From: Greg Kroah-Hartman Date: Wed, 22 Nov 2023 19:46:22 +0000 (+0000) Subject: 6.1-stable patches X-Git-Tag: v4.14.331~112 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4f9ceacb23bb6368491bb0e0e2b049e633e1a920;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch ksmbd-handle-malformed-smb1-message.patch mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch mmc-vub300-fix-an-error-code.patch parisc-pdc-add-width-field-to-struct-pdc_model.patch parisc-power-add-power-soft-off-when-running-on-qemu.patch --- diff --git a/queue-6.1/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch b/queue-6.1/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch new file mode 100644 index 00000000000..d0452684095 --- /dev/null +++ b/queue-6.1/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch @@ -0,0 +1,89 @@ +From 146a15b873353f8ac28dc281c139ff611a3c4848 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 25 Oct 2023 10:21:28 -0700 +Subject: arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer + +From: Nathan Chancellor + +commit 146a15b873353f8ac28dc281c139ff611a3c4848 upstream. + +Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly +byte-swap NOP when compiling for big-endian, and the resulting series of +bytes happened to match the encoding of FNMADD S21, S30, S0, S0. + +This went unnoticed until commit: + + 34f66c4c4d5518c1 ("arm64: Use a positive cpucap for FP/SIMD") + +Prior to that commit, the kernel would always enable the use of FPSIMD +early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of +FNMADD within the kernel was not detected, but could result in the +corruption of user or kernel FPSIMD state. + +After that commit, the instructions happen to trap during boot prior to +FPSIMD being detected and enabled, e.g. + +| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD +| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 +| Hardware name: linux,dummy-virt (DT) +| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +| pc : __pi_strcmp+0x1c/0x150 +| lr : populate_properties+0xe4/0x254 +| sp : ffffd014173d3ad0 +| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000 +| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008 +| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044 +| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005 +| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000 +| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000 +| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000 +| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000 +| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a +| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8 +| Kernel panic - not syncing: Unhandled exception +| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 +| Hardware name: linux,dummy-virt (DT) +| Call trace: +| dump_backtrace+0xec/0x108 +| show_stack+0x18/0x2c +| dump_stack_lvl+0x50/0x68 +| dump_stack+0x18/0x24 +| panic+0x13c/0x340 +| el1t_64_irq_handler+0x0/0x1c +| el1_abort+0x0/0x5c +| el1h_64_sync+0x64/0x68 +| __pi_strcmp+0x1c/0x150 +| unflatten_dt_nodes+0x1e8/0x2d8 +| __unflatten_device_tree+0x5c/0x15c +| unflatten_device_tree+0x38/0x50 +| setup_arch+0x164/0x1e0 +| start_kernel+0x64/0x38c +| __primary_switched+0xbc/0xc4 + +Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is +either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked +commit. + +Closes: https://github.com/ClangBuiltLinux/linux/issues/1948 +Link: https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c +Signed-off-by: Nathan Chancellor +Cc: stable@vger.kernel.org +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20231025-disable-arm64-be-ias-b4-llvm-15-v1-1-b25263ed8b23@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -1304,6 +1304,8 @@ choice + config CPU_BIG_ENDIAN + bool "Build big-endian kernel" + depends on !LD_IS_LLD || LLD_VERSION >= 130000 ++ # https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c ++ depends on AS_IS_GNU || AS_VERSION >= 150000 + help + Say Y if you plan on running a kernel with a big-endian userspace. + diff --git a/queue-6.1/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch b/queue-6.1/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch new file mode 100644 index 00000000000..9aa444f1e1e --- /dev/null +++ b/queue-6.1/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch @@ -0,0 +1,75 @@ +From 99cd4935cb972d0aafb16838bb2aeadbcaf196ce Mon Sep 17 00:00:00 2001 +From: Kathiravan Thirumoorthy +Date: Thu, 14 Sep 2023 12:29:52 +0530 +Subject: clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks + +From: Kathiravan Thirumoorthy + +commit 99cd4935cb972d0aafb16838bb2aeadbcaf196ce upstream. + +GPLL, NSS crypto PLL clock rates are fixed and shouldn't be scaled based +on the request from dependent clocks. Doing so will result in the +unexpected behaviour. So drop the CLK_SET_RATE_PARENT flag from the PLL +clocks. + +Cc: stable@vger.kernel.org +Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support") +Signed-off-by: Kathiravan Thirumoorthy +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230913-gpll_cleanup-v2-2-c8ceb1a37680@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-ipq6018.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/clk/qcom/gcc-ipq6018.c ++++ b/drivers/clk/qcom/gcc-ipq6018.c +@@ -75,7 +75,6 @@ static struct clk_fixed_factor gpll0_out + &gpll0_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_fixed_factor_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -89,7 +88,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll0_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -164,7 +162,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll6_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -195,7 +192,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll4_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -246,7 +242,6 @@ static struct clk_alpha_pll_postdiv gpll + &gpll2_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -277,7 +272,6 @@ static struct clk_alpha_pll_postdiv nss_ + &nss_crypto_pll_main.clkr.hw }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + diff --git a/queue-6.1/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch b/queue-6.1/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch new file mode 100644 index 00000000000..569c769aec1 --- /dev/null +++ b/queue-6.1/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch @@ -0,0 +1,77 @@ +From e641a070137dd959932c7c222e000d9d941167a2 Mon Sep 17 00:00:00 2001 +From: Kathiravan Thirumoorthy +Date: Thu, 14 Sep 2023 12:29:51 +0530 +Subject: clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kathiravan Thirumoorthy + +commit e641a070137dd959932c7c222e000d9d941167a2 upstream. + +GPLL, NSS crypto PLL clock rates are fixed and shouldn't be scaled based +on the request from dependent clocks. Doing so will result in the +unexpected behaviour. So drop the CLK_SET_RATE_PARENT flag from the PLL +clocks. + +Cc: stable@vger.kernel.org +Fixes: b8e7e519625f ("clk: qcom: ipq8074: add remaining PLL’s") +Signed-off-by: Kathiravan Thirumoorthy +Link: https://lore.kernel.org/r/20230913-gpll_cleanup-v2-1-c8ceb1a37680@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-ipq8074.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/clk/qcom/gcc-ipq8074.c ++++ b/drivers/clk/qcom/gcc-ipq8074.c +@@ -419,7 +419,6 @@ static struct clk_fixed_factor gpll0_out + }, + .num_parents = 1, + .ops = &clk_fixed_factor_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -466,7 +465,6 @@ static struct clk_alpha_pll_postdiv gpll + }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -499,7 +497,6 @@ static struct clk_alpha_pll_postdiv gpll + }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -533,7 +530,6 @@ static struct clk_alpha_pll_postdiv gpll + }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -547,7 +543,6 @@ static struct clk_fixed_factor gpll6_out + }, + .num_parents = 1, + .ops = &clk_fixed_factor_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + +@@ -612,7 +607,6 @@ static struct clk_alpha_pll_postdiv nss_ + }, + .num_parents = 1, + .ops = &clk_alpha_pll_postdiv_ro_ops, +- .flags = CLK_SET_RATE_PARENT, + }, + }; + diff --git a/queue-6.1/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch b/queue-6.1/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch new file mode 100644 index 00000000000..b8cb72b05dc --- /dev/null +++ b/queue-6.1/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch @@ -0,0 +1,109 @@ +From d761bb01c85b22d5b44abe283eb89019693f6595 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 23 Oct 2023 21:30:52 -0600 +Subject: clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data + +From: Gustavo A. R. Silva + +commit d761bb01c85b22d5b44abe283eb89019693f6595 upstream. + +`struct clk_hw_onecell_data` is a flexible structure, which means that +it contains flexible-array member at the bottom, in this case array +`hws`: + +include/linux/clk-provider.h: +1380 struct clk_hw_onecell_data { +1381 unsigned int num; +1382 struct clk_hw *hws[] __counted_by(num); +1383 }; + +This could potentially lead to an overwrite of the objects following +`clk_data` in `struct stratix10_clock_data`, in this case +`void __iomem *base;` at run-time: + +drivers/clk/socfpga/stratix10-clk.h: + 9 struct stratix10_clock_data { + 10 struct clk_hw_onecell_data clk_data; + 11 void __iomem *base; + 12 }; + +There are currently three different places where memory is allocated for +`struct stratix10_clock_data`, including the flex-array `hws` in +`struct clk_hw_onecell_data`: + +drivers/clk/socfpga/clk-agilex.c: +469 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +470 num_clks), GFP_KERNEL); + +drivers/clk/socfpga/clk-agilex.c: +509 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +510 num_clks), GFP_KERNEL); + +drivers/clk/socfpga/clk-s10.c: +400 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +401 num_clks), GFP_KERNEL); + +I'll use just one of them to describe the issue. See below. + +Notice that a total of 440 bytes are allocated for flexible-array member +`hws` at line 469: + +include/dt-bindings/clock/agilex-clock.h: + 70 #define AGILEX_NUM_CLKS 55 + +drivers/clk/socfpga/clk-agilex.c: +459 struct stratix10_clock_data *clk_data; +460 void __iomem *base; +... +466 +467 num_clks = AGILEX_NUM_CLKS; +468 +469 clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws, +470 num_clks), GFP_KERNEL); + +`struct_size(clk_data, clk_data.hws, num_clks)` above translates to +sizeof(struct stratix10_clock_data) + sizeof(struct clk_hw *) * 55 == +16 + 8 * 55 == 16 + 440 + ^^^ + | + allocated bytes for flex-array `hws` + +474 for (i = 0; i < num_clks; i++) +475 clk_data->clk_data.hws[i] = ERR_PTR(-ENOENT); +476 +477 clk_data->base = base; + +and then some data is written into both `hws` and `base` objects. + +Fix this by placing the declaration of object `clk_data` at the end of +`struct stratix10_clock_data`. Also, add a comment to make it clear +that this object must always be last in the structure. + +-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting +ready to enable it globally. + +Fixes: ba7e258425ac ("clk: socfpga: Convert to s10/agilex/n5x to use clk_hw") +Cc: stable@vger.kernel.org +Reviewed-by: Kees Cook +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/1da736106d8e0806aeafa6e471a13ced490eae22.1698117815.git.gustavoars@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/socfpga/stratix10-clk.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/clk/socfpga/stratix10-clk.h ++++ b/drivers/clk/socfpga/stratix10-clk.h +@@ -7,8 +7,10 @@ + #define __STRATIX10_CLK_H + + struct stratix10_clock_data { +- struct clk_hw_onecell_data clk_data; + void __iomem *base; ++ ++ /* Must be last */ ++ struct clk_hw_onecell_data clk_data; + }; + + struct stratix10_pll_clock { diff --git a/queue-6.1/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch b/queue-6.1/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch new file mode 100644 index 00000000000..380dd540b08 --- /dev/null +++ b/queue-6.1/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch @@ -0,0 +1,74 @@ +From eebff19acaa35820cb09ce2ccb3d21bee2156ffb Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 5 Nov 2023 12:46:24 +0900 +Subject: ksmbd: fix slab out of bounds write in smb_inherit_dacl() + +From: Namjae Jeon + +commit eebff19acaa35820cb09ce2ccb3d21bee2156ffb upstream. + +slab out-of-bounds write is caused by that offsets is bigger than pntsd +allocation size. This patch add the check to validate 3 offsets using +allocation size. + +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22271 +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smbacl.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -1107,6 +1107,7 @@ pass: + struct smb_acl *pdacl; + struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL; + int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size; ++ int pntsd_alloc_size; + + if (parent_pntsd->osidoffset) { + powner_sid = (struct smb_sid *)((char *)parent_pntsd + +@@ -1119,9 +1120,10 @@ pass: + pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4); + } + +- pntsd = kzalloc(sizeof(struct smb_ntsd) + powner_sid_size + +- pgroup_sid_size + sizeof(struct smb_acl) + +- nt_size, GFP_KERNEL); ++ pntsd_alloc_size = sizeof(struct smb_ntsd) + powner_sid_size + ++ pgroup_sid_size + sizeof(struct smb_acl) + nt_size; ++ ++ pntsd = kzalloc(pntsd_alloc_size, GFP_KERNEL); + if (!pntsd) { + rc = -ENOMEM; + goto free_aces_base; +@@ -1136,6 +1138,27 @@ pass: + pntsd->gsidoffset = parent_pntsd->gsidoffset; + pntsd->dacloffset = parent_pntsd->dacloffset; + ++ if ((u64)le32_to_cpu(pntsd->osidoffset) + powner_sid_size > ++ pntsd_alloc_size) { ++ rc = -EINVAL; ++ kfree(pntsd); ++ goto free_aces_base; ++ } ++ ++ if ((u64)le32_to_cpu(pntsd->gsidoffset) + pgroup_sid_size > ++ pntsd_alloc_size) { ++ rc = -EINVAL; ++ kfree(pntsd); ++ goto free_aces_base; ++ } ++ ++ if ((u64)le32_to_cpu(pntsd->dacloffset) + sizeof(struct smb_acl) + nt_size > ++ pntsd_alloc_size) { ++ rc = -EINVAL; ++ kfree(pntsd); ++ goto free_aces_base; ++ } ++ + if (pntsd->osidoffset) { + struct smb_sid *owner_sid = (struct smb_sid *)((char *)pntsd + + le32_to_cpu(pntsd->osidoffset)); diff --git a/queue-6.1/ksmbd-handle-malformed-smb1-message.patch b/queue-6.1/ksmbd-handle-malformed-smb1-message.patch new file mode 100644 index 00000000000..99cb524dbce --- /dev/null +++ b/queue-6.1/ksmbd-handle-malformed-smb1-message.patch @@ -0,0 +1,47 @@ +From 5a5409d90bd05f87fe5623a749ccfbf3f7c7d400 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 7 Nov 2023 21:04:31 +0900 +Subject: ksmbd: handle malformed smb1 message + +From: Namjae Jeon + +commit 5a5409d90bd05f87fe5623a749ccfbf3f7c7d400 upstream. + +If set_smb1_rsp_status() is not implemented, It will cause NULL pointer +dereferece error when client send malformed smb1 message. +This patch add set_smb1_rsp_status() to ignore malformed smb1 message. + +Cc: stable@vger.kernel.org +Reported-by: Robert Morris +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb_common.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/smb/server/smb_common.c ++++ b/fs/smb/server/smb_common.c +@@ -372,11 +372,22 @@ static int smb1_allocate_rsp_buf(struct + return 0; + } + ++/** ++ * set_smb1_rsp_status() - set error type in smb response header ++ * @work: smb work containing smb response header ++ * @err: error code to set in response ++ */ ++static void set_smb1_rsp_status(struct ksmbd_work *work, __le32 err) ++{ ++ work->send_no_response = 1; ++} ++ + static struct smb_version_ops smb1_server_ops = { + .get_cmd_val = get_smb1_cmd_val, + .init_rsp_hdr = init_smb1_rsp_hdr, + .allocate_rsp_buf = smb1_allocate_rsp_buf, + .check_user_session = smb1_check_user_session, ++ .set_rsp_status = set_smb1_rsp_status, + }; + + static int smb1_negotiate(struct ksmbd_work *work) diff --git a/queue-6.1/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch b/queue-6.1/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch new file mode 100644 index 00000000000..49973a94be2 --- /dev/null +++ b/queue-6.1/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch @@ -0,0 +1,104 @@ +From ed9009ad300c0f15a3ecfe9613547b1962bde02c Mon Sep 17 00:00:00 2001 +From: Bean Huo +Date: Mon, 30 Oct 2023 23:48:09 +0100 +Subject: mmc: Add quirk MMC_QUIRK_BROKEN_CACHE_FLUSH for Micron eMMC Q2J54A + +From: Bean Huo + +commit ed9009ad300c0f15a3ecfe9613547b1962bde02c upstream. + +Micron MTFC4GACAJCN eMMC supports cache but requires that flush cache +operation be allowed only after a write has occurred. Otherwise, the +cache flush command or subsequent commands will time out. + +Signed-off-by: Bean Huo +Signed-off-by: Rafael Beims +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231030224809.59245-1-beanhuo@iokpp.de +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 4 +++- + drivers/mmc/core/card.h | 4 ++++ + drivers/mmc/core/mmc.c | 8 ++++++-- + drivers/mmc/core/quirks.h | 7 ++++--- + include/linux/mmc/card.h | 2 ++ + 5 files changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -2404,8 +2404,10 @@ enum mmc_issued mmc_blk_mq_issue_rq(stru + } + ret = mmc_blk_cqe_issue_flush(mq, req); + break; +- case REQ_OP_READ: + case REQ_OP_WRITE: ++ card->written_flag = true; ++ fallthrough; ++ case REQ_OP_READ: + if (host->cqe_enabled) + ret = mmc_blk_cqe_issue_rw_rq(mq, req); + else +--- a/drivers/mmc/core/card.h ++++ b/drivers/mmc/core/card.h +@@ -280,4 +280,8 @@ static inline int mmc_card_broken_sd_cac + return c->quirks & MMC_QUIRK_BROKEN_SD_CACHE; + } + ++static inline int mmc_card_broken_cache_flush(const struct mmc_card *c) ++{ ++ return c->quirks & MMC_QUIRK_BROKEN_CACHE_FLUSH; ++} + #endif +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -2081,13 +2081,17 @@ static int _mmc_flush_cache(struct mmc_h + { + int err = 0; + ++ if (mmc_card_broken_cache_flush(host->card) && !host->card->written_flag) ++ return 0; ++ + if (_mmc_cache_enabled(host)) { + err = mmc_switch(host->card, EXT_CSD_CMD_SET_NORMAL, + EXT_CSD_FLUSH_CACHE, 1, + CACHE_FLUSH_TIMEOUT_MS); + if (err) +- pr_err("%s: cache flush error %d\n", +- mmc_hostname(host), err); ++ pr_err("%s: cache flush error %d\n", mmc_hostname(host), err); ++ else ++ host->card->written_flag = false; + } + + return err; +--- a/drivers/mmc/core/quirks.h ++++ b/drivers/mmc/core/quirks.h +@@ -117,11 +117,12 @@ static const struct mmc_fixup __maybe_un + MMC_QUIRK_TRIM_BROKEN), + + /* +- * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to +- * support being used to offload WRITE_ZEROES. ++ * Micron MTFC4GACAJCN-1M supports TRIM but does not appear to support ++ * WRITE_ZEROES offloading. It also supports caching, but the cache can ++ * only be flushed after a write has occurred. + */ + MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc, +- MMC_QUIRK_TRIM_BROKEN), ++ MMC_QUIRK_TRIM_BROKEN | MMC_QUIRK_BROKEN_CACHE_FLUSH), + + /* + * Some SD cards reports discard support while they don't +--- a/include/linux/mmc/card.h ++++ b/include/linux/mmc/card.h +@@ -295,7 +295,9 @@ struct mmc_card { + #define MMC_QUIRK_BROKEN_HPI (1<<13) /* Disable broken HPI support */ + #define MMC_QUIRK_BROKEN_SD_DISCARD (1<<14) /* Disable broken SD discard support */ + #define MMC_QUIRK_BROKEN_SD_CACHE (1<<15) /* Disable broken SD cache support */ ++#define MMC_QUIRK_BROKEN_CACHE_FLUSH (1<<16) /* Don't flush cache until the write has occurred */ + ++ bool written_flag; /* Indicates eMMC has been written since power on */ + bool reenable_cmdq; /* Re-enable Command Queue */ + + unsigned int erase_size; /* erase size in sectors */ diff --git a/queue-6.1/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch b/queue-6.1/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch new file mode 100644 index 00000000000..4393badce67 --- /dev/null +++ b/queue-6.1/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch @@ -0,0 +1,35 @@ +From 71956d0cb56c1e5f9feeb4819db87a076418e930 Mon Sep 17 00:00:00 2001 +From: Nitin Yadav +Date: Thu, 26 Oct 2023 11:44:58 +0530 +Subject: mmc: sdhci_am654: fix start loop index for TAP value parsing + +From: Nitin Yadav + +commit 71956d0cb56c1e5f9feeb4819db87a076418e930 upstream. + +ti,otap-del-sel-legacy/ti,itap-del-sel-legacy passed from DT +are currently ignored for all SD/MMC and eMMC modes. Fix this +by making start loop index to MMC_TIMING_LEGACY. + +Fixes: 8ee5fc0e0b3b ("mmc: sdhci_am654: Update OTAPDLY writes") +Signed-off-by: Nitin Yadav +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231026061458.1116276-1-n-yadav@ti.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci_am654.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci_am654.c ++++ b/drivers/mmc/host/sdhci_am654.c +@@ -597,7 +597,7 @@ static int sdhci_am654_get_otap_delay(st + return 0; + } + +- for (i = MMC_TIMING_MMC_HS; i <= MMC_TIMING_MMC_HS400; i++) { ++ for (i = MMC_TIMING_LEGACY; i <= MMC_TIMING_MMC_HS400; i++) { + + ret = device_property_read_u32(dev, td[i].otap_binding, + &sdhci_am654->otap_del_sel[i]); diff --git a/queue-6.1/mmc-vub300-fix-an-error-code.patch b/queue-6.1/mmc-vub300-fix-an-error-code.patch new file mode 100644 index 00000000000..3b533e384e5 --- /dev/null +++ b/queue-6.1/mmc-vub300-fix-an-error-code.patch @@ -0,0 +1,31 @@ +From b44f9da81783fda72632ef9b0d05ea3f3ca447a5 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 2 Nov 2023 10:51:06 +0300 +Subject: mmc: vub300: fix an error code + +From: Dan Carpenter + +commit b44f9da81783fda72632ef9b0d05ea3f3ca447a5 upstream. + +This error path should return -EINVAL instead of success. + +Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") +Signed-off-by: Dan Carpenter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/0769d30c-ad80-421b-bf5d-7d6f5d85604e@moroto.mountain +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/vub300.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/vub300.c ++++ b/drivers/mmc/host/vub300.c +@@ -2311,6 +2311,7 @@ static int vub300_probe(struct usb_inter + vub300->read_only = + (0x0010 & vub300->system_port_status.port_flags) ? 1 : 0; + } else { ++ retval = -EINVAL; + goto error5; + } + usb_set_intfdata(interface, vub300); diff --git a/queue-6.1/parisc-pdc-add-width-field-to-struct-pdc_model.patch b/queue-6.1/parisc-pdc-add-width-field-to-struct-pdc_model.patch new file mode 100644 index 00000000000..0d398ffbade --- /dev/null +++ b/queue-6.1/parisc-pdc-add-width-field-to-struct-pdc_model.patch @@ -0,0 +1,28 @@ +From 6240553b52c475d9fc9674de0521b77e692f3764 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 22 Oct 2023 11:48:11 +0200 +Subject: parisc/pdc: Add width field to struct pdc_model + +From: Helge Deller + +commit 6240553b52c475d9fc9674de0521b77e692f3764 upstream. + +PDC2.0 specifies the additional PSW-bit field. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/uapi/asm/pdc.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/parisc/include/uapi/asm/pdc.h ++++ b/arch/parisc/include/uapi/asm/pdc.h +@@ -472,6 +472,7 @@ struct pdc_model { /* for PDC_MODEL */ + unsigned long arch_rev; + unsigned long pot_key; + unsigned long curr_key; ++ unsigned long width; /* default of PSW_W bit (1=enabled) */ + }; + + struct pdc_cache_cf { /* for PDC_CACHE (I/D-caches) */ diff --git a/queue-6.1/parisc-power-add-power-soft-off-when-running-on-qemu.patch b/queue-6.1/parisc-power-add-power-soft-off-when-running-on-qemu.patch new file mode 100644 index 00000000000..827238a7af6 --- /dev/null +++ b/queue-6.1/parisc-power-add-power-soft-off-when-running-on-qemu.patch @@ -0,0 +1,48 @@ +From d0c219472980d15f5cbc5c8aec736848bda3f235 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 17 Oct 2023 22:19:53 +0200 +Subject: parisc/power: Add power soft-off when running on qemu + +From: Helge Deller + +commit d0c219472980d15f5cbc5c8aec736848bda3f235 upstream. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v6.0+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/power.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/parisc/power.c ++++ b/drivers/parisc/power.c +@@ -197,6 +197,14 @@ static struct notifier_block parisc_pani + .priority = INT_MAX, + }; + ++/* qemu soft power-off function */ ++static int qemu_power_off(struct sys_off_data *data) ++{ ++ /* this turns the system off via SeaBIOS */ ++ *(int *)data->cb_data = 0; ++ pdc_soft_power_button(1); ++ return NOTIFY_DONE; ++} + + static int __init power_init(void) + { +@@ -226,7 +234,13 @@ static int __init power_init(void) + soft_power_reg); + } + +- power_task = kthread_run(kpowerswd, (void*)soft_power_reg, KTHREAD_NAME); ++ power_task = NULL; ++ if (running_on_qemu && soft_power_reg) ++ register_sys_off_handler(SYS_OFF_MODE_POWER_OFF, SYS_OFF_PRIO_DEFAULT, ++ qemu_power_off, (void *)soft_power_reg); ++ else ++ power_task = kthread_run(kpowerswd, (void*)soft_power_reg, ++ KTHREAD_NAME); + if (IS_ERR(power_task)) { + printk(KERN_ERR DRIVER_NAME ": thread creation failed. Driver not loaded.\n"); + pdc_soft_power_button(0); diff --git a/queue-6.1/series b/queue-6.1/series index 1b6b439a0ef..9b0640859fd 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -202,3 +202,14 @@ keys-trusted-tee-refactor-register-shm-usage.patch keys-trusted-rollback-init_trusted-consistently.patch pci-keystone-don-t-discard-.remove-callback.patch pci-keystone-don-t-discard-.probe-callback.patch +arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch +parisc-pdc-add-width-field-to-struct-pdc_model.patch +parisc-power-add-power-soft-off-when-running-on-qemu.patch +clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch +clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch +clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch +ksmbd-handle-malformed-smb1-message.patch +ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch +mmc-vub300-fix-an-error-code.patch +mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch +mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch