From: Sasha Levin Date: Fri, 10 Nov 2023 17:35:11 +0000 (-0500) Subject: Fixes for 4.19 X-Git-Tag: v4.14.330~65 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=610a524d905a5649da9b0b9f4242bf06b8e10533;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch b/queue-4.19/acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch new file mode 100644 index 00000000000..13bcabd08c0 --- /dev/null +++ b/queue-4.19/acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch 
@@ -0,0 +1,62 @@ +From ffb416c52e98dc2b03388de5089d89fc71165dd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 20:32:54 +0200 +Subject: ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() + +From: Christophe JAILLET + +[ Upstream commit 48cf49d31994ff97b33c4044e618560ec84d35fb ] + +snprintf() does not return negative values on error. + +To know if the buffer was too small, the returned value needs to be +compared with the length of the passed buffer. If it is greater or +equal, the output has been truncated, so add checks for the truncation +to create_pnp_modalias() and create_of_modalias(). Also make them +return -ENOMEM in that case, as they already do that elsewhere. + +Moreover, the remaining size of the buffer used by snprintf() needs to +be updated after the first write to avoid out-of-bounds access as +already done correctly in create_pnp_modalias(), but not in +create_of_modalias(), so change the latter accordingly. + +Fixes: 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present") +Signed-off-by: Christophe JAILLET +[ rjw: Merge two patches into one, combine changelogs, add subject ] +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/device_sysfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c +index f792b149a5745..146be9cdeca5a 100644 +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -164,8 +164,8 @@ static int create_pnp_modalias(struct acpi_device *acpi_dev, char *modalias, + return 0; + + len = snprintf(modalias, size, "acpi:"); +- if (len <= 0) +- return len; ++ if (len >= size) ++ return -ENOMEM; + + size -= len; + +@@ -218,8 +218,10 @@ static int create_of_modalias(struct acpi_device *acpi_dev, char *modalias, + len = snprintf(modalias, size, "of:N%sT", (char *)buf.pointer); + ACPI_FREE(buf.pointer); + +- if (len <= 0) +- return len; ++ if (len >= size) ++ return -ENOMEM; ++ ++ size -= len; + + of_compatible = acpi_dev->data.of_compatible; + if (of_compatible->type == ACPI_TYPE_PACKAGE) { +-- +2.42.0 + diff --git a/queue-4.19/arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch b/queue-4.19/arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch new file mode 100644 index 00000000000..4796685e3ac --- /dev/null +++ b/queue-4.19/arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch 
@@ -0,0 +1,63 @@ +From 6fefb3920c59d8e29e4824e9b3c2b7fc806c7331 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 15:06:06 +0100 +Subject: ARM: 9321/1: memset: cast the constant byte to unsigned char + +From: Kursad Oney + +[ Upstream commit c0e824661f443b8cab3897006c1bbc69fd0e7bc4 ] + +memset() description in ISO/IEC 9899:1999 (and elsewhere) says: + + The memset function copies the value of c (converted to an + unsigned char) into each of the first n characters of the + object pointed to by s. + +The kernel's arm32 memset does not cast c to unsigned char. This results +in the following code to produce erroneous output: + + char a[128]; + memset(a, -128, sizeof(a)); + +This is because gcc will generally emit the following code before +it calls memset() : + + mov r0, r7 + mvn r1, #127 ; 0x7f + bl 00000000 + +r1 ends up with 0xffffff80 before being used by memset() and the +'a' array will have -128 once in every four bytes while the other +bytes will be set incorrectly to -1 like this (printing the first +8 bytes) : + + test_module: -128 -1 -1 -1 + test_module: -1 -1 -1 -128 + +The change here is to 'and' r1 with 255 before it is used. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Ard Biesheuvel +Reviewed-by: Linus Walleij +Signed-off-by: Kursad Oney +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/lib/memset.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/lib/memset.S b/arch/arm/lib/memset.S +index ed6d35d9cdb5a..a68688f3f3b3d 100644 +--- a/arch/arm/lib/memset.S ++++ b/arch/arm/lib/memset.S +@@ -19,6 +19,7 @@ + ENTRY(mmioset) + ENTRY(memset) + UNWIND( .fnstart ) ++ and r1, r1, #255 @ cast to unsigned char + ands r3, r0, #3 @ 1 unaligned? + mov ip, r0 @ preserve r0 as return value + bne 6f @ 1 +-- +2.42.0 + 
diff --git a/queue-4.19/arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch b/queue-4.19/arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch new file mode 100644 index 00000000000..ac75fcf2eb4 --- /dev/null +++ b/queue-4.19/arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch @@ -0,0 +1,51 @@ +From 0ae1296e106da8370fc456d21a586aa3e89f15f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Sep 2023 20:39:13 +0200 +Subject: ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator + +From: Krzysztof Kozlowski + +[ Upstream commit 09f8ee81b6da5f76de8b83c8bfc4475b54e101e0 ] + +Fixed regulator put under "regulators" node will not be populated, +unless simple-bus or something similar is used. Drop the "regulators" +wrapper node to fix this. + +Fixes: 2c5e596524e7 ("ARM: dts: Add MDM9615 dtsi") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20230924183914.51414-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-mdm9615.dtsi | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-mdm9615.dtsi b/arch/arm/boot/dts/qcom-mdm9615.dtsi +index c852b69229c97..26d49f35331b8 100644 +--- a/arch/arm/boot/dts/qcom-mdm9615.dtsi ++++ b/arch/arm/boot/dts/qcom-mdm9615.dtsi +@@ -82,14 +82,12 @@ cxo_board { + }; + }; + +- regulators { +- vsdcc_fixed: vsdcc-regulator { +- compatible = "regulator-fixed"; +- regulator-name = "SDCC Power"; +- regulator-min-microvolt = <2700000>; +- regulator-max-microvolt = <2700000>; +- regulator-always-on; +- }; ++ vsdcc_fixed: vsdcc-regulator { ++ compatible = "regulator-fixed"; ++ regulator-name = "SDCC Power"; ++ regulator-min-microvolt = <2700000>; ++ regulator-max-microvolt = <2700000>; ++ regulator-always-on; + }; + + soc: soc { +-- +2.42.0 + 
diff --git a/queue-4.19/asoc-ams-delta.c-use-component-after-check.patch b/queue-4.19/asoc-ams-delta.c-use-component-after-check.patch new file mode 100644 index 00000000000..a15ed6105f7 --- /dev/null +++ b/queue-4.19/asoc-ams-delta.c-use-component-after-check.patch @@ -0,0 +1,56 @@ +From 7cf41a750680916400863f216446a0d40f92ae5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 00:09:56 +0000 +Subject: ASoC: ams-delta.c: use component after check + +From: Kuninori Morimoto + +[ Upstream commit bd0f7498bc9084d8cccc5484cd004b40f314b763 ] + + static void cx81801_close() + { + ... +(A) struct snd_soc_dapm_context *dapm = &component->card->dapm; + ... +(B) if (!component) + return; + } + +(A) uses component before NULL check (B). This patch moves it after (B). + +Fixes: d0fdfe34080c ("ASoC: cx20442: replace codec to component") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/3e608474-e99a-4866-ae98-3054a4221f09@moroto.mountain +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87ttqdq623.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/ams-delta.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/omap/ams-delta.c b/sound/soc/omap/ams-delta.c +index 4dce494dfbd3e..ef9fda16ce131 100644 +--- a/sound/soc/omap/ams-delta.c ++++ b/sound/soc/omap/ams-delta.c +@@ -300,7 +300,7 @@ static int cx81801_open(struct tty_struct *tty) + static void cx81801_close(struct tty_struct *tty) + { + struct snd_soc_component *component = tty->disc_data; +- struct snd_soc_dapm_context *dapm = &component->card->dapm; ++ struct snd_soc_dapm_context *dapm; + + del_timer_sync(&cx81801_timer); + +@@ -312,6 +312,8 @@ static void cx81801_close(struct tty_struct *tty) + + v253_ops.close(tty); + ++ dapm = &component->card->dapm; ++ + /* Revert back to default audio input/output constellation */ + snd_soc_dapm_mutex_lock(dapm); + +-- +2.42.0 + 
diff --git a/queue-4.19/asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch b/queue-4.19/asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch new file mode 100644 index 00000000000..1edacc8fa61 --- /dev/null +++ b/queue-4.19/asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch @@ -0,0 +1,40 @@ +From 797dd3baaa346cbc9e06c386528ba0ce85a9c88d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 10:25:58 +0200 +Subject: ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 168d97844a61db302dec76d44406e9d4d7106b8e ] + +Error path in snd_skl_parse_uuids() shall free last allocated module if +its instance_id allocation fails. + +Fixes: f8e066521192 ("ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case") +Signed-off-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20231026082558.1864910-1-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/skylake/skl-sst-utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/intel/skylake/skl-sst-utils.c b/sound/soc/intel/skylake/skl-sst-utils.c +index 2ae4056178762..9e1e9bac17905 100644 +--- a/sound/soc/intel/skylake/skl-sst-utils.c ++++ b/sound/soc/intel/skylake/skl-sst-utils.c +@@ -317,6 +317,7 @@ int snd_skl_parse_uuids(struct sst_dsp *ctx, const struct firmware *fw, + module->instance_id = devm_kzalloc(ctx->dev, size, GFP_KERNEL); + if (!module->instance_id) { + ret = -ENOMEM; ++ kfree(module); + goto free_uuid_list; + } + +-- +2.42.0 + diff --git a/queue-4.19/can-dev-can_restart-don-t-crash-kernel-if-carrier-is.patch b/queue-4.19/can-dev-can_restart-don-t-crash-kernel-if-carrier-is.patch new file mode 100644 index 00000000000..8c73f19d0ad --- /dev/null +++ b/queue-4.19/can-dev-can_restart-don-t-crash-kernel-if-carrier-is.patch 
@@ -0,0 +1,46 @@ +From 400ed24ddd57dc2a4aec2a3763ba6d46825f9a76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 21:58:23 +0200 +Subject: can: dev: can_restart(): don't crash kernel if carrier is OK + +From: Marc Kleine-Budde + +[ Upstream commit fe5c9940dfd8ba0c73672dddb30acd1b7a11d4c7 ] + +During testing, I triggered a can_restart() with the netif carrier +being OK [1]. The BUG_ON, which checks if the carrier is OK, results +in a fatal kernel crash. This is neither helpful for debugging nor for +a production system. + +[1] The root cause is a race condition in can_restart() which will be +fixed in the next patch. + +Do not crash the kernel, issue an error message instead, and continue +restarting the CAN device anyway. + +Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") +Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-1-91b5c1fd922c@pengutronix.de +Reviewed-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev/dev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c +index 8738d37f72737..487cb9acdd456 100644 +--- a/drivers/net/can/dev/dev.c ++++ b/drivers/net/can/dev/dev.c +@@ -563,7 +563,8 @@ static void can_restart(struct net_device *dev) + struct can_frame *cf; + int err; + +- BUG_ON(netif_carrier_ok(dev)); ++ if (netif_carrier_ok(dev)) ++ netdev_err(dev, "Attempt to restart for bus-off recovery, but carrier is OK?\n"); + + /* + * No synchronization needed because the device is bus-off and +-- +2.42.0 + diff --git a/queue-4.19/can-dev-can_restart-fix-race-condition-between-contr.patch b/queue-4.19/can-dev-can_restart-fix-race-condition-between-contr.patch new file mode 100644 index 00000000000..8f8f93a1d99 --- /dev/null +++ b/queue-4.19/can-dev-can_restart-fix-race-condition-between-contr.patch 
@@ -0,0 +1,102 @@ +From c7945991ebdab9f3af8d43a5be22b97002f08bb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 10:25:11 +0200 +Subject: can: dev: can_restart(): fix race condition between controller + restart and netif_carrier_on() + +From: Marc Kleine-Budde + +[ Upstream commit 6841cab8c4504835e4011689cbdb3351dec693fd ] + +This race condition was discovered while updating the at91_can driver +to use can_bus_off(). The following scenario describes how the +converted at91_can driver would behave. + +When a CAN device goes into BUS-OFF state, the driver usually +stops/resets the CAN device and calls can_bus_off(). + +This function sets the netif carrier to off, and (if configured by +user space) schedules a delayed work that calls can_restart() to +restart the CAN device. + +The can_restart() function first checks if the carrier is off and +triggers an error message if the carrier is OK. + +Then it calls the driver's do_set_mode() function to restart the +device, then it sets the netif carrier to on. There is a race window +between these two calls. + +The at91 CAN controller (observed on the sama5d3, a single core 32 bit +ARM CPU) has a hardware limitation. If the device goes into bus-off +while sending a CAN frame, there is no way to abort the sending of +this frame. After the controller is enabled again, another attempt is +made to send it. + +If the bus is still faulty, the device immediately goes back to the +bus-off state. The driver calls can_bus_off(), the netif carrier is +switched off and another can_restart is scheduled. This occurs within +the race window before the original can_restart() handler marks the +netif carrier as OK. This would cause the 2nd can_restart() to be +called with an OK netif carrier, resulting in an error message. 
+ +The flow of the 1st can_restart() looks like this: + +can_restart() + // bail out if netif_carrier is OK + + netif_carrier_ok(dev) + priv->do_set_mode(dev, CAN_MODE_START) + // enable CAN controller + // sama5d3 restarts sending old message + + // CAN devices goes into BUS_OFF, triggers IRQ + +// IRQ handler start + at91_irq() + at91_irq_err_line() + can_bus_off() + netif_carrier_off() + schedule_delayed_work() +// IRQ handler end + + netif_carrier_on() + +The 2nd can_restart() will be called with an OK netif carrier and the +error message will be printed. + +To close the race window, first set the netif carrier to on, then +restart the controller. In case the restart fails with an error code, +roll back the netif carrier to off. + +Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") +Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-2-91b5c1fd922c@pengutronix.de +Reviewed-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev/dev.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c +index 487cb9acdd456..3797d4de254dd 100644 +--- a/drivers/net/can/dev/dev.c ++++ b/drivers/net/can/dev/dev.c +@@ -590,11 +590,12 @@ static void can_restart(struct net_device *dev) + priv->can_stats.restarts++; + + /* Now restart the device */ +- err = priv->do_set_mode(dev, CAN_MODE_START); +- + netif_carrier_on(dev); +- if (err) ++ err = priv->do_set_mode(dev, CAN_MODE_START); ++ if (err) { + netdev_err(dev, "Error %d during restart", err); ++ netif_carrier_off(dev); ++ } + } + + static void can_restart_work(struct work_struct *work) +-- +2.42.0 + diff --git a/queue-4.19/can-dev-move-driver-related-infrastructure-into-sepa.patch b/queue-4.19/can-dev-move-driver-related-infrastructure-into-sepa.patch new file mode 100644 index 00000000000..df1e2df638c --- /dev/null 
+++ b/queue-4.19/can-dev-move-driver-related-infrastructure-into-sepa.patch 
@@ -0,0 +1,69 @@ +From 0b56a3ae9a9bfe07906898191698f59b5aecedd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jan 2021 15:19:17 +0100 +Subject: can: dev: move driver related infrastructure into separate subdir + +From: Marc Kleine-Budde + +[ Upstream commit 3e77f70e734584e0ad1038e459ed3fd2400f873a ] + +This patch moves the CAN driver related infrastructure into a separate subdir. +It will be split into more files in the coming patches. + +Reviewed-by: Vincent Mailhol +Link: https://lore.kernel.org/r/20210111141930.693847-3-mkl@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Stable-dep-of: fe5c9940dfd8 ("can: dev: can_restart(): don't crash kernel if carrier is OK") +Signed-off-by: Sasha Levin +--- + drivers/net/can/Makefile | 7 +------ + drivers/net/can/dev/Makefile | 7 +++++++ + drivers/net/can/{ => dev}/dev.c | 0 + drivers/net/can/{ => dev}/rx-offload.c | 0 + 4 files changed, 8 insertions(+), 6 deletions(-) + create mode 100644 drivers/net/can/dev/Makefile + rename drivers/net/can/{ => dev}/dev.c (100%) + rename drivers/net/can/{ => dev}/rx-offload.c (100%) + +diff --git a/drivers/net/can/Makefile b/drivers/net/can/Makefile +index 44922bf29b6a0..93e11f1fee5c6 100644 +--- a/drivers/net/can/Makefile ++++ b/drivers/net/can/Makefile +@@ -7,12 +7,7 @@ obj-$(CONFIG_CAN_VCAN) += vcan.o + obj-$(CONFIG_CAN_VXCAN) += vxcan.o + obj-$(CONFIG_CAN_SLCAN) += slcan.o + +-obj-$(CONFIG_CAN_DEV) += can-dev.o +-can-dev-y += dev.o +-can-dev-y += rx-offload.o +- +-can-dev-$(CONFIG_CAN_LEDS) += led.o +- ++obj-y += dev/ + obj-y += rcar/ + obj-y += spi/ + obj-y += usb/ +diff --git a/drivers/net/can/dev/Makefile b/drivers/net/can/dev/Makefile +new file mode 100644 +index 0000000000000..cba92e6bcf6f5 +--- /dev/null ++++ b/drivers/net/can/dev/Makefile +@@ -0,0 +1,7 @@ ++# SPDX-License-Identifier: GPL-2.0 ++ ++obj-$(CONFIG_CAN_DEV) += can-dev.o ++can-dev-y += dev.o ++can-dev-y += rx-offload.o ++ ++can-dev-$(CONFIG_CAN_LEDS) += led.o +diff --git a/drivers/net/can/dev.c 
b/drivers/net/can/dev/dev.c +similarity index 100% +rename from drivers/net/can/dev.c +rename to drivers/net/can/dev/dev.c +diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/dev/rx-offload.c +similarity index 100% +rename from drivers/net/can/rx-offload.c +rename to drivers/net/can/dev/rx-offload.c +-- +2.42.0 + diff --git a/queue-4.19/chtls-fix-tp-rcv_tstamp-initialization.patch b/queue-4.19/chtls-fix-tp-rcv_tstamp-initialization.patch new file mode 100644 index 00000000000..9d9b782ffd2 --- /dev/null +++ b/queue-4.19/chtls-fix-tp-rcv_tstamp-initialization.patch @@ -0,0 +1,36 @@ +From f85cdab525b15a96e8f120ffe383e2e43207b091 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 12:57:36 +0000 +Subject: chtls: fix tp->rcv_tstamp initialization + +From: Eric Dumazet + +[ Upstream commit 225d9ddbacb102621af6d28ff7bf5a0b4ce249d8 ] + +tp->rcv_tstamp should be set to tcp_jiffies, not tcp_time_stamp(). + +Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition") +Signed-off-by: Eric Dumazet +Cc: Ayush Sawal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/crypto/chelsio/chtls/chtls_cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/chelsio/chtls/chtls_cm.c b/drivers/crypto/chelsio/chtls/chtls_cm.c +index 08ed3ff8b255f..360e153391709 100644 +--- a/drivers/crypto/chelsio/chtls/chtls_cm.c ++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c +@@ -2071,7 +2071,7 @@ static void chtls_rx_ack(struct sock *sk, struct sk_buff *skb) + + if (tp->snd_una != snd_una) { + tp->snd_una = snd_una; +- tp->rcv_tstamp = tcp_time_stamp(tp); ++ tp->rcv_tstamp = tcp_jiffies32; + if (tp->snd_una == tp->snd_nxt && + !csk_flag_nochk(csk, CSK_TX_FAILOVER)) + csk_reset_flag(csk, CSK_TX_WAIT_IDLE); +-- +2.42.0 + diff --git a/queue-4.19/clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch b/queue-4.19/clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch new file mode 100644 index 00000000000..49ba35f01c3 
--- /dev/null +++ b/queue-4.19/clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch 
@@ -0,0 +1,60 @@ +From 552c5976a3de118f5f114c168ade0feff42eea1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 17:01:57 +0300 +Subject: clk: keystone: pll: fix a couple NULL vs IS_ERR() checks + +From: Dan Carpenter + +[ Upstream commit a5d14f8b551eb1551c10053653ee8e27f19672fa ] + +The clk_register_divider() and clk_register_mux() functions returns +error pointers on error but this code checks for NULL. Fix that. + +Fixes: b9e0d40c0d83 ("clk: keystone: add Keystone PLL clock driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/d9da4c97-0da9-499f-9a21-1f8e3f148dc1@moroto.mountain +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/pll.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/keystone/pll.c b/drivers/clk/keystone/pll.c +index 526694c2a6c97..a75ece5992394 100644 +--- a/drivers/clk/keystone/pll.c ++++ b/drivers/clk/keystone/pll.c +@@ -285,12 +285,13 @@ static void __init of_pll_div_clk_init(struct device_node *node) + + clk = clk_register_divider(NULL, clk_name, parent_name, 0, reg, shift, + mask, 0, NULL); +- if (clk) { +- of_clk_add_provider(node, of_clk_src_simple_get, clk); +- } else { ++ if (IS_ERR(clk)) { + pr_err("%s: error registering divider %s\n", __func__, clk_name); + iounmap(reg); ++ return; + } ++ ++ of_clk_add_provider(node, of_clk_src_simple_get, clk); + } + CLK_OF_DECLARE(pll_divider_clock, "ti,keystone,pll-divider-clock", of_pll_div_clk_init); + +@@ -332,9 +333,11 @@ static void __init of_pll_mux_clk_init(struct device_node *node) + clk = clk_register_mux(NULL, clk_name, (const char **)&parents, + ARRAY_SIZE(parents) , 0, reg, shift, mask, + 0, NULL); +- if (clk) +- of_clk_add_provider(node, of_clk_src_simple_get, clk); +- else ++ if (IS_ERR(clk)) { + pr_err("%s: error registering mux %s\n", __func__, clk_name); ++ return; ++ } ++ ++ of_clk_add_provider(node, of_clk_src_simple_get, clk); + } + 
CLK_OF_DECLARE(pll_mux_clock, "ti,keystone,pll-mux-clock", of_pll_mux_clk_init); +-- +2.42.0 + diff --git a/queue-4.19/clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch b/queue-4.19/clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch new file mode 100644 index 00000000000..7fbc89b15c5 --- /dev/null +++ b/queue-4.19/clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch 
@@ -0,0 +1,66 @@ +From 0317861cc4bdb5300d0a6aa2168137e5416becc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 10:46:58 +0800 +Subject: clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data + +From: Jiasheng Jiang + +[ Upstream commit 0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3 ] + +Add the check for the return value of mtk_alloc_clk_data() in order to +avoid NULL pointer dereference. + +Fixes: e9862118272a ("clk: mediatek: Add MT2701 clock support") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230901024658.23405-1-jiasheng@iscas.ac.cn +Reviewed-by: Markus Schneider-Pargmann +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt2701.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/clk/mediatek/clk-mt2701.c b/drivers/clk/mediatek/clk-mt2701.c +index 4dda8988b2f09..00e52a94e34fd 100644 +--- a/drivers/clk/mediatek/clk-mt2701.c ++++ b/drivers/clk/mediatek/clk-mt2701.c +@@ -688,6 +688,8 @@ static int mtk_topckgen_init(struct platform_device *pdev) + return PTR_ERR(base); + + clk_data = mtk_alloc_clk_data(CLK_TOP_NR); ++ if (!clk_data) ++ return -ENOMEM; + + mtk_clk_register_fixed_clks(top_fixed_clks, ARRAY_SIZE(top_fixed_clks), + clk_data); +@@ -755,6 +757,8 @@ static void __init mtk_infrasys_init_early(struct device_node *node) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return; + + for (i = 0; i < CLK_INFRA_NR; i++) + infra_clk_data->clks[i] = ERR_PTR(-EPROBE_DEFER); +@@ -781,6 +785,8 @@ static int mtk_infrasys_init(struct platform_device *pdev) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return -ENOMEM; + } else { + for (i = 0; i < CLK_INFRA_NR; i++) { + if (infra_clk_data->clks[i] == ERR_PTR(-EPROBE_DEFER)) +@@ -909,6 +915,8 @@ static int mtk_pericfg_init(struct platform_device *pdev) + return 
PTR_ERR(base); + + clk_data = mtk_alloc_clk_data(CLK_PERI_NR); ++ if (!clk_data) ++ return -ENOMEM; + + mtk_clk_register_gates(node, peri_clks, ARRAY_SIZE(peri_clks), + clk_data); +-- +2.42.0 + diff --git a/queue-4.19/clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch b/queue-4.19/clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch new file mode 100644 index 00000000000..5e13bf5d537 --- /dev/null +++ b/queue-4.19/clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch 
@@ -0,0 +1,56 @@ +From 2bd69a2fded94dee528f9c49bfecb2ce06b7f840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 17:34:05 +0800 +Subject: clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data + +From: Jiasheng Jiang + +[ Upstream commit 606f6366a35a3329545e38129804d65ef26ed7d2 ] + +Add the check for the return value of mtk_alloc_clk_data() in order to +avoid NULL pointer dereference. + +Fixes: 96596aa06628 ("clk: mediatek: add clk support for MT6797") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230912093407.21505-3-jiasheng@iscas.ac.cn +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt6797.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/mediatek/clk-mt6797.c b/drivers/clk/mediatek/clk-mt6797.c +index 5702bc974ed99..1ee45f32c1d4e 100644 +--- a/drivers/clk/mediatek/clk-mt6797.c ++++ b/drivers/clk/mediatek/clk-mt6797.c +@@ -396,6 +396,8 @@ static int mtk_topckgen_init(struct platform_device *pdev) + return PTR_ERR(base); + + clk_data = mtk_alloc_clk_data(CLK_TOP_NR); ++ if (!clk_data) ++ return -ENOMEM; + + mtk_clk_register_factors(top_fixed_divs, ARRAY_SIZE(top_fixed_divs), + clk_data); +@@ -554,6 +556,8 @@ static void mtk_infrasys_init_early(struct device_node *node) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return; + + for (i = 0; i < CLK_INFRA_NR; i++) + infra_clk_data->clks[i] = ERR_PTR(-EPROBE_DEFER); +@@ -578,6 +582,8 @@ static int mtk_infrasys_init(struct platform_device *pdev) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return -ENOMEM; + } else { + for (i = 0; i < CLK_INFRA_NR; i++) { + if (infra_clk_data->clks[i] == ERR_PTR(-EPROBE_DEFER)) +-- +2.42.0 + 
diff --git a/queue-4.19/clk-npcm7xx-fix-incorrect-kfree.patch b/queue-4.19/clk-npcm7xx-fix-incorrect-kfree.patch new file mode 100644 index 00000000000..da617940935 --- /dev/null +++ b/queue-4.19/clk-npcm7xx-fix-incorrect-kfree.patch @@ -0,0 +1,45 @@ +From e7a7d77f123a45d51e1baf6a90115e383e4cb636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Sep 2023 15:31:27 +0200 +Subject: clk: npcm7xx: Fix incorrect kfree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Neuschäfer + +[ Upstream commit bbc5080bef4a245106aa8e8d424ba8847ca7c0ca ] + +The corresponding allocation is: + +> npcm7xx_clk_data = kzalloc(struct_size(npcm7xx_clk_data, hws, +> NPCM7XX_NUM_CLOCKS), GFP_KERNEL); + +... so, kfree should be applied to npcm7xx_clk_data, not +npcm7xx_clk_data->hws. + +Fixes: fcfd14369856 ("clk: npcm7xx: add clock controller") +Signed-off-by: Jonathan Neuschäfer +Link: https://lore.kernel.org/r/20230923133127.1815621-1-j.neuschaefer@gmx.net +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-npcm7xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-npcm7xx.c b/drivers/clk/clk-npcm7xx.c +index c5edf8f2fd196..f96e883104144 100644 +--- a/drivers/clk/clk-npcm7xx.c ++++ b/drivers/clk/clk-npcm7xx.c +@@ -647,7 +647,7 @@ static void __init npcm7xx_clk_init(struct device_node *clk_np) + return; + + npcm7xx_init_fail: +- kfree(npcm7xx_clk_data->hws); ++ kfree(npcm7xx_clk_data); + npcm7xx_init_np_err: + iounmap(clk_base); + npcm7xx_init_error: +-- +2.42.0 + diff --git a/queue-4.19/clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch b/queue-4.19/clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch new file mode 100644 index 00000000000..1961ec74a8d --- /dev/null +++ b/queue-4.19/clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch 
@@ -0,0 +1,57 @@ +From 1558efc5f5b8bba8b5f5b47cd62dde82fb4654a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 13:06:40 +0530 +Subject: clk: qcom: clk-rcg2: Fix clock rate overflow for high parent + frequencies + +From: Devi Priya + +[ Upstream commit f7b7d30158cff246667273bd2a62fc93ee0725d2 ] + +If the parent clock rate is greater than unsigned long max/2 then +integer overflow happens when calculating the clock rate on 32-bit systems. +As RCG2 uses half integer dividers, the clock rate is first being +multiplied by 2 which will overflow the unsigned long max value. +Hence, replace the common pattern of doing 64-bit multiplication +and then a do_div() call with simpler mult_frac call. + +Fixes: bcd61c0f535a ("clk: qcom: Add support for root clock generators (RCGs)") +Signed-off-by: Devi Priya +Reviewed-by: Marijn Suijten +Link: https://lore.kernel.org/r/20230901073640.4973-1-quic_devipriy@quicinc.com +[bjorn: Also drop unnecessary {} around single statements] +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index 04bd29d6aba13..8ac8915903e2c 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -132,17 +132,11 @@ static int clk_rcg2_set_parent(struct clk_hw *hw, u8 index) + static unsigned long + calc_rate(unsigned long rate, u32 m, u32 n, u32 mode, u32 hid_div) + { +- if (hid_div) { +- rate *= 2; +- rate /= hid_div + 1; +- } ++ if (hid_div) ++ rate = mult_frac(rate, 2, hid_div + 1); + +- if (mode) { +- u64 tmp = rate; +- tmp *= m; +- do_div(tmp, n); +- rate = tmp; +- } ++ if (mode) ++ rate = mult_frac(rate, m, n); + + return rate; + } +-- +2.42.0 + 
diff --git a/queue-4.19/clk-scmi-free-scmi_clk-allocated-when-the-clocks-wit.patch b/queue-4.19/clk-scmi-free-scmi_clk-allocated-when-the-clocks-wit.patch new file mode 100644 index 00000000000..96a518329f5 --- /dev/null +++ b/queue-4.19/clk-scmi-free-scmi_clk-allocated-when-the-clocks-wit.patch @@ -0,0 +1,40 @@ +From 6564543b5ebebf4a642968b2e5df0f354413eaf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 20:36:00 +0100 +Subject: clk: scmi: Free scmi_clk allocated when the clocks with invalid info + are skipped + +From: Sudeep Holla + +[ Upstream commit 3537a75e73f3420614a358d0c8b390ea483cc87d ] + +Add the missing devm_kfree() when we skip the clocks with invalid or +missing information from the firmware. + +Cc: Cristian Marussi +Cc: Michael Turquette +Cc: Stephen Boyd +Cc: linux-clk@vger.kernel.org +Fixes: 6d6a1d82eaef ("clk: add support for clocks provided by SCMI") +Link: https://lore.kernel.org/r/20231004193600.66232-1-sudeep.holla@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-scmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/clk-scmi.c b/drivers/clk/clk-scmi.c +index c65d30bba7005..9d9eed597617b 100644 +--- a/drivers/clk/clk-scmi.c ++++ b/drivers/clk/clk-scmi.c +@@ -170,6 +170,7 @@ static int scmi_clocks_probe(struct scmi_device *sdev) + sclk->info = handle->clk_ops->info_get(handle, idx); + if (!sclk->info) { + dev_dbg(dev, "invalid clock info for idx %d\n", idx); ++ devm_kfree(dev, sclk); + continue; + } + +-- +2.42.0 + diff --git a/queue-4.19/dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch b/queue-4.19/dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch new file mode 100644 index 00000000000..89db69ae0e0 --- /dev/null +++ b/queue-4.19/dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch 
@@ -0,0 +1,43 @@ +From b09b6fe085161e439e0df62f6cfb7e8de9df494f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 13:13:09 +0200 +Subject: dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() + +From: Christophe JAILLET + +[ Upstream commit 83c761f568733277ce1f7eb9dc9e890649c29a8c ] + +If pxad_alloc_desc() fails on the first dma_pool_alloc() call, then +sw_desc->nb_desc is zero. +In such a case pxad_free_desc() is called and it will BUG_ON(). + +Remove this erroneous BUG_ON(). + +It is also useless, because if "sw_desc->nb_desc == 0", then, on the first +iteration of the for loop, i is -1 and the loop will not be executed. +(both i and sw_desc->nb_desc are 'int') + +Fixes: a57e16cf0333 ("dmaengine: pxa: add pxa dmaengine driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/c8fc5563c9593c914fde41f0f7d1489a21b45a9a.1696676782.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pxa_dma.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index c54986902b9d2..6dfd08dadb12d 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -772,7 +772,6 @@ static void pxad_free_desc(struct virt_dma_desc *vd) + dma_addr_t dma; + struct pxad_desc_sw *sw_desc = to_pxad_sw_desc(vd); + +- BUG_ON(sw_desc->nb_desc == 0); + for (i = sw_desc->nb_desc - 1; i >= 0; i--) { + if (i > 0) + dma = sw_desc->hw_desc[i - 1]->ddadr; +-- +2.42.0 + diff --git a/queue-4.19/dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch b/queue-4.19/dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch new file mode 100644 index 00000000000..48fc046f6e3 --- /dev/null +++ b/queue-4.19/dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch 
@@ -0,0 +1,48 @@ +From 5933b3c96365b9235afc151032d734d29b601e80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 15:59:59 +0300 +Subject: dmaengine: ti: edma: handle irq_of_parse_and_map() errors + +From: Dan Carpenter + +[ Upstream commit 14f6d317913f634920a640e9047aa2e66f5bdcb7 ] + +Zero is not a valid IRQ for in-kernel code and the irq_of_parse_and_map() +function returns zero on error. So this check for valid IRQs should only +accept values > 0. + +Fixes: 2b6b3b742019 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/") +Signed-off-by: Dan Carpenter +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/f15cb6a7-8449-4f79-98b6-34072f04edbc@moroto.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/edma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c +index 44158fa859737..3a1b37971bef8 100644 +--- a/drivers/dma/ti/edma.c ++++ b/drivers/dma/ti/edma.c +@@ -2303,7 +2303,7 @@ static int edma_probe(struct platform_device *pdev) + if (irq < 0 && node) + irq = irq_of_parse_and_map(node, 0); + +- if (irq >= 0) { ++ if (irq > 0) { + irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccint", + dev_name(dev)); + ret = devm_request_irq(dev, irq, dma_irq_handler, 0, irq_name, +@@ -2319,7 +2319,7 @@ static int edma_probe(struct platform_device *pdev) + if (irq < 0 && node) + irq = irq_of_parse_and_map(node, 2); + +- if (irq >= 0) { ++ if (irq > 0) { + irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccerrint", + dev_name(dev)); + ret = devm_request_irq(dev, irq, dma_ccerr_handler, 0, irq_name, +-- +2.42.0 + diff --git a/queue-4.19/drm-radeon-possible-buffer-overflow.patch b/queue-4.19/drm-radeon-possible-buffer-overflow.patch new file mode 100644 index 00000000000..c39c8dbdbc3 --- /dev/null +++ b/queue-4.19/drm-radeon-possible-buffer-overflow.patch 
@@ -0,0 +1,47 @@ +From 5238443a93d861024430bd9eafbb150e361f7e11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 19:33:49 +0800 +Subject: drm/radeon: possible buffer overflow + +From: Konstantin Meskhidze + +[ Upstream commit dd05484f99d16715a88eedfca363828ef9a4c2d4 ] + +Buffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is +checked after access. + +Fixes: 5cc4e5fc293b ("drm/radeon: Cleanup HDMI audio interrupt handling for evergreen") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/evergreen.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 5712d63dca207..da728f7fc42be 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -4815,14 +4815,15 @@ int evergreen_irq_process(struct radeon_device *rdev) + break; + case 44: /* hdmi */ + afmt_idx = src_data; +- if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG)) +- DRM_DEBUG("IH: IH event w/o asserted irq bit?\n"); +- + if (afmt_idx > 5) { + DRM_ERROR("Unhandled interrupt: %d %d\n", + src_id, src_data); + break; + } ++ ++ if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG)) ++ DRM_DEBUG("IH: IH event w/o asserted irq bit?\n"); ++ + afmt_status[afmt_idx] &= ~AFMT_AZ_FORMAT_WTRIG; + queue_hdmi = true; + DRM_DEBUG("IH: HDMI%d\n", afmt_idx + 1); +-- +2.42.0 + diff --git a/queue-4.19/drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch b/queue-4.19/drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch new file mode 100644 index 00000000000..e0f676ddaec --- /dev/null +++ b/queue-4.19/drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch 
@@ -0,0 +1,60 @@ +From e1828a91ff47089a3806908ce87451b714f9d696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 19:34:31 +0200 +Subject: drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() + +From: Christophe JAILLET + +[ Upstream commit 44b968d0d0868b7a9b7a5c64464ada464ff4d532 ] + +cdn_dp_audio_codec_init() can fail. So add some error handling. + +If component_add() fails, the previous cdn_dp_audio_codec_init() call +should be undone, as already done in the remove function. + +Fixes: 88582f564692 ("drm/rockchip: cdn-dp: Don't unregister audio dev when unbinding") +Signed-off-by: Christophe JAILLET +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/8494a41602fadb7439630921a9779640698f2f9f.1693676045.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/cdn-dp-core.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c +index 3f992e5a75c97..579652f8b42b3 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c +@@ -1156,6 +1156,7 @@ static int cdn_dp_probe(struct platform_device *pdev) + struct cdn_dp_device *dp; + struct extcon_dev *extcon; + struct phy *phy; ++ int ret; + int i; + + dp = devm_kzalloc(dev, sizeof(*dp), GFP_KERNEL); +@@ -1196,9 +1197,19 @@ static int cdn_dp_probe(struct platform_device *pdev) + mutex_init(&dp->lock); + dev_set_drvdata(dev, dp); + +- cdn_dp_audio_codec_init(dp, dev); ++ ret = cdn_dp_audio_codec_init(dp, dev); ++ if (ret) ++ return ret; ++ ++ ret = component_add(dev, &cdn_dp_component_ops); ++ if (ret) ++ goto err_audio_deinit; + +- return component_add(dev, &cdn_dp_component_ops); ++ return 0; ++ ++err_audio_deinit: ++ platform_device_unregister(dp->audio_pdev); ++ return ret; + } + + static int cdn_dp_remove(struct platform_device *pdev) +-- +2.42.0 + 
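Review bot: cdn_dp_probe() now fails outright when cdn_dp_audio_codec_init() returns an error ("if (ret) return ret;"), whereas the removed line ignored the return value and probe went on to component_add(). The changelog should say that failing the whole DP probe on an audio-codec registration error is intended, since for a stable backport this is a behaviour change and not only added cleanup.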
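Review bot: in drm-radeon-possible-buffer-overflow.patch, queued just before the cdn-dp patch above, the reordered guard in evergreen_irq_process() still reads "if (afmt_idx > 5)", a bare constant whose link to the array is stated only in the changelog ("size 6"). Tie the bound to the declared size of afmt_status (a named constant shared with the declaration, or ARRAY_SIZE() where the array type is in scope) so the check cannot drift from the buffer, and confirm afmt_idx is unsigned so that a negative value cannot pass the "> 5" test.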
diff --git a/queue-4.19/drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch b/queue-4.19/drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch new file mode 100644 index 00000000000..8012bc92875 --- /dev/null +++ b/queue-4.19/drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch @@ -0,0 +1,42 @@ +From d5426f12501beb4921cec3125dc181395fd54f68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 22:33:17 +0000 +Subject: drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs + +From: Jonas Karlman + +[ Upstream commit 13fc28804bf10ca0b7bce3efbba95c534836d7ca ] + +struct rockchip_crtc_state members such as output_type, output_bpc and +enable_afbc is always reset to zero in the atomic_duplicate_state crtc +funcs. + +Fix this by using kmemdup on the subclass rockchip_crtc_state struct. + +Fixes: 4e257d9eee23 ("drm/rockchip: get rid of rockchip_drm_crtc_mode_config") +Signed-off-by: Jonas Karlman +Reviewed-by: Sascha Hauer +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20230621223311.2239547-2-jonas@kwiboo.se +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +index 69eb0de9973fb..ea692046be614 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -1091,7 +1091,8 @@ static struct drm_crtc_state *vop_crtc_duplicate_state(struct drm_crtc *crtc) + if (WARN_ON(!crtc->state)) + return NULL; + +- rockchip_state = kzalloc(sizeof(*rockchip_state), GFP_KERNEL); ++ rockchip_state = kmemdup(to_rockchip_crtc_state(crtc->state), ++ sizeof(*rockchip_state), GFP_KERNEL); + if (!rockchip_state) + return NULL; + +-- +2.42.0 + 
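Review bot: in vop_crtc_duplicate_state(), kmemdup() now copies the entire rockchip_crtc_state, including the embedded base CRTC state and every pointer in it, and the hunk context ends before showing what happens to that base. Please confirm the base state is re-initialised after the copy, and add a one-line comment saying the kmemdup() is there to carry over the subclass fields (output_type, output_bpc, enable_afbc) so that nobody turns it back into kzalloc().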
diff --git a/queue-4.19/ext4-move-ix-sanity-check-to-corrent-position.patch b/queue-4.19/ext4-move-ix-sanity-check-to-corrent-position.patch new file mode 100644 index 00000000000..5a7a95dd254 --- /dev/null +++ b/queue-4.19/ext4-move-ix-sanity-check-to-corrent-position.patch @@ -0,0 +1,51 @@ +From b4bd04a4eba3665776dba36102d13ca75c182a8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 09:33:41 +0800 +Subject: ext4: move 'ix' sanity check to corrent position + +From: Gou Hao + +[ Upstream commit af90a8f4a09ec4a3de20142e37f37205d4687f28 ] + +Check 'ix' before it is used. + +Fixes: 80e675f906db ("ext4: optimize memmmove lengths in extent/index insertions") +Signed-off-by: Gou Hao +Link: https://lore.kernel.org/r/20230906013341.7199-1-gouhao@uniontech.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 6c492fca60c41..d931252b7d0d1 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -997,6 +997,11 @@ static int ext4_ext_insert_index(handle_t *handle, struct inode *inode, + ix = curp->p_idx; + } + ++ if (unlikely(ix > EXT_MAX_INDEX(curp->p_hdr))) { ++ EXT4_ERROR_INODE(inode, "ix > EXT_MAX_INDEX!"); ++ return -EFSCORRUPTED; ++ } ++ + len = EXT_LAST_INDEX(curp->p_hdr) - ix + 1; + BUG_ON(len < 0); + if (len > 0) { +@@ -1006,11 +1011,6 @@ static int ext4_ext_insert_index(handle_t *handle, struct inode *inode, + memmove(ix + 1, ix, len * sizeof(struct ext4_extent_idx)); + } + +- if (unlikely(ix > EXT_MAX_INDEX(curp->p_hdr))) { +- EXT4_ERROR_INODE(inode, "ix > EXT_MAX_INDEX!"); +- return -EFSCORRUPTED; +- } +- + ix->ei_block = cpu_to_le32(logical); + ext4_idx_store_pblock(ix, ptr); + le16_add_cpu(&curp->p_hdr->eh_entries, 1); +-- +2.42.0 + 
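Review bot: in ext4_ext_insert_index(), the relocated check bounds ix against EXT_MAX_INDEX(), but the very next statements compute len from EXT_LAST_INDEX() and then hit "BUG_ON(len < 0);". If ix can point past the last index on a corrupted extent tree, that path still ends in BUG_ON() instead of returning -EFSCORRUPTED. Consider converting the BUG_ON() to the same EXT4_ERROR_INODE() plus error return, or explain in the changelog why len cannot be negative once the new check has passed.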
diff --git a/queue-4.19/f2fs-fix-to-initialize-map.m_pblk-in-f2fs_precache_e.patch b/queue-4.19/f2fs-fix-to-initialize-map.m_pblk-in-f2fs_precache_e.patch new file mode 100644 index 00000000000..47c10c6928d --- /dev/null +++ b/queue-4.19/f2fs-fix-to-initialize-map.m_pblk-in-f2fs_precache_e.patch @@ -0,0 +1,37 @@ +From 6a3f5a79d2733563ac65520c138790a3e3e6888a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 15:45:52 +0800 +Subject: f2fs: fix to initialize map.m_pblk in f2fs_precache_extents() + +From: Chao Yu + +[ Upstream commit 8b07c1fb0f1ad139373c8253f2fad8bc43fab07d ] + +Otherwise, it may print random physical block address in tracepoint +of f2fs_map_blocks() as below: + +f2fs_map_blocks: dev = (253,16), ino = 2297, file offset = 0, start blkaddr = 0xa356c421, len = 0x0, flags = 0 + +Fixes: c4020b2da4c9 ("f2fs: support F2FS_IOC_PRECACHE_EXTENTS") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 2a7249496c57e..043ce96ac1270 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2892,6 +2892,7 @@ int f2fs_precache_extents(struct inode *inode) + return -EOPNOTSUPP; + + map.m_lblk = 0; ++ map.m_pblk = 0; + map.m_next_pgofs = NULL; + map.m_next_extent = &m_next_extent; + map.m_seg_type = NO_CHECK_TYPE; +-- +2.42.0 + diff --git a/queue-4.19/firmware-ti_sci-mark-driver-as-non-removable.patch b/queue-4.19/firmware-ti_sci-mark-driver-as-non-removable.patch new file mode 100644 index 00000000000..9b7d7ae9671 --- /dev/null +++ b/queue-4.19/firmware-ti_sci-mark-driver-as-non-removable.patch 
@@ -0,0 +1,113 @@ +From aa23c81f9e5d2a41bac6b0a7b28ca00b297898b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 14:40:26 +0530 +Subject: firmware: ti_sci: Mark driver as non removable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dhruva Gole + +[ Upstream commit 7b7a224b1ba1703583b25a3641ad9798f34d832a ] + +The TI-SCI message protocol provides a way to communicate between +various compute processors with a central system controller entity. It +provides the fundamental device management capability and clock control +in the SOCs that it's used in. + +The remove function failed to do all the necessary cleanup if +there are registered users. Some things are freed however which +likely results in an oops later on. + +Ensure that the driver isn't unbound by suppressing its bind and unbind +sysfs attributes. As the driver is built-in there is no way to remove +device once bound. + +We can also remove the ti_sci_remove call along with the +ti_sci_debugfs_destroy as there are no callers for it any longer. 
+ +Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") +Reported-by: Uwe Kleine-König +Closes: https://lore.kernel.org/linux-arm-kernel/20230216083908.mvmydic5lpi3ogo7@pengutronix.de/ +Suggested-by: Uwe Kleine-König +Acked-by: Uwe Kleine-König +Signed-off-by: Dhruva Gole +Link: https://lore.kernel.org/r/20230921091025.133130-1-d-gole@ti.com +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + drivers/firmware/ti_sci.c | 46 +-------------------------------------- + 1 file changed, 1 insertion(+), 45 deletions(-) + +diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c +index 5e35a66ed0ae9..46acc6440b9a8 100644 +--- a/drivers/firmware/ti_sci.c ++++ b/drivers/firmware/ti_sci.c +@@ -205,19 +205,6 @@ static int ti_sci_debugfs_create(struct platform_device *pdev, + return 0; + } + +-/** +- * ti_sci_debugfs_destroy() - clean up log debug file +- * @pdev: platform device pointer +- * @info: Pointer to SCI entity information +- */ +-static void ti_sci_debugfs_destroy(struct platform_device *pdev, +- struct ti_sci_info *info) +-{ +- if (IS_ERR(info->debug_region)) +- return; +- +- debugfs_remove(info->d); +-} + #else /* CONFIG_DEBUG_FS */ + static inline int ti_sci_debugfs_create(struct platform_device *dev, + struct ti_sci_info *info) +@@ -1937,43 +1924,12 @@ static int ti_sci_probe(struct platform_device *pdev) + return ret; + } + +-static int ti_sci_remove(struct platform_device *pdev) +-{ +- struct ti_sci_info *info; +- struct device *dev = &pdev->dev; +- int ret = 0; +- +- of_platform_depopulate(dev); +- +- info = platform_get_drvdata(pdev); +- +- if (info->nb.notifier_call) +- unregister_restart_handler(&info->nb); +- +- mutex_lock(&ti_sci_list_mutex); +- if (info->users) +- ret = -EBUSY; +- else +- list_del(&info->node); +- mutex_unlock(&ti_sci_list_mutex); +- +- if (!ret) { +- ti_sci_debugfs_destroy(pdev, info); +- +- /* Safe to free channels since no more users */ +- 
mbox_free_channel(info->chan_tx); +- mbox_free_channel(info->chan_rx); +- } +- +- return ret; +-} +- + static struct platform_driver ti_sci_driver = { + .probe = ti_sci_probe, +- .remove = ti_sci_remove, + .driver = { + .name = "ti-sci", + .of_match_table = of_match_ptr(ti_sci_of_match), ++ .suppress_bind_attrs = true, + }, + }; + module_platform_driver(ti_sci_driver); +-- +2.42.0 + diff --git a/queue-4.19/genirq-matrix-exclude-managed-interrupts-in-irq_matr.patch b/queue-4.19/genirq-matrix-exclude-managed-interrupts-in-irq_matr.patch new file mode 100644 index 00000000000..e77c2d1ecd5 --- /dev/null +++ b/queue-4.19/genirq-matrix-exclude-managed-interrupts-in-irq_matr.patch 
@@ -0,0 +1,73 @@ +From 617ae9052115f9dd001e682599caf938281fe4f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 15:25:22 +0800 +Subject: genirq/matrix: Exclude managed interrupts in irq_matrix_allocated() + +From: Chen Yu + +[ Upstream commit a0b0bad10587ae2948a7c36ca4ffc206007fbcf3 ] + +When a CPU is about to be offlined, x86 validates that all active +interrupts which are targeted to this CPU can be migrated to the remaining +online CPUs. If not, the offline operation is aborted. + +The validation uses irq_matrix_allocated() to retrieve the number of +vectors which are allocated on the outgoing CPU. The returned number of +allocated vectors includes also vectors which are associated to managed +interrupts. + +That's overaccounting because managed interrupts are: + + - not migrated when the affinity mask of the interrupt targets only + the outgoing CPU + + - migrated to another CPU, but in that case the vector is already + pre-allocated on the potential target CPUs and must not be taken into + account. + +As a consequence the check whether the remaining online CPUs have enough +capacity for migrating the allocated vectors from the outgoing CPU might +fail incorrectly. + +Let irq_matrix_allocated() return only the number of allocated non-managed +interrupts to make this validation check correct. 
+ +[ tglx: Amend changelog and fixup kernel-doc comment ] + +Fixes: 2f75d9e1c905 ("genirq: Implement bitmap matrix allocator") +Reported-by: Wendy Wang +Signed-off-by: Chen Yu +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20231020072522.557846-1-yu.c.chen@intel.com +Signed-off-by: Sasha Levin +--- + kernel/irq/matrix.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c +index 8e586858bcf41..d25edbb87119f 100644 +--- a/kernel/irq/matrix.c ++++ b/kernel/irq/matrix.c +@@ -466,16 +466,16 @@ unsigned int irq_matrix_reserved(struct irq_matrix *m) + } + + /** +- * irq_matrix_allocated - Get the number of allocated irqs on the local cpu ++ * irq_matrix_allocated - Get the number of allocated non-managed irqs on the local CPU + * @m: Pointer to the matrix to search + * +- * This returns number of allocated irqs ++ * This returns number of allocated non-managed interrupts. + */ + unsigned int irq_matrix_allocated(struct irq_matrix *m) + { + struct cpumap *cm = this_cpu_ptr(m->maps); + +- return cm->allocated; ++ return cm->allocated - cm->managed_allocated; + } + + #ifdef CONFIG_GENERIC_IRQ_DEBUGFS +-- +2.42.0 + diff --git a/queue-4.19/hid-cp2112-fix-duplicate-workqueue-initialization.patch b/queue-4.19/hid-cp2112-fix-duplicate-workqueue-initialization.patch new file mode 100644 index 00000000000..a8f2a4ca9f2 --- /dev/null +++ b/queue-4.19/hid-cp2112-fix-duplicate-workqueue-initialization.patch 
@@ -0,0 +1,50 @@ +From 399e7477c4d8aad33c7f0ef3b691f8fb6a32391c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Sep 2023 16:22:45 -0500 +Subject: hid: cp2112: Fix duplicate workqueue initialization + +From: Danny Kaehn + +[ Upstream commit e3c2d2d144c082dd71596953193adf9891491f42 ] + +Previously the cp2112 driver called INIT_DELAYED_WORK within +cp2112_gpio_irq_startup, resulting in duplicate initilizations of the +workqueue on subsequent IRQ startups following an initial request. This +resulted in a warning in set_work_data in workqueue.c, as well as a rare +NULL dereference within process_one_work in workqueue.c. + +Initialize the workqueue within _probe instead. + +Fixes: 13de9cca514e ("HID: cp2112: add IRQ chip handling") +Signed-off-by: Danny Kaehn +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cp2112.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c +index 875fd8b2eec23..6dc9ee8adb65f 100644 +--- a/drivers/hid/hid-cp2112.c ++++ b/drivers/hid/hid-cp2112.c +@@ -1163,8 +1163,6 @@ static unsigned int cp2112_gpio_irq_startup(struct irq_data *d) + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); + struct cp2112_device *dev = gpiochip_get_data(gc); + +- INIT_DELAYED_WORK(&dev->gpio_poll_worker, cp2112_gpio_poll_callback); +- + if (!dev->gpio_poll) { + dev->gpio_poll = true; + schedule_delayed_work(&dev->gpio_poll_worker, 0); +@@ -1358,6 +1356,8 @@ static int cp2112_probe(struct hid_device *hdev, const struct hid_device_id *id) + girq->default_type = IRQ_TYPE_NONE; + girq->handler = handle_simple_irq; + ++ INIT_DELAYED_WORK(&dev->gpio_poll_worker, cp2112_gpio_poll_callback); ++ + ret = gpiochip_add_data(&dev->gc, dev); + if (ret < 0) { + hid_err(hdev, "error registering gpio chip\n"); +-- +2.42.0 + 
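Review bot: in cp2112_probe(), the INIT_DELAYED_WORK() call lands at the end of the girq setup block with nothing saying why it sits there. Its position before gpiochip_add_data() matters, because cp2112_gpio_irq_startup() schedules gpio_poll_worker and, with the irqchip template patch this one depends on, the irqchip is added together with the gpiochip. A short comment stating that ordering requirement would keep a later cleanup from moving the call below the registration.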
diff --git a/queue-4.19/hid-cp2112-use-irqchip-template.patch b/queue-4.19/hid-cp2112-use-irqchip-template.patch new file mode 100644 index 00000000000..d32206f4bb4 --- /dev/null +++ b/queue-4.19/hid-cp2112-use-irqchip-template.patch 
@@ -0,0 +1,77 @@ +From 0c335ac7125c3c8b2d9066b2ea43e4fef7d1a4cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 09:56:32 +0200 +Subject: HID: cp2112: Use irqchip template +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +[ Upstream commit 6bfa31756ae905e23050ee10a3b4d3d435122c97 ] + +This makes the driver use the irqchip template to assign +properties to the gpio_irq_chip instead of using the +explicit calls to gpiochip_irqchip_add(). The irqchip is +instead added while adding the gpiochip. + +Cc: Eudean Sun +Cc: Benjamin Tissoires +Cc: Sébastien Szymanski +Signed-off-by: Linus Walleij +Signed-off-by: Jiri Kosina +Stable-dep-of: e3c2d2d144c0 ("hid: cp2112: Fix duplicate workqueue initialization") +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cp2112.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c +index 637a7ce281c61..875fd8b2eec23 100644 +--- a/drivers/hid/hid-cp2112.c ++++ b/drivers/hid/hid-cp2112.c +@@ -1245,6 +1245,7 @@ static int cp2112_probe(struct hid_device *hdev, const struct hid_device_id *id) + struct cp2112_device *dev; + u8 buf[3]; + struct cp2112_smbus_config_report config; ++ struct gpio_irq_chip *girq; + int ret; + + dev = devm_kzalloc(&hdev->dev, sizeof(*dev), GFP_KERNEL); +@@ -1348,6 +1349,15 @@ static int cp2112_probe(struct hid_device *hdev, const struct hid_device_id *id) + dev->gc.can_sleep = 1; + dev->gc.parent = &hdev->dev; + ++ girq = &dev->gc.irq; ++ girq->chip = &cp2112_gpio_irqchip; ++ /* The event comes from the outside so no parent handler */ ++ girq->parent_handler = NULL; ++ girq->num_parents = 0; ++ girq->parents = NULL; ++ girq->default_type = IRQ_TYPE_NONE; ++ girq->handler = handle_simple_irq; ++ + ret = gpiochip_add_data(&dev->gc, dev); + if (ret < 0) { + hid_err(hdev, "error registering gpio chip\n"); +@@ -1363,17 +1373,8 @@ static int 
cp2112_probe(struct hid_device *hdev, const struct hid_device_id *id) + chmod_sysfs_attrs(hdev); + hid_hw_power(hdev, PM_HINT_NORMAL); + +- ret = gpiochip_irqchip_add(&dev->gc, &cp2112_gpio_irqchip, 0, +- handle_simple_irq, IRQ_TYPE_NONE); +- if (ret) { +- dev_err(dev->gc.parent, "failed to add IRQ chip\n"); +- goto err_sysfs_remove; +- } +- + return ret; + +-err_sysfs_remove: +- sysfs_remove_group(&hdev->dev.kobj, &cp2112_attr_group); + err_gpiochip_remove: + gpiochip_remove(&dev->gc); + err_free_i2c: +-- +2.42.0 + diff --git a/queue-4.19/hwmon-coretemp-fix-potentially-truncated-sysfs-attri.patch b/queue-4.19/hwmon-coretemp-fix-potentially-truncated-sysfs-attri.patch new file mode 100644 index 00000000000..21b6e755a05 --- /dev/null +++ b/queue-4.19/hwmon-coretemp-fix-potentially-truncated-sysfs-attri.patch 
@@ -0,0 +1,59 @@ +From 62f5b2fa1679f3c3c811076a36ce6146c2f9a051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 20:23:16 +0800 +Subject: hwmon: (coretemp) Fix potentially truncated sysfs attribute name + +From: Zhang Rui + +[ Upstream commit bbfff736d30e5283ad09e748caff979d75ddef7f ] + +When build with W=1 and "-Werror=format-truncation", below error is +observed in coretemp driver, + + drivers/hwmon/coretemp.c: In function 'create_core_data': +>> drivers/hwmon/coretemp.c:393:34: error: '%s' directive output may be truncated writing likely 5 or more bytes into a region of size between 3 and 13 [-Werror=format-truncation=] + 393 | "temp%d_%s", attr_no, suffixes[i]); + | ^~ + drivers/hwmon/coretemp.c:393:26: note: assuming directive output of 5 bytes + 393 | "temp%d_%s", attr_no, suffixes[i]); + | ^~~~~~~~~~~ + drivers/hwmon/coretemp.c:392:17: note: 'snprintf' output 7 or more bytes (assuming 22) into a destination of size 19 + 392 | snprintf(tdata->attr_name[i], CORETEMP_NAME_LENGTH, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 393 | "temp%d_%s", attr_no, suffixes[i]); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +Given that +1. '%d' could take 10 charactors, +2. '%s' could take 10 charactors ("crit_alarm"), +3. "temp", "_" and the NULL terminator take 6 charactors, +fix the problem by increasing CORETEMP_NAME_LENGTH to 28. 
+ +Signed-off-by: Zhang Rui +Fixes: 7108b80a542b ("hwmon/coretemp: Handle large core ID value") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202310200443.iD3tUbbK-lkp@intel.com/ +Link: https://lore.kernel.org/r/20231025122316.836400-1-rui.zhang@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 1b2f750577dad..33371f7a4c0f9 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -54,7 +54,7 @@ MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius"); + #define PKG_SYSFS_ATTR_NO 1 /* Sysfs attribute for package temp */ + #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */ + #define NUM_REAL_CORES 128 /* Number of Real cores per cpu */ +-#define CORETEMP_NAME_LENGTH 19 /* String Length of attrs */ ++#define CORETEMP_NAME_LENGTH 28 /* String Length of attrs */ + #define MAX_CORE_ATTRS 4 /* Maximum no of basic attrs */ + #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1) + #define MAX_CORE_DATA (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO) +-- +2.42.0 + diff --git a/queue-4.19/hwrng-geode-fix-accessing-registers.patch b/queue-4.19/hwrng-geode-fix-accessing-registers.patch new file mode 100644 index 00000000000..d00f21e144f --- /dev/null +++ b/queue-4.19/hwrng-geode-fix-accessing-registers.patch 
@@ -0,0 +1,58 @@ +From b848f5219bbdc586fea04f592489625fea158f3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Sep 2023 10:34:17 +0200 +Subject: hwrng: geode - fix accessing registers + +From: Jonas Gorski + +[ Upstream commit 464bd8ec2f06707f3773676a1bd2c64832a3c805 ] + +When the membase and pci_dev pointer were moved to a new struct in priv, +the actual membase users were left untouched, and they started reading +out arbitrary memory behind the struct instead of registers. This +unfortunately turned the RNG into a constant number generator, depending +on the content of what was at that offset. + +To fix this, update geode_rng_data_{read,present}() to also get the +membase via amd_geode_priv, and properly read from the right addresses +again. + +Fixes: 9f6ec8dc574e ("hwrng: geode - Fix PCI device refcount leak") +Reported-by: Timur I. Davletshin +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217882 +Tested-by: Timur I. Davletshin +Suggested-by: Jo-Philipp Wich +Signed-off-by: Jonas Gorski +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/geode-rng.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/hw_random/geode-rng.c b/drivers/char/hw_random/geode-rng.c +index 207272979f233..2f8289865ec81 100644 +--- a/drivers/char/hw_random/geode-rng.c ++++ b/drivers/char/hw_random/geode-rng.c +@@ -58,7 +58,8 @@ struct amd_geode_priv { + + static int geode_rng_data_read(struct hwrng *rng, u32 *data) + { +- void __iomem *mem = (void __iomem *)rng->priv; ++ struct amd_geode_priv *priv = (struct amd_geode_priv *)rng->priv; ++ void __iomem *mem = priv->membase; + + *data = readl(mem + GEODE_RNG_DATA_REG); + +@@ -67,7 +68,8 @@ static int geode_rng_data_read(struct hwrng *rng, u32 *data) + + static int geode_rng_data_present(struct hwrng *rng, int wait) + { +- void __iomem *mem = (void __iomem *)rng->priv; ++ struct amd_geode_priv *priv = (struct amd_geode_priv *)rng->priv; ++ void __iomem 
*mem = priv->membase; + int data, i; + + for (i = 0; i < 20; i++) { +-- +2.42.0 + diff --git a/queue-4.19/i40e-fix-potential-memory-leaks-in-i40e_remove.patch b/queue-4.19/i40e-fix-potential-memory-leaks-in-i40e_remove.patch new file mode 100644 index 00000000000..7ec08b97b3d --- /dev/null +++ b/queue-4.19/i40e-fix-potential-memory-leaks-in-i40e_remove.patch @@ -0,0 +1,50 @@ +From cfa4c8aa1285e8767aeecd44749a96b724c3d53c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 14:42:01 +0200 +Subject: i40e: fix potential memory leaks in i40e_remove() + +From: Andrii Staikov + +[ Upstream commit 5ca636d927a106780451d957734f02589b972e2b ] + +Instead of freeing memory of a single VSI, make sure +the memory for all VSIs is cleared before releasing VSIs. +Add releasing of their resources in a loop with the iteration +number equal to the number of allocated VSIs. + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Andrii Staikov +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index a908720535ceb..75a553f4e26f6 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -14311,11 +14311,15 @@ static void i40e_remove(struct pci_dev *pdev) + i40e_switch_branch_release(pf->veb[i]); + } + +- /* Now we can shutdown the PF's VSI, just before we kill ++ /* Now we can shutdown the PF's VSIs, just before we kill + * adminq and hmc. + */ +- if (pf->vsi[pf->lan_vsi]) +- i40e_vsi_release(pf->vsi[pf->lan_vsi]); ++ for (i = pf->num_alloc_vsi; i--;) ++ if (pf->vsi[i]) { ++ i40e_vsi_close(pf->vsi[i]); ++ i40e_vsi_release(pf->vsi[i]); ++ pf->vsi[i] = NULL; ++ } + + i40e_cloud_filter_exit(pf); + +-- +2.42.0 + 
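Review bot: in i40e_remove(), the new loop calls i40e_vsi_close() before i40e_vsi_release() on every VSI, while the removed code only called i40e_vsi_release() on the LAN VSI, and the changelog does not mention the added close. Please say in the commit message why the close is needed on this path. On style, "for (i = pf->num_alloc_vsi; i--;)" carries a multi-line body without braces on the for, and the decrement inside the loop condition is easy to misread; braces and a conventional countdown would be clearer.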
diff --git a/queue-4.19/ipv6-avoid-atomic-fragment-on-gso-packets.patch b/queue-4.19/ipv6-avoid-atomic-fragment-on-gso-packets.patch new file mode 100644 index 00000000000..8ea1c5aa86d --- /dev/null +++ b/queue-4.19/ipv6-avoid-atomic-fragment-on-gso-packets.patch 
@@ -0,0 +1,54 @@ +From dad2de1b74d83e9d3eb680481ebb786f499a131f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 07:26:40 -0700 +Subject: ipv6: avoid atomic fragment on GSO packets + +From: Yan Zhai + +[ Upstream commit 03d6c848bfb406e9ef6d9846d759e97beaeea113 ] + +When the ipv6 stack output a GSO packet, if its gso_size is larger than +dst MTU, then all segments would be fragmented. However, it is possible +for a GSO packet to have a trailing segment with smaller actual size +than both gso_size as well as the MTU, which leads to an "atomic +fragment". Atomic fragments are considered harmful in RFC-8021. An +Existing report from APNIC also shows that atomic fragments are more +likely to be dropped even it is equivalent to a no-op [1]. + +Add an extra check in the GSO slow output path. For each segment from +the original over-sized packet, if it fits with the path MTU, then avoid +generating an atomic fragment. + +Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1] +Fixes: b210de4f8c97 ("net: ipv6: Validate GSO SKB before finish IPv6 processing") +Reported-by: David Wragg +Signed-off-by: Yan Zhai +Link: https://lore.kernel.org/r/90912e3503a242dca0bc36958b11ed03a2696e5e.1698156966.git.yan@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index ff4d349e13f78..0872df066a4e5 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -153,7 +153,13 @@ ip6_finish_output_gso_slowpath_drop(struct net *net, struct sock *sk, + int err; + + skb_mark_not_on_list(segs); +- err = ip6_fragment(net, sk, segs, ip6_finish_output2); ++ /* Last GSO segment can be smaller than gso_size (and MTU). ++ * Adding a fragment header would produce an "atomic fragment", ++ * which is considered harmful (RFC-8021). Avoid that. ++ */ ++ err = segs->len > mtu ? 
++ ip6_fragment(net, sk, segs, ip6_finish_output2) : ++ ip6_finish_output2(net, sk, segs); + if (err && ret == 0) + ret = err; + } +-- +2.42.0 + diff --git a/queue-4.19/ipvlan-properly-track-tx_errors.patch b/queue-4.19/ipvlan-properly-track-tx_errors.patch new file mode 100644 index 00000000000..4f2dbe8734c --- /dev/null +++ b/queue-4.19/ipvlan-properly-track-tx_errors.patch 
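Review bot: in the ip6_finish_output_gso_slowpath_drop() hunk of net/ipv6/ip6_output.c, the new comment talks only about the "Last GSO segment", but the test "segs->len > mtu" is applied to whichever segment is being sent, and the changelog itself says "For each segment from the original over-sized packet". Reword the comment to say that any segment that already fits the MTU goes straight to ip6_finish_output2() without a fragment header. The ternary also depends on mtu being in scope here; the hunk context does not show where it comes from, so check that against the 4.19 tree before this is queued.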
@@ -0,0 +1,81 @@ +From ada711fab55f117de79e17f7cc97d517373ff87c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 13:14:46 +0000 +Subject: ipvlan: properly track tx_errors + +From: Eric Dumazet + +[ Upstream commit ff672b9ffeb3f82135488ac16c5c5eb4b992999b ] + +Both ipvlan_process_v4_outbound() and ipvlan_process_v6_outbound() +increment dev->stats.tx_errors in case of errors. + +Unfortunately there are two issues : + +1) ipvlan_get_stats64() does not propagate dev->stats.tx_errors to user. + +2) Increments are not atomic. KCSAN would complain eventually. + +Use DEV_STATS_INC() to not miss an update, and change ipvlan_get_stats64() +to copy the value back to user. + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Eric Dumazet +Cc: Mahesh Bandewar +Link: https://lore.kernel.org/r/20231026131446.3933175-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 8 ++++---- + drivers/net/ipvlan/ipvlan_main.c | 1 + + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 6b6c5a7250a65..ecb10fb249af4 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -448,12 +448,12 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) + + err = ip_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) +- dev->stats.tx_errors++; ++ DEV_STATS_INC(dev, tx_errors); + else + ret = NET_XMIT_SUCCESS; + goto out; + err: +- dev->stats.tx_errors++; ++ DEV_STATS_INC(dev, tx_errors); + kfree_skb(skb); + out: + return ret; +@@ -489,12 +489,12 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + + err = ip6_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) +- dev->stats.tx_errors++; ++ DEV_STATS_INC(dev, tx_errors); + else + ret = NET_XMIT_SUCCESS; + goto out; + err: +- dev->stats.tx_errors++; ++ 
DEV_STATS_INC(dev, tx_errors); + kfree_skb(skb); + out: + return ret; +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index 9fa3c0bd6ec78..6d2ff73b63f8d 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -392,6 +392,7 @@ static void ipvlan_get_stats64(struct net_device *dev, + s->rx_dropped = rx_errs; + s->tx_dropped = tx_drps; + } ++ s->tx_errors = DEV_STATS_READ(dev, tx_errors); + } + + static int ipvlan_vlan_rx_add_vid(struct net_device *dev, __be16 proto, u16 vid) +-- +2.42.0 + diff --git a/queue-4.19/leds-pwm-convert-to-atomic-pwm-api.patch b/queue-4.19/leds-pwm-convert-to-atomic-pwm-api.patch new file mode 100644 index 00000000000..33f8166db9b --- /dev/null +++ b/queue-4.19/leds-pwm-convert-to-atomic-pwm-api.patch 
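Review bot: the four replacements in ipvlan_core.c and the new line in ipvlan_get_stats64() rely on DEV_STATS_INC() and DEV_STATS_READ(), which nothing in this patch defines. For a 4.19 backport, confirm the tree already carries those macros and the atomic dev->stats fields behind them, otherwise the driver will not build. It would also help to say in the changelog that "s->tx_errors = DEV_STATS_READ(dev, tx_errors);" is deliberately placed after the closing brace of the block that fills rx_dropped and tx_dropped, so the counter is reported regardless of that block.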
@@ -0,0 +1,121 @@ +From 3e4fd67eda787a477872cb3b36ea960316ab5002 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 17:54:08 +0100 +Subject: leds: pwm: convert to atomic PWM API +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit dd47a83453e4a5b0d6a91fe702b7fbc1984fb610 ] + +pwm_config(), pwm_enable() and pwm_disable() should get removed in the +long run. So update the driver to use the atomic API that is here to +stay. + +A few side effects: + + - led_pwm_set() now returns an error when setting the PWM fails. + - During .probe() the PWM isn't disabled implicitly by pwm_apply_args() + any more. + +Signed-off-by: Uwe Kleine-König +Tested-by: Jeff LaBundy +Signed-off-by: Pavel Machek +Stable-dep-of: 76fe464c8e64 ("leds: pwm: Don't disable the PWM when the LED should be off") +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pwm.c | 41 +++++++++-------------------------------- + 1 file changed, 9 insertions(+), 32 deletions(-) + +diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c +index dc5c6100a419f..16c78df7a7632 100644 +--- a/drivers/leds/leds-pwm.c ++++ b/drivers/leds/leds-pwm.c +@@ -25,9 +25,8 @@ + struct led_pwm_data { + struct led_classdev cdev; + struct pwm_device *pwm; ++ struct pwm_state pwmstate; + unsigned int active_low; +- unsigned int period; +- int duty; + }; + + struct led_pwm_priv { +@@ -35,37 +34,23 @@ struct led_pwm_priv { + struct led_pwm_data leds[0]; + }; + +-static void __led_pwm_set(struct led_pwm_data *led_dat) +-{ +- int new_duty = led_dat->duty; +- +- pwm_config(led_dat->pwm, new_duty, led_dat->period); +- +- if (new_duty == 0) +- pwm_disable(led_dat->pwm); +- else +- pwm_enable(led_dat->pwm); +-} +- + static int led_pwm_set(struct led_classdev *led_cdev, + enum led_brightness brightness) + { + struct led_pwm_data *led_dat = + container_of(led_cdev, struct led_pwm_data, cdev); + unsigned int max = 
led_dat->cdev.max_brightness; +- unsigned long long duty = led_dat->period; ++ unsigned long long duty = led_dat->pwmstate.period; + + duty *= brightness; + do_div(duty, max); + + if (led_dat->active_low) +- duty = led_dat->period - duty; +- +- led_dat->duty = duty; +- +- __led_pwm_set(led_dat); ++ duty = led_dat->pwmstate.period - duty; + +- return 0; ++ led_dat->pwmstate.duty_cycle = duty; ++ led_dat->pwmstate.enabled = duty > 0; ++ return pwm_apply_state(led_dat->pwm, &led_dat->pwmstate); + } + + static inline size_t sizeof_pwm_leds_priv(int num_leds) +@@ -84,7 +69,6 @@ static int led_pwm_add(struct device *dev, struct led_pwm_priv *priv, + struct led_pwm *led, struct device_node *child) + { + struct led_pwm_data *led_data = &priv->leds[priv->num_leds]; +- struct pwm_args pargs; + int ret; + + led_data->active_low = led->active_low; +@@ -108,17 +92,10 @@ static int led_pwm_add(struct device *dev, struct led_pwm_priv *priv, + + led_data->cdev.brightness_set_blocking = led_pwm_set; + +- /* +- * FIXME: pwm_apply_args() should be removed when switching to the +- * atomic PWM API. +- */ +- pwm_apply_args(led_data->pwm); +- +- pwm_get_args(led_data->pwm, &pargs); ++ pwm_init_state(led_data->pwm, &led_data->pwmstate); + +- led_data->period = pargs.period; +- if (!led_data->period) +- led_data->period = led->pwm_period_ns; ++ if (!led_data->pwmstate.period) ++ led_data->pwmstate.period = led->pwm_period_ns; + + ret = led_classdev_register(dev, &led_data->cdev); + if (ret == 0) { +-- +2.42.0 + diff --git a/queue-4.19/leds-pwm-don-t-disable-the-pwm-when-the-led-should-b.patch b/queue-4.19/leds-pwm-don-t-disable-the-pwm-when-the-led-should-b.patch new file mode 100644 index 00000000000..67344dec50a --- /dev/null +++ b/queue-4.19/leds-pwm-don-t-disable-the-pwm-when-the-led-should-b.patch 
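Review bot: in the led_pwm_set() hunk of drivers/leds/leds-pwm.c, "led_dat->pwmstate.enabled = duty > 0;" is evaluated after the active_low inversion ("duty = led_dat->pwmstate.period - duty;"), so an active-low LED at full brightness ends up with duty 0 and a disabled PWM. That mirrors the removed __led_pwm_set(), which called pwm_disable() when new_duty was 0, so it is not a regression, but it carries the old behaviour into the atomic API unchanged. Since this patch is tagged Stable-dep-of 76fe464c8e64, make sure it is never queued without that follow-up. The changelog lists the new error return of led_pwm_set() as a side effect; a short note on how a failure from pwm_apply_state() is expected to surface to the LED core would be useful.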
@@ -0,0 +1,53 @@ +From eb16627b1dc2f1d9cb2ebdb1453e4894e8a02dd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 21:28:34 +0200 +Subject: leds: pwm: Don't disable the PWM when the LED should be off +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 76fe464c8e64e71b2e4af11edeef0e5d85eeb6aa ] + +Disabling a PWM (i.e. calling pwm_apply_state with .enabled = false) +gives no guarantees what the PWM output does. It might freeze where it +currently is, or go in a High-Z state or drive the active or inactive +state, it might even continue to toggle. + +To ensure that the LED gets really disabled, don't disable the PWM even +when .duty_cycle is zero. + +This fixes disabling a leds-pwm LED on i.MX28. The PWM on this SoC is +one of those that freezes its output on disable, so if you disable an +LED that is full on, it stays on. If you disable a LED with half +brightness it goes off in 50% of the cases and full on in the other 50%. + +Fixes: 41c42ff5dbe2 ("leds: simple driver for pwm driven LEDs") +Reported-by: Rogan Dawes +Reported-by: Fabio Estevam +Signed-off-by: Uwe Kleine-König +Reviewed-by: Fabio Estevam +Link: https://lore.kernel.org/r/20230922192834.1695727-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pwm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c +index 16c78df7a7632..107e635cac245 100644 +--- a/drivers/leds/leds-pwm.c ++++ b/drivers/leds/leds-pwm.c +@@ -49,7 +49,7 @@ static int led_pwm_set(struct led_classdev *led_cdev, + duty = led_dat->pwmstate.period - duty; + + led_dat->pwmstate.duty_cycle = duty; +- led_dat->pwmstate.enabled = duty > 0; ++ led_dat->pwmstate.enabled = true; + return pwm_apply_state(led_dat->pwm, &led_dat->pwmstate); + } + +-- +2.42.0 + 
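Review bot: "led_dat->pwmstate.enabled = true;" in led_pwm_set() has no comment saying why it is unconditional, and on its own the line reads like an oversight that a later cleanup could turn back into "duty > 0". Add a one-line comment at that spot stating that a disabled PWM gives no guarantee about its output level, so the LED is switched off through a zero duty cycle instead. The changelog should also state the consequence that the PWM now stays enabled for as long as the LED is registered, including while it is off.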
diff --git a/queue-4.19/leds-pwm-simplify-if-condition.patch b/queue-4.19/leds-pwm-simplify-if-condition.patch new file mode 100644 index 00000000000..450bf252d65 --- /dev/null +++ b/queue-4.19/leds-pwm-simplify-if-condition.patch @@ -0,0 +1,41 @@ +From ba3a90803ceb1eb8684933e43a5d73f5a94e7a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 17:54:07 +0100 +Subject: leds: pwm: simplify if condition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit b43a8f01fccbfdddbc7f9b2bbad11b7db3fda4e1 ] + +.pwm_period_ns is an unsigned integer. So when led->pwm_period_ns > 0 +is false, we now assign 0 to a value that is already 0, so it doesn't +hurt and we can skip checking the actual value. + +Signed-off-by: Uwe Kleine-König +Tested-by: Jeff LaBundy +Signed-off-by: Pavel Machek +Stable-dep-of: 76fe464c8e64 ("leds: pwm: Don't disable the PWM when the LED should be off") +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pwm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c +index 5d3faae51d59e..dc5c6100a419f 100644 +--- a/drivers/leds/leds-pwm.c ++++ b/drivers/leds/leds-pwm.c +@@ -117,7 +117,7 @@ static int led_pwm_add(struct device *dev, struct led_pwm_priv *priv, + pwm_get_args(led_data->pwm, &pargs); + + led_data->period = pargs.period; +- if (!led_data->period && (led->pwm_period_ns > 0)) ++ if (!led_data->period) + led_data->period = led->pwm_period_ns; + + ret = led_classdev_register(dev, &led_data->cdev); +-- +2.42.0 + diff --git a/queue-4.19/leds-trigger-ledtrig-cpu-fix-output-may-be-truncated.patch b/queue-4.19/leds-trigger-ledtrig-cpu-fix-output-may-be-truncated.patch new file mode 100644 index 00000000000..3a55556153f --- /dev/null +++ b/queue-4.19/leds-trigger-ledtrig-cpu-fix-output-may-be-truncated.patch 
@@ -0,0 +1,63 @@ +From 5d56a1c4b814631fe8674bd786daf867c9b3f89f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Sep 2023 09:15:38 +0200 +Subject: leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for + 'cpu' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe JAILLET + +[ Upstream commit ff50f53276131a3059e8307d11293af388ed2bcd ] + +In order to teach the compiler that 'trig->name' will never be truncated, +we need to tell it that 'cpu' is not negative. + +When building with W=1, this fixes the following warnings: + + drivers/leds/trigger/ledtrig-cpu.c: In function ‘ledtrig_cpu_init’: + drivers/leds/trigger/ledtrig-cpu.c:155:56: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 5 [-Werror=format-truncation=] + 155 | snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu); + | ^~ + drivers/leds/trigger/ledtrig-cpu.c:155:52: note: directive argument in the range [-2147483648, 7] + 155 | snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu); + | ^~~~~~~ + drivers/leds/trigger/ledtrig-cpu.c:155:17: note: ‘snprintf’ output between 5 and 15 bytes into a destination of size 8 + 155 | snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 8f88731d052d ("led-triggers: create a trigger for CPU activity") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/3f4be7a99933cf8566e630da54f6ab913caac432.1695453322.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/trigger/ledtrig-cpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/leds/trigger/ledtrig-cpu.c b/drivers/leds/trigger/ledtrig-cpu.c +index 1fca1ad00c3b9..19e068cadedfb 100644 +--- a/drivers/leds/trigger/ledtrig-cpu.c ++++ b/drivers/leds/trigger/ledtrig-cpu.c +@@ -134,7 +134,7 @@ static int ledtrig_prepare_down_cpu(unsigned int cpu) + + 
static int __init ledtrig_cpu_init(void) + { +- int cpu; ++ unsigned int cpu; + int ret; + + /* Supports up to 9999 cpu cores */ +@@ -156,7 +156,7 @@ static int __init ledtrig_cpu_init(void) + if (cpu >= 8) + continue; + +- snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu); ++ snprintf(trig->name, MAX_NAME_LEN, "cpu%u", cpu); + + led_trigger_register_simple(trig->name, &trig->_trig); + } +-- +2.42.0 + diff --git a/queue-4.19/ledtrig-cpu-limit-to-8-cpus.patch b/queue-4.19/ledtrig-cpu-limit-to-8-cpus.patch new file mode 100644 index 00000000000..93e3c983832 --- /dev/null +++ b/queue-4.19/ledtrig-cpu-limit-to-8-cpus.patch 
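Review bot: the first ledtrig_cpu_init() hunk in drivers/leds/trigger/ledtrig-cpu.c leaves the context comment "/* Supports up to 9999 cpu cores */" in place, while the second hunk's context skips every "cpu >= 8", so the comment no longer describes what the function registers. Update or drop that comment in the same change. The changelog explains that the switch to unsigned int and "%u" is only there to let the compiler prove the name fits; a short comment next to the snprintf() saying that cpu is bounded by the check above would keep the reasoning next to the code it protects.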
@@ -0,0 +1,60 @@ +From 0f5e52ef9de36e1e3dfb8d7fe32a9bd3d448dd3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 11:34:58 +0200 +Subject: ledtrig-cpu: Limit to 8 CPUs + +From: Pavel Machek + +[ Upstream commit abcc131292aa8c7de2c5f0ed76a717436c21de63 ] + +Some machines have thousands of CPUs... and trigger mechanisms was not +really meant for thousands of triggers. I doubt anyone uses this +trigger on many-CPU machine; but if they do, they'll need to do it +properly. + +Signed-off-by: Pavel Machek +Stable-dep-of: ff50f5327613 ("leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'") +Signed-off-by: Sasha Levin +--- + drivers/leds/trigger/ledtrig-cpu.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/trigger/ledtrig-cpu.c b/drivers/leds/trigger/ledtrig-cpu.c +index 66a6260919367..1fca1ad00c3b9 100644 +--- a/drivers/leds/trigger/ledtrig-cpu.c ++++ b/drivers/leds/trigger/ledtrig-cpu.c +@@ -1,14 +1,18 @@ + /* + * ledtrig-cpu.c - LED trigger based on CPU activity + * +- * This LED trigger will be registered for each possible CPU and named as +- * cpu0, cpu1, cpu2, cpu3, etc. ++ * This LED trigger will be registered for first 8 CPUs and named ++ * as cpu0..cpu7. There's additional trigger called cpu that ++ * is on when any CPU is active. ++ * ++ * If you want support for arbitrary number of CPUs, make it one trigger, ++ * with additional sysfs file selecting which CPU to watch. + * + * It can be bound to any LED just like other triggers using either a + * board file or via sysfs interface. + * + * An API named ledtrig_cpu is exported for any user, who want to add CPU +- * activity indication in their code ++ * activity indication in their code. 
+ * + * Copyright 2011 Linus Walleij + * Copyright 2011 - 2012 Bryan Wu +@@ -149,6 +153,9 @@ static int __init ledtrig_cpu_init(void) + for_each_possible_cpu(cpu) { + struct led_trigger_cpu *trig = &per_cpu(cpu_trig, cpu); + ++ if (cpu >= 8) ++ continue; ++ + snprintf(trig->name, MAX_NAME_LEN, "cpu%d", cpu); + + led_trigger_register_simple(trig->name, &trig->_trig); +-- +2.42.0 + diff --git a/queue-4.19/macsec-fix-traffic-counters-statistics.patch b/queue-4.19/macsec-fix-traffic-counters-statistics.patch new file mode 100644 index 00000000000..e049d3c5b9e --- /dev/null +++ b/queue-4.19/macsec-fix-traffic-counters-statistics.patch 
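Review bot: "if (cpu >= 8)" in ledtrig_cpu_init() hard-codes the same limit that the rewritten header comment spells out as "first 8 CPUs" and "cpu0..cpu7". Give it a named constant so the comment, the check and any later user of the limit stay in sync. The check also uses "continue", which on the many-CPU machines the changelog mentions still walks every remaining possible CPU and fetches its per-CPU trigger for nothing; since the CPUs are visited in ascending order, "break" would express the intent more directly.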
@@ -0,0 +1,250 @@ +From 59c28829e05ccf75b85235345f3eea32a6cc4895 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 15:38:23 -0700 +Subject: macsec: Fix traffic counters/statistics + +From: Clayton Yager + +[ Upstream commit 91ec9bd57f3524ff3d86bfb7c9ee5a315019733c ] + +OutOctetsProtected, OutOctetsEncrypted, InOctetsValidated, and +InOctetsDecrypted were incrementing by the total number of octets in frames +instead of by the number of octets of User Data in frames. + +The Controlled Port statistics ifOutOctets and ifInOctets were incrementing +by the total number of octets instead of the number of octets of the MSDUs +plus octets of the destination and source MAC addresses. + +The Controlled Port statistics ifInDiscards and ifInErrors were not +incrementing each time the counters they aggregate were. + +The Controlled Port statistic ifInErrors was not included in the output of +macsec_get_stats64 so the value was not present in ip commands output. + +The ReceiveSA counters InPktsNotValid, InPktsNotUsingSA, and InPktsUnusedSA +were not incrementing. + +Signed-off-by: Clayton Yager +Signed-off-by: David S. 
Miller +Stable-dep-of: ff672b9ffeb3 ("ipvlan: properly track tx_errors") +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 58 +++++++++++++++++++++++++++++++++++++------- + 1 file changed, 49 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index a913ba87209a2..73b1be3450f14 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -322,6 +322,19 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr) + return sa; + } + ++static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc) ++{ ++ struct macsec_rx_sa *sa = NULL; ++ int an; ++ ++ for (an = 0; an < MACSEC_NUM_AN; an++) { ++ sa = macsec_rxsa_get(rx_sc->sa[an]); ++ if (sa) ++ break; ++ } ++ return sa; ++} ++ + static void free_rx_sc_rcu(struct rcu_head *head) + { + struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head); +@@ -566,18 +579,28 @@ static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev) + skb->protocol = eth_hdr(skb)->h_proto; + } + ++static unsigned int macsec_msdu_len(struct sk_buff *skb) ++{ ++ struct macsec_dev *macsec = macsec_priv(skb->dev); ++ struct macsec_secy *secy = &macsec->secy; ++ bool sci_present = macsec_skb_cb(skb)->has_sci; ++ ++ return skb->len - macsec_hdr_len(sci_present) - secy->icv_len; ++} ++ + static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc, + struct macsec_tx_sa *tx_sa) + { ++ unsigned int msdu_len = macsec_msdu_len(skb); + struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats); + + u64_stats_update_begin(&txsc_stats->syncp); + if (tx_sc->encrypt) { +- txsc_stats->stats.OutOctetsEncrypted += skb->len; ++ txsc_stats->stats.OutOctetsEncrypted += msdu_len; + txsc_stats->stats.OutPktsEncrypted++; + this_cpu_inc(tx_sa->stats->OutPktsEncrypted); + } else { +- txsc_stats->stats.OutOctetsProtected += skb->len; ++ txsc_stats->stats.OutOctetsProtected += msdu_len; + txsc_stats->stats.OutPktsProtected++; 
+ this_cpu_inc(tx_sa->stats->OutPktsProtected); + } +@@ -607,9 +630,10 @@ static void macsec_encrypt_done(struct crypto_async_request *base, int err) + aead_request_free(macsec_skb_cb(skb)->req); + + rcu_read_lock_bh(); +- macsec_encrypt_finish(skb, dev); + macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa); +- len = skb->len; ++ /* packet is encrypted/protected so tx_bytes must be calculated */ ++ len = macsec_msdu_len(skb) + 2 * ETH_ALEN; ++ macsec_encrypt_finish(skb, dev); + ret = dev_queue_xmit(skb); + count_tx(dev, ret, len); + rcu_read_unlock_bh(); +@@ -765,6 +789,7 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb, + + macsec_skb_cb(skb)->req = req; + macsec_skb_cb(skb)->tx_sa = tx_sa; ++ macsec_skb_cb(skb)->has_sci = sci_present; + aead_request_set_callback(req, 0, macsec_encrypt_done, skb); + + dev_hold(skb->dev); +@@ -805,15 +830,17 @@ static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsLate++; + u64_stats_update_end(&rxsc_stats->syncp); ++ secy->netdev->stats.rx_dropped++; + return false; + } + + if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) { ++ unsigned int msdu_len = macsec_msdu_len(skb); + u64_stats_update_begin(&rxsc_stats->syncp); + if (hdr->tci_an & MACSEC_TCI_E) +- rxsc_stats->stats.InOctetsDecrypted += skb->len; ++ rxsc_stats->stats.InOctetsDecrypted += msdu_len; + else +- rxsc_stats->stats.InOctetsValidated += skb->len; ++ rxsc_stats->stats.InOctetsValidated += msdu_len; + u64_stats_update_end(&rxsc_stats->syncp); + } + +@@ -826,6 +853,8 @@ static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsNotValid++; + u64_stats_update_end(&rxsc_stats->syncp); ++ this_cpu_inc(rx_sa->stats->InPktsNotValid); ++ secy->netdev->stats.rx_errors++; + return false; + } + +@@ -911,9 +940,9 @@ static void macsec_decrypt_done(struct 
crypto_async_request *base, int err) + + macsec_finalize_skb(skb, macsec->secy.icv_len, + macsec_extra_len(macsec_skb_cb(skb)->has_sci)); ++ len = skb->len; + macsec_reset_skb(skb, macsec->secy.netdev); + +- len = skb->len; + if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS) + count_rx(dev, len); + +@@ -1055,6 +1084,7 @@ static void handle_not_macsec(struct sk_buff *skb) + u64_stats_update_begin(&secy_stats->syncp); + secy_stats->stats.InPktsNoTag++; + u64_stats_update_end(&secy_stats->syncp); ++ macsec->secy.netdev->stats.rx_dropped++; + continue; + } + +@@ -1165,6 +1195,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&secy_stats->syncp); + secy_stats->stats.InPktsBadTag++; + u64_stats_update_end(&secy_stats->syncp); ++ secy->netdev->stats.rx_errors++; + goto drop_nosa; + } + +@@ -1175,11 +1206,15 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + /* If validateFrames is Strict or the C bit in the + * SecTAG is set, discard + */ ++ struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc); + if (hdr->tci_an & MACSEC_TCI_C || + secy->validate_frames == MACSEC_VALIDATE_STRICT) { + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsNotUsingSA++; + u64_stats_update_end(&rxsc_stats->syncp); ++ secy->netdev->stats.rx_errors++; ++ if (active_rx_sa) ++ this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA); + goto drop_nosa; + } + +@@ -1189,6 +1224,8 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsUnusedSA++; + u64_stats_update_end(&rxsc_stats->syncp); ++ if (active_rx_sa) ++ this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA); + goto deliver; + } + +@@ -1206,6 +1243,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsLate++; + u64_stats_update_end(&rxsc_stats->syncp); ++ 
macsec->secy.netdev->stats.rx_dropped++; + goto drop; + } + } +@@ -1234,6 +1272,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + deliver: + macsec_finalize_skb(skb, secy->icv_len, + macsec_extra_len(macsec_skb_cb(skb)->has_sci)); ++ len = skb->len; + macsec_reset_skb(skb, secy->netdev); + + if (rx_sa) +@@ -1241,7 +1280,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + macsec_rxsc_put(rx_sc); + + skb_orphan(skb); +- len = skb->len; + ret = gro_cells_receive(&macsec->gro_cells, skb); + if (ret == NET_RX_SUCCESS) + count_rx(dev, len); +@@ -1283,6 +1321,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&secy_stats->syncp); + secy_stats->stats.InPktsNoSCI++; + u64_stats_update_end(&secy_stats->syncp); ++ macsec->secy.netdev->stats.rx_errors++; + continue; + } + +@@ -2737,6 +2776,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, + return NETDEV_TX_OK; + } + ++ len = skb->len; + skb = macsec_encrypt(skb, dev); + if (IS_ERR(skb)) { + if (PTR_ERR(skb) != -EINPROGRESS) +@@ -2747,7 +2787,6 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, + macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa); + + macsec_encrypt_finish(skb, dev); +- len = skb->len; + ret = dev_queue_xmit(skb); + count_tx(dev, ret, len); + return ret; +@@ -2962,6 +3001,7 @@ static void macsec_get_stats64(struct net_device *dev, + + s->rx_dropped = dev->stats.rx_dropped; + s->tx_dropped = dev->stats.tx_dropped; ++ s->rx_errors = dev->stats.rx_errors; + } + + static int macsec_get_iflink(const struct net_device *dev) +-- +2.42.0 + diff --git a/queue-4.19/macsec-use-dev_stats_inc.patch b/queue-4.19/macsec-use-dev_stats_inc.patch new file mode 100644 index 00000000000..64ebec54165 --- /dev/null +++ b/queue-4.19/macsec-use-dev_stats_inc.patch 
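Review bot: in the macsec_handle_frame() hunk that adds "struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc);", the pointer comes from macsec_rxsa_get() via the new helper, and neither the "goto drop_nosa" path nor the "goto deliver" path shown here releases it. If macsec_rxsa_get() takes a reference on the SA, every frame that reaches this block leaks one; add the matching put once the per-SA counter has been bumped, or state in a comment why none is needed. The helper macsec_active_rxsa_get() also has no comment saying that it returns the first SA it can get in AN order rather than one selected by the frame, which matters for anyone reading the InPktsNotUsingSA and InPktsUnusedSA counters later.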
@@ -0,0 +1,146 @@ +From e143654290c6df0daf2d50c7780f486bb8663041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 17:26:52 +0000 +Subject: macsec: use DEV_STATS_INC() + +From: Eric Dumazet + +[ Upstream commit 32d0a49d36a2a306c2e47fe5659361e424f0ed3f ] + +syzbot/KCSAN reported data-races in macsec whenever dev->stats fields +are updated. + +It appears all of these updates can happen from multiple cpus. + +Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Sabrina Dubroca +Signed-off-by: David S. Miller +Stable-dep-of: ff672b9ffeb3 ("ipvlan: properly track tx_errors") +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 73b1be3450f14..e22d336679d12 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -830,7 +830,7 @@ static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsLate++; + u64_stats_update_end(&rxsc_stats->syncp); +- secy->netdev->stats.rx_dropped++; ++ DEV_STATS_INC(secy->netdev, rx_dropped); + return false; + } + +@@ -854,7 +854,7 @@ static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u + rxsc_stats->stats.InPktsNotValid++; + u64_stats_update_end(&rxsc_stats->syncp); + this_cpu_inc(rx_sa->stats->InPktsNotValid); +- secy->netdev->stats.rx_errors++; ++ DEV_STATS_INC(secy->netdev, rx_errors); + return false; + } + +@@ -1084,7 +1084,7 @@ static void handle_not_macsec(struct sk_buff *skb) + u64_stats_update_begin(&secy_stats->syncp); + secy_stats->stats.InPktsNoTag++; + u64_stats_update_end(&secy_stats->syncp); +- macsec->secy.netdev->stats.rx_dropped++; ++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped); + continue; + } + +@@ 
-1195,7 +1195,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&secy_stats->syncp); + secy_stats->stats.InPktsBadTag++; + u64_stats_update_end(&secy_stats->syncp); +- secy->netdev->stats.rx_errors++; ++ DEV_STATS_INC(secy->netdev, rx_errors); + goto drop_nosa; + } + +@@ -1212,7 +1212,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsNotUsingSA++; + u64_stats_update_end(&rxsc_stats->syncp); +- secy->netdev->stats.rx_errors++; ++ DEV_STATS_INC(secy->netdev, rx_errors); + if (active_rx_sa) + this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA); + goto drop_nosa; +@@ -1243,7 +1243,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&rxsc_stats->syncp); + rxsc_stats->stats.InPktsLate++; + u64_stats_update_end(&rxsc_stats->syncp); +- macsec->secy.netdev->stats.rx_dropped++; ++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped); + goto drop; + } + } +@@ -1284,7 +1284,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + if (ret == NET_RX_SUCCESS) + count_rx(dev, len); + else +- macsec->secy.netdev->stats.rx_dropped++; ++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped); + + rcu_read_unlock(); + +@@ -1321,7 +1321,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + u64_stats_update_begin(&secy_stats->syncp); + secy_stats->stats.InPktsNoSCI++; + u64_stats_update_end(&secy_stats->syncp); +- macsec->secy.netdev->stats.rx_errors++; ++ DEV_STATS_INC(macsec->secy.netdev, rx_errors); + continue; + } + +@@ -1340,7 +1340,7 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) + secy_stats->stats.InPktsUnknownSCI++; + u64_stats_update_end(&secy_stats->syncp); + } else { +- macsec->secy.netdev->stats.rx_dropped++; ++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped); + } + } + +@@ -2772,7 +2772,7 @@ static netdev_tx_t 
macsec_start_xmit(struct sk_buff *skb, + + if (!secy->operational) { + kfree_skb(skb); +- dev->stats.tx_dropped++; ++ DEV_STATS_INC(dev, tx_dropped); + return NETDEV_TX_OK; + } + +@@ -2780,7 +2780,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, + skb = macsec_encrypt(skb, dev); + if (IS_ERR(skb)) { + if (PTR_ERR(skb) != -EINPROGRESS) +- dev->stats.tx_dropped++; ++ DEV_STATS_INC(dev, tx_dropped); + return NETDEV_TX_OK; + } + +@@ -2999,9 +2999,9 @@ static void macsec_get_stats64(struct net_device *dev, + s->tx_bytes += tmp.tx_bytes; + } + +- s->rx_dropped = dev->stats.rx_dropped; +- s->tx_dropped = dev->stats.tx_dropped; +- s->rx_errors = dev->stats.rx_errors; ++ s->rx_dropped = atomic_long_read(&dev->stats.__rx_dropped); ++ s->tx_dropped = atomic_long_read(&dev->stats.__tx_dropped); ++ s->rx_errors = atomic_long_read(&dev->stats.__rx_errors); + } + + static int macsec_get_iflink(const struct net_device *dev) +-- +2.42.0 + diff --git a/queue-4.19/media-bttv-fix-use-after-free-error-due-to-btv-timeo.patch b/queue-4.19/media-bttv-fix-use-after-free-error-due-to-btv-timeo.patch new file mode 100644 index 00000000000..3da6fe88770 --- /dev/null +++ b/queue-4.19/media-bttv-fix-use-after-free-error-due-to-btv-timeo.patch 
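Review bot: the macsec_get_stats64() hunk reads the counters with "atomic_long_read(&dev->stats.__rx_dropped)" and its two siblings, reaching into the double-underscore fields directly, while the ipvlan patch in this same queue reads its counter with "DEV_STATS_READ(dev, tx_errors)". Use the accessor here too (rx_dropped, tx_dropped, rx_errors) so that the writers converted to DEV_STATS_INC() and the reader go through the same pair and the field layout stays private to the macros.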
@@ -0,0 +1,52 @@ +From 6057cea072ea899c2d42fece88c24610c69fc914 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 11:49:42 +0800 +Subject: media: bttv: fix use after free error due to btv->timeout timer + +From: Zheng Wang + +[ Upstream commit bd5b50b329e850d467e7bcc07b2b6bde3752fbda ] + +There may be some a race condition between timer function +bttv_irq_timeout and bttv_remove. The timer is setup in +probe and there is no timer_delete operation in remove +function. When it hit kfree btv, the function might still be +invoked, which will cause use after free bug. + +This bug is found by static analysis, it may be false positive. + +Fix it by adding del_timer_sync invoking to the remove function. + +cpu0 cpu1 + bttv_probe + ->timer_setup + ->bttv_set_dma + ->mod_timer; +bttv_remove + ->kfree(btv); + ->bttv_irq_timeout + ->USE btv + +Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()") +Signed-off-by: Zheng Wang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/bt8xx/bttv-driver.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c +index 2a9d25431d733..fce894574c411 100644 +--- a/drivers/media/pci/bt8xx/bttv-driver.c ++++ b/drivers/media/pci/bt8xx/bttv-driver.c +@@ -4300,6 +4300,7 @@ static void bttv_remove(struct pci_dev *pci_dev) + + /* free resources */ + free_irq(btv->c.pci->irq,btv); ++ del_timer_sync(&btv->timeout); + iounmap(btv->bt848_mmio); + release_mem_region(pci_resource_start(btv->c.pci,0), + pci_resource_len(btv->c.pci,0)); +-- +2.42.0 + diff --git a/queue-4.19/media-dvb-usb-v2-af9035-fix-missing-unlock.patch b/queue-4.19/media-dvb-usb-v2-af9035-fix-missing-unlock.patch new file mode 100644 index 00000000000..8194585ab42 --- /dev/null +++ b/queue-4.19/media-dvb-usb-v2-af9035-fix-missing-unlock.patch 
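Review bot: in bttv_remove(), "del_timer_sync(&btv->timeout);" waits for a running bttv_irq_timeout() to finish but does nothing to stop a later mod_timer() from arming the timer again. The changelog names bttv_set_dma() as the place that arms it, so confirm that nothing can still reach that call once remove has got this far (the IRQ is already freed on the line above) and record that in the changelog, which currently only says the report "may be false positive". The placement itself, after free_irq() and before iounmap(), deserves a short comment so that a later reordering of the teardown does not move the timer deletion past the point where the handler's resources are gone.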
@@ -0,0 +1,67 @@ +From 927d5d052989cd0fc7e12879695332b75e9175de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 12:08:45 +0200 +Subject: media: dvb-usb-v2: af9035: fix missing unlock + +From: Hans Verkuil + +[ Upstream commit f31b2cb85f0ee165d78e1c43f6d69f82cc3b2145 ] + +Instead of returning an error, goto the mutex unlock at +the end of the function. + +Fixes smatch warning: + +drivers/media/usb/dvb-usb-v2/af9035.c:467 af9035_i2c_master_xfer() warn: inconsistent returns '&d->i2c_mutex'. + Locked on : 326,387 + Unlocked on: 465,467 + +Signed-off-by: Hans Verkuil +Fixes: 7bf744f2de0a ("media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer") +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/af9035.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c +index 8a83f27875ec9..2ed29a99fee1e 100644 +--- a/drivers/media/usb/dvb-usb-v2/af9035.c ++++ b/drivers/media/usb/dvb-usb-v2/af9035.c +@@ -337,8 +337,10 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { +- if (msg[0].len < 3 || msg[1].len < 1) +- return -EOPNOTSUPP; ++ if (msg[0].len < 3 || msg[1].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } + /* demod access via firmware interface */ + reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ -398,8 +400,10 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { +- if (msg[0].len < 3) +- return -EOPNOTSUPP; ++ if (msg[0].len < 3) { ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } + /* demod access via firmware interface */ + reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ 
-474,6 +478,7 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } + ++unlock: + mutex_unlock(&d->i2c_mutex); + + if (ret < 0) +-- +2.42.0 + diff --git a/queue-4.19/media-s3c-camif-avoid-inappropriate-kfree.patch b/queue-4.19/media-s3c-camif-avoid-inappropriate-kfree.patch new file mode 100644 index 00000000000..6641436fb55 --- /dev/null +++ b/queue-4.19/media-s3c-camif-avoid-inappropriate-kfree.patch 
@@ -0,0 +1,54 @@ +From beead3b83c269b426b80238940e0fdea85e7e3cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 14:55:06 +0300 +Subject: media: s3c-camif: Avoid inappropriate kfree() + +From: Katya Orlova + +[ Upstream commit 61334819aca018c3416ee6c330a08a49c1524fc3 ] + +s3c_camif_register_video_node() works with video_device structure stored +as a field of camif_vp, so it should not be kfreed. +But there is video_device_release() on error path that do it. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface") +Signed-off-by: Katya Orlova +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s3c-camif/camif-capture.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c +index c02dce8b4c6c7..6e150fc64e0a0 100644 +--- a/drivers/media/platform/s3c-camif/camif-capture.c ++++ b/drivers/media/platform/s3c-camif/camif-capture.c +@@ -1142,12 +1142,12 @@ int s3c_camif_register_video_node(struct camif_dev *camif, int idx) + + ret = vb2_queue_init(q); + if (ret) +- goto err_vd_rel; ++ return ret; + + vp->pad.flags = MEDIA_PAD_FL_SINK; + ret = media_entity_pads_init(&vfd->entity, 1, &vp->pad); + if (ret) +- goto err_vd_rel; ++ return ret; + + video_set_drvdata(vfd, vp); + +@@ -1179,8 +1179,6 @@ int s3c_camif_register_video_node(struct camif_dev *camif, int idx) + v4l2_ctrl_handler_free(&vp->ctrl_handler); + err_me_cleanup: + media_entity_cleanup(&vfd->entity); +-err_vd_rel: +- video_device_release(vfd); + return ret; + } + +-- +2.42.0 + diff --git a/queue-4.19/mfd-dln2-fix-double-put-in-dln2_probe.patch b/queue-4.19/mfd-dln2-fix-double-put-in-dln2_probe.patch new file mode 100644 index 00000000000..226d50d64a6 --- /dev/null +++ b/queue-4.19/mfd-dln2-fix-double-put-in-dln2_probe.patch 
@@ -0,0 +1,37 @@ +From 6ecaa226920c91e27906bd53a35a4d2fe55df10c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 10:41:33 +0800 +Subject: mfd: dln2: Fix double put in dln2_probe + +From: Dinghao Liu + +[ Upstream commit 759c409bc5fc496cbc22cd0b392d3cbb0c0e23eb ] + +The dln2_free() already contains usb_put_dev(). Therefore, +the redundant usb_put_dev() before dln2_free() may lead to +a double free. + +Fixes: 96da8f148396 ("mfd: dln2: Fix memory leak in dln2_probe()") +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20230925024134.9683-1-dinghao.liu@zju.edu.cn +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/dln2.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 37217e01f27c0..fe614ba5fec90 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -800,7 +800,6 @@ static int dln2_probe(struct usb_interface *interface, + dln2_stop_rx_urbs(dln2); + + out_free: +- usb_put_dev(dln2->usb_dev); + dln2_free(dln2); + + return ret; +-- +2.42.0 + diff --git a/queue-4.19/misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch b/queue-4.19/misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch new file mode 100644 index 00000000000..7cebb930425 --- /dev/null +++ b/queue-4.19/misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch 
@@ -0,0 +1,65 @@ +From 818e93facfcdb1bf67fcb008b9b40f25e2f14dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 11:50:20 +0800 +Subject: misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() + +From: Jinjie Ruan + +[ Upstream commit 4d08c3d12b61022501989f9f071514d2d6f77c47 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with hardware interrupts being disabled. +So replace kfree_skb() with dev_kfree_skb_irq() under +spin_lock_irqsave(). Compile tested only. + +Fixes: 53618cc1e51e ("Staging: sources for ST core") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/r/20230823035020.1281892-1-ruanjinjie@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ti-st/st_core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c +index eda8d407be287..e5fbd61f69c8e 100644 +--- a/drivers/misc/ti-st/st_core.c ++++ b/drivers/misc/ti-st/st_core.c +@@ -28,6 +28,7 @@ + #include + + #include ++#include + + extern void st_kim_recv(void *, const unsigned char *, long); + void st_int_recv(void *, const unsigned char *, long); +@@ -436,7 +437,7 @@ static void st_int_enqueue(struct st_data_s *st_gdata, struct sk_buff *skb) + case ST_LL_AWAKE_TO_ASLEEP: + pr_err("ST LL is illegal state(%ld)," + "purging received skb.", st_ll_getstate(st_gdata)); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + break; + case ST_LL_ASLEEP: + skb_queue_tail(&st_gdata->tx_waitq, skb); +@@ -445,7 +446,7 @@ static void st_int_enqueue(struct st_data_s *st_gdata, struct sk_buff *skb) + default: + pr_err("ST LL is illegal state(%ld)," + "purging received skb.", st_ll_getstate(st_gdata)); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + break; + } + +@@ -499,7 +500,7 @@ void st_tx_wakeup(struct st_data_s *st_data) + spin_unlock_irqrestore(&st_data->lock, flags); + break; + } +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + 
spin_unlock_irqrestore(&st_data->lock, flags); + } + /* if wake-up is set in another context- restart sending */ +-- +2.42.0 + diff --git a/queue-4.19/nd_btt-make-btt-lanes-preemptible.patch b/queue-4.19/nd_btt-make-btt-lanes-preemptible.patch new file mode 100644 index 00000000000..4e85e161856 --- /dev/null +++ b/queue-4.19/nd_btt-make-btt-lanes-preemptible.patch 
@@ -0,0 +1,94 @@ +From d931c3598ebba22182b4f8b303c830451a12d9d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Sep 2023 07:37:12 +0200 +Subject: nd_btt: Make BTT lanes preemptible + +From: Tomas Glozar + +[ Upstream commit 36c75ce3bd299878fd9b238e9803d3817ddafbf3 ] + +nd_region_acquire_lane uses get_cpu, which disables preemption. This is +an issue on PREEMPT_RT kernels, since btt_write_pg and also +nd_region_acquire_lane itself take a spin lock, resulting in BUG: +sleeping function called from invalid context. + +Fix the issue by replacing get_cpu with smp_process_id and +migrate_disable when needed. This makes BTT operations preemptible, thus +permitting the use of spin_lock. + +BUG example occurring when running ndctl tests on PREEMPT_RT kernel: + +BUG: sleeping function called from invalid context at +kernel/locking/spinlock_rt.c:48 +in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4903, name: +libndctl +preempt_count: 1, expected: 0 +RCU nest depth: 0, expected: 0 +Preemption disabled at: +[] nd_region_acquire_lane+0x15/0x90 [libnvdimm] +Call Trace: + + dump_stack_lvl+0x8e/0xb0 + __might_resched+0x19b/0x250 + rt_spin_lock+0x4c/0x100 + ? btt_write_pg+0x2d7/0x500 [nd_btt] + btt_write_pg+0x2d7/0x500 [nd_btt] + ? local_clock_noinstr+0x9/0xc0 + btt_submit_bio+0x16d/0x270 [nd_btt] + __submit_bio+0x48/0x80 + __submit_bio_noacct+0x7e/0x1e0 + submit_bio_wait+0x58/0xb0 + __blkdev_direct_IO_simple+0x107/0x240 + ? inode_set_ctime_current+0x51/0x110 + ? __pfx_submit_bio_wait_endio+0x10/0x10 + blkdev_write_iter+0x1d8/0x290 + vfs_write+0x237/0x330 + ... 
+ + +Fixes: 5212e11fde4d ("nd_btt: atomic sector updates") +Signed-off-by: Tomas Glozar +Reviewed-by: Ira Weiny +Reviewed-by: Vishal Verma +Signed-off-by: Ira Weiny +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/region_devs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvdimm/region_devs.c b/drivers/nvdimm/region_devs.c +index 609fc450522a1..89539a078623c 100644 +--- a/drivers/nvdimm/region_devs.c ++++ b/drivers/nvdimm/region_devs.c +@@ -947,7 +947,8 @@ unsigned int nd_region_acquire_lane(struct nd_region *nd_region) + { + unsigned int cpu, lane; + +- cpu = get_cpu(); ++ migrate_disable(); ++ cpu = smp_processor_id(); + if (nd_region->num_lanes < nr_cpu_ids) { + struct nd_percpu_lane *ndl_lock, *ndl_count; + +@@ -966,16 +967,15 @@ EXPORT_SYMBOL(nd_region_acquire_lane); + void nd_region_release_lane(struct nd_region *nd_region, unsigned int lane) + { + if (nd_region->num_lanes < nr_cpu_ids) { +- unsigned int cpu = get_cpu(); ++ unsigned int cpu = smp_processor_id(); + struct nd_percpu_lane *ndl_lock, *ndl_count; + + ndl_count = per_cpu_ptr(nd_region->lane, cpu); + ndl_lock = per_cpu_ptr(nd_region->lane, lane); + if (--ndl_count->count == 0) + spin_unlock(&ndl_lock->lock); +- put_cpu(); + } +- put_cpu(); ++ migrate_enable(); + } + EXPORT_SYMBOL(nd_region_release_lane); + +-- +2.42.0 + diff --git a/queue-4.19/net-add-dev_stats_read-helper.patch b/queue-4.19/net-add-dev_stats_read-helper.patch new file mode 100644 index 00000000000..97fbd471fed --- /dev/null +++ b/queue-4.19/net-add-dev_stats_read-helper.patch 
@@ -0,0 +1,55 @@ +From 62c82c03bd6c6362aa83bd2bcc9a766d258df92d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 08:52:16 +0000 +Subject: net: add DEV_STATS_READ() helper + +From: Eric Dumazet + +[ Upstream commit 0b068c714ca9479d2783cc333fff5bc2d4a6d45c ] + +Companion of DEV_STATS_INC() & DEV_STATS_ADD(). + +This is going to be used in the series. + +Use it in macsec_get_stats64(). + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: ff672b9ffeb3 ("ipvlan: properly track tx_errors") +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 6 +++--- + include/linux/netdevice.h | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index e22d336679d12..54b19977fb675 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2999,9 +2999,9 @@ static void macsec_get_stats64(struct net_device *dev, + s->tx_bytes += tmp.tx_bytes; + } + +- s->rx_dropped = atomic_long_read(&dev->stats.__rx_dropped); +- s->tx_dropped = atomic_long_read(&dev->stats.__tx_dropped); +- s->rx_errors = atomic_long_read(&dev->stats.__rx_errors); ++ s->rx_dropped = DEV_STATS_READ(dev, rx_dropped); ++ s->tx_dropped = DEV_STATS_READ(dev, tx_dropped); ++ s->rx_errors = DEV_STATS_READ(dev, rx_errors); + } + + static int macsec_get_iflink(const struct net_device *dev) +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 744017475b1db..ac87fcc4d44b4 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4853,5 +4853,6 @@ do { \ + #define DEV_STATS_INC(DEV, FIELD) atomic_long_inc(&(DEV)->stats.__##FIELD) + #define DEV_STATS_ADD(DEV, FIELD, VAL) \ + atomic_long_add((VAL), &(DEV)->stats.__##FIELD) ++#define DEV_STATS_READ(DEV, FIELD) atomic_long_read(&(DEV)->stats.__##FIELD) + + #endif /* _LINUX_NETDEVICE_H */ +-- +2.42.0 + 
diff --git a/queue-4.19/pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch b/queue-4.19/pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch new file mode 100644 index 00000000000..c28d9d56fc3 --- /dev/null +++ b/queue-4.19/pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch @@ -0,0 +1,43 @@ +From f7a021a009b624a0a9971b32db069fc72db6b46d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:25:41 +0800 +Subject: pcmcia: cs: fix possible hung task and memory leak pccardd() + +From: Yang Yingliang + +[ Upstream commit e3ea1b4847e49234e691c0d66bf030bd65bb7f2b ] + +If device_register() returns error in pccardd(), it leads two issues: + +1. The socket_released has never been completed, it will block + pcmcia_unregister_socket(), because of waiting for completion + of socket_released. +2. The device name allocated by dev_set_name() is leaked. + +Fix this two issues by calling put_device() when device_register() fails. +socket_released can be completed in pcmcia_release_socket(), the name can +be freed in kobject_cleanup(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/cs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c +index 182e5ef4ab83d..e99ef7b745aeb 100644 +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -608,6 +608,7 @@ static int pccardd(void *__skt) + dev_warn(&skt->dev, "PCMCIA: unable to register socket\n"); + skt->thread = NULL; + complete(&skt->thread_done); ++ put_device(&skt->dev); + return 0; + } + ret = pccard_sysfs_add_socket(&skt->dev); +-- +2.42.0 + diff --git a/queue-4.19/pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch b/queue-4.19/pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch new file mode 100644 index 00000000000..9f4bfde5655 --- /dev/null +++ b/queue-4.19/pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch 
@@ -0,0 +1,53 @@ +From 166ef2be24d9b41344391a8e1865a5cd03bb3dfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:29:24 +0800 +Subject: pcmcia: ds: fix possible name leak in error path in + pcmcia_device_add() + +From: Yang Yingliang + +[ Upstream commit 99e1241049a92dd3e9a90a0f91e32ce390133278 ] + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically. +Therefore, it needs to be freed, which is done by the driver core for +us once all references to the device are gone. Therefore, move the +dev_set_name() call immediately before the call device_register(), which +either succeeds (then the freeing will be done upon subsequent remvoal), +or puts the reference in the error call. Also, it is not unusual that the +return value of dev_set_name is not checked. + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +[linux@dominikbrodowski.net: simplification, commit message modified] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/ds.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c +index e07bd5249f271..3701887be32e8 100644 +--- a/drivers/pcmcia/ds.c ++++ b/drivers/pcmcia/ds.c +@@ -521,9 +521,6 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, + /* by default don't allow DMA */ + p_dev->dma_mask = DMA_MASK_NONE; + p_dev->dev.dma_mask = &p_dev->dma_mask; +- dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, p_dev->device_no); +- if (!dev_name(&p_dev->dev)) +- goto err_free; + p_dev->devname = kasprintf(GFP_KERNEL, "pcmcia%s", dev_name(&p_dev->dev)); + if (!p_dev->devname) + goto err_free; +@@ -581,6 +578,7 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, + + pcmcia_device_query(p_dev); + ++ dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, 
p_dev->device_no); + if (device_register(&p_dev->dev)) { + mutex_lock(&s->ops_mutex); + list_del(&p_dev->socket_device_list); +-- +2.42.0 + diff --git a/queue-4.19/pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch b/queue-4.19/pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch new file mode 100644 index 00000000000..7c8aaa57eca --- /dev/null +++ b/queue-4.19/pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch 
@@ -0,0 +1,49 @@ +From 5934a730303ec730a0ddf085845d45af7e83e518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:29:23 +0800 +Subject: pcmcia: ds: fix refcount leak in pcmcia_device_add() + +From: Yang Yingliang + +[ Upstream commit 402ab979b29126068e0b596b641422ff7490214c ] + +As the comment of device_register() says, it should use put_device() +to give up the reference in the error path. Then, insofar resources +will be freed in pcmcia_release_dev(), the error path is no longer +needed. In particular, this means that the (previously missing) dropping +of the reference to &p_dev->function_config->ref is now handled by +pcmcia_release_dev(). + +Fixes: 360b65b95bae ("[PATCH] pcmcia: make config_t independent, add reference counting") +Signed-off-by: Yang Yingliang +[linux@dominikbrodowski.net: simplification, commit message rewrite] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/ds.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c +index a9258f641ceed..e07bd5249f271 100644 +--- a/drivers/pcmcia/ds.c ++++ b/drivers/pcmcia/ds.c +@@ -581,8 +581,14 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, + + pcmcia_device_query(p_dev); + +- if (device_register(&p_dev->dev)) +- goto err_unreg; ++ if (device_register(&p_dev->dev)) { ++ mutex_lock(&s->ops_mutex); ++ list_del(&p_dev->socket_device_list); ++ s->device_count--; ++ mutex_unlock(&s->ops_mutex); ++ put_device(&p_dev->dev); ++ return NULL; ++ } + + return p_dev; + +-- +2.42.0 + diff --git a/queue-4.19/platform-x86-wmi-fix-opening-of-char-device.patch b/queue-4.19/platform-x86-wmi-fix-opening-of-char-device.patch new file mode 100644 index 00000000000..17520375d19 --- /dev/null +++ b/queue-4.19/platform-x86-wmi-fix-opening-of-char-device.patch 
@@ -0,0 +1,69 @@ +From 2fed5d7c671aa3e08fec4c1f803628d21907bbe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 23:10:04 +0200 +Subject: platform/x86: wmi: Fix opening of char device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit eba9ac7abab91c8f6d351460239108bef5e7a0b6 ] + +Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via +file private data"), the miscdevice stores a pointer to itself inside +filp->private_data, which means that private_data will not be NULL when +wmi_char_open() is called. This might cause memory corruption should +wmi_char_open() be unable to find its driver, something which can +happen when the associated WMI device is deleted in wmi_free_devices(). + +Fix the problem by using the miscdevice pointer to retrieve the WMI +device data associated with a char device using container_of(). This +also avoids wmi_char_open() picking a wrong WMI device bound to a +driver with the same name as the original driver. 
+ +Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20231020211005.38216-5-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 20 ++++++-------------- + 1 file changed, 6 insertions(+), 14 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 4b58590596184..136347a195ece 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -793,21 +793,13 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + } + static int wmi_char_open(struct inode *inode, struct file *filp) + { +- const char *driver_name = filp->f_path.dentry->d_iname; +- struct wmi_block *wblock; +- struct wmi_block *next; +- +- list_for_each_entry_safe(wblock, next, &wmi_block_list, list) { +- if (!wblock->dev.dev.driver) +- continue; +- if (strcmp(driver_name, wblock->dev.dev.driver->name) == 0) { +- filp->private_data = wblock; +- break; +- } +- } ++ /* ++ * The miscdevice already stores a pointer to itself ++ * inside filp->private_data ++ */ ++ struct wmi_block *wblock = container_of(filp->private_data, struct wmi_block, char_dev); + +- if (!filp->private_data) +- return -ENODEV; ++ filp->private_data = wblock; + + return nonseekable_open(inode, filp); + } +-- +2.42.0 + diff --git a/queue-4.19/platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch b/queue-4.19/platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch new file mode 100644 index 00000000000..cf0b704757d --- /dev/null +++ b/queue-4.19/platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch 
@@ -0,0 +1,84 @@ +From 00cf18a9a760532cec9e9d98eb321e14e2ea6e84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 23:10:03 +0200 +Subject: platform/x86: wmi: Fix probe failure when failing to register WMI + devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit ed85891a276edaf7a867de0e9acd0837bc3008f2 ] + +When a WMI device besides the first one somehow fails to register, +retval is returned while still containing a negative error code. This +causes the ACPI device fail to probe, leaving behind zombie WMI devices +leading to various errors later. + +Handle the single error path separately and return 0 unconditionally +after trying to register all WMI devices to solve the issue. Also +continue to register WMI devices even if some fail to allocate memory. + +Fixes: 6ee50aaa9a20 ("platform/x86: wmi: Instantiate all devices before adding them") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20231020211005.38216-4-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 387358af685c5..b9d01a652ede2 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -1131,8 +1131,8 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + struct wmi_block *wblock, *next; + union acpi_object *obj; + acpi_status status; +- int retval = 0; + u32 i, total; ++ int retval; + + status = acpi_evaluate_object(device->handle, "_WDG", NULL, &out); + if (ACPI_FAILURE(status)) +@@ -1143,8 +1143,8 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + return -ENXIO; + + if (obj->type != ACPI_TYPE_BUFFER) { +- retval = -ENXIO; +- goto out_free_pointer; ++ kfree(obj); ++ return -ENXIO; 
+ } + + gblock = (const struct guid_block *)obj->buffer.pointer; +@@ -1165,8 +1165,8 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + + wblock = kzalloc(sizeof(struct wmi_block), GFP_KERNEL); + if (!wblock) { +- retval = -ENOMEM; +- break; ++ dev_err(wmi_bus_dev, "Failed to allocate %pUL\n", &gblock[i].guid); ++ continue; + } + + wblock->acpi_device = device; +@@ -1205,9 +1205,9 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + } + } + +-out_free_pointer: +- kfree(out.pointer); +- return retval; ++ kfree(obj); ++ ++ return 0; + } + + /* +-- +2.42.0 + diff --git a/queue-4.19/platform-x86-wmi-remove-unnecessary-initializations.patch b/queue-4.19/platform-x86-wmi-remove-unnecessary-initializations.patch new file mode 100644 index 00000000000..772f02af965 --- /dev/null +++ b/queue-4.19/platform-x86-wmi-remove-unnecessary-initializations.patch 
@@ -0,0 +1,94 @@ +From 3141391a4e9d4624fb9db0071008af80c97d0702 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:10 +0000 +Subject: platform/x86: wmi: remove unnecessary initializations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 43aacf838ef7384d985ef5385ecb0124f8c70007 ] + +Some pointers are initialized when they are defined, +but they are almost immediately reassigned in the +following lines. Remove these superfluous assignments. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-6-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: eba9ac7abab9 ("platform/x86: wmi: Fix opening of char device") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index b9d01a652ede2..4b58590596184 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -172,7 +172,7 @@ static int get_subobj_info(acpi_handle handle, const char *pathname, + + static acpi_status wmi_method_enable(struct wmi_block *wblock, int enable) + { +- struct guid_block *block = NULL; ++ struct guid_block *block; + char method[5]; + acpi_status status; + acpi_handle handle; +@@ -246,8 +246,8 @@ EXPORT_SYMBOL_GPL(wmi_evaluate_method); + acpi_status wmidev_evaluate_method(struct wmi_device *wdev, u8 instance, + u32 method_id, const struct acpi_buffer *in, struct acpi_buffer *out) + { +- struct guid_block *block = NULL; +- struct wmi_block *wblock = NULL; ++ struct guid_block *block; ++ struct wmi_block *wblock; + acpi_handle handle; + acpi_status status; + struct acpi_object_list input; +@@ -294,7 +294,7 @@ EXPORT_SYMBOL_GPL(wmidev_evaluate_method); + static acpi_status __query_block(struct wmi_block *wblock, u8 instance, + struct acpi_buffer 
*out) + { +- struct guid_block *block = NULL; ++ struct guid_block *block; + acpi_handle handle; + acpi_status status, wc_status = AE_ERROR; + struct acpi_object_list input; +@@ -409,8 +409,8 @@ EXPORT_SYMBOL_GPL(wmidev_block_query); + acpi_status wmi_set_block(const char *guid_string, u8 instance, + const struct acpi_buffer *in) + { +- struct guid_block *block = NULL; + struct wmi_block *wblock = NULL; ++ struct guid_block *block; + acpi_handle handle; + struct acpi_object_list input; + union acpi_object params[2]; +@@ -794,8 +794,8 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + static int wmi_char_open(struct inode *inode, struct file *filp) + { + const char *driver_name = filp->f_path.dentry->d_iname; +- struct wmi_block *wblock = NULL; +- struct wmi_block *next = NULL; ++ struct wmi_block *wblock; ++ struct wmi_block *next; + + list_for_each_entry_safe(wblock, next, &wmi_block_list, list) { + if (!wblock->dev.dev.driver) +@@ -827,8 +827,8 @@ static long wmi_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + struct wmi_ioctl_buffer __user *input = + (struct wmi_ioctl_buffer __user *) arg; + struct wmi_block *wblock = filp->private_data; +- struct wmi_ioctl_buffer *buf = NULL; +- struct wmi_driver *wdriver = NULL; ++ struct wmi_ioctl_buffer *buf; ++ struct wmi_driver *wdriver; + int ret; + + if (_IOC_TYPE(cmd) != WMI_IOC) +-- +2.42.0 + diff --git a/queue-4.19/rdma-hfi1-workaround-truncation-compilation-error.patch b/queue-4.19/rdma-hfi1-workaround-truncation-compilation-error.patch new file mode 100644 index 00000000000..1c9ec907156 --- /dev/null +++ b/queue-4.19/rdma-hfi1-workaround-truncation-compilation-error.patch 
@@ -0,0 +1,57 @@ +From e86ffecaef9e7b3f400be818cc2988cbd893bc46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 18:07:31 +0300 +Subject: RDMA/hfi1: Workaround truncation compilation error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +[ Upstream commit d4b2d165714c0ce8777d5131f6e0aad617b7adc4 ] + +Increase name array to be large enough to overcome the following +compilation error. + +drivers/infiniband/hw/hfi1/efivar.c: In function ‘read_hfi1_efi_var’: +drivers/infiniband/hw/hfi1/efivar.c:124:44: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 124 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^ +drivers/infiniband/hw/hfi1/efivar.c:124:9: note: ‘snprintf’ output 2 or more bytes (assuming 65) into a destination of size 64 + 124 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/infiniband/hw/hfi1/efivar.c:133:52: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 133 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^ +drivers/infiniband/hw/hfi1/efivar.c:133:17: note: ‘snprintf’ output 2 or more bytes (assuming 65) into a destination of size 64 + 133 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors +make[6]: *** [scripts/Makefile.build:243: drivers/infiniband/hw/hfi1/efivar.o] Error 1 + +Fixes: c03c08d50b3d ("IB/hfi1: Check upper-case EFI variables") +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/238fa39a8fd60e87a5ad7e1ca6584fcdf32e9519.1698159993.git.leonro@nvidia.com +Acked-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/efivar.c | 2 +- + 1 file changed, 
1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/efivar.c b/drivers/infiniband/hw/hfi1/efivar.c +index d106d23016ba0..75e39e403a581 100644 +--- a/drivers/infiniband/hw/hfi1/efivar.c ++++ b/drivers/infiniband/hw/hfi1/efivar.c +@@ -152,7 +152,7 @@ int read_hfi1_efi_var(struct hfi1_devdata *dd, const char *kind, + unsigned long *size, void **return_data) + { + char prefix_name[64]; +- char name[64]; ++ char name[128]; + int result; + int i; + +-- +2.42.0 + diff --git a/queue-4.19/regmap-debugfs-fix-a-erroneous-check-after-snprintf.patch b/queue-4.19/regmap-debugfs-fix-a-erroneous-check-after-snprintf.patch new file mode 100644 index 00000000000..7c7069a6454 --- /dev/null +++ b/queue-4.19/regmap-debugfs-fix-a-erroneous-check-after-snprintf.patch 
@@ -0,0 +1,37 @@ +From 548e18cc0f5e90758aae973a61b2653d51535fbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Sep 2023 22:04:06 +0200 +Subject: regmap: debugfs: Fix a erroneous check after snprintf() + +From: Christophe JAILLET + +[ Upstream commit d3601857e14de6369f00ae19564f1d817d175d19 ] + +This error handling looks really strange. +Check if the string has been truncated instead. + +Fixes: f0c2319f9f19 ("regmap: Expose the driver name in debugfs") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/8595de2462c490561f70020a6d11f4d6b652b468.1693857825.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap-debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c +index de706734b9214..d114b614a3d11 100644 +--- a/drivers/base/regmap/regmap-debugfs.c ++++ b/drivers/base/regmap/regmap-debugfs.c +@@ -53,7 +53,7 @@ static ssize_t regmap_name_read_file(struct file *file, + name = map->dev->driver->name; + + ret = snprintf(buf, PAGE_SIZE, "%s\n", name); +- if (ret < 0) { ++ if (ret >= PAGE_SIZE) { + kfree(buf); + return ret; + } +-- +2.42.0 + diff --git a/queue-4.19/sched-rt-provide-migrate_disable-enable-inlines.patch b/queue-4.19/sched-rt-provide-migrate_disable-enable-inlines.patch new file mode 100644 index 00000000000..e21f6703f59 --- /dev/null +++ b/queue-4.19/sched-rt-provide-migrate_disable-enable-inlines.patch 
@@ -0,0 +1,88 @@ +From bb705ec5872f61f7aace38c77134b95069e8cc70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Feb 2020 20:48:29 +0100 +Subject: sched/rt: Provide migrate_disable/enable() inlines + +From: Thomas Gleixner + +[ Upstream commit 66630058e56b26b3a9cf2625e250a8c592dd0207 ] + +Code which solely needs to prevent migration of a task uses +preempt_disable()/enable() pairs. This is the only reliable way to do so +as setting the task affinity to a single CPU can be undone by a +setaffinity operation from a different task/process. + +RT provides a seperate migrate_disable/enable() mechanism which does not +disable preemption to achieve the semantic requirements of a (almost) fully +preemptible kernel. + +As it is unclear from looking at a given code path whether the intention is +to disable preemption or migration, introduce migrate_disable/enable() +inline functions which can be used to annotate code which merely needs to +disable migration. Map them to preempt_disable/enable() for now. The RT +substitution will be provided later. + +Code which is annotated that way documents that it has no requirement to +protect against reentrancy of a preempting task. Either this is not +required at all or the call sites are already serialized by other means. 
+ +Signed-off-by: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Thomas Gleixner +Cc: Peter Zijlstra +Cc: Juri Lelli +Cc: Vincent Guittot +Cc: Dietmar Eggemann +Cc: Steven Rostedt +Cc: Ben Segall +Cc: Mel Gorman +Cc: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/878slclv1u.fsf@nanos.tec.linutronix.de +Stable-dep-of: 36c75ce3bd29 ("nd_btt: Make BTT lanes preemptible") +Signed-off-by: Sasha Levin +--- + include/linux/preempt.h | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/include/linux/preempt.h b/include/linux/preempt.h +index c01813c3fbe93..abeec72b4d359 100644 +--- a/include/linux/preempt.h ++++ b/include/linux/preempt.h +@@ -325,4 +325,34 @@ static inline void preempt_notifier_init(struct preempt_notifier *notifier, + + #endif + ++/** ++ * migrate_disable - Prevent migration of the current task ++ * ++ * Maps to preempt_disable() which also disables preemption. Use ++ * migrate_disable() to annotate that the intent is to prevent migration, ++ * but not necessarily preemption. ++ * ++ * Can be invoked nested like preempt_disable() and needs the corresponding ++ * number of migrate_enable() invocations. ++ */ ++static __always_inline void migrate_disable(void) ++{ ++ preempt_disable(); ++} ++ ++/** ++ * migrate_enable - Allow migration of the current task ++ * ++ * Counterpart to migrate_disable(). ++ * ++ * As migrate_disable() can be invoked nested, only the outermost invocation ++ * reenables migration. ++ * ++ * Currently mapped to preempt_enable(). ++ */ ++static __always_inline void migrate_enable(void) ++{ ++ preempt_enable(); ++} ++ + #endif /* __LINUX_PREEMPT_H */ +-- +2.42.0 + diff --git a/queue-4.19/series b/queue-4.19/series index e69de29bb2d..cfd7a3a7a1c 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -0,0 +1,67 @@ +vfs-fix-readahead-2-on-block-devices.patch +genirq-matrix-exclude-managed-interrupts-in-irq_matr.patch +i40e-fix-potential-memory-leaks-in-i40e_remove.patch +tcp_metrics-add-missing-barriers-on-delete.patch +tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch +tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch +wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch +can-dev-move-driver-related-infrastructure-into-sepa.patch +can-dev-can_restart-don-t-crash-kernel-if-carrier-is.patch +can-dev-can_restart-fix-race-condition-between-contr.patch +thermal-core-prevent-potential-string-overflow.patch +chtls-fix-tp-rcv_tstamp-initialization.patch +acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch +ipv6-avoid-atomic-fragment-on-gso-packets.patch +macsec-fix-traffic-counters-statistics.patch +macsec-use-dev_stats_inc.patch +net-add-dev_stats_read-helper.patch +ipvlan-properly-track-tx_errors.patch +regmap-debugfs-fix-a-erroneous-check-after-snprintf.patch +clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch +clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch +clk-npcm7xx-fix-incorrect-kfree.patch +clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch +clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch +platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch +platform-x86-wmi-remove-unnecessary-initializations.patch +platform-x86-wmi-fix-opening-of-char-device.patch +hwmon-coretemp-fix-potentially-truncated-sysfs-attri.patch +drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch +drm-radeon-possible-buffer-overflow.patch +drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch +arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch +firmware-ti_sci-mark-driver-as-non-removable.patch +clk-scmi-free-scmi_clk-allocated-when-the-clocks-wit.patch +hwrng-geode-fix-accessing-registers.patch +sched-rt-provide-migrate_disable-enable-inlines.patch +nd_btt-make-btt-lanes-preemptible.patch 
+hid-cp2112-use-irqchip-template.patch +hid-cp2112-fix-duplicate-workqueue-initialization.patch +arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch +ext4-move-ix-sanity-check-to-corrent-position.patch +rdma-hfi1-workaround-truncation-compilation-error.patch +sh-bios-revive-earlyprintk-support.patch +asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch +asoc-ams-delta.c-use-component-after-check.patch +mfd-dln2-fix-double-put-in-dln2_probe.patch +leds-pwm-simplify-if-condition.patch +leds-pwm-convert-to-atomic-pwm-api.patch +leds-pwm-don-t-disable-the-pwm-when-the-led-should-b.patch +ledtrig-cpu-limit-to-8-cpus.patch +leds-trigger-ledtrig-cpu-fix-output-may-be-truncated.patch +tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch +usb-dwc2-fix-possible-null-pointer-dereference-cause.patch +dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch +misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch +tools-iio-privatize-globals-and-functions-in-iio_gen.patch +tools-iio-iio_generic_buffer-fix-some-integer-type-a.patch +tools-iio-iio_generic_buffer-ensure-alignment.patch +usb-usbip-fix-stub_dev-hub-disconnect.patch +dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch +f2fs-fix-to-initialize-map.m_pblk-in-f2fs_precache_e.patch +pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch +pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch +pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch +media-bttv-fix-use-after-free-error-due-to-btv-timeo.patch +media-s3c-camif-avoid-inappropriate-kfree.patch +media-dvb-usb-v2-af9035-fix-missing-unlock.patch diff --git a/queue-4.19/sh-bios-revive-earlyprintk-support.patch b/queue-4.19/sh-bios-revive-earlyprintk-support.patch new file mode 100644 index 00000000000..e55a96e1a61 --- /dev/null +++ b/queue-4.19/sh-bios-revive-earlyprintk-support.patch 
@@ -0,0 +1,52 @@ +From a85aef2b98ea236dc35888436beba2d9d9c3060b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 11:46:43 +0200 +Subject: sh: bios: Revive earlyprintk support + +From: Geert Uytterhoeven + +[ Upstream commit 553f7ac78fbb41b2c93ab9b9d78e42274d27daa9 ] + +The SuperH BIOS earlyprintk code is protected by CONFIG_EARLY_PRINTK. +However, when this protection was added, it was missed that SuperH no +longer defines an EARLY_PRINTK config symbol since commit +e76fe57447e88916 ("sh: Remove old early serial console code V2"), so +BIOS earlyprintk can no longer be used. + +Fix this by reviving the EARLY_PRINTK config symbol. + +Fixes: d0380e6c3c0f6edb ("early_printk: consolidate random copies of identical code") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/c40972dfec3dcc6719808d5df388857360262878.1697708489.git.geert+renesas@glider.be +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/Kconfig.debug | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/sh/Kconfig.debug b/arch/sh/Kconfig.debug +index 71acd3d9b9e83..dfc784f897972 100644 +--- a/arch/sh/Kconfig.debug ++++ b/arch/sh/Kconfig.debug +@@ -26,6 +26,17 @@ config STACK_DEBUG + every function call and will therefore incur a major + performance hit. Most users should say N. + ++config EARLY_PRINTK ++ bool "Early printk" ++ depends on SH_STANDARD_BIOS ++ help ++ Say Y here to redirect kernel printk messages to the serial port ++ used by the SH-IPL bootloader, starting very early in the boot ++ process and ending when the kernel's serial console is initialised. ++ This option is only useful while porting the kernel to a new machine, ++ when the kernel may crash or hang before the serial console is ++ initialised. If unsure, say N. ++ + config 4KSTACKS + bool "Use 4Kb for kernel stacks instead of 8Kb" + depends on DEBUG_KERNEL && (MMU || BROKEN) && !PAGE_SIZE_64KB +-- +2.42.0 + 
diff --git a/queue-4.19/tcp_metrics-add-missing-barriers-on-delete.patch b/queue-4.19/tcp_metrics-add-missing-barriers-on-delete.patch new file mode 100644 index 00000000000..01cbbc422b3 --- /dev/null +++ b/queue-4.19/tcp_metrics-add-missing-barriers-on-delete.patch @@ -0,0 +1,47 @@ +From b745a2db3e83526205a39c51409990dfc2a3a0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 22:03:53 +0000 +Subject: tcp_metrics: add missing barriers on delete + +From: Eric Dumazet + +[ Upstream commit cbc3a153222805d65f821e10f4f78b6afce06f86 ] + +When removing an item from RCU protected list, we must prevent +store-tearing, using rcu_assign_pointer() or WRITE_ONCE(). + +Fixes: 04f721c671656 ("tcp_metrics: Rewrite tcp_metrics_flush_all") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Acked-by: Neal Cardwell +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 7bbd9125b5000..9ad4258cfcbcc 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -913,7 +913,7 @@ static void tcp_metrics_flush_all(struct net *net) + match = net ? net_eq(tm_net(tm), net) : + !refcount_read(&tm_net(tm)->count); + if (match) { +- *pp = tm->tcpm_next; ++ rcu_assign_pointer(*pp, tm->tcpm_next); + kfree_rcu(tm, rcu_head); + } else { + pp = &tm->tcpm_next; +@@ -954,7 +954,7 @@ static int tcp_metrics_nl_cmd_del(struct sk_buff *skb, struct genl_info *info) + if (addr_same(&tm->tcpm_daddr, &daddr) && + (!src || addr_same(&tm->tcpm_saddr, &saddr)) && + net_eq(tm_net(tm), net)) { +- *pp = tm->tcpm_next; ++ rcu_assign_pointer(*pp, tm->tcpm_next); + kfree_rcu(tm, rcu_head); + found = true; + } else { +-- +2.42.0 + 
diff --git a/queue-4.19/tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch b/queue-4.19/tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch new file mode 100644 index 00000000000..4e2c9684ed7 --- /dev/null +++ b/queue-4.19/tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch @@ -0,0 +1,39 @@ +From 4d91f45dd9ec074fa4e761fc22d8638be67d621b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 22:03:55 +0000 +Subject: tcp_metrics: do not create an entry from tcp_init_metrics() + +From: Eric Dumazet + +[ Upstream commit a135798e6e200ecb2f864cecca6d257ba278370c ] + +tcp_init_metrics() only wants to get metrics if they were +previously stored in the cache. Creating an entry is adding +useless costs, especially when tcp_no_metrics_save is set. + +Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Acked-by: Neal Cardwell +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 7d486295d75f5..60619b1f4acdc 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -474,7 +474,7 @@ void tcp_init_metrics(struct sock *sk) + goto reset; + + rcu_read_lock(); +- tm = tcp_get_metrics(sk, dst, true); ++ tm = tcp_get_metrics(sk, dst, false); + if (!tm) { + rcu_read_unlock(); + goto reset; +-- +2.42.0 + diff --git a/queue-4.19/tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch b/queue-4.19/tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch new file mode 100644 index 00000000000..a02297eea2e --- /dev/null +++ b/queue-4.19/tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch 
@@ -0,0 +1,52 @@ +From 96a1fd786a2deec7e30a3176fcabc33f9be95d17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 22:03:54 +0000 +Subject: tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() + +From: Eric Dumazet + +[ Upstream commit 081480014a64a69d901f8ef1ffdd56d6085cf87e ] + +We need to set tp->snd_ssthresh to TCP_INFINITE_SSTHRESH +in the case tcp_get_metrics() fails for some reason. + +Fixes: 9ad7c049f0f7 ("tcp: RFC2988bis + taking RTT sample from 3WHS for the passive open side") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Acked-by: Neal Cardwell +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 9ad4258cfcbcc..7d486295d75f5 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -466,6 +466,10 @@ void tcp_init_metrics(struct sock *sk) + u32 val, crtt = 0; /* cached RTT scaled by 8 */ + + sk_dst_confirm(sk); ++ /* ssthresh may have been reduced unnecessarily during. ++ * 3WHS. Restore it back to its initial default. ++ */ ++ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + if (!dst) + goto reset; + +@@ -484,11 +488,6 @@ void tcp_init_metrics(struct sock *sk) + tp->snd_ssthresh = val; + if (tp->snd_ssthresh > tp->snd_cwnd_clamp) + tp->snd_ssthresh = tp->snd_cwnd_clamp; +- } else { +- /* ssthresh may have been reduced unnecessarily during. +- * 3WHS. Restore it back to its initial default. +- */ +- tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + } + val = tcp_metric_get(tm, TCP_METRIC_REORDERING); + if (val && tp->reordering != val) +-- +2.42.0 + diff --git a/queue-4.19/thermal-core-prevent-potential-string-overflow.patch b/queue-4.19/thermal-core-prevent-potential-string-overflow.patch new file mode 100644 index 00000000000..71678a71eaf --- /dev/null +++ b/queue-4.19/thermal-core-prevent-potential-string-overflow.patch 
@@ -0,0 +1,47 @@ +From cc87d6105f73eaf42318e675337567940d7975b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 11:59:39 +0300 +Subject: thermal: core: prevent potential string overflow + +From: Dan Carpenter + +[ Upstream commit c99626092efca3061b387043d4a7399bf75fbdd5 ] + +The dev->id value comes from ida_alloc() so it's a number between zero +and INT_MAX. If it's too high then these sprintf()s will overflow. + +Fixes: 203d3d4aa482 ("the generic thermal sysfs driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 6c7825c581b5f..efed0736546dd 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -734,7 +734,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz, + if (result) + goto release_ida; + +- sprintf(dev->attr_name, "cdev%d_trip_point", dev->id); ++ snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point", ++ dev->id); + sysfs_attr_init(&dev->attr.attr); + dev->attr.attr.name = dev->attr_name; + dev->attr.attr.mode = 0444; +@@ -743,7 +744,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz, + if (result) + goto remove_symbol_link; + +- sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id); ++ snprintf(dev->weight_attr_name, sizeof(dev->weight_attr_name), ++ "cdev%d_weight", dev->id); + sysfs_attr_init(&dev->weight_attr.attr); + dev->weight_attr.attr.name = dev->weight_attr_name; + dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO; +-- +2.42.0 + diff --git a/queue-4.19/tools-iio-iio_generic_buffer-ensure-alignment.patch b/queue-4.19/tools-iio-iio_generic_buffer-ensure-alignment.patch new file mode 100644 index 00000000000..17d4e80aef7 --- /dev/null +++ b/queue-4.19/tools-iio-iio_generic_buffer-ensure-alignment.patch 
@@ -0,0 +1,65 @@ +From 84ac110377c692c44cd40fbea59f95e896db653d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 12:57:47 +0300 +Subject: tools: iio: iio_generic_buffer ensure alignment + +From: Matti Vaittinen + +[ Upstream commit 2d3dff577dd0ea8fe9637a13822f7603c4a881c8 ] + +The iio_generic_buffer can return garbage values when the total size of +scan data is not a multiple of the largest element in the scan. This can be +demonstrated by reading a scan, consisting, for example of one 4-byte and +one 2-byte element, where the 4-byte element is first in the buffer. + +The IIO generic buffer code does not take into account the last two +padding bytes that are needed to ensure that the 4-byte data for next +scan is correctly aligned. + +Add the padding bytes required to align the next sample with the scan size. + +Signed-off-by: Matti Vaittinen +Fixes: e58537ccce73 ("staging: iio: update example application.") +Link: https://lore.kernel.org/r/ZRvlm4ktNLu+qmlf@dc78bmyyyyyyyyyyyyydt-3.rev.dnainternet.fi +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + tools/iio/iio_generic_buffer.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/tools/iio/iio_generic_buffer.c b/tools/iio/iio_generic_buffer.c +index 8360605f01db8..ca9f33fa51c9f 100644 +--- a/tools/iio/iio_generic_buffer.c ++++ b/tools/iio/iio_generic_buffer.c +@@ -56,9 +56,12 @@ enum autochan { + static unsigned int size_from_channelarray(struct iio_channel_info *channels, int num_channels) + { + unsigned int bytes = 0; +- int i = 0; ++ int i = 0, max = 0; ++ unsigned int misalignment; + + while (i < num_channels) { ++ if (channels[i].bytes > max) ++ max = channels[i].bytes; + if (bytes % channels[i].bytes == 0) + channels[i].location = bytes; + else +@@ -68,6 +71,14 @@ static unsigned int size_from_channelarray(struct iio_channel_info *channels, in + bytes = channels[i].location + channels[i].bytes; + i++; + } ++ /* ++ * We want the data in next 
sample to also be properly aligned so ++ * we'll add padding at the end if needed. Adding padding only ++ * works for channel data which size is 2^n bytes. ++ */ ++ misalignment = bytes % max; ++ if (misalignment) ++ bytes += max - misalignment; + + return bytes; + } +-- +2.42.0 + diff --git a/queue-4.19/tools-iio-iio_generic_buffer-fix-some-integer-type-a.patch b/queue-4.19/tools-iio-iio_generic_buffer-fix-some-integer-type-a.patch new file mode 100644 index 00000000000..dd881a3a771 --- /dev/null +++ b/queue-4.19/tools-iio-iio_generic_buffer-fix-some-integer-type-a.patch 
@@ -0,0 +1,74 @@ +From 389523399951e86a8871ea297650f529af364e26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 09:24:07 +0000 +Subject: tools: iio: iio_generic_buffer: Fix some integer type and calculation + +From: Chenyuan Mi + +[ Upstream commit 49d736313d0975ddeb156f4f59801da833f78b30 ] + +In function size_from_channelarray(), the return value 'bytes' is defined +as int type. However, the calcution of 'bytes' in this function is designed +to use the unsigned int type. So it is necessary to change 'bytes' type to +unsigned int to avoid integer overflow. + +The size_from_channelarray() is called in main() function, its return value +is directly multipled by 'buf_len' and then used as the malloc() parameter. +The 'buf_len' is completely controllable by user, thus a multiplication +overflow may occur here. This could allocate an unexpected small area. + +Signed-off-by: Chenyuan Mi +Link: https://lore.kernel.org/r/20230725092407.62545-1-michenyuan@huawei.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: 2d3dff577dd0 ("tools: iio: iio_generic_buffer ensure alignment") +Signed-off-by: Sasha Levin +--- + tools/iio/iio_generic_buffer.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/tools/iio/iio_generic_buffer.c b/tools/iio/iio_generic_buffer.c +index 9a5af0f6592dc..8360605f01db8 100644 +--- a/tools/iio/iio_generic_buffer.c ++++ b/tools/iio/iio_generic_buffer.c +@@ -53,9 +53,9 @@ enum autochan { + * Has the side effect of filling the channels[i].location values used + * in processing the buffer output. 
+ **/ +-static int size_from_channelarray(struct iio_channel_info *channels, int num_channels) ++static unsigned int size_from_channelarray(struct iio_channel_info *channels, int num_channels) + { +- int bytes = 0; ++ unsigned int bytes = 0; + int i = 0; + + while (i < num_channels) { +@@ -346,7 +346,7 @@ int main(int argc, char **argv) + ssize_t read_size; + int dev_num = -1, trig_num = -1; + char *buffer_access = NULL; +- int scan_size; ++ unsigned int scan_size; + int noevents = 0; + int notrigger = 0; + char *dummy; +@@ -616,7 +616,16 @@ int main(int argc, char **argv) + } + + scan_size = size_from_channelarray(channels, num_channels); +- data = malloc(scan_size * buf_len); ++ ++ size_t total_buf_len = scan_size * buf_len; ++ ++ if (scan_size > 0 && total_buf_len / scan_size != buf_len) { ++ ret = -EFAULT; ++ perror("Integer overflow happened when calculate scan_size * buf_len"); ++ goto error; ++ } ++ ++ data = malloc(total_buf_len); + if (!data) { + ret = -ENOMEM; + goto error; +-- +2.42.0 + diff --git a/queue-4.19/tools-iio-privatize-globals-and-functions-in-iio_gen.patch b/queue-4.19/tools-iio-privatize-globals-and-functions-in-iio_gen.patch new file mode 100644 index 00000000000..74ab2b1bbbe --- /dev/null +++ b/queue-4.19/tools-iio-privatize-globals-and-functions-in-iio_gen.patch 
@@ -0,0 +1,131 @@ +From 348a37e160993f3672f135e2b57d2eabf86e584c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Feb 2021 12:40:42 +0200 +Subject: tools: iio: privatize globals and functions in iio_generic_buffer.c + file + +From: Alexandru Ardelean + +[ Upstream commit ebe5112535b5cf389ca7d337cf6a0c1d885f9880 ] + +Mostly a tidy-up. +But also helps to understand the limits of scope of these functions and +globals. + +Signed-off-by: Alexandru Ardelean +Link: https://lore.kernel.org/r/20210215104043.91251-24-alexandru.ardelean@analog.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: 2d3dff577dd0 ("tools: iio: iio_generic_buffer ensure alignment") +Signed-off-by: Sasha Levin +--- + tools/iio/iio_generic_buffer.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/tools/iio/iio_generic_buffer.c b/tools/iio/iio_generic_buffer.c +index 84545666a09c4..9a5af0f6592dc 100644 +--- a/tools/iio/iio_generic_buffer.c ++++ b/tools/iio/iio_generic_buffer.c +@@ -53,7 +53,7 @@ enum autochan { + * Has the side effect of filling the channels[i].location values used + * in processing the buffer output. 
+ **/ +-int size_from_channelarray(struct iio_channel_info *channels, int num_channels) ++static int size_from_channelarray(struct iio_channel_info *channels, int num_channels) + { + int bytes = 0; + int i = 0; +@@ -72,7 +72,7 @@ int size_from_channelarray(struct iio_channel_info *channels, int num_channels) + return bytes; + } + +-void print1byte(uint8_t input, struct iio_channel_info *info) ++static void print1byte(uint8_t input, struct iio_channel_info *info) + { + /* + * Shift before conversion to avoid sign extension +@@ -89,7 +89,7 @@ void print1byte(uint8_t input, struct iio_channel_info *info) + } + } + +-void print2byte(uint16_t input, struct iio_channel_info *info) ++static void print2byte(uint16_t input, struct iio_channel_info *info) + { + /* First swap if incorrect endian */ + if (info->be) +@@ -112,7 +112,7 @@ void print2byte(uint16_t input, struct iio_channel_info *info) + } + } + +-void print4byte(uint32_t input, struct iio_channel_info *info) ++static void print4byte(uint32_t input, struct iio_channel_info *info) + { + /* First swap if incorrect endian */ + if (info->be) +@@ -135,7 +135,7 @@ void print4byte(uint32_t input, struct iio_channel_info *info) + } + } + +-void print8byte(uint64_t input, struct iio_channel_info *info) ++static void print8byte(uint64_t input, struct iio_channel_info *info) + { + /* First swap if incorrect endian */ + if (info->be) +@@ -171,9 +171,8 @@ void print8byte(uint64_t input, struct iio_channel_info *info) + * to fill the location offsets. 
+ * @num_channels: number of channels + **/ +-void process_scan(char *data, +- struct iio_channel_info *channels, +- int num_channels) ++static void process_scan(char *data, struct iio_channel_info *channels, ++ int num_channels) + { + int k; + +@@ -242,7 +241,7 @@ static int enable_disable_all_channels(char *dev_dir_name, int enable) + return 0; + } + +-void print_usage(void) ++static void print_usage(void) + { + fprintf(stderr, "Usage: generic_buffer [options]...\n" + "Capture, convert and output data from IIO device buffer\n" +@@ -261,12 +260,12 @@ void print_usage(void) + " -w Set delay between reads in us (event-less mode)\n"); + } + +-enum autochan autochannels = AUTOCHANNELS_DISABLED; +-char *dev_dir_name = NULL; +-char *buf_dir_name = NULL; +-bool current_trigger_set = false; ++static enum autochan autochannels = AUTOCHANNELS_DISABLED; ++static char *dev_dir_name = NULL; ++static char *buf_dir_name = NULL; ++static bool current_trigger_set = false; + +-void cleanup(void) ++static void cleanup(void) + { + int ret; + +@@ -298,14 +297,14 @@ void cleanup(void) + } + } + +-void sig_handler(int signum) ++static void sig_handler(int signum) + { + fprintf(stderr, "Caught signal %d\n", signum); + cleanup(); + exit(-signum); + } + +-void register_cleanup(void) ++static void register_cleanup(void) + { + struct sigaction sa = { .sa_handler = sig_handler }; + const int signums[] = { SIGINT, SIGTERM, SIGABRT }; +-- +2.42.0 + diff --git a/queue-4.19/tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch b/queue-4.19/tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch new file mode 100644 index 00000000000..6101f9c6d75 --- /dev/null +++ b/queue-4.19/tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch 
@@ -0,0 +1,117 @@ +From 82a30bd3e4045998607132ab70b23a01661f1a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 10:33:29 +0800 +Subject: tty: tty_jobctrl: fix pid memleak in disassociate_ctty() + +From: Yi Yang + +[ Upstream commit 11e7f27b79757b6586645d87b95d5b78375ecdfc ] + +There is a pid leakage: +------------------------------ +unreferenced object 0xffff88810c181940 (size 224): + comm "sshd", pid 8191, jiffies 4294946950 (age 524.570s) + hex dump (first 32 bytes): + 01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. + ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........ + backtrace: + [] kmem_cache_alloc+0x5c6/0x9b0 + [] alloc_pid+0x72/0x570 + [] copy_process+0x1374/0x2470 + [] kernel_clone+0xb7/0x900 + [] __se_sys_clone+0x85/0xb0 + [] __x64_sys_clone+0x2b/0x30 + [] do_syscall_64+0x32/0x80 + [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +It turns out that there is a race condition between disassociate_ctty() and +tty_signal_session_leader(), which caused this leakage. + +The pid memleak is triggered by the following race: +task[sshd] task[bash] +----------------------- ----------------------- + disassociate_ctty(); + spin_lock_irq(¤t->sighand->siglock); + put_pid(current->signal->tty_old_pgrp); + current->signal->tty_old_pgrp = NULL; + tty = tty_kref_get(current->signal->tty); + spin_unlock_irq(¤t->sighand->siglock); +tty_vhangup(); +tty_lock(tty); +... +tty_signal_session_leader(); +spin_lock_irq(&p->sighand->siglock); +... +if (tty->ctrl.pgrp) //tty->ctrl.pgrp is not NULL +p->signal->tty_old_pgrp = get_pid(tty->ctrl.pgrp); //An extra get +spin_unlock_irq(&p->sighand->siglock); +... +tty_unlock(tty); + if (tty) { + tty_lock(tty); + ... + put_pid(tty->ctrl.pgrp); + tty->ctrl.pgrp = NULL; //It's too late + ... 
+ tty_unlock(tty); + } + +The issue is believed to be introduced by commit c8bcd9c5be24 ("tty: +Fix ->session locking") who moves the unlock of siglock in +disassociate_ctty() above "if (tty)", making a small window allowing +tty_signal_session_leader() to kick in. It can be easily reproduced by +adding a delay before "if (tty)" and at the entrance of +tty_signal_session_leader(). + +To fix this issue, we move "put_pid(current->signal->tty_old_pgrp)" after +"tty->ctrl.pgrp = NULL". + +Fixes: c8bcd9c5be24 ("tty: Fix ->session locking") +Signed-off-by: Yi Yang +Co-developed-by: GUO Zihua +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20230831023329.165737-1-yiyang13@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_jobctrl.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c +index ffcab80ba77d9..73fdd55c6bef9 100644 +--- a/drivers/tty/tty_jobctrl.c ++++ b/drivers/tty/tty_jobctrl.c +@@ -290,12 +290,7 @@ void disassociate_ctty(int on_exit) + return; + } + +- spin_lock_irq(¤t->sighand->siglock); +- put_pid(current->signal->tty_old_pgrp); +- current->signal->tty_old_pgrp = NULL; +- tty = tty_kref_get(current->signal->tty); +- spin_unlock_irq(¤t->sighand->siglock); +- ++ tty = get_current_tty(); + if (tty) { + unsigned long flags; + +@@ -310,6 +305,16 @@ void disassociate_ctty(int on_exit) + tty_kref_put(tty); + } + ++ /* If tty->ctrl.pgrp is not NULL, it may be assigned to ++ * current->signal->tty_old_pgrp in a race condition, and ++ * cause pid memleak. Release current->signal->tty_old_pgrp ++ * after tty->ctrl.pgrp set to NULL. 
++ */ ++ spin_lock_irq(¤t->sighand->siglock); ++ put_pid(current->signal->tty_old_pgrp); ++ current->signal->tty_old_pgrp = NULL; ++ spin_unlock_irq(¤t->sighand->siglock); ++ + /* Now clear signal->tty under the lock */ + read_lock(&tasklist_lock); + session_clear_tty(task_session(current)); +-- +2.42.0 + diff --git a/queue-4.19/usb-dwc2-fix-possible-null-pointer-dereference-cause.patch b/queue-4.19/usb-dwc2-fix-possible-null-pointer-dereference-cause.patch new file mode 100644 index 00000000000..e752e9c320f --- /dev/null +++ b/queue-4.19/usb-dwc2-fix-possible-null-pointer-dereference-cause.patch 
@@ -0,0 +1,69 @@ +From d77d180072f1f518e4e1bacd66f7fbec30e9100f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 10:44:04 +0800 +Subject: usb: dwc2: fix possible NULL pointer dereference caused by driver + concurrency + +From: Jia-Ju Bai + +[ Upstream commit ef307bc6ef04e8c1ea843231db58e3afaafa9fa6 ] + +In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without +holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue(): + + spin_lock_irqsave(&hsotg->lock, flags); + ... + if (!urb->hcpriv) { + dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n"); + goto out; + } + rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv + ... +out: + spin_unlock_irqrestore(&hsotg->lock, flags); + +When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are +concurrently executed, the NULL check of "urb->hcpriv" can be executed +before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used +in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL +pointer dereference. + +This possible bug is found by an experimental static analysis tool +developed by myself. This tool analyzes the locking APIs to extract +function pairs that can be concurrently executed, and then analyzes the +instructions in the paired functions to identify possible concurrency +bugs including data races and atomicity violations. The above possible +bug is reported, when my tool analyzes the source code of Linux 6.5. + +To fix this possible bug, "urb->hcpriv = NULL" should be executed with +holding the lock "hsotg->lock". After using this patch, my tool never +reports the possible bug, with the kernelconfiguration allyesconfig for +x86_64. Because I have no associated hardware, I cannot test the patch +in runtime testing, and just verify it according to the code logic. 
+ +Fixes: 33ad261aa62b ("usb: dwc2: host: spinlock urb_enqueue") +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20230926024404.832096-1-baijiaju@buaa.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index cfda883185838..91fa831328fce 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -4845,8 +4845,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, + if (qh_allocated && qh->channel && qh->channel->qh == qh) + qh->channel->qh = NULL; + fail2: +- spin_unlock_irqrestore(&hsotg->lock, flags); + urb->hcpriv = NULL; ++ spin_unlock_irqrestore(&hsotg->lock, flags); + kfree(qtd); + qtd = NULL; + fail1: +-- +2.42.0 + diff --git a/queue-4.19/usb-usbip-fix-stub_dev-hub-disconnect.patch b/queue-4.19/usb-usbip-fix-stub_dev-hub-disconnect.patch new file mode 100644 index 00000000000..44e869f8078 --- /dev/null +++ b/queue-4.19/usb-usbip-fix-stub_dev-hub-disconnect.patch 
@@ -0,0 +1,46 @@ +From c6528e2a641ec67a35a04b1ecc8071f2bd9b5a97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:28:10 +0200 +Subject: USB: usbip: fix stub_dev hub disconnect + +From: Jonas Blixt + +[ Upstream commit 97475763484245916735a1aa9a3310a01d46b008 ] + +If a hub is disconnected that has device(s) that's attached to the usbip layer +the disconnect function might fail because it tries to release the port +on an already disconnected hub. + +Fixes: 6080cd0e9239 ("staging: usbip: claim ports used by shared devices") +Signed-off-by: Jonas Blixt +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20230615092810.1215490-1-jonas.blixt@actia.se +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/stub_dev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index c64964c32cc97..ebcb8d52d1e3a 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -497,8 +497,13 @@ static void stub_disconnect(struct usb_device *udev) + /* release port */ + rc = usb_hub_release_port(udev->parent, udev->portnum, + (struct usb_dev_state *) udev); +- if (rc) { +- dev_dbg(&udev->dev, "unable to release port\n"); ++ /* ++ * NOTE: If a HUB disconnect triggered disconnect of the down stream ++ * device usb_hub_release_port will return -ENODEV so we can safely ignore ++ * that error here. ++ */ ++ if (rc && (rc != -ENODEV)) { ++ dev_dbg(&udev->dev, "unable to release port (%i)\n", rc); + return; + } + +-- +2.42.0 + diff --git a/queue-4.19/vfs-fix-readahead-2-on-block-devices.patch b/queue-4.19/vfs-fix-readahead-2-on-block-devices.patch new file mode 100644 index 00000000000..48d3915ad0c --- /dev/null +++ b/queue-4.19/vfs-fix-readahead-2-on-block-devices.patch 
@@ -0,0 +1,43 @@ +From 34ce9f8e78e2b7b7bb9102a513355957114ccd41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Oct 2023 20:57:04 -0500 +Subject: vfs: fix readahead(2) on block devices + +From: Reuben Hawkins + +[ Upstream commit 7116c0af4b8414b2f19fdb366eea213cbd9d91c2 ] + +Readahead was factored to call generic_fadvise. That refactor added an +S_ISREG restriction which broke readahead on block devices. + +In addition to S_ISREG, this change checks S_ISBLK to fix block device +readahead. There is no change in behavior with any file type besides block +devices in this change. + +Fixes: 3d8f7615319b ("vfs: implement readahead(2) using POSIX_FADV_WILLNEED") +Signed-off-by: Reuben Hawkins +Link: https://lore.kernel.org/r/20231003015704.2415-1-reubenhwk@gmail.com +Reviewed-by: Amir Goldstein +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + mm/readahead.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/readahead.c b/mm/readahead.c +index 4e630143a0ba8..96d0f652222a9 100644 +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -593,7 +593,8 @@ ssize_t ksys_readahead(int fd, loff_t offset, size_t count) + */ + ret = -EINVAL; + if (!f.file->f_mapping || !f.file->f_mapping->a_ops || +- !S_ISREG(file_inode(f.file)->i_mode)) ++ (!S_ISREG(file_inode(f.file)->i_mode) && ++ !S_ISBLK(file_inode(f.file)->i_mode))) + goto out; + + ret = vfs_fadvise(f.file, offset, count, POSIX_FADV_WILLNEED); +-- +2.42.0 + diff --git a/queue-4.19/wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch b/queue-4.19/wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch new file mode 100644 index 00000000000..60c195483ae --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch 
@@ -0,0 +1,70 @@ +From 52e7716bdd9fbddb08b779f57a37d315a074cda3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 08:23:19 +0300 +Subject: wifi: rtlwifi: fix EDCA limit set by BT coexistence + +From: Dmitry Antipov + +[ Upstream commit 3391ee7f9ea508c375d443cd712c2e699be235b4 ] + +In 'rtl92c_dm_check_edca_turbo()', 'rtl88e_dm_check_edca_turbo()', +and 'rtl8723e_dm_check_edca_turbo()', the DL limit should be set +from the corresponding field of 'rtlpriv->btcoexist' rather than +UL. Compile tested only. + +Fixes: 0529c6b81761 ("rtlwifi: rtl8723ae: Update driver to match 06/28/14 Realtek version") +Fixes: c151aed6aa14 ("rtlwifi: rtl8188ee: Update driver to match Realtek release of 06282014") +Fixes: beb5bc402043 ("rtlwifi: rtl8192c-common: Convert common dynamic management routines for addition of rtl8192se and rtl8192de") +Signed-off-by: Dmitry Antipov +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230928052327.120178-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c +index e05af7d608309..d54ecbe717e7a 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c +@@ -827,7 +827,7 @@ static void rtl88e_dm_check_edca_turbo(struct ieee80211_hw *hw) + } + + if (rtlpriv->btcoexist.bt_edca_dl != 0) { +- edca_be_ul = rtlpriv->btcoexist.bt_edca_dl; ++ edca_be_dl = rtlpriv->btcoexist.bt_edca_dl; + bt_change_edca = true; + } + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c +index 0b5a06ffa4826..ed3ef78e5394e 100644 
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c +@@ -663,7 +663,7 @@ static void rtl92c_dm_check_edca_turbo(struct ieee80211_hw *hw) + } + + if (rtlpriv->btcoexist.bt_edca_dl != 0) { +- edca_be_ul = rtlpriv->btcoexist.bt_edca_dl; ++ edca_be_dl = rtlpriv->btcoexist.bt_edca_dl; + bt_change_edca = true; + } + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c +index 42a6fba90ba91..fedde63d9bc5b 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c +@@ -592,7 +592,7 @@ static void rtl8723e_dm_check_edca_turbo(struct ieee80211_hw *hw) + } + + if (rtlpriv->btcoexist.bt_edca_dl != 0) { +- edca_be_ul = rtlpriv->btcoexist.bt_edca_dl; ++ edca_be_dl = rtlpriv->btcoexist.bt_edca_dl; + bt_change_edca = true; + } + +-- +2.42.0 +
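Review bot: in the fail2 path of _dwc2_hcd_urb_enqueue() (drivers/usb/dwc2/hcd.c), the reordered `urb->hcpriv = NULL;` has no comment saying why it must come before `spin_unlock_irqrestore(&hsotg->lock, flags);`, so a later cleanup could move it back without anyone noticing. A one-line comment that _dwc2_hcd_urb_dequeue() tests urb->hcpriv under hsotg->lock would record the invariant. The commit message states the change was verified by code reading only, with no runtime test, so a Tested-by from someone with dwc2 hardware would be worth asking for.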
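Review bot: in stub_disconnect() (drivers/usb/usbip/stub_dev.c), `if (rc && (rc != -ENODEV))` lets the -ENODEV case fall through past the `return`, so everything after this check now runs for a device whose hub is already gone; the hunk does not show that code, and the commit message should say it is safe in that state. Smaller points: the inner parentheses are redundant, `%i` would conventionally be `%d` in a kernel format string, and the -ENODEV case no longer produces any debug output, which hides the ignored error when someone is debugging disconnect ordering.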
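Review bot: in ksys_readahead() (mm/readahead.c), the new condition evaluates file_inode(f.file)->i_mode twice across two continuation lines; reading the mode into a local once and testing `!S_ISREG(mode) && !S_ISBLK(mode)` would be easier to read and to extend if another file type is ever allowed. The comment block that ends just above `ret = -EINVAL;` is not touched by this hunk, so if it explains the regular-file restriction it should now mention block devices as well.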
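Review bot: in rtl88e_dm_check_edca_turbo(), rtl92c_dm_check_edca_turbo() and rtl8723e_dm_check_edca_turbo(), the same `if (rtlpriv->btcoexist.bt_edca_dl != 0)` block is corrected identically in three files, so the wrong `edca_be_ul` target existed in three copies; a shared helper for applying the BT coexistence EDCA overrides would leave one place to get right. The commit message says "Compile tested only", and since the old line overwrote the UL value whenever a DL limit was set, a runtime check on one affected chip that both limits now take effect would be worth requesting.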