From: Sasha Levin
Date: Mon, 13 Jan 2025 14:02:57 +0000 (-0500)
Subject: Fixes for 6.1
X-Git-Tag: v6.1.125~17
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f4fe8567dd7e4155467cf3d515a82f9c7d47b316;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 6.1
Signed-off-by: Sasha Levin
---
diff --git a/queue-6.1/arm-dts-imxrt1050-fix-clocks-for-mmc.patch b/queue-6.1/arm-dts-imxrt1050-fix-clocks-for-mmc.patch
new file mode 100644
index 00000000000..baf1aac6bf6
--- /dev/null
+++ b/queue-6.1/arm-dts-imxrt1050-fix-clocks-for-mmc.patch
@@ -0,0 +1,36 @@
+From 4bdf80e5670ecc5cddf0b81d1831bf822f50d855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Nov 2024 10:36:41 -0500
+Subject: ARM: dts: imxrt1050: Fix clocks for mmc
+
+From: Jesse Taube
+
+[ Upstream commit 5f122030061db3e5d2bddd9cf5c583deaa6c54ff ]
+
+One of the usdhc1 controller's clocks should be IMXRT1050_CLK_AHB_PODF not
+IMXRT1050_CLK_OSC.
+
+Fixes: 1c4f01be3490 ("ARM: dts: imx: Add i.MXRT1050-EVK support")
+Signed-off-by: Jesse Taube
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imxrt1050.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imxrt1050.dtsi b/arch/arm/boot/dts/imxrt1050.dtsi
+index 03e6a858a7be..a25eae9bd38a 100644
+--- a/arch/arm/boot/dts/imxrt1050.dtsi
++++ b/arch/arm/boot/dts/imxrt1050.dtsi
+@@ -87,7 +87,7 @@
+ reg = <0x402c0000 0x4000>;
+ interrupts = <110>;
+ clocks = <&clks IMXRT1050_CLK_IPG_PDOF>,
+- <&clks IMXRT1050_CLK_OSC>,
++ <&clks IMXRT1050_CLK_AHB_PODF>,
+ <&clks IMXRT1050_CLK_USDHC1>;
+ clock-names = "ipg", "ahb", "per";
+ bus-width = <4>;
+--
+2.39.5
+
diff --git a/queue-6.1/arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch b/queue-6.1/arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch
new file mode 100644
index 00000000000..f90b5e2e059
--- /dev/null
+++ b/queue-6.1/arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch
@@ -0,0 +1,76 @@
+From 061662609136677ca974d5a2ee93917b2d827872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 14 Dec 2024 22:43:39 +0000
+Subject: arm64: dts: rockchip: add hevc power domain clock to rk3328
+
+From: Peter Geis
+
+[ Upstream commit 3699f2c43ea9984e00d70463f8c29baaf260ea97 ]
+
+There is a race condition at startup between disabling power domains not
+used and disabling clocks not used on the rk3328. When the clocks are
+disabled first, the hevc power domain fails to shut off leading to a
+splat of failures. Add the hevc core clock to the rk3328 power domain
+node to prevent this condition.
+
+rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 3-.... }
+1087 jiffies s: 89 root: 0x8/.
+rcu: blocking rcu_node structures (internal RCU debug):
+Sending NMI from CPU 0 to CPUs 3:
+NMI backtrace for cpu 3
+CPU: 3 UID: 0 PID: 86 Comm: kworker/3:3 Not tainted 6.12.0-rc5+ #53
+Hardware name: Firefly ROC-RK3328-CC (DT)
+Workqueue: pm genpd_power_off_work_fn
+pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : regmap_unlock_spinlock+0x18/0x30
+lr : regmap_read+0x60/0x88
+sp : ffff800081123c00
+x29: ffff800081123c00 x28: ffff2fa4c62cad80 x27: 0000000000000000
+x26: ffffd74e6e660eb8 x25: ffff2fa4c62cae00 x24: 0000000000000040
+x23: ffffd74e6d2f3ab8 x22: 0000000000000001 x21: ffff800081123c74
+x20: 0000000000000000 x19: ffff2fa4c0412000 x18: 0000000000000000
+x17: 77202c31203d2065 x16: 6c6469203a72656c x15: 6c6f72746e6f632d
+x14: 7265776f703a6e6f x13: 2063766568206e69 x12: 616d6f64202c3431
+x11: 347830206f742030 x10: 3430303034783020 x9 : ffffd74e6c7369e0
+x8 : 3030316666206e69 x7 : 205d383738353733 x6 : 332e31202020205b
+x5 : ffffd74e6c73fc88 x4 : ffffd74e6c73fcd4 x3 : ffffd74e6c740b40
+x2 : ffff800080015484 x1 : 0000000000000000 x0 : ffff2fa4c0412000
+Call trace:
+regmap_unlock_spinlock+0x18/0x30
+rockchip_pmu_set_idle_request+0xac/0x2c0
+rockchip_pd_power+0x144/0x5f8
+rockchip_pd_power_off+0x1c/0x30
+_genpd_power_off+0x9c/0x180
+genpd_power_off.part.0.isra.0+0x130/0x2a8
+genpd_power_off_work_fn+0x6c/0x98
+process_one_work+0x170/0x3f0
+worker_thread+0x290/0x4a8
+kthread+0xec/0xf8
+ret_from_fork+0x10/0x20
+rockchip-pm-domain ff100000.syscon:power-controller: failed to get ack on domain 'hevc', val=0x88220
+
+Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs")
+Signed-off-by: Peter Geis
+Reviewed-by: Dragan Simic
+Link: https://lore.kernel.org/r/20241214224339.24674-1-pgwipeout@gmail.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+index 75ea512e9724..ce7c1d3c345e 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+@@ -302,6 +302,7 @@
+
+ power-domain@RK3328_PD_HEVC {
+ reg = ;
++ clocks = <&cru SCLK_VENC_CORE>;
+ #power-domain-cells = <0>;
+ };
+ power-domain@RK3328_PD_VIDEO {
+--
+2.39.5
+
diff --git a/queue-6.1/block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch b/queue-6.1/block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch
new file mode 100644
index 00000000000..13c6092ea57
--- /dev/null
+++ b/queue-6.1/block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch
@@ -0,0 +1,199 @@
+From 47730ac695f22168991ea7777f90b8f332be2781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Jan 2025 16:41:48 +0800
+Subject: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
+
+From: Yu Kuai
+
+[ Upstream commit fcede1f0a043ccefe9bc6ad57f12718e42f63f1d ]
+
+Our syzkaller report a following UAF for v6.6:
+
+BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
+Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726
+
+CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
+ print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
+ print_report+0x3e/0x70 mm/kasan/report.c:475
+ kasan_report+0xb8/0xf0 mm/kasan/report.c:588
+ hlist_add_head include/linux/list.h:1023 [inline]
+ bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
+ bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
+ bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
+ blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
+ blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
+ __submit_bio+0xa0/0x6b0 block/blk-core.c:639
+ __submit_bio_noacct_mq block/blk-core.c:718 [inline]
+ submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
+ submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
+ __ext4_read_bh fs/ext4/super.c:205 [inline]
+ ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
+ __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
+ ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
+ ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
+ ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
+ ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
+ iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
+ iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
+ ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
+ ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
+ do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
+ __do_sys_ioctl fs/ioctl.c:869 [inline]
+ __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+Allocated by task 232719:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:188 [inline]
+ slab_post_alloc_hook mm/slab.h:768 [inline]
+ slab_alloc_node mm/slub.c:3492 [inline]
+ kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
+ bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
+ bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
+ bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
+ bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
+ bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
+ blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
+ blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
+ __submit_bio+0xa0/0x6b0 block/blk-core.c:639
+ __submit_bio_noacct_mq block/blk-core.c:718 [inline]
+ submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
+ submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
+ __ext4_read_bh fs/ext4/super.c:205 [inline]
+ ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217
+ ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242
+ ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958
+ __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671
+ ext4_lookup_entry fs/ext4/namei.c:1774 [inline]
+ ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842
+ ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839
+ __lookup_slow+0x257/0x480 fs/namei.c:1696
+ lookup_slow fs/namei.c:1713 [inline]
+ walk_component+0x454/0x5c0 fs/namei.c:2004
+ link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331
+ link_path_walk fs/namei.c:3826 [inline]
+ path_openat+0x1b9/0x520 fs/namei.c:3826
+ do_filp_open+0x1b7/0x400 fs/namei.c:3857
+ do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428
+ do_sys_open fs/open.c:1443 [inline]
+ __do_sys_openat fs/open.c:1459 [inline]
+ __se_sys_openat fs/open.c:1454 [inline]
+ __x64_sys_openat+0x148/0x200 fs/open.c:1454
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+Freed by task 232726:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:164 [inline]
+ slab_free_hook mm/slub.c:1827 [inline]
+ slab_free_freelist_hook mm/slub.c:1853 [inline]
+ slab_free mm/slub.c:3820 [inline]
+ kmem_cache_free+0x110/0x760 mm/slub.c:3842
+ bfq_put_queue+0x6a7/0xfb0 block/bfq-iosched.c:5428
+ bfq_forget_entity block/bfq-wf2q.c:634 [inline]
+ bfq_put_idle_entity+0x142/0x240 block/bfq-wf2q.c:645
+ bfq_forget_idle+0x189/0x1e0 block/bfq-wf2q.c:671
+ bfq_update_vtime block/bfq-wf2q.c:1280 [inline]
+ __bfq_lookup_next_entity block/bfq-wf2q.c:1374 [inline]
+ bfq_lookup_next_entity+0x350/0x480 block/bfq-wf2q.c:1433
+ bfq_update_next_in_service+0x1c0/0x4f0 block/bfq-wf2q.c:128
+ bfq_deactivate_entity+0x10a/0x240 block/bfq-wf2q.c:1188
+ bfq_deactivate_bfqq block/bfq-wf2q.c:1592 [inline]
+ bfq_del_bfqq_busy+0x2e8/0xad0 block/bfq-wf2q.c:1659
+ bfq_release_process_ref+0x1cc/0x220 block/bfq-iosched.c:3139
+ bfq_split_bfqq+0x481/0xdf0 block/bfq-iosched.c:6754
+ bfq_init_rq+0xf29/0x17a0 block/bfq-iosched.c:6934
+ bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
+ bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
+ blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
+ blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
+ __submit_bio+0xa0/0x6b0 block/blk-core.c:639
+ __submit_bio_noacct_mq block/blk-core.c:718 [inline]
+ submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
+ submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
+ __ext4_read_bh fs/ext4/super.c:205 [inline]
+ ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
+ __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
+ ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
+ ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
+ ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
+ ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
+ iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
+ iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
+ ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
+ ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
+ do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
+ __do_sys_ioctl fs/ioctl.c:869 [inline]
+ __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+commit 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after
+splitting") fix the problem that if waker_bfqq is in the merge chain,
+and current is the only procress, waker_bfqq can be freed from
+bfq_split_bfqq(). However, the case that waker_bfqq is not in the merge
+chain is missed, and if the procress reference of waker_bfqq is 0,
+waker_bfqq can be freed as well.
+
+Fix the problem by checking procress reference if waker_bfqq is not in
+the merge_chain.
+
+Fixes: 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after splitting")
+Signed-off-by: Hou Tao
+Signed-off-by: Yu Kuai
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250108084148.1549973-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/bfq-iosched.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 8e797782cfe3..f75945764653 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6733,16 +6733,24 @@ static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq)
+ if (new_bfqq == waker_bfqq) {
+ /*
+ * If waker_bfqq is in the merge chain, and current
+- * is the only procress.
++ * is the only process, waker_bfqq can be freed.
+ */
+ if (bfqq_process_refs(waker_bfqq) == 1)
+ return NULL;
+- break;
++
++ return waker_bfqq;
+ }
+
+ new_bfqq = new_bfqq->new_bfqq;
+ }
+
++ /*
++ * If waker_bfqq is not in the merge chain, and it's procress reference
++ * is 0, waker_bfqq can be freed.
++ */
++ if (bfqq_process_refs(waker_bfqq) == 0)
++ return NULL;
++
+ return waker_bfqq;
+ }
+
+--
+2.39.5
+
diff --git a/queue-6.1/drm-adv7511-fix-use-after-free-in-adv7533_attach_dsi.patch b/queue-6.1/drm-adv7511-fix-use-after-free-in-adv7533_attach_dsi.patch
new file mode 100644
index 00000000000..17f443e2ca9
--- /dev/null
+++ b/queue-6.1/drm-adv7511-fix-use-after-free-in-adv7533_attach_dsi.patch
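Review bot: Both checks in bfq_waker_bfqq() read bfqq_process_refs(waker_bfqq) once and then return the raw pointer without taking a reference, so the result is only safe while nothing can drop the last process reference between the check and the caller's use. The locking that guarantees this is not visible in the hunk, and the function has no comment stating it; a short function comment saying that NULL means "do not restore the waker after the split" and naming the lock the caller must hold would make the contract reviewable. The comment added after the loop also repeats the typo the hunk corrects a few lines earlier and should read `* If waker_bfqq is not in the merge chain, and its process reference`. The start of bfq_waker_bfqq() lies outside the hunk.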
@@ -0,0 +1,80 @@
+From 74ea10900172e223bfa2da6258d4a07890401fbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Nov 2024 19:20:29 +0000
+Subject: drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Biju Das
+
+[ Upstream commit 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 ]
+
+The host_node pointer was assigned and freed in adv7533_parse_dt(), and
+later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue
+by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()
+in error path of probe() and also in the remove().
+
+Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
+Cc: stable@vger.kernel.org
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Biju Das
+Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.das.jz@bp.renesas.com
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 10 ++++++++--
+ drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 --
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+index cb6923eed7ca..3e6fe8604959 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -1224,8 +1224,10 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id)
+ return ret;
+
+ ret = adv7511_init_regulators(adv7511);
+- if (ret)
+- return dev_err_probe(dev, ret, "failed to init regulators\n");
++ if (ret) {
++ dev_err_probe(dev, ret, "failed to init regulators\n");
++ goto err_of_node_put;
++ }
+
+ /*
+ * The power down GPIO is optional. If present, toggle it from active to
+@@ -1345,6 +1347,8 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id)
+ i2c_unregister_device(adv7511->i2c_edid);
+ uninit_regulators:
+ adv7511_uninit_regulators(adv7511);
++err_of_node_put:
++ of_node_put(adv7511->host_node);
+
+ return ret;
+ }
+@@ -1353,6 +1357,8 @@ static void adv7511_remove(struct i2c_client *i2c)
+ {
+ struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
+
++ of_node_put(adv7511->host_node);
++
+ adv7511_uninit_regulators(adv7511);
+
+ drm_bridge_remove(&adv7511->bridge);
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
+index 3a79297ca980..6a4733c70827 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
+@@ -184,8 +184,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv)
+ if (!adv->host_node)
+ return -ENODEV;
+
+- of_node_put(adv->host_node);
+-
+ adv->use_timing_gen = !of_property_read_bool(np,
+ "adi,disable-timing-generator");
+
+--
+2.39.5
+
diff --git a/queue-6.1/drm-bridge-adv7511-use-dev_err_probe-in-probe-functi.patch b/queue-6.1/drm-bridge-adv7511-use-dev_err_probe-in-probe-functi.patch
new file mode 100644
index 00000000000..16cc43c8d44
--- /dev/null
+++ b/queue-6.1/drm-bridge-adv7511-use-dev_err_probe-in-probe-functi.patch
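Review bot: Nothing in adv7533_parse_dt() now records that the reference on `adv->host_node` is kept after the function returns; with the `of_node_put()` removed there, ownership moves silently to the `err_of_node_put` label in adv7511_probe() and to adv7511_remove(). A comment next to the `host_node` check, such as `/* reference is held until the probe error path or remove() drops it */`, would keep a later cleanup from re-adding the early put and bringing the use-after-free back. The `return ret;` shown as context just above `adv7511_init_regulators()` still bypasses `err_of_node_put`; whether a reference can already be held at that point cannot be told from the hunk, because the code before it is outside the visible lines.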
@@ -0,0 +1,93 @@
+From 4aa522cdb924624b11aba4bb93dbf733e62b0572 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Oct 2022 14:52:46 +0200
+Subject: drm: bridge: adv7511: use dev_err_probe in probe function
+
+From: Ahmad Fatoum
+
+[ Upstream commit 2a865248399a13bb2b2bcc50297069a7521de258 ]
+
+adv7511 probe may need to be attempted multiple times before no
+-EPROBE_DEFER is returned. Currently, every such probe results in
+an error message:
+
+[ 4.534229] adv7511 1-003d: failed to find dsi host
+[ 4.580288] adv7511 1-003d: failed to find dsi host
+
+This is misleading, as there is no error and probe deferral is normal
+behavior. Fix this by using dev_err_probe that will suppress
+-EPROBE_DEFER errors. While at it, we touch all dev_err in the probe
+path. This makes the code more concise and included the error code
+everywhere to aid user in debugging.
+
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Ahmad Fatoum
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20221026125246.3188260-1-a.fatoum@pengutronix.de
+Stable-dep-of: 81adbd3ff21c ("drm: adv7511: Fix use-after-free in adv7533_attach_dsi()")
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 6 ++----
+ drivers/gpu/drm/bridge/adv7511/adv7533.c | 20 ++++++++------------
+ 2 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+index 9f9874acfb2b..cb6923eed7ca 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -1224,10 +1224,8 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id)
+ return ret;
+
+ ret = adv7511_init_regulators(adv7511);
+- if (ret) {
+- dev_err(dev, "failed to init regulators\n");
+- return ret;
+- }
++ if (ret)
++ return dev_err_probe(dev, ret, "failed to init regulators\n");
+
+ /*
+ * The power down GPIO is optional. If present, toggle it from active to
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
+index 145b43f5e427..3a79297ca980 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
+@@ -146,16 +146,14 @@ int adv7533_attach_dsi(struct adv7511 *adv)
+ };
+
+ host = of_find_mipi_dsi_host_by_node(adv->host_node);
+- if (!host) {
+- dev_err(dev, "failed to find dsi host\n");
+- return -EPROBE_DEFER;
+- }
++ if (!host)
++ return dev_err_probe(dev, -EPROBE_DEFER,
++ "failed to find dsi host\n");
+
+ dsi = devm_mipi_dsi_device_register_full(dev, host, &info);
+- if (IS_ERR(dsi)) {
+- dev_err(dev, "failed to create dsi device\n");
+- return PTR_ERR(dsi);
+- }
++ if (IS_ERR(dsi))
++ return dev_err_probe(dev, PTR_ERR(dsi),
++ "failed to create dsi device\n");
+
+ adv->dsi = dsi;
+
+@@ -165,10 +163,8 @@ int adv7533_attach_dsi(struct adv7511 *adv)
+ MIPI_DSI_MODE_NO_EOT_PACKET | MIPI_DSI_MODE_VIDEO_HSE;
+
+ ret = devm_mipi_dsi_attach(dev, dsi);
+- if (ret < 0) {
+- dev_err(dev, "failed to attach dsi to host\n");
+- return ret;
+- }
++ if (ret < 0)
++ return dev_err_probe(dev, ret, "failed to attach dsi to host\n");
+
+ return 0;
+ }
+--
+2.39.5
+
diff --git a/queue-6.1/ocfs2-correct-return-value-of-ocfs2_local_free_info.patch b/queue-6.1/ocfs2-correct-return-value-of-ocfs2_local_free_info.patch
new file mode 100644
index 00000000000..f4d18a36d7a
--- /dev/null
+++ b/queue-6.1/ocfs2-correct-return-value-of-ocfs2_local_free_info.patch
@@ -0,0 +1,66 @@
+From e28eb6a3f00f3da98c20587d3e0eb6cff846241d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 May 2023 21:20:32 +0800
+Subject: ocfs2: correct return value of ocfs2_local_free_info()
+
+From: Joseph Qi
+
+[ Upstream commit d32840ad4a111c6abd651fbf6b5996e6123913da ]
+
+Now in ocfs2_local_free_info(), it returns 0 even if it actually fails.
+Though it doesn't cause any real problem since the only caller
+dquot_disable() ignores the return value, we'd better return correct as it
+is.
+
+Link: https://lkml.kernel.org/r/20230528132033.217664-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Joseph Qi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Signed-off-by: Andrew Morton
+Stable-dep-of: 5f3fd772d152 ("ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv")
+Signed-off-by: Sasha Levin
+---
+ fs/ocfs2/quota_local.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
+index 404ca3a62508..257f13cdd14c 100644
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -815,7 +815,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
+ struct ocfs2_quota_chunk *chunk;
+ struct ocfs2_local_disk_chunk *dchunk;
+ int mark_clean = 1, len;
+- int status;
++ int status = 0;
+
+ iput(oinfo->dqi_gqinode);
+ ocfs2_simple_drop_lockres(OCFS2_SB(sb), &oinfo->dqi_gqlock);
+@@ -857,17 +857,14 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
+ oinfo->dqi_libh,
+ olq_update_info,
+ info);
+- if (status < 0) {
++ if (status < 0)
+ mlog_errno(status);
+- goto out;
+- }
+-
+ out:
+ ocfs2_inode_unlock(sb_dqopt(sb)->files[type], 1);
+ brelse(oinfo->dqi_libh);
+ brelse(oinfo->dqi_lqi_bh);
+ kfree(oinfo);
+- return 0;
++ return status;
+ }
+
+ static void olq_set_dquot(struct buffer_head *bh, void *private)
+--
+2.39.5
+
diff --git a/queue-6.1/ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch b/queue-6.1/ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch
new file mode 100644
index 00000000000..67bcac1f330
--- /dev/null
+++ b/queue-6.1/ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch
@@ -0,0 +1,73 @@
+From 1774ed65bcf54806d527fe5fcaba459a72e73595 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Dec 2024 21:39:25 -0500
+Subject: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
+
+From: Dennis Lam
+
+[ Upstream commit 5f3fd772d152229d94602bca243fbb658068a597 ]
+
+When mounting ocfs2 and then remounting it as read-only, a
+slab-use-after-free occurs after the user uses a syscall to
+quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
+dangling pointer.
+
+During the remounting process, the pointer dqi_priv is freed but is never
+set as null leaving it to be accessed. Additionally, the read-only option
+for remounting sets the DQUOT_SUSPENDED flag instead of setting the
+DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
+next quota, the function ocfs2_get_next_id is called and only checks the
+quota usage flags and not the quota suspended flags.
+
+To fix this, I set dqi_priv to null when it is freed after remounting with
+read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
+
+[akpm@linux-foundation.org: coding-style cleanups]
+Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com
+Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas")
+Signed-off-by: Dennis Lam
+Reported-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com
+Tested-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ fs/ocfs2/quota_global.c | 2 +-
+ fs/ocfs2/quota_local.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
+index dc9f76ab7e13..0dffd6a44d39 100644
+--- a/fs/ocfs2/quota_global.c
++++ b/fs/ocfs2/quota_global.c
+@@ -881,7 +881,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
+ int status = 0;
+
+ trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
+- if (!sb_has_quota_loaded(sb, type)) {
++ if (!sb_has_quota_active(sb, type)) {
+ status = -ESRCH;
+ goto out;
+ }
+diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
+index 257f13cdd14c..4b4fa58cd32f 100644
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -864,6 +864,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
+ brelse(oinfo->dqi_libh);
+ brelse(oinfo->dqi_lqi_bh);
+ kfree(oinfo);
++ info->dqi_priv = NULL;
+ return status;
+ }
+
+--
+2.39.5
+
diff --git a/queue-6.1/of-address-add-support-for-3-address-cell-bus.patch b/queue-6.1/of-address-add-support-for-3-address-cell-bus.patch
new file mode 100644
index 00000000000..f1405d056b6
--- /dev/null
+++ b/queue-6.1/of-address-add-support-for-3-address-cell-bus.patch
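Review bot: Clearing `info->dqi_priv` after `kfree(oinfo)` in ocfs2_local_free_info() turns a later stale access into a NULL dereference instead of a use-after-free, so every reader of `dqi_priv` has to be gated on quota state. The patch gates only ocfs2_get_next_id(), by switching it to `sb_has_quota_active()`; other readers are not visible here and should be checked for the same guard. A short comment on the new store, for example `/* oinfo is freed above; do not leave a dangling pointer in dqi_priv */`, would record why the line exists. Both functions begin outside their hunks.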
@@ -0,0 +1,189 @@
+From 0e1d96d0372d8191df1746aa0b003f0d4de5a456 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 15:15:58 -0500
+Subject: of/address: Add support for 3 address cell bus
+
+From: Rob Herring
+
+[ Upstream commit 3d5089c4263d3594dc055e0f9c5cb990505cdd64 ]
+
+There's a few custom bus bindings (e.g. fsl,qoriq-mc) which use a
+3 cell format with custom flags in the high cell. We can match these
+buses as a fallback if we didn't match on PCI bus which is the only
+standard bus binding with 3 address cells.
+
+Link: https://lore.kernel.org/r/20230328-dt-address-helpers-v1-3-e2456c3e77ab@kernel.org
+Signed-off-by: Rob Herring
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin
+---
+ drivers/of/address.c | 22 ++++++++
+ drivers/of/unittest-data/tests-address.dtsi | 9 +++-
+ drivers/of/unittest.c | 58 ++++++++++++++++++++-
+ 3 files changed, 87 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 18498619177c..b6245b493249 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -95,11 +95,17 @@ static int of_bus_default_translate(__be32 *addr, u64 offset, int na)
+ return 0;
+ }
+
++static unsigned int of_bus_default_flags_get_flags(const __be32 *addr)
++{
++ return of_read_number(addr, 1);
++}
++
+ static unsigned int of_bus_default_get_flags(const __be32 *addr)
+ {
+ return IORESOURCE_MEM;
+ }
+
++
+ #ifdef CONFIG_PCI
+ static unsigned int of_bus_pci_get_flags(const __be32 *addr)
+ {
+@@ -319,6 +325,11 @@ static unsigned int of_bus_isa_get_flags(const __be32 *addr)
+ return flags;
+ }
+
++static int of_bus_default_flags_match(struct device_node *np)
++{
++ return of_bus_n_addr_cells(np) == 3;
++}
++
+ /*
+ * Array of bus specific translators
+ */
+@@ -348,6 +359,17 @@ static struct of_bus of_busses[] = {
+ .has_flags = true,
+ .get_flags = of_bus_isa_get_flags,
+ },
++ /* Default with flags cell */
++ {
++ .name = "default-flags",
++ .addresses = "reg",
++ .match = of_bus_default_flags_match,
++ .count_cells = of_bus_default_count_cells,
++ .map = of_bus_default_map,
++ .translate = of_bus_default_translate,
++ .has_flags = true,
++ .get_flags = of_bus_default_flags_get_flags,
++ },
+ /* Default */
+ {
+ .name = "default",
+diff --git a/drivers/of/unittest-data/tests-address.dtsi b/drivers/of/unittest-data/tests-address.dtsi
+index 6604a52bf6cb..bc0029cbf8ea 100644
+--- a/drivers/of/unittest-data/tests-address.dtsi
++++ b/drivers/of/unittest-data/tests-address.dtsi
+@@ -14,7 +14,7 @@
+ #size-cells = <1>;
+ /* ranges here is to make sure we don't use it for
+ * dma-ranges translation */
+- ranges = <0x70000000 0x70000000 0x40000000>,
++ ranges = <0x70000000 0x70000000 0x50000000>,
+ <0x00000000 0xd0000000 0x20000000>;
+ dma-ranges = <0x0 0x20000000 0x40000000>;
+
+@@ -43,6 +43,13 @@
+ <0x42000000 0x0 0xc0000000 0x20000000 0x0 0x10000000>;
+ };
+
++ bus@a0000000 {
++ #address-cells = <3>;
++ #size-cells = <2>;
++ ranges = <0xf00baa 0x0 0x0 0xa0000000 0x0 0x100000>,
++ <0xf00bee 0x1 0x0 0xb0000000 0x0 0x200000>;
++ };
++
+ };
+ };
+ };
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index cd321f5b9d3c..598e0891533f 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1045,7 +1045,7 @@ static void __init of_unittest_bus_ranges(void)
+ "for_each_of_range wrong flags on node %pOF flags=%x (expected %x)\n",
+ np, range.flags, IORESOURCE_MEM);
+ if (!i) {
+- unittest(range.size == 0x40000000,
++ unittest(range.size == 0x50000000,
+ "for_each_of_range wrong size on node %pOF size=%llx\n",
+ np, range.size);
+ unittest(range.cpu_addr == 0x70000000,
+@@ -1071,6 +1071,61 @@ static void __init of_unittest_bus_ranges(void)
+ of_node_put(np);
+ }
+
++static void __init of_unittest_bus_3cell_ranges(void)
++{
++ struct device_node *np;
++ struct of_range range;
++ struct of_range_parser parser;
++ int i = 0;
++
++ np = of_find_node_by_path("/testcase-data/address-tests/bus@a0000000");
++ if (!np) {
++ pr_err("missing testcase data\n");
++ return;
++ }
++
++ if (of_range_parser_init(&parser, np)) {
++ pr_err("missing ranges property\n");
++ return;
++ }
++
++ /*
++ * Get the "ranges" from the device tree
++ */
++ for_each_of_range(&parser, &range) {
++ if (!i) {
++ unittest(range.flags == 0xf00baa,
++ "for_each_of_range wrong flags on node %pOF flags=%x\n",
++ np, range.flags);
++ unittest(range.size == 0x100000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0xa0000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x0,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ } else {
++ unittest(range.flags == 0xf00bee,
++ "for_each_of_range wrong flags on node %pOF flags=%x\n",
++ np, range.flags);
++ unittest(range.size == 0x200000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0xb0000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x100000000,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ }
++ i++;
++ }
++
++ of_node_put(np);
++}
++
+ static void __init of_unittest_parse_interrupts(void)
+ {
+ struct device_node *np;
+@@ -3574,6 +3629,7 @@ static int __init of_unittest(void)
+ of_unittest_parse_dma_ranges();
+ of_unittest_pci_dma_ranges();
+ of_unittest_bus_ranges();
++ of_unittest_bus_3cell_ranges();
+ of_unittest_match_node();
+ of_unittest_platform_populate();
+ of_unittest_overlay();
+--
+2.39.5
+
diff --git a/queue-6.1/of-address-fix-address-translation-when-address-size.patch b/queue-6.1/of-address-fix-address-translation-when-address-size.patch
new file mode 100644
index 00000000000..07218843777
--- /dev/null
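Review bot: of_unittest_bus_3cell_ranges() returns from the `of_range_parser_init()` failure branch without dropping the node reference obtained from `of_find_node_by_path()`, although the normal path ends with `of_node_put(np);`; add `of_node_put(np);` before that `return;`. The two bus-address checks compare `range.bus_addr` but pass `range.pci_addr` to the message, and the CPU/bus address format strings lack the trailing `\n` that the flags and size messages carry. Passing `range.bus_addr` and ending those strings with `\n` would keep the failure output consistent with what is being tested.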
+++ b/queue-6.1/of-address-fix-address-translation-when-address-size.patch 
@@ -0,0 +1,129 @@
+From 612172ac580f8a3292441c4981ce59b3b8710822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Oct 2023 13:02:16 +0200
+Subject: of: address: Fix address translation when address-size is greater
+ than 2
+
+From: Herve Codina
+
+[ Upstream commit 42604f8eb7ba04b589375049cc76282dad4677d2 ]
+
+With the recent addition of of_pci_prop_ranges() in commit 407d1a51921e
+("PCI: Create device tree node for bridge"), the ranges property can
+have a 3 cells child address, a 3 cells parent address and a 2 cells
+child size.
+
+A range item property for a PCI device is filled as follow:
+ 0 0
+ <-- Child --> <-- Parent (PCI definition) --> <- BAR size (64bit) -->
+
+This allow to translate BAR addresses from the DT. For instance:
+pci@0,0 {
+ #address-cells = <0x03>;
+ #size-cells = <0x02>;
+ device_type = "pci";
+ compatible = "pci11ab,100", "pciclass,060400", "pciclass,0604";
+ ranges = <0x82000000 0x00 0xe8000000
+ 0x82000000 0x00 0xe8000000
+ 0x00 0x4400000>;
+ ...
+ dev@0,0 {
+ #address-cells = <0x03>;
+ #size-cells = <0x02>;
+ compatible = "pci1055,9660", "pciclass,020000", "pciclass,0200";
+ /* Translations for BAR0 to BAR5 */
+ ranges = <0x00 0x00 0x00 0x82010000 0x00 0xe8000000 0x00 0x2000000
+ 0x01 0x00 0x00 0x82010000 0x00 0xea000000 0x00 0x1000000
+ 0x02 0x00 0x00 0x82010000 0x00 0xeb000000 0x00 0x800000
+ 0x03 0x00 0x00 0x82010000 0x00 0xeb800000 0x00 0x800000
+ 0x04 0x00 0x00 0x82010000 0x00 0xec000000 0x00 0x20000
+ 0x05 0x00 0x00 0x82010000 0x00 0xec020000 0x00 0x2000>;
+ ...
+ pci-ep-bus@0 {
+ #address-cells = <0x01>;
+ #size-cells = <0x01>;
+ compatible = "simple-bus";
+ /* Translate 0xe2000000 to BAR0 and 0xe0000000 to BAR1 */
+ ranges = <0xe2000000 0x00 0x00 0x00 0x2000000
+ 0xe0000000 0x01 0x00 0x00 0x1000000>;
+ ...
+ };
+ };
+};
+
+During the translation process, the "default-flags" map() function is
+used to select the matching item in the ranges table and determine the
+address offset from this matching item.
+This map() function simply calls of_read_number() and when address-size
+is greater than 2, the map() function skips the extra high address part
+(ie part over 64bit). This lead to a wrong matching item and a wrong
+offset computation.
+Also during the translation itself, the extra high part related to the
+parent address is not present in the translated address.
+
+Fix the "default-flags" map() and translate() in order to take into
+account the child extra high address part in map() and the parent extra
+high address part in translate() and so having a correct address
+translation for ranges patterns such as the one given in the example
+above.
+
+Signed-off-by: Herve Codina
+Link: https://lore.kernel.org/r/20231017110221.189299-2-herve.codina@bootlin.com
+Signed-off-by: Rob Herring
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin
+---
+ drivers/of/address.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index b6245b493249..4f7f4f519e80 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -105,6 +105,32 @@ static unsigned int of_bus_default_get_flags(const __be32 *addr)
+ return IORESOURCE_MEM;
+ }
+
++static u64 of_bus_default_flags_map(__be32 *addr, const __be32 *range, int na,
++ int ns, int pna)
++{
++ u64 cp, s, da;
++
++ /* Check that flags match */
++ if (*addr != *range)
++ return OF_BAD_ADDR;
++
++ /* Read address values, skipping high cell */
++ cp = of_read_number(range + 1, na - 1);
++ s = of_read_number(range + na + pna, ns);
++ da = of_read_number(addr + 1, na - 1);
++
++ pr_debug("default flags map, cp=%llx, s=%llx, da=%llx\n", cp, s, da);
++
++ if (da < cp || da >= (cp + s))
++ return OF_BAD_ADDR;
++ return da - cp;
++}
++
++static int of_bus_default_flags_translate(__be32 *addr, u64 offset, int na)
++{
++ /* Keep "flags" part (high cell) in translated address */
++ return of_bus_default_translate(addr + 1, offset, na - 1);
++}
+
+ #ifdef CONFIG_PCI
+ static unsigned int of_bus_pci_get_flags(const __be32 *addr)
+@@ -365,8 +391,8 @@ static struct of_bus of_busses[] = {
+ .addresses = "reg",
+ .match = of_bus_default_flags_match,
+ .count_cells = of_bus_default_count_cells,
+- .map = of_bus_default_map,
+- .translate = of_bus_default_translate,
++ .map = of_bus_default_flags_map,
++ .translate = of_bus_default_flags_translate,
+ .has_flags = true,
+ .get_flags = of_bus_default_flags_get_flags,
+ },
+--
+2.39.5
+
diff --git a/queue-6.1/of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch b/queue-6.1/of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch
new file mode 100644
index 00000000000..a5c17ceb986
--- /dev/null
+++ b/queue-6.1/of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch
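Review bot: The bound check at the end of the new of_bus_default_flags_map(), `if (da < cp || da >= (cp + s))`, adds two u64 values read from the ranges property, so a window whose base plus size reaches 2^64 makes `cp + s` wrap and every address in that window is rejected with OF_BAD_ADDR. Because `da < cp` is tested first, `if (da < cp || da - cp >= s)` expresses the same bound without the addition. Both new functions also pass `na - 1` as a cell count and depend on the bus's match callback, which is outside this hunk, to keep `na` at 1 or more; a short comment above the of_read_number() calls saying so would make that dependency visible.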
@@ -0,0 +1,50 @@
+From 790000f7c67d7d76b9aa77d06f5654146df440c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 24 Nov 2024 11:05:37 +0100
+Subject: of: address: Preserve the flags portion on 1:1 dma-ranges mapping
+
+From: Andrea della Porta
+
+[ Upstream commit 7f05e20b989ac33c9c0f8c2028ec0a566493548f ]
+
+A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma
+translations. In this specific case, the current behaviour is to zero out
+the entire specifier so that the translation could be carried on as an
+offset from zero. This includes address specifier that has flags (e.g.
+PCI ranges).
+
+Once the flags portion has been zeroed, the translation chain is broken
+since the mapping functions will check the upcoming address specifier
+against mismatching flags, always failing the 1:1 mapping and its entire
+purpose of always succeeding.
+
+Set to zero only the address portion while passing the flags through.
+
+Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrea della Porta
+Tested-by: Herve Codina
+Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.1732441813.git.andrea.porta@suse.com
+Signed-off-by: Rob Herring (Arm)
+Signed-off-by: Sasha Levin
+---
+ drivers/of/address.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 596381e70c0a..e93b7b527f61 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -466,7 +466,8 @@ static int of_translate_one(struct device_node *parent, struct of_bus *bus,
+ }
+ if (ranges == NULL || rlen == 0) {
+ offset = of_read_number(addr, na);
+- memset(addr, 0, pna * 4);
++ /* set address to zero, pass flags through */
++ memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4);
+ pr_debug("empty ranges; 1:1 translation\n");
+ goto finish;
+ }
+--
+2.39.5
+
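Review bot: The new memset length `(pna - pbus->flag_cells) * 4` is computed in `int` and then converted to size_t, so it is only safe while `pna >= pbus->flag_cells`; nothing in this hunk checks that, and a negative result would become a very large clear starting at `addr + pbus->flag_cells`. Both values are set outside the hunk (of_translate_one() starts and ends elsewhere), so the invariant may hold by construction, but I would make it explicit with `if (WARN_ON(pna < pbus->flag_cells))` followed by the function's existing error return, placed before the memset. Writing the element size as `sizeof(*addr)` rather than the bare `4` would also tie the length to the pointer type. The flag_cells patch in this queue has the same unguarded subtraction in of_pci_range_parser_one() (`na - busflag_na`).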
diff --git a/queue-6.1/of-address-remove-duplicated-functions.patch b/queue-6.1/of-address-remove-duplicated-functions.patch
new file mode 100644
index 00000000000..954e55070e5
--- /dev/null
+++ b/queue-6.1/of-address-remove-duplicated-functions.patch
@@ -0,0 +1,72 @@
+From 0ec9a74bca017ca618b29830f5e0617404124b46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Oct 2023 13:02:17 +0200
+Subject: of: address: Remove duplicated functions
+
+From: Herve Codina
+
+[ Upstream commit 3eb030c60835668997d5763b1a0c7938faf169f6 ]
+
+The recently added of_bus_default_flags_translate() performs the exact
+same operation as of_bus_pci_translate() and of_bus_isa_translate().
+
+Avoid duplicated code replacing both of_bus_pci_translate() and
+of_bus_isa_translate() with of_bus_default_flags_translate().
+
+Signed-off-by: Herve Codina
+Link: https://lore.kernel.org/r/20231017110221.189299-3-herve.codina@bootlin.com
+Signed-off-by: Rob Herring
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin
+---
+ drivers/of/address.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 4f7f4f519e80..39abcad30ddb 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -221,10 +221,6 @@ static u64 of_bus_pci_map(__be32 *addr, const __be32 *range, int na, int ns,
+ return da - cp;
+ }
+
+-static int of_bus_pci_translate(__be32 *addr, u64 offset, int na)
+-{
+- return of_bus_default_translate(addr + 1, offset, na - 1);
+-}
+ #endif /* CONFIG_PCI */
+
+ int of_pci_address_to_resource(struct device_node *dev, int bar,
+@@ -334,11 +330,6 @@ static u64 of_bus_isa_map(__be32 *addr, const __be32 *range, int na, int ns,
+ return da - cp;
+ }
+
+-static int of_bus_isa_translate(__be32 *addr, u64 offset, int na)
+-{
+- return of_bus_default_translate(addr + 1, offset, na - 1);
+-}
+-
+ static unsigned int of_bus_isa_get_flags(const __be32 *addr)
+ {
+ unsigned int flags = 0;
+@@ -369,7 +360,7 @@ static struct of_bus of_busses[] = {
+ .match = of_bus_pci_match,
+ .count_cells = of_bus_pci_count_cells,
+ .map = of_bus_pci_map,
+- .translate = of_bus_pci_translate,
++ .translate = of_bus_default_flags_translate,
+ .has_flags = true,
+ .get_flags = of_bus_pci_get_flags,
+ },
+@@ -381,7 +372,7 @@ static struct of_bus of_busses[] = {
+ .match = of_bus_isa_match,
+ .count_cells = of_bus_isa_count_cells,
+ .map = of_bus_isa_map,
+- .translate = of_bus_isa_translate,
++ .translate = of_bus_default_flags_translate,
+ .has_flags = true,
+ .get_flags = of_bus_isa_get_flags,
+ },
+--
+2.39.5
+
diff --git a/queue-6.1/of-address-store-number-of-bus-flag-cells-rather-tha.patch b/queue-6.1/of-address-store-number-of-bus-flag-cells-rather-tha.patch
new file mode 100644
index 00000000000..aa5bc0b816d
--- /dev/null
+++ b/queue-6.1/of-address-store-number-of-bus-flag-cells-rather-tha.patch
@@ -0,0 +1,85 @@
+From a08fa5e58cf63f042af33e30c69a6f040c265d8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 26 Oct 2023 08:53:58 -0500
+Subject: of: address: Store number of bus flag cells rather than bool
+
+From: Rob Herring
+
+[ Upstream commit 88696db08b7efa3b6bb722014ea7429e78f6be32 ]
+
+It is more useful to know how many flags cells a bus has rather than
+whether a bus has flags or not as ultimately the number of cells is the
+information used. Replace 'has_flags' boolean with 'flag_cells' count.
+
+Acked-by: Herve Codina
+Link: https://lore.kernel.org/r/20231026135358.3564307-2-robh@kernel.org
+Signed-off-by: Rob Herring
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin
+---
+ drivers/of/address.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 39abcad30ddb..596381e70c0a 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -50,7 +50,7 @@ struct of_bus {
+ u64 (*map)(__be32 *addr, const __be32 *range,
+ int na, int ns, int pna);
+ int (*translate)(__be32 *addr, u64 offset, int na);
+- bool has_flags;
++ int flag_cells;
+ unsigned int (*get_flags)(const __be32 *addr);
+ };
+
+@@ -361,7 +361,7 @@ static struct of_bus of_busses[] = {
+ .count_cells = of_bus_pci_count_cells,
+ .map = of_bus_pci_map,
+ .translate = of_bus_default_flags_translate,
+- .has_flags = true,
++ .flag_cells = 1,
+ .get_flags = of_bus_pci_get_flags,
+ },
+ #endif /* CONFIG_PCI */
+@@ -373,7 +373,7 @@ static struct of_bus of_busses[] = {
+ .count_cells = of_bus_isa_count_cells,
+ .map = of_bus_isa_map,
+ .translate = of_bus_default_flags_translate,
+- .has_flags = true,
++ .flag_cells = 1,
+ .get_flags = of_bus_isa_get_flags,
+ },
+ /* Default with flags cell */
+@@ -384,7 +384,7 @@ static struct of_bus of_busses[] = {
+ .count_cells = of_bus_default_count_cells,
+ .map = of_bus_default_flags_map,
+ .translate = of_bus_default_flags_translate,
+- .has_flags = true,
++ .flag_cells = 1,
+ .get_flags = of_bus_default_flags_get_flags,
+ },
+ /* Default */
+@@ -753,7 +753,7 @@ struct of_pci_range *of_pci_range_parser_one(struct of_pci_range_parser *parser,
+ int na = parser->na;
+ int ns = parser->ns;
+ int np = parser->pna + na + ns;
+- int busflag_na = 0;
++ int busflag_na = parser->bus->flag_cells;
+
+ if (!range)
+ return NULL;
+@@ -763,10 +763,6 @@ struct of_pci_range *of_pci_range_parser_one(struct of_pci_range_parser *parser,
+
+ range->flags = parser->bus->get_flags(parser->range);
+
+- /* A extra cell for resource flags */
+- if (parser->bus->has_flags)
+- busflag_na = 1;
+-
+ range->bus_addr = of_read_number(parser->range + busflag_na, na - busflag_na);
+
+ if (parser->dma)
+--
+2.39.5
+
diff --git a/queue-6.1/of-unittest-add-bus-address-range-parsing-tests.patch b/queue-6.1/of-unittest-add-bus-address-range-parsing-tests.patch
new file mode 100644
index 00000000000..85174c6e12c
--- /dev/null
+++ b/queue-6.1/of-unittest-add-bus-address-range-parsing-tests.patch
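Review bot: The new `int flag_cells;` member of struct of_bus carries no comment, and its meaning matters more than the old bool's did because of_pci_range_parser_one() now uses it directly as a pointer offset (`parser->range + busflag_na`). I would document it at the declaration with `/* number of leading address cells that hold flags; 0 if the bus has none */`. The last "Default" entry of of_busses[] lies outside these hunks and presumably relies on zero-initialisation for a count of 0, which the comment should state so nobody assumes every entry sets the field. The removed `/* A extra cell for resource flags */` comment was the only explanation of `busflag_na`, so a one-line replacement next to its new initialiser would keep that context.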
@@ -0,0 +1,96 @@
+From d620e2a2cc41adf1a0155f6d1fdd755aa44ecc7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 15:15:56 -0500
+Subject: of: unittest: Add bus address range parsing tests
+
+From: Rob Herring
+
+[ Upstream commit 6d32dadb11a6480be62c6ada901bbdcbda1775c9 ]
+
+While there are tests for "dma-ranges" helpers, "ranges" is missing any
+tests. It's the same underlying code, but for completeness add a test
+for "ranges" parsing iterators. This is in preparation to add some
+additional "ranges" helpers.
+
+Link: https://lore.kernel.org/r/20230328-dt-address-helpers-v1-1-e2456c3e77ab@kernel.org
+Signed-off-by: Rob Herring
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin
+---
+ drivers/of/unittest.c | 53 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index ce1386074e66..cd321f5b9d3c 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1019,6 +1019,58 @@ static void __init of_unittest_pci_dma_ranges(void)
+ of_node_put(np);
+ }
+
++static void __init of_unittest_bus_ranges(void)
++{
++ struct device_node *np;
++ struct of_range range;
++ struct of_range_parser parser;
++ int i = 0;
++
++ np = of_find_node_by_path("/testcase-data/address-tests");
++ if (!np) {
++ pr_err("missing testcase data\n");
++ return;
++ }
++
++ if (of_range_parser_init(&parser, np)) {
++ pr_err("missing ranges property\n");
++ return;
++ }
++
++ /*
++ * Get the "ranges" from the device tree
++ */
++ for_each_of_range(&parser, &range) {
++ unittest(range.flags == IORESOURCE_MEM,
++ "for_each_of_range wrong flags on node %pOF flags=%x (expected %x)\n",
++ np, range.flags, IORESOURCE_MEM);
++ if (!i) {
++ unittest(range.size == 0x40000000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0x70000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x70000000,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ } else {
++ unittest(range.size == 0x20000000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0xd0000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x00000000,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ }
++ i++;
++ }
++
++ of_node_put(np);
++}
++
+ static void __init of_unittest_parse_interrupts(void)
+ {
+ struct device_node *np;
+@@ -3521,6 +3573,7 @@ static int __init of_unittest(void)
+ of_unittest_dma_get_max_cpu_address();
+ of_unittest_parse_dma_ranges();
+ of_unittest_pci_dma_ranges();
++ of_unittest_bus_ranges();
+ of_unittest_match_node();
+ of_unittest_platform_populate();
+ of_unittest_overlay();
+--
+2.39.5
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 3175285dac7..903c94164ba 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
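Review bot: In the new of_unittest_bus_ranges(), the early return taken when of_range_parser_init() fails never drops the reference on `np` obtained from of_find_node_by_path(); only the normal exit reaches `of_node_put(np)`. Adding `of_node_put(np);` before that `return;` balances the reference count. The same early return appears in of_unittest_bus_3cell_ranges(), added by the 3-address-cell patch in this queue. Separately, the CPU-addr and bus-addr format strings lack the trailing `\n` that the flags and size messages have. The loop also never checks the final value of `i`, so a parser that yields no ranges would pass silently.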
@@ -81,3 +81,16 @@ iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
 iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
 iio-adc-ad7124-disable-all-channels-at-probe-time.patch
 io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch
+arm-dts-imxrt1050-fix-clocks-for-mmc.patch
+block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch
+arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch
+of-unittest-add-bus-address-range-parsing-tests.patch
+of-address-add-support-for-3-address-cell-bus.patch
+of-address-fix-address-translation-when-address-size.patch
+of-address-remove-duplicated-functions.patch
+of-address-store-number-of-bus-flag-cells-rather-tha.patch
+of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch
+ocfs2-correct-return-value-of-ocfs2_local_free_info.patch
+ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch
+drm-bridge-adv7511-use-dev_err_probe-in-probe-functi.patch
+drm-adv7511-fix-use-after-free-in-adv7533_attach_dsi.patch