From: Greg Kroah-Hartman Date: Wed, 22 Nov 2023 19:46:46 +0000 (+0000) Subject: 6.6-stable patches X-Git-Tag: v4.14.331~110 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=278f797bb2ec17f8553808d84dc510eb933f9e96;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: arm64-module-fix-plt-counting-when-config_randomize_base-n.patch arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch integrity-powerpc-do-not-select-ca_machine_keyring.patch ksmbd-fix-recursive-locking-in-vfs-helpers.patch ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch ksmbd-handle-malformed-smb1-message.patch mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch mmc-vub300-fix-an-error-code.patch parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch parisc-pdc-add-width-field-to-struct-pdc_model.patch parisc-power-add-power-soft-off-when-running-on-qemu.patch pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch --- diff --git a/queue-6.6/arm64-module-fix-plt-counting-when-config_randomize_base-n.patch b/queue-6.6/arm64-module-fix-plt-counting-when-config_randomize_base-n.patch new file mode 100644 index 00000000000..7d927b714d0 --- /dev/null +++ b/queue-6.6/arm64-module-fix-plt-counting-when-config_randomize_base-n.patch 
@@ -0,0 +1,67 @@ +From d35686444fc80950c731e33a2f6ad4a55822be9b Mon Sep 17 00:00:00 2001 +From: Maria Yu +Date: Tue, 24 Oct 2023 09:09:54 +0800 +Subject: arm64: module: Fix PLT counting when CONFIG_RANDOMIZE_BASE=n + +From: Maria Yu + +commit d35686444fc80950c731e33a2f6ad4a55822be9b upstream. + +The counting of module PLTs has been broken when CONFIG_RANDOMIZE_BASE=n +since commit: + + 3e35d303ab7d22c4 ("arm64: module: rework module VA range selection") + +Prior to that commit, when CONFIG_RANDOMIZE_BASE=n, the kernel image and +all modules were placed within a 128M region, and no PLTs were necessary +for B or BL. Hence count_plts() and partition_branch_plt_relas() skipped +handling B and BL when CONFIG_RANDOMIZE_BASE=n. + +After that commit, modules can be placed anywhere within a 2G window +regardless of CONFIG_RANDOMIZE_BASE, and hence PLTs may be necessary for +B and BL even when CONFIG_RANDOMIZE_BASE=n. Unfortunately that commit +failed to update count_plts() and partition_branch_plt_relas() +accordingly. + +Due to this, module_emit_plt_entry() may fail if an insufficient number +of PLT entries have been reserved, resulting in modules failing to load +with -ENOEXEC. + +Fix this by counting PLTs regardless of CONFIG_RANDOMIZE_BASE in +count_plts() and partition_branch_plt_relas(). 
+
+Fixes: 3e35d303ab7d ("arm64: module: rework module VA range selection")
+Signed-off-by: Maria Yu
+Cc: # 6.5.x
+Acked-by: Ard Biesheuvel
+Fixes: 3e35d303ab7d ("arm64: module: rework module VA range selection")
+Reviewed-by: Mark Rutland
+Link: https://lore.kernel.org/r/20231024010954.6768-1-quic_aiquny@quicinc.com
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/module-plts.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -167,9 +167,6 @@ static unsigned int count_plts(Elf64_Sym
+ switch (ELF64_R_TYPE(rela[i].r_info)) {
+ case R_AARCH64_JUMP26:
+ case R_AARCH64_CALL26:
+- if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE))
+- break;
+-
+ /*
+ * We only have to consider branch targets that resolve
+ * to symbols that are defined in a different section.
+@@ -269,9 +266,6 @@ static int partition_branch_plt_relas(El
+ {
+ int i = 0, j = numrels - 1;
+
+- if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE))
+- return 0;
+-
+ while (i < j) {
+ if (branch_rela_needs_plt(syms, &rela[i], dstidx))
+ i++;
diff --git a/queue-6.6/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch b/queue-6.6/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch
new file mode 100644
index 00000000000..e2c56d6bb85
--- /dev/null
+++ b/queue-6.6/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch
@@ -0,0 +1,89 @@ +From 146a15b873353f8ac28dc281c139ff611a3c4848 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 25 Oct 2023 10:21:28 -0700 +Subject: arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer + +From: Nathan Chancellor + +commit 146a15b873353f8ac28dc281c139ff611a3c4848 upstream. + +Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly +byte-swap NOP when compiling for big-endian, and the resulting series of +bytes happened to match the encoding of FNMADD S21, S30, S0, S0. + +This went unnoticed until commit: + + 34f66c4c4d5518c1 ("arm64: Use a positive cpucap for FP/SIMD") + +Prior to that commit, the kernel would always enable the use of FPSIMD +early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of +FNMADD within the kernel was not detected, but could result in the +corruption of user or kernel FPSIMD state. + +After that commit, the instructions happen to trap during boot prior to +FPSIMD being detected and enabled, e.g. 
+ +| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD +| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 +| Hardware name: linux,dummy-virt (DT) +| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +| pc : __pi_strcmp+0x1c/0x150 +| lr : populate_properties+0xe4/0x254 +| sp : ffffd014173d3ad0 +| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000 +| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008 +| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044 +| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005 +| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000 +| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000 +| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000 +| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000 +| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a +| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8 +| Kernel panic - not syncing: Unhandled exception +| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 +| Hardware name: linux,dummy-virt (DT) +| Call trace: +| dump_backtrace+0xec/0x108 +| show_stack+0x18/0x2c +| dump_stack_lvl+0x50/0x68 +| dump_stack+0x18/0x24 +| panic+0x13c/0x340 +| el1t_64_irq_handler+0x0/0x1c +| el1_abort+0x0/0x5c +| el1h_64_sync+0x64/0x68 +| __pi_strcmp+0x1c/0x150 +| unflatten_dt_nodes+0x1e8/0x2d8 +| __unflatten_device_tree+0x5c/0x15c +| unflatten_device_tree+0x38/0x50 +| setup_arch+0x164/0x1e0 +| start_kernel+0x64/0x38c +| __primary_switched+0xbc/0xc4 + +Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is +either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked +commit. 
+
+Closes: https://github.com/ClangBuiltLinux/linux/issues/1948
+Link: https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c
+Signed-off-by: Nathan Chancellor
+Cc: stable@vger.kernel.org
+Acked-by: Mark Rutland
+Link: https://lore.kernel.org/r/20231025-disable-arm64-be-ias-b4-llvm-15-v1-1-b25263ed8b23@kernel.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1368,6 +1368,8 @@ choice
+ config CPU_BIG_ENDIAN
+ bool "Build big-endian kernel"
+ depends on !LD_IS_LLD || LLD_VERSION >= 130000
++ # https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c
++ depends on AS_IS_GNU || AS_VERSION >= 150000
+ help
+ Say Y if you plan on running a kernel with a big-endian userspace.
+
diff --git a/queue-6.6/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch b/queue-6.6/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
new file mode 100644
index 00000000000..29585bb9c33
--- /dev/null
+++ b/queue-6.6/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
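Review bot: The comment added above `depends on AS_IS_GNU || AS_VERSION >= 150000` is a bare URL, so the reason for the assembler restriction cannot be read from Kconfig itself. The commit message gives that reason (LLVM's integrated assembler before 15.0.0 byte-swaps NOP on big-endian builds, and the result decodes as an FP instruction that can corrupt FPSIMD state). A one-line summary ahead of the link would keep it next to the dependency, e.g. `# LLVM IAS < 15.0.0 mis-encodes NOP for big-endian, see:` placed before the existing URL line. The CPU_BIG_ENDIAN help text continues outside the hunk.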
@@ -0,0 +1,75 @@ +From 99cd4935cb972d0aafb16838bb2aeadbcaf196ce Mon Sep 17 00:00:00 2001 +From: Kathiravan Thirumoorthy +Date: Thu, 14 Sep 2023 12:29:52 +0530 +Subject: clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks + +From: Kathiravan Thirumoorthy + +commit 99cd4935cb972d0aafb16838bb2aeadbcaf196ce upstream. + +GPLL, NSS crypto PLL clock rates are fixed and shouldn't be scaled based +on the request from dependent clocks. Doing so will result in the +unexpected behaviour. So drop the CLK_SET_RATE_PARENT flag from the PLL +clocks. + +Cc: stable@vger.kernel.org +Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support") +Signed-off-by: Kathiravan Thirumoorthy +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230913-gpll_cleanup-v2-2-c8ceb1a37680@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-ipq6018.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/clk/qcom/gcc-ipq6018.c ++++ b/drivers/clk/qcom/gcc-ipq6018.c +@@ -72,7 +72,6 @@ static struct clk_fixed_factor gpll0_out + &gpll0_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_fixed_factor_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -86,7 +85,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll0_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -161,7 +159,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll6_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -192,7 +189,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll4_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -243,7 +239,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll2_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ 
-274,7 +269,6 @@ static struct clk_alpha_pll_postdiv nss_ + &nss_crypto_pll_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + diff --git a/queue-6.6/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch b/queue-6.6/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch new file mode 100644 index 00000000000..1f4287a052b --- /dev/null +++ b/queue-6.6/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch 
@@ -0,0 +1,77 @@ +From e641a070137dd959932c7c222e000d9d941167a2 Mon Sep 17 00:00:00 2001 +From: Kathiravan Thirumoorthy +Date: Thu, 14 Sep 2023 12:29:51 +0530 +Subject: clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kathiravan Thirumoorthy + +commit e641a070137dd959932c7c222e000d9d941167a2 upstream. + +GPLL, NSS crypto PLL clock rates are fixed and shouldn't be scaled based +on the request from dependent clocks. Doing so will result in the +unexpected behaviour. So drop the CLK_SET_RATE_PARENT flag from the PLL +clocks. + +Cc: stable@vger.kernel.org +Fixes: b8e7e519625f ("clk: qcom: ipq8074: add remaining PLL’s") +Signed-off-by: Kathiravan Thirumoorthy +Link: https://lore.kernel.org/r/20230913-gpll_cleanup-v2-1-c8ceb1a37680@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-ipq8074.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/clk/qcom/gcc-ipq8074.c ++++ b/drivers/clk/qcom/gcc-ipq8074.c +@@ -75,7 +75,6 @@ static struct clk_fixed_factor gpll0_out + &gpll0_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_fixed_factor_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -121,7 +120,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll2_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -154,7 +152,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll4_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -188,7 +185,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll6_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -201,7 +197,6 @@ static struct clk_fixed_factor gpll6_out + &gpll6_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_fixed_factor_ops, +- 
.flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -266,7 +261,6 @@ static struct clk_alpha_pll_postdiv nss_ + &nss_crypto_pll_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + diff --git a/queue-6.6/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch b/queue-6.6/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch new file mode 100644 index 00000000000..b8cb72b05dc --- /dev/null +++ b/queue-6.6/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch 
@@ -0,0 +1,109 @@ +From d761bb01c85b22d5b44abe283eb89019693f6595 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 23 Oct 2023 21:30:52 -0600 +Subject: clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data + +From: Gustavo A. R. Silva + +commit d761bb01c85b22d5b44abe283eb89019693f6595 upstream. + +`struct clk_hw_onecell_data` is a flexible structure, which means that +it contains flexible-array member at the bottom, in this case array +`hws`: + +include/linux/clk-provider.h: +1380 struct clk_hw_onecell_data { +1381 unsigned int num; +1382 struct clk_hw *hws[] __counted_by(num); +1383 }; + +This could potentially lead to an overwrite of the objects following +`clk_data` in `struct stratix10_clock_data`, in this case +`void __iomem *base;` at run-time: + +drivers/clk/socfpga/stratix10-clk.h: + 9 struct stratix10_clock_data { + 10 struct clk_hw_onecell_data clk_data; + 11 void __iomem *base; + 12 }; + +There are currently three different places where memory is allocated for +`struct stratix10_clock_data`, including the flex-array `hws` in +`struct clk_hw_onecell_data`: + +drivers/clk/socfpga/clk-agilex.c: +469 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +470 num_clks), GFP_KERNEL); + +drivers/clk/socfpga/clk-agilex.c: +509 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +510 num_clks), GFP_KERNEL); + +drivers/clk/socfpga/clk-s10.c: +400 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +401 num_clks), GFP_KERNEL); + +I'll use just one of them to describe the issue. See below. + +Notice that a total of 440 bytes are allocated for flexible-array member +`hws` at line 469: + +include/dt-bindings/clock/agilex-clock.h: + 70 #define AGILEX_NUM_CLKS 55 + +drivers/clk/socfpga/clk-agilex.c: +459 struct stratix10_clock_data *clk_data; +460 void __iomem *base; +... 
+466 +467 num_clks = AGILEX_NUM_CLKS; +468 +469 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +470 num_clks), GFP_KERNEL); + +`struct_size(clk_data, clk_data.hws, num_clks)` above translates to +sizeof(struct stratix10_clock_data) + sizeof(struct clk_hw *) * 55 == +16 + 8 * 55 == 16 + 440 + ^^^ + | + allocated bytes for flex-array `hws` + +474 for (i = 0; i < num_clks; i++) +475 clk_data->clk_data.hws[i] = ERR_PTR(-ENOENT); +476 +477 clk_data->base = base; + +and then some data is written into both `hws` and `base` objects. + +Fix this by placing the declaration of object `clk_data` at the end of +`struct stratix10_clock_data`. Also, add a comment to make it clear +that this object must always be last in the structure. + +-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting +ready to enable it globally. + +Fixes: ba7e258425ac ("clk: socfpga: Convert to s10/agilex/n5x to use clk_hw") +Cc: stable@vger.kernel.org +Reviewed-by: Kees Cook +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/1da736106d8e0806aeafa6e471a13ced490eae22.1698117815.git.gustavoars@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/socfpga/stratix10-clk.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/clk/socfpga/stratix10-clk.h ++++ b/drivers/clk/socfpga/stratix10-clk.h +@@ -7,8 +7,10 @@ + #define __STRATIX10_CLK_H + + struct stratix10_clock_data { +- struct clk_hw_onecell_data clk_data; + void __iomem *base; ++ ++ /* Must be last */ ++ struct clk_hw_onecell_data clk_data; + }; + + struct stratix10_pll_clock { diff --git a/queue-6.6/clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch b/queue-6.6/clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch new file mode 100644 index 00000000000..1c6065a89e3 --- /dev/null +++ b/queue-6.6/clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch 
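Review bot: The new `/* Must be last */` comment in `struct stratix10_clock_data` does not say why. Nothing in the header enforces the ordering at build time until the -Wflex-array-member-not-at-end warning mentioned in the commit message is enabled. Naming the reason makes it less likely that a later field is appended after `clk_data` and overlaps the array again: `/* Must be last: clk_data ends in the flexible array hws[] */`. The same applies to the identical comment added to `struct visconti_pll_provider` in drivers/clk/visconti/pll.h.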
@@ -0,0 +1,109 @@ +From 5ad1e217a2b23aa046b241183bd9452d259d70d0 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 16 Oct 2023 16:05:27 -0600 +Subject: clk: visconti: Fix undefined behavior bug in struct visconti_pll_provider + +From: Gustavo A. R. Silva + +commit 5ad1e217a2b23aa046b241183bd9452d259d70d0 upstream. + +`struct clk_hw_onecell_data` is a flexible structure, which means that +it contains flexible-array member at the bottom, in this case array +`hws`: + +include/linux/clk-provider.h: +1380 struct clk_hw_onecell_data { +1381 unsigned int num; +1382 struct clk_hw *hws[] __counted_by(num); +1383 }; + +This could potentially lead to an overwrite of the objects following +`clk_data` in `struct visconti_pll_provider`, in this case +`struct device_node *node;`, at run-time: + +drivers/clk/visconti/pll.h: + 16 struct visconti_pll_provider { + 17 void __iomem *reg_base; + 18 struct clk_hw_onecell_data clk_data; + 19 struct device_node *node; + 20 }; + +Notice that a total of 56 bytes are allocated for flexible-array `hws` +at line 328. See below: + +include/dt-bindings/clock/toshiba,tmpv770x.h: + 14 #define TMPV770X_NR_PLL 7 + +drivers/clk/visconti/pll-tmpv770x.c: + 69 ctx = visconti_init_pll(np, reg_base, TMPV770X_NR_PLL); + +drivers/clk/visconti/pll.c: +321 struct visconti_pll_provider * __init visconti_init_pll(struct device_node *np, +322 void __iomem *base, +323 unsigned long nr_plls) +324 { +325 struct visconti_pll_provider *ctx; +... 
+328 ctx = kzalloc(struct_size(ctx, clk_data.hws, nr_plls), GFP_KERNEL); + +`struct_size(ctx, clk_data.hws, nr_plls)` above translates to +sizeof(struct visconti_pll_provider) + sizeof(struct clk_hw *) * 7 == +24 + 8 * 7 == 24 + 56 + ^^^^ + | + allocated bytes for flex array `hws` + +$ pahole -C visconti_pll_provider drivers/clk/visconti/pll.o +struct visconti_pll_provider { + void * reg_base; /* 0 8 */ + struct clk_hw_onecell_data clk_data; /* 8 8 */ + struct device_node * node; /* 16 8 */ + + /* size: 24, cachelines: 1, members: 3 */ + /* last cacheline: 24 bytes */ +}; + +And then, after the allocation, some data is written into all members +of `struct visconti_pll_provider`: + +332 for (i = 0; i < nr_plls; ++i) +333 ctx->clk_data.hws[i] = ERR_PTR(-ENOENT); +334 +335 ctx->node = np; +336 ctx->reg_base = base; +337 ctx->clk_data.num = nr_plls; + +Fix all these by placing the declaration of object `clk_data` at the +end of `struct visconti_pll_provider`. Also, add a comment to make it +clear that this object must always be last in the structure, and +prevent this bug from being introduced again in the future. + +-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting +ready to enable it globally. + +Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and reset driver") +Cc: stable@vger.kernel.org +Reviewed-by: Kees Cook +Acked-by: Nobuhiro Iwamatsu +Signed-off-by: Gustavo A. R. 
Silva
+Link: https://lore.kernel.org/r/57a831d94ee2b3889b11525d4ad500356f89576f.1697492890.git.gustavoars@kernel.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/visconti/pll.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/visconti/pll.h
++++ b/drivers/clk/visconti/pll.h
+@@ -15,8 +15,10 @@
+
+ struct visconti_pll_provider {
+ void __iomem *reg_base;
+- struct clk_hw_onecell_data clk_data;
+ struct device_node *node;
++
++ /* Must be last */
++ struct clk_hw_onecell_data clk_data;
+ };
+
+ #define VISCONTI_PLL_RATE(_rate, _dacen, _dsmen, \
diff --git a/queue-6.6/cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch b/queue-6.6/cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch
new file mode 100644
index 00000000000..727c9cdd2fb
--- /dev/null
+++ b/queue-6.6/cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch
@@ -0,0 +1,80 @@ +From ea167a7fc2426f7685c3735e104921c1a20a6d3f Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Tue, 24 Oct 2023 20:30:14 +0200 +Subject: cpufreq: stats: Fix buffer overflow detection in trans_stats() + +From: Christian Marangi + +commit ea167a7fc2426f7685c3735e104921c1a20a6d3f upstream. + +Commit 3c0897c180c6 ("cpufreq: Use scnprintf() for avoiding potential +buffer overflow") switched from snprintf to the more secure scnprintf +but never updated the exit condition for PAGE_SIZE. + +As the commit say and as scnprintf document, what scnprintf returns what +is actually written not counting the '\0' end char. This results in the +case of len exceeding the size, len set to PAGE_SIZE - 1, as it can be +written at max PAGE_SIZE - 1 (as '\0' is not counted) + +Because of len is never set to PAGE_SIZE, the function never break early, +never prints the warning and never return -EFBIG. + +Fix this by changing the condition to PAGE_SIZE - 1 to correctly trigger +the error. + +Cc: 5.10+ # 5.10+ +Fixes: 3c0897c180c6 ("cpufreq: Use scnprintf() for avoiding potential buffer overflow") +Signed-off-by: Christian Marangi +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. 
Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpufreq/cpufreq_stats.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_stats.c
++++ b/drivers/cpufreq/cpufreq_stats.c
+@@ -131,23 +131,23 @@ static ssize_t show_trans_table(struct c
+ len += sysfs_emit_at(buf, len, " From : To\n");
+ len += sysfs_emit_at(buf, len, " : ");
+ for (i = 0; i < stats->state_num; i++) {
+- if (len >= PAGE_SIZE)
++ if (len >= PAGE_SIZE - 1)
+ break;
+ len += sysfs_emit_at(buf, len, "%9u ", stats->freq_table[i]);
+ }
+- if (len >= PAGE_SIZE)
+- return PAGE_SIZE;
++ if (len >= PAGE_SIZE - 1)
++ return PAGE_SIZE - 1;
+
+ len += sysfs_emit_at(buf, len, "\n");
+
+ for (i = 0; i < stats->state_num; i++) {
+- if (len >= PAGE_SIZE)
++ if (len >= PAGE_SIZE - 1)
+ break;
+
+ len += sysfs_emit_at(buf, len, "%9u: ", stats->freq_table[i]);
+
+ for (j = 0; j < stats->state_num; j++) {
+- if (len >= PAGE_SIZE)
++ if (len >= PAGE_SIZE - 1)
+ break;
+
+ if (pending)
+@@ -157,12 +157,12 @@ static ssize_t show_trans_table(struct c
+
+ len += sysfs_emit_at(buf, len, "%9u ", count);
+ }
+- if (len >= PAGE_SIZE)
++ if (len >= PAGE_SIZE - 1)
+ break;
+ len += sysfs_emit_at(buf, len, "\n");
+ }
+
+- if (len >= PAGE_SIZE) {
++ if (len >= PAGE_SIZE - 1) {
+ pr_warn_once("cpufreq transition table exceeds PAGE_SIZE. Disabling\n");
+ return -EFBIG;
+ }
diff --git a/queue-6.6/integrity-powerpc-do-not-select-ca_machine_keyring.patch b/queue-6.6/integrity-powerpc-do-not-select-ca_machine_keyring.patch
new file mode 100644
index 00000000000..be6c70a7978
--- /dev/null
+++ b/queue-6.6/integrity-powerpc-do-not-select-ca_machine_keyring.patch
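Review bot: The early exit after the header row, `return PAGE_SIZE - 1;`, still reports success for a table that did not fit, while the final check warns and returns -EFBIG for the same condition. A reader of the sysfs file would get a truncated header with no error. If that difference is intentional it deserves a comment; if not, the header path could take the same -EFBIG exit as the body. The `PAGE_SIZE - 1` threshold is also repeated six times with no explanation. A comment at the first check would record the reasoning from the commit message, e.g. `/* the emitted length never counts the NUL, so a full buffer leaves len at PAGE_SIZE - 1 */`. show_trans_table() begins and ends outside these hunks.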
@@ -0,0 +1,39 @@ +From 3edc22655647378dea01900f7b04e017ff96bda9 Mon Sep 17 00:00:00 2001 +From: Michal Suchanek +Date: Thu, 7 Sep 2023 18:52:19 +0200 +Subject: integrity: powerpc: Do not select CA_MACHINE_KEYRING + +From: Michal Suchanek + +commit 3edc22655647378dea01900f7b04e017ff96bda9 upstream. + +No other platform needs CA_MACHINE_KEYRING, either. + +This is policy that should be decided by the administrator, not Kconfig +dependencies. + +Cc: stable@vger.kernel.org # v6.6+ +Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement") +Signed-off-by: Michal Suchanek +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/Kconfig | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig +index 232191ee09e3..b6e074ac0227 100644 +--- a/security/integrity/Kconfig ++++ b/security/integrity/Kconfig +@@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING + depends on INTEGRITY_ASYMMETRIC_KEYS + depends on SYSTEM_BLACKLIST_KEYRING + depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS +- select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS +- select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS + help + If set, provide a keyring to which Machine Owner Keys (MOK) may + be added. This keyring shall contain just MOK keys. Unlike keys +-- +2.43.0 + diff --git a/queue-6.6/ksmbd-fix-recursive-locking-in-vfs-helpers.patch b/queue-6.6/ksmbd-fix-recursive-locking-in-vfs-helpers.patch new file mode 100644 index 00000000000..f511d811ae4 --- /dev/null +++ b/queue-6.6/ksmbd-fix-recursive-locking-in-vfs-helpers.patch 
@@ -0,0 +1,140 @@ +From 807252f028c59b9a3bac4d62ad84761548c10f11 Mon Sep 17 00:00:00 2001 +From: Marios Makassikis +Date: Sat, 14 Oct 2023 12:48:25 +0900 +Subject: ksmbd: fix recursive locking in vfs helpers + +From: Marios Makassikis + +commit 807252f028c59b9a3bac4d62ad84761548c10f11 upstream. + +Running smb2.rename test from Samba smbtorture suite against a kernel built +with lockdep triggers a "possible recursive locking detected" warning. + +This is because mnt_want_write() is called twice with no mnt_drop_write() +in between: + -> ksmbd_vfs_mkdir() + -> ksmbd_vfs_kern_path_create() + -> kern_path_create() + -> filename_create() + -> mnt_want_write() + -> mnt_want_write() + +Fix this by removing the mnt_want_write/mnt_drop_write calls from vfs +helpers that call kern_path_create(). + +Full lockdep trace below: + +============================================ +WARNING: possible recursive locking detected +6.6.0-rc5 #775 Not tainted +-------------------------------------------- +kworker/1:1/32 is trying to acquire lock: +ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: ksmbd_vfs_mkdir+0xe1/0x410 + +but task is already holding lock: +ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(sb_writers#5); + lock(sb_writers#5); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +4 locks held by kworker/1:1/32: + #0: ffff8880064e4138 ((wq_completion)ksmbd-io){+.+.}-{0:0}, at: process_one_work+0x40e/0x980 + #1: ffff888005b0fdd0 ((work_completion)(&work->work)){+.+.}-{0:0}, at: process_one_work+0x40e/0x980 + #2: ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260 + #3: ffff8880057ce760 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x123/0x260 + +Cc: stable@vger.kernel.org +Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions") +Signed-off-by: Marios Makassikis +Acked-by: 
Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs.c | 23 +++--------------------
+ 1 file changed, 3 insertions(+), 20 deletions(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -173,10 +173,6 @@ int ksmbd_vfs_create(struct ksmbd_work *
+ return err;
+ }
+
+- err = mnt_want_write(path.mnt);
+- if (err)
+- goto out_err;
+-
+ mode |= S_IFREG;
+ err = vfs_create(mnt_idmap(path.mnt), d_inode(path.dentry),
+ dentry, mode, true);
+@@ -186,9 +182,7 @@ int ksmbd_vfs_create(struct ksmbd_work *
+ } else {
+ pr_err("File(%s): creation failed (err:%d)\n", name, err);
+ }
+- mnt_drop_write(path.mnt);
+
+-out_err:
+ done_path_create(&path, dentry);
+ return err;
+ }
+@@ -219,10 +213,6 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *w
+ return err;
+ }
+
+- err = mnt_want_write(path.mnt);
+- if (err)
+- goto out_err2;
+-
+ idmap = mnt_idmap(path.mnt);
+ mode |= S_IFDIR;
+ err = vfs_mkdir(idmap, d_inode(path.dentry), dentry, mode);
+@@ -233,21 +223,19 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *w
+ dentry->d_name.len);
+ if (IS_ERR(d)) {
+ err = PTR_ERR(d);
+- goto out_err1;
++ goto out_err;
+ }
+ if (unlikely(d_is_negative(d))) {
+ dput(d);
+ err = -ENOENT;
+- goto out_err1;
++ goto out_err;
+ }
+
+ ksmbd_vfs_inherit_owner(work, d_inode(path.dentry), d_inode(d));
+ dput(d);
+ }
+
+-out_err1:
+- mnt_drop_write(path.mnt);
+-out_err2:
++out_err:
+ done_path_create(&path, dentry);
+ if (err)
+ pr_err("mkdir(%s): creation failed (err:%d)\n", name, err);
+@@ -665,16 +653,11 @@ int ksmbd_vfs_link(struct ksmbd_work *wo
+ goto out3;
+ }
+
+- err = mnt_want_write(newpath.mnt);
+- if (err)
+- goto out3;
+-
+ err = vfs_link(oldpath.dentry, mnt_idmap(newpath.mnt),
+ d_inode(newpath.dentry),
+ dentry, NULL);
+ if (err)
+ ksmbd_debug(VFS, "vfs_link failed err %d\n", err);
+- mnt_drop_write(newpath.mnt);
+
+ out3:
+ done_path_create(&newpath, dentry);
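Review bot: With the mnt_want_write()/mnt_drop_write() pairs removed, ksmbd_vfs_create(), ksmbd_vfs_mkdir() and ksmbd_vfs_link() depend on an undocumented assumption. They rely on write access taken inside kern_path_create() (the commit message shows filename_create() calling mnt_want_write()) and, presumably, released by done_path_create(). The removed calls were themselves added by an earlier fix, so a short comment before each vfs_create()/vfs_mkdir()/vfs_link() call would help keep them from being re-added: `/* mnt write access is already held via kern_path_create(); do not take it again */`. The three function bodies extend beyond the hunks shown.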
diff --git a/queue-6.6/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch b/queue-6.6/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch new file mode 100644 index 00000000000..380dd540b08 --- /dev/null +++ b/queue-6.6/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch 
@@ -0,0 +1,74 @@ +From eebff19acaa35820cb09ce2ccb3d21bee2156ffb Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 5 Nov 2023 12:46:24 +0900 +Subject: ksmbd: fix slab out of bounds write in smb_inherit_dacl() + +From: Namjae Jeon + +commit eebff19acaa35820cb09ce2ccb3d21bee2156ffb upstream. + +slab out-of-bounds write is caused by that offsets is bigger than pntsd +allocation size. This patch add the check to validate 3 offsets using +allocation size. + +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22271 +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smbacl.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -1107,6 +1107,7 @@ pass: + struct smb_acl *pdacl; + struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL; + int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size; ++ int pntsd_alloc_size; + + if (parent_pntsd->osidoffset) { + powner_sid = (struct smb_sid *)((char *)parent_pntsd + +@@ -1119,9 +1120,10 @@ pass: + pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4); + } + +- pntsd = kzalloc(sizeof(struct smb_ntsd) + powner_sid_size + +- pgroup_sid_size + sizeof(struct smb_acl) + +- nt_size, GFP_KERNEL); ++ pntsd_alloc_size = sizeof(struct smb_ntsd) + powner_sid_size + ++ pgroup_sid_size + sizeof(struct smb_acl) + nt_size; ++ ++ pntsd = kzalloc(pntsd_alloc_size, GFP_KERNEL); + if (!pntsd) { + rc = -ENOMEM; + goto free_aces_base; +@@ -1136,6 +1138,27 @@ pass: + pntsd->gsidoffset = parent_pntsd->gsidoffset; + pntsd->dacloffset = parent_pntsd->dacloffset; + ++ if ((u64)le32_to_cpu(pntsd->osidoffset) + powner_sid_size > ++ pntsd_alloc_size) { ++ rc = -EINVAL; ++ kfree(pntsd); ++ goto free_aces_base; ++ } ++ ++ if ((u64)le32_to_cpu(pntsd->gsidoffset) + pgroup_sid_size > ++ pntsd_alloc_size) { ++ rc = -EINVAL; ++ kfree(pntsd); ++ goto free_aces_base; ++ 
} ++ ++ if ((u64)le32_to_cpu(pntsd->dacloffset) + sizeof(struct smb_acl) + nt_size > ++ pntsd_alloc_size) { ++ rc = -EINVAL; ++ kfree(pntsd); ++ goto free_aces_base; ++ } ++ + if (pntsd->osidoffset) { + struct smb_sid *owner_sid = (struct smb_sid *)((char *)pntsd + + le32_to_cpu(pntsd->osidoffset)); diff --git a/queue-6.6/ksmbd-handle-malformed-smb1-message.patch b/queue-6.6/ksmbd-handle-malformed-smb1-message.patch new file mode 100644 index 00000000000..c67583462e7 --- /dev/null +++ b/queue-6.6/ksmbd-handle-malformed-smb1-message.patch 
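Review bot: The three added checks in smb_inherit_dacl() only cap the upper end of each copied offset, so a non-zero `osidoffset`, `gsidoffset` or `dacloffset` smaller than `sizeof(struct smb_ntsd)` still passes and the copy that follows would land on the descriptor header inside the allocation. Each check could also reject that case, e.g. `if (pntsd->osidoffset && le32_to_cpu(pntsd->osidoffset) < sizeof(struct smb_ntsd))` with the same -EINVAL path, or the offsets could be recomputed from the sizes that make up `pntsd_alloc_size` instead of being copied from `parent_pntsd`. `pntsd_alloc_size` is declared `int` but compared against a `u64` sum; `size_t` would avoid the signed-to-unsigned conversion in those comparisons. The context lines also dereference the parent's owner and group SIDs at the parent's offsets before any of these checks, and whether those offsets are validated earlier cannot be seen here because the function starts and ends outside the hunk.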
@@ -0,0 +1,47 @@
+From 5a5409d90bd05f87fe5623a749ccfbf3f7c7d400 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Tue, 7 Nov 2023 21:04:31 +0900
+Subject: ksmbd: handle malformed smb1 message
+
+From: Namjae Jeon
+
+commit 5a5409d90bd05f87fe5623a749ccfbf3f7c7d400 upstream.
+
+If set_smb1_rsp_status() is not implemented, It will cause NULL pointer
+dereferece error when client send malformed smb1 message.
+This patch add set_smb1_rsp_status() to ignore malformed smb1 message.
+
+Cc: stable@vger.kernel.org
+Reported-by: Robert Morris
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb_common.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/smb/server/smb_common.c
++++ b/fs/smb/server/smb_common.c
+@@ -366,11 +366,22 @@ static int smb1_allocate_rsp_buf(struct
+ return 0;
+ }
+ 
++/**
++ * set_smb1_rsp_status() - set error type in smb response header
++ * @work: smb work containing smb response header
++ * @err: error code to set in response
++ */
++static void set_smb1_rsp_status(struct ksmbd_work *work, __le32 err)
++{
++ work->send_no_response = 1;
++}
++
+ static struct smb_version_ops smb1_server_ops = {
+ .get_cmd_val = get_smb1_cmd_val,
+ .init_rsp_hdr = init_smb1_rsp_hdr,
+ .allocate_rsp_buf = smb1_allocate_rsp_buf,
+ .check_user_session = smb1_check_user_session,
++ .set_rsp_status = set_smb1_rsp_status,
+ };
+ 
+ static int smb1_negotiate(struct ksmbd_work *work)
diff --git a/queue-6.6/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch b/queue-6.6/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch
new file mode 100644
index 00000000000..46403af1173
--- /dev/null
+++ b/queue-6.6/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch
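Review bot: The kernel-doc added above set_smb1_rsp_status() says it sets the error type in the response header, but the body only sets `work->send_no_response = 1` and never uses `err`. The comment should describe what the function does, for example `set_smb1_rsp_status() - suppress the response to a malformed smb1 request` with `@err: unused, no smb1 response is sent`. The NULL dereference described in the commit message suggests the caller invokes `set_rsp_status` through the ops table without a NULL check, so any other `smb_version_ops` instance that leaves a callback unset would presumably fail the same way; that call site is outside this hunk.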
@@ -0,0 +1,104 @@ +From ed9009ad300c0f15a3ecfe9613547b1962bde02c Mon Sep 17 00:00:00 2001 +From: Bean Huo +Date: Mon, 30 Oct 2023 23:48:09 +0100 +Subject: mmc: Add quirk MMC_QUIRK_BROKEN_CACHE_FLUSH for Micron eMMC Q2J54A + +From: Bean Huo + +commit ed9009ad300c0f15a3ecfe9613547b1962bde02c upstream. + +Micron MTFC4GACAJCN eMMC supports cache but requires that flush cache +operation be allowed only after a write has occurred. Otherwise, the +cache flush command or subsequent commands will time out. + +Signed-off-by: Bean Huo +Signed-off-by: Rafael Beims +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231030224809.59245-1-beanhuo@iokpp.de +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 4 +++- + drivers/mmc/core/card.h | 4 ++++ + drivers/mmc/core/mmc.c | 8 ++++++-- + drivers/mmc/core/quirks.h | 7 ++++--- + include/linux/mmc/card.h | 2 ++ + 5 files changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -2381,8 +2381,10 @@ enum mmc_issued mmc_blk_mq_issue_rq(stru + } + ret = mmc_blk_cqe_issue_flush(mq, req); + break; +- case REQ_OP_READ: + case REQ_OP_WRITE: ++ card->written_flag = true; ++ fallthrough; ++ case REQ_OP_READ: + if (host->cqe_enabled) + ret = mmc_blk_cqe_issue_rw_rq(mq, req); + else +--- a/drivers/mmc/core/card.h ++++ b/drivers/mmc/core/card.h +@@ -280,4 +280,8 @@ static inline int mmc_card_broken_sd_cac + return c->quirks & MMC_QUIRK_BROKEN_SD_CACHE; + } + ++static inline int mmc_card_broken_cache_flush(const struct mmc_card *c) ++{ ++ return c->quirks & MMC_QUIRK_BROKEN_CACHE_FLUSH; ++} + #endif +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -2081,13 +2081,17 @@ static int _mmc_flush_cache(struct mmc_h + { + int err = 0; + ++ if (mmc_card_broken_cache_flush(host->card) && !host->card->written_flag) ++ return 0; ++ + if (_mmc_cache_enabled(host)) { + err = mmc_switch(host->card, EXT_CSD_CMD_SET_NORMAL, + 
EXT_CSD_FLUSH_CACHE, 1, + CACHE_FLUSH_TIMEOUT_MS); + if (err) +- pr_err("%s: cache flush error %d\n", +- mmc_hostname(host), err); ++ pr_err("%s: cache flush error %d\n", mmc_hostname(host), err); ++ else ++ host->card->written_flag = false; + } + + return err; +--- a/drivers/mmc/core/quirks.h ++++ b/drivers/mmc/core/quirks.h +@@ -110,11 +110,12 @@ static const struct mmc_fixup __maybe_un + MMC_QUIRK_TRIM_BROKEN), + + /* +- * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to +- * support being used to offload WRITE_ZEROES. ++ * Micron MTFC4GACAJCN-1M supports TRIM but does not appear to support ++ * WRITE_ZEROES offloading. It also supports caching, but the cache can ++ * only be flushed after a write has occurred. + */ + MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc, +- MMC_QUIRK_TRIM_BROKEN), ++ MMC_QUIRK_TRIM_BROKEN | MMC_QUIRK_BROKEN_CACHE_FLUSH), + + /* + * Kingston EMMC04G-M627 advertises TRIM but it does not seems to +--- a/include/linux/mmc/card.h ++++ b/include/linux/mmc/card.h +@@ -295,7 +295,9 @@ struct mmc_card { + #define MMC_QUIRK_BROKEN_HPI (1<<13) /* Disable broken HPI support */ + #define MMC_QUIRK_BROKEN_SD_DISCARD (1<<14) /* Disable broken SD discard support */ + #define MMC_QUIRK_BROKEN_SD_CACHE (1<<15) /* Disable broken SD cache support */ ++#define MMC_QUIRK_BROKEN_CACHE_FLUSH (1<<16) /* Don't flush cache until the write has occurred */ + ++ bool written_flag; /* Indicates eMMC has been written since power on */ + bool reenable_cmdq; /* Re-enable Command Queue */ + + unsigned int erase_size; /* erase size in sectors */ diff --git a/queue-6.6/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch b/queue-6.6/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch new file mode 100644 index 00000000000..116919ec449 --- /dev/null +++ b/queue-6.6/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch 
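Review bot: The comment on the new `written_flag` field in include/linux/mmc/card.h says it records a write "since power on", but `_mmc_flush_cache()` clears the flag after every successful flush, so it actually means "written since the last cache flush". Suggested wording: `bool written_flag; /* eMMC written since the last successful cache flush */`. The flag is set only in the `REQ_OP_WRITE` case of `mmc_blk_mq_issue_rq()`; if any other path can write to the card, it would leave the flag false and the flush would be skipped, which is worth confirming against the code outside these hunks. Nothing in the visible hunks resets the flag when the card is re-initialised, so a stale `true` could presumably survive a power cycle and allow the flush the quirk is meant to suppress.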
@@ -0,0 +1,35 @@
+From 71956d0cb56c1e5f9feeb4819db87a076418e930 Mon Sep 17 00:00:00 2001
+From: Nitin Yadav
+Date: Thu, 26 Oct 2023 11:44:58 +0530
+Subject: mmc: sdhci_am654: fix start loop index for TAP value parsing
+
+From: Nitin Yadav
+
+commit 71956d0cb56c1e5f9feeb4819db87a076418e930 upstream.
+
+ti,otap-del-sel-legacy/ti,itap-del-sel-legacy passed from DT
+are currently ignored for all SD/MMC and eMMC modes. Fix this
+by making start loop index to MMC_TIMING_LEGACY.
+
+Fixes: 8ee5fc0e0b3b ("mmc: sdhci_am654: Update OTAPDLY writes")
+Signed-off-by: Nitin Yadav
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231026061458.1116276-1-n-yadav@ti.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci_am654.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci_am654.c
++++ b/drivers/mmc/host/sdhci_am654.c
+@@ -598,7 +598,7 @@ static int sdhci_am654_get_otap_delay(st
+ return 0;
+ }
+ 
+- for (i = MMC_TIMING_MMC_HS; i <= MMC_TIMING_MMC_HS400; i++) {
++ for (i = MMC_TIMING_LEGACY; i <= MMC_TIMING_MMC_HS400; i++) {
+ 
+ ret = device_property_read_u32(dev, td[i].otap_binding,
+ &sdhci_am654->otap_del_sel[i]);
diff --git a/queue-6.6/mmc-vub300-fix-an-error-code.patch b/queue-6.6/mmc-vub300-fix-an-error-code.patch
new file mode 100644
index 00000000000..6ab3c5006af
--- /dev/null
+++ b/queue-6.6/mmc-vub300-fix-an-error-code.patch
@@ -0,0 +1,31 @@
+From b44f9da81783fda72632ef9b0d05ea3f3ca447a5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 2 Nov 2023 10:51:06 +0300
+Subject: mmc: vub300: fix an error code
+
+From: Dan Carpenter
+
+commit b44f9da81783fda72632ef9b0d05ea3f3ca447a5 upstream.
+
+This error path should return -EINVAL instead of success.
+
+Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
+Signed-off-by: Dan Carpenter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/0769d30c-ad80-421b-bf5d-7d6f5d85604e@moroto.mountain
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/vub300.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/vub300.c
++++ b/drivers/mmc/host/vub300.c
+@@ -2309,6 +2309,7 @@ static int vub300_probe(struct usb_inter
+ vub300->read_only =
+ (0x0010 & vub300->system_port_status.port_flags) ? 1 : 0;
+ } else {
++ retval = -EINVAL;
+ goto error5;
+ }
+ usb_set_intfdata(interface, vub300);
diff --git a/queue-6.6/parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch b/queue-6.6/parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch
new file mode 100644
index 00000000000..d7b20623afc
--- /dev/null
+++ b/queue-6.6/parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch
@@ -0,0 +1,80 @@ +From 86bb854d134f4429feb35d2e05f55c6e036770d2 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Wed, 18 Oct 2023 19:24:14 +0200 +Subject: parisc/agp: Use 64-bit LE values in SBA IOMMU PDIR table + +From: Helge Deller + +commit 86bb854d134f4429feb35d2e05f55c6e036770d2 upstream. + +The PDIR table of the System Bus Adapter (SBA) I/O MMU uses 64-bit +little-endian pointers. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v6.4+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/agp/parisc-agp.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/char/agp/parisc-agp.c ++++ b/drivers/char/agp/parisc-agp.c +@@ -38,7 +38,7 @@ static struct _parisc_agp_info { + + int lba_cap_offset; + +- u64 *gatt; ++ __le64 *gatt; + u64 gatt_entries; + + u64 gart_base; +@@ -104,7 +104,7 @@ parisc_agp_create_gatt_table(struct agp_ + int i; + + for (i = 0; i < info->gatt_entries; i++) { +- info->gatt[i] = (unsigned long)agp_bridge->scratch_page; ++ info->gatt[i] = cpu_to_le64(agp_bridge->scratch_page); + } + + return 0; +@@ -158,9 +158,9 @@ parisc_agp_insert_memory(struct agp_memo + for (k = 0; + k < info->io_pages_per_kpage; + k++, j++, paddr += info->io_page_size) { +- info->gatt[j] = ++ info->gatt[j] = cpu_to_le64( + parisc_agp_mask_memory(agp_bridge, +- paddr, type); ++ paddr, type)); + asm_io_fdc(&info->gatt[j]); + } + } +@@ -184,7 +184,7 @@ parisc_agp_remove_memory(struct agp_memo + io_pg_start = info->io_pages_per_kpage * pg_start; + io_pg_count = info->io_pages_per_kpage * mem->page_count; + for (i = io_pg_start; i < io_pg_count + io_pg_start; i++) { +- info->gatt[i] = agp_bridge->scratch_page; ++ info->gatt[i] = cpu_to_le64(agp_bridge->scratch_page); + } + + agp_bridge->driver->tlb_flush(mem); +@@ -204,7 +204,8 @@ parisc_agp_mask_memory(struct agp_bridge + pa |= (ci >> PAGE_SHIFT) & 0xff;/* move CI (8 bits) into lowest byte */ + pa |= SBA_PDIR_VALID_BIT; /* set "valid" bit */ + +- return cpu_to_le64(pa); ++ /* 
return native (big-endian) PDIR entry */ ++ return pa; + } + + static void +@@ -251,7 +252,8 @@ static int __init + agp_ioc_init(void __iomem *ioc_regs) + { + struct _parisc_agp_info *info = &parisc_agp_info; +- u64 iova_base, *io_pdir, io_tlb_ps; ++ u64 iova_base, io_tlb_ps; ++ __le64 *io_pdir; + int io_tlb_shift; + + printk(KERN_INFO DRVPFX "IO PDIR shared with sba_iommu\n"); diff --git a/queue-6.6/parisc-pdc-add-width-field-to-struct-pdc_model.patch b/queue-6.6/parisc-pdc-add-width-field-to-struct-pdc_model.patch new file mode 100644 index 00000000000..0d398ffbade --- /dev/null +++ b/queue-6.6/parisc-pdc-add-width-field-to-struct-pdc_model.patch @@ -0,0 +1,28 @@ +From 6240553b52c475d9fc9674de0521b77e692f3764 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 22 Oct 2023 11:48:11 +0200 +Subject: parisc/pdc: Add width field to struct pdc_model + +From: Helge Deller + +commit 6240553b52c475d9fc9674de0521b77e692f3764 upstream. + +PDC2.0 specifies the additional PSW-bit field. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/uapi/asm/pdc.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/parisc/include/uapi/asm/pdc.h ++++ b/arch/parisc/include/uapi/asm/pdc.h +@@ -472,6 +472,7 @@ struct pdc_model { /* for PDC_MODEL */ + unsigned long arch_rev; + unsigned long pot_key; + unsigned long curr_key; ++ unsigned long width; /* default of PSW_W bit (1=enabled) */ + }; + + struct pdc_cache_cf { /* for PDC_CACHE (I/D-caches) */ diff --git a/queue-6.6/parisc-power-add-power-soft-off-when-running-on-qemu.patch b/queue-6.6/parisc-power-add-power-soft-off-when-running-on-qemu.patch new file mode 100644 index 00000000000..827238a7af6 --- /dev/null +++ b/queue-6.6/parisc-power-add-power-soft-off-when-running-on-qemu.patch 
@@ -0,0 +1,48 @@
+From d0c219472980d15f5cbc5c8aec736848bda3f235 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Tue, 17 Oct 2023 22:19:53 +0200
+Subject: parisc/power: Add power soft-off when running on qemu
+
+From: Helge Deller
+
+commit d0c219472980d15f5cbc5c8aec736848bda3f235 upstream.
+
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/parisc/power.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/parisc/power.c
++++ b/drivers/parisc/power.c
+@@ -197,6 +197,14 @@ static struct notifier_block parisc_pani
+ .priority = INT_MAX,
+ };
+ 
++/* qemu soft power-off function */
++static int qemu_power_off(struct sys_off_data *data)
++{
++ /* this turns the system off via SeaBIOS */
++ *(int *)data->cb_data = 0;
++ pdc_soft_power_button(1);
++ return NOTIFY_DONE;
++}
+ 
+ static int __init power_init(void)
+ {
+@@ -226,7 +234,13 @@ static int __init power_init(void)
+ soft_power_reg);
+ }
+ 
+- power_task = kthread_run(kpowerswd, (void*)soft_power_reg, KTHREAD_NAME);
++ power_task = NULL;
++ if (running_on_qemu && soft_power_reg)
++ register_sys_off_handler(SYS_OFF_MODE_POWER_OFF, SYS_OFF_PRIO_DEFAULT,
++ qemu_power_off, (void *)soft_power_reg);
++ else
++ power_task = kthread_run(kpowerswd, (void*)soft_power_reg,
++ KTHREAD_NAME);
+ if (IS_ERR(power_task)) {
+ printk(KERN_ERR DRIVER_NAME ": thread creation failed. Driver not loaded.\n");
+ pdc_soft_power_button(0);
diff --git a/queue-6.6/pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch b/queue-6.6/pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch
new file mode 100644
index 00000000000..1669565802a
--- /dev/null
+++ b/queue-6.6/pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch
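Review bot: In power_init() the return value of `register_sys_off_handler()` is discarded, so on the qemu path `power_task` stays NULL, `IS_ERR(power_task)` is false, and a failed registration is reported as a successful load with no power-off handler installed. Keep the returned handle, e.g. `handler = register_sys_off_handler(...);`, and send an `IS_ERR(handler)` result through the same cleanup as the thread-creation failure; holding the handle would also let the exit path unregister it. qemu_power_off() writes through `*(int *)data->cb_data`, a plain cast of `soft_power_reg`; if that value is a device register address an I/O accessor would be the usual form, but its definition is outside the hunk. The commit carries no description, so a short comment in power_init() saying why qemu takes the sys-off handler instead of the kpowerswd thread would help the next reader.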
@@ -0,0 +1,42 @@
+From 374de39d38f97b0e58cfee88da590b2d056ccf7f Mon Sep 17 00:00:00 2001
+From: Pengfei Li
+Date: Sat, 21 Oct 2023 02:59:49 +0800
+Subject: pmdomain: imx: Make imx pgc power domain also set the fwnode
+
+From: Pengfei Li
+
+commit 374de39d38f97b0e58cfee88da590b2d056ccf7f upstream.
+
+Currently, The imx pgc power domain doesn't set the fwnode
+pointer, which results in supply regulator device can't get
+consumer imx pgc power domain device from fwnode when creating
+a link.
+
+This causes the driver core to instead try to create a link
+between the parent gpc device of imx pgc power domain device and
+supply regulator device. However, at this point, the gpc device
+has already been bound, and the link creation will fail. So adding
+the fwnode pointer to the imx pgc power domain device will fix
+this issue.
+
+Signed-off-by: Pengfei Li
+Tested-by: Emil Kronborg
+Fixes: 3fb16866b51d ("driver core: fw_devlink: Make cycle detection more robust")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231020185949.537083-1-pengfei.li_1@nxp.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pmdomain/imx/gpc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pmdomain/imx/gpc.c
++++ b/drivers/pmdomain/imx/gpc.c
+@@ -498,6 +498,7 @@ static int imx_gpc_probe(struct platform
+ 
+ pd_pdev->dev.parent = &pdev->dev;
+ pd_pdev->dev.of_node = np;
++ pd_pdev->dev.fwnode = of_fwnode_handle(np);
+ 
+ ret = platform_device_add(pd_pdev);
+ if (ret) {
diff --git a/queue-6.6/powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch b/queue-6.6/powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch
new file mode 100644
index 00000000000..aff09b18bde
--- /dev/null
+++ b/queue-6.6/powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch
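Review bot: `of_node` and `fwnode` are assigned on two separate lines in imx_gpc_probe(), which leaves room for the two fields to drift apart again. `device_set_node(&pd_pdev->dev, of_fwnode_handle(np));` sets both in one call and could replace the pair. The enclosing loop and the reference handling for `np` are outside the hunk, so whether a reference on `np` is held for the lifetime of `pd_pdev` cannot be checked from here.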
@@ -0,0 +1,41 @@
+From a60ec4485f1c72dfece365cf95e6de82bdd74300 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?=
+Date: Tue, 24 Oct 2023 22:17:19 +0300
+Subject: powercap: intel_rapl: Downgrade BIOS locked limits pr_warn() to pr_debug()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+commit a60ec4485f1c72dfece365cf95e6de82bdd74300 upstream.
+
+Before the refactoring the pr_warn() only triggered when
+someone explicitly tried to write to a BIOS locked limit.
+After the refactoring the warning is also triggering during
+system resume. The user can't do anything about this so
+printing scary warnings doesn't make sense
+
+Keep the printk but make it pr_debug() instead of pr_warn()
+to make it clear it's not a serious issue.
+
+Fixes: 9050a9cd5e4c ("powercap: intel_rapl: Cleanup Power Limits support")
+Signed-off-by: Ville Syrjälä
+Cc: 6.5+ # 6.5+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/powercap/intel_rapl_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/powercap/intel_rapl_common.c
++++ b/drivers/powercap/intel_rapl_common.c
+@@ -892,7 +892,7 @@ static int rapl_write_pl_data(struct rap
+ return -EINVAL;
+ 
+ if (rd->rpl[pl].locked) {
+- pr_warn("%s:%s:%s locked by BIOS\n", rd->rp->name, rd->name, pl_names[pl]);
++ pr_debug("%s:%s:%s locked by BIOS\n", rd->rp->name, rd->name, pl_names[pl]);
+ return -EACCES;
+ }
+ 
diff --git a/queue-6.6/series b/queue-6.6/series
index 8eebc5138ea..4885ff8e3a9 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -302,3 +302,22 @@ keys-trusted-rollback-init_trusted-consistently.patch
 pci-keystone-don-t-discard-.remove-callback.patch
 pci-keystone-don-t-discard-.probe-callback.patch
 pmdomain-amlogic-fix-mask-for-the-second-nna-mem-pd-domain.patch
+arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch
+arm64-module-fix-plt-counting-when-config_randomize_base-n.patch
+pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch
+parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch
+parisc-pdc-add-width-field-to-struct-pdc_model.patch
+parisc-power-add-power-soft-off-when-running-on-qemu.patch
+cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch
+powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch
+clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch
+clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch
+integrity-powerpc-do-not-select-ca_machine_keyring.patch
+clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
+clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
+ksmbd-fix-recursive-locking-in-vfs-helpers.patch
+ksmbd-handle-malformed-smb1-message.patch
+ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch
+mmc-vub300-fix-an-error-code.patch
+mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch
+mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch