From: Greg Kroah-Hartman Date: Tue, 11 Feb 2025 09:59:01 +0000 (+0100) Subject: 6.13-stable patches X-Git-Tag: v6.6.78~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a585e3323e1c8350ac388aff76050b2a2cf6fda;p=thirdparty%2Fkernel%2Fstable-queue.git 6.13-stable patches added patches: ata-libata-core-add-ata_quirk_nolpm-for-samsung-ssd-870-qvo-drives.patch ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch ceph-fix-memory-leak-in-ceph_mds_auth_match.patch crypto-qce-fix-goto-jump-in-error-path.patch crypto-qce-unregister-previously-registered-algos-in-error-path.patch fgraph-fix-set_graph_notrace-with-setting-trace_graph_notrace_bit.patch i3c-master-fix-missing-ret-assignment-in-set_speed.patch io_uring-fix-multishots-with-selected-buffers.patch io_uring-net-don-t-retry-connect-operation-on-epollerr.patch irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch irqchip-irq-mvebu-icu-fix-access-to-msi_data-from-irq_domain-host_data.patch mailbox-tegra-hsp-clear-mailbox-before-using-message.patch mailbox-zynqmp-remove-invalid-__percpu-annotation-in-zynqmp_ipi_probe.patch maple_tree-simplify-split-calculation.patch misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch misc-fastrpc-fix-copy-buffer-page-size.patch misc-fastrpc-fix-registered-buffer-page-address.patch misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch nfs-make-nfs_fscache-select-netfs_support-instead-of-depending-on-it.patch nfsd-encode-compound-operation-status-on-page-boundaries.patch nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch nvmem-core-improve-range-check-for-nvmem_cell_write.patch 
nvmem-imx-ocotp-ele-fix-mac-address-byte-order.patch nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch nvmem-imx-ocotp-ele-set-word-length-to-1.patch nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch ocfs2-handle-a-symlink-read-error-correctly.patch pinctrl-renesas-rzg2l-fix-pfc_mask-for-rz-v2h-and-rz-g3e.patch pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch ptp-ensure-info-enable-callback-is-always-set.patch rdma-mlx5-fix-a-race-for-an-odp-mr-which-leads-to-cqe-with-error.patch rtc-zynqmp-fix-optional-clock-name-property.patch rtla-add-trace_instance_stop.patch rtla-osnoise-distinguish-missing-workload-option.patch rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch selftests-mptcp-connect-f-no-reconnect.patch statmount-let-unset-strings-be-empty.patch timers-migration-fix-off-by-one-root-mis-connection.patch tracing-osnoise-fix-resetting-of-tracepoints.patch vfio-platform-check-the-bounds-of-read-write-syscalls.patch
---
diff --git a/queue-6.13/ata-libata-core-add-ata_quirk_nolpm-for-samsung-ssd-870-qvo-drives.patch b/queue-6.13/ata-libata-core-add-ata_quirk_nolpm-for-samsung-ssd-870-qvo-drives.patch
new file mode 100644
index 0000000000..48b8d8dcae
--- /dev/null
+++ b/queue-6.13/ata-libata-core-add-ata_quirk_nolpm-for-samsung-ssd-870-qvo-drives.patch
@@ -0,0 +1,40 @@
+From cc77e2ce187d26cc66af3577bf896d7410eb25ab Mon Sep 17 00:00:00 2001
+From: Daniel Baumann
+Date: Sat, 18 Jan 2025 06:36:43 +0100
+Subject: ata: libata-core: Add ATA_QUIRK_NOLPM for Samsung SSD 870 QVO drives
+
+From: Daniel Baumann
+
+commit cc77e2ce187d26cc66af3577bf896d7410eb25ab upstream.
+
+Disabling link power management on Samsung SSD 870 QVO drives
+to make them work again after the switch of the default LPM
+policy to low.
+
+Testing so far has shown that regular Samsung SSD 870
+(the non QVO variants) do not need it and work fine with
+the default LPM policy.
+
+Cc: stable@vger.kernel.org
+Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type")
+Signed-off-by: Daniel Baumann
+Link: https://lore.kernel.org/linux-ide/ac64a484-022c-42a0-95bc-1520333b1536@debian.org/
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4143,6 +4143,10 @@ static const struct ata_dev_quirks_entry
+ { "Samsung SSD 860*", NULL, ATA_QUIRK_NO_NCQ_TRIM |
+ ATA_QUIRK_ZERO_AFTER_TRIM |
+ ATA_QUIRK_NO_NCQ_ON_ATI },
++ { "Samsung SSD 870 QVO*", NULL, ATA_QUIRK_NO_NCQ_TRIM |
++ ATA_QUIRK_ZERO_AFTER_TRIM |
++ ATA_QUIRK_NO_NCQ_ON_ATI |
++ ATA_QUIRK_NOLPM },
+ { "Samsung SSD 870*", NULL, ATA_QUIRK_NO_NCQ_TRIM |
+ ATA_QUIRK_ZERO_AFTER_TRIM |
+ ATA_QUIRK_NO_NCQ_ON_ATI },
diff --git a/queue-6.13/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch b/queue-6.13/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
new file mode 100644
index 0000000000..96b11d54b7
--- /dev/null
+++ b/queue-6.13/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
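Review bot: The new `"Samsung SSD 870 QVO*"` entry only has an effect because it sits above the broader `"Samsung SSD 870*"` glob, and nothing in the table says so. Assuming the lookup returns the first matching entry (that code is outside this hunk), a later re-sort of the Samsung block would silently drop ATA_QUIRK_NOLPM for the QVO drives again. I would add a one-line comment above the entry, e.g. `/* Must stay above "Samsung SSD 870*": the first matching glob wins */`. The quirk table starts and ends outside the hunk.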
@@ -0,0 +1,81 @@
+From 6e74e53b34b6dec5a50e1404e2680852ec6768d2 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel
+Date: Mon, 27 Jan 2025 16:43:04 +0100
+Subject: ata: libata-sff: Ensure that we cannot write outside the allocated buffer
+
+From: Niklas Cassel
+
+commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 upstream.
+
+reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
+set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
+ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
+write outside the allocated buffer, overwriting random memory.
+
+While a ATA device is supposed to abort a ATA_NOP command, there does seem
+to be a bug either in libata-sff or QEMU, where either this status is not
+set, or the status is cleared before read by ata_sff_hsm_move().
+Anyway, that is most likely a separate bug.
+
+Looking at __atapi_pio_bytes(), it already has a safety check to ensure
+that __atapi_pio_bytes() cannot write outside the allocated buffer.
+
+Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
+cannot write outside the allocated buffer.
+
+Cc: stable@vger.kernel.org
+Reported-by: reveliofuzzing
+Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
+Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-sff.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -601,7 +601,7 @@ static void ata_pio_sector(struct ata_qu
+ {
+ struct ata_port *ap = qc->ap;
+ struct page *page;
+- unsigned int offset;
++ unsigned int offset, count;
+
+ if (!qc->cursg) {
+ qc->curbytes = qc->nbytes;
+@@ -617,25 +617,27 @@ static void ata_pio_sector(struct ata_qu
+ page = nth_page(page, (offset >> PAGE_SHIFT));
+ offset %= PAGE_SIZE;
+
+- trace_ata_sff_pio_transfer_data(qc, offset, qc->sect_size);
++ /* don't overrun current sg */
++ count = min(qc->cursg->length - qc->cursg_ofs, qc->sect_size);
++
++ trace_ata_sff_pio_transfer_data(qc, offset, count);
+
+ /*
+ * Split the transfer when it splits a page boundary. Note that the
+ * split still has to be dword aligned like all ATA data transfers.
+ */
+ WARN_ON_ONCE(offset % 4);
+- if (offset + qc->sect_size > PAGE_SIZE) {
++ if (offset + count > PAGE_SIZE) {
+ unsigned int split_len = PAGE_SIZE - offset;
+
+ ata_pio_xfer(qc, page, offset, split_len);
+- ata_pio_xfer(qc, nth_page(page, 1), 0,
+- qc->sect_size - split_len);
++ ata_pio_xfer(qc, nth_page(page, 1), 0, count - split_len);
+ } else {
+- ata_pio_xfer(qc, page, offset, qc->sect_size);
++ ata_pio_xfer(qc, page, offset, count);
+ }
+
+- qc->curbytes += qc->sect_size;
+- qc->cursg_ofs += qc->sect_size;
++ qc->curbytes += count;
++ qc->cursg_ofs += count;
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
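Review bot: The clamp in ata_pio_sector() stops the overrun but makes the underlying mismatch silent: when `count` comes out smaller than `qc->sect_size` the function moves fewer bytes than one sector and returns as if a full sector had been handled. The caller is outside this hunk, so whether it copes with a partial sector is not visible here and should be confirmed. The bound also relies on `qc->cursg_ofs` never exceeding `qc->cursg->length`, since the subtraction is unsigned. I would say both in the comment, e.g. `/* don't overrun current sg; count < sect_size means nbytes and the sg list disagree (requires cursg_ofs <= length) */`. The function starts and ends outside the two hunks.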
diff --git a/queue-6.13/ceph-fix-memory-leak-in-ceph_mds_auth_match.patch b/queue-6.13/ceph-fix-memory-leak-in-ceph_mds_auth_match.patch
new file mode 100644
index 0000000000..f599447b18
--- /dev/null
+++ b/queue-6.13/ceph-fix-memory-leak-in-ceph_mds_auth_match.patch
@@ -0,0 +1,97 @@
+From 3b7d93db450e9d8ead80d75e2a303248f1528c35 Mon Sep 17 00:00:00 2001
+From: Antoine Viallon
+Date: Tue, 14 Jan 2025 23:45:14 +0100
+Subject: ceph: fix memory leak in ceph_mds_auth_match()
+
+From: Antoine Viallon
+
+commit 3b7d93db450e9d8ead80d75e2a303248f1528c35 upstream.
+
+We now free the temporary target path substring allocation on every
+possible branch, instead of omitting the default branch. In some
+cases, a memory leak occured, which could rapidly crash the system
+(depending on how many file accesses were attempted).
+
+This was detected in production because it caused a continuous memory
+growth, eventually triggering kernel OOM and completely hard-locking
+the kernel.
+
+Relevant kmemleak stacktrace:
+
+ unreferenced object 0xffff888131e69900 (size 128):
+ comm "git", pid 66104, jiffies 4295435999
+ hex dump (first 32 bytes):
+ 76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65 volumes/containe
+ 72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67 rs/gitea/gitea/g
+ backtrace (crc 2f3bb450):
+ [] __kmalloc_noprof+0x359/0x510
+ [] ceph_mds_check_access+0x5bf/0x14e0 [ceph]
+ [] ceph_open+0x312/0xd80 [ceph]
+ [] do_dentry_open+0x456/0x1120
+ [] vfs_open+0x79/0x360
+ [] path_openat+0x1de5/0x4390
+ [] do_filp_open+0x19c/0x3c0
+ [] do_sys_openat2+0x141/0x180
+ [] __x64_sys_open+0xe5/0x1a0
+ [] do_syscall_64+0xb7/0x210
+ [] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+It can be triggered by mouting a subdirectory of a CephFS filesystem,
+and then trying to access files on this subdirectory with an auth token
+using a path-scoped capability:
+
+ $ ceph auth get client.services
+ [client.services]
+ key = REDACTED
+ caps mds = "allow rw fsname=cephfs path=/volumes/"
+ caps mon = "allow r fsname=cephfs"
+ caps osd = "allow rw tag cephfs data=cephfs"
+
+ $ cat /proc/self/mounts
+ services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0
+
+ $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} && \
+ seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}
+
+[ idryomov: combine if statements, rename rc to path_matched and make
+ it a bool, formatting ]
+
+Cc: stable@vger.kernel.org
+Fixes: 596afb0b8933 ("ceph: add ceph_mds_check_access() helper")
+Signed-off-by: Antoine Viallon
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/mds_client.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -5690,18 +5690,18 @@ static int ceph_mds_auth_match(struct ce
+ *
+ * All the other cases --> mismatch
+ */
++ bool path_matched = true;
+ char *first = strstr(_tpath, auth->match.path);
+- if (first != _tpath) {
+- if (free_tpath)
+- kfree(_tpath);
+- return 0;
++ if (first != _tpath ||
++ (tlen > len && _tpath[len] != '/')) {
++ path_matched = false;
+ }
+
+- if (tlen > len && _tpath[len] != '/') {
+- if (free_tpath)
+- kfree(_tpath);
++ if (free_tpath)
++ kfree(_tpath);
++
++ if (!path_matched)
+ return 0;
+- }
+ }
+ }
+
diff --git a/queue-6.13/crypto-qce-fix-goto-jump-in-error-path.patch b/queue-6.13/crypto-qce-fix-goto-jump-in-error-path.patch
new file mode 100644
index 0000000000..6c66935b6d
--- /dev/null
+++ b/queue-6.13/crypto-qce-fix-goto-jump-in-error-path.patch
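Review bot: The prefix test in the rewritten condition still goes through `strstr()`, which searches the whole of `_tpath` for `auth->match.path` and only then compares the result with the start of the string. Since this check decides whether a path-scoped MDS capability applies, a direct prefix comparison would state the intent and skip the scan, e.g. `if (strncmp(_tpath, auth->match.path, len) || (tlen > len && _tpath[len] != '/'))`, assuming `len` is the length of `auth->match.path` (it is set outside the hunk). The braces around the single `path_matched = false;` statement can go as well. ceph_mds_auth_match() starts and ends outside the hunk.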
@@ -0,0 +1,33 @@
+From 5278275c1758a38199b43530adfc50098f4b41c7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:29 +0100
+Subject: crypto: qce - fix goto jump in error path
+
+From: Bartosz Golaszewski
+
+commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
+
+If qce_check_version() fails, we should jump to err_dma as we already
+called qce_dma_request() a couple lines before.
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -247,7 +247,7 @@ static int qce_crypto_probe(struct platf
+
+ ret = qce_check_version(qce);
+ if (ret)
+- goto err_clks;
++ goto err_dma;
+
+ spin_lock_init(&qce->lock);
+ tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
diff --git a/queue-6.13/crypto-qce-unregister-previously-registered-algos-in-error-path.patch b/queue-6.13/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
new file mode 100644
index 0000000000..24276b5469
--- /dev/null
+++ b/queue-6.13/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
@@ -0,0 +1,52 @@
+From e80cf84b608725303113d6fe98bb727bf7b7a40d Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:30 +0100
+Subject: crypto: qce - unregister previously registered algos in error path
+
+From: Bartosz Golaszewski
+
+commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
+
+If we encounter an error when registering alorithms with the crypto
+framework, we just bail out and don't unregister the ones we
+successfully registered in prior iterations of the loop.
+
+Add code that goes back over the algos and unregisters them before
+returning an error from qce_register_algs().
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -51,16 +51,19 @@ static void qce_unregister_algs(struct q
+ static int qce_register_algs(struct qce_device *qce)
+ {
+ const struct qce_algo_ops *ops;
+- int i, ret = -ENODEV;
++ int i, j, ret = -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
+ ops = qce_ops[i];
+ ret = ops->register_algs(qce);
+- if (ret)
+- break;
++ if (ret) {
++ for (j = i - 1; j >= 0; j--)
++ ops->unregister_algs(qce);
++ return ret;
++ }
+ }
+
+- return ret;
++ return 0;
+ }
+
+ static int qce_handle_request(struct crypto_async_request *async_req)
diff --git a/queue-6.13/fgraph-fix-set_graph_notrace-with-setting-trace_graph_notrace_bit.patch b/queue-6.13/fgraph-fix-set_graph_notrace-with-setting-trace_graph_notrace_bit.patch
new file mode 100644
index 0000000000..ece29435cc
--- /dev/null
+++ b/queue-6.13/fgraph-fix-set_graph_notrace-with-setting-trace_graph_notrace_bit.patch
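Review bot: The rollback loop in qce_register_algs() never re-reads `qce_ops[j]`: `ops` still points at `qce_ops[i]`, the entry whose `register_algs()` just failed, so `ops->unregister_algs(qce)` is called `i` times on the wrong ops and the algorithms registered in earlier iterations stay registered. A failed probe would then leave them registered with the crypto framework while the device goes away; the teardown is outside this hunk, so that consequence is inferred. The loop body should index by `j`: `qce_ops[j]->unregister_algs(qce);`.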
@@ -0,0 +1,73 @@
+From c8c9b1d2d5b4377c72a979f5a26e842a869aefc9 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Sat, 8 Feb 2025 00:15:11 -0500
+Subject: fgraph: Fix set_graph_notrace with setting TRACE_GRAPH_NOTRACE_BIT
+
+From: Steven Rostedt
+
+commit c8c9b1d2d5b4377c72a979f5a26e842a869aefc9 upstream.
+
+The code was restructured where the function graph notrace code, that
+would not trace a function and all its children is done by setting a
+NOTRACE flag when the function that is not to be traced is hit.
+
+There's a TRACE_GRAPH_NOTRACE_BIT which defines the bit in the flags and a
+TRACE_GRAPH_NOTRACE which is the mask with that bit set. But the
+restructuring used TRACE_GRAPH_NOTRACE_BIT when it should have used
+TRACE_GRAPH_NOTRACE.
+
+For example:
+
+ # cd /sys/kernel/tracing
+ # echo set_track_prepare stack_trace_save > set_graph_notrace
+ # echo function_graph > current_tracer
+ # cat trace
+[..]
+ 0) | __slab_free() {
+ 0) | free_to_partial_list() {
+ 0) | arch_stack_walk() {
+ 0) | __unwind_start() {
+ 0) 0.501 us | get_stack_info();
+
+Where a non filter trace looks like:
+
+ # echo > set_graph_notrace
+ # cat trace
+ 0) | free_to_partial_list() {
+ 0) | set_track_prepare() {
+ 0) | stack_trace_save() {
+ 0) | arch_stack_walk() {
+ 0) | __unwind_start() {
+
+Where the filter should look like:
+
+ # cat trace
+ 0) | free_to_partial_list() {
+ 0) | _raw_spin_lock_irqsave() {
+ 0) 0.350 us | preempt_count_add();
+ 0) 0.351 us | do_raw_spin_lock();
+ 0) 2.440 us | }
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu
+Cc: Mark Rutland
+Cc: Mathieu Desnoyers
+Link: https://lore.kernel.org/20250208001511.535be150@batman.local.home
+Fixes: b84214890a9bc ("function_graph: Move graph notrace bit to shadow stack global var")
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_functions_graph.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -198,7 +198,7 @@ int trace_graph_entry(struct ftrace_grap
+ * returning from the function.
+ */
+ if (ftrace_graph_notrace_addr(trace->func)) {
+- *task_var |= TRACE_GRAPH_NOTRACE_BIT;
++ *task_var |= TRACE_GRAPH_NOTRACE;
+ /*
+ * Need to return 1 to have the return called
+ * that will clear the NOTRACE bit.
diff --git a/queue-6.13/i3c-master-fix-missing-ret-assignment-in-set_speed.patch b/queue-6.13/i3c-master-fix-missing-ret-assignment-in-set_speed.patch
new file mode 100644
index 0000000000..6be08d0d87
--- /dev/null
+++ b/queue-6.13/i3c-master-fix-missing-ret-assignment-in-set_speed.patch
@@ -0,0 +1,42 @@
+From b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 Mon Sep 17 00:00:00 2001
+From: Frank Li
+Date: Wed, 8 Jan 2025 17:55:33 -0500
+Subject: i3c: master: Fix missing 'ret' assignment in set_speed()
+
+From: Frank Li
+
+commit b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 upstream.
+
+Fix a probe failure in the i3c master driver that occurs when no i3c
+devices are connected to the bus.
+
+The issue arises in `i3c_master_bus_init()` where the `ret` value is not
+updated after calling `master->ops->set_speed()`. If no devices are
+present, `ret` remains set to `I3C_ERROR_M2`, causing the code to
+incorrectly proceed to `err_bus_cleanup`.
+
+Cc: stable@vger.kernel.org
+Fixes: aef79e189ba2 ("i3c: master: support to adjust first broadcast address speed")
+Signed-off-by: Frank Li
+Reviewed-by: Wolfram Sang
+Tested-by: Wolfram Sang
+Acked-by: Mukesh Kumar Savaliya
+Reviewed-by: Miquel Raynal
+Link: https://lore.kernel.org/r/20250108225533.915334-1-Frank.Li@nxp.com
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i3c/master.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1919,7 +1919,7 @@ static int i3c_master_bus_init(struct i3
+ goto err_bus_cleanup;
+
+ if (master->ops->set_speed) {
+- master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
++ ret = master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
+ if (ret)
+ goto err_bus_cleanup;
+ }
diff --git a/queue-6.13/io_uring-fix-multishots-with-selected-buffers.patch b/queue-6.13/io_uring-fix-multishots-with-selected-buffers.patch
new file mode 100644
index 0000000000..de2f66d754
--- /dev/null
+++ b/queue-6.13/io_uring-fix-multishots-with-selected-buffers.patch
@@ -0,0 +1,39 @@
+From d63b0e8a628e62ca85a0f7915230186bb92f8bb4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Tue, 28 Jan 2025 00:55:24 +0000
+Subject: io_uring: fix multishots with selected buffers
+
+From: Pavel Begunkov
+
+commit d63b0e8a628e62ca85a0f7915230186bb92f8bb4 upstream.
+
+We do io_kbuf_recycle() when arming a poll but every iteration of a
+multishot can grab more buffers, which is why we need to flush the kbuf
+ring state before continuing with waiting.
+
+Cc: stable@vger.kernel.org
+Fixes: b3fdea6ecb55c ("io_uring: multishot recv")
+Reported-by: Muhammad Ramdhan
+Reported-by: Bing-Jhong Billy Jheng
+Reported-by: Jacob Soo
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/1bfc9990fe435f1fc6152ca9efeba5eb3e68339c.1738025570.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/poll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -315,8 +315,10 @@ void io_poll_task_func(struct io_kiocb *
+
+ ret = io_poll_check_events(req, ts);
+ if (ret == IOU_POLL_NO_ACTION) {
++ io_kbuf_recycle(req, 0);
+ return;
+ } else if (ret == IOU_POLL_REQUEUE) {
++ io_kbuf_recycle(req, 0);
+ __io_poll_execute(req, 0);
+ return;
+ }
diff --git a/queue-6.13/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch b/queue-6.13/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
new file mode 100644
index 0000000000..455dc58a7a
--- /dev/null
+++ b/queue-6.13/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
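Review bot: Both early returns in io_poll_task_func() now call `io_kbuf_recycle(req, 0)`, but the reason for it exists only in the commit message, so the calls look redundant next to the recycle done when the poll is armed. A comment above the first call would keep them from being dropped in a later cleanup: `/* a multishot iteration may have selected buffers; flush the kbuf ring state before waiting again */`. The function continues outside the hunk.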
@@ -0,0 +1,55 @@
+From 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 30 Jan 2025 08:40:29 -0700
+Subject: io_uring/net: don't retry connect operation on EPOLLERR
+
+From: Jens Axboe
+
+commit 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 upstream.
+
+If a socket is shutdown before the connection completes, POLLERR is set
+in the poll mask. However, connect ignores this as it doesn't know, and
+attempts the connection again. This may lead to a bogus -ETIMEDOUT
+result, where it should have noticed the POLLERR and just returned
+-ECONNRESET instead.
+
+Have the poll logic check for whether or not POLLERR is set in the mask,
+and if so, mark the request as failed. Then connect can appropriately
+fail the request rather than retry it.
+
+Reported-by: Sergey Galas
+Cc: stable@vger.kernel.org
+Link: https://github.com/axboe/liburing/discussions/1335
+Fixes: 3fb1bd688172 ("io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/net.c | 5 +++++
+ io_uring/poll.c | 2 ++
+ 2 files changed, 7 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1709,6 +1709,11 @@ int io_connect(struct io_kiocb *req, uns
+ int ret;
+ bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
+
++ if (unlikely(req->flags & REQ_F_FAIL)) {
++ ret = -ECONNRESET;
++ goto out;
++ }
++
+ file_flags = force_nonblock ? O_NONBLOCK : 0;
+
+ ret = __sys_connect_file(req->file, &io->addr, connect->addr_len,
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -273,6 +273,8 @@ static int io_poll_check_events(struct i
+ return IOU_POLL_REISSUE;
+ }
+ }
++ if (unlikely(req->cqe.res & EPOLLERR))
++ req_set_fail(req);
+ if (req->apoll_events & EPOLLONESHOT)
+ return IOU_POLL_DONE;
+
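Review bot: io_connect() now turns any `REQ_F_FAIL` into `-ECONNRESET`, while io_poll_check_events() sets that flag for every request that reaches the new check with `EPOLLERR` in `req->cqe.res`, not only for connect. Two things are worth confirming, neither visible in these hunks: that nothing else can set REQ_F_FAIL on a connect request before it is issued (it would be reported as a reset), and that marking non-connect poll requests as failed does not change how requests linked to them complete. A comment at the check in io_connect() would record the coupling: `/* REQ_F_FAIL is set by the poll path when it saw EPOLLERR */`. Both functions start and end outside their hunks.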
diff --git a/queue-6.13/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch b/queue-6.13/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
new file mode 100644
index 0000000000..8f9d7a7935
--- /dev/null
+++ b/queue-6.13/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
@@ -0,0 +1,42 @@
+From 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 Mon Sep 17 00:00:00 2001
+From: Nick Chan
+Date: Sun, 19 Jan 2025 00:31:42 +0800
+Subject: irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured so
+
+From: Nick Chan
+
+commit 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 upstream.
+
+The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of
+several ways, and since Apple A11 one of the methods is FIQ, but the check
+of the configuration register fails to test explicitely for FIQ mode. It
+tests whether the IMODE bitfield is zero or not and the PMCRO_IACT bit is
+set. That results in false positives when the IMODE bitfield is not zero,
+but does not have the mode PMCR0_IMODE_FIQ.
+
+Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured
+to fire FIQs, i.e. the IMODE bitfield value is PMCR0_IMODE_FIQ and
+PMCR0_IACT is set.
+
+Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts")
+Signed-off-by: Nick Chan
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250118163554.16733-1-towinchenmi@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-apple-aic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-apple-aic.c
++++ b/drivers/irqchip/irq-apple-aic.c
+@@ -577,7 +577,8 @@ static void __exception_irq_entry aic_ha
+ AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT));
+ }
+
+- if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) {
++ if ((read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & (PMCR0_IMODE | PMCR0_IACT)) ==
++ (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) {
+ int irq;
+ if (cpumask_test_cpu(smp_processor_id(),
+ &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff))
diff --git a/queue-6.13/irqchip-irq-mvebu-icu-fix-access-to-msi_data-from-irq_domain-host_data.patch b/queue-6.13/irqchip-irq-mvebu-icu-fix-access-to-msi_data-from-irq_domain-host_data.patch
new file mode 100644
index 0000000000..ad4112fd9b
--- /dev/null
+++ b/queue-6.13/irqchip-irq-mvebu-icu-fix-access-to-msi_data-from-irq_domain-host_data.patch 
@@ -0,0 +1,46 @@
+From 987f379b54091cc1b1db986bde71cee1081350b3 Mon Sep 17 00:00:00 2001
+From: Stefan Eichenberger
+Date: Fri, 24 Jan 2025 09:50:39 +0100
+Subject: irqchip/irq-mvebu-icu: Fix access to msi_data from irq_domain::host_data
+
+From: Stefan Eichenberger
+
+commit 987f379b54091cc1b1db986bde71cee1081350b3 upstream.
+
+mvebu_icu_translate() incorrectly casts irq_domain::host_data directly to
+mvebu_icu_msi_data. However, host_data actually points to a structure of
+type msi_domain_info.
+
+This incorrect cast causes issues such as the thermal sensors of the
+CP110 platform malfunctioning. Specifically, the translation of the SEI
+interrupt to IRQ_TYPE_EDGE_RISING fails, preventing proper interrupt
+handling. The following error was observed:
+
+ genirq: Setting trigger mode 4 for irq 85 failed (irq_chip_set_type_parent+0x0/0x34)
+ armada_thermal f2400000.system-controller:thermal-sensor@70: Cannot request threaded IRQ 85
+
+Resolve the issue by first casting host_data to msi_domain_info and then
+accessing mvebu_icu_msi_data through msi_domain_info::chip_data.
+
+Fixes: d929e4db22b6 ("irqchip/irq-mvebu-icu: Prepare for real per device MSI")
+Signed-off-by: Stefan Eichenberger
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250124085140.44792-1-eichest@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-mvebu-icu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-mvebu-icu.c
++++ b/drivers/irqchip/irq-mvebu-icu.c
+@@ -68,7 +68,8 @@ static int mvebu_icu_translate(struct ir
+ unsigned long *hwirq, unsigned int *type)
+ {
+ unsigned int param_count = static_branch_unlikely(&legacy_bindings) ? 3 : 2;
+- struct mvebu_icu_msi_data *msi_data = d->host_data;
++ struct msi_domain_info *info = d->host_data;
++ struct mvebu_icu_msi_data *msi_data = info->chip_data;
+ struct mvebu_icu *icu = msi_data->icu;
+
+ /* Check the count of the parameters in dt */
diff --git a/queue-6.13/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch b/queue-6.13/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
new file mode 100644
index 0000000000..db0a6fdc56
--- /dev/null
+++ b/queue-6.13/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
@@ -0,0 +1,68 @@
+From 0b7f8328f988178b55ee11d772a6e1238c04d29d Mon Sep 17 00:00:00 2001
+From: Pekka Pessi
+Date: Mon, 2 Dec 2024 15:35:59 +0530
+Subject: mailbox: tegra-hsp: Clear mailbox before using message
+
+From: Pekka Pessi
+
+commit 0b7f8328f988178b55ee11d772a6e1238c04d29d upstream.
+
+The Tegra RCE (Camera) driver expects the mailbox to be empty before
+processing the IVC messages. On RT kernel, the threads processing the
+IVC messages (which are invoked after `mbox_chan_received_data()` is
+called) may be on a different CPU or running with a higher priority
+than the HSP interrupt handler thread. This can cause it to act on the
+message before the mailbox gets cleared in the HSP interrupt handler
+resulting in a loss of IVC notification.
+
+Fix this by clearing the mailbox data register before calling
+`mbox_chan_received_data()`.
+
+Fixes: 8f585d14030d ("mailbox: tegra-hsp: Add tegra_hsp_sm_ops")
+Fixes: 74c20dd0f892 ("mailbox: tegra-hsp: Add 128-bit shared mailbox support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pekka Pessi
+Signed-off-by: Kartik Rajput
+Acked-by: Thierry Reding
+Signed-off-by: Jassi Brar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mailbox/tegra-hsp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mailbox/tegra-hsp.c
++++ b/drivers/mailbox/tegra-hsp.c
+@@ -388,7 +388,6 @@ static void tegra_hsp_sm_recv32(struct t
+ value = tegra_hsp_channel_readl(channel, HSP_SM_SHRD_MBOX);
+ value &= ~HSP_SM_SHRD_MBOX_FULL;
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Need to clear all bits here since some producers, such as TCU, depend
+@@ -398,6 +397,8 @@ static void tegra_hsp_sm_recv32(struct t
+ * explicitly, so we have to make sure we cover all possible cases.
+ */
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SM_SHRD_MBOX);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_32bit_ops = {
+@@ -433,7 +434,6 @@ static void tegra_hsp_sm_recv128(struct
+ value[3] = tegra_hsp_channel_readl(channel, HSP_SHRD_MBOX_TYPE1_DATA3);
+
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Clear data registers and tag.
+@@ -443,6 +443,8 @@ static void tegra_hsp_sm_recv128(struct
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA2);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA3);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_TAG);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_128bit_ops = {
diff --git a/queue-6.13/mailbox-zynqmp-remove-invalid-__percpu-annotation-in-zynqmp_ipi_probe.patch b/queue-6.13/mailbox-zynqmp-remove-invalid-__percpu-annotation-in-zynqmp_ipi_probe.patch
new file mode 100644
index 0000000000..77a6bec4f9
--- /dev/null
+++ b/queue-6.13/mailbox-zynqmp-remove-invalid-__percpu-annotation-in-zynqmp_ipi_probe.patch
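Review bot: The fix depends on `mbox_chan_received_data()` staying below the register clear in tegra_hsp_sm_recv32(), and nothing in the code says so; the existing comment only explains why all bits are cleared. A short comment above the moved call would keep a later cleanup from moving it back up: `/* Notify the client only after the mailbox is cleared; it may act on the message at once */`. The same applies to the moved call in tegra_hsp_sm_recv128(). Both functions start outside their hunks.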
@@ -0,0 +1,53 @@
+From 170a264d2611a0bfa96b7818730473db5e7546fc Mon Sep 17 00:00:00 2001
+From: Uros Bizjak
+Date: Sat, 14 Dec 2024 10:12:59 +0100
+Subject: mailbox: zynqmp: Remove invalid __percpu annotation in zynqmp_ipi_probe()
+
+From: Uros Bizjak
+
+commit 170a264d2611a0bfa96b7818730473db5e7546fc upstream.
+
+struct zynqmp_ipi_pdata __percpu *pdata is not a per-cpu variable,
+so it should not be annotated with __percpu annotation.
+
+Remove invalid __percpu annotation to fix several
+
+zynqmp-ipi-mailbox.c:920:15: warning: incorrect type in assignment (different address spaces)
+zynqmp-ipi-mailbox.c:920:15: expected struct zynqmp_ipi_pdata [noderef] __percpu *pdata
+zynqmp-ipi-mailbox.c:920:15: got void *
+zynqmp-ipi-mailbox.c:927:56: warning: incorrect type in argument 3 (different address spaces)
+zynqmp-ipi-mailbox.c:927:56: expected unsigned int [usertype] *out_value
+zynqmp-ipi-mailbox.c:927:56: got unsigned int [noderef] __percpu *
+...
+
+and several
+
+drivers/mailbox/zynqmp-ipi-mailbox.c:924:9: warning: dereference of noderef expression
+...
+
+sparse warnings.
+
+There were no changes in the resulting object file.
+
+Cc: stable@vger.kernel.org
+Fixes: 6ffb1635341b ("mailbox: zynqmp: handle SGI for shared IPI")
+Signed-off-by: Uros Bizjak
+Reviewed-by: Michal Simek
+Reviewed-by: Tanmay Shah
+Signed-off-by: Jassi Brar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mailbox/zynqmp-ipi-mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
++++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
+@@ -905,7 +905,7 @@ static int zynqmp_ipi_probe(struct platf
+ {
+ struct device *dev = &pdev->dev;
+ struct device_node *nc, *np = pdev->dev.of_node;
+- struct zynqmp_ipi_pdata __percpu *pdata;
++ struct zynqmp_ipi_pdata *pdata;
+ struct of_phandle_args out_irq;
+ struct zynqmp_ipi_mbox *mbox;
+ int num_mboxes, ret = -EINVAL;
diff --git a/queue-6.13/maple_tree-simplify-split-calculation.patch b/queue-6.13/maple_tree-simplify-split-calculation.patch
new file mode 100644
index 0000000000..d091426312
--- /dev/null
+++ b/queue-6.13/maple_tree-simplify-split-calculation.patch
@@ -0,0 +1,112 @@
+From 4f6a6bed0bfef4b966f076f33eb4f5547226056a Mon Sep 17 00:00:00 2001
+From: Wei Yang
+Date: Wed, 13 Nov 2024 03:16:14 +0000
+Subject: maple_tree: simplify split calculation
+
+From: Wei Yang
+
+commit 4f6a6bed0bfef4b966f076f33eb4f5547226056a upstream.
+
+Patch series "simplify split calculation", v3.
+
+
+This patch (of 3):
+
+The current calculation for splitting nodes tries to enforce a minimum
+span on the leaf nodes. This code is complex and never worked correctly
+to begin with, due to the min value being passed as 0 for all leaves.
+
+The calculation should just split the data as equally as possible
+between the new nodes. Note that b_end will be one more than the data,
+so the left side is still favoured in the calculation.
+
+The current code may also lead to a deficient node by not leaving enough
+data for the right side of the split. This issue is also addressed with
+the split calculation change.
+
+[Liam.Howlett@Oracle.com: rephrase the change log]
+Link: https://lkml.kernel.org/r/20241113031616.10530-1-richard.weiyang@gmail.com
+Link: https://lkml.kernel.org/r/20241113031616.10530-2-richard.weiyang@gmail.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Wei Yang
+Reviewed-by: Liam R. Howlett
+Cc: Sidhartha Kumar
+Cc: Lorenzo Stoakes
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/maple_tree.c | 23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -1863,11 +1863,11 @@ static inline int mab_no_null_split(stru
+ * Return: The first split location. The middle split is set in @mid_split.
+ */
+ static inline int mab_calc_split(struct ma_state *mas,
+- struct maple_big_node *bn, unsigned char *mid_split, unsigned long min)
++ struct maple_big_node *bn, unsigned char *mid_split)
+ {
+ unsigned char b_end = bn->b_end;
+ int split = b_end / 2; /* Assume equal split. */
+- unsigned char slot_min, slot_count = mt_slots[bn->type];
++ unsigned char slot_count = mt_slots[bn->type];
+
+ /*
+ * To support gap tracking, all NULL entries are kept together and a node cannot
+@@ -1900,18 +1900,7 @@ static inline int mab_calc_split(struct
+ split = b_end / 3;
+ *mid_split = split * 2;
+ } else {
+- slot_min = mt_min_slots[bn->type];
+-
+ *mid_split = 0;
+- /*
+- * Avoid having a range less than the slot count unless it
+- * causes one node to be deficient.
+- * NOTE: mt_min_slots is 1 based, b_end and split are zero.
+- */
+- while ((split < slot_count - 1) &&
+- ((bn->pivot[split] - min) < slot_count - 1) &&
+- (b_end - split > slot_min))
+- split++;
+ }
+
+ /* Avoid ending a node on a NULL entry */
+@@ -2377,7 +2366,7 @@ static inline struct maple_enode
+ static inline unsigned char mas_mab_to_node(struct ma_state *mas,
+ struct maple_big_node *b_node, struct maple_enode **left,
+ struct maple_enode **right, struct maple_enode **middle,
+- unsigned char *mid_split, unsigned long min)
++ unsigned char *mid_split)
+ {
+ unsigned char split = 0;
+ unsigned char slot_count = mt_slots[b_node->type];
+@@ -2390,7 +2379,7 @@ static inline unsigned char mas_mab_to_n
+ if (b_node->b_end < slot_count) {
+ split = b_node->b_end;
+ } else {
+- split = mab_calc_split(mas, b_node, mid_split, min);
++ split = mab_calc_split(mas, b_node, mid_split);
+ *right = mas_new_ma_node(mas, b_node);
+ }
+
+@@ -2877,7 +2866,7 @@ static void mas_spanning_rebalance(struc
+ mast->bn->b_end--;
+ mast->bn->type = mte_node_type(mast->orig_l->node);
+ split = mas_mab_to_node(mas, mast->bn, &left, &right, &middle,
+- &mid_split, mast->orig_l->min);
++ &mid_split);
+ mast_set_split_parents(mast, left, middle, right, split,
+ mid_split);
+ mast_cp_to_nodes(mast, left, middle, right, split, mid_split);
+@@ -3365,7 +3354,7 @@ static void mas_split(struct ma_state *m
+ if (mas_push_data(mas, height, &mast, false))
+ break;
+
+- split = mab_calc_split(mas, b_node, &mid_split, prev_l_mas.min);
++ split = mab_calc_split(mas, b_node, &mid_split);
+ mast_split_data(&mast, mas, split);
+ /*
+ * Usually correct, mab_mas_cp in the above call overwrites
diff --git a/queue-6.13/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch b/queue-6.13/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
new file mode 100644
index 0000000000..db65159a09
--- /dev/null
+++ b/queue-6.13/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
@@ -0,0 +1,35 @@
+From 637c20002dc8c347001292664055bfbf56544ec6 Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E
+Date: Fri, 10 Jan 2025 13:42:37 +0000
+Subject: misc: fastrpc: Deregister device nodes properly in error scenarios
+
+From: Anandu Krishnan E
+
+commit 637c20002dc8c347001292664055bfbf56544ec6 upstream.
+
+During fastrpc_rpmsg_probe, if secure device node registration
+succeeds but non-secure device node registration fails, the secure
+device node deregister is not called during error cleanup. Add proper
+exit paths to ensure proper cleanup in case of error.
+
+Fixes: 3abe3ab3cdab ("misc: fastrpc: add secure domain support")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -2344,7 +2344,7 @@ static int fastrpc_rpmsg_probe(struct rp
+
+ err = fastrpc_device_register(rdev, data, false, domains[domain_id]);
+ if (err)
+- goto fdev_error;
++ goto populate_error;
+ break;
+ default:
+ err = -EINVAL;
diff --git a/queue-6.13/misc-fastrpc-fix-copy-buffer-page-size.patch b/queue-6.13/misc-fastrpc-fix-copy-buffer-page-size.patch
new file mode 100644
index 0000000000..2a3eee7fb6
--- /dev/null
+++ b/queue-6.13/misc-fastrpc-fix-copy-buffer-page-size.patch
@@ -0,0 +1,40 @@
+From e966eae72762ecfdbdb82627e2cda48845b9dd66 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Fri, 10 Jan 2025 13:42:39 +0000
+Subject: misc: fastrpc: Fix copy buffer page size
+
+From: Ekansh Gupta
+
+commit e966eae72762ecfdbdb82627e2cda48845b9dd66 upstream.
+
+For non-registered buffer, fastrpc driver copies the buffer and
+pass it to the remote subsystem. There is a problem with current
+implementation of page size calculation which is not considering
+the offset in the calculation. This might lead to passing of
+improper and out-of-bounds page size which could result in
+memory issue. Calculate page start and page end using the offset
+adjusted address instead of absolute address.
+
+Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1019,8 +1019,8 @@ static int fastrpc_get_args(u32 kernel,
+ (pkt_size - rlen);
+ pages[i].addr = pages[i].addr & PAGE_MASK;
+
+- pg_start = (args & PAGE_MASK) >> PAGE_SHIFT;
+- pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
++ pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT;
++ pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
+ pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE;
+ args = args + mlen;
+ rlen -= mlen;
diff --git a/queue-6.13/misc-fastrpc-fix-registered-buffer-page-address.patch b/queue-6.13/misc-fastrpc-fix-registered-buffer-page-address.patch
new file mode 100644
index 0000000000..f96111d2da
--- /dev/null
+++ b/queue-6.13/misc-fastrpc-fix-registered-buffer-page-address.patch
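Review bot: `pg_end` is now derived from `rpra[i].buf.pv + len - 1`, which is only sound when `len` is non-zero and the addition does not wrap; neither condition is checked in this hunk. `len` looks like it comes from the caller's argument list, so if the part of fastrpc_get_args() outside the hunk does not already reject those values, `pages[i].size` would be computed from a wrapped `pg_end - pg_start + 1` and passed on to the remote side. It is worth confirming that the earlier part of the loop skips zero-length arguments, and running the end address through `check_add_overflow()` before the page arithmetic.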
@@ -0,0 +1,48 @@
+From 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Fri, 10 Jan 2025 13:42:38 +0000
+Subject: misc: fastrpc: Fix registered buffer page address
+
+From: Ekansh Gupta
+
+commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream.
+
+For registered buffers, fastrpc driver sends the buffer information
+to remote subsystem. There is a problem with current implementation
+where the page address is being sent with an offset leading to
+improper buffer address on DSP. This is leads to functional failures
+as DSP expects base address in page information and extracts offset
+information from remote arguments. Mask the offset and pass the base
+page address to DSP.
+
+This issue is observed is a corner case when some buffer which is registered
+with fastrpc framework is passed with some offset by user and then the DSP
+implementation tried to read the data. As DSP expects base address and takes
+care of offsetting with remote arguments, passing an offsetted address will
+result in some unexpected data read in DSP.
+
+All generic usecases usually pass the buffer as it is hence is problem is
+not usually observed. If someone tries to pass offsetted buffer and then
+tries to compare data at HLOS and DSP end, then the ambiguity will be observed.
+
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -992,7 +992,7 @@ static int fastrpc_get_args(u32 kernel,
+ mmap_read_lock(current->mm);
+ vma = find_vma(current->mm, ctx->args[i].ptr);
+ if (vma)
+- pages[i].addr += ctx->args[i].ptr -
++ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
+ mmap_read_unlock(current->mm);
+
diff --git a/queue-6.13/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch b/queue-6.13/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch
new file mode 100644
index 0000000000..0f15f885e6
--- /dev/null
+++ b/queue-6.13/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch
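Review bot: `find_vma()` returns the first VMA that ends above the address, not necessarily one that contains it, so `if (vma)` alone does not guarantee `vma->vm_start <= ctx->args[i].ptr`. When the pointer falls in a gap below that VMA, `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` wraps and the wrapped offset is added to `pages[i].addr`; the new mask does not change that. `vma = vma_lookup(current->mm, ctx->args[i].ptr);` returns NULL for an address outside every VMA and would make the existing test sufficient. fastrpc_get_args() starts and ends outside the hunk.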
@@ -0,0 +1,103 @@
+From 6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68 Mon Sep 17 00:00:00 2001
+From: Vimal Agrawal
+Date: Mon, 21 Oct 2024 13:38:12 +0000
+Subject: misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors
+
+From: Vimal Agrawal
+
+commit 6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68 upstream.
+
+misc_minor_alloc was allocating id using ida for minor only in case of
+MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids
+using ida_free causing a mismatch and following warn:
+> > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f
+> > ida_free called for id=127 which is not allocated.
+> > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+...
+> > [<60941eb4>] ida_free+0x3e0/0x41f
+> > [<605ac993>] misc_minor_free+0x3e/0xbc
+> > [<605acb82>] misc_deregister+0x171/0x1b3
+
+misc_minor_alloc is changed to allocate id from ida for all minors
+falling in the range of dynamic/ misc dynamic minors
+
+Fixes: ab760791c0cf ("char: misc: Increase the maximum number of dynamic misc devices to 1048448")
+Signed-off-by: Vimal Agrawal
+Reviewed-by: Dirk VanDerMerwe
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241021133812.23703-1-vimal.agrawal@sophos.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/misc.c | 37 +++++++++++++++++++++++++++++--------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/misc.c
++++ b/drivers/char/misc.c
+@@ -63,16 +63,30 @@ static DEFINE_MUTEX(misc_mtx);
+ #define DYNAMIC_MINORS 128 /* like dynamic majors */
+ static DEFINE_IDA(misc_minors_ida);
+
+-static int misc_minor_alloc(void)
++static int misc_minor_alloc(int minor)
+ {
+- int ret;
++ int ret = 0;
+
+- ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL);
+- if (ret >= 0) {
+- ret = DYNAMIC_MINORS - ret - 1;
++ if (minor == MISC_DYNAMIC_MINOR) {
++ /* allocate free id */
++ ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL);
++ if (ret >= 0) {
++ ret = DYNAMIC_MINORS - ret - 1;
++ } else {
++ ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1,
++ MINORMASK, GFP_KERNEL);
++ }
+ } else {
+- ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1,
+- MINORMASK, GFP_KERNEL);
++ /* specific minor, check if it is in dynamic or misc dynamic range */
++ if (minor < DYNAMIC_MINORS) {
++ minor = DYNAMIC_MINORS - minor - 1;
++ ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL);
++ } else if (minor > MISC_DYNAMIC_MINOR) {
++ ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL);
++ } else {
++ /* case of non-dynamic minors, no need to allocate id */
++ ret = 0;
++ }
+ }
+ return ret;
+ }
+@@ -219,7 +233,7 @@ int misc_register(struct miscdevice *mis
+ mutex_lock(&misc_mtx);
+
+ if (is_dynamic) {
+- int i = misc_minor_alloc();
++ int i = misc_minor_alloc(misc->minor);
+
+ if (i < 0) {
+ err = -EBUSY;
+@@ -228,6 +242,7 @@ int misc_register(struct miscdevice *mis
+ misc->minor = i;
+ } else {
+ struct miscdevice *c;
++ int i;
+
+ list_for_each_entry(c, &misc_list, list) {
+ if (c->minor == misc->minor) {
+@@ -235,6 +250,12 @@ int misc_register(struct miscdevice *mis
+ goto out;
+ }
+ }
++
++ i = misc_minor_alloc(misc->minor);
++ if (i < 0) {
++ err = -EBUSY;
++ goto out;
++ }
+ }
+
+ dev = MKDEV(MISC_MAJOR, misc->minor);
diff --git a/queue-6.13/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch b/queue-6.13/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
new file mode 100644
index 0000000000..a32bcef9ce
--- /dev/null
+++ b/queue-6.13/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
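Review bot: misc_minor_alloc() now has three return conventions and no comment says so: the minor number for `MISC_DYNAMIC_MINOR`, the raw ida id for a specific minor (for `minor < DYNAMIC_MINORS` that is `DYNAMIC_MINORS - minor - 1`, not the minor), and 0 for minors that need no id. The new call in the static branch of misc_register() only tests the sign, which works, but a header comment such as `/* For MISC_DYNAMIC_MINOR returns the allocated minor; for a specific minor returns >= 0 on success and the value is not the minor. */` would stop a later caller from storing it. Both call sites also turn every negative result into `-EBUSY`, which hides an `-ENOMEM` from the ida. Since a static minor now holds an ida id, the failure paths of misc_register() after this point need to release it for static minors as well; those paths are outside the hunk and worth checking.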
@@ -0,0 +1,36 @@
+From 70a71f8151b9879b0950668ce3ad76263261fee0 Mon Sep 17 00:00:00 2001
+From: Ivan Stepchenko
+Date: Thu, 14 Nov 2024 16:29:51 +0300
+Subject: mtd: onenand: Fix uninitialized retlen in do_otp_read()
+
+From: Ivan Stepchenko
+
+commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream.
+
+The function do_otp_read() does not set the output parameter *retlen,
+which is expected to contain the number of bytes actually read.
+As a result, in onenand_otp_walk(), the tmp_retlen variable remains
+uninitialized after calling do_otp_walk() and used to change
+the values of the buf, len and retlen variables.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Stepchenko
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/onenand/onenand_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/onenand/onenand_base.c
++++ b/drivers/mtd/nand/onenand/onenand_base.c
+@@ -2923,6 +2923,7 @@ static int do_otp_read(struct mtd_info *
+ ret = ONENAND_IS_4KB_PAGE(this) ?
+ onenand_mlc_read_ops_nolock(mtd, from, &ops) :
+ onenand_read_ops_nolock(mtd, from, &ops);
++ *retlen = ops.retlen;
+
+ /* Exit OTP access mode */
+ this->command(mtd, ONENAND_CMD_RESET, 0, 0);
diff --git a/queue-6.13/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch b/queue-6.13/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
new file mode 100644
index 0000000000..4a1b7a6cb5
--- /dev/null
+++ b/queue-6.13/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
@@ -0,0 +1,64 @@
+From 6bb194d036c6e1b329dcdff459338cdd9a54802a Mon Sep 17 00:00:00 2001
+From: Paul Fertser
+Date: Thu, 16 Jan 2025 18:29:00 +0300
+Subject: net/ncsi: wait for the last response to Deselect Package before configuring channel
+
+From: Paul Fertser
+
+commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream.
+
+The NCSI state machine as it's currently implemented assumes that
+transition to the next logical state is performed either explicitly by
+calling `schedule_work(&ndp->work)` to re-queue itself or implicitly
+after processing the predefined (ndp->pending_req_num) number of
+replies. Thus to avoid the configuration FSM from advancing prematurely
+and getting out of sync with the process it's essential to not skip
+waiting for a reply.
+
+This patch makes the code wait for reception of the Deselect Package
+response for the last package probed before proceeding to channel
+configuration.
+
+Thanks go to Potin Lai and Cosmo Chou for the initial investigation and
+testing.
+
+Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser
+Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ncsi/ncsi-manage.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1385,6 +1385,12 @@ static void ncsi_probe_channel(struct nc
+ nd->state = ncsi_dev_state_probe_package;
+ break;
+ case ncsi_dev_state_probe_package:
++ if (ndp->package_probe_id >= 8) {
++ /* Last package probed, finishing */
++ ndp->flags |= NCSI_DEV_PROBED;
++ break;
++ }
++
+ ndp->pending_req_num = 1;
+
+ nca.type = NCSI_PKT_CMD_SP;
+@@ -1501,13 +1507,8 @@ static void ncsi_probe_channel(struct nc
+ if (ret)
+ goto error;
+
+- /* Probe next package */
++ /* Probe next package after receiving response */
+ ndp->package_probe_id++;
+- if (ndp->package_probe_id >= 8) {
+- /* Probe finished */
+- ndp->flags |= NCSI_DEV_PROBED;
+- break;
+- }
+ nd->state = ncsi_dev_state_probe_package;
+ ndp->active_package = NULL;
+ break;
diff --git a/queue-6.13/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch b/queue-6.13/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
new file mode 100644
index 0000000000..ede2460a4b
--- /dev/null
+++ b/queue-6.13/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
@@ -0,0 +1,40 @@
+From bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 Mon Sep 17 00:00:00 2001
+From: Milos Reljin
+Date: Fri, 24 Jan 2025 10:41:02 +0000
+Subject: net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset
+
+From: Milos Reljin
+
+commit bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 upstream.
+
+In application note (AN13663) for TJA1120, on page 30, there's a figure
+with average PHY startup timing values following software reset.
+The time it takes for SMI to become operational after software reset
+ranges roughly from 500 us to 1500 us.
+
+This commit adds 2000 us delay after MDIO write which triggers software
+reset. Without this delay, soft_reset function returns an error and
+prevents successful PHY init.
+
+Cc: stable@vger.kernel.org
+Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103")
+Signed-off-by: Milos Reljin
+Reviewed-by: Andrew Lunn
+Link: https://patch.msgid.link/AM8P250MB0124D258E5A71041AF2CC322E1E32@AM8P250MB0124.EURP250.PROD.OUTLOOK.COM
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -1297,6 +1297,8 @@ static int nxp_c45_soft_reset(struct phy
+ if (ret)
+ return ret;
+
++ usleep_range(2000, 2050);
++
+ return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1,
+ VEND1_DEVICE_CONTROL, ret,
+ !(ret & DEVICE_CONTROL_RESET), 20000,
diff --git a/queue-6.13/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch b/queue-6.13/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
new file mode 100644
index 0000000000..6e52684969
--- /dev/null
+++ b/queue-6.13/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
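Review bot: The new `usleep_range(2000, 2050)` in nxp_c45_soft_reset() carries no comment, so the reason for the 2 ms figure lives only in the commit message. A line such as `/* AN13663: SMI takes roughly 0.5-1.5 ms to become operational after soft reset */` above the call would keep the value tied to its source. The commit message quotes the timing for TJA1120; the hunk does not show whether the same function serves other parts, so that may be worth stating in the comment too. The function starts outside the hunk.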
@@ -0,0 +1,36 @@
+From 110b43ef05342d5a11284cc8b21582b698b4ef1c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 17 Jan 2025 12:38:41 +0300
+Subject: NFC: nci: Add bounds checking in nci_hci_create_pipe()
+
+From: Dan Carpenter
+
+commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream.
+
+The "pipe" variable is a u8 which comes from the network. If it's more
+than 127, then it results in memory corruption in the caller,
+nci_hci_connect_gate().
+
+Cc: stable@vger.kernel.org
+Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Simon Horman
+Reviewed-by: Krzysztof Kozlowski
+Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/nfc/nci/hci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -542,6 +542,8 @@ static u8 nci_hci_create_pipe(struct nci
+
+ pr_debug("pipe created=%d\n", pipe);
+
++ if (pipe >= NCI_HCI_MAX_PIPES)
++ pipe = NCI_HCI_INVALID_PIPE;
+ return pipe;
+ }
+
diff --git a/queue-6.13/nfs-make-nfs_fscache-select-netfs_support-instead-of-depending-on-it.patch b/queue-6.13/nfs-make-nfs_fscache-select-netfs_support-instead-of-depending-on-it.patch
new file mode 100644
index 0000000000..96fa617028
--- /dev/null
+++ b/queue-6.13/nfs-make-nfs_fscache-select-netfs_support-instead-of-depending-on-it.patch
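Review bot: An out-of-range pipe id is replaced with `NCI_HCI_INVALID_PIPE` silently, and the check sits after `pr_debug("pipe created=%d\n", pipe)`, so the only trace of a bad response says a pipe was created. Since the commit message says the value comes from the network, moving the check above the debug line and logging the rejection, e.g. `pr_warn_ratelimited("invalid pipe id %u\n", pipe);`, would make malformed responses visible to whoever is debugging the link. The start of nci_hci_create_pipe() is outside the hunk, so whether a status is also reported to the caller cannot be seen here; it is worth confirming that nci_hci_connect_gate() treats `NCI_HCI_INVALID_PIPE` as a failure whatever that status says.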
@@ -0,0 +1,42 @@
+From 90190ba1c3b11687e2c251fda1f5d9893b4bab17 Mon Sep 17 00:00:00 2001
+From: Dragan Simic
+Date: Fri, 27 Dec 2024 20:17:58 +0100
+Subject: nfs: Make NFS_FSCACHE select NETFS_SUPPORT instead of depending on it
+
+From: Dragan Simic
+
+commit 90190ba1c3b11687e2c251fda1f5d9893b4bab17 upstream.
+
+Having the NFS_FSCACHE option depend on the NETFS_SUPPORT options makes
+selecting NFS_FSCACHE impossible unless another option that additionally
+selects NETFS_SUPPORT is already selected.
+
+As a result, for example, being able to reach and select the NFS_FSCACHE
+option requires the CEPH_FS or CIFS option to be selected beforehand, which
+obviously doesn't make much sense.
+
+Let's correct this by making the NFS_FSCACHE option actually select the
+NETFS_SUPPORT option, instead of depending on it.
+
+Fixes: 915cd30cdea8 ("netfs, fscache: Combine fscache with netfs")
+Cc: stable@vger.kernel.org
+Reported-by: Diederik de Haas
+Signed-off-by: Dragan Simic
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -170,7 +170,8 @@ config ROOT_NFS
+
+ config NFS_FSCACHE
+ bool "Provide NFS client caching support"
+- depends on NFS_FS=m && NETFS_SUPPORT || NFS_FS=y && NETFS_SUPPORT=y
++ depends on NFS_FS
++ select NETFS_SUPPORT
+ select FSCACHE
+ help
+ Say Y here if you want NFS data to be cached locally on disc through
diff --git a/queue-6.13/nfsd-encode-compound-operation-status-on-page-boundaries.patch b/queue-6.13/nfsd-encode-compound-operation-status-on-page-boundaries.patch
new file mode 100644
index 0000000000..b60c3a8282
--- /dev/null
+++ b/queue-6.13/nfsd-encode-compound-operation-status-on-page-boundaries.patch
@@ -0,0 +1,117 @@
+From ef3675b45bcb6c17cabbbde620c6cea52ffb21ac Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Mon, 30 Dec 2024 19:28:52 -0500
+Subject: NFSD: Encode COMPOUND operation status on page boundaries
+
+From: Chuck Lever
+
+commit ef3675b45bcb6c17cabbbde620c6cea52ffb21ac upstream.
+
+J. David reports an odd corruption of a READDIR reply sent to a
+FreeBSD client.
+
+xdr_reserve_space() has to do a special trick when the @nbytes value
+requests more space than there is in the current page of the XDR
+buffer.
+
+In that case, xdr_reserve_space() returns a pointer to the start of
+the next page, and then the next call to xdr_reserve_space() invokes
+__xdr_commit_encode() to copy enough of the data item back into the
+previous page to make that data item contiguous across the page
+boundary.
+
+But we need to be careful in the case where buffer space is reserved
+early for a data item whose value will be inserted into the buffer
+later.
+
+One such caller, nfsd4_encode_operation(), reserves 8 bytes in the
+encoding buffer for each COMPOUND operation. However, a READDIR
+result can sometimes encode file names so that there are only 4
+bytes left at the end of the current XDR buffer page (though plenty
+of pages are left to handle the remaining encoding tasks).
+
+If a COMPOUND operation follows the READDIR result (say, a GETATTR),
+then nfsd4_encode_operation() will reserve 8 bytes for the op number
+(9) and the op status (usually NFS4_OK). In this weird case,
+xdr_reserve_space() returns a pointer to byte zero of the next buffer
+page, as it assumes the data item will be copied back into place (in
+the previous page) on the next call to xdr_reserve_space().
+
+nfsd4_encode_operation() writes the op num into the buffer, then
+saves the next 4-byte location for the op's status code. The next
+xdr_reserve_space() call is part of GETATTR encoding, so the op num
+gets copied back into the previous page, but the saved location for
+the op status continues to point to the wrong spot in the current
+XDR buffer page because __xdr_commit_encode() moved that data item.
+
+After GETATTR encoding is complete, nfsd4_encode_operation() writes
+the op status over the first XDR data item in the GETATTR result.
+The NFS4_OK status code (0) makes it look like there are zero items
+in the GETATTR's attribute bitmask.
+
+The patch description of commit 2825a7f90753 ("nfsd4: allow encoding
+across page boundaries") [2014] remarks that NFSD "can't handle a
+new operation starting close to the end of a page." This bug appears
+to be one reason for that remark.
+
+Reported-by: J David
+Closes: https://lore.kernel.org/linux-nfs/3998d739-c042-46b4-8166-dbd6c5f0e804@oracle.com/T/#t
+Tested-by: Rick Macklem
+Reviewed-by: NeilBrown
+Reviewed-by: Jeff Layton
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4xdr.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -5760,15 +5760,14 @@ nfsd4_encode_operation(struct nfsd4_comp
+ struct nfs4_stateowner *so = resp->cstate.replay_owner;
+ struct svc_rqst *rqstp = resp->rqstp;
+ const struct nfsd4_operation *opdesc = op->opdesc;
+- int post_err_offset;
++ unsigned int op_status_offset;
+ nfsd4_enc encoder;
+- __be32 *p;
+
+- p = xdr_reserve_space(xdr, 8);
+- if (!p)
++ if (xdr_stream_encode_u32(xdr, op->opnum) != XDR_UNIT)
++ goto release;
++ op_status_offset = xdr->buf->len;
++ if (!xdr_reserve_space(xdr, XDR_UNIT))
+ goto release;
+- *p++ = cpu_to_be32(op->opnum);
+- post_err_offset = xdr->buf->len;
+
+ if (op->opnum == OP_ILLEGAL)
+ goto status;
+@@ -5809,20 +5808,21 @@ nfsd4_encode_operation(struct nfsd4_comp
+ * bug if we had to do this on a non-idempotent op:
+ */
+ warn_on_nonidempotent_op(op);
+- xdr_truncate_encode(xdr, post_err_offset);
++ xdr_truncate_encode(xdr, op_status_offset + XDR_UNIT);
+ }
+ if (so) {
+- int len = xdr->buf->len - post_err_offset;
++ int len = xdr->buf->len - (op_status_offset + XDR_UNIT);
+
+ so->so_replay.rp_status = op->status;
+ so->so_replay.rp_buflen = len;
+- read_bytes_from_xdr_buf(xdr->buf, post_err_offset,
++ read_bytes_from_xdr_buf(xdr->buf, op_status_offset + XDR_UNIT,
+ so->so_replay.rp_buf, len);
+ }
+ status:
+ op->status = nfsd4_map_status(op->status,
+ resp->cstate.minorversion);
+- *p = op->status;
++ write_bytes_to_xdr_buf(xdr->buf, op_status_offset,
++ &op->status, XDR_UNIT);
+ release:
+ if (opdesc && opdesc->op_release)
+ opdesc->op_release(&op->u);
diff --git a/queue-6.13/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch b/queue-6.13/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
new file mode 100644
index 0000000000..d8f7ef26ac
--- /dev/null
+++ b/queue-6.13/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
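Review bot: `op_status_offset + XDR_UNIT` is written out three times (the truncate, `len`, and `read_bytes_from_xdr_buf()`), and all three must stay in step with the size of the reserved status slot. A second local set right after the reservation, `op_data_offset = op_status_offset + XDR_UNIT;`, would restore the single name that `post_err_offset` used to provide. The result of `write_bytes_to_xdr_buf()` at `status:` is also dropped; the slot was reserved above so it should not fail, but if the helper reports failure through its return value, wrapping the call in `WARN_ON_ONCE()` would catch a status that never reaches the reply. nfsd4_encode_operation() starts outside the hunk.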
@@ -0,0 +1,58 @@
+From 6438ef381c183444f7f9d1de18f22661cba1e946 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Sat, 25 Jan 2025 07:20:53 +0900
+Subject: nilfs2: fix possible int overflows in nilfs_fiemap()
+
+From: Nikita Zhandarovich
+
+commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream.
+
+Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
+by being prepared to go through potentially maxblocks == INT_MAX blocks,
+the value in n may experience an overflow caused by left shift of blkbits.
+
+While it is extremely unlikely to occur, play it safe and cast right hand
+expression to wider type to mitigate the issue.
+
+Found by Linux Verification Center (linuxtesting.org) with static analysis
+tool SVACE.
+
+Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com
+Fixes: 622daaff0a89 ("nilfs2: fiemap support")
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -1188,7 +1188,7 @@ int nilfs_fiemap(struct inode *inode, st
+ if (size) {
+ if (phys && blkphy << blkbits == phys + size) {
+ /* The current extent goes on */
+- size += n << blkbits;
++ size += (u64)n << blkbits;
+ } else {
+ /* Terminate the current extent */
+ ret = fiemap_fill_next_extent(
+@@ -1201,14 +1201,14 @@ int nilfs_fiemap(struct inode *inode, st
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ } else {
+ /* Start a new extent */
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ blkoff += n;
+ }
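Review bot: The shifts that sit next to each fixed line in nilfs_fiemap(), `logical = blkoff << blkbits` and `phys = blkphy << blkbits`, stay uncast in both branches, so they are only overflow-free if `blkoff` and `blkphy` are already 64-bit; their declarations are outside the hunks and worth confirming. The widened expression `(u64)n << blkbits` is now spelled out three times, and a single local computed where `n` is obtained (outside the hunks), for example `u64 ext_bytes = (u64)n << blkbits;`, would keep the widening in one place. A short comment such as `/* widen before shifting: n may be as large as INT_MAX blocks */` would record why the cast is there.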
diff --git a/queue-6.13/nvmem-core-improve-range-check-for-nvmem_cell_write.patch b/queue-6.13/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
new file mode 100644
index 0000000000..3889ec4642
--- /dev/null
+++ b/queue-6.13/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
@@ -0,0 +1,47 @@
+From 31507fc2ad36e0071751a710449db19c85d82a7f Mon Sep 17 00:00:00 2001
+From: Jennifer Berringer
+Date: Mon, 30 Dec 2024 14:19:01 +0000
+Subject: nvmem: core: improve range check for nvmem_cell_write()
+
+From: Jennifer Berringer
+
+commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
+
+When __nvmem_cell_entry_write() is called for an nvmem cell that does
+not need bit shifting, it requires that the len parameter exactly
+matches the nvmem cell size. However, when the nvmem cell has a nonzero
+bit_offset, it was skipping this check.
+
+Accepting values of len larger than the cell size results in
+nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
+buffer that it allocates. Add a check to avoid that problem and instead
+return -EINVAL when len doesn't match the number of bits expected by the
+nvmem cell when bit_offset is nonzero.
+
+This check uses cell->nbits in order to allow providing the smaller size
+to cells that are shifted into another byte by bit_offset. For example,
+a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
+accept a 1-byte write here, although no current callers depend on this.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jennifer Berringer
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1790,6 +1790,8 @@ static int __nvmem_cell_entry_write(stru
+ return -EINVAL;
+
+ if (cell->bit_offset || cell->nbits) {
++ if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)
++ return -EINVAL;
+ buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
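Review bot: The new length check in __nvmem_cell_entry_write() sits under `if (cell->bit_offset || cell->nbits)`, so it also runs for a cell with a nonzero bit_offset and an nbits of 0, where `BITS_TO_BYTES(cell->nbits)` is 0 and a zero-length write passes. Whether such a cell can be registered is decided outside the hunk, so this may be unreachable, but the guard could say so explicitly, e.g. `if (!len || (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes))`. A one-line comment stating that the check bounds the copy into the buffer allocated by nvmem_cell_prepare_write_buffer() would keep the reason next to the code. The function starts and ends outside the hunk.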
diff --git a/queue-6.13/nvmem-imx-ocotp-ele-fix-mac-address-byte-order.patch b/queue-6.13/nvmem-imx-ocotp-ele-fix-mac-address-byte-order.patch
new file mode 100644
index 0000000000..1fd5c66fdd
--- /dev/null
+++ b/queue-6.13/nvmem-imx-ocotp-ele-fix-mac-address-byte-order.patch
@@ -0,0 +1,74 @@
+From 391b06ecb63e6eacd054582cb4eb738dfbf5eb77 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer
+Date: Mon, 30 Dec 2024 14:18:58 +0000
+Subject: nvmem: imx-ocotp-ele: fix MAC address byte order
+
+From: Sascha Hauer
+
+commit 391b06ecb63e6eacd054582cb4eb738dfbf5eb77 upstream.
+
+According to the i.MX93 Fusemap the two MAC addresses are stored in
+words 315 to 317 like this:
+
+315 MAC1_ADDR_31_0[31:0]
+316 MAC1_ADDR_47_32[47:32]
+ MAC2_ADDR_15_0[15:0]
+317 MAC2_ADDR_47_16[31:0]
+
+This means the MAC addresses are stored in reverse byte order. We have
+to swap the bytes before passing them to the upper layers. The storage
+format is consistent to the one used on i.MX6 using imx-ocotp driver
+which does the same byte swapping as introduced here.
+
+With this patch the MAC address on my i.MX93 TQ board correctly reads as
+00:d0:93:6b:27:b8 instead of b8:27:6b:93:d0:00.
+
+Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP")
+Signed-off-by: Sascha Hauer
+Cc: stable
+Reviewed-by: Peng Fan
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/imx-ocotp-ele.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -109,6 +109,26 @@ static int imx_ocotp_reg_read(void *cont
+ return 0;
+ };
+
++static int imx_ocotp_cell_pp(void *context, const char *id, int index,
++ unsigned int offset, void *data, size_t bytes)
++{
++ u8 *buf = data;
++ int i;
++
++ /* Deal with some post processing of nvmem cell data */
++ if (id && !strcmp(id, "mac-address"))
++ for (i = 0; i < bytes / 2; i++)
++ swap(buf[i], buf[bytes - i - 1]);
++
++ return 0;
++}
++
++static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem,
++ struct nvmem_cell_info *cell)
++{
++ cell->read_post_process = imx_ocotp_cell_pp;
++}
++
+ static int imx_ele_ocotp_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -135,6 +155,8 @@ static int imx_ele_ocotp_probe(struct pl
+ priv->config.stride = 1;
+ priv->config.priv = priv;
+ priv->config.read_only = true;
++ priv->config.add_legacy_fixed_of_cells = true;
++ priv->config.fixup_dt_cell_info = imx_ocotp_fixup_dt_cell_info;
+ mutex_init(&priv->lock);
+
+ nvmem = devm_nvmem_register(dev, &priv->config);
diff --git a/queue-6.13/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch b/queue-6.13/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
new file mode 100644
index 0000000000..ce9d674166
--- /dev/null
+++ b/queue-6.13/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
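Review bot: In imx_ocotp_cell_pp() the loop index is declared `int i` while the bound `bytes / 2` is a `size_t`, so the loop condition compares signed with unsigned; `size_t i;` matches the parameter type. The byte reversal is applied to every cell whose id is "mac-address" whatever its length, so if only 6-byte cells are expected a length check or a comment saying so would make that assumption visible. The `for` nested directly under the `if` has no braces at either level, which is easy to misread once a second statement is added.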
@@ -0,0 +1,58 @@
+From 3c9e2cb6cecf65f7501004038c5d1ed85fb7db84 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer
+Date: Mon, 30 Dec 2024 14:18:57 +0000
+Subject: nvmem: imx-ocotp-ele: fix reading from non zero offset
+
+From: Sascha Hauer
+
+commit 3c9e2cb6cecf65f7501004038c5d1ed85fb7db84 upstream.
+
+In imx_ocotp_reg_read() the offset comes in as bytes and not as words.
+This means we have to divide offset by 4 to get to the correct word
+offset.
+
+Also the incoming offset might not be word aligned. In order to read
+from the OCOTP the driver aligns down the previous word boundary and
+reads from there. This means we have to skip this alignment offset from
+the temporary buffer when copying the data to the output buffer.
+
+Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP")
+Signed-off-by: Sascha Hauer
+Cc: stable
+Reviewed-by: Peng Fan
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/imx-ocotp-ele.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -71,12 +71,14 @@ static int imx_ocotp_reg_read(void *cont
+ u32 *buf;
+ void *p;
+ int i;
++ u8 skipbytes;
+
+ if (offset + bytes > priv->data->size)
+ bytes = priv->data->size - offset;
+
+- index = offset;
+- num_bytes = round_up(bytes, 4);
++ index = offset >> 2;
++ skipbytes = offset - (index << 2);
++ num_bytes = round_up(bytes + skipbytes, 4);
+ count = num_bytes >> 2;
+
+ p = kzalloc(num_bytes, GFP_KERNEL);
+@@ -100,7 +102,7 @@ static int imx_ocotp_reg_read(void *cont
+ *buf++ = readl_relaxed(reg + (i << 2));
+ }
+
+- memcpy(val, (u8 *)p, bytes);
++ memcpy(val, ((u8 *)p) + skipbytes, bytes);
+
+ mutex_unlock(&priv->lock);
+
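Review bot: `skipbytes = offset - (index << 2);` in imx_ocotp_reg_read() is just the low two bits of the byte offset and reads more directly as `skipbytes = offset & 3;`. The final `memcpy(val, ((u8 *)p) + skipbytes, bytes)` is only in bounds because `num_bytes` was rounded up from `bytes + skipbytes` further up, so a comment such as `/* p holds whole words from the aligned-down offset; skip the leading pad */` would tie the two lines together for the next reader. The function body starts and ends outside both hunks.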
diff --git a/queue-6.13/nvmem-imx-ocotp-ele-set-word-length-to-1.patch b/queue-6.13/nvmem-imx-ocotp-ele-set-word-length-to-1.patch
new file mode 100644
index 0000000000..3a69e5fba4
--- /dev/null
+++ b/queue-6.13/nvmem-imx-ocotp-ele-set-word-length-to-1.patch
@@ -0,0 +1,45 @@
+From 1b2cb4d0b5b6a9d9fe78470704309ec75f8a1c3a Mon Sep 17 00:00:00 2001
+From: Sascha Hauer
+Date: Mon, 30 Dec 2024 14:18:59 +0000
+Subject: nvmem: imx-ocotp-ele: set word length to 1
+
+From: Sascha Hauer
+
+commit 1b2cb4d0b5b6a9d9fe78470704309ec75f8a1c3a upstream.
+
+The ELE hardware internally has a word length of 4. However, among other
+things we store MAC addresses in the ELE OCOTP. With a length of 6 bytes
+these are naturally unaligned to the word length. Therefore we must
+support unaligned reads in reg_read() and indeed it works properly when
+reg_read() is called via nvmem_reg_read(). Setting the word size to 4
+has the only visible effect that doing unaligned reads from userspace
+via bin_attr_nvmem_read() do not work because they are rejected by that
+function.
+
+Given that we have to abstract from word accesses to byte accesses in
+the driver, set the word size to 1. This allows bytewise accesses from
+userspace to be able to test what the driver has to support anyway.
+
+Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP")
+Signed-off-by: Sascha Hauer
+Cc: stable
+Reviewed-by: Peng Fan
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/imx-ocotp-ele.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -153,7 +153,7 @@ static int imx_ele_ocotp_probe(struct pl
+ priv->config.owner = THIS_MODULE;
+ priv->config.size = priv->data->size;
+ priv->config.reg_read = priv->data->reg_read;
+- priv->config.word_size = 4;
++ priv->config.word_size = 1;
+ priv->config.stride = 1;
+ priv->config.priv = priv;
+ priv->config.read_only = true;
diff --git a/queue-6.13/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch b/queue-6.13/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch
new file mode 100644
index 0000000000..a01276701d
--- /dev/null
+++ b/queue-6.13/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch
@@ -0,0 +1,42 @@
+From 343aa1e289e8e3dba5e3d054c4eb27da7b4e1ecc Mon Sep 17 00:00:00 2001
+From: Sascha Hauer
+Date: Mon, 30 Dec 2024 14:18:56 +0000
+Subject: nvmem: imx-ocotp-ele: simplify read beyond device check
+
+From: Sascha Hauer
+
+commit 343aa1e289e8e3dba5e3d054c4eb27da7b4e1ecc upstream.
+
+Do the read beyond device check on function entry in bytes instead of
+32bit words which is easier to follow.
+
+Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP")
+Signed-off-by: Sascha Hauer
+Cc: stable
+Reviewed-by: Peng Fan
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/imx-ocotp-ele.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -72,13 +72,13 @@ static int imx_ocotp_reg_read(void *cont
+ void *p;
+ int i;
+
++ if (offset + bytes > priv->data->size)
++ bytes = priv->data->size - offset;
++
+ index = offset;
+ num_bytes = round_up(bytes, 4);
+ count = num_bytes >> 2;
+
+- if (count > ((priv->data->size >> 2) - index))
+- count = (priv->data->size >> 2) - index;
+-
+ p = kzalloc(num_bytes, GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
diff --git a/queue-6.13/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch b/queue-6.13/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
new file mode 100644
index 0000000000..e712d898e3
--- /dev/null
+++ b/queue-6.13/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
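Review bot: The new clamp at the top of imx_ocotp_reg_read(), `if (offset + bytes > priv->data->size) bytes = priv->data->size - offset;`, has no case for an offset that is already at or past the device size: if these values are unsigned (their declarations are outside the hunk) the subtraction wraps and the wrapped `bytes` then feeds `round_up()` and `kzalloc()`. The nvmem core may already bound `offset` before calling the read callback, which is not visible here; if it does not, an early `if (offset >= priv->data->size) return -EINVAL;` ahead of the clamp closes the gap. The sum `offset + bytes` can itself overflow for large inputs, and writing the test as `bytes > priv->data->size - offset` after that early return avoids it.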
@@ -0,0 +1,41 @@
+From e88f516ea417c71bb3702603ac6af9e95338cfa6 Mon Sep 17 00:00:00 2001
+From: Luca Weiss
+Date: Mon, 30 Dec 2024 14:19:00 +0000
+Subject: nvmem: qcom-spmi-sdam: Set size in struct nvmem_config
+
+From: Luca Weiss
+
+commit e88f516ea417c71bb3702603ac6af9e95338cfa6 upstream.
+
+Let the nvmem core know what size the SDAM is, most notably this fixes
+the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes
+user space work with that file.
+
+ ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem
+ 00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
+ 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
+ *
+ 00000080
+
+Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Weiss
+Reviewed-by: Vladimir Zapolskiy
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20241230141901.263976-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/qcom-spmi-sdam.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvmem/qcom-spmi-sdam.c
++++ b/drivers/nvmem/qcom-spmi-sdam.c
+@@ -144,6 +144,7 @@ static int sdam_probe(struct platform_de
+ sdam->sdam_config.owner = THIS_MODULE;
+ sdam->sdam_config.add_legacy_fixed_of_cells = true;
+ sdam->sdam_config.stride = 1;
++ sdam->sdam_config.size = sdam->size;
+ sdam->sdam_config.word_size = 1;
+ sdam->sdam_config.reg_read = sdam_read;
+ sdam->sdam_config.reg_write = sdam_write;
diff --git a/queue-6.13/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch b/queue-6.13/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
new file mode 100644
index 0000000000..badd907da4
--- /dev/null
+++ b/queue-6.13/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
@@ -0,0 +1,41 @@
+From f921da2c34692dfec5f72b5ae347b1bea22bb369 Mon Sep 17 00:00:00 2001
+From: Heming Zhao
+Date: Tue, 21 Jan 2025 19:22:03 +0800
+Subject: ocfs2: fix incorrect CPU endianness conversion causing mount failure
+
+From: Heming Zhao
+
+commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream.
+
+Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+introduced a regression bug. The blksz_bits value is already converted to
+CPU endian in the previous code; therefore, the code shouldn't use
+le32_to_cpu() anymore.
+
+Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com
+Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+Signed-off-by: Heming Zhao
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2340,7 +2340,7 @@ static int ocfs2_verify_volume(struct oc
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size bits: found %u, should be 9, 10, 11, or 12\n",
+ blksz_bits);
+- } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
++ } else if ((1 << blksz_bits) != blksz) {
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
+ } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
diff --git a/queue-6.13/ocfs2-handle-a-symlink-read-error-correctly.patch b/queue-6.13/ocfs2-handle-a-symlink-read-error-correctly.patch
new file mode 100644
index 0000000000..94af19fa33
--- /dev/null
+++ b/queue-6.13/ocfs2-handle-a-symlink-read-error-correctly.patch
@@ -0,0 +1,65 @@
+From 2b4c2094da6d84e69b843dd3317902e977bf64bd Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)"
+Date: Thu, 5 Dec 2024 17:16:29 +0000
+Subject: ocfs2: handle a symlink read error correctly
+
+From: Matthew Wilcox (Oracle)
+
+commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream.
+
+Patch series "Convert ocfs2 to use folios".
+
+Mark did a conversion of ocfs2 to use folios and sent it to me as a
+giant patch for review ;-)
+
+So I've redone it as individual patches, and credited Mark for the patches
+where his code is substantially the same. It's not a bad way to do it;
+his patch had some bugs and my patches had some bugs. Hopefully all our
+bugs were different from each other. And hopefully Mark likes all the
+changes I made to his code!
+
+
+This patch (of 23):
+
+If we can't read the buffer, be sure to unlock the page before returning.
+
+Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle)
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Mark Tinguely
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/symlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -65,7 +65,7 @@ static int ocfs2_fast_symlink_read_folio
+
+ if (status < 0) {
+ mlog_errno(status);
+- return status;
++ goto out;
+ }
+
+ fe = (struct ocfs2_dinode *) bh->b_data;
+@@ -76,9 +76,10 @@ static int ocfs2_fast_symlink_read_folio
+ memcpy(kaddr, link, len + 1);
+ kunmap_atomic(kaddr);
+ SetPageUptodate(page);
++out:
+ unlock_page(page);
+ brelse(bh);
+- return 0;
++ return status;
+ }
+
+ const struct address_space_operations ocfs2_fast_symlink_aops = {
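Review bot: The error path in ocfs2_fast_symlink_read_folio() now jumps to `out:` and runs `brelse(bh)`, which is only safe if `bh` is NULL or a valid buffer when the read fails; its declaration and the read call are outside both hunks, so that initialisation is worth confirming. The success path also changes from `return 0;` to `return status;`, so any positive value left in `status` would now reach the caller where 0 was returned before. If the read can only produce 0 or a negative errno, a comment at the label such as `/* status is 0 on success, negative errno if the read failed */` documents the assumption.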
diff --git a/queue-6.13/pinctrl-renesas-rzg2l-fix-pfc_mask-for-rz-v2h-and-rz-g3e.patch b/queue-6.13/pinctrl-renesas-rzg2l-fix-pfc_mask-for-rz-v2h-and-rz-g3e.patch
new file mode 100644
index 0000000000..7f0921b416
--- /dev/null
+++ b/queue-6.13/pinctrl-renesas-rzg2l-fix-pfc_mask-for-rz-v2h-and-rz-g3e.patch
@@ -0,0 +1,44 @@
+From accabfaae0940f9427c782bfee7340ce4c15151c Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar
+Date: Fri, 10 Jan 2025 22:10:45 +0000
+Subject: pinctrl: renesas: rzg2l: Fix PFC_MASK for RZ/V2H and RZ/G3E
+
+From: Lad Prabhakar
+
+commit accabfaae0940f9427c782bfee7340ce4c15151c upstream.
+
+The PFC_MASK value for the PFC_mx registers is currently hardcoded to
+0x07, which is correct for SoCs in the RZ/G2L family, but insufficient
+for RZ/V2H and RZ/G3E, where the mask value should be 0x0f. This
+discrepancy causes incorrect PFC register configuration on RZ/V2H and
+RZ/G3E SoCs.
+
+On RZ/G2L, the PFC_mx bitfields are also 4 bits wide, with bit 4 marked
+as reserved. The reserved bits are documented to read as zero and be
+ignored when written. Updating the PFC_MASK definition from 0x07 to
+0x0f ensures compatibility with both SoC families while maintaining
+correct behavior on RZ/G2L.
+
+Fixes: 9bd95ac86e70 ("pinctrl: renesas: rzg2l: Add support for RZ/V2H SoC")
+Cc: stable@vger.kernel.org
+Reported-by: Hien Huynh
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/20250110221045.594596-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+@@ -157,7 +157,7 @@
+ #define PWPR_REGWE_B BIT(5) /* OEN Register Write Enable, known only in RZ/V2H(P) */
+
+ #define PM_MASK 0x03
+-#define PFC_MASK 0x07
++#define PFC_MASK 0x0f
+ #define IEN_MASK 0x01
+ #define IOLH_MASK 0x03
+ #define SR_MASK 0x01
diff --git a/queue-6.13/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch b/queue-6.13/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
new file mode 100644
index 0000000000..be04a18ba5
--- /dev/null
+++ b/queue-6.13/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
@@ -0,0 +1,44 @@
+From 459915f55509f4bfd6076daa1428e28490ddee3b Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Wed, 6 Nov 2024 23:04:39 +0100
+Subject: pinctrl: samsung: fix fwnode refcount cleanup if platform_get_irq_optional() fails
+
+From: Javier Carrasco
+
+commit 459915f55509f4bfd6076daa1428e28490ddee3b upstream.
+
+Commit 50ebd19e3585 ("pinctrl: samsung: drop pin banks references on
+error paths") fixed the pin bank references on the error paths of the
+probe function, but there is still an error path where this is not done.
+
+If samsung_pinctrl_get_soc_data() does not fail, the child references
+will have acquired, and they will need to be released in the error path
+of platform_get_irq_optional(), as it is done in the following error
+paths within the probe function.
+
+Replace the direct return in the error path with a goto instruction to
+the cleanup function.
+
+Cc: stable@vger.kernel.org
+Fixes: a382d568f144 ("pinctrl: samsung: Use platform_get_irq_optional() to get the interrupt")
+Signed-off-by: Javier Carrasco
+Link: https://lore.kernel.org/r/20241106-samsung-pinctrl-put-v1-1-de854e26dd03@gmail.com
+[krzysztof: change Fixes SHA to point to commit introducing the return
+ leading to OF node leak]
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -1272,7 +1272,7 @@ static int samsung_pinctrl_probe(struct
+
+ ret = platform_get_irq_optional(pdev, 0);
+ if (ret < 0 && ret != -ENXIO)
+- return ret;
++ goto err_put_banks;
+ if (ret > 0)
+ drvdata->irq = ret;
+
diff --git a/queue-6.13/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch b/queue-6.13/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
new file mode 100644
index 0000000000..21022b4945
--- /dev/null
+++ b/queue-6.13/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
@@ -0,0 +1,78 @@
+From eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Thu, 16 Jan 2025 20:05:39 -0500
+Subject: pnfs/flexfiles: retry getting layout segment for reads
+
+From: Mike Snitzer
+
+commit eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca upstream.
+
+If ff_layout_pg_get_read()'s attempt to get a layout segment results
+in -EAGAIN have ff_layout_pg_init_read() retry it after sleeping.
+
+If "softerr" mount is used, use 'io_maxretrans' to limit the number of
+attempts to get a layout segment.
+
+This fixes a long-standing issue of O_DIRECT reads failing with
+-EAGAIN (11) when using flexfiles Client Side Mirroring (CSM).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -847,6 +847,9 @@ ff_layout_pg_init_read(struct nfs_pageio
+ struct nfs4_pnfs_ds *ds;
+ u32 ds_idx;
+
++ if (NFS_SERVER(pgio->pg_inode)->flags &
++ (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
++ pgio->pg_maxretrans = io_maxretrans;
+ retry:
+ pnfs_generic_pg_check_layout(pgio, req);
+ /* Use full layout for now */
+@@ -860,6 +863,8 @@ retry:
+ if (!pgio->pg_lseg)
+ goto out_nolseg;
+ }
++ /* Reset wb_nio, since getting layout segment was successful */
++ req->wb_nio = 0;
+
+ ds = ff_layout_get_ds_for_read(pgio, &ds_idx);
+ if (!ds) {
+@@ -876,14 +881,24 @@ retry:
+ pgm->pg_bsize = mirror->mirror_ds->ds_versions[0].rsize;
+
+ pgio->pg_mirror_idx = ds_idx;
+-
+- if (NFS_SERVER(pgio->pg_inode)->flags &
+- (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
+- pgio->pg_maxretrans = io_maxretrans;
+ return;
+ out_nolseg:
+- if (pgio->pg_error < 0)
+- return;
++ if (pgio->pg_error < 0) {
++ if (pgio->pg_error != -EAGAIN)
++ return;
++ /* Retry getting layout segment if lower layer returned -EAGAIN */
++ if (pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans) {
++ if (NFS_SERVER(pgio->pg_inode)->flags & NFS_MOUNT_SOFTERR)
++ pgio->pg_error = -ETIMEDOUT;
++ else
++ pgio->pg_error = -EIO;
++ return;
++ }
++ pgio->pg_error = 0;
++ /* Sleep for 1 second before retrying */
++ ssleep(1);
++ goto retry;
++ }
+ out_mds:
+ trace_pnfs_mds_fallback_pg_init_read(pgio->pg_inode,
+ 0, NFS4_MAX_UINT64, IOMODE_READ,
diff --git a/queue-6.13/ptp-ensure-info-enable-callback-is-always-set.patch b/queue-6.13/ptp-ensure-info-enable-callback-is-always-set.patch
new file mode 100644
index 0000000000..23369f81ef
--- /dev/null
+++ b/queue-6.13/ptp-ensure-info-enable-callback-is-always-set.patch
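Review bot: The retry branch under `out_nolseg:` in ff_layout_pg_init_read() is bounded only when `pgio->pg_maxretrans` is nonzero, and this function sets it only for NFS_MOUNT_SOFT/NFS_MOUNT_SOFTERR mounts, so on other mounts a persistent -EAGAIN loops through `ssleep(1)`, an uninterruptible sleep, with no fatal-signal check visible in the hunk. If unbounded retry is intended for hard mounts, a killable wait with an early exit on a fatal signal would keep the task terminable; which helper fits depends on the rest of the file, which is outside the hunk. The bound itself, `req->wb_nio++ > pgio->pg_maxretrans`, tests before incrementing and uses `>`, so it permits one more retry than `pg_maxretrans`; if that is not meant, `>=` fixes it, otherwise a comment stating the intended count would remove the doubt.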
@@ -0,0 +1,54 @@
+From fd53aa40e65f518453115b6f56183b0c201db26b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Thu, 23 Jan 2025 08:22:40 +0100
+Subject: ptp: Ensure info->enable callback is always set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
+
+The ioctl and sysfs handlers unconditionally call the ->enable callback.
+Not all drivers implement that callback, leading to NULL dereferences.
+Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
+
+Instead use a dummy callback if no better was specified by the driver.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh
+Acked-by: Richard Cochran
+Reviewed-by: Michal Swiatkowski
+Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ptp/ptp_clock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -217,6 +217,11 @@ static int ptp_getcycles64(struct ptp_cl
+ return info->gettime64(info, ts);
+ }
+
++static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
++{
++ return -EOPNOTSUPP;
++}
++
+ static void ptp_aux_kworker(struct kthread_work *work)
+ {
+ struct ptp_clock *ptp = container_of(work, struct ptp_clock,
+@@ -294,6 +299,9 @@ struct ptp_clock *ptp_clock_register(str
+ ptp->info->getcrosscycles = ptp->info->getcrosststamp;
+ }
+
++ if (!ptp->info->enable)
++ ptp->info->enable = ptp_enable;
++
+ if (ptp->info->do_aux_work) {
+ kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
+ ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
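Review bot: ptp_clock_register() installs the fallback by writing into the driver-supplied structure, `ptp->info->enable = ptp_enable;`, so the caller's ptp_clock_info is modified as a side effect of registration; the context line above does the same for `getcrosscycles`, so it is consistent, but it assumes the structure is writable and not shared, which deserves a comment. The stub itself has none; something like `/* Fallback for drivers without ->enable: ioctl and sysfs callers get -EOPNOTSUPP instead of calling a NULL pointer */` records why it exists. The name `ptp_enable` is also very generic next to driver callbacks of similar names, and `ptp_enable_unsupported` would say what it does.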
diff --git a/queue-6.13/rdma-mlx5-fix-a-race-for-an-odp-mr-which-leads-to-cqe-with-error.patch b/queue-6.13/rdma-mlx5-fix-a-race-for-an-odp-mr-which-leads-to-cqe-with-error.patch
new file mode 100644
index 0000000000..cfb09eaf52
--- /dev/null
+++ b/queue-6.13/rdma-mlx5-fix-a-race-for-an-odp-mr-which-leads-to-cqe-with-error.patch
@@ -0,0 +1,125 @@
+From abb604a1a9c87255c7a6f3b784410a9707baf467 Mon Sep 17 00:00:00 2001
+From: Yishai Hadas
+Date: Sun, 19 Jan 2025 14:38:25 +0200
+Subject: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error
+
+From: Yishai Hadas
+
+commit abb604a1a9c87255c7a6f3b784410a9707baf467 upstream.
+
+This patch addresses a race condition for an ODP MR that can result in a
+CQE with an error on the UMR QP.
+
+During the __mlx5_ib_dereg_mr() flow, the following sequence of calls
+occurs:
+
+mlx5_revoke_mr()
+ mlx5r_umr_revoke_mr()
+ mlx5r_umr_post_send_wait()
+
+At this point, the lkey is freed from the hardware's perspective.
+
+However, concurrently, mlx5_ib_invalidate_range() might be triggered by
+another task attempting to invalidate a range for the same freed lkey.
+
+This task will:
+ - Acquire the umem_odp->umem_mutex lock.
+ - Call mlx5r_umr_update_xlt() on the UMR QP.
+ - Since the lkey has already been freed, this can lead to a CQE error,
+ causing the UMR QP to enter an error state [1].
+
+To resolve this race condition, the umem_odp->umem_mutex lock is now also
+acquired as part of the mlx5_revoke_mr() scope. Upon successful revoke,
+we set umem_odp->private which points to that MR to NULL, preventing any
+further invalidation attempts on its lkey.
+
+[1] From dmesg:
+
+ infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error
+ cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2
+
+ WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]
+ Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core
+ CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]
+ [..]
+ Call Trace:
+
+ mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]
+ mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]
+ __mmu_notifier_invalidate_range_start+0x1e1/0x240
+ zap_page_range_single+0xf1/0x1a0
+ madvise_vma_behavior+0x677/0x6e0
+ do_madvise+0x1a2/0x4b0
+ __x64_sys_madvise+0x25/0x30
+ do_syscall_64+0x6b/0x140
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: e6fb246ccafb ("RDMA/mlx5: Consolidate MR destruction to mlx5_ib_dereg_mr()")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/r/68a1e007c25b2b8fe5d625f238cc3b63e5341f77.1737290229.git.leon@kernel.org
+Signed-off-by: Yishai Hadas
+Reviewed-by: Artemy Kovalyov
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/mlx5/mr.c | 17 +++++++++++++++--
+ drivers/infiniband/hw/mlx5/odp.c | 2 ++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -2021,6 +2021,11 @@ static int mlx5_revoke_mr(struct mlx5_ib
+ {
+ struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device);
+ struct mlx5_cache_ent *ent = mr->mmkey.cache_ent;
++ bool is_odp = is_odp_mr(mr);
++ int ret = 0;
++
++ if (is_odp)
++ mutex_lock(&to_ib_umem_odp(mr->umem)->umem_mutex);
+
+ if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr)) {
+ ent = mr->mmkey.cache_ent;
+@@ -2032,7 +2037,7 @@ static int mlx5_revoke_mr(struct mlx5_ib
+ ent->tmp_cleanup_scheduled = true;
+ }
+ spin_unlock_irq(&ent->mkeys_queue.lock);
+- return 0;
++ goto out;
+ }
+
+ if (ent) {
+@@ -2041,7 +2046,15 @@ static int mlx5_revoke_mr(struct mlx5_ib
+ mr->mmkey.cache_ent = NULL;
+ spin_unlock_irq(&ent->mkeys_queue.lock);
+ }
+- return destroy_mkey(dev, mr);
++ ret = destroy_mkey(dev, mr);
++out:
++ if (is_odp) {
++ if (!ret)
++ to_ib_umem_odp(mr->umem)->private = NULL;
++ mutex_unlock(&to_ib_umem_odp(mr->umem)->umem_mutex);
++ }
++
++ return ret;
+ }
+
+ static int __mlx5_ib_dereg_mr(struct ib_mr *ibmr)
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -282,6 +282,8 @@ static bool mlx5_ib_invalidate_range(str
+ if (!umem_odp->npages)
+ goto out;
+ mr = umem_odp->private;
++ if (!mr)
++ goto out;
+
+ start = max_t(u64, ib_umem_start(umem_odp), range->start);
+ end = min_t(u64, ib_umem_end(umem_odp), range->end);
diff --git a/queue-6.13/rtc-zynqmp-fix-optional-clock-name-property.patch b/queue-6.13/rtc-zynqmp-fix-optional-clock-name-property.patch
new file mode 100644
index 0000000000..bb84807c4d
--- /dev/null
+++ b/queue-6.13/rtc-zynqmp-fix-optional-clock-name-property.patch
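Review bot: The NULL check on `umem_odp->private` is added only in mlx5_ib_invalidate_range() (the odp.c hunk), while mlx5_revoke_mr() now clears that pointer; any other reader of `umem_odp->private` would need the same check under `umem_mutex`, and those readers are outside this diff, so they are worth auditing. In mlx5_revoke_mr(), `to_ib_umem_odp(mr->umem)` is evaluated three times; one local, `struct ib_umem_odp *odp = is_odp ? to_ib_umem_odp(mr->umem) : NULL;`, could replace the repeated calls and make the lock/unlock pairing easier to audit. When `destroy_mkey()` fails, `private` stays set after the mutex is dropped, so invalidations can still reach this MR; a comment at `out:` stating that this is intended on the failure path would help.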
@@ -0,0 +1,39 @@
+From 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 Mon Sep 17 00:00:00 2001
+From: Michal Simek
+Date: Wed, 27 Nov 2024 17:01:22 +0100
+Subject: rtc: zynqmp: Fix optional clock name property
+
+From: Michal Simek
+
+commit 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 upstream.
+
+Clock description in DT binding introduced by commit f69060c14431
+("dt-bindings: rtc: zynqmp: Add clock information") is talking about "rtc"
+clock name but driver is checking "rtc_clk" name instead.
+Because clock is optional property likely in was never handled properly by
+the driver.
+
+Fixes: 07dcc6f9c762 ("rtc: zynqmp: Add calibration set and get support")
+Signed-off-by: Michal Simek
+Cc: stable@kernel.org
+Reviewed-by: Peter Korsgaard
+Link: https://lore.kernel.org/r/cd5f0c9d01ec1f5a240e37a7e0d85b8dacb3a869.1732723280.git.michal.simek@amd.com
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-zynqmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-zynqmp.c
++++ b/drivers/rtc/rtc-zynqmp.c
+@@ -318,8 +318,8 @@ static int xlnx_rtc_probe(struct platfor
+ return ret;
+ }
+
+- /* Getting the rtc_clk info */
+- xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc_clk");
++ /* Getting the rtc info */
++ xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc");
+ if (IS_ERR(xrtcdev->rtc_clk)) {
+ if (PTR_ERR(xrtcdev->rtc_clk) != -EPROBE_DEFER)
+ dev_warn(&pdev->dev, "Device clock not found.\n");
diff --git a/queue-6.13/rtla-add-trace_instance_stop.patch b/queue-6.13/rtla-add-trace_instance_stop.patch
new file mode 100644
index 0000000000..bcd1987dab
--- /dev/null
+++ b/queue-6.13/rtla-add-trace_instance_stop.patch
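Review bot: The lookup in xlnx_rtc_probe() now accepts only `"rtc"`, so a device tree that still names the clock `rtc_clk` gets NULL back from devm_clk_get_optional() and skips the visible IS_ERR() branch, which means the clock is dropped without any message. Whether such device trees exist is not visible from this hunk, but a fallback lookup of the old name when the new one returns NULL, or at least a dev_dbg() on the NULL case, would make the change safe for them. The replacement comment `/* Getting the rtc info */` is also vaguer than the one it replaces; `/* Optional "rtc" clock, name per the DT binding */` says what the line does. The probe function starts and ends outside the hunk.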
@@ -0,0 +1,55 @@
+From e879b5dcf8d044f3865a32d95cc5b213f314c54f Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:27 +0100
+Subject: rtla: Add trace_instance_stop
+
+From: Tomas Glozar
+
+commit e879b5dcf8d044f3865a32d95cc5b213f314c54f upstream.
+
+Support not only turning trace on for the timerlat tracer, but also
+turning it off.
+
+This will be used in subsequent patches to stop the timerlat tracer
+without also wiping the trace buffer.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/trace.c | 8 ++++++++
+ tools/tracing/rtla/src/trace.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/tools/tracing/rtla/src/trace.c
++++ b/tools/tracing/rtla/src/trace.c
+@@ -197,6 +197,14 @@ int trace_instance_start(struct trace_in
+ }
+
+ /*
++ * trace_instance_stop - stop tracing a given rtla instance
++ */
++int trace_instance_stop(struct trace_instance *trace)
++{
++ return tracefs_trace_off(trace->inst);
++}
++
++/*
+ * trace_events_free - free a list of trace events
+ */
+ static void trace_events_free(struct trace_events *events)
+--- a/tools/tracing/rtla/src/trace.h
++++ b/tools/tracing/rtla/src/trace.h
+@@ -21,6 +21,7 @@ struct trace_instance {
+
+ int trace_instance_init(struct trace_instance *trace, char *tool_name);
+ int trace_instance_start(struct trace_instance *trace);
++int trace_instance_stop(struct trace_instance *trace);
+ void trace_instance_destroy(struct trace_instance *trace);
+
+ struct trace_seq *get_trace_seq(void);
diff --git a/queue-6.13/rtla-osnoise-distinguish-missing-workload-option.patch b/queue-6.13/rtla-osnoise-distinguish-missing-workload-option.patch
new file mode 100644
index 0000000000..f835627d83
--- /dev/null
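Review bot: The header comment on trace_instance_stop() does not say what the function returns or that the trace buffer is left intact, which is the property the commit message gives as the reason for adding it. I would extend it to `* trace_instance_stop - stop tracing a given rtla instance, keeping the buffer contents` and add a line `* Returns the result of tracefs_trace_off().`. Since `trace->inst` is dereferenced unchecked, the comment could also state that the instance must have been initialised before the call.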
+++ b/queue-6.13/rtla-osnoise-distinguish-missing-workload-option.patch
@@ -0,0 +1,36 @@
+From 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Tue, 7 Jan 2025 15:48:21 +0100
+Subject: rtla/osnoise: Distinguish missing workload option
+
+From: Tomas Glozar
+
+commit 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c upstream.
+
+osnoise_set_workload returns -1 for both missing OSNOISE_WORKLOAD option
+and failure in setting the option.
+
+Return -1 for missing and -2 for failure to distinguish them.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Link: https://lore.kernel.org/20250107144823.239782-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/osnoise.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/osnoise.c
++++ b/tools/tracing/rtla/src/osnoise.c
+@@ -867,7 +867,7 @@ int osnoise_set_workload(struct osnoise_
+
+ retval = osnoise_options_set_option("OSNOISE_WORKLOAD", onoff);
+ if (retval < 0)
+- return -1;
++ return -2;
+
+ context->opt_workload = onoff;
+
diff --git a/queue-6.13/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch b/queue-6.13/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
new file mode 100644
index 0000000000..fbf3a936d1
--- /dev/null
+++ b/queue-6.13/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
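Review bot: `return -2;` in osnoise_set_workload() makes the return value a three-way code that is written down only in the commit message, and the timerlat_hist.c and timerlat_top.c patches later in this series depend on it through `if (retval < -1)`. A comment at the function, e.g. `/* returns 0 on success, -1 if OSNOISE_WORKLOAD is not available, -2 if setting it failed */`, or two named constants, would keep the producer and those checks from drifting apart. Any other caller that tests `if (retval)` keeps working but cannot tell the two cases apart; such callers are not visible here. The function body starts and ends outside the hunk.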
@@ -0,0 +1,72 @@
+From d8d866171a414ed88bd0d720864095fd75461134 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Tue, 7 Jan 2025 15:48:22 +0100
+Subject: rtla/timerlat_hist: Set OSNOISE_WORKLOAD for kernel threads
+
+From: Tomas Glozar
+
+commit d8d866171a414ed88bd0d720864095fd75461134 upstream.
+
+When using rtla timerlat with userspace threads (-u or -U), rtla
+disables the OSNOISE_WORKLOAD option in
+/sys/kernel/tracing/osnoise/options. This option is not re-enabled in a
+subsequent run with kernel-space threads, leading to rtla collecting no
+results if the previous run exited abnormally:
+
+$ rtla timerlat hist -u
+^\Quit (core dumped)
+$ rtla timerlat hist -k -d 1s
+Index
+over:
+count:
+min:
+avg:
+max:
+ALL: IRQ Thr Usr
+count: 0 0 0
+min: - - -
+avg: - - -
+max: - - -
+
+The issue persists until OSNOISE_WORKLOAD is set manually by running:
+$ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+
+Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if
+available to fix the issue.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Link: https://lore.kernel.org/20250107144823.239782-3-tglozar@redhat.com
+Fixes: ed774f7481fa ("rtla/timerlat_hist: Add timerlat user-space support")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -1100,12 +1100,15 @@ timerlat_hist_apply_config(struct osnois
+ }
+ }
+
+- if (params->user_hist) {
+- retval = osnoise_set_workload(tool->context, 0);
+- if (retval) {
+- err_msg("Failed to set OSNOISE_WORKLOAD option\n");
+- goto out_err;
+- }
++ /*
++ * Set workload according to type of thread if the kernel supports it.
++ * On kernels without support, user threads will have already failed
++ * on missing timerlat_fd, and kernel threads do not need it.
++ */
++ retval = osnoise_set_workload(tool->context, params->kernel_workload);
++ if (retval < -1) {
++ err_msg("Failed to set OSNOISE_WORKLOAD option\n");
++ goto out_err;
+ }
+
+ return 0;
diff --git a/queue-6.13/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch b/queue-6.13/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
new file mode 100644
index 0000000000..deef38adcf
--- /dev/null
+++ b/queue-6.13/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
@@ -0,0 +1,71 @@
+From c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:28 +0100
+Subject: rtla/timerlat_hist: Stop timerlat tracer on signal
+
+From: Tomas Glozar
+
+commit c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-3-tglozar@redhat.com
+Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -1149,9 +1149,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *hist_inst = NULL;
+ static void stop_hist(int sig)
+ {
+ stop_tracing = 1;
++ if (hist_inst)
++ trace_instance_stop(hist_inst);
+ }
+
+ /*
+@@ -1198,6 +1201,12 @@ int timerlat_hist_main(int argc, char *a
+ }
+
+ trace = &tool->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ hist_inst = trace;
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -1366,7 +1375,7 @@ int timerlat_hist_main(int argc, char *a
+
+ return_value = 0;
+
+- if (trace_is_off(&tool->trace, &record->trace)) {
++ if (trace_is_off(&tool->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+
+ if (!params->no_aa)
diff --git a/queue-6.13/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch b/queue-6.13/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
new file mode 100644
index 0000000000..91c2db05dc
--- /dev/null
+++ b/queue-6.13/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
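Review bot: stop_hist() now calls trace_instance_stop() from signal context, and that wraps tracefs_trace_off(), a library call whose async-signal-safety is not established anywhere in this hunk; if it allocates or takes a lock, a signal that lands while the main loop is inside another tracefs call could deadlock or corrupt state. The handler also shares two plain globals with the main flow, so I would at least declare the flag as `static volatile sig_atomic_t stop_tracing;` and set `hist_inst = NULL;` before the trace instance is torn down, so that a late SIGALRM cannot reach a freed instance (the teardown path is outside the hunk, so that part is inferred). The same applies to stop_top() and `top_inst` in the timerlat_top.c patch further down. A comment on the handler stating which calls it relies on being signal-safe would make the assumption reviewable.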
@@ -0,0 +1,64 @@
+From 217f0b1e990e30a1f06f6d531fdb4530f4788d48 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Tue, 7 Jan 2025 15:48:23 +0100
+Subject: rtla/timerlat_top: Set OSNOISE_WORKLOAD for kernel threads
+
+From: Tomas Glozar
+
+commit 217f0b1e990e30a1f06f6d531fdb4530f4788d48 upstream.
+
+When using rtla timerlat with userspace threads (-u or -U), rtla
+disables the OSNOISE_WORKLOAD option in
+/sys/kernel/tracing/osnoise/options. This option is not re-enabled in a
+subsequent run with kernel-space threads, leading to rtla collecting no
+results if the previous run exited abnormally:
+
+$ rtla timerlat top -u
+^\Quit (core dumped)
+$ rtla timerlat top -k -d 1s
+ Timer Latency
+ 0 00:00:01 | IRQ Timer Latency (us) | Thread Timer Latency (us)
+CPU COUNT | cur min avg max | cur min avg max
+
+The issue persists until OSNOISE_WORKLOAD is set manually by running:
+$ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+
+Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if
+available to fix the issue.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Link: https://lore.kernel.org/20250107144823.239782-4-tglozar@redhat.com
+Fixes: cdca4f4e5e8e ("rtla/timerlat_top: Add timerlat user-space support")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_top.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -851,12 +851,15 @@ timerlat_top_apply_config(struct osnoise
+ }
+ }
+
+- if (params->user_top) {
+- retval = osnoise_set_workload(top->context, 0);
+- if (retval) {
+- err_msg("Failed to set OSNOISE_WORKLOAD option\n");
+- goto out_err;
+- }
++ /*
++ * Set workload according to type of thread if the kernel supports it.
++ * On kernels without support, user threads will have already failed
++ * on missing timerlat_fd, and kernel threads do not need it.
++ */
++ retval = osnoise_set_workload(top->context, params->kernel_workload);
++ if (retval < -1) {
++ err_msg("Failed to set OSNOISE_WORKLOAD option\n");
++ goto out_err;
+ }
+
+ if (isatty(STDOUT_FILENO) && !params->quiet)
diff --git a/queue-6.13/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch b/queue-6.13/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
new file mode 100644
index 0000000000..e5b8542593
--- /dev/null
+++ b/queue-6.13/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
@@ -0,0 +1,72 @@
+From a4dfce7559d75430c464294ddee554be2a413c4a Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:29 +0100
+Subject: rtla/timerlat_top: Stop timerlat tracer on signal
+
+From: Tomas Glozar
+
+commit a4dfce7559d75430c464294ddee554be2a413c4a upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-4-tglozar@redhat.com
+Fixes: a828cd18bc4a ("rtla: Add timerlat tool and timelart top mode")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_top.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -903,9 +903,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *top_inst = NULL;
+ static void stop_top(int sig)
+ {
+ stop_tracing = 1;
++ if (top_inst)
++ trace_instance_stop(top_inst);
+ }
+
+ /*
+@@ -953,6 +956,13 @@ int timerlat_top_main(int argc, char *ar
+ }
+
+ trace = &top->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ top_inst = trace;
++
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -1134,7 +1144,7 @@ int timerlat_top_main(int argc, char *ar
+
+ return_value = 0;
+
+- if (trace_is_off(&top->trace, &record->trace)) {
++ if (trace_is_off(&top->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+
+ if (!params->no_aa)
diff --git a/queue-6.13/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch b/queue-6.13/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
new file mode 100644
index 0000000000..9afd418713
--- /dev/null
+++ b/queue-6.13/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
@@ -0,0 +1,34 @@
+From 4ebc417ef9cb34010a71270421fe320ec5d88aa2 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka
+Date: Fri, 10 Jan 2025 11:36:33 +0100
+Subject: scripts/gdb: fix aarch64 userspace detection in get_current_task
+
+From: Jan Kiszka
+
+commit 4ebc417ef9cb34010a71270421fe320ec5d88aa2 upstream.
+
+At least recent gdb releases (seen with 14.2) return SP_EL0 as signed long
+which lets the right-shift always return 0.
+
+Link: https://lkml.kernel.org/r/dcd2fabc-9131-4b48-8419-6444e2d67454@siemens.com
+Signed-off-by: Jan Kiszka
+Cc: Barry Song
+Cc: Kieran Bingham
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/gdb/linux/cpus.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/gdb/linux/cpus.py
++++ b/scripts/gdb/linux/cpus.py
+@@ -167,7 +167,7 @@ def get_current_task(cpu):
+ var_ptr = gdb.parse_and_eval("&pcpu_hot.current_task")
+ return per_cpu(var_ptr, cpu).dereference()
+ elif utils.is_target_arch("aarch64"):
+- current_task_addr = gdb.parse_and_eval("$SP_EL0")
++ current_task_addr = gdb.parse_and_eval("(unsigned long)$SP_EL0")
+ if (current_task_addr >> 63) != 0:
+ current_task = current_task_addr.cast(task_ptr_type)
+ return current_task.dereference()
diff --git a/queue-6.13/selftests-mptcp-connect-f-no-reconnect.patch b/queue-6.13/selftests-mptcp-connect-f-no-reconnect.patch
new file mode 100644
index 0000000000..524bcea739
--- /dev/null
+++ b/queue-6.13/selftests-mptcp-connect-f-no-reconnect.patch
@@ -0,0 +1,45 @@
+From 5368a67307b3b2c347dc8965ac55b888be665934 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Tue, 4 Feb 2025 23:19:53 +0100
+Subject: selftests: mptcp: connect: -f: no reconnect
+
+From: Matthieu Baerts (NGI0)
+
+commit 5368a67307b3b2c347dc8965ac55b888be665934 upstream.
+
+The '-f' parameter is there to force the kernel to emit MPTCP FASTCLOSE
+by closing the connection with unread bytes in the receive queue.
+
+The xdisconnect() helper was used to stop the connection, but it does
+more than that: it will shut it down, then wait before reconnecting to
+the same address. This causes the mptcp_join's "fastclose test" to fail
+all the time.
+
+This failure is due to a recent change, with commit 218cc166321f
+("selftests: mptcp: avoid spurious errors on disconnect"), but that went
+unnoticed because the test is currently ignored. The recent modification
+only shown an existing issue: xdisconnect() doesn't need to be used
+here, only the shutdown() part is needed.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250204-net-mptcp-sft-conn-f-v1-1-6b470c72fffa@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1302,7 +1302,7 @@ again:
+ return ret;
+
+ if (cfg_truncate > 0) {
+- xdisconnect(fd);
++ shutdown(fd, SHUT_WR);
+ } else if (--cfg_repeat > 0) {
+ xdisconnect(fd);
+
diff --git a/queue-6.13/series b/queue-6.13/series
index 363292edae..86644f5105 100644
--- a/queue-6.13/series
+++ b/queue-6.13/series
@@ -379,3 +379,54 @@ mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch
 mm-vmscan-accumulate-nr_demoted-for-accurate-demotion-statistics.patch
 mm-hugetlb-fix-hugepage-allocation-for-interleaved-memory-nodes.patch
 mm-compaction-fix-ubsan-shift-out-of-bounds-warning.patch
+ata-libata-core-add-ata_quirk_nolpm-for-samsung-ssd-870-qvo-drives.patch
+ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
+irqchip-irq-mvebu-icu-fix-access-to-msi_data-from-irq_domain-host_data.patch
+crypto-qce-fix-goto-jump-in-error-path.patch
+crypto-qce-unregister-previously-registered-algos-in-error-path.patch
+ceph-fix-memory-leak-in-ceph_mds_auth_match.patch
+nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
+nvmem-core-improve-range-check-for-nvmem_cell_write.patch
+nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch
+nvmem-imx-ocotp-ele-fix-mac-address-byte-order.patch
+nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
+nvmem-imx-ocotp-ele-set-word-length-to-1.patch
+io_uring-fix-multishots-with-selected-buffers.patch
+io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+selftests-mptcp-connect-f-no-reconnect.patch
+pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
+ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
+ocfs2-handle-a-symlink-read-error-correctly.patch
+nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
+nfs-make-nfs_fscache-select-netfs_support-instead-of-depending-on-it.patch
+nfsd-encode-compound-operation-status-on-page-boundaries.patch
+mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
+mailbox-zynqmp-remove-invalid-__percpu-annotation-in-zynqmp_ipi_probe.patch
+nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
+fgraph-fix-set_graph_notrace-with-setting-trace_graph_notrace_bit.patch
+i3c-master-fix-missing-ret-assignment-in-set_speed.patch
+irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
+mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
+misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch
+misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
+misc-fastrpc-fix-registered-buffer-page-address.patch
+misc-fastrpc-fix-copy-buffer-page-size.patch
+net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
+net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
+maple_tree-simplify-split-calculation.patch
+scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
+tracing-osnoise-fix-resetting-of-tracepoints.patch
+rtla-osnoise-distinguish-missing-workload-option.patch
+rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
+rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
+rtla-add-trace_instance_stop.patch
+rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
+rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
+pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
+pinctrl-renesas-rzg2l-fix-pfc_mask-for-rz-v2h-and-rz-g3e.patch
+ptp-ensure-info-enable-callback-is-always-set.patch
+rdma-mlx5-fix-a-race-for-an-odp-mr-which-leads-to-cqe-with-error.patch
+rtc-zynqmp-fix-optional-clock-name-property.patch
+statmount-let-unset-strings-be-empty.patch
+timers-migration-fix-off-by-one-root-mis-connection.patch
diff --git a/queue-6.13/statmount-let-unset-strings-be-empty.patch b/queue-6.13/statmount-let-unset-strings-be-empty.patch
new file mode 100644
index 0000000000..3a0d003648
--- /dev/null
+++ b/queue-6.13/statmount-let-unset-strings-be-empty.patch
@@ -0,0 +1,97 @@
+From e52e97f09fb66fd868260d05bd6b74a9a3db39ee Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 30 Jan 2025 13:15:00 +0100
+Subject: statmount: let unset strings be empty
+
+From: Miklos Szeredi
+
+commit e52e97f09fb66fd868260d05bd6b74a9a3db39ee upstream.
+
+Just like it's normal for unset values to be zero, unset strings should be
+empty instead of containing random values.
+
+It seems to be a typical mistake that the mask returned by statmount is not
+checked, which can result in various bugs.
+
+With this fix, these bugs are prevented, since it is highly likely that
+userspace would just want to turn the missing mask case into an empty
+string anyway (most of the recently found cases are of this type).
+
+Link: https://lore.kernel.org/all/CAJfpegsVCPfCn2DpM8iiYSS5DpMsLB8QBUCHecoj6s0Vxf4jzg@mail.gmail.com/
+Fixes: 68385d77c05b ("statmount: simplify string option retrieval")
+Fixes: 46eae99ef733 ("add statmount(2) syscall")
+Cc: stable@vger.kernel.org # v6.8
+Signed-off-by: Miklos Szeredi
+Link: https://lore.kernel.org/r/20250130121500.113446-1-mszeredi@redhat.com
+Reviewed-by: Jeff Layton
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namespace.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -5137,39 +5137,45 @@ static int statmount_string(struct kstat
+ size_t kbufsize;
+ struct seq_file *seq = &s->seq;
+ struct statmount *sm = &s->sm;
+- u32 start = seq->count;
++ u32 start, *offp;
++
++ /* Reserve an empty string at the beginning for any unset offsets */
++ if (!seq->count)
++ seq_putc(seq, 0);
++
++ start = seq->count;
+
+ switch (flag) {
+ case STATMOUNT_FS_TYPE:
+- sm->fs_type = start;
++ offp = &sm->fs_type;
+ ret = statmount_fs_type(s, seq);
+ break;
+ case STATMOUNT_MNT_ROOT:
+- sm->mnt_root = start;
++ offp = &sm->mnt_root;
+ ret = statmount_mnt_root(s, seq);
+ break;
+ case STATMOUNT_MNT_POINT:
+- sm->mnt_point = start;
++ offp = &sm->mnt_point;
+ ret = statmount_mnt_point(s, seq);
+ break;
+ case STATMOUNT_MNT_OPTS:
+- sm->mnt_opts = start;
++ offp = &sm->mnt_opts;
+ ret = statmount_mnt_opts(s, seq);
+ break;
+ case STATMOUNT_OPT_ARRAY:
+- sm->opt_array = start;
++ offp = &sm->opt_array;
+ ret = statmount_opt_array(s, seq);
+ break;
+ case STATMOUNT_OPT_SEC_ARRAY:
+- sm->opt_sec_array = start;
++ offp = &sm->opt_sec_array;
+ ret = statmount_opt_sec_array(s, seq);
+ break;
+ case STATMOUNT_FS_SUBTYPE:
+- sm->fs_subtype = start;
++ offp = &sm->fs_subtype;
+ statmount_fs_subtype(s, seq);
+ break;
+ case STATMOUNT_SB_SOURCE:
+- sm->sb_source = start;
++ offp = &sm->sb_source;
+ ret = statmount_sb_source(s, seq);
+ break;
+ default:
+@@ -5197,6 +5203,7 @@ static int statmount_string(struct kstat
+
+ seq->buf[seq->count++] = '\0';
+ sm->mask |= flag;
++ *offp = start;
+ return 0;
+ }
+
diff --git a/queue-6.13/timers-migration-fix-off-by-one-root-mis-connection.patch b/queue-6.13/timers-migration-fix-off-by-one-root-mis-connection.patch
new file mode 100644
index 0000000000..c59f75c30c
--- /dev/null
+++ b/queue-6.13/timers-migration-fix-off-by-one-root-mis-connection.patch
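Review bot: Why `*offp = start;` is written only at the very end of statmount_string() is not stated in the code. From the hunk it looks as if every path that leaves before `sm->mask |= flag;` is meant to keep the field at 0, which now indexes the empty string reserved by `seq_putc(seq, 0)`; a comment above that store, e.g. `/* publish the offset only on success; unset fields stay 0 and point at the reserved empty string */`, would record this. `offp` has no initialiser and the body of `default:` is outside the hunk, so it is worth confirming that this branch returns before the store is reached. The check that the reserved byte actually fits into the seq buffer is likewise not visible here.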
@@ -0,0 +1,87 @@
+From 868c9037df626b3c245ee26a290a03ae1f9f58d3 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker
+Date: Wed, 5 Feb 2025 17:02:20 +0100
+Subject: timers/migration: Fix off-by-one root mis-connection
+
+From: Frederic Weisbecker
+
+commit 868c9037df626b3c245ee26a290a03ae1f9f58d3 upstream.
+
+Before attaching a new root to the old root, the children counter of the
+new root is checked to verify that only the upcoming CPU's top group have
+been connected to it. However since the recently added commit b729cc1ec21a
+("timers/migration: Fix another race between hotplug and idle entry/exit")
+this check is not valid anymore because the old root is pre-accounted
+as a child to the new root. Therefore after connecting the upcoming
+CPU's top group to the new root, the children count to be expected must
+be 2 and not 1 anymore.
+
+This omission results in the old root to not be connected to the new
+root. Then eventually the system may run with more than one top level,
+which defeats the purpose of a single idle migrator.
+
+Also the old root is pre-accounted but not connected upon the new root
+creation. But it can be connected to the new root later on. Therefore
+the old root may be accounted twice to the new root. The propagation of
+such overcommit can end up creating a double final top-level root with a
+groupmask incorrectly initialized. Although harmless given that the final
+top level roots will never have a parent to walk up to, this oddity
+opportunistically reported the core issue:
+
+ WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote
+ CPU: 8 UID: 0 PID: 0 Comm: swapper/8
+ RIP: 0010:tmigr_requires_handle_remote
+ Call Trace:
+
+ ? tmigr_requires_handle_remote
+ ? hrtimer_run_queues
+ update_process_times
+ tick_periodic
+ tick_handle_periodic
+ __sysvec_apic_timer_interrupt
+ sysvec_apic_timer_interrupt
+
+
+Fix the problem by taking the old root into account in the children count
+of the new root so the connection is not omitted.
+
+Also warn when more than one top level group exists to better detect
+similar issues in the future.
+
+Fixes: b729cc1ec21a ("timers/migration: Fix another race between hotplug and idle entry/exit")
+Reported-by: Matt Fleming
+Signed-off-by: Frederic Weisbecker
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250205160220.39467-1-frederic@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/time/timer_migration.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/timer_migration.c
++++ b/kernel/time/timer_migration.c
+@@ -1677,6 +1677,9 @@ static int tmigr_setup_groups(unsigned i
+
+ } while (i < tmigr_hierarchy_levels);
+
++ /* Assert single root */
++ WARN_ON_ONCE(!err && !group->parent && !list_is_singular(&tmigr_level_list[top]));
++
+ while (i > 0) {
+ group = stack[--i];
+
+@@ -1718,7 +1721,12 @@ static int tmigr_setup_groups(unsigned i
+ WARN_ON_ONCE(top == 0);
+
+ lvllist = &tmigr_level_list[top];
+- if (group->num_children == 1 && list_is_singular(lvllist)) {
++
++ /*
++ * Newly created root level should have accounted the upcoming
++ * CPU's child group and pre-accounted the old root.
++ */
++ if (group->num_children == 2 && list_is_singular(lvllist)) {
+ /*
+ * The target CPU must never do the prepare work, except
+ * on early boot when the boot CPU is the target. Otherwise
diff --git a/queue-6.13/tracing-osnoise-fix-resetting-of-tracepoints.patch b/queue-6.13/tracing-osnoise-fix-resetting-of-tracepoints.patch
new file mode 100644
index 0000000000..a9a926fcc4
--- /dev/null
+++ b/queue-6.13/tracing-osnoise-fix-resetting-of-tracepoints.patch
@@ -0,0 +1,124 @@ +From e3ff4245928f948f3eb2e852aa350b870421c358 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 23 Jan 2025 20:41:59 -0500 +Subject: tracing/osnoise: Fix resetting of tracepoints + +From: Steven Rostedt + +commit e3ff4245928f948f3eb2e852aa350b870421c358 upstream. + +If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD +disabled, but then that option is enabled and timerlat is removed, the +tracepoints that were enabled on timerlat registration do not get +disabled. If the option is disabled again and timelat is started, then it +triggers a warning in the tracepoint code due to registering the +tracepoint again without ever disabling it. + +Do not use the same user space defined options to know to disable the +tracepoints when timerlat is removed. Instead, set a global flag when it +is enabled and use that flag to know to disable the events. + + ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options + ~# echo timerlat > /sys/kernel/tracing/current_tracer + ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options + ~# echo nop > /sys/kernel/tracing/current_tracer + ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options + ~# echo timerlat > /sys/kernel/tracing/current_tracer + +Triggers: + + ------------[ cut here ]------------ + WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0 + Modules linked in: + CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + RIP: 0010:tracepoint_add_func+0x3b6/0x3f0 + Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b + RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202 + RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000 + RDX: 
0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410 + RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002 + R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001 + R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008 + FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0 + Call Trace: + + ? __warn.cold+0xb7/0x14d + ? tracepoint_add_func+0x3b6/0x3f0 + ? report_bug+0xea/0x170 + ? handle_bug+0x58/0x90 + ? exc_invalid_op+0x17/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? __pfx_trace_sched_migrate_callback+0x10/0x10 + ? tracepoint_add_func+0x3b6/0x3f0 + ? __pfx_trace_sched_migrate_callback+0x10/0x10 + ? __pfx_trace_sched_migrate_callback+0x10/0x10 + tracepoint_probe_register+0x78/0xb0 + ? __pfx_trace_sched_migrate_callback+0x10/0x10 + osnoise_workload_start+0x2b5/0x370 + timerlat_tracer_init+0x76/0x1b0 + tracing_set_tracer+0x244/0x400 + tracing_set_trace_write+0xa0/0xe0 + vfs_write+0xfc/0x570 + ? 
do_sys_openat2+0x9c/0xe0 + ksys_write+0x72/0xf0 + do_syscall_64+0x79/0x1c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Tomas Glozar +Cc: Gabriele Monaco +Cc: Luis Goncalves +Cc: John Kacur +Link: https://lore.kernel.org/20250123204159.4450c88e@gandalf.local.home +Fixes: e88ed227f639e ("tracing/timerlat: Add user-space interface") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_osnoise.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace_osnoise.c ++++ b/kernel/trace/trace_osnoise.c +@@ -1229,6 +1229,8 @@ static void trace_sched_migrate_callback + } + } + ++static bool monitor_enabled; ++ + static int register_migration_monitor(void) + { + int ret = 0; +@@ -1237,16 +1239,25 @@ static int register_migration_monitor(vo + * Timerlat thread migration check is only required when running timerlat in user-space. + * Thus, enable callback only if timerlat is set with no workload. + */ +- if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) ++ if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) { ++ if (WARN_ON_ONCE(monitor_enabled)) ++ return 0; ++ + ret = register_trace_sched_migrate_task(trace_sched_migrate_callback, NULL); ++ if (!ret) ++ monitor_enabled = true; ++ } + + return ret; + } + + static void unregister_migration_monitor(void) + { +- if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) +- unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL); ++ if (!monitor_enabled) ++ return; ++ ++ unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL); ++ monitor_enabled = false; + } + #else + static int register_migration_monitor(void) 
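Review bot: The new file-scope flag `static bool monitor_enabled;` is read and written by `register_migration_monitor()` and `unregister_migration_monitor()` with no locking visible in the hunk, so the declaration should state what serialises those two paths. A comment on the declaration would cover it, for example `/* True while the sched_migrate_task probe is registered; serialised by <lock held on the tracer start/stop path> */`, with the placeholder replaced by the actual lock once confirmed against the callers. The name also does not say which monitor it tracks; `migration_monitor_enabled` would match the two functions it guards. The `#else` stub of `register_migration_monitor()` continues outside the hunk.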
diff --git a/queue-6.13/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-6.13/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644
index 0000000000..d5d4818d24
--- /dev/null
+++ b/queue-6.13/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh
+Reviewed-by: Eric Auger
+Reviewed-by: Mostafa Saleh
+Tested-by: Mostafa Saleh
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -393,6 +393,11 @@ static ssize_t vfio_platform_read_mmio(s
+
+ count = min_t(size_t, count, reg->size - off);
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap(reg->addr, reg->size);
+@@ -474,6 +479,11 @@ static ssize_t vfio_platform_write_mmio(
+
+ if (off >= reg->size)
+ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
++ if (off >= reg->size)
++ return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+
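Review bot: In both hunks of the embedded patch the added lines repeat the unchanged context next to them, which suggests the bounds check is already in the tree this queue entry was generated against and is being applied a second time. `vfio_platform_read_mmio()` ends up with the `count = min_t(...)` clamp, the `off >= reg->size` check, then the same clamp again, and `vfio_platform_write_mmio()` with check, clamp, check, clamp. In the read path the context line computes `reg->size - off` before the added check, so confirm that an earlier `if (off >= reg->size) return -EINVAL;` sits above the hunk; both function bodies start outside it. If that check is there, this entry is redundant and can be dropped from the queue. If the entry is kept, each function should hold the pair once, `if (off >= reg->size) return -EINVAL;` followed by `count = min_t(size_t, count, reg->size - off);`, so the subtraction is never evaluated with an out-of-range user-supplied `off`.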