From: Greg Kroah-Hartman Date: Sat, 25 May 2024 15:13:27 +0000 (+0200) Subject: 6.8-stable patches X-Git-Tag: v6.9.3~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5cf5c1eed8459ffa53510f86a708b30c0e2ea8dc;p=thirdparty%2Fkernel%2Fstable-queue.git 6.8-stable patches added patches: io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch net-lan966x-remove-debugfs-directory-in-probe-error-path.patch net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch ring-buffer-fix-a-race-between-readers-and-resize-checks.patch tools-latency-collector-fix-wformat-security-compile-warns.patch tools-nolibc-stdlib-fix-memory-error-in-realloc.patch --- diff --git a/queue-6.8/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch b/queue-6.8/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch index 7a63eba8c4d..193705cfe32 100644 --- a/queue-6.8/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch +++ b/queue-6.8/arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch @@ -56,8 +56,8 @@ Signed-off-by: Greg Kroah-Hartman --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c -@@ -1518,6 +1518,27 @@ static void fpsimd_save_kernel_state(str - task->thread.kernel_fpsimd_cpu = smp_processor_id(); +@@ -1500,6 +1500,27 @@ static void fpsimd_save_kernel_state(str + fpsimd_save_state(&task->thread.kernel_fpsimd_state); } +/* @@ -84,7 +84,7 @@ 
Signed-off-by: Greg Kroah-Hartman void fpsimd_thread_switch(struct task_struct *next) { bool wrong_task, wrong_cpu; -@@ -1535,7 +1556,7 @@ void fpsimd_thread_switch(struct task_st +@@ -1517,7 +1538,7 @@ void fpsimd_thread_switch(struct task_st if (test_tsk_thread_flag(next, TIF_KERNEL_FPSTATE)) { fpsimd_load_kernel_state(next); @@ -93,7 +93,7 @@ Signed-off-by: Greg Kroah-Hartman } else { /* * Fix up TIF_FOREIGN_FPSTATE to correctly describe next's -@@ -1825,27 +1846,6 @@ void fpsimd_flush_task_state(struct task +@@ -1807,27 +1828,6 @@ void fpsimd_flush_task_state(struct task } /* diff --git a/queue-6.8/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch b/queue-6.8/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch new file mode 100644 index 00000000000..64faa0eba7b --- /dev/null +++ b/queue-6.8/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch 
@@ -0,0 +1,38 @@
+From 3d8f874bd620ce03f75a5512847586828ab86544 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Fri, 10 May 2024 11:50:27 +0800
+Subject: io_uring: fail NOP if non-zero op flags is passed in
+
+From: Ming Lei
+
+commit 3d8f874bd620ce03f75a5512847586828ab86544 upstream.
+
+The NOP op flags should have been checked from beginning like any other
+opcode, otherwise NOP may not be extended with the op flags.
+
+Given both liburing and Rust io-uring crate always zeros SQE op flags, just
+ignore users which play raw NOP uring interface without zeroing SQE, because
+NOP is just for test purpose. Then we can save one NOP2 opcode.
+
+Suggested-by: Jens Axboe
+Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Lei
+Link: https://lore.kernel.org/r/20240510035031.78874-2-ming.lei@redhat.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/nop.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/nop.c
++++ b/io_uring/nop.c
+@@ -12,6 +12,8 @@
+
+ int io_nop_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ {
++ if (READ_ONCE(sqe->rw_flags))
++ return -EINVAL;
+ return 0;
+ }
+
diff --git a/queue-6.8/net-lan966x-remove-debugfs-directory-in-probe-error-path.patch b/queue-6.8/net-lan966x-remove-debugfs-directory-in-probe-error-path.patch
new file mode 100644
index 00000000000..e40d99747b5
--- /dev/null
+++ b/queue-6.8/net-lan966x-remove-debugfs-directory-in-probe-error-path.patch
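Review bot: The field tested in io_nop_prep() is `sqe->rw_flags`, and nothing at the check says why a NOP inspects a read/write flag word. The commit message treats it as the per-opcode flags field, so a short comment would make that explicit: `/* NOP defines no op flags yet; reject any set bit so the field can be given meaning later */`. Callers that submit a raw NOP without zeroing the SQE now get -EINVAL, which the message accepts; the comment is the place to record that this rejection is deliberate.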
@@ -0,0 +1,57 @@
+From 99975ad644c7836414183fa7be4f883a4fb2bf64 Mon Sep 17 00:00:00 2001
+From: Herve Codina
+Date: Mon, 13 May 2024 13:18:53 +0200
+Subject: net: lan966x: remove debugfs directory in probe() error path
+
+From: Herve Codina
+
+commit 99975ad644c7836414183fa7be4f883a4fb2bf64 upstream.
+
+A debugfs directory entry is create early during probe(). This entry is
+not removed on error path leading to some "already present" issues in
+case of EPROBE_DEFER.
+
+Create this entry later in the probe() code to avoid the need to change
+many 'return' in 'goto' and add the removal in the already present error
+path.
+
+Fixes: 942814840127 ("net: lan966x: Add VCAP debugFS support")
+Cc:
+Signed-off-by: Herve Codina
+Reviewed-by: Andrew Lunn
+Reviewed-by: Horatiu Vultur
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+@@ -1087,8 +1087,6 @@ static int lan966x_probe(struct platform
+ platform_set_drvdata(pdev, lan966x);
+ lan966x->dev = &pdev->dev;
+
+- lan966x->debugfs_root = debugfs_create_dir("lan966x", NULL);
+-
+ if (!device_get_mac_address(&pdev->dev, mac_addr)) {
+ ether_addr_copy(lan966x->base_mac, mac_addr);
+ } else {
+@@ -1179,6 +1177,8 @@ static int lan966x_probe(struct platform
+ return dev_err_probe(&pdev->dev, -ENODEV,
+ "no ethernet-ports child found\n");
+
++ lan966x->debugfs_root = debugfs_create_dir("lan966x", NULL);
++
+ /* init switch */
+ lan966x_init(lan966x);
+ lan966x_stats_init(lan966x);
+@@ -1257,6 +1257,8 @@ cleanup_ports:
+ destroy_workqueue(lan966x->stats_queue);
+ mutex_destroy(&lan966x->stats_lock);
+
++ debugfs_remove_recursive(lan966x->debugfs_root);
++
+ return err;
+ }
+
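Review bot: The moved call is still `debugfs_create_dir("lan966x", NULL)`, a fixed name directly under the debugfs root, so the "already present" condition from the message can recur whenever a second directory of that name is requested, for example with two instances of the device. Deriving the name from the device, e.g. `debugfs_create_dir(dev_name(&pdev->dev), NULL)`, would avoid that, at the cost of changing the path users see. The added `debugfs_remove_recursive()` sits on the fall-through after `mutex_destroy()`; lan966x_probe() extends well beyond these hunks, so whether every failure exit after the new creation point reaches it cannot be confirmed here.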
diff --git a/queue-6.8/net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch b/queue-6.8/net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch
new file mode 100644
index 00000000000..0f6918ac302
--- /dev/null
+++ b/queue-6.8/net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch
@@ -0,0 +1,35 @@
+From 9c91c7fadb1771dcc2815c5271d14566366d05c5 Mon Sep 17 00:00:00 2001
+From: Souradeep Chakrabarti
+Date: Sun, 19 May 2024 23:05:04 -0700
+Subject: net: mana: Fix the extra HZ in mana_hwc_send_request
+
+From: Souradeep Chakrabarti
+
+commit 9c91c7fadb1771dcc2815c5271d14566366d05c5 upstream.
+
+Commit 62c1bff593b7 added an extra HZ along with msecs_to_jiffies.
+This patch fixes that.
+
+Cc: stable@vger.kernel.org
+Fixes: 62c1bff593b7 ("net: mana: Configure hwc timeout from hardware")
+Signed-off-by: Souradeep Chakrabarti
+Reviewed-by: Brett Creeley
+Reviewed-by: Dexuan Cui
+Link: https://lore.kernel.org/r/1716185104-31658-1-git-send-email-schakrabarti@linux.microsoft.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microsoft/mana/hw_channel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
++++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
+@@ -848,7 +848,7 @@ int mana_hwc_send_request(struct hw_chan
+ }
+
+ if (!wait_for_completion_timeout(&ctx->comp_event,
+- (msecs_to_jiffies(hwc->hwc_timeout) * HZ))) {
++ (msecs_to_jiffies(hwc->hwc_timeout)))) {
+ dev_err(hwc->dev, "HWC: Request timed out!\n");
+ err = -ETIMEDOUT;
+ goto out;
diff --git a/queue-6.8/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch b/queue-6.8/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch
new file mode 100644
index 00000000000..99fd084a25d
--- /dev/null
+++ b/queue-6.8/net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch
@@ -0,0 +1,58 @@
+From 5eefb477d21a26183bc3499aeefa991198315a2d Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Fri, 10 May 2024 13:30:55 +0200
+Subject: net: smc91x: Fix m68k kernel compilation for ColdFire CPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thorsten Blum
+
+commit 5eefb477d21a26183bc3499aeefa991198315a2d upstream.
+
+Compiling the m68k kernel with support for the ColdFire CPU family fails
+with the following error:
+
+In file included from drivers/net/ethernet/smsc/smc91x.c:80:
+drivers/net/ethernet/smsc/smc91x.c: In function ‘smc_reset’:
+drivers/net/ethernet/smsc/smc91x.h:160:40: error: implicit declaration of function ‘_swapw’; did you mean ‘swap’? [-Werror=implicit-function-declaration]
+ 160 | #define SMC_outw(lp, v, a, r) writew(_swapw(v), (a) + (r))
+ | ^~~~~~
+drivers/net/ethernet/smsc/smc91x.h:904:25: note: in expansion of macro ‘SMC_outw’
+ 904 | SMC_outw(lp, x, ioaddr, BANK_SELECT); \
+ | ^~~~~~~~
+drivers/net/ethernet/smsc/smc91x.c:250:9: note: in expansion of macro ‘SMC_SELECT_BANK’
+ 250 | SMC_SELECT_BANK(lp, 2);
+ | ^~~~~~~~~~~~~~~
+cc1: some warnings being treated as errors
+
+The function _swapw() was removed in commit d97cf70af097 ("m68k: use
+asm-generic/io.h for non-MMU io access functions"), but is still used in
+drivers/net/ethernet/smsc/smc91x.h.
+
+Use ioread16be() and iowrite16be() to resolve the error.
+
+Cc: stable@vger.kernel.org
+Fixes: d97cf70af097 ("m68k: use asm-generic/io.h for non-MMU io access functions")
+Signed-off-by: Thorsten Blum
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20240510113054.186648-2-thorsten.blum@toblux.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/smsc/smc91x.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/smsc/smc91x.h
++++ b/drivers/net/ethernet/smsc/smc91x.h
+@@ -156,8 +156,8 @@ static inline void mcf_outsw(void *a, un
+ writew(*wp++, a);
+ }
+
+-#define SMC_inw(a, r) _swapw(readw((a) + (r)))
+-#define SMC_outw(lp, v, a, r) writew(_swapw(v), (a) + (r))
++#define SMC_inw(a, r) ioread16be((a) + (r))
++#define SMC_outw(lp, v, a, r) iowrite16be(v, (a) + (r))
+ #define SMC_insw(a, r, p, l) mcf_insw(a + r, p, l)
+ #define SMC_outsw(a, r, p, l) mcf_outsw(a + r, p, l)
+
diff --git a/queue-6.8/net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch b/queue-6.8/net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch
new file mode 100644
index 00000000000..fb35ee95f3a
--- /dev/null
+++ b/queue-6.8/net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch
@@ -0,0 +1,58 @@ +From b31c7e78086127a7fcaa761e8d336ee855a920c6 Mon Sep 17 00:00:00 2001 +From: Romain Gantois +Date: Tue, 21 May 2024 14:44:11 +0200 +Subject: net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe() + +From: Romain Gantois + +commit b31c7e78086127a7fcaa761e8d336ee855a920c6 upstream. + +In the prueth_probe() function, if one of the calls to emac_phy_connect() +fails due to of_phy_connect() returning NULL, then the subsequent call to +phy_attached_info() will dereference a NULL pointer. + +Check the return code of emac_phy_connect and fail cleanly if there is an +error. + +Fixes: 128d5874c082 ("net: ti: icssg-prueth: Add ICSSG ethernet driver") +Cc: stable@vger.kernel.org +Signed-off-by: Romain Gantois +Reviewed-by: Simon Horman +Reviewed-by: MD Danish Anwar +Link: https://lore.kernel.org/r/20240521-icssg-prueth-fix-v1-1-b4b17b1433e9@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/icssg/icssg_prueth.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c ++++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c +@@ -2156,7 +2156,12 @@ static int prueth_probe(struct platform_ + + prueth->registered_netdevs[PRUETH_MAC0] = prueth->emac[PRUETH_MAC0]->ndev; + +- emac_phy_connect(prueth->emac[PRUETH_MAC0]); ++ ret = emac_phy_connect(prueth->emac[PRUETH_MAC0]); ++ if (ret) { ++ dev_err(dev, ++ "can't connect to MII0 PHY, error -%d", ret); ++ goto netdev_unregister; ++ } + phy_attached_info(prueth->emac[PRUETH_MAC0]->ndev->phydev); + } + +@@ -2168,7 +2173,12 @@ static int prueth_probe(struct platform_ + } + + prueth->registered_netdevs[PRUETH_MAC1] = prueth->emac[PRUETH_MAC1]->ndev; +- emac_phy_connect(prueth->emac[PRUETH_MAC1]); ++ ret = emac_phy_connect(prueth->emac[PRUETH_MAC1]); ++ if (ret) { ++ dev_err(dev, ++ "can't connect to MII1 PHY, error %d", ret); ++ goto netdev_unregister; ++ } + 
phy_attached_info(prueth->emac[PRUETH_MAC1]->ndev->phydev); + } + diff --git a/queue-6.8/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch b/queue-6.8/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch new file mode 100644 index 00000000000..64166aa7ed6 --- /dev/null +++ b/queue-6.8/r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch 
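Review bot: The two new error messages disagree: the MII0 one is `"can't connect to MII0 PHY, error -%d"` while the MII1 one is `"can't connect to MII1 PHY, error %d"`, and neither ends in a newline. If emac_phy_connect() returns a negative errno, which the plain `if (ret)` test suggests but the hunk does not show, the MII0 message prints a doubled minus sign. Both should use the same form, e.g. `"can't connect to MII0 PHY, error %d\n", ret`. prueth_probe() continues outside these hunks, so whether the `netdev_unregister` path also undoes an already connected MAC0 PHY when MAC1 fails cannot be checked here.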
@@ -0,0 +1,55 @@
+From c71e3a5cffd5309d7f84444df03d5b72600cc417 Mon Sep 17 00:00:00 2001
+From: Ken Milmore
+Date: Tue, 21 May 2024 23:45:50 +0100
+Subject: r8169: Fix possible ring buffer corruption on fragmented Tx packets.
+
+From: Ken Milmore
+
+commit c71e3a5cffd5309d7f84444df03d5b72600cc417 upstream.
+
+An issue was found on the RTL8125b when transmitting small fragmented
+packets, whereby invalid entries were inserted into the transmit ring
+buffer, subsequently leading to calls to dma_unmap_single() with a null
+address.
+
+This was caused by rtl8169_start_xmit() not noticing changes to nr_frags
+which may occur when small packets are padded (to work around hardware
+quirks) in rtl8169_tso_csum_v2().
+
+To fix this, postpone inspecting nr_frags until after any padding has been
+applied.
+
+Fixes: 9020845fb5d6 ("r8169: improve rtl8169_start_xmit")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ken Milmore
+Reviewed-by: Heiner Kallweit
+Link: https://lore.kernel.org/r/27ead18b-c23d-4f49-a020-1fc482c5ac95@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4221,11 +4221,11 @@ static void rtl8169_doorbell(struct rtl8
+ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
+ struct net_device *dev)
+ {
+- unsigned int frags = skb_shinfo(skb)->nr_frags;
+ struct rtl8169_private *tp = netdev_priv(dev);
+ unsigned int entry = tp->cur_tx % NUM_TX_DESC;
+ struct TxDesc *txd_first, *txd_last;
+ bool stop_queue, door_bell;
++ unsigned int frags;
+ u32 opts[2];
+
+ if (unlikely(!rtl_tx_slots_avail(tp))) {
+@@ -4248,6 +4248,7 @@ static netdev_tx_t rtl8169_start_xmit(st
+
+ txd_first = tp->TxDescArray + entry;
+
++ frags = skb_shinfo(skb)->nr_frags;
+ if (frags) {
+ if (rtl8169_xmit_frags(tp, skb, opts, entry))
+ goto err_dma_1;
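Review bot: Nothing at the new `frags = skb_shinfo(skb)->nr_frags;` line says why the read is deferred, so a later cleanup could fold it back into the declaration and bring back the stale count that led to the ring corruption. A short comment would pin the ordering: `/* read nr_frags only after rtl8169_tso_csum_v2() may have padded the skb */`. The padding call sits between the two hunks and is not visible here, so the placement relative to it is taken from the commit message.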
diff --git a/queue-6.8/reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch b/queue-6.8/reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch
new file mode 100644
index 00000000000..aa0423e2e6f
--- /dev/null
+++ b/queue-6.8/reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch
@@ -0,0 +1,66 @@
+From f481bb32d60e45fb3d19ea68ce79c5629f3fc3a0 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Wed, 22 May 2024 11:53:05 +0100
+Subject: Reapply "arm64: fpsimd: Implement lazy restore for kernel mode FPSIMD"
+
+From: Will Deacon
+
+commit f481bb32d60e45fb3d19ea68ce79c5629f3fc3a0 upstream.
+
+This reverts commit b8995a18417088bb53f87c49d200ec72a9dd4ec1.
+
+Ard managed to reproduce the dm-crypt corruption problem and got to the
+bottom of it, so re-apply the problematic patch in preparation for
+fixing things properly.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/processor.h | 1 +
+ arch/arm64/kernel/fpsimd.c | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/arch/arm64/include/asm/processor.h
++++ b/arch/arm64/include/asm/processor.h
+@@ -169,6 +169,7 @@ struct thread_struct {
+ struct debug_info debug; /* debugging */
+
+ struct user_fpsimd_state kernel_fpsimd_state;
++ unsigned int kernel_fpsimd_cpu;
+ #ifdef CONFIG_ARM64_PTR_AUTH
+ struct ptrauth_keys_user keys_user;
+ #ifdef CONFIG_ARM64_PTR_AUTH_KERNEL
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1492,12 +1492,30 @@ void do_fpsimd_exc(unsigned long esr, st
+
+ static void fpsimd_load_kernel_state(struct task_struct *task)
+ {
++ struct cpu_fp_state *last = this_cpu_ptr(&fpsimd_last_state);
++
++ /*
++ * Elide the load if this CPU holds the most recent kernel mode
++ * FPSIMD context of the current task.
++ */
++ if (last->st == &task->thread.kernel_fpsimd_state &&
++ task->thread.kernel_fpsimd_cpu == smp_processor_id())
++ return;
++
+ fpsimd_load_state(&task->thread.kernel_fpsimd_state);
+ }
+
+ static void fpsimd_save_kernel_state(struct task_struct *task)
+ {
++ struct cpu_fp_state cpu_fp_state = {
++ .st = &task->thread.kernel_fpsimd_state,
++ .to_save = FP_STATE_FPSIMD,
++ };
++
+ fpsimd_save_state(&task->thread.kernel_fpsimd_state);
++ fpsimd_bind_state_to_cpu(&cpu_fp_state);
++
++ task->thread.kernel_fpsimd_cpu = smp_processor_id();
+ }
+
+ /*
diff --git a/queue-6.8/revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch b/queue-6.8/revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch
new file mode 100644
index 00000000000..de8dd10e04e
--- /dev/null
+++ b/queue-6.8/revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch
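Review bot: The elide comment in fpsimd_load_kernel_state() says "of the current task", but the check is made on the `task` argument, which at the call site shown earlier on this page is `next` in fpsimd_thread_switch(); `* FPSIMD context of @task.` would be accurate. Within this patch the new `kernel_fpsimd_cpu` field is written only in fpsimd_save_kernel_state(), so the early return is safe only if a save by the same task always precedes the load. That invariant is presumably held by the callers, which are outside the hunk, and it deserves a sentence in the comment because a wrong elide leaves stale register contents in place.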
@@ -0,0 +1,68 @@
+From b8995a18417088bb53f87c49d200ec72a9dd4ec1 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Fri, 17 May 2024 12:55:55 +0100
+Subject: Revert "arm64: fpsimd: Implement lazy restore for kernel mode FPSIMD"
+
+From: Will Deacon
+
+commit b8995a18417088bb53f87c49d200ec72a9dd4ec1 upstream.
+
+This reverts commit 2632e25217696712681dd1f3ecc0d71624ea3b23.
+
+Johannes (and others) report data corruption with dm-crypt on Apple M1
+which has been bisected to this change. Revert the offending commit
+while we figure out what's going on.
+
+Cc: stable@vger.kernel.org
+Reported-by: Johannes Nixdorf
+Link: https://lore.kernel.org/all/D1B7GPIR9K1E.5JFV37G0YTIF@shadowice.org/
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/processor.h | 1 -
+ arch/arm64/kernel/fpsimd.c | 18 ------------------
+ 2 files changed, 19 deletions(-)
+
+--- a/arch/arm64/include/asm/processor.h
++++ b/arch/arm64/include/asm/processor.h
+@@ -169,7 +169,6 @@ struct thread_struct {
+ struct debug_info debug; /* debugging */
+
+ struct user_fpsimd_state kernel_fpsimd_state;
+- unsigned int kernel_fpsimd_cpu;
+ #ifdef CONFIG_ARM64_PTR_AUTH
+ struct ptrauth_keys_user keys_user;
+ #ifdef CONFIG_ARM64_PTR_AUTH_KERNEL
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1492,30 +1492,12 @@ void do_fpsimd_exc(unsigned long esr, st
+
+ static void fpsimd_load_kernel_state(struct task_struct *task)
+ {
+- struct cpu_fp_state *last = this_cpu_ptr(&fpsimd_last_state);
+-
+- /*
+- * Elide the load if this CPU holds the most recent kernel mode
+- * FPSIMD context of the current task.
+- */
+- if (last->st == &task->thread.kernel_fpsimd_state &&
+- task->thread.kernel_fpsimd_cpu == smp_processor_id())
+- return;
+-
+ fpsimd_load_state(&task->thread.kernel_fpsimd_state);
+ }
+
+ static void fpsimd_save_kernel_state(struct task_struct *task)
+ {
+- struct cpu_fp_state cpu_fp_state = {
+- .st = &task->thread.kernel_fpsimd_state,
+- .to_save = FP_STATE_FPSIMD,
+- };
+-
+ fpsimd_save_state(&task->thread.kernel_fpsimd_state);
+- fpsimd_bind_state_to_cpu(&cpu_fp_state);
+-
+- task->thread.kernel_fpsimd_cpu = smp_processor_id();
+ }
+
+ void fpsimd_thread_switch(struct task_struct *next)
diff --git a/queue-6.8/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch b/queue-6.8/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch
new file mode 100644
index 00000000000..56edda9de00
--- /dev/null
+++ b/queue-6.8/revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch
@@ -0,0 +1,44 @@
+From eabb8a9be1e4a12f3bf37ceb7411083e3775672d Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit
+Date: Wed, 15 May 2024 08:18:01 +0200
+Subject: Revert "r8169: don't try to disable interrupts if NAPI is, scheduled already"
+
+From: Heiner Kallweit
+
+commit eabb8a9be1e4a12f3bf37ceb7411083e3775672d upstream.
+
+This reverts commit 7274c4147afbf46f45b8501edbdad6da8cd013b9.
+
+Ken reported that RTL8125b can lock up if gro_flush_timeout has the
+default value of 20000 and napi_defer_hard_irqs is set to 0.
+In this scenario device interrupts aren't disabled, what seems to
+trigger some silicon bug under heavy load. I was able to reproduce this
+behavior on RTL8168h. Fix this by reverting 7274c4147afb.
+
+Fixes: 7274c4147afb ("r8169: don't try to disable interrupts if NAPI is scheduled already")
+Cc: stable@vger.kernel.org
+Reported-by: Ken Milmore
+Signed-off-by: Heiner Kallweit
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/9b5b6f4c-4f54-4b90-b0b3-8d8023c2e780@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4541,10 +4541,8 @@ static irqreturn_t rtl8169_interrupt(int
+ rtl_schedule_task(tp, RTL_FLAG_TASK_RESET_PENDING);
+ }
+
+- if (napi_schedule_prep(&tp->napi)) {
+- rtl_irq_disable(tp);
+- __napi_schedule(&tp->napi);
+- }
++ rtl_irq_disable(tp);
++ napi_schedule(&tp->napi);
+ out:
+ rtl_ack_events(tp, status);
+
diff --git a/queue-6.8/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch b/queue-6.8/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch
new file mode 100644
index 00000000000..d4e9cf64132
--- /dev/null
+++ b/queue-6.8/ring-buffer-fix-a-race-between-readers-and-resize-checks.patch
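Review bot: The restored `rtl_irq_disable(tp); napi_schedule(&tp->napi);` pair carries no comment, and the conditional form it replaces reads like a harmless optimisation that someone may try again. A comment at the call would record why the mask must be unconditional: `/* always mask device interrupts here; leaving them enabled while NAPI is already scheduled locked up RTL8125b and RTL8168h under load */`. rtl8169_interrupt() starts above the hunk and continues past it.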
@@ -0,0 +1,134 @@ +From c2274b908db05529980ec056359fae916939fdaa Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Fri, 17 May 2024 15:40:08 +0200 +Subject: ring-buffer: Fix a race between readers and resize checks + +From: Petr Pavlu + +commit c2274b908db05529980ec056359fae916939fdaa upstream. + +The reader code in rb_get_reader_page() swaps a new reader page into the +ring buffer by doing cmpxchg on old->list.prev->next to point it to the +new page. Following that, if the operation is successful, +old->list.next->prev gets updated too. This means the underlying +doubly-linked list is temporarily inconsistent, page->prev->next or +page->next->prev might not be equal back to page for some page in the +ring buffer. + +The resize operation in ring_buffer_resize() can be invoked in parallel. +It calls rb_check_pages() which can detect the described inconsistency +and stop further tracing: + +[ 190.271762] ------------[ cut here ]------------ +[ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 +[ 190.271789] Modules linked in: [...] +[ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 +[ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f +[ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 +[ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 +[ 190.272023] Code: [...] 
+[ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 +[ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 +[ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 +[ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 +[ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 +[ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 +[ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 +[ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 +[ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 190.272077] Call Trace: +[ 190.272098] +[ 190.272189] ring_buffer_resize+0x2ab/0x460 +[ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 +[ 190.272206] tracing_resize_ring_buffer+0x65/0x90 +[ 190.272216] tracing_entries_write+0x74/0xc0 +[ 190.272225] vfs_write+0xf5/0x420 +[ 190.272248] ksys_write+0x67/0xe0 +[ 190.272256] do_syscall_64+0x82/0x170 +[ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 190.272373] RIP: 0033:0x7f1bd657d263 +[ 190.272381] Code: [...] 
+[ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 +[ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 +[ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 +[ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 +[ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 +[ 190.272412] +[ 190.272414] ---[ end trace 0000000000000000 ]--- + +Note that ring_buffer_resize() calls rb_check_pages() only if the parent +trace_buffer has recording disabled. Recent commit d78ab792705c +("tracing: Stop current tracer when resizing buffer") causes that it is +now always the case which makes it more likely to experience this issue. + +The window to hit this race is nonetheless very small. To help +reproducing it, one can add a delay loop in rb_get_reader_page(): + + ret = rb_head_page_replace(reader, cpu_buffer->reader_page); + if (!ret) + goto spin; + for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ + __asm__ __volatile__ ("" : : : "memory"); + rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; + +.. and then run the following commands on the target system: + + echo 1 > /sys/kernel/tracing/events/sched/sched_switch/enable + while true; do + echo 16 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 + echo 8 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 + done & + while true; do + for i in /sys/kernel/tracing/per_cpu/*; do + timeout 0.1 cat $i/trace_pipe; sleep 0.2 + done + done + +To fix the problem, make sure ring_buffer_resize() doesn't invoke +rb_check_pages() concurrently with a reader operating on the same +ring_buffer_per_cpu by taking its cpu_buffer->reader_lock. 
+ +Link: https://lore.kernel.org/linux-trace-kernel/20240517134008.24529-3-petr.pavlu@suse.com + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Fixes: 659f451ff213 ("ring-buffer: Add integrity check at end of iter read") +Signed-off-by: Petr Pavlu +[ Fixed whitespace ] +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1456,6 +1456,11 @@ static void rb_check_bpage(struct ring_b + * + * As a safety measure we check to make sure the data pages have not + * been corrupted. ++ * ++ * Callers of this function need to guarantee that the list of pages doesn't get ++ * modified during the check. In particular, if it's possible that the function ++ * is invoked with concurrent readers which can swap in a new reader page then ++ * the caller should take cpu_buffer->reader_lock. + */ + static void rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) + { +@@ -2205,8 +2210,12 @@ int ring_buffer_resize(struct trace_buff + */ + synchronize_rcu(); + for_each_buffer_cpu(buffer, cpu) { ++ unsigned long flags; ++ + cpu_buffer = buffer->buffers[cpu]; ++ raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); + rb_check_pages(cpu_buffer); ++ raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); + } + atomic_dec(&buffer->record_disabled); + } diff --git a/queue-6.8/series b/queue-6.8/series index b0f23f50340..a776b1c10bf 100644 --- a/queue-6.8/series +++ b/queue-6.8/series @@ -1,4 +1,6 @@ +revert-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch arm64-fpsimd-avoid-erroneous-elide-of-user-state-reload.patch +reapply-arm64-fpsimd-implement-lazy-restore-for-kernel-mode-fpsimd.patch tty-n_gsm-fix-possible-out-of-bounds-in-gsm0_receive.patch tty-n_gsm-fix-missing-receive-state-reset-after-mode-switch.patch speakup-fix-sizeof-vs-array_size-bug.patch 
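Review bot: rb_check_pages() now runs with `cpu_buffer->reader_lock` held and interrupts disabled for the whole check in ring_buffer_resize(). The body of rb_check_pages() is outside the hunk, but if it walks every page of the per-CPU buffer, as its comment about checking the data pages suggests, the interrupts-off time grows with the size written to buffer_size_kb. The added comment also leaves the locking rule to callers; if every caller can hold the lock, `lockdep_assert_held(&cpu_buffer->reader_lock);` at the top of rb_check_pages() would enforce it, and otherwise the comment should name the callers that are exempt.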
@@ -6,3 +8,13 @@ serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-using-prescaler.patch
 serial-8250_bcm7271-use-default_mux_rate-if-possible.patch
 serial-8520_mtk-set-rts-on-shutdown-for-rx-in-band-wakeup.patch
 input-try-trimming-too-long-modalias-strings.patch
+io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
+revert-r8169-don-t-try-to-disable-interrupts-if-napi-is-scheduled-already.patch
+r8169-fix-possible-ring-buffer-corruption-on-fragmented-tx-packets.patch
+ring-buffer-fix-a-race-between-readers-and-resize-checks.patch
+net-mana-fix-the-extra-hz-in-mana_hwc_send_request.patch
+tools-latency-collector-fix-wformat-security-compile-warns.patch
+tools-nolibc-stdlib-fix-memory-error-in-realloc.patch
+net-ti-icssg_prueth-fix-null-pointer-dereference-in-prueth_probe.patch
+net-lan966x-remove-debugfs-directory-in-probe-error-path.patch
+net-smc91x-fix-m68k-kernel-compilation-for-coldfire-cpu.patch
diff --git a/queue-6.8/tools-latency-collector-fix-wformat-security-compile-warns.patch b/queue-6.8/tools-latency-collector-fix-wformat-security-compile-warns.patch
new file mode 100644
index 00000000000..337deb87833
--- /dev/null
+++ b/queue-6.8/tools-latency-collector-fix-wformat-security-compile-warns.patch
@@ -0,0 +1,84 @@ +From df73757cf8f66fa54c4721c53b0916af3c4d9818 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Wed, 3 Apr 2024 19:10:09 -0600 +Subject: tools/latency-collector: Fix -Wformat-security compile warns +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuah Khan + +commit df73757cf8f66fa54c4721c53b0916af3c4d9818 upstream. + +Fix the following -Wformat-security compile warnings adding missing +format arguments: + +latency-collector.c: In function ‘show_available’: +latency-collector.c:938:17: warning: format not a string literal and +no format arguments [-Wformat-security] + 938 | warnx(no_tracer_msg); + | ^~~~~ + +latency-collector.c:943:17: warning: format not a string literal and +no format arguments [-Wformat-security] + 943 | warnx(no_latency_tr_msg); + | ^~~~~ + +latency-collector.c: In function ‘find_default_tracer’: +latency-collector.c:986:25: warning: format not a string literal and +no format arguments [-Wformat-security] + 986 | errx(EXIT_FAILURE, no_tracer_msg); + | + ^~~~ +latency-collector.c: In function ‘scan_arguments’: +latency-collector.c:1881:33: warning: format not a string literal and +no format arguments [-Wformat-security] + 1881 | errx(EXIT_FAILURE, no_tracer_msg); + | ^~~~ + +Link: https://lore.kernel.org/linux-trace-kernel/20240404011009.32945-1-skhan@linuxfoundation.org + +Cc: stable@vger.kernel.org +Fixes: e23db805da2df ("tracing/tools: Add the latency-collector to tools directory") +Signed-off-by: Shuah Khan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + tools/tracing/latency/latency-collector.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/tracing/latency/latency-collector.c ++++ b/tools/tracing/latency/latency-collector.c +@@ -935,12 +935,12 @@ static void show_available(void) + } + + if (!tracers) { +- warnx(no_tracer_msg); ++ warnx("%s", no_tracer_msg); + return; + } + + if (!found) { +- 
warnx(no_latency_tr_msg); ++ warnx("%s", no_latency_tr_msg); + tracefs_list_free(tracers); + return; + } +@@ -983,7 +983,7 @@ static const char *find_default_tracer(v + for (i = 0; relevant_tracers[i]; i++) { + valid = tracer_valid(relevant_tracers[i], ¬racer); + if (notracer) +- errx(EXIT_FAILURE, no_tracer_msg); ++ errx(EXIT_FAILURE, "%s", no_tracer_msg); + if (valid) + return relevant_tracers[i]; + } +@@ -1878,7 +1878,7 @@ static void scan_arguments(int argc, cha + } + valid = tracer_valid(current_tracer, ¬racer); + if (notracer) +- errx(EXIT_FAILURE, no_tracer_msg); ++ errx(EXIT_FAILURE, "%s", no_tracer_msg); + if (!valid) + errx(EXIT_FAILURE, + "The tracer %s is not supported by your kernel!\n", current_tracer); diff --git a/queue-6.8/tools-nolibc-stdlib-fix-memory-error-in-realloc.patch b/queue-6.8/tools-nolibc-stdlib-fix-memory-error-in-realloc.patch new file mode 100644 index 00000000000..98d46f01027 --- /dev/null +++ b/queue-6.8/tools-nolibc-stdlib-fix-memory-error-in-realloc.patch 
@@ -0,0 +1,38 @@
+From 791f4641142e2aced85de082e5783b4fb0b977c2 Mon Sep 17 00:00:00 2001
+From: Brennan Xavier McManus
+Date: Tue, 9 Jan 2024 18:44:02 -0500
+Subject: tools/nolibc/stdlib: fix memory error in realloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brennan Xavier McManus
+
+commit 791f4641142e2aced85de082e5783b4fb0b977c2 upstream.
+
+Pass user_p_len to memcpy() instead of heap->len to prevent realloc()
+from copying an extra sizeof(heap) bytes from beyond the allocated
+region.
+
+Signed-off-by: Brennan Xavier McManus
+Cc: stable@vger.kernel.org
+Reviewed-by: Ammar Faizi
+Fixes: 0e0ff638400be8f497a35b51a4751fd823f6bd6a ("tools/nolibc/stdlib: Implement `malloc()`, `calloc()`, `realloc()` and `free()`")
+Signed-off-by: Willy Tarreau
+Signed-off-by: Thomas Weißschuh
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/include/nolibc/stdlib.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/include/nolibc/stdlib.h
++++ b/tools/include/nolibc/stdlib.h
+@@ -185,7 +185,7 @@ void *realloc(void *old_ptr, size_t new_
+ if (__builtin_expect(!ret, 0))
+ return NULL;
+
+- memcpy(ret, heap->user_p, heap->len);
++ memcpy(ret, heap->user_p, user_p_len);
+ munmap(heap, heap->len);
+ return ret;
+ }
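Review bot: The copy length is now `user_p_len` while the `munmap(heap, heap->len)` on the next line keeps the full mapping length, and nothing in realloc() says why the two differ. A one-line comment above the memcpy would keep them from being unified again: `/* copy only the old payload; heap->len also counts the heap header */`. The computation of `user_p_len` and any check that the new block is at least that large are outside the hunk, so the bound on the destination is assumed here, not shown.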