From: Greg Kroah-Hartman Date: Mon, 29 Jul 2024 11:07:17 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.103~71 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5093c61c1f0841865a42b9032e39697e3c4148dc;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: drivers-soc-xilinx-check-return-status-of-get_api_version.patch jbd2-avoid-infinite-transaction-commit-loop.patch jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch selftests-landlock-add-cred_transfer-test.patch wifi-mwifiex-fix-interface-type-change.patch --- diff --git a/queue-6.1/drivers-soc-xilinx-check-return-status-of-get_api_version.patch b/queue-6.1/drivers-soc-xilinx-check-return-status-of-get_api_version.patch new file mode 100644 index 00000000000..90a85caa42c --- /dev/null +++ b/queue-6.1/drivers-soc-xilinx-check-return-status-of-get_api_version.patch 
@@ -0,0 +1,48 @@ +From 9b003e14801cf85a8cebeddc87bc9fc77100fdce Mon Sep 17 00:00:00 2001 +From: Jay Buddhabhatti +Date: Wed, 15 May 2024 04:23:45 -0700 +Subject: drivers: soc: xilinx: check return status of get_api_version() + +From: Jay Buddhabhatti + +commit 9b003e14801cf85a8cebeddc87bc9fc77100fdce upstream. + +Currently return status is not getting checked for get_api_version +and because of that for x86 arch we are getting below smatch error. + + CC drivers/soc/xilinx/zynqmp_power.o +drivers/soc/xilinx/zynqmp_power.c: In function 'zynqmp_pm_probe': +drivers/soc/xilinx/zynqmp_power.c:295:12: warning: 'pm_api_version' is +used uninitialized [-Wuninitialized] + 295 | if (pm_api_version < ZYNQMP_PM_VERSION) + | ^ + CHECK drivers/soc/xilinx/zynqmp_power.c +drivers/soc/xilinx/zynqmp_power.c:295 zynqmp_pm_probe() error: +uninitialized symbol 'pm_api_version'. + +So, check return status of pm_get_api_version and return error in case +of failure to avoid checking uninitialized pm_api_version variable. + +Fixes: b9b3a8be28b3 ("firmware: xilinx: Remove eemi ops for get_api_version") +Signed-off-by: Jay Buddhabhatti +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240515112345.24673-1-jay.buddhabhatti@amd.com +Signed-off-by: Michal Simek +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/xilinx/zynqmp_power.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/soc/xilinx/zynqmp_power.c ++++ b/drivers/soc/xilinx/zynqmp_power.c +@@ -187,7 +187,9 @@ static int zynqmp_pm_probe(struct platfo + u32 pm_api_version; + struct mbox_client *client; + +- zynqmp_pm_get_api_version(&pm_api_version); ++ ret = zynqmp_pm_get_api_version(&pm_api_version); ++ if (ret) ++ return ret; + + /* Check PM API version number */ + if (pm_api_version < ZYNQMP_PM_VERSION) diff --git a/queue-6.1/jbd2-avoid-infinite-transaction-commit-loop.patch b/queue-6.1/jbd2-avoid-infinite-transaction-commit-loop.patch new file mode 100644 index 00000000000..fec5b48ebd1 
--- /dev/null +++ b/queue-6.1/jbd2-avoid-infinite-transaction-commit-loop.patch 
@@ -0,0 +1,101 @@ +From 27ba5b67312a944576addc4df44ac3b709aabede Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 24 Jun 2024 19:01:19 +0200 +Subject: jbd2: avoid infinite transaction commit loop + +From: Jan Kara + +commit 27ba5b67312a944576addc4df44ac3b709aabede upstream. + +Commit 9f356e5a4f12 ("jbd2: Account descriptor blocks into +t_outstanding_credits") started to account descriptor blocks into +transactions outstanding credits. However it didn't appropriately +decrease the maximum amount of credits available to userspace. Thus if +the filesystem requests a transaction smaller than +j_max_transaction_buffers but large enough that when descriptor blocks +are added the size exceeds j_max_transaction_buffers, we confuse +add_transaction_credits() into thinking previous handles have grown the +transaction too much and enter infinite journal commit loop in +start_this_handle() -> add_transaction_credits() trying to create +transaction with enough credits available. + +Fix the problem by properly accounting for transaction space reserved +for descriptor blocks when verifying requested transaction handle size. 
+ +CC: stable@vger.kernel.org +Fixes: 9f356e5a4f12 ("jbd2: Account descriptor blocks into t_outstanding_credits") +Reported-by: Alexander Coffin +Link: https://lore.kernel.org/all/CA+hUFcuGs04JHZ_WzA1zGN57+ehL2qmHOt5a7RMpo+rv6Vyxtw@mail.gmail.com +Signed-off-by: Jan Kara +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20240624170127.3253-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -213,6 +213,13 @@ static void sub_reserved_credits(journal + wake_up(&journal->j_wait_reserved); + } + ++/* Maximum number of blocks for user transaction payload */ ++static int jbd2_max_user_trans_buffers(journal_t *journal) ++{ ++ return journal->j_max_transaction_buffers - ++ journal->j_transaction_overhead_buffers; ++} ++ + /* + * Wait until we can add credits for handle to the running transaction. Called + * with j_state_lock held for reading. Returns 0 if handle joined the running +@@ -262,12 +269,12 @@ __must_hold(&journal->j_state_lock) + * big to fit this handle? Wait until reserved credits are freed. 
+ */ + if (atomic_read(&journal->j_reserved_credits) + total > +- journal->j_max_transaction_buffers) { ++ jbd2_max_user_trans_buffers(journal)) { + read_unlock(&journal->j_state_lock); + jbd2_might_wait_for_commit(journal); + wait_event(journal->j_wait_reserved, + atomic_read(&journal->j_reserved_credits) + total <= +- journal->j_max_transaction_buffers); ++ jbd2_max_user_trans_buffers(journal)); + __acquire(&journal->j_state_lock); /* fake out sparse */ + return 1; + } +@@ -307,14 +314,14 @@ __must_hold(&journal->j_state_lock) + + needed = atomic_add_return(rsv_blocks, &journal->j_reserved_credits); + /* We allow at most half of a transaction to be reserved */ +- if (needed > journal->j_max_transaction_buffers / 2) { ++ if (needed > jbd2_max_user_trans_buffers(journal) / 2) { + sub_reserved_credits(journal, rsv_blocks); + atomic_sub(total, &t->t_outstanding_credits); + read_unlock(&journal->j_state_lock); + jbd2_might_wait_for_commit(journal); + wait_event(journal->j_wait_reserved, + atomic_read(&journal->j_reserved_credits) + rsv_blocks +- <= journal->j_max_transaction_buffers / 2); ++ <= jbd2_max_user_trans_buffers(journal) / 2); + __acquire(&journal->j_state_lock); /* fake out sparse */ + return 1; + } +@@ -344,12 +351,12 @@ static int start_this_handle(journal_t * + * size and limit the number of total credits to not exceed maximum + * transaction size per operation. + */ +- if ((rsv_blocks > journal->j_max_transaction_buffers / 2) || +- (rsv_blocks + blocks > journal->j_max_transaction_buffers)) { ++ if (rsv_blocks > jbd2_max_user_trans_buffers(journal) / 2 || ++ rsv_blocks + blocks > jbd2_max_user_trans_buffers(journal)) { + printk(KERN_ERR "JBD2: %s wants too many credits " + "credits:%d rsv_credits:%d max:%d\n", + current->comm, blocks, rsv_blocks, +- journal->j_max_transaction_buffers); ++ jbd2_max_user_trans_buffers(journal)); + WARN_ON(1); + return -ENOSPC; + } 
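Review bot: `jbd2_max_user_trans_buffers()` in jbd2-avoid-infinite-transaction-commit-loop.patch reads `journal->j_transaction_overhead_buffers`, and no patch added in this commit defines that field. The two jbd2 patches queued here carry Link trailers ending in 3253-1 and 3253-3, and the first one's description says the limit computation "gets more complex in the following patch", so the field presumably comes from an intermediate patch that is not among the added files; unless that patch is already in the 6.1 queue, fs/jbd2/transaction.c will not build. Separately, the helper returns an unchecked `int` difference: if the overhead could ever reach `j_max_transaction_buffers`, the `wait_event()` conditions in the hunks that call it could never become true. If that case is excluded when the journal is set up, a comment on the helper should say so, e.g. `/* overhead is always smaller than j_max_transaction_buffers */`.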
diff --git a/queue-6.1/jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch b/queue-6.1/jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch new file mode 100644 index 00000000000..eb394c400b3 --- /dev/null +++ b/queue-6.1/jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch 
@@ -0,0 +1,66 @@ +From 4aa99c71e42ad60178c1154ec24e3df9c684fb67 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 24 Jun 2024 19:01:17 +0200 +Subject: jbd2: make jbd2_journal_get_max_txn_bufs() internal + +From: Jan Kara + +commit 4aa99c71e42ad60178c1154ec24e3df9c684fb67 upstream. + +There's no reason to have jbd2_journal_get_max_txn_bufs() public +function. Currently all users are internal and can use +journal->j_max_transaction_buffers instead. This saves some unnecessary +recomputations of the limit as a bonus which becomes important as this +function gets more complex in the following patch. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20240624170127.3253-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/commit.c | 2 +- + fs/jbd2/journal.c | 5 +++++ + include/linux/jbd2.h | 5 ----- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -801,7 +801,7 @@ start_journal_io: + if (first_block < journal->j_tail) + freed += journal->j_last - journal->j_first; + /* Update tail only if we free significant amount of space */ +- if (freed < jbd2_journal_get_max_txn_bufs(journal)) ++ if (freed < journal->j_max_transaction_buffers) + update_tail = 0; + } + J_ASSERT(commit_transaction->t_state == T_COMMIT); +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1532,6 +1532,11 @@ static void journal_fail_superblock(jour + journal->j_sb_buffer = NULL; + } + ++static int jbd2_journal_get_max_txn_bufs(journal_t *journal) ++{ ++ return (journal->j_total_len - journal->j_fc_wbufsize) / 4; ++} ++ + /* + * Given a journal_t structure, initialise the various fields for + * startup of a new journaling session. 
We use this both when creating +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1665,11 +1665,6 @@ int jbd2_wait_inode_data(journal_t *jour + int jbd2_fc_wait_bufs(journal_t *journal, int num_blks); + int jbd2_fc_release_bufs(journal_t *journal); + +-static inline int jbd2_journal_get_max_txn_bufs(journal_t *journal) +-{ +- return (journal->j_total_len - journal->j_fc_wbufsize) / 4; +-} +- + /* + * is_journal_abort + * diff --git a/queue-6.1/kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch b/queue-6.1/kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch new file mode 100644 index 00000000000..dc42c7b19ed --- /dev/null +++ b/queue-6.1/kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch 
@@ -0,0 +1,80 @@ +From 32f55e475ce2c4b8b124d335fcfaf1152ba977a1 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 7 Jun 2024 10:26:05 -0700 +Subject: KVM: nVMX: Request immediate exit iff pending nested event needs injection + +From: Sean Christopherson + +commit 32f55e475ce2c4b8b124d335fcfaf1152ba977a1 upstream. + +When requesting an immediate exit from L2 in order to inject a pending +event, do so only if the pending event actually requires manual injection, +i.e. if and only if KVM actually needs to regain control in order to +deliver the event. + +Avoiding the "immediate exit" isn't simply an optimization, it's necessary +to make forward progress, as the "already expired" VMX preemption timer +trick that KVM uses to force a VM-Exit has higher priority than events +that aren't directly injected. + +At present time, this is a glorified nop as all events processed by +vmx_has_nested_events() require injection, but that will not hold true in +the future, e.g. if there's a pending virtual interrupt in vmcs02.RVI. +I.e. if KVM is trying to deliver a virtual interrupt to L2, the expired +VMX preemption timer will trigger VM-Exit before the virtual interrupt is +delivered, and KVM will effectively hang the vCPU in an endless loop of +forced immediate VM-Exits (because the pending virtual interrupt never +goes away). 
+ +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240607172609.3205077-3-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 2 +- + arch/x86/kvm/vmx/nested.c | 2 +- + arch/x86/kvm/x86.c | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1651,7 +1651,7 @@ struct kvm_x86_nested_ops { + bool (*is_exception_vmexit)(struct kvm_vcpu *vcpu, u8 vector, + u32 error_code); + int (*check_events)(struct kvm_vcpu *vcpu); +- bool (*has_events)(struct kvm_vcpu *vcpu); ++ bool (*has_events)(struct kvm_vcpu *vcpu, bool for_injection); + void (*triple_fault)(struct kvm_vcpu *vcpu); + int (*get_state)(struct kvm_vcpu *vcpu, + struct kvm_nested_state __user *user_kvm_nested_state, +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3934,7 +3934,7 @@ static bool nested_vmx_preemption_timer_ + to_vmx(vcpu)->nested.preemption_timer_expired; + } + +-static bool vmx_has_nested_events(struct kvm_vcpu *vcpu) ++static bool vmx_has_nested_events(struct kvm_vcpu *vcpu, bool for_injection) + { + return nested_vmx_preemption_timer_pending(vcpu) || + to_vmx(vcpu)->nested.mtf_pending; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -10131,7 +10131,7 @@ static int kvm_check_and_inject_events(s + + if (is_guest_mode(vcpu) && + kvm_x86_ops.nested_ops->has_events && +- kvm_x86_ops.nested_ops->has_events(vcpu)) ++ kvm_x86_ops.nested_ops->has_events(vcpu, true)) + *req_immediate_exit = true; + + /* +@@ -13013,7 +13013,7 @@ static inline bool kvm_vcpu_has_events(s + + if (is_guest_mode(vcpu) && + kvm_x86_ops.nested_ops->has_events && +- kvm_x86_ops.nested_ops->has_events(vcpu)) ++ kvm_x86_ops.nested_ops->has_events(vcpu, false)) + return true; + + if (kvm_xen_has_pending_events(vcpu)) 
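Review bot: The new `for_injection` parameter of `vmx_has_nested_events()` is never read in the body shown, so the two call sites in x86.c (`true` in kvm_check_and_inject_events(), `false` in kvm_vcpu_has_events()) behave identically after this patch. The description says this is intentional for now, but nothing in the code records it. A comment on the `has_events` member in kvm_host.h would keep the contract from being guessed, e.g. `/* for_injection: report only events KVM must regain control to inject */`. Any other `has_events` implementation outside these hunks needs the same signature change, which cannot be checked from here.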
diff --git a/queue-6.1/kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch b/queue-6.1/kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch new file mode 100644 index 00000000000..d84de166a68 --- /dev/null +++ b/queue-6.1/kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch 
@@ -0,0 +1,60 @@ +From 322a569c4b4188a0da2812f9e952780ce09b74ba Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 7 Jun 2024 10:26:06 -0700 +Subject: KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked() + +From: Sean Christopherson + +commit 322a569c4b4188a0da2812f9e952780ce09b74ba upstream. + +Move the non-VMX chunk of the "interrupt blocked" checks to a separate +helper so that KVM can reuse the code to detect if interrupts are blocked +for L2, e.g. to determine if a virtual interrupt _for L2_ is a valid wake +event. If L1 disables HLT-exiting for L2, nested APICv is enabled, and L2 +HLTs, then L2 virtual interrupts are valid wake events, but if and only if +interrupts are unblocked for L2. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240607172609.3205077-4-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 11 ++++++++--- + arch/x86/kvm/vmx/vmx.h | 1 + + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -4980,14 +4980,19 @@ static int vmx_nmi_allowed(struct kvm_vc + return !vmx_nmi_blocked(vcpu); + } + ++bool __vmx_interrupt_blocked(struct kvm_vcpu *vcpu) ++{ ++ return !(vmx_get_rflags(vcpu) & X86_EFLAGS_IF) || ++ (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & ++ (GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS)); ++} ++ + bool vmx_interrupt_blocked(struct kvm_vcpu *vcpu) + { + if (is_guest_mode(vcpu) && nested_exit_on_intr(vcpu)) + return false; + +- return !(vmx_get_rflags(vcpu) & X86_EFLAGS_IF) || +- (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & +- (GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS)); ++ return __vmx_interrupt_blocked(vcpu); + } + + static int vmx_interrupt_allowed(struct kvm_vcpu *vcpu, bool for_injection) +--- a/arch/x86/kvm/vmx/vmx.h ++++ b/arch/x86/kvm/vmx/vmx.h +@@ -413,6 +413,7 @@ u64 construct_eptp(struct kvm_vcpu *vcpu + bool vmx_guest_inject_ac(struct 
kvm_vcpu *vcpu); + void vmx_update_exception_bitmap(struct kvm_vcpu *vcpu); + bool vmx_nmi_blocked(struct kvm_vcpu *vcpu); ++bool __vmx_interrupt_blocked(struct kvm_vcpu *vcpu); + bool vmx_interrupt_blocked(struct kvm_vcpu *vcpu); + bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu); + void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked); diff --git a/queue-6.1/leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch b/queue-6.1/leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch new file mode 100644 index 00000000000..37930daeaf3 --- /dev/null +++ b/queue-6.1/leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch 
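Review bot: In kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch, `__vmx_interrupt_blocked()` becomes non-static and is declared in vmx.h with no comment on how it differs from `vmx_interrupt_blocked()`. The difference matters to callers: the wrapper returns false when `is_guest_mode(vcpu) && nested_exit_on_intr(vcpu)`, while the new helper skips that check and looks only at RFLAGS.IF and the STI/MOV-SS interruptibility bits. I would add above the definition: `/* Raw IF/interruptibility check; does not account for L1 intercepting interrupts. */`.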
@@ -0,0 +1,47 @@ +From e41d574b359ccd8d99be65c6f11502efa2b83136 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Tue, 11 Jun 2024 00:40:26 +0200 +Subject: leds: mt6360: Fix memory leak in mt6360_init_isnk_properties() + +From: Javier Carrasco + +commit e41d574b359ccd8d99be65c6f11502efa2b83136 upstream. + +The fwnode_for_each_child_node() loop requires manual intervention to +decrement the child refcount in case of an early return. + +Add the missing calls to fwnode_handle_put(child) to avoid memory leaks +in the error paths. + +Cc: stable@vger.kernel.org +Fixes: 679f8652064b ("leds: Add mt6360 driver") +Signed-off-by: Javier Carrasco +Acked-by: Pavel Machek +Link: https://lore.kernel.org/r/20240611-leds-mt6360-memleak-v1-1-93642eb5011e@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/flash/leds-mt6360.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/leds/flash/leds-mt6360.c ++++ b/drivers/leds/flash/leds-mt6360.c +@@ -637,14 +637,17 @@ static int mt6360_init_isnk_properties(s + + ret = fwnode_property_read_u32(child, "reg", ®); + if (ret || reg > MT6360_LED_ISNK3 || +- priv->leds_active & BIT(reg)) ++ priv->leds_active & BIT(reg)) { ++ fwnode_handle_put(child); + return -EINVAL; ++ } + + ret = fwnode_property_read_u32(child, "color", &color); + if (ret) { + dev_err(priv->dev, + "led %d, no color specified\n", + led->led_no); ++ fwnode_handle_put(child); + return ret; + } + diff --git a/queue-6.1/leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch b/queue-6.1/leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch new file mode 100644 index 00000000000..bb7ce7e97ef --- /dev/null +++ b/queue-6.1/leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch 
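Review bot: In leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch, the two added `fwnode_handle_put(child)` calls cover only the early returns visible in the hunk. The `fwnode_for_each_child_node()` body continues past the last line shown, so any later `return` inside the loop would still leak the child reference and should be checked. Repeating the put before each return is also easy to miss when a new error path is added. Setting `ret` and jumping to a single exit label that does `fwnode_handle_put(child); return ret;` would keep the release in one place.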
@@ -0,0 +1,55 @@ +From ce068e83976140badb19c7f1307926b4b562fac4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Mon, 27 May 2024 16:27:00 +0300 +Subject: leds: ss4200: Convert PCIBIOS_* return codes to errnos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit ce068e83976140badb19c7f1307926b4b562fac4 upstream. + +ich7_lpc_probe() uses pci_read_config_dword() that returns PCIBIOS_* +codes. The error handling code assumes incorrectly it's a normal errno +and checks for < 0. The return code is returned from the probe function +as is but probe functions should return normal errnos. + +Remove < 0 from the check and convert PCIBIOS_* returns code using +pcibios_err_to_errno() into normal errno before returning it. + +Fixes: a328e95b82c1 ("leds: LED driver for Intel NAS SS4200 series (v5)") +Cc: +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20240527132700.14260-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/leds-ss4200.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/leds/leds-ss4200.c ++++ b/drivers/leds/leds-ss4200.c +@@ -356,8 +356,10 @@ static int ich7_lpc_probe(struct pci_dev + + nas_gpio_pci_dev = dev; + status = pci_read_config_dword(dev, PMBASE, &g_pm_io_base); +- if (status) ++ if (status) { ++ status = pcibios_err_to_errno(status); + goto out; ++ } + g_pm_io_base &= 0x00000ff80; + + status = pci_read_config_dword(dev, GPIO_CTRL, &gc); +@@ -369,8 +371,9 @@ static int ich7_lpc_probe(struct pci_dev + } + + status = pci_read_config_dword(dev, GPIO_BASE, &nas_gpio_io_base); +- if (0 > status) { ++ if (status) { + dev_info(&dev->dev, "Unable to read GPIOBASE.\n"); ++ status = pcibios_err_to_errno(status); + goto out; + } + dev_dbg(&dev->dev, ": GPIOBASE = 0x%08x\n", nas_gpio_io_base); 
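Review bot: The `pci_read_config_dword(dev, GPIO_CTRL, &gc)` call at the end of the first hunk assigns `status`, but neither hunk adds a check or a `pcibios_err_to_errno()` conversion for it, unlike the PMBASE and GPIO_BASE reads. The lines between the two hunks are not shown, so this may already be handled there. If `gc` is tested without looking at `status`, a failed config read is acted on as if it had returned data. The same pattern as the other two reads would apply: `if (status) { status = pcibios_err_to_errno(status); goto out; }`.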
diff --git a/queue-6.1/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch b/queue-6.1/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch new file mode 100644 index 00000000000..7e2ac02a43e --- /dev/null +++ b/queue-6.1/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch 
@@ -0,0 +1,136 @@ +From 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 10 Jun 2024 19:17:49 +0000 +Subject: media: uvcvideo: Fix integer overflow calculating timestamp + +From: Ricardo Ribalda + +commit 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 upstream. + +The function uvc_video_clock_update() supports a single SOF overflow. Or +in other words, the maximum difference between the first ant the last +timestamp can be 4096 ticks or 4.096 seconds. + +This results in a maximum value for y2 of: 0x12FBECA00, that overflows +32bits. +y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + +Extend the size of y2 to u64 to support all its values. + +Without this patch: + # yavta -s 1920x1080 -f YUYV -t 1/5 -c /dev/video0 +Device /dev/v4l/by-id/usb-Shine-Optics_Integrated_Camera_0001-video-index0 opened. +Device `Integrated Camera: Integrated C' on `usb-0000:00:14.0-6' (driver 'uvcvideo') supports video, capture, without mplanes. +Video format set: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Video format: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Current frame rate: 1/5 +Setting frame rate to: 1/5 +Frame rate set: 1/5 +8 buffers requested. +length: 4147200 offset: 0 timestamp type/source: mono/SoE +Buffer 0/0 mapped at address 0x7947ea94c000. +length: 4147200 offset: 4149248 timestamp type/source: mono/SoE +Buffer 1/0 mapped at address 0x7947ea557000. +length: 4147200 offset: 8298496 timestamp type/source: mono/SoE +Buffer 2/0 mapped at address 0x7947ea162000. +length: 4147200 offset: 12447744 timestamp type/source: mono/SoE +Buffer 3/0 mapped at address 0x7947e9d6d000. +length: 4147200 offset: 16596992 timestamp type/source: mono/SoE +Buffer 4/0 mapped at address 0x7947e9978000. +length: 4147200 offset: 20746240 timestamp type/source: mono/SoE +Buffer 5/0 mapped at address 0x7947e9583000. 
+length: 4147200 offset: 24895488 timestamp type/source: mono/SoE +Buffer 6/0 mapped at address 0x7947e918e000. +length: 4147200 offset: 29044736 timestamp type/source: mono/SoE +Buffer 7/0 mapped at address 0x7947e8d99000. +0 (0) [-] none 0 4147200 B 507.554210 508.874282 242.836 fps ts mono/SoE +1 (1) [-] none 2 4147200 B 508.886298 509.074289 0.751 fps ts mono/SoE +2 (2) [-] none 3 4147200 B 509.076362 509.274307 5.261 fps ts mono/SoE +3 (3) [-] none 4 4147200 B 509.276371 509.474336 5.000 fps ts mono/SoE +4 (4) [-] none 5 4147200 B 509.476394 509.674394 4.999 fps ts mono/SoE +5 (5) [-] none 6 4147200 B 509.676506 509.874345 4.997 fps ts mono/SoE +6 (6) [-] none 7 4147200 B 509.876430 510.074370 5.002 fps ts mono/SoE +7 (7) [-] none 8 4147200 B 510.076434 510.274365 5.000 fps ts mono/SoE +8 (0) [-] none 9 4147200 B 510.276421 510.474333 5.000 fps ts mono/SoE +9 (1) [-] none 10 4147200 B 510.476391 510.674429 5.001 fps ts mono/SoE +10 (2) [-] none 11 4147200 B 510.676434 510.874283 4.999 fps ts mono/SoE +11 (3) [-] none 12 4147200 B 510.886264 511.074349 4.766 fps ts mono/SoE +12 (4) [-] none 13 4147200 B 511.070577 511.274304 5.426 fps ts mono/SoE +13 (5) [-] none 14 4147200 B 511.286249 511.474301 4.637 fps ts mono/SoE +14 (6) [-] none 15 4147200 B 511.470542 511.674251 5.426 fps ts mono/SoE +15 (7) [-] none 16 4147200 B 511.672651 511.874337 4.948 fps ts mono/SoE +16 (0) [-] none 17 4147200 B 511.873988 512.074462 4.967 fps ts mono/SoE +17 (1) [-] none 18 4147200 B 512.075982 512.278296 4.951 fps ts mono/SoE +18 (2) [-] none 19 4147200 B 512.282631 512.482423 4.839 fps ts mono/SoE +19 (3) [-] none 20 4147200 B 518.986637 512.686333 0.149 fps ts mono/SoE +20 (4) [-] none 21 4147200 B 518.342709 512.886386 -1.553 fps ts mono/SoE +21 (5) [-] none 22 4147200 B 517.909812 513.090360 -2.310 fps ts mono/SoE +22 (6) [-] none 23 4147200 B 517.590775 513.294454 -3.134 fps ts mono/SoE +23 (7) [-] none 24 4147200 B 513.298465 513.494335 -0.233 fps ts mono/SoE +24 (0) [-] 
none 25 4147200 B 513.510273 513.698375 4.721 fps ts mono/SoE +25 (1) [-] none 26 4147200 B 513.698904 513.902327 5.301 fps ts mono/SoE +26 (2) [-] none 27 4147200 B 513.895971 514.102348 5.074 fps ts mono/SoE +27 (3) [-] none 28 4147200 B 514.099091 514.306337 4.923 fps ts mono/SoE +28 (4) [-] none 29 4147200 B 514.310348 514.510567 4.734 fps ts mono/SoE +29 (5) [-] none 30 4147200 B 514.509295 514.710367 5.026 fps ts mono/SoE +30 (6) [-] none 31 4147200 B 521.532513 514.914398 0.142 fps ts mono/SoE +31 (7) [-] none 32 4147200 B 520.885277 515.118385 -1.545 fps ts mono/SoE +32 (0) [-] none 33 4147200 B 520.411140 515.318336 -2.109 fps ts mono/SoE +33 (1) [-] none 34 4147200 B 515.325425 515.522278 -0.197 fps ts mono/SoE +34 (2) [-] none 35 4147200 B 515.538276 515.726423 4.698 fps ts mono/SoE +35 (3) [-] none 36 4147200 B 515.720767 515.930373 5.480 fps ts mono/SoE + +Cc: stable@vger.kernel.org +Fixes: 66847ef013cc ("[media] uvcvideo: Add UVC timestamps support") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240610-hwtimestamp-followup-v1-2-f9eaed7be7f0@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -705,11 +705,11 @@ void uvc_video_clock_update(struct uvc_s + unsigned long flags; + u64 timestamp; + u32 delta_stc; +- u32 y1, y2; ++ u32 y1; + u32 x1, x2; + u32 mean; + u32 sof; +- u64 y; ++ u64 y, y2; + + if (!uvc_hw_timestamps_param) + return; +@@ -749,7 +749,7 @@ void uvc_video_clock_update(struct uvc_s + sof = y; + + uvc_dbg(stream->dev, CLOCK, +- "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %u SOF offset %u)\n", ++ "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %llu SOF offset %u)\n", + stream->dev->name, buf->pts, + y >> 16, div_u64((y & 0xffff) * 
1000000, 65536), + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), +@@ -764,7 +764,7 @@ void uvc_video_clock_update(struct uvc_s + goto done; + + y1 = NSEC_PER_SEC; +- y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; ++ y2 = ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + + /* + * Interpolated and host SOF timestamps can wrap around at slightly +@@ -785,7 +785,7 @@ void uvc_video_clock_update(struct uvc_s + timestamp = ktime_to_ns(first->host_time) + y - y1; + + uvc_dbg(stream->dev, CLOCK, +- "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %u)\n", ++ "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %llu)\n", + stream->dev->name, + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), + y, timestamp, vbuf->vb2_buf.timestamp, diff --git a/queue-6.1/selftests-landlock-add-cred_transfer-test.patch b/queue-6.1/selftests-landlock-add-cred_transfer-test.patch new file mode 100644 index 00000000000..83f6f63c39d --- /dev/null +++ b/queue-6.1/selftests-landlock-add-cred_transfer-test.patch 
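Review bot: In media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch, dropping the `(u32)` cast means `y2` now receives the full signed result of `ktime_to_ns(ktime_sub(last->host_time, first->host_time))`, so a negative difference would become a very large `u64` instead of a truncated value. The host timestamps are presumably monotonic, which would rule that out, but the code that samples them is outside these hunks. The interpolation that consumes `y2` after the assignment is not shown either; now that `y2` is no longer bounded to 32 bits, its products with `x1`/`x2` should be confirmed to fit in 64 bits. A comment at the declaration, e.g. `/* y2 can reach 0x12FBECA00 ns, which does not fit in u32 */`, would record why `y1` and `y2` have different types.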
@@ -0,0 +1,127 @@ +From cc374782b6ca0fd634482391da977542443d3368 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 24 Jul 2024 16:54:26 +0200 +Subject: selftests/landlock: Add cred_transfer test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit cc374782b6ca0fd634482391da977542443d3368 upstream. + +Check that keyctl(KEYCTL_SESSION_TO_PARENT) preserves the parent's +restrictions. + +Fixes: e1199815b47b ("selftests/landlock: Add user space tests") +Co-developed-by: Jann Horn +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20240724.Ood5aige9she@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/landlock/base_test.c | 74 +++++++++++++++++++++++++++ + tools/testing/selftests/landlock/config | 5 + + 2 files changed, 77 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/landlock/base_test.c ++++ b/tools/testing/selftests/landlock/base_test.c +@@ -9,6 +9,7 @@ + #define _GNU_SOURCE + #include + #include ++#include + #include + #include + #include +@@ -356,4 +357,77 @@ TEST(ruleset_fd_transfer) + ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); + } + ++TEST(cred_transfer) ++{ ++ struct landlock_ruleset_attr ruleset_attr = { ++ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR, ++ }; ++ int ruleset_fd, dir_fd; ++ pid_t child; ++ int status; ++ ++ drop_caps(_metadata); ++ ++ dir_fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC); ++ EXPECT_LE(0, dir_fd); ++ EXPECT_EQ(0, close(dir_fd)); ++ ++ /* Denies opening directories. */ ++ ruleset_fd = ++ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); ++ ASSERT_LE(0, ruleset_fd); ++ EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); ++ ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); ++ EXPECT_EQ(0, close(ruleset_fd)); ++ ++ /* Checks ruleset enforcement. 
*/ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++ ++ /* Needed for KEYCTL_SESSION_TO_PARENT permission checks */ ++ EXPECT_NE(-1, syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, ++ 0, 0)) ++ { ++ TH_LOG("Failed to join session keyring: %s", strerror(errno)); ++ } ++ ++ child = fork(); ++ ASSERT_LE(0, child); ++ if (child == 0) { ++ /* Checks ruleset enforcement. */ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++ ++ /* ++ * KEYCTL_SESSION_TO_PARENT is a no-op unless we have a ++ * different session keyring in the child, so make that happen. ++ */ ++ EXPECT_NE(-1, syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, ++ NULL, 0, 0, 0)); ++ ++ /* ++ * KEYCTL_SESSION_TO_PARENT installs credentials on the parent ++ * that never go through the cred_prepare hook, this path uses ++ * cred_transfer instead. ++ */ ++ EXPECT_EQ(0, syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT, 0, ++ 0, 0, 0)); ++ ++ /* Re-checks ruleset enforcement. */ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++ ++ _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE); ++ return; ++ } ++ ++ EXPECT_EQ(child, waitpid(child, &status, 0)); ++ EXPECT_EQ(1, WIFEXITED(status)); ++ EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); ++ ++ /* Re-checks ruleset enforcement. */ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++} ++ + TEST_HARNESS_MAIN +--- a/tools/testing/selftests/landlock/config ++++ b/tools/testing/selftests/landlock/config +@@ -1,7 +1,8 @@ ++CONFIG_KEYS=y + CONFIG_OVERLAY_FS=y ++CONFIG_SECURITY=y + CONFIG_SECURITY_LANDLOCK=y + CONFIG_SECURITY_PATH=y +-CONFIG_SECURITY=y + CONFIG_SHMEM=y +-CONFIG_TMPFS_XATTR=y + CONFIG_TMPFS=y ++CONFIG_TMPFS_XATTR=y diff --git a/queue-6.1/series b/queue-6.1/series index 123f2da0085..5365102e49f 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
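Review bot: This commit queues only the selftest from selftests-landlock-add-cred_transfer-test.patch; the kernel-side change that makes restrictions survive `KEYCTL_SESSION_TO_PARENT` is not among the patches added here. If it is not already in the 6.1 queue or tree, the final `EXPECT_EQ(-1, open("/", ...))` in the parent will fail on this branch, so the pairing should be confirmed. In the test itself, `EXPECT_LE(0, dir_fd)` is followed by `close(dir_fd)` even when the open failed; `ASSERT_LE(0, dir_fd);` would stop before closing an invalid descriptor. The `return;` after `_exit()` in the child branch is unreachable.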
@@ -305,3 +305,13 @@ ext4-check-dot-and-dotdot-of-dx_root-before-making-dir-indexed.patch ext4-make-sure-the-first-directory-block-is-not-a-hole.patch io_uring-tighten-task-exit-cancellations.patch trace-pid_list-change-gfp-flags-in-pid_list_fill_irq.patch +selftests-landlock-add-cred_transfer-test.patch +wifi-mwifiex-fix-interface-type-change.patch +drivers-soc-xilinx-check-return-status-of-get_api_version.patch +leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch +leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch +jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch +jbd2-avoid-infinite-transaction-commit-loop.patch +media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch +kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch +kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch diff --git a/queue-6.1/wifi-mwifiex-fix-interface-type-change.patch b/queue-6.1/wifi-mwifiex-fix-interface-type-change.patch new file mode 100644 index 00000000000..f8b00767bf2 --- /dev/null +++ b/queue-6.1/wifi-mwifiex-fix-interface-type-change.patch 
@@ -0,0 +1,40 @@ +From a17b9f590f6ec2b9f1b12b1db3bf1d181de6b272 Mon Sep 17 00:00:00 2001 +From: Rafael Beims +Date: Fri, 10 May 2024 13:04:58 +0200 +Subject: wifi: mwifiex: Fix interface type change + +From: Rafael Beims + +commit a17b9f590f6ec2b9f1b12b1db3bf1d181de6b272 upstream. + +When changing the interface type we also need to update the bss_num, the +driver private data is searched based on a unique (bss_type, bss_num) +tuple, therefore every time bss_type changes, bss_num must also change. + +This fixes for example an issue in which, after the mode changed, a +wireless scan on the changed interface would not finish, leading to +repeated -EBUSY messages to userspace when other scan requests were +sent. + +Fixes: c606008b7062 ("mwifiex: Properly initialize private structure on interface type changes") +Cc: stable@vger.kernel.org +Signed-off-by: Rafael Beims +Signed-off-by: Francesco Dolcini +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240510110458.15475-1-francesco@dolcini.it +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -926,6 +926,8 @@ mwifiex_init_new_priv_params(struct mwif + return -EOPNOTSUPP; + } + ++ priv->bss_num = mwifiex_get_unused_bss_num(adapter, priv->bss_type); ++ + spin_lock_irqsave(&adapter->main_proc_lock, flags); + adapter->main_locked = false; + spin_unlock_irqrestore(&adapter->main_proc_lock, flags);
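Review bot: The result of `mwifiex_get_unused_bss_num()` is stored in `priv->bss_num` without any check. The helper's definition is not part of this hunk; if it can signal that no number is free for the given `bss_type`, that failure value would become part of the (bss_type, bss_num) key the description says is used to find the private data. In that case the value should be tested first and an error returned instead of continuing. The assignment also sits before the `spin_lock_irqsave(&adapter->main_proc_lock, flags)` section, and whether another lock serialises it against concurrent interface changes is not visible here. mwifiex_init_new_priv_params() starts and ends outside the hunk.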