From: Greg Kroah-Hartman Date: Wed, 22 Nov 2023 18:57:38 +0000 (+0000) Subject: 6.1-stable patches X-Git-Tag: v4.14.331~121 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87c1fe3e063146ea724cd2156bbea25e5920f6b5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch keys-trusted-rollback-init_trusted-consistently.patch keys-trusted-tee-refactor-register-shm-usage.patch mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch pci-keystone-don-t-discard-.probe-callback.patch pci-keystone-don-t-discard-.remove-callback.patch regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch watchdog-move-softlockup_panic-back-to-early_param.patch wifi-ath11k-fix-dfs-radar-event-locking.patch wifi-ath11k-fix-gtk-offload-status-event-locking.patch wifi-ath11k-fix-htt-pktlog-locking.patch wifi-ath11k-fix-temperature-event-locking.patch --- diff --git a/queue-6.1/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch b/queue-6.1/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch new file mode 100644 index 00000000000..d1d5265b9bd --- /dev/null +++ b/queue-6.1/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch @@ -0,0 +1,45 @@ +From 0da9eccde3270b832c059ad618bf66e510c75d33 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Mon, 16 Oct 2023 18:08:28 +0200 +Subject: ACPI: resource: Do IRQ override on TongFang GMxXGxx + +From: Werner Sembach + +commit 0da9eccde3270b832c059ad618bf66e510c75d33 upstream. + +The TongFang GMxXGxx/TUXEDO Stellaris/Pollaris Gen5 needs IRQ overriding +for the keyboard to work. + +Adding an entry for this laptop to the override_table makes the internal +keyboard functional. + +Signed-off-by: Werner Sembach +Cc: All applicable +Reviewed-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -500,6 +500,18 @@ static const struct dmi_system_id mainge + } + }, + { ++ /* TongFang GMxXGxx/TUXEDO Polaris 15 Gen5 AMD */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GMxXGxx"), ++ }, ++ }, ++ { ++ /* TongFang GM6XGxX/TUXEDO Stellaris 16 Gen5 AMD */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GM6XGxX"), ++ }, ++ }, ++ { + .ident = "MAINGEAR Vector Pro 2 17", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), diff --git a/queue-6.1/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch b/queue-6.1/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch new file mode 100644 index 00000000000..dfdf5c0b461 --- /dev/null +++ b/queue-6.1/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch @@ -0,0 +1,82 @@ +From 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 Mon Sep 17 00:00:00 2001 +From: Herve Codina +Date: Tue, 24 Oct 2023 17:03:35 +0200 +Subject: genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware + +From: Herve Codina + +commit 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 upstream. + +irq_remove_generic_chip() calculates the Linux interrupt number for removing the +handler and interrupt chip based on gc::irq_base as a linear function of +the bit positions of set bits in the @msk argument. + +When the generic chip is present in an irq domain, i.e. created with a call +to irq_alloc_domain_generic_chips(), gc::irq_base contains not the base +Linux interrupt number. It contains the base hardware interrupt for this +chip. It is set to 0 for the first chip in the domain, 0 + N for the next +chip, where $N is the number of hardware interrupts per chip. + +That means the Linux interrupt number cannot be calculated based on +gc::irq_base for irqdomain based chips without a domain map lookup, which +is currently missing. + +Rework the code to take the irqdomain case into account and calculate the +Linux interrupt number by a irqdomain lookup of the domain specific +hardware interrupt number. + +[ tglx: Massage changelog. Reshuffle the logic and add a proper comment. ] + +Fixes: cfefd21e693d ("genirq: Add chip suspend and resume callbacks") +Signed-off-by: Herve Codina +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231024150335.322282-1-herve.codina@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/generic-chip.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/kernel/irq/generic-chip.c ++++ b/kernel/irq/generic-chip.c +@@ -544,21 +544,34 @@ EXPORT_SYMBOL_GPL(irq_setup_alt_chip); + void irq_remove_generic_chip(struct irq_chip_generic *gc, u32 msk, + unsigned int clr, unsigned int set) + { +- unsigned int i = gc->irq_base; ++ unsigned int i, virq; + + raw_spin_lock(&gc_lock); + list_del(&gc->list); + raw_spin_unlock(&gc_lock); + +- for (; msk; msk >>= 1, i++) { ++ for (i = 0; msk; msk >>= 1, i++) { + if (!(msk & 0x01)) + continue; + ++ /* ++ * Interrupt domain based chips store the base hardware ++ * interrupt number in gc::irq_base. Otherwise gc::irq_base ++ * contains the base Linux interrupt number. ++ */ ++ if (gc->domain) { ++ virq = irq_find_mapping(gc->domain, gc->irq_base + i); ++ if (!virq) ++ continue; ++ } else { ++ virq = gc->irq_base + i; ++ } ++ + /* Remove handler first. That will mask the irq line */ +- irq_set_handler(i, NULL); +- irq_set_chip(i, &no_irq_chip); +- irq_set_chip_data(i, NULL); +- irq_modify_status(i, clr, set); ++ irq_set_handler(virq, NULL); ++ irq_set_chip(virq, &no_irq_chip); ++ irq_set_chip_data(virq, NULL); ++ irq_modify_status(virq, clr, set); + } + } + EXPORT_SYMBOL_GPL(irq_remove_generic_chip); diff --git a/queue-6.1/keys-trusted-rollback-init_trusted-consistently.patch b/queue-6.1/keys-trusted-rollback-init_trusted-consistently.patch new file mode 100644 index 00000000000..3c77ab31eb1 --- /dev/null +++ b/queue-6.1/keys-trusted-rollback-init_trusted-consistently.patch @@ -0,0 +1,54 @@ +From 31de287345f41bbfaec36a5c8cbdba035cf76442 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Wed, 11 Oct 2023 02:08:25 +0300 +Subject: KEYS: trusted: Rollback init_trusted() consistently + +From: Jarkko Sakkinen + +commit 31de287345f41bbfaec36a5c8cbdba035cf76442 upstream. + +Do bind neither static calls nor trusted_key_exit() before a successful +init, in order to maintain a consistent state. In addition, depart the +init_trusted() in the case of a real error (i.e. getting back something +else than -ENODEV). + +Reported-by: Linus Torvalds +Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ +Cc: stable@vger.kernel.org # v5.13+ +Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/security/keys/trusted-keys/trusted_core.c ++++ b/security/keys/trusted-keys/trusted_core.c +@@ -358,17 +358,17 @@ static int __init init_trusted(void) + if (!get_random) + get_random = kernel_get_random; + +- static_call_update(trusted_key_seal, +- trusted_key_sources[i].ops->seal); +- static_call_update(trusted_key_unseal, +- trusted_key_sources[i].ops->unseal); +- static_call_update(trusted_key_get_random, +- get_random); +- trusted_key_exit = trusted_key_sources[i].ops->exit; +- migratable = trusted_key_sources[i].ops->migratable; +- + ret = trusted_key_sources[i].ops->init(); +- if (!ret) ++ if (!ret) { ++ static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); ++ static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); ++ static_call_update(trusted_key_get_random, get_random); ++ ++ trusted_key_exit = trusted_key_sources[i].ops->exit; ++ migratable = trusted_key_sources[i].ops->migratable; ++ } ++ ++ if (!ret || ret != -ENODEV) + break; + } + diff --git a/queue-6.1/keys-trusted-tee-refactor-register-shm-usage.patch b/queue-6.1/keys-trusted-tee-refactor-register-shm-usage.patch new file mode 100644 index 00000000000..e1ef940d349 --- /dev/null +++ b/queue-6.1/keys-trusted-tee-refactor-register-shm-usage.patch @@ -0,0 +1,154 @@ +From c745cd1718b7825d69315fe7127e2e289e617598 Mon Sep 17 00:00:00 2001 +From: Sumit Garg +Date: Tue, 22 Aug 2023 16:59:33 +0530 +Subject: KEYS: trusted: tee: Refactor register SHM usage + +From: Sumit Garg + +commit c745cd1718b7825d69315fe7127e2e289e617598 upstream. + +The OP-TEE driver using the old SMC based ABI permits overlapping shared +buffers, but with the new FF-A based ABI each physical page may only +be registered once. + +As the key and blob buffer are allocated adjancently, there is no need +for redundant register shared memory invocation. Also, it is incompatibile +with FF-A based ABI limitation. So refactor register shared memory +implementation to use only single invocation to register both key and blob +buffers. + +[jarkko: Added cc to stable.] +Cc: stable@vger.kernel.org # v5.16+ +Fixes: 4615e5a34b95 ("optee: add FF-A support") +Reported-by: Jens Wiklander +Signed-off-by: Sumit Garg +Tested-by: Jens Wiklander +Reviewed-by: Jens Wiklander +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_tee.c | 64 +++++++++---------------------- + 1 file changed, 20 insertions(+), 44 deletions(-) + +--- a/security/keys/trusted-keys/trusted_tee.c ++++ b/security/keys/trusted-keys/trusted_tee.c +@@ -65,24 +65,16 @@ static int trusted_tee_seal(struct trust + int ret; + struct tee_ioctl_invoke_arg inv_arg; + struct tee_param param[4]; +- struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL; ++ struct tee_shm *reg_shm = NULL; + + memset(&inv_arg, 0, sizeof(inv_arg)); + memset(¶m, 0, sizeof(param)); + +- reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, +- p->key_len); +- if (IS_ERR(reg_shm_in)) { +- dev_err(pvt_data.dev, "key shm register failed\n"); +- return PTR_ERR(reg_shm_in); +- } +- +- reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob, +- sizeof(p->blob)); +- if (IS_ERR(reg_shm_out)) { +- dev_err(pvt_data.dev, "blob shm register failed\n"); +- ret = PTR_ERR(reg_shm_out); +- goto out; ++ reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, ++ sizeof(p->key) + sizeof(p->blob)); ++ if (IS_ERR(reg_shm)) { ++ dev_err(pvt_data.dev, "shm register failed\n"); ++ return PTR_ERR(reg_shm); + } + + inv_arg.func = TA_CMD_SEAL; +@@ -90,13 +82,13 @@ static int trusted_tee_seal(struct trust + inv_arg.num_params = 4; + + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT; +- param[0].u.memref.shm = reg_shm_in; ++ param[0].u.memref.shm = reg_shm; + param[0].u.memref.size = p->key_len; + param[0].u.memref.shm_offs = 0; + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT; +- param[1].u.memref.shm = reg_shm_out; ++ param[1].u.memref.shm = reg_shm; + param[1].u.memref.size = sizeof(p->blob); +- param[1].u.memref.shm_offs = 0; ++ param[1].u.memref.shm_offs = sizeof(p->key); + + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param); + if ((ret < 0) || (inv_arg.ret != 0)) { +@@ -107,11 +99,7 @@ static int trusted_tee_seal(struct trust + p->blob_len = param[1].u.memref.size; + } + +-out: +- if (reg_shm_out) +- tee_shm_free(reg_shm_out); +- if (reg_shm_in) +- tee_shm_free(reg_shm_in); ++ tee_shm_free(reg_shm); + + return ret; + } +@@ -124,24 +112,16 @@ static int trusted_tee_unseal(struct tru + int ret; + struct tee_ioctl_invoke_arg inv_arg; + struct tee_param param[4]; +- struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL; ++ struct tee_shm *reg_shm = NULL; + + memset(&inv_arg, 0, sizeof(inv_arg)); + memset(¶m, 0, sizeof(param)); + +- reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob, +- p->blob_len); +- if (IS_ERR(reg_shm_in)) { +- dev_err(pvt_data.dev, "blob shm register failed\n"); +- return PTR_ERR(reg_shm_in); +- } +- +- reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, +- sizeof(p->key)); +- if (IS_ERR(reg_shm_out)) { +- dev_err(pvt_data.dev, "key shm register failed\n"); +- ret = PTR_ERR(reg_shm_out); +- goto out; ++ reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, ++ sizeof(p->key) + sizeof(p->blob)); ++ if (IS_ERR(reg_shm)) { ++ dev_err(pvt_data.dev, "shm register failed\n"); ++ return PTR_ERR(reg_shm); + } + + inv_arg.func = TA_CMD_UNSEAL; +@@ -149,11 +129,11 @@ static int trusted_tee_unseal(struct tru + inv_arg.num_params = 4; + + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT; +- param[0].u.memref.shm = reg_shm_in; ++ param[0].u.memref.shm = reg_shm; + param[0].u.memref.size = p->blob_len; +- param[0].u.memref.shm_offs = 0; ++ param[0].u.memref.shm_offs = sizeof(p->key); + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT; +- param[1].u.memref.shm = reg_shm_out; ++ param[1].u.memref.shm = reg_shm; + param[1].u.memref.size = sizeof(p->key); + param[1].u.memref.shm_offs = 0; + +@@ -166,11 +146,7 @@ static int trusted_tee_unseal(struct tru + p->key_len = param[1].u.memref.size; + } + +-out: +- if (reg_shm_out) +- tee_shm_free(reg_shm_out); +- if (reg_shm_in) +- tee_shm_free(reg_shm_in); ++ tee_shm_free(reg_shm); + + return ret; + } diff --git a/queue-6.1/mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch b/queue-6.1/mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch new file mode 100644 index 00000000000..1fd4bde98a9 --- /dev/null +++ b/queue-6.1/mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch @@ -0,0 +1,72 @@ +From 35f5d94187a6a3a8df2cba54beccca1c2379edb8 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Oct 2023 19:49:20 +0000 +Subject: mm/damon: implement a function for max nr_accesses safe calculation + +From: SeongJae Park + +commit 35f5d94187a6a3a8df2cba54beccca1c2379edb8 upstream. + +Patch series "avoid divide-by-zero due to max_nr_accesses overflow". + +The maximum nr_accesses of given DAMON context can be calculated by +dividing the aggregation interval by the sampling interval. Some logics +in DAMON uses the maximum nr_accesses as a divisor. Hence, the value +shouldn't be zero. Such case is avoided since DAMON avoids setting the +agregation interval as samller than the sampling interval. However, since +nr_accesses is unsigned int while the intervals are unsigned long, the +maximum nr_accesses could be zero while casting. + +Avoid the divide-by-zero by implementing a function that handles the +corner case (first patch), and replaces the vulnerable direct max +nr_accesses calculations (remaining patches). + +Note that the patches for the replacements are divided for broken commits, +to make backporting on required tres easier. Especially, the last patch +is for a patch that not yet merged into the mainline but in mm tree. + + +This patch (of 4): + +The maximum nr_accesses of given DAMON context can be calculated by +dividing the aggregation interval by the sampling interval. Some logics +in DAMON uses the maximum nr_accesses as a divisor. Hence, the value +shouldn't be zero. Such case is avoided since DAMON avoids setting the +agregation interval as samller than the sampling interval. However, since +nr_accesses is unsigned int while the intervals are unsigned long, the +maximum nr_accesses could be zero while casting. Implement a function +that handles the corner case. + +Note that this commit is not fixing the real issue since this is only +introducing the safe function that will replaces the problematic +divisions. The replacements will be made by followup commits, to make +backporting on stable series easier. + +Link: https://lkml.kernel.org/r/20231019194924.100347-1-sj@kernel.org +Link: https://lkml.kernel.org/r/20231019194924.100347-2-sj@kernel.org +Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization") +Signed-off-by: SeongJae Park +Reported-by: Jakub Acs +Cc: [5.16+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/damon.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/include/linux/damon.h ++++ b/include/linux/damon.h +@@ -559,6 +559,13 @@ static inline bool damon_target_has_pid( + return ctx->ops.id == DAMON_OPS_VADDR || ctx->ops.id == DAMON_OPS_FVADDR; + } + ++static inline unsigned int damon_max_nr_accesses(const struct damon_attrs *attrs) ++{ ++ /* {aggr,sample}_interval are unsigned long, hence could overflow */ ++ return min(attrs->aggr_interval / attrs->sample_interval, ++ (unsigned long)UINT_MAX); ++} ++ + + int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive); + int damon_stop(struct damon_ctx **ctxs, int nr_ctxs); diff --git a/queue-6.1/mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch b/queue-6.1/mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch new file mode 100644 index 00000000000..2cb46fced19 --- /dev/null +++ b/queue-6.1/mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch @@ -0,0 +1,40 @@ +From 44063f125af4bb4efd1d500d8091fa33a98af325 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Oct 2023 19:49:23 +0000 +Subject: mm/damon/lru_sort: avoid divide-by-zero in hot threshold calculation + +From: SeongJae Park + +commit 44063f125af4bb4efd1d500d8091fa33a98af325 upstream. + +When calculating the hotness threshold for lru_prio scheme of +DAMON_LRU_SORT, the module divides some values by the maximum nr_accesses. +However, due to the type of the related variables, simple division-based +calculation of the divisor can return zero. As a result, divide-by-zero +is possible. Fix it by using damon_max_nr_accesses(), which handles the +case. + +Link: https://lkml.kernel.org/r/20231019194924.100347-5-sj@kernel.org +Fixes: 40e983cca927 ("mm/damon: introduce DAMON-based LRU-lists Sorting") +Signed-off-by: SeongJae Park +Reported-by: Jakub Acs +Cc: [6.0+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/lru_sort.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/mm/damon/lru_sort.c ++++ b/mm/damon/lru_sort.c +@@ -195,9 +195,7 @@ static int damon_lru_sort_apply_paramete + if (err) + return err; + +- /* aggr_interval / sample_interval is the maximum nr_accesses */ +- hot_thres = damon_lru_sort_mon_attrs.aggr_interval / +- damon_lru_sort_mon_attrs.sample_interval * ++ hot_thres = damon_max_nr_accesses(&damon_lru_sort_mon_attrs) * + hot_thres_access_freq / 1000; + scheme = damon_lru_sort_new_hot_scheme(hot_thres); + if (!scheme) diff --git a/queue-6.1/mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch b/queue-6.1/mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch new file mode 100644 index 00000000000..742b8f3d9a9 --- /dev/null +++ b/queue-6.1/mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch @@ -0,0 +1,48 @@ +From 3bafc47d3c4a2fc4d3b382aeb3c087f8fc84d9fd Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Oct 2023 19:49:22 +0000 +Subject: mm/damon/ops-common: avoid divide-by-zero during region hotness calculation + +From: SeongJae Park + +commit 3bafc47d3c4a2fc4d3b382aeb3c087f8fc84d9fd upstream. + +When calculating the hotness of each region for the under-quota regions +prioritization, DAMON divides some values by the maximum nr_accesses. +However, due to the type of the related variables, simple division-based +calculation of the divisor can return zero. As a result, divide-by-zero +is possible. Fix it by using damon_max_nr_accesses(), which handles the +case. + +Link: https://lkml.kernel.org/r/20231019194924.100347-4-sj@kernel.org +Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization") +Signed-off-by: SeongJae Park +Reported-by: Jakub Acs +Cc: [5.16+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/ops-common.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/mm/damon/ops-common.c ++++ b/mm/damon/ops-common.c +@@ -87,7 +87,6 @@ void damon_pmdp_mkold(pmd_t *pmd, struct + int damon_hot_score(struct damon_ctx *c, struct damon_region *r, + struct damos *s) + { +- unsigned int max_nr_accesses; + int freq_subscore; + unsigned int age_in_sec; + int age_in_log, age_subscore; +@@ -95,8 +94,8 @@ int damon_hot_score(struct damon_ctx *c, + unsigned int age_weight = s->quota.weight_age; + int hotness; + +- max_nr_accesses = c->attrs.aggr_interval / c->attrs.sample_interval; +- freq_subscore = r->nr_accesses * DAMON_MAX_SUBSCORE / max_nr_accesses; ++ freq_subscore = r->nr_accesses * DAMON_MAX_SUBSCORE / ++ damon_max_nr_accesses(&c->attrs); + + age_in_sec = (unsigned long)r->age * c->attrs.aggr_interval / 1000000; + for (age_in_log = 0; age_in_log < DAMON_MAX_AGE_IN_LOG && age_in_sec; diff --git a/queue-6.1/mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch b/queue-6.1/mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch new file mode 100644 index 00000000000..d17e9c4c76a --- /dev/null +++ b/queue-6.1/mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch @@ -0,0 +1,49 @@ +From b4936b544b08ed44949055b92bd25f77759ebafc Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 6 Nov 2023 23:34:06 +0000 +Subject: mm/damon/sysfs: check error from damon_sysfs_update_target() + +From: SeongJae Park + +commit b4936b544b08ed44949055b92bd25f77759ebafc upstream. + +Patch series "mm/damon/sysfs: fix unhandled return values". + +Some of DAMON sysfs interface code is not handling return values from some +functions. As a result, confusing user input handling or NULL-dereference +is possible. Check those properly. + + +This patch (of 3): + +damon_sysfs_update_target() returns error code for failures, but its +caller, damon_sysfs_set_targets() is ignoring that. The update function +seems making no critical change in case of such failures, but the behavior +will look like DAMON sysfs is silently ignoring or only partially +accepting the user input. Fix it. + +Link: https://lkml.kernel.org/r/20231106233408.51159-1-sj@kernel.org +Link: https://lkml.kernel.org/r/20231106233408.51159-2-sj@kernel.org +Fixes: 19467a950b49 ("mm/damon/sysfs: remove requested targets when online-commit inputs") +Signed-off-by: SeongJae Park +Cc: [5.19+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/damon/sysfs.c ++++ b/mm/damon/sysfs.c +@@ -2241,8 +2241,10 @@ static int damon_sysfs_set_targets(struc + + damon_for_each_target_safe(t, next, ctx) { + if (i < sysfs_targets->nr) { +- damon_sysfs_update_target(t, ctx, ++ err = damon_sysfs_update_target(t, ctx, + sysfs_targets->targets_arr[i]); ++ if (err) ++ return err; + } else { + if (damon_target_has_pid(ctx)) + put_pid(t->pid); diff --git a/queue-6.1/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch b/queue-6.1/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch new file mode 100644 index 00000000000..983c71908c6 --- /dev/null +++ b/queue-6.1/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch @@ -0,0 +1,36 @@ +From 57925e16c9f7d18012bcf45bfa658f92c087981a Mon Sep 17 00:00:00 2001 +From: Rong Chen +Date: Thu, 26 Oct 2023 15:31:56 +0800 +Subject: mmc: meson-gx: Remove setting of CMD_CFG_ERROR + +From: Rong Chen + +commit 57925e16c9f7d18012bcf45bfa658f92c087981a upstream. + +For the t7 and older SoC families, the CMD_CFG_ERROR has no effect. +Starting from SoC family C3, setting this bit without SG LINK data +address will cause the controller to generate an IRQ and stop working. + +To fix it, don't set the bit CMD_CFG_ERROR anymore. + +Fixes: 18f92bc02f17 ("mmc: meson-gx: make sure the descriptor is stopped on errors") +Signed-off-by: Rong Chen +Reviewed-by: Jerome Brunet +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231026073156.2868310-1-rong.chen@amlogic.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/meson-gx-mmc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -817,7 +817,6 @@ static void meson_mmc_start_cmd(struct m + + cmd_cfg |= FIELD_PREP(CMD_CFG_CMD_INDEX_MASK, cmd->opcode); + cmd_cfg |= CMD_CFG_OWNER; /* owned by CPU */ +- cmd_cfg |= CMD_CFG_ERROR; /* stop in case of error */ + + meson_mmc_set_response_bits(cmd, &cmd_cfg); + diff --git a/queue-6.1/pci-keystone-don-t-discard-.probe-callback.patch b/queue-6.1/pci-keystone-don-t-discard-.probe-callback.patch new file mode 100644 index 00000000000..5f96aed5507 --- /dev/null +++ b/queue-6.1/pci-keystone-don-t-discard-.probe-callback.patch @@ -0,0 +1,51 @@ +From 7994db905c0fd692cf04c527585f08a91b560144 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Sun, 1 Oct 2023 19:02:54 +0200 +Subject: PCI: keystone: Don't discard .probe() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 7994db905c0fd692cf04c527585f08a91b560144 upstream. + +The __init annotation makes the ks_pcie_probe() function disappear after +booting completes. However a device can also be bound later. In that case, +we try to call ks_pcie_probe(), but the backing memory is likely already +overwritten. + +The right thing to do is do always have the probe callback available. Note +that the (wrong) __refdata annotation prevented this issue to be noticed by +modpost. + +Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver") +Link: https://lore.kernel.org/r/20231001170254.2506508-5-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pci-keystone.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -1101,7 +1101,7 @@ static const struct of_device_id ks_pcie + { }, + }; + +-static int __init ks_pcie_probe(struct platform_device *pdev) ++static int ks_pcie_probe(struct platform_device *pdev) + { + const struct dw_pcie_host_ops *host_ops; + const struct dw_pcie_ep_ops *ep_ops; +@@ -1319,7 +1319,7 @@ static int ks_pcie_remove(struct platfor + return 0; + } + +-static struct platform_driver ks_pcie_driver __refdata = { ++static struct platform_driver ks_pcie_driver = { + .probe = ks_pcie_probe, + .remove = ks_pcie_remove, + .driver = { diff --git a/queue-6.1/pci-keystone-don-t-discard-.remove-callback.patch b/queue-6.1/pci-keystone-don-t-discard-.remove-callback.patch new file mode 100644 index 00000000000..bc102e408b6 --- /dev/null +++ b/queue-6.1/pci-keystone-don-t-discard-.remove-callback.patch @@ -0,0 +1,52 @@ +From 200bddbb3f5202bbce96444fdc416305de14f547 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Sun, 1 Oct 2023 19:02:53 +0200 +Subject: PCI: keystone: Don't discard .remove() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 200bddbb3f5202bbce96444fdc416305de14f547 upstream. + +With CONFIG_PCIE_KEYSTONE=y and ks_pcie_remove() marked with __exit, the +function is discarded from the driver. In this case a bound device can +still get unbound, e.g via sysfs. Then no cleanup code is run resulting in +resource leaks or worse. + +The right thing to do is do always have the remove callback available. +Note that this driver cannot be compiled as a module, so ks_pcie_remove() +was always discarded before this change and modpost couldn't warn about +this issue. Furthermore the __ref annotation also prevents a warning. + +Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver") +Link: https://lore.kernel.org/r/20231001170254.2506508-4-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pci-keystone.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -1303,7 +1303,7 @@ err_link: + return ret; + } + +-static int __exit ks_pcie_remove(struct platform_device *pdev) ++static int ks_pcie_remove(struct platform_device *pdev) + { + struct keystone_pcie *ks_pcie = platform_get_drvdata(pdev); + struct device_link **link = ks_pcie->link; +@@ -1321,7 +1321,7 @@ static int __exit ks_pcie_remove(struct + + static struct platform_driver ks_pcie_driver __refdata = { + .probe = ks_pcie_probe, +- .remove = __exit_p(ks_pcie_remove), ++ .remove = ks_pcie_remove, + .driver = { + .name = "keystone-pcie", + .of_match_table = ks_pcie_of_match, diff --git a/queue-6.1/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch b/queue-6.1/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch new file mode 100644 index 00000000000..6b1630dc07c --- /dev/null +++ b/queue-6.1/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch @@ -0,0 +1,90 @@ +From 0ec7731655de196bc1e4af99e495b38778109d22 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Thu, 26 Oct 2023 16:49:19 +0100 +Subject: regmap: Ensure range selector registers are updated after cache sync + +From: Mark Brown + +commit 0ec7731655de196bc1e4af99e495b38778109d22 upstream. + +When we sync the register cache we do so with the cache bypassed in order +to avoid overhead from writing the synced values back into the cache. If +the regmap has ranges and the selector register for those ranges is in a +register which is cached this has the unfortunate side effect of meaning +that the physical and cached copies of the selector register can be out of +sync after a cache sync. The cache will have whatever the selector was when +the sync started and the hardware will have the selector for the register +that was synced last. + +Fix this by rewriting all cached selector registers after every sync, +ensuring that the hardware and cache have the same content. This will +result in extra writes that wouldn't otherwise be needed but is simple +so hopefully robust. We don't read from the hardware since not all +devices have physical read support. + +Given that nobody noticed this until now it is likely that we are rarely if +ever hitting this case. + +Reported-by: Hector Martin +Cc: stable@vger.kernel.org +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20231026-regmap-fix-selector-sync-v1-1-633ded82770d@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regcache.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -331,6 +331,11 @@ static int regcache_default_sync(struct + return 0; + } + ++static int rbtree_all(const void *key, const struct rb_node *node) ++{ ++ return 0; ++} ++ + /** + * regcache_sync - Sync the register cache with the hardware. + * +@@ -348,6 +353,7 @@ int regcache_sync(struct regmap *map) + unsigned int i; + const char *name; + bool bypass; ++ struct rb_node *node; + + if (WARN_ON(map->cache_type == REGCACHE_NONE)) + return -EINVAL; +@@ -392,6 +398,30 @@ out: + map->async = false; + map->cache_bypass = bypass; + map->no_sync_defaults = false; ++ ++ /* ++ * If we did any paging with cache bypassed and a cached ++ * paging register then the register and cache state might ++ * have gone out of sync, force writes of all the paging ++ * registers. ++ */ ++ rb_for_each(node, 0, &map->range_tree, rbtree_all) { ++ struct regmap_range_node *this = ++ rb_entry(node, struct regmap_range_node, node); ++ ++ /* If there's nothing in the cache there's nothing to sync */ ++ ret = regcache_read(map, this->selector_reg, &i); ++ if (ret != 0) ++ continue; ++ ++ ret = _regmap_write(map, this->selector_reg, i); ++ if (ret != 0) { ++ dev_err(map->dev, "Failed to write %x = %x: %d\n", ++ this->selector_reg, i, ret); ++ break; ++ } ++ } ++ + map->unlock(map->lock_arg); + + regmap_async_complete(map); diff --git a/queue-6.1/series b/queue-6.1/series index b13394f6749..1b6b439a0ef 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -185,3 +185,20 @@ hvc-xen-fix-event-channel-handling-for-secondary-consoles.patch pci-sysfs-protect-driver-s-d3cold-preference-from-user-space.patch mm-damon-sysfs-remove-requested-targets-when-online-commit-inputs.patch mm-damon-sysfs-update-monitoring-target-regions-for-online-input-commit.patch +watchdog-move-softlockup_panic-back-to-early_param.patch +mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch +mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch +mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch +mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch +acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch +regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch +wifi-ath11k-fix-temperature-event-locking.patch +wifi-ath11k-fix-dfs-radar-event-locking.patch +wifi-ath11k-fix-htt-pktlog-locking.patch +wifi-ath11k-fix-gtk-offload-status-event-locking.patch +mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch +genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch +keys-trusted-tee-refactor-register-shm-usage.patch +keys-trusted-rollback-init_trusted-consistently.patch +pci-keystone-don-t-discard-.remove-callback.patch +pci-keystone-don-t-discard-.probe-callback.patch diff --git a/queue-6.1/watchdog-move-softlockup_panic-back-to-early_param.patch b/queue-6.1/watchdog-move-softlockup_panic-back-to-early_param.patch new file mode 100644 index 00000000000..81fc5bdfdf4 --- /dev/null +++ b/queue-6.1/watchdog-move-softlockup_panic-back-to-early_param.patch @@ -0,0 +1,55 @@ +From 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb Mon Sep 17 00:00:00 2001 +From: Krister Johansen +Date: Fri, 27 Oct 2023 14:46:53 -0700 +Subject: watchdog: move softlockup_panic back to early_param + +From: Krister Johansen + +commit 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb upstream. + +Setting softlockup_panic from do_sysctl_args() causes it to take effect +later in boot. The lockup detector is enabled before SMP is brought +online, but do_sysctl_args runs afterwards. If a user wants to set +softlockup_panic on boot and have it trigger should a softlockup occur +during onlining of the non-boot processors, they could do this prior to +commit f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot +parameters to sysctl aliases"). However, after this commit the value +of softlockup_panic is set too late to be of help for this type of +problem. Restore the prior behavior. + +Signed-off-by: Krister Johansen +Cc: stable@vger.kernel.org +Fixes: f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot parameters to sysctl aliases") +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/proc_sysctl.c | 1 - + kernel/watchdog.c | 7 +++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1814,7 +1814,6 @@ static const struct sysctl_alias sysctl_ + {"hung_task_panic", "kernel.hung_task_panic" }, + {"numa_zonelist_order", "vm.numa_zonelist_order" }, + {"softlockup_all_cpu_backtrace", "kernel.softlockup_all_cpu_backtrace" }, +- {"softlockup_panic", "kernel.softlockup_panic" }, + { } + }; + +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -183,6 +183,13 @@ static DEFINE_PER_CPU(unsigned long, hrt + static DEFINE_PER_CPU(unsigned long, hrtimer_interrupts_saved); + static unsigned long soft_lockup_nmi_warn; + ++static int __init softlockup_panic_setup(char *str) ++{ ++ softlockup_panic = simple_strtoul(str, NULL, 0); ++ return 1; ++} ++__setup("softlockup_panic=", softlockup_panic_setup); ++ + static int __init nowatchdog_setup(char *str) + { + watchdog_user_enabled = 0; diff --git a/queue-6.1/wifi-ath11k-fix-dfs-radar-event-locking.patch b/queue-6.1/wifi-ath11k-fix-dfs-radar-event-locking.patch new file mode 100644 index 00000000000..a5447e0a670 --- /dev/null +++ b/queue-6.1/wifi-ath11k-fix-dfs-radar-event-locking.patch @@ -0,0 +1,49 @@ +From 3b6c14833165f689cc5928574ebafe52bbce5f1e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 17:31:15 +0200 +Subject: wifi: ath11k: fix dfs radar event locking + +From: Johan Hovold + +commit 3b6c14833165f689cc5928574ebafe52bbce5f1e upstream. + +The ath11k active pdevs are protected by RCU but the DFS radar event +handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a +read-side critical section. + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Compile tested only. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Acked-by: Jeff Johnson +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019153115.26401-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -7729,6 +7729,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event + ev->detector_id, ev->segment_id, ev->timestamp, ev->is_chirp, + ev->freq_offset, ev->sidx); + ++ rcu_read_lock(); ++ + ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id); + + if (!ar) { +@@ -7746,6 +7748,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event + ieee80211_radar_detected(ar->hw); + + exit: ++ rcu_read_unlock(); ++ + kfree(tb); + } + diff --git a/queue-6.1/wifi-ath11k-fix-gtk-offload-status-event-locking.patch b/queue-6.1/wifi-ath11k-fix-gtk-offload-status-event-locking.patch new file mode 100644 index 00000000000..d8a5e0b49f4 --- /dev/null +++ b/queue-6.1/wifi-ath11k-fix-gtk-offload-status-event-locking.patch @@ -0,0 +1,57 @@ +From 1dea3c0720a146bd7193969f2847ccfed5be2221 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 17:53:42 +0200 +Subject: wifi: ath11k: fix gtk offload status event locking + +From: Johan Hovold + +commit 1dea3c0720a146bd7193969f2847ccfed5be2221 upstream. + +The ath11k active pdevs are protected by RCU but the gtk offload status +event handling code calling ath11k_mac_get_arvif_by_vdev_id() was not +marked as a read-side critical section. + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Compile tested only. + +Fixes: a16d9b50cfba ("ath11k: support GTK rekey offload") +Cc: stable@vger.kernel.org # 5.18 +Cc: Carl Huang +Signed-off-by: Johan Hovold +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019155342.31631-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -8001,12 +8001,13 @@ static void ath11k_wmi_gtk_offload_statu + return; + } + ++ rcu_read_lock(); ++ + arvif = ath11k_mac_get_arvif_by_vdev_id(ab, ev->vdev_id); + if (!arvif) { + ath11k_warn(ab, "failed to get arvif for vdev_id:%d\n", + ev->vdev_id); +- kfree(tb); +- return; ++ goto exit; + } + + ath11k_dbg(ab, ATH11K_DBG_WMI, "wmi gtk offload event refresh_cnt %d\n", +@@ -8023,6 +8024,8 @@ static void ath11k_wmi_gtk_offload_statu + + ieee80211_gtk_rekey_notify(arvif->vif, arvif->bssid, + (void *)&replay_ctr_be, GFP_ATOMIC); ++exit: ++ rcu_read_unlock(); + + kfree(tb); + } diff --git a/queue-6.1/wifi-ath11k-fix-htt-pktlog-locking.patch b/queue-6.1/wifi-ath11k-fix-htt-pktlog-locking.patch new file mode 100644 index 00000000000..7e617340139 --- /dev/null +++ b/queue-6.1/wifi-ath11k-fix-htt-pktlog-locking.patch @@ -0,0 +1,52 @@ +From 3f77c7d605b29df277d77e9ee75d96e7ad145d2d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 13:25:21 +0200 +Subject: wifi: ath11k: fix htt pktlog locking + +From: Johan Hovold + +commit 3f77c7d605b29df277d77e9ee75d96e7ad145d2d upstream. + +The ath11k active pdevs are protected by RCU but the htt pktlog handling +code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a +read-side critical section. + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Compile tested only. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019112521.2071-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -1621,14 +1621,20 @@ static void ath11k_htt_pktlog(struct ath + u8 pdev_id; + + pdev_id = FIELD_GET(HTT_T2H_PPDU_STATS_INFO_PDEV_ID, data->hdr); ++ ++ rcu_read_lock(); ++ + ar = ath11k_mac_get_ar_by_pdev_id(ab, pdev_id); + if (!ar) { + ath11k_warn(ab, "invalid pdev id %d on htt pktlog\n", pdev_id); +- return; ++ goto out; + } + + trace_ath11k_htt_pktlog(ar, data->payload, hdr->size, + ar->ab->pktlog_defs_checksum); ++ ++out: ++ rcu_read_unlock(); + } + + static void ath11k_htt_backpressure_event_handler(struct ath11k_base *ab, diff --git a/queue-6.1/wifi-ath11k-fix-temperature-event-locking.patch b/queue-6.1/wifi-ath11k-fix-temperature-event-locking.patch new file mode 100644 index 00000000000..981110a028c --- /dev/null +++ b/queue-6.1/wifi-ath11k-fix-temperature-event-locking.patch @@ -0,0 +1,71 @@ +From 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 17:31:14 +0200 +Subject: wifi: ath11k: fix temperature event locking + +From: Johan Hovold + +commit 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 upstream. + +The ath11k active pdevs are protected by RCU but the temperature event +handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a +read-side critical section as reported by RCU lockdep: + + ============================= + WARNING: suspicious RCU usage + 6.6.0-rc6 #7 Not tainted + ----------------------------- + drivers/net/wireless/ath/ath11k/mac.c:638 suspicious rcu_dereference_check() usage! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + no locks held by swapper/0/0. + ... + Call trace: + ... + lockdep_rcu_suspicious+0x16c/0x22c + ath11k_mac_get_ar_by_pdev_id+0x194/0x1b0 [ath11k] + ath11k_wmi_tlv_op_rx+0xa84/0x2c1c [ath11k] + ath11k_htc_rx_completion_handler+0x388/0x510 [ath11k] + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23 + +Fixes: a41d10348b01 ("ath11k: add thermal sensor device support") +Cc: stable@vger.kernel.org # 5.7 +Signed-off-by: Johan Hovold +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019153115.26401-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -7775,15 +7775,19 @@ ath11k_wmi_pdev_temperature_event(struct + ath11k_dbg(ab, ATH11K_DBG_WMI, + "pdev temperature ev temp %d pdev_id %d\n", ev->temp, ev->pdev_id); + ++ rcu_read_lock(); ++ + ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id); + if (!ar) { + ath11k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev->pdev_id); +- kfree(tb); +- return; ++ goto exit; + } + + ath11k_thermal_event_temperature(ar, ev->temp); + ++exit: ++ rcu_read_unlock(); ++ + kfree(tb); + } +