From: Sasha Levin Date: Tue, 23 Jul 2024 00:20:21 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.10.1~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d43fb30025ad5eb41e5020976c39f31dd69f2c4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/acpi-ec-abort-address-space-access-upon-error.patch b/queue-5.15/acpi-ec-abort-address-space-access-upon-error.patch new file mode 100644 index 00000000000..04c07d6843b --- /dev/null +++ b/queue-5.15/acpi-ec-abort-address-space-access-upon-error.patch @@ -0,0 +1,45 @@ +From 19363062bfea93e5df96c626b9c2996dde2b01c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 May 2024 23:36:48 +0200 +Subject: ACPI: EC: Abort address space access upon error + +From: Armin Wolf + +[ Upstream commit f6f172dc6a6d7775b2df6adfd1350700e9a847ec ] + +When a multi-byte address space access is requested, acpi_ec_read()/ +acpi_ec_write() is being called multiple times. + +Abort such operations if a single call to acpi_ec_read() / +acpi_ec_write() fails, as the data read from / written to the EC +might be incomplete. + +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 472418a0e0cab..1896ec78e88c7 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1303,10 +1303,13 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + if (ec->busy_polling || bits > 8) + acpi_ec_burst_enable(ec); + +- for (i = 0; i < bytes; ++i, ++address, ++value) ++ for (i = 0; i < bytes; ++i, ++address, ++value) { + result = (function == ACPI_READ) ? + acpi_ec_read(ec, address, value) : + acpi_ec_write(ec, address, *value); ++ if (result < 0) ++ break; ++ } + + if (ec->busy_polling || bits > 8) + acpi_ec_burst_disable(ec); +-- +2.43.0 + 
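Review bot: In the acpi_ec_space_handler() loop in drivers/acpi/ec.c, breaking on `result < 0` is only half of the fix as long as the status switch further down still ends in `default: return AE_OK;`. An error other than -EINVAL, -ENODEV or -ETIME now stops the transfer early but is still reported to the caller as success, with `value` only partly filled on a read. The next queued patch (acpi-ec-avoid-returning-ae_ok-on-errors-in-address-s.patch) closes that gap and applies on top of this one (index 1896ec78e88c7), so the two need to stay together and in this order in queue-5.15; the changelog should say so.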
diff --git a/queue-5.15/acpi-ec-avoid-returning-ae_ok-on-errors-in-address-s.patch b/queue-5.15/acpi-ec-avoid-returning-ae_ok-on-errors-in-address-s.patch new file mode 100644 index 00000000000..244582ade2f --- /dev/null +++ b/queue-5.15/acpi-ec-avoid-returning-ae_ok-on-errors-in-address-s.patch @@ -0,0 +1,43 @@ +From 3951f873c3bea5c04cba6f34cc02e3aba914ffa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 May 2024 23:36:49 +0200 +Subject: ACPI: EC: Avoid returning AE_OK on errors in address space handler + +From: Armin Wolf + +[ Upstream commit c4bd7f1d78340e63de4d073fd3dbe5391e2996e5 ] + +If an error code other than EINVAL, ENODEV or ETIME is returned +by acpi_ec_read() / acpi_ec_write(), then AE_OK is incorrectly +returned by acpi_ec_space_handler(). + +Fix this by only returning AE_OK on success, and return AE_ERROR +otherwise. + +Signed-off-by: Armin Wolf +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 1896ec78e88c7..59e617ab12a51 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1321,8 +1321,10 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address, + return AE_NOT_FOUND; + case -ETIME: + return AE_TIME; +- default: ++ case 0: + return AE_OK; ++ default: ++ return AE_ERROR; + } + } + +-- +2.43.0 + diff --git a/queue-5.15/alsa-dmaengine-synchronize-dma-channel-after-drop.patch b/queue-5.15/alsa-dmaengine-synchronize-dma-channel-after-drop.patch new file mode 100644 index 00000000000..a11811c5a89 --- /dev/null +++ b/queue-5.15/alsa-dmaengine-synchronize-dma-channel-after-drop.patch 
@@ -0,0 +1,98 @@ +From 526fa46c4b5107a8c455ab9c4b4bbbbdbb32cb1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 18:02:55 +0530 +Subject: ALSA: dmaengine: Synchronize dma channel after drop() + +From: Jai Luthra + +[ Upstream commit e8343410ddf08fc36a9b9cc7c51a4e53a262d4c6 ] + +Sometimes the stream may be stopped due to XRUN events, in which case +the userspace can call snd_pcm_drop() and snd_pcm_prepare() to stop and +start the stream again. + +In these cases, we must wait for the DMA channel to synchronize before +marking the stream as prepared for playback, as the DMA channel gets +stopped by drop() without any synchronization. Make sure the ALSA core +synchronizes the DMA channel by adding a sync_stop() hook. + +Reviewed-by: Peter Ujfalusi +Signed-off-by: Jai Luthra +Link: https://lore.kernel.org/r/20240611-asoc_next-v3-1-fcfd84b12164@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/dmaengine_pcm.h | 1 + + sound/core/pcm_dmaengine.c | 10 ++++++++++ + sound/soc/soc-generic-dmaengine-pcm.c | 8 ++++++++ + 3 files changed, 19 insertions(+) + +diff --git a/include/sound/dmaengine_pcm.h b/include/sound/dmaengine_pcm.h +index 96666efddb396..6d9c94a570733 100644 +--- a/include/sound/dmaengine_pcm.h ++++ b/include/sound/dmaengine_pcm.h +@@ -34,6 +34,7 @@ snd_pcm_uframes_t snd_dmaengine_pcm_pointer_no_residue(struct snd_pcm_substream + int snd_dmaengine_pcm_open(struct snd_pcm_substream *substream, + struct dma_chan *chan); + int snd_dmaengine_pcm_close(struct snd_pcm_substream *substream); ++int snd_dmaengine_pcm_sync_stop(struct snd_pcm_substream *substream); + + int snd_dmaengine_pcm_open_request_chan(struct snd_pcm_substream *substream, + dma_filter_fn filter_fn, void *filter_data); +diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c +index 0fe93b423c4ed..3e479dca122a0 100644 +--- a/sound/core/pcm_dmaengine.c ++++ b/sound/core/pcm_dmaengine.c +@@ -344,6 +344,16 @@ int 
snd_dmaengine_pcm_open_request_chan(struct snd_pcm_substream *substream, + } + EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_open_request_chan); + ++int snd_dmaengine_pcm_sync_stop(struct snd_pcm_substream *substream) ++{ ++ struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream); ++ ++ dmaengine_synchronize(prtd->dma_chan); ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_sync_stop); ++ + /** + * snd_dmaengine_pcm_close - Close a dmaengine based PCM substream + * @substream: PCM substream +diff --git a/sound/soc/soc-generic-dmaengine-pcm.c b/sound/soc/soc-generic-dmaengine-pcm.c +index 4aa48c74f21a0..fa1f91c34834f 100644 +--- a/sound/soc/soc-generic-dmaengine-pcm.c ++++ b/sound/soc/soc-generic-dmaengine-pcm.c +@@ -323,6 +323,12 @@ static int dmaengine_copy_user(struct snd_soc_component *component, + return 0; + } + ++static int dmaengine_pcm_sync_stop(struct snd_soc_component *component, ++ struct snd_pcm_substream *substream) ++{ ++ return snd_dmaengine_pcm_sync_stop(substream); ++} ++ + static const struct snd_soc_component_driver dmaengine_pcm_component = { + .name = SND_DMAENGINE_PCM_DRV_NAME, + .probe_order = SND_SOC_COMP_ORDER_LATE, +@@ -332,6 +338,7 @@ static const struct snd_soc_component_driver dmaengine_pcm_component = { + .trigger = dmaengine_pcm_trigger, + .pointer = dmaengine_pcm_pointer, + .pcm_construct = dmaengine_pcm_new, ++ .sync_stop = dmaengine_pcm_sync_stop, + }; + + static const struct snd_soc_component_driver dmaengine_pcm_component_process = { +@@ -344,6 +351,7 @@ static const struct snd_soc_component_driver dmaengine_pcm_component_process = { + .pointer = dmaengine_pcm_pointer, + .copy_user = dmaengine_copy_user, + .pcm_construct = dmaengine_pcm_new, ++ .sync_stop = dmaengine_pcm_sync_stop, + }; + + static const char * const dmaengine_pcm_dma_channel_names[] = { +-- +2.43.0 + 
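Review bot: The new exported snd_dmaengine_pcm_sync_stop() in sound/core/pcm_dmaengine.c has no kernel-doc comment, although the function directly below it, snd_dmaengine_pcm_close(), carries one. Add a `/** ... */` block that says the helper waits for the DMA channel to finish after a stop, and that states what the caller must have done first: the following patch in this queue notes that dmaengine_terminate_async() has to precede dmaengine_synchronize(), and this helper calls dmaengine_synchronize() unconditionally.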
diff --git a/queue-5.15/alsa-dmaengine_pcm-terminate-dmaengine-before-synchr.patch b/queue-5.15/alsa-dmaengine_pcm-terminate-dmaengine-before-synchr.patch new file mode 100644 index 00000000000..57d436683a3 --- /dev/null +++ b/queue-5.15/alsa-dmaengine_pcm-terminate-dmaengine-before-synchr.patch 
@@ -0,0 +1,66 @@ +From ad106b47c8326f229c846579fb6a2f527cacd7d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 10:40:18 +0800 +Subject: ALSA: dmaengine_pcm: terminate dmaengine before synchronize + +From: Shengjiu Wang + +[ Upstream commit 6a7db25aad8ce6512b366d2ce1d0e60bac00a09d ] + +When dmaengine supports pause function, in suspend state, +dmaengine_pause() is called instead of dmaengine_terminate_async(), + +In end of playback stream, the runtime->state will go to +SNDRV_PCM_STATE_DRAINING, if system suspend & resume happen +at this time, application will not resume playback stream, the +stream will be closed directly, the dmaengine_terminate_async() +will not be called before the dmaengine_synchronize(), which +violates the call sequence for dmaengine_synchronize(). + +This behavior also happens for capture streams, but there is no +SNDRV_PCM_STATE_DRAINING state for capture. So use +dmaengine_tx_status() to check the DMA status if the status is +DMA_PAUSED, then call dmaengine_terminate_async() to terminate +dmaengine before dmaengine_synchronize(). 
+ +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/1718851218-27803-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_dmaengine.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c +index 3e479dca122a0..9f953ff8b0645 100644 +--- a/sound/core/pcm_dmaengine.c ++++ b/sound/core/pcm_dmaengine.c +@@ -361,6 +361,12 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_sync_stop); + int snd_dmaengine_pcm_close(struct snd_pcm_substream *substream) + { + struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream); ++ struct dma_tx_state state; ++ enum dma_status status; ++ ++ status = dmaengine_tx_status(prtd->dma_chan, prtd->cookie, &state); ++ if (status == DMA_PAUSED) ++ dmaengine_terminate_async(prtd->dma_chan); + + dmaengine_synchronize(prtd->dma_chan); + kfree(prtd); +@@ -379,6 +385,12 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_close); + int snd_dmaengine_pcm_close_release_chan(struct snd_pcm_substream *substream) + { + struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream); ++ struct dma_tx_state state; ++ enum dma_status status; ++ ++ status = dmaengine_tx_status(prtd->dma_chan, prtd->cookie, &state); ++ if (status == DMA_PAUSED) ++ dmaengine_terminate_async(prtd->dma_chan); + + dmaengine_synchronize(prtd->dma_chan); + dma_release_channel(prtd->dma_chan); +-- +2.43.0 + diff --git a/queue-5.15/alsa-hda-realtek-add-more-codec-id-to-no-shutup-pins.patch b/queue-5.15/alsa-hda-realtek-add-more-codec-id-to-no-shutup-pins.patch new file mode 100644 index 00000000000..05ea0ffb5de --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-more-codec-id-to-no-shutup-pins.patch 
@@ -0,0 +1,41 @@ +From e924505ff6c1ede659ed7e22562461784101c99c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 14:16:04 +0800 +Subject: ALSA: hda/realtek: Add more codec ID to no shutup pins list + +From: Kailang Yang + +[ Upstream commit 70794b9563fe011988bcf6a081af9777e63e8d37 ] + +If it enter to runtime D3 state, it didn't shutup Headset MIC pin. + +Signed-off-by: Kailang Yang +Link: https://lore.kernel.org/r/8d86f61e7d6f4a03b311e4eb4e5caaef@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6e3772f2d6bcd..aeecc208e7fa0 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -577,10 +577,14 @@ static void alc_shutup_pins(struct hda_codec *codec) + switch (codec->core.vendor_id) { + case 0x10ec0236: + case 0x10ec0256: ++ case 0x10ec0257: + case 0x19e58326: + case 0x10ec0283: ++ case 0x10ec0285: + case 0x10ec0286: ++ case 0x10ec0287: + case 0x10ec0288: ++ case 0x10ec0295: + case 0x10ec0298: + alc_headset_mic_no_shutup(codec); + break; +-- +2.43.0 + diff --git a/queue-5.15/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15-gw0.patch b/queue-5.15/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15-gw0.patch new file mode 100644 index 00000000000..54d82edb863 --- /dev/null +++ b/queue-5.15/alsa-hda-relatek-enable-mute-led-on-hp-laptop-15-gw0.patch 
@@ -0,0 +1,35 @@ +From 3e5492b920461be302678aafa04bb3d90fd60a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 13:12:02 +0500 +Subject: ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx + +From: Aivaz Latypov + +[ Upstream commit 1d091a98c399c17d0571fa1d91a7123a698446e4 ] + +This HP Laptop uses ALC236 codec with COEF 0x07 controlling +the mute LED. Enable existing quirk for this device. + +Signed-off-by: Aivaz Latypov +Link: https://patch.msgid.link/20240625081217.1049-1-reichaivaz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index aeecc208e7fa0..afc9f1cd9647c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9161,6 +9161,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87f1, "HP ProBook 630 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), +-- +2.43.0 + diff --git a/queue-5.15/arm64-armv8_deprecated-fix-warning-in-isndep-cpuhp-s.patch b/queue-5.15/arm64-armv8_deprecated-fix-warning-in-isndep-cpuhp-s.patch new file mode 100644 index 00000000000..f0fef2274d5 --- /dev/null +++ b/queue-5.15/arm64-armv8_deprecated-fix-warning-in-isndep-cpuhp-s.patch 
@@ -0,0 +1,51 @@ +From 04d9aca187eae65d12dab86c2fb2e7009a515745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 17:35:01 +0800 +Subject: arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process + +From: Wei Li + +[ Upstream commit 14951beaec93696b092a906baa0f29322cf34004 ] + +The function run_all_insn_set_hw_mode() is registered as startup callback +of 'CPUHP_AP_ARM64_ISNDEP_STARTING', it invokes set_hw_mode() methods of +all emulated instructions. + +As the STARTING callbacks are not expected to fail, if one of the +set_hw_mode() fails, e.g. due to el0 mixed-endian is not supported for +'setend', it will report a warning: + +``` +CPU[2] cannot support the emulation of setend +CPU 2 UP state arm64/isndep:starting (136) failed (-22) +CPU2: Booted secondary processor 0x0000000002 [0x414fd0c1] +``` + +To fix it, add a check for INSN_UNAVAILABLE status and skip the process. + +Signed-off-by: Wei Li +Tested-by: Huisong Li +Link: https://lore.kernel.org/r/20240423093501.3460764-1-liwei391@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/armv8_deprecated.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c +index 91eabe56093d6..91c29979aea79 100644 +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -471,6 +471,9 @@ static int run_all_insn_set_hw_mode(unsigned int cpu) + for (i = 0; i < ARRAY_SIZE(insn_emulations); i++) { + struct insn_emulation *insn = insn_emulations[i]; + bool enable = READ_ONCE(insn->current_mode) == INSN_HW; ++ if (insn->status == INSN_UNAVAILABLE) ++ continue; ++ + if (insn->set_hw_mode && insn->set_hw_mode(enable)) { + pr_warn("CPU[%u] cannot support the emulation of %s", + cpu, insn->name); +-- +2.43.0 + 
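Review bot: In run_all_insn_set_hw_mode() the added `if (insn->status == INSN_UNAVAILABLE)` follows the `bool enable = ...` declaration with no blank line, and the blank line sits after the `continue` instead. Move the blank line up so declarations and statements are separated. Since `enable` is unused when the entry is skipped, it could also be declared first and assigned only after the check.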
diff --git a/queue-5.15/asoc-ti-davinci-mcasp-set-min-period-size-using-fifo.patch b/queue-5.15/asoc-ti-davinci-mcasp-set-min-period-size-using-fifo.patch new file mode 100644 index 00000000000..7cc1c257618 --- /dev/null +++ b/queue-5.15/asoc-ti-davinci-mcasp-set-min-period-size-using-fifo.patch 
@@ -0,0 +1,69 @@ +From 87b8bfa990619e7063a36f0fd8709eb44c2668f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 18:02:56 +0530 +Subject: ASoC: ti: davinci-mcasp: Set min period size using FIFO config + +From: Jai Luthra + +[ Upstream commit c5dcf8ab10606e76c1d8a0ec77f27d84a392e874 ] + +The minimum period size was enforced to 64 as older devices integrating +McASP with EDMA used an internal FIFO of 64 samples. + +With UDMA based platforms this internal McASP FIFO is optional, as the +DMA engine internally does some buffering which is already accounted for +when registering the platform. So we should read the actual FIFO +configuration (txnumevt/rxnumevt) instead of hardcoding frames.min to +64. + +Acked-by: Peter Ujfalusi +Signed-off-by: Jai Luthra +Link: https://lore.kernel.org/r/20240611-asoc_next-v3-2-fcfd84b12164@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/davinci-mcasp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/ti/davinci-mcasp.c b/sound/soc/ti/davinci-mcasp.c +index 5b82329f44401..dbd30604816e5 100644 +--- a/sound/soc/ti/davinci-mcasp.c ++++ b/sound/soc/ti/davinci-mcasp.c +@@ -1472,10 +1472,11 @@ static int davinci_mcasp_hw_rule_min_periodsize( + { + struct snd_interval *period_size = hw_param_interval(params, + SNDRV_PCM_HW_PARAM_PERIOD_SIZE); ++ u8 numevt = *((u8 *)rule->private); + struct snd_interval frames; + + snd_interval_any(&frames); +- frames.min = 64; ++ frames.min = numevt; + frames.integer = 1; + + return snd_interval_refine(period_size, &frames); +@@ -1490,6 +1491,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + u32 max_channels = 0; + int i, dir, ret; + int tdm_slots = mcasp->tdm_slots; ++ u8 *numevt; + + /* Do not allow more then one stream per direction */ + if (mcasp->substreams[substream->stream]) +@@ -1589,9 +1591,12 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + return ret; + } + 
++ numevt = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ? ++ &mcasp->txnumevt : ++ &mcasp->rxnumevt; + snd_pcm_hw_rule_add(substream->runtime, 0, + SNDRV_PCM_HW_PARAM_PERIOD_SIZE, +- davinci_mcasp_hw_rule_min_periodsize, NULL, ++ davinci_mcasp_hw_rule_min_periodsize, numevt, + SNDRV_PCM_HW_PARAM_PERIOD_SIZE, -1); + + return 0; +-- +2.43.0 + diff --git a/queue-5.15/asoc-ti-omap-hdmi-fix-too-long-driver-name.patch b/queue-5.15/asoc-ti-omap-hdmi-fix-too-long-driver-name.patch new file mode 100644 index 00000000000..4ad45f4974b --- /dev/null +++ b/queue-5.15/asoc-ti-omap-hdmi-fix-too-long-driver-name.patch @@ -0,0 +1,43 @@ +From 93c1b59ab3694f010ce0b0f28a58a73a5bde23da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 14:58:47 +0200 +Subject: ASoC: ti: omap-hdmi: Fix too long driver name + +From: Primoz Fiser + +[ Upstream commit 524d3f126362b6033e92cbe107ae2158d7fbff94 ] + +Set driver name to "HDMI". This simplifies the code and gets rid of +the following error messages: + + ASoC: driver name too long 'HDMI 58040000.encoder' -> 'HDMI_58040000_e' + +Signed-off-by: Primoz Fiser +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20240610125847.773394-1-primoz.fiser@norik.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/omap-hdmi.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/sound/soc/ti/omap-hdmi.c b/sound/soc/ti/omap-hdmi.c +index 3328c02f93c74..1dfe439d13417 100644 +--- a/sound/soc/ti/omap-hdmi.c ++++ b/sound/soc/ti/omap-hdmi.c +@@ -353,11 +353,7 @@ static int omap_hdmi_audio_probe(struct platform_device *pdev) + if (!card) + return -ENOMEM; + +- card->name = devm_kasprintf(dev, GFP_KERNEL, +- "HDMI %s", dev_name(ad->dssdev)); +- if (!card->name) +- return -ENOMEM; +- ++ card->name = "HDMI"; + card->owner = THIS_MODULE; + card->dai_link = + devm_kzalloc(dev, sizeof(*(card->dai_link)), GFP_KERNEL); +-- +2.43.0 + 
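Review bot: In omap_hdmi_audio_probe() the card name changes from a per-device string built with dev_name(ad->dssdev) to the constant "HDMI", and the changelog does not say whether more than one instance of this device can probe. If it can, every card would end up with the same name. Either state in the commit message that only one instance exists, or keep a shortened per-device suffix that fits the length limit shown in the quoted error message. The changelog also says "driver name" while the hunk assigns `card->name`; use one term.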
diff --git a/queue-5.15/bluetooth-hci_core-cancel-all-works-upon-hci_unregis.patch b/queue-5.15/bluetooth-hci_core-cancel-all-works-upon-hci_unregis.patch new file mode 100644 index 00000000000..e13e0281fc1 --- /dev/null +++ b/queue-5.15/bluetooth-hci_core-cancel-all-works-upon-hci_unregis.patch 
@@ -0,0 +1,54 @@ +From 5fc63c15c9da1879cc314762892c324e9a663008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2024 20:00:32 +0900 +Subject: Bluetooth: hci_core: cancel all works upon hci_unregister_dev() + +From: Tetsuo Handa + +[ Upstream commit 0d151a103775dd9645c78c97f77d6e2a5298d913 ] + +syzbot is reporting that calling hci_release_dev() from hci_error_reset() +due to hci_dev_put() from hci_error_reset() can cause deadlock at +destroy_workqueue(), for hci_error_reset() is called from +hdev->req_workqueue which destroy_workqueue() needs to flush. + +We need to make sure that hdev->{rx_work,cmd_work,tx_work} which are +queued into hdev->workqueue and hdev->{power_on,error_reset} which are +queued into hdev->req_workqueue are no longer running by the moment + + destroy_workqueue(hdev->workqueue); + destroy_workqueue(hdev->req_workqueue); + +are called from hci_release_dev(). + +Call cancel_work_sync() on these work items from hci_unregister_dev() +as soon as hdev->list is removed from hci_dev_list. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=da0a9c9721e36db712e8 +Signed-off-by: Tetsuo Handa +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 8a3c867bdff03..fc4e02b3f26ad 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4025,7 +4025,11 @@ void hci_unregister_dev(struct hci_dev *hdev) + list_del(&hdev->list); + write_unlock(&hci_dev_list_lock); + ++ cancel_work_sync(&hdev->rx_work); ++ cancel_work_sync(&hdev->cmd_work); ++ cancel_work_sync(&hdev->tx_work); + cancel_work_sync(&hdev->power_on); ++ cancel_work_sync(&hdev->error_reset); + + if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { + hci_suspend_clear_tasks(hdev); +-- +2.43.0 + 
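Review bot: In hci_unregister_dev() the five cancel_work_sync() calls only guarantee that the work items are idle at that moment. Nothing in this hunk stops rx_work, cmd_work, tx_work or error_reset from being queued again between here and the destroy_workqueue() calls in hci_release_dev() that the changelog is protecting. Add a comment naming what prevents re-queueing once hdev has been removed from hci_dev_list, or document in the changelog why it cannot happen.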
diff --git a/queue-5.15/btrfs-qgroup-fix-quota-root-leak-after-quota-disable.patch b/queue-5.15/btrfs-qgroup-fix-quota-root-leak-after-quota-disable.patch new file mode 100644 index 00000000000..51ad7921017 --- /dev/null +++ b/queue-5.15/btrfs-qgroup-fix-quota-root-leak-after-quota-disable.patch 
@@ -0,0 +1,59 @@ +From fc3adf32717ab4f619282a18abecdc4faba15d36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 12:32:00 +0100 +Subject: btrfs: qgroup: fix quota root leak after quota disable failure + +From: Filipe Manana + +[ Upstream commit a7e4c6a3031c74078dba7fa36239d0f4fe476c53 ] + +If during the quota disable we fail when cleaning the quota tree or when +deleting the root from the root tree, we jump to the 'out' label without +ever dropping the reference on the quota root, resulting in a leak of the +root since fs_info->quota_root is no longer pointing to the root (we have +set it to NULL just before those steps). + +Fix this by always doing a btrfs_put_root() call under the 'out' label. +This is a problem that exists since qgroups were first added in 2012 by +commit bed92eae26cc ("Btrfs: qgroup implementation and prototypes"), but +back then we missed a kfree on the quota root and free_extent_buffer() +calls on its root and commit root nodes, since back then roots were not +yet reference counted. 
+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index c50cabf69415f..1f5ab51e18dc4 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -1196,7 +1196,7 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info) + + int btrfs_quota_disable(struct btrfs_fs_info *fs_info) + { +- struct btrfs_root *quota_root; ++ struct btrfs_root *quota_root = NULL; + struct btrfs_trans_handle *trans = NULL; + int ret = 0; + +@@ -1290,9 +1290,9 @@ int btrfs_quota_disable(struct btrfs_fs_info *fs_info) + btrfs_free_tree_block(trans, btrfs_root_id(quota_root), + quota_root->node, 0, 1); + +- btrfs_put_root(quota_root); + + out: ++ btrfs_put_root(quota_root); + mutex_unlock(&fs_info->qgroup_ioctl_lock); + if (ret && trans) + btrfs_end_transaction(trans); +-- +2.43.0 + diff --git a/queue-5.15/bytcr_rt5640-inverse-jack-detect-for-archos-101-cesi.patch b/queue-5.15/bytcr_rt5640-inverse-jack-detect-for-archos-101-cesi.patch new file mode 100644 index 00000000000..d396d0d7279 --- /dev/null +++ b/queue-5.15/bytcr_rt5640-inverse-jack-detect-for-archos-101-cesi.patch 
@@ -0,0 +1,48 @@ +From 159995760f788095fa404adfa4bd57c7c307ac50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jun 2024 19:02:51 +0200 +Subject: bytcr_rt5640 : inverse jack detect for Archos 101 cesium + +From: Thomas GENTY + +[ Upstream commit e3209a1827646daaab744aa6a5767b1f57fb5385 ] + +When headphones are plugged in, they appear absent; when they are removed, +they appear present. +Add a specific entry in bytcr_rt5640 for this device + +Signed-off-by: Thomas GENTY +Reviewed-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20240608170251.99936-1-tomlohave@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 434679afa7e1a..3d2a0e8cad9a5 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -607,6 +607,17 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF1 | + BYT_RT5640_MCLK_EN), + }, ++ { ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ARCHOS"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "ARCHOS 101 CESIUM"), ++ }, ++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS | ++ BYT_RT5640_JD_NOT_INV | ++ BYT_RT5640_DIFF_MIC | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, + { + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ARCHOS"), +-- +2.43.0 + diff --git a/queue-5.15/can-kvaser_usb-fix-return-value-for-hif_usb_send_reg.patch b/queue-5.15/can-kvaser_usb-fix-return-value-for-hif_usb_send_reg.patch new file mode 100644 index 00000000000..60f61b1067b --- /dev/null +++ b/queue-5.15/can-kvaser_usb-fix-return-value-for-hif_usb_send_reg.patch 
@@ -0,0 +1,36 @@ +From 47f9ff6d718b4429d420c4f95c84515220e72a0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 12:10:20 +0800 +Subject: can: kvaser_usb: fix return value for hif_usb_send_regout + +From: Chen Ni + +[ Upstream commit 0d34d8163fd87978a6abd792e2d8ad849f4c3d57 ] + +As the potential failure of usb_submit_urb(), it should be better to +return the err variable to catch the error. + +Signed-off-by: Chen Ni +Link: https://lore.kernel.org/all/20240521041020.1519416-1-nichen@iscas.ac.cn +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +index 573d3a66711ab..95ed200553929 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +@@ -293,7 +293,7 @@ int kvaser_usb_send_cmd_async(struct kvaser_usb_net_priv *priv, void *cmd, + } + usb_free_urb(urb); + +- return 0; ++ return err; + } + + int kvaser_usb_can_rx_over_error(struct net_device *netdev) +-- +2.43.0 + diff --git a/queue-5.15/drm-radeon-check-bo_va-bo-is-non-null-before-using-i.patch b/queue-5.15/drm-radeon-check-bo_va-bo-is-non-null-before-using-i.patch new file mode 100644 index 00000000000..f4d63666454 --- /dev/null +++ b/queue-5.15/drm-radeon-check-bo_va-bo-is-non-null-before-using-i.patch 
@@ -0,0 +1,36 @@ +From abac085ddb43be7467aaf638b173a97835cbcddf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 14:31:34 +0200 +Subject: drm/radeon: check bo_va->bo is non-NULL before using it + +From: Pierre-Eric Pelloux-Prayer + +[ Upstream commit 6fb15dcbcf4f212930350eaee174bb60ed40a536 ] + +The call to radeon_vm_clear_freed might clear bo_va->bo, so +we have to check it before dereferencing it. + +Signed-off-by: Pierre-Eric Pelloux-Prayer +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c +index 57218263ef3b1..277a313432b28 100644 +--- a/drivers/gpu/drm/radeon/radeon_gem.c ++++ b/drivers/gpu/drm/radeon/radeon_gem.c +@@ -653,7 +653,7 @@ static void radeon_gem_va_update_vm(struct radeon_device *rdev, + if (r) + goto error_unlock; + +- if (bo_va->it.start) ++ if (bo_va->it.start && bo_va->bo) + r = radeon_vm_bo_update(rdev, bo_va, bo_va->bo->tbo.resource); + + error_unlock: +-- +2.43.0 + diff --git a/queue-5.15/drm-vmwgfx-fix-missing-hypervisor_guest-dependency.patch b/queue-5.15/drm-vmwgfx-fix-missing-hypervisor_guest-dependency.patch new file mode 100644 index 00000000000..9f44e9ef2eb --- /dev/null +++ b/queue-5.15/drm-vmwgfx-fix-missing-hypervisor_guest-dependency.patch 
@@ -0,0 +1,41 @@ +From 986f09119e036a06dcbdff2c7fe6a193d2d1b080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 18:25:10 -0700 +Subject: drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency + +From: Alexey Makhalov + +[ Upstream commit 8c4d6945fe5bd04ff847c3c788abd34ca354ecee ] + +VMWARE_HYPERCALL alternative will not work as intended without VMware guest code +initialization. + + [ bp: note that this doesn't reproduce with newer gccs so it must be + something gcc-9-specific. ] + +Closes: https://lore.kernel.org/oe-kbuild-all/202406152104.FxakP1MB-lkp@intel.com/ +Reported-by: kernel test robot +Signed-off-by: Alexey Makhalov +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20240616012511.198243-1-alexey.makhalov@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/Kconfig b/drivers/gpu/drm/vmwgfx/Kconfig +index c9ce47c448e03..5b9a9fba85421 100644 +--- a/drivers/gpu/drm/vmwgfx/Kconfig ++++ b/drivers/gpu/drm/vmwgfx/Kconfig +@@ -2,7 +2,7 @@ + config DRM_VMWGFX + tristate "DRM driver for VMware Virtual GPU" + depends on DRM && PCI && MMU +- depends on X86 || ARM64 ++ depends on (X86 && HYPERVISOR_GUEST) || ARM64 + select DRM_TTM + select MAPPING_DIRTY_HELPERS + # Only needed for the transitional use of drm_crtc_init - can be removed +-- +2.43.0 + diff --git a/queue-5.15/fs-better-handle-deep-ancestor-chains-in-is_subdir.patch b/queue-5.15/fs-better-handle-deep-ancestor-chains-in-is_subdir.patch new file mode 100644 index 00000000000..417c96d9ef5 --- /dev/null +++ b/queue-5.15/fs-better-handle-deep-ancestor-chains-in-is_subdir.patch 
@@ -0,0 +1,80 @@ +From 179ff65a799fb00b91450af2b8dd8bf3513677a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 21:03:26 +0200 +Subject: fs: better handle deep ancestor chains in is_subdir() + +From: Christian Brauner + +[ Upstream commit 391b59b045004d5b985d033263ccba3e941a7740 ] + +Jan reported that 'cd ..' may take a long time in deep directory +hierarchies under a bind-mount. If concurrent renames happen it is +possible to livelock in is_subdir() because it will keep retrying. + +Change is_subdir() from simply retrying over and over to retry once and +then acquire the rename lock to handle deep ancestor chains better. The +list of alternatives to this approach were less then pleasant. Change +the scope of rcu lock to cover the whole walk while at it. + +A big thanks to Jan and Linus. Both Jan and Linus had proposed +effectively the same thing just that one version ended up being slightly +more elegant. + +Reported-by: Jan Kara +Signed-off-by: Linus Torvalds +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/dcache.c | 31 ++++++++++++++----------------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/fs/dcache.c b/fs/dcache.c +index 9a29cfdaa5416..43d75e7ee4785 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -3127,28 +3127,25 @@ EXPORT_SYMBOL(d_splice_alias); + + bool is_subdir(struct dentry *new_dentry, struct dentry *old_dentry) + { +- bool result; ++ bool subdir; + unsigned seq; + + if (new_dentry == old_dentry) + return true; + +- do { +- /* for restarting inner loop in case of seq retry */ +- seq = read_seqbegin(&rename_lock); +- /* +- * Need rcu_readlock to protect against the d_parent trashing +- * due to d_move +- */ +- rcu_read_lock(); +- if (d_ancestor(old_dentry, new_dentry)) +- result = true; +- else +- result = false; +- rcu_read_unlock(); +- } while (read_seqretry(&rename_lock, seq)); +- +- return result; ++ /* Access d_parent under rcu as d_move() may change it. 
*/ ++ rcu_read_lock(); ++ seq = read_seqbegin(&rename_lock); ++ subdir = d_ancestor(old_dentry, new_dentry); ++ /* Try lockless once... */ ++ if (read_seqretry(&rename_lock, seq)) { ++ /* ...else acquire lock for progress even on deep chains. */ ++ read_seqlock_excl(&rename_lock); ++ subdir = d_ancestor(old_dentry, new_dentry); ++ read_sequnlock_excl(&rename_lock); ++ } ++ rcu_read_unlock(); ++ return subdir; + } + EXPORT_SYMBOL(is_subdir); + +-- +2.43.0 + diff --git a/queue-5.15/fs-file-fix-the-check-in-find_next_fd.patch b/queue-5.15/fs-file-fix-the-check-in-find_next_fd.patch new file mode 100644 index 00000000000..ac8003a74a1 --- /dev/null +++ b/queue-5.15/fs-file-fix-the-check-in-find_next_fd.patch 
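Review bot: in the rewritten is_subdir() in fs/dcache.c, the fallback path runs d_ancestor() while holding read_seqlock_excl(&rename_lock), so on a deep chain the rename lock is held for the whole walk and concurrent renames wait behind it. That is the intended trade against the livelock described in the changelog, but the comment "...else acquire lock for progress even on deep chains" should spell out the cost so nobody later moves more work under the lock. Minor: `subdir = d_ancestor(old_dentry, new_dentry);` now assigns the d_ancestor() result straight to a bool where the old code set true/false explicitly; a `!!` or `!= NULL` would keep the intent visible.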
@@ -0,0 +1,51 @@ +From a605ad14e4fd88a2d7c3736291537bd253d0cb55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 00:06:56 +0800 +Subject: fs/file: fix the check in find_next_fd() + +From: Yuntao Wang + +[ Upstream commit ed8c7fbdfe117abbef81f65428ba263118ef298a ] + +The maximum possible return value of find_next_zero_bit(fdt->full_fds_bits, +maxbit, bitbit) is maxbit. This return value, multiplied by BITS_PER_LONG, +gives the value of bitbit, which can never be greater than maxfd, it can +only be equal to maxfd at most, so the following check 'if (bitbit > maxfd)' +will never be true. + +Moreover, when bitbit equals maxfd, it indicates that there are no unused +fds, and the function can directly return. + +Fix this check. + +Signed-off-by: Yuntao Wang +Link: https://lore.kernel.org/r/20240529160656.209352-1-yuntao.wang@linux.dev +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/file.c b/fs/file.c +index 69a51d37b66d9..b46a4a725a0ef 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -481,12 +481,12 @@ struct files_struct init_files = { + + static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) + { +- unsigned int maxfd = fdt->max_fds; ++ unsigned int maxfd = fdt->max_fds; /* always multiple of BITS_PER_LONG */ + unsigned int maxbit = maxfd / BITS_PER_LONG; + unsigned int bitbit = start / BITS_PER_LONG; + + bitbit = find_next_zero_bit(fdt->full_fds_bits, maxbit, bitbit) * BITS_PER_LONG; +- if (bitbit > maxfd) ++ if (bitbit >= maxfd) + return maxfd; + if (bitbit > start) + start = bitbit; +-- +2.43.0 + diff --git a/queue-5.15/hfsplus-fix-uninit-value-in-copy_name.patch b/queue-5.15/hfsplus-fix-uninit-value-in-copy_name.patch new file mode 100644 index 00000000000..a3abc098abf --- /dev/null +++ b/queue-5.15/hfsplus-fix-uninit-value-in-copy_name.patch 
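Review bot: the `if (bitbit >= maxfd)` check in find_next_fd() is only a reliable "no free fd" test if max_fds is a multiple of BITS_PER_LONG, and the patch records that invariant solely as a trailing comment on the `maxfd` declaration. Since `maxbit = maxfd / BITS_PER_LONG` rounds down, a non-multiple max_fds would leave `bitbit` below `maxfd` in the full case and the early return would be skipped. Point the comment at the place where the invariant is established, or assert it, so the dependency is not lost in a later change to fdtable sizing.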
@@ -0,0 +1,70 @@ +From 240acec1e122e8c737aada9c9fb0fc3b03d22de9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 13:21:46 +0800 +Subject: hfsplus: fix uninit-value in copy_name + +From: Edward Adam Davis + +[ Upstream commit 0570730c16307a72f8241df12363f76600baf57d ] + +[syzbot reported] +BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 + sized_strscpy+0xc4/0x160 + copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 + hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 + vfs_listxattr fs/xattr.c:493 [inline] + listxattr+0x1f3/0x6b0 fs/xattr.c:840 + path_listxattr fs/xattr.c:864 [inline] + __do_sys_listxattr fs/xattr.c:876 [inline] + __se_sys_listxattr fs/xattr.c:873 [inline] + __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 + x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3877 [inline] + slab_alloc_node mm/slub.c:3918 [inline] + kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 + kmalloc include/linux/slab.h:628 [inline] + hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 + vfs_listxattr fs/xattr.c:493 [inline] + listxattr+0x1f3/0x6b0 fs/xattr.c:840 + path_listxattr fs/xattr.c:864 [inline] + __do_sys_listxattr fs/xattr.c:876 [inline] + __se_sys_listxattr fs/xattr.c:873 [inline] + __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 + x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +[Fix] +When allocating memory to strbuf, initialize memory to 0. 
+ +Reported-and-tested-by: syzbot+efde959319469ff8d4d7@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://lore.kernel.org/r/tencent_8BBB6433BC9E1C1B7B4BDF1BF52574BA8808@qq.com +Reported-and-tested-by: syzbot+01ade747b16e9c8030e0@syzkaller.appspotmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hfsplus/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c +index e2855ceefd394..71fb2f8e91170 100644 +--- a/fs/hfsplus/xattr.c ++++ b/fs/hfsplus/xattr.c +@@ -699,7 +699,7 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size) + return err; + } + +- strbuf = kmalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + ++ strbuf = kzalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + + XATTR_MAC_OSX_PREFIX_LEN + 1, GFP_KERNEL); + if (!strbuf) { + res = -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.15/ila-block-bh-in-ila_output.patch b/queue-5.15/ila-block-bh-in-ila_output.patch new file mode 100644 index 00000000000..976daeb2f57 --- /dev/null +++ b/queue-5.15/ila-block-bh-in-ila_output.patch 
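Review bot: switching the strbuf allocation in hfsplus_listxattr() from kmalloc to kzalloc makes the KMSAN report go away, but the changelog does not explain why copy_name() reads bytes of strbuf that were never written. The trace shows the uninitialised read inside sized_strscpy() called from copy_name(), which suggests the length handed to copy_name() covers more than the converted name. Zeroing the buffer removes the information leak risk, yet the message should state the root cause, or say explicitly that the zero fill is the intended terminator, so reviewers can judge whether a length check is also needed.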
@@ -0,0 +1,60 @@ +From 07f513cd188682bd5085a2185e12c8988259b207 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 13:26:35 +0000 +Subject: ila: block BH in ila_output() + +From: Eric Dumazet + +[ Upstream commit cf28ff8e4c02e1ffa850755288ac954b6ff0db8c ] + +As explained in commit 1378817486d6 ("tipc: block BH +before using dst_cache"), net/core/dst_cache.c +helpers need to be called with BH disabled. + +ila_output() is called from lwtunnel_output() +possibly from process context, and under rcu_read_lock(). + +We might be interrupted by a softirq, re-enter ila_output() +and corrupt dst_cache data structures. + +Fix the race by using local_bh_disable(). + +Signed-off-by: Eric Dumazet +Acked-by: Paolo Abeni +Link: https://lore.kernel.org/r/20240531132636.2637995-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ila/ila_lwt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ila/ila_lwt.c b/net/ipv6/ila/ila_lwt.c +index 8c1ce78956bae..9d37f7164e732 100644 +--- a/net/ipv6/ila/ila_lwt.c ++++ b/net/ipv6/ila/ila_lwt.c +@@ -58,7 +58,9 @@ static int ila_output(struct net *net, struct sock *sk, struct sk_buff *skb) + return orig_dst->lwtstate->orig_output(net, sk, skb); + } + ++ local_bh_disable(); + dst = dst_cache_get(&ilwt->dst_cache); ++ local_bh_enable(); + if (unlikely(!dst)) { + struct ipv6hdr *ip6h = ipv6_hdr(skb); + struct flowi6 fl6; +@@ -86,8 +88,11 @@ static int ila_output(struct net *net, struct sock *sk, struct sk_buff *skb) + goto drop; + } + +- if (ilwt->connected) ++ if (ilwt->connected) { ++ local_bh_disable(); + dst_cache_set_ip6(&ilwt->dst_cache, dst, &fl6.saddr); ++ local_bh_enable(); ++ } + } + + skb_dst_set(skb, dst); +-- +2.43.0 + diff --git a/queue-5.15/input-elantech-fix-touchpad-state-on-resume-for-leno.patch b/queue-5.15/input-elantech-fix-touchpad-state-on-resume-for-leno.patch new file mode 100644 index 00000000000..87316a3e219 --- /dev/null 
+++ b/queue-5.15/input-elantech-fix-touchpad-state-on-resume-for-leno.patch 
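Review bot: in ila_output() the two dst_cache calls are now each wrapped in their own local_bh_disable()/local_bh_enable() pair, so BH is re-enabled between the failed dst_cache_get() and the later dst_cache_set_ip6(). Each helper call is protected, which is what the changelog asks for, but the get and set are not atomic as a pair: a softirq that re-enters ila_output() in the gap can also miss the cache and set it. If that double population is acceptable, say so in a comment next to the first `local_bh_enable();`. The patch also has no Fixes: tag to show which trees carry the unprotected calls.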
@@ -0,0 +1,79 @@ +From 48dce21597703a0057c3d34eacda24f9a3364ca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 16:12:07 +0000 +Subject: Input: elantech - fix touchpad state on resume for Lenovo N24 + +From: Jonathan Denose + +[ Upstream commit a69ce592cbe0417664bc5a075205aa75c2ec1273 ] + +The Lenovo N24 on resume becomes stuck in a state where it +sends incorrect packets, causing elantech_packet_check_v4 to fail. +The only way for the device to resume sending the correct packets is for +it to be disabled and then re-enabled. + +This change adds a dmi check to trigger this behavior on resume. + +Signed-off-by: Jonathan Denose +Link: https://lore.kernel.org/r/20240503155020.v2.1.Ifa0e25ebf968d8f307f58d678036944141ab17e6@changeid +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/elantech.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 4e38229404b4b..b4723ea395eb9 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1476,16 +1476,47 @@ static void elantech_disconnect(struct psmouse *psmouse) + psmouse->private = NULL; + } + ++/* ++ * Some hw_version 4 models fail to properly activate absolute mode on ++ * resume without going through disable/enable cycle. 
++ */ ++static const struct dmi_system_id elantech_needs_reenable[] = { ++#if defined(CONFIG_DMI) && defined(CONFIG_X86) ++ { ++ /* Lenovo N24 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "81AF"), ++ }, ++ }, ++#endif ++ { } ++}; ++ + /* + * Put the touchpad back into absolute mode when reconnecting + */ + static int elantech_reconnect(struct psmouse *psmouse) + { ++ int err; ++ + psmouse_reset(psmouse); + + if (elantech_detect(psmouse, 0)) + return -1; + ++ if (dmi_check_system(elantech_needs_reenable)) { ++ err = ps2_command(&psmouse->ps2dev, NULL, PSMOUSE_CMD_DISABLE); ++ if (err) ++ psmouse_warn(psmouse, "failed to deactivate mouse on %s: %d\n", ++ psmouse->ps2dev.serio->phys, err); ++ ++ err = ps2_command(&psmouse->ps2dev, NULL, PSMOUSE_CMD_ENABLE); ++ if (err) ++ psmouse_warn(psmouse, "failed to reactivate mouse on %s: %d\n", ++ psmouse->ps2dev.serio->phys, err); ++ } ++ + if (elantech_set_absolute_mode(psmouse)) { + psmouse_err(psmouse, + "failed to put touchpad back into absolute mode.\n"); +-- +2.43.0 + diff --git a/queue-5.15/input-i8042-add-ayaneo-kun-to-i8042-quirk-table.patch b/queue-5.15/input-i8042-add-ayaneo-kun-to-i8042-quirk-table.patch new file mode 100644 index 00000000000..1dc90eb654e --- /dev/null +++ b/queue-5.15/input-i8042-add-ayaneo-kun-to-i8042-quirk-table.patch 
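Review bot: in elantech_reconnect(), failures of the new PSMOUSE_CMD_DISABLE and PSMOUSE_CMD_ENABLE commands are only logged with psmouse_warn(); `err` is overwritten by the second call and never returned, and the enable is sent even when the disable failed. If this is deliberately best effort, with elantech_set_absolute_mode() as the real gate, add a one-line comment saying so. Otherwise return on a failed enable, since a touchpad left disabled after resume is worse than the stuck state the quirk is meant to cure.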
@@ -0,0 +1,66 @@ +From 4f1d9abf4a0eb0900b188f6ee03b83f712f78190 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 15:43:07 -0700 +Subject: Input: i8042 - add Ayaneo Kun to i8042 quirk table + +From: Tobias Jakobi + +[ Upstream commit 955af6355ddfe35140f9706a635838212a32513b ] + +See the added comment for details. Also fix a typo in the +quirk's define. + +Signed-off-by: Tobias Jakobi +Link: https://lore.kernel.org/r/20240531190100.3874731-1-tjakobi@math.uni-bielefeld.de +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/i8042-acpipnpio.h | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/serio/i8042-acpipnpio.h b/drivers/input/serio/i8042-acpipnpio.h +index d4792950bcffd..49d87f56cb909 100644 +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -75,7 +75,7 @@ static inline void i8042_write_command(int val) + #define SERIO_QUIRK_PROBE_DEFER BIT(5) + #define SERIO_QUIRK_RESET_ALWAYS BIT(6) + #define SERIO_QUIRK_RESET_NEVER BIT(7) +-#define SERIO_QUIRK_DIECT BIT(8) ++#define SERIO_QUIRK_DIRECT BIT(8) + #define SERIO_QUIRK_DUMBKBD BIT(9) + #define SERIO_QUIRK_NOLOOP BIT(10) + #define SERIO_QUIRK_NOTIMEOUT BIT(11) +@@ -1295,6 +1295,20 @@ static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = { + .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | + SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) + }, ++ { ++ /* ++ * The Ayaneo Kun is a handheld device where some the buttons ++ * are handled by an AT keyboard. The keyboard is usually ++ * detected as raw, but sometimes, usually after a cold boot, ++ * it is detected as translated. Make sure that the keyboard ++ * is always in raw mode. 
++ */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "AYANEO"), ++ DMI_MATCH(DMI_BOARD_NAME, "KUN"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_DIRECT) ++ }, + { } + }; + +@@ -1613,7 +1627,7 @@ static void __init i8042_check_quirks(void) + if (quirks & SERIO_QUIRK_RESET_NEVER) + i8042_reset = I8042_RESET_NEVER; + } +- if (quirks & SERIO_QUIRK_DIECT) ++ if (quirks & SERIO_QUIRK_DIRECT) + i8042_direct = true; + if (quirks & SERIO_QUIRK_DUMBKBD) + i8042_dumbkbd = true; +-- +2.43.0 + diff --git a/queue-5.15/input-silead-always-support-10-fingers.patch b/queue-5.15/input-silead-always-support-10-fingers.patch new file mode 100644 index 00000000000..550b14d58f7 --- /dev/null +++ b/queue-5.15/input-silead-always-support-10-fingers.patch 
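Review bot: the new Ayaneo Kun entry in i8042_dmi_quirk_table[] uses DMI_EXACT_MATCH for the vendor but `DMI_MATCH(DMI_BOARD_NAME, "KUN")` for the board, and DMI_MATCH is a substring match, so any AYANEO board whose name contains "KUN" will get SERIO_QUIRK_DIRECT. Use DMI_EXACT_MATCH for the board name as well unless the wider match is intended. The patch also folds the SERIO_QUIRK_DIECT to SERIO_QUIRK_DIRECT rename into the same change; splitting the rename out would make the quirk addition easier to backport and revert. The added comment has a typo: "some the buttons".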
@@ -0,0 +1,100 @@ +From 0cfd755db44b002c499f8f8fbcc8c2c6358c38ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 May 2024 21:38:53 +0200 +Subject: Input: silead - Always support 10 fingers + +From: Hans de Goede + +[ Upstream commit 38a38f5a36da9820680d413972cb733349400532 ] + +When support for Silead touchscreens was orginal added some touchscreens +with older firmware versions only supported 5 fingers and this was made +the default requiring the setting of a "silead,max-fingers=10" uint32 +device-property for all touchscreen models which do support 10 fingers. + +There are very few models with the old 5 finger fw, so in practice the +setting of the "silead,max-fingers=10" is boilerplate which needs to +be copy and pasted to every touchscreen config. + +Reporting that 10 fingers are supported on devices which only support +5 fingers doesn't cause any problems for userspace in practice, since +at max 4 finger gestures are supported anyways. Drop the max_fingers +configuration and simply always assume 10 fingers. 
+ +Signed-off-by: Hans de Goede +Acked-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/20240525193854.39130-2-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/silead.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/input/touchscreen/silead.c b/drivers/input/touchscreen/silead.c +index 1ee760bac0cfa..3be59b7239a68 100644 +--- a/drivers/input/touchscreen/silead.c ++++ b/drivers/input/touchscreen/silead.c +@@ -70,7 +70,6 @@ struct silead_ts_data { + struct regulator_bulk_data regulators[2]; + char fw_name[64]; + struct touchscreen_properties prop; +- u32 max_fingers; + u32 chip_id; + struct input_mt_pos pos[SILEAD_MAX_FINGERS]; + int slots[SILEAD_MAX_FINGERS]; +@@ -98,7 +97,7 @@ static int silead_ts_request_input_dev(struct silead_ts_data *data) + input_set_abs_params(data->input, ABS_MT_POSITION_Y, 0, 4095, 0, 0); + touchscreen_parse_properties(data->input, true, &data->prop); + +- input_mt_init_slots(data->input, data->max_fingers, ++ input_mt_init_slots(data->input, SILEAD_MAX_FINGERS, + INPUT_MT_DIRECT | INPUT_MT_DROP_UNUSED | + INPUT_MT_TRACK); + +@@ -145,10 +144,10 @@ static void silead_ts_read_data(struct i2c_client *client) + return; + } + +- if (buf[0] > data->max_fingers) { ++ if (buf[0] > SILEAD_MAX_FINGERS) { + dev_warn(dev, "More touches reported then supported %d > %d\n", +- buf[0], data->max_fingers); +- buf[0] = data->max_fingers; ++ buf[0], SILEAD_MAX_FINGERS); ++ buf[0] = SILEAD_MAX_FINGERS; + } + + touch_nr = 0; +@@ -200,7 +199,6 @@ static void silead_ts_read_data(struct i2c_client *client) + + static int silead_ts_init(struct i2c_client *client) + { +- struct silead_ts_data *data = i2c_get_clientdata(client); + int error; + + error = i2c_smbus_write_byte_data(client, SILEAD_REG_RESET, +@@ -210,7 +208,7 @@ static int silead_ts_init(struct i2c_client *client) + usleep_range(SILEAD_CMD_SLEEP_MIN, SILEAD_CMD_SLEEP_MAX); + + error = 
i2c_smbus_write_byte_data(client, SILEAD_REG_TOUCH_NR, +- data->max_fingers); ++ SILEAD_MAX_FINGERS); + if (error) + goto i2c_write_err; + usleep_range(SILEAD_CMD_SLEEP_MIN, SILEAD_CMD_SLEEP_MAX); +@@ -437,13 +435,6 @@ static void silead_ts_read_props(struct i2c_client *client) + const char *str; + int error; + +- error = device_property_read_u32(dev, "silead,max-fingers", +- &data->max_fingers); +- if (error) { +- dev_dbg(dev, "Max fingers read error %d\n", error); +- data->max_fingers = 5; /* Most devices handle up-to 5 fingers */ +- } +- + error = device_property_read_string(dev, "firmware-name", &str); + if (!error) + snprintf(data->fw_name, sizeof(data->fw_name), +-- +2.43.0 + diff --git a/queue-5.15/kconfig-gconf-give-a-proper-initial-state-to-the-sav.patch b/queue-5.15/kconfig-gconf-give-a-proper-initial-state-to-the-sav.patch new file mode 100644 index 00000000000..7b172052171 --- /dev/null +++ b/queue-5.15/kconfig-gconf-give-a-proper-initial-state-to-the-sav.patch 
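Review bot: the changelog for the silead patch argues that advertising 10 fingers to userspace is harmless on 5-finger firmware, but silead_ts_init() now also writes SILEAD_MAX_FINGERS to SILEAD_REG_TOUCH_NR on every device, and the message does not say whether the old firmware accepts that value. Please state that this was checked on a 5-finger model, or keep the register write conservative. The clamp `if (buf[0] > SILEAD_MAX_FINGERS)` is correctly kept, since pos[] and slots[] are sized by the same constant. With the device_property_read_u32() call gone, an existing "silead,max-fingers" property is silently ignored, which is worth a line in the message.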
@@ -0,0 +1,46 @@ +From 81b467c418f9f5dfa241c722d0d436b14d88d43c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Jun 2024 03:20:40 +0900 +Subject: kconfig: gconf: give a proper initial state to the Save button + +From: Masahiro Yamada + +[ Upstream commit 46edf4372e336ef3a61c3126e49518099d2e2e6d ] + +Currently, the initial state of the "Save" button is always active. + +If none of the CONFIG options are changed while loading the .config +file, the "Save" button should be greyed out. + +This can be fixed by calling conf_read() after widget initialization. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/gconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c +index 17adabfd6e6bf..5d1404178e482 100644 +--- a/scripts/kconfig/gconf.c ++++ b/scripts/kconfig/gconf.c +@@ -1481,7 +1481,6 @@ int main(int ac, char *av[]) + + conf_parse(name); + fixup_rootmenu(&rootmenu); +- conf_read(NULL); + + /* Load the interface and connect signals */ + init_main_window(glade_file); +@@ -1489,6 +1488,8 @@ int main(int ac, char *av[]) + init_left_tree(); + init_right_tree(); + ++ conf_read(NULL); ++ + switch (view_mode) { + case SINGLE_VIEW: + display_tree_part(); +-- +2.43.0 + diff --git a/queue-5.15/kconfig-remove-wrong-expr_trans_bool.patch b/queue-5.15/kconfig-remove-wrong-expr_trans_bool.patch new file mode 100644 index 00000000000..aa88768a584 --- /dev/null +++ b/queue-5.15/kconfig-remove-wrong-expr_trans_bool.patch 
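Review bot: in main() of scripts/kconfig/gconf.c, the relocated `conf_read(NULL);` now depends on running after init_main_window(), init_left_tree() and init_right_tree(), but nothing at the new call site says so. Add a short comment that the call must follow widget initialisation for the Save button state to be set, otherwise a later cleanup can move it back and reintroduce the always-active button. The return value of conf_read() is still ignored, as before.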
@@ -0,0 +1,158 @@ +From fc90ca06757b1b8842f05d4ab10f0d801cd268a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 01:19:04 +0900 +Subject: kconfig: remove wrong expr_trans_bool() + +From: Masahiro Yamada + +[ Upstream commit 77a92660d8fe8d29503fae768d9f5eb529c88b36 ] + +expr_trans_bool() performs an incorrect transformation. + +[Test Code] + + config MODULES + def_bool y + modules + + config A + def_bool y + select C if B != n + + config B + def_tristate m + + config C + tristate + +[Result] + + CONFIG_MODULES=y + CONFIG_A=y + CONFIG_B=m + CONFIG_C=m + +This output is incorrect because CONFIG_C=y is expected. + +Documentation/kbuild/kconfig-language.rst clearly explains the function +of the '!=' operator: + + If the values of both symbols are equal, it returns 'n', + otherwise 'y'. + +Therefore, the statement: + + select C if B != n + +should be equivalent to: + + select C if y + +Or, more simply: + + select C + +Hence, the symbol C should be selected by the value of A, which is 'y'. + +However, expr_trans_bool() wrongly transforms it to: + + select C if B + +Therefore, the symbol C is selected by (A && B), which is 'm'. + +The comment block of expr_trans_bool() correctly explains its intention: + + * bool FOO!=n => FOO + ^^^^ + +If FOO is bool, FOO!=n can be simplified into FOO. This is correct. + +However, the actual code performs this transformation when FOO is +tristate: + + if (e->left.sym->type == S_TRISTATE) { + ^^^^^^^^^^ + +While it can be fixed to S_BOOLEAN, there is no point in doing so +because expr_tranform() already transforms FOO!=n to FOO when FOO is +bool. (see the "case E_UNEQUAL" part) + +expr_trans_bool() is wrong and unnecessary. 
+ +Signed-off-by: Masahiro Yamada +Acked-by: Randy Dunlap +Signed-off-by: Sasha Levin +--- + scripts/kconfig/expr.c | 29 ----------------------------- + scripts/kconfig/expr.h | 1 - + scripts/kconfig/menu.c | 2 -- + 3 files changed, 32 deletions(-) + +diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c +index 81ebf8108ca74..81dfdf4470f75 100644 +--- a/scripts/kconfig/expr.c ++++ b/scripts/kconfig/expr.c +@@ -396,35 +396,6 @@ static struct expr *expr_eliminate_yn(struct expr *e) + return e; + } + +-/* +- * bool FOO!=n => FOO +- */ +-struct expr *expr_trans_bool(struct expr *e) +-{ +- if (!e) +- return NULL; +- switch (e->type) { +- case E_AND: +- case E_OR: +- case E_NOT: +- e->left.expr = expr_trans_bool(e->left.expr); +- e->right.expr = expr_trans_bool(e->right.expr); +- break; +- case E_UNEQUAL: +- // FOO!=n -> FOO +- if (e->left.sym->type == S_TRISTATE) { +- if (e->right.sym == &symbol_no) { +- e->type = E_SYMBOL; +- e->right.sym = NULL; +- } +- } +- break; +- default: +- ; +- } +- return e; +-} +- + /* + * e1 || e2 -> ? 
+ */ +diff --git a/scripts/kconfig/expr.h b/scripts/kconfig/expr.h +index 9c9caca5bd5f2..c91060e19e477 100644 +--- a/scripts/kconfig/expr.h ++++ b/scripts/kconfig/expr.h +@@ -296,7 +296,6 @@ void expr_free(struct expr *e); + void expr_eliminate_eq(struct expr **ep1, struct expr **ep2); + int expr_eq(struct expr *e1, struct expr *e2); + tristate expr_calc_value(struct expr *e); +-struct expr *expr_trans_bool(struct expr *e); + struct expr *expr_eliminate_dups(struct expr *e); + struct expr *expr_transform(struct expr *e); + int expr_contains_symbol(struct expr *dep, struct symbol *sym); +diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c +index 606ba8a63c24e..8c53d9478be1f 100644 +--- a/scripts/kconfig/menu.c ++++ b/scripts/kconfig/menu.c +@@ -380,8 +380,6 @@ void menu_finalize(struct menu *parent) + dep = expr_transform(dep); + dep = expr_alloc_and(expr_copy(basedep), dep); + dep = expr_eliminate_dups(dep); +- if (menu->sym && menu->sym->type != S_TRISTATE) +- dep = expr_trans_bool(dep); + prop->visible.expr = dep; + + /* +-- +2.43.0 + diff --git a/queue-5.15/kvm-ppc-book3s-hv-prevent-uaf-in-kvm_spapr_tce_attac.patch b/queue-5.15/kvm-ppc-book3s-hv-prevent-uaf-in-kvm_spapr_tce_attac.patch new file mode 100644 index 00000000000..33c20cdcce8 --- /dev/null +++ b/queue-5.15/kvm-ppc-book3s-hv-prevent-uaf-in-kvm_spapr_tce_attac.patch 
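Review bot: the removal of expr_trans_bool() is consistent across expr.c, expr.h and the single caller in menu_finalize(), but the diffstat shows no test being added even though the changelog contains a complete reproducer (MODULES, A, B, C with `select C if B != n`). Turning that Kconfig fragment into a regression test would pin the expected CONFIG_C=y result. The changelog also refers to "expr_tranform()", which should read expr_transform().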
@@ -0,0 +1,148 @@ +From b36ae434f8f6624771e597bc25608162a3a1b3d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 22:29:10 +1000 +Subject: KVM: PPC: Book3S HV: Prevent UAF in + kvm_spapr_tce_attach_iommu_group() + +From: Michael Ellerman + +[ Upstream commit a986fa57fd81a1430e00b3c6cf8a325d6f894a63 ] + +Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). + +It looks up `stt` from tablefd, but then continues to use it after doing +fdput() on the returned fd. After the fdput() the tablefd is free to be +closed by another thread. The close calls kvm_spapr_tce_release() and +then release_spapr_tce_table() (via call_rcu()) which frees `stt`. + +Although there are calls to rcu_read_lock() in +kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent +the UAF, because `stt` is used outside the locked regions. + +With an artifcial delay after the fdput() and a userspace program which +triggers the race, KASAN detects the UAF: + + BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] + Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 + CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 + Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV + Call Trace: + dump_stack_lvl+0xb4/0x108 (unreliable) + print_report+0x2b4/0x6ec + kasan_report+0x118/0x2b0 + __asan_load4+0xb8/0xd0 + kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] + kvm_vfio_set_attr+0x524/0xac0 [kvm] + kvm_device_ioctl+0x144/0x240 [kvm] + sys_ioctl+0x62c/0x1810 + system_call_exception+0x190/0x440 + system_call_vectored_common+0x15c/0x2ec + ... + Freed by task 0: + ... 
+ kfree+0xec/0x3e0 + release_spapr_tce_table+0xd4/0x11c [kvm] + rcu_core+0x568/0x16a0 + handle_softirqs+0x23c/0x920 + do_softirq_own_stack+0x6c/0x90 + do_softirq_own_stack+0x58/0x90 + __irq_exit_rcu+0x218/0x2d0 + irq_exit+0x30/0x80 + arch_local_irq_restore+0x128/0x230 + arch_local_irq_enable+0x1c/0x30 + cpuidle_enter_state+0x134/0x5cc + cpuidle_enter+0x6c/0xb0 + call_cpuidle+0x7c/0x100 + do_idle+0x394/0x410 + cpu_startup_entry+0x60/0x70 + start_secondary+0x3fc/0x410 + start_secondary_prolog+0x10/0x14 + +Fix it by delaying the fdput() until `stt` is no longer in use, which +is effectively the entire function. To keep the patch minimal add a call +to fdput() at each of the existing return paths. Future work can convert +the function to goto or __cleanup style cleanup. + +With the fix in place the test case no longer triggers the UAF. + +Reported-by: Al Viro +Closes: https://lore.kernel.org/all/20240610024437.GA1464458@ZenIV/ +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240614122910.3499489-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_64_vio.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c +index 3cb2e05a7ee83..a8e5eefee794f 100644 +--- a/arch/powerpc/kvm/book3s_64_vio.c ++++ b/arch/powerpc/kvm/book3s_64_vio.c +@@ -117,14 +117,16 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd, + } + rcu_read_unlock(); + +- fdput(f); +- +- if (!found) ++ if (!found) { ++ fdput(f); + return -EINVAL; ++ } + + table_group = iommu_group_get_iommudata(grp); +- if (WARN_ON(!table_group)) ++ if (WARN_ON(!table_group)) { ++ fdput(f); + return -EFAULT; ++ } + + for (i = 0; i < IOMMU_TABLE_GROUP_MAX_TABLES; ++i) { + struct iommu_table *tbltmp = table_group->tables[i]; +@@ -145,8 +147,10 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd, + break; + } + } +- if (!tbl) ++ if (!tbl) 
{ ++ fdput(f); + return -EINVAL; ++ } + + rcu_read_lock(); + list_for_each_entry_rcu(stit, &stt->iommu_tables, next) { +@@ -157,6 +161,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd, + /* stit is being destroyed */ + iommu_tce_table_put(tbl); + rcu_read_unlock(); ++ fdput(f); + return -ENOTTY; + } + /* +@@ -164,6 +169,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd, + * its KVM reference counter and can return. + */ + rcu_read_unlock(); ++ fdput(f); + return 0; + } + rcu_read_unlock(); +@@ -171,6 +177,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd, + stit = kzalloc(sizeof(*stit), GFP_KERNEL); + if (!stit) { + iommu_tce_table_put(tbl); ++ fdput(f); + return -ENOMEM; + } + +@@ -179,6 +186,7 @@ extern long kvm_spapr_tce_attach_iommu_group(struct kvm *kvm, int tablefd, + + list_add_rcu(&stit->next, &stt->iommu_tables); + ++ fdput(f); + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.15/mei-demote-client-disconnect-warning-on-suspend-to-d.patch b/queue-5.15/mei-demote-client-disconnect-warning-on-suspend-to-d.patch new file mode 100644 index 00000000000..0622142c866 --- /dev/null +++ b/queue-5.15/mei-demote-client-disconnect-warning-on-suspend-to-d.patch 
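Review bot: in kvm_spapr_tce_attach_iommu_group() the fix adds fdput(f) by hand to every return path, eight call sites in all, so the lifetime of `stt` now depends on each future exit path remembering the same call. The changelog acknowledges this and defers a goto or __cleanup conversion, but for a use-after-free fix a single exit label would make the rule "no fdput() before the last use of stt" auditable in one place. The visible paths are correct, including the final one where fdput(f) follows `list_add_rcu(&stit->next, &stt->iommu_tables);`. There is no Fixes: tag, so it is unclear how far back the unsafe fdput() placement goes.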
@@ -0,0 +1,48 @@ +From aa39de1f6faf0bf010abc8daac3e54858ab8eb4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 12:14:15 +0300 +Subject: mei: demote client disconnect warning on suspend to debug + +From: Alexander Usyskin + +[ Upstream commit 1db5322b7e6b58e1b304ce69a50e9dca798ca95b ] + +Change level for the "not connected" client message in the write +callback from error to debug. + +The MEI driver currently disconnects all clients upon system suspend. +This behavior is by design and user-space applications with +open connections before the suspend are expected to handle errors upon +resume, by reopening their handles, reconnecting, +and retrying their operations. + +However, the current driver implementation logs an error message every +time a write operation is attempted on a disconnected client. +Since this is a normal and expected flow after system resume +logging this as an error can be misleading. + +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20240530091415.725247-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mei/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c +index 786f7c8f7f619..71f15fba21ad6 100644 +--- a/drivers/misc/mei/main.c ++++ b/drivers/misc/mei/main.c +@@ -327,7 +327,7 @@ static ssize_t mei_write(struct file *file, const char __user *ubuf, + } + + if (!mei_cl_is_connected(cl)) { +- cl_err(dev, cl, "is not connected"); ++ cl_dbg(dev, cl, "is not connected"); + rets = -ENODEV; + goto out; + } +-- +2.43.0 + diff --git a/queue-5.15/mips-fix-compat_sys_lseek-syscall.patch b/queue-5.15/mips-fix-compat_sys_lseek-syscall.patch new file mode 100644 index 00000000000..568c955b97a --- /dev/null +++ b/queue-5.15/mips-fix-compat_sys_lseek-syscall.patch 
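Review bot: in mei_write(), changing `cl_err(dev, cl, "is not connected");` to cl_dbg() demotes the message for every write on a disconnected client, not only for writes that follow a suspend, which is the sole case the changelog justifies. A client that was never connected, or that was disconnected for another reason, now fails with -ENODEV and leaves nothing in the log at default verbosity. If the driver can tell the suspend case apart, demote only that one; otherwise note in the message that the loss of the error in the other cases is accepted.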
@@ -0,0 +1,38 @@ +From ffc5da0460077f1d4e5d685936b75402d6511178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 18:23:04 +0200 +Subject: mips: fix compat_sys_lseek syscall + +From: Arnd Bergmann + +[ Upstream commit 0d5679a0aae2d8cda72169452c32e5cb88a7ab33 ] + +This is almost compatible, but passing a negative offset should result +in a EINVAL error, but on mips o32 compat mode would seek to a large +32-bit byte offset. + +Use compat_sys_lseek() to correctly sign-extend the argument. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl +index ec1119760cd3c..cd107ca10e69a 100644 +--- a/arch/mips/kernel/syscalls/syscall_o32.tbl ++++ b/arch/mips/kernel/syscalls/syscall_o32.tbl +@@ -27,7 +27,7 @@ + 17 o32 break sys_ni_syscall + # 18 was sys_stat + 18 o32 unused18 sys_ni_syscall +-19 o32 lseek sys_lseek ++19 o32 lseek sys_lseek compat_sys_lseek + 20 o32 getpid sys_getpid + 21 o32 mount sys_mount + 22 o32 umount sys_oldumount +-- +2.43.0 + diff --git a/queue-5.15/net-ipv6-rpl_iptunnel-block-bh-in-rpl_output-and-rpl.patch b/queue-5.15/net-ipv6-rpl_iptunnel-block-bh-in-rpl_output-and-rpl.patch new file mode 100644 index 00000000000..71f81dc82dc --- /dev/null +++ b/queue-5.15/net-ipv6-rpl_iptunnel-block-bh-in-rpl_output-and-rpl.patch 
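Review bot: the one-line change to entry 19 in syscall_o32.tbl is the whole fix, yet the changelog opens with "This is almost compatible" without saying what "This" is. State plainly that o32 compat callers were being routed to the native sys_lseek entry, so a negative 32-bit offset was not sign-extended. A sentence on how the expected EINVAL result was verified would help, and so would a Fixes: tag for deciding which stable trees need it.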
@@ -0,0 +1,93 @@ +From 37a6c7eeb418990470f5c0775cfc2b7d44a5ce85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 13:26:33 +0000 +Subject: net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() + +From: Eric Dumazet + +[ Upstream commit db0090c6eb12c31246438b7fe2a8f1b833e7a653 ] + +As explained in commit 1378817486d6 ("tipc: block BH +before using dst_cache"), net/core/dst_cache.c +helpers need to be called with BH disabled. + +Disabling preemption in rpl_output() is not good enough, +because rpl_output() is called from process context, +lwtunnel_output() only uses rcu_read_lock(). + +We might be interrupted by a softirq, re-enter rpl_output() +and corrupt dst_cache data structures. + +Fix the race by using local_bh_disable() instead of +preempt_disable(). + +Apply a similar change in rpl_input(). + +Signed-off-by: Eric Dumazet +Cc: Alexander Aring +Acked-by: Paolo Abeni +Link: https://lore.kernel.org/r/20240531132636.2637995-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/rpl_iptunnel.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c +index ff691d9f4a04f..26adbe7f8a2f0 100644 +--- a/net/ipv6/rpl_iptunnel.c ++++ b/net/ipv6/rpl_iptunnel.c +@@ -212,9 +212,9 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb) + if (unlikely(err)) + goto drop; + +- preempt_disable(); ++ local_bh_disable(); + dst = dst_cache_get(&rlwt->cache); +- preempt_enable(); ++ local_bh_enable(); + + if (unlikely(!dst)) { + struct ipv6hdr *hdr = ipv6_hdr(skb); +@@ -234,9 +234,9 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb) + goto drop; + } + +- preempt_disable(); ++ local_bh_disable(); + dst_cache_set_ip6(&rlwt->cache, dst, &fl6.saddr); +- preempt_enable(); ++ local_bh_enable(); + } + + skb_dst_drop(skb); +@@ -268,9 +268,8 @@ static int rpl_input(struct sk_buff *skb) + 
return err; + } + +- preempt_disable(); ++ local_bh_disable(); + dst = dst_cache_get(&rlwt->cache); +- preempt_enable(); + + skb_dst_drop(skb); + +@@ -278,14 +277,13 @@ static int rpl_input(struct sk_buff *skb) + ip6_route_input(skb); + dst = skb_dst(skb); + if (!dst->error) { +- preempt_disable(); + dst_cache_set_ip6(&rlwt->cache, dst, + &ipv6_hdr(skb)->saddr); +- preempt_enable(); + } + } else { + skb_dst_set(skb, dst); + } ++ local_bh_enable(); + + err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev)); + if (unlikely(err)) +-- +2.43.0 + diff --git a/queue-5.15/net-mac802154-fix-racy-device-stats-updates-by-dev_s.patch b/queue-5.15/net-mac802154-fix-racy-device-stats-updates-by-dev_s.patch new file mode 100644 index 00000000000..cf697efcefb --- /dev/null +++ b/queue-5.15/net-mac802154-fix-racy-device-stats-updates-by-dev_s.patch 
@@ -0,0 +1,51 @@ +From 51a0bc3983b391b87f5dd8ba6f1db58af4c392cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 16:07:39 +0800 +Subject: net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and + DEV_STATS_ADD() + +From: Yunshui Jiang + +[ Upstream commit b8ec0dc3845f6c9089573cb5c2c4b05f7fc10728 ] + +mac802154 devices update their dev->stats fields locklessly. Therefore +these counters should be updated atomically. Adopt SMP safe DEV_STATS_INC() +and DEV_STATS_ADD() to achieve this. + +Signed-off-by: Yunshui Jiang +Message-ID: <20240531080739.2608969-1-jiangyunshui@kylinos.cn> +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/tx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c +index c829e4a753256..7cea95d0b78f9 100644 +--- a/net/mac802154/tx.c ++++ b/net/mac802154/tx.c +@@ -34,8 +34,8 @@ void ieee802154_xmit_worker(struct work_struct *work) + if (res) + goto err_tx; + +- dev->stats.tx_packets++; +- dev->stats.tx_bytes += skb->len; ++ DEV_STATS_INC(dev, tx_packets); ++ DEV_STATS_ADD(dev, tx_bytes, skb->len); + + ieee802154_xmit_complete(&local->hw, skb, false); + +@@ -86,8 +86,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + goto err_tx; + } + +- dev->stats.tx_packets++; +- dev->stats.tx_bytes += len; ++ DEV_STATS_INC(dev, tx_packets); ++ DEV_STATS_ADD(dev, tx_bytes, len); + } else { + local->tx_skb = skb; + queue_work(local->workqueue, &local->tx_work); +-- +2.43.0 + diff --git a/queue-5.15/net-usb-qmi_wwan-add-telit-fn912-compositions.patch b/queue-5.15/net-usb-qmi_wwan-add-telit-fn912-compositions.patch new file mode 100644 index 00000000000..7bb03734bc7 --- /dev/null +++ b/queue-5.15/net-usb-qmi_wwan-add-telit-fn912-compositions.patch 
@@ -0,0 +1,88 @@ +From 1504ee63c32a0e50a8fb71ca7045c0cd4fe832cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 12:22:36 +0200 +Subject: net: usb: qmi_wwan: add Telit FN912 compositions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniele Palmas + +[ Upstream commit 77453e2b015b5ced5b3f45364dd5a72dfc3bdecb ] + +Add the following Telit FN912 compositions: + +0x3000: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=3000 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN912 +S: SerialNumber=92c4c4d8 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x3001: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb +T: Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=3001 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN912 +S: SerialNumber=92c4c4d8 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) 
Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniele Palmas +Acked-by: Bjørn Mork +Link: https://patch.msgid.link/20240625102236.69539-1-dnlplm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 9bd145732e58b..fb09e95cbc258 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1373,6 +1373,8 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x3000, 0)}, /* Telit FN912 series */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x3001, 0)}, /* Telit FN912 series */ + {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */ + {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */ + {QMI_FIXED_INTF(0x1c9e, 0x9b01, 3)}, /* XS Stick W100-2 from 4G Systems */ +-- +2.43.0 + 
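Review bot: the changelog of the qmi_wwan patch does not say why the two new products[] entries need QMI_QUIRK_SET_DTR rather than QMI_FIXED_INTF, which the Telewell entries just below use. The interface number 0 does match "If#= 0 ... Driver=qmi_wwan" in both device listings, so only a sentence on the DTR requirement for the FN912 is missing.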
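Review bot: in the rpl_input() hunks of the rpl_iptunnel patch, the BH-disabled section now runs from dst_cache_get() through ip6_route_input() and skb_dst_set() to a single local_bh_enable(), while rpl_output() still brackets dst_cache_get() and dst_cache_set_ip6() separately. The changelog only says "Apply a similar change in rpl_input()"; it should state that the section was widened on purpose and why the route lookup has to run with BH off, so that a later cleanup neither narrows it again nor copies the pattern elsewhere unexamined.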
diff --git a/queue-5.15/null_blk-fix-validation-of-block-size.patch b/queue-5.15/null_blk-fix-validation-of-block-size.patch new file mode 100644 index 00000000000..93a5954b816 --- /dev/null +++ b/queue-5.15/null_blk-fix-validation-of-block-size.patch @@ -0,0 +1,45 @@ +From bba57e7744800fbe5a9b40cb175eef7e342f1de3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2024 21:26:45 +0200 +Subject: null_blk: fix validation of block size + +From: Andreas Hindborg + +[ Upstream commit c462ecd659b5fce731f1d592285832fd6ad54053 ] + +Block size should be between 512 and PAGE_SIZE and be a power of 2. The current +check does not validate this, so update the check. + +Without this patch, null_blk would Oops due to a null pointer deref when +loaded with bs=1536 [1]. + +Link: https://lore.kernel.org/all/87wmn8mocd.fsf@metaspace.dk/ + +Signed-off-by: Andreas Hindborg +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20240603192645.977968-1-nmi@metaspace.dk +[axboe: remove unnecessary braces and != 0 check] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index ec78d9ad3e9bc..23c4a7b3d4e53 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -1749,8 +1749,8 @@ static int null_validate_conf(struct nullb_device *dev) + return -EINVAL; + } + +- dev->blocksize = round_down(dev->blocksize, 512); +- dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096); ++ if (blk_validate_block_size(dev->blocksize)) ++ return -EINVAL; + + if (dev->queue_mode == NULL_Q_MQ && dev->use_per_node_hctx) { + if (dev->submit_queues != nr_online_nodes) +-- +2.43.0 + diff --git a/queue-5.15/nvme-avoid-double-free-special-payload.patch b/queue-5.15/nvme-avoid-double-free-special-payload.patch new file mode 100644 index 00000000000..4a992fc5694 --- /dev/null 
+++ b/queue-5.15/nvme-avoid-double-free-special-payload.patch @@ -0,0 +1,37 @@ +From 834a6ca9b6a59c6e7cefcd6613f29e5b52b08200 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 18:02:08 +0800 +Subject: nvme: avoid double free special payload + +From: Chunguang Xu + +[ Upstream commit e5d574ab37f5f2e7937405613d9b1a724811e5ad ] + +If a discard request needs to be retried, and that retry may fail before +a new special payload is added, a double free will result. Clear the +RQF_SPECIAL_LOAD when the request is cleaned. + +Signed-off-by: Chunguang Xu +Reviewed-by: Sagi Grimberg +Reviewed-by: Max Gurtovoy +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 960a31e3307a2..93a19588ae92a 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -981,6 +981,7 @@ void nvme_cleanup_cmd(struct request *req) + clear_bit_unlock(0, &ctrl->discard_page_busy); + else + kfree(bvec_virt(&req->special_vec)); ++ req->rq_flags &= ~RQF_SPECIAL_PAYLOAD; + } + } + EXPORT_SYMBOL_GPL(nvme_cleanup_cmd); +-- +2.43.0 + diff --git a/queue-5.15/platform-x86-lg-laptop-change-acpi-device-id.patch b/queue-5.15/platform-x86-lg-laptop-change-acpi-device-id.patch new file mode 100644 index 00000000000..d6779c96ed2 --- /dev/null +++ b/queue-5.15/platform-x86-lg-laptop-change-acpi-device-id.patch 
@@ -0,0 +1,46 @@ +From bce2263370417eb359eda1b64160c5971fb606d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 01:35:39 +0200 +Subject: platform/x86: lg-laptop: Change ACPI device id +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 58a54f27a0dac81f7fd3514be01012635219a53c ] + +The LGEX0815 ACPI device id is used for handling hotkey events, but +this functionality is already handled by the wireless-hotkey driver. + +The LGEX0820 ACPI device id however is used to manage various +platform features using the WMAB/WMBB ACPI methods. Use this ACPI +device id to avoid blocking the wireless-hotkey driver from probing. + +Tested-by: Agathe Boutmy +Signed-off-by: Armin Wolf +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20240606233540.9774-4-W_Armin@gmx.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/lg-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c +index 96960f96f775c..807bd4283b979 100644 +--- a/drivers/platform/x86/lg-laptop.c ++++ b/drivers/platform/x86/lg-laptop.c +@@ -718,7 +718,7 @@ static int acpi_remove(struct acpi_device *device) + } + + static const struct acpi_device_id device_ids[] = { +- {"LGEX0815", 0}, ++ {"LGEX0820", 0}, + {"", 0} + }; + MODULE_DEVICE_TABLE(acpi, device_ids); +-- +2.43.0 + diff --git a/queue-5.15/platform-x86-lg-laptop-remove-lgex0815-hotkey-handli.patch b/queue-5.15/platform-x86-lg-laptop-remove-lgex0815-hotkey-handli.patch new file mode 100644 index 00000000000..31efb095a81 --- /dev/null +++ b/queue-5.15/platform-x86-lg-laptop-remove-lgex0815-hotkey-handli.patch 
@@ -0,0 +1,60 @@ +From ece3ad0c9691b609a8ed54df2c61ce3a339070df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 01:35:38 +0200 +Subject: platform/x86: lg-laptop: Remove LGEX0815 hotkey handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 413c204595ca98a4f33414a948c18d7314087342 ] + +The rfkill hotkey handling is already provided by the wireless-hotkey +driver. Remove the now unnecessary rfkill hotkey handling to avoid +duplicating functionality. + +The ACPI notify handler still prints debugging information when +receiving ACPI notifications to aid in reverse-engineering. + +Tested-by: Agathe Boutmy +Signed-off-by: Armin Wolf +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20240606233540.9774-3-W_Armin@gmx.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/lg-laptop.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c +index 88b551caeaaf4..96960f96f775c 100644 +--- a/drivers/platform/x86/lg-laptop.c ++++ b/drivers/platform/x86/lg-laptop.c +@@ -83,7 +83,6 @@ static const struct key_entry wmi_keymap[] = { + * this key both sends an event and + * changes backlight level. + */ +- {KE_KEY, 0x80, {KEY_RFKILL} }, + {KE_END, 0} + }; + +@@ -271,14 +270,7 @@ static void wmi_input_setup(void) + + static void acpi_notify(struct acpi_device *device, u32 event) + { +- struct key_entry *key; +- + acpi_handle_debug(device->handle, "notify: %d\n", event); +- if (inited & INIT_SPARSE_KEYMAP) { +- key = sparse_keymap_entry_from_scancode(wmi_input_dev, 0x80); +- if (key && key->type == KE_KEY) +- sparse_keymap_report_entry(wmi_input_dev, key, 1, true); +- } + } + + static ssize_t fan_mode_store(struct device *dev, +-- +2.43.0 + 
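Review bot: in the null_validate_conf() hunk of the null_blk patch, the new "return -EINVAL" after blk_validate_block_size() is silent and changes user-visible behaviour: values that the removed round_down()/clamp_t() pair quietly adjusted into the 512 to 4096 range are now rejected. Suggest logging the rejected dev->blocksize before returning and stating the behaviour change in the changelog, which currently mentions only the bs=1536 Oops.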
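Review bot: the changelog of the nvme patch names the flag RQF_SPECIAL_LOAD, but the line added to nvme_cleanup_cmd() clears RQF_SPECIAL_PAYLOAD. The message should use the flag name that appears in the code so the double-free fix can be found by searching for it.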
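Review bot: the changelog of the LGEX0815 hotkey removal covers only the ACPI notify path, but the first hunk also drops the {KE_KEY, 0x80, {KEY_RFKILL} } entry from wmi_keymap. The changelog should say that this entry was only ever reached from acpi_notify() and not from the WMI notification path that looks event codes up in the same keymap. It should also state the dependency on the wireless-hotkey change in this queue that adds LGEX0815, since applying this patch without it removes the rfkill key with no replacement.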
diff --git a/queue-5.15/platform-x86-lg-laptop-use-acpi-device-handle-when-e.patch b/queue-5.15/platform-x86-lg-laptop-use-acpi-device-handle-when-e.patch new file mode 100644 index 00000000000..3aa758ca7a6 --- /dev/null +++ b/queue-5.15/platform-x86-lg-laptop-use-acpi-device-handle-when-e.patch 
@@ -0,0 +1,311 @@ +From 573792e4223b9dd9000d1fe9f88d0387e031e24e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 01:35:40 +0200 +Subject: platform/x86: lg-laptop: Use ACPI device handle when evaluating + WMAB/WMBB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit b27ea279556121b54d3f45d0529706cf100cdb3a ] + +On the LG Gram 16Z90S, the WMAB and WMBB ACPI methods are not mapped +under \XINI, but instead are mapped under \_SB.XINI. + +The reason for this is that the LGEX0820 ACPI device used by this +driver is mapped at \_SB.XINI, so the ACPI methods where moved as well +to appear below the LGEX0820 ACPI device. + +Fix this by using the ACPI handle from the ACPI device when evaluating +both methods. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218901 +Tested-by: Agathe Boutmy +Signed-off-by: Armin Wolf +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20240606233540.9774-5-W_Armin@gmx.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/lg-laptop.c | 79 +++++++++++++------------------- + 1 file changed, 33 insertions(+), 46 deletions(-) + +diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c +index 807bd4283b979..5f9fbea8fc3c2 100644 +--- a/drivers/platform/x86/lg-laptop.c ++++ b/drivers/platform/x86/lg-laptop.c +@@ -37,8 +37,6 @@ MODULE_LICENSE("GPL"); + #define WMI_METHOD_WMBB "2B4F501A-BD3C-4394-8DCF-00A7D2BC8210" + #define WMI_EVENT_GUID WMI_EVENT_GUID0 + +-#define WMAB_METHOD "\\XINI.WMAB" +-#define WMBB_METHOD "\\XINI.WMBB" + #define SB_GGOV_METHOD "\\_SB.GGOV" + #define GOV_TLED 0x2020008 + #define WM_GET 1 +@@ -73,7 +71,7 @@ static u32 inited; + + static int battery_limit_use_wmbb; + static struct led_classdev kbd_backlight; +-static enum led_brightness get_kbd_backlight_level(void); ++static enum led_brightness get_kbd_backlight_level(struct 
device *dev); + + static const struct key_entry wmi_keymap[] = { + {KE_KEY, 0x70, {KEY_F15} }, /* LG control panel (F1) */ +@@ -126,11 +124,10 @@ static int ggov(u32 arg0) + return res; + } + +-static union acpi_object *lg_wmab(u32 method, u32 arg1, u32 arg2) ++static union acpi_object *lg_wmab(struct device *dev, u32 method, u32 arg1, u32 arg2) + { + union acpi_object args[3]; + acpi_status status; +- acpi_handle handle; + struct acpi_object_list arg; + struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; + +@@ -141,29 +138,22 @@ static union acpi_object *lg_wmab(u32 method, u32 arg1, u32 arg2) + args[2].type = ACPI_TYPE_INTEGER; + args[2].integer.value = arg2; + +- status = acpi_get_handle(NULL, (acpi_string) WMAB_METHOD, &handle); +- if (ACPI_FAILURE(status)) { +- pr_err("Cannot get handle"); +- return NULL; +- } +- + arg.count = 3; + arg.pointer = args; + +- status = acpi_evaluate_object(handle, NULL, &arg, &buffer); ++ status = acpi_evaluate_object(ACPI_HANDLE(dev), "WMAB", &arg, &buffer); + if (ACPI_FAILURE(status)) { +- acpi_handle_err(handle, "WMAB: call failed.\n"); ++ dev_err(dev, "WMAB: call failed.\n"); + return NULL; + } + + return buffer.pointer; + } + +-static union acpi_object *lg_wmbb(u32 method_id, u32 arg1, u32 arg2) ++static union acpi_object *lg_wmbb(struct device *dev, u32 method_id, u32 arg1, u32 arg2) + { + union acpi_object args[3]; + acpi_status status; +- acpi_handle handle; + struct acpi_object_list arg; + struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; + u8 buf[32]; +@@ -179,18 +169,12 @@ static union acpi_object *lg_wmbb(u32 method_id, u32 arg1, u32 arg2) + args[2].buffer.length = 32; + args[2].buffer.pointer = buf; + +- status = acpi_get_handle(NULL, (acpi_string)WMBB_METHOD, &handle); +- if (ACPI_FAILURE(status)) { +- pr_err("Cannot get handle"); +- return NULL; +- } +- + arg.count = 3; + arg.pointer = args; + +- status = acpi_evaluate_object(handle, NULL, &arg, &buffer); ++ status = 
acpi_evaluate_object(ACPI_HANDLE(dev), "WMBB", &arg, &buffer); + if (ACPI_FAILURE(status)) { +- acpi_handle_err(handle, "WMAB: call failed.\n"); ++ dev_err(dev, "WMBB: call failed.\n"); + return NULL; + } + +@@ -221,7 +205,7 @@ static void wmi_notify(u32 value, void *context) + + if (eventcode == 0x10000000) { + led_classdev_notify_brightness_hw_changed( +- &kbd_backlight, get_kbd_backlight_level()); ++ &kbd_backlight, get_kbd_backlight_level(kbd_backlight.dev->parent)); + } else { + key = sparse_keymap_entry_from_scancode( + wmi_input_dev, eventcode); +@@ -286,7 +270,7 @@ static ssize_t fan_mode_store(struct device *dev, + if (ret) + return ret; + +- r = lg_wmab(WM_FAN_MODE, WM_GET, 0); ++ r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0); + if (!r) + return -EIO; + +@@ -297,9 +281,9 @@ static ssize_t fan_mode_store(struct device *dev, + + m = r->integer.value; + kfree(r); +- r = lg_wmab(WM_FAN_MODE, WM_SET, (m & 0xffffff0f) | (value << 4)); ++ r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xffffff0f) | (value << 4)); + kfree(r); +- r = lg_wmab(WM_FAN_MODE, WM_SET, (m & 0xfffffff0) | value); ++ r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xfffffff0) | value); + kfree(r); + + return count; +@@ -311,7 +295,7 @@ static ssize_t fan_mode_show(struct device *dev, + unsigned int status; + union acpi_object *r; + +- r = lg_wmab(WM_FAN_MODE, WM_GET, 0); ++ r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0); + if (!r) + return -EIO; + +@@ -338,7 +322,7 @@ static ssize_t usb_charge_store(struct device *dev, + if (ret) + return ret; + +- r = lg_wmbb(WMBB_USB_CHARGE, WM_SET, value); ++ r = lg_wmbb(dev, WMBB_USB_CHARGE, WM_SET, value); + if (!r) + return -EIO; + +@@ -352,7 +336,7 @@ static ssize_t usb_charge_show(struct device *dev, + unsigned int status; + union acpi_object *r; + +- r = lg_wmbb(WMBB_USB_CHARGE, WM_GET, 0); ++ r = lg_wmbb(dev, WMBB_USB_CHARGE, WM_GET, 0); + if (!r) + return -EIO; + +@@ -380,7 +364,7 @@ static ssize_t reader_mode_store(struct device *dev, + if (ret) + return ret; + +- 
r = lg_wmab(WM_READER_MODE, WM_SET, value); ++ r = lg_wmab(dev, WM_READER_MODE, WM_SET, value); + if (!r) + return -EIO; + +@@ -394,7 +378,7 @@ static ssize_t reader_mode_show(struct device *dev, + unsigned int status; + union acpi_object *r; + +- r = lg_wmab(WM_READER_MODE, WM_GET, 0); ++ r = lg_wmab(dev, WM_READER_MODE, WM_GET, 0); + if (!r) + return -EIO; + +@@ -422,7 +406,7 @@ static ssize_t fn_lock_store(struct device *dev, + if (ret) + return ret; + +- r = lg_wmab(WM_FN_LOCK, WM_SET, value); ++ r = lg_wmab(dev, WM_FN_LOCK, WM_SET, value); + if (!r) + return -EIO; + +@@ -436,7 +420,7 @@ static ssize_t fn_lock_show(struct device *dev, + unsigned int status; + union acpi_object *r; + +- r = lg_wmab(WM_FN_LOCK, WM_GET, 0); ++ r = lg_wmab(dev, WM_FN_LOCK, WM_GET, 0); + if (!r) + return -EIO; + +@@ -466,9 +450,9 @@ static ssize_t battery_care_limit_store(struct device *dev, + union acpi_object *r; + + if (battery_limit_use_wmbb) +- r = lg_wmbb(WMBB_BATT_LIMIT, WM_SET, value); ++ r = lg_wmbb(&pf_device->dev, WMBB_BATT_LIMIT, WM_SET, value); + else +- r = lg_wmab(WM_BATT_LIMIT, WM_SET, value); ++ r = lg_wmab(&pf_device->dev, WM_BATT_LIMIT, WM_SET, value); + if (!r) + return -EIO; + +@@ -487,7 +471,7 @@ static ssize_t battery_care_limit_show(struct device *dev, + union acpi_object *r; + + if (battery_limit_use_wmbb) { +- r = lg_wmbb(WMBB_BATT_LIMIT, WM_GET, 0); ++ r = lg_wmbb(&pf_device->dev, WMBB_BATT_LIMIT, WM_GET, 0); + if (!r) + return -EIO; + +@@ -498,7 +482,7 @@ static ssize_t battery_care_limit_show(struct device *dev, + + status = r->buffer.pointer[0x10]; + } else { +- r = lg_wmab(WM_BATT_LIMIT, WM_GET, 0); ++ r = lg_wmab(&pf_device->dev, WM_BATT_LIMIT, WM_GET, 0); + if (!r) + return -EIO; + +@@ -540,7 +524,7 @@ static void tpad_led_set(struct led_classdev *cdev, + { + union acpi_object *r; + +- r = lg_wmab(WM_TLED, WM_SET, brightness > LED_OFF); ++ r = lg_wmab(cdev->dev->parent, WM_TLED, WM_SET, brightness > LED_OFF); + kfree(r); + } + +@@ -562,16 +546,16 @@ 
static void kbd_backlight_set(struct led_classdev *cdev, + val = 0; + if (brightness >= LED_FULL) + val = 0x24; +- r = lg_wmab(WM_KEY_LIGHT, WM_SET, val); ++ r = lg_wmab(cdev->dev->parent, WM_KEY_LIGHT, WM_SET, val); + kfree(r); + } + +-static enum led_brightness get_kbd_backlight_level(void) ++static enum led_brightness get_kbd_backlight_level(struct device *dev) + { + union acpi_object *r; + int val; + +- r = lg_wmab(WM_KEY_LIGHT, WM_GET, 0); ++ r = lg_wmab(dev, WM_KEY_LIGHT, WM_GET, 0); + + if (!r) + return LED_OFF; +@@ -599,7 +583,7 @@ static enum led_brightness get_kbd_backlight_level(void) + + static enum led_brightness kbd_backlight_get(struct led_classdev *cdev) + { +- return get_kbd_backlight_level(); ++ return get_kbd_backlight_level(cdev->dev->parent); + } + + static LED_DEVICE(kbd_backlight, 255, LED_BRIGHT_HW_CHANGED); +@@ -626,6 +610,11 @@ static struct platform_driver pf_driver = { + + static int acpi_add(struct acpi_device *device) + { ++ struct platform_device_info pdev_info = { ++ .fwnode = acpi_fwnode_handle(device), ++ .name = PLATFORM_NAME, ++ .id = PLATFORM_DEVID_NONE, ++ }; + int ret; + const char *product; + int year = 2017; +@@ -637,9 +626,7 @@ static int acpi_add(struct acpi_device *device) + if (ret) + return ret; + +- pf_device = platform_device_register_simple(PLATFORM_NAME, +- PLATFORM_DEVID_NONE, +- NULL, 0); ++ pf_device = platform_device_register_full(&pdev_info); + if (IS_ERR(pf_device)) { + ret = PTR_ERR(pf_device); + pf_device = NULL; +-- +2.43.0 + diff --git a/queue-5.15/platform-x86-wireless-hotkey-add-support-for-lg-airp.patch b/queue-5.15/platform-x86-wireless-hotkey-add-support-for-lg-airp.patch new file mode 100644 index 00000000000..5d098f076d6 --- /dev/null +++ b/queue-5.15/platform-x86-wireless-hotkey-add-support-for-lg-airp.patch 
@@ -0,0 +1,53 @@ +From f1babc8a0252697789a4056909420a7a1625d5ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 01:35:37 +0200 +Subject: platform/x86: wireless-hotkey: Add support for LG Airplane Button +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 151e78a0b89ee6dec93382dbdf5b1ef83f9c4716 ] + +The LGEX0815 ACPI device is used by the "LG Airplane Mode Button" +Windows driver for handling rfkill requests. When the ACPI device +receives an 0x80 ACPI notification, an rfkill event is to be +send to userspace. + +Add support for the LGEX0815 ACPI device to the driver. + +Tested-by: Agathe Boutmy +Signed-off-by: Armin Wolf +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20240606233540.9774-2-W_Armin@gmx.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wireless-hotkey.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/platform/x86/wireless-hotkey.c b/drivers/platform/x86/wireless-hotkey.c +index 11c60a2734468..61ae722643e5a 100644 +--- a/drivers/platform/x86/wireless-hotkey.c ++++ b/drivers/platform/x86/wireless-hotkey.c +@@ -19,6 +19,7 @@ MODULE_AUTHOR("Alex Hung"); + MODULE_ALIAS("acpi*:HPQ6001:*"); + MODULE_ALIAS("acpi*:WSTADEF:*"); + MODULE_ALIAS("acpi*:AMDI0051:*"); ++MODULE_ALIAS("acpi*:LGEX0815:*"); + + static struct input_dev *wl_input_dev; + +@@ -26,6 +27,7 @@ static const struct acpi_device_id wl_ids[] = { + {"HPQ6001", 0}, + {"WSTADEF", 0}, + {"AMDI0051", 0}, ++ {"LGEX0815", 0}, + {"", 0}, + }; + +-- +2.43.0 + diff --git a/queue-5.15/powerpc-eeh-avoid-possible-crash-when-edev-pdev-chan.patch b/queue-5.15/powerpc-eeh-avoid-possible-crash-when-edev-pdev-chan.patch new file mode 100644 index 00000000000..f15e279caf8 --- /dev/null +++ b/queue-5.15/powerpc-eeh-avoid-possible-crash-when-edev-pdev-chan.patch 
@@ -0,0 +1,50 @@ +From 384311d11ba517b637b374947995488301526ebb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 19:32:40 +0530 +Subject: powerpc/eeh: avoid possible crash when edev->pdev changes + +From: Ganesh Goudar + +[ Upstream commit a1216e62d039bf63a539bbe718536ec789a853dd ] + +If a PCI device is removed during eeh_pe_report_edev(), edev->pdev +will change and can cause a crash, hold the PCI rescan/remove lock +while taking a copy of edev->pdev->bus. + +Signed-off-by: Ganesh Goudar +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240617140240.580453-1-ganeshgr@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_pe.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c +index 845e024321d47..a856d9ba42d20 100644 +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -849,6 +849,7 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) + { + struct eeh_dev *edev; + struct pci_dev *pdev; ++ struct pci_bus *bus = NULL; + + if (pe->type & EEH_PE_PHB) + return pe->phb->bus; +@@ -859,9 +860,11 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) + + /* Retrieve the parent PCI bus of first (top) PCI device */ + edev = list_first_entry_or_null(&pe->edevs, struct eeh_dev, entry); ++ pci_lock_rescan_remove(); + pdev = eeh_dev_to_pci_dev(edev); + if (pdev) +- return pdev->bus; ++ bus = pdev->bus; ++ pci_unlock_rescan_remove(); + +- return NULL; ++ return bus; + } +-- +2.43.0 + diff --git a/queue-5.15/powerpc-pseries-whitelist-dtl-slub-object-for-copyin.patch b/queue-5.15/powerpc-pseries-whitelist-dtl-slub-object-for-copyin.patch new file mode 100644 index 00000000000..2d0fdd178a1 --- /dev/null +++ b/queue-5.15/powerpc-pseries-whitelist-dtl-slub-object-for-copyin.patch 
@@ -0,0 +1,77 @@ +From 038125b6e8054c6068a2cc15cc6103f05d90f593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 23:08:44 +0530 +Subject: powerpc/pseries: Whitelist dtl slub object for copying to userspace + +From: Anjali K + +[ Upstream commit 1a14150e1656f7a332a943154fc486504db4d586 ] + +Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-* +results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as +shown below. + + kernel BUG at mm/usercopy.c:102! + Oops: Exception in kernel mode, sig: 5 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc + scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse + CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85 + Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries + NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8 + REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3) + MSR: 8000000000029033 CR: 2828220f XER: 0000000e + CFAR: c0000000001fdc80 IRQMASK: 0 + [ ... GPRs omitted ... ] + NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0 + LR [c0000000005d23d0] usercopy_abort+0x74/0xb0 + Call Trace: + usercopy_abort+0x74/0xb0 (unreliable) + __check_heap_object+0xf8/0x120 + check_heap_object+0x218/0x240 + __check_object_size+0x84/0x1a4 + dtl_file_read+0x17c/0x2c4 + full_proxy_read+0x8c/0x110 + vfs_read+0xdc/0x3a0 + ksys_read+0x84/0x144 + system_call_exception+0x124/0x330 + system_call_vectored_common+0x15c/0x2ec + --- interrupt: 3000 at 0x7fff81f3ab34 + +Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0") +requires that only whitelisted areas in slab/slub objects can be copied to +userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY. +Dtl contains hypervisor dispatch events which are expected to be read by +privileged users. 
Hence mark this safe for user access. +Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the +entire object. + +Co-developed-by: Vishal Chourasia +Signed-off-by: Vishal Chourasia +Signed-off-by: Anjali K +Reviewed-by: Srikar Dronamraju +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240614173844.746818-1-anjalik@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/setup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index d25053755c8b8..309a72518ecc3 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -314,8 +314,8 @@ static int alloc_dispatch_log_kmem_cache(void) + { + void (*ctor)(void *) = get_dtl_cache_ctor(); + +- dtl_cache = kmem_cache_create("dtl", DISPATCH_LOG_BYTES, +- DISPATCH_LOG_BYTES, 0, ctor); ++ dtl_cache = kmem_cache_create_usercopy("dtl", DISPATCH_LOG_BYTES, ++ DISPATCH_LOG_BYTES, 0, 0, DISPATCH_LOG_BYTES, ctor); + if (!dtl_cache) { + pr_warn("Failed to create dispatch trace log buffer cache\n"); + pr_warn("Stolen time statistics will be unreliable\n"); +-- +2.43.0 + diff --git a/queue-5.15/riscv-stacktrace-fix-usage-of-ftrace_graph_ret_addr.patch b/queue-5.15/riscv-stacktrace-fix-usage-of-ftrace_graph_ret_addr.patch new file mode 100644 index 00000000000..c79f6df8668 --- /dev/null +++ b/queue-5.15/riscv-stacktrace-fix-usage-of-ftrace_graph_ret_addr.patch 
@@ -0,0 +1,49 @@ +From 67e8ffc11e313593fe1941073c59908e69cc4240 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 14:58:20 +0000 +Subject: riscv: stacktrace: fix usage of ftrace_graph_ret_addr() + +From: Puranjay Mohan + +[ Upstream commit 393da6cbb2ff89aadc47683a85269f913aa1c139 ] + +ftrace_graph_ret_addr() takes an `idx` integer pointer that is used to +optimize the stack unwinding. Pass it a valid pointer to utilize the +optimizations that might be available in the future. + +The commit is making riscv's usage of ftrace_graph_ret_addr() match +x86_64. + +Signed-off-by: Puranjay Mohan +Reviewed-by: Steven Rostedt (Google) +Link: https://lore.kernel.org/r/20240618145820.62112-1-puranjay@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/stacktrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c +index 94721c484d638..95b4ad1b6708c 100644 +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -34,6 +34,7 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, + bool (*fn)(void *, unsigned long), void *arg) + { + unsigned long fp, sp, pc; ++ int graph_idx = 0; + int level = 0; + + if (regs) { +@@ -70,7 +71,7 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs, + pc = regs->ra; + } else { + fp = frame->fp; +- pc = ftrace_graph_ret_addr(current, NULL, frame->ra, ++ pc = ftrace_graph_ret_addr(current, &graph_idx, frame->ra, + &frame->ra); + if (pc == (unsigned long)ret_from_exception) { + if (unlikely(!__kernel_text_address(pc) || !fn(arg, pc))) +-- +2.43.0 + diff --git a/queue-5.15/s390-sclp-fix-sclp_init-cleanup-on-failure.patch b/queue-5.15/s390-sclp-fix-sclp_init-cleanup-on-failure.patch new file mode 100644 index 00000000000..b9b7dee3b9a --- /dev/null +++ b/queue-5.15/s390-sclp-fix-sclp_init-cleanup-on-failure.patch 
@@ -0,0 +1,57 @@ +From f8a0232d646daa090a511432d3f495ba3d4b1788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jun 2024 18:09:01 +0200 +Subject: s390/sclp: Fix sclp_init() cleanup on failure + +From: Heiko Carstens + +[ Upstream commit 6434b33faaa063df500af355ee6c3942e0f8d982 ] + +If sclp_init() fails it only partially cleans up: if there are multiple +failing calls to sclp_init() sclp_state_change_event will be added several +times to sclp_reg_list, which results in the following warning: + +------------[ cut here ]------------ +list_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10. +WARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8 +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3 +Krnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 +... +Call Trace: + [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8 +([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8) + [<000003ffe0a8d37e>] sclp_init+0x40e/0x450 + [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0 + [<000003ffe15b77a6>] do_initcalls+0x126/0x150 + [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8 + [<000003ffe0d6650e>] kernel_init+0x2e/0x180 + [<000003ffe000301c>] __ret_from_fork+0x3c/0x60 + [<000003ffe0d759ca>] ret_from_fork+0xa/0x30 + +Fix this by removing sclp_state_change_event from sclp_reg_list when +sclp_init() fails. 
+ +Reviewed-by: Peter Oberparleiter +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/char/sclp.c b/drivers/s390/char/sclp.c +index 2cf7fe131ecec..0830ea42e7c80 100644 +--- a/drivers/s390/char/sclp.c ++++ b/drivers/s390/char/sclp.c +@@ -1292,6 +1292,7 @@ sclp_init(void) + fail_unregister_reboot_notifier: + unregister_reboot_notifier(&sclp_reboot_notifier); + fail_init_state_uninitialized: ++ list_del(&sclp_state_change_event.list); + sclp_init_state = sclp_init_state_uninitialized; + free_page((unsigned long) sclp_read_sccb); + free_page((unsigned long) sclp_init_sccb); +-- +2.43.0 + diff --git a/queue-5.15/scsi-core-alua-i-o-errors-for-alua-state-transitions.patch b/queue-5.15/scsi-core-alua-i-o-errors-for-alua-state-transitions.patch new file mode 100644 index 00000000000..c03012eaebc --- /dev/null +++ b/queue-5.15/scsi-core-alua-i-o-errors-for-alua-state-transitions.patch 
@@ -0,0 +1,110 @@ +From bf7cc28bebe552ba1fdd3db27242dbda1fa00ca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 May 2024 16:03:44 +0200 +Subject: scsi: core: alua: I/O errors for ALUA state transitions + +From: Martin Wilck + +[ Upstream commit 10157b1fc1a762293381e9145041253420dfc6ad ] + +When a host is configured with a few LUNs and I/O is running, injecting FC +faults repeatedly leads to path recovery problems. The LUNs have 4 paths +each and 3 of them come back active after say an FC fault which makes 2 of +the paths go down, instead of all 4. This happens after several iterations +of continuous FC faults. + +Reason here is that we're returning an I/O error whenever we're +encountering sense code 06/04/0a (LOGICAL UNIT NOT ACCESSIBLE, ASYMMETRIC +ACCESS STATE TRANSITION) instead of retrying. + +[mwilck: The original patch was developed by Rajashekhar M A and Hannes +Reinecke. I moved the code to alua_check_sense() as suggested by Mike +Christie [1]. Evan Milne had raised the question whether pg->state should +be set to transitioning in the UA case [2]. I believe that doing this is +correct. SCSI_ACCESS_STATE_TRANSITIONING by itself doesn't cause I/O +errors. Our handler schedules an RTPG, which will only result in an I/O +error condition if the transitioning timeout expires.] + +[1] https://lore.kernel.org/all/0bc96e82-fdda-4187-148d-5b34f81d4942@oracle.com/ +[2] https://lore.kernel.org/all/CAGtn9r=kicnTDE2o7Gt5Y=yoidHYD7tG8XdMHEBJTBraVEoOCw@mail.gmail.com/ + +Co-developed-by: Rajashekhar M A +Co-developed-by: Hannes Reinecke +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin Wilck +Link: https://lore.kernel.org/r/20240514140344.19538-1-mwilck@suse.com +Reviewed-by: Damien Le Moal +Reviewed-by: Christoph Hellwig +Reviewed-by: Mike Christie +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 31 +++++++++++++++------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index a9c4a5e2ccb90..60792f257c235 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -406,28 +406,40 @@ static char print_alua_state(unsigned char state) + } + } + +-static enum scsi_disposition alua_check_sense(struct scsi_device *sdev, +- struct scsi_sense_hdr *sense_hdr) ++static void alua_handle_state_transition(struct scsi_device *sdev) + { + struct alua_dh_data *h = sdev->handler_data; + struct alua_port_group *pg; + ++ rcu_read_lock(); ++ pg = rcu_dereference(h->pg); ++ if (pg) ++ pg->state = SCSI_ACCESS_STATE_TRANSITIONING; ++ rcu_read_unlock(); ++ alua_check(sdev, false); ++} ++ ++static enum scsi_disposition alua_check_sense(struct scsi_device *sdev, ++ struct scsi_sense_hdr *sense_hdr) ++{ + switch (sense_hdr->sense_key) { + case NOT_READY: + if (sense_hdr->asc == 0x04 && sense_hdr->ascq == 0x0a) { + /* + * LUN Not Accessible - ALUA state transition + */ +- rcu_read_lock(); +- pg = rcu_dereference(h->pg); +- if (pg) +- pg->state = SCSI_ACCESS_STATE_TRANSITIONING; +- rcu_read_unlock(); +- alua_check(sdev, false); ++ alua_handle_state_transition(sdev); + return NEEDS_RETRY; + } + break; + case UNIT_ATTENTION: ++ if (sense_hdr->asc == 0x04 && sense_hdr->ascq == 0x0a) { ++ /* ++ * LUN Not Accessible - ALUA state transition ++ */ ++ alua_handle_state_transition(sdev); ++ return NEEDS_RETRY; ++ } + if (sense_hdr->asc == 0x29 && sense_hdr->ascq == 0x00) { + /* + * Power On, Reset, or Bus Device Reset. 
+@@ -494,7 +506,8 @@ static int alua_tur(struct scsi_device *sdev) + + retval = scsi_test_unit_ready(sdev, ALUA_FAILOVER_TIMEOUT * HZ, + ALUA_FAILOVER_RETRIES, &sense_hdr); +- if (sense_hdr.sense_key == NOT_READY && ++ if ((sense_hdr.sense_key == NOT_READY || ++ sense_hdr.sense_key == UNIT_ATTENTION) && + sense_hdr.asc == 0x04 && sense_hdr.ascq == 0x0a) + return SCSI_DH_RETRY; + else if (retval) +-- +2.43.0 + diff --git a/queue-5.15/scsi-libsas-fix-exp-attached-device-scan-after-probe.patch b/queue-5.15/scsi-libsas-fix-exp-attached-device-scan-after-probe.patch new file mode 100644 index 00000000000..bd49735aec8 --- /dev/null +++ b/queue-5.15/scsi-libsas-fix-exp-attached-device-scan-after-probe.patch 
@@ -0,0 +1,75 @@ +From 3c879d466efb4069b752719c8b61e903cbeb0155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 09:17:42 +0000 +Subject: scsi: libsas: Fix exp-attached device scan after probe failure + scanned in again after probe failed + +From: Xingui Yang + +[ Upstream commit ab2068a6fb84751836a84c26ca72b3beb349619d ] + +The expander phy will be treated as broadcast flutter in the next +revalidation after the exp-attached end device probe failed, as follows: + +[78779.654026] sas: broadcast received: 0 +[78779.654037] sas: REVALIDATING DOMAIN on port 0, pid:10 +[78779.654680] sas: ex 500e004aaaaaaa1f phy05 change count has changed +[78779.662977] sas: ex 500e004aaaaaaa1f phy05 originated BROADCAST(CHANGE) +[78779.662986] sas: ex 500e004aaaaaaa1f phy05 new device attached +[78779.663079] sas: ex 500e004aaaaaaa1f phy05:U:8 attached: 500e004aaaaaaa05 (stp) +[78779.693542] hisi_sas_v3_hw 0000:b4:02.0: dev[16:5] found +[78779.701155] sas: done REVALIDATING DOMAIN on port 0, pid:10, res 0x0 +[78779.707864] sas: Enter sas_scsi_recover_host busy: 0 failed: 0 +... 
+[78835.161307] sas: --- Exit sas_scsi_recover_host: busy: 0 failed: 0 tries: 1 +[78835.171344] sas: sas_probe_sata: for exp-attached device 500e004aaaaaaa05 returned -19 +[78835.180879] hisi_sas_v3_hw 0000:b4:02.0: dev[16:5] is gone +[78835.187487] sas: broadcast received: 0 +[78835.187504] sas: REVALIDATING DOMAIN on port 0, pid:10 +[78835.188263] sas: ex 500e004aaaaaaa1f phy05 change count has changed +[78835.195870] sas: ex 500e004aaaaaaa1f phy05 originated BROADCAST(CHANGE) +[78835.195875] sas: ex 500e004aaaaaaa1f rediscovering phy05 +[78835.196022] sas: ex 500e004aaaaaaa1f phy05:U:A attached: 500e004aaaaaaa05 (stp) +[78835.196026] sas: ex 500e004aaaaaaa1f phy05 broadcast flutter +[78835.197615] sas: done REVALIDATING DOMAIN on port 0, pid:10, res 0x0 + +The cause of the problem is that the related ex_phy's attached_sas_addr was +not cleared after the end device probe failed, so reset it. + +Signed-off-by: Xingui Yang +Link: https://lore.kernel.org/r/20240619091742.25465-1-yangxingui@huawei.com +Reviewed-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_internal.h | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/scsi/libsas/sas_internal.h b/drivers/scsi/libsas/sas_internal.h +index d7a1fb5c10c6e..5028bc394c4f9 100644 +--- a/drivers/scsi/libsas/sas_internal.h ++++ b/drivers/scsi/libsas/sas_internal.h +@@ -111,6 +111,20 @@ static inline void sas_fail_probe(struct domain_device *dev, const char *func, i + func, dev->parent ? 
"exp-attached" : + "direct-attached", + SAS_ADDR(dev->sas_addr), err); ++ ++ /* ++ * If the device probe failed, the expander phy attached address ++ * needs to be reset so that the phy will not be treated as flutter ++ * in the next revalidation ++ */ ++ if (dev->parent && !dev_is_expander(dev->dev_type)) { ++ struct sas_phy *phy = dev->phy; ++ struct domain_device *parent = dev->parent; ++ struct ex_phy *ex_phy = &parent->ex_dev.ex_phy[phy->number]; ++ ++ memset(ex_phy->attached_sas_addr, 0, SAS_ADDR_SIZE); ++ } ++ + sas_unregister_dev(dev->port, dev); + } + +-- +2.43.0 + diff --git a/queue-5.15/scsi-qedf-don-t-process-stag-work-during-unload-and-.patch b/queue-5.15/scsi-qedf-don-t-process-stag-work-during-unload-and-.patch new file mode 100644 index 00000000000..9310320f412 --- /dev/null +++ b/queue-5.15/scsi-qedf-don-t-process-stag-work-during-unload-and-.patch 
@@ -0,0 +1,51 @@ +From 7461e34786341594eae2f381e3ed783848f1d998 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 14:40:59 +0530 +Subject: scsi: qedf: Don't process stag work during unload and recovery + +From: Saurav Kashyap + +[ Upstream commit 51071f0831ea975fc045526dd7e17efe669dc6e1 ] + +Stag work can cause issues during unload and recovery, hence don't process +it. + +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20240515091101.18754-2-skashyap@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_main.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 18380a932ab61..ab43e15fa8f36 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -4001,6 +4001,22 @@ void qedf_stag_change_work(struct work_struct *work) + struct qedf_ctx *qedf = + container_of(work, struct qedf_ctx, stag_work.work); + ++ if (!qedf) { ++ QEDF_ERR(&qedf->dbg_ctx, "qedf is NULL"); ++ return; ++ } ++ ++ if (test_bit(QEDF_IN_RECOVERY, &qedf->flags)) { ++ QEDF_ERR(&qedf->dbg_ctx, ++ "Already is in recovery, hence not calling software context reset.\n"); ++ return; ++ } ++ ++ if (test_bit(QEDF_UNLOADING, &qedf->flags)) { ++ QEDF_ERR(&qedf->dbg_ctx, "Driver unloading\n"); ++ return; ++ } ++ + printk_ratelimited("[%s]:[%s:%d]:%d: Performing software context reset.", + dev_name(&qedf->pdev->dev), __func__, __LINE__, + qedf->dbg_ctx.host_no); +-- +2.43.0 + diff --git a/queue-5.15/scsi-qedf-set-qed_slowpath_params-to-zero-before-use.patch b/queue-5.15/scsi-qedf-set-qed_slowpath_params-to-zero-before-use.patch new file mode 100644 index 00000000000..8ae30f688c7 --- /dev/null +++ b/queue-5.15/scsi-qedf-set-qed_slowpath_params-to-zero-before-use.patch 
@@ -0,0 +1,35 @@ +From 3e42d733829a8dc1f15b758fa911b2bb0f1d88a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 14:41:01 +0530 +Subject: scsi: qedf: Set qed_slowpath_params to zero before use + +From: Saurav Kashyap + +[ Upstream commit 6c3bb589debd763dc4b94803ddf3c13b4fcca776 ] + +Zero qed_slowpath_params before use. + +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20240515091101.18754-4-skashyap@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 1900acfee88ed..690d3464f8766 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -3477,6 +3477,7 @@ static int __qedf_probe(struct pci_dev *pdev, int mode) + } + + /* Start the Slowpath-process */ ++ memset(&slowpath_params, 0, sizeof(struct qed_slowpath_params)); + slowpath_params.int_mode = QED_INT_MODE_MSIX; + slowpath_params.drv_major = QEDF_DRIVER_MAJOR_VER; + slowpath_params.drv_minor = QEDF_DRIVER_MINOR_VER; +-- +2.43.0 + diff --git a/queue-5.15/scsi-qedf-wait-for-stag-work-during-unload.patch b/queue-5.15/scsi-qedf-wait-for-stag-work-during-unload.patch new file mode 100644 index 00000000000..9ae04d77c27 --- /dev/null +++ b/queue-5.15/scsi-qedf-wait-for-stag-work-during-unload.patch 
@@ -0,0 +1,130 @@ +From 4dd92c4c98c066582e3ab80fa5922c7ac617bbd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 14:41:00 +0530 +Subject: scsi: qedf: Wait for stag work during unload + +From: Saurav Kashyap + +[ Upstream commit 78e88472b60936025b83eba57cffa59d3501dc07 ] + +If stag work is already scheduled and unload is called, it can lead to +issues as unload cleans up the work element. Wait for stag work to get +completed before cleanup during unload. + +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20240515091101.18754-3-skashyap@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf.h | 1 + + drivers/scsi/qedf/qedf_main.c | 30 +++++++++++++++++++++++++++--- + 2 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf.h b/drivers/scsi/qedf/qedf.h +index ba94413fe2ead..1d457831f153c 100644 +--- a/drivers/scsi/qedf/qedf.h ++++ b/drivers/scsi/qedf/qedf.h +@@ -354,6 +354,7 @@ struct qedf_ctx { + #define QEDF_IN_RECOVERY 5 + #define QEDF_DBG_STOP_IO 6 + #define QEDF_PROBING 8 ++#define QEDF_STAG_IN_PROGRESS 9 + unsigned long flags; /* Miscellaneous state flags */ + int fipvlan_retries; + u8 num_queues; +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index ab43e15fa8f36..1900acfee88ed 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -318,11 +318,18 @@ static struct fc_seq *qedf_elsct_send(struct fc_lport *lport, u32 did, + */ + if (resp == fc_lport_flogi_resp) { + qedf->flogi_cnt++; ++ qedf->flogi_pending++; ++ ++ if (test_bit(QEDF_UNLOADING, &qedf->flags)) { ++ QEDF_ERR(&qedf->dbg_ctx, "Driver unloading\n"); ++ qedf->flogi_pending = 0; ++ } ++ + if (qedf->flogi_pending >= QEDF_FLOGI_RETRY_CNT) { + schedule_delayed_work(&qedf->stag_work, 2); + return NULL; + } +- qedf->flogi_pending++; ++ + return fc_elsct_send(lport, did, fp, op, qedf_flogi_resp, + arg, 
timeout); + } +@@ -911,13 +918,14 @@ void qedf_ctx_soft_reset(struct fc_lport *lport) + struct qedf_ctx *qedf; + struct qed_link_output if_link; + ++ qedf = lport_priv(lport); ++ + if (lport->vport) { ++ clear_bit(QEDF_STAG_IN_PROGRESS, &qedf->flags); + printk_ratelimited("Cannot issue host reset on NPIV port.\n"); + return; + } + +- qedf = lport_priv(lport); +- + qedf->flogi_pending = 0; + /* For host reset, essentially do a soft link up/down */ + atomic_set(&qedf->link_state, QEDF_LINK_DOWN); +@@ -937,6 +945,7 @@ void qedf_ctx_soft_reset(struct fc_lport *lport) + if (!if_link.link_up) { + QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, + "Physical link is not up.\n"); ++ clear_bit(QEDF_STAG_IN_PROGRESS, &qedf->flags); + return; + } + /* Flush and wait to make sure link down is processed */ +@@ -949,6 +958,7 @@ void qedf_ctx_soft_reset(struct fc_lport *lport) + "Queue link up work.\n"); + queue_delayed_work(qedf->link_update_wq, &qedf->link_update, + 0); ++ clear_bit(QEDF_STAG_IN_PROGRESS, &qedf->flags); + } + + /* Reset the host by gracefully logging out and then logging back in */ +@@ -3725,6 +3735,7 @@ static void __qedf_remove(struct pci_dev *pdev, int mode) + { + struct qedf_ctx *qedf; + int rc; ++ int cnt = 0; + + if (!pdev) { + QEDF_ERR(NULL, "pdev is NULL.\n"); +@@ -3742,6 +3753,17 @@ static void __qedf_remove(struct pci_dev *pdev, int mode) + return; + } + ++stag_in_prog: ++ if (test_bit(QEDF_STAG_IN_PROGRESS, &qedf->flags)) { ++ QEDF_ERR(&qedf->dbg_ctx, "Stag in progress, cnt=%d.\n", cnt); ++ cnt++; ++ ++ if (cnt < 5) { ++ msleep(500); ++ goto stag_in_prog; ++ } ++ } ++ + if (mode != QEDF_MODE_RECOVERY) + set_bit(QEDF_UNLOADING, &qedf->flags); + +@@ -4017,6 +4039,8 @@ void qedf_stag_change_work(struct work_struct *work) + return; + } + ++ set_bit(QEDF_STAG_IN_PROGRESS, &qedf->flags); ++ + printk_ratelimited("[%s]:[%s:%d]:%d: Performing software context reset.", + dev_name(&qedf->pdev->dev), __func__, __LINE__, + qedf->dbg_ctx.host_no); +-- +2.43.0 + 
diff --git a/queue-5.15/selftests-openat2-fix-build-warnings-on-ppc64.patch b/queue-5.15/selftests-openat2-fix-build-warnings-on-ppc64.patch new file mode 100644 index 00000000000..34a5a66544c --- /dev/null +++ b/queue-5.15/selftests-openat2-fix-build-warnings-on-ppc64.patch @@ -0,0 +1,44 @@ +From 1741e73ffe207c66431af6be81603138f9f3a676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 13:03:25 +1000 +Subject: selftests/openat2: Fix build warnings on ppc64 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit 84b6df4c49a1cc2854a16937acd5fd3e6315d083 ] + +Fix warnings like: + + openat2_test.c: In function ‘test_openat2_flags’: + openat2_test.c:303:73: warning: format ‘%llX’ expects argument of type + ‘long long unsigned int’, but argument 5 has type ‘__u64’ {aka ‘long + unsigned int’} [-Wformat=] + +By switching to unsigned long long for u64 for ppc64 builds. + +Signed-off-by: Michael Ellerman +Reviewed-by: Muhammad Usama Anjum +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/openat2/openat2_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/openat2/openat2_test.c b/tools/testing/selftests/openat2/openat2_test.c +index 7fb902099de45..f9d2b0ec77564 100644 +--- a/tools/testing/selftests/openat2/openat2_test.c ++++ b/tools/testing/selftests/openat2/openat2_test.c +@@ -5,6 +5,7 @@ + */ + + #define _GNU_SOURCE ++#define __SANE_USERSPACE_TYPES__ // Use ll64 + #include + #include + #include +-- +2.43.0 + diff --git a/queue-5.15/selftests-vdso-fix-clang-build-errors-and-warnings.patch b/queue-5.15/selftests-vdso-fix-clang-build-errors-and-warnings.patch new file mode 100644 index 00000000000..92092b9c451 --- /dev/null +++ b/queue-5.15/selftests-vdso-fix-clang-build-errors-and-warnings.patch 
@@ -0,0 +1,123 @@ +From 9524010a56c419e62e66154c0c8dfd87c8efbc17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jul 2024 09:57:34 -1000 +Subject: selftests/vDSO: fix clang build errors and warnings + +From: John Hubbard + +[ Upstream commit 73810cd45b99c6c418e1c6a487b52c1e74edb20d ] + +When building with clang, via: + + make LLVM=1 -C tools/testing/selftests + +...there are several warnings, and an error. This fixes all of those and +allows these tests to run and pass. + +1. Fix linker error (undefined reference to memcpy) by providing a local + version of memcpy. + +2. clang complains about using this form: + + if (g = h & 0xf0000000) + +...so factor out the assignment into a separate step. + +3. The code is passing a signed const char* to elf_hash(), which expects + a const unsigned char *. There are several callers, so fix this at + the source by allowing the function to accept a signed argument, and + then converting to unsigned operations, once inside the function. + +4. clang doesn't have __attribute__((externally_visible)) and generates + a warning to that effect. Fortunately, gcc 12 and gcc 13 do not seem + to require that attribute in order to build, run and pass tests here, + so remove it. 
+ +Reviewed-by: Carlos Llamas +Reviewed-by: Edward Liaw +Reviewed-by: Muhammad Usama Anjum +Tested-by: Muhammad Usama Anjum +Signed-off-by: John Hubbard +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/parse_vdso.c | 16 +++++++++++----- + .../selftests/vDSO/vdso_standalone_test_x86.c | 18 ++++++++++++++++-- + 2 files changed, 27 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c +index 413f75620a35b..4ae417372e9eb 100644 +--- a/tools/testing/selftests/vDSO/parse_vdso.c ++++ b/tools/testing/selftests/vDSO/parse_vdso.c +@@ -55,14 +55,20 @@ static struct vdso_info + ELF(Verdef) *verdef; + } vdso_info; + +-/* Straight from the ELF specification. */ +-static unsigned long elf_hash(const unsigned char *name) ++/* ++ * Straight from the ELF specification...and then tweaked slightly, in order to ++ * avoid a few clang warnings. ++ */ ++static unsigned long elf_hash(const char *name) + { + unsigned long h = 0, g; +- while (*name) ++ const unsigned char *uch_name = (const unsigned char *)name; ++ ++ while (*uch_name) + { +- h = (h << 4) + *name++; +- if (g = h & 0xf0000000) ++ h = (h << 4) + *uch_name++; ++ g = h & 0xf0000000; ++ if (g) + h ^= g >> 24; + h &= ~g; + } +diff --git a/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c b/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c +index 8a44ff973ee17..27f6fdf119691 100644 +--- a/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c ++++ b/tools/testing/selftests/vDSO/vdso_standalone_test_x86.c +@@ -18,7 +18,7 @@ + + #include "parse_vdso.h" + +-/* We need a libc functions... */ ++/* We need some libc functions... */ + int strcmp(const char *a, const char *b) + { + /* This implementation is buggy: it never returns -1. */ +@@ -34,6 +34,20 @@ int strcmp(const char *a, const char *b) + return 0; + } + ++/* ++ * The clang build needs this, although gcc does not. ++ * Stolen from lib/string.c. 
++ */ ++void *memcpy(void *dest, const void *src, size_t count) ++{ ++ char *tmp = dest; ++ const char *s = src; ++ ++ while (count--) ++ *tmp++ = *s++; ++ return dest; ++} ++ + /* ...and two syscalls. This is x86-specific. */ + static inline long x86_syscall3(long nr, long a0, long a1, long a2) + { +@@ -70,7 +84,7 @@ void to_base10(char *lastdig, time_t n) + } + } + +-__attribute__((externally_visible)) void c_main(void **stack) ++void c_main(void **stack) + { + /* Parse the stack */ + long argc = (long)*stack; +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 17637ed2a37..b2aef28c25b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -1,2 +1,59 @@ gcc-plugins-rename-last_stmt-for-gcc-14.patch filelock-remove-locks-reliably-when-fcntl-close-race-is-detected.patch +scsi-core-alua-i-o-errors-for-alua-state-transitions.patch +scsi-qedf-don-t-process-stag-work-during-unload-and-.patch +scsi-qedf-wait-for-stag-work-during-unload.patch +scsi-qedf-set-qed_slowpath_params-to-zero-before-use.patch +acpi-ec-abort-address-space-access-upon-error.patch +acpi-ec-avoid-returning-ae_ok-on-errors-in-address-s.patch +tools-power-cpupower-fix-pstate-frequency-reporting-.patch +wifi-mac80211-mesh-init-nonpeer_pm-to-active-by-defa.patch +wifi-mac80211-handle-tasklet-frames-before-stopping.patch +wifi-iwlwifi-mvm-d3-fix-wowlan-command-version-looku.patch +wifi-iwlwifi-mvm-handle-bigtk-cipher-in-kek_kck-cmd.patch +wifi-iwlwifi-mvm-properly-set-6-ghz-channel-direct-p.patch +wifi-mac80211-fix-ubsan-noise-in-ieee80211_prep_hw_s.patch +selftests-openat2-fix-build-warnings-on-ppc64.patch +input-silead-always-support-10-fingers.patch +net-ipv6-rpl_iptunnel-block-bh-in-rpl_output-and-rpl.patch +ila-block-bh-in-ila_output.patch +arm64-armv8_deprecated-fix-warning-in-isndep-cpuhp-s.patch +null_blk-fix-validation-of-block-size.patch +kconfig-gconf-give-a-proper-initial-state-to-the-sav.patch +kconfig-remove-wrong-expr_trans_bool.patch +fs-file-fix-the-check-in-find_next_fd.patch +mei-demote-client-disconnect-warning-on-suspend-to-d.patch +nvme-avoid-double-free-special-payload.patch +wifi-cfg80211-wext-add-extra-siocsiwscan-data-check.patch +kvm-ppc-book3s-hv-prevent-uaf-in-kvm_spapr_tce_attac.patch +drm-vmwgfx-fix-missing-hypervisor_guest-dependency.patch +alsa-hda-realtek-add-more-codec-id-to-no-shutup-pins.patch +mips-fix-compat_sys_lseek-syscall.patch +input-elantech-fix-touchpad-state-on-resume-for-leno.patch +input-i8042-add-ayaneo-kun-to-i8042-quirk-table.patch +bytcr_rt5640-inverse-jack-detect-for-archos-101-cesi.patch +alsa-dmaengine-synchronize-dma-channel-after-drop.patch 
+asoc-ti-davinci-mcasp-set-min-period-size-using-fifo.patch +asoc-ti-omap-hdmi-fix-too-long-driver-name.patch +can-kvaser_usb-fix-return-value-for-hif_usb_send_reg.patch +s390-sclp-fix-sclp_init-cleanup-on-failure.patch +platform-x86-wireless-hotkey-add-support-for-lg-airp.patch +platform-x86-lg-laptop-remove-lgex0815-hotkey-handli.patch +platform-x86-lg-laptop-change-acpi-device-id.patch +platform-x86-lg-laptop-use-acpi-device-handle-when-e.patch +btrfs-qgroup-fix-quota-root-leak-after-quota-disable.patch +alsa-hda-relatek-enable-mute-led-on-hp-laptop-15-gw0.patch +alsa-dmaengine_pcm-terminate-dmaengine-before-synchr.patch +net-usb-qmi_wwan-add-telit-fn912-compositions.patch +net-mac802154-fix-racy-device-stats-updates-by-dev_s.patch +powerpc-pseries-whitelist-dtl-slub-object-for-copyin.patch +powerpc-eeh-avoid-possible-crash-when-edev-pdev-chan.patch +scsi-libsas-fix-exp-attached-device-scan-after-probe.patch +bluetooth-hci_core-cancel-all-works-upon-hci_unregis.patch +drm-radeon-check-bo_va-bo-is-non-null-before-using-i.patch +fs-better-handle-deep-ancestor-chains-in-is_subdir.patch +riscv-stacktrace-fix-usage-of-ftrace_graph_ret_addr.patch +spi-imx-don-t-expect-dma-for-i.mx-25-35-50-51-53-csp.patch +selftests-vdso-fix-clang-build-errors-and-warnings.patch +hfsplus-fix-uninit-value-in-copy_name.patch +spi-mux-set-ctlr-bits_per_word_mask.patch diff --git a/queue-5.15/spi-imx-don-t-expect-dma-for-i.mx-25-35-50-51-53-csp.patch b/queue-5.15/spi-imx-don-t-expect-dma-for-i.mx-25-35-50-51-53-csp.patch new file mode 100644 index 00000000000..48a354a9ea5 --- /dev/null +++ b/queue-5.15/spi-imx-don-t-expect-dma-for-i.mx-25-35-50-51-53-csp.patch 
@@ -0,0 +1,50 @@ +From eaf797a4c00646fc44ac869611846d27e70a4d9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 11:56:10 +0200 +Subject: spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit ce1dac560a74220f2e53845ec0723b562288aed4 ] + +While in commit 2dd33f9cec90 ("spi: imx: support DMA for imx35") it was +claimed that DMA works on i.MX25, i.MX31 and i.MX35 the respective +device trees don't add DMA channels. The Reference manuals of i.MX31 and +i.MX25 also don't mention the CSPI core being DMA capable. (I didn't +check the others.) + +Since commit e267a5b3ec59 ("spi: spi-imx: Use dev_err_probe for failed +DMA channel requests") this results in an error message + + spi_imx 43fa4000.spi: error -ENODEV: can't get the TX DMA channel! + +during boot. However that isn't fatal and the driver gets loaded just +fine, just without using DMA. + +Signed-off-by: Uwe Kleine-König +Link: https://patch.msgid.link/20240508095610.2146640-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index f201653931d89..c806ee8070e5a 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1016,7 +1016,7 @@ static struct spi_imx_devtype_data imx35_cspi_devtype_data = { + .rx_available = mx31_rx_available, + .reset = mx31_reset, + .fifo_size = 8, +- .has_dmamode = true, ++ .has_dmamode = false, + .dynamic_burst = false, + .has_slavemode = false, + .devtype = IMX35_CSPI, +-- +2.43.0 + diff --git a/queue-5.15/spi-mux-set-ctlr-bits_per_word_mask.patch b/queue-5.15/spi-mux-set-ctlr-bits_per_word_mask.patch new file mode 100644 index 00000000000..ed72925dca1 --- /dev/null +++ b/queue-5.15/spi-mux-set-ctlr-bits_per_word_mask.patch 
@@ -0,0 +1,36 @@ +From 7b6fd7245efd0f835a2b9f34ad1c35676b089080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 20:05:30 -0500 +Subject: spi: mux: set ctlr->bits_per_word_mask + +From: David Lechner + +[ Upstream commit c8bd922d924bb4ab6c6c488310157d1a27996f31 ] + +Like other SPI controller flags, bits_per_word_mask may be used by a +peripheral driver, so it needs to reflect the capabilities of the +underlying controller. + +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20240708-spi-mux-fix-v1-3-6c8845193128@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mux.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-mux.c b/drivers/spi/spi-mux.c +index f5d32ec4634e3..e1af2d8ed51a6 100644 +--- a/drivers/spi/spi-mux.c ++++ b/drivers/spi/spi-mux.c +@@ -156,6 +156,7 @@ static int spi_mux_probe(struct spi_device *spi) + /* supported modes are the same as our parent's */ + ctlr->mode_bits = spi->controller->mode_bits; + ctlr->flags = spi->controller->flags; ++ ctlr->bits_per_word_mask = spi->controller->bits_per_word_mask; + ctlr->transfer_one_message = spi_mux_transfer_one_message; + ctlr->setup = spi_mux_setup; + ctlr->num_chipselect = mux_control_states(priv->mux); +-- +2.43.0 + diff --git a/queue-5.15/tools-power-cpupower-fix-pstate-frequency-reporting-.patch b/queue-5.15/tools-power-cpupower-fix-pstate-frequency-reporting-.patch new file mode 100644 index 00000000000..4a9e6d35439 --- /dev/null +++ b/queue-5.15/tools-power-cpupower-fix-pstate-frequency-reporting-.patch 
@@ -0,0 +1,82 @@ +From 4ae3e08ac8fa10971c53e5b4f561d10859f79124 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 14:07:06 +0530 +Subject: tools/power/cpupower: Fix Pstate frequency reporting on AMD Family + 1Ah CPUs + +From: Dhananjay Ugwekar + +[ Upstream commit 43cad521c6d228ea0c51e248f8e5b3a6295a2849 ] + +Update cpupower's P-State frequency calculation and reporting with AMD +Family 1Ah+ processors, when using the acpi-cpufreq driver. This is due +to a change in the PStateDef MSR layout in AMD Family 1Ah+. + +Tested on 4th and 5th Gen AMD EPYC system + +Signed-off-by: Ananth Narayan +Signed-off-by: Dhananjay Ugwekar +Reviewed-by: Mario Limonciello +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/helpers/amd.c | 26 +++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/tools/power/cpupower/utils/helpers/amd.c b/tools/power/cpupower/utils/helpers/amd.c +index 97f2c857048e1..e0a7a9b1f6d69 100644 +--- a/tools/power/cpupower/utils/helpers/amd.c ++++ b/tools/power/cpupower/utils/helpers/amd.c +@@ -38,6 +38,16 @@ union core_pstate { + unsigned res1:31; + unsigned en:1; + } pstatedef; ++ /* since fam 1Ah: */ ++ struct { ++ unsigned fid:12; ++ unsigned res1:2; ++ unsigned vid:8; ++ unsigned iddval:8; ++ unsigned idddiv:2; ++ unsigned res2:31; ++ unsigned en:1; ++ } pstatedef2; + unsigned long long val; + }; + +@@ -45,6 +55,10 @@ static int get_did(union core_pstate pstate) + { + int t; + ++ /* Fam 1Ah onward do not use did */ ++ if (cpupower_cpu_info.family >= 0x1A) ++ return 0; ++ + if (cpupower_cpu_info.caps & CPUPOWER_CAP_AMD_PSTATEDEF) + t = pstate.pstatedef.did; + else if (cpupower_cpu_info.family == 0x12) +@@ -58,12 +72,18 @@ static int get_did(union core_pstate pstate) + static int get_cof(union core_pstate pstate) + { + int t; +- int fid, did, cof; ++ int fid, did, cof = 0; + + did = get_did(pstate); + if (cpupower_cpu_info.caps & CPUPOWER_CAP_AMD_PSTATEDEF) { +- fid = 
pstate.pstatedef.fid; +- cof = 200 * fid / did; ++ if (cpupower_cpu_info.family >= 0x1A) { ++ fid = pstate.pstatedef2.fid; ++ if (fid > 0x0f) ++ cof = (fid * 5); ++ } else { ++ fid = pstate.pstatedef.fid; ++ cof = 200 * fid / did; ++ } + } else { + t = 0x10; + fid = pstate.pstate.fid; +-- +2.43.0 + diff --git a/queue-5.15/wifi-cfg80211-wext-add-extra-siocsiwscan-data-check.patch b/queue-5.15/wifi-cfg80211-wext-add-extra-siocsiwscan-data-check.patch new file mode 100644 index 00000000000..f0ce3510435 --- /dev/null +++ b/queue-5.15/wifi-cfg80211-wext-add-extra-siocsiwscan-data-check.patch 
@@ -0,0 +1,47 @@ +From 6703607ddd4a5cda6c30ca228e3d1b44c079a945 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 06:20:10 +0300 +Subject: wifi: cfg80211: wext: add extra SIOCSIWSCAN data check + +From: Dmitry Antipov + +[ Upstream commit 6ef09cdc5ba0f93826c09d810c141a8d103a80fc ] + +In 'cfg80211_wext_siwscan()', add extra check whether number of +channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed +IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise. + +Reported-by: syzbot+253cd2d2491df77c93ac@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=253cd2d2491df77c93ac +Signed-off-by: Dmitry Antipov +Link: https://msgid.link/20240531032010.451295-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 2898df10a72ae..a444eb84d621e 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -2782,10 +2782,14 @@ int cfg80211_wext_siwscan(struct net_device *dev, + wiphy = &rdev->wiphy; + + /* Determine number of channels, needed to allocate creq */ +- if (wreq && wreq->num_channels) ++ if (wreq && wreq->num_channels) { ++ /* Passed from userspace so should be checked */ ++ if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES)) ++ return -EINVAL; + n_channels = wreq->num_channels; +- else ++ } else { + n_channels = ieee80211_get_num_supported_channels(wiphy); ++ } + + creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + + n_channels * sizeof(void *), +-- +2.43.0 + diff --git a/queue-5.15/wifi-iwlwifi-mvm-d3-fix-wowlan-command-version-looku.patch b/queue-5.15/wifi-iwlwifi-mvm-d3-fix-wowlan-command-version-looku.patch new file mode 100644 index 00000000000..0fca69497ef --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-d3-fix-wowlan-command-version-looku.patch 
@@ -0,0 +1,42 @@ +From c54ce798f07989c7874d63ad5d6f065e91e255cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 17:06:29 +0300 +Subject: wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup + +From: Yedidya Benshimol + +[ Upstream commit b7ffca99313d856f7d1cc89038d9061b128e8e97 ] + +After moving from commands to notificaitons in the d3 resume flow, +removing the WOWLAN_GET_STATUSES and REPLY_OFFLOADS_QUERY_CMD causes +the return of the default value when looking up their version. +Returning zero here results in the driver sending the not supported +NON_QOS_TX_COUNTER_CMD. + +Signed-off-by: Yedidya Benshimol +Reviewed-by: Gregory Greenman +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240510170500.8cabfd580614.If3a0db9851f56041f8f5360959354abd5379224a@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +index c4c62bcbe67de..f9b004d139501 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +@@ -1796,7 +1796,8 @@ static bool iwl_mvm_setup_connection_keep(struct iwl_mvm *mvm, + + out: + if (iwl_fw_lookup_notif_ver(mvm->fw, LONG_GROUP, +- WOWLAN_GET_STATUSES, 0) < 10) { ++ WOWLAN_GET_STATUSES, ++ IWL_FW_CMD_VER_UNKNOWN) < 10) { + mvmvif->seqno_valid = true; + /* +0x10 because the set API expects next-to-use, not last-used */ + mvmvif->seqno = le16_to_cpu(status->non_qos_seq_ctr) + 0x10; +-- +2.43.0 + diff --git a/queue-5.15/wifi-iwlwifi-mvm-handle-bigtk-cipher-in-kek_kck-cmd.patch b/queue-5.15/wifi-iwlwifi-mvm-handle-bigtk-cipher-in-kek_kck-cmd.patch new file mode 100644 index 00000000000..669e3822a7c --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-handle-bigtk-cipher-in-kek_kck-cmd.patch 
@@ -0,0 +1,57 @@ +From fe88a8f5b383b2053c7447f1686f880b66f083fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:27:09 +0300 +Subject: wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd + +From: Yedidya Benshimol + +[ Upstream commit 08b16d1b5997dc378533318e2a9cd73c7a898284 ] + +The BIGTK cipher field was added to the kek_kck_material_cmd +but wasn't assigned. Fix that by differentiating between the +IGTK/BIGTK keys and assign the ciphers fields accordingly. + +Signed-off-by: Yedidya Benshimol +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240513132416.7fd0b22b7267.Ie9b581652b74bd7806980364d59e1b2e78e682c0@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +index f9b004d139501..24c1666b2c88a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +@@ -595,16 +595,25 @@ static void iwl_mvm_wowlan_gtk_type_iter(struct ieee80211_hw *hw, + void *_data) + { + struct wowlan_key_gtk_type_iter *data = _data; ++ __le32 *cipher = NULL; ++ ++ if (key->keyidx == 4 || key->keyidx == 5) ++ cipher = &data->kek_kck_cmd->igtk_cipher; ++ if (key->keyidx == 6 || key->keyidx == 7) ++ cipher = &data->kek_kck_cmd->bigtk_cipher; + + switch (key->cipher) { + default: + return; + case WLAN_CIPHER_SUITE_BIP_GMAC_256: + case WLAN_CIPHER_SUITE_BIP_GMAC_128: +- data->kek_kck_cmd->igtk_cipher = cpu_to_le32(STA_KEY_FLG_GCMP); ++ if (cipher) ++ *cipher = cpu_to_le32(STA_KEY_FLG_GCMP); + return; + case WLAN_CIPHER_SUITE_AES_CMAC: +- data->kek_kck_cmd->igtk_cipher = cpu_to_le32(STA_KEY_FLG_CCM); ++ case WLAN_CIPHER_SUITE_BIP_CMAC_256: ++ if (cipher) ++ *cipher = cpu_to_le32(STA_KEY_FLG_CCM); + return; + case WLAN_CIPHER_SUITE_CCMP: + if (!sta) +-- +2.43.0 + 
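Review bot: in get_cof() in tools/power/cpupower/utils/helpers/amd.c, the Family 1Ah branch leaves cof at 0 whenever fid <= 0x0f, and neither the 0x0f threshold nor the multiplier 5 is explained. A caller cannot tell that 0 apart from a real result, so add a comment giving the unit of fid * 5 and the reason small FIDs are excluded, or name the two constants. Separately, get_did() now returns 0 for family >= 0x1A; please confirm the non-PSTATEDEF else branch of get_cof() still behaves sensibly if it is ever reached on such a CPU.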
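Review bot: in cfg80211_wext_siwscan() in net/wireless/scan.c, the kzalloc() directly below the new check still sizes creq with open-coded arithmetic, sizeof(*creq) + sizeof(struct cfg80211_ssid) + n_channels * sizeof(void *). With wreq->num_channels now capped at IW_MAX_FREQUENCIES the user-supplied path is bounded, but the other branch takes n_channels from ieee80211_get_num_supported_channels(), so an overflow-checked size helper would make the allocation safe by construction rather than by the caller's bound. The unlikely() hint is also not needed on an ioctl path, and the comment would be more useful if it said what IW_MAX_FREQUENCIES bounds.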
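Review bot: in iwl_mvm_setup_connection_keep() in drivers/net/wireless/intel/iwlwifi/mvm/d3.c, the "< 10" comparison now depends on IWL_FW_CMD_VER_UNKNOWN comparing as not less than 10, and nothing at the call site says so. If the sentinel value ever changes, the driver silently goes back to the path the commit message describes as sending an unsupported command. Store the lookup result in a local and test it explicitly against IWL_FW_CMD_VER_UNKNOWN before the version comparison, or add a comment stating the dependency.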
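Review bot: in iwl_mvm_wowlan_gtk_type_iter() in drivers/net/wireless/intel/iwlwifi/mvm/d3.c, the key indices 4/5 and 6/7 are bare numbers and cipher stays NULL for any other keyidx, in which case the BIP cases return without setting anything and without any trace. A short comment (or named constants) saying that 4 and 5 are IGTK indices and 6 and 7 are BIGTK indices would make the selection reviewable, and the second "if" should be an "else if" since the ranges are exclusive. The hunk also adds WLAN_CIPHER_SUITE_BIP_CMAC_256 to the STA_KEY_FLG_CCM case, which the commit message does not mention; please call that out in the changelog.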
diff --git a/queue-5.15/wifi-iwlwifi-mvm-properly-set-6-ghz-channel-direct-p.patch b/queue-5.15/wifi-iwlwifi-mvm-properly-set-6-ghz-channel-direct-p.patch new file mode 100644 index 00000000000..b5d11f32d88 --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-mvm-properly-set-6-ghz-channel-direct-p.patch @@ -0,0 +1,41 @@ +From 9f117032222b437ca67d2d95406f8238ea1ac2af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 13:27:11 +0300 +Subject: wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option + +From: Ayala Beker + +[ Upstream commit 989830d1cf16bd149bf0690d889a9caef95fb5b1 ] + +Ensure that the 6 GHz channel is configured with a valid direct BSSID, +avoiding any invalid or multicast BSSID addresses. + +Signed-off-by: Ayala Beker +Reviewed-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240513132416.91a631a0fe60.I2ea2616af9b8a2eaf959b156c69cf65a2f1204d4@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index 0605363b62720..8179a7395bcaf 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -1721,7 +1721,10 @@ iwl_mvm_umac_scan_fill_6g_chan_list(struct iwl_mvm *mvm, + break; + } + +- if (k == idex_b && idex_b < SCAN_BSSID_MAX_SIZE) { ++ if (k == idex_b && idex_b < SCAN_BSSID_MAX_SIZE && ++ !WARN_ONCE(!is_valid_ether_addr(scan_6ghz_params[j].bssid), ++ "scan: invalid BSSID at index %u, index_b=%u\n", ++ j, idex_b)) { + memcpy(&pp->bssid_array[idex_b++], + scan_6ghz_params[j].bssid, ETH_ALEN); + } +-- +2.43.0 + diff --git a/queue-5.15/wifi-mac80211-fix-ubsan-noise-in-ieee80211_prep_hw_s.patch b/queue-5.15/wifi-mac80211-fix-ubsan-noise-in-ieee80211_prep_hw_s.patch new file mode 100644 index 00000000000..e958c5bcf16 
--- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-ubsan-noise-in-ieee80211_prep_hw_s.patch 
@@ -0,0 +1,80 @@ +From e3d32db6624b601ba01e64d081737225a6b20a7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 18:33:32 +0300 +Subject: wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() + +From: Dmitry Antipov + +[ Upstream commit 92ecbb3ac6f3fe8ae9edf3226c76aa17b6800699 ] + +When testing the previous patch with CONFIG_UBSAN_BOUNDS, I've +noticed the following: + +UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:372:4 +index 0 is out of range for type 'struct ieee80211_channel *[]' +CPU: 0 PID: 1435 Comm: wpa_supplicant Not tainted 6.9.0+ #1 +Hardware name: LENOVO 20UN005QRT/20UN005QRT <...BIOS details...> +Call Trace: + + dump_stack_lvl+0x2d/0x90 + __ubsan_handle_out_of_bounds+0xe7/0x140 + ? timerqueue_add+0x98/0xb0 + ieee80211_prep_hw_scan+0x2db/0x480 [mac80211] + ? __kmalloc+0xe1/0x470 + __ieee80211_start_scan+0x541/0x760 [mac80211] + rdev_scan+0x1f/0xe0 [cfg80211] + nl80211_trigger_scan+0x9b6/0xae0 [cfg80211] + ... + +Since '__ieee80211_start_scan()' leaves 'hw_scan_req->req.n_channels' +uninitialized, actual boundaries of 'hw_scan_req->req.channels' can't +be checked in 'ieee80211_prep_hw_scan()'. Although an initialization +of 'hw_scan_req->req.n_channels' introduces some confusion around +allocated vs. used VLA members, this shouldn't be a problem since +everything is correctly adjusted soon in 'ieee80211_prep_hw_scan()'. + +Cleanup 'kmalloc()' math in '__ieee80211_start_scan()' by using the +convenient 'struct_size()' as well. 
+ +Signed-off-by: Dmitry Antipov +Link: https://msgid.link/20240517153332.18271-2-dmantipov@yandex.ru +[improve (imho) indentation a bit] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/scan.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index e692a2487eb5d..3bf3dd4bafa54 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -729,15 +729,21 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata, + local->hw_scan_ies_bufsize *= n_bands; + } + +- local->hw_scan_req = kmalloc( +- sizeof(*local->hw_scan_req) + +- req->n_channels * sizeof(req->channels[0]) + +- local->hw_scan_ies_bufsize, GFP_KERNEL); ++ local->hw_scan_req = kmalloc(struct_size(local->hw_scan_req, ++ req.channels, ++ req->n_channels) + ++ local->hw_scan_ies_bufsize, ++ GFP_KERNEL); + if (!local->hw_scan_req) + return -ENOMEM; + + local->hw_scan_req->req.ssids = req->ssids; + local->hw_scan_req->req.n_ssids = req->n_ssids; ++ /* None of the channels are actually set ++ * up but let UBSAN know the boundaries. ++ */ ++ local->hw_scan_req->req.n_channels = req->n_channels; ++ + ies = (u8 *)local->hw_scan_req + + sizeof(*local->hw_scan_req) + + req->n_channels * sizeof(req->channels[0]); +-- +2.43.0 + diff --git a/queue-5.15/wifi-mac80211-handle-tasklet-frames-before-stopping.patch b/queue-5.15/wifi-mac80211-handle-tasklet-frames-before-stopping.patch new file mode 100644 index 00000000000..7d185343ddb --- /dev/null +++ b/queue-5.15/wifi-mac80211-handle-tasklet-frames-before-stopping.patch 
@@ -0,0 +1,83 @@ +From acc1c742d562b654943c6dde6f5afd515201d6da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2024 13:53:19 +0200 +Subject: wifi: mac80211: handle tasklet frames before stopping + +From: Johannes Berg + +[ Upstream commit 177c6ae9725d783f9e96f02593ce8fb2639be22f ] + +The code itself doesn't want to handle frames from the driver +if it's already stopped, but if the tasklet was queued before +and runs after the stop, then all bets are off. Flush queues +before actually stopping, RX should be off at this point since +all the interfaces are removed already, etc. + +Reported-by: syzbot+8830db5d3593b5546d2e@syzkaller.appspotmail.com +Link: https://msgid.link/20240515135318.b05f11385c9a.I41c1b33a2e1814c3a7ef352cd7f2951b91785617@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 2 ++ + net/mac80211/main.c | 10 ++++++++-- + net/mac80211/util.c | 2 ++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 03f8c8bdab765..03c238e68038b 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1803,6 +1803,8 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata, + void ieee80211_configure_filter(struct ieee80211_local *local); + u32 ieee80211_reset_erp_info(struct ieee80211_sub_if_data *sdata); + ++void ieee80211_handle_queued_frames(struct ieee80211_local *local); ++ + u64 ieee80211_mgmt_tx_cookie(struct ieee80211_local *local); + int ieee80211_attach_ack_skb(struct ieee80211_local *local, struct sk_buff *skb, + u64 *cookie, gfp_t gfp); +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 9617ff8e27147..7d62374fe727b 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -220,9 +220,8 @@ u32 ieee80211_reset_erp_info(struct ieee80211_sub_if_data *sdata) + BSS_CHANGED_ERP_SLOT; + } + +-static void ieee80211_tasklet_handler(struct tasklet_struct *t) ++void 
ieee80211_handle_queued_frames(struct ieee80211_local *local) + { +- struct ieee80211_local *local = from_tasklet(local, t, tasklet); + struct sk_buff *skb; + + while ((skb = skb_dequeue(&local->skb_queue)) || +@@ -247,6 +246,13 @@ static void ieee80211_tasklet_handler(struct tasklet_struct *t) + } + } + ++static void ieee80211_tasklet_handler(struct tasklet_struct *t) ++{ ++ struct ieee80211_local *local = from_tasklet(local, t, tasklet); ++ ++ ieee80211_handle_queued_frames(local); ++} ++ + static void ieee80211_restart_work(struct work_struct *work) + { + struct ieee80211_local *local = +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 354badd32793a..3d47c2dba39da 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2146,6 +2146,8 @@ u32 ieee80211_sta_get_rates(struct ieee80211_sub_if_data *sdata, + + void ieee80211_stop_device(struct ieee80211_local *local) + { ++ ieee80211_handle_queued_frames(local); ++ + ieee80211_led_radio(local, false); + ieee80211_mod_tpt_led_trig(local, 0, IEEE80211_TPT_LEDTRIG_FL_RADIO); + +-- +2.43.0 + diff --git a/queue-5.15/wifi-mac80211-mesh-init-nonpeer_pm-to-active-by-defa.patch b/queue-5.15/wifi-mac80211-mesh-init-nonpeer_pm-to-active-by-defa.patch new file mode 100644 index 00000000000..bdca87762cb --- /dev/null +++ b/queue-5.15/wifi-mac80211-mesh-init-nonpeer_pm-to-active-by-defa.patch 
@@ -0,0 +1,53 @@ +From c4ea1a56d3308de08915ac5cd484671210f2fe1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 May 2024 16:17:59 +0200 +Subject: wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh + sdata + +From: Nicolas Escande + +[ Upstream commit 6f6291f09a322c1c1578badac8072d049363f4e6 ] + +With a ath9k device I can see that: + iw phy phy0 interface add mesh0 type mp + ip link set mesh0 up + iw dev mesh0 scan + +Will start a scan with the Power Management bit set in the Frame Control Field. +This is because we set this bit depending on the nonpeer_pm variable of the mesh +iface sdata and when there are no active links on the interface it remains to +NL80211_MESH_POWER_UNKNOWN. + +As soon as links starts to be established, it wil switch to +NL80211_MESH_POWER_ACTIVE as it is the value set by befault on the per sta +nonpeer_pm field. +As we want no power save by default, (as expressed with the per sta ini values), +lets init it to the expected default value of NL80211_MESH_POWER_ACTIVE. + +Also please note that we cannot change the default value from userspace prior to +establishing a link as using NL80211_CMD_SET_MESH_CONFIG will not work before +NL80211_CMD_JOIN_MESH has been issued. So too late for our initial scan. + +Signed-off-by: Nicolas Escande +Link: https://msgid.link/20240527141759.299411-1-nico.escande@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 6847fdf934392..6202157f467b1 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -1628,6 +1628,7 @@ void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata) + ifmsh->last_preq = jiffies; + ifmsh->next_perr = jiffies; + ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_NONE; ++ ifmsh->nonpeer_pm = NL80211_MESH_POWER_ACTIVE; + /* Allocate all mesh structures when creating the first mesh interface. 
*/ + if (!mesh_allocated) + ieee80211s_init(); +-- +2.43.0 +
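Review bot: in iwl_mvm_umac_scan_fill_6g_chan_list() in drivers/net/wireless/intel/iwlwifi/mvm/scan.c, burying WARN_ONCE() inside the if condition makes the copy guard hard to read, and the message prints "index_b=%u" for a variable that is named idex_b. Pull the is_valid_ether_addr() test into its own statement that warns and continues, and make the label match the variable. If scan_6ghz_params[j].bssid can be derived from data outside the driver's control, a WARN is also the wrong tool, since it escalates on systems running with panic_on_warn; a rate-limited debug message would be safer there.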
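Review bot: in __ieee80211_start_scan() in net/mac80211/scan.c, the addition of local->hw_scan_ies_bufsize to the struct_size() result is unchecked. struct_size() saturates at SIZE_MAX on overflow so that the allocation fails, but adding to a saturated value wraps around and defeats that protection; use check_add_overflow() on the sum before calling kmalloc(). The ies pointer a few lines below is still computed with the old open-coded sizeof(*local->hw_scan_req) + req->n_channels * sizeof(req->channels[0]) expression, so the allocation size and the offset are now derived in two different ways; computing the struct_size() value once and reusing it for both would keep them in step.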
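Review bot: in ieee80211_stop_device() in net/mac80211/util.c, the new ieee80211_handle_queued_frames(local) call drains the queues once, but nothing visible in this hunk stops the tasklet from being scheduled again or from running concurrently with it. The commit message relies on RX already being off because the interfaces are removed; please state that assumption in a comment at the call site. Since ieee80211_handle_queued_frames() is now non-static and called from both tasklet and stop paths, its declaration in ieee80211_i.h should also document the contexts it may be called from.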