From: Greg Kroah-Hartman Date: Tue, 7 Mar 2023 10:02:19 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.2.3~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=89680ce1f0a2a791dc16bf7acb65e615fb96f436;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alpha-fix-fen-fault-handling.patch alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch dax-kmem-fix-leak-of-memory-hotplug-resources.patch dm-add-cond_resched-to-dm_wq_work.patch dm-flakey-don-t-corrupt-the-zero-page.patch dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch dm-flakey-fix-logic-when-corrupting-a-bio.patch dm-send-just-one-event-on-resize-not-two.patch docs-gdbmacros-print-newest-record.patch ext4-fix-possible-corruption-when-moving-a-directory.patch ext4-optimize-ea_inode-block-expansion.patch ext4-refuse-to-create-ea-block-when-umounted.patch fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch ktest.pl-add-run_timeout-option-with-default-unlimited.patch ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch mips-fix-syscall_get_nr.patch mm-memcontrol-deprecate-charge-moving.patch mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch qede-fix-interrupt-coalescing-configuration.patch rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch tools-bootconfig-fix-single-used-for-logical-condition.patch wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch wifi-cfg80211-fix-use-after-free-for-wext.patch wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch --- diff --git a/queue-5.15/alpha-fix-fen-fault-handling.patch b/queue-5.15/alpha-fix-fen-fault-handling.patch new file mode 100644 index 00000000000..d5331ce497b --- /dev/null +++ b/queue-5.15/alpha-fix-fen-fault-handling.patch @@ -0,0 +1,88 @@ +From 977a3009547dad4a5bc95d91be4a58c9f7eedac0 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 6 Jan 2023 19:25:59 -0500 +Subject: alpha: fix FEN fault handling + +From: Al Viro + +commit 977a3009547dad4a5bc95d91be4a58c9f7eedac0 upstream. + +Type 3 instruction fault (FPU insn with FPU disabled) is handled +by quietly enabling FPU and returning. Which is fine, except that +we need to do that both for fault in userland and in the kernel; +the latter *can* legitimately happen - all it takes is this: + +.global _start +_start: + call_pal 0xae + lda $0, 0 + ldq $0, 0($0) + +- call_pal CLRFEN to clear "FPU enabled" flag and arrange for +a signal delivery (SIGSEGV in this case). + +Fixed by moving the handling of type 3 into the common part of +do_entIF(), before we check for kernel vs. user mode. + +Incidentally, the check for kernel mode is unidiomatic; the normal +way to do that is !user_mode(regs). The difference is that +the open-coded variant treats any of bits 63..3 of regs->ps being +set as "it's user mode" while the normal approach is to check just +the bit 3. PS is a 4-bit register and regs->ps always will have +bits 63..4 clear, so the open-coded variant here is actually equivalent +to !user_mode(regs). Harder to follow, though... + +Cc: stable@vger.kernel.org +Reviewed-by: Richard Henderson +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/traps.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/arch/alpha/kernel/traps.c ++++ b/arch/alpha/kernel/traps.c +@@ -235,7 +235,21 @@ do_entIF(unsigned long type, struct pt_r + { + int signo, code; + +- if ((regs->ps & ~IPL_MAX) == 0) { ++ if (type == 3) { /* FEN fault */ ++ /* Irritating users can call PAL_clrfen to disable the ++ FPU for the process. The kernel will then trap in ++ do_switch_stack and undo_switch_stack when we try ++ to save and restore the FP registers. ++ ++ Given that GCC by default generates code that uses the ++ FP registers, PAL_clrfen is not useful except for DoS ++ attacks. So turn the bleeding FPU back on and be done ++ with it. */ ++ current_thread_info()->pcb.flags |= 1; ++ __reload_thread(¤t_thread_info()->pcb); ++ return; ++ } ++ if (!user_mode(regs)) { + if (type == 1) { + const unsigned int *data + = (const unsigned int *) regs->pc; +@@ -368,20 +382,6 @@ do_entIF(unsigned long type, struct pt_r + } + break; + +- case 3: /* FEN fault */ +- /* Irritating users can call PAL_clrfen to disable the +- FPU for the process. The kernel will then trap in +- do_switch_stack and undo_switch_stack when we try +- to save and restore the FP registers. +- +- Given that GCC by default generates code that uses the +- FP registers, PAL_clrfen is not useful except for DoS +- attacks. So turn the bleeding FPU back on and be done +- with it. */ +- current_thread_info()->pcb.flags |= 1; +- __reload_thread(¤t_thread_info()->pcb); +- return; +- + case 5: /* illoc */ + default: /* unexpected instruction-fault type */ + ; diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch new file mode 100644 index 00000000000..bdc8d5bd1a8 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch @@ -0,0 +1,35 @@ +From ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= +Date: Thu, 23 Feb 2023 08:47:48 +0100 +Subject: ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +commit ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 upstream. + +HP EliteDesk 800 G6 Tower PC (103c:870c) requires a quirk for enabling +headset-mic. + +Signed-off-by: Łukasz Stelmach +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217008 +Link: https://lore.kernel.org/r/20230223074749.1026060-1-l.stelmach@samsung.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11236,6 +11236,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), ++ SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB), + SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2), + SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2), diff --git a/queue-5.15/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch b/queue-5.15/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch new file mode 100644 index 00000000000..68d90628767 --- /dev/null +++ b/queue-5.15/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch @@ -0,0 +1,48 @@ +From 951606a14a8901e3551fe4d8d3cedd73fe954ce1 Mon Sep 17 00:00:00 2001 +From: Dmitry Fomin +Date: Sat, 25 Feb 2023 21:43:21 +0300 +Subject: ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls() + +From: Dmitry Fomin + +commit 951606a14a8901e3551fe4d8d3cedd73fe954ce1 upstream. + +If snd_ctl_add() fails in aureon_add_controls(), it immediately returns +and leaves ice->gpio_mutex locked. ice->gpio_mutex locks in +snd_ice1712_save_gpio_status and unlocks in +snd_ice1712_restore_gpio_status(ice). + +It seems that the mutex is required only for aureon_cs8415_get(), +so snd_ice1712_restore_gpio_status(ice) can be placed +just after that. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Dmitry Fomin +Cc: +Link: https://lore.kernel.org/r/20230225184322.6286-1-fomindmitriyfoma@mail.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ice1712/aureon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ice1712/aureon.c ++++ b/sound/pci/ice1712/aureon.c +@@ -1892,6 +1892,7 @@ static int aureon_add_controls(struct sn + unsigned char id; + snd_ice1712_save_gpio_status(ice); + id = aureon_cs8415_get(ice, CS8415_ID); ++ snd_ice1712_restore_gpio_status(ice); + if (id != 0x41) + dev_info(ice->card->dev, + "No CS8415 chip. Skipping CS8415 controls.\n"); +@@ -1909,7 +1910,6 @@ static int aureon_add_controls(struct sn + kctl->id.device = ice->pcm->device; + } + } +- snd_ice1712_restore_gpio_status(ice); + } + + return 0; diff --git a/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch new file mode 100644 index 00000000000..b7a06f441ae --- /dev/null +++ b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch @@ -0,0 +1,32 @@ +From 8e4505e617a80f601e2f53a917611777f128f925 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:36 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Exynos4 + +From: Krzysztof Kozlowski + +commit 8e4505e617a80f601e2f53a917611777f128f925 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. + +Fixes: 328829a6ad70 ("ARM: dts: define default thermal-zones for exynos4") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos4-cpu-thermal.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi ++++ b/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi +@@ -10,7 +10,7 @@ + / { + thermal-zones { + cpu_thermal: cpu-thermal { +- thermal-sensors = <&tmu 0>; ++ thermal-sensors = <&tmu>; + polling-delay-passive = <0>; + polling-delay = <0>; + trips { diff --git a/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch new file mode 100644 index 00000000000..57cc3a9af8c --- /dev/null +++ b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch @@ -0,0 +1,33 @@ +From 408ab6786dbf6dd696488054c9559681112ef994 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:37 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Exynos4210 + +From: Krzysztof Kozlowski + +commit 408ab6786dbf6dd696488054c9559681112ef994 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. Since thermal-sensors property is +already defined in included exynos4-cpu-thermal.dtsi, drop it from +exynos4210.dtsi to fix the error and remoev redundancy. + +Fixes: 9843a2236003 ("ARM: dts: Provide dt bindings identical for Exynos TMU") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos4210.dtsi | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos4210.dtsi ++++ b/arch/arm/boot/dts/exynos4210.dtsi +@@ -393,7 +393,6 @@ + &cpu_thermal { + polling-delay-passive = <0>; + polling-delay = <0>; +- thermal-sensors = <&tmu 0>; + }; + + &gic { diff --git a/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch new file mode 100644 index 00000000000..f935aa71c1b --- /dev/null +++ b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch @@ -0,0 +1,32 @@ +From 33e2c595e2e4016991ead44933a29d1ef93d5f26 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:38 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Exynos5250 + +From: Krzysztof Kozlowski + +commit 33e2c595e2e4016991ead44933a29d1ef93d5f26 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. + +Cc: +Fixes: 9843a2236003 ("ARM: dts: Provide dt bindings identical for Exynos TMU") +Link: https://lore.kernel.org/r/20230209105841.779596-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5250.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos5250.dtsi ++++ b/arch/arm/boot/dts/exynos5250.dtsi +@@ -1119,7 +1119,7 @@ + &cpu_thermal { + polling-delay-passive = <0>; + polling-delay = <0>; +- thermal-sensors = <&tmu 0>; ++ thermal-sensors = <&tmu>; + + cooling-maps { + map0 { diff --git a/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch new file mode 100644 index 00000000000..a04d385a912 --- /dev/null +++ b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch @@ -0,0 +1,77 @@ +From 2e3d0e20d8456f876607a8af61fdb83dfbf98cb6 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:40 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Odroid HC1 + +From: Krzysztof Kozlowski + +commit 2e3d0e20d8456f876607a8af61fdb83dfbf98cb6 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. This was not critical before, +but since rework of thermal Devicetree initialization in the +commit 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree +initialization"), this leads to errors registering thermal zones other +than first one: + + thermal_sys: cpu0-thermal: Failed to read thermal-sensors cells: -2 + thermal_sys: Failed to find thermal zone for tmu id=0 + exynos-tmu 10064000.tmu: Failed to register sensor: -2 + exynos-tmu: probe of 10064000.tmu failed with error -2 + +Fixes: 1ac49427b566 ("ARM: dts: exynos: Add support for Hardkernel's Odroid HC1 board") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-5-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5422-odroidhc1.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/exynos5422-odroidhc1.dts ++++ b/arch/arm/boot/dts/exynos5422-odroidhc1.dts +@@ -29,7 +29,7 @@ + + thermal-zones { + cpu0_thermal: cpu0-thermal { +- thermal-sensors = <&tmu_cpu0 0>; ++ thermal-sensors = <&tmu_cpu0>; + trips { + cpu0_alert0: cpu-alert-0 { + temperature = <70000>; /* millicelsius */ +@@ -84,7 +84,7 @@ + }; + }; + cpu1_thermal: cpu1-thermal { +- thermal-sensors = <&tmu_cpu1 0>; ++ thermal-sensors = <&tmu_cpu1>; + trips { + cpu1_alert0: cpu-alert-0 { + temperature = <70000>; +@@ -128,7 +128,7 @@ + }; + }; + cpu2_thermal: cpu2-thermal { +- thermal-sensors = <&tmu_cpu2 0>; ++ thermal-sensors = <&tmu_cpu2>; + trips { + cpu2_alert0: cpu-alert-0 { + temperature = <70000>; +@@ -172,7 +172,7 @@ + }; + }; + cpu3_thermal: cpu3-thermal { +- thermal-sensors = <&tmu_cpu3 0>; ++ thermal-sensors = <&tmu_cpu3>; + trips { + cpu3_alert0: cpu-alert-0 { + temperature = <70000>; +@@ -216,7 +216,7 @@ + }; + }; + gpu_thermal: gpu-thermal { +- thermal-sensors = <&tmu_gpu 0>; ++ thermal-sensors = <&tmu_gpu>; + trips { + gpu_alert0: gpu-alert-0 { + temperature = <70000>; diff --git a/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch new file mode 100644 index 00000000000..c7148a73c1a --- /dev/null +++ b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch @@ -0,0 +1,33 @@ +From 9372eca505e7a19934d750b4b4c89a3652738e66 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:39 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Odroid XU + +From: Krzysztof Kozlowski + +commit 9372eca505e7a19934d750b4b4c89a3652738e66 upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. Since thermal-sensors property +is already defined in included exynosi5410.dtsi, drop it from +exynos5410-odroidxu.dts to fix the error and remoev redundancy. + +Fixes: 88644b4c750b ("ARM: dts: exynos: Configure PWM, usb3503, PMIC and thermal on Odroid XU board") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5410-odroidxu.dts | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos5410-odroidxu.dts ++++ b/arch/arm/boot/dts/exynos5410-odroidxu.dts +@@ -120,7 +120,6 @@ + }; + + &cpu0_thermal { +- thermal-sensors = <&tmu_cpu0 0>; + polling-delay-passive = <0>; + polling-delay = <0>; + diff --git a/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch new file mode 100644 index 00000000000..7126e01f44b --- /dev/null +++ b/queue-5.15/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch @@ -0,0 +1,77 @@ +From a3583e92d188ec6c58c7f603ac5e72dd8a11c21a Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 9 Feb 2023 11:58:41 +0100 +Subject: ARM: dts: exynos: correct TMU phandle in Odroid XU3 family + +From: Krzysztof Kozlowski + +commit a3583e92d188ec6c58c7f603ac5e72dd8a11c21a upstream. + +TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing +it must not have an argument to phandle. This was not critical before, +but since rework of thermal Devicetree initialization in the +commit 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree +initialization"), this leads to errors registering thermal zones other +than first one: + + thermal_sys: cpu0-thermal: Failed to read thermal-sensors cells: -2 + thermal_sys: Failed to find thermal zone for tmu id=0 + exynos-tmu 10064000.tmu: Failed to register sensor: -2 + exynos-tmu: probe of 10064000.tmu failed with error -2 + +Fixes: f1722d7dd8b8 ("ARM: dts: Define default thermal-zones for exynos5422") +Cc: +Link: https://lore.kernel.org/r/20230209105841.779596-6-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi ++++ b/arch/arm/boot/dts/exynos5422-odroidxu3-common.dtsi +@@ -50,7 +50,7 @@ + + thermal-zones { + cpu0_thermal: cpu0-thermal { +- thermal-sensors = <&tmu_cpu0 0>; ++ thermal-sensors = <&tmu_cpu0>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -139,7 +139,7 @@ + }; + }; + cpu1_thermal: cpu1-thermal { +- thermal-sensors = <&tmu_cpu1 0>; ++ thermal-sensors = <&tmu_cpu1>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -212,7 +212,7 @@ + }; + }; + cpu2_thermal: cpu2-thermal { +- thermal-sensors = <&tmu_cpu2 0>; ++ thermal-sensors = <&tmu_cpu2>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -285,7 +285,7 @@ + }; + }; + cpu3_thermal: cpu3-thermal { +- thermal-sensors = <&tmu_cpu3 0>; ++ thermal-sensors = <&tmu_cpu3>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { +@@ -358,7 +358,7 @@ + }; + }; + gpu_thermal: gpu-thermal { +- thermal-sensors = <&tmu_gpu 0>; ++ thermal-sensors = <&tmu_gpu>; + polling-delay-passive = <250>; + polling-delay = <0>; + trips { diff --git a/queue-5.15/arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch b/queue-5.15/arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch new file mode 100644 index 00000000000..39c78ea8b0c --- /dev/null +++ b/queue-5.15/arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch @@ -0,0 +1,34 @@ +From af4ab377543853b690cc85b4c46cf976ab560dc2 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Mon, 23 Jan 2023 18:49:30 +0530 +Subject: ARM: dts: qcom: sdx55: Add Qcom SMMU-500 as the fallback for IOMMU node + +From: Manivannan Sadhasivam + +commit af4ab377543853b690cc85b4c46cf976ab560dc2 upstream. + +SDX55 uses the Qcom version of the SMMU-500 IP. So use "qcom,smmu-500" +compatible as the fallback to the SoC specific compatible. + +Cc: # 5.12 +Fixes: a2bdfdfba2af ("ARM: dts: qcom: sdx55: Enable ARM SMMU") +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230123131931.263024-3-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom-sdx55.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/qcom-sdx55.dtsi ++++ b/arch/arm/boot/dts/qcom-sdx55.dtsi +@@ -502,7 +502,7 @@ + }; + + apps_smmu: iommu@15000000 { +- compatible = "qcom,sdx55-smmu-500", "arm,mmu-500"; ++ compatible = "qcom,sdx55-smmu-500", "qcom,smmu-500", "arm,mmu-500"; + reg = <0x15000000 0x20000>; + #iommu-cells = <2>; + #global-interrupts = <1>; diff --git a/queue-5.15/ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch b/queue-5.15/ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch new file mode 100644 index 00000000000..cd063c477db --- /dev/null +++ b/queue-5.15/ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch @@ -0,0 +1,61 @@ +From e027253c4b77d395798600a90b6a96fe4adf4d5e Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Mon, 13 Feb 2023 13:56:20 +0800 +Subject: ceph: update the time stamps and try to drop the suid/sgid + +From: Xiubo Li + +commit e027253c4b77d395798600a90b6a96fe4adf4d5e upstream. + +The fallocate will try to clear the suid/sgid if a unprevileged user +changed the file. + +There is no POSIX item requires that we should clear the suid/sgid +in fallocate code path but this is the default behaviour for most of +the filesystems and the VFS layer. And also the same for the write +code path, which have already support it. + +And also we need to update the time stamps since the fallocate will +change the file contents. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/58054 +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/file.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -2084,6 +2084,9 @@ static long ceph_fallocate(struct file * + loff_t endoff = 0; + loff_t size; + ++ dout("%s %p %llx.%llx mode %x, offset %llu length %llu\n", __func__, ++ inode, ceph_vinop(inode), mode, offset, length); ++ + if (mode != (FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) + return -EOPNOTSUPP; + +@@ -2124,6 +2127,10 @@ static long ceph_fallocate(struct file * + if (ret < 0) + goto unlock; + ++ ret = file_modified(file); ++ if (ret) ++ goto put_caps; ++ + filemap_invalidate_lock(inode->i_mapping); + ceph_zero_pagecache_range(inode, offset, length); + ret = ceph_zero_objects(inode, offset, length); +@@ -2139,6 +2146,7 @@ static long ceph_fallocate(struct file * + } + filemap_invalidate_unlock(inode->i_mapping); + ++put_caps: + ceph_put_cap_refs(ci, got); + unlock: + inode_unlock(inode); diff --git a/queue-5.15/dax-kmem-fix-leak-of-memory-hotplug-resources.patch b/queue-5.15/dax-kmem-fix-leak-of-memory-hotplug-resources.patch new file mode 100644 index 00000000000..22779ff3d50 --- /dev/null +++ b/queue-5.15/dax-kmem-fix-leak-of-memory-hotplug-resources.patch @@ -0,0 +1,136 @@ +From e686c32590f40bffc45f105c04c836ffad3e531a Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 16 Feb 2023 00:36:02 -0800 +Subject: dax/kmem: Fix leak of memory-hotplug resources + +From: Dan Williams + +commit e686c32590f40bffc45f105c04c836ffad3e531a upstream. + +While experimenting with CXL region removal the following corruption of +/proc/iomem appeared. + +Before: +f010000000-f04fffffff : CXL Window 0 + f010000000-f02fffffff : region4 + f010000000-f02fffffff : dax4.0 + f010000000-f02fffffff : System RAM (kmem) + +After (modprobe -r cxl_test): +f010000000-f02fffffff : **redacted binary garbage** + f010000000-f02fffffff : System RAM (kmem) + +...and testing further the same is visible with persistent memory +assigned to kmem: + +Before: +480000000-243fffffff : Persistent Memory + 480000000-57e1fffff : namespace3.0 + 580000000-243fffffff : dax3.0 + 580000000-243fffffff : System RAM (kmem) + +After (ndctl disable-region all): +480000000-243fffffff : Persistent Memory + 580000000-243fffffff : ***redacted binary garbage*** + 580000000-243fffffff : System RAM (kmem) + +The corrupted data is from a use-after-free of the "dax4.0" and "dax3.0" +resources, and it also shows that the "System RAM (kmem)" resource is +not being removed. The bug does not appear after "modprobe -r kmem", it +requires the parent of "dax4.0" and "dax3.0" to be removed which +re-parents the leaked "System RAM (kmem)" instances. Those in turn +reference the freed resource as a parent. + +First up for the fix is release_mem_region_adjustable() needs to +reliably delete the resource inserted by add_memory_driver_managed(). +That is thwarted by a check for IORESOURCE_SYSRAM that predates the +dax/kmem driver, from commit: + +65c78784135f ("kernel, resource: check for IORESOURCE_SYSRAM in release_mem_region_adjustable") + +That appears to be working around the behavior of HMM's +"MEMORY_DEVICE_PUBLIC" facility that has since been deleted. With that +check removed the "System RAM (kmem)" resource gets removed, but +corruption still occurs occasionally because the "dax" resource is not +reliably removed. + +The dax range information is freed before the device is unregistered, so +the driver can not reliably recall (another use after free) what it is +meant to release. Lastly if that use after free got lucky, the driver +was covering up the leak of "System RAM (kmem)" due to its use of +release_resource() which detaches, but does not free, child resources. +The switch to remove_resource() forces remove_memory() to be responsible +for the deletion of the resource added by add_memory_driver_managed(). + +Fixes: c2f3011ee697 ("device-dax: add an allocation interface for device-dax instances") +Cc: +Cc: Oscar Salvador +Cc: David Hildenbrand +Cc: Pavel Tatashin +Reviewed-by: Vishal Verma +Reviewed-by: Pasha Tatashin +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/167653656244.3147810.5705900882794040229.stgit@dwillia2-xfh.jf.intel.com +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dax/bus.c | 2 +- + drivers/dax/kmem.c | 4 ++-- + kernel/resource.c | 14 -------------- + 3 files changed, 3 insertions(+), 17 deletions(-) + +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -397,8 +397,8 @@ static void unregister_dev_dax(void *dev + dev_dbg(dev, "%s\n", __func__); + + kill_dev_dax(dev_dax); +- free_dev_dax_ranges(dev_dax); + device_del(dev); ++ free_dev_dax_ranges(dev_dax); + put_device(dev); + } + +--- a/drivers/dax/kmem.c ++++ b/drivers/dax/kmem.c +@@ -135,7 +135,7 @@ static int dev_dax_kmem_probe(struct dev + if (rc) { + dev_warn(dev, "mapping%d: %#llx-%#llx memory add failed\n", + i, range.start, range.end); +- release_resource(res); ++ remove_resource(res); + kfree(res); + data->res[i] = NULL; + if (mapped) +@@ -181,7 +181,7 @@ static void dev_dax_kmem_remove(struct d + + rc = remove_memory(range.start, range_len(&range)); + if (rc == 0) { +- release_resource(data->res[i]); ++ remove_resource(data->res[i]); + kfree(data->res[i]); + data->res[i] = NULL; + success++; +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -1325,20 +1325,6 @@ retry: + continue; + } + +- /* +- * All memory regions added from memory-hotplug path have the +- * flag IORESOURCE_SYSTEM_RAM. If the resource does not have +- * this flag, we know that we are dealing with a resource coming +- * from HMM/devm. HMM/devm use another mechanism to add/release +- * a resource. This goes via devm_request_mem_region and +- * devm_release_mem_region. +- * HMM/devm take care to release their resources when they want, +- * so if we are dealing with them, let us just back off here. +- */ +- if (!(res->flags & IORESOURCE_SYSRAM)) { +- break; +- } +- + if (!(res->flags & IORESOURCE_MEM)) + break; + diff --git a/queue-5.15/dm-add-cond_resched-to-dm_wq_work.patch b/queue-5.15/dm-add-cond_resched-to-dm_wq_work.patch new file mode 100644 index 00000000000..d564227cbbe --- /dev/null +++ b/queue-5.15/dm-add-cond_resched-to-dm_wq_work.patch @@ -0,0 +1,32 @@ +From 0ca44fcef241768fd25ee763b3d203b9852f269b Mon Sep 17 00:00:00 2001 +From: Pingfan Liu +Date: Wed, 15 Feb 2023 19:23:40 +0800 +Subject: dm: add cond_resched() to dm_wq_work() + +From: Pingfan Liu + +commit 0ca44fcef241768fd25ee763b3d203b9852f269b upstream. + +Otherwise the while() loop in dm_wq_work() can result in a "dead +loop" on systems that have preemption disabled. This is particularly +problematic on single cpu systems. + +Cc: stable@vger.kernel.org +Signed-off-by: Pingfan Liu +Acked-by: Ming Lei +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2305,6 +2305,7 @@ static void dm_wq_work(struct work_struc + break; + + submit_bio_noacct(bio); ++ cond_resched(); + } + } + diff --git a/queue-5.15/dm-flakey-don-t-corrupt-the-zero-page.patch b/queue-5.15/dm-flakey-don-t-corrupt-the-zero-page.patch new file mode 100644 index 00000000000..445726e5aa1 --- /dev/null +++ b/queue-5.15/dm-flakey-don-t-corrupt-the-zero-page.patch @@ -0,0 +1,46 @@ +From f50714b57aecb6b3dc81d578e295f86d9c73f078 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:02:57 -0500 +Subject: dm flakey: don't corrupt the zero page + +From: Mikulas Patocka + +commit f50714b57aecb6b3dc81d578e295f86d9c73f078 upstream. + +When we need to zero some range on a block device, the function +__blkdev_issue_zero_pages submits a write bio with the bio vector pointing +to the zero page. If we use dm-flakey with corrupt bio writes option, it +will corrupt the content of the zero page which results in crashes of +various userspace programs. Glibc assumes that memory returned by mmap is +zeroed and it uses it for calloc implementation; if the newly mapped +memory is not zeroed, calloc will return non-zeroed memory. + +Fix this bug by testing if the page is equal to ZERO_PAGE(0) and +avoiding the corruption in this case. + +Cc: stable@vger.kernel.org +Fixes: a00f5276e266 ("dm flakey: Properly corrupt multi-page bios.") +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -301,8 +301,11 @@ static void corrupt_bio_data(struct bio + */ + bio_for_each_segment(bvec, bio, iter) { + if (bio_iter_len(bio, iter) > corrupt_bio_byte) { +- char *segment = (page_address(bio_iter_page(bio, iter)) +- + bio_iter_offset(bio, iter)); ++ char *segment; ++ struct page *page = bio_iter_page(bio, iter); ++ if (unlikely(page == ZERO_PAGE(0))) ++ break; ++ segment = (page_address(page) + bio_iter_offset(bio, iter)); + segment[corrupt_bio_byte] = fc->corrupt_bio_value; + DMDEBUG("Corrupting data bio=%p by writing %u to byte %u " + "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n", diff --git a/queue-5.15/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch b/queue-5.15/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch new file mode 100644 index 00000000000..9475c10ba4b --- /dev/null +++ b/queue-5.15/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch @@ -0,0 +1,34 @@ +From 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:03:31 -0500 +Subject: dm flakey: fix a bug with 32-bit highmem systems + +From: Mikulas Patocka + +commit 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 upstream. + +The function page_address does not work with 32-bit systems with high +memory. Use bvec_kmap_local/kunmap_local instead. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -305,8 +305,9 @@ static void corrupt_bio_data(struct bio + struct page *page = bio_iter_page(bio, iter); + if (unlikely(page == ZERO_PAGE(0))) + break; +- segment = (page_address(page) + bio_iter_offset(bio, iter)); ++ segment = bvec_kmap_local(&bvec); + segment[corrupt_bio_byte] = fc->corrupt_bio_value; ++ kunmap_local(segment); + DMDEBUG("Corrupting data bio=%p by writing %u to byte %u " + "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n", + bio, fc->corrupt_bio_value, fc->corrupt_bio_byte, diff --git a/queue-5.15/dm-flakey-fix-logic-when-corrupting-a-bio.patch b/queue-5.15/dm-flakey-fix-logic-when-corrupting-a-bio.patch new file mode 100644 index 00000000000..0087bbc47c3 --- /dev/null +++ b/queue-5.15/dm-flakey-fix-logic-when-corrupting-a-bio.patch @@ -0,0 +1,65 @@ +From aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:03:56 -0500 +Subject: dm flakey: fix logic when corrupting a bio + +From: Mikulas Patocka + +commit aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc upstream. + +If "corrupt_bio_byte" is set to corrupt reads and corrupt_bio_flags is +used, dm-flakey would erroneously return all writes as errors. Likewise, +if "corrupt_bio_byte" is set to corrupt writes, dm-flakey would return +errors for all reads. + +Fix the logic so that if fc->corrupt_bio_byte is non-zero, dm-flakey +will not abort reads on writes with an error. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -359,9 +359,11 @@ static int flakey_map(struct dm_target * + /* + * Corrupt matching writes. + */ +- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == WRITE)) { +- if (all_corrupt_bio_flags_match(bio, fc)) +- corrupt_bio_data(bio, fc); ++ if (fc->corrupt_bio_byte) { ++ if (fc->corrupt_bio_rw == WRITE) { ++ if (all_corrupt_bio_flags_match(bio, fc)) ++ corrupt_bio_data(bio, fc); ++ } + goto map_bio; + } + +@@ -387,13 +389,14 @@ static int flakey_end_io(struct dm_targe + return DM_ENDIO_DONE; + + if (!*error && pb->bio_submitted && (bio_data_dir(bio) == READ)) { +- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) && +- all_corrupt_bio_flags_match(bio, fc)) { +- /* +- * Corrupt successful matching READs while in down state. +- */ +- corrupt_bio_data(bio, fc); +- ++ if (fc->corrupt_bio_byte) { ++ if ((fc->corrupt_bio_rw == READ) && ++ all_corrupt_bio_flags_match(bio, fc)) { ++ /* ++ * Corrupt successful matching READs while in down state. ++ */ ++ corrupt_bio_data(bio, fc); ++ } + } else if (!test_bit(DROP_WRITES, &fc->flags) && + !test_bit(ERROR_WRITES, &fc->flags)) { + /* diff --git a/queue-5.15/dm-send-just-one-event-on-resize-not-two.patch b/queue-5.15/dm-send-just-one-event-on-resize-not-two.patch new file mode 100644 index 00000000000..81a338e6703 --- /dev/null +++ b/queue-5.15/dm-send-just-one-event-on-resize-not-two.patch @@ -0,0 +1,168 @@ +From 7533afa1d27ba1234146d31d2402c195cf195962 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 7 Feb 2023 08:33:06 -0500 +Subject: dm: send just one event on resize, not two + +From: Mikulas Patocka + +commit 7533afa1d27ba1234146d31d2402c195cf195962 upstream. + +Device mapper sends an uevent when the device is suspended, using the +function set_capacity_and_notify. However, this causes a race condition +with udev. + +Udev skips scanning dm devices that are suspended. If we send an uevent +while we are suspended, udev will be racing with device mapper resume +code. If the device mapper resume code wins the race, udev will process +the uevent after the device is resumed and it will properly scan the +device. + +However, if udev wins the race, it will receive the uevent, find out that +the dm device is suspended and skip scanning the device. This causes bugs +such as systemd unmounting the device - see +https://bugzilla.redhat.com/show_bug.cgi?id=2158628 + +This commit fixes this race. + +We replace the function set_capacity_and_notify with set_capacity, so that +the uevent is not sent at this point. In do_resume, we detect if the +capacity has changed and we pass a boolean variable need_resize_uevent to +dm_kobject_uevent. dm_kobject_uevent adds "RESIZE=1" to the uevent if +need_resize_uevent is set. + +Signed-off-by: Mikulas Patocka +Tested-by: Peter Rajnoha +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 13 ++++++++++--- + drivers/md/dm.c | 27 +++++++++++++-------------- + drivers/md/dm.h | 2 +- + 3 files changed, 24 insertions(+), 18 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -482,7 +482,7 @@ static struct mapped_device *dm_hash_ren + dm_table_event(table); + dm_put_live_table(hc->md, srcu_idx); + +- if (!dm_kobject_uevent(hc->md, KOBJ_CHANGE, param->event_nr)) ++ if (!dm_kobject_uevent(hc->md, KOBJ_CHANGE, param->event_nr, false)) + param->flags |= DM_UEVENT_GENERATED_FLAG; + + md = hc->md; +@@ -989,7 +989,7 @@ static int dev_remove(struct file *filp, + + dm_ima_measure_on_device_remove(md, false); + +- if (!dm_kobject_uevent(md, KOBJ_REMOVE, param->event_nr)) ++ if (!dm_kobject_uevent(md, KOBJ_REMOVE, param->event_nr, false)) + param->flags |= DM_UEVENT_GENERATED_FLAG; + + dm_put(md); +@@ -1123,6 +1123,7 @@ static int do_resume(struct dm_ioctl *pa + struct hash_cell *hc; + struct mapped_device *md; + struct dm_table *new_map, *old_map = NULL; ++ bool need_resize_uevent = false; + + down_write(&_hash_lock); + +@@ -1143,6 +1144,8 @@ static int do_resume(struct dm_ioctl *pa + + /* Do we need to load a new map ? */ + if (new_map) { ++ sector_t old_size, new_size; ++ + /* Suspend if it isn't already suspended */ + if (param->flags & DM_SKIP_LOCKFS_FLAG) + suspend_flags &= ~DM_SUSPEND_LOCKFS_FLAG; +@@ -1151,6 +1154,7 @@ static int do_resume(struct dm_ioctl *pa + if (!dm_suspended_md(md)) + dm_suspend(md, suspend_flags); + ++ old_size = dm_get_size(md); + old_map = dm_swap_table(md, new_map); + if (IS_ERR(old_map)) { + dm_sync_table(md); +@@ -1158,6 +1162,9 @@ static int do_resume(struct dm_ioctl *pa + dm_put(md); + return PTR_ERR(old_map); + } ++ new_size = dm_get_size(md); ++ if (old_size && new_size && old_size != new_size) ++ need_resize_uevent = true; + + if (dm_table_get_mode(new_map) & FMODE_WRITE) + set_disk_ro(dm_disk(md), 0); +@@ -1170,7 +1177,7 @@ static int do_resume(struct dm_ioctl *pa + if (!r) { + dm_ima_measure_on_device_resume(md, new_map ? true : false); + +- if (!dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr)) ++ if (!dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr, need_resize_uevent)) + param->flags |= DM_UEVENT_GENERATED_FLAG; + } + } +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1942,10 +1942,7 @@ static struct dm_table *__bind(struct ma + if (size != dm_get_size(md)) + memset(&md->geometry, 0, sizeof(md->geometry)); + +- if (!get_capacity(md->disk)) +- set_capacity(md->disk, size); +- else +- set_capacity_and_notify(md->disk, size); ++ set_capacity(md->disk, size); + + dm_table_event_callback(t, event_callback, md); + +@@ -2707,23 +2704,25 @@ EXPORT_SYMBOL_GPL(dm_internal_resume_fas + * Event notification. + *---------------------------------------------------------------*/ + int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +- unsigned cookie) ++ unsigned cookie, bool need_resize_uevent) + { + int r; + unsigned noio_flag; + char udev_cookie[DM_COOKIE_LENGTH]; +- char *envp[] = { udev_cookie, NULL }; +- +- noio_flag = memalloc_noio_save(); +- +- if (!cookie) +- r = kobject_uevent(&disk_to_dev(md->disk)->kobj, action); +- else { ++ char *envp[3] = { NULL, NULL, NULL }; ++ char **envpp = envp; ++ if (cookie) { + snprintf(udev_cookie, DM_COOKIE_LENGTH, "%s=%u", + DM_COOKIE_ENV_VAR_NAME, cookie); +- r = kobject_uevent_env(&disk_to_dev(md->disk)->kobj, +- action, envp); ++ *envpp++ = udev_cookie; + } ++ if (need_resize_uevent) { ++ *envpp++ = "RESIZE=1"; ++ } ++ ++ noio_flag = memalloc_noio_save(); ++ ++ r = kobject_uevent_env(&disk_to_dev(md->disk)->kobj, action, envp); + + memalloc_noio_restore(noio_flag); + +--- a/drivers/md/dm.h ++++ b/drivers/md/dm.h +@@ -210,7 +210,7 @@ int dm_get_table_device(struct mapped_de + void dm_put_table_device(struct mapped_device *md, struct dm_dev *d); + + int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action, +- unsigned cookie); ++ unsigned cookie, bool need_resize_uevent); + + void dm_internal_suspend(struct mapped_device *md); + void dm_internal_resume(struct mapped_device *md); diff --git a/queue-5.15/docs-gdbmacros-print-newest-record.patch b/queue-5.15/docs-gdbmacros-print-newest-record.patch new file mode 100644 index 00000000000..0297508b409 --- /dev/null +++ b/queue-5.15/docs-gdbmacros-print-newest-record.patch @@ -0,0 +1,42 @@ +From f2e4cca2f670c8e52fbb551a295f2afc9aa2bd72 Mon Sep 17 00:00:00 2001 +From: John Ogness +Date: Thu, 29 Dec 2022 14:49:39 +0106 +Subject: docs: gdbmacros: print newest record + +From: John Ogness + +commit f2e4cca2f670c8e52fbb551a295f2afc9aa2bd72 upstream. + +@head_id points to the newest record, but the printing loop +exits when it increments to this value (before printing). + +Exit the printing loop after the newest record has been printed. + +The python-based function in scripts/gdb/linux/dmesg.py already +does this correctly. + +Fixes: e60768311af8 ("scripts/gdb: update for lockless printk ringbuffer") +Cc: stable@vger.kernel.org +Signed-off-by: John Ogness +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20221229134339.197627-1-john.ogness@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/kdump/gdbmacros.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/admin-guide/kdump/gdbmacros.txt ++++ b/Documentation/admin-guide/kdump/gdbmacros.txt +@@ -312,10 +312,10 @@ define dmesg + set var $prev_flags = $info->flags + end + +- set var $id = ($id + 1) & $id_mask + if ($id == $end_id) + loop_break + end ++ set var $id = ($id + 1) & $id_mask + end + end + document dmesg diff --git a/queue-5.15/ext4-fix-possible-corruption-when-moving-a-directory.patch b/queue-5.15/ext4-fix-possible-corruption-when-moving-a-directory.patch new file mode 100644 index 00000000000..3d4572f7834 --- /dev/null +++ b/queue-5.15/ext4-fix-possible-corruption-when-moving-a-directory.patch @@ -0,0 +1,54 @@ +From 0813299c586b175d7edb25f56412c54b812d0379 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 26 Jan 2023 12:22:21 +0100 +Subject: ext4: Fix possible corruption when moving a directory + +From: Jan Kara + +commit 0813299c586b175d7edb25f56412c54b812d0379 upstream. + +When we are renaming a directory to a different directory, we need to +update '..' entry in the moved directory. However nothing prevents moved +directory from being modified and even converted from the inline format +to the normal format. When such race happens the rename code gets +confused and we crash. Fix the problem by locking the moved directory. + +CC: stable@vger.kernel.org +Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3886,9 +3886,16 @@ static int ext4_rename(struct user_names + if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir)) + goto end_rename; + } ++ /* ++ * We need to protect against old.inode directory getting ++ * converted from inline directory format into a normal one. ++ */ ++ inode_lock_nested(old.inode, I_MUTEX_NONDIR2); + retval = ext4_rename_dir_prepare(handle, &old); +- if (retval) ++ if (retval) { ++ inode_unlock(old.inode); + goto end_rename; ++ } + } + /* + * If we're renaming a file within an inline_data dir and adding or +@@ -4013,6 +4020,8 @@ end_rename: + } else { + ext4_journal_stop(handle); + } ++ if (old.dir_bh) ++ inode_unlock(old.inode); + release_bh: + brelse(old.dir_bh); + brelse(old.bh); diff --git a/queue-5.15/ext4-optimize-ea_inode-block-expansion.patch b/queue-5.15/ext4-optimize-ea_inode-block-expansion.patch new file mode 100644 index 00000000000..44be707475c --- /dev/null +++ b/queue-5.15/ext4-optimize-ea_inode-block-expansion.patch @@ -0,0 +1,95 @@ +From 1e9d62d252812575ded7c620d8fc67c32ff06c16 Mon Sep 17 00:00:00 2001 +From: Jun Nie +Date: Tue, 3 Jan 2023 09:45:16 +0800 +Subject: ext4: optimize ea_inode block expansion + +From: Jun Nie + +commit 1e9d62d252812575ded7c620d8fc67c32ff06c16 upstream. + +Copy ea data from inode entry when expanding ea block if possible. +Then remove the ea entry if expansion success. Thus memcpy to a +temporary buffer may be avoided. + +If the expansion fails, we do not need to recovery the removed ea +entry neither in this way. + +Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08 +Link: https://lore.kernel.org/r/20230103014517.495275-2-jun.nie@linaro.org +Cc: stable@kernel.org +Signed-off-by: Jun Nie +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2549,9 +2549,8 @@ static int ext4_xattr_move_to_block(hand + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); + bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS); +- buffer = kvmalloc(value_size, GFP_NOFS); + b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS); +- if (!is || !bs || !buffer || !b_entry_name) { ++ if (!is || !bs || !b_entry_name) { + error = -ENOMEM; + goto out; + } +@@ -2563,12 +2562,18 @@ static int ext4_xattr_move_to_block(hand + + /* Save the entry name and the entry value */ + if (entry->e_value_inum) { ++ buffer = kvmalloc(value_size, GFP_NOFS); ++ if (!buffer) { ++ error = -ENOMEM; ++ goto out; ++ } ++ + error = ext4_xattr_inode_get(inode, entry, buffer, value_size); + if (error) + goto out; + } else { + size_t value_offs = le16_to_cpu(entry->e_value_offs); +- memcpy(buffer, (void *)IFIRST(header) + value_offs, value_size); ++ buffer = (void *)IFIRST(header) + value_offs; + } + + memcpy(b_entry_name, entry->e_name, entry->e_name_len); +@@ -2583,25 +2588,26 @@ static int ext4_xattr_move_to_block(hand + if (error) + goto out; + +- /* Remove the chosen entry from the inode */ +- error = ext4_xattr_ibody_set(handle, inode, &i, is); +- if (error) +- goto out; +- + i.value = buffer; + i.value_len = value_size; + error = ext4_xattr_block_find(inode, &i, bs); + if (error) + goto out; + +- /* Add entry which was removed from the inode into the block */ ++ /* Move ea entry from the inode into the block */ + error = ext4_xattr_block_set(handle, inode, &i, bs); + if (error) + goto out; +- error = 0; ++ ++ /* Remove the chosen entry from the inode */ ++ i.value = NULL; ++ i.value_len = 0; ++ error = ext4_xattr_ibody_set(handle, inode, &i, is); ++ + out: + kfree(b_entry_name); +- kvfree(buffer); ++ if (entry->e_value_inum && buffer) ++ kvfree(buffer); + if (is) + brelse(is->iloc.bh); + if (bs) diff --git a/queue-5.15/ext4-refuse-to-create-ea-block-when-umounted.patch b/queue-5.15/ext4-refuse-to-create-ea-block-when-umounted.patch new file mode 100644 index 00000000000..166249b87ba --- /dev/null +++ b/queue-5.15/ext4-refuse-to-create-ea-block-when-umounted.patch @@ -0,0 +1,40 @@ +From f31173c19901a96bb2ebf6bcfec8a08df7095c91 Mon Sep 17 00:00:00 2001 +From: Jun Nie +Date: Tue, 3 Jan 2023 09:45:17 +0800 +Subject: ext4: refuse to create ea block when umounted + +From: Jun Nie + +commit f31173c19901a96bb2ebf6bcfec8a08df7095c91 upstream. + +The ea block expansion need to access s_root while it is +already set as NULL when umount is triggered. Refuse this +request to avoid panic. + +Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08 +Link: https://lore.kernel.org/r/20230103014517.495275-3-jun.nie@linaro.org +Cc: stable@kernel.org +Signed-off-by: Jun Nie +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1422,6 +1422,13 @@ static struct inode *ext4_xattr_inode_cr + uid_t owner[2] = { i_uid_read(inode), i_gid_read(inode) }; + int err; + ++ if (inode->i_sb->s_root == NULL) { ++ ext4_warning(inode->i_sb, ++ "refuse to create EA inode when umounting"); ++ WARN_ON(1); ++ return ERR_PTR(-EINVAL); ++ } ++ + /* + * Let the next inode be the goal, so we try and allocate the EA inode + * in the same group, or nearby one. diff --git a/queue-5.15/fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch b/queue-5.15/fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch new file mode 100644 index 00000000000..ac5c24b0b09 --- /dev/null +++ b/queue-5.15/fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch @@ -0,0 +1,36 @@ +From 1cc4606d19e3710bfab3f6704b87ff9580493c69 Mon Sep 17 00:00:00 2001 +From: Alexander Mikhalitsyn +Date: Thu, 26 Jan 2023 11:23:18 +0100 +Subject: fuse: add inode/permission checks to fileattr_get/fileattr_set + +From: Alexander Mikhalitsyn + +commit 1cc4606d19e3710bfab3f6704b87ff9580493c69 upstream. + +It looks like these checks were accidentally lost during the conversion to +fileattr API. + +Fixes: 72227eac177d ("fuse: convert to fileattr") +Cc: # v5.13 +Signed-off-by: Alexander Mikhalitsyn +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -419,6 +419,12 @@ static struct fuse_file *fuse_priv_ioctl + struct fuse_mount *fm = get_fuse_mount(inode); + bool isdir = S_ISDIR(inode->i_mode); + ++ if (!fuse_allow_current_process(fm->fc)) ++ return ERR_PTR(-EACCES); ++ ++ if (fuse_is_bad(inode)) ++ return ERR_PTR(-EIO); ++ + if (!S_ISREG(inode->i_mode) && !isdir) + return ERR_PTR(-ENOTTY); + diff --git a/queue-5.15/jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch b/queue-5.15/jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch new file mode 100644 index 00000000000..81694d23961 --- /dev/null +++ b/queue-5.15/jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch @@ -0,0 +1,145 @@ +From e6b9bd7290d334451ce054e98e752abc055e0034 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Tue, 10 Jan 2023 09:53:27 +0800 +Subject: jbd2: fix data missing when reusing bh which is ready to be checkpointed + +From: Zhihao Cheng + +commit e6b9bd7290d334451ce054e98e752abc055e0034 upstream. + +Following process will make data lost and could lead to a filesystem +corrupted problem: + +1. jh(bh) is inserted into T1->t_checkpoint_list, bh is dirty, and + jh->b_transaction = NULL +2. T1 is added into journal->j_checkpoint_transactions. +3. Get bh prepare to write while doing checkpoing: + PA PB + do_get_write_access jbd2_log_do_checkpoint + spin_lock(&jh->b_state_lock) + if (buffer_dirty(bh)) + clear_buffer_dirty(bh) // clear buffer dirty + set_buffer_jbddirty(bh) + transaction = + journal->j_checkpoint_transactions + jh = transaction->t_checkpoint_list + if (!buffer_dirty(bh)) + __jbd2_journal_remove_checkpoint(jh) + // bh won't be flushed + jbd2_cleanup_journal_tail + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved) +4. Aborting journal/Power-cut before writing latest bh on journal area. + +In this way we get a corrupted filesystem with bh's data lost. + +Fix it by moving the clearing of buffer_dirty bit just before the call +to __jbd2_journal_file_buffer(), both bit clearing and jh->b_transaction +assignment are under journal->j_list_lock locked, so that +jbd2_log_do_checkpoint() will wait until jh's new transaction fininshed +even bh is currently not dirty. And journal_shrink_one_cp_list() won't +remove jh from checkpoint list if the buffer head is reused in +do_get_write_access(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216898 +Cc: +Signed-off-by: Zhihao Cheng +Signed-off-by: zhanchengbin +Suggested-by: Jan Kara +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230110015327.1181863-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 50 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 21 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1001,36 +1001,28 @@ repeat: + * ie. locked but not dirty) or tune2fs (which may actually have + * the buffer dirtied, ugh.) */ + +- if (buffer_dirty(bh)) { ++ if (buffer_dirty(bh) && jh->b_transaction) { ++ warn_dirty_buffer(bh); + /* +- * First question: is this buffer already part of the current +- * transaction or the existing committing transaction? +- */ +- if (jh->b_transaction) { +- J_ASSERT_JH(jh, +- jh->b_transaction == transaction || +- jh->b_transaction == +- journal->j_committing_transaction); +- if (jh->b_next_transaction) +- J_ASSERT_JH(jh, jh->b_next_transaction == +- transaction); +- warn_dirty_buffer(bh); +- } +- /* +- * In any case we need to clean the dirty flag and we must +- * do it under the buffer lock to be sure we don't race +- * with running write-out. ++ * We need to clean the dirty flag and we must do it under the ++ * buffer lock to be sure we don't race with running write-out. + */ + JBUFFER_TRACE(jh, "Journalling dirty buffer"); + clear_buffer_dirty(bh); ++ /* ++ * The buffer is going to be added to BJ_Reserved list now and ++ * nothing guarantees jbd2_journal_dirty_metadata() will be ++ * ever called for it. So we need to set jbddirty bit here to ++ * make sure the buffer is dirtied and written out when the ++ * journaling machinery is done with it. ++ */ + set_buffer_jbddirty(bh); + } + +- unlock_buffer(bh); +- + error = -EROFS; + if (is_handle_aborted(handle)) { + spin_unlock(&jh->b_state_lock); ++ unlock_buffer(bh); + goto out; + } + error = 0; +@@ -1040,8 +1032,10 @@ repeat: + * b_next_transaction points to it + */ + if (jh->b_transaction == transaction || +- jh->b_next_transaction == transaction) ++ jh->b_next_transaction == transaction) { ++ unlock_buffer(bh); + goto done; ++ } + + /* + * this is the first time this transaction is touching this buffer, +@@ -1065,10 +1059,24 @@ repeat: + */ + smp_wmb(); + spin_lock(&journal->j_list_lock); ++ if (test_clear_buffer_dirty(bh)) { ++ /* ++ * Execute buffer dirty clearing and jh->b_transaction ++ * assignment under journal->j_list_lock locked to ++ * prevent bh being removed from checkpoint list if ++ * the buffer is in an intermediate state (not dirty ++ * and jh->b_transaction is NULL). ++ */ ++ JBUFFER_TRACE(jh, "Journalling dirty buffer"); ++ set_buffer_jbddirty(bh); ++ } + __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved); + spin_unlock(&journal->j_list_lock); ++ unlock_buffer(bh); + goto done; + } ++ unlock_buffer(bh); ++ + /* + * If there is already a copy-out version of this buffer, then we don't + * need to make another one diff --git a/queue-5.15/ktest.pl-add-run_timeout-option-with-default-unlimited.patch b/queue-5.15/ktest.pl-add-run_timeout-option-with-default-unlimited.patch new file mode 100644 index 00000000000..d0b04a199d3 --- /dev/null +++ b/queue-5.15/ktest.pl-add-run_timeout-option-with-default-unlimited.patch @@ -0,0 +1,108 @@ +From 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 16:37:25 -0500 +Subject: ktest.pl: Add RUN_TIMEOUT option with default unlimited + +From: Steven Rostedt + +commit 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 upstream. + +There is a disconnect between the run_command function and the +wait_for_input. The wait_for_input has a default timeout of 2 minutes. But +if that happens, the run_command loop will exit out to the waitpid() of +the executing command. This fails in that it no longer monitors the +command, and also, the ssh to the test box can hang when its finished, as +it's waiting for the pipe it's writing to to flush, but the loop that +reads that pipe has already exited, leaving the command stuck, and the +test hangs. + +Instead, make the default "wait_for_input" of the run_command infinite, +and allow the user to override it if they want with a default timeout +option "RUN_TIMEOUT". + +But this fixes the hang that happens when the pipe is full and the ssh +session never exits. + +Cc: stable@vger.kernel.org +Fixes: 6e98d1b4415fe ("ktest: Add timeout to ssh command") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 20 ++++++++++++++++---- + tools/testing/ktest/sample.conf | 5 +++++ + 2 files changed, 21 insertions(+), 4 deletions(-) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -178,6 +178,7 @@ my $store_failures; + my $store_successes; + my $test_name; + my $timeout; ++my $run_timeout; + my $connect_timeout; + my $config_bisect_exec; + my $booted_timeout; +@@ -340,6 +341,7 @@ my %option_map = ( + "STORE_SUCCESSES" => \$store_successes, + "TEST_NAME" => \$test_name, + "TIMEOUT" => \$timeout, ++ "RUN_TIMEOUT" => \$run_timeout, + "CONNECT_TIMEOUT" => \$connect_timeout, + "CONFIG_BISECT_EXEC" => \$config_bisect_exec, + "BOOTED_TIMEOUT" => \$booted_timeout, +@@ -1851,6 +1853,14 @@ sub run_command { + $command =~ s/\$SSH_USER/$ssh_user/g; + $command =~ s/\$MACHINE/$machine/g; + ++ if (!defined($timeout)) { ++ $timeout = $run_timeout; ++ } ++ ++ if (!defined($timeout)) { ++ $timeout = -1; # tell wait_for_input to wait indefinitely ++ } ++ + doprint("$command ... "); + $start_time = time; + +@@ -1877,13 +1887,10 @@ sub run_command { + + while (1) { + my $fp = \*CMD; +- if (defined($timeout)) { +- doprint "timeout = $timeout\n"; +- } + my $line = wait_for_input($fp, $timeout); + if (!defined($line)) { + my $now = time; +- if (defined($timeout) && (($now - $start_time) >= $timeout)) { ++ if ($timeout >= 0 && (($now - $start_time) >= $timeout)) { + doprint "Hit timeout of $timeout, killing process\n"; + $hit_timeout = 1; + kill 9, $pid; +@@ -2055,6 +2062,11 @@ sub wait_for_input { + $time = $timeout; + } + ++ if ($time < 0) { ++ # Negative number means wait indefinitely ++ undef $time; ++ } ++ + $rin = ''; + vec($rin, fileno($fp), 1) = 1; + vec($rin, fileno(\*STDIN), 1) = 1; +--- a/tools/testing/ktest/sample.conf ++++ b/tools/testing/ktest/sample.conf +@@ -809,6 +809,11 @@ + # is issued instead of a reboot. + # CONNECT_TIMEOUT = 25 + ++# The timeout in seconds for how long to wait for any running command ++# to timeout. If not defined, it will let it go indefinitely. ++# (default undefined) ++#RUN_TIMEOUT = 600 ++ + # In between tests, a reboot of the box may occur, and this + # is the time to wait for the console after it stops producing + # output. Some machines may not produce a large lag on reboot diff --git a/queue-5.15/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch b/queue-5.15/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch new file mode 100644 index 00000000000..e85465654de --- /dev/null +++ b/queue-5.15/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch @@ -0,0 +1,38 @@ +From e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 11:31:25 -0500 +Subject: ktest.pl: Fix missing "end_monitor" when machine check fails + +From: Steven Rostedt + +commit e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 upstream. + +In the "reboot" command, it does a check of the machine to see if it is +still alive with a simple "ssh echo" command. If it fails, it will assume +that a normal "ssh reboot" is not possible and force a power cycle. + +In this case, the "start_monitor" is executed, but the "end_monitor" is +not, and this causes the screen will not be given back to the console. That +is, after the test, a "reset" command needs to be performed, as "echo" is +turned off. + +Cc: stable@vger.kernel.org +Fixes: 6474ace999edd ("ktest.pl: Powercycle the box on reboot if no connection can be made") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -1488,7 +1488,8 @@ sub reboot { + + # Still need to wait for the reboot to finish + wait_for_monitor($time, $reboot_success_line); +- ++ } ++ if ($powercycle || $time) { + end_monitor; + } + } diff --git a/queue-5.15/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch b/queue-5.15/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch new file mode 100644 index 00000000000..a96f8e22446 --- /dev/null +++ b/queue-5.15/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch @@ -0,0 +1,36 @@ +From 83d29d439cd3ef23041570d55841f814af2ecac0 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 16:32:13 -0500 +Subject: ktest.pl: Give back console on Ctrt^C on monitor + +From: Steven Rostedt + +commit 83d29d439cd3ef23041570d55841f814af2ecac0 upstream. + +When monitoring the console output, the stdout is being redirected to do +so. If Ctrl^C is hit during this mode, the stdout is not back to the +console, the user does not see anything they type (no echo). + +Add "end_monitor" to the SIGINT interrupt handler to give back the console +on Ctrl^C. + +Cc: stable@vger.kernel.org +Fixes: 9f2cdcbbb90e7 ("ktest: Give console process a dedicated tty") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -4193,6 +4193,9 @@ sub send_email { + } + + sub cancel_test { ++ if ($monitor_cnt) { ++ end_monitor; ++ } + if ($email_when_canceled) { + my $name = get_test_name; + send_email("KTEST: Your [$name] test was cancelled", diff --git a/queue-5.15/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch b/queue-5.15/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch new file mode 100644 index 00000000000..507e5fc84e5 --- /dev/null +++ b/queue-5.15/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch @@ -0,0 +1,34 @@ +From 909d3096ac99fa2289f9b8945a3eab2269947a0a Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Wed, 21 Dec 2022 09:30:11 +0100 +Subject: media: ipu3-cio2: Fix PM runtime usage_count in driver unbind + +From: Sakari Ailus + +commit 909d3096ac99fa2289f9b8945a3eab2269947a0a upstream. + +Get the PM runtime usage_count and forbid PM runtime at driver unbind. The +opposite is being done in probe() already. + +Fixes: commit c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") +Cc: stable@vger.kernel.org # for >= 4.16 +Signed-off-by: Sakari Ailus +Reviewed-by: Bingbu Cao +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ipu3/ipu3-cio2-main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c ++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2-main.c +@@ -1851,6 +1851,9 @@ static void cio2_pci_remove(struct pci_d + v4l2_device_unregister(&cio2->v4l2_dev); + media_device_cleanup(&cio2->media_dev); + mutex_destroy(&cio2->lock); ++ ++ pm_runtime_forbid(&pci_dev->dev); ++ pm_runtime_get_noresume(&pci_dev->dev); + } + + static int __maybe_unused cio2_runtime_suspend(struct device *dev) diff --git a/queue-5.15/mips-fix-syscall_get_nr.patch b/queue-5.15/mips-fix-syscall_get_nr.patch new file mode 100644 index 00000000000..199261508c2 --- /dev/null +++ b/queue-5.15/mips-fix-syscall_get_nr.patch @@ -0,0 +1,39 @@ +From 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d Mon Sep 17 00:00:00 2001 +From: Elvira Khabirova +Date: Sat, 18 Feb 2023 23:43:59 +0100 +Subject: mips: fix syscall_get_nr + +From: Elvira Khabirova + +commit 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d upstream. + +The implementation of syscall_get_nr on mips used to ignore the task +argument and return the syscall number of the calling thread instead of +the target thread. + +The bug was exposed to user space by commit 201766a20e30f ("ptrace: add +PTRACE_GET_SYSCALL_INFO request") and detected by strace test suite. + +Link: https://github.com/strace/strace/issues/235 +Fixes: c2d9f1775731 ("MIPS: Fix syscall_get_nr for the syscall exit tracing.") +Cc: # v3.19+ +Co-developed-by: Dmitry V. Levin +Signed-off-by: Dmitry V. Levin +Signed-off-by: Elvira Khabirova +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/syscall.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/syscall.h ++++ b/arch/mips/include/asm/syscall.h +@@ -38,7 +38,7 @@ static inline bool mips_syscall_is_indir + static inline long syscall_get_nr(struct task_struct *task, + struct pt_regs *regs) + { +- return current_thread_info()->syscall; ++ return task_thread_info(task)->syscall; + } + + static inline void mips_syscall_update_nr(struct task_struct *task, diff --git a/queue-5.15/mm-memcontrol-deprecate-charge-moving.patch b/queue-5.15/mm-memcontrol-deprecate-charge-moving.patch new file mode 100644 index 00000000000..f4c77a38b75 --- /dev/null +++ b/queue-5.15/mm-memcontrol-deprecate-charge-moving.patch @@ -0,0 +1,100 @@ +From da34a8484d162585e22ed8c1e4114aa2f60e3567 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Wed, 7 Dec 2022 14:00:39 +0100 +Subject: mm: memcontrol: deprecate charge moving + +From: Johannes Weiner + +commit da34a8484d162585e22ed8c1e4114aa2f60e3567 upstream. + +Charge moving mode in cgroup1 allows memory to follow tasks as they +migrate between cgroups. This is, and always has been, a questionable +thing to do - for several reasons. + +First, it's expensive. Pages need to be identified, locked and isolated +from various MM operations, and reassigned, one by one. + +Second, it's unreliable. Once pages are charged to a cgroup, there isn't +always a clear owner task anymore. Cache isn't moved at all, for example. +Mapped memory is moved - but if trylocking or isolating a page fails, +it's arbitrarily left behind. Frequent moving between domains may leave a +task's memory scattered all over the place. + +Third, it isn't really needed. Launcher tasks can kick off workload tasks +directly in their target cgroup. Using dedicated per-workload groups +allows fine-grained policy adjustments - no need to move tasks and their +physical pages between control domains. The feature was never +forward-ported to cgroup2, and it hasn't been missed. + +Despite it being a niche usecase, the maintenance overhead of supporting +it is enormous. Because pages are moved while they are live and subject +to various MM operations, the synchronization rules are complicated. +There are lock_page_memcg() in MM and FS code, which non-cgroup people +don't understand. In some cases we've been able to shift code and cgroup +API calls around such that we can rely on native locking as much as +possible. But that's fragile, and sometimes we need to hold MM locks for +longer than we otherwise would (pte lock e.g.). + +Mark the feature deprecated. Hopefully we can remove it soon. + +And backport into -stable kernels so that people who develop against +earlier kernels are warned about this deprecation as early as possible. + +[akpm@linux-foundation.org: fix memory.rst underlining] +Link: https://lkml.kernel.org/r/Y5COd+qXwk/S+n8N@cmpxchg.org +Signed-off-by: Johannes Weiner +Acked-by: Shakeel Butt +Acked-by: Hugh Dickins +Acked-by: Michal Hocko +Cc: Muchun Song +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/cgroup-v1/memory.rst | 13 +++++++++++-- + mm/memcontrol.c | 4 ++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +--- a/Documentation/admin-guide/cgroup-v1/memory.rst ++++ b/Documentation/admin-guide/cgroup-v1/memory.rst +@@ -84,6 +84,8 @@ Brief summary of control files. + memory.swappiness set/show swappiness parameter of vmscan + (See sysctl's vm.swappiness) + memory.move_charge_at_immigrate set/show controls of moving charges ++ This knob is deprecated and shouldn't be ++ used. + memory.oom_control set/show oom controls. + memory.numa_stat show the number of memory usage per numa + node +@@ -723,8 +725,15 @@ NOTE2: + It is recommended to set the soft limit always below the hard limit, + otherwise the hard limit will take precedence. + +-8. Move charges at task migration +-================================= ++8. Move charges at task migration (DEPRECATED!) ++=============================================== ++ ++THIS IS DEPRECATED! ++ ++It's expensive and unreliable! It's better practice to launch workload ++tasks directly from inside their target cgroup. Use dedicated workload ++cgroups to allow fine-grained policy adjustments without having to ++move physical pages between control domains. + + Users can move charges associated with a task along with task migration, that + is, uncharge task's pages from the old cgroup and charge them to the new cgroup. +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3872,6 +3872,10 @@ static int mem_cgroup_move_charge_write( + { + struct mem_cgroup *memcg = mem_cgroup_from_css(css); + ++ pr_warn_once("Cgroup memory moving (move_charge_at_immigrate) is deprecated. " ++ "Please report your usecase to linux-mm@kvack.org if you " ++ "depend on this functionality.\n"); ++ + if (val & ~MOVE_MASK) + return -EINVAL; + diff --git a/queue-5.15/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch b/queue-5.15/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch new file mode 100644 index 00000000000..88d4ee2ec38 --- /dev/null +++ b/queue-5.15/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch @@ -0,0 +1,91 @@ +From 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 Mon Sep 17 00:00:00 2001 +From: Yin Fengwei +Date: Fri, 23 Dec 2022 21:52:07 +0800 +Subject: mm/thp: check and bail out if page in deferred queue already + +From: Yin Fengwei + +commit 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 upstream. + +Kernel build regression with LLVM was reported here: +https://lore.kernel.org/all/Y1GCYXGtEVZbcv%2F5@dev-arch.thelio-3990X/ with +commit f35b5d7d676e ("mm: align larger anonymous mappings on THP +boundaries"). And the commit f35b5d7d676e was reverted. + +It turned out the regression is related with madvise(MADV_DONTNEED) +was used by ld.lld. But with none PMD_SIZE aligned parameter len. +trace-bpfcc captured: +531607 531732 ld.lld do_madvise.part.0 start: 0x7feca9000000, len: 0x7fb000, behavior: 0x4 +531607 531793 ld.lld do_madvise.part.0 start: 0x7fec86a00000, len: 0x7fb000, behavior: 0x4 + +If the underneath physical page is THP, the madvise(MADV_DONTNEED) can +trigger split_queue_lock contention raised significantly. perf showed +following data: + 14.85% 0.00% ld.lld [kernel.kallsyms] [k] + entry_SYSCALL_64_after_hwframe + 11.52% + entry_SYSCALL_64_after_hwframe + do_syscall_64 + __x64_sys_madvise + do_madvise.part.0 + zap_page_range + unmap_single_vma + unmap_page_range + page_remove_rmap + deferred_split_huge_page + __lock_text_start + native_queued_spin_lock_slowpath + +If THP can't be removed from rmap as whole THP, partial THP will be +removed from rmap by removing sub-pages from rmap. Even the THP head page +is added to deferred queue already, the split_queue_lock will be acquired +and check whether the THP head page is in the queue already. Thus, the +contention of split_queue_lock is raised. + +Before acquire split_queue_lock, check and bail out early if the THP +head page is in the queue already. The checking without holding +split_queue_lock could race with deferred_split_scan, but it doesn't +impact the correctness here. + +Test result of building kernel with ld.lld: +commit 7b5a0b664ebe (parent commit of f35b5d7d676e): +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 6:07.99 real, 26367.77 user, 5063.35 sys + +commit f35b5d7d676e: +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 7:22.15 real, 26235.03 user, 12504.55 sys + +commit f35b5d7d676e with the fixing patch: +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 6:08.49 real, 26520.15 user, 5047.91 sys + +Link: https://lkml.kernel.org/r/20221223135207.2275317-1-fengwei.yin@intel.com +Signed-off-by: Yin Fengwei +Tested-by: Nathan Chancellor +Acked-by: David Rientjes +Reviewed-by: "Huang, Ying" +Cc: Feng Tang +Cc: Matthew Wilcox +Cc: Rik van Riel +Cc: Xing Zhengjun +Cc: Yang Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2778,6 +2778,9 @@ void deferred_split_huge_page(struct pag + if (PageSwapCache(page)) + return; + ++ if (!list_empty(page_deferred_list(page))) ++ return; ++ + spin_lock_irqsave(&ds_queue->split_queue_lock, flags); + if (list_empty(page_deferred_list(page))) { + count_vm_event(THP_DEFERRED_SPLIT_PAGE); diff --git a/queue-5.15/mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch b/queue-5.15/mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch new file mode 100644 index 00000000000..fac3b35e410 --- /dev/null +++ b/queue-5.15/mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch @@ -0,0 +1,85 @@ +From f0f0cfdc3a024e21161714f2e05f0df3b84d42ad Mon Sep 17 00:00:00 2001 +From: Louis Rannou +Date: Fri, 3 Feb 2023 09:07:54 +0200 +Subject: mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type + +From: Louis Rannou + +commit f0f0cfdc3a024e21161714f2e05f0df3b84d42ad upstream. + +spi_nor_set_erase_type() was used either to set or to mask out an erase +type. When we used it to mask out an erase type a shift-out-of-bounds +was hit: +UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24 +shift exponent 4294967295 is too large for 32-bit type 'int' + +The setting of the size_{shift, mask} and of the opcode are unnecessary +when the erase size is zero, as throughout the code just the erase size +is considered to determine whether an erase type is supported or not. +Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF +is an unused opcode. Thus when masking out an erase type, just set the +erase size to zero. This will fix the shift-out-of-bounds. + +Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") +Cc: stable@vger.kernel.org +Reported-by: Alexander Stein +Signed-off-by: Louis Rannou +Tested-by: Alexander Stein +Link: https://lore.kernel.org/r/20230203070754.50677-1-tudor.ambarus@linaro.org +[ta: refine changes, new commit message, fix compilation error] +Signed-off-by: Tudor Ambarus +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 9 +++++++++ + drivers/mtd/spi-nor/core.h | 1 + + drivers/mtd/spi-nor/sfdp.c | 4 ++-- + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -2247,6 +2247,15 @@ void spi_nor_set_erase_type(struct spi_n + } + + /** ++ * spi_nor_mask_erase_type() - mask out a SPI NOR erase type ++ * @erase: pointer to a structure that describes a SPI NOR erase type ++ */ ++void spi_nor_mask_erase_type(struct spi_nor_erase_type *erase) ++{ ++ erase->size = 0; ++} ++ ++/** + * spi_nor_init_uniform_erase_map() - Initialize uniform erase map + * @map: the erase map of the SPI NOR + * @erase_mask: bitmask encoding erase types that can erase the entire +--- a/drivers/mtd/spi-nor/core.h ++++ b/drivers/mtd/spi-nor/core.h +@@ -538,6 +538,7 @@ void spi_nor_set_pp_settings(struct spi_ + + void spi_nor_set_erase_type(struct spi_nor_erase_type *erase, u32 size, + u8 opcode); ++void spi_nor_mask_erase_type(struct spi_nor_erase_type *erase); + struct spi_nor_erase_region * + spi_nor_region_next(struct spi_nor_erase_region *region); + void spi_nor_init_uniform_erase_map(struct spi_nor_erase_map *map, +--- a/drivers/mtd/spi-nor/sfdp.c ++++ b/drivers/mtd/spi-nor/sfdp.c +@@ -874,7 +874,7 @@ static int spi_nor_init_non_uniform_eras + */ + for (i = 0; i < SNOR_ERASE_TYPE_MAX; i++) + if (!(regions_erase_type & BIT(erase[i].idx))) +- spi_nor_set_erase_type(&erase[i], 0, 0xFF); ++ spi_nor_mask_erase_type(&erase[i]); + + return 0; + } +@@ -1088,7 +1088,7 @@ static int spi_nor_parse_4bait(struct sp + erase_type[i].opcode = (dwords[1] >> + erase_type[i].idx * 8) & 0xFF; + else +- spi_nor_set_erase_type(&erase_type[i], 0u, 0xFF); ++ spi_nor_mask_erase_type(&erase_type[i]); + } + + /* diff --git a/queue-5.15/mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch b/queue-5.15/mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch new file mode 100644 index 00000000000..3a5e700d784 --- /dev/null +++ b/queue-5.15/mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch @@ -0,0 +1,33 @@ +From ad9679f3811899fd1c21dc7bdd715e8e1cfb46b9 Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Mon, 26 Dec 2022 13:01:58 +0900 +Subject: mtd: spi-nor: sfdp: Fix index value for SCCR dwords + +From: Takahiro Kuwano + +commit ad9679f3811899fd1c21dc7bdd715e8e1cfb46b9 upstream. + +Array index for SCCR 22th DOWRD should be 21. + +Fixes: 981a8d60e01f ("mtd: spi-nor: Parse SFDP SCCR Map") +Signed-off-by: Takahiro Kuwano +Signed-off-by: Tudor Ambarus +Reviewed-by: Michael Walle +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/d8a2a77c2c95cf776e7dcae6392d29fdcf5d6307.1672026365.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/sfdp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/sfdp.c ++++ b/drivers/mtd/spi-nor/sfdp.c +@@ -1220,7 +1220,7 @@ static int spi_nor_parse_sccr(struct spi + + le32_to_cpu_array(dwords, sccr_header->length); + +- if (FIELD_GET(SCCR_DWORD22_OCTAL_DTR_EN_VOLATILE, dwords[22])) ++ if (FIELD_GET(SCCR_DWORD22_OCTAL_DTR_EN_VOLATILE, dwords[21])) + nor->flags |= SNOR_F_IO_MODE_EN_VOLATILE; + + out: diff --git a/queue-5.15/mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch b/queue-5.15/mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch new file mode 100644 index 00000000000..74e623b475f --- /dev/null +++ b/queue-5.15/mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch @@ -0,0 +1,46 @@ +From 3f592a869f87723314f0cb1ac232bd3bf8245be8 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Tue, 10 Jan 2023 18:47:02 +0200 +Subject: mtd: spi-nor: spansion: Consider reserved bits in CFR5 register + +From: Tudor Ambarus + +commit 3f592a869f87723314f0cb1ac232bd3bf8245be8 upstream. + +CFR5[6] is reserved bit and must be always 1. Set it to comply with flash +requirements. While fixing SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_{EN, DS} +definition, stop using magic numbers and describe the missing bit fields +in CFR5 register. This is useful for both readability and future possible +addition of Octal STR mode support. + +Fixes: c3266af101f2 ("mtd: spi-nor: spansion: add support for Cypress Semper flash") +Cc: stable@vger.kernel.org +Reported-by: Takahiro Kuwano +Signed-off-by: Tudor Ambarus +Reviewed-by: Dhruva Gole +Reviewed-by: Pratyush Yadav +Tested-by: Dhruva Gole +Link: https://lore.kernel.org/linux-mtd/20230110164703.83413-1-tudor.ambarus@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/spansion.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/spansion.c ++++ b/drivers/mtd/spi-nor/spansion.c +@@ -15,8 +15,13 @@ + #define SPINOR_REG_CYPRESS_CFR3V 0x00800004 + #define SPINOR_REG_CYPRESS_CFR3V_PGSZ BIT(4) /* Page size. */ + #define SPINOR_REG_CYPRESS_CFR5V 0x00800006 +-#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_EN 0x3 +-#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS 0 ++#define SPINOR_REG_CYPRESS_CFR5_BIT6 BIT(6) ++#define SPINOR_REG_CYPRESS_CFR5_DDR BIT(1) ++#define SPINOR_REG_CYPRESS_CFR5_OPI BIT(0) ++#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_EN \ ++ (SPINOR_REG_CYPRESS_CFR5_BIT6 | SPINOR_REG_CYPRESS_CFR5_DDR | \ ++ SPINOR_REG_CYPRESS_CFR5_OPI) ++#define SPINOR_REG_CYPRESS_CFR5V_OCT_DTR_DS SPINOR_REG_CYPRESS_CFR5_BIT6 + #define SPINOR_OP_CYPRESS_RD_FAST 0xee + + /** diff --git a/queue-5.15/qede-fix-interrupt-coalescing-configuration.patch b/queue-5.15/qede-fix-interrupt-coalescing-configuration.patch new file mode 100644 index 00000000000..f68af7f09f4 --- /dev/null +++ b/queue-5.15/qede-fix-interrupt-coalescing-configuration.patch @@ -0,0 +1,52 @@ +From 908d4bb7c54caa58253a363d63e797a468eaf321 Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Thu, 16 Feb 2023 03:54:47 -0800 +Subject: qede: fix interrupt coalescing configuration + +From: Manish Chopra + +commit 908d4bb7c54caa58253a363d63e797a468eaf321 upstream. + +On default driver load device gets configured with unexpected +higher interrupt coalescing values instead of default expected +values as memory allocated from krealloc() is not supposed to +be zeroed out and may contain garbage values. + +Fix this by allocating the memory of required size first with +kcalloc() and then use krealloc() to resize and preserve the +contents across down/up of the interface. + +Signed-off-by: Manish Chopra +Fixes: b0ec5489c480 ("qede: preserve per queue stats across up/down of interface") +Cc: stable@vger.kernel.org +Cc: Bhaskar Upadhaya +Cc: David S. Miller +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2160054 +Signed-off-by: Alok Prasad +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -909,8 +909,15 @@ static int qede_alloc_fp_array(struct qe + goto err; + } + +- mem = krealloc(edev->coal_entry, QEDE_QUEUE_CNT(edev) * +- sizeof(*edev->coal_entry), GFP_KERNEL); ++ if (!edev->coal_entry) { ++ mem = kcalloc(QEDE_MAX_RSS_CNT(edev), ++ sizeof(*edev->coal_entry), GFP_KERNEL); ++ } else { ++ mem = krealloc(edev->coal_entry, ++ QEDE_QUEUE_CNT(edev) * sizeof(*edev->coal_entry), ++ GFP_KERNEL); ++ } ++ + if (!mem) { + DP_ERR(edev, "coalesce entry allocation failed\n"); + kfree(edev->coal_entry); diff --git a/queue-5.15/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch b/queue-5.15/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch new file mode 100644 index 00000000000..bdb83ba2190 --- /dev/null +++ b/queue-5.15/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch @@ -0,0 +1,94 @@ +From f7c4d9b133c7a04ca619355574e96b6abf209fba Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Fri, 24 Feb 2023 18:48:54 +0100 +Subject: rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails + +From: Ilya Dryomov + +commit f7c4d9b133c7a04ca619355574e96b6abf209fba upstream. + +If getting an ID or setting up a work queue in rbd_dev_create() fails, +use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts +is triggered in do_rbd_add(). The root cause is that the ownership of +these structures is transfered to rbd_dev prematurely and they all end +up getting freed when rbd_dev_create() calls rbd_dev_free() prior to +returning to do_rbd_add(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE, an +incomplete patch submitted by Natalia Petrova . + +Cc: stable@vger.kernel.org +Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue") +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/rbd.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -5296,8 +5296,7 @@ static void rbd_dev_release(struct devic + module_put(THIS_MODULE); + } + +-static struct rbd_device *__rbd_dev_create(struct rbd_client *rbdc, +- struct rbd_spec *spec) ++static struct rbd_device *__rbd_dev_create(struct rbd_spec *spec) + { + struct rbd_device *rbd_dev; + +@@ -5342,9 +5341,6 @@ static struct rbd_device *__rbd_dev_crea + rbd_dev->dev.parent = &rbd_root_dev; + device_initialize(&rbd_dev->dev); + +- rbd_dev->rbd_client = rbdc; +- rbd_dev->spec = spec; +- + return rbd_dev; + } + +@@ -5357,12 +5353,10 @@ static struct rbd_device *rbd_dev_create + { + struct rbd_device *rbd_dev; + +- rbd_dev = __rbd_dev_create(rbdc, spec); ++ rbd_dev = __rbd_dev_create(spec); + if (!rbd_dev) + return NULL; + +- rbd_dev->opts = opts; +- + /* get an id and fill in device name */ + rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0, + minor_to_rbd_dev_id(1 << MINORBITS), +@@ -5379,6 +5373,10 @@ static struct rbd_device *rbd_dev_create + /* we have a ref from do_rbd_add() */ + __module_get(THIS_MODULE); + ++ rbd_dev->rbd_client = rbdc; ++ rbd_dev->spec = spec; ++ rbd_dev->opts = opts; ++ + dout("%s rbd_dev %p dev_id %d\n", __func__, rbd_dev, rbd_dev->dev_id); + return rbd_dev; + +@@ -6739,7 +6737,7 @@ static int rbd_dev_probe_parent(struct r + goto out_err; + } + +- parent = __rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec); ++ parent = __rbd_dev_create(rbd_dev->parent_spec); + if (!parent) { + ret = -ENOMEM; + goto out_err; +@@ -6749,8 +6747,8 @@ static int rbd_dev_probe_parent(struct r + * Images related by parent/child relationships always share + * rbd_client and spec/parent_spec, so bump their refcounts. + */ +- __rbd_get_client(rbd_dev->rbd_client); +- rbd_spec_get(rbd_dev->parent_spec); ++ parent->rbd_client = __rbd_get_client(rbd_dev->rbd_client); ++ parent->spec = rbd_spec_get(rbd_dev->parent_spec); + + __set_bit(RBD_DEV_FLAG_READONLY, &parent->flags); + diff --git a/queue-5.15/remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch b/queue-5.15/remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch new file mode 100644 index 00000000000..9a0a5514d98 --- /dev/null +++ b/queue-5.15/remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch @@ -0,0 +1,75 @@ +From e46ceea3148163166ef9b7bcac578e72dd30c064 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 4 Jan 2023 16:31:10 +0800 +Subject: remoteproc/mtk_scp: Move clk ops outside send_lock + +From: Chen-Yu Tsai + +commit e46ceea3148163166ef9b7bcac578e72dd30c064 upstream. + +Clocks are properly reference counted and do not need to be inside the +lock range. + +Right now this triggers a false-positive lockdep warning on MT8192 based +Chromebooks, through a combination of mtk-scp that has a cros-ec-rpmsg +sub-device, the (actual) cros-ec I2C adapter registration, I2C client +(not on cros-ec) probe doing i2c transfers and enabling clocks. + +This is a false positive because the cros-ec-rpmsg under mtk-scp does +not have an I2C adapter, and also each I2C adapter and cros-ec instance +have their own mutex. + +Move the clk operations outside of the send_lock range. + +Fixes: 63c13d61eafe ("remoteproc/mediatek: add SCP support for mt8183") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230104083110.736377-1-wenst@chromium.org +[Fixed "Fixes:" tag line] +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/mtk_scp_ipi.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/remoteproc/mtk_scp_ipi.c ++++ b/drivers/remoteproc/mtk_scp_ipi.c +@@ -164,21 +164,21 @@ int scp_ipi_send(struct mtk_scp *scp, u3 + WARN_ON(len > sizeof(send_obj->share_buf)) || WARN_ON(!buf)) + return -EINVAL; + +- mutex_lock(&scp->send_lock); +- + ret = clk_prepare_enable(scp->clk); + if (ret) { + dev_err(scp->dev, "failed to enable clock\n"); +- goto unlock_mutex; ++ return ret; + } + ++ mutex_lock(&scp->send_lock); ++ + /* Wait until SCP receives the last command */ + timeout = jiffies + msecs_to_jiffies(2000); + do { + if (time_after(jiffies, timeout)) { + dev_err(scp->dev, "%s: IPI timeout!\n", __func__); + ret = -ETIMEDOUT; +- goto clock_disable; ++ goto unlock_mutex; + } + } while (readl(scp->reg_base + scp->data->host_to_scp_reg)); + +@@ -205,10 +205,9 @@ int scp_ipi_send(struct mtk_scp *scp, u3 + ret = 0; + } + +-clock_disable: +- clk_disable_unprepare(scp->clk); + unlock_mutex: + mutex_unlock(&scp->send_lock); ++ clk_disable_unprepare(scp->clk); + + return ret; + } diff --git a/queue-5.15/ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch b/queue-5.15/ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch new file mode 100644 index 00000000000..3d0e5afa11c --- /dev/null +++ b/queue-5.15/ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch @@ -0,0 +1,175 @@ +From 8843e06f67b14f71c044bf6267b2387784c7e198 Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Tue, 14 Feb 2023 17:36:43 +0530 +Subject: ring-buffer: Handle race between rb_move_tail and rb_check_pages + +From: Mukesh Ojha + +commit 8843e06f67b14f71c044bf6267b2387784c7e198 upstream. + +It seems a data race between ring_buffer writing and integrity check. +That is, RB_FLAG of head_page is been updating, while at same time +RB_FLAG was cleared when doing integrity check rb_check_pages(): + + rb_check_pages() rb_handle_head_page(): + -------- -------- + rb_head_page_deactivate() + rb_head_page_set_normal() + rb_head_page_activate() + +We do intergrity test of the list to check if the list is corrupted and +it is still worth doing it. So, let's refactor rb_check_pages() such that +we no longer clear and set flag during the list sanity checking. + +[1] and [2] are the test to reproduce and the crash report respectively. + +1: +``` read_trace.sh + while true; + do + # the "trace" file is closed after read + head -1 /sys/kernel/tracing/trace > /dev/null + done +``` +``` repro.sh + sysctl -w kernel.panic_on_warn=1 + # function tracer will writing enough data into ring_buffer + echo function > /sys/kernel/tracing/current_tracer + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & + ./read_trace.sh & +``` + +2: +------------[ cut here ]------------ +WARNING: CPU: 9 PID: 62 at kernel/trace/ring_buffer.c:2653 +rb_move_tail+0x450/0x470 +Modules linked in: +CPU: 9 PID: 62 Comm: ksoftirqd/9 Tainted: G W 6.2.0-rc6+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:rb_move_tail+0x450/0x470 +Code: ff ff 4c 89 c8 f0 4d 0f b1 02 48 89 c2 48 83 e2 fc 49 39 d0 75 24 +83 e0 03 83 f8 02 0f 84 e1 fb ff ff 48 8b 57 10 f0 ff 42 08 <0f> 0b 83 +f8 02 0f 84 ce fb ff ff e9 db +RSP: 0018:ffffb5564089bd00 EFLAGS: 00000203 +RAX: 0000000000000000 RBX: ffff9db385a2bf81 RCX: ffffb5564089bd18 +RDX: ffff9db281110100 RSI: 0000000000000fe4 RDI: ffff9db380145400 +RBP: ffff9db385a2bf80 R08: ffff9db385a2bfc0 R09: ffff9db385a2bfc2 +R10: ffff9db385a6c000 R11: ffff9db385a2bf80 R12: 0000000000000000 +R13: 00000000000003e8 R14: ffff9db281110100 R15: ffffffffbb006108 +FS: 0000000000000000(0000) GS:ffff9db3bdcc0000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005602323024c8 CR3: 0000000022e0c000 CR4: 00000000000006e0 +Call Trace: + + ring_buffer_lock_reserve+0x136/0x360 + ? __do_softirq+0x287/0x2df + ? __pfx_rcu_softirq_qs+0x10/0x10 + trace_function+0x21/0x110 + ? __pfx_rcu_softirq_qs+0x10/0x10 + ? __do_softirq+0x287/0x2df + function_trace_call+0xf6/0x120 + 0xffffffffc038f097 + ? rcu_softirq_qs+0x5/0x140 + rcu_softirq_qs+0x5/0x140 + __do_softirq+0x287/0x2df + run_ksoftirqd+0x2a/0x30 + smpboot_thread_fn+0x188/0x220 + ? __pfx_smpboot_thread_fn+0x10/0x10 + kthread+0xe7/0x110 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2c/0x50 + +---[ end trace 0000000000000000 ]--- + +[ crash report and test reproducer credit goes to Zheng Yejian] + +Link: https://lore.kernel.org/linux-trace-kernel/1676376403-16462-1-git-send-email-quic_mojha@quicinc.com + +Cc: +Cc: stable@vger.kernel.org +Fixes: 1039221cc278 ("ring-buffer: Do not disable recording when there is an iterator") +Reported-by: Zheng Yejian +Signed-off-by: Mukesh Ojha +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 42 ++++++++++-------------------------------- + 1 file changed, 10 insertions(+), 32 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1545,19 +1545,6 @@ static int rb_check_bpage(struct ring_bu + } + + /** +- * rb_check_list - make sure a pointer to a list has the last bits zero +- */ +-static int rb_check_list(struct ring_buffer_per_cpu *cpu_buffer, +- struct list_head *list) +-{ +- if (RB_WARN_ON(cpu_buffer, rb_list_head(list->prev) != list->prev)) +- return 1; +- if (RB_WARN_ON(cpu_buffer, rb_list_head(list->next) != list->next)) +- return 1; +- return 0; +-} +- +-/** + * rb_check_pages - integrity check of buffer pages + * @cpu_buffer: CPU buffer with pages to test + * +@@ -1566,36 +1553,27 @@ static int rb_check_list(struct ring_buf + */ + static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) + { +- struct list_head *head = cpu_buffer->pages; +- struct buffer_page *bpage, *tmp; ++ struct list_head *head = rb_list_head(cpu_buffer->pages); ++ struct list_head *tmp; + +- /* Reset the head page if it exists */ +- if (cpu_buffer->head_page) +- rb_set_head_page(cpu_buffer); +- +- rb_head_page_deactivate(cpu_buffer); +- +- if (RB_WARN_ON(cpu_buffer, head->next->prev != head)) +- return -1; +- if (RB_WARN_ON(cpu_buffer, head->prev->next != head)) ++ if (RB_WARN_ON(cpu_buffer, ++ rb_list_head(rb_list_head(head->next)->prev) != head)) + return -1; + +- if (rb_check_list(cpu_buffer, head)) ++ if (RB_WARN_ON(cpu_buffer, ++ rb_list_head(rb_list_head(head->prev)->next) != head)) + return -1; + +- list_for_each_entry_safe(bpage, tmp, head, list) { ++ for (tmp = rb_list_head(head->next); tmp != head; tmp = rb_list_head(tmp->next)) { + if (RB_WARN_ON(cpu_buffer, +- bpage->list.next->prev != &bpage->list)) ++ rb_list_head(rb_list_head(tmp->next)->prev) != tmp)) + return -1; ++ + if (RB_WARN_ON(cpu_buffer, +- bpage->list.prev->next != &bpage->list)) +- return -1; +- if (rb_check_list(cpu_buffer, &bpage->list)) ++ rb_list_head(rb_list_head(tmp->prev)->next) != tmp)) + return -1; + } + +- rb_head_page_activate(cpu_buffer); +- + return 0; + } + diff --git a/queue-5.15/series b/queue-5.15/series index 15f24e20bc6..c0afe41ecaa 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -494,3 +494,45 @@ io_uring-add-a-conditional-reschedule-to-the-iopoll-cancelation-loop.patch io_uring-rsrc-disallow-multi-source-reg-buffers.patch io_uring-remove-msg_nosignal-from-recvmsg.patch io_uring-poll-allow-some-retries-for-poll-triggering-spuriously.patch +alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch +alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch +jbd2-fix-data-missing-when-reusing-bh-which-is-ready-to-be-checkpointed.patch +ext4-optimize-ea_inode-block-expansion.patch +ext4-refuse-to-create-ea-block-when-umounted.patch +ext4-fix-possible-corruption-when-moving-a-directory.patch +mtd-spi-nor-sfdp-fix-index-value-for-sccr-dwords.patch +mtd-spi-nor-spansion-consider-reserved-bits-in-cfr5-register.patch +mtd-spi-nor-fix-shift-out-of-bounds-in-spi_nor_set_erase_type.patch +dm-send-just-one-event-on-resize-not-two.patch +dm-add-cond_resched-to-dm_wq_work.patch +wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch +wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch +wifi-cfg80211-fix-use-after-free-for-wext.patch +qede-fix-interrupt-coalescing-configuration.patch +thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch +dm-flakey-fix-logic-when-corrupting-a-bio.patch +dm-flakey-don-t-corrupt-the-zero-page.patch +dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch +arm-dts-qcom-sdx55-add-qcom-smmu-500-as-the-fallback-for-iommu-node.patch +arm-dts-exynos-correct-tmu-phandle-in-exynos4210.patch +arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch +arm-dts-exynos-correct-tmu-phandle-in-odroid-xu3-family.patch +arm-dts-exynos-correct-tmu-phandle-in-exynos5250.patch +arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch +arm-dts-exynos-correct-tmu-phandle-in-odroid-hc1.patch +fuse-add-inode-permission-checks-to-fileattr_get-fileattr_set.patch +rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch +ceph-update-the-time-stamps-and-try-to-drop-the-suid-sgid.patch +alpha-fix-fen-fault-handling.patch +dax-kmem-fix-leak-of-memory-hotplug-resources.patch +mips-fix-syscall_get_nr.patch +media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch +remoteproc-mtk_scp-move-clk-ops-outside-send_lock.patch +docs-gdbmacros-print-newest-record.patch +mm-memcontrol-deprecate-charge-moving.patch +mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch +ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch +ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch +ktest.pl-add-run_timeout-option-with-default-unlimited.patch +ring-buffer-handle-race-between-rb_move_tail-and-rb_check_pages.patch +tools-bootconfig-fix-single-used-for-logical-condition.patch diff --git a/queue-5.15/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch b/queue-5.15/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch new file mode 100644 index 00000000000..029a68bd179 --- /dev/null +++ b/queue-5.15/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch @@ -0,0 +1,97 @@ +From 8e47363588377e1bdb65e2b020b409cfb44dd260 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Wed, 1 Feb 2023 12:39:41 -0800 +Subject: thermal: intel: powerclamp: Fix cur_state for multi package system + +From: Srinivas Pandruvada + +commit 8e47363588377e1bdb65e2b020b409cfb44dd260 upstream. + +The powerclamp cooling device cur_state shows actual idle observed by +package C-state idle counters. But the implementation is not sufficient +for multi package or multi die system. The cur_state value is incorrect. +On these systems, these counters must be read from each package/die and +somehow aggregate them. But there is no good method for aggregation. + +It was not a problem when explicit CPU model addition was required to +enable intel powerclamp. In this way certain CPU models could have +been avoided. But with the removal of CPU model check with the +availability of Package C-state counters, the driver is loaded on most +of the recent systems. + +For multi package/die systems, just show the actual target idle state, +the system is trying to achieve. In powerclamp this is the user set +state minus one. + +Also there is no use of starting a worker thread for polling package +C-state counters and applying any compensation for multiple package +or multiple die systems. + +Fixes: b721ca0d1927 ("thermal/powerclamp: remove cpu whitelist") +Signed-off-by: Srinivas Pandruvada +Cc: 4.14+ # 4.14+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/intel_powerclamp.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/thermal/intel/intel_powerclamp.c ++++ b/drivers/thermal/intel/intel_powerclamp.c +@@ -57,6 +57,7 @@ + + static unsigned int target_mwait; + static struct dentry *debug_dir; ++static bool poll_pkg_cstate_enable; + + /* user selected target */ + static unsigned int set_target_ratio; +@@ -262,6 +263,9 @@ static unsigned int get_compensation(int + { + unsigned int comp = 0; + ++ if (!poll_pkg_cstate_enable) ++ return 0; ++ + /* we only use compensation if all adjacent ones are good */ + if (ratio == 1 && + cal_data[ratio].confidence >= CONFIDENCE_OK && +@@ -534,7 +538,8 @@ static int start_power_clamp(void) + control_cpu = cpumask_first(cpu_online_mask); + + clamping = true; +- schedule_delayed_work(&poll_pkg_cstate_work, 0); ++ if (poll_pkg_cstate_enable) ++ schedule_delayed_work(&poll_pkg_cstate_work, 0); + + /* start one kthread worker per online cpu */ + for_each_online_cpu(cpu) { +@@ -603,11 +608,15 @@ static int powerclamp_get_max_state(stru + static int powerclamp_get_cur_state(struct thermal_cooling_device *cdev, + unsigned long *state) + { +- if (true == clamping) +- *state = pkg_cstate_ratio_cur; +- else ++ if (clamping) { ++ if (poll_pkg_cstate_enable) ++ *state = pkg_cstate_ratio_cur; ++ else ++ *state = set_target_ratio; ++ } else { + /* to save power, do not poll idle ratio while not clamping */ + *state = -1; /* indicates invalid state */ ++ } + + return 0; + } +@@ -732,6 +741,9 @@ static int __init powerclamp_init(void) + goto exit_unregister; + } + ++ if (topology_max_packages() == 1 && topology_max_die_per_package() == 1) ++ poll_pkg_cstate_enable = true; ++ + cooling_dev = thermal_cooling_device_register("intel_powerclamp", NULL, + &powerclamp_cooling_ops); + if (IS_ERR(cooling_dev)) { diff --git a/queue-5.15/tools-bootconfig-fix-single-used-for-logical-condition.patch b/queue-5.15/tools-bootconfig-fix-single-used-for-logical-condition.patch new file mode 100644 index 00000000000..17dd004364d --- /dev/null +++ b/queue-5.15/tools-bootconfig-fix-single-used-for-logical-condition.patch @@ -0,0 +1,41 @@ +From cf8c59a3756b2735c409a9b3ac1e4ec556546a7a Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Wed, 22 Feb 2023 08:27:35 +0900 +Subject: tools/bootconfig: fix single & used for logical condition + +From: Antonio Alvarez Feijoo + +commit cf8c59a3756b2735c409a9b3ac1e4ec556546a7a upstream. + +A single & will create a background process and return true, so the grep +command will run even if the file checked in the first condition does not +exist. + +Link: https://lore.kernel.org/all/20230112114215.17103-1-antonio.feijoo@suse.com/ + +Fixes: 1eaad3ac3f39 ("tools/bootconfig: Use per-group/all enable option in ftrace2bconf script") +Signed-off-by: Antonio Alvarez Feijoo +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + tools/bootconfig/scripts/ftrace2bconf.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/bootconfig/scripts/ftrace2bconf.sh b/tools/bootconfig/scripts/ftrace2bconf.sh +index 6183b36c6846..1603801cf126 100755 +--- a/tools/bootconfig/scripts/ftrace2bconf.sh ++++ b/tools/bootconfig/scripts/ftrace2bconf.sh +@@ -93,7 +93,7 @@ referred_vars() { + } + + event_is_enabled() { # enable-file +- test -f $1 & grep -q "1" $1 ++ test -f $1 && grep -q "1" $1 + } + + per_event_options() { # event-dir +-- +2.39.2 + diff --git a/queue-5.15/wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch b/queue-5.15/wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch new file mode 100644 index 00000000000..fecacbdfa51 --- /dev/null +++ b/queue-5.15/wifi-ath11k-allow-system-suspend-to-survive-ath11k.patch @@ -0,0 +1,48 @@ +From 7c15430822e71e90203d87e6d0cfe83fa058b0dc Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Wed, 1 Feb 2023 12:32:01 -0600 +Subject: wifi: ath11k: allow system suspend to survive ath11k + +From: Len Brown + +commit 7c15430822e71e90203d87e6d0cfe83fa058b0dc upstream. + +When ath11k runs into internal errors upon suspend, +it returns an error code to pci_pm_suspend, which +aborts the entire system suspend. + +The driver should not abort system suspend, but should +keep its internal errors to itself, and allow the system +to suspend. Otherwise, a user can suspend a laptop +by closing the lid and sealing it into a case, assuming +that is will suspend, rather than heating up and draining +the battery when in transit. + +In practice, the ath11k device seems to have plenty of transient +errors, and subsequent suspend cycles after this failure +often succeed. + +https://bugzilla.kernel.org/show_bug.cgi?id=216968 + +Fixes: d1b0c33850d29 ("ath11k: implement suspend for QCA6390 PCI devices") + +Signed-off-by: Len Brown +Cc: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230201183201.14431-1-len.brown@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath11k/pci.c ++++ b/drivers/net/wireless/ath/ath11k/pci.c +@@ -1395,7 +1395,7 @@ static __maybe_unused int ath11k_pci_pm_ + if (ret) + ath11k_warn(ab, "failed to suspend core: %d\n", ret); + +- return ret; ++ return 0; + } + + static __maybe_unused int ath11k_pci_pm_resume(struct device *dev) diff --git a/queue-5.15/wifi-cfg80211-fix-use-after-free-for-wext.patch b/queue-5.15/wifi-cfg80211-fix-use-after-free-for-wext.patch new file mode 100644 index 00000000000..7a439336fea --- /dev/null +++ b/queue-5.15/wifi-cfg80211-fix-use-after-free-for-wext.patch @@ -0,0 +1,96 @@ +From 015b8cc5e7c4d7bb671f1984d7b7338c310b185b Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Tue, 24 Jan 2023 15:18:56 +0100 +Subject: wifi: cfg80211: Fix use after free for wext + +From: Alexander Wetzel + +commit 015b8cc5e7c4d7bb671f1984d7b7338c310b185b upstream. + +Key information in wext.connect is not reset on (re)connect and can hold +data from a previous connection. + +Reset key data to avoid that drivers or mac80211 incorrectly detect a +WEP connection request and access the freed or already reused memory. + +Additionally optimize cfg80211_sme_connect() and avoid an useless +schedule of conn_work. + +Fixes: fffd0934b939 ("cfg80211: rework key operation") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230124141856.356646-1-alexander@wetzel-home.de +Signed-off-by: Alexander Wetzel +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/sme.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -268,6 +268,15 @@ void cfg80211_conn_work(struct work_stru + wiphy_unlock(&rdev->wiphy); + } + ++static void cfg80211_step_auth_next(struct cfg80211_conn *conn, ++ struct cfg80211_bss *bss) ++{ ++ memcpy(conn->bssid, bss->bssid, ETH_ALEN); ++ conn->params.bssid = conn->bssid; ++ conn->params.channel = bss->channel; ++ conn->state = CFG80211_CONN_AUTHENTICATE_NEXT; ++} ++ + /* Returned bss is reference counted and must be cleaned up appropriately. */ + static struct cfg80211_bss *cfg80211_get_conn_bss(struct wireless_dev *wdev) + { +@@ -285,10 +294,7 @@ static struct cfg80211_bss *cfg80211_get + if (!bss) + return NULL; + +- memcpy(wdev->conn->bssid, bss->bssid, ETH_ALEN); +- wdev->conn->params.bssid = wdev->conn->bssid; +- wdev->conn->params.channel = bss->channel; +- wdev->conn->state = CFG80211_CONN_AUTHENTICATE_NEXT; ++ cfg80211_step_auth_next(wdev->conn, bss); + schedule_work(&rdev->conn_work); + + return bss; +@@ -567,7 +573,12 @@ static int cfg80211_sme_connect(struct w + wdev->conn->params.ssid_len = wdev->ssid_len; + + /* see if we have the bss already */ +- bss = cfg80211_get_conn_bss(wdev); ++ bss = cfg80211_get_bss(wdev->wiphy, wdev->conn->params.channel, ++ wdev->conn->params.bssid, ++ wdev->conn->params.ssid, ++ wdev->conn->params.ssid_len, ++ wdev->conn_bss_type, ++ IEEE80211_PRIVACY(wdev->conn->params.privacy)); + + if (prev_bssid) { + memcpy(wdev->conn->prev_bssid, prev_bssid, ETH_ALEN); +@@ -578,6 +589,7 @@ static int cfg80211_sme_connect(struct w + if (bss) { + enum nl80211_timeout_reason treason; + ++ cfg80211_step_auth_next(wdev->conn, bss); + err = cfg80211_conn_do_work(wdev, &treason); + cfg80211_put_bss(wdev->wiphy, bss); + } else { +@@ -1244,6 +1256,15 @@ int cfg80211_connect(struct cfg80211_reg + } else { + if (WARN_ON(connkeys)) + return -EINVAL; ++ ++ /* connect can point to wdev->wext.connect which ++ * can hold key data from a previous connection ++ */ ++ connect->key = NULL; ++ connect->key_len = 0; ++ connect->key_idx = 0; ++ connect->crypto.cipher_group = 0; ++ connect->crypto.n_ciphers_pairwise = 0; + } + + wdev->connect_keys = connkeys; diff --git a/queue-5.15/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch b/queue-5.15/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch new file mode 100644 index 00000000000..3262cb0d0d4 --- /dev/null +++ b/queue-5.15/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch @@ -0,0 +1,59 @@ +From 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 Mon Sep 17 00:00:00 2001 +From: Bitterblue Smith +Date: Sun, 8 Jan 2023 17:08:16 +0200 +Subject: wifi: rtl8xxxu: Use a longer retry limit of 48 + +From: Bitterblue Smith + +commit 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 upstream. + +The Realtek rate control algorithm goes back and forth a lot between +the highest and the lowest rate it's allowed to use. This is due to +a lot of frames being dropped because the retry limits set by +IEEE80211_CONF_CHANGE_RETRY_LIMITS are too low. (Experimentally, they +are 4 for long frames and 7 for short frames.) + +The vendor drivers hardcode the value 48 for both retry limits (for +station mode), which makes dropped frames very rare and thus the rate +control is more stable. + +Because most Realtek chips handle the rate control in the firmware, +which can't be modified, ignore the limits set by +IEEE80211_CONF_CHANGE_RETRY_LIMITS and use the value 48 (set during +chip initialisation), same as the vendor drivers. + +Cc: stable@vger.kernel.org +Signed-off-by: Bitterblue Smith +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/477d745b-6bac-111d-403c-487fc19aa30d@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5909,7 +5909,6 @@ static int rtl8xxxu_config(struct ieee80 + { + struct rtl8xxxu_priv *priv = hw->priv; + struct device *dev = &priv->udev->dev; +- u16 val16; + int ret = 0, channel; + bool ht40; + +@@ -5919,14 +5918,6 @@ static int rtl8xxxu_config(struct ieee80 + __func__, hw->conf.chandef.chan->hw_value, + changed, hw->conf.chandef.width); + +- if (changed & IEEE80211_CONF_CHANGE_RETRY_LIMITS) { +- val16 = ((hw->conf.long_frame_max_tx_count << +- RETRY_LIMIT_LONG_SHIFT) & RETRY_LIMIT_LONG_MASK) | +- ((hw->conf.short_frame_max_tx_count << +- RETRY_LIMIT_SHORT_SHIFT) & RETRY_LIMIT_SHORT_MASK); +- rtl8xxxu_write16(priv, REG_RETRY_LIMIT, val16); +- } +- + if (changed & IEEE80211_CONF_CHANGE_CHANNEL) { + switch (hw->conf.chandef.width) { + case NL80211_CHAN_WIDTH_20_NOHT: