From: Sasha Levin Date: Tue, 10 Dec 2024 02:42:08 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v6.6.65~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7df20c6934d8618004801644700b94d49c5ab655;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/alsa-usb-audio-notify-xrun-for-low-latency-mode.patch b/queue-6.1/alsa-usb-audio-notify-xrun-for-low-latency-mode.patch new file mode 100644 index 00000000000..744980d6d29 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-notify-xrun-for-low-latency-mode.patch 
@@ -0,0 +1,78 @@ +From 9051d85f4a4e99d173be5df5b19064c0b095385c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 09:04:16 +0100 +Subject: ALSA: usb-audio: Notify xrun for low-latency mode + +From: Takashi Iwai + +[ Upstream commit 4f9d674377d090e38d93360bd4df21b67534d622 ] + +The low-latency mode of USB-audio driver uses a similar approach like +the implicit feedback mode but it has an explicit queuing at the +trigger start time. The difference is, however, that no packet will +be handled any longer after all queued packets are handled but no +enough data is fed. In the case of implicit feedback mode, the +capture-side packet handling triggers the re-queuing, and this checks +the XRUN. OTOH, in the low-latency mode, it just stops without XRUN +notification unless any new action is taken from user-space via ack +callback. For example, when you stop the stream in aplay, no XRUN is +reported. + +This patch adds the XRUN check at the packet complete callback in the +case all pending URBs are exhausted. Strictly speaking, this state +doesn't match really with XRUN; in theory the application may queue +immediately after this happens. But such behavior is only for +1-period configuration, which the USB-audio driver doesn't support. +So we may conclude that this situation leads certainly to XRUN. + +A caveat is that the XRUN should be triggered only for the PCM RUNNING +state, and not during DRAINING. This additional state check is put in +notify_xrun(), too. 
+ +Fixes: d5f871f89e21 ("ALSA: usb-audio: Improved lowlatency playback support") +Reported-by: Leonard Crestez +Link: https://lore.kernel.org/25d5b0d8-4efd-4630-9d33-7a9e3fa9dc2b@gmail.com +Link: https://patch.msgid.link/20241128080446.1181-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/endpoint.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 647fa054d8b1d..e3684dfa5f1fa 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -403,10 +403,15 @@ static int prepare_inbound_urb(struct snd_usb_endpoint *ep, + static void notify_xrun(struct snd_usb_endpoint *ep) + { + struct snd_usb_substream *data_subs; ++ struct snd_pcm_substream *psubs; + + data_subs = READ_ONCE(ep->data_subs); +- if (data_subs && data_subs->pcm_substream) +- snd_pcm_stop_xrun(data_subs->pcm_substream); ++ if (!data_subs) ++ return; ++ psubs = data_subs->pcm_substream; ++ if (psubs && psubs->runtime && ++ psubs->runtime->state == SNDRV_PCM_STATE_RUNNING) ++ snd_pcm_stop_xrun(psubs); + } + + static struct snd_usb_packet_info * +@@ -557,7 +562,10 @@ static void snd_complete_urb(struct urb *urb) + push_back_to_ready_list(ep, ctx); + clear_bit(ctx->index, &ep->active_mask); + snd_usb_queue_pending_output_urbs(ep, false); +- atomic_dec(&ep->submitted_urbs); /* decrement at last */ ++ /* decrement at last, and check xrun */ ++ if (atomic_dec_and_test(&ep->submitted_urbs) && ++ !snd_usb_endpoint_implicit_feedback_sink(ep)) ++ notify_xrun(ep); + return; + } + +-- +2.43.0 + diff --git a/queue-6.1/bpf-fix-exact-match-conditions-in-trie_get_next_key.patch b/queue-6.1/bpf-fix-exact-match-conditions-in-trie_get_next_key.patch new file mode 100644 index 00000000000..6406bce08d1 --- /dev/null +++ b/queue-6.1/bpf-fix-exact-match-conditions-in-trie_get_next_key.patch 
@@ -0,0 +1,60 @@ +From 32accb9c3c192d9d7f86785ed1453b4d9e772a86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:18 +0800 +Subject: bpf: Fix exact match conditions in trie_get_next_key() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit 27abc7b3fa2e09bbe41e2924d328121546865eda ] + +trie_get_next_key() uses node->prefixlen == key->prefixlen to identify +an exact match, However, it is incorrect because when the target key +doesn't fully match the found node (e.g., node->prefixlen != matchlen), +these two nodes may also have the same prefixlen. It will return +expected result when the passed key exist in the trie. However when a +recently-deleted key or nonexistent key is passed to +trie_get_next_key(), it may skip keys and return incorrect result. + +Fix it by using node->prefixlen == matchlen to identify exact matches. +When the condition is true after the search, it also implies +node->prefixlen equals key->prefixlen, otherwise, the search would +return NULL instead. + +Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map") +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-6-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index c5fa2a74de771..fd6e31e722908 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -641,7 +641,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key) + struct lpm_trie_node **node_stack = NULL; + int err = 0, stack_ptr = -1; + unsigned int next_bit; +- size_t matchlen; ++ size_t matchlen = 0; + + /* The get_next_key follows postorder. 
For the 4 node example in + * the top of this file, the trie_get_next_key() returns the following +@@ -680,7 +680,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key) + next_bit = extract_bit(key->data, node->prefixlen); + node = rcu_dereference(node->child[next_bit]); + } +- if (!node || node->prefixlen != key->prefixlen || ++ if (!node || node->prefixlen != matchlen || + (node->flags & LPM_TREE_NODE_FLAG_IM)) + goto find_leftmost; + +-- +2.43.0 + diff --git a/queue-6.1/bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch b/queue-6.1/bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch new file mode 100644 index 00000000000..dcf44bf3cde --- /dev/null +++ b/queue-6.1/bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch 
@@ -0,0 +1,80 @@ +From 2165a2a28c3ed75d598e0e5f9b2c952d7acdf91e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:16 +0800 +Subject: bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit eae6a075e9537dd69891cf77ca5a88fa8a28b4a1 ] + +Add the currently missing handling for the BPF_EXIST and BPF_NOEXIST +flags. These flags can be specified by users and are relevant since LPM +trie supports exact matches during update. + +Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Daniel Borkmann +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-4-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index d8ddb1e245d9d..0b35f1a9e901c 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -368,6 +368,10 @@ static int trie_update_elem(struct bpf_map *map, + * simply assign the @new_node to that slot and be done. + */ + if (!node) { ++ if (flags == BPF_EXIST) { ++ ret = -ENOENT; ++ goto out; ++ } + rcu_assign_pointer(*slot, new_node); + goto out; + } +@@ -376,18 +380,31 @@ static int trie_update_elem(struct bpf_map *map, + * which already has the correct data array set. 
+ */ + if (node->prefixlen == matchlen) { ++ if (!(node->flags & LPM_TREE_NODE_FLAG_IM)) { ++ if (flags == BPF_NOEXIST) { ++ ret = -EEXIST; ++ goto out; ++ } ++ trie->n_entries--; ++ } else if (flags == BPF_EXIST) { ++ ret = -ENOENT; ++ goto out; ++ } ++ + new_node->child[0] = node->child[0]; + new_node->child[1] = node->child[1]; + +- if (!(node->flags & LPM_TREE_NODE_FLAG_IM)) +- trie->n_entries--; +- + rcu_assign_pointer(*slot, new_node); + free_node = node; + + goto out; + } + ++ if (flags == BPF_EXIST) { ++ ret = -ENOENT; ++ goto out; ++ } ++ + /* If the new node matches the prefix completely, it must be inserted + * as an ancestor. Simply insert it between @node and *@slot. + */ +-- +2.43.0 + diff --git a/queue-6.1/bpf-handle-in-place-update-for-full-lpm-trie-correct.patch b/queue-6.1/bpf-handle-in-place-update-for-full-lpm-trie-correct.patch new file mode 100644 index 00000000000..181dd5f83ac --- /dev/null +++ b/queue-6.1/bpf-handle-in-place-update-for-full-lpm-trie-correct.patch 
@@ -0,0 +1,138 @@ +From 32d6dc38fee33d57d3965fefeecacf8bd0d2a91c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:17 +0800 +Subject: bpf: Handle in-place update for full LPM trie correctly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit 532d6b36b2bfac5514426a97a4df8d103d700d43 ] + +When a LPM trie is full, in-place updates of existing elements +incorrectly return -ENOSPC. + +Fix this by deferring the check of trie->n_entries. For new insertions, +n_entries must not exceed max_entries. However, in-place updates are +allowed even when the trie is full. + +Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-5-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 44 +++++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index 694fbf9891f4f..c5fa2a74de771 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -302,6 +302,16 @@ static struct lpm_trie_node *lpm_trie_node_alloc(const struct lpm_trie *trie, + return node; + } + ++static int trie_check_add_elem(struct lpm_trie *trie, u64 flags) ++{ ++ if (flags == BPF_EXIST) ++ return -ENOENT; ++ if (trie->n_entries == trie->map.max_entries) ++ return -ENOSPC; ++ trie->n_entries++; ++ return 0; ++} ++ + /* Called from syscall or from eBPF program */ + static int trie_update_elem(struct bpf_map *map, + void *_key, void *value, u64 flags) +@@ -325,20 +335,12 @@ static int trie_update_elem(struct bpf_map *map, + spin_lock_irqsave(&trie->lock, irq_flags); + + /* Allocate and fill a new node */ +- +- if (trie->n_entries == trie->map.max_entries) { +- ret = -ENOSPC; +- goto out; +- } +- + new_node = 
lpm_trie_node_alloc(trie, value); + if (!new_node) { + ret = -ENOMEM; + goto out; + } + +- trie->n_entries++; +- + new_node->prefixlen = key->prefixlen; + RCU_INIT_POINTER(new_node->child[0], NULL); + RCU_INIT_POINTER(new_node->child[1], NULL); +@@ -368,10 +370,10 @@ static int trie_update_elem(struct bpf_map *map, + * simply assign the @new_node to that slot and be done. + */ + if (!node) { +- if (flags == BPF_EXIST) { +- ret = -ENOENT; ++ ret = trie_check_add_elem(trie, flags); ++ if (ret) + goto out; +- } ++ + rcu_assign_pointer(*slot, new_node); + goto out; + } +@@ -385,10 +387,10 @@ static int trie_update_elem(struct bpf_map *map, + ret = -EEXIST; + goto out; + } +- trie->n_entries--; +- } else if (flags == BPF_EXIST) { +- ret = -ENOENT; +- goto out; ++ } else { ++ ret = trie_check_add_elem(trie, flags); ++ if (ret) ++ goto out; + } + + new_node->child[0] = node->child[0]; +@@ -400,10 +402,9 @@ static int trie_update_elem(struct bpf_map *map, + goto out; + } + +- if (flags == BPF_EXIST) { +- ret = -ENOENT; ++ ret = trie_check_add_elem(trie, flags); ++ if (ret) + goto out; +- } + + /* If the new node matches the prefix completely, it must be inserted + * as an ancestor. Simply insert it between @node and *@slot. +@@ -417,6 +418,7 @@ static int trie_update_elem(struct bpf_map *map, + + im_node = lpm_trie_node_alloc(trie, NULL); + if (!im_node) { ++ trie->n_entries--; + ret = -ENOMEM; + goto out; + } +@@ -438,12 +440,8 @@ static int trie_update_elem(struct bpf_map *map, + rcu_assign_pointer(*slot, im_node); + + out: +- if (ret) { +- if (new_node) +- trie->n_entries--; ++ if (ret) + kfree(new_node); +- } +- + spin_unlock_irqrestore(&trie->lock, irq_flags); + kfree_rcu(free_node, rcu); + +-- +2.43.0 + diff --git a/queue-6.1/bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch b/queue-6.1/bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch new file mode 100644 index 00000000000..ca8a9af00c9 --- /dev/null 
+++ b/queue-6.1/bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch @@ -0,0 +1,53 @@ +From 02c52b4997b1100f1e05c5865d6cd32f6fdc343b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 19:06:15 +0800 +Subject: bpf: Remove unnecessary kfree(im_node) in lpm_trie_update_elem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hou Tao + +[ Upstream commit 3d5611b4d7efbefb85a74fcdbc35c603847cc022 ] + +There is no need to call kfree(im_node) when updating element fails, +because im_node must be NULL. Remove the unnecessary kfree() for +im_node. + +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Daniel Borkmann +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20241206110622.1161752-3-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 532d6b36b2bf ("bpf: Handle in-place update for full LPM trie correctly") +Signed-off-by: Sasha Levin +--- + kernel/bpf/lpm_trie.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index 0b35f1a9e901c..694fbf9891f4f 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -307,7 +307,7 @@ static int trie_update_elem(struct bpf_map *map, + void *_key, void *value, u64 flags) + { + struct lpm_trie *trie = container_of(map, struct lpm_trie, map); +- struct lpm_trie_node *node, *im_node = NULL, *new_node = NULL; ++ struct lpm_trie_node *node, *im_node, *new_node = NULL; + struct lpm_trie_node *free_node = NULL; + struct lpm_trie_node __rcu **slot; + struct bpf_lpm_trie_key_u8 *key = _key; +@@ -441,9 +441,7 @@ static int trie_update_elem(struct bpf_map *map, + if (ret) { + if (new_node) + trie->n_entries--; +- + kfree(new_node); +- kfree(im_node); + } + + spin_unlock_irqrestore(&trie->lock, irq_flags); +-- +2.43.0 + 
diff --git a/queue-6.1/bpftool-fix-potential-null-pointer-dereferencing-in-.patch b/queue-6.1/bpftool-fix-potential-null-pointer-dereferencing-in-.patch new file mode 100644 index 00000000000..7b092186528 --- /dev/null +++ b/queue-6.1/bpftool-fix-potential-null-pointer-dereferencing-in-.patch @@ -0,0 +1,54 @@ +From 49ca6117a11dd464012c8acc2ea24d8f9f4c06c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 12:04:13 +0330 +Subject: bpftool: fix potential NULL pointer dereferencing in prog_dump() + +From: Amir Mohammadi + +[ Upstream commit ef3ba8c258ee368a5343fa9329df85b4bcb9e8b5 ] + +A NULL pointer dereference could occur if ksyms +is not properly checked before usage in the prog_dump() function. + +Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump") +Signed-off-by: Amir Mohammadi +Reviewed-by: Quentin Monnet +Acked-by: John Fastabend +Link: https://lore.kernel.org/r/20241121083413.7214-1-amiremohamadi@yahoo.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/prog.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index 801e564b055a0..1c3dc1dae23f6 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -820,11 +820,18 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode, + printf("%s:\n", sym_name); + } + +- if (disasm_print_insn(img, lens[i], opcodes, +- name, disasm_opt, btf, +- prog_linfo, ksyms[i], i, +- linum)) +- goto exit_free; ++ if (ksyms) { ++ if (disasm_print_insn(img, lens[i], opcodes, ++ name, disasm_opt, btf, ++ prog_linfo, ksyms[i], i, ++ linum)) ++ goto exit_free; ++ } else { ++ if (disasm_print_insn(img, lens[i], opcodes, ++ name, disasm_opt, btf, ++ NULL, 0, 0, false)) ++ goto exit_free; ++ } + + img += lens[i]; + +-- +2.43.0 + 
diff --git a/queue-6.1/bpftool-remove-asserts-from-jit-disassembler.patch b/queue-6.1/bpftool-remove-asserts-from-jit-disassembler.patch new file mode 100644 index 00000000000..69b52ab8bd9 --- /dev/null +++ b/queue-6.1/bpftool-remove-asserts-from-jit-disassembler.patch 
@@ -0,0 +1,242 @@ +From b32360f68ffc93460b4551861a4e6f620e3c8d03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 16:03:23 +0100 +Subject: bpftool: Remove asserts from JIT disassembler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Quentin Monnet + +[ Upstream commit 55b4de58d0e2aca810ed2b198a0173640300acf8 ] + +The JIT disassembler in bpftool is the only components (with the JSON +writer) using asserts to check the return values of functions. But it +does not do so in a consistent way, and diasm_print_insn() returns no +value, although sometimes the operation failed. + +Remove the asserts, and instead check the return values, print messages +on errors, and propagate the error to the caller from prog.c. + +Remove the inclusion of assert.h from jit_disasm.c, and also from map.c +where it is unused. + +Signed-off-by: Quentin Monnet +Tested-by: Niklas Söderlund +Acked-by: Song Liu +Link: https://lore.kernel.org/r/20221025150329.97371-3-quentin@isovalent.com +Signed-off-by: Alexei Starovoitov +Stable-dep-of: ef3ba8c258ee ("bpftool: fix potential NULL pointer dereferencing in prog_dump()") +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/jit_disasm.c | 51 +++++++++++++++++++++++----------- + tools/bpf/bpftool/main.h | 25 +++++++++-------- + tools/bpf/bpftool/map.c | 1 - + tools/bpf/bpftool/prog.c | 15 ++++++---- + 4 files changed, 57 insertions(+), 35 deletions(-) + +diff --git a/tools/bpf/bpftool/jit_disasm.c b/tools/bpf/bpftool/jit_disasm.c +index aaf99a0168c90..fe23c9669a876 100644 +--- a/tools/bpf/bpftool/jit_disasm.c ++++ b/tools/bpf/bpftool/jit_disasm.c +@@ -16,7 +16,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -29,14 +28,18 @@ + #include "json_writer.h" + #include "main.h" + +-static void get_exec_path(char *tpath, size_t size) ++static int get_exec_path(char *tpath, size_t size) + { + const char *path = "/proc/self/exe"; + ssize_t len; + + len = 
readlink(path, tpath, size - 1); +- assert(len > 0); ++ if (len <= 0) ++ return -1; ++ + tpath[len] = 0; ++ ++ return 0; + } + + static int oper_count; +@@ -97,30 +100,39 @@ static int fprintf_json_styled(void *out, + return r; + } + +-void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, +- const char *arch, const char *disassembler_options, +- const struct btf *btf, +- const struct bpf_prog_linfo *prog_linfo, +- __u64 func_ksym, unsigned int func_idx, +- bool linum) ++int disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, ++ const char *arch, const char *disassembler_options, ++ const struct btf *btf, ++ const struct bpf_prog_linfo *prog_linfo, ++ __u64 func_ksym, unsigned int func_idx, ++ bool linum) + { + const struct bpf_line_info *linfo = NULL; + disassembler_ftype disassemble; ++ int count, i, pc = 0, err = -1; + struct disassemble_info info; + unsigned int nr_skip = 0; +- int count, i, pc = 0; + char tpath[PATH_MAX]; + bfd *bfdf; + + if (!len) +- return; ++ return -1; + + memset(tpath, 0, sizeof(tpath)); +- get_exec_path(tpath, sizeof(tpath)); ++ if (get_exec_path(tpath, sizeof(tpath))) { ++ p_err("failed to create disasembler (get_exec_path)"); ++ return -1; ++ } + + bfdf = bfd_openr(tpath, NULL); +- assert(bfdf); +- assert(bfd_check_format(bfdf, bfd_object)); ++ if (!bfdf) { ++ p_err("failed to create disassembler (bfd_openr)"); ++ return -1; ++ } ++ if (!bfd_check_format(bfdf, bfd_object)) { ++ p_err("failed to create disassembler (bfd_check_format)"); ++ goto exit_close; ++ } + + if (json_output) + init_disassemble_info_compat(&info, stdout, +@@ -139,7 +151,7 @@ void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, + bfdf->arch_info = inf; + } else { + p_err("No libbfd support for %s", arch); +- return; ++ goto exit_close; + } + } + +@@ -160,7 +172,10 @@ void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, + #else + disassemble = disassembler(bfdf); + #endif +- assert(disassemble); ++ if 
(!disassemble) { ++ p_err("failed to create disassembler"); ++ goto exit_close; ++ } + + if (json_output) + jsonw_start_array(json_wtr); +@@ -224,7 +239,11 @@ void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, + if (json_output) + jsonw_end_array(json_wtr); + ++ err = 0; ++ ++exit_close: + bfd_close(bfdf); ++ return err; + } + + int disasm_init(void) +diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h +index 5e5060c2ac047..c9e171082cf61 100644 +--- a/tools/bpf/bpftool/main.h ++++ b/tools/bpf/bpftool/main.h +@@ -173,22 +173,23 @@ int map_parse_fd_and_info(int *argc, char ***argv, void *info, __u32 *info_len); + + struct bpf_prog_linfo; + #ifdef HAVE_LIBBFD_SUPPORT +-void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, +- const char *arch, const char *disassembler_options, +- const struct btf *btf, +- const struct bpf_prog_linfo *prog_linfo, +- __u64 func_ksym, unsigned int func_idx, +- bool linum); ++int disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, ++ const char *arch, const char *disassembler_options, ++ const struct btf *btf, ++ const struct bpf_prog_linfo *prog_linfo, ++ __u64 func_ksym, unsigned int func_idx, ++ bool linum); + int disasm_init(void); + #else + static inline +-void disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, +- const char *arch, const char *disassembler_options, +- const struct btf *btf, +- const struct bpf_prog_linfo *prog_linfo, +- __u64 func_ksym, unsigned int func_idx, +- bool linum) ++int disasm_print_insn(unsigned char *image, ssize_t len, int opcodes, ++ const char *arch, const char *disassembler_options, ++ const struct btf *btf, ++ const struct bpf_prog_linfo *prog_linfo, ++ __u64 func_ksym, unsigned int func_idx, ++ bool linum) + { ++ return 0; + } + static inline int disasm_init(void) + { +diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c +index 9a6ca9f311338..3087ced658adc 100644 +--- a/tools/bpf/bpftool/map.c ++++ 
b/tools/bpf/bpftool/map.c +@@ -1,7 +1,6 @@ + // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) + /* Copyright (C) 2017-2018 Netronome Systems, Inc. */ + +-#include + #include + #include + #include +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index 7e0b846e17eef..801e564b055a0 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -820,10 +820,11 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode, + printf("%s:\n", sym_name); + } + +- disasm_print_insn(img, lens[i], opcodes, +- name, disasm_opt, btf, +- prog_linfo, ksyms[i], i, +- linum); ++ if (disasm_print_insn(img, lens[i], opcodes, ++ name, disasm_opt, btf, ++ prog_linfo, ksyms[i], i, ++ linum)) ++ goto exit_free; + + img += lens[i]; + +@@ -836,8 +837,10 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode, + if (json_output) + jsonw_end_array(json_wtr); + } else { +- disasm_print_insn(buf, member_len, opcodes, name, +- disasm_opt, btf, NULL, 0, 0, false); ++ if (disasm_print_insn(buf, member_len, opcodes, name, ++ disasm_opt, btf, NULL, 0, 0, ++ false)) ++ goto exit_free; + } + } else if (visual) { + if (json_output) +-- +2.43.0 + diff --git a/queue-6.1/drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch b/queue-6.1/drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch new file mode 100644 index 00000000000..a867b1244c3 --- /dev/null +++ b/queue-6.1/drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch 
@@ -0,0 +1,41 @@ +From ddab5fcd38f08735ffe69ecf81f49f84ca6e731f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2024 15:21:36 +0800 +Subject: drm/sti: Add __iomem for mixer_dbg_mxn's parameter + +From: Pei Xiao + +[ Upstream commit 86e8f94789dd6f3e705bfa821e1e416f97a2f863 ] + +Sparse complains about incorrect type in argument 1. +expected void const volatile __iomem *ptr but got void *. +so modify mixer_dbg_mxn's addr parameter. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202411191809.6V3c826r-lkp@intel.com/ +Fixes: a5f81078a56c ("drm/sti: add debugfs entries for MIXER crtc") +Signed-off-by: Pei Xiao +Acked-by: Raphael Gallais-Pou +Link: https://patchwork.freedesktop.org/patch/msgid/c28f0dcb6a4526721d83ba1f659bba30564d3d54.1732087094.git.xiaopei01@kylinos.cn +Signed-off-by: Raphael Gallais-Pou +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_mixer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sti/sti_mixer.c b/drivers/gpu/drm/sti/sti_mixer.c +index 7e5f14646625b..06c1b81912f79 100644 +--- a/drivers/gpu/drm/sti/sti_mixer.c ++++ b/drivers/gpu/drm/sti/sti_mixer.c +@@ -137,7 +137,7 @@ static void mixer_dbg_crb(struct seq_file *s, int val) + } + } + +-static void mixer_dbg_mxn(struct seq_file *s, void *addr) ++static void mixer_dbg_mxn(struct seq_file *s, void __iomem *addr) + { + int i; + +-- +2.43.0 + diff --git a/queue-6.1/drm-v3d-enable-performance-counters-before-clearing-.patch b/queue-6.1/drm-v3d-enable-performance-counters-before-clearing-.patch new file mode 100644 index 00000000000..c687bf84b12 --- /dev/null +++ b/queue-6.1/drm-v3d-enable-performance-counters-before-clearing-.patch 
@@ -0,0 +1,53 @@ +From 3aa40486c663de10a88e42e01b0880966a8191a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 09:28:31 -0300 +Subject: drm/v3d: Enable Performance Counters before clearing them +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit c98b10496b2f3c4f576af3482c71aadcfcbf765e ] + +On the Raspberry Pi 5, performance counters are not being cleared +when `v3d_perfmon_start()` is called, even though we write to the +CLR register. As a result, their values accumulate until they +overflow. + +The expected behavior is for performance counters to reset to zero +at the start of a job. When the job finishes and the perfmon is +stopped, the counters should accurately reflect the values for that +specific job. + +To ensure this behavior, the performance counters are now enabled +before being cleared. This allows the CLR register to function as +intended, zeroing the counter values when the job begins. + +Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace") +Signed-off-by: Maíra Canal +Reviewed-by: Iago Toral Quiroga +Link: https://patchwork.freedesktop.org/patch/msgid/20241204122831.17015-1-mcanal@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/v3d/v3d_perfmon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/v3d/v3d_perfmon.c b/drivers/gpu/drm/v3d/v3d_perfmon.c +index cb56627328bb0..101332775b6a7 100644 +--- a/drivers/gpu/drm/v3d/v3d_perfmon.c ++++ b/drivers/gpu/drm/v3d/v3d_perfmon.c +@@ -49,9 +49,9 @@ void v3d_perfmon_start(struct v3d_dev *v3d, struct v3d_perfmon *perfmon) + V3D_CORE_WRITE(0, V3D_V4_PCTR_0_SRC_X(source), channel); + } + ++ V3D_CORE_WRITE(0, V3D_V4_PCTR_0_EN, mask); + V3D_CORE_WRITE(0, V3D_V4_PCTR_0_CLR, mask); + V3D_CORE_WRITE(0, V3D_PCTR_0_OVERFLOW, mask); +- V3D_CORE_WRITE(0, V3D_V4_PCTR_0_EN, mask); + + v3d->active_perfmon = perfmon; + } +-- +2.43.0 + 
diff --git a/queue-6.1/iio-magnetometer-yas530-use-signed-integer-type-for-.patch b/queue-6.1/iio-magnetometer-yas530-use-signed-integer-type-for-.patch new file mode 100644 index 00000000000..7ff3e9d7e91 --- /dev/null +++ b/queue-6.1/iio-magnetometer-yas530-use-signed-integer-type-for-.patch 
@@ -0,0 +1,85 @@ +From 13d4a4e4899d3fb9160278419845ec8c7c606ed6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2024 22:25:07 +0100 +Subject: iio: magnetometer: yas530: use signed integer type for clamp limits + +From: Jakob Hauser + +[ Upstream commit f1ee5483e40881d8ad5a63aa148b753b5c6a839b ] + +In the function yas537_measure() there is a clamp_val() with limits of +-BIT(13) and BIT(13) - 1. The input clamp value h[] is of type s32. The +BIT() is of type unsigned long integer due to its define in +include/vdso/bits.h. The lower limit -BIT(13) is recognized as -8192 but +expressed as an unsigned long integer. The size of an unsigned long +integer differs between 32-bit and 64-bit architectures. Converting this +to type s32 may lead to undesired behavior. + +Additionally, in the calculation lines h[0], h[1] and h[2] the unsigned +long integer divisor BIT(13) causes an unsigned division, shifting the +left-hand side of the equation back and forth, possibly ending up in large +positive values instead of negative values on 32-bit architectures. + +To solve those two issues, declare a signed integer with a value of +BIT(13). + +There is another omission in the clamp line: clamp_val() returns a value +and it's going nowhere here. Self-assign it to h[i] to make use of the +clamp macro. + +Finally, replace clamp_val() macro by clamp() because after changing the +limits from type unsigned long integer to signed integer it's fine that +way. 
+ +Link: https://lkml.kernel.org/r/11609b2243c295d65ab4d47e78c239d61ad6be75.1732914810.git.jahau@rocketmail.com +Fixes: 65f79b501030 ("iio: magnetometer: yas530: Add YAS537 variant") +Signed-off-by: Jakob Hauser + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202411230458.dhZwh3TT-lkp@intel.com/ +Closes: https://lore.kernel.org/oe-kbuild-all/202411282222.oF0B4110-lkp@intel.com/ +Reviewed-by: David Laight +Acked-by: Jonathan Cameron +Cc: Lars-Peter Clausen +Cc: Linus Walleij +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/iio/magnetometer/yamaha-yas530.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/magnetometer/yamaha-yas530.c b/drivers/iio/magnetometer/yamaha-yas530.c +index 801c760feb4d1..1cbe3ca797471 100644 +--- a/drivers/iio/magnetometer/yamaha-yas530.c ++++ b/drivers/iio/magnetometer/yamaha-yas530.c +@@ -372,6 +372,7 @@ static int yas537_measure(struct yas5xx *yas5xx, u16 *t, u16 *x, u16 *y1, u16 *y + u8 data[8]; + u16 xy1y2[3]; + s32 h[3], s[3]; ++ int half_range = BIT(13); + int i, ret; + + mutex_lock(&yas5xx->lock); +@@ -406,13 +407,13 @@ static int yas537_measure(struct yas5xx *yas5xx, u16 *t, u16 *x, u16 *y1, u16 *y + /* The second version of YAS537 needs to include calibration coefficients */ + if (yas5xx->version == YAS537_VERSION_1) { + for (i = 0; i < 3; i++) +- s[i] = xy1y2[i] - BIT(13); +- h[0] = (c->k * (128 * s[0] + c->a2 * s[1] + c->a3 * s[2])) / BIT(13); +- h[1] = (c->k * (c->a4 * s[0] + c->a5 * s[1] + c->a6 * s[2])) / BIT(13); +- h[2] = (c->k * (c->a7 * s[0] + c->a8 * s[1] + c->a9 * s[2])) / BIT(13); ++ s[i] = xy1y2[i] - half_range; ++ h[0] = (c->k * (128 * s[0] + c->a2 * s[1] + c->a3 * s[2])) / half_range; ++ h[1] = (c->k * (c->a4 * s[0] + c->a5 * s[1] + c->a6 * s[2])) / half_range; ++ h[2] = (c->k * (c->a7 * s[0] + c->a8 * s[1] + c->a9 * s[2])) / half_range; + for (i = 0; i < 3; i++) { +- clamp_val(h[i], -BIT(13), BIT(13) - 1); +- 
xy1y2[i] = h[i] + BIT(13); ++ h[i] = clamp(h[i], -half_range, half_range - 1); ++ xy1y2[i] = h[i] + half_range; + } + } + +-- +2.43.0 + diff --git a/queue-6.1/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch b/queue-6.1/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch new file mode 100644 index 00000000000..d357a3f7910 --- /dev/null +++ b/queue-6.1/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch 
@@ -0,0 +1,50 @@ +From 2487d79b7751a74e379e199e67a4b094a94a2961 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Nov 2024 22:28:34 +0900 +Subject: ocfs2: free inode when ocfs2_get_init_inode() fails + +From: Tetsuo Handa + +[ Upstream commit 965b5dd1894f4525f38c1b5f99b0106a07dbb5db ] + +syzbot is reporting busy inodes after unmount, for commit 9c89fe0af826 +("ocfs2: Handle error from dquot_initialize()") forgot to call iput() when +new_inode() succeeded and dquot_initialize() failed. + +Link: https://lkml.kernel.org/r/e68c0224-b7c6-4784-b4fa-a9fc8c675525@I-love.SAKURA.ne.jp +Fixes: 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()") +Signed-off-by: Tetsuo Handa +Reported-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0af00f6a2cba2058b5db +Tested-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/namei.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c +index 8a0fa51c9ac68..63b06377f6305 100644 +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -200,8 +200,10 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode) + mode = mode_strip_sgid(&init_user_ns, dir, mode); + inode_init_owner(&init_user_ns, inode, dir, mode); + status = dquot_initialize(inode); +- if (status) ++ if (status) { ++ iput(inode); + return ERR_PTR(status); ++ } + + return inode; + } +-- +2.43.0 + diff --git a/queue-6.1/scatterlist-fix-incorrect-func-name-in-kernel-doc.patch b/queue-6.1/scatterlist-fix-incorrect-func-name-in-kernel-doc.patch new file mode 100644 index 00000000000..c3f890074de --- /dev/null +++ b/queue-6.1/scatterlist-fix-incorrect-func-name-in-kernel-doc.patch 
@@ -0,0 +1,41 @@ +From 7bf33648c54c62ff7ca46d72be0d509d7a5389ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2024 18:24:06 -0800 +Subject: scatterlist: fix incorrect func name in kernel-doc + +From: Randy Dunlap + +[ Upstream commit d89c8ec0546184267cb211b579514ebaf8916100 ] + +Fix a kernel-doc warning by making the kernel-doc function description +match the function name: + +include/linux/scatterlist.h:323: warning: expecting prototype for sg_unmark_bus_address(). Prototype was for sg_dma_unmark_bus_address() instead + +Link: https://lkml.kernel.org/r/20241130022406.537973-1-rdunlap@infradead.org +Fixes: 42399301203e ("lib/scatterlist: add flag for indicating P2PDMA segments in an SGL") +Signed-off-by: Randy Dunlap +Cc: Logan Gunthorpe +Cc: Christoph Hellwig +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/scatterlist.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h +index 375a5e90d86ac..02cdcd3c31fb4 100644 +--- a/include/linux/scatterlist.h ++++ b/include/linux/scatterlist.h +@@ -288,7 +288,7 @@ static inline void sg_dma_mark_bus_address(struct scatterlist *sg) + } + + /** +- * sg_unmark_bus_address - Unmark the scatterlist entry as a bus address ++ * sg_dma_unmark_bus_address - Unmark the scatterlist entry as a bus address + * @sg: SG entry + * + * Description: +-- +2.43.0 + diff --git a/queue-6.1/scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch b/queue-6.1/scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch new file mode 100644 index 00000000000..c9830cbbc3d --- /dev/null +++ b/queue-6.1/scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch 
@@ -0,0 +1,42 @@ +From 2edf1eb5baad9db8163c858e42ed84e3e0efafdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 13:00:45 +0000 +Subject: scsi: scsi_debug: Fix hrtimer support for ndelay + +From: John Garry + +[ Upstream commit 6918141d815acef056a0d10e966a027d869a922d ] + +Since commit 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration +calculation"), ns_from_boot value is only evaluated in schedule_resp() +for polled requests. + +However, ns_from_boot is also required for hrtimer support for when +ndelay is less than INCLUSIVE_TIMING_MAX_NS, so fix up the logic to +decide when to evaluate ns_from_boot. + +Fixes: 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration calculation") +Signed-off-by: John Garry +Link: https://lore.kernel.org/r/20241202130045.2335194-1-john.g.garry@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index b77035ddc9440..2493e07a1a5ba 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -5672,7 +5672,7 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip, + if (sdebug_host_max_queue) + sd_dp->hc_idx = get_tag(cmnd); + +- if (polled) ++ if (polled || (ndelay > 0 && ndelay < INCLUSIVE_TIMING_MAX_NS)) + ns_from_boot = ktime_get_boottime_ns(); + + /* one of the resp_*() response functions is called here */ +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 7f2b3e6aa3a..b9d9ee970ab 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -596,3 +596,20 @@ device-property-introduce-device_for_each_child_node.patch leds-flash-mt6360-fix-device_for_each_child_node-ref.patch drm-bridge-it6505-update-usleep_range-for-rc-circuit.patch drm-bridge-it6505-fix-inverted-reset-polarity.patch +xsk-always-clear-dma-mapping-information-when-unmapp.patch +bpftool-remove-asserts-from-jit-disassembler.patch +bpftool-fix-potential-null-pointer-dereferencing-in-.patch +drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch +tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch +alsa-usb-audio-notify-xrun-for-low-latency-mode.patch +tools-override-makefile-arch-variable-if-defined-but.patch +spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch +scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch +drm-v3d-enable-performance-counters-before-clearing-.patch +ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch +scatterlist-fix-incorrect-func-name-in-kernel-doc.patch +iio-magnetometer-yas530-use-signed-integer-type-for-.patch +bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch +bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch +bpf-handle-in-place-update-for-full-lpm-trie-correct.patch +bpf-fix-exact-match-conditions-in-trie_get_next_key.patch diff --git a/queue-6.1/spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch b/queue-6.1/spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch new file mode 100644 index 00000000000..10a6d528ab2 --- /dev/null +++ b/queue-6.1/spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch 
@@ -0,0 +1,41 @@ +From 47332777563fe6fc6f5a4cf641411700bf57b111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 16:38:17 +0800 +Subject: spi: mpc52xx: Add cancel_work_sync before module remove + +From: Pei Xiao + +[ Upstream commit 984836621aad98802d92c4a3047114cf518074c8 ] + +If we remove the module which will call mpc52xx_spi_remove +it will free 'ms' through spi_unregister_controller. +while the work ms->work will be used. The sequence of operations +that may lead to a UAF bug. + +Fix it by ensuring that the work is canceled before proceeding with +the cleanup in mpc52xx_spi_remove. + +Fixes: ca632f556697 ("spi: reorganize drivers") +Signed-off-by: Pei Xiao +Link: https://patch.msgid.link/1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.1732783000.git.xiaopei01@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mpc52xx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c +index 7b64e64c65cfe..2badf6535b306 100644 +--- a/drivers/spi/spi-mpc52xx.c ++++ b/drivers/spi/spi-mpc52xx.c +@@ -519,6 +519,7 @@ static int mpc52xx_spi_remove(struct platform_device *op) + struct mpc52xx_spi *ms = spi_master_get_devdata(master); + int i; + ++ cancel_work_sync(&ms->work); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + +-- +2.43.0 + diff --git a/queue-6.1/tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch b/queue-6.1/tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch new file mode 100644 index 00000000000..c0387c4c924 --- /dev/null +++ b/queue-6.1/tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch 
@@ -0,0 +1,165 @@ +From 115525546e89c5c1367ed2dd1a16c229f6ca8965 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 23:48:38 +0000 +Subject: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg + +From: Zijian Zhang + +[ Upstream commit ca70b8baf2bd125b2a4d96e76db79375c07d7ff2 ] + +The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging +tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. + +Potential problems with this strategy are as follows: + +- If the actual sent bytes are smaller than tosend, we need to charge some + bytes back, as in line 487, which is okay but seems not clean. + +- When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may + miss uncharging (msg->sg.size - apply_bytes) bytes. + +[...] +415 tosend = msg->sg.size; +416 if (psock->apply_bytes && psock->apply_bytes < tosend) +417 tosend = psock->apply_bytes; +[...] +443 sk_msg_return(sk, msg, tosend); +444 release_sock(sk); +446 origsize = msg->sg.size; +447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, +448 msg, tosend, flags); +449 sent = origsize - msg->sg.size; +[...] +454 lock_sock(sk); +455 if (unlikely(ret < 0)) { +456 int free = sk_msg_free_nocharge(sk, msg); +458 if (!cork) +459 *copied -= free; +460 } +[...] +487 if (eval == __SK_REDIRECT) +488 sk_mem_charge(sk, tosend - sent); +[...] 
+ +When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, +the following warning will be reported: + +------------[ cut here ]------------ +WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 +Modules linked in: +CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Workqueue: events sk_psock_destroy +RIP: 0010:inet_sock_destruct+0x190/0x1a0 +RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 +RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 +RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 +RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 +R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 +R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 +FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + +? __warn+0x89/0x130 +? inet_sock_destruct+0x190/0x1a0 +? report_bug+0xfc/0x1e0 +? handle_bug+0x5c/0xa0 +? exc_invalid_op+0x17/0x70 +? asm_exc_invalid_op+0x1a/0x20 +? inet_sock_destruct+0x190/0x1a0 +__sk_destruct+0x25/0x220 +sk_psock_destroy+0x2b2/0x310 +process_scheduled_works+0xa3/0x3e0 +worker_thread+0x117/0x240 +? __pfx_worker_thread+0x10/0x10 +kthread+0xcf/0x100 +? __pfx_kthread+0x10/0x10 +ret_from_fork+0x31/0x40 +? __pfx_kthread+0x10/0x10 +ret_from_fork_asm+0x1a/0x30 + +---[ end trace 0000000000000000 ]--- + +In __SK_REDIRECT, a more concise way is delaying the uncharging after sent +bytes are finalized, and uncharge this value. When (ret < 0), we shall +invoke sk_msg_free. 
+ +Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, +we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same +warning will be reported in selftest. + +[...] +468 case __SK_DROP: +469 default: +470 sk_msg_free_partial(sk, msg, tosend); +471 sk_msg_apply_bytes(psock, tosend); +472 *copied -= (tosend + delta); +473 return -EACCES; +[...] + +So instead of sk_msg_free_partial we can do sk_msg_free here. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Fixes: 8ec95b94716a ("bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues") +Signed-off-by: Zijian Zhang +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20241016234838.3167769-3-zijianzhang@bytedance.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index f67e4c9f8d40e..deb6286b58810 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -436,7 +436,6 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + cork = true; + psock->cork = NULL; + } +- sk_msg_return(sk, msg, tosend); + release_sock(sk); + + origsize = msg->sg.size; +@@ -448,8 +447,9 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + sock_put(sk_redir); + + lock_sock(sk); ++ sk_mem_uncharge(sk, sent); + if (unlikely(ret < 0)) { +- int free = sk_msg_free_nocharge(sk, msg); ++ int free = sk_msg_free(sk, msg); + + if (!cork) + *copied -= free; +@@ -463,7 +463,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + break; + case __SK_DROP: + default: +- sk_msg_free_partial(sk, msg, tosend); ++ sk_msg_free(sk, msg); + sk_msg_apply_bytes(psock, tosend); + *copied -= (tosend + delta); + return -EACCES; +@@ -479,11 +479,8 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock, + } + if (msg && + 
msg->sg.data[msg->sg.start].page_link && +- msg->sg.data[msg->sg.start].length) { +- if (eval == __SK_REDIRECT) +- sk_mem_charge(sk, tosend - sent); ++ msg->sg.data[msg->sg.start].length) + goto more_data; +- } + } + return ret; + } +-- +2.43.0 + diff --git a/queue-6.1/tools-override-makefile-arch-variable-if-defined-but.patch b/queue-6.1/tools-override-makefile-arch-variable-if-defined-but.patch new file mode 100644 index 00000000000..097c246cd84 --- /dev/null +++ b/queue-6.1/tools-override-makefile-arch-variable-if-defined-but.patch 
@@ -0,0 +1,59 @@ +From b2d6750986f341e6a2228c8b427a74730ca5c974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 11:17:46 +0100 +Subject: tools: Override makefile ARCH variable if defined, but empty +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 537a2525eaf76ea9b0dca62b994500d8670b39d5 ] + +There are a number of tools (bpftool, selftests), that require a +"bootstrap" build. Here, a bootstrap build is a build host variant of +a target. E.g., assume that you're performing a bpftool cross-build on +x86 to riscv, a bootstrap build would then be an x86 variant of +bpftool. The typical way to perform the host build variant, is to pass +"ARCH=" in a sub-make. However, if a variable has been set with a +command argument, then ordinary assignments in the makefile are +ignored. + +This side-effect results in that ARCH, and variables depending on ARCH +are not set. Workaround by overriding ARCH to the host arch, if ARCH +is empty. 
+ +Fixes: 8859b0da5aac ("tools/bpftool: Fix cross-build") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Tested-by: Alexandre Ghiti +Reviewed-by: Jean-Philippe Brucker +Reviewed-by: Namhyung Kim +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Quentin Monnet +Acked-by: Jiri Olsa +Cc: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/bpf/20241127101748.165693-1-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + tools/scripts/Makefile.arch | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/scripts/Makefile.arch b/tools/scripts/Makefile.arch +index 0c6c7f4568878..a57a9b752b6c5 100644 +--- a/tools/scripts/Makefile.arch ++++ b/tools/scripts/Makefile.arch +@@ -7,8 +7,8 @@ HOSTARCH := $(shell uname -m | sed -e s/i.86/x86/ -e s/x86_64/x86/ \ + -e s/sh[234].*/sh/ -e s/aarch64.*/arm64/ \ + -e s/riscv.*/riscv/) + +-ifndef ARCH +-ARCH := $(HOSTARCH) ++ifeq ($(strip $(ARCH)),) ++override ARCH := $(HOSTARCH) + endif + + SRCARCH := $(ARCH) +-- +2.43.0 + diff --git a/queue-6.1/xsk-always-clear-dma-mapping-information-when-unmapp.patch b/queue-6.1/xsk-always-clear-dma-mapping-information-when-unmapp.patch new file mode 100644 index 00000000000..cc92498b687 --- /dev/null +++ b/queue-6.1/xsk-always-clear-dma-mapping-information-when-unmapp.patch 
@@ -0,0 +1,67 @@ +From 44a7eb700bc8cd9c1c6dfb0388e0692a925bdda8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 12:29:09 +0100 +Subject: xsk: always clear DMA mapping information when unmapping the pool + +From: Larysa Zaremba + +[ Upstream commit ac9a48a6f1610b094072b815e884e1668aea4401 ] + +When the umem is shared, the DMA mapping is also shared between the xsk +pools, therefore it should stay valid as long as at least 1 user remains. +However, the pool also keeps the copies of DMA-related information that are +initialized in the same way in xp_init_dma_info(), but cleared by +xp_dma_unmap() only for the last remaining pool, this causes the problems +below. + +The first one is that the commit adbf5a42341f ("ice: remove af_xdp_zc_qps +bitmap") relies on pool->dev to determine the presence of a ZC pool on a +given queue, avoiding internal bookkeeping. This works perfectly fine if +the UMEM is not shared, but reliably fails otherwise as stated in the +linked report. + +The second one is pool->dma_pages which is dynamically allocated and +only freed in xp_dma_unmap(), this leads to a small memory leak. kmemleak +does not catch it, but by printing the allocation results after terminating +the userspace program it is possible to see that all addresses except the +one belonging to the last detached pool are still accessible through the +kmemleak dump functionality. + +Always clear the DMA mapping information from the pool and free +pool->dma_pages when unmapping the pool, so that the only difference +between results of the last remaining user's call and the ones before would +be the destruction of the DMA mapping. 
+ +Fixes: adbf5a42341f ("ice: remove af_xdp_zc_qps bitmap") +Fixes: 921b68692abb ("xsk: Enable sharing of dma mappings") +Reported-by: Alasdair McWilliam +Closes: https://lore.kernel.org/PA4P194MB10056F208AF221D043F57A3D86512@PA4P194MB1005.EURP194.PROD.OUTLOOK.COM +Acked-by: Maciej Fijalkowski +Signed-off-by: Larysa Zaremba +Link: https://lore.kernel.org/r/20241122112912.89881-1-larysa.zaremba@intel.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/xdp/xsk_buff_pool.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c +index ed6c71826d31f..3321ca7eb76c2 100644 +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -356,10 +356,9 @@ void xp_dma_unmap(struct xsk_buff_pool *pool, unsigned long attrs) + return; + } + +- if (!refcount_dec_and_test(&dma_map->users)) +- return; ++ if (refcount_dec_and_test(&dma_map->users)) ++ __xp_dma_unmap(dma_map, attrs); + +- __xp_dma_unmap(dma_map, attrs); + kvfree(pool->dma_pages); + pool->dma_pages_cnt = 0; + pool->dev = NULL; +-- +2.43.0 +
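Review bot: in yas537_measure() (drivers/iio/magnetometer/yamaha-yas530.c), the new `int half_range = BIT(13);` has no comment saying that it exists to keep the subtraction, the three divisions and the clamp limits signed. A later cleanup could put BIT(13) back into `s[i] = xy1y2[i] - half_range` or `/ half_range` and reintroduce the unsigned arithmetic the changelog describes. Suggest a one-line comment at the declaration, and `const int`, since the visible lines never modify it. The old `clamp_val(h[i], -BIT(13), BIT(13) - 1);` discarded its result, so h[i] was stored into the u16 xy1y2[i] unclamped; a test with an out-of-range h[i] would cover the `h[i] = clamp(...)` line.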
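Review bot: in schedule_resp() (drivers/scsi/scsi_debug.c), the new condition `polled || (ndelay > 0 && ndelay < INCLUSIVE_TIMING_MAX_NS)` must stay in step with the later hrtimer path that consumes ns_from_boot, and nothing in the hunk ties the two together. If that later test changes, ns_from_boot is again read without having been evaluated, which is the regression this patch fixes. Suggest a comment at the `if` naming the consumer, or computing the condition once into a local and using that local in both places.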
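Review bot: in mpc52xx_spi_remove() (drivers/spi/spi-mpc52xx.c), `cancel_work_sync(&ms->work);` is placed before `free_irq(ms->irq0, ms);` and `free_irq(ms->irq1, ms);`. If either interrupt handler can queue ms->work, an interrupt arriving between the cancel and the free_irq() calls queues it again, and the use-after-free window described in the changelog stays open. Suggest moving the cancel after both free_irq() calls, or adding a comment that says why the handlers cannot requeue the work at this point.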
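Review bot: in the __SK_DROP case of tcp_bpf_send_verdict() (net/ipv4/tcp_bpf.c), `sk_msg_free(sk, msg);` now frees the whole message, but the two lines after it still account with tosend: `sk_msg_apply_bytes(psock, tosend);` and `*copied -= (tosend + delta);`. When tosend was capped to apply_bytes, more bytes are freed than tosend, so the adjustment to *copied may no longer match what was dropped. The redirect error path in the same patch uses the return value (`int free = sk_msg_free(sk, msg);` followed by `*copied -= free;`); either do the same here or say in the changelog why tosend is still the right amount.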
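Review bot: in tools/scripts/Makefile.arch, the reason for `override ARCH := $(HOSTARCH)` is recorded only in the changelog. The makefile itself does not say that a sub-make passing `ARCH=` on the command line makes an ordinary assignment a no-op. Suggest a short comment above `ifeq ($(strip $(ARCH)),)` stating that, so the `override` is not dropped as redundant and the test is not changed back to `ifndef ARCH`.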
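Review bot: in xp_dma_unmap() (net/xdp/xsk_buff_pool.c), the cleanup after the refcount test now runs for every pool sharing the mapping, but the visible lines free pool->dma_pages with `kvfree(pool->dma_pages);` and reset only `pool->dma_pages_cnt = 0;` and `pool->dev = NULL;`. The pointer itself is left dangling, and a second pass through this path for the same pool would free it twice. Suggest adding `pool->dma_pages = NULL;` directly after the kvfree().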