2c5 = {
+ 
+ static struct platform_device *mcf_devices[] __initdata = {
+       &mcf_uart,
+-#if IS_ENABLED(CONFIG_FEC)
++#ifdef MCFFEC_BASE0
+       &mcf_fec0,
++#endif
+ #ifdef MCFFEC_BASE1
+       &mcf_fec1,
+ #endif
+-#endif
+ #if IS_ENABLED(CONFIG_SPI_COLDFIRE_QSPI)
+       &mcf_qspi,
+ #endif
+-- 
+2.43.0
+

diff --git a/queue-4.19/m68k-mcfgpio-fix-incorrect-register-offset-for-confi.patch b/queue-4.19/m68k-mcfgpio-fix-incorrect-register-offset-for-confi.patch
new file mode 100644 (file)
index 0000000..8819f29
--- /dev/null
+++ b/queue-4.19/m68k-mcfgpio-fix-incorrect-register-offset-for-confi.patch
@@ -0,0 +1,37 @@
+From fde2998f3ed675462303d8a61a2a9224a16b4293 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 09:24:35 +0200
+Subject: m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
+
+From: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
+
+[ Upstream commit f212140962c93cd5da43283a18e31681540fc23d ]
+
+Fix a typo in the CONFIG_M5441x preprocessor condition, where the GPIO
+register offset was incorrectly set to 8 instead of 0. This prevented
+proper GPIO configuration for m5441x targets.
+
+Fixes: bea8bcb12da0 ("m68knommu: Add support for the Coldfire m5441x.")
+Signed-off-by: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
+Signed-off-by: Greg Ungerer <gerg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/mcfgpio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/include/asm/mcfgpio.h b/arch/m68k/include/asm/mcfgpio.h
+index 66203c334c6ff..6c5d70defc1ea 100644
+--- a/arch/m68k/include/asm/mcfgpio.h
++++ b/arch/m68k/include/asm/mcfgpio.h
+@@ -152,7 +152,7 @@ static inline void gpio_free(unsigned gpio)
+  * read-modify-write as well as those controlled by the EPORT and GPIO modules.
+  */
+ #define MCFGPIO_SCR_START             40
+-#elif defined(CONFIGM5441x)
++#elif defined(CONFIG_M5441x)
+ /* The m5441x EPORT doesn't have its own GPIO port, uses PORT C */
+ #define MCFGPIO_SCR_START             0
+ #else
+-- 
+2.43.0
+

diff --git a/queue-4.19/m68k-mvme147-fix-scsi-controller-irq-numbers.patch b/queue-4.19/m68k-mvme147-fix-scsi-controller-irq-numbers.patch
new file mode 100644 (file)
index 0000000..86fabe3
--- /dev/null
+++ b/queue-4.19/m68k-mvme147-fix-scsi-controller-irq-numbers.patch
@@ -0,0 +1,46 @@
+From 79add15d78e4d90b154f26def5a18fcf40c202f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 13:29:47 +1000
+Subject: m68k: mvme147: Fix SCSI controller IRQ numbers
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 47bc874427382018fa2e3e982480e156271eee70 ]
+
+Sometime long ago the m68k IRQ code was refactored and the interrupt
+numbers for SCSI controller on this board ended up wrong, and it hasn't
+worked since.
+
+The PCC adds 0x40 to the vector for its interrupts so they end up in
+the user interrupt range. Hence, the kernel number should be the kernel
+offset for user interrupt range + the PCC interrupt number.
+
+Fixes: 200a3d352cd5 ("[PATCH] m68k: convert VME irq code")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Reviewed-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/0e7636a21a0274eea35bfd5d874459d5078e97cc.1727926187.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/mvme147hw.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/m68k/include/asm/mvme147hw.h b/arch/m68k/include/asm/mvme147hw.h
+index 9c7ff67c5ffd6..46ce392db6fc6 100644
+--- a/arch/m68k/include/asm/mvme147hw.h
++++ b/arch/m68k/include/asm/mvme147hw.h
+@@ -90,8 +90,8 @@ struct pcc_regs {
+ #define M147_SCC_B_ADDR               0xfffe3000
+ #define M147_SCC_PCLK         5000000
+ 
+-#define MVME147_IRQ_SCSI_PORT (IRQ_USER+0x45)
+-#define MVME147_IRQ_SCSI_DMA  (IRQ_USER+0x46)
++#define MVME147_IRQ_SCSI_PORT (IRQ_USER + 5)
++#define MVME147_IRQ_SCSI_DMA  (IRQ_USER + 6)
+ 
+ /* SCC interrupts, for MVME147 */
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/m68k-mvme147-reinstate-early-console.patch b/queue-4.19/m68k-mvme147-reinstate-early-console.patch
new file mode 100644 (file)
index 0000000..9e5322c
--- /dev/null
+++ b/queue-4.19/m68k-mvme147-reinstate-early-console.patch
@@ -0,0 +1,113 @@
+From 5a660cbd52ee0363a9b12d35489ebd4729a8c03f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 10:51:24 +1100
+Subject: m68k: mvme147: Reinstate early console
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 077b33b9e2833ff25050d986178a2c4c4036cbac ]
+
+Commit a38eaa07a0ce ("m68k/mvme147: config.c - Remove unused
+functions"), removed the console functionality for the mvme147 instead
+of wiring it up to an early console.  Put the console write function
+back and wire it up like mvme16x does so it's possible to see Linux boot
+on this fine hardware once more.
+
+Fixes: a38eaa07a0ce ("m68k/mvme147: config.c - Remove unused functions")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Co-developed-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/a82e8f0068a8722996a0ccfe666abb5e0a5c120d.1730850684.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/early_printk.c |  5 ++++-
+ arch/m68k/mvme147/config.c      | 30 ++++++++++++++++++++++++++++++
+ arch/m68k/mvme147/mvme147.h     |  6 ++++++
+ 3 files changed, 40 insertions(+), 1 deletion(-)
+ create mode 100644 arch/m68k/mvme147/mvme147.h
+
+diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
+index 3cc944df04f65..f11ef9f1f56fc 100644
+--- a/arch/m68k/kernel/early_printk.c
++++ b/arch/m68k/kernel/early_printk.c
+@@ -13,6 +13,7 @@
+ #include <asm/setup.h>
+ 
+ 
++#include "../mvme147/mvme147.h"
+ #include "../mvme16x/mvme16x.h"
+ 
+ asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
+@@ -22,7 +23,9 @@ static void __ref debug_cons_write(struct console *c,
+ {
+ #if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+       defined(CONFIG_COLDFIRE))
+-      if (MACH_IS_MVME16x)
++      if (MACH_IS_MVME147)
++              mvme147_scc_write(c, s, n);
++      else if (MACH_IS_MVME16x)
+               mvme16x_cons_write(c, s, n);
+       else
+               debug_cons_nputs(s, n);
+diff --git a/arch/m68k/mvme147/config.c b/arch/m68k/mvme147/config.c
+index 93c68d2b8e0ea..36ff897765745 100644
+--- a/arch/m68k/mvme147/config.c
++++ b/arch/m68k/mvme147/config.c
+@@ -35,6 +35,7 @@
+ #include <asm/machdep.h>
+ #include <asm/mvme147hw.h>
+ 
++#include "mvme147.h"
+ 
+ static void mvme147_get_model(char *model);
+ extern void mvme147_sched_init(irq_handler_t handler);
+@@ -164,3 +165,32 @@ int mvme147_hwclk(int op, struct rtc_time *t)
+       }
+       return 0;
+ }
++
++static void scc_delay(void)
++{
++      __asm__ __volatile__ ("nop; nop;");
++}
++
++static void scc_write(char ch)
++{
++      do {
++              scc_delay();
++      } while (!(in_8(M147_SCC_A_ADDR) & BIT(2)));
++      scc_delay();
++      out_8(M147_SCC_A_ADDR, 8);
++      scc_delay();
++      out_8(M147_SCC_A_ADDR, ch);
++}
++
++void mvme147_scc_write(struct console *co, const char *str, unsigned int count)
++{
++      unsigned long flags;
++
++      local_irq_save(flags);
++      while (count--) {
++              if (*str == '\n')
++                      scc_write('\r');
++              scc_write(*str++);
++      }
++      local_irq_restore(flags);
++}
+diff --git a/arch/m68k/mvme147/mvme147.h b/arch/m68k/mvme147/mvme147.h
+new file mode 100644
+index 0000000000000..140bc98b0102a
+--- /dev/null
++++ b/arch/m68k/mvme147/mvme147.h
+@@ -0,0 +1,6 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++struct console;
++
++/* config.c */
++void mvme147_scc_write(struct console *co, const char *str, unsigned int count);
+-- 
+2.43.0
+

diff --git a/queue-4.19/m68k-mvme16x-add-and-use-mvme16x.h.patch b/queue-4.19/m68k-mvme16x-add-and-use-mvme16x.h.patch
new file mode 100644 (file)
index 0000000..461c451
--- /dev/null
+++ b/queue-4.19/m68k-mvme16x-add-and-use-mvme16x.h.patch
@@ -0,0 +1,76 @@
+From d0efcdd08f259fb897142f00c9b69541ec631092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 16:08:25 +0200
+Subject: m68k: mvme16x: Add and use "mvme16x.h"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit dcec33c1fc4ab63983d93ffb0d82b68fc5775b88 ]
+
+When building with W=1:
+
+    arch/m68k/mvme16x/config.c:208:6: warning: no previous prototype for ‘mvme16x_cons_write’ [-Wmissing-prototypes]
+      208 | void mvme16x_cons_write(struct console *co, const char *str, unsigned count)
+         |      ^~~~~~~~~~~~~~~~~~
+
+Fix this by introducing a new header file "mvme16x.h" for holding the
+prototypes of functions implemented in arch/m68k/mvme16x/.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/6200cc3b26fad215c4524748af04692e38c5ecd2.1694613528.git.geert@linux-m68k.org
+Stable-dep-of: 077b33b9e283 ("m68k: mvme147: Reinstate early console")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/early_printk.c | 4 ++--
+ arch/m68k/mvme16x/config.c      | 2 ++
+ arch/m68k/mvme16x/mvme16x.h     | 6 ++++++
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 arch/m68k/mvme16x/mvme16x.h
+
+diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
+index 7d3fe08a48eb0..3cc944df04f65 100644
+--- a/arch/m68k/kernel/early_printk.c
++++ b/arch/m68k/kernel/early_printk.c
+@@ -12,8 +12,8 @@
+ #include <linux/string.h>
+ #include <asm/setup.h>
+ 
+-extern void mvme16x_cons_write(struct console *co,
+-                             const char *str, unsigned count);
++
++#include "../mvme16x/mvme16x.h"
+ 
+ asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
+ 
+diff --git a/arch/m68k/mvme16x/config.c b/arch/m68k/mvme16x/config.c
+index 5feb3ab484d08..bb658e0a5be5a 100644
+--- a/arch/m68k/mvme16x/config.c
++++ b/arch/m68k/mvme16x/config.c
+@@ -38,6 +38,8 @@
+ #include <asm/machdep.h>
+ #include <asm/mvme16xhw.h>
+ 
++#include "mvme16x.h"
++
+ extern t_bdid mvme_bdid;
+ 
+ static MK48T08ptr_t volatile rtc = (MK48T08ptr_t)MVME_RTC_BASE;
+diff --git a/arch/m68k/mvme16x/mvme16x.h b/arch/m68k/mvme16x/mvme16x.h
+new file mode 100644
+index 0000000000000..159c34b700394
+--- /dev/null
++++ b/arch/m68k/mvme16x/mvme16x.h
+@@ -0,0 +1,6 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++struct console;
++
++/* config.c */
++void mvme16x_cons_write(struct console *co, const char *str, unsigned count);
+-- 
+2.43.0
+

diff --git a/queue-4.19/marvell-pxa168_eth-fix-call-balance-of-pep-clk-handl.patch b/queue-4.19/marvell-pxa168_eth-fix-call-balance-of-pep-clk-handl.patch
new file mode 100644 (file)
index 0000000..664b2f1
--- /dev/null
+++ b/queue-4.19/marvell-pxa168_eth-fix-call-balance-of-pep-clk-handl.patch
@@ -0,0 +1,68 @@
+From 5ed444d5f6c4e613d8000c823dcad9124202b2fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 23:06:58 +0300
+Subject: marvell: pxa168_eth: fix call balance of pep->clk handling routines
+
+From: Vitalii Mordan <mordan@ispras.ru>
+
+[ Upstream commit b032ae57d4fe2b2445e3bc190db6fcaa8c102f68 ]
+
+If the clock pep->clk was not enabled in pxa168_eth_probe,
+it should not be disabled in any path.
+
+Conversely, if it was enabled in pxa168_eth_probe, it must be disabled
+in all error paths to ensure proper cleanup.
+
+Use the devm_clk_get_enabled helper function to ensure proper call balance
+for pep->clk.
+
+Found by Linux Verification Center (linuxtesting.org) with Klever.
+
+Fixes: a49f37eed22b ("net: add Fast Ethernet driver for PXA168.")
+Signed-off-by: Vitalii Mordan <mordan@ispras.ru>
+Link: https://patch.msgid.link/20241121200658.2203871-1-mordan@ispras.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/pxa168_eth.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/pxa168_eth.c b/drivers/net/ethernet/marvell/pxa168_eth.c
+index 0d6a4e47e7a50..962d7046801cf 100644
+--- a/drivers/net/ethernet/marvell/pxa168_eth.c
++++ b/drivers/net/ethernet/marvell/pxa168_eth.c
+@@ -1417,18 +1417,15 @@ static int pxa168_eth_probe(struct platform_device *pdev)
+ 
+       printk(KERN_NOTICE "PXA168 10/100 Ethernet Driver\n");
+ 
+-      clk = devm_clk_get(&pdev->dev, NULL);
++      clk = devm_clk_get_enabled(&pdev->dev, NULL);
+       if (IS_ERR(clk)) {
+-              dev_err(&pdev->dev, "Fast Ethernet failed to get clock\n");
++              dev_err(&pdev->dev, "Fast Ethernet failed to get and enable clock\n");
+               return -ENODEV;
+       }
+-      clk_prepare_enable(clk);
+ 
+       dev = alloc_etherdev(sizeof(struct pxa168_eth_private));
+-      if (!dev) {
+-              err = -ENOMEM;
+-              goto err_clk;
+-      }
++      if (!dev)
++              return -ENOMEM;
+ 
+       platform_set_drvdata(pdev, dev);
+       pep = netdev_priv(dev);
+@@ -1541,8 +1538,6 @@ static int pxa168_eth_probe(struct platform_device *pdev)
+       mdiobus_free(pep->smi_bus);
+ err_netdev:
+       free_netdev(dev);
+-err_clk:
+-      clk_disable_unprepare(clk);
+       return err;
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/mfd-da9052-spi-change-read-mask-to-write-mask.patch b/queue-4.19/mfd-da9052-spi-change-read-mask-to-write-mask.patch
new file mode 100644 (file)
index 0000000..50088e0
--- /dev/null
+++ b/queue-4.19/mfd-da9052-spi-change-read-mask-to-write-mask.patch
@@ -0,0 +1,38 @@
+From 5369580dccd99fbf2154bcc5a14c88d946bb2a7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 12:19:53 +0200
+Subject: mfd: da9052-spi: Change read-mask to write-mask
+
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+[ Upstream commit 2e3378f6c79a1b3f7855ded1ef306ea4406352ed ]
+
+Driver has mixed up the R/W bit.
+The LSB bit is set on write rather than read.
+Change it to avoid nasty things to happen.
+
+Fixes: e9e9d3973594 ("mfd: da9052: Avoid setting read_flag_mask for da9052-i2c driver")
+Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+Link: https://lore.kernel.org/r/20240925-da9052-v2-1-f243e4505b07@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/da9052-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/da9052-spi.c b/drivers/mfd/da9052-spi.c
+index abfb11818fdc5..5fb5af5108ab9 100644
+--- a/drivers/mfd/da9052-spi.c
++++ b/drivers/mfd/da9052-spi.c
+@@ -42,7 +42,7 @@ static int da9052_spi_probe(struct spi_device *spi)
+       spi_set_drvdata(spi, da9052);
+ 
+       config = da9052_regmap_config;
+-      config.read_flag_mask = 1;
++      config.write_flag_mask = 1;
+       config.reg_bits = 7;
+       config.pad_bits = 1;
+       config.val_bits = 8;
+-- 
+2.43.0
+

diff --git a/queue-4.19/mfd-rt5033-fix-missing-regmap_del_irq_chip.patch b/queue-4.19/mfd-rt5033-fix-missing-regmap_del_irq_chip.patch
new file mode 100644 (file)
index 0000000..b31fcee
--- /dev/null
+++ b/queue-4.19/mfd-rt5033-fix-missing-regmap_del_irq_chip.patch
@@ -0,0 +1,39 @@
+From b45f41dab46d9c6b50a75224c7af2b745da37544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 23:41:06 +0800
+Subject: mfd: rt5033: Fix missing regmap_del_irq_chip()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit d256d612f47529ed0b332298e2d5ea981a4dd5b8 ]
+
+Fix missing call to regmap_del_irq_chip() in error handling path by
+using devm_regmap_add_irq_chip().
+
+Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1730302867-8391-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/rt5033.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/rt5033.c b/drivers/mfd/rt5033.c
+index 94cdad91c0657..71f35bfac3f28 100644
+--- a/drivers/mfd/rt5033.c
++++ b/drivers/mfd/rt5033.c
+@@ -85,8 +85,8 @@ static int rt5033_i2c_probe(struct i2c_client *i2c,
+       }
+       dev_info(&i2c->dev, "Device found Device ID: %04x\n", dev_id);
+ 
+-      ret = regmap_add_irq_chip(rt5033->regmap, rt5033->irq,
+-                      IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
++      ret = devm_regmap_add_irq_chip(rt5033->dev, rt5033->regmap,
++                      rt5033->irq, IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+                       0, &rt5033_irq_chip, &rt5033->irq_data);
+       if (ret) {
+               dev_err(&i2c->dev, "Failed to request IRQ %d: %d\n",
+-- 
+2.43.0
+

diff --git a/queue-4.19/misc-apds990x-fix-missing-pm_runtime_disable.patch b/queue-4.19/misc-apds990x-fix-missing-pm_runtime_disable.patch
new file mode 100644 (file)
index 0000000..1895315
--- /dev/null
+++ b/queue-4.19/misc-apds990x-fix-missing-pm_runtime_disable.patch
@@ -0,0 +1,67 @@
+From 4c9e1cfb9b3531760be4f217c3d50a32b54da108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 11:55:56 +0800
+Subject: misc: apds990x: Fix missing pm_runtime_disable()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 3c5d8b819d27012264edd17e6ae7fffda382fe44 ]
+
+The pm_runtime_disable() is missing in probe error path,
+so add it to fix it.
+
+Fixes: 92b1f84d46b2 ("drivers/misc: driver for APDS990X ALS and proximity sensors")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20240923035556.3009105-1-ruanjinjie@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/apds990x.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/misc/apds990x.c b/drivers/misc/apds990x.c
+index ed9412d750b74..871d2d42db938 100644
+--- a/drivers/misc/apds990x.c
++++ b/drivers/misc/apds990x.c
+@@ -1163,7 +1163,7 @@ static int apds990x_probe(struct i2c_client *client,
+               err = chip->pdata->setup_resources();
+               if (err) {
+                       err = -EINVAL;
+-                      goto fail3;
++                      goto fail4;
+               }
+       }
+ 
+@@ -1171,7 +1171,7 @@ static int apds990x_probe(struct i2c_client *client,
+                               apds990x_attribute_group);
+       if (err < 0) {
+               dev_err(&chip->client->dev, "Sysfs registration failed\n");
+-              goto fail4;
++              goto fail5;
+       }
+ 
+       err = request_threaded_irq(client->irq, NULL,
+@@ -1182,15 +1182,17 @@ static int apds990x_probe(struct i2c_client *client,
+       if (err) {
+               dev_err(&client->dev, "could not get IRQ %d\n",
+                       client->irq);
+-              goto fail5;
++              goto fail6;
+       }
+       return err;
+-fail5:
++fail6:
+       sysfs_remove_group(&chip->client->dev.kobj,
+                       &apds990x_attribute_group[0]);
+-fail4:
++fail5:
+       if (chip->pdata && chip->pdata->release_resources)
+               chip->pdata->release_resources();
++fail4:
++      pm_runtime_disable(&client->dev);
+ fail3:
+       regulator_bulk_disable(ARRAY_SIZE(chip->regs), chip->regs);
+ fail2:
+-- 
+2.43.0
+

diff --git a/queue-4.19/mmc-mmc_spi-drop-buggy-snprintf.patch b/queue-4.19/mmc-mmc_spi-drop-buggy-snprintf.patch
new file mode 100644 (file)
index 0000000..b070904
--- /dev/null
+++ b/queue-4.19/mmc-mmc_spi-drop-buggy-snprintf.patch
@@ -0,0 +1,66 @@
+From 0aa968c61d92897d14a08f0cfb1b85b04c8569ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 18:01:34 +0200
+Subject: mmc: mmc_spi: drop buggy snprintf()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit 328bda09cc91b3d93bc64f4a4dadc44313dd8140 ]
+
+GCC 13 complains about the truncated output of snprintf():
+
+drivers/mmc/host/mmc_spi.c: In function ‘mmc_spi_response_get’:
+drivers/mmc/host/mmc_spi.c:227:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+  227 |         snprintf(tag, sizeof(tag), "  ... CMD%d response SPI_%s",
+      |                                                                ^
+drivers/mmc/host/mmc_spi.c:227:9: note: ‘snprintf’ output between 26 and 43 bytes into a destination of size 32
+  227 |         snprintf(tag, sizeof(tag), "  ... CMD%d response SPI_%s",
+      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  228 |                 cmd->opcode, maptype(cmd));
+
+Drop it and fold the string it generates into the only place where it's
+emitted - the dev_dbg() call at the end of the function.
+
+Fixes: 15a0580ced08 ("mmc_spi host driver")
+Suggested-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://lore.kernel.org/r/20241008160134.69934-1-brgl@bgdev.pl
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmc_spi.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
+index 24795454d1066..008a47842de0a 100644
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -269,10 +269,6 @@ static int mmc_spi_response_get(struct mmc_spi_host *host,
+       u8      leftover = 0;
+       unsigned short rotator;
+       int     i;
+-      char    tag[32];
+-
+-      snprintf(tag, sizeof(tag), "  ... CMD%d response SPI_%s",
+-              cmd->opcode, maptype(cmd));
+ 
+       /* Except for data block reads, the whole response will already
+        * be stored in the scratch buffer.  It's somewhere after the
+@@ -422,8 +418,9 @@ static int mmc_spi_response_get(struct mmc_spi_host *host,
+       }
+ 
+       if (value < 0)
+-              dev_dbg(&host->spi->dev, "%s: resp %04x %08x\n",
+-                      tag, cmd->resp[0], cmd->resp[1]);
++              dev_dbg(&host->spi->dev,
++                      "  ... CMD%d response SPI_%s: resp %04x %08x\n",
++                      cmd->opcode, maptype(cmd), cmd->resp[0], cmd->resp[1]);
+ 
+       /* disable chipselect on errors and some success cases */
+       if (value >= 0 && cs_on)
+-- 
+2.43.0
+

diff --git a/queue-4.19/mtd-rawnand-atmel-fix-possible-memory-leak.patch b/queue-4.19/mtd-rawnand-atmel-fix-possible-memory-leak.patch
new file mode 100644 (file)
index 0000000..95310d8
--- /dev/null
+++ b/queue-4.19/mtd-rawnand-atmel-fix-possible-memory-leak.patch
@@ -0,0 +1,70 @@
+From 61c30ea917524b390edfe20c5da15fdd223cc272 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 22:31:49 +0200
+Subject: mtd: rawnand: atmel: Fix possible memory leak
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit 6d734f1bfc336aaea91313a5632f2f197608fadd ]
+
+The pmecc "user" structure is allocated in atmel_pmecc_create_user() and
+was supposed to be freed with atmel_pmecc_destroy_user(), but this other
+helper is never called. One solution would be to find the proper
+location to call the destructor, but the trend today is to switch to
+device managed allocations, which in this case fits pretty well.
+
+Replace kzalloc() by devm_kzalloc() and drop the destructor entirely.
+
+Reported-by: "Dr. David Alan Gilbert" <linux@treblig.org>
+Closes: https://lore.kernel.org/all/ZvmIvRJCf6VhHvpo@gallifrey/
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20241001203149.387655-1-miquel.raynal@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/pmecc.c | 8 +-------
+ drivers/mtd/nand/raw/atmel/pmecc.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c
+index 9d3997840889b..8880e0401e6c4 100644
+--- a/drivers/mtd/nand/raw/atmel/pmecc.c
++++ b/drivers/mtd/nand/raw/atmel/pmecc.c
+@@ -365,7 +365,7 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc,
+       size = ALIGN(size, sizeof(s32));
+       size += (req->ecc.strength + 1) * sizeof(s32) * 3;
+ 
+-      user = kzalloc(size, GFP_KERNEL);
++      user = devm_kzalloc(pmecc->dev, size, GFP_KERNEL);
+       if (!user)
+               return ERR_PTR(-ENOMEM);
+ 
+@@ -411,12 +411,6 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc,
+ }
+ EXPORT_SYMBOL_GPL(atmel_pmecc_create_user);
+ 
+-void atmel_pmecc_destroy_user(struct atmel_pmecc_user *user)
+-{
+-      kfree(user);
+-}
+-EXPORT_SYMBOL_GPL(atmel_pmecc_destroy_user);
+-
+ static int get_strength(struct atmel_pmecc_user *user)
+ {
+       const int *strengths = user->pmecc->caps->strengths;
+diff --git a/drivers/mtd/nand/raw/atmel/pmecc.h b/drivers/mtd/nand/raw/atmel/pmecc.h
+index 808f1be0d6ad7..1b6ac2ce73f49 100644
+--- a/drivers/mtd/nand/raw/atmel/pmecc.h
++++ b/drivers/mtd/nand/raw/atmel/pmecc.h
+@@ -59,8 +59,6 @@ struct atmel_pmecc *devm_atmel_pmecc_get(struct device *dev);
+ struct atmel_pmecc_user *
+ atmel_pmecc_create_user(struct atmel_pmecc *pmecc,
+                       struct atmel_pmecc_user_req *req);
+-void atmel_pmecc_destroy_user(struct atmel_pmecc_user *user);
+-
+ void atmel_pmecc_reset(struct atmel_pmecc *pmecc);
+ int atmel_pmecc_enable(struct atmel_pmecc_user *user, int op);
+ void atmel_pmecc_disable(struct atmel_pmecc_user *user);
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-rfkill-gpio-add-check-for-clk_enable.patch b/queue-4.19/net-rfkill-gpio-add-check-for-clk_enable.patch
new file mode 100644 (file)
index 0000000..9b5ddb9
--- /dev/null
+++ b/queue-4.19/net-rfkill-gpio-add-check-for-clk_enable.patch
@@ -0,0 +1,44 @@
+From bf7adf67698193517beb69ba73f6f3d447146059 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 14:53:41 -0500
+Subject: net: rfkill: gpio: Add check for clk_enable()
+
+From: Mingwei Zheng <zmw12306@gmail.com>
+
+[ Upstream commit 8251e7621b25ccdb689f1dd9553b8789e3745ea1 ]
+
+Add check for the return value of clk_enable() to catch the potential
+error.
+
+Fixes: 7176ba23f8b5 ("net: rfkill: add generic gpio rfkill driver")
+Signed-off-by: Mingwei Zheng <zmw12306@gmail.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Link: https://patch.msgid.link/20241108195341.1853080-1-zmw12306@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rfkill/rfkill-gpio.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
+index 7524544a965fc..c1df7054c2f08 100644
+--- a/net/rfkill/rfkill-gpio.c
++++ b/net/rfkill/rfkill-gpio.c
+@@ -44,8 +44,12 @@ static int rfkill_gpio_set_power(void *data, bool blocked)
+ {
+       struct rfkill_gpio_data *rfkill = data;
+ 
+-      if (!blocked && !IS_ERR(rfkill->clk) && !rfkill->clk_enabled)
+-              clk_enable(rfkill->clk);
++      if (!blocked && !IS_ERR(rfkill->clk) && !rfkill->clk_enabled) {
++              int ret = clk_enable(rfkill->clk);
++
++              if (ret)
++                      return ret;
++      }
+ 
+       gpiod_set_value_cansleep(rfkill->shutdown_gpio, !blocked);
+       gpiod_set_value_cansleep(rfkill->reset_gpio, !blocked);
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-stmmac-dwmac-socfpga-set-rx-watchdog-interrupt-a.patch b/queue-4.19/net-stmmac-dwmac-socfpga-set-rx-watchdog-interrupt-a.patch
new file mode 100644 (file)
index 0000000..1e394ef
--- /dev/null
+++ b/queue-4.19/net-stmmac-dwmac-socfpga-set-rx-watchdog-interrupt-a.patch
@@ -0,0 +1,50 @@
+From 4d47bcd003580d7e8332e0b7006f5bf71ce5cd07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 15:12:55 +0100
+Subject: net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 407618d66dba55e7db1278872e8be106808bbe91 ]
+
+On DWMAC3 and later, there's a RX Watchdog interrupt that's used for
+interrupt coalescing. It's known to be buggy on some platforms, and
+dwmac-socfpga appears to be one of them. Changing the interrupt
+coalescing from ethtool doesn't appear to have any effect here.
+
+Without disabling RIWT (Received Interrupt Watchdog Timer, I
+believe...), we observe latencies while receiving traffic that amount to
+around ~0.4ms. This was discovered with NTP but can be easily reproduced
+with a simple ping. Without this patch :
+
+64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.657 ms
+
+With this patch :
+
+64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.254 ms
+
+Fixes: 801d233b7302 ("net: stmmac: Add SOCFPGA glue driver")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20241122141256.764578-1-maxime.chevallier@bootlin.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c
+index 33407df6bea69..9176fbee5ed6c 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c
+@@ -346,6 +346,8 @@ static int socfpga_dwmac_probe(struct platform_device *pdev)
+       plat_dat->bsp_priv = dwmac;
+       plat_dat->fix_mac_speed = socfpga_dwmac_fix_mac_speed;
+ 
++      plat_dat->riwt_off = 1;
++
+       ret = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+       if (ret)
+               goto err_remove_config_dt;
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-usb-lan78xx-fix-memory-leak-on-device-unplug-by-.patch b/queue-4.19/net-usb-lan78xx-fix-memory-leak-on-device-unplug-by-.patch
new file mode 100644 (file)
index 0000000..e15f712
--- /dev/null
+++ b/queue-4.19/net-usb-lan78xx-fix-memory-leak-on-device-unplug-by-.patch
@@ -0,0 +1,51 @@
+From cb818847a889b82e9ae92215737c1273f30d3a1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Nov 2024 14:05:58 +0100
+Subject: net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY
+ device
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit ae7370e61c5d8f5bcefc2d4fca724bd4e9bbf789 ]
+
+Add calls to `phy_device_free` after `fixed_phy_unregister` to fix a
+memory leak that occurs when the device is unplugged. This ensures
+proper cleanup of pseudo fixed-link PHYs.
+
+Fixes: 89b36fb5e532 ("lan78xx: Lan7801 Support for Fixed PHY")
+Cc: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20241116130558.1352230-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index f56f45c924de0..de07d90038205 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2204,6 +2204,7 @@ static int lan78xx_phy_init(struct lan78xx_net *dev)
+               if (dev->chipid == ID_REV_CHIP_ID_7801_) {
+                       if (phy_is_pseudo_fixed_link(phydev)) {
+                               fixed_phy_unregister(phydev);
++                              phy_device_free(phydev);
+                       } else {
+                               phy_unregister_fixup_for_uid(PHY_KSZ9031RNX,
+                                                            0xfffffff0);
+@@ -3884,8 +3885,10 @@ static void lan78xx_disconnect(struct usb_interface *intf)
+ 
+       phy_disconnect(net->phydev);
+ 
+-      if (phy_is_pseudo_fixed_link(phydev))
++      if (phy_is_pseudo_fixed_link(phydev)) {
+               fixed_phy_unregister(phydev);
++              phy_device_free(phydev);
++      }
+ 
+       unregister_netdev(net);
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-usb-lan78xx-fix-refcounting-and-autosuspend-on-i.patch b/queue-4.19/net-usb-lan78xx-fix-refcounting-and-autosuspend-on-i.patch
new file mode 100644 (file)
index 0000000..ff7eeff
--- /dev/null
+++ b/queue-4.19/net-usb-lan78xx-fix-refcounting-and-autosuspend-on-i.patch
@@ -0,0 +1,49 @@
+From 33975e96364ab9fae05af3059af0b1a237aed002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 15:03:51 +0100
+Subject: net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL
+ configuration
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit e863ff806f72098bccaf8fa89c80d9ad6187c3b0 ]
+
+Validate Wake-on-LAN (WoL) options in `lan78xx_set_wol` before calling
+`usb_autopm_get_interface`. This prevents USB autopm refcounting issues
+and ensures the adapter can properly enter autosuspend when invalid WoL
+options are provided.
+
+Fixes: eb9ad088f966 ("lan78xx: Check for supported Wake-on-LAN modes")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://patch.msgid.link/20241118140351.2398166-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index de07d90038205..44c2433b55a76 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1440,13 +1440,13 @@ static int lan78xx_set_wol(struct net_device *netdev,
+       struct lan78xx_priv *pdata = (struct lan78xx_priv *)(dev->data[0]);
+       int ret;
+ 
++      if (wol->wolopts & ~WAKE_ALL)
++              return -EINVAL;
++
+       ret = usb_autopm_get_interface(dev->intf);
+       if (ret < 0)
+               return ret;
+ 
+-      if (wol->wolopts & ~WAKE_ALL)
+-              return -EINVAL;
+-
+       pdata->wol = wol->wolopts;
+ 
+       device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
+-- 
+2.43.0
+

diff --git a/queue-4.19/netpoll-use-rcu_access_pointer-in-netpoll_poll_lock.patch b/queue-4.19/netpoll-use-rcu_access_pointer-in-netpoll_poll_lock.patch
new file mode 100644 (file)
index 0000000..3d363b1
--- /dev/null
+++ b/queue-4.19/netpoll-use-rcu_access_pointer-in-netpoll_poll_lock.patch
@@ -0,0 +1,45 @@
+From ebaa57229d64abbc8640c61ebb61ef7f7d5b6b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 03:15:18 -0800
+Subject: netpoll: Use rcu_access_pointer() in netpoll_poll_lock
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit a57d5a72f8dec7db8a79d0016fb0a3bdecc82b56 ]
+
+The ndev->npinfo pointer in netpoll_poll_lock() is RCU-protected but is
+being accessed directly for a NULL check. While no RCU read lock is held
+in this context, we should still use proper RCU primitives for
+consistency and correctness.
+
+Replace the direct NULL check with rcu_access_pointer(), which is the
+appropriate primitive when only checking for NULL without dereferencing
+the pointer. This function provides the necessary ordering guarantees
+without requiring RCU read-side protection.
+
+Fixes: bea3348eef27 ("[NET]: Make NAPI polling independent of struct net_device objects.")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-2-a1888dcb4a02@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netpoll.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/netpoll.h b/include/linux/netpoll.h
+index 3ef82d3a78db5..c47f74e6bd2cb 100644
+--- a/include/linux/netpoll.h
++++ b/include/linux/netpoll.h
+@@ -80,7 +80,7 @@ static inline void *netpoll_poll_lock(struct napi_struct *napi)
+ {
+       struct net_device *dev = napi->dev;
+ 
+-      if (dev && dev->npinfo) {
++      if (dev && rcu_access_pointer(dev->npinfo)) {
+               int owner = smp_processor_id();
+ 
+               while (cmpxchg(&napi->poll_owner, -1, owner) != -1)
+-- 
+2.43.0
+

diff --git a/queue-4.19/nfsd-cap-the-number-of-bytes-copied-by-nfs4_reset_re.patch b/queue-4.19/nfsd-cap-the-number-of-bytes-copied-by-nfs4_reset_re.patch
new file mode 100644 (file)
index 0000000..ac6d591
--- /dev/null
+++ b/queue-4.19/nfsd-cap-the-number-of-bytes-copied-by-nfs4_reset_re.patch
@@ -0,0 +1,37 @@
+From 36e540a9f1d0cae7cf35de08a930080122010bc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 11:03:56 -0400
+Subject: NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit f64ea4af43161bb86ffc77e6aeb5bcf5c3229df0 ]
+
+It's only current caller already length-checks the string, but let's
+be safe.
+
+Fixes: 0964a3d3f1aa ("[PATCH] knfsd: nfsd4 reboot dirname fix")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4recover.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
+index 5188f9f70c78c..e986e9e0c93f7 100644
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -596,7 +596,8 @@ nfs4_reset_recoverydir(char *recdir)
+               return status;
+       status = -ENOTDIR;
+       if (d_is_dir(path.dentry)) {
+-              strcpy(user_recovery_dirname, recdir);
++              strscpy(user_recovery_dirname, recdir,
++                      sizeof(user_recovery_dirname));
+               status = 0;
+       }
+       path_put(&path);
+-- 
+2.43.0
+

diff --git a/queue-4.19/nfsd-prevent-null-dereference-in-nfsd4_process_cb_up.patch b/queue-4.19/nfsd-prevent-null-dereference-in-nfsd4_process_cb_up.patch
new file mode 100644 (file)
index 0000000..45ce1f1
--- /dev/null
+++ b/queue-4.19/nfsd-prevent-null-dereference-in-nfsd4_process_cb_up.patch
@@ -0,0 +1,37 @@
+From b681176e2772e1af459d6987e8f2a612051b6e59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 11:03:53 -0400
+Subject: NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 1e02c641c3a43c88cecc08402000418e15578d38 ]
+
+@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no
+available backchannel session, setup_callback_client() will try to
+dereference @ses and segfault.
+
+Fixes: dcbeaa68dbbd ("nfsd4: allow backchannel recovery")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4callback.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
+index e6c7448d3d89a..8ca4c12dd22ec 100644
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -1134,6 +1134,8 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb)
+               ses = c->cn_session;
+       }
+       spin_unlock(&clp->cl_lock);
++      if (!c)
++              return;
+ 
+       err = setup_callback_client(clp, &conn, ses);
+       if (err) {
+-- 
+2.43.0
+

diff --git a/queue-4.19/ocfs2-fix-uninitialized-value-in-ocfs2_file_read_ite.patch b/queue-4.19/ocfs2-fix-uninitialized-value-in-ocfs2_file_read_ite.patch
new file mode 100644 (file)
index 0000000..52c36b6
--- /dev/null
+++ b/queue-4.19/ocfs2-fix-uninitialized-value-in-ocfs2_file_read_ite.patch
@@ -0,0 +1,98 @@
+From f003b9074dd195e0ff924ba606cdad4662bbd6ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 12:17:36 +0300
+Subject: ocfs2: fix uninitialized value in ocfs2_file_read_iter()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit adc77b19f62d7e80f98400b2fca9d700d2afdd6f ]
+
+Syzbot has reported the following KMSAN splat:
+
+BUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80
+ ocfs2_file_read_iter+0x9a4/0xf80
+ __io_read+0x8d4/0x20f0
+ io_read+0x3e/0xf0
+ io_issue_sqe+0x42b/0x22c0
+ io_wq_submit_work+0xaf9/0xdc0
+ io_worker_handle_work+0xd13/0x2110
+ io_wq_worker+0x447/0x1410
+ ret_from_fork+0x6f/0x90
+ ret_from_fork_asm+0x1a/0x30
+
+Uninit was created at:
+ __alloc_pages_noprof+0x9a7/0xe00
+ alloc_pages_mpol_noprof+0x299/0x990
+ alloc_pages_noprof+0x1bf/0x1e0
+ allocate_slab+0x33a/0x1250
+ ___slab_alloc+0x12ef/0x35e0
+ kmem_cache_alloc_bulk_noprof+0x486/0x1330
+ __io_alloc_req_refill+0x84/0x560
+ io_submit_sqes+0x172f/0x2f30
+ __se_sys_io_uring_enter+0x406/0x41c0
+ __x64_sys_io_uring_enter+0x11f/0x1a0
+ x64_sys_call+0x2b54/0x3ba0
+ do_syscall_64+0xcd/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Since an instance of 'struct kiocb' may be passed from the block layer
+with 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()'
+and use it from where 'ocfs2_dio_end_io()' might take care, i.e. in
+'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'.
+
+Link: https://lkml.kernel.org/r/20241029091736.1501946-1-dmantipov@yandex.ru
+Fixes: 7cdfc3a1c397 ("ocfs2: Remember rw lock level during direct io")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+a73e253cca4f0230a5a5@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a73e253cca4f0230a5a5
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/aops.h | 2 ++
+ fs/ocfs2/file.c | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/fs/ocfs2/aops.h b/fs/ocfs2/aops.h
+index 3494a62ed749c..c1c2189029903 100644
+--- a/fs/ocfs2/aops.h
++++ b/fs/ocfs2/aops.h
+@@ -86,6 +86,8 @@ enum ocfs2_iocb_lock_bits {
+       OCFS2_IOCB_NUM_LOCKS
+ };
+ 
++#define ocfs2_iocb_init_rw_locked(iocb) \
++      (iocb->private = NULL)
+ #define ocfs2_iocb_clear_rw_locked(iocb) \
+       clear_bit(OCFS2_IOCB_RW_LOCK, (unsigned long *)&iocb->private)
+ #define ocfs2_iocb_rw_locked_level(iocb) \
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 9062002fd56c6..08cd712b433c8 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2412,6 +2412,8 @@ static ssize_t ocfs2_file_write_iter(struct kiocb *iocb,
+       } else
+               inode_lock(inode);
+ 
++      ocfs2_iocb_init_rw_locked(iocb);
++
+       /*
+        * Concurrent O_DIRECT writes are allowed with
+        * mount_option "coherency=buffered".
+@@ -2558,6 +2560,8 @@ static ssize_t ocfs2_file_read_iter(struct kiocb *iocb,
+       if (!direct_io && nowait)
+               return -EOPNOTSUPP;
+ 
++      ocfs2_iocb_init_rw_locked(iocb);
++
+       /*
+        * buffered reads protect themselves in ->readpage().  O_DIRECT reads
+        * need locks to protect pending reads from racing with truncate.
+-- 
+2.43.0
+

diff --git a/queue-4.19/pci-cpqphp-fix-pcibios_-return-value-confusion.patch b/queue-4.19/pci-cpqphp-fix-pcibios_-return-value-confusion.patch
new file mode 100644 (file)
index 0000000..009fed6
--- /dev/null
+++ b/queue-4.19/pci-cpqphp-fix-pcibios_-return-value-confusion.patch
@@ -0,0 +1,85 @@
+From c7f5d988ee15e4d4d5d1e6c000586aa396af5c52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 12:11:37 +0300
+Subject: PCI: cpqphp: Fix PCIBIOS_* return value confusion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit e2226dbc4a4919d9c8bd9293299b532090bdf020 ]
+
+Code in and related to PCI_RefinedAccessConfig() has three types of return
+type confusion:
+
+ - PCI_RefinedAccessConfig() tests pci_bus_read_config_dword() return value
+   against -1.
+
+ - PCI_RefinedAccessConfig() returns both -1 and PCIBIOS_* return codes.
+
+ - Callers of PCI_RefinedAccessConfig() only test for -1.
+
+Make PCI_RefinedAccessConfig() return PCIBIOS_* codes consistently and
+adapt callers accordingly.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/20241022091140.3504-2-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/cpqphp_pci.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/hotplug/cpqphp_pci.c b/drivers/pci/hotplug/cpqphp_pci.c
+index a20875da4ec70..ce6eb71a63599 100644
+--- a/drivers/pci/hotplug/cpqphp_pci.c
++++ b/drivers/pci/hotplug/cpqphp_pci.c
+@@ -135,11 +135,13 @@ int cpqhp_unconfigure_device(struct pci_func *func)
+ static int PCI_RefinedAccessConfig(struct pci_bus *bus, unsigned int devfn, u8 offset, u32 *value)
+ {
+       u32 vendID = 0;
++      int ret;
+ 
+-      if (pci_bus_read_config_dword(bus, devfn, PCI_VENDOR_ID, &vendID) == -1)
+-              return -1;
++      ret = pci_bus_read_config_dword(bus, devfn, PCI_VENDOR_ID, &vendID);
++      if (ret != PCIBIOS_SUCCESSFUL)
++              return PCIBIOS_DEVICE_NOT_FOUND;
+       if (PCI_POSSIBLE_ERROR(vendID))
+-              return -1;
++              return PCIBIOS_DEVICE_NOT_FOUND;
+       return pci_bus_read_config_dword(bus, devfn, offset, value);
+ }
+ 
+@@ -200,13 +202,15 @@ static int PCI_ScanBusForNonBridge(struct controller *ctrl, u8 bus_num, u8 *dev_
+ {
+       u16 tdevice;
+       u32 work;
++      int ret;
+       u8 tbus;
+ 
+       ctrl->pci_bus->number = bus_num;
+ 
+       for (tdevice = 0; tdevice < 0xFF; tdevice++) {
+               /* Scan for access first */
+-              if (PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work) == -1)
++              ret = PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work);
++              if (ret)
+                       continue;
+               dbg("Looking for nonbridge bus_num %d dev_num %d\n", bus_num, tdevice);
+               /* Yep we got one. Not a bridge ? */
+@@ -218,7 +222,8 @@ static int PCI_ScanBusForNonBridge(struct controller *ctrl, u8 bus_num, u8 *dev_
+       }
+       for (tdevice = 0; tdevice < 0xFF; tdevice++) {
+               /* Scan for access first */
+-              if (PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work) == -1)
++              ret = PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work);
++              if (ret)
+                       continue;
+               dbg("Looking for bridge bus_num %d dev_num %d\n", bus_num, tdevice);
+               /* Yep we got one. bridge ? */
+-- 
+2.43.0
+

diff --git a/queue-4.19/pci-cpqphp-use-pci_possible_error-to-check-config-re.patch b/queue-4.19/pci-cpqphp-use-pci_possible_error-to-check-config-re.patch
new file mode 100644 (file)
index 0000000..79efe4f
--- /dev/null
+++ b/queue-4.19/pci-cpqphp-use-pci_possible_error-to-check-config-re.patch
@@ -0,0 +1,54 @@
+From d60c8742bb71d58b812b300ffb0ee753eec4cc23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 14:50:50 +0800
+Subject: PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
+
+From: weiyufeng <weiyufeng@kylinos.cn>
+
+[ Upstream commit a18a025c2fb5fbf2d1d0606ea0d7441ac90e9c39 ]
+
+When config pci_ops.read() can detect failed PCI transactions, the data
+returned to the CPU is PCI_ERROR_RESPONSE (~0 or 0xffffffff).
+
+Obviously a successful PCI config read may *also* return that data if a
+config register happens to contain ~0, so it doesn't definitively indicate
+an error unless we know the register cannot contain ~0.
+
+Use PCI_POSSIBLE_ERROR() to check the response we get when we read data
+from hardware.  This unifies PCI error response checking and makes error
+checks consistent and easier to find.
+
+Link: https://lore.kernel.org/r/b12005c0d57bb9d4c8b486724d078b7bd92f8321.1637243717.git.naveennaidu479@gmail.com
+Signed-off-by: Naveen Naidu <naveennaidu479@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Stable-dep-of: e2226dbc4a49 ("PCI: cpqphp: Fix PCIBIOS_* return value confusion")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/cpqphp_pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/hotplug/cpqphp_pci.c b/drivers/pci/hotplug/cpqphp_pci.c
+index 1b2b3f3b648bc..a20875da4ec70 100644
+--- a/drivers/pci/hotplug/cpqphp_pci.c
++++ b/drivers/pci/hotplug/cpqphp_pci.c
+@@ -138,7 +138,7 @@ static int PCI_RefinedAccessConfig(struct pci_bus *bus, unsigned int devfn, u8 o
+ 
+       if (pci_bus_read_config_dword(bus, devfn, PCI_VENDOR_ID, &vendID) == -1)
+               return -1;
+-      if (vendID == 0xffffffff)
++      if (PCI_POSSIBLE_ERROR(vendID))
+               return -1;
+       return pci_bus_read_config_dword(bus, devfn, offset, value);
+ }
+@@ -251,7 +251,7 @@ static int PCI_GetBusDevHelper(struct controller *ctrl, u8 *bus_num, u8 *dev_num
+                       *dev_num = tdevice;
+                       ctrl->pci_bus->number = tbus;
+                       pci_bus_read_config_dword(ctrl->pci_bus, *dev_num, PCI_VENDOR_ID, &work);
+-                      if (!nobridge || (work == 0xffffffff))
++                      if (!nobridge || PCI_POSSIBLE_ERROR(work))
+                               return 0;
+ 
+                       dbg("bus_num %d devfn %d\n", *bus_num, *dev_num);
+-- 
+2.43.0
+

diff --git a/queue-4.19/perf-probe-correct-demangled-symbols-in-c-program.patch b/queue-4.19/perf-probe-correct-demangled-symbols-in-c-program.patch
new file mode 100644 (file)
index 0000000..9a146a0
--- /dev/null
+++ b/queue-4.19/perf-probe-correct-demangled-symbols-in-c-program.patch
@@ -0,0 +1,141 @@
+From 43a21c0c8fb22bf23bef6768ed561afa41d56fb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 15:14:32 +0100
+Subject: perf probe: Correct demangled symbols in C++ program
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 314909f13cc12d47c468602c37dace512d225eeb ]
+
+An issue can be observed when probe C++ demangled symbol with steps:
+
+  # nm test_cpp_mangle | grep print_data
+    0000000000000c94 t _GLOBAL__sub_I__Z10print_datai
+    0000000000000afc T _Z10print_datai
+    0000000000000b38 T _Z10print_dataR5Point
+
+  # perf probe -x /home/niayan01/test_cpp_mangle -F --demangle
+    ...
+    print_data(Point&)
+    print_data(int)
+    ...
+
+  # perf --debug verbose=3 probe -x test_cpp_mangle --add "test=print_data(int)"
+    probe-definition(0): test=print_data(int)
+    symbol:print_data(int) file:(null) line:0 offset:0 return:0 lazy:(null)
+    0 arguments
+    Open Debuginfo file: /home/niayan01/test_cpp_mangle
+    Try to find probe point from debuginfo.
+    Symbol print_data(int) address found : afc
+    Matched function: print_data [2ccf]
+    Probe point found: print_data+0
+    Found 1 probe_trace_events.
+    Opening /sys/kernel/tracing//uprobe_events write=1
+    Opening /sys/kernel/tracing//README write=0
+    Writing event: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0xb38
+    ...
+
+When tried to probe symbol "print_data(int)", the log shows:
+
+    Symbol print_data(int) address found : afc
+
+The found address is 0xafc - which is right with verifying the output
+result from nm. Afterwards when write event, the command uses offset
+0xb38 in the last log, which is a wrong address.
+
+The dwarf_diename() gets a common function name, in above case, it
+returns string "print_data". As a result, the tool parses the offset
+based on the common name. This leads to probe at the wrong symbol
+"print_data(Point&)".
+
+To fix the issue, use the die_get_linkage_name() function to retrieve
+the distinct linkage name - this is the mangled name for the C++ case.
+Based on this unique name, the tool can get a correct offset for
+probing. Based on DWARF doc, it is possible the linkage name is missed
+in the DIE, it rolls back to use dwarf_diename().
+
+After:
+
+  # perf --debug verbose=3 probe -x test_cpp_mangle --add "test=print_data(int)"
+    probe-definition(0): test=print_data(int)
+    symbol:print_data(int) file:(null) line:0 offset:0 return:0 lazy:(null)
+    0 arguments
+    Open Debuginfo file: /home/niayan01/test_cpp_mangle
+    Try to find probe point from debuginfo.
+    Symbol print_data(int) address found : afc
+    Matched function: print_data [2d06]
+    Probe point found: print_data+0
+    Found 1 probe_trace_events.
+    Opening /sys/kernel/tracing//uprobe_events write=1
+    Opening /sys/kernel/tracing//README write=0
+    Writing event: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0xafc
+    Added new event:
+      probe_test_cpp_mangle:test (on print_data(int) in /home/niayan01/test_cpp_mangle)
+
+    You can now use it in all perf tools, such as:
+
+            perf record -e probe_test_cpp_mangle:test -aR sleep 1
+
+  # perf --debug verbose=3 probe -x test_cpp_mangle --add "test2=print_data(Point&)"
+    probe-definition(0): test2=print_data(Point&)
+    symbol:print_data(Point&) file:(null) line:0 offset:0 return:0 lazy:(null)
+    0 arguments
+    Open Debuginfo file: /home/niayan01/test_cpp_mangle
+    Try to find probe point from debuginfo.
+    Symbol print_data(Point&) address found : b38
+    Matched function: print_data [2ccf]
+    Probe point found: print_data+0
+    Found 1 probe_trace_events.
+    Opening /sys/kernel/tracing//uprobe_events write=1
+    Parsing probe_events: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0x0000000000000afc
+    Group:probe_test_cpp_mangle Event:test probe:p
+    Opening /sys/kernel/tracing//README write=0
+    Writing event: p:probe_test_cpp_mangle/test2 /home/niayan01/test_cpp_mangle:0xb38
+    Added new event:
+      probe_test_cpp_mangle:test2 (on print_data(Point&) in /home/niayan01/test_cpp_mangle)
+
+    You can now use it in all perf tools, such as:
+
+            perf record -e probe_test_cpp_mangle:test2 -aR sleep 1
+
+Fixes: fb1587d869a3 ("perf probe: List probes with line number and file name")
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/r/20241012141432.877894-1-leo.yan@arm.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 4da4ec2552463..38b8a657196d9 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1593,8 +1593,21 @@ int debuginfo__find_probe_point(struct debuginfo *dbg, unsigned long addr,
+ 
+       /* Find a corresponding function (name, baseline and baseaddr) */
+       if (die_find_realfunc(&cudie, (Dwarf_Addr)addr, &spdie)) {
+-              /* Get function entry information */
+-              func = basefunc = dwarf_diename(&spdie);
++              /*
++               * Get function entry information.
++               *
++               * As described in the document DWARF Debugging Information
++               * Format Version 5, section 2.22 Linkage Names, "mangled names,
++               * are used in various ways, ... to distinguish multiple
++               * entities that have the same name".
++               *
++               * Firstly try to get distinct linkage name, if fail then
++               * rollback to get associated name in DIE.
++               */
++              func = basefunc = die_get_linkage_name(&spdie);
++              if (!func)
++                      func = basefunc = dwarf_diename(&spdie);
++
+               if (!func ||
+                   die_entrypc(&spdie, &baseaddr) != 0 ||
+                   dwarf_decl_line(&spdie, &baseline) != 0) {
+-- 
+2.43.0
+

diff --git a/queue-4.19/power-supply-core-remove-might_sleep-from-power_supp.patch b/queue-4.19/power-supply-core-remove-might_sleep-from-power_supp.patch
new file mode 100644 (file)
index 0000000..20e6ac6
--- /dev/null
+++ b/queue-4.19/power-supply-core-remove-might_sleep-from-power_supp.patch
@@ -0,0 +1,44 @@
+From 64ffc78b31a83016db778984fcf42b00faf6dfe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 12:39:14 -0700
+Subject: power: supply: core: Remove might_sleep() from power_supply_put()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit f6da4553ff24a5d1c959c9627c965323adc3d307 ]
+
+The put_device() call in power_supply_put() may call
+power_supply_dev_release(). The latter function does not sleep so
+power_supply_put() doesn't sleep either. Hence, remove the might_sleep()
+call from power_supply_put(). This patch suppresses false positive
+complaints about calling a sleeping function from atomic context if
+power_supply_put() is called from atomic context.
+
+Cc: Kyle Tso <kyletso@google.com>
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Fixes: 1a352462b537 ("power_supply: Add power_supply_put for decrementing device reference counter")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240917193914.47566-1-bvanassche@acm.org
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/power_supply_core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c
+index 3715a6c2955b2..b89d89455bcb3 100644
+--- a/drivers/power/supply/power_supply_core.c
++++ b/drivers/power/supply/power_supply_core.c
+@@ -482,8 +482,6 @@ EXPORT_SYMBOL_GPL(power_supply_get_by_name);
+  */
+ void power_supply_put(struct power_supply *psy)
+ {
+-      might_sleep();
+-
+       atomic_dec(&psy->use_cnt);
+       put_device(&psy->dev);
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/powerpc-sstep-make-emulate_vsx_load-and-emulate_vsx_.patch b/queue-4.19/powerpc-sstep-make-emulate_vsx_load-and-emulate_vsx_.patch
new file mode 100644 (file)
index 0000000..2b76470
--- /dev/null
+++ b/queue-4.19/powerpc-sstep-make-emulate_vsx_load-and-emulate_vsx_.patch
@@ -0,0 +1,76 @@
+From 5283916ad311503a8163bdfa9bf65ca8544c81aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 15:03:49 +0200
+Subject: powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit a26c4dbb3d9c1821cb0fc11cb2dbc32d5bf3463b ]
+
+These functions are not used outside of sstep.c
+
+Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/20241001130356.14664-1-msuchanek@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/sstep.h |  5 -----
+ arch/powerpc/lib/sstep.c         | 12 ++++--------
+ 2 files changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/sstep.h b/arch/powerpc/include/asm/sstep.h
+index 4547891a684be..b1449ed56fce2 100644
+--- a/arch/powerpc/include/asm/sstep.h
++++ b/arch/powerpc/include/asm/sstep.h
+@@ -164,9 +164,4 @@ extern int emulate_step(struct pt_regs *regs, unsigned int instr);
+  */
+ extern int emulate_loadstore(struct pt_regs *regs, struct instruction_op *op);
+ 
+-extern void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
+-                           const void *mem, bool cross_endian);
+-extern void emulate_vsx_store(struct instruction_op *op,
+-                            const union vsx_reg *reg, void *mem,
+-                            bool cross_endian);
+ extern int emulate_dcbz(unsigned long ea, struct pt_regs *regs);
+diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
+index 3da6290e3cccb..8c645e0072c6f 100644
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -667,8 +667,8 @@ static nokprobe_inline int emulate_stq(struct pt_regs *regs, unsigned long ea,
+ #endif /* __powerpc64 */
+ 
+ #ifdef CONFIG_VSX
+-void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
+-                    const void *mem, bool rev)
++static nokprobe_inline void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
++                                           const void *mem, bool rev)
+ {
+       int size, read_size;
+       int i, j;
+@@ -748,11 +748,9 @@ void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
+               break;
+       }
+ }
+-EXPORT_SYMBOL_GPL(emulate_vsx_load);
+-NOKPROBE_SYMBOL(emulate_vsx_load);
+ 
+-void emulate_vsx_store(struct instruction_op *op, const union vsx_reg *reg,
+-                     void *mem, bool rev)
++static nokprobe_inline void emulate_vsx_store(struct instruction_op *op, const union vsx_reg *reg,
++                                            void *mem, bool rev)
+ {
+       int size, write_size;
+       int i, j;
+@@ -824,8 +822,6 @@ void emulate_vsx_store(struct instruction_op *op, const union vsx_reg *reg,
+               break;
+       }
+ }
+-EXPORT_SYMBOL_GPL(emulate_vsx_store);
+-NOKPROBE_SYMBOL(emulate_vsx_store);
+ 
+ static nokprobe_inline int do_vsx_load(struct instruction_op *op,
+                                      unsigned long ea, struct pt_regs *regs,
+-- 
+2.43.0
+

diff --git a/queue-4.19/powerpc-vdso-flag-vdso64-entry-points-as-functions.patch b/queue-4.19/powerpc-vdso-flag-vdso64-entry-points-as-functions.patch
new file mode 100644 (file)
index 0000000..18963c7
--- /dev/null
+++ b/queue-4.19/powerpc-vdso-flag-vdso64-entry-points-as-functions.patch
@@ -0,0 +1,112 @@
+From c1713baa987a8769490384fcb8d7090cf9b38774 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 00:17:57 +0200
+Subject: powerpc/vdso: Flag VDSO64 entry points as functions
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 0161bd38c24312853ed5ae9a425a1c41c4ac674a ]
+
+On powerpc64 as shown below by readelf, vDSO functions symbols have
+type NOTYPE.
+
+$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
+ELF Header:
+  Magic:   7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
+  Class:                             ELF64
+  Data:                              2's complement, big endian
+  Version:                           1 (current)
+  OS/ABI:                            UNIX - System V
+  ABI Version:                       0
+  Type:                              DYN (Shared object file)
+  Machine:                           PowerPC64
+  Version:                           0x1
+...
+
+Symbol table '.dynsym' contains 12 entries:
+   Num:    Value          Size Type    Bind   Vis      Ndx Name
+...
+     1: 0000000000000524    84 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
+...
+     4: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  ABS LINUX_2.6.15
+     5: 00000000000006c0    48 NOTYPE  GLOBAL DEFAULT    8 __[...]@@LINUX_2.6.15
+
+Symbol table '.symtab' contains 56 entries:
+   Num:    Value          Size Type    Bind   Vis      Ndx Name
+...
+    45: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  ABS LINUX_2.6.15
+    46: 00000000000006c0    48 NOTYPE  GLOBAL DEFAULT    8 __kernel_getcpu
+    47: 0000000000000524    84 NOTYPE  GLOBAL DEFAULT    8 __kernel_clock_getres
+
+To overcome that, commit ba83b3239e65 ("selftests: vDSO: fix vDSO
+symbols lookup for powerpc64") was applied to have selftests also
+look for NOTYPE symbols, but the correct fix should be to flag VDSO
+entry points as functions.
+
+The original commit that brought VDSO support into powerpc/64 has the
+following explanation:
+
+    Note that the symbols exposed by the vDSO aren't "normal" function symbols, apps
+    can't be expected to link against them directly, the vDSO's are both seen
+    as if they were linked at 0 and the symbols just contain offsets to the
+    various functions.  This is done on purpose to avoid a relocation step
+    (ppc64 functions normally have descriptors with abs addresses in them).
+    When glibc uses those functions, it's expected to use it's own trampolines
+    that know how to reach them.
+
+The descriptors it's talking about are the OPD function descriptors
+used on ABI v1 (big endian). But it would be more correct for a text
+symbol to have type function, even if there's no function descriptor
+for it.
+
+glibc has a special case already for handling the VDSO symbols which
+creates a fake opd pointing at the kernel symbol. So changing the VDSO
+symbol type to function shouldn't affect that.
+
+For ABI v2, there is no function descriptors and VDSO functions can
+safely have function type.
+
+So lets flag VDSO entry points as functions and revert the
+selftest change.
+
+Link: https://github.com/mpe/linux-fullhistory/commit/5f2dd691b62da9d9cc54b938f8b29c22c93cb805
+Fixes: ba83b3239e65 ("selftests: vDSO: fix vDSO symbols lookup for powerpc64")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-By: Segher Boessenkool <segher@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/b6ad2f1ee9887af3ca5ecade2a56f4acda517a85.1728512263.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/vdso.h           | 1 +
+ tools/testing/selftests/vDSO/parse_vdso.c | 3 +--
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/vdso.h b/arch/powerpc/include/asm/vdso.h
+index b5e1f8f8a05c2..64bf8612f479e 100644
+--- a/arch/powerpc/include/asm/vdso.h
++++ b/arch/powerpc/include/asm/vdso.h
+@@ -49,6 +49,7 @@ int vdso_getcpu_init(void);
+ 
+ #define V_FUNCTION_BEGIN(name)                \
+       .globl name;                    \
++      .type name,@function;           \
+       name:                           \
+ 
+ #define V_FUNCTION_END(name)          \
+diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
+index 540f9a284e9f0..9ef3ad3789c17 100644
+--- a/tools/testing/selftests/vDSO/parse_vdso.c
++++ b/tools/testing/selftests/vDSO/parse_vdso.c
+@@ -238,8 +238,7 @@ void *vdso_sym(const char *version, const char *name)
+               ELF(Sym) *sym = &vdso_info.symtab[chain];
+ 
+               /* Check for a defined global or weak function w/ right name. */
+-              if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC &&
+-                  ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE)
++              if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC)
+                       continue;
+               if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL &&
+                   ELF64_ST_BIND(sym->st_info) != STB_WEAK)
+-- 
+2.43.0
+

diff --git a/queue-4.19/rdma-bnxt_re-check-cqe-flags-to-know-imm_data-vs-inv.patch b/queue-4.19/rdma-bnxt_re-check-cqe-flags-to-know-imm_data-vs-inv.patch
new file mode 100644 (file)
index 0000000..ba1219e
--- /dev/null
+++ b/queue-4.19/rdma-bnxt_re-check-cqe-flags-to-know-imm_data-vs-inv.patch
@@ -0,0 +1,80 @@
+From 8ce3dc7f6f1f6f4e69538460345ebc7f9e840745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2024 03:06:54 -0700
+Subject: RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
+
+From: Kashyap Desai <kashyap.desai@broadcom.com>
+
+[ Upstream commit 808ca6de989c598bc5af1ae0ad971a66077efac0 ]
+
+Invalidate rkey is cpu endian and immediate data is in big endian format.
+Both immediate data and invalidate the remote key returned by
+HW is in little endian format.
+
+While handling the commit in fixes tag, the difference between
+immediate data and invalidate rkey endianness was not considered.
+
+Without changes of this patch, Kernel ULP was failing while processing
+inv_rkey.
+
+dmesg log snippet -
+nvme nvme0: Bogus remote invalidation for rkey 0x2000019Fix in this patch
+
+Do endianness conversion based on completion queue entry flag.
+Also, the HW completions are already converted to host endianness in
+bnxt_qplib_cq_process_res_rc and bnxt_qplib_cq_process_res_ud and there
+is no need to convert it again in bnxt_re_poll_cq. Modified the union to
+hold the correct data type.
+
+Fixes: 95b087f87b78 ("bnxt_re: Fix imm_data endianness")
+Signed-off-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://patch.msgid.link/1730110014-20755-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +++++--
+ drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index e2c93a50fe762..9b6ebf6356983 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -3110,7 +3110,7 @@ static void bnxt_re_process_res_shadow_qp_wc(struct bnxt_re_qp *qp,
+       wc->byte_len = orig_cqe->length;
+       wc->qp = &qp1_qp->ib_qp;
+ 
+-      wc->ex.imm_data = cpu_to_be32(le32_to_cpu(orig_cqe->immdata));
++      wc->ex.imm_data = cpu_to_be32(orig_cqe->immdata);
+       wc->src_qp = orig_cqe->src_qp;
+       memcpy(wc->smac, orig_cqe->smac, ETH_ALEN);
+       if (bnxt_re_is_vlan_pkt(orig_cqe, &vlan_id, &sl)) {
+@@ -3231,7 +3231,10 @@ int bnxt_re_poll_cq(struct ib_cq *ib_cq, int num_entries, struct ib_wc *wc)
+                               continue;
+                       }
+                       wc->qp = &qp->ib_qp;
+-                      wc->ex.imm_data = cpu_to_be32(le32_to_cpu(cqe->immdata));
++                      if (cqe->flags & CQ_RES_RC_FLAGS_IMM)
++                              wc->ex.imm_data = cpu_to_be32(cqe->immdata);
++                      else
++                              wc->ex.invalidate_rkey = cqe->invrkey;
+                       wc->src_qp = cqe->src_qp;
+                       memcpy(wc->smac, cqe->smac, ETH_ALEN);
+                       wc->port_num = 1;
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+index aed0c53d84be2..6c0129231c07b 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+@@ -349,7 +349,7 @@ struct bnxt_qplib_cqe {
+       u32                             length;
+       u64                             wr_id;
+       union {
+-              __le32                  immdata;
++              u32                     immdata;
+               u32                     invrkey;
+       };
+       u64                             qp_handle;
+-- 
+2.43.0
+

diff --git a/queue-4.19/regmap-irq-set-lockdep-class-for-hierarchical-irq-do.patch b/queue-4.19/regmap-irq-set-lockdep-class-for-hierarchical-irq-do.patch
new file mode 100644 (file)
index 0000000..a990204
--- /dev/null
+++ b/queue-4.19/regmap-irq-set-lockdep-class-for-hierarchical-irq-do.patch
@@ -0,0 +1,85 @@
+From 520ff2f50346e605b0a7a32cee87f6bffd8e1b4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 18:55:53 +0200
+Subject: regmap: irq: Set lockdep class for hierarchical IRQ domains
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 953e549471cabc9d4980f1da2e9fa79f4c23da06 ]
+
+Lockdep gives a false positive splat as it can't distinguish the lock
+which is taken by different IRQ descriptors from different IRQ chips
+that are organized in a way of a hierarchy:
+
+   ======================================================
+   WARNING: possible circular locking dependency detected
+   6.12.0-rc5-next-20241101-00148-g9fabf8160b53 #562 Tainted: G        W
+   ------------------------------------------------------
+   modprobe/141 is trying to acquire lock:
+   ffff899446947868 (intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock){+.+.}-{4:4}, at: regmap_update_bits_base+0x33/0x90
+
+   but task is already holding lock:
+   ffff899446947c68 (&d->lock){+.+.}-{4:4}, at: __setup_irq+0x682/0x790
+
+   which lock already depends on the new lock.
+
+   -> #3 (&d->lock){+.+.}-{4:4}:
+   -> #2 (&desc->request_mutex){+.+.}-{4:4}:
+   -> #1 (ipclock){+.+.}-{4:4}:
+   -> #0 (intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock){+.+.}-{4:4}:
+
+   Chain exists of:
+     intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock --> &desc->request_mutex --> &d->lock
+
+    Possible unsafe locking scenario:
+
+          CPU0                    CPU1
+          ----                    ----
+     lock(&d->lock);
+                                  lock(&desc->request_mutex);
+                                  lock(&d->lock);
+     lock(intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock);
+
+    *** DEADLOCK ***
+
+   3 locks held by modprobe/141:
+    #0: ffff8994419368f8 (&dev->mutex){....}-{4:4}, at: __driver_attach+0xf6/0x250
+    #1: ffff89944690b250 (&desc->request_mutex){+.+.}-{4:4}, at: __setup_irq+0x1a2/0x790
+    #2: ffff899446947c68 (&d->lock){+.+.}-{4:4}, at: __setup_irq+0x682/0x790
+
+Set a lockdep class when we map the IRQ so that it doesn't warn about
+a lockdep bug that doesn't exist.
+
+Fixes: 4af8be67fd99 ("regmap: Convert regmap_irq to use irq_domain")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20241101165553.4055617-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-irq.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c
+index 982c7ac311b85..aeb4961d14b95 100644
+--- a/drivers/base/regmap/regmap-irq.c
++++ b/drivers/base/regmap/regmap-irq.c
+@@ -391,12 +391,16 @@ static irqreturn_t regmap_irq_thread(int irq, void *d)
+               return IRQ_NONE;
+ }
+ 
++static struct lock_class_key regmap_irq_lock_class;
++static struct lock_class_key regmap_irq_request_class;
++
+ static int regmap_irq_map(struct irq_domain *h, unsigned int virq,
+                         irq_hw_number_t hw)
+ {
+       struct regmap_irq_chip_data *data = h->host_data;
+ 
+       irq_set_chip_data(virq, data);
++      irq_set_lockdep_class(virq, &regmap_irq_lock_class, &regmap_irq_request_class);
+       irq_set_chip(virq, &data->irq_chip);
+       irq_set_nested_thread(virq, 1);
+       irq_set_parent(virq, data->irq);
+-- 
+2.43.0
+

diff --git a/queue-4.19/rpmsg-glink-add-tx_data_cont-command-while-sending.patch b/queue-4.19/rpmsg-glink-add-tx_data_cont-command-while-sending.patch
new file mode 100644 (file)
index 0000000..dca9a4d
--- /dev/null
+++ b/queue-4.19/rpmsg-glink-add-tx_data_cont-command-while-sending.patch
@@ -0,0 +1,92 @@
+From c6c89bb582c1f3750bebd70e346b3916eb522bb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 10:48:13 +0530
+Subject: rpmsg: glink: Add TX_DATA_CONT command while sending
+
+From: Arun Kumar Neelakantam <aneela@codeaurora.org>
+
+[ Upstream commit 8956927faed366b60b0355f4a4317a10e281ced7 ]
+
+With current design the transport can send packets of size upto
+FIFO_SIZE which is 16k and return failure for all packets above 16k.
+
+Add TX_DATA_CONT command to send packets greater than 16k by splitting
+into 8K chunks.
+
+Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
+Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/1596086296-28529-4-git-send-email-deesin@codeaurora.org
+Stable-dep-of: 06c59d97f63c ("rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 38 +++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 48d2fb187a1bf..5a3ed96af87b8 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -1276,6 +1276,8 @@ static int __qcom_glink_send(struct glink_channel *channel,
+       } __packed req;
+       int ret;
+       unsigned long flags;
++      int chunk_size = len;
++      int left_size = 0;
+ 
+       if (!glink->intentless) {
+               while (!intent) {
+@@ -1309,18 +1311,46 @@ static int __qcom_glink_send(struct glink_channel *channel,
+               iid = intent->id;
+       }
+ 
++      if (wait && chunk_size > SZ_8K) {
++              chunk_size = SZ_8K;
++              left_size = len - chunk_size;
++      }
+       req.msg.cmd = cpu_to_le16(RPM_CMD_TX_DATA);
+       req.msg.param1 = cpu_to_le16(channel->lcid);
+       req.msg.param2 = cpu_to_le32(iid);
+-      req.chunk_size = cpu_to_le32(len);
+-      req.left_size = cpu_to_le32(0);
++      req.chunk_size = cpu_to_le32(chunk_size);
++      req.left_size = cpu_to_le32(left_size);
+ 
+-      ret = qcom_glink_tx(glink, &req, sizeof(req), data, len, wait);
++      ret = qcom_glink_tx(glink, &req, sizeof(req), data, chunk_size, wait);
+ 
+       /* Mark intent available if we failed */
+-      if (ret && intent)
++      if (ret && intent) {
+               intent->in_use = false;
++              return ret;
++      }
+ 
++      while (left_size > 0) {
++              data = (void *)((char *)data + chunk_size);
++              chunk_size = left_size;
++              if (chunk_size > SZ_8K)
++                      chunk_size = SZ_8K;
++              left_size -= chunk_size;
++
++              req.msg.cmd = cpu_to_le16(RPM_CMD_TX_DATA_CONT);
++              req.msg.param1 = cpu_to_le16(channel->lcid);
++              req.msg.param2 = cpu_to_le32(iid);
++              req.chunk_size = cpu_to_le32(chunk_size);
++              req.left_size = cpu_to_le32(left_size);
++
++              ret = qcom_glink_tx(glink, &req, sizeof(req), data,
++                                  chunk_size, wait);
++
++              /* Mark intent available if we failed */
++              if (ret && intent) {
++                      intent->in_use = false;
++                      break;
++              }
++      }
+       return ret;
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/rpmsg-glink-fix-glink-command-prefix.patch b/queue-4.19/rpmsg-glink-fix-glink-command-prefix.patch
new file mode 100644 (file)
index 0000000..14b9b25
--- /dev/null
+++ b/queue-4.19/rpmsg-glink-fix-glink-command-prefix.patch
@@ -0,0 +1,284 @@
+From b102cf68f9b567325c2376a3099463eb3db0b572 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 14:59:33 -0800
+Subject: rpmsg: glink: Fix GLINK command prefix
+
+From: Bjorn Andersson <quic_bjorande@quicinc.com>
+
+[ Upstream commit 4e816d0318fdfe8932da80dbf04ba318b13e4b3a ]
+
+The upstream GLINK driver was first introduced to communicate with the
+RPM on MSM8996, presumably as an artifact from that era the command
+defines was prefixed RPM_CMD, while they actually are GLINK_CMDs.
+
+Let's rename these, to keep things tidy. No functional change.
+
+Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
+Reviewed-by: Chris Lew <quic_clew@quicinc.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230214225933.2025595-1-quic_bjorande@quicinc.com
+Stable-dep-of: 06c59d97f63c ("rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 98 +++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 49 deletions(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 3db5beb338cd3..d283d876d39ce 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -191,20 +191,20 @@ struct glink_channel {
+ 
+ static const struct rpmsg_endpoint_ops glink_endpoint_ops;
+ 
+-#define RPM_CMD_VERSION                       0
+-#define RPM_CMD_VERSION_ACK           1
+-#define RPM_CMD_OPEN                  2
+-#define RPM_CMD_CLOSE                 3
+-#define RPM_CMD_OPEN_ACK              4
+-#define RPM_CMD_INTENT                        5
+-#define RPM_CMD_RX_DONE                       6
+-#define RPM_CMD_RX_INTENT_REQ         7
+-#define RPM_CMD_RX_INTENT_REQ_ACK     8
+-#define RPM_CMD_TX_DATA                       9
+-#define RPM_CMD_CLOSE_ACK             11
+-#define RPM_CMD_TX_DATA_CONT          12
+-#define RPM_CMD_READ_NOTIF            13
+-#define RPM_CMD_RX_DONE_W_REUSE               14
++#define GLINK_CMD_VERSION             0
++#define GLINK_CMD_VERSION_ACK         1
++#define GLINK_CMD_OPEN                        2
++#define GLINK_CMD_CLOSE                       3
++#define GLINK_CMD_OPEN_ACK            4
++#define GLINK_CMD_INTENT              5
++#define GLINK_CMD_RX_DONE             6
++#define GLINK_CMD_RX_INTENT_REQ               7
++#define GLINK_CMD_RX_INTENT_REQ_ACK   8
++#define GLINK_CMD_TX_DATA             9
++#define GLINK_CMD_CLOSE_ACK           11
++#define GLINK_CMD_TX_DATA_CONT                12
++#define GLINK_CMD_READ_NOTIF          13
++#define GLINK_CMD_RX_DONE_W_REUSE     14
+ 
+ #define GLINK_FEATURE_INTENTLESS      BIT(1)
+ 
+@@ -313,7 +313,7 @@ static void qcom_glink_send_read_notify(struct qcom_glink *glink)
+ {
+       struct glink_msg msg;
+ 
+-      msg.cmd = cpu_to_le16(RPM_CMD_READ_NOTIF);
++      msg.cmd = cpu_to_le16(GLINK_CMD_READ_NOTIF);
+       msg.param1 = 0;
+       msg.param2 = 0;
+ 
+@@ -375,7 +375,7 @@ static int qcom_glink_send_version(struct qcom_glink *glink)
+ {
+       struct glink_msg msg;
+ 
+-      msg.cmd = cpu_to_le16(RPM_CMD_VERSION);
++      msg.cmd = cpu_to_le16(GLINK_CMD_VERSION);
+       msg.param1 = cpu_to_le16(GLINK_VERSION_1);
+       msg.param2 = cpu_to_le32(glink->features);
+ 
+@@ -386,7 +386,7 @@ static void qcom_glink_send_version_ack(struct qcom_glink *glink)
+ {
+       struct glink_msg msg;
+ 
+-      msg.cmd = cpu_to_le16(RPM_CMD_VERSION_ACK);
++      msg.cmd = cpu_to_le16(GLINK_CMD_VERSION_ACK);
+       msg.param1 = cpu_to_le16(GLINK_VERSION_1);
+       msg.param2 = cpu_to_le32(glink->features);
+ 
+@@ -398,7 +398,7 @@ static void qcom_glink_send_open_ack(struct qcom_glink *glink,
+ {
+       struct glink_msg msg;
+ 
+-      msg.cmd = cpu_to_le16(RPM_CMD_OPEN_ACK);
++      msg.cmd = cpu_to_le16(GLINK_CMD_OPEN_ACK);
+       msg.param1 = cpu_to_le16(channel->rcid);
+       msg.param2 = cpu_to_le32(0);
+ 
+@@ -424,11 +424,11 @@ static void qcom_glink_handle_intent_req_ack(struct qcom_glink *glink,
+ }
+ 
+ /**
+- * qcom_glink_send_open_req() - send a RPM_CMD_OPEN request to the remote
++ * qcom_glink_send_open_req() - send a GLINK_CMD_OPEN request to the remote
+  * @glink: Ptr to the glink edge
+  * @channel: Ptr to the channel that the open req is sent
+  *
+- * Allocates a local channel id and sends a RPM_CMD_OPEN message to the remote.
++ * Allocates a local channel id and sends a GLINK_CMD_OPEN message to the remote.
+  * Will return with refcount held, regardless of outcome.
+  *
+  * Returns 0 on success, negative errno otherwise.
+@@ -457,7 +457,7 @@ static int qcom_glink_send_open_req(struct qcom_glink *glink,
+ 
+       channel->lcid = ret;
+ 
+-      req.msg.cmd = cpu_to_le16(RPM_CMD_OPEN);
++      req.msg.cmd = cpu_to_le16(GLINK_CMD_OPEN);
+       req.msg.param1 = cpu_to_le16(channel->lcid);
+       req.msg.param2 = cpu_to_le32(name_len);
+       strcpy(req.name, channel->name);
+@@ -482,7 +482,7 @@ static void qcom_glink_send_close_req(struct qcom_glink *glink,
+ {
+       struct glink_msg req;
+ 
+-      req.cmd = cpu_to_le16(RPM_CMD_CLOSE);
++      req.cmd = cpu_to_le16(GLINK_CMD_CLOSE);
+       req.param1 = cpu_to_le16(channel->lcid);
+       req.param2 = 0;
+ 
+@@ -494,7 +494,7 @@ static void qcom_glink_send_close_ack(struct qcom_glink *glink,
+ {
+       struct glink_msg req;
+ 
+-      req.cmd = cpu_to_le16(RPM_CMD_CLOSE_ACK);
++      req.cmd = cpu_to_le16(GLINK_CMD_CLOSE_ACK);
+       req.param1 = cpu_to_le16(rcid);
+       req.param2 = 0;
+ 
+@@ -525,7 +525,7 @@ static void qcom_glink_rx_done_work(struct work_struct *work)
+               iid = intent->id;
+               reuse = intent->reuse;
+ 
+-              cmd.id = reuse ? RPM_CMD_RX_DONE_W_REUSE : RPM_CMD_RX_DONE;
++              cmd.id = reuse ? GLINK_CMD_RX_DONE_W_REUSE : GLINK_CMD_RX_DONE;
+               cmd.lcid = cid;
+               cmd.liid = iid;
+ 
+@@ -637,7 +637,7 @@ static int qcom_glink_send_intent_req_ack(struct qcom_glink *glink,
+ {
+       struct glink_msg msg;
+ 
+-      msg.cmd = cpu_to_le16(RPM_CMD_RX_INTENT_REQ_ACK);
++      msg.cmd = cpu_to_le16(GLINK_CMD_RX_INTENT_REQ_ACK);
+       msg.param1 = cpu_to_le16(channel->lcid);
+       msg.param2 = cpu_to_le32(granted);
+ 
+@@ -668,7 +668,7 @@ static int qcom_glink_advertise_intent(struct qcom_glink *glink,
+       } __packed;
+       struct command cmd;
+ 
+-      cmd.id = cpu_to_le16(RPM_CMD_INTENT);
++      cmd.id = cpu_to_le16(GLINK_CMD_INTENT);
+       cmd.lcid = cpu_to_le16(channel->lcid);
+       cmd.count = cpu_to_le32(1);
+       cmd.size = cpu_to_le32(intent->size);
+@@ -1033,42 +1033,42 @@ static irqreturn_t qcom_glink_native_intr(int irq, void *data)
+               param2 = le32_to_cpu(msg.param2);
+ 
+               switch (cmd) {
+-              case RPM_CMD_VERSION:
+-              case RPM_CMD_VERSION_ACK:
+-              case RPM_CMD_CLOSE:
+-              case RPM_CMD_CLOSE_ACK:
+-              case RPM_CMD_RX_INTENT_REQ:
++              case GLINK_CMD_VERSION:
++              case GLINK_CMD_VERSION_ACK:
++              case GLINK_CMD_CLOSE:
++              case GLINK_CMD_CLOSE_ACK:
++              case GLINK_CMD_RX_INTENT_REQ:
+                       ret = qcom_glink_rx_defer(glink, 0);
+                       break;
+-              case RPM_CMD_OPEN_ACK:
++              case GLINK_CMD_OPEN_ACK:
+                       ret = qcom_glink_rx_open_ack(glink, param1);
+                       qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+                       break;
+-              case RPM_CMD_OPEN:
++              case GLINK_CMD_OPEN:
+                       ret = qcom_glink_rx_defer(glink, param2);
+                       break;
+-              case RPM_CMD_TX_DATA:
+-              case RPM_CMD_TX_DATA_CONT:
++              case GLINK_CMD_TX_DATA:
++              case GLINK_CMD_TX_DATA_CONT:
+                       ret = qcom_glink_rx_data(glink, avail);
+                       break;
+-              case RPM_CMD_READ_NOTIF:
++              case GLINK_CMD_READ_NOTIF:
+                       qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+ 
+                       mbox_send_message(glink->mbox_chan, NULL);
+                       mbox_client_txdone(glink->mbox_chan, 0);
+                       break;
+-              case RPM_CMD_INTENT:
++              case GLINK_CMD_INTENT:
+                       qcom_glink_handle_intent(glink, param1, param2, avail);
+                       break;
+-              case RPM_CMD_RX_DONE:
++              case GLINK_CMD_RX_DONE:
+                       qcom_glink_handle_rx_done(glink, param1, param2, false);
+                       qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+                       break;
+-              case RPM_CMD_RX_DONE_W_REUSE:
++              case GLINK_CMD_RX_DONE_W_REUSE:
+                       qcom_glink_handle_rx_done(glink, param1, param2, true);
+                       qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+                       break;
+-              case RPM_CMD_RX_INTENT_REQ_ACK:
++              case GLINK_CMD_RX_INTENT_REQ_ACK:
+                       qcom_glink_handle_intent_req_ack(glink, param1, param2);
+                       qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+                       break;
+@@ -1271,7 +1271,7 @@ static int qcom_glink_request_intent(struct qcom_glink *glink,
+ 
+       reinit_completion(&channel->intent_req_comp);
+ 
+-      cmd.id = RPM_CMD_RX_INTENT_REQ;
++      cmd.id = GLINK_CMD_RX_INTENT_REQ;
+       cmd.cid = channel->lcid;
+       cmd.size = size;
+ 
+@@ -1345,7 +1345,7 @@ static int __qcom_glink_send(struct glink_channel *channel,
+               chunk_size = SZ_8K;
+               left_size = len - chunk_size;
+       }
+-      req.msg.cmd = cpu_to_le16(RPM_CMD_TX_DATA);
++      req.msg.cmd = cpu_to_le16(GLINK_CMD_TX_DATA);
+       req.msg.param1 = cpu_to_le16(channel->lcid);
+       req.msg.param2 = cpu_to_le32(iid);
+       req.chunk_size = cpu_to_le32(chunk_size);
+@@ -1366,7 +1366,7 @@ static int __qcom_glink_send(struct glink_channel *channel,
+                       chunk_size = SZ_8K;
+               left_size -= chunk_size;
+ 
+-              req.msg.cmd = cpu_to_le16(RPM_CMD_TX_DATA_CONT);
++              req.msg.cmd = cpu_to_le16(GLINK_CMD_TX_DATA_CONT);
+               req.msg.param1 = cpu_to_le16(channel->lcid);
+               req.msg.param2 = cpu_to_le32(iid);
+               req.chunk_size = cpu_to_le32(chunk_size);
+@@ -1605,22 +1605,22 @@ static void qcom_glink_work(struct work_struct *work)
+               param2 = le32_to_cpu(msg->param2);
+ 
+               switch (cmd) {
+-              case RPM_CMD_VERSION:
++              case GLINK_CMD_VERSION:
+                       qcom_glink_receive_version(glink, param1, param2);
+                       break;
+-              case RPM_CMD_VERSION_ACK:
++              case GLINK_CMD_VERSION_ACK:
+                       qcom_glink_receive_version_ack(glink, param1, param2);
+                       break;
+-              case RPM_CMD_OPEN:
++              case GLINK_CMD_OPEN:
+                       qcom_glink_rx_open(glink, param1, msg->data);
+                       break;
+-              case RPM_CMD_CLOSE:
++              case GLINK_CMD_CLOSE:
+                       qcom_glink_rx_close(glink, param1);
+                       break;
+-              case RPM_CMD_CLOSE_ACK:
++              case GLINK_CMD_CLOSE_ACK:
+                       qcom_glink_rx_close_ack(glink, param1);
+                       break;
+-              case RPM_CMD_RX_INTENT_REQ:
++              case GLINK_CMD_RX_INTENT_REQ:
+                       qcom_glink_handle_intent_req(glink, param1, param2);
+                       break;
+               default:
+-- 
+2.43.0
+

diff --git a/queue-4.19/rpmsg-glink-send-read_notify-command-in-fifo-full-ca.patch b/queue-4.19/rpmsg-glink-send-read_notify-command-in-fifo-full-ca.patch
new file mode 100644 (file)
index 0000000..3c9e201
--- /dev/null
+++ b/queue-4.19/rpmsg-glink-send-read_notify-command-in-fifo-full-ca.patch
@@ -0,0 +1,123 @@
+From dc3fc3e6e06efe794e6429da93217a29b68b4165 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 10:48:16 +0530
+Subject: rpmsg: glink: Send READ_NOTIFY command in FIFO full case
+
+From: Arun Kumar Neelakantam <aneela@codeaurora.org>
+
+[ Upstream commit b16a37e1846c9573a847a56fa2f31ba833dae45a ]
+
+The current design sleeps unconditionally in TX FIFO full case and
+wakeup only after sleep timer expires which adds random delays in
+clients TX path.
+
+Avoid sleep and use READ_NOTIFY command so that writer can be woken up
+when remote notifies about read completion by sending IRQ.
+
+Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
+Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/1596086296-28529-7-git-send-email-deesin@codeaurora.org
+Stable-dep-of: 06c59d97f63c ("rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 36 ++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 5a3ed96af87b8..3db5beb338cd3 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -92,6 +92,8 @@ struct glink_core_rx_intent {
+  * @rcids:    idr of all channels with a known remote channel id
+  * @features: remote features
+  * @intentless:       flag to indicate that there is no intent
++ * @tx_avail_notify: Waitqueue for pending tx tasks
++ * @sent_read_notify: flag to check cmd sent or not
+  */
+ struct qcom_glink {
+       struct device *dev;
+@@ -118,6 +120,8 @@ struct qcom_glink {
+       unsigned long features;
+ 
+       bool intentless;
++      wait_queue_head_t tx_avail_notify;
++      bool sent_read_notify;
+ };
+ 
+ enum {
+@@ -305,6 +309,20 @@ static void qcom_glink_tx_write(struct qcom_glink *glink,
+       glink->tx_pipe->write(glink->tx_pipe, hdr, hlen, data, dlen);
+ }
+ 
++static void qcom_glink_send_read_notify(struct qcom_glink *glink)
++{
++      struct glink_msg msg;
++
++      msg.cmd = cpu_to_le16(RPM_CMD_READ_NOTIF);
++      msg.param1 = 0;
++      msg.param2 = 0;
++
++      qcom_glink_tx_write(glink, &msg, sizeof(msg), NULL, 0);
++
++      mbox_send_message(glink->mbox_chan, NULL);
++      mbox_client_txdone(glink->mbox_chan, 0);
++}
++
+ static int qcom_glink_tx(struct qcom_glink *glink,
+                        const void *hdr, size_t hlen,
+                        const void *data, size_t dlen, bool wait)
+@@ -325,12 +343,21 @@ static int qcom_glink_tx(struct qcom_glink *glink,
+                       goto out;
+               }
+ 
++              if (!glink->sent_read_notify) {
++                      glink->sent_read_notify = true;
++                      qcom_glink_send_read_notify(glink);
++              }
++
+               /* Wait without holding the tx_lock */
+               spin_unlock_irqrestore(&glink->tx_lock, flags);
+ 
+-              usleep_range(10000, 15000);
++              wait_event_timeout(glink->tx_avail_notify,
++                                 qcom_glink_tx_avail(glink) >= tlen, 10 * HZ);
+ 
+               spin_lock_irqsave(&glink->tx_lock, flags);
++
++              if (qcom_glink_tx_avail(glink) >= tlen)
++                      glink->sent_read_notify = false;
+       }
+ 
+       qcom_glink_tx_write(glink, hdr, hlen, data, dlen);
+@@ -991,6 +1018,9 @@ static irqreturn_t qcom_glink_native_intr(int irq, void *data)
+       unsigned int cmd;
+       int ret = 0;
+ 
++      /* To wakeup any blocking writers */
++      wake_up_all(&glink->tx_avail_notify);
++
+       for (;;) {
+               avail = qcom_glink_rx_avail(glink);
+               if (avail < sizeof(msg))
+@@ -1530,6 +1560,9 @@ static void qcom_glink_rx_close_ack(struct qcom_glink *glink, unsigned int lcid)
+       struct glink_channel *channel;
+       unsigned long flags;
+ 
++      /* To wakeup any blocking writers */
++      wake_up_all(&glink->tx_avail_notify);
++
+       spin_lock_irqsave(&glink->idr_lock, flags);
+       channel = idr_find(&glink->lcids, lcid);
+       if (WARN(!channel, "close ack on unknown channel\n")) {
+@@ -1636,6 +1669,7 @@ struct qcom_glink *qcom_glink_native_probe(struct device *dev,
+       spin_lock_init(&glink->rx_lock);
+       INIT_LIST_HEAD(&glink->rx_queue);
+       INIT_WORK(&glink->rx_work, qcom_glink_work);
++      init_waitqueue_head(&glink->tx_avail_notify);
+ 
+       spin_lock_init(&glink->idr_lock);
+       idr_init(&glink->lcids);
+-- 
+2.43.0
+

diff --git a/queue-4.19/rpmsg-glink-use-only-lower-16-bits-of-param2-for-cmd.patch b/queue-4.19/rpmsg-glink-use-only-lower-16-bits-of-param2-for-cmd.patch
new file mode 100644 (file)
index 0000000..28c65bf
--- /dev/null
+++ b/queue-4.19/rpmsg-glink-use-only-lower-16-bits-of-param2-for-cmd.patch
@@ -0,0 +1,44 @@
+From dd186f3d9318e05f0d332ccb3f3481852baad345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 19:59:35 -0400
+Subject: rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name
+ length
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 06c59d97f63c1b8af521fa5aef8a716fb988b285 ]
+
+The name len field of the CMD_OPEN packet is only 16-bits and the upper
+16-bits of "param2" are a different "prio" field, which can be nonzero in
+certain situations, and CMD_OPEN packets can be unexpectedly dropped
+because of this.
+
+Fix this by masking out the upper 16 bits of param2.
+
+Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241007235935.6216-1-jonathan@marek.ca
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index d283d876d39ce..233975267f73c 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -1045,7 +1045,8 @@ static irqreturn_t qcom_glink_native_intr(int irq, void *data)
+                       qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+                       break;
+               case GLINK_CMD_OPEN:
+-                      ret = qcom_glink_rx_defer(glink, param2);
++                      /* upper 16 bits of param2 are the "prio" field */
++                      ret = qcom_glink_rx_defer(glink, param2 & 0xffff);
+                       break;
+               case GLINK_CMD_TX_DATA:
+               case GLINK_CMD_TX_DATA_CONT:
+-- 
+2.43.0
+

diff --git a/queue-4.19/s390-syscalls-avoid-creation-of-arch-arch-directory.patch b/queue-4.19/s390-syscalls-avoid-creation-of-arch-arch-directory.patch
new file mode 100644 (file)
index 0000000..7cddce8
--- /dev/null
+++ b/queue-4.19/s390-syscalls-avoid-creation-of-arch-arch-directory.patch
@@ -0,0 +1,54 @@
+From 24b09dfada5a4fa0490fe706d43b7866cac9098c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2024 22:45:52 +0900
+Subject: s390/syscalls: Avoid creation of arch/arch/ directory
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 0708967e2d56e370231fd07defa0d69f9ad125e8 ]
+
+Building the kernel with ARCH=s390 creates a weird arch/arch/ directory.
+
+  $ find arch/arch
+  arch/arch
+  arch/arch/s390
+  arch/arch/s390/include
+  arch/arch/s390/include/generated
+  arch/arch/s390/include/generated/asm
+  arch/arch/s390/include/generated/uapi
+  arch/arch/s390/include/generated/uapi/asm
+
+The root cause is 'targets' in arch/s390/kernel/syscalls/Makefile,
+where the relative path is incorrect.
+
+Strictly speaking, 'targets' was not necessary in the first place
+because this Makefile uses 'filechk' instead of 'if_changed'.
+
+However, this commit keeps it, as it will be useful when converting
+'filechk' to 'if_changed' later.
+
+Fixes: 5c75824d915e ("s390/syscalls: add Makefile to generate system call header files")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20241111134603.2063226-1-masahiroy@kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/syscalls/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/syscalls/Makefile b/arch/s390/kernel/syscalls/Makefile
+index 4d929edc80a62..b801966c94e92 100644
+--- a/arch/s390/kernel/syscalls/Makefile
++++ b/arch/s390/kernel/syscalls/Makefile
+@@ -12,7 +12,7 @@ kapi-hdrs-y := $(kapi)/unistd_nr.h
+ uapi-hdrs-y := $(uapi)/unistd_32.h
+ uapi-hdrs-y += $(uapi)/unistd_64.h
+ 
+-targets += $(addprefix ../../../,$(gen-y) $(kapi-hdrs-y) $(uapi-hdrs-y))
++targets += $(addprefix ../../../../,$(gen-y) $(kapi-hdrs-y) $(uapi-hdrs-y))
+ 
+ PHONY += kapi uapi
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/scsi-bfa-fix-use-after-free-in-bfad_im_module_exit.patch b/queue-4.19/scsi-bfa-fix-use-after-free-in-bfad_im_module_exit.patch
new file mode 100644 (file)
index 0000000..3940651
--- /dev/null
+++ b/queue-4.19/scsi-bfa-fix-use-after-free-in-bfad_im_module_exit.patch
@@ -0,0 +1,109 @@
+From c26e2be4d3b6e0d1f37204c075e96bb2e291f1c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2024 09:18:09 +0800
+Subject: scsi: bfa: Fix use-after-free in bfad_im_module_exit()
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 178b8f38932d635e90f5f0e9af1986c6f4a89271 ]
+
+BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20
+Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303
+
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x95/0xe0
+ print_report+0xcb/0x620
+ kasan_report+0xbd/0xf0
+ __lock_acquire+0x2aca/0x3a20
+ lock_acquire+0x19b/0x520
+ _raw_spin_lock+0x2b/0x40
+ attribute_container_unregister+0x30/0x160
+ fc_release_transport+0x19/0x90 [scsi_transport_fc]
+ bfad_im_module_exit+0x23/0x60 [bfa]
+ bfad_init+0xdb/0xff0 [bfa]
+ do_one_initcall+0xdc/0x550
+ do_init_module+0x22d/0x6b0
+ load_module+0x4e96/0x5ff0
+ init_module_from_file+0xcd/0x130
+ idempotent_init_module+0x330/0x620
+ __x64_sys_finit_module+0xb3/0x110
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Allocated by task 25303:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0x7f/0x90
+ fc_attach_transport+0x4f/0x4740 [scsi_transport_fc]
+ bfad_im_module_init+0x17/0x80 [bfa]
+ bfad_init+0x23/0xff0 [bfa]
+ do_one_initcall+0xdc/0x550
+ do_init_module+0x22d/0x6b0
+ load_module+0x4e96/0x5ff0
+ init_module_from_file+0xcd/0x130
+ idempotent_init_module+0x330/0x620
+ __x64_sys_finit_module+0xb3/0x110
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 25303:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x60
+ __kasan_slab_free+0x38/0x50
+ kfree+0x212/0x480
+ bfad_im_module_init+0x7e/0x80 [bfa]
+ bfad_init+0x23/0xff0 [bfa]
+ do_one_initcall+0xdc/0x550
+ do_init_module+0x22d/0x6b0
+ load_module+0x4e96/0x5ff0
+ init_module_from_file+0xcd/0x130
+ idempotent_init_module+0x330/0x620
+ __x64_sys_finit_module+0xb3/0x110
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Above issue happens as follows:
+
+bfad_init
+  error = bfad_im_module_init()
+    fc_release_transport(bfad_im_scsi_transport_template);
+  if (error)
+    goto ext;
+
+ext:
+  bfad_im_module_exit();
+    fc_release_transport(bfad_im_scsi_transport_template);
+    --> Trigger double release
+
+Don't call bfad_im_module_exit() if bfad_im_module_init() failed.
+
+Fixes: 7725ccfda597 ("[SCSI] bfa: Brocade BFA FC SCSI driver")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Link: https://lore.kernel.org/r/20241023011809.63466-1-yebin@huaweicloud.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfad.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/bfa/bfad.c b/drivers/scsi/bfa/bfad.c
+index bd7e6a6fc1f18..7a2a9b05ed091 100644
+--- a/drivers/scsi/bfa/bfad.c
++++ b/drivers/scsi/bfa/bfad.c
+@@ -1711,9 +1711,8 @@ bfad_init(void)
+ 
+       error = bfad_im_module_init();
+       if (error) {
+-              error = -ENOMEM;
+               printk(KERN_WARNING "bfad_im_module_init failure\n");
+-              goto ext;
++              return -ENOMEM;
+       }
+ 
+       if (strcmp(FCPI_NAME, " fcpim") == 0)
+-- 
+2.43.0
+

diff --git a/queue-4.19/scsi-fusion-remove-unused-variable-rc.patch b/queue-4.19/scsi-fusion-remove-unused-variable-rc.patch
new file mode 100644 (file)
index 0000000..db1bd7f
--- /dev/null
+++ b/queue-4.19/scsi-fusion-remove-unused-variable-rc.patch
@@ -0,0 +1,46 @@
+From 1ba38e216bdd0b0116933d0258382b2a825fe368 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 16:44:17 +0800
+Subject: scsi: fusion: Remove unused variable 'rc'
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit bd65694223f7ad11c790ab63ad1af87a771192ee ]
+
+The return value of scsi_device_reprobe() is currently ignored in
+_scsih_reprobe_lun(). Fixing the calling code to deal with the potential
+error is non-trivial, so for now just WARN_ON().
+
+The handling of scsi_device_reprobe()'s return value refers to
+_scsih_reprobe_lun() and the following link:
+
+https://lore.kernel.org/all/094fdbf57487af4f395238c0525b2a560c8f68f0.1469766027.git.calvinowens@fb.com/
+
+Fixes: f99be43b3024 ("[SCSI] fusion: power pc and miscellaneous bug fixs")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20241024084417.154655-1-zengheng4@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/message/fusion/mptsas.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
+index b8cf2658649ee..7c8924dff17ff 100644
+--- a/drivers/message/fusion/mptsas.c
++++ b/drivers/message/fusion/mptsas.c
+@@ -4206,10 +4206,8 @@ mptsas_find_phyinfo_by_phys_disk_num(MPT_ADAPTER *ioc, u8 phys_disk_num,
+ static void
+ mptsas_reprobe_lun(struct scsi_device *sdev, void *data)
+ {
+-      int rc;
+-
+       sdev->no_uld_attach = data ? 1 : 0;
+-      rc = scsi_device_reprobe(sdev);
++      WARN_ON(scsi_device_reprobe(sdev));
+ }
+ 
+ static void
+-- 
+2.43.0
+

diff --git a/queue-4.19/scsi-qedi-fix-a-possible-memory-leak-in-qedi_alloc_a.patch b/queue-4.19/scsi-qedi-fix-a-possible-memory-leak-in-qedi_alloc_a.patch
new file mode 100644 (file)
index 0000000..64e0bd2
--- /dev/null
+++ b/queue-4.19/scsi-qedi-fix-a-possible-memory-leak-in-qedi_alloc_a.patch
@@ -0,0 +1,37 @@
+From 194a54941ec3cb80750eca4f5aa93ce596f26af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 20:57:11 +0800
+Subject: scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 95bbdca4999bc59a72ebab01663d421d6ce5775d ]
+
+Hook "qedi_ops->common->sb_init = qed_sb_init" does not release the DMA
+memory sb_virt when it fails. Add dma_free_coherent() to free it. This
+is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().
+
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20241026125711.484-3-thunder.leizhen@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
+index 7a179cfc01ed2..15567e60216ec 100644
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -357,6 +357,7 @@ static int qedi_alloc_and_init_sb(struct qedi_ctx *qedi,
+       ret = qedi_ops->common->sb_init(qedi->cdev, sb_info, sb_virt, sb_phys,
+                                      sb_id, QED_SB_TYPE_STORAGE);
+       if (ret) {
++              dma_free_coherent(&qedi->pdev->dev, sizeof(*sb_virt), sb_virt, sb_phys);
+               QEDI_ERR(&qedi->dbg_ctx,
+                        "Status block initialization failed for id = %d.\n",
+                         sb_id);
+-- 
+2.43.0
+

diff --git a/queue-4.19/series b/queue-4.19/series
index 1a553c0aedfd6a42a132fe5feddd2a66fea5951b..24bedfd211a57e8521c56ddcfaf6e32a93835b16 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -14,3 +14,85 @@ x86-amd_nb-fix-compile-testing-without-config_amd_nb.patch
 net-usb-qmi_wwan-add-quectel-rg650v.patch
 proc-softirqs-replace-seq_printf-with-seq_put_decima.patch
 nvme-fix-metadata-handling-in-nvme-passthrough.patch
+initramfs-avoid-filename-buffer-overrun.patch
+m68k-mvme147-fix-scsi-controller-irq-numbers.patch
+m68k-mvme16x-add-and-use-mvme16x.h.patch
+m68k-mvme147-reinstate-early-console.patch
+acpi-arm64-adjust-error-handling-procedure-in-gtdt_p.patch
+s390-syscalls-avoid-creation-of-arch-arch-directory.patch
+hfsplus-don-t-query-the-device-logical-block-size-mu.patch
+edac-fsl_ddr-fix-bad-bit-shift-operations.patch
+crypto-pcrypt-call-crypto-layer-directly-when-padata.patch
+crypto-cavium-fix-the-if-condition-to-exit-loop-afte.patch
+crypto-bcm-add-error-check-in-the-ahash_hmac_init-fu.patch
+crypto-cavium-fix-an-error-handling-path-in-cpt_ucod.patch
+time-fix-references-to-_msecs_to_jiffies-handling-of.patch
+soc-ti-smartreflex-use-irqf_no_autoen-flag-in-reques.patch
+soc-qcom-geni-se-fix-array-underflow-in-geni_se_clk_.patch
+mmc-mmc_spi-drop-buggy-snprintf.patch
+arm-dts-cubieboard4-fix-dcdc5-regulator-constraints.patch
+regmap-irq-set-lockdep-class-for-hierarchical-irq-do.patch
+firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
+drm-mm-mark-drm_mm_interval_tree-functions-with-__ma.patch
+wifi-ath9k-add-range-check-for-conn_rsp_epid-in-htc_.patch
+drm-omap-fix-locking-in-omap_gem_new_dmabuf.patch
+drm-imx-ipuv3-use-irqf_no_autoen-flag-in-request_irq.patch
+bpf-fix-the-xdp_adjust_tail-sample-prog-issue.patch
+wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
+drm-i915-gtt-enable-full-ppgtt-by-default-everywhere.patch
+drm-fsl-dcu-use-drm_fbdev_generic_setup.patch
+drm-fsl-dcu-drop-drm_gem_prime_export-import.patch
+drm-fsl-dcu-use-gem-cma-object-functions.patch
+drm-fsl-dcu-set-gem-cma-functions-with-drm_gem_cma_d.patch
+drm-fsl-dcu-convert-to-linux-irq-interfaces.patch
+drm-fsl-dcu-enable-pixclk-on-ls1021a.patch
+drm-etnaviv-consolidate-hardware-fence-handling-in-e.patch
+drm-etnaviv-dump-fix-sparse-warnings.patch
+drm-etnaviv-fix-power-register-offset-on-gc300.patch
+drm-etnaviv-hold-gpu-lock-across-perfmon-sampling.patch
+net-rfkill-gpio-add-check-for-clk_enable.patch
+alsa-us122l-use-snd_card_free_when_closed-at-disconn.patch
+alsa-caiaq-use-snd_card_free_when_closed-at-disconne.patch
+alsa-6fire-release-resources-at-card-release.patch
+netpoll-use-rcu_access_pointer-in-netpoll_poll_lock.patch
+trace-trace_event_perf-remove-duplicate-samples-on-t.patch
+powerpc-vdso-flag-vdso64-entry-points-as-functions.patch
+mfd-da9052-spi-change-read-mask-to-write-mask.patch
+cpufreq-loongson2-unregister-platform_driver-on-fail.patch
+mtd-rawnand-atmel-fix-possible-memory-leak.patch
+rdma-bnxt_re-check-cqe-flags-to-know-imm_data-vs-inv.patch
+mfd-rt5033-fix-missing-regmap_del_irq_chip.patch
+scsi-bfa-fix-use-after-free-in-bfad_im_module_exit.patch
+scsi-fusion-remove-unused-variable-rc.patch
+scsi-qedi-fix-a-possible-memory-leak-in-qedi_alloc_a.patch
+ocfs2-fix-uninitialized-value-in-ocfs2_file_read_ite.patch
+powerpc-sstep-make-emulate_vsx_load-and-emulate_vsx_.patch
+fbdev-sh7760fb-alloc-dma-memory-from-hardware-device.patch
+fbdev-sh7760fb-fix-a-possible-memory-leak-in-sh7760f.patch
+dt-bindings-clock-adi-axi-clkgen-convert-old-binding.patch
+dt-bindings-clock-axi-clkgen-include-axi-clk.patch
+clk-axi-clkgen-use-devm_platform_ioremap_resource-sh.patch
+clk-clk-axi-clkgen-make-sure-to-enable-the-axi-bus-c.patch
+perf-probe-correct-demangled-symbols-in-c-program.patch
+pci-cpqphp-use-pci_possible_error-to-check-config-re.patch
+pci-cpqphp-fix-pcibios_-return-value-confusion.patch
+m68k-mcfgpio-fix-incorrect-register-offset-for-confi.patch
+m68k-coldfire-device.c-only-build-fec-when-hw-macros.patch
+rpmsg-glink-add-tx_data_cont-command-while-sending.patch
+rpmsg-glink-send-read_notify-command-in-fifo-full-ca.patch
+rpmsg-glink-fix-glink-command-prefix.patch
+rpmsg-glink-use-only-lower-16-bits-of-param2-for-cmd.patch
+nfsd-prevent-null-dereference-in-nfsd4_process_cb_up.patch
+nfsd-cap-the-number-of-bytes-copied-by-nfs4_reset_re.patch
+vfio-pci-properly-hide-first-in-list-pcie-extended-c.patch
+power-supply-core-remove-might_sleep-from-power_supp.patch
+net-usb-lan78xx-fix-memory-leak-on-device-unplug-by-.patch
+tg3-set-coherent-dma-mask-bits-to-31-for-bcm57766-ch.patch
+net-usb-lan78xx-fix-refcounting-and-autosuspend-on-i.patch
+marvell-pxa168_eth-fix-call-balance-of-pep-clk-handl.patch
+net-stmmac-dwmac-socfpga-set-rx-watchdog-interrupt-a.patch
+usb-using-mutex-lock-and-supporting-o_nonblock-flag-.patch
+usb-chaoskey-fail-open-after-removal.patch
+usb-chaoskey-fix-possible-deadlock-chaoskey_list_loc.patch
+misc-apds990x-fix-missing-pm_runtime_disable.patch
+apparmor-fix-do-simple-duplicate-message-elimination.patch

diff --git a/queue-4.19/soc-qcom-geni-se-fix-array-underflow-in-geni_se_clk_.patch b/queue-4.19/soc-qcom-geni-se-fix-array-underflow-in-geni_se_clk_.patch
new file mode 100644 (file)
index 0000000..8cb2644
--- /dev/null
+++ b/queue-4.19/soc-qcom-geni-se-fix-array-underflow-in-geni_se_clk_.patch
@@ -0,0 +1,40 @@
+From 6951f915fc8dad7ad6003adf666167537e9bd9b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 10:51:31 +0300
+Subject: soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 78261cb08f06c93d362cab5c5034bf5899bc7552 ]
+
+This loop is supposed to break if the frequency returned from
+clk_round_rate() is the same as on the previous iteration.  However,
+that check doesn't make sense on the first iteration through the loop.
+It leads to reading before the start of these->clk_perf_tbl[] array.
+
+Fixes: eddac5af0654 ("soc: qcom: Add GENI based QUP Wrapper driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/8cd12678-f44a-4b16-a579-c8f11175ee8c@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/qcom-geni-se.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/qcom-geni-se.c b/drivers/soc/qcom/qcom-geni-se.c
+index 7369b061929bb..4e1c6c5ea9c92 100644
+--- a/drivers/soc/qcom/qcom-geni-se.c
++++ b/drivers/soc/qcom/qcom-geni-se.c
+@@ -542,7 +542,8 @@ int geni_se_clk_tbl_get(struct geni_se *se, unsigned long **tbl)
+ 
+       for (i = 0; i < MAX_CLK_PERF_LEVEL; i++) {
+               freq = clk_round_rate(se->clk, freq + 1);
+-              if (freq <= 0 || freq == se->clk_perf_tbl[i - 1])
++              if (freq <= 0 ||
++                  (i > 0 && freq == se->clk_perf_tbl[i - 1]))
+                       break;
+               se->clk_perf_tbl[i] = freq;
+       }
+-- 
+2.43.0
+

diff --git a/queue-4.19/soc-ti-smartreflex-use-irqf_no_autoen-flag-in-reques.patch b/queue-4.19/soc-ti-smartreflex-use-irqf_no_autoen-flag-in-reques.patch
new file mode 100644 (file)
index 0000000..5b2706d
--- /dev/null
+++ b/queue-4.19/soc-ti-smartreflex-use-irqf_no_autoen-flag-in-reques.patch
@@ -0,0 +1,45 @@
+From 09ee7c1cfe436b0b98ce8d42af6f5512dc5412b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 11:41:47 +0800
+Subject: soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 16a0a69244240cfa32c525c021c40f85e090557a ]
+
+If request_irq() fails in sr_late_init(), there is no need to enable
+the irq, and if it succeeds, disable_irq() after request_irq() still has
+a time gap in which interrupts can come.
+
+request_irq() with IRQF_NO_AUTOEN flag will disable IRQ auto-enable when
+request IRQ.
+
+Fixes: 1279ba5916f6 ("OMAP3+: SR: disable interrupt by default")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20240912034147.3014213-1-ruanjinjie@huawei.com
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/avs/smartreflex.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/avs/smartreflex.c b/drivers/power/avs/smartreflex.c
+index 5ac122cd25b8c..015a406d67b8d 100644
+--- a/drivers/power/avs/smartreflex.c
++++ b/drivers/power/avs/smartreflex.c
+@@ -217,10 +217,10 @@ static int sr_late_init(struct omap_sr *sr_info)
+ 
+       if (sr_class->notify && sr_class->notify_flags && sr_info->irq) {
+               ret = devm_request_irq(&sr_info->pdev->dev, sr_info->irq,
+-                                     sr_interrupt, 0, sr_info->name, sr_info);
++                                     sr_interrupt, IRQF_NO_AUTOEN,
++                                     sr_info->name, sr_info);
+               if (ret)
+                       goto error;
+-              disable_irq(sr_info->irq);
+       }
+ 
+       if (pdata && pdata->enable_on_init)
+-- 
+2.43.0
+

diff --git a/queue-4.19/tg3-set-coherent-dma-mask-bits-to-31-for-bcm57766-ch.patch b/queue-4.19/tg3-set-coherent-dma-mask-bits-to-31-for-bcm57766-ch.patch
new file mode 100644 (file)
index 0000000..59494ce
--- /dev/null
+++ b/queue-4.19/tg3-set-coherent-dma-mask-bits-to-31-for-bcm57766-ch.patch
@@ -0,0 +1,61 @@
+From 9ed97e2a4ef5c7090951703a626f22951c223cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 21:57:41 -0800
+Subject: tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
+
+From: Pavan Chebbi <pavan.chebbi@broadcom.com>
+
+[ Upstream commit 614f4d166eeeb9bd709b0ad29552f691c0f45776 ]
+
+The hardware on Broadcom 1G chipsets have a known limitation
+where they cannot handle DMA addresses that cross over 4GB.
+When such an address is encountered, the hardware sets the
+address overflow error bit in the DMA status register and
+triggers a reset.
+
+However, BCM57766 hardware is setting the overflow bit and
+triggering a reset in some cases when there is no actual
+underlying address overflow. The hardware team analyzed the
+issue and concluded that it is happening when the status
+block update has an address with higher (b16 to b31) bits
+as 0xffff following a previous update that had lowest bits
+as 0xffff.
+
+To work around this bug in the BCM57766 hardware, set the
+coherent dma mask from the current 64b to 31b. This will
+ensure that upper bits of the status block DMA address are
+always at most 0x7fff, thus avoiding the improper overflow
+check described above. This work around is intended for only
+status block and ring memories and has no effect on TX and
+RX buffers as they do not require coherent memory.
+
+Fixes: 72f2afb8a685 ("[TG3]: Add DMA address workaround")
+Reported-by: Salam Noureddine <noureddine@arista.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Link: https://patch.msgid.link/20241119055741.147144-1-pavan.chebbi@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index af0186a527a36..d7419c65d9e38 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -17866,6 +17866,9 @@ static int tg3_init_one(struct pci_dev *pdev,
+       } else
+               persist_dma_mask = dma_mask = DMA_BIT_MASK(64);
+ 
++      if (tg3_asic_rev(tp) == ASIC_REV_57766)
++              persist_dma_mask = DMA_BIT_MASK(31);
++
+       /* Configure DMA attributes. */
+       if (dma_mask > DMA_BIT_MASK(32)) {
+               err = pci_set_dma_mask(pdev, dma_mask);
+-- 
+2.43.0
+

diff --git a/queue-4.19/time-fix-references-to-_msecs_to_jiffies-handling-of.patch b/queue-4.19/time-fix-references-to-_msecs_to_jiffies-handling-of.patch
new file mode 100644 (file)
index 0000000..4a9db45
--- /dev/null
+++ b/queue-4.19/time-fix-references-to-_msecs_to_jiffies-handling-of.patch
@@ -0,0 +1,55 @@
+From 412a0738dafd7bc397620588a782b1002dce719d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 13:01:41 +0200
+Subject: time: Fix references to _msecs_to_jiffies() handling of values
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+[ Upstream commit 92b043fd995a63a57aae29ff85a39b6f30cd440c ]
+
+The details about the handling of the "normal" values were moved
+to the _msecs_to_jiffies() helpers in commit ca42aaf0c861 ("time:
+Refactor msecs_to_jiffies"). However, the same commit still mentioned
+__msecs_to_jiffies() in the added documentation.
+
+Thus point to _msecs_to_jiffies() instead.
+
+Fixes: ca42aaf0c861 ("time: Refactor msecs_to_jiffies")
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20241025110141.157205-2-ojeda@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/jiffies.h | 2 +-
+ kernel/time/time.c      | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
+index fa928242567db..add50d10f4102 100644
+--- a/include/linux/jiffies.h
++++ b/include/linux/jiffies.h
+@@ -349,7 +349,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
+  * - all other values are converted to jiffies by either multiplying
+  *   the input value by a factor or dividing it with a factor and
+  *   handling any 32-bit overflows.
+- *   for the details see __msecs_to_jiffies()
++ *   for the details see _msecs_to_jiffies()
+  *
+  * msecs_to_jiffies() checks for the passed in value being a constant
+  * via __builtin_constant_p() allowing gcc to eliminate most of the
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index f7d4fa5ddb9e2..4087cf51142c0 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -576,7 +576,7 @@ EXPORT_SYMBOL(ns_to_timespec64);
+  * - all other values are converted to jiffies by either multiplying
+  *   the input value by a factor or dividing it with a factor and
+  *   handling any 32-bit overflows.
+- *   for the details see __msecs_to_jiffies()
++ *   for the details see _msecs_to_jiffies()
+  *
+  * msecs_to_jiffies() checks for the passed in value being a constant
+  * via __builtin_constant_p() allowing gcc to eliminate most of the
+-- 
+2.43.0
+

diff --git a/queue-4.19/trace-trace_event_perf-remove-duplicate-samples-on-t.patch b/queue-4.19/trace-trace_event_perf-remove-duplicate-samples-on-t.patch
new file mode 100644 (file)
index 0000000..75fa723
--- /dev/null
+++ b/queue-4.19/trace-trace_event_perf-remove-duplicate-samples-on-t.patch
@@ -0,0 +1,83 @@
+From e5cfc4af95550e65753e227b406ab0a5b930fcc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 03:13:47 +0100
+Subject: trace/trace_event_perf: remove duplicate samples on the first
+ tracepoint event
+
+From: Levi Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit afe5960dc208fe069ddaaeb0994d857b24ac19d1 ]
+
+When a tracepoint event is created with attr.freq = 1,
+'hwc->period_left' is not initialized correctly. As a result,
+in the perf_swevent_overflow() function, when the first time the event occurs,
+it calculates the event overflow and the perf_swevent_set_period() returns 3,
+this leads to the event are recorded for three duplicate times.
+
+Step to reproduce:
+    1. Enable the tracepoint event & starting tracing
+         $ echo 1 > /sys/kernel/tracing/events/module/module_free
+         $ echo 1 > /sys/kernel/tracing/tracing_on
+
+    2. Record with perf
+         $ perf record -a --strict-freq -F 1 -e "module:module_free"
+
+    3. Trigger module_free event.
+         $ modprobe -i sunrpc
+         $ modprobe -r sunrpc
+
+Result:
+     - Trace pipe result:
+         $ cat trace_pipe
+         modprobe-174509  [003] .....  6504.868896: module_free: sunrpc
+
+     - perf sample:
+         modprobe  174509 [003]  6504.868980: module:module_free: sunrpc
+         modprobe  174509 [003]  6504.868980: module:module_free: sunrpc
+         modprobe  174509 [003]  6504.868980: module:module_free: sunrpc
+
+By setting period_left via perf_swevent_set_period() as other sw_event did,
+This problem could be solved.
+
+After patch:
+     - Trace pipe result:
+         $ cat trace_pipe
+         modprobe 1153096 [068] 613468.867774: module:module_free: xfs
+
+     - perf sample
+         modprobe 1153096 [068] 613468.867794: module:module_free: xfs
+
+Link: https://lore.kernel.org/20240913021347.595330-1-yeoreum.yun@arm.com
+Fixes: bd2b5b12849a ("perf_counter: More aggressive frequency adjustment")
+Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_event_perf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c
+index 5e68447588b7c..22cce5dc0e287 100644
+--- a/kernel/trace/trace_event_perf.c
++++ b/kernel/trace/trace_event_perf.c
+@@ -349,10 +349,16 @@ void perf_uprobe_destroy(struct perf_event *p_event)
+ int perf_trace_add(struct perf_event *p_event, int flags)
+ {
+       struct trace_event_call *tp_event = p_event->tp_event;
++      struct hw_perf_event *hwc = &p_event->hw;
+ 
+       if (!(flags & PERF_EF_START))
+               p_event->hw.state = PERF_HES_STOPPED;
+ 
++      if (is_sampling_event(p_event)) {
++              hwc->last_period = hwc->sample_period;
++              perf_swevent_set_period(p_event);
++      }
++
+       /*
+        * If TRACE_REG_PERF_ADD returns false; no custom action was performed
+        * and we need to take the default action of enqueueing our event on
+-- 
+2.43.0
+

diff --git a/queue-4.19/usb-chaoskey-fail-open-after-removal.patch b/queue-4.19/usb-chaoskey-fail-open-after-removal.patch
new file mode 100644 (file)
index 0000000..4093719
--- /dev/null
+++ b/queue-4.19/usb-chaoskey-fail-open-after-removal.patch
@@ -0,0 +1,146 @@
+From 133717afc60116870920a2b71dd6dcf13b49572c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 15:21:41 +0200
+Subject: USB: chaoskey: fail open after removal
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 422dc0a4d12d0b80dd3aab3fe5943f665ba8f041 ]
+
+chaoskey_open() takes the lock only to increase the
+counter of openings. That means that the mutual exclusion
+with chaoskey_disconnect() cannot prevent an increase
+of the counter and chaoskey_open() returning a success.
+
+If that race is hit, chaoskey_disconnect() will happily
+free all resources associated with the device after
+it has dropped the lock, as it has read the counter
+as zero.
+
+To prevent this race chaoskey_open() has to check
+the presence of the device under the lock.
+However, the current per device lock cannot be used,
+because it is a part of the data structure to be
+freed. Hence an additional global mutex is needed.
+The issue is as old as the driver.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+422188bce66e76020e55@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422188bce66e76020e55
+Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
+Rule: add
+Link: https://lore.kernel.org/stable/20241002132201.552578-1-oneukum%40suse.com
+Link: https://lore.kernel.org/r/20241002132201.552578-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/chaoskey.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c
+index 87067c3d6109b..32fa7fd50c380 100644
+--- a/drivers/usb/misc/chaoskey.c
++++ b/drivers/usb/misc/chaoskey.c
+@@ -27,6 +27,8 @@ static struct usb_class_driver chaoskey_class;
+ static int chaoskey_rng_read(struct hwrng *rng, void *data,
+                            size_t max, bool wait);
+ 
++static DEFINE_MUTEX(chaoskey_list_lock);
++
+ #define usb_dbg(usb_if, format, arg...) \
+       dev_dbg(&(usb_if)->dev, format, ## arg)
+ 
+@@ -231,6 +233,7 @@ static void chaoskey_disconnect(struct usb_interface *interface)
+       if (dev->hwrng_registered)
+               hwrng_unregister(&dev->hwrng);
+ 
++      mutex_lock(&chaoskey_list_lock);
+       usb_deregister_dev(interface, &chaoskey_class);
+ 
+       usb_set_intfdata(interface, NULL);
+@@ -245,6 +248,7 @@ static void chaoskey_disconnect(struct usb_interface *interface)
+       } else
+               mutex_unlock(&dev->lock);
+ 
++      mutex_unlock(&chaoskey_list_lock);
+       usb_dbg(interface, "disconnect done");
+ }
+ 
+@@ -252,6 +256,7 @@ static int chaoskey_open(struct inode *inode, struct file *file)
+ {
+       struct chaoskey *dev;
+       struct usb_interface *interface;
++      int rv = 0;
+ 
+       /* get the interface from minor number and driver information */
+       interface = usb_find_interface(&chaoskey_driver, iminor(inode));
+@@ -267,18 +272,23 @@ static int chaoskey_open(struct inode *inode, struct file *file)
+       }
+ 
+       file->private_data = dev;
++      mutex_lock(&chaoskey_list_lock);
+       mutex_lock(&dev->lock);
+-      ++dev->open;
++      if (dev->present)
++              ++dev->open;
++      else
++              rv = -ENODEV;
+       mutex_unlock(&dev->lock);
++      mutex_unlock(&chaoskey_list_lock);
+ 
+-      usb_dbg(interface, "open success");
+-      return 0;
++      return rv;
+ }
+ 
+ static int chaoskey_release(struct inode *inode, struct file *file)
+ {
+       struct chaoskey *dev = file->private_data;
+       struct usb_interface *interface;
++      int rv = 0;
+ 
+       if (dev == NULL)
+               return -ENODEV;
+@@ -287,14 +297,15 @@ static int chaoskey_release(struct inode *inode, struct file *file)
+ 
+       usb_dbg(interface, "release");
+ 
++      mutex_lock(&chaoskey_list_lock);
+       mutex_lock(&dev->lock);
+ 
+       usb_dbg(interface, "open count at release is %d", dev->open);
+ 
+       if (dev->open <= 0) {
+               usb_dbg(interface, "invalid open count (%d)", dev->open);
+-              mutex_unlock(&dev->lock);
+-              return -ENODEV;
++              rv = -ENODEV;
++              goto bail;
+       }
+ 
+       --dev->open;
+@@ -303,13 +314,15 @@ static int chaoskey_release(struct inode *inode, struct file *file)
+               if (dev->open == 0) {
+                       mutex_unlock(&dev->lock);
+                       chaoskey_free(dev);
+-              } else
+-                      mutex_unlock(&dev->lock);
+-      } else
+-              mutex_unlock(&dev->lock);
+-
++                      goto destruction;
++              }
++      }
++bail:
++      mutex_unlock(&dev->lock);
++destruction:
++      mutex_lock(&chaoskey_list_lock);
+       usb_dbg(interface, "release success");
+-      return 0;
++      return rv;
+ }
+ 
+ static void chaos_read_callback(struct urb *urb)
+-- 
+2.43.0
+

diff --git a/queue-4.19/usb-chaoskey-fix-possible-deadlock-chaoskey_list_loc.patch b/queue-4.19/usb-chaoskey-fix-possible-deadlock-chaoskey_list_loc.patch
new file mode 100644 (file)
index 0000000..3d7dbbe
--- /dev/null
+++ b/queue-4.19/usb-chaoskey-fix-possible-deadlock-chaoskey_list_loc.patch
@@ -0,0 +1,154 @@
+From 03e19a37bce4bd05a18100ea1fe4af5636a8aaf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 22:52:07 +0800
+Subject: USB: chaoskey: Fix possible deadlock chaoskey_list_lock
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit d73dc7b182be4238b75278bfae16afb4c5564a58 ]
+
+[Syzbot reported two possible deadlocks]
+The first possible deadlock is:
+WARNING: possible recursive locking detected
+6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted
+--------------------------------------------
+syz-executor363/2651 is trying to acquire lock:
+ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x15d/0x2c0 drivers/usb/misc/chaoskey.c:322
+
+but task is already holding lock:
+ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x7f/0x2c0 drivers/usb/misc/chaoskey.c:299
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(chaoskey_list_lock);
+  lock(chaoskey_list_lock);
+
+ *** DEADLOCK ***
+
+The second possible deadlock is:
+WARNING: possible circular locking dependency detected
+6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted
+------------------------------------------------------
+kworker/0:2/804 is trying to acquire lock:
+ffffffff899dadb0 (minor_rwsem){++++}-{3:3}, at: usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186
+
+but task is already holding lock:
+ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_disconnect+0xa8/0x2a0 drivers/usb/misc/chaoskey.c:235
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (chaoskey_list_lock){+.+.}-{3:3}:
+       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
+       __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752
+       chaoskey_open+0xdd/0x220 drivers/usb/misc/chaoskey.c:274
+       usb_open+0x186/0x220 drivers/usb/core/file.c:47
+       chrdev_open+0x237/0x6a0 fs/char_dev.c:414
+       do_dentry_open+0x6cb/0x1390 fs/open.c:958
+       vfs_open+0x82/0x3f0 fs/open.c:1088
+       do_open fs/namei.c:3774 [inline]
+       path_openat+0x1e6a/0x2d60 fs/namei.c:3933
+       do_filp_open+0x1dc/0x430 fs/namei.c:3960
+       do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
+       do_sys_open fs/open.c:1430 [inline]
+       __do_sys_openat fs/open.c:1446 [inline]
+       __se_sys_openat fs/open.c:1441 [inline]
+       __x64_sys_openat+0x175/0x210 fs/open.c:1441
+       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+       do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+       entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+-> #0 (minor_rwsem){++++}-{3:3}:
+       check_prev_add kernel/locking/lockdep.c:3161 [inline]
+       check_prevs_add kernel/locking/lockdep.c:3280 [inline]
+       validate_chain kernel/locking/lockdep.c:3904 [inline]
+       __lock_acquire+0x250b/0x3ce0 kernel/locking/lockdep.c:5202
+       lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
+       down_write+0x93/0x200 kernel/locking/rwsem.c:1577
+       usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186
+       chaoskey_disconnect+0xb7/0x2a0 drivers/usb/misc/chaoskey.c:236
+       usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
+       device_remove drivers/base/dd.c:569 [inline]
+       device_remove+0x122/0x170 drivers/base/dd.c:561
+       __device_release_driver drivers/base/dd.c:1273 [inline]
+       device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
+       bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
+       device_del+0x396/0x9f0 drivers/base/core.c:3864
+       usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
+       usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
+       hub_port_connect drivers/usb/core/hub.c:5361 [inline]
+       hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
+       port_event drivers/usb/core/hub.c:5821 [inline]
+       hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5903
+       process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
+       process_scheduled_works kernel/workqueue.c:3310 [inline]
+       worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
+       kthread+0x2c1/0x3a0 kernel/kthread.c:389
+       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(chaoskey_list_lock);
+                               lock(minor_rwsem);
+                               lock(chaoskey_list_lock);
+  lock(minor_rwsem);
+
+ *** DEADLOCK ***
+[Analysis]
+The first is AA lock, it because wrong logic, it need a unlock.
+The second is AB lock, it needs to rearrange the order of lock usage.
+
+Fixes: 422dc0a4d12d ("USB: chaoskey: fail open after removal")
+Reported-by: syzbot+685e14d04fe35692d3bc@syzkaller.appspotmail.com
+Reported-by: syzbot+1f8ca5ee82576ec01f12@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=685e14d04fe35692d3bc
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Tested-by: syzbot+685e14d04fe35692d3bc@syzkaller.appspotmail.com
+Reported-by: syzbot+5f1ce62e956b7b19610e@syzkaller.appspotmail.com
+Tested-by: syzbot+5f1ce62e956b7b19610e@syzkaller.appspotmail.com
+Tested-by: syzbot+1f8ca5ee82576ec01f12@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/tencent_84EB865C89862EC22EE94CB3A7C706C59206@qq.com
+Cc: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/chaoskey.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c
+index 32fa7fd50c380..d99d424c05a7a 100644
+--- a/drivers/usb/misc/chaoskey.c
++++ b/drivers/usb/misc/chaoskey.c
+@@ -233,10 +233,10 @@ static void chaoskey_disconnect(struct usb_interface *interface)
+       if (dev->hwrng_registered)
+               hwrng_unregister(&dev->hwrng);
+ 
+-      mutex_lock(&chaoskey_list_lock);
+       usb_deregister_dev(interface, &chaoskey_class);
+ 
+       usb_set_intfdata(interface, NULL);
++      mutex_lock(&chaoskey_list_lock);
+       mutex_lock(&dev->lock);
+ 
+       dev->present = false;
+@@ -320,7 +320,7 @@ static int chaoskey_release(struct inode *inode, struct file *file)
+ bail:
+       mutex_unlock(&dev->lock);
+ destruction:
+-      mutex_lock(&chaoskey_list_lock);
++      mutex_unlock(&chaoskey_list_lock);
+       usb_dbg(interface, "release success");
+       return rv;
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/usb-using-mutex-lock-and-supporting-o_nonblock-flag-.patch b/queue-4.19/usb-using-mutex-lock-and-supporting-o_nonblock-flag-.patch
new file mode 100644 (file)
index 0000000..b8a5272
--- /dev/null
+++ b/queue-4.19/usb-using-mutex-lock-and-supporting-o_nonblock-flag-.patch
@@ -0,0 +1,130 @@
+From b7a42762bc73998ab33c4fae8486466f7763d7b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 19:34:03 +0900
+Subject: usb: using mutex lock and supporting O_NONBLOCK flag in
+ iowarrior_read()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit 44feafbaa66ec86232b123bb8437a6a262442025 ]
+
+iowarrior_read() uses the iowarrior dev structure, but does not use any
+lock on the structure. This can cause various bugs including data-races,
+so it is more appropriate to use a mutex lock to safely protect the
+iowarrior dev structure. When using a mutex lock, you should split the
+branch to prevent blocking when the O_NONBLOCK flag is set.
+
+In addition, it is unnecessary to check for NULL on the iowarrior dev
+structure obtained by reading file->private_data. Therefore, it is
+better to remove the check.
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://lore.kernel.org/r/20240919103403.3986-1-aha310510@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/iowarrior.c | 46 ++++++++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index 8b04d27059203..44a70e0334680 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -281,28 +281,45 @@ static ssize_t iowarrior_read(struct file *file, char __user *buffer,
+       struct iowarrior *dev;
+       int read_idx;
+       int offset;
++      int retval;
+ 
+       dev = file->private_data;
+ 
++      if (file->f_flags & O_NONBLOCK) {
++              retval = mutex_trylock(&dev->mutex);
++              if (!retval)
++                      return -EAGAIN;
++      } else {
++              retval = mutex_lock_interruptible(&dev->mutex);
++              if (retval)
++                      return -ERESTARTSYS;
++      }
++
+       /* verify that the device wasn't unplugged */
+-      if (!dev || !dev->present)
+-              return -ENODEV;
++      if (!dev->present) {
++              retval = -ENODEV;
++              goto exit;
++      }
+ 
+       dev_dbg(&dev->interface->dev, "minor %d, count = %zd\n",
+               dev->minor, count);
+ 
+       /* read count must be packet size (+ time stamp) */
+       if ((count != dev->report_size)
+-          && (count != (dev->report_size + 1)))
+-              return -EINVAL;
++          && (count != (dev->report_size + 1))) {
++              retval = -EINVAL;
++              goto exit;
++      }
+ 
+       /* repeat until no buffer overrun in callback handler occur */
+       do {
+               atomic_set(&dev->overflow_flag, 0);
+               if ((read_idx = read_index(dev)) == -1) {
+                       /* queue empty */
+-                      if (file->f_flags & O_NONBLOCK)
+-                              return -EAGAIN;
++                      if (file->f_flags & O_NONBLOCK) {
++                              retval = -EAGAIN;
++                              goto exit;
++                      }
+                       else {
+                               //next line will return when there is either new data, or the device is unplugged
+                               int r = wait_event_interruptible(dev->read_wait,
+@@ -313,28 +330,37 @@ static ssize_t iowarrior_read(struct file *file, char __user *buffer,
+                                                                 -1));
+                               if (r) {
+                                       //we were interrupted by a signal
+-                                      return -ERESTART;
++                                      retval = -ERESTART;
++                                      goto exit;
+                               }
+                               if (!dev->present) {
+                                       //The device was unplugged
+-                                      return -ENODEV;
++                                      retval = -ENODEV;
++                                      goto exit;
+                               }
+                               if (read_idx == -1) {
+                                       // Can this happen ???
+-                                      return 0;
++                                      retval = 0;
++                                      goto exit;
+                               }
+                       }
+               }
+ 
+               offset = read_idx * (dev->report_size + 1);
+               if (copy_to_user(buffer, dev->read_queue + offset, count)) {
+-                      return -EFAULT;
++                      retval = -EFAULT;
++                      goto exit;
+               }
+       } while (atomic_read(&dev->overflow_flag));
+ 
+       read_idx = ++read_idx == MAX_INTERRUPT_BUFFER ? 0 : read_idx;
+       atomic_set(&dev->read_idx, read_idx);
++      mutex_unlock(&dev->mutex);
+       return count;
++
++exit:
++      mutex_unlock(&dev->mutex);
++      return retval;
+ }
+ 
+ /*
+-- 
+2.43.0
+

diff --git a/queue-4.19/vfio-pci-properly-hide-first-in-list-pcie-extended-c.patch b/queue-4.19/vfio-pci-properly-hide-first-in-list-pcie-extended-c.patch
new file mode 100644 (file)
index 0000000..de58c45
--- /dev/null
+++ b/queue-4.19/vfio-pci-properly-hide-first-in-list-pcie-extended-c.patch
@@ -0,0 +1,115 @@
+From 722d687d3c0be27766acf803a1877d6c734c86a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2024 16:27:39 +0200
+Subject: vfio/pci: Properly hide first-in-list PCIe extended capability
+
+From: Avihai Horon <avihaih@nvidia.com>
+
+[ Upstream commit fe4bf8d0b6716a423b16495d55b35d3fe515905d ]
+
+There are cases where a PCIe extended capability should be hidden from
+the user. For example, an unknown capability (i.e., capability with ID
+greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally
+chosen to be hidden from the user.
+
+Hiding a capability is done by virtualizing and modifying the 'Next
+Capability Offset' field of the previous capability so it points to the
+capability after the one that should be hidden.
+
+The special case where the first capability in the list should be hidden
+is handled differently because there is no previous capability that can
+be modified. In this case, the capability ID and version are zeroed
+while leaving the next pointer intact. This hides the capability and
+leaves an anchor for the rest of the capability list.
+
+However, today, hiding the first capability in the list is not done
+properly if the capability is unknown, as struct
+vfio_pci_core_device->pci_config_map is set to the capability ID during
+initialization but the capability ID is not properly checked later when
+used in vfio_config_do_rw(). This leads to the following warning [1] and
+to an out-of-bounds access to ecap_perms array.
+
+Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater
+than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct
+read only access instead of the ecap_perms array.
+
+Note that this is safe since the above is the only case where cap_id can
+exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which
+are already checked before).
+
+[1]
+
+WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
+CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1
+(snip)
+Call Trace:
+ <TASK>
+ ? show_regs+0x69/0x80
+ ? __warn+0x8d/0x140
+ ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
+ ? report_bug+0x18f/0x1a0
+ ? handle_bug+0x63/0xa0
+ ? exc_invalid_op+0x19/0x70
+ ? asm_exc_invalid_op+0x1b/0x20
+ ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
+ ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]
+ vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]
+ vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]
+ vfio_device_fops_read+0x27/0x40 [vfio]
+ vfs_read+0xbd/0x340
+ ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]
+ ? __rseq_handle_notify_resume+0xa4/0x4b0
+ __x64_sys_pread64+0x96/0xc0
+ x64_sys_call+0x1c3d/0x20d0
+ do_syscall_64+0x4d/0x120
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver")
+Signed-off-by: Avihai Horon <avihaih@nvidia.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Tested-by: Yi Liu <yi.l.liu@intel.com>
+Link: https://lore.kernel.org/r/20241124142739.21698-1-avihaih@nvidia.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_config.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index 86e917f1cc211..0f20e2d977d48 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -315,6 +315,10 @@ static int vfio_virt_config_read(struct vfio_pci_device *vdev, int pos,
+       return count;
+ }
+ 
++static struct perm_bits direct_ro_perms = {
++      .readfn = vfio_direct_config_read,
++};
++
+ /* Default capability regions to read-only, no-virtualization */
+ static struct perm_bits cap_perms[PCI_CAP_ID_MAX + 1] = {
+       [0 ... PCI_CAP_ID_MAX] = { .readfn = vfio_direct_config_read }
+@@ -1837,9 +1841,17 @@ static ssize_t vfio_config_do_rw(struct vfio_pci_device *vdev, char __user *buf,
+               cap_start = *ppos;
+       } else {
+               if (*ppos >= PCI_CFG_SPACE_SIZE) {
+-                      WARN_ON(cap_id > PCI_EXT_CAP_ID_MAX);
++                      /*
++                       * We can get a cap_id that exceeds PCI_EXT_CAP_ID_MAX
++                       * if we're hiding an unknown capability at the start
++                       * of the extended capability list.  Use default, ro
++                       * access, which will virtualize the id and next values.
++                       */
++                      if (cap_id > PCI_EXT_CAP_ID_MAX)
++                              perm = &direct_ro_perms;
++                      else
++                              perm = &ecap_perms[cap_id];
+ 
+-                      perm = &ecap_perms[cap_id];
+                       cap_start = vfio_find_cap_start(vdev, *ppos);
+               } else {
+                       WARN_ON(cap_id > PCI_CAP_ID_MAX);
+-- 
+2.43.0
+

diff --git a/queue-4.19/wifi-ath9k-add-range-check-for-conn_rsp_epid-in-htc_.patch b/queue-4.19/wifi-ath9k-add-range-check-for-conn_rsp_epid-in-htc_.patch
new file mode 100644 (file)
index 0000000..856036e
--- /dev/null
+++ b/queue-4.19/wifi-ath9k-add-range-check-for-conn_rsp_epid-in-htc_.patch
@@ -0,0 +1,61 @@
+From 8e6141192ea6cf9bba49702f300c027300cc38a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Sep 2024 12:06:03 +0300
+Subject: wifi: ath9k: add range check for conn_rsp_epid in
+ htc_connect_service()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit 8619593634cbdf5abf43f5714df49b04e4ef09ab ]
+
+I found the following bug in my fuzzer:
+
+  UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
+  index 255 is out of range for type 'htc_endpoint [22]'
+  CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+  Workqueue: events request_firmware_work_func
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x180/0x1b0
+   __ubsan_handle_out_of_bounds+0xd4/0x130
+   htc_issue_send.constprop.0+0x20c/0x230
+   ? _raw_spin_unlock_irqrestore+0x3c/0x70
+   ath9k_wmi_cmd+0x41d/0x610
+   ? mark_held_locks+0x9f/0xe0
+   ...
+
+Since this bug has been confirmed to be caused by insufficient verification
+of conn_rsp_epid, I think it would be appropriate to add a range check for
+conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240909103855.68006-1-aha310510@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index d5e5f9cf4ca86..762403dfbb36d 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -297,6 +297,9 @@ int htc_connect_service(struct htc_target *target,
+               return -ETIMEDOUT;
+       }
+ 
++      if (target->conn_rsp_epid < 0 || target->conn_rsp_epid >= ENDPOINT_MAX)
++              return -EINVAL;
++
+       *conn_rsp_epid = target->conn_rsp_epid;
+       return 0;
+ err:
+-- 
+2.43.0
+

diff --git a/queue-4.19/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch b/queue-4.19/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
new file mode 100644 (file)
index 0000000..719ac19
--- /dev/null
+++ b/queue-4.19/wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
@@ -0,0 +1,56 @@
+From f8133afa34560704249b809f44207120190aa5ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 01:20:54 +0300
+Subject: wifi: mwifiex: Fix memcpy() field-spanning write warning in
+ mwifiex_config_scan()
+
+From: Alper Nebi Yasak <alpernebiyasak@gmail.com>
+
+[ Upstream commit d241a139c2e9f8a479f25c75ebd5391e6a448500 ]
+
+Replace one-element array with a flexible-array member in `struct
+mwifiex_ie_types_wildcard_ssid_params` to fix the following warning
+on a MT8173 Chromebook (mt8173-elm-hana):
+
+[  356.775250] ------------[ cut here ]------------
+[  356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)
+[  356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]
+
+The "(size 6)" above is exactly the length of the SSID of the network
+this device was connected to. The source of the warning looks like:
+
+    ssid_len = user_scan_in->ssid_list[i].ssid_len;
+    [...]
+    memcpy(wildcard_ssid_tlv->ssid,
+           user_scan_in->ssid_list[i].ssid, ssid_len);
+
+There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this
+struct, but it already didn't account for the size of the one-element
+array, so it doesn't need to be changed.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20241007222301.24154-1-alpernebiyasak@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
+index bfa482cf464ff..c8bf6e559dc56 100644
+--- a/drivers/net/wireless/marvell/mwifiex/fw.h
++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
+@@ -853,7 +853,7 @@ struct mwifiex_ietypes_chanstats {
+ struct mwifiex_ie_types_wildcard_ssid_params {
+       struct mwifiex_ie_types_header header;
+       u8 max_ssid_length;
+-      u8 ssid[1];
++      u8 ssid[];
+ } __packed;
+ 
+ #define TSF_DATA_SIZE            8
+-- 
+2.43.0
+