From: Greg Kroah-Hartman
Date: Mon, 13 May 2024 15:36:17 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v4.19.314~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2061259fe653f5814877f08477913a42ba66931c;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
bluetooth-qca-add-missing-firmware-sanity-checks.patch
bluetooth-qca-fix-firmware-check-error-path.patch
bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch
bluetooth-qca-fix-nvm-configuration-parsing.patch
drm-amd-display-handle-y-carry-over-in-vcp-x.y-calculation.patch
drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch
drm-i915-bios-fix-parsing-backlight-bdb-data.patch
drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
hwmon-pmbus-ucd9000-increase-delay-from-250-to-500us.patch
ksmbd-avoid-to-send-duplicate-lease-break-notifications.patch
ksmbd-do-not-grant-v2-lease-if-parent-lease-key-and-epoch-are-not-set.patch
ksmbd-off-ipv6only-for-both-ipv4-ipv6-binding.patch
mm-use-memalloc_nofs_save-in-page_cache_ra_order.patch
net-fix-out-of-bounds-access-in-ops_init.patch
regulator-core-fix-debugfs-creation-regression.patch
spi-microchip-core-qspi-fix-setting-spi-bus-clock-rate.patch
---
diff --git a/queue-6.1/bluetooth-qca-add-missing-firmware-sanity-checks.patch b/queue-6.1/bluetooth-qca-add-missing-firmware-sanity-checks.patch
new file mode 100644
index 00000000000..52c1233cbce
--- /dev/null
+++ b/queue-6.1/bluetooth-qca-add-missing-firmware-sanity-checks.patch
@@ -0,0 +1,135 @@
+From 2e4edfa1e2bd821a317e7d006517dcf2f3fac68d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 30 Apr 2024 19:07:39 +0200
+Subject: Bluetooth: qca: add missing firmware sanity checks
+
+From: Johan Hovold
+
+commit 2e4edfa1e2bd821a317e7d006517dcf2f3fac68d upstream.
+
+Add the missing sanity checks when parsing the firmware files before
+downloading them to avoid accessing and corrupting memory beyond the
+vmalloced buffer.
+
+Fixes: 83e81961ff7e ("Bluetooth: btqca: Introduce generic QCA ROME support")
+Cc: stable@vger.kernel.org # 4.10
+Signed-off-by: Johan Hovold
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -265,9 +265,10 @@ int qca_send_pre_shutdown_cmd(struct hci
+ }
+ EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
+
+-static void qca_tlv_check_data(struct hci_dev *hdev,
++static int qca_tlv_check_data(struct hci_dev *hdev,
+ struct qca_fw_config *config,
+- u8 *fw_data, enum qca_btsoc_type soc_type)
++ u8 *fw_data, size_t fw_size,
++ enum qca_btsoc_type soc_type)
+ {
+ const u8 *data;
+ u32 type_len;
+@@ -283,6 +284,9 @@ static void qca_tlv_check_data(struct hc
+
+ switch (config->type) {
+ case ELF_TYPE_PATCH:
++ if (fw_size < 7)
++ return -EINVAL;
++
+ config->dnld_mode = QCA_SKIP_EVT_VSE_CC;
+ config->dnld_type = QCA_SKIP_EVT_VSE_CC;
+
+@@ -291,6 +295,9 @@ static void qca_tlv_check_data(struct hc
+ bt_dev_dbg(hdev, "File version : 0x%x", fw_data[6]);
+ break;
+ case TLV_TYPE_PATCH:
++ if (fw_size < sizeof(struct tlv_type_hdr) + sizeof(struct tlv_type_patch))
++ return -EINVAL;
++
+ tlv = (struct tlv_type_hdr *)fw_data;
+ type_len = le32_to_cpu(tlv->type_len);
+ tlv_patch = (struct tlv_type_patch *)tlv->data;
+@@ -330,6 +337,9 @@ static void qca_tlv_check_data(struct hc
+ break;
+
+ case TLV_TYPE_NVM:
++ if (fw_size < sizeof(struct tlv_type_hdr))
++ return -EINVAL;
++
+ tlv = (struct tlv_type_hdr *)fw_data;
+
+ type_len = le32_to_cpu(tlv->type_len);
+@@ -338,17 +348,26 @@ static void qca_tlv_check_data(struct hc
+ BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff);
+ BT_DBG("Length\t\t : %d bytes", length);
+
++ if (fw_size < length + (tlv->data - fw_data))
++ return -EINVAL;
++
+ idx = 0;
+ data = tlv->data;
+- while (idx < length) {
++ while (idx < length - sizeof(struct tlv_type_nvm)) {
+ tlv_nvm = (struct tlv_type_nvm *)(data + idx);
+
+ tag_id = le16_to_cpu(tlv_nvm->tag_id);
+ tag_len = le16_to_cpu(tlv_nvm->tag_len);
+
++ if (length < idx + sizeof(struct tlv_type_nvm) + tag_len)
++ return -EINVAL;
++
+ /* Update NVM tags as needed */
+ switch (tag_id) {
+ case EDL_TAG_ID_HCI:
++ if (tag_len < 3)
++ return -EINVAL;
++
+ /* HCI transport layer parameters
+ * enabling software inband sleep
+ * onto controller side.
+@@ -364,6 +383,9 @@ static void qca_tlv_check_data(struct hc
+ break;
+
+ case EDL_TAG_ID_DEEP_SLEEP:
++ if (tag_len < 1)
++ return -EINVAL;
++
+ /* Sleep enable mask
+ * enabling deep sleep feature on controller.
+ */
+@@ -372,14 +394,16 @@ static void qca_tlv_check_data(struct hc
+ break;
+ }
+
+- idx += (sizeof(u16) + sizeof(u16) + 8 + tag_len);
++ idx += sizeof(struct tlv_type_nvm) + tag_len;
+ }
+ break;
+
+ default:
+ BT_ERR("Unknown TLV type %d", config->type);
+- break;
++ return -EINVAL;
+ }
++
++ return 0;
+ }
+
+ static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size,
+@@ -529,7 +553,9 @@ static int qca_download_firmware(struct
+ memcpy(data, fw->data, size);
+ release_firmware(fw);
+
+- qca_tlv_check_data(hdev, config, data, soc_type);
++ ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
++ if (ret)
++ return ret;
+
+ segment = data;
+ remain = size;
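Review bot: In bluetooth-qca-add-missing-firmware-sanity-checks.patch, the new loop bound `while (idx < length - sizeof(struct tlv_type_nvm))` in the TLV_TYPE_NVM case can wrap, because `sizeof` yields `size_t` and a `length` smaller than the tag header turns the subtraction into a very large unsigned value. The loop is then entered and `tag_id`/`tag_len` are read before the added `length < idx + sizeof(struct tlv_type_nvm) + tag_len` check rejects the file, so with a short enough `length` those reads may touch bytes past the copied firmware buffer. Writing the bound as an addition, `while (idx + sizeof(struct tlv_type_nvm) < length) {`, keeps the same cut-off for well-formed files and cannot wrap. The declarations of `idx` and `length` are outside the hunk, so their types should be confirmed.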
diff --git a/queue-6.1/bluetooth-qca-fix-firmware-check-error-path.patch b/queue-6.1/bluetooth-qca-fix-firmware-check-error-path.patch
new file mode 100644
index 00000000000..98a4439b32d
--- /dev/null
+++ b/queue-6.1/bluetooth-qca-fix-firmware-check-error-path.patch
@@ -0,0 +1,35 @@
+From 40d442f969fb1e871da6fca73d3f8aef1f888558 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 May 2024 08:37:40 +0200
+Subject: Bluetooth: qca: fix firmware check error path
+
+From: Johan Hovold
+
+commit 40d442f969fb1e871da6fca73d3f8aef1f888558 upstream.
+
+A recent commit fixed the code that parses the firmware files before
+downloading them to the controller but introduced a memory leak in case
+the sanity checks ever fail.
+
+Make sure to free the firmware buffer before returning on errors.
+
+Fixes: f905ae0be4b7 ("Bluetooth: qca: add missing firmware sanity checks")
+Cc: stable@vger.kernel.org # 4.19
+Signed-off-by: Johan Hovold
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btqca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -597,7 +597,7 @@ static int qca_download_firmware(struct
+
+ ret = qca_tlv_check_data(hdev, config, data, size, soc_type);
+ if (ret)
+- return ret;
++ goto out;
+
+ segment = data;
+ remain = size;
diff --git a/queue-6.1/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch b/queue-6.1/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
new file mode 100644
index 00000000000..814f7c835c7
--- /dev/null
+++ b/queue-6.1/bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
@@ -0,0 +1,36 @@
+From 0adcf6be1445ed50bfd4a451a7a782568f270197 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 May 2024 14:34:53 +0200
+Subject: Bluetooth: qca: fix info leak when fetching board id
+
+From: Johan Hovold
+
+commit 0adcf6be1445ed50bfd4a451a7a782568f270197 upstream.
+
+Add the missing sanity check when fetching the board id to avoid leaking
+slab data when later requesting the firmware.
+
+Fixes: a7f8dedb4be2 ("Bluetooth: qca: add support for QCA2066")
+Cc: stable@vger.kernel.org # 6.7
+Cc: Tim Jiang
+Signed-off-by: Johan Hovold
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btqca.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -235,6 +235,11 @@ static int qca_read_fw_board_id(struct h
+ goto out;
+ }
+
++ if (skb->len < 3) {
++ err = -EILSEQ;
++ goto out;
++ }
++
+ *bid = (edl->data[1] << 8) + edl->data[2];
+ bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
+
diff --git a/queue-6.1/bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch b/queue-6.1/bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch
new file mode 100644
index 00000000000..ef4f9f0700c
--- /dev/null
+++ b/queue-6.1/bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch
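Review bot: In bluetooth-qca-fix-info-leak-when-fetching-board-id.patch, the new `skb->len < 3` guard covers `edl->data[1]` and `edl->data[2]` only if the EDL header has already been pulled off the skb when it runs. The build-id fix queued alongside it casts `skb->data` directly and therefore compares against `sizeof(*edl) + ...`; if the 6.1 version of qca_read_fw_board_id() obtains `edl` the same way, the check here would need to be `if (skb->len < sizeof(*edl) + 3) {`. How `edl` is set up is above the hunk, so this should be confirmed against the 6.1 tree before the patch is released.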
@@ -0,0 +1,86 @@
+From cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 1 May 2024 14:34:52 +0200
+Subject: Bluetooth: qca: fix info leak when fetching fw build id
+
+From: Johan Hovold
+
+commit cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 upstream.
+
+Add the missing sanity checks and move the 255-byte build-id buffer off
+the stack to avoid leaking stack data through debugfs in case the
+build-info reply is malformed.
+
+Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC")
+Cc: stable@vger.kernel.org # 5.12
+Signed-off-by: Johan Hovold
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++----
+ drivers/bluetooth/btqca.h | 1 -
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -99,7 +99,8 @@ static int qca_read_fw_build_info(struct
+ {
+ struct sk_buff *skb;
+ struct edl_event_hdr *edl;
+- char cmd, build_label[QCA_FW_BUILD_VER_LEN];
++ char *build_label;
++ char cmd;
+ int build_lbl_len, err = 0;
+
+ bt_dev_dbg(hdev, "QCA read fw build info");
+@@ -114,6 +115,11 @@ static int qca_read_fw_build_info(struct
+ return err;
+ }
+
++ if (skb->len < sizeof(*edl)) {
++ err = -EILSEQ;
++ goto out;
++ }
++
+ edl = (struct edl_event_hdr *)(skb->data);
+ if (!edl) {
+ bt_dev_err(hdev, "QCA read fw build info with no header");
+@@ -129,14 +135,25 @@ static int qca_read_fw_build_info(struct
+ goto out;
+ }
+
++ if (skb->len < sizeof(*edl) + 1) {
++ err = -EILSEQ;
++ goto out;
++ }
++
+ build_lbl_len = edl->data[0];
+- if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) {
+- memcpy(build_label, edl->data + 1, build_lbl_len);
+- *(build_label + build_lbl_len) = '\0';
++
++ if (skb->len < sizeof(*edl) + 1 + build_lbl_len) {
++ err = -EILSEQ;
++ goto out;
+ }
+
++ build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL);
++ if (!build_label)
++ goto out;
++
+ hci_set_fw_info(hdev, "%s", build_label);
+
++ kfree(build_label);
+ out:
+ kfree_skb(skb);
+ return err;
+--- a/drivers/bluetooth/btqca.h
++++ b/drivers/bluetooth/btqca.h
+@@ -47,7 +47,6 @@
+ #define get_soc_ver(soc_id, rom_ver) \
+ ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver)))
+
+-#define QCA_FW_BUILD_VER_LEN 255
+ #define QCA_HSP_GF_SOC_ID 0x1200
+ #define QCA_HSP_GF_SOC_MASK 0x0000ff00
+
diff --git a/queue-6.1/bluetooth-qca-fix-nvm-configuration-parsing.patch b/queue-6.1/bluetooth-qca-fix-nvm-configuration-parsing.patch
new file mode 100644
index 00000000000..408375fd2ad
--- /dev/null
+++ b/queue-6.1/bluetooth-qca-fix-nvm-configuration-parsing.patch
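Review bot: In bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch, the `kstrndup()` failure path jumps to `out` with `err` still at the 0 it was initialised to, so qca_read_fw_build_info() appears to report success after an allocation failure. Setting the code before the jump, `if (!build_label) { err = -ENOMEM; goto out; }`, keeps this path consistent with the three -EILSEQ paths added in the same hunk. Parts of the function lie between the hunks, so it should be confirmed that nothing else assigns `err` before this point.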
@@ -0,0 +1,91 @@
+From a112d3c72a227f2edbb6d8094472cc6e503e52af Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 30 Apr 2024 19:07:40 +0200
+Subject: Bluetooth: qca: fix NVM configuration parsing
+
+From: Johan Hovold
+
+commit a112d3c72a227f2edbb6d8094472cc6e503e52af upstream.
+
+The NVM configuration files used by WCN3988 and WCN3990/1/8 have two
+sets of configuration tags that are enclosed by a type-length header of
+type four which the current parser fails to account for.
+
+Instead the driver happily parses random data as if it were valid tags,
+something which can lead to the configuration data being corrupted if it
+ever encounters the words 0x0011 or 0x001b.
+
+As is clear from commit b63882549b2b ("Bluetooth: btqca: Fix the NVM
+baudrate tag offcet for wcn3991") the intention has always been to
+process the configuration data also for WCN3991 and WCN3998 which
+encodes the baud rate at a different offset.
+
+Fix the parser so that it can handle the WCN3xxx configuration files,
+which has an enclosing type-length header of type four and two sets of
+TLV tags enclosed by a type-length header of type two and three,
+respectively.
+
+Note that only the first set, which contains the tags the driver is
+currently looking for, will be parsed for now.
+
+With the parser fixed, the software in-band sleep bit will now be set
+for WCN3991 and WCN3998 (as it is for later controllers) and the default
+baud rate 3200000 may be updated by the driver also for WCN3xxx
+controllers.
+
+Notably the deep-sleep feature bit is already set by default in all
+configuration files in linux-firmware.
+
+Fixes: 4219d4686875 ("Bluetooth: btqca: Add wcn3990 firmware download support.")
+Cc: stable@vger.kernel.org # 4.19
+Cc: Matthias Kaehlcke
+Signed-off-by: Johan Hovold
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btqca.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -278,6 +278,7 @@ static int qca_tlv_check_data(struct hci
+ struct tlv_type_patch *tlv_patch;
+ struct tlv_type_nvm *tlv_nvm;
+ uint8_t nvm_baud_rate = config->user_baud_rate;
++ u8 type;
+
+ config->dnld_mode = QCA_SKIP_EVT_NONE;
+ config->dnld_type = QCA_SKIP_EVT_NONE;
+@@ -343,11 +344,30 @@ static int qca_tlv_check_data(struct hci
+ tlv = (struct tlv_type_hdr *)fw_data;
+
+ type_len = le32_to_cpu(tlv->type_len);
+- length = (type_len >> 8) & 0x00ffffff;
++ length = type_len >> 8;
++ type = type_len & 0xff;
+
+- BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff);
++ /* Some NVM files have more than one set of tags, only parse
++ * the first set when it has type 2 for now. When there is
++ * more than one set there is an enclosing header of type 4.
++ */
++ if (type == 4) {
++ if (fw_size < 2 * sizeof(struct tlv_type_hdr))
++ return -EINVAL;
++
++ tlv++;
++
++ type_len = le32_to_cpu(tlv->type_len);
++ length = type_len >> 8;
++ type = type_len & 0xff;
++ }
++
++ BT_DBG("TLV Type\t\t : 0x%x", type);
+ BT_DBG("Length\t\t : %d bytes", length);
+
++ if (type != 2)
++ break;
++
+ if (fw_size < length + (tlv->data - fw_data))
+ return -EINVAL;
+
diff --git a/queue-6.1/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calculation.patch b/queue-6.1/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calculation.patch
new file mode 100644
index 00000000000..95001aab47d
--- /dev/null
+++ b/queue-6.1/drm-amd-display-handle-y-carry-over-in-vcp-x.y-calculation.patch
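Review bot: In bluetooth-qca-fix-nvm-configuration-parsing.patch, the header types are compared against the bare literals `4` and `2`, and a tag set whose type is not 2 leaves the switch through `break` without any message. Named constants for the container and tag-set types, plus a `bt_dev_dbg()` on the skip path, would make it visible when an NVM file goes unparsed. The type-4 branch also replaces `length` with the inner header's value without relating it to the enclosing header's length; the `fw_size < length + (tlv->data - fw_data)` check that follows still bounds the reads, so that part is a consistency check rather than a memory-safety gap.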
@@ -0,0 +1,38 @@
+From 719564737a9ac3d0b49c314450b56cf6f7d71358 Mon Sep 17 00:00:00 2001
+From: George Shen
+Date: Thu, 16 Sep 2021 19:55:39 -0400
+Subject: drm/amd/display: Handle Y carry-over in VCP X.Y calculation
+
+From: George Shen
+
+commit 719564737a9ac3d0b49c314450b56cf6f7d71358 upstream.
+
+Theoretically rare corner case where ceil(Y) results in rounding up to
+an integer. If this happens, the 1 should be carried over to the X
+value.
+
+CC: stable@vger.kernel.org
+Reviewed-by: Rodrigo Siqueira
+Signed-off-by: George Shen
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_link_encoder.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_link_encoder.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_link_encoder.c
+@@ -393,6 +393,12 @@ void dcn31_hpo_dp_link_enc_set_throttled
+ x),
+ 25));
+
++ // If y rounds up to integer, carry it over to x.
++ if (y >> 25) {
++ x += 1;
++ y = 0;
++ }
++
+ switch (stream_encoder_inst) {
+ case 0:
+ REG_SET_2(DP_DPHY_SYM32_VC_RATE_CNTL0, 0,
diff --git a/queue-6.1/drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch b/queue-6.1/drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch
new file mode 100644
index 00000000000..1b06afbeeda
--- /dev/null
+++ b/queue-6.1/drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch
@@ -0,0 +1,55 @@
+From be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Sun, 14 Apr 2024 13:06:39 -0400
+Subject: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
+
+From: Alex Deucher
+
+commit be4a2a81b6b90d1a47eaeaace4cc8e2cb57b96c7 upstream.
+
+We don't get the right offset in that case. The GPU has
+an unused 4K area of the register BAR space into which you can
+remap registers. We remap the HDP flush registers into this
+space to allow userspace (CPU or GPU) to flush the HDP when it
+updates VRAM. However, on systems with >4K pages, we end up
+exposing PAGE_SIZE of MMIO space.
+
+Fixes: d8e408a82704 ("drm/amdkfd: Expose HDP registers to user space")
+Reviewed-by: Felix Kuehling
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -1106,7 +1106,7 @@ static int kfd_ioctl_alloc_memory_of_gpu
+ goto err_unlock;
+ }
+ offset = dev->adev->rmmio_remap.bus_addr;
+- if (!offset) {
++ if (!offset || (PAGE_SIZE > 4096)) {
+ err = -ENOMEM;
+ goto err_unlock;
+ }
+@@ -2215,7 +2215,7 @@ static int criu_restore_memory_of_gpu(st
+ return -EINVAL;
+ }
+ offset = pdd->dev->adev->rmmio_remap.bus_addr;
+- if (!offset) {
++ if (!offset || (PAGE_SIZE > 4096)) {
+ pr_err("amdgpu_amdkfd_get_mmio_remap_phys_addr failed\n");
+ return -ENOMEM;
+ }
+@@ -2886,6 +2886,9 @@ static int kfd_mmio_mmap(struct kfd_dev
+ if (vma->vm_end - vma->vm_start != PAGE_SIZE)
+ return -EINVAL;
+
++ if (PAGE_SIZE > 4096)
++ return -EINVAL;
++
+ address = dev->adev->rmmio_remap.bus_addr;
+
+ vma->vm_flags |= VM_IO | VM_DONTCOPY | VM_DONTEXPAND | VM_NORESERVE |
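Review bot: The same large-page condition is reported three different ways in drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch: kfd_ioctl_alloc_memory_of_gpu() returns -ENOMEM, criu_restore_memory_of_gpu() logs "amdgpu_amdkfd_get_mmio_remap_phys_addr failed" and returns -ENOMEM, and kfd_mmio_mmap() returns -EINVAL. On a system with pages larger than 4K the log line therefore points at a lookup failure that did not happen, and callers cannot tell an unsupported configuration from memory pressure. A separate `PAGE_SIZE > 4096` branch with its own message and one error code across the three sites would be clearer, with a short comment at each such as `/* remap window is 4K; a larger PAGE_SIZE would expose adjacent MMIO */`. All three functions start and end outside their hunks.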
diff --git a/queue-6.1/drm-i915-bios-fix-parsing-backlight-bdb-data.patch b/queue-6.1/drm-i915-bios-fix-parsing-backlight-bdb-data.patch
new file mode 100644
index 00000000000..70d7fa43e0a
--- /dev/null
+++ b/queue-6.1/drm-i915-bios-fix-parsing-backlight-bdb-data.patch
@@ -0,0 +1,88 @@
+From 43b26bdd2ee5cfca80939be910d5b23a50cd7f9d Mon Sep 17 00:00:00 2001
+From: Karthikeyan Ramasubramanian
+Date: Wed, 21 Feb 2024 18:06:24 -0700
+Subject: drm/i915/bios: Fix parsing backlight BDB data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Karthikeyan Ramasubramanian
+
+commit 43b26bdd2ee5cfca80939be910d5b23a50cd7f9d upstream.
+
+Starting BDB version 239, hdr_dpcd_refresh_timeout is introduced to
+backlight BDB data. Commit 700034566d68 ("drm/i915/bios: Define more BDB
+contents") updated the backlight BDB data accordingly. This broke the
+parsing of backlight BDB data in VBT for versions 236 - 238 (both
+inclusive) and hence the backlight controls are not responding on units
+with the concerned BDB version.
+
+backlight_control information has been present in backlight BDB data
+from at least BDB version 191 onwards, if not before. Hence this patch
+extracts the backlight_control information for BDB version 191 or newer.
+Tested on Chromebooks using Jasperlake SoC (reports bdb->version = 236).
+Tested on Chromebooks using Raptorlake SoC (reports bdb->version = 251).
+
+v2: removed checking the block size of the backlight BDB data
+ [vsyrjala: this is completely safe thanks to commit e163cfb4c96d
+ ("drm/i915/bios: Make copies of VBT data blocks")]
+
+Fixes: 700034566d68 ("drm/i915/bios: Define more BDB contents")
+Cc: stable@vger.kernel.org
+Cc: Jani Nikula
+Cc: Ville Syrjälä
+Signed-off-by: Karthikeyan Ramasubramanian
+Signed-off-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20240221180622.v2.1.I0690aa3e96a83a43b3fc33f50395d334b2981826@changeid
+Signed-off-by: Ville Syrjälä
+(cherry picked from commit c286f6a973c66c0d993ecab9f7162c790e7064c8)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/display/intel_bios.c | 19 ++++---------------
+ drivers/gpu/drm/i915/display/intel_vbt_defs.h | 5 -----
+ 2 files changed, 4 insertions(+), 20 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_bios.c
++++ b/drivers/gpu/drm/i915/display/intel_bios.c
+@@ -1034,22 +1034,11 @@ parse_lfp_backlight(struct drm_i915_priv
+
+ panel->vbt.backlight.type = INTEL_BACKLIGHT_DISPLAY_DDI;
+ if (i915->display.vbt.version >= 191) {
+- size_t exp_size;
++ const struct lfp_backlight_control_method *method;
+
+- if (i915->display.vbt.version >= 236)
+- exp_size = sizeof(struct bdb_lfp_backlight_data);
+- else if (i915->display.vbt.version >= 234)
+- exp_size = EXP_BDB_LFP_BL_DATA_SIZE_REV_234;
+- else
+- exp_size = EXP_BDB_LFP_BL_DATA_SIZE_REV_191;
+-
+- if (get_blocksize(backlight_data) >= exp_size) {
+- const struct lfp_backlight_control_method *method;
+-
+- method = &backlight_data->backlight_control[panel_type];
+- panel->vbt.backlight.type = method->type;
+- panel->vbt.backlight.controller = method->controller;
+- }
++ method = &backlight_data->backlight_control[panel_type];
++ panel->vbt.backlight.type = method->type;
++ panel->vbt.backlight.controller = method->controller;
+ }
+
+ panel->vbt.backlight.pwm_freq_hz = entry->pwm_freq_hz;
+--- a/drivers/gpu/drm/i915/display/intel_vbt_defs.h
++++ b/drivers/gpu/drm/i915/display/intel_vbt_defs.h
+@@ -897,11 +897,6 @@ struct lfp_brightness_level {
+ u16 reserved;
+ } __packed;
+
+-#define EXP_BDB_LFP_BL_DATA_SIZE_REV_191 \
+- offsetof(struct bdb_lfp_backlight_data, brightness_level)
+-#define EXP_BDB_LFP_BL_DATA_SIZE_REV_234 \
+- offsetof(struct bdb_lfp_backlight_data, brightness_precision_bits)
+-
+ struct bdb_lfp_backlight_data {
+ u8 entry_size;
+ struct lfp_backlight_data_entry data[16];
diff --git a/queue-6.1/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch b/queue-6.1/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
new file mode 100644
index 00000000000..46dfb13caaf
--- /dev/null
+++ b/queue-6.1/drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
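Review bot: In drm-i915-bios-fix-parsing-backlight-bdb-data.patch, dropping the `get_blocksize(backlight_data) >= exp_size` test leaves `backlight_data->backlight_control[panel_type]` in parse_lfp_backlight() with no size check, and the commit message justifies that only by commit e163cfb4c96d ("drm/i915/bios: Make copies of VBT data blocks"). For a 6.1 backport that prerequisite should be confirmed present in the 6.1 tree, since VBT contents come from firmware and a short block would otherwise be read past its end. A comment at the access, e.g. `/* no size check: VBT blocks are copied before parsing (see e163cfb4c96d) */`, would keep the dependency visible to later backporters. The range of `panel_type` is established outside the hunk.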
@@ -0,0 +1,46 @@
+From a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c Mon Sep 17 00:00:00 2001
+From: Zack Rusin
+Date: Thu, 25 Apr 2024 15:27:48 -0400
+Subject: drm/vmwgfx: Fix invalid reads in fence signaled events
+
+From: Zack Rusin
+
+commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c upstream.
+
+Correctly set the length of the drm_event to the size of the structure
+that's actually used.
+
+The length of the drm_event was set to the parent structure instead of
+to the drm_vmw_event_fence which is supposed to be read. drm_read
+uses the length parameter to copy the event to the user space thus
+resuling in oob reads.
+
+Signed-off-by: Zack Rusin
+Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-23566
+Cc: David Airlie
+CC: Daniel Vetter
+Cc: Zack Rusin
+Cc: Broadcom internal kernel review list
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org
+Cc: # v3.4+
+Reviewed-by: Maaz Mombasawala
+Reviewed-by: Martin Krastev
+Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack.rusin@broadcom.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+@@ -991,7 +991,7 @@ static int vmw_event_fence_action_create
+ }
+
+ event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED;
+- event->event.base.length = sizeof(*event);
++ event->event.base.length = sizeof(event->event);
+ event->event.user_data = user_data;
+
+ ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base);
diff --git a/queue-6.1/hwmon-pmbus-ucd9000-increase-delay-from-250-to-500us.patch b/queue-6.1/hwmon-pmbus-ucd9000-increase-delay-from-250-to-500us.patch
new file mode 100644
index 00000000000..4614ba9a450
--- /dev/null
+++ b/queue-6.1/hwmon-pmbus-ucd9000-increase-delay-from-250-to-500us.patch
@@ -0,0 +1,44 @@
+From 26e8383b116d0dbe74e28f86646563ab46d66d83 Mon Sep 17 00:00:00 2001
+From: Lakshmi Yadlapati
+Date: Tue, 7 May 2024 14:46:03 -0500
+Subject: hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us
+
+From: Lakshmi Yadlapati
+
+commit 26e8383b116d0dbe74e28f86646563ab46d66d83 upstream.
+
+Following the failure observed with a delay of 250us, experiments were
+conducted with various delays. It was found that a delay of 350us
+effectively mitigated the issue.
+
+To provide a more optimal solution while still allowing a margin for
+stability, the delay is being adjusted to 500us.
+
+Signed-off-by: Lakshmi Yadlapati
+Link: https://lore.kernel.org/r/20240507194603.1305750-1-lakshmiy@us.ibm.com
+Fixes: 8d655e6523764 ("hwmon: (ucd90320) Add minimum delay between bus accesses")
+Reviewed-by: Eddie James
+Cc: stable@vger.kernel.org
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwmon/pmbus/ucd9000.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/pmbus/ucd9000.c
++++ b/drivers/hwmon/pmbus/ucd9000.c
+@@ -80,11 +80,11 @@ struct ucd9000_debugfs_entry {
+ * It has been observed that the UCD90320 randomly fails register access when
+ * doing another access right on the back of a register write. To mitigate this
+ * make sure that there is a minimum delay between a write access and the
+- * following access. The 250us is based on experimental data. At a delay of
+- * 200us the issue seems to go away. Add a bit of extra margin to allow for
++ * following access. The 500 is based on experimental data. At a delay of
++ * 350us the issue seems to go away. Add a bit of extra margin to allow for
+ * system to system differences.
+ */
+-#define UCD90320_WAIT_DELAY_US 250
++#define UCD90320_WAIT_DELAY_US 500
+
+ static inline void ucd90320_wait(const struct ucd9000_data *data)
+ {
diff --git a/queue-6.1/ksmbd-avoid-to-send-duplicate-lease-break-notifications.patch b/queue-6.1/ksmbd-avoid-to-send-duplicate-lease-break-notifications.patch
new file mode 100644
index 00000000000..47f9e5b1355
--- /dev/null
+++ b/queue-6.1/ksmbd-avoid-to-send-duplicate-lease-break-notifications.patch
@@ -0,0 +1,63 @@
+From 97c2ec64667bacc49881d2b2dd9afd4d1c3fbaeb Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Wed, 1 May 2024 21:44:02 +0900
+Subject: ksmbd: avoid to send duplicate lease break notifications
+
+From: Namjae Jeon
+
+commit 97c2ec64667bacc49881d2b2dd9afd4d1c3fbaeb upstream.
+
+This patch fixes generic/011 when enable smb2 leases.
+
+if ksmbd sends multiple notifications for a file, cifs increments
+the reference count of the file but it does not decrement the count by
+the failure of queue_work.
+So even if the file is closed, cifs does not send a SMB2_CLOSE request.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/oplock.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -612,13 +612,23 @@ static int oplock_break_pending(struct o
+
+ if (opinfo->op_state == OPLOCK_CLOSING)
+ return -ENOENT;
+- else if (!opinfo->is_lease && opinfo->level <= req_op_level)
+- return 1;
++ else if (opinfo->level <= req_op_level) {
++ if (opinfo->is_lease &&
++ opinfo->o_lease->state !=
++ (SMB2_LEASE_HANDLE_CACHING_LE |
++ SMB2_LEASE_READ_CACHING_LE))
++ return 1;
++ }
+ }
+
+- if (!opinfo->is_lease && opinfo->level <= req_op_level) {
+- wake_up_oplock_break(opinfo);
+- return 1;
++ if (opinfo->level <= req_op_level) {
++ if (opinfo->is_lease &&
++ opinfo->o_lease->state !=
++ (SMB2_LEASE_HANDLE_CACHING_LE |
++ SMB2_LEASE_READ_CACHING_LE)) {
++ wake_up_oplock_break(opinfo);
++ return 1;
++ }
+ }
+ return 0;
+ }
+@@ -886,7 +896,6 @@ static int oplock_break(struct oplock_in
+ struct lease *lease = brk_opinfo->o_lease;
+
+ atomic_inc(&brk_opinfo->breaking_cnt);
+-
+ err = oplock_break_pending(brk_opinfo, req_op_level);
+ if (err)
+ return err < 0 ? err : 0;
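Review bot: In ksmbd-avoid-to-send-duplicate-lease-break-notifications.patch, both rewritten conditions in oplock_break_pending() now return 1 only when `opinfo->is_lease` is true, whereas the removed lines returned 1 for the non-lease case (`!opinfo->is_lease && opinfo->level <= req_op_level`). Plain oplocks at or below the requested level therefore no longer take the early `return 1`, and in the second block no longer reach `wake_up_oplock_break()`; the commit message only discusses leases, so this looks unintended. If the old oplock behaviour is meant to stay, the inner test could read `if (!opinfo->is_lease || opinfo->o_lease->state != (SMB2_LEASE_HANDLE_CACHING_LE | SMB2_LEASE_READ_CACHING_LE))`. The start of the function is outside the hunk.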
diff --git a/queue-6.1/ksmbd-do-not-grant-v2-lease-if-parent-lease-key-and-epoch-are-not-set.patch b/queue-6.1/ksmbd-do-not-grant-v2-lease-if-parent-lease-key-and-epoch-are-not-set.patch
new file mode 100644
index 00000000000..df2c087eea5
--- /dev/null
+++ b/queue-6.1/ksmbd-do-not-grant-v2-lease-if-parent-lease-key-and-epoch-are-not-set.patch
@@ -0,0 +1,62 @@
+From 691aae4f36f9825df6781da4399a1e718951085a Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Wed, 1 May 2024 21:58:15 +0900
+Subject: ksmbd: do not grant v2 lease if parent lease key and epoch are not set
+
+From: Namjae Jeon
+
+commit 691aae4f36f9825df6781da4399a1e718951085a upstream.
+
+This patch fix xfstests generic/070 test with smb2 leases = yes.
+
+cifs.ko doesn't set parent lease key and epoch in create context v2 lease.
+ksmbd suppose that parent lease and epoch are vaild if data length is
+v2 lease context size and handle directory lease using this values.
+ksmbd should hanle it as v1 lease not v2 lease if parent lease key and
+epoch are not set in create context v2 lease.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/oplock.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1208,7 +1208,9 @@ int smb_grant_oplock(struct ksmbd_work *
+
+ /* Only v2 leases handle the directory */
+ if (S_ISDIR(file_inode(fp->filp)->i_mode)) {
+- if (!lctx || lctx->version != 2)
++ if (!lctx || lctx->version != 2 ||
++ (lctx->flags != SMB2_LEASE_FLAG_PARENT_LEASE_KEY_SET_LE &&
++ !lctx->epoch))
+ return 0;
+ }
+
+@@ -1470,8 +1472,9 @@ void create_lease_buf(u8 *rbuf, struct l
+ buf->lcontext.LeaseFlags = lease->flags;
+ buf->lcontext.Epoch = cpu_to_le16(lease->epoch);
+ buf->lcontext.LeaseState = lease->state;
+- memcpy(buf->lcontext.ParentLeaseKey, lease->parent_lease_key,
+- SMB2_LEASE_KEY_SIZE);
++ if (lease->flags == SMB2_LEASE_FLAG_PARENT_LEASE_KEY_SET_LE)
++ memcpy(buf->lcontext.ParentLeaseKey, lease->parent_lease_key,
++ SMB2_LEASE_KEY_SIZE);
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct create_lease_v2, lcontext));
+ buf->ccontext.DataLength = cpu_to_le32(sizeof(struct lease_context_v2));
+@@ -1536,8 +1539,9 @@ struct lease_ctx_info *parse_lease_state
+ lreq->flags = lc->lcontext.LeaseFlags;
+ lreq->epoch = lc->lcontext.Epoch;
+ lreq->duration = lc->lcontext.LeaseDuration;
+- memcpy(lreq->parent_lease_key, lc->lcontext.ParentLeaseKey,
+- SMB2_LEASE_KEY_SIZE);
++ if (lreq->flags == SMB2_LEASE_FLAG_PARENT_LEASE_KEY_SET_LE)
++ memcpy(lreq->parent_lease_key, lc->lcontext.ParentLeaseKey,
++ SMB2_LEASE_KEY_SIZE);
+ lreq->version = 2;
+ } else {
+ struct create_lease *lc = (struct create_lease *)cc;
diff --git a/queue-6.1/ksmbd-off-ipv6only-for-both-ipv4-ipv6-binding.patch b/queue-6.1/ksmbd-off-ipv6only-for-both-ipv4-ipv6-binding.patch
new file mode 100644
index 00000000000..a0d2f20dcd4
--- /dev/null
+++ b/queue-6.1/ksmbd-off-ipv6only-for-both-ipv4-ipv6-binding.patch
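Review bot: In ksmbd-do-not-grant-v2-lease-if-parent-lease-key-and-epoch-are-not-set.patch, all three new tests compare the whole flags word with `SMB2_LEASE_FLAG_PARENT_LEASE_KEY_SET_LE` using `==` or `!=`, so a client that sets that bit together with any other lease flag is treated as not having supplied a parent key. A bit test such as `lreq->flags & SMB2_LEASE_FLAG_PARENT_LEASE_KEY_SET_LE` would express the intent. Because the `memcpy()` calls in create_lease_buf() and parse_lease_state() are now conditional, `buf->lcontext.ParentLeaseKey` and `lreq->parent_lease_key` keep whatever those buffers held before; the allocations are outside the hunks, so it should be confirmed that both are zeroed, otherwise stale bytes could be carried into a response.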
@@ -0,0 +1,42 @@
+From cc00bc83f26eb8f2d8d9f56b949b62fd774d8432 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Wed, 1 May 2024 21:41:50 +0900
+Subject: ksmbd: off ipv6only for both ipv4/ipv6 binding
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Namjae Jeon
+
+commit cc00bc83f26eb8f2d8d9f56b949b62fd774d8432 upstream.
+
+ΕΛΕΝΗ reported that ksmbd binds to the IPV6 wildcard (::) by default for
+ipv4 and ipv6 binding. So IPV4 connections are successful only when
+the Linux system parameter bindv6only is set to 0 [default value].
+If this parameter is set to 1, then the ipv6 wildcard only represents
+any IPV6 address. Samba creates different sockets for ipv4 and ipv6
+by default. This patch off sk_ipv6only to support IPV4/IPV6 connections
+without creating two sockets.
+
+Cc: stable@vger.kernel.org
+Reported-by: ΕΛΕΝΗ ΤΖΑΒΕΛΛΑ
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/transport_tcp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -446,6 +446,10 @@ static int create_socket(struct interfac
+ sin6.sin6_family = PF_INET6;
+ sin6.sin6_addr = in6addr_any;
+ sin6.sin6_port = htons(server_conf.tcp_port);
++
++ lock_sock(ksmbd_socket->sk);
++ ksmbd_socket->sk->sk_ipv6only = false;
++ release_sock(ksmbd_socket->sk);
+ }
+
+ ksmbd_tcp_nodelay(ksmbd_socket);
diff --git a/queue-6.1/mm-use-memalloc_nofs_save-in-page_cache_ra_order.patch b/queue-6.1/mm-use-memalloc_nofs_save-in-page_cache_ra_order.patch
new file mode 100644
index 00000000000..a37907f771d
--- /dev/null
+++ b/queue-6.1/mm-use-memalloc_nofs_save-in-page_cache_ra_order.patch
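Review bot: In ksmbd-off-ipv6only-for-both-ipv4-ipv6-binding.patch, clearing `sk_ipv6only` in create_socket() overrides the host's bindv6only setting without a comment or a log line, so a server whose administrator set bindv6only to 1 begins accepting IPv4 connections on the wildcard listener once this update is installed. That widens the listening surface on hosts where packet filtering was written with an IPv6-only listener in mind. The assignment deserves a comment such as `/* accept IPv4 on the wildcard socket regardless of net.ipv6.bindv6only */`, and the behaviour change is worth calling out to operators. The rest of create_socket() is outside the hunk.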
@@ -0,0 +1,91 @@
+From 30153e4466647a17eebfced13eede5cbe4290e69 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Fri, 26 Apr 2024 19:29:38 +0800
+Subject: mm: use memalloc_nofs_save() in page_cache_ra_order()
+
+From: Kefeng Wang
+
+commit 30153e4466647a17eebfced13eede5cbe4290e69 upstream.
+
+See commit f2c817bed58d ("mm: use memalloc_nofs_save in readahead path"),
+ensure that page_cache_ra_order() do not attempt to reclaim file-backed
+pages too, or it leads to a deadlock, found issue when test ext4 large
+folio.
+
+ INFO: task DataXceiver for:7494 blocked for more than 120 seconds.
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:DataXceiver for state:D stack:0 pid:7494 ppid:1 flags:0x00000200
+ Call trace:
+ __switch_to+0x14c/0x240
+ __schedule+0x82c/0xdd0
+ schedule+0x58/0xf0
+ io_schedule+0x24/0xa0
+ __folio_lock+0x130/0x300
+ migrate_pages_batch+0x378/0x918
+ migrate_pages+0x350/0x700
+ compact_zone+0x63c/0xb38
+ compact_zone_order+0xc0/0x118
+ try_to_compact_pages+0xb0/0x280
+ __alloc_pages_direct_compact+0x98/0x248
+ __alloc_pages+0x510/0x1110
+ alloc_pages+0x9c/0x130
+ folio_alloc+0x20/0x78
+ filemap_alloc_folio+0x8c/0x1b0
+ page_cache_ra_order+0x174/0x308
+ ondemand_readahead+0x1c8/0x2b8
+ page_cache_async_ra+0x68/0xb8
+ filemap_readahead.isra.0+0x64/0xa8
+ filemap_get_pages+0x3fc/0x5b0
+ filemap_splice_read+0xf4/0x280
+ ext4_file_splice_read+0x2c/0x48 [ext4]
+ vfs_splice_read.part.0+0xa8/0x118
+ splice_direct_to_actor+0xbc/0x288
+ do_splice_direct+0x9c/0x108
+ do_sendfile+0x328/0x468
+ __arm64_sys_sendfile64+0x8c/0x148
+ invoke_syscall+0x4c/0x118
+ el0_svc_common.constprop.0+0xc8/0xf0
+ do_el0_svc+0x24/0x38
+ el0_svc+0x4c/0x1f8
+ el0t_64_sync_handler+0xc0/0xc8
+ el0t_64_sync+0x188/0x190
+
+Link: https://lkml.kernel.org/r/20240426112938.124740-1-wangkefeng.wang@huawei.com
+Fixes: 793917d997df ("mm/readahead: Add large folio readahead")
+Signed-off-by: Kefeng Wang
+Cc: Matthew Wilcox (Oracle)
+Cc: Zhang Yi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/readahead.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/readahead.c
++++ b/mm/readahead.c
+@@ -504,6 +504,7 @@ void page_cache_ra_order(struct readahea
+ pgoff_t index = readahead_index(ractl);
+ pgoff_t limit = (i_size_read(mapping->host) - 1) >> PAGE_SHIFT;
+ pgoff_t mark = index + ra->size - ra->async_size;
++ unsigned int nofs;
+ int err = 0;
+ gfp_t gfp = readahead_gfp_mask(mapping);
+
+@@ -520,6 +521,8 @@ void page_cache_ra_order(struct readahea
+ new_order--;
+ }
+
++ /* See comment in page_cache_ra_unbounded() */
++ nofs = memalloc_nofs_save();
+ filemap_invalidate_lock_shared(mapping);
+ while (index <= limit) {
+ unsigned int order = new_order;
+@@ -548,6 +551,7 @@ void page_cache_ra_order(struct readahea
+
+ read_pages(ractl);
+ filemap_invalidate_unlock_shared(mapping);
++ memalloc_nofs_restore(nofs);
+
+ /*
+ * If there were already pages in the page cache, then we may have
diff --git a/queue-6.1/net-fix-out-of-bounds-access-in-ops_init.patch b/queue-6.1/net-fix-out-of-bounds-access-in-ops_init.patch
new file mode 100644
index 00000000000..70f74b48b3c
--- /dev/null
+++ b/queue-6.1/net-fix-out-of-bounds-access-in-ops_init.patch
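Review bot: The comment added before `nofs = memalloc_nofs_save();` only points at page_cache_ra_unbounded(), so a reader of page_cache_ra_order() has to look elsewhere to learn why the scope exists. Stating the reason in place costs one line: `/* NOFS scope: folio allocation here must not reclaim file-backed pages, or it can deadlock on a folio lock (see page_cache_ra_unbounded()) */`. The loop body between the save and the `memalloc_nofs_restore(nofs)` of the last hunk is outside the visible lines; any path there that returns or jumps past the unlock would also skip the restore, so that is worth confirming against the full function.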
@@ -0,0 +1,66 @@
+From a26ff37e624d12e28077e5b24d2b264f62764ad6 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Thu, 2 May 2024 10:20:06 -0300
+Subject: net: fix out-of-bounds access in ops_init
+
+From: Thadeu Lima de Souza Cascardo
+
+commit a26ff37e624d12e28077e5b24d2b264f62764ad6 upstream.
+
+net_alloc_generic is called by net_alloc, which is called without any
+locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It
+is read twice, first to allocate an array, then to set s.len, which is
+later used to limit the bounds of the array access.
+
+It is possible that the array is allocated and another thread is
+registering a new pernet ops, increments max_gen_ptrs, which is then used
+to set s.len with a larger than allocated length for the variable array.
+
+Fix it by reading max_gen_ptrs only once in net_alloc_generic. If
+max_gen_ptrs is later incremented, it will be caught in net_assign_generic.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Fixes: 073862ba5d24 ("netns: fix net_alloc_generic()")
+Reviewed-by: Eric Dumazet
+Reviewed-by: Kuniyuki Iwashima
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240502132006.3430840-1-cascardo@igalia.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/net_namespace.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -68,12 +68,15 @@ DEFINE_COOKIE(net_cookie);
+
+ static struct net_generic *net_alloc_generic(void)
+ {
++ unsigned int gen_ptrs = READ_ONCE(max_gen_ptrs);
++ unsigned int generic_size;
+ struct net_generic *ng;
+- unsigned int generic_size = offsetof(struct net_generic, ptr[max_gen_ptrs]);
++
++ generic_size = offsetof(struct net_generic, ptr[gen_ptrs]);
+
+ ng = kzalloc(generic_size, GFP_KERNEL);
+ if (ng)
+- ng->s.len = max_gen_ptrs;
++ ng->s.len = gen_ptrs;
+
+ return ng;
+ }
+@@ -1217,7 +1220,11 @@ static int
register_pernet_operations(st
+ if (error < 0)
+ return error;
+ *ops->id = error;
+- max_gen_ptrs = max(max_gen_ptrs, *ops->id + 1);
++ /* This does not require READ_ONCE as writers already hold
++ * pernet_ops_rwsem. But WRITE_ONCE is needed to protect
++ * net_alloc_generic.
++ */
++ WRITE_ONCE(max_gen_ptrs, max(max_gen_ptrs, *ops->id + 1));
+ }
+ error = __register_pernet_operations(list, ops);
+ if (error) {
diff --git a/queue-6.1/regulator-core-fix-debugfs-creation-regression.patch b/queue-6.1/regulator-core-fix-debugfs-creation-regression.patch
new file mode 100644
index 00000000000..b8b173dbe30
--- /dev/null
+++ b/queue-6.1/regulator-core-fix-debugfs-creation-regression.patch
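Review bot: The reader side of this fix is undocumented: `READ_ONCE(max_gen_ptrs)` in net_alloc_generic() has no comment, while the matching WRITE_ONCE in register_pernet_operations() does. The invariant that matters is that the allocation size and `ng->s.len` come from the same snapshot, because s.len later bounds accesses to ptr[]; a cleanup that reads max_gen_ptrs a second time would reopen the out-of-bounds window the commit message describes. I would add above the declaration: `/* Snapshot once: max_gen_ptrs may grow concurrently; generic_size and s.len must use the same value. */`. register_pernet_operations() extends beyond the second hunk.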
@@ -0,0 +1,76 @@
+From 2a4b49bb58123bad6ec0e07b02845f74c23d5e04 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 9 May 2024 15:33:04 +0200
+Subject: regulator: core: fix debugfs creation regression
+
+From: Johan Hovold
+
+commit 2a4b49bb58123bad6ec0e07b02845f74c23d5e04 upstream.
+
+regulator_get() may sometimes be called more than once for the same
+consumer device, something which before commit dbe954d8f163 ("regulator:
+core: Avoid debugfs: Directory ... already present! error") resulted in
+errors being logged.
+
+A couple of recent commits broke the handling of such cases so that
+attributes are now erroneously created in the debugfs root directory the
+second time a regulator is requested and the log is filled with errors
+like:
+
+ debugfs: File 'uA_load' in directory '/' already present!
+ debugfs: File 'min_uV' in directory '/' already present!
+ debugfs: File 'max_uV' in directory '/' already present!
+ debugfs: File 'constraint_flags' in directory '/' already present!
+
+on any further calls.
+
+Fixes: 2715bb11cfff ("regulator: core: Fix more error checking for debugfs_create_dir()")
+Fixes: 08880713ceec ("regulator: core: Streamline debugfs operations")
+Cc: stable@vger.kernel.org
+Cc: Geert Uytterhoeven
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20240509133304.8883-1-johan+linaro@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/regulator/core.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1916,19 +1916,24 @@ static struct regulator *create_regulato
+ }
+ }
+
+- if (err != -EEXIST)
++ if (err != -EEXIST) {
+ regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs);
+- if (IS_ERR(regulator->debugfs))
+- rdev_dbg(rdev, "Failed to create debugfs directory\n");
++ if (IS_ERR(regulator->debugfs)) {
++ rdev_dbg(rdev, "Failed to create debugfs directory\n");
++ regulator->debugfs = NULL;
++ }
++ }
+
+- debugfs_create_u32("uA_load", 0444, regulator->debugfs,
+- ®ulator->uA_load);
+- debugfs_create_u32("min_uV", 0444, regulator->debugfs,
+- ®ulator->voltage[PM_SUSPEND_ON].min_uV);
+- debugfs_create_u32("max_uV", 0444, regulator->debugfs,
+- ®ulator->voltage[PM_SUSPEND_ON].max_uV);
+- debugfs_create_file("constraint_flags", 0444, regulator->debugfs,
+- regulator, &constraint_flags_fops);
++ if (regulator->debugfs) {
++ debugfs_create_u32("uA_load", 0444, regulator->debugfs,
++ ®ulator->uA_load);
++ debugfs_create_u32("min_uV", 0444, regulator->debugfs,
++ ®ulator->voltage[PM_SUSPEND_ON].min_uV);
++ debugfs_create_u32("max_uV", 0444, regulator->debugfs,
++ ®ulator->voltage[PM_SUSPEND_ON].max_uV);
++ debugfs_create_file("constraint_flags", 0444, regulator->debugfs,
++ regulator, &constraint_flags_fops);
++ }
+
+ /*
+ * Check now if the regulator is an always on regulator - if
diff --git a/queue-6.1/series b/queue-6.1/series
index a02505b47d2..d2f0e5dcbc2 100644
--- a/queue-6.1/series
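Review bot: The new `if (regulator->debugfs)` guard depends on `regulator->debugfs` already being NULL when `err == -EEXIST`, because nothing in the hunk assigns it on that path. That holds only if the structure is zero-initialised where it is allocated, which happens above the hunk in create_regulator() and is not visible here. A short comment would make the dependency explicit, for example `/* debugfs stays NULL (zeroed at allocation) when the link already exists; skip the attributes then */`. Without it, a later change to the allocation could silently bring back attribute creation under an unintended parent.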
+++ b/queue-6.1/series
@@ -217,3 +217,20 @@ asoc-ti-davinci-mcasp-fix-race-condition-during-probe.patch
 dyndbg-fix-old-bug_on-in-control-parser.patch
 slimbus-qcom-ngd-ctrl-add-timeout-for-wait-operation.patch
 mei-me-add-lunar-lake-point-m-did.patch
+drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch
+drm-vmwgfx-fix-invalid-reads-in-fence-signaled-events.patch
+drm-i915-bios-fix-parsing-backlight-bdb-data.patch
+drm-amd-display-handle-y-carry-over-in-vcp-x.y-calculation.patch
+net-fix-out-of-bounds-access-in-ops_init.patch
+hwmon-pmbus-ucd9000-increase-delay-from-250-to-500us.patch
+mm-use-memalloc_nofs_save-in-page_cache_ra_order.patch
+regulator-core-fix-debugfs-creation-regression.patch
+spi-microchip-core-qspi-fix-setting-spi-bus-clock-rate.patch
+ksmbd-off-ipv6only-for-both-ipv4-ipv6-binding.patch
+ksmbd-avoid-to-send-duplicate-lease-break-notifications.patch
+ksmbd-do-not-grant-v2-lease-if-parent-lease-key-and-epoch-are-not-set.patch
+bluetooth-qca-add-missing-firmware-sanity-checks.patch
+bluetooth-qca-fix-nvm-configuration-parsing.patch
+bluetooth-qca-fix-info-leak-when-fetching-board-id.patch
+bluetooth-qca-fix-info-leak-when-fetching-fw-build-id.patch
+bluetooth-qca-fix-firmware-check-error-path.patch
diff --git a/queue-6.1/spi-microchip-core-qspi-fix-setting-spi-bus-clock-rate.patch b/queue-6.1/spi-microchip-core-qspi-fix-setting-spi-bus-clock-rate.patch
new file mode 100644
index 00000000000..f7fed47e727
--- /dev/null
+++ b/queue-6.1/spi-microchip-core-qspi-fix-setting-spi-bus-clock-rate.patch
@@ -0,0 +1,39 @@
+From ef13561d2b163ac0ae6befa53bca58a26dc3320b Mon Sep 17 00:00:00 2001
+From: Conor Dooley
+Date: Wed, 8 May 2024 16:46:51 +0100
+Subject: spi: microchip-core-qspi: fix setting spi bus clock rate
+
+From: Conor Dooley
+
+commit ef13561d2b163ac0ae6befa53bca58a26dc3320b upstream.
+
+Before ORing the new clock rate with the control register value read
+from the hardware, the existing clock rate needs to be masked off as
+otherwise the existing value will interfere with the new one.
+
+CC: stable@vger.kernel.org
+Fixes: 8596124c4c1b ("spi: microchip-core-qspi: Add support for microchip fpga qspi controllers")
+Signed-off-by: Conor Dooley
+Reviewed-by: Tudor Ambarus
+Link: https://lore.kernel.org/r/20240508-fox-unpiloted-b97e1535627b@spud
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-microchip-core-qspi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-microchip-core-qspi.c b/drivers/spi/spi-microchip-core-qspi.c
+index 03d125a71fd9..09f16471c537 100644
+--- a/drivers/spi/spi-microchip-core-qspi.c
++++ b/drivers/spi/spi-microchip-core-qspi.c
+@@ -283,6 +283,7 @@ static int mchp_coreqspi_setup_clock(struct mchp_coreqspi *qspi, struct spi_devi
+ }
+
+ control = readl_relaxed(qspi->regs + REG_CONTROL);
++ control &= ~CONTROL_CLKRATE_MASK;
+ control |= baud_rate_val << CONTROL_CLKRATE_SHIFT;
+ writel_relaxed(control, qspi->regs + REG_CONTROL);
+ control = readl_relaxed(qspi->regs + REG_CONTROL);
+--
+2.45.0
+
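Review bot: The added `control &= ~CONTROL_CLKRATE_MASK;` clears the field, but the next line still ORs in `baud_rate_val << CONTROL_CLKRATE_SHIFT` unmasked, so a divider wider than the field would spill into neighbouring control bits. The check that presumably bounds baud_rate_val ends just above the hunk (only its closing brace is visible), so this may already be safe. Masking the shifted value keeps the write confined to the field either way: `control |= (baud_rate_val << CONTROL_CLKRATE_SHIFT) & CONTROL_CLKRATE_MASK;`. mchp_coreqspi_setup_clock() continues past the hunk.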