From: Greg Kroah-Hartman Date: Mon, 12 Aug 2024 12:10:27 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.105~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b04b5818cb2aaee21a5f30a18bef6006c3b1f6da;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch irqchip-xilinx-fix-shift-out-of-bounds.patch kcov-properly-check-for-softirq-context.patch padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch parisc-fix-a-possible-dma-corruption.patch power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch smb3-fix-setting-securityflags-when-encryption-is-required.patch timekeeping-fix-bogus-clock_was_set-invocation-in-do_adjtimex.patch tracing-fix-overflow-in-get_free_elt.patch x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch --- diff --git a/queue-6.1/asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch b/queue-6.1/asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch new file mode 100644 index 00000000000..fdb9690b7dc --- /dev/null +++ b/queue-6.1/asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch 
@@ -0,0 +1,38 @@ +From 6675e76a5c441b52b1b983ebb714122087020ebe Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 7 Aug 2024 19:02:27 +0200 +Subject: ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx + +From: Takashi Iwai + +commit 6675e76a5c441b52b1b983ebb714122087020ebe upstream. + +Fix the missing mic on OMEN by HP Gaming Laptop 16-n0xxx by adding the +quirk entry with the board ID 8A44. + +Cc: stable@vger.kernel.org +Link: https://bugzilla.suse.com/show_bug.cgi?id=1227182 +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20240807170249.16490-1-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -385,6 +385,13 @@ static const struct dmi_system_id yc_acp + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_BOARD_NAME, "8A44"), ++ } ++ }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), + DMI_MATCH(DMI_BOARD_NAME, "8A22"), + } + }, diff --git a/queue-6.1/btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch b/queue-6.1/btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch new file mode 100644 index 00000000000..5e73038dee3 --- /dev/null +++ b/queue-6.1/btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch 
@@ -0,0 +1,66 @@ +From 12653ec36112ab55fa06c01db7c4432653d30a8d Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 19 Jul 2024 18:56:46 +0930 +Subject: btrfs: avoid using fixed char array size for tree names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Qu Wenruo + +commit 12653ec36112ab55fa06c01db7c4432653d30a8d upstream. + +[BUG] +There is a bug report that using the latest trunk GCC 15, btrfs would cause +unterminated-string-initialization warning: + + linux-6.6/fs/btrfs/print-tree.c:29:49: error: initializer-string for array of ‘char’ is too long [-Werror=unterminated-string-initialization] + 29 | { BTRFS_BLOCK_GROUP_TREE_OBJECTID, "BLOCK_GROUP_TREE" }, + | + ^~~~~~~~~~~~~~~~~~ + +[CAUSE] +To print tree names we have an array of root_name_map structure, which +uses "char name[16];" to store the name string of a tree. + +But the following trees have names exactly at 16 chars length: +- "BLOCK_GROUP_TREE" +- "RAID_STRIPE_TREE" + +This means we will have no space for the terminating '\0', and can lead +to unexpected access when printing the name. + +[FIX] +Instead of "char name[16];" use "const char *" instead. + +Since the name strings are all read-only data, and are all NULL +terminated by default, there is not much need to bother the length at +all. 
+ +Reported-by: Sam James +Reported-by: Alejandro Colomar +Fixes: edde81f1abf29 ("btrfs: add raid stripe tree pretty printer") +Fixes: 9c54e80ddc6bd ("btrfs: add code to support the block group root") +CC: stable@vger.kernel.org # 6.1+ +Suggested-by: Alejandro Colomar +Reviewed-by: Johannes Thumshirn +Reviewed-by: Alejandro Colomar +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/print-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/print-tree.c ++++ b/fs/btrfs/print-tree.c +@@ -9,7 +9,7 @@ + + struct root_name_map { + u64 id; +- char name[16]; ++ const char *name; + }; + + static const struct root_name_map root_map[] = { diff --git a/queue-6.1/genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch b/queue-6.1/genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch new file mode 100644 index 00000000000..76755678bc1 --- /dev/null +++ b/queue-6.1/genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch 
@@ -0,0 +1,43 @@ +From edbbaae42a56f9a2b39c52ef2504dfb3fb0a7858 Mon Sep 17 00:00:00 2001 +From: Shay Drory +Date: Tue, 6 Aug 2024 10:20:44 +0300 +Subject: genirq/irqdesc: Honor caller provided affinity in alloc_desc() + +From: Shay Drory + +commit edbbaae42a56f9a2b39c52ef2504dfb3fb0a7858 upstream. + +Currently, whenever a caller is providing an affinity hint for an +interrupt, the allocation code uses it to calculate the node and copies the +cpumask into irq_desc::affinity. + +If the affinity for the interrupt is not marked 'managed' then the startup +of the interrupt ignores irq_desc::affinity and uses the system default +affinity mask. + +Prevent this by setting the IRQD_AFFINITY_SET flag for the interrupt in the +allocator, which causes irq_setup_affinity() to use irq_desc::affinity on +interrupt startup if the mask contains an online CPU. + +[ tglx: Massaged changelog ] + +Fixes: 45ddcecbfa94 ("genirq: Use affinity hint in irqdesc allocation") +Signed-off-by: Shay Drory +Signed-off-by: Thomas Gleixner +Cc: +Link: https://lore.kernel.org/all/20240806072044.837827-1-shayd@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/irqdesc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -493,6 +493,7 @@ static int alloc_descs(unsigned int star + flags = IRQD_AFFINITY_MANAGED | + IRQD_MANAGED_SHUTDOWN; + } ++ flags |= IRQD_AFFINITY_SET; + mask = &affinity->mask; + node = cpu_to_node(cpumask_first(mask)); + affinity++; diff --git a/queue-6.1/irqchip-xilinx-fix-shift-out-of-bounds.patch b/queue-6.1/irqchip-xilinx-fix-shift-out-of-bounds.patch new file mode 100644 index 00000000000..47500503bbe --- /dev/null +++ b/queue-6.1/irqchip-xilinx-fix-shift-out-of-bounds.patch 
@@ -0,0 +1,46 @@ +From d73f0f49daa84176c3beee1606e73c7ffb6af8b2 Mon Sep 17 00:00:00 2001 +From: Radhey Shyam Pandey +Date: Fri, 9 Aug 2024 12:32:24 +0530 +Subject: irqchip/xilinx: Fix shift out of bounds + +From: Radhey Shyam Pandey + +commit d73f0f49daa84176c3beee1606e73c7ffb6af8b2 upstream. + +The device tree property 'xlnx,kind-of-intr' is sanity checked that the +bitmask contains only set bits which are in the range of the number of +interrupts supported by the controller. + +The check is done by shifting the mask right by the number of supported +interrupts and checking the result for zero. + +The data type of the mask is u32 and the number of supported interrupts is +up to 32. In case of 32 interrupts the shift is out of bounds, resulting in +a mismatch warning. The out of bounds condition is also reported by UBSAN: + + UBSAN: shift-out-of-bounds in irq-xilinx-intc.c:332:22 + shift exponent 32 is too large for 32-bit type 'unsigned int' + +Fix it by promoting the mask to u64 for the test. + +Fixes: d50466c90724 ("microblaze: intc: Refactor DT sanity check") +Signed-off-by: Radhey Shyam Pandey +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/1723186944-3571957-1-git-send-email-radhey.shyam.pandey@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-xilinx-intc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-xilinx-intc.c ++++ b/drivers/irqchip/irq-xilinx-intc.c +@@ -189,7 +189,7 @@ static int __init xilinx_intc_of_init(st + irqc->intr_mask = 0; + } + +- if (irqc->intr_mask >> irqc->nr_irq) ++ if ((u64)irqc->intr_mask >> irqc->nr_irq) + pr_warn("irq-xilinx: mismatch in kind-of-intr param\n"); + + pr_info("irq-xilinx: %pOF: num_irq=%d, edge=0x%x\n", diff --git a/queue-6.1/kcov-properly-check-for-softirq-context.patch b/queue-6.1/kcov-properly-check-for-softirq-context.patch new file mode 100644 index 00000000000..2cb47a8a737 --- /dev/null 
+++ b/queue-6.1/kcov-properly-check-for-softirq-context.patch 
@@ -0,0 +1,96 @@ +From 7d4df2dad312f270d62fecb0e5c8b086c6d7dcfc Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Mon, 29 Jul 2024 04:21:58 +0200 +Subject: kcov: properly check for softirq context + +From: Andrey Konovalov + +commit 7d4df2dad312f270d62fecb0e5c8b086c6d7dcfc upstream. + +When collecting coverage from softirqs, KCOV uses in_serving_softirq() to +check whether the code is running in the softirq context. Unfortunately, +in_serving_softirq() is > 0 even when the code is running in the hardirq +or NMI context for hardirqs and NMIs that happened during a softirq. + +As a result, if a softirq handler contains a remote coverage collection +section and a hardirq with another remote coverage collection section +happens during handling the softirq, KCOV incorrectly detects a nested +softirq coverate collection section and prints a WARNING, as reported by +syzbot. + +This issue was exposed by commit a7f3813e589f ("usb: gadget: dummy_hcd: +Switch to hrtimer transfer scheduler"), which switched dummy_hcd to using +hrtimer and made the timer's callback be executed in the hardirq context. + +Change the related checks in KCOV to account for this behavior of +in_serving_softirq() and make KCOV ignore remote coverage collection +sections in the hardirq and NMI contexts. + +This prevents the WARNING printed by syzbot but does not fix the inability +of KCOV to collect coverage from the __usb_hcd_giveback_urb when dummy_hcd +is in use (caused by a7f3813e589f); a separate patch is required for that. 
+ +Link: https://lkml.kernel.org/r/20240729022158.92059-1-andrey.konovalov@linux.dev +Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts") +Signed-off-by: Andrey Konovalov +Reported-by: syzbot+2388cdaeb6b10f0c13ac@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2388cdaeb6b10f0c13ac +Acked-by: Marco Elver +Cc: Alan Stern +Cc: Aleksandr Nogikh +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Greg Kroah-Hartman +Cc: Marcello Sylvester Bauer +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kcov.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/kernel/kcov.c ++++ b/kernel/kcov.c +@@ -161,6 +161,15 @@ static void kcov_remote_area_put(struct + kmsan_unpoison_memory(&area->list, sizeof(area->list)); + } + ++/* ++ * Unlike in_serving_softirq(), this function returns false when called during ++ * a hardirq or an NMI that happened in the softirq context. ++ */ ++static inline bool in_softirq_really(void) ++{ ++ return in_serving_softirq() && !in_hardirq() && !in_nmi(); ++} ++ + static notrace bool check_kcov_mode(enum kcov_mode needed_mode, struct task_struct *t) + { + unsigned int mode; +@@ -170,7 +179,7 @@ static notrace bool check_kcov_mode(enum + * so we ignore code executed in interrupts, unless we are in a remote + * coverage collection section in a softirq. 
+ */ +- if (!in_task() && !(in_serving_softirq() && t->kcov_softirq)) ++ if (!in_task() && !(in_softirq_really() && t->kcov_softirq)) + return false; + mode = READ_ONCE(t->kcov_mode); + /* +@@ -847,7 +856,7 @@ void kcov_remote_start(u64 handle) + + if (WARN_ON(!kcov_check_handle(handle, true, true, true))) + return; +- if (!in_task() && !in_serving_softirq()) ++ if (!in_task() && !in_softirq_really()) + return; + + local_lock_irqsave(&kcov_percpu_data.lock, flags); +@@ -989,7 +998,7 @@ void kcov_remote_stop(void) + int sequence; + unsigned long flags; + +- if (!in_task() && !in_serving_softirq()) ++ if (!in_task() && !in_softirq_really()) + return; + + local_lock_irqsave(&kcov_percpu_data.lock, flags); diff --git a/queue-6.1/padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch b/queue-6.1/padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch new file mode 100644 index 00000000000..98495f93ff9 --- /dev/null +++ b/queue-6.1/padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch 
@@ -0,0 +1,65 @@ +From 6d45e1c948a8b7ed6ceddb14319af69424db730c Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Tue, 6 Aug 2024 13:46:47 -0400 +Subject: padata: Fix possible divide-by-0 panic in padata_mt_helper() + +From: Waiman Long + +commit 6d45e1c948a8b7ed6ceddb14319af69424db730c upstream. + +We are hit with a not easily reproducible divide-by-0 panic in padata.c at +bootup time. + + [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI + [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1 + [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021 + [ 10.017908] Workqueue: events_unbound padata_mt_helper + [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0 + : + [ 10.017963] Call Trace: + [ 10.017968] + [ 10.018004] ? padata_mt_helper+0x39/0xb0 + [ 10.018084] process_one_work+0x174/0x330 + [ 10.018093] worker_thread+0x266/0x3a0 + [ 10.018111] kthread+0xcf/0x100 + [ 10.018124] ret_from_fork+0x31/0x50 + [ 10.018138] ret_from_fork_asm+0x1a/0x30 + [ 10.018147] + +Looking at the padata_mt_helper() function, the only way a divide-by-0 +panic can happen is when ps->chunk_size is 0. The way that chunk_size is +initialized in padata_do_multithreaded(), chunk_size can be 0 when the +min_chunk in the passed-in padata_mt_job structure is 0. + +Fix this divide-by-0 panic by making sure that chunk_size will be at least +1 no matter what the input parameters are. 
+ +Link: https://lkml.kernel.org/r/20240806174647.1050398-1-longman@redhat.com +Fixes: 004ed42638f4 ("padata: add basic support for multithreaded jobs") +Signed-off-by: Waiman Long +Cc: Daniel Jordan +Cc: Steffen Klassert +Cc: Waiman Long +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/padata.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -508,6 +508,13 @@ void __init padata_do_multithreaded(stru + ps.chunk_size = max(ps.chunk_size, job->min_chunk); + ps.chunk_size = roundup(ps.chunk_size, job->align); + ++ /* ++ * chunk_size can be 0 if the caller sets min_chunk to 0. So force it ++ * to at least 1 to prevent divide-by-0 panic in padata_mt_helper().` ++ */ ++ if (!ps.chunk_size) ++ ps.chunk_size = 1U; ++ + list_for_each_entry(pw, &works, pw_list) + queue_work(system_unbound_wq, &pw->pw_work); + diff --git a/queue-6.1/parisc-fix-a-possible-dma-corruption.patch b/queue-6.1/parisc-fix-a-possible-dma-corruption.patch new file mode 100644 index 00000000000..81998074f28 --- /dev/null +++ b/queue-6.1/parisc-fix-a-possible-dma-corruption.patch 
@@ -0,0 +1,62 @@ +From 7ae04ba36b381bffe2471eff3a93edced843240f Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sat, 27 Jul 2024 20:22:52 +0200 +Subject: parisc: fix a possible DMA corruption + +From: Mikulas Patocka + +commit 7ae04ba36b381bffe2471eff3a93edced843240f upstream. + +ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be +possible that two unrelated 16-byte allocations share a cache line. If +one of these allocations is written using DMA and the other is written +using cached write, the value that was written with DMA may be +corrupted. + +This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 - +that's the largest possible cache line size. + +As different parisc microarchitectures have different cache line size, we +define arch_slab_minalign(), cache_line_size() and +dma_get_cache_alignment() so that the kernel may tune slab cache +parameters dynamically, based on the detected cache line size. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Kconfig | 1 + + arch/parisc/include/asm/cache.h | 11 ++++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/parisc/Kconfig ++++ b/arch/parisc/Kconfig +@@ -18,6 +18,7 @@ config PARISC + select ARCH_SUPPORTS_HUGETLBFS if PA20 + select ARCH_SUPPORTS_MEMORY_FAILURE + select ARCH_STACKWALK ++ select ARCH_HAS_CACHE_LINE_SIZE + select ARCH_HAS_DEBUG_VM_PGTABLE + select HAVE_RELIABLE_STACKTRACE + select DMA_OPS +--- a/arch/parisc/include/asm/cache.h ++++ b/arch/parisc/include/asm/cache.h +@@ -20,7 +20,16 @@ + + #define SMP_CACHE_BYTES L1_CACHE_BYTES + +-#define ARCH_DMA_MINALIGN L1_CACHE_BYTES ++#ifdef CONFIG_PA20 ++#define ARCH_DMA_MINALIGN 128 ++#else ++#define ARCH_DMA_MINALIGN 32 ++#endif ++#define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */ ++ ++#define arch_slab_minalign() ((unsigned)dcache_stride) ++#define cache_line_size() dcache_stride 
++#define dma_get_cache_alignment cache_line_size + + #define __read_mostly __section(".data..read_mostly") + diff --git a/queue-6.1/power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch b/queue-6.1/power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch new file mode 100644 index 00000000000..88c4b050abc --- /dev/null +++ b/queue-6.1/power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch @@ -0,0 +1,39 @@ +From b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 17 Jul 2024 22:03:32 +0200 +Subject: power: supply: axp288_charger: Fix constant_charge_voltage writes + +From: Hans de Goede + +commit b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 upstream. + +info->max_cv is in millivolts, divide the microvolt value being written +to constant_charge_voltage by 1000 *before* clamping it to info->max_cv. + +Before this fix the code always tried to set constant_charge_voltage +to max_cv / 1000 = 4 millivolt, which ends up in setting it to 4.1V +which is the lowest supported value. + +Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20240717200333.56669-1-hdegoede@redhat.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -337,8 +337,8 @@ static int axp288_charger_usb_set_proper + } + break; + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE: +- scaled_val = min(val->intval, info->max_cv); +- scaled_val = DIV_ROUND_CLOSEST(scaled_val, 1000); ++ scaled_val = DIV_ROUND_CLOSEST(val->intval, 1000); ++ scaled_val = min(scaled_val, info->max_cv); + ret = axp288_charger_set_cv(info, scaled_val); + if (ret < 0) { + dev_warn(&info->pdev->dev, "set charge voltage failed\n"); 
diff --git a/queue-6.1/power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch b/queue-6.1/power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch new file mode 100644 index 00000000000..9649a365054 --- /dev/null +++ b/queue-6.1/power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch 
@@ -0,0 +1,56 @@ +From 81af7f2342d162e24ac820c10e68684d9f927663 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 17 Jul 2024 22:03:33 +0200 +Subject: power: supply: axp288_charger: Round constant_charge_voltage writes down + +From: Hans de Goede + +commit 81af7f2342d162e24ac820c10e68684d9f927663 upstream. + +Round constant_charge_voltage writes down to the first supported lower +value, rather then rounding them up to the first supported higher value. + +This fixes e.g. writing 4250000 resulting in a value of 4350000 which +might be dangerous, instead writing 4250000 will now result in a safe +4200000 value. + +Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20240717200333.56669-2-hdegoede@redhat.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -178,18 +178,18 @@ static inline int axp288_charger_set_cv( + u8 reg_val; + int ret; + +- if (cv <= CV_4100MV) { +- reg_val = CHRG_CCCV_CV_4100MV; +- cv = CV_4100MV; +- } else if (cv <= CV_4150MV) { +- reg_val = CHRG_CCCV_CV_4150MV; +- cv = CV_4150MV; +- } else if (cv <= CV_4200MV) { ++ if (cv >= CV_4350MV) { ++ reg_val = CHRG_CCCV_CV_4350MV; ++ cv = CV_4350MV; ++ } else if (cv >= CV_4200MV) { + reg_val = CHRG_CCCV_CV_4200MV; + cv = CV_4200MV; ++ } else if (cv >= CV_4150MV) { ++ reg_val = CHRG_CCCV_CV_4150MV; ++ cv = CV_4150MV; + } else { +- reg_val = CHRG_CCCV_CV_4350MV; +- cv = CV_4350MV; ++ reg_val = CHRG_CCCV_CV_4100MV; ++ cv = CV_4100MV; + } + + reg_val = reg_val << CHRG_CCCV_CV_BIT_POS; 
diff --git a/queue-6.1/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch b/queue-6.1/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch new file mode 100644 index 00000000000..be280992f20 --- /dev/null +++ b/queue-6.1/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch 
@@ -0,0 +1,68 @@ +From 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Wed, 17 Jul 2024 07:24:38 -0500 +Subject: serial: core: check uartclk for zero to avoid divide by zero + +From: George Kennedy + +commit 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 upstream. + +Calling ioctl TIOCSSERIAL with an invalid baud_base can +result in uartclk being zero, which will result in a +divide by zero error in uart_get_divisor(). The check for +uartclk being zero in uart_set_info() needs to be done +before other settings are made as subsequent calls to +ioctl TIOCSSERIAL for the same port would be impacted if +the uartclk check was done where uartclk gets set. + +Oops: divide error: 0000 PREEMPT SMP KASAN PTI +RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) +Call Trace: + +serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 + drivers/tty/serial/8250/8250_port.c:2589) +serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 + drivers/tty/serial/8250/8250_port.c:2741) +serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) +uart_change_line_settings (./include/linux/spinlock.h:376 + ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) +uart_port_startup (drivers/tty/serial/serial_core.c:342) +uart_startup (drivers/tty/serial/serial_core.c:368) +uart_set_info (drivers/tty/serial/serial_core.c:1034) +uart_set_info_user (drivers/tty/serial/serial_core.c:1059) +tty_set_serial (drivers/tty/tty_io.c:2637) +tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) +__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 + fs/ioctl.c:893 fs/ioctl.c:893) +do_syscall_64 (arch/x86/entry/common.c:52 + (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Reported-by: syzkaller +Cc: stable@vger.kernel.org +Signed-off-by: George Kennedy +Rule: add +Link: 
https://lore.kernel.org/stable/1721148848-9784-1-git-send-email-george.kennedy%40oracle.com +Link: https://lore.kernel.org/r/1721219078-3209-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -846,6 +846,14 @@ static int uart_set_info(struct tty_stru + new_flags = (__force upf_t)new_info->flags; + old_custom_divisor = uport->custom_divisor; + ++ if (!(uport->flags & UPF_FIXED_PORT)) { ++ unsigned int uartclk = new_info->baud_base * 16; ++ /* check needs to be done here before other settings made */ ++ if (uartclk == 0) { ++ retval = -EINVAL; ++ goto exit; ++ } ++ } + if (!capable(CAP_SYS_ADMIN)) { + retval = -EPERM; + if (change_irq || change_port || diff --git a/queue-6.1/series b/queue-6.1/series index bf096ef72d5..1d20de11589 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -105,3 +105,17 @@ clocksource-scale-the-watchdog-read-retries-automati.patch clocksource-fix-brown-bag-boolean-thinko-in-cs_watch.patch driver-core-fix-uevent_show-vs-driver-detach-race.patch ntp-safeguard-against-time_constant-overflow.patch +timekeeping-fix-bogus-clock_was_set-invocation-in-do_adjtimex.patch +serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch +parisc-fix-a-possible-dma-corruption.patch +asoc-amd-yc-add-quirk-entry-for-omen-by-hp-gaming-laptop-16-n0xxx.patch +kcov-properly-check-for-softirq-context.patch +irqchip-xilinx-fix-shift-out-of-bounds.patch +genirq-irqdesc-honor-caller-provided-affinity-in-alloc_desc.patch +power-supply-axp288_charger-fix-constant_charge_voltage-writes.patch +power-supply-axp288_charger-round-constant_charge_voltage-writes-down.patch +tracing-fix-overflow-in-get_free_elt.patch +padata-fix-possible-divide-by-0-panic-in-padata_mt_helper.patch +smb3-fix-setting-securityflags-when-encryption-is-required.patch +btrfs-avoid-using-fixed-char-array-size-for-tree-names.patch +x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch diff --git a/queue-6.1/smb3-fix-setting-securityflags-when-encryption-is-required.patch b/queue-6.1/smb3-fix-setting-securityflags-when-encryption-is-required.patch new file mode 100644 index 00000000000..0b6b3a7b208 --- /dev/null +++ b/queue-6.1/smb3-fix-setting-securityflags-when-encryption-is-required.patch 
@@ -0,0 +1,91 @@ +From 1b5487aefb1ce7a6b1f15a33297d1231306b4122 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Wed, 31 Jul 2024 21:38:50 -0500 +Subject: smb3: fix setting SecurityFlags when encryption is required + +From: Steve French + +commit 1b5487aefb1ce7a6b1f15a33297d1231306b4122 upstream. + +Setting encryption as required in security flags was broken. +For example (to require all mounts to be encrypted by setting): + + "echo 0x400c5 > /proc/fs/cifs/SecurityFlags" + +Would return "Invalid argument" and log "Unsupported security flags" +This patch fixes that (e.g. allowing overriding the default for +SecurityFlags 0x00c5, including 0x40000 to require seal, ie +SMB3.1.1 encryption) so now that works and forces encryption +on subsequent mounts. + +Acked-by: Bharath SM +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/cifs/usage.rst | 2 +- + fs/smb/client/cifs_debug.c | 2 +- + fs/smb/client/cifsglob.h | 8 ++++---- + fs/smb/client/smb2pdu.c | 3 +++ + 4 files changed, 9 insertions(+), 6 deletions(-) + +--- a/Documentation/admin-guide/cifs/usage.rst ++++ b/Documentation/admin-guide/cifs/usage.rst +@@ -741,7 +741,7 @@ SecurityFlags Flags which control secur + may use NTLMSSP 0x00080 + must use NTLMSSP 0x80080 + seal (packet encryption) 0x00040 +- must seal (not implemented yet) 0x40040 ++ must seal 0x40040 + + cifsFYI If set to non-zero value, additional debug information + will be logged to the system error log. 
This field +--- a/fs/smb/client/cifs_debug.c ++++ b/fs/smb/client/cifs_debug.c +@@ -960,7 +960,7 @@ static int cifs_security_flags_proc_open + static void + cifs_security_flags_handle_must_flags(unsigned int *flags) + { +- unsigned int signflags = *flags & CIFSSEC_MUST_SIGN; ++ unsigned int signflags = *flags & (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL); + + if ((*flags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5) + *flags = CIFSSEC_MUST_KRB5; +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -1820,7 +1820,7 @@ static inline bool is_retryable_error(in + #define CIFSSEC_MAY_SIGN 0x00001 + #define CIFSSEC_MAY_NTLMV2 0x00004 + #define CIFSSEC_MAY_KRB5 0x00008 +-#define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ ++#define CIFSSEC_MAY_SEAL 0x00040 + #define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */ + + #define CIFSSEC_MUST_SIGN 0x01001 +@@ -1830,11 +1830,11 @@ require use of the stronger protocol */ + #define CIFSSEC_MUST_NTLMV2 0x04004 + #define CIFSSEC_MUST_KRB5 0x08008 + #ifdef CONFIG_CIFS_UPCALL +-#define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */ ++#define CIFSSEC_MASK 0xCF0CF /* flags supported if no weak allowed */ + #else +-#define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */ ++#define CIFSSEC_MASK 0xC70C7 /* flags supported if no weak allowed */ + #endif /* UPCALL */ +-#define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ ++#define CIFSSEC_MUST_SEAL 0x40040 + #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ + + #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL) +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -80,6 +80,9 @@ int smb3_encryption_required(const struc + if (tcon->seal && + (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) + return 1; ++ if (((global_secflags & CIFSSEC_MUST_SEAL) == CIFSSEC_MUST_SEAL) && ++ (tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) ++ 
return 1; + return 0; + } + diff --git a/queue-6.1/timekeeping-fix-bogus-clock_was_set-invocation-in-do_adjtimex.patch b/queue-6.1/timekeeping-fix-bogus-clock_was_set-invocation-in-do_adjtimex.patch new file mode 100644 index 00000000000..dee468430d7 --- /dev/null +++ b/queue-6.1/timekeeping-fix-bogus-clock_was_set-invocation-in-do_adjtimex.patch @@ -0,0 +1,40 @@ +From 5916be8a53de6401871bdd953f6c60237b47d6d3 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sat, 3 Aug 2024 17:07:51 +0200 +Subject: timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex() + +From: Thomas Gleixner + +commit 5916be8a53de6401871bdd953f6c60237b47d6d3 upstream. + +The addition of the bases argument to clock_was_set() fixed up all call +sites correctly except for do_adjtimex(). This uses CLOCK_REALTIME +instead of CLOCK_SET_WALL as argument. CLOCK_REALTIME is 0. + +As a result the effect of that clock_was_set() notification is incomplete +and might result in timers expiring late because the hrtimer code does +not re-evaluate the affected clock bases. + +Use CLOCK_SET_WALL instead of CLOCK_REALTIME to tell the hrtimers code +which clock bases need to be re-evaluated. + +Fixes: 17a1b8826b45 ("hrtimer: Add bases argument to clock_was_set()") +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/877ccx7igo.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/timekeeping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -2476,7 +2476,7 @@ int do_adjtimex(struct __kernel_timex *t + clock_set |= timekeeping_advance(TK_ADV_FREQ); + + if (clock_set) +- clock_was_set(CLOCK_REALTIME); ++ clock_was_set(CLOCK_SET_WALL); + + ntp_notify_cmos_timer(); + diff --git a/queue-6.1/tracing-fix-overflow-in-get_free_elt.patch b/queue-6.1/tracing-fix-overflow-in-get_free_elt.patch new file mode 100644 index 00000000000..f2adf30386f --- /dev/null 
+++ b/queue-6.1/tracing-fix-overflow-in-get_free_elt.patch 
@@ -0,0 +1,65 @@ +From bcf86c01ca4676316557dd482c8416ece8c2e143 Mon Sep 17 00:00:00 2001 +From: Tze-nan Wu +Date: Mon, 5 Aug 2024 13:59:22 +0800 +Subject: tracing: Fix overflow in get_free_elt() + +From: Tze-nan Wu + +commit bcf86c01ca4676316557dd482c8416ece8c2e143 upstream. + +"tracing_map->next_elt" in get_free_elt() is at risk of overflowing. + +Once it overflows, new elements can still be inserted into the tracing_map +even though the maximum number of elements (`max_elts`) has been reached. +Continuing to insert elements after the overflow could result in the +tracing_map containing "tracing_map->max_size" elements, leaving no empty +entries. +If any attempt is made to insert an element into a full tracing_map using +`__tracing_map_insert()`, it will cause an infinite loop with preemption +disabled, leading to a CPU hang problem. + +Fix this by preventing any further increments to "tracing_map->next_elt" +once it reaches "tracing_map->max_elt". + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Fixes: 08d43a5fa063e ("tracing: Add lock-free tracing_map") +Co-developed-by: Cheng-Jui Wang +Link: https://lore.kernel.org/20240805055922.6277-1-Tze-nan.Wu@mediatek.com +Signed-off-by: Cheng-Jui Wang +Signed-off-by: Tze-nan Wu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/tracing_map.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/trace/tracing_map.c ++++ b/kernel/trace/tracing_map.c +@@ -454,7 +454,7 @@ static struct tracing_map_elt *get_free_ + struct tracing_map_elt *elt = NULL; + int idx; + +- idx = atomic_inc_return(&map->next_elt); ++ idx = atomic_fetch_add_unless(&map->next_elt, 1, map->max_elts); + if (idx < map->max_elts) { + elt = *(TRACING_MAP_ELT(map->elts, idx)); + if (map->ops && map->ops->elt_init) +@@ -699,7 +699,7 @@ void tracing_map_clear(struct tracing_ma + { + unsigned int i; + +- atomic_set(&map->next_elt, -1); ++ atomic_set(&map->next_elt, 0); + 
atomic64_set(&map->hits, 0); + atomic64_set(&map->drops, 0); + +@@ -783,7 +783,7 @@ struct tracing_map *tracing_map_create(u + + map->map_bits = map_bits; + map->max_elts = (1 << map_bits); +- atomic_set(&map->next_elt, -1); ++ atomic_set(&map->next_elt, 0); + + map->map_size = (1 << (map_bits + 1)); + map->ops = ops; diff --git a/queue-6.1/x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch b/queue-6.1/x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch new file mode 100644 index 00000000000..2ccf7be6bc9 --- /dev/null +++ b/queue-6.1/x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch 
@@ -0,0 +1,44 @@ +From 919f18f961c03d6694aa726c514184f2311a4614 Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Wed, 7 Aug 2024 17:02:44 -0700 +Subject: x86/mtrr: Check if fixed MTRRs exist before saving them + +From: Andi Kleen + +commit 919f18f961c03d6694aa726c514184f2311a4614 upstream. + +MTRRs have an obsolete fixed variant for fine grained caching control +of the 640K-1MB region that uses separate MSRs. This fixed variant has +a separate capability bit in the MTRR capability MSR. + +So far all x86 CPUs which support MTRR have this separate bit set, so it +went unnoticed that mtrr_save_state() does not check the capability bit +before accessing the fixed MTRR MSRs. + +Though on a CPU that does not support the fixed MTRR capability this +results in a #GP. The #GP itself is harmless because the RDMSR fault is +handled gracefully, but results in a WARN_ON(). + +Add the missing capability check to prevent this. + +Fixes: 2b1f6278d77c ("[PATCH] x86: Save the MTRRs of the BSP before booting an AP") +Signed-off-by: Andi Kleen +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20240808000244.946864-1-ak@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mtrr/mtrr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mtrr/mtrr.c ++++ b/arch/x86/kernel/cpu/mtrr/mtrr.c +@@ -816,7 +816,7 @@ void mtrr_save_state(void) + { + int first_cpu; + +- if (!mtrr_enabled()) ++ if (!mtrr_enabled() || !mtrr_state.have_fixed) + return; + + first_cpu = cpumask_first(cpu_online_mask);
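Review bot: in the do_adjtimex() hunk of the timekeeping patch (kernel/time/timekeeping.c, @@ -2476), the corrected call `clock_was_set(CLOCK_SET_WALL);` has no comment saying that the argument is a mask of clock bases rather than a clock id. The commit message shows how quietly the mistake slipped through: CLOCK_REALTIME is 0 and was accepted without any diagnostic. A one-line comment at the call would make the next such mix-up easier to catch in review. The message says the other call sites were converted correctly, but only this one is visible here, so it is worth grepping the 6.1 tree for any remaining clock_was_set() caller that passes a CLOCK_* id.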
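Review bot: in the get_free_elt() hunk of the tracing patch (kernel/trace/tracing_map.c, @@ -454), the bounds check that follows the new `atomic_fetch_add_unless(&map->next_elt, 1, map->max_elts)` is still only `if (idx < map->max_elts)`, with no lower bound on the signed `idx`. The call now returns the value from before the increment, so the check is safe only when next_elt starts at 0; with the old initial value of -1 the first idx would be -1 and would pass. The patch does change both initialisers, but a backport conflict that drops either one would become an out-of-range index. Consider `if (idx >= 0 && idx < map->max_elts)`, or a comment stating that this hunk depends on the two `atomic_set(&map->next_elt, 0)` changes.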
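Review bot: in the tracing_map_clear() hunk (@@ -699), and identically in the tracing_map_create() hunk (@@ -783), `atomic_set(&map->next_elt, 0);` changes what next_elt means without documenting it: it used to hold the index last handed out and now holds the index to be handed out next. Any other reader of next_elt that adds 1 to derive an element count would now be off by one, and the diff touches only these three sites, so please confirm the remaining users in tracing_map.c were checked. A short comment at the initialisation saying that next_elt is the next free index and stops at max_elts would record the new convention.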
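Review bot: in the mtrr_save_state() hunk (arch/x86/kernel/cpu/mtrr/mtrr.c, @@ -816), the new `!mtrr_state.have_fixed` test makes the whole function return early, and nothing in the hunk shows where have_fixed is populated relative to this call. If the field is still zero when mtrr_save_state() first runs, the function becomes a no-op even on CPUs that do have fixed MTRRs, so the backport should confirm that the 6.1 initialisation order matches upstream. A brief comment above the condition noting that the code below reads the fixed MTRR MSRs would also explain why the capability bit gates the entire body.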