From 172e7843d90339d8d0f3d91a0cb7f249b1277321 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 6 Jan 2025 11:55:32 +0100 Subject: [PATCH] 6.1-stable patches added patches: drm-adv7511-drop-dsi-single-lane-support.patch dt-bindings-display-adi-adv7533-drop-single-lane-support.patch kcov-mark-in_softirq_really-as-__always_inline.patch net-sctp-prevent-autoclose-integer-overflow-in-sctp_association_init.patch pinctrl-mcp23s08-fix-sleeping-in-atomic-context-due-to-regmap-locking.patch rdma-uverbs-prevent-integer-overflow-issue.patch sky2-add-device-id-11ab-4373-for-marvell-88e8075.patch --- ...adv7511-drop-dsi-single-lane-support.patch | 39 ++++++ ...adi-adv7533-drop-single-lane-support.patch | 39 ++++++ ...in_softirq_really-as-__always_inline.patch | 44 +++++++ ...er-overflow-in-sctp_association_init.patch | 36 ++++++ ...atomic-context-due-to-regmap-locking.patch | 111 ++++++++++++++++++ ...verbs-prevent-integer-overflow-issue.patch | 74 ++++++++++++ queue-6.1/series | 7 ++ ...ice-id-11ab-4373-for-marvell-88e8075.patch | 31 +++++ 8 files changed, 381 insertions(+) create mode 100644 queue-6.1/drm-adv7511-drop-dsi-single-lane-support.patch create mode 100644 queue-6.1/dt-bindings-display-adi-adv7533-drop-single-lane-support.patch create mode 100644 queue-6.1/kcov-mark-in_softirq_really-as-__always_inline.patch create mode 100644 queue-6.1/net-sctp-prevent-autoclose-integer-overflow-in-sctp_association_init.patch create mode 100644 queue-6.1/pinctrl-mcp23s08-fix-sleeping-in-atomic-context-due-to-regmap-locking.patch create mode 100644 queue-6.1/rdma-uverbs-prevent-integer-overflow-issue.patch create mode 100644 queue-6.1/sky2-add-device-id-11ab-4373-for-marvell-88e8075.patch diff --git a/queue-6.1/drm-adv7511-drop-dsi-single-lane-support.patch b/queue-6.1/drm-adv7511-drop-dsi-single-lane-support.patch new file mode 100644 index 00000000000..cb876be80ec --- /dev/null +++ b/queue-6.1/drm-adv7511-drop-dsi-single-lane-support.patch @@ -0,0 +1,39 @@ +From 79d67c499c3f886202a40c5cb27e747e4fa4d738 Mon Sep 17 00:00:00 2001 +From: Biju Das +Date: Tue, 19 Nov 2024 19:20:31 +0000 +Subject: drm: adv7511: Drop dsi single lane support + +From: Biju Das + +commit 79d67c499c3f886202a40c5cb27e747e4fa4d738 upstream. + +As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop +unsupported 1-lane. + +[1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535.pdf +[2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533.pdf + +Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") +Reported-by: Hien Huynh +Cc: stable@vger.kernel.org +Reviewed-by: Laurent Pinchart +Reviewed-by: Adam Ford +Signed-off-by: Biju Das +Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-4-biju.das.jz@bp.renesas.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c +@@ -179,7 +179,7 @@ int adv7533_parse_dt(struct device_node + + of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); + +- if (num_lanes < 1 || num_lanes > 4) ++ if (num_lanes < 2 || num_lanes > 4) + return -EINVAL; + + adv->num_dsi_lanes = num_lanes; diff --git a/queue-6.1/dt-bindings-display-adi-adv7533-drop-single-lane-support.patch b/queue-6.1/dt-bindings-display-adi-adv7533-drop-single-lane-support.patch new file mode 100644 index 00000000000..898f82d836b --- /dev/null +++ b/queue-6.1/dt-bindings-display-adi-adv7533-drop-single-lane-support.patch @@ -0,0 +1,39 @@ +From ee8f9ed57a397605434caeef351bafa3ec4dfdd4 Mon Sep 17 00:00:00 2001 +From: Biju Das +Date: Tue, 19 Nov 2024 19:20:30 +0000 +Subject: dt-bindings: display: adi,adv7533: Drop single lane support + +From: Biju Das + +commit ee8f9ed57a397605434caeef351bafa3ec4dfdd4 upstream. + +As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop +unsupported 1-lane from bindings. + +[1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535.pdf +[2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533.pdf + +Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") +Cc: stable@vger.kernel.org +Acked-by: Krzysztof Kozlowski +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Laurent Pinchart +Signed-off-by: Biju Das +Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-3-biju.das.jz@bp.renesas.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml ++++ b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml +@@ -87,7 +87,7 @@ properties: + adi,dsi-lanes: + description: Number of DSI data lanes connected to the DSI host. + $ref: /schemas/types.yaml#/definitions/uint32 +- enum: [ 1, 2, 3, 4 ] ++ enum: [ 2, 3, 4 ] + + ports: + description: diff --git a/queue-6.1/kcov-mark-in_softirq_really-as-__always_inline.patch b/queue-6.1/kcov-mark-in_softirq_really-as-__always_inline.patch new file mode 100644 index 00000000000..778efc09602 --- /dev/null +++ b/queue-6.1/kcov-mark-in_softirq_really-as-__always_inline.patch @@ -0,0 +1,44 @@ +From cb0ca08b326aa03f87fe94bb91872ce8d2ef1ed8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 17 Dec 2024 08:18:10 +0100 +Subject: kcov: mark in_softirq_really() as __always_inline + +From: Arnd Bergmann + +commit cb0ca08b326aa03f87fe94bb91872ce8d2ef1ed8 upstream. + +If gcc decides not to inline in_softirq_really(), objtool warns about a +function call with UACCESS enabled: + +kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc+0x1e: call to in_softirq_really() with UACCESS enabled +kernel/kcov.o: warning: objtool: check_kcov_mode+0x11: call to in_softirq_really() with UACCESS enabled + +Mark this as __always_inline to avoid the problem. + +Link: https://lkml.kernel.org/r/20241217071814.2261620-1-arnd@kernel.org +Fixes: 7d4df2dad312 ("kcov: properly check for softirq context") +Signed-off-by: Arnd Bergmann +Reviewed-by: Marco Elver +Cc: Aleksandr Nogikh +Cc: Andrey Konovalov +Cc: Dmitry Vyukov +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kcov.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/kcov.c ++++ b/kernel/kcov.c +@@ -165,7 +165,7 @@ static void kcov_remote_area_put(struct + * Unlike in_serving_softirq(), this function returns false when called during + * a hardirq or an NMI that happened in the softirq context. + */ +-static inline bool in_softirq_really(void) ++static __always_inline bool in_softirq_really(void) + { + return in_serving_softirq() && !in_hardirq() && !in_nmi(); + } diff --git a/queue-6.1/net-sctp-prevent-autoclose-integer-overflow-in-sctp_association_init.patch b/queue-6.1/net-sctp-prevent-autoclose-integer-overflow-in-sctp_association_init.patch new file mode 100644 index 00000000000..f73118b6ea6 --- /dev/null +++ b/queue-6.1/net-sctp-prevent-autoclose-integer-overflow-in-sctp_association_init.patch @@ -0,0 +1,36 @@ +From 4e86729d1ff329815a6e8a920cb554a1d4cb5b8d Mon Sep 17 00:00:00 2001 +From: Nikolay Kuratov +Date: Thu, 19 Dec 2024 19:21:14 +0300 +Subject: net/sctp: Prevent autoclose integer overflow in sctp_association_init() + +From: Nikolay Kuratov + +commit 4e86729d1ff329815a6e8a920cb554a1d4cb5b8d upstream. + +While by default max_autoclose equals to INT_MAX / HZ, one may set +net.sctp.max_autoclose to UINT_MAX. There is code in +sctp_association_init() that can consequently trigger overflow. + +Cc: stable@vger.kernel.org +Fixes: 9f70f46bd4c7 ("sctp: properly latch and use autoclose value from sock to association") +Signed-off-by: Nikolay Kuratov +Acked-by: Xin Long +Link: https://patch.msgid.link/20241219162114.2863827-1-kniv@yandex-team.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/associola.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -137,7 +137,8 @@ static struct sctp_association *sctp_ass + = 5 * asoc->rto_max; + + asoc->timeouts[SCTP_EVENT_TIMEOUT_SACK] = asoc->sackdelay; +- asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] = sp->autoclose * HZ; ++ asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] = ++ (unsigned long)sp->autoclose * HZ; + + /* Initializes the timers */ + for (i = SCTP_EVENT_TIMEOUT_NONE; i < SCTP_NUM_TIMEOUT_TYPES; ++i) diff --git a/queue-6.1/pinctrl-mcp23s08-fix-sleeping-in-atomic-context-due-to-regmap-locking.patch b/queue-6.1/pinctrl-mcp23s08-fix-sleeping-in-atomic-context-due-to-regmap-locking.patch new file mode 100644 index 00000000000..c0d343e3964 --- /dev/null +++ b/queue-6.1/pinctrl-mcp23s08-fix-sleeping-in-atomic-context-due-to-regmap-locking.patch @@ -0,0 +1,111 @@ +From a37eecb705f33726f1fb7cd2a67e514a15dfe693 Mon Sep 17 00:00:00 2001 +From: Evgenii Shatokhin +Date: Mon, 9 Dec 2024 10:46:59 +0300 +Subject: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking + +From: Evgenii Shatokhin + +commit a37eecb705f33726f1fb7cd2a67e514a15dfe693 upstream. + +If a device uses MCP23xxx IO expander to receive IRQs, the following +bug can happen: + + BUG: sleeping function called from invalid context + at kernel/locking/mutex.c:283 + in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... + preempt_count: 1, expected: 0 + ... + Call Trace: + ... + __might_resched+0x104/0x10e + __might_sleep+0x3e/0x62 + mutex_lock+0x20/0x4c + regmap_lock_mutex+0x10/0x18 + regmap_update_bits_base+0x2c/0x66 + mcp23s08_irq_set_type+0x1ae/0x1d6 + __irq_set_trigger+0x56/0x172 + __setup_irq+0x1e6/0x646 + request_threaded_irq+0xb6/0x160 + ... + +We observed the problem while experimenting with a touchscreen driver which +used MCP23017 IO expander (I2C). + +The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from +concurrent accesses, which is the default for regmaps without .fast_io, +.disable_locking, etc. + +mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter +locks the mutex. + +However, __setup_irq() locks desc->lock spinlock before calling these +functions. As a result, the system tries to lock the mutex whole holding +the spinlock. + +It seems, the internal regmap locks are not needed in this driver at all. +mcp->lock seems to protect the regmap from concurrent accesses already, +except, probably, in mcp_pinconf_get/set. + +mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under +chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes +mcp->lock and enables regmap caching, so that the potentially slow I2C +accesses are deferred until chip_bus_unlock(). + +The accesses to the regmap from mcp23s08_probe_one() do not need additional +locking. + +In all remaining places where the regmap is accessed, except +mcp_pinconf_get/set(), the driver already takes mcp->lock. + +This patch adds locking in mcp_pinconf_get/set() and disables internal +locking in the regmap config. Among other things, it fixes the sleeping +in atomic context described above. + +Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") +Cc: stable@vger.kernel.org +Signed-off-by: Evgenii Shatokhin +Link: https://lore.kernel.org/20241209074659.1442898-1-e.shatokhin@yadro.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -85,6 +85,7 @@ const struct regmap_config mcp23x08_regm + .num_reg_defaults = ARRAY_SIZE(mcp23x08_defaults), + .cache_type = REGCACHE_FLAT, + .max_register = MCP_OLAT, ++ .disable_locking = true, /* mcp->lock protects the regmap */ + }; + EXPORT_SYMBOL_GPL(mcp23x08_regmap); + +@@ -131,6 +132,7 @@ const struct regmap_config mcp23x17_regm + .num_reg_defaults = ARRAY_SIZE(mcp23x17_defaults), + .cache_type = REGCACHE_FLAT, + .val_format_endian = REGMAP_ENDIAN_LITTLE, ++ .disable_locking = true, /* mcp->lock protects the regmap */ + }; + EXPORT_SYMBOL_GPL(mcp23x17_regmap); + +@@ -228,7 +230,9 @@ static int mcp_pinconf_get(struct pinctr + + switch (param) { + case PIN_CONFIG_BIAS_PULL_UP: ++ mutex_lock(&mcp->lock); + ret = mcp_read(mcp, MCP_GPPU, &data); ++ mutex_unlock(&mcp->lock); + if (ret < 0) + return ret; + status = (data & BIT(pin)) ? 1 : 0; +@@ -257,7 +261,9 @@ static int mcp_pinconf_set(struct pinctr + + switch (param) { + case PIN_CONFIG_BIAS_PULL_UP: ++ mutex_lock(&mcp->lock); + ret = mcp_set_bit(mcp, MCP_GPPU, pin, arg); ++ mutex_unlock(&mcp->lock); + break; + default: + dev_dbg(mcp->dev, "Invalid config param %04x\n", param); diff --git a/queue-6.1/rdma-uverbs-prevent-integer-overflow-issue.patch b/queue-6.1/rdma-uverbs-prevent-integer-overflow-issue.patch new file mode 100644 index 00000000000..9399378bd43 --- /dev/null +++ b/queue-6.1/rdma-uverbs-prevent-integer-overflow-issue.patch @@ -0,0 +1,74 @@ +From d0257e089d1bbd35c69b6c97ff73e3690ab149a9 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 30 Nov 2024 13:06:41 +0300 +Subject: RDMA/uverbs: Prevent integer overflow issue + +From: Dan Carpenter + +commit d0257e089d1bbd35c69b6c97ff73e3690ab149a9 upstream. + +In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 +values that come from the user so the multiplication can lead to integer +wrapping. Then we pass the result to uverbs_request_next_ptr() which also +could potentially wrap. The "cmd.sge_count * sizeof(struct ib_uverbs_sge)" +multiplication can also overflow on 32bit systems although it's fine on +64bit systems. + +This patch does two things. First, I've re-arranged the condition in +uverbs_request_next_ptr() so that the use controlled variable "len" is on +one side of the comparison by itself without any math. Then I've modified +all the callers to use size_mul() for the multiplications. + +Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/b8765ab3-c2da-4611-aae0-ddd6ba173d23@stanley.mountain +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_cmd.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -161,7 +161,7 @@ static const void __user *uverbs_request + { + const void __user *res = iter->cur; + +- if (iter->cur + len > iter->end) ++ if (len > iter->end - iter->cur) + return (void __force __user *)ERR_PTR(-ENOSPC); + iter->cur += len; + return res; +@@ -2009,11 +2009,13 @@ static int ib_uverbs_post_send(struct uv + ret = uverbs_request_start(attrs, &iter, &cmd, sizeof(cmd)); + if (ret) + return ret; +- wqes = uverbs_request_next_ptr(&iter, cmd.wqe_size * cmd.wr_count); ++ wqes = uverbs_request_next_ptr(&iter, size_mul(cmd.wqe_size, ++ cmd.wr_count)); + if (IS_ERR(wqes)) + return PTR_ERR(wqes); +- sgls = uverbs_request_next_ptr( +- &iter, cmd.sge_count * sizeof(struct ib_uverbs_sge)); ++ sgls = uverbs_request_next_ptr(&iter, ++ size_mul(cmd.sge_count, ++ sizeof(struct ib_uverbs_sge))); + if (IS_ERR(sgls)) + return PTR_ERR(sgls); + ret = uverbs_request_finish(&iter); +@@ -2199,11 +2201,11 @@ ib_uverbs_unmarshall_recv(struct uverbs_ + if (wqe_size < sizeof(struct ib_uverbs_recv_wr)) + return ERR_PTR(-EINVAL); + +- wqes = uverbs_request_next_ptr(iter, wqe_size * wr_count); ++ wqes = uverbs_request_next_ptr(iter, size_mul(wqe_size, wr_count)); + if (IS_ERR(wqes)) + return ERR_CAST(wqes); +- sgls = uverbs_request_next_ptr( +- iter, sge_count * sizeof(struct ib_uverbs_sge)); ++ sgls = uverbs_request_next_ptr(iter, size_mul(sge_count, ++ sizeof(struct ib_uverbs_sge))); + if (IS_ERR(sgls)) + return ERR_CAST(sgls); + ret = uverbs_request_finish(iter); diff --git a/queue-6.1/series b/queue-6.1/series index f003423b01a..31c2bf60609 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -67,3 +67,10 @@ modpost-fix-input-module_device_table-built-for-64-b.patch modpost-fix-the-missed-iteration-for-the-max-bit-in-.patch alsa-hda-realtek-add-quirk-for-framework-f111-000c.patch alsa-seq-oss-fix-races-at-processing-sysex-messages.patch +kcov-mark-in_softirq_really-as-__always_inline.patch +rdma-uverbs-prevent-integer-overflow-issue.patch +pinctrl-mcp23s08-fix-sleeping-in-atomic-context-due-to-regmap-locking.patch +sky2-add-device-id-11ab-4373-for-marvell-88e8075.patch +net-sctp-prevent-autoclose-integer-overflow-in-sctp_association_init.patch +drm-adv7511-drop-dsi-single-lane-support.patch +dt-bindings-display-adi-adv7533-drop-single-lane-support.patch diff --git a/queue-6.1/sky2-add-device-id-11ab-4373-for-marvell-88e8075.patch b/queue-6.1/sky2-add-device-id-11ab-4373-for-marvell-88e8075.patch new file mode 100644 index 00000000000..1d8ece7fa51 --- /dev/null +++ b/queue-6.1/sky2-add-device-id-11ab-4373-for-marvell-88e8075.patch @@ -0,0 +1,31 @@ +From 03c8d0af2e409e15c16130b185e12b5efba0a6b9 Mon Sep 17 00:00:00 2001 +From: Pascal Hambourg +Date: Mon, 23 Dec 2024 17:44:01 +0100 +Subject: sky2: Add device ID 11ab:4373 for Marvell 88E8075 + +From: Pascal Hambourg + +commit 03c8d0af2e409e15c16130b185e12b5efba0a6b9 upstream. + +A Marvell 88E8075 ethernet controller has this device ID instead of +11ab:4370 and works fine with the sky2 driver. + +Signed-off-by: Pascal Hambourg +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/10165a62-99fb-4be6-8c64-84afd6234085@plouf.fr.eu.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/sky2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -130,6 +130,7 @@ static const struct pci_device_id sky2_i + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436C) }, /* 88E8072 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x436D) }, /* 88E8055 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4370) }, /* 88E8075 */ ++ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4373) }, /* 88E8075 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4380) }, /* 88E8057 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4381) }, /* 88E8059 */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL, 0x4382) }, /* 88E8079 */ -- 2.47.3