From: Greg Kroah-Hartman Date: Tue, 3 Dec 2024 10:34:47 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.19.325~40 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8d9d101cca0caa2aa79ea42ecce883b17b3d3041;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-hda-realtek-apply-quirk-for-medion-e15433.patch alsa-hda-realtek-fix-internal-speaker-and-mic-boost-of-infinix-y4-max.patch alsa-hda-realtek-set-pcbeep-to-default-value-for-alc274.patch alsa-hda-realtek-update-alc225-depop-procedure.patch alsa-pcm-add-sanity-null-check-for-the-default-mmap-fault-handler.patch arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch cpufreq-mediatek-hw-fix-wrong-return-value-in-mtk_cpufreq_get_cpu_power.patch gpio-exar-set-value-when-external-pull-up-or-pull-down-is-present.patch hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch jffs2-prevent-rtime-decompress-memory-corruption.patch media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch mtd-spi-nor-core-replace-dummy-buswidth-from-addr-to-data.patch netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch platform-chrome-cros_ec_typec-fix-missing-fwnode-reference-decrement.patch revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch serial-8250-omap-move-pm_runtime_get_sync.patch serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch spi-fix-acpi-deferred-irq-probe.patch ubi-wl-put-source-peb-into-correct-list-if-trying-locking-leb-failed.patch um-net-do-not-use-drvdata-in-release.patch um-ubd-do-not-use-drvdata-in-release.patch um-vector-do-not-use-drvdata-in-release.patch --- 
diff --git a/queue-5.15/alsa-hda-realtek-apply-quirk-for-medion-e15433.patch b/queue-5.15/alsa-hda-realtek-apply-quirk-for-medion-e15433.patch
new file mode 100644
index 00000000000..f603e93e830
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-apply-quirk-for-medion-e15433.patch
@@ -0,0 +1,31 @@
+From ca0f79f0286046f6a91c099dc941cf7afae198d6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 28 Nov 2024 08:26:45 +0100
+Subject: ALSA: hda/realtek: Apply quirk for Medion E15433
+
+From: Takashi Iwai
+
+commit ca0f79f0286046f6a91c099dc941cf7afae198d6 upstream.
+
+Medion E15433 laptop wich ALC269VC (SSID 2782:1705) needs the same
+workaround for the missing speaker as another model.
+
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1233298
+Cc:
+Link: https://patch.msgid.link/20241128072646.15659-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9546,6 +9546,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x2782, 0x0228, "Infinix ZERO BOOK 13", ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13),
+ SND_PCI_QUIRK(0x2782, 0x0232, "CHUWI CoreBook XPro", ALC269VB_FIXUP_CHUWI_COREBOOK_XPRO),
+ SND_PCI_QUIRK(0x2782, 0x1701, "Infinix Y4 Max", ALC269VC_FIXUP_INFINIX_Y4_MAX),
++ SND_PCI_QUIRK(0x2782, 0x1705, "MEDION E15433", ALC269VC_FIXUP_INFINIX_Y4_MAX),
+ SND_PCI_QUIRK(0x2782, 0x1707, "Vaio VJFE-ADL", ALC298_FIXUP_SPK_VOLUME),
+ SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
+ SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
diff --git a/queue-5.15/alsa-hda-realtek-fix-internal-speaker-and-mic-boost-of-infinix-y4-max.patch b/queue-5.15/alsa-hda-realtek-fix-internal-speaker-and-mic-boost-of-infinix-y4-max.patch
new file mode 100644
index 00000000000..e36f4e1e6ad
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-fix-internal-speaker-and-mic-boost-of-infinix-y4-max.patch 
@@ -0,0 +1,59 @@
+From 5ebe792a5139f1ce6e4aed22bef12e7e2660df96 Mon Sep 17 00:00:00 2001
+From: Dinesh Kumar
+Date: Mon, 25 Nov 2024 14:58:42 +0530
+Subject: ALSA: hda/realtek: Fix Internal Speaker and Mic boost of Infinix Y4 Max
+
+From: Dinesh Kumar
+
+commit 5ebe792a5139f1ce6e4aed22bef12e7e2660df96 upstream.
+
+Internal Speaker of Infinix Y4 Max remains muted due to incorrect
+Pin configuration, and the Internal Mic records high noise. This patch
+corrects the Pin configuration for the Internal Speaker and limits
+the Internal Mic boost.
+HW Probe for device: https://linux-hardware.org/?probe=6d4386c347
+Test: Internal Speaker works fine, Mic has low noise.
+
+Signed-off-by: Dinesh Kumar
+Cc:
+Link: https://patch.msgid.link/20241125092842.13208-1-desikumar81@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6925,6 +6925,7 @@ enum {
+ ALC269_FIXUP_THINKPAD_ACPI,
+ ALC269_FIXUP_DMIC_THINKPAD_ACPI,
+ ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13,
++ ALC269VC_FIXUP_INFINIX_Y4_MAX,
+ ALC269VB_FIXUP_CHUWI_COREBOOK_XPRO,
+ ALC255_FIXUP_ACER_MIC_NO_PRESENCE,
+ ALC255_FIXUP_ASUS_MIC_NO_PRESENCE,
+@@ -7237,6 +7238,15 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_LIMIT_INT_MIC_BOOST
+ },
++ [ALC269VC_FIXUP_INFINIX_Y4_MAX] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x1b, 0x90170150 }, /* use as internal speaker */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_LIMIT_INT_MIC_BOOST
++ },
+ [ALC269VB_FIXUP_CHUWI_COREBOOK_XPRO] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -9535,6 +9545,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x2782, 0x0228, "Infinix ZERO BOOK 13", ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13),
+ SND_PCI_QUIRK(0x2782, 0x0232, "CHUWI CoreBook XPro", ALC269VB_FIXUP_CHUWI_COREBOOK_XPRO),
++ SND_PCI_QUIRK(0x2782, 0x1701, "Infinix Y4 Max", ALC269VC_FIXUP_INFINIX_Y4_MAX),
+ SND_PCI_QUIRK(0x2782, 0x1707, "Vaio VJFE-ADL", ALC298_FIXUP_SPK_VOLUME),
+ SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
+ SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
diff --git a/queue-5.15/alsa-hda-realtek-set-pcbeep-to-default-value-for-alc274.patch b/queue-5.15/alsa-hda-realtek-set-pcbeep-to-default-value-for-alc274.patch
new file mode 100644
index 00000000000..22c437efaf6
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-set-pcbeep-to-default-value-for-alc274.patch
@@ -0,0 +1,32 @@
+From 155699ccab7c78cbba69798242b68bc8ac66d5d2 Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Thu, 21 Nov 2024 16:16:26 +0800
+Subject: ALSA: hda/realtek: Set PCBeep to default value for ALC274
+
+From: Kailang Yang
+
+commit 155699ccab7c78cbba69798242b68bc8ac66d5d2 upstream.
+
+BIOS Enable PC beep path cause pop noise via speaker during boot time.
+Set to default value from driver will solve the issue.
+
+Signed-off-by: Kailang Yang
+Cc:
+Link: https://lore.kernel.org/2721bb57e20a44c3826c473e933f9105@realtek.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -463,6 +463,8 @@ static void alc_fill_eapd_coef(struct hd
+ break;
+ case 0x10ec0234:
+ case 0x10ec0274:
++ alc_write_coef_idx(codec, 0x6e, 0x0c25);
++ fallthrough;
+ case 0x10ec0294:
+ case 0x10ec0700:
+ case 0x10ec0701:
diff --git a/queue-5.15/alsa-hda-realtek-update-alc225-depop-procedure.patch b/queue-5.15/alsa-hda-realtek-update-alc225-depop-procedure.patch
new file mode 100644
index 00000000000..e014f653d47
--- /dev/null
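Review bot: In the queued alc_fill_eapd_coef() change, the new `alc_write_coef_idx(codec, 0x6e, 0x0c25);` runs for both `case 0x10ec0234:` and `case 0x10ec0274:`, while the subject and description name only ALC274, and the coefficient index and value are bare magic numbers. If covering 0x10ec0234 is intended, a short comment above the call such as `/* reset PC beep path to default; BIOS leaves it enabled and it pops at boot */` would record both the reason and the scope. The switch statement starts and continues outside the hunk, so whether 0x10ec0234 shares this register layout cannot be confirmed from here.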
+++ b/queue-5.15/alsa-hda-realtek-update-alc225-depop-procedure.patch 
@@ -0,0 +1,147 @@
+From 1fd50509fe14a9adc9329e0454b986157a4c155a Mon Sep 17 00:00:00 2001
+From: Kailang Yang
+Date: Thu, 14 Nov 2024 15:08:07 +0800
+Subject: ALSA: hda/realtek: Update ALC225 depop procedure
+
+From: Kailang Yang
+
+commit 1fd50509fe14a9adc9329e0454b986157a4c155a upstream.
+
+Old procedure has a chance to meet Headphone no output.
+
+Fixes: da911b1f5e98 ("ALSA: hda/realtek - update ALC225 depop optimize")
+Signed-off-by: Kailang Yang
+Cc:
+Link: https://lore.kernel.org/5a27b016ba9d42b4a4e6dadce50a3ba4@realtek.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 95 +++++++++++++++++++-----------------------
+ 1 file changed, 43 insertions(+), 52 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3748,33 +3748,28 @@ static void alc225_init(struct hda_codec
+ hp1_pin_sense = snd_hda_jack_detect(codec, hp_pin);
+ hp2_pin_sense = snd_hda_jack_detect(codec, 0x16);
+
+- if (hp1_pin_sense || hp2_pin_sense)
++ if (hp1_pin_sense || hp2_pin_sense) {
+ msleep(2);
++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+
+- alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x16, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
++ msleep(75);
++
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x16, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE);
+
+- if (hp1_pin_sense || spec->ultra_low_power)
+- snd_hda_codec_write(codec, hp_pin, 0,
+- AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+- if (hp2_pin_sense)
+- snd_hda_codec_write(codec, 0x16, 0,
+- AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+-
+- if (hp1_pin_sense || hp2_pin_sense || spec->ultra_low_power)
+- msleep(85);
+-
+- if (hp1_pin_sense || spec->ultra_low_power)
+- snd_hda_codec_write(codec, hp_pin, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
+- if (hp2_pin_sense)
+- snd_hda_codec_write(codec, 0x16, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
+-
+- if (hp1_pin_sense || hp2_pin_sense || spec->ultra_low_power)
+- msleep(100);
+-
+- alc_update_coef_idx(codec, 0x4a, 3 << 10, 0);
+- alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */
++ msleep(75);
++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */
++ }
+ }
+
+ static void alc225_shutup(struct hda_codec *codec)
+@@ -3786,36 +3781,35 @@ static void alc225_shutup(struct hda_cod
+ if (!hp_pin)
+ hp_pin = 0x21;
+
+- alc_disable_headset_jack_key(codec);
+- /* 3k pull low control for Headset jack. */
+- alc_update_coef_idx(codec, 0x4a, 0, 3 << 10);
+-
+ hp1_pin_sense = snd_hda_jack_detect(codec, hp_pin);
+ hp2_pin_sense = snd_hda_jack_detect(codec, 0x16);
+
+- if (hp1_pin_sense || hp2_pin_sense)
++ if (hp1_pin_sense || hp2_pin_sense) {
++ alc_disable_headset_jack_key(codec);
++ /* 3k pull low control for Headset jack. */
++ alc_update_coef_idx(codec, 0x4a, 0, 3 << 10);
+ msleep(2);
+
+- if (hp1_pin_sense || spec->ultra_low_power)
+- snd_hda_codec_write(codec, hp_pin, 0,
+- AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+- if (hp2_pin_sense)
+- snd_hda_codec_write(codec, 0x16, 0,
+- AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+-
+- if (hp1_pin_sense || hp2_pin_sense || spec->ultra_low_power)
+- msleep(85);
+-
+- if (hp1_pin_sense || spec->ultra_low_power)
+- snd_hda_codec_write(codec, hp_pin, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
+- if (hp2_pin_sense)
+- snd_hda_codec_write(codec, 0x16, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
+-
+- if (hp1_pin_sense || hp2_pin_sense || spec->ultra_low_power)
+- msleep(100);
+-
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x16, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
++
++ msleep(75);
++
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x16, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
++
++ msleep(75);
++ alc_update_coef_idx(codec, 0x4a, 3 << 10, 0);
++ alc_enable_headset_jack_key(codec);
++ }
+ alc_auto_setup_eapd(codec, false);
+ alc_shutup_pins(codec);
+ if (spec->ultra_low_power) {
+@@ -3826,9 +3820,6 @@ static void alc225_shutup(struct hda_cod
+ alc_update_coef_idx(codec, 0x4a, 3<<4, 2<<4);
+ msleep(30);
+ }
+-
+- alc_update_coef_idx(codec, 0x4a, 3 << 10, 0);
+- alc_enable_headset_jack_key(codec);
+ }
+
+ static void alc_default_init(struct hda_codec *codec)
diff --git a/queue-5.15/alsa-pcm-add-sanity-null-check-for-the-default-mmap-fault-handler.patch b/queue-5.15/alsa-pcm-add-sanity-null-check-for-the-default-mmap-fault-handler.patch
new file mode 100644
index 00000000000..d4ede86bc1a
--- /dev/null
+++ b/queue-5.15/alsa-pcm-add-sanity-null-check-for-the-default-mmap-fault-handler.patch
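Review bot: In the alc225_init() hunk the old unconditional `alc_update_coef_idx(codec, 0x4a, 3 << 10, 0);` is removed and not re-added inside the new `if (hp1_pin_sense || hp2_pin_sense) { ... }` block, whereas alc225_shutup() keeps its counterpart by moving it into the block. The one-line description does not say whether dropping it from init is deliberate, so a sentence in the commit message or a comment at that spot would help the next reader. The re-added line also carries the existing typo `/* Hight power */`, which could become `/* High power */` while the line is being touched. Both functions begin outside their hunks, so any earlier handling of coefficient 0x4a in alc225_init() is not visible here.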
@@ -0,0 +1,38 @@
+From d2913a07d9037fe7aed4b7e680684163eaed6bc4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 20 Nov 2024 15:11:02 +0100
+Subject: ALSA: pcm: Add sanity NULL check for the default mmap fault handler
+
+From: Takashi Iwai
+
+commit d2913a07d9037fe7aed4b7e680684163eaed6bc4 upstream.
+
+A driver might allow the mmap access before initializing its
+runtime->dma_area properly. Add a proper NULL check before passing to
+virt_to_page() for avoiding a panic.
+
+Reported-by: syzbot+4bf62a7b1d0f4fdb7ae2@syzkaller.appspotmail.com
+Cc:
+Link: https://patch.msgid.link/20241120141104.7060-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/pcm_native.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -3757,9 +3757,11 @@ static vm_fault_t snd_pcm_mmap_data_faul
+ return VM_FAULT_SIGBUS;
+ if (substream->ops->page)
+ page = substream->ops->page(substream, offset);
+- else if (!snd_pcm_get_dma_buf(substream))
++ else if (!snd_pcm_get_dma_buf(substream)) {
++ if (WARN_ON_ONCE(!runtime->dma_area))
++ return VM_FAULT_SIGBUS;
+ page = virt_to_page(runtime->dma_area + offset);
+- else
++ } else
+ page = snd_sgbuf_get_page(snd_pcm_get_dma_buf(substream), offset);
+ if (!page)
+ return VM_FAULT_SIGBUS;
diff --git a/queue-5.15/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch b/queue-5.15/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch
new file mode 100644
index 00000000000..944b44a6e66
--- /dev/null
+++ b/queue-5.15/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch
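Review bot: The new `WARN_ON_ONCE(!runtime->dma_area)` in snd_pcm_mmap_data_fault() sits on a path that, per the description and the syzbot report, can be reached by an mmap access before the driver has set up its buffer. On systems that run with panic_on_warn the NULL case would therefore still bring the machine down instead of only returning SIGBUS. If the condition is reachable from userspace rather than being a pure driver bug, a plain `if (!runtime->dma_area) return VM_FAULT_SIGBUS;` avoids that. Separately, `} else` leaves the last branch unbraced beside a braced one; kernel style would brace both. The function starts and ends outside the hunk.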
@@ -0,0 +1,47 @@
+From 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Thu, 14 Nov 2024 09:53:32 +0000
+Subject: arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
+
+From: Will Deacon
+
+commit 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c upstream.
+
+Commit 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of
+tpidrro_el0 for native tasks") tried to optimise the context switching
+of tpidrro_el0 by eliding the clearing of the register when switching
+to a native task with kpti enabled, on the erroneous assumption that
+the kpti trampoline entry code would already have taken care of the
+write.
+
+Although the kpti trampoline does zero the register on entry from a
+native task, the check in tls_thread_switch() is on the *next* task and
+so we can end up leaving a stale, non-zero value in the register if the
+previous task was 32-bit.
+
+Drop the broken optimisation and zero tpidrro_el0 unconditionally when
+switching to a native 64-bit task.
+
+Cc: Mark Rutland
+Cc: stable@vger.kernel.org
+Fixes: 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks")
+Signed-off-by: Will Deacon
+Acked-by: Mark Rutland
+Link: https://lore.kernel.org/r/20241114095332.23391-1-will@kernel.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -394,7 +394,7 @@ static void tls_thread_switch(struct tas
+
+ if (is_compat_thread(task_thread_info(next)))
+ write_sysreg(next->thread.uw.tp_value, tpidrro_el0);
+- else if (!arm64_kernel_unmapped_at_el0())
++ else
+ write_sysreg(0, tpidrro_el0);
+
+ write_sysreg(*task_user_tls(next), tpidr_el0);
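Review bot: The now-unconditional `write_sysreg(0, tpidrro_el0);` in tls_thread_switch() has no comment, and the condition it replaces looked like a sensible optimisation, so it is liable to be reintroduced later. A comment above the `else`, e.g. `/* Always clear: the previous task may have been compat; the kpti trampoline only zeroes on entry from a native task. */`, would pin the reasoning from the commit message in the code. That matters because the stale value described there is another task's thread pointer, left in a register the next task can presumably read from userspace. The function body starts and ends outside the hunk.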
diff --git a/queue-5.15/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch b/queue-5.15/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
new file mode 100644
index 00000000000..3b82e004c30
--- /dev/null
+++ b/queue-5.15/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
@@ -0,0 +1,113 @@
+From 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Mon, 14 Oct 2024 17:29:34 +0800
+Subject: block: fix ordering between checking BLK_MQ_S_STOPPED request adding
+
+From: Muchun Song
+
+commit 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 upstream.
+
+Supposing first scenario with a virtio_blk driver.
+
+CPU0 CPU1
+
+blk_mq_try_issue_directly()
+ __blk_mq_issue_directly()
+ q->mq_ops->queue_rq()
+ virtio_queue_rq()
+ blk_mq_stop_hw_queue()
+ virtblk_done()
+ blk_mq_request_bypass_insert() 1) store
+ blk_mq_start_stopped_hw_queue()
+ clear_bit(BLK_MQ_S_STOPPED) 3) store
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending()) 4) load
+ return
+ blk_mq_sched_dispatch_requests()
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending())
+ return
+ blk_mq_sched_dispatch_requests()
+ if (blk_mq_hctx_stopped()) 2) load
+ return
+ __blk_mq_sched_dispatch_requests()
+
+Supposing another scenario.
+
+CPU0 CPU1
+
+blk_mq_requeue_work()
+ blk_mq_insert_request() 1) store
+ virtblk_done()
+ blk_mq_start_stopped_hw_queue()
+ blk_mq_run_hw_queues() clear_bit(BLK_MQ_S_STOPPED) 3) store
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending()) 4) load
+ return
+ blk_mq_sched_dispatch_requests()
+ if (blk_mq_hctx_stopped()) 2) load
+ continue
+ blk_mq_run_hw_queue()
+
+Both scenarios are similar, the full memory barrier should be inserted
+between 1) and 2), as well as between 3) and 4) to make sure that either
+CPU0 sees BLK_MQ_S_STOPPED is cleared or CPU1 sees dispatch list.
+Otherwise, either CPU will not rerun the hardware queue causing
+starvation of the request.
+
+The easy way to fix it is to add the essential full memory barrier into
+helper of blk_mq_hctx_stopped(). In order to not affect the fast path
+(hardware queue is not stopped most of the time), we only insert the
+barrier into the slow path. Actually, only slow path needs to care about
+missing of dispatching the request to the low-level device driver.
+
+Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism")
+Cc: stable@vger.kernel.org
+Cc: Muchun Song
+Signed-off-by: Muchun Song
+Reviewed-by: Ming Lei
+Link: https://lore.kernel.org/r/20241014092934.53630-4-songmuchun@bytedance.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-mq.c | 6 ++++++
+ block/blk-mq.h | 13 +++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1813,6 +1813,12 @@ void blk_mq_start_stopped_hw_queue(struc
+ return;
+
+ clear_bit(BLK_MQ_S_STOPPED, &hctx->state);
++ /*
++ * Pairs with the smp_mb() in blk_mq_hctx_stopped() to order the
++ * clearing of BLK_MQ_S_STOPPED above and the checking of dispatch
++ * list in the subsequent routine.
++ */
++ smp_mb__after_atomic();
+ blk_mq_run_hw_queue(hctx, async);
+ }
+ EXPORT_SYMBOL_GPL(blk_mq_start_stopped_hw_queue);
+--- a/block/blk-mq.h
++++ b/block/blk-mq.h
+@@ -177,6 +177,19 @@ static inline struct blk_mq_tags *blk_mq
+
+ static inline bool blk_mq_hctx_stopped(struct blk_mq_hw_ctx *hctx)
+ {
++ /* Fast path: hardware queue is not stopped most of the time. */
++ if (likely(!test_bit(BLK_MQ_S_STOPPED, &hctx->state)))
++ return false;
++
++ /*
++ * This barrier is used to order adding of dispatch list before and
++ * the test of BLK_MQ_S_STOPPED below. Pairs with the memory barrier
++ * in blk_mq_start_stopped_hw_queue() so that dispatch code could
++ * either see BLK_MQ_S_STOPPED is cleared or dispatch list is not
++ * empty to avoid missing dispatching requests.
++ */
++ smp_mb();
++
+ return test_bit(BLK_MQ_S_STOPPED, &hctx->state);
+ }
+
diff --git a/queue-5.15/cpufreq-mediatek-hw-fix-wrong-return-value-in-mtk_cpufreq_get_cpu_power.patch b/queue-5.15/cpufreq-mediatek-hw-fix-wrong-return-value-in-mtk_cpufreq_get_cpu_power.patch
new file mode 100644
index 00000000000..8dbad55a6a8
--- /dev/null
+++ b/queue-5.15/cpufreq-mediatek-hw-fix-wrong-return-value-in-mtk_cpufreq_get_cpu_power.patch
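Review bot: The comment added in blk_mq_hctx_stopped() reads "order adding of dispatch list before and the test of BLK_MQ_S_STOPPED below", which is garbled at the exact point that says what the barrier orders. Suggested wording for those two lines: `* Order the caller's insertion into the dispatch list before the` / `* re-test of BLK_MQ_S_STOPPED below. Pairs with the memory barrier`. The pairing only holds for callers that add the request before calling this helper; that requirement is not visible in either hunk and would be worth stating in the same comment so new call sites do not check the flag first.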
@@ -0,0 +1,36 @@
+From 172bf5ed04cb6c9e66d58de003938ed5c8756570 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan
+Date: Thu, 7 Nov 2024 19:38:41 +0800
+Subject: cpufreq: mediatek-hw: Fix wrong return value in mtk_cpufreq_get_cpu_power()
+
+From: Jinjie Ruan
+
+commit 172bf5ed04cb6c9e66d58de003938ed5c8756570 upstream.
+
+mtk_cpufreq_get_cpu_power() return 0 if the policy is NULL. Then in
+em_create_perf_table(), the later zero check for power is not invalid
+as power is uninitialized. As Lukasz suggested, it must return -EINVAL when
+the 'policy' is not found. So return -EINVAL to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 4855e26bcf4d ("cpufreq: mediatek-hw: Add support for CPUFREQ HW")
+Reviewed-by: Lukasz Luba
+Suggested-by: Lukasz Luba
+Signed-off-by: Jinjie Ruan
+Signed-off-by: Viresh Kumar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpufreq/mediatek-cpufreq-hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/mediatek-cpufreq-hw.c
++++ b/drivers/cpufreq/mediatek-cpufreq-hw.c
+@@ -60,7 +60,7 @@ mtk_cpufreq_get_cpu_power(unsigned long
+
+ policy = cpufreq_cpu_get_raw(cpu_dev->id);
+ if (!policy)
+- return 0;
++ return -EINVAL;
+
+ data = policy->driver_data;
+
diff --git a/queue-5.15/gpio-exar-set-value-when-external-pull-up-or-pull-down-is-present.patch b/queue-5.15/gpio-exar-set-value-when-external-pull-up-or-pull-down-is-present.patch
new file mode 100644
index 00000000000..9185957f617
--- /dev/null
+++ b/queue-5.15/gpio-exar-set-value-when-external-pull-up-or-pull-down-is-present.patch
@@ -0,0 +1,78 @@
+From 72cef64180de04a7b055b4773c138d78f4ebdb77 Mon Sep 17 00:00:00 2001
+From: Sai Kumar Cholleti
+Date: Tue, 5 Nov 2024 12:45:23 +0530
+Subject: gpio: exar: set value when external pull-up or pull-down is present
+
+From: Sai Kumar Cholleti
+
+commit 72cef64180de04a7b055b4773c138d78f4ebdb77 upstream.
+
+Setting GPIO direction = high, sometimes results in GPIO value = 0.
+
+If a GPIO is pulled high, the following construction results in the
+value being 0 when the desired value is 1:
+
+$ echo "high" > /sys/class/gpio/gpio336/direction
+$ cat /sys/class/gpio/gpio336/value
+0
+
+Before the GPIO direction is changed from an input to an output,
+exar_set_value() is called with value = 1, but since the GPIO is an
+input when exar_set_value() is called, _regmap_update_bits() reads a 1
+due to an external pull-up. regmap_set_bits() sets force_write =
+false, so the value (1) is not written. When the direction is then
+changed, the GPIO becomes an output with the value of 0 (the hardware
+default).
+
+regmap_write_bits() sets force_write = true, so the value is always
+written by exar_set_value() and an external pull-up doesn't affect the
+outcome of setting direction = high.
+
+The same can happen when a GPIO is pulled low, but the scenario is a
+little more complicated.
+
+$ echo high > /sys/class/gpio/gpio351/direction
+$ cat /sys/class/gpio/gpio351/value
+1
+
+$ echo in > /sys/class/gpio/gpio351/direction
+$ cat /sys/class/gpio/gpio351/value
+0
+
+$ echo low > /sys/class/gpio/gpio351/direction
+$ cat /sys/class/gpio/gpio351/value
+1
+
+Fixes: 36fb7218e878 ("gpio: exar: switch to using regmap")
+Co-developed-by: Matthew McClain
+Signed-off-by: Matthew McClain
+Signed-off-by: Sai Kumar Cholleti
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20241105071523.2372032-1-skmr537@gmail.com
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-exar.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpio/gpio-exar.c
++++ b/drivers/gpio/gpio-exar.c
+@@ -80,11 +80,13 @@ static void exar_set_value(struct gpio_c
+ struct exar_gpio_chip *exar_gpio = gpiochip_get_data(chip);
+ unsigned int addr = exar_offset_to_lvl_addr(exar_gpio, offset);
+ unsigned int bit = exar_offset_to_bit(exar_gpio, offset);
++ unsigned int bit_value = value ? BIT(bit) : 0;
+
+- if (value)
+- regmap_set_bits(exar_gpio->regmap, addr, BIT(bit));
+- else
+- regmap_clear_bits(exar_gpio->regmap, addr, BIT(bit));
++ /*
++ * regmap_write_bits() forces value to be written when an external
++ * pull up/down might otherwise indicate value was already set.
++ */
++ regmap_write_bits(exar_gpio->regmap, addr, BIT(bit), bit_value);
+ }
+
+ static int exar_direction_output(struct gpio_chip *chip, unsigned int offset,
diff --git a/queue-5.15/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch b/queue-5.15/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
new file mode 100644
index 00000000000..f625eda07f2
--- /dev/null
+++ b/queue-5.15/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
@@ -0,0 +1,41 @@
+From 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke
+Date: Mon, 28 Oct 2024 10:39:14 -0700
+Subject: HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
+
+From: Jason Gerecke
+
+commit 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 upstream.
+
+The tilt data contained in the Bluetooth packets of an Intuos Pro are
+supposed to be interpreted as signed values. Simply casting the values
+to type `char` is not guaranteed to work since it is implementation-
+defined whether it is signed or unsigned. At least one user has noticed
+the data being reported incorrectly on their system. To ensure that the
+data is interpreted properly, we specifically cast to `signed char`
+instead.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/445
+Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+CC: stable@vger.kernel.org # 4.11+
+Signed-off-by: Jason Gerecke
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/wacom_wac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1401,9 +1401,9 @@ static void wacom_intuos_pro2_bt_pen(str
+ rotation -= 1800;
+
+ input_report_abs(pen_input, ABS_TILT_X,
+- (char)frame[7]);
++ (signed char)frame[7]);
+ input_report_abs(pen_input, ABS_TILT_Y,
+- (char)frame[8]);
++ (signed char)frame[8]);
+ input_report_abs(pen_input, ABS_Z, rotation);
+ input_report_abs(pen_input, ABS_WHEEL,
+ get_unaligned_le16(&frame[11]));
diff --git a/queue-5.15/jffs2-prevent-rtime-decompress-memory-corruption.patch b/queue-5.15/jffs2-prevent-rtime-decompress-memory-corruption.patch
new file mode 100644
index 00000000000..078df2a6d66
--- /dev/null
+++ b/queue-5.15/jffs2-prevent-rtime-decompress-memory-corruption.patch
@@ -0,0 +1,34 @@
+From fe051552f5078fa02d593847529a3884305a6ffe Mon Sep 17 00:00:00 2001
+From: Kinsey Moore
+Date: Tue, 23 Jul 2024 15:58:05 -0500
+Subject: jffs2: Prevent rtime decompress memory corruption
+
+From: Kinsey Moore
+
+commit fe051552f5078fa02d593847529a3884305a6ffe upstream.
+
+The rtime decompression routine does not fully check bounds during the
+entirety of the decompression pass and can corrupt memory outside the
+decompression buffer if the compressed data is corrupted. This adds the
+required check to prevent this failure mode.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kinsey Moore
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jffs2/compr_rtime.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/jffs2/compr_rtime.c
++++ b/fs/jffs2/compr_rtime.c
+@@ -95,6 +95,9 @@ static int jffs2_rtime_decompress(unsign
+
+ positions[value]=outpos;
+ if (repeat) {
++ if ((outpos + repeat) >= destlen) {
++ return 1;
++ }
+ if (backoffs + repeat >= outpos) {
+ while(repeat) {
+ cpage_out[outpos++] = cpage_out[backoffs++];
diff --git a/queue-5.15/media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch b/queue-5.15/media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch
new file mode 100644
index 00000000000..7d0bb3d5ad2
--- /dev/null
+++ b/queue-5.15/media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch
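Review bot: The added guard `if ((outpos + repeat) >= destlen)` in jffs2_rtime_decompress() also rejects a run that ends exactly at the end of the output buffer. The copy loop shown below it writes indices outpos through outpos + repeat - 1, which stay in bounds whenever outpos + repeat <= destlen (assuming destlen is the size of cpage_out, which the hunk does not show). As written, valid compressed data whose final run fills the buffer exactly would fail with 1, so a correct image could become unreadable; the bound should be `if ((outpos + repeat) > destlen) {`. The enclosing loop and the rest of the function lie outside the hunk.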
@@ -0,0 +1,368 @@ +From 9f070b1862f3411b8bcdfd51a8eaad25286f9deb Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 14 Oct 2024 16:52:41 +0200 +Subject: media: v4l2-core: v4l2-dv-timings: check cvt/gtf result + +From: Hans Verkuil + +commit 9f070b1862f3411b8bcdfd51a8eaad25286f9deb upstream. + +The v4l2_detect_cvt/gtf functions should check the result against the +timing capabilities: these functions calculate the timings, so if they +are out of bounds, they should be rejected. + +To do this, add the struct v4l2_dv_timings_cap as argument to those +functions. + +This required updates to the adv7604 and adv7842 drivers since the +prototype of these functions has now changed. The timings struct +that is passed to v4l2_detect_cvt/gtf in those two drivers is filled +with the timings detected by the hardware. + +The vivid driver was also updated, but an additional check was added: +the width and height specified by VIDIOC_S_DV_TIMINGS has to match the +calculated result, otherwise something went wrong. Note that vivid +*emulates* hardware, so all the values passed to the v4l2_detect_cvt/gtf +functions came from the timings struct that was filled by userspace +and passed on to the driver via VIDIOC_S_DV_TIMINGS. So these fields +can contain random data. Both the constraints check via +struct v4l2_dv_timings_cap and the additional width/height check +ensure that the resulting timings are sane and not messed up by the +v4l2_detect_cvt/gtf calculations. 
+ +Signed-off-by: Hans Verkuil +Fixes: 2576415846bc ("[media] v4l2: move dv-timings related code to v4l2-dv-timings.c") +Cc: stable@vger.kernel.org +Reported-by: syzbot+a828133770f62293563e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-media/000000000000013050062127830a@google.com/ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7604.c | 5 + drivers/media/i2c/adv7842.c | 13 +- + drivers/media/test-drivers/vivid/vivid-vid-cap.c | 15 ++ + drivers/media/v4l2-core/v4l2-dv-timings.c | 132 ++++++++++++----------- + include/media/v4l2-dv-timings.h | 18 ++- + 5 files changed, 107 insertions(+), 76 deletions(-) + +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -1405,12 +1405,13 @@ static int stdi2dv_timings(struct v4l2_s + if (v4l2_detect_cvt(stdi->lcf + 1, hfreq, stdi->lcvs, 0, + (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | + (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), +- false, timings)) ++ false, adv76xx_get_dv_timings_cap(sd, -1), timings)) + return 0; + if (v4l2_detect_gtf(stdi->lcf + 1, hfreq, stdi->lcvs, + (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | + (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), +- false, state->aspect_ratio, timings)) ++ false, state->aspect_ratio, ++ adv76xx_get_dv_timings_cap(sd, -1), timings)) + return 0; + + v4l2_dbg(2, debug, sd, +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -1441,14 +1441,15 @@ static int stdi2dv_timings(struct v4l2_s + } + + if (v4l2_detect_cvt(stdi->lcf + 1, hfreq, stdi->lcvs, 0, +- (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | +- (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), +- false, timings)) ++ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | ++ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), ++ false, adv7842_get_dv_timings_cap(sd), timings)) + return 0; + if (v4l2_detect_gtf(stdi->lcf + 1, hfreq, stdi->lcvs, +- (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | +- (stdi->vs_pol == '+' ? 
V4L2_DV_VSYNC_POS_POL : 0), +- false, state->aspect_ratio, timings)) ++ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | ++ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), ++ false, state->aspect_ratio, ++ adv7842_get_dv_timings_cap(sd), timings)) + return 0; + + v4l2_dbg(2, debug, sd, +--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +@@ -1707,12 +1707,19 @@ static bool valid_cvt_gtf_timings(struct + h_freq = (u32)bt->pixelclock / total_h_pixel; + + if (bt->standards == 0 || (bt->standards & V4L2_DV_BT_STD_CVT)) { ++ struct v4l2_dv_timings cvt = {}; ++ + if (v4l2_detect_cvt(total_v_lines, h_freq, bt->vsync, bt->width, +- bt->polarities, bt->interlaced, timings)) ++ bt->polarities, bt->interlaced, ++ &vivid_dv_timings_cap, &cvt) && ++ cvt.bt.width == bt->width && cvt.bt.height == bt->height) { ++ *timings = cvt; + return true; ++ } + } + + if (bt->standards == 0 || (bt->standards & V4L2_DV_BT_STD_GTF)) { ++ struct v4l2_dv_timings gtf = {}; + struct v4l2_fract aspect_ratio; + + find_aspect_ratio(bt->width, bt->height, +@@ -1720,8 +1727,12 @@ static bool valid_cvt_gtf_timings(struct + &aspect_ratio.denominator); + if (v4l2_detect_gtf(total_v_lines, h_freq, bt->vsync, + bt->polarities, bt->interlaced, +- aspect_ratio, timings)) ++ aspect_ratio, &vivid_dv_timings_cap, ++ >f) && ++ gtf.bt.width == bt->width && gtf.bt.height == bt->height) { ++ *timings = gtf; + return true; ++ } + } + return false; + } +--- a/drivers/media/v4l2-core/v4l2-dv-timings.c ++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c +@@ -481,25 +481,28 @@ EXPORT_SYMBOL_GPL(v4l2_calc_timeperframe + * @polarities - the horizontal and vertical polarities (same as struct + * v4l2_bt_timings polarities). + * @interlaced - if this flag is true, it indicates interlaced format +- * @fmt - the resulting timings. ++ * @cap - the v4l2_dv_timings_cap capabilities. ++ * @timings - the resulting timings. 
+ * + * This function will attempt to detect if the given values correspond to a + * valid CVT format. If so, then it will return true, and fmt will be filled + * in with the found CVT timings. + */ +-bool v4l2_detect_cvt(unsigned frame_height, +- unsigned hfreq, +- unsigned vsync, +- unsigned active_width, ++bool v4l2_detect_cvt(unsigned int frame_height, ++ unsigned int hfreq, ++ unsigned int vsync, ++ unsigned int active_width, + u32 polarities, + bool interlaced, +- struct v4l2_dv_timings *fmt) ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *timings) + { +- int v_fp, v_bp, h_fp, h_bp, hsync; +- int frame_width, image_height, image_width; ++ struct v4l2_dv_timings t = {}; ++ int v_fp, v_bp, h_fp, h_bp, hsync; ++ int frame_width, image_height, image_width; + bool reduced_blanking; + bool rb_v2 = false; +- unsigned pix_clk; ++ unsigned int pix_clk; + + if (vsync < 4 || vsync > 8) + return false; +@@ -625,36 +628,39 @@ bool v4l2_detect_cvt(unsigned frame_heig + h_fp = h_blank - hsync - h_bp; + } + +- fmt->type = V4L2_DV_BT_656_1120; +- fmt->bt.polarities = polarities; +- fmt->bt.width = image_width; +- fmt->bt.height = image_height; +- fmt->bt.hfrontporch = h_fp; +- fmt->bt.vfrontporch = v_fp; +- fmt->bt.hsync = hsync; +- fmt->bt.vsync = vsync; +- fmt->bt.hbackporch = frame_width - image_width - h_fp - hsync; ++ t.type = V4L2_DV_BT_656_1120; ++ t.bt.polarities = polarities; ++ t.bt.width = image_width; ++ t.bt.height = image_height; ++ t.bt.hfrontporch = h_fp; ++ t.bt.vfrontporch = v_fp; ++ t.bt.hsync = hsync; ++ t.bt.vsync = vsync; ++ t.bt.hbackporch = frame_width - image_width - h_fp - hsync; + + if (!interlaced) { +- fmt->bt.vbackporch = frame_height - image_height - v_fp - vsync; +- fmt->bt.interlaced = V4L2_DV_PROGRESSIVE; ++ t.bt.vbackporch = frame_height - image_height - v_fp - vsync; ++ t.bt.interlaced = V4L2_DV_PROGRESSIVE; + } else { +- fmt->bt.vbackporch = (frame_height - image_height - 2 * v_fp - ++ t.bt.vbackporch = (frame_height - 
image_height - 2 * v_fp - + 2 * vsync) / 2; +- fmt->bt.il_vbackporch = frame_height - image_height - 2 * v_fp - +- 2 * vsync - fmt->bt.vbackporch; +- fmt->bt.il_vfrontporch = v_fp; +- fmt->bt.il_vsync = vsync; +- fmt->bt.flags |= V4L2_DV_FL_HALF_LINE; +- fmt->bt.interlaced = V4L2_DV_INTERLACED; ++ t.bt.il_vbackporch = frame_height - image_height - 2 * v_fp - ++ 2 * vsync - t.bt.vbackporch; ++ t.bt.il_vfrontporch = v_fp; ++ t.bt.il_vsync = vsync; ++ t.bt.flags |= V4L2_DV_FL_HALF_LINE; ++ t.bt.interlaced = V4L2_DV_INTERLACED; + } + +- fmt->bt.pixelclock = pix_clk; +- fmt->bt.standards = V4L2_DV_BT_STD_CVT; ++ t.bt.pixelclock = pix_clk; ++ t.bt.standards = V4L2_DV_BT_STD_CVT; + + if (reduced_blanking) +- fmt->bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; ++ t.bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; + ++ if (!v4l2_valid_dv_timings(&t, cap, NULL, NULL)) ++ return false; ++ *timings = t; + return true; + } + EXPORT_SYMBOL_GPL(v4l2_detect_cvt); +@@ -699,22 +705,25 @@ EXPORT_SYMBOL_GPL(v4l2_detect_cvt); + * image height, so it has to be passed explicitly. Usually + * the native screen aspect ratio is used for this. If it + * is not filled in correctly, then 16:9 will be assumed. +- * @fmt - the resulting timings. ++ * @cap - the v4l2_dv_timings_cap capabilities. ++ * @timings - the resulting timings. + * + * This function will attempt to detect if the given values correspond to a + * valid GTF format. If so, then it will return true, and fmt will be filled + * in with the found GTF timings. 
+ */ +-bool v4l2_detect_gtf(unsigned frame_height, +- unsigned hfreq, +- unsigned vsync, +- u32 polarities, +- bool interlaced, +- struct v4l2_fract aspect, +- struct v4l2_dv_timings *fmt) ++bool v4l2_detect_gtf(unsigned int frame_height, ++ unsigned int hfreq, ++ unsigned int vsync, ++ u32 polarities, ++ bool interlaced, ++ struct v4l2_fract aspect, ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *timings) + { ++ struct v4l2_dv_timings t = {}; + int pix_clk; +- int v_fp, v_bp, h_fp, hsync; ++ int v_fp, v_bp, h_fp, hsync; + int frame_width, image_height, image_width; + bool default_gtf; + int h_blank; +@@ -783,36 +792,39 @@ bool v4l2_detect_gtf(unsigned frame_heig + + h_fp = h_blank / 2 - hsync; + +- fmt->type = V4L2_DV_BT_656_1120; +- fmt->bt.polarities = polarities; +- fmt->bt.width = image_width; +- fmt->bt.height = image_height; +- fmt->bt.hfrontporch = h_fp; +- fmt->bt.vfrontporch = v_fp; +- fmt->bt.hsync = hsync; +- fmt->bt.vsync = vsync; +- fmt->bt.hbackporch = frame_width - image_width - h_fp - hsync; ++ t.type = V4L2_DV_BT_656_1120; ++ t.bt.polarities = polarities; ++ t.bt.width = image_width; ++ t.bt.height = image_height; ++ t.bt.hfrontporch = h_fp; ++ t.bt.vfrontporch = v_fp; ++ t.bt.hsync = hsync; ++ t.bt.vsync = vsync; ++ t.bt.hbackporch = frame_width - image_width - h_fp - hsync; + + if (!interlaced) { +- fmt->bt.vbackporch = frame_height - image_height - v_fp - vsync; +- fmt->bt.interlaced = V4L2_DV_PROGRESSIVE; ++ t.bt.vbackporch = frame_height - image_height - v_fp - vsync; ++ t.bt.interlaced = V4L2_DV_PROGRESSIVE; + } else { +- fmt->bt.vbackporch = (frame_height - image_height - 2 * v_fp - ++ t.bt.vbackporch = (frame_height - image_height - 2 * v_fp - + 2 * vsync) / 2; +- fmt->bt.il_vbackporch = frame_height - image_height - 2 * v_fp - +- 2 * vsync - fmt->bt.vbackporch; +- fmt->bt.il_vfrontporch = v_fp; +- fmt->bt.il_vsync = vsync; +- fmt->bt.flags |= V4L2_DV_FL_HALF_LINE; +- fmt->bt.interlaced = V4L2_DV_INTERLACED; ++ 
t.bt.il_vbackporch = frame_height - image_height - 2 * v_fp - ++ 2 * vsync - t.bt.vbackporch; ++ t.bt.il_vfrontporch = v_fp; ++ t.bt.il_vsync = vsync; ++ t.bt.flags |= V4L2_DV_FL_HALF_LINE; ++ t.bt.interlaced = V4L2_DV_INTERLACED; + } + +- fmt->bt.pixelclock = pix_clk; +- fmt->bt.standards = V4L2_DV_BT_STD_GTF; ++ t.bt.pixelclock = pix_clk; ++ t.bt.standards = V4L2_DV_BT_STD_GTF; + + if (!default_gtf) +- fmt->bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; ++ t.bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; + ++ if (!v4l2_valid_dv_timings(&t, cap, NULL, NULL)) ++ return false; ++ *timings = t; + return true; + } + EXPORT_SYMBOL_GPL(v4l2_detect_gtf); +--- a/include/media/v4l2-dv-timings.h ++++ b/include/media/v4l2-dv-timings.h +@@ -146,15 +146,18 @@ void v4l2_print_dv_timings(const char *d + * @polarities: the horizontal and vertical polarities (same as struct + * v4l2_bt_timings polarities). + * @interlaced: if this flag is true, it indicates interlaced format ++ * @cap: the v4l2_dv_timings_cap capabilities. + * @fmt: the resulting timings. + * + * This function will attempt to detect if the given values correspond to a + * valid CVT format. If so, then it will return true, and fmt will be filled + * in with the found CVT timings. + */ +-bool v4l2_detect_cvt(unsigned frame_height, unsigned hfreq, unsigned vsync, +- unsigned active_width, u32 polarities, bool interlaced, +- struct v4l2_dv_timings *fmt); ++bool v4l2_detect_cvt(unsigned int frame_height, unsigned int hfreq, ++ unsigned int vsync, unsigned int active_width, ++ u32 polarities, bool interlaced, ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *fmt); + + /** + * v4l2_detect_gtf - detect if the given timings follow the GTF standard +@@ -170,15 +173,18 @@ bool v4l2_detect_cvt(unsigned frame_heig + * image height, so it has to be passed explicitly. Usually + * the native screen aspect ratio is used for this. If it + * is not filled in correctly, then 16:9 will be assumed. 
++ * @cap: the v4l2_dv_timings_cap capabilities. + * @fmt: the resulting timings. + * + * This function will attempt to detect if the given values correspond to a + * valid GTF format. If so, then it will return true, and fmt will be filled + * in with the found GTF timings. + */ +-bool v4l2_detect_gtf(unsigned frame_height, unsigned hfreq, unsigned vsync, +- u32 polarities, bool interlaced, struct v4l2_fract aspect, +- struct v4l2_dv_timings *fmt); ++bool v4l2_detect_gtf(unsigned int frame_height, unsigned int hfreq, ++ unsigned int vsync, u32 polarities, bool interlaced, ++ struct v4l2_fract aspect, ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *fmt); + + /** + * v4l2_calc_aspect_ratio - calculate the aspect ratio based on bytes diff --git a/queue-5.15/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch b/queue-5.15/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch new file mode 100644 index 00000000000..df00fb11597 --- /dev/null +++ b/queue-5.15/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch 
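Review bot: The kernel-doc for v4l2_detect_cvt() and v4l2_detect_gtf() no longer matches the new signatures. In v4l2-dv-timings.c the parameter is now `@timings`, but the paragraph below it still says "fmt will be filled in", and include/media/v4l2-dv-timings.h keeps `@fmt` and `struct v4l2_dv_timings *fmt` in both prototypes. The names should be aligned on one spelling, and the comment should state the contract the new code introduces, e.g. `* Returns false and leaves @timings untouched if the computed timings fall outside @cap.`, since the result is now built in the local `t` and copied out only after v4l2_valid_dv_timings() accepts it. `cap` is handed straight to that helper, so the doc should also say whether a NULL `@cap` is permitted.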
@@ -0,0 +1,54 @@ +From ca59f9956d4519ab18ab2270be47c6b8c6ced091 Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Fri, 27 Sep 2024 16:39:02 +0800 +Subject: media: wl128x: Fix atomicity violation in fmc_send_cmd() + +From: Qiu-ji Chen + +commit ca59f9956d4519ab18ab2270be47c6b8c6ced091 upstream. + +Atomicity violation occurs when the fmc_send_cmd() function is executed +simultaneously with the modification of the fmdev->resp_skb value. +Consider a scenario where, after passing the validity check within the +function, a non-null fmdev->resp_skb variable is assigned a null value. +This results in an invalid fmdev->resp_skb variable passing the validity +check. As seen in the later part of the function, skb = fmdev->resp_skb; +when the invalid fmdev->resp_skb passes the check, a null pointer +dereference error may occur at line 478, evt_hdr = (void *)skb->data; + +To address this issue, it is recommended to include the validity check of +fmdev->resp_skb within the locked section of the function. This +modification ensures that the value of fmdev->resp_skb does not change +during the validation process, thereby maintaining its validity. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs +to extract function pairs that can be concurrently executed, and then +analyzes the instructions in the paired functions to identify possible +concurrency bugs including data races and atomicity violations. 
+ +Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/radio/wl128x/fmdrv_common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/radio/wl128x/fmdrv_common.c ++++ b/drivers/media/radio/wl128x/fmdrv_common.c +@@ -465,11 +465,12 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 + jiffies_to_msecs(FM_DRV_TX_TIMEOUT) / 1000); + return -ETIMEDOUT; + } ++ spin_lock_irqsave(&fmdev->resp_skb_lock, flags); + if (!fmdev->resp_skb) { ++ spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); + fmerr("Response SKB is missing\n"); + return -EFAULT; + } +- spin_lock_irqsave(&fmdev->resp_skb_lock, flags); + skb = fmdev->resp_skb; + fmdev->resp_skb = NULL; + spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); diff --git a/queue-5.15/mtd-spi-nor-core-replace-dummy-buswidth-from-addr-to-data.patch b/queue-5.15/mtd-spi-nor-core-replace-dummy-buswidth-from-addr-to-data.patch new file mode 100644 index 00000000000..3c172a34a22 --- /dev/null +++ b/queue-5.15/mtd-spi-nor-core-replace-dummy-buswidth-from-addr-to-data.patch 
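Review bot: The locked section in fmc_send_cmd() now has two unlock sites, one of them on the error path inside `if (!fmdev->resp_skb)`, which is easy to break in a later edit. Taking the pointer first and testing the local copy after a single unlock is simpler: keep `skb = fmdev->resp_skb;` and `fmdev->resp_skb = NULL;` under the lock, then use `if (!skb) {` with the existing fmerr() and `return -EFAULT;`. That keeps fmerr() outside the spinlock without a special case. The function body starts and continues outside the hunk, so other accesses to `resp_skb` are not covered by this note.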
@@ -0,0 +1,44 @@ +From 98d1fb94ce75f39febd456d6d3cbbe58b6678795 Mon Sep 17 00:00:00 2001 +From: Cheng Ming Lin +Date: Tue, 12 Nov 2024 15:52:42 +0800 +Subject: mtd: spi-nor: core: replace dummy buswidth from addr to data + +From: Cheng Ming Lin + +commit 98d1fb94ce75f39febd456d6d3cbbe58b6678795 upstream. + +The default dummy cycle for Macronix SPI NOR flash in Octal Output +Read Mode(1-1-8) is 20. + +Currently, the dummy buswidth is set according to the address bus width. +In the 1-1-8 mode, this means the dummy buswidth is 1. When converting +dummy cycles to bytes, this results in 20 x 1 / 8 = 2 bytes, causing the +host to read data 4 cycles too early. + +Since the protocol data buswidth is always greater than or equal to the +address buswidth. Setting the dummy buswidth to match the data buswidth +increases the likelihood that the dummy cycle-to-byte conversion will be +divisible, preventing the host from reading data prematurely. + +Fixes: 0e30f47232ab ("mtd: spi-nor: add support for DTR protocol") +Cc: stable@vger.kernel.org +Reviewed-by: Pratyush Yadav +Signed-off-by: Cheng Ming Lin +Link: https://lore.kernel.org/r/20241112075242.174010-2-linchengming884@gmail.com +Signed-off-by: Tudor Ambarus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -89,7 +89,7 @@ void spi_nor_spimem_setup_op(const struc + op->addr.buswidth = spi_nor_get_protocol_addr_nbits(proto); + + if (op->dummy.nbytes) +- op->dummy.buswidth = spi_nor_get_protocol_addr_nbits(proto); ++ op->dummy.buswidth = spi_nor_get_protocol_data_nbits(proto); + + if (op->data.nbytes) + op->data.buswidth = spi_nor_get_protocol_data_nbits(proto); diff --git a/queue-5.15/netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch b/queue-5.15/netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch new file mode 100644 index 00000000000..949c81c755e 
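Review bot: The changed line `op->dummy.buswidth = spi_nor_get_protocol_data_nbits(proto);` has no comment, and it is not obvious from the code why the dummy phase takes the data width rather than the address width. Per the commit message this only makes the cycle-to-byte conversion more likely to divide evenly; the conversion itself is outside the hunk and, as described, can still round down. A comment such as `/* use the data bus width so the dummy cycle-to-byte conversion is less likely to truncate */` would record the reason. A remainder check at the conversion site would turn a silent early read into a visible error.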
--- /dev/null +++ b/queue-5.15/netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch @@ -0,0 +1,51 @@ +From 35f56c554eb1b56b77b3cf197a6b00922d49033d Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Wed, 13 Nov 2024 22:02:09 +0900 +Subject: netfilter: ipset: add missing range check in bitmap_ip_uadt + +From: Jeongjun Park + +commit 35f56c554eb1b56b77b3cf197a6b00922d49033d upstream. + +When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, +the values of ip and ip_to are slightly swapped. Therefore, the range check +for ip should be done later, but this part is missing and it seems that the +vulnerability occurs. + +So we should add missing range checks and remove unnecessary range checks. + +Cc: +Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com +Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support") +Signed-off-by: Jeongjun Park +Acked-by: Jozsef Kadlecsik +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set *set, struc + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); + if (ret) + return ret; +- if (ip > ip_to) { ++ if (ip > ip_to) + swap(ip, ip_to); +- if (ip < map->first_ip) +- return -IPSET_ERR_BITMAP_RANGE; +- } + } else if (tb[IPSET_ATTR_CIDR]) { + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); + +@@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set *set, struc + ip_to = ip; + } + +- if (ip_to > map->last_ip) ++ if (ip < map->first_ip || ip_to > map->last_ip) + return -IPSET_ERR_BITMAP_RANGE; + + for (; !before(ip_to, ip); ip += map->hosts) { 
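Review bot: The combined check `if (ip < map->first_ip || ip_to > map->last_ip)` in bitmap_ip_uadt() is only correct because it sits after both the IP_TO branch and the CIDR branch, and nothing in the code says so. According to the commit message, the CIDR branch can still change `ip` after the point where the old lower-bound test ran, so that test apparently missed the final value. A comment above the check, e.g. `/* Validate both ends here: the branches above may still move ip and ip_to. */`, would keep it from being folded back into one branch. The attributes come from a netlink request, and the function starts and ends outside the quoted hunks.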
diff --git a/queue-5.15/platform-chrome-cros_ec_typec-fix-missing-fwnode-reference-decrement.patch b/queue-5.15/platform-chrome-cros_ec_typec-fix-missing-fwnode-reference-decrement.patch new file mode 100644 index 00000000000..90ada9c6a34 --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec_typec-fix-missing-fwnode-reference-decrement.patch @@ -0,0 +1,36 @@ +From 9c41f371457bd9a24874e3c7934d9745e87fbc58 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Sun, 13 Oct 2024 15:20:24 +0200 +Subject: platform/chrome: cros_ec_typec: fix missing fwnode reference decrement + +From: Javier Carrasco + +commit 9c41f371457bd9a24874e3c7934d9745e87fbc58 upstream. + +The device_for_each_child_node() macro requires explicit calls to +fwnode_handle_put() upon early exits (return, break, goto) to decrement +the fwnode's refcount, and avoid levaing a node reference behind. + +Add the missing fwnode_handle_put() after the common label for all error +paths. + +Cc: stable@vger.kernel.org +Fixes: fdc6b21e2444 ("platform/chrome: Add Type C connector class driver") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20241013-cross_ec_typec_fwnode_handle_put-v2-1-9182b2cd7767@gmail.com +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec_typec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/platform/chrome/cros_ec_typec.c ++++ b/drivers/platform/chrome/cros_ec_typec.c +@@ -375,6 +375,7 @@ static int cros_typec_init_ports(struct + return 0; + + unregister_ports: ++ fwnode_handle_put(fwnode); + cros_unregister_ports(typec); + return ret; + } diff --git a/queue-5.15/revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch b/queue-5.15/revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch new file mode 100644 index 00000000000..8a866d4af1f --- /dev/null +++ b/queue-5.15/revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch 
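Review bot: `fwnode_handle_put(fwnode);` now runs on every jump to `unregister_ports`, so it is only correct if each jump happens while the device_for_each_child_node() iteration holds a reference in `fwnode`. The loop and the `goto` sites are outside the hunk. If any of them can be reached before the loop has assigned `fwnode`, the variable needs a NULL initialiser, assuming the put tolerates NULL. A comment on the new line, e.g. `/* drop the reference held by the interrupted child-node iteration */`, would explain why a put sits on a shared error label.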
@@ -0,0 +1,66 @@ +From 718632467d88e98816fa01ab12681ef1c2aa56f8 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sat, 30 Nov 2024 16:55:56 +0100 +Subject: Revert "serial: sh-sci: Clean sci_ports[0] after at earlycon exit" + +From: Greg Kroah-Hartman + +commit 718632467d88e98816fa01ab12681ef1c2aa56f8 upstream. + +This reverts commit 3791ea69a4858b81e0277f695ca40f5aae40f312. + +It was reported to cause boot-time issues, so revert it for now. + +Reported-by: Geert Uytterhoeven +Fixes: 3791ea69a485 ("serial: sh-sci: Clean sci_ports[0] after at earlycon exit") +Cc: stable +Cc: Claudiu Beznea +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 28 ---------------------------- + 1 file changed, 28 deletions(-) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3433,32 +3433,6 @@ sh_early_platform_init_buffer("earlyprin + #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON + static struct plat_sci_port port_cfg __initdata; + +-static int early_console_exit(struct console *co) +-{ +- struct sci_port *sci_port = &sci_ports[0]; +- struct uart_port *port = &sci_port->port; +- unsigned long flags; +- int locked = 1; +- +- if (port->sysrq) +- locked = 0; +- else if (oops_in_progress) +- locked = uart_port_trylock_irqsave(port, &flags); +- else +- uart_port_lock_irqsave(port, &flags); +- +- /* +- * Clean the slot used by earlycon. A new SCI device might +- * map to this slot. +- */ +- memset(sci_ports, 0, sizeof(*sci_port)); +- +- if (locked) +- uart_port_unlock_irqrestore(port, flags); +- +- return 0; +-} +- + static int __init early_console_setup(struct earlycon_device *device, + int type) + { +@@ -3477,8 +3451,6 @@ static int __init early_console_setup(st + SCSCR_RE | SCSCR_TE | port_cfg.scscr); + + device->con->write = serial_console_write; +- device->con->exit = early_console_exit; +- + return 0; + } + static int __init sci_early_console_setup(struct earlycon_device *device, 
diff --git a/queue-5.15/revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch b/queue-5.15/revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch new file mode 100644 index 00000000000..dac9f1b35d0 --- /dev/null +++ b/queue-5.15/revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch 
@@ -0,0 +1,81 @@ +From 51cdd69d6a857f527d6d0697a2e1f0fa8bca1005 Mon Sep 17 00:00:00 2001 +From: Michal Vrastil +Date: Wed, 13 Nov 2024 15:54:33 -0800 +Subject: Revert "usb: gadget: composite: fix OS descriptors w_value logic" + +From: Michal Vrastil + +commit 51cdd69d6a857f527d6d0697a2e1f0fa8bca1005 upstream. + +This reverts commit ec6ce7075ef879b91a8710829016005dc8170f17. + +Fix installation of WinUSB driver using OS descriptors. Without the +fix the drivers are not installed correctly and the property +'DeviceInterfaceGUID' is missing on host side. + +The original change was based on the assumption that the interface +number is in the high byte of wValue but it is in the low byte, +instead. Unfortunately, the fix is based on MS documentation which is +also wrong. + +The actual USB request for OS descriptors (using USB analyzer) looks +like: + +Offset 0 1 2 3 4 5 6 7 +0x000 C1 A1 02 00 05 00 0A 00 + +C1: bmRequestType (device to host, vendor, interface) +A1: nas magic number +0002: wValue (2: nas interface) +0005: wIndex (5: get extended property i.e. nas interface GUID) +008E: wLength (142) + +The fix was tested on Windows 10 and Windows 11. 
+ +Cc: stable@vger.kernel.org +Fixes: ec6ce7075ef8 ("usb: gadget: composite: fix OS descriptors w_value logic") +Signed-off-by: Michal Vrastil +Signed-off-by: Elson Roy Serrao +Acked-by: Peter korsgaard +Link: https://lore.kernel.org/r/20241113235433.20244-1-quic_eserrao@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2017,8 +2017,20 @@ unknown: + memset(buf, 0, w_length); + buf[5] = 0x01; + switch (ctrl->bRequestType & USB_RECIP_MASK) { ++ /* ++ * The Microsoft CompatID OS Descriptor Spec(w_index = 0x4) and ++ * Extended Prop OS Desc Spec(w_index = 0x5) state that the ++ * HighByte of wValue is the InterfaceNumber and the LowByte is ++ * the PageNumber. This high/low byte ordering is incorrectly ++ * documented in the Spec. USB analyzer output on the below ++ * request packets show the high/low byte inverted i.e LowByte ++ * is the InterfaceNumber and the HighByte is the PageNumber. ++ * Since we dont support >64KB CompatID/ExtendedProp descriptors, ++ * PageNumber is set to 0. Hence verify that the HighByte is 0 ++ * for below two cases. ++ */ + case USB_RECIP_DEVICE: +- if (w_index != 0x4 || (w_value & 0xff)) ++ if (w_index != 0x4 || (w_value >> 8)) + break; + buf[6] = w_index; + /* Number of ext compat interfaces */ +@@ -2034,9 +2046,9 @@ unknown: + } + break; + case USB_RECIP_INTERFACE: +- if (w_index != 0x5 || (w_value & 0xff)) ++ if (w_index != 0x5 || (w_value >> 8)) + break; +- interface = w_value >> 8; ++ interface = w_value & 0xFF; + if (interface >= MAX_CONFIG_INTERFACES || + !os_desc_cfg->interface[interface]) + break; diff --git a/queue-5.15/serial-8250-omap-move-pm_runtime_get_sync.patch b/queue-5.15/serial-8250-omap-move-pm_runtime_get_sync.patch new file mode 100644 index 00000000000..fddd584565a --- /dev/null 
+++ b/queue-5.15/serial-8250-omap-move-pm_runtime_get_sync.patch @@ -0,0 +1,48 @@ +From bcc7ba668818dcadd2f1db66b39ed860a63ecf97 Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Thu, 31 Oct 2024 12:23:15 -0500 +Subject: serial: 8250: omap: Move pm_runtime_get_sync + +From: Bin Liu + +commit bcc7ba668818dcadd2f1db66b39ed860a63ecf97 upstream. + +Currently in omap_8250_shutdown, the dma->rx_running flag is +set to zero in omap_8250_rx_dma_flush. Next pm_runtime_get_sync +is called, which is a runtime resume call stack which can +re-set the flag. When the call omap_8250_shutdown returns, the +flag is expected to be UN-SET, but this is not the case. This +is causing issues the next time UART is re-opened and +omap_8250_rx_dma is called. Fix by moving pm_runtime_get_sync +before the omap_8250_rx_dma_flush. + +cc: stable@vger.kernel.org +Fixes: 0e31c8d173ab ("tty: serial: 8250_omap: add custom DMA-RX callback") +Signed-off-by: Bin Liu +[Judith: Add commit message] +Signed-off-by: Judith Mendez +Reviewed-by: Kevin Hilman +Tested-by: Kevin Hilman +Link: https://lore.kernel.org/r/20241031172315.453750-1-jm@ti.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_omap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -763,12 +763,12 @@ static void omap_8250_shutdown(struct ua + struct uart_8250_port *up = up_to_u8250p(port); + struct omap8250_priv *priv = port->private_data; + ++ pm_runtime_get_sync(port->dev); ++ + flush_work(&priv->qos_work); + if (up->dma) + omap_8250_rx_dma_flush(up); + +- pm_runtime_get_sync(port->dev); +- + serial_out(up, UART_OMAP_WER, 0); + if (priv->habit & UART_HAS_EFR2) + serial_out(up, UART_OMAP_EFR2, 0x0); diff --git a/queue-5.15/serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch b/queue-5.15/serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch new file mode 100644 index 00000000000..3b2befff197 --- /dev/null 
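Review bot: The statement order in omap_8250_shutdown() is now load-bearing but undocumented: `pm_runtime_get_sync(port->dev);` has to precede omap_8250_rx_dma_flush() because, per the commit message, the runtime-resume path can set `dma->rx_running` again. A comment above the call, e.g. `/* Resume first: runtime resume may set dma->rx_running, which the flush below clears. */`, would keep it from being moved back. The return value of pm_runtime_get_sync() is still ignored, so a failed resume falls through to the serial_out() register writes. Since the function returns void, logging a negative return would at least make that case visible.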
+++ b/queue-5.15/serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch 
@@ -0,0 +1,84 @@ +From 3791ea69a4858b81e0277f695ca40f5aae40f312 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 6 Nov 2024 14:01:12 +0200 +Subject: serial: sh-sci: Clean sci_ports[0] after at earlycon exit + +From: Claudiu Beznea + +commit 3791ea69a4858b81e0277f695ca40f5aae40f312 upstream. + +The early_console_setup() function initializes the sci_ports[0].port with +an object of type struct uart_port obtained from the object of type +struct earlycon_device received as argument by the early_console_setup(). + +It may happen that later, when the rest of the serial ports are probed, +the serial port that was used as earlycon (e.g., port A) to be mapped to a +different position in sci_ports[] and the slot 0 to be used by a different +serial port (e.g., port B), as follows: + +sci_ports[0] = port A +sci_ports[X] = port B + +In this case, the new port mapped at index zero will have associated data +that was used for earlycon. + +In case this happens, after Linux boot, any access to the serial port that +maps on sci_ports[0] (port A) will block the serial port that was used as +earlycon (port B). + +To fix this, add early_console_exit() that clean the sci_ports[0] at +earlycon exit time. 
+ +Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") +Cc: stable@vger.kernel.org +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20241106120118.1719888-4-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3433,6 +3433,32 @@ sh_early_platform_init_buffer("earlyprin + #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON + static struct plat_sci_port port_cfg __initdata; + ++static int early_console_exit(struct console *co) ++{ ++ struct sci_port *sci_port = &sci_ports[0]; ++ struct uart_port *port = &sci_port->port; ++ unsigned long flags; ++ int locked = 1; ++ ++ if (port->sysrq) ++ locked = 0; ++ else if (oops_in_progress) ++ locked = uart_port_trylock_irqsave(port, &flags); ++ else ++ uart_port_lock_irqsave(port, &flags); ++ ++ /* ++ * Clean the slot used by earlycon. A new SCI device might ++ * map to this slot. ++ */ ++ memset(sci_ports, 0, sizeof(*sci_port)); ++ ++ if (locked) ++ uart_port_unlock_irqrestore(port, flags); ++ ++ return 0; ++} ++ + static int __init early_console_setup(struct earlycon_device *device, + int type) + { +@@ -3451,6 +3477,8 @@ static int __init early_console_setup(st + SCSCR_RE | SCSCR_TE | port_cfg.scscr); + + device->con->write = serial_console_write; ++ device->con->exit = early_console_exit; ++ + return 0; + } + static int __init sci_early_console_setup(struct earlycon_device *device, diff --git a/queue-5.15/series b/queue-5.15/series index 7573f11a25c..84b280de5fe 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
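Review bot: In early_console_exit() the call `memset(sci_ports, 0, sizeof(*sci_port));` clears the whole of `sci_ports[0]`, and `port` points into that same slot, so the following `uart_port_unlock_irqrestore(port, flags)` operates on a port that was zeroed while its lock was held. If the lock lives inside `struct uart_port`, as the lock helpers taking `port` suggest, its state is wiped before the unlock. Either the lock has to be excluded from the clear, or only the fields that carry earlycon state should be reset. Writing the call as `memset(sci_port, 0, sizeof(*sci_port));` would also make it clear that one slot, not the array, is cleared. The same series queues a revert of this patch because of boot-time problems.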
@@ -308,3 +308,30 @@ exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch
 bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch
 usb-xhci-fix-td-invalidation-under-pending-set-tr-dequeue.patch
 driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
+revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch
+serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch
+revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch
+gpio-exar-set-value-when-external-pull-up-or-pull-down-is-present.patch
+netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch
+spi-fix-acpi-deferred-irq-probe.patch
+mtd-spi-nor-core-replace-dummy-buswidth-from-addr-to-data.patch
+cpufreq-mediatek-hw-fix-wrong-return-value-in-mtk_cpufreq_get_cpu_power.patch
+platform-chrome-cros_ec_typec-fix-missing-fwnode-reference-decrement.patch
+ubi-wl-put-source-peb-into-correct-list-if-trying-locking-leb-failed.patch
+um-ubd-do-not-use-drvdata-in-release.patch
+um-net-do-not-use-drvdata-in-release.patch
+serial-8250-omap-move-pm_runtime_get_sync.patch
+jffs2-prevent-rtime-decompress-memory-corruption.patch
+um-vector-do-not-use-drvdata-in-release.patch
+sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
+arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch
+block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
+hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
+media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch
+soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch
+media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch
+alsa-pcm-add-sanity-null-check-for-the-default-mmap-fault-handler.patch
+alsa-hda-realtek-update-alc225-depop-procedure.patch
+alsa-hda-realtek-set-pcbeep-to-default-value-for-alc274.patch
+alsa-hda-realtek-fix-internal-speaker-and-mic-boost-of-infinix-y4-max.patch
+alsa-hda-realtek-apply-quirk-for-medion-e15433.patch
diff --git a/queue-5.15/sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch b/queue-5.15/sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
new file mode 100644
index 00000000000..e4aa40f4cac
--- /dev/null
+++ b/queue-5.15/sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
@@ -0,0 +1,64 @@
+From 3c891f7c6a4e90bb1199497552f24b26e46383bc Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 14 Jul 2022 16:41:36 +0800
+Subject: sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
+
+From: Huacai Chen
+
+commit 3c891f7c6a4e90bb1199497552f24b26e46383bc upstream.
+
+When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,
+cpu_max_bits_warn() generates a runtime warning similar as below when
+showing /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)
+instead of NR_CPUS to iterate CPUs.
+
+[ 3.052463] ------------[ cut here ]------------
+[ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
+[ 3.070072] Modules linked in: efivarfs autofs4
+[ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
+[ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000
+[ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430
+[ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff
+[ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890
+[ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa
+[ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000
+[ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000
+[ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000
+[ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286
+[ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
+[ 3.195868] ...
+[ 3.199917] Call Trace:
+[ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c
+[ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88
+[ 3.217625] [<900000000023d268>] __warn+0xd0/0x100
+[ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
+[ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0
+[ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4
+[ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4
+[ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0
+[ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100
+[ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94
+[ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160
+[ 3.281824] ---[ end trace 8b484262b4b8c24c ]---
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen
+Reviewed-by: John Paul Adrian Glaubitz
+Tested-by: John Paul Adrian Glaubitz
+Signed-off-by: John Paul Adrian Glaubitz
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sh/kernel/cpu/proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/kernel/cpu/proc.c
++++ b/arch/sh/kernel/cpu/proc.c
+@@ -132,7 +132,7 @@ static int show_cpuinfo(struct seq_file
+
+ static void *c_start(struct seq_file *m, loff_t *pos)
+ {
+- return *pos < NR_CPUS ? cpu_data + *pos : NULL;
++ return *pos < nr_cpu_ids ? cpu_data + *pos : NULL;
+ }
+ static void *c_next(struct seq_file *m, void *v, loff_t *pos)
+ {
diff --git a/queue-5.15/soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch b/queue-5.15/soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch
new file mode 100644
index 00000000000..f7c39f88bdb
--- /dev/null
+++ b/queue-5.15/soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch
@@ -0,0 +1,35 @@
+From c9f1efabf8e3b3ff886a42669f7093789dbeca94 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Sun, 13 Oct 2024 15:29:17 +0200
+Subject: soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting()
+
+From: Javier Carrasco
+
+commit c9f1efabf8e3b3ff886a42669f7093789dbeca94 upstream.
+
+of_find_compatible_node() requires a call to of_node_put() when the
+pointer to the node is not required anymore to decrement its refcount
+and avoid leaking memory.
+
+Add the missing call to of_node_put() after the node has been used.
+
+Cc: stable@vger.kernel.org
+Fixes: e95f287deed2 ("soc: fsl: handle RCPM errata A-008646 on SoC LS1021A")
+Signed-off-by: Javier Carrasco
+Link: https://lore.kernel.org/r/20241013-rcpm-of_node_put-v1-1-9a8e55a01eae@gmail.com
+Signed-off-by: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/fsl/rcpm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/soc/fsl/rcpm.c
++++ b/drivers/soc/fsl/rcpm.c
+@@ -36,6 +36,7 @@ static void copy_ippdexpcr1_setting(u32
+ return;
+
+ regs = of_iomap(np, 0);
++ of_node_put(np);
+ if (!regs)
+ return;
+
diff --git a/queue-5.15/spi-fix-acpi-deferred-irq-probe.patch b/queue-5.15/spi-fix-acpi-deferred-irq-probe.patch
new file mode 100644
index 00000000000..e0aea4b3d92
--- /dev/null
+++ b/queue-5.15/spi-fix-acpi-deferred-irq-probe.patch
@@ -0,0 +1,63 @@
+From d24cfee7f63d6b44d45a67c5662bd1cc48e8b3ca Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka
+Date: Fri, 22 Nov 2024 10:42:24 +0100
+Subject: spi: Fix acpi deferred irq probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stanislaw Gruszka
+
+commit d24cfee7f63d6b44d45a67c5662bd1cc48e8b3ca upstream.
+
+When probing spi device take care of deferred probe of ACPI irq gpio
+similar like for OF/DT case.
+
+>From practical standpoint this fixes issue with vsc-tp driver on
+Dell XP 9340 laptop, which try to request interrupt with spi->irq
+equal to -EPROBE_DEFER and fail to probe with the following error:
+
+vsc-tp spi-INTC10D0:00: probe with driver vsc-tp failed with error -22
+
+Suggested-by: Hans de Goede
+Fixes: 33ada67da352 ("ACPI / spi: attach GPIO IRQ from ACPI description to SPI device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka
+Reviewed-by: Hans de Goede
+Tested-by: Alexis Lothoré # Dell XPS9320, ov01a10
+Link: https://patch.msgid.link/20241122094224.226773-1-stanislaw.gruszka@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -400,6 +400,16 @@ static int spi_probe(struct device *dev)
+ spi->irq = 0;
+ }
+
++ if (has_acpi_companion(dev) && spi->irq < 0) {
++ struct acpi_device *adev = to_acpi_device_node(dev->fwnode);
++
++ spi->irq = acpi_dev_gpio_irq_get(adev, 0);
++ if (spi->irq == -EPROBE_DEFER)
++ return -EPROBE_DEFER;
++ if (spi->irq < 0)
++ spi->irq = 0;
++ }
++
+ ret = dev_pm_domain_attach(dev, true);
+ if (ret)
+ return ret;
+@@ -2406,9 +2416,6 @@ static acpi_status acpi_register_spi_dev
+ acpi_set_modalias(adev, acpi_device_hid(adev), spi->modalias,
+ sizeof(spi->modalias));
+
+- if (spi->irq < 0)
+- spi->irq = acpi_dev_gpio_irq_get(adev, 0);
+-
+ acpi_device_set_enumerated(adev);
+
+ adev->power.flags.ignore_parent = true;
diff --git a/queue-5.15/ubi-wl-put-source-peb-into-correct-list-if-trying-locking-leb-failed.patch b/queue-5.15/ubi-wl-put-source-peb-into-correct-list-if-trying-locking-leb-failed.patch
new file mode 100644
index 00000000000..2d7f834cacd
--- /dev/null
+++ b/queue-5.15/ubi-wl-put-source-peb-into-correct-list-if-trying-locking-leb-failed.patch
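Review bot: The new ACPI branch in `spi_probe()` relies on `spi->irq` still being negative when probe runs, which after the removal in `acpi_register_spi_device()` is how an unresolved GPIO interrupt is signalled, and nothing in the code says so. A comment above the `if` would keep a later cleanup from normalising the value earlier: `/* irq < 0: ACPI GPIO interrupt not resolved at enumeration; look it up here so -EPROBE_DEFER can be returned */`. Both functions start and end outside their hunks, so where `spi->irq` is first set to a negative value is not visible here and should be checked against the 5.15 tree.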
@@ -0,0 +1,61 @@
+From d610020f030bec819f42de327c2bd5437d2766b3 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng
+Date: Mon, 19 Aug 2024 11:26:21 +0800
+Subject: ubi: wl: Put source PEB into correct list if trying locking LEB failed
+
+From: Zhihao Cheng
+
+commit d610020f030bec819f42de327c2bd5437d2766b3 upstream.
+
+During wear-leveing work, the source PEB will be moved into scrub list
+when source LEB cannot be locked in ubi_eba_copy_leb(), which is wrong
+for non-scrub type source PEB. The problem could bring extra and
+ineffective wear-leveing jobs, which makes more or less negative effects
+for the life time of flash. Specifically, the process is divided 2 steps:
+1. wear_leveling_worker // generate false scrub type PEB
+ ubi_eba_copy_leb // MOVE_RETRY is returned
+ leb_write_trylock // trylock failed
+ scrubbing = 1;
+ e1 is put into ubi->scrub
+2. wear_leveling_worker // schedule false scrub type PEB for wl
+ scrubbing = 1
+ e1 = rb_entry(rb_first(&ubi->scrub))
+
+The problem can be reproduced easily by running fsstress on a small
+UBIFS partition(<64M, simulated by nandsim) for 5~10mins
+(CONFIG_MTD_UBI_FASTMAP=y,CONFIG_MTD_UBI_WL_THRESHOLD=50). Following
+message is shown:
+ ubi0: scrubbed PEB 66 (LEB 0:10), data moved to PEB 165
+
+Since scrub type source PEB has set variable scrubbing as '1', and
+variable scrubbing is checked before variable keep, so the problem can
+be fixed by setting keep variable as 1 directly if the source LEB cannot
+be locked.
+
+Fixes: e801e128b220 ("UBI: fix missing scrub when there is a bit-flip")
+CC: stable@vger.kernel.org
+Signed-off-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/ubi/wl.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -830,7 +830,14 @@ static int wear_leveling_worker(struct u
+ goto out_not_moved;
+ }
+ if (err == MOVE_RETRY) {
+- scrubbing = 1;
++ /*
++ * For source PEB:
++ * 1. The scrubbing is set for scrub type PEB, it will
++ * be put back into ubi->scrub list.
++ * 2. Non-scrub type PEB will be put back into ubi->used
++ * list.
++ */
++ keep = 1;
+ dst_leb_clean = 1;
+ goto out_not_moved;
+ }
diff --git a/queue-5.15/um-net-do-not-use-drvdata-in-release.patch b/queue-5.15/um-net-do-not-use-drvdata-in-release.patch
new file mode 100644
index 00000000000..c525b7f4f34
--- /dev/null
+++ b/queue-5.15/um-net-do-not-use-drvdata-in-release.patch
@@ -0,0 +1,74 @@
+From d1db692a9be3b4bd3473b64fcae996afaffe8438 Mon Sep 17 00:00:00 2001
+From: Tiwei Bie
+Date: Tue, 5 Nov 2024 00:32:02 +0800
+Subject: um: net: Do not use drvdata in release
+
+From: Tiwei Bie
+
+commit d1db692a9be3b4bd3473b64fcae996afaffe8438 upstream.
+
+The drvdata is not available in release. Let's just use container_of()
+to get the uml_net instance. Otherwise, removing a network device will
+result in a crash:
+
+RIP: 0033:net_device_release+0x10/0x6f
+RSP: 00000000e20c7c40 EFLAGS: 00010206
+RAX: 000000006002e4e7 RBX: 00000000600f1baf RCX: 00000000624074e0
+RDX: 0000000062778000 RSI: 0000000060551c80 RDI: 00000000627af028
+RBP: 00000000e20c7c50 R08: 00000000603ad594 R09: 00000000e20c7b70
+R10: 000000000000135a R11: 00000000603ad422 R12: 0000000000000000
+R13: 0000000062c7af00 R14: 0000000062406d60 R15: 00000000627700b6
+Kernel panic - not syncing: Segfault with no mm
+CPU: 0 UID: 0 PID: 29 Comm: kworker/0:2 Not tainted 6.12.0-rc6-g59b723cd2adb #1
+Workqueue: events mc_work_proc
+Stack:
+ 627af028 62c7af00 e20c7c80 60276fcd
+ 62778000 603f5820 627af028 00000000
+ e20c7cb0 603a2bcd 627af000 62770010
+Call Trace:
+ [<60276fcd>] device_release+0x70/0xba
+ [<603a2bcd>] kobject_put+0xba/0xe7
+ [<60277265>] put_device+0x19/0x1c
+ [<60281266>] platform_device_put+0x26/0x29
+ [<60281e5f>] platform_device_unregister+0x2c/0x2e
+ [<6002ec9c>] net_remove+0x63/0x69
+ [<60031316>] ? mconsole_reply+0x0/0x50
+ [<600310c8>] mconsole_remove+0x160/0x1cc
+ [<60087d40>] ? __remove_hrtimer+0x38/0x74
+ [<60087ff8>] ? hrtimer_try_to_cancel+0x8c/0x98
+ [<6006b3cf>] ? dl_server_stop+0x3f/0x48
+ [<6006b390>] ? dl_server_stop+0x0/0x48
+ [<600672e8>] ? dequeue_entities+0x327/0x390
+ [<60038fa6>] ? um_set_signals+0x0/0x43
+ [<6003070c>] mc_work_proc+0x77/0x91
+ [<60057664>] process_scheduled_works+0x1b3/0x2dd
+ [<60055f32>] ? assign_work+0x0/0x58
+ [<60057f0a>] worker_thread+0x1e9/0x293
+ [<6005406f>] ? set_pf_worker+0x0/0x64
+ [<6005d65d>] ? arch_local_irq_save+0x0/0x2d
+ [<6005d748>] ? kthread_exit+0x0/0x3a
+ [<60057d21>] ? worker_thread+0x0/0x293
+ [<6005dbf1>] kthread+0x126/0x12b
+ [<600219c5>] new_thread_handler+0x85/0xb6
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tiwei Bie
+Acked-By: Anton Ivanov
+Link: https://patch.msgid.link/20241104163203.435515-4-tiwei.btw@antgroup.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/um/drivers/net_kern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/um/drivers/net_kern.c
++++ b/arch/um/drivers/net_kern.c
+@@ -335,7 +335,7 @@ static struct platform_driver uml_net_dr
+
+ static void net_device_release(struct device *dev)
+ {
+- struct uml_net *device = dev_get_drvdata(dev);
++ struct uml_net *device = container_of(dev, struct uml_net, pdev.dev);
+ struct net_device *netdev = device->dev;
+ struct uml_net_private *lp = netdev_priv(netdev);
+
diff --git a/queue-5.15/um-ubd-do-not-use-drvdata-in-release.patch b/queue-5.15/um-ubd-do-not-use-drvdata-in-release.patch
new file mode 100644
index 00000000000..571922ced21
--- /dev/null
+++ b/queue-5.15/um-ubd-do-not-use-drvdata-in-release.patch
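Review bot: `net_device_release()` gives no hint why it derives the object with `container_of()` rather than the usual `dev_get_drvdata()`, so a later cleanup could switch it back and reintroduce the crash quoted in the commit message. A one-line comment above the assignment would pin the reason down: `/* drvdata is no longer available in ->release(); use the embedding uml_net */`. The same applies to `ubd_device_release()` and `vector_device_release()` in the two patches that follow. All three function bodies continue beyond their hunks.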
@@ -0,0 +1,78 @@
+From 5bee35e5389f450a7eea7318deb9073e9414d3b1 Mon Sep 17 00:00:00 2001
+From: Tiwei Bie
+Date: Tue, 5 Nov 2024 00:32:01 +0800
+Subject: um: ubd: Do not use drvdata in release
+
+From: Tiwei Bie
+
+commit 5bee35e5389f450a7eea7318deb9073e9414d3b1 upstream.
+
+The drvdata is not available in release. Let's just use container_of()
+to get the ubd instance. Otherwise, removing a ubd device will result
+in a crash:
+
+RIP: 0033:blk_mq_free_tag_set+0x1f/0xba
+RSP: 00000000e2083bf0 EFLAGS: 00010246
+RAX: 000000006021463a RBX: 0000000000000348 RCX: 0000000062604d00
+RDX: 0000000004208060 RSI: 00000000605241a0 RDI: 0000000000000348
+RBP: 00000000e2083c10 R08: 0000000062414010 R09: 00000000601603f7
+R10: 000000000000133a R11: 000000006038c4bd R12: 0000000000000000
+R13: 0000000060213a5c R14: 0000000062405d20 R15: 00000000604f7aa0
+Kernel panic - not syncing: Segfault with no mm
+CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 6.8.0-rc3-00107-gba3f67c11638 #1
+Workqueue: events mc_work_proc
+Stack:
+ 00000000 604f7ef0 62c5d000 62405d20
+ e2083c30 6002c776 6002c755 600e47ff
+ e2083c60 6025ffe3 04208060 603d36e0
+Call Trace:
+ [<6002c776>] ubd_device_release+0x21/0x55
+ [<6002c755>] ? ubd_device_release+0x0/0x55
+ [<600e47ff>] ? kfree+0x0/0x100
+ [<6025ffe3>] device_release+0x70/0xba
+ [<60381d6a>] kobject_put+0xb5/0xe2
+ [<6026027b>] put_device+0x19/0x1c
+ [<6026a036>] platform_device_put+0x26/0x29
+ [<6026ac5a>] platform_device_unregister+0x2c/0x2e
+ [<6002c52e>] ubd_remove+0xb8/0xd6
+ [<6002bb74>] ? mconsole_reply+0x0/0x50
+ [<6002b926>] mconsole_remove+0x160/0x1cc
+ [<6002bbbc>] ? mconsole_reply+0x48/0x50
+ [<6003379c>] ? um_set_signals+0x3b/0x43
+ [<60061c55>] ? update_min_vruntime+0x14/0x70
+ [<6006251f>] ? dequeue_task_fair+0x164/0x235
+ [<600620aa>] ? update_cfs_group+0x0/0x40
+ [<603a0e77>] ? __schedule+0x0/0x3ed
+ [<60033761>] ? um_set_signals+0x0/0x43
+ [<6002af6a>] mc_work_proc+0x77/0x91
+ [<600520b4>] process_scheduled_works+0x1af/0x2c3
+ [<6004ede3>] ? assign_work+0x0/0x58
+ [<600527a1>] worker_thread+0x2f7/0x37a
+ [<6004ee3b>] ? set_pf_worker+0x0/0x64
+ [<6005765d>] ? arch_local_irq_save+0x0/0x2d
+ [<60058e07>] ? kthread_exit+0x0/0x3a
+ [<600524aa>] ? worker_thread+0x0/0x37a
+ [<60058f9f>] kthread+0x130/0x135
+ [<6002068e>] new_thread_handler+0x85/0xb6
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tiwei Bie
+Acked-By: Anton Ivanov
+Link: https://patch.msgid.link/20241104163203.435515-3-tiwei.btw@antgroup.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/um/drivers/ubd_kern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -814,7 +814,7 @@ static int ubd_open_dev(struct ubd *ubd_
+
+ static void ubd_device_release(struct device *dev)
+ {
+- struct ubd *ubd_dev = dev_get_drvdata(dev);
++ struct ubd *ubd_dev = container_of(dev, struct ubd, pdev.dev);
+
+ blk_mq_free_tag_set(&ubd_dev->tag_set);
+ *ubd_dev = ((struct ubd) DEFAULT_UBD);
diff --git a/queue-5.15/um-vector-do-not-use-drvdata-in-release.patch b/queue-5.15/um-vector-do-not-use-drvdata-in-release.patch
new file mode 100644
index 00000000000..62d253e369d
--- /dev/null
+++ b/queue-5.15/um-vector-do-not-use-drvdata-in-release.patch
@@ -0,0 +1,75 @@
+From 51b39d741970742a5c41136241a9c48ac607cf82 Mon Sep 17 00:00:00 2001
+From: Tiwei Bie
+Date: Tue, 5 Nov 2024 00:32:03 +0800
+Subject: um: vector: Do not use drvdata in release
+
+From: Tiwei Bie
+
+commit 51b39d741970742a5c41136241a9c48ac607cf82 upstream.
+
+The drvdata is not available in release. Let's just use container_of()
+to get the vector_device instance. Otherwise, removing a vector device
+will result in a crash:
+
+RIP: 0033:vector_device_release+0xf/0x50
+RSP: 00000000e187bc40 EFLAGS: 00010202
+RAX: 0000000060028f61 RBX: 00000000600f1baf RCX: 00000000620074e0
+RDX: 000000006220b9c0 RSI: 0000000060551c80 RDI: 0000000000000000
+RBP: 00000000e187bc50 R08: 00000000603ad594 R09: 00000000e187bb70
+R10: 000000000000135a R11: 00000000603ad422 R12: 00000000623ae028
+R13: 000000006287a200 R14: 0000000062006d30 R15: 00000000623700b6
+Kernel panic - not syncing: Segfault with no mm
+CPU: 0 UID: 0 PID: 16 Comm: kworker/0:1 Not tainted 6.12.0-rc6-g59b723cd2adb #1
+Workqueue: events mc_work_proc
+Stack:
+ 60028f61 623ae028 e187bc80 60276fcd
+ 6220b9c0 603f5820 623ae028 00000000
+ e187bcb0 603a2bcd 623ae000 62370010
+Call Trace:
+ [<60028f61>] ? vector_device_release+0x0/0x50
+ [<60276fcd>] device_release+0x70/0xba
+ [<603a2bcd>] kobject_put+0xba/0xe7
+ [<60277265>] put_device+0x19/0x1c
+ [<60281266>] platform_device_put+0x26/0x29
+ [<60281e5f>] platform_device_unregister+0x2c/0x2e
+ [<60029422>] vector_remove+0x52/0x58
+ [<60031316>] ? mconsole_reply+0x0/0x50
+ [<600310c8>] mconsole_remove+0x160/0x1cc
+ [<603b19f4>] ? strlen+0x0/0x15
+ [<60066611>] ? __dequeue_entity+0x1a9/0x206
+ [<600666a7>] ? set_next_entity+0x39/0x63
+ [<6006666e>] ? set_next_entity+0x0/0x63
+ [<60038fa6>] ? um_set_signals+0x0/0x43
+ [<6003070c>] mc_work_proc+0x77/0x91
+ [<60057664>] process_scheduled_works+0x1b3/0x2dd
+ [<60055f32>] ? assign_work+0x0/0x58
+ [<60057f0a>] worker_thread+0x1e9/0x293
+ [<6005406f>] ? set_pf_worker+0x0/0x64
+ [<6005d65d>] ? arch_local_irq_save+0x0/0x2d
+ [<6005d748>] ? kthread_exit+0x0/0x3a
+ [<60057d21>] ? worker_thread+0x0/0x293
+ [<6005dbf1>] kthread+0x126/0x12b
+ [<600219c5>] new_thread_handler+0x85/0xb6
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tiwei Bie
+Acked-By: Anton Ivanov
+Link: https://patch.msgid.link/20241104163203.435515-5-tiwei.btw@antgroup.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/um/drivers/vector_kern.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/um/drivers/vector_kern.c
++++ b/arch/um/drivers/vector_kern.c
+@@ -826,7 +826,8 @@ static struct platform_driver uml_net_dr
+
+ static void vector_device_release(struct device *dev)
+ {
+- struct vector_device *device = dev_get_drvdata(dev);
++ struct vector_device *device =
++ container_of(dev, struct vector_device, pdev.dev);
+ struct net_device *netdev = device->dev;
+
+ list_del(&device->list);