From: Sasha Levin
Date: Sat, 8 Mar 2025 14:08:45 +0000 (-0500)
Subject: Fixes for 5.10
X-Git-Tag: v6.6.82~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b72ec7c625411f8d2836813780a19f201eb5a47d;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.10

Signed-off-by: Sasha Levin
---

diff --git a/queue-5.10/acct-perform-last-write-from-workqueue.patch b/queue-5.10/acct-perform-last-write-from-workqueue.patch
new file mode 100644
index 0000000000..46fb32c16c
--- /dev/null
+++ b/queue-5.10/acct-perform-last-write-from-workqueue.patch
@@ -0,0 +1,253 @@ +From a48fbdaab7d4b9398d93f42b9d4e016eb6aad25a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 18:15:59 +0100 +Subject: acct: perform last write from workqueue + +From: Christian Brauner + +[ Upstream commit 56d5f3eba3f5de0efdd556de4ef381e109b973a9 ] + +In [1] it was reported that the acct(2) system call can be used to +trigger NULL deref in cases where it is set to write to a file that +triggers an internal lookup. This can e.g., happen when pointing acc(2) +to /sys/power/resume. At the point the where the write to this file +happens the calling task has already exited and called exit_fs(). A +lookup will thus trigger a NULL-deref when accessing current->fs. + +Reorganize the code so that the the final write happens from the +workqueue but with the caller's credentials. This preserves the +(strange) permission model and has almost no regression risk. + +This api should stop to exist though. + +Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1] +Link: https://lore.kernel.org/r/20250211-work-acct-v1-1-1c16aecab8b3@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Zicheng Qu +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + kernel/acct.c | 120 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 70 insertions(+), 50 deletions(-) + +diff --git a/kernel/acct.c b/kernel/acct.c +index 2b2224b7ae55a..c0c79bdb92195 100644 +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -85,48 +85,50 @@ struct bsd_acct_struct { + atomic_long_t count; + struct rcu_head rcu; + struct mutex lock; +- int active; ++ bool active; ++ bool check_space; + unsigned long needcheck; + struct file *file; + struct pid_namespace *ns; + struct work_struct work; + struct completion done; ++ acct_t ac; + }; + +-static void do_acct_process(struct bsd_acct_struct *acct); ++static void fill_ac(struct bsd_acct_struct *acct); ++static void acct_write_process(struct 
bsd_acct_struct *acct); + + /* + * Check the amount of free space and suspend/resume accordingly. + */ +-static int check_free_space(struct bsd_acct_struct *acct) ++static bool check_free_space(struct bsd_acct_struct *acct) + { + struct kstatfs sbuf; + +- if (time_is_after_jiffies(acct->needcheck)) +- goto out; ++ if (!acct->check_space) ++ return acct->active; + + /* May block */ + if (vfs_statfs(&acct->file->f_path, &sbuf)) +- goto out; ++ return acct->active; + + if (acct->active) { + u64 suspend = sbuf.f_blocks * SUSPEND; + do_div(suspend, 100); + if (sbuf.f_bavail <= suspend) { +- acct->active = 0; ++ acct->active = false; + pr_info("Process accounting paused\n"); + } + } else { + u64 resume = sbuf.f_blocks * RESUME; + do_div(resume, 100); + if (sbuf.f_bavail >= resume) { +- acct->active = 1; ++ acct->active = true; + pr_info("Process accounting resumed\n"); + } + } + + acct->needcheck = jiffies + ACCT_TIMEOUT*HZ; +-out: + return acct->active; + } + +@@ -171,7 +173,11 @@ static void acct_pin_kill(struct fs_pin *pin) + { + struct bsd_acct_struct *acct = to_acct(pin); + mutex_lock(&acct->lock); +- do_acct_process(acct); ++ /* ++ * Fill the accounting struct with the exiting task's info ++ * before punting to the workqueue. ++ */ ++ fill_ac(acct); + schedule_work(&acct->work); + wait_for_completion(&acct->done); + cmpxchg(&acct->ns->bacct, pin, NULL); +@@ -184,6 +190,9 @@ static void close_work(struct work_struct *work) + { + struct bsd_acct_struct *acct = container_of(work, struct bsd_acct_struct, work); + struct file *file = acct->file; ++ ++ /* We were fired by acct_pin_kill() which holds acct->lock. */ ++ acct_write_process(acct); + if (file->f_op->flush) + file->f_op->flush(file, NULL); + __fput_sync(file); +@@ -426,13 +435,27 @@ static u32 encode_float(u64 value) + * do_exit() or when switching to a different output file. 
+ */ + +-static void fill_ac(acct_t *ac) ++static void fill_ac(struct bsd_acct_struct *acct) + { + struct pacct_struct *pacct = ¤t->signal->pacct; ++ struct file *file = acct->file; ++ acct_t *ac = &acct->ac; + u64 elapsed, run_time; + time64_t btime; + struct tty_struct *tty; + ++ lockdep_assert_held(&acct->lock); ++ ++ if (time_is_after_jiffies(acct->needcheck)) { ++ acct->check_space = false; ++ ++ /* Don't fill in @ac if nothing will be written. */ ++ if (!acct->active) ++ return; ++ } else { ++ acct->check_space = true; ++ } ++ + /* + * Fill the accounting struct with the needed info as recorded + * by the different kernel functions. +@@ -480,64 +503,61 @@ static void fill_ac(acct_t *ac) + ac->ac_majflt = encode_comp_t(pacct->ac_majflt); + ac->ac_exitcode = pacct->ac_exitcode; + spin_unlock_irq(¤t->sighand->siglock); +-} +-/* +- * do_acct_process does all actual work. Caller holds the reference to file. +- */ +-static void do_acct_process(struct bsd_acct_struct *acct) +-{ +- acct_t ac; +- unsigned long flim; +- const struct cred *orig_cred; +- struct file *file = acct->file; +- +- /* +- * Accounting records are not subject to resource limits. +- */ +- flim = rlimit(RLIMIT_FSIZE); +- current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; +- /* Perform file operations on behalf of whoever enabled accounting */ +- orig_cred = override_creds(file->f_cred); + +- /* +- * First check to see if there is enough free_space to continue +- * the process accounting system. 
+- */ +- if (!check_free_space(acct)) +- goto out; +- +- fill_ac(&ac); + /* we really need to bite the bullet and change layout */ +- ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid); +- ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid); ++ ac->ac_uid = from_kuid_munged(file->f_cred->user_ns, current_uid()); ++ ac->ac_gid = from_kgid_munged(file->f_cred->user_ns, current_gid()); + #if ACCT_VERSION == 1 || ACCT_VERSION == 2 + /* backward-compatible 16 bit fields */ +- ac.ac_uid16 = ac.ac_uid; +- ac.ac_gid16 = ac.ac_gid; ++ ac->ac_uid16 = ac->ac_uid; ++ ac->ac_gid16 = ac->ac_gid; + #elif ACCT_VERSION == 3 + { + struct pid_namespace *ns = acct->ns; + +- ac.ac_pid = task_tgid_nr_ns(current, ns); ++ ac->ac_pid = task_tgid_nr_ns(current, ns); + rcu_read_lock(); +- ac.ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), +- ns); ++ ac->ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), ns); + rcu_read_unlock(); + } + #endif ++} ++ ++static void acct_write_process(struct bsd_acct_struct *acct) ++{ ++ struct file *file = acct->file; ++ const struct cred *cred; ++ acct_t *ac = &acct->ac; ++ ++ /* Perform file operations on behalf of whoever enabled accounting */ ++ cred = override_creds(file->f_cred); ++ + /* +- * Get freeze protection. If the fs is frozen, just skip the write +- * as we could deadlock the system otherwise. ++ * First check to see if there is enough free_space to continue ++ * the process accounting system. Then get freeze protection. If ++ * the fs is frozen, just skip the write as we could deadlock ++ * the system otherwise. 
+ */ +- if (file_start_write_trylock(file)) { ++ if (check_free_space(acct) && file_start_write_trylock(file)) { + /* it's been opened O_APPEND, so position is irrelevant */ + loff_t pos = 0; +- __kernel_write(file, &ac, sizeof(acct_t), &pos); ++ __kernel_write(file, ac, sizeof(acct_t), &pos); + file_end_write(file); + } +-out: ++ ++ revert_creds(cred); ++} ++ ++static void do_acct_process(struct bsd_acct_struct *acct) ++{ ++ unsigned long flim; ++ ++ /* Accounting records are not subject to resource limits. */ ++ flim = rlimit(RLIMIT_FSIZE); ++ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; ++ fill_ac(acct); ++ acct_write_process(acct); + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; +- revert_creds(orig_cred); + } + + /** +-- +2.39.5 + diff --git a/queue-5.10/drm-amdgpu-check-extended-configuration-space-regist.patch b/queue-5.10/drm-amdgpu-check-extended-configuration-space-regist.patch new file mode 100644 index 0000000000..3b3dbab0f7 --- /dev/null +++ b/queue-5.10/drm-amdgpu-check-extended-configuration-space-regist.patch 
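Review bot: `close_work()` now calls `acct_write_process()` without the `RLIMIT_FSIZE` lift that `do_acct_process()` still applies around the same call, and nothing in the new code says why the workqueue path can do without it. If the reasoning is that the write runs in kworker context, where the exiting task's limit is not the one in effect, that belongs next to the existing comment in `close_work()`, for example `/* kworker context: the exiting task's RLIMIT_FSIZE does not apply to this write */`. `acct_write_process()` also has no header comment; one stating that it writes `acct->ac` under `file->f_cred` and expects `fill_ac()` to have set `acct->check_space` first would make the credential switch and the call-order dependency explicit.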
@@ -0,0 +1,53 @@ +From 5aaf135ab21654c109496d7cbd10fe890d516562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Dec 2023 11:32:06 +0800 +Subject: drm/amdgpu: Check extended configuration space register when system + uses large bar +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Jun + +[ Upstream commit e372baeb3d336b20fd9463784c577fd8824497cd ] + +Some customer platforms do not enable mmconfig for various reasons, +such as bios bug, and therefore cannot access the GPU extend configuration +space through mmio. + +When the system enters the d3cold state and resumes, the amdgpu driver +fails to resume because the extend configuration space registers of +GPU can't be restored. At this point, Usually we only see some failure +dmesg log printed by amdgpu driver, it is difficult to find the root +cause. + +Therefor print a warnning message if the system can't access the +extended configuration space register when using large bar. 
+ +Signed-off-by: Ma Jun +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Stable-dep-of: 099bffc7cadf ("drm/amdgpu: disable BAR resize on Dell G5 SE") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 2f42471e578ad..edb1b1cf05f29 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1098,6 +1098,10 @@ int amdgpu_device_resize_fb_bar(struct amdgpu_device *adev) + if (amdgpu_sriov_vf(adev)) + return 0; + ++ /* PCI_EXT_CAP_ID_VNDR extended capability is located at 0x100 */ ++ if (!pci_find_ext_capability(adev->pdev, PCI_EXT_CAP_ID_VNDR)) ++ DRM_WARN("System can't access extended configuration space,please check!!\n"); ++ + /* skip if the bios has already enabled large BAR */ + if (adev->gmc.real_vram_size && + (pci_resource_len(adev->pdev, 0) >= adev->gmc.real_vram_size)) +-- +2.39.5 + diff --git a/queue-5.10/drm-amdgpu-disable-bar-resize-on-dell-g5-se.patch b/queue-5.10/drm-amdgpu-disable-bar-resize-on-dell-g5-se.patch new file mode 100644 index 0000000000..227024fb62 --- /dev/null +++ b/queue-5.10/drm-amdgpu-disable-bar-resize-on-dell-g5-se.patch 
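Review bot: The new warning in `amdgpu_device_resize_fb_bar()` treats a missing `PCI_EXT_CAP_ID_VNDR` capability as proof that extended configuration space is unreachable, and its text gives the reader nothing to act on. The commit message names the likely cause (mmconfig not enabled) and the consequence (resume from d3cold fails), so the message could carry both, e.g. `DRM_WARN("Cannot access PCIe extended configuration space (mmconfig disabled?); resume from D3cold may fail\n");`. The check is also evaluated before the "bios has already enabled large BAR" test, so it runs for every non-VF device rather than only when a resize is attempted; a short comment saying that is intended would help. The function body continues outside the hunk.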
@@ -0,0 +1,50 @@ +From 0eaae9b9940ce1a5f8a9afae7116f32edd6d3859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 10:55:05 -0500 +Subject: drm/amdgpu: disable BAR resize on Dell G5 SE + +From: Alex Deucher + +[ Upstream commit 099bffc7cadff40bfab1517c3461c53a7a38a0d7 ] + +There was a quirk added to add a workaround for a Sapphire +RX 5600 XT Pulse that didn't allow BAR resizing. However, +the quirk caused a regression with runtime pm on Dell laptops +using those chips, rather than narrowing the scope of the +resizing quirk, add a quirk to prevent amdgpu from resizing +the BAR on those Dell platforms unless runtime pm is disabled. + +v2: update commit message, add runpm check + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1707 +Fixes: 907830b0fc9e ("PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse") +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +(cherry picked from commit 5235053f443cef4210606e5fb71f99b915a9723d) +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index edb1b1cf05f29..40d2f0ed1c75f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1098,6 +1098,13 @@ int amdgpu_device_resize_fb_bar(struct amdgpu_device *adev) + if (amdgpu_sriov_vf(adev)) + return 0; + ++ /* resizing on Dell G5 SE platforms causes problems with runtime pm */ ++ if ((amdgpu_runtime_pm != 0) && ++ adev->pdev->vendor == PCI_VENDOR_ID_ATI && ++ adev->pdev->device == 0x731f && ++ adev->pdev->subsystem_vendor == PCI_VENDOR_ID_DELL) ++ return 0; ++ + /* PCI_EXT_CAP_ID_VNDR extended capability is located at 0x100 */ + if (!pci_find_ext_capability(adev->pdev, PCI_EXT_CAP_ID_VNDR)) + DRM_WARN("System can't access extended configuration space,please check!!\n"); +-- +2.39.5 + 
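Review bot: The quirk condition is wider than its comment: it matches any device `0x731f` with a Dell subsystem vendor and has no `subsystem_device` test, so every Dell platform carrying that device skips the BAR resize when runtime pm is not disabled, not only the G5 SE. If that breadth is intended, the comment should say so, e.g. `/* all Dell platforms with device 0x731f: resizing breaks runtime pm (seen on G5 SE) */`; otherwise the subsystem device id should be added to the test. The bare `0x731f` would also read better with a short comment naming the chip. The rest of `amdgpu_device_resize_fb_bar()` is outside the hunk.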
diff --git a/queue-5.10/drop_monitor-fix-incorrect-initialization-order.patch b/queue-5.10/drop_monitor-fix-incorrect-initialization-order.patch
new file mode 100644
index 0000000000..9c39411e09
--- /dev/null
+++ b/queue-5.10/drop_monitor-fix-incorrect-initialization-order.patch
@@ -0,0 +1,142 @@ +From bbfea133c5dbe4a9c1ca27e54ebcee93064e0bab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 15:20:55 +0000 +Subject: drop_monitor: fix incorrect initialization order + +From: Gavrilov Ilia + +[ Upstream commit 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea ] + +Syzkaller reports the following bug: + +BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 + lock: 0xffff88805303f3e0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x119/0x179 lib/dump_stack.c:118 + debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] + do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] + _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 + reset_per_cpu_data+0xe6/0x240 [drop_monitor] + net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] + genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 + genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 + netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 + genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 + sock_sendmsg_nosec net/socket.c:651 [inline] + __sock_sendmsg+0x157/0x190 net/socket.c:663 + ____sys_sendmsg+0x712/0x870 net/socket.c:2378 + ___sys_sendmsg+0xf8/0x170 net/socket.c:2432 + __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 + do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x62/0xc7 +RIP: 0033:0x7f3f9815aee9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 
f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 +RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 +RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768 + +If drop_monitor is built as a kernel module, syzkaller may have time +to send a netlink NET_DM_CMD_START message during the module loading. +This will call the net_dm_monitor_start() function that uses +a spinlock that has not yet been initialized. + +To fix this, let's place resource initialization above the registration +of a generic netlink family. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with Syzkaller. + +Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250213152054.2785669-1-Ilia.Gavrilov@infotecs.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/drop_monitor.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c +index 009b9e22c4e75..c8a3d6056365f 100644 +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -1727,30 +1727,30 @@ static int __init init_net_drop_monitor(void) + return -ENOSPC; + } + +- rc = genl_register_family(&net_drop_monitor_family); +- if (rc) { +- pr_err("Could not create drop monitor netlink family\n"); +- return rc; ++ for_each_possible_cpu(cpu) { ++ net_dm_cpu_data_init(cpu); ++ net_dm_hw_cpu_data_init(cpu); + } +- 
WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT); + + rc = register_netdevice_notifier(&dropmon_net_notifier); + if (rc < 0) { + pr_crit("Failed to register netdevice notifier\n"); ++ return rc; ++ } ++ ++ rc = genl_register_family(&net_drop_monitor_family); ++ if (rc) { ++ pr_err("Could not create drop monitor netlink family\n"); + goto out_unreg; + } ++ WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT); + + rc = 0; + +- for_each_possible_cpu(cpu) { +- net_dm_cpu_data_init(cpu); +- net_dm_hw_cpu_data_init(cpu); +- } +- + goto out; + + out_unreg: +- genl_unregister_family(&net_drop_monitor_family); ++ WARN_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); + out: + return rc; + } +@@ -1759,19 +1759,18 @@ static void exit_net_drop_monitor(void) + { + int cpu; + +- BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); +- + /* + * Because of the module_get/put we do in the trace state change path + * we are guarnateed not to have any current users when we get here + */ ++ BUG_ON(genl_unregister_family(&net_drop_monitor_family)); ++ ++ BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); + + for_each_possible_cpu(cpu) { + net_dm_hw_cpu_data_fini(cpu); + net_dm_cpu_data_fini(cpu); + } +- +- BUG_ON(genl_unregister_family(&net_drop_monitor_family)); + } + + module_init(init_net_drop_monitor); +-- +2.39.5 + diff --git a/queue-5.10/efi-don-t-map-the-entire-mokvar-table-to-determine-i.patch b/queue-5.10/efi-don-t-map-the-entire-mokvar-table-to-determine-i.patch new file mode 100644 index 0000000000..568814caf7 --- /dev/null +++ b/queue-5.10/efi-don-t-map-the-entire-mokvar-table-to-determine-i.patch 
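Review bot: In `init_net_drop_monitor()` the per-CPU data is now initialised first, but neither failure path that follows undoes it: a failed `register_netdevice_notifier()` returns directly and a failed `genl_register_family()` only unregisters the notifier, while `exit_net_drop_monitor()` calls `net_dm_hw_cpu_data_fini()` and `net_dm_cpu_data_fini()` for every CPU. Whether the init helpers acquire anything that needs releasing is not visible here; if they do not, a one-line comment such as `/* per-cpu init only sets up locks and queues, nothing to undo on failure */` would settle the question for the next reader. The tail `rc = 0; goto out; out_unreg: ... out:` could also lose the `out` label and return directly. The function starts before the hunk.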
@@ -0,0 +1,130 @@ +From 79d22a43e28ed120d290d1b6e3f9b9d4575cfabd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 15:18:39 -0500 +Subject: efi: Don't map the entire mokvar table to determine its size + +From: Peter Jones + +[ Upstream commit 2b90e7ace79774a3540ce569e000388f8d22c9e0 ] + +Currently, when validating the mokvar table, we (re)map the entire table +on each iteration of the loop, adding space as we discover new entries. +If the table grows over a certain size, this fails due to limitations of +early_memmap(), and we get a failure and traceback: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220 + ... + Call Trace: + + ? __early_ioremap+0xef/0x220 + ? __warn.cold+0x93/0xfa + ? __early_ioremap+0xef/0x220 + ? report_bug+0xff/0x140 + ? early_fixup_exception+0x5d/0xb0 + ? early_idt_handler_common+0x2f/0x3a + ? __early_ioremap+0xef/0x220 + ? efi_mokvar_table_init+0xce/0x1d0 + ? setup_arch+0x864/0xc10 + ? start_kernel+0x6b/0xa10 + ? x86_64_start_reservations+0x24/0x30 + ? x86_64_start_kernel+0xed/0xf0 + ? common_startup_64+0x13e/0x141 + + ---[ end trace 0000000000000000 ]--- + mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187. + +Mapping the entire structure isn't actually necessary, as we don't ever +need more than one entry header mapped at once. + +Changes efi_mokvar_table_init() to only map each entry header, not the +entire table, when determining the table size. Since we're not mapping +any data past the variable name, it also changes the code to enforce +that each variable name is NUL terminated, rather than attempting to +verify it in place. 
+ +Cc: +Signed-off-by: Peter Jones +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/mokvar-table.c | 41 +++++++++-------------------- + 1 file changed, 13 insertions(+), 28 deletions(-) + +diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c +index 38722d2009e20..3ac37f8cfd680 100644 +--- a/drivers/firmware/efi/mokvar-table.c ++++ b/drivers/firmware/efi/mokvar-table.c +@@ -103,7 +103,6 @@ void __init efi_mokvar_table_init(void) + void *va = NULL; + unsigned long cur_offset = 0; + unsigned long offset_limit; +- unsigned long map_size = 0; + unsigned long map_size_needed = 0; + unsigned long size; + struct efi_mokvar_table_entry *mokvar_entry; +@@ -134,48 +133,34 @@ void __init efi_mokvar_table_init(void) + */ + err = -EINVAL; + while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) { +- mokvar_entry = va + cur_offset; +- map_size_needed = cur_offset + sizeof(*mokvar_entry); +- if (map_size_needed > map_size) { +- if (va) +- early_memunmap(va, map_size); +- /* +- * Map a little more than the fixed size entry +- * header, anticipating some data. It's safe to +- * do so as long as we stay within current memory +- * descriptor. 
+- */ +- map_size = min(map_size_needed + 2*EFI_PAGE_SIZE, +- offset_limit); +- va = early_memremap(efi.mokvar_table, map_size); +- if (!va) { +- pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%lu.\n", +- efi.mokvar_table, map_size); +- return; +- } +- mokvar_entry = va + cur_offset; ++ if (va) ++ early_memunmap(va, sizeof(*mokvar_entry)); ++ va = early_memremap(efi.mokvar_table + cur_offset, sizeof(*mokvar_entry)); ++ if (!va) { ++ pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%zu.\n", ++ efi.mokvar_table + cur_offset, sizeof(*mokvar_entry)); ++ return; + } ++ mokvar_entry = va; + + /* Check for last sentinel entry */ + if (mokvar_entry->name[0] == '\0') { + if (mokvar_entry->data_size != 0) + break; + err = 0; ++ map_size_needed = cur_offset + sizeof(*mokvar_entry); + break; + } + +- /* Sanity check that the name is null terminated */ +- size = strnlen(mokvar_entry->name, +- sizeof(mokvar_entry->name)); +- if (size >= sizeof(mokvar_entry->name)) +- break; ++ /* Enforce that the name is NUL terminated */ ++ mokvar_entry->name[sizeof(mokvar_entry->name) - 1] = '\0'; + + /* Advance to the next entry */ +- cur_offset = map_size_needed + mokvar_entry->data_size; ++ cur_offset += sizeof(*mokvar_entry) + mokvar_entry->data_size; + } + + if (va) +- early_memunmap(va, map_size); ++ early_memunmap(va, sizeof(*mokvar_entry)); + if (err) { + pr_err("EFI MOKvar config table is not valid\n"); + return; +-- +2.39.5 + diff --git a/queue-5.10/kernel-acct.c-use-dedicated-helper-to-access-rlimit-.patch b/queue-5.10/kernel-acct.c-use-dedicated-helper-to-access-rlimit-.patch new file mode 100644 index 0000000000..69251d79c1 --- /dev/null +++ b/queue-5.10/kernel-acct.c-use-dedicated-helper-to-access-rlimit-.patch 
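Review bot: The advance `cur_offset += sizeof(*mokvar_entry) + mokvar_entry->data_size;` adds a size read from the table without bounding it, so a large `data_size` can wrap `cur_offset` and let the loop condition pass with an offset that no longer lies inside the table. The loop condition already guarantees `cur_offset + sizeof(*mokvar_entry) <= offset_limit`, so the bound can be tested without overflow just before the advance: `if (mokvar_entry->data_size > offset_limit - cur_offset - sizeof(*mokvar_entry)) break;`, which leaves `err` at `-EINVAL`. The removed code had the same unchecked addition, and this rewrite is a natural place to close it, since validating the table is what the loop is for. `efi_mokvar_table_init()` begins and ends outside the hunk.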
@@ -0,0 +1,43 @@ +From 986871fea96854f82eba8dbc8f487bc2b95eb040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 19:58:18 -0700 +Subject: kernel/acct.c: use dedicated helper to access rlimit values + +From: Yang Yang + +[ Upstream commit 3c91dda97eea704ac257ddb138d1154adab8db62 ] + +Use rlimit() helper instead of manually writing whole chain from +task to rlimit value. See patch "posix-cpu-timers: Use dedicated +helper to access rlimit values". + +Link: https://lkml.kernel.org/r/20210728030822.524789-1-yang.yang29@zte.com.cn +Signed-off-by: Yang Yang +Reported-by: Zeal Robot +Cc: Randy Dunlap +Cc: sh_def@163.com +Cc: Yang Yang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 56d5f3eba3f5 ("acct: perform last write from workqueue") +Signed-off-by: Sasha Levin +--- + kernel/acct.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/acct.c b/kernel/acct.c +index a7e29ca8f3591..2b2224b7ae55a 100644 +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -494,7 +494,7 @@ static void do_acct_process(struct bsd_acct_struct *acct) + /* + * Accounting records are not subject to resource limits. + */ +- flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur; ++ flim = rlimit(RLIMIT_FSIZE); + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; + /* Perform file operations on behalf of whoever enabled accounting */ + orig_cred = override_creds(file->f_cred); +-- +2.39.5 + diff --git a/queue-5.10/kernel-acct.c-use-elif-instead-of-end-and-elif.patch b/queue-5.10/kernel-acct.c-use-elif-instead-of-end-and-elif.patch new file mode 100644 index 0000000000..d47d20ce02 --- /dev/null +++ b/queue-5.10/kernel-acct.c-use-elif-instead-of-end-and-elif.patch 
@@ -0,0 +1,50 @@ +From df44eece33bc37c7982836a4fedae80829f98d80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Dec 2020 20:42:52 -0800 +Subject: kernel/acct.c: use #elif instead of #end and #elif + +From: Hui Su + +[ Upstream commit 35189b8ff18ee0c6f7c04f4c674584d1149d5c55 ] + +Cleanup: use #elif instead of #end and #elif. + +Link: https://lkml.kernel.org/r/20201015150736.GA91603@rlk +Signed-off-by: Hui Su +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 56d5f3eba3f5 ("acct: perform last write from workqueue") +Signed-off-by: Sasha Levin +--- + kernel/acct.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/kernel/acct.c b/kernel/acct.c +index 6552eb22dd1e4..a7e29ca8f3591 100644 +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -397,9 +397,7 @@ static comp2_t encode_comp2_t(u64 value) + return (value & (MAXFRACT2>>1)) | (exp << (MANTSIZE2-1)); + } + } +-#endif +- +-#if ACCT_VERSION == 3 ++#elif ACCT_VERSION == 3 + /* + * encode an u64 into a 32 bit IEEE float + */ +@@ -516,8 +514,7 @@ static void do_acct_process(struct bsd_acct_struct *acct) + /* backward-compatible 16 bit fields */ + ac.ac_uid16 = ac.ac_uid; + ac.ac_gid16 = ac.ac_gid; +-#endif +-#if ACCT_VERSION == 3 ++#elif ACCT_VERSION == 3 + { + struct pid_namespace *ns = acct->ns; + +-- +2.39.5 + diff --git a/queue-5.10/revert-riscv-set-more-data-to-cacheinfo.patch b/queue-5.10/revert-riscv-set-more-data-to-cacheinfo.patch new file mode 100644 index 0000000000..90afc7a8ed --- /dev/null +++ b/queue-5.10/revert-riscv-set-more-data-to-cacheinfo.patch 
@@ -0,0 +1,129 @@ +From bbd414673ff6cc7e821cf05ee44878b8650ea259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 14:47:34 +0800 +Subject: Revert "riscv: Set more data to cacheinfo" + +From: Song Shuai + +[ Upstream commit 6a24915145c922b79d3ac78f681137a4c14a6d6b ] + +This reverts commit baf7cbd94b5688f167443a2cc3dcea3300132099. + +There are some duplicate cache attributes populations executed +in both ci_leaf_init() and later cache_setup_properties(). + +Revert the commit baf7cbd94b56 ("riscv: Set more data to cacheinfo") +to setup only the level and type attributes at this early place. + +Signed-off-by: Song Shuai +Acked-by: Sudeep Holla +Acked-by: Conor Dooley +Link: https://lore.kernel.org/r/20230308064734.512457-1-suagrfillet@gmail.com +Signed-off-by: Palmer Dabbelt +Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties") +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cacheinfo.c | 66 ++++++++--------------------------- + 1 file changed, 15 insertions(+), 51 deletions(-) + +diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c +index 90deabfe63eaa..56141a65c7348 100644 +--- a/arch/riscv/kernel/cacheinfo.c ++++ b/arch/riscv/kernel/cacheinfo.c +@@ -64,53 +64,12 @@ uintptr_t get_cache_geometry(u32 level, enum cache_type type) + 0; + } + +-static void ci_leaf_init(struct cacheinfo *this_leaf, enum cache_type type, +- unsigned int level, unsigned int size, +- unsigned int sets, unsigned int line_size) ++static void ci_leaf_init(struct cacheinfo *this_leaf, ++ struct device_node *node, ++ enum cache_type type, unsigned int level) + { + this_leaf->level = level; + this_leaf->type = type; +- this_leaf->size = size; +- this_leaf->number_of_sets = sets; +- this_leaf->coherency_line_size = line_size; +- +- /* +- * If the cache is fully associative, there is no need to +- * check the other properties. 
+- */ +- if (sets == 1) +- return; +- +- /* +- * Set the ways number for n-ways associative, make sure +- * all properties are big than zero. +- */ +- if (sets > 0 && size > 0 && line_size > 0) +- this_leaf->ways_of_associativity = (size / sets) / line_size; +-} +- +-static void fill_cacheinfo(struct cacheinfo **this_leaf, +- struct device_node *node, unsigned int level) +-{ +- unsigned int size, sets, line_size; +- +- if (!of_property_read_u32(node, "cache-size", &size) && +- !of_property_read_u32(node, "cache-block-size", &line_size) && +- !of_property_read_u32(node, "cache-sets", &sets)) { +- ci_leaf_init((*this_leaf)++, CACHE_TYPE_UNIFIED, level, size, sets, line_size); +- } +- +- if (!of_property_read_u32(node, "i-cache-size", &size) && +- !of_property_read_u32(node, "i-cache-sets", &sets) && +- !of_property_read_u32(node, "i-cache-block-size", &line_size)) { +- ci_leaf_init((*this_leaf)++, CACHE_TYPE_INST, level, size, sets, line_size); +- } +- +- if (!of_property_read_u32(node, "d-cache-size", &size) && +- !of_property_read_u32(node, "d-cache-sets", &sets) && +- !of_property_read_u32(node, "d-cache-block-size", &line_size)) { +- ci_leaf_init((*this_leaf)++, CACHE_TYPE_DATA, level, size, sets, line_size); +- } + } + + int init_cache_level(unsigned int cpu) +@@ -163,24 +122,29 @@ int populate_cache_leaves(unsigned int cpu) + struct device_node *prev = NULL; + int levels = 1, level = 1; + +- /* Level 1 caches in cpu node */ +- fill_cacheinfo(&this_leaf, np, level); ++ if (of_property_read_bool(np, "cache-size")) ++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level); ++ if (of_property_read_bool(np, "i-cache-size")) ++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level); ++ if (of_property_read_bool(np, "d-cache-size")) ++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level); + +- /* Next level caches in cache nodes */ + prev = np; + while ((np = of_find_next_cache_node(np))) { + of_node_put(prev); + prev = np; +- + if (!of_device_is_compatible(np, 
"cache")) + break; + if (of_property_read_u32(np, "cache-level", &level)) + break; + if (level <= levels) + break; +- +- fill_cacheinfo(&this_leaf, np, level); +- ++ if (of_property_read_bool(np, "cache-size")) ++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level); ++ if (of_property_read_bool(np, "i-cache-size")) ++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level); ++ if (of_property_read_bool(np, "d-cache-size")) ++ ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level); + levels = level; + } + of_node_put(np); +-- +2.39.5 + diff --git a/queue-5.10/riscv-cacheinfo-initialize-cacheinfo-s-level-and-typ.patch b/queue-5.10/riscv-cacheinfo-initialize-cacheinfo-s-level-and-typ.patch new file mode 100644 index 0000000000..50c4cb5fd3 --- /dev/null +++ b/queue-5.10/riscv-cacheinfo-initialize-cacheinfo-s-level-and-typ.patch 
@@ -0,0 +1,74 @@ +From c7ffa1c4b7defeca1ed7aa50907abd22e263a484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 21:14:24 +0800 +Subject: riscv: cacheinfo: initialize cacheinfo's level and type from ACPI + PPTT + +From: Yunhui Cui + +[ Upstream commit 604f32ea6909b0ebb8ab0bf1ab7dc66ee3dc8955 ] + +Before cacheinfo can be built correctly, we need to initialize level +and type. Since RISC-V currently does not have a register group that +describes cache-related attributes like ARM64, we cannot obtain them +directly, so now we obtain cache leaves from the ACPI PPTT table +(acpi_get_cache_info()) and set the cache type through split_levels. + +Suggested-by: Jeremy Linton +Suggested-by: Sudeep Holla +Reviewed-by: Conor Dooley +Reviewed-by: Sunil V L +Reviewed-by: Jeremy Linton +Reviewed-by: Sudeep Holla +Signed-off-by: Yunhui Cui +Link: https://lore.kernel.org/r/20240617131425.7526-2-cuiyunhui@bytedance.com +Signed-off-by: Palmer Dabbelt +Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties") +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cacheinfo.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c +index 7c6dff3dac2d6..8290cced2e62e 100644 +--- a/arch/riscv/kernel/cacheinfo.c ++++ b/arch/riscv/kernel/cacheinfo.c +@@ -3,6 +3,7 @@ + * Copyright (C) 2017 SiFive + */ + ++#include + #include + #include + #include +@@ -121,6 +122,27 @@ int populate_cache_leaves(unsigned int cpu) + struct device_node *prev = NULL; + int levels = 1, level = 1; + ++ if (!acpi_disabled) { ++ int ret, fw_levels, split_levels; ++ ++ ret = acpi_get_cache_info(cpu, &fw_levels, &split_levels); ++ if (ret) ++ return ret; ++ ++ BUG_ON((split_levels > fw_levels) || ++ (split_levels + fw_levels > this_cpu_ci->num_leaves)); ++ ++ for (; level <= this_cpu_ci->num_levels; level++) { ++ if (level <= split_levels) { ++ ci_leaf_init(this_leaf++, 
CACHE_TYPE_DATA, level); ++ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); ++ } else { ++ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level); ++ } ++ } ++ return 0; ++ } ++ + if (of_property_read_bool(np, "cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level); + if (of_property_read_bool(np, "i-cache-size")) +-- +2.39.5 + diff --git a/queue-5.10/riscv-cacheinfo-remove-the-useless-input-parameter-n.patch b/queue-5.10/riscv-cacheinfo-remove-the-useless-input-parameter-n.patch new file mode 100644 index 0000000000..fdb02e6196 --- /dev/null +++ b/queue-5.10/riscv-cacheinfo-remove-the-useless-input-parameter-n.patch 
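Review bot: The `BUG_ON((split_levels > fw_levels) || (split_levels + fw_levels > this_cpu_ci->num_leaves))` added to populate_cache_leaves() crashes the kernel on values that acpi_get_cache_info() reports from the firmware's PPTT table, so an inconsistent table becomes a panic instead of a failed cacheinfo setup. Returning an error keeps the same bound on the `this_leaf++` writes without the crash: `if (WARN_ON(split_levels > fw_levels || split_levels + fw_levels > this_cpu_ci->num_leaves)) return -EINVAL;`. The loop that follows is bounded by `this_cpu_ci->num_levels` while the check uses `fw_levels`, so the writes are only guaranteed to stay inside `info_list` if the two agree; that presumably holds but is not shown here. populate_cache_leaves() starts and ends outside the hunk.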
@@ -0,0 +1,71 @@ +From 2948d79f6ffa783c397aa87f33c6f28de1eebd9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 21:14:23 +0800 +Subject: riscv: cacheinfo: remove the useless input parameter (node) of + ci_leaf_init() + +From: Yunhui Cui + +[ Upstream commit ee3fab10cb1566562aa683f319066eaeecccf918 ] + +ci_leaf_init() is a declared static function. The implementation of the +function body and the caller do not use the parameter (struct device_node +*node) input parameter, so remove it. + +Fixes: 6a24915145c9 ("Revert "riscv: Set more data to cacheinfo"") +Signed-off-by: Yunhui Cui +Reviewed-by: Jeremy Linton +Reviewed-by: Sudeep Holla +Link: https://lore.kernel.org/r/20240617131425.7526-1-cuiyunhui@bytedance.com +Signed-off-by: Palmer Dabbelt +Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties") +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cacheinfo.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c +index 56141a65c7348..7c6dff3dac2d6 100644 +--- a/arch/riscv/kernel/cacheinfo.c ++++ b/arch/riscv/kernel/cacheinfo.c +@@ -65,7 +65,6 @@ uintptr_t get_cache_geometry(u32 level, enum cache_type type) + } + + static void ci_leaf_init(struct cacheinfo *this_leaf, +- struct device_node *node, + enum cache_type type, unsigned int level) + { + this_leaf->level = level; +@@ -123,11 +122,11 @@ int populate_cache_leaves(unsigned int cpu) + int levels = 1, level = 1; + + if (of_property_read_bool(np, "cache-size")) +- ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level); ++ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level); + if (of_property_read_bool(np, "i-cache-size")) +- ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level); ++ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); + if (of_property_read_bool(np, "d-cache-size")) +- ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level); ++ 
ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); + + prev = np; + while ((np = of_find_next_cache_node(np))) { +@@ -140,11 +139,11 @@ int populate_cache_leaves(unsigned int cpu) + if (level <= levels) + break; + if (of_property_read_bool(np, "cache-size")) +- ci_leaf_init(this_leaf++, np, CACHE_TYPE_UNIFIED, level); ++ ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level); + if (of_property_read_bool(np, "i-cache-size")) +- ci_leaf_init(this_leaf++, np, CACHE_TYPE_INST, level); ++ ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); + if (of_property_read_bool(np, "d-cache-size")) +- ci_leaf_init(this_leaf++, np, CACHE_TYPE_DATA, level); ++ ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); + levels = level; + } + of_node_put(np); +-- +2.39.5 + diff --git a/queue-5.10/riscv-cacheinfo-use-of_property_present-for-non-bool.patch b/queue-5.10/riscv-cacheinfo-use-of_property_present-for-non-bool.patch new file mode 100644 index 0000000000..3645e42c6c --- /dev/null +++ b/queue-5.10/riscv-cacheinfo-use-of_property_present-for-non-bool.patch 
@@ -0,0 +1,65 @@ +From d91dfd65707ad051bc5666c3658859aa587c86d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2024 13:03:13 -0600 +Subject: riscv: cacheinfo: Use of_property_present() for non-boolean + properties +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rob Herring + +[ Upstream commit fb8179ce2996bffaa36a04e2b6262843b01b7565 ] + +The use of of_property_read_bool() for non-boolean properties is +deprecated in favor of of_property_present() when testing for property +presence. + +Signed-off-by: Rob Herring (Arm) +Reviewed-by: Clément Léger +Cc: stable@vger.kernel.org +Fixes: 76d2a0493a17 ("RISC-V: Init and Halt Code") +Link: https://lore.kernel.org/r/20241104190314.270095-1-robh@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cacheinfo.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c +index c196d1a0b8d98..f42c0886484a4 100644 +--- a/arch/riscv/kernel/cacheinfo.c ++++ b/arch/riscv/kernel/cacheinfo.c +@@ -146,11 +146,11 @@ int populate_cache_leaves(unsigned int cpu) + if (!np) + return -ENOENT; + +- if (of_property_read_bool(np, "cache-size")) ++ if (of_property_present(np, "cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level); +- if (of_property_read_bool(np, "i-cache-size")) ++ if (of_property_present(np, "i-cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); +- if (of_property_read_bool(np, "d-cache-size")) ++ if (of_property_present(np, "d-cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); + + prev = np; +@@ -163,11 +163,11 @@ int populate_cache_leaves(unsigned int cpu) + break; + if (level <= levels) + break; +- if (of_property_read_bool(np, "cache-size")) ++ if (of_property_present(np, "cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level); +- if (of_property_read_bool(np, 
"i-cache-size")) ++ if (of_property_present(np, "i-cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); +- if (of_property_read_bool(np, "d-cache-size")) ++ if (of_property_present(np, "d-cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); + levels = level; + } +-- +2.39.5 + diff --git a/queue-5.10/riscv-prevent-a-bad-reference-count-on-cpu-nodes.patch b/queue-5.10/riscv-prevent-a-bad-reference-count-on-cpu-nodes.patch new file mode 100644 index 0000000000..7d0cf4de04 --- /dev/null +++ b/queue-5.10/riscv-prevent-a-bad-reference-count-on-cpu-nodes.patch 
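Review bot: `of_property_present()` is called six times in the new populate_cache_leaves() code, but nothing in this queue update adds or shows the helper, and it is a newer addition to the OF API than `of_property_read_bool()`; if the 5.10 tree does not already provide it, arch/riscv/kernel/cacheinfo.c stops building. The same availability question applies to `acpi_get_cache_info()` and `acpi_disabled`, which the stable-dep patch riscv-cacheinfo-initialize-cacheinfo-s-level-and-typ.patch starts using. A riscv build of the 5.10 tree with the full series applied should be confirmed, or the missing helpers queued ahead of these entries in `series`.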
@@ -0,0 +1,67 @@ +From 6b369a3c46963b05c18e2ef44f3407561169d48c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 10:00:52 +0200 +Subject: riscv: Prevent a bad reference count on CPU nodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miquel Sabaté Solà + +[ Upstream commit 37233169a6ea912020c572f870075a63293b786a ] + +When populating cache leaves we previously fetched the CPU device node +at the very beginning. But when ACPI is enabled we go through a +specific branch which returns early and does not call 'of_node_put' for +the node that was acquired. + +Since we are not using a CPU device node for the ACPI code anyways, we +can simply move the initialization of it just passed the ACPI block, and +we are guaranteed to have an 'of_node_put' call for the acquired node. +This prevents a bad reference count of the CPU device node. + +Moreover, the previous function did not check for errors when acquiring +the device node, so a return -ENOENT has been added for that case. 
+ +Signed-off-by: Miquel Sabaté Solà +Reviewed-by: Sudeep Holla +Reviewed-by: Sunil V L +Reviewed-by: Alexandre Ghiti +Fixes: 604f32ea6909 ("riscv: cacheinfo: initialize cacheinfo's level and type from ACPI PPTT") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240913080053.36636-1-mikisabate@gmail.com +Signed-off-by: Palmer Dabbelt +Stable-dep-of: fb8179ce2996 ("riscv: cacheinfo: Use of_property_present() for non-boolean properties") +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cacheinfo.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/cacheinfo.c b/arch/riscv/kernel/cacheinfo.c +index 8290cced2e62e..c196d1a0b8d98 100644 +--- a/arch/riscv/kernel/cacheinfo.c ++++ b/arch/riscv/kernel/cacheinfo.c +@@ -118,8 +118,7 @@ int populate_cache_leaves(unsigned int cpu) + { + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); + struct cacheinfo *this_leaf = this_cpu_ci->info_list; +- struct device_node *np = of_cpu_device_node_get(cpu); +- struct device_node *prev = NULL; ++ struct device_node *np, *prev; + int levels = 1, level = 1; + + if (!acpi_disabled) { +@@ -143,6 +142,10 @@ int populate_cache_leaves(unsigned int cpu) + return 0; + } + ++ np = of_cpu_device_node_get(cpu); ++ if (!np) ++ return -ENOENT; ++ + if (of_property_read_bool(np, "cache-size")) + ci_leaf_init(this_leaf++, CACHE_TYPE_UNIFIED, level); + if (of_property_read_bool(np, "i-cache-size")) +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index bfef66b3f5..c1fd86d6e5 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -391,3 +391,16 @@ vmlinux.lds-ensure-that-const-vars-with-relocations-are-mapped-r-o.patch
 sched-core-prevent-rescheduling-when-interrupts-are-disabled.patch
 intel_idle-handle-older-cpus-which-stop-the-tsc-in-deeper-c-states-correctly.patch
 pfifo_tail_enqueue-drop-new-packet-when-sch-limit-0.patch
+drop_monitor-fix-incorrect-initialization-order.patch
+kernel-acct.c-use-elif-instead-of-end-and-elif.patch
+kernel-acct.c-use-dedicated-helper-to-access-rlimit-.patch
+acct-perform-last-write-from-workqueue.patch
+smb-client-add-check-for-next_buffer-in-receive_encr.patch
+drm-amdgpu-check-extended-configuration-space-regist.patch
+drm-amdgpu-disable-bar-resize-on-dell-g5-se.patch
+revert-riscv-set-more-data-to-cacheinfo.patch
+riscv-cacheinfo-remove-the-useless-input-parameter-n.patch
+riscv-cacheinfo-initialize-cacheinfo-s-level-and-typ.patch
+riscv-prevent-a-bad-reference-count-on-cpu-nodes.patch
+riscv-cacheinfo-use-of_property_present-for-non-bool.patch
+efi-don-t-map-the-entire-mokvar-table-to-determine-i.patch
diff --git a/queue-5.10/smb-client-add-check-for-next_buffer-in-receive_encr.patch b/queue-5.10/smb-client-add-check-for-next_buffer-in-receive_encr.patch
new file mode 100644
index 0000000000..1ae4d4947a
--- /dev/null
+++ b/queue-5.10/smb-client-add-check-for-next_buffer-in-receive_encr.patch
@@ -0,0 +1,40 @@ +From 26383cc9e4f27bebd1e9d0f597c6a009be1f31ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 15:20:38 +0800 +Subject: smb: client: Add check for next_buffer in + receive_encrypted_standard() + +From: Haoxiang Li + +[ Upstream commit 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 ] + +Add check for the return value of cifs_buf_get() and cifs_small_buf_get() +in receive_encrypted_standard() to prevent null pointer dereference. + +Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 68f93de2b1527..70a4d101b5428 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -4938,6 +4938,10 @@ receive_encrypted_standard(struct TCP_Server_Info *server, + next_buffer = (char *)cifs_buf_get(); + else + next_buffer = (char *)cifs_small_buf_get(); ++ if (!next_buffer) { ++ cifs_server_dbg(VFS, "No memory for (large) SMB response\n"); ++ return -1; ++ } + memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd); + } + +-- +2.39.5 +
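Review bot: The new failure path in receive_encrypted_standard() ends with `return -1`, which a caller that treats the result as an errno would read as -EPERM rather than an allocation failure; `return -ENOMEM;` states the cause. The early return also bypasses whatever cleanup the remainder of the function performs, and that code is outside the hunk, so it should be confirmed that nothing acquired earlier is left unreleased on this path. The `memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd)` that the check now guards still relies on `next_cmd` not exceeding `pdu_length`, which is presumably enforced above the hunk and worth verifying in the 5.10 backport.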