From: Sasha Levin Date: Thu, 14 Nov 2024 12:39:16 +0000 (-0500) Subject: Fixes for 6.11 X-Git-Tag: v4.19.324~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bc025d20c0d02467c52be379f4a59317c913acf9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.11 Signed-off-by: Sasha Levin --- diff --git a/queue-6.11/9p-avoid-creating-multiple-slab-caches-with-the-same.patch b/queue-6.11/9p-avoid-creating-multiple-slab-caches-with-the-same.patch new file mode 100644 index 00000000000..bba9a57154c --- /dev/null +++ b/queue-6.11/9p-avoid-creating-multiple-slab-caches-with-the-same.patch @@ -0,0 +1,62 @@ +From 50e036794eea58e49d8487c5bfef322908fd3d87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2024 10:47:25 +0100 +Subject: 9p: Avoid creating multiple slab caches with the same name + +From: Pedro Falcato + +[ Upstream commit 79efebae4afc2221fa814c3cae001bede66ab259 ] + +In the spirit of [1], avoid creating multiple slab caches with the same +name. Instead, add the dev_name into the mix. + +[1]: https://lore.kernel.org/all/20240807090746.2146479-1-pedro.falcato@gmail.com/ + +Signed-off-by: Pedro Falcato +Reported-by: syzbot+3c5d43e97993e1fa612b@syzkaller.appspotmail.com +Message-ID: <20240807094725.2193423-1-pedro.falcato@gmail.com> +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/client.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/9p/client.c b/net/9p/client.c +index 5cd94721d974f..9e7b9151816d6 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -979,6 +979,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + int err; + struct p9_client *clnt; + char *client_id; ++ char *cache_name; + + clnt = kmalloc(sizeof(*clnt), GFP_KERNEL); + if (!clnt) +@@ -1035,15 +1036,22 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + if (err) + goto close_trans; + ++ cache_name = kasprintf(GFP_KERNEL, "9p-fcall-cache-%s", dev_name); ++ if (!cache_name) { ++ err = -ENOMEM; ++ goto close_trans; ++ } ++ + /* P9_HDRSZ + 4 is the smallest packet header we can have that is + * followed by data accessed from userspace by read + */ + clnt->fcall_cache = +- kmem_cache_create_usercopy("9p-fcall-cache", clnt->msize, ++ kmem_cache_create_usercopy(cache_name, clnt->msize, + 0, 0, P9_HDRSZ + 4, + clnt->msize - (P9_HDRSZ + 4), + NULL); + ++ kfree(cache_name); + return clnt; + + close_trans: +-- +2.43.0 + diff --git a/queue-6.11/9p-v9fs_fid_find-also-lookup-by-inode-if-not-found-d.patch b/queue-6.11/9p-v9fs_fid_find-also-lookup-by-inode-if-not-found-d.patch new file mode 100644 index 00000000000..2bba00df9ac --- /dev/null +++ b/queue-6.11/9p-v9fs_fid_find-also-lookup-by-inode-if-not-found-d.patch @@ -0,0 +1,45 @@ +From 181681155e60b2dc1d5966baac4f010aacfd0069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 May 2024 20:31:38 +0900 +Subject: 9p: v9fs_fid_find: also lookup by inode if not found dentry + +From: Dominique Martinet + +[ Upstream commit 38d222b3163f7b7d737e5d999ffc890a12870e36 ] + +It's possible for v9fs_fid_find "find by dentry" branch to not turn up +anything despite having an entry set (because e.g. uid doesn't match), +in which case the calling code will generally make an extra lookup +to the server. + +In this case we might have had better luck looking by inode, so fall +back to look up by inode if we have one and the lookup by dentry failed. + +Message-Id: <20240523210024.1214386-1-asmadeus@codewreck.org> +Reviewed-by: Christian Schoenebeck +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + fs/9p/fid.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/9p/fid.c b/fs/9p/fid.c +index de009a33e0e26..f84412290a30c 100644 +--- a/fs/9p/fid.c ++++ b/fs/9p/fid.c +@@ -131,10 +131,9 @@ static struct p9_fid *v9fs_fid_find(struct dentry *dentry, kuid_t uid, int any) + } + } + spin_unlock(&dentry->d_lock); +- } else { +- if (dentry->d_inode) +- ret = v9fs_fid_find_inode(dentry->d_inode, false, uid, any); + } ++ if (!ret && dentry->d_inode) ++ ret = v9fs_fid_find_inode(dentry->d_inode, false, uid, any); + + return ret; + } +-- +2.43.0 + diff --git a/queue-6.11/alsa-hda-tas2781-add-new-quirk-for-lenovo-asus-dell-.patch b/queue-6.11/alsa-hda-tas2781-add-new-quirk-for-lenovo-asus-dell-.patch new file mode 100644 index 00000000000..014f975be93 --- /dev/null +++ b/queue-6.11/alsa-hda-tas2781-add-new-quirk-for-lenovo-asus-dell-.patch @@ -0,0 +1,121 @@ +From a880d2864b3ef7c8246b3c9dc7f927dc502416be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 15:40:40 +0800 +Subject: ALSA: hda/tas2781: Add new quirk for Lenovo, ASUS, Dell projects + +From: Baojun Xu + +[ Upstream commit 1e9c708dc3ae7226d5f9461540e3d583736af5f1 ] + +Add new vendor_id and subsystem_id in quirk for Lenovo, ASUS, +and Dell projects. + +Signed-off-by: Baojun Xu +Link: https://patch.msgid.link/20241011074040.524-1-baojun.xu@ti.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 660fd984a9285..d1d39f4cc9425 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10258,6 +10258,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x0c1e, "Dell Precision 3540", ALC236_FIXUP_DELL_DUAL_CODECS), + SND_PCI_QUIRK(0x1028, 0x0c28, "Dell Inspiron 16 Plus 7630", ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS), + SND_PCI_QUIRK(0x1028, 0x0c4d, "Dell", ALC287_FIXUP_CS35L41_I2C_4), ++ SND_PCI_QUIRK(0x1028, 0x0c94, "Dell Polaris 3 metal", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1028, 0x0c96, "Dell Polaris 2in1", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1028, 0x0cbd, "Dell Oasis 13 CS MTL-U", ALC289_FIXUP_DELL_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1028, 0x0cbe, "Dell Oasis 13 2-IN-1 MTL-U", ALC289_FIXUP_DELL_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1028, 0x0cbf, "Dell Oasis 13 Low Weight MTU-L", ALC289_FIXUP_DELL_CS35L41_SPI_2), +@@ -10572,11 +10574,15 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK), ++ SND_PCI_QUIRK(0x1043, 0x10a4, "ASUS TP3407SA", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x10d3, "ASUS K6500ZC", ALC294_FIXUP_ASUS_SPK), ++ SND_PCI_QUIRK(0x1043, 0x1154, "ASUS TP3607SH", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1043, 0x1204, "ASUS Strix G615JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x1214, "ASUS Strix G615LH_LM_LP", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1271, "ASUS X430UN", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1290, "ASUS X441SA", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE), +@@ -10656,6 +10662,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1e63, "ASUS H7606W", ALC285_FIXUP_CS35L56_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1e83, "ASUS GA605W", ALC285_FIXUP_CS35L56_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1e8e, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA401), ++ SND_PCI_QUIRK(0x1043, 0x1eb3, "ASUS Ally RCLA72", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x1ed3, "ASUS HN7306W", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1ee2, "ASUS UM6702RA/RC", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1c52, "ASUS Zephyrus G15 2022", ALC289_FIXUP_ASUS_GA401), +@@ -10670,6 +10677,13 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x3a40, "ASUS G814JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a50, "ASUS G834JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a60, "ASUS G634JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), ++ SND_PCI_QUIRK(0x1043, 0x3e30, "ASUS TP3607SA", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x3ee0, "ASUS Strix G815_JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x3ef0, "ASUS Strix G635LR_LW_LX", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x3f00, "ASUS Strix G815LH_LM_LP", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x3f10, "ASUS Strix G835LR_LW_LX", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x3f20, "ASUS Strix G615LR_LW", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x3f30, "ASUS Strix G815LR_LW", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x834a, "ASUS S101", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x8398, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC), +@@ -10891,11 +10905,14 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3878, "Lenovo Legion 7 Slim 16ARHA7", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x387d, "Yoga S780-16 pro Quad AAC", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x387e, "Yoga S780-16 pro Quad YC", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x387f, "Yoga S780-16 pro dual LX", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x3880, "Yoga S780-16 pro dual YC", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3881, "YB9 dual power mode2 YC", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3882, "Lenovo Yoga Pro 7 14APH8", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x3884, "Y780 YG DUAL", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3886, "Y780 VECO DUAL", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3891, "Lenovo Yoga Pro 7 14AHP9", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x38a5, "Y580P AMD dual", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38a7, "Y780P AMD YG dual", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38a8, "Y780P AMD VECO dual", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38a9, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), +@@ -10904,6 +10921,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38b5, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b6, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b7, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x17aa, 0x38b8, "Yoga S780-14.5 proX AMD YC Dual", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x38b9, "Yoga S780-14.5 proX AMD LX Dual", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38ba, "Yoga S780-14.5 Air AMD quad YC", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38bb, "Yoga S780-14.5 Air AMD quad AAC", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38be, "Yoga S980-14.5 proX YC Dual", ALC287_FIXUP_TAS2781_I2C), +@@ -10914,12 +10933,22 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38cb, "Y790 YG DUAL", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38cd, "Y790 VECO DUAL", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38d2, "Lenovo Yoga 9 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x38d3, "Yoga S990-16 Pro IMH YC Dual", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x38d4, "Yoga S990-16 Pro IMH VECO Dual", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x38d5, "Yoga S990-16 Pro IMH YC Quad", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x38d6, "Yoga S990-16 Pro IMH VECO Quad", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38d7, "Lenovo Yoga 9 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN), ++ SND_PCI_QUIRK(0x17aa, 0x38df, "Yoga Y990 Intel YC Dual", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x38e0, "Yoga Y990 Intel VECO Dual", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x38f8, "Yoga Book 9i", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38df, "Y990 YG DUAL", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x38f9, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38fa, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x17aa, 0x38fd, "ThinkBook plus Gen5 Hybrid", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3913, "Lenovo 145", ALC236_FIXUP_LENOVO_INV_DMIC), ++ SND_PCI_QUIRK(0x17aa, 0x391f, "Yoga S990-16 pro Quad YC Quad", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x17aa, 0x3920, "Yoga S990-16 pro Quad VECO Quad", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K), +-- +2.43.0 + diff --git a/queue-6.11/block-fix-elevator_get_default-checking-for-null-q-t.patch b/queue-6.11/block-fix-elevator_get_default-checking-for-null-q-t.patch new file mode 100644 index 00000000000..3c5dbd6cad0 --- /dev/null +++ b/queue-6.11/block-fix-elevator_get_default-checking-for-null-q-t.patch @@ -0,0 +1,50 @@ +From 059c4c782143897b09285dca0b57125d7eab7618 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 16:44:16 +0530 +Subject: block: Fix elevator_get_default() checking for NULL q->tag_set + +From: SurajSonawane2415 + +[ Upstream commit b402328a24ee7193a8ab84277c0c90ae16768126 ] + +elevator_get_default() and elv_support_iosched() both check for whether +or not q->tag_set is non-NULL, however it's not possible for them to be +NULL. This messes up some static checkers, as the checking of tag_set +isn't consistent. + +Remove the checks, which both simplifies the logic and avoids checker +errors. + +Signed-off-by: SurajSonawane2415 +Link: https://lore.kernel.org/r/20241007111416.13814-1-surajsonawane0215@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/elevator.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/elevator.c b/block/elevator.c +index 640fcc891b0d2..9430cde13d1a4 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -550,7 +550,7 @@ EXPORT_SYMBOL_GPL(elv_unregister); + static inline bool elv_support_iosched(struct request_queue *q) + { + if (!queue_is_mq(q) || +- (q->tag_set && (q->tag_set->flags & BLK_MQ_F_NO_SCHED))) ++ (q->tag_set->flags & BLK_MQ_F_NO_SCHED)) + return false; + return true; + } +@@ -561,7 +561,7 @@ static inline bool elv_support_iosched(struct request_queue *q) + */ + static struct elevator_type *elevator_get_default(struct request_queue *q) + { +- if (q->tag_set && q->tag_set->flags & BLK_MQ_F_NO_SCHED_BY_DEFAULT) ++ if (q->tag_set->flags & BLK_MQ_F_NO_SCHED_BY_DEFAULT) + return NULL; + + if (q->nr_hw_queues != 1 && +-- +2.43.0 + diff --git a/queue-6.11/bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch b/queue-6.11/bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch new file mode 100644 index 00000000000..8373eb16bca --- /dev/null +++ b/queue-6.11/bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch @@ -0,0 +1,52 @@ +From 081ca0792af5c0d249ac0018986b5563b9afd882 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 17:07:35 -0400 +Subject: bpf: use kvzmalloc to allocate BPF verifier environment + +From: Rik van Riel + +[ Upstream commit 434247637c66e1be2bc71a9987d4c3f0d8672387 ] + +The kzmalloc call in bpf_check can fail when memory is very fragmented, +which in turn can lead to an OOM kill. + +Use kvzmalloc to fall back to vmalloc when memory is too fragmented to +allocate an order 3 sized bpf verifier environment. + +Admittedly this is not a very common case, and only happens on systems +where memory has already been squeezed close to the limit, but this does +not seem like much of a hot path, and it's a simple enough fix. + +Signed-off-by: Rik van Riel +Reviewed-by: Shakeel Butt +Link: https://lore.kernel.org/r/20241008170735.16766766@imladris.surriel.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 626c5284ca5a8..a5a9b4e418a68 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -21718,7 +21718,7 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr, __u3 + /* 'struct bpf_verifier_env' can be global, but since it's not small, + * allocate/free it every time bpf_check() is called + */ +- env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); ++ env = kvzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); + if (!env) + return -ENOMEM; + +@@ -21944,6 +21944,6 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr, __u3 + mutex_unlock(&bpf_verifier_lock); + vfree(env->insn_aux_data); + err_free_env: +- kfree(env); ++ kvfree(env); + return ret; + } +-- +2.43.0 + diff --git a/queue-6.11/crypto-api-fix-liveliness-check-in-crypto_alg_tested.patch b/queue-6.11/crypto-api-fix-liveliness-check-in-crypto_alg_tested.patch new file mode 100644 index 00000000000..df4ac4b289b --- /dev/null +++ b/queue-6.11/crypto-api-fix-liveliness-check-in-crypto_alg_tested.patch @@ -0,0 +1,47 @@ +From d3945ee76658b5a99423dfab21a8ca4e56300dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2024 09:18:37 +0800 +Subject: crypto: api - Fix liveliness check in crypto_alg_tested + +From: Herbert Xu + +[ Upstream commit b81e286ba154a4e0f01a94d99179a97f4ba3e396 ] + +As algorithm testing is carried out without holding the main crypto +lock, it is always possible for the algorithm to go away during the +test. + +So before crypto_alg_tested updates the status of the tested alg, +it checks whether it's still on the list of all algorithms. This +is inaccurate because it may be off the main list but still on the +list of algorithms to be removed. + +Updating the algorithm status is safe per se as the larval still +holds a reference to it. However, killing spawns of other algorithms +that are of lower priority is clearly a deficiency as it adds +unnecessary churn. + +Fix the test by checking whether the algorithm is dead. + +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algapi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algapi.c b/crypto/algapi.c +index 122cd910c4e1c..192ea14d64ce6 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -396,7 +396,7 @@ void crypto_alg_tested(const char *name, int err) + q->cra_flags |= CRYPTO_ALG_DEAD; + alg = test->adult; + +- if (list_empty(&alg->cra_list)) ++ if (crypto_is_dead(alg)) + goto complete; + + if (err == -ECANCELED) +-- +2.43.0 + diff --git a/queue-6.11/crypto-marvell-cesa-disable-hash-algorithms.patch b/queue-6.11/crypto-marvell-cesa-disable-hash-algorithms.patch new file mode 100644 index 00000000000..754766b0f4c --- /dev/null +++ b/queue-6.11/crypto-marvell-cesa-disable-hash-algorithms.patch @@ -0,0 +1,81 @@ +From 6c7280b0afad9d1e2524b490c7e72345e16f5a3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 16:38:48 +0800 +Subject: crypto: marvell/cesa - Disable hash algorithms + +From: Herbert Xu + +[ Upstream commit e845d2399a00f866f287e0cefbd4fc7d8ef0d2f7 ] + +Disable cesa hash algorithms by lowering the priority because they +appear to be broken when invoked in parallel. This allows them to +still be tested for debugging purposes. + +Reported-by: Klaus Kudielka +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/hash.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c +index 8d84ad45571c7..f150861ceaf69 100644 +--- a/drivers/crypto/marvell/cesa/hash.c ++++ b/drivers/crypto/marvell/cesa/hash.c +@@ -947,7 +947,7 @@ struct ahash_alg mv_md5_alg = { + .base = { + .cra_name = "md5", + .cra_driver_name = "mv-md5", +- .cra_priority = 300, ++ .cra_priority = 0, + .cra_flags = CRYPTO_ALG_ASYNC | + CRYPTO_ALG_ALLOCATES_MEMORY | + CRYPTO_ALG_KERN_DRIVER_ONLY, +@@ -1018,7 +1018,7 @@ struct ahash_alg mv_sha1_alg = { + .base = { + .cra_name = "sha1", + .cra_driver_name = "mv-sha1", +- .cra_priority = 300, ++ .cra_priority = 0, + .cra_flags = CRYPTO_ALG_ASYNC | + CRYPTO_ALG_ALLOCATES_MEMORY | + CRYPTO_ALG_KERN_DRIVER_ONLY, +@@ -1092,7 +1092,7 @@ struct ahash_alg mv_sha256_alg = { + .base = { + .cra_name = "sha256", + .cra_driver_name = "mv-sha256", +- .cra_priority = 300, ++ .cra_priority = 0, + .cra_flags = CRYPTO_ALG_ASYNC | + CRYPTO_ALG_ALLOCATES_MEMORY | + CRYPTO_ALG_KERN_DRIVER_ONLY, +@@ -1302,7 +1302,7 @@ struct ahash_alg mv_ahmac_md5_alg = { + .base = { + .cra_name = "hmac(md5)", + .cra_driver_name = "mv-hmac-md5", +- .cra_priority = 300, ++ .cra_priority = 0, + .cra_flags = CRYPTO_ALG_ASYNC | + CRYPTO_ALG_ALLOCATES_MEMORY | + CRYPTO_ALG_KERN_DRIVER_ONLY, +@@ -1373,7 +1373,7 @@ struct ahash_alg mv_ahmac_sha1_alg = { + .base = { + .cra_name = "hmac(sha1)", + .cra_driver_name = "mv-hmac-sha1", +- .cra_priority = 300, ++ .cra_priority = 0, + .cra_flags = CRYPTO_ALG_ASYNC | + CRYPTO_ALG_ALLOCATES_MEMORY | + CRYPTO_ALG_KERN_DRIVER_ONLY, +@@ -1444,7 +1444,7 @@ struct ahash_alg mv_ahmac_sha256_alg = { + .base = { + .cra_name = "hmac(sha256)", + .cra_driver_name = "mv-hmac-sha256", +- .cra_priority = 300, ++ .cra_priority = 0, + .cra_flags = CRYPTO_ALG_ASYNC | + CRYPTO_ALG_ALLOCATES_MEMORY | + CRYPTO_ALG_KERN_DRIVER_ONLY, +-- +2.43.0 + diff --git a/queue-6.11/drm-amdkfd-accounting-pdd-vram_usage-for-svm.patch b/queue-6.11/drm-amdkfd-accounting-pdd-vram_usage-for-svm.patch new file mode 100644 index 00000000000..9a63b85093f --- /dev/null +++ b/queue-6.11/drm-amdkfd-accounting-pdd-vram_usage-for-svm.patch @@ -0,0 +1,149 @@ +From 33aead116b4046c2e46a9812c1f377624dbf773f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2024 16:28:07 -0400 +Subject: drm/amdkfd: Accounting pdd vram_usage for svm + +From: Philip Yang + +[ Upstream commit 68d26c10ef503175df3142db6fcd75dd94860592 ] + +Process device data pdd->vram_usage is read by rocm-smi via sysfs, this +is currently missing the svm_bo usage accounting, so "rocm-smi +--showpids" per process VRAM usage report is incorrect. + +Add pdd->vram_usage accounting when svm_bo allocation and release, +change to atomic64_t type because it is updated outside process mutex +now. + +Signed-off-by: Philip Yang +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +(cherry picked from commit 98c0b0efcc11f2a5ddf3ce33af1e48eedf808b04) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 6 +++--- + drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 2 +- + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 4 ++-- + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 26 ++++++++++++++++++++++++ + 4 files changed, 32 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +index 546b02f2241a6..5953bc5f31192 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -1170,7 +1170,7 @@ static int kfd_ioctl_alloc_memory_of_gpu(struct file *filep, + + if (flags & KFD_IOC_ALLOC_MEM_FLAGS_AQL_QUEUE_MEM) + size >>= 1; +- WRITE_ONCE(pdd->vram_usage, pdd->vram_usage + PAGE_ALIGN(size)); ++ atomic64_add(PAGE_ALIGN(size), &pdd->vram_usage); + } + + mutex_unlock(&p->mutex); +@@ -1241,7 +1241,7 @@ static int kfd_ioctl_free_memory_of_gpu(struct file *filep, + kfd_process_device_remove_obj_handle( + pdd, GET_IDR_HANDLE(args->handle)); + +- WRITE_ONCE(pdd->vram_usage, pdd->vram_usage - size); ++ atomic64_sub(size, &pdd->vram_usage); + + err_unlock: + err_pdd: +@@ -2346,7 +2346,7 @@ static int criu_restore_memory_of_gpu(struct kfd_process_device *pdd, + } else if (bo_bucket->alloc_flags & KFD_IOC_ALLOC_MEM_FLAGS_VRAM) { + bo_bucket->restored_offset = offset; + /* Update the VRAM usage count */ +- WRITE_ONCE(pdd->vram_usage, pdd->vram_usage + bo_bucket->size); ++ atomic64_add(bo_bucket->size, &pdd->vram_usage); + } + return 0; + } +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +index 2b3ec92981e8f..f35741fade911 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +@@ -766,7 +766,7 @@ struct kfd_process_device { + enum kfd_pdd_bound bound; + + /* VRAM usage */ +- uint64_t vram_usage; ++ atomic64_t vram_usage; + struct attribute attr_vram; + char vram_filename[MAX_SYSFS_FILENAME_LEN]; + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +index e44892109f71b..8343b3e4de7b5 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -306,7 +306,7 @@ static ssize_t kfd_procfs_show(struct kobject *kobj, struct attribute *attr, + } else if (strncmp(attr->name, "vram_", 5) == 0) { + struct kfd_process_device *pdd = container_of(attr, struct kfd_process_device, + attr_vram); +- return snprintf(buffer, PAGE_SIZE, "%llu\n", READ_ONCE(pdd->vram_usage)); ++ return snprintf(buffer, PAGE_SIZE, "%llu\n", atomic64_read(&pdd->vram_usage)); + } else if (strncmp(attr->name, "sdma_", 5) == 0) { + struct kfd_process_device *pdd = container_of(attr, struct kfd_process_device, + attr_sdma); +@@ -1599,7 +1599,7 @@ struct kfd_process_device *kfd_create_process_device_data(struct kfd_node *dev, + pdd->bound = PDD_UNBOUND; + pdd->already_dequeued = false; + pdd->runtime_inuse = false; +- pdd->vram_usage = 0; ++ atomic64_set(&pdd->vram_usage, 0); + pdd->sdma_past_activity_counter = 0; + pdd->user_gpu_id = dev->id; + atomic64_set(&pdd->evict_duration_counter, 0); +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +index bd9c2921e0dcc..7d00d89586a10 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +@@ -404,6 +404,27 @@ static void svm_range_bo_release(struct kref *kref) + spin_lock(&svm_bo->list_lock); + } + spin_unlock(&svm_bo->list_lock); ++ ++ if (mmget_not_zero(svm_bo->eviction_fence->mm)) { ++ struct kfd_process_device *pdd; ++ struct kfd_process *p; ++ struct mm_struct *mm; ++ ++ mm = svm_bo->eviction_fence->mm; ++ /* ++ * The forked child process takes svm_bo device pages ref, svm_bo could be ++ * released after parent process is gone. ++ */ ++ p = kfd_lookup_process_by_mm(mm); ++ if (p) { ++ pdd = kfd_get_process_device_data(svm_bo->node, p); ++ if (pdd) ++ atomic64_sub(amdgpu_bo_size(svm_bo->bo), &pdd->vram_usage); ++ kfd_unref_process(p); ++ } ++ mmput(mm); ++ } ++ + if (!dma_fence_is_signaled(&svm_bo->eviction_fence->base)) + /* We're not in the eviction worker. Signal the fence. */ + dma_fence_signal(&svm_bo->eviction_fence->base); +@@ -531,6 +552,7 @@ int + svm_range_vram_node_new(struct kfd_node *node, struct svm_range *prange, + bool clear) + { ++ struct kfd_process_device *pdd; + struct amdgpu_bo_param bp; + struct svm_range_bo *svm_bo; + struct amdgpu_bo_user *ubo; +@@ -622,6 +644,10 @@ svm_range_vram_node_new(struct kfd_node *node, struct svm_range *prange, + list_add(&prange->svm_bo_list, &svm_bo->range_list); + spin_unlock(&svm_bo->list_lock); + ++ pdd = svm_range_get_pdd_by_node(prange, node); ++ if (pdd) ++ atomic64_add(amdgpu_bo_size(bo), &pdd->vram_usage); ++ + return 0; + + reserve_bo_failed: +-- +2.43.0 + diff --git a/queue-6.11/drm-vmwgfx-limit-display-layout-ioctl-array-size-to-.patch b/queue-6.11/drm-vmwgfx-limit-display-layout-ioctl-array-size-to-.patch new file mode 100644 index 00000000000..ac757d58cb6 --- /dev/null +++ b/queue-6.11/drm-vmwgfx-limit-display-layout-ioctl-array-size-to-.patch @@ -0,0 +1,87 @@ +From 6b4d6bbe3a70dc514f7d36a96c3076bde69cd2bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Aug 2024 15:06:34 -0500 +Subject: drm/vmwgfx: Limit display layout ioctl array size to + VMWGFX_NUM_DISPLAY_UNITS + +From: Ian Forbes + +[ Upstream commit 28a5dfd4f615539fb22fb6d5c219c199c14e6eb6 ] + +Currently the array size is only limited by the largest kmalloc size which +is incorrect. This change will also return a more specific error message +than ENOMEM to userspace. + +Signed-off-by: Ian Forbes +Reviewed-by: Zack Rusin +Reviewed-by: Martin Krastev +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20240808200634.1074083-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 ++-- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 4 +++- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 3 --- + 3 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +index 3f4719b3c2681..4e2807f5f94cf 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +@@ -62,7 +62,7 @@ + #define VMWGFX_DRIVER_MINOR 20 + #define VMWGFX_DRIVER_PATCHLEVEL 0 + #define VMWGFX_FIFO_STATIC_SIZE (1024*1024) +-#define VMWGFX_MAX_DISPLAYS 16 ++#define VMWGFX_NUM_DISPLAY_UNITS 8 + #define VMWGFX_CMD_BOUNCE_INIT_SIZE 32768 + + #define VMWGFX_MIN_INITIAL_WIDTH 1280 +@@ -82,7 +82,7 @@ + #define VMWGFX_NUM_GB_CONTEXT 256 + #define VMWGFX_NUM_GB_SHADER 20000 + #define VMWGFX_NUM_GB_SURFACE 32768 +-#define VMWGFX_NUM_GB_SCREEN_TARGET VMWGFX_MAX_DISPLAYS ++#define VMWGFX_NUM_GB_SCREEN_TARGET VMWGFX_NUM_DISPLAY_UNITS + #define VMWGFX_NUM_DXCONTEXT 256 + #define VMWGFX_NUM_DXQUERY 512 + #define VMWGFX_NUM_MOB (VMWGFX_NUM_GB_CONTEXT +\ +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index aec624196d6ea..63b8d7591253c 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -2197,7 +2197,7 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data, + struct drm_mode_config *mode_config = &dev->mode_config; + struct drm_vmw_update_layout_arg *arg = + (struct drm_vmw_update_layout_arg *)data; +- void __user *user_rects; ++ const void __user *user_rects; + struct drm_vmw_rect *rects; + struct drm_rect *drm_rects; + unsigned rects_size; +@@ -2209,6 +2209,8 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data, + VMWGFX_MIN_INITIAL_HEIGHT}; + vmw_du_update_layout(dev_priv, 1, &def_rect); + return 0; ++ } else if (arg->num_outputs > VMWGFX_NUM_DISPLAY_UNITS) { ++ return -E2BIG; + } + + rects_size = arg->num_outputs * sizeof(struct drm_vmw_rect); +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h +index 6141fadf81efe..2a6c6d6581e02 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h +@@ -199,9 +199,6 @@ struct vmw_kms_dirty { + s32 unit_y2; + }; + +-#define VMWGFX_NUM_DISPLAY_UNITS 8 +- +- + #define vmw_framebuffer_to_vfb(x) \ + container_of(x, struct vmw_framebuffer, base) + #define vmw_framebuffer_to_vfbs(x) \ +-- +2.43.0 + diff --git a/queue-6.11/drm-xe-query-increase-timestamp-width.patch b/queue-6.11/drm-xe-query-increase-timestamp-width.patch new file mode 100644 index 00000000000..a739325d150 --- /dev/null +++ b/queue-6.11/drm-xe-query-increase-timestamp-width.patch @@ -0,0 +1,55 @@ +From da198595c8a9f461395b506de45a1e35d9764652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 20:56:16 -0700 +Subject: drm/xe/query: Increase timestamp width + +From: Lucas De Marchi + +[ Upstream commit 477d665e9b6a1369968383f50c688d56b692a155 ] + +Starting with Xe2 the timestamp is a full 64 bit counter, contrary to +the 36 bit that was available before. Although 36 should be sufficient +for any reasonable delta calculation (for Xe2, of about 30min), it's +surprising to userspace to get something truncated. Also if the +timestamp being compared to is coming from the GPU and the application +is not careful enough to apply the width there, a delta calculation +would be wrong. + +Extend it to full 64-bits starting with Xe2. + +v2: Expand width=64 to media gt, as it's just a wrong tagging in the +spec - empirical tests show it goes beyond 36 bits and match the engines +for the main gt + +Bspec: 60411 +Cc: Szymon Morek +Reviewed-by: Matt Roper +Link: https://patchwork.freedesktop.org/patch/msgid/20241011035618.1057602-1-lucas.demarchi@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 9d559cdcb21f42188d4c3ff3b4fe42b240f4af5d) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_query.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c +index 4e01df6b1b7a1..3a30b12e22521 100644 +--- a/drivers/gpu/drm/xe/xe_query.c ++++ b/drivers/gpu/drm/xe/xe_query.c +@@ -161,7 +161,11 @@ query_engine_cycles(struct xe_device *xe, + cpu_clock); + + xe_force_wake_put(gt_to_fw(gt), XE_FORCEWAKE_ALL); +- resp.width = 36; ++ ++ if (GRAPHICS_VER(xe) >= 20) ++ resp.width = 64; ++ else ++ resp.width = 36; + + /* Only write to the output fields of user query */ + if (put_user(resp.cpu_timestamp, &query_ptr->cpu_timestamp)) +-- +2.43.0 + diff --git a/queue-6.11/hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch b/queue-6.11/hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch new file mode 100644 index 00000000000..7f35d80ed68 --- /dev/null +++ b/queue-6.11/hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch @@ -0,0 +1,47 @@ +From eb7dec44fe3e7a43aab766d793df6205ed5f4f3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 12:08:03 +0800 +Subject: HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad + +From: WangYuli + +[ Upstream commit 7a5ab8071114344f62a8b1e64ed3452a77257d76 ] + +The behavior of HONOR MagicBook Art 14 touchpad is not consistent +after reboots, as sometimes it reports itself as a touchpad, and +sometimes as a mouse. + +Similarly to GLO-GXXX it is possible to call MT_QUIRK_FORCE_GET_FEATURE as a +workaround to force set feature in mt_set_input_mode() for such special touchpad +device. + +[jkosina@suse.com: reword changelog a little bit] +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1040 +Signed-off-by: Wentao Guan +Signed-off-by: WangYuli +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 86ca25b637809..871d7417824b8 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -2090,6 +2090,11 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + 0x347d, 0x7853) }, + ++ /* HONOR MagicBook Art 14 touchpad */ ++ { .driver_data = MT_CLS_VTL, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ 0x35cc, 0x0104) }, ++ + /* Ilitek dual touch panel */ + { .driver_data = MT_CLS_NSMU, + MT_USB_DEVICE(USB_VENDOR_ID_ILITEK, +-- +2.43.0 + diff --git a/queue-6.11/hid-multitouch-add-support-for-b2402fva-track-point.patch b/queue-6.11/hid-multitouch-add-support-for-b2402fva-track-point.patch new file mode 100644 index 00000000000..f1f8dd4b3a5 --- /dev/null +++ b/queue-6.11/hid-multitouch-add-support-for-b2402fva-track-point.patch @@ -0,0 +1,44 @@ +From da97932840cf47933fdd5259270a3f1ec7e07550 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2024 10:12:23 +0200 +Subject: HID: multitouch: Add support for B2402FVA track point + +From: Stefan Blum + +[ Upstream commit 1a5cbb526ec4b885177d06a8bc04f38da7dbb1d9 ] + +By default the track point does not work on the Asus Expertbook B2402FVA. + +From libinput record i got the ID of the track point device: + evdev: + # Name: ASUE1201:00 04F3:32AE + # ID: bus 0x18 vendor 0x4f3 product 0x32ae version 0x100 + +I found that the track point is functional, when i set the +MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU class for the reported device. + +Signed-off-by: Stefan Blum +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index 847462650549e..86ca25b637809 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -2017,6 +2017,10 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_ELAN, 0x3148) }, + ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU, ++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_ELAN, 0x32ae) }, ++ + /* Elitegroup panel */ + { .driver_data = MT_CLS_SERIAL, + MT_USB_DEVICE(USB_VENDOR_ID_ELITEGROUP, +-- +2.43.0 + diff --git a/queue-6.11/iommu-arm-smmu-clarify-mmu-500-cpre-workaround.patch b/queue-6.11/iommu-arm-smmu-clarify-mmu-500-cpre-workaround.patch new file mode 100644 index 00000000000..e93175658e1 --- /dev/null +++ b/queue-6.11/iommu-arm-smmu-clarify-mmu-500-cpre-workaround.patch @@ -0,0 +1,47 @@ +From 19ef62326ff19e96e6a325135a39948fd96538cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 16:21:17 +0100 +Subject: iommu/arm-smmu: Clarify MMU-500 CPRE workaround + +From: Robin Murphy + +[ Upstream commit 0dfe314cdd0d378f96bb9c6bdc05c8120f48606d ] + +CPRE workarounds are implicated in at least 5 MMU-500 errata, some of +which remain unfixed. The comment and warning message have proven to be +unhelpfully misleading about this scope, so reword them to get the point +across with less risk of going out of date or confusing users. + +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/dfa82171b5248ad7cf1f25592101a6eec36b8c9a.1728400877.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu/arm-smmu-impl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c b/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c +index 9dc772f2cbb27..99030e6b16e7a 100644 +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c +@@ -130,7 +130,7 @@ int arm_mmu500_reset(struct arm_smmu_device *smmu) + + /* + * Disable MMU-500's not-particularly-beneficial next-page +- * prefetcher for the sake of errata #841119 and #826419. ++ * prefetcher for the sake of at least 5 known errata. + */ + for (i = 0; i < smmu->num_context_banks; ++i) { + reg = arm_smmu_cb_read(smmu, i, ARM_SMMU_CB_ACTLR); +@@ -138,7 +138,7 @@ int arm_mmu500_reset(struct arm_smmu_device *smmu) + arm_smmu_cb_write(smmu, i, ARM_SMMU_CB_ACTLR, reg); + reg = arm_smmu_cb_read(smmu, i, ARM_SMMU_CB_ACTLR); + if (reg & ARM_MMU500_ACTLR_CPRE) +- dev_warn_once(smmu->dev, "Failed to disable prefetcher [errata #841119 and #826419], check ACR.CACHE_LOCK\n"); ++ dev_warn_once(smmu->dev, "Failed to disable prefetcher for errata workarounds, check SACR.CACHE_LOCK\n"); + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.11/irqchip-ocelot-fix-trigger-register-address.patch b/queue-6.11/irqchip-ocelot-fix-trigger-register-address.patch new file mode 100644 index 00000000000..06bef5326f8 --- /dev/null +++ b/queue-6.11/irqchip-ocelot-fix-trigger-register-address.patch @@ -0,0 +1,56 @@ +From e5dd326d6d44d6868407a257cfafc05ae4c2246f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 21:44:15 +0300 +Subject: irqchip/ocelot: Fix trigger register address + +From: Sergey Matsievskiy + +[ Upstream commit 9e9c4666abb5bb444dac37e2d7eb5250c8d52a45 ] + +Controllers, supported by this driver, have two sets of registers: + + * (main) interrupt registers control peripheral interrupt sources. + + * device interrupt registers configure per-device (network interface) + interrupts and act as an extra stage before the main interrupt + registers. + +In the driver unmask code, device trigger registers are used in the mask +calculation of the main interrupt sticky register, mixing two kinds of +registers. + +Use the main interrupt trigger register instead. + +Signed-off-by: Sergey Matsievskiy +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/20240925184416.54204-2-matsievskiysv@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mscc-ocelot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-mscc-ocelot.c b/drivers/irqchip/irq-mscc-ocelot.c +index 4d0c3532dbe73..c19ab379e8c5e 100644 +--- a/drivers/irqchip/irq-mscc-ocelot.c ++++ b/drivers/irqchip/irq-mscc-ocelot.c +@@ -37,7 +37,7 @@ static struct chip_props ocelot_props = { + .reg_off_ena_clr = 0x1c, + .reg_off_ena_set = 0x20, + .reg_off_ident = 0x38, +- .reg_off_trigger = 0x5c, ++ .reg_off_trigger = 0x4, + .n_irq = 24, + }; + +@@ -70,7 +70,7 @@ static struct chip_props jaguar2_props = { + .reg_off_ena_clr = 0x1c, + .reg_off_ena_set = 0x20, + .reg_off_ident = 0x38, +- .reg_off_trigger = 0x5c, ++ .reg_off_trigger = 0x4, + .n_irq = 29, + }; + +-- +2.43.0 + diff --git a/queue-6.11/kasan-disable-software-tag-based-kasan-with-gcc.patch b/queue-6.11/kasan-disable-software-tag-based-kasan-with-gcc.patch new file mode 100644 index 00000000000..256b2131c98 --- /dev/null +++ b/queue-6.11/kasan-disable-software-tag-based-kasan-with-gcc.patch @@ -0,0 +1,81 @@ +From f3c408bbb36563f810601873206f02d2ff0a1923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 17:11:00 +0100 +Subject: kasan: Disable Software Tag-Based KASAN with GCC + +From: Will Deacon + +[ Upstream commit 7aed6a2c51ffc97a126e0ea0c270fab7af97ae18 ] + +Syzbot reports a KASAN failure early during boot on arm64 when building +with GCC 12.2.0 and using the Software Tag-Based KASAN mode: + + | BUG: KASAN: invalid-access in smp_build_mpidr_hash arch/arm64/kernel/setup.c:133 [inline] + | BUG: KASAN: invalid-access in setup_arch+0x984/0xd60 arch/arm64/kernel/setup.c:356 + | Write of size 4 at addr 03ff800086867e00 by task swapper/0 + | Pointer tag: [03], memory tag: [fe] + +Initial triage indicates that the report is a false positive and a +thorough investigation of the crash by Mark Rutland revealed the root +cause to be a bug in GCC: + + > When GCC is passed `-fsanitize=hwaddress` or + > `-fsanitize=kernel-hwaddress` it ignores + > `__attribute__((no_sanitize_address))`, and instruments functions + > we require are not instrumented. + > + > [...] + > + > All versions [of GCC] I tried were broken, from 11.3.0 to 14.2.0 + > inclusive. + > + > I think we have to disable KASAN_SW_TAGS with GCC until this is + > fixed + +Disable Software Tag-Based KASAN when building with GCC by making +CC_HAS_KASAN_SW_TAGS depend on !CC_IS_GCC. + +Cc: Andrey Konovalov +Suggested-by: Mark Rutland +Reported-by: syzbot+908886656a02769af987@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/000000000000f362e80620e27859@google.com +Link: https://lore.kernel.org/r/ZvFGwKfoC4yVjN_X@J2N7QTR9R3 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218854 +Reviewed-by: Andrey Konovalov +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20241014161100.18034-1-will@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + lib/Kconfig.kasan | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan +index 98016e137b7f0..233ab20969242 100644 +--- a/lib/Kconfig.kasan ++++ b/lib/Kconfig.kasan +@@ -22,8 +22,11 @@ config ARCH_DISABLE_KASAN_INLINE + config CC_HAS_KASAN_GENERIC + def_bool $(cc-option, -fsanitize=kernel-address) + ++# GCC appears to ignore no_sanitize_address when -fsanitize=kernel-hwaddress ++# is passed. See https://bugzilla.kernel.org/show_bug.cgi?id=218854 (and ++# the linked LKML thread) for more details. + config CC_HAS_KASAN_SW_TAGS +- def_bool $(cc-option, -fsanitize=kernel-hwaddress) ++ def_bool !CC_IS_GCC && $(cc-option, -fsanitize=kernel-hwaddress) + + # This option is only required for software KASAN modes. + # Old GCC versions do not have proper support for no_sanitize_address. +@@ -98,7 +101,7 @@ config KASAN_SW_TAGS + help + Enables Software Tag-Based KASAN. + +- Requires GCC 11+ or Clang. ++ Requires Clang. + + Supported only on arm64 CPUs and relies on Top Byte Ignore. + +-- +2.43.0 + diff --git a/queue-6.11/net-phy-mdio-bcm-unimac-add-bcm6846-support.patch b/queue-6.11/net-phy-mdio-bcm-unimac-add-bcm6846-support.patch new file mode 100644 index 00000000000..a53c4792f4b --- /dev/null +++ b/queue-6.11/net-phy-mdio-bcm-unimac-add-bcm6846-support.patch @@ -0,0 +1,40 @@ +From eceb59f705178646c44c9ba5c74812216463edf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Oct 2024 22:35:23 +0200 +Subject: net: phy: mdio-bcm-unimac: Add BCM6846 support + +From: Linus Walleij + +[ Upstream commit 906b77ca91c7e9833b4e47bedb6bec76be71d497 ] + +Add Unimac mdio compatible string for the special BCM6846 +variant. + +This variant has a few extra registers compared to other +versions. + +Suggested-by: Florian Fainelli +Link: https://lore.kernel.org/linux-devicetree/b542b2e8-115c-4234-a464-e73aa6bece5c@broadcom.com/ +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20241012-bcm6846-mdio-v1-2-c703ca83e962@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-bcm-unimac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mdio/mdio-bcm-unimac.c b/drivers/net/mdio/mdio-bcm-unimac.c +index f40eb50bb978d..b7bc70586ee0a 100644 +--- a/drivers/net/mdio/mdio-bcm-unimac.c ++++ b/drivers/net/mdio/mdio-bcm-unimac.c +@@ -337,6 +337,7 @@ static const struct of_device_id unimac_mdio_ids[] = { + { .compatible = "brcm,asp-v2.2-mdio", }, + { .compatible = "brcm,asp-v2.1-mdio", }, + { .compatible = "brcm,asp-v2.0-mdio", }, ++ { .compatible = "brcm,bcm6846-mdio", }, + { .compatible = "brcm,genet-mdio-v5", }, + { .compatible = "brcm,genet-mdio-v4", }, + { .compatible = "brcm,genet-mdio-v3", }, +-- +2.43.0 + diff --git a/queue-6.11/nvme-disable-cc.crime-nvme_cc_crime.patch b/queue-6.11/nvme-disable-cc.crime-nvme_cc_crime.patch new file mode 100644 index 00000000000..1f4fcdc5cba --- /dev/null +++ b/queue-6.11/nvme-disable-cc.crime-nvme_cc_crime.patch @@ -0,0 +1,57 @@ +From a56e3c045fc421bdb31c20ddcdf1c7071089c690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 14:33:24 -0500 +Subject: nvme: disable CC.CRIME (NVME_CC_CRIME) + +From: Greg Joyce + +[ Upstream commit 0ce96a6708f34280a536263ee5c67e20c433dcce ] + +Disable NVME_CC_CRIME so that CSTS.RDY indicates that the media +is ready and able to handle commands without returning +NVME_SC_ADMIN_COMMAND_MEDIA_NOT_READY. + +Signed-off-by: Greg Joyce +Reviewed-by: Nilay Shroff +Tested-by: Nilay Shroff +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index b954e77d3fc56..7dac71cce3ebe 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2472,8 +2472,13 @@ int nvme_enable_ctrl(struct nvme_ctrl *ctrl) + else + ctrl->ctrl_config = NVME_CC_CSS_NVM; + +- if (ctrl->cap & NVME_CAP_CRMS_CRWMS && ctrl->cap & NVME_CAP_CRMS_CRIMS) +- ctrl->ctrl_config |= NVME_CC_CRIME; ++ /* ++ * Setting CRIME results in CSTS.RDY before the media is ready. This ++ * makes it possible for media related commands to return the error ++ * NVME_SC_ADMIN_COMMAND_MEDIA_NOT_READY. Until the driver is ++ * restructured to handle retries, disable CC.CRIME. ++ */ ++ ctrl->ctrl_config &= ~NVME_CC_CRIME; + + ctrl->ctrl_config |= (NVME_CTRL_PAGE_SHIFT - 12) << NVME_CC_MPS_SHIFT; + ctrl->ctrl_config |= NVME_CC_AMS_RR | NVME_CC_SHN_NONE; +@@ -2508,10 +2513,7 @@ int nvme_enable_ctrl(struct nvme_ctrl *ctrl) + * devices are known to get this wrong. Use the larger of the + * two values. + */ +- if (ctrl->ctrl_config & NVME_CC_CRIME) +- ready_timeout = NVME_CRTO_CRIMT(crto); +- else +- ready_timeout = NVME_CRTO_CRWMT(crto); ++ ready_timeout = NVME_CRTO_CRWMT(crto); + + if (ready_timeout < timeout) + dev_warn_once(ctrl->device, "bad crto:%x cap:%llx\n", +-- +2.43.0 + diff --git a/queue-6.11/nvme-host-fix-rcu-list-traversal-to-use-srcu-primiti.patch b/queue-6.11/nvme-host-fix-rcu-list-traversal-to-use-srcu-primiti.patch new file mode 100644 index 00000000000..5ee1aeb53d0 --- /dev/null +++ b/queue-6.11/nvme-host-fix-rcu-list-traversal-to-use-srcu-primiti.patch @@ -0,0 +1,106 @@ +From 7b746a6e8ec8609ea186d71a0143e28d3f2bb28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2024 04:24:40 -0800 +Subject: nvme/host: Fix RCU list traversal to use SRCU primitive + +From: Breno Leitao + +[ Upstream commit 6d1c69945ce63a9fba22a4abf646cf960d878782 ] + +The code currently uses list_for_each_entry_rcu() while holding an SRCU +lock, triggering false positive warnings with CONFIG_PROVE_RCU=y +enabled: + + drivers/nvme/host/core.c:3770 RCU-list traversed in non-reader section!! + +While the list is properly protected by SRCU lock, the code uses the wrong +list traversal primitive. Replace list_for_each_entry_rcu() with +list_for_each_entry_srcu() to correctly indicate SRCU-based protection +and eliminate the false warning. + +Fixes: be647e2c76b2 ("nvme: use srcu for iterating namespace list") +Signed-off-by: Breno Leitao +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 89ad4217f8606..b954e77d3fc56 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3793,7 +3793,8 @@ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid) + int srcu_idx; + + srcu_idx = srcu_read_lock(&ctrl->srcu); +- list_for_each_entry_rcu(ns, &ctrl->namespaces, list) { ++ list_for_each_entry_srcu(ns, &ctrl->namespaces, list, ++ srcu_read_lock_held(&ctrl->srcu)) { + if (ns->head->ns_id == nsid) { + if (!nvme_get_ns(ns)) + continue; +@@ -4840,7 +4841,8 @@ void nvme_mark_namespaces_dead(struct nvme_ctrl *ctrl) + int srcu_idx; + + srcu_idx = srcu_read_lock(&ctrl->srcu); +- list_for_each_entry_rcu(ns, &ctrl->namespaces, list) ++ list_for_each_entry_srcu(ns, &ctrl->namespaces, list, ++ srcu_read_lock_held(&ctrl->srcu)) + blk_mark_disk_dead(ns->disk); + srcu_read_unlock(&ctrl->srcu, srcu_idx); + } +@@ -4852,7 +4854,8 @@ void nvme_unfreeze(struct nvme_ctrl *ctrl) + int srcu_idx; + + srcu_idx = srcu_read_lock(&ctrl->srcu); +- list_for_each_entry_rcu(ns, &ctrl->namespaces, list) ++ list_for_each_entry_srcu(ns, &ctrl->namespaces, list, ++ srcu_read_lock_held(&ctrl->srcu)) + blk_mq_unfreeze_queue(ns->queue); + srcu_read_unlock(&ctrl->srcu, srcu_idx); + clear_bit(NVME_CTRL_FROZEN, &ctrl->flags); +@@ -4865,7 +4868,8 @@ int nvme_wait_freeze_timeout(struct nvme_ctrl *ctrl, long timeout) + int srcu_idx; + + srcu_idx = srcu_read_lock(&ctrl->srcu); +- list_for_each_entry_rcu(ns, &ctrl->namespaces, list) { ++ list_for_each_entry_srcu(ns, &ctrl->namespaces, list, ++ srcu_read_lock_held(&ctrl->srcu)) { + timeout = blk_mq_freeze_queue_wait_timeout(ns->queue, timeout); + if (timeout <= 0) + break; +@@ -4881,7 +4885,8 @@ void nvme_wait_freeze(struct nvme_ctrl *ctrl) + int srcu_idx; + + srcu_idx = srcu_read_lock(&ctrl->srcu); +- list_for_each_entry_rcu(ns, &ctrl->namespaces, list) ++ list_for_each_entry_srcu(ns, &ctrl->namespaces, list, ++ srcu_read_lock_held(&ctrl->srcu)) + blk_mq_freeze_queue_wait(ns->queue); + srcu_read_unlock(&ctrl->srcu, srcu_idx); + } +@@ -4894,7 +4899,8 @@ void nvme_start_freeze(struct nvme_ctrl *ctrl) + + set_bit(NVME_CTRL_FROZEN, &ctrl->flags); + srcu_idx = srcu_read_lock(&ctrl->srcu); +- list_for_each_entry_rcu(ns, &ctrl->namespaces, list) ++ list_for_each_entry_srcu(ns, &ctrl->namespaces, list, ++ srcu_read_lock_held(&ctrl->srcu)) + blk_freeze_queue_start(ns->queue); + srcu_read_unlock(&ctrl->srcu, srcu_idx); + } +@@ -4942,7 +4948,8 @@ void nvme_sync_io_queues(struct nvme_ctrl *ctrl) + int srcu_idx; + + srcu_idx = srcu_read_lock(&ctrl->srcu); +- list_for_each_entry_rcu(ns, &ctrl->namespaces, list) ++ list_for_each_entry_srcu(ns, &ctrl->namespaces, list, ++ srcu_read_lock_held(&ctrl->srcu)) + blk_sync_queue(ns->queue); + srcu_read_unlock(&ctrl->srcu, srcu_idx); + } +-- +2.43.0 + diff --git a/queue-6.11/nvme-loop-flush-off-pending-i-o-while-shutting-down-.patch b/queue-6.11/nvme-loop-flush-off-pending-i-o-while-shutting-down-.patch new file mode 100644 index 00000000000..5626e3d0a5c --- /dev/null +++ b/queue-6.11/nvme-loop-flush-off-pending-i-o-while-shutting-down-.patch @@ -0,0 +1,64 @@ +From 4575a455c3842f188e6601da405527b337335e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 08:33:14 +0530 +Subject: nvme-loop: flush off pending I/O while shutting down loop controller + +From: Nilay Shroff + +[ Upstream commit c199fac88fe7c749f88a0653e9f621b9f5a71cf1 ] + +While shutting down loop controller, we first quiesce the admin/IO queue, +delete the admin/IO tag-set and then at last destroy the admin/IO queue. +However it's quite possible that during the window between quiescing and +destroying of the admin/IO queue, some admin/IO request might sneak in +and if that happens then we could potentially encounter a hung task +because shutdown operation can't forward progress until any pending I/O +is flushed off. + +This commit helps ensure that before destroying the admin/IO queue, we +unquiesce the admin/IO queue so that any outstanding requests, which are +added after the admin/IO queue is quiesced, are now flushed to its +completion. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Nilay Shroff +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index e32790d8fc260..a9d112d34d4f4 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -265,6 +265,13 @@ static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl) + { + if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags)) + return; ++ /* ++ * It's possible that some requests might have been added ++ * after admin queue is stopped/quiesced. So now start the ++ * queue to flush these requests to the completion. ++ */ ++ nvme_unquiesce_admin_queue(&ctrl->ctrl); ++ + nvmet_sq_destroy(&ctrl->queues[0].nvme_sq); + nvme_remove_admin_tag_set(&ctrl->ctrl); + } +@@ -297,6 +304,12 @@ static void nvme_loop_destroy_io_queues(struct nvme_loop_ctrl *ctrl) + nvmet_sq_destroy(&ctrl->queues[i].nvme_sq); + } + ctrl->ctrl.queue_count = 1; ++ /* ++ * It's possible that some requests might have been added ++ * after io queue is stopped/quiesced. So now start the ++ * queue to flush these requests to the completion. ++ */ ++ nvme_unquiesce_io_queues(&ctrl->ctrl); + } + + static int nvme_loop_init_io_queues(struct nvme_loop_ctrl *ctrl) +-- +2.43.0 + diff --git a/queue-6.11/nvme-make-keep-alive-synchronous-operation.patch b/queue-6.11/nvme-make-keep-alive-synchronous-operation.patch new file mode 100644 index 00000000000..c89c90739b6 --- /dev/null +++ b/queue-6.11/nvme-make-keep-alive-synchronous-operation.patch @@ -0,0 +1,122 @@ +From e9525e76a7265357f5e3ad58f30e822770b55a1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2024 08:33:15 +0530 +Subject: nvme: make keep-alive synchronous operation + +From: Nilay Shroff + +[ Upstream commit d06923670b5a5f609603d4a9fee4dec02d38de9c ] + +The nvme keep-alive operation, which executes at a periodic interval, +could potentially sneak in while shutting down a fabric controller. +This may lead to a race between the fabric controller admin queue +destroy code path (invoked while shutting down controller) and hw/hctx +queue dispatcher called from the nvme keep-alive async request queuing +operation. This race could lead to the kernel crash shown below: + +Call Trace: + autoremove_wake_function+0x0/0xbc (unreliable) + __blk_mq_sched_dispatch_requests+0x114/0x24c + blk_mq_sched_dispatch_requests+0x44/0x84 + blk_mq_run_hw_queue+0x140/0x220 + nvme_keep_alive_work+0xc8/0x19c [nvme_core] + process_one_work+0x200/0x4e0 + worker_thread+0x340/0x504 + kthread+0x138/0x140 + start_kernel_thread+0x14/0x18 + +While shutting down fabric controller, if nvme keep-alive request sneaks +in then it would be flushed off. The nvme_keep_alive_end_io function is +then invoked to handle the end of the keep-alive operation which +decrements the admin->q_usage_counter and assuming this is the last/only +request in the admin queue then the admin->q_usage_counter becomes zero. +If that happens then blk-mq destroy queue operation (blk_mq_destroy_ +queue()) which could be potentially running simultaneously on another +cpu (as this is the controller shutdown code path) would forward +progress and deletes the admin queue. So, now from this point onward +we are not supposed to access the admin queue resources. However the +issue here's that the nvme keep-alive thread running hw/hctx queue +dispatch operation hasn't yet finished its work and so it could still +potentially access the admin queue resource while the admin queue had +been already deleted and that causes the above crash. + +This fix helps avoid the observed crash by implementing keep-alive as a +synchronous operation so that we decrement admin->q_usage_counter only +after keep-alive command finished its execution and returns the command +status back up to its caller (blk_execute_rq()). This would ensure that +fabric shutdown code path doesn't destroy the fabric admin queue until +keep-alive request finished execution and also keep-alive thread is not +running hw/hctx queue dispatch operation. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Nilay Shroff +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 7dac71cce3ebe..128932c849a1a 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1302,10 +1302,9 @@ static void nvme_queue_keep_alive_work(struct nvme_ctrl *ctrl) + queue_delayed_work(nvme_wq, &ctrl->ka_work, delay); + } + +-static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq, +- blk_status_t status) ++static void nvme_keep_alive_finish(struct request *rq, ++ blk_status_t status, struct nvme_ctrl *ctrl) + { +- struct nvme_ctrl *ctrl = rq->end_io_data; + unsigned long flags; + bool startka = false; + unsigned long rtt = jiffies - (rq->deadline - rq->timeout); +@@ -1323,13 +1322,11 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq, + delay = 0; + } + +- blk_mq_free_request(rq); +- + if (status) { + dev_err(ctrl->device, + "failed nvme_keep_alive_end_io error=%d\n", + status); +- return RQ_END_IO_NONE; ++ return; + } + + ctrl->ka_last_check_time = jiffies; +@@ -1341,7 +1338,6 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq, + spin_unlock_irqrestore(&ctrl->lock, flags); + if (startka) + queue_delayed_work(nvme_wq, &ctrl->ka_work, delay); +- return RQ_END_IO_NONE; + } + + static void nvme_keep_alive_work(struct work_struct *work) +@@ -1350,6 +1346,7 @@ static void nvme_keep_alive_work(struct work_struct *work) + struct nvme_ctrl, ka_work); + bool comp_seen = ctrl->comp_seen; + struct request *rq; ++ blk_status_t status; + + ctrl->ka_last_check_time = jiffies; + +@@ -1372,9 +1369,9 @@ static void nvme_keep_alive_work(struct work_struct *work) + nvme_init_request(rq, &ctrl->ka_cmd); + + rq->timeout = ctrl->kato * HZ; +- rq->end_io = nvme_keep_alive_end_io; +- rq->end_io_data = ctrl; +- blk_execute_rq_nowait(rq, false); ++ status = blk_execute_rq(rq, false); ++ nvme_keep_alive_finish(rq, status, ctrl); ++ blk_mq_free_request(rq); + } + + static void nvme_start_keep_alive(struct nvme_ctrl *ctrl) +-- +2.43.0 + diff --git a/queue-6.11/nvme-multipath-defer-partition-scanning.patch b/queue-6.11/nvme-multipath-defer-partition-scanning.patch new file mode 100644 index 00000000000..288328f1c1b --- /dev/null +++ b/queue-6.11/nvme-multipath-defer-partition-scanning.patch @@ -0,0 +1,118 @@ +From 3a158e619298f94ed87b6275afdd2fe5040c9c92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 07:30:17 -0700 +Subject: nvme-multipath: defer partition scanning + +From: Keith Busch + +[ Upstream commit 1f021341eef41e77a633186e9be5223de2ce5d48 ] + +We need to suppress the partition scan from occuring within the +controller's scan_work context. If a path error occurs here, the IO will +wait until a path becomes available or all paths are torn down, but that +action also occurs within scan_work, so it would deadlock. Defer the +partion scan to a different context that does not block scan_work. + +Reported-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 33 +++++++++++++++++++++++++++++++++ + drivers/nvme/host/nvme.h | 1 + + 2 files changed, 34 insertions(+) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 6d97058cde7a1..a43982aaa40d7 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -577,6 +577,20 @@ static int nvme_add_ns_head_cdev(struct nvme_ns_head *head) + return ret; + } + ++static void nvme_partition_scan_work(struct work_struct *work) ++{ ++ struct nvme_ns_head *head = ++ container_of(work, struct nvme_ns_head, partition_scan_work); ++ ++ if (WARN_ON_ONCE(!test_and_clear_bit(GD_SUPPRESS_PART_SCAN, ++ &head->disk->state))) ++ return; ++ ++ mutex_lock(&head->disk->open_mutex); ++ bdev_disk_changed(head->disk, false); ++ mutex_unlock(&head->disk->open_mutex); ++} ++ + static void nvme_requeue_work(struct work_struct *work) + { + struct nvme_ns_head *head = +@@ -603,6 +617,7 @@ int nvme_mpath_alloc_disk(struct nvme_ctrl *ctrl, struct nvme_ns_head *head) + bio_list_init(&head->requeue_list); + spin_lock_init(&head->requeue_lock); + INIT_WORK(&head->requeue_work, nvme_requeue_work); ++ INIT_WORK(&head->partition_scan_work, nvme_partition_scan_work); + + /* + * Add a multipath node if the subsystems supports multiple controllers. +@@ -626,6 +641,16 @@ int nvme_mpath_alloc_disk(struct nvme_ctrl *ctrl, struct nvme_ns_head *head) + return PTR_ERR(head->disk); + head->disk->fops = &nvme_ns_head_ops; + head->disk->private_data = head; ++ ++ /* ++ * We need to suppress the partition scan from occuring within the ++ * controller's scan_work context. If a path error occurs here, the IO ++ * will wait until a path becomes available or all paths are torn down, ++ * but that action also occurs within scan_work, so it would deadlock. ++ * Defer the partion scan to a different context that does not block ++ * scan_work. ++ */ ++ set_bit(GD_SUPPRESS_PART_SCAN, &head->disk->state); + sprintf(head->disk->disk_name, "nvme%dn%d", + ctrl->subsys->instance, head->instance); + return 0; +@@ -652,6 +677,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns) + return; + } + nvme_add_ns_head_cdev(head); ++ kblockd_schedule_work(&head->partition_scan_work); + } + + mutex_lock(&head->lock); +@@ -972,6 +998,12 @@ void nvme_mpath_shutdown_disk(struct nvme_ns_head *head) + kblockd_schedule_work(&head->requeue_work); + if (test_bit(NVME_NSHEAD_DISK_LIVE, &head->flags)) { + nvme_cdev_del(&head->cdev, &head->cdev_device); ++ /* ++ * requeue I/O after NVME_NSHEAD_DISK_LIVE has been cleared ++ * to allow multipath to fail all I/O. ++ */ ++ synchronize_srcu(&head->srcu); ++ kblockd_schedule_work(&head->requeue_work); + del_gendisk(head->disk); + } + } +@@ -983,6 +1015,7 @@ void nvme_mpath_remove_disk(struct nvme_ns_head *head) + /* make sure all pending bios are cleaned up */ + kblockd_schedule_work(&head->requeue_work); + flush_work(&head->requeue_work); ++ flush_work(&head->partition_scan_work); + put_disk(head->disk); + } + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 313a4f978a2cf..093cb423f536b 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -494,6 +494,7 @@ struct nvme_ns_head { + struct bio_list requeue_list; + spinlock_t requeue_lock; + struct work_struct requeue_work; ++ struct work_struct partition_scan_work; + struct mutex lock; + unsigned long flags; + #define NVME_NSHEAD_DISK_LIVE 0 +-- +2.43.0 + diff --git a/queue-6.11/nvme-tcp-avoid-race-between-queue_lock-lock-and-dest.patch b/queue-6.11/nvme-tcp-avoid-race-between-queue_lock-lock-and-dest.patch new file mode 100644 index 00000000000..a1503510694 --- /dev/null +++ b/queue-6.11/nvme-tcp-avoid-race-between-queue_lock-lock-and-dest.patch @@ -0,0 +1,140 @@ +From 5f6496910994cc376c301ef3d8c3a8402d4a02ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 13:51:41 +0900 +Subject: nvme: tcp: avoid race between queue_lock lock and destroy + +From: Hannes Reinecke + +[ Upstream commit 782373ba27660ba7d330208cf5509ece6feb4545 ] + +Commit 76d54bf20cdc ("nvme-tcp: don't access released socket during +error recovery") added a mutex_lock() call for the queue->queue_lock +in nvme_tcp_get_address(). However, the mutex_lock() races with +mutex_destroy() in nvme_tcp_free_queue(), and causes the WARN below. + +DEBUG_LOCKS_WARN_ON(lock->magic != lock) +WARNING: CPU: 3 PID: 34077 at kernel/locking/mutex.c:587 __mutex_lock+0xcf0/0x1220 +Modules linked in: nvmet_tcp nvmet nvme_tcp nvme_fabrics iw_cm ib_cm ib_core pktcdvd nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables qrtr sunrpc ppdev 9pnet_virtio 9pnet pcspkr netfs parport_pc parport e1000 i2c_piix4 i2c_smbus loop fuse nfnetlink zram bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper xfs drm sym53c8xx floppy nvme scsi_transport_spi nvme_core nvme_auth serio_raw ata_generic pata_acpi dm_multipath qemu_fw_cfg [last unloaded: ib_uverbs] +CPU: 3 UID: 0 PID: 34077 Comm: udisksd Not tainted 6.11.0-rc7 #319 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:__mutex_lock+0xcf0/0x1220 +Code: 08 84 d2 0f 85 c8 04 00 00 8b 15 ef b6 c8 01 85 d2 0f 85 78 f4 ff ff 48 c7 c6 20 93 ee af 48 c7 c7 60 91 ee af e8 f0 a7 6d fd <0f> 0b e9 5e f4 ff ff 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 +RSP: 0018:ffff88811305f760 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff88812c652058 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001 +RBP: ffff88811305f8b0 R08: 0000000000000001 R09: ffffed1075c36341 +R10: ffff8883ae1b1a0b R11: 0000000000010498 R12: 0000000000000000 +R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88812c652058 +FS: 00007f9713ae4980(0000) GS:ffff8883ae180000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fcd78483c7c CR3: 0000000122c38000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? __warn.cold+0x5b/0x1af + ? __mutex_lock+0xcf0/0x1220 + ? report_bug+0x1ec/0x390 + ? handle_bug+0x3c/0x80 + ? exc_invalid_op+0x13/0x40 + ? asm_exc_invalid_op+0x16/0x20 + ? __mutex_lock+0xcf0/0x1220 + ? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp] + ? __pfx___mutex_lock+0x10/0x10 + ? __lock_acquire+0xd6a/0x59e0 + ? nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp] + nvme_tcp_get_address+0xc2/0x1e0 [nvme_tcp] + ? __pfx_nvme_tcp_get_address+0x10/0x10 [nvme_tcp] + nvme_sysfs_show_address+0x81/0xc0 [nvme_core] + dev_attr_show+0x42/0x80 + ? __asan_memset+0x1f/0x40 + sysfs_kf_seq_show+0x1f0/0x370 + seq_read_iter+0x2cb/0x1130 + ? rw_verify_area+0x3b1/0x590 + ? __mutex_lock+0x433/0x1220 + vfs_read+0x6a6/0xa20 + ? lockdep_hardirqs_on+0x78/0x100 + ? __pfx_vfs_read+0x10/0x10 + ksys_read+0xf7/0x1d0 + ? __pfx_ksys_read+0x10/0x10 + ? __x64_sys_openat+0x105/0x1d0 + do_syscall_64+0x93/0x180 + ? lockdep_hardirqs_on_prepare+0x16d/0x400 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on+0x78/0x100 + ? do_syscall_64+0x9f/0x180 + ? __pfx_ksys_read+0x10/0x10 + ? lockdep_hardirqs_on_prepare+0x16d/0x400 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on+0x78/0x100 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on_prepare+0x16d/0x400 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on+0x78/0x100 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on_prepare+0x16d/0x400 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on+0x78/0x100 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on_prepare+0x16d/0x400 + ? do_syscall_64+0x9f/0x180 + ? lockdep_hardirqs_on+0x78/0x100 + ? do_syscall_64+0x9f/0x180 + ? do_syscall_64+0x9f/0x180 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7f9713f55cfa +Code: 55 48 89 e5 48 83 ec 20 48 89 55 e8 48 89 75 f0 89 7d f8 e8 e8 74 f8 ff 48 8b 55 e8 48 8b 75 f0 41 89 c0 8b 7d f8 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 2e 44 89 c7 48 89 45 f8 e8 42 75 f8 ff 48 8b +RSP: 002b:00007ffd7f512e70 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +RAX: ffffffffffffffda RBX: 000055c38f316859 RCX: 00007f9713f55cfa +RDX: 0000000000000fff RSI: 00007ffd7f512eb0 RDI: 0000000000000011 +RBP: 00007ffd7f512e90 R08: 0000000000000000 R09: 00000000ffffffff +R10: 0000000000000000 R11: 0000000000000246 R12: 000055c38f317148 +R13: 0000000000000000 R14: 00007f96f4004f30 R15: 000055c3b6b623c0 + + +The WARN is observed when the blktests test case nvme/014 is repeated +with tcp transport. It is rare, and 200 times repeat is required to +recreate in some test environments. + +To avoid the WARN, check the NVME_TCP_Q_LIVE flag before locking +queue->queue_lock. The flag is cleared long time before the lock gets +destroyed. + +Signed-off-by: Hannes Reinecke +Signed-off-by: Shin'ichiro Kawasaki +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index e3d82e91151af..c4d776c0ec206 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2644,10 +2644,11 @@ static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size) + + len = nvmf_get_address(ctrl, buf, size); + ++ if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags)) ++ return len; ++ + mutex_lock(&queue->queue_lock); + +- if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags)) +- goto done; + ret = kernel_getsockname(queue->sock, (struct sockaddr *)&src_addr); + if (ret > 0) { + if (len > 0) +@@ -2655,7 +2656,7 @@ static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size) + len += scnprintf(buf + len, size - len, "%ssrc_addr=%pISc\n", + (len) ? "," : "", &src_addr); + } +-done: ++ + mutex_unlock(&queue->queue_lock); + + return len; +-- +2.43.0 + diff --git a/queue-6.11/nvmet-passthru-clear-euid-nguid-uuid-while-using-loo.patch b/queue-6.11/nvmet-passthru-clear-euid-nguid-uuid-while-using-loo.patch new file mode 100644 index 00000000000..9a7856ce407 --- /dev/null +++ b/queue-6.11/nvmet-passthru-clear-euid-nguid-uuid-while-using-loo.patch @@ -0,0 +1,66 @@ +From 0064828d15d7ae7256ea2814164f2bfef6cfafb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2024 12:35:33 +0530 +Subject: nvmet-passthru: clear EUID/NGUID/UUID while using loop target + +From: Nilay Shroff + +[ Upstream commit e38dad438fc08162e20c600ae899e9e60688f72e ] + +When nvme passthru is configured using loop target, the clear_ids +attribute is, by default, set to true. This attribute would ensure that +EUID/NGUID/UUID is cleared for the loop passthru target. + +The newer NVMe disk supporting the NVMe spec 1.3 or higher, typically, +implements the support for "Namespace Identification Descriptor list" +command. This command when issued from host returns EUID/NGUID/UUID +assigned to the inquired namespace. Not clearing these values, while +using nvme passthru using loop target, would result in NVMe host driver +rejecting the namespace. This check was implemented in the commit +2079f41ec6ff ("nvme: check that EUI/GUID/UUID are globally unique"). + +The fix implemented in this commit ensure that when host issues ns-id +descriptor list command, the EUID/NGUID/UUID are cleared by passthru +target. In fact, the function nvmet_passthru_override_id_descs() which +clears those unique ids already exits, so we just need to ensure that +ns-id descriptor list command falls through the corretc code path. And +while we're at it, we also combines the three passthru admin command +cases together which shares the same code. + +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Signed-off-by: Nilay Shroff +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/passthru.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c +index 24d0e2418d2e6..0f9b280c438d9 100644 +--- a/drivers/nvme/target/passthru.c ++++ b/drivers/nvme/target/passthru.c +@@ -535,10 +535,6 @@ u16 nvmet_parse_passthru_admin_cmd(struct nvmet_req *req) + break; + case nvme_admin_identify: + switch (req->cmd->identify.cns) { +- case NVME_ID_CNS_CTRL: +- req->execute = nvmet_passthru_execute_cmd; +- req->p.use_workqueue = true; +- return NVME_SC_SUCCESS; + case NVME_ID_CNS_CS_CTRL: + switch (req->cmd->identify.csi) { + case NVME_CSI_ZNS: +@@ -547,7 +543,9 @@ u16 nvmet_parse_passthru_admin_cmd(struct nvmet_req *req) + return NVME_SC_SUCCESS; + } + return NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR; ++ case NVME_ID_CNS_CTRL: + case NVME_ID_CNS_NS: ++ case NVME_ID_CNS_NS_DESC_LIST: + req->execute = nvmet_passthru_execute_cmd; + req->p.use_workqueue = true; + return NVME_SC_SUCCESS; +-- +2.43.0 + diff --git a/queue-6.11/pinctrl-aw9523-add-missing-mutex_destroy.patch b/queue-6.11/pinctrl-aw9523-add-missing-mutex_destroy.patch new file mode 100644 index 00000000000..b8579e724e1 --- /dev/null +++ b/queue-6.11/pinctrl-aw9523-add-missing-mutex_destroy.patch @@ -0,0 +1,39 @@ +From d7f1f96bd00bd453187895a49fdd6929b1a780f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 14:27:22 -0700 +Subject: pinctrl: aw9523: add missing mutex_destroy + +From: Rosen Penev + +[ Upstream commit 393c554093c0c4cbc8e2f178d36df169016384da ] + +Otherwise the mutex remains after a failed kzalloc. + +Signed-off-by: Rosen Penev +Link: https://lore.kernel.org/20241001212724.309320-1-rosenp@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-aw9523.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-aw9523.c b/drivers/pinctrl/pinctrl-aw9523.c +index b5e1c467625ba..1374f30166bc3 100644 +--- a/drivers/pinctrl/pinctrl-aw9523.c ++++ b/drivers/pinctrl/pinctrl-aw9523.c +@@ -987,8 +987,10 @@ static int aw9523_probe(struct i2c_client *client) + lockdep_set_subclass(&awi->i2c_lock, i2c_adapter_depth(client->adapter)); + + pdesc = devm_kzalloc(dev, sizeof(*pdesc), GFP_KERNEL); +- if (!pdesc) +- return -ENOMEM; ++ if (!pdesc) { ++ ret = -ENOMEM; ++ goto err_disable_vregs; ++ } + + ret = aw9523_hw_init(awi); + if (ret) +-- +2.43.0 + diff --git a/queue-6.11/pinctrl-intel-platform-add-panther-lake-to-the-list-.patch b/queue-6.11/pinctrl-intel-platform-add-panther-lake-to-the-list-.patch new file mode 100644 index 00000000000..0759787cf07 --- /dev/null +++ b/queue-6.11/pinctrl-intel-platform-add-panther-lake-to-the-list-.patch @@ -0,0 +1,34 @@ +From 94d21b0a0234f7c31a80cb1a0917e16e1a325788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2024 18:00:36 +0300 +Subject: pinctrl: intel: platform: Add Panther Lake to the list of supported + +From: Andy Shevchenko + +[ Upstream commit 37756257093bf1bda0bb034f4f1bd3219c7b2a40 ] + +Intel Panther Lake is supported by the generic platform driver, +so add it to the list of supported in Kconfig. + +Acked-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/intel/Kconfig b/drivers/pinctrl/intel/Kconfig +index 2101d30bd66c1..14c26c023590e 100644 +--- a/drivers/pinctrl/intel/Kconfig ++++ b/drivers/pinctrl/intel/Kconfig +@@ -46,6 +46,7 @@ config PINCTRL_INTEL_PLATFORM + of Intel PCH pins and using them as GPIOs. Currently the following + Intel SoCs / platforms require this to be functional: + - Lunar Lake ++ - Panther Lake + + config PINCTRL_ALDERLAKE + tristate "Intel Alder Lake pinctrl and GPIO driver" +-- +2.43.0 + diff --git a/queue-6.11/powerpc-powernv-free-name-on-error-in-opal_event_ini.patch b/queue-6.11/powerpc-powernv-free-name-on-error-in-opal_event_ini.patch new file mode 100644 index 00000000000..13de73e7633 --- /dev/null +++ b/queue-6.11/powerpc-powernv-free-name-on-error-in-opal_event_ini.patch @@ -0,0 +1,39 @@ +From aa33c6f054e2f5f9b3586ba37356afdc113353c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2024 19:35:20 +1000 +Subject: powerpc/powernv: Free name on error in opal_event_init() + +From: Michael Ellerman + +[ Upstream commit cf8989d20d64ad702a6210c11a0347ebf3852aa7 ] + +In opal_event_init() if request_irq() fails name is not freed, leading +to a memory leak. The code only runs at boot time, there's no way for a +user to trigger it, so there's no security impact. + +Fix the leak by freeing name in the error path. + +Reported-by: 2639161967 <2639161967@qq.com> +Closes: https://lore.kernel.org/linuxppc-dev/87wmjp3wig.fsf@mail.lhotse +Signed-off-by: Michael Ellerman +Link: https://patch.msgid.link/20240920093520.67997-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-irqchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c +index 56a1f7ce78d2c..d92759c21fae9 100644 +--- a/arch/powerpc/platforms/powernv/opal-irqchip.c ++++ b/arch/powerpc/platforms/powernv/opal-irqchip.c +@@ -282,6 +282,7 @@ int __init opal_event_init(void) + name, NULL); + if (rc) { + pr_warn("Error %d requesting OPAL irq %d\n", rc, (int)r->start); ++ kfree(name); + continue; + } + } +-- +2.43.0 + diff --git a/queue-6.11/rdma-siw-add-sendpage_ok-check-to-disable-msg_splice.patch b/queue-6.11/rdma-siw-add-sendpage_ok-check-to-disable-msg_splice.patch new file mode 100644 index 00000000000..1356b3dfb3f --- /dev/null +++ b/queue-6.11/rdma-siw-add-sendpage_ok-check-to-disable-msg_splice.patch @@ -0,0 +1,54 @@ +From c6e0da157f9ee30c13bfa0827dd13d030dd7ad08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 18:28:36 +0530 +Subject: RDMA/siw: Add sendpage_ok() check to disable MSG_SPLICE_PAGES + +From: Showrya M N + +[ Upstream commit 4e1e3dd88a4cedd5ccc1a3fc3d71e03b70a7a791 ] + +While running ISER over SIW, the initiator machine encounters a warning +from skb_splice_from_iter() indicating that a slab page is being used in +send_page. To address this, it is better to add a sendpage_ok() check +within the driver itself, and if it returns 0, then MSG_SPLICE_PAGES flag +should be disabled before entering the network stack. + +A similar issue has been discussed for NVMe in this thread: +https://lore.kernel.org/all/20240530142417.146696-1-ofir.gal@volumez.com/ + + WARNING: CPU: 0 PID: 5342 at net/core/skbuff.c:7140 skb_splice_from_iter+0x173/0x320 + Call Trace: + tcp_sendmsg_locked+0x368/0xe40 + siw_tx_hdt+0x695/0xa40 [siw] + siw_qp_sq_process+0x102/0xb00 [siw] + siw_sq_resume+0x39/0x110 [siw] + siw_run_sq+0x74/0x160 [siw] + kthread+0xd2/0x100 + ret_from_fork+0x34/0x40 + ret_from_fork_asm+0x1a/0x30 + +Link: https://patch.msgid.link/r/20241007125835.89942-1-showrya@chelsio.com +Signed-off-by: Showrya M N +Signed-off-by: Potnuri Bharat Teja +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_qp_tx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c +index 64ad9e0895bd0..a034264c56698 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -331,6 +331,8 @@ static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset, + msg.msg_flags &= ~MSG_MORE; + + tcp_rate_check_app_limited(sk); ++ if (!sendpage_ok(page[i])) ++ msg.msg_flags &= ~MSG_SPLICE_PAGES; + bvec_set_page(&bvec, page[i], bytes, offset); + iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); + +-- +2.43.0 + diff --git a/queue-6.11/s390-ap-fix-cca-crypto-card-behavior-within-protecte.patch b/queue-6.11/s390-ap-fix-cca-crypto-card-behavior-within-protecte.patch new file mode 100644 index 00000000000..f4d664a9d34 --- /dev/null +++ b/queue-6.11/s390-ap-fix-cca-crypto-card-behavior-within-protecte.patch @@ -0,0 +1,142 @@ +From e0cc94df4d630aa22a6520b2c3fc8b7b00cf4357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2024 15:31:06 +0200 +Subject: s390/ap: Fix CCA crypto card behavior within protected execution + environment + +From: Harald Freudenberger + +[ Upstream commit 78f636e82b2288462498e235dc5a886426ce5dd7 ] + +A crypto card comes in 3 flavors: accelerator, CCA co-processor or +EP11 co-processor. Within a protected execution environment only the +accelerator and EP11 co-processor is supported. However, it is +possible to set up a KVM guest with a CCA card and run it as a +protected execution guest. There is nothing at the host side which +prevents this. Within such a guest, a CCA card is shown as "illicit" +and you can't do anything with such a crypto card. + +Regardless of the unsupported CCA card within a protected execution +guest there are a couple of user space applications which +unconditional try to run crypto requests to the zcrypt device +driver. There was a bug within the AP bus code which allowed such a +request to be forwarded to a CCA card where it is finally +rejected and the driver reacts with -ENODEV but also triggers an AP +bus scan. Together with a retry loop this caused some kind of "hang" +of the KVM guest. On startup it caused timeouts and finally led the +KVM guest startup fail. Fix that by closing the gap and make sure a +CCA card is not usable within a protected execution environment. + +Another behavior within an protected execution environment with CCA +cards was that the se_bind and se_associate AP queue sysfs attributes +where shown. The implementation unconditional always added these +attributes. Fix that by checking if the card mode is supported within +a protected execution environment and only if valid, add the attribute +group. + +Signed-off-by: Harald Freudenberger +Reviewed-by: Holger Dengler +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/ap_bus.c | 3 +-- + drivers/s390/crypto/ap_bus.h | 2 +- + drivers/s390/crypto/ap_queue.c | 28 ++++++++++++++++++++-------- + 3 files changed, 22 insertions(+), 11 deletions(-) + +diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c +index 3ba4e1c5e15df..57aefccbb8556 100644 +--- a/drivers/s390/crypto/ap_bus.c ++++ b/drivers/s390/crypto/ap_bus.c +@@ -1865,13 +1865,12 @@ static inline void ap_scan_domains(struct ap_card *ac) + } + /* if no queue device exists, create a new one */ + if (!aq) { +- aq = ap_queue_create(qid, ac->ap_dev.device_type); ++ aq = ap_queue_create(qid, ac); + if (!aq) { + AP_DBF_WARN("%s(%d,%d) ap_queue_create() failed\n", + __func__, ac->id, dom); + continue; + } +- aq->card = ac; + aq->config = !decfg; + aq->chkstop = chkstop; + aq->se_bstate = hwinfo.bs; +diff --git a/drivers/s390/crypto/ap_bus.h b/drivers/s390/crypto/ap_bus.h +index 0b275c7193196..f4622ee4d8947 100644 +--- a/drivers/s390/crypto/ap_bus.h ++++ b/drivers/s390/crypto/ap_bus.h +@@ -272,7 +272,7 @@ int ap_test_config_usage_domain(unsigned int domain); + int ap_test_config_ctrl_domain(unsigned int domain); + + void ap_queue_init_reply(struct ap_queue *aq, struct ap_message *ap_msg); +-struct ap_queue *ap_queue_create(ap_qid_t qid, int device_type); ++struct ap_queue *ap_queue_create(ap_qid_t qid, struct ap_card *ac); + void ap_queue_prepare_remove(struct ap_queue *aq); + void ap_queue_remove(struct ap_queue *aq); + void ap_queue_init_state(struct ap_queue *aq); +diff --git a/drivers/s390/crypto/ap_queue.c b/drivers/s390/crypto/ap_queue.c +index 1f647ffd6f4db..dcd1590c0f81f 100644 +--- a/drivers/s390/crypto/ap_queue.c ++++ b/drivers/s390/crypto/ap_queue.c +@@ -22,6 +22,11 @@ static void __ap_flush_queue(struct ap_queue *aq); + * some AP queue helper functions + */ + ++static inline bool ap_q_supported_in_se(struct ap_queue *aq) ++{ ++ return aq->card->hwinfo.ep11 || aq->card->hwinfo.accel; ++} ++ + static inline bool ap_q_supports_bind(struct ap_queue *aq) + { + return aq->card->hwinfo.ep11 || aq->card->hwinfo.accel; +@@ -1104,18 +1109,19 @@ static void ap_queue_device_release(struct device *dev) + kfree(aq); + } + +-struct ap_queue *ap_queue_create(ap_qid_t qid, int device_type) ++struct ap_queue *ap_queue_create(ap_qid_t qid, struct ap_card *ac) + { + struct ap_queue *aq; + + aq = kzalloc(sizeof(*aq), GFP_KERNEL); + if (!aq) + return NULL; ++ aq->card = ac; + aq->ap_dev.device.release = ap_queue_device_release; + aq->ap_dev.device.type = &ap_queue_type; +- aq->ap_dev.device_type = device_type; +- // add optional SE secure binding attributes group +- if (ap_sb_available() && is_prot_virt_guest()) ++ aq->ap_dev.device_type = ac->ap_dev.device_type; ++ /* in SE environment add bind/associate attributes group */ ++ if (ap_is_se_guest() && ap_q_supported_in_se(aq)) + aq->ap_dev.device.groups = ap_queue_dev_sb_attr_groups; + aq->qid = qid; + spin_lock_init(&aq->lock); +@@ -1196,10 +1202,16 @@ bool ap_queue_usable(struct ap_queue *aq) + } + + /* SE guest's queues additionally need to be bound */ +- if (ap_q_needs_bind(aq) && +- !(aq->se_bstate == AP_BS_Q_USABLE || +- aq->se_bstate == AP_BS_Q_USABLE_NO_SECURE_KEY)) +- rc = false; ++ if (ap_is_se_guest()) { ++ if (!ap_q_supported_in_se(aq)) { ++ rc = false; ++ goto unlock_and_out; ++ } ++ if (ap_q_needs_bind(aq) && ++ !(aq->se_bstate == AP_BS_Q_USABLE || ++ aq->se_bstate == AP_BS_Q_USABLE_NO_SECURE_KEY)) ++ rc = false; ++ } + + unlock_and_out: + spin_unlock_bh(&aq->lock); +-- +2.43.0 + diff --git a/queue-6.11/selftests-bpf-assert-link-info-uprobe_multi-count-pa.patch b/queue-6.11/selftests-bpf-assert-link-info-uprobe_multi-count-pa.patch new file mode 100644 index 00000000000..6f485383573 --- /dev/null +++ b/queue-6.11/selftests-bpf-assert-link-info-uprobe_multi-count-pa.patch @@ -0,0 +1,48 @@ +From a5bbcdc69154a3f8e0c60e3341c6d51deaaeddc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 00:08:03 +0000 +Subject: selftests/bpf: Assert link info uprobe_multi count & path_size if + unset + +From: Tyrone Wu + +[ Upstream commit b836cbdf3b81a4a22b3452186efa2e5105a77e10 ] + +Add assertions in `bpf_link_info.uprobe_multi` test to verify that +`count` and `path_size` fields are correctly populated when the fields +are unset. + +This tests a previous bug where the `path_size` field was not populated +when `path` and `path_size` were unset. + +Signed-off-by: Tyrone Wu +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20241011000803.681190-2-wudevelops@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/fill_link_info.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +index 745c5ada4c4bf..d50cbd8040d45 100644 +--- a/tools/testing/selftests/bpf/prog_tests/fill_link_info.c ++++ b/tools/testing/selftests/bpf/prog_tests/fill_link_info.c +@@ -420,6 +420,15 @@ verify_umulti_link_info(int fd, bool retprobe, __u64 *offsets, + if (!ASSERT_NEQ(err, -1, "readlink")) + return -1; + ++ memset(&info, 0, sizeof(info)); ++ err = bpf_link_get_info_by_fd(fd, &info, &len); ++ if (!ASSERT_OK(err, "bpf_link_get_info_by_fd")) ++ return -1; ++ ++ ASSERT_EQ(info.uprobe_multi.count, 3, "info.uprobe_multi.count"); ++ ASSERT_EQ(info.uprobe_multi.path_size, strlen(path) + 1, ++ "info.uprobe_multi.path_size"); ++ + for (bit = 0; bit < 8; bit++) { + memset(&info, 0, sizeof(info)); + info.uprobe_multi.path = ptr_to_u64(path_buf); +-- +2.43.0 + diff --git a/queue-6.11/selftests-bpf-verify-that-sync_linked_regs-preserves.patch b/queue-6.11/selftests-bpf-verify-that-sync_linked_regs-preserves.patch new file mode 100644 index 00000000000..36607d52704 --- /dev/null +++ b/queue-6.11/selftests-bpf-verify-that-sync_linked_regs-preserves.patch @@ -0,0 +1,105 @@ +From a1ccb43bccb641e53da2c12957c23f1d45931dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2024 14:08:44 -0700 +Subject: selftests/bpf: Verify that sync_linked_regs preserves subreg_def + +From: Eduard Zingerman + +[ Upstream commit a41b3828ec056a631ad22413d4560017fed5c3bd ] + +This test was added because of a bug in verifier.c:sync_linked_regs(), +upon range propagation it destroyed subreg_def marks for registers. +The test is written in a way to return an upper half of a register +that is affected by range propagation and must have it's subreg_def +preserved. This gives a return value of 0 and leads to undefined +return value if subreg_def mark is not preserved. + +Signed-off-by: Eduard Zingerman +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240924210844.1758441-2-eddyz87@gmail.com +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/progs/verifier_scalar_ids.c | 67 +++++++++++++++++++ + 1 file changed, 67 insertions(+) + +diff --git a/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c b/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c +index 13b29a7faa71a..d24d3a36ec144 100644 +--- a/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c ++++ b/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c +@@ -656,4 +656,71 @@ __naked void two_old_ids_one_cur_id(void) + : __clobber_all); + } + ++SEC("socket") ++/* Note the flag, see verifier.c:opt_subreg_zext_lo32_rnd_hi32() */ ++__flag(BPF_F_TEST_RND_HI32) ++__success ++/* This test was added because of a bug in verifier.c:sync_linked_regs(), ++ * upon range propagation it destroyed subreg_def marks for registers. ++ * The subreg_def mark is used to decide whether zero extension instructions ++ * are needed when register is read. When BPF_F_TEST_RND_HI32 is set it ++ * also causes generation of statements to randomize upper halves of ++ * read registers. ++ * ++ * The test is written in a way to return an upper half of a register ++ * that is affected by range propagation and must have it's subreg_def ++ * preserved. This gives a return value of 0 and leads to undefined ++ * return value if subreg_def mark is not preserved. ++ */ ++__retval(0) ++/* Check that verifier believes r1/r0 are zero at exit */ ++__log_level(2) ++__msg("4: (77) r1 >>= 32 ; R1_w=0") ++__msg("5: (bf) r0 = r1 ; R0_w=0 R1_w=0") ++__msg("6: (95) exit") ++__msg("from 3 to 4") ++__msg("4: (77) r1 >>= 32 ; R1_w=0") ++__msg("5: (bf) r0 = r1 ; R0_w=0 R1_w=0") ++__msg("6: (95) exit") ++/* Verify that statements to randomize upper half of r1 had not been ++ * generated. ++ */ ++__xlated("call unknown") ++__xlated("r0 &= 2147483647") ++__xlated("w1 = w0") ++/* This is how disasm.c prints BPF_ZEXT_REG at the moment, x86 and arm ++ * are the only CI archs that do not need zero extension for subregs. ++ */ ++#if !defined(__TARGET_ARCH_x86) && !defined(__TARGET_ARCH_arm64) ++__xlated("w1 = w1") ++#endif ++__xlated("if w0 < 0xa goto pc+0") ++__xlated("r1 >>= 32") ++__xlated("r0 = r1") ++__xlated("exit") ++__naked void linked_regs_and_subreg_def(void) ++{ ++ asm volatile ( ++ "call %[bpf_ktime_get_ns];" ++ /* make sure r0 is in 32-bit range, otherwise w1 = w0 won't ++ * assign same IDs to registers. ++ */ ++ "r0 &= 0x7fffffff;" ++ /* link w1 and w0 via ID */ ++ "w1 = w0;" ++ /* 'if' statement propagates range info from w0 to w1, ++ * but should not affect w1->subreg_def property. ++ */ ++ "if w0 < 10 goto +0;" ++ /* r1 is read here, on archs that require subreg zero ++ * extension this would cause zext patch generation. ++ */ ++ "r1 >>= 32;" ++ "r0 = r1;" ++ "exit;" ++ : ++ : __imm(bpf_ktime_get_ns) ++ : __clobber_all); ++} ++ + char _license[] SEC("license") = "GPL"; +-- +2.43.0 + diff --git a/queue-6.11/series b/queue-6.11/series new file mode 100644 index 00000000000..321ccaca879 --- /dev/null +++ b/queue-6.11/series @@ -0,0 +1,32 @@ +smb-client-fix-use-after-free-of-network-namespace.patch +nvme-host-fix-rcu-list-traversal-to-use-srcu-primiti.patch +9p-v9fs_fid_find-also-lookup-by-inode-if-not-found-d.patch +9p-avoid-creating-multiple-slab-caches-with-the-same.patch +selftests-bpf-verify-that-sync_linked_regs-preserves.patch +nvmet-passthru-clear-euid-nguid-uuid-while-using-loo.patch +irqchip-ocelot-fix-trigger-register-address.patch +pinctrl-aw9523-add-missing-mutex_destroy.patch +pinctrl-intel-platform-add-panther-lake-to-the-list-.patch +nvme-tcp-avoid-race-between-queue_lock-lock-and-dest.patch +block-fix-elevator_get_default-checking-for-null-q-t.patch +hid-multitouch-add-support-for-b2402fva-track-point.patch +hid-multitouch-add-quirk-for-honor-magicbook-art-14-.patch +iommu-arm-smmu-clarify-mmu-500-cpre-workaround.patch +nvme-disable-cc.crime-nvme_cc_crime.patch +bpf-use-kvzmalloc-to-allocate-bpf-verifier-environme.patch +crypto-api-fix-liveliness-check-in-crypto_alg_tested.patch +crypto-marvell-cesa-disable-hash-algorithms.patch +s390-ap-fix-cca-crypto-card-behavior-within-protecte.patch +sound-make-config_snd-depend-on-indirect_iomem-inste.patch +drm-vmwgfx-limit-display-layout-ioctl-array-size-to-.patch +selftests-bpf-assert-link-info-uprobe_multi-count-pa.patch +rdma-siw-add-sendpage_ok-check-to-disable-msg_splice.patch +alsa-hda-tas2781-add-new-quirk-for-lenovo-asus-dell-.patch +kasan-disable-software-tag-based-kasan-with-gcc.patch +nvme-multipath-defer-partition-scanning.patch +drm-amdkfd-accounting-pdd-vram_usage-for-svm.patch +powerpc-powernv-free-name-on-error-in-opal_event_ini.patch +net-phy-mdio-bcm-unimac-add-bcm6846-support.patch +drm-xe-query-increase-timestamp-width.patch +nvme-loop-flush-off-pending-i-o-while-shutting-down-.patch +nvme-make-keep-alive-synchronous-operation.patch diff --git a/queue-6.11/smb-client-fix-use-after-free-of-network-namespace.patch b/queue-6.11/smb-client-fix-use-after-free-of-network-namespace.patch new file mode 100644 index 00000000000..5f754466c16 --- /dev/null +++ b/queue-6.11/smb-client-fix-use-after-free-of-network-namespace.patch @@ -0,0 +1,205 @@ +From 1db81b84aae422168d47e4024b17c0d86200f76e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Nov 2024 14:24:38 -0700 +Subject: smb: client: Fix use-after-free of network namespace. + +From: Kuniyuki Iwashima + +[ Upstream commit ef7134c7fc48e1441b398e55a862232868a6f0a7 ] + +Recently, we got a customer report that CIFS triggers oops while +reconnecting to a server. [0] + +The workload runs on Kubernetes, and some pods mount CIFS servers +in non-root network namespaces. The problem rarely happened, but +it was always while the pod was dying. + +The root cause is wrong reference counting for network namespace. + +CIFS uses kernel sockets, which do not hold refcnt of the netns that +the socket belongs to. That means CIFS must ensure the socket is +always freed before its netns; otherwise, use-after-free happens. + +The repro steps are roughly: + + 1. mount CIFS in a non-root netns + 2. drop packets from the netns + 3. destroy the netns + 4. unmount CIFS + +We can reproduce the issue quickly with the script [1] below and see +the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled. + +When the socket is TCP, it is hard to guarantee the netns lifetime +without holding refcnt due to async timers. + +Let's hold netns refcnt for each socket as done for SMC in commit +9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler()."). + +Note that we need to move put_net() from cifs_put_tcp_session() to +clean_demultiplex_info(); otherwise, __sock_create() still could touch a +freed netns while cifsd tries to reconnect from cifs_demultiplex_thread(). + +Also, maybe_get_net() cannot be put just before __sock_create() because +the code is not under RCU and there is a small chance that the same +address happened to be reallocated to another netns. + +[0]: +CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... +CIFS: Serverclose failed 4 times, giving up +Unable to handle kernel paging request at virtual address 14de99e461f84a07 +Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault +Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 +[14de99e461f84a07] address between user and kernel address ranges +Internal error: Oops: 0000000096000004 [#1] SMP +Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs +CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 +Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 +pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : fib_rules_lookup+0x44/0x238 +lr : __fib_lookup+0x64/0xbc +sp : ffff8000265db790 +x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 +x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 +x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 +x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 +x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 +x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 +x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 +x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 +Call trace: + fib_rules_lookup+0x44/0x238 + __fib_lookup+0x64/0xbc + ip_route_output_key_hash_rcu+0x2c4/0x398 + ip_route_output_key_hash+0x60/0x8c + tcp_v4_connect+0x290/0x488 + __inet_stream_connect+0x108/0x3d0 + inet_stream_connect+0x50/0x78 + kernel_connect+0x6c/0xac + generic_ip_connect+0x10c/0x6c8 [cifs] + __reconnect_target_unlocked+0xa0/0x214 [cifs] + reconnect_dfs_server+0x144/0x460 [cifs] + cifs_reconnect+0x88/0x148 [cifs] + cifs_readv_from_socket+0x230/0x430 [cifs] + cifs_read_from_socket+0x74/0xa8 [cifs] + cifs_demultiplex_thread+0xf8/0x704 [cifs] + kthread+0xd0/0xd4 +Code: aa0003f8 f8480f13 eb18027f 540006c0 (b9401264) + +[1]: +CIFS_CRED="/root/cred.cifs" +CIFS_USER="Administrator" +CIFS_PASS="Password" +CIFS_IP="X.X.X.X" +CIFS_PATH="//${CIFS_IP}/Users/Administrator/Desktop/CIFS_TEST" +CIFS_MNT="/mnt/smb" +DEV="enp0s3" + +cat < ${CIFS_CRED} +username=${CIFS_USER} +password=${CIFS_PASS} +domain=EXAMPLE.COM +EOF + +unshare -n bash -c " +mkdir -p ${CIFS_MNT} +ip netns attach root 1 +ip link add eth0 type veth peer veth0 netns root +ip link set eth0 up +ip -n root link set veth0 up +ip addr add 192.168.0.2/24 dev eth0 +ip -n root addr add 192.168.0.1/24 dev veth0 +ip route add default via 192.168.0.1 dev eth0 +ip netns exec root sysctl net.ipv4.ip_forward=1 +ip netns exec root iptables -t nat -A POSTROUTING -s 192.168.0.2 -o ${DEV} -j MASQUERADE +mount -t cifs ${CIFS_PATH} ${CIFS_MNT} -o vers=3.0,sec=ntlmssp,credentials=${CIFS_CRED},rsize=65536,wsize=65536,cache=none,echo_interval=1 +touch ${CIFS_MNT}/a.txt +ip netns exec root iptables -t nat -D POSTROUTING -s 192.168.0.2 -o ${DEV} -j MASQUERADE +" + +umount ${CIFS_MNT} + +[2]: +ref_tracker: net notrefcnt@000000004bbc008d has 1/1 users at + sk_alloc (./include/net/net_namespace.h:339 net/core/sock.c:2227) + inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) + __sock_create (net/socket.c:1576) + generic_ip_connect (fs/smb/client/connect.c:3075) + cifs_get_tcp_session.part.0 (fs/smb/client/connect.c:3160 fs/smb/client/connect.c:1798) + cifs_mount_get_session (fs/smb/client/trace.h:959 fs/smb/client/connect.c:3366) + dfs_mount_share (fs/smb/client/dfs.c:63 fs/smb/client/dfs.c:285) + cifs_mount (fs/smb/client/connect.c:3622) + cifs_smb3_do_mount (fs/smb/client/cifsfs.c:949) + smb3_get_tree (fs/smb/client/fs_context.c:784 fs/smb/client/fs_context.c:802 fs/smb/client/fs_context.c:794) + vfs_get_tree (fs/super.c:1800) + path_mount (fs/namespace.c:3508 fs/namespace.c:3834) + __x64_sys_mount (fs/namespace.c:3848 fs/namespace.c:4057 fs/namespace.c:4034 fs/namespace.c:4034) + do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Tom Talpey +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/connect.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index 5375b0c1dfb99..9af28ed4cca46 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -1054,6 +1054,7 @@ clean_demultiplex_info(struct TCP_Server_Info *server) + */ + } + ++ put_net(cifs_net_ns(server)); + kfree(server->leaf_fullpath); + kfree(server); + +@@ -1649,8 +1650,6 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect) + /* srv_count can never go negative */ + WARN_ON(server->srv_count < 0); + +- put_net(cifs_net_ns(server)); +- + list_del_init(&server->tcp_ses_list); + spin_unlock(&cifs_tcp_ses_lock); + +@@ -3077,13 +3076,22 @@ generic_ip_connect(struct TCP_Server_Info *server) + if (server->ssocket) { + socket = server->ssocket; + } else { +- rc = __sock_create(cifs_net_ns(server), sfamily, SOCK_STREAM, ++ struct net *net = cifs_net_ns(server); ++ struct sock *sk; ++ ++ rc = __sock_create(net, sfamily, SOCK_STREAM, + IPPROTO_TCP, &server->ssocket, 1); + if (rc < 0) { + cifs_server_dbg(VFS, "Error %d creating socket\n", rc); + return rc; + } + ++ sk = server->ssocket->sk; ++ __netns_tracker_free(net, &sk->ns_tracker, false); ++ sk->sk_net_refcnt = 1; ++ get_net_track(net, &sk->ns_tracker, GFP_KERNEL); ++ sock_inuse_add(net, 1); ++ + /* BB other socket options to set KEEPALIVE, NODELAY? */ + cifs_dbg(FYI, "Socket created\n"); + socket = server->ssocket; +-- +2.43.0 + diff --git a/queue-6.11/sound-make-config_snd-depend-on-indirect_iomem-inste.patch b/queue-6.11/sound-make-config_snd-depend-on-indirect_iomem-inste.patch new file mode 100644 index 00000000000..1953010faeb --- /dev/null +++ b/queue-6.11/sound-make-config_snd-depend-on-indirect_iomem-inste.patch @@ -0,0 +1,40 @@ +From 48e58e52d9078c9670c31ec5d13932f3a30d615d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2024 14:46:01 +0200 +Subject: sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML + +From: Julian Vetter + +[ Upstream commit ad6639f143a0b42d7fb110ad14f5949f7c218890 ] + +When building for the UM arch and neither INDIRECT_IOMEM=y, nor +HAS_IOMEM=y is selected, it will fall back to the implementations from +asm-generic/io.h for IO memcpy. But these fall-back functions just do a +memcpy. So, instead of depending on UML, add dependency on 'HAS_IOMEM || +INDIRECT_IOMEM'. + +Reviewed-by: Yann Sionneau +Signed-off-by: Julian Vetter +Link: https://patch.msgid.link/20241010124601.700528-1-jvetter@kalrayinc.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/Kconfig b/sound/Kconfig +index 4c036a9a420ab..8b40205394fe0 100644 +--- a/sound/Kconfig ++++ b/sound/Kconfig +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + menuconfig SOUND + tristate "Sound card support" +- depends on HAS_IOMEM || UML ++ depends on HAS_IOMEM || INDIRECT_IOMEM + help + If you have a sound card in your computer, i.e. if it can say more + than an occasional beep, say Y. +-- +2.43.0 +