From: Sasha Levin Date: Fri, 5 Jul 2024 19:22:27 +0000 (-0400) Subject: Revert "Fixes for 6.6" X-Git-Tag: v6.6.38~64 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=54976f4e4ff79b4ccc81feda76e486d5f5047149;p=thirdparty%2Fkernel%2Fstable-queue.git Revert "Fixes for 6.6" This reverts commit 93cca388aaad2762c4a6c412115f4d49225d8c0f. Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch b/queue-6.6/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch deleted file mode 100644 index 4cf59b2dd15..00000000000 --- a/queue-6.6/bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch +++ /dev/null @@ -1,59 +0,0 @@ -From e7805ff8132c7c79fd75013d6fded2144f55e198 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 May 2024 12:13:13 +0200 -Subject: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD - -From: Jose E. Marchesi - -[ Upstream commit 009367099eb61a4fc2af44d4eb06b6b4de7de6db ] - -[Changes from V1: - - Use a default branch in the switch statement to initialize `val'.] - -GCC warns that `val' may be used uninitialized in the -BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as: - - [...] - unsigned long long val; \ - [...] \ - switch (__CORE_RELO(s, field, BYTE_SIZE)) { \ - case 1: val = *(const unsigned char *)p; break; \ - case 2: val = *(const unsigned short *)p; break; \ - case 4: val = *(const unsigned int *)p; break; \ - case 8: val = *(const unsigned long long *)p; break; \ - } \ - [...] - val; \ - } \ - -This patch adds a default entry in the switch statement that sets -`val' to zero in order to avoid the warning, and random values to be -used in case __builtin_preserve_field_info returns unexpected values -for BPF_FIELD_BYTE_SIZE. - -Tested in bpf-next master. -No regressions. - -Signed-off-by: Jose E. Marchesi -Signed-off-by: Andrii Nakryiko -Link: https://lore.kernel.org/bpf/20240508101313.16662-1-jose.marchesi@oracle.com -Signed-off-by: Sasha Levin ---- - tools/lib/bpf/bpf_core_read.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h -index 1ac57bb7ac55f..e2b9e8415c044 100644 ---- a/tools/lib/bpf/bpf_core_read.h -+++ b/tools/lib/bpf/bpf_core_read.h -@@ -102,6 +102,7 @@ enum bpf_enum_value_kind { - case 2: val = *(const unsigned short *)p; break; \ - case 4: val = *(const unsigned int *)p; break; \ - case 8: val = *(const unsigned long long *)p; break; \ -+ default: val = 0; break; \ - } \ - val <<= __CORE_RELO(s, field, LSHIFT_U64); \ - if (__CORE_RELO(s, field, SIGNED)) \ --- -2.43.0 - diff --git a/queue-6.6/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch b/queue-6.6/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch deleted file mode 100644 index 24e60b2f7bf..00000000000 --- a/queue-6.6/btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 9689d29e2b13030fc6aed3f933fd68db5ee24d66 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 10:34:17 +0800 -Subject: btrfs: scrub: initialize ret in scrub_simple_mirror() to fix - compilation warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Lu Yao - -[ Upstream commit b4e585fffc1cf877112ed231a91f089e85688c2a ] - -The following error message is displayed: - ../fs/btrfs/scrub.c:2152:9: error: ‘ret’ may be used uninitialized - in this function [-Werror=maybe-uninitialized]" - -Compiler version: gcc version: (Debian 10.2.1-6) 10.2.1 20210110 - -Reviewed-by: Boris Burkov -Signed-off-by: Lu Yao -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/scrub.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c -index 819973c37a148..a2d91d9f8a109 100644 ---- a/fs/btrfs/scrub.c -+++ b/fs/btrfs/scrub.c -@@ -2020,7 +2020,7 @@ static int scrub_simple_mirror(struct scrub_ctx *sctx, - struct btrfs_fs_info *fs_info = sctx->fs_info; - const u64 logical_end = logical_start + logical_length; - u64 cur_logical = logical_start; -- int ret; -+ int ret = 0; - - /* The range must be inside the bg */ - ASSERT(logical_start >= bg->start && logical_end <= bg->start + bg->length); --- -2.43.0 - diff --git a/queue-6.6/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch b/queue-6.6/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch deleted file mode 100644 index e74e45324b3..00000000000 --- a/queue-6.6/cdrom-rearrange-last_media_change-check-to-avoid-uni.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 1694a095b0798411ee8c1bbd6e7e52323d2f7156 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 23:25:20 +0100 -Subject: cdrom: rearrange last_media_change check to avoid unintentional - overflow - -From: Justin Stitt - -[ Upstream commit efb905aeb44b0e99c0e6b07865b1885ae0471ebf ] - -When running syzkaller with the newly reintroduced signed integer wrap -sanitizer we encounter this splat: - -[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33 -[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long') -[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO -[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 -[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 -[ 366.027518] Call Trace: -[ 366.027523] -[ 366.027533] dump_stack_lvl+0x93/0xd0 -[ 366.027899] handle_overflow+0x171/0x1b0 -[ 366.038787] ata1.00: invalid multi_count 32 ignored -[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10 -[ 366.063932] ? __pm_runtime_resume+0xe6/0x130 -[ 366.071923] sr_block_ioctl+0x15d/0x1d0 -[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10 -[ 366.077642] blkdev_ioctl+0x419/0x500 -[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10 -... - -Historically, the signed integer overflow sanitizer did not work in the -kernel due to its interaction with `-fwrapv` but this has since been -changed [1] in the newest version of Clang. It was re-enabled in the -kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow -sanitizer"). - -Let's rearrange the check to not perform any arithmetic, thus not -tripping the sanitizer. - -Link: https://github.com/llvm/llvm-project/pull/82432 [1] -Closes: https://github.com/KSPP/linux/issues/354 -Cc: linux-hardening@vger.kernel.org -Signed-off-by: Justin Stitt -Link: https://lore.kernel.org/lkml/20240507-b4-sio-ata1-v1-1-810ffac6080a@google.com -Reviewed-by: Phillip Potter -Link: https://lore.kernel.org/lkml/ZjqU0fbzHrlnad8D@equinox -Signed-off-by: Phillip Potter -Link: https://lore.kernel.org/r/20240507222520.1445-2-phil@philpotter.co.uk -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/cdrom/cdrom.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index cc28398059833..01f46caf1f88b 100644 ---- a/drivers/cdrom/cdrom.c -+++ b/drivers/cdrom/cdrom.c -@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_timed_media_change(struct cdrom_device_info *cdi, - return -EFAULT; - - tmp_info.media_flags = 0; -- if (tmp_info.last_media_change - cdi->last_media_change_ms < 0) -+ if (cdi->last_media_change_ms > tmp_info.last_media_change) - tmp_info.media_flags |= MEDIA_CHANGED_FLAG; - - tmp_info.last_media_change = cdi->last_media_change_ms; --- -2.43.0 - diff --git a/queue-6.6/crypto-aead-cipher-zeroize-key-buffer-after-use.patch b/queue-6.6/crypto-aead-cipher-zeroize-key-buffer-after-use.patch deleted file mode 100644 index 098524354f6..00000000000 --- a/queue-6.6/crypto-aead-cipher-zeroize-key-buffer-after-use.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 8e156e3e598e198551948f96cd9efac1de7abdab Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Apr 2024 22:19:15 +0000 -Subject: crypto: aead,cipher - zeroize key buffer after use - -From: Hailey Mothershead - -[ Upstream commit 23e4099bdc3c8381992f9eb975c79196d6755210 ] - -I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding -cryptographic information should be zeroized once they are no longer -needed. Accomplish this by using kfree_sensitive for buffers that -previously held the private key. - -Signed-off-by: Hailey Mothershead -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - crypto/aead.c | 3 +-- - crypto/cipher.c | 3 +-- - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/crypto/aead.c b/crypto/aead.c -index d5ba204ebdbfa..ecab683016b7d 100644 ---- a/crypto/aead.c -+++ b/crypto/aead.c -@@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key, - alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); - memcpy(alignbuffer, key, keylen); - ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen); -- memset(alignbuffer, 0, keylen); -- kfree(buffer); -+ kfree_sensitive(buffer); - return ret; - } - -diff --git a/crypto/cipher.c b/crypto/cipher.c -index 47c77a3e59783..40cae908788ec 100644 ---- a/crypto/cipher.c -+++ b/crypto/cipher.c -@@ -34,8 +34,7 @@ static int setkey_unaligned(struct crypto_cipher *tfm, const u8 *key, - alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); - memcpy(alignbuffer, key, keylen); - ret = cia->cia_setkey(crypto_cipher_tfm(tfm), alignbuffer, keylen); -- memset(alignbuffer, 0, keylen); -- kfree(buffer); -+ kfree_sensitive(buffer); - return ret; - - } --- -2.43.0 - diff --git a/queue-6.6/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch b/queue-6.6/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch deleted file mode 100644 index d77254a5de0..00000000000 --- a/queue-6.6/crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 1328f0a9c093ccdf1dd690c6155514a1782d5065 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 7 Apr 2024 15:59:53 +0800 -Subject: crypto: hisilicon/debugfs - Fix debugfs uninit process issue - -From: Chenghai Huang - -[ Upstream commit 8be0913389718e8d27c4f1d4537b5e1b99ed7739 ] - -During the zip probe process, the debugfs failure does not stop -the probe. When debugfs initialization fails, jumping to the -error branch will also release regs, in addition to its own -rollback operation. - -As a result, it may be released repeatedly during the regs -uninit process. Therefore, the null check needs to be added to -the regs uninit process. - -Signed-off-by: Chenghai Huang -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - drivers/crypto/hisilicon/debugfs.c | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - -diff --git a/drivers/crypto/hisilicon/debugfs.c b/drivers/crypto/hisilicon/debugfs.c -index 2cc1591949db7..bd205f1f2279e 100644 ---- a/drivers/crypto/hisilicon/debugfs.c -+++ b/drivers/crypto/hisilicon/debugfs.c -@@ -794,8 +794,14 @@ static void dfx_regs_uninit(struct hisi_qm *qm, - { - int i; - -+ if (!dregs) -+ return; -+ - /* Setting the pointer is NULL to prevent double free */ - for (i = 0; i < reg_len; i++) { -+ if (!dregs[i].regs) -+ continue; -+ - kfree(dregs[i].regs); - dregs[i].regs = NULL; - } -@@ -845,14 +851,21 @@ static struct dfx_diff_registers *dfx_regs_init(struct hisi_qm *qm, - static int qm_diff_regs_init(struct hisi_qm *qm, - struct dfx_diff_registers *dregs, u32 reg_len) - { -+ int ret; -+ - qm->debug.qm_diff_regs = dfx_regs_init(qm, qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); -- if (IS_ERR(qm->debug.qm_diff_regs)) -- return PTR_ERR(qm->debug.qm_diff_regs); -+ if (IS_ERR(qm->debug.qm_diff_regs)) { -+ ret = PTR_ERR(qm->debug.qm_diff_regs); -+ qm->debug.qm_diff_regs = NULL; -+ return ret; -+ } - - qm->debug.acc_diff_regs = dfx_regs_init(qm, dregs, reg_len); - if (IS_ERR(qm->debug.acc_diff_regs)) { - dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); -- return PTR_ERR(qm->debug.acc_diff_regs); -+ ret = PTR_ERR(qm->debug.acc_diff_regs); -+ qm->debug.acc_diff_regs = NULL; -+ return ret; - } - - return 0; -@@ -893,7 +906,9 @@ static int qm_last_regs_init(struct hisi_qm *qm) - static void qm_diff_regs_uninit(struct hisi_qm *qm, u32 reg_len) - { - dfx_regs_uninit(qm, qm->debug.acc_diff_regs, reg_len); -+ qm->debug.acc_diff_regs = NULL; - dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs)); -+ qm->debug.qm_diff_regs = NULL; - } - - /** --- -2.43.0 - diff --git a/queue-6.6/drm-amd-display-check-index-msg_id-before-read-or-wr.patch b/queue-6.6/drm-amd-display-check-index-msg_id-before-read-or-wr.patch deleted file mode 100644 index 52ede053e9d..00000000000 --- a/queue-6.6/drm-amd-display-check-index-msg_id-before-read-or-wr.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 047879bfdfe4d15d7bad3c30b5c32e190f0e29f4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 13:27:43 -0600 -Subject: drm/amd/display: Check index msg_id before read or write - -From: Alex Hung - -[ Upstream commit 59d99deb330af206a4541db0c4da8f73880fba03 ] - -[WHAT] -msg_id is used as an array index and it cannot be a negative value, and -therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1). - -[HOW] -Check whether msg_id is valid before reading and setting. - -This fixes 4 OVERRUN issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -index f7b5583ee609a..8e9caae7c9559 100644 ---- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c -@@ -156,6 +156,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, - uint32_t cur_size = 0; - uint32_t data_offset = 0; - -+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { -+ return MOD_HDCP_STATUS_DDC_FAILURE; -+ } -+ - if (is_dp_hdcp(hdcp)) { - while (buf_len > 0) { - cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); -@@ -215,6 +219,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, - uint32_t cur_size = 0; - uint32_t data_offset = 0; - -+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { -+ return MOD_HDCP_STATUS_DDC_FAILURE; -+ } -+ - if (is_dp_hdcp(hdcp)) { - while (buf_len > 0) { - cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); --- -2.43.0 - diff --git a/queue-6.6/drm-amd-display-check-pipe-offset-before-setting-vbl.patch b/queue-6.6/drm-amd-display-check-pipe-offset-before-setting-vbl.patch deleted file mode 100644 index 6755a63fe8e..00000000000 --- a/queue-6.6/drm-amd-display-check-pipe-offset-before-setting-vbl.patch +++ /dev/null @@ -1,45 +0,0 @@ -From cc600cbe99032c802db435622d27aa5e417f3089 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 18:07:17 -0600 -Subject: drm/amd/display: Check pipe offset before setting vblank - -From: Alex Hung - -[ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ] - -pipe_ctx has a size of MAX_PIPES so checking its index before accessing -the array. - -This fixes an OVERRUN issue reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - .../drm/amd/display/dc/irq/dce110/irq_service_dce110.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -index 44649db5f3e32..5646b7788f02e 100644 ---- a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -+++ b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c -@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service, - info->ext_id); - uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK; - -- struct timing_generator *tg = -- dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; -+ struct timing_generator *tg; -+ -+ if (pipe_offset >= MAX_PIPES) -+ return false; -+ -+ tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; - - if (enable) { - if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) { --- -2.43.0 - diff --git a/queue-6.6/drm-amd-display-fix-uninitialized-variables-in-dm.patch b/queue-6.6/drm-amd-display-fix-uninitialized-variables-in-dm.patch deleted file mode 100644 index 136ede97f4b..00000000000 --- a/queue-6.6/drm-amd-display-fix-uninitialized-variables-in-dm.patch +++ /dev/null @@ -1,86 +0,0 @@ -From bd4555f3068e7291c7320352eb90109d0d95fa7d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 Apr 2024 19:02:56 -0600 -Subject: drm/amd/display: Fix uninitialized variables in DM - -From: Alex Hung - -[ Upstream commit f95bcb041f213a5da3da5fcaf73269bd13dba945 ] - -This fixes 11 UNINIT issues reported by Coverity. - -Reviewed-by: Hersen Wu -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++---- - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 4 ++-- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -index 7ed6bb61fe0ad..c1a0fd47802a0 100644 ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c -@@ -264,7 +264,7 @@ static u32 dm_vblank_get_counter(struct amdgpu_device *adev, int crtc) - static int dm_crtc_get_scanoutpos(struct amdgpu_device *adev, int crtc, - u32 *vbl, u32 *position) - { -- u32 v_blank_start, v_blank_end, h_position, v_position; -+ u32 v_blank_start = 0, v_blank_end = 0, h_position = 0, v_position = 0; - struct amdgpu_crtc *acrtc = NULL; - - if ((crtc < 0) || (crtc >= adev->mode_info.num_crtc)) -@@ -801,7 +801,7 @@ static void dm_handle_hpd_work(struct work_struct *work) - */ - static void dm_dmub_outbox1_low_irq(void *interrupt_params) - { -- struct dmub_notification notify; -+ struct dmub_notification notify = {0}; - struct common_irq_params *irq_params = interrupt_params; - struct amdgpu_device *adev = irq_params->adev; - struct amdgpu_display_manager *dm = &adev->dm; -@@ -6895,7 +6895,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state, - struct amdgpu_dm_connector *aconnector; - struct dm_connector_state *dm_conn_state; - int i, j, ret; -- int vcpi, pbn_div, pbn, slot_num = 0; -+ int vcpi, pbn_div, pbn = 0, slot_num = 0; - - for_each_new_connector_in_state(state, connector, new_con_state, i) { - -@@ -10064,7 +10064,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, - struct dm_crtc_state *dm_old_crtc_state, *dm_new_crtc_state; - struct drm_dp_mst_topology_mgr *mgr; - struct drm_dp_mst_topology_state *mst_state; -- struct dsc_mst_fairness_vars vars[MAX_PIPES]; -+ struct dsc_mst_fairness_vars vars[MAX_PIPES] = {0}; - - trace_amdgpu_dm_atomic_check_begin(state); - -diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -index 2bc37c5a27605..c8609595f324b 100644 ---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c -@@ -1219,7 +1219,7 @@ static ssize_t dp_sdp_message_debugfs_write(struct file *f, const char __user *b - size_t size, loff_t *pos) - { - int r; -- uint8_t data[36]; -+ uint8_t data[36] = {0}; - struct amdgpu_dm_connector *connector = file_inode(f)->i_private; - struct dm_crtc_state *acrtc_state; - uint32_t write_size = 36; -@@ -2929,7 +2929,7 @@ static int psr_read_residency(void *data, u64 *val) - { - struct amdgpu_dm_connector *connector = data; - struct dc_link *link = connector->dc_link; -- u32 residency; -+ u32 residency = 0; - - link->dc->link_srv->edp_get_psr_residency(link, &residency); - --- -2.43.0 - diff --git a/queue-6.6/drm-amd-display-skip-finding-free-audio-for-unknown-.patch b/queue-6.6/drm-amd-display-skip-finding-free-audio-for-unknown-.patch deleted file mode 100644 index 65f72fc086a..00000000000 --- a/queue-6.6/drm-amd-display-skip-finding-free-audio-for-unknown-.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 891e1fa8c401e86157567092218e36fa1e662d72 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 13:52:27 -0600 -Subject: drm/amd/display: Skip finding free audio for unknown engine_id - -From: Alex Hung - -[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ] - -[WHY] -ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it -also means it is uninitialized and does not need free audio. - -[HOW] -Skip and return NULL. - -This fixes 2 OVERRUN issues reported by Coverity. - -Reviewed-by: Rodrigo Siqueira -Acked-by: Wayne Lin -Signed-off-by: Alex Hung -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -index 8873acfe309c8..84923c5400d32 100644 ---- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c -@@ -2385,6 +2385,9 @@ static struct audio *find_first_free_audio( - { - int i, available_audio_count; - -+ if (id == ENGINE_ID_UNKNOWN) -+ return NULL; -+ - available_audio_count = pool->audio_count; - - for (i = 0; i < available_audio_count; i++) { --- -2.43.0 - diff --git a/queue-6.6/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch b/queue-6.6/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch deleted file mode 100644 index 5b358d0895d..00000000000 --- a/queue-6.6/drm-amdgpu-fix-the-warning-about-the-expression-int-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From db334bef966745d71474a037f35bcc364132dc70 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 25 Apr 2024 15:16:40 +0800 -Subject: drm/amdgpu: fix the warning about the expression (int)size - len - -From: Jesse Zhang - -[ Upstream commit ea686fef5489ef7a2450a9fdbcc732b837fb46a8 ] - -Converting size from size_t to int may overflow. -v2: keep reverse xmas tree order (Christian) - -Signed-off-by: Jesse Zhang -Reviewed-by: Alex Deucher -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c -index 418ff7cd662da..1c2c9ff9d39df 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c -@@ -2052,12 +2052,13 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f, - struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private; - char reg_offset[11]; - uint32_t *new = NULL, *tmp = NULL; -- int ret, i = 0, len = 0; -+ unsigned int len = 0; -+ int ret, i = 0; - - do { - memset(reg_offset, 0, 11); - if (copy_from_user(reg_offset, buf + len, -- min(10, ((int)size-len)))) { -+ min(10, (size-len)))) { - ret = -EFAULT; - goto error_free; - } --- -2.43.0 - diff --git a/queue-6.6/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch b/queue-6.6/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch deleted file mode 100644 index 71722d838f5..00000000000 --- a/queue-6.6/drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 008e2a1522fe4b34b92c5a312fc933ba30d574cc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 14:06:28 +0800 -Subject: drm/amdgpu: fix uninitialized scalar variable warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Tim Huang - -[ Upstream commit 9a5f15d2a29d06ce5bd50919da7221cda92afb69 ] - -Clear warning that uses uninitialized value fw_size. - -Signed-off-by: Tim Huang -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c -index 053983e9f4aef..0ca51df46cc0d 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c -@@ -1184,7 +1184,8 @@ void amdgpu_gfx_cp_init_microcode(struct amdgpu_device *adev, - fw_size = le32_to_cpu(cp_hdr_v2_0->data_size_bytes); - break; - default: -- break; -+ dev_err(adev->dev, "Invalid ucode id %u\n", ucode_id); -+ return; - } - - if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) { --- -2.43.0 - diff --git a/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warnings.patch b/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warnings.patch deleted file mode 100644 index 5ca398ff51e..00000000000 --- a/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warnings.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 93ff92b586d3979e75d1bd41722366e437e6f417 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 14:47:52 +0800 -Subject: drm/amdgpu: Fix uninitialized variable warnings -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Ma Jun - -[ Upstream commit 60c448439f3b5db9431e13f7f361b4074d0e8594 ] - -return 0 to avoid returning an uninitialized variable r - -Signed-off-by: Ma Jun -Acked-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/aldebaran.c | 2 +- - drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/aldebaran.c b/drivers/gpu/drm/amd/amdgpu/aldebaran.c -index fa6193535d485..7fea4f0f495a3 100644 ---- a/drivers/gpu/drm/amd/amdgpu/aldebaran.c -+++ b/drivers/gpu/drm/amd/amdgpu/aldebaran.c -@@ -100,7 +100,7 @@ static int aldebaran_mode2_suspend_ip(struct amdgpu_device *adev) - adev->ip_blocks[i].status.hw = false; - } - -- return r; -+ return 0; - } - - static int -diff --git a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c -index 8b8086d5c864b..896c7e434d3bc 100644 ---- a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c -+++ b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c -@@ -93,7 +93,7 @@ static int sienna_cichlid_mode2_suspend_ip(struct amdgpu_device *adev) - adev->ip_blocks[i].status.hw = false; - } - -- return r; -+ return 0; - } - - static int --- -2.43.0 - diff --git a/queue-6.6/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch b/queue-6.6/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch deleted file mode 100644 index 78e346a41a3..00000000000 --- a/queue-6.6/drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 1a4ae764e86f236edceb56bb7f40bed6ddb0a3bd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 10:07:51 +0800 -Subject: drm/amdgpu: Initialize timestamp for some legacy SOCs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Ma Jun - -[ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ] - -Initialize the interrupt timestamp for some legacy SOCs -to fix the coverity issue "Uninitialized scalar variable" - -Signed-off-by: Ma Jun -Suggested-by: Christian König -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -index fa6d0adcec206..5978edf7ea71e 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c -@@ -438,6 +438,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev, - - entry.ih = ih; - entry.iv_entry = (const uint32_t *)&ih->ring[ring_index]; -+ -+ /* -+ * timestamp is not supported on some legacy SOCs (cik, cz, iceland, -+ * si and tonga), so initialize timestamp and timestamp_src to 0 -+ */ -+ entry.timestamp = 0; -+ entry.timestamp_src = 0; -+ - amdgpu_ih_decode_iv(adev, &entry); - - trace_amdgpu_iv(ih - &adev->irq.ih, &entry); --- -2.43.0 - diff --git a/queue-6.6/drm-amdgpu-using-uninitialized-value-size-when-calli.patch b/queue-6.6/drm-amdgpu-using-uninitialized-value-size-when-calli.patch deleted file mode 100644 index 42a5830dd80..00000000000 --- a/queue-6.6/drm-amdgpu-using-uninitialized-value-size-when-calli.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 92d30be983a5a31e4b6607832eeb42f465885712 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 24 Apr 2024 17:10:46 +0800 -Subject: drm/amdgpu: Using uninitialized value *size when calling - amdgpu_vce_cs_reloc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Jesse Zhang - -[ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ] - -Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. -V2: To really improve the handling we would actually - need to have a separate value of 0xffffffff.(Christian) - -Signed-off-by: Jesse Zhang -Suggested-by: Christian König -Reviewed-by: Christian König -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c -index 1904edf684071..88a3aa36b41d7 100644 ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c -@@ -742,7 +742,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, - uint32_t created = 0; - uint32_t allocated = 0; - uint32_t tmp, handle = 0; -- uint32_t *size = &tmp; -+ uint32_t dummy = 0xffffffff; -+ uint32_t *size = &dummy; - unsigned int idx; - int i, r = 0; - --- -2.43.0 - diff --git a/queue-6.6/drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch b/queue-6.6/drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch deleted file mode 100644 index b688b7b7f73..00000000000 --- a/queue-6.6/drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch +++ /dev/null @@ -1,72 +0,0 @@ -From c56c11477c0806d163ce25e8c1b0fd3962de8b92 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 Apr 2024 22:19:51 +0200 -Subject: drm/i915: Fix gt reset with GuC submission is disabled - -From: Nirmoy Das - -[ Upstream commit 4d3421e04c5dc38baf15224c051256204f223c15 ] - -Currently intel_gt_reset() kills the GuC and then resets requested -engines. This is problematic because there is a dedicated CSB FIFO -which only GuC can access and if that FIFO fills up, the hardware -will block on the next context switch until there is space that means -the system is effectively hung. If an engine is reset whilst actively -executing a context, a CSB entry will be sent to say that the context -has gone idle. Thus if reset happens on a very busy system then -killing GuC before killing the engines will lead to deadlock because -of filled up CSB FIFO. - -To address this issue, the GuC should be killed only after resetting -the requested engines and before calling intel_gt_init_hw(). - -v2: Improve commit message(John) - -Cc: John Harrison -Signed-off-by: Nirmoy Das -Reviewed-by: John Harrison -Reviewed-by: Andi Shyti -Signed-off-by: Andi Shyti -Link: https://patchwork.freedesktop.org/patch/msgid/20240422201951.633-2-nirmoy.das@intel.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/i915/gt/intel_reset.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/i915/gt/intel_reset.c b/drivers/gpu/drm/i915/gt/intel_reset.c -index 13fb8e5042c58..6c651ef7928b4 100644 ---- a/drivers/gpu/drm/i915/gt/intel_reset.c -+++ b/drivers/gpu/drm/i915/gt/intel_reset.c -@@ -880,8 +880,17 @@ static intel_engine_mask_t reset_prepare(struct intel_gt *gt) - intel_engine_mask_t awake = 0; - enum intel_engine_id id; - -- /* For GuC mode, ensure submission is disabled before stopping ring */ -- intel_uc_reset_prepare(>->uc); -+ /** -+ * For GuC mode with submission enabled, ensure submission -+ * is disabled before stopping ring. -+ * -+ * For GuC mode with submission disabled, ensure that GuC is not -+ * sanitized, do that after engine reset. reset_prepare() -+ * is followed by engine reset which in this mode requires GuC to -+ * process any CSB FIFO entries generated by the resets. -+ */ -+ if (intel_uc_uses_guc_submission(>->uc)) -+ intel_uc_reset_prepare(>->uc); - - for_each_engine(engine, gt, id) { - if (intel_engine_pm_get_if_awake(engine)) -@@ -1228,6 +1237,9 @@ void intel_gt_reset(struct intel_gt *gt, - - intel_overlay_reset(gt->i915); - -+ /* sanitize uC after engine reset */ -+ if (!intel_uc_uses_guc_submission(>->uc)) -+ intel_uc_reset_prepare(>->uc); - /* - * Next we need to restore the context, but we don't use those - * yet either... --- -2.43.0 - diff --git a/queue-6.6/drm-lima-fix-shared-irq-handling-on-driver-remove.patch b/queue-6.6/drm-lima-fix-shared-irq-handling-on-driver-remove.patch deleted file mode 100644 index c1532905fa4..00000000000 --- a/queue-6.6/drm-lima-fix-shared-irq-handling-on-driver-remove.patch +++ /dev/null @@ -1,88 +0,0 @@ -From a40ee90a5de1252188a13b4058970742f0103955 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Apr 2024 00:43:28 +0200 -Subject: drm/lima: fix shared irq handling on driver remove - -From: Erico Nunes - -[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ] - -lima uses a shared interrupt, so the interrupt handlers must be prepared -to be called at any time. At driver removal time, the clocks are -disabled early and the interrupts stay registered until the very end of -the remove process due to the devm usage. -This is potentially a bug as the interrupts access device registers -which assumes clocks are enabled. A crash can be triggered by removing -the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled. -This patch frees the interrupts at each lima device finishing callback -so that the handlers are already unregistered by the time we fully -disable clocks. - -Signed-off-by: Erico Nunes -Signed-off-by: Qiang Yu -Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/lima/lima_gp.c | 2 ++ - drivers/gpu/drm/lima/lima_mmu.c | 5 +++++ - drivers/gpu/drm/lima/lima_pp.c | 4 ++++ - 3 files changed, 11 insertions(+) - -diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c -index 6cf46b653e810..ca3842f719842 100644 ---- a/drivers/gpu/drm/lima/lima_gp.c -+++ b/drivers/gpu/drm/lima/lima_gp.c -@@ -324,7 +324,9 @@ int lima_gp_init(struct lima_ip *ip) - - void lima_gp_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - int lima_gp_pipe_init(struct lima_device *dev) -diff --git a/drivers/gpu/drm/lima/lima_mmu.c b/drivers/gpu/drm/lima/lima_mmu.c -index a1ae6c252dc2b..8ca7047adbaca 100644 ---- a/drivers/gpu/drm/lima/lima_mmu.c -+++ b/drivers/gpu/drm/lima/lima_mmu.c -@@ -118,7 +118,12 @@ int lima_mmu_init(struct lima_ip *ip) - - void lima_mmu_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; -+ -+ if (ip->id == lima_ip_ppmmu_bcast) -+ return; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - void lima_mmu_flush_tlb(struct lima_ip *ip) -diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c -index 54b208a4a768e..d34c9e8840f45 100644 ---- a/drivers/gpu/drm/lima/lima_pp.c -+++ b/drivers/gpu/drm/lima/lima_pp.c -@@ -266,7 +266,9 @@ int lima_pp_init(struct lima_ip *ip) - - void lima_pp_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - int lima_pp_bcast_resume(struct lima_ip *ip) -@@ -299,7 +301,9 @@ int lima_pp_bcast_init(struct lima_ip *ip) - - void lima_pp_bcast_fini(struct lima_ip *ip) - { -+ struct lima_device *dev = ip->dev; - -+ devm_free_irq(dev->dev, ip->irq, ip); - } - - static int lima_pp_task_validate(struct lima_sched_pipe *pipe, --- -2.43.0 - diff --git a/queue-6.6/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch b/queue-6.6/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch deleted file mode 100644 index 67d9e5b517b..00000000000 --- a/queue-6.6/f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch +++ /dev/null @@ -1,142 +0,0 @@ -From ac3a42db0fcfc77f21d669c1b48442f4568bb0ba Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 11:38:47 +0800 -Subject: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - -From: Chao Yu - -[ Upstream commit 4ed886b187f47447ad559619c48c086f432d2b77 ] - -- It missed to check validation of fault attrs in parse_options(), -let's fix to add check condition in f2fs_build_fault_attr(). -- Use f2fs_build_fault_attr() in __sbi_store() to clean up code. - -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim -Signed-off-by: Sasha Levin ---- - fs/f2fs/f2fs.h | 12 ++++++++---- - fs/f2fs/super.c | 27 ++++++++++++++++++++------- - fs/f2fs/sysfs.c | 14 ++++++++++---- - 3 files changed, 38 insertions(+), 15 deletions(-) - -diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h -index f1fbfa7fb279e..5056af9e0581c 100644 ---- a/fs/f2fs/f2fs.h -+++ b/fs/f2fs/f2fs.h -@@ -69,7 +69,7 @@ enum { - - struct f2fs_fault_info { - atomic_t inject_ops; -- unsigned int inject_rate; -+ int inject_rate; - unsigned int inject_type; - }; - -@@ -4593,10 +4593,14 @@ static inline bool f2fs_need_verity(const struct inode *inode, pgoff_t idx) - } - - #ifdef CONFIG_F2FS_FAULT_INJECTION --extern void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate, -- unsigned int type); -+extern int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, -+ unsigned long type); - #else --#define f2fs_build_fault_attr(sbi, rate, type) do { } while (0) -+static int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, -+ unsigned long type) -+{ -+ return 0; -+} - #endif - - static inline bool is_journalled_quota(struct f2fs_sb_info *sbi) -diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index ce50d2253dd80..e022d8233c0a5 100644 ---- a/fs/f2fs/super.c -+++ b/fs/f2fs/super.c -@@ -64,21 +64,31 @@ const char *f2fs_fault_name[FAULT_MAX] = { - [FAULT_BLKADDR] = "invalid blkaddr", - }; - --void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate, -- unsigned int type) -+int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate, -+ unsigned long type) - { - struct f2fs_fault_info *ffi = &F2FS_OPTION(sbi).fault_info; - - if (rate) { -+ if (rate > INT_MAX) -+ return -EINVAL; - atomic_set(&ffi->inject_ops, 0); -- ffi->inject_rate = rate; -+ ffi->inject_rate = (int)rate; - } - -- if (type) -- ffi->inject_type = type; -+ if (type) { -+ if (type >= BIT(FAULT_MAX)) -+ return -EINVAL; -+ ffi->inject_type = (unsigned int)type; -+ } - - if (!rate && !type) - memset(ffi, 0, sizeof(struct f2fs_fault_info)); -+ else -+ f2fs_info(sbi, -+ "build fault injection attr: rate: %lu, type: 0x%lx", -+ rate, type); -+ return 0; - } - #endif - -@@ -869,14 +879,17 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) - case Opt_fault_injection: - if (args->from && match_int(args, &arg)) - return -EINVAL; -- f2fs_build_fault_attr(sbi, arg, F2FS_ALL_FAULT_TYPE); -+ if (f2fs_build_fault_attr(sbi, arg, -+ F2FS_ALL_FAULT_TYPE)) -+ return -EINVAL; - set_opt(sbi, FAULT_INJECTION); - break; - - case Opt_fault_type: - if (args->from && match_int(args, &arg)) - return -EINVAL; -- f2fs_build_fault_attr(sbi, 0, arg); -+ if (f2fs_build_fault_attr(sbi, 0, arg)) -+ return -EINVAL; - set_opt(sbi, FAULT_INJECTION); - break; - #else -diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c -index 6347a55020c6e..180feefc4a9ce 100644 ---- a/fs/f2fs/sysfs.c -+++ b/fs/f2fs/sysfs.c -@@ -457,10 +457,16 @@ static ssize_t __sbi_store(struct f2fs_attr *a, - if (ret < 0) - return ret; - #ifdef CONFIG_F2FS_FAULT_INJECTION -- if (a->struct_type == FAULT_INFO_TYPE && t >= BIT(FAULT_MAX)) -- return -EINVAL; -- if (a->struct_type == FAULT_INFO_RATE && t >= UINT_MAX) -- return -EINVAL; -+ if (a->struct_type == FAULT_INFO_TYPE) { -+ if (f2fs_build_fault_attr(sbi, 0, t)) -+ return -EINVAL; -+ return count; -+ } -+ if (a->struct_type == FAULT_INFO_RATE) { -+ if (f2fs_build_fault_attr(sbi, t, 0)) -+ return -EINVAL; -+ return count; -+ } - #endif - if (a->struct_type == RESERVED_BLOCKS) { - spin_lock(&sbi->stat_lock); --- -2.43.0 - diff --git a/queue-6.6/firmware-dmi-stop-decoding-on-broken-entry.patch b/queue-6.6/firmware-dmi-stop-decoding-on-broken-entry.patch deleted file mode 100644 index 6ff128cce23..00000000000 --- a/queue-6.6/firmware-dmi-stop-decoding-on-broken-entry.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 3376843e98b2f450476713e16264edf1d9fe469b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 18:29:32 +0200 -Subject: firmware: dmi: Stop decoding on broken entry - -From: Jean Delvare - -[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ] - -If a DMI table entry is shorter than 4 bytes, it is invalid. Due to -how DMI table parsing works, it is impossible to safely recover from -such an error, so we have to stop decoding the table. - -Signed-off-by: Jean Delvare -Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/ -Reviewed-by: Michael Kelley -Signed-off-by: Sasha Levin ---- - drivers/firmware/dmi_scan.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c -index 015c95a825d31..ac2a5d2d47463 100644 ---- a/drivers/firmware/dmi_scan.c -+++ b/drivers/firmware/dmi_scan.c -@@ -101,6 +101,17 @@ static void dmi_decode_table(u8 *buf, - (data - buf + sizeof(struct dmi_header)) <= dmi_len) { - const struct dmi_header *dm = (const struct dmi_header *)data; - -+ /* -+ * If a short entry is found (less than 4 bytes), not only it -+ * is invalid, but we cannot reliably locate the next entry. -+ */ -+ if (dm->length < sizeof(struct dmi_header)) { -+ pr_warn(FW_BUG -+ "Corrupted DMI table, offset %zd (only %d entries processed)\n", -+ data - buf, i); -+ break; -+ } -+ - /* - * We want to know the total length (formatted area and - * strings) before decoding to make sure we won't run off the --- -2.43.0 - diff --git a/queue-6.6/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch b/queue-6.6/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch deleted file mode 100644 index 947fba06cde..00000000000 --- a/queue-6.6/i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 39623f78da2b6c9eaf2400e5d554c86c993dd0f4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 12 Apr 2024 12:21:58 +0200 -Subject: i2c: i801: Annotate apanel_addr as __ro_after_init - -From: Heiner Kallweit - -[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ] - -Annotate this variable as __ro_after_init to protect it from being -overwritten later. - -Signed-off-by: Heiner Kallweit -Signed-off-by: Andi Shyti -Signed-off-by: Sasha Levin ---- - drivers/i2c/busses/i2c-i801.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c -index f6bc37f5eb3a3..3410add34aad2 100644 ---- a/drivers/i2c/busses/i2c-i801.c -+++ b/drivers/i2c/busses/i2c-i801.c -@@ -1052,7 +1052,7 @@ static const struct pci_device_id i801_ids[] = { - MODULE_DEVICE_TABLE(pci, i801_ids); - - #if defined CONFIG_X86 && defined CONFIG_DMI --static unsigned char apanel_addr; -+static unsigned char apanel_addr __ro_after_init; - - /* Scan the system ROM for the signature "FJKEYINF" */ - static __init const void __iomem *bios_signature(const void __iomem *bios) --- -2.43.0 - diff --git a/queue-6.6/ib-core-implement-a-limit-on-umad-receive-list.patch b/queue-6.6/ib-core-implement-a-limit-on-umad-receive-list.patch deleted file mode 100644 index ddf503b87ca..00000000000 --- a/queue-6.6/ib-core-implement-a-limit-on-umad-receive-list.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 58224f11c28c44060c1a630389ba38b13e3c4051 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 16 Apr 2024 15:01:44 +0300 -Subject: IB/core: Implement a limit on UMAD receive List - -From: Michael Guralnik - -[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ] - -The existing behavior of ib_umad, which maintains received MAD -packets in an unbounded list, poses a risk of uncontrolled growth. -As user-space applications extract packets from this list, the rate -of extraction may not match the rate of incoming packets, leading -to potential list overflow. - -To address this, we introduce a limit to the size of the list. After -considering typical scenarios, such as OpenSM processing, which can -handle approximately 100k packets per second, and the 1-second retry -timeout for most packets, we set the list size limit to 200k. Packets -received beyond this limit are dropped, assuming they are likely timed -out by the time they are handled by user-space. - -Notably, packets queued on the receive list due to reasons like -timed-out sends are preserved even when the list is full. - -Signed-off-by: Michael Guralnik -Reviewed-by: Mark Zhang -Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------ - 1 file changed, 15 insertions(+), 6 deletions(-) - -diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c -index f5feca7fa9b9c..2ed749f50a29f 100644 ---- a/drivers/infiniband/core/user_mad.c -+++ b/drivers/infiniband/core/user_mad.c -@@ -63,6 +63,8 @@ MODULE_AUTHOR("Roland Dreier"); - MODULE_DESCRIPTION("InfiniBand userspace MAD packet access"); - MODULE_LICENSE("Dual BSD/GPL"); - -+#define MAX_UMAD_RECV_LIST_SIZE 200000 -+ - enum { - IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS, - IB_UMAD_MAX_AGENTS = 32, -@@ -113,6 +115,7 @@ struct ib_umad_file { - struct mutex mutex; - struct ib_umad_port *port; - struct list_head recv_list; -+ atomic_t recv_list_size; - struct list_head send_list; - struct list_head port_list; - spinlock_t send_lock; -@@ -180,24 +183,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id) - return file->agents_dead ? NULL : file->agent[id]; - } - --static int queue_packet(struct ib_umad_file *file, -- struct ib_mad_agent *agent, -- struct ib_umad_packet *packet) -+static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent, -+ struct ib_umad_packet *packet, bool is_recv_mad) - { - int ret = 1; - - mutex_lock(&file->mutex); - -+ if (is_recv_mad && -+ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE) -+ goto unlock; -+ - for (packet->mad.hdr.id = 0; - packet->mad.hdr.id < IB_UMAD_MAX_AGENTS; - packet->mad.hdr.id++) - if (agent == __get_agent(file, packet->mad.hdr.id)) { - list_add_tail(&packet->list, &file->recv_list); -+ atomic_inc(&file->recv_list_size); - wake_up_interruptible(&file->recv_wait); - ret = 0; - break; - } -- -+unlock: - mutex_unlock(&file->mutex); - - return ret; -@@ -224,7 +231,7 @@ static void send_handler(struct ib_mad_agent *agent, - if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) { - packet->length = IB_MGMT_MAD_HDR; - packet->mad.hdr.status = ETIMEDOUT; -- if (!queue_packet(file, agent, packet)) -+ if (!queue_packet(file, agent, packet, false)) - return; - } - kfree(packet); -@@ -284,7 +291,7 @@ static void recv_handler(struct ib_mad_agent *agent, - rdma_destroy_ah_attr(&ah_attr); - } - -- if (queue_packet(file, agent, packet)) -+ if (queue_packet(file, agent, packet, true)) - goto err2; - return; - -@@ -409,6 +416,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, - - packet = list_entry(file->recv_list.next, struct ib_umad_packet, list); - list_del(&packet->list); -+ atomic_dec(&file->recv_list_size); - - mutex_unlock(&file->mutex); - -@@ -421,6 +429,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, - /* Requeue packet */ - mutex_lock(&file->mutex); - list_add(&packet->list, &file->recv_list); -+ atomic_inc(&file->recv_list_size); - mutex_unlock(&file->mutex); - } else { - if (packet->recv_wc) --- -2.43.0 - diff --git a/queue-6.6/igc-fix-a-log-entry-using-uninitialized-netdev.patch b/queue-6.6/igc-fix-a-log-entry-using-uninitialized-netdev.patch deleted file mode 100644 index 8de418e1f12..00000000000 --- a/queue-6.6/igc-fix-a-log-entry-using-uninitialized-netdev.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 51c576f7a927b06b559f1079fc51da6d316f3774 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 12:24:54 +0200 -Subject: igc: fix a log entry using uninitialized netdev - -From: Corinna Vinschen - -[ Upstream commit 86167183a17e03ec77198897975e9fdfbd53cb0b ] - -During successful probe, igc logs this: - -[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The reason is that igc_ptp_init() is called very early, even before -register_netdev() has been called. So the netdev_info() call works -on a partially uninitialized netdev. - -Fix this by calling igc_ptp_init() after register_netdev(), right -after the media autosense check, just as in igb. Add a comment, -just as in igb. - -Now the log message is fine: - -[ 5.200987] igc 0000:01:00.0 eth0: PHC added - -Signed-off-by: Corinna Vinschen -Reviewed-by: Hariprasad Kelam -Acked-by: Vinicius Costa Gomes -Tested-by: Naama Meir -Signed-off-by: Tony Nguyen -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igc/igc_main.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index e83700ad7e622..5715fc6779117 100644 ---- a/drivers/net/ethernet/intel/igc/igc_main.c -+++ b/drivers/net/ethernet/intel/igc/igc_main.c -@@ -6908,8 +6908,6 @@ static int igc_probe(struct pci_dev *pdev, - device_set_wakeup_enable(&adapter->pdev->dev, - adapter->flags & IGC_FLAG_WOL_SUPPORTED); - -- igc_ptp_init(adapter); -- - igc_tsn_clear_schedule(adapter); - - /* reset the hardware with the new settings */ -@@ -6931,6 +6929,9 @@ static int igc_probe(struct pci_dev *pdev, - /* Check if Media Autosense is enabled */ - adapter->ei = *ei; - -+ /* do hw tstamp init after resetting */ -+ igc_ptp_init(adapter); -+ - /* print pcie link status and MAC address */ - pcie_print_link_status(pdev); - netdev_info(netdev, "MAC: %pM\n", netdev->dev_addr); --- -2.43.0 - diff --git a/queue-6.6/input-ff-core-prefer-struct_size-over-open-coded-ari.patch b/queue-6.6/input-ff-core-prefer-struct_size-over-open-coded-ari.patch deleted file mode 100644 index 98dc938749a..00000000000 --- a/queue-6.6/input-ff-core-prefer-struct_size-over-open-coded-ari.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 834e6e69ff289d42d1cb5ee5c1ed205258284921 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 Apr 2024 17:05:56 +0200 -Subject: Input: ff-core - prefer struct_size over open coded arithmetic - -From: Erick Archer - -[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ] - -This is an effort to get rid of all multiplications from allocation -functions in order to prevent integer overflows [1][2]. - -As the "ff" variable is a pointer to "struct ff_device" and this -structure ends in a flexible array: - -struct ff_device { - [...] - struct file *effect_owners[] __counted_by(max_effects); -}; - -the preferred way in the kernel is to use the struct_size() helper to -do the arithmetic instead of the calculation "size + count * size" in -the kzalloc() function. - -The struct_size() helper returns SIZE_MAX on overflow. So, refactor -the comparison to take advantage of this. - -This way, the code is more readable and safer. - -This code was detected with the help of Coccinelle, and audited and -modified manually. - -Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] -Link: https://github.com/KSPP/linux/issues/160 [2] -Signed-off-by: Erick Archer -Reviewed-by: Kees Cook -Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/ff-core.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c -index 16231fe080b00..609a5f01761bd 100644 ---- a/drivers/input/ff-core.c -+++ b/drivers/input/ff-core.c -@@ -9,8 +9,10 @@ - /* #define DEBUG */ - - #include -+#include - #include - #include -+#include - #include - #include - -@@ -315,9 +317,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects) - return -EINVAL; - } - -- ff_dev_size = sizeof(struct ff_device) + -- max_effects * sizeof(struct file *); -- if (ff_dev_size < max_effects) /* overflow */ -+ ff_dev_size = struct_size(ff, effect_owners, max_effects); -+ if (ff_dev_size == SIZE_MAX) /* overflow */ - return -EINVAL; - - ff = kzalloc(ff_dev_size, GFP_KERNEL); --- -2.43.0 - diff --git a/queue-6.6/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-6.6/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch deleted file mode 100644 index 5a539864bf3..00000000000 --- a/queue-6.6/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch +++ /dev/null @@ -1,41 +0,0 @@ -From f516d8d207bdf2107ee12198fd932431dfeff3e7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 14:10:53 +0800 -Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc - -From: Guanrui Huang - -[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ] - -This BUG_ON() is useless, because the same effect will be obtained -by letting the code run its course and vm being dereferenced, -triggering an exception. - -So just remove this check. - -Signed-off-by: Guanrui Huang -Signed-off-by: Thomas Gleixner -Reviewed-by: Zenghui Yu -Acked-by: Marc Zyngier -Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com -Signed-off-by: Sasha Levin ---- - drivers/irqchip/irq-gic-v3-its.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c -index c7d6e6987166f..350abbb36e04b 100644 ---- a/drivers/irqchip/irq-gic-v3-its.c -+++ b/drivers/irqchip/irq-gic-v3-its.c -@@ -4501,8 +4501,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq - struct page *vprop_page; - int base, nr_ids, i, err = 0; - -- BUG_ON(!vm); -- - bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); - if (!bitmap) - return -ENOMEM; --- -2.43.0 - diff --git a/queue-6.6/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch b/queue-6.6/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch deleted file mode 100644 index 1eb8f683d4d..00000000000 --- a/queue-6.6/jffs2-fix-potential-illegal-address-access-in-jffs2_.patch +++ /dev/null @@ -1,94 +0,0 @@ -From e268bed9ec9cce9658bfe9ac63bf1e4d38ba0ae8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 15:00:46 +0800 -Subject: jffs2: Fix potential illegal address access in jffs2_free_inode - -From: Wang Yong - -[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ] - -During the stress testing of the jffs2 file system,the following -abnormal printouts were found: -[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948 -[ 2430.649622] Mem abort info: -[ 2430.649829] ESR = 0x96000004 -[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits -[ 2430.650564] SET = 0, FnV = 0 -[ 2430.650795] EA = 0, S1PTW = 0 -[ 2430.651032] FSC = 0x04: level 0 translation fault -[ 2430.651446] Data abort info: -[ 2430.651683] ISV = 0, ISS = 0x00000004 -[ 2430.652001] CM = 0, WnR = 0 -[ 2430.652558] [0069696969696948] address between user and kernel address ranges -[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP -[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33 -[ 2430.655008] Hardware name: linux,dummy-virt (DT) -[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) -[ 2430.656142] pc : kfree+0x78/0x348 -[ 2430.656630] lr : jffs2_free_inode+0x24/0x48 -[ 2430.657051] sp : ffff800009eebd10 -[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000 -[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000 -[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14 -[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000 -[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000 -[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19 -[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14 -[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302 -[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342 -[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000 -[ 2430.664217] Call trace: -[ 2430.664528] kfree+0x78/0x348 -[ 2430.664855] jffs2_free_inode+0x24/0x48 -[ 2430.665233] i_callback+0x24/0x50 -[ 2430.665528] rcu_do_batch+0x1ac/0x448 -[ 2430.665892] rcu_core+0x28c/0x3c8 -[ 2430.666151] rcu_core_si+0x18/0x28 -[ 2430.666473] __do_softirq+0x138/0x3cc -[ 2430.666781] irq_exit+0xf0/0x110 -[ 2430.667065] handle_domain_irq+0x6c/0x98 -[ 2430.667447] gic_handle_irq+0xac/0xe8 -[ 2430.667739] call_on_irq_stack+0x28/0x54 -The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of -the jffs_inode_info structure. It was found that all variables in the jffs_inode_info -structure were 5a5a5a5a, except for the first member sem. It is suspected that these -variables are not initialized because they were set to 5a5a5a5a during memory testing, -which is meant to detect uninitialized memory.The sem variable is initialized in the -function jffs2_i_init_once, while other members are initialized in -the function jffs2_init_inode_info. - -The function jffs2_init_inode_info is called after iget_locked, -but in the iget_locked function, the destroy_inode process is triggered, -which releases the inode and consequently, the target member of the inode -is not initialized.In concurrent high pressure scenarios, iget_locked -may enter the destroy_inode branch as described in the code. - -Since the destroy_inode functionality of jffs2 only releases the target, -the fix method is to set target to NULL in jffs2_i_init_once. - -Signed-off-by: Wang Yong -Reviewed-by: Lu Zhongjun -Reviewed-by: Yang Tao -Cc: Xu Xin -Cc: Yang Yang -Signed-off-by: Richard Weinberger -Signed-off-by: Sasha Levin ---- - fs/jffs2/super.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c -index 7ea37f49f1e18..e71f4c94c4483 100644 ---- a/fs/jffs2/super.c -+++ b/fs/jffs2/super.c -@@ -58,6 +58,7 @@ static void jffs2_i_init_once(void *foo) - struct jffs2_inode_info *f = foo; - - mutex_init(&f->sem); -+ f->target = NULL; - inode_init_once(&f->vfs_inode); - } - --- -2.43.0 - diff --git a/queue-6.6/kunit-fix-timeout-message.patch b/queue-6.6/kunit-fix-timeout-message.patch deleted file mode 100644 index 0c61fc9c1dd..00000000000 --- a/queue-6.6/kunit-fix-timeout-message.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 6e35a9fdb36f9fcd67b4c31888d375622eecd911 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Apr 2024 09:46:21 +0200 -Subject: kunit: Fix timeout message -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Mickaël Salaün - -[ Upstream commit 53026ff63bb07c04a0e962a74723eb10ff6f9dc7 ] - -The exit code is always checked, so let's properly handle the -ETIMEDOUT -error code. - -Cc: Brendan Higgins -Cc: Shuah Khan -Reviewed-by: Kees Cook -Reviewed-by: David Gow -Reviewed-by: Rae Moar -Signed-off-by: Mickaël Salaün -Link: https://lore.kernel.org/r/20240408074625.65017-4-mic@digikod.net -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin ---- - lib/kunit/try-catch.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c -index d9d1df28cc52e..9c9e4dcf06d96 100644 ---- a/lib/kunit/try-catch.c -+++ b/lib/kunit/try-catch.c -@@ -78,7 +78,6 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - time_remaining = wait_for_completion_timeout(&try_completion, - kunit_test_timeout()); - if (time_remaining == 0) { -- kunit_err(test, "try timed out\n"); - try_catch->try_result = -ETIMEDOUT; - kthread_stop(task_struct); - } -@@ -93,6 +92,8 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - try_catch->try_result = 0; - else if (exit_code == -EINTR) - kunit_err(test, "wake_up_process() was never called\n"); -+ else if (exit_code == -ETIMEDOUT) -+ kunit_err(test, "try timed out\n"); - else if (exit_code) - kunit_err(test, "Unknown error: %d\n", exit_code); - --- -2.43.0 - diff --git a/queue-6.6/kunit-handle-test-faults.patch b/queue-6.6/kunit-handle-test-faults.patch deleted file mode 100644 index 2cd238dea90..00000000000 --- a/queue-6.6/kunit-handle-test-faults.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 4526a635f191bb9f921c9ca366789050785207d0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 8 Apr 2024 09:46:22 +0200 -Subject: kunit: Handle test faults -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Mickaël Salaün - -[ Upstream commit 3a35c13007dea132a65f07de05c26b87837fadc2 ] - -Previously, when a kernel test thread crashed (e.g. NULL pointer -dereference, general protection fault), the KUnit test hanged for 30 -seconds and exited with a timeout error. - -Fix this issue by waiting on task_struct->vfork_done instead of the -custom kunit_try_catch.try_completion, and track the execution state by -initially setting try_result with -EINTR and only setting it to 0 if -the test passed. - -Fix kunit_generic_run_threadfn_adapter() signature by returning 0 -instead of calling kthread_complete_and_exit(). Because thread's exit -code is never checked, always set it to 0 to make it clear. To make -this explicit, export kthread_exit() for KUnit tests built as module. - -Fix the -EINTR error message, which couldn't be reached until now. - -This is tested with a following patch. - -Cc: Brendan Higgins -Cc: Eric W. Biederman -Cc: Shuah Khan -Reviewed-by: Kees Cook -Reviewed-by: David Gow -Tested-by: Rae Moar -Signed-off-by: Mickaël Salaün -Link: https://lore.kernel.org/r/20240408074625.65017-5-mic@digikod.net -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin ---- - include/kunit/try-catch.h | 3 --- - kernel/kthread.c | 1 + - lib/kunit/try-catch.c | 19 ++++++++++++------- - 3 files changed, 13 insertions(+), 10 deletions(-) - -diff --git a/include/kunit/try-catch.h b/include/kunit/try-catch.h -index c507dd43119d5..7c966a1adbd30 100644 ---- a/include/kunit/try-catch.h -+++ b/include/kunit/try-catch.h -@@ -14,13 +14,11 @@ - - typedef void (*kunit_try_catch_func_t)(void *); - --struct completion; - struct kunit; - - /** - * struct kunit_try_catch - provides a generic way to run code which might fail. - * @test: The test case that is currently being executed. -- * @try_completion: Completion that the control thread waits on while test runs. - * @try_result: Contains any errno obtained while running test case. - * @try: The function, the test case, to attempt to run. - * @catch: The function called if @try bails out. -@@ -46,7 +44,6 @@ struct kunit; - struct kunit_try_catch { - /* private: internal use only. */ - struct kunit *test; -- struct completion *try_completion; - int try_result; - kunit_try_catch_func_t try; - kunit_try_catch_func_t catch; -diff --git a/kernel/kthread.c b/kernel/kthread.c -index 290cbc845225e..2afdba66b729e 100644 ---- a/kernel/kthread.c -+++ b/kernel/kthread.c -@@ -315,6 +315,7 @@ void __noreturn kthread_exit(long result) - kthread->result = result; - do_exit(0); - } -+EXPORT_SYMBOL(kthread_exit); - - /** - * kthread_complete_and_exit - Exit the current kthread. -diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c -index 9c9e4dcf06d96..34d30a6f23054 100644 ---- a/lib/kunit/try-catch.c -+++ b/lib/kunit/try-catch.c -@@ -18,7 +18,7 @@ - void __noreturn kunit_try_catch_throw(struct kunit_try_catch *try_catch) - { - try_catch->try_result = -EFAULT; -- kthread_complete_and_exit(try_catch->try_completion, -EFAULT); -+ kthread_exit(0); - } - EXPORT_SYMBOL_GPL(kunit_try_catch_throw); - -@@ -26,9 +26,12 @@ static int kunit_generic_run_threadfn_adapter(void *data) - { - struct kunit_try_catch *try_catch = data; - -+ try_catch->try_result = -EINTR; - try_catch->try(try_catch->context); -+ if (try_catch->try_result == -EINTR) -+ try_catch->try_result = 0; - -- kthread_complete_and_exit(try_catch->try_completion, 0); -+ return 0; - } - - static unsigned long kunit_test_timeout(void) -@@ -58,13 +61,11 @@ static unsigned long kunit_test_timeout(void) - - void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - { -- DECLARE_COMPLETION_ONSTACK(try_completion); - struct kunit *test = try_catch->test; - struct task_struct *task_struct; - int exit_code, time_remaining; - - try_catch->context = context; -- try_catch->try_completion = &try_completion; - try_catch->try_result = 0; - task_struct = kthread_create(kunit_generic_run_threadfn_adapter, - try_catch, "kunit_try_catch_thread"); -@@ -74,8 +75,12 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - } - get_task_struct(task_struct); - wake_up_process(task_struct); -- -- time_remaining = wait_for_completion_timeout(&try_completion, -+ /* -+ * As for a vfork(2), task_struct->vfork_done (pointing to the -+ * underlying kthread->exited) can be used to wait for the end of a -+ * kernel thread. -+ */ -+ time_remaining = wait_for_completion_timeout(task_struct->vfork_done, - kunit_test_timeout()); - if (time_remaining == 0) { - try_catch->try_result = -ETIMEDOUT; -@@ -91,7 +96,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) - if (exit_code == -EFAULT) - try_catch->try_result = 0; - else if (exit_code == -EINTR) -- kunit_err(test, "wake_up_process() was never called\n"); -+ kunit_err(test, "try faulted\n"); - else if (exit_code == -ETIMEDOUT) - kunit_err(test, "try timed out\n"); - else if (exit_code) --- -2.43.0 - diff --git a/queue-6.6/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch b/queue-6.6/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch deleted file mode 100644 index 0867e87471f..00000000000 --- a/queue-6.6/leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 1fc2f94ab93d9bcabbbd77c9cd70f4e0a1d63e8a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 19:10:32 +0300 -Subject: leds: an30259a: Use devm_mutex_init() for mutex initialization - -From: George Stark - -[ Upstream commit c382e2e3eccb6b7ca8c7aff5092c1668428e7de6 ] - -In this driver LEDs are registered using devm_led_classdev_register() -so they are automatically unregistered after module's remove() is done. -led_classdev_unregister() calls module's led_set_brightness() to turn off -the LEDs and that callback uses mutex which was destroyed already -in module's remove() so use devm API instead. - -Signed-off-by: George Stark -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20240411161032.609544-9-gnstark@salutedevices.com -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - drivers/leds/leds-an30259a.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - -diff --git a/drivers/leds/leds-an30259a.c b/drivers/leds/leds-an30259a.c -index 0216afed3b6e7..decfca447d8a7 100644 ---- a/drivers/leds/leds-an30259a.c -+++ b/drivers/leds/leds-an30259a.c -@@ -283,7 +283,10 @@ static int an30259a_probe(struct i2c_client *client) - if (err < 0) - return err; - -- mutex_init(&chip->mutex); -+ err = devm_mutex_init(&client->dev, &chip->mutex); -+ if (err) -+ return err; -+ - chip->client = client; - i2c_set_clientdata(client, chip); - -@@ -317,17 +320,9 @@ static int an30259a_probe(struct i2c_client *client) - return 0; - - exit: -- mutex_destroy(&chip->mutex); - return err; - } - --static void an30259a_remove(struct i2c_client *client) --{ -- struct an30259a *chip = i2c_get_clientdata(client); -- -- mutex_destroy(&chip->mutex); --} -- - static const struct of_device_id an30259a_match_table[] = { - { .compatible = "panasonic,an30259a", }, - { /* sentinel */ }, -@@ -347,7 +342,6 @@ static struct i2c_driver an30259a_driver = { - .of_match_table = an30259a_match_table, - }, - .probe = an30259a_probe, -- .remove = an30259a_remove, - .id_table = an30259a_id, - }; - --- -2.43.0 - diff --git a/queue-6.6/locking-mutex-introduce-devm_mutex_init.patch b/queue-6.6/locking-mutex-introduce-devm_mutex_init.patch deleted file mode 100644 index 5127ae9a8d4..00000000000 --- a/queue-6.6/locking-mutex-introduce-devm_mutex_init.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 13d66adf56ede1c549b0e9016a11cc133b9ffce8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 19:10:25 +0300 -Subject: locking/mutex: Introduce devm_mutex_init() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: George Stark - -[ Upstream commit 4cd47222e435dec8e3787614924174f53fcfb5ae ] - -Using of devm API leads to a certain order of releasing resources. -So all dependent resources which are not devm-wrapped should be deleted -with respect to devm-release order. Mutex is one of such objects that -often is bound to other resources and has no own devm wrapping. -Since mutex_destroy() actually does nothing in non-debug builds -frequently calling mutex_destroy() is just ignored which is safe for now -but wrong formally and can lead to a problem if mutex_destroy() will be -extended so introduce devm_mutex_init(). - -Suggested-by: Christophe Leroy -Signed-off-by: George Stark -Reviewed-by: Christophe Leroy -Reviewed-by: Andy Shevchenko -Reviewed-by: Marek Behún -Acked-by: Waiman Long -Link: https://lore.kernel.org/r/20240411161032.609544-2-gnstark@salutedevices.com -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - include/linux/mutex.h | 27 +++++++++++++++++++++++++++ - kernel/locking/mutex-debug.c | 12 ++++++++++++ - 2 files changed, 39 insertions(+) - -diff --git a/include/linux/mutex.h b/include/linux/mutex.h -index a33aa9eb9fc3b..5b5630e58407a 100644 ---- a/include/linux/mutex.h -+++ b/include/linux/mutex.h -@@ -21,6 +21,8 @@ - #include - #include - -+struct device; -+ - #ifdef CONFIG_DEBUG_LOCK_ALLOC - # define __DEP_MAP_MUTEX_INITIALIZER(lockname) \ - , .dep_map = { \ -@@ -171,6 +173,31 @@ do { \ - } while (0) - #endif /* CONFIG_PREEMPT_RT */ - -+#ifdef CONFIG_DEBUG_MUTEXES -+ -+int __devm_mutex_init(struct device *dev, struct mutex *lock); -+ -+#else -+ -+static inline int __devm_mutex_init(struct device *dev, struct mutex *lock) -+{ -+ /* -+ * When CONFIG_DEBUG_MUTEXES is off mutex_destroy() is just a nop so -+ * no really need to register it in the devm subsystem. -+ */ -+ return 0; -+} -+ -+#endif -+ -+#define devm_mutex_init(dev, mutex) \ -+({ \ -+ typeof(mutex) mutex_ = (mutex); \ -+ \ -+ mutex_init(mutex_); \ -+ __devm_mutex_init(dev, mutex_); \ -+}) -+ - /* - * See kernel/locking/mutex.c for detailed documentation of these APIs. - * Also see Documentation/locking/mutex-design.rst. -diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c -index bc8abb8549d20..6e6f6071cfa27 100644 ---- a/kernel/locking/mutex-debug.c -+++ b/kernel/locking/mutex-debug.c -@@ -12,6 +12,7 @@ - */ - #include - #include -+#include - #include - #include - #include -@@ -89,6 +90,17 @@ void debug_mutex_init(struct mutex *lock, const char *name, - lock->magic = lock; - } - -+static void devm_mutex_release(void *res) -+{ -+ mutex_destroy(res); -+} -+ -+int __devm_mutex_init(struct device *dev, struct mutex *lock) -+{ -+ return devm_add_action_or_reset(dev, devm_mutex_release, lock); -+} -+EXPORT_SYMBOL_GPL(__devm_mutex_init); -+ - /*** - * mutex_destroy - mark a mutex unusable - * @lock: the mutex to be destroyed --- -2.43.0 - diff --git a/queue-6.6/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch b/queue-6.6/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch deleted file mode 100644 index 9a1c55cb783..00000000000 --- a/queue-6.6/media-dvb-as102-fe-fix-as10x_register_addr-packing.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b9b15405056ee9b2a19b67cc25208d465f2a1b5d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 12:24:37 +0000 -Subject: media: dvb: as102-fe: Fix as10x_register_addr packing - -From: Ricardo Ribalda - -[ Upstream commit 309422d280748c74f57f471559980268ac27732a ] - -This structure is embedded in multiple other structures that are packed, -which conflicts with it being aligned. - -drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access] - -Mark it as being packed. - -Marking the inner struct as 'packed' does not change the layout, since the -whole struct is already packed, it just silences the clang warning. See -also this llvm discussion: - -https://github.com/llvm/llvm-project/issues/55520 - -Signed-off-by: Ricardo Ribalda -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/as102_fe_types.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h -index 297f9520ebf9d..8a4e392c88965 100644 ---- a/drivers/media/dvb-frontends/as102_fe_types.h -+++ b/drivers/media/dvb-frontends/as102_fe_types.h -@@ -174,6 +174,6 @@ struct as10x_register_addr { - uint32_t addr; - /* register mode access */ - uint8_t mode; --}; -+} __packed; - - #endif --- -2.43.0 - diff --git a/queue-6.6/media-dvb-frontends-tda10048-fix-integer-overflow.patch b/queue-6.6/media-dvb-frontends-tda10048-fix-integer-overflow.patch deleted file mode 100644 index 3682657c142..00000000000 --- a/queue-6.6/media-dvb-frontends-tda10048-fix-integer-overflow.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 9c513071b00da4816b63d01df488b77e3306cb1c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:05:04 +0100 -Subject: media: dvb-frontends: tda10048: Fix integer overflow - -From: Ricardo Ribalda - -[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ] - -state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer -when multiplied by pll_mfactor. - -Create a new 64 bit variable to hold the calculations. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org -Reported-by: Dan Carpenter -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/tda10048.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c -index 5d5e4e9e4422e..3e725cdcc66bd 100644 ---- a/drivers/media/dvb-frontends/tda10048.c -+++ b/drivers/media/dvb-frontends/tda10048.c -@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) - struct tda10048_config *config = &state->config; - int i; - u32 if_freq_khz; -+ u64 sample_freq; - - dprintk(1, "%s(bw = %d)\n", __func__, bw); - -@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw) - dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor); - - /* Calculate the sample frequency */ -- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45); -- state->sample_freq /= (state->pll_nfactor + 1); -- state->sample_freq /= (state->pll_pfactor + 4); -+ sample_freq = state->xtal_hz; -+ sample_freq *= state->pll_mfactor + 45; -+ do_div(sample_freq, state->pll_nfactor + 1); -+ do_div(sample_freq, state->pll_pfactor + 4); -+ state->sample_freq = sample_freq; - dprintk(1, "- sample_freq = %d\n", state->sample_freq); - - /* Update the I/F */ --- -2.43.0 - diff --git a/queue-6.6/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch b/queue-6.6/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch deleted file mode 100644 index fcfc5fc6604..00000000000 --- a/queue-6.6/media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4f8fbc960e9171d0cf3ce0db8a11c1463822dd1f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:04:47 +0100 -Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div - -From: Ricardo Ribalda - -[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ] - -do_div() divides 64 bits by 32. We were adding a casting to the divider -to 64 bits, for a number that fits perfectly in 32 bits. Remove it. - -Found by cocci: -drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. -drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c -index a348344879433..fd928787207ed 100644 ---- a/drivers/media/dvb-frontends/tda18271c2dd.c -+++ b/drivers/media/dvb-frontends/tda18271c2dd.c -@@ -328,7 +328,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq) - - OscFreq = (u64) freq * (u64) Div; - OscFreq *= (u64) 16384; -- do_div(OscFreq, (u64)16000000); -+ do_div(OscFreq, 16000000); - MainDiv = OscFreq; - - state->m_Regs[MPD] = PostDiv & 0x77; -@@ -352,7 +352,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq) - OscFreq = (u64)freq * (u64)Div; - /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */ - OscFreq *= (u64)16384; -- do_div(OscFreq, (u64)16000000); -+ do_div(OscFreq, 16000000); - CalDiv = OscFreq; - - state->m_Regs[CPD] = PostDiv; --- -2.43.0 - diff --git a/queue-6.6/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch b/queue-6.6/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch deleted file mode 100644 index c2fc2b4f752..00000000000 --- a/queue-6.6/media-dvb-usb-dib0700_devices-add-missing-release_fi.patch +++ /dev/null @@ -1,68 +0,0 @@ -From e12c3a06574796e66faa9ccf0841b03f19be4ba1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 21:17:56 +0000 -Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware() - -From: Ricardo Ribalda - -[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ] - -Add missing release_firmware on the error paths. - -drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415. -drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497. - -Signed-off-by: Ricardo Ribalda -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c -index 3af594134a6de..6ddc205133939 100644 ---- a/drivers/media/usb/dvb-usb/dib0700_devices.c -+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c -@@ -2412,7 +2412,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap) - - adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config); - -- return adap->fe_adap[0].fe == NULL ? -ENODEV : 0; -+ if (!adap->fe_adap[0].fe) { -+ release_firmware(state->frontend_firmware); -+ return -ENODEV; -+ } -+ -+ return 0; - } - - static int dib9090_tuner_attach(struct dvb_usb_adapter *adap) -@@ -2485,8 +2490,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) - dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80); - adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]); - -- if (adap->fe_adap[0].fe == NULL) -+ if (!adap->fe_adap[0].fe) { -+ release_firmware(state->frontend_firmware); - return -ENODEV; -+ } - - i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0); - dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82); -@@ -2494,7 +2501,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap) - fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]); - dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave); - -- return fe_slave == NULL ? -ENODEV : 0; -+ if (!fe_slave) { -+ release_firmware(state->frontend_firmware); -+ return -ENODEV; -+ } -+ -+ return 0; - } - - static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap) --- -2.43.0 - diff --git a/queue-6.6/media-dw2102-don-t-translate-i2c-read-into-write.patch b/queue-6.6/media-dw2102-don-t-translate-i2c-read-into-write.patch deleted file mode 100644 index 78063a7f39d..00000000000 --- a/queue-6.6/media-dw2102-don-t-translate-i2c-read-into-write.patch +++ /dev/null @@ -1,197 +0,0 @@ -From d5721af75c164d8edbe50ec28b2a13abdeb1fb65 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 16 Jan 2022 11:22:36 +0000 -Subject: media: dw2102: Don't translate i2c read into write - -From: Michael Bunk - -[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ] - -The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed -an i2c transaction with a single message must be a write operation and a -transaction with two messages would be a read operation. - -Though this works for the driver code, it leads to problems once the i2c -device is exposed to code not knowing this convention. For example, -I did "insmod i2c-dev" and issued read requests from userspace, which -were translated into write requests and destroyed the EEPROM of my -device. - -So, just check and respect the I2C_M_READ flag, which indicates a read -when set on a message. If it is absent, it is a write message. - -Incidentally, changing from the case statement to a while loop allows -the code to lift the limitation to two i2c messages per transaction. - -There are 4 more *_i2c_transfer functions affected by the same behaviour -and limitation that should be fixed in the same way. - -Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org -Signed-off-by: Michael Bunk -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++----------- - 1 file changed, 73 insertions(+), 47 deletions(-) - -diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c -index b3bb1805829ad..10351308b0d02 100644 ---- a/drivers/media/usb/dvb-usb/dw2102.c -+++ b/drivers/media/usb/dvb-usb/dw2102.c -@@ -716,6 +716,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - { - struct dvb_usb_device *d = i2c_get_adapdata(adap); - struct dw2102_state *state; -+ int j; - - if (!d) - return -ENODEV; -@@ -729,11 +730,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - return -EAGAIN; - } - -- switch (num) { -- case 1: -- switch (msg[0].addr) { -+ j = 0; -+ while (j < num) { -+ switch (msg[j].addr) { - case SU3000_STREAM_CTRL: -- state->data[0] = msg[0].buf[0] + 0x36; -+ state->data[0] = msg[j].buf[0] + 0x36; - state->data[1] = 3; - state->data[2] = 0; - if (dvb_usb_generic_rw(d, state->data, 3, -@@ -745,61 +746,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], - if (dvb_usb_generic_rw(d, state->data, 1, - state->data, 2, 0) < 0) - err("i2c transfer failed."); -- msg[0].buf[1] = state->data[0]; -- msg[0].buf[0] = state->data[1]; -+ msg[j].buf[1] = state->data[0]; -+ msg[j].buf[0] = state->data[1]; - break; - default: -- if (3 + msg[0].len > sizeof(state->data)) { -- warn("i2c wr: len=%d is too big!\n", -- msg[0].len); -+ /* if the current write msg is followed by a another -+ * read msg to/from the same address -+ */ -+ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) && -+ (msg[j].addr == msg[j+1].addr)) { -+ /* join both i2c msgs to one usb read command */ -+ if (4 + msg[j].len > sizeof(state->data)) { -+ warn("i2c combined wr/rd: write len=%d is too big!\n", -+ msg[j].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ if (1 + msg[j+1].len > sizeof(state->data)) { -+ warn("i2c combined wr/rd: read len=%d is too big!\n", -+ msg[j+1].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ -+ state->data[0] = 0x09; -+ state->data[1] = msg[j].len; -+ state->data[2] = msg[j+1].len; -+ state->data[3] = msg[j].addr; -+ memcpy(&state->data[4], msg[j].buf, msg[j].len); -+ -+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4, -+ state->data, msg[j+1].len + 1, 0) < 0) -+ err("i2c transfer failed."); -+ -+ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len); -+ j++; -+ break; -+ } -+ -+ if (msg[j].flags & I2C_M_RD) { -+ /* single read */ -+ if (1 + msg[j].len > sizeof(state->data)) { -+ warn("i2c rd: len=%d is too big!\n", msg[j].len); -+ num = -EOPNOTSUPP; -+ break; -+ } -+ -+ state->data[0] = 0x09; -+ state->data[1] = 0; -+ state->data[2] = msg[j].len; -+ state->data[3] = msg[j].addr; -+ memcpy(&state->data[4], msg[j].buf, msg[j].len); -+ -+ if (dvb_usb_generic_rw(d, state->data, 4, -+ state->data, msg[j].len + 1, 0) < 0) -+ err("i2c transfer failed."); -+ -+ memcpy(msg[j].buf, &state->data[1], msg[j].len); -+ break; -+ } -+ -+ /* single write */ -+ if (3 + msg[j].len > sizeof(state->data)) { -+ warn("i2c wr: len=%d is too big!\n", msg[j].len); - num = -EOPNOTSUPP; - break; - } - -- /* always i2c write*/ - state->data[0] = 0x08; -- state->data[1] = msg[0].addr; -- state->data[2] = msg[0].len; -+ state->data[1] = msg[j].addr; -+ state->data[2] = msg[j].len; - -- memcpy(&state->data[3], msg[0].buf, msg[0].len); -+ memcpy(&state->data[3], msg[j].buf, msg[j].len); - -- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3, -+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3, - state->data, 1, 0) < 0) - err("i2c transfer failed."); -+ } // switch -+ j++; - -- } -- break; -- case 2: -- /* always i2c read */ -- if (4 + msg[0].len > sizeof(state->data)) { -- warn("i2c rd: len=%d is too big!\n", -- msg[0].len); -- num = -EOPNOTSUPP; -- break; -- } -- if (1 + msg[1].len > sizeof(state->data)) { -- warn("i2c rd: len=%d is too big!\n", -- msg[1].len); -- num = -EOPNOTSUPP; -- break; -- } -- -- state->data[0] = 0x09; -- state->data[1] = msg[0].len; -- state->data[2] = msg[1].len; -- state->data[3] = msg[0].addr; -- memcpy(&state->data[4], msg[0].buf, msg[0].len); -- -- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4, -- state->data, msg[1].len + 1, 0) < 0) -- err("i2c transfer failed."); -- -- memcpy(msg[1].buf, &state->data[1], msg[1].len); -- break; -- default: -- warn("more than 2 i2c messages at a time is not handled yet."); -- break; -- } -+ } // while - mutex_unlock(&d->data_mutex); - mutex_unlock(&d->i2c_mutex); - return num; --- -2.43.0 - diff --git a/queue-6.6/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch b/queue-6.6/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch deleted file mode 100644 index 1d815511170..00000000000 --- a/queue-6.6/media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 707121775ab7a1c0a75624b5e39f0a58e0886154 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Dec 2023 09:17:46 +0000 -Subject: media: mediatek: vcodec: Only free buffer VA that is not NULL - -From: Fei Shao - -[ Upstream commit eb005c801ec70ff4307727bd3bd6e8280169ef32 ] - -In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly -called only when the buffer to free exists, there are some instances -that didn't do the check and triggered warnings in practice. - -We believe those checks were forgotten unintentionally. Add the checks -back to fix the warnings. - -Signed-off-by: Fei Shao -Reviewed-by: AngeloGioacchino Del Regno -Signed-off-by: Andrzej Pietrasiewicz -Signed-off-by: Sebastian Fricke -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - .../vcodec/decoder/vdec/vdec_av1_req_lat_if.c | 22 +++++++++++++------ - .../vcodec/encoder/venc/venc_h264_if.c | 5 +++-- - 2 files changed, 18 insertions(+), 9 deletions(-) - -diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c -index 2b6a5adbc4199..b0e2e59f61b5d 100644 ---- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c -+++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c -@@ -1023,18 +1023,26 @@ static void vdec_av1_slice_free_working_buffer(struct vdec_av1_slice_instance *i - int i; - - for (i = 0; i < ARRAY_SIZE(instance->mv); i++) -- mtk_vcodec_mem_free(ctx, &instance->mv[i]); -+ if (instance->mv[i].va) -+ mtk_vcodec_mem_free(ctx, &instance->mv[i]); - - for (i = 0; i < ARRAY_SIZE(instance->seg); i++) -- mtk_vcodec_mem_free(ctx, &instance->seg[i]); -+ if (instance->seg[i].va) -+ mtk_vcodec_mem_free(ctx, &instance->seg[i]); - - for (i = 0; i < ARRAY_SIZE(instance->cdf); i++) -- mtk_vcodec_mem_free(ctx, &instance->cdf[i]); -+ if (instance->cdf[i].va) -+ mtk_vcodec_mem_free(ctx, &instance->cdf[i]); -+ - -- mtk_vcodec_mem_free(ctx, &instance->tile); -- mtk_vcodec_mem_free(ctx, &instance->cdf_temp); -- mtk_vcodec_mem_free(ctx, &instance->cdf_table); -- mtk_vcodec_mem_free(ctx, &instance->iq_table); -+ if (instance->tile.va) -+ mtk_vcodec_mem_free(ctx, &instance->tile); -+ if (instance->cdf_temp.va) -+ mtk_vcodec_mem_free(ctx, &instance->cdf_temp); -+ if (instance->cdf_table.va) -+ mtk_vcodec_mem_free(ctx, &instance->cdf_table); -+ if (instance->iq_table.va) -+ mtk_vcodec_mem_free(ctx, &instance->iq_table); - - instance->level = AV1_RES_NONE; - } -diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c -index a68dac72c4e42..f8145998fcaf7 100644 ---- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c -+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c -@@ -301,11 +301,12 @@ static void h264_enc_free_work_buf(struct venc_h264_inst *inst) - * other buffers need to be freed by AP. - */ - for (i = 0; i < VENC_H264_VPU_WORK_BUF_MAX; i++) { -- if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME) -+ if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME && inst->work_bufs[i].va) - mtk_vcodec_mem_free(inst->ctx, &inst->work_bufs[i]); - } - -- mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf); -+ if (inst->pps_buf.va) -+ mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf); - } - - static int h264_enc_alloc_work_buf(struct venc_h264_inst *inst, bool is_34bit) --- -2.43.0 - diff --git a/queue-6.6/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch b/queue-6.6/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch deleted file mode 100644 index 8a3c0787fd5..00000000000 --- a/queue-6.6/media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 444cc5a99f28c41bcc717b7e7bb82f56a6968f6e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 16:04:50 +0100 -Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels - -From: Ricardo Ribalda - -[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ] - -Use an API that resembles more the actual use of num_channels. - -Found by cocci: -drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363. -drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558. - -Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org -Signed-off-by: Ricardo Ribalda -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c -index 3c2627712fe9d..6f78be3c42d6a 100644 ---- a/drivers/media/usb/s2255/s2255drv.c -+++ b/drivers/media/usb/s2255/s2255drv.c -@@ -247,7 +247,7 @@ struct s2255_vc { - struct s2255_dev { - struct s2255_vc vc[MAX_CHANNELS]; - struct v4l2_device v4l2_dev; -- atomic_t num_channels; -+ refcount_t num_channels; - int frames; - struct mutex lock; /* channels[].vdev.lock */ - struct mutex cmdlock; /* protects cmdbuf */ -@@ -1550,11 +1550,11 @@ static void s2255_video_device_release(struct video_device *vdev) - container_of(vdev, struct s2255_vc, vdev); - - dprintk(dev, 4, "%s, chnls: %d\n", __func__, -- atomic_read(&dev->num_channels)); -+ refcount_read(&dev->num_channels)); - - v4l2_ctrl_handler_free(&vc->hdl); - -- if (atomic_dec_and_test(&dev->num_channels)) -+ if (refcount_dec_and_test(&dev->num_channels)) - s2255_destroy(dev); - return; - } -@@ -1659,7 +1659,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev) - "failed to register video device!\n"); - break; - } -- atomic_inc(&dev->num_channels); -+ refcount_inc(&dev->num_channels); - v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n", - video_device_node_name(&vc->vdev)); - -@@ -1667,11 +1667,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev) - pr_info("Sensoray 2255 V4L driver Revision: %s\n", - S2255_VERSION); - /* if no channels registered, return error and probe will fail*/ -- if (atomic_read(&dev->num_channels) == 0) { -+ if (refcount_read(&dev->num_channels) == 0) { - v4l2_device_unregister(&dev->v4l2_dev); - return ret; - } -- if (atomic_read(&dev->num_channels) != MAX_CHANNELS) -+ if (refcount_read(&dev->num_channels) != MAX_CHANNELS) - pr_warn("s2255: Not all channels available.\n"); - return 0; - } -@@ -2220,7 +2220,7 @@ static int s2255_probe(struct usb_interface *interface, - goto errorFWDATA1; - } - -- atomic_set(&dev->num_channels, 0); -+ refcount_set(&dev->num_channels, 0); - dev->pid = id->idProduct; - dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL); - if (!dev->fw_data) -@@ -2340,12 +2340,12 @@ static void s2255_disconnect(struct usb_interface *interface) - { - struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface)); - int i; -- int channels = atomic_read(&dev->num_channels); -+ int channels = refcount_read(&dev->num_channels); - mutex_lock(&dev->lock); - v4l2_device_disconnect(&dev->v4l2_dev); - mutex_unlock(&dev->lock); - /*see comments in the uvc_driver.c usb disconnect function */ -- atomic_inc(&dev->num_channels); -+ refcount_inc(&dev->num_channels); - /* unregister each video device. */ - for (i = 0; i < channels; i++) - video_unregister_device(&dev->vc[i].vdev); -@@ -2358,7 +2358,7 @@ static void s2255_disconnect(struct usb_interface *interface) - dev->vc[i].vidstatus_ready = 1; - wake_up(&dev->vc[i].wait_vidstatus); - } -- if (atomic_dec_and_test(&dev->num_channels)) -+ if (refcount_dec_and_test(&dev->num_channels)) - s2255_destroy(dev); - dev_info(&interface->dev, "%s\n", __func__); - } --- -2.43.0 - diff --git a/queue-6.6/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch b/queue-6.6/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch deleted file mode 100644 index 16bc45861de..00000000000 --- a/queue-6.6/net-dsa-mv88e6xxx-correct-check-for-empty-list.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 3d2c7d55832703b24e7c6ddb9a635eadf0681ead Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 18:46:45 +0100 -Subject: net: dsa: mv88e6xxx: Correct check for empty list - -From: Simon Horman - -[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ] - -Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO -busses") mv88e6xxx_default_mdio_bus() has checked that the -return value of list_first_entry() is non-NULL. - -This appears to be intended to guard against the list chip->mdios being -empty. However, it is not the correct check as the implementation of -list_first_entry is not designed to return NULL for empty lists. - -Instead, use list_first_entry_or_null() which does return NULL if the -list is empty. - -Flagged by Smatch. -Compile tested only. - -Reviewed-by: Andrew Lunn -Signed-off-by: Simon Horman -Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/dsa/mv88e6xxx/chip.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c -index 9571e1b1e59ef..354d4af134562 100644 ---- a/drivers/net/dsa/mv88e6xxx/chip.c -+++ b/drivers/net/dsa/mv88e6xxx/chip.c -@@ -131,8 +131,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip) - { - struct mv88e6xxx_mdio_bus *mdio_bus; - -- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus, -- list); -+ mdio_bus = list_first_entry_or_null(&chip->mdios, -+ struct mv88e6xxx_mdio_bus, list); - if (!mdio_bus) - return NULL; - --- -2.43.0 - diff --git a/queue-6.6/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch b/queue-6.6/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch deleted file mode 100644 index 3fe73d0eacf..00000000000 --- a/queue-6.6/nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0a4b85a0171cf02957912465811221dba77bde1e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 9 May 2024 07:14:29 +0900 -Subject: nilfs2: convert BUG_ON() in nilfs_finish_roll_forward() to WARN_ON() - -From: Ryusuke Konishi - -[ Upstream commit 0a73eac1ed10097d1799c10dff2172605fd40c75 ] - -The BUG_ON check performed on the return value of __getblk() in -nilfs_finish_roll_forward() assumes that a buffer that has been -successfully read once is retrieved with the same parameters and does not -fail (__getblk() does not return an error due to memory allocation -failure). Also, nilfs_finish_roll_forward() is called at most once during -mount. - -Taking these into consideration, rewrite the check to use WARN_ON() to -avoid using BUG_ON(). - -Link: https://lkml.kernel.org/r/20240508221429.7559-1-konishi.ryusuke@gmail.com -Signed-off-by: Ryusuke Konishi -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - fs/nilfs2/recovery.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c -index a9b8d77c8c1d5..3be374fee5c13 100644 ---- a/fs/nilfs2/recovery.c -+++ b/fs/nilfs2/recovery.c -@@ -698,7 +698,9 @@ static void nilfs_finish_roll_forward(struct the_nilfs *nilfs, - return; - - bh = __getblk(nilfs->ns_bdev, ri->ri_lsegs_start, nilfs->ns_blocksize); -- BUG_ON(!bh); -+ if (WARN_ON(!bh)) -+ return; /* should never happen */ -+ - memset(bh->b_data, 0, bh->b_size); - set_buffer_dirty(bh); - err = sync_dirty_buffer(bh); --- -2.43.0 - diff --git a/queue-6.6/orangefs-fix-out-of-bounds-fsid-access.patch b/queue-6.6/orangefs-fix-out-of-bounds-fsid-access.patch deleted file mode 100644 index daa142a0425..00000000000 --- a/queue-6.6/orangefs-fix-out-of-bounds-fsid-access.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 08f0979e8c7d7c1d6e2e823057701b56fc4109e4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 1 May 2024 16:20:36 -0400 -Subject: orangefs: fix out-of-bounds fsid access - -From: Mike Marshall - -[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ] - -Arnd Bergmann sent a patch to fsdevel, he says: - -"orangefs_statfs() copies two consecutive fields of the superblock into -the statfs structure, which triggers a warning from the string fortification -helpers" - -Jan Kara suggested an alternate way to do the patch to make it more readable. - -I ran both ideas through xfstests and both seem fine. This patch -is based on Jan Kara's suggestion. - -Signed-off-by: Mike Marshall -Signed-off-by: Sasha Levin ---- - fs/orangefs/super.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c -index 4ca8ed410c3cf..24e028c119c1b 100644 ---- a/fs/orangefs/super.c -+++ b/fs/orangefs/super.c -@@ -201,7 +201,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf) - (long)new_op->downcall.resp.statfs.files_avail); - - buf->f_type = sb->s_magic; -- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid)); -+ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id; -+ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id; - buf->f_bsize = new_op->downcall.resp.statfs.block_size; - buf->f_namelen = ORANGEFS_NAME_MAX; - --- -2.43.0 - diff --git a/queue-6.6/perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch b/queue-6.6/perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch deleted file mode 100644 index 65d5aa5ce05..00000000000 --- a/queue-6.6/perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 4eba5668374f467e2f9f2e7f820a422cff5c4ca8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 00:04:06 -0300 -Subject: perf probe: Use zfree() to avoid possibly accessing dangling pointers - -From: Arnaldo Carvalho de Melo - -[ Upstream commit b78854e5c008b01265d78c181332a3bb66c0abdf ] - -When freeing a->b it is good practice to set a->b to NULL using -zfree(&a->b) so that when we have a bug where a reference to a freed 'a' -pointer is kept somewhere, we can more quickly cause a segfault if some -code tries to use a->b. - -Convert one such case in the 'perf probe' codebase. - -Cc: Adrian Hunter -Cc: Ian Rogers -Cc: Jiri Olsa -Cc: Kan Liang -Cc: Namhyung Kim -Link: https://lore.kernel.org/lkml/ZjpBnkL2wO3QJa5W@x1 -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/builtin-probe.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c -index 019fef8da6a8e..003a3bcebfdfc 100644 ---- a/tools/perf/builtin-probe.c -+++ b/tools/perf/builtin-probe.c -@@ -325,7 +325,7 @@ static void cleanup_params(void) - for (i = 0; i < params->nevents; i++) - clear_perf_probe_event(params->events + i); - line_range__clear(¶ms->line_range); -- free(params->target); -+ zfree(¶ms->target); - strfilter__delete(params->filter); - nsinfo__put(params->nsi); - zfree(¶ms); --- -2.43.0 - diff --git a/queue-6.6/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch b/queue-6.6/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch deleted file mode 100644 index 9580cbfebd2..00000000000 --- a/queue-6.6/powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 119192ec5dbbf64fcf640bad32144beb77589658 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 May 2024 17:56:19 +1000 -Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for - CONFIG_PCI=n - -From: Michael Ellerman - -[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ] - -There is code that builds with calls to IO accessors even when -CONFIG_PCI=n, but the actual calls are guarded by runtime checks. - -If not those calls would be faulting, because the page at virtual -address zero is (usually) not mapped into the kernel. As Arnd pointed -out, it is possible a large port value could cause the address to be -above mmap_min_addr which would then access userspace, which would be -a bug. - -To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That -is a value chosen to point into unmapped space between the kernel and -userspace, so any access will always fault. - -Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an -effect on 64-bit. - -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/io.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h -index 59cc25cb4578e..99419e87f5556 100644 ---- a/arch/powerpc/include/asm/io.h -+++ b/arch/powerpc/include/asm/io.h -@@ -37,7 +37,7 @@ extern struct pci_dev *isa_bridge_pcidev; - * define properly based on the platform - */ - #ifndef CONFIG_PCI --#define _IO_BASE 0 -+#define _IO_BASE POISON_POINTER_DELTA - #define _ISA_MEM_BASE 0 - #define PCI_DRAM_OFFSET 0 - #elif defined(CONFIG_PPC32) --- -2.43.0 - diff --git a/queue-6.6/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch b/queue-6.6/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch deleted file mode 100644 index 831b75b9f7c..00000000000 --- a/queue-6.6/powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 0aa6be87450e9562cb55c81d0b001b7aa2e5b5be Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 10:00:06 +0530 -Subject: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. - -From: Mahesh Salgaonkar - -[ Upstream commit 0db880fc865ffb522141ced4bfa66c12ab1fbb70 ] - -nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel -crash when invoked during real mode interrupt handling (e.g. early HMI/MCE -interrupt handler) if percpu allocation comes from vmalloc area. - -Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI() -wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when -percpu allocation is from the embedded first chunk. However with -CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu -allocation can come from the vmalloc area. - -With kernel command line "percpu_alloc=page" we can force percpu allocation -to come from vmalloc area and can see kernel crash in machine_check_early: - -[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110 -[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0 -[ 1.215719] --- interrupt: 200 -[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable) -[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0 -[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8 - -Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu -first chunk is not embedded. - -Reviewed-by: Christophe Leroy -Tested-by: Shirisha Ganta -Signed-off-by: Mahesh Salgaonkar -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240410043006.81577-1-mahesh@linux.ibm.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/interrupt.h | 10 ++++++++++ - arch/powerpc/include/asm/percpu.h | 10 ++++++++++ - arch/powerpc/kernel/setup_64.c | 2 ++ - 3 files changed, 22 insertions(+) - -diff --git a/arch/powerpc/include/asm/interrupt.h b/arch/powerpc/include/asm/interrupt.h -index a4196ab1d0167..5f9d61b2159cc 100644 ---- a/arch/powerpc/include/asm/interrupt.h -+++ b/arch/powerpc/include/asm/interrupt.h -@@ -336,6 +336,14 @@ static inline void interrupt_nmi_enter_prepare(struct pt_regs *regs, struct inte - if (IS_ENABLED(CONFIG_KASAN)) - return; - -+ /* -+ * Likewise, do not use it in real mode if percpu first chunk is not -+ * embedded. With CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there -+ * are chances where percpu allocation can come from vmalloc area. -+ */ -+ if (percpu_first_chunk_is_paged) -+ return; -+ - /* Otherwise, it should be safe to call it */ - nmi_enter(); - } -@@ -351,6 +359,8 @@ static inline void interrupt_nmi_exit_prepare(struct pt_regs *regs, struct inter - // no nmi_exit for a pseries hash guest taking a real mode exception - } else if (IS_ENABLED(CONFIG_KASAN)) { - // no nmi_exit for KASAN in real mode -+ } else if (percpu_first_chunk_is_paged) { -+ // no nmi_exit if percpu first chunk is not embedded - } else { - nmi_exit(); - } -diff --git a/arch/powerpc/include/asm/percpu.h b/arch/powerpc/include/asm/percpu.h -index 8e5b7d0b851c6..634970ce13c6b 100644 ---- a/arch/powerpc/include/asm/percpu.h -+++ b/arch/powerpc/include/asm/percpu.h -@@ -15,6 +15,16 @@ - #endif /* CONFIG_SMP */ - #endif /* __powerpc64__ */ - -+#if defined(CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK) && defined(CONFIG_SMP) -+#include -+DECLARE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged); -+ -+#define percpu_first_chunk_is_paged \ -+ (static_key_enabled(&__percpu_first_chunk_is_paged.key)) -+#else -+#define percpu_first_chunk_is_paged false -+#endif /* CONFIG_PPC64 && CONFIG_SMP */ -+ - #include - - #include -diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c -index 246201d0d879e..394f209536cee 100644 ---- a/arch/powerpc/kernel/setup_64.c -+++ b/arch/powerpc/kernel/setup_64.c -@@ -834,6 +834,7 @@ static __init int pcpu_cpu_to_node(int cpu) - - unsigned long __per_cpu_offset[NR_CPUS] __read_mostly; - EXPORT_SYMBOL(__per_cpu_offset); -+DEFINE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged); - - void __init setup_per_cpu_areas(void) - { -@@ -876,6 +877,7 @@ void __init setup_per_cpu_areas(void) - if (rc < 0) - panic("cannot initialize percpu area (err=%d)", rc); - -+ static_key_enable(&__percpu_first_chunk_is_paged.key); - delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start; - for_each_possible_cpu(cpu) { - __per_cpu_offset[cpu] = delta + pcpu_unit_offsets[cpu]; --- -2.43.0 - diff --git a/queue-6.6/powerpc-dexcr-reset-dexcr-value-across-exec.patch b/queue-6.6/powerpc-dexcr-reset-dexcr-value-across-exec.patch deleted file mode 100644 index 8a8dc0d0d39..00000000000 --- a/queue-6.6/powerpc-dexcr-reset-dexcr-value-across-exec.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 2f507dfbd19c0fd05e85b7ad6e8c3a120a23cc9f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Apr 2024 21:23:19 +1000 -Subject: powerpc/dexcr: Reset DEXCR value across exec - -From: Benjamin Gray - -[ Upstream commit bbd99922d0f4518518282217159666c679c6a0d1 ] - -Inheriting the DEXCR across exec can have security and usability -concerns. If a program is compiled with hash instructions it generally -expects to run with NPHIE enabled. But if the parent process disables -NPHIE then if it's not careful it will be disabled for any children too -and the protection offered by hash checks is basically worthless. - -This patch introduces a per-process reset value that new execs in a -particular process tree are initialized with. This enables fine grained -control over what DEXCR value child processes run with by default. -For example, containers running legacy binaries that expect hash -instructions to act as NOPs could configure the reset value of the -container root to control the default reset value for all members of -the container. - -Signed-off-by: Benjamin Gray -[mpe: Add missing SPDX tag on dexcr.c] -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240417112325.728010-4-bgray@linux.ibm.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/processor.h | 2 +- - arch/powerpc/kernel/Makefile | 1 + - arch/powerpc/kernel/dexcr.c | 23 +++++++++++++++++++++++ - arch/powerpc/kernel/process.c | 7 +++++++ - 4 files changed, 32 insertions(+), 1 deletion(-) - create mode 100644 arch/powerpc/kernel/dexcr.c - -diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h -index 882e31296ea6b..aad85a24134ac 100644 ---- a/arch/powerpc/include/asm/processor.h -+++ b/arch/powerpc/include/asm/processor.h -@@ -261,7 +261,7 @@ struct thread_struct { - unsigned long sier3; - unsigned long hashkeyr; - unsigned long dexcr; -- -+ unsigned long dexcr_onexec; /* Reset value to load on exec */ - #endif - }; - -diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile -index 2919433be3557..24f82b09246cf 100644 ---- a/arch/powerpc/kernel/Makefile -+++ b/arch/powerpc/kernel/Makefile -@@ -88,6 +88,7 @@ obj-$(CONFIG_HAVE_HW_BREAKPOINT) += hw_breakpoint.o - obj-$(CONFIG_PPC_DAWR) += dawr.o - obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_ppc970.o cpu_setup_pa6t.o - obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o -+obj-$(CONFIG_PPC_BOOK3S_64) += dexcr.o - obj-$(CONFIG_PPC_BOOK3S_64) += mce.o mce_power.o - obj-$(CONFIG_PPC_BOOK3E_64) += exceptions-64e.o idle_64e.o - obj-$(CONFIG_PPC_BARRIER_NOSPEC) += security.o -diff --git a/arch/powerpc/kernel/dexcr.c b/arch/powerpc/kernel/dexcr.c -new file mode 100644 -index 0000000000000..d5cd77421088d ---- /dev/null -+++ b/arch/powerpc/kernel/dexcr.c -@@ -0,0 +1,23 @@ -+// SPDX-License-Identifier: GPL-2.0-or-later -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+static int __init init_task_dexcr(void) -+{ -+ if (!early_cpu_has_feature(CPU_FTR_ARCH_31)) -+ return 0; -+ -+ current->thread.dexcr_onexec = mfspr(SPRN_DEXCR); -+ -+ return 0; -+} -+early_initcall(init_task_dexcr) -diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index d482c3fd81d7a..8ab779a3bddeb 100644 ---- a/arch/powerpc/kernel/process.c -+++ b/arch/powerpc/kernel/process.c -@@ -1641,6 +1641,13 @@ void arch_setup_new_exec(void) - current->thread.regs->amr = default_amr; - current->thread.regs->iamr = default_iamr; - #endif -+ -+#ifdef CONFIG_PPC_BOOK3S_64 -+ if (cpu_has_feature(CPU_FTR_ARCH_31)) { -+ current->thread.dexcr = current->thread.dexcr_onexec; -+ mtspr(SPRN_DEXCR, current->thread.dexcr); -+ } -+#endif /* CONFIG_PPC_BOOK3S_64 */ - } - - #ifdef CONFIG_PPC64 --- -2.43.0 - diff --git a/queue-6.6/powerpc-dexcr-track-the-dexcr-per-process.patch b/queue-6.6/powerpc-dexcr-track-the-dexcr-per-process.patch deleted file mode 100644 index 020f0fba1b0..00000000000 --- a/queue-6.6/powerpc-dexcr-track-the-dexcr-per-process.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 0ce55705dc1635b3631caec878c1bed60d30526b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 Apr 2024 21:23:18 +1000 -Subject: powerpc/dexcr: Track the DEXCR per-process - -From: Benjamin Gray - -[ Upstream commit 75171f06c4507c3b6b5a69d793879fb20d108bb1 ] - -Add capability to make the DEXCR act as a per-process SPR. - -We do not yet have an interface for changing the values per task. We -also expect the kernel to use a single DEXCR value across all tasks -while in privileged state, so there is no need to synchronize after -changing it (the userspace aspects will synchronize upon returning to -userspace). - -Signed-off-by: Benjamin Gray -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20240417112325.728010-3-bgray@linux.ibm.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/include/asm/processor.h | 1 + - arch/powerpc/kernel/process.c | 10 ++++++++++ - arch/powerpc/kernel/ptrace/ptrace-view.c | 7 +------ - 3 files changed, 12 insertions(+), 6 deletions(-) - -diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h -index b2c51d337e60c..882e31296ea6b 100644 ---- a/arch/powerpc/include/asm/processor.h -+++ b/arch/powerpc/include/asm/processor.h -@@ -260,6 +260,7 @@ struct thread_struct { - unsigned long sier2; - unsigned long sier3; - unsigned long hashkeyr; -+ unsigned long dexcr; - - #endif - }; -diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c -index 9452a54d356c9..d482c3fd81d7a 100644 ---- a/arch/powerpc/kernel/process.c -+++ b/arch/powerpc/kernel/process.c -@@ -1185,6 +1185,9 @@ static inline void save_sprs(struct thread_struct *t) - - if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) - t->hashkeyr = mfspr(SPRN_HASHKEYR); -+ -+ if (cpu_has_feature(CPU_FTR_ARCH_31)) -+ t->dexcr = mfspr(SPRN_DEXCR); - #endif - } - -@@ -1267,6 +1270,10 @@ static inline void restore_sprs(struct thread_struct *old_thread, - if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE) && - old_thread->hashkeyr != new_thread->hashkeyr) - mtspr(SPRN_HASHKEYR, new_thread->hashkeyr); -+ -+ if (cpu_has_feature(CPU_FTR_ARCH_31) && -+ old_thread->dexcr != new_thread->dexcr) -+ mtspr(SPRN_DEXCR, new_thread->dexcr); - #endif - - } -@@ -1878,6 +1885,9 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) - #ifdef CONFIG_PPC_BOOK3S_64 - if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) - p->thread.hashkeyr = current->thread.hashkeyr; -+ -+ if (cpu_has_feature(CPU_FTR_ARCH_31)) -+ p->thread.dexcr = mfspr(SPRN_DEXCR); - #endif - return 0; - } -diff --git a/arch/powerpc/kernel/ptrace/ptrace-view.c b/arch/powerpc/kernel/ptrace/ptrace-view.c -index 584cf5c3df509..c1819e0a66842 100644 ---- a/arch/powerpc/kernel/ptrace/ptrace-view.c -+++ b/arch/powerpc/kernel/ptrace/ptrace-view.c -@@ -469,12 +469,7 @@ static int dexcr_get(struct task_struct *target, const struct user_regset *regse - if (!cpu_has_feature(CPU_FTR_ARCH_31)) - return -ENODEV; - -- /* -- * The DEXCR is currently static across all CPUs, so we don't -- * store the target's value anywhere, but the static value -- * will also be correct. -- */ -- membuf_store(&to, (u64)lower_32_bits(DEXCR_INIT)); -+ membuf_store(&to, (u64)lower_32_bits(target->thread.dexcr)); - - /* - * Technically the HDEXCR is per-cpu, but a hypervisor can't reasonably --- -2.43.0 - diff --git a/queue-6.6/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch b/queue-6.6/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch deleted file mode 100644 index 43324668838..00000000000 --- a/queue-6.6/powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 0735f5cdd392e57aeebae772f1d154e40cbdc45c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 Mar 2021 19:11:10 +0100 -Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Greg Kurz - -[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ] - -All these commands end up peeking into the PACA using the user -originated cpu id as an index. Check the cpu id is valid in order -to prevent xmon to crash. Instead of printing an error, this follows -the same behavior as the "lp s #" command : ignore the buggy cpu id -parameter and fall back to the #-less version of the command. - -Signed-off-by: Greg Kurz -Reviewed-by: Cédric Le Goater -Signed-off-by: Michael Ellerman -Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan -Signed-off-by: Sasha Levin ---- - arch/powerpc/xmon/xmon.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c -index b3b94cd377137..1d815405a3b4f 100644 ---- a/arch/powerpc/xmon/xmon.c -+++ b/arch/powerpc/xmon/xmon.c -@@ -1352,7 +1352,7 @@ static int cpu_cmd(void) - } - termch = cpu; - -- if (!scanhex(&cpu)) { -+ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) { - /* print cpus waiting or in xmon */ - printf("cpus stopped:"); - last_cpu = first_cpu = NR_CPUS; -@@ -2774,7 +2774,7 @@ static void dump_pacas(void) - - termch = c; /* Put c back, it wasn't 'a' */ - -- if (scanhex(&num)) -+ if (scanhex(&num) && num < num_possible_cpus()) - dump_one_paca(num); - else - dump_one_paca(xmon_owner); -@@ -2847,7 +2847,7 @@ static void dump_xives(void) - - termch = c; /* Put c back, it wasn't 'a' */ - -- if (scanhex(&num)) -+ if (scanhex(&num) && num < num_possible_cpus()) - dump_one_xive(num); - else - dump_one_xive(xmon_owner); --- -2.43.0 - diff --git a/queue-6.6/risc-v-kvm-fix-the-initial-sample-period-value.patch b/queue-6.6/risc-v-kvm-fix-the-initial-sample-period-value.patch deleted file mode 100644 index 724ed00ccd6..00000000000 --- a/queue-6.6/risc-v-kvm-fix-the-initial-sample-period-value.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 1dc2e35d7fea66c532a8b5faef252c8ee30542b8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 20 Apr 2024 08:17:26 -0700 -Subject: RISC-V: KVM: Fix the initial sample period value - -From: Atish Patra - -[ Upstream commit 57990ab90ce31aadac0d5a6293f5582e24ff7521 ] - -The initial sample period value when counter value is not assigned -should be set to maximum value supported by the counter width. -Otherwise, it may result in spurious interrupts. - -Reviewed-by: Andrew Jones -Signed-off-by: Atish Patra -Reviewed-by: Anup Patel -Link: https://lore.kernel.org/r/20240420151741.962500-11-atishp@rivosinc.com -Signed-off-by: Anup Patel -Signed-off-by: Sasha Levin ---- - arch/riscv/kvm/vcpu_pmu.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c -index 86391a5061dda..cee1b9ca4ec48 100644 ---- a/arch/riscv/kvm/vcpu_pmu.c -+++ b/arch/riscv/kvm/vcpu_pmu.c -@@ -39,7 +39,7 @@ static u64 kvm_pmu_get_sample_period(struct kvm_pmc *pmc) - u64 sample_period; - - if (!pmc->counter_val) -- sample_period = counter_val_mask + 1; -+ sample_period = counter_val_mask; - else - sample_period = (-pmc->counter_val) & counter_val_mask; - --- -2.43.0 - diff --git a/queue-6.6/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch b/queue-6.6/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch deleted file mode 100644 index d1baea95ae8..00000000000 --- a/queue-6.6/riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch +++ /dev/null @@ -1,126 +0,0 @@ -From a4fe10b18b527b13c03e55dc83678740f937ee0d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Mar 2024 21:49:48 -0700 -Subject: riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma - -From: Samuel Holland - -[ Upstream commit 20e03d702e00a3e0269a1d6f9549c2e370492054 ] - -commit 3f1e782998cd ("riscv: add ASID-based tlbflushing methods") added -calls to the sfence.vma instruction with rs2 != x0. These single-ASID -instruction variants are also affected by SiFive errata CIP-1200. - -Until now, the errata workaround was not needed for the single-ASID -sfence.vma variants, because they were only used when the ASID allocator -was enabled, and the affected SiFive platforms do not support multiple -ASIDs. However, we are going to start using those sfence.vma variants -regardless of ASID support, so now we need alternatives covering them. - -Signed-off-by: Samuel Holland -Link: https://lore.kernel.org/r/20240327045035.368512-8-samuel.holland@sifive.com -Signed-off-by: Palmer Dabbelt -Signed-off-by: Sasha Levin ---- - arch/riscv/include/asm/errata_list.h | 12 +++++++++++- - arch/riscv/include/asm/tlbflush.h | 19 ++++++++++++++++++- - arch/riscv/mm/tlbflush.c | 23 ----------------------- - 3 files changed, 29 insertions(+), 25 deletions(-) - -diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h -index b55b434f00591..d3f3c237adad7 100644 ---- a/arch/riscv/include/asm/errata_list.h -+++ b/arch/riscv/include/asm/errata_list.h -@@ -44,11 +44,21 @@ ALTERNATIVE(__stringify(RISCV_PTR do_page_fault), \ - CONFIG_ERRATA_SIFIVE_CIP_453) - #else /* !__ASSEMBLY__ */ - --#define ALT_FLUSH_TLB_PAGE(x) \ -+#define ALT_SFENCE_VMA_ASID(asid) \ -+asm(ALTERNATIVE("sfence.vma x0, %0", "sfence.vma", SIFIVE_VENDOR_ID, \ -+ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ -+ : : "r" (asid) : "memory") -+ -+#define ALT_SFENCE_VMA_ADDR(addr) \ - asm(ALTERNATIVE("sfence.vma %0", "sfence.vma", SIFIVE_VENDOR_ID, \ - ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ - : : "r" (addr) : "memory") - -+#define ALT_SFENCE_VMA_ADDR_ASID(addr, asid) \ -+asm(ALTERNATIVE("sfence.vma %0, %1", "sfence.vma", SIFIVE_VENDOR_ID, \ -+ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \ -+ : : "r" (addr), "r" (asid) : "memory") -+ - /* - * _val is marked as "will be overwritten", so need to set it to 0 - * in the default case. -diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h -index 51664ae4852e7..97711d5bd8ef9 100644 ---- a/arch/riscv/include/asm/tlbflush.h -+++ b/arch/riscv/include/asm/tlbflush.h -@@ -22,10 +22,27 @@ static inline void local_flush_tlb_all(void) - __asm__ __volatile__ ("sfence.vma" : : : "memory"); - } - -+static inline void local_flush_tlb_all_asid(unsigned long asid) -+{ -+ if (asid != FLUSH_TLB_NO_ASID) -+ ALT_SFENCE_VMA_ASID(asid); -+ else -+ local_flush_tlb_all(); -+} -+ - /* Flush one page from local TLB */ - static inline void local_flush_tlb_page(unsigned long addr) - { -- ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory")); -+ ALT_SFENCE_VMA_ADDR(addr); -+} -+ -+static inline void local_flush_tlb_page_asid(unsigned long addr, -+ unsigned long asid) -+{ -+ if (asid != FLUSH_TLB_NO_ASID) -+ ALT_SFENCE_VMA_ADDR_ASID(addr, asid); -+ else -+ local_flush_tlb_page(addr); - } - #else /* CONFIG_MMU */ - #define local_flush_tlb_all() do { } while (0) -diff --git a/arch/riscv/mm/tlbflush.c b/arch/riscv/mm/tlbflush.c -index bdee5de918e06..324e8cd9b5022 100644 ---- a/arch/riscv/mm/tlbflush.c -+++ b/arch/riscv/mm/tlbflush.c -@@ -6,29 +6,6 @@ - #include - #include - --static inline void local_flush_tlb_all_asid(unsigned long asid) --{ -- if (asid != FLUSH_TLB_NO_ASID) -- __asm__ __volatile__ ("sfence.vma x0, %0" -- : -- : "r" (asid) -- : "memory"); -- else -- local_flush_tlb_all(); --} -- --static inline void local_flush_tlb_page_asid(unsigned long addr, -- unsigned long asid) --{ -- if (asid != FLUSH_TLB_NO_ASID) -- __asm__ __volatile__ ("sfence.vma %0, %1" -- : -- : "r" (addr), "r" (asid) -- : "memory"); -- else -- local_flush_tlb_page(addr); --} -- - /* - * Flush entire TLB if number of entries to be flushed is greater - * than the threshold below. --- -2.43.0 - diff --git a/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch b/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch deleted file mode 100644 index 3074917aa7c..00000000000 --- a/queue-6.6/s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch +++ /dev/null @@ -1,47 +0,0 @@ -From b732d944f8364006bfcd4a9d0d9213fb2606f4b4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 Apr 2024 16:30:01 +0200 -Subject: s390: Mark psw in __load_psw_mask() as __unitialized - -From: Sven Schnelle - -[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ] - -Without __unitialized, the following code is generated when -INIT_STACK_ALL_ZERO is enabled: - -86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15) -8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15) -92: c0 10 00 00 00 08 larl %r1, 0xa2 -98: e3 10 f0 a8 00 24 stg %r1, 168(%r15) -9e: b2 b2 f0 a0 lpswe 160(%r15) - -The xc is not adding any security because psw is fully initialized -with the following instructions. Add __unitialized to the psw -definitiation to avoid the superfluous clearing of psw. - -Reviewed-by: Heiko Carstens -Signed-off-by: Sven Schnelle -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - arch/s390/include/asm/processor.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h -index dc17896a001a9..e7338ed540d8f 100644 ---- a/arch/s390/include/asm/processor.h -+++ b/arch/s390/include/asm/processor.h -@@ -308,8 +308,8 @@ static inline void __load_psw(psw_t psw) - */ - static __always_inline void __load_psw_mask(unsigned long mask) - { -+ psw_t psw __uninitialized; - unsigned long addr; -- psw_t psw; - - psw.mask = mask; - --- -2.43.0 - diff --git a/queue-6.6/s390-pkey-wipe-sensitive-data-on-failure.patch b/queue-6.6/s390-pkey-wipe-sensitive-data-on-failure.patch deleted file mode 100644 index 28a2b824d41..00000000000 --- a/queue-6.6/s390-pkey-wipe-sensitive-data-on-failure.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 48ca1500fc87611663502ad99be17c22a277f1db Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 7 May 2024 17:03:18 +0200 -Subject: s390/pkey: Wipe sensitive data on failure - -From: Holger Dengler - -[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ] - -Wipe sensitive data from stack also if the copy_to_user() fails. - -Suggested-by: Heiko Carstens -Reviewed-by: Harald Freudenberger -Reviewed-by: Ingo Franzki -Acked-by: Heiko Carstens -Signed-off-by: Holger Dengler -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - drivers/s390/crypto/pkey_api.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c -index 6cfb6b2340c99..d2ffdf2491da0 100644 ---- a/drivers/s390/crypto/pkey_api.c -+++ b/drivers/s390/crypto/pkey_api.c -@@ -1369,7 +1369,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (rc) - break; - if (copy_to_user(ucs, &kcs, sizeof(kcs))) -- return -EFAULT; -+ rc = -EFAULT; - memzero_explicit(&kcs, sizeof(kcs)); - break; - } -@@ -1404,7 +1404,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, - if (rc) - break; - if (copy_to_user(ucp, &kcp, sizeof(kcp))) -- return -EFAULT; -+ rc = -EFAULT; - memzero_explicit(&kcp, sizeof(kcp)); - break; - } --- -2.43.0 - diff --git a/queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch b/queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch deleted file mode 100644 index 7a3c5483e44..00000000000 --- a/queue-6.6/scsi-mpi3mr-sanitise-num_phys.patch +++ /dev/null @@ -1,50 +0,0 @@ -From f762309d54ca8666623b375738d93cbed14a9e2b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Feb 2024 16:10:13 +0100 -Subject: scsi: mpi3mr: Sanitise num_phys - -From: Tomas Henzl - -[ Upstream commit 3668651def2c1622904e58b0280ee93121f2b10b ] - -Information is stored in mr_sas_port->phy_mask, values larger then size of -this field shouldn't be allowed. - -Signed-off-by: Tomas Henzl -Link: https://lore.kernel.org/r/20240226151013.8653-1-thenzl@redhat.com -Acked-by: Sathya Prakash Veerichetty -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c -index 82b55e9557304..91c2f667a4c0b 100644 ---- a/drivers/scsi/mpi3mr/mpi3mr_transport.c -+++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c -@@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc, - mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node, - mr_sas_port->remote_identify.sas_address, hba_port); - -+ if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8) -+ ioc_info(mrioc, "max port count %u could be too high\n", -+ mr_sas_node->num_phys); -+ - for (i = 0; i < mr_sas_node->num_phys; i++) { - if ((mr_sas_node->phy[i].remote_identify.sas_address != - mr_sas_port->remote_identify.sas_address) || - (mr_sas_node->phy[i].hba_port != hba_port)) - continue; -+ -+ if (i > sizeof(mr_sas_port->phy_mask) * 8) { -+ ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n", -+ i, sizeof(mr_sas_port->phy_mask) * 8); -+ goto out_fail; -+ } - list_add_tail(&mr_sas_node->phy[i].port_siblings, - &mr_sas_port->phy_list); - mr_sas_port->num_phys++; --- -2.43.0 - diff --git a/queue-6.6/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch b/queue-6.6/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch deleted file mode 100644 index 5542597f6ba..00000000000 --- a/queue-6.6/scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 4146af2361ebb36a1e98f09599edb3da307440cc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Apr 2024 11:01:55 -0400 -Subject: scsi: qedf: Make qedf_execute_tmf() non-preemptible - -From: John Meneghini - -[ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ] - -Stop calling smp_processor_id() from preemptible code in -qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel. - -[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646 -[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf] - -Tested-by: Guangwu Zhang -Cc: Saurav Kashyap -Cc: Nilesh Javali -Signed-off-by: John Meneghini -Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com -Acked-by: Saurav Kashyap -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/qedf/qedf_io.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c -index 10fe3383855c0..031e605b3f427 100644 ---- a/drivers/scsi/qedf/qedf_io.c -+++ b/drivers/scsi/qedf/qedf_io.c -@@ -2331,9 +2331,6 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd, - io_req->fcport = fcport; - io_req->cmd_type = QEDF_TASK_MGMT_CMD; - -- /* Record which cpu this request is associated with */ -- io_req->cpu = smp_processor_id(); -- - /* Set TM flags */ - io_req->io_req_flags = QEDF_READ; - io_req->data_xfer_len = 0; -@@ -2355,6 +2352,9 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd, - - spin_lock_irqsave(&fcport->rport_lock, flags); - -+ /* Record which cpu this request is associated with */ -+ io_req->cpu = smp_processor_id(); -+ - sqe_idx = qedf_get_sqe_idx(fcport); - sqe = &fcport->sq[sqe_idx]; - memset(sqe, 0, sizeof(struct fcoe_wqe)); --- -2.43.0 - diff --git a/queue-6.6/sctp-prefer-struct_size-over-open-coded-arithmetic.patch b/queue-6.6/sctp-prefer-struct_size-over-open-coded-arithmetic.patch deleted file mode 100644 index af19bbe280a..00000000000 --- a/queue-6.6/sctp-prefer-struct_size-over-open-coded-arithmetic.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 6416a2395a6fbc37fc7c83d2bdd933991ce59a8a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 Apr 2024 19:23:36 +0200 -Subject: sctp: prefer struct_size over open coded arithmetic - -From: Erick Archer - -[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ] - -This is an effort to get rid of all multiplications from allocation -functions in order to prevent integer overflows [1][2]. - -As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this -structure ends in a flexible array: - -struct sctp_assoc_ids { - [...] - sctp_assoc_t gaids_assoc_id[]; -}; - -the preferred way in the kernel is to use the struct_size() helper to -do the arithmetic instead of the calculation "size + size * count" in -the kmalloc() function. - -Also, refactor the code adding the "ids_size" variable to avoid sizing -twice. - -This way, the code is more readable and safer. - -This code was detected with the help of Coccinelle, and audited and -modified manually. - -Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1] -Link: https://github.com/KSPP/linux/issues/160 [2] -Signed-off-by: Erick Archer -Acked-by: Xin Long -Reviewed-by: Kees Cook -Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/sctp/socket.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index 6b9fcdb0952a0..225dfacfd233f 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -7118,6 +7118,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, - struct sctp_sock *sp = sctp_sk(sk); - struct sctp_association *asoc; - struct sctp_assoc_ids *ids; -+ size_t ids_size; - u32 num = 0; - - if (sctp_style(sk, TCP)) -@@ -7130,11 +7131,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len, - num++; - } - -- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num) -+ ids_size = struct_size(ids, gaids_assoc_id, num); -+ if (len < ids_size) - return -EINVAL; - -- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num; -- -+ len = ids_size; - ids = kmalloc(len, GFP_USER | __GFP_NOWARN); - if (unlikely(!ids)) - return -ENOMEM; --- -2.43.0 - diff --git a/queue-6.6/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch b/queue-6.6/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch deleted file mode 100644 index c044c31df32..00000000000 --- a/queue-6.6/selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 03801d362788ea4788e54ef80c2c8f3c69f0c8c6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:18 -0700 -Subject: selftests/bpf: adjust dummy_st_ops_success to detect additional error - -From: Eduard Zingerman - -[ Upstream commit 3b3b84aacb4420226576c9732e7b539ca7b79633 ] - -As reported by Jose E. Marchesi in off-list discussion, GCC and LLVM -generate slightly different code for dummy_st_ops_success/test_1(): - - SEC("struct_ops/test_1") - int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) - { - int ret; - - if (!state) - return 0xf2f3f4f5; - - ret = state->val; - state->val = 0x5a; - return ret; - } - - GCC-generated LLVM-generated - ---------------------------- --------------------------- - 0: r1 = *(u64 *)(r1 + 0x0) 0: w0 = -0xd0c0b0b - 1: if r1 == 0x0 goto 5f 1: r1 = *(u64 *)(r1 + 0x0) - 2: r0 = *(s32 *)(r1 + 0x0) 2: if r1 == 0x0 goto 6f - 3: *(u32 *)(r1 + 0x0) = 0x5a 3: r0 = *(u32 *)(r1 + 0x0) - 4: exit 4: w2 = 0x5a - 5: r0 = -0xd0c0b0b 5: *(u32 *)(r1 + 0x0) = r2 - 6: exit 6: exit - -If the 'state' argument is not marked as nullable in -net/bpf/bpf_dummy_struct_ops.c, the verifier would assume that -'r1 == 0x0' is never true: -- for the GCC version, this means that instructions #5-6 would be - marked as dead and removed; -- for the LLVM version, all instructions would be marked as live. - -The test dummy_st_ops/dummy_init_ret_value actually sets the 'state' -parameter to NULL. - -Therefore, when the 'state' argument is not marked as nullable, -the GCC-generated version of the code would trigger a NULL pointer -dereference at instruction #3. - -This patch updates the test_1() test case to always follow a shape -similar to the GCC-generated version above, in order to verify whether -the 'state' nullability is marked correctly. - -Reported-by: Jose E. Marchesi -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-3-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - .../selftests/bpf/progs/dummy_st_ops_success.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -index 1efa746c25dc7..cc7b69b001aae 100644 ---- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -+++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -@@ -11,8 +11,17 @@ int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) - { - int ret; - -- if (!state) -- return 0xf2f3f4f5; -+ /* Check that 'state' nullable status is detected correctly. -+ * If 'state' argument would be assumed non-null by verifier -+ * the code below would be deleted as dead (which it shouldn't). -+ * Hide it from the compiler behind 'asm' block to avoid -+ * unnecessary optimizations. -+ */ -+ asm volatile ( -+ "if %[state] != 0 goto +2;" -+ "r0 = 0xf2f3f4f5;" -+ "exit;" -+ ::[state]"p"(state)); - - ret = state->val; - state->val = 0x5a; --- -2.43.0 - diff --git a/queue-6.6/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch b/queue-6.6/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch deleted file mode 100644 index e0630c98d25..00000000000 --- a/queue-6.6/selftests-bpf-do-not-pass-null-for-non-nullable-para.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 7e20c2230947ae6610737bf6da567b9e2e429491 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:19 -0700 -Subject: selftests/bpf: do not pass NULL for non-nullable params in - dummy_st_ops - -From: Eduard Zingerman - -[ Upstream commit f612210d456a0b969a0adca91e68dbea0e0ea301 ] - -dummy_st_ops.test_2 and dummy_st_ops.test_sleepable do not have their -'state' parameter marked as nullable. Update dummy_st_ops.c to avoid -passing NULL for such parameters, as the next patch would allow kernel -to enforce this restriction. - -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-4-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c | 7 +++++-- - tools/testing/selftests/bpf/progs/dummy_st_ops_success.c | 2 +- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -index f43fcb13d2c46..dd926c00f4146 100644 ---- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -+++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -@@ -98,7 +98,8 @@ static void test_dummy_init_ptr_arg(void) - - static void test_dummy_multiple_args(void) - { -- __u64 args[5] = {0, -100, 0x8a5f, 'c', 0x1234567887654321ULL}; -+ struct bpf_dummy_ops_state st = { 7 }; -+ __u64 args[5] = {(__u64)&st, -100, 0x8a5f, 'c', 0x1234567887654321ULL}; - LIBBPF_OPTS(bpf_test_run_opts, attr, - .ctx_in = args, - .ctx_size_in = sizeof(args), -@@ -115,6 +116,7 @@ static void test_dummy_multiple_args(void) - fd = bpf_program__fd(skel->progs.test_2); - err = bpf_prog_test_run_opts(fd, &attr); - ASSERT_OK(err, "test_run"); -+ args[0] = 7; - for (i = 0; i < ARRAY_SIZE(args); i++) { - snprintf(name, sizeof(name), "arg %zu", i); - ASSERT_EQ(skel->bss->test_2_args[i], args[i], name); -@@ -125,7 +127,8 @@ static void test_dummy_multiple_args(void) - - static void test_dummy_sleepable(void) - { -- __u64 args[1] = {0}; -+ struct bpf_dummy_ops_state st; -+ __u64 args[1] = {(__u64)&st}; - LIBBPF_OPTS(bpf_test_run_opts, attr, - .ctx_in = args, - .ctx_size_in = sizeof(args), -diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -index cc7b69b001aae..ec0c595d47af8 100644 ---- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -+++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c -@@ -34,7 +34,7 @@ SEC("struct_ops/test_2") - int BPF_PROG(test_2, struct bpf_dummy_ops_state *state, int a1, unsigned short a2, - char a3, unsigned long a4) - { -- test_2_args[0] = (unsigned long)state; -+ test_2_args[0] = state->val; - test_2_args[1] = a1; - test_2_args[2] = a2; - test_2_args[3] = a3; --- -2.43.0 - diff --git a/queue-6.6/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch b/queue-6.6/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch deleted file mode 100644 index af52ba04a0f..00000000000 --- a/queue-6.6/selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch +++ /dev/null @@ -1,68 +0,0 @@ -From cd7278af049942234f24d92459f736d850173dab Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 Apr 2024 18:28:21 -0700 -Subject: selftests/bpf: dummy_st_ops should reject 0 for non-nullable params - -From: Eduard Zingerman - -[ Upstream commit 6a2d30d3c5bf9f088dcfd5f3746b04d84f2fab83 ] - -Check if BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs -rejects execution if NULL is passed for non-nullable parameter. - -Signed-off-by: Eduard Zingerman -Link: https://lore.kernel.org/r/20240424012821.595216-6-eddyz87@gmail.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - .../selftests/bpf/prog_tests/dummy_st_ops.c | 27 +++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -index dd926c00f4146..d3d94596ab79c 100644 ---- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -+++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c -@@ -147,6 +147,31 @@ static void test_dummy_sleepable(void) - dummy_st_ops_success__destroy(skel); - } - -+/* dummy_st_ops.test_sleepable() parameter is not marked as nullable, -+ * thus bpf_prog_test_run_opts() below should be rejected as it tries -+ * to pass NULL for this parameter. -+ */ -+static void test_dummy_sleepable_reject_null(void) -+{ -+ __u64 args[1] = {0}; -+ LIBBPF_OPTS(bpf_test_run_opts, attr, -+ .ctx_in = args, -+ .ctx_size_in = sizeof(args), -+ ); -+ struct dummy_st_ops_success *skel; -+ int fd, err; -+ -+ skel = dummy_st_ops_success__open_and_load(); -+ if (!ASSERT_OK_PTR(skel, "dummy_st_ops_load")) -+ return; -+ -+ fd = bpf_program__fd(skel->progs.test_sleepable); -+ err = bpf_prog_test_run_opts(fd, &attr); -+ ASSERT_EQ(err, -EINVAL, "test_run"); -+ -+ dummy_st_ops_success__destroy(skel); -+} -+ - void test_dummy_st_ops(void) - { - if (test__start_subtest("dummy_st_ops_attach")) -@@ -159,6 +184,8 @@ void test_dummy_st_ops(void) - test_dummy_multiple_args(); - if (test__start_subtest("dummy_sleepable")) - test_dummy_sleepable(); -+ if (test__start_subtest("dummy_sleepable_reject_null")) -+ test_dummy_sleepable_reject_null(); - - RUN_TESTS(dummy_st_ops_fail); - } --- -2.43.0 - diff --git a/queue-6.6/selftests-net-fix-uninitialized-variables.patch b/queue-6.6/selftests-net-fix-uninitialized-variables.patch deleted file mode 100644 index 8ca7b77d6d1..00000000000 --- a/queue-6.6/selftests-net-fix-uninitialized-variables.patch +++ /dev/null @@ -1,84 +0,0 @@ -From da5a832a60d201c758e9510d6d832ba59d50a2e7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 May 2024 12:02:04 -0700 -Subject: selftests/net: fix uninitialized variables - -From: John Hubbard - -[ Upstream commit eb709b5f6536636dfb87b85ded0b2af9bb6cd9e6 ] - -When building with clang, via: - - make LLVM=1 -C tools/testing/selftest - -...clang warns about three variables that are not initialized in all -cases: - -1) The opt_ipproto_off variable is used uninitialized if "testname" is -not "ip". Willem de Bruijn pointed out that this is an actual bug, and -suggested the fix that I'm using here (thanks!). - -2) The addr_len is used uninitialized, but only in the assert case, - which bails out, so this is harmless. - -3) The family variable in add_listener() is only used uninitialized in - the error case (neither IPv4 nor IPv6 is specified), so it's also - harmless. - -Fix by initializing each variable. - -Signed-off-by: John Hubbard -Reviewed-by: Willem de Bruijn -Acked-by: Mat Martineau -Link: https://lore.kernel.org/r/20240506190204.28497-1-jhubbard@nvidia.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/net/gro.c | 3 +++ - tools/testing/selftests/net/ip_local_port_range.c | 2 +- - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 2 +- - 3 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c -index 30024d0ed3739..b204df4f33322 100644 ---- a/tools/testing/selftests/net/gro.c -+++ b/tools/testing/selftests/net/gro.c -@@ -113,6 +113,9 @@ static void setup_sock_filter(int fd) - next_off = offsetof(struct ipv6hdr, nexthdr); - ipproto_off = ETH_HLEN + next_off; - -+ /* Overridden later if exthdrs are used: */ -+ opt_ipproto_off = ipproto_off; -+ - if (strcmp(testname, "ip") == 0) { - if (proto == PF_INET) - optlen = sizeof(struct ip_timestamp); -diff --git a/tools/testing/selftests/net/ip_local_port_range.c b/tools/testing/selftests/net/ip_local_port_range.c -index 75e3fdacdf735..2465ff5bb3a8e 100644 ---- a/tools/testing/selftests/net/ip_local_port_range.c -+++ b/tools/testing/selftests/net/ip_local_port_range.c -@@ -343,7 +343,7 @@ TEST_F(ip_local_port_range, late_bind) - struct sockaddr_in v4; - struct sockaddr_in6 v6; - } addr; -- socklen_t addr_len; -+ socklen_t addr_len = 0; - const int one = 1; - int fd, err; - __u32 range; -diff --git a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c -index 49369c4a5f261..763402dd17742 100644 ---- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c -+++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c -@@ -1239,7 +1239,7 @@ int add_listener(int argc, char *argv[]) - struct sockaddr_storage addr; - struct sockaddr_in6 *a6; - struct sockaddr_in *a4; -- u_int16_t family; -+ u_int16_t family = AF_UNSPEC; - int enable = 1; - int sock; - int err; --- -2.43.0 - diff --git a/queue-6.6/serial-imx-raise-tx-trigger-level-to-8.patch b/queue-6.6/serial-imx-raise-tx-trigger-level-to-8.patch deleted file mode 100644 index 257108fef2a..00000000000 --- a/queue-6.6/serial-imx-raise-tx-trigger-level-to-8.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 89c70fb5cc60a27517a89098fbbd13a4b07d814d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 May 2024 15:37:44 +0200 -Subject: serial: imx: Raise TX trigger level to 8 - -From: Matthias Schiffer - -[ Upstream commit a3d8728ab079951741efa11360df43dbfacba7ab ] - -At the default TX trigger level of 2 in non-DMA mode (meaning that an -interrupt is generated when less than 2 characters are left in the -FIFO), we have observed frequent buffer underruns at 115200 Baud on an -i.MX8M Nano. This can cause communication issues if the receiving side -expects a continuous transfer. - -Increasing the level to 8 makes the UART trigger an interrupt earlier, -giving the kernel enough time to refill the FIFO, at the cost of -triggering one interrupt per ~24 instead of ~30 bytes of transmitted -data (as the i.MX UART has a 32 byte FIFO). - -Signed-off-by: Michael Krummsdorf -Signed-off-by: Matthias Schiffer -Link: https://lore.kernel.org/r/20240508133744.35858-1-matthias.schiffer@ew.tq-group.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/serial/imx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c -index 285e0e1144c4c..a5d0df2ba5c55 100644 ---- a/drivers/tty/serial/imx.c -+++ b/drivers/tty/serial/imx.c -@@ -1320,7 +1320,7 @@ static void imx_uart_clear_rx_errors(struct imx_port *sport) - - } - --#define TXTL_DEFAULT 2 /* reset default */ -+#define TXTL_DEFAULT 8 - #define RXTL_DEFAULT 8 /* 8 characters or aging timer */ - #define TXTL_DMA 8 /* DMA burst setting */ - #define RXTL_DMA 9 /* DMA burst setting */ --- -2.43.0 - diff --git a/queue-6.6/series b/queue-6.6/series deleted file mode 100644 index e1802d94aaa..00000000000 --- a/queue-6.6/series +++ /dev/null @@ -1,64 +0,0 @@ -locking-mutex-introduce-devm_mutex_init.patch -leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch -crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch -drm-lima-fix-shared-irq-handling-on-driver-remove.patch -powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch -media-dvb-as102-fe-fix-as10x_register_addr-packing.patch -media-dvb-usb-dib0700_devices-add-missing-release_fi.patch -ib-core-implement-a-limit-on-umad-receive-list.patch -drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch -scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch -irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch -selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch -selftests-bpf-do-not-pass-null-for-non-nullable-para.patch -selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch -risc-v-kvm-fix-the-initial-sample-period-value.patch -crypto-aead-cipher-zeroize-key-buffer-after-use.patch -media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch -drm-amdgpu-fix-uninitialized-variable-warnings.patch -drm-amdgpu-using-uninitialized-value-size-when-calli.patch -drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch -drm-amd-display-check-index-msg_id-before-read-or-wr.patch -drm-amd-display-check-pipe-offset-before-setting-vbl.patch -drm-amd-display-skip-finding-free-audio-for-unknown-.patch -drm-amd-display-fix-uninitialized-variables-in-dm.patch -drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch -drm-amdgpu-fix-the-warning-about-the-expression-int-.patch -media-dw2102-don-t-translate-i2c-read-into-write.patch -riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch -sctp-prefer-struct_size-over-open-coded-arithmetic.patch -firmware-dmi-stop-decoding-on-broken-entry.patch -input-ff-core-prefer-struct_size-over-open-coded-ari.patch -usb-xhci-prevent-potential-failure-in-handle_tx_even.patch -wifi-mt76-replace-skb_put-with-skb_put_zero.patch -wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch -thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch -net-dsa-mv88e6xxx-correct-check-for-empty-list.patch -media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch -media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch -media-dvb-frontends-tda10048-fix-integer-overflow.patch -powerpc-dexcr-track-the-dexcr-per-process.patch -powerpc-dexcr-reset-dexcr-value-across-exec.patch -i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch -powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch -orangefs-fix-out-of-bounds-fsid-access.patch -kunit-fix-timeout-message.patch -kunit-handle-test-faults.patch -powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch -perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch -selftests-net-fix-uninitialized-variables.patch -igc-fix-a-log-entry-using-uninitialized-netdev.patch -bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch -f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch -scsi-mpi3mr-sanitise-num_phys.patch -serial-imx-raise-tx-trigger-level-to-8.patch -nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch -jffs2-fix-potential-illegal-address-access-in-jffs2_.patch -s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch -s390-pkey-wipe-sensitive-data-on-failure.patch -btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch -cdrom-rearrange-last_media_change-check-to-avoid-uni.patch -tools-power-turbostat-remember-global-max_die_id.patch -vhost-use-virtqueue-mutex-for-swapping-worker.patch -vhost-release-worker-mutex-during-flushes.patch -vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch diff --git a/queue-6.6/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch b/queue-6.6/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch deleted file mode 100644 index 69fc2b64d14..00000000000 --- a/queue-6.6/thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch +++ /dev/null @@ -1,35 +0,0 @@ -From e056b473a8b4edd5d94792abbbff20b16970f508 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 May 2024 15:46:03 +0200 -Subject: thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data - -From: Julien Panis - -[ Upstream commit a1191a77351e25ddf091bb1a231cae12ee598b5d ] - -Verify that lvts_data is not NULL before using it. - -Signed-off-by: Julien Panis -Signed-off-by: Daniel Lezcano -Link: https://lore.kernel.org/r/20240502-mtk-thermal-lvts-data-v1-1-65f1b0bfad37@baylibre.com -Signed-off-by: Sasha Levin ---- - drivers/thermal/mediatek/lvts_thermal.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c -index 666f440b66631..8d0ccf494ba22 100644 ---- a/drivers/thermal/mediatek/lvts_thermal.c -+++ b/drivers/thermal/mediatek/lvts_thermal.c -@@ -1208,6 +1208,8 @@ static int lvts_probe(struct platform_device *pdev) - return -ENOMEM; - - lvts_data = of_device_get_match_data(dev); -+ if (!lvts_data) -+ return -ENODEV; - - lvts_td->clk = devm_clk_get_enabled(dev, NULL); - if (IS_ERR(lvts_td->clk)) --- -2.43.0 - diff --git a/queue-6.6/tools-power-turbostat-remember-global-max_die_id.patch b/queue-6.6/tools-power-turbostat-remember-global-max_die_id.patch deleted file mode 100644 index 574a87ec4c4..00000000000 --- a/queue-6.6/tools-power-turbostat-remember-global-max_die_id.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 33b2094192bf39bf30af964e463042c6e728096c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 21 Apr 2024 11:56:48 -0400 -Subject: tools/power turbostat: Remember global max_die_id - -From: Len Brown - -[ Upstream commit cda203388687aa075db6f8996c3c4549fa518ea8 ] - -This is necessary to gracefully handle sparse die_id's. - -no functional change - -Signed-off-by: Len Brown -Signed-off-by: Sasha Levin ---- - tools/power/x86/turbostat/turbostat.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c -index ffa964ddbacef..6fad5fbfb0f96 100644 ---- a/tools/power/x86/turbostat/turbostat.c -+++ b/tools/power/x86/turbostat/turbostat.c -@@ -566,6 +566,7 @@ struct topo_params { - int num_cpus; - int num_cores; - int max_cpu_num; -+ int max_die_id; - int max_node_num; - int nodes_per_pkg; - int cores_per_node; -@@ -5871,7 +5872,6 @@ void topology_probe() - int i; - int max_core_id = 0; - int max_package_id = 0; -- int max_die_id = 0; - int max_siblings = 0; - - /* Initialize num_cpus, max_cpu_num */ -@@ -5940,8 +5940,8 @@ void topology_probe() - - /* get die information */ - cpus[i].die_id = get_die_id(i); -- if (cpus[i].die_id > max_die_id) -- max_die_id = cpus[i].die_id; -+ if (cpus[i].die_id > topo.max_die_id) -+ topo.max_die_id = cpus[i].die_id; - - /* get numa node information */ - cpus[i].physical_node_id = get_physical_node_id(&cpus[i]); -@@ -5967,9 +5967,9 @@ void topology_probe() - if (!summary_only && topo.cores_per_node > 1) - BIC_PRESENT(BIC_Core); - -- topo.num_die = max_die_id + 1; -+ topo.num_die = topo.max_die_id + 1; - if (debug > 1) -- fprintf(outf, "max_die_id %d, sizing for %d die\n", max_die_id, topo.num_die); -+ fprintf(outf, "max_die_id %d, sizing for %d die\n", topo.max_die_id, topo.num_die); - if (!summary_only && topo.num_die > 1) - BIC_PRESENT(BIC_Die); - --- -2.43.0 - diff --git a/queue-6.6/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch b/queue-6.6/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch deleted file mode 100644 index e1e66445f29..00000000000 --- a/queue-6.6/usb-xhci-prevent-potential-failure-in-handle_tx_even.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 750b747d4a2f3cb907831b8992bdf518d25f1a02 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Apr 2024 17:02:37 +0300 -Subject: usb: xhci: prevent potential failure in handle_tx_event() for - Transfer events without TRB - -From: Niklas Neronin - -[ Upstream commit 66cb618bf0bb82859875b00eeffaf223557cb416 ] - -Some transfer events don't always point to a TRB, and consequently don't -have a endpoint ring. In these cases, function handle_tx_event() should -not proceed, because if 'ep->skip' is set, the pointer to the endpoint -ring is used. - -To prevent a potential failure and make the code logical, return after -checking the completion code for a Transfer event without TRBs. - -Signed-off-by: Niklas Neronin -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20240429140245.3955523-11-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci-ring.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c -index 8dd85221cd927..592dabc785152 100644 ---- a/drivers/usb/host/xhci-ring.c -+++ b/drivers/usb/host/xhci-ring.c -@@ -2649,16 +2649,17 @@ static int handle_tx_event(struct xhci_hcd *xhci, - else - xhci_handle_halted_endpoint(xhci, ep, NULL, - EP_SOFT_RESET); -- goto cleanup; -+ break; - case COMP_RING_UNDERRUN: - case COMP_RING_OVERRUN: - case COMP_STOPPED_LENGTH_INVALID: -- goto cleanup; -+ break; - default: - xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n", - slot_id, ep_index); - goto err_out; - } -+ return 0; - } - - /* Count current td numbers if ep->skip is set */ --- -2.43.0 - diff --git a/queue-6.6/vhost-release-worker-mutex-during-flushes.patch b/queue-6.6/vhost-release-worker-mutex-during-flushes.patch deleted file mode 100644 index e3bcc163389..00000000000 --- a/queue-6.6/vhost-release-worker-mutex-during-flushes.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 31ffc26384603bb2752f08d7696be57ee52f11f2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Mar 2024 19:47:05 -0500 -Subject: vhost: Release worker mutex during flushes - -From: Mike Christie - -[ Upstream commit ba704ff4e142fd3cfaf3379dd3b3b946754e06e3 ] - -In the next patches where the worker can be killed while in use, we -need to be able to take the worker mutex and kill queued works for -new IO and flushes, and set some new flags to prevent new -__vhost_vq_attach_worker calls from swapping in/out killed workers. - -If we are holding the worker mutex during a flush and the flush's work -is still in the queue, the worker code that will handle the SIGKILL -cleanup won't be able to take the mutex and perform it's cleanup. So -this patch has us drop the worker mutex while waiting for the flush -to complete. - -Signed-off-by: Mike Christie -Message-Id: <20240316004707.45557-8-michael.christie@oracle.com> -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Sasha Levin ---- - drivers/vhost/vhost.c | 44 +++++++++++++++++++++++++++++-------------- - 1 file changed, 30 insertions(+), 14 deletions(-) - -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 67bd947cc556d..069c8a23bff9e 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -276,21 +276,36 @@ void vhost_vq_flush(struct vhost_virtqueue *vq) - EXPORT_SYMBOL_GPL(vhost_vq_flush); - - /** -- * vhost_worker_flush - flush a worker -+ * __vhost_worker_flush - flush a worker - * @worker: worker to flush - * -- * This does not use RCU to protect the worker, so the device or worker -- * mutex must be held. -+ * The worker's flush_mutex must be held. - */ --static void vhost_worker_flush(struct vhost_worker *worker) -+static void __vhost_worker_flush(struct vhost_worker *worker) - { - struct vhost_flush_struct flush; - -+ if (!worker->attachment_cnt) -+ return; -+ - init_completion(&flush.wait_event); - vhost_work_init(&flush.work, vhost_flush_work); - - vhost_worker_queue(worker, &flush.work); -+ /* -+ * Drop mutex in case our worker is killed and it needs to take the -+ * mutex to force cleanup. -+ */ -+ mutex_unlock(&worker->mutex); - wait_for_completion(&flush.wait_event); -+ mutex_lock(&worker->mutex); -+} -+ -+static void vhost_worker_flush(struct vhost_worker *worker) -+{ -+ mutex_lock(&worker->mutex); -+ __vhost_worker_flush(worker); -+ mutex_unlock(&worker->mutex); - } - - void vhost_dev_flush(struct vhost_dev *dev) -@@ -298,15 +313,8 @@ void vhost_dev_flush(struct vhost_dev *dev) - struct vhost_worker *worker; - unsigned long i; - -- xa_for_each(&dev->worker_xa, i, worker) { -- mutex_lock(&worker->mutex); -- if (!worker->attachment_cnt) { -- mutex_unlock(&worker->mutex); -- continue; -- } -+ xa_for_each(&dev->worker_xa, i, worker) - vhost_worker_flush(worker); -- mutex_unlock(&worker->mutex); -- } - } - EXPORT_SYMBOL_GPL(vhost_dev_flush); - -@@ -685,7 +693,6 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - * device wide flushes which doesn't use RCU for execution. - */ - mutex_lock(&old_worker->mutex); -- old_worker->attachment_cnt--; - /* - * We don't want to call synchronize_rcu for every vq during setup - * because it will slow down VM startup. If we haven't done -@@ -696,6 +703,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - mutex_lock(&vq->mutex); - if (!vhost_vq_get_backend(vq) && !vq->kick) { - mutex_unlock(&vq->mutex); -+ -+ old_worker->attachment_cnt--; - mutex_unlock(&old_worker->mutex); - /* - * vsock can queue anytime after VHOST_VSOCK_SET_GUEST_CID. -@@ -711,7 +720,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - /* Make sure new vq queue/flush/poll calls see the new worker */ - synchronize_rcu(); - /* Make sure whatever was queued gets run */ -- vhost_worker_flush(old_worker); -+ __vhost_worker_flush(old_worker); -+ old_worker->attachment_cnt--; - mutex_unlock(&old_worker->mutex); - } - -@@ -764,6 +774,12 @@ static int vhost_free_worker(struct vhost_dev *dev, - mutex_unlock(&worker->mutex); - return -EBUSY; - } -+ /* -+ * A flush might have raced and snuck in before attachment_cnt was set -+ * to zero. Make sure flushes are flushed from the queue before -+ * freeing. -+ */ -+ __vhost_worker_flush(worker); - mutex_unlock(&worker->mutex); - - vhost_worker_destroy(dev, worker); --- -2.43.0 - diff --git a/queue-6.6/vhost-use-virtqueue-mutex-for-swapping-worker.patch b/queue-6.6/vhost-use-virtqueue-mutex-for-swapping-worker.patch deleted file mode 100644 index 6de68faf391..00000000000 --- a/queue-6.6/vhost-use-virtqueue-mutex-for-swapping-worker.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 0dbcc0f96e0e15fd7b95f2cf0e4aa429ecff9caa Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Mar 2024 19:47:04 -0500 -Subject: vhost: Use virtqueue mutex for swapping worker - -From: Mike Christie - -[ Upstream commit 34cf9ba5f00a222dddd9fc71de7c68fdaac7fb97 ] - -__vhost_vq_attach_worker uses the vhost_dev mutex to serialize the -swapping of a virtqueue's worker. This was done for simplicity because -we are already holding that mutex. - -In the next patches where the worker can be killed while in use, we need -finer grained locking because some drivers will hold the vhost_dev mutex -while flushing. However in the SIGKILL handler in the next patches, we -will need to be able to swap workers (set current one to NULL), kill -queued works and stop new flushes while flushes are in progress. - -To prepare us, this has us use the virtqueue mutex for swapping workers -instead of the vhost_dev one. - -Signed-off-by: Mike Christie -Message-Id: <20240316004707.45557-7-michael.christie@oracle.com> -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Sasha Levin ---- - drivers/vhost/vhost.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 88362c0afe452..67bd947cc556d 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -664,16 +664,22 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - { - struct vhost_worker *old_worker; - -- old_worker = rcu_dereference_check(vq->worker, -- lockdep_is_held(&vq->dev->mutex)); -- - mutex_lock(&worker->mutex); -- worker->attachment_cnt++; -- mutex_unlock(&worker->mutex); -+ mutex_lock(&vq->mutex); -+ -+ old_worker = rcu_dereference_check(vq->worker, -+ lockdep_is_held(&vq->mutex)); - rcu_assign_pointer(vq->worker, worker); -+ worker->attachment_cnt++; - -- if (!old_worker) -+ if (!old_worker) { -+ mutex_unlock(&vq->mutex); -+ mutex_unlock(&worker->mutex); - return; -+ } -+ mutex_unlock(&vq->mutex); -+ mutex_unlock(&worker->mutex); -+ - /* - * Take the worker mutex to make sure we see the work queued from - * device wide flushes which doesn't use RCU for execution. --- -2.43.0 - diff --git a/queue-6.6/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch b/queue-6.6/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch deleted file mode 100644 index 10ba90feed9..00000000000 --- a/queue-6.6/vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch +++ /dev/null @@ -1,298 +0,0 @@ -From ed47288271efa5a89f32da858a07b8913080455a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Mar 2024 19:47:06 -0500 -Subject: vhost_task: Handle SIGKILL by flushing work and exiting - -From: Mike Christie - -[ Upstream commit db5247d9bf5c6ade9fd70b4e4897441e0269b233 ] - -Instead of lingering until the device is closed, this has us handle -SIGKILL by: - -1. marking the worker as killed so we no longer try to use it with - new virtqueues and new flush operations. -2. setting the virtqueue to worker mapping so no new works are queued. -3. running all the exiting works. - -Suggested-by: Edward Adam Davis -Reported-and-tested-by: syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com -Message-Id: -Signed-off-by: Mike Christie -Message-Id: <20240316004707.45557-9-michael.christie@oracle.com> -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Sasha Levin ---- - drivers/vhost/vhost.c | 54 +++++++++++++++++++++++++++++--- - drivers/vhost/vhost.h | 2 ++ - include/linux/sched/vhost_task.h | 3 +- - kernel/vhost_task.c | 53 ++++++++++++++++++++----------- - 4 files changed, 88 insertions(+), 24 deletions(-) - -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 069c8a23bff9e..d0238bd741b08 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -285,7 +285,7 @@ static void __vhost_worker_flush(struct vhost_worker *worker) - { - struct vhost_flush_struct flush; - -- if (!worker->attachment_cnt) -+ if (!worker->attachment_cnt || worker->killed) - return; - - init_completion(&flush.wait_event); -@@ -400,7 +400,7 @@ static void vhost_vq_reset(struct vhost_dev *dev, - __vhost_vq_meta_reset(vq); - } - --static bool vhost_worker(void *data) -+static bool vhost_run_work_list(void *data) - { - struct vhost_worker *worker = data; - struct vhost_work *work, *work_next; -@@ -425,6 +425,40 @@ static bool vhost_worker(void *data) - return !!node; - } - -+static void vhost_worker_killed(void *data) -+{ -+ struct vhost_worker *worker = data; -+ struct vhost_dev *dev = worker->dev; -+ struct vhost_virtqueue *vq; -+ int i, attach_cnt = 0; -+ -+ mutex_lock(&worker->mutex); -+ worker->killed = true; -+ -+ for (i = 0; i < dev->nvqs; i++) { -+ vq = dev->vqs[i]; -+ -+ mutex_lock(&vq->mutex); -+ if (worker == -+ rcu_dereference_check(vq->worker, -+ lockdep_is_held(&vq->mutex))) { -+ rcu_assign_pointer(vq->worker, NULL); -+ attach_cnt++; -+ } -+ mutex_unlock(&vq->mutex); -+ } -+ -+ worker->attachment_cnt -= attach_cnt; -+ if (attach_cnt) -+ synchronize_rcu(); -+ /* -+ * Finish vhost_worker_flush calls and any other works that snuck in -+ * before the synchronize_rcu. -+ */ -+ vhost_run_work_list(worker); -+ mutex_unlock(&worker->mutex); -+} -+ - static void vhost_vq_free_iovecs(struct vhost_virtqueue *vq) - { - kfree(vq->indirect); -@@ -639,9 +673,11 @@ static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev) - if (!worker) - return NULL; - -+ worker->dev = dev; - snprintf(name, sizeof(name), "vhost-%d", current->pid); - -- vtsk = vhost_task_create(vhost_worker, worker, name); -+ vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed, -+ worker, name); - if (!vtsk) - goto free_worker; - -@@ -673,6 +709,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - struct vhost_worker *old_worker; - - mutex_lock(&worker->mutex); -+ if (worker->killed) { -+ mutex_unlock(&worker->mutex); -+ return; -+ } -+ - mutex_lock(&vq->mutex); - - old_worker = rcu_dereference_check(vq->worker, -@@ -693,6 +734,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq, - * device wide flushes which doesn't use RCU for execution. - */ - mutex_lock(&old_worker->mutex); -+ if (old_worker->killed) { -+ mutex_unlock(&old_worker->mutex); -+ return; -+ } -+ - /* - * We don't want to call synchronize_rcu for every vq during setup - * because it will slow down VM startup. If we haven't done -@@ -770,7 +816,7 @@ static int vhost_free_worker(struct vhost_dev *dev, - return -ENODEV; - - mutex_lock(&worker->mutex); -- if (worker->attachment_cnt) { -+ if (worker->attachment_cnt || worker->killed) { - mutex_unlock(&worker->mutex); - return -EBUSY; - } -diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h -index f60d5f7bef944..8014d2b359503 100644 ---- a/drivers/vhost/vhost.h -+++ b/drivers/vhost/vhost.h -@@ -28,12 +28,14 @@ struct vhost_work { - - struct vhost_worker { - struct vhost_task *vtsk; -+ struct vhost_dev *dev; - /* Used to serialize device wide flushing with worker swapping. */ - struct mutex mutex; - struct llist_head work_list; - u64 kcov_handle; - u32 id; - int attachment_cnt; -+ bool killed; - }; - - /* Poll a file (eventfd or socket) */ -diff --git a/include/linux/sched/vhost_task.h b/include/linux/sched/vhost_task.h -index 837a23624a66a..3612de6ea1c5d 100644 ---- a/include/linux/sched/vhost_task.h -+++ b/include/linux/sched/vhost_task.h -@@ -5,7 +5,8 @@ - - struct vhost_task; - --struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, -+struct vhost_task *vhost_task_create(bool (*fn)(void *), -+ void (*handle_kill)(void *), void *arg, - const char *name); - void vhost_task_start(struct vhost_task *vtsk); - void vhost_task_stop(struct vhost_task *vtsk); -diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c -index da35e5b7f0473..8800f5acc0071 100644 ---- a/kernel/vhost_task.c -+++ b/kernel/vhost_task.c -@@ -10,38 +10,32 @@ - - enum vhost_task_flags { - VHOST_TASK_FLAGS_STOP, -+ VHOST_TASK_FLAGS_KILLED, - }; - - struct vhost_task { - bool (*fn)(void *data); -+ void (*handle_sigkill)(void *data); - void *data; - struct completion exited; - unsigned long flags; - struct task_struct *task; -+ /* serialize SIGKILL and vhost_task_stop calls */ -+ struct mutex exit_mutex; - }; - - static int vhost_task_fn(void *data) - { - struct vhost_task *vtsk = data; -- bool dead = false; - - for (;;) { - bool did_work; - -- if (!dead && signal_pending(current)) { -+ if (signal_pending(current)) { - struct ksignal ksig; -- /* -- * Calling get_signal will block in SIGSTOP, -- * or clear fatal_signal_pending, but remember -- * what was set. -- * -- * This thread won't actually exit until all -- * of the file descriptors are closed, and -- * the release function is called. -- */ -- dead = get_signal(&ksig); -- if (dead) -- clear_thread_flag(TIF_SIGPENDING); -+ -+ if (get_signal(&ksig)) -+ break; - } - - /* mb paired w/ vhost_task_stop */ -@@ -57,7 +51,19 @@ static int vhost_task_fn(void *data) - schedule(); - } - -+ mutex_lock(&vtsk->exit_mutex); -+ /* -+ * If a vhost_task_stop and SIGKILL race, we can ignore the SIGKILL. -+ * When the vhost layer has called vhost_task_stop it's already stopped -+ * new work and flushed. -+ */ -+ if (!test_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags)) { -+ set_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags); -+ vtsk->handle_sigkill(vtsk->data); -+ } -+ mutex_unlock(&vtsk->exit_mutex); - complete(&vtsk->exited); -+ - do_exit(0); - } - -@@ -78,12 +84,17 @@ EXPORT_SYMBOL_GPL(vhost_task_wake); - * @vtsk: vhost_task to stop - * - * vhost_task_fn ensures the worker thread exits after -- * VHOST_TASK_FLAGS_SOP becomes true. -+ * VHOST_TASK_FLAGS_STOP becomes true. - */ - void vhost_task_stop(struct vhost_task *vtsk) - { -- set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags); -- vhost_task_wake(vtsk); -+ mutex_lock(&vtsk->exit_mutex); -+ if (!test_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags)) { -+ set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags); -+ vhost_task_wake(vtsk); -+ } -+ mutex_unlock(&vtsk->exit_mutex); -+ - /* - * Make sure vhost_task_fn is no longer accessing the vhost_task before - * freeing it below. -@@ -96,14 +107,16 @@ EXPORT_SYMBOL_GPL(vhost_task_stop); - /** - * vhost_task_create - create a copy of a task to be used by the kernel - * @fn: vhost worker function -- * @arg: data to be passed to fn -+ * @handle_sigkill: vhost function to handle when we are killed -+ * @arg: data to be passed to fn and handled_kill - * @name: the thread's name - * - * This returns a specialized task for use by the vhost layer or NULL on - * failure. The returned task is inactive, and the caller must fire it up - * through vhost_task_start(). - */ --struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, -+struct vhost_task *vhost_task_create(bool (*fn)(void *), -+ void (*handle_sigkill)(void *), void *arg, - const char *name) - { - struct kernel_clone_args args = { -@@ -122,8 +135,10 @@ struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg, - if (!vtsk) - return NULL; - init_completion(&vtsk->exited); -+ mutex_init(&vtsk->exit_mutex); - vtsk->data = arg; - vtsk->fn = fn; -+ vtsk->handle_sigkill = handle_sigkill; - - args.fn_arg = vtsk; - --- -2.43.0 - diff --git a/queue-6.6/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch b/queue-6.6/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch deleted file mode 100644 index 4a4b40970c5..00000000000 --- a/queue-6.6/wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 45b41d7da1398b03b51955378e1b15c0501896e7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Mar 2024 19:09:16 +0800 -Subject: wifi: mt76: mt7996: add sanity checks for background radar trigger - -From: StanleyYP Wang - -[ Upstream commit ec55d8e7dfea92daff87f5c01689633f8c4e6a62 ] - -Check if background radar is enabled or not before manually triggering it, -and also add more checks in radar detected event. - -Signed-off-by: StanleyYP Wang -Signed-off-by: Shayne Chen -Signed-off-by: Felix Fietkau -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c | 5 +++++ - drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 ++++- - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c -index 4d40ec7ff57f5..630520c21a47f 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c -+++ b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c -@@ -225,6 +225,11 @@ mt7996_radar_trigger(void *data, u64 val) - if (val > MT_RX_SEL2) - return -EINVAL; - -+ if (val == MT_RX_SEL2 && !dev->rdd2_phy) { -+ dev_err(dev->mt76.dev, "Background radar is not enabled\n"); -+ return -EINVAL; -+ } -+ - return mt7996_mcu_rdd_cmd(dev, RDD_RADAR_EMULATE, - val, 0, 0); - } -diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c -index b4ea7d0a7f5a0..b66f712e1b17b 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c -@@ -339,7 +339,10 @@ mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb) - if (r->band_idx >= ARRAY_SIZE(dev->mt76.phys)) - return; - -- if (dev->rdd2_phy && r->band_idx == MT_RX_SEL2) -+ if (r->band_idx == MT_RX_SEL2 && !dev->rdd2_phy) -+ return; -+ -+ if (r->band_idx == MT_RX_SEL2) - mphy = dev->rdd2_phy->mt76; - else - mphy = dev->mt76.phys[r->band_idx]; --- -2.43.0 - diff --git a/queue-6.6/wifi-mt76-replace-skb_put-with-skb_put_zero.patch b/queue-6.6/wifi-mt76-replace-skb_put-with-skb_put_zero.patch deleted file mode 100644 index 0438276abf4..00000000000 --- a/queue-6.6/wifi-mt76-replace-skb_put-with-skb_put_zero.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 62c20ee8bf2e288bb068a03b46b843c70559d9ed Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Mar 2024 17:02:52 +0100 -Subject: wifi: mt76: replace skb_put with skb_put_zero - -From: Felix Fietkau - -[ Upstream commit 7f819a2f4fbc510e088b49c79addcf1734503578 ] - -Avoid potentially reusing uninitialized data - -Signed-off-by: Felix Fietkau -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +++++----- - drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -index dc4fbab1e1b75..998cfd73764a9 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c -@@ -255,7 +255,7 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len, - }; - u16 ntlv; - -- ptlv = skb_put(skb, len); -+ ptlv = skb_put_zero(skb, len); - memcpy(ptlv, &tlv, sizeof(tlv)); - - ntlv = le16_to_cpu(ntlv_hdr->tlv_num); -@@ -1654,7 +1654,7 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, - set_bit(MT76_HW_SCANNING, &phy->state); - mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; - -- req = (struct mt76_connac_hw_scan_req *)skb_put(skb, sizeof(*req)); -+ req = (struct mt76_connac_hw_scan_req *)skb_put_zero(skb, sizeof(*req)); - - req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7; - req->bss_idx = mvif->idx; -@@ -1782,7 +1782,7 @@ int mt76_connac_mcu_sched_scan_req(struct mt76_phy *phy, - - mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f; - -- req = (struct mt76_connac_sched_scan_req *)skb_put(skb, sizeof(*req)); -+ req = (struct mt76_connac_sched_scan_req *)skb_put_zero(skb, sizeof(*req)); - req->version = 1; - req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7; - -@@ -2416,7 +2416,7 @@ int mt76_connac_mcu_update_gtk_rekey(struct ieee80211_hw *hw, - return -ENOMEM; - - skb_put_data(skb, &hdr, sizeof(hdr)); -- gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put(skb, -+ gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put_zero(skb, - sizeof(*gtk_tlv)); - gtk_tlv->tag = cpu_to_le16(UNI_OFFLOAD_OFFLOAD_GTK_REKEY); - gtk_tlv->len = cpu_to_le16(sizeof(*gtk_tlv)); -@@ -2539,7 +2539,7 @@ mt76_connac_mcu_set_wow_pattern(struct mt76_dev *dev, - return -ENOMEM; - - skb_put_data(skb, &hdr, sizeof(hdr)); -- ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put(skb, sizeof(*ptlv)); -+ ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put_zero(skb, sizeof(*ptlv)); - ptlv->tag = cpu_to_le16(UNI_SUSPEND_WOW_PATTERN); - ptlv->len = cpu_to_le16(sizeof(*ptlv)); - ptlv->data_len = pattern->pattern_len; -diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -index 5d8e985cd7d45..272e55ef8e2d2 100644 ---- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c -@@ -422,7 +422,7 @@ mt7915_mcu_add_nested_subtlv(struct sk_buff *skb, int sub_tag, int sub_len, - .len = cpu_to_le16(sub_len), - }; - -- ptlv = skb_put(skb, sub_len); -+ ptlv = skb_put_zero(skb, sub_len); - memcpy(ptlv, &tlv, sizeof(tlv)); - - le16_add_cpu(sub_ntlv, 1); --- -2.43.0 -