diff --git a/blacklist.conf b/blacklist.conf index 984de19..ec5a052 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -833,3 +833,7 @@ fa2bbff7b0b4e211fec5e5686ef96350690597b5 # break KABI 162aadaa0df8217b0cc49d919dd00022fef65e78 # No file to patch 008820524844326ffb3123cebceba1960c0ad0dc # No file to patch f19e5bb91d53264d7dac5d845a4825afadf72440 # No file to patch +285e76fc049c4d32c772eea9460a7ef28a193802 # cleanup, not a fix +d77e745613680c54708470402e2b623dcd769681 # feature breaking kABI +02d6fdecb9c38de19065f6bed8d5214556fd061d # feature breaking kABI +6ef281daf020592c219fa91780abc381c6c20db5 # cleanup, not a fix diff --git a/patches.suse/clk-zynq-Prevent-null-pointer-dereference-caused-by-.patch b/patches.suse/clk-zynq-Prevent-null-pointer-dereference-caused-by-.patch new file mode 100644 index 0000000..80c23a9 --- /dev/null +++ b/patches.suse/clk-zynq-Prevent-null-pointer-dereference-caused-by-.patch @@ -0,0 +1,75 @@ +From 7938e9ce39d6779d2f85d822cc930f73420e54a6 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Fri, 1 Mar 2024 16:44:37 +0800 +Subject: [PATCH] clk: zynq: Prevent null pointer dereference caused by kmalloc + failure +Git-commit: 7938e9ce39d6779d2f85d822cc930f73420e54a6 +References: git-fixes +Patch-mainline: v6.9-rc1 + +The kmalloc() in zynq_clk_setup() will return null if the +physical memory has run out. As a result, if we use snprintf() +to write data to the null address, the null pointer dereference +bug will happen. + +This patch uses a stack variable to replace the kmalloc(). + +Fixes: 0ee52b157b8e ("clk: zynq: Add clock controller driver") +Suggested-by: Michal Simek +Suggested-by: Stephen Boyd +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20240301084437.16084-1-duoming@zju.edu.cn +Acked-by: Michal Simek +Signed-off-by: Stephen Boyd +Signed-off-by: Oliver Neukum + +--- + drivers/clk/zynq/clkc.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/zynq/clkc.c b/drivers/clk/zynq/clkc.c +index 7bdeaff2bfd6..c28d3dacf0fb 100644 +--- a/drivers/clk/zynq/clkc.c ++++ b/drivers/clk/zynq/clkc.c +@@ -42,6 +42,7 @@ static void __iomem *zynq_clkc_base; + #define SLCR_SWDT_CLK_SEL (zynq_clkc_base + 0x204) + + #define NUM_MIO_PINS 54 ++#define CLK_NAME_LEN 16 + + #define DBG_CLK_CTRL_CLKACT_TRC BIT(0) + #define DBG_CLK_CTRL_CPU_1XCLKACT BIT(1) +@@ -215,7 +216,7 @@ static void __init zynq_clk_setup(struct device_node *np) + int i; + u32 tmp; + int ret; +- char *clk_name; ++ char clk_name[CLK_NAME_LEN]; + unsigned int fclk_enable = 0; + const char *clk_output_name[clk_max]; + const char *cpu_parents[4]; +@@ -426,12 +427,10 @@ static void __init zynq_clk_setup(struct device_node *np) + "gem1_emio_mux", CLK_SET_RATE_PARENT, + SLCR_GEM1_CLK_CTRL, 0, 0, &gem1clk_lock); + +- tmp = strlen("mio_clk_00x"); +- clk_name = kmalloc(tmp, GFP_KERNEL); + for (i = 0; i < NUM_MIO_PINS; i++) { + int idx; + +- snprintf(clk_name, tmp, "mio_clk_%2.2d", i); ++ snprintf(clk_name, CLK_NAME_LEN, "mio_clk_%2.2d", i); + idx = of_property_match_string(np, "clock-names", clk_name); + if (idx >= 0) + can_mio_mux_parents[i] = of_clk_get_parent_name(np, +@@ -439,7 +438,6 @@ static void __init zynq_clk_setup(struct device_node *np) + else + can_mio_mux_parents[i] = dummy_nm; + } +- kfree(clk_name); + clk_register_mux(NULL, "can_mux", periph_parents, 4, + CLK_SET_RATE_NO_REPARENT, SLCR_CAN_CLK_CTRL, 4, 2, 0, + &canclk_lock); +-- +2.44.0 + diff --git a/patches.suse/media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch b/patches.suse/media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch new file mode 100644 index 0000000..27caf76 --- /dev/null +++ b/patches.suse/media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch @@ -0,0 +1,35 @@ +From 4797a3dd46f220e6d83daf54d70c5b33db6deb01 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Wed, 31 Jan 2024 13:00:33 +0100 +Subject: [PATCH] media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak +Git-commit: 4797a3dd46f220e6d83daf54d70c5b33db6deb01 +References: git-fixes +Patch-mainline: v6.9-rc1 + +Free the memory allocated in v4l2_ctrl_handler_init on release. + +Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") +Signed-off-by: Lucas Stach +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Oliver Neukum + +--- + drivers/staging/media/imx/imx-media-csc-scaler.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/media/imx/imx-media-csc-scaler.c b/drivers/staging/media/imx/imx-media-csc-scaler.c +index 1fd39a2fca98..95cca281e8a3 100644 +--- a/drivers/staging/media/imx/imx-media-csc-scaler.c ++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c +@@ -803,6 +803,7 @@ static int ipu_csc_scaler_release(struct file *file) + + dev_dbg(priv->dev, "Releasing instance %p\n", ctx); + ++ v4l2_ctrl_handler_free(&ctx->ctrl_hdlr); + v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); + v4l2_fh_del(&ctx->fh); + v4l2_fh_exit(&ctx->fh); +-- +2.44.0 + diff --git a/patches.suse/media-staging-ipu3-imgu-Set-fields-before-media_enti.patch b/patches.suse/media-staging-ipu3-imgu-Set-fields-before-media_enti.patch new file mode 100644 index 0000000..314d318 --- /dev/null +++ b/patches.suse/media-staging-ipu3-imgu-Set-fields-before-media_enti.patch @@ -0,0 +1,82 @@ +From 87318b7092670d4086bfec115a0280a60c51c2dd Mon Sep 17 00:00:00 2001 +From: Hidenori Kobayashi +Date: Tue, 9 Jan 2024 17:09:09 +0900 +Subject: [PATCH] media: staging: ipu3-imgu: Set fields before + media_entity_pads_init() +Git-commit: 87318b7092670d4086bfec115a0280a60c51c2dd +References: git-fixes +Patch-mainline: v6.9-rc1 + +The imgu driver fails to probe with the following message because it +does not set the pad's flags before calling media_entity_pads_init(). + +[ 14.596315] ipu3-imgu 0000:00:05.0: failed initialize subdev media entity (-22) +[ 14.596322] ipu3-imgu 0000:00:05.0: failed to register subdev0 ret (-22) +[ 14.596327] ipu3-imgu 0000:00:05.0: failed to register pipes (-22) +[ 14.596331] ipu3-imgu 0000:00:05.0: failed to create V4L2 devices (-22) + +Fix the initialization order so that the driver probe succeeds. The ops +initialization is also moved together for readability. + +Fixes: a0ca1627b450 ("media: staging/intel-ipu3: Add v4l2 driver based on media framework") +Cc: # 6.7 +Cc: Dan Carpenter +Signed-off-by: Hidenori Kobayashi +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Oliver Neukum + +--- + drivers/staging/media/ipu3/ipu3-v4l2.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c +index a66f034380c0..3df58eb3e882 100644 +--- a/drivers/staging/media/ipu3/ipu3-v4l2.c ++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c +@@ -1069,6 +1069,11 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, + struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[pipe]; + + /* Initialize subdev media entity */ ++ imgu_sd->subdev.entity.ops = &imgu_media_ops; ++ for (i = 0; i < IMGU_NODE_NUM; i++) { ++ imgu_sd->subdev_pads[i].flags = imgu_pipe->nodes[i].output ? ++ MEDIA_PAD_FL_SINK : MEDIA_PAD_FL_SOURCE; ++ } + r = media_entity_pads_init(&imgu_sd->subdev.entity, IMGU_NODE_NUM, + imgu_sd->subdev_pads); + if (r) { +@@ -1076,11 +1081,6 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, + "failed initialize subdev media entity (%d)\n", r); + return r; + } +- imgu_sd->subdev.entity.ops = &imgu_media_ops; +- for (i = 0; i < IMGU_NODE_NUM; i++) { +- imgu_sd->subdev_pads[i].flags = imgu_pipe->nodes[i].output ? +- MEDIA_PAD_FL_SINK : MEDIA_PAD_FL_SOURCE; +- } + + /* Initialize subdev */ + v4l2_subdev_init(&imgu_sd->subdev, &imgu_subdev_ops); +@@ -1177,15 +1177,15 @@ static int imgu_v4l2_node_setup(struct imgu_device *imgu, unsigned int pipe, + } + + /* Initialize media entities */ ++ node->vdev_pad.flags = node->output ? ++ MEDIA_PAD_FL_SOURCE : MEDIA_PAD_FL_SINK; ++ vdev->entity.ops = NULL; + r = media_entity_pads_init(&vdev->entity, 1, &node->vdev_pad); + if (r) { + dev_err(dev, "failed initialize media entity (%d)\n", r); + mutex_destroy(&node->lock); + return r; + } +- node->vdev_pad.flags = node->output ? +- MEDIA_PAD_FL_SOURCE : MEDIA_PAD_FL_SINK; +- vdev->entity.ops = NULL; + + /* Initialize vbq */ + vbq->type = node->vdev_fmt.type; +-- +2.44.0 + diff --git a/patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch b/patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch new file mode 100644 index 0000000..cc1f8da --- /dev/null +++ b/patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch @@ -0,0 +1,57 @@ +From 7c4650ded49e5b88929ecbbb631efb8b0838e811 Mon Sep 17 00:00:00 2001 +From: Michal Pecio +Date: Thu, 25 Jan 2024 17:27:37 +0200 +Subject: [PATCH] xhci: handle isoc Babble and Buffer Overrun events properly +Git-commit: 7c4650ded49e5b88929ecbbb631efb8b0838e811 +References: git-fixes +Patch-mainline: v6.8-rc3 + +xHCI 4.9 explicitly forbids assuming that the xHC has released its +ownership of a multi-TRB TD when it reports an error on one of the +early TRBs. Yet the driver makes such assumption and releases the TD, +allowing the remaining TRBs to be freed or overwritten by new TDs. + +The xHC should also report completion of the final TRB due to its IOC +flag being set by us, regardless of prior errors. This event cannot +be recognized if the TD has already been freed earlier, resulting in +"Transfer event TRB DMA ptr not part of current TD" error message. + +Fix this by reusing the logic for processing isoc Transaction Errors. +This also handles hosts which fail to report the final completion. + +Fix transfer length reporting on Babble errors. They may be caused by +device malfunction, no guarantee that the buffer has been filled. + +Signed-off-by: Michal Pecio +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20240125152737.2983959-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum + +--- + drivers/usb/host/xhci-ring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 41be7d31a36e..f0d8a607ff21 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2394,9 +2394,13 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, + case COMP_BANDWIDTH_OVERRUN_ERROR: + frame->status = -ECOMM; + break; +- case COMP_ISOCH_BUFFER_OVERRUN: + case COMP_BABBLE_DETECTED_ERROR: ++ sum_trbs_for_length = true; ++ fallthrough; ++ case COMP_ISOCH_BUFFER_OVERRUN: + frame->status = -EOVERFLOW; ++ if (ep_trb != td->last_trb) ++ td->error_mid_td = true; + break; + case COMP_INCOMPATIBLE_DEVICE_ERROR: + case COMP_STALL_ERROR: +-- +2.44.0 + diff --git a/patches.suse/xhci-process-isoc-TD-properly-when-there-was-a-trans.patch b/patches.suse/xhci-process-isoc-TD-properly-when-there-was-a-trans.patch new file mode 100644 index 0000000..217fb77 --- /dev/null +++ b/patches.suse/xhci-process-isoc-TD-properly-when-there-was-a-trans.patch @@ -0,0 +1,186 @@ +From 5372c65e1311a16351ef03dd096ff576e6477674 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 25 Jan 2024 17:27:36 +0200 +Subject: [PATCH] xhci: process isoc TD properly when there was a transaction + error mid TD. +Mime-version: 1.0 +Content-type: text/plain; charset=UTF-8 +Content-transfer-encoding: 8bit +Git-commit: 5372c65e1311a16351ef03dd096ff576e6477674 +References: git-fixes +Patch-mainline: v6.8-rc3 + +The last TRB of a isoc TD might not trigger an event if there was +an error event for a TRB mid TD. This is seen on a NEC Corporation +uPD720200 USB 3.0 Host + +After an error mid a multi-TRB TD the xHC should according to xhci 4.9.1 +generate events for passed TRBs with IOC flag set if it proceeds to the +next TD. This event is either a copy of the original error, or a +"success" transfer event. + +If that event is missing then the driver and xHC host get out of sync as +the driver is still expecting a transfer event for that first TD, while +xHC host is already sending events for the next TD in the list. +This leads to +"Transfer event TRB DMA ptr not part of current TD" messages. + +As a solution we tag the isoc TDs that get error events mid TD. +If an event doesn't match the first TD, then check if the tag is +set, and event points to the next TD. +In that case give back the fist TD and process the next TD normally + +Make sure TD status and transferred length stay valid in both cases +with and without final TD completion event. + +Reported-by: Michał Pecio +Closes: https://lore.kernel.org/linux-usb/20240112235205.1259f60c@foxbook/ +Tested-by: Michał Pecio +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20240125152737.2983959-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum + +--- + drivers/usb/host/xhci-ring.c | 74 +++++++++++++++++++++++++++++------- + drivers/usb/host/xhci.h | 1 + + 2 files changed, 61 insertions(+), 14 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 33806ae966f9..41be7d31a36e 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2376,6 +2376,9 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, + /* handle completion code */ + switch (trb_comp_code) { + case COMP_SUCCESS: ++ /* Don't overwrite status if TD had an error, see xHCI 4.9.1 */ ++ if (td->error_mid_td) ++ break; + if (remaining) { + frame->status = short_framestatus; + if (xhci->quirks & XHCI_TRUST_TX_LENGTH) +@@ -2401,8 +2404,9 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, + break; + case COMP_USB_TRANSACTION_ERROR: + frame->status = -EPROTO; ++ sum_trbs_for_length = true; + if (ep_trb != td->last_trb) +- return 0; ++ td->error_mid_td = true; + break; + case COMP_STOPPED: + sum_trbs_for_length = true; +@@ -2422,6 +2426,9 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, + break; + } + ++ if (td->urb_length_set) ++ goto finish_td; ++ + if (sum_trbs_for_length) + frame->actual_length = sum_trb_lengths(xhci, ep->ring, ep_trb) + + ep_trb_len - remaining; +@@ -2430,6 +2437,14 @@ static int process_isoc_td(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, + + td->urb->actual_length += frame->actual_length; + ++finish_td: ++ /* Don't give back TD yet if we encountered an error mid TD */ ++ if (td->error_mid_td && ep_trb != td->last_trb) { ++ xhci_dbg(xhci, "Error mid isoc TD, wait for final completion event\n"); ++ td->urb_length_set = true; ++ return 0; ++ } ++ + return finish_td(xhci, ep, ep_ring, td, trb_comp_code); + } + +@@ -2808,17 +2823,51 @@ static int handle_tx_event(struct xhci_hcd *xhci, + } + + if (!ep_seg) { +- if (!ep->skip || +- !usb_endpoint_xfer_isoc(&td->urb->ep->desc)) { +- /* Some host controllers give a spurious +- * successful event after a short transfer. +- * Ignore it. +- */ +- if ((xhci->quirks & XHCI_SPURIOUS_SUCCESS) && +- ep_ring->last_td_was_short) { +- ep_ring->last_td_was_short = false; +- goto cleanup; ++ ++ if (ep->skip && usb_endpoint_xfer_isoc(&td->urb->ep->desc)) { ++ skip_isoc_td(xhci, td, ep, status); ++ goto cleanup; ++ } ++ ++ /* ++ * Some hosts give a spurious success event after a short ++ * transfer. Ignore it. ++ */ ++ if ((xhci->quirks & XHCI_SPURIOUS_SUCCESS) && ++ ep_ring->last_td_was_short) { ++ ep_ring->last_td_was_short = false; ++ goto cleanup; ++ } ++ ++ /* ++ * xhci 4.10.2 states isoc endpoints should continue ++ * processing the next TD if there was an error mid TD. ++ * So host like NEC don't generate an event for the last ++ * isoc TRB even if the IOC flag is set. ++ * xhci 4.9.1 states that if there are errors in mult-TRB ++ * TDs xHC should generate an error for that TRB, and if xHC ++ * proceeds to the next TD it should genete an event for ++ * any TRB with IOC flag on the way. Other host follow this. ++ * So this event might be for the next TD. ++ */ ++ if (td->error_mid_td && ++ !list_is_last(&td->td_list, &ep_ring->td_list)) { ++ struct xhci_td *td_next = list_next_entry(td, td_list); ++ ++ ep_seg = trb_in_td(xhci, td_next->start_seg, td_next->first_trb, ++ td_next->last_trb, ep_trb_dma, false); ++ if (ep_seg) { ++ /* give back previous TD, start handling new */ ++ xhci_dbg(xhci, "Missing TD completion event after mid TD error\n"); ++ ep_ring->dequeue = td->last_trb; ++ ep_ring->deq_seg = td->last_trb_seg; ++ inc_deq(xhci, ep_ring); ++ xhci_td_cleanup(xhci, td, ep_ring, td->status); ++ td = td_next; + } ++ } ++ ++ if (!ep_seg) { + /* HC is busted, give up! */ + xhci_err(xhci, + "ERROR Transfer event TRB DMA ptr not " +@@ -2830,9 +2879,6 @@ static int handle_tx_event(struct xhci_hcd *xhci, + ep_trb_dma, true); + return -ESHUTDOWN; + } +- +- skip_isoc_td(xhci, td, ep, status); +- goto cleanup; + } + if (trb_comp_code == COMP_SHORT_PACKET) + ep_ring->last_td_was_short = true; +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index a5c72a634e6a..6f82d404883f 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1549,6 +1549,7 @@ struct xhci_td { + struct xhci_segment *bounce_seg; + /* actual_length of the URB has already been set */ + bool urb_length_set; ++ bool error_mid_td; + unsigned int num_trbs; + }; + +-- +2.44.0 + diff --git a/series.conf b/series.conf index 76371c3..ec99c1f 100644 --- a/series.conf +++ b/series.conf @@ -45396,6 +45396,8 @@ patches.suse/dmaengine-fix-is_slave_direction-return-false-when-D.patch patches.suse/usb-dwc3-host-Set-XHCI_SG_TRB_CACHE_SIZE_QUIRK.patch patches.suse/usb-host-xhci-plat-Add-support-for-XHCI_SG_TRB_CACHE.patch + patches.suse/xhci-process-isoc-TD-properly-when-there-was-a-trans.patch + patches.suse/xhci-handle-isoc-Babble-and-Buffer-Overrun-events-pr.patch patches.suse/USB-hub-check-for-alternate-port-before-enabling-A_A.patch patches.suse/usb-f_mass_storage-forbid-async-queue-when-shutdown-.patch patches.suse/usb-ucsi-Add-missing-ppm_lock.patch @@ -45695,6 +45697,9 @@ patches.suse/ALSA-usb-audio-Stop-parsing-channels-bits-when-all-c.patch patches.suse/nilfs2-fix-failure-to-detect-DAT-corruption-in-btree.patch patches.suse/nilfs2-prevent-kernel-bug-at-submit_bh_wbc.patch + patches.suse/media-staging-ipu3-imgu-Set-fields-before-media_enti.patch + patches.suse/media-imx-csc-scaler-fix-v4l2_ctrl_handler-memory-le.patch + patches.suse/clk-zynq-Prevent-null-pointer-dereference-caused-by-.patch patches.suse/KVM-s390-only-deliver-the-set-service-event-bits.patch patches.suse/powerpc-pseries-Fix-potential-memleak-in-papr_get_at.patch patches.suse/net-sunrpc-Fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch