From 9f68f8b12be7ffed118fedf83da9d5d33c30a230 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 21 Jun 2024 11:39:28 -0400 Subject: [PATCH] Fixes for 5.10 Signed-off-by: Sasha Levin --- ...acklight-native-quirk-for-lenovo-sli.patch | 47 +++++ ...a-false-positive-warning-in-packet_s.patch | 81 ++++++++ ...sof_sdw-add-jd2-quirk-for-hp-omen-14.patch | 42 ++++ ...s-empty-buckets-in-batadv_purge_orig.patch | 110 ++++++++++ ...octl-prefer-different-overflow-check.patch | 88 ++++++++ ...fix-multiple-issues-reported-by-chec.patch | 190 ++++++++++++++++++ ...exit-idle-optimizations-before-hdcp-.patch | 88 ++++++++ ...a-add-mask-irq-callback-to-gp-and-pp.patch | 145 +++++++++++++ ...qs-in-timeout-path-before-hard-reset.patch | 63 ++++++ ...r-replace-spin_lock-by-raw_spin_lock.patch | 155 ++++++++++++++ ...r-sb_inlinecrypt-flag-in-default_opt.patch | 49 +++++ ...add-quirk-for-logitech-casa-touchpad.patch | 56 ++++++ ...-smmu-v3-free-msis-in-case-of-enomem.patch | 40 ++++ ...ftest-arm64-add-a-null-pointer-check.patch | 48 +++++ ...ps-octeon-add-pcie-link-status-check.patch | 55 +++++ ...ce-condition-in-netpoll_owner_active.patch | 52 +++++ ...bh-when-taking-works-lock-on-mt-path.patch | 62 ++++++ ...old-for-hp-pavilion-17-pc-1972-pcie-.patch | 71 +++++++ ...s_usbpd-provide-id-table-for-avoidin.patch | 66 ++++++ ...-clang-null-pointer-arithmetic-warni.patch | 85 ++++++++ ...enforce-hcall-result-buffer-validity.patch | 82 ++++++++ ...nvalid-context-warning-when-enable-s.patch | 120 +++++++++++ ...cu_torture_one_read-pipe_count-overf.patch | 39 ++++ ...rash-while-reading-debugfs-attribute.patch | 95 +++++++++ ...x-flaky-test-btf_map_in_map-lookup_u.patch | 87 ++++++++ ...event-client-connect-before-server-b.patch | 82 ++++++++ ...-adding-missing-cti-and-exar-pci-ids.patch | 77 +++++++ queue-5.10/series | 30 +++ ...ent-overflow-in-udf_disk_stamp_to_ti.patch | 54 +++++ ...check-for-incompatible-versions-of-t.patch | 75 +++++++ ...-work-around-memset-overflow-warning.patch | 72 +++++++ 31 files changed, 2406 insertions(+) create mode 100644 queue-5.10/acpi-video-add-backlight-native-quirk-for-lenovo-sli.patch create mode 100644 queue-5.10/af_packet-avoid-a-false-positive-warning-in-packet_s.patch create mode 100644 queue-5.10/asoc-intel-sof_sdw-add-jd2-quirk-for-hp-omen-14.patch create mode 100644 queue-5.10/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch create mode 100644 queue-5.10/block-ioctl-prefer-different-overflow-check.patch create mode 100644 queue-5.10/bluetooth-ath3k-fix-multiple-issues-reported-by-chec.patch create mode 100644 queue-5.10/drm-amd-display-exit-idle-optimizations-before-hdcp-.patch create mode 100644 queue-5.10/drm-lima-add-mask-irq-callback-to-gp-and-pp.patch create mode 100644 queue-5.10/drm-lima-mask-irqs-in-timeout-path-before-hard-reset.patch create mode 100644 queue-5.10/drop_monitor-replace-spin_lock-by-raw_spin_lock.patch create mode 100644 queue-5.10/f2fs-remove-clear-sb_inlinecrypt-flag-in-default_opt.patch create mode 100644 queue-5.10/hid-add-quirk-for-logitech-casa-touchpad.patch create mode 100644 queue-5.10/iommu-arm-smmu-v3-free-msis-in-case-of-enomem.patch create mode 100644 queue-5.10/kselftest-arm64-add-a-null-pointer-check.patch create mode 100644 queue-5.10/mips-octeon-add-pcie-link-status-check.patch create mode 100644 queue-5.10/netpoll-fix-race-condition-in-netpoll_owner_active.patch create mode 100644 queue-5.10/padata-disable-bh-when-taking-works-lock-on-mt-path.patch create mode 100644 queue-5.10/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch create mode 100644 queue-5.10/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch create mode 100644 queue-5.10/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch create mode 100644 queue-5.10/powerpc-pseries-enforce-hcall-result-buffer-validity.patch create mode 100644 queue-5.10/rcutorture-fix-invalid-context-warning-when-enable-s.patch create mode 100644 queue-5.10/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch create mode 100644 queue-5.10/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch create mode 100644 queue-5.10/selftests-bpf-fix-flaky-test-btf_map_in_map-lookup_u.patch create mode 100644 queue-5.10/selftests-bpf-prevent-client-connect-before-server-b.patch create mode 100644 queue-5.10/serial-exar-adding-missing-cti-and-exar-pci-ids.patch create mode 100644 queue-5.10/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch create mode 100644 queue-5.10/usb-misc-uss720-check-for-incompatible-versions-of-t.patch create mode 100644 queue-5.10/wifi-ath9k-work-around-memset-overflow-warning.patch diff --git a/queue-5.10/acpi-video-add-backlight-native-quirk-for-lenovo-sli.patch b/queue-5.10/acpi-video-add-backlight-native-quirk-for-lenovo-sli.patch new file mode 100644 index 00000000000..b12b6c5e6d4 --- /dev/null +++ b/queue-5.10/acpi-video-add-backlight-native-quirk-for-lenovo-sli.patch @@ -0,0 +1,47 @@ +From f39c47768b4df16ecb503b3ee93ea2c1adc9681d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 16:08:50 +0200 +Subject: ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 + +From: Takashi Iwai + +[ Upstream commit c901f63dc142c48326931f164f787dfff69273d9 ] + +Lenovo Slim 7 16ARH7 is a machine with switchable graphics between AMD +and Nvidia, and the backlight can't be adjusted properly unless +acpi_backlight=native is passed. Although nvidia-wmi-backlight is +present and loaded, this doesn't work as expected at all. + +For making it working as default, add the corresponding quirk entry +with a DMI matching "LENOVO" "82UX". + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1217750 +Signed-off-by: Takashi Iwai +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index a5cb9e1d48bcc..338e1f44906a9 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -341,6 +341,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Lenovo Slim 7 16ARH7 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82UX"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Lenovo ThinkPad X131e (3371 AMD version) */ +-- +2.43.0 + diff --git a/queue-5.10/af_packet-avoid-a-false-positive-warning-in-packet_s.patch b/queue-5.10/af_packet-avoid-a-false-positive-warning-in-packet_s.patch new file mode 100644 index 00000000000..9beddacb251 --- /dev/null +++ b/queue-5.10/af_packet-avoid-a-false-positive-warning-in-packet_s.patch @@ -0,0 +1,81 @@ +From f2958cea9d2d17d4e31b5e7d8db69b9479ea15c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 11:49:39 +0000 +Subject: af_packet: avoid a false positive warning in packet_setsockopt() + +From: Eric Dumazet + +[ Upstream commit 86d43e2bf93ccac88ef71cee36a23282ebd9e427 ] + +Although the code is correct, the following line + + copy_from_sockptr(&req_u.req, optval, len)); + +triggers this warning : + +memcpy: detected field-spanning write (size 28) of single field "dst" at include/linux/sockptr.h:49 (size 16) + +Refactor the code to be more explicit. + +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Kees Cook +Cc: Willem de Bruijn +Reviewed-by: Kees Cook +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 8e52f09493053..9bec88fe35058 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3761,28 +3761,30 @@ packet_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, + case PACKET_TX_RING: + { + union tpacket_req_u req_u; +- int len; + ++ ret = -EINVAL; + lock_sock(sk); + switch (po->tp_version) { + case TPACKET_V1: + case TPACKET_V2: +- len = sizeof(req_u.req); ++ if (optlen < sizeof(req_u.req)) ++ break; ++ ret = copy_from_sockptr(&req_u.req, optval, ++ sizeof(req_u.req)) ? ++ -EINVAL : 0; + break; + case TPACKET_V3: + default: +- len = sizeof(req_u.req3); ++ if (optlen < sizeof(req_u.req3)) ++ break; ++ ret = copy_from_sockptr(&req_u.req3, optval, ++ sizeof(req_u.req3)) ? ++ -EINVAL : 0; + break; + } +- if (optlen < len) { +- ret = -EINVAL; +- } else { +- if (copy_from_sockptr(&req_u.req, optval, len)) +- ret = -EFAULT; +- else +- ret = packet_set_ring(sk, &req_u, 0, +- optname == PACKET_TX_RING); +- } ++ if (!ret) ++ ret = packet_set_ring(sk, &req_u, 0, ++ optname == PACKET_TX_RING); + release_sock(sk); + return ret; + } +-- +2.43.0 + diff --git a/queue-5.10/asoc-intel-sof_sdw-add-jd2-quirk-for-hp-omen-14.patch b/queue-5.10/asoc-intel-sof_sdw-add-jd2-quirk-for-hp-omen-14.patch new file mode 100644 index 00000000000..274a26fdf3a --- /dev/null +++ b/queue-5.10/asoc-intel-sof_sdw-add-jd2-quirk-for-hp-omen-14.patch @@ -0,0 +1,42 @@ +From 9b76240534c02db18b44730628b0de7bc566327a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 17:03:38 -0500 +Subject: ASoC: Intel: sof_sdw: add JD2 quirk for HP Omen 14 + +From: Pierre-Louis Bossart + +[ Upstream commit 4fee07fbf47d2a5f1065d985459e5ce7bf7969f0 ] + +The default JD1 does not seem to work, use JD2 instead. + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20240411220347.131267-4-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/sof_sdw.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c +index f36a0fda1b6ae..25bf73a7e7bfa 100644 +--- a/sound/soc/intel/boards/sof_sdw.c ++++ b/sound/soc/intel/boards/sof_sdw.c +@@ -216,6 +216,15 @@ static const struct dmi_system_id sof_sdw_quirk_table[] = { + }, + .driver_data = (void *)(SOF_SDW_PCH_DMIC), + }, ++ { ++ .callback = sof_sdw_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "OMEN Transcend Gaming Laptop"), ++ }, ++ .driver_data = (void *)(RT711_JD2), ++ }, ++ + /* LunarLake devices */ + { + .callback = sof_sdw_quirk_cb, +-- +2.43.0 + diff --git a/queue-5.10/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch b/queue-5.10/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch new file mode 100644 index 00000000000..7a5db2e4009 --- /dev/null +++ b/queue-5.10/batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch @@ -0,0 +1,110 @@ +From bb8811d01a49f91d636aae51fe9ad1d89fe7c87a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Mar 2024 15:54:38 +0000 +Subject: batman-adv: bypass empty buckets in batadv_purge_orig_ref() + +From: Eric Dumazet + +[ Upstream commit 40dc8ab605894acae1473e434944924a22cfaaa0 ] + +Many syzbot reports are pointing to soft lockups in +batadv_purge_orig_ref() [1] + +Root cause is unknown, but we can avoid spending too much +time there and perhaps get more interesting reports. + +[1] + +watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] +Modules linked in: +irq event stamp: 6182794 + hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 + hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] + hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 + softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline] + softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 + softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline] + softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271 +CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 +Workqueue: bat_events batadv_purge_orig +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] + pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 + lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 +sp : ffff800099007970 +x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000 +x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001 +x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4 +x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0 +x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001 +x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003 +x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000 +x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 +x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000 +Call trace: + __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] + arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] + __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 + __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] + _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 + spin_unlock_bh include/linux/spinlock.h:396 [inline] + batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 + batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 + process_one_work+0x694/0x1204 kernel/workqueue.c:2633 + process_scheduled_works kernel/workqueue.c:2706 [inline] + worker_thread+0x938/0xef4 kernel/workqueue.c:2787 + kthread+0x288/0x310 kernel/kthread.c:388 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 + lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103 +sp : ffff800093a17d30 +x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4 +x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002 +x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000 +x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396 +x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001 +x14: 1fffe00036805f10 x13: 0000000000000000 x12: 0000000000000003 +x11: 0000000000000001 x10: 0000000000000003 x9 : 0000000000000000 +x8 : 00000000000ce8d1 x7 : ffff8000804609e4 x6 : 0000000000000000 +x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008ad6aac0 +x2 : 0000000000000000 x1 : ffff80008aedea60 x0 : ffff800125436000 +Call trace: + __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] + arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49 + cpuidle_idle_call kernel/sched/idle.c:170 [inline] + do_idle+0x1f0/0x4e8 kernel/sched/idle.c:312 + cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:410 + secondary_start_kernel+0x198/0x1c0 arch/arm64/kernel/smp.c:272 + __secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:404 + +Signed-off-by: Eric Dumazet +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/originator.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c +index 2d38a09459bb5..3b2a3759efd6a 100644 +--- a/net/batman-adv/originator.c ++++ b/net/batman-adv/originator.c +@@ -1285,6 +1285,8 @@ void batadv_purge_orig_ref(struct batadv_priv *bat_priv) + /* for all origins... */ + for (i = 0; i < hash->size; i++) { + head = &hash->table[i]; ++ if (hlist_empty(head)) ++ continue; + list_lock = &hash->list_locks[i]; + + spin_lock_bh(list_lock); +-- +2.43.0 + diff --git a/queue-5.10/block-ioctl-prefer-different-overflow-check.patch b/queue-5.10/block-ioctl-prefer-different-overflow-check.patch new file mode 100644 index 00000000000..ea10a512b10 --- /dev/null +++ b/queue-5.10/block-ioctl-prefer-different-overflow-check.patch @@ -0,0 +1,88 @@ +From 128153db3016e89fa7a3fb564495232b8c17cd3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 03:53:49 +0000 +Subject: block/ioctl: prefer different overflow check + +From: Justin Stitt + +[ Upstream commit ccb326b5f9e623eb7f130fbbf2505ec0e2dcaff9 ] + +Running syzkaller with the newly reintroduced signed integer overflow +sanitizer shows this report: + +[ 62.982337] ------------[ cut here ]------------ +[ 62.985692] cgroup: Invalid name +[ 62.986211] UBSAN: signed-integer-overflow in ../block/ioctl.c:36:46 +[ 62.989370] 9pnet_fd: p9_fd_create_tcp (7343): problem connecting socket to 127.0.0.1 +[ 62.992992] 9223372036854775807 + 4095 cannot be represented in type 'long long' +[ 62.997827] 9pnet_fd: p9_fd_create_tcp (7345): problem connecting socket to 127.0.0.1 +[ 62.999369] random: crng reseeded on system resumption +[ 63.000634] GUP no longer grows the stack in syz-executor.2 (7353): 20002000-20003000 (20001000) +[ 63.000668] CPU: 0 PID: 7353 Comm: syz-executor.2 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1 +[ 63.000677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 63.000682] Call Trace: +[ 63.000686] +[ 63.000731] dump_stack_lvl+0x93/0xd0 +[ 63.000919] __get_user_pages+0x903/0xd30 +[ 63.001030] __gup_longterm_locked+0x153e/0x1ba0 +[ 63.001041] ? _raw_read_unlock_irqrestore+0x17/0x50 +[ 63.001072] ? try_get_folio+0x29c/0x2d0 +[ 63.001083] internal_get_user_pages_fast+0x1119/0x1530 +[ 63.001109] iov_iter_extract_pages+0x23b/0x580 +[ 63.001206] bio_iov_iter_get_pages+0x4de/0x1220 +[ 63.001235] iomap_dio_bio_iter+0x9b6/0x1410 +[ 63.001297] __iomap_dio_rw+0xab4/0x1810 +[ 63.001316] iomap_dio_rw+0x45/0xa0 +[ 63.001328] ext4_file_write_iter+0xdde/0x1390 +[ 63.001372] vfs_write+0x599/0xbd0 +[ 63.001394] ksys_write+0xc8/0x190 +[ 63.001403] do_syscall_64+0xd4/0x1b0 +[ 63.001421] ? arch_exit_to_user_mode_prepare+0x3a/0x60 +[ 63.001479] entry_SYSCALL_64_after_hwframe+0x6f/0x77 +[ 63.001535] RIP: 0033:0x7f7fd3ebf539 +[ 63.001551] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +[ 63.001562] RSP: 002b:00007f7fd32570c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 63.001584] RAX: ffffffffffffffda RBX: 00007f7fd3ff3f80 RCX: 00007f7fd3ebf539 +[ 63.001590] RDX: 4db6d1e4f7e43360 RSI: 0000000020000000 RDI: 0000000000000004 +[ 63.001595] RBP: 00007f7fd3f1e496 R08: 0000000000000000 R09: 0000000000000000 +[ 63.001599] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 63.001604] R13: 0000000000000006 R14: 00007f7fd3ff3f80 R15: 00007ffd415ad2b8 +... +[ 63.018142] ---[ end trace ]--- + +Historically, the signed integer overflow sanitizer did not work in the +kernel due to its interaction with `-fwrapv` but this has since been +changed [1] in the newest version of Clang; It was re-enabled in the +kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow +sanitizer"). + +Let's rework this overflow checking logic to not actually perform an +overflow during the check itself, thus avoiding the UBSAN splat. + +[1]: https://github.com/llvm/llvm-project/pull/82432 + +Signed-off-by: Justin Stitt +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20240507-b4-sio-block-ioctl-v3-1-ba0c2b32275e@google.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/ioctl.c b/block/ioctl.c +index bc97698e0e8a3..11e692741f17c 100644 +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -32,7 +32,7 @@ static int blkpg_do_ioctl(struct block_device *bdev, + if (op == BLKPG_DEL_PARTITION) + return bdev_del_partition(bdev, p.pno); + +- if (p.start < 0 || p.length <= 0 || p.start + p.length < 0) ++ if (p.start < 0 || p.length <= 0 || LLONG_MAX - p.length < p.start) + return -EINVAL; + /* Check that the partition is aligned to the block size */ + if (!IS_ALIGNED(p.start | p.length, bdev_logical_block_size(bdev))) +-- +2.43.0 + diff --git a/queue-5.10/bluetooth-ath3k-fix-multiple-issues-reported-by-chec.patch b/queue-5.10/bluetooth-ath3k-fix-multiple-issues-reported-by-chec.patch new file mode 100644 index 00000000000..c914709dcfe --- /dev/null +++ b/queue-5.10/bluetooth-ath3k-fix-multiple-issues-reported-by-chec.patch @@ -0,0 +1,190 @@ +From 7962830891d3290583d98ff1c1687db5242669b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Apr 2024 00:42:24 +0300 +Subject: Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl + +From: Uri Arev + +[ Upstream commit 68aa21054ec3a1a313af90a5f95ade16c3326d20 ] + +This fixes some CHECKs reported by the checkpatch script. + +Issues reported in ath3k.c: +------- +ath3k.c +------- +CHECK: Please don't use multiple blank lines ++ ++ + +CHECK: Blank lines aren't necessary after an open brace '{' ++static const struct usb_device_id ath3k_blist_tbl[] = { ++ + +CHECK: Alignment should match open parenthesis ++static int ath3k_load_firmware(struct usb_device *udev, ++ const struct firmware *firmware) + +CHECK: Alignment should match open parenthesis ++ err = usb_bulk_msg(udev, pipe, send_buf, size, ++ &len, 3000); + +CHECK: Unnecessary parentheses around 'len != size' ++ if (err || (len != size)) { + +CHECK: Alignment should match open parenthesis ++static int ath3k_get_version(struct usb_device *udev, ++ struct ath3k_version *version) + +CHECK: Alignment should match open parenthesis ++static int ath3k_load_fwfile(struct usb_device *udev, ++ const struct firmware *firmware) + +CHECK: Alignment should match open parenthesis ++ err = usb_bulk_msg(udev, pipe, send_buf, size, ++ &len, 3000); + +CHECK: Unnecessary parentheses around 'len != size' ++ if (err || (len != size)) { + +CHECK: Blank lines aren't necessary after an open brace '{' ++ switch (fw_version.ref_clock) { ++ + +CHECK: Alignment should match open parenthesis ++ snprintf(filename, ATH3K_NAME_LEN, "ar3k/ramps_0x%08x_%d%s", ++ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu"); + +CHECK: Alignment should match open parenthesis ++static int ath3k_probe(struct usb_interface *intf, ++ const struct usb_device_id *id) + +CHECK: Alignment should match open parenthesis ++ BT_ERR("Firmware file \"%s\" not found", ++ ATH3K_FIRMWARE); + +CHECK: Alignment should match open parenthesis ++ BT_ERR("Firmware file \"%s\" request failed (err=%d)", ++ ATH3K_FIRMWARE, ret); + +total: 0 errors, 0 warnings, 14 checks, 540 lines checked + +Signed-off-by: Uri Arev +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/ath3k.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index 759d7828931d9..56ada48104f0e 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -3,7 +3,6 @@ + * Copyright (c) 2008-2009 Atheros Communications Inc. + */ + +- + #include + #include + #include +@@ -129,7 +128,6 @@ MODULE_DEVICE_TABLE(usb, ath3k_table); + * for AR3012 + */ + static const struct usb_device_id ath3k_blist_tbl[] = { +- + /* Atheros AR3012 with sflash firmware*/ + { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, +@@ -203,7 +201,7 @@ static inline void ath3k_log_failed_loading(int err, int len, int size, + #define TIMEGAP_USEC_MAX 100 + + static int ath3k_load_firmware(struct usb_device *udev, +- const struct firmware *firmware) ++ const struct firmware *firmware) + { + u8 *send_buf; + int len = 0; +@@ -238,9 +236,9 @@ static int ath3k_load_firmware(struct usb_device *udev, + memcpy(send_buf, firmware->data + sent, size); + + err = usb_bulk_msg(udev, pipe, send_buf, size, +- &len, 3000); ++ &len, 3000); + +- if (err || (len != size)) { ++ if (err || len != size) { + ath3k_log_failed_loading(err, len, size, count); + goto error; + } +@@ -263,7 +261,7 @@ static int ath3k_get_state(struct usb_device *udev, unsigned char *state) + } + + static int ath3k_get_version(struct usb_device *udev, +- struct ath3k_version *version) ++ struct ath3k_version *version) + { + return usb_control_msg_recv(udev, 0, ATH3K_GETVERSION, + USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, +@@ -272,7 +270,7 @@ static int ath3k_get_version(struct usb_device *udev, + } + + static int ath3k_load_fwfile(struct usb_device *udev, +- const struct firmware *firmware) ++ const struct firmware *firmware) + { + u8 *send_buf; + int len = 0; +@@ -311,8 +309,8 @@ static int ath3k_load_fwfile(struct usb_device *udev, + memcpy(send_buf, firmware->data + sent, size); + + err = usb_bulk_msg(udev, pipe, send_buf, size, +- &len, 3000); +- if (err || (len != size)) { ++ &len, 3000); ++ if (err || len != size) { + ath3k_log_failed_loading(err, len, size, count); + kfree(send_buf); + return err; +@@ -426,7 +424,6 @@ static int ath3k_load_syscfg(struct usb_device *udev) + } + + switch (fw_version.ref_clock) { +- + case ATH3K_XTAL_FREQ_26M: + clk_value = 26; + break; +@@ -442,7 +439,7 @@ static int ath3k_load_syscfg(struct usb_device *udev) + } + + snprintf(filename, ATH3K_NAME_LEN, "ar3k/ramps_0x%08x_%d%s", +- le32_to_cpu(fw_version.rom_version), clk_value, ".dfu"); ++ le32_to_cpu(fw_version.rom_version), clk_value, ".dfu"); + + ret = request_firmware(&firmware, filename, &udev->dev); + if (ret < 0) { +@@ -457,7 +454,7 @@ static int ath3k_load_syscfg(struct usb_device *udev) + } + + static int ath3k_probe(struct usb_interface *intf, +- const struct usb_device_id *id) ++ const struct usb_device_id *id) + { + const struct firmware *firmware; + struct usb_device *udev = interface_to_usbdev(intf); +@@ -506,10 +503,10 @@ static int ath3k_probe(struct usb_interface *intf, + if (ret < 0) { + if (ret == -ENOENT) + BT_ERR("Firmware file \"%s\" not found", +- ATH3K_FIRMWARE); ++ ATH3K_FIRMWARE); + else + BT_ERR("Firmware file \"%s\" request failed (err=%d)", +- ATH3K_FIRMWARE, ret); ++ ATH3K_FIRMWARE, ret); + return ret; + } + +-- +2.43.0 + diff --git a/queue-5.10/drm-amd-display-exit-idle-optimizations-before-hdcp-.patch b/queue-5.10/drm-amd-display-exit-idle-optimizations-before-hdcp-.patch new file mode 100644 index 00000000000..4dcc4e78e13 --- /dev/null +++ b/queue-5.10/drm-amd-display-exit-idle-optimizations-before-hdcp-.patch @@ -0,0 +1,88 @@ +From 3f9ed25867f1985ba0bacae110b9a533b480b692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Feb 2024 16:51:59 -0500 +Subject: drm/amd/display: Exit idle optimizations before HDCP execution + +From: Nicholas Kazlauskas + +[ Upstream commit f30a3bea92bdab398531129d187629fb1d28f598 ] + +[WHY] +PSP can access DCN registers during command submission and we need +to ensure that DCN is not in PG before doing so. + +[HOW] +Add a callback to DM to lock and notify DC for idle optimization exit. +It can't be DC directly because of a potential race condition with the +link protection thread and the rest of DM operation. + +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Charlene Liu +Acked-by: Alex Hung +Signed-off-by: Nicholas Kazlauskas +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ++++++++++ + drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 ++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c +index fa8aeec304ef4..c39cb4b6767cf 100644 +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c +@@ -86,6 +86,14 @@ static uint8_t is_cp_desired_hdcp2(struct mod_hdcp *hdcp) + !hdcp->connection.is_hdcp2_revoked; + } + ++static void exit_idle_optimizations(struct mod_hdcp *hdcp) ++{ ++ struct mod_hdcp_dm *dm = &hdcp->config.dm; ++ ++ if (dm->funcs.exit_idle_optimizations) ++ dm->funcs.exit_idle_optimizations(dm->handle); ++} ++ + static enum mod_hdcp_status execution(struct mod_hdcp *hdcp, + struct mod_hdcp_event_context *event_ctx, + union mod_hdcp_transition_input *input) +@@ -448,6 +456,8 @@ enum mod_hdcp_status mod_hdcp_process_event(struct mod_hdcp *hdcp, + memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context)); + event_ctx.event = event; + ++ exit_idle_optimizations(hdcp); ++ + /* execute and transition */ + exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input); + trans_status = transition( +diff --git a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h +index eed560eecbab4..fb195276fb704 100644 +--- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h ++++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h +@@ -143,6 +143,13 @@ struct mod_hdcp_ddc { + } funcs; + }; + ++struct mod_hdcp_dm { ++ void *handle; ++ struct { ++ void (*exit_idle_optimizations)(void *handle); ++ } funcs; ++}; ++ + struct mod_hdcp_psp { + void *handle; + void *funcs; +@@ -252,6 +259,7 @@ struct mod_hdcp_display_query { + struct mod_hdcp_config { + struct mod_hdcp_psp psp; + struct mod_hdcp_ddc ddc; ++ struct mod_hdcp_dm dm; + uint8_t index; + }; + +-- +2.43.0 + diff --git a/queue-5.10/drm-lima-add-mask-irq-callback-to-gp-and-pp.patch b/queue-5.10/drm-lima-add-mask-irq-callback-to-gp-and-pp.patch new file mode 100644 index 00000000000..a6347243a3a --- /dev/null +++ b/queue-5.10/drm-lima-add-mask-irq-callback-to-gp-and-pp.patch @@ -0,0 +1,145 @@ +From dea8f22d742f12dc2037051d9625699e961b1ee0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 17:29:49 +0200 +Subject: drm/lima: add mask irq callback to gp and pp + +From: Erico Nunes + +[ Upstream commit 49c13b4d2dd4a831225746e758893673f6ae961c ] + +This is needed because we want to reset those devices in device-agnostic +code such as lima_sched. +In particular, masking irqs will be useful before a hard reset to +prevent race conditions. + +Signed-off-by: Erico Nunes +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20240405152951.1531555-2-nunes.erico@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_bcast.c | 12 ++++++++++++ + drivers/gpu/drm/lima/lima_bcast.h | 3 +++ + drivers/gpu/drm/lima/lima_gp.c | 8 ++++++++ + drivers/gpu/drm/lima/lima_pp.c | 18 ++++++++++++++++++ + drivers/gpu/drm/lima/lima_sched.h | 1 + + 5 files changed, 42 insertions(+) + +diff --git a/drivers/gpu/drm/lima/lima_bcast.c b/drivers/gpu/drm/lima/lima_bcast.c +index fbc43f243c54d..6d000504e1a4e 100644 +--- a/drivers/gpu/drm/lima/lima_bcast.c ++++ b/drivers/gpu/drm/lima/lima_bcast.c +@@ -43,6 +43,18 @@ void lima_bcast_suspend(struct lima_ip *ip) + + } + ++int lima_bcast_mask_irq(struct lima_ip *ip) ++{ ++ bcast_write(LIMA_BCAST_BROADCAST_MASK, 0); ++ bcast_write(LIMA_BCAST_INTERRUPT_MASK, 0); ++ return 0; ++} ++ ++int lima_bcast_reset(struct lima_ip *ip) ++{ ++ return lima_bcast_hw_init(ip); ++} ++ + int lima_bcast_init(struct lima_ip *ip) + { + int i; +diff --git a/drivers/gpu/drm/lima/lima_bcast.h b/drivers/gpu/drm/lima/lima_bcast.h +index 465ee587bceb2..cd08841e47879 100644 +--- a/drivers/gpu/drm/lima/lima_bcast.h ++++ b/drivers/gpu/drm/lima/lima_bcast.h +@@ -13,4 +13,7 @@ void lima_bcast_fini(struct lima_ip *ip); + + void lima_bcast_enable(struct lima_device *dev, int num_pp); + ++int lima_bcast_mask_irq(struct lima_ip *ip); ++int lima_bcast_reset(struct lima_ip *ip); ++ + #endif +diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c +index 8dd501b7a3d0d..6cf46b653e810 100644 +--- a/drivers/gpu/drm/lima/lima_gp.c ++++ b/drivers/gpu/drm/lima/lima_gp.c +@@ -212,6 +212,13 @@ static void lima_gp_task_mmu_error(struct lima_sched_pipe *pipe) + lima_sched_pipe_task_done(pipe); + } + ++static void lima_gp_task_mask_irq(struct lima_sched_pipe *pipe) ++{ ++ struct lima_ip *ip = pipe->processor[0]; ++ ++ gp_write(LIMA_GP_INT_MASK, 0); ++} ++ + static int lima_gp_task_recover(struct lima_sched_pipe *pipe) + { + struct lima_ip *ip = pipe->processor[0]; +@@ -344,6 +351,7 @@ int lima_gp_pipe_init(struct lima_device *dev) + pipe->task_error = lima_gp_task_error; + pipe->task_mmu_error = lima_gp_task_mmu_error; + pipe->task_recover = lima_gp_task_recover; ++ pipe->task_mask_irq = lima_gp_task_mask_irq; + + return 0; + } +diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c +index a5c95bed08c09..54b208a4a768e 100644 +--- a/drivers/gpu/drm/lima/lima_pp.c ++++ b/drivers/gpu/drm/lima/lima_pp.c +@@ -408,6 +408,9 @@ static void lima_pp_task_error(struct lima_sched_pipe *pipe) + + lima_pp_hard_reset(ip); + } ++ ++ if (pipe->bcast_processor) ++ lima_bcast_reset(pipe->bcast_processor); + } + + static void lima_pp_task_mmu_error(struct lima_sched_pipe *pipe) +@@ -416,6 +419,20 @@ static void lima_pp_task_mmu_error(struct lima_sched_pipe *pipe) + lima_sched_pipe_task_done(pipe); + } + ++static void lima_pp_task_mask_irq(struct lima_sched_pipe *pipe) ++{ ++ int i; ++ ++ for (i = 0; i < pipe->num_processor; i++) { ++ struct lima_ip *ip = pipe->processor[i]; ++ ++ pp_write(LIMA_PP_INT_MASK, 0); ++ } ++ ++ if (pipe->bcast_processor) ++ lima_bcast_mask_irq(pipe->bcast_processor); ++} ++ + static struct kmem_cache *lima_pp_task_slab; + static int lima_pp_task_slab_refcnt; + +@@ -447,6 +464,7 @@ int lima_pp_pipe_init(struct lima_device *dev) + pipe->task_fini = lima_pp_task_fini; + pipe->task_error = lima_pp_task_error; + pipe->task_mmu_error = lima_pp_task_mmu_error; ++ pipe->task_mask_irq = lima_pp_task_mask_irq; + + return 0; + } +diff --git a/drivers/gpu/drm/lima/lima_sched.h b/drivers/gpu/drm/lima/lima_sched.h +index 90f03c48ef4a8..f8bbfa69baea6 100644 +--- a/drivers/gpu/drm/lima/lima_sched.h ++++ b/drivers/gpu/drm/lima/lima_sched.h +@@ -83,6 +83,7 @@ struct lima_sched_pipe { + void (*task_error)(struct lima_sched_pipe *pipe); + void (*task_mmu_error)(struct lima_sched_pipe *pipe); + int (*task_recover)(struct lima_sched_pipe *pipe); ++ void (*task_mask_irq)(struct lima_sched_pipe *pipe); + + struct work_struct recover_work; + }; +-- +2.43.0 + diff --git a/queue-5.10/drm-lima-mask-irqs-in-timeout-path-before-hard-reset.patch b/queue-5.10/drm-lima-mask-irqs-in-timeout-path-before-hard-reset.patch new file mode 100644 index 00000000000..ec49d4ba57d --- /dev/null +++ b/queue-5.10/drm-lima-mask-irqs-in-timeout-path-before-hard-reset.patch @@ -0,0 +1,63 @@ +From 721a8eb0833b4090e2e85edaf1da02ae20fe9c2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 17:29:51 +0200 +Subject: drm/lima: mask irqs in timeout path before hard reset + +From: Erico Nunes + +[ Upstream commit a421cc7a6a001b70415aa4f66024fa6178885a14 ] + +There is a race condition in which a rendering job might take just long +enough to trigger the drm sched job timeout handler but also still +complete before the hard reset is done by the timeout handler. +This runs into race conditions not expected by the timeout handler. +In some very specific cases it currently may result in a refcount +imbalance on lima_pm_idle, with a stack dump such as: + +[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0 +... +[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0 +... +[10136.669628] Call trace: +[10136.669634] lima_devfreq_record_idle+0xa0/0xb0 +[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0 +[10136.669656] lima_gp_irq_handler+0xa8/0x120 +[10136.669666] __handle_irq_event_percpu+0x48/0x160 +[10136.669679] handle_irq_event+0x4c/0xc0 + +We can prevent that race condition entirely by masking the irqs at the +beginning of the timeout handler, at which point we give up on waiting +for that job entirely. +The irqs will be enabled again at the next hard reset which is already +done as a recovery by the timeout handler. + +Signed-off-by: Erico Nunes +Reviewed-by: Qiang Yu +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20240405152951.1531555-4-nunes.erico@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_sched.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/lima/lima_sched.c b/drivers/gpu/drm/lima/lima_sched.c +index f6e7a88a56f1b..290f875c28598 100644 +--- a/drivers/gpu/drm/lima/lima_sched.c ++++ b/drivers/gpu/drm/lima/lima_sched.c +@@ -419,6 +419,13 @@ static void lima_sched_timedout_job(struct drm_sched_job *job) + struct lima_sched_task *task = to_lima_task(job); + struct lima_device *ldev = pipe->ldev; + ++ /* ++ * The task might still finish while this timeout handler runs. ++ * To prevent a race condition on its completion, mask all irqs ++ * on the running core until the next hard reset completes. ++ */ ++ pipe->task_mask_irq(pipe); ++ + if (!pipe->error) + DRM_ERROR("lima job timeout\n"); + +-- +2.43.0 + diff --git a/queue-5.10/drop_monitor-replace-spin_lock-by-raw_spin_lock.patch b/queue-5.10/drop_monitor-replace-spin_lock-by-raw_spin_lock.patch new file mode 100644 index 00000000000..a5ae34069a6 --- /dev/null +++ b/queue-5.10/drop_monitor-replace-spin_lock-by-raw_spin_lock.patch @@ -0,0 +1,155 @@ +From 0fe686e23310e558c81906de7e7729bc4b123312 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Apr 2024 11:13:46 -0300 +Subject: drop_monitor: replace spin_lock by raw_spin_lock + +From: Wander Lairson Costa + +[ Upstream commit f1e197a665c2148ebc25fe09c53689e60afea195 ] + +trace_drop_common() is called with preemption disabled, and it acquires +a spin_lock. This is problematic for RT kernels because spin_locks are +sleeping locks in this configuration, which causes the following splat: + +BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 +preempt_count: 1, expected: 0 +RCU nest depth: 2, expected: 2 +5 locks held by rcuc/47/449: + #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210 + #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130 + #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210 + #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70 + #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290 +irq event stamp: 139909 +hardirqs last enabled at (139908): [] _raw_spin_unlock_irqrestore+0x63/0x80 +hardirqs last disabled at (139909): [] trace_drop_common.constprop.0+0x26d/0x290 +softirqs last enabled at (139892): [] __local_bh_enable_ip+0x103/0x170 +softirqs last disabled at (139898): [] rcu_cpu_kthread+0x93/0x1f0 +Preemption disabled at: +[] rt_mutex_slowunlock+0xab/0x2e0 +CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7 +Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022 +Call Trace: + + dump_stack_lvl+0x8c/0xd0 + dump_stack+0x14/0x20 + __might_resched+0x21e/0x2f0 + rt_spin_lock+0x5e/0x130 + ? trace_drop_common.constprop.0+0xb5/0x290 + ? skb_queue_purge_reason.part.0+0x1bf/0x230 + trace_drop_common.constprop.0+0xb5/0x290 + ? preempt_count_sub+0x1c/0xd0 + ? _raw_spin_unlock_irqrestore+0x4a/0x80 + ? __pfx_trace_drop_common.constprop.0+0x10/0x10 + ? rt_mutex_slowunlock+0x26a/0x2e0 + ? skb_queue_purge_reason.part.0+0x1bf/0x230 + ? __pfx_rt_mutex_slowunlock+0x10/0x10 + ? skb_queue_purge_reason.part.0+0x1bf/0x230 + trace_kfree_skb_hit+0x15/0x20 + trace_kfree_skb+0xe9/0x150 + kfree_skb_reason+0x7b/0x110 + skb_queue_purge_reason.part.0+0x1bf/0x230 + ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10 + ? mark_lock.part.0+0x8a/0x520 +... + +trace_drop_common() also disables interrupts, but this is a minor issue +because we could easily replace it with a local_lock. + +Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic +context. + +Signed-off-by: Wander Lairson Costa +Reported-by: Hu Chunyu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/drop_monitor.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c +index 7742ee689141f..009b9e22c4e75 100644 +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -73,7 +73,7 @@ struct net_dm_hw_entries { + }; + + struct per_cpu_dm_data { +- spinlock_t lock; /* Protects 'skb', 'hw_entries' and ++ raw_spinlock_t lock; /* Protects 'skb', 'hw_entries' and + * 'send_timer' + */ + union { +@@ -168,9 +168,9 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data) + err: + mod_timer(&data->send_timer, jiffies + HZ / 10); + out: +- spin_lock_irqsave(&data->lock, flags); ++ raw_spin_lock_irqsave(&data->lock, flags); + swap(data->skb, skb); +- spin_unlock_irqrestore(&data->lock, flags); ++ raw_spin_unlock_irqrestore(&data->lock, flags); + + if (skb) { + struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data; +@@ -225,7 +225,7 @@ static void trace_drop_common(struct sk_buff *skb, void *location) + + local_irq_save(flags); + data = this_cpu_ptr(&dm_cpu_data); +- spin_lock(&data->lock); ++ raw_spin_lock(&data->lock); + dskb = data->skb; + + if (!dskb) +@@ -259,7 +259,7 @@ static void trace_drop_common(struct sk_buff *skb, void *location) + } + + out: +- spin_unlock_irqrestore(&data->lock, flags); ++ raw_spin_unlock_irqrestore(&data->lock, flags); + } + + static void trace_kfree_skb_hit(void *ignore, struct sk_buff *skb, void *location) +@@ -318,9 +318,9 @@ net_dm_hw_reset_per_cpu_data(struct per_cpu_dm_data *hw_data) + mod_timer(&hw_data->send_timer, jiffies + HZ / 10); + } + +- spin_lock_irqsave(&hw_data->lock, flags); ++ raw_spin_lock_irqsave(&hw_data->lock, flags); + swap(hw_data->hw_entries, hw_entries); +- spin_unlock_irqrestore(&hw_data->lock, flags); ++ raw_spin_unlock_irqrestore(&hw_data->lock, flags); + + return hw_entries; + } +@@ -452,7 +452,7 @@ net_dm_hw_trap_summary_probe(void *ignore, const struct devlink *devlink, + return; + + hw_data = this_cpu_ptr(&dm_hw_cpu_data); +- spin_lock_irqsave(&hw_data->lock, flags); ++ raw_spin_lock_irqsave(&hw_data->lock, flags); + hw_entries = hw_data->hw_entries; + + if (!hw_entries) +@@ -481,7 +481,7 @@ net_dm_hw_trap_summary_probe(void *ignore, const struct devlink *devlink, + } + + out: +- spin_unlock_irqrestore(&hw_data->lock, flags); ++ raw_spin_unlock_irqrestore(&hw_data->lock, flags); + } + + static const struct net_dm_alert_ops net_dm_alert_summary_ops = { +@@ -1669,7 +1669,7 @@ static struct notifier_block dropmon_net_notifier = { + + static void __net_dm_cpu_data_init(struct per_cpu_dm_data *data) + { +- spin_lock_init(&data->lock); ++ raw_spin_lock_init(&data->lock); + skb_queue_head_init(&data->drop_queue); + u64_stats_init(&data->stats.syncp); + } +-- +2.43.0 + diff --git a/queue-5.10/f2fs-remove-clear-sb_inlinecrypt-flag-in-default_opt.patch b/queue-5.10/f2fs-remove-clear-sb_inlinecrypt-flag-in-default_opt.patch new file mode 100644 index 00000000000..49349200263 --- /dev/null +++ b/queue-5.10/f2fs-remove-clear-sb_inlinecrypt-flag-in-default_opt.patch @@ -0,0 +1,49 @@ +From 692a7f2aa0e0208daad3383ade5777f94df1c46c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 14:10:43 +0800 +Subject: f2fs: remove clear SB_INLINECRYPT flag in default_options + +From: Yunlei He + +[ Upstream commit ac5eecf481c29942eb9a862e758c0c8b68090c33 ] + +In f2fs_remount, SB_INLINECRYPT flag will be clear and re-set. +If create new file or open file during this gap, these files +will not use inlinecrypt. Worse case, it may lead to data +corruption if wrappedkey_v0 is enable. + +Thread A: Thread B: + +-f2fs_remount -f2fs_file_open or f2fs_new_inode + -default_options + <- clear SB_INLINECRYPT flag + + -fscrypt_select_encryption_impl + + -parse_options + <- set SB_INLINECRYPT again + +Signed-off-by: Yunlei He +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 1281b59da6a2a..9fed42e7bb1d2 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1745,8 +1745,6 @@ static void default_options(struct f2fs_sb_info *sbi) + F2FS_OPTION(sbi).compress_mode = COMPR_MODE_FS; + F2FS_OPTION(sbi).bggc_mode = BGGC_MODE_ON; + +- sbi->sb->s_flags &= ~SB_INLINECRYPT; +- + set_opt(sbi, INLINE_XATTR); + set_opt(sbi, INLINE_DATA); + set_opt(sbi, INLINE_DENTRY); +-- +2.43.0 + diff --git a/queue-5.10/hid-add-quirk-for-logitech-casa-touchpad.patch b/queue-5.10/hid-add-quirk-for-logitech-casa-touchpad.patch new file mode 100644 index 00000000000..59e97c4db58 --- /dev/null +++ b/queue-5.10/hid-add-quirk-for-logitech-casa-touchpad.patch @@ -0,0 +1,56 @@ +From 0c58048139702bafe0cba5a0876e5217364a6894 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 18:08:05 +0000 +Subject: HID: Add quirk for Logitech Casa touchpad + +From: Sean O'Brien + +[ Upstream commit dd2c345a94cfa3873cc20db87387ee509c345c1b ] + +This device sometimes doesn't send touch release signals when moving +from >=4 fingers to <4 fingers. Using MT_QUIRK_NOT_SEEN_MEANS_UP instead +of MT_QUIRK_ALWAYS_VALID makes sure that no touches become stuck. + +MT_QUIRK_FORCE_MULTI_INPUT is not necessary for this device, but does no +harm. + +Signed-off-by: Sean O'Brien +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-multitouch.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 0732fe6c7a853..9f3f7588fe46d 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -765,6 +765,7 @@ + #define USB_DEVICE_ID_LOGITECH_AUDIOHUB 0x0a0e + #define USB_DEVICE_ID_LOGITECH_T651 0xb00c + #define USB_DEVICE_ID_LOGITECH_DINOVO_EDGE_KBD 0xb309 ++#define USB_DEVICE_ID_LOGITECH_CASA_TOUCHPAD 0xbb00 + #define USB_DEVICE_ID_LOGITECH_C007 0xc007 + #define USB_DEVICE_ID_LOGITECH_C077 0xc077 + #define USB_DEVICE_ID_LOGITECH_RECEIVER 0xc101 +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 8dcd636daf270..e7b047421f3d9 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1998,6 +1998,12 @@ static const struct hid_device_id mt_devices[] = { + USB_VENDOR_ID_LENOVO, + USB_DEVICE_ID_LENOVO_X12_TAB) }, + ++ /* Logitech devices */ ++ { .driver_data = MT_CLS_NSMU, ++ HID_DEVICE(BUS_BLUETOOTH, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_LOGITECH, ++ USB_DEVICE_ID_LOGITECH_CASA_TOUCHPAD) }, ++ + /* MosArt panels */ + { .driver_data = MT_CLS_CONFIDENCE_MINUS_ONE, + MT_USB_DEVICE(USB_VENDOR_ID_ASUS, +-- +2.43.0 + diff --git a/queue-5.10/iommu-arm-smmu-v3-free-msis-in-case-of-enomem.patch b/queue-5.10/iommu-arm-smmu-v3-free-msis-in-case-of-enomem.patch new file mode 100644 index 00000000000..4720ca58d30 --- /dev/null +++ b/queue-5.10/iommu-arm-smmu-v3-free-msis-in-case-of-enomem.patch @@ -0,0 +1,40 @@ +From 614f76c724706f2d2bf1f08ccb078737dd270f1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 12:37:59 +0700 +Subject: iommu/arm-smmu-v3: Free MSIs in case of ENOMEM + +From: Aleksandr Aprelkov + +[ Upstream commit 80fea979dd9d48d67c5b48d2f690c5da3e543ebd ] + +If devm_add_action() returns -ENOMEM, then MSIs are allocated but not +not freed on teardown. Use devm_add_action_or_reset() instead to keep +the static analyser happy. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Aleksandr Aprelkov +Link: https://lore.kernel.org/r/20240403053759.643164-1-aaprelkov@usergate.com +[will: Tweak commit message, remove warning message] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +index 982c42c873102..9ac7b37290eb0 100644 +--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c ++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +@@ -2925,7 +2925,7 @@ static void arm_smmu_setup_msis(struct arm_smmu_device *smmu) + } + + /* Add callback to free MSIs on teardown */ +- devm_add_action(dev, arm_smmu_free_msis, dev); ++ devm_add_action_or_reset(dev, arm_smmu_free_msis, dev); + } + + static void arm_smmu_setup_unique_irqs(struct arm_smmu_device *smmu) +-- +2.43.0 + diff --git a/queue-5.10/kselftest-arm64-add-a-null-pointer-check.patch b/queue-5.10/kselftest-arm64-add-a-null-pointer-check.patch new file mode 100644 index 00000000000..87d9edc96d1 --- /dev/null +++ b/queue-5.10/kselftest-arm64-add-a-null-pointer-check.patch @@ -0,0 +1,48 @@ +From 94e568bdbf1fb295d90c214b30b6094b7314090b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Apr 2024 16:21:02 +0800 +Subject: kselftest: arm64: Add a null pointer check + +From: Kunwu Chan + +[ Upstream commit 80164282b3620a3cb73de6ffda5592743e448d0e ] + +There is a 'malloc' call, which can be unsuccessful. +This patch will add the malloc failure checking +to avoid possible null dereference and give more information +about test fail reasons. + +Signed-off-by: Kunwu Chan +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/r/20240423082102.2018886-1-chentao@kylinos.cn +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/arm64/tags/tags_test.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/arm64/tags/tags_test.c b/tools/testing/selftests/arm64/tags/tags_test.c +index 5701163460ef7..955f87c1170d7 100644 +--- a/tools/testing/selftests/arm64/tags/tags_test.c ++++ b/tools/testing/selftests/arm64/tags/tags_test.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include "../../kselftest.h" + + #define SHIFT_TAG(tag) ((uint64_t)(tag) << 56) + #define SET_TAG(ptr, tag) (((uint64_t)(ptr) & ~SHIFT_TAG(0xff)) | \ +@@ -21,6 +22,9 @@ int main(void) + if (prctl(PR_SET_TAGGED_ADDR_CTRL, PR_TAGGED_ADDR_ENABLE, 0, 0, 0) == 0) + tbi_enabled = 1; + ptr = (struct utsname *)malloc(sizeof(*ptr)); ++ if (!ptr) ++ ksft_exit_fail_msg("Failed to allocate utsname buffer\n"); ++ + if (tbi_enabled) + tag = 0x42; + ptr = (struct utsname *)SET_TAG(ptr, tag); +-- +2.43.0 + diff --git a/queue-5.10/mips-octeon-add-pcie-link-status-check.patch b/queue-5.10/mips-octeon-add-pcie-link-status-check.patch new file mode 100644 index 00000000000..84c2442b0db --- /dev/null +++ b/queue-5.10/mips-octeon-add-pcie-link-status-check.patch @@ -0,0 +1,55 @@ +From 35d81867589dfc0eb5c4bd415784007de3f597cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 23:22:00 +0800 +Subject: MIPS: Octeon: Add PCIe link status check + +From: Songyang Li + +[ Upstream commit 29b83a64df3b42c88c0338696feb6fdcd7f1f3b7 ] + +The standard PCIe configuration read-write interface is used to +access the configuration space of the peripheral PCIe devices +of the mips processor after the PCIe link surprise down, it can +generate kernel panic caused by "Data bus error". So it is +necessary to add PCIe link status check for system protection. +When the PCIe link is down or in training, assigning a value +of 0 to the configuration address can prevent read-write behavior +to the configuration space of peripheral PCIe devices, thereby +preventing kernel panic. + +Signed-off-by: Songyang Li +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/pci/pcie-octeon.c | 6 ++++++ + 1 file changed, 6 insertions(+) + mode change 100644 => 100755 arch/mips/pci/pcie-octeon.c + +diff --git a/arch/mips/pci/pcie-octeon.c b/arch/mips/pci/pcie-octeon.c +old mode 100644 +new mode 100755 +index d919a0d813a17..38de2a9c3cf1a +--- a/arch/mips/pci/pcie-octeon.c ++++ b/arch/mips/pci/pcie-octeon.c +@@ -230,12 +230,18 @@ static inline uint64_t __cvmx_pcie_build_config_addr(int pcie_port, int bus, + { + union cvmx_pcie_address pcie_addr; + union cvmx_pciercx_cfg006 pciercx_cfg006; ++ union cvmx_pciercx_cfg032 pciercx_cfg032; + + pciercx_cfg006.u32 = + cvmx_pcie_cfgx_read(pcie_port, CVMX_PCIERCX_CFG006(pcie_port)); + if ((bus <= pciercx_cfg006.s.pbnum) && (dev != 0)) + return 0; + ++ pciercx_cfg032.u32 = ++ cvmx_pcie_cfgx_read(pcie_port, CVMX_PCIERCX_CFG032(pcie_port)); ++ if ((pciercx_cfg032.s.dlla == 0) || (pciercx_cfg032.s.lt == 1)) ++ return 0; ++ + pcie_addr.u64 = 0; + pcie_addr.config.upper = 2; + pcie_addr.config.io = 1; +-- +2.43.0 + diff --git a/queue-5.10/netpoll-fix-race-condition-in-netpoll_owner_active.patch b/queue-5.10/netpoll-fix-race-condition-in-netpoll_owner_active.patch new file mode 100644 index 00000000000..a9f7a457325 --- /dev/null +++ b/queue-5.10/netpoll-fix-race-condition-in-netpoll_owner_active.patch @@ -0,0 +1,52 @@ +From 011296fdbf2faeb85a2160064ee913afd013bfa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 03:04:33 -0700 +Subject: netpoll: Fix race condition in netpoll_owner_active + +From: Breno Leitao + +[ Upstream commit c2e6a872bde9912f1a7579639c5ca3adf1003916 ] + +KCSAN detected a race condition in netpoll: + + BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb + write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10: + net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822) + + read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2: + netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393) + netpoll_send_udp (net/core/netpoll.c:?) + + value changed: 0x0000000a -> 0xffffffff + +This happens because netpoll_owner_active() needs to check if the +current CPU is the owner of the lock, touching napi->poll_owner +non atomically. The ->poll_owner field contains the current CPU holding +the lock. + +Use an atomic read to check if the poll owner is the current CPU. + +Signed-off-by: Breno Leitao +Link: https://lore.kernel.org/r/20240429100437.3487432-1-leitao@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 2ad22511b9c6d..f76afab9fd8bd 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -316,7 +316,7 @@ static int netpoll_owner_active(struct net_device *dev) + struct napi_struct *napi; + + list_for_each_entry_rcu(napi, &dev->napi_list, dev_list) { +- if (napi->poll_owner == smp_processor_id()) ++ if (READ_ONCE(napi->poll_owner) == smp_processor_id()) + return 1; + } + return 0; +-- +2.43.0 + diff --git a/queue-5.10/padata-disable-bh-when-taking-works-lock-on-mt-path.patch b/queue-5.10/padata-disable-bh-when-taking-works-lock-on-mt-path.patch new file mode 100644 index 00000000000..bc4dbaf1f63 --- /dev/null +++ b/queue-5.10/padata-disable-bh-when-taking-works-lock-on-mt-path.patch @@ -0,0 +1,62 @@ +From 7538ed1c094c296f51952beae55ba7c305df0d30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 17:36:18 +0800 +Subject: padata: Disable BH when taking works lock on MT path + +From: Herbert Xu + +[ Upstream commit 58329c4312031603bb1786b44265c26d5065fe72 ] + +As the old padata code can execute in softirq context, disable +softirqs for the new padata_do_mutithreaded code too as otherwise +lockdep will get antsy. + +Reported-by: syzbot+0cb5bb0f4bf9e79db3b3@syzkaller.appspotmail.com +Signed-off-by: Herbert Xu +Acked-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/padata.c b/kernel/padata.c +index fdcd78302cd72..471ccbc44541d 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -111,7 +111,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data, + { + int i; + +- spin_lock(&padata_works_lock); ++ spin_lock_bh(&padata_works_lock); + /* Start at 1 because the current task participates in the job. */ + for (i = 1; i < nworks; ++i) { + struct padata_work *pw = padata_work_alloc(); +@@ -121,7 +121,7 @@ static int __init padata_work_alloc_mt(int nworks, void *data, + padata_work_init(pw, padata_mt_helper, data, 0); + list_add(&pw->pw_list, head); + } +- spin_unlock(&padata_works_lock); ++ spin_unlock_bh(&padata_works_lock); + + return i; + } +@@ -139,12 +139,12 @@ static void __init padata_works_free(struct list_head *works) + if (list_empty(works)) + return; + +- spin_lock(&padata_works_lock); ++ spin_lock_bh(&padata_works_lock); + list_for_each_entry_safe(cur, next, works, pw_list) { + list_del(&cur->pw_list); + padata_work_free(cur); + } +- spin_unlock(&padata_works_lock); ++ spin_unlock_bh(&padata_works_lock); + } + + static void padata_parallel_worker(struct work_struct *parallel_work) +-- +2.43.0 + diff --git a/queue-5.10/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch b/queue-5.10/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch new file mode 100644 index 00000000000..10b4177cfad --- /dev/null +++ b/queue-5.10/pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch @@ -0,0 +1,71 @@ +From 76dc8c84a6db0ce294e515661ca09f5aedad9454 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 10:37:09 -0600 +Subject: PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports + +From: Mario Limonciello + +[ Upstream commit 256df20c590bf0e4d63ac69330cf23faddac3e08 ] + +Hewlett-Packard HP Pavilion 17 Notebook PC/1972 is an Intel Ivy Bridge +system with a muxless AMD Radeon dGPU. Attempting to use the dGPU fails +with the following sequence: + + ACPI Error: Aborting method \AMD3._ON due to previous error (AE_AML_LOOP_TIMEOUT) (20230628/psparse-529) + radeon 0000:01:00.0: not ready 1023ms after resume; waiting + radeon 0000:01:00.0: not ready 2047ms after resume; waiting + radeon 0000:01:00.0: not ready 4095ms after resume; waiting + radeon 0000:01:00.0: not ready 8191ms after resume; waiting + radeon 0000:01:00.0: not ready 16383ms after resume; waiting + radeon 0000:01:00.0: not ready 32767ms after resume; waiting + radeon 0000:01:00.0: not ready 65535ms after resume; giving up + radeon 0000:01:00.0: Unable to change power state from D3cold to D0, device inaccessible + +The issue is that the Root Port the dGPU is connected to can't handle the +transition from D3cold to D0 so the dGPU can't properly exit runtime PM. + +The existing logic in pci_bridge_d3_possible() checks for systems that are +newer than 2015 to decide that D3 is safe. This would nominally work for +an Ivy Bridge system (which was discontinued in 2015), but this system +appears to have continued to receive BIOS updates until 2017 and so this +existing logic doesn't appropriately capture it. + +Add the system to bridge_d3_blacklist to prevent D3cold from being used. + +Link: https://lore.kernel.org/r/20240307163709.323-1-mario.limonciello@amd.com +Reported-by: Eric Heintzmann +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3229 +Signed-off-by: Mario Limonciello +Signed-off-by: Bjorn Helgaas +Tested-by: Eric Heintzmann +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index d1631109b1422..530ced8f7abd2 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2840,6 +2840,18 @@ static const struct dmi_system_id bridge_d3_blacklist[] = { + DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"), + }, + }, ++ { ++ /* ++ * Changing power state of root port dGPU is connected fails ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/3229 ++ */ ++ .ident = "Hewlett-Packard HP Pavilion 17 Notebook PC/1972", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"), ++ DMI_MATCH(DMI_BOARD_NAME, "1972"), ++ DMI_MATCH(DMI_BOARD_VERSION, "95.33"), ++ }, ++ }, + #endif + { } + }; +-- +2.43.0 + diff --git a/queue-5.10/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch b/queue-5.10/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch new file mode 100644 index 00000000000..191452530e1 --- /dev/null +++ b/queue-5.10/power-supply-cros_usbpd-provide-id-table-for-avoidin.patch @@ -0,0 +1,66 @@ +From 390128c5be48b0ba8e69691384532218eded7f5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 11:00:49 +0800 +Subject: power: supply: cros_usbpd: provide ID table for avoiding fallback + match + +From: Tzung-Bi Shih + +[ Upstream commit 0f8678c34cbfdc63569a9b0ede1fe235ec6ec693 ] + +Instead of using fallback driver name match, provide ID table[1] for the +primary match. + +[1]: https://elixir.bootlin.com/linux/v6.8/source/drivers/base/platform.c#L1353 + +Reviewed-by: Benson Leung +Reviewed-by: Prashant Malani +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20240401030052.2887845-4-tzungbi@kernel.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/cros_usbpd-charger.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c +index 0a4f02e4ae7ba..d7ee1eb9ca880 100644 +--- a/drivers/power/supply/cros_usbpd-charger.c ++++ b/drivers/power/supply/cros_usbpd-charger.c +@@ -5,6 +5,7 @@ + * Copyright (c) 2014 - 2018 Google, Inc + */ + ++#include + #include + #include + #include +@@ -711,16 +712,22 @@ static int cros_usbpd_charger_resume(struct device *dev) + static SIMPLE_DEV_PM_OPS(cros_usbpd_charger_pm_ops, NULL, + cros_usbpd_charger_resume); + ++static const struct platform_device_id cros_usbpd_charger_id[] = { ++ { DRV_NAME, 0 }, ++ {} ++}; ++MODULE_DEVICE_TABLE(platform, cros_usbpd_charger_id); ++ + static struct platform_driver cros_usbpd_charger_driver = { + .driver = { + .name = DRV_NAME, + .pm = &cros_usbpd_charger_pm_ops, + }, +- .probe = cros_usbpd_charger_probe ++ .probe = cros_usbpd_charger_probe, ++ .id_table = cros_usbpd_charger_id, + }; + + module_platform_driver(cros_usbpd_charger_driver); + + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("ChromeOS EC USBPD charger"); +-MODULE_ALIAS("platform:" DRV_NAME); +-- +2.43.0 + diff --git a/queue-5.10/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch b/queue-5.10/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch new file mode 100644 index 00000000000..ec9a2c02638 --- /dev/null +++ b/queue-5.10/powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch @@ -0,0 +1,85 @@ +From f7739dca45fd0ee96712c9f242ee8ef49c6bb450 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 17:56:18 +1000 +Subject: powerpc/io: Avoid clang null pointer arithmetic warnings + +From: Michael Ellerman + +[ Upstream commit 03c0f2c2b2220fc9cf8785cd7b61d3e71e24a366 ] + +With -Wextra clang warns about pointer arithmetic using a null pointer. +When building with CONFIG_PCI=n, that triggers a warning in the IO +accessors, eg: + + In file included from linux/arch/powerpc/include/asm/io.h:672: + linux/arch/powerpc/include/asm/io-defs.h:23:1: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] + 23 | DEF_PCI_AC_RET(inb, u8, (unsigned long port), (port), pio, port) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ... + linux/arch/powerpc/include/asm/io.h:591:53: note: expanded from macro '__do_inb' + 591 | #define __do_inb(port) readb((PCI_IO_ADDR)_IO_BASE + port); + | ~~~~~~~~~~~~~~~~~~~~~ ^ + +That is because when CONFIG_PCI=n, _IO_BASE is defined as 0. + +Although _IO_BASE is defined as plain 0, the cast (PCI_IO_ADDR) converts +it to void * before the addition with port happens. + +Instead the addition can be done first, and then the cast. The resulting +value will be the same, but avoids the warning, and also avoids void +pointer arithmetic which is apparently non-standard. + +Reported-by: Naresh Kamboju +Closes: https://lore.kernel.org/all/CA+G9fYtEh8zmq8k8wE-8RZwW-Qr927RLTn+KqGnq1F=ptaaNsA@mail.gmail.com +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240503075619.394467-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/io.h | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h +index 0182b291248ac..058d21f493fad 100644 +--- a/arch/powerpc/include/asm/io.h ++++ b/arch/powerpc/include/asm/io.h +@@ -541,12 +541,12 @@ __do_out_asm(_rec_outl, "stwbrx") + #define __do_inw(port) _rec_inw(port) + #define __do_inl(port) _rec_inl(port) + #else /* CONFIG_PPC32 */ +-#define __do_outb(val, port) writeb(val,(PCI_IO_ADDR)_IO_BASE+port); +-#define __do_outw(val, port) writew(val,(PCI_IO_ADDR)_IO_BASE+port); +-#define __do_outl(val, port) writel(val,(PCI_IO_ADDR)_IO_BASE+port); +-#define __do_inb(port) readb((PCI_IO_ADDR)_IO_BASE + port); +-#define __do_inw(port) readw((PCI_IO_ADDR)_IO_BASE + port); +-#define __do_inl(port) readl((PCI_IO_ADDR)_IO_BASE + port); ++#define __do_outb(val, port) writeb(val,(PCI_IO_ADDR)(_IO_BASE+port)); ++#define __do_outw(val, port) writew(val,(PCI_IO_ADDR)(_IO_BASE+port)); ++#define __do_outl(val, port) writel(val,(PCI_IO_ADDR)(_IO_BASE+port)); ++#define __do_inb(port) readb((PCI_IO_ADDR)(_IO_BASE + port)); ++#define __do_inw(port) readw((PCI_IO_ADDR)(_IO_BASE + port)); ++#define __do_inl(port) readl((PCI_IO_ADDR)(_IO_BASE + port)); + #endif /* !CONFIG_PPC32 */ + + #ifdef CONFIG_EEH +@@ -562,12 +562,12 @@ __do_out_asm(_rec_outl, "stwbrx") + #define __do_writesw(a, b, n) _outsw(PCI_FIX_ADDR(a),(b),(n)) + #define __do_writesl(a, b, n) _outsl(PCI_FIX_ADDR(a),(b),(n)) + +-#define __do_insb(p, b, n) readsb((PCI_IO_ADDR)_IO_BASE+(p), (b), (n)) +-#define __do_insw(p, b, n) readsw((PCI_IO_ADDR)_IO_BASE+(p), (b), (n)) +-#define __do_insl(p, b, n) readsl((PCI_IO_ADDR)_IO_BASE+(p), (b), (n)) +-#define __do_outsb(p, b, n) writesb((PCI_IO_ADDR)_IO_BASE+(p),(b),(n)) +-#define __do_outsw(p, b, n) writesw((PCI_IO_ADDR)_IO_BASE+(p),(b),(n)) +-#define __do_outsl(p, b, n) writesl((PCI_IO_ADDR)_IO_BASE+(p),(b),(n)) ++#define __do_insb(p, b, n) readsb((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n)) ++#define __do_insw(p, b, n) readsw((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n)) ++#define __do_insl(p, b, n) readsl((PCI_IO_ADDR)(_IO_BASE+(p)), (b), (n)) ++#define __do_outsb(p, b, n) writesb((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n)) ++#define __do_outsw(p, b, n) writesw((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n)) ++#define __do_outsl(p, b, n) writesl((PCI_IO_ADDR)(_IO_BASE+(p)),(b),(n)) + + #define __do_memset_io(addr, c, n) \ + _memset_io(PCI_FIX_ADDR(addr), c, n) +-- +2.43.0 + diff --git a/queue-5.10/powerpc-pseries-enforce-hcall-result-buffer-validity.patch b/queue-5.10/powerpc-pseries-enforce-hcall-result-buffer-validity.patch new file mode 100644 index 00000000000..e7125b047a9 --- /dev/null +++ b/queue-5.10/powerpc-pseries-enforce-hcall-result-buffer-validity.patch @@ -0,0 +1,82 @@ +From 73fd0ac093d2b60359387efe5190f3f4860bf831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2024 09:08:31 -0500 +Subject: powerpc/pseries: Enforce hcall result buffer validity and size + +From: Nathan Lynch + +[ Upstream commit ff2e185cf73df480ec69675936c4ee75a445c3e4 ] + +plpar_hcall(), plpar_hcall9(), and related functions expect callers to +provide valid result buffers of certain minimum size. Currently this +is communicated only through comments in the code and the compiler has +no idea. + +For example, if I write a bug like this: + + long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE + plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...); + +This compiles with no diagnostics emitted, but likely results in stack +corruption at runtime when plpar_hcall9() stores results past the end +of the array. (To be clear this is a contrived example and I have not +found a real instance yet.) + +To make this class of error less likely, we can use explicitly-sized +array parameters instead of pointers in the declarations for the hcall +APIs. When compiled with -Warray-bounds[1], the code above now +provokes a diagnostic like this: + +error: array argument is too small; +is of size 32, callee requires at least 72 [-Werror,-Warray-bounds] + 60 | plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, + | ^ ~~~~~~ + +[1] Enabled for LLVM builds but not GCC for now. See commit + 0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and + related changes. + +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240408-pseries-hvcall-retbuf-v1-1-ebc73d7253cf@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/hvcall.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h +index 1a60188f74ad8..f3b46a0fa7082 100644 +--- a/arch/powerpc/include/asm/hvcall.h ++++ b/arch/powerpc/include/asm/hvcall.h +@@ -453,7 +453,7 @@ long plpar_hcall_norets_notrace(unsigned long opcode, ...); + * Used for all but the craziest of phyp interfaces (see plpar_hcall9) + */ + #define PLPAR_HCALL_BUFSIZE 4 +-long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...); ++long plpar_hcall(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...); + + /** + * plpar_hcall_raw: - Make a hypervisor call without calculating hcall stats +@@ -467,7 +467,7 @@ long plpar_hcall(unsigned long opcode, unsigned long *retbuf, ...); + * plpar_hcall, but plpar_hcall_raw works in real mode and does not + * calculate hypervisor call statistics. + */ +-long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...); ++long plpar_hcall_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL_BUFSIZE], ...); + + /** + * plpar_hcall9: - Make a pseries hypervisor call with up to 9 return arguments +@@ -478,8 +478,8 @@ long plpar_hcall_raw(unsigned long opcode, unsigned long *retbuf, ...); + * PLPAR_HCALL9_BUFSIZE to size the return argument buffer. + */ + #define PLPAR_HCALL9_BUFSIZE 9 +-long plpar_hcall9(unsigned long opcode, unsigned long *retbuf, ...); +-long plpar_hcall9_raw(unsigned long opcode, unsigned long *retbuf, ...); ++long plpar_hcall9(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...); ++long plpar_hcall9_raw(unsigned long opcode, unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE], ...); + + struct hvcall_mpp_data { + unsigned long entitled_mem; +-- +2.43.0 + diff --git a/queue-5.10/rcutorture-fix-invalid-context-warning-when-enable-s.patch b/queue-5.10/rcutorture-fix-invalid-context-warning-when-enable-s.patch new file mode 100644 index 00000000000..cb31b33b7b9 --- /dev/null +++ b/queue-5.10/rcutorture-fix-invalid-context-warning-when-enable-s.patch @@ -0,0 +1,120 @@ +From 79c8254bf204beb8c55ec5c9392d73de53092790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 15:52:19 +0800 +Subject: rcutorture: Fix invalid context warning when enable srcu barrier + testing + +From: Zqiang + +[ Upstream commit 668c0406d887467d53f8fe79261dda1d22d5b671 ] + +When the torture_type is set srcu or srcud and cb_barrier is +non-zero, running the rcutorture test will trigger the +following warning: + +[ 163.910989][ C1] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 +[ 163.910994][ C1] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 +[ 163.910999][ C1] preempt_count: 10001, expected: 0 +[ 163.911002][ C1] RCU nest depth: 0, expected: 0 +[ 163.911005][ C1] INFO: lockdep is turned off. +[ 163.911007][ C1] irq event stamp: 30964 +[ 163.911010][ C1] hardirqs last enabled at (30963): [] do_idle+0x362/0x500 +[ 163.911018][ C1] hardirqs last disabled at (30964): [] sysvec_call_function_single+0xf/0xd0 +[ 163.911025][ C1] softirqs last enabled at (0): [] copy_process+0x16ff/0x6580 +[ 163.911033][ C1] softirqs last disabled at (0): [<0000000000000000>] 0x0 +[ 163.911038][ C1] Preemption disabled at: +[ 163.911039][ C1] [] stack_depot_save_flags+0x24b/0x6c0 +[ 163.911063][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 6.8.0-rc4-rt4-yocto-preempt-rt+ #3 1e39aa9a737dd024a3275c4f835a872f673a7d3a +[ 163.911071][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 +[ 163.911075][ C1] Call Trace: +[ 163.911078][ C1] +[ 163.911080][ C1] dump_stack_lvl+0x88/0xd0 +[ 163.911089][ C1] dump_stack+0x10/0x20 +[ 163.911095][ C1] __might_resched+0x36f/0x530 +[ 163.911105][ C1] rt_spin_lock+0x82/0x1c0 +[ 163.911112][ C1] spin_lock_irqsave_ssp_contention+0xb8/0x100 +[ 163.911121][ C1] srcu_gp_start_if_needed+0x782/0xf00 +[ 163.911128][ C1] ? _raw_spin_unlock_irqrestore+0x46/0x70 +[ 163.911136][ C1] ? debug_object_active_state+0x336/0x470 +[ 163.911148][ C1] ? __pfx_srcu_gp_start_if_needed+0x10/0x10 +[ 163.911156][ C1] ? __pfx_lock_release+0x10/0x10 +[ 163.911165][ C1] ? __pfx_rcu_torture_barrier_cbf+0x10/0x10 +[ 163.911188][ C1] __call_srcu+0x9f/0xe0 +[ 163.911196][ C1] call_srcu+0x13/0x20 +[ 163.911201][ C1] srcu_torture_call+0x1b/0x30 +[ 163.911224][ C1] rcu_torture_barrier1cb+0x4a/0x60 +[ 163.911247][ C1] __flush_smp_call_function_queue+0x267/0xca0 +[ 163.911256][ C1] ? __pfx_rcu_torture_barrier1cb+0x10/0x10 +[ 163.911281][ C1] generic_smp_call_function_single_interrupt+0x13/0x20 +[ 163.911288][ C1] __sysvec_call_function_single+0x7d/0x280 +[ 163.911295][ C1] sysvec_call_function_single+0x93/0xd0 +[ 163.911302][ C1] +[ 163.911304][ C1] +[ 163.911308][ C1] asm_sysvec_call_function_single+0x1b/0x20 +[ 163.911313][ C1] RIP: 0010:default_idle+0x17/0x20 +[ 163.911326][ C1] RSP: 0018:ffff888001997dc8 EFLAGS: 00000246 +[ 163.911333][ C1] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffffae618b51 +[ 163.911337][ C1] RDX: 0000000000000000 RSI: ffffffffaea80920 RDI: ffffffffaec2de80 +[ 163.911342][ C1] RBP: ffff888001997dc8 R08: 0000000000000001 R09: ffffed100d740cad +[ 163.911346][ C1] R10: ffffed100d740cac R11: ffff88806ba06563 R12: 0000000000000001 +[ 163.911350][ C1] R13: ffffffffafe460c0 R14: ffffffffafe460c0 R15: 0000000000000000 +[ 163.911358][ C1] ? ct_kernel_exit.constprop.3+0x121/0x160 +[ 163.911369][ C1] ? lockdep_hardirqs_on+0xc4/0x150 +[ 163.911376][ C1] arch_cpu_idle+0x9/0x10 +[ 163.911383][ C1] default_idle_call+0x7a/0xb0 +[ 163.911390][ C1] do_idle+0x362/0x500 +[ 163.911398][ C1] ? __pfx_do_idle+0x10/0x10 +[ 163.911404][ C1] ? complete_with_flags+0x8b/0xb0 +[ 163.911416][ C1] cpu_startup_entry+0x58/0x70 +[ 163.911423][ C1] start_secondary+0x221/0x280 +[ 163.911430][ C1] ? __pfx_start_secondary+0x10/0x10 +[ 163.911440][ C1] secondary_startup_64_no_verify+0x17f/0x18b +[ 163.911455][ C1] + +This commit therefore use smp_call_on_cpu() instead of +smp_call_function_single(), make rcu_torture_barrier1cb() invoked +happens on task-context. + +Signed-off-by: Zqiang +Signed-off-by: Paul E. McKenney +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcutorture.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index c413eb4a95667..9f505688291e5 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -2210,11 +2210,12 @@ static void rcu_torture_barrier_cbf(struct rcu_head *rcu) + } + + /* IPI handler to get callback posted on desired CPU, if online. */ +-static void rcu_torture_barrier1cb(void *rcu_void) ++static int rcu_torture_barrier1cb(void *rcu_void) + { + struct rcu_head *rhp = rcu_void; + + cur_ops->call(rhp, rcu_torture_barrier_cbf); ++ return 0; + } + + /* kthread function to register callbacks used to test RCU barriers. */ +@@ -2240,11 +2241,9 @@ static int rcu_torture_barrier_cbs(void *arg) + * The above smp_load_acquire() ensures barrier_phase load + * is ordered before the following ->call(). + */ +- if (smp_call_function_single(myid, rcu_torture_barrier1cb, +- &rcu, 1)) { +- // IPI failed, so use direct call from current CPU. ++ if (smp_call_on_cpu(myid, rcu_torture_barrier1cb, &rcu, 1)) + cur_ops->call(&rcu, rcu_torture_barrier_cbf); +- } ++ + if (atomic_dec_and_test(&barrier_cbs_count)) + wake_up(&barrier_wq); + } while (!torture_must_stop()); +-- +2.43.0 + diff --git a/queue-5.10/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch b/queue-5.10/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch new file mode 100644 index 00000000000..789d94b8cbb --- /dev/null +++ b/queue-5.10/rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch @@ -0,0 +1,39 @@ +From 3392137b2f0b61569e746fe231610392811e7263 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 19:21:47 -0800 +Subject: rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment + +From: Paul E. McKenney + +[ Upstream commit 8b9b443fa860276822b25057cb3ff3b28734dec0 ] + +The "pipe_count > RCU_TORTURE_PIPE_LEN" check has a comment saying "Should +not happen, but...". This is only true when testing an RCU whose grace +periods are always long enough. This commit therefore fixes this comment. + +Reported-by: Linus Torvalds +Closes: https://lore.kernel.org/lkml/CAHk-=wi7rJ-eGq+xaxVfzFEgbL9tdf6Kc8Z89rCpfcQOKm74Tw@mail.gmail.com/ +Signed-off-by: Paul E. McKenney +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcutorture.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index 6c1aea48a79a1..c413eb4a95667 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -1407,7 +1407,8 @@ static bool rcu_torture_one_read(struct torture_random_state *trsp) + preempt_disable(); + pipe_count = READ_ONCE(p->rtort_pipe_count); + if (pipe_count > RCU_TORTURE_PIPE_LEN) { +- /* Should not happen, but... */ ++ // Should not happen in a correct RCU implementation, ++ // happens quite often for torture_type=busted. + pipe_count = RCU_TORTURE_PIPE_LEN; + } + completed = cur_ops->get_gp_seq(); +-- +2.43.0 + diff --git a/queue-5.10/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch b/queue-5.10/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch new file mode 100644 index 00000000000..c1460b82449 --- /dev/null +++ b/queue-5.10/scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch @@ -0,0 +1,95 @@ +From 0620e93ee1e1d8399d4d3890e77dbe6f5770a966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2024 12:51:55 +0530 +Subject: scsi: qedi: Fix crash while reading debugfs attribute + +From: Manish Rangankar + +[ Upstream commit 28027ec8e32ecbadcd67623edb290dad61e735b5 ] + +The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly +on a __user pointer, which results into the crash. + +To fix this issue, use a small local stack buffer for sprintf() and then +call simple_read_from_buffer(), which in turns make the copy_to_user() +call. + +BUG: unable to handle page fault for address: 00007f4801111000 +PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0 +Oops: 0002 [#1] PREEMPT SMP PTI +Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023 +RIP: 0010:memcpy_orig+0xcd/0x130 +RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202 +RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f +RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000 +RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572 +R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff +R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af +FS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? __die_body+0x1a/0x60 + ? page_fault_oops+0x183/0x510 + ? exc_page_fault+0x69/0x150 + ? asm_exc_page_fault+0x22/0x30 + ? memcpy_orig+0xcd/0x130 + vsnprintf+0x102/0x4c0 + sprintf+0x51/0x80 + qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324] + full_proxy_read+0x50/0x80 + vfs_read+0xa5/0x2e0 + ? folio_add_new_anon_rmap+0x44/0xa0 + ? set_pte_at+0x15/0x30 + ? do_pte_missing+0x426/0x7f0 + ksys_read+0xa5/0xe0 + do_syscall_64+0x58/0x80 + ? __count_memcg_events+0x46/0x90 + ? count_memcg_event_mm+0x3d/0x60 + ? handle_mm_fault+0x196/0x2f0 + ? do_user_addr_fault+0x267/0x890 + ? exc_page_fault+0x69/0x150 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f4800f20b4d + +Tested-by: Martin Hoyer +Reviewed-by: John Meneghini +Signed-off-by: Manish Rangankar +Link: https://lore.kernel.org/r/20240415072155.30840-1-mrangankar@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_debugfs.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_debugfs.c b/drivers/scsi/qedi/qedi_debugfs.c +index 42f5afb60055c..6e724f47ab9e8 100644 +--- a/drivers/scsi/qedi/qedi_debugfs.c ++++ b/drivers/scsi/qedi/qedi_debugfs.c +@@ -120,15 +120,11 @@ static ssize_t + qedi_dbg_do_not_recover_cmd_read(struct file *filp, char __user *buffer, + size_t count, loff_t *ppos) + { +- size_t cnt = 0; +- +- if (*ppos) +- return 0; ++ char buf[64]; ++ int len; + +- cnt = sprintf(buffer, "do_not_recover=%d\n", qedi_do_not_recover); +- cnt = min_t(int, count, cnt - *ppos); +- *ppos += cnt; +- return cnt; ++ len = sprintf(buf, "do_not_recover=%d\n", qedi_do_not_recover); ++ return simple_read_from_buffer(buffer, count, ppos, buf, len); + } + + static int +-- +2.43.0 + diff --git a/queue-5.10/selftests-bpf-fix-flaky-test-btf_map_in_map-lookup_u.patch b/queue-5.10/selftests-bpf-fix-flaky-test-btf_map_in_map-lookup_u.patch new file mode 100644 index 00000000000..7af794965b9 --- /dev/null +++ b/queue-5.10/selftests-bpf-fix-flaky-test-btf_map_in_map-lookup_u.patch @@ -0,0 +1,87 @@ +From 188b5b35a4abb215c6283d6ad2b8fc449f37dcd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 23:13:53 -0700 +Subject: selftests/bpf: Fix flaky test btf_map_in_map/lookup_update + +From: Yonghong Song + +[ Upstream commit 14bb1e8c8d4ad5d9d2febb7d19c70a3cf536e1e5 ] + +Recently, I frequently hit the following test failure: + + [root@arch-fb-vm1 bpf]# ./test_progs -n 33/1 + test_lookup_update:PASS:skel_open 0 nsec + [...] + test_lookup_update:PASS:sync_rcu 0 nsec + test_lookup_update:FAIL:map1_leak inner_map1 leaked! + #33/1 btf_map_in_map/lookup_update:FAIL + #33 btf_map_in_map:FAIL + +In the test, after map is closed and then after two rcu grace periods, +it is assumed that map_id is not available to user space. + +But the above assumption cannot be guaranteed. After zero or one +or two rcu grace periods in different siturations, the actual +freeing-map-work is put into a workqueue. Later on, when the work +is dequeued, the map will be actually freed. +See bpf_map_put() in kernel/bpf/syscall.c. + +By using workqueue, there is no ganrantee that map will be actually +freed after a couple of rcu grace periods. This patch removed +such map leak detection and then the test can pass consistently. + +Signed-off-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240322061353.632136-1-yonghong.song@linux.dev +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/prog_tests/btf_map_in_map.c | 26 +------------------ + 1 file changed, 1 insertion(+), 25 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c +index 76ebe4c250f11..a434828bc7ab7 100644 +--- a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c ++++ b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c +@@ -58,7 +58,7 @@ static void test_lookup_update(void) + int map1_fd, map2_fd, map3_fd, map4_fd, map5_fd, map1_id, map2_id; + int outer_arr_fd, outer_hash_fd, outer_arr_dyn_fd; + struct test_btf_map_in_map *skel; +- int err, key = 0, val, i, fd; ++ int err, key = 0, val, i; + + skel = test_btf_map_in_map__open_and_load(); + if (CHECK(!skel, "skel_open", "failed to open&load skeleton\n")) +@@ -135,30 +135,6 @@ static void test_lookup_update(void) + CHECK(map1_id == 0, "map1_id", "failed to get ID 1\n"); + CHECK(map2_id == 0, "map2_id", "failed to get ID 2\n"); + +- test_btf_map_in_map__destroy(skel); +- skel = NULL; +- +- /* we need to either wait for or force synchronize_rcu(), before +- * checking for "still exists" condition, otherwise map could still be +- * resolvable by ID, causing false positives. +- * +- * Older kernels (5.8 and earlier) freed map only after two +- * synchronize_rcu()s, so trigger two, to be entirely sure. +- */ +- CHECK(kern_sync_rcu(), "sync_rcu", "failed\n"); +- CHECK(kern_sync_rcu(), "sync_rcu", "failed\n"); +- +- fd = bpf_map_get_fd_by_id(map1_id); +- if (CHECK(fd >= 0, "map1_leak", "inner_map1 leaked!\n")) { +- close(fd); +- goto cleanup; +- } +- fd = bpf_map_get_fd_by_id(map2_id); +- if (CHECK(fd >= 0, "map2_leak", "inner_map2 leaked!\n")) { +- close(fd); +- goto cleanup; +- } +- + cleanup: + test_btf_map_in_map__destroy(skel); + } +-- +2.43.0 + diff --git a/queue-5.10/selftests-bpf-prevent-client-connect-before-server-b.patch b/queue-5.10/selftests-bpf-prevent-client-connect-before-server-b.patch new file mode 100644 index 00000000000..4987294cc85 --- /dev/null +++ b/queue-5.10/selftests-bpf-prevent-client-connect-before-server-b.patch @@ -0,0 +1,82 @@ +From f8f704c7a958ba9e7ff631d3af19a97aa8ccf50d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 10:59:11 +0000 +Subject: selftests/bpf: Prevent client connect before server bind in + test_tc_tunnel.sh + +From: Alessandro Carminati (Red Hat) + +[ Upstream commit f803bcf9208a2540acb4c32bdc3616673169f490 ] + +In some systems, the netcat server can incur in delay to start listening. +When this happens, the test can randomly fail in various points. +This is an example error message: + + # ip gre none gso + # encap 192.168.1.1 to 192.168.1.2, type gre, mac none len 2000 + # test basic connectivity + # Ncat: Connection refused. + +The issue stems from a race condition between the netcat client and server. +The test author had addressed this problem by implementing a sleep, which +I have removed in this patch. +This patch introduces a function capable of sleeping for up to two seconds. +However, it can terminate the waiting period early if the port is reported +to be listening. + +Signed-off-by: Alessandro Carminati (Red Hat) +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240314105911.213411-1-alessandro.carminati@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_tc_tunnel.sh | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_tc_tunnel.sh b/tools/testing/selftests/bpf/test_tc_tunnel.sh +index 7c76b841b17bb..21bde60c95230 100755 +--- a/tools/testing/selftests/bpf/test_tc_tunnel.sh ++++ b/tools/testing/selftests/bpf/test_tc_tunnel.sh +@@ -71,7 +71,6 @@ cleanup() { + server_listen() { + ip netns exec "${ns2}" nc "${netcat_opt}" -l -p "${port}" > "${outfile}" & + server_pid=$! +- sleep 0.2 + } + + client_connect() { +@@ -92,6 +91,16 @@ verify_data() { + fi + } + ++wait_for_port() { ++ for i in $(seq 20); do ++ if ip netns exec "${ns2}" ss ${2:--4}OHntl | grep -q "$1"; then ++ return 0 ++ fi ++ sleep 0.1 ++ done ++ return 1 ++} ++ + set -e + + # no arguments: automated test, run all +@@ -183,6 +192,7 @@ setup + # basic communication works + echo "test basic connectivity" + server_listen ++wait_for_port ${port} ${netcat_opt} + client_connect + verify_data + +@@ -194,6 +204,7 @@ ip netns exec "${ns1}" tc filter add dev veth1 egress \ + section "encap_${tuntype}_${mac}" + echo "test bpf encap without decap (expect failure)" + server_listen ++wait_for_port ${port} ${netcat_opt} + ! client_connect + + if [[ "$tuntype" =~ "udp" ]]; then +-- +2.43.0 + diff --git a/queue-5.10/serial-exar-adding-missing-cti-and-exar-pci-ids.patch b/queue-5.10/serial-exar-adding-missing-cti-and-exar-pci-ids.patch new file mode 100644 index 00000000000..a0d6c15b7f4 --- /dev/null +++ b/queue-5.10/serial-exar-adding-missing-cti-and-exar-pci-ids.patch @@ -0,0 +1,77 @@ +From b29a6fd4e537937927c5680e47619baa3e4b39d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 08:55:28 -0400 +Subject: serial: exar: adding missing CTI and Exar PCI ids + +From: Parker Newman + +[ Upstream commit b86ae40ffcf5a16b9569b1016da4a08c4f352ca2 ] + +- Added Connect Tech and Exar IDs not already in pci_ids.h + +Signed-off-by: Parker Newman +Link: https://lore.kernel.org/r/7c3d8e795a864dd9b0a00353b722060dc27c4e09.1713270624.git.pnewman@connecttech.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_exar.c | 42 +++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c +index 7c28d2752a4cd..3d09f8f30e02a 100644 +--- a/drivers/tty/serial/8250/8250_exar.c ++++ b/drivers/tty/serial/8250/8250_exar.c +@@ -41,8 +41,50 @@ + #define PCI_DEVICE_ID_COMMTECH_4228PCIE 0x0021 + #define PCI_DEVICE_ID_COMMTECH_4222PCIE 0x0022 + ++#define PCI_VENDOR_ID_CONNECT_TECH 0x12c4 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_SP_OPTO 0x0340 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_SP_OPTO_A 0x0341 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_SP_OPTO_B 0x0342 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XPRS 0x0350 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_A 0x0351 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_B 0x0352 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS 0x0353 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_16_XPRS_A 0x0354 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_16_XPRS_B 0x0355 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XPRS_OPTO 0x0360 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_OPTO_A 0x0361 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XPRS_OPTO_B 0x0362 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP 0x0370 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP_232 0x0371 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP_485 0x0372 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_4_SP 0x0373 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_6_2_SP 0x0374 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_6_SP 0x0375 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_SP_232_NS 0x0376 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XP_OPTO_LEFT 0x0380 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_2_XP_OPTO_RIGHT 0x0381 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_XP_OPTO 0x0382 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_4_4_XPRS_OPTO 0x0392 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP 0x03A0 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP_232 0x03A1 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP_485 0x03A2 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCI_UART_8_XPRS_LP_232_NS 0x03A3 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XEG001 0x0602 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_BASE 0x1000 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_2 0x1002 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_4 0x1004 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_8 0x1008 ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_12 0x100C ++#define PCI_SUBDEVICE_ID_CONNECT_TECH_PCIE_XR35X_16 0x1010 ++#define PCI_DEVICE_ID_CONNECT_TECH_PCI_XR79X_12_XIG00X 0x110c ++#define PCI_DEVICE_ID_CONNECT_TECH_PCI_XR79X_12_XIG01X 0x110d ++#define PCI_DEVICE_ID_CONNECT_TECH_PCI_XR79X_16 0x1110 ++ + #define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358 + #define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358 ++#define PCI_DEVICE_ID_EXAR_XR17V252 0x0252 ++#define PCI_DEVICE_ID_EXAR_XR17V254 0x0254 ++#define PCI_DEVICE_ID_EXAR_XR17V258 0x0258 + + #define PCI_SUBDEVICE_ID_USR_2980 0x0128 + #define PCI_SUBDEVICE_ID_USR_2981 0x0129 +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index fc12ea72dde..a9948030b9f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -129,3 +129,33 @@ x86-compat-simplify-compat-syscall-userspace-allocat.patch x86-elf-use-e_machine-to-select-start_thread-for-x32.patch x86-mm-convert-mmu-context-ia32_compat-into-a-proper.patch zap_pid_ns_processes-clear-tif_notify_signal-along-w.patch +padata-disable-bh-when-taking-works-lock-on-mt-path.patch +rcutorture-fix-rcu_torture_one_read-pipe_count-overf.patch +rcutorture-fix-invalid-context-warning-when-enable-s.patch +block-ioctl-prefer-different-overflow-check.patch +selftests-bpf-prevent-client-connect-before-server-b.patch +selftests-bpf-fix-flaky-test-btf_map_in_map-lookup_u.patch +batman-adv-bypass-empty-buckets-in-batadv_purge_orig.patch +wifi-ath9k-work-around-memset-overflow-warning.patch +af_packet-avoid-a-false-positive-warning-in-packet_s.patch +drop_monitor-replace-spin_lock-by-raw_spin_lock.patch +scsi-qedi-fix-crash-while-reading-debugfs-attribute.patch +kselftest-arm64-add-a-null-pointer-check.patch +netpoll-fix-race-condition-in-netpoll_owner_active.patch +hid-add-quirk-for-logitech-casa-touchpad.patch +acpi-video-add-backlight-native-quirk-for-lenovo-sli.patch +bluetooth-ath3k-fix-multiple-issues-reported-by-chec.patch +drm-amd-display-exit-idle-optimizations-before-hdcp-.patch +asoc-intel-sof_sdw-add-jd2-quirk-for-hp-omen-14.patch +drm-lima-add-mask-irq-callback-to-gp-and-pp.patch +drm-lima-mask-irqs-in-timeout-path-before-hard-reset.patch +powerpc-pseries-enforce-hcall-result-buffer-validity.patch +powerpc-io-avoid-clang-null-pointer-arithmetic-warni.patch +power-supply-cros_usbpd-provide-id-table-for-avoidin.patch +iommu-arm-smmu-v3-free-msis-in-case-of-enomem.patch +f2fs-remove-clear-sb_inlinecrypt-flag-in-default_opt.patch +usb-misc-uss720-check-for-incompatible-versions-of-t.patch +udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch +pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch +mips-octeon-add-pcie-link-status-check.patch +serial-exar-adding-missing-cti-and-exar-pci-ids.patch diff --git a/queue-5.10/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch b/queue-5.10/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch new file mode 100644 index 00000000000..f99220ac409 --- /dev/null +++ b/queue-5.10/udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch @@ -0,0 +1,54 @@ +From 2cb5a53df148e02292bea302fdb294ef2abd7cc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Mar 2024 16:27:55 +0300 +Subject: udf: udftime: prevent overflow in udf_disk_stamp_to_time() + +From: Roman Smirnov + +[ Upstream commit 3b84adf460381169c085e4bc09e7b57e9e16db0a ] + +An overflow can occur in a situation where src.centiseconds +takes the value of 255. This situation is unlikely, but there +is no validation check anywere in the code. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Suggested-by: Jan Kara +Signed-off-by: Roman Smirnov +Reviewed-by: Sergey Shtylyov +Signed-off-by: Jan Kara +Message-Id: <20240327132755.13945-1-r.smirnov@omp.ru> +Signed-off-by: Sasha Levin +--- + fs/udf/udftime.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/udf/udftime.c b/fs/udf/udftime.c +index fce4ad976c8c2..26169b1f482c3 100644 +--- a/fs/udf/udftime.c ++++ b/fs/udf/udftime.c +@@ -60,13 +60,18 @@ udf_disk_stamp_to_time(struct timespec64 *dest, struct timestamp src) + dest->tv_sec = mktime64(year, src.month, src.day, src.hour, src.minute, + src.second); + dest->tv_sec -= offset * 60; +- dest->tv_nsec = 1000 * (src.centiseconds * 10000 + +- src.hundredsOfMicroseconds * 100 + src.microseconds); ++ + /* + * Sanitize nanosecond field since reportedly some filesystems are + * recorded with bogus sub-second values. + */ +- dest->tv_nsec %= NSEC_PER_SEC; ++ if (src.centiseconds < 100 && src.hundredsOfMicroseconds < 100 && ++ src.microseconds < 100) { ++ dest->tv_nsec = 1000 * (src.centiseconds * 10000 + ++ src.hundredsOfMicroseconds * 100 + src.microseconds); ++ } else { ++ dest->tv_nsec = 0; ++ } + } + + void +-- +2.43.0 + diff --git a/queue-5.10/usb-misc-uss720-check-for-incompatible-versions-of-t.patch b/queue-5.10/usb-misc-uss720-check-for-incompatible-versions-of-t.patch new file mode 100644 index 00000000000..c3c1c840768 --- /dev/null +++ b/queue-5.10/usb-misc-uss720-check-for-incompatible-versions-of-t.patch @@ -0,0 +1,75 @@ +From babb7711bfb787b88f7f462da2fcd35c20349d25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 09:07:11 -0600 +Subject: usb: misc: uss720: check for incompatible versions of the Belkin + F5U002 + +From: Alex Henrie + +[ Upstream commit 3295f1b866bfbcabd625511968e8a5c541f9ab32 ] + +The incompatible device in my possession has a sticker that says +"F5U002 Rev 2" and "P80453-B", and lsusb identifies it as +"050d:0002 Belkin Components IEEE-1284 Controller". There is a bug +report from 2007 from Michael Trausch who was seeing the exact same +errors that I saw in 2024 trying to use this cable. + +Link: https://lore.kernel.org/all/46DE5830.9060401@trausch.us/ +Signed-off-by: Alex Henrie +Link: https://lore.kernel.org/r/20240326150723.99939-5-alexhenrie24@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/uss720.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c +index 0be8efcda15d5..d972c09629397 100644 +--- a/drivers/usb/misc/uss720.c ++++ b/drivers/usb/misc/uss720.c +@@ -677,7 +677,7 @@ static int uss720_probe(struct usb_interface *intf, + struct parport_uss720_private *priv; + struct parport *pp; + unsigned char reg; +- int i; ++ int ret; + + dev_dbg(&intf->dev, "probe: vendor id 0x%x, device id 0x%x\n", + le16_to_cpu(usbdev->descriptor.idVendor), +@@ -688,8 +688,8 @@ static int uss720_probe(struct usb_interface *intf, + usb_put_dev(usbdev); + return -ENODEV; + } +- i = usb_set_interface(usbdev, intf->altsetting->desc.bInterfaceNumber, 2); +- dev_dbg(&intf->dev, "set interface result %d\n", i); ++ ret = usb_set_interface(usbdev, intf->altsetting->desc.bInterfaceNumber, 2); ++ dev_dbg(&intf->dev, "set interface result %d\n", ret); + + interface = intf->cur_altsetting; + +@@ -725,12 +725,18 @@ static int uss720_probe(struct usb_interface *intf, + set_1284_register(pp, 7, 0x00, GFP_KERNEL); + set_1284_register(pp, 6, 0x30, GFP_KERNEL); /* PS/2 mode */ + set_1284_register(pp, 2, 0x0c, GFP_KERNEL); +- /* debugging */ +- get_1284_register(pp, 0, ®, GFP_KERNEL); ++ ++ /* The Belkin F5U002 Rev 2 P80453-B USB parallel port adapter shares the ++ * device ID 050d:0002 with some other device that works with this ++ * driver, but it itself does not. Detect and handle the bad cable ++ * here. */ ++ ret = get_1284_register(pp, 0, ®, GFP_KERNEL); + dev_dbg(&intf->dev, "reg: %7ph\n", priv->reg); ++ if (ret < 0) ++ return ret; + +- i = usb_find_last_int_in_endpoint(interface, &epd); +- if (!i) { ++ ret = usb_find_last_int_in_endpoint(interface, &epd); ++ if (!ret) { + dev_dbg(&intf->dev, "epaddr %d interval %d\n", + epd->bEndpointAddress, epd->bInterval); + } +-- +2.43.0 + diff --git a/queue-5.10/wifi-ath9k-work-around-memset-overflow-warning.patch b/queue-5.10/wifi-ath9k-work-around-memset-overflow-warning.patch new file mode 100644 index 00000000000..54da98614e9 --- /dev/null +++ b/queue-5.10/wifi-ath9k-work-around-memset-overflow-warning.patch @@ -0,0 +1,72 @@ +From 402aed7c1281324fd02dbc44e554a8b93cf079b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 09:35:59 +0300 +Subject: wifi: ath9k: work around memset overflow warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 61752ac69b69ed2e04444d090f6917c77ab36d42 ] + +gcc-9 and some other older versions produce a false-positive warning +for zeroing two fields + +In file included from include/linux/string.h:369, + from drivers/net/wireless/ath/ath9k/main.c:18: +In function 'fortify_memset_chk', + inlined from 'ath9k_ps_wakeup' at drivers/net/wireless/ath/ath9k/main.c:140:3: +include/linux/fortify-string.h:462:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] + 462 | __write_overflow_field(p_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Using a struct_group seems to reliably avoid the warning and +not make the code much uglier. The combined memset() should even +save a couple of cpu cycles. + +Signed-off-by: Arnd Bergmann +Acked-by: Toke Høiland-Jørgensen +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240328135509.3755090-3-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath.h | 6 ++++-- + drivers/net/wireless/ath/ath9k/main.c | 3 +-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h +index f02a308a9ffc5..34654f710d8a1 100644 +--- a/drivers/net/wireless/ath/ath.h ++++ b/drivers/net/wireless/ath/ath.h +@@ -171,8 +171,10 @@ struct ath_common { + unsigned int clockrate; + + spinlock_t cc_lock; +- struct ath_cycle_counters cc_ani; +- struct ath_cycle_counters cc_survey; ++ struct_group(cc, ++ struct ath_cycle_counters cc_ani; ++ struct ath_cycle_counters cc_survey; ++ ); + + struct ath_regulatory regulatory; + struct ath_regulatory reg_world_copy; +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index b2cfc483515c0..c5904d81d0006 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -135,8 +135,7 @@ void ath9k_ps_wakeup(struct ath_softc *sc) + if (power_mode != ATH9K_PM_AWAKE) { + spin_lock(&common->cc_lock); + ath_hw_cycle_counters_update(common); +- memset(&common->cc_survey, 0, sizeof(common->cc_survey)); +- memset(&common->cc_ani, 0, sizeof(common->cc_ani)); ++ memset(&common->cc, 0, sizeof(common->cc)); + spin_unlock(&common->cc_lock); + } + +-- +2.43.0 + -- 2.47.3