From: Greg Kroah-Hartman Date: Fri, 20 Oct 2023 18:04:28 +0000 (+0200) Subject: 6.5-stable patches X-Git-Tag: v4.14.328~82 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=24560ab4c230274c24c222a9b24f367e252fe0cd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch asoc-codecs-wcd938x-fix-regulator-leaks-on-probe-errors.patch asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch asoc-codecs-wcd938x-fix-runtime-pm-imbalance-on-remove.patch asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch drm-edid-add-8-bpc-quirk-to-the-benq-gw2765.patch drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch drm-nouveau-disp-fix-dp-capable-dsm-connectors.patch io_uring-fix-crash-with-ioring_setup_no_mmap-and-invalid-sq-ring-address.patch nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch qed-fix-ll2-rx-buffer-allocation.patch --- diff --git a/queue-6.5/alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch b/queue-6.5/alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch new file mode 100644 index 00000000000..6a56a7451fa --- /dev/null +++ b/queue-6.5/alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch @@ -0,0 +1,35 @@ +From 5dedc9f53eef7ec07b23686381100d03fb259f50 Mon Sep 17 00:00:00 2001 +From: Artem Borisov +Date: Sat, 14 Oct 2023 10:50:42 +0300 +Subject: ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV + +From: Artem Borisov + +commit 5dedc9f53eef7ec07b23686381100d03fb259f50 upstream. + +Enables the SPI-connected Cirrus amp and the required pins +for headset mic detection. + +As of BIOS version 313 it is still necessary to modify the +ACPI table to add the related _DSD properties: + https://gist.github.com/Flex1911/1bce378645fc95a5743671bd5deabfc8 + +Signed-off-by: Artem Borisov +Cc: +Link: https://lore.kernel.org/r/20231014075044.17474-1-dedsa2002@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9738,6 +9738,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301V", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK), ++ SND_PCI_QUIRK(0x1043, 0x1663, "ASUS GU603ZV", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1683, "ASUS UM3402YAR", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x16b2, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), diff --git a/queue-6.5/alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch b/queue-6.5/alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch new file mode 100644 index 00000000000..1ec06aa3d68 --- /dev/null +++ b/queue-6.5/alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch @@ -0,0 +1,76 @@ +From c8c0a03ec1be6b3f3ec1ce91685351235212db19 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Tue, 17 Oct 2023 15:30:24 +0800 +Subject: ALSA: hda/realtek - Fixed ASUS platform headset Mic issue + +From: Kailang Yang + +commit c8c0a03ec1be6b3f3ec1ce91685351235212db19 upstream. + +ASUS platform Headset Mic was disable by default. +Assigned verb table for Mic pin will enable it. + +Signed-off-by: Kailang Yang +Cc: +Link: https://lore.kernel.org/r/1155d914c20c40569f56d36c79254879@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7009,6 +7009,24 @@ static void alc287_fixup_bind_dacs(struc + 0x0); /* Make sure 0x14 was disable */ + } + } ++/* Fix none verb table of Headset Mic pin */ ++static void alc_fixup_headset_mic(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ static const struct hda_pintbl pincfgs[] = { ++ { 0x19, 0x03a1103c }, ++ { } ++ }; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_apply_pincfgs(codec, pincfgs); ++ alc_update_coef_idx(codec, 0x45, 0xf<<12 | 1<<10, 5<<12); ++ spec->parse_flags |= HDA_PINCFG_HEADSET_MIC; ++ break; ++ } ++} + + + enum { +@@ -7274,6 +7292,7 @@ enum { + ALC245_FIXUP_HP_X360_MUTE_LEDS, + ALC287_FIXUP_THINKPAD_I2S_SPK, + ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD, ++ ALC2XX_FIXUP_HEADSET_MIC, + }; + + /* A special fixup for Lenovo C940 and Yoga Duet 7; +@@ -9372,6 +9391,10 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI, + }, ++ [ALC2XX_FIXUP_HEADSET_MIC] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_headset_mic, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -10656,6 +10679,8 @@ static const struct snd_hda_pin_quirk al + SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, + {0x19, 0x40000000}, + {0x1a, 0x40000000}), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC2XX_FIXUP_HEADSET_MIC, ++ {0x19, 0x40000000}), + {} + }; + diff --git a/queue-6.5/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch b/queue-6.5/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch new file mode 100644 index 00000000000..541102655b9 --- /dev/null +++ b/queue-6.5/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch @@ -0,0 +1,31 @@ +From 56e85993896b914032d11e32ecbf8415e7b2f621 Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 17 Oct 2023 00:13:28 +0200 +Subject: ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx + +From: Luka Guzenko + +commit 56e85993896b914032d11e32ecbf8415e7b2f621 upstream. + +This HP Laptop uses ALC236 codec with COEF 0x07 controlling the +mute LED. Enable existing quirk for this device. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20231016221328.1521674-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9669,6 +9669,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x89c6, "Zbook Fury 17 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x89ca, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x89d3, "HP EliteBook 645 G9 (MB 89D2)", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8a25, "HP Victus 16-d1xxx (MB 8A25)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8a78, "HP Dev One", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x103c, 0x8aa0, "HP ProBook 440 G9 (MB 8A9E)", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.5/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch b/queue-6.5/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch new file mode 100644 index 00000000000..83b0e7870e6 --- /dev/null +++ b/queue-6.5/asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch @@ -0,0 +1,36 @@ +From bfbc79de60c53e5fed505390440b87ef59ee268c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:52 +0200 +Subject: ASoC: codecs: wcd938x: drop bogus bind error handling + +From: Johan Hovold + +commit bfbc79de60c53e5fed505390440b87ef59ee268c upstream. + +Drop the bogus error handling for a soundwire device backcast during +bind() that cannot fail. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-2-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3448,10 +3448,6 @@ static int wcd938x_bind(struct device *d + wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev); + wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x; + wcd938x->tx_sdw_dev = dev_to_sdw_dev(wcd938x->txdev); +- if (!wcd938x->tx_sdw_dev) { +- dev_err(dev, "could not get txslave with matching of dev\n"); +- return -EINVAL; +- } + + /* As TX is main CSR reg interface, which should not be suspended first. + * expicilty add the dependency link */ diff --git a/queue-6.5/asoc-codecs-wcd938x-fix-regulator-leaks-on-probe-errors.patch b/queue-6.5/asoc-codecs-wcd938x-fix-regulator-leaks-on-probe-errors.patch new file mode 100644 index 00000000000..70247de3af6 --- /dev/null +++ b/queue-6.5/asoc-codecs-wcd938x-fix-regulator-leaks-on-probe-errors.patch @@ -0,0 +1,75 @@ +From 69a026a2357ee69983690d07976de44ef26ee38a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:55 +0200 +Subject: ASoC: codecs: wcd938x: fix regulator leaks on probe errors + +From: Johan Hovold + +commit 69a026a2357ee69983690d07976de44ef26ee38a upstream. + +Make sure to disable and free the regulators on probe errors and on +driver unbind. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-5-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3325,8 +3325,10 @@ static int wcd938x_populate_dt_data(stru + return dev_err_probe(dev, ret, "Failed to get supplies\n"); + + ret = regulator_bulk_enable(WCD938X_MAX_SUPPLY, wcd938x->supplies); +- if (ret) ++ if (ret) { ++ regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies); + return dev_err_probe(dev, ret, "Failed to enable supplies\n"); ++ } + + wcd938x_dt_parse_micbias_info(dev, wcd938x); + +@@ -3592,13 +3594,13 @@ static int wcd938x_probe(struct platform + + ret = wcd938x_add_slave_components(wcd938x, dev, &match); + if (ret) +- return ret; ++ goto err_disable_regulators; + + wcd938x_reset(wcd938x); + + ret = component_master_add_with_match(dev, &wcd938x_comp_ops, match); + if (ret) +- return ret; ++ goto err_disable_regulators; + + pm_runtime_set_autosuspend_delay(dev, 1000); + pm_runtime_use_autosuspend(dev); +@@ -3608,11 +3610,21 @@ static int wcd938x_probe(struct platform + pm_runtime_idle(dev); + + return 0; ++ ++err_disable_regulators: ++ regulator_bulk_disable(WCD938X_MAX_SUPPLY, wcd938x->supplies); ++ regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies); ++ ++ return ret; + } + + static void wcd938x_remove(struct platform_device *pdev) + { ++ struct wcd938x_priv *wcd938x = dev_get_drvdata(&pdev->dev); ++ + component_master_del(&pdev->dev, &wcd938x_comp_ops); ++ regulator_bulk_disable(WCD938X_MAX_SUPPLY, wcd938x->supplies); ++ regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies); + } + + #if defined(CONFIG_OF) diff --git a/queue-6.5/asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch b/queue-6.5/asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch new file mode 100644 index 00000000000..5d731248805 --- /dev/null +++ b/queue-6.5/asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch @@ -0,0 +1,133 @@ +From da29b94ed3547cee9d510d02eca4009f2de476cf Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:54 +0200 +Subject: ASoC: codecs: wcd938x: fix resource leaks on bind errors + +From: Johan Hovold + +commit da29b94ed3547cee9d510d02eca4009f2de476cf upstream. + +Add the missing code to release resources on bind errors, including the +references taken by wcd938x_sdw_device_get() which also need to be +dropped on unbind(). + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-4-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 44 ++++++++++++++++++++++++++++++++++---------- + 1 file changed, 34 insertions(+), 10 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3435,7 +3435,8 @@ static int wcd938x_bind(struct device *d + wcd938x->rxdev = wcd938x_sdw_device_get(wcd938x->rxnode); + if (!wcd938x->rxdev) { + dev_err(dev, "could not find slave with matching of node\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_unbind; + } + wcd938x->sdw_priv[AIF1_PB] = dev_get_drvdata(wcd938x->rxdev); + wcd938x->sdw_priv[AIF1_PB]->wcd938x = wcd938x; +@@ -3443,7 +3444,8 @@ static int wcd938x_bind(struct device *d + wcd938x->txdev = wcd938x_sdw_device_get(wcd938x->txnode); + if (!wcd938x->txdev) { + dev_err(dev, "could not find txslave with matching of node\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put_rxdev; + } + wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev); + wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x; +@@ -3454,31 +3456,35 @@ static int wcd938x_bind(struct device *d + if (!device_link_add(wcd938x->rxdev, wcd938x->txdev, DL_FLAG_STATELESS | + DL_FLAG_PM_RUNTIME)) { + dev_err(dev, "could not devlink tx and rx\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put_txdev; + } + + if (!device_link_add(dev, wcd938x->txdev, DL_FLAG_STATELESS | + DL_FLAG_PM_RUNTIME)) { + dev_err(dev, "could not devlink wcd and tx\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_remove_rxtx_link; + } + + if (!device_link_add(dev, wcd938x->rxdev, DL_FLAG_STATELESS | + DL_FLAG_PM_RUNTIME)) { + dev_err(dev, "could not devlink wcd and rx\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_remove_tx_link; + } + + wcd938x->regmap = dev_get_regmap(&wcd938x->tx_sdw_dev->dev, NULL); + if (!wcd938x->regmap) { + dev_err(dev, "could not get TX device regmap\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_remove_rx_link; + } + + ret = wcd938x_irq_init(wcd938x, dev); + if (ret) { + dev_err(dev, "%s: IRQ init failed: %d\n", __func__, ret); +- return ret; ++ goto err_remove_rx_link; + } + + wcd938x->sdw_priv[AIF1_PB]->slave_irq = wcd938x->virq; +@@ -3487,17 +3493,33 @@ static int wcd938x_bind(struct device *d + ret = wcd938x_set_micbias_data(wcd938x); + if (ret < 0) { + dev_err(dev, "%s: bad micbias pdata\n", __func__); +- return ret; ++ goto err_remove_rx_link; + } + + ret = snd_soc_register_component(dev, &soc_codec_dev_wcd938x, + wcd938x_dais, ARRAY_SIZE(wcd938x_dais)); +- if (ret) ++ if (ret) { + dev_err(dev, "%s: Codec registration failed\n", + __func__); ++ goto err_remove_rx_link; ++ } + +- return ret; ++ return 0; + ++err_remove_rx_link: ++ device_link_remove(dev, wcd938x->rxdev); ++err_remove_tx_link: ++ device_link_remove(dev, wcd938x->txdev); ++err_remove_rxtx_link: ++ device_link_remove(wcd938x->rxdev, wcd938x->txdev); ++err_put_txdev: ++ put_device(wcd938x->txdev); ++err_put_rxdev: ++ put_device(wcd938x->rxdev); ++err_unbind: ++ component_unbind_all(dev, wcd938x); ++ ++ return ret; + } + + static void wcd938x_unbind(struct device *dev) +@@ -3508,6 +3530,8 @@ static void wcd938x_unbind(struct device + device_link_remove(dev, wcd938x->txdev); + device_link_remove(dev, wcd938x->rxdev); + device_link_remove(wcd938x->rxdev, wcd938x->txdev); ++ put_device(wcd938x->txdev); ++ put_device(wcd938x->rxdev); + component_unbind_all(dev, wcd938x); + } + diff --git a/queue-6.5/asoc-codecs-wcd938x-fix-runtime-pm-imbalance-on-remove.patch b/queue-6.5/asoc-codecs-wcd938x-fix-runtime-pm-imbalance-on-remove.patch new file mode 100644 index 00000000000..84fac3af399 --- /dev/null +++ b/queue-6.5/asoc-codecs-wcd938x-fix-runtime-pm-imbalance-on-remove.patch @@ -0,0 +1,43 @@ +From 3ebebb2c1eca92a15107b2d7aeff34196fd9e217 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:56 +0200 +Subject: ASoC: codecs: wcd938x: fix runtime PM imbalance on remove + +From: Johan Hovold + +commit 3ebebb2c1eca92a15107b2d7aeff34196fd9e217 upstream. + +Make sure to balance the runtime PM operations, including the disable +count, on driver unbind. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-6-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3620,9 +3620,15 @@ err_disable_regulators: + + static void wcd938x_remove(struct platform_device *pdev) + { +- struct wcd938x_priv *wcd938x = dev_get_drvdata(&pdev->dev); ++ struct device *dev = &pdev->dev; ++ struct wcd938x_priv *wcd938x = dev_get_drvdata(dev); ++ ++ component_master_del(dev, &wcd938x_comp_ops); ++ ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_dont_use_autosuspend(dev); + +- component_master_del(&pdev->dev, &wcd938x_comp_ops); + regulator_bulk_disable(WCD938X_MAX_SUPPLY, wcd938x->supplies); + regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies); + } diff --git a/queue-6.5/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch b/queue-6.5/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch new file mode 100644 index 00000000000..ae7393accb2 --- /dev/null +++ b/queue-6.5/asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch @@ -0,0 +1,37 @@ +From fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:53 +0200 +Subject: ASoC: codecs: wcd938x: fix unbind tear down order + +From: Johan Hovold + +commit fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c upstream. + +Make sure to deregister the component before tearing down the resources +it depends on during unbind(). + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-3-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3504,10 +3504,10 @@ static void wcd938x_unbind(struct device + { + struct wcd938x_priv *wcd938x = dev_get_drvdata(dev); + ++ snd_soc_unregister_component(dev); + device_link_remove(dev, wcd938x->txdev); + device_link_remove(dev, wcd938x->rxdev); + device_link_remove(wcd938x->rxdev, wcd938x->txdev); +- snd_soc_unregister_component(dev); + component_unbind_all(dev, wcd938x); + } + diff --git a/queue-6.5/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch b/queue-6.5/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch new file mode 100644 index 00000000000..ff7b292f2ca --- /dev/null +++ b/queue-6.5/asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch @@ -0,0 +1,56 @@ +From c5c0383082eace13da2ffceeea154db2780165e7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:58 +0200 +Subject: ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors + +From: Johan Hovold + +commit c5c0383082eace13da2ffceeea154db2780165e7 upstream. + +Make sure to balance the runtime PM operations, including the disable +count, on probe errors and on driver unbind. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-8-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x-sdw.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd938x-sdw.c ++++ b/sound/soc/codecs/wcd938x-sdw.c +@@ -1278,7 +1278,18 @@ static int wcd9380_probe(struct sdw_slav + pm_runtime_set_active(dev); + pm_runtime_enable(dev); + +- return component_add(dev, &wcd938x_sdw_component_ops); ++ ret = component_add(dev, &wcd938x_sdw_component_ops); ++ if (ret) ++ goto err_disable_rpm; ++ ++ return 0; ++ ++err_disable_rpm: ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_dont_use_autosuspend(dev); ++ ++ return ret; + } + + static int wcd9380_remove(struct sdw_slave *pdev) +@@ -1287,6 +1298,10 @@ static int wcd9380_remove(struct sdw_sla + + component_del(dev, &wcd938x_sdw_component_ops); + ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ pm_runtime_dont_use_autosuspend(dev); ++ + return 0; + } + diff --git a/queue-6.5/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch b/queue-6.5/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch new file mode 100644 index 00000000000..e62d0255f84 --- /dev/null +++ b/queue-6.5/asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch @@ -0,0 +1,49 @@ +From f0dfdcbe706462495d47982eecd13a61aabd644d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:55:57 +0200 +Subject: ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind + +From: Johan Hovold + +commit f0dfdcbe706462495d47982eecd13a61aabd644d upstream. + +Make sure to deregister the component when the driver is being unbound +and before the underlying device-managed resources are freed. + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231003155558.27079-7-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x-sdw.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/sound/soc/codecs/wcd938x-sdw.c ++++ b/sound/soc/codecs/wcd938x-sdw.c +@@ -1281,6 +1281,15 @@ static int wcd9380_probe(struct sdw_slav + return component_add(dev, &wcd938x_sdw_component_ops); + } + ++static int wcd9380_remove(struct sdw_slave *pdev) ++{ ++ struct device *dev = &pdev->dev; ++ ++ component_del(dev, &wcd938x_sdw_component_ops); ++ ++ return 0; ++} ++ + static const struct sdw_device_id wcd9380_slave_id[] = { + SDW_SLAVE_ENTRY(0x0217, 0x10d, 0), + {}, +@@ -1320,6 +1329,7 @@ static const struct dev_pm_ops wcd938x_s + + static struct sdw_driver wcd9380_codec_driver = { + .probe = wcd9380_probe, ++ .remove = wcd9380_remove, + .ops = &wcd9380_slave_ops, + .id_table = wcd9380_slave_id, + .driver = { diff --git a/queue-6.5/drm-edid-add-8-bpc-quirk-to-the-benq-gw2765.patch b/queue-6.5/drm-edid-add-8-bpc-quirk-to-the-benq-gw2765.patch new file mode 100644 index 00000000000..3624edf14d3 --- /dev/null +++ b/queue-6.5/drm-edid-add-8-bpc-quirk-to-the-benq-gw2765.patch @@ -0,0 +1,40 @@ +From 88630e91f12677848c0c4a5790ec0d691f8859fa Mon Sep 17 00:00:00 2001 +From: Hamza Mahfooz +Date: Thu, 12 Oct 2023 14:49:27 -0400 +Subject: drm/edid: add 8 bpc quirk to the BenQ GW2765 + +From: Hamza Mahfooz + +commit 88630e91f12677848c0c4a5790ec0d691f8859fa upstream. + +The BenQ GW2765 reports that it supports higher (> 8) bpc modes, but +when trying to set them we end up with a black screen. So, limit it to 8 +bpc modes. + +Cc: stable@vger.kernel.org # 6.5+ +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2610 +Reviewed-by: Harry Wentland +Signed-off-by: Hamza Mahfooz +Link: https://patchwork.freedesktop.org/patch/msgid/20231012184927.133137-1-hamza.mahfooz@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_edid.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c +index 340da8257b51..4b71040ae5be 100644 +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -123,6 +123,9 @@ static const struct edid_quirk { + /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */ + EDID_QUIRK('A', 'E', 'O', 0, EDID_QUIRK_FORCE_6BPC), + ++ /* BenQ GW2765 */ ++ EDID_QUIRK('B', 'N', 'Q', 0x78d6, EDID_QUIRK_FORCE_8BPC), ++ + /* BOE model on HP Pavilion 15-n233sl reports 8 bpc, but is a 6 bpc panel */ + EDID_QUIRK('B', 'O', 'E', 0x78b, EDID_QUIRK_FORCE_6BPC), + +-- +2.42.0 + diff --git a/queue-6.5/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch b/queue-6.5/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch new file mode 100644 index 00000000000..be71f532ee6 --- /dev/null +++ b/queue-6.5/drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch @@ -0,0 +1,52 @@ +From e339c6d628fe66c9b64bf31040a55770952aec57 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 12 Oct 2023 16:28:01 +0300 +Subject: drm/i915: Retry gtt fault when out of fence registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit e339c6d628fe66c9b64bf31040a55770952aec57 upstream. + +If we can't find a free fence register to handle a fault in the GMADR +range just return VM_FAULT_NOPAGE without populating the PTE so that +userspace will retry the access and trigger another fault. Eventually +we should find a free fence and the fault will get properly handled. + +A further improvement idea might be to reserve a fence (or one per CPU?) +for the express purpose of handling faults without having to retry. But +that would require some additional work. + +Looks like this may have gotten broken originally by +commit 39965b376601 ("drm/i915: don't trash the gtt when running out of fences") +as that changed the errno to -EDEADLK which wasn't handle by the gtt +fault code either. But later in commit 2feeb52859fc ("drm/i915/gt: Fix +-EDEADLK handling regression") I changed it again to -ENOBUFS as -EDEADLK +was now getting used for the ww mutex dance. So this fix only makes +sense after that last commit. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9479 +Fixes: 2feeb52859fc ("drm/i915/gt: Fix -EDEADLK handling regression") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20231012132801.16292-1-ville.syrjala@linux.intel.com +Reviewed-by: Andi Shyti +(cherry picked from commit 7f403caabe811b88ab0de3811ff3f4782c415761) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_mman.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c +@@ -235,6 +235,7 @@ static vm_fault_t i915_error_to_vmf_faul + case 0: + case -EAGAIN: + case -ENOSPC: /* transient failure to evict? */ ++ case -ENOBUFS: /* temporarily out of fences? */ + case -ERESTARTSYS: + case -EINTR: + case -EBUSY: diff --git a/queue-6.5/drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch b/queue-6.5/drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch new file mode 100644 index 00000000000..c5ef85f08af --- /dev/null +++ b/queue-6.5/drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch @@ -0,0 +1,67 @@ +From dcc583c225e659d5da34b4ad83914fd6b51e3dbf Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 4 Oct 2023 16:32:24 +0800 +Subject: drm/mediatek: Correctly free sg_table in gem prime vmap + +From: Chen-Yu Tsai + +commit dcc583c225e659d5da34b4ad83914fd6b51e3dbf upstream. + +The MediaTek DRM driver implements GEM PRIME vmap by fetching the +sg_table for the object, iterating through the pages, and then +vmapping them. In essence, unlike the GEM DMA helpers which vmap +when the object is first created or imported, the MediaTek version +does it on request. + +Unfortunately, the code never correctly frees the sg_table contents. +This results in a kernel memory leak. On a Hayato device with a text +console on the internal display, this results in the system running +out of memory in a few days from all the console screen cursor updates. + +Add sg_free_table() to correctly free the contents of the sg_table. This +was missing despite explicitly required by mtk_gem_prime_get_sg_table(). + +Also move the "out" shortcut label to after the kfree() call for the +sg_table. Having sg_free_table() together with kfree() makes more sense. +The shortcut is only used when the object already has a kernel address, +in which case the pointer is NULL and kfree() does nothing. Hence this +change causes no functional change. + +Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function") +Cc: +Signed-off-by: Chen-Yu Tsai +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20231004083226.1940055-1-wenst@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_ge + npages = obj->size >> PAGE_SHIFT; + mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL); + if (!mtk_gem->pages) { ++ sg_free_table(sgt); + kfree(sgt); + return -ENOMEM; + } +@@ -248,12 +249,15 @@ int mtk_drm_gem_prime_vmap(struct drm_ge + mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP, + pgprot_writecombine(PAGE_KERNEL)); + if (!mtk_gem->kvaddr) { ++ sg_free_table(sgt); + kfree(sgt); + kfree(mtk_gem->pages); + return -ENOMEM; + } +-out: ++ sg_free_table(sgt); + kfree(sgt); ++ ++out: + iosys_map_set_vaddr(map, mtk_gem->kvaddr); + + return 0; diff --git a/queue-6.5/drm-nouveau-disp-fix-dp-capable-dsm-connectors.patch b/queue-6.5/drm-nouveau-disp-fix-dp-capable-dsm-connectors.patch new file mode 100644 index 00000000000..c583b0fe90f --- /dev/null +++ b/queue-6.5/drm-nouveau-disp-fix-dp-capable-dsm-connectors.patch @@ -0,0 +1,62 @@ +From 4366faf43308bd91c59a20c43a9f853a9c3bb6e4 Mon Sep 17 00:00:00 2001 +From: Karol Herbst +Date: Wed, 11 Oct 2023 13:41:34 +0200 +Subject: drm/nouveau/disp: fix DP capable DSM connectors + +From: Karol Herbst + +commit 4366faf43308bd91c59a20c43a9f853a9c3bb6e4 upstream. + +Just special case DP DSM connectors until we properly figure out how to +deal with this. + +This resolves user regressions on GPUs with such connectors without +reverting the original fix. + +Cc: Lyude Paul +Cc: stable@vger.kernel.org # 6.4+ +Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/255 +Fixes: 2b5d1c29f6c4 ("drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts") +Signed-off-by: Karol Herbst +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20231011114134.861818-1-kherbst@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c +index 46b057fe1412..3249e5c1c893 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c +@@ -62,6 +62,18 @@ nvkm_uconn_uevent_gpio(struct nvkm_object *object, u64 token, u32 bits) + return object->client->event(token, &args, sizeof(args.v0)); + } + ++static bool ++nvkm_connector_is_dp_dms(u8 type) ++{ ++ switch (type) { ++ case DCB_CONNECTOR_DMS59_DP0: ++ case DCB_CONNECTOR_DMS59_DP1: ++ return true; ++ default: ++ return false; ++ } ++} ++ + static int + nvkm_uconn_uevent(struct nvkm_object *object, void *argv, u32 argc, struct nvkm_uevent *uevent) + { +@@ -101,7 +113,7 @@ nvkm_uconn_uevent(struct nvkm_object *object, void *argv, u32 argc, struct nvkm_ + if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_GPIO_LO; + if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) { + /* TODO: support DP IRQ on ANX9805 and remove this hack. */ +- if (!outp->info.location) ++ if (!outp->info.location && !nvkm_connector_is_dp_dms(conn->info.type)) + return -EINVAL; + } + +-- +2.42.0 + diff --git a/queue-6.5/io_uring-fix-crash-with-ioring_setup_no_mmap-and-invalid-sq-ring-address.patch b/queue-6.5/io_uring-fix-crash-with-ioring_setup_no_mmap-and-invalid-sq-ring-address.patch new file mode 100644 index 00000000000..c2717f09e66 --- /dev/null +++ b/queue-6.5/io_uring-fix-crash-with-ioring_setup_no_mmap-and-invalid-sq-ring-address.patch @@ -0,0 +1,71 @@ +From 8b51a3956d44ea6ade962874ade14de9a7d16556 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 18 Oct 2023 08:09:27 -0600 +Subject: io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address + +From: Jens Axboe + +commit 8b51a3956d44ea6ade962874ade14de9a7d16556 upstream. + +If we specify a valid CQ ring address but an invalid SQ ring address, +we'll correctly spot this and free the allocated pages and clear them +to NULL. However, we don't clear the ring page count, and hence will +attempt to free the pages again. We've already cleared the address of +the page array when freeing them, but we don't check for that. This +causes the following crash: + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +Oops [#1] +Modules linked in: +CPU: 0 PID: 20 Comm: kworker/u2:1 Not tainted 6.6.0-rc5-dirty #56 +Hardware name: ucbbar,riscvemu-bare (DT) +Workqueue: events_unbound io_ring_exit_work +epc : io_pages_free+0x2a/0x58 + ra : io_rings_free+0x3a/0x50 + epc : ffffffff808811a2 ra : ffffffff80881406 sp : ffff8f80000c3cd0 + status: 0000000200000121 badaddr: 0000000000000000 cause: 000000000000000d + [] io_pages_free+0x2a/0x58 + [] io_rings_free+0x3a/0x50 + [] io_ring_exit_work+0x37e/0x424 + [] process_one_work+0x10c/0x1f4 + [] worker_thread+0x252/0x31c + [] kthread+0xc4/0xe0 + [] ret_from_fork+0xa/0x1c + +Check for a NULL array in io_pages_free(), but also clear the page counts +when we free them to be on the safer side. + +Reported-by: rtm@csail.mit.edu +Fixes: 03d89a2de25b ("io_uring: support for user allocated memory for rings/sqes") +Cc: stable@vger.kernel.org +Reviewed-by: Jeff Moyer +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2666,7 +2666,11 @@ static void io_pages_free(struct page ** + + if (!pages) + return; ++ + page_array = *pages; ++ if (!page_array) ++ return; ++ + for (i = 0; i < npages; i++) + unpin_user_page(page_array[i]); + kvfree(page_array); +@@ -2750,7 +2754,9 @@ static void io_rings_free(struct io_ring + ctx->sq_sqes = NULL; + } else { + io_pages_free(&ctx->ring_pages, ctx->n_ring_pages); ++ ctx->n_ring_pages = 0; + io_pages_free(&ctx->sqe_pages, ctx->n_sqe_pages); ++ ctx->n_sqe_pages = 0; + } + } + diff --git a/queue-6.5/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch b/queue-6.5/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch new file mode 100644 index 00000000000..c48d221056a --- /dev/null +++ b/queue-6.5/nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch @@ -0,0 +1,61 @@ +From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 2 Oct 2023 13:54:28 +0300 +Subject: nvmet-tcp: Fix a possible UAF in queue intialization setup + +From: Sagi Grimberg + +commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream. + +From Alon: +"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel, +a malicious user can cause a UAF and a double free, which may lead to +RCE (may also lead to an LPE in case the attacker already has local +privileges)." + +Hence, when a queue initialization fails after the ahash requests are +allocated, it is guaranteed that the queue removal async work will be +called, hence leave the deallocation to the queue removal. + +Also, be extra careful not to continue processing the socket, so set +queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error. + +Cc: stable@vger.kernel.org +Reported-by: Alon Zahavi +Tested-by: Alon Zahavi +Signed-off-by: Sagi Grimberg +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/tcp.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -372,6 +372,7 @@ static void nvmet_tcp_fatal_error(struct + + static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status) + { ++ queue->rcv_state = NVMET_TCP_RECV_ERR; + if (status == -EPIPE || status == -ECONNRESET) + kernel_sock_shutdown(queue->sock, SHUT_RDWR); + else +@@ -910,15 +911,11 @@ static int nvmet_tcp_handle_icreq(struct + iov.iov_len = sizeof(*icresp); + ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len); + if (ret < 0) +- goto free_crypto; ++ return ret; /* queue removal will cleanup */ + + queue->state = NVMET_TCP_Q_LIVE; + nvmet_prepare_receive_pdu(queue); + return 0; +-free_crypto: +- if (queue->hdr_digest || queue->data_digest) +- nvmet_tcp_free_crypto(queue); +- return ret; + } + + static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue, diff --git a/queue-6.5/qed-fix-ll2-rx-buffer-allocation.patch b/queue-6.5/qed-fix-ll2-rx-buffer-allocation.patch new file mode 100644 index 00000000000..0d6665bcdeb --- /dev/null +++ b/queue-6.5/qed-fix-ll2-rx-buffer-allocation.patch @@ -0,0 +1,66 @@ +From 2f3389c73832ad90b63208c0fc281ad080114c7a Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Fri, 13 Oct 2023 18:48:12 +0530 +Subject: qed: fix LL2 RX buffer allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Manish Chopra + +commit 2f3389c73832ad90b63208c0fc281ad080114c7a upstream. + +Driver allocates the LL2 rx buffers from kmalloc() +area to construct the skb using slab_build_skb() + +The required size allocation seems to have overlooked +for accounting both skb_shared_info size and device +placement padding bytes which results into the below +panic when doing skb_put() for a standard MTU sized frame. + +skbuff: skb_over_panic: text:ffffffffc0b0225f len:1514 put:1514 +head:ff3dabceaf39c000 data:ff3dabceaf39c042 tail:0x62c end:0x566 +dev: +… +skb_panic+0x48/0x4a +skb_put.cold+0x10/0x10 +qed_ll2b_complete_rx_packet+0x14f/0x260 [qed] +qed_ll2_rxq_handle_completion.constprop.0+0x169/0x200 [qed] +qed_ll2_rxq_completion+0xba/0x320 [qed] +qed_int_sp_dpc+0x1a7/0x1e0 [qed] + +This patch fixes this by accouting skb_shared_info and device +placement padding size bytes when allocating the buffers. + +Cc: David S. Miller +Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support") +Signed-off-by: Manish Chopra +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_ll2.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c +@@ -113,7 +113,10 @@ static void qed_ll2b_complete_tx_packet( + static int qed_ll2_alloc_buffer(struct qed_dev *cdev, + u8 **data, dma_addr_t *phys_addr) + { +- *data = kmalloc(cdev->ll2->rx_size, GFP_ATOMIC); ++ size_t size = cdev->ll2->rx_size + NET_SKB_PAD + ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); ++ ++ *data = kmalloc(size, GFP_ATOMIC); + if (!(*data)) { + DP_INFO(cdev, "Failed to allocate LL2 buffer data\n"); + return -ENOMEM; +@@ -2589,7 +2592,7 @@ static int qed_ll2_start(struct qed_dev + INIT_LIST_HEAD(&cdev->ll2->list); + spin_lock_init(&cdev->ll2->lock); + +- cdev->ll2->rx_size = NET_SKB_PAD + ETH_HLEN + ++ cdev->ll2->rx_size = PRM_DMA_PAD_BYTES_NUM + ETH_HLEN + + L1_CACHE_BYTES + params->mtu; + + /* Allocate memory for LL2. diff --git a/queue-6.5/series b/queue-6.5/series index 22465016e0b..5e13fe34b38 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -34,3 +34,20 @@ fs-ntfs3-fix-shift-out-of-bounds-in-ntfs_fill_super.patch fs-ntfs3-fix-deadlock-in-mark_as_free_ex.patch revert-net-wwan-iosm-enable-runtime-pm-support-for-7560.patch netfilter-nft_payload-fix-wrong-mac-header-matching.patch +io_uring-fix-crash-with-ioring_setup_no_mmap-and-invalid-sq-ring-address.patch +nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch +drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch +drm-mediatek-correctly-free-sg_table-in-gem-prime-vmap.patch +drm-nouveau-disp-fix-dp-capable-dsm-connectors.patch +drm-edid-add-8-bpc-quirk-to-the-benq-gw2765.patch +alsa-hda-realtek-fixed-asus-platform-headset-mic-issue.patch +alsa-hda-realtek-add-quirk-for-asus-rog-gu603zv.patch +alsa-hda-relatek-enable-mute-led-on-hp-laptop-15s-fq5xxx.patch +asoc-codecs-wcd938x-sdw-fix-use-after-free-on-driver-unbind.patch +asoc-codecs-wcd938x-sdw-fix-runtime-pm-imbalance-on-probe-errors.patch +asoc-codecs-wcd938x-drop-bogus-bind-error-handling.patch +asoc-codecs-wcd938x-fix-unbind-tear-down-order.patch +asoc-codecs-wcd938x-fix-resource-leaks-on-bind-errors.patch +asoc-codecs-wcd938x-fix-regulator-leaks-on-probe-errors.patch +asoc-codecs-wcd938x-fix-runtime-pm-imbalance-on-remove.patch +qed-fix-ll2-rx-buffer-allocation.patch