From: Greg Kroah-Hartman Date: Mon, 7 Oct 2024 16:28:03 +0000 (+0200) Subject: 6.11-stable patches X-Git-Tag: v6.6.55~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=affaa9c86253c0b7e56570003a7cef8ea8e04e05;p=thirdparty%2Fkernel%2Fstable-queue.git 6.11-stable patches added patches: arm64-fix-selection-of-have_dynamic_ftrace_with_args.patch arm64-subscribe-microsoft-azure-cobalt-100-to-erratum-3194386.patch drm-xe-fix-uaf-around-queue-destruction.patch drm-xe-oa-don-t-reset-oac_context_enable-on-oa-stream-close.patch exfat-fix-memory-leak-in-exfat_load_bitmap.patch i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch nfsd-fix-delegation_blocked-to-block-correctly-for-at-least-30-seconds.patch nfsd-fix-nfsv4-s-putpubfh-operation.patch nfsd-map-the-ebadmsg-to-nfserr_io-to-avoid-warning.patch perf-hist-update-hist-symbol-when-updating-maps.patch perf-python-disable-wno-cast-function-type-mismatch-if-present-on-clang.patch rdma-mana_ib-use-the-correct-page-size-for-mapping-user-mode-doorbell-page.patch rdma-mana_ib-use-the-correct-page-table-index-based-on-hardware-page-size.patch riscv-define-illegal_pointer_value-for-64bit.patch sched-core-add-clearing-of-dl_server-in-put_prev_task_balance.patch sched-core-clear-prev-dl_server-in-cfs-pick-fast-path.patch sched-deadline-comment-sched_dl_entity-dl_server-variable.patch sched-psi-fix-bogus-pressure-spikes-from-aggregation-race.patch sysctl-avoid-spurious-permanent-empty-tables.patch --- diff --git a/queue-6.11/arm64-fix-selection-of-have_dynamic_ftrace_with_args.patch b/queue-6.11/arm64-fix-selection-of-have_dynamic_ftrace_with_args.patch new file mode 100644 index 00000000000..564f4897cf7 --- /dev/null +++ b/queue-6.11/arm64-fix-selection-of-have_dynamic_ftrace_with_args.patch @@ -0,0 +1,83 @@ +From b3d6121eaeb22aee8a02f46706745b1968cc0292 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Mon, 30 Sep 2024 13:04:48 +0100 +Subject: arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS + +From: Mark Rutland + +commit b3d6121eaeb22aee8a02f46706745b1968cc0292 upstream. + +The Kconfig logic to select HAVE_DYNAMIC_FTRACE_WITH_ARGS is incorrect, +and HAVE_DYNAMIC_FTRACE_WITH_ARGS may be selected when it is not +supported by the combination of clang and GNU LD, resulting in link-time +errors: + + aarch64-linux-gnu-ld: .init.data has both ordered [`__patchable_function_entries' in init/main.o] and unordered [`.meminit.data' in mm/sparse.o] sections + aarch64-linux-gnu-ld: final link failed: bad value + +... which can be seen when building with CC=clang using a binutils +version older than 2.36. + +We originally fixed that in commit: + + 45bd8951806eb5e8 ("arm64: Improve HAVE_DYNAMIC_FTRACE_WITH_REGS selection for clang") + +... by splitting the "select HAVE_DYNAMIC_FTRACE_WITH_ARGS" statement +into separete CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS and +GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS options which individually select +HAVE_DYNAMIC_FTRACE_WITH_ARGS. + +Subsequently we accidentally re-introduced the common "select +HAVE_DYNAMIC_FTRACE_WITH_ARGS" statement in commit: + + 26299b3f6ba26bfc ("ftrace: arm64: move from REGS to ARGS") + +... then we removed it again in commit: + + 68a63a412d18bd2e ("arm64: Fix build with CC=clang, CONFIG_FTRACE=y and CONFIG_STACK_TRACER=y") + +... then we accidentally re-introduced it again in commit: + + 2aa6ac03516d078c ("arm64: ftrace: Add direct call support") + +Fix this for the third time by keeping the unified select statement and +making this depend onf either GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS or +CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS. This is more consistent with +usual style and less likely to go wrong in future. + +Fixes: 2aa6ac03516d ("arm64: ftrace: Add direct call support") +Cc: # 6.4.x +Signed-off-by: Mark Rutland +Cc: Will Deacon +Link: https://lore.kernel.org/r/20240930120448.3352564-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Kconfig | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -196,7 +196,8 @@ config ARM64 + select HAVE_DMA_CONTIGUOUS + select HAVE_DYNAMIC_FTRACE + select HAVE_DYNAMIC_FTRACE_WITH_ARGS \ +- if $(cc-option,-fpatchable-function-entry=2) ++ if (GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS || \ ++ CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS) + select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \ + if DYNAMIC_FTRACE_WITH_ARGS && DYNAMIC_FTRACE_WITH_CALL_OPS + select HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS \ +@@ -269,12 +270,10 @@ config CLANG_SUPPORTS_DYNAMIC_FTRACE_WIT + def_bool CC_IS_CLANG + # https://github.com/ClangBuiltLinux/linux/issues/1507 + depends on AS_IS_GNU || (AS_IS_LLVM && (LD_IS_LLD || LD_VERSION >= 23600)) +- select HAVE_DYNAMIC_FTRACE_WITH_ARGS + + config GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS + def_bool CC_IS_GCC + depends on $(cc-option,-fpatchable-function-entry=2) +- select HAVE_DYNAMIC_FTRACE_WITH_ARGS + + config 64BIT + def_bool y diff --git a/queue-6.11/arm64-subscribe-microsoft-azure-cobalt-100-to-erratum-3194386.patch b/queue-6.11/arm64-subscribe-microsoft-azure-cobalt-100-to-erratum-3194386.patch new file mode 100644 index 00000000000..df01a86bb08 --- /dev/null +++ b/queue-6.11/arm64-subscribe-microsoft-azure-cobalt-100-to-erratum-3194386.patch @@ -0,0 +1,44 @@ +From 3eddb108abe3de6723cc4b77e8558ce1b3047987 Mon Sep 17 00:00:00 2001 +From: Easwar Hariharan +Date: Thu, 3 Oct 2024 22:52:35 +0000 +Subject: arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 + +From: Easwar Hariharan + +commit 3eddb108abe3de6723cc4b77e8558ce1b3047987 upstream. + +Add the Microsoft Azure Cobalt 100 CPU to the list of CPUs suffering +from erratum 3194386 added in commit 75b3c43eab59 ("arm64: errata: +Expand speculative SSBS workaround") + +CC: Mark Rutland +CC: James More +CC: Will Deacon +CC: stable@vger.kernel.org # 6.6+ +Signed-off-by: Easwar Hariharan +Link: https://lore.kernel.org/r/20241003225239.321774-1-eahariha@linux.microsoft.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arch/arm64/silicon-errata.rst | 2 ++ + arch/arm64/kernel/cpu_errata.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/Documentation/arch/arm64/silicon-errata.rst ++++ b/Documentation/arch/arm64/silicon-errata.rst +@@ -289,3 +289,5 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Microsoft | Azure Cobalt 100| #3324339 | ARM64_ERRATUM_3194386 | +++----------------+-----------------+-----------------+-----------------------------+ +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -447,6 +447,7 @@ static const struct midr_range erratum_s + MIDR_ALL_VERSIONS(MIDR_CORTEX_X3), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X4), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), ++ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), diff --git a/queue-6.11/drm-xe-fix-uaf-around-queue-destruction.patch b/queue-6.11/drm-xe-fix-uaf-around-queue-destruction.patch new file mode 100644 index 00000000000..401be5f499b --- /dev/null +++ b/queue-6.11/drm-xe-fix-uaf-around-queue-destruction.patch @@ -0,0 +1,149 @@ +From 2d2be279f1ca9e7288282d4214f16eea8a727cdb Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Mon, 23 Sep 2024 15:56:48 +0100 +Subject: drm/xe: fix UAF around queue destruction + +From: Matthew Auld + +commit 2d2be279f1ca9e7288282d4214f16eea8a727cdb upstream. + +We currently do stuff like queuing the final destruction step on a +random system wq, which will outlive the driver instance. With bad +timing we can teardown the driver with one or more work workqueue still +being alive leading to various UAF splats. Add a fini step to ensure +user queues are properly torn down. At this point GuC should already be +nuked so queue itself should no longer be referenced from hw pov. + +v2 (Matt B) + - Looks much safer to use a waitqueue and then just wait for the + xa_array to become empty before triggering the drain. + +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2317 +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Signed-off-by: Matthew Auld +Cc: Matthew Brost +Cc: # v6.8+ +Reviewed-by: Matthew Brost +Link: https://patchwork.freedesktop.org/patch/msgid/20240923145647.77707-2-matthew.auld@intel.com +(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_device.c | 6 +++++- + drivers/gpu/drm/xe/xe_device_types.h | 3 +++ + drivers/gpu/drm/xe/xe_guc_submit.c | 26 +++++++++++++++++++++++++- + drivers/gpu/drm/xe/xe_guc_types.h | 2 ++ + 4 files changed, 35 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_device.c ++++ b/drivers/gpu/drm/xe/xe_device.c +@@ -285,6 +285,9 @@ static void xe_device_destroy(struct drm + if (xe->unordered_wq) + destroy_workqueue(xe->unordered_wq); + ++ if (xe->destroy_wq) ++ destroy_workqueue(xe->destroy_wq); ++ + ttm_device_fini(&xe->ttm); + } + +@@ -350,8 +353,9 @@ struct xe_device *xe_device_create(struc + xe->preempt_fence_wq = alloc_ordered_workqueue("xe-preempt-fence-wq", 0); + xe->ordered_wq = alloc_ordered_workqueue("xe-ordered-wq", 0); + xe->unordered_wq = alloc_workqueue("xe-unordered-wq", 0, 0); ++ xe->destroy_wq = alloc_workqueue("xe-destroy-wq", 0, 0); + if (!xe->ordered_wq || !xe->unordered_wq || +- !xe->preempt_fence_wq) { ++ !xe->preempt_fence_wq || !xe->destroy_wq) { + /* + * Cleanup done in xe_device_destroy via + * drmm_add_action_or_reset register above +--- a/drivers/gpu/drm/xe/xe_device_types.h ++++ b/drivers/gpu/drm/xe/xe_device_types.h +@@ -392,6 +392,9 @@ struct xe_device { + /** @unordered_wq: used to serialize unordered work, mostly display */ + struct workqueue_struct *unordered_wq; + ++ /** @destroy_wq: used to serialize user destroy work, like queue */ ++ struct workqueue_struct *destroy_wq; ++ + /** @tiles: device tiles */ + struct xe_tile tiles[XE_MAX_TILES_PER_DEVICE]; + +--- a/drivers/gpu/drm/xe/xe_guc_submit.c ++++ b/drivers/gpu/drm/xe/xe_guc_submit.c +@@ -276,10 +276,26 @@ static struct workqueue_struct *get_subm + } + #endif + ++static void xe_guc_submit_fini(struct xe_guc *guc) ++{ ++ struct xe_device *xe = guc_to_xe(guc); ++ struct xe_gt *gt = guc_to_gt(guc); ++ int ret; ++ ++ ret = wait_event_timeout(guc->submission_state.fini_wq, ++ xa_empty(&guc->submission_state.exec_queue_lookup), ++ HZ * 5); ++ ++ drain_workqueue(xe->destroy_wq); ++ ++ xe_gt_assert(gt, ret); ++} ++ + static void guc_submit_fini(struct drm_device *drm, void *arg) + { + struct xe_guc *guc = arg; + ++ xe_guc_submit_fini(guc); + xa_destroy(&guc->submission_state.exec_queue_lookup); + free_submit_wq(guc); + } +@@ -351,6 +367,8 @@ int xe_guc_submit_init(struct xe_guc *gu + + xa_init(&guc->submission_state.exec_queue_lookup); + ++ init_waitqueue_head(&guc->submission_state.fini_wq); ++ + primelockdep(guc); + + return drmm_add_action_or_reset(&xe->drm, guc_submit_fini, guc); +@@ -367,6 +385,9 @@ static void __release_guc_id(struct xe_g + + xe_guc_id_mgr_release_locked(&guc->submission_state.idm, + q->guc->id, q->width); ++ ++ if (xa_empty(&guc->submission_state.exec_queue_lookup)) ++ wake_up(&guc->submission_state.fini_wq); + } + + static int alloc_guc_id(struct xe_guc *guc, struct xe_exec_queue *q) +@@ -1267,13 +1288,16 @@ static void __guc_exec_queue_fini_async( + + static void guc_exec_queue_fini_async(struct xe_exec_queue *q) + { ++ struct xe_guc *guc = exec_queue_to_guc(q); ++ struct xe_device *xe = guc_to_xe(guc); ++ + INIT_WORK(&q->guc->fini_async, __guc_exec_queue_fini_async); + + /* We must block on kernel engines so slabs are empty on driver unload */ + if (q->flags & EXEC_QUEUE_FLAG_PERMANENT || exec_queue_wedged(q)) + __guc_exec_queue_fini_async(&q->guc->fini_async); + else +- queue_work(system_wq, &q->guc->fini_async); ++ queue_work(xe->destroy_wq, &q->guc->fini_async); + } + + static void __guc_exec_queue_fini(struct xe_guc *guc, struct xe_exec_queue *q) +--- a/drivers/gpu/drm/xe/xe_guc_types.h ++++ b/drivers/gpu/drm/xe/xe_guc_types.h +@@ -81,6 +81,8 @@ struct xe_guc { + #endif + /** @submission_state.enabled: submission is enabled */ + bool enabled; ++ /** @submission_state.fini_wq: submit fini wait queue */ ++ wait_queue_head_t fini_wq; + } submission_state; + /** @hwconfig: Hardware config state */ + struct { diff --git a/queue-6.11/drm-xe-oa-don-t-reset-oac_context_enable-on-oa-stream-close.patch b/queue-6.11/drm-xe-oa-don-t-reset-oac_context_enable-on-oa-stream-close.patch new file mode 100644 index 00000000000..ef7e879fb1e --- /dev/null +++ b/queue-6.11/drm-xe-oa-don-t-reset-oac_context_enable-on-oa-stream-close.patch @@ -0,0 +1,66 @@ +From 8135f1c09dd2eecee7cb637f7ec9a29e57300eb8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Roberto=20de=20Souza?= +Date: Tue, 24 Sep 2024 14:37:13 -0700 +Subject: drm/xe/oa: Don't reset OAC_CONTEXT_ENABLE on OA stream close +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Roberto de Souza + +commit 8135f1c09dd2eecee7cb637f7ec9a29e57300eb8 upstream. + +Mesa testing on Xe2+ revealed that when OA metrics are collected for an +exec_queue, after the OA stream is closed, future batch buffers submitted +on that exec_queue do not complete. Not resetting OAC_CONTEXT_ENABLE on OA +stream close resolves these hangs and should not have any adverse effects. + +v2: Make the change that we don't reset the bit clearer (Ashutosh) + Also make the same fix for OAC as OAR (Ashutosh) + +Bspec: 60314 +Fixes: 2f4a730fcd2d ("drm/xe/oa: Add OAR support") +Fixes: 14e077f8006d ("drm/xe/oa: Add OAC support") +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2821 +Signed-off-by: José Roberto de Souza +Signed-off-by: Ashutosh Dixit +Cc: stable@vger.kernel.org +Reviewed-by: Ashutosh Dixit +Link: https://patchwork.freedesktop.org/patch/msgid/20240924213713.3497992-1-ashutosh.dixit@intel.com +(cherry picked from commit 0c8650b09a365f4a31fca1d1d1e9d99c56071128) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_oa.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c +index eae38a49ee8e..2804f14f8f29 100644 +--- a/drivers/gpu/drm/xe/xe_oa.c ++++ b/drivers/gpu/drm/xe/xe_oa.c +@@ -709,8 +709,7 @@ static int xe_oa_configure_oar_context(struct xe_oa_stream *stream, bool enable) + { + RING_CONTEXT_CONTROL(stream->hwe->mmio_base), + regs_offset + CTX_CONTEXT_CONTROL, +- _MASKED_FIELD(CTX_CTRL_OAC_CONTEXT_ENABLE, +- enable ? CTX_CTRL_OAC_CONTEXT_ENABLE : 0) ++ _MASKED_BIT_ENABLE(CTX_CTRL_OAC_CONTEXT_ENABLE), + }, + }; + struct xe_oa_reg reg_lri = { OAR_OACONTROL, oacontrol }; +@@ -742,10 +741,8 @@ static int xe_oa_configure_oac_context(struct xe_oa_stream *stream, bool enable) + { + RING_CONTEXT_CONTROL(stream->hwe->mmio_base), + regs_offset + CTX_CONTEXT_CONTROL, +- _MASKED_FIELD(CTX_CTRL_OAC_CONTEXT_ENABLE, +- enable ? CTX_CTRL_OAC_CONTEXT_ENABLE : 0) | +- _MASKED_FIELD(CTX_CTRL_RUN_ALONE, +- enable ? CTX_CTRL_RUN_ALONE : 0), ++ _MASKED_BIT_ENABLE(CTX_CTRL_OAC_CONTEXT_ENABLE) | ++ _MASKED_FIELD(CTX_CTRL_RUN_ALONE, enable ? CTX_CTRL_RUN_ALONE : 0), + }, + }; + struct xe_oa_reg reg_lri = { OAC_OACONTROL, oacontrol }; +-- +2.46.2 + diff --git a/queue-6.11/exfat-fix-memory-leak-in-exfat_load_bitmap.patch b/queue-6.11/exfat-fix-memory-leak-in-exfat_load_bitmap.patch new file mode 100644 index 00000000000..90b3d75703d --- /dev/null +++ b/queue-6.11/exfat-fix-memory-leak-in-exfat_load_bitmap.patch @@ -0,0 +1,49 @@ +From d2b537b3e533f28e0d97293fe9293161fe8cd137 Mon Sep 17 00:00:00 2001 +From: Yuezhang Mo +Date: Tue, 3 Sep 2024 15:01:09 +0800 +Subject: exfat: fix memory leak in exfat_load_bitmap() + +From: Yuezhang Mo + +commit d2b537b3e533f28e0d97293fe9293161fe8cd137 upstream. + +If the first directory entry in the root directory is not a bitmap +directory entry, 'bh' will not be released and reassigned, which +will cause a memory leak. + +Fixes: 1e49a94cf707 ("exfat: add bitmap operations") +Cc: stable@vger.kernel.org +Signed-off-by: Yuezhang Mo +Reviewed-by: Aoyama Wataru +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/balloc.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/exfat/balloc.c ++++ b/fs/exfat/balloc.c +@@ -91,11 +91,8 @@ int exfat_load_bitmap(struct super_block + return -EIO; + + type = exfat_get_entry_type(ep); +- if (type == TYPE_UNUSED) +- break; +- if (type != TYPE_BITMAP) +- continue; +- if (ep->dentry.bitmap.flags == 0x0) { ++ if (type == TYPE_BITMAP && ++ ep->dentry.bitmap.flags == 0x0) { + int err; + + err = exfat_allocate_bitmap(sb, ep); +@@ -103,6 +100,9 @@ int exfat_load_bitmap(struct super_block + return err; + } + brelse(bh); ++ ++ if (type == TYPE_UNUSED) ++ return -EINVAL; + } + + if (exfat_get_next_cluster(sb, &clu.dir)) diff --git a/queue-6.11/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch b/queue-6.11/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch new file mode 100644 index 00000000000..d42665f07c6 --- /dev/null +++ b/queue-6.11/i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch @@ -0,0 +1,56 @@ +From 61850725779709369c7e907ae8c7c75dc7cec4f3 Mon Sep 17 00:00:00 2001 +From: Kaixin Wang +Date: Sun, 15 Sep 2024 00:39:33 +0800 +Subject: i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition + +From: Kaixin Wang + +commit 61850725779709369c7e907ae8c7c75dc7cec4f3 upstream. + +In the svc_i3c_master_probe function, &master->hj_work is bound with +svc_i3c_master_hj_work, &master->ibi_work is bound with +svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the +hj_work, svc_i3c_master_irq_handler can start the ibi_work. + +If we remove the module which will call svc_i3c_master_remove to +make cleanup, it will free master->base through i3c_master_unregister +while the work mentioned above will be used. The sequence of operations +that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | svc_i3c_master_hj_work +svc_i3c_master_remove | +i3c_master_unregister(&master->base)| +device_unregister(&master->dev) | +device_release | +//free master->base | + | i3c_master_do_daa(&master->base) + | //use master->base + +Fix it by ensuring that the work is canceled before proceeding with the +cleanup in svc_i3c_master_remove. + +Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void") +Cc: stable@vger.kernel.org +Signed-off-by: Kaixin Wang +Reviewed-by: Miquel Raynal +Reviewed-by: Frank Li +Link: https://lore.kernel.org/stable/20240914154030.180-1-kxwang23%40m.fudan.edu.cn +Link: https://lore.kernel.org/r/20240914163932.253-1-kxwang23@m.fudan.edu.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i3c/master/svc-i3c-master.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -1775,6 +1775,7 @@ static void svc_i3c_master_remove(struct + { + struct svc_i3c_master *master = platform_get_drvdata(pdev); + ++ cancel_work_sync(&master->hj_work); + i3c_master_unregister(&master->base); + + pm_runtime_dont_use_autosuspend(&pdev->dev); diff --git a/queue-6.11/nfsd-fix-delegation_blocked-to-block-correctly-for-at-least-30-seconds.patch b/queue-6.11/nfsd-fix-delegation_blocked-to-block-correctly-for-at-least-30-seconds.patch new file mode 100644 index 00000000000..14ac6be1ed6 --- /dev/null +++ b/queue-6.11/nfsd-fix-delegation_blocked-to-block-correctly-for-at-least-30-seconds.patch @@ -0,0 +1,59 @@ +From 45bb63ed20e02ae146336412889fe5450316a84f Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 9 Sep 2024 15:06:36 +1000 +Subject: nfsd: fix delegation_blocked() to block correctly for at least 30 seconds + +From: NeilBrown + +commit 45bb63ed20e02ae146336412889fe5450316a84f upstream. + +The pair of bloom filtered used by delegation_blocked() was intended to +block delegations on given filehandles for between 30 and 60 seconds. A +new filehandle would be recorded in the "new" bit set. That would then +be switch to the "old" bit set between 0 and 30 seconds later, and it +would remain as the "old" bit set for 30 seconds. + +Unfortunately the code intended to clear the old bit set once it reached +30 seconds old, preparing it to be the next new bit set, instead cleared +the *new* bit set before switching it to be the old bit set. This means +that the "old" bit set is always empty and delegations are blocked +between 0 and 30 seconds. + +This patch updates bd->new before clearing the set with that index, +instead of afterwards. + +Reported-by: Olga Kornievskaia +Cc: stable@vger.kernel.org +Fixes: 6282cd565553 ("NFSD: Don't hand out delegations for 30 seconds after recalling them.") +Signed-off-by: NeilBrown +Reviewed-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1077,7 +1077,8 @@ static void nfs4_free_deleg(struct nfs4_ + * When a delegation is recalled, the filehandle is stored in the "new" + * filter. + * Every 30 seconds we swap the filters and clear the "new" one, +- * unless both are empty of course. ++ * unless both are empty of course. This results in delegations for a ++ * given filehandle being blocked for between 30 and 60 seconds. + * + * Each filter is 256 bits. We hash the filehandle to 32bit and use the + * low 3 bytes as hash-table indices. +@@ -1106,9 +1107,9 @@ static int delegation_blocked(struct knf + if (ktime_get_seconds() - bd->swap_time > 30) { + bd->entries -= bd->old_entries; + bd->old_entries = bd->entries; ++ bd->new = 1-bd->new; + memset(bd->set[bd->new], 0, + sizeof(bd->set[0])); +- bd->new = 1-bd->new; + bd->swap_time = ktime_get_seconds(); + } + spin_unlock(&blocked_delegations_lock); diff --git a/queue-6.11/nfsd-fix-nfsv4-s-putpubfh-operation.patch b/queue-6.11/nfsd-fix-nfsv4-s-putpubfh-operation.patch new file mode 100644 index 00000000000..347919e550a --- /dev/null +++ b/queue-6.11/nfsd-fix-nfsv4-s-putpubfh-operation.patch @@ -0,0 +1,55 @@ +From 202f39039a11402dcbcd5fece8d9fa6be83f49ae Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sun, 11 Aug 2024 13:11:07 -0400 +Subject: NFSD: Fix NFSv4's PUTPUBFH operation + +From: Chuck Lever + +commit 202f39039a11402dcbcd5fece8d9fa6be83f49ae upstream. + +According to RFC 8881, all minor versions of NFSv4 support PUTPUBFH. + +Replace the XDR decoder for PUTPUBFH with a "noop" since we no +longer want the minorversion check, and PUTPUBFH has no arguments to +decode. (Ideally nfsd4_decode_noop should really be called +nfsd4_decode_void). + +PUTPUBFH should now behave just like PUTROOTFH. + +Reported-by: Cedric Blancher +Fixes: e1a90ebd8b23 ("NFSD: Combine decode operations for v4 and v4.1") +Cc: Dan Shelton +Cc: Roland Mainz +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -1246,14 +1246,6 @@ nfsd4_decode_putfh(struct nfsd4_compound + } + + static __be32 +-nfsd4_decode_putpubfh(struct nfsd4_compoundargs *argp, union nfsd4_op_u *p) +-{ +- if (argp->minorversion == 0) +- return nfs_ok; +- return nfserr_notsupp; +-} +- +-static __be32 + nfsd4_decode_read(struct nfsd4_compoundargs *argp, union nfsd4_op_u *u) + { + struct nfsd4_read *read = &u->read; +@@ -2374,7 +2366,7 @@ static const nfsd4_dec nfsd4_dec_ops[] = + [OP_OPEN_CONFIRM] = nfsd4_decode_open_confirm, + [OP_OPEN_DOWNGRADE] = nfsd4_decode_open_downgrade, + [OP_PUTFH] = nfsd4_decode_putfh, +- [OP_PUTPUBFH] = nfsd4_decode_putpubfh, ++ [OP_PUTPUBFH] = nfsd4_decode_noop, + [OP_PUTROOTFH] = nfsd4_decode_noop, + [OP_READ] = nfsd4_decode_read, + [OP_READDIR] = nfsd4_decode_readdir, diff --git a/queue-6.11/nfsd-map-the-ebadmsg-to-nfserr_io-to-avoid-warning.patch b/queue-6.11/nfsd-map-the-ebadmsg-to-nfserr_io-to-avoid-warning.patch new file mode 100644 index 00000000000..cc6a9f19575 --- /dev/null +++ b/queue-6.11/nfsd-map-the-ebadmsg-to-nfserr_io-to-avoid-warning.patch @@ -0,0 +1,108 @@ +From 340e61e44c1d2a15c42ec72ade9195ad525fd048 Mon Sep 17 00:00:00 2001 +From: Li Lingfeng +Date: Sat, 17 Aug 2024 14:27:13 +0800 +Subject: nfsd: map the EBADMSG to nfserr_io to avoid warning + +From: Li Lingfeng + +commit 340e61e44c1d2a15c42ec72ade9195ad525fd048 upstream. + +Ext4 will throw -EBADMSG through ext4_readdir when a checksum error +occurs, resulting in the following WARNING. + +Fix it by mapping EBADMSG to nfserr_io. + +nfsd_buffered_readdir + iterate_dir // -EBADMSG -74 + ext4_readdir // .iterate_shared + ext4_dx_readdir + ext4_htree_fill_tree + htree_dirblock_to_tree + ext4_read_dirblock + __ext4_read_dirblock + ext4_dirblock_csum_verify + warn_no_space_for_csum + __warn_no_space_for_csum + return ERR_PTR(-EFSBADCRC) // -EBADMSG -74 + nfserrno // WARNING + +[ 161.115610] ------------[ cut here ]------------ +[ 161.116465] nfsd: non-standard errno: -74 +[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0 +[ 161.118596] Modules linked in: +[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138 +[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe +mu.org 04/01/2014 +[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0 +[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6 + 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33 +[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286 +[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a +[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827 +[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021 +[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8 +[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000 +[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0 +[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 161.141519] PKRU: 55555554 +[ 161.142076] Call Trace: +[ 161.142575] ? __warn+0x9b/0x140 +[ 161.143229] ? nfserrno+0x9d/0xd0 +[ 161.143872] ? report_bug+0x125/0x150 +[ 161.144595] ? handle_bug+0x41/0x90 +[ 161.145284] ? exc_invalid_op+0x14/0x70 +[ 161.146009] ? asm_exc_invalid_op+0x12/0x20 +[ 161.146816] ? nfserrno+0x9d/0xd0 +[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0 +[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380 +[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0 +[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170 +[ 161.151004] ? generic_file_llseek_size+0x48/0x160 +[ 161.151895] nfsd_readdir+0x132/0x190 +[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380 +[ 161.153516] ? nfsd_unlink+0x380/0x380 +[ 161.154256] ? override_creds+0x45/0x60 +[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0 +[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210 +[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0 +[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0 +[ 161.158494] ? lock_downgrade+0x90/0x90 +[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10 +[ 161.160092] nfsd4_encode_operation+0x15a/0x440 +[ 161.160959] nfsd4_proc_compound+0x718/0xe90 +[ 161.161818] nfsd_dispatch+0x18e/0x2c0 +[ 161.162586] svc_process_common+0x786/0xc50 +[ 161.163403] ? nfsd_svc+0x380/0x380 +[ 161.164137] ? svc_printk+0x160/0x160 +[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380 +[ 161.165808] ? nfsd_svc+0x380/0x380 +[ 161.166523] ? rcu_is_watching+0x23/0x40 +[ 161.167309] svc_process+0x1a5/0x200 +[ 161.168019] nfsd+0x1f5/0x380 +[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260 +[ 161.169554] kthread+0x1c4/0x210 +[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80 +[ 161.171246] ret_from_fork+0x1f/0x30 + +Signed-off-by: Li Lingfeng +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/vfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -100,6 +100,7 @@ nfserrno (int errno) + { nfserr_io, -EUCLEAN }, + { nfserr_perm, -ENOKEY }, + { nfserr_no_grace, -ENOGRACE}, ++ { nfserr_io, -EBADMSG }, + }; + int i; + diff --git a/queue-6.11/perf-hist-update-hist-symbol-when-updating-maps.patch b/queue-6.11/perf-hist-update-hist-symbol-when-updating-maps.patch new file mode 100644 index 00000000000..9ca27f00dce --- /dev/null +++ b/queue-6.11/perf-hist-update-hist-symbol-when-updating-maps.patch @@ -0,0 +1,67 @@ +From ac01c8c4246546fd8340a232f3ada1921dc0ee48 Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Thu, 15 Aug 2024 15:22:12 +0100 +Subject: perf hist: Update hist symbol when updating maps + +From: Matt Fleming + +commit ac01c8c4246546fd8340a232f3ada1921dc0ee48 upstream. + +AddressSanitizer found a use-after-free bug in the symbol code which +manifested as 'perf top' segfaulting. + + ==1238389==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00c48844b at pc 0x5650d8035961 bp 0x7f751aaecc90 sp 0x7f751aaecc80 + READ of size 1 at 0x60b00c48844b thread T193 + #0 0x5650d8035960 in _sort__sym_cmp util/sort.c:310 + #1 0x5650d8043744 in hist_entry__cmp util/hist.c:1286 + #2 0x5650d8043951 in hists__findnew_entry util/hist.c:614 + #3 0x5650d804568f in __hists__add_entry util/hist.c:754 + #4 0x5650d8045bf9 in hists__add_entry util/hist.c:772 + #5 0x5650d8045df1 in iter_add_single_normal_entry util/hist.c:997 + #6 0x5650d8043326 in hist_entry_iter__add util/hist.c:1242 + #7 0x5650d7ceeefe in perf_event__process_sample /home/matt/src/linux/tools/perf/builtin-top.c:845 + #8 0x5650d7ceeefe in deliver_event /home/matt/src/linux/tools/perf/builtin-top.c:1208 + #9 0x5650d7fdb51b in do_flush util/ordered-events.c:245 + #10 0x5650d7fdb51b in __ordered_events__flush util/ordered-events.c:324 + #11 0x5650d7ced743 in process_thread /home/matt/src/linux/tools/perf/builtin-top.c:1120 + #12 0x7f757ef1f133 in start_thread nptl/pthread_create.c:442 + #13 0x7f757ef9f7db in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 + +When updating hist maps it's also necessary to update the hist symbol +reference because the old one gets freed in map__put(). + +While this bug was probably introduced with 5c24b67aae72f54c ("perf +tools: Replace map->referenced & maps->removed_maps with map->refcnt"), +the symbol objects were leaked until c087e9480cf33672 ("perf machine: +Fix refcount usage when processing PERF_RECORD_KSYMBOL") was merged so +the bug was masked. + +Fixes: c087e9480cf33672 ("perf machine: Fix refcount usage when processing PERF_RECORD_KSYMBOL") +Reported-by: Yunzhao Li +Signed-off-by: Matt Fleming (Cloudflare) +Cc: Ian Rogers +Cc: kernel-team@cloudflare.com +Cc: Namhyung Kim +Cc: Riccardo Mancini +Cc: stable@vger.kernel.org # v5.13+ +Link: https://lore.kernel.org/r/20240815142212.3834625-1-matt@readmodwrite.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/hist.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -637,6 +637,11 @@ static struct hist_entry *hists__findnew + * the history counter to increment. + */ + if (he->ms.map != entry->ms.map) { ++ if (he->ms.sym) { ++ u64 addr = he->ms.sym->start; ++ he->ms.sym = map__find_symbol(entry->ms.map, addr); ++ } ++ + map__put(he->ms.map); + he->ms.map = map__get(entry->ms.map); + } diff --git a/queue-6.11/perf-python-disable-wno-cast-function-type-mismatch-if-present-on-clang.patch b/queue-6.11/perf-python-disable-wno-cast-function-type-mismatch-if-present-on-clang.patch new file mode 100644 index 00000000000..140eeaab3ec --- /dev/null +++ b/queue-6.11/perf-python-disable-wno-cast-function-type-mismatch-if-present-on-clang.patch @@ -0,0 +1,40 @@ +From 00dc514612fe98cfa117193b9df28f15e7c9db9c Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 22 Aug 2024 14:13:49 -0300 +Subject: perf python: Disable -Wno-cast-function-type-mismatch if present on clang + +From: Arnaldo Carvalho de Melo + +commit 00dc514612fe98cfa117193b9df28f15e7c9db9c upstream. + +The -Wcast-function-type-mismatch option was introduced in clang 19 and +its enabled by default, since we use -Werror, and python bindings do +casts that are valid but trips this warning, disable it if present. + +Closes: https://lore.kernel.org/all/CA+icZUXoJ6BS3GMhJHV3aZWyb5Cz2haFneX0C5pUMUUhG-UVKQ@mail.gmail.com +Reported-by: Sedat Dilek +Tested-by: Sedat Dilek +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Namhyung Kim +Cc: Nathan Chancellor +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org # To allow building with the upcoming clang 19 +Link: https://lore.kernel.org/lkml/CA+icZUVtHn8X1Tb_Y__c-WswsO0K8U9uy3r2MzKXwTA5THtL7w@mail.gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/setup.py | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/util/setup.py ++++ b/tools/perf/util/setup.py +@@ -63,6 +63,8 @@ cflags = getenv('CFLAGS', '').split() + cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter', '-Wno-redundant-decls' ] + if cc_is_clang: + cflags += ["-Wno-unused-command-line-argument" ] ++ if clang_has_option("-Wno-cast-function-type-mismatch"): ++ cflags += ["-Wno-cast-function-type-mismatch" ] + else: + cflags += ['-Wno-cast-function-type' ] + diff --git a/queue-6.11/rdma-mana_ib-use-the-correct-page-size-for-mapping-user-mode-doorbell-page.patch b/queue-6.11/rdma-mana_ib-use-the-correct-page-size-for-mapping-user-mode-doorbell-page.patch new file mode 100644 index 00000000000..fcc6964f4c0 --- /dev/null +++ b/queue-6.11/rdma-mana_ib-use-the-correct-page-size-for-mapping-user-mode-doorbell-page.patch @@ -0,0 +1,41 @@ +From 4a3b99bc04e501b816db78f70064e26a01257910 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Fri, 30 Aug 2024 08:16:33 -0700 +Subject: RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page + +From: Long Li + +commit 4a3b99bc04e501b816db78f70064e26a01257910 upstream. + +When mapping doorbell page from user-mode, the driver should use the system +page size as this memory is allocated via mmap() from user-mode. + +Cc: stable@vger.kernel.org +Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") +Signed-off-by: Long Li +Link: https://patch.msgid.link/1725030993-16213-2-git-send-email-longli@linuxonhyperv.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mana/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/mana/main.c ++++ b/drivers/infiniband/hw/mana/main.c +@@ -511,13 +511,13 @@ int mana_ib_mmap(struct ib_ucontext *ibc + PAGE_SHIFT; + prot = pgprot_writecombine(vma->vm_page_prot); + +- ret = rdma_user_mmap_io(ibcontext, vma, pfn, gc->db_page_size, prot, ++ ret = rdma_user_mmap_io(ibcontext, vma, pfn, PAGE_SIZE, prot, + NULL); + if (ret) + ibdev_dbg(ibdev, "can't rdma_user_mmap_io ret %d\n", ret); + else +- ibdev_dbg(ibdev, "mapped I/O pfn 0x%llx page_size %u, ret %d\n", +- pfn, gc->db_page_size, ret); ++ ibdev_dbg(ibdev, "mapped I/O pfn 0x%llx page_size %lu, ret %d\n", ++ pfn, PAGE_SIZE, ret); + + return ret; + } diff --git a/queue-6.11/rdma-mana_ib-use-the-correct-page-table-index-based-on-hardware-page-size.patch b/queue-6.11/rdma-mana_ib-use-the-correct-page-table-index-based-on-hardware-page-size.patch new file mode 100644 index 00000000000..534d4fe28ae --- /dev/null +++ b/queue-6.11/rdma-mana_ib-use-the-correct-page-table-index-based-on-hardware-page-size.patch @@ -0,0 +1,33 @@ +From 9e517a8e9d9a303bf9bde35e5c5374795544c152 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Fri, 30 Aug 2024 08:16:32 -0700 +Subject: RDMA/mana_ib: use the correct page table index based on hardware page size + +From: Long Li + +commit 9e517a8e9d9a303bf9bde35e5c5374795544c152 upstream. + +MANA hardware uses 4k page size. When calculating the page table index, +it should use the hardware page size, not the system page size. + +Cc: stable@vger.kernel.org +Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") +Signed-off-by: Long Li +Link: https://patch.msgid.link/1725030993-16213-1-git-send-email-longli@linuxonhyperv.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mana/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mana/main.c ++++ b/drivers/infiniband/hw/mana/main.c +@@ -383,7 +383,7 @@ static int mana_ib_gd_create_dma_region( + + create_req->length = umem->length; + create_req->offset_in_page = ib_umem_dma_offset(umem, page_sz); +- create_req->gdma_page_type = order_base_2(page_sz) - PAGE_SHIFT; ++ create_req->gdma_page_type = order_base_2(page_sz) - MANA_PAGE_SHIFT; + create_req->page_count = num_pages_total; + + ibdev_dbg(&dev->ib_dev, "size_dma_region %lu num_pages_total %lu\n", diff --git a/queue-6.11/riscv-define-illegal_pointer_value-for-64bit.patch b/queue-6.11/riscv-define-illegal_pointer_value-for-64bit.patch new file mode 100644 index 00000000000..0a50d08c810 --- /dev/null +++ b/queue-6.11/riscv-define-illegal_pointer_value-for-64bit.patch @@ -0,0 +1,38 @@ +From 5c178472af247c7b50f962495bb7462ba453b9fb Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Sat, 6 Jul 2024 01:02:10 +0800 +Subject: riscv: define ILLEGAL_POINTER_VALUE for 64bit + +From: Jisheng Zhang + +commit 5c178472af247c7b50f962495bb7462ba453b9fb upstream. + +This is used in poison.h for poison pointer offset. Based on current +SV39, SV48 and SV57 vm layout, 0xdead000000000000 is a proper value +that is not mappable, this can avoid potentially turning an oops to +an expolit. + +Signed-off-by: Jisheng Zhang +Fixes: fbe934d69eb7 ("RISC-V: Build Infrastructure") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240705170210.3236-1-jszhang@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Kconfig | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -319,6 +319,11 @@ config GENERIC_HWEIGHT + config FIX_EARLYCON_MEM + def_bool MMU + ++config ILLEGAL_POINTER_VALUE ++ hex ++ default 0 if 32BIT ++ default 0xdead000000000000 if 64BIT ++ + config PGTABLE_LEVELS + int + default 5 if 64BIT diff --git a/queue-6.11/sched-core-add-clearing-of-dl_server-in-put_prev_task_balance.patch b/queue-6.11/sched-core-add-clearing-of-dl_server-in-put_prev_task_balance.patch new file mode 100644 index 00000000000..80d5832da7c --- /dev/null +++ b/queue-6.11/sched-core-add-clearing-of-dl_server-in-put_prev_task_balance.patch @@ -0,0 +1,57 @@ +From c245910049d04fbfa85bb2f5acd591c24e9907c7 Mon Sep 17 00:00:00 2001 +From: "Joel Fernandes (Google)" +Date: Mon, 27 May 2024 14:06:48 +0200 +Subject: sched/core: Add clearing of ->dl_server in put_prev_task_balance() + +From: Joel Fernandes (Google) + +commit c245910049d04fbfa85bb2f5acd591c24e9907c7 upstream. + +Paths using put_prev_task_balance() need to do a pick shortly +after. Make sure they also clear the ->dl_server on prev as a +part of that. + +Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers") +Signed-off-by: "Joel Fernandes (Google)" +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Juri Lelli +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/d184d554434bedbad0581cb34656582d78655150.1716811044.git.bristot@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5789,6 +5789,14 @@ static void put_prev_task_balance(struct + #endif + + put_prev_task(rq, prev); ++ ++ /* ++ * We've updated @prev and no longer need the server link, clear it. ++ * Must be done before ->pick_next_task() because that can (re)set ++ * ->dl_server. ++ */ ++ if (prev->dl_server) ++ prev->dl_server = NULL; + } + + /* +@@ -5832,14 +5840,6 @@ __pick_next_task(struct rq *rq, struct t + restart: + put_prev_task_balance(rq, prev, rf); + +- /* +- * We've updated @prev and no longer need the server link, clear it. +- * Must be done before ->pick_next_task() because that can (re)set +- * ->dl_server. +- */ +- if (prev->dl_server) +- prev->dl_server = NULL; +- + for_each_class(class) { + p = class->pick_next_task(rq); + if (p) diff --git a/queue-6.11/sched-core-clear-prev-dl_server-in-cfs-pick-fast-path.patch b/queue-6.11/sched-core-clear-prev-dl_server-in-cfs-pick-fast-path.patch new file mode 100644 index 00000000000..2318f6a142d --- /dev/null +++ b/queue-6.11/sched-core-clear-prev-dl_server-in-cfs-pick-fast-path.patch @@ -0,0 +1,40 @@ +From a741b82423f41501e301eb6f9820b45ca202e877 Mon Sep 17 00:00:00 2001 +From: Youssef Esmat +Date: Mon, 27 May 2024 14:06:49 +0200 +Subject: sched/core: Clear prev->dl_server in CFS pick fast path + +From: Youssef Esmat + +commit a741b82423f41501e301eb6f9820b45ca202e877 upstream. + +In case the previous pick was a DL server pick, ->dl_server might be +set. Clear it in the fast path as well. + +Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers") +Signed-off-by: Youssef Esmat +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Juri Lelli +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/7f7381ccba09efcb4a1c1ff808ed58385eccc222.1716811044.git.bristot@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5828,6 +5828,13 @@ __pick_next_task(struct rq *rq, struct t + } + + /* ++ * This is a normal CFS pick, but the previous could be a DL pick. ++ * Clear it as previous is no longer picked. ++ */ ++ if (prev->dl_server) ++ prev->dl_server = NULL; ++ ++ /* + * This is the fast path; it cannot be a DL server pick; + * therefore even if @p == @prev, ->dl_server must be NULL. + */ diff --git a/queue-6.11/sched-deadline-comment-sched_dl_entity-dl_server-variable.patch b/queue-6.11/sched-deadline-comment-sched_dl_entity-dl_server-variable.patch new file mode 100644 index 00000000000..b2d934bc2b8 --- /dev/null +++ b/queue-6.11/sched-deadline-comment-sched_dl_entity-dl_server-variable.patch @@ -0,0 +1,33 @@ +From f23c042ce34ba265cf3129d530702b5d218e3f4b Mon Sep 17 00:00:00 2001 +From: Daniel Bristot de Oliveira +Date: Mon, 27 May 2024 14:06:47 +0200 +Subject: sched/deadline: Comment sched_dl_entity::dl_server variable + +From: Daniel Bristot de Oliveira + +commit f23c042ce34ba265cf3129d530702b5d218e3f4b upstream. + +Add an explanation for the newly added variable. + +Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers") +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Juri Lelli +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/147f7aa8cb8fd925f36aa8059af6a35aad08b45a.1716811044.git.bristot@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -639,6 +639,8 @@ struct sched_dl_entity { + * + * @dl_overrun tells if the task asked to be informed about runtime + * overruns. ++ * ++ * @dl_server tells if this is a server entity. + */ + unsigned int dl_throttled : 1; + unsigned int dl_yielded : 1; diff --git a/queue-6.11/sched-psi-fix-bogus-pressure-spikes-from-aggregation-race.patch b/queue-6.11/sched-psi-fix-bogus-pressure-spikes-from-aggregation-race.patch new file mode 100644 index 00000000000..af94188de17 --- /dev/null +++ b/queue-6.11/sched-psi-fix-bogus-pressure-spikes-from-aggregation-race.patch @@ -0,0 +1,179 @@ +From 3840cbe24cf060ea05a585ca497814609f5d47d1 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Thu, 3 Oct 2024 07:29:05 -0400 +Subject: sched: psi: fix bogus pressure spikes from aggregation race + +From: Johannes Weiner + +commit 3840cbe24cf060ea05a585ca497814609f5d47d1 upstream. + +Brandon reports sporadic, non-sensical spikes in cumulative pressure +time (total=) when reading cpu.pressure at a high rate. This is due to +a race condition between reader aggregation and tasks changing states. + +While it affects all states and all resources captured by PSI, in +practice it most likely triggers with CPU pressure, since scheduling +events are so frequent compared to other resource events. + +The race context is the live snooping of ongoing stalls during a +pressure read. The read aggregates per-cpu records for stalls that +have concluded, but will also incorporate ad-hoc the duration of any +active state that hasn't been recorded yet. This is important to get +timely measurements of ongoing stalls. Those ad-hoc samples are +calculated on-the-fly up to the current time on that CPU; since the +stall hasn't concluded, it's expected that this is the minimum amount +of stall time that will enter the per-cpu records once it does. + +The problem is that the path that concludes the state uses a CPU clock +read that is not synchronized against aggregators; the clock is read +outside of the seqlock protection. This allows aggregators to race and +snoop a stall with a longer duration than will actually be recorded. + +With the recorded stall time being less than the last snapshot +remembered by the aggregator, a subsequent sample will underflow and +observe a bogus delta value, resulting in an erratic jump in pressure. + +Fix this by moving the clock read of the state change into the seqlock +protection. This ensures no aggregation can snoop live stalls past the +time that's recorded when the state concludes. + +Reported-by: Brandon Duffany +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219194 +Link: https://lore.kernel.org/lkml/20240827121851.GB438928@cmpxchg.org/ +Fixes: df77430639c9 ("psi: Reduce calls to sched_clock() in psi") +Cc: stable@vger.kernel.org +Signed-off-by: Johannes Weiner +Reviewed-by: Chengming Zhou +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/psi.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -769,12 +769,13 @@ static void record_times(struct psi_grou + } + + static void psi_group_change(struct psi_group *group, int cpu, +- unsigned int clear, unsigned int set, u64 now, ++ unsigned int clear, unsigned int set, + bool wake_clock) + { + struct psi_group_cpu *groupc; + unsigned int t, m; + u32 state_mask; ++ u64 now; + + lockdep_assert_rq_held(cpu_rq(cpu)); + groupc = per_cpu_ptr(group->pcpu, cpu); +@@ -789,6 +790,7 @@ static void psi_group_change(struct psi_ + * SOME and FULL time these may have resulted in. + */ + write_seqcount_begin(&groupc->seq); ++ now = cpu_clock(cpu); + + /* + * Start with TSK_ONCPU, which doesn't have a corresponding +@@ -899,18 +901,15 @@ void psi_task_change(struct task_struct + { + int cpu = task_cpu(task); + struct psi_group *group; +- u64 now; + + if (!task->pid) + return; + + psi_flags_change(task, clear, set); + +- now = cpu_clock(cpu); +- + group = task_psi_group(task); + do { +- psi_group_change(group, cpu, clear, set, now, true); ++ psi_group_change(group, cpu, clear, set, true); + } while ((group = group->parent)); + } + +@@ -919,7 +918,6 @@ void psi_task_switch(struct task_struct + { + struct psi_group *group, *common = NULL; + int cpu = task_cpu(prev); +- u64 now = cpu_clock(cpu); + + if (next->pid) { + psi_flags_change(next, 0, TSK_ONCPU); +@@ -936,7 +934,7 @@ void psi_task_switch(struct task_struct + break; + } + +- psi_group_change(group, cpu, 0, TSK_ONCPU, now, true); ++ psi_group_change(group, cpu, 0, TSK_ONCPU, true); + } while ((group = group->parent)); + } + +@@ -974,7 +972,7 @@ void psi_task_switch(struct task_struct + do { + if (group == common) + break; +- psi_group_change(group, cpu, clear, set, now, wake_clock); ++ psi_group_change(group, cpu, clear, set, wake_clock); + } while ((group = group->parent)); + + /* +@@ -986,7 +984,7 @@ void psi_task_switch(struct task_struct + if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) { + clear &= ~TSK_ONCPU; + for (; group; group = group->parent) +- psi_group_change(group, cpu, clear, set, now, wake_clock); ++ psi_group_change(group, cpu, clear, set, wake_clock); + } + } + } +@@ -997,8 +995,8 @@ void psi_account_irqtime(struct rq *rq, + int cpu = task_cpu(curr); + struct psi_group *group; + struct psi_group_cpu *groupc; +- u64 now, irq; + s64 delta; ++ u64 irq; + + if (static_branch_likely(&psi_disabled)) + return; +@@ -1011,7 +1009,6 @@ void psi_account_irqtime(struct rq *rq, + if (prev && task_psi_group(prev) == group) + return; + +- now = cpu_clock(cpu); + irq = irq_time_read(cpu); + delta = (s64)(irq - rq->psi_irq_time); + if (delta < 0) +@@ -1019,12 +1016,15 @@ void psi_account_irqtime(struct rq *rq, + rq->psi_irq_time = irq; + + do { ++ u64 now; ++ + if (!group->enabled) + continue; + + groupc = per_cpu_ptr(group->pcpu, cpu); + + write_seqcount_begin(&groupc->seq); ++ now = cpu_clock(cpu); + + record_times(groupc, now); + groupc->times[PSI_IRQ_FULL] += delta; +@@ -1223,11 +1223,9 @@ void psi_cgroup_restart(struct psi_group + for_each_possible_cpu(cpu) { + struct rq *rq = cpu_rq(cpu); + struct rq_flags rf; +- u64 now; + + rq_lock_irq(rq, &rf); +- now = cpu_clock(cpu); +- psi_group_change(group, cpu, 0, 0, now, true); ++ psi_group_change(group, cpu, 0, 0, true); + rq_unlock_irq(rq, &rf); + } + } diff --git a/queue-6.11/series b/queue-6.11/series index 4f94a5c2cc7..9624cd7c3f9 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -420,3 +420,22 @@ ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch scripts-gdb-fix-timerlist-parsing-issue.patch scripts-gdb-add-iteration-function-for-rbtree.patch scripts-gdb-fix-lx-mounts-command-error.patch +arm64-fix-selection-of-have_dynamic_ftrace_with_args.patch +arm64-subscribe-microsoft-azure-cobalt-100-to-erratum-3194386.patch +drm-xe-fix-uaf-around-queue-destruction.patch +drm-xe-oa-don-t-reset-oac_context_enable-on-oa-stream-close.patch +sched-deadline-comment-sched_dl_entity-dl_server-variable.patch +sched-core-add-clearing-of-dl_server-in-put_prev_task_balance.patch +sched-core-clear-prev-dl_server-in-cfs-pick-fast-path.patch +sched-psi-fix-bogus-pressure-spikes-from-aggregation-race.patch +riscv-define-illegal_pointer_value-for-64bit.patch +exfat-fix-memory-leak-in-exfat_load_bitmap.patch +perf-python-disable-wno-cast-function-type-mismatch-if-present-on-clang.patch +perf-hist-update-hist-symbol-when-updating-maps.patch +nfsd-fix-delegation_blocked-to-block-correctly-for-at-least-30-seconds.patch +nfsd-map-the-ebadmsg-to-nfserr_io-to-avoid-warning.patch +nfsd-fix-nfsv4-s-putpubfh-operation.patch +i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch +sysctl-avoid-spurious-permanent-empty-tables.patch +rdma-mana_ib-use-the-correct-page-table-index-based-on-hardware-page-size.patch +rdma-mana_ib-use-the-correct-page-size-for-mapping-user-mode-doorbell-page.patch diff --git a/queue-6.11/sysctl-avoid-spurious-permanent-empty-tables.patch b/queue-6.11/sysctl-avoid-spurious-permanent-empty-tables.patch new file mode 100644 index 00000000000..e4939cba861 --- /dev/null +++ b/queue-6.11/sysctl-avoid-spurious-permanent-empty-tables.patch @@ -0,0 +1,71 @@ +From 559d4c6a9d3b60f239493239070eb304edaea594 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Mon, 5 Aug 2024 11:39:35 +0200 +Subject: sysctl: avoid spurious permanent empty tables +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 559d4c6a9d3b60f239493239070eb304edaea594 upstream. + +The test if a table is a permanently empty one, inspects the address of +the registered ctl_table argument. +However as sysctl_mount_point is an empty array and does not occupy and +space it can end up sharing an address with another object in memory. +If that other object itself is a "struct ctl_table" then registering +that table will fail as it's incorrectly recognized as permanently empty. + +Avoid this issue by adding a dummy element to the array so that is not +empty anymore. +Explicitly register the table with zero elements as otherwise the dummy +element would be recognized as a sentinel element which would lead to a +runtime warning from the sysctl core. + +While the issue seems not being encountered at this time, this seems +mostly to be due to luck. +Also a future change, constifying sysctl_mount_point and root_table, can +reliably trigger this issue on clang 18. + +Given that empty arrays are non-standard in the first place it seems +prudent to avoid them if possible. + +Fixes: 4a7b29f65094 ("sysctl: move sysctl type to ctl_table_header") +Fixes: a35dd3a786f5 ("sysctl: drop now unnecessary out-of-bounds check") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Closes: https://lore.kernel.org/oe-lkp/202408051453.f638857e-lkp@intel.com +Signed-off-by: Joel Granados +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/proc_sysctl.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -29,8 +29,13 @@ static const struct inode_operations pro + static const struct file_operations proc_sys_dir_file_operations; + static const struct inode_operations proc_sys_dir_operations; + +-/* Support for permanently empty directories */ +-static struct ctl_table sysctl_mount_point[] = { }; ++/* ++ * Support for permanently empty directories. ++ * Must be non-empty to avoid sharing an address with other tables. ++ */ ++static struct ctl_table sysctl_mount_point[] = { ++ { } ++}; + + /** + * register_sysctl_mount_point() - registers a sysctl mount point +@@ -42,7 +47,7 @@ static struct ctl_table sysctl_mount_poi + */ + struct ctl_table_header *register_sysctl_mount_point(const char *path) + { +- return register_sysctl(path, sysctl_mount_point); ++ return register_sysctl_sz(path, sysctl_mount_point, 0); + } + EXPORT_SYMBOL(register_sysctl_mount_point); +