From a63fbb4f8f3fbbca35d252203d7529e81f0088d6 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 1 Oct 2024 14:52:35 +0200 Subject: [PATCH] 6.10-stable patches added patches: acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch acpi-resource-do-irq-override-on-mechrev-gm7xg0m.patch acpi-sysfs-validate-return-type-of-_str-method.patch btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bitmap-corruption.patch debugobjects-fix-conditions-in-fill_pool.patch drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch efistub-tpm-use-acpi-reclaim-memory-for-event-log-to-avoid-corruption.patch perf-x86-intel-allow-to-setup-lbr-for-counting-event-for-bpf.patch perf-x86-intel-pt-fix-sampling-synchronization.patch wifi-mt76-mt7615-check-devm_kasprintf-returned-value.patch wifi-mt76-mt7915-check-devm_kasprintf-returned-value.patch wifi-mt76-mt7921-check-devm_kasprintf-returned-value.patch wifi-mt76-mt7925-fix-a-potential-array-index-out-of-bounds-issue-for-clc.patch wifi-mt76-mt7996-fix-null-pointer-dereference-in-mt7996_mcu_sta_bfer_he.patch wifi-rtw88-8703b-fix-reported-rx-band-width.patch wifi-rtw88-8821cu-remove-vid-pid-0bda-c82c.patch wifi-rtw88-8822c-fix-reported-rx-band-width.patch x86-entry-remove-unwanted-instrumentation-in-common_interrupt.patch --- ...r-dmi-match-for-the-tongfang-gmxxgxx.patch | 38 +++++++ ...e-do-irq-override-on-mechrev-gm7xg0m.patch | 36 ++++++ ...-validate-return-type-of-_str-method.patch | 41 +++++++ ...mp-which-can-cause-bitmap-corruption.patch | 50 +++++++++ ...gobjects-fix-conditions-in-fill_pool.patch | 49 ++++++++ ...vent-dereference-in-state-validation.patch | 36 ++++++ ...micity-violation-in-drbd_uuid_set_bm.patch | 58 ++++++++++ ...ry-for-event-log-to-avoid-corruption.patch | 45 ++++++++ ...setup-lbr-for-counting-event-for-bpf.patch | 64 +++++++++++ ...ntel-pt-fix-sampling-synchronization.patch | 71 ++++++++++++ queue-6.10/series | 19 ++++ ...-check-devm_kasprintf-returned-value.patch | 37 ++++++ ...-check-devm_kasprintf-returned-value.patch | 36 ++++++ ...-check-devm_kasprintf-returned-value.patch | 36 ++++++ ...ay-index-out-of-bounds-issue-for-clc.patch | 34 ++++++ ...ereference-in-mt7996_mcu_sta_bfer_he.patch | 36 ++++++ ...w88-8703b-fix-reported-rx-band-width.patch | 41 +++++++ ...tw88-8821cu-remove-vid-pid-0bda-c82c.patch | 35 ++++++ ...w88-8822c-fix-reported-rx-band-width.patch | 58 ++++++++++ ...-instrumentation-in-common_interrupt.patch | 105 ++++++++++++++++++ 20 files changed, 925 insertions(+) create mode 100644 queue-6.10/acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch create mode 100644 queue-6.10/acpi-resource-do-irq-override-on-mechrev-gm7xg0m.patch create mode 100644 queue-6.10/acpi-sysfs-validate-return-type-of-_str-method.patch create mode 100644 queue-6.10/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bitmap-corruption.patch create mode 100644 queue-6.10/debugobjects-fix-conditions-in-fill_pool.patch create mode 100644 queue-6.10/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch create mode 100644 queue-6.10/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch create mode 100644 queue-6.10/efistub-tpm-use-acpi-reclaim-memory-for-event-log-to-avoid-corruption.patch create mode 100644 queue-6.10/perf-x86-intel-allow-to-setup-lbr-for-counting-event-for-bpf.patch create mode 100644 queue-6.10/perf-x86-intel-pt-fix-sampling-synchronization.patch create mode 100644 queue-6.10/wifi-mt76-mt7615-check-devm_kasprintf-returned-value.patch create mode 100644 queue-6.10/wifi-mt76-mt7915-check-devm_kasprintf-returned-value.patch create mode 100644 queue-6.10/wifi-mt76-mt7921-check-devm_kasprintf-returned-value.patch create mode 100644 queue-6.10/wifi-mt76-mt7925-fix-a-potential-array-index-out-of-bounds-issue-for-clc.patch create mode 100644 queue-6.10/wifi-mt76-mt7996-fix-null-pointer-dereference-in-mt7996_mcu_sta_bfer_he.patch create mode 100644 queue-6.10/wifi-rtw88-8703b-fix-reported-rx-band-width.patch create mode 100644 queue-6.10/wifi-rtw88-8821cu-remove-vid-pid-0bda-c82c.patch create mode 100644 queue-6.10/wifi-rtw88-8822c-fix-reported-rx-band-width.patch create mode 100644 queue-6.10/x86-entry-remove-unwanted-instrumentation-in-common_interrupt.patch diff --git a/queue-6.10/acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch b/queue-6.10/acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch new file mode 100644 index 00000000000..c3184fe0779 --- /dev/null +++ b/queue-6.10/acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch @@ -0,0 +1,38 @@ +From a98cfe6ff15b62f94a44d565607a16771c847bc6 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Tue, 10 Sep 2024 11:40:06 +0200 +Subject: ACPI: resource: Add another DMI match for the TongFang GMxXGxx + +From: Werner Sembach + +commit a98cfe6ff15b62f94a44d565607a16771c847bc6 upstream. + +Internal documentation suggest that the TUXEDO Polaris 15 Gen5 AMD might +have GMxXGxX as the board name instead of GMxXGxx. + +Adding both to be on the safe side. + +Signed-off-by: Werner Sembach +Cc: All applicable +Link: https://patch.msgid.link/20240910094008.1601230-1-wse@tuxedocomputers.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -579,6 +579,12 @@ static const struct dmi_system_id irq1_e + }, + }, + { ++ /* TongFang GMxXGxX/TUXEDO Polaris 15 Gen5 AMD */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GMxXGxX"), ++ }, ++ }, ++ { + /* TongFang GMxXGxx sold as Eluktronics Inc. RP-15 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Eluktronics Inc."), diff --git a/queue-6.10/acpi-resource-do-irq-override-on-mechrev-gm7xg0m.patch b/queue-6.10/acpi-resource-do-irq-override-on-mechrev-gm7xg0m.patch new file mode 100644 index 00000000000..619c502bbc2 --- /dev/null +++ b/queue-6.10/acpi-resource-do-irq-override-on-mechrev-gm7xg0m.patch @@ -0,0 +1,36 @@ +From b53f09ecd602d7b8b7da83b0890cbac500b6a9b9 Mon Sep 17 00:00:00 2001 +From: Li Chen +Date: Sat, 3 Aug 2024 16:13:18 +0800 +Subject: ACPI: resource: Do IRQ override on MECHREV GM7XG0M + +From: Li Chen + +commit b53f09ecd602d7b8b7da83b0890cbac500b6a9b9 upstream. + +Listed device need the override for the keyboard to work. + +Fixes: 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen platforms") +Cc: All applicable +Signed-off-by: Li Chen +Link: https://patch.msgid.link/87y15e6n35.wl-me@linux.beauty +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -555,6 +555,12 @@ static const struct dmi_system_id irq1_l + */ + static const struct dmi_system_id irq1_edge_low_force_override[] = { + { ++ /* MECHREV Jiaolong17KS Series GM7XG0M */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GM7XG0M"), ++ }, ++ }, ++ { + /* XMG APEX 17 (M23) */ + .matches = { + DMI_MATCH(DMI_BOARD_NAME, "GMxBGxx"), diff --git a/queue-6.10/acpi-sysfs-validate-return-type-of-_str-method.patch b/queue-6.10/acpi-sysfs-validate-return-type-of-_str-method.patch new file mode 100644 index 00000000000..eef9d06eeec --- /dev/null +++ b/queue-6.10/acpi-sysfs-validate-return-type-of-_str-method.patch @@ -0,0 +1,41 @@ +From 4bb1e7d027413835b086aed35bc3f0713bc0f72b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 9 Jul 2024 22:37:24 +0200 +Subject: ACPI: sysfs: validate return type of _STR method +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 4bb1e7d027413835b086aed35bc3f0713bc0f72b upstream. + +Only buffer objects are valid return values of _STR. + +If something else is returned description_show() will access invalid +memory. + +Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") +Cc: All applicable +Signed-off-by: Thomas Weißschuh +Link: https://patch.msgid.link/20240709-acpi-sysfs-groups-v2-1-058ab0667fa8@weissschuh.net +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/device_sysfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -540,8 +540,9 @@ int acpi_device_setup_files(struct acpi_ + * If device has _STR, 'description' file is created + */ + if (acpi_has_method(dev->handle, "_STR")) { +- status = acpi_evaluate_object(dev->handle, "_STR", +- NULL, &buffer); ++ status = acpi_evaluate_object_typed(dev->handle, "_STR", ++ NULL, &buffer, ++ ACPI_TYPE_BUFFER); + if (ACPI_FAILURE(status)) + buffer.pointer = NULL; + dev->pnp.str_obj = buffer.pointer; diff --git a/queue-6.10/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bitmap-corruption.patch b/queue-6.10/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bitmap-corruption.patch new file mode 100644 index 00000000000..5329b60d739 --- /dev/null +++ b/queue-6.10/btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bitmap-corruption.patch @@ -0,0 +1,50 @@ +From 77b0b98bb743f5d04d8f995ba1936e1143689d4a Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 30 Aug 2024 16:35:48 +0930 +Subject: btrfs: subpage: fix the bitmap dump which can cause bitmap corruption + +From: Qu Wenruo + +commit 77b0b98bb743f5d04d8f995ba1936e1143689d4a upstream. + +In commit 75258f20fb70 ("btrfs: subpage: dump extra subpage bitmaps for +debug") an internal macro GET_SUBPAGE_BITMAP() is introduced to grab the +bitmap of each attribute. + +But that commit is using bitmap_cut() which will do the left shift of +the larger bitmap, causing incorrect values. + +Thankfully this bitmap_cut() is only called for debug usage, and so far +it's not yet causing problem. + +Fix it to use bitmap_read() to only grab the desired sub-bitmap. + +Fixes: 75258f20fb70 ("btrfs: subpage: dump extra subpage bitmaps for debug") +CC: stable@vger.kernel.org # 6.6+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/subpage.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/subpage.c ++++ b/fs/btrfs/subpage.c +@@ -766,8 +766,14 @@ void btrfs_folio_unlock_writer(struct bt + } + + #define GET_SUBPAGE_BITMAP(subpage, subpage_info, name, dst) \ +- bitmap_cut(dst, subpage->bitmaps, 0, \ +- subpage_info->name##_offset, subpage_info->bitmap_nr_bits) ++{ \ ++ const int bitmap_nr_bits = subpage_info->bitmap_nr_bits; \ ++ \ ++ ASSERT(bitmap_nr_bits < BITS_PER_LONG); \ ++ *dst = bitmap_read(subpage->bitmaps, \ ++ subpage_info->name##_offset, \ ++ bitmap_nr_bits); \ ++} + + void __cold btrfs_subpage_dump_bitmap(const struct btrfs_fs_info *fs_info, + struct folio *folio, u64 start, u32 len) diff --git a/queue-6.10/debugobjects-fix-conditions-in-fill_pool.patch b/queue-6.10/debugobjects-fix-conditions-in-fill_pool.patch new file mode 100644 index 00000000000..a71be7b14ee --- /dev/null +++ b/queue-6.10/debugobjects-fix-conditions-in-fill_pool.patch @@ -0,0 +1,49 @@ +From 684d28feb8546d1e9597aa363c3bfcf52fe250b7 Mon Sep 17 00:00:00 2001 +From: Zhen Lei +Date: Wed, 4 Sep 2024 21:39:40 +0800 +Subject: debugobjects: Fix conditions in fill_pool() + +From: Zhen Lei + +commit 684d28feb8546d1e9597aa363c3bfcf52fe250b7 upstream. + +fill_pool() uses 'obj_pool_min_free' to decide whether objects should be +handed back to the kmem cache. But 'obj_pool_min_free' records the lowest +historical value of the number of objects in the object pool and not the +minimum number of objects which should be kept in the pool. + +Use 'debug_objects_pool_min_level' instead, which holds the minimum number +which was scaled to the number of CPUs at boot time. + +[ tglx: Massage change log ] + +Fixes: d26bf5056fc0 ("debugobjects: Reduce number of pool_lock acquisitions in fill_pool()") +Fixes: 36c4ead6f6df ("debugobjects: Add global free list and the counter") +Signed-off-by: Zhen Lei +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20240904133944.2124-3-thunder.leizhen@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + lib/debugobjects.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -142,13 +142,14 @@ static void fill_pool(void) + * READ_ONCE()s pair with the WRITE_ONCE()s in pool_lock critical + * sections. + */ +- while (READ_ONCE(obj_nr_tofree) && (READ_ONCE(obj_pool_free) < obj_pool_min_free)) { ++ while (READ_ONCE(obj_nr_tofree) && ++ READ_ONCE(obj_pool_free) < debug_objects_pool_min_level) { + raw_spin_lock_irqsave(&pool_lock, flags); + /* + * Recheck with the lock held as the worker thread might have + * won the race and freed the global free list already. + */ +- while (obj_nr_tofree && (obj_pool_free < obj_pool_min_free)) { ++ while (obj_nr_tofree && (obj_pool_free < debug_objects_pool_min_level)) { + obj = hlist_entry(obj_to_free.first, typeof(*obj), node); + hlist_del(&obj->node); + WRITE_ONCE(obj_nr_tofree, obj_nr_tofree - 1); diff --git a/queue-6.10/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch b/queue-6.10/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch new file mode 100644 index 00000000000..df3f8689701 --- /dev/null +++ b/queue-6.10/drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch @@ -0,0 +1,36 @@ +From a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 Mon Sep 17 00:00:00 2001 +From: Mikhail Lobanov +Date: Mon, 9 Sep 2024 09:37:36 -0400 +Subject: drbd: Add NULL check for net_conf to prevent dereference in state validation + +From: Mikhail Lobanov + +commit a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 upstream. + +If the net_conf pointer is NULL and the code attempts to access its +fields without a check, it will lead to a null pointer dereference. +Add a NULL check before dereferencing the pointer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 44ed167da748 ("drbd: rcu_read_lock() and rcu_dereference() for tconn->net_conf") +Cc: stable@vger.kernel.org +Signed-off-by: Mikhail Lobanov +Link: https://lore.kernel.org/r/20240909133740.84297-1-m.lobanov@rosalinux.ru +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/drbd/drbd_state.c ++++ b/drivers/block/drbd/drbd_state.c +@@ -876,7 +876,7 @@ is_valid_state(struct drbd_device *devic + ns.disk == D_OUTDATED) + rv = SS_CONNECTED_OUTDATES; + +- else if ((ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) && ++ else if (nc && (ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) && + (nc->verify_alg[0] == 0)) + rv = SS_NO_VERIFY_ALG; + diff --git a/queue-6.10/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch b/queue-6.10/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch new file mode 100644 index 00000000000..17c2635ac8e --- /dev/null +++ b/queue-6.10/drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch @@ -0,0 +1,58 @@ +From 2f02b5af3a4482b216e6a466edecf6ba8450fa45 Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Fri, 13 Sep 2024 16:35:04 +0800 +Subject: drbd: Fix atomicity violation in drbd_uuid_set_bm() + +From: Qiu-ji Chen + +commit 2f02b5af3a4482b216e6a466edecf6ba8450fa45 upstream. + +The violation of atomicity occurs when the drbd_uuid_set_bm function is +executed simultaneously with modifying the value of +device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while +device->ldev->md.uuid[UI_BITMAP] passes the validity check when its +value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is +written to zero. In this case, the check in drbd_uuid_set_bm might refer +to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking), +which allows an invalid value to pass the validity check, resulting in +inconsistency. + +To address this issue, it is recommended to include the data validity +check within the locked section of the function. This modification +ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not +change during the validation process, thereby maintaining its integrity. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs to extract +function pairs that can be concurrently executed, and then analyzes the +instructions in the paired functions to identify possible concurrency +bugs including data races and atomicity violations. + +Fixes: 9f2247bb9b75 ("drbd: Protect accesses to the uuid set with a spinlock") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Reviewed-by: Philipp Reisner +Link: https://lore.kernel.org/r/20240913083504.10549-1-chenqiuji666@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/block/drbd/drbd_main.c ++++ b/drivers/block/drbd/drbd_main.c +@@ -3399,10 +3399,12 @@ void drbd_uuid_new_current(struct drbd_d + void drbd_uuid_set_bm(struct drbd_device *device, u64 val) __must_hold(local) + { + unsigned long flags; +- if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) ++ spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); ++ if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) { ++ spin_unlock_irqrestore(&device->ldev->md.uuid_lock, flags); + return; ++ } + +- spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); + if (val == 0) { + drbd_uuid_move_history(device); + device->ldev->md.uuid[UI_HISTORY_START] = device->ldev->md.uuid[UI_BITMAP]; diff --git a/queue-6.10/efistub-tpm-use-acpi-reclaim-memory-for-event-log-to-avoid-corruption.patch b/queue-6.10/efistub-tpm-use-acpi-reclaim-memory-for-event-log-to-avoid-corruption.patch new file mode 100644 index 00000000000..8f8cc199e96 --- /dev/null +++ b/queue-6.10/efistub-tpm-use-acpi-reclaim-memory-for-event-log-to-avoid-corruption.patch @@ -0,0 +1,45 @@ +From 77d48d39e99170b528e4f2e9fc5d1d64cdedd386 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 12 Sep 2024 17:45:49 +0200 +Subject: efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption + +From: Ard Biesheuvel + +commit 77d48d39e99170b528e4f2e9fc5d1d64cdedd386 upstream. + +The TPM event log table is a Linux specific construct, where the data +produced by the GetEventLog() boot service is cached in memory, and +passed on to the OS using an EFI configuration table. + +The use of EFI_LOADER_DATA here results in the region being left +unreserved in the E820 memory map constructed by the EFI stub, and this +is the memory description that is passed on to the incoming kernel by +kexec, which is therefore unaware that the region should be reserved. + +Even though the utility of the TPM2 event log after a kexec is +questionable, any corruption might send the parsing code off into the +weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY +instead, which is always treated as reserved by the E820 conversion +logic. + +Cc: +Reported-by: Breno Leitao +Tested-by: Usama Arif +Reviewed-by: Ilias Apalodimas +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/tpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/efi/libstub/tpm.c ++++ b/drivers/firmware/efi/libstub/tpm.c +@@ -96,7 +96,7 @@ static void efi_retrieve_tcg2_eventlog(i + } + + /* Allocate space for the logs and copy them. */ +- status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, ++ status = efi_bs_call(allocate_pool, EFI_ACPI_RECLAIM_MEMORY, + sizeof(*log_tbl) + log_size, (void **)&log_tbl); + + if (status != EFI_SUCCESS) { diff --git a/queue-6.10/perf-x86-intel-allow-to-setup-lbr-for-counting-event-for-bpf.patch b/queue-6.10/perf-x86-intel-allow-to-setup-lbr-for-counting-event-for-bpf.patch new file mode 100644 index 00000000000..ff3136f3338 --- /dev/null +++ b/queue-6.10/perf-x86-intel-allow-to-setup-lbr-for-counting-event-for-bpf.patch @@ -0,0 +1,64 @@ +From ef493f4b122d6b14a6de111d1acac1eab1d673b0 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Mon, 9 Sep 2024 08:58:48 -0700 +Subject: perf/x86/intel: Allow to setup LBR for counting event for BPF + +From: Kan Liang + +commit ef493f4b122d6b14a6de111d1acac1eab1d673b0 upstream. + +The BPF subsystem may capture LBR data on a counting event. However, the +current implementation assumes that LBR can/should only be used with +sampling events. + +For instance, retsnoop tool ([0]) makes an extensive use of this +functionality and sets up perf event as follows: + + struct perf_event_attr attr; + + memset(&attr, 0, sizeof(attr)); + attr.size = sizeof(attr); + attr.type = PERF_TYPE_HARDWARE; + attr.config = PERF_COUNT_HW_CPU_CYCLES; + attr.sample_type = PERF_SAMPLE_BRANCH_STACK; + attr.branch_sample_type = PERF_SAMPLE_BRANCH_KERNEL; + +To limit the LBR for a sampling event is to avoid unnecessary branch +stack setup for a counting event in the sample read. Because LBR is only +read in the sampling event's overflow. + +Although in most cases LBR is used in sampling, there is no HW limit to +bind LBR to the sampling mode. Allow an LBR setup for a counting event +unless in the sample read mode. + +Fixes: 85846b27072d ("perf/x86: Add PERF_X86_EVENT_NEEDS_BRANCH_STACK flag") +Closes: https://lore.kernel.org/lkml/20240905180055.1221620-1-andrii@kernel.org/ +Reported-by: Andrii Nakryiko +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Andrii Nakryiko +Tested-by: Andrii Nakryiko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240909155848.326640-1-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3912,8 +3912,12 @@ static int intel_pmu_hw_config(struct pe + x86_pmu.pebs_aliases(event); + } + +- if (needs_branch_stack(event) && is_sampling_event(event)) +- event->hw.flags |= PERF_X86_EVENT_NEEDS_BRANCH_STACK; ++ if (needs_branch_stack(event)) { ++ /* Avoid branch stack setup for counting events in SAMPLE READ */ ++ if (is_sampling_event(event) || ++ !(event->attr.sample_type & PERF_SAMPLE_READ)) ++ event->hw.flags |= PERF_X86_EVENT_NEEDS_BRANCH_STACK; ++ } + + if (branch_sample_counters(event)) { + struct perf_event *leader, *sibling; diff --git a/queue-6.10/perf-x86-intel-pt-fix-sampling-synchronization.patch b/queue-6.10/perf-x86-intel-pt-fix-sampling-synchronization.patch new file mode 100644 index 00000000000..57ba8abb0c8 --- /dev/null +++ b/queue-6.10/perf-x86-intel-pt-fix-sampling-synchronization.patch @@ -0,0 +1,71 @@ +From d92792a4b26e50b96ab734cbe203d8a4c932a7a9 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 15 Jul 2024 19:07:00 +0300 +Subject: perf/x86/intel/pt: Fix sampling synchronization + +From: Adrian Hunter + +commit d92792a4b26e50b96ab734cbe203d8a4c932a7a9 upstream. + +pt_event_snapshot_aux() uses pt->handle_nmi to determine if tracing +needs to be stopped, however tracing can still be going because +pt->handle_nmi is set to zero before tracing is stopped in pt_event_stop, +whereas pt_event_snapshot_aux() requires that tracing must be stopped in +order to copy a sample of trace from the buffer. + +Instead call pt_config_stop() always, which anyway checks config for +RTIT_CTL_TRACEEN and does nothing if it is already clear. + +Note pt_event_snapshot_aux() can continue to use pt->handle_nmi to +determine if the trace needs to be restarted afterwards. + +Fixes: 25e8920b301c ("perf/x86/intel/pt: Add sampling support") +Signed-off-by: Adrian Hunter +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20240715160712.127117-2-adrian.hunter@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/pt.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -1606,6 +1606,7 @@ static void pt_event_stop(struct perf_ev + * see comment in intel_pt_interrupt(). + */ + WRITE_ONCE(pt->handle_nmi, 0); ++ barrier(); + + pt_config_stop(event); + +@@ -1657,11 +1658,10 @@ static long pt_event_snapshot_aux(struct + return 0; + + /* +- * Here, handle_nmi tells us if the tracing is on ++ * There is no PT interrupt in this mode, so stop the trace and it will ++ * remain stopped while the buffer is copied. + */ +- if (READ_ONCE(pt->handle_nmi)) +- pt_config_stop(event); +- ++ pt_config_stop(event); + pt_read_offset(buf); + pt_update_head(pt); + +@@ -1673,11 +1673,10 @@ static long pt_event_snapshot_aux(struct + ret = perf_output_copy_aux(&pt->handle, handle, from, to); + + /* +- * If the tracing was on when we turned up, restart it. +- * Compiler barrier not needed as we couldn't have been +- * preempted by anything that touches pt->handle_nmi. ++ * Here, handle_nmi tells us if the tracing was on. ++ * If the tracing was on, restart it. + */ +- if (pt->handle_nmi) ++ if (READ_ONCE(pt->handle_nmi)) + pt_config_start(event); + + return ret; diff --git a/queue-6.10/series b/queue-6.10/series index c4d6cc4d360..36ef4b20ec0 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -542,3 +542,22 @@ serial-qcom-geni-fix-fifo-polling-timeout.patch serial-qcom-geni-fix-false-console-tx-restart.patch crypto-qcom-rng-fix-support-for-acpi-based-systems.patch crypto-ccp-properly-unregister-dev-sev-on-sev-platform_status-failure.patch +drbd-fix-atomicity-violation-in-drbd_uuid_set_bm.patch +drbd-add-null-check-for-net_conf-to-prevent-dereference-in-state-validation.patch +acpi-sysfs-validate-return-type-of-_str-method.patch +acpi-resource-do-irq-override-on-mechrev-gm7xg0m.patch +acpi-resource-add-another-dmi-match-for-the-tongfang-gmxxgxx.patch +efistub-tpm-use-acpi-reclaim-memory-for-event-log-to-avoid-corruption.patch +x86-entry-remove-unwanted-instrumentation-in-common_interrupt.patch +perf-x86-intel-allow-to-setup-lbr-for-counting-event-for-bpf.patch +perf-x86-intel-pt-fix-sampling-synchronization.patch +btrfs-subpage-fix-the-bitmap-dump-which-can-cause-bitmap-corruption.patch +wifi-mt76-mt7921-check-devm_kasprintf-returned-value.patch +wifi-mt76-mt7915-check-devm_kasprintf-returned-value.patch +wifi-mt76-mt7996-fix-null-pointer-dereference-in-mt7996_mcu_sta_bfer_he.patch +wifi-mt76-mt7925-fix-a-potential-array-index-out-of-bounds-issue-for-clc.patch +wifi-rtw88-8821cu-remove-vid-pid-0bda-c82c.patch +wifi-rtw88-8822c-fix-reported-rx-band-width.patch +wifi-rtw88-8703b-fix-reported-rx-band-width.patch +wifi-mt76-mt7615-check-devm_kasprintf-returned-value.patch +debugobjects-fix-conditions-in-fill_pool.patch diff --git a/queue-6.10/wifi-mt76-mt7615-check-devm_kasprintf-returned-value.patch b/queue-6.10/wifi-mt76-mt7615-check-devm_kasprintf-returned-value.patch new file mode 100644 index 00000000000..883dde3b734 --- /dev/null +++ b/queue-6.10/wifi-mt76-mt7615-check-devm_kasprintf-returned-value.patch @@ -0,0 +1,37 @@ +From 5acdc432f832d810e0d638164c393b877291d9b4 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 5 Sep 2024 09:47:53 +0800 +Subject: wifi: mt76: mt7615: check devm_kasprintf() returned value + +From: Ma Ke + +commit 5acdc432f832d810e0d638164c393b877291d9b4 upstream. + +devm_kasprintf() can return a NULL pointer on failure but this returned +value is not checked. Fix this lack and check the returned value. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 0bb4e9187ea4 ("mt76: mt7615: fix hwmon temp sensor mem use-after-free") +Signed-off-by: Ma Ke +Reviewed-by: Matthias Brugger +Link: https://patch.msgid.link/20240905014753.353271-1-make24@iscas.ac.cn +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7615/init.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7615/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/init.c +@@ -56,6 +56,9 @@ int mt7615_thermal_init(struct mt7615_de + + name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7615_%s", + wiphy_name(wiphy)); ++ if (!name) ++ return -ENOMEM; ++ + hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, name, dev, + mt7615_hwmon_groups); + return PTR_ERR_OR_ZERO(hwmon); diff --git a/queue-6.10/wifi-mt76-mt7915-check-devm_kasprintf-returned-value.patch b/queue-6.10/wifi-mt76-mt7915-check-devm_kasprintf-returned-value.patch new file mode 100644 index 00000000000..143b1389f7f --- /dev/null +++ b/queue-6.10/wifi-mt76-mt7915-check-devm_kasprintf-returned-value.patch @@ -0,0 +1,36 @@ +From 267efeda8c55f30e0e7c5b7fd03dea4efec6916c Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 3 Sep 2024 09:49:55 +0800 +Subject: wifi: mt76: mt7915: check devm_kasprintf() returned value + +From: Ma Ke + +commit 267efeda8c55f30e0e7c5b7fd03dea4efec6916c upstream. + +devm_kasprintf() can return a NULL pointer on failure but this returned +value is not checked. Fix this lack and check the returned value. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 6ae39b7c7ed4 ("wifi: mt76: mt7921: Support temp sensor") +Signed-off-by: Ma Ke +Reviewed-by: Matthias Brugger +Link: https://patch.msgid.link/20240903014955.4145423-1-make24@iscas.ac.cn +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7915/init.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c +@@ -194,6 +194,8 @@ static int mt7915_thermal_init(struct mt + + name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7915_%s", + wiphy_name(wiphy)); ++ if (!name) ++ return -ENOMEM; + + cdev = thermal_cooling_device_register(name, phy, &mt7915_thermal_ops); + if (!IS_ERR(cdev)) { diff --git a/queue-6.10/wifi-mt76-mt7921-check-devm_kasprintf-returned-value.patch b/queue-6.10/wifi-mt76-mt7921-check-devm_kasprintf-returned-value.patch new file mode 100644 index 00000000000..8bd8321f9cd --- /dev/null +++ b/queue-6.10/wifi-mt76-mt7921-check-devm_kasprintf-returned-value.patch @@ -0,0 +1,36 @@ +From 1ccc9e476ce76e8577ba4fdbd1f63cb3e3499d38 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 3 Sep 2024 09:44:55 +0800 +Subject: wifi: mt76: mt7921: Check devm_kasprintf() returned value + +From: Ma Ke + +commit 1ccc9e476ce76e8577ba4fdbd1f63cb3e3499d38 upstream. + +devm_kasprintf() can return a NULL pointer on failure but this returned +value is not checked. Fix this lack and check the returned value. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 6ae39b7c7ed4 ("wifi: mt76: mt7921: Support temp sensor") +Signed-off-by: Ma Ke +Reviwed-by: Matthias Brugger +Link: https://patch.msgid.link/20240903014455.4144536-1-make24@iscas.ac.cn +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/init.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c +@@ -52,6 +52,8 @@ static int mt7921_thermal_init(struct mt + + name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7921_%s", + wiphy_name(wiphy)); ++ if (!name) ++ return -ENOMEM; + + hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, name, phy, + mt7921_hwmon_groups); diff --git a/queue-6.10/wifi-mt76-mt7925-fix-a-potential-array-index-out-of-bounds-issue-for-clc.patch b/queue-6.10/wifi-mt76-mt7925-fix-a-potential-array-index-out-of-bounds-issue-for-clc.patch new file mode 100644 index 00000000000..e7093142a92 --- /dev/null +++ b/queue-6.10/wifi-mt76-mt7925-fix-a-potential-array-index-out-of-bounds-issue-for-clc.patch @@ -0,0 +1,34 @@ +From 9679ca7326e52282cc923c4d71d81c999cb6cd55 Mon Sep 17 00:00:00 2001 +From: Ming Yen Hsieh +Date: Mon, 19 Aug 2024 09:53:33 +0800 +Subject: wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc + +From: Ming Yen Hsieh + +commit 9679ca7326e52282cc923c4d71d81c999cb6cd55 upstream. + +Due to the lack of checks on the clc array, if the firmware supports +more clc configuration, it will cause illegal memory access. + +Cc: stable@vger.kernel.org +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20240819015334.14580-1-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +@@ -613,6 +613,9 @@ static int mt7925_load_clc(struct mt792x + for (offset = 0; offset < len; offset += le32_to_cpu(clc->len)) { + clc = (const struct mt7925_clc *)(clc_base + offset); + ++ if (clc->idx > ARRAY_SIZE(phy->clc)) ++ break; ++ + /* do not init buf again if chip reset triggered */ + if (phy->clc[clc->idx]) + continue; diff --git a/queue-6.10/wifi-mt76-mt7996-fix-null-pointer-dereference-in-mt7996_mcu_sta_bfer_he.patch b/queue-6.10/wifi-mt76-mt7996-fix-null-pointer-dereference-in-mt7996_mcu_sta_bfer_he.patch new file mode 100644 index 00000000000..abf32584331 --- /dev/null +++ b/queue-6.10/wifi-mt76-mt7996-fix-null-pointer-dereference-in-mt7996_mcu_sta_bfer_he.patch @@ -0,0 +1,36 @@ +From f503ae90c7355e8506e68498fe84c1357894cd5b Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 13 Aug 2024 16:12:42 +0800 +Subject: wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he + +From: Ma Ke + +commit f503ae90c7355e8506e68498fe84c1357894cd5b upstream. + +Fix the NULL pointer dereference in mt7996_mcu_sta_bfer_he +routine adding an sta interface to the mt7996 driver. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20240813081242.3991814-1-make24@iscas.ac.cn +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c +@@ -1544,6 +1544,9 @@ mt7996_mcu_sta_bfer_he(struct ieee80211_ + u8 nss_mcs = mt7996_mcu_get_sta_nss(mcs_map); + u8 snd_dim, sts; + ++ if (!vc) ++ return; ++ + bf->tx_mode = MT_PHY_TYPE_HE_SU; + + mt7996_mcu_sta_sounding_rate(bf); diff --git a/queue-6.10/wifi-rtw88-8703b-fix-reported-rx-band-width.patch b/queue-6.10/wifi-rtw88-8703b-fix-reported-rx-band-width.patch new file mode 100644 index 00000000000..0e1343cc650 --- /dev/null +++ b/queue-6.10/wifi-rtw88-8703b-fix-reported-rx-band-width.patch @@ -0,0 +1,41 @@ +From 0129e5ff2842450f1426e312b5e580c0814e0de3 Mon Sep 17 00:00:00 2001 +From: Bitterblue Smith +Date: Tue, 23 Jul 2024 22:32:59 +0300 +Subject: wifi: rtw88: 8703b: Fix reported RX band width + +From: Bitterblue Smith + +commit 0129e5ff2842450f1426e312b5e580c0814e0de3 upstream. + +The definition of GET_RX_DESC_BW is incorrect. Fix it according to the +GET_RX_STATUS_DESC_BW_8703B macro from the official driver. + +Tested only with RTL8812AU, which uses the same bits. + +Cc: stable@vger.kernel.org +Fixes: 9bb762b3a957 ("wifi: rtw88: Add definitions for 8703b chip") +Signed-off-by: Bitterblue Smith +Tested-by: Fiona Klute +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/1cfed9d5-4304-4b96-84c5-c347f59fedb9@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/rx.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/rx.h b/drivers/net/wireless/realtek/rtw88/rx.h +index d3668c4efc24..8a072dd3d73c 100644 +--- a/drivers/net/wireless/realtek/rtw88/rx.h ++++ b/drivers/net/wireless/realtek/rtw88/rx.h +@@ -41,7 +41,7 @@ enum rtw_rx_desc_enc { + #define GET_RX_DESC_TSFL(rxdesc) \ + le32_get_bits(*((__le32 *)(rxdesc) + 0x05), GENMASK(31, 0)) + #define GET_RX_DESC_BW(rxdesc) \ +- (le32_get_bits(*((__le32 *)(rxdesc) + 0x04), GENMASK(31, 24))) ++ (le32_get_bits(*((__le32 *)(rxdesc) + 0x04), GENMASK(5, 4))) + + void rtw_rx_stats(struct rtw_dev *rtwdev, struct ieee80211_vif *vif, + struct sk_buff *skb); +-- +2.46.2 + diff --git a/queue-6.10/wifi-rtw88-8821cu-remove-vid-pid-0bda-c82c.patch b/queue-6.10/wifi-rtw88-8821cu-remove-vid-pid-0bda-c82c.patch new file mode 100644 index 00000000000..404e0fed17c --- /dev/null +++ b/queue-6.10/wifi-rtw88-8821cu-remove-vid-pid-0bda-c82c.patch @@ -0,0 +1,35 @@ +From 0af8cd2822f31ed8363223329e5cff2a7ed01961 Mon Sep 17 00:00:00 2001 +From: Nick Morrow +Date: Thu, 11 Jul 2024 01:14:23 +0300 +Subject: wifi: rtw88: 8821cu: Remove VID/PID 0bda:c82c + +From: Nick Morrow + +commit 0af8cd2822f31ed8363223329e5cff2a7ed01961 upstream. + +Remove VID/PID 0bda:c82c as it was inadvertently added to the device +list in driver rtw8821cu. This VID/PID is for the rtw8822cu device +and it is already in the appropriate place for that device. + +Cc: stable@vger.kernel.org +Signed-off-by: Nick Morrow +Signed-off-by: Bitterblue Smith +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/335d7fa1-0ba5-4b86-bba5-f98834ace1f8@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/rtw8821cu.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw88/rtw8821cu.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8821cu.c +@@ -31,8 +31,6 @@ static const struct usb_device_id rtw_88 + .driver_info = (kernel_ulong_t)&(rtw8821c_hw_spec) }, + { USB_DEVICE_AND_INTERFACE_INFO(RTW_USB_VENDOR_ID_REALTEK, 0xc82b, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)&(rtw8821c_hw_spec) }, +- { USB_DEVICE_AND_INTERFACE_INFO(RTW_USB_VENDOR_ID_REALTEK, 0xc82c, 0xff, 0xff, 0xff), +- .driver_info = (kernel_ulong_t)&(rtw8821c_hw_spec) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x331d, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)&(rtw8821c_hw_spec) }, /* D-Link */ + { USB_DEVICE_AND_INTERFACE_INFO(0x7392, 0xc811, 0xff, 0xff, 0xff), diff --git a/queue-6.10/wifi-rtw88-8822c-fix-reported-rx-band-width.patch b/queue-6.10/wifi-rtw88-8822c-fix-reported-rx-band-width.patch new file mode 100644 index 00000000000..78c54d8ed85 --- /dev/null +++ b/queue-6.10/wifi-rtw88-8822c-fix-reported-rx-band-width.patch @@ -0,0 +1,58 @@ +From a71ed5898dfae68262f79277915d1dfe34586bc6 Mon Sep 17 00:00:00 2001 +From: Bitterblue Smith +Date: Tue, 23 Jul 2024 22:31:36 +0300 +Subject: wifi: rtw88: 8822c: Fix reported RX band width + +From: Bitterblue Smith + +commit a71ed5898dfae68262f79277915d1dfe34586bc6 upstream. + +"iw dev wlp2s0 station dump" shows incorrect rx bitrate: + +tx bitrate: 866.7 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 2 +rx bitrate: 86.7 MBit/s VHT-MCS 9 VHT-NSS 1 + +This is because the RX band width is calculated incorrectly. Fix the +calculation according to the phydm_rxsc_2_bw() function from the +official drivers. + +After: + +tx bitrate: 866.7 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 2 +rx bitrate: 390.0 MBit/s VHT-MCS 9 80MHz VHT-NSS 1 + +It also works correctly with the AP configured for 20 MHz and 40 MHz. + +Tested with RTL8822CE. + +Cc: stable@vger.kernel.org +Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") +Signed-off-by: Bitterblue Smith +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/bca8949b-e2bd-4515-98fd-70d3049a0097@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -2611,12 +2611,14 @@ static void query_phy_status_page1(struc + else + rxsc = GET_PHY_STAT_P1_HT_RXSC(phy_status); + +- if (rxsc >= 9 && rxsc <= 12) ++ if (rxsc == 0) ++ bw = rtwdev->hal.current_band_width; ++ else if (rxsc >= 1 && rxsc <= 8) ++ bw = RTW_CHANNEL_WIDTH_20; ++ else if (rxsc >= 9 && rxsc <= 12) + bw = RTW_CHANNEL_WIDTH_40; +- else if (rxsc >= 13) +- bw = RTW_CHANNEL_WIDTH_80; + else +- bw = RTW_CHANNEL_WIDTH_20; ++ bw = RTW_CHANNEL_WIDTH_80; + + channel = GET_PHY_STAT_P1_CHANNEL(phy_status); + rtw_set_rx_freq_band(pkt_stat, channel); diff --git a/queue-6.10/x86-entry-remove-unwanted-instrumentation-in-common_interrupt.patch b/queue-6.10/x86-entry-remove-unwanted-instrumentation-in-common_interrupt.patch new file mode 100644 index 00000000000..d6b31f54e77 --- /dev/null +++ b/queue-6.10/x86-entry-remove-unwanted-instrumentation-in-common_interrupt.patch @@ -0,0 +1,105 @@ +From 477d81a1c47a1b79b9c08fc92b5dea3c5143800b Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov +Date: Tue, 11 Jun 2024 09:50:30 +0200 +Subject: x86/entry: Remove unwanted instrumentation in common_interrupt() + +From: Dmitry Vyukov + +commit 477d81a1c47a1b79b9c08fc92b5dea3c5143800b upstream. + +common_interrupt() and related variants call kvm_set_cpu_l1tf_flush_l1d(), +which is neither marked noinstr nor __always_inline. + +So compiler puts it out of line and adds instrumentation to it. Since the +call is inside of instrumentation_begin/end(), objtool does not warn about +it. + +The manifestation is that KCOV produces spurious coverage in +kvm_set_cpu_l1tf_flush_l1d() in random places because the call happens when +preempt count is not yet updated to say that the kernel is in an interrupt. + +Mark kvm_set_cpu_l1tf_flush_l1d() as __always_inline and move it out of the +instrumentation_begin/end() section. It only calls __this_cpu_write() +which is already safe to call in noinstr contexts. + +Fixes: 6368558c3710 ("x86/entry: Provide IDTENTRY_SYSVEC") +Signed-off-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Alexander Potapenko +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/3f9a1de9e415fcb53d07dc9e19fa8481bb021b1b.1718092070.git.dvyukov@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/hardirq.h | 8 ++++++-- + arch/x86/include/asm/idtentry.h | 6 +++--- + 2 files changed, 9 insertions(+), 5 deletions(-) + +--- a/arch/x86/include/asm/hardirq.h ++++ b/arch/x86/include/asm/hardirq.h +@@ -69,7 +69,11 @@ extern u64 arch_irq_stat(void); + #define local_softirq_pending_ref pcpu_hot.softirq_pending + + #if IS_ENABLED(CONFIG_KVM_INTEL) +-static inline void kvm_set_cpu_l1tf_flush_l1d(void) ++/* ++ * This function is called from noinstr interrupt contexts ++ * and must be inlined to not get instrumentation. ++ */ ++static __always_inline void kvm_set_cpu_l1tf_flush_l1d(void) + { + __this_cpu_write(irq_stat.kvm_cpu_l1tf_flush_l1d, 1); + } +@@ -84,7 +88,7 @@ static __always_inline bool kvm_get_cpu_ + return __this_cpu_read(irq_stat.kvm_cpu_l1tf_flush_l1d); + } + #else /* !IS_ENABLED(CONFIG_KVM_INTEL) */ +-static inline void kvm_set_cpu_l1tf_flush_l1d(void) { } ++static __always_inline void kvm_set_cpu_l1tf_flush_l1d(void) { } + #endif /* IS_ENABLED(CONFIG_KVM_INTEL) */ + + #endif /* _ASM_X86_HARDIRQ_H */ +--- a/arch/x86/include/asm/idtentry.h ++++ b/arch/x86/include/asm/idtentry.h +@@ -212,8 +212,8 @@ __visible noinstr void func(struct pt_re + irqentry_state_t state = irqentry_enter(regs); \ + u32 vector = (u32)(u8)error_code; \ + \ ++ kvm_set_cpu_l1tf_flush_l1d(); \ + instrumentation_begin(); \ +- kvm_set_cpu_l1tf_flush_l1d(); \ + run_irq_on_irqstack_cond(__##func, regs, vector); \ + instrumentation_end(); \ + irqentry_exit(regs, state); \ +@@ -250,7 +250,6 @@ static void __##func(struct pt_regs *reg + \ + static __always_inline void instr_##func(struct pt_regs *regs) \ + { \ +- kvm_set_cpu_l1tf_flush_l1d(); \ + run_sysvec_on_irqstack_cond(__##func, regs); \ + } \ + \ +@@ -258,6 +257,7 @@ __visible noinstr void func(struct pt_re + { \ + irqentry_state_t state = irqentry_enter(regs); \ + \ ++ kvm_set_cpu_l1tf_flush_l1d(); \ + instrumentation_begin(); \ + instr_##func (regs); \ + instrumentation_end(); \ +@@ -288,7 +288,6 @@ static __always_inline void __##func(str + static __always_inline void instr_##func(struct pt_regs *regs) \ + { \ + __irq_enter_raw(); \ +- kvm_set_cpu_l1tf_flush_l1d(); \ + __##func (regs); \ + __irq_exit_raw(); \ + } \ +@@ -297,6 +296,7 @@ __visible noinstr void func(struct pt_re + { \ + irqentry_state_t state = irqentry_enter(regs); \ + \ ++ kvm_set_cpu_l1tf_flush_l1d(); \ + instrumentation_begin(); \ + instr_##func (regs); \ + instrumentation_end(); \ -- 2.47.3