-LINUX_VERSION-6.1 = .84
-LINUX_KERNEL_HASH-6.1.84 = af97d2ebe14765d0db3af6560309daf08535da25bfad36e5fb3e436f22a1707a
+LINUX_VERSION-6.1 = .86
+LINUX_KERNEL_HASH-6.1.86 = d3d3c8c44f0f0a870a95bd2823f9d91979d1aa6f266da5d8cccd0c4b15e3115b
if (ret)
--- a/drivers/gpu/drm/vc4/vc4_plane.c
+++ b/drivers/gpu/drm/vc4/vc4_plane.c
-@@ -1600,9 +1600,14 @@ struct drm_plane *vc4_plane_init(struct
+@@ -1597,9 +1597,14 @@ struct drm_plane *vc4_plane_init(struct
DRM_COLOR_YCBCR_BT709,
DRM_COLOR_YCBCR_LIMITED_RANGE);
int vc4_plane_create_additional_planes(struct drm_device *drm)
{
struct drm_plane *cursor_plane;
-@@ -1618,24 +1623,35 @@ int vc4_plane_create_additional_planes(s
+@@ -1615,24 +1620,35 @@ int vc4_plane_create_additional_planes(s
* modest number of planes to expose, that should hopefully
* still cover any sane usecase.
*/
vc4_dlist_write(vc4_state, 0xc0c0c0c0);
}
-@@ -1649,6 +1652,8 @@ struct drm_plane *vc4_plane_init(struct
+@@ -1646,6 +1649,8 @@ struct drm_plane *vc4_plane_init(struct
DRM_COLOR_YCBCR_BT709,
DRM_COLOR_YCBCR_LIMITED_RANGE);
};
static const struct hvs_format *vc4_get_hvs_format(u32 drm_format)
-@@ -1575,6 +1635,16 @@ static bool vc4_format_mod_supported(str
+@@ -1572,6 +1632,16 @@ static bool vc4_format_mod_supported(str
case DRM_FORMAT_BGRX1010102:
case DRM_FORMAT_RGBA1010102:
case DRM_FORMAT_BGRA1010102:
+#endif /* _TAS5713_H */
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
-@@ -1220,7 +1220,15 @@ int snd_soc_runtime_set_dai_fmt(struct s
+@@ -1223,7 +1223,15 @@ int snd_soc_runtime_set_dai_fmt(struct s
return 0;
for_each_rtd_codec_dais(rtd, i, codec_dai) {
/* Control word */
vc4_dlist_write(vc4_state,
SCALER_CTL0_VALID |
-@@ -1717,7 +1717,7 @@ struct drm_plane *vc4_plane_init(struct
+@@ -1714,7 +1714,7 @@ struct drm_plane *vc4_plane_init(struct
};
for (i = 0; i < ARRAY_SIZE(hvs_formats); i++) {
formats[num_formats] = hvs_formats[i].drm;
num_formats++;
}
-@@ -1732,7 +1732,7 @@ struct drm_plane *vc4_plane_init(struct
+@@ -1729,7 +1729,7 @@ struct drm_plane *vc4_plane_init(struct
return ERR_CAST(vc4_plane);
plane = &vc4_plane->base;
return 0;
}
-@@ -1716,7 +2345,7 @@ struct drm_plane *vc4_plane_init(struct
+@@ -1713,7 +2342,7 @@ struct drm_plane *vc4_plane_init(struct
};
for (i = 0; i < ARRAY_SIZE(hvs_formats); i++) {
formats[num_formats] = hvs_formats[i].drm;
num_formats++;
}
-@@ -1731,7 +2360,7 @@ struct drm_plane *vc4_plane_init(struct
+@@ -1728,7 +2357,7 @@ struct drm_plane *vc4_plane_init(struct
return ERR_CAST(vc4_plane);
plane = &vc4_plane->base;
+++ /dev/null
-From 146bbf9627f6c37816939de29538ec8ee9a7be1a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
-Date: Fri, 5 Jan 2024 15:07:34 -0300
-Subject: [PATCH] drm/vc4: don't check if plane->state->fb == state->fb
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently, when using non-blocking commits, we can see the following
-kernel warning:
-
-[ 110.908514] ------------[ cut here ]------------
-[ 110.908529] refcount_t: underflow; use-after-free.
-[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0
-[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
-[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32
-[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
-[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
-[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0
-[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0
-[ 110.909170] sp : ffffffc00913b9c0
-[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60
-[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480
-[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78
-[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000
-[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004
-[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003
-[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00
-[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572
-[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000
-[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001
-[ 110.909434] Call trace:
-[ 110.909441] refcount_dec_not_one+0xb8/0xc0
-[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]
-[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]
-[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]
-[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]
-[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]
-[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]
-[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]
-[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]
-[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]
-[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]
-[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4
-[ 110.914873] invoke_syscall+0x4c/0x114
-[ 110.914897] el0_svc_common+0xd0/0x118
-[ 110.914917] do_el0_svc+0x38/0xd0
-[ 110.914936] el0_svc+0x30/0x8c
-[ 110.914958] el0t_64_sync_handler+0x84/0xf0
-[ 110.914979] el0t_64_sync+0x18c/0x190
-[ 110.914996] ---[ end trace 0000000000000000 ]---
-
-This happens because, although `prepare_fb` and `cleanup_fb` are
-perfectly balanced, we cannot guarantee consistency in the check
-plane->state->fb == state->fb. This means that sometimes we can increase
-the refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The
-opposite can also be true.
-
-In fact, the struct drm_plane .state shouldn't be accessed directly
-but instead, the `drm_atomic_get_new_plane_state()` helper function should
-be used. So, we could stick to this check, but using
-`drm_atomic_get_new_plane_state()`. But actually, this check is not really
-needed. We can increase and decrease the refcount symmetrically without
-problems.
-
-This is going to make the code more simple and consistent.
-
-Signed-off-by: Maíra Canal <mcanal@igalia.com>
----
- drivers/gpu/drm/vc4/vc4_plane.c | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
---- a/drivers/gpu/drm/vc4/vc4_plane.c
-+++ b/drivers/gpu/drm/vc4/vc4_plane.c
-@@ -2225,9 +2225,6 @@ static int vc4_prepare_fb(struct drm_pla
-
- drm_gem_plane_helper_prepare_fb(plane, state);
-
-- if (plane->state->fb == state->fb)
-- return 0;
--
- return vc4_bo_inc_usecnt(bo);
- }
-
-@@ -2236,7 +2233,7 @@ static void vc4_cleanup_fb(struct drm_pl
- {
- struct vc4_bo *bo;
-
-- if (plane->state->fb == state->fb || !state->fb)
-+ if (!state->fb)
- return;
-
- bo = to_vc4_bo(&drm_fb_dma_get_gem_obj(state->fb, 0)->base);
--- a/drivers/bus/mhi/host/init.c
+++ b/drivers/bus/mhi/host/init.c
-@@ -881,6 +881,7 @@ static int parse_config(struct mhi_contr
+@@ -882,6 +882,7 @@ static int parse_config(struct mhi_contr
if (!mhi_cntrl->timeout_ms)
mhi_cntrl->timeout_ms = MHI_TIMEOUT_MS;
if (!mhi_cntrl->buffer_len)
--- a/drivers/bus/mhi/host/internal.h
+++ b/drivers/bus/mhi/host/internal.h
-@@ -321,7 +321,7 @@ int __must_check mhi_read_reg_field(stru
+@@ -324,7 +324,7 @@ int __must_check mhi_read_reg_field(stru
u32 *out);
int __must_check mhi_poll_reg_field(struct mhi_controller *mhi_cntrl,
void __iomem *base, u32 offset, u32 mask,
ret = mhi_read_reg_field(mhi_cntrl, base, offset, mask, &out);
--- a/drivers/bus/mhi/host/pm.c
+++ b/drivers/bus/mhi/host/pm.c
-@@ -163,6 +163,7 @@ int mhi_ready_state_transition(struct mh
+@@ -171,6 +171,7 @@ int mhi_ready_state_transition(struct mh
enum mhi_pm_state cur_state;
struct device *dev = &mhi_cntrl->mhi_dev->dev;
u32 interval_us = 25000; /* poll register field every 25 milliseconds */
int ret, i;
/* Check if device entered error state */
-@@ -173,14 +174,18 @@ int mhi_ready_state_transition(struct mh
+@@ -181,14 +182,18 @@ int mhi_ready_state_transition(struct mh
/* Wait for RESET to be cleared and READY bit to be set by the device */
ret = mhi_poll_reg_field(mhi_cntrl, mhi_cntrl->regs, MHICTRL,
if (ret) {
dev_err(dev, "Device failed to enter MHI Ready\n");
return ret;
-@@ -479,7 +484,7 @@ static void mhi_pm_disable_transition(st
+@@ -487,7 +492,7 @@ static void mhi_pm_disable_transition(st
/* Wait for the reset bit to be cleared by the device */
ret = mhi_poll_reg_field(mhi_cntrl, mhi_cntrl->regs, MHICTRL,
if (ret)
dev_err(dev, "Device failed to clear MHI Reset\n");
-@@ -492,8 +497,8 @@ static void mhi_pm_disable_transition(st
+@@ -500,8 +505,8 @@ static void mhi_pm_disable_transition(st
if (!MHI_IN_PBL(mhi_get_exec_env(mhi_cntrl))) {
/* wait for ready to be set */
ret = mhi_poll_reg_field(mhi_cntrl, mhi_cntrl->regs,
if (ret)
dev_err(dev, "Device failed to enter READY state\n");
}
-@@ -1111,7 +1116,8 @@ int mhi_async_power_up(struct mhi_contro
+@@ -1125,7 +1130,8 @@ int mhi_async_power_up(struct mhi_contro
if (state == MHI_STATE_SYS_ERR) {
mhi_set_mhi_state(mhi_cntrl, MHI_STATE_RESET);
ret = mhi_poll_reg_field(mhi_cntrl, mhi_cntrl->regs, MHICTRL,
if (ret) {
dev_info(dev, "Failed to reset MHI due to syserr state\n");
goto error_exit;
-@@ -1202,14 +1208,18 @@ EXPORT_SYMBOL_GPL(mhi_power_down);
+@@ -1216,14 +1222,18 @@ EXPORT_SYMBOL_GPL(mhi_power_down);
int mhi_sync_power_up(struct mhi_controller *mhi_cntrl)
{
int ret = mhi_async_power_up(mhi_cntrl);
*/
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
-@@ -3040,6 +3040,10 @@ static inline int pskb_trim(struct sk_bu
+@@ -3046,6 +3046,10 @@ static inline int pskb_trim(struct sk_bu
return (len < skb->len) ? __pskb_trim(skb, len) : 0;
}
/**
* pskb_trim_unique - remove end from a paged unique (not cloned) buffer
* @skb: buffer to alter
-@@ -3189,16 +3193,6 @@ static inline struct sk_buff *dev_alloc_
+@@ -3195,16 +3199,6 @@ static inline struct sk_buff *dev_alloc_
}
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
-@@ -1702,7 +1702,7 @@ static void device_links_purge(struct de
+@@ -1717,7 +1717,7 @@ static void device_links_purge(struct de
#define FW_DEVLINK_FLAGS_RPM (FW_DEVLINK_FLAGS_ON | \
DL_FLAG_PM_RUNTIME)
for (i = sizeof(struct ipt_entry);
i < e->target_offset;
i += m->u.match_size) {
-@@ -1223,12 +1260,15 @@ compat_copy_entry_to_user(struct ipt_ent
+@@ -1225,12 +1262,15 @@ compat_copy_entry_to_user(struct ipt_ent
compat_uint_t origsize;
const struct xt_entry_match *ematch;
int ret = 0;
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
-@@ -3006,7 +3006,7 @@ static inline int pskb_network_may_pull(
+@@ -3012,7 +3012,7 @@ static inline int pskb_network_may_pull(
* NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
*/
#ifndef NET_SKB_PAD
#endif
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
-@@ -972,6 +972,7 @@ struct sk_buff {
+@@ -967,6 +967,7 @@ struct sk_buff {
#ifdef CONFIG_IPV6_NDISC_NODETYPE
__u8 ndisc_nodetype:2;
#endif
__u8 inner_protocol_type:1;
--- a/net/core/gro.c
+++ b/net/core/gro.c
-@@ -491,6 +491,9 @@ static enum gro_result dev_gro_receive(s
+@@ -492,6 +492,9 @@ static enum gro_result dev_gro_receive(s
int same_flow;
int grow;
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
-@@ -7925,7 +7925,7 @@ static int nft_register_flowtable_net_ho
+@@ -7951,7 +7951,7 @@ static int nft_register_flowtable_net_ho
err = flowtable->data.type->setup(&flowtable->data,
hook->ops.dev,
FLOW_BLOCK_BIND);
+#endif
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
-@@ -4588,6 +4588,9 @@ enum skb_ext_id {
+@@ -4594,6 +4594,9 @@ enum skb_ext_id {
#if IS_ENABLED(CONFIG_MCTP_FLOWS)
SKB_EXT_MCTP,
#endif
CONFIG_SOFTIRQ_ON_OWN_STACK=y
CONFIG_SPARSEMEM_STATIC=y
CONFIG_SPARSE_IRQ=y
+# CONFIG_SPECTRE_BHI_AUTO is not set
+# CONFIG_SPECTRE_BHI_OFF is not set
+CONFIG_SPECTRE_BHI_ON=y
CONFIG_SPECULATION_MITIGATIONS=y
CONFIG_SRCU=y
# CONFIG_STATIC_CALL_SELFTEST is not set