From: Greg Kroah-Hartman Date: Mon, 24 Mar 2025 16:11:59 +0000 (-0700) Subject: 5.10-stable patches X-Git-Tag: v6.1.132~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a280ae1a11236f74712089c58bf373dd62b475c6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch i2c-omap-fix-irq-storms.patch mmc-atmel-mci-add-missing-clk_disable_unprepare.patch proc-fix-uaf-in-proc_get_inode.patch regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch soc-qcom-pdr-fix-the-potential-deadlock.patch --- diff --git a/queue-5.10/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch b/queue-5.10/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch new file mode 100644 index 0000000000..b8298def33 --- /dev/null +++ b/queue-5.10/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch @@ -0,0 +1,42 @@ +From 379c590113ce46f605439d4887996c60ab8820cc Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 10 Mar 2025 14:12:20 +0100 +Subject: ARM: shmobile: smp: Enforce shmobile_smp_* alignment + +From: Geert Uytterhoeven + +commit 379c590113ce46f605439d4887996c60ab8820cc upstream. + +When the addresses of the shmobile_smp_mpidr, shmobile_smp_fn, and +shmobile_smp_arg variables are not multiples of 4 bytes, secondary CPU +bring-up fails: + + smp: Bringing up secondary CPUs ... + CPU1: failed to come online + CPU2: failed to come online + CPU3: failed to come online + smp: Brought up 1 node, 1 CPU + +Fix this by adding the missing alignment directive. + +Fixes: 4e960f52fce16a3b ("ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss") +Closes: https://lore.kernel.org/r/CAMuHMdU=QR-JLgEHKWpsr6SbaZRc-Hz9r91JfpP8c3n2G-OjqA@mail.gmail.com +Signed-off-by: Geert Uytterhoeven +Tested-by: Lad Prabhakar +Link: https://lore.kernel.org/c499234d559a0d95ad9472883e46077311051cd8.1741612208.git.geert+renesas@glider.be +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-shmobile/headsmp.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-shmobile/headsmp.S ++++ b/arch/arm/mach-shmobile/headsmp.S +@@ -136,6 +136,7 @@ ENDPROC(shmobile_smp_sleep) + .long shmobile_smp_arg - 1b + + .bss ++ .align 2 + .globl shmobile_smp_mpidr + shmobile_smp_mpidr: + .space NR_CPUS * 4 diff --git a/queue-5.10/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch b/queue-5.10/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch new file mode 100644 index 0000000000..05f8e1c12c --- /dev/null +++ b/queue-5.10/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch @@ -0,0 +1,85 @@ +From ffcef3df680c437ca33ff434be18ec24d72907c2 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Sun, 2 Mar 2025 19:48:04 +0100 +Subject: arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi + +From: Dragan Simic + +commit ffcef3df680c437ca33ff434be18ec24d72907c2 upstream. + +Add missing "vpcie0v9-supply" and "vpcie1v8-supply" properties to the "pcie0" +node in the Pine64 RockPro64 board dtsi file. This eliminates the following +warnings from the kernel log: + + rockchip-pcie f8000000.pcie: supply vpcie1v8 not found, using dummy regulator + rockchip-pcie f8000000.pcie: supply vpcie0v9 not found, using dummy regulator + +These additions improve the accuracy of hardware description of the RockPro64 +and, in theory, they should result in no functional changes to the way board +works after the changes, because the "vcca_0v9" and "vcca_1v8" regulators are +always enabled. [1][2] However, extended reliability testing, performed by +Chris, [3] has proven that the age-old issues with some PCI Express cards, +when used with a Pine64 RockPro64, are also resolved. + +Those issues were already mentioned in the commit 43853e843aa6 (arm64: dts: +rockchip: Remove unsupported node from the Pinebook Pro dts, 2024-04-01), +together with a brief description of the out-of-tree enumeration delay patch +that reportedly resolves those issues. In a nutshell, booting a RockPro64 +with some PCI Express cards attached to it caused a kernel oops. [4] + +Symptomatically enough, to the commit author's best knowledge, only the Pine64 +RockPro64, out of all RK3399-based boards and devices supported upstream, has +been reported to suffer from those PCI Express issues, and only the RockPro64 +had some of the PCI Express supplies missing in its DT. Thus, perhaps some +weird timing issues exist that caused the "vcca_1v8" always-on regulator, +which is part of the RK808 PMIC, to actually not be enabled before the PCI +Express is initialized and enumerated on the RockPro64, causing oopses with +some PCIe cards, and the aforementioned enumeration delay patch [4] probably +acted as just a workaround for the underlying timing issue. + +Admittedly, the Pine64 RockPro64 is a bit specific board by having a standard +PCI Express slot, allowing use of various standard cards, but pretty much +standard PCI Express cards have been attached to other RK3399 boards as well, +and the commit author is unaware ot such issues reported for them. + +It's quite hard to be sure that the PCI Express issues are fully resolved by +these additions to the DT, without some really extensive and time-consuming +testing. However, these additions to the DT can result in good things and +improvements anyway, making them perfectly safe from the standpoint of being +unable to do any harm or cause some unforeseen regressions. + +These changes apply to the both supported hardware revisions of the Pine64 +RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] + +[1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf +[2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf +[3] https://z9.de/hedgedoc/s/nF4d5G7rg#reboot-tests-for-PCIe-improvements +[4] https://lore.kernel.org/lkml/20230509153912.515218-1-vincenzopalazzodev@gmail.com/T/#u + +Fixes: bba821f5479e ("arm64: dts: rockchip: add PCIe nodes on rk3399-rockpro64") +Cc: stable@vger.kernel.org +Cc: Vincenzo Palazzo +Cc: Peter Geis +Cc: Bjorn Helgaas +Reported-by: Diederik de Haas +Tested-by: Chris Vogel +Signed-off-by: Dragan Simic +Tested-by: Diederik de Haas +Link: https://lore.kernel.org/r/b39cfd7490d8194f053bf3971f13a43472d1769e.1740941097.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +@@ -546,6 +546,8 @@ + num-lanes = <4>; + pinctrl-names = "default"; + pinctrl-0 = <&pcie_perst>; ++ vpcie0v9-supply = <&vcca_0v9>; ++ vpcie1v8-supply = <&vcca_1v8>; + vpcie12v-supply = <&vcc12v_dcin>; + vpcie3v3-supply = <&vcc3v3_pcie>; + status = "okay"; diff --git a/queue-5.10/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch b/queue-5.10/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch new file mode 100644 index 0000000000..8a4897ef7e --- /dev/null +++ b/queue-5.10/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch @@ -0,0 +1,56 @@ +From 548b0c5de7619ef53bbde5590700693f2f6d2a56 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sun, 2 Feb 2025 17:04:13 +0100 +Subject: batman-adv: Ignore own maximum aggregation size during RX + +From: Sven Eckelmann + +commit 548b0c5de7619ef53bbde5590700693f2f6d2a56 upstream. + +An OGMv1 and OGMv2 packet receive processing were not only limited by the +number of bytes in the received packet but also by the nodes maximum +aggregation packet size limit. But this limit is relevant for TX and not +for RX. It must not be enforced by batadv_(i)v_ogm_aggr_packet to avoid +loss of information in case of a different limit for sender and receiver. + +This has a minor side effect for B.A.T.M.A.N. IV because the +batadv_iv_ogm_aggr_packet is also used for the preprocessing for the TX. +But since the aggregation code itself will not allow more than +BATADV_MAX_AGGREGATION_BYTES bytes, this check was never triggering (in +this context) prior of removing it. + +Cc: stable@vger.kernel.org +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 3 +-- + net/batman-adv/bat_v_ogm.c | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -326,8 +326,7 @@ batadv_iv_ogm_aggr_packet(int buff_pos, + /* check if there is enough space for the optional TVLV */ + next_buff_pos += ntohs(ogm_packet->tvlv_len); + +- return (next_buff_pos <= packet_len) && +- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); ++ return next_buff_pos <= packet_len; + } + + /* send a batman ogm to a given interface */ +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -850,8 +850,7 @@ batadv_v_ogm_aggr_packet(int buff_pos, i + /* check if there is enough space for the optional TVLV */ + next_buff_pos += ntohs(ogm2_packet->tvlv_len); + +- return (next_buff_pos <= packet_len) && +- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); ++ return next_buff_pos <= packet_len; + } + + /** diff --git a/queue-5.10/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch b/queue-5.10/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch new file mode 100644 index 0000000000..3195f1a634 --- /dev/null +++ b/queue-5.10/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch @@ -0,0 +1,44 @@ +From dd8689b52a24807c2d5ce0a17cb26dc87f75235c Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Tue, 11 Mar 2025 14:14:59 +0300 +Subject: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() + +From: Nikita Zhandarovich + +commit dd8689b52a24807c2d5ce0a17cb26dc87f75235c upstream. + +On the off chance that command stream passed from userspace via +ioctl() call to radeon_vce_cs_parse() is weirdly crafted and +first command to execute is to encode (case 0x03000001), the function +in question will attempt to call radeon_vce_cs_reloc() with size +argument that has not been properly initialized. Specifically, 'size' +will point to 'tmp' variable before the latter had a chance to be +assigned any value. + +Play it safe and init 'tmp' with 0, thus ensuring that +radeon_vce_cs_reloc() will catch an early error in cases like these. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_vce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_vce.c ++++ b/drivers/gpu/drm/radeon/radeon_vce.c +@@ -558,7 +558,7 @@ int radeon_vce_cs_parse(struct radeon_cs + { + int session_idx = -1; + bool destroyed = false, created = false, allocated = false; +- uint32_t tmp, handle = 0; ++ uint32_t tmp = 0, handle = 0; + uint32_t *size = &tmp; + int i, r = 0; + diff --git a/queue-5.10/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch b/queue-5.10/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch new file mode 100644 index 0000000000..b1699992b8 --- /dev/null +++ b/queue-5.10/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch @@ -0,0 +1,68 @@ +From 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ma=C3=ADra=20Canal?= +Date: Thu, 13 Mar 2025 11:43:26 -0300 +Subject: drm/v3d: Don't run jobs that have errors flagged in its fence +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +commit 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 upstream. + +The V3D driver still relies on `drm_sched_increase_karma()` and +`drm_sched_resubmit_jobs()` for resubmissions when a timeout occurs. +The function `drm_sched_increase_karma()` marks the job as guilty, while +`drm_sched_resubmit_jobs()` sets an error (-ECANCELED) in the DMA fence of +that guilty job. + +Because of this, we must check whether the job’s DMA fence has been +flagged with an error before executing the job. Otherwise, the same guilty +job may be resubmitted indefinitely, causing repeated GPU resets. + +This patch adds a check for an error on the job's fence to prevent running +a guilty job that was previously flagged when the GPU timed out. + +Note that the CPU and CACHE_CLEAN queues do not require this check, as +their jobs are executed synchronously once the DRM scheduler starts them. + +Cc: stable@vger.kernel.org +Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.") +Fixes: 1584f16ca96e ("drm/v3d: Add support for submitting jobs to the TFU.") +Reviewed-by: Iago Toral Quiroga +Signed-off-by: Maíra Canal +Link: https://patchwork.freedesktop.org/patch/msgid/20250313-v3d-gpu-reset-fixes-v4-1-c1e780d8e096@igalia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/v3d/v3d_sched.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/v3d/v3d_sched.c ++++ b/drivers/gpu/drm/v3d/v3d_sched.c +@@ -188,11 +188,15 @@ v3d_tfu_job_run(struct drm_sched_job *sc + struct drm_device *dev = &v3d->drm; + struct dma_fence *fence; + ++ if (unlikely(job->base.base.s_fence->finished.error)) ++ return NULL; ++ ++ v3d->tfu_job = job; ++ + fence = v3d_fence_create(v3d, V3D_TFU); + if (IS_ERR(fence)) + return NULL; + +- v3d->tfu_job = job; + if (job->base.irq_fence) + dma_fence_put(job->base.irq_fence); + job->base.irq_fence = dma_fence_get(fence); +@@ -226,6 +230,9 @@ v3d_csd_job_run(struct drm_sched_job *sc + struct dma_fence *fence; + int i; + ++ if (unlikely(job->base.base.s_fence->finished.error)) ++ return NULL; ++ + v3d->csd_job = job; + + v3d_invalidate_caches(v3d); diff --git a/queue-5.10/i2c-omap-fix-irq-storms.patch b/queue-5.10/i2c-omap-fix-irq-storms.patch new file mode 100644 index 0000000000..ff9f8f6694 --- /dev/null +++ b/queue-5.10/i2c-omap-fix-irq-storms.patch @@ -0,0 +1,112 @@ +From 285df995f90e3d61d97f327d34b9659d92313314 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Fri, 28 Feb 2025 15:04:20 +0100 +Subject: i2c: omap: fix IRQ storms + +From: Andreas Kemnade + +commit 285df995f90e3d61d97f327d34b9659d92313314 upstream. + +On the GTA04A5 writing a reset command to the gyroscope causes IRQ +storms because NACK IRQs are enabled and therefore triggered but not +acked. + +Sending a reset command to the gyroscope by +i2cset 1 0x69 0x14 0xb6 +with an additional debug print in the ISR (not the thread) itself +causes + +[ 363.353515] i2c i2c-1: ioctl, cmd=0x720, arg=0xbe801b00 +[ 363.359039] omap_i2c 48072000.i2c: addr: 0x0069, len: 2, flags: 0x0, stop: 1 +[ 363.366180] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x1110) +[ 363.371673] omap_i2c 48072000.i2c: IRQ (ISR = 0x0010) +[ 363.376892] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102) +[ 363.382263] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102) +[ 363.387664] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102) +repeating till infinity +[...] +(0x2 = NACK, 0x100 = Bus free, which is not enabled) +Apparently no other IRQ bit gets set, so this stalls. + +Do not ignore enabled interrupts and make sure they are acked. +If the NACK IRQ is not needed, it should simply not enabled, but +according to the above log, caring about it is necessary unless +the Bus free IRQ is enabled and handled. The assumption that is +will always come with a ARDY IRQ, which was the idea behind +ignoring it, proves wrong. +It is true for simple reads from an unused address. + +To still avoid the i2cdetect trouble which is the reason for +commit c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"), +avoid doing much about NACK in omap_i2c_xfer_data() which is used +by both IRQ mode and polling mode, so also the false detection fix +is extended to polling usage and IRQ storms are avoided. + +By changing this, the hardirq handler is not needed anymore to filter +stuff. + +The mentioned gyro reset now just causes a -ETIMEDOUT instead of +hanging the system. + +Fixes: c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"). +CC: stable@kernel.org +Signed-off-by: Andreas Kemnade +Tested-by: Nishanth Menon +Reviewed-by: Aniket Limaye +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250228140420.379498-1-andreas@kemnade.info +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-omap.c | 26 +++++++------------------- + 1 file changed, 7 insertions(+), 19 deletions(-) + +--- a/drivers/i2c/busses/i2c-omap.c ++++ b/drivers/i2c/busses/i2c-omap.c +@@ -1049,23 +1049,6 @@ static int omap_i2c_transmit_data(struct + return 0; + } + +-static irqreturn_t +-omap_i2c_isr(int irq, void *dev_id) +-{ +- struct omap_i2c_dev *omap = dev_id; +- irqreturn_t ret = IRQ_HANDLED; +- u16 mask; +- u16 stat; +- +- stat = omap_i2c_read_reg(omap, OMAP_I2C_STAT_REG); +- mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG) & ~OMAP_I2C_STAT_NACK; +- +- if (stat & mask) +- ret = IRQ_WAKE_THREAD; +- +- return ret; +-} +- + static int omap_i2c_xfer_data(struct omap_i2c_dev *omap) + { + u16 bits; +@@ -1096,8 +1079,13 @@ static int omap_i2c_xfer_data(struct oma + } + + if (stat & OMAP_I2C_STAT_NACK) { +- err |= OMAP_I2C_STAT_NACK; ++ omap->cmd_err |= OMAP_I2C_STAT_NACK; + omap_i2c_ack_stat(omap, OMAP_I2C_STAT_NACK); ++ ++ if (!(stat & ~OMAP_I2C_STAT_NACK)) { ++ err = -EAGAIN; ++ break; ++ } + } + + if (stat & OMAP_I2C_STAT_AL) { +@@ -1475,7 +1463,7 @@ omap_i2c_probe(struct platform_device *p + IRQF_NO_SUSPEND, pdev->name, omap); + else + r = devm_request_threaded_irq(&pdev->dev, omap->irq, +- omap_i2c_isr, omap_i2c_isr_thread, ++ NULL, omap_i2c_isr_thread, + IRQF_NO_SUSPEND | IRQF_ONESHOT, + pdev->name, omap); + diff --git a/queue-5.10/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch b/queue-5.10/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch new file mode 100644 index 0000000000..93a618fb4f --- /dev/null +++ b/queue-5.10/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch @@ -0,0 +1,39 @@ +From e51a349d2dcf1df8422dabb90b2f691dc7df6f92 Mon Sep 17 00:00:00 2001 +From: Gu Bowen +Date: Tue, 25 Feb 2025 10:28:56 +0800 +Subject: mmc: atmel-mci: Add missing clk_disable_unprepare() + +From: Gu Bowen + +commit e51a349d2dcf1df8422dabb90b2f691dc7df6f92 upstream. + +The error path when atmci_configure_dma() set dma fails in atmci driver +does not correctly disable the clock. +Add the missing clk_disable_unprepare() to the error path for pair with +clk_prepare_enable(). + +Fixes: 467e081d23e6 ("mmc: atmel-mci: use probe deferring if dma controller is not ready yet") +Signed-off-by: Gu Bowen +Acked-by: Aubin Constans +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250225022856.3452240-1-gubowen5@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/atmel-mci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/atmel-mci.c ++++ b/drivers/mmc/host/atmel-mci.c +@@ -2507,8 +2507,10 @@ static int atmci_probe(struct platform_d + /* Get MCI capabilities and set operations according to it */ + atmci_get_cap(host); + ret = atmci_configure_dma(host); +- if (ret == -EPROBE_DEFER) ++ if (ret == -EPROBE_DEFER) { ++ clk_disable_unprepare(host->mck); + goto err_dma_probe_defer; ++ } + if (ret == 0) { + host->prepare_data = &atmci_prepare_data_dma; + host->submit_data = &atmci_submit_data_dma; diff --git a/queue-5.10/proc-fix-uaf-in-proc_get_inode.patch b/queue-5.10/proc-fix-uaf-in-proc_get_inode.patch new file mode 100644 index 0000000000..292a9145b7 --- /dev/null +++ b/queue-5.10/proc-fix-uaf-in-proc_get_inode.patch @@ -0,0 +1,177 @@ +From 654b33ada4ab5e926cd9c570196fefa7bec7c1df Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Sat, 1 Mar 2025 15:06:24 +0300 +Subject: proc: fix UAF in proc_get_inode() + +From: Ye Bin + +commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream. + +Fix race between rmmod and /proc/XXX's inode instantiation. + +The bug is that pde->proc_ops don't belong to /proc, it belongs to a +module, therefore dereferencing it after /proc entry has been registered +is a bug unless use_pde/unuse_pde() pair has been used. + +use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops +never changes so information necessary for inode instantiation can be +saved _before_ proc_register() in PDE itself and used later, avoiding +pde->proc_ops->... dereference. + + rmmod lookup +sys_delete_module + proc_lookup_de + pde_get(de); + proc_get_inode(dir->i_sb, de); + mod->exit() + proc_remove + remove_proc_subtree + proc_entry_rundown(de); + free_module(mod); + + if (S_ISREG(inode->i_mode)) + if (de->proc_ops->proc_read_iter) + --> As module is already freed, will trigger UAF + +BUG: unable to handle page fault for address: fffffbfff80a702b +PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 +Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) +RIP: 0010:proc_get_inode+0x302/0x6e0 +RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 +RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 +RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 +RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 +R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 +R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 +FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + proc_lookup_de+0x11f/0x2e0 + __lookup_slow+0x188/0x350 + walk_component+0x2ab/0x4f0 + path_lookupat+0x120/0x660 + filename_lookup+0x1ce/0x560 + vfs_statx+0xac/0x150 + __do_sys_newstat+0x96/0x110 + do_syscall_64+0x5f/0x170 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +[adobriyan@gmail.com: don't do 2 atomic ops on the common path] +Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183 +Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression") +Signed-off-by: Ye Bin +Signed-off-by: Alexey Dobriyan +Cc: Al Viro +Cc: David S. Miller +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/generic.c | 10 +++++++++- + fs/proc/inode.c | 6 +++--- + fs/proc/internal.h | 14 ++++++++++++++ + include/linux/proc_fs.h | 7 +++++-- + 4 files changed, 31 insertions(+), 6 deletions(-) + +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -563,10 +563,16 @@ struct proc_dir_entry *proc_create_reg(c + return p; + } + +-static inline void pde_set_flags(struct proc_dir_entry *pde) ++static void pde_set_flags(struct proc_dir_entry *pde) + { + if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) + pde->flags |= PROC_ENTRY_PERMANENT; ++ if (pde->proc_ops->proc_read_iter) ++ pde->flags |= PROC_ENTRY_proc_read_iter; ++#ifdef CONFIG_COMPAT ++ if (pde->proc_ops->proc_compat_ioctl) ++ pde->flags |= PROC_ENTRY_proc_compat_ioctl; ++#endif + } + + struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, +@@ -630,6 +636,7 @@ struct proc_dir_entry *proc_create_seq_p + p->proc_ops = &proc_seq_ops; + p->seq_ops = ops; + p->state_size = state_size; ++ pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_seq_private); +@@ -660,6 +667,7 @@ struct proc_dir_entry *proc_create_singl + return NULL; + p->proc_ops = &proc_single_ops; + p->single_show = show; ++ pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_single_data); +--- a/fs/proc/inode.c ++++ b/fs/proc/inode.c +@@ -684,13 +684,13 @@ struct inode *proc_get_inode(struct supe + + if (S_ISREG(inode->i_mode)) { + inode->i_op = de->proc_iops; +- if (de->proc_ops->proc_read_iter) ++ if (pde_has_proc_read_iter(de)) + inode->i_fop = &proc_iter_file_ops; + else + inode->i_fop = &proc_reg_file_ops; + #ifdef CONFIG_COMPAT +- if (de->proc_ops->proc_compat_ioctl) { +- if (de->proc_ops->proc_read_iter) ++ if (pde_has_proc_compat_ioctl(de)) { ++ if (pde_has_proc_read_iter(de)) + inode->i_fop = &proc_iter_file_ops_compat; + else + inode->i_fop = &proc_reg_file_ops_compat; +--- a/fs/proc/internal.h ++++ b/fs/proc/internal.h +@@ -79,6 +79,20 @@ static inline bool pde_is_permanent(cons + return pde->flags & PROC_ENTRY_PERMANENT; + } + ++static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde) ++{ ++ return pde->flags & PROC_ENTRY_proc_read_iter; ++} ++ ++static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde) ++{ ++#ifdef CONFIG_COMPAT ++ return pde->flags & PROC_ENTRY_proc_compat_ioctl; ++#else ++ return false; ++#endif ++} ++ + extern struct kmem_cache *proc_dir_entry_cache; + void pde_free(struct proc_dir_entry *pde); + +--- a/include/linux/proc_fs.h ++++ b/include/linux/proc_fs.h +@@ -20,10 +20,13 @@ enum { + * If in doubt, ignore this flag. + */ + #ifdef MODULE +- PROC_ENTRY_PERMANENT = 0U, ++ PROC_ENTRY_PERMANENT = 0U, + #else +- PROC_ENTRY_PERMANENT = 1U << 0, ++ PROC_ENTRY_PERMANENT = 1U << 0, + #endif ++ ++ PROC_ENTRY_proc_read_iter = 1U << 1, ++ PROC_ENTRY_proc_compat_ioctl = 1U << 2, + }; + + struct proc_ops { diff --git a/queue-5.10/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch b/queue-5.10/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch new file mode 100644 index 0000000000..c5cc4a2090 --- /dev/null +++ b/queue-5.10/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch @@ -0,0 +1,57 @@ +From 2c7a50bec4958f1d1c84d19cde518d0e96a676fd Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Thu, 13 Mar 2025 11:27:39 +0100 +Subject: regulator: check that dummy regulator has been probed before using it + +From: Christian Eggers + +commit 2c7a50bec4958f1d1c84d19cde518d0e96a676fd upstream. + +Due to asynchronous driver probing there is a chance that the dummy +regulator hasn't already been probed when first accessing it. + +Cc: stable@vger.kernel.org +Signed-off-by: Christian Eggers +Link: https://patch.msgid.link/20250313103051.32430-3-ceggers@arri.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/core.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1924,6 +1924,10 @@ static int regulator_resolve_supply(stru + + if (have_full_constraints()) { + r = dummy_regulator_rdev; ++ if (!r) { ++ ret = -EPROBE_DEFER; ++ goto out; ++ } + get_device(&r->dev); + } else { + dev_err(dev, "Failed to resolve %s-supply for %s\n", +@@ -1941,6 +1945,10 @@ static int regulator_resolve_supply(stru + goto out; + } + r = dummy_regulator_rdev; ++ if (!r) { ++ ret = -EPROBE_DEFER; ++ goto out; ++ } + get_device(&r->dev); + } + +@@ -2049,8 +2057,10 @@ struct regulator *_regulator_get(struct + * enabled, even if it isn't hooked up, and just + * provide a dummy. + */ +- dev_warn(dev, "supply %s not found, using dummy regulator\n", id); + rdev = dummy_regulator_rdev; ++ if (!rdev) ++ return ERR_PTR(-EPROBE_DEFER); ++ dev_warn(dev, "supply %s not found, using dummy regulator\n", id); + get_device(&rdev->dev); + break; + diff --git a/queue-5.10/series b/queue-5.10/series index a8c97b57db..a827d617e0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -79,3 +79,13 @@ ipv6-fix-memleak-of-nhc_pcpu_rth_output-in-fib_check.patch ipv6-set-errno-after-ip_fib_metrics_init-in-ip6_rout.patch net-atm-fix-use-after-free-in-lec_send.patch net-neighbor-add-missing-policy-for-ndtpa_queue_lenb.patch +i2c-omap-fix-irq-storms.patch +drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch +regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch +arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch +mmc-atmel-mci-add-missing-clk_disable_unprepare.patch +proc-fix-uaf-in-proc_get_inode.patch +arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch +batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch +soc-qcom-pdr-fix-the-potential-deadlock.patch +drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch diff --git a/queue-5.10/soc-qcom-pdr-fix-the-potential-deadlock.patch b/queue-5.10/soc-qcom-pdr-fix-the-potential-deadlock.patch new file mode 100644 index 0000000000..339ad4e6ad --- /dev/null +++ b/queue-5.10/soc-qcom-pdr-fix-the-potential-deadlock.patch @@ -0,0 +1,90 @@ +From 2eeb03ad9f42dfece63051be2400af487ddb96d2 Mon Sep 17 00:00:00 2001 +From: Saranya R +Date: Wed, 12 Feb 2025 22:07:20 +0530 +Subject: soc: qcom: pdr: Fix the potential deadlock + +From: Saranya R + +commit 2eeb03ad9f42dfece63051be2400af487ddb96d2 upstream. + +When some client process A call pdr_add_lookup() to add the look up for +the service and does schedule locator work, later a process B got a new +server packet indicating locator is up and call pdr_locator_new_server() +which eventually sets pdr->locator_init_complete to true which process A +sees and takes list lock and queries domain list but it will timeout due +to deadlock as the response will queued to the same qmi->wq and it is +ordered workqueue and process B is not able to complete new server +request work due to deadlock on list lock. + +Fix it by removing the unnecessary list iteration as the list iteration +is already being done inside locator work, so avoid it here and just +call schedule_work() here. + + Process A Process B + + process_scheduled_works() +pdr_add_lookup() qmi_data_ready_work() + process_scheduled_works() pdr_locator_new_server() + pdr->locator_init_complete=true; + pdr_locator_work() + mutex_lock(&pdr->list_lock); + + pdr_locate_service() mutex_lock(&pdr->list_lock); + + pdr_get_domain_list() + pr_err("PDR: %s get domain list + txn wait failed: %d\n", + req->service_name, + ret); + +Timeout error log due to deadlock: + +" + PDR: tms/servreg get domain list txn wait failed: -110 + PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 +" + +Thanks to Bjorn and Johan for letting me know that this commit also fixes +an audio regression when using the in-kernel pd-mapper as that makes it +easier to hit this race. [1] + +Link: https://lore.kernel.org/lkml/Zqet8iInnDhnxkT9@hovoldconsulting.com/ # [1] +Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers") +CC: stable@vger.kernel.org +Reviewed-by: Bjorn Andersson +Tested-by: Bjorn Andersson +Tested-by: Johan Hovold +Signed-off-by: Saranya R +Co-developed-by: Mukesh Ojha +Signed-off-by: Mukesh Ojha +Link: https://lore.kernel.org/r/20250212163720.1577876-1-mukesh.ojha@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/pdr_interface.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/soc/qcom/pdr_interface.c ++++ b/drivers/soc/qcom/pdr_interface.c +@@ -74,7 +74,6 @@ static int pdr_locator_new_server(struct + { + struct pdr_handle *pdr = container_of(qmi, struct pdr_handle, + locator_hdl); +- struct pdr_service *pds; + + mutex_lock(&pdr->lock); + /* Create a local client port for QMI communication */ +@@ -86,12 +85,7 @@ static int pdr_locator_new_server(struct + mutex_unlock(&pdr->lock); + + /* Service pending lookup requests */ +- mutex_lock(&pdr->list_lock); +- list_for_each_entry(pds, &pdr->lookups, node) { +- if (pds->need_locator_lookup) +- schedule_work(&pdr->locator_work); +- } +- mutex_unlock(&pdr->list_lock); ++ schedule_work(&pdr->locator_work); + + return 0; + }