From: Greg Kroah-Hartman Date: Fri, 25 Mar 2022 13:24:32 +0000 (+0100) Subject: 5.16-stable patches X-Git-Tag: v4.9.309~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c5d9bae8a7002e6dc1715ec09d9b9a8878ad4793;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch revert-ath-add-support-for-special-0x0-regulatory-domain.patch uaccess-fix-integer-overflow-on-access_ok.patch --- diff --git a/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch b/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch new file mode 100644 index 00000000000..0c00157a31c --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch @@ -0,0 +1,65 @@ +From 2e7b4a328ed6ea57d22853939e69bc86c560996d Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 19 Jan 2022 14:18:37 -0600 +Subject: Bluetooth: btusb: Add one more Bluetooth part for the Realtek RTL8852AE + +From: Larry Finger + +commit 2e7b4a328ed6ea57d22853939e69bc86c560996d upstream. + +This Realtek device has both wifi and BT components. The latter reports +a USB ID of 0bda:2852, which is not in the table. + +BT device description in /sys/kernel/debug/usb/devices contains the following entries: + +T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=2852 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +The missing USB_ID was reported by user trius65 at https://github.com/lwfinger/rtw89/issues/122 + +Signed-off-by: Larry Finger +Cc: stable@vger.kernel.org +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -404,6 +404,8 @@ static const struct usb_device_id blackl + BTUSB_WIDEBAND_SPEECH }, + + /* Realtek 8852AE Bluetooth devices */ ++ { USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0xc852), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0x385a), .driver_info = BTUSB_REALTEK | diff --git a/queue-5.16/drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch b/queue-5.16/drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch new file mode 100644 index 00000000000..f1a1ee6d5bc --- /dev/null +++ b/queue-5.16/drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch @@ -0,0 +1,39 @@ +From 6b79f96f4a23846516e5e6e4dd37fc06f43a60dd Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Mon, 13 Dec 2021 19:31:22 +0100 +Subject: drm/virtio: Ensure that objs is not NULL in virtio_gpu_array_put_free() + +From: Roberto Sassu + +commit 6b79f96f4a23846516e5e6e4dd37fc06f43a60dd upstream. + +If virtio_gpu_object_shmem_init() fails (e.g. due to fault injection, as it +happened in the bug report by syzbot), virtio_gpu_array_put_free() could be +called with objs equal to NULL. + +Ensure that objs is not NULL in virtio_gpu_array_put_free(), or otherwise +return from the function. + +Cc: stable@vger.kernel.org # 5.13.x +Signed-off-by: Roberto Sassu +Reported-by: syzbot+e9072e90624a31dfa85f@syzkaller.appspotmail.com +Fixes: 377f8331d0565 ("drm/virtio: fix possible leak/unlock virtio_gpu_object_array") +Link: http://patchwork.freedesktop.org/patch/msgid/20211213183122.838119-1-roberto.sassu@huawei.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_gem.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/virtio/virtgpu_gem.c ++++ b/drivers/gpu/drm/virtio/virtgpu_gem.c +@@ -248,6 +248,9 @@ void virtio_gpu_array_put_free(struct vi + { + u32 i; + ++ if (!objs) ++ return; ++ + for (i = 0; i < objs->nents; i++) + drm_gem_object_put(objs->objs[i]); + virtio_gpu_array_free(objs); diff --git a/queue-5.16/rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch b/queue-5.16/rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch new file mode 100644 index 00000000000..58cb2cec75b --- /dev/null +++ b/queue-5.16/rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch @@ -0,0 +1,63 @@ +From 10c535787436d62ea28156a4b91365fd89b5a432 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Fri, 21 Jan 2022 12:40:08 -0800 +Subject: rcu: Don't deboost before reporting expedited quiescent state + +From: Paul E. McKenney + +commit 10c535787436d62ea28156a4b91365fd89b5a432 upstream. + +Currently rcu_preempt_deferred_qs_irqrestore() releases rnp->boost_mtx +before reporting the expedited quiescent state. Under heavy real-time +load, this can result in this function being preempted before the +quiescent state is reported, which can in turn prevent the expedited grace +period from completing. Tim Murray reports that the resulting expedited +grace periods can take hundreds of milliseconds and even more than one +second, when they should normally complete in less than a millisecond. + +This was fine given that there were no particular response-time +constraints for synchronize_rcu_expedited(), as it was designed +for throughput rather than latency. However, some users now need +sub-100-millisecond response-time constratints. + +This patch therefore follows Neeraj's suggestion (seconded by Tim and +by Uladzislau Rezki) of simply reversing the two operations. + +Reported-by: Tim Murray +Reported-by: Joel Fernandes +Reported-by: Neeraj Upadhyay +Reviewed-by: Neeraj Upadhyay +Reviewed-by: Uladzislau Rezki (Sony) +Tested-by: Tim Murray +Cc: Todd Kjos +Cc: Sandeep Patil +Cc: # 5.4.x +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman +--- + kernel/rcu/tree_plugin.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -554,16 +554,16 @@ rcu_preempt_deferred_qs_irqrestore(struc + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + } + +- /* Unboost if we were boosted. */ +- if (IS_ENABLED(CONFIG_RCU_BOOST) && drop_boost_mutex) +- rt_mutex_futex_unlock(&rnp->boost_mtx.rtmutex); +- + /* + * If this was the last task on the expedited lists, + * then we need to report up the rcu_node hierarchy. + */ + if (!empty_exp && empty_exp_now) + rcu_report_exp_rnp(rnp, true); ++ ++ /* Unboost if we were boosted. */ ++ if (IS_ENABLED(CONFIG_RCU_BOOST) && drop_boost_mutex) ++ rt_mutex_futex_unlock(&rnp->boost_mtx.rtmutex); + } else { + local_irq_restore(flags); + } diff --git a/queue-5.16/revert-ath-add-support-for-special-0x0-regulatory-domain.patch b/queue-5.16/revert-ath-add-support-for-special-0x0-regulatory-domain.patch new file mode 100644 index 00000000000..f222505fca8 --- /dev/null +++ b/queue-5.16/revert-ath-add-support-for-special-0x0-regulatory-domain.patch @@ -0,0 +1,56 @@ +From 1ec7ed5163c70a0d040150d2279f932c7e7c143f Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 25 Feb 2022 11:44:32 +0200 +Subject: Revert "ath: add support for special 0x0 regulatory domain" + +From: Brian Norris + +commit 1ec7ed5163c70a0d040150d2279f932c7e7c143f upstream. + +This reverts commit 2dc016599cfa9672a147528ca26d70c3654a5423. + +Users are reporting regressions in regulatory domain detection and +channel availability. + +The problem this was trying to resolve was fixed in firmware anyway: + + QCA6174 hw3.0: sdio-4.4.1: add firmware.bin_WLAN.RMH.4.4.1-00042 + https://github.com/kvalo/ath10k-firmware/commit/4d382787f0efa77dba40394e0bc604f8eff82552 + +Link: https://bbs.archlinux.org/viewtopic.php?id=254535 +Link: http://lists.infradead.org/pipermail/ath10k/2020-April/014871.html +Link: http://lists.infradead.org/pipermail/ath10k/2020-May/015152.html +Link: https://lore.kernel.org/all/1c160dfb-6ccc-b4d6-76f6-4364e0adb6dd@reox.at/ +Fixes: 2dc016599cfa ("ath: add support for special 0x0 regulatory domain") +Cc: +Cc: Wen Gong +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200527165718.129307-1-briannorris@chromium.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/regd.c ++++ b/drivers/net/wireless/ath/regd.c +@@ -667,14 +667,14 @@ ath_regd_init_wiphy(struct ath_regulator + + /* + * Some users have reported their EEPROM programmed with +- * 0x8000 or 0x0 set, this is not a supported regulatory +- * domain but since we have more than one user with it we +- * need a solution for them. We default to 0x64, which is +- * the default Atheros world regulatory domain. ++ * 0x8000 set, this is not a supported regulatory domain ++ * but since we have more than one user with it we need ++ * a solution for them. We default to 0x64, which is the ++ * default Atheros world regulatory domain. + */ + static void ath_regd_sanitize(struct ath_regulatory *reg) + { +- if (reg->current_rd != COUNTRY_ERD_FLAG && reg->current_rd != 0) ++ if (reg->current_rd != COUNTRY_ERD_FLAG) + return; + printk(KERN_DEBUG "ath: EEPROM regdomain sanitized\n"); + reg->current_rd = 0x64; diff --git a/queue-5.16/series b/queue-5.16/series index 3b0475194d2..b3524ab739f 100644 --- a/queue-5.16/series +++ b/queue-5.16/series @@ -25,3 +25,8 @@ acpi-x86-work-around-broken-xsdt-on-advantech-dac-bj01-board.patch acpi-battery-add-device-hid-and-quirk-for-microsoft-surface-go-3.patch acpi-video-force-backlight-native-for-clevo-nl5xru-and-nl5xnu.patch crypto-qat-disable-registration-of-algorithms.patch +bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch +revert-ath-add-support-for-special-0x0-regulatory-domain.patch +drm-virtio-ensure-that-objs-is-not-null-in-virtio_gpu_array_put_free.patch +rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch +uaccess-fix-integer-overflow-on-access_ok.patch diff --git a/queue-5.16/uaccess-fix-integer-overflow-on-access_ok.patch b/queue-5.16/uaccess-fix-integer-overflow-on-access_ok.patch new file mode 100644 index 00000000000..1bcabb32483 --- /dev/null +++ b/queue-5.16/uaccess-fix-integer-overflow-on-access_ok.patch @@ -0,0 +1,112 @@ +From 222ca305c9fd39e5ed8104da25c09b2b79a516a8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 10 Feb 2022 16:24:30 +0100 +Subject: uaccess: fix integer overflow on access_ok() + +From: Arnd Bergmann + +commit 222ca305c9fd39e5ed8104da25c09b2b79a516a8 upstream. + +Three architectures check the end of a user access against the +address limit without taking a possible overflow into account. +Passing a negative length or another overflow in here returns +success when it should not. + +Use the most common correct implementation here, which optimizes +for a constant 'size' argument, and turns the common case into a +single comparison. + +Cc: stable@vger.kernel.org +Fixes: da551281947c ("csky: User access") +Fixes: f663b60f5215 ("microblaze: Fix uaccess_ok macro") +Fixes: 7567746e1c0d ("Hexagon: Add user access functions") +Reported-by: David Laight +Reviewed-by: Christoph Hellwig +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/include/asm/uaccess.h | 7 +++---- + arch/hexagon/include/asm/uaccess.h | 18 +++++++++--------- + arch/microblaze/include/asm/uaccess.h | 19 ++++--------------- + 3 files changed, 16 insertions(+), 28 deletions(-) + +--- a/arch/csky/include/asm/uaccess.h ++++ b/arch/csky/include/asm/uaccess.h +@@ -3,14 +3,13 @@ + #ifndef __ASM_CSKY_UACCESS_H + #define __ASM_CSKY_UACCESS_H + +-#define user_addr_max() \ +- (uaccess_kernel() ? KERNEL_DS.seg : get_fs().seg) ++#define user_addr_max() (current_thread_info()->addr_limit.seg) + + static inline int __access_ok(unsigned long addr, unsigned long size) + { +- unsigned long limit = current_thread_info()->addr_limit.seg; ++ unsigned long limit = user_addr_max(); + +- return ((addr < limit) && ((addr + size) < limit)); ++ return (size <= limit) && (addr <= (limit - size)); + } + #define __access_ok __access_ok + +--- a/arch/hexagon/include/asm/uaccess.h ++++ b/arch/hexagon/include/asm/uaccess.h +@@ -25,17 +25,17 @@ + * Returns true (nonzero) if the memory block *may* be valid, false (zero) + * if it is definitely invalid. + * +- * User address space in Hexagon, like x86, goes to 0xbfffffff, so the +- * simple MSB-based tests used by MIPS won't work. Some further +- * optimization is probably possible here, but for now, keep it +- * reasonably simple and not *too* slow. After all, we've got the +- * MMU for backup. + */ ++#define uaccess_kernel() (get_fs().seg == KERNEL_DS.seg) ++#define user_addr_max() (uaccess_kernel() ? ~0UL : TASK_SIZE) + +-#define __access_ok(addr, size) \ +- ((get_fs().seg == KERNEL_DS.seg) || \ +- (((unsigned long)addr < get_fs().seg) && \ +- (unsigned long)size < (get_fs().seg - (unsigned long)addr))) ++static inline int __access_ok(unsigned long addr, unsigned long size) ++{ ++ unsigned long limit = TASK_SIZE; ++ ++ return (size <= limit) && (addr <= (limit - size)); ++} ++#define __access_ok __access_ok + + /* + * When a kernel-mode page fault is taken, the faulting instruction +--- a/arch/microblaze/include/asm/uaccess.h ++++ b/arch/microblaze/include/asm/uaccess.h +@@ -39,24 +39,13 @@ + + # define uaccess_kernel() (get_fs().seg == KERNEL_DS.seg) + +-static inline int access_ok(const void __user *addr, unsigned long size) ++static inline int __access_ok(unsigned long addr, unsigned long size) + { +- if (!size) +- goto ok; ++ unsigned long limit = user_addr_max(); + +- if ((get_fs().seg < ((unsigned long)addr)) || +- (get_fs().seg < ((unsigned long)addr + size - 1))) { +- pr_devel("ACCESS fail at 0x%08x (size 0x%x), seg 0x%08x\n", +- (__force u32)addr, (u32)size, +- (u32)get_fs().seg); +- return 0; +- } +-ok: +- pr_devel("ACCESS OK at 0x%08x (size 0x%x), seg 0x%08x\n", +- (__force u32)addr, (u32)size, +- (u32)get_fs().seg); +- return 1; ++ return (size <= limit) && (addr <= (limit - size)); + } ++#define access_ok(addr, size) __access_ok((unsigned long)addr, size) + + # define __FIXUP_SECTION ".section .fixup,\"ax\"\n" + # define __EX_TABLE_SECTION ".section __ex_table,\"a\"\n"