From 091435d6b91d46f3cc50d7b8b9f9512b78030d83 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 23 May 2024 14:41:41 +0200 Subject: [PATCH] 6.6-stable patches added patches: admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch binder-fix-max_thread-type-inconsistency.patch block-add-a-disk_has_partscan-helper.patch block-add-a-partscan-sysfs-attribute-for-disks.patch bpf-add-missing-bpf_link_type-invocations.patch docs-admin-guide-mm-damon-usage-fix-wrong-example-of-damos-filter-matching-sysfs-file.patch docs-kernel_include.py-cope-with-docutils-0.21.patch drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch erofs-get-rid-of-erofs_fs_context.patch erofs-reliably-distinguish-block-based-and-fscache-mode.patch keys-trusted-do-not-use-warn-when-encode-fails.patch net-usb-ax88179_178a-fix-link-status-when-link-is-set-to-down-up.patch remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch usb-dwc3-wait-unconditionally-after-issuing-endxfer-command.patch usb-typec-tipd-fix-event-checking-for-tps6598x.patch usb-typec-ucsi-displayport-fix-potential-deadlock.patch --- ...fix-return-type-of-pr_sched_core_get.patch | 47 +++ ...er-fix-max_thread-type-inconsistency.patch | 51 +++ ...block-add-a-disk_has_partscan-helper.patch | 83 +++++ ...a-partscan-sysfs-attribute-for-disks.patch | 76 +++++ ...dd-missing-bpf_link_type-invocations.patch | 47 +++ ...-of-damos-filter-matching-sysfs-file.patch | 39 +++ ...l_include.py-cope-with-docutils-0.21.patch | 66 ++++ ...amdgpu_ras_query_error_status_helper.patch | 47 +++ .../erofs-get-rid-of-erofs_fs_context.patch | 293 ++++++++++++++++++ ...inguish-block-based-and-fscache-mode.patch | 67 ++++ ...ed-do-not-use-warn-when-encode-fails.patch | 44 +++ ...k-status-when-link-is-set-to-down-up.patch | 181 +++++++++++ ...k-make-sure-ipi-buffer-fits-in-l2tcm.patch | 59 ++++ ...ty-problems-from-keyboard-reset-code.patch | 95 ++++++ queue-6.6/series | 17 + ...onally-after-issuing-endxfer-command.patch | 58 ++++ ...tipd-fix-event-checking-for-tps6598x.patch | 148 +++++++++ ...i-displayport-fix-potential-deadlock.patch | 51 +++ 18 files changed, 1469 insertions(+) create mode 100644 queue-6.6/admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch create mode 100644 queue-6.6/binder-fix-max_thread-type-inconsistency.patch create mode 100644 queue-6.6/block-add-a-disk_has_partscan-helper.patch create mode 100644 queue-6.6/block-add-a-partscan-sysfs-attribute-for-disks.patch create mode 100644 queue-6.6/bpf-add-missing-bpf_link_type-invocations.patch create mode 100644 queue-6.6/docs-admin-guide-mm-damon-usage-fix-wrong-example-of-damos-filter-matching-sysfs-file.patch create mode 100644 queue-6.6/docs-kernel_include.py-cope-with-docutils-0.21.patch create mode 100644 queue-6.6/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch create mode 100644 queue-6.6/erofs-get-rid-of-erofs_fs_context.patch create mode 100644 queue-6.6/erofs-reliably-distinguish-block-based-and-fscache-mode.patch create mode 100644 queue-6.6/keys-trusted-do-not-use-warn-when-encode-fails.patch create mode 100644 queue-6.6/net-usb-ax88179_178a-fix-link-status-when-link-is-set-to-down-up.patch create mode 100644 queue-6.6/remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch create mode 100644 queue-6.6/serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch create mode 100644 queue-6.6/usb-dwc3-wait-unconditionally-after-issuing-endxfer-command.patch create mode 100644 queue-6.6/usb-typec-tipd-fix-event-checking-for-tps6598x.patch create mode 100644 queue-6.6/usb-typec-ucsi-displayport-fix-potential-deadlock.patch diff --git a/queue-6.6/admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch b/queue-6.6/admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch new file mode 100644 index 00000000000..32ec6c785b8 --- /dev/null +++ b/queue-6.6/admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch @@ -0,0 +1,47 @@ +From 8af2d1ab78f2342f8c4c3740ca02d86f0ebfac5a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 23 Apr 2024 12:34:25 +0200 +Subject: admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 8af2d1ab78f2342f8c4c3740ca02d86f0ebfac5a upstream. + +sched_core_share_pid() copies the cookie to userspace with +put_user(id, (u64 __user *)uaddr), expecting 64 bits of space. +The "unsigned long" datatype that is documented in core-scheduling.rst +however is only 32 bits large on 32 bit architectures. + +Document "unsigned long long" as the correct data type that is always +64bits large. + +This matches what the selftest cs_prctl_test.c has been doing all along. + +Fixes: 0159bb020ca9 ("Documentation: Add usecases, design and interface for core scheduling") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/util-linux/df7a25a0-7923-4f8b-a527-5e6f0064074d@t-8ch.de/ +Signed-off-by: Thomas Weißschuh +Reviewed-by: Chris Hyser +Signed-off-by: Jonathan Corbet +Link: https://lore.kernel.org/r/20240423-core-scheduling-cookie-v1-1-5753a35f8dfc@weissschuh.net +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/admin-guide/hw-vuln/core-scheduling.rst ++++ b/Documentation/admin-guide/hw-vuln/core-scheduling.rst +@@ -67,8 +67,8 @@ arg4: + will be performed for all tasks in the task group of ``pid``. + + arg5: +- userspace pointer to an unsigned long for storing the cookie returned by +- ``PR_SCHED_CORE_GET`` command. Should be 0 for all other commands. ++ userspace pointer to an unsigned long long for storing the cookie returned ++ by ``PR_SCHED_CORE_GET`` command. Should be 0 for all other commands. + + In order for a process to push a cookie to, or pull a cookie from a process, it + is required to have the ptrace access mode: `PTRACE_MODE_READ_REALCREDS` to the diff --git a/queue-6.6/binder-fix-max_thread-type-inconsistency.patch b/queue-6.6/binder-fix-max_thread-type-inconsistency.patch new file mode 100644 index 00000000000..9452259918d --- /dev/null +++ b/queue-6.6/binder-fix-max_thread-type-inconsistency.patch @@ -0,0 +1,51 @@ +From 42316941335644a98335f209daafa4c122f28983 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Sun, 21 Apr 2024 17:37:49 +0000 +Subject: binder: fix max_thread type inconsistency +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Carlos Llamas + +commit 42316941335644a98335f209daafa4c122f28983 upstream. + +The type defined for the BINDER_SET_MAX_THREADS ioctl was changed from +size_t to __u32 in order to avoid incompatibility issues between 32 and +64-bit kernels. However, the internal types used to copy from user and +store the value were never updated. Use u32 to fix the inconsistency. + +Fixes: a9350fc859ae ("staging: android: binder: fix BINDER_SET_MAX_THREADS declaration") +Reported-by: Arve Hjønnevåg +Cc: stable@vger.kernel.org +Signed-off-by: Carlos Llamas +Reviewed-by: Alice Ryhl +Link: https://lore.kernel.org/r/20240421173750.3117808-1-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 2 +- + drivers/android/binder_internal.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -5368,7 +5368,7 @@ static long binder_ioctl(struct file *fi + goto err; + break; + case BINDER_SET_MAX_THREADS: { +- int max_threads; ++ u32 max_threads; + + if (copy_from_user(&max_threads, ubuf, + sizeof(max_threads))) { +--- a/drivers/android/binder_internal.h ++++ b/drivers/android/binder_internal.h +@@ -421,7 +421,7 @@ struct binder_proc { + struct list_head todo; + struct binder_stats stats; + struct list_head delivered_death; +- int max_threads; ++ u32 max_threads; + int requested_threads; + int requested_threads_started; + int tmp_ref; diff --git a/queue-6.6/block-add-a-disk_has_partscan-helper.patch b/queue-6.6/block-add-a-disk_has_partscan-helper.patch new file mode 100644 index 00000000000..87fb1324758 --- /dev/null +++ b/queue-6.6/block-add-a-disk_has_partscan-helper.patch @@ -0,0 +1,83 @@ +From 140ce28dd3bee8e53acc27f123ae474d69ef66f0 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 2 May 2024 15:00:32 +0200 +Subject: block: add a disk_has_partscan helper + +From: Christoph Hellwig + +commit 140ce28dd3bee8e53acc27f123ae474d69ef66f0 upstream. + +Add a helper to check if partition scanning is enabled instead of +open coding the check in a few places. This now always checks for +the hidden flag even if all but one of the callers are never reachable +for hidden gendisks. + +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20240502130033.1958492-2-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/genhd.c | 7 ++----- + block/partitions/core.c | 5 +---- + include/linux/blkdev.h | 13 +++++++++++++ + 3 files changed, 16 insertions(+), 9 deletions(-) + +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -345,9 +345,7 @@ int disk_scan_partitions(struct gendisk + struct block_device *bdev; + int ret = 0; + +- if (disk->flags & (GENHD_FL_NO_PART | GENHD_FL_HIDDEN)) +- return -EINVAL; +- if (test_bit(GD_SUPPRESS_PART_SCAN, &disk->state)) ++ if (!disk_has_partscan(disk)) + return -EINVAL; + if (disk->open_partitions) + return -EBUSY; +@@ -503,8 +501,7 @@ int __must_check device_add_disk(struct + goto out_unregister_bdi; + + /* Make sure the first partition scan will be proceed */ +- if (get_capacity(disk) && !(disk->flags & GENHD_FL_NO_PART) && +- !test_bit(GD_SUPPRESS_PART_SCAN, &disk->state)) ++ if (get_capacity(disk) && disk_has_partscan(disk)) + set_bit(GD_NEED_PART_SCAN, &disk->state); + + bdev_add(disk->part0, ddev->devt); +--- a/block/partitions/core.c ++++ b/block/partitions/core.c +@@ -592,10 +592,7 @@ static int blk_add_partitions(struct gen + struct parsed_partitions *state; + int ret = -EAGAIN, p; + +- if (disk->flags & GENHD_FL_NO_PART) +- return 0; +- +- if (test_bit(GD_SUPPRESS_PART_SCAN, &disk->state)) ++ if (!disk_has_partscan(disk)) + return 0; + + state = check_partition(disk); +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -229,6 +229,19 @@ static inline unsigned int disk_openers( + return atomic_read(&disk->part0->bd_openers); + } + ++/** ++ * disk_has_partscan - return %true if partition scanning is enabled on a disk ++ * @disk: disk to check ++ * ++ * Returns %true if partitions scanning is enabled for @disk, or %false if ++ * partition scanning is disabled either permanently or temporarily. ++ */ ++static inline bool disk_has_partscan(struct gendisk *disk) ++{ ++ return !(disk->flags & (GENHD_FL_NO_PART | GENHD_FL_HIDDEN)) && ++ !test_bit(GD_SUPPRESS_PART_SCAN, &disk->state); ++} ++ + /* + * The gendisk is refcounted by the part0 block_device, and the bd_device + * therein is also used for device model presentation in sysfs. diff --git a/queue-6.6/block-add-a-partscan-sysfs-attribute-for-disks.patch b/queue-6.6/block-add-a-partscan-sysfs-attribute-for-disks.patch new file mode 100644 index 00000000000..44483572d8a --- /dev/null +++ b/queue-6.6/block-add-a-partscan-sysfs-attribute-for-disks.patch @@ -0,0 +1,76 @@ +From a4217c6740dc64a3eb6815868a9260825e8c68c6 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 2 May 2024 15:00:33 +0200 +Subject: block: add a partscan sysfs attribute for disks + +From: Christoph Hellwig + +commit a4217c6740dc64a3eb6815868a9260825e8c68c6 upstream. + +Userspace had been unknowingly relying on a non-stable interface of +kernel internals to determine if partition scanning is enabled for a +given disk. Provide a stable interface for this purpose instead. + +Cc: stable@vger.kernel.org # 6.3+ +Depends-on: 140ce28dd3be ("block: add a disk_has_partscan helper") +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/linux-block/ZhQJf8mzq_wipkBH@gardel-login/ +Link: https://lore.kernel.org/r/20240502130033.1958492-3-hch@lst.de +[axboe: add links and commit message from Keith] +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/ABI/stable/sysfs-block | 10 ++++++++++ + block/genhd.c | 8 ++++++++ + 2 files changed, 18 insertions(+) + +--- a/Documentation/ABI/stable/sysfs-block ++++ b/Documentation/ABI/stable/sysfs-block +@@ -101,6 +101,16 @@ Description: + devices that support receiving integrity metadata. + + ++What: /sys/block//partscan ++Date: May 2024 ++Contact: Christoph Hellwig ++Description: ++ The /sys/block//partscan files reports if partition ++ scanning is enabled for the disk. It returns "1" if partition ++ scanning is enabled, or "0" if not. The value type is a 32-bit ++ unsigned integer, but only "0" and "1" are valid values. ++ ++ + What: /sys/block///alignment_offset + Date: April 2009 + Contact: Martin K. Petersen +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -1037,6 +1037,12 @@ static ssize_t diskseq_show(struct devic + return sprintf(buf, "%llu\n", disk->diskseq); + } + ++static ssize_t partscan_show(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "%u\n", disk_has_partscan(dev_to_disk(dev))); ++} ++ + static DEVICE_ATTR(range, 0444, disk_range_show, NULL); + static DEVICE_ATTR(ext_range, 0444, disk_ext_range_show, NULL); + static DEVICE_ATTR(removable, 0444, disk_removable_show, NULL); +@@ -1050,6 +1056,7 @@ static DEVICE_ATTR(stat, 0444, part_stat + static DEVICE_ATTR(inflight, 0444, part_inflight_show, NULL); + static DEVICE_ATTR(badblocks, 0644, disk_badblocks_show, disk_badblocks_store); + static DEVICE_ATTR(diskseq, 0444, diskseq_show, NULL); ++static DEVICE_ATTR(partscan, 0444, partscan_show, NULL); + + #ifdef CONFIG_FAIL_MAKE_REQUEST + ssize_t part_fail_show(struct device *dev, +@@ -1096,6 +1103,7 @@ static struct attribute *disk_attrs[] = + &dev_attr_events_async.attr, + &dev_attr_events_poll_msecs.attr, + &dev_attr_diskseq.attr, ++ &dev_attr_partscan.attr, + #ifdef CONFIG_FAIL_MAKE_REQUEST + &dev_attr_fail.attr, + #endif diff --git a/queue-6.6/bpf-add-missing-bpf_link_type-invocations.patch b/queue-6.6/bpf-add-missing-bpf_link_type-invocations.patch new file mode 100644 index 00000000000..d85e95af38c --- /dev/null +++ b/queue-6.6/bpf-add-missing-bpf_link_type-invocations.patch @@ -0,0 +1,47 @@ +From 117211aa739a926e6555cfea883be84bee6f1695 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Sat, 16 Dec 2023 00:05:02 +0100 +Subject: bpf: Add missing BPF_LINK_TYPE invocations + +From: Jiri Olsa + +commit 117211aa739a926e6555cfea883be84bee6f1695 upstream. + +Pengfei Xu reported [1] Syzkaller/KASAN issue found in bpf_link_show_fdinfo. + +The reason is missing BPF_LINK_TYPE invocation for uprobe multi +link and for several other links, adding that. + +[1] https://lore.kernel.org/bpf/ZXptoKRSLspnk2ie@xpf.sh.intel.com/ + +Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link") +Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") +Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") +Fixes: 35dfaad7188c ("netkit, bpf: Add bpf programmable net device") +Reported-by: Pengfei Xu +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Tested-by: Pengfei Xu +Acked-by: Hou Tao +Link: https://lore.kernel.org/bpf/20231215230502.2769743-1-jolsa@kernel.org +Signed-off-by: Ignat Korchagin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bpf_types.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/linux/bpf_types.h ++++ b/include/linux/bpf_types.h +@@ -142,9 +142,12 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter) + #ifdef CONFIG_NET + BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns) + BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp) ++BPF_LINK_TYPE(BPF_LINK_TYPE_NETFILTER, netfilter) ++BPF_LINK_TYPE(BPF_LINK_TYPE_TCX, tcx) + #endif + #ifdef CONFIG_PERF_EVENTS + BPF_LINK_TYPE(BPF_LINK_TYPE_PERF_EVENT, perf) + #endif + BPF_LINK_TYPE(BPF_LINK_TYPE_KPROBE_MULTI, kprobe_multi) + BPF_LINK_TYPE(BPF_LINK_TYPE_STRUCT_OPS, struct_ops) ++BPF_LINK_TYPE(BPF_LINK_TYPE_UPROBE_MULTI, uprobe_multi) diff --git a/queue-6.6/docs-admin-guide-mm-damon-usage-fix-wrong-example-of-damos-filter-matching-sysfs-file.patch b/queue-6.6/docs-admin-guide-mm-damon-usage-fix-wrong-example-of-damos-filter-matching-sysfs-file.patch new file mode 100644 index 00000000000..93a4ad273a9 --- /dev/null +++ b/queue-6.6/docs-admin-guide-mm-damon-usage-fix-wrong-example-of-damos-filter-matching-sysfs-file.patch @@ -0,0 +1,39 @@ +From da2a061888883e067e8e649d086df35c92c760a7 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Fri, 3 May 2024 11:03:14 -0700 +Subject: Docs/admin-guide/mm/damon/usage: fix wrong example of DAMOS filter matching sysfs file + +From: SeongJae Park + +commit da2a061888883e067e8e649d086df35c92c760a7 upstream. + +The example usage of DAMOS filter sysfs files, specifically the part of +'matching' file writing for memcg type filter, is wrong. The intention is +to exclude pages of a memcg that already getting enough care from a given +scheme, but the example is setting the filter to apply the scheme to only +the pages of the memcg. Fix it. + +Link: https://lkml.kernel.org/r/20240503180318.72798-7-sj@kernel.org +Fixes: 9b7f9322a530 ("Docs/admin-guide/mm/damon/usage: document DAMOS filters of sysfs") +Closes: https://lore.kernel.org/r/20240317191358.97578-1-sj@kernel.org +Signed-off-by: SeongJae Park +Cc: [6.3.x] +Cc: Jonathan Corbet +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/mm/damon/usage.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/admin-guide/mm/damon/usage.rst ++++ b/Documentation/admin-guide/mm/damon/usage.rst +@@ -389,7 +389,7 @@ pages of all memory cgroups except ``/ha + # # further filter out all cgroups except one at '/having_care_already' + echo memcg > 1/type + echo /having_care_already > 1/memcg_path +- echo N > 1/matching ++ echo Y > 1/matching + + Note that ``anon`` and ``memcg`` filters are currently supported only when + ``paddr`` `implementation ` is being used. diff --git a/queue-6.6/docs-kernel_include.py-cope-with-docutils-0.21.patch b/queue-6.6/docs-kernel_include.py-cope-with-docutils-0.21.patch new file mode 100644 index 00000000000..f055827e0e7 --- /dev/null +++ b/queue-6.6/docs-kernel_include.py-cope-with-docutils-0.21.patch @@ -0,0 +1,66 @@ +From d43ddd5c91802a46354fa4c4381416ef760676e2 Mon Sep 17 00:00:00 2001 +From: Akira Yokosawa +Date: Wed, 1 May 2024 12:16:11 +0900 +Subject: docs: kernel_include.py: Cope with docutils 0.21 + +From: Akira Yokosawa + +commit d43ddd5c91802a46354fa4c4381416ef760676e2 upstream. + +Running "make htmldocs" on a newly installed Sphinx 7.3.7 ends up in +a build error: + + Sphinx parallel build error: + AttributeError: module 'docutils.nodes' has no attribute 'reprunicode' + +docutils 0.21 has removed nodes.reprunicode, quote from release note [1]: + + * Removed objects: + + docutils.nodes.reprunicode, docutils.nodes.ensure_str() + Python 2 compatibility hacks + +Sphinx 7.3.0 supports docutils 0.21 [2]: + +kernel_include.py, whose origin is misc.py of docutils, uses reprunicode. + +Upstream docutils removed the offending line from the corresponding file +(docutils/docutils/parsers/rst/directives/misc.py) in January 2022. +Quoting the changelog [3]: + + Deprecate `nodes.reprunicode` and `nodes.ensure_str()`. + + Drop uses of the deprecated constructs (not required with Python 3). + +Do the same for kernel_include.py. + +Tested against: + - Sphinx 2.4.5 (docutils 0.17.1) + - Sphinx 3.4.3 (docutils 0.17.1) + - Sphinx 5.3.0 (docutils 0.18.1) + - Sphinx 6.2.1 (docutils 0.19) + - Sphinx 7.2.6 (docutils 0.20.1) + - Sphinx 7.3.7 (docutils 0.21.2) + +Link: http://www.docutils.org/RELEASE-NOTES.html#release-0-21-2024-04-09 [1] +Link: https://www.sphinx-doc.org/en/master/changes.html#release-7-3-0-released-apr-16-2024 [2] +Link: https://github.com/docutils/docutils/commit/c8471ce47a24 [3] +Signed-off-by: Akira Yokosawa +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Link: https://lore.kernel.org/r/faf5fa45-2a9d-4573-9d2e-3930bdc1ed65@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sphinx/kernel_include.py | 1 - + 1 file changed, 1 deletion(-) + +--- a/Documentation/sphinx/kernel_include.py ++++ b/Documentation/sphinx/kernel_include.py +@@ -97,7 +97,6 @@ class KernelInclude(Include): + # HINT: this is the only line I had to change / commented out: + #path = utils.relative_path(None, path) + +- path = nodes.reprunicode(path) + encoding = self.options.get( + 'encoding', self.state.document.settings.input_encoding) + e_handler=self.state.document.settings.input_encoding_error_handler diff --git a/queue-6.6/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch b/queue-6.6/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch new file mode 100644 index 00000000000..50248bf9873 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch @@ -0,0 +1,47 @@ +From b8d55a90fd55b767c25687747e2b24abd1ef8680 Mon Sep 17 00:00:00 2001 +From: Srinivasan Shanmugam +Date: Tue, 26 Dec 2023 15:32:19 +0530 +Subject: drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +commit b8d55a90fd55b767c25687747e2b24abd1ef8680 upstream. + +Return invalid error code -EINVAL for invalid block id. + +Fixes the below: + +drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176) + +Suggested-by: Hawking Zhang +Cc: Tao Zhou +Cc: Hawking Zhang +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +[Ajay: applied AMDGPU_RAS_BLOCK_COUNT condition to amdgpu_ras_query_error_status() + as amdgpu_ras_query_error_status_helper() not present in v6.6, v6.1 + amdgpu_ras_query_error_status_helper() was introduced in 8cc0f5669eb6] +Signed-off-by: Ajay Kaher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +@@ -1025,6 +1025,9 @@ int amdgpu_ras_query_error_status(struct + if (!obj) + return -EINVAL; + ++ if (!info || info->head.block == AMDGPU_RAS_BLOCK_COUNT) ++ return -EINVAL; ++ + if (info->head.block == AMDGPU_RAS_BLOCK__UMC) { + amdgpu_ras_get_ecc_info(adev, &err_data); + } else { diff --git a/queue-6.6/erofs-get-rid-of-erofs_fs_context.patch b/queue-6.6/erofs-get-rid-of-erofs_fs_context.patch new file mode 100644 index 00000000000..a3a79cf324e --- /dev/null +++ b/queue-6.6/erofs-get-rid-of-erofs_fs_context.patch @@ -0,0 +1,293 @@ +From 07abe43a28b2c660f726d66f5470f7f114f9643a Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Fri, 19 Apr 2024 20:36:10 +0800 +Subject: erofs: get rid of erofs_fs_context + +From: Baokun Li + +commit 07abe43a28b2c660f726d66f5470f7f114f9643a upstream. + +Instead of allocating the erofs_sb_info in fill_super() allocate it during +erofs_init_fs_context() and ensure that erofs can always have the info +available during erofs_kill_sb(). After this erofs_fs_context is no longer +needed, replace ctx with sbi, no functional changes. + +Suggested-by: Jingbo Xu +Signed-off-by: Baokun Li +Reviewed-by: Jingbo Xu +Reviewed-by: Gao Xiang +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20240419123611.947084-2-libaokun1@huawei.com +[ Gao Xiang: trivial conflict due to a warning message. ] +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/internal.h | 7 --- + fs/erofs/super.c | 116 +++++++++++++++++++++++----------------------------- + 2 files changed, 53 insertions(+), 70 deletions(-) + +--- a/fs/erofs/internal.h ++++ b/fs/erofs/internal.h +@@ -82,13 +82,6 @@ struct erofs_dev_context { + bool flatdev; + }; + +-struct erofs_fs_context { +- struct erofs_mount_opts opt; +- struct erofs_dev_context *devs; +- char *fsid; +- char *domain_id; +-}; +- + /* all filesystem-wide lz4 configurations */ + struct erofs_sb_lz4_info { + /* # of pages needed for EROFS lz4 rolling decompression */ +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -367,18 +367,18 @@ out: + return ret; + } + +-static void erofs_default_options(struct erofs_fs_context *ctx) ++static void erofs_default_options(struct erofs_sb_info *sbi) + { + #ifdef CONFIG_EROFS_FS_ZIP +- ctx->opt.cache_strategy = EROFS_ZIP_CACHE_READAROUND; +- ctx->opt.max_sync_decompress_pages = 3; +- ctx->opt.sync_decompress = EROFS_SYNC_DECOMPRESS_AUTO; ++ sbi->opt.cache_strategy = EROFS_ZIP_CACHE_READAROUND; ++ sbi->opt.max_sync_decompress_pages = 3; ++ sbi->opt.sync_decompress = EROFS_SYNC_DECOMPRESS_AUTO; + #endif + #ifdef CONFIG_EROFS_FS_XATTR +- set_opt(&ctx->opt, XATTR_USER); ++ set_opt(&sbi->opt, XATTR_USER); + #endif + #ifdef CONFIG_EROFS_FS_POSIX_ACL +- set_opt(&ctx->opt, POSIX_ACL); ++ set_opt(&sbi->opt, POSIX_ACL); + #endif + } + +@@ -423,17 +423,17 @@ static const struct fs_parameter_spec er + static bool erofs_fc_set_dax_mode(struct fs_context *fc, unsigned int mode) + { + #ifdef CONFIG_FS_DAX +- struct erofs_fs_context *ctx = fc->fs_private; ++ struct erofs_sb_info *sbi = fc->s_fs_info; + + switch (mode) { + case EROFS_MOUNT_DAX_ALWAYS: + warnfc(fc, "DAX enabled. Warning: EXPERIMENTAL, use at your own risk"); +- set_opt(&ctx->opt, DAX_ALWAYS); +- clear_opt(&ctx->opt, DAX_NEVER); ++ set_opt(&sbi->opt, DAX_ALWAYS); ++ clear_opt(&sbi->opt, DAX_NEVER); + return true; + case EROFS_MOUNT_DAX_NEVER: +- set_opt(&ctx->opt, DAX_NEVER); +- clear_opt(&ctx->opt, DAX_ALWAYS); ++ set_opt(&sbi->opt, DAX_NEVER); ++ clear_opt(&sbi->opt, DAX_ALWAYS); + return true; + default: + DBG_BUGON(1); +@@ -448,7 +448,7 @@ static bool erofs_fc_set_dax_mode(struct + static int erofs_fc_parse_param(struct fs_context *fc, + struct fs_parameter *param) + { +- struct erofs_fs_context *ctx = fc->fs_private; ++ struct erofs_sb_info *sbi = fc->s_fs_info; + struct fs_parse_result result; + struct erofs_device_info *dif; + int opt, ret; +@@ -461,9 +461,9 @@ static int erofs_fc_parse_param(struct f + case Opt_user_xattr: + #ifdef CONFIG_EROFS_FS_XATTR + if (result.boolean) +- set_opt(&ctx->opt, XATTR_USER); ++ set_opt(&sbi->opt, XATTR_USER); + else +- clear_opt(&ctx->opt, XATTR_USER); ++ clear_opt(&sbi->opt, XATTR_USER); + #else + errorfc(fc, "{,no}user_xattr options not supported"); + #endif +@@ -471,16 +471,16 @@ static int erofs_fc_parse_param(struct f + case Opt_acl: + #ifdef CONFIG_EROFS_FS_POSIX_ACL + if (result.boolean) +- set_opt(&ctx->opt, POSIX_ACL); ++ set_opt(&sbi->opt, POSIX_ACL); + else +- clear_opt(&ctx->opt, POSIX_ACL); ++ clear_opt(&sbi->opt, POSIX_ACL); + #else + errorfc(fc, "{,no}acl options not supported"); + #endif + break; + case Opt_cache_strategy: + #ifdef CONFIG_EROFS_FS_ZIP +- ctx->opt.cache_strategy = result.uint_32; ++ sbi->opt.cache_strategy = result.uint_32; + #else + errorfc(fc, "compression not supported, cache_strategy ignored"); + #endif +@@ -502,27 +502,27 @@ static int erofs_fc_parse_param(struct f + kfree(dif); + return -ENOMEM; + } +- down_write(&ctx->devs->rwsem); +- ret = idr_alloc(&ctx->devs->tree, dif, 0, 0, GFP_KERNEL); +- up_write(&ctx->devs->rwsem); ++ down_write(&sbi->devs->rwsem); ++ ret = idr_alloc(&sbi->devs->tree, dif, 0, 0, GFP_KERNEL); ++ up_write(&sbi->devs->rwsem); + if (ret < 0) { + kfree(dif->path); + kfree(dif); + return ret; + } +- ++ctx->devs->extra_devices; ++ ++sbi->devs->extra_devices; + break; + #ifdef CONFIG_EROFS_FS_ONDEMAND + case Opt_fsid: +- kfree(ctx->fsid); +- ctx->fsid = kstrdup(param->string, GFP_KERNEL); +- if (!ctx->fsid) ++ kfree(sbi->fsid); ++ sbi->fsid = kstrdup(param->string, GFP_KERNEL); ++ if (!sbi->fsid) + return -ENOMEM; + break; + case Opt_domain_id: +- kfree(ctx->domain_id); +- ctx->domain_id = kstrdup(param->string, GFP_KERNEL); +- if (!ctx->domain_id) ++ kfree(sbi->domain_id); ++ sbi->domain_id = kstrdup(param->string, GFP_KERNEL); ++ if (!sbi->domain_id) + return -ENOMEM; + break; + #else +@@ -578,8 +578,7 @@ static const struct export_operations er + static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc) + { + struct inode *inode; +- struct erofs_sb_info *sbi; +- struct erofs_fs_context *ctx = fc->fs_private; ++ struct erofs_sb_info *sbi = EROFS_SB(sb); + int err; + + sb->s_magic = EROFS_SUPER_MAGIC; +@@ -587,19 +586,6 @@ static int erofs_fc_fill_super(struct su + sb->s_maxbytes = MAX_LFS_FILESIZE; + sb->s_op = &erofs_sops; + +- sbi = kzalloc(sizeof(*sbi), GFP_KERNEL); +- if (!sbi) +- return -ENOMEM; +- +- sb->s_fs_info = sbi; +- sbi->opt = ctx->opt; +- sbi->devs = ctx->devs; +- ctx->devs = NULL; +- sbi->fsid = ctx->fsid; +- ctx->fsid = NULL; +- sbi->domain_id = ctx->domain_id; +- ctx->domain_id = NULL; +- + sbi->blkszbits = PAGE_SHIFT; + if (erofs_is_fscache_mode(sb)) { + sb->s_blocksize = PAGE_SIZE; +@@ -703,9 +689,9 @@ static int erofs_fc_fill_super(struct su + + static int erofs_fc_get_tree(struct fs_context *fc) + { +- struct erofs_fs_context *ctx = fc->fs_private; ++ struct erofs_sb_info *sbi = fc->s_fs_info; + +- if (IS_ENABLED(CONFIG_EROFS_FS_ONDEMAND) && ctx->fsid) ++ if (IS_ENABLED(CONFIG_EROFS_FS_ONDEMAND) && sbi->fsid) + return get_tree_nodev(fc, erofs_fc_fill_super); + + return get_tree_bdev(fc, erofs_fc_fill_super); +@@ -715,19 +701,19 @@ static int erofs_fc_reconfigure(struct f + { + struct super_block *sb = fc->root->d_sb; + struct erofs_sb_info *sbi = EROFS_SB(sb); +- struct erofs_fs_context *ctx = fc->fs_private; ++ struct erofs_sb_info *new_sbi = fc->s_fs_info; + + DBG_BUGON(!sb_rdonly(sb)); + +- if (ctx->fsid || ctx->domain_id) ++ if (new_sbi->fsid || new_sbi->domain_id) + erofs_info(sb, "ignoring reconfiguration for fsid|domain_id."); + +- if (test_opt(&ctx->opt, POSIX_ACL)) ++ if (test_opt(&new_sbi->opt, POSIX_ACL)) + fc->sb_flags |= SB_POSIXACL; + else + fc->sb_flags &= ~SB_POSIXACL; + +- sbi->opt = ctx->opt; ++ sbi->opt = new_sbi->opt; + + fc->sb_flags |= SB_RDONLY; + return 0; +@@ -758,12 +744,15 @@ static void erofs_free_dev_context(struc + + static void erofs_fc_free(struct fs_context *fc) + { +- struct erofs_fs_context *ctx = fc->fs_private; ++ struct erofs_sb_info *sbi = fc->s_fs_info; + +- erofs_free_dev_context(ctx->devs); +- kfree(ctx->fsid); +- kfree(ctx->domain_id); +- kfree(ctx); ++ if (!sbi) ++ return; ++ ++ erofs_free_dev_context(sbi->devs); ++ kfree(sbi->fsid); ++ kfree(sbi->domain_id); ++ kfree(sbi); + } + + static const struct fs_context_operations erofs_context_ops = { +@@ -775,21 +764,22 @@ static const struct fs_context_operation + + static int erofs_init_fs_context(struct fs_context *fc) + { +- struct erofs_fs_context *ctx; ++ struct erofs_sb_info *sbi; + +- ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); +- if (!ctx) ++ sbi = kzalloc(sizeof(*sbi), GFP_KERNEL); ++ if (!sbi) + return -ENOMEM; +- ctx->devs = kzalloc(sizeof(struct erofs_dev_context), GFP_KERNEL); +- if (!ctx->devs) { +- kfree(ctx); ++ ++ sbi->devs = kzalloc(sizeof(struct erofs_dev_context), GFP_KERNEL); ++ if (!sbi->devs) { ++ kfree(sbi); + return -ENOMEM; + } +- fc->fs_private = ctx; ++ fc->s_fs_info = sbi; + +- idr_init(&ctx->devs->tree); +- init_rwsem(&ctx->devs->rwsem); +- erofs_default_options(ctx); ++ idr_init(&sbi->devs->tree); ++ init_rwsem(&sbi->devs->rwsem); ++ erofs_default_options(sbi); + fc->ops = &erofs_context_ops; + return 0; + } diff --git a/queue-6.6/erofs-reliably-distinguish-block-based-and-fscache-mode.patch b/queue-6.6/erofs-reliably-distinguish-block-based-and-fscache-mode.patch new file mode 100644 index 00000000000..f1f019d2d02 --- /dev/null +++ b/queue-6.6/erofs-reliably-distinguish-block-based-and-fscache-mode.patch @@ -0,0 +1,67 @@ +From 7af2ae1b1531feab5d38ec9c8f472dc6cceb4606 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Fri, 19 Apr 2024 20:36:11 +0800 +Subject: erofs: reliably distinguish block based and fscache mode + +From: Christian Brauner + +commit 7af2ae1b1531feab5d38ec9c8f472dc6cceb4606 upstream. + +When erofs_kill_sb() is called in block dev based mode, s_bdev may not +have been initialised yet, and if CONFIG_EROFS_FS_ONDEMAND is enabled, +it will be mistaken for fscache mode, and then attempt to free an anon_dev +that has never been allocated, triggering the following warning: + +============================================ +ida_free called for id=0 which is not allocated. +WARNING: CPU: 14 PID: 926 at lib/idr.c:525 ida_free+0x134/0x140 +Modules linked in: +CPU: 14 PID: 926 Comm: mount Not tainted 6.9.0-rc3-dirty #630 +RIP: 0010:ida_free+0x134/0x140 +Call Trace: + + erofs_kill_sb+0x81/0x90 + deactivate_locked_super+0x35/0x80 + get_tree_bdev+0x136/0x1e0 + vfs_get_tree+0x2c/0xf0 + do_new_mount+0x190/0x2f0 + [...] +============================================ + +Now when erofs_kill_sb() is called, erofs_sb_info must have been +initialised, so use sbi->fsid to distinguish between the two modes. + +Signed-off-by: Christian Brauner +Signed-off-by: Baokun Li +Reviewed-by: Jingbo Xu +Reviewed-by: Gao Xiang +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20240419123611.947084-3-libaokun1@huawei.com +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/super.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -786,17 +786,13 @@ static int erofs_init_fs_context(struct + + static void erofs_kill_sb(struct super_block *sb) + { +- struct erofs_sb_info *sbi; ++ struct erofs_sb_info *sbi = EROFS_SB(sb); + +- if (erofs_is_fscache_mode(sb)) ++ if (IS_ENABLED(CONFIG_EROFS_FS_ONDEMAND) && sbi->fsid) + kill_anon_super(sb); + else + kill_block_super(sb); + +- sbi = EROFS_SB(sb); +- if (!sbi) +- return; +- + erofs_free_dev_context(sbi->devs); + fs_put_dax(sbi->dax_dev, NULL); + erofs_fscache_unregister_fs(sb); diff --git a/queue-6.6/keys-trusted-do-not-use-warn-when-encode-fails.patch b/queue-6.6/keys-trusted-do-not-use-warn-when-encode-fails.patch new file mode 100644 index 00000000000..1a75425963f --- /dev/null +++ b/queue-6.6/keys-trusted-do-not-use-warn-when-encode-fails.patch @@ -0,0 +1,44 @@ +From 050bf3c793a07f96bd1e2fd62e1447f731ed733b Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 13 May 2024 21:19:04 +0300 +Subject: KEYS: trusted: Do not use WARN when encode fails + +From: Jarkko Sakkinen + +commit 050bf3c793a07f96bd1e2fd62e1447f731ed733b upstream. + +When asn1_encode_sequence() fails, WARN is not the correct solution. + +1. asn1_encode_sequence() is not an internal function (located + in lib/asn1_encode.c). +2. Location is known, which makes the stack trace useless. +3. Results a crash if panic_on_warn is set. + +It is also noteworthy that the use of WARN is undocumented, and it +should be avoided unless there is a carefully considered rationale to +use it. + +Replace WARN with pr_err, and print the return value instead, which is +only useful piece of information. + +Cc: stable@vger.kernel.org # v5.13+ +Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_tpm2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -84,8 +84,9 @@ static int tpm2_key_encode(struct truste + work1 = payload->blob; + work1 = asn1_encode_sequence(work1, work1 + sizeof(payload->blob), + scratch, work - scratch); +- if (WARN(IS_ERR(work1), "BUG: ASN.1 encoder failed")) { ++ if (IS_ERR(work1)) { + ret = PTR_ERR(work1); ++ pr_err("BUG: ASN.1 encoder failed with %d\n", ret); + goto err; + } + diff --git a/queue-6.6/net-usb-ax88179_178a-fix-link-status-when-link-is-set-to-down-up.patch b/queue-6.6/net-usb-ax88179_178a-fix-link-status-when-link-is-set-to-down-up.patch new file mode 100644 index 00000000000..61122a224af --- /dev/null +++ b/queue-6.6/net-usb-ax88179_178a-fix-link-status-when-link-is-set-to-down-up.patch @@ -0,0 +1,181 @@ +From ecf848eb934b03959918f5269f64c0e52bc23998 Mon Sep 17 00:00:00 2001 +From: Jose Ignacio Tornos Martinez +Date: Fri, 10 May 2024 11:08:28 +0200 +Subject: net: usb: ax88179_178a: fix link status when link is set to down/up + +From: Jose Ignacio Tornos Martinez + +commit ecf848eb934b03959918f5269f64c0e52bc23998 upstream. + +The idea was to keep only one reset at initialization stage in order to +reduce the total delay, or the reset from usbnet_probe or the reset from +usbnet_open. + +I have seen that restarting from usbnet_probe is necessary to avoid doing +too complex things. But when the link is set to down/up (for example to +configure a different mac address) the link is not correctly recovered +unless a reset is commanded from usbnet_open. + +So, detect the initialization stage (first call) to not reset from +usbnet_open after the reset from usbnet_probe and after this stage, always +reset from usbnet_open too (when the link needs to be rechecked). + +Apply to all the possible devices, the behavior now is going to be the same. + +cc: stable@vger.kernel.org # 6.6+ +Fixes: 56f78615bcb1 ("net: usb: ax88179_178a: avoid writing the mac address before first reading") +Reported-by: Isaac Ganoung +Reported-by: Yongqin Liu +Signed-off-by: Jose Ignacio Tornos Martinez +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240510090846.328201-1-jtornosm@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ax88179_178a.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -174,6 +174,7 @@ struct ax88179_data { + u32 wol_supported; + u32 wolopts; + u8 disconnecting; ++ u8 initialized; + }; + + struct ax88179_int_data { +@@ -1673,6 +1674,18 @@ static int ax88179_reset(struct usbnet * + return 0; + } + ++static int ax88179_net_reset(struct usbnet *dev) ++{ ++ struct ax88179_data *ax179_data = dev->driver_priv; ++ ++ if (ax179_data->initialized) ++ ax88179_reset(dev); ++ else ++ ax179_data->initialized = 1; ++ ++ return 0; ++} ++ + static int ax88179_stop(struct usbnet *dev) + { + u16 tmp16; +@@ -1692,6 +1705,7 @@ static const struct driver_info ax88179_ + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1704,6 +1718,7 @@ static const struct driver_info ax88178a + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1716,7 +1731,7 @@ static const struct driver_info cypress_ + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1729,7 +1744,7 @@ static const struct driver_info dlink_du + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1742,7 +1757,7 @@ static const struct driver_info sitecom_ + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1755,7 +1770,7 @@ static const struct driver_info samsung_ + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1768,7 +1783,7 @@ static const struct driver_info lenovo_i + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1781,7 +1796,7 @@ static const struct driver_info belkin_i + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1794,7 +1809,7 @@ static const struct driver_info toshiba_ + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1807,7 +1822,7 @@ static const struct driver_info mct_info + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1820,7 +1835,7 @@ static const struct driver_info at_umc20 + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1833,7 +1848,7 @@ static const struct driver_info at_umc20 + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, +@@ -1846,7 +1861,7 @@ static const struct driver_info at_umc20 + .unbind = ax88179_unbind, + .status = ax88179_status, + .link_reset = ax88179_link_reset, +- .reset = ax88179_reset, ++ .reset = ax88179_net_reset, + .stop = ax88179_stop, + .flags = FLAG_ETHER | FLAG_FRAMING_AX, + .rx_fixup = ax88179_rx_fixup, diff --git a/queue-6.6/remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch b/queue-6.6/remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch new file mode 100644 index 00000000000..9e014fa569a --- /dev/null +++ b/queue-6.6/remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch @@ -0,0 +1,59 @@ +From 331f91d86f71d0bb89a44217cc0b2a22810bbd42 Mon Sep 17 00:00:00 2001 +From: AngeloGioacchino Del Regno +Date: Thu, 21 Mar 2024 09:46:13 +0100 +Subject: remoteproc: mediatek: Make sure IPI buffer fits in L2TCM + +From: AngeloGioacchino Del Regno + +commit 331f91d86f71d0bb89a44217cc0b2a22810bbd42 upstream. + +The IPI buffer location is read from the firmware that we load to the +System Companion Processor, and it's not granted that both the SRAM +(L2TCM) size that is defined in the devicetree node is large enough +for that, and while this is especially true for multi-core SCP, it's +still useful to check on single-core variants as well. + +Failing to perform this check may make this driver perform R/W +operations out of the L2TCM boundary, resulting (at best) in a +kernel panic. + +To fix that, check that the IPI buffer fits, otherwise return a +failure and refuse to boot the relevant SCP core (or the SCP at +all, if this is single core). + +Fixes: 3efa0ea743b7 ("remoteproc/mediatek: read IPI buffer offset from FW") +Signed-off-by: AngeloGioacchino Del Regno +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240321084614.45253-2-angelogioacchino.delregno@collabora.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/mtk_scp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/remoteproc/mtk_scp.c ++++ b/drivers/remoteproc/mtk_scp.c +@@ -126,7 +126,7 @@ static int scp_elf_read_ipi_buf_addr(str + static int scp_ipi_init(struct mtk_scp *scp, const struct firmware *fw) + { + int ret; +- size_t offset; ++ size_t buf_sz, offset; + + /* read the ipi buf addr from FW itself first */ + ret = scp_elf_read_ipi_buf_addr(scp, fw, &offset); +@@ -138,6 +138,14 @@ static int scp_ipi_init(struct mtk_scp * + } + dev_info(scp->dev, "IPI buf addr %#010zx\n", offset); + ++ /* Make sure IPI buffer fits in the L2TCM range assigned to this core */ ++ buf_sz = sizeof(*scp->recv_buf) + sizeof(*scp->send_buf); ++ ++ if (scp->sram_size < buf_sz + offset) { ++ dev_err(scp->dev, "IPI buffer does not fit in SRAM.\n"); ++ return -EOVERFLOW; ++ } ++ + scp->recv_buf = (struct mtk_share_obj __iomem *) + (scp->sram_base + offset); + scp->send_buf = (struct mtk_share_obj __iomem *) diff --git a/queue-6.6/serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch b/queue-6.6/serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch new file mode 100644 index 00000000000..23282587fde --- /dev/null +++ b/queue-6.6/serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch @@ -0,0 +1,95 @@ +From b2aba15ad6f908d1a620fd97f6af5620c3639742 Mon Sep 17 00:00:00 2001 +From: Daniel Thompson +Date: Wed, 24 Apr 2024 15:21:41 +0100 +Subject: serial: kgdboc: Fix NMI-safety problems from keyboard reset code + +From: Daniel Thompson + +commit b2aba15ad6f908d1a620fd97f6af5620c3639742 upstream. + +Currently, when kdb is compiled with keyboard support, then we will use +schedule_work() to provoke reset of the keyboard status. Unfortunately +schedule_work() gets called from the kgdboc post-debug-exception +handler. That risks deadlock since schedule_work() is not NMI-safe and, +even on platforms where the NMI is not directly used for debugging, the +debug trap can have NMI-like behaviour depending on where breakpoints +are placed. + +Fix this by using the irq work system, which is NMI-safe, to defer the +call to schedule_work() to a point when it is safe to call. + +Reported-by: Liuye +Closes: https://lore.kernel.org/all/20240228025602.3087748-1-liu.yeC@h3c.com/ +Cc: stable@vger.kernel.org +Reviewed-by: Douglas Anderson +Acked-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20240424-kgdboc_fix_schedule_work-v2-1-50f5a490aec5@linaro.org +Signed-off-by: Daniel Thompson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/kgdboc.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -48,6 +49,25 @@ static struct kgdb_io kgdboc_earlycon_i + static int (*earlycon_orig_exit)(struct console *con); + #endif /* IS_BUILTIN(CONFIG_KGDB_SERIAL_CONSOLE) */ + ++/* ++ * When we leave the debug trap handler we need to reset the keyboard status ++ * (since the original keyboard state gets partially clobbered by kdb use of ++ * the keyboard). ++ * ++ * The path to deliver the reset is somewhat circuitous. ++ * ++ * To deliver the reset we register an input handler, reset the keyboard and ++ * then deregister the input handler. However, to get this done right, we do ++ * have to carefully manage the calling context because we can only register ++ * input handlers from task context. ++ * ++ * In particular we need to trigger the action from the debug trap handler with ++ * all its NMI and/or NMI-like oddities. To solve this the kgdboc trap exit code ++ * (the "post_exception" callback) uses irq_work_queue(), which is NMI-safe, to ++ * schedule a callback from a hardirq context. From there we have to defer the ++ * work again, this time using schedule_work(), to get a callback using the ++ * system workqueue, which runs in task context. ++ */ + #ifdef CONFIG_KDB_KEYBOARD + static int kgdboc_reset_connect(struct input_handler *handler, + struct input_dev *dev, +@@ -99,10 +119,17 @@ static void kgdboc_restore_input_helper( + + static DECLARE_WORK(kgdboc_restore_input_work, kgdboc_restore_input_helper); + ++static void kgdboc_queue_restore_input_helper(struct irq_work *unused) ++{ ++ schedule_work(&kgdboc_restore_input_work); ++} ++ ++static DEFINE_IRQ_WORK(kgdboc_restore_input_irq_work, kgdboc_queue_restore_input_helper); ++ + static void kgdboc_restore_input(void) + { + if (likely(system_state == SYSTEM_RUNNING)) +- schedule_work(&kgdboc_restore_input_work); ++ irq_work_queue(&kgdboc_restore_input_irq_work); + } + + static int kgdboc_register_kbd(char **cptr) +@@ -133,6 +160,7 @@ static void kgdboc_unregister_kbd(void) + i--; + } + } ++ irq_work_sync(&kgdboc_restore_input_irq_work); + flush_work(&kgdboc_restore_input_work); + } + #else /* ! CONFIG_KDB_KEYBOARD */ diff --git a/queue-6.6/series b/queue-6.6/series index dde37789026..486a2ba5cd2 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -86,3 +86,20 @@ bluetooth-l2cap-fix-div-by-zero-in-l2cap_le_flowctl_init.patch keys-trusted-fix-memory-leak-in-tpm2_key_encode.patch mmc-core-add-hs400-tuning-in-hs400es-initialization.patch kselftest-add-a-ksft_perror-helper.patch +bpf-add-missing-bpf_link_type-invocations.patch +erofs-get-rid-of-erofs_fs_context.patch +erofs-reliably-distinguish-block-based-and-fscache-mode.patch +drm-amdgpu-fix-possible-null-dereference-in-amdgpu_ras_query_error_status_helper.patch +binder-fix-max_thread-type-inconsistency.patch +usb-dwc3-wait-unconditionally-after-issuing-endxfer-command.patch +net-usb-ax88179_178a-fix-link-status-when-link-is-set-to-down-up.patch +usb-typec-ucsi-displayport-fix-potential-deadlock.patch +usb-typec-tipd-fix-event-checking-for-tps6598x.patch +serial-kgdboc-fix-nmi-safety-problems-from-keyboard-reset-code.patch +remoteproc-mediatek-make-sure-ipi-buffer-fits-in-l2tcm.patch +keys-trusted-do-not-use-warn-when-encode-fails.patch +admin-guide-hw-vuln-core-scheduling-fix-return-type-of-pr_sched_core_get.patch +docs-kernel_include.py-cope-with-docutils-0.21.patch +docs-admin-guide-mm-damon-usage-fix-wrong-example-of-damos-filter-matching-sysfs-file.patch +block-add-a-disk_has_partscan-helper.patch +block-add-a-partscan-sysfs-attribute-for-disks.patch diff --git a/queue-6.6/usb-dwc3-wait-unconditionally-after-issuing-endxfer-command.patch b/queue-6.6/usb-dwc3-wait-unconditionally-after-issuing-endxfer-command.patch new file mode 100644 index 00000000000..8ba070553b8 --- /dev/null +++ b/queue-6.6/usb-dwc3-wait-unconditionally-after-issuing-endxfer-command.patch @@ -0,0 +1,58 @@ +From 1d26ba0944d398f88aaf997bda3544646cf21945 Mon Sep 17 00:00:00 2001 +From: Prashanth K +Date: Thu, 2 May 2024 10:11:03 +0530 +Subject: usb: dwc3: Wait unconditionally after issuing EndXfer command + +From: Prashanth K + +commit 1d26ba0944d398f88aaf997bda3544646cf21945 upstream. + +Currently all controller IP/revisions except DWC3_usb3 >= 310a +wait 1ms unconditionally for ENDXFER completion when IOC is not +set. This is because DWC_usb3 controller revisions >= 3.10a +supports GUCTL2[14: Rst_actbitlater] bit which allows polling +CMDACT bit to know whether ENDXFER command is completed. + +Consider a case where an IN request was queued, and parallelly +soft_disconnect was called (due to ffs_epfile_release). This +eventually calls stop_active_transfer with IOC cleared, hence +send_gadget_ep_cmd() skips waiting for CMDACT cleared during +EndXfer. For DWC3 controllers with revisions >= 310a, we don't +forcefully wait for 1ms either, and we proceed by unmapping the +requests. If ENDXFER didn't complete by this time, it leads to +SMMU faults since the controller would still be accessing those +requests. + +Fix this by ensuring ENDXFER completion by adding 1ms delay in +__dwc3_stop_active_transfer() unconditionally. + +Cc: stable@vger.kernel.org +Fixes: b353eb6dc285 ("usb: dwc3: gadget: Skip waiting for CMDACT cleared during endxfer") +Signed-off-by: Prashanth K +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20240502044103.1066350-1-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1718,7 +1718,6 @@ static int __dwc3_gadget_get_frame(struc + */ + static int __dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force, bool interrupt) + { +- struct dwc3 *dwc = dep->dwc; + struct dwc3_gadget_ep_cmd_params params; + u32 cmd; + int ret; +@@ -1743,8 +1742,7 @@ static int __dwc3_stop_active_transfer(s + dep->resource_index = 0; + + if (!interrupt) { +- if (!DWC3_IP_IS(DWC3) || DWC3_VER_IS_PRIOR(DWC3, 310A)) +- mdelay(1); ++ mdelay(1); + dep->flags &= ~DWC3_EP_TRANSFER_STARTED; + } else if (!ret) { + dep->flags |= DWC3_EP_END_TRANSFER_PENDING; diff --git a/queue-6.6/usb-typec-tipd-fix-event-checking-for-tps6598x.patch b/queue-6.6/usb-typec-tipd-fix-event-checking-for-tps6598x.patch new file mode 100644 index 00000000000..667f6dfa778 --- /dev/null +++ b/queue-6.6/usb-typec-tipd-fix-event-checking-for-tps6598x.patch @@ -0,0 +1,148 @@ +From 409c1cfb5a803f3cf2d17aeaf75c25c4be951b07 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Mon, 29 Apr 2024 15:35:58 +0200 +Subject: usb: typec: tipd: fix event checking for tps6598x + +From: Javier Carrasco + +commit 409c1cfb5a803f3cf2d17aeaf75c25c4be951b07 upstream. + +The current interrupt service routine of the tps6598x only reads the +first 64 bits of the INT_EVENT1 and INT_EVENT2 registers, which means +that any event above that range will be ignored, leaving interrupts +unattended. Moreover, those events will not be cleared, and the device +will keep the interrupt enabled. + +This issue has been observed while attempting to load patches, and the +'ReadyForPatch' field (bit 81) of INT_EVENT1 was set. + +Given that older versions of the tps6598x (1, 2 and 6) provide 8-byte +registers, a mechanism based on the upper byte of the version register +(0x0F) has been included. The manufacturer has confirmed [1] that this +byte is always 0 for older versions, and either 0xF7 (DH parts) or 0xF9 +(DK parts) is returned in newer versions (7 and 8). + +Read the complete INT_EVENT registers to handle all interrupts generated +by the device and account for the hardware version to select the +register size. + +Link: https://e2e.ti.com/support/power-management-group/power-management/f/power-management-forum/1346521/tps65987d-register-command-to-distinguish-between-tps6591-2-6-and-tps65987-8 [1] +Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") +Cc: stable@vger.kernel.org +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20240429-tps6598x_fix_event_handling-v3-2-4e8e58dce489@wolfvision.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tipd/core.c | 45 +++++++++++++++++++++++++++----------- + drivers/usb/typec/tipd/tps6598x.h | 11 +++++++++ + 2 files changed, 43 insertions(+), 13 deletions(-) + +--- a/drivers/usb/typec/tipd/core.c ++++ b/drivers/usb/typec/tipd/core.c +@@ -26,6 +26,7 @@ + #define TPS_REG_MODE 0x03 + #define TPS_REG_CMD1 0x08 + #define TPS_REG_DATA1 0x09 ++#define TPS_REG_VERSION 0x0F + #define TPS_REG_INT_EVENT1 0x14 + #define TPS_REG_INT_EVENT2 0x15 + #define TPS_REG_INT_MASK1 0x16 +@@ -515,49 +516,67 @@ err_unlock: + + static irqreturn_t tps6598x_interrupt(int irq, void *data) + { ++ int intev_len = TPS_65981_2_6_INTEVENT_LEN; + struct tps6598x *tps = data; +- u64 event1 = 0; +- u64 event2 = 0; ++ u64 event1[2] = { }; ++ u64 event2[2] = { }; ++ u32 version; + u32 status; + int ret; + + mutex_lock(&tps->lock); + +- ret = tps6598x_read64(tps, TPS_REG_INT_EVENT1, &event1); +- ret |= tps6598x_read64(tps, TPS_REG_INT_EVENT2, &event2); ++ ret = tps6598x_read32(tps, TPS_REG_VERSION, &version); ++ if (ret) ++ dev_warn(tps->dev, "%s: failed to read version (%d)\n", ++ __func__, ret); ++ ++ if (TPS_VERSION_HW_VERSION(version) == TPS_VERSION_HW_65987_8_DH || ++ TPS_VERSION_HW_VERSION(version) == TPS_VERSION_HW_65987_8_DK) ++ intev_len = TPS_65987_8_INTEVENT_LEN; ++ ++ ret = tps6598x_block_read(tps, TPS_REG_INT_EVENT1, event1, intev_len); ++ ++ ret = tps6598x_block_read(tps, TPS_REG_INT_EVENT1, event1, intev_len); + if (ret) { +- dev_err(tps->dev, "%s: failed to read events\n", __func__); ++ dev_err(tps->dev, "%s: failed to read event1\n", __func__); + goto err_unlock; + } +- trace_tps6598x_irq(event1, event2); ++ ret = tps6598x_block_read(tps, TPS_REG_INT_EVENT2, event2, intev_len); ++ if (ret) { ++ dev_err(tps->dev, "%s: failed to read event2\n", __func__); ++ goto err_unlock; ++ } ++ trace_tps6598x_irq(event1[0], event2[0]); + +- if (!(event1 | event2)) ++ if (!(event1[0] | event1[1] | event2[0] | event2[1])) + goto err_unlock; + + if (!tps6598x_read_status(tps, &status)) + goto err_clear_ints; + +- if ((event1 | event2) & TPS_REG_INT_POWER_STATUS_UPDATE) ++ if ((event1[0] | event2[0]) & TPS_REG_INT_POWER_STATUS_UPDATE) + if (!tps6598x_read_power_status(tps)) + goto err_clear_ints; + +- if ((event1 | event2) & TPS_REG_INT_DATA_STATUS_UPDATE) ++ if ((event1[0] | event2[0]) & TPS_REG_INT_DATA_STATUS_UPDATE) + if (!tps6598x_read_data_status(tps)) + goto err_clear_ints; + + /* Handle plug insert or removal */ +- if ((event1 | event2) & TPS_REG_INT_PLUG_EVENT) ++ if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT) + tps6598x_handle_plug_event(tps, status); + + err_clear_ints: +- tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event1); +- tps6598x_write64(tps, TPS_REG_INT_CLEAR2, event2); ++ tps6598x_block_write(tps, TPS_REG_INT_CLEAR1, event1, intev_len); ++ tps6598x_block_write(tps, TPS_REG_INT_CLEAR2, event2, intev_len); + + err_unlock: + mutex_unlock(&tps->lock); + +- if (event1 | event2) ++ if (event1[0] | event1[1] | event2[0] | event2[1]) + return IRQ_HANDLED; ++ + return IRQ_NONE; + } + +--- a/drivers/usb/typec/tipd/tps6598x.h ++++ b/drivers/usb/typec/tipd/tps6598x.h +@@ -199,4 +199,15 @@ + #define TPS_DATA_STATUS_DP_SPEC_PIN_ASSIGNMENT_A BIT(2) + #define TPS_DATA_STATUS_DP_SPEC_PIN_ASSIGNMENT_B (BIT(2) | BIT(1)) + ++/* Version Register */ ++#define TPS_VERSION_HW_VERSION_MASK GENMASK(31, 24) ++#define TPS_VERSION_HW_VERSION(x) TPS_FIELD_GET(TPS_VERSION_HW_VERSION_MASK, (x)) ++#define TPS_VERSION_HW_65981_2_6 0x00 ++#define TPS_VERSION_HW_65987_8_DH 0xF7 ++#define TPS_VERSION_HW_65987_8_DK 0xF9 ++ ++/* Int Event Register length */ ++#define TPS_65981_2_6_INTEVENT_LEN 8 ++#define TPS_65987_8_INTEVENT_LEN 11 ++ + #endif /* __TPS6598X_H__ */ diff --git a/queue-6.6/usb-typec-ucsi-displayport-fix-potential-deadlock.patch b/queue-6.6/usb-typec-ucsi-displayport-fix-potential-deadlock.patch new file mode 100644 index 00000000000..290180397f8 --- /dev/null +++ b/queue-6.6/usb-typec-ucsi-displayport-fix-potential-deadlock.patch @@ -0,0 +1,51 @@ +From b791a67f68121d69108640d4a3e591d210ffe850 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Tue, 7 May 2024 16:43:16 +0300 +Subject: usb: typec: ucsi: displayport: Fix potential deadlock + +From: Heikki Krogerus + +commit b791a67f68121d69108640d4a3e591d210ffe850 upstream. + +The function ucsi_displayport_work() does not access the +connector, so it also must not acquire the connector lock. + +This fixes a potential deadlock scenario: + +ucsi_displayport_work() -> lock(&con->lock) +typec_altmode_vdm() +dp_altmode_vdm() +dp_altmode_work() +typec_altmode_enter() +ucsi_displayport_enter() -> lock(&con->lock) + +Reported-by: Mathias Nyman +Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode") +Cc: stable@vger.kernel.org +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20240507134316.161999-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/displayport.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/usb/typec/ucsi/displayport.c ++++ b/drivers/usb/typec/ucsi/displayport.c +@@ -275,8 +275,6 @@ static void ucsi_displayport_work(struct + struct ucsi_dp *dp = container_of(work, struct ucsi_dp, work); + int ret; + +- mutex_lock(&dp->con->lock); +- + ret = typec_altmode_vdm(dp->alt, dp->header, + dp->vdo_data, dp->vdo_size); + if (ret) +@@ -285,8 +283,6 @@ static void ucsi_displayport_work(struct + dp->vdo_data = NULL; + dp->vdo_size = 0; + dp->header = 0; +- +- mutex_unlock(&dp->con->lock); + } + + void ucsi_displayport_remove_partner(struct typec_altmode *alt) -- 2.47.3