From: Sasha Levin Date: Mon, 7 Apr 2025 14:02:17 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v5.4.292~80 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea81279654e1d41864f1bd3e4f4282b72e697bea;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch b/queue-5.15/acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch new file mode 100644 index 0000000000..ef0b8053fe --- /dev/null +++ b/queue-5.15/acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch 
@@ -0,0 +1,58 @@ +From 86c0325b1565fc5681bc9ebcd261dabbe412ff55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 15:30:39 +0100 +Subject: ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states + are invalid + +From: Giovanni Gherdovich + +[ Upstream commit 9e9b893404d43894d69a18dd2fc8fcf1c36abb7e ] + +Prior to commit 496121c02127 ("ACPI: processor: idle: Allow probing on +platforms with one ACPI C-state"), the acpi_idle driver wouldn't load on +systems without a valid C-State at least as deep as C2. + +The behavior was desirable for guests on hypervisors such as VMWare +ESXi, which by default don't have the _CST ACPI method, and set the C2 +and C3 latencies to 101 and 1001 microseconds respectively via the FADT, +to signify they're unsupported. + +Since the above change though, these virtualized deployments end up +loading acpi_idle, and thus entering the default C1 C-State set by +acpi_processor_get_power_info_default(); this is undesirable for a +system that's communicating to the OS it doesn't want C-States (missing +_CST, and invalid C2/C3 in FADT). + +Make acpi_processor_get_power_info_fadt() return -ENODEV in that case, +so that acpi_processor_get_cstate_info() exits early and doesn't set +pr->flags.power = 1. + +Fixes: 496121c02127 ("ACPI: processor: idle: Allow probing on platforms with one ACPI C-state") +Signed-off-by: Giovanni Gherdovich +Reviewed-by: Zhang Rui +Link: https://patch.msgid.link/20250328143040.9348-1-ggherdovich@suse.cz +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/processor_idle.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 5289c344de900..469a2e5eb6e8c 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -265,6 +265,10 @@ static int acpi_processor_get_power_info_fadt(struct acpi_processor *pr) + ACPI_CX_DESC_LEN, "ACPI P_LVL3 IOPORT 0x%x", + pr->power.states[ACPI_STATE_C3].address); + ++ if (!pr->power.states[ACPI_STATE_C2].address && ++ !pr->power.states[ACPI_STATE_C3].address) ++ return -ENODEV; ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.15/affs-don-t-write-overlarge-ofs-data-block-size-field.patch b/queue-5.15/affs-don-t-write-overlarge-ofs-data-block-size-field.patch new file mode 100644 index 0000000000..3325c8f5dc --- /dev/null +++ b/queue-5.15/affs-don-t-write-overlarge-ofs-data-block-size-field.patch 
@@ -0,0 +1,51 @@ +From 8e48c7686e8e3ed401e5bc6e2f4b3706a9397ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 08:14:44 +0000 +Subject: affs: don't write overlarge OFS data block size fields + +From: Simon Tatham + +[ Upstream commit 011ea742a25a77bac3d995f457886a67d178c6f0 ] + +If a data sector on an OFS floppy contains a value > 0x1e8 (the +largest amount of data that fits in the sector after its header), then +an Amiga reading the file can return corrupt data, by taking the +overlarge size at its word and reading past the end of the buffer it +read the disk sector into! + +The cause: when affs_write_end_ofs() writes data to an OFS filesystem, +the new size field for a data block was computed by adding the amount +of data currently being written (into the block) to the existing value +of the size field. This is correct if you're extending the file at the +end, but if you seek backwards in the file and overwrite _existing_ +data, it can lead to the size field being larger than the maximum +legal value. + +This commit changes the calculation so that it sets the size field to +the max of its previous size and the position within the block that we +just wrote up to. + +Signed-off-by: Simon Tatham +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index 88d4e6263df96..2000241431d55 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -726,7 +726,8 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + tmp = min(bsize - boff, to - from); + BUG_ON(boff + tmp > bsize || tmp > bsize); + memcpy(AFFS_DATA(bh) + boff, data + from, tmp); +- be32_add_cpu(&AFFS_DATA_HEAD(bh)->size, tmp); ++ AFFS_DATA_HEAD(bh)->size = cpu_to_be32( ++ max(boff + tmp, be32_to_cpu(AFFS_DATA_HEAD(bh)->size))); + affs_fix_checksum(sb, bh); + mark_buffer_dirty_inode(bh, inode); + written += tmp; +-- +2.39.5 + 
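Review bot: in the affs_write_end_ofs() hunk of fs/affs/file.c, the new value is max(boff + tmp, be32_to_cpu(AFFS_DATA_HEAD(bh)->size)), so a size field that is already larger than bsize on disk (the "> 0x1e8" case the commit message describes) is carried forward unchanged. The BUG_ON() above only bounds boff + tmp, not the existing field. Consider clamping the result to bsize, or say in a comment that an overlarge value already present in the block is deliberately left alone.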
diff --git a/queue-5.15/affs-generate-ofs-sequence-numbers-starting-at-1.patch b/queue-5.15/affs-generate-ofs-sequence-numbers-starting-at-1.patch new file mode 100644 index 0000000000..99c8a99e4a --- /dev/null +++ b/queue-5.15/affs-generate-ofs-sequence-numbers-starting-at-1.patch 
@@ -0,0 +1,68 @@ +From e7c6fd35c7f2c3bdee34287c0364c40e80cd0ef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 08:14:43 +0000 +Subject: affs: generate OFS sequence numbers starting at 1 + +From: Simon Tatham + +[ Upstream commit e4cf8ec4de4e13f156c1d61977d282d90c221085 ] + +If I write a file to an OFS floppy image, and try to read it back on +an emulated Amiga running Workbench 1.3, the Amiga reports a disk +error trying to read the file. (That is, it's unable to read it _at +all_, even to copy it to the NIL: device. It isn't a matter of getting +the wrong data and being unable to parse the file format.) + +This is because the 'sequence number' field in the OFS data block +header is supposed to be based at 1, but affs writes it based at 0. +All three locations changed by this patch were setting the sequence +number to a variable 'bidx' which was previously obtained by dividing +a file position by bsize, so bidx will naturally use 0 for the first +block. Therefore all three should add 1 to that value before writing +it into the sequence number field. + +With this change, the Amiga successfully reads the file. 
+ +For data block reference: https://wiki.osdev.org/FFS_(Amiga) + +Signed-off-by: Simon Tatham +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index 25d480ea797bd..88d4e6263df96 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -598,7 +598,7 @@ affs_extent_file_ofs(struct inode *inode, u32 newsize) + BUG_ON(tmp > bsize); + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp); + affs_fix_checksum(sb, bh); + bh->b_state &= ~(1UL << BH_New); +@@ -748,7 +748,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + if (buffer_new(bh)) { + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(bsize); + AFFS_DATA_HEAD(bh)->next = 0; + bh->b_state &= ~(1UL << BH_New); +@@ -782,7 +782,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + if (buffer_new(bh)) { + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp); + AFFS_DATA_HEAD(bh)->next = 0; + bh->b_state &= ~(1UL << BH_New); +-- +2.39.5 + diff --git a/queue-5.15/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-5.15/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..63b6984ecf --- /dev/null 
+++ b/queue-5.15/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch 
@@ -0,0 +1,78 @@ +From a8b749d5e6aa92c7362efad1b54d803739aac9d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Mar 2025 03:03:19 +0530 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx + +From: Navon John Lukose + +[ Upstream commit b11a74ac4f545626d0dc95a8ca8c41df90532bf3 ] + +Add a fixup to enable the mute LED on HP Pavilion x360 Convertible +14-dy1xxx with ALC295 codec. The appropriate coefficient index and bits +were identified through a brute-force method, as detailed in +https://bbs.archlinux.org/viewtopic.php?pid=2079504#p2079504. + +Signed-off-by: Navon John Lukose +Link: https://patch.msgid.link/20250307213319.35507-1-navonjohnlukose@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 12967b40ab088..e1de24c9f6265 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4759,6 +4759,21 @@ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec, + } + } + ++static void alc295_fixup_hp_mute_led_coefbit11(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->mute_led_polarity = 0; ++ spec->mute_led_coef.idx = 0xb; ++ spec->mute_led_coef.mask = 3 << 3; ++ spec->mute_led_coef.on = 1 << 3; ++ spec->mute_led_coef.off = 1 << 4; ++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); ++ } ++} ++ + static void alc285_fixup_hp_mute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -6998,6 +7013,7 @@ enum { + ALC290_FIXUP_MONO_SPEAKERS_HSJACK, + ALC290_FIXUP_SUBWOOFER, + ALC290_FIXUP_SUBWOOFER_HSJACK, ++ ALC295_FIXUP_HP_MUTE_LED_COEFBIT11, + ALC269_FIXUP_THINKPAD_ACPI, + ALC269_FIXUP_DMIC_THINKPAD_ACPI, + ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13, +@@ 
-8544,6 +8560,10 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC283_FIXUP_INT_MIC, + }, ++ [ALC295_FIXUP_HP_MUTE_LED_COEFBIT11] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc295_fixup_hp_mute_led_coefbit11, ++ }, + [ALC298_FIXUP_SAMSUNG_AMP] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc298_fixup_samsung_amp, +@@ -9258,6 +9278,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360), + SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x85c6, "HP Pavilion x360 Convertible 14-dy1xxx", ALC295_FIXUP_HP_MUTE_LED_COEFBIT11), + SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360), + SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT), +-- +2.39.5 + diff --git a/queue-5.15/alsa-hda-realtek-always-honor-no_shutup_pins.patch b/queue-5.15/alsa-hda-realtek-always-honor-no_shutup_pins.patch new file mode 100644 index 0000000000..0c59481938 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-always-honor-no_shutup_pins.patch 
@@ -0,0 +1,55 @@ +From 707690d929f9db84f2d22b6ffc1c4ad53f0a77a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 15:30:19 +0100 +Subject: ALSA: hda/realtek: Always honor no_shutup_pins + +From: Takashi Iwai + +[ Upstream commit 5a0c72c1da3cbc0cd4940a95d1be2830104c6edf ] + +The workaround for Dell machines to skip the pin-shutup for mic pins +introduced alc_headset_mic_no_shutup() that is replaced from the +generic snd_hda_shutup_pins() for certain codecs. The problem is that +the call is done unconditionally even if spec->no_shutup_pins is set. +This seems causing problems on other platforms like Lenovo. + +This patch corrects the behavior and the driver honors always +spec->no_shutup_pins flag and skips alc_headset_mic_no_shutup() if +it's set. + +Fixes: dad3197da7a3 ("ALSA: hda/realtek - Fixup headphone noise via runtime suspend") +Reported-and-tested-by: Oleg Gorobets +Link: https://patch.msgid.link/20250315143020.27184-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index cc0d6e040a1d2..12967b40ab088 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -576,6 +576,9 @@ static void alc_shutup_pins(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; + ++ if (spec->no_shutup_pins) ++ return; ++ + switch (codec->core.vendor_id) { + case 0x10ec0236: + case 0x10ec0256: +@@ -591,8 +594,7 @@ static void alc_shutup_pins(struct hda_codec *codec) + alc_headset_mic_no_shutup(codec); + break; + default: +- if (!spec->no_shutup_pins) +- snd_hda_shutup_pins(codec); ++ snd_hda_shutup_pins(codec); + break; + } + } +-- +2.39.5 + diff --git a/queue-5.15/arcnet-add-null-check-in-com20020pci_probe.patch b/queue-5.15/arcnet-add-null-check-in-com20020pci_probe.patch new file mode 100644 index 0000000000..809ab84376 
--- /dev/null +++ b/queue-5.15/arcnet-add-null-check-in-com20020pci_probe.patch 
@@ -0,0 +1,67 @@ +From d61d2f2a67a14fb86790fa62388228e8929c09e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 21:50:36 +0800 +Subject: arcnet: Add NULL check in com20020pci_probe() + +From: Henry Martin + +[ Upstream commit fda8c491db2a90ff3e6fbbae58e495b4ddddeca3 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +com20020pci_probe() does not check for this case, which results in a +NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue and ensure +no resources are left allocated. + +Fixes: 6b17a597fc2f ("arcnet: restoring support for multiple Sohard Arcnet cards") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250402135036.44697-1-bsdhenrymartin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/arcnet/com20020-pci.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c +index 9d9e4200064f9..00a80f0adece4 100644 +--- a/drivers/net/arcnet/com20020-pci.c ++++ b/drivers/net/arcnet/com20020-pci.c +@@ -250,18 +250,33 @@ static int com20020pci_probe(struct pci_dev *pdev, + card->tx_led.default_trigger = devm_kasprintf(&pdev->dev, + GFP_KERNEL, "arc%d-%d-tx", + dev->dev_id, i); ++ if (!card->tx_led.default_trigger) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "pci:green:tx:%d-%d", + dev->dev_id, i); +- ++ if (!card->tx_led.name) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->tx_led.dev = &dev->dev; + card->recon_led.brightness_set = led_recon_set; + card->recon_led.default_trigger = devm_kasprintf(&pdev->dev, + GFP_KERNEL, "arc%d-%d-recon", + dev->dev_id, i); ++ if (!card->recon_led.default_trigger) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "pci:red:recon:%d-%d", + dev->dev_id, i); ++ 
if (!card->recon_led.name) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->recon_led.dev = &dev->dev; + + ret = devm_led_classdev_register(&pdev->dev, &card->tx_led); +-- +2.39.5 + diff --git a/queue-5.15/asoc-imx-card-add-null-check-in-imx_card_probe.patch b/queue-5.15/asoc-imx-card-add-null-check-in-imx_card_probe.patch new file mode 100644 index 0000000000..7ea938ff38 --- /dev/null +++ b/queue-5.15/asoc-imx-card-add-null-check-in-imx_card_probe.patch 
@@ -0,0 +1,50 @@ +From 01cf5f46bc7c3ff1db47a1c24c959dbfacb4125c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 22:25:10 +0800 +Subject: ASoC: imx-card: Add NULL check in imx_card_probe() + +From: Henry Martin + +[ Upstream commit 93d34608fd162f725172e780b1c60cc93a920719 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +imx_card_probe() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") +Signed-off-by: Henry Martin +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250401142510.29900-1-bsdhenrymartin@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-card.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c +index 223234f6172b2..2b64c0384b6bb 100644 +--- a/sound/soc/fsl/imx-card.c ++++ b/sound/soc/fsl/imx-card.c +@@ -759,6 +759,8 @@ static int imx_card_probe(struct platform_device *pdev) + data->dapm_routes[i].sink = + devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s", + i + 1, "Playback"); ++ if (!data->dapm_routes[i].sink) ++ return -ENOMEM; + data->dapm_routes[i].source = "CPU-Playback"; + } + } +@@ -776,6 +778,8 @@ static int imx_card_probe(struct platform_device *pdev) + data->dapm_routes[i].source = + devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s", + i + 1, "Capture"); ++ if (!data->dapm_routes[i].source) ++ return -ENOMEM; + data->dapm_routes[i].sink = "CPU-Capture"; + } + } +-- +2.39.5 + diff --git a/queue-5.15/asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch b/queue-5.15/asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch new file mode 100644 index 0000000000..fff12ea951 --- /dev/null +++ b/queue-5.15/asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch 
@@ -0,0 +1,41 @@ +From d7f939fc3f20042452cf5c76dd15d77ad8cbc878 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 17:05:24 +0530 +Subject: ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio + compatible + +From: Jayesh Choudhary + +[ Upstream commit 45ff65e30deb919604e68faed156ad96ce7474d9 ] + +For 'ti,j7200-cpb-audio' compatible, there is support for only one PLL for +48k. For 11025, 22050, 44100 and 88200 sampling rates, due to absence of +J721E_CLK_PARENT_44100, we get EINVAL while running any audio application. +Add support for these rates by using the 48k parent clock and adjusting +the clock for these rates later in j721e_configure_refclk. + +Fixes: 6748d0559059 ("ASoC: ti: Add custom machine driver for j721e EVM (CPB and IVI)") +Signed-off-by: Jayesh Choudhary +Link: https://patch.msgid.link/20250318113524.57100-1-j-choudhary@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/j721e-evm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/ti/j721e-evm.c b/sound/soc/ti/j721e-evm.c +index 149f4e2ce9998..7f2734318452f 100644 +--- a/sound/soc/ti/j721e-evm.c ++++ b/sound/soc/ti/j721e-evm.c +@@ -182,6 +182,8 @@ static int j721e_configure_refclk(struct j721e_priv *priv, + clk_id = J721E_CLK_PARENT_48000; + else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_44100]) + clk_id = J721E_CLK_PARENT_44100; ++ else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_48000]) ++ clk_id = J721E_CLK_PARENT_48000; + else + return ret; + +-- +2.39.5 + diff --git a/queue-5.15/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch b/queue-5.15/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch new file mode 100644 index 0000000000..94499082cd --- /dev/null +++ b/queue-5.15/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch 
@@ -0,0 +1,47 @@ +From 23bfb76590e5589f0667a26a114f0d3fc1e4ee5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 12:22:59 +0800 +Subject: bpf: Use preempt_count() directly in bpf_send_signal_common() + +From: Hou Tao + +[ Upstream commit b4a8b5bba712a711d8ca1f7d04646db63f9c88f5 ] + +bpf_send_signal_common() uses preemptible() to check whether or not the +current context is preemptible. If it is preemptible, it will use +irq_work to send the signal asynchronously instead of trying to hold a +spin-lock, because spin-lock is sleepable under PREEMPT_RT. + +However, preemptible() depends on CONFIG_PREEMPT_COUNT. When +CONFIG_PREEMPT_COUNT is turned off (e.g., CONFIG_PREEMPT_VOLUNTARY=y), +!preemptible() will be evaluated as 1 and bpf_send_signal_common() will +use irq_work unconditionally. + +Fix it by unfolding "!preemptible()" and using "preempt_count() != 0 || +irqs_disabled()" instead. + +Fixes: 87c544108b61 ("bpf: Send signals asynchronously if !preemptible") +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20250220042259.1583319-1-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 60acc3c76316f..dba736defdfec 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -799,7 +799,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type) + if (unlikely(is_global_init(current))) + return -EPERM; + +- if (!preemptible()) { ++ if (preempt_count() != 0 || irqs_disabled()) { + /* Do an early check on signal validity. Otherwise, + * the error is lost in deferred irq_work. + */ +-- +2.39.5 + diff --git a/queue-5.15/can-statistics-use-atomic-access-in-hot-path.patch b/queue-5.15/can-statistics-use-atomic-access-in-hot-path.patch new file mode 100644 index 0000000000..798bb62b96 --- /dev/null 
+++ b/queue-5.15/can-statistics-use-atomic-access-in-hot-path.patch 
@@ -0,0 +1,194 @@ +From d84c6f04afb6c06e79f161f200d19de317004672 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 15:33:53 +0100 +Subject: can: statistics: use atomic access in hot path + +From: Oliver Hartkopp + +[ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] + +In can_send() and can_receive() CAN messages and CAN filter matches are +counted to be visible in the CAN procfs files. + +KCSAN detected a data race within can_send() when two CAN frames have +been generated by a timer event writing to the same CAN netdevice at the +same time. Use atomic operations to access the statistics in the hot path +to fix the KCSAN complaint. + +Reported-by: syzbot+78ce4489b812515d5e4d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com +Signed-off-by: Oliver Hartkopp +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/af_can.c | 12 ++++++------ + net/can/af_can.h | 12 ++++++------ + net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- + 3 files changed, 39 insertions(+), 31 deletions(-) + +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 4e728b3da40b3..edf01b73d2878 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -288,8 +288,8 @@ int can_send(struct sk_buff *skb, int loop) + netif_rx_ni(newskb); + + /* update statistics */ +- pkg_stats->tx_frames++; +- pkg_stats->tx_frames_delta++; ++ atomic_long_inc(&pkg_stats->tx_frames); ++ atomic_long_inc(&pkg_stats->tx_frames_delta); + + return 0; + +@@ -649,8 +649,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) + int matches; + + /* update statistics */ +- pkg_stats->rx_frames++; +- pkg_stats->rx_frames_delta++; ++ atomic_long_inc(&pkg_stats->rx_frames); ++ atomic_long_inc(&pkg_stats->rx_frames_delta); + + /* create non-zero unique skb identifier together with *skb */ 
+ while (!(can_skb_prv(skb)->skbcnt)) +@@ -671,8 +671,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + + if (matches > 0) { +- pkg_stats->matches++; +- pkg_stats->matches_delta++; ++ atomic_long_inc(&pkg_stats->matches); ++ atomic_long_inc(&pkg_stats->matches_delta); + } + } + +diff --git a/net/can/af_can.h b/net/can/af_can.h +index 7c2d9161e2245..22f3352c77fec 100644 +--- a/net/can/af_can.h ++++ b/net/can/af_can.h +@@ -66,9 +66,9 @@ struct receiver { + struct can_pkg_stats { + unsigned long jiffies_init; + +- unsigned long rx_frames; +- unsigned long tx_frames; +- unsigned long matches; ++ atomic_long_t rx_frames; ++ atomic_long_t tx_frames; ++ atomic_long_t matches; + + unsigned long total_rx_rate; + unsigned long total_tx_rate; +@@ -82,9 +82,9 @@ struct can_pkg_stats { + unsigned long max_tx_rate; + unsigned long max_rx_match_ratio; + +- unsigned long rx_frames_delta; +- unsigned long tx_frames_delta; +- unsigned long matches_delta; ++ atomic_long_t rx_frames_delta; ++ atomic_long_t tx_frames_delta; ++ atomic_long_t matches_delta; + }; + + /* persistent statistics */ +diff --git a/net/can/proc.c b/net/can/proc.c +index b3099f0a3cb82..0533a3c4ff0e1 100644 +--- a/net/can/proc.c ++++ b/net/can/proc.c +@@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t) + struct can_pkg_stats *pkg_stats = net->can.pkg_stats; + unsigned long j = jiffies; /* snapshot */ + ++ long rx_frames = atomic_long_read(&pkg_stats->rx_frames); ++ long tx_frames = atomic_long_read(&pkg_stats->tx_frames); ++ long matches = atomic_long_read(&pkg_stats->matches); ++ long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); ++ long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); ++ long matches_delta = atomic_long_read(&pkg_stats->matches_delta); ++ + /* restart counting in timer context on user request */ + if (user_reset) + can_init_stats(net); +@@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t) + 
can_init_stats(net); + + /* prevent overflow in calc_rate() */ +- if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) ++ if (rx_frames > (LONG_MAX / HZ)) + can_init_stats(net); + + /* prevent overflow in calc_rate() */ +- if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) ++ if (tx_frames > (LONG_MAX / HZ)) + can_init_stats(net); + + /* matches overflow - very improbable */ +- if (pkg_stats->matches > (ULONG_MAX / 100)) ++ if (matches > (LONG_MAX / 100)) + can_init_stats(net); + + /* calc total values */ +- if (pkg_stats->rx_frames) +- pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / +- pkg_stats->rx_frames; ++ if (rx_frames) ++ pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; + + pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, +- pkg_stats->tx_frames); ++ tx_frames); + pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, +- pkg_stats->rx_frames); ++ rx_frames); + + /* calc current values */ +- if (pkg_stats->rx_frames_delta) ++ if (rx_frames_delta) + pkg_stats->current_rx_match_ratio = +- (pkg_stats->matches_delta * 100) / +- pkg_stats->rx_frames_delta; ++ (matches_delta * 100) / rx_frames_delta; + +- pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); +- pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); ++ pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); ++ pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); + + /* check / update maximum values */ + if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) +@@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t) + pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; + + /* clear values for 'current rate' calculation */ +- pkg_stats->tx_frames_delta = 0; +- pkg_stats->rx_frames_delta = 0; +- pkg_stats->matches_delta = 0; ++ atomic_long_set(&pkg_stats->tx_frames_delta, 0); ++ atomic_long_set(&pkg_stats->rx_frames_delta, 0); ++ atomic_long_set(&pkg_stats->matches_delta, 0); + + 
/* restart timer (one second) */ + mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); +@@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) + struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; + + seq_putc(m, '\n'); +- seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); +- seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); +- seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); ++ seq_printf(m, " %8ld transmitted frames (TXF)\n", ++ atomic_long_read(&pkg_stats->tx_frames)); ++ seq_printf(m, " %8ld received frames (RXF)\n", ++ atomic_long_read(&pkg_stats->rx_frames)); ++ seq_printf(m, " %8ld matched frames (RXMF)\n", ++ atomic_long_read(&pkg_stats->matches)); + + seq_putc(m, '\n'); + +-- +2.39.5 + diff --git a/queue-5.15/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch b/queue-5.15/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch new file mode 100644 index 0000000000..2b34d152e4 --- /dev/null +++ b/queue-5.15/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch 
@@ -0,0 +1,45 @@ +From 945010368c059a6c41d7a67051455e2d9e75f542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 11:03:23 +0100 +Subject: clk: amlogic: g12a: fix mmc A peripheral clock + +From: Jerome Brunet + +[ Upstream commit 0079e77c08de692cb20b38e408365c830a44b1ef ] + +The bit index of the peripheral clock for mmc A is wrong +This was probably not a problem for mmc A as the peripheral is likely left +enabled by the bootloader. + +No issues has been reported so far but it could be a problem, most likely +some form of conflict between the ethernet and mmc A clock, breaking +ethernet on init. + +Use the value provided by the documentation for mmc A before this +becomes an actual problem. + +Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-mmca-fix-v1-1-5af421f58b64@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index a623596c1e490..d13a60fefc1b8 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -4199,7 +4199,7 @@ static MESON_GATE(g12a_spicc_1, HHI_GCLK_MPEG0, 14); + static MESON_GATE(g12a_hiu_reg, HHI_GCLK_MPEG0, 19); + static MESON_GATE(g12a_mipi_dsi_phy, HHI_GCLK_MPEG0, 20); + static MESON_GATE(g12a_assist_misc, HHI_GCLK_MPEG0, 23); +-static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 4); ++static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 24); + static MESON_GATE(g12a_emmc_b, HHI_GCLK_MPEG0, 25); + static MESON_GATE(g12a_emmc_c, HHI_GCLK_MPEG0, 26); + static MESON_GATE(g12a_audio_codec, HHI_GCLK_MPEG0, 28); +-- +2.39.5 + diff --git a/queue-5.15/clk-amlogic-g12b-fix-cluster-a-parent-data.patch b/queue-5.15/clk-amlogic-g12b-fix-cluster-a-parent-data.patch new file mode 100644 index 0000000000..8346fe761a --- /dev/null 
+++ b/queue-5.15/clk-amlogic-g12b-fix-cluster-a-parent-data.patch 
@@ -0,0 +1,105 @@ +From ec63d7a2692640e20bdb4210f851308698c1b9ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 15:30:17 +0100 +Subject: clk: amlogic: g12b: fix cluster A parent data + +From: Jerome Brunet + +[ Upstream commit 8995f8f108c3ac5ad52b12a6cfbbc7b3b32e9a58 ] + +Several clocks used by both g12a and g12b use the g12a cpu A clock hw +pointer as clock parent. This is incorrect on g12b since the parents of +cluster A cpu clock are different. Also the hw clock provided as parent to +these children is not even registered clock on g12b. + +Fix the problem by reverting to the global namespace and let CCF pick +the appropriate, as it is already done for other clocks, such as +cpu_clk_trace_div. + +Fixes: 25e682a02d91 ("clk: meson: g12a: migrate to the new parent description method") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-cpua-parent-fix-v1-1-d8c0f41865fe@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index 310accf94830b..a623596c1e490 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -1136,8 +1136,18 @@ static struct clk_regmap g12a_cpu_clk_div16_en = { + .hw.init = &(struct clk_init_data) { + .name = "cpu_clk_div16_en", + .ops = &clk_regmap_gate_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { +- &g12a_cpu_clk.hw ++ .parent_data = &(const struct clk_parent_data) { ++ /* ++ * Note: ++ * G12A and G12B have different cpu clocks (with ++ * different struct clk_hw). We fallback to the global ++ * naming string mechanism so this clock picks ++ * up the appropriate one. Same goes for the other ++ * clock using cpu cluster A clock output and present ++ * on both G12 variant. 
++ */ ++ .name = "cpu_clk", ++ .index = -1, + }, + .num_parents = 1, + /* +@@ -1202,7 +1212,10 @@ static struct clk_regmap g12a_cpu_clk_apb_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_apb_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1236,7 +1249,10 @@ static struct clk_regmap g12a_cpu_clk_atb_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_atb_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1270,7 +1286,10 @@ static struct clk_regmap g12a_cpu_clk_axi_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_axi_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1305,13 +1324,6 @@ static struct clk_regmap g12a_cpu_clk_trace_div = { + .name = "cpu_clk_trace_div", + .ops = &clk_regmap_divider_ro_ops, + .parent_data = &(const struct clk_parent_data) { +- /* +- * Note: +- * G12A and G12B have different cpu_clks (with +- * different struct clk_hw). We fallback to the global +- * naming string mechanism so cpu_clk_trace_div picks +- * up the appropriate one. +- */ + .name = "cpu_clk", + .index = -1, + }, +-- +2.39.5 + diff --git a/queue-5.15/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch b/queue-5.15/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch new file mode 100644 index 0000000000..e4f88063fe --- /dev/null +++ b/queue-5.15/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch 
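Review bot: the three later sites in g12a.c (cpu_clk_apb_div, cpu_clk_atb_div, cpu_clk_axi_div) switch to .name = "cpu_clk", .index = -1 with no comment, while the explanation now lives only at cpu_clk_div16_en and was removed from cpu_clk_trace_div. A one-line back-reference at each site would keep a later cleanup from converting them back to parent_hws. Since the parent is now found by string, it is also worth confirming in the changelog that the G12A and G12B cpu clocks both register under exactly the name "cpu_clk"; the hunks show neither registration. Small typo in the new comment: "both G12 variant" should be "both G12 variants".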
@@ -0,0 +1,43 @@ +From 3fdfa6314a2a7840286c95d12b395ad610017806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 11:25:36 +0100 +Subject: clk: amlogic: gxbb: drop incorrect flag on 32k clock + +From: Jerome Brunet + +[ Upstream commit f38f7fe4830c5cb4eac138249225f119e7939965 ] + +gxbb_32k_clk_div sets CLK_DIVIDER_ROUND_CLOSEST in the init_data flag which +is incorrect. This is field is not where the divider flags belong. + +Thankfully, CLK_DIVIDER_ROUND_CLOSEST maps to bit 4 which is an unused +clock flag, so there is no unintended consequence to this error. + +Effectively, the clock has been used without CLK_DIVIDER_ROUND_CLOSEST +so far, so just drop it. + +Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-1-baca56ecf2db@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/gxbb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c +index 608e0e8ca49a8..48c47503ea752 100644 +--- a/drivers/clk/meson/gxbb.c ++++ b/drivers/clk/meson/gxbb.c +@@ -1310,7 +1310,7 @@ static struct clk_regmap gxbb_32k_clk_div = { + &gxbb_32k_clk_sel.hw + }, + .num_parents = 1, +- .flags = CLK_SET_RATE_PARENT | CLK_DIVIDER_ROUND_CLOSEST, ++ .flags = CLK_SET_RATE_PARENT, + }, + }; + +-- +2.39.5 + diff --git a/queue-5.15/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch b/queue-5.15/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch new file mode 100644 index 0000000000..e5f546ffed --- /dev/null +++ b/queue-5.15/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch 
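Review bot: the changelog for the gxbb_32k_clk_div hunk justifies dropping CLK_DIVIDER_ROUND_CLOSEST from .flags only by the fact that it never took effect there; it does not say whether round-to-closest was the behaviour wanted for the 32k clock. If it was, the fix would be to move the flag to the divider's own flags field instead of deleting it, so a sentence confirming that the current rounding gives the expected rate would close that question.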
@@ -0,0 +1,62 @@ +From 621a581b3b13406676e96095048b44c3b9d5cf89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 11:25:37 +0100 +Subject: clk: amlogic: gxbb: drop non existing 32k clock parent + +From: Jerome Brunet + +[ Upstream commit 7915d7d5407c026fa9343befb4d3343f7a345f97 ] + +The 32k clock reference a parent 'cts_slow_oscin' with a fixme note saying +that this clock should be provided by AO controller. + +The HW probably has this clock but it does not exist at the moment in +any controller implementation. Furthermore, referencing clock by the global +name should be avoided whenever possible. + +There is no reason to keep this hack around, at least for now. + +Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-2-baca56ecf2db@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/gxbb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c +index 48c47503ea752..35bc13e73c0dd 100644 +--- a/drivers/clk/meson/gxbb.c ++++ b/drivers/clk/meson/gxbb.c +@@ -1270,14 +1270,13 @@ static struct clk_regmap gxbb_cts_i958 = { + }, + }; + ++/* ++ * This table skips a clock named 'cts_slow_oscin' in the documentation ++ * This clock does not exist yet in this controller or the AO one ++ */ ++static u32 gxbb_32k_clk_parents_val_table[] = { 0, 2, 3 }; + static const struct clk_parent_data gxbb_32k_clk_parent_data[] = { + { .fw_name = "xtal", }, +- /* +- * FIXME: This clock is provided by the ao clock controller but the +- * clock is not yet part of the binding of this controller, so string +- * name must be use to set this parent. 
+- */ +- { .name = "cts_slow_oscin", .index = -1 }, + { .hw = &gxbb_fclk_div3.hw }, + { .hw = &gxbb_fclk_div5.hw }, + }; +@@ -1287,6 +1286,7 @@ static struct clk_regmap gxbb_32k_clk_sel = { + .offset = HHI_32K_CLK_CNTL, + .mask = 0x3, + .shift = 16, ++ .table = gxbb_32k_clk_parents_val_table, + }, + .hw.init = &(struct clk_init_data){ + .name = "32k_clk_sel", +-- +2.39.5 + diff --git a/queue-5.15/clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch b/queue-5.15/clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch new file mode 100644 index 0000000000..1af95c4d2a --- /dev/null +++ b/queue-5.15/clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch 
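Review bot: with .mask = 0x3 and gxbb_32k_clk_parents_val_table[] = { 0, 2, 3 } in the gxbb_32k_clk_sel hunk, a register value of 1 no longer maps to any parent. The changelog does not say what happens if firmware left the mux on that input, so please state the expected behaviour, or that the selector is known never to hold 1 at probe. The num_parents line is outside the hunk; it should be checked against the three remaining entries of gxbb_32k_clk_parent_data[] and the three table values.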
@@ -0,0 +1,43 @@ +From 457e8d54f163f469ac260993dd9c727ca20e7dc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 16:26:18 +0100 +Subject: clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Lypak + +[ Upstream commit cdc59600bccf2cb4c483645438a97d4ec55f326b ] + +This clock can't be enable with VENUS_CORE0 GDSC turned off. But that +GDSC is under HW control so it can be turned off at any moment. +Instead of checking the dependent clock we can just vote for it to +enable later when GDSC gets turned on. + +Fixes: 9bb6cfc3c77e6 ("clk: qcom: Add Global Clock Controller driver for MSM8953") +Signed-off-by: Vladimir Lypak +Signed-off-by: Barnabás Czémán +Link: https://lore.kernel.org/r/20250315-clock-fix-v1-2-2efdc4920dda@mainlining.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-msm8953.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-msm8953.c b/drivers/clk/qcom/gcc-msm8953.c +index 49513f1366ffd..9d11f993843db 100644 +--- a/drivers/clk/qcom/gcc-msm8953.c ++++ b/drivers/clk/qcom/gcc-msm8953.c +@@ -3771,7 +3771,7 @@ static struct clk_branch gcc_venus0_axi_clk = { + + static struct clk_branch gcc_venus0_core0_vcodec0_clk = { + .halt_reg = 0x4c02c, +- .halt_check = BRANCH_HALT, ++ .halt_check = BRANCH_HALT_SKIP, + .clkr = { + .enable_reg = 0x4c02c, + .enable_mask = BIT(0), +-- +2.39.5 + diff --git a/queue-5.15/clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch b/queue-5.15/clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch new file mode 100644 index 0000000000..89b84f736c --- /dev/null +++ b/queue-5.15/clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch 
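Review bot: at .halt_check = BRANCH_HALT_SKIP in gcc_venus0_core0_vcodec0_clk, the enable path no longer checks the halt bit, so a clock that really is stuck will not be reported either. The changelog gives the reason (the VENUS_CORE0 GDSC is under hardware control), but that reasoning is not in the code; a short comment above .halt_check would stop someone from restoring BRANCH_HALT later. It would also help to say which consumer has to cope with the clock not yet running when enable returns.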
@@ -0,0 +1,42 @@ +From b4610e515af976fd54e3949dd8f9a88da91ec805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 16:26:17 +0100 +Subject: clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Czémán + +[ Upstream commit 000cbe3896c56bf5c625e286ff096533a6b27657 ] + +This clock can't be enable with VENUS_CORE0 GDSC turned off. But that +GDSC is under HW control so it can be turned off at any moment. +Instead of checking the dependent clock we can just vote for it to +enable later when GDSC gets turned on. + +Fixes: 5db3ae8b33de6 ("clk: qcom: Add SDM660 Multimedia Clock Controller (MMCC) driver") +Signed-off-by: Barnabás Czémán +Link: https://lore.kernel.org/r/20250315-clock-fix-v1-1-2efdc4920dda@mainlining.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/mmcc-sdm660.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/mmcc-sdm660.c b/drivers/clk/qcom/mmcc-sdm660.c +index 941993bc610df..04e2b0801ee42 100644 +--- a/drivers/clk/qcom/mmcc-sdm660.c ++++ b/drivers/clk/qcom/mmcc-sdm660.c +@@ -2544,7 +2544,7 @@ static struct clk_branch video_core_clk = { + + static struct clk_branch video_subcore0_clk = { + .halt_reg = 0x1048, +- .halt_check = BRANCH_HALT, ++ .halt_check = BRANCH_HALT_SKIP, + .clkr = { + .enable_reg = 0x1048, + .enable_mask = BIT(0), +-- +2.39.5 + diff --git a/queue-5.15/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch b/queue-5.15/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch new file mode 100644 index 0000000000..6eaed33ad9 --- /dev/null +++ b/queue-5.15/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch 
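Review bot: the changelog for the video_subcore0_clk hunk is word for word the one used for gcc-msm8953, so it does not show that the dependency was checked for this driver. Naming the GDSC as it is defined in mmcc-sdm660.c, and describing how the stuck clock showed up on SDM660, would make the BRANCH_HALT_SKIP change at .halt_check reviewable on its own.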
@@ -0,0 +1,39 @@ +From fec0a8219cf705632d47e5b16b164006095909db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 01:26:22 +0000 +Subject: clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent + +From: Peter Geis + +[ Upstream commit a9e60f1ffe1ca57d6af6a2573e2f950e76efbf5b ] + +Correct the clk_ref_usb3otg parent to fix clock control for the usb3 +controller on rk3328. Verified against the rk3328 trm, the rk3228h trm, +and the rk3328 usb3 phy clock map. + +Fixes: fe3511ad8a1c ("clk: rockchip: add clock controller for rk3328") +Signed-off-by: Peter Geis +Reviewed-by: Dragan Simic +Link: https://lore.kernel.org/r/20250115012628.1035928-2-pgwipeout@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3328.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c +index 267ab54937d3d..a3587c500de28 100644 +--- a/drivers/clk/rockchip/clk-rk3328.c ++++ b/drivers/clk/rockchip/clk-rk3328.c +@@ -201,7 +201,7 @@ PNAME(mux_aclk_peri_pre_p) = { "cpll_peri", + "gpll_peri", + "hdmiphy_peri" }; + PNAME(mux_ref_usb3otg_src_p) = { "xin24m", +- "clk_usb3otg_ref" }; ++ "clk_ref_usb3otg_src" }; + PNAME(mux_xin24m_32k_p) = { "xin24m", + "clk_rtc32k" }; + PNAME(mux_mac2io_src_p) = { "clk_mac2io_src", +-- +2.39.5 + diff --git a/queue-5.15/clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch b/queue-5.15/clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch new file mode 100644 index 0000000000..dfb0607fcd --- /dev/null +++ b/queue-5.15/clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch 
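Review bot: mux_ref_usb3otg_src_p selects its parents by string, and the hunk does not show where a clock named "clk_ref_usb3otg_src" is registered. A parent name that matches nothing is not a build error, so please point to that registration in clk-rk3328.c in the changelog. The message also cites three documents without a section or table number; one such reference would make the mux input order ("xin24m" first) checkable.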
@@ -0,0 +1,52 @@ +From 6d1e9fb4f72386be2e41329024b143a817b12b7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 10:32:52 -0800 +Subject: clk: samsung: Fix UBSAN panic in samsung_clk_init() + +From: Will McVicker + +[ Upstream commit d19d7345a7bcdb083b65568a11b11adffe0687af ] + +With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to +dereferencing `ctx->clk_data.hws` before setting +`ctx->clk_data.num = nr_clks`. Move that up to fix the crash. + + UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP + + Call trace: + samsung_clk_init+0x110/0x124 (P) + samsung_clk_init+0x48/0x124 (L) + samsung_cmu_register_one+0x3c/0xa0 + exynos_arm64_register_cmu+0x54/0x64 + __gs101_cmu_top_of_clk_init_declare+0x28/0x60 + ... + +Fixes: e620a1e061c4 ("drivers/clk: convert VL struct to struct_size") +Signed-off-by: Will McVicker +Link: https://lore.kernel.org/r/20250212183253.509771-1-willmcvicker@google.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/samsung/clk.c b/drivers/clk/samsung/clk.c +index 1949ae7851b2e..0468ce5506aef 100644 +--- a/drivers/clk/samsung/clk.c ++++ b/drivers/clk/samsung/clk.c +@@ -64,11 +64,11 @@ struct samsung_clk_provider *__init samsung_clk_init(struct device_node *np, + if (!ctx) + panic("could not allocate clock provider context.\n"); + ++ ctx->clk_data.num = nr_clks; + for (i = 0; i < nr_clks; ++i) + ctx->clk_data.hws[i] = ERR_PTR(-ENOENT); + + ctx->reg_base = base; +- ctx->clk_data.num = nr_clks; + spin_lock_init(&ctx->lock); + + return ctx; +-- +2.39.5 + diff --git a/queue-5.15/coresight-catu-fix-number-of-pages-while-using-64k-p.patch b/queue-5.15/coresight-catu-fix-number-of-pages-while-using-64k-p.patch new file mode 100644 index 0000000000..ca48d07522 --- /dev/null +++ b/queue-5.15/coresight-catu-fix-number-of-pages-while-using-64k-p.patch 
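Review bot: the moved line ctx->clk_data.num = nr_clks; in samsung_clk_init() now carries an ordering requirement relative to the hws[i] loop that nothing in the code states. A one-line comment saying that num must be set before hws[] is indexed would keep a later cleanup from moving it back next to ctx->reg_base = base;. For the 5.15 queue it is also worth confirming that the commit named in the Fixes tag is present in that tree, since the hunk alone does not show it.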
@@ -0,0 +1,41 @@ +From ddbafc7218733d04b5fc7bf9f3b85e3578011e1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 21:53:48 +0000 +Subject: coresight: catu: Fix number of pages while using 64k pages + +From: Ilkka Koskinen + +[ Upstream commit 0e14e062f5ff98aa15264dfa87c5f5e924028561 ] + +Trying to record a trace on kernel with 64k pages resulted in -ENOMEM. +This happens due to a bug in calculating the number of table pages, which +returns zero. Fix the issue by rounding up. + +$ perf record --kcore -e cs_etm/@tmc_etr55,cycacc,branch_broadcast/k --per-thread taskset --cpu-list 1 dd if=/dev/zero of=/dev/null +failed to mmap with 12 (Cannot allocate memory) + +Fixes: 8ed536b1e283 ("coresight: catu: Add support for scatter gather tables") +Signed-off-by: Ilkka Koskinen +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250109215348.5483-1-ilkka@os.amperecomputing.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-catu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c +index e0740c6dbd542..29c74a4905366 100644 +--- a/drivers/hwtracing/coresight/coresight-catu.c ++++ b/drivers/hwtracing/coresight/coresight-catu.c +@@ -267,7 +267,7 @@ catu_init_sg_table(struct device *catu_dev, int node, + * Each table can address upto 1MB and we can have + * CATU_PAGES_PER_SYSPAGE tables in a system page. + */ +- nr_tpages = DIV_ROUND_UP(size, SZ_1M) / CATU_PAGES_PER_SYSPAGE; ++ nr_tpages = DIV_ROUND_UP(size, CATU_PAGES_PER_SYSPAGE * SZ_1M); + catu_table = tmc_alloc_sg_table(catu_dev, node, nr_tpages, + size >> PAGE_SHIFT, pages); + if (IS_ERR(catu_table)) +-- +2.39.5 + diff --git a/queue-5.15/cpufreq-governor-fix-negative-idle_time-handling-in-.patch b/queue-5.15/cpufreq-governor-fix-negative-idle_time-handling-in-.patch new file mode 100644 index 0000000000..b3e9143fb1 --- /dev/null 
+++ b/queue-5.15/cpufreq-governor-fix-negative-idle_time-handling-in-.patch 
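Review bot: in the catu_init_sg_table() hunk, the comment above the changed line only says how much one table addresses; it does not record why the division must be done in a single step. The old form, DIV_ROUND_UP(size, SZ_1M) / CATU_PAGES_PER_SYSPAGE, truncates to 0 whenever the buffer needs fewer 1MB tables than fit in one system page, which is the -ENOMEM in the changelog. Adding that sentence to the comment would keep the expression from being "simplified" back.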
@@ -0,0 +1,116 @@ +From d5e78cdfad0fb991bc0d4feca389f1307fddb81e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 11:55:10 +0800 +Subject: cpufreq: governor: Fix negative 'idle_time' handling in dbs_update() + +From: Jie Zhan + +[ Upstream commit 3698dd6b139dc37b35a9ad83d9330c1f99666c02 ] + +We observed an issue that the CPU frequency can't raise up with a 100% CPU +load when NOHZ is off and the 'conservative' governor is selected. + +'idle_time' can be negative if it's obtained from get_cpu_idle_time_jiffy() +when NOHZ is off. This was found and explained in commit 9485e4ca0b48 +("cpufreq: governor: Fix handling of special cases in dbs_update()"). + +However, commit 7592019634f8 ("cpufreq: governors: Fix long idle detection +logic in load calculation") introduced a comparison between 'idle_time' and +'samling_rate' to detect a long idle interval. While 'idle_time' is +converted to int before comparison, it's actually promoted to unsigned +again when compared with an unsigned 'sampling_rate'. Hence, this leads to +wrong idle interval detection when it's in fact 100% busy and sets +policy_dbs->idle_periods to a very large value. 'conservative' adjusts the +frequency to minimum because of the large 'idle_periods', such that the +frequency can't raise up. 'Ondemand' doesn't use policy_dbs->idle_periods +so it fortunately avoids the issue. + +Correct negative 'idle_time' to 0 before any use of it in dbs_update(). + +Fixes: 7592019634f8 ("cpufreq: governors: Fix long idle detection logic in load calculation") +Signed-off-by: Jie Zhan +Reviewed-by: Chen Yu +Link: https://patch.msgid.link/20250213035510.2402076-1-zhanjie9@hisilicon.com +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq_governor.c | 45 +++++++++++++++--------------- + 1 file changed, 23 insertions(+), 22 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c +index 55c80319d2684..5981e3ef9ce0e 100644 +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -145,7 +145,23 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + time_elapsed = update_time - j_cdbs->prev_update_time; + j_cdbs->prev_update_time = update_time; + +- idle_time = cur_idle_time - j_cdbs->prev_cpu_idle; ++ /* ++ * cur_idle_time could be smaller than j_cdbs->prev_cpu_idle if ++ * it's obtained from get_cpu_idle_time_jiffy() when NOHZ is ++ * off, where idle_time is calculated by the difference between ++ * time elapsed in jiffies and "busy time" obtained from CPU ++ * statistics. If a CPU is 100% busy, the time elapsed and busy ++ * time should grow with the same amount in two consecutive ++ * samples, but in practice there could be a tiny difference, ++ * making the accumulated idle time decrease sometimes. Hence, ++ * in this case, idle_time should be regarded as 0 in order to ++ * make the further process correct. ++ */ ++ if (cur_idle_time > j_cdbs->prev_cpu_idle) ++ idle_time = cur_idle_time - j_cdbs->prev_cpu_idle; ++ else ++ idle_time = 0; ++ + j_cdbs->prev_cpu_idle = cur_idle_time; + + if (ignore_nice) { +@@ -162,7 +178,7 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + * calls, so the previous load value can be used then. 
+ */ + load = j_cdbs->prev_load; +- } else if (unlikely((int)idle_time > 2 * sampling_rate && ++ } else if (unlikely(idle_time > 2 * sampling_rate && + j_cdbs->prev_load)) { + /* + * If the CPU had gone completely idle and a task has +@@ -189,30 +205,15 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + load = j_cdbs->prev_load; + j_cdbs->prev_load = 0; + } else { +- if (time_elapsed >= idle_time) { ++ if (time_elapsed > idle_time) + load = 100 * (time_elapsed - idle_time) / time_elapsed; +- } else { +- /* +- * That can happen if idle_time is returned by +- * get_cpu_idle_time_jiffy(). In that case +- * idle_time is roughly equal to the difference +- * between time_elapsed and "busy time" obtained +- * from CPU statistics. Then, the "busy time" +- * can end up being greater than time_elapsed +- * (for example, if jiffies_64 and the CPU +- * statistics are updated by different CPUs), +- * so idle_time may in fact be negative. That +- * means, though, that the CPU was busy all +- * the time (on the rough average) during the +- * last sampling interval and 100 can be +- * returned as the load. +- */ +- load = (int)idle_time < 0 ? 100 : 0; +- } ++ else ++ load = 0; ++ + j_cdbs->prev_load = load; + } + +- if (unlikely((int)idle_time > 2 * sampling_rate)) { ++ if (unlikely(idle_time > 2 * sampling_rate)) { + unsigned int periods = idle_time / sampling_rate; + + if (periods < idle_periods) +-- +2.39.5 + diff --git a/queue-5.15/cpufreq-scpi-compare-khz-instead-of-hz.patch b/queue-5.15/cpufreq-scpi-compare-khz-instead-of-hz.patch new file mode 100644 index 0000000000..8e46a59061 --- /dev/null +++ b/queue-5.15/cpufreq-scpi-compare-khz-instead-of-hz.patch 
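Review bot: in dbs_update(), the new "else load = 0;" branch (taken when time_elapsed <= idle_time) lost its explanation when the long comment was removed. With negative values now clamped by idle_time = 0 earlier in the function, a line saying when idle_time can still reach or exceed time_elapsed would help. The clamp itself compares cur_idle_time > j_cdbs->prev_cpu_idle; the declarations are outside the hunks, so please confirm both operands have the same unsigned type, otherwise this comparison is exposed to the same promotion problem the changelog describes.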
@@ -0,0 +1,52 @@ +From 2009c3c1bdca4522e52a7f14fb0d55ffc24bb952 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jan 2025 08:49:49 +0000 +Subject: cpufreq: scpi: compare kHz instead of Hz + +From: zuoqian + +[ Upstream commit 4742da9774a416908ef8e3916164192c15c0e2d1 ] + +The CPU rate from clk_get_rate() may not be divisible by 1000 +(e.g., 133333333). But the rate calculated from frequency(kHz) is +always divisible by 1000 (e.g., 133333000). +Comparing the rate causes a warning during CPU scaling: +"cpufreq: __target_index: Failed to change cpu frequency: -5". +When we choose to compare kHz here, the issue does not occur. + +Fixes: 343a8d17fa8d ("cpufreq: scpi: remove arm_big_little dependency") +Signed-off-by: zuoqian +Reviewed-by: Dan Carpenter +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/scpi-cpufreq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c +index 763692e327b18..35b20c74dbfc7 100644 +--- a/drivers/cpufreq/scpi-cpufreq.c ++++ b/drivers/cpufreq/scpi-cpufreq.c +@@ -47,8 +47,9 @@ static unsigned int scpi_cpufreq_get_rate(unsigned int cpu) + static int + scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index) + { +- u64 rate = policy->freq_table[index].frequency * 1000; ++ unsigned long freq_khz = policy->freq_table[index].frequency; + struct scpi_data *priv = policy->driver_data; ++ unsigned long rate = freq_khz * 1000; + int ret; + + ret = clk_set_rate(priv->clk, rate); +@@ -56,7 +57,7 @@ scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index) + if (ret) + return ret; + +- if (clk_get_rate(priv->clk) != rate) ++ if (clk_get_rate(priv->clk) / 1000 != freq_khz) + return -EIO; + + return 0; +-- +2.39.5 + 
diff --git a/queue-5.15/crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch b/queue-5.15/crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch new file mode 100644 index 0000000000..e2a285a875 --- /dev/null +++ b/queue-5.15/crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch 
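Review bot: the new check clk_get_rate(priv->clk) / 1000 != freq_khz in scpi_cpufreq_set_target() only tolerates rates that land at or above the requested kHz value. The changelog's example (133333333 against 133333000) passes, but a clock that settles one Hz below the target, for example 132999999 for a 133000 kHz request, truncates to 132999 and still returns -EIO. If the firmware can round down, compare with a tolerance or round to nearest instead of truncating.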
@@ -0,0 +1,52 @@ +From afa794bdab30e234fde8edfcaa13cc2ab6f0f713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:56:26 +0800 +Subject: crypto: hisilicon/sec2 - fix for aead auth key length + +From: Wenkai Lin + +[ Upstream commit 1b284ffc30b02808a0de698667cbcf5ce5f9144e ] + +According to the HMAC RFC, the authentication key +can be 0 bytes, and the hardware can handle this +scenario. Therefore, remove the incorrect validation +for this case. + +Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2") +Signed-off-by: Wenkai Lin +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/sec2/sec_crypto.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c +index 6de3ccd0fa9b7..915333deae6f0 100644 +--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c ++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c +@@ -1047,11 +1047,6 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx, + struct crypto_shash *hash_tfm = ctx->hash_tfm; + int blocksize, digestsize, ret; + +- if (!keys->authkeylen) { +- pr_err("hisi_sec2: aead auth key error!\n"); +- return -EINVAL; +- } +- + blocksize = crypto_shash_blocksize(hash_tfm); + digestsize = crypto_shash_digestsize(hash_tfm); + if (keys->authkeylen > blocksize) { +@@ -1063,7 +1058,8 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx, + } + ctx->a_key_len = digestsize; + } else { +- memcpy(ctx->a_key, keys->authkey, keys->authkeylen); ++ if (keys->authkeylen) ++ memcpy(ctx->a_key, keys->authkey, keys->authkeylen); + ctx->a_key_len = keys->authkeylen; + } + +-- +2.39.5 + diff --git a/queue-5.15/crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch b/queue-5.15/crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch new file mode 100644 index 0000000000..c3f0a1d05a --- /dev/null 
+++ b/queue-5.15/crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch 
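Review bot: in sec_aead_auth_set_key(), the zero-length path now sets ctx->a_key_len = 0 and skips the memcpy(), and the visible lines leave whatever an earlier setkey wrote in ctx->a_key untouched. If the hardware is still handed the address of that buffer, clearing it when authkeylen is 0 would avoid leaving old key bytes in place. The new "if (keys->authkeylen)" guard is redundant for a zero-length copy unless keys->authkey can be NULL here; a comment saying which case it covers would help. The changelog cites "the HMAC RFC" without a number.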
@@ -0,0 +1,105 @@ +From 78c5353e6f866d41f248ede6c68727627a676a2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:56:27 +0800 +Subject: crypto: hisilicon/sec2 - fix for aead authsize alignment + +From: Wenkai Lin + +[ Upstream commit a49cc71e219040d771a8c1254879984f98192811 ] + +The hardware only supports authentication sizes +that are 4-byte aligned. Therefore, the driver +switches to software computation in this case. + +Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2") +Signed-off-by: Wenkai Lin +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/sec2/sec_crypto.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c +index 32150e05a2795..6de3ccd0fa9b7 100644 +--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c ++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c +@@ -55,7 +55,6 @@ + #define SEC_TYPE_MASK 0x0F + #define SEC_DONE_MASK 0x0001 + #define SEC_ICV_MASK 0x000E +-#define SEC_SQE_LEN_RATE_MASK 0x3 + + #define SEC_TOTAL_IV_SZ (SEC_IV_SIZE * QM_Q_DEPTH) + #define SEC_SGL_SGE_NR 128 +@@ -77,16 +76,16 @@ + #define SEC_TOTAL_PBUF_SZ (PAGE_SIZE * SEC_PBUF_PAGE_NUM + \ + SEC_PBUF_LEFT_SZ) + +-#define SEC_SQE_LEN_RATE 4 + #define SEC_SQE_CFLAG 2 + #define SEC_SQE_AEAD_FLAG 3 + #define SEC_SQE_DONE 0x1 + #define SEC_ICV_ERR 0x2 +-#define MIN_MAC_LEN 4 + #define MAC_LEN_MASK 0x1U + #define MAX_INPUT_DATA_LEN 0xFFFE00 + #define BITS_MASK 0xFF ++#define WORD_MASK 0x3 + #define BYTE_BITS 0x8 ++#define BYTES_TO_WORDS(bcount) ((bcount) >> 2) + #define SEC_XTS_NAME_SZ 0x3 + #define IV_CM_CAL_NUM 2 + #define IV_CL_MASK 0x7 +@@ -1133,7 +1132,7 @@ static int sec_aead_setkey(struct crypto_aead *tfm, const u8 *key, + goto bad_key; + } + +- if (ctx->a_ctx.a_key_len & SEC_SQE_LEN_RATE_MASK) { ++ if (ctx->a_ctx.a_key_len & WORD_MASK) { + ret = -EINVAL; 
+ dev_err(dev, "AUTH key length error!\n"); + goto bad_key; +@@ -1538,11 +1537,10 @@ static void sec_auth_bd_fill_ex(struct sec_auth_ctx *ctx, int dir, + + sec_sqe->type2.a_key_addr = cpu_to_le64(ctx->a_key_dma); + +- sec_sqe->type2.mac_key_alg = cpu_to_le32(authsize / SEC_SQE_LEN_RATE); ++ sec_sqe->type2.mac_key_alg = cpu_to_le32(BYTES_TO_WORDS(authsize)); + + sec_sqe->type2.mac_key_alg |= +- cpu_to_le32((u32)((ctx->a_key_len) / +- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET); ++ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET); + + sec_sqe->type2.mac_key_alg |= + cpu_to_le32((u32)(ctx->a_alg) << SEC_AEAD_ALG_OFFSET); +@@ -1594,12 +1592,10 @@ static void sec_auth_bd_fill_ex_v3(struct sec_auth_ctx *ctx, int dir, + sqe3->a_key_addr = cpu_to_le64(ctx->a_key_dma); + + sqe3->auth_mac_key |= +- cpu_to_le32((u32)(authsize / +- SEC_SQE_LEN_RATE) << SEC_MAC_OFFSET_V3); ++ cpu_to_le32(BYTES_TO_WORDS(authsize) << SEC_MAC_OFFSET_V3); + + sqe3->auth_mac_key |= +- cpu_to_le32((u32)(ctx->a_key_len / +- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET_V3); ++ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET_V3); + + sqe3->auth_mac_key |= + cpu_to_le32((u32)(ctx->a_alg) << SEC_AUTH_ALG_OFFSET_V3); +@@ -2205,8 +2201,8 @@ static int sec_aead_spec_check(struct sec_ctx *ctx, struct sec_req *sreq) + struct device *dev = ctx->dev; + int ret; + +- /* Hardware does not handle cases where authsize is less than 4 bytes */ +- if (unlikely(sz < MIN_MAC_LEN)) { ++ /* Hardware does not handle cases where authsize is not 4 bytes aligned */ ++ if (c_mode == SEC_CMODE_CBC && (sz & WORD_MASK)) { + sreq->aead_req.fallback = true; + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-5.15/crypto-nx-fix-uninitialised-hv_nxc-on-error.patch b/queue-5.15/crypto-nx-fix-uninitialised-hv_nxc-on-error.patch new file mode 100644 index 0000000000..e3ae06e60b --- /dev/null +++ b/queue-5.15/crypto-nx-fix-uninitialised-hv_nxc-on-error.patch 
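Review bot: in sec_aead_spec_check(), the replacement condition c_mode == SEC_CMODE_CBC && (sz & WORD_MASK) is narrower than the sz < MIN_MAC_LEN test it replaces. The old test sent every mode with a tag shorter than 4 bytes to the fallback; the new one applies only to CBC, and sz == 0 passes the mask test in any mode. Please confirm that short or zero authsize values for the other modes are rejected elsewhere (not visible in these hunks), and make the comment say that the alignment rule is applied to CBC only. BYTES_TO_WORDS() truncates, so any unaligned length that does reach sec_auth_bd_fill_ex() or sec_auth_bd_fill_ex_v3() is programmed as a shorter MAC.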
@@ -0,0 +1,95 @@ +From 5d33024d3e5bbb5eacaf6bf2a53993e80b9b07b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 16:50:42 +0800 +Subject: crypto: nx - Fix uninitialised hv_nxc on error + +From: Herbert Xu + +[ Upstream commit 9b00eb923f3e60ca76cbc8b31123716f3a87ac6a ] + +The compiler correctly warns that hv_nxc may be used uninitialised +as that will occur when NX-GZIP is unavailable. + +Fix it by rearranging the code and delay setting caps_feat until +the final query succeeds. + +Fixes: b4ba22114c78 ("crypto/nx: Get NX capabilities for GZIP coprocessor type") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/nx-common-pseries.c | 37 ++++++++++++--------------- + 1 file changed, 17 insertions(+), 20 deletions(-) + +diff --git a/drivers/crypto/nx/nx-common-pseries.c b/drivers/crypto/nx/nx-common-pseries.c +index 4e304f6081e47..f24d58b6eb1e5 100644 +--- a/drivers/crypto/nx/nx-common-pseries.c ++++ b/drivers/crypto/nx/nx-common-pseries.c +@@ -1142,6 +1142,7 @@ static void __init nxcop_get_capabilities(void) + { + struct hv_vas_all_caps *hv_caps; + struct hv_nx_cop_caps *hv_nxc; ++ u64 feat; + int rc; + + hv_caps = kmalloc(sizeof(*hv_caps), GFP_KERNEL); +@@ -1152,27 +1153,26 @@ static void __init nxcop_get_capabilities(void) + */ + rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, 0, + (u64)virt_to_phys(hv_caps)); ++ if (!rc) ++ feat = be64_to_cpu(hv_caps->feat_type); ++ kfree(hv_caps); + if (rc) +- goto out; ++ return; ++ if (!(feat & VAS_NX_GZIP_FEAT_BIT)) ++ return; + +- caps_feat = be64_to_cpu(hv_caps->feat_type); + /* + * NX-GZIP feature available + */ +- if (caps_feat & VAS_NX_GZIP_FEAT_BIT) { +- hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL); +- if (!hv_nxc) +- goto out; +- /* +- * Get capabilities for NX-GZIP feature +- */ +- rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, +- VAS_NX_GZIP_FEAT, +- (u64)virt_to_phys(hv_nxc)); +- } else { +- pr_err("NX-GZIP feature is not available\n"); +- rc = -EINVAL; 
+- } ++ hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL); ++ if (!hv_nxc) ++ return; ++ /* ++ * Get capabilities for NX-GZIP feature ++ */ ++ rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, ++ VAS_NX_GZIP_FEAT, ++ (u64)virt_to_phys(hv_nxc)); + + if (!rc) { + nx_cop_caps.descriptor = be64_to_cpu(hv_nxc->descriptor); +@@ -1182,13 +1182,10 @@ static void __init nxcop_get_capabilities(void) + be64_to_cpu(hv_nxc->min_compress_len); + nx_cop_caps.min_decompress_len = + be64_to_cpu(hv_nxc->min_decompress_len); +- } else { +- caps_feat = 0; ++ caps_feat = feat; + } + + kfree(hv_nxc); +-out: +- kfree(hv_caps); + } + + static const struct vio_device_id nx842_vio_driver_ids[] = { +-- +2.39.5 + diff --git a/queue-5.15/drm-amd-display-fix-type-mismatch-in-calculatedynami.patch b/queue-5.15/drm-amd-display-fix-type-mismatch-in-calculatedynami.patch new file mode 100644 index 0000000000..afcb477acf --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-type-mismatch-in-calculatedynami.patch 
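Review bot: nxcop_get_capabilities() used to log "NX-GZIP feature is not available" and now returns silently at if (!(feat & VAS_NX_GZIP_FEAT_BIT)); the changelog does not mention dropping the message. If the silence is intended, say so in the changelog; otherwise keep the pr_err() before that return. The rest of the reordering is consistent with the stated goal: feat is only read after the "if (rc) return;" check, and caps_feat is assigned only when the second query succeeds.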
@@ -0,0 +1,64 @@ +From 7cbcf9183f3b7f67c1b4325f82f290fa3adf9d93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 01:28:51 +0500 +Subject: drm/amd/display: fix type mismatch in + CalculateDynamicMetadataParameters() + +From: Vitaliy Shevtsov + +[ Upstream commit c3c584c18c90a024a54716229809ba36424f9660 ] + +There is a type mismatch between what CalculateDynamicMetadataParameters() +takes and what is passed to it. Currently this function accepts several +args as signed long but it's called with unsigned integers and integer. On +some systems where long is 32 bits and one of these unsigned int params is +greater than INT_MAX it may cause passing input params as negative values. + +Fix this by changing these argument types from long to unsigned int and to +int respectively. Also this will align the function's definition with +similar functions in other dcn* drivers. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 6725a88f88a7 ("drm/amd/display: Add DCN3 DML") +Signed-off-by: Vitaliy Shevtsov +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +index de0fa87b301a5..5c0d49d4eb8ec 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +@@ -283,10 +283,10 @@ static void CalculateDynamicMetadataParameters( + double DISPCLK, + double DCFClkDeepSleep, + double PixelClock, +- long HTotal, +- long VBlank, +- long DynamicMetadataTransmittedBytes, +- long DynamicMetadataLinesBeforeActiveRequired, ++ unsigned int HTotal, ++ unsigned int VBlank, ++ unsigned int DynamicMetadataTransmittedBytes, ++ int DynamicMetadataLinesBeforeActiveRequired, + int 
InterlaceEnable, + bool ProgressiveToInterlaceUnitInOPP, + double *Tsetup, +@@ -3375,8 +3375,8 @@ static double CalculateWriteBackDelay( + + + static void CalculateDynamicMetadataParameters(int MaxInterDCNTileRepeaters, double DPPCLK, double DISPCLK, +- double DCFClkDeepSleep, double PixelClock, long HTotal, long VBlank, long DynamicMetadataTransmittedBytes, +- long DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP, ++ double DCFClkDeepSleep, double PixelClock, unsigned int HTotal, unsigned int VBlank, unsigned int DynamicMetadataTransmittedBytes, ++ int DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP, + double *Tsetup, double *Tdmbf, double *Tdmec, double *Tdmsks) + { + double TotalRepeaterDelayTime = 0; +-- +2.39.5 + diff --git a/queue-5.15/drm-amd-keep-display-off-while-going-into-s4.patch b/queue-5.15/drm-amd-keep-display-off-while-going-into-s4.patch new file mode 100644 index 0000000000..fef23261a4 --- /dev/null +++ b/queue-5.15/drm-amd-keep-display-off-while-going-into-s4.patch 
@@ -0,0 +1,102 @@ +From 64eceb48434f7b7cdf3c3a92e1e7a5204b49ad98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 12:51:24 -0600 +Subject: drm/amd: Keep display off while going into S4 + +From: Mario Limonciello + +[ Upstream commit 4afacc9948e1f8fdbca401d259ae65ad93d298c0 ] + +When userspace invokes S4 the flow is: + +1) amdgpu_pmops_prepare() +2) amdgpu_pmops_freeze() +3) Create hibernation image +4) amdgpu_pmops_thaw() +5) Write out image to disk +6) Turn off system + +Then on resume amdgpu_pmops_restore() is called. + +This flow has a problem that because amdgpu_pmops_thaw() is called +it will call amdgpu_device_resume() which will resume all of the GPU. + +This includes turning the display hardware back on and discovering +connectors again. + +This is an unexpected experience for the display to turn back on. +Adjust the flow so that during the S4 sequence display hardware is +not turned back on. + +Reported-by: Xaver Hugl +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2038 +Cc: Muhammad Usama Anjum +Tested-by: Muhammad Usama Anjum +Acked-by: Alex Deucher +Acked-by: Harry Wentland +Link: https://lore.kernel.org/r/20250306185124.44780-1-mario.limonciello@amd.com +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit 68bfdc8dc0a1a7fdd9ab61e69907ae71a6fd3d91) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 11 +++++++++-- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index 57943e9008710..adcf3adc5ca51 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -2294,7 +2294,6 @@ static int amdgpu_pmops_freeze(struct device *dev) + + adev->in_s4 = true; + r = amdgpu_device_suspend(drm_dev, true); +- adev->in_s4 = false; + if (r) + return r; + return 
amdgpu_asic_reset(adev); +@@ -2303,8 +2302,13 @@ static int amdgpu_pmops_freeze(struct device *dev) + static int amdgpu_pmops_thaw(struct device *dev) + { + struct drm_device *drm_dev = dev_get_drvdata(dev); ++ struct amdgpu_device *adev = drm_to_adev(drm_dev); ++ int r; + +- return amdgpu_device_resume(drm_dev, true); ++ r = amdgpu_device_resume(drm_dev, true); ++ adev->in_s4 = false; ++ ++ return r; + } + + static int amdgpu_pmops_poweroff(struct device *dev) +@@ -2317,6 +2321,9 @@ static int amdgpu_pmops_poweroff(struct device *dev) + static int amdgpu_pmops_restore(struct device *dev) + { + struct drm_device *drm_dev = dev_get_drvdata(dev); ++ struct amdgpu_device *adev = drm_to_adev(drm_dev); ++ ++ adev->in_s4 = false; + + return amdgpu_device_resume(drm_dev, true); + } +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index a128259b19adb..a33ca712a89c5 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2710,6 +2710,11 @@ static int dm_resume(void *handle) + + return 0; + } ++ ++ /* leave display off for S4 sequence */ ++ if (adev->in_s4) ++ return 0; ++ + /* Recreate dc_state - DC invalidates it when setting power state to S3. */ + dc_release_state(dm_state->context); + dm_state->context = dc_create_state(dm->dc); +-- +2.39.5 + diff --git a/queue-5.15/drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch b/queue-5.15/drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch new file mode 100644 index 0000000000..5d122cfd0c --- /dev/null +++ b/queue-5.15/drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch 
@@ -0,0 +1,52 @@ +From c1168a4f2f673a79287a1b62a15c3b8d140f828b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:18:46 +0100 +Subject: drm/bridge: ti-sn65dsi86: Fix multiple instances + +From: Geert Uytterhoeven + +[ Upstream commit 574f5ee2c85a00a579549d50e9fc9c6c072ee4c4 ] + +Each bridge instance creates up to four auxiliary devices with different +names. However, their IDs are always zero, causing duplicate filename +errors when a system has multiple bridges: + + sysfs: cannot create duplicate filename '/bus/auxiliary/devices/ti_sn65dsi86.gpio.0' + +Fix this by using a unique instance ID per bridge instance. The +instance ID is derived from the I2C adapter number and the bridge's I2C +address, to support multiple instances on the same bus. + +Fixes: bf73537f411b ("drm/bridge: ti-sn65dsi86: Break GPIO and MIPI-to-eDP bridge into sub-drivers") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Douglas Anderson +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/7a68a0e3f927e26edca6040067fb653eb06efb79.1733840089.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index b488c6cb8f106..1c9dd62d3c47b 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -424,6 +424,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata, + const char *name) + { + struct device *dev = pdata->dev; ++ const struct i2c_client *client = to_i2c_client(dev); + struct auxiliary_device *aux; + int ret; + +@@ -432,6 +433,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata, + return -ENOMEM; + + aux->name = name; ++ aux->id = (client->adapter->nr << 10) | client->addr; + aux->dev.parent = dev; + aux->dev.release = ti_sn65dsi86_aux_device_release; + 
device_set_of_node_from_dev(&aux->dev, dev); +-- +2.39.5 + diff --git a/queue-5.15/drm-dp_mst-fix-drm-rad-print.patch b/queue-5.15/drm-dp_mst-fix-drm-rad-print.patch new file mode 100644 index 0000000000..80dc26cb92 --- /dev/null +++ b/queue-5.15/drm-dp_mst-fix-drm-rad-print.patch 
@@ -0,0 +1,95 @@ +From 367648d40b622b8767557403e045a2df06b14bb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 17:10:59 +0800 +Subject: drm/dp_mst: Fix drm RAD print +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wayne Lin + +[ Upstream commit 6bbce873a9c97cb12f5455c497be279ac58e707f ] + +[Why] +The RAD of sideband message printed today is incorrect. +For RAD stored within MST branch +- If MST branch LCT is 1, it's RAD array is untouched and remained as 0. +- If MST branch LCT is larger than 1, use nibble to store the up facing + port number in cascaded sequence as illustrated below: + + u8 RAD[0] = (LCT_2_UFP << 4) | LCT_3_UFP + RAD[1] = (LCT_4_UFP << 4) | LCT_5_UFP + ... + +In drm_dp_mst_rad_to_str(), it wrongly to use BIT_MASK(4) to fetch the port +number of one nibble. + +[How] +Adjust the code by: +- RAD array items are valuable only for LCT >= 1. +- Use 0xF as the mask to replace BIT_MASK(4) + +V2: +- Document how RAD is constructed (Imre) + +V3: +- Adjust the comment for rad[] so kdoc formats it properly (Lyude) + +Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing + selftests") +Cc: Imre Deak +Cc: Ville Syrjälä +Cc: Harry Wentland +Cc: Lyude Paul +Reviewed-by: Lyude Paul +Signed-off-by: Wayne Lin +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20250113091100.3314533-2-Wayne.Lin@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 8 ++++---- + include/drm/drm_dp_mst_helper.h | 7 +++++++ + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index 86e1a61b6b6df..70be5719e403b 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -178,13 +178,13 @@ static int + drm_dp_mst_rad_to_str(const u8 rad[8], u8 lct, char *out, size_t len) + { + int i; +- u8 unpacked_rad[16]; ++ u8 
unpacked_rad[16] = {}; + +- for (i = 0; i < lct; i++) { ++ for (i = 1; i < lct; i++) { + if (i % 2) +- unpacked_rad[i] = rad[i / 2] >> 4; ++ unpacked_rad[i] = rad[(i - 1) / 2] >> 4; + else +- unpacked_rad[i] = rad[i / 2] & BIT_MASK(4); ++ unpacked_rad[i] = rad[(i - 1) / 2] & 0xF; + } + + /* TODO: Eventually add something to printk so we can format the rad +diff --git a/include/drm/drm_dp_mst_helper.h b/include/drm/drm_dp_mst_helper.h +index ddb9231d03097..9911264e0b155 100644 +--- a/include/drm/drm_dp_mst_helper.h ++++ b/include/drm/drm_dp_mst_helper.h +@@ -232,6 +232,13 @@ struct drm_dp_mst_branch { + */ + struct list_head destroy_next; + ++ /** ++ * @rad: Relative Address of the MST branch. ++ * For &drm_dp_mst_topology_mgr.mst_primary, it's rad[8] are all 0, ++ * unset and unused. For MST branches connected after mst_primary, ++ * in each element of rad[] the nibbles are ordered by the most ++ * signifcant 4 bits first and the least significant 4 bits second. ++ */ + u8 rad[8]; + u8 lct; + int num_ports; +-- +2.39.5 + diff --git a/queue-5.15/drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch b/queue-5.15/drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch new file mode 100644 index 0000000000..8702d6b6e7 --- /dev/null +++ b/queue-5.15/drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch 
@@ -0,0 +1,64 @@ +From 5773a2ff8a2f5d97b96de2d8beeef8a957d26bf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 12:35:57 +0300 +Subject: drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() + +From: Dan Carpenter + +[ Upstream commit dcb166ee43c3d594e7b73a24f6e8cf5663eeff2c ] + +There is a type bug because the return statement: + + return ret < 0 ? ret : recv_cnt; + +The issue is that ret is an int, recv_cnt is a u32 and the function +returns ssize_t, which is a signed long. The way that the type promotion +works is that the negative error codes are first cast to u32 and then +to signed long. The error codes end up being positive instead of +negative and the callers treat them as success. + +Fixes: 81cc7e51c4f1 ("drm/mediatek: Allow commands to be sent during video mode") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/r/202412210801.iADw0oIH-lkp@intel.com/ +Signed-off-by: Dan Carpenter +Reviewed-by: Mattijs Korpershoek +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/b754a408-4f39-4e37-b52d-7706c132e27f@stanley.mountain/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c +index 3b55a83b7cdff..cac98f0104257 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dsi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c +@@ -920,12 +920,12 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host, + const struct mipi_dsi_msg *msg) + { + struct mtk_dsi *dsi = host_to_dsi(host); +- u32 recv_cnt, i; ++ ssize_t recv_cnt; + u8 read_data[16]; + void *src_addr; + u8 irq_flag = CMD_DONE_INT_FLAG; + u32 dsi_mode; +- int ret; ++ int ret, i; + + dsi_mode = readl(dsi->regs + DSI_MODE_CTRL); + if (dsi_mode & MODE) { +@@ -974,7 +974,7 @@ static ssize_t mtk_dsi_host_transfer(struct 
mipi_dsi_host *host, + if (recv_cnt) + memcpy(msg->rx_buf, src_addr, recv_cnt); + +- DRM_INFO("dsi get %d byte data from the panel address(0x%x)\n", ++ DRM_INFO("dsi get %zd byte data from the panel address(0x%x)\n", + recv_cnt, *((u8 *)(msg->tx_buf))); + + restore_dsi_mode: +-- +2.39.5 + diff --git a/queue-5.15/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch b/queue-5.15/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch new file mode 100644 index 0000000000..36a9141c57 --- /dev/null +++ b/queue-5.15/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch 
@@ -0,0 +1,66 @@ +From bd77e274a98df2eac85849337b7636a8138a31b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 16:48:12 +0100 +Subject: drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member + +From: AngeloGioacchino Del Regno + +[ Upstream commit 72fcb88e7bbc053ed4fc74cebb0315b98a0f20c3 ] + +Rename member aud_sampe_size of struct hdmi_audio_param to +aud_sample_size to fix a typo and enhance readability. + +This commit brings no functional changes. + +Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") +Reviewed-by: CK Hu +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-20-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index 047ed79dce3ff..67ab6579daf72 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -138,7 +138,7 @@ enum hdmi_aud_channel_swap_type { + + struct hdmi_audio_param { + enum hdmi_audio_coding_type aud_codec; +- enum hdmi_audio_sample_size aud_sampe_size; ++ enum hdmi_audio_sample_size aud_sample_size; + enum hdmi_aud_input_type aud_input_type; + enum hdmi_aud_i2s_fmt aud_i2s_fmt; + enum hdmi_aud_mclk aud_mclk; +@@ -1076,7 +1076,7 @@ static int mtk_hdmi_output_init(struct mtk_hdmi *hdmi) + + hdmi->csp = HDMI_COLORSPACE_RGB; + aud_param->aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- aud_param->aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ aud_param->aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + aud_param->aud_input_type = HDMI_AUD_INPUT_I2S; + aud_param->aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT; + aud_param->aud_mclk = HDMI_AUD_MCLK_128FS; +@@ -1577,14 +1577,14 @@ static int mtk_hdmi_audio_hw_params(struct device *dev, void *data, + switch (daifmt->fmt) { + 
case HDMI_I2S: + hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + hdmi_params.aud_input_type = HDMI_AUD_INPUT_I2S; + hdmi_params.aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT; + hdmi_params.aud_mclk = HDMI_AUD_MCLK_128FS; + break; + case HDMI_SPDIF: + hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + hdmi_params.aud_input_type = HDMI_AUD_INPUT_SPDIF; + break; + default: +-- +2.39.5 + diff --git a/queue-5.15/drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch b/queue-5.15/drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch new file mode 100644 index 0000000000..dabb420a41 --- /dev/null +++ b/queue-5.15/drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch 
@@ -0,0 +1,85 @@ +From b6aac456b98048a3da9bef61a191f589d3f748bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 16:48:10 +0100 +Subject: drm/mediatek: mtk_hdmi: Unregister audio platform device on failure + +From: AngeloGioacchino Del Regno + +[ Upstream commit 0be123cafc06eed0fd1227166a66e786434b0c50 ] + +The probe function of this driver may fail after registering the +audio platform device: in that case, the state is not getting +cleaned up, leaving this device registered. + +Adding up to the mix, should the probe function of this driver +return a probe deferral for N times, we're registering up to N +audio platform devices and, again, never freeing them up. + +To fix this, add a pointer to the audio platform device in the +mtk_hdmi structure, and add a devm action to unregister it upon +driver removal or probe failure. + +Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") +Reviewed-by: CK Hu +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-18-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index 7613b0fa2be6e..047ed79dce3ff 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -174,6 +174,7 @@ struct mtk_hdmi { + unsigned int sys_offset; + void __iomem *regs; + enum hdmi_colorspace csp; ++ struct platform_device *audio_pdev; + struct hdmi_audio_param aud_param; + bool audio_enable; + bool powered; +@@ -1667,6 +1668,11 @@ static const struct hdmi_codec_ops mtk_hdmi_audio_codec_ops = { + .no_capture_mute = 1, + }; + ++static void mtk_hdmi_unregister_audio_driver(void *data) ++{ ++ platform_device_unregister(data); ++} ++ + static int 
mtk_hdmi_register_audio_driver(struct device *dev) + { + struct mtk_hdmi *hdmi = dev_get_drvdata(dev); +@@ -1676,13 +1682,20 @@ static int mtk_hdmi_register_audio_driver(struct device *dev) + .i2s = 1, + .data = hdmi, + }; +- struct platform_device *pdev; ++ int ret; + +- pdev = platform_device_register_data(dev, HDMI_CODEC_DRV_NAME, +- PLATFORM_DEVID_AUTO, &codec_data, +- sizeof(codec_data)); +- if (IS_ERR(pdev)) +- return PTR_ERR(pdev); ++ hdmi->audio_pdev = platform_device_register_data(dev, ++ HDMI_CODEC_DRV_NAME, ++ PLATFORM_DEVID_AUTO, ++ &codec_data, ++ sizeof(codec_data)); ++ if (IS_ERR(hdmi->audio_pdev)) ++ return PTR_ERR(hdmi->audio_pdev); ++ ++ ret = devm_add_action_or_reset(dev, mtk_hdmi_unregister_audio_driver, ++ hdmi->audio_pdev); ++ if (ret) ++ return ret; + + DRM_INFO("%s driver bound to HDMI\n", HDMI_CODEC_DRV_NAME); + return 0; +-- +2.39.5 + diff --git a/queue-5.15/drm-vkms-fix-use-after-free-and-double-free-on-init-.patch b/queue-5.15/drm-vkms-fix-use-after-free-and-double-free-on-init-.patch new file mode 100644 index 0000000000..2cba113c2e --- /dev/null +++ b/queue-5.15/drm-vkms-fix-use-after-free-and-double-free-on-init-.patch 
@@ -0,0 +1,76 @@ +From 2534da75eb51d0550e8ee8b1e8dc8aef39f59b6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 09:49:12 +0100 +Subject: drm/vkms: Fix use after free and double free on init error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit ed15511a773df86205bda66c37193569575ae828 ] + +If the driver initialization fails, the vkms_exit() function might +access an uninitialized or freed default_config pointer and it might +double free it. + +Fix both possible errors by initializing default_config only when the +driver initialization succeeded. + +Reported-by: Louis Chauvet +Closes: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ +Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") +Signed-off-by: José Expósito +Reviewed-by: Thomas Zimmermann +Reviewed-by: Louis Chauvet +Link: https://patchwork.freedesktop.org/patch/msgid/20250212084912.3196-1-jose.exposito89@gmail.com +Signed-off-by: Louis Chauvet +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c +index f716c5796f5fc..09025ff3b1961 100644 +--- a/drivers/gpu/drm/vkms/vkms_drv.c ++++ b/drivers/gpu/drm/vkms/vkms_drv.c +@@ -226,17 +226,19 @@ static int __init vkms_init(void) + if (!config) + return -ENOMEM; + +- default_config = config; +- + config->cursor = enable_cursor; + config->writeback = enable_writeback; + config->overlay = enable_overlay; + + ret = vkms_create(config); +- if (ret) ++ if (ret) { + kfree(config); ++ return ret; ++ } + +- return ret; ++ default_config = config; ++ ++ return 0; + } + + static void vkms_destroy(struct vkms_config *config) +@@ -260,9 +262,10 @@ static void vkms_destroy(struct vkms_config *config) + + static void __exit vkms_exit(void) + { +- if (default_config->dev) +- 
vkms_destroy(default_config); ++ if (!default_config) ++ return; + ++ vkms_destroy(default_config); + kfree(default_config); + } + +-- +2.39.5 + diff --git a/queue-5.15/drm-xlnx-zynqmp-fix-max-dma-segment-size.patch b/queue-5.15/drm-xlnx-zynqmp-fix-max-dma-segment-size.patch new file mode 100644 index 0000000000..3dae3cf649 --- /dev/null +++ b/queue-5.15/drm-xlnx-zynqmp-fix-max-dma-segment-size.patch @@ -0,0 +1,38 @@ +From 355f6a85cccbdb6db7ed04c41ae2fd45802d2a99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 11:03:39 +0200 +Subject: drm: xlnx: zynqmp: Fix max dma segment size + +From: Tomi Valkeinen + +[ Upstream commit 28b529a98525123acd37372a04d21e87ec2edcf7 ] + +Fix "mapping sg segment longer than device claims to support" warning by +setting the max segment size. + +Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem") +Reviewed-by: Sean Anderson +Tested-by: Sean Anderson +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20250115-xilinx-formats-v2-10-160327ca652a@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +index 5bb42d0a2de98..78b7dd210d89c 100644 +--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c ++++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +@@ -204,6 +204,8 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ dma_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32)); ++ + /* Try the reserved memory. Proceed if there's none. */ + of_reserved_mem_device_init(&pdev->dev); + +-- +2.39.5 + diff --git a/queue-5.15/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch b/queue-5.15/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch new file mode 100644 index 0000000000..1db7b05f3e --- /dev/null +++ b/queue-5.15/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch 
@@ -0,0 +1,46 @@ +From 1e7762c58897037599c8c89cc1312d4236c828d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:02 +0800 +Subject: EDAC/ie31200: Fix the DIMM size mask for several SoCs + +From: Qiuxu Zhuo + +[ Upstream commit 3427befbbca6b19fe0e37f91d66ce5221de70bf1 ] + +The DIMM size mask for {Sky, Kaby, Coffee} Lake is not bits{7:0}, +but bits{5:0}. Fix it. + +Fixes: 953dee9bbd24 ("EDAC, ie31200_edac: Add Skylake support") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-3-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index de89df8ff06ee..ead3646294b68 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -154,6 +154,7 @@ + #define IE31200_MAD_DIMM_0_OFFSET 0x5004 + #define IE31200_MAD_DIMM_0_OFFSET_SKL 0x500C + #define IE31200_MAD_DIMM_SIZE GENMASK_ULL(7, 0) ++#define IE31200_MAD_DIMM_SIZE_SKL GENMASK_ULL(5, 0) + #define IE31200_MAD_DIMM_A_RANK BIT(17) + #define IE31200_MAD_DIMM_A_RANK_SHIFT 17 + #define IE31200_MAD_DIMM_A_RANK_SKL BIT(10) +@@ -367,7 +368,7 @@ static void __iomem *ie31200_map_mchbar(struct pci_dev *pdev) + static void __skl_populate_dimm_info(struct dimm_data *dd, u32 addr_decode, + int chan) + { +- dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE; ++ dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE_SKL; + dd->dual_rank = (addr_decode & (IE31200_MAD_DIMM_A_RANK_SKL << (chan << 4))) ? 1 : 0; + dd->x16_width = ((addr_decode & (IE31200_MAD_DIMM_A_WIDTH_SKL << (chan << 4))) >> + (IE31200_MAD_DIMM_A_WIDTH_SKL_SHIFT + (chan << 4))); +-- +2.39.5 + 
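Review bot: in the amdgpu_pmops_freeze() hunk of drm-amd-keep-display-off-while-going-into-s4.patch, dropping "adev->in_s4 = false;" leaves the flag set when amdgpu_device_suspend() fails and the function returns r. The flag is now cleared only in amdgpu_pmops_thaw() and amdgpu_pmops_restore(), so unless one of those is guaranteed to run after a failed freeze, the new "if (adev->in_s4) return 0;" test in dm_resume() would keep skipping display bring-up on a later resume. Suggest clearing in_s4 on the error return in freeze, or saying in the commit message why a thaw always follows.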
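Review bot: the new "aux->id = (client->adapter->nr << 10) | client->addr;" in ti_sn65dsi86_add_aux_device() packs two values with an unexplained shift of 10. A one-line comment saying that the low 10 bits hold the I2C address (wide enough for 10-bit addressing) and the remaining bits the adapter number would make the layout reviewable, and it is worth confirming that adapter->nr is already assigned and non-negative at this point, since it is shifted as a signed int.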
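Review bot: drm_dp_mst_rad_to_str() still writes unpacked_rad[16] and reads rad[8] inside a loop bounded only by the caller-supplied u8 lct ("for (i = 1; i < lct; i++)"), and nothing in this hunk rejects lct > 16. Since the loop is being reworked anyway, suggest clamping lct to ARRAY_SIZE(unpacked_rad) or returning early, so an out-of-range lct cannot drive the accesses past either array.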
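Review bot: with recv_cnt changed from u32 to ssize_t in mtk_dsi_host_transfer(), the unchanged guard "if (recv_cnt) memcpy(msg->rx_buf, src_addr, recv_cnt);" in the second hunk is also true for a negative value, which memcpy() would take as a very large size_t. The assignment to recv_cnt is outside the visible context; if it can ever hold an error code, the guard should become "if (recv_cnt > 0)" so that it matches the new signed type.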
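Review bot: in mtk_hdmi_register_audio_driver() the result of platform_device_register_data() is stored straight into hdmi->audio_pdev, so on failure the structure keeps an ERR_PTR after "return PTR_ERR(hdmi->audio_pdev);". Nothing in this patch reads the field again, but a later user testing it against NULL would be misled. Suggest keeping the local pdev and assigning hdmi->audio_pdev only after the IS_ERR() check has passed.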
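Review bot: the added "dma_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32));" in zynqmp_dpsub_probe() discards the helper's result, while the call just above it is checked with "if (ret) return ret;". If the helper can fail in this tree, the "mapping sg segment longer than device claims to support" warning would remain with no trace of why. Suggest checking the return value, or adding a comment that a failure here is harmless.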
diff --git a/queue-5.15/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch b/queue-5.15/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch new file mode 100644 index 0000000000..32981b59bb --- /dev/null +++ b/queue-5.15/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch 
@@ -0,0 +1,68 @@ +From df3930285b30ae83b20d626cb38ae925f6374762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:03 +0800 +Subject: EDAC/ie31200: Fix the error path order of ie31200_init() + +From: Qiuxu Zhuo + +[ Upstream commit 231e341036d9988447e3b3345cf741a98139199e ] + +The error path order of ie31200_init() is incorrect, fix it. + +Fixes: 709ed1bcef12 ("EDAC/ie31200: Fallback if host bridge device is already initialized") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-4-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index ead3646294b68..acb011cfd8c4f 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -607,7 +607,7 @@ static int __init ie31200_init(void) + + pci_rc = pci_register_driver(&ie31200_driver); + if (pci_rc < 0) +- goto fail0; ++ return pci_rc; + + if (!mci_pdev) { + ie31200_registered = 0; +@@ -618,11 +618,13 @@ static int __init ie31200_init(void) + if (mci_pdev) + break; + } ++ + if (!mci_pdev) { + edac_dbg(0, "ie31200 pci_get_device fail\n"); + pci_rc = -ENODEV; +- goto fail1; ++ goto fail0; + } ++ + pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]); + if (pci_rc < 0) { + edac_dbg(0, "ie31200 init fail\n"); +@@ -630,12 +632,12 @@ static int __init ie31200_init(void) + goto fail1; + } + } +- return 0; + ++ return 0; + fail1: +- pci_unregister_driver(&ie31200_driver); +-fail0: + pci_dev_put(mci_pdev); ++fail0: ++ pci_unregister_driver(&ie31200_driver); + + return pci_rc; + } +-- +2.39.5 + diff --git a/queue-5.15/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch b/queue-5.15/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch new file mode 100644 index 0000000000..e70a9024c9 --- /dev/null 
+++ b/queue-5.15/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch @@ -0,0 +1,48 @@ +From d3ad197c7bdc08fac7c9e099f22f379182a14768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:01 +0800 +Subject: EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer + +From: Qiuxu Zhuo + +[ Upstream commit d59d844e319d97682c8de29b88d2d60922a683b3 ] + +The EDAC_MC_LAYER_CHIP_SELECT layer pertains to the rank, not the DIMM. +Fix its size to reflect the number of ranks instead of the number of DIMMs. +Also delete the unused macros IE31200_{DIMMS,RANKS}. + +Fixes: 7ee40b897d18 ("ie31200_edac: Introduce the driver") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-2-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 9a9ff5ad611ac..de89df8ff06ee 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -83,8 +83,6 @@ + (((did) & PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK) == \ + PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK)) + +-#define IE31200_DIMMS 4 +-#define IE31200_RANKS 8 + #define IE31200_RANKS_PER_CHANNEL 4 + #define IE31200_DIMMS_PER_CHANNEL 2 + #define IE31200_CHANNELS 2 +@@ -418,7 +416,7 @@ static int ie31200_probe1(struct pci_dev *pdev, int dev_idx) + + nr_channels = how_many_channels(pdev); + layers[0].type = EDAC_MC_LAYER_CHIP_SELECT; +- layers[0].size = IE31200_DIMMS; ++ layers[0].size = IE31200_RANKS_PER_CHANNEL; + layers[0].is_virt_csrow = true; + layers[1].type = EDAC_MC_LAYER_CHANNEL; + layers[1].size = nr_channels; +-- +2.39.5 + diff --git a/queue-5.15/exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch b/queue-5.15/exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch new file mode 100644 index 0000000000..36a280bafc --- /dev/null 
+++ b/queue-5.15/exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch @@ -0,0 +1,46 @@ +From 66d445ca3f85c18ac1c7f51457476dd0b4a6c4ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 10:53:10 +0800 +Subject: exfat: fix the infinite loop in exfat_find_last_cluster() + +From: Yuezhang Mo + +[ Upstream commit b0522303f67255926b946aa66885a0104d1b2980 ] + +In exfat_find_last_cluster(), the cluster chain is traversed until +the EOF cluster. If the cluster chain includes a loop due to file +system corruption, the EOF cluster cannot be traversed, resulting +in an infinite loop. + +If the number of clusters indicated by the file size is inconsistent +with the cluster chain length, exfat_find_last_cluster() will return +an error, so if this inconsistency is found, the traversal can be +aborted without traversing to the EOF cluster. + +Reported-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f7d147e6db52b1e09dba +Tested-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com +Fixes: 31023864e67a ("exfat: add fat entry operations") +Signed-off-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Sasha Levin +--- + fs/exfat/fatent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c +index 9c116a58544da..c5f6015a947ce 100644 +--- a/fs/exfat/fatent.c ++++ b/fs/exfat/fatent.c +@@ -264,7 +264,7 @@ int exfat_find_last_cluster(struct super_block *sb, struct exfat_chain *p_chain, + clu = next; + if (exfat_ent_get(sb, clu, &next)) + return -EIO; +- } while (next != EXFAT_EOF_CLUSTER); ++ } while (next != EXFAT_EOF_CLUSTER && count <= p_chain->size); + + if (p_chain->size != count) { + exfat_fs_error(sb, +-- +2.39.5 + diff --git a/queue-5.15/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch b/queue-5.15/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch new file mode 100644 index 0000000000..25be43c4cc --- /dev/null 
+++ b/queue-5.15/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch @@ -0,0 +1,52 @@ +From ef6203026fec4e2a974ebf2f148ba58ebe5228c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 21:35:36 +0200 +Subject: fbdev: au1100fb: Move a variable assignment behind a null pointer + check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit 2df2c0caaecfd869b49e14f2b8df822397c5dd7f ] + +The address of a data structure member was determined before +a corresponding null pointer check in the implementation of +the function “au1100fb_setmode”. + +This issue was detected by using the Coccinelle software. + +Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.") +Signed-off-by: Markus Elfring +Acked-by: Uwe Kleine-König +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1100fb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/au1100fb.c b/drivers/video/fbdev/au1100fb.c +index 37a6512feda0f..abb769824840e 100644 +--- a/drivers/video/fbdev/au1100fb.c ++++ b/drivers/video/fbdev/au1100fb.c +@@ -137,13 +137,15 @@ static int au1100fb_fb_blank(int blank_mode, struct fb_info *fbi) + */ + int au1100fb_setmode(struct au1100fb_device *fbdev) + { +- struct fb_info *info = &fbdev->info; ++ struct fb_info *info; + u32 words; + int index; + + if (!fbdev) + return -EINVAL; + ++ info = &fbdev->info; ++ + /* Update var-dependent FB info */ + if (panel_is_active(fbdev->panel) || panel_is_color(fbdev->panel)) { + if (info->var.bits_per_pixel <= 8) { +-- +2.39.5 + diff --git a/queue-5.15/fbdev-sm501fb-add-some-geometry-checks.patch b/queue-5.15/fbdev-sm501fb-add-some-geometry-checks.patch new file mode 100644 index 0000000000..2e0915bae0 --- /dev/null +++ b/queue-5.15/fbdev-sm501fb-add-some-geometry-checks.patch 
@@ -0,0 +1,44 @@ +From 75fafe83930e7aa0542dc5473455ee38ee39b2e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 01:30:11 +0000 +Subject: fbdev: sm501fb: Add some geometry checks. + +From: Danila Chernetsov + +[ Upstream commit aee50bd88ea5fde1ff4cc021385598f81a65830c ] + +Added checks for xoffset, yoffset settings. +Incorrect settings of these parameters can lead to errors +in sm501fb_pan_ functions. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5fc404e47bdf ("[PATCH] fb: SM501 framebuffer driver") +Signed-off-by: Danila Chernetsov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sm501fb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c +index 6a52eba645596..3c46838651b06 100644 +--- a/drivers/video/fbdev/sm501fb.c ++++ b/drivers/video/fbdev/sm501fb.c +@@ -326,6 +326,13 @@ static int sm501fb_check_var(struct fb_var_screeninfo *var, + if (var->xres_virtual > 4096 || var->yres_virtual > 2048) + return -EINVAL; + ++ /* geometry sanity checks */ ++ if (var->xres + var->xoffset > var->xres_virtual) ++ return -EINVAL; ++ ++ if (var->yres + var->yoffset > var->yres_virtual) ++ return -EINVAL; ++ + /* can cope with 8,16 or 32bpp */ + + if (var->bits_per_pixel <= 8) +-- +2.39.5 + diff --git a/queue-5.15/fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch b/queue-5.15/fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch new file mode 100644 index 0000000000..e02d2c1ced --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch 
@@ -0,0 +1,45 @@ +From e3946d6d6d4aa0c4d0a6645ac2fa14e95044a017 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Feb 2025 23:52:00 +0300 +Subject: fs/ntfs3: Fix a couple integer overflows on 32bit systems + +From: Dan Carpenter + +[ Upstream commit 5ad414f4df2294b28836b5b7b69787659d6aa708 ] + +On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can +have an integer wrapping issue. Fix it by using size_add(). + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Signed-off-by: Dan Carpenter +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 9cffd59e9735b..cc2d29261859a 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -617,7 +617,7 @@ static bool index_hdr_check(const struct INDEX_HDR *hdr, u32 bytes) + u32 off = le32_to_cpu(hdr->de_off); + + if (!IS_ALIGNED(off, 8) || tot > bytes || end > tot || +- off + sizeof(struct NTFS_DE) > end) { ++ size_add(off, sizeof(struct NTFS_DE)) > end) { + /* incorrect index buffer. */ + return false; + } +@@ -736,7 +736,7 @@ static struct NTFS_DE *hdr_find_e(const struct ntfs_index *indx, + if (end > total) + return NULL; + +- if (off + sizeof(struct NTFS_DE) > end) ++ if (size_add(off, sizeof(struct NTFS_DE)) > end) + return NULL; + + e = Add2Ptr(hdr, off); +-- +2.39.5 + diff --git a/queue-5.15/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch b/queue-5.15/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch new file mode 100644 index 0000000000..a02df23e6c --- /dev/null +++ b/queue-5.15/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch 
@@ -0,0 +1,41 @@ +From ce44fd5d4d7697bbbed8705dbc106ae9f22db9d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 14:02:22 -0700 +Subject: fs/procfs: fix the comment above proc_pid_wchan() + +From: Bart Van Assche + +[ Upstream commit 6287fbad1cd91f0c25cdc3a580499060828a8f30 ] + +proc_pid_wchan() used to report kernel addresses to user space but that is +no longer the case today. Bring the comment above proc_pid_wchan() in +sync with the implementation. + +Link: https://lkml.kernel.org/r/20250319210222.1518771-1-bvanassche@acm.org +Fixes: b2f73922d119 ("fs/proc, core/debug: Don't expose absolute kernel addresses via wchan") +Signed-off-by: Bart Van Assche +Cc: Kees Cook +Cc: Eric W. Biederman +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index d0414e566d30a..3405005199b61 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -416,7 +416,7 @@ static const struct file_operations proc_pid_cmdline_ops = { + #ifdef CONFIG_KALLSYMS + /* + * Provides a wchan file via kallsyms in a proper one-value-per-file format. +- * Returns the resolved symbol. If that fails, simply return the address. ++ * Returns the resolved symbol to user space. + */ + static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task) +-- +2.39.5 + diff --git a/queue-5.15/fuse-fix-dax-truncate-punch_hole-fault-path.patch b/queue-5.15/fuse-fix-dax-truncate-punch_hole-fault-path.patch new file mode 100644 index 0000000000..26731323f1 --- /dev/null +++ b/queue-5.15/fuse-fix-dax-truncate-punch_hole-fault-path.patch 
@@ -0,0 +1,146 @@ +From 28b68d2f0a9769b8f6f260ea357d186be031a841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:30:56 +1100 +Subject: fuse: fix dax truncate/punch_hole fault path + +From: Alistair Popple + +[ Upstream commit 7851bf649d423edd7286b292739f2eefded3d35c ] + +Patch series "fs/dax: Fix ZONE_DEVICE page reference counts", v9. + +Device and FS DAX pages have always maintained their own page reference +counts without following the normal rules for page reference counting. In +particular pages are considered free when the refcount hits one rather +than zero and refcounts are not added when mapping the page. + +Tracking this requires special PTE bits (PTE_DEVMAP) and a secondary +mechanism for allowing GUP to hold references on the page (see +get_dev_pagemap). However there doesn't seem to be any reason why FS DAX +pages need their own reference counting scheme. + +By treating the refcounts on these pages the same way as normal pages we +can remove a lot of special checks. In particular pXd_trans_huge() +becomes the same as pXd_leaf(), although I haven't made that change here. +It also frees up a valuable SW define PTE bit on architectures that have +devmap PTE bits defined. + +It also almost certainly allows further clean-up of the devmap managed +functions, but I have left that as a future improvment. It also enables +support for compound ZONE_DEVICE pages which is one of my primary +motivators for doing this work. + +This patch (of 20): + +FS DAX requires file systems to call into the DAX layout prior to +unlinking inodes to ensure there is no ongoing DMA or other remote access +to the direct mapped page. The fuse file system implements +fuse_dax_break_layouts() to do this which includes a comment indicating +that passing dmap_end == 0 leads to unmapping of the whole file. 
+ +However this is not true - passing dmap_end == 0 will not unmap anything +before dmap_start, and further more dax_layout_busy_page_range() will not +scan any of the range to see if there maybe ongoing DMA access to the +range. Fix this by passing -1 for dmap_end to fuse_dax_break_layouts() +which will invalidate the entire file range to +dax_layout_busy_page_range(). + +Link: https://lkml.kernel.org/r/cover.8068ad144a7eea4a813670301f4d2a86a8e68ec4.1740713401.git-series.apopple@nvidia.com +Link: https://lkml.kernel.org/r/f09a34b6c40032022e4ddee6fadb7cc676f08867.1740713401.git-series.apopple@nvidia.com +Fixes: 6ae330cad6ef ("virtiofs: serialize truncate/punch_hole and dax fault path") +Signed-off-by: Alistair Popple +Co-developed-by: Dan Williams +Signed-off-by: Dan Williams +Reviewed-by: Balbir Singh +Tested-by: Alison Schofield +Cc: Vivek Goyal +Cc: Alexander Gordeev +Cc: Asahi Lina +Cc: Bjorn Helgaas +Cc: Catalin Marinas +Cc: Christian Borntraeger +Cc: Christoph Hellwig +Cc: Chunyan Zhang +Cc: "Darrick J. 
Wong" +Cc: Dave Chinner +Cc: Dave Hansen +Cc: Dave Jiang +Cc: David Hildenbrand +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Huacai Chen +Cc: Ira Weiny +Cc: Jan Kara +Cc: Jason Gunthorpe +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: linmiaohe +Cc: Logan Gunthorpe +Cc: Matthew Wilcow (Oracle) +Cc: Michael "Camp Drill Sergeant" Ellerman +Cc: Nicholas Piggin +Cc: Peter Xu +Cc: Sven Schnelle +Cc: Ted Ts'o +Cc: Vasily Gorbik +Cc: Vishal Verma +Cc: WANG Xuerui +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/fuse/dax.c | 1 - + fs/fuse/dir.c | 2 +- + fs/fuse/file.c | 4 ++-- + 3 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/fuse/dax.c b/fs/fuse/dax.c +index 3e7aafe2e9533..d3ebb02626e2f 100644 +--- a/fs/fuse/dax.c ++++ b/fs/fuse/dax.c +@@ -681,7 +681,6 @@ static int __fuse_dax_break_layouts(struct inode *inode, bool *retry, + 0, 0, fuse_wait_dax_page(inode)); + } + +-/* dmap_end == 0 leads to unmapping of whole file */ + int fuse_dax_break_layouts(struct inode *inode, u64 dmap_start, + u64 dmap_end) + { +diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c +index 03dadc44e9b1c..1b8bf81d6c16b 100644 +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1600,7 +1600,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr, + if (FUSE_IS_DAX(inode) && is_truncate) { + filemap_invalidate_lock(mapping); + fault_blocked = true; +- err = fuse_dax_break_layouts(inode, 0, 0); ++ err = fuse_dax_break_layouts(inode, 0, -1); + if (err) { + filemap_invalidate_unlock(mapping); + return err; +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 8702ef9ff8b9e..40fdb4dac5bbc 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -242,7 +242,7 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir) + + if (dax_truncate) { + filemap_invalidate_lock(inode->i_mapping); +- err = fuse_dax_break_layouts(inode, 0, 0); ++ err = fuse_dax_break_layouts(inode, 0, -1); + if (err) + goto out_inode_unlock; + } +@@ -2962,7 +2962,7 @@ static 
long fuse_file_fallocate(struct file *file, int mode, loff_t offset, + inode_lock(inode); + if (block_faults) { + filemap_invalidate_lock(inode->i_mapping); +- err = fuse_dax_break_layouts(inode, 0, 0); ++ err = fuse_dax_break_layouts(inode, 0, -1); + if (err) + goto out; + } +-- +2.39.5 + diff --git a/queue-5.15/hid-remove-superfluous-and-wrong-makefile-entry-for-.patch b/queue-5.15/hid-remove-superfluous-and-wrong-makefile-entry-for-.patch new file mode 100644 index 0000000000..4c8eb907a4 --- /dev/null +++ b/queue-5.15/hid-remove-superfluous-and-wrong-makefile-entry-for-.patch @@ -0,0 +1,44 @@ +From 36f37d5186084de298f0be79de4124ed3c57d458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 09:08:22 +0100 +Subject: HID: remove superfluous (and wrong) Makefile entry for + CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER + +From: Jiri Kosina + +[ Upstream commit fe0fb58325e519008e2606a5aa2cff7ad23e212d ] + +The line + + obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/ + +in top-level HID Makefile is both superfluous (as CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER +depends on CONFIG_INTEL_ISH_HID, which contains intel-ish-hid/ already) and wrong (as it's +missing the CONFIG_ prefix). + +Just remove it. + +Fixes: 91b228107da3e ("HID: intel-ish-hid: ISH firmware loader client driver") +Reported-by: Jiri Slaby +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/Makefile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile +index e29efcb1c0402..9fc46db0a3da6 100644 +--- a/drivers/hid/Makefile ++++ b/drivers/hid/Makefile +@@ -144,7 +144,6 @@ obj-$(CONFIG_USB_KBD) += usbhid/ + obj-$(CONFIG_I2C_HID_CORE) += i2c-hid/ + + obj-$(CONFIG_INTEL_ISH_HID) += intel-ish-hid/ +-obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/ + + obj-$(CONFIG_AMD_SFH_HID) += amd-sfh-hid/ + +-- +2.39.5 + 
diff --git a/queue-5.15/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch b/queue-5.15/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch new file mode 100644 index 0000000000..0a3fa15784 --- /dev/null +++ b/queue-5.15/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch @@ -0,0 +1,40 @@ +From 4e861f794367a375b035575ce3d0bfd7fda44050 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 05:08:32 +0200 +Subject: hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} + +From: Tasos Sahanidis + +[ Upstream commit 815f80ad20b63830949a77c816e35395d5d55144 ] + +pwm_num is set to 7 for these chips, but NCT6776_REG_PWM_MODE and +NCT6776_PWM_MODE_MASK only contain 6 values. + +Fix this by adding another 0 to the end of each array. + +Signed-off-by: Tasos Sahanidis +Link: https://lore.kernel.org/r/20250312030832.106475-1-tasos@tasossah.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index 3645a19cdaf4d..71cfc1c5bd12e 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -420,8 +420,8 @@ static const s8 NCT6776_BEEP_BITS[] = { + static const u16 NCT6776_REG_TOLERANCE_H[] = { + 0x10c, 0x20c, 0x30c, 0x80c, 0x90c, 0xa0c, 0xb0c }; + +-static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0 }; +-static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0 }; ++static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0, 0 }; ++static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0, 0 }; + + static const u16 NCT6776_REG_FAN_MIN[] = { + 0x63a, 0x63c, 0x63e, 0x640, 0x642, 0x64a, 0x64c }; +-- +2.39.5 + diff --git a/queue-5.15/i3c-master-svc-fix-missing-the-ibi-rules.patch b/queue-5.15/i3c-master-svc-fix-missing-the-ibi-rules.patch new file mode 100644 index 0000000000..39f72f7ec8 --- /dev/null 
+++ b/queue-5.15/i3c-master-svc-fix-missing-the-ibi-rules.patch @@ -0,0 +1,40 @@ +From 377336125fb11d5c99d74ed8530b25ceeb69cc7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 13:36:04 +0800 +Subject: i3c: master: svc: Fix missing the IBI rules + +From: Stanley Chu + +[ Upstream commit 9cecad134d84d14dc72a0eea7a107691c3e5a837 ] + +The code does not add IBI rules for devices with controller capability. +However, the secondary controller has the controller capability and works +at target mode when the device is probed. Therefore, add IBI rules for +such devices. + +Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver") +Signed-off-by: Stanley Chu +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250318053606.3087121-2-yschu@nuvoton.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/svc-i3c-master.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c +index 7fc82b003b961..29440a1266b8a 100644 +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -807,7 +807,7 @@ static int svc_i3c_update_ibirules(struct svc_i3c_master *master) + + /* Create the IBIRULES register for both cases */ + i3c_bus_for_each_i3cdev(&master->base.bus, dev) { +- if (I3C_BCR_DEVICE_ROLE(dev->info.bcr) == I3C_BCR_I3C_MASTER) ++ if (!(dev->info.bcr & I3C_BCR_IBI_REQ_CAP)) + continue; + + if (dev->info.bcr & I3C_BCR_IBI_PAYLOAD) { +-- +2.39.5 + diff --git a/queue-5.15/ib-mad-check-available-slots-before-posting-receive-.patch b/queue-5.15/ib-mad-check-available-slots-before-posting-receive-.patch new file mode 100644 index 0000000000..f128aa8904 --- /dev/null +++ b/queue-5.15/ib-mad-check-available-slots-before-posting-receive-.patch 
@@ -0,0 +1,133 @@ +From bc0702e4f08b7860958dd7794c9c91334ad9780c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:20:17 +0200 +Subject: IB/mad: Check available slots before posting receive WRs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maher Sanalla + +[ Upstream commit 37826f0a8c2f6b6add5179003b8597e32a445362 ] + +The ib_post_receive_mads() function handles posting receive work +requests (WRs) to MAD QPs and is called in two cases: +1) When a MAD port is opened. +2) When a receive WQE is consumed upon receiving a new MAD. + +Whereas, if MADs arrive during the port open phase, a race condition +might cause an extra WR to be posted, exceeding the QP’s capacity. +This leads to failures such as: +infiniband mlx5_0: ib_post_recv failed: -12 +infiniband mlx5_0: Couldn't post receive WRs +infiniband mlx5_0: Couldn't start port +infiniband mlx5_0: Couldn't open port 1 + +Fix this by checking the current receive count before posting a new WR. +If the QP’s receive queue is full, do not post additional WRs. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Maher Sanalla +Link: https://patch.msgid.link/c4984ba3c3a98a5711a558bccefcad789587ecf1.1741875592.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 38 ++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 58befbaaf0ad5..242434c09e8d8 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -2671,11 +2671,11 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + struct ib_mad_private *mad) + { + unsigned long flags; +- int post, ret; + struct ib_mad_private *mad_priv; + struct ib_sge sg_list; + struct ib_recv_wr recv_wr; + struct ib_mad_queue *recv_queue = &qp_info->recv_queue; ++ int ret = 0; + + /* Initialize common scatter list fields */ + sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey; +@@ -2685,7 +2685,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + recv_wr.sg_list = &sg_list; + recv_wr.num_sge = 1; + +- do { ++ while (true) { + /* Allocate and map receive buffer */ + if (mad) { + mad_priv = mad; +@@ -2693,10 +2693,8 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + } else { + mad_priv = alloc_mad_private(port_mad_size(qp_info->port_priv), + GFP_ATOMIC); +- if (!mad_priv) { +- ret = -ENOMEM; +- break; +- } ++ if (!mad_priv) ++ return -ENOMEM; + } + sg_list.length = mad_priv_dma_size(mad_priv); + sg_list.addr = ib_dma_map_single(qp_info->port_priv->device, +@@ -2705,37 +2703,41 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + DMA_FROM_DEVICE); + if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device, + sg_list.addr))) { +- kfree(mad_priv); + ret = -ENOMEM; +- break; ++ goto free_mad_priv; + } + mad_priv->header.mapping = sg_list.addr; + mad_priv->header.mad_list.mad_queue = recv_queue; + 
mad_priv->header.mad_list.cqe.done = ib_mad_recv_done; + recv_wr.wr_cqe = &mad_priv->header.mad_list.cqe; +- +- /* Post receive WR */ + spin_lock_irqsave(&recv_queue->lock, flags); +- post = (++recv_queue->count < recv_queue->max_active); +- list_add_tail(&mad_priv->header.mad_list.list, &recv_queue->list); ++ if (recv_queue->count >= recv_queue->max_active) { ++ /* Fully populated the receive queue */ ++ spin_unlock_irqrestore(&recv_queue->lock, flags); ++ break; ++ } ++ recv_queue->count++; ++ list_add_tail(&mad_priv->header.mad_list.list, ++ &recv_queue->list); + spin_unlock_irqrestore(&recv_queue->lock, flags); ++ + ret = ib_post_recv(qp_info->qp, &recv_wr, NULL); + if (ret) { + spin_lock_irqsave(&recv_queue->lock, flags); + list_del(&mad_priv->header.mad_list.list); + recv_queue->count--; + spin_unlock_irqrestore(&recv_queue->lock, flags); +- ib_dma_unmap_single(qp_info->port_priv->device, +- mad_priv->header.mapping, +- mad_priv_dma_size(mad_priv), +- DMA_FROM_DEVICE); +- kfree(mad_priv); + dev_err(&qp_info->port_priv->device->dev, + "ib_post_recv failed: %d\n", ret); + break; + } +- } while (post); ++ } + ++ ib_dma_unmap_single(qp_info->port_priv->device, ++ mad_priv->header.mapping, ++ mad_priv_dma_size(mad_priv), DMA_FROM_DEVICE); ++free_mad_priv: ++ kfree(mad_priv); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.15/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch b/queue-5.15/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch new file mode 100644 index 0000000000..ad8c5249c4 --- /dev/null +++ b/queue-5.15/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch 
@@ -0,0 +1,61 @@ +From 4fd6562d9cbce12449d4421677b83aa64410a989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:01:28 +0000 +Subject: iio: accel: mma8452: Ensure error return on failure to matching + oversampling ratio + +From: Jonathan Cameron + +[ Upstream commit df330c808182a8beab5d0f84a6cbc9cff76c61fc ] + +If a match was not found, then the write_raw() callback would return +the odr index, not an error. Return -EINVAL if this occurs. +To avoid similar issues in future, introduce j, a new indexing variable +rather than using ret for this purpose. + +Fixes: 79de2ee469aa ("iio: accel: mma8452: claim direct mode during write raw") +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250217140135.896574-2-jic23@kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/mma8452.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c +index 1f46a73aafeac..a7168803408f6 100644 +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -709,7 +709,7 @@ static int mma8452_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct mma8452_data *data = iio_priv(indio_dev); +- int i, ret; ++ int i, j, ret; + + ret = iio_device_claim_direct_mode(indio_dev); + if (ret) +@@ -769,14 +769,18 @@ static int mma8452_write_raw(struct iio_dev *indio_dev, + break; + + case IIO_CHAN_INFO_OVERSAMPLING_RATIO: +- ret = mma8452_get_odr_index(data); ++ j = mma8452_get_odr_index(data); + + for (i = 0; i < ARRAY_SIZE(mma8452_os_ratio); i++) { +- if (mma8452_os_ratio[i][ret] == val) { ++ if (mma8452_os_ratio[i][j] == val) { + ret = mma8452_set_power_mode(data, i); + break; + } + } ++ if (i == ARRAY_SIZE(mma8452_os_ratio)) { ++ ret = -EINVAL; ++ break; ++ } + break; + default: + ret = -EINVAL; +-- +2.39.5 + 
diff --git a/queue-5.15/iio-adc-ad7124-fix-comparison-of-channel-configs.patch b/queue-5.15/iio-adc-ad7124-fix-comparison-of-channel-configs.patch new file mode 100644 index 0000000000..6ef2588d2e --- /dev/null +++ b/queue-5.15/iio-adc-ad7124-fix-comparison-of-channel-configs.patch 
@@ -0,0 +1,103 @@ +From fc1df214dbfabb3448fadca9261a340914c5f9e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 12:47:01 +0100 +Subject: iio: adc: ad7124: Fix comparison of channel configs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 05a5d874f7327b75e9bc4359618017e047cc129c ] + +Checking the binary representation of two structs (of the same type) +for equality doesn't have the same semantic as comparing all members for +equality. The former might find a difference where the latter doesn't in +the presence of padding or when ambiguous types like float or bool are +involved. (Floats typically have different representations for single +values, like -0.0 vs +0.0, or 0.5 * 2² vs 0.25 * 2³. The type bool has +at least 8 bits and the raw values 1 and 2 (probably) both evaluate to +true, but memcmp finds a difference.) + +When searching for a channel that already has the configuration we need, +the comparison by member is the one that is needed. + +Convert the comparison accordingly to compare the members one after +another. Also add a static_assert guard to (somewhat) ensure that when +struct ad7124_channel_config::config_props is expanded, the comparison +is adapted, too. + +This issue is somewhat theoretic, but using memcmp() on a struct is a +bad pattern that is worth fixing. 
+ +Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels") +Signed-off-by: Uwe Kleine-König +Link: https://patch.msgid.link/20250303114659.1672695-13-u.kleine-koenig@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7124.c | 35 +++++++++++++++++++++++++++++++---- + 1 file changed, 31 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c +index 93f32bba73f62..31c8cb3bf811b 100644 +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -144,7 +144,11 @@ struct ad7124_chip_info { + struct ad7124_channel_config { + bool live; + unsigned int cfg_slot; +- /* Following fields are used to compare equality. */ ++ /* ++ * Following fields are used to compare for equality. If you ++ * make adaptations in it, you most likely also have to adapt ++ * ad7124_find_similar_live_cfg(), too. ++ */ + struct_group(config_props, + enum ad7124_ref_sel refsel; + bool bipolar; +@@ -331,15 +335,38 @@ static struct ad7124_channel_config *ad7124_find_similar_live_cfg(struct ad7124_ + struct ad7124_channel_config *cfg) + { + struct ad7124_channel_config *cfg_aux; +- ptrdiff_t cmp_size; + int i; + +- cmp_size = sizeof_field(struct ad7124_channel_config, config_props); ++ /* ++ * This is just to make sure that the comparison is adapted after ++ * struct ad7124_channel_config was changed. 
++ */ ++ static_assert(sizeof_field(struct ad7124_channel_config, config_props) == ++ sizeof(struct { ++ enum ad7124_ref_sel refsel; ++ bool bipolar; ++ bool buf_positive; ++ bool buf_negative; ++ unsigned int vref_mv; ++ unsigned int pga_bits; ++ unsigned int odr; ++ unsigned int odr_sel_bits; ++ unsigned int filter_type; ++ })); ++ + for (i = 0; i < st->num_channels; i++) { + cfg_aux = &st->channels[i].cfg; + + if (cfg_aux->live && +- !memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size)) ++ cfg->refsel == cfg_aux->refsel && ++ cfg->bipolar == cfg_aux->bipolar && ++ cfg->buf_positive == cfg_aux->buf_positive && ++ cfg->buf_negative == cfg_aux->buf_negative && ++ cfg->vref_mv == cfg_aux->vref_mv && ++ cfg->pga_bits == cfg_aux->pga_bits && ++ cfg->odr == cfg_aux->odr && ++ cfg->odr_sel_bits == cfg_aux->odr_sel_bits && ++ cfg->filter_type == cfg_aux->filter_type) + return cfg_aux; + } + +-- +2.39.5 + diff --git a/queue-5.15/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch b/queue-5.15/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch new file mode 100644 index 0000000000..4a5a063012 --- /dev/null +++ b/queue-5.15/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch 
@@ -0,0 +1,87 @@ +From 0091be5005c723ccc7717b382ef9cf5cd464770b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 14:17:51 +0200 +Subject: ipv6: fix omitted netlink attributes when using + RTEXT_FILTER_SKIP_STATS + +From: Fernando Fernandez Mancera + +[ Upstream commit 7ac6ea4a3e0898db76aecccd68fb2c403eb7d24e ] + +Using RTEXT_FILTER_SKIP_STATS is incorrectly skipping non-stats IPv6 +netlink attributes on link dump. This causes issues on userspace tools, +e.g iproute2 is not rendering address generation mode as it should due +to missing netlink attribute. + +Move the filling of IFLA_INET6_STATS and IFLA_INET6_ICMP6STATS to a +helper function guarded by a flag check to avoid hitting the same +situation in the future. + +Fixes: d5566fd72ec1 ("rtnetlink: RTEXT_FILTER_SKIP_STATS support to avoid dumping inet/inet6 stats") +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250402121751.3108-1-ffmancera@riseup.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 37 +++++++++++++++++++++++++------------ + 1 file changed, 25 insertions(+), 12 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 932a10f64adcb..07b3487e3ae97 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5689,6 +5689,27 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype, + } + } + ++static int inet6_fill_ifla6_stats_attrs(struct sk_buff *skb, ++ struct inet6_dev *idev) ++{ ++ struct nlattr *nla; ++ ++ nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64)); ++ if (!nla) ++ goto nla_put_failure; ++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla)); ++ ++ nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64)); ++ if (!nla) ++ goto nla_put_failure; ++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla)); ++ ++ return 0; ++ ++nla_put_failure: ++ return 
-EMSGSIZE; ++} ++ + static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev, + u32 ext_filter_mask) + { +@@ -5710,18 +5731,10 @@ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev, + + /* XXX - MC not implemented */ + +- if (ext_filter_mask & RTEXT_FILTER_SKIP_STATS) +- return 0; +- +- nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64)); +- if (!nla) +- goto nla_put_failure; +- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla)); +- +- nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64)); +- if (!nla) +- goto nla_put_failure; +- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla)); ++ if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)) { ++ if (inet6_fill_ifla6_stats_attrs(skb, idev) < 0) ++ goto nla_put_failure; ++ } + + nla = nla_reserve(skb, IFLA_INET6_TOKEN, sizeof(struct in6_addr)); + if (!nla) +-- +2.39.5 + diff --git a/queue-5.15/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch b/queue-5.15/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch new file mode 100644 index 0000000000..c39592e40a --- /dev/null +++ b/queue-5.15/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch 
@@ -0,0 +1,89 @@ +From bd90eb3589410847c26a07da2899d7416ae6b5c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 19:59:00 +0000 +Subject: isofs: fix KMSAN uninit-value bug in do_isofs_readdir() + +From: Qasim Ijaz + +[ Upstream commit 81a82e8f33880793029cd6f8a766fb13b737e6a7 ] + +In do_isofs_readdir() when assigning the variable +"struct iso_directory_record *de" the b_data field of the buffer_head +is accessed and an offset is added to it, the size of b_data is 2048 +and the offset size is 2047, meaning +"de = (struct iso_directory_record *) (bh->b_data + offset);" +yields the final byte of the 2048 sized b_data block. + +The first byte of the directory record (de_len) is then read and +found to be 31, meaning the directory record size is 31 bytes long. +The directory record is defined by the structure: + + struct iso_directory_record { + __u8 length; // 1 byte + __u8 ext_attr_length; // 1 byte + __u8 extent[8]; // 8 bytes + __u8 size[8]; // 8 bytes + __u8 date[7]; // 7 bytes + __u8 flags; // 1 byte + __u8 file_unit_size; // 1 byte + __u8 interleave; // 1 byte + __u8 volume_sequence_number[4]; // 4 bytes + __u8 name_len; // 1 byte + char name[]; // variable size + } __attribute__((packed)); + +The fixed portion of this structure occupies 33 bytes. Therefore, a +valid directory record must be at least 33 bytes long +(even without considering the variable-length name field). +Since de_len is only 31, it is insufficient to contain +the complete fixed header. + +The code later hits the following sanity check that +compares de_len against the sum of de->name_len and +sizeof(struct iso_directory_record): + + if (de_len < de->name_len[0] + sizeof(struct iso_directory_record)) { + ... 
+ } + +Since the fixed portion of the structure is +33 bytes (up to and including name_len member), +a valid record should have de_len of at least 33 bytes; +here, however, de_len is too short, and the field de->name_len +(located at offset 32) is accessed even though it lies beyond +the available 31 bytes. + +This access on the corrupted isofs data triggers a KASAN uninitialized +memory warning. The fix would be to first verify that de_len is at least +sizeof(struct iso_directory_record) before accessing any +fields like de->name_len. + +Reported-by: syzbot +Tested-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=812641c6c3d7586a1613 +Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem") +Signed-off-by: Qasim Ijaz +Signed-off-by: Jan Kara +Link: https://patch.msgid.link/20250211195900.42406-1-qasdev00@gmail.com +Signed-off-by: Sasha Levin +--- + fs/isofs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c +index eb2f8273e6f15..09df40b612fbf 100644 +--- a/fs/isofs/dir.c ++++ b/fs/isofs/dir.c +@@ -147,7 +147,8 @@ static int do_isofs_readdir(struct inode *inode, struct file *file, + de = tmpde; + } + /* Basic sanity check, whether name doesn't exceed dir entry */ +- if (de_len < de->name_len[0] + ++ if (de_len < sizeof(struct iso_directory_record) || ++ de_len < de->name_len[0] + + sizeof(struct iso_directory_record)) { + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, +-- +2.39.5 + diff --git a/queue-5.15/kexec-initialize-elf-lowest-address-to-ulong_max.patch b/queue-5.15/kexec-initialize-elf-lowest-address-to-ulong_max.patch new file mode 100644 index 0000000000..22de97179f --- /dev/null +++ b/queue-5.15/kexec-initialize-elf-lowest-address-to-ulong_max.patch 
@@ -0,0 +1,71 @@ +From 7cd14bdddff3b009be309ea7dbfab8b3cbfd65d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 17:08:24 +0530 +Subject: kexec: initialize ELF lowest address to ULONG_MAX + +From: Sourabh Jain + +[ Upstream commit 9986fb5164c8b21f6439cfd45ba36d8cc80c9710 ] + +Patch series "powerpc/crash: use generic crashkernel reservation", v3. + +Commit 0ab97169aa05 ("crash_core: add generic function to do reservation") +added a generic function to reserve crashkernel memory. So let's use the +same function on powerpc and remove the architecture-specific code that +essentially does the same thing. + +The generic crashkernel reservation also provides a way to split the +crashkernel reservation into high and low memory reservations, which can +be enabled for powerpc in the future. + +Additionally move powerpc to use generic APIs to locate memory hole for +kexec segments while loading kdump kernel. + +This patch (of 7): + +kexec_elf_load() loads an ELF executable and sets the address of the +lowest PT_LOAD section to the address held by the lowest_load_addr +function argument. + +To determine the lowest PT_LOAD address, a local variable lowest_addr +(type unsigned long) is initialized to UINT_MAX. After loading each +PT_LOAD, its address is compared to lowest_addr. If a loaded PT_LOAD +address is lower, lowest_addr is updated. However, setting lowest_addr to +UINT_MAX won't work when the kernel image is loaded above 4G, as the +returned lowest PT_LOAD address would be invalid. This is resolved by +initializing lowest_addr to ULONG_MAX instead. + +This issue was discovered while implementing crashkernel high/low +reservation on the PowerPC architecture. 
+ +Link: https://lkml.kernel.org/r/20250131113830.925179-1-sourabhjain@linux.ibm.com +Link: https://lkml.kernel.org/r/20250131113830.925179-2-sourabhjain@linux.ibm.com +Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()") +Signed-off-by: Sourabh Jain +Acked-by: Hari Bathini +Acked-by: Baoquan He +Cc: Madhavan Srinivasan +Cc: Mahesh Salgaonkar +Cc: Michael Ellerman +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/kexec_elf.c b/kernel/kexec_elf.c +index d3689632e8b90..3a5c25b2adc94 100644 +--- a/kernel/kexec_elf.c ++++ b/kernel/kexec_elf.c +@@ -390,7 +390,7 @@ int kexec_elf_load(struct kimage *image, struct elfhdr *ehdr, + struct kexec_buf *kbuf, + unsigned long *lowest_load_addr) + { +- unsigned long lowest_addr = UINT_MAX; ++ unsigned long lowest_addr = ULONG_MAX; + int ret; + size_t i; + +-- +2.39.5 + diff --git a/queue-5.15/ksmbd-fix-incorrect-validation-for-num_aces-field-of.patch b/queue-5.15/ksmbd-fix-incorrect-validation-for-num_aces-field-of.patch new file mode 100644 index 0000000000..40ae87cc15 --- /dev/null +++ b/queue-5.15/ksmbd-fix-incorrect-validation-for-num_aces-field-of.patch 
@@ -0,0 +1,52 @@ +From dbe117d88977e6485f2fe1a07786eeeb90a8a8d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 09:32:11 +0900 +Subject: ksmbd: fix incorrect validation for num_aces field of smb_acl + +From: Namjae Jeon + +[ Upstream commit 1b8b67f3c5e5169535e26efedd3e422172e2db64 ] + +parse_dcal() validate num_aces to allocate posix_ace_state_array. + +if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) + +It is an incorrect validation that we can create an array of size ULONG_MAX. +smb_acl has ->size field to calculate actual number of aces in request buffer +size. Use this to check invalid num_aces. + +Reported-by: Igor Leite Ladessa +Tested-by: Igor Leite Ladessa +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/ksmbd/smbacl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c +index 3a6c0abdb0352..ecf9db3d69c38 100644 +--- a/fs/ksmbd/smbacl.c ++++ b/fs/ksmbd/smbacl.c +@@ -396,7 +396,9 @@ static void parse_dacl(struct user_namespace *user_ns, + if (num_aces <= 0) + return; + +- if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) ++ if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) / ++ (offsetof(struct smb_ace, sid) + ++ offsetof(struct smb_sid, sub_auth) + sizeof(__le16))) + return; + + ret = init_acl_state(&acl_state, num_aces); +@@ -430,6 +432,7 @@ static void parse_dacl(struct user_namespace *user_ns, + offsetof(struct smb_sid, sub_auth); + + if (end_of_acl - acl_base < acl_size || ++ ppace[i]->sid.num_subauth == 0 || + ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES || + (end_of_acl - acl_base < + acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) || +-- +2.39.5 + diff --git a/queue-5.15/ksmbd-fix-multichannel-connection-failure.patch b/queue-5.15/ksmbd-fix-multichannel-connection-failure.patch new file mode 100644 index 0000000000..e5c3604d81 --- /dev/null 
+++ b/queue-5.15/ksmbd-fix-multichannel-connection-failure.patch 
@@ -0,0 +1,127 @@ +From 85518c7b2c6b77082e86333c974670939cc822f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 20:19:20 +0900 +Subject: ksmbd: fix multichannel connection failure + +From: Namjae Jeon + +[ Upstream commit c1883049aa9b2b7dffd3a68c5fc67fa92c174bd9 ] + +ksmbd check that the session of second channel is in the session list of +first connection. If it is in session list, multichannel connection +should not be allowed. + +Fixes: b95629435b84 ("ksmbd: fix racy issue from session lookup and expire") +Reported-by: Sean Heelan +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/ksmbd/mgmt/user_session.c | 16 ++++++++++++++++ + fs/ksmbd/mgmt/user_session.h | 2 ++ + fs/ksmbd/smb2pdu.c | 12 ++++-------- + 3 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c +index 1cee9733bdac5..f59714bfc819b 100644 +--- a/fs/ksmbd/mgmt/user_session.c ++++ b/fs/ksmbd/mgmt/user_session.c +@@ -250,6 +250,22 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn) + up_write(&conn->session_lock); + } + ++bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn, ++ unsigned long long id) ++{ ++ struct ksmbd_session *sess; ++ ++ down_read(&conn->session_lock); ++ sess = xa_load(&conn->sessions, id); ++ if (sess) { ++ up_read(&conn->session_lock); ++ return true; ++ } ++ up_read(&conn->session_lock); ++ ++ return false; ++} ++ + struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, + unsigned long long id) + { +diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h +index ce91b1d698e71..f4da293c4dbb2 100644 +--- a/fs/ksmbd/mgmt/user_session.h ++++ b/fs/ksmbd/mgmt/user_session.h +@@ -87,6 +87,8 @@ void ksmbd_session_destroy(struct ksmbd_session *sess); + struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id); + struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, + unsigned long 
long id); ++bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn, ++ unsigned long long id); + int ksmbd_session_register(struct ksmbd_conn *conn, + struct ksmbd_session *sess); + void ksmbd_sessions_deregister(struct ksmbd_conn *conn); +diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c +index 82b6be188ad4a..3dfe0acf21a5d 100644 +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -1725,44 +1725,38 @@ int smb2_sess_setup(struct ksmbd_work *work) + + if (conn->dialect != sess->dialect) { + rc = -EINVAL; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (!(req->hdr.Flags & SMB2_FLAGS_SIGNED)) { + rc = -EINVAL; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (strncmp(conn->ClientGUID, sess->ClientGUID, + SMB2_CLIENT_GUID_SIZE)) { + rc = -ENOENT; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (sess->state == SMB2_SESSION_IN_PROGRESS) { + rc = -EACCES; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (sess->state == SMB2_SESSION_EXPIRED) { + rc = -EFAULT; +- ksmbd_user_session_put(sess); + goto out_err; + } +- ksmbd_user_session_put(sess); + + if (ksmbd_conn_need_reconnect(conn)) { + rc = -EFAULT; ++ ksmbd_user_session_put(sess); + sess = NULL; + goto out_err; + } + +- sess = ksmbd_session_lookup(conn, sess_id); +- if (!sess) { ++ if (is_ksmbd_session_in_connection(conn, sess_id)) { + rc = -EACCES; + goto out_err; + } +@@ -1928,6 +1922,8 @@ int smb2_sess_setup(struct ksmbd_work *work) + + sess->last_active = jiffies; + sess->state = SMB2_SESSION_EXPIRED; ++ ksmbd_user_session_put(sess); ++ work->sess = NULL; + if (try_delay) { + ksmbd_conn_set_need_reconnect(conn); + ssleep(5); +-- +2.39.5 + diff --git a/queue-5.15/ksmbd-use-aead_request_free-to-match-aead_request_al.patch b/queue-5.15/ksmbd-use-aead_request_free-to-match-aead_request_al.patch new file mode 100644 index 0000000000..879ce4271d --- /dev/null +++ b/queue-5.15/ksmbd-use-aead_request_free-to-match-aead_request_al.patch 
@@ -0,0 +1,38 @@ +From 4831f4f8c2be1794c6e677fcc750109d2e608a29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 20:12:34 +0800 +Subject: ksmbd: use aead_request_free to match aead_request_alloc + +From: Miaoqian Lin + +[ Upstream commit 6171063e9d046ffa46f51579b2ca4a43caef581a ] + +Use aead_request_free() instead of kfree() to properly free memory +allocated by aead_request_alloc(). This ensures sensitive crypto data +is zeroed before being freed. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Signed-off-by: Miaoqian Lin +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/ksmbd/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ksmbd/auth.c b/fs/ksmbd/auth.c +index 3b776b5de7db6..647692ca78a28 100644 +--- a/fs/ksmbd/auth.c ++++ b/fs/ksmbd/auth.c +@@ -1211,7 +1211,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov, + free_sg: + kfree(sg); + free_req: +- kfree(req); ++ aead_request_free(req); + free_ctx: + ksmbd_release_crypto_ctx(ctx); + return rc; +-- +2.39.5 + diff --git a/queue-5.15/lib-842-improve-error-handling-in-sw842_compress.patch b/queue-5.15/lib-842-improve-error-handling-in-sw842_compress.patch new file mode 100644 index 0000000000..93787aad3a --- /dev/null +++ b/queue-5.15/lib-842-improve-error-handling-in-sw842_compress.patch 
@@ -0,0 +1,44 @@ +From 4d0a92ca706622ee4240d518fe2a9939eb7c0d06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2025 19:42:04 +0530 +Subject: lib: 842: Improve error handling in sw842_compress() + +From: Tanya Agarwal + +[ Upstream commit af324dc0e2b558678aec42260cce38be16cc77ca ] + +The static code analysis tool "Coverity Scan" pointed the following +implementation details out for further development considerations: +CID 1309755: Unused value +In sw842_compress: A value assigned to a variable is never used. (CWE-563) +returned_value: Assigning value from add_repeat_template(p, repeat_count) +to ret here, but that stored value is overwritten before it can be used. + +Conclusion: +Add error handling for the return value from an add_repeat_template() +call. + +Fixes: 2da572c959dd ("lib: add software 842 compression/decompression") +Signed-off-by: Tanya Agarwal +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/842/842_compress.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/842/842_compress.c b/lib/842/842_compress.c +index c02baa4168e16..055356508d97c 100644 +--- a/lib/842/842_compress.c ++++ b/lib/842/842_compress.c +@@ -532,6 +532,8 @@ int sw842_compress(const u8 *in, unsigned int ilen, + } + if (repeat_count) { + ret = add_repeat_template(p, repeat_count); ++ if (ret) ++ return ret; + repeat_count = 0; + if (next == last) /* reached max repeat bits */ + goto repeat; +-- +2.39.5 + diff --git a/queue-5.15/libbpf-fix-hypothetical-stt_section-extern-null-dere.patch b/queue-5.15/libbpf-fix-hypothetical-stt_section-extern-null-dere.patch new file mode 100644 index 0000000000..9f6cbdfa0e --- /dev/null +++ b/queue-5.15/libbpf-fix-hypothetical-stt_section-extern-null-dere.patch 
@@ -0,0 +1,41 @@ +From 4cf1104d4a48e85b1ee21f280b792f2f545bd06f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2025 16:28:21 -0800 +Subject: libbpf: Fix hypothetical STT_SECTION extern NULL deref case + +From: Andrii Nakryiko + +[ Upstream commit e0525cd72b5979d8089fe524a071ea93fd011dc9 ] + +Fix theoretical NULL dereference in linker when resolving *extern* +STT_SECTION symbol against not-yet-existing ELF section. Not sure if +it's possible in practice for valid ELF object files (this would require +embedded assembly manipulations, at which point BTF will be missing), +but fix the s/dst_sym/dst_sec/ typo guarding this condition anyways. + +Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs") +Fixes: a46349227cd8 ("libbpf: Add linker extern resolution support for functions and global variables") +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20250220002821.834400-1-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/linker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c +index 2adf55f487430..fc91814a35e8e 100644 +--- a/tools/lib/bpf/linker.c ++++ b/tools/lib/bpf/linker.c +@@ -1966,7 +1966,7 @@ static int linker_append_elf_sym(struct bpf_linker *linker, struct src_obj *obj, + + obj->sym_map[src_sym_idx] = dst_sym_idx; + +- if (sym_type == STT_SECTION && dst_sym) { ++ if (sym_type == STT_SECTION && dst_sec) { + dst_sec->sec_sym_idx = dst_sym_idx; + dst_sym->st_value = 0; + } +-- +2.39.5 + diff --git a/queue-5.15/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch b/queue-5.15/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch new file mode 100644 index 0000000000..aa742feb9d --- /dev/null +++ b/queue-5.15/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch 
@@ -0,0 +1,82 @@ +From 6fe1ff6c84c3e1ac861368008ba4120bd068cbeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 11:36:18 +0100 +Subject: lockdep: Don't disable interrupts on RT in + disable_irq_nosync_lockdep.*() + +From: Sebastian Andrzej Siewior + +[ Upstream commit 87886b32d669abc11c7be95ef44099215e4f5788 ] + +disable_irq_nosync_lockdep() disables interrupts with lockdep enabled to +avoid false positive reports by lockdep that a certain lock has not been +acquired with disabled interrupts. The user of this macros expects that +a lock can be acquried without disabling interrupts because the IRQ line +triggering the interrupt is disabled. + +This triggers a warning on PREEMPT_RT because after +disable_irq_nosync_lockdep.*() the following spinlock_t now is acquired +with disabled interrupts. + +On PREEMPT_RT there is no difference between spin_lock() and +spin_lock_irq() so avoiding disabling interrupts in this case works for +the two remaining callers as of today. + +Don't disable interrupts on PREEMPT_RT in disable_irq_nosync_lockdep.*(). 
+ +Closes: https://lore.kernel.org/760e34f9-6034-40e0-82a5-ee9becd24438@roeck-us.net +Fixes: e8106b941ceab ("[PATCH] lockdep: core, add enable/disable_irq_irqsave/irqrestore() APIs") +Reported-by: Guenter Roeck +Suggested-by: "Steven Rostedt (Google)" +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250212103619.2560503-2-bigeasy@linutronix.de +Signed-off-by: Sasha Levin +--- + include/linux/interrupt.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h +index 1f22a30c09637..976bca44bae0c 100644 +--- a/include/linux/interrupt.h ++++ b/include/linux/interrupt.h +@@ -408,7 +408,7 @@ irq_calc_affinity_vectors(unsigned int minvec, unsigned int maxvec, + static inline void disable_irq_nosync_lockdep(unsigned int irq) + { + disable_irq_nosync(irq); +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_disable(); + #endif + } +@@ -416,7 +416,7 @@ static inline void disable_irq_nosync_lockdep(unsigned int irq) + static inline void disable_irq_nosync_lockdep_irqsave(unsigned int irq, unsigned long *flags) + { + disable_irq_nosync(irq); +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_save(*flags); + #endif + } +@@ -431,7 +431,7 @@ static inline void disable_irq_lockdep(unsigned int irq) + + static inline void enable_irq_lockdep(unsigned int irq) + { +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_enable(); + #endif + enable_irq(irq); +@@ -439,7 +439,7 @@ static inline void enable_irq_lockdep(unsigned int irq) + + static inline void enable_irq_lockdep_irqrestore(unsigned int irq, unsigned long *flags) + { +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_restore(*flags); + #endif + enable_irq(irq); +-- +2.39.5 + 
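Review bot: The guard `defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)` is now repeated in four inline helpers in include/linux/interrupt.h, but disable_irq_lockdep() is not among the changed functions. The third hunk header (-431) shows it sitting directly above enable_irq_lockdep(). If disable_irq_lockdep() still disables interrupts under plain CONFIG_LOCKDEP, enable_irq_lockdep() no longer balances it on PREEMPT_RT. Please confirm it has no remaining callers on this branch, or give it the same guard. A one-line comment at one of the sites saying why RT is excluded would also save readers a trip to the changelog.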
diff --git a/queue-5.15/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch b/queue-5.15/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch new file mode 100644 index 0000000000..27336b4be3 --- /dev/null +++ b/queue-5.15/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch 
@@ -0,0 +1,150 @@ +From 5e103bd7200f96fa38116da5b9b614f9012ba2fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 15:26:52 -0800 +Subject: locking/semaphore: Use wake_q to wake up processes outside lock + critical section + +From: Waiman Long + +[ Upstream commit 85b2b9c16d053364e2004883140538e73b333cdb ] + +A circular lock dependency splat has been seen involving down_trylock(): + + ====================================================== + WARNING: possible circular locking dependency detected + 6.12.0-41.el10.s390x+debug + ------------------------------------------------------ + dd/32479 is trying to acquire lock: + 0015a20accd0d4f8 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x26/0x90 + + but task is already holding lock: + 000000017e461698 (&zone->lock){-.-.}-{2:2}, at: rmqueue_bulk+0xac/0x8f0 + + the existing dependency chain (in reverse order) is: + -> #4 (&zone->lock){-.-.}-{2:2}: + -> #3 (hrtimer_bases.lock){-.-.}-{2:2}: + -> #2 (&rq->__lock){-.-.}-{2:2}: + -> #1 (&p->pi_lock){-.-.}-{2:2}: + -> #0 ((console_sem).lock){-.-.}-{2:2}: + +The console_sem -> pi_lock dependency is due to calling try_to_wake_up() +while holding the console_sem raw_spinlock. This dependency can be broken +by using wake_q to do the wakeup instead of calling try_to_wake_up() +under the console_sem lock. This will also make the semaphore's +raw_spinlock become a terminal lock without taking any further locks +underneath it. + +The hrtimer_bases.lock is a raw_spinlock while zone->lock is a +spinlock. The hrtimer_bases.lock -> zone->lock dependency happens via +the debug_objects_fill_pool() helper function in the debugobjects code. 
+ + -> #4 (&zone->lock){-.-.}-{2:2}: + __lock_acquire+0xe86/0x1cc0 + lock_acquire.part.0+0x258/0x630 + lock_acquire+0xb8/0xe0 + _raw_spin_lock_irqsave+0xb4/0x120 + rmqueue_bulk+0xac/0x8f0 + __rmqueue_pcplist+0x580/0x830 + rmqueue_pcplist+0xfc/0x470 + rmqueue.isra.0+0xdec/0x11b0 + get_page_from_freelist+0x2ee/0xeb0 + __alloc_pages_noprof+0x2c2/0x520 + alloc_pages_mpol_noprof+0x1fc/0x4d0 + alloc_pages_noprof+0x8c/0xe0 + allocate_slab+0x320/0x460 + ___slab_alloc+0xa58/0x12b0 + __slab_alloc.isra.0+0x42/0x60 + kmem_cache_alloc_noprof+0x304/0x350 + fill_pool+0xf6/0x450 + debug_object_activate+0xfe/0x360 + enqueue_hrtimer+0x34/0x190 + __run_hrtimer+0x3c8/0x4c0 + __hrtimer_run_queues+0x1b2/0x260 + hrtimer_interrupt+0x316/0x760 + do_IRQ+0x9a/0xe0 + do_irq_async+0xf6/0x160 + +Normally a raw_spinlock to spinlock dependency is not legitimate +and will be warned if CONFIG_PROVE_RAW_LOCK_NESTING is enabled, +but debug_objects_fill_pool() is an exception as it explicitly +allows this dependency for non-PREEMPT_RT kernel without causing +PROVE_RAW_LOCK_NESTING lockdep splat. As a result, this dependency is +legitimate and not a bug. + +Anyway, semaphore is the only locking primitive left that is still +using try_to_wake_up() to do wakeup inside critical section, all the +other locking primitives had been migrated to use wake_q to do wakeup +outside of the critical section. It is also possible that there are +other circular locking dependencies involving printk/console_sem or +other existing/new semaphores lurking somewhere which may show up in +the future. Let just do the migration now to wake_q to avoid headache +like this. 
+ +Reported-by: yzbot+ed801a886dfdbfe7136d@syzkaller.appspotmail.com +Signed-off-by: Waiman Long +Signed-off-by: Boqun Feng +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250307232717.1759087-3-boqun.feng@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/locking/semaphore.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/kernel/locking/semaphore.c b/kernel/locking/semaphore.c +index 9ee381e4d2a4d..a26c915430ba0 100644 +--- a/kernel/locking/semaphore.c ++++ b/kernel/locking/semaphore.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -37,7 +38,7 @@ static noinline void __down(struct semaphore *sem); + static noinline int __down_interruptible(struct semaphore *sem); + static noinline int __down_killable(struct semaphore *sem); + static noinline int __down_timeout(struct semaphore *sem, long timeout); +-static noinline void __up(struct semaphore *sem); ++static noinline void __up(struct semaphore *sem, struct wake_q_head *wake_q); + + /** + * down - acquire the semaphore +@@ -182,13 +183,16 @@ EXPORT_SYMBOL(down_timeout); + void up(struct semaphore *sem) + { + unsigned long flags; ++ DEFINE_WAKE_Q(wake_q); + + raw_spin_lock_irqsave(&sem->lock, flags); + if (likely(list_empty(&sem->wait_list))) + sem->count++; + else +- __up(sem); ++ __up(sem, &wake_q); + raw_spin_unlock_irqrestore(&sem->lock, flags); ++ if (!wake_q_empty(&wake_q)) ++ wake_up_q(&wake_q); + } + EXPORT_SYMBOL(up); + +@@ -256,11 +260,12 @@ static noinline int __sched __down_timeout(struct semaphore *sem, long timeout) + return __down_common(sem, TASK_UNINTERRUPTIBLE, timeout); + } + +-static noinline void __sched __up(struct semaphore *sem) ++static noinline void __sched __up(struct semaphore *sem, ++ struct wake_q_head *wake_q) + { + struct semaphore_waiter *waiter = list_first_entry(&sem->wait_list, + struct semaphore_waiter, list); + list_del(&waiter->list); + waiter->up = true; 
+- wake_up_process(waiter->task); ++ wake_q_add(wake_q, waiter->task); + } +-- +2.39.5 + diff --git a/queue-5.15/mdacon-rework-dependency-list.patch b/queue-5.15/mdacon-rework-dependency-list.patch new file mode 100644 index 0000000000..287e1fc4db --- /dev/null +++ b/queue-5.15/mdacon-rework-dependency-list.patch 
@@ -0,0 +1,47 @@ +From 95bf2677eab32c7e1eb7646008def2796b5a7d3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 17:44:23 +0100 +Subject: mdacon: rework dependency list + +From: Arnd Bergmann + +[ Upstream commit 5bbcc7645f4b244ffb5ac6563fbe9d3d42194447 ] + +mdacon has roughly the same dependencies as vgacon but expresses them +as a negative list instead of a positive list, with the only practical +difference being PowerPC/CHRP, which uses vga16fb instead of vgacon. + +The CONFIG_MDA_CONSOLE description advises to only turn it on when vgacon +is also used because MDA/Hercules-only systems should be using vgacon +instead, so just change the list to enforce that directly for simplicity. + +The probing was broken from 2002 to 2008, this improves on the fix +that was added then: If vgacon is a loadable module, then mdacon +cannot be built-in now, and the list of systems that support vgacon +is carried over. + +Fixes: 0b9cf3aa6b1e ("mdacon messing up default vc's - set default to vc13-16 again") +Signed-off-by: Arnd Bergmann +Reviewed-by: Thomas Zimmermann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/console/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/console/Kconfig b/drivers/video/console/Kconfig +index fcc46380e7c91..390280ce7ea3e 100644 +--- a/drivers/video/console/Kconfig ++++ b/drivers/video/console/Kconfig +@@ -23,7 +23,7 @@ config VGA_CONSOLE + Say Y. + + config MDA_CONSOLE +- depends on !M68K && !PARISC && ISA ++ depends on VGA_CONSOLE && ISA + tristate "MDA text console (dual-headed)" + help + Say Y here if you have an old MDA or monochrome Hercules graphics +-- +2.39.5 + diff --git a/queue-5.15/media-platform-allgro-dvt-unregister-v4l2_device-on-.patch b/queue-5.15/media-platform-allgro-dvt-unregister-v4l2_device-on-.patch new file mode 100644 index 0000000000..81936faa8a --- /dev/null +++ b/queue-5.15/media-platform-allgro-dvt-unregister-v4l2_device-on-.patch 
@@ -0,0 +1,38 @@ +From f52ff3aa794193b0d496a5ca24513cb61781a8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 11:06:21 +0900 +Subject: media: platform: allgro-dvt: unregister v4l2_device on the error path + +From: Joe Hattori + +[ Upstream commit c2b96a6818159fba8a3bcc38262da9e77f9b3ec7 ] + +In allegro_probe(), the v4l2 device is not unregistered in the error +path, which results in a memory leak. Fix it by calling +v4l2_device_unregister() before returning error. + +Fixes: d74d4e2359ec ("media: allegro: move driver out of staging") +Signed-off-by: Joe Hattori +Reviewed-by: Michael Tretter +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/allegro-dvt/allegro-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c +index 881c5bbf61568..f472eb19cd92f 100644 +--- a/drivers/media/platform/allegro-dvt/allegro-core.c ++++ b/drivers/media/platform/allegro-dvt/allegro-core.c +@@ -3740,6 +3740,7 @@ static int allegro_probe(struct platform_device *pdev) + if (ret < 0) { + v4l2_err(&dev->v4l2_dev, + "failed to request firmware: %d\n", ret); ++ v4l2_device_unregister(&dev->v4l2_dev); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.15/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch b/queue-5.15/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch new file mode 100644 index 0000000000..8adf33a3d8 --- /dev/null +++ b/queue-5.15/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch 
@@ -0,0 +1,63 @@ +From 4d1c2b30c957ef97f90d7873d9e1050b70d8b041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 09:12:06 -0800 +Subject: mfd: sm501: Switch to BIT() to mitigate integer overflows + +From: Nikita Zhandarovich + +[ Upstream commit 2d8cb9ffe18c2f1e5bd07a19cbce85b26c1d0cf0 ] + +If offset end up being high enough, right hand expression in functions +like sm501_gpio_set() shifted left for that number of bits, may +not fit in int type. + +Just in case, fix that by using BIT() both as an option safe from +overflow issues and to make this step look similar to other gpio +drivers. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: f61be273d369 ("sm501: add gpiolib support") +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20250115171206.20308-1-n.zhandarovich@fintech.ru +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index 3ac4508a6742a..78dcbf8e2c15d 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -920,7 +920,7 @@ static void sm501_gpio_set(struct gpio_chip *chip, unsigned offset, int value) + { + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + void __iomem *regs = smchip->regbase; + unsigned long save; + unsigned long val; +@@ -946,7 +946,7 @@ static int sm501_gpio_input(struct gpio_chip *chip, unsigned offset) + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; + void __iomem *regs = smchip->regbase; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + unsigned long save; + unsigned long ddr; + +@@ -971,7 +971,7 @@ static int sm501_gpio_output(struct gpio_chip *chip, + { + struct sm501_gpio_chip 
*smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + void __iomem *regs = smchip->regbase; + unsigned long save; + unsigned long val; +-- +2.39.5 + diff --git a/queue-5.15/net-fix-geneve_opt-length-integer-overflow.patch b/queue-5.15/net-fix-geneve_opt-length-integer-overflow.patch new file mode 100644 index 0000000000..4a63b70928 --- /dev/null +++ b/queue-5.15/net-fix-geneve_opt-length-integer-overflow.patch 
@@ -0,0 +1,134 @@ +From bf78b8f0b153d7c856c757f9b85e3b0577a195b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 00:56:32 +0800 +Subject: net: fix geneve_opt length integer overflow + +From: Lin Ma + +[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ] + +struct geneve_opt uses 5 bit length for each single option, which +means every vary size option should be smaller than 128 bytes. + +However, all current related Netlink policies cannot promise this +length condition and the attacker can exploit a exact 128-byte size +option to *fake* a zero length option and confuse the parsing logic, +further achieve heap out-of-bounds read. + +One example crash log is like below: + +[ 3.905425] ================================================================== +[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 +[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 +[ 3.906646] +[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 +[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 3.907784] Call Trace: +[ 3.907925] +[ 3.908048] dump_stack_lvl+0x44/0x5c +[ 3.908258] print_report+0x184/0x4be +[ 3.909151] kasan_report+0xc5/0x100 +[ 3.909539] kasan_check_range+0xf3/0x1a0 +[ 3.909794] memcpy+0x1f/0x60 +[ 3.909968] nla_put+0xa9/0xe0 +[ 3.910147] tunnel_key_dump+0x945/0xba0 +[ 3.911536] tcf_action_dump_1+0x1c1/0x340 +[ 3.912436] tcf_action_dump+0x101/0x180 +[ 3.912689] tcf_exts_dump+0x164/0x1e0 +[ 3.912905] fw_dump+0x18b/0x2d0 +[ 3.913483] tcf_fill_node+0x2ee/0x460 +[ 3.914778] tfilter_notify+0xf4/0x180 +[ 3.915208] tc_new_tfilter+0xd51/0x10d0 +[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 +[ 3.919118] netlink_rcv_skb+0xcd/0x200 +[ 3.919787] netlink_unicast+0x395/0x530 +[ 3.921032] netlink_sendmsg+0x3d0/0x6d0 +[ 3.921987] __sock_sendmsg+0x99/0xa0 +[ 3.922220] __sys_sendto+0x1b7/0x240 +[ 3.922682] __x64_sys_sendto+0x72/0x90 +[ 3.922906] 
do_syscall_64+0x5e/0x90 +[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 3.924122] RIP: 0033:0x7e83eab84407 +[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf +[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c +[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 +[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 +[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c +[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 +[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 + +Fix these issues by enforing correct length condition in related +policies. + +Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts") +Fixes: 4ece47787077 ("lwtunnel: add options setting and dumping for geneve") +Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key") +Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") +Signed-off-by: Lin Ma +Reviewed-by: Xin Long +Acked-by: Cong Wang +Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel_core.c | 2 +- + net/netfilter/nft_tunnel.c | 2 +- + net/sched/act_tunnel_key.c | 2 +- + net/sched/cls_flower.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 51dd2b36c49d4..35189f1b361ea 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -450,7 +450,7 @@ static const struct nla_policy + geneve_opt_policy[LWTUNNEL_IP_OPT_GENEVE_MAX + 1] = { + [LWTUNNEL_IP_OPT_GENEVE_CLASS] = { .type = NLA_U16 }, + [LWTUNNEL_IP_OPT_GENEVE_TYPE] = { .type = NLA_U8 }, +- [LWTUNNEL_IP_OPT_GENEVE_DATA] = { 
.type = NLA_BINARY, .len = 128 }, ++ [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 }, + }; + + static const struct nla_policy +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index 1b05b70497283..cfe6cf1be4217 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -305,7 +305,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, + static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GENEVE_MAX + 1] = { + [NFTA_TUNNEL_KEY_GENEVE_CLASS] = { .type = NLA_U16 }, + [NFTA_TUNNEL_KEY_GENEVE_TYPE] = { .type = NLA_U8 }, +- [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 }, ++ [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 }, + }; + + static int nft_tunnel_obj_geneve_init(const struct nlattr *attr, +diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c +index d9cd174eecb79..64277ce3c5eb9 100644 +--- a/net/sched/act_tunnel_key.c ++++ b/net/sched/act_tunnel_key.c +@@ -67,7 +67,7 @@ geneve_opt_policy[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_MAX + 1] = { + [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 }, + [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 }, + [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY, +- .len = 128 }, ++ .len = 127 }, + }; + + static const struct nla_policy +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 35842b51a24e2..af437be93e25a 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -723,7 +723,7 @@ geneve_opt_policy[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1] = { + [TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 }, + [TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 }, + [TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY, +- .len = 128 }, ++ .len = 127 }, + }; + + static const struct nla_policy +-- +2.39.5 + 
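Review bot: the new bound is written as a bare literal 127 in all four policies (geneve_opt_policy in ip_tunnel_core.c, act_tunnel_key.c and cls_flower.c, and nft_tunnel_opts_geneve_policy in nft_tunnel.c) with no comment or named constant, so the reason 128 was wrong and 127 is right cannot be recovered from the code. None of the hunks shows how the consumers use the attribute length, and the changelog only says "correct length condition". Suggest defining the limit once in a shared header, with a one-line comment naming the structure field or buffer size it is derived from, and using that constant in every `.len =` initializer so the four copies cannot drift apart again.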
diff --git a/queue-5.15/net-mvpp2-prevent-parser-tcam-memory-corruption.patch b/queue-5.15/net-mvpp2-prevent-parser-tcam-memory-corruption.patch new file mode 100644 index 0000000000..a33bc7ab95 --- /dev/null +++ b/queue-5.15/net-mvpp2-prevent-parser-tcam-memory-corruption.patch 
@@ -0,0 +1,659 @@ +From 59b5d21d91a7e2f89025bd153a769a44b3d2046a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 08:58:04 +0200 +Subject: net: mvpp2: Prevent parser TCAM memory corruption + +From: Tobias Waldekranz + +[ Upstream commit 96844075226b49af25a69a1d084b648ec2d9b08d ] + +Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM +information, from concurrent modifications. + +Both the TCAM and SRAM tables are indirectly accessed by configuring +an index register that selects the row to read or write to. This means +that operations must be atomic in order to, e.g., avoid spreading +writes across multiple rows. Since the shadow SRAM array is used to +find free rows in the hardware table, it must also be protected in +order to avoid TOCTOU errors where multiple cores allocate the same +row. + +This issue was detected in a situation where `mvpp2_set_rx_mode()` ran +concurrently on two CPUs. In this particular case the +MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the +classifier unit to drop all incoming unicast - indicated by the +`rx_classifier_drops` counter. 
+ +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Tobias Waldekranz +Reviewed-by: Maxime Chevallier +Tested-by: Maxime Chevallier +Link: https://patch.msgid.link/20250401065855.3113635-1-tobias@waldekranz.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 3 + + .../net/ethernet/marvell/mvpp2/mvpp2_main.c | 3 +- + .../net/ethernet/marvell/mvpp2/mvpp2_prs.c | 201 ++++++++++++------ + 3 files changed, 140 insertions(+), 67 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index 24a8c9b8126b7..8732134cb33c9 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -1108,6 +1108,9 @@ struct mvpp2 { + + /* Spinlocks for CM3 shared memory configuration */ + spinlock_t mss_spinlock; ++ ++ /* Spinlock for shared PRS parser memory and shadow table */ ++ spinlock_t prs_spinlock; + }; + + struct mvpp2_pcpu_stats { +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 2a60f949d9532..7fa880e62d096 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -7589,8 +7589,9 @@ static int mvpp2_probe(struct platform_device *pdev) + if (mvpp2_read(priv, MVPP2_VER_ID_REG) == MVPP2_VER_PP23) + priv->hw_version = MVPP23; + +- /* Init mss lock */ ++ /* Init locks for shared packet processor resources */ + spin_lock_init(&priv->mss_spinlock); ++ spin_lock_init(&priv->prs_spinlock); + + /* Initialize network controller */ + err = mvpp2_init(pdev, priv); +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index 9af22f497a40f..93e978bdf303c 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -23,6 +23,8 @@ 
static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe) + { + int i; + ++ lockdep_assert_held(&priv->prs_spinlock); ++ + if (pe->index > MVPP2_PRS_TCAM_SRAM_SIZE - 1) + return -EINVAL; + +@@ -43,11 +45,13 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe) + } + + /* Initialize tcam entry from hw */ +-int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe, +- int tid) ++static int __mvpp2_prs_init_from_hw(struct mvpp2 *priv, ++ struct mvpp2_prs_entry *pe, int tid) + { + int i; + ++ lockdep_assert_held(&priv->prs_spinlock); ++ + if (tid > MVPP2_PRS_TCAM_SRAM_SIZE - 1) + return -EINVAL; + +@@ -73,6 +77,18 @@ int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe, + return 0; + } + ++int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe, ++ int tid) ++{ ++ int err; ++ ++ spin_lock_bh(&priv->prs_spinlock); ++ err = __mvpp2_prs_init_from_hw(priv, pe, tid); ++ spin_unlock_bh(&priv->prs_spinlock); ++ ++ return err; ++} ++ + /* Invalidate tcam hw entry */ + static void mvpp2_prs_hw_inv(struct mvpp2 *priv, int index) + { +@@ -374,7 +390,7 @@ static int mvpp2_prs_flow_find(struct mvpp2 *priv, int flow) + priv->prs_shadow[tid].lu != MVPP2_PRS_LU_FLOWS) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + bits = mvpp2_prs_sram_ai_get(&pe); + + /* Sram store classification lookup ID in AI bits [5:0] */ +@@ -441,7 +457,7 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add) + + if (priv->prs_shadow[MVPP2_PE_DROP_ALL].valid) { + /* Entry exist - update port only */ +- mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL); ++ __mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL); + } else { + /* Entry doesn't exist - create new */ + memset(&pe, 0, sizeof(pe)); +@@ -469,14 +485,17 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add) + } + + /* Set port to unicast or 
multicast promiscuous mode */ +-void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, +- enum mvpp2_prs_l2_cast l2_cast, bool add) ++static void __mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, ++ enum mvpp2_prs_l2_cast l2_cast, ++ bool add) + { + struct mvpp2_prs_entry pe; + unsigned char cast_match; + unsigned int ri; + int tid; + ++ lockdep_assert_held(&priv->prs_spinlock); ++ + if (l2_cast == MVPP2_PRS_L2_UNI_CAST) { + cast_match = MVPP2_PRS_UCAST_VAL; + tid = MVPP2_PE_MAC_UC_PROMISCUOUS; +@@ -489,7 +508,7 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, + + /* promiscuous mode - Accept unknown unicast or multicast packets */ + if (priv->prs_shadow[tid].valid) { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } else { + memset(&pe, 0, sizeof(pe)); + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC); +@@ -522,6 +541,14 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, + mvpp2_prs_hw_write(priv, &pe); + } + ++void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, ++ enum mvpp2_prs_l2_cast l2_cast, bool add) ++{ ++ spin_lock_bh(&priv->prs_spinlock); ++ __mvpp2_prs_mac_promisc_set(priv, port, l2_cast, add); ++ spin_unlock_bh(&priv->prs_spinlock); ++} ++ + /* Set entry for dsa packets */ + static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add, + bool tagged, bool extend) +@@ -539,7 +566,7 @@ static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add, + + if (priv->prs_shadow[tid].valid) { + /* Entry exist - update port only */ +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } else { + /* Entry doesn't exist - create new */ + memset(&pe, 0, sizeof(pe)); +@@ -610,7 +637,7 @@ static void mvpp2_prs_dsa_tag_ethertype_set(struct mvpp2 *priv, int port, + + if (priv->prs_shadow[tid].valid) { + /* Entry exist - update port only */ +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, 
tid); + } else { + /* Entry doesn't exist - create new */ + memset(&pe, 0, sizeof(pe)); +@@ -673,7 +700,7 @@ static int mvpp2_prs_vlan_find(struct mvpp2 *priv, unsigned short tpid, int ai) + priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid); + if (!match) + continue; +@@ -726,7 +753,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai, + priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid_aux); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux); + ri_bits = mvpp2_prs_sram_ri_get(&pe); + if ((ri_bits & MVPP2_PRS_RI_VLAN_MASK) == + MVPP2_PRS_RI_VLAN_DOUBLE) +@@ -760,7 +787,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai, + + mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VLAN); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + /* Update ports' mask */ + mvpp2_prs_tcam_port_map_set(&pe, port_map); +@@ -800,7 +827,7 @@ static int mvpp2_prs_double_vlan_find(struct mvpp2 *priv, unsigned short tpid1, + priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + + match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid1) && + mvpp2_prs_tcam_data_cmp(&pe, 4, tpid2); +@@ -849,7 +876,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1, + priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid_aux); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux); + ri_bits = mvpp2_prs_sram_ri_get(&pe); + ri_bits &= MVPP2_PRS_RI_VLAN_MASK; + if (ri_bits == MVPP2_PRS_RI_VLAN_SINGLE || +@@ -880,7 +907,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1, + + mvpp2_prs_shadow_set(priv, 
pe.index, MVPP2_PRS_LU_VLAN); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + + /* Update ports' mask */ +@@ -1213,8 +1240,8 @@ static void mvpp2_prs_mac_init(struct mvpp2 *priv) + /* Create dummy entries for drop all and promiscuous modes */ + mvpp2_prs_drop_fc(priv); + mvpp2_prs_mac_drop_all_set(priv, 0, false); +- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false); +- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false); ++ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false); ++ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false); + } + + /* Set default entries for various types of dsa packets */ +@@ -1533,12 +1560,6 @@ static int mvpp2_prs_vlan_init(struct platform_device *pdev, struct mvpp2 *priv) + struct mvpp2_prs_entry pe; + int err; + +- priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool), +- MVPP2_PRS_DBL_VLANS_MAX, +- GFP_KERNEL); +- if (!priv->prs_double_vlans) +- return -ENOMEM; +- + /* Double VLAN: 0x88A8, 0x8100 */ + err = mvpp2_prs_double_vlan_add(priv, ETH_P_8021AD, ETH_P_8021Q, + MVPP2_PRS_PORT_MASK); +@@ -1941,7 +1962,7 @@ static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask) + port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID) + continue; + +- mvpp2_prs_init_from_hw(port->priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(port->priv, &pe, tid); + + mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]); + mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]); +@@ -1970,6 +1991,8 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&priv->prs_spinlock); ++ + /* Scan TCAM and see if entry with this already exist */ + tid = mvpp2_prs_vid_range_find(port, vid, mask); + +@@ -1988,8 +2011,10 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + MVPP2_PRS_VLAN_FILT_MAX_ENTRY); + + /* There isn't room for a new VID filter */ 
+- if (tid < 0) ++ if (tid < 0) { ++ spin_unlock_bh(&priv->prs_spinlock); + return tid; ++ } + + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_VID); + pe.index = tid; +@@ -1997,7 +2022,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + /* Mask all ports */ + mvpp2_prs_tcam_port_map_set(&pe, 0); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + + /* Enable the current port */ +@@ -2019,6 +2044,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID); + mvpp2_prs_hw_write(priv, &pe); + ++ spin_unlock_bh(&priv->prs_spinlock); + return 0; + } + +@@ -2028,15 +2054,16 @@ void mvpp2_prs_vid_entry_remove(struct mvpp2_port *port, u16 vid) + struct mvpp2 *priv = port->priv; + int tid; + +- /* Scan TCAM and see if entry with this already exist */ +- tid = mvpp2_prs_vid_range_find(port, vid, 0xfff); ++ spin_lock_bh(&priv->prs_spinlock); + +- /* No such entry */ +- if (tid < 0) +- return; ++ /* Invalidate TCAM entry with this , if it exists */ ++ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff); ++ if (tid >= 0) { ++ mvpp2_prs_hw_inv(priv, tid); ++ priv->prs_shadow[tid].valid = false; ++ } + +- mvpp2_prs_hw_inv(priv, tid); +- priv->prs_shadow[tid].valid = false; ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Remove all existing VID filters on this port */ +@@ -2045,6 +2072,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port) + struct mvpp2 *priv = port->priv; + int tid; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id); + tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) { + if (priv->prs_shadow[tid].valid) { +@@ -2052,6 +2081,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port) + priv->prs_shadow[tid].valid = false; + } + } ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Remove VID filering entry for this port */ +@@ -2060,10 +2091,14 @@ void mvpp2_prs_vid_disable_filtering(struct 
mvpp2_port *port) + unsigned int tid = MVPP2_PRS_VID_PORT_DFLT(port->id); + struct mvpp2 *priv = port->priv; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + /* Invalidate the guard entry */ + mvpp2_prs_hw_inv(priv, tid); + + priv->prs_shadow[tid].valid = false; ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Add guard entry that drops packets when no VID is matched on this port */ +@@ -2079,6 +2114,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&priv->prs_spinlock); ++ + pe.index = tid; + + reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id)); +@@ -2111,6 +2148,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port) + /* Update shadow table */ + mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID); + mvpp2_prs_hw_write(priv, &pe); ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Parser default initialization */ +@@ -2118,6 +2157,20 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv) + { + int err, index, i; + ++ priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE, ++ sizeof(*priv->prs_shadow), ++ GFP_KERNEL); ++ if (!priv->prs_shadow) ++ return -ENOMEM; ++ ++ priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool), ++ MVPP2_PRS_DBL_VLANS_MAX, ++ GFP_KERNEL); ++ if (!priv->prs_double_vlans) ++ return -ENOMEM; ++ ++ spin_lock_bh(&priv->prs_spinlock); ++ + /* Enable tcam table */ + mvpp2_write(priv, MVPP2_PRS_TCAM_CTRL_REG, MVPP2_PRS_TCAM_EN_MASK); + +@@ -2136,12 +2189,6 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv) + for (index = 0; index < MVPP2_PRS_TCAM_SRAM_SIZE; index++) + mvpp2_prs_hw_inv(priv, index); + +- priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE, +- sizeof(*priv->prs_shadow), +- GFP_KERNEL); +- if (!priv->prs_shadow) +- return -ENOMEM; +- + /* Always start from lookup = 0 */ + for (index = 0; index < MVPP2_MAX_PORTS; index++) + mvpp2_prs_hw_port_init(priv, index, 
MVPP2_PRS_LU_MH, +@@ -2158,26 +2205,13 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv) + mvpp2_prs_vid_init(priv); + + err = mvpp2_prs_etype_init(priv); +- if (err) +- return err; +- +- err = mvpp2_prs_vlan_init(pdev, priv); +- if (err) +- return err; +- +- err = mvpp2_prs_pppoe_init(priv); +- if (err) +- return err; +- +- err = mvpp2_prs_ip6_init(priv); +- if (err) +- return err; +- +- err = mvpp2_prs_ip4_init(priv); +- if (err) +- return err; ++ err = err ? : mvpp2_prs_vlan_init(pdev, priv); ++ err = err ? : mvpp2_prs_pppoe_init(priv); ++ err = err ? : mvpp2_prs_ip6_init(priv); ++ err = err ? : mvpp2_prs_ip4_init(priv); + +- return 0; ++ spin_unlock_bh(&priv->prs_spinlock); ++ return err; + } + + /* Compare MAC DA with tcam entry data */ +@@ -2217,7 +2251,7 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da, + (priv->prs_shadow[tid].udf != udf_type)) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + entry_pmap = mvpp2_prs_tcam_port_map_get(&pe); + + if (mvpp2_prs_mac_range_equals(&pe, da, mask) && +@@ -2229,7 +2263,8 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da, + } + + /* Update parser's mac da entry */ +-int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) ++static int __mvpp2_prs_mac_da_accept(struct mvpp2_port *port, ++ const u8 *da, bool add) + { + unsigned char mask[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; + struct mvpp2 *priv = port->priv; +@@ -2261,7 +2296,7 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) + /* Mask all ports */ + mvpp2_prs_tcam_port_map_set(&pe, 0); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC); +@@ -2317,6 +2352,17 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) + return 0; + } + ++int 
mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) ++{ ++ int err; ++ ++ spin_lock_bh(&port->priv->prs_spinlock); ++ err = __mvpp2_prs_mac_da_accept(port, da, add); ++ spin_unlock_bh(&port->priv->prs_spinlock); ++ ++ return err; ++} ++ + int mvpp2_prs_update_mac_da(struct net_device *dev, const u8 *da) + { + struct mvpp2_port *port = netdev_priv(dev); +@@ -2345,6 +2391,8 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port) + unsigned long pmap; + int index, tid; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + for (tid = MVPP2_PE_MAC_RANGE_START; + tid <= MVPP2_PE_MAC_RANGE_END; tid++) { + unsigned char da[ETH_ALEN], da_mask[ETH_ALEN]; +@@ -2354,7 +2402,7 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port) + (priv->prs_shadow[tid].udf != MVPP2_PRS_UDF_MAC_DEF)) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + + pmap = mvpp2_prs_tcam_port_map_get(&pe); + +@@ -2375,14 +2423,17 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port) + continue; + + /* Remove entry from TCAM */ +- mvpp2_prs_mac_da_accept(port, da, false); ++ __mvpp2_prs_mac_da_accept(port, da, false); + } ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type) + { + switch (type) { + case MVPP2_TAG_TYPE_EDSA: ++ spin_lock_bh(&priv->prs_spinlock); + /* Add port to EDSA entries */ + mvpp2_prs_dsa_tag_set(priv, port, true, + MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA); +@@ -2393,9 +2444,11 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type) + MVPP2_PRS_TAGGED, MVPP2_PRS_DSA); + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_UNTAGGED, MVPP2_PRS_DSA); ++ spin_unlock_bh(&priv->prs_spinlock); + break; + + case MVPP2_TAG_TYPE_DSA: ++ spin_lock_bh(&priv->prs_spinlock); + /* Add port to DSA entries */ + mvpp2_prs_dsa_tag_set(priv, port, true, + MVPP2_PRS_TAGGED, MVPP2_PRS_DSA); +@@ -2406,10 +2459,12 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int 
type) + MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA); + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA); ++ spin_unlock_bh(&priv->prs_spinlock); + break; + + case MVPP2_TAG_TYPE_MH: + case MVPP2_TAG_TYPE_NONE: ++ spin_lock_bh(&priv->prs_spinlock); + /* Remove port form EDSA and DSA entries */ + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_TAGGED, MVPP2_PRS_DSA); +@@ -2419,6 +2474,7 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type) + MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA); + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA); ++ spin_unlock_bh(&priv->prs_spinlock); + break; + + default: +@@ -2437,11 +2493,15 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&priv->prs_spinlock); ++ + tid = mvpp2_prs_tcam_first_free(priv, + MVPP2_PE_LAST_FREE_TID, + MVPP2_PE_FIRST_FREE_TID); +- if (tid < 0) ++ if (tid < 0) { ++ spin_unlock_bh(&priv->prs_spinlock); + return tid; ++ } + + pe.index = tid; + +@@ -2461,6 +2521,7 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask) + mvpp2_prs_tcam_port_map_set(&pe, MVPP2_PRS_PORT_MASK); + mvpp2_prs_hw_write(priv, &pe); + ++ spin_unlock_bh(&priv->prs_spinlock); + return 0; + } + +@@ -2472,6 +2533,8 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&port->priv->prs_spinlock); ++ + tid = mvpp2_prs_flow_find(port->priv, port->id); + + /* Such entry not exist */ +@@ -2480,8 +2543,10 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port) + tid = mvpp2_prs_tcam_first_free(port->priv, + MVPP2_PE_LAST_FREE_TID, + MVPP2_PE_FIRST_FREE_TID); +- if (tid < 0) ++ if (tid < 0) { ++ spin_unlock_bh(&port->priv->prs_spinlock); + return tid; ++ } + + pe.index = tid; + +@@ -2492,13 +2557,14 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port) + /* Update shadow table */ + mvpp2_prs_shadow_set(port->priv, pe.index, MVPP2_PRS_LU_FLOWS); + } else { 
+- mvpp2_prs_init_from_hw(port->priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(port->priv, &pe, tid); + } + + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_FLOWS); + mvpp2_prs_tcam_port_map_set(&pe, (1 << port->id)); + mvpp2_prs_hw_write(port->priv, &pe); + ++ spin_unlock_bh(&port->priv->prs_spinlock); + return 0; + } + +@@ -2509,11 +2575,14 @@ int mvpp2_prs_hits(struct mvpp2 *priv, int index) + if (index > MVPP2_PRS_TCAM_SRAM_SIZE) + return -EINVAL; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + mvpp2_write(priv, MVPP2_PRS_TCAM_HIT_IDX_REG, index); + + val = mvpp2_read(priv, MVPP2_PRS_TCAM_HIT_CNT_REG); + + val &= MVPP2_PRS_TCAM_HIT_CNT_MASK; + ++ spin_unlock_bh(&priv->prs_spinlock); + return val; + } +-- +2.39.5 + diff --git a/queue-5.15/net_sched-skbprio-remove-overly-strict-queue-asserti.patch b/queue-5.15/net_sched-skbprio-remove-overly-strict-queue-asserti.patch new file mode 100644 index 0000000000..90e0797a03 --- /dev/null +++ b/queue-5.15/net_sched-skbprio-remove-overly-strict-queue-asserti.patch 
@@ -0,0 +1,60 @@ +From c8ef80466270325f0582eea3ae905b9f8160de32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Mar 2025 15:25:35 -0700 +Subject: net_sched: skbprio: Remove overly strict queue assertions + +From: Cong Wang + +[ Upstream commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8 ] + +In the current implementation, skbprio enqueue/dequeue contains an assertion +that fails under certain conditions when SKBPRIO is used as a child qdisc under +TBF with specific parameters. The failure occurs because TBF sometimes peeks at +packets in the child qdisc without actually dequeuing them when tokens are +unavailable. + +This peek operation creates a discrepancy between the parent and child qdisc +queue length counters. When TBF later receives a high-priority packet, +SKBPRIO's queue length may show a different value than what's reflected in its +internal priority queue tracking, triggering the assertion. + +The fix removes this overly strict assertions in SKBPRIO, they are not +necessary at all. + +Reported-by: syzbot+a3422a19b05ea96bee18@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a3422a19b05ea96bee18 +Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler") +Cc: Nishanth Devarajan +Signed-off-by: Cong Wang +Acked-by: Paolo Abeni +Link: https://patch.msgid.link/20250329222536.696204-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_skbprio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/sched/sch_skbprio.c b/net/sched/sch_skbprio.c +index df72fb83d9c7d..c9e422e466159 100644 +--- a/net/sched/sch_skbprio.c ++++ b/net/sched/sch_skbprio.c +@@ -121,8 +121,6 @@ static int skbprio_enqueue(struct sk_buff *skb, struct Qdisc *sch, + /* Check to update highest and lowest priorities. */ + if (skb_queue_empty(lp_qdisc)) { + if (q->lowest_prio == q->highest_prio) { +- /* The incoming packet is the only packet in queue. 
*/ +- BUG_ON(sch->q.qlen != 1); + q->lowest_prio = prio; + q->highest_prio = prio; + } else { +@@ -154,7 +152,6 @@ static struct sk_buff *skbprio_dequeue(struct Qdisc *sch) + /* Update highest priority field. */ + if (skb_queue_empty(hpq)) { + if (q->lowest_prio == q->highest_prio) { +- BUG_ON(sch->q.qlen); + q->highest_prio = 0; + q->lowest_prio = SKBPRIO_MAX_PRIORITY - 1; + } else { +-- +2.39.5 + diff --git a/queue-5.15/netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch b/queue-5.15/netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch new file mode 100644 index 0000000000..f52f403385 --- /dev/null +++ b/queue-5.15/netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch 
@@ -0,0 +1,40 @@ +From fc2ad8dfe989239193b9f5de5a67ffcf52923507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 23:24:20 +0100 +Subject: netfilter: nft_set_hash: GC reaps elements with conncount for dynamic + sets only + +From: Pablo Neira Ayuso + +[ Upstream commit 9d74da1177c800eb3d51c13f9821b7b0683845a5 ] + +conncount has its own GC handler which determines when to reap stale +elements, this is convenient for dynamic sets. However, this also reaps +non-dynamic sets with static configurations coming from control plane. +Always run connlimit gc handler but honor feedback to reap element if +this set is dynamic. + +Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_hash.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c +index 5c4209b49bda7..a592cca7a61f9 100644 +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -310,7 +310,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set, + + nft_setelem_expr_foreach(expr, elem_expr, size) { + if (expr->ops->gc && +- expr->ops->gc(read_pnet(&set->net), expr)) ++ expr->ops->gc(read_pnet(&set->net), expr) && ++ set->flags & NFT_SET_EVAL) + return true; + } + +-- +2.39.5 + diff --git a/queue-5.15/netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch b/queue-5.15/netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch new file mode 100644 index 0000000000..fa8a0f42f0 --- /dev/null +++ b/queue-5.15/netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch 
@@ -0,0 +1,88 @@ +From 8ef9c4df9fa5b5731b7d72a9a391d55565c13507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 01:00:26 +0800 +Subject: netfilter: nft_tunnel: fix geneve_opt type confusion addition + +From: Lin Ma + +[ Upstream commit 1b755d8eb1ace3870789d48fbd94f386ad6e30be ] + +When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the +parsing logic should place every geneve_opt structure one by one +compactly. Hence, when deciding the next geneve_opt position, the +pointer addition should be in units of char *. + +However, the current implementation erroneously does type conversion +before the addition, which will lead to heap out-of-bounds write. + +[ 6.989857] ================================================================== +[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70 +[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178 +[ 6.991162] +[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1 +[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 6.992281] Call Trace: +[ 6.992423] +[ 6.992586] dump_stack_lvl+0x44/0x5c +[ 6.992801] print_report+0x184/0x4be +[ 6.993790] kasan_report+0xc5/0x100 +[ 6.994252] kasan_check_range+0xf3/0x1a0 +[ 6.994486] memcpy+0x38/0x60 +[ 6.994692] nft_tunnel_obj_init+0x977/0xa70 +[ 6.995677] nft_obj_init+0x10c/0x1b0 +[ 6.995891] nf_tables_newobj+0x585/0x950 +[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020 +[ 6.998997] nfnetlink_rcv+0x1df/0x220 +[ 6.999537] netlink_unicast+0x395/0x530 +[ 7.000771] netlink_sendmsg+0x3d0/0x6d0 +[ 7.001462] __sock_sendmsg+0x99/0xa0 +[ 7.001707] ____sys_sendmsg+0x409/0x450 +[ 7.002391] ___sys_sendmsg+0xfd/0x170 +[ 7.003145] __sys_sendmsg+0xea/0x170 +[ 7.004359] do_syscall_64+0x5e/0x90 +[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 7.006127] RIP: 0033:0x7ec756d4e407 +[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 
00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf +[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e +[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407 +[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003 +[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000 +[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 +[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8 + +Fix this bug with correct pointer addition and conversion in parse +and dump code. + +Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts") +Signed-off-by: Lin Ma +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tunnel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index c8822fa8196d9..1b05b70497283 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -311,7 +311,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN + static int nft_tunnel_obj_geneve_init(const struct nlattr *attr, + struct nft_tunnel_opts *opts) + { +- struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len; ++ struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len); + struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1]; + int err, data_len; + +@@ -592,7 +592,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + if (!inner) + goto failure; + while (opts->len > offset) { +- opt = (struct geneve_opt *)opts->u.data + offset; ++ opt = (struct geneve_opt *)(opts->u.data + offset); + if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS, + opt->opt_class) || + nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE, +-- +2.39.5 + 
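Review bot: in the mvpp2 patch, lockdep_assert_held(&priv->prs_spinlock) is added to mvpp2_prs_hw_write(), __mvpp2_prs_init_from_hw() and __mvpp2_prs_mac_promisc_set(), but not to mvpp2_prs_hw_inv() or mvpp2_prs_shadow_set(), which the patch also relies on being called under the lock. mvpp2_prs_vid_entry_remove() and mvpp2_prs_vid_disable_filtering() touch the parser only through mvpp2_prs_hw_inv() and a direct prs_shadow[tid].valid store, so a future caller that forgets the lock on that path would go unnoticed by lockdep. Suggest adding the same assertion to every static helper that programs the index register or writes the shadow table, so the locking rule stated in the changelog is enforced uniformly.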
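Review bot: in the last hunk of mvpp2_prs.c, mvpp2_prs_hits() keeps the guard `if (index > MVPP2_PRS_TCAM_SRAM_SIZE)`, while mvpp2_prs_hw_write() and __mvpp2_prs_init_from_hw() in the same patch reject anything above MVPP2_PRS_TCAM_SRAM_SIZE - 1. As written, index == MVPP2_PRS_TCAM_SRAM_SIZE passes the check and is written to MVPP2_PRS_TCAM_HIT_IDX_REG under the new lock. The line is unchanged context, so it may be out of scope for a locking fix, but since the function is being touched it is worth either tightening the comparison to match the other two helpers or noting in the changelog that it is left for a separate patch.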
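Review bot: in the sch_skbprio.c hunks, both BUG_ON() checks on sch->q.qlen are deleted together with the only comment that explained the `q->lowest_prio == q->highest_prio` branch ("The incoming packet is the only packet in queue."), leaving skbprio_enqueue() and skbprio_dequeue() to reset the priority bounds with no statement of what that condition now means. The changelog explains that a parent TBF peek can make sch->q.qlen disagree with the internal per-priority queues; a short comment at each site saying that qlen is deliberately not consulted here, and why, would keep the next reader from reintroducing the assertion. If the invariant is still expected to hold when no parent has peeked, a WARN_ON_ONCE() would preserve the diagnostic without crashing the machine.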
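Review bot: in nft_rhash_expr_needs_gc_run(), the new condition `expr->ops->gc(read_pnet(&set->net), expr) && set->flags & NFT_SET_EVAL` is correct only because `&` binds tighter than `&&`, and it is behaviourally dependent on the flag test coming last: the changelog requires the conncount gc handler to run for every set, with the result honoured only for dynamic sets. Suggest parenthesising `(set->flags & NFT_SET_EVAL)` and adding a one-line comment that the gc call must stay ahead of the flag test, since moving the cheap flag check first would look like a harmless cleanup and would stop the handler from running on static sets.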
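Review bot: the cast-before-addition mistake is corrected by hand at two separate sites, nft_tunnel_obj_geneve_init() (`opts->u.data + opts->len`) and nft_tunnel_opts_dump() (`opts->u.data + offset`), which leaves the same expression open to being mistyped again the next time this code is copied. Suggest a small static helper that takes opts and a byte offset and returns the struct geneve_opt pointer, used from both places, so the byte-granular addition lives in one spot. Separately, the KASAN report in the changelog is a 124-byte memcpy past the slab object, and the context shown in the init hunk does not include a check that opts->len plus the new option still fits in opts->u.data; it would help to confirm in the changelog where that bound is enforced once the pointer arithmetic is correct.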
diff --git a/queue-5.15/netlabel-fix-null-pointer-exception-caused-by-calips.patch b/queue-5.15/netlabel-fix-null-pointer-exception-caused-by-calips.patch new file mode 100644 index 0000000000..07bf989c7d --- /dev/null +++ b/queue-5.15/netlabel-fix-null-pointer-exception-caused-by-calips.patch 
@@ -0,0 +1,87 @@ +From dbba400658ca2a61c798ef962b1b419ad88aba59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 20:40:18 +0800 +Subject: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 + sockets + +From: Debin Zhu + +[ Upstream commit 078aabd567de3d63d37d7673f714e309d369e6e2 ] + +When calling netlbl_conn_setattr(), addr->sa_family is used +to determine the function behavior. If sk is an IPv4 socket, +but the connect function is called with an IPv6 address, +the function calipso_sock_setattr() is triggered. +Inside this function, the following code is executed: + +sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; + +Since sk is an IPv4 socket, pinet6 is NULL, leading to a +null pointer dereference. + +This patch fixes the issue by checking if inet6_sk(sk) +returns a NULL pointer before accessing pinet6. + +Signed-off-by: Debin Zhu +Signed-off-by: Bitao Ouyang <1985755126@qq.com> +Acked-by: Paul Moore +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Link: https://patch.msgid.link/20250401124018.4763-1-mowenroot@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index 1578ed9e97d89..c07e3da08d2a8 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1075,8 +1075,13 @@ static int calipso_sock_getattr(struct sock *sk, + struct ipv6_opt_hdr *hop; + int opt_len, len, ret_val = -ENOMSG, offset; + unsigned char *opt; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return -EAFNOSUPPORT; + ++ txopts = txopt_get(pinfo); + if (!txopts || !txopts->hopopt) + goto done; + +@@ -1128,8 +1133,13 @@ static int calipso_sock_setattr(struct sock *sk, + { + int ret_val; + struct ipv6_opt_hdr *old, *new; +- struct 
ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return -EAFNOSUPPORT; + ++ txopts = txopt_get(pinfo); + old = NULL; + if (txopts) + old = txopts->hopopt; +@@ -1156,8 +1166,13 @@ static int calipso_sock_setattr(struct sock *sk, + static void calipso_sock_delattr(struct sock *sk) + { + struct ipv6_opt_hdr *new_hop; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return; + ++ txopts = txopt_get(pinfo); + if (!txopts || !txopts->hopopt) + goto done; + +-- +2.39.5 + diff --git a/queue-5.15/nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch b/queue-5.15/nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch new file mode 100644 index 0000000000..06d63bcb27 --- /dev/null +++ b/queue-5.15/nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch 
@@ -0,0 +1,79 @@ +From bcb9fe2ebad45f01d7a8e8e18fb4f509a5738e87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 16:50:30 -0500 +Subject: NFSv4: Don't trigger uneccessary scans for return-on-close + delegations + +From: Trond Myklebust + +[ Upstream commit 47acca884f714f41d95dc654f802845544554784 ] + +The amount of looping through the list of delegations is occasionally +leading to soft lockups. Avoid at least some loops by not requiring the +NFSv4 state manager to scan for delegations that are marked for +return-on-close. Instead, either mark them for immediate return (if +possible) or else leave it up to nfs4_inode_return_delegation_on_close() +to return them once the file is closed by the application. + +Fixes: b757144fd77c ("NFSv4: Be less aggressive about returning delegations for open files") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/delegation.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index ac79ef0d43a73..0c14ff09cfbe3 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -570,17 +570,6 @@ static bool nfs_delegation_need_return(struct nfs_delegation *delegation) + + if (test_and_clear_bit(NFS_DELEGATION_RETURN, &delegation->flags)) + ret = true; +- else if (test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags)) { +- struct inode *inode; +- +- spin_lock(&delegation->lock); +- inode = delegation->inode; +- if (inode && list_empty(&NFS_I(inode)->open_files)) +- ret = true; +- spin_unlock(&delegation->lock); +- } +- if (ret) +- clear_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags); + if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags) || + test_bit(NFS_DELEGATION_RETURN_DELAYED, &delegation->flags) || + test_bit(NFS_DELEGATION_REVOKED, &delegation->flags)) +@@ -821,11 +810,25 @@ int nfs4_inode_make_writeable(struct inode *inode) + return 
nfs4_inode_return_delegation(inode); + } + +-static void nfs_mark_return_if_closed_delegation(struct nfs_server *server, +- struct nfs_delegation *delegation) ++static void ++nfs_mark_return_if_closed_delegation(struct nfs_server *server, ++ struct nfs_delegation *delegation) + { +- set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags); +- set_bit(NFS4CLNT_DELEGRETURN, &server->nfs_client->cl_state); ++ struct inode *inode; ++ ++ if (test_bit(NFS_DELEGATION_RETURN, &delegation->flags) || ++ test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags)) ++ return; ++ spin_lock(&delegation->lock); ++ inode = delegation->inode; ++ if (!inode) ++ goto out; ++ if (list_empty(&NFS_I(inode)->open_files)) ++ nfs_mark_return_delegation(server, delegation); ++ else ++ set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags); ++out: ++ spin_unlock(&delegation->lock); + } + + static bool nfs_server_mark_return_all_delegations(struct nfs_server *server) +-- +2.39.5 + diff --git a/queue-5.15/ntb-intel-fix-using-link-status-db-s.patch b/queue-5.15/ntb-intel-fix-using-link-status-db-s.patch new file mode 100644 index 0000000000..5e5c5fb42b --- /dev/null +++ b/queue-5.15/ntb-intel-fix-using-link-status-db-s.patch 
@@ -0,0 +1,37 @@ +From 18389ef1170a7005a505dd3ff75533779c31152b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 11:15:19 +0300 +Subject: ntb: intel: Fix using link status DB's + +From: Nikita Shubin + +[ Upstream commit 8144e9c8f30fb23bb736a5d24d5c9d46965563c4 ] + +Make sure we are not using DB's which were remapped for link status. + +Fixes: f6e51c354b60 ("ntb: intel: split out the gen3 code") +Signed-off-by: Nikita Shubin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen3.c b/drivers/ntb/hw/intel/ntb_hw_gen3.c +index ffcfc3e02c353..a5aa96a31f4a6 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen3.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen3.c +@@ -215,6 +215,9 @@ static int gen3_init_ntb(struct intel_ntb_dev *ndev) + } + + ndev->db_valid_mask = BIT_ULL(ndev->db_count) - 1; ++ /* Make sure we are not using DB's used for link status */ ++ if (ndev->hwerr_flags & NTB_HWERR_MSIX_VECTOR32_BAD) ++ ndev->db_valid_mask &= ~ndev->db_link_mask; + + ndev->reg->db_iowrite(ndev->db_valid_mask, + ndev->self_mmio + +-- +2.39.5 + diff --git a/queue-5.15/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch b/queue-5.15/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch new file mode 100644 index 0000000000..733af53898 --- /dev/null +++ b/queue-5.15/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch 
@@ -0,0 +1,45 @@ +From f455f91221af97e728bac5b2cd436b4785dd84f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 16:33:05 +0800 +Subject: ntb_hw_switchtec: Fix shift-out-of-bounds in + switchtec_ntb_mw_set_trans + +From: Yajun Deng + +[ Upstream commit de203da734fae00e75be50220ba5391e7beecdf9 ] + +There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and +size. This would make xlate_pos negative. + +[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 +[ 23.734158] ================================================================================ +[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 +[ 23.734418] shift exponent -1 is negative + +Ensuring xlate_pos is a positive or zero before BIT. + +Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()") +Signed-off-by: Yajun Deng +Reviewed-by: Logan Gunthorpe +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +index 759248415b5c2..c9351063aaf15 100644 +--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c ++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +@@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx, + if (size != 0 && xlate_pos < 12) + return -EINVAL; + +- if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { ++ if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { + /* + * In certain circumstances we can get a buffer that is + * not aligned to its size. (Most of the time +-- +2.39.5 + diff --git a/queue-5.15/nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch b/queue-5.15/nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch new file mode 100644 index 0000000000..287255cece --- /dev/null 
+++ b/queue-5.15/nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch @@ -0,0 +1,38 @@ +From 546377e2e23bb751a2eba38099fb80a2de0f6bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 01:04:43 +0800 +Subject: nvme-pci: clean up CMBMSC when registering CMB fails + +From: Icenowy Zheng + +[ Upstream commit 6a3572e10f740acd48e2713ef37e92186a3ce5e8 ] + +CMB decoding should get disabled when the CMB block isn't successfully +registered to P2P DMA subsystem. + +Clean up the CMBMSC register in this error handling codepath to disable +CMB decoding (and CMBLOC/CMBSZ registers). + +Signed-off-by: Icenowy Zheng +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 2eb692876f695..39df3ac10a21f 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1870,6 +1870,7 @@ static void nvme_map_cmb(struct nvme_dev *dev) + if (pci_p2pdma_add_resource(pdev, bar, size, offset)) { + dev_warn(dev->ctrl.device, + "failed to register the CMB\n"); ++ hi_lo_writeq(0, dev->bar + NVME_REG_CMBMSC); + return; + } + +-- +2.39.5 + diff --git a/queue-5.15/nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch b/queue-5.15/nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch new file mode 100644 index 0000000000..22477a043b --- /dev/null +++ b/queue-5.15/nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch 
@@ -0,0 +1,68 @@ +From 2fbd2002fc3f726f346f9ebf468fdb31f40c61c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 01:04:44 +0800 +Subject: nvme-pci: skip CMB blocks incompatible with PCI P2P DMA + +From: Icenowy Zheng + +[ Upstream commit 56cf7ef0d490b28fad8f8629fc135c5ab7c9f54e ] + +The PCI P2PDMA code will register the CMB block to the memory +hot-plugging subsystem, which have an alignment requirement. Memory +blocks that do not satisfy this alignment requirement (usually 2MB) will +lead to a WARNING from memory hotplugging. + +Verify the CMB block's address and size against the alignment and only +try to send CMB blocks compatible with it to prevent this warning. + +Tested on Intel DC D4502 SSD, which has a 512K CMB block that is too +small for memory hotplugging (thus PCI P2PDMA). + +Signed-off-by: Icenowy Zheng +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 39df3ac10a21f..a3c5af95e8f3e 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1849,6 +1849,18 @@ static void nvme_map_cmb(struct nvme_dev *dev) + if (offset > bar_size) + return; + ++ /* ++ * Controllers may support a CMB size larger than their BAR, for ++ * example, due to being behind a bridge. 
Reduce the CMB to the ++ * reported size of the BAR ++ */ ++ size = min(size, bar_size - offset); ++ ++ if (!IS_ALIGNED(size, memremap_compat_align()) || ++ !IS_ALIGNED(pci_resource_start(pdev, bar), ++ memremap_compat_align())) ++ return; ++ + /* + * Tell the controller about the host side address mapping the CMB, + * and enable CMB decoding for the NVMe 1.4+ scheme: +@@ -1859,14 +1871,6 @@ static void nvme_map_cmb(struct nvme_dev *dev) + dev->bar + NVME_REG_CMBMSC); + } + +- /* +- * Controllers may support a CMB size larger than their BAR, +- * for example, due to being behind a bridge. Reduce the CMB to +- * the reported size of the BAR +- */ +- if (size > bar_size - offset) +- size = bar_size - offset; +- + if (pci_p2pdma_add_resource(pdev, bar, size, offset)) { + dev_warn(dev->ctrl.device, + "failed to register the CMB\n"); +-- +2.39.5 + diff --git a/queue-5.15/nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch b/queue-5.15/nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch new file mode 100644 index 0000000000..cdd4333443 --- /dev/null +++ b/queue-5.15/nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch 
@@ -0,0 +1,88 @@ +From 871c0f08ef1634493ce53c275def1ec4a5872e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 13:18:30 +0200 +Subject: nvme-tcp: fix possible UAF in nvme_tcp_poll + +From: Sagi Grimberg + +[ Upstream commit 8c1624b63a7d24142a2bbc3a5ee7e95f004ea36e ] + +nvme_tcp_poll() may race with the send path error handler because +it may complete the request while it is actively being polled for +completion, resulting in a UAF panic [1]: + +We should make sure to stop polling when we see an error when +trying to read from the socket. Hence make sure to propagate the +error so that the block layer breaks the polling cycle. + +[1]: +-- +[35665.692310] nvme nvme2: failed to send request -13 +[35665.702265] nvme nvme2: unsupported pdu type (3) +[35665.702272] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[35665.702542] nvme nvme2: queue 1 receive failed: -22 +[35665.703209] #PF: supervisor write access in kernel mode +[35665.703213] #PF: error_code(0x0002) - not-present page +[35665.703214] PGD 8000003801cce067 P4D 8000003801cce067 PUD 37e6f79067 PMD 0 +[35665.703220] Oops: 0002 [#1] SMP PTI +[35665.703658] nvme nvme2: starting error recovery +[35665.705809] Hardware name: Inspur aaabbb/YZMB-00882-104, BIOS 4.1.26 09/22/2022 +[35665.705812] Workqueue: kblockd blk_mq_requeue_work +[35665.709172] RIP: 0010:_raw_spin_lock+0xc/0x30 +[35665.715788] Call Trace: +[35665.716201] +[35665.716613] ? show_trace_log_lvl+0x1c1/0x2d9 +[35665.717049] ? show_trace_log_lvl+0x1c1/0x2d9 +[35665.717457] ? blk_mq_request_bypass_insert+0x2c/0xb0 +[35665.717950] ? __die_body.cold+0x8/0xd +[35665.718361] ? page_fault_oops+0xac/0x140 +[35665.718749] ? blk_mq_start_request+0x30/0xf0 +[35665.719144] ? nvme_tcp_queue_rq+0xc7/0x170 [nvme_tcp] +[35665.719547] ? exc_page_fault+0x62/0x130 +[35665.719938] ? asm_exc_page_fault+0x22/0x30 +[35665.720333] ? 
_raw_spin_lock+0xc/0x30 +[35665.720723] blk_mq_request_bypass_insert+0x2c/0xb0 +[35665.721101] blk_mq_requeue_work+0xa5/0x180 +[35665.721451] process_one_work+0x1e8/0x390 +[35665.721809] worker_thread+0x53/0x3d0 +[35665.722159] ? process_one_work+0x390/0x390 +[35665.722501] kthread+0x124/0x150 +[35665.722849] ? set_kthread_struct+0x50/0x50 +[35665.723182] ret_from_fork+0x1f/0x30 + +Reported-by: Zhang Guanghui +Signed-off-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 4ca7ef9416002..0fc5aba88bc15 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2491,6 +2491,7 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx) + { + struct nvme_tcp_queue *queue = hctx->driver_data; + struct sock *sk = queue->sock->sk; ++ int ret; + + if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags)) + return 0; +@@ -2498,9 +2499,9 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx) + set_bit(NVME_TCP_Q_POLLING, &queue->flags); + if (sk_can_busy_loop(sk) && skb_queue_empty_lockless(&sk->sk_receive_queue)) + sk_busy_loop(sk, true); +- nvme_tcp_try_recv(queue); ++ ret = nvme_tcp_try_recv(queue); + clear_bit(NVME_TCP_Q_POLLING, &queue->flags); +- return queue->nr_cqe; ++ return ret < 0 ? ret : queue->nr_cqe; + } + + static const struct blk_mq_ops nvme_tcp_mq_ops = { +-- +2.39.5 + diff --git a/queue-5.15/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch b/queue-5.15/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch new file mode 100644 index 0000000000..35a375d14e --- /dev/null +++ b/queue-5.15/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch 
@@ -0,0 +1,49 @@ +From a82f838febd08c7e5b08670ca2968f5b38073dee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:06 -0700 +Subject: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() + +From: Josh Poimboeuf + +[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ] + +If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result +is a divide-by-zero. Prevent that from happening. + +Fixes the following warning with an UBSAN kernel: + + drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx() + +Fixes: 173a64cb3fcf ("[media] dib8000: enhancement") +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Mauro Carvalho Chehab +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib8000.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index 02cb48223dc67..a28cbbd9e475c 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz) + u8 ratio; + + if (state->revision == 0x8090) { ++ u32 internal = dib8000_read32(state, 23) / 1000; ++ + ratio = 4; +- unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000); ++ ++ unit_khz_dds_val = (1<<26) / (internal ?: 1); + if (offset_khz < 0) + dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val); + else +-- +2.39.5 + diff --git a/queue-5.15/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch b/queue-5.15/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch new file mode 100644 index 0000000000..52fde3f275 
--- /dev/null +++ b/queue-5.15/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch 
@@ -0,0 +1,56 @@ +From d88b23822f7ecb58e960431e2eaeb95facfa4de9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 11:49:08 +0300 +Subject: ocfs2: validate l_tree_depth to avoid out-of-bounds access + +From: Vasiliy Kovalev + +[ Upstream commit a406aff8c05115119127c962cbbbbd202e1973ef ] + +The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is +limited to OCFS2_MAX_PATH_DEPTH. + +Add a check to prevent out-of-bounds access if l_tree_depth has an invalid +value, which may occur when reading from a corrupted mounted disk [1]. + +Link: https://lkml.kernel.org/r/20250214084908.736528-1-kovalev@altlinux.org +Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") +Signed-off-by: Vasiliy Kovalev +Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1] +Reviewed-by: Joseph Qi +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Kurt Hackel +Cc: Mark Fasheh +Cc: Vasiliy Kovalev +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 5d9ae17bd443f..9c95d911a14b1 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -1796,6 +1796,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci, + + el = root_el; + while (el->l_tree_depth) { ++ if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) { ++ ocfs2_error(ocfs2_metadata_cache_get_super(ci), ++ "Owner %llu has invalid tree depth %u in extent list\n", ++ (unsigned long long)ocfs2_metadata_cache_owner(ci), ++ le16_to_cpu(el->l_tree_depth)); ++ ret = -EROFS; ++ goto out; ++ } + if (le16_to_cpu(el->l_next_free_rec) == 0) { + ocfs2_error(ocfs2_metadata_cache_get_super(ci), + "Owner %llu has empty extent list at depth %u\n", +-- +2.39.5 + 
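Review bot: the new check in __ocfs2_find_path() rejects an l_tree_depth equal to OCFS2_MAX_PATH_DEPTH (it tests `>=`), while the changelog only says the depth is "limited to" that constant. A one-line comment stating that the bound is exclusive, and why, would keep a later reader from suspecting an off-by-one. le16_to_cpu(el->l_tree_depth) is also evaluated once for the test and again for the message; reading it into a local would guarantee the reported value is the one that was tested.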
diff --git a/queue-5.15/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch b/queue-5.15/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch new file mode 100644 index 0000000000..32dd66d5b6 --- /dev/null +++ b/queue-5.15/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch @@ -0,0 +1,39 @@ +From 2ce647e4166fc89ca6b364fcfaef5b10605da834 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 14:44:41 +0530 +Subject: octeontx2-af: Fix mbox INTR handler when num VFs > 64 + +From: Geetha sowjanya + +[ Upstream commit 0fdba88a211508984eb5df62008c29688692b134 ] + +When number of RVU VFs > 64, the vfs value passed to "rvu_queue_work" +function is incorrect. Due to which mbox workqueue entries for +VFs 0 to 63 never gets added to workqueue. + +Fixes: 9bdc47a6e328 ("octeontx2-af: Mbox communication support btw AF and it's VFs") +Signed-off-by: Geetha sowjanya +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250327091441.1284-1-gakula@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index bc8187e3f3393..0863fa06c06d1 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -2469,7 +2469,7 @@ static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq) + rvupf_write64(rvu, RVU_PF_VFPF_MBOX_INTX(1), intr); + + rvu_queue_work(&rvu->afvf_wq_info, 64, vfs, intr); +- vfs -= 64; ++ vfs = 64; + } + + intr = rvupf_read64(rvu, RVU_PF_VFPF_MBOX_INTX(0)); +-- +2.39.5 + diff --git a/queue-5.15/octeontx2-af-free-nix_af_int_vec_gen-irq.patch b/queue-5.15/octeontx2-af-free-nix_af_int_vec_gen-irq.patch new file mode 100644 index 0000000000..bd33d02e76 --- /dev/null +++ b/queue-5.15/octeontx2-af-free-nix_af_int_vec_gen-irq.patch 
@@ -0,0 +1,40 @@ +From 3b2c8f91f1972fdccfe143718c4de3f9441bbdfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 15:10:54 +0530 +Subject: octeontx2-af: Free NIX_AF_INT_VEC_GEN irq + +From: Geetha sowjanya + +[ Upstream commit 323d6db6dc7decb06f2545efb9496259ddacd4f4 ] + +Due to the incorrect initial vector number in +rvu_nix_unregister_interrupts(), NIX_AF_INT_VEC_GEN is not +geeting free. Fix the vector number to include NIX_AF_INT_VEC_GEN +irq. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Geetha sowjanya +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250327094054.2312-1-gakula@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 40fbda152533b..c5e3ef6b41a87 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -216,7 +216,7 @@ static void rvu_nix_unregister_interrupts(struct rvu *rvu) + rvu->irq_allocated[offs + NIX_AF_INT_VEC_RVU] = false; + } + +- for (i = NIX_AF_INT_VEC_AF_ERR; i < NIX_AF_INT_VEC_CNT; i++) ++ for (i = NIX_AF_INT_VEC_GEN; i < NIX_AF_INT_VEC_CNT; i++) + if (rvu->irq_allocated[offs + i]) { + free_irq(pci_irq_vector(rvu->pdev, offs + i), rvu_dl); + rvu->irq_allocated[offs + i] = false; +-- +2.39.5 + diff --git a/queue-5.15/of-property-increase-nr_fwnode_reference_args.patch b/queue-5.15/of-property-increase-nr_fwnode_reference_args.patch new file mode 100644 index 0000000000..8b7729e56f --- /dev/null +++ b/queue-5.15/of-property-increase-nr_fwnode_reference_args.patch 
@@ -0,0 +1,52 @@ +From afb288bc3fd6725d4510e6d74703118e3120ba7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 21:58:06 +0800 +Subject: of: property: Increase NR_FWNODE_REFERENCE_ARGS + +From: Zijun Hu + +[ Upstream commit eb50844d728f11e87491f7c7af15a4a737f1159d ] + +Currently, the following two macros have different values: + +// The maximal argument count for firmware node reference + #define NR_FWNODE_REFERENCE_ARGS 8 +// The maximal argument count for DT node reference + #define MAX_PHANDLE_ARGS 16 + +It may cause firmware node reference's argument count out of range if +directly assign DT node reference's argument count to firmware's. + +drivers/of/property.c:of_fwnode_get_reference_args() is doing the direct +assignment, so may cause firmware's argument count @args->nargs got out +of range, namely, in [9, 16]. + +Fix by increasing NR_FWNODE_REFERENCE_ARGS to 16 to meet DT requirement. +Will align both macros later to avoid such inconsistency. + +Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args") +Signed-off-by: Zijun Hu +Acked-by: Sakari Ailus +Link: https://lore.kernel.org/r/20250225-fix_arg_count-v4-1-13cdc519eb31@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + include/linux/fwnode.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/fwnode.h b/include/linux/fwnode.h +index 2d68606fb725d..f0833bafe6bd4 100644 +--- a/include/linux/fwnode.h ++++ b/include/linux/fwnode.h +@@ -67,7 +67,7 @@ struct fwnode_endpoint { + #define SWNODE_GRAPH_PORT_NAME_FMT "port@%u" + #define SWNODE_GRAPH_ENDPOINT_NAME_FMT "endpoint@%u" + +-#define NR_FWNODE_REFERENCE_ARGS 8 ++#define NR_FWNODE_REFERENCE_ARGS 16 + + /** + * struct fwnode_reference_args - Fwnode reference with additional arguments +-- +2.39.5 + 
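Review bot: raising NR_FWNODE_REFERENCE_ARGS to a literal 16 in include/linux/fwnode.h leaves nothing to stop the two limits from diverging again. The changelog says of_fwnode_get_reference_args() assigns the DT argument count directly and that the macros will be aligned "later". Until then, either define one macro in terms of the other or add a build-time assertion that NR_FWNODE_REFERENCE_ARGS is not smaller than MAX_PHANDLE_ARGS next to that assignment. For a stable backport, also note in the changelog that the change grows every struct fwnode_reference_args, including on-stack instances.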
diff --git a/queue-5.15/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch b/queue-5.15/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch new file mode 100644 index 0000000000..8f1be7c1c3 --- /dev/null +++ b/queue-5.15/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch 
@@ -0,0 +1,84 @@ +From 9b059fbcc61c8239b5f1e160aade9d645d83b78b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Dec 2024 19:39:08 -0800 +Subject: PCI/ASPM: Fix link state exit during switch upstream function removal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Stodden + +[ Upstream commit cbf937dcadfd571a434f8074d057b32cd14fbea5 ] + +Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to +avoid use-after-free"), we would free the ASPM link only after the last +function on the bus pertaining to the given link was removed. + +That was too late. If function 0 is removed before sibling function, +link->downstream would point to free'd memory after. + +After above change, we freed the ASPM parent link state upon any function +removal on the bus pertaining to a given link. + +That is too early. If the link is to a PCIe switch with MFD on the upstream +port, then removing functions other than 0 first would free a link which +still remains parent_link to the remaining downstream ports. + +The resulting GPFs are especially frequent during hot-unplug, because +pciehp removes devices on the link bus in reverse order. + +On that switch, function 0 is the virtual P2P bridge to the internal bus. +Free exactly when function 0 is removed -- before the parent link is +obsolete, but after all subordinate links are gone. 
+ +Link: https://lore.kernel.org/r/e12898835f25234561c9d7de4435590d957b85d9.1734924854.git.dns@arista.com +Fixes: 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free") +Signed-off-by: Daniel Stodden +Signed-off-by: Bjorn Helgaas +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index e3f81948ce724..521340126b339 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -1014,16 +1014,16 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + parent_link = link->parent; + + /* +- * link->downstream is a pointer to the pci_dev of function 0. If +- * we remove that function, the pci_dev is about to be deallocated, +- * so we can't use link->downstream again. Free the link state to +- * avoid this. ++ * Free the parent link state, no later than function 0 (i.e. ++ * link->downstream) being removed. + * +- * If we're removing a non-0 function, it's possible we could +- * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends +- * programming the same ASPM Control value for all functions of +- * multi-function devices, so disable ASPM for all of them. ++ * Do not free the link state any earlier. If function 0 is a ++ * switch upstream port, this link state is parent_link to all ++ * subordinate ones. + */ ++ if (pdev != link->downstream) ++ goto out; ++ + pcie_config_aspm_link(link, 0); + list_del(&link->sibling); + free_link_state(link); +@@ -1034,6 +1034,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + pcie_config_aspm_path(parent_link); + } + ++ out: + mutex_unlock(&aspm_lock); + up_read(&pci_bus_sem); + } +-- +2.39.5 + 
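Review bot: the rewritten comment in pcie_aspm_exit_link_state() no longer says what happens to ASPM when a non-zero function is removed. With `if (pdev != link->downstream) goto out;` such a removal now skips pcie_config_aspm_link(link, 0) and leaves the link state as it was. The removed text cited PCIe r6.0, sec 7.5.3.7 as the reason for disabling ASPM on all functions, so the new comment should state that keeping ASPM enabled for the remaining functions is intended. It would also help to note which path frees the link state if function 0 is never passed to this function while its siblings are removed.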
diff --git a/queue-5.15/pci-avoid-reset-when-disabled-via-sysfs.patch b/queue-5.15/pci-avoid-reset-when-disabled-via-sysfs.patch new file mode 100644 index 0000000000..7d20270dd3 --- /dev/null +++ b/queue-5.15/pci-avoid-reset-when-disabled-via-sysfs.patch 
@@ -0,0 +1,67 @@ +From 25f96af91e07bb5e2e6d65ba8727975024976b78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 14:56:00 -0600 +Subject: PCI: Avoid reset when disabled via sysfs + +From: Nishanth Aravamudan + +[ Upstream commit 479380efe1625e251008d24b2810283db60d6fcd ] + +After d88f521da3ef ("PCI: Allow userspace to query and set device reset +mechanism"), userspace can disable reset of specific PCI devices by writing +an empty string to the sysfs reset_method file. + +However, pci_slot_resettable() does not check pci_reset_supported(), which +means that pci_reset_function() will still reset the device even if +userspace has disabled all the reset methods. + +I was able to reproduce this issue with a vfio device passed to a qemu +guest, where I had disabled PCI reset via sysfs. + +Add an explicit check of pci_reset_supported() in both +pci_slot_resettable() and pci_bus_resettable() to ensure both the reset +status and reset execution are bypassed if an administrator disables it for +a device. 
+ +Link: https://lore.kernel.org/r/20250207205600.1846178-1-naravamudan@nvidia.com +Fixes: d88f521da3ef ("PCI: Allow userspace to query and set device reset mechanism") +Signed-off-by: Nishanth Aravamudan +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Cc: Alex Williamson +Cc: Raphael Norwitz +Cc: Amey Narkhede +Cc: Jason Gunthorpe +Cc: Yishai Hadas +Cc: Shameer Kolothum +Cc: Kevin Tian +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index fbaf9af62bd67..6a5f53f968c3d 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5484,6 +5484,8 @@ static bool pci_bus_resetable(struct pci_bus *bus) + return false; + + list_for_each_entry(dev, &bus->devices, bus_list) { ++ if (!pci_reset_supported(dev)) ++ return false; + if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET || + (dev->subordinate && !pci_bus_resetable(dev->subordinate))) + return false; +@@ -5560,6 +5562,8 @@ static bool pci_slot_resetable(struct pci_slot *slot) + list_for_each_entry(dev, &slot->bus->devices, bus_list) { + if (!dev->slot || dev->slot != slot) + continue; ++ if (!pci_reset_supported(dev)) ++ return false; + if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET || + (dev->subordinate && !pci_bus_resetable(dev->subordinate))) + return false; +-- +2.39.5 + diff --git a/queue-5.15/pci-brcmstb-use-internal-register-to-change-link-cap.patch b/queue-5.15/pci-brcmstb-use-internal-register-to-change-link-cap.patch new file mode 100644 index 0000000000..bff2a184aa --- /dev/null +++ b/queue-5.15/pci-brcmstb-use-internal-register-to-change-link-cap.patch 
@@ -0,0 +1,54 @@ +From 74a7691674ce31791857911fe5f973db54a9225b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 12:39:30 -0500 +Subject: PCI: brcmstb: Use internal register to change link capability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jim Quinlan + +[ Upstream commit 0c97321e11e0e9e18546f828492758f6aaecec59 ] + +The driver has been mistakenly writing to a read-only (RO) +configuration space register (PCI_EXP_LNKCAP) to change the +PCIe link capability. + +Although harmless in this case, the proper write destination +is an internal register that is reflected by PCI_EXP_LNKCAP. + +Thus, fix the brcm_pcie_set_gen() function to correctly update +the link capability. + +Fixes: c0452137034b ("PCI: brcmstb: Add Broadcom STB PCIe host controller driver") +Signed-off-by: Jim Quinlan +Reviewed-by: Florian Fainelli +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250214173944.47506-3-james.quinlan@broadcom.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-brcmstb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c +index cc30215f5a433..c3c1d700f519a 100644 +--- a/drivers/pci/controller/pcie-brcmstb.c ++++ b/drivers/pci/controller/pcie-brcmstb.c +@@ -410,10 +410,10 @@ static int brcm_pcie_set_ssc(struct brcm_pcie *pcie) + static void brcm_pcie_set_gen(struct brcm_pcie *pcie, int gen) + { + u16 lnkctl2 = readw(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2); +- u32 lnkcap = readl(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP); ++ u32 lnkcap = readl(pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY); + + lnkcap = (lnkcap & ~PCI_EXP_LNKCAP_SLS) | gen; +- writel(lnkcap, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP); ++ writel(lnkcap, pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY); + + 
lnkctl2 = (lnkctl2 & ~0xf) | gen; + writew(lnkctl2, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2); +-- +2.39.5 + diff --git a/queue-5.15/pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch b/queue-5.15/pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch new file mode 100644 index 0000000000..c1615f4ff7 --- /dev/null +++ b/queue-5.15/pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch 
@@ -0,0 +1,67 @@ +From 38543e716537597bac570524e1286c5363a1ba08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Feb 2025 00:57:24 +0800 +Subject: PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data + payload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit 3ac47fbf4f6e8c3a7c3855fac68cc3246f90f850 ] + +Per the Cadence's "PCIe Controller IP for AX14" user guide, Version +1.04, Section 9.1.7.1, "AXI Subordinate to PCIe Address Translation +Registers", Table 9.4, the bit 16 of the AXI Subordinate Address +(axi_s_awaddr) when set corresponds to MSG with data, and when not set, +to MSG without data. + +However, the driver is currently doing the opposite and due to this, +the INTx is never received on the host. + +So, fix the driver to reflect the documentation and also make INTx work. + +Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller") +Signed-off-by: Hans Zhang <18255117159@163.com> +Signed-off-by: Hans Zhang +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250214165724.184599-1-18255117159@163.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/cadence/pcie-cadence-ep.c | 3 +-- + drivers/pci/controller/cadence/pcie-cadence.h | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/cadence/pcie-cadence-ep.c b/drivers/pci/controller/cadence/pcie-cadence-ep.c +index 18e32b8ffd5ef..90d1e2ac774e0 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence-ep.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-ep.c +@@ -354,8 +354,7 @@ static void cdns_pcie_ep_assert_intx(struct cdns_pcie_ep *ep, u8 fn, u8 intx, + spin_unlock_irqrestore(&ep->lock, flags); + + offset = CDNS_PCIE_NORMAL_MSG_ROUTING(MSG_ROUTING_LOCAL) | +- CDNS_PCIE_NORMAL_MSG_CODE(msg_code) | +- 
CDNS_PCIE_MSG_NO_DATA; ++ CDNS_PCIE_NORMAL_MSG_CODE(msg_code); + writel(0, ep->irq_cpu_addr + offset); + } + +diff --git a/drivers/pci/controller/cadence/pcie-cadence.h b/drivers/pci/controller/cadence/pcie-cadence.h +index 262421e5d9178..ef649c807af4e 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence.h ++++ b/drivers/pci/controller/cadence/pcie-cadence.h +@@ -235,7 +235,7 @@ struct cdns_pcie_rp_ib_bar { + #define CDNS_PCIE_NORMAL_MSG_CODE_MASK GENMASK(15, 8) + #define CDNS_PCIE_NORMAL_MSG_CODE(code) \ + (((code) << 8) & CDNS_PCIE_NORMAL_MSG_CODE_MASK) +-#define CDNS_PCIE_MSG_NO_DATA BIT(16) ++#define CDNS_PCIE_MSG_DATA BIT(16) + + struct cdns_pcie; + +-- +2.39.5 + diff --git a/queue-5.15/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch b/queue-5.15/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch new file mode 100644 index 0000000000..338afac34f --- /dev/null +++ b/queue-5.15/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch 
@@ -0,0 +1,49 @@ +From 7622fc8ae27c0379515f986117945107bd073421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 18:21:14 +0200 +Subject: PCI: pciehp: Don't enable HPIE when resuming in poll mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 527664f738afb6f2c58022cd35e63801e5dc7aec ] + +PCIe hotplug can operate in poll mode without interrupt handlers using a +polling kthread only. eb34da60edee ("PCI: pciehp: Disable hotplug +interrupt during suspend") failed to consider that and enables HPIE +(Hot-Plug Interrupt Enable) unconditionally when resuming the Port. + +Only set HPIE if non-poll mode is in use. This makes +pcie_enable_interrupt() match how pcie_enable_notification() already +handles HPIE. + +Link: https://lore.kernel.org/r/20250321162114.3939-1-ilpo.jarvinen@linux.intel.com +Fixes: eb34da60edee ("PCI: pciehp: Disable hotplug interrupt during suspend") +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_hpc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index 7773009b8b32e..6647ade09f054 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -840,7 +840,9 @@ void pcie_enable_interrupt(struct controller *ctrl) + { + u16 mask; + +- mask = PCI_EXP_SLTCTL_HPIE | PCI_EXP_SLTCTL_DLLSCE; ++ mask = PCI_EXP_SLTCTL_DLLSCE; ++ if (!pciehp_poll_mode) ++ mask |= PCI_EXP_SLTCTL_HPIE; + pcie_write_cmd(ctrl, mask, mask); + } + +-- +2.39.5 + diff --git a/queue-5.15/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch b/queue-5.15/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch new file mode 100644 index 0000000000..8cb4c520c2 --- /dev/null +++ b/queue-5.15/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch 
@@ -0,0 +1,60 @@ +From 86da2b1040b61b03efd0774559e8157b0d96c9b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 10:36:30 +0800 +Subject: PCI/portdrv: Only disable pciehp interrupts early when needed + +From: Feng Tang + +[ Upstream commit 9d7db4db19827380e225914618c0c1bf435ed2f5 ] + +Firmware developers reported that Linux issues two PCIe hotplug commands in +very short intervals on an ARM server, which doesn't comply with the PCIe +spec. According to PCIe r6.1, sec 6.7.3.2, if the Command Completed event +is supported, software must wait for a command to complete or wait at +least 1 second before sending a new command. + +In the failure case, the first PCIe hotplug command is from +get_port_device_capability(), which sends a command to disable PCIe hotplug +interrupts without waiting for its completion, and the second command comes +from pcie_enable_notification() of pciehp driver, which enables hotplug +interrupts again. + +Fix this by only disabling the hotplug interrupts when the pciehp driver is +not enabled. + +Link: https://lore.kernel.org/r/20250303023630.78397-1-feng.tang@linux.alibaba.com +Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization") +Suggested-by: Lukas Wunner +Signed-off-by: Feng Tang +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/portdrv_core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c +index 604feeb84ee40..3e5274ad60f10 100644 +--- a/drivers/pci/pcie/portdrv_core.c ++++ b/drivers/pci/pcie/portdrv_core.c +@@ -214,10 +214,12 @@ static int get_port_device_capability(struct pci_dev *dev) + + /* + * Disable hot-plug interrupts in case they have been enabled +- * by the BIOS and the hot-plug service driver is not loaded. 
++ * by the BIOS and the hot-plug service driver won't be loaded ++ * to handle them. + */ +- pcie_capability_clear_word(dev, PCI_EXP_SLTCTL, +- PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE); ++ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) ++ pcie_capability_clear_word(dev, PCI_EXP_SLTCTL, ++ PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE); + } + + #ifdef CONFIG_PCIEAER +-- +2.39.5 + diff --git a/queue-5.15/pci-remove-stray-put_device-in-pci_register_host_bri.patch b/queue-5.15/pci-remove-stray-put_device-in-pci_register_host_bri.patch new file mode 100644 index 0000000000..4a85b6177d --- /dev/null +++ b/queue-5.15/pci-remove-stray-put_device-in-pci_register_host_bri.patch @@ -0,0 +1,41 @@ +From 450e934f9463bbda2e5896d1da9837570d6c7d4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 11:46:34 +0300 +Subject: PCI: Remove stray put_device() in pci_register_host_bridge() + +From: Dan Carpenter + +[ Upstream commit 6e8d06e5096c80cbf41313b4a204f43071ca42be ] + +This put_device() was accidentally left over from when we changed the code +from using device_register() to calling device_add(). Delete it. + +Link: https://lore.kernel.org/r/55b24870-89fb-4c91-b85d-744e35db53c2@stanley.mountain +Fixes: 9885440b16b8 ("PCI: Fix pci_host_bridge struct device release/free handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/probe.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index dd2134c7c4192..51615e4d28f41 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -926,10 +926,9 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) + goto free; + + err = device_add(&bridge->dev); +- if (err) { +- put_device(&bridge->dev); ++ if (err) + goto free; +- } ++ + bus->bridge = get_device(&bridge->dev); + device_enable_async_suspend(bus->bridge); + pci_set_bus_of_node(bus); +-- +2.39.5 + 
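Review bot: In queue-5.15/pci-avoid-reset-when-disabled-via-sysfs.patch, the new `if (!pci_reset_supported(dev)) return false;` in the pci_bus_resetable() hunk (and the same check in the pci_slot_resetable() hunk) lets one device with an empty reset_method veto the bus or slot reset for every other device walked by the loop, and nothing in the code says so. A short comment above the check, stating that a device whose reset methods were all disabled through sysfs must not be reset as a side effect of a bus or slot reset, would keep a later reader from treating it as redundant with the PCI_DEV_FLAGS_NO_BUS_RESET test below it. The commit message also names pci_slot_resettable() and pci_bus_resettable(), while the hunks touch pci_slot_resetable() and pci_bus_resetable(), so a search of the log for the real function names will miss this change.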
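Review bot: In the get_port_device_capability() hunk of queue-5.15/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch, the guard `if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))` is a build-time test, but the updated comment speaks of a hot-plug service driver that "won't be loaded". Word the comment in terms of the driver not being built, or explain why a kernel built with CONFIG_HOTPLUG_PCI_PCIE always ends up with pciehp handling this port. As written, a port on such a kernel where pciehp never takes over keeps whatever CCIE/HPIE state the BIOS left in PCI_EXP_SLTCTL.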
diff --git a/queue-5.15/pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch b/queue-5.15/pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch new file mode 100644 index 0000000000..e8e1240ce1 --- /dev/null +++ b/queue-5.15/pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch 
@@ -0,0 +1,63 @@ +From 1318ee07addad4f5a55c21dcc95a583f141b1685 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 21:20:22 +0530 +Subject: PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thippeswamy Havalige + +[ Upstream commit 57b0302240741e73fe51f88404b3866e0d2933ad ] + +The IRQ domain allocated for the PCIe controller is not freed if +resource_list_first_type() returns NULL, leading to a resource leak. + +This fix ensures properly cleaning up the allocated IRQ domain in +the error path. + +Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'") +Signed-off-by: Thippeswamy Havalige +[kwilczynski: added missing Fixes: tag, refactored to use one of the goto labels] +Signed-off-by: Krzysztof Wilczyński +Link: https://lore.kernel.org/r/20250224155025.782179-2-thippeswamy.havalige@amd.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-xilinx-cpm.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pcie-xilinx-cpm.c b/drivers/pci/controller/pcie-xilinx-cpm.c +index 95426df032000..1e72cea8563f3 100644 +--- a/drivers/pci/controller/pcie-xilinx-cpm.c ++++ b/drivers/pci/controller/pcie-xilinx-cpm.c +@@ -556,13 +556,15 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev) + return err; + + bus = resource_list_first_type(&bridge->windows, IORESOURCE_BUS); +- if (!bus) +- return -ENODEV; ++ if (!bus) { ++ err = -ENODEV; ++ goto err_free_irq_domains; ++ } + + err = xilinx_cpm_pcie_parse_dt(port, bus->res); + if (err) { + dev_err(dev, "Parsing DT failed\n"); +- goto err_parse_dt; ++ goto err_free_irq_domains; + } + + xilinx_cpm_pcie_init_port(port); +@@ -586,7 +588,7 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev) + xilinx_cpm_free_interrupts(port); + err_setup_irq: + pci_ecam_free(port->cfg); +-err_parse_dt: ++err_free_irq_domains: + 
xilinx_cpm_free_irq_domains(port); + return err; + } +-- +2.39.5 + diff --git a/queue-5.15/perf-python-check-if-there-is-space-to-copy-all-the-.patch b/queue-5.15/perf-python-check-if-there-is-space-to-copy-all-the-.patch new file mode 100644 index 0000000000..b645a979d6 --- /dev/null +++ b/queue-5.15/perf-python-check-if-there-is-space-to-copy-all-the-.patch 
@@ -0,0 +1,68 @@ +From 3800a982c22777fefbacf0dc5bd8ff087319e5b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:41 -0300 +Subject: perf python: Check if there is space to copy all the event + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 89aaeaf84231157288035b366cb6300c1c6cac64 ] + +The pyrf_event__new() method copies the event obtained from the perf +ring buffer to a structure that will then be turned into a python object +for further consumption, so it copies perf_event.header.size bytes to +its 'event' member: + + $ pahole -C pyrf_event /tmp/build/perf-tools-next/python/perf.cpython-312-x86_64-linux-gnu.so + struct pyrf_event { + PyObject ob_base; /* 0 16 */ + struct evsel * evsel; /* 16 8 */ + struct perf_sample sample; /* 24 312 */ + + /* XXX last struct has 7 bytes of padding, 2 holes */ + + /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */ + union perf_event event; /* 336 4168 */ + + /* size: 4504, cachelines: 71, members: 4 */ + /* member types with holes: 1, total: 2 */ + /* paddings: 1, sum paddings: 7 */ + /* last cacheline: 24 bytes */ + }; + + $ + +It was doing so without checking if the event just obtained has more +than that space, fix it. + +This isn't a proper, final solution, as we need to support larger +events, but for the time being we at least bounds check and document it. 
+ +Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-7-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 42810b63125a9..b9fd7edfbb3cc 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -585,6 +585,11 @@ static PyObject *pyrf_event__new(union perf_event *event) + event->header.type == PERF_RECORD_SWITCH_CPU_WIDE)) + return NULL; + ++ // FIXME this better be dynamic or we need to parse everything ++ // before calling perf_mmap__consume(), including tracepoint fields. ++ if (sizeof(pevent->event) < event->header.size) ++ return NULL; ++ + ptype = pyrf_event__type[event->header.type]; + pevent = PyObject_New(struct pyrf_event, ptype); + if (pevent != NULL) +-- +2.39.5 + diff --git a/queue-5.15/perf-python-decrement-the-refcount-of-just-created-e.patch b/queue-5.15/perf-python-decrement-the-refcount-of-just-created-e.patch new file mode 100644 index 0000000000..241afd3edc --- /dev/null +++ b/queue-5.15/perf-python-decrement-the-refcount-of-just-created-e.patch 
@@ -0,0 +1,52 @@ +From c4e106ef037c89064251aaabc93f2afad3a333ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:39 -0300 +Subject: perf python: Decrement the refcount of just created event on failure + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 3de5a2bf5b4847f7a59a184568f969f8fe05d57f ] + +To avoid a leak if we have the python object but then something happens +and we need to return the operation, decrement the offset of the newly +created object. + +Fixes: 377f698db12150a1 ("perf python: Add struct evsel into struct pyrf_event") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-5-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 13d65a3cc6d7d..368a5f2c244c8 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -1084,6 +1084,7 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + + evsel = evlist__event2evsel(evlist, event); + if (!evsel) { ++ Py_DECREF(pyevent); + Py_INCREF(Py_None); + return Py_None; + } +@@ -1095,9 +1096,12 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + /* Consume the even only after we parsed it out. */ + perf_mmap__consume(&md->core); + +- if (err) ++ if (err) { ++ Py_DECREF(pyevent); + return PyErr_Format(PyExc_OSError, + "perf: can't parse sample, err=%d", err); ++ } ++ + return pyevent; + } + end: +-- +2.39.5 + diff --git a/queue-5.15/perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch b/queue-5.15/perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch new file mode 100644 index 0000000000..713e5433ff --- /dev/null +++ b/queue-5.15/perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch 
@@ -0,0 +1,86 @@ +From 287b749591a8e91a29f25ae8e82c14fb796d2fc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:40 -0300 +Subject: perf python: Don't keep a raw_data pointer to consumed ring buffer + space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit f3fed3ae34d606819d87a63d970cc3092a5be7ab ] + +When processing tracepoints the perf python binding was parsing the +event before calling perf_mmap__consume(&md->core) in +pyrf_evlist__read_on_cpu(). + +But part of this event parsing was to set the perf_sample->raw_data +pointer to the payload of the event, which then could be overwritten by +other event before tracepoint fields were asked for via event.prev_comm +in a python program, for instance. + +This also happened with other fields, but strings were were problems +were surfacing, as there is UTF-8 validation for the potentially garbled +data. + +This ended up showing up as (with some added debugging messages): + + ( field 'prev_comm' ret=0x7f7c31f65110, raw_size=68 ) ( field 'prev_pid' ret=0x7f7c23b1bed0, raw_size=68 ) ( field 'prev_prio' ret=0x7f7c239c0030, raw_size=68 ) ( field 'prev_state' ret=0x7f7c239c0250, raw_size=68 ) time 14771421785867 prev_comm= prev_pid=1919907691 prev_prio=796026219 prev_state=0x303a32313175 ==> + ( XXX '��' len=16, raw_size=68) ( field 'next_comm' ret=(nil), raw_size=68 ) Traceback (most recent call last): + File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 51, in + main() + File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 46, in main + event.next_comm, + ^^^^^^^^^^^^^^^ + AttributeError: 'perf.sample_event' object has no attribute 'next_comm' + +When event.next_comm was asked for, the PyUnicode_FromString() python +API would fail and that tracepoint field wouldn't be available, stopping +the tools/perf/python/tracepoint.py test tool. 
+ +But, since we already do a copy of the whole event in pyrf_event__new, +just use it and while at it remove what was done in in e8968e654191390a +("perf python: Fix pyrf_evlist__read_on_cpu event consuming") because we +don't really need to wait for parsing the sample before declaring the +event as consumed. + +This copy is questionable as is now, as it limits the maximum event + +sample_type and tracepoint payload to sizeof(union perf_event), this all +has been "working" because 'struct perf_event_mmap2', the largest entry +in 'union perf_event' is: + + $ pahole -C perf_event ~/bin/perf | grep mmap2 + struct perf_record_mmap2 mmap2; /* 0 4168 */ + $ + +Fixes: bae57e3825a3dded ("perf python: Add support to resolve tracepoint fields") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-6-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 368a5f2c244c8..42810b63125a9 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -1091,11 +1091,9 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + + pevent->evsel = evsel; + +- err = evsel__parse_sample(evsel, event, &pevent->sample); +- +- /* Consume the even only after we parsed it out. */ + perf_mmap__consume(&md->core); + ++ err = evsel__parse_sample(evsel, &pevent->event, &pevent->sample); + if (err) { + Py_DECREF(pyevent); + return PyErr_Format(PyExc_OSError, +-- +2.39.5 + diff --git a/queue-5.15/perf-python-fixup-description-of-sample.id-event-mem.patch b/queue-5.15/perf-python-fixup-description-of-sample.id-event-mem.patch new file mode 100644 index 0000000000..7eae9f879b --- /dev/null +++ b/queue-5.15/perf-python-fixup-description-of-sample.id-event-mem.patch 
@@ -0,0 +1,38 @@ +From 3de3613d71dc76adc8b27ebec3f437e6c0513640 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:36 -0300 +Subject: perf python: Fixup description of sample.id event member + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 1376c195e8ad327bb9f2d32e0acc5ac39e7cb30a ] + +Some old cut'n'paste error, its "ip", so the description should be +"event ip", not "event type". + +Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-2-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 8feef3a05af7b..13d65a3cc6d7d 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -158,7 +158,7 @@ struct pyrf_event { + }; + + #define sample_members \ +- sample_member_def(sample_ip, ip, T_ULONGLONG, "event type"), \ ++ sample_member_def(sample_ip, ip, T_ULONGLONG, "event ip"), \ + sample_member_def(sample_pid, pid, T_INT, "event pid"), \ + sample_member_def(sample_tid, tid, T_INT, "event tid"), \ + sample_member_def(sample_time, time, T_ULONGLONG, "event timestamp"), \ +-- +2.39.5 + diff --git a/queue-5.15/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch b/queue-5.15/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch new file mode 100644 index 0000000000..d69d4120a4 --- /dev/null +++ b/queue-5.15/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch 
@@ -0,0 +1,43 @@ +From fd7e5da69c5e8acc1727d75e2f6cbddbb6a5eab5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 11:00:36 +0800 +Subject: perf/ring_buffer: Allow the EPOLLRDNORM flag for poll + +From: Tao Chen + +[ Upstream commit c96fff391c095c11dc87dab35be72dee7d217cde ] + +The poll man page says POLLRDNORM is equivalent to POLLIN. For poll(), +it seems that if user sets pollfd with POLLRDNORM in userspace, perf_poll +will not return until timeout even if perf_output_wakeup called, +whereas POLLIN returns. + +Fixes: 76369139ceb9 ("perf: Split up buffer handling from core code") +Signed-off-by: Tao Chen +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Cc: Arnaldo Carvalho de Melo +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250314030036.2543180-1-chen.dylane@linux.dev +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 98588e96b5919..3e1655374c2ed 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -19,7 +19,7 @@ + + static void perf_output_wakeup(struct perf_output_handle *handle) + { +- atomic_set(&handle->rb->poll, EPOLLIN); ++ atomic_set(&handle->rb->poll, EPOLLIN | EPOLLRDNORM); + + handle->event->pending_wakeup = 1; + irq_work_queue(&handle->event->pending_irq); +-- +2.39.5 + diff --git a/queue-5.15/perf-units-fix-insufficient-array-space.patch b/queue-5.15/perf-units-fix-insufficient-array-space.patch new file mode 100644 index 0000000000..cc7925676b --- /dev/null +++ b/queue-5.15/perf-units-fix-insufficient-array-space.patch 
@@ -0,0 +1,46 @@ +From b87e1f4ac70768339d9a216a15f342f2e17acf65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 16:45:32 -0300 +Subject: perf units: Fix insufficient array space + +From: Arnaldo Carvalho de Melo + +[ Upstream commit cf67629f7f637fb988228abdb3aae46d0c1748fe ] + +No need to specify the array size, let the compiler figure that out. + +This addresses this compiler warning that was noticed while build +testing on fedora rawhide: + + 31 15.81 fedora:rawhide : FAIL gcc version 15.0.1 20250225 (Red Hat 15.0.1-0) (GCC) + util/units.c: In function 'unit_number__scnprintf': + util/units.c:67:24: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-initialization] + 67 | char unit[4] = "BKMG"; + | ^~~~~~ + cc1: all warnings being treated as errors + +Fixes: 9808143ba2e54818 ("perf tools: Add unit_number__scnprintf function") +Signed-off-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/r/20250310194534.265487-3-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/units.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/units.c b/tools/perf/util/units.c +index 32c39cfe209b3..4c6a86e1cb54b 100644 +--- a/tools/perf/util/units.c ++++ b/tools/perf/util/units.c +@@ -64,7 +64,7 @@ unsigned long convert_unit(unsigned long value, char *unit) + + int unit_number__scnprintf(char *buf, size_t size, u64 n) + { +- char unit[4] = "BKMG"; ++ char unit[] = "BKMG"; + int i = 0; + + while (((n / 1024) > 1) && (i < 3)) { +-- +2.39.5 + diff --git a/queue-5.15/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch b/queue-5.15/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch new file mode 100644 index 0000000000..9aaa75b339 --- /dev/null +++ b/queue-5.15/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch 
@@ -0,0 +1,42 @@ +From 4ed78f0fd58b34af2916f31abca60b12a5412944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 16:37:53 +0000 +Subject: pinctrl: renesas: rza2: Fix missing of_node_put() call + +From: Fabrizio Castro + +[ Upstream commit abcdeb4e299a11ecb5a3ea0cce00e68e8f540375 ] + +of_parse_phandle_with_fixed_args() requires its caller to +call into of_node_put() on the node pointer from the output +structure, but such a call is currently missing. + +Call into of_node_put() to rectify that. + +Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller") +Signed-off-by: Fabrizio Castro +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250305163753.34913-5-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rza2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c +index ddd8ee6b604ef..1fd3191d9f8d9 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rza2.c ++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c +@@ -253,6 +253,8 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv) + return ret; + } + ++ of_node_put(of_args.np); ++ + if ((of_args.args[0] != 0) || + (of_args.args[1] != 0) || + (of_args.args[2] != priv->npins)) { +-- +2.39.5 + diff --git a/queue-5.15/pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch b/queue-5.15/pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch new file mode 100644 index 0000000000..3fc01e650c --- /dev/null +++ b/queue-5.15/pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch 
@@ -0,0 +1,42 @@ +From 302b690dc7150fb3af11e624f96d4ec51e51cf36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 16:37:51 +0000 +Subject: pinctrl: renesas: rzg2l: Fix missing of_node_put() call + +From: Fabrizio Castro + +[ Upstream commit a5779e625e2b377f16a6675c432aaf299ce5028c ] + +of_parse_phandle_with_fixed_args() requires its caller to +call into of_node_put() on the node pointer from the output +structure, but such a call is currently missing. + +Call into of_node_put() to rectify that. + +Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") +Signed-off-by: Fabrizio Castro +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250305163753.34913-3-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +index 20b2af889ca96..f839bd3d0927a 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +@@ -979,6 +979,8 @@ static int rzg2l_gpio_register(struct rzg2l_pinctrl *pctrl) + return ret; + } + ++ of_node_put(of_args.np); ++ + if (of_args.args[0] != 0 || of_args.args[1] != 0 || + of_args.args[2] != ARRAY_SIZE(rzg2l_gpio_names)) { + dev_err(pctrl->dev, "gpio-ranges does not match selected SOC\n"); +-- +2.39.5 + diff --git a/queue-5.15/pinctrl-tegra-set-sfio-mode-to-mux-register.patch b/queue-5.15/pinctrl-tegra-set-sfio-mode-to-mux-register.patch new file mode 100644 index 0000000000..36081f863e --- /dev/null +++ b/queue-5.15/pinctrl-tegra-set-sfio-mode-to-mux-register.patch 
@@ -0,0 +1,49 @@ +From 652693a5178c019826ddfac20875a2574f627962 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 10:35:42 +0530 +Subject: pinctrl: tegra: Set SFIO mode to Mux Register + +From: Prathamesh Shete + +[ Upstream commit 17013f0acb322e5052ff9b9d0fab0ab5a4bfd828 ] + +Tegra devices have an 'sfsel' bit field that determines whether a pin +operates in SFIO (Special Function I/O) or GPIO mode. Currently, +tegra_pinctrl_gpio_disable_free() sets this bit when releasing a GPIO. + +However, tegra_pinctrl_set_mux() can be called independently in certain +code paths where gpio_disable_free() is not invoked. In such cases, failing +to set the SFIO mode could lead to incorrect pin configurations, resulting +in functional issues for peripherals relying on SFIO. + +This patch ensures that whenever set_mux() is called, the SFIO mode is +correctly set in the Mux Register if the 'sfsel' bit is present. This +prevents situations where the pin remains in GPIO mode despite being +configured for SFIO use. + +Fixes: 971dac7123c7 ("pinctrl: add a driver for NVIDIA Tegra") +Signed-off-by: Prathamesh Shete +Link: https://lore.kernel.org/20250306050542.16335-1-pshete@nvidia.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/tegra/pinctrl-tegra.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pinctrl/tegra/pinctrl-tegra.c b/drivers/pinctrl/tegra/pinctrl-tegra.c +index 195cfe557511b..90de78e4175c9 100644 +--- a/drivers/pinctrl/tegra/pinctrl-tegra.c ++++ b/drivers/pinctrl/tegra/pinctrl-tegra.c +@@ -270,6 +270,9 @@ static int tegra_pinctrl_set_mux(struct pinctrl_dev *pctldev, + val = pmx_readl(pmx, g->mux_bank, g->mux_reg); + val &= ~(0x3 << g->mux_bit); + val |= i << g->mux_bit; ++ /* Set the SFIO/GPIO selection to SFIO when under pinmux control*/ ++ if (pmx->soc->sfsel_in_mux) ++ val |= (1 << g->sfsel_bit); + pmx_writel(pmx, val, g->mux_bank, g->mux_reg); + + return 0; +-- +2.39.5 + 
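Review bot: in tegra_pinctrl_set_mux() (drivers/pinctrl/tegra/pinctrl-tegra.c) the added `val |= (1 << g->sfsel_bit);` is guarded only by `pmx->soc->sfsel_in_mux`, which is a per-SoC flag, while the bit position comes from the group. If a group on such an SoC can have no sfsel bit (a negative or unset `g->sfsel_bit`), the shift is undefined and a stray bit is written to the mux register. Either test the group's bit next to the SoC flag, or say in the comment that every group reaching this write has a valid bit. Minor: the new comment ends in `control*/` without a space, and `BIT(g->sfsel_bit)` reads better than the open-coded shift.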
diff --git a/queue-5.15/pm-sleep-adjust-check-before-setting-power.must_resu.patch b/queue-5.15/pm-sleep-adjust-check-before-setting-power.must_resu.patch new file mode 100644 index 0000000000..74a717c42e --- /dev/null +++ b/queue-5.15/pm-sleep-adjust-check-before-setting-power.must_resu.patch 
@@ -0,0 +1,86 @@ +From df06a83365d263682e6c3ebdeb3ab22a1562574f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 11:53:50 +0100 +Subject: PM: sleep: Adjust check before setting power.must_resume + +From: Rafael J. Wysocki + +[ Upstream commit eeb87d17aceab7803a5a5bcb6cf2817b745157cf ] + +The check before setting power.must_resume in device_suspend_noirq() +does not take power.child_count into account, but it should do that, so +use pm_runtime_need_not_resume() in it for this purpose and adjust the +comment next to it accordingly. + +Fixes: 107d47b2b95e ("PM: sleep: core: Simplify the SMART_SUSPEND flag handling") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Ulf Hansson +Link: https://patch.msgid.link/3353728.44csPzL39Z@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 13 ++++++------- + drivers/base/power/runtime.c | 2 +- + include/linux/pm_runtime.h | 2 ++ + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 185ea0d93a5e5..8586651320901 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1239,14 +1239,13 @@ static int __device_suspend_noirq(struct device *dev, pm_message_t state, bool a + dev->power.is_noirq_suspended = true; + + /* +- * Skipping the resume of devices that were in use right before the +- * system suspend (as indicated by their PM-runtime usage counters) +- * would be suboptimal. Also resume them if doing that is not allowed +- * to be skipped. ++ * Devices must be resumed unless they are explicitly allowed to be left ++ * in suspend, but even in that case skipping the resume of devices that ++ * were in use right before the system suspend (as indicated by their ++ * runtime PM usage counters and child counters) would be suboptimal. 
+ */ +- if (atomic_read(&dev->power.usage_count) > 1 || +- !(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) && +- dev->power.may_skip_resume)) ++ if (!(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) && ++ dev->power.may_skip_resume) || !pm_runtime_need_not_resume(dev)) + dev->power.must_resume = true; + + if (dev->power.must_resume) +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 6699096ff2fa6..edee7f1af1cec 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1809,7 +1809,7 @@ void pm_runtime_drop_link(struct device_link *link) + pm_request_idle(link->supplier); + } + +-static bool pm_runtime_need_not_resume(struct device *dev) ++bool pm_runtime_need_not_resume(struct device *dev) + { + return atomic_read(&dev->power.usage_count) <= 1 && + (atomic_read(&dev->power.child_count) == 0 || +diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h +index 9a10b6bac4a71..ed01ae76e2fa5 100644 +--- a/include/linux/pm_runtime.h ++++ b/include/linux/pm_runtime.h +@@ -46,6 +46,7 @@ static inline bool queue_pm_work(struct work_struct *work) + + extern int pm_generic_runtime_suspend(struct device *dev); + extern int pm_generic_runtime_resume(struct device *dev); ++extern bool pm_runtime_need_not_resume(struct device *dev); + extern int pm_runtime_force_suspend(struct device *dev); + extern int pm_runtime_force_resume(struct device *dev); + +@@ -234,6 +235,7 @@ static inline bool queue_pm_work(struct work_struct *work) { return false; } + + static inline int pm_generic_runtime_suspend(struct device *dev) { return 0; } + static inline int pm_generic_runtime_resume(struct device *dev) { return 0; } ++static inline bool pm_runtime_need_not_resume(struct device *dev) {return true; } + static inline int pm_runtime_force_suspend(struct device *dev) { return 0; } + static inline int pm_runtime_force_resume(struct device *dev) { return 0; } + +-- +2.39.5 + 
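Review bot: pm_runtime_need_not_resume() in drivers/base/power/runtime.c loses `static` and gains an extern declaration in include/linux/pm_runtime.h without any kernel-doc, although __device_suspend_noirq() now depends on its exact meaning (usage_count at most 1 plus the child_count test shown in the context lines). Please document what a true return means, since the condition in main.c negates it and the double negative is easy to misread. The static inline stub added next to pm_generic_runtime_resume() returns true, so with that stub the new term never forces power.must_resume; a short note that this is intended would help. Style: the stub is written `{return true; }` while its neighbours use `{ return 0; }`.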
diff --git a/queue-5.15/pm-sleep-fix-handling-devices-with-direct_complete-s.patch b/queue-5.15/pm-sleep-fix-handling-devices-with-direct_complete-s.patch new file mode 100644 index 0000000000..cec22aea19 --- /dev/null +++ b/queue-5.15/pm-sleep-fix-handling-devices-with-direct_complete-s.patch 
@@ -0,0 +1,91 @@ +From 6d1494079aeed6c977da796cce17c3f72fb91da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 17:00:00 +0100 +Subject: PM: sleep: Fix handling devices with direct_complete set on errors + +From: Rafael J. Wysocki + +[ Upstream commit 03f1444016b71feffa1dfb8a51f15ba592f94b13 ] + +When dpm_suspend() fails, some devices with power.direct_complete set +may not have been handled by device_suspend() yet, so runtime PM has +not been disabled for them yet even though power.direct_complete is set. + +Since device_resume() expects that runtime PM has been disabled for all +devices with power.direct_complete set, it will attempt to reenable +runtime PM for the devices that have not been processed by device_suspend() +which does not make sense. Had those devices had runtime PM disabled +before device_suspend() had run, device_resume() would have inadvertently +enable runtime PM for them, but this is not expected to happen because +it would require ->prepare() callbacks to return positive values for +devices with runtime PM disabled, which would be invalid. + +In practice, this issue is most likely benign because pm_runtime_enable() +will not allow the "disable depth" counter to underflow, but it causes a +warning message to be printed for each affected device. + +To allow device_resume() to distinguish the "direct complete" devices +that have been processed by device_suspend() from those which have not +been handled by it, make device_suspend() set power.is_suspended for +"direct complete" devices. + +Next, move the power.is_suspended check in device_resume() before the +power.direct_complete check in it to make it skip the "direct complete" +devices that have not been handled by device_suspend(). + +This change is based on a preliminary patch from Saravana Kannan. 
+ +Fixes: aae4518b3124 ("PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily") +Link: https://lore.kernel.org/linux-pm/20241114220921.2529905-2-saravanak@google.com/ +Reported-by: Saravana Kannan +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Saravana Kannan +Link: https://patch.msgid.link/12627587.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 8586651320901..d77ab224b861a 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -897,6 +897,9 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async) + if (dev->power.syscore) + goto Complete; + ++ if (!dev->power.is_suspended) ++ goto Complete; ++ + if (dev->power.direct_complete) { + /* Match the pm_runtime_disable() in __device_suspend(). */ + pm_runtime_enable(dev); +@@ -915,9 +918,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async) + */ + dev->power.is_prepared = false; + +- if (!dev->power.is_suspended) +- goto Unlock; +- + if (dev->pm_domain) { + info = "power domain "; + callback = pm_op(&dev->pm_domain->ops, state); +@@ -957,7 +957,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async) + error = dpm_run_callback(callback, dev, state, info); + dev->power.is_suspended = false; + +- Unlock: + device_unlock(dev); + dpm_watchdog_clear(&wd); + +@@ -1642,6 +1641,7 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async) + pm_runtime_disable(dev); + if (pm_runtime_status_suspended(dev)) { + pm_dev_dbg(dev, state, "direct-complete "); ++ dev->power.is_suspended = true; + goto Complete; + } + +-- +2.39.5 + 
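Review bot: __device_suspend() now sets `dev->power.is_suspended = true` on the direct-complete path, but in the visible lines of __device_resume() the flag is only cleared after dpm_run_callback(), which the `if (dev->power.direct_complete)` branch skips by jumping to Complete. Please confirm the flag is reset elsewhere before the next suspend cycle, or clear it in that branch; a stale true value would let a later failed dpm_suspend() hit the same unbalanced pm_runtime_enable() this patch is meant to avoid. Separately, moving the `!dev->power.is_suspended` test ahead of `dev->power.is_prepared = false` means devices that were not suspended no longer pass that assignment (or the device_lock() section), which the changelog does not mention.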
diff --git a/queue-5.15/power-supply-max77693-fix-wrong-conversion-of-charge.patch b/queue-5.15/power-supply-max77693-fix-wrong-conversion-of-charge.patch new file mode 100644 index 0000000000..ca3c2e9d4a --- /dev/null +++ b/queue-5.15/power-supply-max77693-fix-wrong-conversion-of-charge.patch 
@@ -0,0 +1,46 @@ +From 9ed6b7d6603c61689b40ff19f19bb6f8077228ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Mar 2025 21:11:49 +0100 +Subject: power: supply: max77693: Fix wrong conversion of charge input + threshold value + +From: Artur Weber + +[ Upstream commit 30cc7b0d0e9341d419eb7da15fb5c22406dbe499 ] + +The charge input threshold voltage register on the MAX77693 PMIC accepts +four values: 0x0 for 4.3v, 0x1 for 4.7v, 0x2 for 4.8v and 0x3 for 4.9v. +Due to an oversight, the driver calculated the values for 4.7v and above +starting from 0x0, rather than from 0x1 ([(4700000 - 4700000) / 100000] +gives 0). + +Add 1 to the calculation to ensure that 4.7v is converted to a register +value of 0x1 and that the other two voltages are converted correctly as +well. + +Fixes: 87c2d9067893 ("power: max77693: Add charger driver for Maxim 77693") +Signed-off-by: Artur Weber +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250316-max77693-charger-input-threshold-fix-v1-1-2b037d0ac722@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max77693_charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/max77693_charger.c b/drivers/power/supply/max77693_charger.c +index a2c5c9858639f..ef3482fa4023e 100644 +--- a/drivers/power/supply/max77693_charger.c ++++ b/drivers/power/supply/max77693_charger.c +@@ -556,7 +556,7 @@ static int max77693_set_charge_input_threshold_volt(struct max77693_charger *chg + case 4700000: + case 4800000: + case 4900000: +- data = (uvolt - 4700000) / 100000; ++ data = ((uvolt - 4700000) / 100000) + 1; + break; + default: + dev_err(chg->dev, "Wrong value for charge input voltage regulation threshold\n"); +-- +2.39.5 + diff --git a/queue-5.15/rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch b/queue-5.15/rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch new file mode 100644 index 0000000000..e963217373 --- /dev/null 
+++ b/queue-5.15/rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch 
@@ -0,0 +1,150 @@ +From f1eedf4f99e06e2fca4885311d39a607655efa53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 16:54:20 +0000 +Subject: RDMA/core: Don't expose hw_counters outside of init net namespace + +From: Roman Gushchin + +[ Upstream commit a1ecb30f90856b0be4168ad51b8875148e285c1f ] + +Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs +attributes") accidentally almost exposed hw counters to non-init net +namespaces. It didn't expose them fully, as an attempt to read any of +those counters leads to a crash like this one: + +[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 +[42021.814463] #PF: supervisor read access in kernel mode +[42021.819549] #PF: error_code(0x0000) - not-present page +[42021.824636] PGD 0 P4D 0 +[42021.827145] Oops: 0000 [#1] SMP PTI +[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX +[42021.841697] Hardware name: XXX +[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core] +[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48 +[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287 +[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000 +[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0 +[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000 +[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530 +[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000 +[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000 +[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0 +[42021.935194] DR0: 0000000000000000 
DR1: 0000000000000000 DR2: 0000000000000000 +[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[42021.949324] Call Trace: +[42021.951756] +[42021.953842] [] ? show_regs+0x64/0x70 +[42021.959030] [] ? __die+0x78/0xc0 +[42021.963874] [] ? page_fault_oops+0x2b5/0x3b0 +[42021.969749] [] ? exc_page_fault+0x1a2/0x3c0 +[42021.975549] [] ? asm_exc_page_fault+0x26/0x30 +[42021.981517] [] ? __pfx_show_hw_stats+0x10/0x10 [ib_core] +[42021.988482] [] ? hw_stat_device_show+0x1e/0x40 [ib_core] +[42021.995438] [] dev_attr_show+0x1e/0x50 +[42022.000803] [] sysfs_kf_seq_show+0x81/0xe0 +[42022.006508] [] seq_read_iter+0xf4/0x410 +[42022.011954] [] vfs_read+0x16e/0x2f0 +[42022.017058] [] ksys_read+0x6e/0xe0 +[42022.022073] [] do_syscall_64+0x6a/0xa0 +[42022.027441] [] entry_SYSCALL_64_after_hwframe+0x78/0xe2 + +The problem can be reproduced using the following steps: + ip netns add foo + ip netns exec foo bash + cat /sys/class/infiniband/mlx4_0/hw_counters/* + +The panic occurs because of casting the device pointer into an +ib_device pointer using container_of() in hw_stat_device_show() is +wrong and leads to a memory corruption. + +However the real problem is that hw counters should never been exposed +outside of the non-init net namespace. + +Fix this by saving the index of the corresponding attribute group +(it might be 1 or 2 depending on the presence of driver-specific +attributes) and zeroing the pointer to hw_counters group for compat +devices during the initialization. 
+ +With this fix applied hw_counters are not available in a non-init +net namespace: + find /sys/class/infiniband/mlx4_0/ -name hw_counters + /sys/class/infiniband/mlx4_0/ports/1/hw_counters + /sys/class/infiniband/mlx4_0/ports/2/hw_counters + /sys/class/infiniband/mlx4_0/hw_counters + + ip netns add foo + ip netns exec foo bash + find /sys/class/infiniband/mlx4_0/ -name hw_counters + +Fixes: 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") +Signed-off-by: Roman Gushchin +Cc: Jason Gunthorpe +Cc: Leon Romanovsky +Cc: Maher Sanalla +Cc: linux-rdma@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Link: https://patch.msgid.link/20250227165420.3430301-1-roman.gushchin@linux.dev +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 9 +++++++++ + drivers/infiniband/core/sysfs.c | 1 + + include/rdma/ib_verbs.h | 1 + + 3 files changed, 11 insertions(+) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 5d1ce55fda71e..241245e25f004 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -542,6 +542,8 @@ static struct class ib_class = { + static void rdma_init_coredev(struct ib_core_device *coredev, + struct ib_device *dev, struct net *net) + { ++ bool is_full_dev = &dev->coredev == coredev; ++ + /* This BUILD_BUG_ON is intended to catch layout change + * of union of ib_core_device and device. + * dev must be the first element as ib_core and providers +@@ -553,6 +555,13 @@ static void rdma_init_coredev(struct ib_core_device *coredev, + + coredev->dev.class = &ib_class; + coredev->dev.groups = dev->groups; ++ ++ /* ++ * Don't expose hw counters outside of the init namespace. 
++ */ ++ if (!is_full_dev && dev->hw_stats_attr_index) ++ coredev->dev.groups[dev->hw_stats_attr_index] = NULL; ++ + device_initialize(&coredev->dev); + coredev->owner = dev; + INIT_LIST_HEAD(&coredev->port_list); +diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c +index afc59048c40c8..f68673c370d2e 100644 +--- a/drivers/infiniband/core/sysfs.c ++++ b/drivers/infiniband/core/sysfs.c +@@ -976,6 +976,7 @@ int ib_setup_device_attrs(struct ib_device *ibdev) + for (i = 0; i != ARRAY_SIZE(ibdev->groups); i++) + if (!ibdev->groups[i]) { + ibdev->groups[i] = &data->group; ++ ibdev->hw_stats_attr_index = i; + return 0; + } + WARN(true, "struct ib_device->groups is too small"); +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index fa13bf15feb3e..f4257c2e96b6d 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -2707,6 +2707,7 @@ struct ib_device { + * It is a NULL terminated array. + */ + const struct attribute_group *groups[4]; ++ u8 hw_stats_attr_index; + + u64 uverbs_cmd_mask; + +-- +2.39.5 + diff --git a/queue-5.15/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch b/queue-5.15/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch new file mode 100644 index 0000000000..97c19ec64e --- /dev/null +++ b/queue-5.15/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch 
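Review bot: in rdma_init_coredev() (drivers/infiniband/core/device.c) the added `coredev->dev.groups[dev->hw_stats_attr_index] = NULL;` writes through the pointer set two lines earlier by `coredev->dev.groups = dev->groups;`, so it clears the slot in the ib_device's own groups[4] array, not in a per-coredev copy. That array is the one the full device uses as well, so once a compat device is initialized the full device's group list no longer names the hw_counters group. Please confirm nothing walks dev->groups after that point (device removal, for example), or give compat devices their own array. Also, `dev->hw_stats_attr_index` uses 0 to mean "not set"; the changelog says the index is 1 or 2, which deserves a comment on the new u8 field in include/rdma/ib_verbs.h.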
@@ -0,0 +1,91 @@ +From ec9dbe282768452bb8b6a5971fdfdb51988c5439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:29:53 +0200 +Subject: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow + +From: Patrisious Haddad + +[ Upstream commit 5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd ] + +When cur_qp isn't NULL, in order to avoid fetching the QP from +the radix tree again we check if the next cqe QP is identical to +the one we already have. + +The bug however is that we are checking if the QP is identical by +checking the QP number inside the CQE against the QP number inside the +mlx5_ib_qp, but that's wrong since the QP number from the CQE is from +FW so it should be matched against mlx5_core_qp which is our FW QP +number. + +Otherwise we could use the wrong QP when handling a CQE which could +cause the kernel trace below. + +This issue is mainly noticeable over QPs 0 & 1, since for now they are +the only QPs in our driver whereas the QP number inside mlx5_ib_qp +doesn't match the QP number inside mlx5_core_qp. 
+ +BUG: kernel NULL pointer dereference, address: 0000000000000012 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP + CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] + RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] + Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21 + RSP: 0018:ffff88810511bd60 EFLAGS: 00010046 + RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a + RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000 + R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0 + FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0 + Call Trace: + + ? __die+0x20/0x60 + ? page_fault_oops+0x150/0x3e0 + ? exc_page_fault+0x74/0x130 + ? asm_exc_page_fault+0x22/0x30 + ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] + __ib_process_cq+0x5a/0x150 [ib_core] + ib_cq_poll_work+0x31/0x90 [ib_core] + process_one_work+0x169/0x320 + worker_thread+0x288/0x3a0 + ? work_busy+0xb0/0xb0 + kthread+0xd7/0x1f0 + ? kthreads_online_cpu+0x130/0x130 + ? kthreads_online_cpu+0x130/0x130 + ret_from_fork+0x2d/0x50 + ? 
kthreads_online_cpu+0x130/0x130 + ret_from_fork_asm+0x11/0x20 + + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Patrisious Haddad +Reviewed-by: Edward Srouji +Link: https://patch.msgid.link/4ada09d41f1e36db62c44a9b25c209ea5f054316.1741875692.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/cq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index a190fb5815913..f3becb506125e 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -481,7 +481,7 @@ static int mlx5_poll_one(struct mlx5_ib_cq *cq, + } + + qpn = ntohl(cqe64->sop_drop_qpn) & 0xffffff; +- if (!*cur_qp || (qpn != (*cur_qp)->ibqp.qp_num)) { ++ if (!*cur_qp || (qpn != (*cur_qp)->trans_qp.base.mqp.qpn)) { + /* We do not have to take the QP table lock here, + * because CQs will be locked while QPs are removed + * from the table. +-- +2.39.5 + diff --git a/queue-5.15/remoteproc-core-clear-table_sz-when-rproc_shutdown.patch b/queue-5.15/remoteproc-core-clear-table_sz-when-rproc_shutdown.patch new file mode 100644 index 0000000000..af6cdc17e3 --- /dev/null +++ b/queue-5.15/remoteproc-core-clear-table_sz-when-rproc_shutdown.patch 
@@ -0,0 +1,86 @@ +From 9227244e3f0dcb74b9d9628414c0d93661f66e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 18:01:05 +0800 +Subject: remoteproc: core: Clear table_sz when rproc_shutdown + +From: Peng Fan + +[ Upstream commit efdde3d73ab25cef4ff2d06783b0aad8b093c0e4 ] + +There is case as below could trigger kernel dump: +Use U-Boot to start remote processor(rproc) with resource table +published to a fixed address by rproc. After Kernel boots up, +stop the rproc, load a new firmware which doesn't have resource table +,and start rproc. + +When starting rproc with a firmware not have resource table, +`memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will +trigger dump, because rproc->cache_table is set to NULL during the last +stop operation, but rproc->table_sz is still valid. + +This issue is found on i.MX8MP and i.MX9. + +Dump as below: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault +Data abort info: + ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000 +[0000000000000000] pgd=0000000000000000, p4d=0000000000000000 +Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38 +Hardware name: NXP i.MX8MPlus EVK board (DT) +pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : __pi_memcpy_generic+0x110/0x22c +lr : rproc_start+0x88/0x1e0 +Call trace: + __pi_memcpy_generic+0x110/0x22c (P) + rproc_boot+0x198/0x57c + state_store+0x40/0x104 + dev_attr_store+0x18/0x2c + sysfs_kf_write+0x7c/0x94 + kernfs_fop_write_iter+0x120/0x1cc + vfs_write+0x240/0x378 + ksys_write+0x70/0x108 + 
__arm64_sys_write+0x1c/0x28 + invoke_syscall+0x48/0x10c + el0_svc_common.constprop.0+0xc0/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x30/0xcc + el0t_64_sync_handler+0x10c/0x138 + el0t_64_sync+0x198/0x19c + +Clear rproc->table_sz to address the issue. + +Fixes: 9dc9507f1880 ("remoteproc: Properly deal with the resource table when detaching") +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20250319100106.3622619-1-peng.fan@oss.nxp.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index 97e59f7461261..9e6d0dda64a99 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -2102,6 +2102,7 @@ void rproc_shutdown(struct rproc *rproc) + kfree(rproc->cached_table); + rproc->cached_table = NULL; + rproc->table_ptr = NULL; ++ rproc->table_sz = 0; + out: + mutex_unlock(&rproc->lock); + } +-- +2.39.5 + diff --git a/queue-5.15/remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch b/queue-5.15/remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch new file mode 100644 index 0000000000..eec698e40c --- /dev/null +++ b/queue-5.15/remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch 
@@ -0,0 +1,90 @@ +From 4a68419194be981d6c3f9c319ea49661d8c4f00b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 23:05:18 +0100 +Subject: remoteproc: qcom_q6v5_mss: Handle platforms with one power domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luca Weiss + +[ Upstream commit 4641840341f37dc8231e0840ec1514b4061b4322 ] + +For example MSM8974 has mx voltage rail exposed as regulator and only cx +voltage rail is exposed as power domain. This power domain (cx) is +attached internally in power domain and cannot be attached in this driver. + +Fixes: 8750cf392394 ("remoteproc: qcom_q6v5_mss: Allow replacing regulators with power domains") +Co-developed-by: Matti Lehtimäki +Signed-off-by: Matti Lehtimäki +Reviewed-by: Stephan Gerhold +Signed-off-by: Luca Weiss +Link: https://lore.kernel.org/r/20250217-msm8226-modem-v5-4-2bc74b80e0ae@lucaweiss.eu +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_mss.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c +index 7fe1f2c5480af..7acd60de18c8f 100644 +--- a/drivers/remoteproc/qcom_q6v5_mss.c ++++ b/drivers/remoteproc/qcom_q6v5_mss.c +@@ -1594,6 +1594,13 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs, + while (pd_names[num_pds]) + num_pds++; + ++ /* Handle single power domain */ ++ if (num_pds == 1 && dev->pm_domain) { ++ devs[0] = dev; ++ pm_runtime_enable(dev); ++ return 1; ++ } ++ + for (i = 0; i < num_pds; i++) { + devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]); + if (IS_ERR_OR_NULL(devs[i])) { +@@ -1614,8 +1621,15 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs, + static void q6v5_pds_detach(struct q6v5 *qproc, struct device **pds, + size_t pd_count) + { ++ struct device *dev = qproc->dev; + int i; + ++ /* Handle single power domain 
*/ ++ if (pd_count == 1 && dev->pm_domain) { ++ pm_runtime_disable(dev); ++ return; ++ } ++ + for (i = 0; i < pd_count; i++) + dev_pm_domain_detach(pds[i], false); + } +@@ -2081,13 +2095,13 @@ static const struct rproc_hexagon_res msm8974_mss = { + .supply = "pll", + .uA = 100000, + }, +- {} +- }, +- .fallback_proxy_supply = (struct qcom_mss_reg_res[]) { + { + .supply = "mx", + .uV = 1050000, + }, ++ {} ++ }, ++ .fallback_proxy_supply = (struct qcom_mss_reg_res[]) { + { + .supply = "cx", + .uA = 100000, +@@ -2113,7 +2127,6 @@ static const struct rproc_hexagon_res msm8974_mss = { + NULL + }, + .proxy_pd_names = (char*[]){ +- "mx", + "cx", + NULL + }, +-- +2.39.5 + diff --git a/queue-5.15/remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch b/queue-5.15/remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch new file mode 100644 index 0000000000..03db28012a --- /dev/null +++ b/queue-5.15/remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch 
@@ -0,0 +1,63 @@ +From 3167174c40fadd2730adeaa8b4e69de89210a5bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 22:54:00 +0100 +Subject: remoteproc: qcom_q6v5_pas: Make single-PD handling more robust + +From: Luca Weiss + +[ Upstream commit e917b73234b02aa4966325e7380d2559bf127ba9 ] + +Only go into the if condition for single-PD handling when there's +actually just one power domain specified there. Otherwise it'll be an +issue in the dts and we should fail in the regular code path. + +This also mirrors the latest changes in the qcom_q6v5_mss driver. + +Suggested-by: Stephan Gerhold +Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains") +Signed-off-by: Luca Weiss +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20250128-pas-singlepd-v1-2-85d9ae4b0093@lucaweiss.eu +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_pas.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c +index fbcbc00f2e645..776319ab1baf9 100644 +--- a/drivers/remoteproc/qcom_q6v5_pas.c ++++ b/drivers/remoteproc/qcom_q6v5_pas.c +@@ -330,16 +330,16 @@ static int adsp_pds_attach(struct device *dev, struct device **devs, + if (!pd_names) + return 0; + ++ while (pd_names[num_pds]) ++ num_pds++; ++ + /* Handle single power domain */ +- if (dev->pm_domain) { ++ if (num_pds == 1 && dev->pm_domain) { + devs[0] = dev; + pm_runtime_enable(dev); + return 1; + } + +- while (pd_names[num_pds]) +- num_pds++; +- + for (i = 0; i < num_pds; i++) { + devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]); + if (IS_ERR_OR_NULL(devs[i])) { +@@ -364,7 +364,7 @@ static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds, + int i; + + /* Handle single power domain */ +- if (dev->pm_domain && pd_count) { ++ if (pd_count == 1 && dev->pm_domain) { + pm_runtime_disable(dev); + return; + } +-- +2.39.5 + 
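Review bot: in adsp_pds_attach() (drivers/remoteproc/qcom_q6v5_pas.c) the `/* Handle single power domain */` comment no longer describes the whole condition. With `num_pds == 1 && dev->pm_domain`, a device that has dev->pm_domain set but lists several pd_names now falls through to the dev_pm_domain_attach_by_name() loop. The changelog says that case is a dts problem meant to fail in the regular path; please say so in the comment, because adsp_pds_detach() has to keep the identical test (`pd_count == 1 && dev->pm_domain`) for pm_runtime_enable() and pm_runtime_disable() to stay balanced, and the reason for the exact count is not obvious from the code alone.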
diff --git a/queue-5.15/ring-buffer-fix-bytes_dropped-calculation-issue.patch b/queue-5.15/ring-buffer-fix-bytes_dropped-calculation-issue.patch new file mode 100644 index 0000000000..683efcf8ce --- /dev/null +++ b/queue-5.15/ring-buffer-fix-bytes_dropped-calculation-issue.patch @@ -0,0 +1,41 @@ +From b3123963792f23375d23c83bca946752e32bd1a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Feb 2025 15:01:06 +0800 +Subject: ring-buffer: Fix bytes_dropped calculation issue + +From: Feng Yang + +[ Upstream commit c73f0b69648501978e8b3e8fa7eef7f4197d0481 ] + +The calculation of bytes-dropped and bytes_dropped_nested is reversed. +Although it does not affect the final calculation of total_dropped, +it should still be modified. + +Link: https://lore.kernel.org/20250223070106.6781-1-yangfeng59949@163.com +Fixes: 6c43e554a2a5 ("ring-buffer: Add ring buffer startup selftest") +Signed-off-by: Feng Yang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index f9f0c198cb43c..90a8dd91e2eb0 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -5949,9 +5949,9 @@ static __init int rb_write_something(struct rb_test_data *data, bool nested) + /* Ignore dropped events before test starts. */ + if (started) { + if (nested) +- data->bytes_dropped += len; +- else + data->bytes_dropped_nested += len; ++ else ++ data->bytes_dropped += len; + } + return len; + } +-- +2.39.5 + diff --git a/queue-5.15/riscv-ftrace-add-parentheses-in-macro-definitions-of.patch b/queue-5.15/riscv-ftrace-add-parentheses-in-macro-definitions-of.patch new file mode 100644 index 0000000000..e8b0c3fb6e --- /dev/null +++ b/queue-5.15/riscv-ftrace-add-parentheses-in-macro-definitions-of.patch 
@@ -0,0 +1,63 @@ +From 943c28d58a9b1c8dd8f255cdbea500c99a515216 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 13:28:36 -0600 +Subject: riscv: ftrace: Add parentheses in macro definitions of make_call_t0 + and make_call_ra + +From: Juhan Jin + +[ Upstream commit 5f1a58ed91a040d4625d854f9bb3dd4995919202 ] + +This patch adds parentheses to parameters caller and callee of macros +make_call_t0 and make_call_ra. Every existing invocation of these two +macros uses a single variable for each argument, so the absence of the +parentheses seems okay. However, future invocations might use more +complex expressions as arguments. For example, a future invocation might +look like this: make_call_t0(a - b, c, call). Without parentheses in the +macro definition, the macro invocation expands to: + +... +unsigned int offset = (unsigned long) c - (unsigned long) a - b; +... + +which is clearly wrong. + +The use of parentheses ensures arguments are correctly evaluated and +potentially saves future users of make_call_t0 and make_call_ra debugging +trouble. 
+ +Fixes: 6724a76cff85 ("riscv: ftrace: Reduce the detour code size to half") +Signed-off-by: Juhan Jin +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/tencent_AE90AA59903A628E87E9F80E563DA5BA5508@qq.com +Signed-off-by: Alexandre Ghiti +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/ftrace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h +index d47d87c2d7e3d..195f4ebd71f2c 100644 +--- a/arch/riscv/include/asm/ftrace.h ++++ b/arch/riscv/include/asm/ftrace.h +@@ -77,7 +77,7 @@ struct dyn_arch_ftrace { + #define make_call_t0(caller, callee, call) \ + do { \ + unsigned int offset = \ +- (unsigned long) callee - (unsigned long) caller; \ ++ (unsigned long) (callee) - (unsigned long) (caller); \ + call[0] = to_auipc_t0(offset); \ + call[1] = to_jalr_t0(offset); \ + } while (0) +@@ -93,7 +93,7 @@ do { \ + #define make_call_ra(caller, callee, call) \ + do { \ + unsigned int offset = \ +- (unsigned long) callee - (unsigned long) caller; \ ++ (unsigned long) (callee) - (unsigned long) (caller); \ + call[0] = to_auipc_ra(offset); \ + call[1] = to_jalr_ra(offset); \ + } while (0) +-- +2.39.5 + diff --git a/queue-5.15/rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch b/queue-5.15/rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch new file mode 100644 index 0000000000..818f99aad3 --- /dev/null +++ b/queue-5.15/rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch 
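Review bot: make_call_t0() and make_call_ra() in the riscv ftrace patch still expand their third parameter unparenthesized in `call[0] = ...` and `call[1] = ...`, so the hazard the commit message describes for caller and callee remains for call. An argument such as p + 1 would expand to p + 1[0] and not index what the caller intended; writing (call)[0] and (call)[1] in both macros closes that as well.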
@@ -0,0 +1,163 @@ +From 977de69d9be0db950180e5d06ea180b1578c8da2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 11:02:26 +0200 +Subject: rtnetlink: Allocate vfinfo size for VF GUIDs when supported + +From: Mark Zhang + +[ Upstream commit 23f00807619d15063d676218f36c5dfeda1eb420 ] + +Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs") +added support for getting VF port and node GUIDs in netlink ifinfo +messages, but their size was not taken into consideration in the +function that allocates the netlink message, causing the following +warning when a netlink message is filled with many VF port and node +GUIDs: + # echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs + # ip link show dev ib0 + RTNETLINK answers: Message too long + Cannot send link get request: Message too long + +Kernel warning: + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0 + Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core + CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:rtnl_getlink+0x586/0x5a0 + Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00 + RSP: 0018:ffff888113557348 EFLAGS: 00010246 + RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000 + RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8 + RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000 + R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00 + R13: ffffffff8563d300 R14: 
00000000ffffffa6 R15: 00000000ffffffff + FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ? __warn+0xa5/0x230 + ? rtnl_getlink+0x586/0x5a0 + ? report_bug+0x22d/0x240 + ? handle_bug+0x53/0xa0 + ? exc_invalid_op+0x14/0x50 + ? asm_exc_invalid_op+0x16/0x20 + ? skb_trim+0x6a/0x80 + ? rtnl_getlink+0x586/0x5a0 + ? __pfx_rtnl_getlink+0x10/0x10 + ? rtnetlink_rcv_msg+0x1e5/0x860 + ? __pfx___mutex_lock+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? __pfx_lock_acquire+0x10/0x10 + ? stack_trace_save+0x90/0xd0 + ? filter_irq_stacks+0x1d/0x70 + ? kasan_save_stack+0x30/0x40 + ? kasan_save_stack+0x20/0x40 + ? kasan_save_track+0x10/0x30 + rtnetlink_rcv_msg+0x21c/0x860 + ? entry_SYSCALL_64_after_hwframe+0x76/0x7e + ? __pfx_rtnetlink_rcv_msg+0x10/0x10 + ? arch_stack_walk+0x9e/0xf0 + ? rcu_is_watching+0x34/0x60 + ? lock_acquire+0xd5/0x410 + ? rcu_is_watching+0x34/0x60 + netlink_rcv_skb+0xe0/0x210 + ? __pfx_rtnetlink_rcv_msg+0x10/0x10 + ? __pfx_netlink_rcv_skb+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? __pfx___netlink_lookup+0x10/0x10 + ? lock_release+0x62/0x200 + ? netlink_deliver_tap+0xfd/0x290 + ? rcu_is_watching+0x34/0x60 + ? lock_release+0x62/0x200 + ? netlink_deliver_tap+0x95/0x290 + netlink_unicast+0x31f/0x480 + ? __pfx_netlink_unicast+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? lock_acquire+0xd5/0x410 + netlink_sendmsg+0x369/0x660 + ? lock_release+0x62/0x200 + ? __pfx_netlink_sendmsg+0x10/0x10 + ? import_ubuf+0xb9/0xf0 + ? __import_iovec+0x254/0x2b0 + ? lock_release+0x62/0x200 + ? __pfx_netlink_sendmsg+0x10/0x10 + ____sys_sendmsg+0x559/0x5a0 + ? __pfx_____sys_sendmsg+0x10/0x10 + ? __pfx_copy_msghdr_from_user+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? 
do_read_fault+0x213/0x4a0 + ? rcu_is_watching+0x34/0x60 + ___sys_sendmsg+0xe4/0x150 + ? __pfx____sys_sendmsg+0x10/0x10 + ? do_fault+0x2cc/0x6f0 + ? handle_pte_fault+0x2e3/0x3d0 + ? __pfx_handle_pte_fault+0x10/0x10 + ? preempt_count_sub+0x14/0xc0 + ? __down_read_trylock+0x150/0x270 + ? __handle_mm_fault+0x404/0x8e0 + ? __pfx___handle_mm_fault+0x10/0x10 + ? lock_release+0x62/0x200 + ? __rcu_read_unlock+0x65/0x90 + ? rcu_is_watching+0x34/0x60 + __sys_sendmsg+0xd5/0x150 + ? __pfx___sys_sendmsg+0x10/0x10 + ? __up_read+0x192/0x480 + ? lock_release+0x62/0x200 + ? __rcu_read_unlock+0x65/0x90 + ? rcu_is_watching+0x34/0x60 + do_syscall_64+0x6d/0x140 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f63a5b13367 + Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + RSP: 002b:00007fff8c726bc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000067b687c2 RCX: 00007f63a5b13367 + RDX: 0000000000000000 RSI: 00007fff8c726c30 RDI: 0000000000000004 + RBP: 00007fff8c726cb8 R08: 0000000000000000 R09: 0000000000000034 + R10: 00007fff8c726c7c R11: 0000000000000246 R12: 0000000000000001 + R13: 0000000000000000 R14: 00007fff8c726cd0 R15: 00007fff8c726cd0 + + irq event stamp: 0 + hardirqs last enabled at (0): [<0000000000000000>] 0x0 + hardirqs last disabled at (0): [] copy_process+0xd08/0x2830 + softirqs last enabled at (0): [] copy_process+0xd08/0x2830 + softirqs last disabled at (0): [<0000000000000000>] 0x0 + ---[ end trace 0000000000000000 ]--- + +Thus, when calculating ifinfo message size, take VF GUIDs sizes into +account when supported. 
+ +Fixes: 30aad41721e0 ("net/core: Add support for getting VF GUIDs") +Signed-off-by: Mark Zhang +Reviewed-by: Maher Sanalla +Signed-off-by: Mark Bloch +Reviewed-by: Sabrina Dubroca +Link: https://patch.msgid.link/20250325090226.749730-1-mbloch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 24795110b2ff3..46a97c915e93e 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -972,6 +972,9 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev, + /* IFLA_VF_STATS_TX_DROPPED */ + nla_total_size_64bit(sizeof(__u64))); + } ++ if (dev->netdev_ops->ndo_get_vf_guid) ++ size += num_vfs * 2 * ++ nla_total_size(sizeof(struct ifla_vf_guid)); + return size; + } else + return 0; +-- +2.39.5 + diff --git a/queue-5.15/sched-deadline-use-online-cpus-for-validating-runtim.patch b/queue-5.15/sched-deadline-use-online-cpus-for-validating-runtim.patch new file mode 100644 index 0000000000..32f8558fba --- /dev/null +++ b/queue-5.15/sched-deadline-use-online-cpus-for-validating-runtim.patch 
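Review bot: the literal 2 in the term added to rtnl_vfinfo_size() is unexplained, while the lines just above annotate every attribute they size (for example /* IFLA_VF_STATS_TX_DROPPED */). Add a comment naming the two per-VF GUID attributes the factor stands for (node GUID and port GUID, per the commit message), and confirm that the fill side emits them under the same ndo_get_vf_guid condition so the size estimate and the message contents cannot drift apart again.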
@@ -0,0 +1,45 @@ +From 9fe565ae6080eb6e574b6110844b1e424d644d6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 10:59:53 +0530 +Subject: sched/deadline: Use online cpus for validating runtime + +From: Shrikanth Hegde + +[ Upstream commit 14672f059d83f591afb2ee1fff56858efe055e5a ] + +The ftrace selftest reported a failure because writing -1 to +sched_rt_runtime_us returns -EBUSY. This happens when the possible +CPUs are different from active CPUs. + +Active CPUs are part of one root domain, while remaining CPUs are part +of def_root_domain. Since active cpumask is being used, this results in +cpus=0 when a non active CPUs is used in the loop. + +Fix it by looping over the online CPUs instead for validating the +bandwidth calculations. + +Signed-off-by: Shrikanth Hegde +Signed-off-by: Ingo Molnar +Reviewed-by: Juri Lelli +Link: https://lore.kernel.org/r/20250306052954.452005-2-sshegde@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 0a6d6899be5bd..66eb68c59f0bb 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -2610,7 +2610,7 @@ int sched_dl_global_validate(void) + * value smaller than the currently allocated bandwidth in + * any of the root_domains. + */ +- for_each_possible_cpu(cpu) { ++ for_each_online_cpu(cpu) { + rcu_read_lock_sched(); + + if (dl_bw_visited(cpu, gen)) +-- +2.39.5 + diff --git a/queue-5.15/sched-smt-always-inline-sched_smt_active.patch b/queue-5.15/sched-smt-always-inline-sched_smt_active.patch new file mode 100644 index 0000000000..d50758151d --- /dev/null +++ b/queue-5.15/sched-smt-always-inline-sched_smt_active.patch 
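Review bot: sched_dl_global_validate() now walks for_each_online_cpu(), but the visible context shows only rcu_read_lock_sched() taken inside the loop body and nothing that holds off CPU hotplug across the iteration. Confirm that the caller excludes hotplug, or extend the comment above the loop to say why a CPU coming online or going offline mid-walk cannot let an over-committed root domain go unchecked. The patch also carries no Fixes: tag, which makes it harder to judge which stable trees need it.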
@@ -0,0 +1,45 @@ +From bdf4a87344be9b38f74c0c11a0022660e9f61687 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 21:26:44 -0700 +Subject: sched/smt: Always inline sched_smt_active() + +From: Josh Poimboeuf + +[ Upstream commit 09f37f2d7b21ff35b8b533f9ab8cfad2fe8f72f6 ] + +sched_smt_active() can be called from noinstr code, so it should always +be inlined. The CONFIG_SCHED_SMT version already has __always_inline. +Do the same for its !CONFIG_SCHED_SMT counterpart. + +Fixes the following warning: + + vmlinux.o: error: objtool: intel_idle_ibrs+0x13: call to sched_smt_active() leaves .noinstr.text section + +Fixes: 321a874a7ef8 ("sched/smt: Expose sched_smt_present static key") +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/1d03907b0a247cf7fb5c1d518de378864f603060.1743481539.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/r/202503311434.lyw2Tveh-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + include/linux/sched/smt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h +index 59d3736c454cf..737b50f40137b 100644 +--- a/include/linux/sched/smt.h ++++ b/include/linux/sched/smt.h +@@ -12,7 +12,7 @@ static __always_inline bool sched_smt_active(void) + return static_branch_likely(&sched_smt_present); + } + #else +-static inline bool sched_smt_active(void) { return false; } ++static __always_inline bool sched_smt_active(void) { return false; } + #endif + + void arch_smt_update(void); +-- +2.39.5 + diff --git a/queue-5.15/selinux-chain-up-tool-resolving-errors-in-install_po.patch b/queue-5.15/selinux-chain-up-tool-resolving-errors-in-install_po.patch new file mode 100644 index 0000000000..c284c70eac --- /dev/null +++ b/queue-5.15/selinux-chain-up-tool-resolving-errors-in-install_po.patch 
@@ -0,0 +1,66 @@ +From f1d68dcf6c39e4cc12b5d582a71f4a35c5408db6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 10:56:43 +0100 +Subject: selinux: Chain up tool resolving errors in install_policy.sh + +From: Tim Schumacher + +[ Upstream commit 6ae0042f4d3f331e841495eb0a3d51598e593ec2 ] + +Subshell evaluations are not exempt from errexit, so if a command is +not available, `which` will fail and exit the script as a whole. +This causes the helpful error messages to not be printed if they are +tacked on using a `$?` comparison. + +Resolve the issue by using chains of logical operators, which are not +subject to the effects of errexit. + +Fixes: e37c1877ba5b1 ("scripts/selinux: modernize mdp") +Signed-off-by: Tim Schumacher +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + scripts/selinux/install_policy.sh | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh +index 20af56ce245c5..c68f0e045fb00 100755 +--- a/scripts/selinux/install_policy.sh ++++ b/scripts/selinux/install_policy.sh +@@ -6,27 +6,24 @@ if [ `id -u` -ne 0 ]; then + exit 1 + fi + +-SF=`which setfiles` +-if [ $? -eq 1 ]; then ++SF=`which setfiles` || { + echo "Could not find setfiles" + echo "Do you have policycoreutils installed?" + exit 1 +-fi ++} + +-CP=`which checkpolicy` +-if [ $? -eq 1 ]; then ++CP=`which checkpolicy` || { + echo "Could not find checkpolicy" + echo "Do you have checkpolicy installed?" + exit 1 +-fi ++} + VERS=`$CP -V | awk '{print $1}'` + +-ENABLED=`which selinuxenabled` +-if [ $? -eq 1 ]; then ++ENABLED=`which selinuxenabled` || { + echo "Could not find selinuxenabled" + echo "Do you have libselinux-utils installed?" + exit 1 +-fi ++} + + if selinuxenabled; then + echo "SELinux is already enabled" +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index 22c1d3e061..4f2dddc23c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
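Review bot: the three tool lookups in install_policy.sh still depend on the external `which`, whose exit status and output are not standardized across distributions; `command -v setfiles` is specified by POSIX and works with the same `|| { ...; exit 1; }` chain. While the blocks are being rewritten, the "Could not find ..." messages should be redirected to stderr, and since ENABLED is resolved but the test that follows in the visible context calls selinuxenabled by bare name, either use "$ENABLED" there or drop the variable.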
@@ -125,3 +125,126 @@ net-usb-usbnet-restore-usb-d-name-exception-for-local-mac-addresses.patch memstick-rtsx_usb_ms-fix-slab-use-after-free-in-rtsx_usb_ms_drv_remove.patch serial-8250_dma-terminate-correct-dma-in-tx_dma_flush.patch media-i2c-et8ek8-don-t-strip-remove-function-when-driver-is-builtin.patch +watch_queue-fix-pipe-accounting-mismatch.patch +x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch +cpufreq-scpi-compare-khz-instead-of-hz.patch +cpufreq-governor-fix-negative-idle_time-handling-in-.patch +x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch +x86-platform-only-allow-config_eisa-for-32-bit.patch +pm-sleep-adjust-check-before-setting-power.must_resu.patch +selinux-chain-up-tool-resolving-errors-in-install_po.patch +edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch +edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch +edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch +thermal-int340x-add-null-check-for-adev.patch +pm-sleep-fix-handling-devices-with-direct_complete-s.patch +lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch +perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch +media-platform-allgro-dvt-unregister-v4l2_device-on-.patch +hid-remove-superfluous-and-wrong-makefile-entry-for-.patch +alsa-hda-realtek-always-honor-no_shutup_pins.patch +asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch +drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch +drm-dp_mst-fix-drm-rad-print.patch +drm-xlnx-zynqmp-fix-max-dma-segment-size.patch +drm-vkms-fix-use-after-free-and-double-free-on-init-.patch +drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch +drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch +pci-aspm-fix-link-state-exit-during-switch-upstream-.patch +pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch +pci-brcmstb-use-internal-register-to-change-link-cap.patch +pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch +pci-avoid-reset-when-disabled-via-sysfs.patch 
+drm-amd-display-fix-type-mismatch-in-calculatedynami.patch +pci-remove-stray-put_device-in-pci_register_host_bri.patch +pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch +drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch +pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch +fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch +mdacon-rework-dependency-list.patch +fbdev-sm501fb-add-some-geometry-checks.patch +clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch +crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch +remoteproc-core-clear-table_sz-when-rproc_shutdown.patch +of-property-increase-nr_fwnode_reference_args.patch +remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch +libbpf-fix-hypothetical-stt_section-extern-null-dere.patch +clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch +clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch +bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch +lib-842-improve-error-handling-in-sw842_compress.patch +pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch +pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch +clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch +rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch +remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch +ib-mad-check-available-slots-before-posting-receive-.patch +pinctrl-tegra-set-sfio-mode-to-mux-register.patch +clk-amlogic-g12b-fix-cluster-a-parent-data.patch +clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch +clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch +x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch +power-supply-max77693-fix-wrong-conversion-of-charge.patch +crypto-nx-fix-uninitialised-hv_nxc-on-error.patch +rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch +mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch +x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch +crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch 
+clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch +isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch +soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch +coresight-catu-fix-number-of-pages-while-using-64k-p.patch +iio-accel-mma8452-ensure-error-return-on-failure-to-.patch +fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch +iio-adc-ad7124-fix-comparison-of-channel-configs.patch +perf-units-fix-insufficient-array-space.patch +kexec-initialize-elf-lowest-address-to-ulong_max.patch +ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch +nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch +fuse-fix-dax-truncate-punch_hole-fault-path.patch +i3c-master-svc-fix-missing-the-ibi-rules.patch +perf-python-fixup-description-of-sample.id-event-mem.patch +perf-python-decrement-the-refcount-of-just-created-e.patch +perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch +perf-python-check-if-there-is-space-to-copy-all-the-.patch +fs-procfs-fix-the-comment-above-proc_pid_wchan.patch +objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch +exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch +rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch +ksmbd-use-aead_request_free-to-match-aead_request_al.patch +ksmbd-fix-multichannel-connection-failure.patch +ring-buffer-fix-bytes_dropped-calculation-issue.patch +acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch +octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch +octeontx2-af-free-nix_af_int_vec_gen-irq.patch +sched-smt-always-inline-sched_smt_active.patch +wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch +nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch +nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch +nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch +affs-generate-ofs-sequence-numbers-starting-at-1.patch +affs-don-t-write-overlarge-ofs-data-block-size-field.patch +ksmbd-fix-incorrect-validation-for-num_aces-field-of.patch 
+sched-deadline-use-online-cpus-for-validating-runtim.patch +locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch +x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch +drm-amd-keep-display-off-while-going-into-s4.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +can-statistics-use-atomic-access-in-hot-path.patch +hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch +spufs-fix-a-leak-on-spufs_new_file-failure.patch +spufs-fix-a-leak-in-spufs_create_context.patch +riscv-ftrace-add-parentheses-in-macro-definitions-of.patch +ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch +ntb-intel-fix-using-link-status-db-s.patch +asoc-imx-card-add-null-check-in-imx_card_probe.patch +netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch +netlabel-fix-null-pointer-exception-caused-by-calips.patch +net_sched-skbprio-remove-overly-strict-queue-asserti.patch +net-mvpp2-prevent-parser-tcam-memory-corruption.patch +vsock-avoid-timeout-during-connect-if-the-socket-is-.patch +tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch +netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch +ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch +net-fix-geneve_opt-length-integer-overflow.patch +arcnet-add-null-check-in-com20020pci_probe.patch diff --git a/queue-5.15/soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch b/queue-5.15/soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch new file mode 100644 index 0000000000..8e763d0eef --- /dev/null +++ b/queue-5.15/soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch 
@@ -0,0 +1,40 @@ +From 1f9652a53c3e8d381cd04fc63fe4f080bf0ae6d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 12:48:44 +0900 +Subject: soundwire: slave: fix an OF node reference leak in soundwire slave + device + +From: Joe Hattori + +[ Upstream commit aac2f8363f773ae1f65aab140e06e2084ac6b787 ] + +When initializing a soundwire slave device, an OF node is stored to the +device with refcount incremented. However, the refcount is not +decremented in .release(), thus call of_node_put() in +sdw_slave_release(). + +Fixes: a2e484585ad3 ("soundwire: core: add device tree support for slave devices") +Signed-off-by: Joe Hattori +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20241205034844.2784964-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/slave.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soundwire/slave.c b/drivers/soundwire/slave.c +index 25e76b5d4a1a3..a5a9118612de2 100644 +--- a/drivers/soundwire/slave.c ++++ b/drivers/soundwire/slave.c +@@ -12,6 +12,7 @@ static void sdw_slave_release(struct device *dev) + { + struct sdw_slave *slave = dev_to_sdw_dev(dev); + ++ of_node_put(slave->dev.of_node); + mutex_destroy(&slave->sdw_dev_lock); + kfree(slave); + } +-- +2.39.5 + diff --git a/queue-5.15/spufs-fix-a-leak-in-spufs_create_context.patch b/queue-5.15/spufs-fix-a-leak-in-spufs_create_context.patch new file mode 100644 index 0000000000..9f3c6dff31 --- /dev/null +++ b/queue-5.15/spufs-fix-a-leak-in-spufs_create_context.patch 
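Review bot: in sdw_slave_release(), the new call reaches the node through slave->dev.of_node although dev is already the function parameter; of_node_put(dev->of_node) says the same thing more directly. The matching reference acquisition is outside this hunk, so a short comment naming where the reference is taken would help keep the get and the put paired in later changes.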
@@ -0,0 +1,39 @@ +From 478f7b08869e947667869a2389ae00bb3fab19b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 19:38:28 -0400 +Subject: spufs: fix a leak in spufs_create_context() + +From: Al Viro + +[ Upstream commit 0f5cce3fc55b08ee4da3372baccf4bcd36a98396 ] + +Leak fixes back in 2008 missed one case - if we are trying to set affinity +and spufs_mkdir() fails, we need to drop the reference to neighbor. + +Fixes: 58119068cb27 "[POWERPC] spufs: Fix memory leak on SPU affinity" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index 1095be5186ebf..ea3082f2f9d1d 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -436,8 +436,11 @@ spufs_create_context(struct inode *inode, struct dentry *dentry, + } + + ret = spufs_mkdir(inode, dentry, flags, mode & 0777); +- if (ret) ++ if (ret) { ++ if (neighbor) ++ put_spu_context(neighbor); + goto out_aff_unlock; ++ } + + if (affinity) { + spufs_set_affinity(flags, SPUFS_I(d_inode(dentry))->i_ctx, +-- +2.39.5 + diff --git a/queue-5.15/spufs-fix-a-leak-on-spufs_new_file-failure.patch b/queue-5.15/spufs-fix-a-leak-on-spufs_new_file-failure.patch new file mode 100644 index 0000000000..5ec8b8156b --- /dev/null +++ b/queue-5.15/spufs-fix-a-leak-on-spufs_new_file-failure.patch 
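Review bot: the neighbor reference is dropped inline in the spufs_mkdir() failure branch of spufs_create_context() rather than in the unwind labels, so any other early exit between taking the reference and the affinity setup has to repeat the same two lines. The commit message says the 2008 leak fixes missed this case, which is the usual result of scattered cleanup; consider a dedicated label ahead of out_aff_unlock that does the put, and confirm that no remaining path before spufs_set_affinity() leaves with neighbor still held.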
@@ -0,0 +1,40 @@ +From cd5ef599eb38b1e2ddc673323db04af7bb00efe1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Mar 2025 19:26:31 -0500 +Subject: spufs: fix a leak on spufs_new_file() failure + +From: Al Viro + +[ Upstream commit d1ca8698ca1332625d83ea0d753747be66f9906d ] + +It's called from spufs_fill_dir(), and caller of that will do +spufs_rmdir() in case of failure. That does remove everything +we'd managed to create, but... the problem dentry is still +negative. IOW, it needs to be explicitly dropped. + +Fixes: 3f51dd91c807 "[PATCH] spufs: fix spufs_fill_dir error path" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index ed37a93bf858a..1095be5186ebf 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -190,8 +190,10 @@ static int spufs_fill_dir(struct dentry *dir, + return -ENOMEM; + ret = spufs_new_file(dir->d_sb, dentry, files->ops, + files->mode & mode, files->size, ctx); +- if (ret) ++ if (ret) { ++ dput(dentry); + return ret; ++ } + files++; + } + return 0; +-- +2.39.5 + diff --git a/queue-5.15/thermal-int340x-add-null-check-for-adev.patch b/queue-5.15/thermal-int340x-add-null-check-for-adev.patch new file mode 100644 index 0000000000..4a18635f8b --- /dev/null +++ b/queue-5.15/thermal-int340x-add-null-check-for-adev.patch 
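Review bot: the dput(dentry) added on the spufs_new_file() failure path in spufs_fill_dir() has no comment, and the reason it is needed (the caller's spufs_rmdir() removes only what was created, and this dentry is still negative) is recorded only in the commit message. A one-line comment at the dput() would stop a later cleanup from removing it as redundant.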
@@ -0,0 +1,50 @@ +From 9ac6a22c9d7073090b946b29d26d2f1b8ade44f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 23:36:11 -0500 +Subject: thermal: int340x: Add NULL check for adev +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenyuan Yang + +[ Upstream commit 2542a3f70e563a9e70e7ded314286535a3321bdb ] + +Not all devices have an ACPI companion fwnode, so adev might be NULL. +This is similar to the commit cd2fd6eab480 +("platform/x86: int3472: Check for adev == NULL"). + +Add a check for adev not being set and return -ENODEV in that case to +avoid a possible NULL pointer deref in int3402_thermal_probe(). + +Note, under the same directory, int3400_thermal_probe() has such a +check. + +Fixes: 77e337c6e23e ("Thermal: introduce INT3402 thermal driver") +Signed-off-by: Chenyuan Yang +Acked-by: Uwe Kleine-König +Link: https://patch.msgid.link/20250313043611.1212116-1-chenyuan0y@gmail.com +[ rjw: Subject edit, added Fixes: ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel/int340x_thermal/int3402_thermal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c +index 43fa351e2b9ec..b7fdf25bfd237 100644 +--- a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c ++++ b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c +@@ -45,6 +45,9 @@ static int int3402_thermal_probe(struct platform_device *pdev) + struct int3402_thermal_data *d; + int ret; + ++ if (!adev) ++ return -ENODEV; ++ + if (!acpi_has_method(adev->handle, "_TMP")) + return -ENODEV; + +-- +2.39.5 + diff --git a/queue-5.15/tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch b/queue-5.15/tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch new file mode 100644 index 0000000000..8898caa701 --- /dev/null 
+++ b/queue-5.15/tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch 
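Review bot: the new adev check in int3402_thermal_probe() returns the same -ENODEV as the acpi_has_method() test directly below it, so the two can be one condition, `if (!adev || !acpi_has_method(adev->handle, "_TMP"))`, which keeps the NULL test visibly attached to the dereference it protects. Either form is correct; the combined one is harder to separate by accident in a later edit.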
@@ -0,0 +1,83 @@ +From dfa05f849f5f523a7f47e8df8d99943ff9417a18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Mar 2025 01:33:44 +0100 +Subject: tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu(). + +From: Guillaume Nault + +[ Upstream commit 8930424777e43257f5bf6f0f0f53defd0d30415c ] + +Because skb_tunnel_check_pmtu() doesn't handle PACKET_HOST packets, +commit 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper +pmtud support.") forced skb->pkt_type to PACKET_OUTGOING for +openvswitch packets that are sent using the OVS_ACTION_ATTR_OUTPUT +action. This allowed such packets to invoke the +iptunnel_pmtud_check_icmp() or iptunnel_pmtud_check_icmpv6() helpers +and thus trigger PMTU update on the input device. + +However, this also broke other parts of PMTU discovery. Since these +packets don't have the PACKET_HOST type anymore, they won't trigger the +sending of ICMP Fragmentation Needed or Packet Too Big messages to +remote hosts when oversized (see the skb_in->pkt_type condition in +__icmp_send() for example). + +These two skb->pkt_type checks are therefore incompatible as one +requires skb->pkt_type to be PACKET_HOST, while the other requires it +to be anything but PACKET_HOST. + +It makes sense to not trigger ICMP messages for non-PACKET_HOST packets +as these messages should be generated only for incoming l2-unicast +packets. However there doesn't seem to be any reason for +skb_tunnel_check_pmtu() to ignore PACKET_HOST packets. + +Allow both cases to work by allowing skb_tunnel_check_pmtu() to work on +PACKET_HOST packets and not overriding skb->pkt_type in openvswitch +anymore. 
+ +Fixes: 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper pmtud support.") +Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") +Signed-off-by: Guillaume Nault +Reviewed-by: Stefano Brivio +Reviewed-by: Aaron Conole +Tested-by: Aaron Conole +Link: https://patch.msgid.link/eac941652b86fddf8909df9b3bf0d97bc9444793.1743208264.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel_core.c | 2 +- + net/openvswitch/actions.c | 6 ------ + 2 files changed, 1 insertion(+), 7 deletions(-) + +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 50ddbd7021f0e..51dd2b36c49d4 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -415,7 +415,7 @@ int skb_tunnel_check_pmtu(struct sk_buff *skb, struct dst_entry *encap_dst, + + skb_dst_update_pmtu_no_confirm(skb, mtu); + +- if (!reply || skb->pkt_type == PACKET_HOST) ++ if (!reply) + return 0; + + if (skb->protocol == htons(ETH_P_IP)) +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 85af0e9e0ac6d..aca6e2b599c86 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -924,12 +924,6 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port, + pskb_trim(skb, ovs_mac_header_len(key)); + } + +- /* Need to set the pkt_type to involve the routing layer. The +- * packet movement through the OVS datapath doesn't generally +- * use routing, but this is needed for tunnel cases. +- */ +- skb->pkt_type = PACKET_OUTGOING; +- + if (likely(!mru || + (skb->len <= mru + vport->dev->hard_header_len))) { + ovs_vport_send(vport, skb, ovs_key_mac_proto(key)); +-- +2.39.5 + diff --git a/queue-5.15/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch b/queue-5.15/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch new file mode 100644 index 0000000000..ede2a41827 --- /dev/null 
+++ b/queue-5.15/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch 
@@ -0,0 +1,62 @@ +From ae356f569977be20c918b13639ddaa22dcc30d41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 15:15:28 +0100 +Subject: vsock: avoid timeout during connect() if the socket is closing + +From: Stefano Garzarella + +[ Upstream commit fccd2b711d9628c7ce0111d5e4938652101ee30a ] + +When a peer attempts to establish a connection, vsock_connect() contains +a loop that waits for the state to be TCP_ESTABLISHED. However, the +other peer can be fast enough to accept the connection and close it +immediately, thus moving the state to TCP_CLOSING. + +When this happens, the peer in the vsock_connect() is properly woken up, +but since the state is not TCP_ESTABLISHED, it goes back to sleep +until the timeout expires, returning -ETIMEDOUT. + +If the socket state is TCP_CLOSING, waiting for the timeout is pointless. +vsock_connect() can return immediately without errors or delay since the +connection actually happened. The socket will be in a closing state, +but this is not an issue, and subsequent calls will fail as expected. + +We discovered this issue while developing a test that accepts and +immediately closes connections to stress the transport switch between +two connect() calls, where the first one was interrupted by a signal +(see Closes link). 
+ +Reported-by: Luigi Leonardi +Closes: https://lore.kernel.org/virtualization/bq6hxrolno2vmtqwcvb5bljfpb7mvwb3kohrvaed6auz5vxrfv@ijmd2f3grobn/ +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Stefano Garzarella +Acked-by: Paolo Abeni +Tested-by: Luigi Leonardi +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20250328141528.420719-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 29ce6cc7b4011..036bdcc9d5c51 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1428,7 +1428,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + timeout = vsk->connect_timeout; + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + +- while (sk->sk_state != TCP_ESTABLISHED && sk->sk_err == 0) { ++ /* If the socket is already closing or it is in an error state, there ++ * is no point in waiting. ++ */ ++ while (sk->sk_state != TCP_ESTABLISHED && ++ sk->sk_state != TCP_CLOSING && sk->sk_err == 0) { + if (flags & O_NONBLOCK) { + /* If we're not going to block, we schedule a timeout + * function to generate a timeout on the connection +-- +2.39.5 + diff --git a/queue-5.15/watch_queue-fix-pipe-accounting-mismatch.patch b/queue-5.15/watch_queue-fix-pipe-accounting-mismatch.patch new file mode 100644 index 0000000000..28b43920b0 --- /dev/null +++ b/queue-5.15/watch_queue-fix-pipe-accounting-mismatch.patch 
@@ -0,0 +1,55 @@ +From 65366bbba18f5ea9ca11ea7894f8e3d2c69e5e94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 11:41:08 -0600 +Subject: watch_queue: fix pipe accounting mismatch + +From: Eric Sandeen + +[ Upstream commit f13abc1e8e1a3b7455511c4e122750127f6bc9b0 ] + +Currently, watch_queue_set_size() modifies the pipe buffers charged to +user->pipe_bufs without updating the pipe->nr_accounted on the pipe +itself, due to the if (!pipe_has_watch_queue()) test in +pipe_resize_ring(). This means that when the pipe is ultimately freed, +we decrement user->pipe_bufs by something other than what than we had +charged to it, potentially leading to an underflow. This in turn can +cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. + +To remedy this, explicitly account for the pipe usage in +watch_queue_set_size() to match the number set via account_pipe_buffers() + +(It's unclear why watch_queue_set_size() does not update nr_accounted; +it may be due to intentional overprovisioning in watch_queue_set_size()?) + +Fixes: e95aada4cb93d ("pipe: wakeup wr_wait after setting max_usage") +Signed-off-by: Eric Sandeen +Link: https://lore.kernel.org/r/206682a8-0604-49e5-8224-fdbe0c12b460@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + kernel/watch_queue.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c +index ae31bf8d2feb1..6ed37bc95cb7b 100644 +--- a/kernel/watch_queue.c ++++ b/kernel/watch_queue.c +@@ -274,6 +274,15 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes) + if (ret < 0) + goto error; + ++ /* ++ * pipe_resize_ring() does not update nr_accounted for watch_queue ++ * pipes, because the above vastly overprovisions. Set nr_accounted on ++ * and max_usage this pipe to the number that was actually charged to ++ * the user above via account_pipe_buffers. 
++ */ ++ pipe->max_usage = nr_pages; ++ pipe->nr_accounted = nr_pages; ++ + ret = -ENOMEM; + pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL); + if (!pages) +-- +2.39.5 + diff --git a/queue-5.15/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch b/queue-5.15/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch new file mode 100644 index 0000000000..ebc5241a7a --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch 
@@ -0,0 +1,140 @@ +From 230a5230d595ec3f3d5916a292288c04744ed3b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2025 14:34:45 +0200 +Subject: wifi: iwlwifi: fw: allocate chained SG tables for dump + +From: Johannes Berg + +[ Upstream commit 7774e3920029398ad49dc848b23840593f14d515 ] + +The firmware dumps can be pretty big, and since we use single +pages for each SG table entry, even the table itself may end +up being an order-5 allocation. Build chained tables so that +we need not allocate a higher-order table here. + +This could be improved and cleaned up, e.g. by using the SG +pool code or simply kvmalloc(), but all of that would require +also updating the devcoredump first since that frees it all, +so we need to be more careful. SG pool might also run against +the CONFIG_ARCH_NO_SG_CHAIN limitation, which is irrelevant +here. + +Also use _devcd_free_sgtable() for the error paths now, much +simpler especially since it's in two places now. + +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250209143303.697c7a465ac9.Iea982df46b5c075bfb77ade36f187d99a70c63db@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++++++++++------- + 1 file changed, 58 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index fc630a0d9c83c..f1d07ddb3f831 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -558,41 +558,71 @@ static void iwl_dump_prph(struct iwl_fw_runtime *fwrt, + } + + /* +- * alloc_sgtable - allocates scallerlist table in the given size, +- * fills it with pages and returns it ++ * alloc_sgtable - allocates (chained) scatterlist in the given size, ++ * fills it with pages and returns it + * @size: the size (in bytes) of the table +-*/ +-static struct scatterlist *alloc_sgtable(int size) ++ */ 
++static struct scatterlist *alloc_sgtable(ssize_t size) + { +- int alloc_size, nents, i; +- struct page *new_page; +- struct scatterlist *iter; +- struct scatterlist *table; ++ struct scatterlist *result = NULL, *prev; ++ int nents, i, n_prev; + + nents = DIV_ROUND_UP(size, PAGE_SIZE); +- table = kcalloc(nents, sizeof(*table), GFP_KERNEL); +- if (!table) +- return NULL; +- sg_init_table(table, nents); +- iter = table; +- for_each_sg(table, iter, sg_nents(table), i) { +- new_page = alloc_page(GFP_KERNEL); +- if (!new_page) { +- /* release all previous allocated pages in the table */ +- iter = table; +- for_each_sg(table, iter, sg_nents(table), i) { +- new_page = sg_page(iter); +- if (new_page) +- __free_page(new_page); +- } +- kfree(table); ++ ++#define N_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(*result)) ++ /* ++ * We need an additional entry for table chaining, ++ * this ensures the loop can finish i.e. we can ++ * fit at least two entries per page (obviously, ++ * many more really fit.) ++ */ ++ BUILD_BUG_ON(N_ENTRIES_PER_PAGE < 2); ++ ++ while (nents > 0) { ++ struct scatterlist *new, *iter; ++ int n_fill, n_alloc; ++ ++ if (nents <= N_ENTRIES_PER_PAGE) { ++ /* last needed table */ ++ n_fill = nents; ++ n_alloc = nents; ++ nents = 0; ++ } else { ++ /* fill a page with entries */ ++ n_alloc = N_ENTRIES_PER_PAGE; ++ /* reserve one for chaining */ ++ n_fill = n_alloc - 1; ++ nents -= n_fill; ++ } ++ ++ new = kcalloc(n_alloc, sizeof(*new), GFP_KERNEL); ++ if (!new) { ++ if (result) ++ _devcd_free_sgtable(result); + return NULL; + } +- alloc_size = min_t(int, size, PAGE_SIZE); +- size -= PAGE_SIZE; +- sg_set_page(iter, new_page, alloc_size, 0); ++ sg_init_table(new, n_alloc); ++ ++ if (!result) ++ result = new; ++ else ++ sg_chain(prev, n_prev, new); ++ prev = new; ++ n_prev = n_alloc; ++ ++ for_each_sg(new, iter, n_fill, i) { ++ struct page *new_page = alloc_page(GFP_KERNEL); ++ ++ if (!new_page) { ++ _devcd_free_sgtable(result); ++ return NULL; ++ } ++ ++ 
sg_set_page(iter, new_page, PAGE_SIZE, 0); ++ } + } +- return table; ++ ++ return result; + } + + static void iwl_fw_get_prph_len(struct iwl_fw_runtime *fwrt, +-- +2.39.5 + diff --git a/queue-5.15/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch b/queue-5.15/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch new file mode 100644 index 0000000000..50b12c4eeb --- /dev/null +++ b/queue-5.15/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch 
@@ -0,0 +1,69 @@ +From cf15af724a7e5375c2c890858c5b8184d6c4e823 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 03:01:23 +0100 +Subject: x86/dumpstack: Fix inaccurate unwinding from exception stacks due to + misplaced assignment + +From: Jann Horn + +[ Upstream commit 2c118f50d7fd4d9aefc4533a26f83338b2906b7a ] + +Commit: + + 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again") + +was intended to ensure alignment of the stack pointer; but it also moved +the initialization of the "stack" variable down into the loop header. + +This was likely intended as a no-op cleanup, since the commit +message does not mention it; however, this caused a behavioral change +because the value of "regs" is different between the two places. + +Originally, get_stack_pointer() used the regs provided by the caller; after +that commit, get_stack_pointer() instead uses the regs at the top of the +stack frame the unwinder is looking at. Often, there are no such regs at +all, and "regs" is NULL, causing get_stack_pointer() to fall back to the +task's current stack pointer, which is not what we want here, but probably +happens to mostly work. Other times, the original regs will point to +another regs frame - in that case, the linear guess unwind logic in +show_trace_log_lvl() will start unwinding too far up the stack, causing the +first frame found by the proper unwinder to never be visited, resulting in +a stack trace consisting purely of guess lines. + +Fix it by moving the "stack = " assignment back where it belongs. 
+ +Fixes: 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again") +Signed-off-by: Jann Horn +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-2-acd774364768@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/dumpstack.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c +index 92b33c7eaf3f9..8a8660074284f 100644 +--- a/arch/x86/kernel/dumpstack.c ++++ b/arch/x86/kernel/dumpstack.c +@@ -195,6 +195,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs, + printk("%sCall Trace:\n", log_lvl); + + unwind_start(&state, task, regs, stack); ++ stack = stack ?: get_stack_pointer(task, regs); + regs = unwind_get_entry_regs(&state, &partial); + + /* +@@ -213,9 +214,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs, + * - hardirq stack + * - entry stack + */ +- for (stack = stack ?: get_stack_pointer(task, regs); +- stack; +- stack = stack_info.next_sp) { ++ for (; stack; stack = stack_info.next_sp) { + const char *stack_name; + + stack = PTR_ALIGN(stack, sizeof(long)); +-- +2.39.5 + diff --git a/queue-5.15/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch b/queue-5.15/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch new file mode 100644 index 0000000000..f0d14f6078 --- /dev/null +++ b/queue-5.15/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch 
@@ -0,0 +1,55 @@ +From bc8effd53c42f1cde6e0de9096a495fd6a779754 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 03:01:22 +0100 +Subject: x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 + +From: Jann Horn + +[ Upstream commit 57e2428f8df8263275344566e02c277648a4b7f1 ] + +PUSH_REGS with save_ret=1 is used by interrupt entry helper functions that +initially start with a UNWIND_HINT_FUNC ORC state. + +However, save_ret=1 means that we clobber the helper function's return +address (and then later restore the return address further down on the +stack); after that point, the only thing on the stack we can unwind through +is the IRET frame, so use UNWIND_HINT_IRET_REGS until we have a full +pt_regs frame. + +( An alternate approach would be to move the pt_regs->di overwrite down + such that it is the final step of pt_regs setup; but I don't want to + rearrange entry code just to make unwinding a tiny bit more elegant. ) + +Fixes: 9e809d15d6b6 ("x86/entry: Reduce the code footprint of the 'idtentry' macro") +Signed-off-by: Jann Horn +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: Brian Gerst +Cc: Juergen Gross +Cc: H. 
Peter Anvin +Cc: Linus Torvalds +Cc: Kees Cook +Cc: Peter Zijlstra +Cc: Josh Poimboeuf +Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-1-acd774364768@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/entry/calling.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h +index b00a3a95fbfab..16e12b45b151a 100644 +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -70,6 +70,8 @@ For 32-bit we have the following conventions - kernel is built with + pushq %rsi /* pt_regs->si */ + movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */ + movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */ ++ /* We just clobbered the return address - use the IRET frame for unwinding: */ ++ UNWIND_HINT_IRET_REGS offset=3*8 + .else + pushq %rdi /* pt_regs->di */ + pushq %rsi /* pt_regs->si */ +-- +2.39.5 + diff --git a/queue-5.15/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch b/queue-5.15/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch new file mode 100644 index 0000000000..4977728d77 --- /dev/null +++ b/queue-5.15/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch 
@@ -0,0 +1,57 @@ +From e7b54abeb9b57e13dc2db5f72238d97cf5287fca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 14:31:36 +0100 +Subject: x86/fpu: Avoid copying dynamic FP state from init_task in + arch_dup_task_struct() + +From: Benjamin Berg + +[ Upstream commit 5d3b81d4d8520efe888536b6906dc10fd1a228a8 ] + +The init_task instance of struct task_struct is statically allocated and +may not contain the full FP state for userspace. As such, limit the copy +to the valid area of both init_task and 'dst' and ensure all memory is +initialized. + +Note that the FP state is only needed for userspace, and as such it is +entirely reasonable for init_task to not contain parts of it. + +Fixes: 5aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86") +Signed-off-by: Benjamin Berg +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: H. Peter Anvin +Cc: Oleg Nesterov +Link: https://lore.kernel.org/r/20250226133136.816901-1-benjamin@sipsolutions.net +---- + +v2: +- Fix code if arch_task_struct_size < sizeof(init_task) by using + memcpy_and_pad. + +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 720d99520316a..72eb0df1a1a5f 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -83,7 +83,12 @@ EXPORT_PER_CPU_SYMBOL_GPL(__tss_limit_invalid); + */ + int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) + { +- memcpy(dst, src, arch_task_struct_size); ++ /* init_task is not dynamically sized (incomplete FPU state) */ ++ if (unlikely(src == &init_task)) ++ memcpy_and_pad(dst, arch_task_struct_size, src, sizeof(init_task), 0); ++ else ++ memcpy(dst, src, arch_task_struct_size); ++ + #ifdef CONFIG_VM86 + dst->thread.vm86 = NULL; + #endif +-- +2.39.5 + 
diff --git a/queue-5.15/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch b/queue-5.15/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch new file mode 100644 index 0000000000..167a0d5942 --- /dev/null +++ b/queue-5.15/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch @@ -0,0 +1,40 @@ +From 605bf79140e060c0a999213f2420e2c2a459d1e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2025 09:47:25 +0200 +Subject: x86/mm/pat: cpa-test: fix length for CPA_ARRAY test + +From: Mike Rapoport (Microsoft) + +[ Upstream commit 33ea120582a638b2f2e380a50686c2b1d7cce795 ] + +The CPA_ARRAY test always uses len[1] as numpages argument to +change_page_attr_set() although the addresses array is different each +iteration of the test loop. + +Replace len[1] with len[i] to have numpages matching the addresses array. + +Fixes: ecc729f1f471 ("x86/mm/cpa: Add ARRAY and PAGES_ARRAY selftests") +Signed-off-by: "Mike Rapoport (Microsoft)" +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20250126074733.1384926-2-rppt@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pat/cpa-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/mm/pat/cpa-test.c b/arch/x86/mm/pat/cpa-test.c +index 0612a73638a81..7641cff719bd0 100644 +--- a/arch/x86/mm/pat/cpa-test.c ++++ b/arch/x86/mm/pat/cpa-test.c +@@ -183,7 +183,7 @@ static int pageattr_test(void) + break; + + case 1: +- err = change_page_attr_set(addrs, len[1], PAGE_CPA_TEST, 1); ++ err = change_page_attr_set(addrs, len[i], PAGE_CPA_TEST, 1); + break; + + case 2: +-- +2.39.5 + diff --git a/queue-5.15/x86-platform-only-allow-config_eisa-for-32-bit.patch b/queue-5.15/x86-platform-only-allow-config_eisa-for-32-bit.patch new file mode 100644 index 0000000000..cbe9d05f90 --- /dev/null +++ b/queue-5.15/x86-platform-only-allow-config_eisa-for-32-bit.patch 
@@ -0,0 +1,43 @@ +From ae92c5d142785bc073fde5cd55a5fbd7bee36e86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 22:37:14 +0100 +Subject: x86/platform: Only allow CONFIG_EISA for 32-bit + +From: Arnd Bergmann + +[ Upstream commit 976ba8da2f3c2f1e997f4f620da83ae65c0e3728 ] + +The CONFIG_EISA menu was cleaned up in 2018, but this inadvertently +brought the option back on 64-bit machines: ISA remains guarded by +a CONFIG_X86_32 check, but EISA no longer depends on ISA. + +The last Intel machines ith EISA support used a 82375EB PCI/EISA bridge +from 1993 that could be paired with the 440FX chipset on early Pentium-II +CPUs, long before the first x86-64 products. + +Fixes: 6630a8e50105 ("eisa: consolidate EISA Kconfig entry in drivers/eisa") +Signed-off-by: Arnd Bergmann +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250226213714.4040853-11-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 90ac8d84389cf..de6a66ad3fa62 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -194,7 +194,7 @@ config X86 + select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS + select HAVE_EBPF_JIT + select HAVE_EFFICIENT_UNALIGNED_ACCESS +- select HAVE_EISA ++ select HAVE_EISA if X86_32 + select HAVE_EXIT_THREAD + select HAVE_FAST_GUP + select HAVE_FENTRY if X86_64 || DYNAMIC_FTRACE +-- +2.39.5 + diff --git a/queue-5.15/x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch b/queue-5.15/x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch new file mode 100644 index 0000000000..8289f2c56c --- /dev/null +++ b/queue-5.15/x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch 
@@ -0,0 +1,87 @@ +From 1bdd3655df4f92b0949f8bd48ecc9dada3b7f661 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Mar 2025 18:22:16 +0100 +Subject: x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled + +From: Vladis Dronov + +[ Upstream commit 65be5c95d08eedda570a6c888a12384c77fe7614 ] + +The kernel requires X86_FEATURE_SGX_LC to be able to create SGX enclaves, +not just X86_FEATURE_SGX. + +There is quite a number of hardware which has X86_FEATURE_SGX but not +X86_FEATURE_SGX_LC. A kernel running on such hardware does not create +the /dev/sgx_enclave file and does so silently. + +Explicitly warn if X86_FEATURE_SGX_LC is not enabled to properly notify +users that the kernel disabled the SGX driver. + +The X86_FEATURE_SGX_LC, a.k.a. SGX Launch Control, is a CPU feature +that enables LE (Launch Enclave) hash MSRs to be writable (with +additional opt-in required in the 'feature control' MSR) when running +enclaves, i.e. using a custom root key rather than the Intel proprietary +key for enclave signing. + +I've hit this issue myself and have spent some time researching where +my /dev/sgx_enclave file went on SGX-enabled hardware. + +Related links: + + https://github.com/intel/linux-sgx/issues/837 + https://patchwork.kernel.org/project/platform-driver-x86/patch/20180827185507.17087-3-jarkko.sakkinen@linux.intel.com/ + +[ mingo: Made the error message a bit more verbose, and added other cases + where the kernel fails to create the /dev/sgx_enclave device node. 
] + +Signed-off-by: Vladis Dronov +Signed-off-by: Ingo Molnar +Acked-by: Kai Huang +Cc: Jarkko Sakkinen +Cc: Andy Lutomirski +Cc: Sean Christopherson +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250309172215.21777-2-vdronov@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/sgx/driver.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c +index aa9b8b8688676..afccb69cd9a2c 100644 +--- a/arch/x86/kernel/cpu/sgx/driver.c ++++ b/arch/x86/kernel/cpu/sgx/driver.c +@@ -150,13 +150,15 @@ int __init sgx_drv_init(void) + u64 xfrm_mask; + int ret; + +- if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) ++ if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) { ++ pr_info("SGX disabled: SGX launch control CPU feature is not available, /dev/sgx_enclave disabled.\n"); + return -ENODEV; ++ } + + cpuid_count(SGX_CPUID, 0, &eax, &ebx, &ecx, &edx); + + if (!(eax & 1)) { +- pr_err("SGX disabled: SGX1 instruction support not available.\n"); ++ pr_info("SGX disabled: SGX1 instruction support not available, /dev/sgx_enclave disabled.\n"); + return -ENODEV; + } + +@@ -173,8 +175,10 @@ int __init sgx_drv_init(void) + } + + ret = misc_register(&sgx_dev_enclave); +- if (ret) ++ if (ret) { ++ pr_info("SGX disabled: Unable to register the /dev/sgx_enclave driver (%d).\n", ret); + return ret; ++ } + + return 0; + } +-- +2.39.5 +
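Review bot: in the net/ipv4/ip_tunnel_core.c hunk of the tunnels patch, the relaxed test `if (!reply)` changes skb_tunnel_check_pmtu() for every caller that passes reply, yet the commit message justifies it only with "there doesn't seem to be any reason" to ignore PACKET_HOST. A one-line comment above the test stating that PACKET_HOST packets are accepted on purpose would help, since the net/openvswitch/actions.c hunk removes the only comment that explained the pkt_type interaction. The two hunks also depend on each other: applying the do_output() removal without the skb_tunnel_check_pmtu() change would stop the PMTU update for openvswitch packets, so a backport should carry both or neither.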
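Review bot: in the vsock_connect() hunk (net/vmw_vsock/af_vsock.c), the wait loop can now exit on `sk->sk_state != TCP_CLOSING` being false, but the code after the loop is outside the hunk, so the commit message's statement that connect() returns "without errors" in that state cannot be checked from the visible lines. It is worth confirming that the post-loop path reports success when sk_state is TCP_CLOSING and sk_err is 0. The new comment also mentions "an error state", which the old condition `sk->sk_err == 0` already handled; only the closing check is new, and the comment could say so.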
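Review bot: in the watch_queue_set_size() hunk (kernel/watch_queue.c), the added comment has its words transposed: "Set nr_accounted on and max_usage this pipe" should read "Set nr_accounted and max_usage on this pipe". Separately, the two assignments `pipe->max_usage = nr_pages;` and `pipe->nr_accounted = nr_pages;` sit before the `kcalloc()` that can still fail with -ENOMEM; the error label is not in the hunk, so please confirm that leaving both fields updated on that failure path keeps them equal to what was charged through account_pipe_buffers.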
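Review bot: in the alloc_sgtable() hunk (drivers/net/wireless/intel/iwlwifi/fw/dbg.c), every entry is now set with `sg_set_page(iter, new_page, PAGE_SIZE, 0)`, whereas the removed code gave the final entry `min_t(int, size, PAGE_SIZE)`, so the summed scatterlist length is now rounded up to a whole page and can exceed the requested size. The commit message does not mention this; either keep tracking the remaining size for the last entry or state in the function comment that callers must not derive the dump length from the table. Two smaller points in the same hunk: `N_ENTRIES_PER_PAGE` is defined inside the function and never undefined in the visible lines, and `nents` stays an int although `size` became ssize_t.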
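Review bot: in the first show_trace_log_lvl() hunk (arch/x86/kernel/dumpstack.c), the restored line `stack = stack ?: get_stack_pointer(task, regs);` is only correct because it runs before `regs = unwind_get_entry_regs(&state, &partial);` reassigns regs, and nothing in the code says so. The commit message explains that the bug came from a cleanup that moved this assignment into the loop header; a short comment such as "must use the caller's regs, before regs is overwritten below" would stop the same cleanup from being repeated.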
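Review bot: in the PUSH_REGS hunk (arch/x86/entry/calling.h), the value in `UNWIND_HINT_IRET_REGS offset=3*8` is not explained. The visible lines account for two words below the IRET frame (the pushed %rsi and the slot now holding %rdi), so the third word comes from context that is outside the hunk. Naming the three slots in the added comment would let a reader verify the offset without reconstructing the stack layout at every save_ret=1 call site.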
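Review bot: in the arch_dup_task_struct() hunk (arch/x86/kernel/process.c), the new comment says only that init_task is not dynamically sized; it does not say that the final `0` argument of `memcpy_and_pad(dst, arch_task_struct_size, src, sizeof(init_task), 0)` zero-fills the rest of dst, which is the "ensure all memory is initialized" property the commit message relies on. Extending the comment to cover that, and the arch_task_struct_size < sizeof(init_task) case noted under "v2:", would document why plain memcpy() is not enough. The "v2:" changelog itself sits after a four-dash "----" line and so ended up inside the commit message; it would normally go below the "---" separator.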
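Review bot: in the first sgx_drv_init() hunk (arch/x86/kernel/cpu/sgx/driver.c), the existing SGX1 message is downgraded from pr_err() to pr_info(), and the new launch-control message is also pr_info(), although the subject says "Warn explicitly". The commit message does not explain the severity change. If the intent is that a missing /dev/sgx_enclave should be noticeable to users, pr_warn() would match the subject better; if pr_info() is deliberate, the changelog should say why the pr_err() was lowered, since log filters that match on level will no longer see it.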