From: Sasha Levin Date: Tue, 10 Dec 2024 02:42:06 +0000 (-0500) Subject: Fixes for 6.12 X-Git-Tag: v6.6.65~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7dd5afa74934ef0312ee5558c8b209963c147c6f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.12 Signed-off-by: Sasha Levin --- diff --git a/queue-6.12/alsa-seq-ump-fix-seq-port-updates-per-fb-info-notify.patch b/queue-6.12/alsa-seq-ump-fix-seq-port-updates-per-fb-info-notify.patch new file mode 100644 index 00000000000..4e5a203b50b --- /dev/null +++ b/queue-6.12/alsa-seq-ump-fix-seq-port-updates-per-fb-info-notify.patch @@ -0,0 +1,61 @@ +From fda4e6bf7cb0435fef15f05b2c549720997d01eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 18:04:22 +0100 +Subject: ALSA: seq: ump: Fix seq port updates per FB info notify + +From: Takashi Iwai + +[ Upstream commit aaa55faa2495320e44bc643a917c701f2cc89ee7 ] + +update_port_infos() is called when a UMP FB Info update notification +is received, and this function is supposed to update the attributes of +the corresponding sequencer port. However, the function had a few +issues and it brought to the incorrect states. Namely: + +- It tried to get a wrong sequencer info for the update without + correcting the port number with the group-offset 1 +- The loop exited immediately when a sequencer port isn't present; + this ended up with the truncation if a sequencer port in the middle + goes away + +This patch addresses those bugs. + +Fixes: 4a16a3af0571 ("ALSA: seq: ump: Handle FB info update") +Link: https://patch.msgid.link/20241128170423.23351-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_ump_client.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/core/seq/seq_ump_client.c b/sound/core/seq/seq_ump_client.c +index e5d3f4d206bf6..e956f17f37928 100644 +--- a/sound/core/seq/seq_ump_client.c ++++ b/sound/core/seq/seq_ump_client.c +@@ -257,12 +257,12 @@ static void update_port_infos(struct seq_ump_client *client) + continue; + + old->addr.client = client->seq_client; +- old->addr.port = i; ++ old->addr.port = ump_group_to_seq_port(i); + err = snd_seq_kernel_client_ctl(client->seq_client, + SNDRV_SEQ_IOCTL_GET_PORT_INFO, + old); + if (err < 0) +- return; ++ continue; + fill_port_info(new, client, &client->ump->groups[i]); + if (old->capability == new->capability && + !strcmp(old->name, new->name)) +@@ -271,7 +271,7 @@ static void update_port_infos(struct seq_ump_client *client) + SNDRV_SEQ_IOCTL_SET_PORT_INFO, + new); + if (err < 0) +- return; ++ continue; + /* notify to system port */ + snd_seq_system_client_ev_port_change(client->seq_client, i); + } +-- +2.43.0 + diff --git a/queue-6.12/alsa-usb-audio-notify-xrun-for-low-latency-mode.patch b/queue-6.12/alsa-usb-audio-notify-xrun-for-low-latency-mode.patch new file mode 100644 index 00000000000..4b429f4ec92 --- /dev/null +++ b/queue-6.12/alsa-usb-audio-notify-xrun-for-low-latency-mode.patch @@ -0,0 +1,78 @@ +From 671ff4f7a5722c2f949be9b0cd54de921c3966ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 09:04:16 +0100 +Subject: ALSA: usb-audio: Notify xrun for low-latency mode + +From: Takashi Iwai + +[ Upstream commit 4f9d674377d090e38d93360bd4df21b67534d622 ] + +The low-latency mode of USB-audio driver uses a similar approach like +the implicit feedback mode but it has an explicit queuing at the +trigger start time. The difference is, however, that no packet will +be handled any longer after all queued packets are handled but no +enough data is fed. In the case of implicit feedback mode, the +capture-side packet handling triggers the re-queuing, and this checks +the XRUN. OTOH, in the low-latency mode, it just stops without XRUN +notification unless any new action is taken from user-space via ack +callback. For example, when you stop the stream in aplay, no XRUN is +reported. + +This patch adds the XRUN check at the packet complete callback in the +case all pending URBs are exhausted. Strictly speaking, this state +doesn't match really with XRUN; in theory the application may queue +immediately after this happens. But such behavior is only for +1-period configuration, which the USB-audio driver doesn't support. +So we may conclude that this situation leads certainly to XRUN. + +A caveat is that the XRUN should be triggered only for the PCM RUNNING +state, and not during DRAINING. This additional state check is put in +notify_xrun(), too. + +Fixes: d5f871f89e21 ("ALSA: usb-audio: Improved lowlatency playback support") +Reported-by: Leonard Crestez +Link: https://lore.kernel.org/25d5b0d8-4efd-4630-9d33-7a9e3fa9dc2b@gmail.com +Link: https://patch.msgid.link/20241128080446.1181-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/endpoint.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 568099467dbbc..a29f28eb7d0c6 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -403,10 +403,15 @@ static int prepare_inbound_urb(struct snd_usb_endpoint *ep, + static void notify_xrun(struct snd_usb_endpoint *ep) + { + struct snd_usb_substream *data_subs; ++ struct snd_pcm_substream *psubs; + + data_subs = READ_ONCE(ep->data_subs); +- if (data_subs && data_subs->pcm_substream) +- snd_pcm_stop_xrun(data_subs->pcm_substream); ++ if (!data_subs) ++ return; ++ psubs = data_subs->pcm_substream; ++ if (psubs && psubs->runtime && ++ psubs->runtime->state == SNDRV_PCM_STATE_RUNNING) ++ snd_pcm_stop_xrun(psubs); + } + + static struct snd_usb_packet_info * +@@ -562,7 +567,10 @@ static void snd_complete_urb(struct urb *urb) + push_back_to_ready_list(ep, ctx); + clear_bit(ctx->index, &ep->active_mask); + snd_usb_queue_pending_output_urbs(ep, false); +- atomic_dec(&ep->submitted_urbs); /* decrement at last */ ++ /* decrement at last, and check xrun */ ++ if (atomic_dec_and_test(&ep->submitted_urbs) && ++ !snd_usb_endpoint_implicit_feedback_sink(ep)) ++ notify_xrun(ep); + return; + } + +-- +2.43.0 + diff --git a/queue-6.12/asoc-mediatek-mt8188-mt6359-remove-hardcoded-dmic-co.patch b/queue-6.12/asoc-mediatek-mt8188-mt6359-remove-hardcoded-dmic-co.patch new file mode 100644 index 00000000000..2346095ca4f --- /dev/null +++ b/queue-6.12/asoc-mediatek-mt8188-mt6359-remove-hardcoded-dmic-co.patch @@ -0,0 +1,49 @@ +From 0b6150e370a2aa56cc5b8a5c8737d09dde9bdf35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 16:20:58 -0300 +Subject: ASoC: mediatek: mt8188-mt6359: Remove hardcoded dmic codec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit ec16a3cdf37e507013062f9c4a2067eacdd12b62 ] + +Remove hardcoded dmic codec from the UL_SRC dai link to avoid requiring +a dmic codec to be present for the driver to probe, as not every +MT8188-based platform might need a dmic codec. The codec can be assigned +to the dai link through the dai-link property in Devicetree on the +platforms where it is needed. + +No Devicetree currently relies on it so it is safe to remove without +worrying about backward compatibility. + +Fixes: 9f08dcbddeb3 ("ASoC: mediatek: mt8188-mt6359: support new board with nau88255") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patch.msgid.link/20241203-mt8188-6359-unhardcode-dmic-v1-1-346e3e5cbe6d@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8188/mt8188-mt6359.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/mediatek/mt8188/mt8188-mt6359.c b/sound/soc/mediatek/mt8188/mt8188-mt6359.c +index 4eed90d13a532..62429e8e57b55 100644 +--- a/sound/soc/mediatek/mt8188/mt8188-mt6359.c ++++ b/sound/soc/mediatek/mt8188/mt8188-mt6359.c +@@ -188,9 +188,7 @@ SND_SOC_DAILINK_DEFS(pcm1, + SND_SOC_DAILINK_DEFS(ul_src, + DAILINK_COMP_ARRAY(COMP_CPU("UL_SRC")), + DAILINK_COMP_ARRAY(COMP_CODEC("mt6359-sound", +- "mt6359-snd-codec-aif1"), +- COMP_CODEC("dmic-codec", +- "dmic-hifi")), ++ "mt6359-snd-codec-aif1")), + DAILINK_COMP_ARRAY(COMP_EMPTY())); + + SND_SOC_DAILINK_DEFS(AFE_SOF_DL2, +-- +2.43.0 + diff --git a/queue-6.12/asoc-sof-ipc3-topology-convert-the-topology-pin-inde.patch b/queue-6.12/asoc-sof-ipc3-topology-convert-the-topology-pin-inde.patch new file mode 100644 index 00000000000..efcf663ef09 --- /dev/null +++ b/queue-6.12/asoc-sof-ipc3-topology-convert-the-topology-pin-inde.patch @@ -0,0 +1,90 @@ +From 98e5b221027a5082d9b513b69bbd76dc0202ecd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 17:29:54 +0800 +Subject: ASoC: SOF: ipc3-topology: Convert the topology pin index to ALH dai + index +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bard Liao + +[ Upstream commit e9db1b551774037ebe39dde4a658d89ba95e260b ] + +Intel SoundWire machine driver always uses Pin number 2 and above. +Currently, the pin number is used as the FW DAI index directly. As a +result, FW DAI 0 and 1 are never used. That worked fine because we use +up to 2 DAIs in a SDW link. Convert the topology pin index to ALH dai +index, the mapping is using 2-off indexing, iow, pin #2 is ALH dai #0. + +The issue exists since beginning. And the Fixes tag is the first commit +that this commit can be applied. + +Fixes: b66bfc3a9810 ("ASoC: SOF: sof-audio: Fix broken early bclk feature for SSP") +Signed-off-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Reviewed-by: Liam Girdwood +Reviewed-by: Kai Vehmanen +Reviewed-by: Ranjani Sridharan +Link: https://patch.msgid.link/20241127092955.20026-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 6d544ea21d36 ("ASoC: SOF: ipc3-topology: fix resource leaks in sof_ipc3_widget_setup_comp_dai()") +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc3-topology.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c +index be61e377e59e0..c2fce554a674b 100644 +--- a/sound/soc/sof/ipc3-topology.c ++++ b/sound/soc/sof/ipc3-topology.c +@@ -20,6 +20,9 @@ + /* size of tplg ABI in bytes */ + #define SOF_IPC3_TPLG_ABI_SIZE 3 + ++/* Base of SOF_DAI_INTEL_ALH, this should be aligned with SOC_SDW_INTEL_BIDIR_PDI_BASE */ ++#define INTEL_ALH_DAI_INDEX_BASE 2 ++ + struct sof_widget_data { + int ctrl_type; + int ipc_cmd; +@@ -1594,6 +1597,17 @@ static int sof_ipc3_widget_setup_comp_dai(struct snd_sof_widget *swidget) + if (ret < 0) + goto free; + ++ /* Subtract the base to match the FW dai index. */ ++ if (comp_dai->type == SOF_DAI_INTEL_ALH) { ++ if (comp_dai->dai_index < INTEL_ALH_DAI_INDEX_BASE) { ++ dev_err(sdev->dev, ++ "Invalid ALH dai index %d, only Pin numbers >= %d can be used\n", ++ comp_dai->dai_index, INTEL_ALH_DAI_INDEX_BASE); ++ return -EINVAL; ++ } ++ comp_dai->dai_index -= INTEL_ALH_DAI_INDEX_BASE; ++ } ++ + dev_dbg(scomp->dev, "dai %s: type %d index %d\n", + swidget->widget->name, comp_dai->type, comp_dai->dai_index); + sof_dbg_comp_config(scomp, &comp_dai->config); +@@ -2167,8 +2181,16 @@ static int sof_ipc3_dai_config(struct snd_sof_dev *sdev, struct snd_sof_widget * + case SOF_DAI_INTEL_ALH: + if (data) { + /* save the dai_index during hw_params and reuse it for hw_free */ +- if (flags & SOF_DAI_CONFIG_FLAGS_HW_PARAMS) +- config->dai_index = data->dai_index; ++ if (flags & SOF_DAI_CONFIG_FLAGS_HW_PARAMS) { ++ /* Subtract the base to match the FW dai index. */ ++ if (data->dai_index < INTEL_ALH_DAI_INDEX_BASE) { ++ dev_err(sdev->dev, ++ "Invalid ALH dai index %d, only Pin numbers >= %d can be used\n", ++ config->dai_index, INTEL_ALH_DAI_INDEX_BASE); ++ return -EINVAL; ++ } ++ config->dai_index = data->dai_index - INTEL_ALH_DAI_INDEX_BASE; ++ } + config->alh.stream_id = data->dai_data; + } + break; +-- +2.43.0 + diff --git a/queue-6.12/asoc-sof-ipc3-topology-fix-resource-leaks-in-sof_ipc.patch b/queue-6.12/asoc-sof-ipc3-topology-fix-resource-leaks-in-sof_ipc.patch new file mode 100644 index 00000000000..5777263192f --- /dev/null +++ b/queue-6.12/asoc-sof-ipc3-topology-fix-resource-leaks-in-sof_ipc.patch @@ -0,0 +1,55 @@ +From 3a26f6481c2113eab5892556388207427983ceeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2024 13:09:06 +0300 +Subject: ASoC: SOF: ipc3-topology: fix resource leaks in + sof_ipc3_widget_setup_comp_dai() + +From: Dan Carpenter + +[ Upstream commit 6d544ea21d367cbd9746ae882e67a839391a6594 ] + +These error paths should free comp_dai before returning. + +Fixes: 909dadf21aae ("ASoC: SOF: topology: Make DAI widget parsing IPC agnostic") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/67d185cf-d139-4f8c-970a-dbf0542246a8@stanley.mountain +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc3-topology.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c +index c2fce554a674b..e98b53b67d12b 100644 +--- a/sound/soc/sof/ipc3-topology.c ++++ b/sound/soc/sof/ipc3-topology.c +@@ -1588,14 +1588,14 @@ static int sof_ipc3_widget_setup_comp_dai(struct snd_sof_widget *swidget) + ret = sof_update_ipc_object(scomp, comp_dai, SOF_DAI_TOKENS, swidget->tuples, + swidget->num_tuples, sizeof(*comp_dai), 1); + if (ret < 0) +- goto free; ++ goto free_comp; + + /* update comp_tokens */ + ret = sof_update_ipc_object(scomp, &comp_dai->config, SOF_COMP_TOKENS, + swidget->tuples, swidget->num_tuples, + sizeof(comp_dai->config), 1); + if (ret < 0) +- goto free; ++ goto free_comp; + + /* Subtract the base to match the FW dai index. */ + if (comp_dai->type == SOF_DAI_INTEL_ALH) { +@@ -1603,7 +1603,8 @@ static int sof_ipc3_widget_setup_comp_dai(struct snd_sof_widget *swidget) + dev_err(sdev->dev, + "Invalid ALH dai index %d, only Pin numbers >= %d can be used\n", + comp_dai->dai_index, INTEL_ALH_DAI_INDEX_BASE); +- return -EINVAL; ++ ret = -EINVAL; ++ goto free_comp; + } + comp_dai->dai_index -= INTEL_ALH_DAI_INDEX_BASE; + } +-- +2.43.0 + diff --git a/queue-6.12/bpf-don-t-mark-stack_invalid-as-stack_misc-in-mark_s.patch b/queue-6.12/bpf-don-t-mark-stack_invalid-as-stack_misc-in-mark_s.patch new file mode 100644 index 00000000000..7c5b9404f79 --- /dev/null +++ b/queue-6.12/bpf-don-t-mark-stack_invalid-as-stack_misc-in-mark_s.patch @@ -0,0 +1,59 @@ +From 3414a25eb060a525af721a6389b42ebd51d567df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 20:47:53 -0800 +Subject: bpf: Don't mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit 69772f509e084ec6bca12dbcdeeeff41b0103774 ] + +Inside mark_stack_slot_misc, we should not upgrade STACK_INVALID to +STACK_MISC when allow_ptr_leaks is false, since invalid contents +shouldn't be read unless the program has the relevant capabilities. +The relaxation only makes sense when env->allow_ptr_leaks is true. + +However, such conversion in privileged mode becomes unnecessary, as +invalid slots can be read without being upgraded to STACK_MISC. + +Currently, the condition is inverted (i.e. checking for true instead of +false), simply remove it to restore correct behavior. + +Fixes: eaf18febd6eb ("bpf: preserve STACK_ZERO slots on partial reg spills") +Acked-by: Andrii Nakryiko +Reported-by: Tao Lyu +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20241204044757.1483141-2-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 8955259112c03..cdf8ce1e2cc4f 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1200,14 +1200,17 @@ static bool is_spilled_scalar_reg64(const struct bpf_stack_state *stack) + /* Mark stack slot as STACK_MISC, unless it is already STACK_INVALID, in which + * case they are equivalent, or it's STACK_ZERO, in which case we preserve + * more precise STACK_ZERO. +- * Note, in uprivileged mode leaving STACK_INVALID is wrong, so we take +- * env->allow_ptr_leaks into account and force STACK_MISC, if necessary. ++ * Regardless of allow_ptr_leaks setting (i.e., privileged or unprivileged ++ * mode), we won't promote STACK_INVALID to STACK_MISC. In privileged case it is ++ * unnecessary as both are considered equivalent when loading data and pruning, ++ * in case of unprivileged mode it will be incorrect to allow reads of invalid ++ * slots. + */ + static void mark_stack_slot_misc(struct bpf_verifier_env *env, u8 *stype) + { + if (*stype == STACK_ZERO) + return; +- if (env->allow_ptr_leaks && *stype == STACK_INVALID) ++ if (*stype == STACK_INVALID) + return; + *stype = STACK_MISC; + } +-- +2.43.0 + diff --git a/queue-6.12/bpf-ensure-reg-is-ptr_to_stack-in-process_iter_arg.patch b/queue-6.12/bpf-ensure-reg-is-ptr_to_stack-in-process_iter_arg.patch new file mode 100644 index 00000000000..73ddc81196d --- /dev/null +++ b/queue-6.12/bpf-ensure-reg-is-ptr_to_stack-in-process_iter_arg.patch @@ -0,0 +1,69 @@ +From 4dd9d039bb37841504d563d41d8213df3a26a44d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 16:02:37 -0800 +Subject: bpf: Ensure reg is PTR_TO_STACK in process_iter_arg + +From: Tao Lyu + +[ Upstream commit 12659d28615d606b36e382f4de2dd05550d202af ] + +Currently, KF_ARG_PTR_TO_ITER handling missed checking the reg->type and +ensuring it is PTR_TO_STACK. Instead of enforcing this in the caller of +process_iter_arg, move the check into it instead so that all callers +will gain the check by default. This is similar to process_dynptr_func. + +An existing selftest in verifier_bits_iter.c fails due to this change, +but it's because it was passing a NULL pointer into iter_next helper and +getting an error further down the checks, but probably meant to pass an +uninitialized iterator on the stack (as is done in the subsequent test +below it). We will gain coverage for non-PTR_TO_STACK arguments in later +patches hence just change the declaration to zero-ed stack object. + +Fixes: 06accc8779c1 ("bpf: add support for open-coded iterator loops") +Suggested-by: Andrii Nakryiko +Signed-off-by: Tao Lyu +[ Kartikeya: move check into process_iter_arg, rewrite commit log ] +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20241203000238.3602922-2-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 5 +++++ + tools/testing/selftests/bpf/progs/verifier_bits_iter.c | 4 ++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 91317857ea3ee..8955259112c03 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -8021,6 +8021,11 @@ static int process_iter_arg(struct bpf_verifier_env *env, int regno, int insn_id + const struct btf_type *t; + int spi, err, i, nr_slots, btf_id; + ++ if (reg->type != PTR_TO_STACK) { ++ verbose(env, "arg#%d expected pointer to an iterator on stack\n", regno - 1); ++ return -EINVAL; ++ } ++ + /* For iter_{new,next,destroy} functions, btf_check_iter_kfuncs() + * ensures struct convention, so we wouldn't need to do any BTF + * validation here. But given iter state can be passed as a parameter +diff --git a/tools/testing/selftests/bpf/progs/verifier_bits_iter.c b/tools/testing/selftests/bpf/progs/verifier_bits_iter.c +index 7c881bca9af5c..a7a6ae6c162fe 100644 +--- a/tools/testing/selftests/bpf/progs/verifier_bits_iter.c ++++ b/tools/testing/selftests/bpf/progs/verifier_bits_iter.c +@@ -35,9 +35,9 @@ __description("uninitialized iter in ->next()") + __failure __msg("expected an initialized iter_bits as arg #1") + int BPF_PROG(next_uninit, struct bpf_iter_meta *meta, struct cgroup *cgrp) + { +- struct bpf_iter_bits *it = NULL; ++ struct bpf_iter_bits it = {}; + +- bpf_iter_bits_next(it); ++ bpf_iter_bits_next(&it); + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.12/bpf-fix-exact-match-conditions-in-trie_get_next_key.patch b/queue-6.12/bpf-fix-exact-match-conditions-in-trie_get_next_key.patch new file mode 100644 index 00000000000..ce3721cd3c1 --- /dev/null +++ b/queue-6.12/bpf-fix-exact-match-conditions-in-trie_get_next_key.patch @@ -0,0 +1,60 @@ +From 17696538e518267c043c84811fe0d571230cc290 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:18 +0800 +Subject: bpf: Fix exact match conditions in trie_get_next_key() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit 27abc7b3fa2e09bbe41e2924d328121546865eda ] + +trie_get_next_key() uses node->prefixlen == key->prefixlen to identify +an exact match, However, it is incorrect because when the target key +doesn't fully match the found node (e.g., node->prefixlen != matchlen), +these two nodes may also have the same prefixlen. It will return +expected result when the passed key exist in the trie. However when a +recently-deleted key or nonexistent key is passed to +trie_get_next_key(), it may skip keys and return incorrect result. + +Fix it by using node->prefixlen == matchlen to identify exact matches. +When the condition is true after the search, it also implies +node->prefixlen equals key->prefixlen, otherwise, the search would +return NULL instead. + +Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map") +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-6-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index fcc5cd358d7f9..010e91ac978e6 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -646,7 +646,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key) + struct lpm_trie_node **node_stack = NULL; + int err = 0, stack_ptr = -1; + unsigned int next_bit; +- size_t matchlen; ++ size_t matchlen = 0; + + /* The get_next_key follows postorder. For the 4 node example in + * the top of this file, the trie_get_next_key() returns the following +@@ -685,7 +685,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key) + next_bit = extract_bit(key->data, node->prefixlen); + node = rcu_dereference(node->child[next_bit]); + } +- if (!node || node->prefixlen != key->prefixlen || ++ if (!node || node->prefixlen != matchlen || + (node->flags & LPM_TREE_NODE_FLAG_IM)) + goto find_leftmost; + +-- +2.43.0 + diff --git a/queue-6.12/bpf-fix-narrow-scalar-spill-onto-64-bit-spilled-scal.patch b/queue-6.12/bpf-fix-narrow-scalar-spill-onto-64-bit-spilled-scal.patch new file mode 100644 index 00000000000..a8ead221ce1 --- /dev/null +++ b/queue-6.12/bpf-fix-narrow-scalar-spill-onto-64-bit-spilled-scal.patch @@ -0,0 +1,61 @@ +From c3f5e2a56482fd7c01bbc564b823594c3c28cfa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 20:47:54 -0800 +Subject: bpf: Fix narrow scalar spill onto 64-bit spilled scalar slots + +From: Tao Lyu + +[ Upstream commit b0e66977dc072906bb76555fb1a64261d7f63d0f ] + +When CAP_PERFMON and CAP_SYS_ADMIN (allow_ptr_leaks) are disabled, the +verifier aims to reject partial overwrite on an 8-byte stack slot that +contains a spilled pointer. + +However, in such a scenario, it rejects all partial stack overwrites as +long as the targeted stack slot is a spilled register, because it does +not check if the stack slot is a spilled pointer. + +Incomplete checks will result in the rejection of valid programs, which +spill narrower scalar values onto scalar slots, as shown below. + +0: R1=ctx() R10=fp0 +; asm volatile ( @ repro.bpf.c:679 +0: (7a) *(u64 *)(r10 -8) = 1 ; R10=fp0 fp-8_w=1 +1: (62) *(u32 *)(r10 -8) = 1 +attempt to corrupt spilled pointer on stack +processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0. + +Fix this by expanding the check to not consider spilled scalar registers +when rejecting the write into the stack. + +Previous discussion on this patch is at link [0]. + + [0]: https://lore.kernel.org/bpf/20240403202409.2615469-1-tao.lyu@epfl.ch + +Fixes: ab125ed3ec1c ("bpf: fix check for attempt to corrupt spilled pointer") +Acked-by: Eduard Zingerman +Acked-by: Andrii Nakryiko +Signed-off-by: Tao Lyu +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20241204044757.1483141-3-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index cdf8ce1e2cc4f..b2008076df9c2 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4649,6 +4649,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + */ + if (!env->allow_ptr_leaks && + is_spilled_reg(&state->stack[spi]) && ++ !is_spilled_scalar_reg(&state->stack[spi]) && + size != BPF_REG_SIZE) { + verbose(env, "attempt to corrupt spilled pointer on stack\n"); + return -EACCES; +-- +2.43.0 + diff --git a/queue-6.12/bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch b/queue-6.12/bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch new file mode 100644 index 00000000000..fbadcbcb3ba --- /dev/null +++ b/queue-6.12/bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch @@ -0,0 +1,80 @@ +From 8b53171bf1b8083f61eb82257a0cf19e5e5c1a06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:16 +0800 +Subject: bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit eae6a075e9537dd69891cf77ca5a88fa8a28b4a1 ] + +Add the currently missing handling for the BPF_EXIST and BPF_NOEXIST +flags. These flags can be specified by users and are relevant since LPM +trie supports exact matches during update. + +Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Daniel Borkmann +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-4-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index 9b60eda0f727b..a82cf3693778a 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -376,6 +376,10 @@ static long trie_update_elem(struct bpf_map *map, + * simply assign the @new_node to that slot and be done. + */ + if (!node) { ++ if (flags == BPF_EXIST) { ++ ret = -ENOENT; ++ goto out; ++ } + rcu_assign_pointer(*slot, new_node); + goto out; + } +@@ -384,18 +388,31 @@ static long trie_update_elem(struct bpf_map *map, + * which already has the correct data array set. + */ + if (node->prefixlen == matchlen) { ++ if (!(node->flags & LPM_TREE_NODE_FLAG_IM)) { ++ if (flags == BPF_NOEXIST) { ++ ret = -EEXIST; ++ goto out; ++ } ++ trie->n_entries--; ++ } else if (flags == BPF_EXIST) { ++ ret = -ENOENT; ++ goto out; ++ } ++ + new_node->child[0] = node->child[0]; + new_node->child[1] = node->child[1]; + +- if (!(node->flags & LPM_TREE_NODE_FLAG_IM)) +- trie->n_entries--; +- + rcu_assign_pointer(*slot, new_node); + free_node = node; + + goto out; + } + ++ if (flags == BPF_EXIST) { ++ ret = -ENOENT; ++ goto out; ++ } ++ + /* If the new node matches the prefix completely, it must be inserted + * as an ancestor. Simply insert it between @node and *@slot. + */ +-- +2.43.0 + diff --git a/queue-6.12/bpf-handle-in-place-update-for-full-lpm-trie-correct.patch b/queue-6.12/bpf-handle-in-place-update-for-full-lpm-trie-correct.patch new file mode 100644 index 00000000000..99d363d9c67 --- /dev/null +++ b/queue-6.12/bpf-handle-in-place-update-for-full-lpm-trie-correct.patch @@ -0,0 +1,138 @@ +From 4905d15b2aecc0321ee2c5f133f4721fc7874658 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:17 +0800 +Subject: bpf: Handle in-place update for full LPM trie correctly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit 532d6b36b2bfac5514426a97a4df8d103d700d43 ] + +When a LPM trie is full, in-place updates of existing elements +incorrectly return -ENOSPC. + +Fix this by deferring the check of trie->n_entries. For new insertions, +n_entries must not exceed max_entries. However, in-place updates are +allowed even when the trie is full. + +Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-5-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 44 +++++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index 8a040f123e04a..fcc5cd358d7f9 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -310,6 +310,16 @@ static struct lpm_trie_node *lpm_trie_node_alloc(const struct lpm_trie *trie, + return node; + } + ++static int trie_check_add_elem(struct lpm_trie *trie, u64 flags) ++{ ++ if (flags == BPF_EXIST) ++ return -ENOENT; ++ if (trie->n_entries == trie->map.max_entries) ++ return -ENOSPC; ++ trie->n_entries++; ++ return 0; ++} ++ + /* Called from syscall or from eBPF program */ + static long trie_update_elem(struct bpf_map *map, + void *_key, void *value, u64 flags) +@@ -333,20 +343,12 @@ static long trie_update_elem(struct bpf_map *map, + spin_lock_irqsave(&trie->lock, irq_flags); + + /* Allocate and fill a new node */ +- +- if (trie->n_entries == trie->map.max_entries) { +- ret = -ENOSPC; +- goto out; +- } +- + new_node = lpm_trie_node_alloc(trie, value); + if (!new_node) { + ret = -ENOMEM; + goto out; + } + +- trie->n_entries++; +- + new_node->prefixlen = key->prefixlen; + RCU_INIT_POINTER(new_node->child[0], NULL); + RCU_INIT_POINTER(new_node->child[1], NULL); +@@ -376,10 +378,10 @@ static long trie_update_elem(struct bpf_map *map, + * simply assign the @new_node to that slot and be done. + */ + if (!node) { +- if (flags == BPF_EXIST) { +- ret = -ENOENT; ++ ret = trie_check_add_elem(trie, flags); ++ if (ret) + goto out; +- } ++ + rcu_assign_pointer(*slot, new_node); + goto out; + } +@@ -393,10 +395,10 @@ static long trie_update_elem(struct bpf_map *map, + ret = -EEXIST; + goto out; + } +- trie->n_entries--; +- } else if (flags == BPF_EXIST) { +- ret = -ENOENT; +- goto out; ++ } else { ++ ret = trie_check_add_elem(trie, flags); ++ if (ret) ++ goto out; + } + + new_node->child[0] = node->child[0]; +@@ -408,10 +410,9 @@ static long trie_update_elem(struct bpf_map *map, + goto out; + } + +- if (flags == BPF_EXIST) { +- ret = -ENOENT; ++ ret = trie_check_add_elem(trie, flags); ++ if (ret) + goto out; +- } + + /* If the new node matches the prefix completely, it must be inserted + * as an ancestor. Simply insert it between @node and *@slot. +@@ -425,6 +426,7 @@ static long trie_update_elem(struct bpf_map *map, + + im_node = lpm_trie_node_alloc(trie, NULL); + if (!im_node) { ++ trie->n_entries--; + ret = -ENOMEM; + goto out; + } +@@ -446,12 +448,8 @@ static long trie_update_elem(struct bpf_map *map, + rcu_assign_pointer(*slot, im_node); + + out: +- if (ret) { +- if (new_node) +- trie->n_entries--; ++ if (ret) + kfree(new_node); +- } +- + spin_unlock_irqrestore(&trie->lock, irq_flags); + kfree_rcu(free_node, rcu); + +-- +2.43.0 + diff --git a/queue-6.12/bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch b/queue-6.12/bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch new file mode 100644 index 00000000000..5b6d7066b68 --- /dev/null +++ b/queue-6.12/bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch @@ -0,0 +1,53 @@ +From 577f1cd101210d482e10c2bd91da71cfb9cc5582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:15 +0800 +Subject: bpf: Remove unnecessary kfree(im_node) in lpm_trie_update_elem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit 3d5611b4d7efbefb85a74fcdbc35c603847cc022 ] + +There is no need to call kfree(im_node) when updating element fails, +because im_node must be NULL. Remove the unnecessary kfree() for +im_node. + +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Daniel Borkmann +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-3-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 532d6b36b2bf ("bpf: Handle in-place update for full LPM trie correctly") +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index a82cf3693778a..8a040f123e04a 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -315,7 +315,7 @@ static long trie_update_elem(struct bpf_map *map, + void *_key, void *value, u64 flags) + { + struct lpm_trie *trie = container_of(map, struct lpm_trie, map); +- struct lpm_trie_node *node, *im_node = NULL, *new_node = NULL; ++ struct lpm_trie_node *node, *im_node, *new_node = NULL; + struct lpm_trie_node *free_node = NULL; + struct lpm_trie_node __rcu **slot; + struct bpf_lpm_trie_key_u8 *key = _key; +@@ -449,9 +449,7 @@ static long trie_update_elem(struct bpf_map *map, + if (ret) { + if (new_node) + trie->n_entries--; +- + kfree(new_node); +- kfree(im_node); + } + + spin_unlock_irqrestore(&trie->lock, irq_flags); +-- +2.43.0 + diff --git a/queue-6.12/bpf-vsock-fix-poll-missing-a-queue.patch b/queue-6.12/bpf-vsock-fix-poll-missing-a-queue.patch new file mode 100644 index 00000000000..261a3c32d79 --- /dev/null +++ b/queue-6.12/bpf-vsock-fix-poll-missing-a-queue.patch @@ -0,0 +1,41 @@ +From 3c9d0f5c5799ccff5a4b2502e797ccee3c9960d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 22:03:41 +0100 +Subject: bpf, vsock: Fix poll() missing a queue + +From: Michal Luczaj + +[ Upstream commit 9f0fc98145218ff8f50d8cfa3b393785056c53e1 ] + +When a verdict program simply passes a packet without redirection, sk_msg +is enqueued on sk_psock::ingress_msg. Add a missing check to poll(). + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-1-f1b9669cacdc@rbox.co +Signed-off-by: Alexei Starovoitov +Acked-by: John Fastabend +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index dfd29160fe11c..919da8edd03c8 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1054,6 +1054,9 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock, + mask |= EPOLLRDHUP; + } + ++ if (sk_is_readable(sk)) ++ mask |= EPOLLIN | EPOLLRDNORM; ++ + if (sock->type == SOCK_DGRAM) { + /* For datagram sockets we can read if there is something in + * the queue and write as long as the socket isn't shutdown for +-- +2.43.0 + diff --git a/queue-6.12/bpf-vsock-invoke-proto-close-on-close.patch b/queue-6.12/bpf-vsock-invoke-proto-close-on-close.patch new file mode 100644 index 00000000000..df074ba9f69 --- /dev/null +++ b/queue-6.12/bpf-vsock-invoke-proto-close-on-close.patch @@ -0,0 +1,140 @@ +From 695060c147128c128e22fa2b3fa062c0c82e9e31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2024 22:03:43 +0100 +Subject: bpf, vsock: Invoke proto::close on close() + +From: Michal Luczaj + +[ Upstream commit 135ffc7becc82cfb84936ae133da7969220b43b2 ] + +vsock defines a BPF callback to be invoked when close() is called. However, +this callback is never actually executed. As a result, a closed vsock +socket is not automatically removed from the sockmap/sockhash. + +Introduce a dummy vsock_close() and make vsock_release() call proto::close. + +Note: changes in __vsock_release() look messy, but it's only due to indent +level reduction and variables xmas tree reorder. + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-3-f1b9669cacdc@rbox.co +Signed-off-by: Alexei Starovoitov +Acked-by: John Fastabend +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 67 ++++++++++++++++++++++++---------------- + 1 file changed, 40 insertions(+), 27 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 919da8edd03c8..b52b798aa4c29 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -117,12 +117,14 @@ + static int __vsock_bind(struct sock *sk, struct sockaddr_vm *addr); + static void vsock_sk_destruct(struct sock *sk); + static int vsock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); ++static void vsock_close(struct sock *sk, long timeout); + + /* Protocol family. */ + struct proto vsock_proto = { + .name = "AF_VSOCK", + .owner = THIS_MODULE, + .obj_size = sizeof(struct vsock_sock), ++ .close = vsock_close, + #ifdef CONFIG_BPF_SYSCALL + .psock_update_sk_prot = vsock_bpf_update_proto, + #endif +@@ -797,39 +799,37 @@ static bool sock_type_connectible(u16 type) + + static void __vsock_release(struct sock *sk, int level) + { +- if (sk) { +- struct sock *pending; +- struct vsock_sock *vsk; +- +- vsk = vsock_sk(sk); +- pending = NULL; /* Compiler warning. */ ++ struct vsock_sock *vsk; ++ struct sock *pending; + +- /* When "level" is SINGLE_DEPTH_NESTING, use the nested +- * version to avoid the warning "possible recursive locking +- * detected". When "level" is 0, lock_sock_nested(sk, level) +- * is the same as lock_sock(sk). +- */ +- lock_sock_nested(sk, level); ++ vsk = vsock_sk(sk); ++ pending = NULL; /* Compiler warning. */ + +- if (vsk->transport) +- vsk->transport->release(vsk); +- else if (sock_type_connectible(sk->sk_type)) +- vsock_remove_sock(vsk); ++ /* When "level" is SINGLE_DEPTH_NESTING, use the nested ++ * version to avoid the warning "possible recursive locking ++ * detected". When "level" is 0, lock_sock_nested(sk, level) ++ * is the same as lock_sock(sk). ++ */ ++ lock_sock_nested(sk, level); + +- sock_orphan(sk); +- sk->sk_shutdown = SHUTDOWN_MASK; ++ if (vsk->transport) ++ vsk->transport->release(vsk); ++ else if (sock_type_connectible(sk->sk_type)) ++ vsock_remove_sock(vsk); + +- skb_queue_purge(&sk->sk_receive_queue); ++ sock_orphan(sk); ++ sk->sk_shutdown = SHUTDOWN_MASK; + +- /* Clean up any sockets that never were accepted. */ +- while ((pending = vsock_dequeue_accept(sk)) != NULL) { +- __vsock_release(pending, SINGLE_DEPTH_NESTING); +- sock_put(pending); +- } ++ skb_queue_purge(&sk->sk_receive_queue); + +- release_sock(sk); +- sock_put(sk); ++ /* Clean up any sockets that never were accepted. */ ++ while ((pending = vsock_dequeue_accept(sk)) != NULL) { ++ __vsock_release(pending, SINGLE_DEPTH_NESTING); ++ sock_put(pending); + } ++ ++ release_sock(sk); ++ sock_put(sk); + } + + static void vsock_sk_destruct(struct sock *sk) +@@ -901,9 +901,22 @@ void vsock_data_ready(struct sock *sk) + } + EXPORT_SYMBOL_GPL(vsock_data_ready); + ++/* Dummy callback required by sockmap. ++ * See unconditional call of saved_close() in sock_map_close(). ++ */ ++static void vsock_close(struct sock *sk, long timeout) ++{ ++} ++ + static int vsock_release(struct socket *sock) + { +- __vsock_release(sock->sk, 0); ++ struct sock *sk = sock->sk; ++ ++ if (!sk) ++ return 0; ++ ++ sk->sk_prot->close(sk, 0); ++ __vsock_release(sk, 0); + sock->sk = NULL; + sock->state = SS_FREE; + +-- +2.43.0 + diff --git a/queue-6.12/bpftool-fix-potential-null-pointer-dereferencing-in-.patch b/queue-6.12/bpftool-fix-potential-null-pointer-dereferencing-in-.patch new file mode 100644 index 00000000000..2140517a7da --- /dev/null +++ b/queue-6.12/bpftool-fix-potential-null-pointer-dereferencing-in-.patch @@ -0,0 +1,54 @@ +From 0f6d38b10794fe666b7a98bfc172fb3a7752d771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 12:04:13 +0330 +Subject: bpftool: fix potential NULL pointer dereferencing in prog_dump() + +From: Amir Mohammadi + +[ Upstream commit ef3ba8c258ee368a5343fa9329df85b4bcb9e8b5 ] + +A NULL pointer dereference could occur if ksyms +is not properly checked before usage in the prog_dump() function. + +Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump") +Signed-off-by: Amir Mohammadi +Reviewed-by: Quentin Monnet +Acked-by: John Fastabend +Link: https://lore.kernel.org/r/20241121083413.7214-1-amiremohamadi@yahoo.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/prog.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index 2ff949ea82fa6..e71be67f1d865 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -822,11 +822,18 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode, + printf("%s:\n", sym_name); + } + +- if (disasm_print_insn(img, lens[i], opcodes, +- name, disasm_opt, btf, +- prog_linfo, ksyms[i], i, +- linum)) +- goto exit_free; ++ if (ksyms) { ++ if (disasm_print_insn(img, lens[i], opcodes, ++ name, disasm_opt, btf, ++ prog_linfo, ksyms[i], i, ++ linum)) ++ goto exit_free; ++ } else { ++ if (disasm_print_insn(img, lens[i], opcodes, ++ name, disasm_opt, btf, ++ NULL, 0, 0, false)) ++ goto exit_free; ++ } + + img += lens[i]; + +-- +2.43.0 + diff --git a/queue-6.12/drivers-virt-pkvm-don-t-fail-ioremap-call-if-mmio_gu.patch b/queue-6.12/drivers-virt-pkvm-don-t-fail-ioremap-call-if-mmio_gu.patch new file mode 100644 index 00000000000..12c2291df53 --- /dev/null +++ b/queue-6.12/drivers-virt-pkvm-don-t-fail-ioremap-call-if-mmio_gu.patch @@ -0,0 +1,47 @@ +From c9cfb3cd52a834f612779b9a52e58c1bf2a2233d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 14:57:29 +0000 +Subject: drivers/virt: pkvm: Don't fail ioremap() call if MMIO_GUARD fails + +From: Will Deacon + +[ Upstream commit d44679fb954ffea961036ed1aeb7d65035f78489 ] + +Calling the MMIO_GUARD hypercall from guests which have not been +enrolled (e.g. because they are running without pvmfw) results in +-EINVAL being returned. In this case, MMIO_GUARD is not active +and so we can simply proceed with the normal ioremap() routine. + +Don't fail ioremap() if MMIO_GUARD fails; instead WARN_ON_ONCE() +to highlight that the pvm environment is slightly wonky. + +Fixes: 0f1269495800 ("drivers/virt: pkvm: Intercept ioremap using pKVM MMIO_GUARD hypercall") +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20241202145731.6422-2-will@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c b/drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c +index 56a3859dda8a1..4230b817a80bd 100644 +--- a/drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c ++++ b/drivers/virt/coco/pkvm-guest/arm-pkvm-guest.c +@@ -87,12 +87,8 @@ static int mmio_guard_ioremap_hook(phys_addr_t phys, size_t size, + + while (phys < end) { + const int func_id = ARM_SMCCC_VENDOR_HYP_KVM_MMIO_GUARD_FUNC_ID; +- int err; +- +- err = arm_smccc_do_one_page(func_id, phys); +- if (err) +- return err; + ++ WARN_ON_ONCE(arm_smccc_do_one_page(func_id, phys)); + phys += PAGE_SIZE; + } + +-- +2.43.0 + diff --git a/queue-6.12/drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch b/queue-6.12/drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch new file mode 100644 index 00000000000..e7b29efa8ab --- /dev/null +++ b/queue-6.12/drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch @@ -0,0 +1,41 @@ +From f998726b92b396b41fcbbe1d599c5017b3f562ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2024 15:21:36 +0800 +Subject: drm/sti: Add __iomem for mixer_dbg_mxn's parameter + +From: Pei Xiao + +[ Upstream commit 86e8f94789dd6f3e705bfa821e1e416f97a2f863 ] + +Sparse complains about incorrect type in argument 1. +expected void const volatile __iomem *ptr but got void *. +so modify mixer_dbg_mxn's addr parameter. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202411191809.6V3c826r-lkp@intel.com/ +Fixes: a5f81078a56c ("drm/sti: add debugfs entries for MIXER crtc") +Signed-off-by: Pei Xiao +Acked-by: Raphael Gallais-Pou +Link: https://patchwork.freedesktop.org/patch/msgid/c28f0dcb6a4526721d83ba1f659bba30564d3d54.1732087094.git.xiaopei01@kylinos.cn +Signed-off-by: Raphael Gallais-Pou +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_mixer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sti/sti_mixer.c b/drivers/gpu/drm/sti/sti_mixer.c +index 7e5f14646625b..06c1b81912f79 100644 +--- a/drivers/gpu/drm/sti/sti_mixer.c ++++ b/drivers/gpu/drm/sti/sti_mixer.c +@@ -137,7 +137,7 @@ static void mixer_dbg_crb(struct seq_file *s, int val) + } + } + +-static void mixer_dbg_mxn(struct seq_file *s, void *addr) ++static void mixer_dbg_mxn(struct seq_file *s, void __iomem *addr) + { + int i; + +-- +2.43.0 + diff --git a/queue-6.12/drm-v3d-enable-performance-counters-before-clearing-.patch b/queue-6.12/drm-v3d-enable-performance-counters-before-clearing-.patch new file mode 100644 index 00000000000..143923b7f8c --- /dev/null +++ b/queue-6.12/drm-v3d-enable-performance-counters-before-clearing-.patch @@ -0,0 +1,53 @@ +From 74ffcf7570235c4da070e4d28ee32388a64e4e1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 09:28:31 -0300 +Subject: drm/v3d: Enable Performance Counters before clearing them +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit c98b10496b2f3c4f576af3482c71aadcfcbf765e ] + +On the Raspberry Pi 5, performance counters are not being cleared +when `v3d_perfmon_start()` is called, even though we write to the +CLR register. As a result, their values accumulate until they +overflow. + +The expected behavior is for performance counters to reset to zero +at the start of a job. When the job finishes and the perfmon is +stopped, the counters should accurately reflect the values for that +specific job. + +To ensure this behavior, the performance counters are now enabled +before being cleared. This allows the CLR register to function as +intended, zeroing the counter values when the job begins. + +Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace") +Signed-off-by: Maíra Canal +Reviewed-by: Iago Toral Quiroga +Link: https://patchwork.freedesktop.org/patch/msgid/20241204122831.17015-1-mcanal@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/v3d/v3d_perfmon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/v3d/v3d_perfmon.c b/drivers/gpu/drm/v3d/v3d_perfmon.c +index 00cd081d78732..6ee56cbd3f1bf 100644 +--- a/drivers/gpu/drm/v3d/v3d_perfmon.c ++++ b/drivers/gpu/drm/v3d/v3d_perfmon.c +@@ -254,9 +254,9 @@ void v3d_perfmon_start(struct v3d_dev *v3d, struct v3d_perfmon *perfmon) + V3D_CORE_WRITE(0, V3D_V4_PCTR_0_SRC_X(source), channel); + } + ++ V3D_CORE_WRITE(0, V3D_V4_PCTR_0_EN, mask); + V3D_CORE_WRITE(0, V3D_V4_PCTR_0_CLR, mask); + V3D_CORE_WRITE(0, V3D_PCTR_0_OVERFLOW, mask); +- V3D_CORE_WRITE(0, V3D_V4_PCTR_0_EN, mask); + + v3d->active_perfmon = perfmon; + } +-- +2.43.0 + diff --git a/queue-6.12/iio-magnetometer-yas530-use-signed-integer-type-for-.patch b/queue-6.12/iio-magnetometer-yas530-use-signed-integer-type-for-.patch new file mode 100644 index 00000000000..178550a10a0 --- /dev/null +++ b/queue-6.12/iio-magnetometer-yas530-use-signed-integer-type-for-.patch @@ -0,0 +1,85 @@ +From 39fbad1c5aee9809d8c1b98675d06afb8312e630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2024 22:25:07 +0100 +Subject: iio: magnetometer: yas530: use signed integer type for clamp limits + +From: Jakob Hauser + +[ Upstream commit f1ee5483e40881d8ad5a63aa148b753b5c6a839b ] + +In the function yas537_measure() there is a clamp_val() with limits of +-BIT(13) and BIT(13) - 1. The input clamp value h[] is of type s32. The +BIT() is of type unsigned long integer due to its define in +include/vdso/bits.h. The lower limit -BIT(13) is recognized as -8192 but +expressed as an unsigned long integer. The size of an unsigned long +integer differs between 32-bit and 64-bit architectures. Converting this +to type s32 may lead to undesired behavior. + +Additionally, in the calculation lines h[0], h[1] and h[2] the unsigned +long integer divisor BIT(13) causes an unsigned division, shifting the +left-hand side of the equation back and forth, possibly ending up in large +positive values instead of negative values on 32-bit architectures. + +To solve those two issues, declare a signed integer with a value of +BIT(13). + +There is another omission in the clamp line: clamp_val() returns a value +and it's going nowhere here. Self-assign it to h[i] to make use of the +clamp macro. + +Finally, replace clamp_val() macro by clamp() because after changing the +limits from type unsigned long integer to signed integer it's fine that +way. + +Link: https://lkml.kernel.org/r/11609b2243c295d65ab4d47e78c239d61ad6be75.1732914810.git.jahau@rocketmail.com +Fixes: 65f79b501030 ("iio: magnetometer: yas530: Add YAS537 variant") +Signed-off-by: Jakob Hauser + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202411230458.dhZwh3TT-lkp@intel.com/ +Closes: https://lore.kernel.org/oe-kbuild-all/202411282222.oF0B4110-lkp@intel.com/ +Reviewed-by: David Laight +Acked-by: Jonathan Cameron +Cc: Lars-Peter Clausen +Cc: Linus Walleij +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/iio/magnetometer/yamaha-yas530.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/magnetometer/yamaha-yas530.c b/drivers/iio/magnetometer/yamaha-yas530.c +index 65011a8598d33..c55a38650c0d4 100644 +--- a/drivers/iio/magnetometer/yamaha-yas530.c ++++ b/drivers/iio/magnetometer/yamaha-yas530.c +@@ -372,6 +372,7 @@ static int yas537_measure(struct yas5xx *yas5xx, u16 *t, u16 *x, u16 *y1, u16 *y + u8 data[8]; + u16 xy1y2[3]; + s32 h[3], s[3]; ++ int half_range = BIT(13); + int i, ret; + + mutex_lock(&yas5xx->lock); +@@ -406,13 +407,13 @@ static int yas537_measure(struct yas5xx *yas5xx, u16 *t, u16 *x, u16 *y1, u16 *y + /* The second version of YAS537 needs to include calibration coefficients */ + if (yas5xx->version == YAS537_VERSION_1) { + for (i = 0; i < 3; i++) +- s[i] = xy1y2[i] - BIT(13); +- h[0] = (c->k * (128 * s[0] + c->a2 * s[1] + c->a3 * s[2])) / BIT(13); +- h[1] = (c->k * (c->a4 * s[0] + c->a5 * s[1] + c->a6 * s[2])) / BIT(13); +- h[2] = (c->k * (c->a7 * s[0] + c->a8 * s[1] + c->a9 * s[2])) / BIT(13); ++ s[i] = xy1y2[i] - half_range; ++ h[0] = (c->k * (128 * s[0] + c->a2 * s[1] + c->a3 * s[2])) / half_range; ++ h[1] = (c->k * (c->a4 * s[0] + c->a5 * s[1] + c->a6 * s[2])) / half_range; ++ h[2] = (c->k * (c->a7 * s[0] + c->a8 * s[1] + c->a9 * s[2])) / half_range; + for (i = 0; i < 3; i++) { +- clamp_val(h[i], -BIT(13), BIT(13) - 1); +- xy1y2[i] = h[i] + BIT(13); ++ h[i] = clamp(h[i], -half_range, half_range - 1); ++ xy1y2[i] = h[i] + half_range; + } + } + +-- +2.43.0 + diff --git a/queue-6.12/irqchip-stm32mp-exti-config_stm32mp_exti-should-not-.patch b/queue-6.12/irqchip-stm32mp-exti-config_stm32mp_exti-should-not-.patch new file mode 100644 index 00000000000..c2d9591eb0d --- /dev/null +++ b/queue-6.12/irqchip-stm32mp-exti-config_stm32mp_exti-should-not-.patch @@ -0,0 +1,37 @@ +From cba9d2b0ba5ff64f662508cc97d0f0ba3b40cf40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 17:27:40 +0100 +Subject: irqchip/stm32mp-exti: CONFIG_STM32MP_EXTI should not default to y + when compile-testing + +From: Geert Uytterhoeven + +[ Upstream commit 9151299ee5101e03eeed544c1280b0e14b89a8a4 ] + +Merely enabling compile-testing should not enable additional functionality. + +Fixes: 0be58e0553812fcb ("irqchip/stm32mp-exti: Allow building as module") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/ef5ec063b23522058f92087e072419ea233acfe9.1733243115.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/irqchip/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig +index d82bcab233a1b..66ce15027f28d 100644 +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -407,7 +407,7 @@ config PARTITION_PERCPU + config STM32MP_EXTI + tristate "STM32MP extended interrupts and event controller" + depends on (ARCH_STM32 && !ARM_SINGLE_ARMV7M) || COMPILE_TEST +- default y ++ default ARCH_STM32 && !ARM_SINGLE_ARMV7M + select IRQ_DOMAIN_HIERARCHY + select GENERIC_IRQ_CHIP + help +-- +2.43.0 + diff --git a/queue-6.12/nvme-don-t-apply-nvme_quirk_deallocate_zeroes-when-d.patch b/queue-6.12/nvme-don-t-apply-nvme_quirk_deallocate_zeroes-when-d.patch new file mode 100644 index 00000000000..b6189b8a199 --- /dev/null +++ b/queue-6.12/nvme-don-t-apply-nvme_quirk_deallocate_zeroes-when-d.patch @@ -0,0 +1,47 @@ +From e67ca80326d425ca40b0ba1b44cbcd3039604d8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 07:42:18 +0100 +Subject: nvme: don't apply NVME_QUIRK_DEALLOCATE_ZEROES when DSM is not + supported + +From: Christoph Hellwig + +[ Upstream commit 58a0c875ce028678c9594c7bdf3fe33462392808 ] + +Commit 63dfa1004322 ("nvme: move NVME_QUIRK_DEALLOCATE_ZEROES out of +nvme_config_discard") started applying the NVME_QUIRK_DEALLOCATE_ZEROES +quirk even then the Dataset Management is not supported. It turns out +that there versions of these old Intel SSDs that have DSM support +disabled in the firmware, which will now lead to errors everytime +a Write Zeroes command is issued. Fix this by checking for DSM support +before applying the quirk. + +Reported-by: Saeed Mirzamohammadi +Fixes: 63dfa1004322 ("nvme: move NVME_QUIRK_DEALLOCATE_ZEROES out of nvme_config_discard") +Tested-by: Saeed Mirzamohammadi +Signed-off-by: Christoph Hellwig +Reviewed-by: Nitesh Shetty +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index f0d4c6f3cb055..fe83d31ac928b 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2064,7 +2064,8 @@ static bool nvme_update_disk_info(struct nvme_ns *ns, struct nvme_id_ns *id, + lim->physical_block_size = min(phys_bs, atomic_bs); + lim->io_min = phys_bs; + lim->io_opt = io_opt; +- if (ns->ctrl->quirks & NVME_QUIRK_DEALLOCATE_ZEROES) ++ if ((ns->ctrl->quirks & NVME_QUIRK_DEALLOCATE_ZEROES) && ++ (ns->ctrl->oncs & NVME_CTRL_ONCS_DSM)) + lim->max_write_zeroes_sectors = UINT_MAX; + else + lim->max_write_zeroes_sectors = ns->ctrl->max_zeroes_sectors; +-- +2.43.0 + diff --git a/queue-6.12/nvme-fabrics-handle-zero-maxcmd-without-closing-the-.patch b/queue-6.12/nvme-fabrics-handle-zero-maxcmd-without-closing-the-.patch new file mode 100644 index 00000000000..d15011d6e25 --- /dev/null +++ b/queue-6.12/nvme-fabrics-handle-zero-maxcmd-without-closing-the-.patch @@ -0,0 +1,51 @@ +From 921d457ef162fc451de6498529068ab9931d3219 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2024 15:17:06 +0100 +Subject: nvme-fabrics: handle zero MAXCMD without closing the connection + +From: Maurizio Lombardi + +[ Upstream commit 88c23a32b851e36adc4ab36f796d9b711f47e2bb ] + +The NVMe specification states that MAXCMD is mandatory +for NVMe-over-Fabrics implementations. However, some NVMe/TCP +and NVMe/FC arrays from major vendors have buggy firmware +that reports MAXCMD as zero in the Identify Controller data structure. + +Currently, the implementation closes the connection in such cases, +completely preventing the host from connecting to the target. + +Fix the issue by printing a clear error message about the firmware bug +and allowing the connection to proceed. It assumes that the +target supports a MAXCMD value of SQSIZE + 1. If any issues arise, +the user can manually adjust SQSIZE to mitigate them. + +Fixes: 4999568184e5 ("nvme-fabrics: check max outstanding commands") +Signed-off-by: Maurizio Lombardi +Reviewed-by: Laurence Oberman +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index fe83d31ac928b..ec03b25eacbbc 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3251,8 +3251,9 @@ static int nvme_check_ctrl_fabric_info(struct nvme_ctrl *ctrl, struct nvme_id_ct + } + + if (!ctrl->maxcmd) { +- dev_err(ctrl->device, "Maximum outstanding commands is 0\n"); +- return -EINVAL; ++ dev_warn(ctrl->device, ++ "Firmware bug: maximum outstanding commands is 0\n"); ++ ctrl->maxcmd = ctrl->sqsize + 1; + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.12/nvme-rdma-unquiesce-admin_q-before-destroy-it.patch b/queue-6.12/nvme-rdma-unquiesce-admin_q-before-destroy-it.patch new file mode 100644 index 00000000000..6eec9ebf648 --- /dev/null +++ b/queue-6.12/nvme-rdma-unquiesce-admin_q-before-destroy-it.patch @@ -0,0 +1,71 @@ +From ee62c5d4cda118454eb7677944229c6b76cd766f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 11:34:41 +0800 +Subject: nvme-rdma: unquiesce admin_q before destroy it + +From: Chunguang.xu + +[ Upstream commit 5858b687559809f05393af745cbadf06dee61295 ] + +Kernel will hang on destroy admin_q while we create ctrl failed, such +as following calltrace: + +PID: 23644 TASK: ff2d52b40f439fc0 CPU: 2 COMMAND: "nvme" + #0 [ff61d23de260fb78] __schedule at ffffffff8323bc15 + #1 [ff61d23de260fc08] schedule at ffffffff8323c014 + #2 [ff61d23de260fc28] blk_mq_freeze_queue_wait at ffffffff82a3dba1 + #3 [ff61d23de260fc78] blk_freeze_queue at ffffffff82a4113a + #4 [ff61d23de260fc90] blk_cleanup_queue at ffffffff82a33006 + #5 [ff61d23de260fcb0] nvme_rdma_destroy_admin_queue at ffffffffc12686ce + #6 [ff61d23de260fcc8] nvme_rdma_setup_ctrl at ffffffffc1268ced + #7 [ff61d23de260fd28] nvme_rdma_create_ctrl at ffffffffc126919b + #8 [ff61d23de260fd68] nvmf_dev_write at ffffffffc024f362 + #9 [ff61d23de260fe38] vfs_write at ffffffff827d5f25 + RIP: 00007fda7891d574 RSP: 00007ffe2ef06958 RFLAGS: 00000202 + RAX: ffffffffffffffda RBX: 000055e8122a4d90 RCX: 00007fda7891d574 + RDX: 000000000000012b RSI: 000055e8122a4d90 RDI: 0000000000000004 + RBP: 00007ffe2ef079c0 R8: 000000000000012b R9: 000055e8122a4d90 + R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004 + R13: 000055e8122923c0 R14: 000000000000012b R15: 00007fda78a54500 + ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b + +This due to we have quiesced admi_q before cancel requests, but forgot +to unquiesce before destroy it, as a result we fail to drain the +pending requests, and hang on blk_mq_freeze_queue_wait() forever. Here +try to reuse nvme_rdma_teardown_admin_queue() to fix this issue and +simplify the code. + +Fixes: 958dc1d32c80 ("nvme-rdma: add clean action for failed reconnection") +Reported-by: Yingfu.zhou +Signed-off-by: Chunguang.xu +Signed-off-by: Yue.zhao +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 24a2759798d01..913e6e5a80705 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1091,13 +1091,7 @@ static int nvme_rdma_setup_ctrl(struct nvme_rdma_ctrl *ctrl, bool new) + } + destroy_admin: + nvme_stop_keep_alive(&ctrl->ctrl); +- nvme_quiesce_admin_queue(&ctrl->ctrl); +- blk_sync_queue(ctrl->ctrl.admin_q); +- nvme_rdma_stop_queue(&ctrl->queues[0]); +- nvme_cancel_admin_tagset(&ctrl->ctrl); +- if (new) +- nvme_remove_admin_tag_set(&ctrl->ctrl); +- nvme_rdma_destroy_admin_queue(ctrl); ++ nvme_rdma_teardown_admin_queue(ctrl, new); + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.12/nvme-tcp-fix-the-memleak-while-create-new-ctrl-faile.patch b/queue-6.12/nvme-tcp-fix-the-memleak-while-create-new-ctrl-faile.patch new file mode 100644 index 00000000000..f815644bc1f --- /dev/null +++ b/queue-6.12/nvme-tcp-fix-the-memleak-while-create-new-ctrl-faile.patch @@ -0,0 +1,38 @@ +From 825d2d52d226f62bbef050ee038eeec0e88ec8f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 11:34:40 +0800 +Subject: nvme-tcp: fix the memleak while create new ctrl failed + +From: Chunguang.xu + +[ Upstream commit fec55c29e54d3ca6fe9d7d7d9266098b4514fd34 ] + +Now while we create new ctrl failed, we have not free the +tagset occupied by admin_q, here try to fix it. + +Fixes: fd1418de10b9 ("nvme-tcp: avoid open-coding nvme_tcp_teardown_admin_queue()") +Signed-off-by: Chunguang.xu +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 3e416af2659f1..55abfe5e1d254 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2278,7 +2278,7 @@ static int nvme_tcp_setup_ctrl(struct nvme_ctrl *ctrl, bool new) + } + destroy_admin: + nvme_stop_keep_alive(ctrl); +- nvme_tcp_teardown_admin_queue(ctrl, false); ++ nvme_tcp_teardown_admin_queue(ctrl, new); + return ret; + } + +-- +2.43.0 + diff --git a/queue-6.12/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch b/queue-6.12/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch new file mode 100644 index 00000000000..bf7ed6556c3 --- /dev/null +++ b/queue-6.12/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch @@ -0,0 +1,50 @@ +From 64e568a1d6c18cc43a2cd9af1966b2c7a9faa7df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Nov 2024 22:28:34 +0900 +Subject: ocfs2: free inode when ocfs2_get_init_inode() fails + +From: Tetsuo Handa + +[ Upstream commit 965b5dd1894f4525f38c1b5f99b0106a07dbb5db ] + +syzbot is reporting busy inodes after unmount, for commit 9c89fe0af826 +("ocfs2: Handle error from dquot_initialize()") forgot to call iput() when +new_inode() succeeded and dquot_initialize() failed. + +Link: https://lkml.kernel.org/r/e68c0224-b7c6-4784-b4fa-a9fc8c675525@I-love.SAKURA.ne.jp +Fixes: 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()") +Signed-off-by: Tetsuo Handa +Reported-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0af00f6a2cba2058b5db +Tested-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/namei.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index 59c92353151a8..5550f8afa4380 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -200,8 +200,10 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode) + mode = mode_strip_sgid(&nop_mnt_idmap, dir, mode); + inode_init_owner(&nop_mnt_idmap, inode, dir, mode); + status = dquot_initialize(inode); +- if (status) ++ if (status) { ++ iput(inode); + return ERR_PTR(status); ++ } + + return inode; + } +-- +2.43.0 + diff --git a/queue-6.12/pmdomain-core-add-missing-put_device.patch b/queue-6.12/pmdomain-core-add-missing-put_device.patch new file mode 100644 index 00000000000..78e6bc0e438 --- /dev/null +++ b/queue-6.12/pmdomain-core-add-missing-put_device.patch @@ -0,0 +1,37 @@ +From d66c41888ac28651d49d8c437ea790cfd439238c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 14:42:02 +0100 +Subject: pmdomain: core: Add missing put_device() + +From: Ulf Hansson + +[ Upstream commit b8f7bbd1f4ecff6d6277b8c454f62bb0a1c6dbe4 ] + +When removing a genpd we don't clean up the genpd->dev correctly. Let's add +the missing put_device() in genpd_free_data() to fix this. + +Fixes: 401ea1572de9 ("PM / Domain: Add struct device to genpd") +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Message-ID: <20241122134207.157283-2-ulf.hansson@linaro.org> +Stable-dep-of: 3e3b71d35a02 ("pmdomain: core: Fix error path in pm_genpd_init() when ida alloc fails") +Signed-off-by: Sasha Levin +--- + drivers/pmdomain/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c +index 29ad510e881c3..e330490d8d7c8 100644 +--- a/drivers/pmdomain/core.c ++++ b/drivers/pmdomain/core.c +@@ -2182,6 +2182,7 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) + + static void genpd_free_data(struct generic_pm_domain *genpd) + { ++ put_device(&genpd->dev); + if (genpd_is_cpu_domain(genpd)) + free_cpumask_var(genpd->cpus); + if (genpd->free_states) +-- +2.43.0 + diff --git a/queue-6.12/pmdomain-core-fix-error-path-in-pm_genpd_init-when-i.patch b/queue-6.12/pmdomain-core-fix-error-path-in-pm_genpd_init-when-i.patch new file mode 100644 index 00000000000..016077e2a08 --- /dev/null +++ b/queue-6.12/pmdomain-core-fix-error-path-in-pm_genpd_init-when-i.patch @@ -0,0 +1,95 @@ +From bc7df8189d2a1fc916a0ea9a065d504de75c4613 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 14:42:03 +0100 +Subject: pmdomain: core: Fix error path in pm_genpd_init() when ida alloc + fails + +From: Ulf Hansson + +[ Upstream commit 3e3b71d35a02cee4b2cc3d4255668a6609165518 ] + +When the ida allocation fails we need to free up the previously allocated +memory before returning the error code. Let's fix this and while at it, +let's also move the ida allocation to genpd_alloc_data() and the freeing to +genpd_free_data(), as it better belongs there. + +Fixes: 899f44531fe6 ("pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag") +Signed-off-by: Ulf Hansson +Message-ID: <20241122134207.157283-3-ulf.hansson@linaro.org> +Signed-off-by: Sasha Levin +--- + drivers/pmdomain/core.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c +index e330490d8d7c8..778ff187ac59e 100644 +--- a/drivers/pmdomain/core.c ++++ b/drivers/pmdomain/core.c +@@ -2171,8 +2171,24 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) + } + + genpd->gd = gd; +- return 0; ++ device_initialize(&genpd->dev); ++ ++ if (!genpd_is_dev_name_fw(genpd)) { ++ dev_set_name(&genpd->dev, "%s", genpd->name); ++ } else { ++ ret = ida_alloc(&genpd_ida, GFP_KERNEL); ++ if (ret < 0) ++ goto put; + ++ genpd->device_id = ret; ++ dev_set_name(&genpd->dev, "%s_%u", genpd->name, genpd->device_id); ++ } ++ ++ return 0; ++put: ++ put_device(&genpd->dev); ++ if (genpd->free_states == genpd_free_default_power_state) ++ kfree(genpd->states); + free: + if (genpd_is_cpu_domain(genpd)) + free_cpumask_var(genpd->cpus); +@@ -2183,6 +2199,8 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) + static void genpd_free_data(struct generic_pm_domain *genpd) + { + put_device(&genpd->dev); ++ if (genpd->device_id != -ENXIO) ++ ida_free(&genpd_ida, genpd->device_id); + if (genpd_is_cpu_domain(genpd)) + free_cpumask_var(genpd->cpus); + if (genpd->free_states) +@@ -2271,20 +2289,6 @@ int pm_genpd_init(struct generic_pm_domain *genpd, + if (ret) + return ret; + +- device_initialize(&genpd->dev); +- +- if (!genpd_is_dev_name_fw(genpd)) { +- dev_set_name(&genpd->dev, "%s", genpd->name); +- } else { +- ret = ida_alloc(&genpd_ida, GFP_KERNEL); +- if (ret < 0) { +- put_device(&genpd->dev); +- return ret; +- } +- genpd->device_id = ret; +- dev_set_name(&genpd->dev, "%s_%u", genpd->name, genpd->device_id); +- } +- + mutex_lock(&gpd_list_lock); + list_add(&genpd->gpd_list_node, &gpd_list); + mutex_unlock(&gpd_list_lock); +@@ -2325,8 +2329,6 @@ static int genpd_remove(struct generic_pm_domain *genpd) + genpd_unlock(genpd); + genpd_debug_remove(genpd); + cancel_work_sync(&genpd->power_off_work); +- if (genpd->device_id != -ENXIO) +- ida_free(&genpd_ida, genpd->device_id); + genpd_free_data(genpd); + + pr_debug("%s: removed %s\n", __func__, dev_name(&genpd->dev)); +-- +2.43.0 + diff --git a/queue-6.12/scatterlist-fix-incorrect-func-name-in-kernel-doc.patch b/queue-6.12/scatterlist-fix-incorrect-func-name-in-kernel-doc.patch new file mode 100644 index 00000000000..91a02da0134 --- /dev/null +++ b/queue-6.12/scatterlist-fix-incorrect-func-name-in-kernel-doc.patch @@ -0,0 +1,41 @@ +From a10650cb8124fbc8f82f5582aea98ba7a1c9f10a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2024 18:24:06 -0800 +Subject: scatterlist: fix incorrect func name in kernel-doc + +From: Randy Dunlap + +[ Upstream commit d89c8ec0546184267cb211b579514ebaf8916100 ] + +Fix a kernel-doc warning by making the kernel-doc function description +match the function name: + +include/linux/scatterlist.h:323: warning: expecting prototype for sg_unmark_bus_address(). Prototype was for sg_dma_unmark_bus_address() instead + +Link: https://lkml.kernel.org/r/20241130022406.537973-1-rdunlap@infradead.org +Fixes: 42399301203e ("lib/scatterlist: add flag for indicating P2PDMA segments in an SGL") +Signed-off-by: Randy Dunlap +Cc: Logan Gunthorpe +Cc: Christoph Hellwig +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/scatterlist.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h +index e61d164622db4..1bad36e3e4ef1 100644 +--- a/include/linux/scatterlist.h ++++ b/include/linux/scatterlist.h +@@ -313,7 +313,7 @@ static inline void sg_dma_mark_bus_address(struct scatterlist *sg) + } + + /** +- * sg_unmark_bus_address - Unmark the scatterlist entry as a bus address ++ * sg_dma_unmark_bus_address - Unmark the scatterlist entry as a bus address + * @sg: SG entry + * + * Description: +-- +2.43.0 + diff --git a/queue-6.12/scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch b/queue-6.12/scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch new file mode 100644 index 00000000000..d02c521189a --- /dev/null +++ b/queue-6.12/scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch @@ -0,0 +1,42 @@ +From 36d9ee99613299b628c7fe2b157740158c086dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 13:00:45 +0000 +Subject: scsi: scsi_debug: Fix hrtimer support for ndelay + +From: John Garry + +[ Upstream commit 6918141d815acef056a0d10e966a027d869a922d ] + +Since commit 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration +calculation"), ns_from_boot value is only evaluated in schedule_resp() +for polled requests. + +However, ns_from_boot is also required for hrtimer support for when +ndelay is less than INCLUSIVE_TIMING_MAX_NS, so fix up the logic to +decide when to evaluate ns_from_boot. + +Fixes: 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration calculation") +Signed-off-by: John Garry +Link: https://lore.kernel.org/r/20241202130045.2335194-1-john.g.garry@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index b52513eeeafa7..680ba180a6725 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -6447,7 +6447,7 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip, + } + sd_dp = &sqcp->sd_dp; + +- if (polled) ++ if (polled || (ndelay > 0 && ndelay < INCLUSIVE_TIMING_MAX_NS)) + ns_from_boot = ktime_get_boottime_ns(); + + /* one of the resp_*() response functions is called here */ +-- +2.43.0 + diff --git a/queue-6.12/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch b/queue-6.12/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch new file mode 100644 index 00000000000..d1965b6b3db --- /dev/null +++ b/queue-6.12/scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch @@ -0,0 +1,77 @@ +From 0345c3f320c8d81c6f231d49996da79259dcd88b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2024 18:29:44 +0530 +Subject: scsi: sg: Fix slab-use-after-free read in sg_release() + +From: Suraj Sonawane + +[ Upstream commit f10593ad9bc36921f623361c9e3dd96bd52d85ee ] + +Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: + +BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 +kernel/locking/lockdep.c:5838 +__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 +sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 + +In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is +called before releasing the open_rel_lock mutex. The kref_put() call may +decrement the reference count of sfp to zero, triggering its cleanup +through sg_remove_sfp(). This cleanup includes scheduling deferred work +via sg_remove_sfp_usercontext(), which ultimately frees sfp. + +After kref_put(), sg_release() continues to unlock open_rel_lock and may +reference sfp or sdp. If sfp has already been freed, this results in a +slab-use-after-free error. + +Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the +open_rel_lock mutex. This ensures: + + - No references to sfp or sdp occur after the reference count is + decremented. + + - Cleanup functions such as sg_remove_sfp() and + sg_remove_sfp_usercontext() can safely execute without impacting the + mutex handling in sg_release(). + +The fix has been tested and validated by syzbot. This patch closes the +bug reported at the following syzkaller link and ensures proper +sequencing of resource cleanup and mutex operations, eliminating the +risk of use-after-free errors in sg_release(). + +Reported-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7efb5850a17ba6ce098b +Tested-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com +Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling") +Signed-off-by: Suraj Sonawane +Link: https://lore.kernel.org/r/20241120125944.88095-1-surajsonawane0215@gmail.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 84334ab39c810..94127868bedf8 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -386,7 +386,6 @@ sg_release(struct inode *inode, struct file *filp) + SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, "sg_release\n")); + + mutex_lock(&sdp->open_rel_lock); +- kref_put(&sfp->f_ref, sg_remove_sfp); + sdp->open_cnt--; + + /* possibly many open()s waiting on exlude clearing, start many; +@@ -398,6 +397,7 @@ sg_release(struct inode *inode, struct file *filp) + wake_up_interruptible(&sdp->open_wait); + } + mutex_unlock(&sdp->open_rel_lock); ++ kref_put(&sfp->f_ref, sg_remove_sfp); + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.12/scsi-ufs-core-add-ufshcd_send_bsg_uic_cmd-for-ufs-bs.patch b/queue-6.12/scsi-ufs-core-add-ufshcd_send_bsg_uic_cmd-for-ufs-bs.patch new file mode 100644 index 00000000000..b87d161ede4 --- /dev/null +++ b/queue-6.12/scsi-ufs-core-add-ufshcd_send_bsg_uic_cmd-for-ufs-bs.patch @@ -0,0 +1,117 @@ +From 9b49fcd6022d33d14d35be0d70cf532ea0f3c56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 17:56:04 +0800 +Subject: scsi: ufs: core: Add ufshcd_send_bsg_uic_cmd() for UFS BSG + +From: Ziqi Chen + +[ Upstream commit 60b4dd1460f6d65739acb0f28d12bd9abaeb34b4 ] + +User layer applications can send UIC GET/SET commands via the BSG +framework, and if the user layer application sends a UIC SET command to the +PA_PWRMODE attribute, a power mode change shall be initiated in UniPro and +two interrupts shall be triggered if the power mode is successfully +changed, i.e., UIC Command Completion interrupt and UIC Power Mode +interrupt. + +The current UFS BSG code calls ufshcd_send_uic_cmd() directly, with which +the second interrupt, i.e., UIC Power Mode interrupt, shall be treated as +unhandled interrupt. In addition, after the UIC command is completed, user +layer application has to poll UniPro and/or M-PHY state machine to confirm +the power mode change is finished. + +Add a new wrapper function ufshcd_send_bsg_uic_cmd() and call it from +ufs_bsg_request() so that if a UIC SET command is targeting the PA_PWRMODE +attribute it can be redirected to ufshcd_uic_pwr_ctrl(). + +Fixes: e77044c5a842 ("scsi: ufs-bsg: Add support for uic commands in ufs_bsg_request()") +Co-developed-by: Can Guo +Signed-off-by: Can Guo +Signed-off-by: Ziqi Chen +Link: https://lore.kernel.org/r/20241119095613.121385-1-quic_ziqichen@quicinc.com +Reviewed-by: Bean Huo +Reviewed-by: Avri Altman +Reviewed-by: Peter Wang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs_bsg.c | 2 +- + drivers/ufs/core/ufshcd-priv.h | 1 + + drivers/ufs/core/ufshcd.c | 36 ++++++++++++++++++++++++++++++++++ + 3 files changed, 38 insertions(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c +index 433d0480391ea..6c09d97ae0065 100644 +--- a/drivers/ufs/core/ufs_bsg.c ++++ b/drivers/ufs/core/ufs_bsg.c +@@ -170,7 +170,7 @@ static int ufs_bsg_request(struct bsg_job *job) + break; + case UPIU_TRANSACTION_UIC_CMD: + memcpy(&uc, &bsg_request->upiu_req.uc, UIC_CMD_SIZE); +- ret = ufshcd_send_uic_cmd(hba, &uc); ++ ret = ufshcd_send_bsg_uic_cmd(hba, &uc); + if (ret) + dev_err(hba->dev, "send uic cmd: error code %d\n", ret); + +diff --git a/drivers/ufs/core/ufshcd-priv.h b/drivers/ufs/core/ufshcd-priv.h +index 7aea8fbaeee88..9ffd94ddf8c7c 100644 +--- a/drivers/ufs/core/ufshcd-priv.h ++++ b/drivers/ufs/core/ufshcd-priv.h +@@ -84,6 +84,7 @@ int ufshcd_read_string_desc(struct ufs_hba *hba, u8 desc_index, + u8 **buf, bool ascii); + + int ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd); ++int ufshcd_send_bsg_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd); + + int ufshcd_exec_raw_upiu_cmd(struct ufs_hba *hba, + struct utp_upiu_req *req_upiu, +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index f68e13aac8d37..6a0e86a8069be 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -4340,6 +4340,42 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + return ret; + } + ++/** ++ * ufshcd_send_bsg_uic_cmd - Send UIC commands requested via BSG layer and retrieve the result ++ * @hba: per adapter instance ++ * @uic_cmd: UIC command ++ * ++ * Return: 0 only if success. ++ */ ++int ufshcd_send_bsg_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd) ++{ ++ int ret; ++ ++ if (hba->quirks & UFSHCD_QUIRK_BROKEN_UIC_CMD) ++ return 0; ++ ++ ufshcd_hold(hba); ++ ++ if (uic_cmd->argument1 == UIC_ARG_MIB(PA_PWRMODE) && ++ uic_cmd->command == UIC_CMD_DME_SET) { ++ ret = ufshcd_uic_pwr_ctrl(hba, uic_cmd); ++ goto out; ++ } ++ ++ mutex_lock(&hba->uic_cmd_mutex); ++ ufshcd_add_delay_before_dme_cmd(hba); ++ ++ ret = __ufshcd_send_uic_cmd(hba, uic_cmd); ++ if (!ret) ++ ret = ufshcd_wait_for_uic_cmd(hba, uic_cmd); ++ ++ mutex_unlock(&hba->uic_cmd_mutex); ++ ++out: ++ ufshcd_release(hba); ++ return ret; ++} ++ + /** + * ufshcd_uic_change_pwr_mode - Perform the UIC power mode chage + * using DME_SET primitives. +-- +2.43.0 + diff --git a/queue-6.12/scsi-ufs-core-always-initialize-the-uic-done-complet.patch b/queue-6.12/scsi-ufs-core-always-initialize-the-uic-done-complet.patch new file mode 100644 index 00000000000..b089283e1f9 --- /dev/null +++ b/queue-6.12/scsi-ufs-core-always-initialize-the-uic-done-complet.patch @@ -0,0 +1,74 @@ +From de6d660be2647c2b4bab542bbb6ecd38b4a64ebc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 15:30:05 -0700 +Subject: scsi: ufs: core: Always initialize the UIC done completion + +From: Bart Van Assche + +[ Upstream commit b1e8c53749adb795bfb0bf4e2f7836e26684bb90 ] + +Simplify __ufshcd_send_uic_cmd() by always initializing the +uic_cmd::done completion. This is fine since the time required to +initialize a completion is small compared to the time required to +process an UIC command. + +Reviewed-by: Peter Wang +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240912223019.3510966-5-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Stable-dep-of: 60b4dd1460f6 ("scsi: ufs: core: Add ufshcd_send_bsg_uic_cmd() for UFS BSG") +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index abbe7135a9778..f68e13aac8d37 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -2551,13 +2551,11 @@ ufshcd_wait_for_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd) + * __ufshcd_send_uic_cmd - Send UIC commands and retrieve the result + * @hba: per adapter instance + * @uic_cmd: UIC command +- * @completion: initialize the completion only if this is set to true + * + * Return: 0 only if success. + */ + static int +-__ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd, +- bool completion) ++__ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd) + { + lockdep_assert_held(&hba->uic_cmd_mutex); + +@@ -2567,8 +2565,7 @@ __ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd, + return -EIO; + } + +- if (completion) +- init_completion(&uic_cmd->done); ++ init_completion(&uic_cmd->done); + + uic_cmd->cmd_active = 1; + ufshcd_dispatch_uic_cmd(hba, uic_cmd); +@@ -2594,7 +2591,7 @@ int ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd) + mutex_lock(&hba->uic_cmd_mutex); + ufshcd_add_delay_before_dme_cmd(hba); + +- ret = __ufshcd_send_uic_cmd(hba, uic_cmd, true); ++ ret = __ufshcd_send_uic_cmd(hba, uic_cmd); + if (!ret) + ret = ufshcd_wait_for_uic_cmd(hba, uic_cmd); + +@@ -4288,7 +4285,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) + reenable_intr = true; + } + spin_unlock_irqrestore(hba->host->host_lock, flags); +- ret = __ufshcd_send_uic_cmd(hba, cmd, false); ++ ret = __ufshcd_send_uic_cmd(hba, cmd); + if (ret) { + dev_err(hba->dev, + "pwr ctrl cmd 0x%x with mode 0x%x uic error %d\n", +-- +2.43.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 6936b0738b9..575ca3adf19 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -87,3 +87,43 @@ i3c-master-extend-address-status-bit-to-4-and-add-i3.patch i3c-master-fix-dynamic-address-leak-when-assigned-ad.patch drm-amd-display-calculate-final-viewport-before-tap-.patch drm-amd-display-ignore-scalar-validation-failure-if-.patch +scsi-ufs-core-always-initialize-the-uic-done-complet.patch +scsi-ufs-core-add-ufshcd_send_bsg_uic_cmd-for-ufs-bs.patch +bpf-vsock-fix-poll-missing-a-queue.patch +bpf-vsock-invoke-proto-close-on-close.patch +xsk-always-clear-dma-mapping-information-when-unmapp.patch +bpftool-fix-potential-null-pointer-dereferencing-in-.patch +drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch +tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch +alsa-seq-ump-fix-seq-port-updates-per-fb-info-notify.patch +alsa-usb-audio-notify-xrun-for-low-latency-mode.patch +tools-override-makefile-arch-variable-if-defined-but.patch +spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch +asoc-sof-ipc3-topology-convert-the-topology-pin-inde.patch +asoc-sof-ipc3-topology-fix-resource-leaks-in-sof_ipc.patch +pmdomain-core-add-missing-put_device.patch +pmdomain-core-fix-error-path-in-pm_genpd_init-when-i.patch +nvme-don-t-apply-nvme_quirk_deallocate_zeroes-when-d.patch +x86-pkeys-change-caller-of-update_pkru_in_sigframe.patch +x86-pkeys-ensure-updated-pkru-value-is-xrstor-d.patch +bpf-ensure-reg-is-ptr_to_stack-in-process_iter_arg.patch +irqchip-stm32mp-exti-config_stm32mp_exti-should-not-.patch +drivers-virt-pkvm-don-t-fail-ioremap-call-if-mmio_gu.patch +bpf-don-t-mark-stack_invalid-as-stack_misc-in-mark_s.patch +bpf-fix-narrow-scalar-spill-onto-64-bit-spilled-scal.patch +nvme-fabrics-handle-zero-maxcmd-without-closing-the-.patch +nvme-tcp-fix-the-memleak-while-create-new-ctrl-faile.patch +nvme-rdma-unquiesce-admin_q-before-destroy-it.patch +scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch +scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch +asoc-mediatek-mt8188-mt6359-remove-hardcoded-dmic-co.patch +drm-v3d-enable-performance-counters-before-clearing-.patch +ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch +scatterlist-fix-incorrect-func-name-in-kernel-doc.patch +iio-magnetometer-yas530-use-signed-integer-type-for-.patch +smb-client-fix-potential-race-in-cifs_put_tcon.patch +bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch +bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch +bpf-handle-in-place-update-for-full-lpm-trie-correct.patch +bpf-fix-exact-match-conditions-in-trie_get_next_key.patch +x86-cpu-amd-warn-when-setting-efer.autoibrs-if-and-o.patch diff --git a/queue-6.12/smb-client-fix-potential-race-in-cifs_put_tcon.patch b/queue-6.12/smb-client-fix-potential-race-in-cifs_put_tcon.patch new file mode 100644 index 00000000000..fc1e8f4ef7a --- /dev/null +++ b/queue-6.12/smb-client-fix-potential-race-in-cifs_put_tcon.patch @@ -0,0 +1,46 @@ +From c4e482c6c5f3d1117a7fc031f88442dfc84d480b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 11:49:07 -0300 +Subject: smb: client: fix potential race in cifs_put_tcon() + +From: Paulo Alcantara + +[ Upstream commit c32b624fa4f7ca5a2ff217a0b1b2f1352bb4ec11 ] + +dfs_cache_refresh() delayed worker could race with cifs_put_tcon(), so +make sure to call list_replace_init() on @tcon->dfs_ses_list after +kworker is cancelled or finished. + +Fixes: 4f42a8b54b5c ("smb: client: fix DFS interlink failover") +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/connect.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index a94c538ff8636..feff3324d39c6 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -2512,9 +2512,6 @@ cifs_put_tcon(struct cifs_tcon *tcon, enum smb3_tcon_ref_trace trace) + + list_del_init(&tcon->tcon_list); + tcon->status = TID_EXITING; +-#ifdef CONFIG_CIFS_DFS_UPCALL +- list_replace_init(&tcon->dfs_ses_list, &ses_list); +-#endif + spin_unlock(&tcon->tc_lock); + spin_unlock(&cifs_tcp_ses_lock); + +@@ -2522,6 +2519,7 @@ cifs_put_tcon(struct cifs_tcon *tcon, enum smb3_tcon_ref_trace trace) + cancel_delayed_work_sync(&tcon->query_interfaces); + #ifdef CONFIG_CIFS_DFS_UPCALL + cancel_delayed_work_sync(&tcon->dfs_cache_work); ++ list_replace_init(&tcon->dfs_ses_list, &ses_list); + #endif + + if (tcon->use_witness) { +-- +2.43.0 + diff --git a/queue-6.12/spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch b/queue-6.12/spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch new file mode 100644 index 00000000000..4cc059b7aee --- /dev/null +++ b/queue-6.12/spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch @@ -0,0 +1,41 @@ +From d444672229ebb0a8af958714a4763883bf43a234 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 16:38:17 +0800 +Subject: spi: mpc52xx: Add cancel_work_sync before module remove + +From: Pei Xiao + +[ Upstream commit 984836621aad98802d92c4a3047114cf518074c8 ] + +If we remove the module which will call mpc52xx_spi_remove +it will free 'ms' through spi_unregister_controller. +while the work ms->work will be used. The sequence of operations +that may lead to a UAF bug. + +Fix it by ensuring that the work is canceled before proceeding with +the cleanup in mpc52xx_spi_remove. + +Fixes: ca632f556697 ("spi: reorganize drivers") +Signed-off-by: Pei Xiao +Link: https://patch.msgid.link/1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.1732783000.git.xiaopei01@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mpc52xx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c +index d5ac60c135c20..159f359d7501a 100644 +--- a/drivers/spi/spi-mpc52xx.c ++++ b/drivers/spi/spi-mpc52xx.c +@@ -520,6 +520,7 @@ static void mpc52xx_spi_remove(struct platform_device *op) + struct mpc52xx_spi *ms = spi_controller_get_devdata(host); + int i; + ++ cancel_work_sync(&ms->work); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + +-- +2.43.0 + diff --git a/queue-6.12/tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch b/queue-6.12/tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch new file mode 100644 index 00000000000..97f5ab10f01 --- /dev/null +++ b/queue-6.12/tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch @@ -0,0 +1,165 @@ +From c39c3290f910a48af8efa667e8e60892a33c6d3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 23:48:38 +0000 +Subject: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg + +From: Zijian Zhang + +[ Upstream commit ca70b8baf2bd125b2a4d96e76db79375c07d7ff2 ] + +The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging +tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. + +Potential problems with this strategy are as follows: + +- If the actual sent bytes are smaller than tosend, we need to charge some + bytes back, as in line 487, which is okay but seems not clean. + +- When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may + miss uncharging (msg->sg.size - apply_bytes) bytes. + +[...] +415 tosend = msg->sg.size; +416 if (psock->apply_bytes && psock->apply_bytes < tosend) +417 tosend = psock->apply_bytes; +[...] +443 sk_msg_return(sk, msg, tosend); +444 release_sock(sk); +446 origsize = msg->sg.size; +447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, +448 msg, tosend, flags); +449 sent = origsize - msg->sg.size; +[...] +454 lock_sock(sk); +455 if (unlikely(ret < 0)) { +456 int free = sk_msg_free_nocharge(sk, msg); +458 if (!cork) +459 *copied -= free; +460 } +[...] +487 if (eval == __SK_REDIRECT) +488 sk_mem_charge(sk, tosend - sent); +[...] + +When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, +the following warning will be reported: + +------------[ cut here ]------------ +WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 +Modules linked in: +CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Workqueue: events sk_psock_destroy +RIP: 0010:inet_sock_destruct+0x190/0x1a0 +RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 +RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 +RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 +RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 +R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 +R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 +FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + +? __warn+0x89/0x130 +? inet_sock_destruct+0x190/0x1a0 +? report_bug+0xfc/0x1e0 +? handle_bug+0x5c/0xa0 +? exc_invalid_op+0x17/0x70 +? asm_exc_invalid_op+0x1a/0x20 +? inet_sock_destruct+0x190/0x1a0 +__sk_destruct+0x25/0x220 +sk_psock_destroy+0x2b2/0x310 +process_scheduled_works+0xa3/0x3e0 +worker_thread+0x117/0x240 +? __pfx_worker_thread+0x10/0x10 +kthread+0xcf/0x100 +? __pfx_kthread+0x10/0x10 +ret_from_fork+0x31/0x40 +? __pfx_kthread+0x10/0x10 +ret_from_fork_asm+0x1a/0x30 + +---[ end trace 0000000000000000 ]--- + +In __SK_REDIRECT, a more concise way is delaying the uncharging after sent +bytes are finalized, and uncharge this value. When (ret < 0), we shall +invoke sk_msg_free. + +Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, +we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same +warning will be reported in selftest. + +[...] +468 case __SK_DROP: +469 default: +470 sk_msg_free_partial(sk, msg, tosend); +471 sk_msg_apply_bytes(psock, tosend); +472 *copied -= (tosend + delta); +473 return -EACCES; +[...] + +So instead of sk_msg_free_partial we can do sk_msg_free here. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Fixes: 8ec95b94716a ("bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues") +Signed-off-by: Zijian Zhang +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241016234838.3167769-3-zijianzhang@bytedance.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 370993c03d313..99cef92e6290c 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -441,7 +441,6 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + cork = true; + psock->cork = NULL; + } +- sk_msg_return(sk, msg, tosend); + release_sock(sk); + + origsize = msg->sg.size; +@@ -453,8 +452,9 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + sock_put(sk_redir); + + lock_sock(sk); ++ sk_mem_uncharge(sk, sent); + if (unlikely(ret < 0)) { +- int free = sk_msg_free_nocharge(sk, msg); ++ int free = sk_msg_free(sk, msg); + + if (!cork) + *copied -= free; +@@ -468,7 +468,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + break; + case __SK_DROP: + default: +- sk_msg_free_partial(sk, msg, tosend); ++ sk_msg_free(sk, msg); + sk_msg_apply_bytes(psock, tosend); + *copied -= (tosend + delta); + return -EACCES; +@@ -484,11 +484,8 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + } + if (msg && + msg->sg.data[msg->sg.start].page_link && +- msg->sg.data[msg->sg.start].length) { +- if (eval == __SK_REDIRECT) +- sk_mem_charge(sk, tosend - sent); ++ msg->sg.data[msg->sg.start].length) + goto more_data; +- } + } + return ret; + } +-- +2.43.0 + diff --git a/queue-6.12/tools-override-makefile-arch-variable-if-defined-but.patch b/queue-6.12/tools-override-makefile-arch-variable-if-defined-but.patch new file mode 100644 index 00000000000..7e1276ee9b9 --- /dev/null +++ b/queue-6.12/tools-override-makefile-arch-variable-if-defined-but.patch @@ -0,0 +1,59 @@ +From 4a10bd826c195d42211c86d4100aa4323abd778e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 11:17:46 +0100 +Subject: tools: Override makefile ARCH variable if defined, but empty +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 537a2525eaf76ea9b0dca62b994500d8670b39d5 ] + +There are a number of tools (bpftool, selftests), that require a +"bootstrap" build. Here, a bootstrap build is a build host variant of +a target. E.g., assume that you're performing a bpftool cross-build on +x86 to riscv, a bootstrap build would then be an x86 variant of +bpftool. The typical way to perform the host build variant, is to pass +"ARCH=" in a sub-make. However, if a variable has been set with a +command argument, then ordinary assignments in the makefile are +ignored. + +This side-effect results in that ARCH, and variables depending on ARCH +are not set. Workaround by overriding ARCH to the host arch, if ARCH +is empty. + +Fixes: 8859b0da5aac ("tools/bpftool: Fix cross-build") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Tested-by: Alexandre Ghiti +Reviewed-by: Jean-Philippe Brucker +Reviewed-by: Namhyung Kim +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Quentin Monnet +Acked-by: Jiri Olsa +Cc: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/bpf/20241127101748.165693-1-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + tools/scripts/Makefile.arch | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/scripts/Makefile.arch b/tools/scripts/Makefile.arch +index f6a50f06dfc45..eabfe9f411d91 100644 +--- a/tools/scripts/Makefile.arch ++++ b/tools/scripts/Makefile.arch +@@ -7,8 +7,8 @@ HOSTARCH := $(shell uname -m | sed -e s/i.86/x86/ -e s/x86_64/x86/ \ + -e s/sh[234].*/sh/ -e s/aarch64.*/arm64/ \ + -e s/riscv.*/riscv/ -e s/loongarch.*/loongarch/) + +-ifndef ARCH +-ARCH := $(HOSTARCH) ++ifeq ($(strip $(ARCH)),) ++override ARCH := $(HOSTARCH) + endif + + SRCARCH := $(ARCH) +-- +2.43.0 + diff --git a/queue-6.12/x86-cpu-amd-warn-when-setting-efer.autoibrs-if-and-o.patch b/queue-6.12/x86-cpu-amd-warn-when-setting-efer.autoibrs-if-and-o.patch new file mode 100644 index 00000000000..8801abb1c1b --- /dev/null +++ b/queue-6.12/x86-cpu-amd-warn-when-setting-efer.autoibrs-if-and-o.patch @@ -0,0 +1,41 @@ +From f78144a3627e3aabee0ea6b6d8b986a877300ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 08:20:06 -0800 +Subject: x86/CPU/AMD: WARN when setting EFER.AUTOIBRS if and only if the WRMSR + fails + +From: Sean Christopherson + +[ Upstream commit 492077668fb453b8b16c842fcf3fafc2ebc190e9 ] + +When ensuring EFER.AUTOIBRS is set, WARN only on a negative return code +from msr_set_bit(), as '1' is used to indicate the WRMSR was successful +('0' indicates the MSR bit was already set). + +Fixes: 8cc68c9c9e92 ("x86/CPU/AMD: Make sure EFER[AIBRSE] is set") +Reported-by: Nathan Chancellor +Signed-off-by: Sean Christopherson +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/Z1MkNofJjt7Oq0G6@google.com +Closes: https://lore.kernel.org/all/20241205220604.GA2054199@thelio-3990X +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index d8408aafeed98..79d2e17f6582e 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1065,7 +1065,7 @@ static void init_amd(struct cpuinfo_x86 *c) + */ + if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) && + cpu_has(c, X86_FEATURE_AUTOIBRS)) +- WARN_ON_ONCE(msr_set_bit(MSR_EFER, _EFER_AUTOIBRS)); ++ WARN_ON_ONCE(msr_set_bit(MSR_EFER, _EFER_AUTOIBRS) < 0); + + /* AMD CPUs don't need fencing after x2APIC/TSC_DEADLINE MSR writes. */ + clear_cpu_cap(c, X86_FEATURE_APIC_MSRS_FENCE); +-- +2.43.0 + diff --git a/queue-6.12/x86-pkeys-change-caller-of-update_pkru_in_sigframe.patch b/queue-6.12/x86-pkeys-change-caller-of-update_pkru_in_sigframe.patch new file mode 100644 index 00000000000..3a1fbd82d47 --- /dev/null +++ b/queue-6.12/x86-pkeys-change-caller-of-update_pkru_in_sigframe.patch @@ -0,0 +1,107 @@ +From 5683d0ce8fb46f36315a2b508f90ec6221cda018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 17:45:19 +0000 +Subject: x86/pkeys: Change caller of update_pkru_in_sigframe() + +From: Aruna Ramakrishna + +[ Upstream commit 6a1853bdf17874392476b552398df261f75503e0 ] + +update_pkru_in_sigframe() will shortly need some information which +is only available inside xsave_to_user_sigframe(). Move +update_pkru_in_sigframe() inside the other function to make it +easier to provide it that information. + +No functional changes. + +Signed-off-by: Aruna Ramakrishna +Signed-off-by: Dave Hansen +Link: https://lore.kernel.org/all/20241119174520.3987538-2-aruna.ramakrishna%40oracle.com +Stable-dep-of: ae6012d72fa6 ("x86/pkeys: Ensure updated PKRU value is XRSTOR'd") +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/fpu/signal.c | 20 ++------------------ + arch/x86/kernel/fpu/xstate.h | 15 ++++++++++++++- + 2 files changed, 16 insertions(+), 19 deletions(-) + +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c +index 1065ab995305c..8f62e0666dea5 100644 +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -63,16 +63,6 @@ static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf, + return true; + } + +-/* +- * Update the value of PKRU register that was already pushed onto the signal frame. +- */ +-static inline int update_pkru_in_sigframe(struct xregs_state __user *buf, u32 pkru) +-{ +- if (unlikely(!cpu_feature_enabled(X86_FEATURE_OSPKE))) +- return 0; +- return __put_user(pkru, (unsigned int __user *)get_xsave_addr_user(buf, XFEATURE_PKRU)); +-} +- + /* + * Signal frame handlers. + */ +@@ -168,14 +158,8 @@ static inline bool save_xstate_epilog(void __user *buf, int ia32_frame, + + static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf, u32 pkru) + { +- int err = 0; +- +- if (use_xsave()) { +- err = xsave_to_user_sigframe(buf); +- if (!err) +- err = update_pkru_in_sigframe(buf, pkru); +- return err; +- } ++ if (use_xsave()) ++ return xsave_to_user_sigframe(buf, pkru); + + if (use_fxsr()) + return fxsave_to_user_sigframe((struct fxregs_state __user *) buf); +diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h +index 0b86a5002c846..6b2924fbe5b8d 100644 +--- a/arch/x86/kernel/fpu/xstate.h ++++ b/arch/x86/kernel/fpu/xstate.h +@@ -69,6 +69,16 @@ static inline u64 xfeatures_mask_independent(void) + return fpu_kernel_cfg.independent_features; + } + ++/* ++ * Update the value of PKRU register that was already pushed onto the signal frame. ++ */ ++static inline int update_pkru_in_sigframe(struct xregs_state __user *buf, u32 pkru) ++{ ++ if (unlikely(!cpu_feature_enabled(X86_FEATURE_OSPKE))) ++ return 0; ++ return __put_user(pkru, (unsigned int __user *)get_xsave_addr_user(buf, XFEATURE_PKRU)); ++} ++ + /* XSAVE/XRSTOR wrapper functions */ + + #ifdef CONFIG_X86_64 +@@ -256,7 +266,7 @@ static inline u64 xfeatures_need_sigframe_write(void) + * The caller has to zero buf::header before calling this because XSAVE* + * does not touch the reserved fields in the header. + */ +-static inline int xsave_to_user_sigframe(struct xregs_state __user *buf) ++static inline int xsave_to_user_sigframe(struct xregs_state __user *buf, u32 pkru) + { + /* + * Include the features which are not xsaved/rstored by the kernel +@@ -281,6 +291,9 @@ static inline int xsave_to_user_sigframe(struct xregs_state __user *buf) + XSTATE_OP(XSAVE, buf, lmask, hmask, err); + clac(); + ++ if (!err) ++ err = update_pkru_in_sigframe(buf, pkru); ++ + return err; + } + +-- +2.43.0 + diff --git a/queue-6.12/x86-pkeys-ensure-updated-pkru-value-is-xrstor-d.patch b/queue-6.12/x86-pkeys-ensure-updated-pkru-value-is-xrstor-d.patch new file mode 100644 index 00000000000..11b1f768de8 --- /dev/null +++ b/queue-6.12/x86-pkeys-ensure-updated-pkru-value-is-xrstor-d.patch @@ -0,0 +1,96 @@ +From 24fedf2768fd57e0d767137044c4f7493357b325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 17:45:20 +0000 +Subject: x86/pkeys: Ensure updated PKRU value is XRSTOR'd + +From: Aruna Ramakrishna + +[ Upstream commit ae6012d72fa60c9ff92de5bac7a8021a47458e5b ] + +When XSTATE_BV[i] is 0, and XRSTOR attempts to restore state component +'i' it ignores any value in the XSAVE buffer and instead restores the +state component's init value. + +This means that if XSAVE writes XSTATE_BV[PKRU]=0 then XRSTOR will +ignore the value that update_pkru_in_sigframe() writes to the XSAVE buffer. + +XSTATE_BV[PKRU] only gets written as 0 if PKRU is in its init state. On +Intel CPUs, basically never happens because the kernel usually +overwrites the init value (aside: this is why we didn't notice this bug +until now). But on AMD, the init tracker is more aggressive and will +track PKRU as being in its init state upon any wrpkru(0x0). +Unfortunately, sig_prepare_pkru() does just that: wrpkru(0x0). + +This writes XSTATE_BV[PKRU]=0 which makes XRSTOR ignore the PKRU value +in the sigframe. + +To fix this, always overwrite the sigframe XSTATE_BV with a value that +has XSTATE_BV[PKRU]==1. This ensures that XRSTOR will not ignore what +update_pkru_in_sigframe() wrote. + +The problematic sequence of events is something like this: + +Userspace does: + * wrpkru(0xffff0000) (or whatever) + * Hardware sets: XINUSE[PKRU]=1 +Signal happens, kernel is entered: + * sig_prepare_pkru() => wrpkru(0x00000000) + * Hardware sets: XINUSE[PKRU]=0 (aggressive AMD init tracker) + * XSAVE writes most of XSAVE buffer, including + XSTATE_BV[PKRU]=XINUSE[PKRU]=0 + * update_pkru_in_sigframe() overwrites PKRU in XSAVE buffer +... signal handling + * XRSTOR sees XSTATE_BV[PKRU]==0, ignores just-written value + from update_pkru_in_sigframe() + +Fixes: 70044df250d0 ("x86/pkeys: Update PKRU to enable all pkeys before XSAVE") +Suggested-by: Rudi Horn +Signed-off-by: Aruna Ramakrishna +Signed-off-by: Dave Hansen +Acked-by: Dave Hansen +Link: https://lore.kernel.org/all/20241119174520.3987538-3-aruna.ramakrishna%40oracle.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/fpu/xstate.h | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h +index 6b2924fbe5b8d..aa16f1a1bbcf1 100644 +--- a/arch/x86/kernel/fpu/xstate.h ++++ b/arch/x86/kernel/fpu/xstate.h +@@ -72,10 +72,22 @@ static inline u64 xfeatures_mask_independent(void) + /* + * Update the value of PKRU register that was already pushed onto the signal frame. + */ +-static inline int update_pkru_in_sigframe(struct xregs_state __user *buf, u32 pkru) ++static inline int update_pkru_in_sigframe(struct xregs_state __user *buf, u64 mask, u32 pkru) + { ++ u64 xstate_bv; ++ int err; ++ + if (unlikely(!cpu_feature_enabled(X86_FEATURE_OSPKE))) + return 0; ++ ++ /* Mark PKRU as in-use so that it is restored correctly. */ ++ xstate_bv = (mask & xfeatures_in_use()) | XFEATURE_MASK_PKRU; ++ ++ err = __put_user(xstate_bv, &buf->header.xfeatures); ++ if (err) ++ return err; ++ ++ /* Update PKRU value in the userspace xsave buffer. */ + return __put_user(pkru, (unsigned int __user *)get_xsave_addr_user(buf, XFEATURE_PKRU)); + } + +@@ -292,7 +304,7 @@ static inline int xsave_to_user_sigframe(struct xregs_state __user *buf, u32 pkr + clac(); + + if (!err) +- err = update_pkru_in_sigframe(buf, pkru); ++ err = update_pkru_in_sigframe(buf, mask, pkru); + + return err; + } +-- +2.43.0 + diff --git a/queue-6.12/xsk-always-clear-dma-mapping-information-when-unmapp.patch b/queue-6.12/xsk-always-clear-dma-mapping-information-when-unmapp.patch new file mode 100644 index 00000000000..db9a077eb77 --- /dev/null +++ b/queue-6.12/xsk-always-clear-dma-mapping-information-when-unmapp.patch @@ -0,0 +1,67 @@ +From 118be6995e0dd22fa54a0db115b212da495b4ef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 12:29:09 +0100 +Subject: xsk: always clear DMA mapping information when unmapping the pool + +From: Larysa Zaremba + +[ Upstream commit ac9a48a6f1610b094072b815e884e1668aea4401 ] + +When the umem is shared, the DMA mapping is also shared between the xsk +pools, therefore it should stay valid as long as at least 1 user remains. +However, the pool also keeps the copies of DMA-related information that are +initialized in the same way in xp_init_dma_info(), but cleared by +xp_dma_unmap() only for the last remaining pool, this causes the problems +below. + +The first one is that the commit adbf5a42341f ("ice: remove af_xdp_zc_qps +bitmap") relies on pool->dev to determine the presence of a ZC pool on a +given queue, avoiding internal bookkeeping. This works perfectly fine if +the UMEM is not shared, but reliably fails otherwise as stated in the +linked report. + +The second one is pool->dma_pages which is dynamically allocated and +only freed in xp_dma_unmap(), this leads to a small memory leak. kmemleak +does not catch it, but by printing the allocation results after terminating +the userspace program it is possible to see that all addresses except the +one belonging to the last detached pool are still accessible through the +kmemleak dump functionality. + +Always clear the DMA mapping information from the pool and free +pool->dma_pages when unmapping the pool, so that the only difference +between results of the last remaining user's call and the ones before would +be the destruction of the DMA mapping. + +Fixes: adbf5a42341f ("ice: remove af_xdp_zc_qps bitmap") +Fixes: 921b68692abb ("xsk: Enable sharing of dma mappings") +Reported-by: Alasdair McWilliam +Closes: https://lore.kernel.org/PA4P194MB10056F208AF221D043F57A3D86512@PA4P194MB1005.EURP194.PROD.OUTLOOK.COM +Acked-by: Maciej Fijalkowski +Signed-off-by: Larysa Zaremba +Link: https://lore.kernel.org/r/20241122112912.89881-1-larysa.zaremba@intel.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_buff_pool.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index 521a2938e50a1..0662d34b09ee7 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -387,10 +387,9 @@ void xp_dma_unmap(struct xsk_buff_pool *pool, unsigned long attrs) + return; + } + +- if (!refcount_dec_and_test(&dma_map->users)) +- return; ++ if (refcount_dec_and_test(&dma_map->users)) ++ __xp_dma_unmap(dma_map, attrs); + +- __xp_dma_unmap(dma_map, attrs); + kvfree(pool->dma_pages); + pool->dma_pages = NULL; + pool->dma_pages_cnt = 0; +-- +2.43.0 +