From: Greg Kroah-Hartman Date: Wed, 22 Nov 2023 21:40:42 +0000 (+0000) Subject: 6.5-stable patches X-Git-Tag: v4.14.331~98 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db4d08dd5522f6e8fd7f7cc430fd279883a9f6bb;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: acpi-fpdt-properly-handle-invalid-fpdt-subtables.patch arm64-dts-qcom-ipq5332-fix-hwlock-index-for-smem.patch arm64-dts-qcom-ipq6018-fix-hwlock-index-for-smem.patch arm64-dts-qcom-ipq6018-fix-tcsr_mutex-register-size.patch arm64-dts-qcom-ipq8074-fix-hwlock-index-for-smem.patch arm64-dts-qcom-ipq9574-fix-hwlock-index-for-smem.patch btrfs-don-t-arbitrarily-slow-down-delalloc-if-we-re-committing.patch dt-bindings-timer-renesas-rz-mtu3-fix-overflow-underflow-interrupt-names.patch firmware-qcom_scm-use-64-bit-calling-convention-only-when-client-is-64-bit.patch ima-annotate-iint-mutex-to-avoid-lockdep-false-positive-warnings.patch ima-detect-changes-to-the-backing-overlay-file.patch leds-trigger-netdev-move-size-check-in-set_device_name.patch mfd-qcom-spmi-pmic-fix-reference-leaks-in-revid-helper.patch mfd-qcom-spmi-pmic-fix-revid-implementation.patch pm-hibernate-clean-up-sync_read-handling-in-snapshot_write_next.patch pm-hibernate-use-__get_safe_page-rather-than-touching-the-list.patch rcu-kmemleak-ignore-kmemleak-false-positives-when-rcu-freeing-objects.patch rcu-tree-defer-setting-of-jiffies-during-stall-reset.patch svcrdma-drop-connection-after-an-rdma-read-error.patch thermal-intel-powerclamp-fix-mismatch-in-get-function-for-max_idle.patch wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch --- diff --git a/queue-6.5/acpi-fpdt-properly-handle-invalid-fpdt-subtables.patch b/queue-6.5/acpi-fpdt-properly-handle-invalid-fpdt-subtables.patch new file mode 100644 index 00000000000..c32e7125bac --- /dev/null +++ b/queue-6.5/acpi-fpdt-properly-handle-invalid-fpdt-subtables.patch @@ -0,0 +1,166 @@ +From a83c68a3bf7c418c9a46693c63c638852b0c1f4e Mon Sep 17 00:00:00 2001 +From: Vasily Khoruzhick +Date: Wed, 27 Sep 2023 12:50:02 -0700 +Subject: ACPI: FPDT: properly handle invalid FPDT subtables + +From: Vasily Khoruzhick + +commit a83c68a3bf7c418c9a46693c63c638852b0c1f4e upstream. + +Buggy BIOSes may have invalid FPDT subtables, e.g. on my hardware: + +S3PT subtable: + +7F20FE30: 53 33 50 54 24 00 00 00-00 00 00 00 00 00 18 01 *S3PT$...........* +7F20FE40: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................* +7F20FE50: 00 00 00 00 + +Here the first record has zero length. + +FBPT subtable: + +7F20FE50: 46 42 50 54-3C 00 00 00 46 42 50 54 *....FBPT<...FBPT* +7F20FE60: 02 00 30 02 00 00 00 00-00 00 00 00 00 00 00 00 *..0.............* +7F20FE70: 2A A6 BC 6E 0B 00 00 00-1A 44 41 70 0B 00 00 00 **..n.....DAp....* +7F20FE80: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................* + +And here FBPT table has FBPT signature repeated instead of the first +record. + +Current code will be looping indefinitely due to zero length records, so +break out of the loop if record length is zero. + +While we are here, add proper handling for fpdt_process_subtable() +failures. + +Fixes: d1eb86e59be0 ("ACPI: tables: introduce support for FPDT table") +Cc: All applicable +Signed-off-by: Vasily Khoruzhick +[ rjw: Comment edit, added empty code lines ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_fpdt.c | 45 +++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 37 insertions(+), 8 deletions(-) + +--- a/drivers/acpi/acpi_fpdt.c ++++ b/drivers/acpi/acpi_fpdt.c +@@ -194,12 +194,19 @@ static int fpdt_process_subtable(u64 add + record_header = (void *)subtable_header + offset; + offset += record_header->length; + ++ if (!record_header->length) { ++ pr_err(FW_BUG "Zero-length record found in FPTD.\n"); ++ result = -EINVAL; ++ goto err; ++ } ++ + switch (record_header->type) { + case RECORD_S3_RESUME: + if (subtable_type != SUBTABLE_S3PT) { + pr_err(FW_BUG "Invalid record %d for subtable %s\n", + record_header->type, signature); +- return -EINVAL; ++ result = -EINVAL; ++ goto err; + } + if (record_resume) { + pr_err("Duplicate resume performance record found.\n"); +@@ -208,7 +215,7 @@ static int fpdt_process_subtable(u64 add + record_resume = (struct resume_performance_record *)record_header; + result = sysfs_create_group(fpdt_kobj, &resume_attr_group); + if (result) +- return result; ++ goto err; + break; + case RECORD_S3_SUSPEND: + if (subtable_type != SUBTABLE_S3PT) { +@@ -223,13 +230,14 @@ static int fpdt_process_subtable(u64 add + record_suspend = (struct suspend_performance_record *)record_header; + result = sysfs_create_group(fpdt_kobj, &suspend_attr_group); + if (result) +- return result; ++ goto err; + break; + case RECORD_BOOT: + if (subtable_type != SUBTABLE_FBPT) { + pr_err(FW_BUG "Invalid %d for subtable %s\n", + record_header->type, signature); +- return -EINVAL; ++ result = -EINVAL; ++ goto err; + } + if (record_boot) { + pr_err("Duplicate boot performance record found.\n"); +@@ -238,7 +246,7 @@ static int fpdt_process_subtable(u64 add + record_boot = (struct boot_performance_record *)record_header; + result = sysfs_create_group(fpdt_kobj, &boot_attr_group); + if (result) +- return result; ++ goto err; + break; + + default: +@@ -247,6 +255,18 @@ static int fpdt_process_subtable(u64 add + } + } + return 0; ++ ++err: ++ if (record_boot) ++ sysfs_remove_group(fpdt_kobj, &boot_attr_group); ++ ++ if (record_suspend) ++ sysfs_remove_group(fpdt_kobj, &suspend_attr_group); ++ ++ if (record_resume) ++ sysfs_remove_group(fpdt_kobj, &resume_attr_group); ++ ++ return result; + } + + static int __init acpi_init_fpdt(void) +@@ -255,6 +275,7 @@ static int __init acpi_init_fpdt(void) + struct acpi_table_header *header; + struct fpdt_subtable_entry *subtable; + u32 offset = sizeof(*header); ++ int result; + + status = acpi_get_table(ACPI_SIG_FPDT, 0, &header); + +@@ -263,8 +284,8 @@ static int __init acpi_init_fpdt(void) + + fpdt_kobj = kobject_create_and_add("fpdt", acpi_kobj); + if (!fpdt_kobj) { +- acpi_put_table(header); +- return -ENOMEM; ++ result = -ENOMEM; ++ goto err_nomem; + } + + while (offset < header->length) { +@@ -272,8 +293,10 @@ static int __init acpi_init_fpdt(void) + switch (subtable->type) { + case SUBTABLE_FBPT: + case SUBTABLE_S3PT: +- fpdt_process_subtable(subtable->address, ++ result = fpdt_process_subtable(subtable->address, + subtable->type); ++ if (result) ++ goto err_subtable; + break; + default: + /* Other types are reserved in ACPI 6.4 spec. */ +@@ -282,6 +305,12 @@ static int __init acpi_init_fpdt(void) + offset += sizeof(*subtable); + } + return 0; ++err_subtable: ++ kobject_put(fpdt_kobj); ++ ++err_nomem: ++ acpi_put_table(header); ++ return result; + } + + fs_initcall(acpi_init_fpdt); diff --git a/queue-6.5/arm64-dts-qcom-ipq5332-fix-hwlock-index-for-smem.patch b/queue-6.5/arm64-dts-qcom-ipq5332-fix-hwlock-index-for-smem.patch new file mode 100644 index 00000000000..421057de807 --- /dev/null +++ b/queue-6.5/arm64-dts-qcom-ipq5332-fix-hwlock-index-for-smem.patch @@ -0,0 +1,41 @@ +From d08afd80158399a081b478a19902364e3dd0f84c Mon Sep 17 00:00:00 2001 +From: Vignesh Viswanathan +Date: Mon, 4 Sep 2023 22:55:12 +0530 +Subject: arm64: dts: qcom: ipq5332: Fix hwlock index for SMEM + +From: Vignesh Viswanathan + +commit d08afd80158399a081b478a19902364e3dd0f84c upstream. + +SMEM uses lock index 3 of the TCSR Mutex hwlock for allocations +in SMEM region shared by the Host and FW. + +Fix the SMEM hwlock index to 3 for IPQ5332. + +Cc: stable@vger.kernel.org +Fixes: d56dd7f935e1 ("arm64: dts: qcom: ipq5332: add SMEM support") +Signed-off-by: Vignesh Viswanathan +Acked-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230904172516.479866-2-quic_viswanat@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/ipq5332.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/ipq5332.dtsi b/arch/arm64/boot/dts/qcom/ipq5332.dtsi +index 991b23027805..d3fef2f80a81 100644 +--- a/arch/arm64/boot/dts/qcom/ipq5332.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq5332.dtsi +@@ -135,7 +135,7 @@ smem@4a800000 { + reg = <0x0 0x4a800000 0x0 0x100000>; + no-map; + +- hwlocks = <&tcsr_mutex 0>; ++ hwlocks = <&tcsr_mutex 3>; + }; + }; + +-- +2.43.0 + diff --git a/queue-6.5/arm64-dts-qcom-ipq6018-fix-hwlock-index-for-smem.patch b/queue-6.5/arm64-dts-qcom-ipq6018-fix-hwlock-index-for-smem.patch new file mode 100644 index 00000000000..52855513f2a --- /dev/null +++ b/queue-6.5/arm64-dts-qcom-ipq6018-fix-hwlock-index-for-smem.patch @@ -0,0 +1,36 @@ +From 95d97b111e1e184b0c8656137033ed64f2cf21e4 Mon Sep 17 00:00:00 2001 +From: Vignesh Viswanathan +Date: Mon, 4 Sep 2023 22:55:13 +0530 +Subject: arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM + +From: Vignesh Viswanathan + +commit 95d97b111e1e184b0c8656137033ed64f2cf21e4 upstream. + +SMEM uses lock index 3 of the TCSR Mutex hwlock for allocations +in SMEM region shared by the Host and FW. + +Fix the SMEM hwlock index to 3 for IPQ6018. + +Cc: stable@vger.kernel.org +Fixes: 5bf635621245 ("arm64: dts: ipq6018: Add a few device nodes") +Signed-off-by: Vignesh Viswanathan +Acked-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230904172516.479866-3-quic_viswanat@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/ipq6018.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq6018.dtsi +@@ -207,7 +207,7 @@ + smem { + compatible = "qcom,smem"; + memory-region = <&smem_region>; +- hwlocks = <&tcsr_mutex 0>; ++ hwlocks = <&tcsr_mutex 3>; + }; + + soc: soc@0 { diff --git a/queue-6.5/arm64-dts-qcom-ipq6018-fix-tcsr_mutex-register-size.patch b/queue-6.5/arm64-dts-qcom-ipq6018-fix-tcsr_mutex-register-size.patch new file mode 100644 index 00000000000..de3111afeec --- /dev/null +++ b/queue-6.5/arm64-dts-qcom-ipq6018-fix-tcsr_mutex-register-size.patch @@ -0,0 +1,40 @@ +From 72fc3d58b87b0d622039c6299b89024fbb7b420f Mon Sep 17 00:00:00 2001 +From: Vignesh Viswanathan +Date: Tue, 5 Sep 2023 15:25:34 +0530 +Subject: arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size + +From: Vignesh Viswanathan + +commit 72fc3d58b87b0d622039c6299b89024fbb7b420f upstream. + +IPQ6018's TCSR Mutex HW lock register has 32 locks of size 4KB each. +Total size of the TCSR Mutex registers is 128KB. + +Fix size of the tcsr_mutex hwlock register to 0x20000. + +Changes in v2: + - Drop change to remove qcom,ipq6018-tcsr-mutex compatible string + - Added Fixes and stable tags + +Cc: stable@vger.kernel.org +Fixes: 5bf635621245 ("arm64: dts: ipq6018: Add a few device nodes") +Signed-off-by: Vignesh Viswanathan +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230905095535.1263113-2-quic_viswanat@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/ipq6018.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq6018.dtsi +@@ -389,7 +389,7 @@ + + tcsr_mutex: hwlock@1905000 { + compatible = "qcom,ipq6018-tcsr-mutex", "qcom,tcsr-mutex"; +- reg = <0x0 0x01905000 0x0 0x1000>; ++ reg = <0x0 0x01905000 0x0 0x20000>; + #hwlock-cells = <1>; + }; + diff --git a/queue-6.5/arm64-dts-qcom-ipq8074-fix-hwlock-index-for-smem.patch b/queue-6.5/arm64-dts-qcom-ipq8074-fix-hwlock-index-for-smem.patch new file mode 100644 index 00000000000..464e63e0e9d --- /dev/null +++ b/queue-6.5/arm64-dts-qcom-ipq8074-fix-hwlock-index-for-smem.patch @@ -0,0 +1,36 @@ +From 8a781d04e580705d36f7db07f5c80e748100b69d Mon Sep 17 00:00:00 2001 +From: Vignesh Viswanathan +Date: Mon, 4 Sep 2023 22:55:14 +0530 +Subject: arm64: dts: qcom: ipq8074: Fix hwlock index for SMEM + +From: Vignesh Viswanathan + +commit 8a781d04e580705d36f7db07f5c80e748100b69d upstream. + +SMEM uses lock index 3 of the TCSR Mutex hwlock for allocations +in SMEM region shared by the Host and FW. + +Fix the SMEM hwlock index to 3 for IPQ8074. + +Cc: stable@vger.kernel.org +Fixes: 42124b947e8e ("arm64: dts: qcom: ipq8074: add SMEM support") +Signed-off-by: Vignesh Viswanathan +Acked-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230904172516.479866-4-quic_viswanat@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/ipq8074.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/ipq8074.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq8074.dtsi +@@ -101,7 +101,7 @@ + reg = <0x0 0x4ab00000 0x0 0x100000>; + no-map; + +- hwlocks = <&tcsr_mutex 0>; ++ hwlocks = <&tcsr_mutex 3>; + }; + + memory@4ac00000 { diff --git a/queue-6.5/arm64-dts-qcom-ipq9574-fix-hwlock-index-for-smem.patch b/queue-6.5/arm64-dts-qcom-ipq9574-fix-hwlock-index-for-smem.patch new file mode 100644 index 00000000000..db8a7d72c9d --- /dev/null +++ b/queue-6.5/arm64-dts-qcom-ipq9574-fix-hwlock-index-for-smem.patch @@ -0,0 +1,36 @@ +From 5fe8508e2bc8eb4208b0434b6c1ca306c1519ade Mon Sep 17 00:00:00 2001 +From: Vignesh Viswanathan +Date: Mon, 4 Sep 2023 22:55:15 +0530 +Subject: arm64: dts: qcom: ipq9574: Fix hwlock index for SMEM + +From: Vignesh Viswanathan + +commit 5fe8508e2bc8eb4208b0434b6c1ca306c1519ade upstream. + +SMEM uses lock index 3 of the TCSR Mutex hwlock for allocations +in SMEM region shared by the Host and FW. + +Fix the SMEM hwlock index to 3 for IPQ9574. + +Cc: stable@vger.kernel.org +Fixes: 46384ac7a618 ("arm64: dts: qcom: ipq9574: Add SMEM support") +Signed-off-by: Vignesh Viswanathan +Acked-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20230904172516.479866-5-quic_viswanat@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/ipq9574.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/ipq9574.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq9574.dtsi +@@ -174,7 +174,7 @@ + smem@4aa00000 { + compatible = "qcom,smem"; + reg = <0x0 0x4aa00000 0x0 0x100000>; +- hwlocks = <&tcsr_mutex 0>; ++ hwlocks = <&tcsr_mutex 3>; + no-map; + }; + }; diff --git a/queue-6.5/btrfs-don-t-arbitrarily-slow-down-delalloc-if-we-re-committing.patch b/queue-6.5/btrfs-don-t-arbitrarily-slow-down-delalloc-if-we-re-committing.patch new file mode 100644 index 00000000000..cca976c2cfa --- /dev/null +++ b/queue-6.5/btrfs-don-t-arbitrarily-slow-down-delalloc-if-we-re-committing.patch @@ -0,0 +1,38 @@ +From 11aeb97b45ad2e0040cbb2a589bc403152526345 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 18 Sep 2023 14:15:33 -0400 +Subject: btrfs: don't arbitrarily slow down delalloc if we're committing + +From: Josef Bacik + +commit 11aeb97b45ad2e0040cbb2a589bc403152526345 upstream. + +We have a random schedule_timeout() if the current transaction is +committing, which seems to be a holdover from the original delalloc +reservation code. + +Remove this, we have the proper flushing stuff, we shouldn't be hoping +for random timing things to make everything work. This just induces +latency for no reason. + +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/delalloc-space.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/btrfs/delalloc-space.c ++++ b/fs/btrfs/delalloc-space.c +@@ -322,9 +322,6 @@ int btrfs_delalloc_reserve_metadata(stru + } else { + if (current->journal_info) + flush = BTRFS_RESERVE_FLUSH_LIMIT; +- +- if (btrfs_transaction_in_commit(fs_info)) +- schedule_timeout(1); + } + + num_bytes = ALIGN(num_bytes, fs_info->sectorsize); diff --git a/queue-6.5/dt-bindings-timer-renesas-rz-mtu3-fix-overflow-underflow-interrupt-names.patch b/queue-6.5/dt-bindings-timer-renesas-rz-mtu3-fix-overflow-underflow-interrupt-names.patch new file mode 100644 index 00000000000..8973a76f50b --- /dev/null +++ b/queue-6.5/dt-bindings-timer-renesas-rz-mtu3-fix-overflow-underflow-interrupt-names.patch @@ -0,0 +1,128 @@ +From b7a8f1f7a8a25e09aaefebb6251a77f44cda638b Mon Sep 17 00:00:00 2001 +From: Biju Das +Date: Thu, 27 Jul 2023 09:18:44 +0100 +Subject: dt-bindings: timer: renesas,rz-mtu3: Fix overflow/underflow interrupt names + +From: Biju Das + +commit b7a8f1f7a8a25e09aaefebb6251a77f44cda638b upstream. + +As per R01UH0914EJ0130 Rev.1.30 HW manual the MTU3 overflow/underflow +interrupt names starts with 'tci' instead of 'tgi'. + +Fix this documentation issue by replacing below overflow/underflow +interrupt names: + - tgiv0->tciv0 + - tgiv1->tciv1 + - tgiu1->tciu1 + - tgiv2->tciv2 + - tgiu2->tciu2 + - tgiv3->tciv3 + - tgiv4->tciv4 + - tgiv6->tciv6 + - tgiv7->tciv7 + - tgiv8->tciv8 + - tgiu8->tciu8 + +Fixes: 0a9d6b54297e ("dt-bindings: timer: Document RZ/G2L MTU3a bindings") +Cc: stable@kernel.org +Signed-off-by: Biju Das +Acked-by: Conor Dooley +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20230727081848.100834-2-biju.das.jz@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +--- + .../bindings/timer/renesas,rz-mtu3.yaml | 38 +++++++++---------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/Documentation/devicetree/bindings/timer/renesas,rz-mtu3.yaml b/Documentation/devicetree/bindings/timer/renesas,rz-mtu3.yaml +index bffdab0b0185..fbac40b958dd 100644 +--- a/Documentation/devicetree/bindings/timer/renesas,rz-mtu3.yaml ++++ b/Documentation/devicetree/bindings/timer/renesas,rz-mtu3.yaml +@@ -169,27 +169,27 @@ properties: + - const: tgib0 + - const: tgic0 + - const: tgid0 +- - const: tgiv0 ++ - const: tciv0 + - const: tgie0 + - const: tgif0 + - const: tgia1 + - const: tgib1 +- - const: tgiv1 +- - const: tgiu1 ++ - const: tciv1 ++ - const: tciu1 + - const: tgia2 + - const: tgib2 +- - const: tgiv2 +- - const: tgiu2 ++ - const: tciv2 ++ - const: tciu2 + - const: tgia3 + - const: tgib3 + - const: tgic3 + - const: tgid3 +- - const: tgiv3 ++ - const: tciv3 + - const: tgia4 + - const: tgib4 + - const: tgic4 + - const: tgid4 +- - const: tgiv4 ++ - const: tciv4 + - const: tgiu5 + - const: tgiv5 + - const: tgiw5 +@@ -197,18 +197,18 @@ properties: + - const: tgib6 + - const: tgic6 + - const: tgid6 +- - const: tgiv6 ++ - const: tciv6 + - const: tgia7 + - const: tgib7 + - const: tgic7 + - const: tgid7 +- - const: tgiv7 ++ - const: tciv7 + - const: tgia8 + - const: tgib8 + - const: tgic8 + - const: tgid8 +- - const: tgiv8 +- - const: tgiu8 ++ - const: tciv8 ++ - const: tciu8 + + clocks: + maxItems: 1 +@@ -285,16 +285,16 @@ examples: + , + , + ; +- interrupt-names = "tgia0", "tgib0", "tgic0", "tgid0", "tgiv0", "tgie0", ++ interrupt-names = "tgia0", "tgib0", "tgic0", "tgid0", "tciv0", "tgie0", + "tgif0", +- "tgia1", "tgib1", "tgiv1", "tgiu1", +- "tgia2", "tgib2", "tgiv2", "tgiu2", +- "tgia3", "tgib3", "tgic3", "tgid3", "tgiv3", +- "tgia4", "tgib4", "tgic4", "tgid4", "tgiv4", ++ "tgia1", "tgib1", "tciv1", "tciu1", ++ "tgia2", "tgib2", "tciv2", "tciu2", ++ "tgia3", "tgib3", "tgic3", "tgid3", "tciv3", ++ "tgia4", "tgib4", "tgic4", "tgid4", "tciv4", + "tgiu5", "tgiv5", "tgiw5", +- "tgia6", "tgib6", "tgic6", "tgid6", "tgiv6", +- "tgia7", "tgib7", "tgic7", "tgid7", "tgiv7", +- "tgia8", "tgib8", "tgic8", "tgid8", "tgiv8", "tgiu8"; ++ "tgia6", "tgib6", "tgic6", "tgid6", "tciv6", ++ "tgia7", "tgib7", "tgic7", "tgid7", "tciv7", ++ "tgia8", "tgib8", "tgic8", "tgid8", "tciv8", "tciu8"; + clocks = <&cpg CPG_MOD R9A07G044_MTU_X_MCK_MTU3>; + power-domains = <&cpg>; + resets = <&cpg R9A07G044_MTU_X_PRESET_MTU3>; +-- +2.43.0 + diff --git a/queue-6.5/firmware-qcom_scm-use-64-bit-calling-convention-only-when-client-is-64-bit.patch b/queue-6.5/firmware-qcom_scm-use-64-bit-calling-convention-only-when-client-is-64-bit.patch new file mode 100644 index 00000000000..c205fca132c --- /dev/null +++ b/queue-6.5/firmware-qcom_scm-use-64-bit-calling-convention-only-when-client-is-64-bit.patch @@ -0,0 +1,52 @@ +From 3337a6fea25370d3d244ec6bb38c71ee86fcf837 Mon Sep 17 00:00:00 2001 +From: Kathiravan Thirumoorthy +Date: Mon, 25 Sep 2023 13:59:22 +0530 +Subject: firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit + +From: Kathiravan Thirumoorthy + +commit 3337a6fea25370d3d244ec6bb38c71ee86fcf837 upstream. + +Per the "SMC calling convention specification", the 64-bit calling +convention can only be used when the client is 64-bit. Whereas the +32-bit calling convention can be used by either a 32-bit or a 64-bit +client. + +Currently during SCM probe, irrespective of the client, 64-bit calling +convention is made, which is incorrect and may lead to the undefined +behaviour when the client is 32-bit. Let's fix it. + +Cc: stable@vger.kernel.org +Fixes: 9a434cee773a ("firmware: qcom_scm: Dynamically support SMCCC and legacy conventions") +Reviewed-By: Elliot Berman +Signed-off-by: Kathiravan Thirumoorthy +Link: https://lore.kernel.org/r/20230925-scm-v3-1-8790dff6a749@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/qcom_scm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/firmware/qcom_scm.c ++++ b/drivers/firmware/qcom_scm.c +@@ -172,6 +172,12 @@ static enum qcom_scm_convention __get_co + return qcom_scm_convention; + + /* ++ * Per the "SMC calling convention specification", the 64-bit calling ++ * convention can only be used when the client is 64-bit, otherwise ++ * system will encounter the undefined behaviour. ++ */ ++#if IS_ENABLED(CONFIG_ARM64) ++ /* + * Device isn't required as there is only one argument - no device + * needed to dma_map_single to secure world + */ +@@ -191,6 +197,7 @@ static enum qcom_scm_convention __get_co + forced = true; + goto found; + } ++#endif + + probed_convention = SMC_CONVENTION_ARM_32; + ret = __scm_smc_call(NULL, &desc, probed_convention, &res, true); diff --git a/queue-6.5/ima-annotate-iint-mutex-to-avoid-lockdep-false-positive-warnings.patch b/queue-6.5/ima-annotate-iint-mutex-to-avoid-lockdep-false-positive-warnings.patch new file mode 100644 index 00000000000..e829831ea64 --- /dev/null +++ b/queue-6.5/ima-annotate-iint-mutex-to-avoid-lockdep-false-positive-warnings.patch @@ -0,0 +1,112 @@ +From e044374a8a0a99e46f4e6d6751d3042b6d9cc12e Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 5 Oct 2023 14:15:58 +0300 +Subject: ima: annotate iint mutex to avoid lockdep false positive warnings + +From: Amir Goldstein + +commit e044374a8a0a99e46f4e6d6751d3042b6d9cc12e upstream. + +It is not clear that IMA should be nested at all, but as long is it +measures files both on overlayfs and on underlying fs, we need to +annotate the iint mutex to avoid lockdep false positives related to +IMA + overlayfs, same as overlayfs annotates the inode mutex. + +Reported-and-tested-by: syzbot+b42fe626038981fb7bfa@syzkaller.appspotmail.com +Signed-off-by: Amir Goldstein +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/iint.c | 48 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 37 insertions(+), 11 deletions(-) + +--- a/security/integrity/iint.c ++++ b/security/integrity/iint.c +@@ -66,9 +66,32 @@ struct integrity_iint_cache *integrity_i + return iint; + } + +-static void iint_free(struct integrity_iint_cache *iint) ++#define IMA_MAX_NESTING (FILESYSTEM_MAX_STACK_DEPTH+1) ++ ++/* ++ * It is not clear that IMA should be nested at all, but as long is it measures ++ * files both on overlayfs and on underlying fs, we need to annotate the iint ++ * mutex to avoid lockdep false positives related to IMA + overlayfs. ++ * See ovl_lockdep_annotate_inode_mutex_key() for more details. ++ */ ++static inline void iint_lockdep_annotate(struct integrity_iint_cache *iint, ++ struct inode *inode) ++{ ++#ifdef CONFIG_LOCKDEP ++ static struct lock_class_key iint_mutex_key[IMA_MAX_NESTING]; ++ ++ int depth = inode->i_sb->s_stack_depth; ++ ++ if (WARN_ON_ONCE(depth < 0 || depth >= IMA_MAX_NESTING)) ++ depth = 0; ++ ++ lockdep_set_class(&iint->mutex, &iint_mutex_key[depth]); ++#endif ++} ++ ++static void iint_init_always(struct integrity_iint_cache *iint, ++ struct inode *inode) + { +- kfree(iint->ima_hash); + iint->ima_hash = NULL; + iint->version = 0; + iint->flags = 0UL; +@@ -80,6 +103,14 @@ static void iint_free(struct integrity_i + iint->ima_creds_status = INTEGRITY_UNKNOWN; + iint->evm_status = INTEGRITY_UNKNOWN; + iint->measured_pcrs = 0; ++ mutex_init(&iint->mutex); ++ iint_lockdep_annotate(iint, inode); ++} ++ ++static void iint_free(struct integrity_iint_cache *iint) ++{ ++ kfree(iint->ima_hash); ++ mutex_destroy(&iint->mutex); + kmem_cache_free(iint_cache, iint); + } + +@@ -104,6 +135,8 @@ struct integrity_iint_cache *integrity_i + if (!iint) + return NULL; + ++ iint_init_always(iint, inode); ++ + write_lock(&integrity_iint_lock); + + p = &integrity_iint_tree.rb_node; +@@ -153,25 +186,18 @@ void integrity_inode_free(struct inode * + iint_free(iint); + } + +-static void init_once(void *foo) ++static void iint_init_once(void *foo) + { + struct integrity_iint_cache *iint = (struct integrity_iint_cache *) foo; + + memset(iint, 0, sizeof(*iint)); +- iint->ima_file_status = INTEGRITY_UNKNOWN; +- iint->ima_mmap_status = INTEGRITY_UNKNOWN; +- iint->ima_bprm_status = INTEGRITY_UNKNOWN; +- iint->ima_read_status = INTEGRITY_UNKNOWN; +- iint->ima_creds_status = INTEGRITY_UNKNOWN; +- iint->evm_status = INTEGRITY_UNKNOWN; +- mutex_init(&iint->mutex); + } + + static int __init integrity_iintcache_init(void) + { + iint_cache = + kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), +- 0, SLAB_PANIC, init_once); ++ 0, SLAB_PANIC, iint_init_once); + return 0; + } + DEFINE_LSM(integrity) = { diff --git a/queue-6.5/ima-detect-changes-to-the-backing-overlay-file.patch b/queue-6.5/ima-detect-changes-to-the-backing-overlay-file.patch new file mode 100644 index 00000000000..306574d2c81 --- /dev/null +++ b/queue-6.5/ima-detect-changes-to-the-backing-overlay-file.patch @@ -0,0 +1,113 @@ +From b836c4d29f2744200b2af41e14bf50758dddc818 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Wed, 18 Oct 2023 14:47:02 -0400 +Subject: ima: detect changes to the backing overlay file + +From: Mimi Zohar + +commit b836c4d29f2744200b2af41e14bf50758dddc818 upstream. + +Commit 18b44bc5a672 ("ovl: Always reevaluate the file signature for +IMA") forced signature re-evaulation on every file access. + +Instead of always re-evaluating the file's integrity, detect a change +to the backing file, by comparing the cached file metadata with the +backing file's metadata. Verifying just the i_version has not changed +is insufficient. In addition save and compare the i_ino and s_dev +as well. + +Reviewed-by: Amir Goldstein +Tested-by: Eric Snowberg +Tested-by: Raul E Rangel +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/super.c | 2 +- + security/integrity/ima/ima_api.c | 5 +++++ + security/integrity/ima/ima_main.c | 16 +++++++++++++++- + security/integrity/integrity.h | 2 ++ + 4 files changed, 23 insertions(+), 2 deletions(-) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -1467,7 +1467,7 @@ int ovl_fill_super(struct super_block *s + ovl_trusted_xattr_handlers; + sb->s_fs_info = ofs; + sb->s_flags |= SB_POSIXACL; +- sb->s_iflags |= SB_I_SKIP_SYNC | SB_I_IMA_UNVERIFIABLE_SIGNATURE; ++ sb->s_iflags |= SB_I_SKIP_SYNC; + + err = -ENOMEM; + root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe); +--- a/security/integrity/ima/ima_api.c ++++ b/security/integrity/ima/ima_api.c +@@ -243,6 +243,7 @@ int ima_collect_measurement(struct integ + { + const char *audit_cause = "failed"; + struct inode *inode = file_inode(file); ++ struct inode *real_inode = d_real_inode(file_dentry(file)); + const char *filename = file->f_path.dentry->d_name.name; + struct ima_max_digest_data hash; + struct kstat stat; +@@ -302,6 +303,10 @@ int ima_collect_measurement(struct integ + iint->ima_hash = tmpbuf; + memcpy(iint->ima_hash, &hash, length); + iint->version = i_version; ++ if (real_inode != inode) { ++ iint->real_ino = real_inode->i_ino; ++ iint->real_dev = real_inode->i_sb->s_dev; ++ } + + /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ + if (!result) +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include "ima.h" + +@@ -207,7 +208,7 @@ static int process_measurement(struct fi + u32 secid, char *buf, loff_t size, int mask, + enum ima_hooks func) + { +- struct inode *inode = file_inode(file); ++ struct inode *backing_inode, *inode = file_inode(file); + struct integrity_iint_cache *iint = NULL; + struct ima_template_desc *template_desc = NULL; + char *pathbuf = NULL; +@@ -284,6 +285,19 @@ static int process_measurement(struct fi + iint->measured_pcrs = 0; + } + ++ /* Detect and re-evaluate changes made to the backing file. */ ++ backing_inode = d_real_inode(file_dentry(file)); ++ if (backing_inode != inode && ++ (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) { ++ if (!IS_I_VERSION(backing_inode) || ++ backing_inode->i_sb->s_dev != iint->real_dev || ++ backing_inode->i_ino != iint->real_ino || ++ !inode_eq_iversion(backing_inode, iint->version)) { ++ iint->flags &= ~IMA_DONE_MASK; ++ iint->measured_pcrs = 0; ++ } ++ } ++ + /* Determine if already appraised/measured based on bitmask + * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, + * IMA_AUDIT, IMA_AUDITED) +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -164,6 +164,8 @@ struct integrity_iint_cache { + unsigned long flags; + unsigned long measured_pcrs; + unsigned long atomic_flags; ++ unsigned long real_ino; ++ dev_t real_dev; + enum integrity_status ima_file_status:4; + enum integrity_status ima_mmap_status:4; + enum integrity_status ima_bprm_status:4; diff --git a/queue-6.5/leds-trigger-netdev-move-size-check-in-set_device_name.patch b/queue-6.5/leds-trigger-netdev-move-size-check-in-set_device_name.patch new file mode 100644 index 00000000000..12ed479fa2c --- /dev/null +++ b/queue-6.5/leds-trigger-netdev-move-size-check-in-set_device_name.patch @@ -0,0 +1,67 @@ +From 259e33cbb1712a7dd844fc9757661cc47cb0e39b Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Sat, 7 Oct 2023 15:10:42 +0200 +Subject: leds: trigger: netdev: Move size check in set_device_name + +From: Christian Marangi + +commit 259e33cbb1712a7dd844fc9757661cc47cb0e39b upstream. + +GCC 13.2 complains about array subscript 17 is above array bounds of +'char[16]' with IFNAMSIZ set to 16. + +The warning is correct but this scenario is impossible. +set_device_name is called by device_name_store (store sysfs entry) and +netdev_trig_activate. + +device_name_store already check if size is >= of IFNAMSIZ and return +-EINVAL. (making the warning scenario impossible) + +netdev_trig_activate works on already defined interface, where the name +has already been checked and should already follow the condition of +strlen() < IFNAMSIZ. + +Aside from the scenario being impossible, set_device_name can be +improved to both mute the warning and make the function safer. +To make it safer, move size check from device_name_store directly to +set_device_name and prevent any out of bounds scenario. + +Cc: stable@vger.kernel.org +Fixes: 28a6a2ef18ad ("leds: trigger: netdev: refactor code setting device name") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202309192035.GTJEEbem-lkp@intel.com/ +Signed-off-by: Christian Marangi +Link: https://lore.kernel.org/r/20231007131042.15032-1-ansuelsmth@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/trigger/ledtrig-netdev.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c +index 58f3352539e8..e358e77e4b38 100644 +--- a/drivers/leds/trigger/ledtrig-netdev.c ++++ b/drivers/leds/trigger/ledtrig-netdev.c +@@ -221,6 +221,9 @@ static ssize_t device_name_show(struct device *dev, + static int set_device_name(struct led_netdev_data *trigger_data, + const char *name, size_t size) + { ++ if (size >= IFNAMSIZ) ++ return -EINVAL; ++ + cancel_delayed_work_sync(&trigger_data->work); + + mutex_lock(&trigger_data->lock); +@@ -263,9 +266,6 @@ static ssize_t device_name_store(struct device *dev, + struct led_netdev_data *trigger_data = led_trigger_get_drvdata(dev); + int ret; + +- if (size >= IFNAMSIZ) +- return -EINVAL; +- + ret = set_device_name(trigger_data, buf, size); + + if (ret < 0) +-- +2.43.0 + diff --git a/queue-6.5/mfd-qcom-spmi-pmic-fix-reference-leaks-in-revid-helper.patch b/queue-6.5/mfd-qcom-spmi-pmic-fix-reference-leaks-in-revid-helper.patch new file mode 100644 index 00000000000..02cf0d22fda --- /dev/null +++ b/queue-6.5/mfd-qcom-spmi-pmic-fix-reference-leaks-in-revid-helper.patch @@ -0,0 +1,97 @@ +From a0fa44c261e448c531f9adb3a5189a3520f3e316 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:29:23 +0200 +Subject: mfd: qcom-spmi-pmic: Fix reference leaks in revid helper + +From: Johan Hovold + +commit a0fa44c261e448c531f9adb3a5189a3520f3e316 upstream. + +The Qualcomm SPMI PMIC revid implementation is broken in multiple ways. + +First, it totally ignores struct device_node reference counting and +leaks references to the parent bus node as well as each child it +iterates over using an open-coded for_each_child_of_node(). + +Second, it leaks references to each spmi device on the bus that it +iterates over by failing to drop the reference taken by the +spmi_device_from_of() helper. + +Fix the struct device_node leaks by reimplementing the lookup using +for_each_child_of_node() and adding the missing reference count +decrements. Fix the sibling struct device leaks by dropping the +unnecessary lookups of devices with the wrong USID. + +Note that this still leaves one struct device reference leak in case a +base device is found but it is not the parent of the device used for the +lookup. This will be addressed in a follow-on patch. + +Fixes: e9c11c6e3a0e ("mfd: qcom-spmi-pmic: expose the PMIC revid information to clients") +Cc: stable@vger.kernel.org # 6.0 +Signed-off-by: Johan Hovold +Acked-by: Caleb Connolly +Link: https://lore.kernel.org/r/20231003152927.15000-2-johan+linaro@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/qcom-spmi-pmic.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +--- a/drivers/mfd/qcom-spmi-pmic.c ++++ b/drivers/mfd/qcom-spmi-pmic.c +@@ -81,7 +81,7 @@ static struct spmi_device *qcom_pmic_get + struct spmi_device *sdev; + struct qcom_spmi_dev *ctx; + struct device_node *spmi_bus; +- struct device_node *other_usid = NULL; ++ struct device_node *child; + int function_parent_usid, ret; + u32 pmic_addr; + +@@ -105,28 +105,34 @@ static struct spmi_device *qcom_pmic_get + * device for USID 2. + */ + spmi_bus = of_get_parent(sdev->dev.of_node); +- do { +- other_usid = of_get_next_child(spmi_bus, other_usid); +- +- ret = of_property_read_u32_index(other_usid, "reg", 0, &pmic_addr); +- if (ret) +- return ERR_PTR(ret); ++ sdev = ERR_PTR(-ENODATA); ++ for_each_child_of_node(spmi_bus, child) { ++ ret = of_property_read_u32_index(child, "reg", 0, &pmic_addr); ++ if (ret) { ++ of_node_put(child); ++ sdev = ERR_PTR(ret); ++ break; ++ } + +- sdev = spmi_device_from_of(other_usid); + if (pmic_addr == function_parent_usid - (ctx->num_usids - 1)) { +- if (!sdev) ++ sdev = spmi_device_from_of(child); ++ if (!sdev) { + /* + * If the base USID for this PMIC hasn't probed yet + * but the secondary USID has, then we need to defer + * the function driver so that it will attempt to + * probe again when the base USID is ready. + */ +- return ERR_PTR(-EPROBE_DEFER); +- return sdev; ++ sdev = ERR_PTR(-EPROBE_DEFER); ++ } ++ of_node_put(child); ++ break; + } +- } while (other_usid->sibling); ++ } ++ ++ of_node_put(spmi_bus); + +- return ERR_PTR(-ENODATA); ++ return sdev; + } + + static int pmic_spmi_load_revid(struct regmap *map, struct device *dev, diff --git a/queue-6.5/mfd-qcom-spmi-pmic-fix-revid-implementation.patch b/queue-6.5/mfd-qcom-spmi-pmic-fix-revid-implementation.patch new file mode 100644 index 00000000000..99e516f5cdd --- /dev/null +++ b/queue-6.5/mfd-qcom-spmi-pmic-fix-revid-implementation.patch @@ -0,0 +1,177 @@ +From 7b439aaa62fee474a0d84d67a25f4984467e7b95 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 3 Oct 2023 17:29:24 +0200 +Subject: mfd: qcom-spmi-pmic: Fix revid implementation + +From: Johan Hovold + +commit 7b439aaa62fee474a0d84d67a25f4984467e7b95 upstream. + +The Qualcomm SPMI PMIC revid implementation is broken in multiple ways. + +First, it assumes that just because the sibling base device has been +registered that means that it is also bound to a driver, which may not +be the case (e.g. due to probe deferral or asynchronous probe). This +could trigger a NULL-pointer dereference when attempting to access the +driver data of the unbound device. + +Second, it accesses driver data of a sibling device directly and without +any locking, which means that the driver data may be freed while it is +being accessed (e.g. on driver unbind). + +Third, it leaks a struct device reference to the sibling device which is +looked up using the spmi_device_from_of() every time a function (child) +device is calling the revid function (e.g. on probe). + +Fix this mess by reimplementing the revid lookup so that it is done only +at probe of the PMIC device; the base device fetches the revid info from +the hardware, while any secondary SPMI device fetches the information +from the base device and caches it so that it can be accessed safely +from its children. If the base device has not been probed yet then probe +of a secondary device is deferred. + +Fixes: e9c11c6e3a0e ("mfd: qcom-spmi-pmic: expose the PMIC revid information to clients") +Cc: stable@vger.kernel.org # 6.0 +Signed-off-by: Johan Hovold +Acked-by: Caleb Connolly +Link: https://lore.kernel.org/r/20231003152927.15000-3-johan+linaro@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/qcom-spmi-pmic.c | 69 +++++++++++++++++++++++++++++++++---------- + 1 file changed, 53 insertions(+), 16 deletions(-) + +--- a/drivers/mfd/qcom-spmi-pmic.c ++++ b/drivers/mfd/qcom-spmi-pmic.c +@@ -30,6 +30,8 @@ struct qcom_spmi_dev { + struct qcom_spmi_pmic pmic; + }; + ++static DEFINE_MUTEX(pmic_spmi_revid_lock); ++ + #define N_USIDS(n) ((void *)n) + + static const struct of_device_id pmic_spmi_id_table[] = { +@@ -76,24 +78,21 @@ static const struct of_device_id pmic_sp + * + * This only supports PMICs with 1 or 2 USIDs. + */ +-static struct spmi_device *qcom_pmic_get_base_usid(struct device *dev) ++static struct spmi_device *qcom_pmic_get_base_usid(struct spmi_device *sdev, struct qcom_spmi_dev *ctx) + { +- struct spmi_device *sdev; +- struct qcom_spmi_dev *ctx; + struct device_node *spmi_bus; + struct device_node *child; + int function_parent_usid, ret; + u32 pmic_addr; + +- sdev = to_spmi_device(dev); +- ctx = dev_get_drvdata(&sdev->dev); +- + /* + * Quick return if the function device is already in the base + * USID. This will always be hit for PMICs with only 1 USID. + */ +- if (sdev->usid % ctx->num_usids == 0) ++ if (sdev->usid % ctx->num_usids == 0) { ++ get_device(&sdev->dev); + return sdev; ++ } + + function_parent_usid = sdev->usid; + +@@ -118,10 +117,8 @@ static struct spmi_device *qcom_pmic_get + sdev = spmi_device_from_of(child); + if (!sdev) { + /* +- * If the base USID for this PMIC hasn't probed yet +- * but the secondary USID has, then we need to defer +- * the function driver so that it will attempt to +- * probe again when the base USID is ready. ++ * If the base USID for this PMIC hasn't been ++ * registered yet then we need to defer. + */ + sdev = ERR_PTR(-EPROBE_DEFER); + } +@@ -135,6 +132,35 @@ static struct spmi_device *qcom_pmic_get + return sdev; + } + ++static int pmic_spmi_get_base_revid(struct spmi_device *sdev, struct qcom_spmi_dev *ctx) ++{ ++ struct qcom_spmi_dev *base_ctx; ++ struct spmi_device *base; ++ int ret = 0; ++ ++ base = qcom_pmic_get_base_usid(sdev, ctx); ++ if (IS_ERR(base)) ++ return PTR_ERR(base); ++ ++ /* ++ * Copy revid info from base device if it has probed and is still ++ * bound to its driver. ++ */ ++ mutex_lock(&pmic_spmi_revid_lock); ++ base_ctx = spmi_device_get_drvdata(base); ++ if (!base_ctx) { ++ ret = -EPROBE_DEFER; ++ goto out_unlock; ++ } ++ memcpy(&ctx->pmic, &base_ctx->pmic, sizeof(ctx->pmic)); ++out_unlock: ++ mutex_unlock(&pmic_spmi_revid_lock); ++ ++ put_device(&base->dev); ++ ++ return ret; ++} ++ + static int pmic_spmi_load_revid(struct regmap *map, struct device *dev, + struct qcom_spmi_pmic *pmic) + { +@@ -210,11 +236,7 @@ const struct qcom_spmi_pmic *qcom_pmic_g + if (!of_match_device(pmic_spmi_id_table, dev->parent)) + return ERR_PTR(-EINVAL); + +- sdev = qcom_pmic_get_base_usid(dev->parent); +- +- if (IS_ERR(sdev)) +- return ERR_CAST(sdev); +- ++ sdev = to_spmi_device(dev->parent); + spmi = dev_get_drvdata(&sdev->dev); + + return &spmi->pmic; +@@ -249,16 +271,31 @@ static int pmic_spmi_probe(struct spmi_d + ret = pmic_spmi_load_revid(regmap, &sdev->dev, &ctx->pmic); + if (ret < 0) + return ret; ++ } else { ++ ret = pmic_spmi_get_base_revid(sdev, ctx); ++ if (ret) ++ return ret; + } ++ ++ mutex_lock(&pmic_spmi_revid_lock); + spmi_device_set_drvdata(sdev, ctx); ++ mutex_unlock(&pmic_spmi_revid_lock); + + return devm_of_platform_populate(&sdev->dev); + } + ++static void pmic_spmi_remove(struct spmi_device *sdev) ++{ ++ mutex_lock(&pmic_spmi_revid_lock); ++ spmi_device_set_drvdata(sdev, NULL); ++ mutex_unlock(&pmic_spmi_revid_lock); ++} ++ + MODULE_DEVICE_TABLE(of, pmic_spmi_id_table); + + static struct spmi_driver pmic_spmi_driver = { + .probe = pmic_spmi_probe, ++ .remove = pmic_spmi_remove, + .driver = { + .name = "pmic-spmi", + .of_match_table = pmic_spmi_id_table, diff --git a/queue-6.5/pm-hibernate-clean-up-sync_read-handling-in-snapshot_write_next.patch b/queue-6.5/pm-hibernate-clean-up-sync_read-handling-in-snapshot_write_next.patch new file mode 100644 index 00000000000..66903eb481f --- /dev/null +++ b/queue-6.5/pm-hibernate-clean-up-sync_read-handling-in-snapshot_write_next.patch @@ -0,0 +1,67 @@ +From d08970df1980476f27936e24d452550f3e9e92e1 Mon Sep 17 00:00:00 2001 +From: Brian Geffon +Date: Fri, 22 Sep 2023 12:07:04 -0400 +Subject: PM: hibernate: Clean up sync_read handling in snapshot_write_next() + +From: Brian Geffon + +commit d08970df1980476f27936e24d452550f3e9e92e1 upstream. + +In snapshot_write_next(), sync_read is set and unset in three different +spots unnecessiarly. As a result there is a subtle bug where the first +page after the meta data has been loaded unconditionally sets sync_read +to 0. If this first PFN was actually a highmem page, then the returned +buffer will be the global "buffer," and the page needs to be loaded +synchronously. + +That is, I'm not sure we can always assume the following to be safe: + + handle->buffer = get_buffer(&orig_bm, &ca); + handle->sync_read = 0; + +Because get_buffer() can call get_highmem_page_buffer() which can +return 'buffer'. + +The easiest way to address this is just set sync_read before +snapshot_write_next() returns if handle->buffer == buffer. + +Signed-off-by: Brian Geffon +Fixes: 8357376d3df2 ("[PATCH] swsusp: Improve handling of highmem") +Cc: All applicable +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + kernel/power/snapshot.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -2689,8 +2689,6 @@ int snapshot_write_next(struct snapshot_ + if (handle->cur > 1 && handle->cur > nr_meta_pages + nr_copy_pages) + return 0; + +- handle->sync_read = 1; +- + if (!handle->cur) { + if (!buffer) + /* This makes the buffer be freed by swsusp_free() */ +@@ -2726,7 +2724,6 @@ int snapshot_write_next(struct snapshot_ + memory_bm_position_reset(&orig_bm); + restore_pblist = NULL; + handle->buffer = get_buffer(&orig_bm, &ca); +- handle->sync_read = 0; + if (IS_ERR(handle->buffer)) + return PTR_ERR(handle->buffer); + } +@@ -2736,9 +2733,8 @@ int snapshot_write_next(struct snapshot_ + handle->buffer = get_buffer(&orig_bm, &ca); + if (IS_ERR(handle->buffer)) + return PTR_ERR(handle->buffer); +- if (handle->buffer != buffer) +- handle->sync_read = 0; + } ++ handle->sync_read = (handle->buffer == buffer); + handle->cur++; + return PAGE_SIZE; + } diff --git a/queue-6.5/pm-hibernate-use-__get_safe_page-rather-than-touching-the-list.patch b/queue-6.5/pm-hibernate-use-__get_safe_page-rather-than-touching-the-list.patch new file mode 100644 index 00000000000..e4d772a9c08 --- /dev/null +++ b/queue-6.5/pm-hibernate-use-__get_safe_page-rather-than-touching-the-list.patch @@ -0,0 +1,47 @@ +From f0c7183008b41e92fa676406d87f18773724b48b Mon Sep 17 00:00:00 2001 +From: Brian Geffon +Date: Thu, 21 Sep 2023 13:00:45 -0400 +Subject: PM: hibernate: Use __get_safe_page() rather than touching the list + +From: Brian Geffon + +commit f0c7183008b41e92fa676406d87f18773724b48b upstream. + +We found at least one situation where the safe pages list was empty and +get_buffer() would gladly try to use a NULL pointer. + +Signed-off-by: Brian Geffon +Fixes: 8357376d3df2 ("[PATCH] swsusp: Improve handling of highmem") +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + kernel/power/snapshot.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -2474,8 +2474,9 @@ static void *get_highmem_page_buffer(str + pbe->copy_page = tmp; + } else { + /* Copy of the page will be stored in normal memory */ +- kaddr = safe_pages_list; +- safe_pages_list = safe_pages_list->next; ++ kaddr = __get_safe_page(ca->gfp_mask); ++ if (!kaddr) ++ return ERR_PTR(-ENOMEM); + pbe->copy_page = virt_to_page(kaddr); + } + pbe->next = highmem_pblist; +@@ -2655,8 +2656,9 @@ static void *get_buffer(struct memory_bi + return ERR_PTR(-ENOMEM); + } + pbe->orig_address = page_address(page); +- pbe->address = safe_pages_list; +- safe_pages_list = safe_pages_list->next; ++ pbe->address = __get_safe_page(ca->gfp_mask); ++ if (!pbe->address) ++ return ERR_PTR(-ENOMEM); + pbe->next = restore_pblist; + restore_pblist = pbe; + return pbe->address; diff --git a/queue-6.5/rcu-kmemleak-ignore-kmemleak-false-positives-when-rcu-freeing-objects.patch b/queue-6.5/rcu-kmemleak-ignore-kmemleak-false-positives-when-rcu-freeing-objects.patch new file mode 100644 index 00000000000..e7d76c2a701 --- /dev/null +++ b/queue-6.5/rcu-kmemleak-ignore-kmemleak-false-positives-when-rcu-freeing-objects.patch @@ -0,0 +1,58 @@ +From 5f98fd034ca6fd1ab8c91a3488968a0e9caaabf6 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Sat, 30 Sep 2023 17:46:56 +0000 +Subject: rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects + +From: Catalin Marinas + +commit 5f98fd034ca6fd1ab8c91a3488968a0e9caaabf6 upstream. + +Since the actual slab freeing is deferred when calling kvfree_rcu(), so +is the kmemleak_free() callback informing kmemleak of the object +deletion. From the perspective of the kvfree_rcu() caller, the object is +freed and it may remove any references to it. Since kmemleak does not +scan RCU internal data storing the pointer, it will report such objects +as leaks during the grace period. + +Tell kmemleak to ignore such objects on the kvfree_call_rcu() path. Note +that the tiny RCU implementation does not have such issue since the +objects can be tracked from the rcu_ctrlblk structure. + +Signed-off-by: Catalin Marinas +Reported-by: Christoph Paasch +Closes: https://lore.kernel.org/all/F903A825-F05F-4B77-A2B5-7356282FBA2C@apple.com/ +Cc: +Tested-by: Christoph Paasch +Reviewed-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Frederic Weisbecker +Signed-off-by: Greg Kroah-Hartman +--- + kernel/rcu/tree.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -3397,6 +3398,14 @@ void kvfree_call_rcu(struct rcu_head *he + success = true; + } + ++ /* ++ * The kvfree_rcu() caller considers the pointer freed at this point ++ * and likely removes any references to it. Since the actual slab ++ * freeing (and kmemleak_free()) is deferred, tell kmemleak to ignore ++ * this object (no scanning or false positives reporting). ++ */ ++ kmemleak_ignore(ptr); ++ + // Set timer to drain after KFREE_DRAIN_JIFFIES. + if (rcu_scheduler_active == RCU_SCHEDULER_RUNNING) + schedule_delayed_monitor_work(krcp); diff --git a/queue-6.5/rcu-tree-defer-setting-of-jiffies-during-stall-reset.patch b/queue-6.5/rcu-tree-defer-setting-of-jiffies-during-stall-reset.patch new file mode 100644 index 00000000000..c119398bdf0 --- /dev/null +++ b/queue-6.5/rcu-tree-defer-setting-of-jiffies-during-stall-reset.patch @@ -0,0 +1,131 @@ +From b96e7a5fa0ba9cda32888e04f8f4bac42d49a7f8 Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Tue, 5 Sep 2023 00:02:11 +0000 +Subject: rcu/tree: Defer setting of jiffies during stall reset + +From: Joel Fernandes (Google) + +commit b96e7a5fa0ba9cda32888e04f8f4bac42d49a7f8 upstream. + +There are instances where rcu_cpu_stall_reset() is called when jiffies +did not get a chance to update for a long time. Before jiffies is +updated, the CPU stall detector can go off triggering false-positives +where a just-started grace period appears to be ages old. In the past, +we disabled stall detection in rcu_cpu_stall_reset() however this got +changed [1]. This is resulting in false-positives in KGDB usecase [2]. + +Fix this by deferring the update of jiffies to the third run of the FQS +loop. This is more robust, as, even if rcu_cpu_stall_reset() is called +just before jiffies is read, we would end up pushing out the jiffies +read by 3 more FQS loops. Meanwhile the CPU stall detection will be +delayed and we will not get any false positives. + +[1] https://lore.kernel.org/all/20210521155624.174524-2-senozhatsky@chromium.org/ +[2] https://lore.kernel.org/all/20230814020045.51950-2-chenhuacai@loongson.cn/ + +Tested with rcutorture.cpu_stall option as well to verify stall behavior +with/without patch. + +Tested-by: Huacai Chen +Reported-by: Binbin Zhou +Closes: https://lore.kernel.org/all/20230814020045.51950-2-chenhuacai@loongson.cn/ +Suggested-by: Paul McKenney +Cc: Sergey Senozhatsky +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Fixes: a80be428fbc1 ("rcu: Do not disable GP stall detection in rcu_cpu_stall_reset()") +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Frederic Weisbecker +Signed-off-by: Greg Kroah-Hartman +--- + kernel/rcu/tree.c | 12 ++++++++++++ + kernel/rcu/tree.h | 4 ++++ + kernel/rcu/tree_stall.h | 20 ++++++++++++++++++-- + 3 files changed, 34 insertions(+), 2 deletions(-) + +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -1552,10 +1552,22 @@ static bool rcu_gp_fqs_check_wake(int *g + */ + static void rcu_gp_fqs(bool first_time) + { ++ int nr_fqs = READ_ONCE(rcu_state.nr_fqs_jiffies_stall); + struct rcu_node *rnp = rcu_get_root(); + + WRITE_ONCE(rcu_state.gp_activity, jiffies); + WRITE_ONCE(rcu_state.n_force_qs, rcu_state.n_force_qs + 1); ++ ++ WARN_ON_ONCE(nr_fqs > 3); ++ /* Only countdown nr_fqs for stall purposes if jiffies moves. */ ++ if (nr_fqs) { ++ if (nr_fqs == 1) { ++ WRITE_ONCE(rcu_state.jiffies_stall, ++ jiffies + rcu_jiffies_till_stall_check()); ++ } ++ WRITE_ONCE(rcu_state.nr_fqs_jiffies_stall, --nr_fqs); ++ } ++ + if (first_time) { + /* Collect dyntick-idle snapshots. */ + force_qs_rnp(dyntick_save_progress_counter); +--- a/kernel/rcu/tree.h ++++ b/kernel/rcu/tree.h +@@ -386,6 +386,10 @@ struct rcu_state { + /* in jiffies. */ + unsigned long jiffies_stall; /* Time at which to check */ + /* for CPU stalls. */ ++ int nr_fqs_jiffies_stall; /* Number of fqs loops after ++ * which read jiffies and set ++ * jiffies_stall. Stall ++ * warnings disabled if !0. */ + unsigned long jiffies_resched; /* Time at which to resched */ + /* a reluctant CPU. */ + unsigned long n_force_qs_gpstart; /* Snapshot of n_force_qs at */ +--- a/kernel/rcu/tree_stall.h ++++ b/kernel/rcu/tree_stall.h +@@ -149,12 +149,17 @@ static void panic_on_rcu_stall(void) + /** + * rcu_cpu_stall_reset - restart stall-warning timeout for current grace period + * ++ * To perform the reset request from the caller, disable stall detection until ++ * 3 fqs loops have passed. This is required to ensure a fresh jiffies is ++ * loaded. It should be safe to do from the fqs loop as enough timer ++ * interrupts and context switches should have passed. ++ * + * The caller must disable hard irqs. + */ + void rcu_cpu_stall_reset(void) + { +- WRITE_ONCE(rcu_state.jiffies_stall, +- jiffies + rcu_jiffies_till_stall_check()); ++ WRITE_ONCE(rcu_state.nr_fqs_jiffies_stall, 3); ++ WRITE_ONCE(rcu_state.jiffies_stall, ULONG_MAX); + } + + ////////////////////////////////////////////////////////////////////////////// +@@ -170,6 +175,7 @@ static void record_gp_stall_check_time(v + WRITE_ONCE(rcu_state.gp_start, j); + j1 = rcu_jiffies_till_stall_check(); + smp_mb(); // ->gp_start before ->jiffies_stall and caller's ->gp_seq. ++ WRITE_ONCE(rcu_state.nr_fqs_jiffies_stall, 0); + WRITE_ONCE(rcu_state.jiffies_stall, j + j1); + rcu_state.jiffies_resched = j + j1 / 2; + rcu_state.n_force_qs_gpstart = READ_ONCE(rcu_state.n_force_qs); +@@ -725,6 +731,16 @@ static void check_cpu_stall(struct rcu_d + !rcu_gp_in_progress()) + return; + rcu_stall_kick_kthreads(); ++ ++ /* ++ * Check if it was requested (via rcu_cpu_stall_reset()) that the FQS ++ * loop has to set jiffies to ensure a non-stale jiffies value. This ++ * is required to have good jiffies value after coming out of long ++ * breaks of jiffies updates. Not doing so can cause false positives. ++ */ ++ if (READ_ONCE(rcu_state.nr_fqs_jiffies_stall) > 0) ++ return; ++ + j = jiffies; + + /* diff --git a/queue-6.5/series b/queue-6.5/series index def71ccd8d4..e156e7dbe01 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -303,3 +303,24 @@ mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch pci-aspm-fix-l1-substate-handling-in-aspm_attr_store_common.patch pci-kirin-don-t-discard-.remove-callback.patch pci-exynos-don-t-discard-.remove-callback.patch +wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch +svcrdma-drop-connection-after-an-rdma-read-error.patch +rcu-tree-defer-setting-of-jiffies-during-stall-reset.patch +arm64-dts-qcom-ipq6018-fix-hwlock-index-for-smem.patch +dt-bindings-timer-renesas-rz-mtu3-fix-overflow-underflow-interrupt-names.patch +pm-hibernate-use-__get_safe_page-rather-than-touching-the-list.patch +pm-hibernate-clean-up-sync_read-handling-in-snapshot_write_next.patch +rcu-kmemleak-ignore-kmemleak-false-positives-when-rcu-freeing-objects.patch +btrfs-don-t-arbitrarily-slow-down-delalloc-if-we-re-committing.patch +thermal-intel-powerclamp-fix-mismatch-in-get-function-for-max_idle.patch +arm64-dts-qcom-ipq5332-fix-hwlock-index-for-smem.patch +arm64-dts-qcom-ipq8074-fix-hwlock-index-for-smem.patch +firmware-qcom_scm-use-64-bit-calling-convention-only-when-client-is-64-bit.patch +acpi-fpdt-properly-handle-invalid-fpdt-subtables.patch +arm64-dts-qcom-ipq9574-fix-hwlock-index-for-smem.patch +arm64-dts-qcom-ipq6018-fix-tcsr_mutex-register-size.patch +leds-trigger-netdev-move-size-check-in-set_device_name.patch +mfd-qcom-spmi-pmic-fix-reference-leaks-in-revid-helper.patch +mfd-qcom-spmi-pmic-fix-revid-implementation.patch +ima-annotate-iint-mutex-to-avoid-lockdep-false-positive-warnings.patch +ima-detect-changes-to-the-backing-overlay-file.patch diff --git a/queue-6.5/svcrdma-drop-connection-after-an-rdma-read-error.patch b/queue-6.5/svcrdma-drop-connection-after-an-rdma-read-error.patch new file mode 100644 index 00000000000..b52760f1a9e --- /dev/null +++ b/queue-6.5/svcrdma-drop-connection-after-an-rdma-read-error.patch @@ -0,0 +1,33 @@ +From 197115ebf358cb440c73e868b2a0a5ef728decc6 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 10 Oct 2023 13:23:41 -0400 +Subject: svcrdma: Drop connection after an RDMA Read error + +From: Chuck Lever + +commit 197115ebf358cb440c73e868b2a0a5ef728decc6 upstream. + +When an RPC Call message cannot be pulled from the client, that +is a message loss, by definition. Close the connection to trigger +the client to resend. + +Cc: +Reviewed-by: Tom Talpey +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +@@ -852,7 +852,8 @@ out_readfail: + if (ret == -EINVAL) + svc_rdma_send_error(rdma_xprt, ctxt, ret); + svc_rdma_recv_ctxt_put(rdma_xprt, ctxt); +- return ret; ++ svc_xprt_deferred_close(xprt); ++ return -ENOTCONN; + + out_backchannel: + svc_rdma_handle_bc_reply(rqstp, ctxt); diff --git a/queue-6.5/thermal-intel-powerclamp-fix-mismatch-in-get-function-for-max_idle.patch b/queue-6.5/thermal-intel-powerclamp-fix-mismatch-in-get-function-for-max_idle.patch new file mode 100644 index 00000000000..bb8ee4e65b4 --- /dev/null +++ b/queue-6.5/thermal-intel-powerclamp-fix-mismatch-in-get-function-for-max_idle.patch @@ -0,0 +1,47 @@ +From fae633cfb729da2771b5433f6b84ae7e8b4aa5f7 Mon Sep 17 00:00:00 2001 +From: David Arcari +Date: Thu, 5 Oct 2023 07:17:57 -0400 +Subject: thermal: intel: powerclamp: fix mismatch in get function for max_idle + +From: David Arcari + +commit fae633cfb729da2771b5433f6b84ae7e8b4aa5f7 upstream. + +KASAN reported this + + [ 444.853098] BUG: KASAN: global-out-of-bounds in param_get_int+0x77/0x90 + [ 444.853111] Read of size 4 at addr ffffffffc16c9220 by task cat/2105 + ... + [ 444.853442] The buggy address belongs to the variable: + [ 444.853443] max_idle+0x0/0xffffffffffffcde0 [intel_powerclamp] + +There is a mismatch between the param_get_int and the definition of +max_idle. Replacing param_get_int with param_get_byte resolves this +issue. + +Fixes: ebf519710218 ("thermal: intel: powerclamp: Add two module parameters") +Cc: 6.3+ # 6.3+ +Signed-off-by: David Arcari +Reviewed-by: Srinivas Pandruvada +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/intel_powerclamp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c +index 36243a3972fd..5ac5cb60bae6 100644 +--- a/drivers/thermal/intel/intel_powerclamp.c ++++ b/drivers/thermal/intel/intel_powerclamp.c +@@ -256,7 +256,7 @@ static int max_idle_set(const char *arg, const struct kernel_param *kp) + + static const struct kernel_param_ops max_idle_ops = { + .set = max_idle_set, +- .get = param_get_int, ++ .get = param_get_byte, + }; + + module_param_cb(max_idle, &max_idle_ops, &max_idle, 0644); +-- +2.43.0 + diff --git a/queue-6.5/wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch b/queue-6.5/wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch new file mode 100644 index 00000000000..e738e2dde81 --- /dev/null +++ b/queue-6.5/wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch @@ -0,0 +1,47 @@ +From 05ac1a198a63ad66bf5ae8b7321407c102d40ef3 Mon Sep 17 00:00:00 2001 +From: Ajay Singh +Date: Tue, 17 Oct 2023 10:43:38 +0200 +Subject: wifi: wilc1000: use vmm_table as array in wilc struct +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ajay Singh + +commit 05ac1a198a63ad66bf5ae8b7321407c102d40ef3 upstream. + +Enabling KASAN and running some iperf tests raises some memory issues with +vmm_table: + +BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4 +Write of size 4 at addr c3a61540 by task wlan0-tx/95 + +KASAN detects that we are writing data beyond range allocated to vmm_table. +There is indeed a mismatch between the size passed to allocator in +wilc_wlan_init, and the range of possible indexes used later: allocation +size is missing a multiplication by sizeof(u32) + +Fixes: 40b717bfcefa ("wifi: wilc1000: fix DMA on stack objects") +Cc: stable@vger.kernel.org +Signed-off-by: Ajay Singh +Signed-off-by: Alexis Lothoré +Reviewed-by: Michael Walle +Reviewed-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231017-wilc1000_tx_oops-v3-1-b2155f1f7bee@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/wlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/microchip/wilc1000/wlan.c ++++ b/drivers/net/wireless/microchip/wilc1000/wlan.c +@@ -1492,7 +1492,7 @@ int wilc_wlan_init(struct net_device *de + } + + if (!wilc->vmm_table) +- wilc->vmm_table = kzalloc(WILC_VMM_TBL_SIZE, GFP_KERNEL); ++ wilc->vmm_table = kcalloc(WILC_VMM_TBL_SIZE, sizeof(u32), GFP_KERNEL); + + if (!wilc->vmm_table) { + ret = -ENOBUFS;