From: Sasha Levin Date: Tue, 19 Sep 2023 17:29:05 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.10.196~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3aca091ddcc4d89971b16969b9d6b2e021b7d80;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch new file mode 100644 index 00000000000..0b6763ded59 --- /dev/null +++ b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch @@ -0,0 +1,56 @@ +From 03785130c75b78817b4363e7b0bb2cb7ce9fae35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 11:44:08 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Apple iMac12,1 and + iMac12,2 + +From: Hans de Goede + +[ Upstream commit 8cf04bb321f036dd2e523e993897e0789bd5265c ] + +Linux defaults to picking the non-working ACPI video backlight interface +on the Apple iMac12,1 and iMac12,2. + +Add a DMI quirk to pick the working native radeon_bl0 interface instead. + +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1838 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2753 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 28e816be4753e..a5cb9e1d48bcc 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -357,6 +357,24 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "iMac11,3"), + }, + }, ++ { ++ /* https://gitlab.freedesktop.org/drm/amd/-/issues/1838 */ ++ .callback = video_detect_force_native, ++ /* Apple iMac12,1 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac12,1"), ++ }, ++ }, ++ { ++ /* https://gitlab.freedesktop.org/drm/amd/-/issues/2753 */ ++ .callback = video_detect_force_native, ++ /* Apple iMac12,2 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac12,2"), ++ }, ++ }, + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */ + .callback = video_detect_force_native, +-- +2.40.1 + diff --git a/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch new file mode 100644 index 00000000000..197ea0643ab --- /dev/null +++ b/queue-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch @@ -0,0 +1,47 @@ +From 635cb39b637a35f54784256968972a7bafcd285f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 08:42:00 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470 + +From: Jiri Slaby (SUSE) + +[ Upstream commit 96b709be183c56293933ef45b8b75f8af268c6de ] + +The Lenovo Ideapad Z470 predates Windows 8, so it defaults to using +acpi_video for backlight control. But this is not functional on this +model. + +Add a DMI quirk to use the native backlight interface which works. + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1208724 +Signed-off-by: Jiri Slaby (SUSE) +Reviewed-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index b02d381e78483..28e816be4753e 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -307,6 +307,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "Lenovo IdeaPad S405"), + }, + }, ++ { ++ /* https://bugzilla.suse.com/show_bug.cgi?id=1208724 */ ++ .callback = video_detect_force_native, ++ /* Lenovo Ideapad Z470 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Z470"), ++ }, ++ }, + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1187004 */ + .callback = video_detect_force_native, +-- +2.40.1 + diff --git a/queue-5.10/acpica-add-aml_no_operand_resolve-flag-to-timer.patch b/queue-5.10/acpica-add-aml_no_operand_resolve-flag-to-timer.patch new file mode 100644 index 00000000000..3a4be38224b --- /dev/null +++ b/queue-5.10/acpica-add-aml_no_operand_resolve-flag-to-timer.patch @@ -0,0 +1,60 @@ +From 54ea9f0a98633831aff1ab7a5ae7272aeabc4d35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 22:26:06 +0000 +Subject: ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer + +From: Abhishek Mainkar + +[ Upstream commit 3a21ffdbc825e0919db9da0e27ee5ff2cc8a863e ] + +ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 + +According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. + +When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. + +============================================================= +UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' +CPU: 37 PID: 1678 Comm: cat Not tainted +6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k +HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: + dump_backtrace+0xe0/0x130 + show_stack+0x20/0x60 + dump_stack_lvl+0x68/0x84 + dump_stack+0x18/0x34 + ubsan_epilogue+0x10/0x50 + __ubsan_handle_out_of_bounds+0x80/0x90 + acpi_ds_exec_end_op+0x1bc/0x6d8 + acpi_ps_parse_loop+0x57c/0x618 + acpi_ps_parse_aml+0x1e0/0x4b4 + acpi_ps_execute_method+0x24c/0x2b8 + acpi_ns_evaluate+0x3a8/0x4bc + acpi_evaluate_object+0x15c/0x37c + acpi_evaluate_integer+0x54/0x15c + show_power+0x8c/0x12c [acpi_power_meter] + +Link: https://github.com/acpica/acpica/commit/90310989 +Signed-off-by: Abhishek Mainkar +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psopcode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/psopcode.c b/drivers/acpi/acpica/psopcode.c +index 28af49263ebfa..62957cba30f61 100644 +--- a/drivers/acpi/acpica/psopcode.c ++++ b/drivers/acpi/acpica/psopcode.c +@@ -603,7 +603,7 @@ const struct acpi_opcode_info acpi_gbl_aml_op_info[AML_NUM_OPCODES] = { + + /* 7E */ ACPI_OP("Timer", ARGP_TIMER_OP, ARGI_TIMER_OP, ACPI_TYPE_ANY, + AML_CLASS_EXECUTE, AML_TYPE_EXEC_0A_0T_1R, +- AML_FLAGS_EXEC_0A_0T_1R), ++ AML_FLAGS_EXEC_0A_0T_1R | AML_NO_OPERAND_RESOLVE), + + /* ACPI 5.0 opcodes */ + +-- +2.40.1 + diff --git a/queue-5.10/alsa-hda-intel-dsp-cfg-add-lunarlake-support.patch b/queue-5.10/alsa-hda-intel-dsp-cfg-add-lunarlake-support.patch new file mode 100644 index 00000000000..78a6eafb86b --- /dev/null +++ b/queue-5.10/alsa-hda-intel-dsp-cfg-add-lunarlake-support.patch @@ -0,0 +1,43 @@ +From d6560446e57fb41829b7a369d003c5c42b56b951 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 10:01:04 -0500 +Subject: ALSA: hda: intel-dsp-cfg: add LunarLake support + +From: Pierre-Louis Bossart + +[ Upstream commit d2852b8c045ebd31d753b06f2810df5be30ed56a ] + +One more PCI ID for the road. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Link: https://lore.kernel.org/r/20230802150105.24604-5-pierre-louis.bossart@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/intel-dsp-config.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c +index f96e70c85f84a..801c89a3a1b6f 100644 +--- a/sound/hda/intel-dsp-config.c ++++ b/sound/hda/intel-dsp-config.c +@@ -368,6 +368,14 @@ static const struct config_entry config_table[] = { + }, + #endif + ++/* Lunar Lake */ ++#if IS_ENABLED(CONFIG_SND_SOC_SOF_LUNARLAKE) ++ /* Lunarlake-P */ ++ { ++ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE, ++ .device = PCI_DEVICE_ID_INTEL_HDA_LNL_P, ++ }, ++#endif + }; + + static const struct config_entry *snd_intel_dsp_find_config +-- +2.40.1 + diff --git a/queue-5.10/alx-fix-oob-read-compiler-warning.patch b/queue-5.10/alx-fix-oob-read-compiler-warning.patch new file mode 100644 index 00000000000..277e708004f --- /dev/null +++ b/queue-5.10/alx-fix-oob-read-compiler-warning.patch @@ -0,0 +1,54 @@ +From b67e27aeb09a0da85fca6a1a4d2e27094253772d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Aug 2023 09:32:18 +0800 +Subject: alx: fix OOB-read compiler warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: GONG, Ruiqi + +[ Upstream commit 3a198c95c95da10ad844cbeade2fe40bdf14c411 ] + +The following message shows up when compiling with W=1: + +In function ‘fortify_memcpy_chk’, + inlined from ‘alx_get_ethtool_stats’ at drivers/net/ethernet/atheros/alx/ethtool.c:297:2: +./include/linux/fortify-string.h:592:4: error: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Werror=attribute-warning] + 592 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to get alx stats altogether, alx_get_ethtool_stats() reads +beyond hw->stats.rx_ok. Fix this warning by directly copying hw->stats, +and refactor the unnecessarily complicated BUILD_BUG_ON btw. + +Signed-off-by: GONG, Ruiqi +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230821013218.1614265-1-gongruiqi@huaweicloud.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/ethtool.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/alx/ethtool.c b/drivers/net/ethernet/atheros/alx/ethtool.c +index 2f4eabf652e80..51e5aa2c74b34 100644 +--- a/drivers/net/ethernet/atheros/alx/ethtool.c ++++ b/drivers/net/ethernet/atheros/alx/ethtool.c +@@ -281,9 +281,8 @@ static void alx_get_ethtool_stats(struct net_device *netdev, + spin_lock(&alx->stats_lock); + + alx_update_hw_stats(hw); +- BUILD_BUG_ON(sizeof(hw->stats) - offsetof(struct alx_hw_stats, rx_ok) < +- ALX_NUM_STATS * sizeof(u64)); +- memcpy(data, &hw->stats.rx_ok, ALX_NUM_STATS * sizeof(u64)); ++ BUILD_BUG_ON(sizeof(hw->stats) != ALX_NUM_STATS * sizeof(u64)); ++ memcpy(data, &hw->stats, sizeof(hw->stats)); + + spin_unlock(&alx->stats_lock); + } +-- +2.40.1 + diff --git a/queue-5.10/asoc-intel-sof_sdw-update-bt-offload-config-for-soun.patch b/queue-5.10/asoc-intel-sof_sdw-update-bt-offload-config-for-soun.patch new file mode 100644 index 00000000000..3de94966d2f --- /dev/null +++ b/queue-5.10/asoc-intel-sof_sdw-update-bt-offload-config-for-soun.patch @@ -0,0 +1,43 @@ +From b7c66c6e35704244e5a33c98a207da173bc3f3ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 16:42:38 -0500 +Subject: ASoC: Intel: sof_sdw: Update BT offload config for soundwire config + +From: Uday M Bhat + +[ Upstream commit a14aded9299187bb17ef90700eb2cf1120ef5885 ] + +For soundwire config, SSP1 is used for BT offload. This is enabled +in sof_sdw_quirk_table + +Reviewed-by: Kai Vehmanen +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Signed-off-by: Uday M Bhat +Signed-off-by: Jairaj Arava +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230731214257.444605-5-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_sdw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c +index f36a0fda1b6ae..1955d277fdf20 100644 +--- a/sound/soc/intel/boards/sof_sdw.c ++++ b/sound/soc/intel/boards/sof_sdw.c +@@ -214,7 +214,9 @@ static const struct dmi_system_id sof_sdw_quirk_table[] = { + DMI_MATCH(DMI_SYS_VENDOR, "Google"), + DMI_MATCH(DMI_PRODUCT_NAME, "Rex"), + }, +- .driver_data = (void *)(SOF_SDW_PCH_DMIC), ++ .driver_data = (void *)(SOF_SDW_PCH_DMIC | ++ SOF_BT_OFFLOAD_SSP(1) | ++ SOF_SSP_BT_OFFLOAD_PRESENT), + }, + /* LunarLake devices */ + { +-- +2.40.1 + diff --git a/queue-5.10/autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch b/queue-5.10/autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch new file mode 100644 index 00000000000..c8ad35f0ed6 --- /dev/null +++ b/queue-5.10/autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch @@ -0,0 +1,106 @@ +From 7c16f6e24eaa264c3f497eea2eb2efd07567ab75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 13:33:12 +0800 +Subject: autofs: fix memory leak of waitqueues in autofs_catatonic_mode + +From: Fedor Pchelkin + +[ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] + +Syzkaller reports a memory leak: + +BUG: memory leak +unreferenced object 0xffff88810b279e00 (size 96): + comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... + 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. + backtrace: + [] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 + [] kmalloc include/linux/slab.h:576 [inline] + [] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 + [] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 + [] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 + [] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 + [] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 + [] vfs_ioctl fs/ioctl.c:51 [inline] + [] __do_sys_ioctl fs/ioctl.c:870 [inline] + [] __se_sys_ioctl fs/ioctl.c:856 [inline] + [] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 + [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + [] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +autofs_wait_queue structs should be freed if their wait_ctr becomes zero. +Otherwise they will be lost. + +In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new +waitqueue struct is allocated in autofs_wait(), its initial wait_ctr +equals 2. After that wait_event_killable() is interrupted (it returns +-ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not +satisfied. Actually, this condition can be satisfied when +autofs_wait_release() or autofs_catatonic_mode() is called and, what is +also important, wait_ctr is decremented in those places. Upon the exit of +autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process +begins: kill_sb calls autofs_catatonic_mode(), which should have freed the +waitqueues, but it only decrements its usage counter to zero which is not +a correct behaviour. + +edit:imk +This description is of course not correct. The umount performed as a result +of an expire is a umount of a mount that has been automounted, it's not the +autofs mount itself. They happen independently, usually after everything +mounted within the autofs file system has been expired away. If everything +hasn't been expired away the automount daemon can still exit leaving mounts +in place. But expires done in both cases will result in a notification that +calls autofs_wait_release() with a result status. The problem case is the +summary execution of of the automount daemon. In this case any waiting +processes won't be woken up until either they are terminated or the mount +is umounted. +end edit: imk + +So in catatonic mode we should free waitqueues which counter becomes zero. + +edit: imk +Initially I was concerned that the calling of autofs_wait_release() and +autofs_catatonic_mode() was not mutually exclusive but that can't be the +case (obviously) because the queue entry (or entries) is removed from the +list when either of these two functions are called. Consequently the wait +entry will be freed by only one of these functions or by the woken process +in autofs_wait() depending on the order of the calls. +end edit: imk + +Reported-by: syzbot+5e53f70e69ff0c0a1c0c@syzkaller.appspotmail.com +Suggested-by: Takeshi Misawa +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Ian Kent +Cc: Matthew Wilcox +Cc: Andrei Vagin +Cc: autofs@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Message-Id: <169112719161.7590.6700123246297365841.stgit@donald.themaw.net> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/autofs/waitq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c +index 5ced859dac539..dd479198310e8 100644 +--- a/fs/autofs/waitq.c ++++ b/fs/autofs/waitq.c +@@ -32,8 +32,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) + wq->status = -ENOENT; /* Magic is gone - report failure */ + kfree(wq->name.name); + wq->name.name = NULL; +- wq->wait_ctr--; + wake_up_interruptible(&wq->queue); ++ if (!--wq->wait_ctr) ++ kfree(wq); + wq = nwq; + } + fput(sbi->pipe); /* Close the pipe */ +-- +2.40.1 + diff --git a/queue-5.10/btrfs-add-a-helper-to-read-the-superblock-metadata_u.patch b/queue-5.10/btrfs-add-a-helper-to-read-the-superblock-metadata_u.patch new file mode 100644 index 00000000000..d5e323883f5 --- /dev/null +++ b/queue-5.10/btrfs-add-a-helper-to-read-the-superblock-metadata_u.patch @@ -0,0 +1,58 @@ +From f463c8602b620e35b411ebd55af7e863c1663a04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 19:16:32 +0800 +Subject: btrfs: add a helper to read the superblock metadata_uuid + +From: Anand Jain + +[ Upstream commit 4844c3664a72d36cc79752cb651c78860b14c240 ] + +In some cases, we need to read the FSID from the superblock when the +metadata_uuid is not set, and otherwise, read the metadata_uuid. So, +add a helper. + +Reviewed-by: Johannes Thumshirn +Tested-by: Guilherme G. Piccoli +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: 6bfe3959b0e7 ("btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super") +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 8 ++++++++ + fs/btrfs/volumes.h | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index b798586263ebb..86c50e0570a5e 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -718,6 +718,14 @@ static int btrfs_open_one_device(struct btrfs_fs_devices *fs_devices, + return -EINVAL; + } + ++u8 *btrfs_sb_fsid_ptr(struct btrfs_super_block *sb) ++{ ++ bool has_metadata_uuid = (btrfs_super_incompat_flags(sb) & ++ BTRFS_FEATURE_INCOMPAT_METADATA_UUID); ++ ++ return has_metadata_uuid ? sb->metadata_uuid : sb->fsid; ++} ++ + /* + * Handle scanned device having its CHANGING_FSID_V2 flag set and the fs_devices + * being created with a disk that has already completed its fsid change. Such +diff --git a/fs/btrfs/volumes.h b/fs/btrfs/volumes.h +index 2463aeb34ab55..b2046e92b9143 100644 +--- a/fs/btrfs/volumes.h ++++ b/fs/btrfs/volumes.h +@@ -581,5 +581,6 @@ const char *btrfs_bg_type_to_raid_name(u64 flags); + int btrfs_verify_dev_extents(struct btrfs_fs_info *fs_info); + + bool btrfs_pinned_by_swapfile(struct btrfs_fs_info *fs_info, void *ptr); ++u8 *btrfs_sb_fsid_ptr(struct btrfs_super_block *sb); + + #endif +-- +2.40.1 + diff --git a/queue-5.10/btrfs-compare-the-correct-fsid-metadata_uuid-in-btrf.patch b/queue-5.10/btrfs-compare-the-correct-fsid-metadata_uuid-in-btrf.patch new file mode 100644 index 00000000000..268d720b081 --- /dev/null +++ b/queue-5.10/btrfs-compare-the-correct-fsid-metadata_uuid-in-btrf.patch @@ -0,0 +1,66 @@ +From 6a5fd23af77fef34cae32106924c0aaf9e732296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jul 2023 19:16:35 +0800 +Subject: btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super + +From: Anand Jain + +[ Upstream commit 6bfe3959b0e7a526f5c64747801a8613f002f05a ] + +The function btrfs_validate_super() should verify the metadata_uuid in +the provided superblock argument. Because, all its callers expect it to +do that. + +Such as in the following stacks: + + write_all_supers() + sb = fs_info->super_for_commit; + btrfs_validate_write_super(.., sb) + btrfs_validate_super(.., sb, ..) + + scrub_one_super() + btrfs_validate_super(.., sb, ..) + +And + check_dev_super() + btrfs_validate_super(.., sb, ..) + +However, it currently verifies the fs_info::super_copy::metadata_uuid +instead. Fix this using the correct metadata_uuid in the superblock +argument. + +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Johannes Thumshirn +Tested-by: Guilherme G. Piccoli +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 1bc6909d4de94..0e25a3f64b2e0 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2503,13 +2503,11 @@ static int validate_super(struct btrfs_fs_info *fs_info, + ret = -EINVAL; + } + +- if (btrfs_fs_incompat(fs_info, METADATA_UUID) && +- memcmp(fs_info->fs_devices->metadata_uuid, +- fs_info->super_copy->metadata_uuid, BTRFS_FSID_SIZE)) { ++ if (memcmp(fs_info->fs_devices->metadata_uuid, btrfs_sb_fsid_ptr(sb), ++ BTRFS_FSID_SIZE) != 0) { + btrfs_err(fs_info, + "superblock metadata_uuid doesn't match metadata uuid of fs_devices: %pU != %pU", +- fs_info->super_copy->metadata_uuid, +- fs_info->fs_devices->metadata_uuid); ++ btrfs_sb_fsid_ptr(sb), fs_info->fs_devices->metadata_uuid); + ret = -EINVAL; + } + +-- +2.40.1 + diff --git a/queue-5.10/btrfs-move-btrfs_pinned_by_swapfile-prototype-into-v.patch b/queue-5.10/btrfs-move-btrfs_pinned_by_swapfile-prototype-into-v.patch new file mode 100644 index 00000000000..dad274b53a6 --- /dev/null +++ b/queue-5.10/btrfs-move-btrfs_pinned_by_swapfile-prototype-into-v.patch @@ -0,0 +1,50 @@ +From cbbe23898ba53a3f87535d02a99d1068c201c2f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 19:04:40 -0400 +Subject: btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h + +From: Josef Bacik + +[ Upstream commit c2e79e865b87c2920a3cd39de69c35f2bc758a51 ] + +This is defined in volumes.c, move the prototype into volumes.h. + +Reviewed-by: Johannes Thumshirn +Reviewed-by: Anand Jain +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: 6bfe3959b0e7 ("btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super") +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 2 -- + fs/btrfs/volumes.h | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index bcc6848bb6d6a..67831868ef0de 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -529,8 +529,6 @@ struct btrfs_swapfile_pin { + int bg_extent_count; + }; + +-bool btrfs_pinned_by_swapfile(struct btrfs_fs_info *fs_info, void *ptr); +- + enum { + BTRFS_FS_BARRIER, + BTRFS_FS_CLOSING_START, +diff --git a/fs/btrfs/volumes.h b/fs/btrfs/volumes.h +index f2177263748e8..2463aeb34ab55 100644 +--- a/fs/btrfs/volumes.h ++++ b/fs/btrfs/volumes.h +@@ -580,4 +580,6 @@ int btrfs_bg_type_to_factor(u64 flags); + const char *btrfs_bg_type_to_raid_name(u64 flags); + int btrfs_verify_dev_extents(struct btrfs_fs_info *fs_info); + ++bool btrfs_pinned_by_swapfile(struct btrfs_fs_info *fs_info, void *ptr); ++ + #endif +-- +2.40.1 + diff --git a/queue-5.10/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch b/queue-5.10/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch new file mode 100644 index 00000000000..fddffa3e677 --- /dev/null +++ b/queue-5.10/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch @@ -0,0 +1,52 @@ +From d48bf4496f02bae3543f3973683de75d9cb02083 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 19:02:28 +0800 +Subject: btrfs: output extra debug info if we failed to find an inline backref + +From: Qu Wenruo + +[ Upstream commit 7f72f50547b7af4ddf985b07fc56600a4deba281 ] + +[BUG] +Syzbot reported several warning triggered inside +lookup_inline_extent_backref(). + +[CAUSE] +As usual, the reproducer doesn't reliably trigger locally here, but at +least we know the WARN_ON() is triggered when an inline backref can not +be found, and it can only be triggered when @insert is true. (I.e. +inserting a new inline backref, which means the backref should already +exist) + +[ENHANCEMENT] +After the WARN_ON(), dump all the parameters and the extent tree +leaf to help debug. + +Link: https://syzkaller.appspot.com/bug?extid=d6f9ff86c1d804ba2bc6 +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 9cdf50e2484e1..4d2f25ebe3048 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -857,6 +857,11 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans, + err = -ENOENT; + goto out; + } else if (WARN_ON(ret)) { ++ btrfs_print_leaf(path->nodes[0]); ++ btrfs_err(fs_info, ++"extent item not found for insert, bytenr %llu num_bytes %llu parent %llu root_objectid %llu owner %llu offset %llu", ++ bytenr, num_bytes, parent, root_objectid, owner, ++ offset); + err = -EIO; + goto out; + } +-- +2.40.1 + diff --git a/queue-5.10/bus-ti-sysc-configure-uart-quirks-for-k3-soc.patch b/queue-5.10/bus-ti-sysc-configure-uart-quirks-for-k3-soc.patch new file mode 100644 index 00000000000..278c1c52121 --- /dev/null +++ b/queue-5.10/bus-ti-sysc-configure-uart-quirks-for-k3-soc.patch @@ -0,0 +1,39 @@ +From e14684d8f1718fdd9dfc290c8542f4e9a79ee85c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 13:38:01 +0300 +Subject: bus: ti-sysc: Configure uart quirks for k3 SoC + +From: Tony Lindgren + +[ Upstream commit 03a711d3cb83692733f865312f49e665c49de6de ] + +Enable the uart quirks similar to the earlier SoCs. Let's assume we are +likely going to need a k3 specific quirk mask separate from the earlier +SoCs, so let's not start changing the revision register mask at this point. + +Note that SYSC_QUIRK_LEGACY_IDLE will be needed until we can remove the +need for pm_runtime_irq_safe() from 8250_omap driver. + +Reviewed-by: Nishanth Menon +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index c8e0f8cb9aa32..5e8c078efd22a 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -1504,6 +1504,8 @@ static const struct sysc_revision_quirk sysc_revision_quirks[] = { + SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_LEGACY_IDLE), + SYSC_QUIRK("uart", 0, 0x50, 0x54, 0x58, 0x47422e03, 0xffffffff, + SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_LEGACY_IDLE), ++ SYSC_QUIRK("uart", 0, 0x50, 0x54, 0x58, 0x47424e03, 0xffffffff, ++ SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_LEGACY_IDLE), + + /* Quirks that need to be set based on the module address */ + SYSC_QUIRK("mcpdm", 0x40132000, 0, 0x10, -ENODEV, 0x50000800, 0xffffffff, +-- +2.40.1 + diff --git a/queue-5.10/crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch b/queue-5.10/crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch new file mode 100644 index 00000000000..7d60873fc7c --- /dev/null +++ b/queue-5.10/crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch @@ -0,0 +1,45 @@ +From 72e0bfd74e1dee2860aed93abfb7d05654eb9068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Aug 2023 09:32:18 +0000 +Subject: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() + +From: Mark O'Donovan + +[ Upstream commit 9e47a758b70167c9301d2b44d2569f86c7796f2d ] + +During NVMeTCP Authentication a controller can trigger a kernel +oops by specifying the 8192 bit Diffie Hellman group and passing +a correctly sized, but zeroed Diffie Hellamn value. +mpi_cmp_ui() was detecting this if the second parameter was 0, +but 1 is passed from dh_is_pubkey_valid(). This causes the null +pointer u->d to be dereferenced towards the end of mpi_cmp_ui() + +Signed-off-by: Mark O'Donovan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/mpi-cmp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/mpi/mpi-cmp.c b/lib/mpi/mpi-cmp.c +index c4cfa3ff05818..0835b6213235e 100644 +--- a/lib/mpi/mpi-cmp.c ++++ b/lib/mpi/mpi-cmp.c +@@ -25,8 +25,12 @@ int mpi_cmp_ui(MPI u, unsigned long v) + mpi_limb_t limb = v; + + mpi_normalize(u); +- if (!u->nlimbs && !limb) +- return 0; ++ if (u->nlimbs == 0) { ++ if (v == 0) ++ return 0; ++ else ++ return -1; ++ } + if (u->sign) + return -1; + if (u->nlimbs > 1) +-- +2.40.1 + diff --git a/queue-5.10/crypto-lrw-xts-replace-strlcpy-with-strscpy.patch b/queue-5.10/crypto-lrw-xts-replace-strlcpy-with-strscpy.patch new file mode 100644 index 00000000000..940e2c984c8 --- /dev/null +++ b/queue-5.10/crypto-lrw-xts-replace-strlcpy-with-strscpy.patch @@ -0,0 +1,70 @@ +From 18f8ade8535b7976527276636a2e8847d446624e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 20:08:32 +0000 +Subject: crypto: lrw,xts - Replace strlcpy with strscpy + +From: Azeem Shaikh + +[ Upstream commit babb80b3ecc6f40c962e13c654ebcd27f25ee327 ] + +strlcpy() reads the entire source buffer first. +This read may exceed the destination size limit. +This is both inefficient and can lead to linear read +overflows if a source string is not NUL-terminated [1]. +In an effort to remove strlcpy() completely [2], replace +strlcpy() here with strscpy(). + +Direct replacement is safe here since return value of -errno +is used to check for truncation instead of sizeof(dest). + +[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy +[2] https://github.com/KSPP/linux/issues/89 + +Signed-off-by: Azeem Shaikh +Reviewed-by: Kees Cook +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/lrw.c | 6 +++--- + crypto/xts.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/crypto/lrw.c b/crypto/lrw.c +index bcf09fbc750af..80d9076e42e0b 100644 +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -357,10 +357,10 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb) + * cipher name. + */ + if (!strncmp(cipher_name, "ecb(", 4)) { +- unsigned len; ++ int len; + +- len = strlcpy(ecb_name, cipher_name + 4, sizeof(ecb_name)); +- if (len < 2 || len >= sizeof(ecb_name)) ++ len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name)); ++ if (len < 2) + goto err_free_inst; + + if (ecb_name[len - 1] != ')') +diff --git a/crypto/xts.c b/crypto/xts.c +index c6a105dba38b9..74dc199d54867 100644 +--- a/crypto/xts.c ++++ b/crypto/xts.c +@@ -395,10 +395,10 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb) + * cipher name. + */ + if (!strncmp(cipher_name, "ecb(", 4)) { +- unsigned len; ++ int len; + +- len = strlcpy(ctx->name, cipher_name + 4, sizeof(ctx->name)); +- if (len < 2 || len >= sizeof(ctx->name)) ++ len = strscpy(ctx->name, cipher_name + 4, sizeof(ctx->name)); ++ if (len < 2) + goto err_free_inst; + + if (ctx->name[len - 1] != ')') +-- +2.40.1 + diff --git a/queue-5.10/devlink-remove-reload-failed-checks-in-params-get-se.patch b/queue-5.10/devlink-remove-reload-failed-checks-in-params-get-se.patch new file mode 100644 index 00000000000..f8163643d31 --- /dev/null +++ b/queue-5.10/devlink-remove-reload-failed-checks-in-params-get-se.patch @@ -0,0 +1,68 @@ +From cfe30703ecfc658afcadda7b26266e334b4b8f4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 11:44:19 +0200 +Subject: devlink: remove reload failed checks in params get/set callbacks + +From: Jiri Pirko + +[ Upstream commit 633d76ad01ad0321a1ace3e5cc4fed06753d7ac4 ] + +The checks in question were introduced by: +commit 6b4db2e528f6 ("devlink: Fix use-after-free after a failed reload"). +That fixed an issue of reload with mlxsw driver. + +Back then, that was a valid fix, because there was a limitation +in place that prevented drivers from registering/unregistering params +when devlink instance was registered. + +It was possible to do the fix differently by changing drivers to +register/unregister params in appropriate places making sure the ops +operate only on memory which is allocated and initialized. But that, +as a dependency, would require to remove the limitation mentioned above. + +Eventually, this limitation was lifted by: +commit 1d18bb1a4ddd ("devlink: allow registering parameters after the instance") + +Also, the alternative fix (which also fixed another issue) was done by: +commit 74cbc3c03c82 ("mlxsw: spectrum_acl_tcam: Move devlink param to TCAM code"). + +Therefore, the checks are no longer relevant. Each driver should make +sure to have the params registered only when the memory the ops +are working with is allocated and initialized. + +So remove the checks. + +Signed-off-by: Jiri Pirko +Reviewed-by: Ido Schimmel +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/devlink.c b/net/core/devlink.c +index 00c6944ed6342..38666dde89340 100644 +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -3620,7 +3620,7 @@ static int devlink_param_get(struct devlink *devlink, + const struct devlink_param *param, + struct devlink_param_gset_ctx *ctx) + { +- if (!param->get || devlink->reload_failed) ++ if (!param->get) + return -EOPNOTSUPP; + return param->get(devlink, param->id, ctx); + } +@@ -3629,7 +3629,7 @@ static int devlink_param_set(struct devlink *devlink, + const struct devlink_param *param, + struct devlink_param_gset_ctx *ctx) + { +- if (!param->set || devlink->reload_failed) ++ if (!param->set) + return -EOPNOTSUPP; + return param->set(devlink, param->id, ctx); + } +-- +2.40.1 + diff --git a/queue-5.10/drm-bridge-tc358762-instruct-dsi-host-to-generate-hs.patch b/queue-5.10/drm-bridge-tc358762-instruct-dsi-host-to-generate-hs.patch new file mode 100644 index 00000000000..00cb970d8f6 --- /dev/null +++ b/queue-5.10/drm-bridge-tc358762-instruct-dsi-host-to-generate-hs.patch @@ -0,0 +1,38 @@ +From 57638f73a3e390e13bbe0e74063d706ffad460c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 22:19:00 +0200 +Subject: drm/bridge: tc358762: Instruct DSI host to generate HSE packets + +From: Marek Vasut + +[ Upstream commit 362fa8f6e6a05089872809f4465bab9d011d05b3 ] + +This bridge seems to need the HSE packet, otherwise the image is +shifted up and corrupted at the bottom. This makes the bridge +work with Samsung DSIM on i.MX8MM and i.MX8MP. + +Signed-off-by: Marek Vasut +Reviewed-by: Sam Ravnborg +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230615201902.566182-3-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358762.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/tc358762.c b/drivers/gpu/drm/bridge/tc358762.c +index 1bfdfc6affafe..21c57d3435687 100644 +--- a/drivers/gpu/drm/bridge/tc358762.c ++++ b/drivers/gpu/drm/bridge/tc358762.c +@@ -224,7 +224,7 @@ static int tc358762_probe(struct mipi_dsi_device *dsi) + dsi->lanes = 1; + dsi->format = MIPI_DSI_FMT_RGB888; + dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE | +- MIPI_DSI_MODE_LPM; ++ MIPI_DSI_MODE_LPM | MIPI_DSI_MODE_VIDEO_HSE; + + ret = tc358762_parse_dt(ctx); + if (ret < 0) +-- +2.40.1 + diff --git a/queue-5.10/drm-exynos-fix-a-possible-null-pointer-dereference-d.patch b/queue-5.10/drm-exynos-fix-a-possible-null-pointer-dereference-d.patch new file mode 100644 index 00000000000..537f849e555 --- /dev/null +++ b/queue-5.10/drm-exynos-fix-a-possible-null-pointer-dereference-d.patch @@ -0,0 +1,61 @@ +From 5bf08b83f16311ed268d352b1ef7fc19280c50a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 10:19:06 +0800 +Subject: drm/exynos: fix a possible null-pointer dereference due to data race + in exynos_drm_crtc_atomic_disable() + +From: Tuo Li + +[ Upstream commit 2e63972a2de14482d0eae1a03a73e379f1c3f44c ] + +The variable crtc->state->event is often protected by the lock +crtc->dev->event_lock when is accessed. However, it is accessed as a +condition of an if statement in exynos_drm_crtc_atomic_disable() without +holding the lock: + + if (crtc->state->event && !crtc->state->active) + +However, if crtc->state->event is changed to NULL by another thread right +after the conditions of the if statement is checked to be true, a +null-pointer dereference can occur in drm_crtc_send_vblank_event(): + + e->pipe = pipe; + +To fix this possible null-pointer dereference caused by data race, the +spin lock coverage is extended to protect the if statement as well as the +function call to drm_crtc_send_vblank_event(). + +Reported-by: BassCheck +Link: https://sites.google.com/view/basscheck/home +Signed-off-by: Tuo Li +Reviewed-by: Krzysztof Kozlowski +Added relevant link. +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_crtc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c +index 1c03485676efa..de9fadccf22e5 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c +@@ -39,13 +39,12 @@ static void exynos_drm_crtc_atomic_disable(struct drm_crtc *crtc, + if (exynos_crtc->ops->atomic_disable) + exynos_crtc->ops->atomic_disable(exynos_crtc); + ++ spin_lock_irq(&crtc->dev->event_lock); + if (crtc->state->event && !crtc->state->active) { +- spin_lock_irq(&crtc->dev->event_lock); + drm_crtc_send_vblank_event(crtc, crtc->state->event); +- spin_unlock_irq(&crtc->dev->event_lock); +- + crtc->state->event = NULL; + } ++ spin_unlock_irq(&crtc->dev->event_lock); + } + + static int exynos_crtc_atomic_check(struct drm_crtc *crtc, +-- +2.40.1 + diff --git a/queue-5.10/drm-gm12u320-fix-the-timeout-usage-for-usb_bulk_msg.patch b/queue-5.10/drm-gm12u320-fix-the-timeout-usage-for-usb_bulk_msg.patch new file mode 100644 index 00000000000..e7f03893378 --- /dev/null +++ b/queue-5.10/drm-gm12u320-fix-the-timeout-usage-for-usb_bulk_msg.patch @@ -0,0 +1,59 @@ +From baacc3d1052a0d422b63c914baeb211ea6de1186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Sep 2023 10:14:20 +0800 +Subject: drm: gm12u320: Fix the timeout usage for usb_bulk_msg() + +From: Jinjie Ruan + +[ Upstream commit 7583028d359db3cd0072badcc576b4f9455fd27a ] + +The timeout arg of usb_bulk_msg() is ms already, which has been converted +to jiffies by msecs_to_jiffies() in usb_start_wait_urb(). So fix the usage +by removing the redundant msecs_to_jiffies() in the macros. + +And as Hans suggested, also remove msecs_to_jiffies() for the IDLE_TIMEOUT +macro to make it consistent here and so change IDLE_TIMEOUT to +msecs_to_jiffies(IDLE_TIMEOUT) where it is used. + +Fixes: e4f86e437164 ("drm: Add Grain Media GM12U320 driver v2") +Signed-off-by: Jinjie Ruan +Suggested-by: Hans de Goede +Reviewed-by: Hans de Goede +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230904021421.1663892-1-ruanjinjie@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tiny/gm12u320.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/tiny/gm12u320.c b/drivers/gpu/drm/tiny/gm12u320.c +index 0f5d1e598d75f..1656f3ee0b193 100644 +--- a/drivers/gpu/drm/tiny/gm12u320.c ++++ b/drivers/gpu/drm/tiny/gm12u320.c +@@ -67,10 +67,10 @@ MODULE_PARM_DESC(eco_mode, "Turn on Eco mode (less bright, more silent)"); + #define READ_STATUS_SIZE 13 + #define MISC_VALUE_SIZE 4 + +-#define CMD_TIMEOUT msecs_to_jiffies(200) +-#define DATA_TIMEOUT msecs_to_jiffies(1000) +-#define IDLE_TIMEOUT msecs_to_jiffies(2000) +-#define FIRST_FRAME_TIMEOUT msecs_to_jiffies(2000) ++#define CMD_TIMEOUT 200 ++#define DATA_TIMEOUT 1000 ++#define IDLE_TIMEOUT 2000 ++#define FIRST_FRAME_TIMEOUT 2000 + + #define MISC_REQ_GET_SET_ECO_A 0xff + #define MISC_REQ_GET_SET_ECO_B 0x35 +@@ -399,7 +399,7 @@ static void gm12u320_fb_update_work(struct work_struct *work) + * switches back to showing its logo. + */ + queue_delayed_work(system_long_wq, &gm12u320->fb_update.work, +- IDLE_TIMEOUT); ++ msecs_to_jiffies(IDLE_TIMEOUT)); + + return; + err: +-- +2.40.1 + diff --git a/queue-5.10/ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch b/queue-5.10/ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch new file mode 100644 index 00000000000..c4d54133c66 --- /dev/null +++ b/queue-5.10/ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch @@ -0,0 +1,55 @@ +From c48f9a386128d4ace20448d91efc450d244e9669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 12:03:40 +0200 +Subject: ext2: fix datatype of block number in ext2_xattr_set2() + +From: Georg Ottinger + +[ Upstream commit e88076348425b7d0491c8c98d8732a7df8de7aa3 ] + +I run a small server that uses external hard drives for backups. The +backup software I use uses ext2 filesystems with 4KiB block size and +the server is running SELinux and therefore relies on xattr. I recently +upgraded the hard drives from 4TB to 12TB models. I noticed that after +transferring some TBs I got a filesystem error "Freeing blocks not in +datazone - block = 18446744071529317386, count = 1" and the backup +process stopped. Trying to fix the fs with e2fsck resulted in a +completely corrupted fs. The error probably came from ext2_free_blocks(), +and because of the large number 18e19 this problem immediately looked +like some kind of integer overflow. Whereas the 4TB fs was about 1e9 +blocks, the new 12TB is about 3e9 blocks. So, searching the ext2 code, +I came across the line in fs/ext2/xattr.c:745 where ext2_new_block() +is called and the resulting block number is stored in the variable block +as an int datatype. If a block with a block number greater than +INT32_MAX is returned, this variable overflows and the call to +sb_getblk() at line fs/ext2/xattr.c:750 fails, then the call to +ext2_free_blocks() produces the error. + +Signed-off-by: Georg Ottinger +Signed-off-by: Jan Kara +Message-Id: <20230815100340.22121-1-g.ottinger@gmx.at> +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index 841fa6d9d744b..f1dc11dab0d88 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -694,10 +694,10 @@ ext2_xattr_set2(struct inode *inode, struct buffer_head *old_bh, + /* We need to allocate a new block */ + ext2_fsblk_t goal = ext2_group_first_block_no(sb, + EXT2_I(inode)->i_block_group); +- int block = ext2_new_block(inode, goal, &error); ++ ext2_fsblk_t block = ext2_new_block(inode, goal, &error); + if (error) + goto cleanup; +- ea_idebug(inode, "creating block %d", block); ++ ea_idebug(inode, "creating block %lu", block); + + new_bh = sb_getblk(sb, block); + if (unlikely(!new_bh)) { +-- +2.40.1 + diff --git a/queue-5.10/fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch b/queue-5.10/fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch new file mode 100644 index 00000000000..4abe1dff976 --- /dev/null +++ b/queue-5.10/fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch @@ -0,0 +1,121 @@ +From 33623fe21f64d4a3ca91f92abed17a1e0756ccea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Jul 2023 17:05:42 +0300 +Subject: fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() + +From: Andrew Kanner + +[ Upstream commit cade5397e5461295f3cb87880534b6a07cafa427 ] + +Syzkaller reported the following issue: +================================================================== +BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] +BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 +Free of addr ffff888086408000 by task syz-executor.4/12750 +[...] +Call Trace: + +[...] + kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 + ____kasan_slab_free+0xfb/0x120 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x71/0x110 mm/slub.c:3800 + dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 + jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 + jfs_put_super+0x86/0x190 fs/jfs/super.c:194 + generic_shutdown_super+0x130/0x310 fs/super.c:492 + kill_block_super+0x79/0xd0 fs/super.c:1386 + deactivate_locked_super+0xa7/0xf0 fs/super.c:332 + cleanup_mnt+0x494/0x520 fs/namespace.c:1291 + task_work_run+0x243/0x300 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 + exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 + do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] + + +Allocated by task 13352: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 + kmalloc include/linux/slab.h:580 [inline] + dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 + jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 + jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 + mount_bdev+0x26c/0x3a0 fs/super.c:1359 + legacy_get_tree+0xea/0x180 fs/fs_context.c:610 + vfs_get_tree+0x88/0x270 fs/super.c:1489 + do_new_mount+0x289/0xad0 fs/namespace.c:3145 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 13352: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 + kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x71/0x110 mm/slub.c:3800 + dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 + jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 + jfs_remount+0x3db/0x710 fs/jfs/super.c:454 + reconfigure_super+0x3bc/0x7b0 fs/super.c:935 + vfs_fsconfig_locked fs/fsopen.c:254 [inline] + __do_sys_fsconfig fs/fsopen.c:439 [inline] + __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] + +JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in +dbUnmount(). + +Syzkaller uses faultinject to reproduce this KASAN double-free +warning. The issue is triggered if either diMount() or dbMount() fail +in jfs_remount(), since diUnmount() or dbUnmount() already happened in +such a case - they will do double-free on next execution: jfs_umount +or jfs_remount. + +Tested on both upstream and jfs-next by syzkaller. + +Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/ +Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9 +Signed-off-by: Andrew Kanner +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index cef3303d94995..a9c078fc2302a 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror) + + /* free the memory for the in-memory bmap. */ + kfree(bmp); ++ JFS_SBI(ipbmap->i_sb)->bmap = NULL; + + return (0); + } +-- +2.40.1 + diff --git a/queue-5.10/hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch b/queue-5.10/hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch new file mode 100644 index 00000000000..8fce10cc657 --- /dev/null +++ b/queue-5.10/hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch @@ -0,0 +1,150 @@ +From 529f6548a891f35396bdd3e6a131cb7dfd771c7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 12:19:23 -0700 +Subject: hw_breakpoint: fix single-stepping when using bpf_overflow_handler + +From: Tomislav Novak + +[ Upstream commit d11a69873d9a7435fe6a48531e165ab80a8b1221 ] + +Arm platforms use is_default_overflow_handler() to determine if the +hw_breakpoint code should single-step over the breakpoint trigger or +let the custom handler deal with it. + +Since bpf_overflow_handler() currently isn't recognized as a default +handler, attaching a BPF program to a PERF_TYPE_BREAKPOINT event causes +it to keep firing (the instruction triggering the data abort exception +is never skipped). For example: + + # bpftrace -e 'watchpoint:0x10000:4:w { print("hit") }' -c ./test + Attaching 1 probe... + hit + hit + [...] + ^C + +(./test performs a single 4-byte store to 0x10000) + +This patch replaces the check with uses_default_overflow_handler(), +which accounts for the bpf_overflow_handler() case by also testing +if one of the perf_event_output functions gets invoked indirectly, +via orig_default_handler. + +Signed-off-by: Tomislav Novak +Tested-by: Samuel Gosselin # arm64 +Reviewed-by: Catalin Marinas +Acked-by: Alexei Starovoitov +Link: https://lore.kernel.org/linux-arm-kernel/20220923203644.2731604-1-tnovak@fb.com/ +Link: https://lore.kernel.org/r/20230605191923.1219974-1-tnovak@meta.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/hw_breakpoint.c | 8 ++++---- + arch/arm64/kernel/hw_breakpoint.c | 4 ++-- + include/linux/perf_event.h | 22 +++++++++++++++++++--- + 3 files changed, 25 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index b1423fb130ea4..8f1fa7aac31fb 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -626,7 +626,7 @@ int hw_breakpoint_arch_parse(struct perf_event *bp, + hw->address &= ~alignment_mask; + hw->ctrl.len <<= offset; + +- if (is_default_overflow_handler(bp)) { ++ if (uses_default_overflow_handler(bp)) { + /* + * Mismatch breakpoints are required for single-stepping + * breakpoints. +@@ -798,7 +798,7 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + * Otherwise, insert a temporary mismatch breakpoint so that + * we can single-step over the watchpoint trigger. + */ +- if (!is_default_overflow_handler(wp)) ++ if (!uses_default_overflow_handler(wp)) + continue; + step: + enable_single_step(wp, instruction_pointer(regs)); +@@ -811,7 +811,7 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + info->trigger = addr; + pr_debug("watchpoint fired: address = 0x%x\n", info->trigger); + perf_bp_event(wp, regs); +- if (is_default_overflow_handler(wp)) ++ if (uses_default_overflow_handler(wp)) + enable_single_step(wp, instruction_pointer(regs)); + } + +@@ -886,7 +886,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs) + info->trigger = addr; + pr_debug("breakpoint fired: address = 0x%x\n", addr); + perf_bp_event(bp, regs); +- if (is_default_overflow_handler(bp)) ++ if (uses_default_overflow_handler(bp)) + enable_single_step(bp, addr); + goto unlock; + } +diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c +index 712e97c03e54c..e5a0c38f1b5ee 100644 +--- a/arch/arm64/kernel/hw_breakpoint.c ++++ b/arch/arm64/kernel/hw_breakpoint.c +@@ -654,7 +654,7 @@ static int breakpoint_handler(unsigned long unused, unsigned int esr, + perf_bp_event(bp, regs); + + /* Do we need to handle the stepping? */ +- if (is_default_overflow_handler(bp)) ++ if (uses_default_overflow_handler(bp)) + step = 1; + unlock: + rcu_read_unlock(); +@@ -733,7 +733,7 @@ static u64 get_distance_from_watchpoint(unsigned long addr, u64 val, + static int watchpoint_report(struct perf_event *wp, unsigned long addr, + struct pt_regs *regs) + { +- int step = is_default_overflow_handler(wp); ++ int step = uses_default_overflow_handler(wp); + struct arch_hw_breakpoint *info = counter_arch_bp(wp); + + info->trigger = addr; +diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h +index 67a50c78232fe..93dffe2f3fff2 100644 +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -1069,15 +1069,31 @@ extern int perf_event_output(struct perf_event *event, + struct pt_regs *regs); + + static inline bool +-is_default_overflow_handler(struct perf_event *event) ++__is_default_overflow_handler(perf_overflow_handler_t overflow_handler) + { +- if (likely(event->overflow_handler == perf_event_output_forward)) ++ if (likely(overflow_handler == perf_event_output_forward)) + return true; +- if (unlikely(event->overflow_handler == perf_event_output_backward)) ++ if (unlikely(overflow_handler == perf_event_output_backward)) + return true; + return false; + } + ++#define is_default_overflow_handler(event) \ ++ __is_default_overflow_handler((event)->overflow_handler) ++ ++#ifdef CONFIG_BPF_SYSCALL ++static inline bool uses_default_overflow_handler(struct perf_event *event) ++{ ++ if (likely(is_default_overflow_handler(event))) ++ return true; ++ ++ return __is_default_overflow_handler(event->orig_overflow_handler); ++} ++#else ++#define uses_default_overflow_handler(event) \ ++ is_default_overflow_handler(event) ++#endif ++ + extern void + perf_event_header__init_id(struct perf_event_header *header, + struct perf_sample_data *data, +-- +2.40.1 + diff --git a/queue-5.10/interconnect-fix-locking-for-runpm-vs-reclaim.patch b/queue-5.10/interconnect-fix-locking-for-runpm-vs-reclaim.patch new file mode 100644 index 00000000000..593533f2da1 --- /dev/null +++ b/queue-5.10/interconnect-fix-locking-for-runpm-vs-reclaim.patch @@ -0,0 +1,249 @@ +From 55b60fb81f1ff7c95330091b2114314e5b59e75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Aug 2023 10:11:40 -0700 +Subject: interconnect: Fix locking for runpm vs reclaim + +From: Rob Clark + +[ Upstream commit af42269c3523492d71ebbe11fefae2653e9cdc78 ] + +For cases where icc_bw_set() can be called in callbaths that could +deadlock against shrinker/reclaim, such as runpm resume, we need to +decouple the icc locking. Introduce a new icc_bw_lock for cases where +we need to serialize bw aggregation and update to decouple that from +paths that require memory allocation such as node/link creation/ +destruction. + +Fixes this lockdep splat: + + ====================================================== + WARNING: possible circular locking dependency detected + 6.2.0-rc8-debug+ #554 Not tainted + ------------------------------------------------------ + ring0/132 is trying to acquire lock: + ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234 + + but task is already holding lock: + ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #4 (dma_fence_map){++++}-{0:0}: + __dma_fence_might_wait+0x74/0xc0 + dma_resv_lockdep+0x1f4/0x2f4 + do_one_initcall+0x104/0x2bc + kernel_init_freeable+0x344/0x34c + kernel_init+0x30/0x134 + ret_from_fork+0x10/0x20 + + -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: + fs_reclaim_acquire+0x80/0xa8 + slab_pre_alloc_hook.constprop.0+0x40/0x25c + __kmem_cache_alloc_node+0x60/0x1cc + __kmalloc+0xd8/0x100 + topology_parse_cpu_capacity+0x8c/0x178 + get_cpu_for_node+0x88/0xc4 + parse_cluster+0x1b0/0x28c + parse_cluster+0x8c/0x28c + init_cpu_topology+0x168/0x188 + smp_prepare_cpus+0x24/0xf8 + kernel_init_freeable+0x18c/0x34c + kernel_init+0x30/0x134 + ret_from_fork+0x10/0x20 + + -> #2 (fs_reclaim){+.+.}-{0:0}: + __fs_reclaim_acquire+0x3c/0x48 + fs_reclaim_acquire+0x54/0xa8 + slab_pre_alloc_hook.constprop.0+0x40/0x25c + __kmem_cache_alloc_node+0x60/0x1cc + __kmalloc+0xd8/0x100 + kzalloc.constprop.0+0x14/0x20 + icc_node_create_nolock+0x4c/0xc4 + icc_node_create+0x38/0x58 + qcom_icc_rpmh_probe+0x1b8/0x248 + platform_probe+0x70/0xc4 + really_probe+0x158/0x290 + __driver_probe_device+0xc8/0xe0 + driver_probe_device+0x44/0x100 + __driver_attach+0xf8/0x108 + bus_for_each_dev+0x78/0xc4 + driver_attach+0x2c/0x38 + bus_add_driver+0xd0/0x1d8 + driver_register+0xbc/0xf8 + __platform_driver_register+0x30/0x3c + qnoc_driver_init+0x24/0x30 + do_one_initcall+0x104/0x2bc + kernel_init_freeable+0x344/0x34c + kernel_init+0x30/0x134 + ret_from_fork+0x10/0x20 + + -> #1 (icc_lock){+.+.}-{3:3}: + __mutex_lock+0xcc/0x3c8 + mutex_lock_nested+0x30/0x44 + icc_set_bw+0x88/0x2b4 + _set_opp_bw+0x8c/0xd8 + _set_opp+0x19c/0x300 + dev_pm_opp_set_opp+0x84/0x94 + a6xx_gmu_resume+0x18c/0x804 + a6xx_pm_resume+0xf8/0x234 + adreno_runtime_resume+0x2c/0x38 + pm_generic_runtime_resume+0x30/0x44 + __rpm_callback+0x15c/0x174 + rpm_callback+0x78/0x7c + rpm_resume+0x318/0x524 + __pm_runtime_resume+0x78/0xbc + adreno_load_gpu+0xc4/0x17c + msm_open+0x50/0x120 + drm_file_alloc+0x17c/0x228 + drm_open_helper+0x74/0x118 + drm_open+0xa0/0x144 + drm_stub_open+0xd4/0xe4 + chrdev_open+0x1b8/0x1e4 + do_dentry_open+0x2f8/0x38c + vfs_open+0x34/0x40 + path_openat+0x64c/0x7b4 + do_filp_open+0x54/0xc4 + do_sys_openat2+0x9c/0x100 + do_sys_open+0x50/0x7c + __arm64_sys_openat+0x28/0x34 + invoke_syscall+0x8c/0x128 + el0_svc_common.constprop.0+0xa0/0x11c + do_el0_svc+0xac/0xbc + el0_svc+0x48/0xa0 + el0t_64_sync_handler+0xac/0x13c + el0t_64_sync+0x190/0x194 + + -> #0 (&gmu->lock){+.+.}-{3:3}: + __lock_acquire+0xe00/0x1060 + lock_acquire+0x1e0/0x2f8 + __mutex_lock+0xcc/0x3c8 + mutex_lock_nested+0x30/0x44 + a6xx_pm_resume+0xf0/0x234 + adreno_runtime_resume+0x2c/0x38 + pm_generic_runtime_resume+0x30/0x44 + __rpm_callback+0x15c/0x174 + rpm_callback+0x78/0x7c + rpm_resume+0x318/0x524 + __pm_runtime_resume+0x78/0xbc + pm_runtime_get_sync.isra.0+0x14/0x20 + msm_gpu_submit+0x58/0x178 + msm_job_run+0x78/0x150 + drm_sched_main+0x290/0x370 + kthread+0xf0/0x100 + ret_from_fork+0x10/0x20 + + other info that might help us debug this: + + Chain exists of: + &gmu->lock --> mmu_notifier_invalidate_range_start --> dma_fence_map + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(dma_fence_map); + lock(mmu_notifier_invalidate_range_start); + lock(dma_fence_map); + lock(&gmu->lock); + + *** DEADLOCK *** + + 2 locks held by ring0/132: + #0: ffffff8087191170 (&gpu->lock){+.+.}-{3:3}, at: msm_job_run+0x64/0x150 + #1: ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150 + + stack backtrace: + CPU: 7 PID: 132 Comm: ring0 Not tainted 6.2.0-rc8-debug+ #554 + Hardware name: Google Lazor (rev1 - 2) with LTE (DT) + Call trace: + dump_backtrace.part.0+0xb4/0xf8 + show_stack+0x20/0x38 + dump_stack_lvl+0x9c/0xd0 + dump_stack+0x18/0x34 + print_circular_bug+0x1b4/0x1f0 + check_noncircular+0x78/0xac + __lock_acquire+0xe00/0x1060 + lock_acquire+0x1e0/0x2f8 + __mutex_lock+0xcc/0x3c8 + mutex_lock_nested+0x30/0x44 + a6xx_pm_resume+0xf0/0x234 + adreno_runtime_resume+0x2c/0x38 + pm_generic_runtime_resume+0x30/0x44 + __rpm_callback+0x15c/0x174 + rpm_callback+0x78/0x7c + rpm_resume+0x318/0x524 + __pm_runtime_resume+0x78/0xbc + pm_runtime_get_sync.isra.0+0x14/0x20 + msm_gpu_submit+0x58/0x178 + msm_job_run+0x78/0x150 + drm_sched_main+0x290/0x370 + kthread+0xf0/0x100 + ret_from_fork+0x10/0x20 + +Signed-off-by: Rob Clark +Link: https://lore.kernel.org/r/20230807171148.210181-7-robdclark@gmail.com +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/interconnect/core.c b/drivers/interconnect/core.c +index 7db6d0fc6ec2e..64d8dcdc41fd8 100644 +--- a/drivers/interconnect/core.c ++++ b/drivers/interconnect/core.c +@@ -29,6 +29,7 @@ static LIST_HEAD(icc_providers); + static int providers_count; + static bool synced_state; + static DEFINE_MUTEX(icc_lock); ++static DEFINE_MUTEX(icc_bw_lock); + static struct dentry *icc_debugfs_dir; + + static void icc_summary_show_one(struct seq_file *s, struct icc_node *n) +@@ -632,7 +633,7 @@ int icc_set_bw(struct icc_path *path, u32 avg_bw, u32 peak_bw) + if (WARN_ON(IS_ERR(path) || !path->num_nodes)) + return -EINVAL; + +- mutex_lock(&icc_lock); ++ mutex_lock(&icc_bw_lock); + + old_avg = path->reqs[0].avg_bw; + old_peak = path->reqs[0].peak_bw; +@@ -664,7 +665,7 @@ int icc_set_bw(struct icc_path *path, u32 avg_bw, u32 peak_bw) + apply_constraints(path); + } + +- mutex_unlock(&icc_lock); ++ mutex_unlock(&icc_bw_lock); + + trace_icc_set_bw_end(path, ret); + +@@ -964,6 +965,7 @@ EXPORT_SYMBOL_GPL(icc_link_destroy); + void icc_node_add(struct icc_node *node, struct icc_provider *provider) + { + mutex_lock(&icc_lock); ++ mutex_lock(&icc_bw_lock); + + node->provider = provider; + list_add_tail(&node->node_list, &provider->nodes); +@@ -989,6 +991,7 @@ void icc_node_add(struct icc_node *node, struct icc_provider *provider) + node->avg_bw = 0; + node->peak_bw = 0; + ++ mutex_unlock(&icc_bw_lock); + mutex_unlock(&icc_lock); + } + EXPORT_SYMBOL_GPL(icc_node_add); +@@ -1115,6 +1118,7 @@ void icc_sync_state(struct device *dev) + return; + + mutex_lock(&icc_lock); ++ mutex_lock(&icc_bw_lock); + synced_state = true; + list_for_each_entry(p, &icc_providers, provider_list) { + dev_dbg(p->dev, "interconnect provider is in synced state\n"); +-- +2.40.1 + diff --git a/queue-5.10/jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch b/queue-5.10/jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch new file mode 100644 index 00000000000..9855ffff7a4 --- /dev/null +++ b/queue-5.10/jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch @@ -0,0 +1,77 @@ +From bdf4b1ee91c12cf811e1ce7a98ea3c93aa757f6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:46:28 +0800 +Subject: jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount + +From: Liu Shixin via Jfs-discussion + +[ Upstream commit 6e2bda2c192d0244b5a78b787ef20aa10cb319b7 ] + +syzbot found an invalid-free in diUnmount: + +BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline] +BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674 +Free of addr ffff88806f410000 by task syz-executor131/3632 + + CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460 + ____kasan_slab_free+0xfb/0x120 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1724 [inline] + slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750 + slab_free mm/slub.c:3661 [inline] + __kmem_cache_free+0x71/0x110 mm/slub.c:3674 + diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195 + jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63 + jfs_put_super+0x86/0x190 fs/jfs/super.c:194 + generic_shutdown_super+0x130/0x310 fs/super.c:492 + kill_block_super+0x79/0xd0 fs/super.c:1428 + deactivate_locked_super+0xa7/0xf0 fs/super.c:332 + cleanup_mnt+0x494/0x520 fs/namespace.c:1186 + task_work_run+0x243/0x300 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0x664/0x2070 kernel/exit.c:820 + do_group_exit+0x1fd/0x2b0 kernel/exit.c:950 + __do_sys_exit_group kernel/exit.c:961 [inline] + __se_sys_exit_group kernel/exit.c:959 [inline] + __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] + +JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount. +If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount(). +JFS_IP(ipimap)->i_imap will be freed once again. +Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free. + +Reported-by: syzbot+90a11e6b1e810785c6ff@syzkaller.appspotmail.com +Signed-off-by: Liu Shixin +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_imap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index 937ca07b58b1d..67c67604b8c85 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -195,6 +195,7 @@ int diUnmount(struct inode *ipimap, int mounterror) + * free in-memory control structure + */ + kfree(imap); ++ JFS_IP(ipimap)->i_imap = NULL; + + return (0); + } +-- +2.40.1 + diff --git a/queue-5.10/kernel-fork-beware-of-__put_task_struct-calling-cont.patch b/queue-5.10/kernel-fork-beware-of-__put_task_struct-calling-cont.patch new file mode 100644 index 00000000000..c710ce6dd8a --- /dev/null +++ b/queue-5.10/kernel-fork-beware-of-__put_task_struct-calling-cont.patch @@ -0,0 +1,128 @@ +From a7b946c6e6fe9d92d6521625ea6d5a76b7dc564e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 09:23:21 -0300 +Subject: kernel/fork: beware of __put_task_struct() calling context + +From: Wander Lairson Costa + +[ Upstream commit d243b34459cea30cfe5f3a9b2feb44e7daff9938 ] + +Under PREEMPT_RT, __put_task_struct() indirectly acquires sleeping +locks. Therefore, it can't be called from an non-preemptible context. + +One practical example is splat inside inactive_task_timer(), which is +called in a interrupt context: + + CPU: 1 PID: 2848 Comm: life Kdump: loaded Tainted: G W --------- + Hardware name: HP ProLiant DL388p Gen8, BIOS P70 07/15/2012 + Call Trace: + dump_stack_lvl+0x57/0x7d + mark_lock_irq.cold+0x33/0xba + mark_lock+0x1e7/0x400 + mark_usage+0x11d/0x140 + __lock_acquire+0x30d/0x930 + lock_acquire.part.0+0x9c/0x210 + rt_spin_lock+0x27/0xe0 + refill_obj_stock+0x3d/0x3a0 + kmem_cache_free+0x357/0x560 + inactive_task_timer+0x1ad/0x340 + __run_hrtimer+0x8a/0x1a0 + __hrtimer_run_queues+0x91/0x130 + hrtimer_interrupt+0x10f/0x220 + __sysvec_apic_timer_interrupt+0x7b/0xd0 + sysvec_apic_timer_interrupt+0x4f/0xd0 + asm_sysvec_apic_timer_interrupt+0x12/0x20 + RIP: 0033:0x7fff196bf6f5 + +Instead of calling __put_task_struct() directly, we defer it using +call_rcu(). A more natural approach would use a workqueue, but since +in PREEMPT_RT, we can't allocate dynamic memory from atomic context, +the code would become more complex because we would need to put the +work_struct instance in the task_struct and initialize it when we +allocate a new task_struct. + +The issue is reproducible with stress-ng: + + while true; do + stress-ng --sched deadline --sched-period 1000000000 \ + --sched-runtime 800000000 --sched-deadline \ + 1000000000 --mmapfork 23 -t 20 + done + +Reported-by: Hu Chunyu +Suggested-by: Oleg Nesterov +Suggested-by: Valentin Schneider +Suggested-by: Peter Zijlstra +Signed-off-by: Wander Lairson Costa +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20230614122323.37957-2-wander@redhat.com +Signed-off-by: Sasha Levin +--- + include/linux/sched/task.h | 28 +++++++++++++++++++++++++++- + kernel/fork.c | 8 ++++++++ + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h +index e8304e929e283..de21a45a4ee7d 100644 +--- a/include/linux/sched/task.h ++++ b/include/linux/sched/task.h +@@ -110,10 +110,36 @@ static inline struct task_struct *get_task_struct(struct task_struct *t) + } + + extern void __put_task_struct(struct task_struct *t); ++extern void __put_task_struct_rcu_cb(struct rcu_head *rhp); + + static inline void put_task_struct(struct task_struct *t) + { +- if (refcount_dec_and_test(&t->usage)) ++ if (!refcount_dec_and_test(&t->usage)) ++ return; ++ ++ /* ++ * under PREEMPT_RT, we can't call put_task_struct ++ * in atomic context because it will indirectly ++ * acquire sleeping locks. ++ * ++ * call_rcu() will schedule delayed_put_task_struct_rcu() ++ * to be called in process context. ++ * ++ * __put_task_struct() is called when ++ * refcount_dec_and_test(&t->usage) succeeds. ++ * ++ * This means that it can't "conflict" with ++ * put_task_struct_rcu_user() which abuses ->rcu the same ++ * way; rcu_users has a reference so task->usage can't be ++ * zero after rcu_users 1 -> 0 transition. ++ * ++ * delayed_free_task() also uses ->rcu, but it is only called ++ * when it fails to fork a process. Therefore, there is no ++ * way it can conflict with put_task_struct(). ++ */ ++ if (IS_ENABLED(CONFIG_PREEMPT_RT) && !preemptible()) ++ call_rcu(&t->rcu, __put_task_struct_rcu_cb); ++ else + __put_task_struct(t); + } + +diff --git a/kernel/fork.c b/kernel/fork.c +index 31455f5ab015a..633b0af1d1a73 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -745,6 +745,14 @@ void __put_task_struct(struct task_struct *tsk) + } + EXPORT_SYMBOL_GPL(__put_task_struct); + ++void __put_task_struct_rcu_cb(struct rcu_head *rhp) ++{ ++ struct task_struct *task = container_of(rhp, struct task_struct, rcu); ++ ++ __put_task_struct(task); ++} ++EXPORT_SYMBOL_GPL(__put_task_struct_rcu_cb); ++ + void __init __weak arch_task_cache_init(void) { } + + /* +-- +2.40.1 + diff --git a/queue-5.10/kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch b/queue-5.10/kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch new file mode 100644 index 00000000000..b2887718b93 --- /dev/null +++ b/queue-5.10/kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch @@ -0,0 +1,60 @@ +From 8ae9fb36a47d1160a0361dbcdc117d9033efbbd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Aug 2023 16:41:13 +0800 +Subject: kobject: Add sanity check for kset->kobj.ktype in kset_register() + +From: Zhen Lei + +[ Upstream commit 4d0fe8c52bb3029d83e323c961221156ab98680b ] + +When I register a kset in the following way: + static struct kset my_kset; + kobject_set_name(&my_kset.kobj, "my_kset"); + ret = kset_register(&my_kset); + +A null pointer dereference exception is occurred: +[ 4453.568337] Unable to handle kernel NULL pointer dereference at \ +virtual address 0000000000000028 +... ... +[ 4453.810361] Call trace: +[ 4453.813062] kobject_get_ownership+0xc/0x34 +[ 4453.817493] kobject_add_internal+0x98/0x274 +[ 4453.822005] kset_register+0x5c/0xb4 +[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset] +... ... + +Because I didn't initialize my_kset.kobj.ktype. + +According to the description in Documentation/core-api/kobject.rst: + - A ktype is the type of object that embeds a kobject. Every structure + that embeds a kobject needs a corresponding ktype. + +So add sanity check to make sure kset->kobj.ktype is not NULL. + +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20230805084114.1298-2-thunder.leizhen@huaweicloud.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/kobject.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/kobject.c b/lib/kobject.c +index ea53b30cf4837..cd3e1a98eff9e 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -874,6 +874,11 @@ int kset_register(struct kset *k) + if (!k) + return -EINVAL; + ++ if (!k->kobj.ktype) { ++ pr_err("must have a ktype to be initialized properly!\n"); ++ return -EINVAL; ++ } ++ + kset_init(k); + err = kobject_add_internal(&k->kobj); + if (err) +-- +2.40.1 + diff --git a/queue-5.10/libbpf-free-btf_vmlinux-when-closing-bpf_object.patch b/queue-5.10/libbpf-free-btf_vmlinux-when-closing-bpf_object.patch new file mode 100644 index 00000000000..88dab6e4371 --- /dev/null +++ b/queue-5.10/libbpf-free-btf_vmlinux-when-closing-bpf_object.patch @@ -0,0 +1,41 @@ +From 7eafa0453fad740d53915d98678684fd8d80890a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 12:38:40 -0700 +Subject: libbpf: Free btf_vmlinux when closing bpf_object + +From: Hao Luo + +[ Upstream commit 29d67fdebc42af6466d1909c60fdd1ef4f3e5240 ] + +I hit a memory leak when testing bpf_program__set_attach_target(). +Basically, set_attach_target() may allocate btf_vmlinux, for example, +when setting attach target for bpf_iter programs. But btf_vmlinux +is freed only in bpf_object_load(), which means if we only open +bpf object but not load it, setting attach target may leak +btf_vmlinux. + +So let's free btf_vmlinux in bpf_object__close() anyway. + +Signed-off-by: Hao Luo +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230822193840.1509809-1-haoluo@google.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 015ed8253f739..44646c5286fbe 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -7962,6 +7962,7 @@ void bpf_object__close(struct bpf_object *obj) + bpf_object__elf_finish(obj); + bpf_object__unload(obj); + btf__free(obj->btf); ++ btf__free(obj->btf_vmlinux); + btf_ext__free(obj->btf_ext); + + for (i = 0; i < obj->nr_maps; i++) +-- +2.40.1 + diff --git a/queue-5.10/locks-fix-kasan-use-after-free-in-trace_event_raw_ev.patch b/queue-5.10/locks-fix-kasan-use-after-free-in-trace_event_raw_ev.patch new file mode 100644 index 00000000000..47ccd715bf1 --- /dev/null +++ b/queue-5.10/locks-fix-kasan-use-after-free-in-trace_event_raw_ev.patch @@ -0,0 +1,88 @@ +From 7ab67d6479b720db69d4810654a03cfe7dccffff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 13:19:04 +0800 +Subject: locks: fix KASAN: use-after-free in + trace_event_raw_event_filelock_lock + +From: Will Shiu + +[ Upstream commit 74f6f5912693ce454384eaeec48705646a21c74f ] + +As following backtrace, the struct file_lock request , in posix_lock_inode +is free before ftrace function using. +Replace the ftrace function ahead free flow could fix the use-after-free +issue. + +[name:report&]=============================================== +BUG:KASAN: use-after-free in trace_event_raw_event_filelock_lock+0x80/0x12c +[name:report&]Read at addr f6ffff8025622620 by task NativeThread/16753 +[name:report_hw_tags&]Pointer tag: [f6], memory tag: [fe] +[name:report&] +BT: +Hardware name: MT6897 (DT) +Call trace: + dump_backtrace+0xf8/0x148 + show_stack+0x18/0x24 + dump_stack_lvl+0x60/0x7c + print_report+0x2c8/0xa08 + kasan_report+0xb0/0x120 + __do_kernel_fault+0xc8/0x248 + do_bad_area+0x30/0xdc + do_tag_check_fault+0x1c/0x30 + do_mem_abort+0x58/0xbc + el1_abort+0x3c/0x5c + el1h_64_sync_handler+0x54/0x90 + el1h_64_sync+0x68/0x6c + trace_event_raw_event_filelock_lock+0x80/0x12c + posix_lock_inode+0xd0c/0xd60 + do_lock_file_wait+0xb8/0x190 + fcntl_setlk+0x2d8/0x440 +... +[name:report&] +[name:report&]Allocated by task 16752: +... + slab_post_alloc_hook+0x74/0x340 + kmem_cache_alloc+0x1b0/0x2f0 + posix_lock_inode+0xb0/0xd60 +... + [name:report&] + [name:report&]Freed by task 16752: +... + kmem_cache_free+0x274/0x5b0 + locks_dispose_list+0x3c/0x148 + posix_lock_inode+0xc40/0xd60 + do_lock_file_wait+0xb8/0x190 + fcntl_setlk+0x2d8/0x440 + do_fcntl+0x150/0xc18 +... + +Signed-off-by: Will Shiu +Signed-off-by: Jeff Layton +Signed-off-by: Sasha Levin +--- + fs/locks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/locks.c b/fs/locks.c +index 12d72c3d8756c..cbb5701ce9f37 100644 +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -1339,6 +1339,7 @@ static int posix_lock_inode(struct inode *inode, struct file_lock *request, + out: + spin_unlock(&ctx->flc_lock); + percpu_up_read(&file_rwsem); ++ trace_posix_lock_inode(inode, request, error); + /* + * Free any unused locks. + */ +@@ -1347,7 +1348,6 @@ static int posix_lock_inode(struct inode *inode, struct file_lock *request, + if (new_fl2) + locks_free_lock(new_fl2); + locks_dispose_list(&dispose); +- trace_posix_lock_inode(inode, request, error); + + return error; + } +-- +2.40.1 + diff --git a/queue-5.10/md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch b/queue-5.10/md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch new file mode 100644 index 00000000000..56fe6e0cec6 --- /dev/null +++ b/queue-5.10/md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch @@ -0,0 +1,54 @@ +From 3997a3ae0b0e5d9e7c5a14970cff8a0b5f362b36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Sep 2023 14:25:23 -0700 +Subject: md/raid1: fix error: ISO C90 forbids mixed declarations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nigel Croxon + +[ Upstream commit df203da47f4428bc286fc99318936416253a321c ] + +There is a compile error when this commit is added: +md: raid1: fix potential OOB in raid1_remove_disk() + +drivers/md/raid1.c: In function 'raid1_remove_disk': +drivers/md/raid1.c:1844:9: error: ISO C90 forbids mixed declarations +and code [-Werror=declaration-after-statement] +1844 |         struct raid1_info *p = conf->mirrors + number; +     |         ^~~~~~ + +That's because the new code was inserted before the struct. +The change is move the struct command above this commit. + +Fixes: 8b0472b50bcf ("md: raid1: fix potential OOB in raid1_remove_disk()") +Signed-off-by: Nigel Croxon +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/46d929d0-2aab-4cf2-b2bf-338963e8ba5a@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 25be491c1a6ac..3619db7e382a0 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1791,12 +1791,11 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) + struct r1conf *conf = mddev->private; + int err = 0; + int number = rdev->raid_disk; ++ struct raid1_info *p = conf->mirrors + number; + + if (unlikely(number >= conf->raid_disks)) + goto abort; + +- struct raid1_info *p = conf->mirrors + number; +- + if (rdev != p->rdev) + p = conf->mirrors + conf->raid_disks + number; + +-- +2.40.1 + diff --git a/queue-5.10/md-raid1-fix-potential-oob-in-raid1_remove_disk.patch b/queue-5.10/md-raid1-fix-potential-oob-in-raid1_remove_disk.patch new file mode 100644 index 00000000000..003602a5ef1 --- /dev/null +++ b/queue-5.10/md-raid1-fix-potential-oob-in-raid1_remove_disk.patch @@ -0,0 +1,46 @@ +From e7f32dee32014b600d94ed2ba6884d090a960e5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 15:53:53 +0800 +Subject: md: raid1: fix potential OOB in raid1_remove_disk() + +From: Zhang Shurong + +[ Upstream commit 8b0472b50bcf0f19a5119b00a53b63579c8e1e4d ] + +If rddev->raid_disk is greater than mddev->raid_disks, there will be +an out-of-bounds in raid1_remove_disk(). We have already found +similar reports as follows: + +1) commit d17f744e883b ("md-raid10: fix KASAN warning") +2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk") + +Fix this bug by checking whether the "number" variable is +valid. + +Signed-off-by: Zhang Shurong +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/tencent_0D24426FAC6A21B69AC0C03CE4143A508F09@qq.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 6b5cc3f59fb39..25be491c1a6ac 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1791,6 +1791,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev) + struct r1conf *conf = mddev->private; + int err = 0; + int number = rdev->raid_disk; ++ ++ if (unlikely(number >= conf->raid_disks)) ++ goto abort; ++ + struct raid1_info *p = conf->mirrors + number; + + if (rdev != p->rdev) +-- +2.40.1 + diff --git a/queue-5.10/media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch b/queue-5.10/media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch new file mode 100644 index 00000000000..4169efe4ca4 --- /dev/null +++ b/queue-5.10/media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch @@ -0,0 +1,52 @@ +From bf780e350197e87f9c2faad8355141dff79e58c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 23:24:11 +0800 +Subject: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer + +From: Zhang Shurong + +[ Upstream commit f4ee84f27625ce1fdf41e8483fa0561a1b837d10 ] + +In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach af9005_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/af9005.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c +index b6a2436d16e97..9af54fcbed1de 100644 +--- a/drivers/media/usb/dvb-usb/af9005.c ++++ b/drivers/media/usb/dvb-usb/af9005.c +@@ -422,6 +422,10 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + if (ret == 0) + ret = 2; + } else { ++ if (msg[0].len < 2) { ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } + /* write one or more registers */ + reg = msg[0].buf[0]; + addr = msg[0].addr; +@@ -431,6 +435,7 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = 1; + } + ++unlock: + mutex_unlock(&d->i2c_mutex); + return ret; + } +-- +2.40.1 + diff --git a/queue-5.10/media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch b/queue-5.10/media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch new file mode 100644 index 00000000000..de35fea32a5 --- /dev/null +++ b/queue-5.10/media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch @@ -0,0 +1,43 @@ +From 93fbe3dc145a4985ed705577ed664bbbc18b39a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 00:02:20 +0800 +Subject: media: anysee: fix null-ptr-deref in anysee_master_xfer + +From: Zhang Shurong + +[ Upstream commit c30411266fd67ea3c02a05c157231654d5a3bdc9 ] + +In anysee_master_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach anysee_master_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +[hverkuil: add spaces around +] +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/anysee.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/anysee.c b/drivers/media/usb/dvb-usb-v2/anysee.c +index 89a1b204b90c3..3dacf3914d75b 100644 +--- a/drivers/media/usb/dvb-usb-v2/anysee.c ++++ b/drivers/media/usb/dvb-usb-v2/anysee.c +@@ -202,7 +202,7 @@ static int anysee_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msg, + + while (i < num) { + if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) { +- if (msg[i].len > 2 || msg[i+1].len > 60) { ++ if (msg[i].len != 2 || msg[i + 1].len > 60) { + ret = -EOPNOTSUPP; + break; + } +-- +2.40.1 + diff --git a/queue-5.10/media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch b/queue-5.10/media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch new file mode 100644 index 00000000000..2cf404f2f1a --- /dev/null +++ b/queue-5.10/media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch @@ -0,0 +1,55 @@ +From 3e3a2d8fc8806d10ad0ee213b195804b0cbec7f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 00:28:17 +0800 +Subject: media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() + +From: Zhang Shurong + +[ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ] + +In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach az6007_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c +index 7524c90f5da61..6cbfe75791c21 100644 +--- a/drivers/media/usb/dvb-usb-v2/az6007.c ++++ b/drivers/media/usb/dvb-usb-v2/az6007.c +@@ -788,6 +788,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + if (az6007_xfer_debug) + printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", + addr, msgs[i].len); ++ if (msgs[i].len < 1) { ++ ret = -EIO; ++ goto err; ++ } + req = AZ6007_I2C_WR; + index = msgs[i].buf[0]; + value = addr | (1 << 8); +@@ -802,6 +806,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + if (az6007_xfer_debug) + printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", + addr, msgs[i].len); ++ if (msgs[i].len < 1) { ++ ret = -EIO; ++ goto err; ++ } + req = AZ6007_I2C_RD; + index = msgs[i].buf[0]; + value = addr; +-- +2.40.1 + diff --git a/queue-5.10/media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch b/queue-5.10/media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch new file mode 100644 index 00000000000..cef2389fca3 --- /dev/null +++ b/queue-5.10/media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch @@ -0,0 +1,64 @@ +From d6fa65ad7f3d470de0302f846997741140917c7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 00:06:54 +0800 +Subject: media: dvb-usb-v2: af9035: Fix null-ptr-deref in + af9035_i2c_master_xfer + +From: Zhang Shurong + +[ Upstream commit 7bf744f2de0a848fb1d717f5831b03db96feae89 ] + +In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/af9035.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c +index b1f69c11c8395..218c06da2a469 100644 +--- a/drivers/media/usb/dvb-usb-v2/af9035.c ++++ b/drivers/media/usb/dvb-usb-v2/af9035.c +@@ -321,6 +321,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { ++ if (msg[0].len < 3 || msg[1].len < 1) ++ return -EOPNOTSUPP; + /* demod access via firmware interface */ + u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ -380,6 +382,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + /* demod access via firmware interface */ + u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ -387,10 +391,7 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + if (msg[0].addr == state->af9033_i2c_addr[1]) + reg |= 0x100000; + +- ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg, +- &msg[0].buf[3], +- msg[0].len - 3) +- : -EOPNOTSUPP; ++ ret = af9035_wr_regs(d, reg, &msg[0].buf[3], msg[0].len - 3); + } else { + /* I2C write */ + u8 buf[MAX_XFER_SIZE]; +-- +2.40.1 + diff --git a/queue-5.10/media-dvb-usb-v2-gl861-fix-null-ptr-deref-in-gl861_i.patch b/queue-5.10/media-dvb-usb-v2-gl861-fix-null-ptr-deref-in-gl861_i.patch new file mode 100644 index 00000000000..0194fc08ce5 --- /dev/null +++ b/queue-5.10/media-dvb-usb-v2-gl861-fix-null-ptr-deref-in-gl861_i.patch @@ -0,0 +1,42 @@ +From 7f0bebcaf469a58abb5d12e8c70c98b4f6eaf7a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 13:32:13 +0800 +Subject: media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer + +From: Zhang Shurong + +[ Upstream commit b97719a66970601cd3151a3e2020f4454a1c4ff6 ] + +In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/gl861.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c b/drivers/media/usb/dvb-usb-v2/gl861.c +index 0c434259c36f1..c71e7b93476de 100644 +--- a/drivers/media/usb/dvb-usb-v2/gl861.c ++++ b/drivers/media/usb/dvb-usb-v2/gl861.c +@@ -120,7 +120,7 @@ static int gl861_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + } else if (num == 2 && !(msg[0].flags & I2C_M_RD) && + (msg[1].flags & I2C_M_RD)) { + /* I2C write + read */ +- if (msg[0].len > 1 || msg[1].len > sizeof(ctx->buf)) { ++ if (msg[0].len != 1 || msg[1].len > sizeof(ctx->buf)) { + ret = -EOPNOTSUPP; + goto err; + } +-- +2.40.1 + diff --git a/queue-5.10/media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch b/queue-5.10/media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch new file mode 100644 index 00000000000..36720f43929 --- /dev/null +++ b/queue-5.10/media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch @@ -0,0 +1,98 @@ +From 4440518fa8b2882184621903d0f62229b1a82f8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 18:22:52 +0800 +Subject: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() + +From: Zhang Shurong + +[ Upstream commit 5ae544d94abc8ff77b1b9bf8774def3fa5689b5b ] + +In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach dw2102_i2c_transfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 950e252cb469 +("[media] dw2102: limit messages to buffer size") + +Signed-off-by: Zhang Shurong +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dw2102.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index 3c4ac998d040f..2290f132a82c8 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -128,6 +128,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + + switch (num) { + case 2: ++ if (msg[0].len < 1) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* read stv0299 register */ + value = msg[0].buf[0];/* register */ + for (i = 0; i < msg[1].len; i++) { +@@ -139,6 +143,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + case 1: + switch (msg[0].addr) { + case 0x68: ++ if (msg[0].len < 2) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* write to stv0299 register */ + buf6[0] = 0x2a; + buf6[1] = msg[0].buf[0]; +@@ -148,6 +156,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + break; + case 0x60: + if (msg[0].flags == 0) { ++ if (msg[0].len < 4) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* write to tuner pll */ + buf6[0] = 0x2c; + buf6[1] = 5; +@@ -159,6 +171,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + dw210x_op_rw(d->udev, 0xb2, 0, 0, + buf6, 7, DW210X_WRITE_MSG); + } else { ++ if (msg[0].len < 1) { ++ num = -EOPNOTSUPP; ++ break; ++ } + /* read from tuner */ + dw210x_op_rw(d->udev, 0xb5, 0, 0, + buf6, 1, DW210X_READ_MSG); +@@ -166,12 +182,20 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[], + } + break; + case (DW2102_RC_QUERY): ++ if (msg[0].len < 2) { ++ num = -EOPNOTSUPP; ++ break; ++ } + dw210x_op_rw(d->udev, 0xb8, 0, 0, + buf6, 2, DW210X_READ_MSG); + msg[0].buf[0] = buf6[0]; + msg[0].buf[1] = buf6[1]; + break; + case (DW2102_VOLTAGE_CTRL): ++ if (msg[0].len < 1) { ++ num = -EOPNOTSUPP; ++ break; ++ } + buf6[0] = 0x30; + buf6[1] = msg[0].buf[0]; + dw210x_op_rw(d->udev, 0xb2, 0, 0, +-- +2.40.1 + diff --git a/queue-5.10/media-pci-cx23885-replace-bug-with-error-return.patch b/queue-5.10/media-pci-cx23885-replace-bug-with-error-return.patch new file mode 100644 index 00000000000..84af30ac592 --- /dev/null +++ b/queue-5.10/media-pci-cx23885-replace-bug-with-error-return.patch @@ -0,0 +1,36 @@ +From 77265c7a91a8503934b38e1914295c63600163d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jul 2023 10:23:42 +0200 +Subject: media: pci: cx23885: replace BUG with error return + +From: Hans Verkuil + +[ Upstream commit 2e1796fd4904fdd6062a8e4589778ea899ea0c8d ] + +It was completely unnecessary to use BUG in buffer_prepare(). +Just replace it with an error return. This also fixes a smatch warning: + +drivers/media/pci/cx23885/cx23885-video.c:422 buffer_prepare() error: uninitialized symbol 'ret'. + +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-video.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c +index a380e0920a21f..86e3bb5903712 100644 +--- a/drivers/media/pci/cx23885/cx23885-video.c ++++ b/drivers/media/pci/cx23885/cx23885-video.c +@@ -412,7 +412,7 @@ static int buffer_prepare(struct vb2_buffer *vb) + dev->height >> 1); + break; + default: +- BUG(); ++ return -EINVAL; /* should not happen */ + } + dprintk(2, "[%p/%d] buffer_init - %dx%d %dbpp 0x%08x - dma=0x%08lx\n", + buf, buf->vb.vb2_buf.index, +-- +2.40.1 + diff --git a/queue-5.10/media-pci-ipu3-cio2-initialise-timing-struct-to-avoi.patch b/queue-5.10/media-pci-ipu3-cio2-initialise-timing-struct-to-avoi.patch new file mode 100644 index 00000000000..0febb2f83dd --- /dev/null +++ b/queue-5.10/media-pci-ipu3-cio2-initialise-timing-struct-to-avoi.patch @@ -0,0 +1,37 @@ +From a0debec3f74f03caf121cd977962d183358f911c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Aug 2023 10:14:30 +0300 +Subject: media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler + warning + +From: Sakari Ailus + +[ Upstream commit 9d7531be3085a8f013cf173ccc4e72e3cf493538 ] + +Initialise timing struct in cio2_hw_init() to zero in order to avoid a +compiler warning. The warning was a false positive. + +Reported-by: Hans Verkuil +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/intel/ipu3/ipu3-cio2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/pci/intel/ipu3/ipu3-cio2.c b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +index d6838c8ebd7e8..f8dca47904766 100644 +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c +@@ -355,7 +355,7 @@ static int cio2_hw_init(struct cio2_device *cio2, struct cio2_queue *q) + void __iomem *const base = cio2->base; + u8 lanes, csi2bus = q->csi2.port; + u8 sensor_vc = SENSOR_VIR_CH_DFLT; +- struct cio2_csi2_timing timing; ++ struct cio2_csi2_timing timing = { 0 }; + int i, r; + + fmt = cio2_find_format(NULL, &q->subdev_fmt.code); +-- +2.40.1 + diff --git a/queue-5.10/media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch b/queue-5.10/media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch new file mode 100644 index 00000000000..f130ab8ea2b --- /dev/null +++ b/queue-5.10/media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch @@ -0,0 +1,46 @@ +From ebeafebe7bdda619276fbe9fe8e66266e643bbbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 08:20:51 +0200 +Subject: media: tuners: qt1010: replace BUG_ON with a regular error + +From: Hans Verkuil + +[ Upstream commit ee630b29ea44d1851bb6c903f400956604834463 ] + +BUG_ON is unnecessary here, and in addition it confuses smatch. +Replacing this with an error return help resolve this smatch +warning: + +drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 + +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/qt1010.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/tuners/qt1010.c b/drivers/media/tuners/qt1010.c +index 60931367b82ca..48fc79cd40273 100644 +--- a/drivers/media/tuners/qt1010.c ++++ b/drivers/media/tuners/qt1010.c +@@ -345,11 +345,12 @@ static int qt1010_init(struct dvb_frontend *fe) + else + valptr = &tmpval; + +- BUG_ON(i >= ARRAY_SIZE(i2c_data) - 1); +- +- err = qt1010_init_meas1(priv, i2c_data[i+1].reg, +- i2c_data[i].reg, +- i2c_data[i].val, valptr); ++ if (i >= ARRAY_SIZE(i2c_data) - 1) ++ err = -EIO; ++ else ++ err = qt1010_init_meas1(priv, i2c_data[i + 1].reg, ++ i2c_data[i].reg, ++ i2c_data[i].val, valptr); + i++; + break; + } +-- +2.40.1 + diff --git a/queue-5.10/mmc-sdhci-esdhc-imx-improve-esdhc_flag_err010450.patch b/queue-5.10/mmc-sdhci-esdhc-imx-improve-esdhc_flag_err010450.patch new file mode 100644 index 00000000000..c453bd83f5b --- /dev/null +++ b/queue-5.10/mmc-sdhci-esdhc-imx-improve-esdhc_flag_err010450.patch @@ -0,0 +1,54 @@ +From 838861a0815ed289a0d4f1591da3e2f9801f8935 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Aug 2023 23:48:53 +0200 +Subject: mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450 + +From: Giulio Benetti + +[ Upstream commit 5ae4b0d8875caa44946e579420c7fd5740d58653 ] + +Errata ERR010450 only shows up if voltage is 1.8V, but if the device is +supplied by 3v3 the errata can be ignored. So let's check for if quirk +SDHCI_QUIRK2_NO_1_8_V is defined or not before limiting the frequency. + +Cc: Jim Reinhart +Cc: James Autry +Cc: Matthew Maron +Signed-off-by: Giulio Benetti +Acked-by: Haibo Chen +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20230811214853.8623-1-giulio.benetti@benettiengineering.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 70f388f83485c..b030f657e2534 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -166,8 +166,8 @@ + #define ESDHC_FLAG_HS400 BIT(9) + /* + * The IP has errata ERR010450 +- * uSDHC: Due to the I/O timing limit, for SDR mode, SD card clock can't +- * exceed 150MHz, for DDR mode, SD card clock can't exceed 45MHz. ++ * uSDHC: At 1.8V due to the I/O timing limit, for SDR mode, SD card ++ * clock can't exceed 150MHz, for DDR mode, SD card clock can't exceed 45MHz. + */ + #define ESDHC_FLAG_ERR010450 BIT(10) + /* The IP supports HS400ES mode */ +@@ -873,7 +873,8 @@ static inline void esdhc_pltfm_set_clock(struct sdhci_host *host, + | ESDHC_CLOCK_MASK); + sdhci_writel(host, temp, ESDHC_SYSTEM_CONTROL); + +- if (imx_data->socdata->flags & ESDHC_FLAG_ERR010450) { ++ if ((imx_data->socdata->flags & ESDHC_FLAG_ERR010450) && ++ (!(host->quirks2 & SDHCI_QUIRK2_NO_1_8_V))) { + unsigned int max_clock; + + max_clock = imx_data->is_ddr ? 45000000 : 150000000; +-- +2.40.1 + diff --git a/queue-5.10/mtd-rawnand-brcmnand-allow-soc-to-provide-i-o-operat.patch b/queue-5.10/mtd-rawnand-brcmnand-allow-soc-to-provide-i-o-operat.patch new file mode 100644 index 00000000000..a557f6e01df --- /dev/null +++ b/queue-5.10/mtd-rawnand-brcmnand-allow-soc-to-provide-i-o-operat.patch @@ -0,0 +1,165 @@ +From fa8a2c8f5da214bad6bf940660895903e24d3cdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 10:46:07 -0800 +Subject: mtd: rawnand: brcmnand: Allow SoC to provide I/O operations + +From: Florian Fainelli + +[ Upstream commit 25f97138f8c225dbf365b428a94d7b30a6daefb3 ] + +Allow a brcmnand_soc instance to provide a custom set of I/O operations +which we will require when using this driver on a BCMA bus which is not +directly memory mapped I/O. Update the nand_{read,write}_reg accordingly +to use the SoC operations if provided. + +To minimize the penalty on other SoCs which do support standard MMIO +accesses, we use a static key which is disabled by default and gets +enabled if a soc implementation does provide I/O operations. + +Signed-off-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220107184614.2670254-3-f.fainelli@gmail.com +Stable-dep-of: 2ec2839a9062 ("mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller") +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 28 +++++++++++++++++++++-- + drivers/mtd/nand/raw/brcmnand/brcmnand.h | 29 ++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index e170c545fec50..9ef58194d3a04 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -207,6 +208,8 @@ enum { + + struct brcmnand_host; + ++static DEFINE_STATIC_KEY_FALSE(brcmnand_soc_has_ops_key); ++ + struct brcmnand_controller { + struct device *dev; + struct nand_controller controller; +@@ -589,15 +592,25 @@ enum { + INTFC_CTLR_READY = BIT(31), + }; + ++static inline bool brcmnand_non_mmio_ops(struct brcmnand_controller *ctrl) ++{ ++ return static_branch_unlikely(&brcmnand_soc_has_ops_key); ++} ++ + static inline u32 nand_readreg(struct brcmnand_controller *ctrl, u32 offs) + { ++ if (brcmnand_non_mmio_ops(ctrl)) ++ return brcmnand_soc_read(ctrl->soc, offs); + return brcmnand_readl(ctrl->nand_base + offs); + } + + static inline void nand_writereg(struct brcmnand_controller *ctrl, u32 offs, + u32 val) + { +- brcmnand_writel(val, ctrl->nand_base + offs); ++ if (brcmnand_non_mmio_ops(ctrl)) ++ brcmnand_soc_write(ctrl->soc, val, offs); ++ else ++ brcmnand_writel(val, ctrl->nand_base + offs); + } + + static int brcmnand_revision_init(struct brcmnand_controller *ctrl) +@@ -763,13 +776,18 @@ static inline void brcmnand_rmw_reg(struct brcmnand_controller *ctrl, + + static inline u32 brcmnand_read_fc(struct brcmnand_controller *ctrl, int word) + { ++ if (brcmnand_non_mmio_ops(ctrl)) ++ return brcmnand_soc_read(ctrl->soc, BRCMNAND_NON_MMIO_FC_ADDR); + return __raw_readl(ctrl->nand_fc + word * 4); + } + + static inline void brcmnand_write_fc(struct brcmnand_controller *ctrl, + int word, u32 val) + { +- __raw_writel(val, ctrl->nand_fc + word * 4); ++ if (brcmnand_non_mmio_ops(ctrl)) ++ brcmnand_soc_write(ctrl->soc, val, BRCMNAND_NON_MMIO_FC_ADDR); ++ else ++ __raw_writel(val, ctrl->nand_fc + word * 4); + } + + static inline void edu_writel(struct brcmnand_controller *ctrl, +@@ -2985,6 +3003,12 @@ int brcmnand_probe(struct platform_device *pdev, struct brcmnand_soc *soc) + dev_set_drvdata(dev, ctrl); + ctrl->dev = dev; + ++ /* Enable the static key if the soc provides I/O operations indicating ++ * that a non-memory mapped IO access path must be used ++ */ ++ if (brcmnand_soc_has_ops(ctrl->soc)) ++ static_branch_enable(&brcmnand_soc_has_ops_key); ++ + init_completion(&ctrl->done); + init_completion(&ctrl->dma_done); + init_completion(&ctrl->edu_done); +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.h b/drivers/mtd/nand/raw/brcmnand/brcmnand.h +index eb498fbe505ec..f1f93d85f50d2 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.h ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.h +@@ -11,12 +11,25 @@ + + struct platform_device; + struct dev_pm_ops; ++struct brcmnand_io_ops; ++ ++/* Special register offset constant to intercept a non-MMIO access ++ * to the flash cache register space. This is intentionally large ++ * not to overlap with an existing offset. ++ */ ++#define BRCMNAND_NON_MMIO_FC_ADDR 0xffffffff + + struct brcmnand_soc { + bool (*ctlrdy_ack)(struct brcmnand_soc *soc); + void (*ctlrdy_set_enabled)(struct brcmnand_soc *soc, bool en); + void (*prepare_data_bus)(struct brcmnand_soc *soc, bool prepare, + bool is_param); ++ const struct brcmnand_io_ops *ops; ++}; ++ ++struct brcmnand_io_ops { ++ u32 (*read_reg)(struct brcmnand_soc *soc, u32 offset); ++ void (*write_reg)(struct brcmnand_soc *soc, u32 val, u32 offset); + }; + + static inline void brcmnand_soc_data_bus_prepare(struct brcmnand_soc *soc, +@@ -58,6 +71,22 @@ static inline void brcmnand_writel(u32 val, void __iomem *addr) + writel_relaxed(val, addr); + } + ++static inline bool brcmnand_soc_has_ops(struct brcmnand_soc *soc) ++{ ++ return soc && soc->ops && soc->ops->read_reg && soc->ops->write_reg; ++} ++ ++static inline u32 brcmnand_soc_read(struct brcmnand_soc *soc, u32 offset) ++{ ++ return soc->ops->read_reg(soc, offset); ++} ++ ++static inline void brcmnand_soc_write(struct brcmnand_soc *soc, u32 val, ++ u32 offset) ++{ ++ soc->ops->write_reg(soc, val, offset); ++} ++ + int brcmnand_probe(struct platform_device *pdev, struct brcmnand_soc *soc); + int brcmnand_remove(struct platform_device *pdev); + +-- +2.40.1 + diff --git a/queue-5.10/mtd-rawnand-brcmnand-fix-ecc-level-field-setting-for.patch b/queue-5.10/mtd-rawnand-brcmnand-fix-ecc-level-field-setting-for.patch new file mode 100644 index 00000000000..9293845c503 --- /dev/null +++ b/queue-5.10/mtd-rawnand-brcmnand-fix-ecc-level-field-setting-for.patch @@ -0,0 +1,161 @@ +From b2cfe43fc2d6448503f845e93899555e5177bab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 11:29:05 -0700 +Subject: mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 + controller + +From: William Zhang + +[ Upstream commit 2ec2839a9062db8a592525a3fdabd42dcd9a3a9b ] + +v7.2 controller has different ECC level field size and shift in the acc +control register than its predecessor and successor controller. It needs +to be set specifically. + +Fixes: decba6d47869 ("mtd: brcmnand: Add v7.2 controller support") +Signed-off-by: William Zhang +Reviewed-by: Florian Fainelli +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-2-william.zhang@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 74 +++++++++++++----------- + 1 file changed, 41 insertions(+), 33 deletions(-) + +diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +index 9ef58194d3a04..11d706ff30dd0 100644 +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -268,6 +268,7 @@ struct brcmnand_controller { + const unsigned int *page_sizes; + unsigned int page_size_shift; + unsigned int max_oob; ++ u32 ecc_level_shift; + u32 features; + + /* for low-power standby/resume only */ +@@ -592,6 +593,34 @@ enum { + INTFC_CTLR_READY = BIT(31), + }; + ++/*********************************************************************** ++ * NAND ACC CONTROL bitfield ++ * ++ * Some bits have remained constant throughout hardware revision, while ++ * others have shifted around. ++ ***********************************************************************/ ++ ++/* Constant for all versions (where supported) */ ++enum { ++ /* See BRCMNAND_HAS_CACHE_MODE */ ++ ACC_CONTROL_CACHE_MODE = BIT(22), ++ ++ /* See BRCMNAND_HAS_PREFETCH */ ++ ACC_CONTROL_PREFETCH = BIT(23), ++ ++ ACC_CONTROL_PAGE_HIT = BIT(24), ++ ACC_CONTROL_WR_PREEMPT = BIT(25), ++ ACC_CONTROL_PARTIAL_PAGE = BIT(26), ++ ACC_CONTROL_RD_ERASED = BIT(27), ++ ACC_CONTROL_FAST_PGM_RDIN = BIT(28), ++ ACC_CONTROL_WR_ECC = BIT(30), ++ ACC_CONTROL_RD_ECC = BIT(31), ++}; ++ ++#define ACC_CONTROL_ECC_SHIFT 16 ++/* Only for v7.2 */ ++#define ACC_CONTROL_ECC_EXT_SHIFT 13 ++ + static inline bool brcmnand_non_mmio_ops(struct brcmnand_controller *ctrl) + { + return static_branch_unlikely(&brcmnand_soc_has_ops_key); +@@ -729,6 +758,12 @@ static int brcmnand_revision_init(struct brcmnand_controller *ctrl) + else if (of_property_read_bool(ctrl->dev->of_node, "brcm,nand-has-wp")) + ctrl->features |= BRCMNAND_HAS_WP; + ++ /* v7.2 has different ecc level shift in the acc register */ ++ if (ctrl->nand_version == 0x0702) ++ ctrl->ecc_level_shift = ACC_CONTROL_ECC_EXT_SHIFT; ++ else ++ ctrl->ecc_level_shift = ACC_CONTROL_ECC_SHIFT; ++ + return 0; + } + +@@ -917,30 +952,6 @@ static inline int brcmnand_cmd_shift(struct brcmnand_controller *ctrl) + return 0; + } + +-/*********************************************************************** +- * NAND ACC CONTROL bitfield +- * +- * Some bits have remained constant throughout hardware revision, while +- * others have shifted around. +- ***********************************************************************/ +- +-/* Constant for all versions (where supported) */ +-enum { +- /* See BRCMNAND_HAS_CACHE_MODE */ +- ACC_CONTROL_CACHE_MODE = BIT(22), +- +- /* See BRCMNAND_HAS_PREFETCH */ +- ACC_CONTROL_PREFETCH = BIT(23), +- +- ACC_CONTROL_PAGE_HIT = BIT(24), +- ACC_CONTROL_WR_PREEMPT = BIT(25), +- ACC_CONTROL_PARTIAL_PAGE = BIT(26), +- ACC_CONTROL_RD_ERASED = BIT(27), +- ACC_CONTROL_FAST_PGM_RDIN = BIT(28), +- ACC_CONTROL_WR_ECC = BIT(30), +- ACC_CONTROL_RD_ECC = BIT(31), +-}; +- + static inline u32 brcmnand_spare_area_mask(struct brcmnand_controller *ctrl) + { + if (ctrl->nand_version == 0x0702) +@@ -953,18 +964,15 @@ static inline u32 brcmnand_spare_area_mask(struct brcmnand_controller *ctrl) + return GENMASK(4, 0); + } + +-#define NAND_ACC_CONTROL_ECC_SHIFT 16 +-#define NAND_ACC_CONTROL_ECC_EXT_SHIFT 13 +- + static inline u32 brcmnand_ecc_level_mask(struct brcmnand_controller *ctrl) + { + u32 mask = (ctrl->nand_version >= 0x0600) ? 0x1f : 0x0f; + +- mask <<= NAND_ACC_CONTROL_ECC_SHIFT; ++ mask <<= ACC_CONTROL_ECC_SHIFT; + + /* v7.2 includes additional ECC levels */ +- if (ctrl->nand_version >= 0x0702) +- mask |= 0x7 << NAND_ACC_CONTROL_ECC_EXT_SHIFT; ++ if (ctrl->nand_version == 0x0702) ++ mask |= 0x7 << ACC_CONTROL_ECC_EXT_SHIFT; + + return mask; + } +@@ -978,8 +986,8 @@ static void brcmnand_set_ecc_enabled(struct brcmnand_host *host, int en) + + if (en) { + acc_control |= ecc_flags; /* enable RD/WR ECC */ +- acc_control |= host->hwcfg.ecc_level +- << NAND_ACC_CONTROL_ECC_SHIFT; ++ acc_control &= ~brcmnand_ecc_level_mask(ctrl); ++ acc_control |= host->hwcfg.ecc_level << ctrl->ecc_level_shift; + } else { + acc_control &= ~ecc_flags; /* disable RD/WR ECC */ + acc_control &= ~brcmnand_ecc_level_mask(ctrl); +@@ -2533,7 +2541,7 @@ static int brcmnand_set_cfg(struct brcmnand_host *host, + tmp &= ~brcmnand_ecc_level_mask(ctrl); + tmp &= ~brcmnand_spare_area_mask(ctrl); + if (ctrl->nand_version >= 0x0302) { +- tmp |= cfg->ecc_level << NAND_ACC_CONTROL_ECC_SHIFT; ++ tmp |= cfg->ecc_level << ctrl->ecc_level_shift; + tmp |= cfg->spare_area_size; + } + nand_writereg(ctrl, acc_control_offs, tmp); +-- +2.40.1 + diff --git a/queue-5.10/netfilter-ebtables-fix-fortify-warnings-in-size_entr.patch b/queue-5.10/netfilter-ebtables-fix-fortify-warnings-in-size_entr.patch new file mode 100644 index 00000000000..6baf8ffefee --- /dev/null +++ b/queue-5.10/netfilter-ebtables-fix-fortify-warnings-in-size_entr.patch @@ -0,0 +1,84 @@ +From 27e63f54ebb81803b8f257677e83a95b13ef2b0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Aug 2023 15:45:03 +0800 +Subject: netfilter: ebtables: fix fortify warnings in size_entry_mwt() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: GONG, Ruiqi + +[ Upstream commit a7ed3465daa240bdf01a5420f64336fee879c09d ] + +When compiling with gcc 13 and CONFIG_FORTIFY_SOURCE=y, the following +warning appears: + +In function ‘fortify_memcpy_chk’, + inlined from ‘size_entry_mwt’ at net/bridge/netfilter/ebtables.c:2118:2: +./include/linux/fortify-string.h:592:25: error: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Werror=attribute-warning] + 592 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The compiler is complaining: + +memcpy(&offsets[1], &entry->watchers_offset, + sizeof(offsets) - sizeof(offsets[0])); + +where memcpy reads beyong &entry->watchers_offset to copy +{watchers,target,next}_offset altogether into offsets[]. Silence the +warning by wrapping these three up via struct_group(). + +Signed-off-by: GONG, Ruiqi +Reviewed-by: Gustavo A. R. Silva +Reviewed-by: Kees Cook +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter_bridge/ebtables.h | 14 ++++++++------ + net/bridge/netfilter/ebtables.c | 3 +-- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h +index a494cf43a7552..b0caad82b6937 100644 +--- a/include/uapi/linux/netfilter_bridge/ebtables.h ++++ b/include/uapi/linux/netfilter_bridge/ebtables.h +@@ -182,12 +182,14 @@ struct ebt_entry { + unsigned char sourcemsk[ETH_ALEN]; + unsigned char destmac[ETH_ALEN]; + unsigned char destmsk[ETH_ALEN]; +- /* sizeof ebt_entry + matches */ +- unsigned int watchers_offset; +- /* sizeof ebt_entry + matches + watchers */ +- unsigned int target_offset; +- /* sizeof ebt_entry + matches + watchers + target */ +- unsigned int next_offset; ++ __struct_group(/* no tag */, offsets, /* no attrs */, ++ /* sizeof ebt_entry + matches */ ++ unsigned int watchers_offset; ++ /* sizeof ebt_entry + matches + watchers */ ++ unsigned int target_offset; ++ /* sizeof ebt_entry + matches + watchers + target */ ++ unsigned int next_offset; ++ ); + unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace)))); + }; + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 8335b7e4bcf6f..bab14186f9ad5 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2001,8 +2001,7 @@ static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *ba + return ret; + + offsets[0] = sizeof(struct ebt_entry); /* matches come first */ +- memcpy(&offsets[1], &entry->watchers_offset, +- sizeof(offsets) - sizeof(offsets[0])); ++ memcpy(&offsets[1], &entry->offsets, sizeof(entry->offsets)); + + if (state->buf_kern_start) { + buf_start = state->buf_kern_start + state->buf_kern_offset; +-- +2.40.1 + diff --git a/queue-5.10/perf-build-update-build-rule-for-generated-files.patch b/queue-5.10/perf-build-update-build-rule-for-generated-files.patch new file mode 100644 index 00000000000..e954e695b95 --- /dev/null +++ b/queue-5.10/perf-build-update-build-rule-for-generated-files.patch @@ -0,0 +1,87 @@ +From 9a4c5c0bd91c0c480ac89fc0800ec6057b4ba509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jul 2023 19:24:46 -0700 +Subject: perf build: Update build rule for generated files + +From: Namhyung Kim + +[ Upstream commit 7822a8913f4c51c7d1aff793b525d60c3384fb5b ] + +The bison and flex generate C files from the source (.y and .l) +files. When O= option is used, they are saved in a separate directory +but the default build rule assumes the .C files are in the source +directory. So it might read invalid file if there are generated files +from an old version. The same is true for the pmu-events files. + +For example, the following command would cause a build failure: + + $ git checkout v6.3 + $ make -C tools/perf # build in the same directory + + $ git checkout v6.5-rc2 + $ mkdir build # create a build directory + $ make -C tools/perf O=build # build in a different directory but it + # refers files in the source directory + +Let's update the build rule to specify those cases explicitly to depend +on the files in the output directory. + +Note that it's not a complete fix and it needs the next patch for the +include path too. + +Fixes: 80eeb67fe577aa76 ("perf jevents: Program to convert JSON file") +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Andi Kleen +Cc: Anup Sharma +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230728022447.1323563-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/Makefile.build | 10 ++++++++++ + tools/perf/pmu-events/Build | 6 ++++++ + 2 files changed, 16 insertions(+) + +diff --git a/tools/build/Makefile.build b/tools/build/Makefile.build +index cd72016c3cfa7..5a727094ae832 100644 +--- a/tools/build/Makefile.build ++++ b/tools/build/Makefile.build +@@ -116,6 +116,16 @@ $(OUTPUT)%.s: %.c FORCE + $(call rule_mkdir) + $(call if_changed_dep,cc_s_c) + ++# bison and flex files are generated in the OUTPUT directory ++# so it needs a separate rule to depend on them properly ++$(OUTPUT)%-bison.o: $(OUTPUT)%-bison.c FORCE ++ $(call rule_mkdir) ++ $(call if_changed_dep,$(host)cc_o_c) ++ ++$(OUTPUT)%-flex.o: $(OUTPUT)%-flex.c FORCE ++ $(call rule_mkdir) ++ $(call if_changed_dep,$(host)cc_o_c) ++ + # Gather build data: + # obj-y - list of build objects + # subdir-y - list of directories to nest +diff --git a/tools/perf/pmu-events/Build b/tools/perf/pmu-events/Build +index 5ec5ce8c31bab..ea8c41f9c7398 100644 +--- a/tools/perf/pmu-events/Build ++++ b/tools/perf/pmu-events/Build +@@ -25,3 +25,9 @@ $(OUTPUT)pmu-events/pmu-events.c: $(JSON) $(JSON_TEST) $(JEVENTS_PY) + $(call rule_mkdir) + $(Q)$(call echo-cmd,gen)$(PYTHON) $(JEVENTS_PY) $(SRCARCH) pmu-events/arch $@ + endif ++ ++# pmu-events.c file is generated in the OUTPUT directory so it needs a ++# separate rule to depend on it properly ++$(OUTPUT)pmu-events/pmu-events.o: $(PMU_EVENTS_C) ++ $(call rule_mkdir) ++ $(call if_changed_dep,cc_o_c) +-- +2.40.1 + diff --git a/queue-5.10/perf-jevents-make-build-dependency-on-test-jsons.patch b/queue-5.10/perf-jevents-make-build-dependency-on-test-jsons.patch new file mode 100644 index 00000000000..f615028be4b --- /dev/null +++ b/queue-5.10/perf-jevents-make-build-dependency-on-test-jsons.patch @@ -0,0 +1,54 @@ +From 8d7f97f5c2d587242f09e619ca34ef26f86a7e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Aug 2021 08:44:09 +0100 +Subject: perf jevents: Make build dependency on test JSONs + +From: John Garry + +[ Upstream commit 517db3b59537a59f6cc251b1926df93e93bb9c87 ] + +Currently all JSONs and the mapfile for an arch are dependencies for +building pmu-events.c + +The test JSONs are missing as a dependency, so add them. + +Signed-off-by: John Garry +Reported-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: linuxarm@huawei.com +Link: http://lore.kernel.org/lkml/90094733-741c-50e5-ac7d-f5640b5f0bdd@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 7822a8913f4c ("perf build: Update build rule for generated files") +Signed-off-by: Sasha Levin +--- + tools/perf/pmu-events/Build | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/pmu-events/Build b/tools/perf/pmu-events/Build +index 215ba30b85343..a055dee6a46af 100644 +--- a/tools/perf/pmu-events/Build ++++ b/tools/perf/pmu-events/Build +@@ -6,10 +6,13 @@ pmu-events-y += pmu-events.o + JDIR = pmu-events/arch/$(SRCARCH) + JSON = $(shell [ -d $(JDIR) ] && \ + find $(JDIR) -name '*.json' -o -name 'mapfile.csv') ++JDIR_TEST = pmu-events/arch/test ++JSON_TEST = $(shell [ -d $(JDIR_TEST) ] && \ ++ find $(JDIR_TEST) -name '*.json') + + # + # Locate/process JSON files in pmu-events/arch/ + # directory and create tables in pmu-events.c. + # +-$(OUTPUT)pmu-events/pmu-events.c: $(JSON) $(JEVENTS) ++$(OUTPUT)pmu-events/pmu-events.c: $(JSON) $(JSON_TEST) $(JEVENTS) + $(Q)$(call echo-cmd,gen)$(JEVENTS) $(SRCARCH) pmu-events/arch $(OUTPUT)pmu-events/pmu-events.c $(V) +-- +2.40.1 + diff --git a/queue-5.10/perf-jevents-switch-build-to-use-jevents.py.patch b/queue-5.10/perf-jevents-switch-build-to-use-jevents.py.patch new file mode 100644 index 00000000000..a44c6025dee --- /dev/null +++ b/queue-5.10/perf-jevents-switch-build-to-use-jevents.py.patch @@ -0,0 +1,295 @@ +From e51e13831d91b7107d7df3bb89a2dc87f3c7d930 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 11:25:04 -0700 +Subject: perf jevents: Switch build to use jevents.py + +From: Ian Rogers + +[ Upstream commit 00facc760903be6675870c2749e2cd72140e396e ] + +Generate pmu-events.c using jevents.py rather than the binary built from +jevents.c. + +Add a new config variable NO_JEVENTS that is set when there is no +architecture json or an appropriate python interpreter isn't present. + +When NO_JEVENTS is defined the file pmu-events/empty-pmu-events.c is +copied and used as the pmu-events.c file. + +Signed-off-by: Ian Rogers +Tested-by: John Garry +Cc: Alexander Shishkin +Cc: Ananth Narayan +Cc: Andi Kleen +Cc: Andrew Kilroy +Cc: Caleb Biggers +Cc: Felix Fietkau +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kajol Jain +Cc: Kan Liang +Cc: Kshipra Bopardikar +Cc: Like Xu +Cc: Mark Rutland +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Nick Forrington +Cc: Paul Clarke +Cc: Perry Taylor +Cc: Peter Zijlstra +Cc: Qi Liu +Cc: Ravi Bangoria +Cc: Sandipan Das +Cc: Santosh Shukla +Cc: Stephane Eranian +Cc: Will Deacon +Cc: Xing Zhengjun +Link: https://lore.kernel.org/r/20220629182505.406269-4-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 7822a8913f4c ("perf build: Update build rule for generated files") +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 19 +++ + tools/perf/Makefile.perf | 1 + + tools/perf/pmu-events/Build | 13 +- + tools/perf/pmu-events/empty-pmu-events.c | 158 +++++++++++++++++++++++ + 4 files changed, 189 insertions(+), 2 deletions(-) + create mode 100644 tools/perf/pmu-events/empty-pmu-events.c + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 89905b4e93091..a92d5422041ee 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -824,6 +824,25 @@ else + endif + endif + ++ifneq ($(NO_JEVENTS),1) ++ ifeq ($(wildcard pmu-events/arch/$(SRCARCH)/mapfile.csv),) ++ NO_JEVENTS := 1 ++ endif ++endif ++ifneq ($(NO_JEVENTS),1) ++ NO_JEVENTS := 0 ++ ifndef PYTHON ++ $(warning No python interpreter disabling jevent generation) ++ NO_JEVENTS := 1 ++ else ++ # jevents.py uses f-strings present in Python 3.6 released in Dec. 2016. ++ JEVENTS_PYTHON_GOOD := $(shell $(PYTHON) -c 'import sys;print("1" if(sys.version_info.major >= 3 and sys.version_info.minor >= 6) else "0")' 2> /dev/null) ++ ifneq ($(JEVENTS_PYTHON_GOOD), 1) ++ $(warning Python interpreter too old (older than 3.6) disabling jevent generation) ++ NO_JEVENTS := 1 ++ endif ++ endif ++endif + + ifndef NO_LIBBFD + ifeq ($(feature-libbfd), 1) +diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf +index e41a8f9b99d2d..ef25028b2e2fa 100644 +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -634,6 +634,7 @@ JEVENTS := $(OUTPUT)pmu-events/jevents + JEVENTS_IN := $(OUTPUT)pmu-events/jevents-in.o + + PMU_EVENTS_IN := $(OUTPUT)pmu-events/pmu-events-in.o ++export NO_JEVENTS + + export JEVENTS + +diff --git a/tools/perf/pmu-events/Build b/tools/perf/pmu-events/Build +index a055dee6a46af..5ec5ce8c31bab 100644 +--- a/tools/perf/pmu-events/Build ++++ b/tools/perf/pmu-events/Build +@@ -9,10 +9,19 @@ JSON = $(shell [ -d $(JDIR) ] && \ + JDIR_TEST = pmu-events/arch/test + JSON_TEST = $(shell [ -d $(JDIR_TEST) ] && \ + find $(JDIR_TEST) -name '*.json') ++JEVENTS_PY = pmu-events/jevents.py + + # + # Locate/process JSON files in pmu-events/arch/ + # directory and create tables in pmu-events.c. + # +-$(OUTPUT)pmu-events/pmu-events.c: $(JSON) $(JSON_TEST) $(JEVENTS) +- $(Q)$(call echo-cmd,gen)$(JEVENTS) $(SRCARCH) pmu-events/arch $(OUTPUT)pmu-events/pmu-events.c $(V) ++ ++ifeq ($(NO_JEVENTS),1) ++$(OUTPUT)pmu-events/pmu-events.c: pmu-events/empty-pmu-events.c ++ $(call rule_mkdir) ++ $(Q)$(call echo-cmd,gen)cp $< $@ ++else ++$(OUTPUT)pmu-events/pmu-events.c: $(JSON) $(JSON_TEST) $(JEVENTS_PY) ++ $(call rule_mkdir) ++ $(Q)$(call echo-cmd,gen)$(PYTHON) $(JEVENTS_PY) $(SRCARCH) pmu-events/arch $@ ++endif +diff --git a/tools/perf/pmu-events/empty-pmu-events.c b/tools/perf/pmu-events/empty-pmu-events.c +new file mode 100644 +index 0000000000000..77e655c6f1162 +--- /dev/null ++++ b/tools/perf/pmu-events/empty-pmu-events.c +@@ -0,0 +1,158 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * An empty pmu-events.c file used when there is no architecture json files in ++ * arch or when the jevents.py script cannot be run. ++ * ++ * The test cpu/soc is provided for testing. ++ */ ++#include "pmu-events/pmu-events.h" ++ ++static const struct pmu_event pme_test_soc_cpu[] = { ++ { ++ .name = "l3_cache_rd", ++ .event = "event=0x40", ++ .desc = "L3 cache access, read", ++ .topic = "cache", ++ .long_desc = "Attributable Level 3 cache access, read", ++ }, ++ { ++ .name = "segment_reg_loads.any", ++ .event = "event=0x6,period=200000,umask=0x80", ++ .desc = "Number of segment register loads", ++ .topic = "other", ++ }, ++ { ++ .name = "dispatch_blocked.any", ++ .event = "event=0x9,period=200000,umask=0x20", ++ .desc = "Memory cluster signals to block micro-op dispatch for any reason", ++ .topic = "other", ++ }, ++ { ++ .name = "eist_trans", ++ .event = "event=0x3a,period=200000,umask=0x0", ++ .desc = "Number of Enhanced Intel SpeedStep(R) Technology (EIST) transitions", ++ .topic = "other", ++ }, ++ { ++ .name = "uncore_hisi_ddrc.flux_wcmd", ++ .event = "event=0x2", ++ .desc = "DDRC write commands. Unit: hisi_sccl,ddrc ", ++ .topic = "uncore", ++ .long_desc = "DDRC write commands", ++ .pmu = "hisi_sccl,ddrc", ++ }, ++ { ++ .name = "unc_cbo_xsnp_response.miss_eviction", ++ .event = "event=0x22,umask=0x81", ++ .desc = "A cross-core snoop resulted from L3 Eviction which misses in some processor core. Unit: uncore_cbox ", ++ .topic = "uncore", ++ .long_desc = "A cross-core snoop resulted from L3 Eviction which misses in some processor core", ++ .pmu = "uncore_cbox", ++ }, ++ { ++ .name = "event-hyphen", ++ .event = "event=0xe0,umask=0x00", ++ .desc = "UNC_CBO_HYPHEN. Unit: uncore_cbox ", ++ .topic = "uncore", ++ .long_desc = "UNC_CBO_HYPHEN", ++ .pmu = "uncore_cbox", ++ }, ++ { ++ .name = "event-two-hyph", ++ .event = "event=0xc0,umask=0x00", ++ .desc = "UNC_CBO_TWO_HYPH. Unit: uncore_cbox ", ++ .topic = "uncore", ++ .long_desc = "UNC_CBO_TWO_HYPH", ++ .pmu = "uncore_cbox", ++ }, ++ { ++ .name = "uncore_hisi_l3c.rd_hit_cpipe", ++ .event = "event=0x7", ++ .desc = "Total read hits. Unit: hisi_sccl,l3c ", ++ .topic = "uncore", ++ .long_desc = "Total read hits", ++ .pmu = "hisi_sccl,l3c", ++ }, ++ { ++ .name = "uncore_imc_free_running.cache_miss", ++ .event = "event=0x12", ++ .desc = "Total cache misses. Unit: uncore_imc_free_running ", ++ .topic = "uncore", ++ .long_desc = "Total cache misses", ++ .pmu = "uncore_imc_free_running", ++ }, ++ { ++ .name = "uncore_imc.cache_hits", ++ .event = "event=0x34", ++ .desc = "Total cache hits. Unit: uncore_imc ", ++ .topic = "uncore", ++ .long_desc = "Total cache hits", ++ .pmu = "uncore_imc", ++ }, ++ { ++ .name = "bp_l1_btb_correct", ++ .event = "event=0x8a", ++ .desc = "L1 BTB Correction", ++ .topic = "branch", ++ }, ++ { ++ .name = "bp_l2_btb_correct", ++ .event = "event=0x8b", ++ .desc = "L2 BTB Correction", ++ .topic = "branch", ++ }, ++ { ++ .name = 0, ++ .event = 0, ++ .desc = 0, ++ }, ++}; ++ ++const struct pmu_events_map pmu_events_map[] = { ++ { ++ .cpuid = "testcpu", ++ .version = "v1", ++ .type = "core", ++ .table = pme_test_soc_cpu, ++ }, ++ { ++ .cpuid = 0, ++ .version = 0, ++ .type = 0, ++ .table = 0, ++ }, ++}; ++ ++static const struct pmu_event pme_test_soc_sys[] = { ++ { ++ .name = "sys_ddr_pmu.write_cycles", ++ .event = "event=0x2b", ++ .desc = "ddr write-cycles event. Unit: uncore_sys_ddr_pmu ", ++ .compat = "v8", ++ .topic = "uncore", ++ .pmu = "uncore_sys_ddr_pmu", ++ }, ++ { ++ .name = "sys_ccn_pmu.read_cycles", ++ .event = "config=0x2c", ++ .desc = "ccn read-cycles event. Unit: uncore_sys_ccn_pmu ", ++ .compat = "0x01", ++ .topic = "uncore", ++ .pmu = "uncore_sys_ccn_pmu", ++ }, ++ { ++ .name = 0, ++ .event = 0, ++ .desc = 0, ++ }, ++}; ++ ++const struct pmu_sys_events pmu_sys_event_tables[] = { ++ { ++ .table = pme_test_soc_sys, ++ .name = "pme_test_soc_sys", ++ }, ++ { ++ .table = 0 ++ }, ++}; +-- +2.40.1 + diff --git a/queue-5.10/perf-smmuv3-enable-hisilicon-erratum-162001900-quirk.patch b/queue-5.10/perf-smmuv3-enable-hisilicon-erratum-162001900-quirk.patch new file mode 100644 index 00000000000..b90012933cc --- /dev/null +++ b/queue-5.10/perf-smmuv3-enable-hisilicon-erratum-162001900-quirk.patch @@ -0,0 +1,160 @@ +From 3e823de93c6bfc5285249ff140463c73cd9afcc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Aug 2023 20:40:12 +0800 +Subject: perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 + +From: Yicong Yang + +[ Upstream commit 0242737dc4eb9f6e9a5ea594b3f93efa0b12f28d ] + +Some HiSilicon SMMU PMCG suffers the erratum 162001900 that the PMU +disable control sometimes fail to disable the counters. This will lead +to error or inaccurate data since before we enable the counters the +counter's still counting for the event used in last perf session. + +This patch tries to fix this by hardening the global disable process. +Before disable the PMU, writing an invalid event type (0xffff) to +focibly stop the counters. Correspondingly restore each events on +pmu::pmu_enable(). + +Signed-off-by: Yicong Yang +Link: https://lore.kernel.org/r/20230814124012.58013-1-yangyicong@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + Documentation/arm64/silicon-errata.rst | 3 ++ + drivers/acpi/arm64/iort.c | 5 ++- + drivers/perf/arm_smmuv3_pmu.c | 46 +++++++++++++++++++++++++- + include/linux/acpi_iort.h | 1 + + 4 files changed, 53 insertions(+), 2 deletions(-) + +diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst +index 4f3206495217c..10a26d44ef4a9 100644 +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -149,6 +149,9 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Hisilicon | Hip08 SMMU PMCG | #162001800 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ ++| Hisilicon | Hip08 SMMU PMCG | #162001900 | N/A | ++| | Hip09 SMMU PMCG | | | +++----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | Qualcomm Tech. | Kryo/Falkor v1 | E1003 | QCOM_FALKOR_ERRATUM_1003 | + +----------------+-----------------+-----------------+-----------------------------+ +diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c +index 50ed949dc1449..554943be26984 100644 +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -1474,7 +1474,10 @@ static void __init arm_smmu_v3_pmcg_init_resources(struct resource *res, + static struct acpi_platform_list pmcg_plat_info[] __initdata = { + /* HiSilicon Hip08 Platform */ + {"HISI ", "HIP08 ", 0, ACPI_SIG_IORT, greater_than_or_equal, +- "Erratum #162001800", IORT_SMMU_V3_PMCG_HISI_HIP08}, ++ "Erratum #162001800, Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP08}, ++ /* HiSilicon Hip09 Platform */ ++ {"HISI ", "HIP09 ", 0, ACPI_SIG_IORT, greater_than_or_equal, ++ "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, + { } + }; + +diff --git a/drivers/perf/arm_smmuv3_pmu.c b/drivers/perf/arm_smmuv3_pmu.c +index f5a33dbe7acb9..6ebe72b862661 100644 +--- a/drivers/perf/arm_smmuv3_pmu.c ++++ b/drivers/perf/arm_smmuv3_pmu.c +@@ -95,6 +95,7 @@ + #define SMMU_PMCG_PA_SHIFT 12 + + #define SMMU_PMCG_EVCNTR_RDONLY BIT(0) ++#define SMMU_PMCG_HARDEN_DISABLE BIT(1) + + static int cpuhp_state_num; + +@@ -138,6 +139,20 @@ static inline void smmu_pmu_enable(struct pmu *pmu) + writel(SMMU_PMCG_CR_ENABLE, smmu_pmu->reg_base + SMMU_PMCG_CR); + } + ++static int smmu_pmu_apply_event_filter(struct smmu_pmu *smmu_pmu, ++ struct perf_event *event, int idx); ++ ++static inline void smmu_pmu_enable_quirk_hip08_09(struct pmu *pmu) ++{ ++ struct smmu_pmu *smmu_pmu = to_smmu_pmu(pmu); ++ unsigned int idx; ++ ++ for_each_set_bit(idx, smmu_pmu->used_counters, smmu_pmu->num_counters) ++ smmu_pmu_apply_event_filter(smmu_pmu, smmu_pmu->events[idx], idx); ++ ++ smmu_pmu_enable(pmu); ++} ++ + static inline void smmu_pmu_disable(struct pmu *pmu) + { + struct smmu_pmu *smmu_pmu = to_smmu_pmu(pmu); +@@ -146,6 +161,22 @@ static inline void smmu_pmu_disable(struct pmu *pmu) + writel(0, smmu_pmu->reg_base + SMMU_PMCG_IRQ_CTRL); + } + ++static inline void smmu_pmu_disable_quirk_hip08_09(struct pmu *pmu) ++{ ++ struct smmu_pmu *smmu_pmu = to_smmu_pmu(pmu); ++ unsigned int idx; ++ ++ /* ++ * The global disable of PMU sometimes fail to stop the counting. ++ * Harden this by writing an invalid event type to each used counter ++ * to forcibly stop counting. ++ */ ++ for_each_set_bit(idx, smmu_pmu->used_counters, smmu_pmu->num_counters) ++ writel(0xffff, smmu_pmu->reg_base + SMMU_PMCG_EVTYPER(idx)); ++ ++ smmu_pmu_disable(pmu); ++} ++ + static inline void smmu_pmu_counter_set_value(struct smmu_pmu *smmu_pmu, + u32 idx, u64 value) + { +@@ -719,7 +750,10 @@ static void smmu_pmu_get_acpi_options(struct smmu_pmu *smmu_pmu) + switch (model) { + case IORT_SMMU_V3_PMCG_HISI_HIP08: + /* HiSilicon Erratum 162001800 */ +- smmu_pmu->options |= SMMU_PMCG_EVCNTR_RDONLY; ++ smmu_pmu->options |= SMMU_PMCG_EVCNTR_RDONLY | SMMU_PMCG_HARDEN_DISABLE; ++ break; ++ case IORT_SMMU_V3_PMCG_HISI_HIP09: ++ smmu_pmu->options |= SMMU_PMCG_HARDEN_DISABLE; + break; + } + +@@ -806,6 +840,16 @@ static int smmu_pmu_probe(struct platform_device *pdev) + + smmu_pmu_get_acpi_options(smmu_pmu); + ++ /* ++ * For platforms suffer this quirk, the PMU disable sometimes fails to ++ * stop the counters. This will leads to inaccurate or error counting. ++ * Forcibly disable the counters with these quirk handler. ++ */ ++ if (smmu_pmu->options & SMMU_PMCG_HARDEN_DISABLE) { ++ smmu_pmu->pmu.pmu_enable = smmu_pmu_enable_quirk_hip08_09; ++ smmu_pmu->pmu.pmu_disable = smmu_pmu_disable_quirk_hip08_09; ++ } ++ + /* Pick one CPU to be the preferred one to use */ + smmu_pmu->on_cpu = raw_smp_processor_id(); + WARN_ON(irq_set_affinity_hint(smmu_pmu->irq, +diff --git a/include/linux/acpi_iort.h b/include/linux/acpi_iort.h +index 1a12baa58e409..136dba94c646f 100644 +--- a/include/linux/acpi_iort.h ++++ b/include/linux/acpi_iort.h +@@ -21,6 +21,7 @@ + */ + #define IORT_SMMU_V3_PMCG_GENERIC 0x00000000 /* Generic SMMUv3 PMCG */ + #define IORT_SMMU_V3_PMCG_HISI_HIP08 0x00000001 /* HiSilicon HIP08 PMCG */ ++#define IORT_SMMU_V3_PMCG_HISI_HIP09 0x00000002 /* HiSilicon HIP09 PMCG */ + + int iort_register_domain_token(int trans_id, phys_addr_t base, + struct fwnode_handle *fw_node); +-- +2.40.1 + diff --git a/queue-5.10/perf-tools-add-an-option-to-build-without-libbfd.patch b/queue-5.10/perf-tools-add-an-option-to-build-without-libbfd.patch new file mode 100644 index 00000000000..59cfc16ead9 --- /dev/null +++ b/queue-5.10/perf-tools-add-an-option-to-build-without-libbfd.patch @@ -0,0 +1,97 @@ +From 6a1c6f46c9e6090cc0d040c2414e783524d51c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 15:57:56 -0700 +Subject: perf tools: Add an option to build without libbfd + +From: Ian Rogers + +[ Upstream commit 0d1c50ac488ebdaeeaea8ed5069f8d435fd485ed ] + +Some distributions, like debian, don't link perf with libbfd. Add a +build flag to make this configuration buildable and testable. + +This was inspired by: + + https://lore.kernel.org/linux-perf-users/20210910102307.2055484-1-tonyg@leastfixedpoint.com/T/#u + +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: tony garnock-jones +Link: http://lore.kernel.org/lkml/20210910225756.729087-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 7822a8913f4c ("perf build: Update build rule for generated files") +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 47 ++++++++++++++++++++------------------ + 1 file changed, 25 insertions(+), 22 deletions(-) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 3e7706c251e9e..89905b4e93091 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -824,33 +824,36 @@ else + endif + endif + +-ifeq ($(feature-libbfd), 1) +- EXTLIBS += -lbfd -lopcodes +-else +- # we are on a system that requires -liberty and (maybe) -lz +- # to link against -lbfd; test each case individually here +- +- # call all detections now so we get correct +- # status in VF output +- $(call feature_check,libbfd-liberty) +- $(call feature_check,libbfd-liberty-z) + +- ifeq ($(feature-libbfd-liberty), 1) +- EXTLIBS += -lbfd -lopcodes -liberty +- FEATURE_CHECK_LDFLAGS-disassembler-four-args += -liberty -ldl ++ifndef NO_LIBBFD ++ ifeq ($(feature-libbfd), 1) ++ EXTLIBS += -lbfd -lopcodes + else +- ifeq ($(feature-libbfd-liberty-z), 1) +- EXTLIBS += -lbfd -lopcodes -liberty -lz +- FEATURE_CHECK_LDFLAGS-disassembler-four-args += -liberty -lz -ldl ++ # we are on a system that requires -liberty and (maybe) -lz ++ # to link against -lbfd; test each case individually here ++ ++ # call all detections now so we get correct ++ # status in VF output ++ $(call feature_check,libbfd-liberty) ++ $(call feature_check,libbfd-liberty-z) ++ ++ ifeq ($(feature-libbfd-liberty), 1) ++ EXTLIBS += -lbfd -lopcodes -liberty ++ FEATURE_CHECK_LDFLAGS-disassembler-four-args += -liberty -ldl ++ else ++ ifeq ($(feature-libbfd-liberty-z), 1) ++ EXTLIBS += -lbfd -lopcodes -liberty -lz ++ FEATURE_CHECK_LDFLAGS-disassembler-four-args += -liberty -lz -ldl ++ endif + endif ++ $(call feature_check,disassembler-four-args) + endif +- $(call feature_check,disassembler-four-args) +-endif + +-ifeq ($(feature-libbfd-buildid), 1) +- CFLAGS += -DHAVE_LIBBFD_BUILDID_SUPPORT +-else +- msg := $(warning Old version of libbfd/binutils things like PE executable profiling will not be available); ++ ifeq ($(feature-libbfd-buildid), 1) ++ CFLAGS += -DHAVE_LIBBFD_BUILDID_SUPPORT ++ else ++ msg := $(warning Old version of libbfd/binutils things like PE executable profiling will not be available); ++ endif + endif + + ifdef NO_DEMANGLE +-- +2.40.1 + diff --git a/queue-5.10/powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch b/queue-5.10/powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch new file mode 100644 index 00000000000..7cb19d257d3 --- /dev/null +++ b/queue-5.10/powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch @@ -0,0 +1,39 @@ +From 79fd609aa40995595a7dbcbcde6f05c353b37f33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 09:19:29 +0800 +Subject: powerpc/pseries: fix possible memory leak in ibmebus_bus_init() + +From: ruanjinjie + +[ Upstream commit afda85b963c12947e298ad85d757e333aa40fd74 ] + +If device_register() returns error in ibmebus_bus_init(), name of kobject +which is allocated in dev_set_name() called in device_add() is leaked. + +As comment of device_add() says, it should call put_device() to drop +the reference count that was set in device_initialize() when it fails, +so the name can be freed in kobject_cleanup(). + +Signed-off-by: ruanjinjie +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20221110011929.3709774-1-ruanjinjie@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/ibmebus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/pseries/ibmebus.c b/arch/powerpc/platforms/pseries/ibmebus.c +index 8c6e509f69675..c3cc010e9cc45 100644 +--- a/arch/powerpc/platforms/pseries/ibmebus.c ++++ b/arch/powerpc/platforms/pseries/ibmebus.c +@@ -451,6 +451,7 @@ static int __init ibmebus_bus_init(void) + if (err) { + printk(KERN_WARNING "%s: device_register returned %i\n", + __func__, err); ++ put_device(&ibmebus_bus_device); + bus_unregister(&ibmebus_bus_type); + + return err; +-- +2.40.1 + diff --git a/queue-5.10/rcuscale-move-rcu_scale_writer-schedule_timeout_unin.patch b/queue-5.10/rcuscale-move-rcu_scale_writer-schedule_timeout_unin.patch new file mode 100644 index 00000000000..e7a2aa5f6ac --- /dev/null +++ b/queue-5.10/rcuscale-move-rcu_scale_writer-schedule_timeout_unin.patch @@ -0,0 +1,71 @@ +From 68885af045c6ba60566550b5778178220e17869a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 15:39:26 +0800 +Subject: rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() + to _idle() + +From: Zqiang + +[ Upstream commit e60c122a1614b4f65b29a7bef9d83b9fd30e937a ] + +The rcuscale.holdoff module parameter can be used to delay the start +of rcu_scale_writer() kthread. However, the hung-task timeout will +trigger when the timeout specified by rcuscale.holdoff is greater than +hung_task_timeout_secs: + +runqemu kvm nographic slirp qemuparams="-smp 4 -m 2048M" +bootparams="rcuscale.shutdown=0 rcuscale.holdoff=300" + +[ 247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds. +[ 247.072529] Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7 +[ 247.073400] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 247.074331] task:rcu_scale_write state:D stack:30144 pid:59 ppid:2 flags:0x00004000 +[ 247.075346] Call Trace: +[ 247.075660] +[ 247.075965] __schedule+0x635/0x1280 +[ 247.076448] ? __pfx___schedule+0x10/0x10 +[ 247.076967] ? schedule_timeout+0x2dc/0x4d0 +[ 247.077471] ? __pfx_lock_release+0x10/0x10 +[ 247.078018] ? enqueue_timer+0xe2/0x220 +[ 247.078522] schedule+0x84/0x120 +[ 247.078957] schedule_timeout+0x2e1/0x4d0 +[ 247.079447] ? __pfx_schedule_timeout+0x10/0x10 +[ 247.080032] ? __pfx_rcu_scale_writer+0x10/0x10 +[ 247.080591] ? __pfx_process_timeout+0x10/0x10 +[ 247.081163] ? __pfx_sched_set_fifo_low+0x10/0x10 +[ 247.081760] ? __pfx_rcu_scale_writer+0x10/0x10 +[ 247.082287] rcu_scale_writer+0x6b1/0x7f0 +[ 247.082773] ? mark_held_locks+0x29/0xa0 +[ 247.083252] ? __pfx_rcu_scale_writer+0x10/0x10 +[ 247.083865] ? __pfx_rcu_scale_writer+0x10/0x10 +[ 247.084412] kthread+0x179/0x1c0 +[ 247.084759] ? __pfx_kthread+0x10/0x10 +[ 247.085098] ret_from_fork+0x2c/0x50 +[ 247.085433] + +This commit therefore replaces schedule_timeout_uninterruptible() with +schedule_timeout_idle(). + +Signed-off-by: Zqiang +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcuscale.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c +index 6c05365ed80fc..3b9783eda6796 100644 +--- a/kernel/rcu/rcuscale.c ++++ b/kernel/rcu/rcuscale.c +@@ -372,7 +372,7 @@ rcu_scale_writer(void *arg) + sched_set_fifo_low(current); + + if (holdoff) +- schedule_timeout_uninterruptible(holdoff * HZ); ++ schedule_timeout_idle(holdoff * HZ); + + /* + * Wait until rcu_end_inkernel_boot() is called for normal GP tests +-- +2.40.1 + diff --git a/queue-5.10/samples-hw_breakpoint-fix-building-without-module-un.patch b/queue-5.10/samples-hw_breakpoint-fix-building-without-module-un.patch new file mode 100644 index 00000000000..011c88ea30f --- /dev/null +++ b/queue-5.10/samples-hw_breakpoint-fix-building-without-module-un.patch @@ -0,0 +1,48 @@ +From 3cfbdd261b345ec70e6e3c62e5ef199f81498cd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jul 2023 10:25:36 +0200 +Subject: samples/hw_breakpoint: fix building without module unloading + +From: Arnd Bergmann + +[ Upstream commit b9080468caeddc58a91edd1c3a7d212ea82b0d1d ] + +__symbol_put() is really meant as an internal helper and is not available +when module unloading is disabled, unlike the previously used symbol_put(): + +samples/hw_breakpoint/data_breakpoint.c: In function 'hw_break_module_exit': +samples/hw_breakpoint/data_breakpoint.c:73:9: error: implicit declaration of function '__symbol_put'; did you mean '__symbol_get'? [-Werror=implicit-function-declaration] + +The hw_break_module_exit() function is not actually used when module +unloading is disabled, but it still causes the build failure for an +undefined identifier. Enclose this one call in an appropriate #ifdef to +clarify what the requirement is. Leaving out the entire exit function +would also work but feels less clar in this case. + +Fixes: 910e230d5f1bb ("samples/hw_breakpoint: Fix kernel BUG 'invalid opcode: 0000'") +Fixes: d8a84d33a4954 ("samples/hw_breakpoint: drop use of kallsyms_lookup_name()") +Signed-off-by: Arnd Bergmann +Reviewed-by: Petr Mladek +Signed-off-by: Luis Chamberlain +Signed-off-by: Sasha Levin +--- + samples/hw_breakpoint/data_breakpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/samples/hw_breakpoint/data_breakpoint.c b/samples/hw_breakpoint/data_breakpoint.c +index 9debd128b2ab8..b99322f188e59 100644 +--- a/samples/hw_breakpoint/data_breakpoint.c ++++ b/samples/hw_breakpoint/data_breakpoint.c +@@ -70,7 +70,9 @@ static int __init hw_break_module_init(void) + static void __exit hw_break_module_exit(void) + { + unregister_wide_hw_breakpoint(sample_hbp); ++#ifdef CONFIG_MODULE_UNLOAD + __symbol_put(ksym_name); ++#endif + printk(KERN_INFO "HW Breakpoint for %s write uninstalled\n", ksym_name); + } + +-- +2.40.1 + diff --git a/queue-5.10/samples-hw_breakpoint-fix-kernel-bug-invalid-opcode-.patch b/queue-5.10/samples-hw_breakpoint-fix-kernel-bug-invalid-opcode-.patch new file mode 100644 index 00000000000..b07ea387c56 --- /dev/null +++ b/queue-5.10/samples-hw_breakpoint-fix-kernel-bug-invalid-opcode-.patch @@ -0,0 +1,77 @@ +From a94cca98742a4a9925bfbcd35cba86f14156e5d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Apr 2023 23:05:17 +0800 +Subject: samples/hw_breakpoint: Fix kernel BUG 'invalid opcode: 0000' + +From: Rong Tao + +[ Upstream commit 910e230d5f1bb72c54532e94fbb1705095c7bab6 ] + +Macro symbol_put() is defined as __symbol_put(__stringify(x)) + + ksym_name = "jiffies" + symbol_put(ksym_name) + +will be resolved as + + __symbol_put("ksym_name") + +which is clearly wrong. So symbol_put must be replaced with __symbol_put. + +When we uninstall hw_breakpoint.ko (rmmod), a kernel bug occurs with the +following error: + +[11381.854152] kernel BUG at kernel/module/main.c:779! +[11381.854159] invalid opcode: 0000 [#2] PREEMPT SMP PTI +[11381.854163] CPU: 8 PID: 59623 Comm: rmmod Tainted: G D OE 6.2.9-200.fc37.x86_64 #1 +[11381.854167] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./B360M-HDV, BIOS P3.20 10/23/2018 +[11381.854169] RIP: 0010:__symbol_put+0xa2/0xb0 +[11381.854175] Code: 00 e8 92 d2 f7 ff 65 8b 05 c3 2f e6 78 85 c0 74 1b 48 8b 44 24 30 65 48 2b 04 25 28 00 00 00 75 12 48 83 c4 38 c3 cc cc cc cc <0f> 0b 0f 1f 44 00 00 eb de e8 c0 df d8 00 90 90 90 90 90 90 90 90 +[11381.854178] RSP: 0018:ffffad8ec6ae7dd0 EFLAGS: 00010246 +[11381.854181] RAX: 0000000000000000 RBX: ffffffffc1fd1240 RCX: 000000000000000c +[11381.854184] RDX: 000000000000006b RSI: ffffffffc02bf7c7 RDI: ffffffffc1fd001c +[11381.854186] RBP: 000055a38b76e7c8 R08: ffffffff871ccfe0 R09: 0000000000000000 +[11381.854188] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +[11381.854190] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[11381.854192] FS: 00007fbf7c62c740(0000) GS:ffff8c5badc00000(0000) knlGS:0000000000000000 +[11381.854195] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[11381.854197] CR2: 000055a38b7793f8 CR3: 0000000363e1e001 CR4: 00000000003726e0 +[11381.854200] DR0: ffffffffb3407980 DR1: 0000000000000000 DR2: 0000000000000000 +[11381.854202] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[11381.854204] Call Trace: +[11381.854207] +[11381.854212] s_module_exit+0xc/0xff0 [symbol_getput] +[11381.854219] __do_sys_delete_module.constprop.0+0x198/0x2f0 +[11381.854225] do_syscall_64+0x58/0x80 +[11381.854231] ? exit_to_user_mode_prepare+0x180/0x1f0 +[11381.854237] ? syscall_exit_to_user_mode+0x17/0x40 +[11381.854241] ? do_syscall_64+0x67/0x80 +[11381.854245] ? syscall_exit_to_user_mode+0x17/0x40 +[11381.854248] ? do_syscall_64+0x67/0x80 +[11381.854252] ? exc_page_fault+0x70/0x170 +[11381.854256] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Signed-off-by: Rong Tao +Reviewed-by: Petr Mladek +Signed-off-by: Luis Chamberlain +Signed-off-by: Sasha Levin +--- + samples/hw_breakpoint/data_breakpoint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/hw_breakpoint/data_breakpoint.c b/samples/hw_breakpoint/data_breakpoint.c +index 418c46fe5ffc3..9debd128b2ab8 100644 +--- a/samples/hw_breakpoint/data_breakpoint.c ++++ b/samples/hw_breakpoint/data_breakpoint.c +@@ -70,7 +70,7 @@ static int __init hw_break_module_init(void) + static void __exit hw_break_module_exit(void) + { + unregister_wide_hw_breakpoint(sample_hbp); +- symbol_put(ksym_name); ++ __symbol_put(ksym_name); + printk(KERN_INFO "HW Breakpoint for %s write uninstalled\n", ksym_name); + } + +-- +2.40.1 + diff --git a/queue-5.10/scftorture-forgive-memory-allocation-failure-if-kasa.patch b/queue-5.10/scftorture-forgive-memory-allocation-failure-if-kasa.patch new file mode 100644 index 00000000000..ad78deb1166 --- /dev/null +++ b/queue-5.10/scftorture-forgive-memory-allocation-failure-if-kasa.patch @@ -0,0 +1,49 @@ +From d205d1c7e91c1f9d080a24cfae45bd99299e35ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 19:00:10 -0700 +Subject: scftorture: Forgive memory-allocation failure if KASAN + +From: Paul E. McKenney + +[ Upstream commit 013608cd0812bdb21fc26d39ed8fdd2fc76e8b9b ] + +Kernels built with CONFIG_KASAN=y quarantine newly freed memory in order +to better detect use-after-free errors. However, this can exhaust memory +more quickly in allocator-heavy tests, which can result in spurious +scftorture failure. This commit therefore forgives memory-allocation +failure in kernels built with CONFIG_KASAN=y, but continues counting +the errors for use in detailed test-result analyses. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/scftorture.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/scftorture.c b/kernel/scftorture.c +index 060ee0b1569a0..be86207a2ab68 100644 +--- a/kernel/scftorture.c ++++ b/kernel/scftorture.c +@@ -158,7 +158,8 @@ static void scf_torture_stats_print(void) + scfs.n_all_wait += scf_stats_p[i].n_all_wait; + } + if (atomic_read(&n_errs) || atomic_read(&n_mb_in_errs) || +- atomic_read(&n_mb_out_errs) || atomic_read(&n_alloc_errs)) ++ atomic_read(&n_mb_out_errs) || ++ (!IS_ENABLED(CONFIG_KASAN) && atomic_read(&n_alloc_errs))) + bangstr = "!!! "; + pr_alert("%s %sscf_invoked_count %s: %lld single: %lld/%lld single_ofl: %lld/%lld many: %lld/%lld all: %lld/%lld ", + SCFTORT_FLAG, bangstr, isdone ? "VER" : "ver", invoked_count, +@@ -306,7 +307,8 @@ static void scftorture_invoke_one(struct scf_statistics *scfp, struct torture_ra + preempt_disable(); + if (scfsp->scfs_prim == SCF_PRIM_SINGLE || scfsp->scfs_wait) { + scfcp = kmalloc(sizeof(*scfcp), GFP_ATOMIC); +- if (WARN_ON_ONCE(!scfcp)) { ++ if (!scfcp) { ++ WARN_ON_ONCE(!IS_ENABLED(CONFIG_KASAN)); + atomic_inc(&n_alloc_errs); + } else { + scfcp->scfc_cpu = -1; +-- +2.40.1 + diff --git a/queue-5.10/scsi-lpfc-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch b/queue-5.10/scsi-lpfc-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch new file mode 100644 index 00000000000..58a37aed5be --- /dev/null +++ b/queue-5.10/scsi-lpfc-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch @@ -0,0 +1,79 @@ +From 7ed403d351502e6938168129c23b4aa2a2ac06ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 11:08:09 +0800 +Subject: scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() + +From: Jinjie Ruan + +[ Upstream commit 7dcc683db3639eadd11bf0d59a09088a43de5e22 ] + +Since debugfs_create_file() returns ERR_PTR and never NULL, use IS_ERR() to +check the return value. + +Fixes: 2fcbc569b9f5 ("scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI") +Fixes: 4c47efc140fa ("scsi: lpfc: Move SCSI and NVME Stats to hardware queue structures") +Fixes: 6a828b0f6192 ("scsi: lpfc: Support non-uniform allocation of MSIX vectors to hardware queues") +Fixes: 95bfc6d8ad86 ("scsi: lpfc: Make FW logging dynamically configurable") +Fixes: 9f77870870d8 ("scsi: lpfc: Add debugfs support for cm framework buffers") +Fixes: c490850a0947 ("scsi: lpfc: Adapt partitioned XRI lists to efficient sharing") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/r/20230906030809.2847970-1-ruanjinjie@huawei.com +Reviewed-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_debugfs.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index 2b77cbbcdccb6..f91eee01ce95e 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -5909,7 +5909,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + phba->hba_debugfs_root, + phba, + &lpfc_debugfs_op_multixripools); +- if (!phba->debug_multixri_pools) { ++ if (IS_ERR(phba->debug_multixri_pools)) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, + "0527 Cannot create debugfs multixripools\n"); + goto debug_failed; +@@ -5921,7 +5921,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + debugfs_create_file(name, 0644, + phba->hba_debugfs_root, + phba, &lpfc_debugfs_ras_log); +- if (!phba->debug_ras_log) { ++ if (IS_ERR(phba->debug_ras_log)) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, + "6148 Cannot create debugfs" + " ras_log\n"); +@@ -5942,7 +5942,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + debugfs_create_file(name, S_IFREG | 0644, + phba->hba_debugfs_root, + phba, &lpfc_debugfs_op_lockstat); +- if (!phba->debug_lockstat) { ++ if (IS_ERR(phba->debug_lockstat)) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, + "4610 Can't create debugfs lockstat\n"); + goto debug_failed; +@@ -6171,7 +6171,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + debugfs_create_file(name, 0644, + vport->vport_debugfs_root, + vport, &lpfc_debugfs_op_scsistat); +- if (!vport->debug_scsistat) { ++ if (IS_ERR(vport->debug_scsistat)) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, + "4611 Cannot create debugfs scsistat\n"); + goto debug_failed; +@@ -6182,7 +6182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) + debugfs_create_file(name, 0644, + vport->vport_debugfs_root, + vport, &lpfc_debugfs_op_ioktime); +- if (!vport->debug_ioktime) { ++ if (IS_ERR(vport->debug_ioktime)) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_INIT, + "0815 Cannot create debugfs ioktime\n"); + goto debug_failed; +-- +2.40.1 + diff --git a/queue-5.10/scsi-qla2xxx-fix-null-vs-is_err-bug-for-debugfs_crea.patch b/queue-5.10/scsi-qla2xxx-fix-null-vs-is_err-bug-for-debugfs_crea.patch new file mode 100644 index 00000000000..210a62768bc --- /dev/null +++ b/queue-5.10/scsi-qla2xxx-fix-null-vs-is_err-bug-for-debugfs_crea.patch @@ -0,0 +1,54 @@ +From 611c15a80ac1349bda0339b96dd72c95c75bffb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 22:09:29 +0800 +Subject: scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() + +From: Jinjie Ruan + +[ Upstream commit d0b0822e32dbae80bbcb3cc86f34d28539d913df ] + +Since both debugfs_create_dir() and debugfs_create_file() return ERR_PTR +and never NULL, use IS_ERR() instead of checking for NULL. + +Fixes: 1e98fb0f9208 ("scsi: qla2xxx: Setup debugfs entries for remote ports") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/r/20230831140930.3166359-1-ruanjinjie@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_dfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_dfs.c b/drivers/scsi/qla2xxx/qla_dfs.c +index d5ebcf7d70ff0..7d778bf3fd722 100644 +--- a/drivers/scsi/qla2xxx/qla_dfs.c ++++ b/drivers/scsi/qla2xxx/qla_dfs.c +@@ -116,7 +116,7 @@ qla2x00_dfs_create_rport(scsi_qla_host_t *vha, struct fc_port *fp) + + sprintf(wwn, "pn-%016llx", wwn_to_u64(fp->port_name)); + fp->dfs_rport_dir = debugfs_create_dir(wwn, vha->dfs_rport_root); +- if (!fp->dfs_rport_dir) ++ if (IS_ERR(fp->dfs_rport_dir)) + return; + if (NVME_TARGET(vha->hw, fp)) + debugfs_create_file("dev_loss_tmo", 0600, fp->dfs_rport_dir, +@@ -571,14 +571,14 @@ qla2x00_dfs_setup(scsi_qla_host_t *vha) + if (IS_QLA27XX(ha) || IS_QLA83XX(ha) || IS_QLA28XX(ha)) { + ha->tgt.dfs_naqp = debugfs_create_file("naqp", + 0400, ha->dfs_dir, vha, &dfs_naqp_ops); +- if (!ha->tgt.dfs_naqp) { ++ if (IS_ERR(ha->tgt.dfs_naqp)) { + ql_log(ql_log_warn, vha, 0xd011, + "Unable to create debugFS naqp node.\n"); + goto out; + } + } + vha->dfs_rport_root = debugfs_create_dir("rports", ha->dfs_dir); +- if (!vha->dfs_rport_root) { ++ if (IS_ERR(vha->dfs_rport_root)) { + ql_log(ql_log_warn, vha, 0xd012, + "Unable to create debugFS rports node.\n"); + goto out; +-- +2.40.1 + diff --git a/queue-5.10/scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch b/queue-5.10/scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch new file mode 100644 index 00000000000..1dfcbbb05eb --- /dev/null +++ b/queue-5.10/scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch @@ -0,0 +1,163 @@ +From f3e035b74c1d9487f76ece87c3f5961cde8b8302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jul 2023 18:26:37 +0300 +Subject: scsi: target: iscsi: Fix buffer overflow in + lio_target_nacl_info_show() + +From: Konstantin Shelekhin + +[ Upstream commit 801f287c93ff95582b0a2d2163f12870a2f076d4 ] + +The function lio_target_nacl_info_show() uses sprintf() in a loop to print +details for every iSCSI connection in a session without checking for the +buffer length. With enough iSCSI connections it's possible to overflow the +buffer provided by configfs and corrupt the memory. + +This patch replaces sprintf() with sysfs_emit_at() that checks for buffer +boundries. + +Signed-off-by: Konstantin Shelekhin +Link: https://lore.kernel.org/r/20230722152657.168859-2-k.shelekhin@yadro.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_configfs.c | 54 ++++++++++---------- + 1 file changed, 27 insertions(+), 27 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c +index 0fa1d57b26fa8..3cd671bbb9a41 100644 +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -508,102 +508,102 @@ static ssize_t lio_target_nacl_info_show(struct config_item *item, char *page) + spin_lock_bh(&se_nacl->nacl_sess_lock); + se_sess = se_nacl->nacl_sess; + if (!se_sess) { +- rb += sprintf(page+rb, "No active iSCSI Session for Initiator" ++ rb += sysfs_emit_at(page, rb, "No active iSCSI Session for Initiator" + " Endpoint: %s\n", se_nacl->initiatorname); + } else { + sess = se_sess->fabric_sess_ptr; + +- rb += sprintf(page+rb, "InitiatorName: %s\n", ++ rb += sysfs_emit_at(page, rb, "InitiatorName: %s\n", + sess->sess_ops->InitiatorName); +- rb += sprintf(page+rb, "InitiatorAlias: %s\n", ++ rb += sysfs_emit_at(page, rb, "InitiatorAlias: %s\n", + sess->sess_ops->InitiatorAlias); + +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "LIO Session ID: %u ISID: 0x%6ph TSIH: %hu ", + sess->sid, sess->isid, sess->tsih); +- rb += sprintf(page+rb, "SessionType: %s\n", ++ rb += sysfs_emit_at(page, rb, "SessionType: %s\n", + (sess->sess_ops->SessionType) ? + "Discovery" : "Normal"); +- rb += sprintf(page+rb, "Session State: "); ++ rb += sysfs_emit_at(page, rb, "Session State: "); + switch (sess->session_state) { + case TARG_SESS_STATE_FREE: +- rb += sprintf(page+rb, "TARG_SESS_FREE\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_FREE\n"); + break; + case TARG_SESS_STATE_ACTIVE: +- rb += sprintf(page+rb, "TARG_SESS_STATE_ACTIVE\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_ACTIVE\n"); + break; + case TARG_SESS_STATE_LOGGED_IN: +- rb += sprintf(page+rb, "TARG_SESS_STATE_LOGGED_IN\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_LOGGED_IN\n"); + break; + case TARG_SESS_STATE_FAILED: +- rb += sprintf(page+rb, "TARG_SESS_STATE_FAILED\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_FAILED\n"); + break; + case TARG_SESS_STATE_IN_CONTINUE: +- rb += sprintf(page+rb, "TARG_SESS_STATE_IN_CONTINUE\n"); ++ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_IN_CONTINUE\n"); + break; + default: +- rb += sprintf(page+rb, "ERROR: Unknown Session" ++ rb += sysfs_emit_at(page, rb, "ERROR: Unknown Session" + " State!\n"); + break; + } + +- rb += sprintf(page+rb, "---------------------[iSCSI Session" ++ rb += sysfs_emit_at(page, rb, "---------------------[iSCSI Session" + " Values]-----------------------\n"); +- rb += sprintf(page+rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN" ++ rb += sysfs_emit_at(page, rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN" + " : MaxCmdSN : ITT : TTT\n"); + max_cmd_sn = (u32) atomic_read(&sess->max_cmd_sn); +- rb += sprintf(page+rb, " 0x%08x 0x%08x 0x%08x 0x%08x" ++ rb += sysfs_emit_at(page, rb, " 0x%08x 0x%08x 0x%08x 0x%08x" + " 0x%08x 0x%08x\n", + sess->cmdsn_window, + (max_cmd_sn - sess->exp_cmd_sn) + 1, + sess->exp_cmd_sn, max_cmd_sn, + sess->init_task_tag, sess->targ_xfer_tag); +- rb += sprintf(page+rb, "----------------------[iSCSI" ++ rb += sysfs_emit_at(page, rb, "----------------------[iSCSI" + " Connections]-------------------------\n"); + + spin_lock(&sess->conn_lock); + list_for_each_entry(conn, &sess->sess_conn_list, conn_list) { +- rb += sprintf(page+rb, "CID: %hu Connection" ++ rb += sysfs_emit_at(page, rb, "CID: %hu Connection" + " State: ", conn->cid); + switch (conn->conn_state) { + case TARG_CONN_STATE_FREE: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_FREE\n"); + break; + case TARG_CONN_STATE_XPT_UP: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_XPT_UP\n"); + break; + case TARG_CONN_STATE_IN_LOGIN: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_IN_LOGIN\n"); + break; + case TARG_CONN_STATE_LOGGED_IN: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_LOGGED_IN\n"); + break; + case TARG_CONN_STATE_IN_LOGOUT: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_IN_LOGOUT\n"); + break; + case TARG_CONN_STATE_LOGOUT_REQUESTED: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_LOGOUT_REQUESTED\n"); + break; + case TARG_CONN_STATE_CLEANUP_WAIT: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "TARG_CONN_STATE_CLEANUP_WAIT\n"); + break; + default: +- rb += sprintf(page+rb, ++ rb += sysfs_emit_at(page, rb, + "ERROR: Unknown Connection State!\n"); + break; + } + +- rb += sprintf(page+rb, " Address %pISc %s", &conn->login_sockaddr, ++ rb += sysfs_emit_at(page, rb, " Address %pISc %s", &conn->login_sockaddr, + (conn->network_transport == ISCSI_TCP) ? + "TCP" : "SCTP"); +- rb += sprintf(page+rb, " StatSN: 0x%08x\n", ++ rb += sysfs_emit_at(page, rb, " StatSN: 0x%08x\n", + conn->stat_sn); + } + spin_unlock(&sess->conn_lock); +-- +2.40.1 + diff --git a/queue-5.10/selftests-tracing-fix-to-unmount-tracefs-for-recover.patch b/queue-5.10/selftests-tracing-fix-to-unmount-tracefs-for-recover.patch new file mode 100644 index 00000000000..b5276cbb0c4 --- /dev/null +++ b/queue-5.10/selftests-tracing-fix-to-unmount-tracefs-for-recover.patch @@ -0,0 +1,65 @@ +From a0ce8940be4dafbe9ec98a63a5171ffbe4842904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 10:10:39 +0900 +Subject: selftests: tracing: Fix to unmount tracefs for recovering environment + +From: Masami Hiramatsu (Google) + +[ Upstream commit 7e021da80f48582171029714f8a487347f29dddb ] + +Fix to unmount the tracefs if the ftracetest mounted it for recovering +system environment. If the tracefs is already mounted, this does nothing. + +Suggested-by: Mark Brown +Link: https://lore.kernel.org/all/29fce076-746c-4650-8358-b4e0fa215cf7@sirena.org.uk/ +Fixes: cbd965bde74c ("ftrace/selftests: Return the skip code when tracing directory not configured in kernel") +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Reviewed-by: Mark Brown +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/ftrace/ftracetest | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tools/testing/selftests/ftrace/ftracetest b/tools/testing/selftests/ftrace/ftracetest +index 8ec1922e974eb..55314cd197ab9 100755 +--- a/tools/testing/selftests/ftrace/ftracetest ++++ b/tools/testing/selftests/ftrace/ftracetest +@@ -30,6 +30,9 @@ err_ret=1 + # kselftest skip code is 4 + err_skip=4 + ++# umount required ++UMOUNT_DIR="" ++ + # cgroup RT scheduling prevents chrt commands from succeeding, which + # induces failures in test wakeup tests. Disable for the duration of + # the tests. +@@ -44,6 +47,9 @@ setup() { + + cleanup() { + echo $sched_rt_runtime_orig > $sched_rt_runtime ++ if [ -n "${UMOUNT_DIR}" ]; then ++ umount ${UMOUNT_DIR} ||: ++ fi + } + + errexit() { # message +@@ -155,11 +161,13 @@ if [ -z "$TRACING_DIR" ]; then + mount -t tracefs nodev /sys/kernel/tracing || + errexit "Failed to mount /sys/kernel/tracing" + TRACING_DIR="/sys/kernel/tracing" ++ UMOUNT_DIR=${TRACING_DIR} + # If debugfs exists, then so does /sys/kernel/debug + elif [ -d "/sys/kernel/debug" ]; then + mount -t debugfs nodev /sys/kernel/debug || + errexit "Failed to mount /sys/kernel/debug" + TRACING_DIR="/sys/kernel/debug/tracing" ++ UMOUNT_DIR=${TRACING_DIR} + else + err_ret=$err_skip + errexit "debugfs and tracefs are not configured in this kernel" +-- +2.40.1 + diff --git a/queue-5.10/serial-cpm_uart-avoid-suspicious-locking.patch b/queue-5.10/serial-cpm_uart-avoid-suspicious-locking.patch new file mode 100644 index 00000000000..5afaa1f7433 --- /dev/null +++ b/queue-5.10/serial-cpm_uart-avoid-suspicious-locking.patch @@ -0,0 +1,80 @@ +From 7175f2ebd9658f6f1e62fc5210a16bebe6809ae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Aug 2023 15:56:42 +0200 +Subject: serial: cpm_uart: Avoid suspicious locking + +From: Christophe Leroy + +[ Upstream commit 36ef11d311f405e55ad8e848c19b212ff71ef536 ] + + CHECK drivers/tty/serial/cpm_uart/cpm_uart_core.c +drivers/tty/serial/cpm_uart/cpm_uart_core.c:1271:39: warning: context imbalance in 'cpm_uart_console_write' - unexpected unlock + +Allthough 'nolock' is not expected to change, sparse find the following +form suspicious: + + if (unlikely(nolock)) { + local_irq_save(flags); + } else { + spin_lock_irqsave(&pinfo->port.lock, flags); + } + + cpm_uart_early_write(pinfo, s, count, true); + + if (unlikely(nolock)) { + local_irq_restore(flags); + } else { + spin_unlock_irqrestore(&pinfo->port.lock, flags); + } + +Rewrite it a more obvious form: + + if (unlikely(oops_in_progress)) { + local_irq_save(flags); + cpm_uart_early_write(pinfo, s, count, true); + local_irq_restore(flags); + } else { + spin_lock_irqsave(&pinfo->port.lock, flags); + cpm_uart_early_write(pinfo, s, count, true); + spin_unlock_irqrestore(&pinfo->port.lock, flags); + } + +Signed-off-by: Christophe Leroy +Link: https://lore.kernel.org/r/f7da5cdc9287960185829cfef681a7d8614efa1f.1691068700.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +index 4df47d02b34b4..f727222469b60 100644 +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -1263,19 +1263,14 @@ static void cpm_uart_console_write(struct console *co, const char *s, + { + struct uart_cpm_port *pinfo = &cpm_uart_ports[co->index]; + unsigned long flags; +- int nolock = oops_in_progress; + +- if (unlikely(nolock)) { ++ if (unlikely(oops_in_progress)) { + local_irq_save(flags); +- } else { +- spin_lock_irqsave(&pinfo->port.lock, flags); +- } +- +- cpm_uart_early_write(pinfo, s, count, true); +- +- if (unlikely(nolock)) { ++ cpm_uart_early_write(pinfo, s, count, true); + local_irq_restore(flags); + } else { ++ spin_lock_irqsave(&pinfo->port.lock, flags); ++ cpm_uart_early_write(pinfo, s, count, true); + spin_unlock_irqrestore(&pinfo->port.lock, flags); + } + } +-- +2.40.1 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..033dde7c23a --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,65 @@ +autofs-fix-memory-leak-of-waitqueues-in-autofs_catat.patch +btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch +locks-fix-kasan-use-after-free-in-trace_event_raw_ev.patch +acpica-add-aml_no_operand_resolve-flag-to-timer.patch +kernel-fork-beware-of-__put_task_struct-calling-cont.patch +rcuscale-move-rcu_scale_writer-schedule_timeout_unin.patch +scftorture-forgive-memory-allocation-failure-if-kasa.patch +acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch +perf-smmuv3-enable-hisilicon-erratum-162001900-quirk.patch +acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch +hw_breakpoint-fix-single-stepping-when-using-bpf_ove.patch +devlink-remove-reload-failed-checks-in-params-get-se.patch +crypto-lrw-xts-replace-strlcpy-with-strscpy.patch +wifi-ath9k-fix-fortify-warnings.patch +wifi-ath9k-fix-printk-specifier.patch +wifi-mwifiex-fix-fortify-warning.patch +wifi-wil6210-fix-fortify-warnings.patch +crypto-lib-mpi-avoid-null-pointer-deref-in-mpi_cmp_u.patch +tpm_tis-resend-command-to-recover-from-data-transfer.patch +mmc-sdhci-esdhc-imx-improve-esdhc_flag_err010450.patch +alx-fix-oob-read-compiler-warning.patch +netfilter-ebtables-fix-fortify-warnings-in-size_entr.patch +wifi-mac80211_hwsim-drop-short-frames.patch +libbpf-free-btf_vmlinux-when-closing-bpf_object.patch +drm-bridge-tc358762-instruct-dsi-host-to-generate-hs.patch +samples-hw_breakpoint-fix-kernel-bug-invalid-opcode-.patch +asoc-intel-sof_sdw-update-bt-offload-config-for-soun.patch +alsa-hda-intel-dsp-cfg-add-lunarlake-support.patch +drm-exynos-fix-a-possible-null-pointer-dereference-d.patch +bus-ti-sysc-configure-uart-quirks-for-k3-soc.patch +md-raid1-fix-potential-oob-in-raid1_remove_disk.patch +ext2-fix-datatype-of-block-number-in-ext2_xattr_set2.patch +fs-jfs-prevent-double-free-in-dbunmount-after-failed.patch +jfs-fix-invalid-free-of-jfs_ip-ipimap-i_imap-in-diun.patch +powerpc-pseries-fix-possible-memory-leak-in-ibmebus_.patch +media-dvb-usb-v2-af9035-fix-null-ptr-deref-in-af9035.patch +media-dw2102-fix-null-ptr-deref-in-dw2102_i2c_transf.patch +media-af9005-fix-null-ptr-deref-in-af9005_i2c_xfer.patch +media-anysee-fix-null-ptr-deref-in-anysee_master_xfe.patch +media-az6007-fix-null-ptr-deref-in-az6007_i2c_xfer.patch +media-dvb-usb-v2-gl861-fix-null-ptr-deref-in-gl861_i.patch +media-tuners-qt1010-replace-bug_on-with-a-regular-er.patch +media-pci-cx23885-replace-bug-with-error-return.patch +usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch +scsi-target-iscsi-fix-buffer-overflow-in-lio_target_.patch +serial-cpm_uart-avoid-suspicious-locking.patch +media-pci-ipu3-cio2-initialise-timing-struct-to-avoi.patch +kobject-add-sanity-check-for-kset-kobj.ktype-in-kset.patch +interconnect-fix-locking-for-runpm-vs-reclaim.patch +mtd-rawnand-brcmnand-allow-soc-to-provide-i-o-operat.patch +mtd-rawnand-brcmnand-fix-ecc-level-field-setting-for.patch +perf-jevents-make-build-dependency-on-test-jsons.patch +perf-tools-add-an-option-to-build-without-libbfd.patch +perf-jevents-switch-build-to-use-jevents.py.patch +perf-build-update-build-rule-for-generated-files.patch +btrfs-move-btrfs_pinned_by_swapfile-prototype-into-v.patch +btrfs-add-a-helper-to-read-the-superblock-metadata_u.patch +btrfs-compare-the-correct-fsid-metadata_uuid-in-btrf.patch +drm-gm12u320-fix-the-timeout-usage-for-usb_bulk_msg.patch +scsi-qla2xxx-fix-null-vs-is_err-bug-for-debugfs_crea.patch +selftests-tracing-fix-to-unmount-tracefs-for-recover.patch +scsi-lpfc-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch +x86-boot-compressed-reserve-more-memory-for-page-tab.patch +samples-hw_breakpoint-fix-building-without-module-un.patch +md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch diff --git a/queue-5.10/tpm_tis-resend-command-to-recover-from-data-transfer.patch b/queue-5.10/tpm_tis-resend-command-to-recover-from-data-transfer.patch new file mode 100644 index 00000000000..3da6c8b34ab --- /dev/null +++ b/queue-5.10/tpm_tis-resend-command-to-recover-from-data-transfer.patch @@ -0,0 +1,50 @@ +From 06bf31666a4d07d68cb1373ab971831d5d88a830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 20:02:59 +0200 +Subject: tpm_tis: Resend command to recover from data transfer errors + +From: Alexander Steffen + +[ Upstream commit 280db21e153d8810ce3b93640c63ae922bcb9e8e ] + +Similar to the transmission of TPM responses, also the transmission of TPM +commands may become corrupted. Instead of aborting when detecting such +issues, try resending the command again. + +Signed-off-by: Alexander Steffen +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_core.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index d7c440ac465f3..b3452259d6e0b 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -469,10 +469,17 @@ static int tpm_tis_send_main(struct tpm_chip *chip, const u8 *buf, size_t len) + int rc; + u32 ordinal; + unsigned long dur; +- +- rc = tpm_tis_send_data(chip, buf, len); +- if (rc < 0) +- return rc; ++ unsigned int try; ++ ++ for (try = 0; try < TPM_RETRY; try++) { ++ rc = tpm_tis_send_data(chip, buf, len); ++ if (rc >= 0) ++ /* Data transfer done successfully */ ++ break; ++ else if (rc != -EIO) ++ /* Data transfer failed, not recoverable */ ++ return rc; ++ } + + /* go and do it */ + rc = tpm_tis_write8(priv, TPM_STS(priv->locality), TPM_STS_GO); +-- +2.40.1 + diff --git a/queue-5.10/usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch b/queue-5.10/usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch new file mode 100644 index 00000000000..413f22cf2d7 --- /dev/null +++ b/queue-5.10/usb-gadget-fsl_qe_udc-validate-endpoint-index-for-ch.patch @@ -0,0 +1,37 @@ +From 978f0e873a8060ada7b2e1154a576e3e6c4962ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 16:15:11 +0800 +Subject: usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc + +From: Ma Ke + +[ Upstream commit ce9daa2efc0872a9a68ea51dc8000df05893ef2e ] + +We should verify the bound of the array to assure that host +may not manipulate the index to point past endpoint array. + +Signed-off-by: Ma Ke +Acked-by: Li Yang +Link: https://lore.kernel.org/r/20230628081511.186850-1-make_ruc2021@163.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fsl_qe_udc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/udc/fsl_qe_udc.c b/drivers/usb/gadget/udc/fsl_qe_udc.c +index fa66449b39075..f3388c720e0fa 100644 +--- a/drivers/usb/gadget/udc/fsl_qe_udc.c ++++ b/drivers/usb/gadget/udc/fsl_qe_udc.c +@@ -1950,6 +1950,8 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value, + } else if ((request_type & USB_RECIP_MASK) == USB_RECIP_ENDPOINT) { + /* Get endpoint status */ + int pipe = index & USB_ENDPOINT_NUMBER_MASK; ++ if (pipe >= USB_MAX_ENDPOINTS) ++ goto stall; + struct qe_ep *target_ep = &udc->eps[pipe]; + u16 usep; + +-- +2.40.1 + diff --git a/queue-5.10/wifi-ath9k-fix-fortify-warnings.patch b/queue-5.10/wifi-ath9k-fix-fortify-warnings.patch new file mode 100644 index 00000000000..e7e86d51bd5 --- /dev/null +++ b/queue-5.10/wifi-ath9k-fix-fortify-warnings.patch @@ -0,0 +1,97 @@ +From 1724c2aa51ec07f1f290250f38e90fac2054b856 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 13:11:07 +0300 +Subject: wifi: ath9k: fix fortify warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit 810e41cebb6c6e394f2068f839e1a3fc745a5dcc ] + +When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, +I've noticed the following: + +In function ‘fortify_memcpy_chk’, + inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4, + inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: +./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In function ‘fortify_memcpy_chk’, + inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3, + inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2, + inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: +./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In both cases, the compiler complains on: + +memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); + +which is the legal way to copy both 'ba_low' and following 'ba_high' +members of 'struct ath_tx_status' at once (that is, issue one 8-byte +'memcpy()' for two 4-byte fields). Since the fortification logic seems +interprets this trick as an attempt to overread 4-byte 'ba_low', silence +relevant warnings by using the convenient 'struct_group()' quirk. + +Suggested-by: Johannes Berg +Signed-off-by: Dmitry Antipov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230620080855.396851-2-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/mac.h | 6 ++++-- + drivers/net/wireless/ath/ath9k/xmit.c | 4 ++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/mac.h b/drivers/net/wireless/ath/ath9k/mac.h +index fd6aa49adadfe..9b00e77a6fc3c 100644 +--- a/drivers/net/wireless/ath/ath9k/mac.h ++++ b/drivers/net/wireless/ath/ath9k/mac.h +@@ -113,8 +113,10 @@ struct ath_tx_status { + u8 qid; + u16 desc_id; + u8 tid; +- u32 ba_low; +- u32 ba_high; ++ struct_group(ba, ++ u32 ba_low; ++ u32 ba_high; ++ ); + u32 evm0; + u32 evm1; + u32 evm2; +diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c +index 6555abf02f18b..84c68aefc171a 100644 +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -421,7 +421,7 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf, + isaggr = bf_isaggr(bf); + if (isaggr) { + seq_st = ts->ts_seqnum; +- memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); ++ memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3); + } + + while (bf) { +@@ -504,7 +504,7 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq, + if (isaggr && txok) { + if (ts->ts_flags & ATH9K_TX_BA) { + seq_st = ts->ts_seqnum; +- memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); ++ memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3); + } else { + /* + * AR5416 can become deaf/mute when BA +-- +2.40.1 + diff --git a/queue-5.10/wifi-ath9k-fix-printk-specifier.patch b/queue-5.10/wifi-ath9k-fix-printk-specifier.patch new file mode 100644 index 00000000000..c7572a77db2 --- /dev/null +++ b/queue-5.10/wifi-ath9k-fix-printk-specifier.patch @@ -0,0 +1,68 @@ +From d62882b752163bf28a120980b96658915d270ee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 12:04:02 +0800 +Subject: wifi: ath9k: fix printk specifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dongliang Mu + +[ Upstream commit 061115fbfb2ce5870c9a004d68dc63138c07c782 ] + +Smatch reports: + +ath_pci_probe() warn: argument 4 to %lx specifier is cast from pointer +ath_ahb_probe() warn: argument 4 to %lx specifier is cast from pointer + +Fix it by modifying %lx to %p in the printk format string. + +Note that with this change, the pointer address will be printed as a +hashed value by default. This is appropriate because the kernel +should not leak kernel pointers to user space in an informational +message. If someone wants to see the real address for debugging +purposes, this can be achieved with the no_hash_pointers kernel option. + +Signed-off-by: Dongliang Mu +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230723040403.296723-1-dzm91@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/ahb.c | 4 ++-- + drivers/net/wireless/ath/ath9k/pci.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/ahb.c b/drivers/net/wireless/ath/ath9k/ahb.c +index cdefb8e2daf14..05fb76a4e144e 100644 +--- a/drivers/net/wireless/ath/ath9k/ahb.c ++++ b/drivers/net/wireless/ath/ath9k/ahb.c +@@ -136,8 +136,8 @@ static int ath_ahb_probe(struct platform_device *pdev) + + ah = sc->sc_ah; + ath9k_hw_name(ah, hw_name, sizeof(hw_name)); +- wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n", +- hw_name, (unsigned long)mem, irq); ++ wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n", ++ hw_name, mem, irq); + + return 0; + +diff --git a/drivers/net/wireless/ath/ath9k/pci.c b/drivers/net/wireless/ath/ath9k/pci.c +index cff9af3af38d5..4f90c304d1214 100644 +--- a/drivers/net/wireless/ath/ath9k/pci.c ++++ b/drivers/net/wireless/ath/ath9k/pci.c +@@ -994,8 +994,8 @@ static int ath_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + sc->sc_ah->msi_reg = 0; + + ath9k_hw_name(sc->sc_ah, hw_name, sizeof(hw_name)); +- wiphy_info(hw->wiphy, "%s mem=0x%lx, irq=%d\n", +- hw_name, (unsigned long)sc->mem, pdev->irq); ++ wiphy_info(hw->wiphy, "%s mem=0x%p, irq=%d\n", ++ hw_name, sc->mem, pdev->irq); + + return 0; + +-- +2.40.1 + diff --git a/queue-5.10/wifi-mac80211_hwsim-drop-short-frames.patch b/queue-5.10/wifi-mac80211_hwsim-drop-short-frames.patch new file mode 100644 index 00000000000..24b41d5c36c --- /dev/null +++ b/queue-5.10/wifi-mac80211_hwsim-drop-short-frames.patch @@ -0,0 +1,49 @@ +From b1bf9dc1f7da5dd8fc45e961c950c8b8401b20d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Aug 2023 21:28:01 +0200 +Subject: wifi: mac80211_hwsim: drop short frames + +From: Johannes Berg + +[ Upstream commit fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6 ] + +While technically some control frames like ACK are shorter and +end after Address 1, such frames shouldn't be forwarded through +wmediumd or similar userspace, so require the full 3-address +header to avoid accessing invalid memory if shorter frames are +passed in. + +Reported-by: syzbot+b2645b5bf1512b81fa22@syzkaller.appspotmail.com +Reviewed-by: Jeff Johnson +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 255286b2324e2..0d41f172a1dc2 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3619,14 +3619,15 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2, + frame_data_len = nla_len(info->attrs[HWSIM_ATTR_FRAME]); + frame_data = (void *)nla_data(info->attrs[HWSIM_ATTR_FRAME]); + ++ if (frame_data_len < sizeof(struct ieee80211_hdr_3addr) || ++ frame_data_len > IEEE80211_MAX_DATA_LEN) ++ goto err; ++ + /* Allocate new skb here */ + skb = alloc_skb(frame_data_len, GFP_KERNEL); + if (skb == NULL) + goto err; + +- if (frame_data_len > IEEE80211_MAX_DATA_LEN) +- goto err; +- + /* Copy the data */ + skb_put_data(skb, frame_data, frame_data_len); + +-- +2.40.1 + diff --git a/queue-5.10/wifi-mwifiex-fix-fortify-warning.patch b/queue-5.10/wifi-mwifiex-fix-fortify-warning.patch new file mode 100644 index 00000000000..d121c5f9f85 --- /dev/null +++ b/queue-5.10/wifi-mwifiex-fix-fortify-warning.patch @@ -0,0 +1,87 @@ +From f83360c291734e25091dc6bb82b6005731de50b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 11:51:01 +0300 +Subject: wifi: mwifiex: fix fortify warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit dcce94b80a954a8968ff29fafcfb066d6197fa9a ] + +When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, +I've noticed the following: + +In function ‘fortify_memcpy_chk’, + inlined from ‘mwifiex_construct_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:765:3, + inlined from ‘mwifiex_send_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:856:6: +./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The compiler actually complains on: + +memmove(pos + ETH_ALEN, &mgmt->u.action.category, + sizeof(mgmt->u.action.u.tdls_discover_resp)); + +and it happens because the fortification logic interprets this +as an attempt to overread 1-byte 'u.action.category' member of +'struct ieee80211_mgmt'. To silence this warning, it's enough +to pass an address of 'u.action' itself instead of an address +of its first member. + +This also fixes an improper usage of 'sizeof()'. Since 'skb' is +extended with 'sizeof(mgmt->u.action.u.tdls_discover_resp) + 1' +bytes (where 1 is actually 'sizeof(mgmt->u.action.category)'), +I assume that the same number of bytes should be copied. + +Suggested-by: Brian Norris +Signed-off-by: Dmitry Antipov +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230629085115.180499-2-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/tdls.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c +index 97bb87c3676bb..6c60621b6cccb 100644 +--- a/drivers/net/wireless/marvell/mwifiex/tdls.c ++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c +@@ -735,6 +735,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, + int ret; + u16 capab; + struct ieee80211_ht_cap *ht_cap; ++ unsigned int extra; + u8 radio, *pos; + + capab = priv->curr_bss_params.bss_descriptor.cap_info_bitmap; +@@ -753,7 +754,10 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, + + switch (action_code) { + case WLAN_PUB_ACTION_TDLS_DISCOVER_RES: +- skb_put(skb, sizeof(mgmt->u.action.u.tdls_discover_resp) + 1); ++ /* See the layout of 'struct ieee80211_mgmt'. */ ++ extra = sizeof(mgmt->u.action.u.tdls_discover_resp) + ++ sizeof(mgmt->u.action.category); ++ skb_put(skb, extra); + mgmt->u.action.category = WLAN_CATEGORY_PUBLIC; + mgmt->u.action.u.tdls_discover_resp.action_code = + WLAN_PUB_ACTION_TDLS_DISCOVER_RES; +@@ -762,8 +766,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, + mgmt->u.action.u.tdls_discover_resp.capability = + cpu_to_le16(capab); + /* move back for addr4 */ +- memmove(pos + ETH_ALEN, &mgmt->u.action.category, +- sizeof(mgmt->u.action.u.tdls_discover_resp)); ++ memmove(pos + ETH_ALEN, &mgmt->u.action, extra); + /* init address 4 */ + eth_broadcast_addr(pos); + +-- +2.40.1 + diff --git a/queue-5.10/wifi-wil6210-fix-fortify-warnings.patch b/queue-5.10/wifi-wil6210-fix-fortify-warnings.patch new file mode 100644 index 00000000000..8b958e06fdf --- /dev/null +++ b/queue-5.10/wifi-wil6210-fix-fortify-warnings.patch @@ -0,0 +1,127 @@ +From c7e971a7502813934f5ac8fcfcab45fc52d9799e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 12:36:55 +0300 +Subject: wifi: wil6210: fix fortify warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit 1ad8237e971630c66a1a6194491e0837b64d00e0 ] + +When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, +I've noticed the following: + +In function ‘fortify_memcpy_chk’, + inlined from ‘wil_rx_crypto_check_edma’ at drivers/net/wireless/ath/wil6210/txrx_edma.c:566:2: +./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +where the compiler complains on: + +const u8 *pn; +... +pn = (u8 *)&st->ext.pn_15_0; +... +memcpy(cc->pn, pn, IEEE80211_GCMP_PN_LEN); + +and: + +In function ‘fortify_memcpy_chk’, + inlined from ‘wil_rx_crypto_check’ at drivers/net/wireless/ath/wil6210/txrx.c:684:2: +./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ +declared with attribute warning: detected read beyond size of field (2nd parameter); +maybe use struct_group()? [-Wattribute-warning] + 529 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +where the compiler complains on: + +const u8 *pn = (u8 *)&d->mac.pn_15_0; +... +memcpy(cc->pn, pn, IEEE80211_GCMP_PN_LEN); + +In both cases, the fortification logic interprets 'memcpy()' as 6-byte +overread of 2-byte field 'pn_15_0' of 'struct wil_rx_status_extension' +and 'pn_15_0' of 'struct vring_rx_mac', respectively. To silence +these warnings, last two fields of the aforementioned structures +are grouped using 'struct_group_attr(pn, __packed' quirk. + +Signed-off-by: Dmitry Antipov +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230621093711.80118-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/txrx.c | 2 +- + drivers/net/wireless/ath/wil6210/txrx.h | 6 ++++-- + drivers/net/wireless/ath/wil6210/txrx_edma.c | 2 +- + drivers/net/wireless/ath/wil6210/txrx_edma.h | 6 ++++-- + 4 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c +index cc830c795b33c..5b2de4f3fa0bd 100644 +--- a/drivers/net/wireless/ath/wil6210/txrx.c ++++ b/drivers/net/wireless/ath/wil6210/txrx.c +@@ -666,7 +666,7 @@ static int wil_rx_crypto_check(struct wil6210_priv *wil, struct sk_buff *skb) + struct wil_tid_crypto_rx *c = mc ? &s->group_crypto_rx : + &s->tid_crypto_rx[tid]; + struct wil_tid_crypto_rx_single *cc = &c->key_id[key_id]; +- const u8 *pn = (u8 *)&d->mac.pn_15_0; ++ const u8 *pn = (u8 *)&d->mac.pn; + + if (!cc->key_set) { + wil_err_ratelimited(wil, +diff --git a/drivers/net/wireless/ath/wil6210/txrx.h b/drivers/net/wireless/ath/wil6210/txrx.h +index 1f4c8ec75be87..0f6f6b62bfc9a 100644 +--- a/drivers/net/wireless/ath/wil6210/txrx.h ++++ b/drivers/net/wireless/ath/wil6210/txrx.h +@@ -343,8 +343,10 @@ struct vring_rx_mac { + u32 d0; + u32 d1; + u16 w4; +- u16 pn_15_0; +- u32 pn_47_16; ++ struct_group_attr(pn, __packed, ++ u16 pn_15_0; ++ u32 pn_47_16; ++ ); + } __packed; + + /* Rx descriptor - DMA part +diff --git a/drivers/net/wireless/ath/wil6210/txrx_edma.c b/drivers/net/wireless/ath/wil6210/txrx_edma.c +index 8ca2ce51c83ef..b23c05f16320b 100644 +--- a/drivers/net/wireless/ath/wil6210/txrx_edma.c ++++ b/drivers/net/wireless/ath/wil6210/txrx_edma.c +@@ -548,7 +548,7 @@ static int wil_rx_crypto_check_edma(struct wil6210_priv *wil, + s = &wil->sta[cid]; + c = mc ? &s->group_crypto_rx : &s->tid_crypto_rx[tid]; + cc = &c->key_id[key_id]; +- pn = (u8 *)&st->ext.pn_15_0; ++ pn = (u8 *)&st->ext.pn; + + if (!cc->key_set) { + wil_err_ratelimited(wil, +diff --git a/drivers/net/wireless/ath/wil6210/txrx_edma.h b/drivers/net/wireless/ath/wil6210/txrx_edma.h +index c736f7413a35f..ee90e225bb050 100644 +--- a/drivers/net/wireless/ath/wil6210/txrx_edma.h ++++ b/drivers/net/wireless/ath/wil6210/txrx_edma.h +@@ -330,8 +330,10 @@ struct wil_rx_status_extension { + u32 d0; + u32 d1; + __le16 seq_num; /* only lower 12 bits */ +- u16 pn_15_0; +- u32 pn_47_16; ++ struct_group_attr(pn, __packed, ++ u16 pn_15_0; ++ u32 pn_47_16; ++ ); + } __packed; + + struct wil_rx_status_extended { +-- +2.40.1 + diff --git a/queue-5.10/x86-boot-compressed-reserve-more-memory-for-page-tab.patch b/queue-5.10/x86-boot-compressed-reserve-more-memory-for-page-tab.patch new file mode 100644 index 00000000000..dab1c4ba0c5 --- /dev/null +++ b/queue-5.10/x86-boot-compressed-reserve-more-memory-for-page-tab.patch @@ -0,0 +1,123 @@ +From 5a90c926e01cf088dd8bf644537830dc4d160af1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 10:02:21 +0300 +Subject: x86/boot/compressed: Reserve more memory for page tables + +From: Kirill A. Shutemov + +[ Upstream commit f530ee95b72e77b09c141c4b1a4b94d1199ffbd9 ] + +The decompressor has a hard limit on the number of page tables it can +allocate. This limit is defined at compile-time and will cause boot +failure if it is reached. + +The kernel is very strict and calculates the limit precisely for the +worst-case scenario based on the current configuration. However, it is +easy to forget to adjust the limit when a new use-case arises. The +worst-case scenario is rarely encountered during sanity checks. + +In the case of enabling 5-level paging, a use-case was overlooked. The +limit needs to be increased by one to accommodate the additional level. +This oversight went unnoticed until Aaron attempted to run the kernel +via kexec with 5-level paging and unaccepted memory enabled. + +Update wost-case calculations to include 5-level paging. + +To address this issue, let's allocate some extra space for page tables. +128K should be sufficient for any use-case. The logic can be simplified +by using a single value for all kernel configurations. + +[ Also add a warning, should this memory run low - by Dave Hansen. ] + +Fixes: 34bbb0009f3b ("x86/boot/compressed: Enable 5-level paging during decompression stage") +Reported-by: Aaron Lu +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20230915070221.10266-1-kirill.shutemov@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/ident_map_64.c | 8 +++++ + arch/x86/include/asm/boot.h | 45 +++++++++++++++++-------- + 2 files changed, 39 insertions(+), 14 deletions(-) + +diff --git a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c +index 39b2eded7bc2b..f4a2e6d373b29 100644 +--- a/arch/x86/boot/compressed/ident_map_64.c ++++ b/arch/x86/boot/compressed/ident_map_64.c +@@ -67,6 +67,14 @@ static void *alloc_pgt_page(void *context) + return NULL; + } + ++ /* Consumed more tables than expected? */ ++ if (pages->pgt_buf_offset == BOOT_PGT_SIZE_WARN) { ++ debug_putstr("pgt_buf running low in " __FILE__ "\n"); ++ debug_putstr("Need to raise BOOT_PGT_SIZE?\n"); ++ debug_putaddr(pages->pgt_buf_offset); ++ debug_putaddr(pages->pgt_buf_size); ++ } ++ + entry = pages->pgt_buf + pages->pgt_buf_offset; + pages->pgt_buf_offset += PAGE_SIZE; + +diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h +index 9191280d9ea31..215d37f7dde8a 100644 +--- a/arch/x86/include/asm/boot.h ++++ b/arch/x86/include/asm/boot.h +@@ -40,23 +40,40 @@ + #ifdef CONFIG_X86_64 + # define BOOT_STACK_SIZE 0x4000 + ++/* ++ * Used by decompressor's startup_32() to allocate page tables for identity ++ * mapping of the 4G of RAM in 4-level paging mode: ++ * - 1 level4 table; ++ * - 1 level3 table; ++ * - 4 level2 table that maps everything with 2M pages; ++ * ++ * The additional level5 table needed for 5-level paging is allocated from ++ * trampoline_32bit memory. ++ */ + # define BOOT_INIT_PGT_SIZE (6*4096) +-# ifdef CONFIG_RANDOMIZE_BASE ++ + /* +- * Assuming all cross the 512GB boundary: +- * 1 page for level4 +- * (2+2)*4 pages for kernel, param, cmd_line, and randomized kernel +- * 2 pages for first 2M (video RAM: CONFIG_X86_VERBOSE_BOOTUP). +- * Total is 19 pages. ++ * Total number of page tables kernel_add_identity_map() can allocate, ++ * including page tables consumed by startup_32(). ++ * ++ * Worst-case scenario: ++ * - 5-level paging needs 1 level5 table; ++ * - KASLR needs to map kernel, boot_params, cmdline and randomized kernel, ++ * assuming all of them cross 256T boundary: ++ * + 4*2 level4 table; ++ * + 4*2 level3 table; ++ * + 4*2 level2 table; ++ * - X86_VERBOSE_BOOTUP needs to map the first 2M (video RAM): ++ * + 1 level4 table; ++ * + 1 level3 table; ++ * + 1 level2 table; ++ * Total: 28 tables ++ * ++ * Add 4 spare table in case decompressor touches anything beyond what is ++ * accounted above. Warn if it happens. + */ +-# ifdef CONFIG_X86_VERBOSE_BOOTUP +-# define BOOT_PGT_SIZE (19*4096) +-# else /* !CONFIG_X86_VERBOSE_BOOTUP */ +-# define BOOT_PGT_SIZE (17*4096) +-# endif +-# else /* !CONFIG_RANDOMIZE_BASE */ +-# define BOOT_PGT_SIZE BOOT_INIT_PGT_SIZE +-# endif ++# define BOOT_PGT_SIZE_WARN (28*4096) ++# define BOOT_PGT_SIZE (32*4096) + + #else /* !CONFIG_X86_64 */ + # define BOOT_STACK_SIZE 0x1000 +-- +2.40.1 +