From: Greg Kroah-Hartman Date: Sat, 26 Aug 2023 20:46:54 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.49~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7166702ec3556206f3d54c6d8535c6e2cde8639f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-ymfpci-fix-the-missing-snd_card_free-call-at-probe-error.patch batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch batman-adv-don-t-increase-mtu-when-set-by-user.patch batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch batman-adv-trigger-events-for-auto-adjusted-mtu.patch lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch mm-gup-handle-cont-pte-hugetlb-pages-correctly-in-gup_must_unshare-via-gup-fast.patch mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch nfsd-fix-race-to-free_stateid-and-cl_revoked.patch of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch of-unittest-fix-expect-for-parse_phandle_with_args_map-test.patch pinctrl-amd-mask-wake-bits-on-probe-again.patch radix-tree-remove-unused-variable.patch riscv-fix-build-errors-using-binutils2.37-toolchains.patch riscv-handle-zicsr-zifencei-issue-between-gcc-and-binutils.patch selinux-set-next-pointer-before-attaching-to-list.patch --- diff --git a/queue-6.1/alsa-ymfpci-fix-the-missing-snd_card_free-call-at-probe-error.patch b/queue-6.1/alsa-ymfpci-fix-the-missing-snd_card_free-call-at-probe-error.patch new file mode 100644 index 00000000000..be321ec98a1 --- /dev/null +++ b/queue-6.1/alsa-ymfpci-fix-the-missing-snd_card_free-call-at-probe-error.patch @@ -0,0 +1,53 @@ +From 1d0eb6143c1e85d3f9a3f5a616ee7e5dc351d33b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 23 Aug 2023 18:16:25 +0200 +Subject: ALSA: ymfpci: Fix the missing snd_card_free() call at probe error + +From: Takashi Iwai + +commit 1d0eb6143c1e85d3f9a3f5a616ee7e5dc351d33b upstream. + +Like a few other drivers, YMFPCI driver needs to clean up with +snd_card_free() call at an error path of the probe; otherwise the +other devres resources are released before the card and it results in +the UAF. + +This patch uses the helper for handling the probe error gracefully. + +Fixes: f33fc1576757 ("ALSA: ymfpci: Create card with device-managed snd_devm_card_new()") +Cc: +Reported-and-tested-by: Takashi Yano +Closes: https://lore.kernel.org/r/20230823135846.1812-1-takashi.yano@nifty.ne.jp +Link: https://lore.kernel.org/r/20230823161625.5807-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ymfpci/ymfpci.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/sound/pci/ymfpci/ymfpci.c ++++ b/sound/pci/ymfpci/ymfpci.c +@@ -150,8 +150,8 @@ static inline int snd_ymfpci_create_game + void snd_ymfpci_free_gameport(struct snd_ymfpci *chip) { } + #endif /* SUPPORT_JOYSTICK */ + +-static int snd_card_ymfpci_probe(struct pci_dev *pci, +- const struct pci_device_id *pci_id) ++static int __snd_card_ymfpci_probe(struct pci_dev *pci, ++ const struct pci_device_id *pci_id) + { + static int dev; + struct snd_card *card; +@@ -333,6 +333,12 @@ static int snd_card_ymfpci_probe(struct + return 0; + } + ++static int snd_card_ymfpci_probe(struct pci_dev *pci, ++ const struct pci_device_id *pci_id) ++{ ++ return snd_card_free_on_error(&pci->dev, __snd_card_ymfpci_probe(pci, pci_id)); ++} ++ + static struct pci_driver ymfpci_driver = { + .name = KBUILD_MODNAME, + .id_table = snd_ymfpci_ids, diff --git a/queue-6.1/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch b/queue-6.1/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch new file mode 100644 index 00000000000..5513d3e5b62 --- /dev/null +++ b/queue-6.1/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch @@ -0,0 +1,122 @@ +From eac27a41ab641de074655d2932fc7f8cdb446881 Mon Sep 17 00:00:00 2001 +From: Remi Pommarel +Date: Fri, 28 Jul 2023 15:38:50 +0200 +Subject: batman-adv: Do not get eth header before batadv_check_management_packet + +From: Remi Pommarel + +commit eac27a41ab641de074655d2932fc7f8cdb446881 upstream. + +If received skb in batadv_v_elp_packet_recv or batadv_v_ogm_packet_recv +is either cloned or non linearized then its data buffer will be +reallocated by batadv_check_management_packet when skb_cow or +skb_linearize get called. Thus geting ethernet header address inside +skb data buffer before batadv_check_management_packet had any chance to +reallocate it could lead to the following kernel panic: + + Unable to handle kernel paging request at virtual address ffffff8020ab069a + Mem abort info: + ESR = 0x96000007 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x07: level 3 translation fault + Data abort info: + ISV = 0, ISS = 0x00000007 + CM = 0, WnR = 0 + swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000040f45000 + [ffffff8020ab069a] pgd=180000007fffa003, p4d=180000007fffa003, pud=180000007fffa003, pmd=180000007fefe003, pte=0068000020ab0706 + Internal error: Oops: 96000007 [#1] SMP + Modules linked in: ahci_mvebu libahci_platform libahci dvb_usb_af9035 dvb_usb_dib0700 dib0070 dib7000m dibx000_common ath11k_pci ath10k_pci ath10k_core mwl8k_new nf_nat_sip nf_conntrack_sip xhci_plat_hcd xhci_hcd nf_nat_pptp nf_conntrack_pptp at24 sbsa_gwdt + CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.15.42-00066-g3242268d425c-dirty #550 + Hardware name: A8k (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : batadv_is_my_mac+0x60/0xc0 + lr : batadv_v_ogm_packet_recv+0x98/0x5d0 + sp : ffffff8000183820 + x29: ffffff8000183820 x28: 0000000000000001 x27: ffffff8014f9af00 + x26: 0000000000000000 x25: 0000000000000543 x24: 0000000000000003 + x23: ffffff8020ab0580 x22: 0000000000000110 x21: ffffff80168ae880 + x20: 0000000000000000 x19: ffffff800b561000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: 00dc098924ae0032 + x14: 0f0405433e0054b0 x13: ffffffff00000080 x12: 0000004000000001 + x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 + x8 : 0000000000000000 x7 : ffffffc076dae000 x6 : ffffff8000183700 + x5 : ffffffc00955e698 x4 : ffffff80168ae000 x3 : ffffff80059cf000 + x2 : ffffff800b561000 x1 : ffffff8020ab0696 x0 : ffffff80168ae880 + Call trace: + batadv_is_my_mac+0x60/0xc0 + batadv_v_ogm_packet_recv+0x98/0x5d0 + batadv_batman_skb_recv+0x1b8/0x244 + __netif_receive_skb_core.isra.0+0x440/0xc74 + __netif_receive_skb_one_core+0x14/0x20 + netif_receive_skb+0x68/0x140 + br_pass_frame_up+0x70/0x80 + br_handle_frame_finish+0x108/0x284 + br_handle_frame+0x190/0x250 + __netif_receive_skb_core.isra.0+0x240/0xc74 + __netif_receive_skb_list_core+0x6c/0x90 + netif_receive_skb_list_internal+0x1f4/0x310 + napi_complete_done+0x64/0x1d0 + gro_cell_poll+0x7c/0xa0 + __napi_poll+0x34/0x174 + net_rx_action+0xf8/0x2a0 + _stext+0x12c/0x2ac + run_ksoftirqd+0x4c/0x7c + smpboot_thread_fn+0x120/0x210 + kthread+0x140/0x150 + ret_from_fork+0x10/0x20 + Code: f9403844 eb03009f 54fffee1 f94 + +Thus ethernet header address should only be fetched after +batadv_check_management_packet has been called. + +Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure") +Cc: stable@vger.kernel.org +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 3 ++- + net/batman-adv/bat_v_ogm.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -506,7 +506,7 @@ int batadv_v_elp_packet_recv(struct sk_b + struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface); + struct batadv_elp_packet *elp_packet; + struct batadv_hard_iface *primary_if; +- struct ethhdr *ethhdr = (struct ethhdr *)skb_mac_header(skb); ++ struct ethhdr *ethhdr; + bool res; + int ret = NET_RX_DROP; + +@@ -514,6 +514,7 @@ int batadv_v_elp_packet_recv(struct sk_b + if (!res) + goto free_skb; + ++ ethhdr = eth_hdr(skb); + if (batadv_is_my_mac(bat_priv, ethhdr->h_source)) + goto free_skb; + +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -986,7 +986,7 @@ int batadv_v_ogm_packet_recv(struct sk_b + { + struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface); + struct batadv_ogm2_packet *ogm_packet; +- struct ethhdr *ethhdr = eth_hdr(skb); ++ struct ethhdr *ethhdr; + int ogm_offset; + u8 *packet_pos; + int ret = NET_RX_DROP; +@@ -1000,6 +1000,7 @@ int batadv_v_ogm_packet_recv(struct sk_b + if (!batadv_check_management_packet(skb, if_incoming, BATADV_OGM2_HLEN)) + goto free_skb; + ++ ethhdr = eth_hdr(skb); + if (batadv_is_my_mac(bat_priv, ethhdr->h_source)) + goto free_skb; + diff --git a/queue-6.1/batman-adv-don-t-increase-mtu-when-set-by-user.patch b/queue-6.1/batman-adv-don-t-increase-mtu-when-set-by-user.patch new file mode 100644 index 00000000000..3d7276aabbc --- /dev/null +++ b/queue-6.1/batman-adv-don-t-increase-mtu-when-set-by-user.patch @@ -0,0 +1,83 @@ +From d8e42a2b0addf238be8b3b37dcd9795a5c1be459 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 19 Jul 2023 10:01:15 +0200 +Subject: batman-adv: Don't increase MTU when set by user + +From: Sven Eckelmann + +commit d8e42a2b0addf238be8b3b37dcd9795a5c1be459 upstream. + +If the user set an MTU value, it usually means that there are special +requirements for the MTU. But if an interface gots activated, the MTU was +always recalculated and then the user set value was overwritten. + +The only reason why this user set value has to be overwritten, is when the +MTU has to be decreased because batman-adv is not able to transfer packets +with the user specified size. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Cc: stable@vger.kernel.org +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/hard-interface.c | 14 +++++++++++++- + net/batman-adv/soft-interface.c | 3 +++ + net/batman-adv/types.h | 6 ++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -630,7 +630,19 @@ out: + */ + void batadv_update_min_mtu(struct net_device *soft_iface) + { +- dev_set_mtu(soft_iface, batadv_hardif_min_mtu(soft_iface)); ++ struct batadv_priv *bat_priv = netdev_priv(soft_iface); ++ int limit_mtu; ++ int mtu; ++ ++ mtu = batadv_hardif_min_mtu(soft_iface); ++ ++ if (bat_priv->mtu_set_by_user) ++ limit_mtu = bat_priv->mtu_set_by_user; ++ else ++ limit_mtu = ETH_DATA_LEN; ++ ++ mtu = min(mtu, limit_mtu); ++ dev_set_mtu(soft_iface, mtu); + + /* Check if the local translate table should be cleaned up to match a + * new (and smaller) MTU. +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -154,11 +154,14 @@ static int batadv_interface_set_mac_addr + + static int batadv_interface_change_mtu(struct net_device *dev, int new_mtu) + { ++ struct batadv_priv *bat_priv = netdev_priv(dev); ++ + /* check ranges */ + if (new_mtu < 68 || new_mtu > batadv_hardif_min_mtu(dev)) + return -EINVAL; + + dev->mtu = new_mtu; ++ bat_priv->mtu_set_by_user = new_mtu; + + return 0; + } +--- a/net/batman-adv/types.h ++++ b/net/batman-adv/types.h +@@ -1547,6 +1547,12 @@ struct batadv_priv { + struct net_device *soft_iface; + + /** ++ * @mtu_set_by_user: MTU was set once by user ++ * protected by rtnl_lock ++ */ ++ int mtu_set_by_user; ++ ++ /** + * @bat_counters: mesh internal traffic statistic counters (see + * batadv_counters) + */ diff --git a/queue-6.1/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch b/queue-6.1/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch new file mode 100644 index 00000000000..6f024ce1cc9 --- /dev/null +++ b/queue-6.1/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch @@ -0,0 +1,56 @@ +From 421d467dc2d483175bad4fb76a31b9e5a3d744cf Mon Sep 17 00:00:00 2001 +From: Remi Pommarel +Date: Wed, 9 Aug 2023 17:29:13 +0200 +Subject: batman-adv: Fix batadv_v_ogm_aggr_send memory leak + +From: Remi Pommarel + +commit 421d467dc2d483175bad4fb76a31b9e5a3d744cf upstream. + +When batadv_v_ogm_aggr_send is called for an inactive interface, the skb +is silently dropped by batadv_v_ogm_send_to_if() but never freed causing +the following memory leak: + + unreferenced object 0xffff00000c164800 (size 512): + comm "kworker/u8:1", pid 2648, jiffies 4295122303 (age 97.656s) + hex dump (first 32 bytes): + 00 80 af 09 00 00 ff ff e1 09 00 00 75 01 60 83 ............u.`. + 1f 00 00 00 b8 00 00 00 15 00 05 00 da e3 d3 64 ...............d + backtrace: + [<0000000007ad20f6>] __kmalloc_track_caller+0x1a8/0x310 + [<00000000d1029e55>] kmalloc_reserve.constprop.0+0x70/0x13c + [<000000008b9d4183>] __alloc_skb+0xec/0x1fc + [<00000000c7af5051>] __netdev_alloc_skb+0x48/0x23c + [<00000000642ee5f5>] batadv_v_ogm_aggr_send+0x50/0x36c + [<0000000088660bd7>] batadv_v_ogm_aggr_work+0x24/0x40 + [<0000000042fc2606>] process_one_work+0x3b0/0x610 + [<000000002f2a0b1c>] worker_thread+0xa0/0x690 + [<0000000059fae5d4>] kthread+0x1fc/0x210 + [<000000000c587d3a>] ret_from_fork+0x10/0x20 + +Free the skb in that case to fix this leak. + +Cc: stable@vger.kernel.org +Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure") +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_ogm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -124,8 +124,10 @@ static void batadv_v_ogm_send_to_if(stru + { + struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface); + +- if (hard_iface->if_status != BATADV_IF_ACTIVE) ++ if (hard_iface->if_status != BATADV_IF_ACTIVE) { ++ kfree_skb(skb); + return; ++ } + + batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_TX); + batadv_add_counter(bat_priv, BATADV_CNT_MGMT_TX_BYTES, diff --git a/queue-6.1/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch b/queue-6.1/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch new file mode 100644 index 00000000000..53f32f5479a --- /dev/null +++ b/queue-6.1/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch @@ -0,0 +1,85 @@ +From d25ddb7e788d34cf27ff1738d11a87cb4b67d446 Mon Sep 17 00:00:00 2001 +From: Remi Pommarel +Date: Fri, 4 Aug 2023 11:39:36 +0200 +Subject: batman-adv: Fix TT global entry leak when client roamed back + +From: Remi Pommarel + +commit d25ddb7e788d34cf27ff1738d11a87cb4b67d446 upstream. + +When a client roamed back to a node before it got time to destroy the +pending local entry (i.e. within the same originator interval) the old +global one is directly removed from hash table and left as such. + +But because this entry had an extra reference taken at lookup (i.e using +batadv_tt_global_hash_find) there is no way its memory will be reclaimed +at any time causing the following memory leak: + + unreferenced object 0xffff0000073c8000 (size 18560): + comm "softirq", pid 0, jiffies 4294907738 (age 228.644s) + hex dump (first 32 bytes): + 06 31 ac 12 c7 7a 05 00 01 00 00 00 00 00 00 00 .1...z.......... + 2c ad be 08 00 80 ff ff 6c b6 be 08 00 80 ff ff ,.......l....... + backtrace: + [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300 + [<000000000ff2fdbc>] batadv_tt_global_add+0x700/0xe20 + [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790 + [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110 + [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10 + [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0 + [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4 + [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0 + [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90 + [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74 + [<000000000f39a009>] __netif_receive_skb+0x48/0xe0 + [<00000000f2cd8888>] process_backlog+0x174/0x344 + [<00000000507d6564>] __napi_poll+0x58/0x1f4 + [<00000000b64ef9eb>] net_rx_action+0x504/0x590 + [<00000000056fa5e4>] _stext+0x1b8/0x418 + [<00000000878879d6>] run_ksoftirqd+0x74/0xa4 + unreferenced object 0xffff00000bae1a80 (size 56): + comm "softirq", pid 0, jiffies 4294910888 (age 216.092s) + hex dump (first 32 bytes): + 00 78 b1 0b 00 00 ff ff 0d 50 00 00 00 00 00 00 .x.......P...... + 00 00 00 00 00 00 00 00 50 c8 3c 07 00 00 ff ff ........P.<..... + backtrace: + [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300 + [<00000000d9aaa49e>] batadv_tt_global_add+0x53c/0xe20 + [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790 + [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110 + [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10 + [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0 + [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4 + [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0 + [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90 + [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74 + [<000000000f39a009>] __netif_receive_skb+0x48/0xe0 + [<00000000f2cd8888>] process_backlog+0x174/0x344 + [<00000000507d6564>] __napi_poll+0x58/0x1f4 + [<00000000b64ef9eb>] net_rx_action+0x504/0x590 + [<00000000056fa5e4>] _stext+0x1b8/0x418 + [<00000000878879d6>] run_ksoftirqd+0x74/0xa4 + +Releasing the extra reference from batadv_tt_global_hash_find even at +roam back when batadv_tt_global_free is called fixes this memory leak. + +Cc: stable@vger.kernel.org +Fixes: 068ee6e204e1 ("batman-adv: roaming handling mechanism redesign") +Signed-off-by: Remi Pommarel +Signed-off-by; Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/translation-table.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -774,7 +774,6 @@ check_roaming: + if (roamed_back) { + batadv_tt_global_free(bat_priv, tt_global, + "Roaming canceled"); +- tt_global = NULL; + } else { + /* The global entry has to be marked as ROAMING and + * has to be kept for consistency purpose diff --git a/queue-6.1/batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch b/queue-6.1/batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch new file mode 100644 index 00000000000..d605f6a2c8e --- /dev/null +++ b/queue-6.1/batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch @@ -0,0 +1,45 @@ +From 987aae75fc1041072941ffb622b45ce2359a99b9 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 21 Aug 2023 21:48:48 +0200 +Subject: batman-adv: Hold rtnl lock during MTU update via netlink + +From: Sven Eckelmann + +commit 987aae75fc1041072941ffb622b45ce2359a99b9 upstream. + +The automatic recalculation of the maximum allowed MTU is usually triggered +by code sections which are already rtnl lock protected by callers outside +of batman-adv. But when the fragmentation setting is changed via +batman-adv's own batadv genl family, then the rtnl lock is not yet taken. + +But dev_set_mtu requires that the caller holds the rtnl lock because it +uses netdevice notifiers. And this code will then fail the check for this +lock: + + RTNL: assertion failed at net/core/dev.c (1953) + +Cc: stable@vger.kernel.org +Reported-by: syzbot+f8812454d9b3ac00d282@syzkaller.appspotmail.com +Fixes: c6a953cce8d0 ("batman-adv: Trigger events for auto adjusted MTU") +Signed-off-by: Sven Eckelmann +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230821-batadv-missing-mtu-rtnl-lock-v1-1-1c5a7bfe861e@narfation.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/batman-adv/netlink.c ++++ b/net/batman-adv/netlink.c +@@ -495,7 +495,10 @@ static int batadv_netlink_set_mesh(struc + attr = info->attrs[BATADV_ATTR_FRAGMENTATION_ENABLED]; + + atomic_set(&bat_priv->fragmentation, !!nla_get_u8(attr)); ++ ++ rtnl_lock(); + batadv_update_min_mtu(bat_priv->soft_iface); ++ rtnl_unlock(); + } + + if (info->attrs[BATADV_ATTR_GW_BANDWIDTH_DOWN]) { diff --git a/queue-6.1/batman-adv-trigger-events-for-auto-adjusted-mtu.patch b/queue-6.1/batman-adv-trigger-events-for-auto-adjusted-mtu.patch new file mode 100644 index 00000000000..b81ccd3131e --- /dev/null +++ b/queue-6.1/batman-adv-trigger-events-for-auto-adjusted-mtu.patch @@ -0,0 +1,38 @@ +From c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 19 Jul 2023 09:29:29 +0200 +Subject: batman-adv: Trigger events for auto adjusted MTU + +From: Sven Eckelmann + +commit c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 upstream. + +If an interface changes the MTU, it is expected that an NETDEV_PRECHANGEMTU +and NETDEV_CHANGEMTU notification events is triggered. This worked fine for +.ndo_change_mtu based changes because core networking code took care of it. +But for auto-adjustments after hard-interfaces changes, these events were +simply missing. + +Due to this problem, non-batman-adv components weren't aware of MTU changes +and thus couldn't perform their own tasks correctly. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Cc: stable@vger.kernel.org +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/hard-interface.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -630,7 +630,7 @@ out: + */ + void batadv_update_min_mtu(struct net_device *soft_iface) + { +- soft_iface->mtu = batadv_hardif_min_mtu(soft_iface); ++ dev_set_mtu(soft_iface, batadv_hardif_min_mtu(soft_iface)); + + /* Check if the local translate table should be cleaned up to match a + * new (and smaller) MTU. diff --git a/queue-6.1/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch b/queue-6.1/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch new file mode 100644 index 00000000000..be10831e130 --- /dev/null +++ b/queue-6.1/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch @@ -0,0 +1,120 @@ +From 382d4cd1847517ffcb1800fd462b625db7b2ebea Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 25 Aug 2023 21:50:33 +0200 +Subject: lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels + +From: Helge Deller + +commit 382d4cd1847517ffcb1800fd462b625db7b2ebea upstream. + +The gcc compiler translates on some architectures the 64-bit +__builtin_clzll() function to a call to the libgcc function __clzdi2(), +which should take a 64-bit parameter on 32- and 64-bit platforms. + +But in the current kernel code, the built-in __clzdi2() function is +defined to operate (wrongly) on 32-bit parameters if BITS_PER_LONG == +32, thus the return values on 32-bit kernels are in the range from +[0..31] instead of the expected [0..63] range. + +This patch fixes the in-kernel functions __clzdi2() and __ctzdi2() to +take a 64-bit parameter on 32-bit kernels as well, thus it makes the +functions identical for 32- and 64-bit kernels. + +This bug went unnoticed since kernel 3.11 for over 10 years, and here +are some possible reasons for that: + + a) Some architectures have assembly instructions to count the bits and + which are used instead of calling __clzdi2(), e.g. on x86 the bsr + instruction and on ppc cntlz is used. On such architectures the + wrong __clzdi2() implementation isn't used and as such the bug has + no effect and won't be noticed. + + b) Some architectures link to libgcc.a, and the in-kernel weak + functions get replaced by the correct 64-bit variants from libgcc.a. + + c) __builtin_clzll() and __clzdi2() doesn't seem to be used in many + places in the kernel, and most likely only in uncritical functions, + e.g. when printing hex values via seq_put_hex_ll(). The wrong return + value will still print the correct number, but just in a wrong + formatting (e.g. with too many leading zeroes). + + d) 32-bit kernels aren't used that much any longer, so they are less + tested. + +A trivial testcase to verify if the currently running 32-bit kernel is +affected by the bug is to look at the output of /proc/self/maps: + +Here the kernel uses a correct implementation of __clzdi2(): + + root@debian:~# cat /proc/self/maps + 00010000-00019000 r-xp 00000000 08:05 787324 /usr/bin/cat + 00019000-0001a000 rwxp 00009000 08:05 787324 /usr/bin/cat + 0001a000-0003b000 rwxp 00000000 00:00 0 [heap] + f7551000-f770d000 r-xp 00000000 08:05 794765 /usr/lib/hppa-linux-gnu/libc.so.6 + ... + +and this kernel uses the broken implementation of __clzdi2(): + + root@debian:~# cat /proc/self/maps + 0000000010000-0000000019000 r-xp 00000000 000000008:000000005 787324 /usr/bin/cat + 0000000019000-000000001a000 rwxp 000000009000 000000008:000000005 787324 /usr/bin/cat + 000000001a000-000000003b000 rwxp 00000000 00:00 0 [heap] + 00000000f73d1000-00000000f758d000 r-xp 00000000 000000008:000000005 794765 /usr/lib/hppa-linux-gnu/libc.so.6 + ... + +Signed-off-by: Helge Deller +Fixes: 4df87bb7b6a22 ("lib: add weak clz/ctz functions") +Cc: Chanho Min +Cc: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v3.11+ +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + lib/clz_ctz.c | 32 ++++++-------------------------- + 1 file changed, 6 insertions(+), 26 deletions(-) + +--- a/lib/clz_ctz.c ++++ b/lib/clz_ctz.c +@@ -28,36 +28,16 @@ int __weak __clzsi2(int val) + } + EXPORT_SYMBOL(__clzsi2); + +-int __weak __clzdi2(long val); +-int __weak __ctzdi2(long val); +-#if BITS_PER_LONG == 32 +- +-int __weak __clzdi2(long val) ++int __weak __clzdi2(u64 val); ++int __weak __clzdi2(u64 val) + { +- return 32 - fls((int)val); ++ return 64 - fls64(val); + } + EXPORT_SYMBOL(__clzdi2); + +-int __weak __ctzdi2(long val) ++int __weak __ctzdi2(u64 val); ++int __weak __ctzdi2(u64 val) + { +- return __ffs((u32)val); ++ return __ffs64(val); + } + EXPORT_SYMBOL(__ctzdi2); +- +-#elif BITS_PER_LONG == 64 +- +-int __weak __clzdi2(long val) +-{ +- return 64 - fls64((u64)val); +-} +-EXPORT_SYMBOL(__clzdi2); +- +-int __weak __ctzdi2(long val) +-{ +- return __ffs64((u64)val); +-} +-EXPORT_SYMBOL(__ctzdi2); +- +-#else +-#error BITS_PER_LONG not 32 or 64 +-#endif diff --git a/queue-6.1/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch b/queue-6.1/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch new file mode 100644 index 00000000000..33b20d3e6da --- /dev/null +++ b/queue-6.1/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch @@ -0,0 +1,37 @@ +From e7f2e65699e2290fd547ec12a17008764e5d9620 Mon Sep 17 00:00:00 2001 +From: Wei Chen +Date: Thu, 10 Aug 2023 08:23:33 +0000 +Subject: media: vcodec: Fix potential array out-of-bounds in encoder queue_setup + +From: Wei Chen + +commit e7f2e65699e2290fd547ec12a17008764e5d9620 upstream. + +variable *nplanes is provided by user via system call argument. The +possible value of q_data->fmt->num_planes is 1-3, while the value +of *nplanes can be 1-8. The array access by index i can cause array +out-of-bounds. + +Fix this bug by checking *nplanes against the array size. + +Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") +Signed-off-by: Wei Chen +Cc: stable@vger.kernel.org +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c ++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c +@@ -821,6 +821,8 @@ static int vb2ops_venc_queue_setup(struc + return -EINVAL; + + if (*nplanes) { ++ if (*nplanes != q_data->fmt->num_planes) ++ return -EINVAL; + for (i = 0; i < *nplanes; i++) + if (sizes[i] < q_data->sizeimage[i]) + return -EINVAL; diff --git a/queue-6.1/mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch b/queue-6.1/mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch new file mode 100644 index 00000000000..14d8b60d326 --- /dev/null +++ b/queue-6.1/mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch @@ -0,0 +1,55 @@ +From a50420c79731fc5cf27ad43719c1091e842a2606 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Wed, 9 Aug 2023 18:46:33 +0200 +Subject: mm: add a call to flush_cache_vmap() in vmap_pfn() + +From: Alexandre Ghiti + +commit a50420c79731fc5cf27ad43719c1091e842a2606 upstream. + +flush_cache_vmap() must be called after new vmalloc mappings are installed +in the page table in order to allow architectures to make sure the new +mapping is visible. + +It could lead to a panic since on some architectures (like powerpc), +the page table walker could see the wrong pte value and trigger a +spurious page fault that can not be resolved (see commit f1cb8f9beba8 +("powerpc/64s/radix: avoid ptesync after set_pte and +ptep_set_access_flags")). + +But actually the patch is aiming at riscv: the riscv specification +allows the caching of invalid entries in the TLB, and since we recently +removed the vmalloc page fault handling, we now need to emit a tlb +shootdown whenever a new vmalloc mapping is emitted +(https://lore.kernel.org/linux-riscv/20230725132246.817726-1-alexghiti@rivosinc.com/). +That's a temporary solution, there are ways to avoid that :) + +Link: https://lkml.kernel.org/r/20230809164633.1556126-1-alexghiti@rivosinc.com +Fixes: 3e9a9e256b1e ("mm: add a vmap_pfn function") +Reported-by: Dylan Jhong +Closes: https://lore.kernel.org/linux-riscv/ZMytNY2J8iyjbPPy@atctrx.andestech.com/ +Signed-off-by: Alexandre Ghiti +Reviewed-by: Christoph Hellwig +Reviewed-by: Palmer Dabbelt +Acked-by: Palmer Dabbelt +Reviewed-by: Dylan Jhong +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmalloc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -2909,6 +2909,10 @@ void *vmap_pfn(unsigned long *pfns, unsi + free_vm_area(area); + return NULL; + } ++ ++ flush_cache_vmap((unsigned long)area->addr, ++ (unsigned long)area->addr + count * PAGE_SIZE); ++ + return area->addr; + } + EXPORT_SYMBOL_GPL(vmap_pfn); diff --git a/queue-6.1/mm-gup-handle-cont-pte-hugetlb-pages-correctly-in-gup_must_unshare-via-gup-fast.patch b/queue-6.1/mm-gup-handle-cont-pte-hugetlb-pages-correctly-in-gup_must_unshare-via-gup-fast.patch new file mode 100644 index 00000000000..5380d22408f --- /dev/null +++ b/queue-6.1/mm-gup-handle-cont-pte-hugetlb-pages-correctly-in-gup_must_unshare-via-gup-fast.patch @@ -0,0 +1,149 @@ +From 5805192c7b7257d290474cb1a3897d0567281bbc Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Sat, 5 Aug 2023 12:12:56 +0200 +Subject: mm/gup: handle cont-PTE hugetlb pages correctly in gup_must_unshare() via GUP-fast + +From: David Hildenbrand + +commit 5805192c7b7257d290474cb1a3897d0567281bbc upstream. + +In contrast to most other GUP code, GUP-fast common page table walking +code like gup_pte_range() also handles hugetlb pages. But in contrast to +other hugetlb page table walking code, it does not look at the hugetlb PTE +abstraction whereby we have only a single logical hugetlb PTE per hugetlb +page, even when using multiple cont-PTEs underneath -- which is for +example what huge_ptep_get() abstracts. + +So when we have a hugetlb page that is mapped via cont-PTEs, GUP-fast +might stumble over a PTE that does not map the head page of a hugetlb page +-- not the first "head" PTE of such a cont mapping. + +Logically, the whole hugetlb page is mapped (entire_mapcount == 1), but we +might end up calling gup_must_unshare() with a tail page of a hugetlb +page. + +We only maintain a single PageAnonExclusive flag per hugetlb page (as +hugetlb pages cannot get partially COW-shared), stored for the head page. +That flag is clear for all tail pages. + +So when gup_must_unshare() ends up calling PageAnonExclusive() with a tail +page of a hugetlb page: + +1) With CONFIG_DEBUG_VM_PGFLAGS + +Stumbles over the: + + VM_BUG_ON_PGFLAGS(PageHuge(page) && !PageHead(page), page); + +For example, when executing the COW selftests with 64k hugetlb pages on +arm64: + + [ 61.082187] page:00000000829819ff refcount:3 mapcount:1 mapping:0000000000000000 index:0x1 pfn:0x11ee11 + [ 61.082842] head:0000000080f79bf7 order:4 entire_mapcount:1 nr_pages_mapped:0 pincount:2 + [ 61.083384] anon flags: 0x17ffff80003000e(referenced|uptodate|dirty|head|mappedtodisk|node=0|zone=2|lastcpupid=0xfffff) + [ 61.084101] page_type: 0xffffffff() + [ 61.084332] raw: 017ffff800000000 fffffc00037b8401 0000000000000402 0000000200000000 + [ 61.084840] raw: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000 + [ 61.085359] head: 017ffff80003000e ffffd9e95b09b788 ffffd9e95b09b788 ffff0007ff63cf71 + [ 61.085885] head: 0000000000000000 0000000000000002 00000003ffffffff 0000000000000000 + [ 61.086415] page dumped because: VM_BUG_ON_PAGE(PageHuge(page) && !PageHead(page)) + [ 61.086914] ------------[ cut here ]------------ + [ 61.087220] kernel BUG at include/linux/page-flags.h:990! + [ 61.087591] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + [ 61.087999] Modules linked in: ... + [ 61.089404] CPU: 0 PID: 4612 Comm: cow Kdump: loaded Not tainted 6.5.0-rc4+ #3 + [ 61.089917] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 + [ 61.090409] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + [ 61.090897] pc : gup_must_unshare.part.0+0x64/0x98 + [ 61.091242] lr : gup_must_unshare.part.0+0x64/0x98 + [ 61.091592] sp : ffff8000825eb940 + [ 61.091826] x29: ffff8000825eb940 x28: 0000000000000000 x27: fffffc00037b8440 + [ 61.092329] x26: 0400000000000001 x25: 0000000000080101 x24: 0000000000080000 + [ 61.092835] x23: 0000000000080100 x22: ffff0000cffb9588 x21: ffff0000c8ec6b58 + [ 61.093341] x20: 0000ffffad6b1000 x19: fffffc00037b8440 x18: ffffffffffffffff + [ 61.093850] x17: 2864616548656761 x16: 5021202626202965 x15: 6761702865677548 + [ 61.094358] x14: 6567615028454741 x13: 2929656761702864 x12: 6165486567615021 + [ 61.094858] x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffd9e958b7a1c0 + [ 61.095359] x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 00000000002bffa8 + [ 61.095873] x5 : ffff0008bb19e708 x4 : 0000000000000000 x3 : 0000000000000000 + [ 61.096380] x2 : 0000000000000000 x1 : ffff0000cf6636c0 x0 : 0000000000000046 + [ 61.096894] Call trace: + [ 61.097080] gup_must_unshare.part.0+0x64/0x98 + [ 61.097392] gup_pte_range+0x3a8/0x3f0 + [ 61.097662] gup_pgd_range+0x1ec/0x280 + [ 61.097942] lockless_pages_from_mm+0x64/0x1a0 + [ 61.098258] internal_get_user_pages_fast+0xe4/0x1d0 + [ 61.098612] pin_user_pages_fast+0x58/0x78 + [ 61.098917] pin_longterm_test_start+0xf4/0x2b8 + [ 61.099243] gup_test_ioctl+0x170/0x3b0 + [ 61.099528] __arm64_sys_ioctl+0xa8/0xf0 + [ 61.099822] invoke_syscall.constprop.0+0x7c/0xd0 + [ 61.100160] el0_svc_common.constprop.0+0xe8/0x100 + [ 61.100500] do_el0_svc+0x38/0xa0 + [ 61.100736] el0_svc+0x3c/0x198 + [ 61.100971] el0t_64_sync_handler+0x134/0x150 + [ 61.101280] el0t_64_sync+0x17c/0x180 + [ 61.101543] Code: aa1303e0 f00074c1 912b0021 97fffeb2 (d4210000) + +2) Without CONFIG_DEBUG_VM_PGFLAGS + +Always detects "not exclusive" for passed tail pages and refuses to PIN +the tail pages R/O, as gup_must_unshare() == true. GUP-fast will fallback +to ordinary GUP. As ordinary GUP properly considers the logical hugetlb +PTE abstraction in hugetlb_follow_page_mask(), pinning the page will +succeed when looking at the PageAnonExclusive on the head page only. + +So the only real effect of this is that with cont-PTE hugetlb pages, we'll +always fallback from GUP-fast to ordinary GUP when not working on the head +page, which ends up checking the head page and do the right thing. + +Consequently, the cow selftests pass with cont-PTE hugetlb pages as well +without CONFIG_DEBUG_VM_PGFLAGS. + +Note that this only applies to anon hugetlb pages that are mapped using +cont-PTEs: for example 64k hugetlb pages on a 4k arm64 kernel. + +... and only when R/O-pinning (FOLL_PIN) such pages that are mapped into +the page table R/O using GUP-fast. + +On production kernels (and even most debug kernels, that don't set +CONFIG_DEBUG_VM_PGFLAGS) this patch should theoretically not be required +to be backported. But of course, it does not hurt. + +Link: https://lkml.kernel.org/r/20230805101256.87306-1-david@redhat.com +Fixes: a7f226604170 ("mm/gup: trigger FAULT_FLAG_UNSHARE when R/O-pinning a possibly shared anonymous page") +Signed-off-by: David Hildenbrand +Reported-by: Ryan Roberts +Reviewed-by: Ryan Roberts +Tested-by: Ryan Roberts +Cc: Vlastimil Babka +Cc: John Hubbard +Cc: Jason Gunthorpe +Cc: Peter Xu +Cc: Mike Kravetz +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/internal.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -850,6 +850,16 @@ static inline bool vma_soft_dirty_enable + return false; + + /* ++ * During GUP-fast we might not get called on the head page for a ++ * hugetlb page that is mapped using cont-PTE, because GUP-fast does ++ * not work with the abstracted hugetlb PTEs that always point at the ++ * head page. For hugetlb, PageAnonExclusive only applies on the head ++ * page (as it cannot be partially COW-shared), so lookup the head page. ++ */ ++ if (unlikely(!PageHead(page) && PageHuge(page))) ++ page = compound_head(page); ++ ++ /* + * Soft-dirty is kind of special: its tracking is enabled when the + * vma flags not set. + */ diff --git a/queue-6.1/mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch b/queue-6.1/mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch new file mode 100644 index 00000000000..98c7ef60c8f --- /dev/null +++ b/queue-6.1/mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch @@ -0,0 +1,47 @@ +From e2c1ab070fdc81010ec44634838d24fce9ff9e53 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Tue, 27 Jun 2023 19:28:08 +0800 +Subject: mm: memory-failure: fix unexpected return value in soft_offline_page() + +From: Miaohe Lin + +commit e2c1ab070fdc81010ec44634838d24fce9ff9e53 upstream. + +When page_handle_poison() fails to handle the hugepage or free page in +retry path, soft_offline_page() will return 0 while -EBUSY is expected in +this case. + +Consequently the user will think soft_offline_page succeeds while it in +fact failed. So the user will not try again later in this case. + +Link: https://lkml.kernel.org/r/20230627112808.1275241-1-linmiaohe@huawei.com +Fixes: b94e02822deb ("mm,hwpoison: try to narrow window race for free pages") +Signed-off-by: Miaohe Lin +Acked-by: Naoya Horiguchi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-failure.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -2591,10 +2591,13 @@ retry: + if (ret > 0) { + ret = soft_offline_in_use_page(page); + } else if (ret == 0) { +- if (!page_handle_poison(page, true, false) && try_again) { +- try_again = false; +- flags &= ~MF_COUNT_INCREASED; +- goto retry; ++ if (!page_handle_poison(page, true, false)) { ++ if (try_again) { ++ try_again = false; ++ flags &= ~MF_COUNT_INCREASED; ++ goto retry; ++ } ++ ret = -EBUSY; + } + } + diff --git a/queue-6.1/nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch b/queue-6.1/nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch new file mode 100644 index 00000000000..6faf39bc886 --- /dev/null +++ b/queue-6.1/nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch @@ -0,0 +1,60 @@ +From be2fd1560eb57b7298aa3c258ddcca0d53ecdea3 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 8 Aug 2023 21:17:11 -0400 +Subject: NFS: Fix a use after free in nfs_direct_join_group() + +From: Trond Myklebust + +commit be2fd1560eb57b7298aa3c258ddcca0d53ecdea3 upstream. + +Be more careful when tearing down the subrequests of an O_DIRECT write +as part of a retransmission. + +Reported-by: Chris Mason +Fixes: ed5d588fe47f ("NFS: Try to join page groups before an O_DIRECT retransmission") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/direct.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -474,20 +474,26 @@ out: + return result; + } + +-static void +-nfs_direct_join_group(struct list_head *list, struct inode *inode) ++static void nfs_direct_join_group(struct list_head *list, struct inode *inode) + { +- struct nfs_page *req, *next; ++ struct nfs_page *req, *subreq; + + list_for_each_entry(req, list, wb_list) { +- if (req->wb_head != req || req->wb_this_page == req) ++ if (req->wb_head != req) + continue; +- for (next = req->wb_this_page; +- next != req->wb_head; +- next = next->wb_this_page) { +- nfs_list_remove_request(next); +- nfs_release_request(next); +- } ++ subreq = req->wb_this_page; ++ if (subreq == req) ++ continue; ++ do { ++ /* ++ * Remove subrequests from this list before freeing ++ * them in the call to nfs_join_page_group(). ++ */ ++ if (!list_empty(&subreq->wb_list)) { ++ nfs_list_remove_request(subreq); ++ nfs_release_request(subreq); ++ } ++ } while ((subreq = subreq->wb_this_page) != req); + nfs_join_page_group(req, inode); + } + } diff --git a/queue-6.1/nfsd-fix-race-to-free_stateid-and-cl_revoked.patch b/queue-6.1/nfsd-fix-race-to-free_stateid-and-cl_revoked.patch new file mode 100644 index 00000000000..569cb04d755 --- /dev/null +++ b/queue-6.1/nfsd-fix-race-to-free_stateid-and-cl_revoked.patch @@ -0,0 +1,47 @@ +From 3b816601e279756e781e6c4d9b3f3bd21a72ac67 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Fri, 4 Aug 2023 10:52:20 -0400 +Subject: nfsd: Fix race to FREE_STATEID and cl_revoked + +From: Benjamin Coddington + +commit 3b816601e279756e781e6c4d9b3f3bd21a72ac67 upstream. + +We have some reports of linux NFS clients that cannot satisfy a linux knfsd +server that always sets SEQ4_STATUS_RECALLABLE_STATE_REVOKED even though +those clients repeatedly walk all their known state using TEST_STATEID and +receive NFS4_OK for all. + +Its possible for revoke_delegation() to set NFS4_REVOKED_DELEG_STID, then +nfsd4_free_stateid() finds the delegation and returns NFS4_OK to +FREE_STATEID. Afterward, revoke_delegation() moves the same delegation to +cl_revoked. This would produce the observed client/server effect. + +Fix this by ensuring that the setting of sc_type to NFS4_REVOKED_DELEG_STID +and move to cl_revoked happens within the same cl_lock. This will allow +nfsd4_free_stateid() to properly remove the delegation from cl_revoked. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2217103 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2176575 +Signed-off-by: Benjamin Coddington +Cc: stable@vger.kernel.org # v4.17+ +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1368,9 +1368,9 @@ static void revoke_delegation(struct nfs + WARN_ON(!list_empty(&dp->dl_recall_lru)); + + if (clp->cl_minorversion) { ++ spin_lock(&clp->cl_lock); + dp->dl_stid.sc_type = NFS4_REVOKED_DELEG_STID; + refcount_inc(&dp->dl_stid.sc_count); +- spin_lock(&clp->cl_lock); + list_add(&dp->dl_recall_lru, &clp->cl_revoked); + spin_unlock(&clp->cl_lock); + } diff --git a/queue-6.1/of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch b/queue-6.1/of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch new file mode 100644 index 00000000000..0f1213b34ba --- /dev/null +++ b/queue-6.1/of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch @@ -0,0 +1,114 @@ +From 914d9d831e6126a6e7a92e27fcfaa250671be42c Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Fri, 18 Aug 2023 15:40:57 -0500 +Subject: of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock + +From: Rob Herring + +commit 914d9d831e6126a6e7a92e27fcfaa250671be42c upstream. + +While originally it was fine to format strings using "%pOF" while +holding devtree_lock, this now causes a deadlock. Lockdep reports: + + of_get_parent from of_fwnode_get_parent+0x18/0x24 + ^^^^^^^^^^^^^ + of_fwnode_get_parent from fwnode_count_parents+0xc/0x28 + fwnode_count_parents from fwnode_full_name_string+0x18/0xac + fwnode_full_name_string from device_node_string+0x1a0/0x404 + device_node_string from pointer+0x3c0/0x534 + pointer from vsnprintf+0x248/0x36c + vsnprintf from vprintk_store+0x130/0x3b4 + +Fix this by moving the printing in __of_changeset_entry_apply() outside +the lock. As the only difference in the multiple prints is the action +name, use the existing "action_names" to refactor the prints into a +single print. + +Fixes: a92eb7621b9fb2c2 ("lib/vsprintf: Make use of fwnode API to obtain node names and separators") +Cc: stable@vger.kernel.org +Reported-by: Geert Uytterhoeven +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230801-dt-changeset-fixes-v3-2-5f0410e007dd@kernel.org +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/dynamic.c | 31 +++++++++---------------------- + 1 file changed, 9 insertions(+), 22 deletions(-) + +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -63,15 +63,14 @@ int of_reconfig_notifier_unregister(stru + } + EXPORT_SYMBOL_GPL(of_reconfig_notifier_unregister); + +-#ifdef DEBUG +-const char *action_names[] = { ++static const char *action_names[] = { ++ [0] = "INVALID", + [OF_RECONFIG_ATTACH_NODE] = "ATTACH_NODE", + [OF_RECONFIG_DETACH_NODE] = "DETACH_NODE", + [OF_RECONFIG_ADD_PROPERTY] = "ADD_PROPERTY", + [OF_RECONFIG_REMOVE_PROPERTY] = "REMOVE_PROPERTY", + [OF_RECONFIG_UPDATE_PROPERTY] = "UPDATE_PROPERTY", + }; +-#endif + + int of_reconfig_notify(unsigned long action, struct of_reconfig_data *p) + { +@@ -594,21 +593,9 @@ static int __of_changeset_entry_apply(st + } + + ret = __of_add_property(ce->np, ce->prop); +- if (ret) { +- pr_err("changeset: add_property failed @%pOF/%s\n", +- ce->np, +- ce->prop->name); +- break; +- } + break; + case OF_RECONFIG_REMOVE_PROPERTY: + ret = __of_remove_property(ce->np, ce->prop); +- if (ret) { +- pr_err("changeset: remove_property failed @%pOF/%s\n", +- ce->np, +- ce->prop->name); +- break; +- } + break; + + case OF_RECONFIG_UPDATE_PROPERTY: +@@ -622,20 +609,17 @@ static int __of_changeset_entry_apply(st + } + + ret = __of_update_property(ce->np, ce->prop, &old_prop); +- if (ret) { +- pr_err("changeset: update_property failed @%pOF/%s\n", +- ce->np, +- ce->prop->name); +- break; +- } + break; + default: + ret = -EINVAL; + } + raw_spin_unlock_irqrestore(&devtree_lock, flags); + +- if (ret) ++ if (ret) { ++ pr_err("changeset: apply failed: %-15s %pOF:%s\n", ++ action_names[ce->action], ce->np, ce->prop->name); + return ret; ++ } + + switch (ce->action) { + case OF_RECONFIG_ATTACH_NODE: +@@ -921,6 +905,9 @@ int of_changeset_action(struct of_change + if (!ce) + return -ENOMEM; + ++ if (WARN_ON(action >= ARRAY_SIZE(action_names))) ++ return -EINVAL; ++ + /* get a reference to the node */ + ce->action = action; + ce->np = of_node_get(np); diff --git a/queue-6.1/of-unittest-fix-expect-for-parse_phandle_with_args_map-test.patch b/queue-6.1/of-unittest-fix-expect-for-parse_phandle_with_args_map-test.patch new file mode 100644 index 00000000000..724a3714dc7 --- /dev/null +++ b/queue-6.1/of-unittest-fix-expect-for-parse_phandle_with_args_map-test.patch @@ -0,0 +1,40 @@ +From 0aeae3788e28f64ccb95405d4dc8cd80637ffaea Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Fri, 18 Aug 2023 15:40:56 -0500 +Subject: of: unittest: Fix EXPECT for parse_phandle_with_args_map() test + +From: Rob Herring + +commit 0aeae3788e28f64ccb95405d4dc8cd80637ffaea upstream. + +Commit 12e17243d8a1 ("of: base: improve error msg in +of_phandle_iterator_next()") added printing of the phandle value on +error, but failed to update the unittest. + +Fixes: 12e17243d8a1 ("of: base: improve error msg in of_phandle_iterator_next()") +Cc: stable@vger.kernel.org +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230801-dt-changeset-fixes-v3-1-5f0410e007dd@kernel.org +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/unittest.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -657,12 +657,12 @@ static void __init of_unittest_parse_pha + memset(&args, 0, sizeof(args)); + + EXPECT_BEGIN(KERN_INFO, +- "OF: /testcase-data/phandle-tests/consumer-b: could not find phandle"); ++ "OF: /testcase-data/phandle-tests/consumer-b: could not find phandle 12345678"); + + rc = of_parse_phandle_with_args_map(np, "phandle-list-bad-phandle", + "phandle", 0, &args); + EXPECT_END(KERN_INFO, +- "OF: /testcase-data/phandle-tests/consumer-b: could not find phandle"); ++ "OF: /testcase-data/phandle-tests/consumer-b: could not find phandle 12345678"); + + unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc); + diff --git a/queue-6.1/pinctrl-amd-mask-wake-bits-on-probe-again.patch b/queue-6.1/pinctrl-amd-mask-wake-bits-on-probe-again.patch new file mode 100644 index 00000000000..d21c13a16af --- /dev/null +++ b/queue-6.1/pinctrl-amd-mask-wake-bits-on-probe-again.patch @@ -0,0 +1,94 @@ +From 6bc3462a0f5ecaa376a0b3d76dafc55796799e17 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 18 Aug 2023 09:48:50 -0500 +Subject: pinctrl: amd: Mask wake bits on probe again + +From: Mario Limonciello + +commit 6bc3462a0f5ecaa376a0b3d76dafc55796799e17 upstream. + +Shubhra reports that their laptop is heating up over s2idle. Even though +it's getting into the deepest state, it appears to be having spurious +wakeup events. + +While debugging a tangential issue with the RTC Carsten reports that recent +6.1.y based kernel face a similar problem. + +Looking at acpidump and GPIO register comparisons these spurious wakeup +events are from the GPIO associated with the I2C touchpad on both laptops +and occur even when the touchpad is not marked as a wake source by the +kernel. + +This means that the boot firmware has programmed these bits and because +Linux didn't touch them lead to spurious wakeup events from that GPIO. + +To fix this issue, restore most of the code that previously would clear all +the bits associated with wakeup sources. This will allow the kernel to only +program the wake up sources that are necessary. + +This is similar to what was done previously; but only the wake bits are +cleared by default instead of interrupts and wake bits. If any other +problems are reported then it may make sense to clear interrupts again too. + +Cc: Sachi King +Cc: stable@vger.kernel.org +Cc: Thorsten Leemhuis +Fixes: 65f6c7c91cb2 ("pinctrl: amd: Revert "pinctrl: amd: disable and mask interrupts on probe"") +Reported-by: Shubhra Prakash Nandi +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217754 +Reported-by: Carsten Hatger +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217626#c28 +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230818144850.1439-1-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -862,6 +862,33 @@ static const struct pinconf_ops amd_pinc + .pin_config_group_set = amd_pinconf_group_set, + }; + ++static void amd_gpio_irq_init(struct amd_gpio *gpio_dev) ++{ ++ struct pinctrl_desc *desc = gpio_dev->pctrl->desc; ++ unsigned long flags; ++ u32 pin_reg, mask; ++ int i; ++ ++ mask = BIT(WAKE_CNTRL_OFF_S0I3) | BIT(WAKE_CNTRL_OFF_S3) | ++ BIT(WAKE_CNTRL_OFF_S4); ++ ++ for (i = 0; i < desc->npins; i++) { ++ int pin = desc->pins[i].number; ++ const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin); ++ ++ if (!pd) ++ continue; ++ ++ raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ ++ pin_reg = readl(gpio_dev->base + pin * 4); ++ pin_reg &= ~mask; ++ writel(pin_reg, gpio_dev->base + pin * 4); ++ ++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); ++ } ++} ++ + #ifdef CONFIG_PM_SLEEP + static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin) + { +@@ -1099,6 +1126,9 @@ static int amd_gpio_probe(struct platfor + return PTR_ERR(gpio_dev->pctrl); + } + ++ /* Disable and mask interrupts */ ++ amd_gpio_irq_init(gpio_dev); ++ + girq = &gpio_dev->gc.irq; + gpio_irq_chip_set_chip(girq, &amd_gpio_irqchip); + /* This will let us handle the parent IRQ in the driver */ diff --git a/queue-6.1/radix-tree-remove-unused-variable.patch b/queue-6.1/radix-tree-remove-unused-variable.patch new file mode 100644 index 00000000000..2998050f79d --- /dev/null +++ b/queue-6.1/radix-tree-remove-unused-variable.patch @@ -0,0 +1,42 @@ +From d59070d1076ec5114edb67c87658aeb1d691d381 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 11 Aug 2023 15:10:13 +0200 +Subject: radix tree: remove unused variable + +From: Arnd Bergmann + +commit d59070d1076ec5114edb67c87658aeb1d691d381 upstream. + +Recent versions of clang warn about an unused variable, though older +versions saw the 'slot++' as a use and did not warn: + +radix-tree.c:1136:50: error: parameter 'slot' set but not used [-Werror,-Wunused-but-set-parameter] + +It's clearly not needed any more, so just remove it. + +Link: https://lkml.kernel.org/r/20230811131023.2226509-1-arnd@kernel.org +Fixes: 3a08cd52c37c7 ("radix tree: Remove multiorder support") +Signed-off-by: Arnd Bergmann +Cc: Matthew Wilcox +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Peng Zhang +Cc: Rong Tao +Cc: Tom Rix +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/radix-tree.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/lib/radix-tree.c ++++ b/lib/radix-tree.c +@@ -1134,7 +1134,6 @@ static void set_iter_tags(struct radix_t + void __rcu **radix_tree_iter_resume(void __rcu **slot, + struct radix_tree_iter *iter) + { +- slot++; + iter->index = __radix_tree_iter_add(iter, 1); + iter->next_index = iter->index; + iter->tags = 0; diff --git a/queue-6.1/riscv-fix-build-errors-using-binutils2.37-toolchains.patch b/queue-6.1/riscv-fix-build-errors-using-binutils2.37-toolchains.patch new file mode 100644 index 00000000000..27c6328704a --- /dev/null +++ b/queue-6.1/riscv-fix-build-errors-using-binutils2.37-toolchains.patch @@ -0,0 +1,61 @@ +From ef21fa7c198e04f3d3053b1c5b5f2b4b225c3350 Mon Sep 17 00:00:00 2001 +From: Mingzheng Xing +Date: Fri, 25 Aug 2023 03:08:52 +0800 +Subject: riscv: Fix build errors using binutils2.37 toolchains + +From: Mingzheng Xing + +commit ef21fa7c198e04f3d3053b1c5b5f2b4b225c3350 upstream. + +When building the kernel with binutils 2.37 and GCC-11.1.0/GCC-11.2.0, +the following error occurs: + + Assembler messages: + Error: cannot find default versions of the ISA extension `zicsr' + Error: cannot find default versions of the ISA extension `zifencei' + +The above error originated from this commit of binutils[0], which has been +resolved and backported by GCC-12.1.0[1] and GCC-11.3.0[2]. + +So fix this by change the GCC version in +CONFIG_TOOLCHAIN_NEEDS_OLD_ISA_SPEC to GCC-11.3.0. + +Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=f0bae2552db1dd4f1995608fbf6648fcee4e9e0c [0] +Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ca2bbb88f999f4d3cc40e89bc1aba712505dd598 [1] +Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d29f5d6ab513c52fd872f532c492e35ae9fd6671 [2] +Fixes: ca09f772ccca ("riscv: Handle zicsr/zifencei issue between gcc and binutils") +Reported-by: Conor Dooley +Cc: +Signed-off-by: Mingzheng Xing +Link: https://lore.kernel.org/r/20230824190852.45470-1-xingmingzheng@iscas.ac.cn +Closes: https://lore.kernel.org/all/20230823-captive-abdomen-befd942a4a73@wendy/ +Reviewed-by: Conor Dooley +Tested-by: Conor Dooley +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Kconfig | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -457,15 +457,15 @@ config TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZI + and Zifencei are supported in binutils from version 2.36 onwards. + To make life easier, and avoid forcing toolchains that default to a + newer ISA spec to version 2.2, relax the check to binutils >= 2.36. +- For clang < 17 or GCC < 11.1.0, for which this is not possible, this is +- dealt with in CONFIG_TOOLCHAIN_NEEDS_OLD_ISA_SPEC. ++ For clang < 17 or GCC < 11.3.0, for which this is not possible or need ++ special treatment, this is dealt with in TOOLCHAIN_NEEDS_OLD_ISA_SPEC. + + config TOOLCHAIN_NEEDS_OLD_ISA_SPEC + def_bool y + depends on TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI + # https://github.com/llvm/llvm-project/commit/22e199e6afb1263c943c0c0d4498694e15bf8a16 +- # https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=b03be74bad08c382da47e048007a78fa3fb4ef49 +- depends on (CC_IS_CLANG && CLANG_VERSION < 170000) || (CC_IS_GCC && GCC_VERSION < 110100) ++ # https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d29f5d6ab513c52fd872f532c492e35ae9fd6671 ++ depends on (CC_IS_CLANG && CLANG_VERSION < 170000) || (CC_IS_GCC && GCC_VERSION < 110300) + help + Certain versions of clang and GCC do not support zicsr and zifencei via + -march. This option causes an older ISA spec compatible with these older diff --git a/queue-6.1/riscv-handle-zicsr-zifencei-issue-between-gcc-and-binutils.patch b/queue-6.1/riscv-handle-zicsr-zifencei-issue-between-gcc-and-binutils.patch new file mode 100644 index 00000000000..03620de4faa --- /dev/null +++ b/queue-6.1/riscv-handle-zicsr-zifencei-issue-between-gcc-and-binutils.patch @@ -0,0 +1,111 @@ +From ca09f772cccaeec4cd05a21528c37a260aa2dd2c Mon Sep 17 00:00:00 2001 +From: Mingzheng Xing +Date: Thu, 10 Aug 2023 00:56:48 +0800 +Subject: riscv: Handle zicsr/zifencei issue between gcc and binutils + +From: Mingzheng Xing + +commit ca09f772cccaeec4cd05a21528c37a260aa2dd2c upstream. + +Binutils-2.38 and GCC-12.1.0 bumped[0][1] the default ISA spec to the newer +20191213 version which moves some instructions from the I extension to the +Zicsr and Zifencei extensions. So if one of the binutils and GCC exceeds +that version, we should explicitly specifying Zicsr and Zifencei via -march +to cope with the new changes. but this only occurs when binutils >= 2.36 +and GCC >= 11.1.0. It's a different story when binutils < 2.36. + +binutils-2.36 supports the Zifencei extension[2] and splits Zifencei and +Zicsr from I[3]. GCC-11.1.0 is particular[4] because it add support Zicsr +and Zifencei extension for -march. binutils-2.35 does not support the +Zifencei extension, and does not need to specify Zicsr and Zifencei when +working with GCC >= 12.1.0. + +To make our lives easier, let's relax the check to binutils >= 2.36 in +CONFIG_TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI. For the other two cases, +where clang < 17 or GCC < 11.1.0, we will deal with them in +CONFIG_TOOLCHAIN_NEEDS_OLD_ISA_SPEC. + +For more information, please refer to: +commit 6df2a016c0c8 ("riscv: fix build with binutils 2.38") +commit e89c2e815e76 ("riscv: Handle zicsr/zifencei issues between clang and binutils") + +Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=aed44286efa8ae8717a77d94b51ac3614e2ca6dc [0] +Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=98416dbb0a62579d4a7a4a76bab51b5b52fec2cd [1] +Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=5a1b31e1e1cee6e9f1c92abff59cdcfff0dddf30 [2] +Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=729a53530e86972d1143553a415db34e6e01d5d2 [3] +Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=b03be74bad08c382da47e048007a78fa3fb4ef49 [4] +Link: https://lore.kernel.org/all/20230308220842.1231003-1-conor@kernel.org +Link: https://lore.kernel.org/all/20230223220546.52879-1-conor@kernel.org +Reviewed-by: Conor Dooley +Acked-by: Guo Ren +Cc: +Signed-off-by: Mingzheng Xing +Link: https://lore.kernel.org/r/20230809165648.21071-1-xingmingzheng@iscas.ac.cn +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Kconfig | 28 +++++++++++++++++----------- + arch/riscv/kernel/compat_vdso/Makefile | 8 +++++++- + 2 files changed, 24 insertions(+), 12 deletions(-) + +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -447,24 +447,30 @@ config TOOLCHAIN_HAS_ZIHINTPAUSE + config TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI + def_bool y + # https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=aed44286efa8ae8717a77d94b51ac3614e2ca6dc +- depends on AS_IS_GNU && AS_VERSION >= 23800 ++ # https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=98416dbb0a62579d4a7a4a76bab51b5b52fec2cd ++ depends on AS_IS_GNU && AS_VERSION >= 23600 + help +- Newer binutils versions default to ISA spec version 20191213 which +- moves some instructions from the I extension to the Zicsr and Zifencei +- extensions. ++ Binutils-2.38 and GCC-12.1.0 bumped the default ISA spec to the newer ++ 20191213 version, which moves some instructions from the I extension to ++ the Zicsr and Zifencei extensions. This requires explicitly specifying ++ Zicsr and Zifencei when binutils >= 2.38 or GCC >= 12.1.0. Zicsr ++ and Zifencei are supported in binutils from version 2.36 onwards. ++ To make life easier, and avoid forcing toolchains that default to a ++ newer ISA spec to version 2.2, relax the check to binutils >= 2.36. ++ For clang < 17 or GCC < 11.1.0, for which this is not possible, this is ++ dealt with in CONFIG_TOOLCHAIN_NEEDS_OLD_ISA_SPEC. + + config TOOLCHAIN_NEEDS_OLD_ISA_SPEC + def_bool y + depends on TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI + # https://github.com/llvm/llvm-project/commit/22e199e6afb1263c943c0c0d4498694e15bf8a16 +- depends on CC_IS_CLANG && CLANG_VERSION < 170000 ++ # https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=b03be74bad08c382da47e048007a78fa3fb4ef49 ++ depends on (CC_IS_CLANG && CLANG_VERSION < 170000) || (CC_IS_GCC && GCC_VERSION < 110100) + help +- Certain versions of clang do not support zicsr and zifencei via -march +- but newer versions of binutils require it for the reasons noted in the +- help text of CONFIG_TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI. This +- option causes an older ISA spec compatible with these older versions +- of clang to be passed to GAS, which has the same result as passing zicsr +- and zifencei to -march. ++ Certain versions of clang and GCC do not support zicsr and zifencei via ++ -march. This option causes an older ISA spec compatible with these older ++ versions of clang and GCC to be passed to GAS, which has the same result ++ as passing zicsr and zifencei to -march. + + config FPU + bool "FPU support" +--- a/arch/riscv/kernel/compat_vdso/Makefile ++++ b/arch/riscv/kernel/compat_vdso/Makefile +@@ -11,7 +11,13 @@ compat_vdso-syms += flush_icache + COMPAT_CC := $(CC) + COMPAT_LD := $(LD) + +-COMPAT_CC_FLAGS := -march=rv32g -mabi=ilp32 ++# binutils 2.35 does not support the zifencei extension, but in the ISA ++# spec 20191213, G stands for IMAFD_ZICSR_ZIFENCEI. ++ifdef CONFIG_TOOLCHAIN_NEEDS_EXPLICIT_ZICSR_ZIFENCEI ++ COMPAT_CC_FLAGS := -march=rv32g -mabi=ilp32 ++else ++ COMPAT_CC_FLAGS := -march=rv32imafd -mabi=ilp32 ++endif + COMPAT_LD_FLAGS := -melf32lriscv + + # Disable attributes, as they're useless and break the build. diff --git a/queue-6.1/selinux-set-next-pointer-before-attaching-to-list.patch b/queue-6.1/selinux-set-next-pointer-before-attaching-to-list.patch new file mode 100644 index 00000000000..31fe133ba1a --- /dev/null +++ b/queue-6.1/selinux-set-next-pointer-before-attaching-to-list.patch @@ -0,0 +1,43 @@ +From 70d91dc9b2ac91327d0eefd86163abc3548effa6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 18 Aug 2023 17:33:58 +0200 +Subject: selinux: set next pointer before attaching to list +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian Göttsche + +commit 70d91dc9b2ac91327d0eefd86163abc3548effa6 upstream. + +Set the next pointer in filename_trans_read_helper() before attaching +the new node under construction to the list, otherwise garbage would be +dereferenced on subsequent failure during cleanup in the out goto label. + +Cc: +Fixes: 430059024389 ("selinux: implement new format of filename transitions") +Signed-off-by: Christian Göttsche +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/ss/policydb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/ss/policydb.c ++++ b/security/selinux/ss/policydb.c +@@ -2005,6 +2005,7 @@ static int filename_trans_read_helper(st + if (!datum) + goto out; + ++ datum->next = NULL; + *dst = datum; + + /* ebitmap_read() will at least init the bitmap */ +@@ -2017,7 +2018,6 @@ static int filename_trans_read_helper(st + goto out; + + datum->otype = le32_to_cpu(buf[0]); +- datum->next = NULL; + + dst = &datum->next; + } diff --git a/queue-6.1/series b/queue-6.1/series index b1224c2048f..e7c3c379845 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -71,3 +71,24 @@ nfsv4-fix-dropped-lock-for-racing-open-and-delegation-return.patch clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch mm-ima-kexec-of-use-memblock_free_late-from-ima_free_kexec_buffer.patch shmem-fix-smaps-bug-sleeping-while-atomic.patch +alsa-ymfpci-fix-the-missing-snd_card_free-call-at-probe-error.patch +mm-gup-handle-cont-pte-hugetlb-pages-correctly-in-gup_must_unshare-via-gup-fast.patch +mm-add-a-call-to-flush_cache_vmap-in-vmap_pfn.patch +mm-memory-failure-fix-unexpected-return-value-in-soft_offline_page.patch +nfs-fix-a-use-after-free-in-nfs_direct_join_group.patch +nfsd-fix-race-to-free_stateid-and-cl_revoked.patch +selinux-set-next-pointer-before-attaching-to-list.patch +batman-adv-trigger-events-for-auto-adjusted-mtu.patch +batman-adv-don-t-increase-mtu-when-set-by-user.patch +batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch +batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch +batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch +batman-adv-hold-rtnl-lock-during-mtu-update-via-netlink.patch +lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch +riscv-handle-zicsr-zifencei-issue-between-gcc-and-binutils.patch +riscv-fix-build-errors-using-binutils2.37-toolchains.patch +radix-tree-remove-unused-variable.patch +of-unittest-fix-expect-for-parse_phandle_with_args_map-test.patch +of-dynamic-refactor-action-prints-to-not-use-pof-inside-devtree_lock.patch +pinctrl-amd-mask-wake-bits-on-probe-again.patch +media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch