From: Greg Kroah-Hartman Date: Thu, 29 Aug 2024 16:26:55 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v4.19.321~78 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5618e7935ea01801a270dcc2fea3b23de991fc8d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: alsa-hda-realtek-enable-mute-micmute-leds-on-hp-laptop-14-ey0xxx.patch alsa-hda-realtek-support-hp-pavilion-aero-13-bg0xxx-mute-led.patch alsa-seq-skip-event-type-filtering-for-ump-events.patch btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch btrfs-run-delayed-iputs-when-flushing-delalloc.patch drm-amdgpu-mes-fix-mes-ring-buffer-overflow.patch erofs-fix-out-of-bound-access-when-z_erofs_gbuf_growsize-partially-fails.patch loongarch-add-ifdefs-to-fix-lsx-and-lasx-related-warnings.patch loongarch-remove-the-unused-dma-direct.h.patch pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch series smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch tpm-ibmvtpm-call-tpm2_sessions_init-to-initialize-session-support.patch
---
diff --git a/queue-6.10/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-laptop-14-ey0xxx.patch b/queue-6.10/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-laptop-14-ey0xxx.patch
new file mode 100644
index 00000000000..74544802064
--- /dev/null
+++ b/queue-6.10/alsa-hda-realtek-enable-mute-micmute-leds-on-hp-laptop-14-ey0xxx.patch
@@ -0,0 +1,31 @@
+From 56314c0d78d6f5a60c8804c517167991a879e14a Mon Sep 17 00:00:00 2001
+From: John Sweeney
+Date: Sun, 18 Aug 2024 11:30:15 -0400
+Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Laptop 14-ey0xxx
+
+From: John Sweeney
+
+commit 56314c0d78d6f5a60c8804c517167991a879e14a upstream.
+
+HP Pavilion Plus 14-ey0xxx needs existing quirk
+ALC245_FIXUP_HP_X360_MUTE_LEDS to enable its mute/micmute LEDs.
+
+Signed-off-by: John Sweeney
+Cc:
+Link: https://patch.msgid.link/E1sfhrD-0007TA-HC@rmmprod05.runbox
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10221,6 +10221,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8c15, "HP Spectre x360 2-in-1 Laptop 14-eu0xxx", ALC245_FIXUP_HP_SPECTRE_X360_EU0XXX),
+ SND_PCI_QUIRK(0x103c, 0x8c16, "HP Spectre 16", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8c17, "HP Spectre 16", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8c21, "HP Pavilion Plus Laptop 14-ey0XXX", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8c46, "HP EliteBook 830 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c47, "HP EliteBook 840 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c48, "HP EliteBook 860 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
diff --git a/queue-6.10/alsa-hda-realtek-support-hp-pavilion-aero-13-bg0xxx-mute-led.patch b/queue-6.10/alsa-hda-realtek-support-hp-pavilion-aero-13-bg0xxx-mute-led.patch
new file mode 100644
index 00000000000..2bef8df5804
--- /dev/null
+++ b/queue-6.10/alsa-hda-realtek-support-hp-pavilion-aero-13-bg0xxx-mute-led.patch
@@ -0,0 +1,37 @@
+From 2dc43c5e212036458ed7c5586fb82ee183fee504 Mon Sep 17 00:00:00 2001
+From: Hendrik Borghorst
+Date: Sun, 25 Aug 2024 19:43:47 +0200
+Subject: ALSA: hda/realtek: support HP Pavilion Aero 13-bg0xxx Mute LED
+
+From: Hendrik Borghorst
+
+commit 2dc43c5e212036458ed7c5586fb82ee183fee504 upstream.
+
+This patch adds the HP Pavilion Aero 13 (13-bg0xxx) (year 2024) to list of
+quirks for keyboard LED mute indication.
+
+The laptop has two LEDs (one for speaker and one for mic mute). The
+pre-existing quirk ALC245_FIXUP_HP_X360_MUTE_LEDS chains both the quirk for
+mic and speaker mute.
+
+Tested on 6.11.0-rc4 with the aforementioned laptop.
+
+Signed-off-by: Hendrik Borghorst
+Cc:
+Link: https://patch.msgid.link/20240825174351.5687-1-hendrikborghorst@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10260,6 +10260,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8cbd, "HP Pavilion Aero Laptop 13-bg0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8cdd, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8cde, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8cdf, "HP SnowWhite", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
diff --git a/queue-6.10/alsa-seq-skip-event-type-filtering-for-ump-events.patch b/queue-6.10/alsa-seq-skip-event-type-filtering-for-ump-events.patch
new file mode 100644
index 00000000000..43b0b19a3c0
--- /dev/null
+++ b/queue-6.10/alsa-seq-skip-event-type-filtering-for-ump-events.patch
@@ -0,0 +1,34 @@
+From 32108c22ac619c32dd6db594319e259b63bfb387 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 19 Aug 2024 10:41:53 +0200
+Subject: ALSA: seq: Skip event type filtering for UMP events
+
+From: Takashi Iwai
+
+commit 32108c22ac619c32dd6db594319e259b63bfb387 upstream.
+
+UMP events don't use the event type field, hence it's invalid to apply
+the filter, which may drop the events unexpectedly.
+Skip the event filtering for UMP events, instead.
+
+Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
+Cc:
+Link: https://patch.msgid.link/20240819084156.10286-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/seq/seq_clientmgr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -537,6 +537,9 @@ static struct snd_seq_client *get_event_
+ return NULL;
+ if (! dest->accept_input)
+ goto __not_avail;
++ if (snd_seq_ev_is_ump(event))
++ return dest; /* ok - no filter checks */
++
+ if ((dest->filter & SNDRV_SEQ_FILTER_USE_EVENT) &&
+ ! test_bit(event->type, dest->event_filter))
+ goto __not_avail;
diff --git a/queue-6.10/btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch b/queue-6.10/btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch
new file mode 100644
index 00000000000..773a6e91636
--- /dev/null
+++ b/queue-6.10/btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch
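Review bot: The early `return dest;` added in seq_clientmgr.c skips everything below it in the function (its name is truncated to `get_event_` in the hunk header), not only the `event->type` bitmap test that the commit message talks about. The function continues outside the hunk, so if any later check there does not depend on the event type, UMP events now bypass it as well; restricting the skip to the one test would be narrower, e.g. `if (!snd_seq_ev_is_ump(event) && (dest->filter & SNDRV_SEQ_FILTER_USE_EVENT) && ! test_bit(event->type, dest->event_filter))`. The comment `/* ok - no filter checks */` should also say why: UMP events do not use `event->type`, so indexing `dest->event_filter` with it tests an unrelated bit.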
@@ -0,0 +1,200 @@
+From 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Sat, 17 Aug 2024 18:34:30 +0930
+Subject: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()
+
+From: Qu Wenruo
+
+commit 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 upstream.
+
+[BUG]
+There is an internal report that KASAN is reporting use-after-free, with
+the following backtrace:
+
+ BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]
+ Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45
+ CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
+ Call Trace:
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x5e/0x2f0
+ print_report+0x118/0x216
+ kasan_report+0x11d/0x1f0
+ btrfs_check_read_bio+0xa68/0xb70 [btrfs]
+ process_one_work+0xce0/0x12a0
+ worker_thread+0x717/0x1250
+ kthread+0x2e3/0x3c0
+ ret_from_fork+0x2d/0x70
+ ret_from_fork_asm+0x11/0x20
+
+ Allocated by task 20917:
+ kasan_save_stack+0x37/0x60
+ kasan_save_track+0x10/0x30
+ __kasan_slab_alloc+0x7d/0x80
+ kmem_cache_alloc_noprof+0x16e/0x3e0
+ mempool_alloc_noprof+0x12e/0x310
+ bio_alloc_bioset+0x3f0/0x7a0
+ btrfs_bio_alloc+0x2e/0x50 [btrfs]
+ submit_extent_page+0x4d1/0xdb0 [btrfs]
+ btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
+ btrfs_readahead+0x29a/0x430 [btrfs]
+ read_pages+0x1a7/0xc60
+ page_cache_ra_unbounded+0x2ad/0x560
+ filemap_get_pages+0x629/0xa20
+ filemap_read+0x335/0xbf0
+ vfs_read+0x790/0xcb0
+ ksys_read+0xfd/0x1d0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ Freed by task 20917:
+ kasan_save_stack+0x37/0x60
+ kasan_save_track+0x10/0x30
+ kasan_save_free_info+0x37/0x50
+ __kasan_slab_free+0x4b/0x60
+ kmem_cache_free+0x214/0x5d0
+ bio_free+0xed/0x180
+ end_bbio_data_read+0x1cc/0x580 [btrfs]
+ btrfs_submit_chunk+0x98d/0x1880 [btrfs]
+ btrfs_submit_bio+0x33/0x70 [btrfs]
+ submit_one_bio+0xd4/0x130 [btrfs]
+ submit_extent_page+0x3ea/0xdb0 [btrfs]
+ btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
+ btrfs_readahead+0x29a/0x430 [btrfs]
+ read_pages+0x1a7/0xc60
+ page_cache_ra_unbounded+0x2ad/0x560
+ filemap_get_pages+0x629/0xa20
+ filemap_read+0x335/0xbf0
+ vfs_read+0x790/0xcb0
+ ksys_read+0xfd/0x1d0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[CAUSE]
+Although I cannot reproduce the error, the report itself is good enough
+to pin down the cause.
+
+The call trace is the regular endio workqueue context, but the
+free-by-task trace is showing that during btrfs_submit_chunk() we
+already hit a critical error, and is calling btrfs_bio_end_io() to error
+out. And the original endio function called bio_put() to free the whole
+bio.
+
+This means a double freeing thus causing use-after-free, e.g.:
+
+1. Enter btrfs_submit_bio() with a read bio
+ The read bio length is 128K, crossing two 64K stripes.
+
+2. The first run of btrfs_submit_chunk()
+
+2.1 Call btrfs_map_block(), which returns 64K
+2.2 Call btrfs_split_bio()
+ Now there are two bios, one referring to the first 64K, the other
+ referring to the second 64K.
+2.3 The first half is submitted.
+
+3. The second run of btrfs_submit_chunk()
+
+3.1 Call btrfs_map_block(), which by somehow failed
+ Now we call btrfs_bio_end_io() to handle the error
+
+3.2 btrfs_bio_end_io() calls the original endio function
+ Which is end_bbio_data_read(), and it calls bio_put() for the
+ original bio.
+
+ Now the original bio is freed.
+
+4. The submitted first 64K bio finished
+ Now we call into btrfs_check_read_bio() and tries to advance the bio
+ iter.
+ But since the original bio (thus its iter) is already freed, we
+ trigger the above use-after free.
+
+ And even if the memory is not poisoned/corrupted, we will later call
+ the original endio function, causing a double freeing.
+
+[FIX]
+Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),
+which has the extra check on split bios and do the proper refcounting
+for cloned bios.
+
+Furthermore there is already one extra btrfs_cleanup_bio() call, but
+that is duplicated to btrfs_orig_bbio_end_io() call, so remove that
+label completely.
+
+Reported-by: David Sterba
+Fixes: 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Josef Bacik
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/bio.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/bio.c
++++ b/fs/btrfs/bio.c
+@@ -668,7 +668,6 @@ static bool btrfs_submit_chunk(struct bt
+ {
+ struct btrfs_inode *inode = bbio->inode;
+ struct btrfs_fs_info *fs_info = bbio->fs_info;
+- struct btrfs_bio *orig_bbio = bbio;
+ struct bio *bio = &bbio->bio;
+ u64 logical = bio->bi_iter.bi_sector << SECTOR_SHIFT;
+ u64 length = bio->bi_iter.bi_size;
+@@ -706,7 +705,7 @@ static bool btrfs_submit_chunk(struct bt
+ bbio->saved_iter = bio->bi_iter;
+ ret = btrfs_lookup_bio_sums(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ }
+
+ if (btrfs_op(bio) == BTRFS_MAP_WRITE) {
+@@ -740,13 +739,13 @@ static bool btrfs_submit_chunk(struct bt
+
+ ret = btrfs_bio_csum(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ } else if (use_append ||
+ (btrfs_is_zoned(fs_info) && inode &&
+ inode->flags & BTRFS_INODE_NODATASUM)) {
+ ret = btrfs_alloc_dummy_sum(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ }
+ }
+
+@@ -754,12 +753,23 @@ static bool btrfs_submit_chunk(struct bt
+ done:
+ return map_length == length;
+
+-fail_put_bio:
+- if (map_length < length)
+- btrfs_cleanup_bio(bbio);
+ fail:
+ btrfs_bio_counter_dec(fs_info);
+- btrfs_bio_end_io(orig_bbio, ret);
++ /*
++ * We have split the original bbio, now we have to end both the current
++ * @bbio and remaining one, as the remaining one will never be submitted.
++ */
++ if (map_length < length) {
++ struct btrfs_bio *remaining = bbio->private;
++
++ ASSERT(bbio->bio.bi_pool == &btrfs_clone_bioset);
++ ASSERT(remaining);
++
++ remaining->bio.bi_status = ret;
++ btrfs_orig_bbio_end_io(remaining);
++ }
++ bbio->bio.bi_status = ret;
++ btrfs_orig_bbio_end_io(bbio);
+ /* Do not submit another chunk */
+ return true;
+ }
diff --git a/queue-6.10/btrfs-run-delayed-iputs-when-flushing-delalloc.patch b/queue-6.10/btrfs-run-delayed-iputs-when-flushing-delalloc.patch
new file mode 100644
index 00000000000..56264f3e3e1
--- /dev/null
+++ b/queue-6.10/btrfs-run-delayed-iputs-when-flushing-delalloc.patch
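Review bot: In the new `fail:` path of btrfs_submit_chunk(), `remaining` is read from `bbio->private` and dereferenced right after `ASSERT(remaining);`, so an assertion is the only guard on that pointer. If ASSERT() is compiled out in production configurations (in btrfs this appears to depend on a debug option; confirm), a NULL or stale `private` turns this error path into a NULL dereference instead of a clean failure. The branch also treats `map_length < length` as proof that the split already happened; `fail` is reachable from gotos outside this hunk, so it is worth confirming that none of them can arrive with `map_length` already reduced while `bbio` is still the original bio. A comment stating the invariant next to the `if`, e.g. `/* map_length < length implies bbio is the clone returned by btrfs_split_bio() */`, would make it checkable.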
@@ -0,0 +1,45 @@
+From 2d3447261031503b181dacc549fe65ffe2d93d65 Mon Sep 17 00:00:00 2001
+From: Josef Bacik
+Date: Wed, 21 Aug 2024 15:53:18 -0400
+Subject: btrfs: run delayed iputs when flushing delalloc
+
+From: Josef Bacik
+
+commit 2d3447261031503b181dacc549fe65ffe2d93d65 upstream.
+
+We have transient failures with btrfs/301, specifically in the part
+where we do
+
+ for i in $(seq 0 10); do
+ write 50m to file
+ rm -f file
+ done
+
+Sometimes this will result in a transient quota error, and it's because
+sometimes we start writeback on the file which results in a delayed
+iput, and thus the rm doesn't actually clean the file up. When we're
+flushing the quota space we need to run the delayed iputs to make sure
+all the unlinks that we think have completed have actually completed.
+This removes the small window where we could fail to find enough space
+in our quota.
+
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Josef Bacik
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/qgroup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -4100,6 +4100,8 @@ static int try_flush_qgroup(struct btrfs
+ return 0;
+ }
+
++ btrfs_run_delayed_iputs(root->fs_info);
++ btrfs_wait_on_delayed_iputs(root->fs_info);
+ ret = btrfs_start_delalloc_snapshot(root, true);
+ if (ret < 0)
+ goto out;
diff --git a/queue-6.10/drm-amdgpu-mes-fix-mes-ring-buffer-overflow.patch b/queue-6.10/drm-amdgpu-mes-fix-mes-ring-buffer-overflow.patch
new file mode 100644
index 00000000000..2576f240f97
--- /dev/null
+++ b/queue-6.10/drm-amdgpu-mes-fix-mes-ring-buffer-overflow.patch
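Review bot: The two calls added before `btrfs_start_delalloc_snapshot()` in try_flush_qgroup() discard whatever `btrfs_wait_on_delayed_iputs()` reports; if that helper can return early (for instance when the wait is interrupted, which is not visible here), the flush goes ahead with iputs still pending and the transient quota error from the commit message can still occur. Either propagate it, `ret = btrfs_wait_on_delayed_iputs(root->fs_info);` followed by `if (ret) goto out;`, or add a comment that the wait is best effort. A one-line comment such as `/* finish pending unlinks so their space is released before flushing */` would also explain why inode puts are run from a qgroup flush path. The function body starts and ends outside the hunk.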
@@ -0,0 +1,93 @@
+From 11752c013f562a1124088a35bd314aa0e9f0e88f Mon Sep 17 00:00:00 2001
+From: Jack Xiao
+Date: Thu, 18 Jul 2024 16:38:50 +0800
+Subject: drm/amdgpu/mes: fix mes ring buffer overflow
+
+From: Jack Xiao
+
+commit 11752c013f562a1124088a35bd314aa0e9f0e88f upstream.
+
+wait memory room until enough before writing mes packets
+to avoid ring buffer overflow.
+
+v2: squash in sched_hw_submission fix
+
+Fixes: de3246254156 ("drm/amdgpu: cleanup MES11 command submission")
+Fixes: fffe347e1478 ("drm/amdgpu: cleanup MES12 command submission")
+Signed-off-by: Jack Xiao
+Acked-by: Alex Deucher
+Signed-off-by: Alex Deucher
+(cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 ++
+ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 18 ++++++++++++++----
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -212,6 +212,8 @@ int amdgpu_ring_init(struct amdgpu_devic
+ */
+ if (ring->funcs->type == AMDGPU_RING_TYPE_KIQ)
+ sched_hw_submission = max(sched_hw_submission, 256);
++ if (ring->funcs->type == AMDGPU_RING_TYPE_MES)
++ sched_hw_submission = 8;
+ else if (ring == &adev->sdma.instance[0].page)
+ sched_hw_submission = 256;
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+@@ -163,7 +163,7 @@ static int mes_v11_0_submit_pkt_and_poll
+ const char *op_str, *misc_op_str;
+ unsigned long flags;
+ u64 status_gpu_addr;
+- u32 status_offset;
++ u32 seq, status_offset;
+ u64 *status_ptr;
+ signed long r;
+ int ret;
+@@ -191,6 +191,13 @@ static int mes_v11_0_submit_pkt_and_poll
+ if (r)
+ goto error_unlock_free;
+
++ seq = ++ring->fence_drv.sync_seq;
++ r = amdgpu_fence_wait_polling(ring,
++ seq - ring->fence_drv.num_fences_mask,
++ timeout);
++ if (r < 1)
++ goto error_undo;
++
+ api_status = (struct MES_API_STATUS *)((char *)pkt + api_status_off);
+ api_status->api_completion_fence_addr = status_gpu_addr;
+ api_status->api_completion_fence_value = 1;
+@@ -203,8 +210,7 @@ static int mes_v11_0_submit_pkt_and_poll
+ mes_status_pkt.header.dwsize = API_FRAME_SIZE_IN_DWORDS;
+ mes_status_pkt.api_status.api_completion_fence_addr =
+ ring->fence_drv.gpu_addr;
+- mes_status_pkt.api_status.api_completion_fence_value =
+- ++ring->fence_drv.sync_seq;
++ mes_status_pkt.api_status.api_completion_fence_value = seq;
+
+ amdgpu_ring_write_multiple(ring, &mes_status_pkt,
+ sizeof(mes_status_pkt) / 4);
+@@ -224,7 +230,7 @@ static int mes_v11_0_submit_pkt_and_poll
+ dev_dbg(adev->dev, "MES msg=%d was emitted\n",
+ x_pkt->header.opcode);
+
+- r = amdgpu_fence_wait_polling(ring, ring->fence_drv.sync_seq, timeout);
++ r = amdgpu_fence_wait_polling(ring, seq, timeout);
+ if (r < 1 || !*status_ptr) {
+
+ if (misc_op_str)
+@@ -247,6 +253,10 @@ static int mes_v11_0_submit_pkt_and_poll
+ amdgpu_device_wb_free(adev, status_offset);
+ return 0;
+
++error_undo:
++ dev_err(adev->dev, "MES ring buffer is full.\n");
++ amdgpu_ring_undo(ring);
++
+ error_unlock_free:
+ spin_unlock_irqrestore(&mes->ring_lock, flags);
+
diff --git a/queue-6.10/erofs-fix-out-of-bound-access-when-z_erofs_gbuf_growsize-partially-fails.patch b/queue-6.10/erofs-fix-out-of-bound-access-when-z_erofs_gbuf_growsize-partially-fails.patch
new file mode 100644
index 00000000000..148442522e6
--- /dev/null
+++ b/queue-6.10/erofs-fix-out-of-bound-access-when-z_erofs_gbuf_growsize-partially-fails.patch
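Review bot: In mes_v11_0_submit_pkt_and_poll(), `seq = ++ring->fence_drv.sync_seq;` runs before the new room check, and the `error_undo` path only calls `amdgpu_ring_undo(ring)`; as far as the hunk shows, `sync_seq` stays incremented although no status packet carrying that value was written. That leaves a gap in the fence sequence whose effect depends on how the fence driver treats skipped values (not visible here), so either take the increment after the wait succeeds or restore it in `error_undo`. In amdgpu_ring_init() the new `if (ring->funcs->type == AMDGPU_RING_TYPE_MES)` is inserted between the KIQ `if` and the existing `else if`, which re-parents that `else if` onto the MES test; writing `else if (ring->funcs->type == AMDGPU_RING_TYPE_MES)` keeps the chain intact. The literal `8` also deserves a comment tying it to the MES ring size it is meant to protect.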
@@ -0,0 +1,45 @@
+From 0005e01e1e875c5e27130c5e2ed0189749d1e08a Mon Sep 17 00:00:00 2001
+From: Gao Xiang
+Date: Tue, 20 Aug 2024 16:56:19 +0800
+Subject: erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails
+
+From: Gao Xiang
+
+commit 0005e01e1e875c5e27130c5e2ed0189749d1e08a upstream.
+
+If z_erofs_gbuf_growsize() partially fails on a global buffer due to
+memory allocation failure or fault injection (as reported by syzbot [1]),
+new pages need to be freed by comparing to the existing pages to avoid
+memory leaks.
+
+However, the old gbuf->pages[] array may not be large enough, which can
+lead to null-ptr-deref or out-of-bound access.
+
+Fix this by checking against gbuf->nrpages in advance.
+
+[1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com
+
+Reported-by: syzbot+242ee56aaa9585553766@syzkaller.appspotmail.com
+Fixes: d6db47e571dc ("erofs: do not use pagepool in z_erofs_gbuf_growsize()")
+Cc: # 6.10+
+Reviewed-by: Chunhai Guo
+Reviewed-by: Sandeep Dhavale
+Signed-off-by: Gao Xiang
+Link: https://lore.kernel.org/r/20240820085619.1375963-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/erofs/zutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/erofs/zutil.c
++++ b/fs/erofs/zutil.c
+@@ -111,7 +111,8 @@ int z_erofs_gbuf_growsize(unsigned int n
+ out:
+ if (i < z_erofs_gbuf_count && tmp_pages) {
+ for (j = 0; j < nrpages; ++j)
+- if (tmp_pages[j] && tmp_pages[j] != gbuf->pages[j])
++ if (tmp_pages[j] && (j >= gbuf->nrpages ||
++ tmp_pages[j] != gbuf->pages[j]))
+ __free_page(tmp_pages[j]);
+ kfree(tmp_pages);
+ }
diff --git a/queue-6.10/loongarch-add-ifdefs-to-fix-lsx-and-lasx-related-warnings.patch b/queue-6.10/loongarch-add-ifdefs-to-fix-lsx-and-lasx-related-warnings.patch
new file mode 100644
index 00000000000..1fe08c45ba4
--- /dev/null
+++ b/queue-6.10/loongarch-add-ifdefs-to-fix-lsx-and-lasx-related-warnings.patch
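Review bot: The new bound `j >= gbuf->nrpages` in the cleanup loop of z_erofs_gbuf_growsize() is the only thing keeping `gbuf->pages[j]` in range, yet nothing in the code says so and the nested `for`/`if` has no braces. A comment above the test, e.g. `/* tmp_pages[] may be longer than the old gbuf->pages[]; entries past gbuf->nrpages are always newly allocated */`, would stop a later cleanup from folding the condition back into the plain comparison. The check also relies on `gbuf` still pointing at the buffer whose growth failed and on `nrpages` being consistent with `pages` (including the empty case); both are set up outside the hunk and worth confirming.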
@@ -0,0 +1,72 @@
+From 80376323e2b6a4559f86b2b4d864848ac25cb054 Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang
+Date: Mon, 26 Aug 2024 23:11:32 +0800
+Subject: LoongArch: Add ifdefs to fix LSX and LASX related warnings
+
+From: Tiezhu Yang
+
+commit 80376323e2b6a4559f86b2b4d864848ac25cb054 upstream.
+
+There exist some warnings when building kernel if CONFIG_CPU_HAS_LBT is
+set but CONFIG_CPU_HAS_LSX and CONFIG_CPU_HAS_LASX are not set. In this
+case, there are no definitions of _restore_lsx & _restore_lasx and there
+are also no definitions of kvm_restore_lsx & kvm_restore_lasx in fpu.S
+and switch.S respectively, just add some ifdefs to fix these warnings.
+
+ AS arch/loongarch/kernel/fpu.o
+arch/loongarch/kernel/fpu.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+arch/loongarch/kernel/fpu.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+
+ AS [M] arch/loongarch/kvm/switch.o
+arch/loongarch/kvm/switch.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+arch/loongarch/kvm/switch.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+
+ MODPOST Module.symvers
+ERROR: modpost: "kvm_restore_lsx" [arch/loongarch/kvm/kvm.ko] undefined!
+ERROR: modpost: "kvm_restore_lasx" [arch/loongarch/kvm/kvm.ko] undefined!
+
+Cc: stable@vger.kernel.org # 6.9+
+Fixes: cb8a2ef0848c ("LoongArch: Add ORC stack unwinder support")
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202408120955.qls5oNQY-lkp@intel.com/
+Signed-off-by: Tiezhu Yang
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kernel/fpu.S | 4 ++++
+ arch/loongarch/kvm/switch.S | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/arch/loongarch/kernel/fpu.S b/arch/loongarch/kernel/fpu.S
+index 69a85f2479fb..6ab640101457 100644
+--- a/arch/loongarch/kernel/fpu.S
++++ b/arch/loongarch/kernel/fpu.S
+@@ -530,6 +530,10 @@ SYM_FUNC_END(_restore_lasx_context)
+
+ #ifdef CONFIG_CPU_HAS_LBT
+ STACK_FRAME_NON_STANDARD _restore_fp
++#ifdef CONFIG_CPU_HAS_LSX
+ STACK_FRAME_NON_STANDARD _restore_lsx
++#endif
++#ifdef CONFIG_CPU_HAS_LASX
+ STACK_FRAME_NON_STANDARD _restore_lasx
+ #endif
++#endif
+diff --git a/arch/loongarch/kvm/switch.S b/arch/loongarch/kvm/switch.S
+index 80e988985a6a..0c292f818492 100644
+--- a/arch/loongarch/kvm/switch.S
++++ b/arch/loongarch/kvm/switch.S
+@@ -277,6 +277,10 @@ SYM_DATA(kvm_enter_guest_size, .quad kvm_enter_guest_end - kvm_enter_guest)
+
+ #ifdef CONFIG_CPU_HAS_LBT
+ STACK_FRAME_NON_STANDARD kvm_restore_fpu
++#ifdef CONFIG_CPU_HAS_LSX
+ STACK_FRAME_NON_STANDARD kvm_restore_lsx
++#endif
++#ifdef CONFIG_CPU_HAS_LASX
+ STACK_FRAME_NON_STANDARD kvm_restore_lasx
+ #endif
++#endif
+--
+2.46.0
+
diff --git a/queue-6.10/loongarch-remove-the-unused-dma-direct.h.patch b/queue-6.10/loongarch-remove-the-unused-dma-direct.h.patch
new file mode 100644
index 00000000000..d887411168a
--- /dev/null
+++ b/queue-6.10/loongarch-remove-the-unused-dma-direct.h.patch
@@ -0,0 +1,40 @@
+From 58aec91efb93338d1cc7acc0a93242613a2a4e5f Mon Sep 17 00:00:00 2001
+From: Miao Wang
+Date: Sun, 25 Aug 2024 22:17:39 +0800
+Subject: LoongArch: Remove the unused dma-direct.h
+
+From: Miao Wang
+
+commit 58aec91efb93338d1cc7acc0a93242613a2a4e5f upstream.
+
+dma-direct.h is introduced in commit d4b6f1562a3c3284 ("LoongArch: Add
+Non-Uniform Memory Access (NUMA) support"). In commit c78c43fe7d42524c
+("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA"),
+ARCH_HAS_PHYS_TO_DMA was deselected and the coresponding phys_to_dma()/
+dma_to_phys() functions were removed. However, the unused dma-direct.h
+was left behind, which is removed by this patch.
+
+Cc:
+Fixes: c78c43fe7d42 ("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA")
+Signed-off-by: Miao Wang
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/include/asm/dma-direct.h | 11 -----------
+ 1 file changed, 11 deletions(-)
+ delete mode 100644 arch/loongarch/include/asm/dma-direct.h
+
+--- a/arch/loongarch/include/asm/dma-direct.h
++++ /dev/null
+@@ -1,11 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
+-/*
+- * Copyright (C) 2020-2022 Loongson Technology Corporation Limited
+- */
+-#ifndef _LOONGARCH_DMA_DIRECT_H
+-#define _LOONGARCH_DMA_DIRECT_H
+-
+-dma_addr_t phys_to_dma(struct device *dev, phys_addr_t paddr);
+-phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
+-
+-#endif /* _LOONGARCH_DMA_DIRECT_H */
diff --git a/queue-6.10/pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch b/queue-6.10/pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch
new file mode 100644
index 00000000000..2650f8725a2
--- /dev/null
+++ b/queue-6.10/pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch
@@ -0,0 +1,52 @@
+From 128f71fe014fc91efa1407ce549f94a9a9f1072c Mon Sep 17 00:00:00 2001
+From: Huang-Huang Bao
+Date: Tue, 9 Jul 2024 18:54:28 +0800
+Subject: pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins
+
+From: Huang-Huang Bao
+
+commit 128f71fe014fc91efa1407ce549f94a9a9f1072c upstream.
+
+The base iomux offsets for each GPIO pin line are accumulatively
+calculated based off iomux width flag in rockchip_pinctrl_get_soc_data.
+If the iomux width flag is one of IOMUX_WIDTH_4BIT, IOMUX_WIDTH_3BIT or
+IOMUX_WIDTH_2BIT, the base offset for next pin line would increase by 8
+bytes, otherwise it would increase by 4 bytes.
+
+Despite most of GPIO2-B iomux have 2-bit data width, which can be fit
+into 4 bytes space with write mask, it actually take 8 bytes width for
+whole GPIO2-B line.
+
+Commit e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328
+GPIO2-B pins") wrongly set iomux width flag to 0, causing all base
+iomux offset for line after GPIO2-B to be calculated wrong. Fix the
+iomux width flag to IOMUX_WIDTH_2BIT so the offset after GPIO2-B is
+correctly increased by 8, matching the actual width of GPIO2-B iomux.
+
+Fixes: e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins")
+Cc: stable@vger.kernel.org
+Reported-by: Richard Kojedzinszky
+Closes: https://lore.kernel.org/linux-rockchip/4f29b743202397d60edfb3c725537415@kojedz.in/
+Tested-by: Richard Kojedzinszky
+Signed-off-by: Huang-Huang Bao
+Reviewed-by: Heiko Stuebner
+Tested-by: Daniel Golle
+Tested-by: Trevor Woerner
+Link: https://lore.kernel.org/20240709105428.1176375-1-i@eh5.me
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-rockchip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -3800,7 +3800,7 @@ static struct rockchip_pin_bank rk3328_p
+ PIN_BANK_IOMUX_FLAGS(0, 32, "gpio0", 0, 0, 0, 0),
+ PIN_BANK_IOMUX_FLAGS(1, 32, "gpio1", 0, 0, 0, 0),
+ PIN_BANK_IOMUX_FLAGS(2, 32, "gpio2", 0,
+- 0,
++ IOMUX_WIDTH_2BIT,
+ IOMUX_WIDTH_3BIT,
+ 0),
+ PIN_BANK_IOMUX_FLAGS(3, 32, "gpio3",
diff --git a/queue-6.10/pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch b/queue-6.10/pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch
new file mode 100644
index 00000000000..deb93dfaf33
--- /dev/null
+++ b/queue-6.10/pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch
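Review bot: The `IOMUX_WIDTH_2BIT` now set in the `gpio2` entry matters for offset accounting and not only for field width, and the table gives no hint of that coupling. Per the commit message the flag decides whether the base offset of the following pin line advances by 8 or by 4 bytes, which is exactly what the earlier fix got wrong; a comment next to the entry such as `/* GPIO2-B occupies 8 bytes of iomux space; this flag also drives the offset of the lines after it */` would guard against a repeat. The array initializer continues outside the hunk.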
@@ -0,0 +1,36 @@
+From 1c38a62f15e595346a1106025722869e87ffe044 Mon Sep 17 00:00:00 2001
+From: Ma Ke
+Date: Thu, 8 Aug 2024 12:13:55 +0800
+Subject: pinctrl: single: fix potential NULL dereference in pcs_get_function()
+
+From: Ma Ke
+
+commit 1c38a62f15e595346a1106025722869e87ffe044 upstream.
+
+pinmux_generic_get_function() can return NULL and the pointer 'function'
+was dereferenced without checking against NULL. Add checking of pointer
+'function' in pcs_get_function().
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions")
+Signed-off-by: Ma Ke
+Link: https://lore.kernel.org/20240808041355.2766009-1-make24@iscas.ac.cn
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-single.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -345,6 +345,8 @@ static int pcs_get_function(struct pinct
+ return -ENOTSUPP;
+ fselector = setting->func;
+ function = pinmux_generic_get_function(pctldev, fselector);
++ if (!function)
++ return -EINVAL;
+ *func = function->data;
+ if (!(*func)) {
+ dev_err(pcs->dev, "%s could not find function%i\n",
diff --git a/queue-6.10/series b/queue-6.10/series
new file mode 100644
index 00000000000..c24d29d3fe2
--- /dev/null
+++ b/queue-6.10/series
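Review bot: The new NULL check in pcs_get_function() returns `-EINVAL` silently, while the `!(*func)` failure two lines below reports through `dev_err()` and the earlier exit uses `-ENOTSUPP`. A missing entry here means the selector taken from `setting->func` does not resolve in the generic pinmux table, which deserves the same log line for diagnosis, e.g. `dev_err(pcs->dev, "%s could not find function%i\n", __func__, fselector);` (arguments inferred from the visible format string, so align them with the existing call). `*func` is left unwritten on this path, so callers have to test the return value before using it. The function ends outside the hunk.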
@@ -0,0 +1,13 @@
+drm-amdgpu-mes-fix-mes-ring-buffer-overflow.patch
+erofs-fix-out-of-bound-access-when-z_erofs_gbuf_growsize-partially-fails.patch
+alsa-seq-skip-event-type-filtering-for-ump-events.patch
+alsa-hda-realtek-enable-mute-micmute-leds-on-hp-laptop-14-ey0xxx.patch
+alsa-hda-realtek-support-hp-pavilion-aero-13-bg0xxx-mute-led.patch
+loongarch-remove-the-unused-dma-direct.h.patch
+loongarch-add-ifdefs-to-fix-lsx-and-lasx-related-warnings.patch
+tpm-ibmvtpm-call-tpm2_sessions_init-to-initialize-session-support.patch
+btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch
+btrfs-run-delayed-iputs-when-flushing-delalloc.patch
+smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch
+pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch
+pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch
diff --git a/queue-6.10/smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch b/queue-6.10/smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch
new file mode 100644
index 00000000000..223c097c23b
--- /dev/null
+++ b/queue-6.10/smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch
@@ -0,0 +1,33 @@
+From c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 21 Aug 2024 17:18:23 +0200
+Subject: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()
+
+From: Stefan Metzmacher
+
+commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream.
+
+This happens when called from SMB2_read() while using rdma
+and reaching the rdma_readwrite_threshold.
+
+Cc: stable@vger.kernel.org
+Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper")
+Reviewed-by: David Howells
+Signed-off-by: Stefan Metzmacher
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -4435,7 +4435,7 @@ smb2_new_read_req(void **buf, unsigned i
+ * If we want to do a RDMA write, fill in and append
+ * smbd_buffer_descriptor_v1 to the end of read request
+ */
+- if (smb3_use_rdma_offload(io_parms)) {
++ if (rdata && smb3_use_rdma_offload(io_parms)) {
+ struct smbd_buffer_descriptor_v1 *v1;
+ bool need_invalidate = server->dialect == SMB30_PROT_ID;
+
diff --git a/queue-6.10/tpm-ibmvtpm-call-tpm2_sessions_init-to-initialize-session-support.patch b/queue-6.10/tpm-ibmvtpm-call-tpm2_sessions_init-to-initialize-session-support.patch
new file mode 100644
index 00000000000..8be5f905b3e
--- /dev/null
+++ b/queue-6.10/tpm-ibmvtpm-call-tpm2_sessions_init-to-initialize-session-support.patch
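Review bot: With `rdata && ...` in smb2_new_read_req(), a caller that passes `rdata == NULL` on an RDMA connection now silently gets a non-offloaded read even above `rdma_readwrite_threshold`. That removes the NULL dereference, but the guard lives at this one call site rather than in `smb3_use_rdma_offload()`, so any other user of the helper that goes on to touch `rdata` needs the same test; the rest of the function is outside the hunk. The block comment above the `if` should record the contract, for example an added line `* Offload is only possible when the caller supplies rdata; SMB2_read() passes NULL and uses a regular read` (wording to be checked against the body). It is also worth confirming that a regular read of a size above the threshold is acceptable to the transport.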
@@ -0,0 +1,47 @@
+From 08d08e2e9f0ad1af0044e4747723f66677c35ee9 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Mon, 29 Jul 2024 09:29:34 -0400
+Subject: tpm: ibmvtpm: Call tpm2_sessions_init() to initialize session support
+
+From: Stefan Berger
+
+commit 08d08e2e9f0ad1af0044e4747723f66677c35ee9 upstream.
+
+Commit d2add27cf2b8 ("tpm: Add NULL primary creation") introduced
+CONFIG_TCG_TPM2_HMAC. When this option is enabled on ppc64 then the
+following message appears in the kernel log due to a missing call to
+tpm2_sessions_init().
+
+[ 2.654549] tpm tpm0: auth session is not active
+
+Add the missing call to tpm2_session_init() to the ibmvtpm driver to
+resolve this issue.
+
+Cc: stable@vger.kernel.org # v6.10+
+Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation")
+Signed-off-by: Stefan Berger
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_ibmvtpm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c
+index d3989b257f42..1e5b107d1f3b 100644
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -698,6 +698,10 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
+ rc = tpm2_get_cc_attrs_tbl(chip);
+ if (rc)
+ goto init_irq_cleanup;
++
++ rc = tpm2_sessions_init(chip);
++ if (rc)
++ goto init_irq_cleanup;
+ }
+
+ return tpm_chip_register(chip);
+--
+2.46.0
+
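Review bot: In tpm_ibmvtpm_probe(), a failure of `tpm2_sessions_init()` now aborts the probe through `init_irq_cleanup`, so a vTPM on which session setup fails is not registered at all. Failing closed is the safer choice for a feature that authenticates TPM traffic, but the intent should be written down, e.g. `/* HMAC sessions are mandatory once enabled: do not register a chip that cannot set them up */`, so that nobody later downgrades it to a warning without thinking about it. The call sits inside a block whose condition is outside the hunk; confirm it is the TPM 2.0 branch and that `init_irq_cleanup` releases whatever the preceding `tpm2_get_cc_attrs_tbl()` step set up.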