From: Greg Kroah-Hartman Date: Tue, 7 Mar 2023 10:02:02 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.2.3~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d9a49d337aeca1e5bcf4aa4acf8c1e6d9bbd11d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alpha-fix-fen-fault-handling.patch alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch arm-dts-qcom-sdx65-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch arm64-mm-hugetlb-disable-hugetlb_page_optimize_vmemmap.patch block-fix-scan-partition-for-exclusively-open-device-again.patch ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch cpuidle-add-arch_suspend_possible-dependencies.patch cxl-pmem-fix-nvdimm-registration-races.patch dax-kmem-fix-leak-of-memory-hotplug-resources.patch dm-add-cond_resched-to-dm_wq_requeue_work.patch dm-add-cond_resched-to-dm_wq_work.patch dm-cache-free-background-tracker-s-queued-work-in-btracker_destroy.patch dm-flakey-don-t-corrupt-the-zero-page.patch dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch dm-flakey-fix-logic-when-corrupting-a-bio.patch dm-send-just-one-event-on-resize-not-two.patch docs-gdbmacros-print-newest-record.patch ext4-fix-possible-corruption-when-moving-a-directory.patch ext4-optimize-ea_inode-block-expansion.patch ext4-refuse-to-create-ea-block-when-umounted.patch fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch hwmon-nct6775-fix-incorrect-parenthesization-in-nct6775_write_fan_div.patch hwmon-peci-cputemp-fix-off-by-one-in-coretemp_label-allocation.patch iommu-amd-add-a-length-limitation-for-the-ivrs_acpihid-command-line-parameter.patch iommu-amd-improve-page-fault-error-reporting.patch jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch kprobes-fix-to-handle-forcibly-unoptimized-kprobes-on-freeing_list.patch ktest.pl-add-run_timeout-option-with-default-unlimited.patch ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch memory-tier-release-the-new_memtier-in-find_create_memory_tier.patch mips-fix-syscall_get_nr.patch mm-hwpoison-convert-ttu_ignore_hwpoison-to-ttu_hwpoison.patch mm-memcontrol-deprecate-charge-moving.patch mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch panic-fix-the-panic_print-nmi-backtrace-setting.patch qede-fix-interrupt-coalescing-configuration.patch rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch regulator-core-use-ktime_get_boottime-to-determine-how-long-a-regulator-was-off.patch remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch tools-bootconfig-fix-single-used-for-logical-condition.patch tracing-eprobe-fix-to-add-filter-on-eprobe-description-in-readme-file.patch wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch wifi-cfg80211-fix-use-after-free-for-wext.patch wifi-cfg80211-set-ssid-if-it-is-not-already-set.patch wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch wifi-rtw88-use-rtw_flag_poweron-flag-to-prevent-to-power-on-off-twice.patch --- diff --git a/queue-6.1/alpha-fix-fen-fault-handling.patch b/queue-6.1/alpha-fix-fen-fault-handling.patch new file mode 100644 index 00000000000..e4db753e2a0 --- /dev/null +++ b/queue-6.1/alpha-fix-fen-fault-handling.patch @@ -0,0 +1,88 @@ +From 977a3009547dad4a5bc95d91be4a58c9f7eedac0 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 6 Jan 2023 19:25:59 -0500 +Subject: alpha: fix FEN fault handling + +From: Al Viro + +commit 977a3009547dad4a5bc95d91be4a58c9f7eedac0 upstream. + +Type 3 instruction fault (FPU insn with FPU disabled) is handled +by quietly enabling FPU and returning. Which is fine, except that +we need to do that both for fault in userland and in the kernel; +the latter *can* legitimately happen - all it takes is this: + +.global _start +_start: + call_pal 0xae + lda $0, 0 + ldq $0, 0($0) + +- call_pal CLRFEN to clear "FPU enabled" flag and arrange for +a signal delivery (SIGSEGV in this case). + +Fixed by moving the handling of type 3 into the common part of +do_entIF(), before we check for kernel vs. user mode. + +Incidentally, the check for kernel mode is unidiomatic; the normal +way to do that is !user_mode(regs). The difference is that +the open-coded variant treats any of bits 63..3 of regs->ps being +set as "it's user mode" while the normal approach is to check just +the bit 3. PS is a 4-bit register and regs->ps always will have +bits 63..4 clear, so the open-coded variant here is actually equivalent +to !user_mode(regs). Harder to follow, though... + +Cc: stable@vger.kernel.org +Reviewed-by: Richard Henderson +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/traps.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/arch/alpha/kernel/traps.c ++++ b/arch/alpha/kernel/traps.c +@@ -233,7 +233,21 @@ do_entIF(unsigned long type, struct pt_r + { + int signo, code; + +- if ((regs->ps & ~IPL_MAX) == 0) { ++ if (type == 3) { /* FEN fault */ ++ /* Irritating users can call PAL_clrfen to disable the ++ FPU for the process. The kernel will then trap in ++ do_switch_stack and undo_switch_stack when we try ++ to save and restore the FP registers. ++ ++ Given that GCC by default generates code that uses the ++ FP registers, PAL_clrfen is not useful except for DoS ++ attacks. So turn the bleeding FPU back on and be done ++ with it. */ ++ current_thread_info()->pcb.flags |= 1; ++ __reload_thread(¤t_thread_info()->pcb); ++ return; ++ } ++ if (!user_mode(regs)) { + if (type == 1) { + const unsigned int *data + = (const unsigned int *) regs->pc; +@@ -366,20 +380,6 @@ do_entIF(unsigned long type, struct pt_r + } + break; + +- case 3: /* FEN fault */ +- /* Irritating users can call PAL_clrfen to disable the +- FPU for the process. The kernel will then trap in +- do_switch_stack and undo_switch_stack when we try +- to save and restore the FP registers. +- +- Given that GCC by default generates code that uses the +- FP registers, PAL_clrfen is not useful except for DoS +- attacks. So turn the bleeding FPU back on and be done +- with it. */ +- current_thread_info()->pcb.flags |= 1; +- __reload_thread(¤t_thread_info()->pcb); +- return; +- + case 5: /* illoc */ + default: /* unexpected instruction-fault type */ + ; diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch new file mode 100644 index 00000000000..e63b5cc1b95 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch @@ -0,0 +1,35 @@ +From ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= +Date: Thu, 23 Feb 2023 08:47:48 +0100 +Subject: ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +commit ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 upstream. + +HP EliteDesk 800 G6 Tower PC (103c:870c) requires a quirk for enabling +headset-mic. + +Signed-off-by: Łukasz Stelmach +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217008 +Link: https://lore.kernel.org/r/20230223074749.1026060-1-l.stelmach@samsung.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11617,6 +11617,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), ++ SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2), diff --git a/queue-6.1/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch b/queue-6.1/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch new file mode 100644 index 00000000000..68d90628767 --- /dev/null +++ b/queue-6.1/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch @@ -0,0 +1,48 @@ +From 951606a14a8901e3551fe4d8d3cedd73fe954ce1 Mon Sep 17 00:00:00 2001 +From: Dmitry Fomin +Date: Sat, 25 Feb 2023 21:43:21 +0300 +Subject: ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls() + +From: Dmitry Fomin + +commit 951606a14a8901e3551fe4d8d3cedd73fe954ce1 upstream. + +If snd_ctl_add() fails in aureon_add_controls(), it immediately returns +and leaves ice->gpio_mutex locked. ice->gpio_mutex locks in +snd_ice1712_save_gpio_status and unlocks in +snd_ice1712_restore_gpio_status(ice). + +It seems that the mutex is required only for aureon_cs8415_get(), +so snd_ice1712_restore_gpio_status(ice) can be placed +just after that. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Dmitry Fomin +Cc: +Link: https://lore.kernel.org/r/20230225184322.6286-1-fomindmitriyfoma@mail.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ice1712/aureon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ice1712/aureon.c ++++ b/sound/pci/ice1712/aureon.c +@@ -1892,6 +1892,7 @@ static int aureon_add_controls(struct sn + unsigned char id; + snd_ice1712_save_gpio_status(ice); + id = aureon_cs8415_get(ice, CS8415_ID); ++ snd_ice1712_restore_gpio_status(ice); + if (id != 0x41) + dev_info(ice->card->dev, + "No CS8415 chip. Skipping CS8415 controls.\n"); +@@ -1909,7 +1910,6 @@ static int aureon_add_controls(struct sn + kctl->id.device = ice->pcm->device; + } + } +- snd_ice1712_restore_gpio_status(ice); + } + + return 0; diff --git a/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch new file mode 100644 index 00000000000..b7a06f441ae --- /dev/null +++ b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch @@ -0,0 +1,32 @@ +From 8e4505e617a80f601e2f53a917611777f128f925 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:36 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Exynos4 + +From: Krzysztof Kozlowski + +commit 8e4505e617a80f601e2f53a917611777f128f925 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. + +Fixes: 328829a6ad70 ("ARM: dts: define default thermal-zones for exynos4") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos4-cpu-thermal.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi ++++ b/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi +@@ -10,7 +10,7 @@ + / { + thermal-zones { + cpu_thermal: cpu-thermal { +- thermal-sensors = <&tmu 0>; ++ thermal-sensors = <&tmu>; + polling-delay-passive = <0>; + polling-delay = <0>; + trips { diff --git a/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch new file mode 100644 index 00000000000..57cc3a9af8c --- /dev/null +++ b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch @@ -0,0 +1,33 @@ +From 408ab6786dbf6dd696488054c9559681112ef994 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:37 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Exynos4210 + +From: Krzysztof Kozlowski + +commit 408ab6786dbf6dd696488054c9559681112ef994 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. Since thermal-sensors property is +already defined in included exynos4-cpu-thermal.dtsi, drop it from +exynos4210.dtsi to fix the error and remoev redundancy. + +Fixes: 9843a2236003 ("ARM: dts: Provide dt bindings identical for Exynos TMU") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos4210.dtsi | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos4210.dtsi ++++ b/arch/arm/boot/dts/exynos4210.dtsi +@@ -393,7 +393,6 @@ + &cpu_thermal { + polling-delay-passive = <0>; + polling-delay = <0>; +- thermal-sensors = <&tmu 0>; + }; + + &gic { diff --git a/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch new file mode 100644 index 00000000000..5b414ff139c --- /dev/null +++ b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch @@ -0,0 +1,32 @@ +From 33e2c595e2e4016991ead44933a29d1ef93d5f26 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:38 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Exynos5250 + +From: Krzysztof Kozlowski + +commit 33e2c595e2e4016991ead44933a29d1ef93d5f26 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. + +Cc: +Fixes: 9843a2236003 ("ARM: dts: Provide dt bindings identical for Exynos TMU") +Link: https://lore.kernel.org/r/20230209105841.779596-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5250.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos5250.dtsi ++++ b/arch/arm/boot/dts/exynos5250.dtsi +@@ -1107,7 +1107,7 @@ + &cpu_thermal { + polling-delay-passive = <0>; + polling-delay = <0>; +- thermal-sensors = <&tmu 0>; ++ thermal-sensors = <&tmu>; + + cooling-maps { + map0 { diff --git a/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch new file mode 100644 index 00000000000..48f80bd2ef3 --- /dev/null +++ b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch @@ -0,0 +1,77 @@ +From 2e3d0e20d8456f876607a8af61fdb83dfbf98cb6 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:40 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Odroid HC1 + +From: Krzysztof Kozlowski + +commit 2e3d0e20d8456f876607a8af61fdb83dfbf98cb6 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. This was not critical before, +but since rework of thermal Devicetree initialization in the +commit 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree +initialization"), this leads to errors registering thermal zones other +than first one: + + thermal_sys: cpu0-thermal: Failed to read thermal-sensors cells: -2 + thermal_sys: Failed to find thermal zone for tmu id=0 + exynos-tmu 10064000.tmu: Failed to register sensor: -2 + exynos-tmu: probe of 10064000.tmu failed with error -2 + +Fixes: 1ac49427b566 ("ARM: dts: exynos: Add support for Hardkernel's Odroid HC1 board") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-5-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5422-odroidhc1.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/exynos5422-odroidhc1.dts ++++ b/arch/arm/boot/dts/exynos5422-odroidhc1.dts +@@ -31,7 +31,7 @@ + + thermal-zones { + cpu0_thermal: cpu0-thermal { +- thermal-sensors = <&tmu_cpu0 0>; ++ thermal-sensors = <&tmu_cpu0>; + trips { + cpu0_alert0: cpu-alert-0 { + temperature = <70000>; /* millicelsius */ +@@ -86,7 +86,7 @@ + }; + }; + cpu1_thermal: cpu1-thermal { +- thermal-sensors = <&tmu_cpu1 0>; ++ thermal-sensors = <&tmu_cpu1>; + trips { + cpu1_alert0: cpu-alert-0 { + temperature = <70000>; +@@ -130,7 +130,7 @@ + }; + }; + cpu2_thermal: cpu2-thermal { +- thermal-sensors = <&tmu_cpu2 0>; ++ thermal-sensors = <&tmu_cpu2>; + trips { + cpu2_alert0: cpu-alert-0 { + temperature = <70000>; +@@ -174,7 +174,7 @@ + }; + }; + cpu3_thermal: cpu3-thermal { +- thermal-sensors = <&tmu_cpu3 0>; ++ thermal-sensors = <&tmu_cpu3>; + trips { + cpu3_alert0: cpu-alert-0 { + temperature = <70000>; +@@ -218,7 +218,7 @@ + }; + }; + gpu_thermal: gpu-thermal { +- thermal-sensors = <&tmu_gpu 0>; ++ thermal-sensors = <&tmu_gpu>; + trips { + gpu_alert0: gpu-alert-0 { + temperature = <70000>; diff --git a/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch new file mode 100644 index 00000000000..c7148a73c1a --- /dev/null +++ b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch @@ -0,0 +1,33 @@ +From 9372eca505e7a19934d750b4b4c89a3652738e66 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:39 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Odroid XU + +From: Krzysztof Kozlowski + +commit 9372eca505e7a19934d750b4b4c89a3652738e66 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. Since thermal-sensors property +is already defined in included exynosi5410.dtsi, drop it from +exynos5410-odroidxu.dts to fix the error and remoev redundancy. + +Fixes: 88644b4c750b ("ARM: dts: exynos: Configure PWM, usb3503, PMIC and thermal on Odroid XU board") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5410-odroidxu.dts | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos5410-odroidxu.dts ++++ b/arch/arm/boot/dts/exynos5410-odroidxu.dts +@@ -120,7 +120,6 @@ + }; + + &cpu0_thermal { +- thermal-sensors = <&tmu_cpu0 0>; + polling-delay-passive = <0>; + polling-delay = <0>; + diff --git a/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch new file mode 100644 index 00000000000..7126e01f44b --- /dev/null +++ b/queue-6.1/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch @@ -0,0 +1,77 @@ +From a3583e92d188ec6c58c7f603ac5e72dd8a11c21a Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:41 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Odroid XU3 family + +From: Krzysztof Kozlowski + +commit a3583e92d188ec6c58c7f603ac5e72dd8a11c21a upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. This was not critical before, +but since rework of thermal Devicetree initialization in the +commit 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree +initialization"), this leads to errors registering thermal zones other +than first one: + + thermal_sys: cpu0-thermal: Failed to read thermal-sensors cells: -2 + thermal_sys: Failed to find thermal zone for tmu id=0 + exynos-tmu 10064000.tmu: Failed to register sensor: -2 + exynos-tmu: probe of 10064000.tmu failed with error -2 + +Fixes: f1722d7dd8b8 ("ARM: dts: Define default thermal-zones for exynos5422") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-6-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi ++++ b/arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi +@@ -50,7 +50,7 @@ + + thermal-zones { + cpu0_thermal: cpu0-thermal { +- thermal-sensors = <&tmu_cpu0 0>; ++ thermal-sensors = <&tmu_cpu0>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -139,7 +139,7 @@ + }; + }; + cpu1_thermal: cpu1-thermal { +- thermal-sensors = <&tmu_cpu1 0>; ++ thermal-sensors = <&tmu_cpu1>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -212,7 +212,7 @@ + }; + }; + cpu2_thermal: cpu2-thermal { +- thermal-sensors = <&tmu_cpu2 0>; ++ thermal-sensors = <&tmu_cpu2>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -285,7 +285,7 @@ + }; + }; + cpu3_thermal: cpu3-thermal { +- thermal-sensors = <&tmu_cpu3 0>; ++ thermal-sensors = <&tmu_cpu3>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -358,7 +358,7 @@ + }; + }; + gpu_thermal: gpu-thermal { +- thermal-sensors = <&tmu_gpu 0>; ++ thermal-sensors = <&tmu_gpu>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { diff --git a/queue-6.1/arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch b/queue-6.1/arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch new file mode 100644 index 00000000000..e0146b9cff8 --- /dev/null +++ b/queue-6.1/arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch @@ -0,0 +1,34 @@ +From af4ab377543853b690cc85b4c46cf976ab560dc2 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Mon, 23 Jan 2023 18:49:30 +0530 +Subject: ARM: dts: qcom: sdx55: Add Qcom SMMU-500 as the fallback for IOMMU node + +From: Manivannan Sadhasivam + +commit af4ab377543853b690cc85b4c46cf976ab560dc2 upstream. + +SDX55 uses the Qcom version of the SMMU-500 IP. So use "qcom,smmu-500" +compatible as the fallback to the SoC specific compatible. + +Cc: # 5.12 +Fixes: a2bdfdfba2af ("ARM: dts: qcom: sdx55: Enable ARM SMMU") +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230123131931.263024-3-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom-sdx55.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/qcom-sdx55.dtsi ++++ b/arch/arm/boot/dts/qcom-sdx55.dtsi +@@ -577,7 +577,7 @@ + }; + + apps_smmu: iommu@15000000 { +- compatible = "qcom,sdx55-smmu-500", "arm,mmu-500"; ++ compatible = "qcom,sdx55-smmu-500", "qcom,smmu-500", "arm,mmu-500"; + reg = <0x15000000 0x20000>; + #iommu-cells = <2>; + #global-interrupts = <1>; diff --git a/queue-6.1/arm-dts-qcom-sdx65-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch b/queue-6.1/arm-dts-qcom-sdx65-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch new file mode 100644 index 00000000000..102d6bf6d67 --- /dev/null +++ b/queue-6.1/arm-dts-qcom-sdx65-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch @@ -0,0 +1,34 @@ +From 157178a7912e00a0aa0371dc9041952c1a21d112 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Mon, 23 Jan 2023 18:49:31 +0530 +Subject: ARM: dts: qcom: sdx65: Add Qcom SMMU-500 as the fallback for IOMMU node + +From: Manivannan Sadhasivam + +commit 157178a7912e00a0aa0371dc9041952c1a21d112 upstream. + +SDX65 uses the Qcom version of the SMMU-500 IP. So use "qcom,smmu-500" +compatible as the fallback to the SoC specific compatible. + +Cc: # 5.19 +Fixes: 98187f7b74bf ("ARM: dts: qcom: sdx65: Enable ARM SMMU") +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230123131931.263024-4-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom-sdx65.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/qcom-sdx65.dtsi ++++ b/arch/arm/boot/dts/qcom-sdx65.dtsi +@@ -455,7 +455,7 @@ + }; + + apps_smmu: iommu@15000000 { +- compatible = "qcom,sdx65-smmu-500", "arm,mmu-500"; ++ compatible = "qcom,sdx65-smmu-500", "qcom,smmu-500", "arm,mmu-500"; + reg = <0x15000000 0x40000>; + #iommu-cells = <2>; + #global-interrupts = <1>; diff --git a/queue-6.1/arm64-mm-hugetlb-disable-hugetlb_page_optimize_vmemmap.patch b/queue-6.1/arm64-mm-hugetlb-disable-hugetlb_page_optimize_vmemmap.patch new file mode 100644 index 00000000000..5ad1cab2549 --- /dev/null +++ b/queue-6.1/arm64-mm-hugetlb-disable-hugetlb_page_optimize_vmemmap.patch @@ -0,0 +1,52 @@ +From 060a2c92d1b627c86c5c42ca69baf00457c00c5a Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Wed, 22 Feb 2023 17:52:32 +0000 +Subject: arm64: mm: hugetlb: Disable HUGETLB_PAGE_OPTIMIZE_VMEMMAP + +From: Catalin Marinas + +commit 060a2c92d1b627c86c5c42ca69baf00457c00c5a upstream. + +Revert the HUGETLB_PAGE_FREE_VMEMMAP selection from commit 1e63ac088f20 +("arm64: mm: hugetlb: enable HUGETLB_PAGE_FREE_VMEMMAP for arm64") but +keep the flush_dcache_page() compound_head() change as it aligns with +the corresponding check in the __sync_icache_dcache() function. + +The original config option was renamed in commit 47010c040dec ("mm: +hugetlb_vmemmap: cleanup CONFIG_HUGETLB_PAGE_FREE_VMEMMAP*") to +HUGETLB_PAGE_OPTIMIZE_VMEMMAP and the flush_dcache_page() check was +further simplified by commit 2da1c30929a2 ("mm: hugetlb_vmemmap: delete +hugetlb_optimize_vmemmap_enabled()"). + +The reason for the revert is that the generic vmemmap_remap_pte() +function changes both the permissions (writeable to read-only) and the +output address (pfn) of the vmemmap ptes. This is deemed UNPREDICTABLE +by the Arm architecture without a break-before-make sequence (make the +PTE invalid, TLBI, write the new valid PTE). However, such sequence is +not possible since the vmemmap may be concurrently accessed by the +kernel. Disable the optimisation until a better solution is found. + +Fixes: 1e63ac088f20 ("arm64: mm: hugetlb: enable HUGETLB_PAGE_FREE_VMEMMAP for arm64") +Cc: # 5.19.x +Cc: Muchun Song +Cc: Will Deacon +Cc: Anshuman Khandual +Link: https://lore.kernel.org/r/Y9pZALdn3pKiJUeQ@arm.com +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20230222175232.540851-1-catalin.marinas@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -98,7 +98,6 @@ config ARM64 + select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT + select ARCH_WANT_FRAME_POINTERS + select ARCH_WANT_HUGE_PMD_SHARE if ARM64_4K_PAGES || (ARM64_16K_PAGES && !ARM64_VA_BITS_36) +- select ARCH_WANT_HUGETLB_PAGE_OPTIMIZE_VMEMMAP + select ARCH_WANT_LD_ORPHAN_WARN + select ARCH_WANTS_NO_INSTR + select ARCH_WANTS_THP_SWAP if ARM64_4K_PAGES diff --git a/queue-6.1/block-fix-scan-partition-for-exclusively-open-device-again.patch b/queue-6.1/block-fix-scan-partition-for-exclusively-open-device-again.patch new file mode 100644 index 00000000000..782a2ae5b7f --- /dev/null +++ b/queue-6.1/block-fix-scan-partition-for-exclusively-open-device-again.patch @@ -0,0 +1,97 @@ +From e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Fri, 17 Feb 2023 10:22:00 +0800 +Subject: block: fix scan partition for exclusively open device again + +From: Yu Kuai + +commit e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f upstream. + +As explained in commit 36369f46e917 ("block: Do not reread partition table +on exclusively open device"), reread partition on the device that is +exclusively opened by someone else is problematic. + +This patch will make sure partition scan will only be proceed if current +thread open the device exclusively, or the device is not opened +exclusively, and in the later case, other scanners and exclusive openers +will be blocked temporarily until partition scan is done. + +Fixes: 10c70d95c0f2 ("block: remove the bd_openers checks in blk_drop_partitions") +Cc: +Suggested-by: Jan Kara +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230217022200.3092987-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/genhd.c | 30 ++++++++++++++++++++++++++---- + block/ioctl.c | 3 +-- + 2 files changed, 27 insertions(+), 6 deletions(-) + +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -359,6 +359,7 @@ EXPORT_SYMBOL_GPL(disk_uevent); + int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner) + { + struct block_device *bdev; ++ int ret = 0; + + if (disk->flags & (GENHD_FL_NO_PART | GENHD_FL_HIDDEN)) + return -EINVAL; +@@ -371,11 +372,27 @@ int disk_scan_partitions(struct gendisk + return -EBUSY; + + set_bit(GD_NEED_PART_SCAN, &disk->state); +- bdev = blkdev_get_by_dev(disk_devt(disk), mode, NULL); ++ /* ++ * If the device is opened exclusively by current thread already, it's ++ * safe to scan partitons, otherwise, use bd_prepare_to_claim() to ++ * synchronize with other exclusive openers and other partition ++ * scanners. ++ */ ++ if (!(mode & FMODE_EXCL)) { ++ ret = bd_prepare_to_claim(disk->part0, disk_scan_partitions); ++ if (ret) ++ return ret; ++ } ++ ++ bdev = blkdev_get_by_dev(disk_devt(disk), mode & ~FMODE_EXCL, NULL); + if (IS_ERR(bdev)) +- return PTR_ERR(bdev); +- blkdev_put(bdev, mode); +- return 0; ++ ret = PTR_ERR(bdev); ++ else ++ blkdev_put(bdev, mode); ++ ++ if (!(mode & FMODE_EXCL)) ++ bd_abort_claiming(disk->part0, disk_scan_partitions); ++ return ret; + } + + /** +@@ -501,6 +518,11 @@ int __must_check device_add_disk(struct + if (ret) + goto out_unregister_bdi; + ++ /* Make sure the first partition scan will be proceed */ ++ if (get_capacity(disk) && !(disk->flags & GENHD_FL_NO_PART) && ++ !test_bit(GD_SUPPRESS_PART_SCAN, &disk->state)) ++ set_bit(GD_NEED_PART_SCAN, &disk->state); ++ + bdev_add(disk->part0, ddev->devt); + if (get_capacity(disk)) + disk_scan_partitions(disk, FMODE_READ, NULL); +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -528,8 +528,7 @@ static int blkdev_common_ioctl(struct fi + return -EACCES; + if (bdev_is_partition(bdev)) + return -EINVAL; +- return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL, +- file); ++ return disk_scan_partitions(bdev->bd_disk, mode, file); + case BLKTRACESTART: + case BLKTRACESTOP: + case BLKTRACETEARDOWN: diff --git a/queue-6.1/ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch b/queue-6.1/ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch new file mode 100644 index 00000000000..e9cf4ad2fa4 --- /dev/null +++ b/queue-6.1/ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch @@ -0,0 +1,61 @@ +From e027253c4b77d395798600a90b6a96fe4adf4d5e Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Mon, 13 Feb 2023 13:56:20 +0800 +Subject: ceph: update the time stamps and try to drop the suid/sgid + +From: Xiubo Li + +commit e027253c4b77d395798600a90b6a96fe4adf4d5e upstream. + +The fallocate will try to clear the suid/sgid if a unprevileged user +changed the file. + +There is no POSIX item requires that we should clear the suid/sgid +in fallocate code path but this is the default behaviour for most of +the filesystems and the VFS layer. And also the same for the write +code path, which have already support it. + +And also we need to update the time stamps since the fallocate will +change the file contents. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/58054 +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/file.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -2095,6 +2095,9 @@ static long ceph_fallocate(struct file * + loff_t endoff = 0; + loff_t size; + ++ dout("%s %p %llx.%llx mode %x, offset %llu length %llu\n", __func__, ++ inode, ceph_vinop(inode), mode, offset, length); ++ + if (mode != (FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) + return -EOPNOTSUPP; + +@@ -2129,6 +2132,10 @@ static long ceph_fallocate(struct file * + if (ret < 0) + goto unlock; + ++ ret = file_modified(file); ++ if (ret) ++ goto put_caps; ++ + filemap_invalidate_lock(inode->i_mapping); + ceph_fscache_invalidate(inode, false); + ceph_zero_pagecache_range(inode, offset, length); +@@ -2144,6 +2151,7 @@ static long ceph_fallocate(struct file * + } + filemap_invalidate_unlock(inode->i_mapping); + ++put_caps: + ceph_put_cap_refs(ci, got); + unlock: + inode_unlock(inode); diff --git a/queue-6.1/cpuidle-add-arch_suspend_possible-dependencies.patch b/queue-6.1/cpuidle-add-arch_suspend_possible-dependencies.patch new file mode 100644 index 00000000000..cd1b6e5fe4a --- /dev/null +++ b/queue-6.1/cpuidle-add-arch_suspend_possible-dependencies.patch @@ -0,0 +1,55 @@ +From 7787943a3a8ade6594a68db28c166adbb1d3708c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 6 Feb 2023 20:33:06 +0100 +Subject: cpuidle: add ARCH_SUSPEND_POSSIBLE dependencies + +From: Arnd Bergmann + +commit 7787943a3a8ade6594a68db28c166adbb1d3708c upstream. + +Some ARMv4 processors don't support suspend, which leads +to a build failure with the tegra and qualcomm cpuidle driver: + +WARNING: unmet direct dependencies detected for ARM_CPU_SUSPEND + Depends on [n]: ARCH_SUSPEND_POSSIBLE [=n] + Selected by [y]: + - ARM_TEGRA_CPUIDLE [=y] && CPU_IDLE [=y] && (ARM [=y] || ARM64) && (ARCH_TEGRA [=n] || COMPILE_TEST [=y]) && !ARM64 && MMU [=y] + +arch/arm/kernel/sleep.o: in function `__cpu_suspend': +(.text+0x68): undefined reference to `cpu_sa110_suspend_size' +(.text+0x68): undefined reference to `cpu_fa526_suspend_size' + +Add an explicit dependency to make randconfig builds avoid +this combination. + +Fixes: faae6c9f2e68 ("cpuidle: tegra: Enable compile testing") +Fixes: a871be6b8eee ("cpuidle: Convert Qualcomm SPM driver to a generic CPUidle driver") +Link: https://lore.kernel.org/all/20211013160125.772873-1-arnd@kernel.org/ +Cc: All applicable +Reviewed-by: Dmitry Osipenko +Signed-off-by: Arnd Bergmann +Acked-by: Thierry Reding +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/Kconfig.arm | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/cpuidle/Kconfig.arm ++++ b/drivers/cpuidle/Kconfig.arm +@@ -102,6 +102,7 @@ config ARM_MVEBU_V7_CPUIDLE + config ARM_TEGRA_CPUIDLE + bool "CPU Idle Driver for NVIDIA Tegra SoCs" + depends on (ARCH_TEGRA || COMPILE_TEST) && !ARM64 && MMU ++ depends on ARCH_SUSPEND_POSSIBLE + select ARCH_NEEDS_CPU_IDLE_COUPLED if SMP + select ARM_CPU_SUSPEND + help +@@ -110,6 +111,7 @@ config ARM_TEGRA_CPUIDLE + config ARM_QCOM_SPM_CPUIDLE + bool "CPU Idle Driver for Qualcomm Subsystem Power Manager (SPM)" + depends on (ARCH_QCOM || COMPILE_TEST) && !ARM64 && MMU ++ depends on ARCH_SUSPEND_POSSIBLE + select ARM_CPU_SUSPEND + select CPU_IDLE_MULTIPLE_DRIVERS + select DT_IDLE_STATES diff --git a/queue-6.1/cxl-pmem-fix-nvdimm-registration-races.patch b/queue-6.1/cxl-pmem-fix-nvdimm-registration-races.patch new file mode 100644 index 00000000000..ed79f581afa --- /dev/null +++ b/queue-6.1/cxl-pmem-fix-nvdimm-registration-races.patch @@ -0,0 +1,141 @@ +From f57aec443c24d2e8e1f3b5b4856aea12ddda4254 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Mon, 13 Feb 2023 17:01:05 -0800 +Subject: cxl/pmem: Fix nvdimm registration races + +From: Dan Williams + +commit f57aec443c24d2e8e1f3b5b4856aea12ddda4254 upstream. + +A loop of the form: + + while true; do modprobe cxl_pci; modprobe -r cxl_pci; done + +...fails with the following crash signature: + + BUG: kernel NULL pointer dereference, address: 0000000000000040 + [..] + RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core] + [..] + Call Trace: + + cxl_pmem_ctl+0x121/0x240 [cxl_pmem] + nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm] + nd_label_data_init+0x135/0x7e0 [libnvdimm] + nvdimm_probe+0xd6/0x1c0 [libnvdimm] + nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm] + really_probe+0xde/0x380 + __driver_probe_device+0x78/0x170 + driver_probe_device+0x1f/0x90 + __device_attach_driver+0x85/0x110 + bus_for_each_drv+0x7d/0xc0 + __device_attach+0xb4/0x1e0 + bus_probe_device+0x9f/0xc0 + device_add+0x445/0x9c0 + nd_async_device_register+0xe/0x40 [libnvdimm] + async_run_entry_fn+0x30/0x130 + +...namely that the bottom half of async nvdimm device registration runs +after the CXL has already torn down the context that cxl_pmem_ctl() +needs. Unlike the ACPI NFIT case that benefits from launching multiple +nvdimm device registrations in parallel from those listed in the table, +CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a +synchronous registration path to preclude this scenario. + +Fixes: 21083f51521f ("cxl/pmem: Register 'pmem' / cxl_nvdimm devices") +Cc: +Reported-by: Dave Jiang +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cxl/pmem.c | 1 + + drivers/nvdimm/bus.c | 19 ++++++++++++++++--- + drivers/nvdimm/dimm_devs.c | 5 ++++- + drivers/nvdimm/nd-core.h | 1 + + include/linux/libnvdimm.h | 3 +++ + 5 files changed, 25 insertions(+), 4 deletions(-) + +--- a/drivers/cxl/pmem.c ++++ b/drivers/cxl/pmem.c +@@ -75,6 +75,7 @@ static int cxl_nvdimm_probe(struct devic + goto out; + + set_bit(NDD_LABELING, &flags); ++ set_bit(NDD_REGISTER_SYNC, &flags); + set_bit(ND_CMD_GET_CONFIG_SIZE, &cmd_mask); + set_bit(ND_CMD_GET_CONFIG_DATA, &cmd_mask); + set_bit(ND_CMD_SET_CONFIG_DATA, &cmd_mask); +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -508,7 +508,7 @@ static void nd_async_device_unregister(v + put_device(dev); + } + +-void nd_device_register(struct device *dev) ++static void __nd_device_register(struct device *dev, bool sync) + { + if (!dev) + return; +@@ -531,11 +531,24 @@ void nd_device_register(struct device *d + } + get_device(dev); + +- async_schedule_dev_domain(nd_async_device_register, dev, +- &nd_async_domain); ++ if (sync) ++ nd_async_device_register(dev, 0); ++ else ++ async_schedule_dev_domain(nd_async_device_register, dev, ++ &nd_async_domain); ++} ++ ++void nd_device_register(struct device *dev) ++{ ++ __nd_device_register(dev, false); + } + EXPORT_SYMBOL(nd_device_register); + ++void nd_device_register_sync(struct device *dev) ++{ ++ __nd_device_register(dev, true); ++} ++ + void nd_device_unregister(struct device *dev, enum nd_async_mode mode) + { + bool killed; +--- a/drivers/nvdimm/dimm_devs.c ++++ b/drivers/nvdimm/dimm_devs.c +@@ -617,7 +617,10 @@ struct nvdimm *__nvdimm_create(struct nv + nvdimm->sec.ext_flags = nvdimm_security_flags(nvdimm, NVDIMM_MASTER); + device_initialize(dev); + lockdep_set_class(&dev->mutex, &nvdimm_key); +- nd_device_register(dev); ++ if (test_bit(NDD_REGISTER_SYNC, &flags)) ++ nd_device_register_sync(dev); ++ else ++ nd_device_register(dev); + + return nvdimm; + } +--- a/drivers/nvdimm/nd-core.h ++++ b/drivers/nvdimm/nd-core.h +@@ -107,6 +107,7 @@ int nvdimm_bus_create_ndctl(struct nvdim + void nvdimm_bus_destroy_ndctl(struct nvdimm_bus *nvdimm_bus); + void nd_synchronize(void); + void nd_device_register(struct device *dev); ++void nd_device_register_sync(struct device *dev); + struct nd_label_id; + char *nd_label_gen_id(struct nd_label_id *label_id, const uuid_t *uuid, + u32 flags); +--- a/include/linux/libnvdimm.h ++++ b/include/linux/libnvdimm.h +@@ -36,6 +36,9 @@ enum { + /* dimm supports namespace labels */ + NDD_LABELING = 6, + ++ /* dimm provider wants synchronous registration by __nvdimm_create() */ ++ NDD_REGISTER_SYNC = 8, ++ + /* need to set a limit somewhere, but yes, this is likely overkill */ + ND_IOCTL_MAX_BUFLEN = SZ_4M, + ND_CMD_MAX_ELEM = 5, diff --git a/queue-6.1/dax-kmem-fix-leak-of-memory-hotplug-resources.patch b/queue-6.1/dax-kmem-fix-leak-of-memory-hotplug-resources.patch new file mode 100644 index 00000000000..c4abf2db635 --- /dev/null +++ b/queue-6.1/dax-kmem-fix-leak-of-memory-hotplug-resources.patch @@ -0,0 +1,136 @@ +From e686c32590f40bffc45f105c04c836ffad3e531a Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 16 Feb 2023 00:36:02 -0800 +Subject: dax/kmem: Fix leak of memory-hotplug resources + +From: Dan Williams + +commit e686c32590f40bffc45f105c04c836ffad3e531a upstream. + +While experimenting with CXL region removal the following corruption of +/proc/iomem appeared. + +Before: +f010000000-f04fffffff : CXL Window 0 + f010000000-f02fffffff : region4 + f010000000-f02fffffff : dax4.0 + f010000000-f02fffffff : System RAM (kmem) + +After (modprobe -r cxl_test): +f010000000-f02fffffff : **redacted binary garbage** + f010000000-f02fffffff : System RAM (kmem) + +...and testing further the same is visible with persistent memory +assigned to kmem: + +Before: +480000000-243fffffff : Persistent Memory + 480000000-57e1fffff : namespace3.0 + 580000000-243fffffff : dax3.0 + 580000000-243fffffff : System RAM (kmem) + +After (ndctl disable-region all): +480000000-243fffffff : Persistent Memory + 580000000-243fffffff : ***redacted binary garbage*** + 580000000-243fffffff : System RAM (kmem) + +The corrupted data is from a use-after-free of the "dax4.0" and "dax3.0" +resources, and it also shows that the "System RAM (kmem)" resource is +not being removed. The bug does not appear after "modprobe -r kmem", it +requires the parent of "dax4.0" and "dax3.0" to be removed which +re-parents the leaked "System RAM (kmem)" instances. Those in turn +reference the freed resource as a parent. + +First up for the fix is release_mem_region_adjustable() needs to +reliably delete the resource inserted by add_memory_driver_managed(). +That is thwarted by a check for IORESOURCE_SYSRAM that predates the +dax/kmem driver, from commit: + +65c78784135f ("kernel, resource: check for IORESOURCE_SYSRAM in release_mem_region_adjustable") + +That appears to be working around the behavior of HMM's +"MEMORY_DEVICE_PUBLIC" facility that has since been deleted. With that +check removed the "System RAM (kmem)" resource gets removed, but +corruption still occurs occasionally because the "dax" resource is not +reliably removed. + +The dax range information is freed before the device is unregistered, so +the driver can not reliably recall (another use after free) what it is +meant to release. Lastly if that use after free got lucky, the driver +was covering up the leak of "System RAM (kmem)" due to its use of +release_resource() which detaches, but does not free, child resources. +The switch to remove_resource() forces remove_memory() to be responsible +for the deletion of the resource added by add_memory_driver_managed(). + +Fixes: c2f3011ee697 ("device-dax: add an allocation interface for device-dax instances") +Cc: +Cc: Oscar Salvador +Cc: David Hildenbrand +Cc: Pavel Tatashin +Reviewed-by: Vishal Verma +Reviewed-by: Pasha Tatashin +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/167653656244.3147810.5705900882794040229.stgit@dwillia2-xfh.jf.intel.com +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dax/bus.c | 2 +- + drivers/dax/kmem.c | 4 ++-- + kernel/resource.c | 14 -------------- + 3 files changed, 3 insertions(+), 17 deletions(-) + +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -427,8 +427,8 @@ static void unregister_dev_dax(void *dev + dev_dbg(dev, "%s\n", __func__); + + kill_dev_dax(dev_dax); +- free_dev_dax_ranges(dev_dax); + device_del(dev); ++ free_dev_dax_ranges(dev_dax); + put_device(dev); + } + +--- a/drivers/dax/kmem.c ++++ b/drivers/dax/kmem.c +@@ -146,7 +146,7 @@ static int dev_dax_kmem_probe(struct dev + if (rc) { + dev_warn(dev, "mapping%d: %#llx-%#llx memory add failed\n", + i, range.start, range.end); +- release_resource(res); ++ remove_resource(res); + kfree(res); + data->res[i] = NULL; + if (mapped) +@@ -195,7 +195,7 @@ static void dev_dax_kmem_remove(struct d + + rc = remove_memory(range.start, range_len(&range)); + if (rc == 0) { +- release_resource(data->res[i]); ++ remove_resource(data->res[i]); + kfree(data->res[i]); + data->res[i] = NULL; + success++; +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -1345,20 +1345,6 @@ retry: + continue; + } + +- /* +- * All memory regions added from memory-hotplug path have the +- * flag IORESOURCE_SYSTEM_RAM. If the resource does not have +- * this flag, we know that we are dealing with a resource coming +- * from HMM/devm. HMM/devm use another mechanism to add/release +- * a resource. This goes via devm_request_mem_region and +- * devm_release_mem_region. +- * HMM/devm take care to release their resources when they want, +- * so if we are dealing with them, let us just back off here. +- */ +- if (!(res->flags & IORESOURCE_SYSRAM)) { +- break; +- } +- + if (!(res->flags & IORESOURCE_MEM)) + break; + diff --git a/queue-6.1/dm-add-cond_resched-to-dm_wq_requeue_work.patch b/queue-6.1/dm-add-cond_resched-to-dm_wq_requeue_work.patch new file mode 100644 index 00000000000..983989f8a86 --- /dev/null +++ b/queue-6.1/dm-add-cond_resched-to-dm_wq_requeue_work.patch @@ -0,0 +1,31 @@ +From f77692d65d54665d81815349cc727baa85e8b71d Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Thu, 16 Feb 2023 12:10:05 -0500 +Subject: dm: add cond_resched() to dm_wq_requeue_work() + +From: Mike Snitzer + +commit f77692d65d54665d81815349cc727baa85e8b71d upstream. + +Otherwise the while() loop in dm_wq_requeue_work() can result in a +"dead loop" on systems that have preemption disabled. This is +particularly problematic on single cpu systems. + +Fixes: 8b211aaccb915 ("dm: add two stage requeue mechanism") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1020,6 +1020,7 @@ static void dm_wq_requeue_work(struct wo + io->next = NULL; + __dm_io_complete(io, false); + io = next; ++ cond_resched(); + } + } + diff --git a/queue-6.1/dm-add-cond_resched-to-dm_wq_work.patch b/queue-6.1/dm-add-cond_resched-to-dm_wq_work.patch new file mode 100644 index 00000000000..82d9422dc15 --- /dev/null +++ b/queue-6.1/dm-add-cond_resched-to-dm_wq_work.patch @@ -0,0 +1,32 @@ +From 0ca44fcef241768fd25ee763b3d203b9852f269b Mon Sep 17 00:00:00 2001 +From: Pingfan Liu +Date: Wed, 15 Feb 2023 19:23:40 +0800 +Subject: dm: add cond_resched() to dm_wq_work() + +From: Pingfan Liu + +commit 0ca44fcef241768fd25ee763b3d203b9852f269b upstream. + +Otherwise the while() loop in dm_wq_work() can result in a "dead +loop" on systems that have preemption disabled. This is particularly +problematic on single cpu systems. + +Cc: stable@vger.kernel.org +Signed-off-by: Pingfan Liu +Acked-by: Ming Lei +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2578,6 +2578,7 @@ static void dm_wq_work(struct work_struc + break; + + submit_bio_noacct(bio); ++ cond_resched(); + } + } + diff --git a/queue-6.1/dm-cache-free-background-tracker-s-queued-work-in-btracker_destroy.patch b/queue-6.1/dm-cache-free-background-tracker-s-queued-work-in-btracker_destroy.patch new file mode 100644 index 00000000000..2c884e5ba59 --- /dev/null +++ b/queue-6.1/dm-cache-free-background-tracker-s-queued-work-in-btracker_destroy.patch @@ -0,0 +1,84 @@ +From 95ab80a8a0fef2ce0cc494a306dd283948066ce7 Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Thu, 26 Jan 2023 09:59:10 +0000 +Subject: dm cache: free background tracker's queued work in btracker_destroy + +From: Joe Thornber + +commit 95ab80a8a0fef2ce0cc494a306dd283948066ce7 upstream. + +Otherwise the kernel can BUG with: + +[ 2245.426978] ============================================================================= +[ 2245.435155] BUG bt_work (Tainted: G B W ): Objects remaining in bt_work on __kmem_cache_shutdown() +[ 2245.445233] ----------------------------------------------------------------------------- +[ 2245.445233] +[ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) +[ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G B W 6.0.0-rc2 #19 +[ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021 +[ 2245.483646] Call Trace: +[ 2245.486100] +[ 2245.488206] dump_stack_lvl+0x34/0x48 +[ 2245.491878] slab_err+0x95/0xcd +[ 2245.495028] __kmem_cache_shutdown.cold+0x31/0x136 +[ 2245.499821] kmem_cache_destroy+0x49/0x130 +[ 2245.503928] btracker_destroy+0x12/0x20 [dm_cache] +[ 2245.508728] smq_destroy+0x15/0x60 [dm_cache_smq] +[ 2245.513435] dm_cache_policy_destroy+0x12/0x20 [dm_cache] +[ 2245.518834] destroy+0xc0/0x110 [dm_cache] +[ 2245.522933] dm_table_destroy+0x5c/0x120 [dm_mod] +[ 2245.527649] __dm_destroy+0x10e/0x1c0 [dm_mod] +[ 2245.532102] dev_remove+0x117/0x190 [dm_mod] +[ 2245.536384] ctl_ioctl+0x1a2/0x290 [dm_mod] +[ 2245.540579] dm_ctl_ioctl+0xa/0x20 [dm_mod] +[ 2245.544773] __x64_sys_ioctl+0x8a/0xc0 +[ 2245.548524] do_syscall_64+0x5c/0x90 +[ 2245.552104] ? syscall_exit_to_user_mode+0x12/0x30 +[ 2245.556897] ? do_syscall_64+0x69/0x90 +[ 2245.560648] ? do_syscall_64+0x69/0x90 +[ 2245.564394] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 2245.569447] RIP: 0033:0x7fe52583ec6b +... +[ 2245.646771] ------------[ cut here ]------------ +[ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache] +[ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130 + +Found using: lvm2-testsuite --only "cache-single-split.sh" + +Ben bisected and found that commit 0495e337b703 ("mm/slab_common: +Deleting kobject in kmem_cache_destroy() without holding +slab_mutex/cpu_hotplug_lock") first exposed dm-cache's incomplete +cleanup of its background tracker work objects. + +Reported-by: Benjamin Marzinski +Tested-by: Benjamin Marzinski +Cc: stable@vger.kernel.org # 6.0+ +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-background-tracker.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/md/dm-cache-background-tracker.c b/drivers/md/dm-cache-background-tracker.c +index 84814e819e4c..7887f99b82bd 100644 +--- a/drivers/md/dm-cache-background-tracker.c ++++ b/drivers/md/dm-cache-background-tracker.c +@@ -60,6 +60,14 @@ EXPORT_SYMBOL_GPL(btracker_create); + + void btracker_destroy(struct background_tracker *b) + { ++ struct bt_work *w, *tmp; ++ ++ BUG_ON(!list_empty(&b->issued)); ++ list_for_each_entry_safe (w, tmp, &b->queued, list) { ++ list_del(&w->list); ++ kmem_cache_free(b->work_cache, w); ++ } ++ + kmem_cache_destroy(b->work_cache); + kfree(b); + } +-- +2.39.2 + diff --git a/queue-6.1/dm-flakey-don-t-corrupt-the-zero-page.patch b/queue-6.1/dm-flakey-don-t-corrupt-the-zero-page.patch new file mode 100644 index 00000000000..f75f76351f8 --- /dev/null +++ b/queue-6.1/dm-flakey-don-t-corrupt-the-zero-page.patch @@ -0,0 +1,46 @@ +From f50714b57aecb6b3dc81d578e295f86d9c73f078 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:02:57 -0500 +Subject: dm flakey: don't corrupt the zero page + +From: Mikulas Patocka + +commit f50714b57aecb6b3dc81d578e295f86d9c73f078 upstream. + +When we need to zero some range on a block device, the function +__blkdev_issue_zero_pages submits a write bio with the bio vector pointing +to the zero page. If we use dm-flakey with corrupt bio writes option, it +will corrupt the content of the zero page which results in crashes of +various userspace programs. Glibc assumes that memory returned by mmap is +zeroed and it uses it for calloc implementation; if the newly mapped +memory is not zeroed, calloc will return non-zeroed memory. + +Fix this bug by testing if the page is equal to ZERO_PAGE(0) and +avoiding the corruption in this case. + +Cc: stable@vger.kernel.org +Fixes: a00f5276e266 ("dm flakey: Properly corrupt multi-page bios.") +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -303,8 +303,11 @@ static void corrupt_bio_data(struct bio + */ + bio_for_each_segment(bvec, bio, iter) { + if (bio_iter_len(bio, iter) > corrupt_bio_byte) { +- char *segment = (page_address(bio_iter_page(bio, iter)) +- + bio_iter_offset(bio, iter)); ++ char *segment; ++ struct page *page = bio_iter_page(bio, iter); ++ if (unlikely(page == ZERO_PAGE(0))) ++ break; ++ segment = (page_address(page) + bio_iter_offset(bio, iter)); + segment[corrupt_bio_byte] = fc->corrupt_bio_value; + DMDEBUG("Corrupting data bio=%p by writing %u to byte %u " + "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n", diff --git a/queue-6.1/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch b/queue-6.1/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch new file mode 100644 index 00000000000..488f9c1370e --- /dev/null +++ b/queue-6.1/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch @@ -0,0 +1,34 @@ +From 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:03:31 -0500 +Subject: dm flakey: fix a bug with 32-bit highmem systems + +From: Mikulas Patocka + +commit 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 upstream. + +The function page_address does not work with 32-bit systems with high +memory. Use bvec_kmap_local/kunmap_local instead. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -307,8 +307,9 @@ static void corrupt_bio_data(struct bio + struct page *page = bio_iter_page(bio, iter); + if (unlikely(page == ZERO_PAGE(0))) + break; +- segment = (page_address(page) + bio_iter_offset(bio, iter)); ++ segment = bvec_kmap_local(&bvec); + segment[corrupt_bio_byte] = fc->corrupt_bio_value; ++ kunmap_local(segment); + DMDEBUG("Corrupting data bio=%p by writing %u to byte %u " + "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n", + bio, fc->corrupt_bio_value, fc->corrupt_bio_byte, diff --git a/queue-6.1/dm-flakey-fix-logic-when-corrupting-a-bio.patch b/queue-6.1/dm-flakey-fix-logic-when-corrupting-a-bio.patch new file mode 100644 index 00000000000..c037d13f7f2 --- /dev/null +++ b/queue-6.1/dm-flakey-fix-logic-when-corrupting-a-bio.patch @@ -0,0 +1,65 @@ +From aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:03:56 -0500 +Subject: dm flakey: fix logic when corrupting a bio + +From: Mikulas Patocka + +commit aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc upstream. + +If "corrupt_bio_byte" is set to corrupt reads and corrupt_bio_flags is +used, dm-flakey would erroneously return all writes as errors. Likewise, +if "corrupt_bio_byte" is set to corrupt writes, dm-flakey would return +errors for all reads. + +Fix the logic so that if fc->corrupt_bio_byte is non-zero, dm-flakey +will not abort reads on writes with an error. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -361,9 +361,11 @@ static int flakey_map(struct dm_target * + /* + * Corrupt matching writes. + */ +- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == WRITE)) { +- if (all_corrupt_bio_flags_match(bio, fc)) +- corrupt_bio_data(bio, fc); ++ if (fc->corrupt_bio_byte) { ++ if (fc->corrupt_bio_rw == WRITE) { ++ if (all_corrupt_bio_flags_match(bio, fc)) ++ corrupt_bio_data(bio, fc); ++ } + goto map_bio; + } + +@@ -389,13 +391,14 @@ static int flakey_end_io(struct dm_targe + return DM_ENDIO_DONE; + + if (!*error && pb->bio_submitted && (bio_data_dir(bio) == READ)) { +- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) && +- all_corrupt_bio_flags_match(bio, fc)) { +- /* +- * Corrupt successful matching READs while in down state. +- */ +- corrupt_bio_data(bio, fc); +- ++ if (fc->corrupt_bio_byte) { ++ if ((fc->corrupt_bio_rw == READ) && ++ all_corrupt_bio_flags_match(bio, fc)) { ++ /* ++ * Corrupt successful matching READs while in down state. ++ */ ++ corrupt_bio_data(bio, fc); ++ } + } else if (!test_bit(DROP_WRITES, &fc->flags) && + !test_bit(ERROR_WRITES, &fc->flags)) { + /* diff --git a/queue-6.1/dm-send-just-one-event-on-resize-not-two.patch b/queue-6.1/dm-send-just-one-event-on-resize-not-two.patch new file mode 100644 index 00000000000..ec3280df22f --- /dev/null +++ b/queue-6.1/dm-send-just-one-event-on-resize-not-two.patch @@ -0,0 +1,168 @@ +From 7533afa1d27ba1234146d31d2402c195cf195962 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 7 Feb 2023 08:33:06 -0500 +Subject: dm: send just one event on resize, not two + +From: Mikulas Patocka + +commit 7533afa1d27ba1234146d31d2402c195cf195962 upstream. + +Device mapper sends an uevent when the device is suspended, using the +function set_capacity_and_notify. However, this causes a race condition +with udev. + +Udev skips scanning dm devices that are suspended. If we send an uevent +while we are suspended, udev will be racing with device mapper resume +code. If the device mapper resume code wins the race, udev will process +the uevent after the device is resumed and it will properly scan the +device. + +However, if udev wins the race, it will receive the uevent, find out that +the dm device is suspended and skip scanning the device. This causes bugs +such as systemd unmounting the device - see +https://bugzilla.redhat.com/show_bug.cgi?id=2158628 + +This commit fixes this race. + +We replace the function set_capacity_and_notify with set_capacity, so that +the uevent is not sent at this point. In do_resume, we detect if the +capacity has changed and we pass a boolean variable need_resize_uevent to +dm_kobject_uevent. dm_kobject_uevent adds "RESIZE=1" to the uevent if +need_resize_uevent is set. + +Signed-off-by: Mikulas Patocka +Tested-by: Peter Rajnoha +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 13 ++++++++++--- + drivers/md/dm.c | 27 +++++++++++++-------------- + drivers/md/dm.h | 2 +- + 3 files changed, 24 insertions(+), 18 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -482,7 +482,7 @@ static struct mapped_device *dm_hash_ren + dm_table_event(table); + dm_put_live_table(hc->md, srcu_idx); + +- if (!dm_kobject_uevent(hc->md, KOBJ_CHANGE, param->event_nr)) ++ if (!dm_kobject_uevent(hc->md, KOBJ_CHANGE, param->event_nr, false)) + param->flags |= DM_UEVENT_GENERATED_FLAG; + + md = hc->md; +@@ -995,7 +995,7 @@ static int dev_remove(struct file *filp, + + dm_ima_measure_on_device_remove(md, false); + +- if (!dm_kobject_uevent(md, KOBJ_REMOVE, param->event_nr)) ++ if (!dm_kobject_uevent(md, KOBJ_REMOVE, param->event_nr, false)) + param->flags |= DM_UEVENT_GENERATED_FLAG; + + dm_put(md); +@@ -1129,6 +1129,7 @@ static int do_resume(struct dm_ioctl *pa + struct hash_cell *hc; + struct mapped_device *md; + struct dm_table *new_map, *old_map = NULL; ++ bool need_resize_uevent = false; + + down_write(&_hash_lock); + +@@ -1149,6 +1150,8 @@ static int do_resume(struct dm_ioctl *pa + + /* Do we need to load a new map ? */ + if (new_map) { ++ sector_t old_size, new_size; ++ + /* Suspend if it isn't already suspended */ + if (param->flags & DM_SKIP_LOCKFS_FLAG) + suspend_flags &= ~DM_SUSPEND_LOCKFS_FLAG; +@@ -1157,6 +1160,7 @@ static int do_resume(struct dm_ioctl *pa + if (!dm_suspended_md(md)) + dm_suspend(md, suspend_flags); + ++ old_size = dm_get_size(md); + old_map = dm_swap_table(md, new_map); + if (IS_ERR(old_map)) { + dm_sync_table(md); +@@ -1164,6 +1168,9 @@ static int do_resume(struct dm_ioctl *pa + dm_put(md); + return PTR_ERR(old_map); + } ++ new_size = dm_get_size(md); ++ if (old_size && new_size && old_size != new_size) ++ need_resize_uevent = true; + + if (dm_table_get_mode(new_map) & FMODE_WRITE) + set_disk_ro(dm_disk(md), 0); +@@ -1176,7 +1183,7 @@ static int do_resume(struct dm_ioctl *pa + if (!r) { + dm_ima_measure_on_device_resume(md, new_map ? true : false); + +- if (!dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr)) ++ if (!dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr, need_resize_uevent)) + param->flags |= DM_UEVENT_GENERATED_FLAG; + } + } +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2184,10 +2184,7 @@ static struct dm_table *__bind(struct ma + if (size != dm_get_size(md)) + memset(&md->geometry, 0, sizeof(md->geometry)); + +- if (!get_capacity(md->disk)) +- set_capacity(md->disk, size); +- else +- set_capacity_and_notify(md->disk, size); ++ set_capacity(md->disk, size); + + dm_table_event_callback(t, event_callback, md); + +@@ -2980,23 +2977,25 @@ EXPORT_SYMBOL_GPL(dm_internal_resume_fas + * Event notification. + *---------------------------------------------------------------*/ + int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +- unsigned cookie) ++ unsigned cookie, bool need_resize_uevent) + { + int r; + unsigned noio_flag; + char udev_cookie[DM_COOKIE_LENGTH]; +- char *envp[] = { udev_cookie, NULL }; +- +- noio_flag = memalloc_noio_save(); +- +- if (!cookie) +- r = kobject_uevent(&disk_to_dev(md->disk)->kobj, action); +- else { ++ char *envp[3] = { NULL, NULL, NULL }; ++ char **envpp = envp; ++ if (cookie) { + snprintf(udev_cookie, DM_COOKIE_LENGTH, "%s=%u", + DM_COOKIE_ENV_VAR_NAME, cookie); +- r = kobject_uevent_env(&disk_to_dev(md->disk)->kobj, +- action, envp); ++ *envpp++ = udev_cookie; + } ++ if (need_resize_uevent) { ++ *envpp++ = "RESIZE=1"; ++ } ++ ++ noio_flag = memalloc_noio_save(); ++ ++ r = kobject_uevent_env(&disk_to_dev(md->disk)->kobj, action, envp); + + memalloc_noio_restore(noio_flag); + +--- a/drivers/md/dm.h ++++ b/drivers/md/dm.h +@@ -203,7 +203,7 @@ int dm_get_table_device(struct mapped_de + void dm_put_table_device(struct mapped_device *md, struct dm_dev *d); + + int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +- unsigned cookie); ++ unsigned cookie, bool need_resize_uevent); + + void dm_internal_suspend(struct mapped_device *md); + void dm_internal_resume(struct mapped_device *md); diff --git a/queue-6.1/docs-gdbmacros-print-newest-record.patch b/queue-6.1/docs-gdbmacros-print-newest-record.patch new file mode 100644 index 00000000000..0297508b409 --- /dev/null +++ b/queue-6.1/docs-gdbmacros-print-newest-record.patch @@ -0,0 +1,42 @@ +From f2e4cca2f670c8e52fbb551a295f2afc9aa2bd72 Mon Sep 17 00:00:00 2001 +From: John Ogness +Date: Thu, 29 Dec 2022 14:49:39 +0106 +Subject: docs: gdbmacros: print newest record + +From: John Ogness + +commit f2e4cca2f670c8e52fbb551a295f2afc9aa2bd72 upstream. + +@head_id points to the newest record, but the printing loop +exits when it increments to this value (before printing). + +Exit the printing loop after the newest record has been printed. + +The python-based function in scripts/gdb/linux/dmesg.py already +does this correctly. + +Fixes: e60768311af8 ("scripts/gdb: update for lockless printk ringbuffer") +Cc: stable@vger.kernel.org +Signed-off-by: John Ogness +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20221229134339.197627-1-john.ogness@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/kdump/gdbmacros.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/admin-guide/kdump/gdbmacros.txt ++++ b/Documentation/admin-guide/kdump/gdbmacros.txt +@@ -312,10 +312,10 @@ define dmesg + set var $prev_flags = $info->flags + end + +- set var $id = ($id + 1) & $id_mask + if ($id == $end_id) + loop_break + end ++ set var $id = ($id + 1) & $id_mask + end + end + document dmesg diff --git a/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch b/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch new file mode 100644 index 00000000000..31fd5675ba8 --- /dev/null +++ b/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch @@ -0,0 +1,54 @@ +From 0813299c586b175d7edb25f56412c54b812d0379 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 26 Jan 2023 12:22:21 +0100 +Subject: ext4: Fix possible corruption when moving a directory + +From: Jan Kara + +commit 0813299c586b175d7edb25f56412c54b812d0379 upstream. + +When we are renaming a directory to a different directory, we need to +update '..' entry in the moved directory. However nothing prevents moved +directory from being modified and even converted from the inline format +to the normal format. When such race happens the rename code gets +confused and we crash. Fix the problem by locking the moved directory. + +CC: stable@vger.kernel.org +Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3872,9 +3872,16 @@ static int ext4_rename(struct user_names + if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir)) + goto end_rename; + } ++ /* ++ * We need to protect against old.inode directory getting ++ * converted from inline directory format into a normal one. ++ */ ++ inode_lock_nested(old.inode, I_MUTEX_NONDIR2); + retval = ext4_rename_dir_prepare(handle, &old); +- if (retval) ++ if (retval) { ++ inode_unlock(old.inode); + goto end_rename; ++ } + } + /* + * If we're renaming a file within an inline_data dir and adding or +@@ -4006,6 +4013,8 @@ end_rename: + } else { + ext4_journal_stop(handle); + } ++ if (old.dir_bh) ++ inode_unlock(old.inode); + release_bh: + brelse(old.dir_bh); + brelse(old.bh); diff --git a/queue-6.1/ext4-optimize-ea_inode-block-expansion.patch b/queue-6.1/ext4-optimize-ea_inode-block-expansion.patch new file mode 100644 index 00000000000..acbcc9c6c17 --- /dev/null +++ b/queue-6.1/ext4-optimize-ea_inode-block-expansion.patch @@ -0,0 +1,95 @@ +From 1e9d62d252812575ded7c620d8fc67c32ff06c16 Mon Sep 17 00:00:00 2001 +From: Jun Nie +Date: Tue, 3 Jan 2023 09:45:16 +0800 +Subject: ext4: optimize ea_inode block expansion + +From: Jun Nie + +commit 1e9d62d252812575ded7c620d8fc67c32ff06c16 upstream. + +Copy ea data from inode entry when expanding ea block if possible. +Then remove the ea entry if expansion success. Thus memcpy to a +temporary buffer may be avoided. + +If the expansion fails, we do not need to recovery the removed ea +entry neither in this way. + +Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08 +Link: https://lore.kernel.org/r/20230103014517.495275-2-jun.nie@linaro.org +Cc: stable@kernel.org +Signed-off-by: Jun Nie +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2550,9 +2550,8 @@ static int ext4_xattr_move_to_block(hand + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); + bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS); +- buffer = kvmalloc(value_size, GFP_NOFS); + b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS); +- if (!is || !bs || !buffer || !b_entry_name) { ++ if (!is || !bs || !b_entry_name) { + error = -ENOMEM; + goto out; + } +@@ -2564,12 +2563,18 @@ static int ext4_xattr_move_to_block(hand + + /* Save the entry name and the entry value */ + if (entry->e_value_inum) { ++ buffer = kvmalloc(value_size, GFP_NOFS); ++ if (!buffer) { ++ error = -ENOMEM; ++ goto out; ++ } ++ + error = ext4_xattr_inode_get(inode, entry, buffer, value_size); + if (error) + goto out; + } else { + size_t value_offs = le16_to_cpu(entry->e_value_offs); +- memcpy(buffer, (void *)IFIRST(header) + value_offs, value_size); ++ buffer = (void *)IFIRST(header) + value_offs; + } + + memcpy(b_entry_name, entry->e_name, entry->e_name_len); +@@ -2584,25 +2589,26 @@ static int ext4_xattr_move_to_block(hand + if (error) + goto out; + +- /* Remove the chosen entry from the inode */ +- error = ext4_xattr_ibody_set(handle, inode, &i, is); +- if (error) +- goto out; +- + i.value = buffer; + i.value_len = value_size; + error = ext4_xattr_block_find(inode, &i, bs); + if (error) + goto out; + +- /* Add entry which was removed from the inode into the block */ ++ /* Move ea entry from the inode into the block */ + error = ext4_xattr_block_set(handle, inode, &i, bs); + if (error) + goto out; +- error = 0; ++ ++ /* Remove the chosen entry from the inode */ ++ i.value = NULL; ++ i.value_len = 0; ++ error = ext4_xattr_ibody_set(handle, inode, &i, is); ++ + out: + kfree(b_entry_name); +- kvfree(buffer); ++ if (entry->e_value_inum && buffer) ++ kvfree(buffer); + if (is) + brelse(is->iloc.bh); + if (bs) diff --git a/queue-6.1/ext4-refuse-to-create-ea-block-when-umounted.patch b/queue-6.1/ext4-refuse-to-create-ea-block-when-umounted.patch new file mode 100644 index 00000000000..166249b87ba --- /dev/null +++ b/queue-6.1/ext4-refuse-to-create-ea-block-when-umounted.patch @@ -0,0 +1,40 @@ +From f31173c19901a96bb2ebf6bcfec8a08df7095c91 Mon Sep 17 00:00:00 2001 +From: Jun Nie +Date: Tue, 3 Jan 2023 09:45:17 +0800 +Subject: ext4: refuse to create ea block when umounted + +From: Jun Nie + +commit f31173c19901a96bb2ebf6bcfec8a08df7095c91 upstream. + +The ea block expansion need to access s_root while it is +already set as NULL when umount is triggered. Refuse this +request to avoid panic. + +Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08 +Link: https://lore.kernel.org/r/20230103014517.495275-3-jun.nie@linaro.org +Cc: stable@kernel.org +Signed-off-by: Jun Nie +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1422,6 +1422,13 @@ static struct inode *ext4_xattr_inode_cr + uid_t owner[2] = { i_uid_read(inode), i_gid_read(inode) }; + int err; + ++ if (inode->i_sb->s_root == NULL) { ++ ext4_warning(inode->i_sb, ++ "refuse to create EA inode when umounting"); ++ WARN_ON(1); ++ return ERR_PTR(-EINVAL); ++ } ++ + /* + * Let the next inode be the goal, so we try and allocate the EA inode + * in the same group, or nearby one. diff --git a/queue-6.1/fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch b/queue-6.1/fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch new file mode 100644 index 00000000000..ac5c24b0b09 --- /dev/null +++ b/queue-6.1/fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch @@ -0,0 +1,36 @@ +From 1cc4606d19e3710bfab3f6704b87ff9580493c69 Mon Sep 17 00:00:00 2001 +From: Alexander Mikhalitsyn +Date: Thu, 26 Jan 2023 11:23:18 +0100 +Subject: fuse: add inode/permission checks to fileattr_get/fileattr_set + +From: Alexander Mikhalitsyn + +commit 1cc4606d19e3710bfab3f6704b87ff9580493c69 upstream. + +It looks like these checks were accidentally lost during the conversion to +fileattr API. + +Fixes: 72227eac177d ("fuse: convert to fileattr") +Cc: # v5.13 +Signed-off-by: Alexander Mikhalitsyn +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -419,6 +419,12 @@ static struct fuse_file *fuse_priv_ioctl + struct fuse_mount *fm = get_fuse_mount(inode); + bool isdir = S_ISDIR(inode->i_mode); + ++ if (!fuse_allow_current_process(fm->fc)) ++ return ERR_PTR(-EACCES); ++ ++ if (fuse_is_bad(inode)) ++ return ERR_PTR(-EIO); ++ + if (!S_ISREG(inode->i_mode) && !isdir) + return ERR_PTR(-ENOTTY); + diff --git a/queue-6.1/hwmon-nct6775-fix-incorrect-parenthesization-in-nct6775_write_fan_div.patch b/queue-6.1/hwmon-nct6775-fix-incorrect-parenthesization-in-nct6775_write_fan_div.patch new file mode 100644 index 00000000000..45cc4b1d1ab --- /dev/null +++ b/queue-6.1/hwmon-nct6775-fix-incorrect-parenthesization-in-nct6775_write_fan_div.patch @@ -0,0 +1,40 @@ +From 2fbb848b65cde5b876cce52ebcb34de4aaa5a94a Mon Sep 17 00:00:00 2001 +From: Zev Weiss +Date: Mon, 2 Jan 2023 13:28:57 -0800 +Subject: hwmon: (nct6775) Fix incorrect parenthesization in nct6775_write_fan_div() + +From: Zev Weiss + +commit 2fbb848b65cde5b876cce52ebcb34de4aaa5a94a upstream. + +Commit 4ef2774511dc ("hwmon: (nct6775) Convert register access to +regmap API") fumbled the shifting & masking of the fan_div values such +that odd-numbered fan divisors would always be set to zero. Fix it so +that we actually OR in the bits we meant to. + +Signed-off-by: Zev Weiss +Fixes: 4ef2774511dc ("hwmon: (nct6775) Convert register access to regmap API") +Cc: stable@kernel.org # v5.19+ +Link: https://lore.kernel.org/r/20230102212857.5670-1-zev@bewilderbeest.net +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/nct6775-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c +index da9ec6983e13..c54233f0369b 100644 +--- a/drivers/hwmon/nct6775-core.c ++++ b/drivers/hwmon/nct6775-core.c +@@ -1150,7 +1150,7 @@ static int nct6775_write_fan_div(struct nct6775_data *data, int nr) + if (err) + return err; + reg &= 0x70 >> oddshift; +- reg |= data->fan_div[nr] & (0x7 << oddshift); ++ reg |= (data->fan_div[nr] & 0x7) << oddshift; + return nct6775_write_value(data, fandiv_reg, reg); + } + +-- +2.39.2 + diff --git a/queue-6.1/hwmon-peci-cputemp-fix-off-by-one-in-coretemp_label-allocation.patch b/queue-6.1/hwmon-peci-cputemp-fix-off-by-one-in-coretemp_label-allocation.patch new file mode 100644 index 00000000000..a7f7892ab40 --- /dev/null +++ b/queue-6.1/hwmon-peci-cputemp-fix-off-by-one-in-coretemp_label-allocation.patch @@ -0,0 +1,40 @@ +From f00093608fa790580da309bb9feb5108fbe7c331 Mon Sep 17 00:00:00 2001 +From: Zev Weiss +Date: Wed, 1 Feb 2023 18:18:25 -0800 +Subject: hwmon: (peci/cputemp) Fix off-by-one in coretemp_label allocation + +From: Zev Weiss + +commit f00093608fa790580da309bb9feb5108fbe7c331 upstream. + +The find_last_bit() call produces the index of the highest-numbered +core in core_mask; because cores are numbered from zero, the number of +elements we need to allocate is one more than that. + +Signed-off-by: Zev Weiss +Cc: stable@kernel.org # v5.18 +Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver") +Reviewed-by: Iwona Winiarska +Link: https://lore.kernel.org/r/20230202021825.21486-1-zev@bewilderbeest.net +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/peci/cputemp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/peci/cputemp.c b/drivers/hwmon/peci/cputemp.c +index 57470fda5f6c..30850a479f61 100644 +--- a/drivers/hwmon/peci/cputemp.c ++++ b/drivers/hwmon/peci/cputemp.c +@@ -402,7 +402,7 @@ static int create_temp_label(struct peci_cputemp *priv) + unsigned long core_max = find_last_bit(priv->core_mask, CORE_NUMS_MAX); + int i; + +- priv->coretemp_label = devm_kzalloc(priv->dev, core_max * sizeof(char *), GFP_KERNEL); ++ priv->coretemp_label = devm_kzalloc(priv->dev, (core_max + 1) * sizeof(char *), GFP_KERNEL); + if (!priv->coretemp_label) + return -ENOMEM; + +-- +2.39.2 + diff --git a/queue-6.1/iommu-amd-add-a-length-limitation-for-the-ivrs_acpihid-command-line-parameter.patch b/queue-6.1/iommu-amd-add-a-length-limitation-for-the-ivrs_acpihid-command-line-parameter.patch new file mode 100644 index 00000000000..1c10ddd9284 --- /dev/null +++ b/queue-6.1/iommu-amd-add-a-length-limitation-for-the-ivrs_acpihid-command-line-parameter.patch @@ -0,0 +1,67 @@ +From b6b26d86c61c441144c72f842f7469bb686e1211 Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Thu, 2 Feb 2023 08:26:56 +0000 +Subject: iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter + +From: Gavrilov Ilia + +commit b6b26d86c61c441144c72f842f7469bb686e1211 upstream. + +The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, +because the string specifier in the format string sscanf() +has no width limitation. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia.Gavrilov +Reviewed-by: Kim Phillips +Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd/init.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -3475,15 +3475,26 @@ found: + return 1; + } + ++#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) ++ + static int __init parse_ivrs_acpihid(char *str) + { + u32 seg = 0, bus, dev, fn; + char *hid, *uid, *p, *addr; +- char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; ++ char acpiid[ACPIID_LEN] = {0}; + int i; + + addr = strchr(str, '@'); + if (!addr) { ++ addr = strchr(str, '='); ++ if (!addr) ++ goto not_found; ++ ++ ++addr; ++ ++ if (strlen(addr) > ACPIID_LEN) ++ goto not_found; ++ + if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || + sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { + pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", +@@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(cha + /* We have the '@', make it the terminator to get just the acpiid */ + *addr++ = 0; + ++ if (strlen(str) > ACPIID_LEN + 1) ++ goto not_found; ++ + if (sscanf(str, "=%s", acpiid) != 1) + goto not_found; + diff --git a/queue-6.1/iommu-amd-improve-page-fault-error-reporting.patch b/queue-6.1/iommu-amd-improve-page-fault-error-reporting.patch new file mode 100644 index 00000000000..80855f25a50 --- /dev/null +++ b/queue-6.1/iommu-amd-improve-page-fault-error-reporting.patch @@ -0,0 +1,73 @@ +From 996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc Mon Sep 17 00:00:00 2001 +From: Vasant Hegde +Date: Wed, 15 Feb 2023 05:26:42 +0000 +Subject: iommu/amd: Improve page fault error reporting + +From: Vasant Hegde + +commit 996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc upstream. + +If IOMMU domain for device group is not setup properly then we may hit +IOMMU page fault. Current page fault handler assumes that domain is +always setup and it will hit NULL pointer derefence (see below sample log). + +Lets check whether domain is setup or not and log appropriate message. + +Sample log: +---------- + amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6 + BUG: kernel NULL pointer dereference, address: 0000000000000058 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89 + Hardware name: xxx + RIP: 0010:report_iommu_fault+0x11/0x90 + [...] + Call Trace: + + amd_iommu_int_thread+0x60c/0x760 + ? __pfx_irq_thread_fn+0x10/0x10 + irq_thread_fn+0x1f/0x60 + irq_thread+0xea/0x1a0 + ? preempt_count_add+0x6a/0xa0 + ? __pfx_irq_thread_dtor+0x10/0x10 + ? __pfx_irq_thread+0x10/0x10 + kthread+0xe9/0x110 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2c/0x50 + + +Reported-by: Matt Fagnani +Suggested-by: Joerg Roedel +Signed-off-by: Vasant Hegde +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216865 +Link: https://lore.kernel.org/lkml/15d0f9ff-2a56-b3e9-5b45-e6b23300ae3b@leemhuis.info/ +Link: https://lore.kernel.org/r/20230215052642.6016-3-vasant.hegde@amd.com +Cc: stable@vger.kernel.org +[joro: Edit commit message] +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd/iommu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -558,6 +558,15 @@ static void amd_iommu_report_page_fault( + * prevent logging it. + */ + if (IS_IOMMU_MEM_TRANSACTION(flags)) { ++ /* Device not attached to domain properly */ ++ if (dev_data->domain == NULL) { ++ pr_err_ratelimited("Event logged [Device not attached to domain properly]\n"); ++ pr_err_ratelimited(" device=%04x:%02x:%02x.%x domain=0x%04x\n", ++ iommu->pci_seg->id, PCI_BUS_NUM(devid), PCI_SLOT(devid), ++ PCI_FUNC(devid), domain_id); ++ goto out; ++ } ++ + if (!report_iommu_fault(&dev_data->domain->domain, + &pdev->dev, address, + IS_WRITE_REQUEST(flags) ? diff --git a/queue-6.1/jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch b/queue-6.1/jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch new file mode 100644 index 00000000000..0c845d1a246 --- /dev/null +++ b/queue-6.1/jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch @@ -0,0 +1,145 @@ +From e6b9bd7290d334451ce054e98e752abc055e0034 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Tue, 10 Jan 2023 09:53:27 +0800 +Subject: jbd2: fix data missing when reusing bh which is ready to be checkpointed + +From: Zhihao Cheng + +commit e6b9bd7290d334451ce054e98e752abc055e0034 upstream. + +Following process will make data lost and could lead to a filesystem +corrupted problem: + +1. jh(bh) is inserted into T1->t_checkpoint_list, bh is dirty, and + jh->b_transaction = NULL +2. T1 is added into journal->j_checkpoint_transactions. +3. Get bh prepare to write while doing checkpoing: + PA PB + do_get_write_access jbd2_log_do_checkpoint + spin_lock(&jh->b_state_lock) + if (buffer_dirty(bh)) + clear_buffer_dirty(bh) // clear buffer dirty + set_buffer_jbddirty(bh) + transaction = + journal->j_checkpoint_transactions + jh = transaction->t_checkpoint_list + if (!buffer_dirty(bh)) + __jbd2_journal_remove_checkpoint(jh) + // bh won't be flushed + jbd2_cleanup_journal_tail + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved) +4. Aborting journal/Power-cut before writing latest bh on journal area. + +In this way we get a corrupted filesystem with bh's data lost. + +Fix it by moving the clearing of buffer_dirty bit just before the call +to __jbd2_journal_file_buffer(), both bit clearing and jh->b_transaction +assignment are under journal->j_list_lock locked, so that +jbd2_log_do_checkpoint() will wait until jh's new transaction fininshed +even bh is currently not dirty. And journal_shrink_one_cp_list() won't +remove jh from checkpoint list if the buffer head is reused in +do_get_write_access(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216898 +Cc: +Signed-off-by: Zhihao Cheng +Signed-off-by: zhanchengbin +Suggested-by: Jan Kara +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230110015327.1181863-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 50 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 21 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1010,36 +1010,28 @@ repeat: + * ie. locked but not dirty) or tune2fs (which may actually have + * the buffer dirtied, ugh.) */ + +- if (buffer_dirty(bh)) { ++ if (buffer_dirty(bh) && jh->b_transaction) { ++ warn_dirty_buffer(bh); + /* +- * First question: is this buffer already part of the current +- * transaction or the existing committing transaction? +- */ +- if (jh->b_transaction) { +- J_ASSERT_JH(jh, +- jh->b_transaction == transaction || +- jh->b_transaction == +- journal->j_committing_transaction); +- if (jh->b_next_transaction) +- J_ASSERT_JH(jh, jh->b_next_transaction == +- transaction); +- warn_dirty_buffer(bh); +- } +- /* +- * In any case we need to clean the dirty flag and we must +- * do it under the buffer lock to be sure we don't race +- * with running write-out. ++ * We need to clean the dirty flag and we must do it under the ++ * buffer lock to be sure we don't race with running write-out. + */ + JBUFFER_TRACE(jh, "Journalling dirty buffer"); + clear_buffer_dirty(bh); ++ /* ++ * The buffer is going to be added to BJ_Reserved list now and ++ * nothing guarantees jbd2_journal_dirty_metadata() will be ++ * ever called for it. So we need to set jbddirty bit here to ++ * make sure the buffer is dirtied and written out when the ++ * journaling machinery is done with it. ++ */ + set_buffer_jbddirty(bh); + } + +- unlock_buffer(bh); +- + error = -EROFS; + if (is_handle_aborted(handle)) { + spin_unlock(&jh->b_state_lock); ++ unlock_buffer(bh); + goto out; + } + error = 0; +@@ -1049,8 +1041,10 @@ repeat: + * b_next_transaction points to it + */ + if (jh->b_transaction == transaction || +- jh->b_next_transaction == transaction) ++ jh->b_next_transaction == transaction) { ++ unlock_buffer(bh); + goto done; ++ } + + /* + * this is the first time this transaction is touching this buffer, +@@ -1074,10 +1068,24 @@ repeat: + */ + smp_wmb(); + spin_lock(&journal->j_list_lock); ++ if (test_clear_buffer_dirty(bh)) { ++ /* ++ * Execute buffer dirty clearing and jh->b_transaction ++ * assignment under journal->j_list_lock locked to ++ * prevent bh being removed from checkpoint list if ++ * the buffer is in an intermediate state (not dirty ++ * and jh->b_transaction is NULL). ++ */ ++ JBUFFER_TRACE(jh, "Journalling dirty buffer"); ++ set_buffer_jbddirty(bh); ++ } + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved); + spin_unlock(&journal->j_list_lock); ++ unlock_buffer(bh); + goto done; + } ++ unlock_buffer(bh); ++ + /* + * If there is already a copy-out version of this buffer, then we don't + * need to make another one diff --git a/queue-6.1/kprobes-fix-to-handle-forcibly-unoptimized-kprobes-on-freeing_list.patch b/queue-6.1/kprobes-fix-to-handle-forcibly-unoptimized-kprobes-on-freeing_list.patch new file mode 100644 index 00000000000..8d40e949b68 --- /dev/null +++ b/queue-6.1/kprobes-fix-to-handle-forcibly-unoptimized-kprobes-on-freeing_list.patch @@ -0,0 +1,92 @@ +From 4fbd2f83fda0ca44a2ec6421ca3508b355b31858 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Tue, 21 Feb 2023 08:49:16 +0900 +Subject: kprobes: Fix to handle forcibly unoptimized kprobes on freeing_list + +From: Masami Hiramatsu (Google) + +commit 4fbd2f83fda0ca44a2ec6421ca3508b355b31858 upstream. + +Since forcibly unoptimized kprobes will be put on the freeing_list directly +in the unoptimize_kprobe(), do_unoptimize_kprobes() must continue to check +the freeing_list even if unoptimizing_list is empty. + +This bug can happen if a kprobe is put in an instruction which is in the +middle of the jump-replaced instruction sequence of an optprobe, *and* the +optprobe is recently unregistered and queued on unoptimizing_list. +In this case, the optprobe will be unoptimized forcibly (means immediately) +and put it into the freeing_list, expecting the optprobe will be handled in +do_unoptimize_kprobe(). +But if there is no other optprobes on the unoptimizing_list, current code +returns from the do_unoptimize_kprobe() soon and does not handle the +optprobe which is on the freeing_list. Then the optprobe will hit the +WARN_ON_ONCE() in the do_free_cleaned_kprobes(), because it is not handled +in the latter loop of the do_unoptimize_kprobe(). + +To solve this issue, do not return from do_unoptimize_kprobes() immediately +even if unoptimizing_list is empty. + +Moreover, this change affects another case. kill_optimized_kprobes() expects +kprobe_optimizer() will just free the optprobe on freeing_list. +So I changed it to just do list_move() to freeing_list if optprobes are on +unoptimizing list. And the do_unoptimize_kprobe() will skip +arch_disarm_kprobe() if the probe on freeing_list has gone flag. + +Link: https://lore.kernel.org/all/Y8URdIfVr3pq2X8w@xpf.sh.intel.com/ +Link: https://lore.kernel.org/all/167448024501.3253718.13037333683110512967.stgit@devnote3/ + +Fixes: e4add247789e ("kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic") +Reported-by: Pengfei Xu +Signed-off-by: Masami Hiramatsu (Google) +Cc: stable@vger.kernel.org +Acked-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -555,17 +555,15 @@ static void do_unoptimize_kprobes(void) + /* See comment in do_optimize_kprobes() */ + lockdep_assert_cpus_held(); + +- /* Unoptimization must be done anytime */ +- if (list_empty(&unoptimizing_list)) +- return; ++ if (!list_empty(&unoptimizing_list)) ++ arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list); + +- arch_unoptimize_kprobes(&unoptimizing_list, &freeing_list); +- /* Loop on 'freeing_list' for disarming */ ++ /* Loop on 'freeing_list' for disarming and removing from kprobe hash list */ + list_for_each_entry_safe(op, tmp, &freeing_list, list) { + /* Switching from detour code to origin */ + op->kp.flags &= ~KPROBE_FLAG_OPTIMIZED; +- /* Disarm probes if marked disabled */ +- if (kprobe_disabled(&op->kp)) ++ /* Disarm probes if marked disabled and not gone */ ++ if (kprobe_disabled(&op->kp) && !kprobe_gone(&op->kp)) + arch_disarm_kprobe(&op->kp); + if (kprobe_unused(&op->kp)) { + /* +@@ -797,14 +795,13 @@ static void kill_optimized_kprobe(struct + op->kp.flags &= ~KPROBE_FLAG_OPTIMIZED; + + if (kprobe_unused(p)) { +- /* Enqueue if it is unused */ +- list_add(&op->list, &freeing_list); + /* +- * Remove unused probes from the hash list. After waiting +- * for synchronization, this probe is reclaimed. +- * (reclaiming is done by do_free_cleaned_kprobes().) ++ * Unused kprobe is on unoptimizing or freeing list. We move it ++ * to freeing_list and let the kprobe_optimizer() remove it from ++ * the kprobe hash list and free it. + */ +- hlist_del_rcu(&op->kp.hlist); ++ if (optprobe_queued_unopt(op)) ++ list_move(&op->list, &freeing_list); + } + + /* Don't touch the code, because it is already freed. */ diff --git a/queue-6.1/ktest.pl-add-run_timeout-option-with-default-unlimited.patch b/queue-6.1/ktest.pl-add-run_timeout-option-with-default-unlimited.patch new file mode 100644 index 00000000000..d0b04a199d3 --- /dev/null +++ b/queue-6.1/ktest.pl-add-run_timeout-option-with-default-unlimited.patch @@ -0,0 +1,108 @@ +From 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 16:37:25 -0500 +Subject: ktest.pl: Add RUN_TIMEOUT option with default unlimited + +From: Steven Rostedt + +commit 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 upstream. + +There is a disconnect between the run_command function and the +wait_for_input. The wait_for_input has a default timeout of 2 minutes. But +if that happens, the run_command loop will exit out to the waitpid() of +the executing command. This fails in that it no longer monitors the +command, and also, the ssh to the test box can hang when its finished, as +it's waiting for the pipe it's writing to to flush, but the loop that +reads that pipe has already exited, leaving the command stuck, and the +test hangs. + +Instead, make the default "wait_for_input" of the run_command infinite, +and allow the user to override it if they want with a default timeout +option "RUN_TIMEOUT". + +But this fixes the hang that happens when the pipe is full and the ssh +session never exits. + +Cc: stable@vger.kernel.org +Fixes: 6e98d1b4415fe ("ktest: Add timeout to ssh command") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 20 ++++++++++++++++---- + tools/testing/ktest/sample.conf | 5 +++++ + 2 files changed, 21 insertions(+), 4 deletions(-) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -178,6 +178,7 @@ my $store_failures; + my $store_successes; + my $test_name; + my $timeout; ++my $run_timeout; + my $connect_timeout; + my $config_bisect_exec; + my $booted_timeout; +@@ -340,6 +341,7 @@ my %option_map = ( + "STORE_SUCCESSES" => \$store_successes, + "TEST_NAME" => \$test_name, + "TIMEOUT" => \$timeout, ++ "RUN_TIMEOUT" => \$run_timeout, + "CONNECT_TIMEOUT" => \$connect_timeout, + "CONFIG_BISECT_EXEC" => \$config_bisect_exec, + "BOOTED_TIMEOUT" => \$booted_timeout, +@@ -1851,6 +1853,14 @@ sub run_command { + $command =~ s/\$SSH_USER/$ssh_user/g; + $command =~ s/\$MACHINE/$machine/g; + ++ if (!defined($timeout)) { ++ $timeout = $run_timeout; ++ } ++ ++ if (!defined($timeout)) { ++ $timeout = -1; # tell wait_for_input to wait indefinitely ++ } ++ + doprint("$command ... "); + $start_time = time; + +@@ -1877,13 +1887,10 @@ sub run_command { + + while (1) { + my $fp = \*CMD; +- if (defined($timeout)) { +- doprint "timeout = $timeout\n"; +- } + my $line = wait_for_input($fp, $timeout); + if (!defined($line)) { + my $now = time; +- if (defined($timeout) && (($now - $start_time) >= $timeout)) { ++ if ($timeout >= 0 && (($now - $start_time) >= $timeout)) { + doprint "Hit timeout of $timeout, killing process\n"; + $hit_timeout = 1; + kill 9, $pid; +@@ -2055,6 +2062,11 @@ sub wait_for_input { + $time = $timeout; + } + ++ if ($time < 0) { ++ # Negative number means wait indefinitely ++ undef $time; ++ } ++ + $rin = ''; + vec($rin, fileno($fp), 1) = 1; + vec($rin, fileno(\*STDIN), 1) = 1; +--- a/tools/testing/ktest/sample.conf ++++ b/tools/testing/ktest/sample.conf +@@ -809,6 +809,11 @@ + # is issued instead of a reboot. + # CONNECT_TIMEOUT = 25 + ++# The timeout in seconds for how long to wait for any running command ++# to timeout. If not defined, it will let it go indefinitely. ++# (default undefined) ++#RUN_TIMEOUT = 600 ++ + # In between tests, a reboot of the box may occur, and this + # is the time to wait for the console after it stops producing + # output. Some machines may not produce a large lag on reboot diff --git a/queue-6.1/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch b/queue-6.1/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch new file mode 100644 index 00000000000..e85465654de --- /dev/null +++ b/queue-6.1/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch @@ -0,0 +1,38 @@ +From e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 11:31:25 -0500 +Subject: ktest.pl: Fix missing "end_monitor" when machine check fails + +From: Steven Rostedt + +commit e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 upstream. + +In the "reboot" command, it does a check of the machine to see if it is +still alive with a simple "ssh echo" command. If it fails, it will assume +that a normal "ssh reboot" is not possible and force a power cycle. + +In this case, the "start_monitor" is executed, but the "end_monitor" is +not, and this causes the screen will not be given back to the console. That +is, after the test, a "reset" command needs to be performed, as "echo" is +turned off. + +Cc: stable@vger.kernel.org +Fixes: 6474ace999edd ("ktest.pl: Powercycle the box on reboot if no connection can be made") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -1488,7 +1488,8 @@ sub reboot { + + # Still need to wait for the reboot to finish + wait_for_monitor($time, $reboot_success_line); +- ++ } ++ if ($powercycle || $time) { + end_monitor; + } + } diff --git a/queue-6.1/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch b/queue-6.1/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch new file mode 100644 index 00000000000..a96f8e22446 --- /dev/null +++ b/queue-6.1/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch @@ -0,0 +1,36 @@ +From 83d29d439cd3ef23041570d55841f814af2ecac0 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 16:32:13 -0500 +Subject: ktest.pl: Give back console on Ctrt^C on monitor + +From: Steven Rostedt + +commit 83d29d439cd3ef23041570d55841f814af2ecac0 upstream. + +When monitoring the console output, the stdout is being redirected to do +so. If Ctrl^C is hit during this mode, the stdout is not back to the +console, the user does not see anything they type (no echo). + +Add "end_monitor" to the SIGINT interrupt handler to give back the console +on Ctrl^C. + +Cc: stable@vger.kernel.org +Fixes: 9f2cdcbbb90e7 ("ktest: Give console process a dedicated tty") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -4193,6 +4193,9 @@ sub send_email { + } + + sub cancel_test { ++ if ($monitor_cnt) { ++ end_monitor; ++ } + if ($email_when_canceled) { + my $name = get_test_name; + send_email("KTEST: Your [$name] test was cancelled", diff --git a/queue-6.1/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch b/queue-6.1/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch new file mode 100644 index 00000000000..266435d095d --- /dev/null +++ b/queue-6.1/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch @@ -0,0 +1,34 @@ +From 909d3096ac99fa2289f9b8945a3eab2269947a0a Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Wed, 21 Dec 2022 09:30:11 +0100 +Subject: media: ipu3-cio2: Fix PM runtime usage_count in driver unbind + +From: Sakari Ailus + +commit 909d3096ac99fa2289f9b8945a3eab2269947a0a upstream. + +Get the PM runtime usage_count and forbid PM runtime at driver unbind. The +opposite is being done in probe() already. + +Fixes: commit c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Cc: stable@vger.kernel.org # for >= 4.16 +Signed-off-by: Sakari Ailus +Reviewed-by: Bingbu Cao +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ipu3/ipu3-cio2-main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c +@@ -1843,6 +1843,9 @@ static void cio2_pci_remove(struct pci_d + v4l2_device_unregister(&cio2->v4l2_dev); + media_device_cleanup(&cio2->media_dev); + mutex_destroy(&cio2->lock); ++ ++ pm_runtime_forbid(&pci_dev->dev); ++ pm_runtime_get_noresume(&pci_dev->dev); + } + + static int __maybe_unused cio2_runtime_suspend(struct device *dev) diff --git a/queue-6.1/memory-tier-release-the-new_memtier-in-find_create_memory_tier.patch b/queue-6.1/memory-tier-release-the-new_memtier-in-find_create_memory_tier.patch new file mode 100644 index 00000000000..c74db45b73e --- /dev/null +++ b/queue-6.1/memory-tier-release-the-new_memtier-in-find_create_memory_tier.patch @@ -0,0 +1,44 @@ +From 93419139fa14124c1c507d804f2b28866ebee28d Mon Sep 17 00:00:00 2001 +From: Tong Tiangen +Date: Sun, 29 Jan 2023 04:06:51 +0000 +Subject: memory tier: release the new_memtier in find_create_memory_tier() + +From: Tong Tiangen + +commit 93419139fa14124c1c507d804f2b28866ebee28d upstream. + +In find_create_memory_tier(), if failed to register device, then we should +release new_memtier from the tier list and put device instead of memtier. + +Link: https://lkml.kernel.org/r/20230129040651.1329208-1-tongtiangen@huawei.com +Fixes: 9832fb87834e ("mm/demotion: expose memory tier details via sysfs") +Signed-off-by: Tong Tiangen +Cc: Aneesh Kumar K.V +Cc: Hanjun Guo +Cc: Kefeng Wang +Cc: Guohanjun +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-tiers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mm/memory-tiers.c b/mm/memory-tiers.c +index c734658c6242..e593e56e530b 100644 +--- a/mm/memory-tiers.c ++++ b/mm/memory-tiers.c +@@ -211,8 +211,8 @@ static struct memory_tier *find_create_memory_tier(struct memory_dev_type *memty + + ret = device_register(&new_memtier->dev); + if (ret) { +- list_del(&memtier->list); +- put_device(&memtier->dev); ++ list_del(&new_memtier->list); ++ put_device(&new_memtier->dev); + return ERR_PTR(ret); + } + memtier = new_memtier; +-- +2.39.2 + diff --git a/queue-6.1/mips-fix-syscall_get_nr.patch b/queue-6.1/mips-fix-syscall_get_nr.patch new file mode 100644 index 00000000000..199261508c2 --- /dev/null +++ b/queue-6.1/mips-fix-syscall_get_nr.patch @@ -0,0 +1,39 @@ +From 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d Mon Sep 17 00:00:00 2001 +From: Elvira Khabirova +Date: Sat, 18 Feb 2023 23:43:59 +0100 +Subject: mips: fix syscall_get_nr + +From: Elvira Khabirova + +commit 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d upstream. + +The implementation of syscall_get_nr on mips used to ignore the task +argument and return the syscall number of the calling thread instead of +the target thread. + +The bug was exposed to user space by commit 201766a20e30f ("ptrace: add +PTRACE_GET_SYSCALL_INFO request") and detected by strace test suite. + +Link: https://github.com/strace/strace/issues/235 +Fixes: c2d9f1775731 ("MIPS: Fix syscall_get_nr for the syscall exit tracing.") +Cc: # v3.19+ +Co-developed-by: Dmitry V. Levin +Signed-off-by: Dmitry V. Levin +Signed-off-by: Elvira Khabirova +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/syscall.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/syscall.h ++++ b/arch/mips/include/asm/syscall.h +@@ -38,7 +38,7 @@ static inline bool mips_syscall_is_indir + static inline long syscall_get_nr(struct task_struct *task, + struct pt_regs *regs) + { +- return current_thread_info()->syscall; ++ return task_thread_info(task)->syscall; + } + + static inline void mips_syscall_update_nr(struct task_struct *task, diff --git a/queue-6.1/mm-hwpoison-convert-ttu_ignore_hwpoison-to-ttu_hwpoison.patch b/queue-6.1/mm-hwpoison-convert-ttu_ignore_hwpoison-to-ttu_hwpoison.patch new file mode 100644 index 00000000000..54dd8198056 --- /dev/null +++ b/queue-6.1/mm-hwpoison-convert-ttu_ignore_hwpoison-to-ttu_hwpoison.patch @@ -0,0 +1,106 @@ +From 6da6b1d4a7df8c35770186b53ef65d388398e139 Mon Sep 17 00:00:00 2001 +From: Naoya Horiguchi +Date: Tue, 21 Feb 2023 17:59:05 +0900 +Subject: mm/hwpoison: convert TTU_IGNORE_HWPOISON to TTU_HWPOISON + +From: Naoya Horiguchi + +commit 6da6b1d4a7df8c35770186b53ef65d388398e139 upstream. + +After a memory error happens on a clean folio, a process unexpectedly +receives SIGBUS when it accesses the error page. This SIGBUS killing is +pointless and simply degrades the level of RAS of the system, because the +clean folio can be dropped without any data lost on memory error handling +as we do for a clean pagecache. + +When memory_failure() is called on a clean folio, try_to_unmap() is called +twice (one from split_huge_page() and one from hwpoison_user_mappings()). +The root cause of the issue is that pte conversion to hwpoisoned entry is +now done in the first call of try_to_unmap() because PageHWPoison is +already set at this point, while it's actually expected to be done in the +second call. This behavior disturbs the error handling operation like +removing pagecache, which results in the malfunction described above. + +So convert TTU_IGNORE_HWPOISON into TTU_HWPOISON and set TTU_HWPOISON only +when we really intend to convert pte to hwpoison entry. This can prevent +other callers of try_to_unmap() from accidentally converting to hwpoison +entries. + +Link: https://lkml.kernel.org/r/20230221085905.1465385-1-naoya.horiguchi@linux.dev +Fixes: a42634a6c07d ("readahead: Use a folio in read_pages()") +Signed-off-by: Naoya Horiguchi +Cc: David Hildenbrand +Cc: Hugh Dickins +Cc: Matthew Wilcox +Cc: Miaohe Lin +Cc: Minchan Kim +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/rmap.h | 2 +- + mm/memory-failure.c | 8 ++++---- + mm/rmap.c | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/include/linux/rmap.h ++++ b/include/linux/rmap.h +@@ -94,7 +94,7 @@ enum ttu_flags { + TTU_SPLIT_HUGE_PMD = 0x4, /* split huge PMD if any */ + TTU_IGNORE_MLOCK = 0x8, /* ignore mlock */ + TTU_SYNC = 0x10, /* avoid racy checks with PVMW_SYNC */ +- TTU_IGNORE_HWPOISON = 0x20, /* corrupted page is recoverable */ ++ TTU_HWPOISON = 0x20, /* do convert pte to hwpoison entry */ + TTU_BATCH_FLUSH = 0x40, /* Batch TLB flushes where possible + * and caller guarantees they will + * do a final flush if necessary */ +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1020,7 +1020,7 @@ static int me_pagecache_dirty(struct pag + * cache and swap cache(ie. page is freshly swapped in). So it could be + * referenced concurrently by 2 types of PTEs: + * normal PTEs and swap PTEs. We try to handle them consistently by calling +- * try_to_unmap(TTU_IGNORE_HWPOISON) to convert the normal PTEs to swap PTEs, ++ * try_to_unmap(!TTU_HWPOISON) to convert the normal PTEs to swap PTEs, + * and then + * - clear dirty bit to prevent IO + * - remove from LRU +@@ -1401,7 +1401,7 @@ static bool hwpoison_user_mappings(struc + int flags, struct page *hpage) + { + struct folio *folio = page_folio(hpage); +- enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC; ++ enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON; + struct address_space *mapping; + LIST_HEAD(tokill); + bool unmap_success; +@@ -1431,7 +1431,7 @@ static bool hwpoison_user_mappings(struc + + if (PageSwapCache(p)) { + pr_err("%#lx: keeping poisoned page in swap cache\n", pfn); +- ttu |= TTU_IGNORE_HWPOISON; ++ ttu &= ~TTU_HWPOISON; + } + + /* +@@ -1446,7 +1446,7 @@ static bool hwpoison_user_mappings(struc + if (page_mkclean(hpage)) { + SetPageDirty(hpage); + } else { +- ttu |= TTU_IGNORE_HWPOISON; ++ ttu &= ~TTU_HWPOISON; + pr_info("%#lx: corrupted page was clean: dropped without side effects\n", + pfn); + } +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -1623,7 +1623,7 @@ static bool try_to_unmap_one(struct foli + /* Update high watermark before we lower rss */ + update_hiwater_rss(mm); + +- if (PageHWPoison(subpage) && !(flags & TTU_IGNORE_HWPOISON)) { ++ if (PageHWPoison(subpage) && (flags & TTU_HWPOISON)) { + pteval = swp_entry_to_pte(make_hwpoison_entry(subpage)); + if (folio_test_hugetlb(folio)) { + hugetlb_count_sub(folio_nr_pages(folio), mm); diff --git a/queue-6.1/mm-memcontrol-deprecate-charge-moving.patch b/queue-6.1/mm-memcontrol-deprecate-charge-moving.patch new file mode 100644 index 00000000000..3d76dff4432 --- /dev/null +++ b/queue-6.1/mm-memcontrol-deprecate-charge-moving.patch @@ -0,0 +1,100 @@ +From da34a8484d162585e22ed8c1e4114aa2f60e3567 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Wed, 7 Dec 2022 14:00:39 +0100 +Subject: mm: memcontrol: deprecate charge moving + +From: Johannes Weiner + +commit da34a8484d162585e22ed8c1e4114aa2f60e3567 upstream. + +Charge moving mode in cgroup1 allows memory to follow tasks as they +migrate between cgroups. This is, and always has been, a questionable +thing to do - for several reasons. + +First, it's expensive. Pages need to be identified, locked and isolated +from various MM operations, and reassigned, one by one. + +Second, it's unreliable. Once pages are charged to a cgroup, there isn't +always a clear owner task anymore. Cache isn't moved at all, for example. +Mapped memory is moved - but if trylocking or isolating a page fails, +it's arbitrarily left behind. Frequent moving between domains may leave a +task's memory scattered all over the place. + +Third, it isn't really needed. Launcher tasks can kick off workload tasks +directly in their target cgroup. Using dedicated per-workload groups +allows fine-grained policy adjustments - no need to move tasks and their +physical pages between control domains. The feature was never +forward-ported to cgroup2, and it hasn't been missed. + +Despite it being a niche usecase, the maintenance overhead of supporting +it is enormous. Because pages are moved while they are live and subject +to various MM operations, the synchronization rules are complicated. +There are lock_page_memcg() in MM and FS code, which non-cgroup people +don't understand. In some cases we've been able to shift code and cgroup +API calls around such that we can rely on native locking as much as +possible. But that's fragile, and sometimes we need to hold MM locks for +longer than we otherwise would (pte lock e.g.). + +Mark the feature deprecated. Hopefully we can remove it soon. + +And backport into -stable kernels so that people who develop against +earlier kernels are warned about this deprecation as early as possible. + +[akpm@linux-foundation.org: fix memory.rst underlining] +Link: https://lkml.kernel.org/r/Y5COd+qXwk/S+n8N@cmpxchg.org +Signed-off-by: Johannes Weiner +Acked-by: Shakeel Butt +Acked-by: Hugh Dickins +Acked-by: Michal Hocko +Cc: Muchun Song +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/cgroup-v1/memory.rst | 13 +++++++++++-- + mm/memcontrol.c | 4 ++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +--- a/Documentation/admin-guide/cgroup-v1/memory.rst ++++ b/Documentation/admin-guide/cgroup-v1/memory.rst +@@ -86,6 +86,8 @@ Brief summary of control files. + memory.swappiness set/show swappiness parameter of vmscan + (See sysctl's vm.swappiness) + memory.move_charge_at_immigrate set/show controls of moving charges ++ This knob is deprecated and shouldn't be ++ used. + memory.oom_control set/show oom controls. + memory.numa_stat show the number of memory usage per numa + node +@@ -716,8 +718,15 @@ NOTE2: + It is recommended to set the soft limit always below the hard limit, + otherwise the hard limit will take precedence. + +-8. Move charges at task migration +-================================= ++8. Move charges at task migration (DEPRECATED!) ++=============================================== ++ ++THIS IS DEPRECATED! ++ ++It's expensive and unreliable! It's better practice to launch workload ++tasks directly from inside their target cgroup. Use dedicated workload ++cgroups to allow fine-grained policy adjustments without having to ++move physical pages between control domains. + + Users can move charges associated with a task along with task migration, that + is, uncharge task's pages from the old cgroup and charge them to the new cgroup. +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3910,6 +3910,10 @@ static int mem_cgroup_move_charge_write( + { + struct mem_cgroup *memcg = mem_cgroup_from_css(css); + ++ pr_warn_once("Cgroup memory moving (move_charge_at_immigrate) is deprecated. " ++ "Please report your usecase to linux-mm@kvack.org if you " ++ "depend on this functionality.\n"); ++ + if (val & ~MOVE_MASK) + return -EINVAL; + diff --git a/queue-6.1/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch b/queue-6.1/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch new file mode 100644 index 00000000000..39753586497 --- /dev/null +++ b/queue-6.1/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch @@ -0,0 +1,91 @@ +From 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 Mon Sep 17 00:00:00 2001 +From: Yin Fengwei +Date: Fri, 23 Dec 2022 21:52:07 +0800 +Subject: mm/thp: check and bail out if page in deferred queue already + +From: Yin Fengwei + +commit 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 upstream. + +Kernel build regression with LLVM was reported here: +https://lore.kernel.org/all/Y1GCYXGtEVZbcv%2F5@dev-arch.thelio-3990X/ with +commit f35b5d7d676e ("mm: align larger anonymous mappings on THP +boundaries"). And the commit f35b5d7d676e was reverted. + +It turned out the regression is related with madvise(MADV_DONTNEED) +was used by ld.lld. But with none PMD_SIZE aligned parameter len. +trace-bpfcc captured: +531607 531732 ld.lld do_madvise.part.0 start: 0x7feca9000000, len: 0x7fb000, behavior: 0x4 +531607 531793 ld.lld do_madvise.part.0 start: 0x7fec86a00000, len: 0x7fb000, behavior: 0x4 + +If the underneath physical page is THP, the madvise(MADV_DONTNEED) can +trigger split_queue_lock contention raised significantly. perf showed +following data: + 14.85% 0.00% ld.lld [kernel.kallsyms] [k] + entry_SYSCALL_64_after_hwframe + 11.52% + entry_SYSCALL_64_after_hwframe + do_syscall_64 + __x64_sys_madvise + do_madvise.part.0 + zap_page_range + unmap_single_vma + unmap_page_range + page_remove_rmap + deferred_split_huge_page + __lock_text_start + native_queued_spin_lock_slowpath + +If THP can't be removed from rmap as whole THP, partial THP will be +removed from rmap by removing sub-pages from rmap. Even the THP head page +is added to deferred queue already, the split_queue_lock will be acquired +and check whether the THP head page is in the queue already. Thus, the +contention of split_queue_lock is raised. + +Before acquire split_queue_lock, check and bail out early if the THP +head page is in the queue already. The checking without holding +split_queue_lock could race with deferred_split_scan, but it doesn't +impact the correctness here. + +Test result of building kernel with ld.lld: +commit 7b5a0b664ebe (parent commit of f35b5d7d676e): +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 6:07.99 real, 26367.77 user, 5063.35 sys + +commit f35b5d7d676e: +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 7:22.15 real, 26235.03 user, 12504.55 sys + +commit f35b5d7d676e with the fixing patch: +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 6:08.49 real, 26520.15 user, 5047.91 sys + +Link: https://lkml.kernel.org/r/20221223135207.2275317-1-fengwei.yin@intel.com +Signed-off-by: Yin Fengwei +Tested-by: Nathan Chancellor +Acked-by: David Rientjes +Reviewed-by: "Huang, Ying" +Cc: Feng Tang +Cc: Matthew Wilcox +Cc: Rik van Riel +Cc: Xing Zhengjun +Cc: Yang Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2818,6 +2818,9 @@ void deferred_split_huge_page(struct pag + if (PageSwapCache(page)) + return; + ++ if (!list_empty(page_deferred_list(page))) ++ return; ++ + spin_lock_irqsave(&ds_queue->split_queue_lock, flags); + if (list_empty(page_deferred_list(page))) { + count_vm_event(THP_DEFERRED_SPLIT_PAGE); diff --git a/queue-6.1/mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch b/queue-6.1/mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch new file mode 100644 index 00000000000..221cae5621a --- /dev/null +++ b/queue-6.1/mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch @@ -0,0 +1,85 @@ +From f0f0cfdc3a024e21161714f2e05f0df3b84d42ad Mon Sep 17 00:00:00 2001 +From: Louis Rannou +Date: Fri, 3 Feb 2023 09:07:54 +0200 +Subject: mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type + +From: Louis Rannou + +commit f0f0cfdc3a024e21161714f2e05f0df3b84d42ad upstream. + +spi_nor_set_erase_type() was used either to set or to mask out an erase +type. When we used it to mask out an erase type a shift-out-of-bounds +was hit: +UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24 +shift exponent 4294967295 is too large for 32-bit type 'int' + +The setting of the size_{shift, mask} and of the opcode are unnecessary +when the erase size is zero, as throughout the code just the erase size +is considered to determine whether an erase type is supported or not. +Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF +is an unused opcode. Thus when masking out an erase type, just set the +erase size to zero. This will fix the shift-out-of-bounds. + +Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") +Cc: stable@vger.kernel.org +Reported-by: Alexander Stein +Signed-off-by: Louis Rannou +Tested-by: Alexander Stein +Link: https://lore.kernel.org/r/20230203070754.50677-1-tudor.ambarus@linaro.org +[ta: refine changes, new commit message, fix compilation error] +Signed-off-by: Tudor Ambarus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 9 +++++++++ + drivers/mtd/spi-nor/core.h | 1 + + drivers/mtd/spi-nor/sfdp.c | 4 ++-- + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -2004,6 +2004,15 @@ void spi_nor_set_erase_type(struct spi_n + } + + /** ++ * spi_nor_mask_erase_type() - mask out a SPI NOR erase type ++ * @erase: pointer to a structure that describes a SPI NOR erase type ++ */ ++void spi_nor_mask_erase_type(struct spi_nor_erase_type *erase) ++{ ++ erase->size = 0; ++} ++ ++/** + * spi_nor_init_uniform_erase_map() - Initialize uniform erase map + * @map: the erase map of the SPI NOR + * @erase_mask: bitmask encoding erase types that can erase the entire +--- a/drivers/mtd/spi-nor/core.h ++++ b/drivers/mtd/spi-nor/core.h +@@ -682,6 +682,7 @@ void spi_nor_set_pp_settings(struct spi_ + + void spi_nor_set_erase_type(struct spi_nor_erase_type *erase, u32 size, + u8 opcode); ++void spi_nor_mask_erase_type(struct spi_nor_erase_type *erase); + struct spi_nor_erase_region * + spi_nor_region_next(struct spi_nor_erase_region *region); + void spi_nor_init_uniform_erase_map(struct spi_nor_erase_map *map, +--- a/drivers/mtd/spi-nor/sfdp.c ++++ b/drivers/mtd/spi-nor/sfdp.c +@@ -876,7 +876,7 @@ static int spi_nor_init_non_uniform_eras + */ + for (i = 0; i < SNOR_ERASE_TYPE_MAX; i++) + if (!(regions_erase_type & BIT(erase[i].idx))) +- spi_nor_set_erase_type(&erase[i], 0, 0xFF); ++ spi_nor_mask_erase_type(&erase[i]); + + return 0; + } +@@ -1090,7 +1090,7 @@ static int spi_nor_parse_4bait(struct sp + erase_type[i].opcode = (dwords[1] >> + erase_type[i].idx * 8) & 0xFF; + else +- spi_nor_set_erase_type(&erase_type[i], 0u, 0xFF); ++ spi_nor_mask_erase_type(&erase_type[i]); + } + + /* diff --git a/queue-6.1/mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch b/queue-6.1/mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch new file mode 100644 index 00000000000..f2f005b8289 --- /dev/null +++ b/queue-6.1/mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch @@ -0,0 +1,33 @@ +From ad9679f3811899fd1c21dc7bdd715e8e1cfb46b9 Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Mon, 26 Dec 2022 13:01:58 +0900 +Subject: mtd: spi-nor: sfdp: Fix index value for SCCR dwords + +From: Takahiro Kuwano + +commit ad9679f3811899fd1c21dc7bdd715e8e1cfb46b9 upstream. + +Array index for SCCR 22th DOWRD should be 21. + +Fixes: 981a8d60e01f ("mtd: spi-nor: Parse SFDP SCCR Map") +Signed-off-by: Takahiro Kuwano +Signed-off-by: Tudor Ambarus +Reviewed-by: Michael Walle +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/d8a2a77c2c95cf776e7dcae6392d29fdcf5d6307.1672026365.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/sfdp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/sfdp.c ++++ b/drivers/mtd/spi-nor/sfdp.c +@@ -1222,7 +1222,7 @@ static int spi_nor_parse_sccr(struct spi + + le32_to_cpu_array(dwords, sccr_header->length); + +- if (FIELD_GET(SCCR_DWORD22_OCTAL_DTR_EN_VOLATILE, dwords[22])) ++ if (FIELD_GET(SCCR_DWORD22_OCTAL_DTR_EN_VOLATILE, dwords[21])) + nor->flags |= SNOR_F_IO_MODE_EN_VOLATILE; + + out: diff --git a/queue-6.1/mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch b/queue-6.1/mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch new file mode 100644 index 00000000000..aaf0d411288 --- /dev/null +++ b/queue-6.1/mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch @@ -0,0 +1,46 @@ +From 3f592a869f87723314f0cb1ac232bd3bf8245be8 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Tue, 10 Jan 2023 18:47:02 +0200 +Subject: mtd: spi-nor: spansion: Consider reserved bits in CFR5 register + +From: Tudor Ambarus + +commit 3f592a869f87723314f0cb1ac232bd3bf8245be8 upstream. + +CFR5[6] is reserved bit and must be always 1. Set it to comply with flash +requirements. While fixing SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_{EN, DS} +definition, stop using magic numbers and describe the missing bit fields +in CFR5 register. This is useful for both readability and future possible +addition of Octal STR mode support. + +Fixes: c3266af101f2 ("mtd: spi-nor: spansion: add support for Cypress Semper flash") +Cc: stable@vger.kernel.org +Reported-by: Takahiro Kuwano +Signed-off-by: Tudor Ambarus +Reviewed-by: Dhruva Gole +Reviewed-by: Pratyush Yadav +Tested-by: Dhruva Gole +Link: https://lore.kernel.org/linux-mtd/20230110164703.83413-1-tudor.ambarus@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/spansion.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/spansion.c ++++ b/drivers/mtd/spi-nor/spansion.c +@@ -21,8 +21,13 @@ + #define SPINOR_REG_CYPRESS_CFR3V 0x00800004 + #define SPINOR_REG_CYPRESS_CFR3V_PGSZ BIT(4) /* Page size. */ + #define SPINOR_REG_CYPRESS_CFR5V 0x00800006 +-#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_EN 0x3 +-#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS 0 ++#define SPINOR_REG_CYPRESS_CFR5_BIT6 BIT(6) ++#define SPINOR_REG_CYPRESS_CFR5_DDR BIT(1) ++#define SPINOR_REG_CYPRESS_CFR5_OPI BIT(0) ++#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_EN \ ++ (SPINOR_REG_CYPRESS_CFR5_BIT6 | SPINOR_REG_CYPRESS_CFR5_DDR | \ ++ SPINOR_REG_CYPRESS_CFR5_OPI) ++#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS SPINOR_REG_CYPRESS_CFR5_BIT6 + #define SPINOR_OP_CYPRESS_RD_FAST 0xee + + /* Cypress SPI NOR flash operations. */ diff --git a/queue-6.1/panic-fix-the-panic_print-nmi-backtrace-setting.patch b/queue-6.1/panic-fix-the-panic_print-nmi-backtrace-setting.patch new file mode 100644 index 00000000000..6a46c0256d6 --- /dev/null +++ b/queue-6.1/panic-fix-the-panic_print-nmi-backtrace-setting.patch @@ -0,0 +1,107 @@ +From b905039e428d639adeebb719b76f98865ea38d4d Mon Sep 17 00:00:00 2001 +From: "Guilherme G. Piccoli" +Date: Sun, 26 Feb 2023 13:08:38 -0300 +Subject: panic: fix the panic_print NMI backtrace setting + +From: Guilherme G. Piccoli + +commit b905039e428d639adeebb719b76f98865ea38d4d upstream. + +Commit 8d470a45d1a6 ("panic: add option to dump all CPUs backtraces in +panic_print") introduced a setting for the "panic_print" kernel parameter +to allow users to request a NMI backtrace on panic. Problem is that the +panic_print handling happens after the secondary CPUs are already +disabled, hence this option ended-up being kind of a no-op - kernel skips +the NMI trace in idling CPUs, which is the case of offline CPUs. + +Fix it by checking the NMI backtrace bit in the panic_print prior to the +CPU disabling function. + +Link: https://lkml.kernel.org/r/20230226160838.414257-1-gpiccoli@igalia.com +Fixes: 8d470a45d1a6 ("panic: add option to dump all CPUs backtraces in panic_print") +Signed-off-by: Guilherme G. Piccoli +Cc: +Cc: Baoquan He +Cc: Dave Young +Cc: Feng Tang +Cc: HATAYAMA Daisuke +Cc: Hidehiro Kawai +Cc: Kees Cook +Cc: Michael Kelley +Cc: Petr Mladek +Cc: Vivek Goyal +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/panic.c | 44 ++++++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 18 deletions(-) + +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -211,9 +211,6 @@ static void panic_print_sys_info(bool co + return; + } + +- if (panic_print & PANIC_PRINT_ALL_CPU_BT) +- trigger_all_cpu_backtrace(); +- + if (panic_print & PANIC_PRINT_TASK_INFO) + show_state(); + +@@ -243,6 +240,30 @@ void check_panic_on_warn(const char *ori + origin, limit); + } + ++/* ++ * Helper that triggers the NMI backtrace (if set in panic_print) ++ * and then performs the secondary CPUs shutdown - we cannot have ++ * the NMI backtrace after the CPUs are off! ++ */ ++static void panic_other_cpus_shutdown(bool crash_kexec) ++{ ++ if (panic_print & PANIC_PRINT_ALL_CPU_BT) ++ trigger_all_cpu_backtrace(); ++ ++ /* ++ * Note that smp_send_stop() is the usual SMP shutdown function, ++ * which unfortunately may not be hardened to work in a panic ++ * situation. If we want to do crash dump after notifier calls ++ * and kmsg_dump, we will need architecture dependent extra ++ * bits in addition to stopping other CPUs, hence we rely on ++ * crash_smp_send_stop() for that. ++ */ ++ if (!crash_kexec) ++ smp_send_stop(); ++ else ++ crash_smp_send_stop(); ++} ++ + /** + * panic - halt the system + * @fmt: The text string to print +@@ -333,23 +354,10 @@ void panic(const char *fmt, ...) + * + * Bypass the panic_cpu check and call __crash_kexec directly. + */ +- if (!_crash_kexec_post_notifiers) { ++ if (!_crash_kexec_post_notifiers) + __crash_kexec(NULL); + +- /* +- * Note smp_send_stop is the usual smp shutdown function, which +- * unfortunately means it may not be hardened to work in a +- * panic situation. +- */ +- smp_send_stop(); +- } else { +- /* +- * If we want to do crash dump after notifier calls and +- * kmsg_dump, we will need architecture dependent extra +- * works in addition to stopping other CPUs. +- */ +- crash_smp_send_stop(); +- } ++ panic_other_cpus_shutdown(_crash_kexec_post_notifiers); + + /* + * Run any panic handlers, including those that might need to diff --git a/queue-6.1/qede-fix-interrupt-coalescing-configuration.patch b/queue-6.1/qede-fix-interrupt-coalescing-configuration.patch new file mode 100644 index 00000000000..3c7cd466ff9 --- /dev/null +++ b/queue-6.1/qede-fix-interrupt-coalescing-configuration.patch @@ -0,0 +1,52 @@ +From 908d4bb7c54caa58253a363d63e797a468eaf321 Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Thu, 16 Feb 2023 03:54:47 -0800 +Subject: qede: fix interrupt coalescing configuration + +From: Manish Chopra + +commit 908d4bb7c54caa58253a363d63e797a468eaf321 upstream. + +On default driver load device gets configured with unexpected +higher interrupt coalescing values instead of default expected +values as memory allocated from krealloc() is not supposed to +be zeroed out and may contain garbage values. + +Fix this by allocating the memory of required size first with +kcalloc() and then use krealloc() to resize and preserve the +contents across down/up of the interface. + +Signed-off-by: Manish Chopra +Fixes: b0ec5489c480 ("qede: preserve per queue stats across up/down of interface") +Cc: stable@vger.kernel.org +Cc: Bhaskar Upadhaya +Cc: David S. Miller +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2160054 +Signed-off-by: Alok Prasad +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -970,8 +970,15 @@ static int qede_alloc_fp_array(struct qe + goto err; + } + +- mem = krealloc(edev->coal_entry, QEDE_QUEUE_CNT(edev) * +- sizeof(*edev->coal_entry), GFP_KERNEL); ++ if (!edev->coal_entry) { ++ mem = kcalloc(QEDE_MAX_RSS_CNT(edev), ++ sizeof(*edev->coal_entry), GFP_KERNEL); ++ } else { ++ mem = krealloc(edev->coal_entry, ++ QEDE_QUEUE_CNT(edev) * sizeof(*edev->coal_entry), ++ GFP_KERNEL); ++ } ++ + if (!mem) { + DP_ERR(edev, "coalesce entry allocation failed\n"); + kfree(edev->coal_entry); diff --git a/queue-6.1/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch b/queue-6.1/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch new file mode 100644 index 00000000000..22c2a5edec2 --- /dev/null +++ b/queue-6.1/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch @@ -0,0 +1,94 @@ +From f7c4d9b133c7a04ca619355574e96b6abf209fba Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Fri, 24 Feb 2023 18:48:54 +0100 +Subject: rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails + +From: Ilya Dryomov + +commit f7c4d9b133c7a04ca619355574e96b6abf209fba upstream. + +If getting an ID or setting up a work queue in rbd_dev_create() fails, +use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts +is triggered in do_rbd_add(). The root cause is that the ownership of +these structures is transfered to rbd_dev prematurely and they all end +up getting freed when rbd_dev_create() calls rbd_dev_free() prior to +returning to do_rbd_add(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE, an +incomplete patch submitted by Natalia Petrova . + +Cc: stable@vger.kernel.org +Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue") +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/rbd.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -5292,8 +5292,7 @@ static void rbd_dev_release(struct devic + module_put(THIS_MODULE); + } + +-static struct rbd_device *__rbd_dev_create(struct rbd_client *rbdc, +- struct rbd_spec *spec) ++static struct rbd_device *__rbd_dev_create(struct rbd_spec *spec) + { + struct rbd_device *rbd_dev; + +@@ -5338,9 +5337,6 @@ static struct rbd_device *__rbd_dev_crea + rbd_dev->dev.parent = &rbd_root_dev; + device_initialize(&rbd_dev->dev); + +- rbd_dev->rbd_client = rbdc; +- rbd_dev->spec = spec; +- + return rbd_dev; + } + +@@ -5353,12 +5349,10 @@ static struct rbd_device *rbd_dev_create + { + struct rbd_device *rbd_dev; + +- rbd_dev = __rbd_dev_create(rbdc, spec); ++ rbd_dev = __rbd_dev_create(spec); + if (!rbd_dev) + return NULL; + +- rbd_dev->opts = opts; +- + /* get an id and fill in device name */ + rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0, + minor_to_rbd_dev_id(1 << MINORBITS), +@@ -5375,6 +5369,10 @@ static struct rbd_device *rbd_dev_create + /* we have a ref from do_rbd_add() */ + __module_get(THIS_MODULE); + ++ rbd_dev->rbd_client = rbdc; ++ rbd_dev->spec = spec; ++ rbd_dev->opts = opts; ++ + dout("%s rbd_dev %p dev_id %d\n", __func__, rbd_dev, rbd_dev->dev_id); + return rbd_dev; + +@@ -6736,7 +6734,7 @@ static int rbd_dev_probe_parent(struct r + goto out_err; + } + +- parent = __rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec); ++ parent = __rbd_dev_create(rbd_dev->parent_spec); + if (!parent) { + ret = -ENOMEM; + goto out_err; +@@ -6746,8 +6744,8 @@ static int rbd_dev_probe_parent(struct r + * Images related by parent/child relationships always share + * rbd_client and spec/parent_spec, so bump their refcounts. + */ +- __rbd_get_client(rbd_dev->rbd_client); +- rbd_spec_get(rbd_dev->parent_spec); ++ parent->rbd_client = __rbd_get_client(rbd_dev->rbd_client); ++ parent->spec = rbd_spec_get(rbd_dev->parent_spec); + + __set_bit(RBD_DEV_FLAG_READONLY, &parent->flags); + diff --git a/queue-6.1/regulator-core-use-ktime_get_boottime-to-determine-how-long-a-regulator-was-off.patch b/queue-6.1/regulator-core-use-ktime_get_boottime-to-determine-how-long-a-regulator-was-off.patch new file mode 100644 index 00000000000..39b41ccab7b --- /dev/null +++ b/queue-6.1/regulator-core-use-ktime_get_boottime-to-determine-how-long-a-regulator-was-off.patch @@ -0,0 +1,59 @@ +From 80d2c29e09e663761c2778167a625b25ffe01b6f Mon Sep 17 00:00:00 2001 +From: Matthias Kaehlcke +Date: Thu, 23 Feb 2023 00:33:30 +0000 +Subject: regulator: core: Use ktime_get_boottime() to determine how long a regulator was off + +From: Matthias Kaehlcke + +commit 80d2c29e09e663761c2778167a625b25ffe01b6f upstream. + +For regulators with 'off-on-delay-us' the regulator framework currently +uses ktime_get() to determine how long the regulator has been off +before re-enabling it (after a delay if needed). A problem with using +ktime_get() is that it doesn't account for the time the system is +suspended. As a result a regulator with a longer 'off-on-delay' (e.g. +500ms) that was switched off during suspend might still incurr in a +delay on resume before it is re-enabled, even though the regulator +might have been off for hours. ktime_get_boottime() accounts for +suspend time, use it instead of ktime_get(). + +Fixes: a8ce7bd89689 ("regulator: core: Fix off_on_delay handling") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230223003301.v2.1.I9719661b8eb0a73b8c416f9c26cf5bd8c0563f99@changeid +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1584,7 +1584,7 @@ static int set_machine_constraints(struc + } + + if (rdev->desc->off_on_delay) +- rdev->last_off = ktime_get(); ++ rdev->last_off = ktime_get_boottime(); + + /* If the constraints say the regulator should be on at this point + * and we have control then make sure it is enabled. +@@ -2673,7 +2673,7 @@ static int _regulator_do_enable(struct r + * this regulator was disabled. + */ + ktime_t end = ktime_add_us(rdev->last_off, rdev->desc->off_on_delay); +- s64 remaining = ktime_us_delta(end, ktime_get()); ++ s64 remaining = ktime_us_delta(end, ktime_get_boottime()); + + if (remaining > 0) + _regulator_delay_helper(remaining); +@@ -2912,7 +2912,7 @@ static int _regulator_do_disable(struct + } + + if (rdev->desc->off_on_delay) +- rdev->last_off = ktime_get(); ++ rdev->last_off = ktime_get_boottime(); + + trace_regulator_disable_complete(rdev_get_name(rdev)); + diff --git a/queue-6.1/remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch b/queue-6.1/remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch new file mode 100644 index 00000000000..9a0a5514d98 --- /dev/null +++ b/queue-6.1/remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch @@ -0,0 +1,75 @@ +From e46ceea3148163166ef9b7bcac578e72dd30c064 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 4 Jan 2023 16:31:10 +0800 +Subject: remoteproc/mtk_scp: Move clk ops outside send_lock + +From: Chen-Yu Tsai + +commit e46ceea3148163166ef9b7bcac578e72dd30c064 upstream. + +Clocks are properly reference counted and do not need to be inside the +lock range. + +Right now this triggers a false-positive lockdep warning on MT8192 based +Chromebooks, through a combination of mtk-scp that has a cros-ec-rpmsg +sub-device, the (actual) cros-ec I2C adapter registration, I2C client +(not on cros-ec) probe doing i2c transfers and enabling clocks. + +This is a false positive because the cros-ec-rpmsg under mtk-scp does +not have an I2C adapter, and also each I2C adapter and cros-ec instance +have their own mutex. + +Move the clk operations outside of the send_lock range. + +Fixes: 63c13d61eafe ("remoteproc/mediatek: add SCP support for mt8183") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230104083110.736377-1-wenst@chromium.org +[Fixed "Fixes:" tag line] +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/mtk_scp_ipi.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/remoteproc/mtk_scp_ipi.c ++++ b/drivers/remoteproc/mtk_scp_ipi.c +@@ -164,21 +164,21 @@ int scp_ipi_send(struct mtk_scp *scp, u3 + WARN_ON(len > sizeof(send_obj->share_buf)) || WARN_ON(!buf)) + return -EINVAL; + +- mutex_lock(&scp->send_lock); +- + ret = clk_prepare_enable(scp->clk); + if (ret) { + dev_err(scp->dev, "failed to enable clock\n"); +- goto unlock_mutex; ++ return ret; + } + ++ mutex_lock(&scp->send_lock); ++ + /* Wait until SCP receives the last command */ + timeout = jiffies + msecs_to_jiffies(2000); + do { + if (time_after(jiffies, timeout)) { + dev_err(scp->dev, "%s: IPI timeout!\n", __func__); + ret = -ETIMEDOUT; +- goto clock_disable; ++ goto unlock_mutex; + } + } while (readl(scp->reg_base + scp->data->host_to_scp_reg)); + +@@ -205,10 +205,9 @@ int scp_ipi_send(struct mtk_scp *scp, u3 + ret = 0; + } + +-clock_disable: +- clk_disable_unprepare(scp->clk); + unlock_mutex: + mutex_unlock(&scp->send_lock); ++ clk_disable_unprepare(scp->clk); + + return ret; + } diff --git a/queue-6.1/ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch b/queue-6.1/ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch new file mode 100644 index 00000000000..52054544d11 --- /dev/null +++ b/queue-6.1/ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch @@ -0,0 +1,175 @@ +From 8843e06f67b14f71c044bf6267b2387784c7e198 Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Tue, 14 Feb 2023 17:36:43 +0530 +Subject: ring-buffer: Handle race between rb_move_tail and rb_check_pages + +From: Mukesh Ojha + +commit 8843e06f67b14f71c044bf6267b2387784c7e198 upstream. + +It seems a data race between ring_buffer writing and integrity check. +That is, RB_FLAG of head_page is been updating, while at same time +RB_FLAG was cleared when doing integrity check rb_check_pages(): + + rb_check_pages() rb_handle_head_page(): + -------- -------- + rb_head_page_deactivate() + rb_head_page_set_normal() + rb_head_page_activate() + +We do intergrity test of the list to check if the list is corrupted and +it is still worth doing it. So, let's refactor rb_check_pages() such that +we no longer clear and set flag during the list sanity checking. + +[1] and [2] are the test to reproduce and the crash report respectively. + +1: +``` read_trace.sh + while true; + do + # the "trace" file is closed after read + head -1 /sys/kernel/tracing/trace > /dev/null + done +``` +``` repro.sh + sysctl -w kernel.panic_on_warn=1 + # function tracer will writing enough data into ring_buffer + echo function > /sys/kernel/tracing/current_tracer + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & +``` + +2: +------------[ cut here ]------------ +WARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653 +rb_move_tail+0x450/0x470 +Modules linked in: +CPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:rb_move_tail+0x450/0x470 +Code: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24 +83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83 +f8 02 0f 84 ce fb ff ff e9 db +RSP: 0018:ffffb5564089bd00 EFLAGS: 00000203 +RAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18 +RDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400 +RBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2 +R10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000 +R13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108 +FS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0 +Call Trace: + + ring_buffer_lock_reserve+0x136/0x360 + ? __do_softirq+0x287/0x2df + ? __pfx_rcu_softirq_qs+0x10/0x10 + trace_function+0x21/0x110 + ? __pfx_rcu_softirq_qs+0x10/0x10 + ? __do_softirq+0x287/0x2df + function_trace_call+0xf6/0x120 + 0xffffffffc038f097 + ? rcu_softirq_qs+0x5/0x140 + rcu_softirq_qs+0x5/0x140 + __do_softirq+0x287/0x2df + run_ksoftirqd+0x2a/0x30 + smpboot_thread_fn+0x188/0x220 + ? __pfx_smpboot_thread_fn+0x10/0x10 + kthread+0xe7/0x110 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2c/0x50 + +---[ end trace 0000000000000000 ]--- + +[ crash report and test reproducer credit goes to Zheng Yejian] + +Link: https://lore.kernel.org/linux-trace-kernel/1676376403-16462-1-git-send-email-quic_mojha@quicinc.com + +Cc: +Cc: stable@vger.kernel.org +Fixes: 1039221cc278 ("ring-buffer: Do not disable recording when there is an iterator") +Reported-by: Zheng Yejian +Signed-off-by: Mukesh Ojha +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 42 ++++++++++-------------------------------- + 1 file changed, 10 insertions(+), 32 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1581,19 +1581,6 @@ static int rb_check_bpage(struct ring_bu + } + + /** +- * rb_check_list - make sure a pointer to a list has the last bits zero +- */ +-static int rb_check_list(struct ring_buffer_per_cpu *cpu_buffer, +- struct list_head *list) +-{ +- if (RB_WARN_ON(cpu_buffer, rb_list_head(list->prev) != list->prev)) +- return 1; +- if (RB_WARN_ON(cpu_buffer, rb_list_head(list->next) != list->next)) +- return 1; +- return 0; +-} +- +-/** + * rb_check_pages - integrity check of buffer pages + * @cpu_buffer: CPU buffer with pages to test + * +@@ -1602,36 +1589,27 @@ static int rb_check_list(struct ring_buf + */ + static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) + { +- struct list_head *head = cpu_buffer->pages; +- struct buffer_page *bpage, *tmp; ++ struct list_head *head = rb_list_head(cpu_buffer->pages); ++ struct list_head *tmp; + +- /* Reset the head page if it exists */ +- if (cpu_buffer->head_page) +- rb_set_head_page(cpu_buffer); +- +- rb_head_page_deactivate(cpu_buffer); +- +- if (RB_WARN_ON(cpu_buffer, head->next->prev != head)) +- return -1; +- if (RB_WARN_ON(cpu_buffer, head->prev->next != head)) ++ if (RB_WARN_ON(cpu_buffer, ++ rb_list_head(rb_list_head(head->next)->prev) != head)) + return -1; + +- if (rb_check_list(cpu_buffer, head)) ++ if (RB_WARN_ON(cpu_buffer, ++ rb_list_head(rb_list_head(head->prev)->next) != head)) + return -1; + +- list_for_each_entry_safe(bpage, tmp, head, list) { ++ for (tmp = rb_list_head(head->next); tmp != head; tmp = rb_list_head(tmp->next)) { + if (RB_WARN_ON(cpu_buffer, +- bpage->list.next->prev != &bpage->list)) ++ rb_list_head(rb_list_head(tmp->next)->prev) != tmp)) + return -1; ++ + if (RB_WARN_ON(cpu_buffer, +- bpage->list.prev->next != &bpage->list)) +- return -1; +- if (rb_check_list(cpu_buffer, &bpage->list)) ++ rb_list_head(rb_list_head(tmp->prev)->next) != tmp)) + return -1; + } + +- rb_head_page_activate(cpu_buffer); +- + return 0; + } + diff --git a/queue-6.1/series b/queue-6.1/series index eabc5f8c853..0d8559dd515 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -781,3 +781,64 @@ irqdomain-fix-mapping-creation-race.patch irqdomain-fix-domain-registration-race.patch crypto-qat-fix-out-of-bounds-read.patch mm-damon-paddr-fix-missing-folio_put.patch +alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch +alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch +jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch +ext4-optimize-ea_inode-block-expansion.patch +ext4-refuse-to-create-ea-block-when-umounted.patch +ext4-fix-possible-corruption-when-moving-a-directory.patch +cxl-pmem-fix-nvdimm-registration-races.patch +mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch +mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch +mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch +dm-send-just-one-event-on-resize-not-two.patch +dm-add-cond_resched-to-dm_wq_work.patch +dm-add-cond_resched-to-dm_wq_requeue_work.patch +wifi-rtw88-use-rtw_flag_poweron-flag-to-prevent-to-power-on-off-twice.patch +wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch +wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch +wifi-cfg80211-fix-use-after-free-for-wext.patch +wifi-cfg80211-set-ssid-if-it-is-not-already-set.patch +cpuidle-add-arch_suspend_possible-dependencies.patch +qede-fix-interrupt-coalescing-configuration.patch +thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch +dm-flakey-fix-logic-when-corrupting-a-bio.patch +dm-cache-free-background-tracker-s-queued-work-in-btracker_destroy.patch +dm-flakey-don-t-corrupt-the-zero-page.patch +dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch +hwmon-peci-cputemp-fix-off-by-one-in-coretemp_label-allocation.patch +hwmon-nct6775-fix-incorrect-parenthesization-in-nct6775_write_fan_div.patch +arm-dts-qcom-sdx65-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch +arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch +arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch +arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch +arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch +arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch +arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch +arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch +arm64-mm-hugetlb-disable-hugetlb_page_optimize_vmemmap.patch +fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch +rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch +ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch +regulator-core-use-ktime_get_boottime-to-determine-how-long-a-regulator-was-off.patch +block-fix-scan-partition-for-exclusively-open-device-again.patch +panic-fix-the-panic_print-nmi-backtrace-setting.patch +mm-hwpoison-convert-ttu_ignore_hwpoison-to-ttu_hwpoison.patch +alpha-fix-fen-fault-handling.patch +dax-kmem-fix-leak-of-memory-hotplug-resources.patch +mips-fix-syscall_get_nr.patch +media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch +remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch +docs-gdbmacros-print-newest-record.patch +mm-memcontrol-deprecate-charge-moving.patch +mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch +ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch +kprobes-fix-to-handle-forcibly-unoptimized-kprobes-on-freeing_list.patch +ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch +ktest.pl-add-run_timeout-option-with-default-unlimited.patch +memory-tier-release-the-new_memtier-in-find_create_memory_tier.patch +ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch +tools-bootconfig-fix-single-used-for-logical-condition.patch +tracing-eprobe-fix-to-add-filter-on-eprobe-description-in-readme-file.patch +iommu-amd-add-a-length-limitation-for-the-ivrs_acpihid-command-line-parameter.patch +iommu-amd-improve-page-fault-error-reporting.patch diff --git a/queue-6.1/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch b/queue-6.1/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch new file mode 100644 index 00000000000..ae0dbaf6278 --- /dev/null +++ b/queue-6.1/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch @@ -0,0 +1,97 @@ +From 8e47363588377e1bdb65e2b020b409cfb44dd260 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Wed, 1 Feb 2023 12:39:41 -0800 +Subject: thermal: intel: powerclamp: Fix cur_state for multi package system + +From: Srinivas Pandruvada + +commit 8e47363588377e1bdb65e2b020b409cfb44dd260 upstream. + +The powerclamp cooling device cur_state shows actual idle observed by +package C-state idle counters. But the implementation is not sufficient +for multi package or multi die system. The cur_state value is incorrect. +On these systems, these counters must be read from each package/die and +somehow aggregate them. But there is no good method for aggregation. + +It was not a problem when explicit CPU model addition was required to +enable intel powerclamp. In this way certain CPU models could have +been avoided. But with the removal of CPU model check with the +availability of Package C-state counters, the driver is loaded on most +of the recent systems. + +For multi package/die systems, just show the actual target idle state, +the system is trying to achieve. In powerclamp this is the user set +state minus one. + +Also there is no use of starting a worker thread for polling package +C-state counters and applying any compensation for multiple package +or multiple die systems. + +Fixes: b721ca0d1927 ("thermal/powerclamp: remove cpu whitelist") +Signed-off-by: Srinivas Pandruvada +Cc: 4.14+ # 4.14+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/intel_powerclamp.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/thermal/intel/intel_powerclamp.c ++++ b/drivers/thermal/intel/intel_powerclamp.c +@@ -57,6 +57,7 @@ + + static unsigned int target_mwait; + static struct dentry *debug_dir; ++static bool poll_pkg_cstate_enable; + + /* user selected target */ + static unsigned int set_target_ratio; +@@ -261,6 +262,9 @@ static unsigned int get_compensation(int + { + unsigned int comp = 0; + ++ if (!poll_pkg_cstate_enable) ++ return 0; ++ + /* we only use compensation if all adjacent ones are good */ + if (ratio == 1 && + cal_data[ratio].confidence >= CONFIDENCE_OK && +@@ -519,7 +523,8 @@ static int start_power_clamp(void) + control_cpu = cpumask_first(cpu_online_mask); + + clamping = true; +- schedule_delayed_work(&poll_pkg_cstate_work, 0); ++ if (poll_pkg_cstate_enable) ++ schedule_delayed_work(&poll_pkg_cstate_work, 0); + + /* start one kthread worker per online cpu */ + for_each_online_cpu(cpu) { +@@ -585,11 +590,15 @@ static int powerclamp_get_max_state(stru + static int powerclamp_get_cur_state(struct thermal_cooling_device *cdev, + unsigned long *state) + { +- if (true == clamping) +- *state = pkg_cstate_ratio_cur; +- else ++ if (clamping) { ++ if (poll_pkg_cstate_enable) ++ *state = pkg_cstate_ratio_cur; ++ else ++ *state = set_target_ratio; ++ } else { + /* to save power, do not poll idle ratio while not clamping */ + *state = -1; /* indicates invalid state */ ++ } + + return 0; + } +@@ -712,6 +721,9 @@ static int __init powerclamp_init(void) + goto exit_unregister; + } + ++ if (topology_max_packages() == 1 && topology_max_die_per_package() == 1) ++ poll_pkg_cstate_enable = true; ++ + cooling_dev = thermal_cooling_device_register("intel_powerclamp", NULL, + &powerclamp_cooling_ops); + if (IS_ERR(cooling_dev)) { diff --git a/queue-6.1/tools-bootconfig-fix-single-used-for-logical-condition.patch b/queue-6.1/tools-bootconfig-fix-single-used-for-logical-condition.patch new file mode 100644 index 00000000000..1173676eaf1 --- /dev/null +++ b/queue-6.1/tools-bootconfig-fix-single-used-for-logical-condition.patch @@ -0,0 +1,36 @@ +From cf8c59a3756b2735c409a9b3ac1e4ec556546a7a Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Wed, 22 Feb 2023 08:27:35 +0900 +Subject: tools/bootconfig: fix single & used for logical condition + +From: Antonio Alvarez Feijoo + +commit cf8c59a3756b2735c409a9b3ac1e4ec556546a7a upstream. + +A single & will create a background process and return true, so the grep +command will run even if the file checked in the first condition does not +exist. + +Link: https://lore.kernel.org/all/20230112114215.17103-1-antonio.feijoo@suse.com/ + +Fixes: 1eaad3ac3f39 ("tools/bootconfig: Use per-group/all enable option in ftrace2bconf script") +Signed-off-by: Antonio Alvarez Feijoo +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + tools/bootconfig/scripts/ftrace2bconf.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/bootconfig/scripts/ftrace2bconf.sh ++++ b/tools/bootconfig/scripts/ftrace2bconf.sh +@@ -93,7 +93,7 @@ referred_vars() { + } + + event_is_enabled() { # enable-file +- test -f $1 & grep -q "1" $1 ++ test -f $1 && grep -q "1" $1 + } + + per_event_options() { # event-dir diff --git a/queue-6.1/tracing-eprobe-fix-to-add-filter-on-eprobe-description-in-readme-file.patch b/queue-6.1/tracing-eprobe-fix-to-add-filter-on-eprobe-description-in-readme-file.patch new file mode 100644 index 00000000000..bd49d8a46a5 --- /dev/null +++ b/queue-6.1/tracing-eprobe-fix-to-add-filter-on-eprobe-description-in-readme-file.patch @@ -0,0 +1,34 @@ +From 133921530c42960c07d25d12677f9e131a2b0cdf Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Tue, 21 Feb 2023 08:49:16 +0900 +Subject: tracing/eprobe: Fix to add filter on eprobe description in README file + +From: Masami Hiramatsu (Google) + +commit 133921530c42960c07d25d12677f9e131a2b0cdf upstream. + +Fix to add a description of the filter on eprobe in README file. This +is required to identify the kernel supports the filter on eprobe or not. + +Link: https://lore.kernel.org/all/167309833728.640500.12232259238201433587.stgit@devnote3/ + +Fixes: 752be5c5c910 ("tracing/eprobe: Add eprobe filter support") +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -5599,7 +5599,7 @@ static const char readme_msg[] = + #ifdef CONFIG_HIST_TRIGGERS + "\t s:[synthetic/] []\n" + #endif +- "\t e[:[/][]] . []\n" ++ "\t e[:[/][]] . [] [if ]\n" + "\t -:[/][]\n" + #ifdef CONFIG_KPROBE_EVENTS + "\t place: [:][+]|\n" diff --git a/queue-6.1/wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch b/queue-6.1/wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch new file mode 100644 index 00000000000..40605688db2 --- /dev/null +++ b/queue-6.1/wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch @@ -0,0 +1,48 @@ +From 7c15430822e71e90203d87e6d0cfe83fa058b0dc Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Wed, 1 Feb 2023 12:32:01 -0600 +Subject: wifi: ath11k: allow system suspend to survive ath11k + +From: Len Brown + +commit 7c15430822e71e90203d87e6d0cfe83fa058b0dc upstream. + +When ath11k runs into internal errors upon suspend, +it returns an error code to pci_pm_suspend, which +aborts the entire system suspend. + +The driver should not abort system suspend, but should +keep its internal errors to itself, and allow the system +to suspend. Otherwise, a user can suspend a laptop +by closing the lid and sealing it into a case, assuming +that is will suspend, rather than heating up and draining +the battery when in transit. + +In practice, the ath11k device seems to have plenty of transient +errors, and subsequent suspend cycles after this failure +often succeed. + +https://bugzilla.kernel.org/show_bug.cgi?id=216968 + +Fixes: d1b0c33850d29 ("ath11k: implement suspend for QCA6390 PCI devices") + +Signed-off-by: Len Brown +Cc: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230201183201.14431-1-len.brown@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath11k/pci.c ++++ b/drivers/net/wireless/ath/ath11k/pci.c +@@ -979,7 +979,7 @@ static __maybe_unused int ath11k_pci_pm_ + if (ret) + ath11k_warn(ab, "failed to suspend core: %d\n", ret); + +- return ret; ++ return 0; + } + + static __maybe_unused int ath11k_pci_pm_resume(struct device *dev) diff --git a/queue-6.1/wifi-cfg80211-fix-use-after-free-for-wext.patch b/queue-6.1/wifi-cfg80211-fix-use-after-free-for-wext.patch new file mode 100644 index 00000000000..cd4b5469098 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-use-after-free-for-wext.patch @@ -0,0 +1,96 @@ +From 015b8cc5e7c4d7bb671f1984d7b7338c310b185b Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Tue, 24 Jan 2023 15:18:56 +0100 +Subject: wifi: cfg80211: Fix use after free for wext + +From: Alexander Wetzel + +commit 015b8cc5e7c4d7bb671f1984d7b7338c310b185b upstream. + +Key information in wext.connect is not reset on (re)connect and can hold +data from a previous connection. + +Reset key data to avoid that drivers or mac80211 incorrectly detect a +WEP connection request and access the freed or already reused memory. + +Additionally optimize cfg80211_sme_connect() and avoid an useless +schedule of conn_work. + +Fixes: fffd0934b939 ("cfg80211: rework key operation") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230124141856.356646-1-alexander@wetzel-home.de +Signed-off-by: Alexander Wetzel +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/sme.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -285,6 +285,15 @@ void cfg80211_conn_work(struct work_stru + wiphy_unlock(&rdev->wiphy); + } + ++static void cfg80211_step_auth_next(struct cfg80211_conn *conn, ++ struct cfg80211_bss *bss) ++{ ++ memcpy(conn->bssid, bss->bssid, ETH_ALEN); ++ conn->params.bssid = conn->bssid; ++ conn->params.channel = bss->channel; ++ conn->state = CFG80211_CONN_AUTHENTICATE_NEXT; ++} ++ + /* Returned bss is reference counted and must be cleaned up appropriately. */ + static struct cfg80211_bss *cfg80211_get_conn_bss(struct wireless_dev *wdev) + { +@@ -302,10 +311,7 @@ static struct cfg80211_bss *cfg80211_get + if (!bss) + return NULL; + +- memcpy(wdev->conn->bssid, bss->bssid, ETH_ALEN); +- wdev->conn->params.bssid = wdev->conn->bssid; +- wdev->conn->params.channel = bss->channel; +- wdev->conn->state = CFG80211_CONN_AUTHENTICATE_NEXT; ++ cfg80211_step_auth_next(wdev->conn, bss); + schedule_work(&rdev->conn_work); + + return bss; +@@ -597,7 +603,12 @@ static int cfg80211_sme_connect(struct w + wdev->conn->params.ssid_len = wdev->u.client.ssid_len; + + /* see if we have the bss already */ +- bss = cfg80211_get_conn_bss(wdev); ++ bss = cfg80211_get_bss(wdev->wiphy, wdev->conn->params.channel, ++ wdev->conn->params.bssid, ++ wdev->conn->params.ssid, ++ wdev->conn->params.ssid_len, ++ wdev->conn_bss_type, ++ IEEE80211_PRIVACY(wdev->conn->params.privacy)); + + if (prev_bssid) { + memcpy(wdev->conn->prev_bssid, prev_bssid, ETH_ALEN); +@@ -608,6 +619,7 @@ static int cfg80211_sme_connect(struct w + if (bss) { + enum nl80211_timeout_reason treason; + ++ cfg80211_step_auth_next(wdev->conn, bss); + err = cfg80211_conn_do_work(wdev, &treason); + cfg80211_put_bss(wdev->wiphy, bss); + } else { +@@ -1450,6 +1462,15 @@ int cfg80211_connect(struct cfg80211_reg + } else { + if (WARN_ON(connkeys)) + return -EINVAL; ++ ++ /* connect can point to wdev->wext.connect which ++ * can hold key data from a previous connection ++ */ ++ connect->key = NULL; ++ connect->key_len = 0; ++ connect->key_idx = 0; ++ connect->crypto.cipher_group = 0; ++ connect->crypto.n_ciphers_pairwise = 0; + } + + wdev->connect_keys = connkeys; diff --git a/queue-6.1/wifi-cfg80211-set-ssid-if-it-is-not-already-set.patch b/queue-6.1/wifi-cfg80211-set-ssid-if-it-is-not-already-set.patch new file mode 100644 index 00000000000..4e9330dc326 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-set-ssid-if-it-is-not-already-set.patch @@ -0,0 +1,62 @@ +From c38c701851011c94ce3be1ccb3593678d2933fd8 Mon Sep 17 00:00:00 2001 +From: Marc Bornand +Date: Wed, 15 Feb 2023 08:47:53 +0000 +Subject: wifi: cfg80211: Set SSID if it is not already set + +From: Marc Bornand + +commit c38c701851011c94ce3be1ccb3593678d2933fd8 upstream. + +When a connection was established without going through +NL80211_CMD_CONNECT, the ssid was never set in the wireless_dev struct. +Now we set it in __cfg80211_connect_result() when it is not already set. + +When using a userspace configuration that does not call +cfg80211_connect() (can be checked with breakpoints in the kernel), +this patch should allow `networkctl status device_name` to output the +SSID instead of null. + +Cc: stable@vger.kernel.org +Reported-by: Yohan Prod'homme +Fixes: 7b0a0e3c3a88 (wifi: cfg80211: do some rework towards MLO link APIs) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216711 +Signed-off-by: Marc Bornand +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/sme.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -736,6 +736,7 @@ void __cfg80211_connect_result(struct ne + { + struct wireless_dev *wdev = dev->ieee80211_ptr; + const struct element *country_elem = NULL; ++ const struct element *ssid; + const u8 *country_data; + u8 country_datalen; + #ifdef CONFIG_CFG80211_WEXT +@@ -881,6 +882,22 @@ void __cfg80211_connect_result(struct ne + country_data, country_datalen); + kfree(country_data); + ++ if (!wdev->u.client.ssid_len) { ++ rcu_read_lock(); ++ for_each_valid_link(cr, link) { ++ ssid = ieee80211_bss_get_elem(cr->links[link].bss, ++ WLAN_EID_SSID); ++ ++ if (!ssid || !ssid->datalen) ++ continue; ++ ++ memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen); ++ wdev->u.client.ssid_len = ssid->datalen; ++ break; ++ } ++ rcu_read_unlock(); ++ } ++ + return; + out: + for_each_valid_link(cr, link) diff --git a/queue-6.1/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch b/queue-6.1/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch new file mode 100644 index 00000000000..67553f25945 --- /dev/null +++ b/queue-6.1/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch @@ -0,0 +1,59 @@ +From 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 Mon Sep 17 00:00:00 2001 +From: Bitterblue Smith +Date: Sun, 8 Jan 2023 17:08:16 +0200 +Subject: wifi: rtl8xxxu: Use a longer retry limit of 48 + +From: Bitterblue Smith + +commit 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 upstream. + +The Realtek rate control algorithm goes back and forth a lot between +the highest and the lowest rate it's allowed to use. This is due to +a lot of frames being dropped because the retry limits set by +IEEE80211_CONF_CHANGE_RETRY_LIMITS are too low. (Experimentally, they +are 4 for long frames and 7 for short frames.) + +The vendor drivers hardcode the value 48 for both retry limits (for +station mode), which makes dropped frames very rare and thus the rate +control is more stable. + +Because most Realtek chips handle the rate control in the firmware, +which can't be modified, ignore the limits set by +IEEE80211_CONF_CHANGE_RETRY_LIMITS and use the value 48 (set during +chip initialisation), same as the vendor drivers. + +Cc: stable@vger.kernel.org +Signed-off-by: Bitterblue Smith +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/477d745b-6bac-111d-403c-487fc19aa30d@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5966,7 +5966,6 @@ static int rtl8xxxu_config(struct ieee80 + { + struct rtl8xxxu_priv *priv = hw->priv; + struct device *dev = &priv->udev->dev; +- u16 val16; + int ret = 0, channel; + bool ht40; + +@@ -5976,14 +5975,6 @@ static int rtl8xxxu_config(struct ieee80 + __func__, hw->conf.chandef.chan->hw_value, + changed, hw->conf.chandef.width); + +- if (changed & IEEE80211_CONF_CHANGE_RETRY_LIMITS) { +- val16 = ((hw->conf.long_frame_max_tx_count << +- RETRY_LIMIT_LONG_SHIFT) & RETRY_LIMIT_LONG_MASK) | +- ((hw->conf.short_frame_max_tx_count << +- RETRY_LIMIT_SHORT_SHIFT) & RETRY_LIMIT_SHORT_MASK); +- rtl8xxxu_write16(priv, REG_RETRY_LIMIT, val16); +- } +- + if (changed & IEEE80211_CONF_CHANGE_CHANNEL) { + switch (hw->conf.chandef.width) { + case NL80211_CHAN_WIDTH_20_NOHT: diff --git a/queue-6.1/wifi-rtw88-use-rtw_flag_poweron-flag-to-prevent-to-power-on-off-twice.patch b/queue-6.1/wifi-rtw88-use-rtw_flag_poweron-flag-to-prevent-to-power-on-off-twice.patch new file mode 100644 index 00000000000..c3ad262fe6b --- /dev/null +++ b/queue-6.1/wifi-rtw88-use-rtw_flag_poweron-flag-to-prevent-to-power-on-off-twice.patch @@ -0,0 +1,125 @@ +From 4a267bc5ea8f159b614d0549030216d0434eccca Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Thu, 16 Feb 2023 13:36:33 +0800 +Subject: wifi: rtw88: use RTW_FLAG_POWERON flag to prevent to power on/off twice + +From: Ping-Ke Shih + +commit 4a267bc5ea8f159b614d0549030216d0434eccca upstream. + +Use power state to decide whether we can enter or leave IPS accurately, +and then prevent to power on/off twice. + +The commit 6bf3a083407b ("wifi: rtw88: add flag check before enter or leave IPS") +would like to prevent this as well, but it still can't entirely handle all +cases. The exception is that WiFi gets connected and does suspend/resume, +it will power on twice and cause it failed to power on after resuming, +like: + + rtw_8723de 0000:03:00.0: failed to poll offset=0x6 mask=0x2 value=0x2 + rtw_8723de 0000:03:00.0: mac power on failed + rtw_8723de 0000:03:00.0: failed to power on mac + rtw_8723de 0000:03:00.0: leave idle state failed + rtw_8723de 0000:03:00.0: failed to leave ips state + rtw_8723de 0000:03:00.0: failed to leave idle state + rtw_8723de 0000:03:00.0: failed to send h2c command + +To fix this, introduce new flag RTW_FLAG_POWERON to reflect power state, +and call rtw_mac_pre_system_cfg() to configure registers properly between +power-off/-on. + +Reported-by: Paul Gover +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217016 +Fixes: 6bf3a083407b ("wifi: rtw88: add flag check before enter or leave IPS") +Cc: +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230216053633.20366-1-pkshih@realtek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/coex.c | 2 +- + drivers/net/wireless/realtek/rtw88/mac.c | 10 ++++++++++ + drivers/net/wireless/realtek/rtw88/main.h | 2 +- + drivers/net/wireless/realtek/rtw88/ps.c | 4 ++-- + drivers/net/wireless/realtek/rtw88/wow.c | 2 +- + 5 files changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw88/coex.c ++++ b/drivers/net/wireless/realtek/rtw88/coex.c +@@ -4057,7 +4057,7 @@ void rtw_coex_display_coex_info(struct r + rtwdev->stats.tx_throughput, rtwdev->stats.rx_throughput); + seq_printf(m, "%-40s = %u/ %u/ %u\n", + "IPS/ Low Power/ PS mode", +- test_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags), ++ !test_bit(RTW_FLAG_POWERON, rtwdev->flags), + test_bit(RTW_FLAG_LEISURE_PS_DEEP, rtwdev->flags), + rtwdev->lps_conf.mode); + +--- a/drivers/net/wireless/realtek/rtw88/mac.c ++++ b/drivers/net/wireless/realtek/rtw88/mac.c +@@ -273,6 +273,11 @@ static int rtw_mac_power_switch(struct r + if (rtw_pwr_seq_parser(rtwdev, pwr_seq)) + return -EINVAL; + ++ if (pwr_on) ++ set_bit(RTW_FLAG_POWERON, rtwdev->flags); ++ else ++ clear_bit(RTW_FLAG_POWERON, rtwdev->flags); ++ + return 0; + } + +@@ -335,6 +340,11 @@ int rtw_mac_power_on(struct rtw_dev *rtw + ret = rtw_mac_power_switch(rtwdev, true); + if (ret == -EALREADY) { + rtw_mac_power_switch(rtwdev, false); ++ ++ ret = rtw_mac_pre_system_cfg(rtwdev); ++ if (ret) ++ goto err; ++ + ret = rtw_mac_power_switch(rtwdev, true); + if (ret) + goto err; +--- a/drivers/net/wireless/realtek/rtw88/main.h ++++ b/drivers/net/wireless/realtek/rtw88/main.h +@@ -356,7 +356,7 @@ enum rtw_flags { + RTW_FLAG_RUNNING, + RTW_FLAG_FW_RUNNING, + RTW_FLAG_SCANNING, +- RTW_FLAG_INACTIVE_PS, ++ RTW_FLAG_POWERON, + RTW_FLAG_LEISURE_PS, + RTW_FLAG_LEISURE_PS_DEEP, + RTW_FLAG_DIG_DISABLE, +--- a/drivers/net/wireless/realtek/rtw88/ps.c ++++ b/drivers/net/wireless/realtek/rtw88/ps.c +@@ -25,7 +25,7 @@ static int rtw_ips_pwr_up(struct rtw_dev + + int rtw_enter_ips(struct rtw_dev *rtwdev) + { +- if (test_and_set_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags)) ++ if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags)) + return 0; + + rtw_coex_ips_notify(rtwdev, COEX_IPS_ENTER); +@@ -50,7 +50,7 @@ int rtw_leave_ips(struct rtw_dev *rtwdev + { + int ret; + +- if (!test_and_clear_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags)) ++ if (test_bit(RTW_FLAG_POWERON, rtwdev->flags)) + return 0; + + rtw_hci_link_ps(rtwdev, false); +--- a/drivers/net/wireless/realtek/rtw88/wow.c ++++ b/drivers/net/wireless/realtek/rtw88/wow.c +@@ -592,7 +592,7 @@ static int rtw_wow_leave_no_link_ps(stru + if (rtw_get_lps_deep_mode(rtwdev) != LPS_DEEP_MODE_NONE) + rtw_leave_lps_deep(rtwdev); + } else { +- if (test_bit(RTW_FLAG_INACTIVE_PS, rtwdev->flags)) { ++ if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags)) { + rtw_wow->ips_enabled = true; + ret = rtw_leave_ips(rtwdev); + if (ret)