From: Sasha Levin Date: Mon, 14 Apr 2025 10:35:47 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v6.12.24~108 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a82c2f4e61e73db6ec739843d464a35b5d0b9c3c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/ahci-add-pci-id-for-marvell-88se9215-sata-controller.patch b/queue-5.15/ahci-add-pci-id-for-marvell-88se9215-sata-controller.patch new file mode 100644 index 0000000000..c5cd4200ae --- /dev/null +++ b/queue-5.15/ahci-add-pci-id-for-marvell-88se9215-sata-controller.patch 
@@ -0,0 +1,39 @@
+From e0cebc1d355e48ea25891b6cbec46542beb835cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Mar 2025 10:20:30 +0100
+Subject: ahci: add PCI ID for Marvell 88SE9215 SATA Controller
+
+From: Daniel Kral
+
+[ Upstream commit 885251dc35767b1c992f6909532ca366c830814a ]
+
+Add support for Marvell Technology Group Ltd. 88SE9215 SATA 6 Gb/s
+controller, which is e.g. used in the DAWICONTROL DC-614e RAID bus
+controller and was not automatically recognized before.
+
+Tested with a DAWICONTROL DC-614e RAID bus controller.
+
+Signed-off-by: Daniel Kral
+Link: https://lore.kernel.org/r/20250304092030.37108-1-d.kral@proxmox.com
+Signed-off-by: Niklas Cassel
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/ahci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index ff5f83c5af00e..408a25956f6e0 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -595,6 +595,8 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ .driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3),
+ .driver_data = board_ahci_yes_fbs },
++ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9215),
++ .driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
+ .driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */
+--
+2.39.5
+
diff --git a/queue-5.15/alsa-hda-intel-fix-optimus-when-gpu-has-no-sound.patch b/queue-5.15/alsa-hda-intel-fix-optimus-when-gpu-has-no-sound.patch
new file mode 100644
index 0000000000..b603eec0b4
--- /dev/null
+++ b/queue-5.15/alsa-hda-intel-fix-optimus-when-gpu-has-no-sound.patch
@@ -0,0 +1,66 @@ +From 5abd7f577f234119131dc22cceb762055fa84345 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Feb 2025 23:46:01 +0200 +Subject: ALSA: hda: intel: Fix Optimus when GPU has no sound + +From: Maxim Mikityanskiy + +[ Upstream commit 2b360ba9a4936486380bc30d1eabceb40a714d98 ] + +quirk_nvidia_hda() forcefully enables HDA controller on all NVIDIA GPUs, +because some buggy BIOSes leave it disabled. However, some dual-GPU +laptops do not have a functional HDA controller in DGPU, and BIOS +disables it on purpose. After quirk_nvidia_hda() reenables this dummy +HDA controller, attempting to probe it fails at azx_first_init(), which +is too late to cancel the probe, as it happens in azx_probe_continue(). + +The sna_hda_intel driver calls azx_free() and stops the chip, however, +it stays probed, and from the runtime PM point of view, the device +remains active (it was set as active by the PCI subsystem on probe). It +prevents vga_switcheroo from turning off the DGPU, because +pci_create_device_link() syncs power management for video and audio +devices. + +Affected devices should be added to driver_denylist to prevent them from +probing early. This patch helps identify such devices by printing a +warning, and also forces the device to the suspended state to allow +vga_switcheroo turn off DGPU. 
+ +Signed-off-by: Maxim Mikityanskiy +Link: https://patch.msgid.link/20250208214602.39607-2-maxtram95@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 16c7fbb84276a..5f0e7765b8bd6 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1365,8 +1365,21 @@ static void azx_free(struct azx *chip) + if (use_vga_switcheroo(hda)) { + if (chip->disabled && hda->probe_continued) + snd_hda_unlock_devices(&chip->bus); +- if (hda->vga_switcheroo_registered) ++ if (hda->vga_switcheroo_registered) { + vga_switcheroo_unregister_client(chip->pci); ++ ++ /* Some GPUs don't have sound, and azx_first_init fails, ++ * leaving the device probed but non-functional. As long ++ * as it's probed, the PCI subsystem keeps its runtime ++ * PM status as active. Force it to suspended (as we ++ * actually stop the chip) to allow GPU to suspend via ++ * vga_switcheroo, and print a warning. ++ */ ++ dev_warn(&pci->dev, "GPU sound probed, but not operational: please add a quirk to driver_denylist\n"); ++ pm_runtime_disable(&pci->dev); ++ pm_runtime_set_suspended(&pci->dev); ++ pm_runtime_enable(&pci->dev); ++ } + } + + if (bus->chip_init) { +-- +2.39.5 + diff --git a/queue-5.15/alsa-usb-audio-fix-cme-quirk-for-uf-series-keyboards.patch b/queue-5.15/alsa-usb-audio-fix-cme-quirk-for-uf-series-keyboards.patch new file mode 100644 index 0000000000..c930e0a882 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-cme-quirk-for-uf-series-keyboards.patch 
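Review bot: The block added to azx_free() is gated only on `hda->vga_switcheroo_registered`, so as far as this hunk shows it also runs when a working controller is torn down normally, not just after azx_first_init() has failed. In that case the "GPU sound probed, but not operational" warning would be misleading and the runtime-PM status would be forced to suspended on every unbind. azx_free()'s callers and the declaration of `pci` are outside the hunk; if the function is reached on the ordinary remove path, the block should be conditioned on the failed-init case or the message reworded. The return value of `pm_runtime_set_suspended(&pci->dev)` is ignored as well, so a refused status change would go unnoticed.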
@@ -0,0 +1,123 @@ +From 96f6be6a86fd5b3264818a7882e73f25b6cfee8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 23:16:17 +0100 +Subject: ALSA: usb-audio: Fix CME quirk for UF series keyboards + +From: Ricard Wanderlof + +[ Upstream commit c2820405ba55a38932aa2177f026b70064296663 ] + +Fix quirk for CME master keyboards so it not only handles +sysex but also song position pointer, MIDI timing clock, start +and stop messages, and active sensing. All of these can be +output by the CME UF series master keyboards. + +Tested with a CME UF6 in a desktop Linux environment as +well as on the Zynthian Raspberry Pi based platform. + +Signed-off-by: Ricard Wanderlof +Link: https://patch.msgid.link/20250313-cme-fix-v1-1-d404889e4de8@butoba.net +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/midi.c | 80 ++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 74 insertions(+), 6 deletions(-) + +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index a56c1a69b422a..c6586da43a048 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -489,16 +489,84 @@ static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep, + + /* + * CME protocol: like the standard protocol, but SysEx commands are sent as a +- * single USB packet preceded by a 0x0F byte. ++ * single USB packet preceded by a 0x0F byte, as are system realtime ++ * messages and MIDI Active Sensing. ++ * Also, multiple messages can be sent in the same packet. 
+ */ + static void snd_usbmidi_cme_input(struct snd_usb_midi_in_endpoint *ep, + uint8_t *buffer, int buffer_length) + { +- if (buffer_length < 2 || (buffer[0] & 0x0f) != 0x0f) +- snd_usbmidi_standard_input(ep, buffer, buffer_length); +- else +- snd_usbmidi_input_data(ep, buffer[0] >> 4, +- &buffer[1], buffer_length - 1); ++ int remaining = buffer_length; ++ ++ /* ++ * CME send sysex, song position pointer, system realtime ++ * and active sensing using CIN 0x0f, which in the standard ++ * is only intended for single byte unparsed data. ++ * So we need to interpret these here before sending them on. ++ * By default, we assume single byte data, which is true ++ * for system realtime (midi clock, start, stop and continue) ++ * and active sensing, and handle the other (known) cases ++ * separately. ++ * In contrast to the standard, CME does not split sysex ++ * into multiple 4-byte packets, but lumps everything together ++ * into one. In addition, CME can string multiple messages ++ * together in the same packet; pressing the Record button ++ * on an UF6 sends a sysex message directly followed ++ * by a song position pointer in the same packet. ++ * For it to have any reasonable meaning, a sysex message ++ * needs to be at least 3 bytes in length (0xf0, id, 0xf7), ++ * corresponding to a packet size of 4 bytes, and the ones sent ++ * by CME devices are 6 or 7 bytes, making the packet fragments ++ * 7 or 8 bytes long (six or seven bytes plus preceding CN+CIN byte). ++ * For the other types, the packet size is always 4 bytes, ++ * as per the standard, with the data size being 3 for SPP ++ * and 1 for the others. ++ * Thus all packet fragments are at least 4 bytes long, so we can ++ * skip anything that is shorter; this also conveniantly skips ++ * packets with size 0, which CME devices continuously send when ++ * they have nothing better to do. ++ * Another quirk is that sometimes multiple messages are sent ++ * in the same packet. 
This has been observed for midi clock ++ * and active sensing i.e. 0x0f 0xf8 0x00 0x00 0x0f 0xfe 0x00 0x00, ++ * but also multiple note ons/offs, and control change together ++ * with MIDI clock. Similarly, some sysex messages are followed by ++ * the song position pointer in the same packet, and occasionally ++ * additionally by a midi clock or active sensing. ++ * We handle this by looping over all data and parsing it along the way. ++ */ ++ while (remaining >= 4) { ++ int source_length = 4; /* default */ ++ ++ if ((buffer[0] & 0x0f) == 0x0f) { ++ int data_length = 1; /* default */ ++ ++ if (buffer[1] == 0xf0) { ++ /* Sysex: Find EOX and send on whole message. */ ++ /* To kick off the search, skip the first ++ * two bytes (CN+CIN and SYSEX (0xf0). ++ */ ++ uint8_t *tmp_buf = buffer + 2; ++ int tmp_length = remaining - 2; ++ ++ while (tmp_length > 1 && *tmp_buf != 0xf7) { ++ tmp_buf++; ++ tmp_length--; ++ } ++ data_length = tmp_buf - buffer; ++ source_length = data_length + 1; ++ } else if (buffer[1] == 0xf2) { ++ /* Three byte song position pointer */ ++ data_length = 3; ++ } ++ snd_usbmidi_input_data(ep, buffer[0] >> 4, ++ &buffer[1], data_length); ++ } else { ++ /* normal channel events */ ++ snd_usbmidi_standard_input(ep, buffer, source_length); ++ } ++ buffer += source_length; ++ remaining -= source_length; ++ } + } + + /* +-- +2.39.5 + diff --git a/queue-5.15/arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch b/queue-5.15/arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch new file mode 100644 index 0000000000..a4e455fbe3 --- /dev/null +++ b/queue-5.15/arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch 
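Review bot: In snd_usbmidi_cme_input() the SysEx scan stops on `tmp_length > 1` without testing the final byte, so a packet that opens a SysEx (0x0f 0xf0) but never carries 0xf7 is handed to snd_usbmidi_input_data() in full as one unterminated message, and anything the device appended after it is swallowed. The arithmetic keeps `data_length` and `source_length` within `remaining`, so this is not an out-of-bounds read, but the buffer is device-supplied and the bound is only implicit in the loop condition. I would state it at the inner loop, e.g. `/* tmp_length > 1 keeps tmp_buf inside the packet; with no EOX the rest of the packet is passed on as SysEx */`. The long comment should also say whether the one to three bytes left over when `remaining < 4` are dropped on purpose, since the old code passed short buffers to snd_usbmidi_standard_input().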
@@ -0,0 +1,44 @@
+From 8fd081e427dbabdfb5f4195fa2bc8281c542a4bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Dec 2024 13:11:09 -0800
+Subject: arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD
+
+From: Douglas Anderson
+
+[ Upstream commit 401c3333bb2396aa52e4121887a6f6a6e2f040bc ]
+
+Add a definition for the Qualcomm Kryo 300-series Gold cores.
+
+Reviewed-by: Dmitry Baryshkov
+Signed-off-by: Douglas Anderson
+Acked-by: Trilok Soni
+Link: https://lore.kernel.org/r/20241219131107.v3.1.I18e0288742871393228249a768e5d56ea65d93dc@changeid
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
+index 7dfaad0fa17b7..f3729ef92e570 100644
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -111,6 +111,7 @@
+ #define QCOM_CPU_PART_KRYO 0x200
+ #define QCOM_CPU_PART_KRYO_2XX_GOLD 0x800
+ #define QCOM_CPU_PART_KRYO_2XX_SILVER 0x801
++#define QCOM_CPU_PART_KRYO_3XX_GOLD 0x802
+ #define QCOM_CPU_PART_KRYO_3XX_SILVER 0x803
+ #define QCOM_CPU_PART_KRYO_4XX_GOLD 0x804
+ #define QCOM_CPU_PART_KRYO_4XX_SILVER 0x805
+@@ -170,6 +171,7 @@
+ #define MIDR_QCOM_KRYO MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO)
+ #define MIDR_QCOM_KRYO_2XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_GOLD)
+ #define MIDR_QCOM_KRYO_2XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_2XX_SILVER)
++#define MIDR_QCOM_KRYO_3XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_GOLD)
+ #define MIDR_QCOM_KRYO_3XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_3XX_SILVER)
+ #define MIDR_QCOM_KRYO_4XX_GOLD MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_GOLD)
+ #define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER)
+--
+2.39.5
+
diff --git a/queue-5.15/asoc-fsl_audmix-register-card-device-depends-on-dais.patch b/queue-5.15/asoc-fsl_audmix-register-card-device-depends-on-dais.patch new file mode 100644 index 0000000000..e4a678346c --- /dev/null +++ b/queue-5.15/asoc-fsl_audmix-register-card-device-depends-on-dais.patch 
@@ -0,0 +1,53 @@ +From b49199c7138e1ac2e159a0cd71f4ef0a84b38746 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 18:05:08 +0800 +Subject: ASoC: fsl_audmix: register card device depends on 'dais' property + +From: Shengjiu Wang + +[ Upstream commit 294a60e5e9830045c161181286d44ce669f88833 ] + +In order to make the audmix device linked by audio graph card, make +'dais' property to be optional. + +If 'dais' property exists, then register the imx-audmix card driver. +otherwise, it should be linked by audio graph card. + +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20250226100508.2352568-5-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_audmix.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/fsl/fsl_audmix.c b/sound/soc/fsl/fsl_audmix.c +index f931288e256ca..9c46b25cc6541 100644 +--- a/sound/soc/fsl/fsl_audmix.c ++++ b/sound/soc/fsl/fsl_audmix.c +@@ -500,11 +500,17 @@ static int fsl_audmix_probe(struct platform_device *pdev) + goto err_disable_pm; + } + +- priv->pdev = platform_device_register_data(dev, "imx-audmix", 0, NULL, 0); +- if (IS_ERR(priv->pdev)) { +- ret = PTR_ERR(priv->pdev); +- dev_err(dev, "failed to register platform: %d\n", ret); +- goto err_disable_pm; ++ /* ++ * If dais property exist, then register the imx-audmix card driver. ++ * otherwise, it should be linked by audio graph card. ++ */ ++ if (of_find_property(pdev->dev.of_node, "dais", NULL)) { ++ priv->pdev = platform_device_register_data(dev, "imx-audmix", 0, NULL, 0); ++ if (IS_ERR(priv->pdev)) { ++ ret = PTR_ERR(priv->pdev); ++ dev_err(dev, "failed to register platform: %d\n", ret); ++ goto err_disable_pm; ++ } + } + + return 0; +-- +2.39.5 + diff --git a/queue-5.15/ata-libata-eh-do-not-use-atapi-dma-for-a-device-limi.patch b/queue-5.15/ata-libata-eh-do-not-use-atapi-dma-for-a-device-limi.patch new file mode 100644 index 0000000000..64d9e767f6 
--- /dev/null +++ b/queue-5.15/ata-libata-eh-do-not-use-atapi-dma-for-a-device-limi.patch 
@@ -0,0 +1,57 @@ +From d68a31d70b18bfa8d266b0c3d0db2099f8aff763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 02:54:23 +0100 +Subject: ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode + +From: Niklas Cassel + +[ Upstream commit 91ec84f8eaddbc93d7c62e363d68aeb7b89879c7 ] + +atapi_eh_request_sense() currently uses ATAPI DMA if the SATA controller +has ATA_FLAG_PIO_DMA (PIO cmds via DMA) set. + +However, ATA_FLAG_PIO_DMA is a flag that can be set by a low-level driver +on a port at initialization time, before any devices are scanned. + +If a controller detects a connected device that only supports PIO, we set +the flag ATA_DFLAG_PIO. + +Modify atapi_eh_request_sense() to not use ATAPI DMA if the connected +device only supports PIO. + +Reported-by: Philip Pemberton +Closes: https://lore.kernel.org/linux-ide/c6722ee8-5e21-4169-af59-cbbae9edc02f@philpem.me.uk/ +Tested-by: Philip Pemberton +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250221015422.20687-2-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-eh.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 10742d72f44fb..f0b690b39bf7a 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -1479,8 +1479,15 @@ unsigned int atapi_eh_request_sense(struct ata_device *dev, + tf.flags |= ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE; + tf.command = ATA_CMD_PACKET; + +- /* is it pointless to prefer PIO for "safety reasons"? */ +- if (ap->flags & ATA_FLAG_PIO_DMA) { ++ /* ++ * Do not use DMA if the connected device only supports PIO, even if the ++ * port prefers PIO commands via DMA. ++ * ++ * Ideally, we should call atapi_check_dma() to check if it is safe for ++ * the LLD to use DMA for REQUEST_SENSE, but we don't have a qc. ++ * Since we can't check the command, perhaps we should only use pio? 
++ */ ++ if ((ap->flags & ATA_FLAG_PIO_DMA) && !(dev->flags & ATA_DFLAG_PIO)) { + tf.protocol = ATAPI_PROT_DMA; + tf.feature |= ATAPI_PKT_DMA; + } else { +-- +2.39.5 + diff --git a/queue-5.15/bluetooth-hci_uart-fix-race-during-initialization.patch b/queue-5.15/bluetooth-hci_uart-fix-race-during-initialization.patch new file mode 100644 index 0000000000..c2c5ea6e9d --- /dev/null +++ b/queue-5.15/bluetooth-hci_uart-fix-race-during-initialization.patch 
@@ -0,0 +1,49 @@
+From 1a4743ff0f63f0998f98cbaf38a58c70d5c82480 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Jan 2025 21:43:26 +0300
+Subject: Bluetooth: hci_uart: fix race during initialization
+
+From: Arseniy Krasnov
+
+[ Upstream commit 366ceff495f902182d42b6f41525c2474caf3f9a ]
+
+'hci_register_dev()' calls power up function, which is executed by
+kworker - 'hci_power_on()'. This function does access to bluetooth chip
+using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'.
+Now 'hci_uart_send_frame()' checks 'HCI_UART_PROTO_READY' bit set, and
+if not - it fails. Problem is that 'HCI_UART_PROTO_READY' is set after
+'hci_register_dev()', and there is tiny chance that 'hci_power_on()' will
+be executed before setting this bit. In that case HCI init logic fails.
+
+Patch moves setting of 'HCI_UART_PROTO_READY' before calling function
+'hci_uart_register_dev()'.
+
+Signed-off-by: Arseniy Krasnov
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_ldisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index be51528afed9d..fbbd832e4def1 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -706,12 +706,13 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+
+ hu->proto = p;
+
++ set_bit(HCI_UART_PROTO_READY, &hu->flags);
++
+ err = hci_uart_register_dev(hu);
+ if (err) {
+ return err;
+ }
+
+- set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ return 0;
+ }
+
+--
+2.39.5
+
diff --git a/queue-5.15/drivers-base-devres-allow-to-release-group-on-device.patch b/queue-5.15/drivers-base-devres-allow-to-release-group-on-device.patch
new file mode 100644
index 0000000000..a9f434c184
--- /dev/null
+++ b/queue-5.15/drivers-base-devres-allow-to-release-group-on-device.patch
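Review bot: In hci_uart_set_proto() the error path after `hci_uart_register_dev(hu)` now returns with HCI_UART_PROTO_READY still set, because the `set_bit()` was moved ahead of the call and nothing clears it when registration fails. The commit message itself says other hci_ldisc.c callbacks gate on this bit, so after a failed registration the line discipline would look ready while the device was never registered; what those callbacks then dereference is outside the hunk, but this is the usual shape of a NULL or stale-pointer access. The failure branch should undo the flag, e.g. `if (err) { clear_bit(HCI_UART_PROTO_READY, &hu->flags); return err; }`, taking whatever lock the file uses to synchronise readers of the flag if there is one. The start of the function is not visible here.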
@@ -0,0 +1,76 @@ +From 314fbf86ab3370b58adfb364fa55adf6037d0825 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 16:10:41 -0800 +Subject: drivers: base: devres: Allow to release group on device release + +From: Lucas De Marchi + +[ Upstream commit 8e1ddfada4530939a8cb64ee9251aef780474274 ] + +When releasing a device, if the release action causes a group to be +released, a warning is emitted because it can't find the group. This +happens because devres_release_all() moves the entire list to a todo +list and also move the group markers. Considering r* normal resource +nodes and g1 a group resource node: + + g1 -----------. + v v + r1 -> r2 -> g1[0] -> r3-> g[1] -> r4 + +After devres_release_all(), dev->devres_head becomes empty and the todo +list it iterates on becomes: + + g1 + v + r1 -> r2 -> r3-> r4 -> g1[0] + +When a call to component_del() is made and takes down the aggregate +device, a warning like this happen: + + RIP: 0010:devres_release_group+0x362/0x530 + ... + Call Trace: + + component_unbind+0x156/0x380 + component_unbind_all+0x1d0/0x270 + mei_component_master_unbind+0x28/0x80 [mei_hdcp] + take_down_aggregate_device+0xc1/0x160 + component_del+0x1c6/0x3e0 + intel_hdcp_component_fini+0xf1/0x170 [xe] + xe_display_fini+0x1e/0x40 [xe] + +Because the devres group corresponding to the hdcp component cannot be +found. Just ignore this corner case: if the dev->devres_head is empty +and the caller is trying to remove a group, it's likely in the process +of device cleanup so just ignore it instead of warning. 
+ +Acked-by: Greg Kroah-Hartman +Reviewed-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20250222001051.3012936-2-lucas.demarchi@intel.com +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/base/devres.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/base/devres.c b/drivers/base/devres.c +index d3f59028dec73..58e8e2be26ac7 100644 +--- a/drivers/base/devres.c ++++ b/drivers/base/devres.c +@@ -682,6 +682,13 @@ int devres_release_group(struct device *dev, void *id) + spin_unlock_irqrestore(&dev->devres_lock, flags); + + release_nodes(dev, &todo); ++ } else if (list_empty(&dev->devres_head)) { ++ /* ++ * dev is probably dying via devres_release_all(): groups ++ * have already been removed and are on the process of ++ * being released - don't touch and don't warn. ++ */ ++ spin_unlock_irqrestore(&dev->devres_lock, flags); + } else { + WARN_ON(1); + spin_unlock_irqrestore(&dev->devres_lock, flags); +-- +2.39.5 + diff --git a/queue-5.15/drm-allow-encoder-mode_set-even-when-connectors-chan.patch b/queue-5.15/drm-allow-encoder-mode_set-even-when-connectors-chan.patch new file mode 100644 index 0000000000..92e0bd9d0e --- /dev/null +++ b/queue-5.15/drm-allow-encoder-mode_set-even-when-connectors-chan.patch 
@@ -0,0 +1,48 @@
+From da739d3abbc6265b54817b67c34990414c2e1a9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Dec 2024 13:18:42 -0800
+Subject: drm: allow encoder mode_set even when connectors change for crtc
+
+From: Abhinav Kumar
+
+[ Upstream commit 7e182cb4f5567f53417b762ec0d679f0b6f0039d ]
+
+In certain use-cases, a CRTC could switch between two encoders
+and because the mode being programmed on the CRTC remains
+the same during this switch, the CRTC's mode_changed remains false.
+In such cases, the encoder's mode_set also gets skipped.
+
+Skipping mode_set on the encoder for such cases could cause an issue
+because even though the same CRTC mode was being used, the encoder
+type could have changed like the CRTC could have switched from a
+real time encoder to a writeback encoder OR vice-versa.
+
+Allow encoder's mode_set to happen even when connectors changed on a
+CRTC and not just when the mode changed.
+
+Signed-off-by: Abhinav Kumar
+Signed-off-by: Jessica Zhang
+Reviewed-by: Maxime Ripard
+Link: https://patchwork.freedesktop.org/patch/msgid/20241211-abhinavk-modeset-fix-v3-1-0de4bf3e7c32@quicinc.com
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_atomic_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
+index 2c3883d79f531..bd01d925769db 100644
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -1279,7 +1279,7 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state)
+ mode = &new_crtc_state->mode;
+ adjusted_mode = &new_crtc_state->adjusted_mode;
+
+- if (!new_crtc_state->mode_changed)
++ if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed)
+ continue;
+
+ DRM_DEBUG_ATOMIC("modeset on [ENCODER:%d:%s]\n",
+--
+2.39.5
+
diff --git a/queue-5.15/drm-amd-display-update-cursor-request-mode-to-the-be.patch b/queue-5.15/drm-amd-display-update-cursor-request-mode-to-the-be.patch new file mode 100644 index 0000000000..1e6893f166 --- /dev/null +++ b/queue-5.15/drm-amd-display-update-cursor-request-mode-to-the-be.patch 
@@ -0,0 +1,96 @@ +From 731f5c9fe67c9bb57d652f7454d62f554df905f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 16:11:48 +0800 +Subject: drm/amd/display: Update Cursor request mode to the beginning prefetch + always + +From: Zhikai Zhai + +[ Upstream commit 4a4077b4b63a8404efd6d37fc2926f03fb25bace ] + +[Why] +The double buffer cursor registers is updated by the cursor +vupdate event. There is a gap between vupdate and cursor data +fetch if cursor fetch data reletive to cursor position. +Cursor corruption will happen if we update the cursor surface +in this gap. + +[How] +Modify the cursor request mode to the beginning prefetch always +and avoid wraparound calculation issues. + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Zhikai Zhai +Signed-off-by: Zaeem Mohamed +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 22 ++++++++----------- + .../gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 2 +- + 2 files changed, 10 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index bc603c8af3b66..b31c31c39783f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -1838,20 +1838,11 @@ static void delay_cursor_until_vupdate(struct dc *dc, struct pipe_ctx *pipe_ctx) + dc->hwss.get_position(&pipe_ctx, 1, &position); + vpos = position.vertical_count; + +- /* Avoid wraparound calculation issues */ +- vupdate_start += stream->timing.v_total; +- vupdate_end += stream->timing.v_total; +- vpos += stream->timing.v_total; +- + if (vpos <= vupdate_start) { + /* VPOS is in VACTIVE or back porch. */ + lines_to_vupdate = vupdate_start - vpos; +- } else if (vpos > vupdate_end) { +- /* VPOS is in the front porch. */ +- return; + } else { +- /* VPOS is in VUPDATE. 
*/ +- lines_to_vupdate = 0; ++ lines_to_vupdate = stream->timing.v_total - vpos + vupdate_start; + } + + /* Calculate time until VUPDATE in microseconds. */ +@@ -1859,13 +1850,18 @@ static void delay_cursor_until_vupdate(struct dc *dc, struct pipe_ctx *pipe_ctx) + stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz; + us_to_vupdate = lines_to_vupdate * us_per_line; + ++ /* Stall out until the cursor update completes. */ ++ if (vupdate_end < vupdate_start) ++ vupdate_end += stream->timing.v_total; ++ ++ /* Position is in the range of vupdate start and end*/ ++ if (lines_to_vupdate > stream->timing.v_total - vupdate_end + vupdate_start) ++ us_to_vupdate = 0; ++ + /* 70 us is a conservative estimate of cursor update time*/ + if (us_to_vupdate > 70) + return; + +- /* Stall out until the cursor update completes. */ +- if (vupdate_end < vupdate_start) +- vupdate_end += stream->timing.v_total; + us_vupdate = (vupdate_end - vupdate_start + 1) * us_per_line; + udelay(us_to_vupdate + us_vupdate); + } +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c +index 127055044cf1a..faab14e343a4e 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c +@@ -44,7 +44,7 @@ void hubp31_set_unbounded_requesting(struct hubp *hubp, bool enable) + struct dcn20_hubp *hubp2 = TO_DCN20_HUBP(hubp); + + REG_UPDATE(DCHUBP_CNTL, HUBP_UNBOUNDED_REQ_MODE, enable); +- REG_UPDATE(CURSOR_CONTROL, CURSOR_REQ_MODE, enable); ++ REG_UPDATE(CURSOR_CONTROL, CURSOR_REQ_MODE, 1); + } + + void hubp31_soft_reset(struct hubp *hubp, bool reset) +-- +2.39.5 + diff --git a/queue-5.15/drm-amdkfd-clamp-queue-size-to-minimum.patch b/queue-5.15/drm-amdkfd-clamp-queue-size-to-minimum.patch new file mode 100644 index 0000000000..a8aad11710 --- /dev/null +++ b/queue-5.15/drm-amdkfd-clamp-queue-size-to-minimum.patch 
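Review bot: In delay_cursor_until_vupdate() the comment `/* Stall out until the cursor update completes. */` moved up together with the `vupdate_end` wrap adjustment and now labels that adjustment, while the `udelay()` it used to describe is left without a comment. The new test `lines_to_vupdate > stream->timing.v_total - vupdate_end + vupdate_start` is evaluated after `vupdate_end` may have been increased by `v_total`, so the intermediate `v_total - vupdate_end` can go below zero; the variables are declared outside the hunk, and if they are unsigned the result is only right through wraparound, which deserves a one-line comment. In hubp31_set_unbounded_requesting() the literal `1` written to CURSOR_REQ_MODE should carry a short comment saying the mode is now intentionally independent of `enable`.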
@@ -0,0 +1,66 @@ +From a8c6d2ef123a976f154a250a610aa8124476a20c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 18:08:02 -0500 +Subject: drm/amdkfd: clamp queue size to minimum + +From: David Yat Sin + +[ Upstream commit e90711946b53590371ecce32e8fcc381a99d6333 ] + +If queue size is less than minimum, clamp it to minimum to prevent +underflow when writing queue mqd. + +Signed-off-by: David Yat Sin +Reviewed-by: Jay Cornwall +Reviewed-by: Harish Kasiviswanathan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++++++++++ + include/uapi/linux/kfd_ioctl.h | 2 ++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +index 34c466e8eee98..7b2111be3019a 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -191,6 +191,11 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties, + return -EINVAL; + } + ++ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) { ++ args->ring_size = KFD_MIN_QUEUE_RING_SIZE; ++ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE"); ++ } ++ + if (!access_ok((const void __user *) args->read_pointer_address, + sizeof(uint32_t))) { + pr_err("Can't access read pointer\n"); +@@ -395,6 +400,11 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p, + return -EINVAL; + } + ++ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) { ++ args->ring_size = KFD_MIN_QUEUE_RING_SIZE; ++ pr_debug("Size lower. 
clamped to KFD_MIN_QUEUE_RING_SIZE"); ++ } ++ + properties.queue_address = args->ring_base_address; + properties.queue_size = args->ring_size; + properties.queue_percent = args->queue_percentage; +diff --git a/include/uapi/linux/kfd_ioctl.h b/include/uapi/linux/kfd_ioctl.h +index af96af174dc47..48d747f3ee8db 100644 +--- a/include/uapi/linux/kfd_ioctl.h ++++ b/include/uapi/linux/kfd_ioctl.h +@@ -50,6 +50,8 @@ struct kfd_ioctl_get_version_args { + #define KFD_MAX_QUEUE_PERCENTAGE 100 + #define KFD_MAX_QUEUE_PRIORITY 15 + ++#define KFD_MIN_QUEUE_RING_SIZE 1024 ++ + struct kfd_ioctl_create_queue_args { + __u64 ring_base_address; /* to KFD */ + __u64 write_pointer_address; /* from KFD */ +-- +2.39.5 + diff --git a/queue-5.15/drm-amdkfd-fix-pqm_destroy_queue-race-with-gpu-reset.patch b/queue-5.15/drm-amdkfd-fix-pqm_destroy_queue-race-with-gpu-reset.patch new file mode 100644 index 0000000000..798fcb2149 --- /dev/null +++ b/queue-5.15/drm-amdkfd-fix-pqm_destroy_queue-race-with-gpu-reset.patch 
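Review bot: Both new clamp blocks, in set_queue_properties_from_user() and in kfd_ioctl_update_queue(), silently raise a user-supplied `args->ring_size` instead of rejecting it, so the size recorded for the queue can be larger than the buffer the caller actually provided at `ring_base_address`; no line visible in these hunks re-validates that address against the clamped size. If a ring size of 0 has a meaning elsewhere in the driver (not visible here), the clamp removes it as well. Either return -EINVAL for an undersized non-zero ring, or document next to `KFD_MIN_QUEUE_RING_SIZE` in kfd_ioctl.h that smaller sizes are rounded up. Both `pr_debug()` strings also lack the trailing newline that the neighbouring `pr_err("Can't access read pointer\n")` has: `pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE\n");`.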
@@ -0,0 +1,36 @@
+From cc587088792a2a1c3cd68bf607062ec3d49a58ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Feb 2025 16:02:13 -0500
+Subject: drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
+
+From: Philip Yang
+
+[ Upstream commit 7919b4cad5545ed93778f11881ceee72e4dbed66 ]
+
+If GPU in reset, destroy_queue return -EIO, pqm_destroy_queue should
+delete the queue from process_queue_list and free the resource.
+
+Signed-off-by: Philip Yang
+Reviewed-by: Felix Kuehling
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+index 243dd1efcdbf5..7a298158ed11a 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+@@ -384,7 +384,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
+ pr_err("Pasid 0x%x destroy queue %d failed, ret %d\n",
+ pqm->process->pasid,
+ pqn->q->properties.queue_id, retval);
+- if (retval != -ETIME)
++ if (retval != -ETIME && retval != -EIO)
+ goto err_destroy_queue;
+ }
+
+--
+2.39.5
+
diff --git a/queue-5.15/drm-bridge-panel-forbid-initializing-a-panel-with-un.patch b/queue-5.15/drm-bridge-panel-forbid-initializing-a-panel-with-un.patch
new file mode 100644
index 0000000000..9e29ef39c0
--- /dev/null
+++ b/queue-5.15/drm-bridge-panel-forbid-initializing-a-panel-with-un.patch
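Review bot: The widened condition in pqm_destroy_queue() carries no comment saying why -EIO now joins -ETIME as a tolerated failure, and the `pr_err()` just above still reports the destroy as failed even though the function carries on with the teardown. Going by the commit message, a comment above the `if` such as `/* -EIO: GPU is in reset; still unlink the queue and free its resources */` would record the intent. What the function returns after this fall-through is decided outside the hunk and is worth confirming, since a caller that sees an error may assume the queue still exists and try to destroy it again.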
@@ -0,0 +1,57 @@
+From a8d46b6a2f07f629f78a79570bea0d90ed55c813 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Feb 2025 13:57:44 +0100
+Subject: drm/bridge: panel: forbid initializing a panel with unknown connector
+ type
+
+From: Luca Ceresoli
+
+[ Upstream commit b296955b3a740ecc8b3b08e34fd64f1ceabb8fb4 ]
+
+Having an DRM_MODE_CONNECTOR_Unknown connector type is considered bad, and
+drm_panel_bridge_add_typed() and derivatives are deprecated for this.
+
+drm_panel_init() won't prevent initializing a panel with a
+DRM_MODE_CONNECTOR_Unknown connector type. Luckily there are no in-tree
+users doing it, so take this as an opportinuty to document a valid
+connector type must be passed.
+
+Returning an error if this rule is violated is not possible because
+drm_panel_init() is a void function. Add at least a warning to make any
+violations noticeable, especially to non-upstream drivers.
+
+Reviewed-by: Dmitry Baryshkov
+Signed-off-by: Luca Ceresoli
+Signed-off-by: Robert Foss
+Link: https://patchwork.freedesktop.org/patch/msgid/20250214-drm-assorted-cleanups-v7-5-88ca5827d7af@bootlin.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_panel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
+index 7fd3de89ed079..acd29b4f43f84 100644
+--- a/drivers/gpu/drm/drm_panel.c
++++ b/drivers/gpu/drm/drm_panel.c
+@@ -49,7 +49,7 @@ static LIST_HEAD(panel_list);
+ * @dev: parent device of the panel
+ * @funcs: panel operations
+ * @connector_type: the connector type (DRM_MODE_CONNECTOR_*) corresponding to
+- * the panel interface
++ * the panel interface (must NOT be DRM_MODE_CONNECTOR_Unknown)
+ *
+ * Initialize the panel structure for subsequent registration with
+ * drm_panel_add().
+@@ -57,6 +57,9 @@ static LIST_HEAD(panel_list);
+ void drm_panel_init(struct drm_panel *panel, struct device *dev,
+ const struct drm_panel_funcs *funcs, int connector_type)
+ {
++ if (connector_type == DRM_MODE_CONNECTOR_Unknown)
++ DRM_WARN("%s: %s: a valid connector type is required!\n", __func__, dev_name(dev));
++
+ INIT_LIST_HEAD(&panel->list);
+ panel->dev = dev;
+ panel->funcs = funcs;
+--
+2.39.5
+
diff --git a/queue-5.15/drm-mediatek-mtk_dpi-explicitly-manage-tvd-clock-in-.patch b/queue-5.15/drm-mediatek-mtk_dpi-explicitly-manage-tvd-clock-in-.patch
new file mode 100644
index 0000000000..0083f5403b
--- /dev/null
+++ b/queue-5.15/drm-mediatek-mtk_dpi-explicitly-manage-tvd-clock-in-.patch
@@ -0,0 +1,69 @@
+From 450d86ef72b316d93bff14239fc743b78def4ca3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Feb 2025 16:48:02 +0100
+Subject: drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
+
+From: AngeloGioacchino Del Regno
+
+[ Upstream commit 473c33f5ce651365468503c76f33158aaa1c7dd2 ]
+
+In preparation for adding support for MT8195's HDMI reserved
+DPI, add calls to clk_prepare_enable() / clk_disable_unprepare()
+for the TVD clock: in this particular case, the aforementioned
+clock is not (and cannot be) parented to neither pixel or engine
+clocks hence it won't get enabled automatically by the clock
+framework.
+
+Please note that on all of the currently supported MediaTek
+platforms, the TVD clock is always a parent of either pixel or
+engine clocks, and this means that the common clock framework
+is already enabling this clock before the children.
+On such platforms, this commit will only increase the refcount
+of the TVD clock without any functional change.
+
+Reviewed-by: CK Hu
+Signed-off-by: AngeloGioacchino Del Regno
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20250217154836.108895-10-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/mediatek/mtk_dpi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
+index 94c6bd3b00823..9518672dc21b3 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
+@@ -389,6 +389,7 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
+
+ mtk_dpi_disable(dpi);
+ clk_disable_unprepare(dpi->pixel_clk);
++ clk_disable_unprepare(dpi->tvd_clk);
+ clk_disable_unprepare(dpi->engine_clk);
+ }
+
+@@ -405,6 +406,12 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
+ goto err_refcount;
+ }
+
++ ret = clk_prepare_enable(dpi->tvd_clk);
++ if (ret) {
++ dev_err(dpi->dev, "Failed to enable tvd pll: %d\n", ret);
++ goto err_engine;
++ }
++
+ ret = clk_prepare_enable(dpi->pixel_clk);
+ if (ret) {
+ dev_err(dpi->dev, "Failed to enable pixel clock: %d\n", ret);
+@@ -414,6 +421,8 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
+ return 0;
+
+ err_pixel:
++ clk_disable_unprepare(dpi->tvd_clk);
++err_engine:
+ clk_disable_unprepare(dpi->engine_clk);
+ err_refcount:
+ dpi->refcount--;
+--
+2.39.5
+
diff --git a/queue-5.15/drm-panel-orientation-quirks-add-new-quirk-for-gpd-w.patch b/queue-5.15/drm-panel-orientation-quirks-add-new-quirk-for-gpd-w.patch
new file mode 100644
index 0000000000..ae73f6a6c1
--- /dev/null
+++ b/queue-5.15/drm-panel-orientation-quirks-add-new-quirk-for-gpd-w.patch
@@ -0,0 +1,45 @@
+From 3898246f28d678cfe3bf4ffc57974c88e05dff7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Feb 2025 22:24:52 +0000
+Subject: drm: panel-orientation-quirks: Add new quirk for GPD Win 2
+
+From: Andrew Wyatt
+
+[ Upstream commit a860eb9c6ba6cdbf32e3e01a606556e5a90a2931 ]
+
+Some GPD Win 2 units shipped with the correct DMI strings.
+
+Add a DMI match to correctly rotate the panel on these units.
+
+Signed-off-by: Andrew Wyatt
+Signed-off-by: John Edwards
+Tested-by: Paco Avelar
+Reviewed-by: Thomas Zimmermann
+Reviewed-by: Hans de Goede
+Signed-off-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-5-uejji@uejji.net
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 6bb8d4502ca8e..6fc9d638ccd23 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -235,6 +235,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
+ },
+ .driver_data = (void *)&gpd_win2,
++ }, { /* GPD Win 2 (correct DMI strings) */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WIN2")
++ },
++ .driver_data = (void *)&lcd720x1280_rightside_up,
+ }, { /* GPD Win 3 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
+--
+2.39.5
+
diff --git a/queue-5.15/drm-panel-orientation-quirks-add-support-for-ayaneo-.patch b/queue-5.15/drm-panel-orientation-quirks-add-support-for-ayaneo-.patch
new file mode 100644
index 0000000000..5340559100
--- /dev/null
+++ b/queue-5.15/drm-panel-orientation-quirks-add-support-for-ayaneo-.patch
@@ -0,0 +1,45 @@
+From 2f56d5177328acd8eee5cd6d3db2ff2601685a11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Feb 2025 22:24:49 +0000
+Subject: drm: panel-orientation-quirks: Add support for AYANEO 2S
+
+From: Andrew Wyatt
+
+[ Upstream commit eb8f1e3e8ee10cff591d4a47437dfd34d850d454 ]
+
+AYANEO 2S uses the same panel and orientation as the AYANEO 2.
+
+Update the AYANEO 2 DMI match to also match AYANEO 2S.
+
+Signed-off-by: Andrew Wyatt
+Signed-off-by: John Edwards
+Tested-by: John Edwards
+Reviewed-by: Thomas Zimmermann
+Reviewed-by: Hans de Goede
+Signed-off-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-2-uejji@uejji.net
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index bf90a5be956fe..6bb8d4502ca8e 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -166,10 +166,10 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
+- }, { /* AYA NEO AYANEO 2 */
++ }, { /* AYA NEO AYANEO 2/2S */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+ }, { /* AYA NEO 2021 */
+--
+2.39.5
+
diff --git a/queue-5.15/ext4-ignore-xattrs-past-end.patch b/queue-5.15/ext4-ignore-xattrs-past-end.patch
new file mode 100644
index 0000000000..9f04bd3085
--- /dev/null
+++ b/queue-5.15/ext4-ignore-xattrs-past-end.patch
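Review bot: `DMI_MATCH(DMI_PRODUCT_NAME, "AYANEO 2")` is a substring match, so besides "AYANEO 2S" this entry now also matches any other product of vendor "AYANEO" whose name merely contains "AYANEO 2". If only the 2 and the 2S are meant, a second entry using `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2S")` keeps the table exact. Otherwise a comment on the changed line stating that the substring match is intentional would help, since the position of the entry in the table presumably then decides which quirk wins. The table continues outside this hunk, so later entries that could collide are not visible here.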
@@ -0,0 +1,146 @@
+From 0057086d3b8fc42af30cddcfec6bfc1a391ab4c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Jan 2025 13:57:50 +0530
+Subject: ext4: ignore xattrs past end
+
+From: Bhupesh
+
+[ Upstream commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd ]
+
+Once inside 'ext4_xattr_inode_dec_ref_all' we should
+ignore xattrs entries past the 'end' entry.
+
+This fixes the following KASAN reported issue:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+Read of size 4 at addr ffff888012c120c4 by task repro/2065
+
+CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x1fd/0x300
+ ? tcp_gro_dev_warn+0x260/0x260
+ ? _printk+0xc0/0x100
+ ? read_lock_is_recursive+0x10/0x10
+ ? irq_work_queue+0x72/0xf0
+ ? __virt_addr_valid+0x17b/0x4b0
+ print_address_description+0x78/0x390
+ print_report+0x107/0x1f0
+ ? __virt_addr_valid+0x17b/0x4b0
+ ? __virt_addr_valid+0x3ff/0x4b0
+ ? __phys_addr+0xb5/0x160
+ ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+ kasan_report+0xcc/0x100
+ ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+ ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+ ? ext4_xattr_delete_inode+0xd30/0xd30
+ ? __ext4_journal_ensure_credits+0x5f0/0x5f0
+ ? __ext4_journal_ensure_credits+0x2b/0x5f0
+ ? inode_update_timestamps+0x410/0x410
+ ext4_xattr_delete_inode+0xb64/0xd30
+ ? ext4_truncate+0xb70/0xdc0
+ ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
+ ? __ext4_mark_inode_dirty+0x670/0x670
+ ? ext4_journal_check_start+0x16f/0x240
+ ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
+ ext4_evict_inode+0xc8c/0xff0
+ ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
+ ? do_raw_spin_unlock+0x53/0x8a0
+ ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
+ evict+0x4ac/0x950
+ ? proc_nr_inodes+0x310/0x310
+ ? trace_ext4_drop_inode+0xa2/0x220
+ ? _raw_spin_unlock+0x1a/0x30
+ ? iput+0x4cb/0x7e0
+ do_unlinkat+0x495/0x7c0
+ ? try_break_deleg+0x120/0x120
+ ? 0xffffffff81000000
+ ? __check_object_size+0x15a/0x210
+ ? strncpy_from_user+0x13e/0x250
+ ? getname_flags+0x1dc/0x530
+ __x64_sys_unlinkat+0xc8/0xf0
+ do_syscall_64+0x65/0x110
+ entry_SYSCALL_64_after_hwframe+0x67/0x6f
+RIP: 0033:0x434ffd
+Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
+RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
+RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
+RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
+
+
+The buggy address belongs to the object at ffff888012c12000
+ which belongs to the cache filp of size 360
+The buggy address is located 196 bytes inside of
+ freed 360-byte region [ffff888012c12000, ffff888012c12168)
+
+The buggy address belongs to the physical page:
+page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
+head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x40(head|node=0|zone=0)
+page_type: f5(slab)
+raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
+raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
+head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
+head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
+head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
+head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+ ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Reported-by: syzbot+b244bda78289b00204ed@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
+Suggested-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: Bhupesh
+Link: https://patch.msgid.link/20250128082751.124948-2-bhupesh@igalia.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/xattr.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index a22c85bf8ae96..d9f57a60f7b9b 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1127,15 +1127,24 @@ ext4_xattr_inode_dec_ref_all(handle_t *handle, struct inode *parent,
+ {
+ struct inode *ea_inode;
+ struct ext4_xattr_entry *entry;
++ struct ext4_iloc iloc;
+ bool dirty = false;
+ unsigned int ea_ino;
+ int err;
+ int credits;
++ void *end;
++
++ if (block_csum)
++ end = (void *)bh->b_data + bh->b_size;
++ else {
++ ext4_get_inode_loc(parent, &iloc);
++ end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
++ }
+
+ /* One credit for dec ref on ea_inode, one for orphan list addition, */
+ credits = 2 + extra_credits;
+
+- for (entry = first; !IS_LAST_ENTRY(entry);
++ for (entry = first; (void *)entry < end && !IS_LAST_ENTRY(entry);
+ entry = EXT4_XATTR_NEXT(entry)) {
+ if (!entry->e_value_inum)
+ continue;
+--
+2.39.5
+
diff --git a/queue-5.15/ext4-protect-ext4_release_dquot-against-freezing.patch b/queue-5.15/ext4-protect-ext4_release_dquot-against-freezing.patch
new file mode 100644
index 0000000000..e149283ebc
--- /dev/null
+++ b/queue-5.15/ext4-protect-ext4_release_dquot-against-freezing.patch
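Review bot: The return value of `ext4_get_inode_loc(parent, &iloc)` in the new `else` branch is ignored, so if the lookup fails `ext4_raw_inode(&iloc)` is computed from an uninitialised `iloc` and `end` becomes an arbitrary bound for the loop that is meant to stop out-of-range reads. Assigning it to the existing local, `err = ext4_get_inode_loc(parent, &iloc);`, and skipping the walk when `err` is non-zero would close that path. On success the call appears to take a buffer-head reference in `iloc.bh`, and no `brelse(iloc.bh)` is visible in this hunk. The function body continues outside the hunk, so confirm the reference is dropped on every exit.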
@@ -0,0 +1,74 @@
+From 04978377a8d90573d27bd21d7af39669aa6f5f58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Nov 2024 18:08:55 +0530
+Subject: ext4: protect ext4_release_dquot against freezing
+
+From: Ojaswin Mujoo
+
+[ Upstream commit 530fea29ef82e169cd7fe048c2b7baaeb85a0028 ]
+
+Protect ext4_release_dquot against freezing so that we
+don't try to start a transaction when FS is frozen, leading
+to warnings.
+
+Further, avoid taking the freeze protection if a transaction
+is already running so that we don't need end up in a deadlock
+as described in
+
+ 46e294efc355 ext4: fix deadlock with fs freezing and EA inodes
+
+Suggested-by: Jan Kara
+Signed-off-by: Ojaswin Mujoo
+Reviewed-by: Baokun Li
+Reviewed-by: Jan Kara
+Link: https://patch.msgid.link/20241121123855.645335-3-ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/super.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 541cfd118fbc7..8a103b0755348 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -6212,12 +6212,25 @@ static int ext4_release_dquot(struct dquot *dquot)
+ {
+ int ret, err;
+ handle_t *handle;
++ bool freeze_protected = false;
++
++ /*
++ * Trying to sb_start_intwrite() in a running transaction
++ * can result in a deadlock. Further, running transactions
++ * are already protected from freezing.
++ */
++ if (!ext4_journal_current_handle()) {
++ sb_start_intwrite(dquot->dq_sb);
++ freeze_protected = true;
++ }
+
+ handle = ext4_journal_start(dquot_to_inode(dquot), EXT4_HT_QUOTA,
+ EXT4_QUOTA_DEL_BLOCKS(dquot->dq_sb));
+ if (IS_ERR(handle)) {
+ /* Release dquot anyway to avoid endless cycle in dqput() */
+ dquot_release(dquot);
++ if (freeze_protected)
++ sb_end_intwrite(dquot->dq_sb);
+ return PTR_ERR(handle);
+ }
+ ret = dquot_release(dquot);
+@@ -6228,6 +6241,10 @@ static int ext4_release_dquot(struct dquot *dquot)
+ err = ext4_journal_stop(handle);
+ if (!ret)
+ ret = err;
++
++ if (freeze_protected)
++ sb_end_intwrite(dquot->dq_sb);
++
+ return ret;
+ }
+
+--
+2.39.5
+
diff --git a/queue-5.15/f2fs-fix-to-avoid-out-of-bounds-access-in-f2fs_trunc.patch b/queue-5.15/f2fs-fix-to-avoid-out-of-bounds-access-in-f2fs_trunc.patch
new file mode 100644
index 0000000000..3fbd99cc23
--- /dev/null
+++ b/queue-5.15/f2fs-fix-to-avoid-out-of-bounds-access-in-f2fs_trunc.patch
@@ -0,0 +1,94 @@
+From ad874bcf9fb751aa3123213e798873842e13e6ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Mar 2025 11:47:38 +0800
+Subject: f2fs: fix to avoid out-of-bounds access in
+ f2fs_truncate_inode_blocks()
+
+From: Chao Yu
+
+[ Upstream commit e6494977bd4a83862118a05f57a8df40256951c0 ]
+
+syzbot reports an UBSAN issue as below:
+
+------------[ cut here ]------------
+UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10
+index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]')
+CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:231 [inline]
+ __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
+ get_nid fs/f2fs/node.h:381 [inline]
+ f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181
+ f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808
+ f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836
+ f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886
+ f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093
+ aio_write+0x56b/0x7c0 fs/aio.c:1633
+ io_submit_one+0x8a7/0x18a0 fs/aio.c:2052
+ __do_sys_io_submit fs/aio.c:2111 [inline]
+ __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f238798cde9
+
+index 18446744073709550692 (decimal, unsigned long long)
+= 0xfffffffffffffc64 (hexadecimal, unsigned long long)
+= -924 (decimal, long long)
+
+In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to
+access .i_nid[-924], it means both offset[0] and level should zero.
+
+The possible case should be in f2fs_do_truncate_blocks(), we try to
+truncate inode size to zero, however, dn.ofs_in_node is zero and
+dn.node_page is not an inode page, so it fails to truncate inode page,
+and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result
+in this issue.
+
+ if (dn.ofs_in_node || IS_INODE(dn.node_page)) {
+ f2fs_truncate_data_blocks_range(&dn, count);
+ free_from += count;
+ }
+
+I guess the reason why dn.node_page is not an inode page could be: there
+are multiple nat entries share the same node block address, once the node
+block address was reused, f2fs_get_node_page() may load a non-inode block.
+
+Let's add a sanity check for such condition to avoid out-of-bounds access
+issue.
+
+Reported-by: syzbot+6653f10281a1badc749e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/66fdcdf3.050a0220.40bef.0025.GAE@google.com
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/node.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
+index b6758887540f2..ae6d65f2ea06a 100644
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -1105,7 +1105,14 @@ int f2fs_truncate_inode_blocks(struct inode *inode, pgoff_t from)
+ trace_f2fs_truncate_inode_blocks_enter(inode, from);
+
+ level = get_node_path(inode, from, offset, noffset);
+- if (level < 0) {
++ if (level <= 0) {
++ if (!level) {
++ level = -EFSCORRUPTED;
++ f2fs_err(sbi, "%s: inode ino=%lx has corrupted node block, from:%lu addrs:%u",
++ __func__, inode->i_ino,
++ from, ADDRS_PER_INODE(inode));
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ }
+ trace_f2fs_truncate_inode_blocks_exit(inode, level);
+ return level;
+ }
+--
+2.39.5
+
diff --git a/queue-5.15/fbdev-omapfb-add-plane-value-check.patch b/queue-5.15/fbdev-omapfb-add-plane-value-check.patch
new file mode 100644
index 0000000000..457f71d0f7
--- /dev/null
+++ b/queue-5.15/fbdev-omapfb-add-plane-value-check.patch
@@ -0,0 +1,57 @@
+From ddbb18bc18b9612449524f0e2fda67ee7ae33ea4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Mar 2025 21:19:52 +0000
+Subject: fbdev: omapfb: Add 'plane' value check
+
+From: Leonid Arapov
+
+[ Upstream commit 3e411827f31db7f938a30a3c7a7599839401ec30 ]
+
+Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB
+of the enum parameter plane.
+
+The value of this parameter is initialized in dss_init_overlays and in the
+current state of the code it cannot take this value so it's not a real
+problem.
+
+For the purposes of defensive coding it wouldn't be superfluous to check
+the parameter value, because some functions down the call stack process
+this value correctly and some not.
+
+For example, in dispc_ovl_setup_global_alpha it may lead to buffer
+overflow.
+
+Add check for this value.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE static
+analysis tool.
+
+Signed-off-by: Leonid Arapov
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+index b2d6e6df21615..d852bef1d507f 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+@@ -2751,9 +2751,13 @@ int dispc_ovl_setup(enum omap_plane plane, const struct omap_overlay_info *oi,
+ bool mem_to_mem)
+ {
+ int r;
+- enum omap_overlay_caps caps = dss_feat_get_overlay_caps(plane);
++ enum omap_overlay_caps caps;
+ enum omap_channel channel;
+
++ if (plane == OMAP_DSS_WB)
++ return -EINVAL;
++
++ caps = dss_feat_get_overlay_caps(plane);
+ channel = dispc_ovl_get_channel_out(plane);
+
+ DSSDBG("dispc_ovl_setup %d, pa %pad, pa_uv %pad, sw %d, %d,%d, %dx%d ->"
+--
+2.39.5
+
diff --git a/queue-5.15/fs-jfs-cast-inactags-to-s64-to-prevent-potential-ove.patch b/queue-5.15/fs-jfs-cast-inactags-to-s64-to-prevent-potential-ove.patch
new file mode 100644
index 0000000000..4d4cbbbf9a
--- /dev/null
+++ b/queue-5.15/fs-jfs-cast-inactags-to-s64-to-prevent-potential-ove.patch
@@ -0,0 +1,51 @@
+From cab007f6bef9555c80750e843b1497a8a071d550 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Feb 2025 12:43:49 +0300
+Subject: fs/jfs: cast inactags to s64 to prevent potential overflow
+
+From: Rand Deeb
+
+[ Upstream commit 70ca3246ad201b53a9f09380b3f29d8bac320383 ]
+
+The expression "inactags << bmp->db_agl2size" in the function
+dbFinalizeBmap() is computed using int operands. Although the
+values (inactags and db_agl2size) are derived from filesystem
+parameters and are usually small, there is a theoretical risk that
+the shift could overflow a 32-bit int if extreme values occur.
+
+According to the C standard, shifting a signed 32-bit int can lead
+to undefined behavior if the result exceeds its range. In our
+case, an overflow could miscalculate free blocks, potentially
+leading to erroneous filesystem accounting.
+
+To ensure the arithmetic is performed in 64-bit space, we cast
+"inactags" to s64 before shifting. This defensive fix prevents any
+risk of overflow and complies with kernel coding best practices.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rand Deeb
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index e6cbe4c982c58..38319be806e10 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -3732,8 +3732,8 @@ void dbFinalizeBmap(struct inode *ipbmap)
+ * system size is not a multiple of the group size).
+ */
+ inactfree = (inactags && ag_rem) ?
+- ((inactags - 1) << bmp->db_agl2size) + ag_rem
+- : inactags << bmp->db_agl2size;
++ (((s64)inactags - 1) << bmp->db_agl2size) + ag_rem
++ : ((s64)inactags << bmp->db_agl2size);
+
+ /* determine how many free blocks are in the active
+ * allocation groups plus the average number of free blocks
+--
+2.39.5
+
diff --git a/queue-5.15/fs-jfs-prevent-integer-overflow-in-ag-size-calculati.patch b/queue-5.15/fs-jfs-prevent-integer-overflow-in-ag-size-calculati.patch
new file mode 100644
index 0000000000..64929e4195
--- /dev/null
+++ b/queue-5.15/fs-jfs-prevent-integer-overflow-in-ag-size-calculati.patch
@@ -0,0 +1,56 @@
+From 71d99695030e8b3e33f24d61cce05ab50af2d386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Feb 2025 12:52:31 +0300
+Subject: fs/jfs: Prevent integer overflow in AG size calculation
+
+From: Rand Deeb
+
+[ Upstream commit 7fcbf789629cdb9fbf4e2172ce31136cfed11e5e ]
+
+The JFS filesystem calculates allocation group (AG) size using 1 <<
+l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
+aggregates on 32-bit systems), this 32-bit shift operation causes undefined
+behavior and improper AG sizing.
+
+On 32-bit architectures:
+- Left-shifting 1 by 32+ bits results in 0 due to integer overflow
+- This creates invalid AG sizes (0 or garbage values) in
+sbi->bmap->db_agsize
+- Subsequent block allocations would reference invalid AG structures
+- Could lead to:
+ - Filesystem corruption during extend operations
+ - Kernel crashes due to invalid memory accesses
+ - Security vulnerabilities via malformed on-disk structures
+
+Fix by casting to s64 before shifting:
+bmp->db_agsize = (s64)1 << l2agsize;
+
+This ensures 64-bit arithmetic even on 32-bit architectures. The cast
+matches the data type of db_agsize (s64) and follows similar patterns in
+JFS block calculation code.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rand Deeb
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 38319be806e10..99e9885cbb444 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -3469,7 +3469,7 @@ int dbExtendFS(struct inode *ipbmap, s64 blkno, s64 nblocks)
+ oldl2agsize = bmp->db_agl2size;
+
+ bmp->db_agl2size = l2agsize;
+- bmp->db_agsize = 1 << l2agsize;
++ bmp->db_agsize = (s64)1 << l2agsize;
+
+ /* compute new number of AG */
+ agno = bmp->db_numag;
+--
+2.39.5
+
diff --git a/queue-5.15/hid-pidff-convert-infinite-length-from-linux-api-to-.patch b/queue-5.15/hid-pidff-convert-infinite-length-from-linux-api-to-.patch
new file mode 100644
index 0000000000..98df06bb58
--- /dev/null
+++ b/queue-5.15/hid-pidff-convert-infinite-length-from-linux-api-to-.patch
@@ -0,0 +1,67 @@
+From 218337b399a08bf804ca193e07fac0582a973c68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 Feb 2025 12:38:45 +0100
+Subject: HID: pidff: Convert infinite length from Linux API to PID standard
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Pakuła
+
+[ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ]
+
+Software uses 0 as de-facto infinite lenght on Linux FF apis (SDL),
+Linux doesn't actually define anythi as of now, while USB PID defines
+NULL (0xffff). Most PID devices do not expect a 0-length effect and
+can't interpret it as infinite. This change fixes Force Feedback for
+most PID compliant devices.
+
+As most games depend on updating the values of already playing infinite
+effects, this is crucial to ensure they will actually work.
+
+Previously, users had to rely on third-party software to do this conversion
+and make their PID devices usable.
+
+Co-developed-by: Makarenko Oleg
+Signed-off-by: Makarenko Oleg
+Signed-off-by: Tomasz Pakuła
+Reviewed-by: Michał Kopeć
+Reviewed-by: Paul Dino Jones
+Tested-by: Paul Dino Jones
+Tested-by: Cristóferson Bueno
+Tested-by: Pablo Cisneros
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/usbhid/hid-pidff.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
+index 3b4ee21cd8111..5fe4422bb5bad 100644
+--- a/drivers/hid/usbhid/hid-pidff.c
++++ b/drivers/hid/usbhid/hid-pidff.c
+@@ -21,6 +21,7 @@
+ #include "usbhid.h"
+
+ #define PID_EFFECTS_MAX 64
++#define PID_INFINITE 0xffff
+
+ /* Report usage table used to put reports into an array */
+
+@@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
+ pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
+ pidff->set_effect_type->value[0] =
+ pidff->create_new_effect_type->value[0];
+- pidff->set_effect[PID_DURATION].value[0] = effect->replay.length;
++
++ /* Convert infinite length from Linux API (0)
++ to PID standard (NULL) if needed */
++ pidff->set_effect[PID_DURATION].value[0] =
++ effect->replay.length == 0 ? PID_INFINITE : effect->replay.length;
++
+ pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button;
+ pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] =
+ effect->trigger.interval;
+--
+2.39.5
+
diff --git a/queue-5.15/hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch b/queue-5.15/hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch
new file mode 100644
index 0000000000..a8a81461da
--- /dev/null
+++ b/queue-5.15/hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch
@@ -0,0 +1,124 @@
+From 7ae43c59c5827813c29fbf5c1abbfa6840fcf8ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 Feb 2025 12:38:46 +0100
+Subject: HID: pidff: Do not send effect envelope if it's empty
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Pakuła
+
+[ Upstream commit 8876fc1884f5b39550c8387ff3176396c988541d ]
+
+Envelope struct is always initialized, but the envelope itself is
+optional as described in USB PID Device class definition 1.0.
+
+5.1.1.1 Type Specific Block Offsets
+...
+4) Effects that do not use Condition Blocks use 1 Parameter Block and
+an *optional* Envelope Block.
+
+Sending out "empty" envelope breaks force feedback on some devices with
+games that use SINE effect + offset to emulate constant force effect, as
+well as generally breaking Constant/Periodic effects. One of the affected
+brands is Moza Racing.
+
+This change prevents the envelope from being sent if it contains all
+0 values while keeping the old behavior of only sending it, if it differs
+from the old one.
+
+Changes in v6:
+- Simplify the checks to make them clearer
+- Fix possible null pointer dereference while calling
+ pidff_needs_set_envelope
+
+Signed-off-by: Tomasz Pakuła
+Reviewed-by: Michał Kopeć
+Reviewed-by: Paul Dino Jones
+Tested-by: Paul Dino Jones
+Tested-by: Cristóferson Bueno
+Tested-by: Pablo Cisneros
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/usbhid/hid-pidff.c | 42 +++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
+index 5fe4422bb5bad..a01c1b2ab2f4c 100644
+--- a/drivers/hid/usbhid/hid-pidff.c
++++ b/drivers/hid/usbhid/hid-pidff.c
+@@ -262,10 +262,22 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
+ static int pidff_needs_set_envelope(struct ff_envelope *envelope,
+ struct ff_envelope *old)
+ {
+- return envelope->attack_level != old->attack_level ||
+- envelope->fade_level != old->fade_level ||
++ bool needs_new_envelope;
++ needs_new_envelope = envelope->attack_level != 0 ||
++ envelope->fade_level != 0 ||
++ envelope->attack_length != 0 ||
++ envelope->fade_length != 0;
++
++ if (!needs_new_envelope)
++ return false;
++
++ if (!old)
++ return needs_new_envelope;
++
++ return envelope->attack_level != old->attack_level ||
++ envelope->fade_level != old->fade_level ||
+ envelope->attack_length != old->attack_length ||
+- envelope->fade_length != old->fade_length;
++ envelope->fade_length != old->fade_length;
+ }
+
+ /*
+@@ -580,11 +592,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
+ pidff_set_effect_report(pidff, effect);
+ if (!old || pidff_needs_set_constant(effect, old))
+ pidff_set_constant_force_report(pidff, effect);
+- if (!old ||
+- pidff_needs_set_envelope(&effect->u.constant.envelope,
+- &old->u.constant.envelope))
+- pidff_set_envelope_report(pidff,
+- &effect->u.constant.envelope);
++ if (pidff_needs_set_envelope(&effect->u.constant.envelope,
++ old ? &old->u.constant.envelope : NULL))
++ pidff_set_envelope_report(pidff, &effect->u.constant.envelope);
+ break;
+
+ case FF_PERIODIC:
+@@ -619,11 +629,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
+ pidff_set_effect_report(pidff, effect);
+ if (!old || pidff_needs_set_periodic(effect, old))
+ pidff_set_periodic_report(pidff, effect);
+- if (!old ||
+- pidff_needs_set_envelope(&effect->u.periodic.envelope,
+- &old->u.periodic.envelope))
+- pidff_set_envelope_report(pidff,
+- &effect->u.periodic.envelope);
++ if (pidff_needs_set_envelope(&effect->u.periodic.envelope,
++ old ? &old->u.periodic.envelope : NULL))
++ pidff_set_envelope_report(pidff, &effect->u.periodic.envelope);
+ break;
+
+ case FF_RAMP:
+@@ -637,11 +645,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
+ pidff_set_effect_report(pidff, effect);
+ if (!old || pidff_needs_set_ramp(effect, old))
+ pidff_set_ramp_force_report(pidff, effect);
+- if (!old ||
+- pidff_needs_set_envelope(&effect->u.ramp.envelope,
+- &old->u.ramp.envelope))
+- pidff_set_envelope_report(pidff,
+- &effect->u.ramp.envelope);
++ if (pidff_needs_set_envelope(&effect->u.ramp.envelope,
++ old ? &old->u.ramp.envelope : NULL))
++ pidff_set_envelope_report(pidff, &effect->u.ramp.envelope);
+ break;
+
+ case FF_SPRING:
+--
+2.39.5
+
diff --git a/queue-5.15/hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch b/queue-5.15/hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch
new file mode 100644
index 0000000000..ffa17e6335
--- /dev/null
+++ b/queue-5.15/hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch
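Review bot: `pidff_needs_set_envelope()` now returns false for an all-zero envelope before `old` is consulted, so an update that clears a previously non-zero envelope is never sent and the device presumably keeps playing the stale one. Dropping the `if (!needs_new_envelope) return false;` early return and letting `if (!old) return needs_new_envelope;` cover the first upload would still suppress the empty envelope on creation while keeping the comparison against `old` for updates. The function is declared `static int` but now returns `false` and a `bool`; `static bool` would match what it returns. The three call-site hunks in pidff_upload_effect depend on this behaviour and their `case` bodies continue outside the hunks.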
@@ -0,0 +1,68 @@ +From 91a03639d050e0d6ec4b66da5c5c3f84532463ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2025 12:39:02 +0100 +Subject: HID: pidff: Fix null pointer dereference in pidff_find_fields +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomasz Pakuła + +[ Upstream commit 22a05462c3d0eee15154faf8d13c49e6295270a5 ] + +This function triggered a null pointer dereference if used to search for +a report that isn't implemented on the device. This happened both for +optional and required reports alike. + +The same logic was applied to pidff_find_special_field and although +pidff_init_fields should return an error earlier if one of the required +reports is missing, future modifications could change this logic and +resurface this possible null pointer dereference again. + +LKML bug report: +https://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com + +Reported-by: Nolan Nicholson +Signed-off-by: Tomasz Pakuła +Reviewed-by: Michał Kopeć +Reviewed-by: Paul Dino Jones +Tested-by: Paul Dino Jones +Tested-by: Cristóferson Bueno +Tested-by: Pablo Cisneros +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/usbhid/hid-pidff.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c +index a01c1b2ab2f4c..26cb331b646ca 100644 +--- a/drivers/hid/usbhid/hid-pidff.c ++++ b/drivers/hid/usbhid/hid-pidff.c +@@ -770,6 +770,11 @@ static void pidff_set_autocenter(struct input_dev *dev, u16 magnitude) + static int pidff_find_fields(struct pidff_usage *usage, const u8 *table, + struct hid_report *report, int count, int strict) + { ++ if (!report) { ++ pr_debug("pidff_find_fields, null report\n"); ++ return -1; ++ } ++ + int i, j, k, found; + + for (k = 0; k < count; k++) { +@@ -883,6 +888,11 @@ static int pidff_reports_ok(struct pidff_device *pidff) + static struct hid_field 
*pidff_find_special_field(struct hid_report *report, + int usage, int enforce_min) + { ++ if (!report) { ++ pr_debug("pidff_find_special_field, null report\n"); ++ return NULL; ++ } ++ + int i; + + for (i = 0; i < report->maxfield; i++) { +-- +2.39.5 + diff --git a/queue-5.15/jfs-add-sanity-check-for-agwidth-in-dbmount.patch b/queue-5.15/jfs-add-sanity-check-for-agwidth-in-dbmount.patch new file mode 100644 index 0000000000..34d2b4d896 --- /dev/null +++ b/queue-5.15/jfs-add-sanity-check-for-agwidth-in-dbmount.patch @@ -0,0 +1,41 @@ +From 15bb90f75a736a31aac5853b05b30ac7b33a5df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 19:24:19 +0800 +Subject: jfs: add sanity check for agwidth in dbMount + +From: Edward Adam Davis + +[ Upstream commit ddf2846f22e8575d6b4b6a66f2100f168b8cd73d ] + +The width in dmapctl of the AG is zero, it trigger a divide error when +calculating the control page level in dbAllocAG. + +To avoid this issue, add a check for agwidth in dbAllocAG. + +Reported-and-tested-by: syzbot+7c808908291a569281a9@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7c808908291a569281a9 +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 99e9885cbb444..cd6ba0c96d77b 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -204,6 +204,10 @@ int dbMount(struct inode *ipbmap) + bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel); + bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight); + bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); ++ if (!bmp->db_agwidth) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } + bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); + bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); + if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG || +-- +2.39.5 + 
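Review bot: In both pidff_find_fields and pidff_find_special_field the new `if (!report)` guard is placed above the local declarations (`int i, j, k, found;` and `int i;`), which mixes statements and declarations. Kernel style keeps declarations at the top of the block, and a tree built with -Wdeclaration-after-statement will warn on both functions; moving each guard below the declarations changes nothing else. The debug lines hard-code the function name, and `pr_debug("%s: null report\n", __func__);` would survive a rename. pidff_find_fields now returns -1 for a missing report, so its callers, which are outside these hunks, have to treat a negative result as "report absent".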
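Review bot: The check added to dbMount rejects only `db_agwidth == 0`, yet the value is read straight from the on-disk control page with `le32_to_cpu`, so a corrupted or crafted image can still supply any other out-of-range width. A range test would be sturdier than a zero test: `bmp->db_agwidth < 1` (if the field is signed) plus an upper bound taken from the dmap layout constants, which are not visible in this hunk. A comment such as `/* on-disk value; 0 would divide by zero in dbAllocAG() */` would also record why the check sits here, since the commit message names dbAllocAG while the code changes dbMount. dbMount's body continues outside the hunk.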
diff --git a/queue-5.15/jfs-fix-uninit-value-access-of-imap-allocated-in-the.patch b/queue-5.15/jfs-fix-uninit-value-access-of-imap-allocated-in-the.patch new file mode 100644 index 0000000000..7820f02675 --- /dev/null +++ b/queue-5.15/jfs-fix-uninit-value-access-of-imap-allocated-in-the.patch 
@@ -0,0 +1,84 @@ +From e203097b34092da4bdea4044cc6b8c91ed117820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2025 22:02:11 +0800 +Subject: jfs: Fix uninit-value access of imap allocated in the diMount() + function + +From: Zhongqiu Han + +[ Upstream commit 9629d7d66c621671d9a47afe27ca9336bfc8a9ea ] + +syzbot reports that hex_dump_to_buffer is using uninit-value: + +===================================================== +BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 +hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 +print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276 +diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876 +jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156 +evict+0x723/0xd10 fs/inode.c:796 +iput_final fs/inode.c:1946 [inline] +iput+0x97b/0xdb0 fs/inode.c:1972 +txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367 +txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] +jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733 +kthread+0x6b9/0xef0 kernel/kthread.c:464 +ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148 +ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + +Uninit was created at: +slab_post_alloc_hook mm/slub.c:4121 [inline] +slab_alloc_node mm/slub.c:4164 [inline] +__kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320 +kmalloc_noprof include/linux/slab.h:901 [inline] +diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105 +jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176 +jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523 +get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636 +get_tree_bdev+0x37/0x50 fs/super.c:1659 +jfs_get_tree+0x34/0x40 fs/jfs/super.c:635 +vfs_get_tree+0xb1/0x5a0 fs/super.c:1814 +do_new_mount+0x71f/0x15e0 fs/namespace.c:3560 +path_mount+0x742/0x1f10 fs/namespace.c:3887 +do_mount fs/namespace.c:3900 [inline] +__do_sys_mount fs/namespace.c:4111 [inline] +__se_sys_mount+0x71f/0x800 fs/namespace.c:4088 +__x64_sys_mount+0xe4/0x150 fs/namespace.c:4088 +x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166 
+do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x77/0x7f +===================================================== + +The reason is that imap is not properly initialized after memory +allocation. It will cause the snprintf() function to write uninitialized +data into linebuf within hex_dump_to_buffer(). + +Fix this by using kzalloc instead of kmalloc to clear its content at the +beginning in diMount(). + +Signed-off-by: Zhongqiu Han +Reported-by: syzbot+df6cdcb35904203d2b6d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/lkml/67b5d07e.050a0220.14d86d.00e6.GAE@google.com/ +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index c72e97f065798..309b5f6e977d7 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -102,7 +102,7 @@ int diMount(struct inode *ipimap) + * allocate/initialize the in-memory inode map control structure + */ + /* allocate the in-memory inode map control structure. */ +- imap = kmalloc(sizeof(struct inomap), GFP_KERNEL); ++ imap = kzalloc(sizeof(struct inomap), GFP_KERNEL); + if (imap == NULL) + return -ENOMEM; + +-- +2.39.5 + diff --git a/queue-5.15/jfs-prevent-copying-of-nlink-with-value-0-from-disk-.patch b/queue-5.15/jfs-prevent-copying-of-nlink-with-value-0-from-disk-.patch new file mode 100644 index 0000000000..280a5d3485 --- /dev/null +++ b/queue-5.15/jfs-prevent-copying-of-nlink-with-value-0-from-disk-.patch 
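Review bot: The allocation in diMount is still sized by type name; `imap = kzalloc(sizeof(*imap), GFP_KERNEL);` keeps the size tied to the pointer if its type ever changes. The switch to kzalloc is the whole fix, but nothing in the code says why zeroing matters. A comment such as `/* zeroed: the structure can be hex-dumped before every field is set */` (per the KMSAN report in the commit message) would stop a later cleanup from reverting it. The two stacked comments above the call say the same thing and could be merged. diMount's body continues outside the hunk.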
@@ -0,0 +1,116 @@ +From 303119bf2ddea4acfa6d9b06cbb1ddc29430df03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 19:13:21 +0800 +Subject: jfs: Prevent copying of nlink with value 0 from disk inode + +From: Edward Adam Davis + +[ Upstream commit b61e69bb1c049cf507e3c654fa3dc1568231bd07 ] + +syzbot report a deadlock in diFree. [1] + +When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4, +which does not match the mounted loop device, causing the mapping of the +mounted loop device to be invalidated. + +When creating the directory and creating the inode of iag in diReadSpecial(), +read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the +metapage data it returns is corrupted, which causes the nlink value of 0 to be +assigned to the iag inode when executing copy_from_dinode(), which ultimately +causes a deadlock when entering diFree(). + +To avoid this, first check the nlink value of dinode before setting iag inode. + +[1] +WARNING: possible recursive locking detected +6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted +-------------------------------------------- +syz-executor301/5309 is trying to acquire lock: +ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889 + +but task is already holding lock: +ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(imap->im_aglock[index])); + lock(&(imap->im_aglock[index])); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +5 locks held by syz-executor301/5309: + #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515 + #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline] + #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: 
filename_create+0x260/0x540 fs/namei.c:4026 + #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630 + #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline] + #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline] + #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669 + #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline] + #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline] + #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669 + +stack backtrace: +CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037 + check_deadlock kernel/locking/lockdep.c:3089 [inline] + validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891 + __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825 + __mutex_lock_common kernel/locking/mutex.c:608 [inline] + __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752 + diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889 + jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156 + evict+0x4e8/0x9b0 fs/inode.c:725 + diFreeSpecial fs/jfs/jfs_imap.c:552 [inline] + duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022 + diNewIAG fs/jfs/jfs_imap.c:2597 [inline] + diAllocExt fs/jfs/jfs_imap.c:1905 [inline] + diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669 + diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590 + ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56 + jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225 
+ vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 + do_mkdirat+0x264/0x3a0 fs/namei.c:4280 + __do_sys_mkdirat fs/namei.c:4295 [inline] + __se_sys_mkdirat fs/namei.c:4293 [inline] + __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-by: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=355da3b3a74881008e8f +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index 309b5f6e977d7..155f66812934a 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -456,7 +456,7 @@ struct inode *diReadSpecial(struct super_block *sb, ino_t inum, int secondary) + dp += inum % 8; /* 8 inodes per 4K page */ + + /* copy on-disk inode to in-memory inode */ +- if ((copy_from_dinode(dp, ip)) != 0) { ++ if ((copy_from_dinode(dp, ip) != 0) || (ip->i_nlink == 0)) { + /* handle bad return by returning NULL for ip */ + set_nlink(ip, 1); /* Don't want iput() deleting it */ + iput(ip); +-- +2.39.5 + diff --git a/queue-5.15/ktest-fix-test-failures-due-to-missing-log_file-dire.patch b/queue-5.15/ktest-fix-test-failures-due-to-missing-log_file-dire.patch new file mode 100644 index 0000000000..b3c12bccc1 --- /dev/null +++ b/queue-5.15/ktest-fix-test-failures-due-to-missing-log_file-dire.patch 
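Review bot: The comment inside the branch in diReadSpecial, `/* handle bad return by returning NULL for ip */`, no longer describes the new `ip->i_nlink == 0` case, where copy_from_dinode succeeded but the on-disk inode is treated as corrupt. Something like `/* copy failed or on-disk nlink is 0 (corrupt inode): return NULL for ip */` keeps the comment true. The condition also carries redundant parentheses; `if (copy_from_dinode(dp, ip) != 0 || ip->i_nlink == 0) {` reads more easily. The rest of the error path and the function body are outside the hunk.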
@@ -0,0 +1,44 @@ +From 59f45870e46f084432f0919b9374d7730e953caf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 04:38:54 +0000 +Subject: ktest: Fix Test Failures Due to Missing LOG_FILE Directories + +From: Ayush Jain + +[ Upstream commit 5a1bed232781d356f842576daacc260f0d0c8d2e ] + +Handle missing parent directories for LOG_FILE path to prevent test +failures. If the parent directories don't exist, create them to ensure +the tests proceed successfully. + +Cc: +Link: https://lore.kernel.org/20250307043854.2518539-1-Ayush.jain3@amd.com +Signed-off-by: Ayush Jain +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index aecea16cbd02f..2109bd42c144a 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -4282,6 +4282,14 @@ if (defined($opt{"LOG_FILE"})) { + if ($opt{"CLEAR_LOG"}) { + unlink $opt{"LOG_FILE"}; + } ++ ++ if (! -e $opt{"LOG_FILE"} && $opt{"LOG_FILE"} =~ m,^(.*/),) { ++ my $dir = $1; ++ if (! -d $dir) { ++ mkpath($dir) or die "Failed to create directories '$dir': $!"; ++ print "\nThe log directory $dir did not exist, so it was created.\n"; ++ } ++ } + open(LOG, ">> $opt{LOG_FILE}") or die "Can't write to $opt{LOG_FILE}"; + LOG->autoflush(1); + } +-- +2.39.5 + diff --git a/queue-5.15/net-vlan-don-t-propagate-flags-on-open.patch b/queue-5.15/net-vlan-don-t-propagate-flags-on-open.patch new file mode 100644 index 0000000000..fa17afc42d --- /dev/null +++ b/queue-5.15/net-vlan-don-t-propagate-flags-on-open.patch 
@@ -0,0 +1,182 @@ +From 8e1f88f08dbb3513f0d9c6d3a9c4c64114b3c66a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 03:06:57 -0700 +Subject: net: vlan: don't propagate flags on open + +From: Stanislav Fomichev + +[ Upstream commit 27b918007d96402aba10ed52a6af8015230f1793 ] + +With the device instance lock, there is now a possibility of a deadlock: + +[ 1.211455] ============================================ +[ 1.211571] WARNING: possible recursive locking detected +[ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted +[ 1.211823] -------------------------------------------- +[ 1.211936] ip/184 is trying to acquire lock: +[ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0 +[ 1.212207] +[ 1.212207] but task is already holding lock: +[ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 +[ 1.212487] +[ 1.212487] other info that might help us debug this: +[ 1.212626] Possible unsafe locking scenario: +[ 1.212626] +[ 1.212751] CPU0 +[ 1.212815] ---- +[ 1.212871] lock(&dev->lock); +[ 1.212944] lock(&dev->lock); +[ 1.213016] +[ 1.213016] *** DEADLOCK *** +[ 1.213016] +[ 1.213143] May be due to missing lock nesting notation +[ 1.213143] +[ 1.213294] 3 locks held by ip/184: +[ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0 +[ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0 +[ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 +[ 1.213895] +[ 1.213895] stack backtrace: +[ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 +[ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 +[ 1.213994] Call Trace: +[ 1.213995] +[ 1.213996] dump_stack_lvl+0x8e/0xd0 +[ 1.214000] print_deadlock_bug+0x28b/0x2a0 +[ 1.214020] lock_acquire+0xea/0x2a0 +[ 1.214027] __mutex_lock+0xbf/0xd40 +[ 1.214038] 
dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI +[ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev +[ 1.214042] __dev_open+0x145/0x270 +[ 1.214046] __dev_change_flags+0xb0/0x1e0 +[ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev +[ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info +[ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0 +[ 1.214058] notifier_call_chain+0x78/0x120 +[ 1.214062] netif_open+0x6d/0x90 +[ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0 +[ 1.214066] bond_enslave+0x64c/0x1230 +[ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0 +[ 1.214077] do_setlink+0x516/0x13b0 +[ 1.214094] rtnl_newlink+0xaba/0xb80 +[ 1.214132] rtnetlink_rcv_msg+0x440/0x490 +[ 1.214144] netlink_rcv_skb+0xeb/0x120 +[ 1.214150] netlink_unicast+0x1f9/0x320 +[ 1.214153] netlink_sendmsg+0x346/0x3f0 +[ 1.214157] __sock_sendmsg+0x86/0xb0 +[ 1.214160] ____sys_sendmsg+0x1c8/0x220 +[ 1.214164] ___sys_sendmsg+0x28f/0x2d0 +[ 1.214179] __x64_sys_sendmsg+0xef/0x140 +[ 1.214184] do_syscall_64+0xec/0x1d0 +[ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 1.214191] RIP: 0033:0x7f2d1b4a7e56 + +Device setup: + + netdevsim0 (down) + ^ ^ + bond netdevsim1.100@netdevsim1 allmulticast=on (down) + +When we enslave the lower device (netdevsim0) which has a vlan, we +propagate vlan's allmuti/promisc flags during ndo_open. This causes +(re)locking on of the real_dev. + +Propagate allmulti/promisc on flags change, not on the open. There +is a slight semantics change that vlans that are down now propagate +the flags, but this seems unlikely to result in the real issues. 
+ +Reproducer: + + echo 0 1 > /sys/bus/netdevsim/new_device + + dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*) + dev=$(echo $dev_path | rev | cut -d/ -f1 | rev) + + ip link set dev $dev name netdevsim0 + ip link set dev netdevsim0 up + + ip link add link netdevsim0 name netdevsim0.100 type vlan id 100 + ip link set dev netdevsim0.100 allmulticast on down + ip link add name bond1 type bond mode 802.3ad + ip link set dev netdevsim0 down + ip link set dev netdevsim0 master bond1 + ip link set dev bond1 up + ip link show + +Reported-by: syzbot+b0c03d76056ef6cd12a6@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/Z9CfXjLMKn6VLG5d@mini-arch/T/#m15ba130f53227c883e79fb969687d69d670337a0 +Signed-off-by: Stanislav Fomichev +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250313100657.2287455-1-sdf@fomichev.me +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/8021q/vlan_dev.c | 31 ++++--------------------------- + 1 file changed, 4 insertions(+), 27 deletions(-) + +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index ad2d3ad34b7d7..945a5bb7402d2 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -272,17 +272,6 @@ static int vlan_dev_open(struct net_device *dev) + goto out; + } + +- if (dev->flags & IFF_ALLMULTI) { +- err = dev_set_allmulti(real_dev, 1); +- if (err < 0) +- goto del_unicast; +- } +- if (dev->flags & IFF_PROMISC) { +- err = dev_set_promiscuity(real_dev, 1); +- if (err < 0) +- goto clear_allmulti; +- } +- + ether_addr_copy(vlan->real_dev_addr, real_dev->dev_addr); + + if (vlan->flags & VLAN_FLAG_GVRP) +@@ -296,12 +285,6 @@ static int vlan_dev_open(struct net_device *dev) + netif_carrier_on(dev); + return 0; + +-clear_allmulti: +- if (dev->flags & IFF_ALLMULTI) +- dev_set_allmulti(real_dev, -1); +-del_unicast: +- if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr)) +- dev_uc_del(real_dev, dev->dev_addr); + out: + netif_carrier_off(dev); + return err; +@@ -314,10 +297,6 @@ 
static int vlan_dev_stop(struct net_device *dev) + + dev_mc_unsync(real_dev, dev); + dev_uc_unsync(real_dev, dev); +- if (dev->flags & IFF_ALLMULTI) +- dev_set_allmulti(real_dev, -1); +- if (dev->flags & IFF_PROMISC) +- dev_set_promiscuity(real_dev, -1); + + if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr)) + dev_uc_del(real_dev, dev->dev_addr); +@@ -474,12 +453,10 @@ static void vlan_dev_change_rx_flags(struct net_device *dev, int change) + { + struct net_device *real_dev = vlan_dev_priv(dev)->real_dev; + +- if (dev->flags & IFF_UP) { +- if (change & IFF_ALLMULTI) +- dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1); +- if (change & IFF_PROMISC) +- dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1); +- } ++ if (change & IFF_ALLMULTI) ++ dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1); ++ if (change & IFF_PROMISC) ++ dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1); + } + + static void vlan_dev_set_rx_mode(struct net_device *vlan_dev) +-- +2.39.5 + diff --git a/queue-5.15/page_pool-avoid-infinite-loop-to-schedule-delayed-wo.patch b/queue-5.15/page_pool-avoid-infinite-loop-to-schedule-delayed-wo.patch new file mode 100644 index 0000000000..faa363db2b --- /dev/null +++ b/queue-5.15/page_pool-avoid-infinite-loop-to-schedule-delayed-wo.patch 
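Review bot: With the IFF_UP test removed from vlan_dev_change_rx_flags and the matching decrements removed from vlan_dev_stop, it is not visible in these hunks what drops real_dev's allmulti and promiscuity counts when a vlan that has the flags set is unregistered while down. Before this change vlan_dev_stop did that. If nothing else does, real_dev could be left in promiscuous or allmulti mode after the vlan is gone, which is worth confirming on a 5.15 tree where the device instance lock named in the commit message may not exist. The return values of `dev_set_allmulti()` and `dev_set_promiscuity()` are also ignored on the remaining path, whereas the removed open path checked them. A short comment above the two `if (change & ...)` lines saying that propagation is now independent of IFF_UP would document the semantic change.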
@@ -0,0 +1,68 @@ +From 50a5177bbf4c71050840254cc3b4da383b929bc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 14:42:50 +0800 +Subject: page_pool: avoid infinite loop to schedule delayed worker + +From: Jason Xing + +[ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ] + +We noticed the kworker in page_pool_release_retry() was waken +up repeatedly and infinitely in production because of the +buggy driver causing the inflight less than 0 and warning +us in page_pool_inflight()[1]. + +Since the inflight value goes negative, it means we should +not expect the whole page_pool to get back to work normally. + +This patch mitigates the adverse effect by not rescheduling +the kworker when detecting the inflight negative in +page_pool_release_retry(). + +[1] +[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ +[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages +... +[Mon Feb 10 20:36:11 2025] Call Trace: +[Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 +[Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 +[Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 +[Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 +[Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 +[Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 +[Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 +[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- +Note: before this patch, the above calltrace would flood the +dmesg due to repeated reschedule of release_dw kworker. 
+ +Signed-off-by: Jason Xing +Reviewed-by: Mina Almasry +Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/page_pool.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/core/page_pool.c b/net/core/page_pool.c +index 069d6ba0e33fb..416be038e1cae 100644 +--- a/net/core/page_pool.c ++++ b/net/core/page_pool.c +@@ -699,7 +699,13 @@ static void page_pool_release_retry(struct work_struct *wq) + int inflight; + + inflight = page_pool_release(pool); +- if (!inflight) ++ /* In rare cases, a driver bug may cause inflight to go negative. ++ * Don't reschedule release if inflight is 0 or negative. ++ * - If 0, the page_pool has been destroyed ++ * - if negative, we will never recover ++ * in both cases no reschedule is necessary. ++ */ ++ if (inflight <= 0) + return; + + /* Periodic warning */ +-- +2.39.5 + diff --git a/queue-5.15/pci-vmd-make-vmd_dev-cfg_lock-a-raw_spinlock_t-type.patch b/queue-5.15/pci-vmd-make-vmd_dev-cfg_lock-a-raw_spinlock_t-type.patch new file mode 100644 index 0000000000..fbdf64ff49 --- /dev/null +++ b/queue-5.15/pci-vmd-make-vmd_dev-cfg_lock-a-raw_spinlock_t-type.patch 
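Review bot: On the `inflight < 0` path page_pool_release_retry now returns without rescheduling, and nothing in this hunk frees the pool, so it presumably stays allocated for good. The new comment says "we will never recover" but does not say that this leak is deliberate. I would word the second bullet as `* - If negative, accounting is broken; the pool is intentionally left allocated`, which also fixes the lower-case "if" and makes the two bullets parallel. The function body continues outside the hunk, so whether a warning is emitted on this path cannot be checked here; the commit message attributes it to page_pool_inflight().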
@@ -0,0 +1,112 @@ +From bd162133721947ef84bfcdf245db2e1fb9ee76fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 09:08:30 +0100 +Subject: PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ryo Takakura + +[ Upstream commit 18056a48669a040bef491e63b25896561ee14d90 ] + +The access to the PCI config space via pci_ops::read and pci_ops::write is +a low-level hardware access. The functions can be accessed with disabled +interrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this +purpose. + +A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be +acquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in +the same context as the pci_lock. + +Make vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with +interrupts disabled. + +This was reported as: + + BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 + Call Trace: + rt_spin_lock+0x4e/0x130 + vmd_pci_read+0x8d/0x100 [vmd] + pci_user_read_config_byte+0x6f/0xe0 + pci_read_config+0xfe/0x290 + sysfs_kf_bin_read+0x68/0x90 + +Signed-off-by: Ryo Takakura +Tested-by: Luis Claudio R. Goncalves +Acked-by: Luis Claudio R. Goncalves +[bigeasy: reword commit message] +Signed-off-by: Sebastian Andrzej Siewior +Tested-off-by: Luis Claudio R. 
Goncalves +Link: https://lore.kernel.org/r/20250218080830.ufw3IgyX@linutronix.de +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +[bhelgaas: add back report info from +https://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/vmd.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c +index 10a078ef4799d..1195c570599c0 100644 +--- a/drivers/pci/controller/vmd.c ++++ b/drivers/pci/controller/vmd.c +@@ -108,7 +108,7 @@ struct vmd_irq_list { + struct vmd_dev { + struct pci_dev *dev; + +- spinlock_t cfg_lock; ++ raw_spinlock_t cfg_lock; + void __iomem *cfgbar; + + int msix_count; +@@ -386,7 +386,7 @@ static int vmd_pci_read(struct pci_bus *bus, unsigned int devfn, int reg, + if (!addr) + return -EFAULT; + +- spin_lock_irqsave(&vmd->cfg_lock, flags); ++ raw_spin_lock_irqsave(&vmd->cfg_lock, flags); + switch (len) { + case 1: + *value = readb(addr); +@@ -401,7 +401,7 @@ static int vmd_pci_read(struct pci_bus *bus, unsigned int devfn, int reg, + ret = -EINVAL; + break; + } +- spin_unlock_irqrestore(&vmd->cfg_lock, flags); ++ raw_spin_unlock_irqrestore(&vmd->cfg_lock, flags); + return ret; + } + +@@ -421,7 +421,7 @@ static int vmd_pci_write(struct pci_bus *bus, unsigned int devfn, int reg, + if (!addr) + return -EFAULT; + +- spin_lock_irqsave(&vmd->cfg_lock, flags); ++ raw_spin_lock_irqsave(&vmd->cfg_lock, flags); + switch (len) { + case 1: + writeb(value, addr); +@@ -439,7 +439,7 @@ static int vmd_pci_write(struct pci_bus *bus, unsigned int devfn, int reg, + ret = -EINVAL; + break; + } +- spin_unlock_irqrestore(&vmd->cfg_lock, flags); ++ raw_spin_unlock_irqrestore(&vmd->cfg_lock, flags); + return ret; + } + +@@ -850,7 +850,7 @@ static int vmd_probe(struct pci_dev *dev, const struct pci_device_id *id) + if (features & VMD_FEAT_OFFSET_FIRST_VECTOR) + vmd->first_vec = 
1; + +- spin_lock_init(&vmd->cfg_lock); ++ raw_spin_lock_init(&vmd->cfg_lock); + pci_set_drvdata(dev, vmd); + err = vmd_enable_domain(vmd, features); + if (err) +-- +2.39.5 + diff --git a/queue-5.15/perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch b/queue-5.15/perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch new file mode 100644 index 0000000000..3f9ef97379 --- /dev/null +++ b/queue-5.15/perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch 
@@ -0,0 +1,67 @@ +From ee0d97bed50f38ac09bb04f603e375f6f1cd4ab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 14:39:57 -0600 +Subject: perf: arm_pmu: Don't disable counter in armpmu_add() + +From: Mark Rutland + +[ Upstream commit dcca27bc1eccb9abc2552aab950b18a9742fb8e7 ] + +Currently armpmu_add() tries to handle a newly-allocated counter having +a stale associated event, but this should not be possible, and if this +were to happen the current mitigation is insufficient and potentially +expensive. It would be better to warn if we encounter the impossible +case. + +Calls to pmu::add() and pmu::del() are serialized by the core perf code, +and armpmu_del() clears the relevant slot in pmu_hw_events::events[] +before clearing the bit in pmu_hw_events::used_mask such that the +counter can be reallocated. Thus when armpmu_add() allocates a counter +index from pmu_hw_events::used_mask, it should not be possible to observe +a stale even in pmu_hw_events::events[] unless either +pmu_hw_events::used_mask or pmu_hw_events::events[] have been corrupted. + +If this were to happen, we'd end up with two events with the same +event->hw.idx, which would clash with each other during reprogramming, +deletion, etc, and produce bogus results. Add a WARN_ON_ONCE() for this +case so that we can detect if this ever occurs in practice. + +That possiblity aside, there's no need to call arm_pmu::disable(event) +for the new event. The PMU reset code initialises the counter in a +disabled state, and armpmu_del() will disable the counter before it can +be reused. Remove the redundant disable. 
+ +Signed-off-by: Mark Rutland +Signed-off-by: Rob Herring (Arm) +Reviewed-by: Anshuman Khandual +Tested-by: James Clark +Link: https://lore.kernel.org/r/20250218-arm-brbe-v19-v20-2-4e9922fc2e8e@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm_pmu.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c +index 57d20cf3da7a3..fd59f40f74435 100644 +--- a/drivers/perf/arm_pmu.c ++++ b/drivers/perf/arm_pmu.c +@@ -338,12 +338,10 @@ armpmu_add(struct perf_event *event, int flags) + if (idx < 0) + return idx; + +- /* +- * If there is an event in the counter we are going to use then make +- * sure it is disabled. +- */ ++ /* The newly-allocated counter should be empty */ ++ WARN_ON_ONCE(hw_events->events[idx]); ++ + event->hw.idx = idx; +- armpmu->disable(event); + hw_events->events[idx] = event; + + hwc->state = PERF_HES_STOPPED | PERF_HES_UPTODATE; +-- +2.39.5 + diff --git a/queue-5.15/pm-cpupower-bench-prevent-null-dereference-on-malloc.patch b/queue-5.15/pm-cpupower-bench-prevent-null-dereference-on-malloc.patch new file mode 100644 index 0000000000..707e57dc90 --- /dev/null +++ b/queue-5.15/pm-cpupower-bench-prevent-null-dereference-on-malloc.patch 
@@ -0,0 +1,38 @@ +From f173f06a4061e50d699af3651e2d378acac9628f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2025 20:27:15 +0800 +Subject: pm: cpupower: bench: Prevent NULL dereference on malloc failure + +From: Zhongqiu Han + +[ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ] + +If malloc returns NULL due to low memory, 'config' pointer can be NULL. +Add a check to prevent NULL dereference. + +Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com +Signed-off-by: Zhongqiu Han +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/bench/parse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c +index e63dc11fa3a53..48e25be6e1635 100644 +--- a/tools/power/cpupower/bench/parse.c ++++ b/tools/power/cpupower/bench/parse.c +@@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname) + struct config *prepare_default_config() + { + struct config *config = malloc(sizeof(struct config)); ++ if (!config) { ++ perror("malloc"); ++ return NULL; ++ } + + dprintf("loading defaults\n"); + +-- +2.39.5 + diff --git a/queue-5.15/scsi-st-fix-array-overflow-in-st_setup.patch b/queue-5.15/scsi-st-fix-array-overflow-in-st_setup.patch new file mode 100644 index 0000000000..2c6bdb9bcd --- /dev/null +++ b/queue-5.15/scsi-st-fix-array-overflow-in-st_setup.patch 
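Review bot: prepare_default_config can now return NULL, but the patch touches no caller, so the fix only helps if every caller already checks the result. That is not visible in this hunk and should be confirmed, otherwise the dereference just moves one frame up. The allocation would also be better as `struct config *config = malloc(sizeof(*config));`, which ties the size to the pointer. The function body continues outside the hunk.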
@@ -0,0 +1,40 @@
+From 22e71acf67458f3b20f376166f282046227bede6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Mar 2025 13:25:14 +0200
+Subject: scsi: st: Fix array overflow in st_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai Mäkisara
+
+[ Upstream commit a018d1cf990d0c339fe0e29b762ea5dc10567d67 ]
+
+Change the array size to follow parms size instead of a fixed value.
+
+Reported-by: Chenyuan Yang
+Closes: https://lore.kernel.org/linux-scsi/CALGdzuoubbra4xKOJcsyThdk5Y1BrAmZs==wbqjbkAgmKS39Aw@mail.gmail.com/
+Signed-off-by: Kai Mäkisara
+Link: https://lore.kernel.org/r/20250311112516.5548-2-Kai.Makisara@kolumbus.fi
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/st.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index 1551d533c7196..956b3b9c5aad5 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -4109,7 +4109,7 @@ static void validate_options(void)
+ */
+ static int __init st_setup(char *str)
+ {
+- int i, len, ints[5];
++ int i, len, ints[ARRAY_SIZE(parms) + 1];
+ char *stp;
+
+ stp = get_options(str, ARRAY_SIZE(ints), ints);
+--
+2.39.5
+
diff --git a/queue-5.15/series b/queue-5.15/series
index ac2b8535c6..dc802b0bda 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
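Review bot: The `+ 1` in `ints[ARRAY_SIZE(parms) + 1]` is the part that prevents the overflow, yet neither the code nor the commit message explains it. get_options() stores the number of parsed integers in ints[0] and the values from ints[1] onward, so the array needs one slot more than parms has entries. A comment above the declaration such as `/* ints[0] is the count from get_options(); one value slot per parms[] entry follows */` would keep a later edit from shrinking it again. The loop that copies ints[] into parms[] is outside this hunk and should be confirmed to bound its index by ARRAY_SIZE(parms).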
@@ -8,3 +8,44 @@ ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch nvmet-fcloop-swap-list_add_tail-arguments.patch net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch nft_set_pipapo-fix-incorrect-avx2-match-of-5th-field.patch +umount-allow-superblock-owners-to-force-umount.patch +pm-cpupower-bench-prevent-null-dereference-on-malloc.patch +x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch +perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch +arm64-cputype-add-qcom_cpu_part_kryo_3xx_gold.patch +xen-mcelog-add-__nonstring-annotations-for-untermina.patch +x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch +hid-pidff-convert-infinite-length-from-linux-api-to-.patch +hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch +hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch +alsa-hda-intel-fix-optimus-when-gpu-has-no-sound.patch +asoc-fsl_audmix-register-card-device-depends-on-dais.patch +alsa-usb-audio-fix-cme-quirk-for-uf-series-keyboards.patch +page_pool-avoid-infinite-loop-to-schedule-delayed-wo.patch +jfs-fix-uninit-value-access-of-imap-allocated-in-the.patch +fs-jfs-cast-inactags-to-s64-to-prevent-potential-ove.patch +fs-jfs-prevent-integer-overflow-in-ag-size-calculati.patch +jfs-prevent-copying-of-nlink-with-value-0-from-disk-.patch +jfs-add-sanity-check-for-agwidth-in-dbmount.patch +ata-libata-eh-do-not-use-atapi-dma-for-a-device-limi.patch +f2fs-fix-to-avoid-out-of-bounds-access-in-f2fs_trunc.patch +ahci-add-pci-id-for-marvell-88se9215-sata-controller.patch +ext4-protect-ext4_release_dquot-against-freezing.patch +ext4-ignore-xattrs-past-end.patch +scsi-st-fix-array-overflow-in-st_setup.patch +wifi-mt76-mt76x2u-add-tp-link-tl-wdn6200-id-to-devic.patch +net-vlan-don-t-propagate-flags-on-open.patch +tracing-fix-return-value-in-__ftrace_event_enable_di.patch +bluetooth-hci_uart-fix-race-during-initialization.patch +drm-allow-encoder-mode_set-even-when-connectors-chan.patch 
+drm-amd-display-update-cursor-request-mode-to-the-be.patch +drm-panel-orientation-quirks-add-support-for-ayaneo-.patch +drm-panel-orientation-quirks-add-new-quirk-for-gpd-w.patch +drm-bridge-panel-forbid-initializing-a-panel-with-un.patch +drivers-base-devres-allow-to-release-group-on-device.patch +drm-amdkfd-clamp-queue-size-to-minimum.patch +drm-amdkfd-fix-pqm_destroy_queue-race-with-gpu-reset.patch +drm-mediatek-mtk_dpi-explicitly-manage-tvd-clock-in-.patch +pci-vmd-make-vmd_dev-cfg_lock-a-raw_spinlock_t-type.patch +fbdev-omapfb-add-plane-value-check.patch +ktest-fix-test-failures-due-to-missing-log_file-dire.patch diff --git a/queue-5.15/tracing-fix-return-value-in-__ftrace_event_enable_di.patch b/queue-5.15/tracing-fix-return-value-in-__ftrace_event_enable_di.patch new file mode 100644 index 0000000000..3e99eec4c8 --- /dev/null +++ b/queue-5.15/tracing-fix-return-value-in-__ftrace_event_enable_di.patch 
@@ -0,0 +1,46 @@
+From b544f6d9406104c9e464bb14e7cd33774d1ee33c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Mar 2025 18:08:21 +0100
+Subject: tracing: fix return value in __ftrace_event_enable_disable for
+ TRACE_REG_UNREGISTER
+
+From: Gabriele Paoloni
+
+[ Upstream commit 0c588ac0ca6c22b774d9ad4a6594681fdfa57d9d ]
+
+When __ftrace_event_enable_disable invokes the class callback to
+unregister the event, the return value is not reported up to the
+caller, hence leading to event unregister failures being silently
+ignored.
+
+This patch assigns the ret variable to the invocation of the
+event unregister callback, so that its return value is stored
+and reported to the caller, and it raises a warning in case
+of error.
+
+Link: https://lore.kernel.org/20250321170821.101403-1-gpaoloni@redhat.com
+Signed-off-by: Gabriele Paoloni
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/trace_events.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
+index 54a035b079d38..e9d40f9fb09ba 100644
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -763,7 +763,9 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
+ clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
+ }
+
+- call->class->reg(call, TRACE_REG_UNREGISTER, file);
++ ret = call->class->reg(call, TRACE_REG_UNREGISTER, file);
++
++ WARN_ON_ONCE(ret);
+ }
+ /* If in SOFT_MODE, just set the SOFT_DISABLE_BIT, else clear it */
+ if (file->flags & EVENT_FILE_FL_SOFT_MODE)
+--
+2.39.5
+
diff --git a/queue-5.15/umount-allow-superblock-owners-to-force-umount.patch b/queue-5.15/umount-allow-superblock-owners-to-force-umount.patch
new file mode 100644
index 0000000000..6d3ca13907
--- /dev/null
+++ b/queue-5.15/umount-allow-superblock-owners-to-force-umount.patch
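Review bot: `WARN_ON_ONCE(ret);` turns an error that is already being returned to the caller into a kernel warning, and on a system running with panic_on_warn that warning is a panic. If the unregister callback can fail during normal operation (not visible from this hunk), a plain message such as `pr_warn_once("event unregister failed: %d\n", ret);` would report it without that side effect. The `clear_bit()` calls above have already run when `ret` is set, so a comment noting that the flag state is not rolled back on failure would help whoever handles the new error. The function starts and ends outside this hunk.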
@@ -0,0 +1,46 @@
+From ba414ff264f2941b94d303476486da926f97b138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Mar 2025 12:29:21 -0400
+Subject: umount: Allow superblock owners to force umount
+
+From: Trond Myklebust
+
+[ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ]
+
+Loosen the permission check on forced umount to allow users holding
+CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
+to the userns that originally mounted the filesystem.
+
+Signed-off-by: Trond Myklebust
+Link: https://lore.kernel.org/r/12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com
+Acked-by: "Eric W. Biederman"
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/namespace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 22af4b6c737f4..642baef4d9aaa 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1734,6 +1734,7 @@ static void warn_mandlock(void)
+ static int can_umount(const struct path *path, int flags)
+ {
+ struct mount *mnt = real_mount(path->mnt);
++ struct super_block *sb = path->dentry->d_sb;
+
+ if (!may_mount())
+ return -EPERM;
+@@ -1743,7 +1744,7 @@ static int can_umount(const struct path *path, int flags)
+ return -EINVAL;
+ if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
+ return -EINVAL;
+- if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
++ if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
+ return -EPERM;
+ return 0;
+ }
+--
+2.39.5
+
diff --git a/queue-5.15/wifi-mt76-mt76x2u-add-tp-link-tl-wdn6200-id-to-devic.patch b/queue-5.15/wifi-mt76-mt76x2u-add-tp-link-tl-wdn6200-id-to-devic.patch
new file mode 100644
index 0000000000..fe16eca81f
--- /dev/null
+++ b/queue-5.15/wifi-mt76-mt76x2u-add-tp-link-tl-wdn6200-id-to-devic.patch
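Review bot: The MNT_FORCE check in `can_umount()` moves from a global capability to one scoped by `sb->s_user_ns`, and the code carries no comment saying why the superblock's namespace is the right scope for a privilege decision. A forced umount acts on the filesystem instance rather than on this one mount, so a line above the check such as `/* MNT_FORCE acts on the superblock: require CAP_SYS_ADMIN in the userns that owns it */` would record the reasoning. For a superblock owned by the initial user namespace the result should be the same as before. The policy widens only for filesystems mounted from inside a user namespace, and it would help reviewers of the backport if the description named which filesystems those are in 5.15.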
@@ -0,0 +1,36 @@
+From 7256fe20aa3ea4e5d9d8ae31c8d51aed0e4123c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Mar 2025 18:22:35 +0800
+Subject: wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
+
+From: Icenowy Zheng
+
+[ Upstream commit 06cccc2ebbe6c8a20f714f3a0ff3ff489d3004bb ]
+
+The TP-Link TL-WDN6200 "Driverless" version cards use a MT7612U chipset.
+
+Add the USB ID to mt76x2u driver.
+
+Signed-off-by: Icenowy Zheng
+Link: https://patch.msgid.link/20250317102235.1421726-1-uwu@icenowy.me
+Signed-off-by: Felix Fietkau
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+index 2575369e44e20..9369515f36a3a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+@@ -21,6 +21,7 @@ static const struct usb_device_id mt76x2u_device_table[] = {
+ { USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */
+ { USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */
+ { USB_DEVICE(0x045e, 0x02fe) }, /* XBox One Wireless Adapter */
++ { USB_DEVICE(0x2357, 0x0137) }, /* TP-Link TL-WDN6200 */
+ { },
+ };
+
+--
+2.39.5
+
diff --git a/queue-5.15/x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch b/queue-5.15/x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch
new file mode 100644
index 0000000000..6ad4b2d938
--- /dev/null
+++ b/queue-5.15/x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch
@@ -0,0 +1,103 @@ +From ef94e73daf2608bbcc9fff67720cb51b4e946eab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 21:45:05 +0100 +Subject: x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD + when running in a virtual machine +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Max Grobecker + +[ Upstream commit a4248ee16f411ac1ea7dfab228a6659b111e3d65 ] + +When running in a virtual machine, we might see the original hardware CPU +vendor string (i.e. "AuthenticAMD"), but a model and family ID set by the +hypervisor. In case we run on AMD hardware and the hypervisor sets a model +ID < 0x14, the LAHF cpu feature is eliminated from the the list of CPU +capabilities present to circumvent a bug with some BIOSes in conjunction with +AMD K8 processors. + +Parsing the flags list from /proc/cpuinfo seems to be happening mostly in +bash scripts and prebuilt Docker containers, as it does not need to have +additionals tools present – even though more reliable ways like using "kcpuid", +which calls the CPUID instruction instead of parsing a list, should be preferred. +Scripts, that use /proc/cpuinfo to determine if the current CPU is +"compliant" with defined microarchitecture levels like x86-64-v2 will falsely +claim the CPU is incapable of modern CPU instructions when "lahf_lm" is missing +in that flags list. + +This can prevent some docker containers from starting or build scripts to create +unoptimized binaries. + +Admittably, this is more a small inconvenience than a severe bug in the kernel +and the shoddy scripts that rely on parsing /proc/cpuinfo +should be fixed instead. + +This patch adds an additional check to see if we're running inside a +virtual machine (X86_FEATURE_HYPERVISOR is present), which, to my +understanding, can't be present on a real K8 processor as it was introduced +only with the later/other Athlon64 models. 
+ +Example output with the "lahf_lm" flag missing in the flags list +(should be shown between "hypervisor" and "abm"): + + $ cat /proc/cpuinfo + processor : 0 + vendor_id : AuthenticAMD + cpu family : 15 + model : 6 + model name : Common KVM processor + stepping : 1 + microcode : 0x1000065 + cpu MHz : 2599.998 + cache size : 512 KB + physical id : 0 + siblings : 1 + core id : 0 + cpu cores : 1 + apicid : 0 + initial apicid : 0 + fpu : yes + fpu_exception : yes + cpuid level : 13 + wp : yes + flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca + cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp + lm rep_good nopl cpuid extd_apicid tsc_known_freq pni + pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt + tsc_deadline_timer aes xsave avx f16c hypervisor abm + 3dnowprefetch vmmcall bmi1 avx2 bmi2 xsaveopt + +... while kcpuid shows the feature to be present in the CPU: + + # kcpuid -d | grep lahf + lahf_lm - LAHF/SAHF available in 64-bit mode + +[ mingo: Updated the comment a bit, incorporated Boris's review feedback. ] + +Signed-off-by: Max Grobecker +Signed-off-by: Ingo Molnar +Cc: linux-kernel@vger.kernel.org +Cc: Borislav Petkov +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index ce5b27db65e10..a8dc7fe5f1003 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -811,7 +811,7 @@ static void init_amd_k8(struct cpuinfo_x86 *c) + * (model = 0x14) and later actually support it. + * (AMD Erratum #110, docId: 25759). + */ +- if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM)) { ++ if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM) && !cpu_has(c, X86_FEATURE_HYPERVISOR)) { + clear_cpu_cap(c, X86_FEATURE_LAHF_LM); + if (!rdmsrl_amd_safe(0xc001100d, &value)) { + value &= ~BIT_64(32); +-- +2.39.5 + 
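Review bot: The comment above the condition in `init_amd_k8()` still describes only the BIOS erratum, as far as the hunk shows, while the condition now also skips the workaround whenever X86_FEATURE_HYPERVISOR is set. A sentence added to that comment, such as `Skip this under a hypervisor: the guest may see a family/model chosen by the host rather than a real K8.`, would explain the third clause. The condition now runs well past 100 columns and would read better wrapped after the second `&&`. The hypervisor bit is itself supplied by the host, so the check trusts the virtual CPUID; the commit message argues that a real K8 cannot set it. The start of the comment and the rest of the function are outside this hunk.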
diff --git a/queue-5.15/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch b/queue-5.15/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch new file mode 100644 index 0000000000..0da43b2c57 --- /dev/null +++ b/queue-5.15/x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch 
@@ -0,0 +1,85 @@ +From f915f4bd41ad619ca5a481a67c0f10b3c63028b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 14:14:55 +0300 +Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero + +From: Kirill A. Shutemov + +[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ] + +The current calculation of the 'next' virtual address in the +page table initialization functions in arch/x86/mm/ident_map.c +doesn't protect against wrapping to zero. + +This is a theoretical issue that cannot happen currently, +the problematic case is possible only if the user sets a +high enough x86_mapping_info::offset value - which no +current code in the upstream kernel does. + +( The wrapping to zero only occurs if the top PGD entry is accessed. + There are no such users upstream. Only hibernate_64.c uses + x86_mapping_info::offset, and it operates on the direct mapping + range, which is not the top PGD entry. ) + +Should such an overflow happen, it can result in page table +corruption and a hang. + +To future-proof this code, replace the manual 'next' calculation +with p?d_addr_end() which handles wrapping correctly. + +[ Backporter's note: there's no need to backport this patch. ] + +Signed-off-by: Kirill A. 
Shutemov +Signed-off-by: Ingo Molnar +Reviewed-by: Kai Huang +Reviewed-by: Tom Lendacky +Cc: Andy Lutomirski +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/mm/ident_map.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c +index 968d7005f4a72..2f383e288c430 100644 +--- a/arch/x86/mm/ident_map.c ++++ b/arch/x86/mm/ident_map.c +@@ -27,9 +27,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page, + pud_t *pud = pud_page + pud_index(addr); + pmd_t *pmd; + +- next = (addr & PUD_MASK) + PUD_SIZE; +- if (next > end) +- next = end; ++ next = pud_addr_end(addr, end); + + if (info->direct_gbpages) { + pud_t pudval; +@@ -68,10 +66,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page, + p4d_t *p4d = p4d_page + p4d_index(addr); + pud_t *pud; + +- next = (addr & P4D_MASK) + P4D_SIZE; +- if (next > end) +- next = end; +- ++ next = p4d_addr_end(addr, end); + if (p4d_present(*p4d)) { + pud = pud_offset(p4d, 0); + result = ident_pud_init(info, pud, addr, next); +@@ -113,10 +108,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page, + pgd_t *pgd = pgd_page + pgd_index(addr); + p4d_t *p4d; + +- next = (addr & PGDIR_MASK) + PGDIR_SIZE; +- if (next > end) +- next = end; +- ++ next = pgd_addr_end(addr, end); + if (pgd_present(*pgd)) { + p4d = p4d_offset(pgd, 0); + result = ident_p4d_init(info, p4d, addr, next); +-- +2.39.5 + diff --git a/queue-5.15/xen-mcelog-add-__nonstring-annotations-for-untermina.patch b/queue-5.15/xen-mcelog-add-__nonstring-annotations-for-untermina.patch new file mode 100644 index 0000000000..d68c7a088c --- /dev/null +++ b/queue-5.15/xen-mcelog-add-__nonstring-annotations-for-untermina.patch 
@@ -0,0 +1,45 @@
+From 236c63ef2ff9998c34eca25f13cfca67451e194c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Mar 2025 15:22:38 -0700
+Subject: xen/mcelog: Add __nonstring annotations for unterminated strings
+
+From: Kees Cook
+
+[ Upstream commit 1c3dfc7c6b0f551fdca3f7c1f1e4c73be8adb17d ]
+
+When a character array without a terminating NUL character has a static
+initializer, GCC 15's -Wunterminated-string-initialization will only
+warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
+with __nonstring to and correctly identify the char array as "not a C
+string" and thereby eliminate the warning.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1]
+Cc: Juergen Gross
+Cc: Stefano Stabellini
+Cc: Oleksandr Tyshchenko
+Cc: xen-devel@lists.xenproject.org
+Signed-off-by: Kees Cook
+Acked-by: Juergen Gross
+Message-ID: <20250310222234.work.473-kees@kernel.org>
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ include/xen/interface/xen-mca.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/xen/interface/xen-mca.h b/include/xen/interface/xen-mca.h
+index 7483a78d24251..20a3b320d1a58 100644
+--- a/include/xen/interface/xen-mca.h
++++ b/include/xen/interface/xen-mca.h
+@@ -371,7 +371,7 @@ struct xen_mce {
+ #define XEN_MCE_LOG_LEN 32
+
+ struct xen_mce_log {
+- char signature[12]; /* "MACHINECHECK" */
++ char signature[12] __nonstring; /* "MACHINECHECK" */
+ unsigned len; /* = XEN_MCE_LOG_LEN */
+ unsigned next;
+ unsigned flags;
+--
+2.39.5
+
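Review bot: The field comment `/* "MACHINECHECK" */` on `signature` does not say that the array is unterminated, which is the reason `__nonstring` is being added. The literal is exactly 12 characters, so `signature[12]` has no room for a NUL. Extending the comment to `/* "MACHINECHECK", 12 bytes, no NUL terminator */` tells readers to compare the field with a length-bounded call (memcmp with sizeof) rather than a string function. The code that reads the field is outside this hunk, and struct xen_mce_log continues past its end.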