From 60ca76a33c696e11ed66fd827f49dcf690421c8c Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 14 Sep 2024 12:11:55 -0400
Subject: [PATCH] Fixes for 6.6

Signed-off-by: Sasha Levin
---
 ...d-possible-garbage-value-in-peb2466_.patch | 44 ++++++++++
 .../cifs-fix-signature-miscalculation.patch | 43 ++++++++++
 ...vent-a-possible-int-overflow-in-wq-o.patch | 53 ++++++++++++
 queue-6.6/series | 5 ++
 ...qcom-fix-incorrect-free_irq-sequence.patch | 43 ++++++++++
 ...do-runtime-pm-changes-at-driver-exit.patch | 85 +++++++++++++++++++
 6 files changed, 273 insertions(+)
 create mode 100644 queue-6.6/asoc-codecs-avoid-possible-garbage-value-in-peb2466_.patch
 create mode 100644 queue-6.6/cifs-fix-signature-miscalculation.patch
 create mode 100644 queue-6.6/drm-i915-guc-prevent-a-possible-int-overflow-in-wq-o.patch
 create mode 100644 queue-6.6/spi-geni-qcom-fix-incorrect-free_irq-sequence.patch
 create mode 100644 queue-6.6/spi-geni-qcom-undo-runtime-pm-changes-at-driver-exit.patch
diff --git a/queue-6.6/asoc-codecs-avoid-possible-garbage-value-in-peb2466_.patch b/queue-6.6/asoc-codecs-avoid-possible-garbage-value-in-peb2466_.patch
new file mode 100644
index 00000000000..0804d7a8daa
--- /dev/null
+++ b/queue-6.6/asoc-codecs-avoid-possible-garbage-value-in-peb2466_.patch
@@ -0,0 +1,44 @@
+From bcc248879317c42d4aff140db9a05f7d03cbcc78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Sep 2024 19:54:50 +0800
+Subject: ASoC: codecs: avoid possible garbage value in peb2466_reg_read()
+
+From: Su Hui
+
+[ Upstream commit 38cc0334baabc5baf08a1db753de521e016c0432 ]
+
+Clang static checker (scan-build) warning:
+sound/soc/codecs/peb2466.c:232:8:
+Assigned value is garbage or undefined [core.uninitialized.Assign]
+ 232 | *val = tmp;
+ | ^ ~~~
+
+When peb2466_read_byte() fails, 'tmp' will have a garbage value.
+Add a judgemnet to avoid this problem.
+
+Fixes: 227f609c7c0e ("ASoC: codecs: Add support for the Infineon PEB2466 codec")
+Signed-off-by: Su Hui
+Link: https://patch.msgid.link/20240911115448.277828-1-suhui@nfschina.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/peb2466.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/peb2466.c b/sound/soc/codecs/peb2466.c
+index 5dec69be0acb..06c83d2042f3 100644
+--- a/sound/soc/codecs/peb2466.c
++++ b/sound/soc/codecs/peb2466.c
+@@ -229,7 +229,8 @@ static int peb2466_reg_read(void *context, unsigned int reg, unsigned int *val)
+ case PEB2466_CMD_XOP:
+ case PEB2466_CMD_SOP:
+ ret = peb2466_read_byte(peb2466, reg, &tmp);
+- *val = tmp;
++ if (!ret)
++ *val = tmp;
+ break;
+ default:
+ dev_err(&peb2466->spi->dev, "Not a XOP or SOP command\n");
+--
+2.43.0
+
diff --git a/queue-6.6/cifs-fix-signature-miscalculation.patch b/queue-6.6/cifs-fix-signature-miscalculation.patch
new file mode 100644
index 00000000000..ef712bb81d6
--- /dev/null
+++ b/queue-6.6/cifs-fix-signature-miscalculation.patch
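Review bot: In `peb2466_reg_read()` (sound/soc/codecs/peb2466.c), the new `if (!ret)` guard stops an unset `tmp` from reaching `*val`, but on failure `*val` is now left exactly as the caller passed it, so the fix is complete only if every caller checks the return value before using the output. A comment above the guard, such as `/* *val is written only on success; callers must check the return value */`, would record that contract. Initialising the local where it is declared would also make the failure path deterministic and keep the static checker quiet; the declaration is outside the hunk, so its exact type cannot be confirmed here. The function starts before the hunk and the switch continues past it.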
@@ -0,0 +1,43 @@
+From a57e2c8cf2fb6e2d4ea9a7538c33bb01742a5305 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Sep 2024 16:58:48 +0100
+Subject: cifs: Fix signature miscalculation
+
+From: David Howells
+
+[ Upstream commit 5a20b7cb0d8d3ee490a8e088dc2584aa782e3355 ]
+
+Fix the calculation of packet signatures by adding the offset into a page
+in the read or write data payload when hashing the pages from it.
+
+Fixes: 39bc58203f04 ("cifs: Add a function to Hash the contents of an iterator")
+Signed-off-by: David Howells
+Reviewed-by: Tom Talpey
+Reviewed-by: Paulo Alcantara (Red Hat)
+cc: Shyam Prasad N
+cc: Rohith Surabattula
+cc: Jeff Layton
+cc: linux-cifs@vger.kernel.org
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/smb/client/cifsencrypt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifsencrypt.c b/fs/smb/client/cifsencrypt.c
+index 6322f0f68a17..b0473c2567fe 100644
+--- a/fs/smb/client/cifsencrypt.c
++++ b/fs/smb/client/cifsencrypt.c
+@@ -129,7 +129,7 @@ static ssize_t cifs_shash_xarray(const struct iov_iter *iter, ssize_t maxsize,
+ for (j = foffset / PAGE_SIZE; j < npages; j++) {
+ len = min_t(size_t, maxsize, PAGE_SIZE - offset);
+ p = kmap_local_page(folio_page(folio, j));
+- ret = crypto_shash_update(shash, p, len);
++ ret = crypto_shash_update(shash, p + offset, len);
+ kunmap_local(p);
+ if (ret < 0)
+ return ret;
+--
+2.43.0
+
diff --git a/queue-6.6/drm-i915-guc-prevent-a-possible-int-overflow-in-wq-o.patch b/queue-6.6/drm-i915-guc-prevent-a-possible-int-overflow-in-wq-o.patch
new file mode 100644
index 00000000000..569bf244a35
--- /dev/null
+++ b/queue-6.6/drm-i915-guc-prevent-a-possible-int-overflow-in-wq-o.patch
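Review bot: In `cifs_shash_xarray()` (fs/smb/client/cifsencrypt.c), the corrected call `crypto_shash_update(shash, p + offset, len)` hashes the right bytes on later pages only if `offset` is reset to zero after the first page, and that reset is not visible in this hunk. `len` is clamped to `PAGE_SIZE - offset`, so the read stays inside the mapped page as long as `offset` is below `PAGE_SIZE`; it is worth confirming where `offset` is derived. Because this hash feeds the SMB packet signature, I would document the intent on the loop, for example `/* hash only payload bytes: skip 'offset' bytes of the first page, later pages start at 0 */`. The loop body continues past the end of the hunk.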
@@ -0,0 +1,53 @@
+From 93e93d2a2f59a6200b15a86abc52b2646238870c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Jul 2024 08:59:25 -0700
+Subject: drm/i915/guc: prevent a possible int overflow in wq offsets
+
+From: Nikita Zhandarovich
+
+[ Upstream commit d3d37f74683e2f16f2635ee265884f7ca69350ae ]
+
+It may be possible for the sum of the values derived from
+i915_ggtt_offset() and __get_parent_scratch_offset()/
+i915_ggtt_offset() to go over the u32 limit before being assigned
+to wq offsets of u64 type.
+
+Mitigate these issues by expanding one of the right operands
+to u64 to avoid any overflow issues just in case.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: c2aa552ff09d ("drm/i915/guc: Add multi-lrc context registration")
+Cc: Matthew Brost
+Cc: John Harrison
+Signed-off-by: Nikita Zhandarovich
+Link: https://patchwork.freedesktop.org/patch/msgid/20240725155925.14707-1-n.zhandarovich@fintech.ru
+Reviewed-by: Rodrigo Vivi
+Signed-off-by: Rodrigo Vivi
+(cherry picked from commit 1f1c1bd56620b80ae407c5790743e17caad69cec)
+Signed-off-by: Tvrtko Ursulin
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+index b5de5a9f5967..236dfff81fea 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+@@ -2695,9 +2695,9 @@ static void prepare_context_registration_info_v70(struct intel_context *ce,
+ ce->parallel.guc.wqi_tail = 0;
+ ce->parallel.guc.wqi_head = 0;
+
+- wq_desc_offset = i915_ggtt_offset(ce->state) +
++ wq_desc_offset = (u64)i915_ggtt_offset(ce->state) +
+ __get_parent_scratch_offset(ce);
+- wq_base_offset = i915_ggtt_offset(ce->state) +
++ wq_base_offset = (u64)i915_ggtt_offset(ce->state) +
+ __get_wq_offset(ce);
+ info->wq_desc_lo = lower_32_bits(wq_desc_offset);
+ info->wq_desc_hi = upper_32_bits(wq_desc_offset);
+--
+2.43.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index 9dddbc5f898..302eae1a1cd 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -81,3 +81,8 @@ dma-buf-heaps-fix-off-by-one-in-cma-heap-fault-handler.patch
 drm-nouveau-fb-restore-init-for-ramgp102.patch
 drm-amdgpu-atomfirmware-silence-ubsan-warning.patch
 drm-amd-amdgpu-apply-command-submission-parser-for-jpeg-v1.patch
+spi-geni-qcom-undo-runtime-pm-changes-at-driver-exit.patch
+spi-geni-qcom-fix-incorrect-free_irq-sequence.patch
+drm-i915-guc-prevent-a-possible-int-overflow-in-wq-o.patch
+asoc-codecs-avoid-possible-garbage-value-in-peb2466_.patch
+cifs-fix-signature-miscalculation.patch
diff --git a/queue-6.6/spi-geni-qcom-fix-incorrect-free_irq-sequence.patch b/queue-6.6/spi-geni-qcom-fix-incorrect-free_irq-sequence.patch
new file mode 100644
index 00000000000..2a5286830c5
--- /dev/null
+++ b/queue-6.6/spi-geni-qcom-fix-incorrect-free_irq-sequence.patch
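Review bot: In `prepare_context_registration_info_v70()` (drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c, the i915/guc patch above), the `(u64)` cast stops the additions from wrapping at 32 bits, but nothing checks the result, so a sum above the u32 range would now reach the GuC through `wq_desc_hi` instead of being truncated. Whether such an offset can ever be valid is not determinable from this hunk; if it cannot, an assertion after the two additions would make the invariant explicit. As a style point, the cast is repeated on both assignments; widening once, e.g. `u64 base = i915_ggtt_offset(ce->state);` followed by `wq_desc_offset = base + __get_parent_scratch_offset(ce);`, makes the 64-bit arithmetic obvious. The function starts and ends outside the hunk.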
@@ -0,0 +1,43 @@
+From e628d45db67471c9cae33d24f19ee93261279ed0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Sep 2024 15:31:40 +0800
+Subject: spi: geni-qcom: Fix incorrect free_irq() sequence
+
+From: Jinjie Ruan
+
+[ Upstream commit b787a33864121a565aeb0e88561bf6062a19f99c ]
+
+In spi_geni_remove(), the free_irq() sequence is different from that
+on the probe error path. And the IRQ will still remain and it's interrupt
+handler may use the dma channel after release dma channel and before free
+irq, which is not secure, fix it.
+
+Fixes: b59c122484ec ("spi: spi-geni-qcom: Add support for GPI dma")
+Signed-off-by: Jinjie Ruan
+Reviewed-by: Dmitry Baryshkov
+Link: https://patch.msgid.link/20240909073141.951494-3-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-geni-qcom.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c
+index 983c4896c8cf..7401ed3b9acd 100644
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -1170,9 +1170,9 @@ static void spi_geni_remove(struct platform_device *pdev)
+ /* Unregister _before_ disabling pm_runtime() so we stop transfers */
+ spi_unregister_master(spi);
+
+- spi_geni_release_dma_chan(mas);
+-
+ free_irq(mas->irq, spi);
++
++ spi_geni_release_dma_chan(mas);
+ }
+
+ static int __maybe_unused spi_geni_runtime_suspend(struct device *dev)
+--
+2.43.0
+
diff --git a/queue-6.6/spi-geni-qcom-undo-runtime-pm-changes-at-driver-exit.patch b/queue-6.6/spi-geni-qcom-undo-runtime-pm-changes-at-driver-exit.patch
new file mode 100644
index 00000000000..95d4e8f8de4
--- /dev/null
+++ b/queue-6.6/spi-geni-qcom-undo-runtime-pm-changes-at-driver-exit.patch
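Review bot: The new order in `spi_geni_remove()` (drivers/spi/spi-geni-qcom.c), `free_irq()` before `spi_geni_release_dma_chan()`, is a lifetime requirement that the code itself does not state. I would add a comment above the call, e.g. `/* Free the IRQ first: its handler may still use the DMA channels */`, so a later cleanup does not swap the two calls back and reopen the use-after-release window the commit message describes. The existing comment on `spi_unregister_master()` still refers to disabling pm_runtime, which no longer happens in this function as the hunk shows it, so it may need rewording as well. The function begins outside the hunk.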
@@ -0,0 +1,85 @@
+From 7de30115b9067b7d091162188e99d59fef0c676b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Sep 2024 15:31:39 +0800
+Subject: spi: geni-qcom: Undo runtime PM changes at driver exit time
+
+From: Jinjie Ruan
+
+[ Upstream commit 89e362c883c65ff94b76b9862285f63545fb5274 ]
+
+It's important to undo pm_runtime_use_autosuspend() with
+pm_runtime_dont_use_autosuspend() at driver exit time unless driver
+initially enabled pm_runtime with devm_pm_runtime_enable()
+(which handles it for you).
+
+Hence, switch to devm_pm_runtime_enable() to fix it, so the
+pm_runtime_disable() in probe error path and remove function
+can be removed.
+
+Fixes: cfdab2cd85ec ("spi: spi-geni-qcom: Set an autosuspend delay of 250 ms")
+Signed-off-by: Jinjie Ruan
+Suggested-by: Dmitry Baryshkov
+Reviewed-by: Dmitry Baryshkov
+Link: https://patch.msgid.link/20240909073141.951494-2-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-geni-qcom.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c
+index f4f376a8351b..983c4896c8cf 100644
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -1110,25 +1110,27 @@ static int spi_geni_probe(struct platform_device *pdev)
+ spin_lock_init(&mas->lock);
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 250);
+- pm_runtime_enable(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+
+ if (device_property_read_bool(&pdev->dev, "spi-slave"))
+ spi->slave = true;
+
+ ret = geni_icc_get(&mas->se, NULL);
+ if (ret)
+- goto spi_geni_probe_runtime_disable;
++ return ret;
+ /* Set the bus quota to a reasonable value for register access */
+ mas->se.icc_paths[GENI_TO_CORE].avg_bw = Bps_to_icc(CORE_2X_50_MHZ);
+ mas->se.icc_paths[CPU_TO_GENI].avg_bw = GENI_DEFAULT_BW;
+
+ ret = geni_icc_set_bw(&mas->se);
+ if (ret)
+- goto spi_geni_probe_runtime_disable;
++ return ret;
+
+ ret = spi_geni_init(mas);
+ if (ret)
+- goto spi_geni_probe_runtime_disable;
++ return ret;
+
+ /*
+ * check the mode supported and set_cs for fifo mode only
+@@ -1157,8 +1159,6 @@ static int spi_geni_probe(struct platform_device *pdev)
+ free_irq(mas->irq, spi);
+ spi_geni_release_dma:
+ spi_geni_release_dma_chan(mas);
+-spi_geni_probe_runtime_disable:
+- pm_runtime_disable(dev);
+ return ret;
+ }
+
+@@ -1173,7 +1173,6 @@ static void spi_geni_remove(struct platform_device *pdev)
+ spi_geni_release_dma_chan(mas);
+
+ free_irq(mas->irq, spi);
+- pm_runtime_disable(&pdev->dev);
+ }
+
+ static int __maybe_unused spi_geni_runtime_suspend(struct device *dev)
+--
+2.43.0
+
--
2.47.3
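Review bot: The three `goto spi_geni_probe_runtime_disable` sites in `spi_geni_probe()` (drivers/spi/spi-geni-qcom.c) became bare `return ret`, which is correct only while everything acquired earlier in probe is devres-managed; the start of the function is outside the hunk, so that cannot be confirmed here. A comment on the new call would record why no manual unwind is needed, e.g. `/* devm: also undoes pm_runtime_use_autosuspend() when the device is unbound */`, so that a later non-devm acquisition above these returns is not added without an unwind label. As a style point, the neighbouring calls pass `&pdev->dev` while the enable call passes `dev`, presumably the same device; one spelling throughout would make that obvious.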