From: Sasha Levin Date: Thu, 9 May 2024 17:27:47 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.19.314~105 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=76275a829408d1cebe4faf3ad9b3258a37e4fb30;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/9p-explicitly-deny-setlease-attempts.patch b/queue-5.15/9p-explicitly-deny-setlease-attempts.patch new file mode 100644 index 00000000000..213d9a034d6 --- /dev/null +++ b/queue-5.15/9p-explicitly-deny-setlease-attempts.patch @@ -0,0 +1,42 @@ +From 02b305e51d9dce1d859792120f15d58dd26bb02a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 12:34:45 -0400 +Subject: 9p: explicitly deny setlease attempts + +From: Jeff Layton + +[ Upstream commit 7a84602297d36617dbdadeba55a2567031e5165b ] + +9p is a remote network protocol, and it doesn't support asynchronous +notifications from the server. Ensure that we don't hand out any leases +since we can't guarantee they'll be broken when a file's contents +change. + +Signed-off-by: Jeff Layton +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c +index 7437b185fa8eb..0c84d414660ca 100644 +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -660,6 +660,7 @@ const struct file_operations v9fs_file_operations = { + .splice_read = generic_file_splice_read, + .splice_write = iter_file_splice_write, + .fsync = v9fs_file_fsync, ++ .setlease = simple_nosetlease, + }; + + const struct file_operations v9fs_file_operations_dotl = { +@@ -701,4 +702,5 @@ const struct file_operations v9fs_mmap_file_operations_dotl = { + .splice_read = generic_file_splice_read, + .splice_write = iter_file_splice_write, + .fsync = v9fs_file_fsync_dotl, ++ .setlease = simple_nosetlease, + }; +-- +2.43.0 + diff --git a/queue-5.15/alsa-line6-zero-initialize-message-buffers.patch b/queue-5.15/alsa-line6-zero-initialize-message-buffers.patch new file mode 100644 index 00000000000..d58154cc5c8 --- /dev/null +++ b/queue-5.15/alsa-line6-zero-initialize-message-buffers.patch @@ -0,0 +1,57 @@ +From 04ee94cbc9aee6cf40b15af86516f2af64ca18ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 08:36:25 +0200 +Subject: ALSA: line6: Zero-initialize message buffers + +From: Takashi Iwai + +[ Upstream commit c4e51e424e2c772ce1836912a8b0b87cd61bc9d5 ] + +For shutting up spurious KMSAN uninit-value warnings, just replace +kmalloc() calls with kzalloc() for the buffers used for +communications. There should be no real issue with the original code, +but it's still better to cover. + +Reported-by: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/00000000000084b18706150bcca5@google.com +Message-ID: <20240402063628.26609-1-tiwai@suse.de> +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/line6/driver.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c +index b67617b68e509..f4437015d43a7 100644 +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -202,7 +202,7 @@ int line6_send_raw_message_async(struct usb_line6 *line6, const char *buffer, + struct urb *urb; + + /* create message: */ +- msg = kmalloc(sizeof(struct message), GFP_ATOMIC); ++ msg = kzalloc(sizeof(struct message), GFP_ATOMIC); + if (msg == NULL) + return -ENOMEM; + +@@ -688,7 +688,7 @@ static int line6_init_cap_control(struct usb_line6 *line6) + int ret; + + /* initialize USB buffers: */ +- line6->buffer_listen = kmalloc(LINE6_BUFSIZE_LISTEN, GFP_KERNEL); ++ line6->buffer_listen = kzalloc(LINE6_BUFSIZE_LISTEN, GFP_KERNEL); + if (!line6->buffer_listen) + return -ENOMEM; + +@@ -697,7 +697,7 @@ static int line6_init_cap_control(struct usb_line6 *line6) + return -ENOMEM; + + if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) { +- line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); ++ line6->buffer_message = kzalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); + if (!line6->buffer_message) + return -ENOMEM; + +-- +2.43.0 + diff --git a/queue-5.15/asoc-meson-axg-card-fix-nonatomic-links.patch b/queue-5.15/asoc-meson-axg-card-fix-nonatomic-links.patch new file mode 100644 index 00000000000..94b4302ee4a --- /dev/null +++ b/queue-5.15/asoc-meson-axg-card-fix-nonatomic-links.patch @@ -0,0 +1,57 @@ +From 196e54ec5e43481fa366a62d764e0b6e27e899e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 17:57:25 +0200 +Subject: ASoC: meson: axg-card: Fix nonatomic links + +From: Neil Armstrong + +[ Upstream commit 0c9b152c72e53016e96593bdbb8cffe2176694b9 ] + +This commit e138233e56e9829e65b6293887063a1a3ccb2d68 causes the +following system crash when using audio on G12A/G12B & SM1 systems: + + BUG: sleeping function called from invalid context at kernel/locking/mutex.c:282 + in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0 + preempt_count: 10001, expected: 0 + RCU nest depth: 0, expected: 0 + Preemption disabled at: + schedule_preempt_disabled+0x20/0x2c + + mutex_lock+0x24/0x60 + _snd_pcm_stream_lock_irqsave+0x20/0x3c + snd_pcm_period_elapsed+0x24/0xa4 + axg_fifo_pcm_irq_block+0x64/0xdc + __handle_irq_event_percpu+0x104/0x264 + handle_irq_event+0x48/0xb4 + ... + start_kernel+0x3f0/0x484 + __primary_switched+0xc0/0xc8 + +Revert this commit until the crash is fixed. + +Fixes: e138233e56e9829e65b6 ("ASoC: meson: axg-card: make links nonatomic") +Reported-by: Dmitry Shmidt +Signed-off-by: Neil Armstrong +Acked-by: Jerome Brunet +Link: https://lore.kernel.org/r/20220421155725.2589089-2-narmstrong@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/axg-card.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sound/soc/meson/axg-card.c b/sound/soc/meson/axg-card.c +index cbbaa55d92a66..2b77010c2c5ce 100644 +--- a/sound/soc/meson/axg-card.c ++++ b/sound/soc/meson/axg-card.c +@@ -320,7 +320,6 @@ static int axg_card_add_link(struct snd_soc_card *card, struct device_node *np, + + dai_link->cpus = cpu; + dai_link->num_cpus = 1; +- dai_link->nonatomic = true; + + ret = meson_card_parse_dai(card, np, &dai_link->cpus->of_node, + &dai_link->cpus->dai_name); +-- +2.43.0 + diff --git a/queue-5.15/asoc-meson-axg-tdm-interface-fix-formatters-in-trigg.patch b/queue-5.15/asoc-meson-axg-tdm-interface-fix-formatters-in-trigg.patch new file mode 100644 index 00000000000..30984a1f059 --- /dev/null +++ b/queue-5.15/asoc-meson-axg-tdm-interface-fix-formatters-in-trigg.patch @@ -0,0 +1,76 @@ +From eb2cd42efa1a3c0c8cab97605f0b7afadb47d14c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 17:57:24 +0200 +Subject: ASoC: meson: axg-tdm-interface: Fix formatters in trigger" + +From: Neil Armstrong + +[ Upstream commit c26830b6c5c534d273ce007eb33d5a2d2ad4e969 ] + +This reverts commit bf5e4887eeddb48480568466536aa08ec7f179a5 because +the following and required commit e138233e56e9829e65b6293887063a1a3ccb2d68 +causes the following system crash when using audio: + BUG: sleeping function called from invalid context at kernel/locking/mutex.c:282 + +Fixes: bf5e4887eeddb4848056846 ("ASoC: meson: axg-tdm-interface: manage formatters in trigger") +Reported-by: Dmitry Shmidt +Signed-off-by: Neil Armstrong +Acked-by: Jerome Brunet +Link: https://lore.kernel.org/r/20220421155725.2589089-1-narmstrong@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/meson/axg-tdm-interface.c | 26 +++++--------------------- + 1 file changed, 5 insertions(+), 21 deletions(-) + +diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c +index f5145902360de..60d132ab1ab78 100644 +--- a/sound/soc/meson/axg-tdm-interface.c ++++ b/sound/soc/meson/axg-tdm-interface.c +@@ -362,29 +362,13 @@ static int axg_tdm_iface_hw_free(struct snd_pcm_substream *substream, + return 0; + } + +-static int axg_tdm_iface_trigger(struct snd_pcm_substream *substream, +- int cmd, ++static int axg_tdm_iface_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { +- struct axg_tdm_stream *ts = +- snd_soc_dai_get_dma_data(dai, substream); +- +- switch (cmd) { +- case SNDRV_PCM_TRIGGER_START: +- case SNDRV_PCM_TRIGGER_RESUME: +- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: +- axg_tdm_stream_start(ts); +- break; +- case SNDRV_PCM_TRIGGER_SUSPEND: +- case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +- case SNDRV_PCM_TRIGGER_STOP: +- axg_tdm_stream_stop(ts); +- break; +- default: +- return -EINVAL; +- } ++ struct axg_tdm_stream *ts = snd_soc_dai_get_dma_data(dai, substream); + +- return 0; ++ /* Force all attached formatters to update */ ++ return axg_tdm_stream_reset(ts); + } + + static int axg_tdm_iface_remove_dai(struct snd_soc_dai *dai) +@@ -424,8 +408,8 @@ static const struct snd_soc_dai_ops axg_tdm_iface_ops = { + .set_fmt = axg_tdm_iface_set_fmt, + .startup = axg_tdm_iface_startup, + .hw_params = axg_tdm_iface_hw_params, ++ .prepare = axg_tdm_iface_prepare, + .hw_free = axg_tdm_iface_hw_free, +- .trigger = axg_tdm_iface_trigger, + }; + + /* TDM Backend DAIs */ +-- +2.43.0 + diff --git a/queue-5.15/ata-sata_gemini-check-clk_enable-result.patch b/queue-5.15/ata-sata_gemini-check-clk_enable-result.patch new file mode 100644 index 00000000000..de233e22de6 --- /dev/null +++ b/queue-5.15/ata-sata_gemini-check-clk_enable-result.patch @@ -0,0 +1,38 @@ +From 1c170092d7ebd16878749dd6e3ccae8ed24b3c86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 04:33:49 +0000 +Subject: ata: sata_gemini: Check clk_enable() result + +From: Chen Ni + +[ Upstream commit e85006ae7430aef780cc4f0849692e266a102ec0 ] + +The call to clk_enable() in gemini_sata_start_bridge() can fail. +Add a check to detect such failure. + +Signed-off-by: Chen Ni +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_gemini.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/sata_gemini.c b/drivers/ata/sata_gemini.c +index 6fd54e968d10a..1564472fd5d50 100644 +--- a/drivers/ata/sata_gemini.c ++++ b/drivers/ata/sata_gemini.c +@@ -201,7 +201,10 @@ int gemini_sata_start_bridge(struct sata_gemini *sg, unsigned int bridge) + pclk = sg->sata0_pclk; + else + pclk = sg->sata1_pclk; +- clk_enable(pclk); ++ ret = clk_enable(pclk); ++ if (ret) ++ return ret; ++ + msleep(10); + + /* Do not keep clocking a bridge that is not online */ +-- +2.43.0 + diff --git a/queue-5.15/blk-iocost-avoid-out-of-bounds-shift.patch b/queue-5.15/blk-iocost-avoid-out-of-bounds-shift.patch new file mode 100644 index 00000000000..5dac5e4de14 --- /dev/null +++ b/queue-5.15/blk-iocost-avoid-out-of-bounds-shift.patch @@ -0,0 +1,74 @@ +From 7167f96cd25263c24a1d3ae8d5b3f53423e3a5ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 12:32:53 -0400 +Subject: blk-iocost: avoid out of bounds shift + +From: Rik van Riel + +[ Upstream commit beaa51b36012fad5a4d3c18b88a617aea7a9b96d ] + +UBSAN catches undefined behavior in blk-iocost, where sometimes +iocg->delay is shifted right by a number that is too large, +resulting in undefined behavior on some architectures. + +[ 186.556576] ------------[ cut here ]------------ +UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 +shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') +CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 +Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020 +Call Trace: + + dump_stack_lvl+0x8f/0xe0 + __ubsan_handle_shift_out_of_bounds+0x22c/0x280 + iocg_kick_delay+0x30b/0x310 + ioc_timer_fn+0x2fb/0x1f80 + __run_timer_base+0x1b6/0x250 +... + +Avoid that undefined behavior by simply taking the +"delay = 0" branch if the shift is too large. + +I am not sure what the symptoms of an undefined value +delay will be, but I suspect it could be more than a +little annoying to debug. + +Signed-off-by: Rik van Riel +Cc: Tejun Heo +Cc: Josef Bacik +Cc: Jens Axboe +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20240404123253.0f58010f@imladris.surriel.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-iocost.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index 645a589edda82..bfdb7b0cf49de 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -1336,7 +1336,7 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) + { + struct ioc *ioc = iocg->ioc; + struct blkcg_gq *blkg = iocg_to_blkg(iocg); +- u64 tdelta, delay, new_delay; ++ u64 tdelta, delay, new_delay, shift; + s64 vover, vover_pct; + u32 hwa; + +@@ -1351,8 +1351,9 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) + + /* calculate the current delay in effect - 1/2 every second */ + tdelta = now->now - iocg->delay_at; +- if (iocg->delay) +- delay = iocg->delay >> div64_u64(tdelta, USEC_PER_SEC); ++ shift = div64_u64(tdelta, USEC_PER_SEC); ++ if (iocg->delay && shift < BITS_PER_LONG) ++ delay = iocg->delay >> shift; + else + delay = 0; + +-- +2.43.0 + diff --git a/queue-5.15/bpf-sockmap-convert-schedule_work-into-delayed_work.patch b/queue-5.15/bpf-sockmap-convert-schedule_work-into-delayed_work.patch new file mode 100644 index 00000000000..766da677439 --- /dev/null +++ b/queue-5.15/bpf-sockmap-convert-schedule_work-into-delayed_work.patch @@ -0,0 +1,191 @@ +From d2aeeca726ebb44363ea0fe4f7b97d253e8198d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 19:56:06 -0700 +Subject: bpf, sockmap: Convert schedule_work into delayed_work + +From: John Fastabend + +[ Upstream commit 29173d07f79883ac94f5570294f98af3d4287382 ] + +Sk_buffs are fed into sockmap verdict programs either from a strparser +(when the user might want to decide how framing of skb is done by attaching +another parser program) or directly through tcp_read_sock. The +tcp_read_sock is the preferred method for performance when the BPF logic is +a stream parser. + +The flow for Cilium's common use case with a stream parser is, + + tcp_read_sock() + sk_psock_verdict_recv + ret = bpf_prog_run_pin_on_cpu() + sk_psock_verdict_apply(sock, skb, ret) + // if system is under memory pressure or app is slow we may + // need to queue skb. Do this queuing through ingress_skb and + // then kick timer to wake up handler + skb_queue_tail(ingress_skb, skb) + schedule_work(work); + +The work queue is wired up to sk_psock_backlog(). This will then walk the +ingress_skb skb list that holds our sk_buffs that could not be handled, +but should be OK to run at some later point. However, its possible that +the workqueue doing this work still hits an error when sending the skb. +When this happens the skbuff is requeued on a temporary 'state' struct +kept with the workqueue. This is necessary because its possible to +partially send an skbuff before hitting an error and we need to know how +and where to restart when the workqueue runs next. + +Now for the trouble, we don't rekick the workqueue. This can cause a +stall where the skbuff we just cached on the state variable might never +be sent. This happens when its the last packet in a flow and no further +packets come along that would cause the system to kick the workqueue from +that side. + +To fix we could do simple schedule_work(), but while under memory pressure +it makes sense to back off some instead of continue to retry repeatedly. So +instead to fix convert schedule_work to schedule_delayed_work and add +backoff logic to reschedule from backlog queue on errors. Its not obvious +though what a good backoff is so use '1'. + +To test we observed some flakes whil running NGINX compliance test with +sockmap we attributed these failed test to this bug and subsequent issue. + +>From on list discussion. This commit + + bec217197b41("skmsg: Schedule psock work if the cached skb exists on the psock") + +was intended to address similar race, but had a couple cases it missed. +Most obvious it only accounted for receiving traffic on the local socket +so if redirecting into another socket we could still get an sk_buff stuck +here. Next it missed the case where copied=0 in the recv() handler and +then we wouldn't kick the scheduler. Also its sub-optimal to require +userspace to kick the internal mechanisms of sockmap to wake it up and +copy data to user. It results in an extra syscall and requires the app +to actual handle the EAGAIN correctly. + +Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Tested-by: William Findlay +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230523025618.113937-3-john.fastabend@gmail.com +Stable-dep-of: 405df89dd52c ("bpf, sockmap: Improved check for empty queue") +Signed-off-by: Sasha Levin +--- + include/linux/skmsg.h | 2 +- + net/core/skmsg.c | 21 ++++++++++++++------- + net/core/sock_map.c | 3 ++- + 3 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h +index f18eb6a6f7631..07a8e7c695373 100644 +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -107,7 +107,7 @@ struct sk_psock { + struct proto *sk_proto; + struct mutex work_mutex; + struct sk_psock_work_state work_state; +- struct work_struct work; ++ struct delayed_work work; + struct rcu_work rwork; + }; + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 6bdb15b05a78d..e9fddceba390e 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -482,7 +482,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg, + } + out: + if (psock->work_state.skb && copied > 0) +- schedule_work(&psock->work); ++ schedule_delayed_work(&psock->work, 0); + return copied; + } + EXPORT_SYMBOL_GPL(sk_msg_recvmsg); +@@ -633,7 +633,8 @@ static void sk_psock_skb_state(struct sk_psock *psock, + + static void sk_psock_backlog(struct work_struct *work) + { +- struct sk_psock *psock = container_of(work, struct sk_psock, work); ++ struct delayed_work *dwork = to_delayed_work(work); ++ struct sk_psock *psock = container_of(dwork, struct sk_psock, work); + struct sk_psock_work_state *state = &psock->work_state; + struct sk_buff *skb = NULL; + bool ingress; +@@ -673,6 +674,12 @@ static void sk_psock_backlog(struct work_struct *work) + if (ret == -EAGAIN) { + sk_psock_skb_state(psock, state, skb, + len, off); ++ ++ /* Delay slightly to prioritize any ++ * other work that might be here. ++ */ ++ if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) ++ schedule_delayed_work(&psock->work, 1); + goto end; + } + /* Hard errors break pipe and stop xmit. */ +@@ -727,7 +734,7 @@ struct sk_psock *sk_psock_init(struct sock *sk, int node) + INIT_LIST_HEAD(&psock->link); + spin_lock_init(&psock->link_lock); + +- INIT_WORK(&psock->work, sk_psock_backlog); ++ INIT_DELAYED_WORK(&psock->work, sk_psock_backlog); + mutex_init(&psock->work_mutex); + INIT_LIST_HEAD(&psock->ingress_msg); + spin_lock_init(&psock->ingress_lock); +@@ -816,7 +823,7 @@ static void sk_psock_destroy(struct work_struct *work) + + sk_psock_done_strp(psock); + +- cancel_work_sync(&psock->work); ++ cancel_delayed_work_sync(&psock->work); + mutex_destroy(&psock->work_mutex); + + psock_progs_drop(&psock->progs); +@@ -931,7 +938,7 @@ static int sk_psock_skb_redirect(struct sk_psock *from, struct sk_buff *skb) + } + + skb_queue_tail(&psock_other->ingress_skb, skb); +- schedule_work(&psock_other->work); ++ schedule_delayed_work(&psock_other->work, 0); + spin_unlock_bh(&psock_other->ingress_lock); + return 0; + } +@@ -1011,7 +1018,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb, + spin_lock_bh(&psock->ingress_lock); + if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) { + skb_queue_tail(&psock->ingress_skb, skb); +- schedule_work(&psock->work); ++ schedule_delayed_work(&psock->work, 0); + err = 0; + } + spin_unlock_bh(&psock->ingress_lock); +@@ -1042,7 +1049,7 @@ static void sk_psock_write_space(struct sock *sk) + psock = sk_psock(sk); + if (likely(psock)) { + if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) +- schedule_work(&psock->work); ++ schedule_delayed_work(&psock->work, 0); + write_space = psock->saved_write_space; + } + rcu_read_unlock(); +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 4e42bc679bac9..2ded250ac0d2b 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -1577,9 +1577,10 @@ void sock_map_close(struct sock *sk, long timeout) + rcu_read_unlock(); + sk_psock_stop(psock); + release_sock(sk); +- cancel_work_sync(&psock->work); ++ cancel_delayed_work_sync(&psock->work); + sk_psock_put(sk, psock); + } ++ + /* Make sure we do not recurse. This is a bug. + * Leak the socket instead of crashing on a stack overflow. + */ +-- +2.43.0 + diff --git a/queue-5.15/bpf-sockmap-handle-fin-correctly.patch b/queue-5.15/bpf-sockmap-handle-fin-correctly.patch new file mode 100644 index 00000000000..94500930995 --- /dev/null +++ b/queue-5.15/bpf-sockmap-handle-fin-correctly.patch @@ -0,0 +1,83 @@ +From 88273fb7af387cd8d6eae1e2db11385d47022a79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 19:56:09 -0700 +Subject: bpf, sockmap: Handle fin correctly + +From: John Fastabend + +[ Upstream commit 901546fd8f9ca4b5c481ce00928ab425ce9aacc0 ] + +The sockmap code is returning EAGAIN after a FIN packet is received and no +more data is on the receive queue. Correct behavior is to return 0 to the +user and the user can then close the socket. The EAGAIN causes many apps +to retry which masks the problem. Eventually the socket is evicted from +the sockmap because its released from sockmap sock free handling. The +issue creates a delay and can cause some errors on application side. + +To fix this check on sk_msg_recvmsg side if length is zero and FIN flag +is set then set return to zero. A selftest will be added to check this +condition. + +Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Tested-by: William Findlay +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230523025618.113937-6-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 89204004eeb5e..5fdef5ddfbbe6 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -174,6 +174,24 @@ static int tcp_msg_wait_data(struct sock *sk, struct sk_psock *psock, + return ret; + } + ++static bool is_next_msg_fin(struct sk_psock *psock) ++{ ++ struct scatterlist *sge; ++ struct sk_msg *msg_rx; ++ int i; ++ ++ msg_rx = sk_psock_peek_msg(psock); ++ i = msg_rx->sg.start; ++ sge = sk_msg_elem(msg_rx, i); ++ if (!sge->length) { ++ struct sk_buff *skb = msg_rx->skb; ++ ++ if (skb && TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) ++ return true; ++ } ++ return false; ++} ++ + static int tcp_bpf_recvmsg_parser(struct sock *sk, + struct msghdr *msg, + size_t len, +@@ -217,6 +235,19 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + + msg_bytes_ready: + copied = sk_msg_recvmsg(sk, psock, msg, len, flags); ++ /* The typical case for EFAULT is the socket was gracefully ++ * shutdown with a FIN pkt. So check here the other case is ++ * some error on copy_page_to_iter which would be unexpected. ++ * On fin return correct return code to zero. ++ */ ++ if (copied == -EFAULT) { ++ bool is_fin = is_next_msg_fin(psock); ++ ++ if (is_fin) { ++ copied = 0; ++ goto out; ++ } ++ } + if (!copied) { + long timeo; + int data; +-- +2.43.0 + diff --git a/queue-5.15/bpf-sockmap-improved-check-for-empty-queue.patch b/queue-5.15/bpf-sockmap-improved-check-for-empty-queue.patch new file mode 100644 index 00000000000..8c8b6c9967f --- /dev/null +++ b/queue-5.15/bpf-sockmap-improved-check-for-empty-queue.patch @@ -0,0 +1,178 @@ +From c56e0721e40d3ed1d91f65eaa09ac34722dc3386 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 19:56:08 -0700 +Subject: bpf, sockmap: Improved check for empty queue + +From: John Fastabend + +[ Upstream commit 405df89dd52cbcd69a3cd7d9a10d64de38f854b2 ] + +We noticed some rare sk_buffs were stepping past the queue when system was +under memory pressure. The general theory is to skip enqueueing +sk_buffs when its not necessary which is the normal case with a system +that is properly provisioned for the task, no memory pressure and enough +cpu assigned. + +But, if we can't allocate memory due to an ENOMEM error when enqueueing +the sk_buff into the sockmap receive queue we push it onto a delayed +workqueue to retry later. When a new sk_buff is received we then check +if that queue is empty. However, there is a problem with simply checking +the queue length. When a sk_buff is being processed from the ingress queue +but not yet on the sockmap msg receive queue its possible to also recv +a sk_buff through normal path. It will check the ingress queue which is +zero and then skip ahead of the pkt being processed. + +Previously we used sock lock from both contexts which made the problem +harder to hit, but not impossible. + +To fix instead of popping the skb from the queue entirely we peek the +skb from the queue and do the copy there. This ensures checks to the +queue length are non-zero while skb is being processed. Then finally +when the entire skb has been copied to user space queue or another +socket we pop it off the queue. This way the queue length check allows +bypassing the queue only after the list has been completely processed. + +To reproduce issue we run NGINX compliance test with sockmap running and +observe some flakes in our testing that we attributed to this issue. + +Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()") +Suggested-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Tested-by: William Findlay +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230523025618.113937-5-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/skmsg.h | 1 - + net/core/skmsg.c | 32 ++++++++------------------------ + 2 files changed, 8 insertions(+), 25 deletions(-) + +diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h +index 07a8e7c695373..422b391d931fe 100644 +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -73,7 +73,6 @@ struct sk_psock_link { + }; + + struct sk_psock_work_state { +- struct sk_buff *skb; + u32 len; + u32 off; + }; +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 51ab1e617d922..675fd86279d87 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -615,16 +615,12 @@ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb, + + static void sk_psock_skb_state(struct sk_psock *psock, + struct sk_psock_work_state *state, +- struct sk_buff *skb, + int len, int off) + { + spin_lock_bh(&psock->ingress_lock); + if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) { +- state->skb = skb; + state->len = len; + state->off = off; +- } else { +- sock_drop(psock->sk, skb); + } + spin_unlock_bh(&psock->ingress_lock); + } +@@ -635,23 +631,17 @@ static void sk_psock_backlog(struct work_struct *work) + struct sk_psock *psock = container_of(dwork, struct sk_psock, work); + struct sk_psock_work_state *state = &psock->work_state; + struct sk_buff *skb = NULL; ++ u32 len = 0, off = 0; + bool ingress; +- u32 len, off; + int ret; + + mutex_lock(&psock->work_mutex); +- if (unlikely(state->skb)) { +- spin_lock_bh(&psock->ingress_lock); +- skb = state->skb; ++ if (unlikely(state->len)) { + len = state->len; + off = state->off; +- state->skb = NULL; +- spin_unlock_bh(&psock->ingress_lock); + } +- if (skb) +- goto start; + +- while ((skb = skb_dequeue(&psock->ingress_skb))) { ++ while ((skb = skb_peek(&psock->ingress_skb))) { + len = skb->len; + off = 0; + if (skb_bpf_strparser(skb)) { +@@ -660,7 +650,6 @@ static void sk_psock_backlog(struct work_struct *work) + off = stm->offset; + len = stm->full_len; + } +-start: + ingress = skb_bpf_ingress(skb); + skb_bpf_redirect_clear(skb); + do { +@@ -670,8 +659,7 @@ static void sk_psock_backlog(struct work_struct *work) + len, ingress); + if (ret <= 0) { + if (ret == -EAGAIN) { +- sk_psock_skb_state(psock, state, skb, +- len, off); ++ sk_psock_skb_state(psock, state, len, off); + + /* Delay slightly to prioritize any + * other work that might be here. +@@ -683,15 +671,16 @@ static void sk_psock_backlog(struct work_struct *work) + /* Hard errors break pipe and stop xmit. */ + sk_psock_report_error(psock, ret ? -ret : EPIPE); + sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED); +- sock_drop(psock->sk, skb); + goto end; + } + off += ret; + len -= ret; + } while (len); + +- if (!ingress) ++ skb = skb_dequeue(&psock->ingress_skb); ++ if (!ingress) { + kfree_skb(skb); ++ } + } + end: + mutex_unlock(&psock->work_mutex); +@@ -784,11 +773,6 @@ static void __sk_psock_zap_ingress(struct sk_psock *psock) + skb_bpf_redirect_clear(skb); + sock_drop(psock->sk, skb); + } +- kfree_skb(psock->work_state.skb); +- /* We null the skb here to ensure that calls to sk_psock_backlog +- * do not pick up the free'd skb. +- */ +- psock->work_state.skb = NULL; + __sk_psock_purge_ingress_msg(psock); + } + +@@ -807,7 +791,6 @@ void sk_psock_stop(struct sk_psock *psock) + spin_lock_bh(&psock->ingress_lock); + sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED); + sk_psock_cork_free(psock); +- __sk_psock_zap_ingress(psock); + spin_unlock_bh(&psock->ingress_lock); + } + +@@ -822,6 +805,7 @@ static void sk_psock_destroy(struct work_struct *work) + sk_psock_done_strp(psock); + + cancel_delayed_work_sync(&psock->work); ++ __sk_psock_zap_ingress(psock); + mutex_destroy(&psock->work_mutex); + + psock_progs_drop(&psock->progs); +-- +2.43.0 + diff --git a/queue-5.15/bpf-sockmap-reschedule-is-now-done-through-backlog.patch b/queue-5.15/bpf-sockmap-reschedule-is-now-done-through-backlog.patch new file mode 100644 index 00000000000..1b43d020ce0 --- /dev/null +++ b/queue-5.15/bpf-sockmap-reschedule-is-now-done-through-backlog.patch @@ -0,0 +1,49 @@ +From 5acb00d1b2303b0c7ffe8ea15f15fc30e022ee07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 19:56:07 -0700 +Subject: bpf, sockmap: Reschedule is now done through backlog + +From: John Fastabend + +[ Upstream commit bce22552f92ea7c577f49839b8e8f7d29afaf880 ] + +Now that the backlog manages the reschedule() logic correctly we can drop +the partial fix to reschedule from recvmsg hook. + +Rescheduling on recvmsg hook was added to address a corner case where we +still had data in the backlog state but had nothing to kick it and +reschedule the backlog worker to run and finish copying data out of the +state. This had a couple limitations, first it required user space to +kick it introducing an unnecessary EBUSY and retry. Second it only +handled the ingress case and egress redirects would still be hung. + +With the correct fix, pushing the reschedule logic down to where the +enomem error occurs we can drop this fix. + +Fixes: bec217197b412 ("skmsg: Schedule psock work if the cached skb exists on the psock") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230523025618.113937-4-john.fastabend@gmail.com +Stable-dep-of: 405df89dd52c ("bpf, sockmap: Improved check for empty queue") +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index e9fddceba390e..51ab1e617d922 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -481,8 +481,6 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg, + msg_rx = sk_psock_peek_msg(psock); + } + out: +- if (psock->work_state.skb && copied > 0) +- schedule_delayed_work(&psock->work, 0); + return copied; + } + EXPORT_SYMBOL_GPL(sk_msg_recvmsg); +-- +2.43.0 + diff --git a/queue-5.15/bpf-sockmap-tcp-data-stall-on-recv-before-accept.patch b/queue-5.15/bpf-sockmap-tcp-data-stall-on-recv-before-accept.patch new file mode 100644 index 00000000000..f227f4a978c --- /dev/null +++ b/queue-5.15/bpf-sockmap-tcp-data-stall-on-recv-before-accept.patch @@ -0,0 +1,96 @@ +From 571b906d7d24a275334d64a47b43b62da302017a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 19:56:10 -0700 +Subject: bpf, sockmap: TCP data stall on recv before accept + +From: John Fastabend + +[ Upstream commit ea444185a6bf7da4dd0df1598ee953e4f7174858 ] + +A common mechanism to put a TCP socket into the sockmap is to hook the +BPF_SOCK_OPS_{ACTIVE_PASSIVE}_ESTABLISHED_CB event with a BPF program +that can map the socket info to the correct BPF verdict parser. When +the user adds the socket to the map the psock is created and the new +ops are assigned to ensure the verdict program will 'see' the sk_buffs +as they arrive. + +Part of this process hooks the sk_data_ready op with a BPF specific +handler to wake up the BPF verdict program when data is ready to read. +The logic is simple enough (posted here for easy reading) + + static void sk_psock_verdict_data_ready(struct sock *sk) + { + struct socket *sock = sk->sk_socket; + + if (unlikely(!sock || !sock->ops || !sock->ops->read_skb)) + return; + sock->ops->read_skb(sk, sk_psock_verdict_recv); + } + +The oversight here is sk->sk_socket is not assigned until the application +accepts() the new socket. However, its entirely ok for the peer application +to do a connect() followed immediately by sends. The socket on the receiver +is sitting on the backlog queue of the listening socket until its accepted +and the data is queued up. If the peer never accepts the socket or is slow +it will eventually hit data limits and rate limit the session. But, +important for BPF sockmap hooks when this data is received TCP stack does +the sk_data_ready() call but the read_skb() for this data is never called +because sk_socket is missing. The data sits on the sk_receive_queue. + +Then once the socket is accepted if we never receive more data from the +peer there will be no further sk_data_ready calls and all the data +is still on the sk_receive_queue(). Then user calls recvmsg after accept() +and for TCP sockets in sockmap we use the tcp_bpf_recvmsg_parser() handler. +The handler checks for data in the sk_msg ingress queue expecting that +the BPF program has already run from the sk_data_ready hook and enqueued +the data as needed. So we are stuck. + +To fix do an unlikely check in recvmsg handler for data on the +sk_receive_queue and if it exists wake up data_ready. We have the sock +locked in both read_skb and recvmsg so should avoid having multiple +runners. + +Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20230523025618.113937-7-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index e3a9477293ce4..89204004eeb5e 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -195,6 +195,26 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk, + return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); + + lock_sock(sk); ++ ++ /* We may have received data on the sk_receive_queue pre-accept and ++ * then we can not use read_skb in this context because we haven't ++ * assigned a sk_socket yet so have no link to the ops. The work-around ++ * is to check the sk_receive_queue and in these cases read skbs off ++ * queue again. The read_skb hook is not running at this point because ++ * of lock_sock so we avoid having multiple runners in read_skb. ++ */ ++ if (unlikely(!skb_queue_empty(&sk->sk_receive_queue))) { ++ tcp_data_ready(sk); ++ /* This handles the ENOMEM errors if we both receive data ++ * pre accept and are already under memory pressure. At least ++ * let user know to retry. ++ */ ++ if (unlikely(!skb_queue_empty(&sk->sk_receive_queue))) { ++ copied = -EAGAIN; ++ goto out; ++ } ++ } ++ + msg_bytes_ready: + copied = sk_msg_recvmsg(sk, psock, msg, len, flags); + if (!copied) { +-- +2.43.0 + diff --git a/queue-5.15/btrfs-always-clear-pertrans-metadata-during-commit.patch b/queue-5.15/btrfs-always-clear-pertrans-metadata-during-commit.patch new file mode 100644 index 00000000000..7e8dc28f954 --- /dev/null +++ b/queue-5.15/btrfs-always-clear-pertrans-metadata-during-commit.patch @@ -0,0 +1,44 @@ +From ea0f8a95e12dd2ae00d826daa0560f478e5ea854 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 12:01:28 -0700 +Subject: btrfs: always clear PERTRANS metadata during commit + +From: Boris Burkov + +[ Upstream commit 6e68de0bb0ed59e0554a0c15ede7308c47351e2d ] + +It is possible to clear a root's IN_TRANS tag from the radix tree, but +not clear its PERTRANS, if there is some error in between. Eliminate +that possibility by moving the free up to where we clear the tag. + +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/transaction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 99cdd1d6a4bf8..a9b794c47159f 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1424,6 +1424,7 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans) + radix_tree_tag_clear(&fs_info->fs_roots_radix, + (unsigned long)root->root_key.objectid, + BTRFS_ROOT_TRANS_TAG); ++ btrfs_qgroup_free_meta_all_pertrans(root); + spin_unlock(&fs_info->fs_roots_radix_lock); + + btrfs_free_log(trans, root); +@@ -1448,7 +1449,6 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans) + if (ret2) + return ret2; + spin_lock(&fs_info->fs_roots_radix_lock); +- btrfs_qgroup_free_meta_all_pertrans(root); + } + } + spin_unlock(&fs_info->fs_roots_radix_lock); +-- +2.43.0 + diff --git a/queue-5.15/btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch b/queue-5.15/btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch new file mode 100644 index 00000000000..6ab70db2387 --- /dev/null +++ b/queue-5.15/btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch @@ -0,0 +1,41 @@ +From 677110ddce868a2838f74490b66dbc41c9a3540f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 11:55:22 -0700 +Subject: btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve + +From: Boris Burkov + +[ Upstream commit 3c6f0c5ecc8910d4ffb0dfe85609ebc0c91c8f34 ] + +Currently, this call site in btrfs_clear_delalloc_extent() only converts +the reservation. We are marking it not delalloc, so I don't think it +makes sense to keep the rsv around. This is a path where we are not +sure to join a transaction, so it leads to incorrect free-ing during +umount. + +Helps with the pass rate of generic/269 and generic/475. + +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index c7d8a18daaf50..07c6ab4ba0d43 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -2261,7 +2261,7 @@ void btrfs_clear_delalloc_extent(struct inode *vfs_inode, + */ + if (*bits & EXTENT_CLEAR_META_RESV && + root != fs_info->tree_root) +- btrfs_delalloc_release_metadata(inode, len, false); ++ btrfs_delalloc_release_metadata(inode, len, true); + + /* For sanity tests. */ + if (btrfs_is_testing(fs_info)) +-- +2.43.0 + diff --git a/queue-5.15/btrfs-return-accurate-error-code-on-open-failure-in-.patch b/queue-5.15/btrfs-return-accurate-error-code-on-open-failure-in-.patch new file mode 100644 index 00000000000..6bcd1e0771e --- /dev/null +++ b/queue-5.15/btrfs-return-accurate-error-code-on-open-failure-in-.patch @@ -0,0 +1,76 @@ +From 98fc2b179cda94606c5d87624e5a9e87e1ec61ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 08:28:18 +0530 +Subject: btrfs: return accurate error code on open failure in + open_fs_devices() + +From: Anand Jain + +[ Upstream commit 2f1aeab9fca1a5f583be1add175d1ee95c213cfa ] + +When attempting to exclusive open a device which has no exclusive open +permission, such as a physical device associated with the flakey dm +device, the open operation will fail, resulting in a mount failure. + +In this particular scenario, we erroneously return -EINVAL instead of the +correct error code provided by the bdev_open_by_path() function, which is +-EBUSY. + +Fix this, by returning error code from the bdev_open_by_path() function. +With this correction, the mount error message will align with that of +ext4 and xfs. + +Reviewed-by: Boris Burkov +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 36e77956c63fa..2a0d44fd2dd98 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1260,25 +1260,32 @@ static int open_fs_devices(struct btrfs_fs_devices *fs_devices, + struct btrfs_device *device; + struct btrfs_device *latest_dev = NULL; + struct btrfs_device *tmp_device; ++ int ret = 0; + + flags |= FMODE_EXCL; + + list_for_each_entry_safe(device, tmp_device, &fs_devices->devices, + dev_list) { +- int ret; ++ int ret2; + +- ret = btrfs_open_one_device(fs_devices, device, flags, holder); +- if (ret == 0 && ++ ret2 = btrfs_open_one_device(fs_devices, device, flags, holder); ++ if (ret2 == 0 && + (!latest_dev || device->generation > latest_dev->generation)) { + latest_dev = device; +- } else if (ret == -ENODATA) { ++ } else if (ret2 == -ENODATA) { + fs_devices->num_devices--; + list_del(&device->dev_list); + btrfs_free_device(device); + } ++ if (ret == 0 && ret2 != 0) ++ ret = ret2; + } +- if (fs_devices->open_devices == 0) ++ ++ if (fs_devices->open_devices == 0) { ++ if (ret) ++ return ret; + return -EINVAL; ++ } + + fs_devices->opened = 1; + fs_devices->latest_dev = latest_dev; +-- +2.43.0 + diff --git a/queue-5.15/clk-don-t-hold-prepare_lock-when-calling-kref_put.patch b/queue-5.15/clk-don-t-hold-prepare_lock-when-calling-kref_put.patch new file mode 100644 index 00000000000..2eede0609c2 --- /dev/null +++ b/queue-5.15/clk-don-t-hold-prepare_lock-when-calling-kref_put.patch @@ -0,0 +1,71 @@ +From fc07c35011af35d74bfea585f330c35e8319dfe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 11:41:56 -0700 +Subject: clk: Don't hold prepare_lock when calling kref_put() + +From: Stephen Boyd + +[ Upstream commit 6f63af7511e7058f3fa4ad5b8102210741c9f947 ] + +We don't need to hold the prepare_lock when dropping a ref on a struct +clk_core. The release function is only freeing memory and any code with +a pointer reference has already unlinked anything pointing to the +clk_core. This reduces the holding area of the prepare_lock a bit. + +Note that we also don't call free_clk() with the prepare_lock held. +There isn't any reason to do that. + +Reviewed-by: Douglas Anderson +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20240325184204.745706-3-sboyd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index a05b5bca64250..dc2bcf58fc107 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -4227,7 +4227,8 @@ void clk_unregister(struct clk *clk) + if (ops == &clk_nodrv_ops) { + pr_err("%s: unregistered clock: %s\n", __func__, + clk->core->name); +- goto unlock; ++ clk_prepare_unlock(); ++ return; + } + /* + * Assign empty clock ops for consumers that might still hold +@@ -4261,11 +4262,10 @@ void clk_unregister(struct clk *clk) + if (clk->core->protect_count) + pr_warn("%s: unregistering protected clock: %s\n", + __func__, clk->core->name); ++ clk_prepare_unlock(); + + kref_put(&clk->core->ref, __clk_release); + free_clk(clk); +-unlock: +- clk_prepare_unlock(); + } + EXPORT_SYMBOL_GPL(clk_unregister); + +@@ -4471,13 +4471,11 @@ void __clk_put(struct clk *clk) + clk->max_rate < clk->core->req_rate) + clk_core_set_rate_nolock(clk->core, clk->core->req_rate); + +- owner = clk->core->owner; +- kref_put(&clk->core->ref, __clk_release); +- + clk_prepare_unlock(); + ++ owner = clk->core->owner; ++ kref_put(&clk->core->ref, __clk_release); + module_put(owner); +- + free_clk(clk); + } + +-- +2.43.0 + diff --git a/queue-5.15/drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch b/queue-5.15/drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch new file mode 100644 index 00000000000..f282ecc85e8 --- /dev/null +++ b/queue-5.15/drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch @@ -0,0 +1,57 @@ +From 1169d9bcc9c0b26e6c1d11265c32f56aa1ad98bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 19:35:54 -0400 +Subject: drm/nouveau/dp: Don't probe eDP ports twice harder + +From: Lyude Paul + +[ Upstream commit bf52d7f9b2067f02efe7e32697479097aba4a055 ] + +I didn't pay close enough attention the last time I tried to fix this +problem - while we currently do correctly take care to make sure we don't +probe a connected eDP port more then once, we don't do the same thing for +eDP ports we found to be disconnected. + +So, fix this and make sure we only ever probe eDP ports once and then leave +them at that connector state forever (since without HPD, it's not going to +change on its own anyway). This should get rid of the last few GSP errors +getting spit out during runtime suspend and resume on some machines, as we +tried to reprobe eDP ports in response to ACPI hotplug probe events. + +Signed-off-by: Lyude Paul +Reviewed-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20240404233736.7946-3-lyude@redhat.com +(cherry picked from commit fe6660b661c3397af0867d5d098f5b26581f1290) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_dp.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_dp.c b/drivers/gpu/drm/nouveau/nouveau_dp.c +index 447b7594b35ae..0107a21dc9f9b 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_dp.c ++++ b/drivers/gpu/drm/nouveau/nouveau_dp.c +@@ -109,12 +109,15 @@ nouveau_dp_detect(struct nouveau_connector *nv_connector, + u8 *dpcd = nv_encoder->dp.dpcd; + int ret = NOUVEAU_DP_NONE; + +- /* If we've already read the DPCD on an eDP device, we don't need to +- * reread it as it won't change ++ /* eDP ports don't support hotplugging - so there's no point in probing eDP ports unless we ++ * haven't probed them once before. + */ +- if (connector->connector_type == DRM_MODE_CONNECTOR_eDP && +- dpcd[DP_DPCD_REV] != 0) +- return NOUVEAU_DP_SST; ++ if (connector->connector_type == DRM_MODE_CONNECTOR_eDP) { ++ if (connector->status == connector_status_connected) ++ return NOUVEAU_DP_SST; ++ else if (connector->status == connector_status_disconnected) ++ return NOUVEAU_DP_NONE; ++ } + + mutex_lock(&nv_encoder->dp.hpd_irq_lock); + if (mstm) { +-- +2.43.0 + diff --git a/queue-5.15/firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch b/queue-5.15/firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch new file mode 100644 index 00000000000..0bcd3b76ce2 --- /dev/null +++ b/queue-5.15/firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch @@ -0,0 +1,87 @@ +From 968863258057916309e0837962fb67f31a1c4b67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 07:38:41 +0900 +Subject: firewire: ohci: mask bus reset interrupts between ISR and bottom half + +From: Adam Goldman + +[ Upstream commit 752e3c53de0fa3b7d817a83050b6699b8e9c6ec9 ] + +In the FireWire OHCI interrupt handler, if a bus reset interrupt has +occurred, mask bus reset interrupts until bus_reset_work has serviced and +cleared the interrupt. + +Normally, we always leave bus reset interrupts masked. We infer the bus +reset from the self-ID interrupt that happens shortly thereafter. A +scenario where we unmask bus reset interrupts was introduced in 2008 in +a007bb857e0b26f5d8b73c2ff90782d9c0972620: If +OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we +will unmask bus reset interrupts so we can log them. + +irq_handler logs the bus reset interrupt. However, we can't clear the bus +reset event flag in irq_handler, because we won't service the event until +later. irq_handler exits with the event flag still set. If the +corresponding interrupt is still unmasked, the first bus reset will +usually freeze the system due to irq_handler being called again each +time it exits. This freeze can be reproduced by loading firewire_ohci +with "modprobe firewire_ohci debug=-1" (to enable all debugging output). +Apparently there are also some cases where bus_reset_work will get called +soon enough to clear the event, and operation will continue normally. + +This freeze was first reported a few months after a007bb85 was committed, +but until now it was never fixed. The debug level could safely be set +to -1 through sysfs after the module was loaded, but this would be +ineffectual in logging bus reset interrupts since they were only +unmasked during initialization. + +irq_handler will now leave the event flag set but mask bus reset +interrupts, so irq_handler won't be called again and there will be no +freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will +unmask the interrupt after servicing the event, so future interrupts +will be caught as desired. + +As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be +enabled through sysfs in addition to during initial module loading. +However, when enabled through sysfs, logging of bus reset interrupts will +be effective only starting with the second bus reset, after +bus_reset_work has executed. + +Signed-off-by: Adam Goldman +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/ohci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c +index 667ff40f39353..7d94e1cbc0ed3 100644 +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -2049,6 +2049,8 @@ static void bus_reset_work(struct work_struct *work) + + ohci->generation = generation; + reg_write(ohci, OHCI1394_IntEventClear, OHCI1394_busReset); ++ if (param_debug & OHCI_PARAM_DEBUG_BUSRESETS) ++ reg_write(ohci, OHCI1394_IntMaskSet, OHCI1394_busReset); + + if (ohci->quirks & QUIRK_RESET_PACKET) + ohci->request_generation = generation; +@@ -2115,12 +2117,14 @@ static irqreturn_t irq_handler(int irq, void *data) + return IRQ_NONE; + + /* +- * busReset and postedWriteErr must not be cleared yet ++ * busReset and postedWriteErr events must not be cleared yet + * (OHCI 1.1 clauses 7.2.3.2 and 13.2.8.1) + */ + reg_write(ohci, OHCI1394_IntEventClear, + event & ~(OHCI1394_busReset | OHCI1394_postedWriteErr)); + log_irqs(ohci, event); ++ if (event & OHCI1394_busReset) ++ reg_write(ohci, OHCI1394_IntMaskClear, OHCI1394_busReset); + + if (event & OHCI1394_selfIDComplete) + queue_work(selfid_workqueue, &ohci->bus_reset_work); +-- +2.43.0 + diff --git a/queue-5.15/fs-9p-drop-inodes-immediately-on-non-.l-too.patch b/queue-5.15/fs-9p-drop-inodes-immediately-on-non-.l-too.patch new file mode 100644 index 00000000000..01c9b026775 --- /dev/null +++ b/queue-5.15/fs-9p-drop-inodes-immediately-on-non-.l-too.patch @@ -0,0 +1,31 @@ +From fa6eccc96c586544825a36a2894b5d0f57cdb636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 12:22:32 +0100 +Subject: fs/9p: drop inodes immediately on non-.L too + +From: Joakim Sindholt + +[ Upstream commit 7fd524b9bd1be210fe79035800f4bd78a41b349f ] + +Signed-off-by: Joakim Sindholt +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/9p/vfs_super.c b/fs/9p/vfs_super.c +index 7449f7fd47d22..51ac2653984a7 100644 +--- a/fs/9p/vfs_super.c ++++ b/fs/9p/vfs_super.c +@@ -340,6 +340,7 @@ static const struct super_operations v9fs_super_ops = { + .alloc_inode = v9fs_alloc_inode, + .free_inode = v9fs_free_inode, + .statfs = simple_statfs, ++ .drop_inode = v9fs_drop_inode, + .evict_inode = v9fs_evict_inode, + .show_options = v9fs_show_options, + .umount_begin = v9fs_umount_begin, +-- +2.43.0 + diff --git a/queue-5.15/fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch b/queue-5.15/fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch new file mode 100644 index 00000000000..5415fe5c1c0 --- /dev/null +++ b/queue-5.15/fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch @@ -0,0 +1,37 @@ +From 58c76f4f827629566c33c15d68f9aeef82d47552 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 12:22:31 +0100 +Subject: fs/9p: only translate RWX permissions for plain 9P2000 + +From: Joakim Sindholt + +[ Upstream commit cd25e15e57e68a6b18dc9323047fe9c68b99290b ] + +Garbage in plain 9P2000's perm bits is allowed through, which causes it +to be able to set (among others) the suid bit. This was presumably not +the intent since the unix extended bits are handled explicitly and +conditionally on .u. + +Signed-off-by: Joakim Sindholt +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index 0d9b7d453a877..75907f77f9e38 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -87,7 +87,7 @@ static int p9mode2perm(struct v9fs_session_info *v9ses, + int res; + int mode = stat->mode; + +- res = mode & S_IALLUGO; ++ res = mode & 0777; /* S_IRWXUGO */ + if (v9fs_proto_dotu(v9ses)) { + if ((mode & P9_DMSETUID) == P9_DMSETUID) + res |= S_ISUID; +-- +2.43.0 + diff --git a/queue-5.15/fs-9p-translate-o_trunc-into-otrunc.patch b/queue-5.15/fs-9p-translate-o_trunc-into-otrunc.patch new file mode 100644 index 00000000000..6e5de6281f1 --- /dev/null +++ b/queue-5.15/fs-9p-translate-o_trunc-into-otrunc.patch @@ -0,0 +1,36 @@ +From 27affae537cf65214aa324a8d0c3c1b91908b23b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 12:22:33 +0100 +Subject: fs/9p: translate O_TRUNC into OTRUNC + +From: Joakim Sindholt + +[ Upstream commit 87de39e70503e04ddb58965520b15eb9efa7eef3 ] + +This one hits both 9P2000 and .u as it appears v9fs has never translated +the O_TRUNC flag. + +Signed-off-by: Joakim Sindholt +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index 75907f77f9e38..ef103ef392ee3 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -178,6 +178,9 @@ int v9fs_uflags2omode(int uflags, int extended) + break; + } + ++ if (uflags & O_TRUNC) ++ ret |= P9_OTRUNC; ++ + if (extended) { + if (uflags & O_EXCL) + ret |= P9_OEXCL; +-- +2.43.0 + diff --git a/queue-5.15/gfs2-fix-invalid-metadata-access-in-punch_hole.patch b/queue-5.15/gfs2-fix-invalid-metadata-access-in-punch_hole.patch new file mode 100644 index 00000000000..c7bea896319 --- /dev/null +++ b/queue-5.15/gfs2-fix-invalid-metadata-access-in-punch_hole.patch @@ -0,0 +1,47 @@ +From be6e8a396d30bbde5a6bcffa993a19eae739eae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 16:40:36 +0100 +Subject: gfs2: Fix invalid metadata access in punch_hole + +From: Andrew Price + +[ Upstream commit c95346ac918c5badf51b9a7ac58a26d3bd5bb224 ] + +In punch_hole(), when the offset lies in the final block for a given +height, there is no hole to punch, but the maximum size check fails to +detect that. Consequently, punch_hole() will try to punch a hole beyond +the end of the metadata and fail. Fix the maximum size check. + +Signed-off-by: Andrew Price +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/bmap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c +index 0ec1eaf338338..d2011c3c33fc2 100644 +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1704,7 +1704,8 @@ static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length) + struct buffer_head *dibh, *bh; + struct gfs2_holder rd_gh; + unsigned int bsize_shift = sdp->sd_sb.sb_bsize_shift; +- u64 lblock = (offset + (1 << bsize_shift) - 1) >> bsize_shift; ++ unsigned int bsize = 1 << bsize_shift; ++ u64 lblock = (offset + bsize - 1) >> bsize_shift; + __u16 start_list[GFS2_MAX_META_HEIGHT]; + __u16 __end_list[GFS2_MAX_META_HEIGHT], *end_list = NULL; + unsigned int start_aligned, end_aligned; +@@ -1715,7 +1716,7 @@ static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length) + u64 prev_bnr = 0; + __be64 *start, *end; + +- if (offset >= maxsize) { ++ if (offset + bsize - 1 >= maxsize) { + /* + * The starting point lies beyond the allocated meta-data; + * there are no blocks do deallocate. +-- +2.43.0 + diff --git a/queue-5.15/gpio-crystalcove-use-enotsupp-consistently.patch b/queue-5.15/gpio-crystalcove-use-enotsupp-consistently.patch new file mode 100644 index 00000000000..32df8f708ca --- /dev/null +++ b/queue-5.15/gpio-crystalcove-use-enotsupp-consistently.patch @@ -0,0 +1,35 @@ +From 28bf8e7ccc8d8b31c6c2532356c31a1a36e7f288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 19:26:22 +0300 +Subject: gpio: crystalcove: Use -ENOTSUPP consistently + +From: Andy Shevchenko + +[ Upstream commit ace0ebe5c98d66889f19e0f30e2518d0c58d0e04 ] + +The GPIO library expects the drivers to return -ENOTSUPP in some +cases and not using analogue POSIX code. Make the driver to follow +this. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-crystalcove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-crystalcove.c b/drivers/gpio/gpio-crystalcove.c +index 5a909f3c79e87..c48a82c240873 100644 +--- a/drivers/gpio/gpio-crystalcove.c ++++ b/drivers/gpio/gpio-crystalcove.c +@@ -91,7 +91,7 @@ static inline int to_reg(int gpio, enum ctrl_register reg_type) + case 0x5e: + return GPIOPANELCTL; + default: +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + } + } + +-- +2.43.0 + diff --git a/queue-5.15/gpio-wcove-use-enotsupp-consistently.patch b/queue-5.15/gpio-wcove-use-enotsupp-consistently.patch new file mode 100644 index 00000000000..55398b08a70 --- /dev/null +++ b/queue-5.15/gpio-wcove-use-enotsupp-consistently.patch @@ -0,0 +1,36 @@ +From 224c4dec96dddf91b7c39a14d926ab9da87c58dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 19:25:21 +0300 +Subject: gpio: wcove: Use -ENOTSUPP consistently + +From: Andy Shevchenko + +[ Upstream commit 0c3b532ad3fbf82884a2e7e83e37c7dcdd4d1d99 ] + +The GPIO library expects the drivers to return -ENOTSUPP in some +cases and not using analogue POSIX code. Make the driver to follow +this. + +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-wcove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-wcove.c b/drivers/gpio/gpio-wcove.c +index 16a0fae1e32eb..2df948e16eb71 100644 +--- a/drivers/gpio/gpio-wcove.c ++++ b/drivers/gpio/gpio-wcove.c +@@ -104,7 +104,7 @@ static inline int to_reg(int gpio, enum ctrl_register type) + unsigned int reg = type == CTRL_IN ? GPIO_IN_CTRL_BASE : GPIO_OUT_CTRL_BASE; + + if (gpio >= WCOVE_GPIO_NUM) +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + + return reg + gpio; + } +-- +2.43.0 + diff --git a/queue-5.15/gpu-host1x-do-not-setup-dma-for-virtual-devices.patch b/queue-5.15/gpu-host1x-do-not-setup-dma-for-virtual-devices.patch new file mode 100644 index 00000000000..0ead3601673 --- /dev/null +++ b/queue-5.15/gpu-host1x-do-not-setup-dma-for-virtual-devices.patch @@ -0,0 +1,61 @@ +From 06bd6573ab811a47d44b9d20a14c6414a889ff38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 16:49:43 +0100 +Subject: gpu: host1x: Do not setup DMA for virtual devices + +From: Thierry Reding + +[ Upstream commit 8ab58f6841b19423231c5db3378691ec80c778f8 ] + +The host1x devices are virtual compound devices and do not perform DMA +accesses themselves, so they do not need to be set up for DMA. + +Ideally we would also not need to set up DMA masks for the virtual +devices, but we currently still need those for legacy support on old +hardware. + +Tested-by: Jon Hunter +Acked-by: Jon Hunter +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20240314154943.2487549-1-thierry.reding@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/bus.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c +index 218e3718fd68c..96737ddc81209 100644 +--- a/drivers/gpu/host1x/bus.c ++++ b/drivers/gpu/host1x/bus.c +@@ -367,11 +367,6 @@ static int host1x_device_uevent(struct device *dev, + return 0; + } + +-static int host1x_dma_configure(struct device *dev) +-{ +- return of_dma_configure(dev, dev->of_node, true); +-} +- + static const struct dev_pm_ops host1x_device_pm_ops = { + .suspend = pm_generic_suspend, + .resume = pm_generic_resume, +@@ -385,7 +380,6 @@ struct bus_type host1x_bus_type = { + .name = "host1x", + .match = host1x_device_match, + .uevent = host1x_device_uevent, +- .dma_configure = host1x_dma_configure, + .pm = &host1x_device_pm_ops, + }; + +@@ -474,8 +468,6 @@ static int host1x_device_add(struct host1x *host1x, + device->dev.bus = &host1x_bus_type; + device->dev.parent = host1x->dev; + +- of_dma_configure(&device->dev, host1x->dev->of_node, true); +- + device->dev.dma_parms = &device->dma_parms; + dma_set_max_seg_size(&device->dev, UINT_MAX); + +-- +2.43.0 + diff --git a/queue-5.15/iommu-mtk-fix-module-autoloading.patch b/queue-5.15/iommu-mtk-fix-module-autoloading.patch new file mode 100644 index 00000000000..a9a85312059 --- /dev/null +++ b/queue-5.15/iommu-mtk-fix-module-autoloading.patch @@ -0,0 +1,48 @@ +From fa26cc6a74d3b301df89b9744d47436be8d7f3c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 18:41:09 +0200 +Subject: iommu: mtk: fix module autoloading + +From: Krzysztof Kozlowski + +[ Upstream commit 7537e31df80cb58c27f3b6fef702534ea87a5957 ] + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded +based on the alias from of_device_id table. + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240410164109.233308-1-krzk@kernel.org +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/mtk_iommu.c | 1 + + drivers/iommu/mtk_iommu_v1.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c +index 2ae46fa6b3dee..04ac40d11fdff 100644 +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -1101,6 +1101,7 @@ static const struct of_device_id mtk_iommu_of_ids[] = { + { .compatible = "mediatek,mt8192-m4u", .data = &mt8192_data}, + {} + }; ++MODULE_DEVICE_TABLE(of, mtk_iommu_of_ids); + + static struct platform_driver mtk_iommu_driver = { + .probe = mtk_iommu_probe, +diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c +index fe1c3123a7e77..3a52f6a6ecb32 100644 +--- a/drivers/iommu/mtk_iommu_v1.c ++++ b/drivers/iommu/mtk_iommu_v1.c +@@ -576,6 +576,7 @@ static const struct of_device_id mtk_iommu_of_ids[] = { + { .compatible = "mediatek,mt2701-m4u", }, + {} + }; ++MODULE_DEVICE_TABLE(of, mtk_iommu_v1_of_ids); + + static const struct component_master_ops mtk_iommu_com_ops = { + .bind = mtk_iommu_bind, +-- +2.43.0 + diff --git a/queue-5.15/kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch b/queue-5.15/kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch new file mode 100644 index 00000000000..d9a558a4e00 --- /dev/null +++ b/queue-5.15/kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch @@ -0,0 +1,100 @@ +From c3ac2e0f989770434efb77ea235bf93305b6a90f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 21:25:48 +0100 +Subject: kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries + +From: Borislav Petkov (AMD) + +[ Upstream commit 54babdc0343fff2f32dfaafaaa9e42c4db278204 ] + +When KCSAN and CONSTRUCTORS are enabled, one can trigger the + + "Unpatched return thunk in use. This should not happen!" + +catch-all warning. + +Usually, when objtool runs on the .o objects, it does generate a section +.return_sites which contains all offsets in the objects to the return +thunks of the functions present there. Those return thunks then get +patched at runtime by the alternatives. + +KCSAN and CONSTRUCTORS add this to the object file's .text.startup +section: + + ------------------- + Disassembly of section .text.startup: + + ... + + 0000000000000010 <_sub_I_00099_0>: + 10: f3 0f 1e fa endbr64 + 14: e8 00 00 00 00 call 19 <_sub_I_00099_0+0x9> + 15: R_X86_64_PLT32 __tsan_init-0x4 + 19: e9 00 00 00 00 jmp 1e <__UNIQUE_ID___addressable_cryptd_alloc_aead349+0x6> + 1a: R_X86_64_PLT32 __x86_return_thunk-0x4 + ------------------- + +which, if it is built as a module goes through the intermediary stage of +creating a .mod.c file which, when translated, receives a second +constructor: + + ------------------- + Disassembly of section .text.startup: + + 0000000000000010 <_sub_I_00099_0>: + 10: f3 0f 1e fa endbr64 + 14: e8 00 00 00 00 call 19 <_sub_I_00099_0+0x9> + 15: R_X86_64_PLT32 __tsan_init-0x4 + 19: e9 00 00 00 00 jmp 1e <_sub_I_00099_0+0xe> + 1a: R_X86_64_PLT32 __x86_return_thunk-0x4 + + ... + + 0000000000000030 <_sub_I_00099_0>: + 30: f3 0f 1e fa endbr64 + 34: e8 00 00 00 00 call 39 <_sub_I_00099_0+0x9> + 35: R_X86_64_PLT32 __tsan_init-0x4 + 39: e9 00 00 00 00 jmp 3e <__ksymtab_cryptd_alloc_ahash+0x2> + 3a: R_X86_64_PLT32 __x86_return_thunk-0x4 + ------------------- + +in the .ko file. + +Objtool has run already so that second constructor's return thunk cannot +be added to the .return_sites section and thus the return thunk remains +unpatched and the warning rightfully fires. + +Drop KCSAN flags from the mod.c generation stage as those constructors +do not contain data races one would be interested about. + +Debugged together with David Kaplan and Nikolay +Borisov . + +Reported-by: Paul Menzel +Closes: https://lore.kernel.org/r/0851a207-7143-417e-be31-8bf2b3afb57d@molgen.mpg.de +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Paul Menzel # Dell XPS 13 +Reviewed-by: Nikolay Borisov +Reviewed-by: Marco Elver +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.modfinal | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal +index 47f047458264f..dce4cf55a4b68 100644 +--- a/scripts/Makefile.modfinal ++++ b/scripts/Makefile.modfinal +@@ -23,7 +23,7 @@ modname = $(notdir $(@:.mod.o=)) + part-of-module = y + + quiet_cmd_cc_o_c = CC [M] $@ +- cmd_cc_o_c = $(CC) $(filter-out $(CC_FLAGS_CFI) $(CFLAGS_GCOV), $(c_flags)) -c -o $@ $< ++ cmd_cc_o_c = $(CC) $(filter-out $(CC_FLAGS_CFI) $(CFLAGS_GCOV) $(CFLAGS_KCSAN), $(c_flags)) -c -o $@ $< + + %.mod.o: %.mod.c FORCE + $(call if_changed_dep,cc_o_c) +-- +2.43.0 + diff --git a/queue-5.15/mips-scall-save-thread_info.syscall-unconditionally-.patch b/queue-5.15/mips-scall-save-thread_info.syscall-unconditionally-.patch new file mode 100644 index 00000000000..3c5815196b7 --- /dev/null +++ b/queue-5.15/mips-scall-save-thread_info.syscall-unconditionally-.patch @@ -0,0 +1,255 @@ +From f7a5c184d864981a4065fa60454dde1d7edcca79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 14:27:56 +0000 +Subject: MIPS: scall: Save thread_info.syscall unconditionally on entry + +From: Jiaxun Yang + +[ Upstream commit 4370b673ccf240bf7587b0cb8e6726a5ccaf1f17 ] + +thread_info.syscall is used by syscall_get_nr to supply syscall nr +over a thread stack frame. + +Previously, thread_info.syscall is only saved at syscall_trace_enter +when syscall tracing is enabled. However rest of the kernel code do +expect syscall_get_nr to be available without syscall tracing. The +previous design breaks collect_syscall. + +Move saving process to syscall entry to fix it. + +Reported-by: Xi Ruoyao +Link: https://github.com/util-linux/util-linux/issues/2867 +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/ptrace.h | 2 +- + arch/mips/kernel/asm-offsets.c | 1 + + arch/mips/kernel/ptrace.c | 15 ++++++--------- + arch/mips/kernel/scall32-o32.S | 23 +++++++++++++---------- + arch/mips/kernel/scall64-n32.S | 3 ++- + arch/mips/kernel/scall64-n64.S | 3 ++- + arch/mips/kernel/scall64-o32.S | 33 +++++++++++++++++---------------- + 7 files changed, 42 insertions(+), 38 deletions(-) + +diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h +index b3e4dd6be7e20..428b9f1cf1de2 100644 +--- a/arch/mips/include/asm/ptrace.h ++++ b/arch/mips/include/asm/ptrace.h +@@ -157,7 +157,7 @@ static inline long regs_return_value(struct pt_regs *regs) + #define instruction_pointer(regs) ((regs)->cp0_epc) + #define profile_pc(regs) instruction_pointer(regs) + +-extern asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall); ++extern asmlinkage long syscall_trace_enter(struct pt_regs *regs); + extern asmlinkage void syscall_trace_leave(struct pt_regs *regs); + + extern void die(const char *, struct pt_regs *) __noreturn; +diff --git a/arch/mips/kernel/asm-offsets.c b/arch/mips/kernel/asm-offsets.c +index 04ca75278f023..6cd0246aa2c69 100644 +--- a/arch/mips/kernel/asm-offsets.c ++++ b/arch/mips/kernel/asm-offsets.c +@@ -98,6 +98,7 @@ void output_thread_info_defines(void) + OFFSET(TI_CPU, thread_info, cpu); + OFFSET(TI_PRE_COUNT, thread_info, preempt_count); + OFFSET(TI_REGS, thread_info, regs); ++ OFFSET(TI_SYSCALL, thread_info, syscall); + DEFINE(_THREAD_SIZE, THREAD_SIZE); + DEFINE(_THREAD_MASK, THREAD_MASK); + DEFINE(_IRQ_STACK_SIZE, IRQ_STACK_SIZE); +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index db7c5be1d4a35..dd454b429ff73 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -1310,16 +1310,13 @@ long arch_ptrace(struct task_struct *child, long request, + * Notification of system call entry/exit + * - triggered by current->work.syscall_trace + */ +-asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) ++asmlinkage long syscall_trace_enter(struct pt_regs *regs) + { + user_exit(); + +- current_thread_info()->syscall = syscall; +- + if (test_thread_flag(TIF_SYSCALL_TRACE)) { + if (tracehook_report_syscall_entry(regs)) + return -1; +- syscall = current_thread_info()->syscall; + } + + #ifdef CONFIG_SECCOMP +@@ -1328,7 +1325,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) + struct seccomp_data sd; + unsigned long args[6]; + +- sd.nr = syscall; ++ sd.nr = current_thread_info()->syscall; + sd.arch = syscall_get_arch(current); + syscall_get_arguments(current, regs, args); + for (i = 0; i < 6; i++) +@@ -1338,23 +1335,23 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) + ret = __secure_computing(&sd); + if (ret == -1) + return ret; +- syscall = current_thread_info()->syscall; + } + #endif + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) + trace_sys_enter(regs, regs->regs[2]); + +- audit_syscall_entry(syscall, regs->regs[4], regs->regs[5], ++ audit_syscall_entry(current_thread_info()->syscall, ++ regs->regs[4], regs->regs[5], + regs->regs[6], regs->regs[7]); + + /* + * Negative syscall numbers are mistaken for rejected syscalls, but + * won't have had the return value set appropriately, so we do so now. + */ +- if (syscall < 0) ++ if (current_thread_info()->syscall < 0) + syscall_set_return_value(current, regs, -ENOSYS, 0); +- return syscall; ++ return current_thread_info()->syscall; + } + + /* +diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S +index 9bfce5f75f601..6c14160cd8ba7 100644 +--- a/arch/mips/kernel/scall32-o32.S ++++ b/arch/mips/kernel/scall32-o32.S +@@ -78,6 +78,18 @@ loads_done: + PTR_WD load_a7, bad_stack_a7 + .previous + ++ /* ++ * syscall number is in v0 unless we called syscall(__NR_###) ++ * where the real syscall number is in a0 ++ */ ++ subu t2, v0, __NR_O32_Linux ++ bnez t2, 1f /* __NR_syscall at offset 0 */ ++ LONG_S a0, TI_SYSCALL($28) # Save a0 as syscall number ++ b 2f ++1: ++ LONG_S v0, TI_SYSCALL($28) # Save v0 as syscall number ++2: ++ + lw t0, TI_FLAGS($28) # syscall tracing enabled? + li t1, _TIF_WORK_SYSCALL_ENTRY + and t0, t1 +@@ -115,16 +127,7 @@ syscall_trace_entry: + SAVE_STATIC + move a0, sp + +- /* +- * syscall number is in v0 unless we called syscall(__NR_###) +- * where the real syscall number is in a0 +- */ +- move a1, v0 +- subu t2, v0, __NR_O32_Linux +- bnez t2, 1f /* __NR_syscall at offset 0 */ +- lw a1, PT_R4(sp) +- +-1: jal syscall_trace_enter ++ jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall + +diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S +index 97456b2ca7dc3..97788859238c3 100644 +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -44,6 +44,8 @@ NESTED(handle_sysn32, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + ++ LONG_S v0, TI_SYSCALL($28) # Store syscall number ++ + li t1, _TIF_WORK_SYSCALL_ENTRY + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 +@@ -72,7 +74,6 @@ syscall_common: + n32_syscall_trace_entry: + SAVE_STATIC + move a0, sp +- move a1, v0 + jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall +diff --git a/arch/mips/kernel/scall64-n64.S b/arch/mips/kernel/scall64-n64.S +index 5f6ed4b4c3993..db58115385639 100644 +--- a/arch/mips/kernel/scall64-n64.S ++++ b/arch/mips/kernel/scall64-n64.S +@@ -47,6 +47,8 @@ NESTED(handle_sys64, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + ++ LONG_S v0, TI_SYSCALL($28) # Store syscall number ++ + li t1, _TIF_WORK_SYSCALL_ENTRY + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 +@@ -83,7 +85,6 @@ n64_syscall_exit: + syscall_trace_entry: + SAVE_STATIC + move a0, sp +- move a1, v0 + jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index d3c2616cba226..7a5abb73e5312 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -79,6 +79,22 @@ loads_done: + PTR_WD load_a7, bad_stack_a7 + .previous + ++ /* ++ * absolute syscall number is in v0 unless we called syscall(__NR_###) ++ * where the real syscall number is in a0 ++ * note: NR_syscall is the first O32 syscall but the macro is ++ * only defined when compiling with -mabi=32 (CONFIG_32BIT) ++ * therefore __NR_O32_Linux is used (4000) ++ */ ++ ++ subu t2, v0, __NR_O32_Linux ++ bnez t2, 1f /* __NR_syscall at offset 0 */ ++ LONG_S a0, TI_SYSCALL($28) # Save a0 as syscall number ++ b 2f ++1: ++ LONG_S v0, TI_SYSCALL($28) # Save v0 as syscall number ++2: ++ + li t1, _TIF_WORK_SYSCALL_ENTRY + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 +@@ -113,22 +129,7 @@ trace_a_syscall: + sd a7, PT_R11(sp) # For indirect syscalls + + move a0, sp +- /* +- * absolute syscall number is in v0 unless we called syscall(__NR_###) +- * where the real syscall number is in a0 +- * note: NR_syscall is the first O32 syscall but the macro is +- * only defined when compiling with -mabi=32 (CONFIG_32BIT) +- * therefore __NR_O32_Linux is used (4000) +- */ +- .set push +- .set reorder +- subu t1, v0, __NR_O32_Linux +- move a1, v0 +- bnez t1, 1f /* __NR_syscall at offset 0 */ +- ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ +- .set pop +- +-1: jal syscall_trace_enter ++ jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall + +-- +2.43.0 + diff --git a/queue-5.15/net-bcmgenet-reset-rbuf-on-first-open.patch b/queue-5.15/net-bcmgenet-reset-rbuf-on-first-open.patch new file mode 100644 index 00000000000..e66ad6461ae --- /dev/null +++ b/queue-5.15/net-bcmgenet-reset-rbuf-on-first-open.patch @@ -0,0 +1,83 @@ +From f0d6749a8c64e75d9c468d10e34d9b7fddce5ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 13:09:33 +0200 +Subject: net: bcmgenet: Reset RBUF on first open + +From: Phil Elwell + +[ Upstream commit 0a6380cb4c6b5c1d6dad226ba3130f9090f0ccea ] + +If the RBUF logic is not reset when the kernel starts then there +may be some data left over from any network boot loader. If the +64-byte packet headers are enabled then this can be fatal. + +Extend bcmgenet_dma_disable to do perform the reset, but not when +called from bcmgenet_resume in order to preserve a wake packet. + +N.B. This different handling of resume is just based on a hunch - +why else wouldn't one reset the RBUF as well as the TBUF? If this +isn't the case then it's easy to change the patch to make the RBUF +reset unconditional. + +See: https://github.com/raspberrypi/linux/issues/3850 +See: https://github.com/raspberrypi/firmware/issues/1882 + +Signed-off-by: Phil Elwell +Signed-off-by: Maarten Vanraes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index a2b736a9d20cc..9db391e5b4f4f 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3256,7 +3256,7 @@ static void bcmgenet_get_hw_addr(struct bcmgenet_priv *priv, + } + + /* Returns a reusable dma control register value */ +-static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv) ++static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv, bool flush_rx) + { + unsigned int i; + u32 reg; +@@ -3281,6 +3281,14 @@ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv) + udelay(10); + bcmgenet_umac_writel(priv, 0, UMAC_TX_FLUSH); + ++ if (flush_rx) { ++ reg = bcmgenet_rbuf_ctrl_get(priv); ++ bcmgenet_rbuf_ctrl_set(priv, reg | BIT(0)); ++ udelay(10); ++ bcmgenet_rbuf_ctrl_set(priv, reg); ++ udelay(10); ++ } ++ + return dma_ctrl; + } + +@@ -3344,8 +3352,8 @@ static int bcmgenet_open(struct net_device *dev) + + bcmgenet_set_hw_addr(priv, dev->dev_addr); + +- /* Disable RX/TX DMA and flush TX queues */ +- dma_ctrl = bcmgenet_dma_disable(priv); ++ /* Disable RX/TX DMA and flush TX and RX queues */ ++ dma_ctrl = bcmgenet_dma_disable(priv, true); + + /* Reinitialize TDMA and RDMA and SW housekeeping */ + ret = bcmgenet_init_dma(priv); +@@ -4201,7 +4209,7 @@ static int bcmgenet_resume(struct device *d) + bcmgenet_hfb_create_rxnfc_filter(priv, rule); + + /* Disable RX/TX DMA and flush TX queues */ +- dma_ctrl = bcmgenet_dma_disable(priv); ++ dma_ctrl = bcmgenet_dma_disable(priv, false); + + /* Reinitialize TDMA and RDMA and SW housekeeping */ + ret = bcmgenet_init_dma(priv); +-- +2.43.0 + diff --git a/queue-5.15/net-mark-racy-access-on-sk-sk_rcvbuf.patch b/queue-5.15/net-mark-racy-access-on-sk-sk_rcvbuf.patch new file mode 100644 index 00000000000..7e8c1c9ddd3 --- /dev/null +++ b/queue-5.15/net-mark-racy-access-on-sk-sk_rcvbuf.patch @@ -0,0 +1,48 @@ +From 5cd0f15c8e05a0753b51e19c0e0b1ed81b21b31e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 16:44:10 +0800 +Subject: net: mark racy access on sk->sk_rcvbuf + +From: linke li + +[ Upstream commit c2deb2e971f5d9aca941ef13ee05566979e337a4 ] + +sk->sk_rcvbuf in __sock_queue_rcv_skb() and __sk_receive_skb() can be +changed by other threads. Mark this as benign using READ_ONCE(). + +This patch is aimed at reducing the number of benign races reported by +KCSAN in order to focus future debugging effort on harmful races. + +Signed-off-by: linke li +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 6f761f3c272aa..62e376f09f957 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -459,7 +459,7 @@ int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) + unsigned long flags; + struct sk_buff_head *list = &sk->sk_receive_queue; + +- if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) { ++ if (atomic_read(&sk->sk_rmem_alloc) >= READ_ONCE(sk->sk_rcvbuf)) { + atomic_inc(&sk->sk_drops); + trace_sock_rcvqueue_full(sk, skb); + return -ENOMEM; +@@ -511,7 +511,7 @@ int __sk_receive_skb(struct sock *sk, struct sk_buff *skb, + + skb->dev = NULL; + +- if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { ++ if (sk_rcvqueues_full(sk, READ_ONCE(sk->sk_rcvbuf))) { + atomic_inc(&sk->sk_drops); + goto discard_and_relse; + } +-- +2.43.0 + diff --git a/queue-5.15/net-usb-qmi_wwan-support-rolling-modules.patch b/queue-5.15/net-usb-qmi_wwan-support-rolling-modules.patch new file mode 100644 index 00000000000..9063bbaf3be --- /dev/null +++ b/queue-5.15/net-usb-qmi_wwan-support-rolling-modules.patch @@ -0,0 +1,70 @@ +From eb77ec976324ee2eda28cf8ca994f5ca4b7eb89b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 20:07:13 +0800 +Subject: net:usb:qmi_wwan: support Rolling modules + +From: Vanillan Wang + +[ Upstream commit d362046021ea122309da8c8e0b6850c792ca97b5 ] + +Update the qmi_wwan driver support for the Rolling +LTE modules. + +- VID:PID 33f8:0104, RW101-GL for laptop debug M.2 cards(with RMNET +interface for /Linux/Chrome OS) +0x0104: RMNET, diag, at, pipe + +Here are the outputs of usb-devices: +T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=33f8 ProdID=0104 Rev=05.04 +S: Manufacturer=Rolling Wireless S.a.r.l. +S: Product=Rolling Module +S: SerialNumber=ba2eb033 +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +Signed-off-by: Vanillan Wang +Link: https://lore.kernel.org/r/20240416120713.24777-1-vanillanwang@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 846ace9830d3b..89e1fac07a255 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1419,6 +1419,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x0489, 0xe0b5, 0)}, /* Foxconn T77W968 LTE with eSIM support*/ + {QMI_FIXED_INTF(0x2692, 0x9025, 4)}, /* Cellient MPL200 (rebranded Qualcomm 05c6:9025) */ + {QMI_QUIRK_SET_DTR(0x1546, 0x1342, 4)}, /* u-blox LARA-L6 */ ++ {QMI_QUIRK_SET_DTR(0x33f8, 0x0104, 4)}, /* Rolling RW101 RMNET */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ +-- +2.43.0 + diff --git a/queue-5.15/scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch b/queue-5.15/scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch new file mode 100644 index 00000000000..fb6ff80ca27 --- /dev/null +++ b/queue-5.15/scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch @@ -0,0 +1,86 @@ +From 5c779491ad7fa4af9ec117c19988b5a088485453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 12:44:27 +0530 +Subject: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after + upload + +From: Saurav Kashyap + +[ Upstream commit c214ed2a4dda35b308b0b28eed804d7ae66401f9 ] + +The session resources are used by FW and driver when session is offloaded, +once session is uploaded these resources are not used. The lock is not +required as these fields won't be used any longer. The offload and upload +calls are sequential, hence lock is not required. + +This will suppress following BUG_ON(): + +[ 449.843143] ------------[ cut here ]------------ +[ 449.848302] kernel BUG at mm/vmalloc.c:2727! +[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI +[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1 +Rebooting. +[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016 +[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc] +[ 449.882910] RIP: 0010:vunmap+0x2e/0x30 +[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41 +[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206 +[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005 +[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000 +[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf +[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000 +[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0 +[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000 +[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0 +[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 449.993028] Call Trace: +[ 449.995756] __iommu_dma_free+0x96/0x100 +[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc] +[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc] +[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc] +[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc] +[ 450.023103] process_one_work+0x1e8/0x3c0 +[ 450.027581] worker_thread+0x50/0x3b0 +[ 450.031669] ? rescuer_thread+0x370/0x370 +[ 450.036143] kthread+0x149/0x170 +[ 450.039744] ? set_kthread_struct+0x40/0x40 +[ 450.044411] ret_from_fork+0x22/0x30 +[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls +[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler +[ 450.159753] ---[ end trace 712de2c57c64abc8 ]--- + +Reported-by: Guangwu Zhang +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20240315071427.31842-1-skashyap@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/bnx2fc_tgt.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_tgt.c b/drivers/scsi/bnx2fc/bnx2fc_tgt.c +index 9200b718085c4..5015d9b0817ac 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_tgt.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_tgt.c +@@ -833,7 +833,6 @@ static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba, + + BNX2FC_TGT_DBG(tgt, "Freeing up session resources\n"); + +- spin_lock_bh(&tgt->cq_lock); + ctx_base_ptr = tgt->ctx_base; + tgt->ctx_base = NULL; + +@@ -889,7 +888,6 @@ static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba, + tgt->sq, tgt->sq_dma); + tgt->sq = NULL; + } +- spin_unlock_bh(&tgt->cq_lock); + + if (ctx_base_ptr) + iounmap(ctx_base_ptr); +-- +2.43.0 + diff --git a/queue-5.15/scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch b/queue-5.15/scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch new file mode 100644 index 00000000000..bbfbc4b642a --- /dev/null +++ b/queue-5.15/scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch @@ -0,0 +1,60 @@ +From efbe5d370717ec6fca069194fb4c69d5e9c2a808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:04:53 -0800 +Subject: scsi: lpfc: Move NPIV's transport unregistration to after resource + clean up + +From: Justin Tee + +[ Upstream commit 4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c ] + +There are cases after NPIV deletion where the fabric switch still believes +the NPIV is logged into the fabric. This occurs when a vport is +unregistered before the Remove All DA_ID CT and LOGO ELS are sent to the +fabric. + +Currently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including +the fabric D_ID, removes the last ndlp reference and frees the ndlp rport +object. This sometimes causes the race condition where the final DA_ID and +LOGO are skipped from being sent to the fabric switch. + +Fix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID +and LOGO are sent. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240305200503.57317-3-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_vport.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c +index da9a1f72d9383..b1071226e27fb 100644 +--- a/drivers/scsi/lpfc/lpfc_vport.c ++++ b/drivers/scsi/lpfc/lpfc_vport.c +@@ -651,10 +651,6 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + lpfc_free_sysfs_attr(vport); + lpfc_debugfs_terminate(vport); + +- /* Remove FC host to break driver binding. */ +- fc_remove_host(shost); +- scsi_remove_host(shost); +- + /* Send the DA_ID and Fabric LOGO to cleanup Nameserver entries. */ + ndlp = lpfc_findnode_did(vport, Fabric_DID); + if (!ndlp) +@@ -700,6 +696,10 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + + skip_logo: + ++ /* Remove FC host to break driver binding. */ ++ fc_remove_host(shost); ++ scsi_remove_host(shost); ++ + lpfc_cleanup(vport); + + /* Remove scsi host now. The nodes are cleaned up. */ +-- +2.43.0 + diff --git a/queue-5.15/scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch b/queue-5.15/scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch new file mode 100644 index 00000000000..080c3ee66f1 --- /dev/null +++ b/queue-5.15/scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch @@ -0,0 +1,40 @@ +From ffb7196df5eaa5d6627893b268fe301fd16a5b9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:04:56 -0800 +Subject: scsi: lpfc: Replace hbalock with ndlp lock in + lpfc_nvme_unregister_port() + +From: Justin Tee + +[ Upstream commit d11272be497e48a8e8f980470eb6b70e92eed0ce ] + +The ndlp object update in lpfc_nvme_unregister_port() should be protected +by the ndlp lock rather than hbalock. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240305200503.57317-6-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nvme.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index 4e0c0b273e5fe..2ff8ace6f78f2 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -2539,9 +2539,9 @@ lpfc_nvme_unregister_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + /* No concern about the role change on the nvme remoteport. + * The transport will update it. + */ +- spin_lock_irq(&vport->phba->hbalock); ++ spin_lock_irq(&ndlp->lock); + ndlp->fc4_xpt_flags |= NVME_XPT_UNREG_WAIT; +- spin_unlock_irq(&vport->phba->hbalock); ++ spin_unlock_irq(&ndlp->lock); + + /* Don't let the host nvme transport keep sending keep-alives + * on this remoteport. Vport is unloading, no recovery. The +-- +2.43.0 + diff --git a/queue-5.15/scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch b/queue-5.15/scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch new file mode 100644 index 00000000000..371b4825267 --- /dev/null +++ b/queue-5.15/scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch @@ -0,0 +1,92 @@ +From 80a245afbb569458dc789ccb1aec78c240e0128f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:04:55 -0800 +Subject: scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic + +From: Justin Tee + +[ Upstream commit bb011631435c705cdeddca68d5c85fd40a4320f9 ] + +Typically when an out of resource CQE status is detected, the +lpfc_ramp_down_queue_handler() logic is called to help reduce I/O load by +reducing an sdev's queue_depth. + +However, the current lpfc_rampdown_queue_depth() logic does not help reduce +queue_depth. num_cmd_success is never updated and is always zero, which +means new_queue_depth will always be set to sdev->queue_depth. So, +new_queue_depth = sdev->queue_depth - new_queue_depth always sets +new_queue_depth to zero. And, scsi_change_queue_depth(sdev, 0) is +essentially a no-op. + +Change the lpfc_ramp_down_queue_handler() logic to set new_queue_depth +equal to sdev->queue_depth subtracted from number of times num_rsrc_err was +incremented. If num_rsrc_err is >= sdev->queue_depth, then set +new_queue_depth equal to 1. Eventually, the frequency of Good_Status +frames will signal SCSI upper layer to auto increase the queue_depth back +to the driver default of 64 via scsi_handle_queue_ramp_up(). + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240305200503.57317-5-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc.h | 1 - + drivers/scsi/lpfc/lpfc_scsi.c | 13 ++++--------- + 2 files changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 65ac952b767fb..194825ff1ee80 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -1341,7 +1341,6 @@ struct lpfc_hba { + unsigned long bit_flags; + #define FABRIC_COMANDS_BLOCKED 0 + atomic_t num_rsrc_err; +- atomic_t num_cmd_success; + unsigned long last_rsrc_error_time; + unsigned long last_ramp_down_time; + #ifdef CONFIG_SCSI_LPFC_DEBUG_FS +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 6d1a3cbd6b3c4..d9fb5e09fb53f 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -231,11 +231,10 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) + struct Scsi_Host *shost; + struct scsi_device *sdev; + unsigned long new_queue_depth; +- unsigned long num_rsrc_err, num_cmd_success; ++ unsigned long num_rsrc_err; + int i; + + num_rsrc_err = atomic_read(&phba->num_rsrc_err); +- num_cmd_success = atomic_read(&phba->num_cmd_success); + + /* + * The error and success command counters are global per +@@ -250,20 +249,16 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) { + shost = lpfc_shost_from_vport(vports[i]); + shost_for_each_device(sdev, shost) { +- new_queue_depth = +- sdev->queue_depth * num_rsrc_err / +- (num_rsrc_err + num_cmd_success); +- if (!new_queue_depth) +- new_queue_depth = sdev->queue_depth - 1; ++ if (num_rsrc_err >= sdev->queue_depth) ++ new_queue_depth = 1; + else + new_queue_depth = sdev->queue_depth - +- new_queue_depth; ++ num_rsrc_err; + scsi_change_queue_depth(sdev, new_queue_depth); + } + } + lpfc_destroy_vport_work_array(phba, vports); + atomic_set(&phba->num_rsrc_err, 0); +- atomic_set(&phba->num_cmd_success, 0); + } + + /** +-- +2.43.0 + diff --git a/queue-5.15/scsi-target-fix-selinux-error-when-systemd-modules-l.patch b/queue-5.15/scsi-target-fix-selinux-error-when-systemd-modules-l.patch new file mode 100644 index 00000000000..2339c1dc58e --- /dev/null +++ b/queue-5.15/scsi-target-fix-selinux-error-when-systemd-modules-l.patch @@ -0,0 +1,68 @@ +From 37493ebbc72faab3e892038fe36ac5210ab1117c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 15:39:43 +0100 +Subject: scsi: target: Fix SELinux error when systemd-modules loads the target + module + +From: Maurizio Lombardi + +[ Upstream commit 97a54ef596c3fd24ec2b227ba8aaf2cf5415e779 ] + +If the systemd-modules service loads the target module, the credentials of +that userspace process will be used to validate the access to the target db +directory. SELinux will prevent it, reporting an error like the following: + +kernel: audit: type=1400 audit(1676301082.205:4): avc: denied { read } +for pid=1020 comm="systemd-modules" name="target" dev="dm-3" +ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0 +tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0 + +Fix the error by using the kernel credentials to access the db directory + +Signed-off-by: Maurizio Lombardi +Link: https://lore.kernel.org/r/20240215143944.847184-2-mlombard@redhat.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_configfs.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c +index 023bd4516a681..30ce3451bc6b0 100644 +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -3566,6 +3566,8 @@ static int __init target_core_init_configfs(void) + { + struct configfs_subsystem *subsys = &target_core_fabrics; + struct t10_alua_lu_gp *lu_gp; ++ struct cred *kern_cred; ++ const struct cred *old_cred; + int ret; + + pr_debug("TARGET_CORE[0]: Loading Generic Kernel Storage" +@@ -3642,11 +3644,21 @@ static int __init target_core_init_configfs(void) + if (ret < 0) + goto out; + ++ /* We use the kernel credentials to access the target directory */ ++ kern_cred = prepare_kernel_cred(&init_task); ++ if (!kern_cred) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ old_cred = override_creds(kern_cred); + target_init_dbroot(); ++ revert_creds(old_cred); ++ put_cred(kern_cred); + + return 0; + + out: ++ target_xcopy_release_pt(); + configfs_unregister_subsystem(subsys); + core_dev_release_virtual_lun0(); + rd_module_exit(); +-- +2.43.0 + diff --git a/queue-5.15/selftests-timers-fix-valid-adjtimex-signed-left-shif.patch b/queue-5.15/selftests-timers-fix-valid-adjtimex-signed-left-shif.patch new file mode 100644 index 00000000000..6931c256bea --- /dev/null +++ b/queue-5.15/selftests-timers-fix-valid-adjtimex-signed-left-shif.patch @@ -0,0 +1,139 @@ +From 44683e5842d0cadfc779af19d76c854413d2627d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 13:22:12 -0700 +Subject: selftests: timers: Fix valid-adjtimex signed left-shift undefined + behavior + +From: John Stultz + +[ Upstream commit 076361362122a6d8a4c45f172ced5576b2d4a50d ] + +The struct adjtimex freq field takes a signed value who's units are in +shifted (<<16) parts-per-million. + +Unfortunately for negative adjustments, the straightforward use of: + + freq = ppm << 16 trips undefined behavior warnings with clang: + +valid-adjtimex.c:66:6: warning: shifting a negative signed value is undefined [-Wshift-negative-value] + -499<<16, + ~~~~^ +valid-adjtimex.c:67:6: warning: shifting a negative signed value is undefined [-Wshift-negative-value] + -450<<16, + ~~~~^ +.. + +Fix it by using a multiply by (1 << 16) instead of shifting negative values +in the valid-adjtimex test case. Align the values for better readability. + +Reported-by: Lee Jones +Reported-by: Muhammad Usama Anjum +Signed-off-by: John Stultz +Signed-off-by: Thomas Gleixner +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/r/20240409202222.2830476-1-jstultz@google.com +Link: https://lore.kernel.org/lkml/0c6d4f0d-2064-4444-986b-1d1ed782135f@collabora.com/ +Signed-off-by: Sasha Levin +--- + .../testing/selftests/timers/valid-adjtimex.c | 73 +++++++++---------- + 1 file changed, 36 insertions(+), 37 deletions(-) + +diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c +index 48b9a803235a8..d13ebde203221 100644 +--- a/tools/testing/selftests/timers/valid-adjtimex.c ++++ b/tools/testing/selftests/timers/valid-adjtimex.c +@@ -21,9 +21,6 @@ + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ +- +- +- + #include + #include + #include +@@ -62,45 +59,47 @@ int clear_time_state(void) + #define NUM_FREQ_OUTOFRANGE 4 + #define NUM_FREQ_INVALID 2 + ++#define SHIFTED_PPM (1 << 16) ++ + long valid_freq[NUM_FREQ_VALID] = { +- -499<<16, +- -450<<16, +- -400<<16, +- -350<<16, +- -300<<16, +- -250<<16, +- -200<<16, +- -150<<16, +- -100<<16, +- -75<<16, +- -50<<16, +- -25<<16, +- -10<<16, +- -5<<16, +- -1<<16, ++ -499 * SHIFTED_PPM, ++ -450 * SHIFTED_PPM, ++ -400 * SHIFTED_PPM, ++ -350 * SHIFTED_PPM, ++ -300 * SHIFTED_PPM, ++ -250 * SHIFTED_PPM, ++ -200 * SHIFTED_PPM, ++ -150 * SHIFTED_PPM, ++ -100 * SHIFTED_PPM, ++ -75 * SHIFTED_PPM, ++ -50 * SHIFTED_PPM, ++ -25 * SHIFTED_PPM, ++ -10 * SHIFTED_PPM, ++ -5 * SHIFTED_PPM, ++ -1 * SHIFTED_PPM, + -1000, +- 1<<16, +- 5<<16, +- 10<<16, +- 25<<16, +- 50<<16, +- 75<<16, +- 100<<16, +- 150<<16, +- 200<<16, +- 250<<16, +- 300<<16, +- 350<<16, +- 400<<16, +- 450<<16, +- 499<<16, ++ 1 * SHIFTED_PPM, ++ 5 * SHIFTED_PPM, ++ 10 * SHIFTED_PPM, ++ 25 * SHIFTED_PPM, ++ 50 * SHIFTED_PPM, ++ 75 * SHIFTED_PPM, ++ 100 * SHIFTED_PPM, ++ 150 * SHIFTED_PPM, ++ 200 * SHIFTED_PPM, ++ 250 * SHIFTED_PPM, ++ 300 * SHIFTED_PPM, ++ 350 * SHIFTED_PPM, ++ 400 * SHIFTED_PPM, ++ 450 * SHIFTED_PPM, ++ 499 * SHIFTED_PPM, + }; + + long outofrange_freq[NUM_FREQ_OUTOFRANGE] = { +- -1000<<16, +- -550<<16, +- 550<<16, +- 1000<<16, ++ -1000 * SHIFTED_PPM, ++ -550 * SHIFTED_PPM, ++ 550 * SHIFTED_PPM, ++ 1000 * SHIFTED_PPM, + }; + + #define LONG_MAX (~0UL>>1) +-- +2.43.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 30ad33c743c..f84db724fd4 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -64,3 +64,44 @@ net-gro-add-flush-check-in-udp_gro_receive_segment.patch clk-sunxi-ng-h6-reparent-cpux-during-pll-cpux-rate-c.patch kvm-arm64-vgic-v2-use-cpuid-from-userspace-as-vcpu_i.patch kvm-arm64-vgic-v2-check-for-non-null-vcpu-in-vgic_v2.patch +scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch +scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch +scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch +gfs2-fix-invalid-metadata-access-in-punch_hole.patch +wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch +wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch +net-mark-racy-access-on-sk-sk_rcvbuf.patch +scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch +btrfs-return-accurate-error-code-on-open-failure-in-.patch +kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch +alsa-line6-zero-initialize-message-buffers.patch +net-bcmgenet-reset-rbuf-on-first-open.patch +ata-sata_gemini-check-clk_enable-result.patch +firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch +tools-power-turbostat-fix-added-raw-msr-output.patch +tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch +btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch +btrfs-always-clear-pertrans-metadata-during-commit.patch +scsi-target-fix-selinux-error-when-systemd-modules-l.patch +blk-iocost-avoid-out-of-bounds-shift.patch +gpu-host1x-do-not-setup-dma-for-virtual-devices.patch +mips-scall-save-thread_info.syscall-unconditionally-.patch +selftests-timers-fix-valid-adjtimex-signed-left-shif.patch +iommu-mtk-fix-module-autoloading.patch +fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch +fs-9p-translate-o_trunc-into-otrunc.patch +9p-explicitly-deny-setlease-attempts.patch +gpio-wcove-use-enotsupp-consistently.patch +gpio-crystalcove-use-enotsupp-consistently.patch +clk-don-t-hold-prepare_lock-when-calling-kref_put.patch +fs-9p-drop-inodes-immediately-on-non-.l-too.patch +drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch +net-usb-qmi_wwan-support-rolling-modules.patch +tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch +bpf-sockmap-tcp-data-stall-on-recv-before-accept.patch +bpf-sockmap-handle-fin-correctly.patch +bpf-sockmap-convert-schedule_work-into-delayed_work.patch +bpf-sockmap-reschedule-is-now-done-through-backlog.patch +bpf-sockmap-improved-check-for-empty-queue.patch +asoc-meson-axg-card-fix-nonatomic-links.patch +asoc-meson-axg-tdm-interface-fix-formatters-in-trigg.patch diff --git a/queue-5.15/tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch b/queue-5.15/tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch new file mode 100644 index 00000000000..68375c58694 --- /dev/null +++ b/queue-5.15/tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch @@ -0,0 +1,47 @@ +From 4920db06394f041b049e3d13016d15577051471d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 12:54:42 -0700 +Subject: tcp: fix sock skb accounting in tcp_read_skb() + +From: Cong Wang + +[ Upstream commit e9c6e79760265f019cde39d3f2c443dfbc1395b0 ] + +Before commit 965b57b469a5 ("net: Introduce a new proto_ops +->read_skb()"), skb was not dequeued from receive queue hence +when we close TCP socket skb can be just flushed synchronously. + +After this commit, we have to uncharge skb immediately after being +dequeued, otherwise it is still charged in the original sock. And we +still need to retain skb->sk, as eBPF programs may extract sock +information from skb->sk. Therefore, we have to call +skb_set_owner_sk_safe() here. + +Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()") +Reported-and-tested-by: syzbot+a0e6f8738b58f7654417@syzkaller.appspotmail.com +Tested-by: Stanislav Fomichev +Cc: Eric Dumazet +Cc: John Fastabend +Cc: Jakub Sitnicki +Signed-off-by: Cong Wang +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 3fd4de1961a62..c826db961fc08 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1720,6 +1720,7 @@ int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor) + int used; + + __skb_unlink(skb, &sk->sk_receive_queue); ++ WARN_ON(!skb_set_owner_sk_safe(skb, sk)); + used = recv_actor(sk, skb); + if (used <= 0) { + if (!copied) +-- +2.43.0 + diff --git a/queue-5.15/tools-power-turbostat-fix-added-raw-msr-output.patch b/queue-5.15/tools-power-turbostat-fix-added-raw-msr-output.patch new file mode 100644 index 00000000000..9be234c70d1 --- /dev/null +++ b/queue-5.15/tools-power-turbostat-fix-added-raw-msr-output.patch @@ -0,0 +1,87 @@ +From fce2e71d945f071ea968e2b69294961565c9ca6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:11:38 -0700 +Subject: tools/power turbostat: Fix added raw MSR output + +From: Doug Smythies + +[ Upstream commit e5f4e68eed85fa8495d78cd966eecc2b27bb9e53 ] + +When using --Summary mode, added MSRs in raw mode always +print zeros. Print the actual register contents. + +Example, with patch: + +note the added column: +--add msr0x64f,u32,package,raw,REASON + +Where: + +0x64F is MSR_CORE_PERF_LIMIT_REASONS + +Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON +0.00 4800 35 1.42 0.76 0x00000000 +0.00 4801 34 1.42 0.76 0x00000000 +80.08 4531 66 108.17 107.52 0x08000000 +98.69 4530 66 133.21 132.54 0x08000000 +99.28 4505 66 128.26 127.60 0x0c000400 +99.65 4486 68 124.91 124.25 0x0c000400 +99.63 4483 68 124.90 124.25 0x0c000400 +79.34 4481 41 99.80 99.13 0x0c000000 +0.00 4801 41 1.40 0.73 0x0c000000 + +Where, for the test processor (i5-10600K): + +PKG Limit #1: 125.000 Watts, 8.000000 sec +MSR bit 26 = log; bit 10 = status + +PKG Limit #2: 136.000 Watts, 0.002441 sec +MSR bit 27 = log; bit 11 = status + +Example, without patch: + +Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON +0.01 4800 35 1.43 0.77 0x00000000 +0.00 4801 35 1.39 0.73 0x00000000 +83.49 4531 66 112.71 112.06 0x00000000 +98.69 4530 68 133.35 132.69 0x00000000 +99.31 4500 67 127.96 127.30 0x00000000 +99.63 4483 69 124.91 124.25 0x00000000 +99.61 4481 69 124.90 124.25 0x00000000 +99.61 4481 71 124.92 124.25 0x00000000 +59.35 4479 42 75.03 74.37 0x00000000 +0.00 4800 42 1.39 0.73 0x00000000 +0.00 4801 42 1.42 0.76 0x00000000 + +c000000 + +[lenb: simplified patch to apply only to package scope] + +Signed-off-by: Doug Smythies +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 65ada8065cfc2..0822e7dc0fd8b 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -1761,9 +1761,10 @@ int sum_counters(struct thread_data *t, struct core_data *c, struct pkg_data *p) + average.packages.rapl_dram_perf_status += p->rapl_dram_perf_status; + + for (i = 0, mp = sys.pp; mp; i++, mp = mp->next) { +- if (mp->format == FORMAT_RAW) +- continue; +- average.packages.counter[i] += p->counter[i]; ++ if ((mp->format == FORMAT_RAW) && (topo.num_packages == 0)) ++ average.packages.counter[i] = p->counter[i]; ++ else ++ average.packages.counter[i] += p->counter[i]; + } + return 0; + } +-- +2.43.0 + diff --git a/queue-5.15/tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch b/queue-5.15/tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch new file mode 100644 index 00000000000..d19ca28dc07 --- /dev/null +++ b/queue-5.15/tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch @@ -0,0 +1,35 @@ +From 76b457f00efa0f3f18279721736d5f5767379cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 13:46:22 +0800 +Subject: tools/power turbostat: Fix Bzy_MHz documentation typo + +From: Peng Liu + +[ Upstream commit 0b13410b52c4636aacb6964a4253a797c0fa0d16 ] + +The code calculates Bzy_MHz by multiplying TSC_delta * APERF_delta/MPERF_delta +The man page erroneously showed that TSC_delta was divided. + +Signed-off-by: Peng Liu +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.8 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8 +index b3d4bf08e70b1..f382cd53cb4e8 100644 +--- a/tools/power/x86/turbostat/turbostat.8 ++++ b/tools/power/x86/turbostat/turbostat.8 +@@ -322,7 +322,7 @@ below the processor's base frequency. + + Busy% = MPERF_delta/TSC_delta + +-Bzy_MHz = TSC_delta/APERF_delta/MPERF_delta/measurement_interval ++Bzy_MHz = TSC_delta*APERF_delta/MPERF_delta/measurement_interval + + Note that these calculations depend on TSC_delta, so they + are not reliable during intervals when TSC_MHz is not running at the base frequency. +-- +2.43.0 + diff --git a/queue-5.15/wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch b/queue-5.15/wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch new file mode 100644 index 00000000000..29e0c3791e6 --- /dev/null +++ b/queue-5.15/wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch @@ -0,0 +1,38 @@ +From d33575ab3fdc8fe9c6d3f2993b17d93ff8a03372 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 19:45:19 +0300 +Subject: wifi: cfg80211: fix rdev_dump_mpp() arguments order + +From: Igor Artemiev + +[ Upstream commit ec50f3114e55406a1aad24b7dfaa1c3f4336d8eb ] + +Fix the order of arguments in the TP_ARGS macro +for the rdev_dump_mpp tracepoint event. + +Found by Linux Verification Center (linuxtesting.org). + +Signed-off-by: Igor Artemiev +Link: https://msgid.link/20240311164519.118398-1-Igor.A.Artemiev@mcst.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/trace.h b/net/wireless/trace.h +index 19b78d4722834..dafea8bfcf3cb 100644 +--- a/net/wireless/trace.h ++++ b/net/wireless/trace.h +@@ -963,7 +963,7 @@ TRACE_EVENT(rdev_get_mpp, + TRACE_EVENT(rdev_dump_mpp, + TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int _idx, + u8 *dst, u8 *mpp), +- TP_ARGS(wiphy, netdev, _idx, mpp, dst), ++ TP_ARGS(wiphy, netdev, _idx, dst, mpp), + TP_STRUCT__entry( + WIPHY_ENTRY + NETDEV_ENTRY +-- +2.43.0 + diff --git a/queue-5.15/wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch b/queue-5.15/wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch new file mode 100644 index 00000000000..c4f3f0c51aa --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch @@ -0,0 +1,49 @@ +From 400c3a868b70da55fc0066b52e5a89c7de6552b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 14:23:00 -0700 +Subject: wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc + +From: Jeff Johnson + +[ Upstream commit 774f8841f55d7ac4044c79812691649da203584a ] + +Running kernel-doc on ieee80211_i.h flagged the following: +net/mac80211/ieee80211_i.h:145: warning: expecting prototype for enum ieee80211_corrupt_data_flags. Prototype was for enum ieee80211_bss_corrupt_data_flags instead +net/mac80211/ieee80211_i.h:162: warning: expecting prototype for enum ieee80211_valid_data_flags. Prototype was for enum ieee80211_bss_valid_data_flags instead + +Fix these warnings. + +Signed-off-by: Jeff Johnson +Reviewed-by: Simon Horman +Link: https://msgid.link/20240314-kdoc-ieee80211_i-v1-1-72b91b55b257@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 21549a440b38c..03f8c8bdab765 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -113,7 +113,7 @@ struct ieee80211_bss { + }; + + /** +- * enum ieee80211_corrupt_data_flags - BSS data corruption flags ++ * enum ieee80211_bss_corrupt_data_flags - BSS data corruption flags + * @IEEE80211_BSS_CORRUPT_BEACON: last beacon frame received was corrupted + * @IEEE80211_BSS_CORRUPT_PROBE_RESP: last probe response received was corrupted + * +@@ -126,7 +126,7 @@ enum ieee80211_bss_corrupt_data_flags { + }; + + /** +- * enum ieee80211_valid_data_flags - BSS valid data flags ++ * enum ieee80211_bss_valid_data_flags - BSS valid data flags + * @IEEE80211_BSS_VALID_WMM: WMM/UAPSD data was gathered from non-corrupt IE + * @IEEE80211_BSS_VALID_RATES: Supported rates were gathered from non-corrupt IE + * @IEEE80211_BSS_VALID_ERP: ERP flag was gathered from non-corrupt IE +-- +2.43.0 +