5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 12 Jun 2024 12:45:38 +0000 (14:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 12 Jun 2024 12:45:38 +0000 (14:45 +0200)
added patches:
afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch

queue-5.15/afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch [new file with mode: 0644]
queue-5.15/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch [new file with mode: 0644]
queue-5.15/mmc-core-do-not-force-a-retune-before-rpmb-switch.patch [new file with mode: 0644]
queue-5.15/nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch [new file with mode: 0644]
queue-5.15/revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch b/queue-5.15/afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
new file mode 100644 (file)
index 0000000..8615127
--- /dev/null
@@ -0,0 +1,50 @@
+From 29be9100aca2915fab54b5693309bc42956542e5 Mon Sep 17 00:00:00 2001
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Fri, 24 May 2024 17:17:55 +0100
+Subject: afs: Don't cross .backup mountpoint from backup volume
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+commit 29be9100aca2915fab54b5693309bc42956542e5 upstream.
+
+Don't cross a mountpoint that explicitly specifies a backup volume
+(target is <vol>.backup) when starting from a backup volume.
+
+It it not uncommon to mount a volume's backup directly in the volume
+itself.  This can cause tools that are not paying attention to get
+into a loop mounting the volume onto itself as they attempt to
+traverse the tree, leading to a variety of problems.
+
+This doesn't prevent the general case of loops in a sequence of
+mountpoints, but addresses a common special case in the same way
+as other afs clients.
+
+Reported-by: Jan Henrik Sylvester <jan.henrik.sylvester@uni-hamburg.de>
+Link: http://lists.infradead.org/pipermail/linux-afs/2024-May/008454.html
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Link: http://lists.infradead.org/pipermail/linux-afs/2024-February/008074.html
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/768760.1716567475@warthog.procyon.org.uk
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/mntpt.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/afs/mntpt.c
++++ b/fs/afs/mntpt.c
+@@ -146,6 +146,11 @@ static int afs_mntpt_set_params(struct f
+               put_page(page);
+               if (ret < 0)
+                       return ret;
++
++              /* Don't cross a backup volume mountpoint from a backup volume */
++              if (src_as->volume && src_as->volume->type == AFSVL_BACKVOL &&
++                  ctx->type == AFSVL_BACKVOL)
++                      return -ENODEV;
+       }
+       return 0;
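Review bot: The comment on the added check in afs_mntpt_set_params() says what is refused but not why, and the reason lives only in the commit message. I would expand it to `/* Don't cross a backup volume mountpoint from a backup volume: a backup is often mounted inside its own volume, and following it lets a tree walk loop. */`. The check sits inside a block that opens before the hunk, so it is not visible from here whether a mountpoint handled by any other path gets the same test; that is worth confirming. As the message itself says, longer mountpoint cycles are still possible, so tools that walk AFS trees still need their own loop detection.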
diff --git a/queue-5.15/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch b/queue-5.15/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
new file mode 100644 (file)
index 0000000..3dd3497
--- /dev/null
@@ -0,0 +1,38 @@
+From 3d8f874bd620ce03f75a5512847586828ab86544 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Fri, 10 May 2024 11:50:27 +0800
+Subject: io_uring: fail NOP if non-zero op flags is passed in
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 3d8f874bd620ce03f75a5512847586828ab86544 upstream.
+
+The NOP op flags should have been checked from beginning like any other
+opcode, otherwise NOP may not be extended with the op flags.
+
+Given both liburing and Rust io-uring crate always zeros SQE op flags, just
+ignore users which play raw NOP uring interface without zeroing SQE, because
+NOP is just for test purpose. Then we can save one NOP2 opcode.
+
+Suggested-by: Jens Axboe <axboe@kernel.dk>
+Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20240510035031.78874-2-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -6621,6 +6621,8 @@ static int io_req_prep(struct io_kiocb *
+ {
+       switch (req->opcode) {
+       case IORING_OP_NOP:
++              if (READ_ONCE(sqe->rw_flags))
++                      return -EINVAL;
+               return 0;
+       case IORING_OP_READV:
+       case IORING_OP_READ_FIXED:
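Review bot: The added NOP check in io_req_prep() tests `sqe->rw_flags` with no comment, which reads oddly for an opcode that does no I/O. A one-line comment would make the intent clear: `/* op flags share a union with rw_flags; reject non-zero so they can be given meaning later */`. This is also a userspace-visible change for a stable kernel: per the commit message, a caller that submits a raw NOP without zeroing the SQE now gets -EINVAL, so it deserves a line in the release notes for anyone running custom io_uring test harnesses. The switch continues past the end of the hunk.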
diff --git a/queue-5.15/mmc-core-do-not-force-a-retune-before-rpmb-switch.patch b/queue-5.15/mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
new file mode 100644 (file)
index 0000000..5c2d8e8
--- /dev/null
@@ -0,0 +1,66 @@
+From 67380251e8bbd3302c64fea07f95c31971b91c22 Mon Sep 17 00:00:00 2001
+From: Jorge Ramirez-Ortiz <jorge@foundries.io>
+Date: Wed, 3 Jan 2024 12:29:11 +0100
+Subject: mmc: core: Do not force a retune before RPMB switch
+
+From: Jorge Ramirez-Ortiz <jorge@foundries.io>
+
+commit 67380251e8bbd3302c64fea07f95c31971b91c22 upstream.
+
+Requesting a retune before switching to the RPMB partition has been
+observed to cause CRC errors on the RPMB reads (-EILSEQ).
+
+Since RPMB reads can not be retried, the clients would be directly
+affected by the errors.
+
+This commit disables the retune request prior to switching to the RPMB
+partition: mmc_retune_pause() no longer triggers a retune before the
+pause period begins.
+
+This was verified with the sdhci-of-arasan driver (ZynqMP) configured
+for HS200 using two separate eMMC cards (DG4064 and 064GB2). In both
+cases, the error was easy to reproduce triggering every few tenths of
+reads.
+
+With this commit, systems that were utilizing OP-TEE to access RPMB
+variables will experience an enhanced performance. Specifically, when
+OP-TEE is configured to employ RPMB as a secure storage solution, it not
+only writes the data but also the secure filesystem within the
+partition. As a result, retrieving any variable involves multiple RPMB
+reads, typically around five.
+
+For context, on ZynqMP, each retune request consumed approximately
+8ms. Consequently, reading any RPMB variable used to take at the very
+minimum 40ms.
+
+After droping the need to retune before switching to the RPMB partition,
+this is no longer the case.
+
+Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
+Acked-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20240103112911.2954632-1-jorge@foundries.io
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/host.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -119,13 +119,12 @@ void mmc_retune_enable(struct mmc_host *
+ /*
+  * Pause re-tuning for a small set of operations.  The pause begins after the
+- * next command and after first doing re-tuning.
++ * next command.
+  */
+ void mmc_retune_pause(struct mmc_host *host)
+ {
+       if (!host->retune_paused) {
+               host->retune_paused = 1;
+-              mmc_retune_needed(host);
+               mmc_retune_hold(host);
+       }
+ }
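Review bot: The shortened comment above mmc_retune_pause() no longer says why a re-tune is not requested first, so a later cleanup could plausibly put `mmc_retune_needed(host)` back. I would keep the rationale next to the code as an extra line in the block comment, e.g. `* No re-tune is forced first: it caused CRC errors (-EILSEQ) on RPMB reads, which cannot be retried.` The commit message reports verification on one host driver with two eMMC parts, so behaviour on other controllers is not established by what is shown here.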
diff --git a/queue-5.15/nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch b/queue-5.15/nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
new file mode 100644 (file)
index 0000000..53b492c
--- /dev/null
@@ -0,0 +1,122 @@
+From f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Mon, 20 May 2024 22:26:19 +0900
+Subject: nilfs2: fix use-after-free of timer for log writer thread
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream.
+
+Patch series "nilfs2: fix log writer related issues".
+
+This bug fix series covers three nilfs2 log writer-related issues,
+including a timer use-after-free issue and potential deadlock issue on
+unmount, and a potential freeze issue in event synchronization found
+during their analysis.  Details are described in each commit log.
+
+
+This patch (of 3):
+
+A use-after-free issue has been reported regarding the timer sc_timer on
+the nilfs_sc_info structure.
+
+The problem is that even though it is used to wake up a sleeping log
+writer thread, sc_timer is not shut down until the nilfs_sc_info structure
+is about to be freed, and is used regardless of the thread's lifetime.
+
+Fix this issue by limiting the use of sc_timer only while the log writer
+thread is alive.
+
+Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com
+Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: "Bai, Shuangpeng" <sjb7183@psu.edu>
+Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/segment.c |   25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2159,8 +2159,10 @@ static void nilfs_segctor_start_timer(st
+ {
+       spin_lock(&sci->sc_state_lock);
+       if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) {
+-              sci->sc_timer.expires = jiffies + sci->sc_interval;
+-              add_timer(&sci->sc_timer);
++              if (sci->sc_task) {
++                      sci->sc_timer.expires = jiffies + sci->sc_interval;
++                      add_timer(&sci->sc_timer);
++              }
+               sci->sc_state |= NILFS_SEGCTOR_COMMIT;
+       }
+       spin_unlock(&sci->sc_state_lock);
+@@ -2380,10 +2382,21 @@ int nilfs_construct_dsync_segment(struct
+  */
+ static void nilfs_segctor_accept(struct nilfs_sc_info *sci)
+ {
++      bool thread_is_alive;
++
+       spin_lock(&sci->sc_state_lock);
+       sci->sc_seq_accepted = sci->sc_seq_request;
++      thread_is_alive = (bool)sci->sc_task;
+       spin_unlock(&sci->sc_state_lock);
+-      del_timer_sync(&sci->sc_timer);
++
++      /*
++       * This function does not race with the log writer thread's
++       * termination.  Therefore, deleting sc_timer, which should not be
++       * done after the log writer thread exits, can be done safely outside
++       * the area protected by sc_state_lock.
++       */
++      if (thread_is_alive)
++              del_timer_sync(&sci->sc_timer);
+ }
+ /**
+@@ -2409,7 +2422,7 @@ static void nilfs_segctor_notify(struct
+                       sci->sc_flush_request &= ~FLUSH_DAT_BIT;
+               /* re-enable timer if checkpoint creation was not done */
+-              if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) &&
++              if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task &&
+                   time_before(jiffies, sci->sc_timer.expires))
+                       add_timer(&sci->sc_timer);
+       }
+@@ -2599,6 +2612,7 @@ static int nilfs_segctor_thread(void *ar
+       int timeout = 0;
+       sci->sc_timer_task = current;
++      timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0);
+       /* start sync. */
+       sci->sc_task = current;
+@@ -2665,6 +2679,7 @@ static int nilfs_segctor_thread(void *ar
+  end_thread:
+       /* end sync. */
+       sci->sc_task = NULL;
++      del_timer_sync(&sci->sc_timer);
+       wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */
+       spin_unlock(&sci->sc_state_lock);
+       return 0;
+@@ -2728,7 +2743,6 @@ static struct nilfs_sc_info *nilfs_segct
+       INIT_LIST_HEAD(&sci->sc_gc_inodes);
+       INIT_LIST_HEAD(&sci->sc_iput_queue);
+       INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func);
+-      timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0);
+       sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT;
+       sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ;
+@@ -2814,7 +2828,6 @@ static void nilfs_segctor_destroy(struct
+       down_write(&nilfs->ns_segctor_sem);
+-      del_timer_sync(&sci->sc_timer);
+       kfree(sci);
+ }
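Review bot: In the end_thread path of nilfs_segctor_thread() the new `del_timer_sync(&sci->sc_timer)` sits between `sci->sc_task = NULL` and `spin_unlock(&sci->sc_state_lock)`, so it appears to run with the spinlock held. del_timer_sync() waits for a running handler, which is only safe while nilfs_construction_timeout() never takes sc_state_lock; the handler is not in these hunks, so that should be confirmed and then recorded at the call, e.g. `/* handler must not take sc_state_lock: we wait for it here with the lock held */`. Separately, timer_setup() now runs only inside the thread, so every use of sc_timer depends on the `sci->sc_task` test. A short comment saying so in nilfs_segctor_start_timer() would help keep a future caller from touching an uninitialised timer. Several of these functions begin or end outside the hunks shown.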
diff --git a/queue-5.15/revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch b/queue-5.15/revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch
new file mode 100644 (file)
index 0000000..fbfbf9a
--- /dev/null
@@ -0,0 +1,54 @@
+From W_Armin@gmx.de  Wed Jun 12 14:43:21 2024
+From: Armin Wolf <W_Armin@gmx.de>
+Date: Thu, 23 May 2024 19:30:31 +0200
+Subject: Revert "drm/amdgpu: init iommu after amdkfd device init"
+To: alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com, gregkh@linuxfoundation.org, sashal@kernel.org
+Cc: stable@vger.kernel.org, bkauler@gmail.com, yifan1.zhang@amd.com, Prike.Liang@amd.com, dri-devel@lists.freedesktop.org, amd-gfx@lists.freedesktop.org
+Message-ID: <20240523173031.4212-1-W_Armin@gmx.de>
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+This reverts commit 56b522f4668167096a50c39446d6263c96219f5f.
+
+A user reported that this commit breaks the integrated gpu of his
+notebook, causing a black screen. He was able to bisect the problematic
+commit and verified that by reverting it the notebook works again.
+He also confirmed that kernel 6.8.1 also works on his device, so the
+upstream commit itself seems to be ok.
+
+An amdgpu developer (Alex Deucher) confirmed that this patch should
+have never been ported to 5.15 in the first place, so revert this
+commit from the 5.15 stable series.
+
+Reported-by: Barry Kauler <bkauler@gmail.com>
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20240523173031.4212-1-W_Armin@gmx.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2487,6 +2487,10 @@ static int amdgpu_device_ip_init(struct
+       if (r)
+               goto init_failed;
++      r = amdgpu_amdkfd_resume_iommu(adev);
++      if (r)
++              goto init_failed;
++
+       r = amdgpu_device_ip_hw_init_phase1(adev);
+       if (r)
+               goto init_failed;
+@@ -2525,10 +2529,6 @@ static int amdgpu_device_ip_init(struct
+       if (!adev->gmc.xgmi.pending_reset)
+               amdgpu_amdkfd_device_init(adev);
+-      r = amdgpu_amdkfd_resume_iommu(adev);
+-      if (r)
+-              goto init_failed;
+-
+       amdgpu_fru_get_product_info(adev);
+ init_failed:
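Review bot: The restored `amdgpu_amdkfd_resume_iommu(adev)` call ahead of `amdgpu_device_ip_hw_init_phase1(adev)` carries no comment about the ordering, so nothing at the call site stops the reverted backport from being picked up again. Something like `/* 5.15.y: keep the IOMMU resume before hw init phase 1; moving it after amdgpu_amdkfd_device_init() broke an integrated GPU (black screen) */` would record it. Whether the ordering is a hard requirement on this branch is inferred from the bisect described in the commit message, not from the code shown. amdgpu_device_ip_init() starts and ends outside both hunks.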
index c472b74b813ab909346c8eb1d1a8c949edcd9f4a..b534e5fede917d4477a8d04fd3806eb1af1b6bb9 100644 (file)
@@ -339,3 +339,8 @@ media-cec-core-add-adap_nb_transmit_canceled-callback.patch
 sunrpc-fix-loop-termination-condition-in-gss_free_in_token_pages.patch
 drm-check-output-polling-initialized-before-disabling.patch
 drm-check-polling-initialized-before-enabling-in-drm_helper_probe_single_connector_modes.patch
+mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
+io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
+afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
+nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
+revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch