From 4668590f484d46de384b68b7a69ac7fd71eaa970 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 3 Jun 2024 07:42:16 -0400 Subject: [PATCH] Fixes for 4.19 
Signed-off-by: Sasha Levin --- ...d-.align-2-to-the-end-of-__bug_entry.patch | 160 ++++++++++ ...ways-flush-the-slave-intf-on-the-ctl.patch | 49 +++ ...-msm-dpu-remove-empty-useless-labels.patch | 288 ++++++++++++++++++ ...-msm-dpu-use-kms-stored-hw-mdp-block.patch | 95 ++++++ ...t-ims-pcu-fix-printf-string-overflow.patch | 43 +++ ...rator-correct-vib_max_levels-calcula.patch | 55 ++++ ...r-fix-memleak-in-seg6_hmac_init_algo.patch | 125 ++++++++ ...ap-always-cancel-work-in-cec_transmi.patch | 39 +++ ...c-cec-api-add-locking-in-cec_release.patch | 46 +++ ...x-bounds-checking-in-stk1160_copy_vi.patch | 84 +++++ ...lock-evasion-when-reading-pps_enable.patch | 62 ++++ ...ling-of-zero-length-payload-packets-.patch | 42 +++ ...fc-nci-fix-kcov-check-in-nci_rx_work.patch | 45 +++ ...-nci-fix-uninit-value-in-nci_rx_work.patch | 63 ++++ ...-warning-modpost-missing-module_desc.patch | 34 +++ ...the-skbuff-pkt_type-for-proper-pmtud.patch | 101 ++++++ ...param_set_uint_minmax-to-common-code.patch | 99 ++++++ ...add-failure-related-checks-for-h_get.patch | 86 ++++++ queue-4.19/series | 25 ++ ...-out-of-bounds-in-dctcp_update_alpha.patch | 125 ++++++++ ...yte-limit-for-initial-tp-rcv_wnd-val.patch | 76 +++++ ...winch_handlers-before-registering-wi.patch | 68 +++++ .../um-fix-return-value-in-ubd_init.patch | 46 +++ ...ing-prototypes-warning-for-__switch_.patch | 48 +++ ...-in-vp_find_vqs_msix-when-request_ir.patch | 94 ++++++ ...ct-arch_want_frame_pointers-again-wh.patch | 63 ++++ 26 files changed, 2061 insertions(+) create mode 100644 queue-4.19/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch create mode 100644 queue-4.19/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch create mode 100644 queue-4.19/drm-msm-dpu-remove-empty-useless-labels.patch create mode 100644 queue-4.19/drm-msm-dpu-use-kms-stored-hw-mdp-block.patch create mode 100644 queue-4.19/input-ims-pcu-fix-printf-string-overflow.patch create mode 100644 
queue-4.19/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch create mode 100644 queue-4.19/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch create mode 100644 queue-4.19/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch create mode 100644 queue-4.19/media-cec-cec-api-add-locking-in-cec_release.patch create mode 100644 queue-4.19/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch create mode 100644 queue-4.19/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch create mode 100644 queue-4.19/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch create mode 100644 queue-4.19/nfc-nci-fix-kcov-check-in-nci_rx_work.patch create mode 100644 queue-4.19/nfc-nci-fix-uninit-value-in-nci_rx_work.patch create mode 100644 queue-4.19/null_blk-fix-the-warning-modpost-missing-module_desc.patch create mode 100644 queue-4.19/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch create mode 100644 queue-4.19/params-lift-param_set_uint_minmax-to-common-code.patch create mode 100644 queue-4.19/powerpc-pseries-add-failure-related-checks-for-h_get.patch create mode 100644 queue-4.19/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch create mode 100644 queue-4.19/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch create mode 100644 queue-4.19/um-add-winch-to-winch_handlers-before-registering-wi.patch create mode 100644 queue-4.19/um-fix-return-value-in-ubd_init.patch create mode 100644 queue-4.19/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch create mode 100644 queue-4.19/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch create mode 100644 queue-4.19/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch diff --git a/queue-4.19/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch b/queue-4.19/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch new file mode 100644 index 00000000000..392b8610b6d --- /dev/null +++ b/queue-4.19/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch 
@@ -0,0 +1,160 @@ +From b2cd0eff96886c9c7911dc12f179589a8fd79f52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 May 2024 21:34:37 +0800 +Subject: arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY + +From: Jiangfeng Xiao + +[ Upstream commit ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f ] + +When CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes +to bug_table entries, and as a result the last entry in a bug table will +be ignored, potentially leading to an unexpected panic(). All prior +entries in the table will be handled correctly. + +The arm64 ABI requires that struct fields of up to 8 bytes are +naturally-aligned, with padding added within a struct such that struct +are suitably aligned within arrays. + +When CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is: + + struct bug_entry { + signed int bug_addr_disp; // 4 bytes + signed int file_disp; // 4 bytes + unsigned short line; // 2 bytes + unsigned short flags; // 2 bytes + } + +... with 12 bytes total, requiring 4-byte alignment. + +When CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is: + + struct bug_entry { + signed int bug_addr_disp; // 4 bytes + unsigned short flags; // 2 bytes + < implicit padding > // 2 bytes + } + +... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing +padding, requiring 4-byte alginment. + +When we create a bug_entry in assembly, we align the start of the entry +to 4 bytes, which implicitly handles padding for any prior entries. +However, we do not align the end of the entry, and so when +CONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding +bytes. 
+ +For the main kernel image this is not a problem as find_bug() doesn't +depend on the trailing padding bytes when searching for entries: + + for (bug = __start___bug_table; bug < __stop___bug_table; ++bug) + if (bugaddr == bug_addr(bug)) + return bug; + +However for modules, module_bug_finalize() depends on the trailing +bytes when calculating the number of entries: + + mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry); + +... and as the last bug_entry lacks the necessary padding bytes, this entry +will not be counted, e.g. in the case of a single entry: + + sechdrs[i].sh_size == 6 + sizeof(struct bug_entry) == 8; + + sechdrs[i].sh_size / sizeof(struct bug_entry) == 0; + +Consequently module_find_bug() will miss the last bug_entry when it does: + + for (i = 0; i < mod->num_bugs; ++i, ++bug) + if (bugaddr == bug_addr(bug)) + goto out; + +... which can lead to a kenrel panic due to an unhandled bug. + +This can be demonstrated with the following module: + + static int __init buginit(void) + { + WARN(1, "hello\n"); + return 0; + } + + static void __exit bugexit(void) + { + } + + module_init(buginit); + module_exit(bugexit); + MODULE_LICENSE("GPL"); + +... 
which will trigger a kernel panic when loaded: + + ------------[ cut here ]------------ + hello + Unexpected kernel BRK exception at EL1 + Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP + Modules linked in: hello(O+) + CPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8 + Hardware name: linux,dummy-virt (DT) + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : buginit+0x18/0x1000 [hello] + lr : buginit+0x18/0x1000 [hello] + sp : ffff800080533ae0 + x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000 + x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58 + x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0 + x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006 + x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720 + x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312 + x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8 + x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000 + x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0 + Call trace: + buginit+0x18/0x1000 [hello] + do_one_initcall+0x80/0x1c8 + do_init_module+0x60/0x218 + load_module+0x1ba4/0x1d70 + __do_sys_init_module+0x198/0x1d0 + __arm64_sys_init_module+0x1c/0x28 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0x40/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x34/0xd8 + el0t_64_sync_handler+0x120/0x12c + el0t_64_sync+0x190/0x194 + Code: d0ffffe0 910003fd 91000000 9400000b (d4210000) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: BRK handler: Fatal exception + +Fix this by always aligning the end of a bug_entry to 4 bytes, which is +correct regardless of CONFIG_DEBUG_BUGVERBOSE. 
+ +Fixes: 9fb7410f955f ("arm64/BUG: Use BRK instruction for generic BUG traps") + +Signed-off-by: Yuanbin Xie +Signed-off-by: Jiangfeng Xiao +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/1716212077-43826-1-git-send-email-xiaojiangfeng@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/asm-bug.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/include/asm/asm-bug.h b/arch/arm64/include/asm/asm-bug.h +index b3552c4a405f2..04e5be18acb16 100644 +--- a/arch/arm64/include/asm/asm-bug.h ++++ b/arch/arm64/include/asm/asm-bug.h +@@ -39,6 +39,7 @@ + 14470: .long 14471f - 14470b; \ + _BUGVERBOSE_LOCATION(__FILE__, __LINE__) \ + .short flags; \ ++ .align 2; \ + .popsection; \ + 14471: + #else +-- +2.43.0 + diff --git a/queue-4.19/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch b/queue-4.19/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch new file mode 100644 index 00000000000..4f49ca06e21 --- /dev/null +++ b/queue-4.19/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch 
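Review bot: The added `.align 2;` before `.popsection` in the bug-entry macro carries no comment, and the directive is easy to misread: on arm64 `.align` takes a power of two (4 bytes here, matching the commit message), while on some other targets it takes a byte count. I would record the reason next to the macro, for example `/* .align 2 (4 bytes): pad the end of each entry so the section size is a multiple of sizeof(struct bug_entry) */`. The macro begins outside the hunk, so the exact placement of the comment should be checked against the full header.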
@@ -0,0 +1,49 @@ +From a0c0ee1edbbc73e4397621e0026af5b9482ac09a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Apr 2024 01:57:43 +0200 +Subject: drm/msm/dpu: Always flush the slave INTF on the CTL + +From: Marijn Suijten + +[ Upstream commit 2b938c3ab0a69ec6ea587bbf6fc2aec3db4a8736 ] + +As we can clearly see in a downstream kernel [1], flushing the slave INTF +is skipped /only if/ the PPSPLIT topology is active. + +However, when DPU was originally submitted to mainline PPSPLIT was no +longer part of it (seems to have been ripped out before submission), but +this clause was incorrectly ported from the original SDE driver. Given +that there is no support for PPSPLIT (currently), flushing the slave +INTF should /never/ be skipped (as the `if (ppsplit && !master) goto +skip;` clause downstream never becomes true). + +[1]: https://git.codelinaro.org/clo/la/platform/vendor/opensource/display-drivers/-/blob/display-kernel.lnx.5.4.r1-rel/msm/sde/sde_encoder_phys_cmd.c?ref_type=heads#L1131-1139 + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Marijn Suijten +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/589901/ +Link: https://lore.kernel.org/r/20240417-drm-msm-initial-dualpipe-dsc-fixes-v1-3-78ae3ee9a697@somainline.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +index f2aa62bae8bfd..4f5700155383e 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +@@ -514,9 +514,6 @@ static void dpu_encoder_phys_cmd_enable_helper( + + _dpu_encoder_phys_cmd_pingpong_config(phys_enc); + +- if (!dpu_encoder_phys_cmd_is_master(phys_enc)) +- return; +- + ctl = phys_enc->hw_ctl; + ctl->ops.get_bitmask_intf(ctl, 
&flush_mask, phys_enc->intf_idx); + ctl->ops.update_pending_flush(ctl, flush_mask); +-- +2.43.0 + diff --git a/queue-4.19/drm-msm-dpu-remove-empty-useless-labels.patch b/queue-4.19/drm-msm-dpu-remove-empty-useless-labels.patch new file mode 100644 index 00000000000..e95cf8d8d0a --- /dev/null +++ b/queue-4.19/drm-msm-dpu-remove-empty-useless-labels.patch 
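Review bot: With the master check removed, slave encoders now reach `ctl = phys_enc->hw_ctl;` and the `ctl->ops.get_bitmask_intf()` call, so this path depends on `hw_ctl` being non-NULL for every encoder rather than only the master. The start of `dpu_encoder_phys_cmd_enable_helper()` is outside the hunk, so I cannot see whether `hw_ctl` is validated there; this should be confirmed on the 4.19 tree the patch is queued for. If it is not validated, a guard such as `if (!phys_enc->hw_ctl) return;` before the assignment would avoid a NULL dereference for an encoder without a CTL.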
@@ -0,0 +1,288 @@ +From 99ed5fb980b740da9246f1862dc9fafcbb4d545a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Sep 2018 10:58:17 -0400 +Subject: drm/msm: dpu: Remove empty/useless labels + +From: Sean Paul + +[ Upstream commit 0841851f3b22bc1da09683aa458efe9f9e2abf51 ] + +I noticed an empty label while driving by and decided to use +coccinelle to see if there were any more. Here's the spatch and the +invocation: +--- + +@@ +identifier lbl; +expression E; +@@ + +- goto lbl; ++ return E; +... +- lbl: + return E; + +@@ +identifier lbl; +@@ + +- goto lbl; ++ return; +... +- lbl: +- return; + +--- +spatch --allow-inconsistent-paths --sp-file file.spatch --dir +drivers/gpu/drm/msm/disp/dpu1 --in-place +--- + +Reviewed-by: Jeykumar Sankaran +Signed-off-by: Sean Paul + +Signed-off-by: Rob Clark +Stable-dep-of: 2b938c3ab0a6 ("drm/msm/dpu: Always flush the slave INTF on the CTL") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c | 5 ++--- + .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 8 ++------ + drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c | 5 ++--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_pingpong.c | 3 +-- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 15 ++++++--------- + drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 3 +-- + drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c | 4 +--- + 7 files changed, 15 insertions(+), 28 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c +index 41c5191f9056c..affc9738e2b5b 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c +@@ -68,7 +68,7 @@ static bool _dpu_core_video_mode_intf_connected(struct drm_crtc *crtc) + bool intf_connected = false; + + if (!crtc) +- goto end; ++ return intf_connected; + + drm_for_each_crtc(tmp_crtc, crtc->dev) { + if ((dpu_crtc_get_intf_mode(tmp_crtc) == INTF_MODE_VIDEO) && +@@ -76,11 +76,10 @@ static bool 
_dpu_core_video_mode_intf_connected(struct drm_crtc *crtc) + DPU_DEBUG("video interface connected crtc:%d\n", + tmp_crtc->base.id); + intf_connected = true; +- goto end; ++ return intf_connected; + } + } + +-end: + return intf_connected; + } + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +index c8c4612dc34dd..f2aa62bae8bfd 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +@@ -515,14 +515,11 @@ static void dpu_encoder_phys_cmd_enable_helper( + _dpu_encoder_phys_cmd_pingpong_config(phys_enc); + + if (!dpu_encoder_phys_cmd_is_master(phys_enc)) +- goto skip_flush; ++ return; + + ctl = phys_enc->hw_ctl; + ctl->ops.get_bitmask_intf(ctl, &flush_mask, phys_enc->intf_idx); + ctl->ops.update_pending_flush(ctl, flush_mask); +- +-skip_flush: +- return; + } + + static void dpu_encoder_phys_cmd_enable(struct dpu_encoder_phys *phys_enc) +@@ -832,7 +829,7 @@ struct dpu_encoder_phys *dpu_encoder_phys_cmd_init( + if (!cmd_enc) { + ret = -ENOMEM; + DPU_ERROR("failed to allocate\n"); +- goto fail; ++ return ERR_PTR(ret); + } + phys_enc = &cmd_enc->base; + phys_enc->hw_mdptop = p->dpu_kms->hw_mdp; +@@ -890,6 +887,5 @@ struct dpu_encoder_phys *dpu_encoder_phys_cmd_init( + + return phys_enc; + +-fail: + return ERR_PTR(ret); + } +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c +index bfcd165e96dfe..0aa9b8e1ae707 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_formats.c +@@ -921,7 +921,7 @@ static int _dpu_format_populate_addrs_ubwc( + + layout->plane_size[2] + layout->plane_size[3]; + + if (!meta) +- goto done; ++ return 0; + + /* configure Y metadata plane */ + layout->plane_addr[2] = base_addr; +@@ -952,12 +952,11 @@ static int _dpu_format_populate_addrs_ubwc( + layout->plane_addr[1] = 0; + + if (!meta) +- goto done; ++ return 0; 
+ + layout->plane_addr[2] = base_addr; + layout->plane_addr[3] = 0; + } +-done: + return 0; + } + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_pingpong.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_pingpong.c +index cc3a623903f4f..52fca13da1765 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_pingpong.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_pingpong.c +@@ -177,7 +177,7 @@ static u32 dpu_hw_pp_get_line_count(struct dpu_hw_pingpong *pp) + height = DPU_REG_READ(c, PP_SYNC_CONFIG_HEIGHT) & 0xFFFF; + + if (height < init) +- goto line_count_exit; ++ return line; + + line = DPU_REG_READ(c, PP_INT_COUNT_VAL) & 0xFFFF; + +@@ -186,7 +186,6 @@ static u32 dpu_hw_pp_get_line_count(struct dpu_hw_pingpong *pp) + else + line -= init; + +-line_count_exit: + return line; + } + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index 57b40cf0f199f..c20fdb21570d9 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -974,20 +974,20 @@ static int dpu_kms_hw_init(struct msm_kms *kms) + + if (!kms) { + DPU_ERROR("invalid kms\n"); +- goto end; ++ return rc; + } + + dpu_kms = to_dpu_kms(kms); + dev = dpu_kms->dev; + if (!dev) { + DPU_ERROR("invalid device\n"); +- goto end; ++ return rc; + } + + rc = dpu_dbg_init(&dpu_kms->pdev->dev); + if (rc) { + DRM_ERROR("failed to init dpu dbg: %d\n", rc); +- goto end; ++ return rc; + } + + priv = dev->dev_private; +@@ -1169,7 +1169,6 @@ static int dpu_kms_hw_init(struct msm_kms *kms) + _dpu_kms_hw_destroy(dpu_kms); + dbg_destroy: + dpu_dbg_destroy(); +-end: + return rc; + } + +@@ -1274,7 +1273,7 @@ static int __maybe_unused dpu_runtime_suspend(struct device *dev) + ddev = dpu_kms->dev; + if (!ddev) { + DPU_ERROR("invalid drm_device\n"); +- goto exit; ++ return rc; + } + + rc = dpu_power_resource_enable(&dpu_kms->phandle, +@@ -1286,7 +1285,6 @@ static int __maybe_unused dpu_runtime_suspend(struct device *dev) + if (rc) + DPU_ERROR("clock disable 
failed rc:%d\n", rc); + +-exit: + return rc; + } + +@@ -1301,13 +1299,13 @@ static int __maybe_unused dpu_runtime_resume(struct device *dev) + ddev = dpu_kms->dev; + if (!ddev) { + DPU_ERROR("invalid drm_device\n"); +- goto exit; ++ return rc; + } + + rc = msm_dss_enable_clk(mp->clk_config, mp->num_clk, true); + if (rc) { + DPU_ERROR("clock enable failed rc:%d\n", rc); +- goto exit; ++ return rc; + } + + rc = dpu_power_resource_enable(&dpu_kms->phandle, +@@ -1315,7 +1313,6 @@ static int __maybe_unused dpu_runtime_resume(struct device *dev) + if (rc) + DPU_ERROR("resource enable failed: %d\n", rc); + +-exit: + return rc; + } + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +index 4ac2b0c669b74..616b7abc59643 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +@@ -1874,7 +1874,7 @@ struct drm_plane *dpu_plane_init(struct drm_device *dev, + if (!pdpu) { + DPU_ERROR("[%u]failed to allocate local plane struct\n", pipe); + ret = -ENOMEM; +- goto exit; ++ return ERR_PTR(ret); + } + + /* cache local stuff for later */ +@@ -1966,6 +1966,5 @@ struct drm_plane *dpu_plane_init(struct drm_device *dev, + dpu_hw_sspp_destroy(pdpu->pipe_hw); + clean_plane: + kfree(pdpu); +-exit: + return ERR_PTR(ret); + } +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c +index 24d009e066ab6..5c876a57532cb 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c +@@ -194,7 +194,7 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms, + ot_lim = _dpu_vbif_get_ot_limit(vbif, params) & 0xFF; + + if (ot_lim == 0) +- goto exit; ++ return; + + trace_dpu_perf_set_ot(params->num, params->xin_id, ot_lim, + params->vbif_idx); +@@ -213,8 +213,6 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms, + + if (forced_on) + mdp->ops.setup_clk_force_ctrl(mdp, params->clk_ctrl, false); +-exit: +- return; + } + + void 
dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms, +-- +2.43.0 + diff --git a/queue-4.19/drm-msm-dpu-use-kms-stored-hw-mdp-block.patch b/queue-4.19/drm-msm-dpu-use-kms-stored-hw-mdp-block.patch new file mode 100644 index 00000000000..82f8bced594 --- /dev/null +++ b/queue-4.19/drm-msm-dpu-use-kms-stored-hw-mdp-block.patch 
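Review bot: In `dpu_encoder_phys_cmd_init()` the removal of the `fail:` label leaves `return ERR_PTR(ret);` directly after `return phys_enc;`, so that last statement is now unreachable and should be dropped. The mechanical rewrite also produces returns that hide the value being returned, e.g. `return intf_connected;` under `if (!crtc)` and `return line;` before `line` is read from the register; `return false;` and an explicit constant would state the result. In `dpu_kms_hw_init()` the early `return rc;` for a NULL `kms` relies on the initial value of `rc`, which is declared outside the hunk, so it is worth checking that it is an error code and not 0.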
@@ -0,0 +1,95 @@ +From 7a780e2e4a1156108831b1c9ea98ad7c02f69b9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Sep 2018 19:08:16 -0700 +Subject: drm/msm/dpu: use kms stored hw mdp block + +From: Jeykumar Sankaran + +[ Upstream commit 57250ca5433306774e7f83b11503609ed1bf28cf ] + +Avoid querying RM for hw mdp block. Use the one +stored in KMS during initialization. + +changes in v4: + - none +changes in v5: + - none + +Signed-off-by: Jeykumar Sankaran +Reviewed-by: Sean Paul +Signed-off-by: Sean Paul +Signed-off-by: Rob Clark +Stable-dep-of: 2b938c3ab0a6 ("drm/msm/dpu: Always flush the slave INTF on the CTL") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 12 +----------- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 9 +-------- + 2 files changed, 2 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +index 3084675ed4257..c8c4612dc34dd 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c +@@ -823,7 +823,6 @@ struct dpu_encoder_phys *dpu_encoder_phys_cmd_init( + { + struct dpu_encoder_phys *phys_enc = NULL; + struct dpu_encoder_phys_cmd *cmd_enc = NULL; +- struct dpu_hw_mdp *hw_mdp; + struct dpu_encoder_irq *irq; + int i, ret = 0; + +@@ -836,14 +835,7 @@ struct dpu_encoder_phys *dpu_encoder_phys_cmd_init( + goto fail; + } + phys_enc = &cmd_enc->base; +- +- hw_mdp = dpu_rm_get_mdp(&p->dpu_kms->rm); +- if (IS_ERR_OR_NULL(hw_mdp)) { +- ret = PTR_ERR(hw_mdp); +- DPU_ERROR("failed to get mdptop\n"); +- goto fail_mdp_init; +- } +- phys_enc->hw_mdptop = hw_mdp; ++ phys_enc->hw_mdptop = p->dpu_kms->hw_mdp; + phys_enc->intf_idx = p->intf_idx; + + dpu_encoder_phys_cmd_init_ops(&phys_enc->ops); +@@ -898,8 +890,6 @@ struct dpu_encoder_phys *dpu_encoder_phys_cmd_init( + + return phys_enc; + +-fail_mdp_init: +- kfree(cmd_enc); + fail: + return 
ERR_PTR(ret); + } +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +index c9962a36b86b8..15a1277fe3540 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c +@@ -829,7 +829,6 @@ struct dpu_encoder_phys *dpu_encoder_phys_vid_init( + struct dpu_encoder_phys *phys_enc = NULL; + struct dpu_encoder_phys_vid *vid_enc = NULL; + struct dpu_rm_hw_iter iter; +- struct dpu_hw_mdp *hw_mdp; + struct dpu_encoder_irq *irq; + int i, ret = 0; + +@@ -846,13 +845,7 @@ struct dpu_encoder_phys *dpu_encoder_phys_vid_init( + + phys_enc = &vid_enc->base; + +- hw_mdp = dpu_rm_get_mdp(&p->dpu_kms->rm); +- if (IS_ERR_OR_NULL(hw_mdp)) { +- ret = PTR_ERR(hw_mdp); +- DPU_ERROR("failed to get mdptop\n"); +- goto fail; +- } +- phys_enc->hw_mdptop = hw_mdp; ++ phys_enc->hw_mdptop = p->dpu_kms->hw_mdp; + phys_enc->intf_idx = p->intf_idx; + + /** +-- +2.43.0 + diff --git a/queue-4.19/input-ims-pcu-fix-printf-string-overflow.patch b/queue-4.19/input-ims-pcu-fix-printf-string-overflow.patch new file mode 100644 index 00000000000..a9431725e2c --- /dev/null +++ b/queue-4.19/input-ims-pcu-fix-printf-string-overflow.patch 
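Review bot: The new assignment `phys_enc->hw_mdptop = p->dpu_kms->hw_mdp;` in both init functions drops the `IS_ERR_OR_NULL()` validation that the removed lookup had, so an unset or error pointer stored in KMS would now be carried into the encoder and only fail at a later dereference. Where `dpu_kms->hw_mdp` is assigned is not visible here; confirm on 4.19 that it is set and checked before any encoder is created. If that ordering is not guaranteed, keep a check such as `if (IS_ERR_OR_NULL(p->dpu_kms->hw_mdp))` that takes the function's existing failure path. Both function bodies continue outside the hunks.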
@@ -0,0 +1,43 @@ +From 7c3a7edfd6b3e5eda196fd84573d5a71fe0d9ebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 13:28:56 -0700 +Subject: Input: ims-pcu - fix printf string overflow + +From: Arnd Bergmann + +[ Upstream commit bf32bceedd0453c70d9d022e2e29f98e446d7161 ] + +clang warns about a string overflow in this driver + +drivers/input/misc/ims-pcu.c:1802:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation] +drivers/input/misc/ims-pcu.c:1814:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation] + +Make the buffer a little longer to ensure it always fits. + +Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20240326223825.4084412-7-arnd@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/ims-pcu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c +index 3d51175c4d720..ceb42b17bb948 100644 +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -47,8 +47,8 @@ struct ims_pcu_backlight { + #define IMS_PCU_PART_NUMBER_LEN 15 + #define IMS_PCU_SERIAL_NUMBER_LEN 8 + #define IMS_PCU_DOM_LEN 8 +-#define IMS_PCU_FW_VERSION_LEN (9 + 1) +-#define IMS_PCU_BL_VERSION_LEN (9 + 1) ++#define IMS_PCU_FW_VERSION_LEN 16 ++#define IMS_PCU_BL_VERSION_LEN 16 + #define IMS_PCU_BL_RESET_REASON_LEN (2 + 1) + + #define IMS_PCU_PCU_B_DEVICE_ID 5 +-- +2.43.0 + diff --git a/queue-4.19/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch b/queue-4.19/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch new file mode 100644 index 00000000000..808b1f02367 --- /dev/null +++ b/queue-4.19/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch 
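Review bot: The new value `16` for `IMS_PCU_FW_VERSION_LEN` and `IMS_PCU_BL_VERSION_LEN` is an unexplained constant, whereas the neighbouring `(2 + 1)` still shows how its size was derived. A comment would stop the buffers being shrunk again, for example `/* snprintf() format expands to at least 12 bytes; 16 leaves headroom */`. The `snprintf()` calls are outside the hunk; because the defect was truncation of the version string rather than a write past the buffer, checking their return value against the buffer size would also catch a future format change.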
@@ -0,0 +1,55 @@ +From 24ebade7bfd57364eac27aff089e64290152e7e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 16:03:40 -0700 +Subject: Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation + +From: Fenglin Wu + +[ Upstream commit 48c0687a322d54ac7e7a685c0b6db78d78f593af ] + +The output voltage is inclusive hence the max level calculation is +off-by-one-step. Correct it. + +iWhile we are at it also add a define for the step size instead of +using the magic value. + +Fixes: 11205bb63e5c ("Input: add support for pm8xxx based vibrator driver") +Signed-off-by: Fenglin Wu +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240412-pm8xxx-vibrator-new-design-v10-1-0ec0ad133866@quicinc.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/pm8xxx-vibrator.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/misc/pm8xxx-vibrator.c b/drivers/input/misc/pm8xxx-vibrator.c +index 27b3db154a33f..97bf7d94e8c6e 100644 +--- a/drivers/input/misc/pm8xxx-vibrator.c ++++ b/drivers/input/misc/pm8xxx-vibrator.c +@@ -22,7 +22,8 @@ + + #define VIB_MAX_LEVEL_mV (3100) + #define VIB_MIN_LEVEL_mV (1200) +-#define VIB_MAX_LEVELS (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV) ++#define VIB_PER_STEP_mV (100) ++#define VIB_MAX_LEVELS (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV + VIB_PER_STEP_mV) + + #define MAX_FF_SPEED 0xff + +@@ -126,10 +127,10 @@ static void pm8xxx_work_handler(struct work_struct *work) + vib->active = true; + vib->level = ((VIB_MAX_LEVELS * vib->speed) / MAX_FF_SPEED) + + VIB_MIN_LEVEL_mV; +- vib->level /= 100; ++ vib->level /= VIB_PER_STEP_mV; + } else { + vib->active = false; +- vib->level = VIB_MIN_LEVEL_mV / 100; ++ vib->level = VIB_MIN_LEVEL_mV / VIB_PER_STEP_mV; + } + + pm8xxx_vib_set(vib, vib->active); +-- +2.43.0 + 
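Review bot: With `VIB_MAX_LEVELS` now 2000, the unchanged expression in `pm8xxx_work_handler()` yields `(2000 * 0xff) / 0xff + 1200 = 3200` when `vib->speed == MAX_FF_SPEED`, and `3200 / VIB_PER_STEP_mV` is 32, one step above `VIB_MAX_LEVEL_mV / VIB_PER_STEP_mV` (31). Whether `speed` can reach 0xff and how `pm8xxx_vib_set()` encodes the level are outside the hunk, so this needs checking against the width of the register field. If the documented maximum must hold, clamp after the division: `if (vib->level > VIB_MAX_LEVEL_mV / VIB_PER_STEP_mV) vib->level = VIB_MAX_LEVEL_mV / VIB_PER_STEP_mV;`.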
diff --git a/queue-4.19/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch b/queue-4.19/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch new file mode 100644 index 00000000000..c9c43320da2 --- /dev/null +++ b/queue-4.19/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch 
@@ -0,0 +1,125 @@ +From ed8a0baedc8af7472b144b94b7c823d0d25afcef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 08:54:35 +0800 +Subject: ipv6: sr: fix memleak in seg6_hmac_init_algo + +From: Hangbin Liu + +[ Upstream commit efb9f4f19f8e37fde43dfecebc80292d179f56c6 ] + +seg6_hmac_init_algo returns without cleaning up the previous allocations +if one fails, so it's going to leak all that memory and the crypto tfms. + +Update seg6_hmac_exit to only free the memory when allocated, so we can +reuse the code directly. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Reported-by: Sabrina Dubroca +Closes: https://lore.kernel.org/netdev/Zj3bh-gE7eT6V6aH@hog/ +Signed-off-by: Hangbin Liu +Reviewed-by: Simon Horman +Reviewed-by: Sabrina Dubroca +Link: https://lore.kernel.org/r/20240517005435.2600277-1-liuhangbin@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_hmac.c | 42 ++++++++++++++++++++++++++++-------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c +index b801283da28df..9a077a4fa10e4 100644 +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -361,6 +361,7 @@ static int seg6_hmac_init_algo(void) + struct crypto_shash *tfm; + struct shash_desc *shash; + int i, alg_count, cpu; ++ int ret = -ENOMEM; + + alg_count = ARRAY_SIZE(hmac_algos); + +@@ -371,12 +372,14 @@ static int seg6_hmac_init_algo(void) + algo = &hmac_algos[i]; + algo->tfms = alloc_percpu(struct crypto_shash *); + if (!algo->tfms) +- return -ENOMEM; ++ goto error_out; + + for_each_possible_cpu(cpu) { + tfm = crypto_alloc_shash(algo->name, 0, 0); +- if (IS_ERR(tfm)) +- return PTR_ERR(tfm); ++ if (IS_ERR(tfm)) { ++ ret = PTR_ERR(tfm); ++ goto error_out; ++ } + p_tfm = per_cpu_ptr(algo->tfms, cpu); + *p_tfm = tfm; + } +@@ -388,18 +391,22 @@ static int seg6_hmac_init_algo(void) + + algo->shashs = alloc_percpu(struct shash_desc *); + if (!algo->shashs) +- 
return -ENOMEM; ++ goto error_out; + + for_each_possible_cpu(cpu) { + shash = kzalloc_node(shsize, GFP_KERNEL, + cpu_to_node(cpu)); + if (!shash) +- return -ENOMEM; ++ goto error_out; + *per_cpu_ptr(algo->shashs, cpu) = shash; + } + } + + return 0; ++ ++error_out: ++ seg6_hmac_exit(); ++ return ret; + } + + int __init seg6_hmac_init(void) +@@ -419,22 +426,29 @@ int __net_init seg6_hmac_net_init(struct net *net) + void seg6_hmac_exit(void) + { + struct seg6_hmac_algo *algo = NULL; ++ struct crypto_shash *tfm; ++ struct shash_desc *shash; + int i, alg_count, cpu; + + alg_count = ARRAY_SIZE(hmac_algos); + for (i = 0; i < alg_count; i++) { + algo = &hmac_algos[i]; +- for_each_possible_cpu(cpu) { +- struct crypto_shash *tfm; +- struct shash_desc *shash; + +- shash = *per_cpu_ptr(algo->shashs, cpu); +- kfree(shash); +- tfm = *per_cpu_ptr(algo->tfms, cpu); +- crypto_free_shash(tfm); ++ if (algo->shashs) { ++ for_each_possible_cpu(cpu) { ++ shash = *per_cpu_ptr(algo->shashs, cpu); ++ kfree(shash); ++ } ++ free_percpu(algo->shashs); ++ } ++ ++ if (algo->tfms) { ++ for_each_possible_cpu(cpu) { ++ tfm = *per_cpu_ptr(algo->tfms, cpu); ++ crypto_free_shash(tfm); ++ } ++ free_percpu(algo->tfms); + } +- free_percpu(algo->tfms); +- free_percpu(algo->shashs); + } + } + EXPORT_SYMBOL(seg6_hmac_exit); +-- +2.43.0 + diff --git a/queue-4.19/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch b/queue-4.19/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch new file mode 100644 index 00000000000..a054b944472 --- /dev/null +++ b/queue-4.19/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch 
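Review bot: `seg6_hmac_exit()` now treats a non-NULL `algo->shashs` or `algo->tfms` as meaning "allocated", but both pointers keep their old value after `free_percpu()`, so a second call would free the same memory twice. Adding `algo->shashs = NULL;` and `algo->tfms = NULL;` after the respective `free_percpu()` calls makes the function safe to call repeatedly. The cleanup also passes every per-CPU slot to `kfree()` and `crypto_free_shash()`, including slots never filled when allocation stopped midway; that relies on the per-CPU memory starting zeroed and on `crypto_free_shash()` accepting NULL, which should be confirmed for 4.19. Whether any caller invokes `seg6_hmac_exit()` after a failed `seg6_hmac_init_algo()` is not visible in this hunk.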
@@ -0,0 +1,39 @@ +From b0edbd65ac40901f75a41a4437d1407e2f22051d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2024 12:24:38 +0000 +Subject: media: cec: cec-adap: always cancel work in cec_transmit_msg_fh + +From: Hans Verkuil + +[ Upstream commit 9fe2816816a3c765dff3b88af5b5c3d9bbb911ce ] + +Do not check for !data->completed, just always call +cancel_delayed_work_sync(). This fixes a small race condition. + +Signed-off-by: Hans Verkuil +Reported-by: Yang, Chenyuan +Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/ +Fixes: 490d84f6d73c ("media: cec: forgot to cancel delayed work") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/cec-adap.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c +index 2f49c4db49b35..d73beb1246946 100644 +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -863,8 +863,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, + */ + mutex_unlock(&adap->lock); + wait_for_completion_killable(&data->c); +- if (!data->completed) +- cancel_delayed_work_sync(&data->work); ++ cancel_delayed_work_sync(&data->work); + mutex_lock(&adap->lock); + + /* Cancel the transmit if it was interrupted */ +-- +2.43.0 + diff --git a/queue-4.19/media-cec-cec-api-add-locking-in-cec_release.patch b/queue-4.19/media-cec-cec-api-add-locking-in-cec_release.patch new file mode 100644 index 00000000000..3accd063dae --- /dev/null +++ b/queue-4.19/media-cec-cec-api-add-locking-in-cec_release.patch 
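Review bot: The now unconditional `cancel_delayed_work_sync(&data->work);` in `cec_transmit_msg_fh()` has no comment explaining why the `data->completed` test must not return, and the removed form looks like a harmless shortcut that a later cleanup could reintroduce. I would add a line above the call such as `/* always cancel: testing data->completed first is racy */`. The function continues outside the hunk, so the handling of an interrupted wait is not reviewed here.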
@@ -0,0 +1,46 @@
+From 8f8d01d74e344cc36f11369618694e60f220e8ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Feb 2024 12:25:55 +0000
+Subject: media: cec: cec-api: add locking in cec_release()
+
+From: Hans Verkuil
+
+[ Upstream commit 42bcaacae924bf18ae387c3f78c202df0b739292 ]
+
+When cec_release() uses fh->msgs it has to take fh->lock,
+otherwise the list can get corrupted.
+
+Signed-off-by: Hans Verkuil
+Reported-by: Yang, Chenyuan
+Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/
+Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/cec/cec-api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c
+index b2b3f779592fd..d4c848c2f3764 100644
+--- a/drivers/media/cec/cec-api.c
++++ b/drivers/media/cec/cec-api.c
+@@ -660,6 +660,8 @@ static int cec_release(struct inode *inode, struct file *filp)
+ list_del(&data->xfer_list);
+ }
+ mutex_unlock(&adap->lock);
++
++ mutex_lock(&fh->lock);
+ while (!list_empty(&fh->msgs)) {
+ struct cec_msg_entry *entry =
+ list_first_entry(&fh->msgs, struct cec_msg_entry, list);
+@@ -677,6 +679,7 @@ static int cec_release(struct inode *inode, struct file *filp)
+ kfree(entry);
+ }
+ }
++ mutex_unlock(&fh->lock);
+ kfree(fh);
+
+ cec_put_device(devnode);
+-- 
+2.43.0
+
diff --git a/queue-4.19/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch b/queue-4.19/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch
new file mode 100644
index 00000000000..1d69d202c14
--- /dev/null
+++ b/queue-4.19/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch
@@ -0,0 +1,84 @@
+From b16084186906c418510b341520b88d968464a933 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Apr 2024 12:32:44 +0300
+Subject: media: stk1160: fix bounds checking in stk1160_copy_video()
+
+From: Dan Carpenter
+
+[ Upstream commit faa4364bef2ec0060de381ff028d1d836600a381 ]
+
+The subtract in this condition is reversed. The ->length is the length
+of the buffer. The ->bytesused is how many bytes we have copied thus
+far. When the condition is reversed that means the result of the
+subtraction is always negative but since it's unsigned then the result
+is a very high positive value. That means the overflow check is never
+true.
+
+Additionally, the ->bytesused doesn't actually work for this purpose
+because we're not writing to "buf->mem + buf->bytesused". Instead, the
+math to calculate the destination where we are writing is a bit
+involved. You calculate the number of full lines already written,
+multiply by two, skip a line if necessary so that we start on an odd
+numbered line, and add the offset into the line.
+
+To fix this buffer overflow, just take the actual destination where we
+are writing, if the offset is already out of bounds print an error and
+return. Otherwise, write up to buf->length bytes.
+
+Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Ricardo Ribalda
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/stk1160/stk1160-video.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c
+index 0e98b450ae01b..687c7b6a0c303 100644
+--- a/drivers/media/usb/stk1160/stk1160-video.c
++++ b/drivers/media/usb/stk1160/stk1160-video.c
+@@ -109,7 +109,7 @@ void stk1160_buffer_done(struct stk1160 *dev)
+ static inline
+ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
+ {
+- int linesdone, lineoff, lencopy;
++ int linesdone, lineoff, lencopy, offset;
+ int bytesperline = dev->width * 2;
+ struct stk1160_buffer *buf = dev->isoc_ctl.buf;
+ u8 *dst = buf->mem;
+@@ -149,8 +149,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
+ * Check if we have enough space left in the buffer.
+ * In that case, we force loop exit after copy.
+ */
+- if (lencopy > buf->bytesused - buf->length) {
+- lencopy = buf->bytesused - buf->length;
++ offset = dst - (u8 *)buf->mem;
++ if (offset > buf->length) {
++ dev_warn_ratelimited(dev->dev, "out of bounds offset\n");
++ return;
++ }
++ if (lencopy > buf->length - offset) {
++ lencopy = buf->length - offset;
+ remain = lencopy;
+ }
+
+@@ -192,8 +197,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
+ * Check if we have enough space left in the buffer.
+ * In that case, we force loop exit after copy.
+ */
+- if (lencopy > buf->bytesused - buf->length) {
+- lencopy = buf->bytesused - buf->length;
++ offset = dst - (u8 *)buf->mem;
++ if (offset > buf->length) {
++ dev_warn_ratelimited(dev->dev, "offset out of bounds\n");
++ return;
++ }
++ if (lencopy > buf->length - offset) {
++ lencopy = buf->length - offset;
+ remain = lencopy;
+ }
+
+-- 
+2.43.0
+
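Review bot: Both new checks in stk1160_copy_video() compare the signed `offset` (declared `int` in the first hunk) with `buf->length`, which the commit message implies is unsigned, so a negative offset is rejected only because of the implicit int-to-unsigned conversion; the same conversion governs `lencopy > buf->length - offset`. That dependency deserves a comment above `if (offset > buf->length) {`, for example `/* a negative offset converts to a large unsigned value and is rejected too */`, or an `unsigned int offset` declaration so the intent is visible. The two hunks also log different strings for the same condition (`"out of bounds offset\n"` and `"offset out of bounds\n"`); one message would make the warning easier to search for. The function body starts and ends outside these hunks.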
diff --git a/queue-4.19/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch b/queue-4.19/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch
new file mode 100644
index 00000000000..e7133b369ce
--- /dev/null
+++ b/queue-4.19/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch
@@ -0,0 +1,62 @@
+From 75734664eb0c654e94153690f55bc7c54777f2bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 May 2024 10:38:00 +0800
+Subject: net: fec: avoid lock evasion when reading pps_enable
+
+From: Wei Fang
+
+[ Upstream commit 3b1c92f8e5371700fada307cc8fd2c51fa7bc8c1 ]
+
+The assignment of pps_enable is protected by tmreg_lock, but the read
+operation of pps_enable is not. So the Coverity tool reports a lock
+evasion warning which may cause data race to occur when running in a
+multithread environment. Although this issue is almost impossible to
+occur, we'd better fix it, at least it seems more logically reasonable,
+and it also prevents Coverity from continuing to issue warnings.
+
+Fixes: 278d24047891 ("net: fec: ptp: Enable PPS output based on ptp clock")
+Signed-off-by: Wei Fang
+Link: https://lore.kernel.org/r/20240521023800.17102-1-wei.fang@nxp.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_ptp.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index eb11a8e7fcb7f..abf0b6cddf204 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -108,14 +108,13 @@ static int fec_ptp_enable_pps(struct fec_enet_private *fep, uint enable)
+ return -EINVAL;
+ }
+
+- if (fep->pps_enable == enable)
+- return 0;
+-
+- fep->pps_channel = DEFAULT_PPS_CHANNEL;
+- fep->reload_period = PPS_OUPUT_RELOAD_PERIOD;
+-
+ spin_lock_irqsave(&fep->tmreg_lock, flags);
+
++ if (fep->pps_enable == enable) {
++ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
++ return 0;
++ }
++
+ if (enable) {
+ /* clear capture or output compare interrupt status if have.
+ */
+@@ -446,6 +445,9 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp,
+ int ret = 0;
+
+ if (rq->type == PTP_CLK_REQ_PPS) {
++ fep->pps_channel = DEFAULT_PPS_CHANNEL;
++ fep->reload_period = PPS_OUPUT_RELOAD_PERIOD;
++
+ ret = fec_ptp_enable_pps(fep, on);
+
+ return ret;
+-- 
+2.43.0
+
diff --git a/queue-4.19/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch b/queue-4.19/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch
new file mode 100644
index 00000000000..9e6f2e8e045
--- /dev/null
+++ b/queue-4.19/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch
@@ -0,0 +1,42 @@
+From 12e234f7d79d2b7cf258b17b68eef7f9ee32ebe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 May 2024 00:34:42 +0900
+Subject: nfc: nci: Fix handling of zero-length payload packets in
+ nci_rx_work()
+
+From: Ryosuke Yasuoka
+
+[ Upstream commit 6671e352497ca4bb07a96c48e03907065ff77d8a ]
+
+When nci_rx_work() receives a zero-length payload packet, it should not
+discard the packet and exit the loop. Instead, it should continue
+processing subsequent packets.
+
+Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
+Signed-off-by: Ryosuke Yasuoka
+Reviewed-by: Simon Horman
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20240521153444.535399-1-ryasuoka@redhat.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 0e6bca80265ae..c29d7aee63bd5 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1526,8 +1526,7 @@ static void nci_rx_work(struct work_struct *work)
+
+ if (!nci_valid_size(skb)) {
+ kfree_skb(skb);
+- kcov_remote_stop();
+- break;
++ continue;
+ }
+
+ /* Process frame */
+-- 
+2.43.0
+
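Review bot: In the net-fec patch, the second hunk moves `fep->pps_channel = DEFAULT_PPS_CHANNEL;` and `fep->reload_period = PPS_OUPUT_RELOAD_PERIOD;` into fec_ptp_enable(), where they are written before fec_ptp_enable_pps() takes `tmreg_lock` and now also run when the `pps_enable == enable` early return is taken. If either field is read under `tmreg_lock` elsewhere (not visible in these hunks), the patch closes the lock evasion on `pps_enable` but leaves the same pattern on these two fields. Keeping both assignments in fec_ptp_enable_pps() after the equality check, inside the locked region, would avoid that; failing that, a comment in fec_ptp_enable() should say why no lock is needed. Both functions continue outside the hunks.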
diff --git a/queue-4.19/nfc-nci-fix-kcov-check-in-nci_rx_work.patch b/queue-4.19/nfc-nci-fix-kcov-check-in-nci_rx_work.patch
new file mode 100644
index 00000000000..cddd09067ac
--- /dev/null
+++ b/queue-4.19/nfc-nci-fix-kcov-check-in-nci_rx_work.patch
@@ -0,0 +1,45 @@
+From 025cf48a56a45c4514ae0a562c2b9bbeed55fd91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 5 May 2024 19:36:49 +0900
+Subject: nfc: nci: Fix kcov check in nci_rx_work()
+
+From: Tetsuo Handa
+
+[ Upstream commit 19e35f24750ddf860c51e51c68cf07ea181b4881 ]
+
+Commit 7e8cdc97148c ("nfc: Add KCOV annotations") added
+kcov_remote_start_common()/kcov_remote_stop() pair into nci_rx_work(),
+with an assumption that kcov_remote_stop() is called upon continue of
+the for loop. But commit d24b03535e5e ("nfc: nci: Fix uninit-value in
+nci_dev_up and nci_ntf_packet") forgot to call kcov_remote_stop() before
+break of the for loop.
+
+Reported-by: syzbot
+Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2
+Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
+Suggested-by: Andrey Konovalov
+Signed-off-by: Tetsuo Handa
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/6d10f829-5a0c-405a-b39a-d7266f3a1a0b@I-love.SAKURA.ne.jp
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 6671e352497c ("nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()")
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 6e83159b7b436..0e6bca80265ae 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1526,6 +1526,7 @@ static void nci_rx_work(struct work_struct *work)
+
+ if (!nci_valid_size(skb)) {
+ kfree_skb(skb);
++ kcov_remote_stop();
+ break;
+ }
+
+-- 
+2.43.0
+
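Review bot: The added `kcov_remote_stop();` before `break` in nci_rx_work() only balances a `kcov_remote_start_common()` call that the commit message attributes to 7e8cdc97148c ("nfc: Add KCOV annotations"), and nothing in this hunk shows that annotation in the 4.19 copy of net/nfc/nci/core.c. Before queueing, it is worth confirming that 4.19 carries that commit and the kcov remote API; if it does not, the call has no matching start and may not build. The patch is tagged Stable-dep-of 6671e352497c, whose hunk in nfc-nci-fix-handling-of-zero-length-payload-packets-.patch deletes this same line again, so the end state is unaffected and only the intermediate tree (bisection) is at risk. nci_rx_work() continues outside the hunk.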
diff --git a/queue-4.19/nfc-nci-fix-uninit-value-in-nci_rx_work.patch b/queue-4.19/nfc-nci-fix-uninit-value-in-nci_rx_work.patch
new file mode 100644
index 00000000000..1e9ebf26ea3
--- /dev/null
+++ b/queue-4.19/nfc-nci-fix-uninit-value-in-nci_rx_work.patch
@@ -0,0 +1,63 @@
+From e5dc3f234d579f80e220e5ede3937c6fc9c1245d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 May 2024 18:43:03 +0900
+Subject: nfc: nci: Fix uninit-value in nci_rx_work
+
+From: Ryosuke Yasuoka
+
+[ Upstream commit e4a87abf588536d1cdfb128595e6e680af5cf3ed ]
+
+syzbot reported the following uninit-value access issue [1]
+
+nci_rx_work() parses received packet from ndev->rx_q. It should be
+validated header size, payload size and total packet size before
+processing the packet. If an invalid packet is detected, it should be
+silently discarded.
+
+Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
+Reported-and-tested-by: syzbot+d7b4dc6cd50410152534@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d7b4dc6cd50410152534 [1]
+Signed-off-by: Ryosuke Yasuoka
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/nfc/nci/core.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 1f863ccf21211..6e83159b7b436 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1461,6 +1461,19 @@ int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
+ ndev->ops->n_core_ops);
+ }
+
++static bool nci_valid_size(struct sk_buff *skb)
++{
++ BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);
++ unsigned int hdr_size = NCI_CTRL_HDR_SIZE;
++
++ if (skb->len < hdr_size ||
++ !nci_plen(skb->data) ||
++ skb->len < hdr_size + nci_plen(skb->data)) {
++ return false;
++ }
++ return true;
++}
++
+ /* ---- NCI TX Data worker thread ---- */
+
+ static void nci_tx_work(struct work_struct *work)
+@@ -1511,7 +1524,7 @@ static void nci_rx_work(struct work_struct *work)
+ nfc_send_to_raw_sock(ndev->nfc_dev, skb,
+ RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);
+
+- if (!nci_plen(skb->data)) {
++ if (!nci_valid_size(skb)) {
+ kfree_skb(skb);
+ break;
+ }
+-- 
+2.43.0
+
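Review bot: In the new nci_valid_size(), `BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);` precedes the declaration `unsigned int hdr_size = NCI_CTRL_HDR_SIZE;`, which is a declaration after a statement. If the 4.19 build still passes -Wdeclaration-after-statement (not visible here), this backport adds a warning; swapping the two lines avoids it: `unsigned int hdr_size = NCI_CTRL_HDR_SIZE;` followed by `BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);`. The helper is the whole length validation for frames taken from `ndev->rx_q`, so it should also carry a short comment listing what it rejects: a frame shorter than the header, a zero payload length, and a frame shorter than header plus declared payload.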
diff --git a/queue-4.19/null_blk-fix-the-warning-modpost-missing-module_desc.patch b/queue-4.19/null_blk-fix-the-warning-modpost-missing-module_desc.patch
new file mode 100644
index 00000000000..df04200943d
--- /dev/null
+++ b/queue-4.19/null_blk-fix-the-warning-modpost-missing-module_desc.patch
@@ -0,0 +1,34 @@
+From 7c709e0066fe0de8d8fe87b605c7d6f042a53c86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 May 2024 09:55:38 +0200
+Subject: null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
+
+From: Zhu Yanjun
+
+[ Upstream commit 9e6727f824edcdb8fdd3e6e8a0862eb49546e1cd ]
+
+No functional changes intended.
+
+Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver")
+Signed-off-by: Zhu Yanjun
+Reviewed-by: Chaitanya Kulkarni
+Link: https://lore.kernel.org/r/20240506075538.6064-1-yanjun.zhu@linux.dev
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/null_blk_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c
+index fb20ed1360f99..216c03913dd6d 100644
+--- a/drivers/block/null_blk_main.c
++++ b/drivers/block/null_blk_main.c
+@@ -1975,4 +1975,5 @@ module_init(null_init);
+ module_exit(null_exit);
+
+ MODULE_AUTHOR("Jens Axboe ");
++MODULE_DESCRIPTION("multi queue aware block test driver");
+ MODULE_LICENSE("GPL");
+-- 
+2.43.0
+
diff --git a/queue-4.19/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch b/queue-4.19/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch
new file mode 100644
index 00000000000..a9904bd3ed4
--- /dev/null
+++ b/queue-4.19/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch
@@ -0,0 +1,101 @@
+From 90c3ad0db13849ef2ab56b4f686d7c08eefc1669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 May 2024 16:09:41 -0400
+Subject: openvswitch: Set the skbuff pkt_type for proper pmtud support.
+
+From: Aaron Conole
+
+[ Upstream commit 30a92c9e3d6b073932762bef2ac66f4ee784c657 ]
+
+Open vSwitch is originally intended to switch at layer 2, only dealing with
+Ethernet frames. With the introduction of l3 tunnels support, it crossed
+into the realm of needing to care a bit about some routing details when
+making forwarding decisions. If an oversized packet would need to be
+fragmented during this forwarding decision, there is a chance for pmtu
+to get involved and generate a routing exception. This is gated by the
+skbuff->pkt_type field.
+
+When a flow is already loaded into the openvswitch module this field is
+set up and transitioned properly as a packet moves from one port to
+another. In the case that a packet execute is invoked after a flow is
+newly installed this field is not properly initialized. This causes the
+pmtud mechanism to omit sending the required exception messages across
+the tunnel boundary and a second attempt needs to be made to make sure
+that the routing exception is properly setup. To fix this, we set the
+outgoing packet's pkt_type to PACKET_OUTGOING, since it can only get
+to the openvswitch module via a port device or packet command.
+
+Even for bridge ports as users, the pkt_type needs to be reset when
+doing the transmit as the packet is truly outgoing and routing needs
+to get involved post packet transformations, in the case of
+VXLAN/GENEVE/udp-tunnel packets. In general, the pkt_type on output
+gets ignored, since we go straight to the driver, but in the case of
+tunnel ports they go through IP routing layer.
+
+This issue is periodically encountered in complex setups, such as large
+openshift deployments, where multiple sets of tunnel traversal occurs.
+A way to recreate this is with the ovn-heater project that can setup
+a networking environment which mimics such large deployments. We need
+larger environments for this because we need to ensure that flow
+misses occur. In these environment, without this patch, we can see:
+
+ ./ovn_cluster.sh start
+ podman exec ovn-chassis-1 ip r a 170.168.0.5/32 dev eth1 mtu 1200
+ podman exec ovn-chassis-1 ip netns exec sw01p1 ip r flush cache
+ podman exec ovn-chassis-1 ip netns exec sw01p1 \
+ ping 21.0.0.3 -M do -s 1300 -c2
+ PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data.
+ From 21.0.0.3 icmp_seq=2 Frag needed and DF set (mtu = 1142)
+
+ --- 21.0.0.3 ping statistics ---
+ ...
+
+Using tcpdump, we can also see the expected ICMP FRAG_NEEDED message is not
+sent into the server.
+
+With this patch, setting the pkt_type, we see the following:
+
+ podman exec ovn-chassis-1 ip netns exec sw01p1 \
+ ping 21.0.0.3 -M do -s 1300 -c2
+ PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data.
+ From 21.0.0.3 icmp_seq=1 Frag needed and DF set (mtu = 1222)
+ ping: local error: message too long, mtu=1222
+
+ --- 21.0.0.3 ping statistics ---
+ ...
+
+In this case, the first ping request receives the FRAG_NEEDED message and
+a local routing exception is created.
+
+Tested-by: Jaime Caamano
+Reported-at: https://issues.redhat.com/browse/FDP-164
+Fixes: 58264848a5a7 ("openvswitch: Add vxlan tunneling support.")
+Signed-off-by: Aaron Conole
+Acked-by: Eelco Chaudron
+Link: https://lore.kernel.org/r/20240516200941.16152-1-aconole@redhat.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/openvswitch/actions.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 091202b84b6e6..63b7586c31a2c 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -992,6 +992,12 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
+ pskb_trim(skb, ovs_mac_header_len(key));
+ }
+
++ /* Need to set the pkt_type to involve the routing layer. The
++ * packet movement through the OVS datapath doesn't generally
++ * use routing, but this is needed for tunnel cases.
++ */
++ skb->pkt_type = PACKET_OUTGOING;
++
+ if (likely(!mru ||
+ (skb->len <= mru + vport->dev->hard_header_len))) {
+ ovs_vport_send(vport, skb, ovs_key_mac_proto(key));
+-- 
+2.43.0
+
diff --git a/queue-4.19/params-lift-param_set_uint_minmax-to-common-code.patch b/queue-4.19/params-lift-param_set_uint_minmax-to-common-code.patch
new file mode 100644
index 00000000000..3c81712ebec
--- /dev/null
+++ b/queue-4.19/params-lift-param_set_uint_minmax-to-common-code.patch
@@ -0,0 +1,99 @@ +From 3c689a59fa853b0235ea0d3609d826ceef71ad5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 14:19:33 -0700 +Subject: params: lift param_set_uint_minmax to common code + +From: Sagi Grimberg + +[ Upstream commit 2a14c9ae15a38148484a128b84bff7e9ffd90d68 ] + +It is a useful helper hence move it to common code so others can enjoy +it. + +Suggested-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Hannes Reinecke +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Stable-dep-of: 3ebc46ca8675 ("tcp: Fix shift-out-of-bounds in dctcp_update_alpha().") +Signed-off-by: Sasha Levin +--- + include/linux/moduleparam.h | 2 ++ + kernel/params.c | 18 ++++++++++++++++++ + net/sunrpc/xprtsock.c | 18 ------------------ + 3 files changed, 20 insertions(+), 18 deletions(-) + +diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h +index ba36506db4fb7..dee4c402c040e 100644 +--- a/include/linux/moduleparam.h ++++ b/include/linux/moduleparam.h +@@ -361,6 +361,8 @@ extern int param_get_int(char *buffer, const struct kernel_param *kp); + extern const struct kernel_param_ops param_ops_uint; + extern int param_set_uint(const char *val, const struct kernel_param *kp); + extern int param_get_uint(char *buffer, const struct kernel_param *kp); ++int param_set_uint_minmax(const char *val, const struct kernel_param *kp, ++ unsigned int min, unsigned int max); + #define param_check_uint(name, p) __param_check(name, p, unsigned int) + + extern const struct kernel_param_ops param_ops_long; +diff --git a/kernel/params.c b/kernel/params.c +index ce89f757e6da0..8339cf40cdc72 100644 +--- a/kernel/params.c ++++ b/kernel/params.c +@@ -245,6 +245,24 @@ STANDARD_PARAM_DEF(long, long, "%li", kstrtol); + STANDARD_PARAM_DEF(ulong, unsigned long, "%lu", kstrtoul); + STANDARD_PARAM_DEF(ullong, unsigned long long, "%llu", kstrtoull); + ++int param_set_uint_minmax(const char *val, const struct kernel_param *kp, ++ unsigned int 
min, unsigned int max) ++{ ++ unsigned int num; ++ int ret; ++ ++ if (!val) ++ return -EINVAL; ++ ret = kstrtouint(val, 0, &num); ++ if (ret) ++ return ret; ++ if (num < min || num > max) ++ return -EINVAL; ++ *((unsigned int *)kp->arg) = num; ++ return 0; ++} ++EXPORT_SYMBOL_GPL(param_set_uint_minmax); ++ + int param_set_charp(const char *val, const struct kernel_param *kp) + { + if (strlen(val) > 1024) { +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index a0a82d9a59008..938c649c5c9fa 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -3306,24 +3306,6 @@ void cleanup_socket_xprt(void) + xprt_unregister_transport(&xs_bc_tcp_transport); + } + +-static int param_set_uint_minmax(const char *val, +- const struct kernel_param *kp, +- unsigned int min, unsigned int max) +-{ +- unsigned int num; +- int ret; +- +- if (!val) +- return -EINVAL; +- ret = kstrtouint(val, 0, &num); +- if (ret) +- return ret; +- if (num < min || num > max) +- return -EINVAL; +- *((unsigned int *)kp->arg) = num; +- return 0; +-} +- + static int param_set_portnr(const char *val, const struct kernel_param *kp) + { + return param_set_uint_minmax(val, kp, +-- +2.43.0 + diff --git a/queue-4.19/powerpc-pseries-add-failure-related-checks-for-h_get.patch b/queue-4.19/powerpc-pseries-add-failure-related-checks-for-h_get.patch new file mode 100644 index 00000000000..672ff125695 --- /dev/null +++ b/queue-4.19/powerpc-pseries-add-failure-related-checks-for-h_get.patch 
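Review bot: param_set_uint_minmax() becomes a GPL-exported helper in kernel/params.c with no kernel-doc comment, although other modules will now rely on it to validate values written through sysfs. The comment should state what the code shows: a NULL `val` and any value outside the range return -EINVAL, the bounds are inclusive (`num < min || num > max`), parsing uses `kstrtouint(val, 0, &num)` so prefixed hex and octal input is accepted, and `kp->arg` must point to an `unsigned int`. The new prototype in include/linux/moduleparam.h also omits the `extern` that the neighbouring declarations use, which is harmless but inconsistent.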
@@ -0,0 +1,86 @@ +From 083246fd00ad220912cb01cd390fe644ac0f74d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Apr 2024 14:50:47 +0530 +Subject: powerpc/pseries: Add failure related checks for h_get_mpp and + h_get_ppp + +From: Shrikanth Hegde + +[ Upstream commit 6d4341638516bf97b9a34947e0bd95035a8230a5 ] + +Couple of Minor fixes: + +- hcall return values are long. Fix that for h_get_mpp, h_get_ppp and +parse_ppp_data + +- If hcall fails, values set should be at-least zero. It shouldn't be +uninitialized values. Fix that for h_get_mpp and h_get_ppp + +Signed-off-by: Shrikanth Hegde +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240412092047.455483-3-sshegde@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/hvcall.h | 2 +- + arch/powerpc/platforms/pseries/lpar.c | 6 +++--- + arch/powerpc/platforms/pseries/lparcfg.c | 6 +++--- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h +index a0b17f9f1ea4e..2bbf6c01a13d7 100644 +--- a/arch/powerpc/include/asm/hvcall.h ++++ b/arch/powerpc/include/asm/hvcall.h +@@ -424,7 +424,7 @@ struct hvcall_mpp_data { + unsigned long backing_mem; + }; + +-int h_get_mpp(struct hvcall_mpp_data *); ++long h_get_mpp(struct hvcall_mpp_data *mpp_data); + + struct hvcall_mpp_x_data { + unsigned long coalesced_bytes; +diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c +index d660a90616cda..eebaf44e5508e 100644 +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -933,10 +933,10 @@ void __trace_hcall_exit(long opcode, long retval, unsigned long *retbuf) + * h_get_mpp + * H_GET_MPP hcall returns info in 7 parms + */ +-int h_get_mpp(struct hvcall_mpp_data *mpp_data) ++long h_get_mpp(struct hvcall_mpp_data *mpp_data) + { +- int rc; +- unsigned long retbuf[PLPAR_HCALL9_BUFSIZE]; ++ unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; ++ long 
rc; + + rc = plpar_hcall9(H_GET_MPP, retbuf); + +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index d1b338b7dbded..3b82cfe229012 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -114,8 +114,8 @@ struct hvcall_ppp_data { + */ + static unsigned int h_get_ppp(struct hvcall_ppp_data *ppp_data) + { +- unsigned long rc; +- unsigned long retbuf[PLPAR_HCALL9_BUFSIZE]; ++ unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; ++ long rc; + + rc = plpar_hcall9(H_GET_PPP, retbuf); + +@@ -161,7 +161,7 @@ static void parse_ppp_data(struct seq_file *m) + struct hvcall_ppp_data ppp_data; + struct device_node *root; + const __be32 *perf_level; +- int rc; ++ long rc; + + rc = h_get_ppp(&ppp_data); + if (rc) +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index bd0162e0aac..ec9d4b1cdaf 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
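Review bot: h_get_ppp() still returns `unsigned int` (the context line `static unsigned int h_get_ppp(struct hvcall_ppp_data *ppp_data)` is unchanged) although this patch makes its local `rc` and the caller's `rc` in parse_ppp_data() a `long`. A negative hcall status is therefore truncated on return and widened back as a positive value, so `if (rc)` still fires but the value no longer matches the hcall code if it is ever printed or compared. Changing the signature to `static long h_get_ppp(struct hvcall_ppp_data *ppp_data)` would match the commit message and what the patch already does for h_get_mpp(). The function bodies continue outside the hunks.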
@@ -106,3 +106,28 @@ f2fs-fix-to-release-node-block-count-in-error-path-o.patch
 serial-sh-sci-extract-sci_dma_rx_chan_invalidate.patch
 serial-sh-sci-protect-invalidating-rxdma-on-shutdown.patch
 libsubcmd-fix-parse-options-memory-leak.patch
+input-ims-pcu-fix-printf-string-overflow.patch
+input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch
+drm-msm-dpu-use-kms-stored-hw-mdp-block.patch
+drm-msm-dpu-remove-empty-useless-labels.patch
+drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch
+um-fix-return-value-in-ubd_init.patch
+um-add-winch-to-winch_handlers-before-registering-wi.patch
+media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch
+powerpc-pseries-add-failure-related-checks-for-h_get.patch
+um-fix-the-wmissing-prototypes-warning-for-__switch_.patch
+media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch
+media-cec-cec-api-add-locking-in-cec_release.patch
+null_blk-fix-the-warning-modpost-missing-module_desc.patch
+x86-kconfig-select-arch_want_frame_pointers-again-wh.patch
+nfc-nci-fix-uninit-value-in-nci_rx_work.patch
+ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch
+params-lift-param_set_uint_minmax-to-common-code.patch
+tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch
+openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch
+arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch
+virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch
+net-fec-avoid-lock-evasion-when-reading-pps_enable.patch
+tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch
+nfc-nci-fix-kcov-check-in-nci_rx_work.patch
+nfc-nci-fix-handling-of-zero-length-payload-packets-.patch
diff --git a/queue-4.19/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch b/queue-4.19/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch
new file mode 100644
index 00000000000..c1243a5a4ce
--- /dev/null
+++ b/queue-4.19/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch
@@ -0,0 +1,125 @@
+From b658c09dad1b74d09c0425089f55a2f01167e325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 May 2024 18:16:26 +0900
+Subject: tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 3ebc46ca8675de6378e3f8f40768e180bb8afa66 ]
+
+In dctcp_update_alpha(), we use a module parameter dctcp_shift_g
+as follows:
+
+ alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
+ ...
+ delivered_ce <<= (10 - dctcp_shift_g);
+
+It seems syzkaller started fuzzing module parameters and triggered
+shift-out-of-bounds [0] by setting 100 to dctcp_shift_g:
+
+ memcpy((void*)0x20000080,
+ "/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47);
+ res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,
+ /*flags=*/2ul, /*mode=*/0ul);
+ memcpy((void*)0x20000000, "100\000", 4);
+ syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);
+
+Let's limit the max value of dctcp_shift_g by param_set_uint_minmax().
+ +With this patch: + + # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g + # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g + 10 + # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g + -bash: echo: write error: Invalid argument + +[0]: +UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12 +shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int') +CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.13.0-1ubuntu1.1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468 + dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143 + tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline] + tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948 + tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711 + tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937 + sk_backlog_rcv include/net/sock.h:1106 [inline] + __release_sock+0x20f/0x350 net/core/sock.c:2983 + release_sock+0x61/0x1f0 net/core/sock.c:3549 + mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907 + mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976 + __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072 + mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127 + inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437 + __sock_release net/socket.c:659 [inline] + sock_close+0xc0/0x240 net/socket.c:1421 + __fput+0x41b/0x890 fs/file_table.c:422 + task_work_run+0x23b/0x300 kernel/task_work.c:180 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0x9c8/0x2540 kernel/exit.c:878 + do_group_exit+0x201/0x2b0 kernel/exit.c:1027 + __do_sys_exit_group kernel/exit.c:1038 [inline] + __se_sys_exit_group kernel/exit.c:1036 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036 + do_syscall_x64 
arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x67/0x6f +RIP: 0033:0x7f6c2b5005b6 +Code: Unable to access opcode bytes at 0x7f6c2b50058c. +RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6 +RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 +RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0 +R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0 +R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 + + +Reported-by: syzkaller +Reported-by: Yue Sun +Reported-by: xingwei lee +Closes: https://lore.kernel.org/netdev/CAEkJfYNJM=cw-8x7_Vmj1J6uYVCWMbbvD=EFmDPVBGpTsqOxEA@mail.gmail.com/ +Fixes: e3118e8359bb ("net: tcp: add DCTCP congestion control algorithm") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240517091626.32772-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_dctcp.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c +index 5205c5a5d8d55..0cf7bfda2d6d2 100644 +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -59,7 +59,18 @@ struct dctcp { + }; + + static unsigned int dctcp_shift_g __read_mostly = 4; /* g = 1/2^4 */ +-module_param(dctcp_shift_g, uint, 0644); ++ ++static int dctcp_shift_g_set(const char *val, const struct kernel_param *kp) ++{ ++ return param_set_uint_minmax(val, kp, 0, 10); ++} ++ ++static const struct kernel_param_ops dctcp_shift_g_ops = { ++ .set = dctcp_shift_g_set, ++ .get = param_get_uint, ++}; ++ ++module_param_cb(dctcp_shift_g, &dctcp_shift_g_ops, &dctcp_shift_g, 0644); + MODULE_PARM_DESC(dctcp_shift_g, "parameter g for updating dctcp_alpha"); + + static unsigned int dctcp_alpha_on_init __read_mostly = DCTCP_MAX_ALPHA; +-- +2.43.0 + 
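Review bot: The upper bound `10` in `param_set_uint_minmax(val, kp, 0, 10)` repeats the literal that, per the commit message, dctcp_update_alpha() uses in `delivered_ce <<= (10 - dctcp_shift_g)`, and nothing ties the two together. Since this range check is the only thing keeping the shift count in range, a later change to either literal would silently bring the out-of-bounds shift back. A shared constant used in both places would prevent that, e.g. `#define DCTCP_SHIFT_G_MAX 10U` (name constructed for illustration), or at minimum a comment on the setter such as `/* upper bound must match the 10 in dctcp_update_alpha() */`.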
diff --git a/queue-4.19/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch b/queue-4.19/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch
new file mode 100644
index 00000000000..871d92ecc27
--- /dev/null
+++ b/queue-4.19/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch
@@ -0,0 +1,76 @@ +From 6f88dd423e7d6ca686dc446c3cc0eab6d9768e27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 21:42:20 +0800 +Subject: tcp: remove 64 KByte limit for initial tp->rcv_wnd value + +From: Jason Xing + +[ Upstream commit 378979e94e953c2070acb4f0e0c98d29260bd09d ] + +Recently, we had some servers upgraded to the latest kernel and noticed +the indicator from the user side showed worse results than before. It is +caused by the limitation of tp->rcv_wnd. + +In 2018 commit a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin +to around 64KB") limited the initial value of tp->rcv_wnd to 65535, most +CDN teams would not benefit from this change because they cannot have a +large window to receive a big packet, which will be slowed down especially +in long RTT. Small rcv_wnd means slow transfer speed, to some extent. It's +the side effect for the latency/time-sensitive users. + +To avoid future confusion, current change doesn't affect the initial +receive window on the wire in a SYN or SYN+ACK packet which are set within +65535 bytes according to RFC 7323 also due to the limit in +__tcp_transmit_skb(): + + th->window = htons(min(tp->rcv_wnd, 65535U)); + +In one word, __tcp_transmit_skb() already ensures that constraint is +respected, no matter how large tp->rcv_wnd is. The change doesn't violate +RFC. + +Let me provide one example if with or without the patch: +Before: +client --- SYN: rwindow=65535 ---> server +client <--- SYN+ACK: rwindow=65535 ---- server +client --- ACK: rwindow=65536 ---> server +Note: for the last ACK, the calculation is 512 << 7. + +After: +client --- SYN: rwindow=65535 ---> server +client <--- SYN+ACK: rwindow=65535 ---- server +client --- ACK: rwindow=175232 ---> server +Note: I use the following command to make it work: +ip route change default via [ip] dev eth0 metric 100 initrwnd 120 +For the last ACK, the calculation is 1369 << 7. 
+ +When we apply such a patch, having a large rcv_wnd if the user tweak this +knob can help transfer data more rapidly and save some rtts. + +Fixes: a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin to around 64KB") +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Acked-by: Neal Cardwell +Link: https://lore.kernel.org/r/20240521134220.12510-1-kerneljasonxing@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index fbeb40a481fcb..105301b8d0fcb 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -216,7 +216,7 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss, + if (sock_net(sk)->ipv4.sysctl_tcp_workaround_signed_windows) + (*rcv_wnd) = min(space, MAX_TCP_WINDOW); + else +- (*rcv_wnd) = min_t(u32, space, U16_MAX); ++ (*rcv_wnd) = space; + + if (init_rcv_wnd) + *rcv_wnd = min(*rcv_wnd, init_rcv_wnd * mss); +-- +2.43.0 + diff --git a/queue-4.19/um-add-winch-to-winch_handlers-before-registering-wi.patch b/queue-4.19/um-add-winch-to-winch_handlers-before-registering-wi.patch new file mode 100644 index 00000000000..19333c1a1d6 --- /dev/null +++ b/queue-4.19/um-add-winch-to-winch_handlers-before-registering-wi.patch 
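Review bot: Nothing at the changed assignment in tcp_select_initial_window() says why `(*rcv_wnd) = space;` may now exceed 65535, so the next reader has to dig out the commit message to learn that the SYN/SYN+ACK window is clamped elsewhere. The description quotes that clamp as `th->window = htons(min(tp->rcv_wnd, 65535U));` in __tcp_transmit_skb(), which this patch does not touch, so the backport is only safe if the 4.19 tree carries that line; worth confirming before the patch is queued. I would add a comment above the assignment such as `/* May exceed U16_MAX; the on-wire SYN window is clamped in __tcp_transmit_skb() */`. The function body starts before and continues after the hunk.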
@@ -0,0 +1,68 @@
+From 62db8e8649be5cda30e0952121e074fa22dbe21f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Mar 2024 11:49:26 +0100
+Subject: um: Add winch to winch_handlers before registering winch IRQ
+
+From: Roberto Sassu
+
+[ Upstream commit a0fbbd36c156b9f7b2276871d499c9943dfe5101 ]
+
+Registering a winch IRQ is racy, an interrupt may occur before the winch is
+added to the winch_handlers list.
+
+If that happens, register_winch_irq() adds to that list a winch that is
+scheduled to be (or has already been) freed, causing a panic later in
+winch_cleanup().
+
+Avoid the race by adding the winch to the winch_handlers list before
+registering the IRQ, and rolling back if um_request_irq() fails.
+
+Fixes: 42a359e31a0e ("uml: SIGIO support cleanup")
+Signed-off-by: Roberto Sassu
+Reviewed-by: Johannes Berg
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/drivers/line.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index 7e524efed5848..71e26488dfde2 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -683,24 +683,26 @@ void register_winch_irq(int fd, int tty_fd, int pid, struct tty_port *port,
+ goto cleanup;
+ }
+
+- *winch = ((struct winch) { .list = LIST_HEAD_INIT(winch->list),
+- .fd = fd,
++ *winch = ((struct winch) { .fd = fd,
+ .tty_fd = tty_fd,
+ .pid = pid,
+ .port = port,
+ .stack = stack });
+
++ spin_lock(&winch_handler_lock);
++ list_add(&winch->list, &winch_handlers);
++ spin_unlock(&winch_handler_lock);
++
+ if (um_request_irq(WINCH_IRQ, fd, IRQ_READ, winch_interrupt,
+ IRQF_SHARED, "winch", winch) < 0) {
+ printk(KERN_ERR "register_winch_irq - failed to register "
+ "IRQ\n");
++ spin_lock(&winch_handler_lock);
++ list_del(&winch->list);
++ spin_unlock(&winch_handler_lock);
+ goto out_free;
+ }
+
+- spin_lock(&winch_handler_lock);
+- list_add(&winch->list, &winch_handlers);
+- spin_unlock(&winch_handler_lock);
+-
+ return;
+
+ out_free:
+--
+2.43.0
+
diff --git a/queue-4.19/um-fix-return-value-in-ubd_init.patch b/queue-4.19/um-fix-return-value-in-ubd_init.patch
new file mode 100644
index 00000000000..6489ebabfc5
--- /dev/null
+++ b/queue-4.19/um-fix-return-value-in-ubd_init.patch
@@ -0,0 +1,46 @@
+From ee2dea5b59f102a4756b0faa0d7d4934feb079d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Mar 2024 17:12:59 +0800
+Subject: um: Fix return value in ubd_init()
+
+From: Duoming Zhou
+
+[ Upstream commit 31a5990ed253a66712d7ddc29c92d297a991fdf2 ]
+
+When kmalloc_array() fails to allocate memory, the ubd_init()
+should return -ENOMEM instead of -1. So, fix it.
+
+Fixes: f88f0bdfc32f ("um: UBD Improvements")
+Signed-off-by: Duoming Zhou
+Reviewed-by: Johannes Berg
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/drivers/ubd_kern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c
+index 788c80abff5d3..4a32df89a491e 100644
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -1135,7 +1135,7 @@ static int __init ubd_init(void)
+
+ if (irq_req_buffer == NULL) {
+ printk(KERN_ERR "Failed to initialize ubd buffering\n");
+- return -1;
++ return -ENOMEM;
+ }
+ io_req_buffer = kmalloc_array(UBD_REQ_BUFFER_SIZE,
+ sizeof(struct io_thread_req *),
+@@ -1146,7 +1146,7 @@ static int __init ubd_init(void)
+
+ if (io_req_buffer == NULL) {
+ printk(KERN_ERR "Failed to initialize ubd buffering\n");
+- return -1;
++ return -ENOMEM;
+ }
+ platform_driver_register(&ubd_driver);
+ mutex_lock(&ubd_lock);
+--
+2.43.0
+
diff --git a/queue-4.19/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch b/queue-4.19/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch
new file mode 100644
index 00000000000..ff91f917dde
--- /dev/null
+++ b/queue-4.19/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch
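Review bot: The ordering in register_winch_irq() is now load-bearing but nothing in the code says so: the `list_add()` has to stay ahead of `um_request_irq()`, and the failure branch has to undo it before `goto out_free`. A short comment above the new lock/add sequence, e.g. `/* Publish on winch_handlers before the IRQ can fire; undone below if um_request_irq() fails */`, would keep a later cleanup from moving it back. While the entry is on the list and the IRQ is not yet registered, it is visible to anything else that walks winch_handlers under winch_handler_lock; those walkers are outside the hunk, so it is worth checking that none of them can free the entry in that window. The function starts before and ends after the hunk.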
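Review bot: The second failure branch (`io_req_buffer == NULL`) now returns -ENOMEM but appears to leave `irq_req_buffer` allocated: the first branch shows it was checked for NULL just above, and nothing visible between the two inner hunks releases it. If that holds in the full function, add `kfree(irq_req_buffer);` before the second `return -ENOMEM;`. Separately, the context line `platform_driver_register(&ubd_driver);` discards its return value, so a registration failure is not reported to the caller. ubd_init() begins before and continues after the lines shown, so earlier registrations that might also need unwinding cannot be judged from here.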
@@ -0,0 +1,48 @@
+From 4cc8deb194491c2a42bc26fa635c0083be5df10e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Apr 2024 20:58:53 +0800
+Subject: um: Fix the -Wmissing-prototypes warning for __switch_mm
+
+From: Tiwei Bie
+
+[ Upstream commit 2cbade17b18c0f0fd9963f26c9fc9b057eb1cb3a ]
+
+The __switch_mm function is defined in the user code, and is called
+by the kernel code. It should be declared in a shared header.
+
+Fixes: 4dc706c2f292 ("um: take um_mmu.h to asm/mmu.h, clean asm/mmu_context.h a bit")
+Signed-off-by: Tiwei Bie
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/include/asm/mmu.h | 2 --
+ arch/um/include/shared/skas/mm_id.h | 2 ++
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/include/asm/mmu.h b/arch/um/include/asm/mmu.h
+index da705448590f2..21fbe5454dbd8 100644
+--- a/arch/um/include/asm/mmu.h
++++ b/arch/um/include/asm/mmu.h
+@@ -15,8 +15,6 @@ typedef struct mm_context {
+ struct page *stub_pages[2];
+ } mm_context_t;
+
+-extern void __switch_mm(struct mm_id * mm_idp);
+-
+ /* Avoid tangled inclusion with asm/ldt.h */
+ extern long init_new_ldt(struct mm_context *to_mm, struct mm_context *from_mm);
+ extern void free_ldt(struct mm_context *mm);
+diff --git a/arch/um/include/shared/skas/mm_id.h b/arch/um/include/shared/skas/mm_id.h
+index 48dd0989ddaa6..169482ec95f98 100644
+--- a/arch/um/include/shared/skas/mm_id.h
++++ b/arch/um/include/shared/skas/mm_id.h
+@@ -14,4 +14,6 @@ struct mm_id {
+ unsigned long stack;
+ };
+
++void __switch_mm(struct mm_id *mm_idp);
++
+ #endif
+--
+2.43.0
+
diff --git a/queue-4.19/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch b/queue-4.19/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch
new file mode 100644
index 00000000000..71bbfa19a76
--- /dev/null
+++ b/queue-4.19/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch
@@ -0,0 +1,94 @@
+From b5f23ae9e1a71b28db6eae9206ad5ec616fa7d26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Apr 2024 17:08:45 +0200
+Subject: virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
+
+From: Jiri Pirko
+
+[ Upstream commit 89875151fccdd024d571aa884ea97a0128b968b6 ]
+
+When request_irq() fails, error path calls vp_del_vqs(). There, as vq is
+present in the list, free_irq() is called for the same vector. That
+causes following splat:
+
+[ 0.414355] Trying to free already-free IRQ 27
+[ 0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0
+[ 0.414510] Modules linked in:
+[ 0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27
+[ 0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+[ 0.414540] RIP: 0010:free_irq+0x1a1/0x2d0
+[ 0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40
+[ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086
+[ 0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000
+[ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001
+[ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001
+[ 0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760
+[ 0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600
+[ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000
+[ 0.414540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0
+[ 0.414540] Call Trace:
+[ 0.414540]
+[ 0.414540] ? __warn+0x80/0x120
+[ 0.414540] ? free_irq+0x1a1/0x2d0
+[ 0.414540] ? report_bug+0x164/0x190
+[ 0.414540] ? handle_bug+0x3b/0x70
+[ 0.414540] ? exc_invalid_op+0x17/0x70
+[ 0.414540] ? asm_exc_invalid_op+0x1a/0x20
+[ 0.414540] ? free_irq+0x1a1/0x2d0
+[ 0.414540] vp_del_vqs+0xc1/0x220
+[ 0.414540] vp_find_vqs_msix+0x305/0x470
+[ 0.414540] vp_find_vqs+0x3e/0x1a0
+[ 0.414540] vp_modern_find_vqs+0x1b/0x70
+[ 0.414540] init_vqs+0x387/0x600
+[ 0.414540] virtnet_probe+0x50a/0xc80
+[ 0.414540] virtio_dev_probe+0x1e0/0x2b0
+[ 0.414540] really_probe+0xc0/0x2c0
+[ 0.414540] ? __pfx___driver_attach+0x10/0x10
+[ 0.414540] __driver_probe_device+0x73/0x120
+[ 0.414540] driver_probe_device+0x1f/0xe0
+[ 0.414540] __driver_attach+0x88/0x180
+[ 0.414540] bus_for_each_dev+0x85/0xd0
+[ 0.414540] bus_add_driver+0xec/0x1f0
+[ 0.414540] driver_register+0x59/0x100
+[ 0.414540] ? __pfx_virtio_net_driver_init+0x10/0x10
+[ 0.414540] virtio_net_driver_init+0x90/0xb0
+[ 0.414540] do_one_initcall+0x58/0x230
+[ 0.414540] kernel_init_freeable+0x1a3/0x2d0
+[ 0.414540] ? __pfx_kernel_init+0x10/0x10
+[ 0.414540] kernel_init+0x1a/0x1c0
+[ 0.414540] ret_from_fork+0x31/0x50
+[ 0.414540] ? __pfx_kernel_init+0x10/0x10
+[ 0.414540] ret_from_fork_asm+0x1a/0x30
+[ 0.414540]
+
+Fix this by calling deleting the current vq when request_irq() fails.
+
+Fixes: 0b0f9dc52ed0 ("Revert "virtio_pci: use shared interrupts for virtqueues"")
+Signed-off-by: Jiri Pirko
+Message-Id: <20240426150845.3999481-1-jiri@resnulli.us>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Sasha Levin
+---
+ drivers/virtio/virtio_pci_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
+index 40618ccffeb8b..39abf02ece95e 100644
+--- a/drivers/virtio/virtio_pci_common.c
++++ b/drivers/virtio/virtio_pci_common.c
+@@ -342,8 +342,10 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
+ vring_interrupt, 0,
+ vp_dev->msix_names[msix_vec],
+ vqs[i]);
+- if (err)
++ if (err) {
++ vp_del_vq(vqs[i]);
+ goto error_find;
++ }
+ }
+ return 0;
+
+--
+2.43.0
+
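Review bot: After `vp_del_vq(vqs[i]);` the caller's array still holds the pointer that was just deleted, and control then continues to `error_find`. The commit message says that path calls vp_del_vqs(), which works from the device's own list, so this presumably does no harm today, but clearing the slot with `vqs[i] = NULL;` right after the delete would keep any later reader of `vqs[]` on the failure path from touching a stale entry. A one-line comment such as `/* request_irq() failed: this vq owns no IRQ yet, so drop it here rather than in vp_del_vqs() */` would also record why this one vq is handled apart from the rest. The enclosing loop and the body of `error_find` are outside the hunk.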
diff --git a/queue-4.19/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch b/queue-4.19/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch
new file mode 100644
index 00000000000..71dab9aa2ab
--- /dev/null
+++ b/queue-4.19/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch
@@ -0,0 +1,63 @@
+From 51e44008c9babf2061b2525c4b7e8283977877f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Feb 2024 21:20:03 +0900
+Subject: x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when
+ UNWINDER_FRAME_POINTER=y
+
+From: Masahiro Yamada
+
+[ Upstream commit 66ee3636eddcc82ab82b539d08b85fb5ac1dff9b ]
+
+It took me some time to understand the purpose of the tricky code at
+the end of arch/x86/Kconfig.debug.
+
+Without it, the following would be shown:
+
+ WARNING: unmet direct dependencies detected for FRAME_POINTER
+
+because
+
+ 81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection")
+
+removed 'select ARCH_WANT_FRAME_POINTERS'.
+
+The correct and more straightforward approach should have been to move
+it where 'select FRAME_POINTER' is located.
+
+Several architectures properly handle the conditional selection of
+ARCH_WANT_FRAME_POINTERS. For example, 'config UNWINDER_FRAME_POINTER'
+in arch/arm/Kconfig.debug.
+
+Fixes: 81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection")
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Josh Poimboeuf
+Link: https://lore.kernel.org/r/20240204122003.53795-1-masahiroy@kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/Kconfig.debug | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
+index 687cd1a213d50..82170d6257b1c 100644
+--- a/arch/x86/Kconfig.debug
++++ b/arch/x86/Kconfig.debug
+@@ -376,6 +376,7 @@ config UNWINDER_ORC
+
+ config UNWINDER_FRAME_POINTER
+ bool "Frame pointer unwinder"
++ select ARCH_WANT_FRAME_POINTERS
+ select FRAME_POINTER
+ ---help---
+ This option enables the frame pointer unwinder for unwinding kernel
+@@ -403,7 +404,3 @@ config UNWINDER_GUESS
+ overhead.
+
+ endchoice
+-
+-config FRAME_POINTER
+- depends on !UNWINDER_ORC && !UNWINDER_GUESS
+- bool
+--
+2.43.0
+
-- 2.47.3