From: Greg Kroah-Hartman Date: Mon, 7 Oct 2024 15:26:00 +0000 (+0200) Subject: 6.11-stable patches X-Git-Tag: v6.6.55~91 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d78077769fb0080a05dbd9a00595ba8d7c0579c9;p=thirdparty%2Fkernel%2Fstable-queue.git 6.11-stable patches added patches: drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch drm-rockchip-vop-clear-dma-stop-bit-on-rk3066.patch jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch lib-buildid-harden-build-id-parsing-logic.patch mm-krealloc-consider-spare-memory-for-__gfp_zero.patch ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch ocfs2-fix-uninit-value-in-ocfs2_get_block.patch ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch of-address-report-error-on-resource-bounds-overflow.patch of-irq-support-msi-cells-0-in-of_msi_get_domain.patch parisc-allow-mmap-map_stack-memory-to-automatically-expand-upwards.patch parisc-fix-64-bit-userspace-syscall-path.patch parisc-fix-stack-start-for-addr_no_randomize-personality.patch resource-fix-region_intersects-vs-add_memory_driver_managed.patch scripts-gdb-add-iteration-function-for-rbtree.patch scripts-gdb-fix-lx-mounts-command-error.patch scripts-gdb-fix-timerlist-parsing-issue.patch --- diff --git a/queue-6.11/drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch b/queue-6.11/drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch new file mode 100644 index 00000000000..1415528e336 --- /dev/null +++ b/queue-6.11/drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch @@ -0,0 +1,43 @@ +From e794b7b9b92977365c693760a259f8eef940c536 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 8 Aug 2024 14:13:36 +0800 +Subject: drm: omapdrm: Add missing check for alloc_ordered_workqueue + +From: Ma Ke + +commit e794b7b9b92977365c693760a259f8eef940c536 upstream. + +As it may return NULL pointer and cause NULL pointer dereference. Add check +for the return value of alloc_ordered_workqueue. + +Cc: stable@vger.kernel.org +Fixes: 2f95bc6d324a ("drm: omapdrm: Perform initialization/cleanup at probe/remove time") +Signed-off-by: Ma Ke +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20240808061336.2796729-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/omapdrm/omap_drv.c ++++ b/drivers/gpu/drm/omapdrm/omap_drv.c +@@ -695,6 +695,10 @@ static int omapdrm_init(struct omap_drm_ + soc = soc_device_match(omapdrm_soc_devices); + priv->omaprev = soc ? (uintptr_t)soc->data : 0; + priv->wq = alloc_ordered_workqueue("omapdrm", 0); ++ if (!priv->wq) { ++ ret = -ENOMEM; ++ goto err_alloc_workqueue; ++ } + + mutex_init(&priv->list_lock); + INIT_LIST_HEAD(&priv->obj_list); +@@ -753,6 +757,7 @@ err_gem_deinit: + drm_mode_config_cleanup(ddev); + omap_gem_deinit(ddev); + destroy_workqueue(priv->wq); ++err_alloc_workqueue: + omap_disconnect_pipelines(ddev); + drm_dev_put(ddev); + return ret; diff --git a/queue-6.11/drm-rockchip-vop-clear-dma-stop-bit-on-rk3066.patch b/queue-6.11/drm-rockchip-vop-clear-dma-stop-bit-on-rk3066.patch new file mode 100644 index 00000000000..d4478175c65 --- /dev/null +++ b/queue-6.11/drm-rockchip-vop-clear-dma-stop-bit-on-rk3066.patch @@ -0,0 +1,66 @@ +From 6b44aa559d6c7f4ea591ef9d2352a7250138d62a Mon Sep 17 00:00:00 2001 +From: Val Packett +Date: Mon, 24 Jun 2024 17:40:48 -0300 +Subject: drm/rockchip: vop: clear DMA stop bit on RK3066 + +From: Val Packett + +commit 6b44aa559d6c7f4ea591ef9d2352a7250138d62a upstream. + +The RK3066 VOP sets a dma_stop bit when it's done scanning out a frame +and needs the driver to acknowledge that by clearing the bit. + +Unless we clear it "between" frames, the RGB output only shows noise +instead of the picture. atomic_flush is the place for it that least +affects other code (doing it on vblank would require converting all +other usages of the reg_lock to spin_(un)lock_irq, which would affect +performance for everyone). + +This seems to be a redundant synchronization mechanism that was removed +in later iterations of the VOP hardware block. + +Fixes: f4a6de855eae ("drm: rockchip: vop: add rk3066 vop definitions") +Cc: stable@vger.kernel.org +Signed-off-by: Val Packett +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20240624204054.5524-2-val@packett.cool +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++++ + drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 + + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 1 + + 3 files changed, 6 insertions(+) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -1583,6 +1583,10 @@ static void vop_crtc_atomic_flush(struct + VOP_AFBC_SET(vop, enable, s->enable_afbc); + vop_cfg_done(vop); + ++ /* Ack the DMA transfer of the previous frame (RK3066). */ ++ if (VOP_HAS_REG(vop, common, dma_stop)) ++ VOP_REG_SET(vop, common, dma_stop, 0); ++ + spin_unlock(&vop->reg_lock); + + /* +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.h ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.h +@@ -122,6 +122,7 @@ struct vop_common { + struct vop_reg lut_buffer_index; + struct vop_reg gate_en; + struct vop_reg mmu_en; ++ struct vop_reg dma_stop; + struct vop_reg out_mode; + struct vop_reg standby; + }; +--- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c ++++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +@@ -466,6 +466,7 @@ static const struct vop_output rk3066_ou + }; + + static const struct vop_common rk3066_common = { ++ .dma_stop = VOP_REG(RK3066_SYS_CTRL0, 0x1, 0), + .standby = VOP_REG(RK3066_SYS_CTRL0, 0x1, 1), + .out_mode = VOP_REG(RK3066_DSP_CTRL0, 0xf, 0), + .cfg_done = VOP_REG(RK3066_REG_CFG_DONE, 0x1, 0), diff --git a/queue-6.11/jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch b/queue-6.11/jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch new file mode 100644 index 00000000000..a3b35693b7d --- /dev/null +++ b/queue-6.11/jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch @@ -0,0 +1,33 @@ +From f0e3c14802515f60a47e6ef347ea59c2733402aa Mon Sep 17 00:00:00 2001 +From: Kemeng Shi +Date: Thu, 1 Aug 2024 09:38:08 +0800 +Subject: jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit + +From: Kemeng Shi + +commit f0e3c14802515f60a47e6ef347ea59c2733402aa upstream. + +Use tid_geq to compare tids to work over sequence number wraps. + +Signed-off-by: Kemeng Shi +Reviewed-by: Jan Kara +Reviewed-by: Zhang Yi +Cc: stable@kernel.org +Link: https://patch.msgid.link/20240801013815.2393869-2-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/journal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -710,7 +710,7 @@ int jbd2_fc_begin_commit(journal_t *jour + return -EINVAL; + + write_lock(&journal->j_state_lock); +- if (tid <= journal->j_commit_sequence) { ++ if (tid_geq(journal->j_commit_sequence, tid)) { + write_unlock(&journal->j_state_lock); + return -EALREADY; + } diff --git a/queue-6.11/jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch b/queue-6.11/jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch new file mode 100644 index 00000000000..7606949f36f --- /dev/null +++ b/queue-6.11/jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch @@ -0,0 +1,69 @@ +From f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 18 Jul 2024 19:53:36 +0800 +Subject: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error + +From: Baokun Li + +commit f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a upstream. + +In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail() +to recover some journal space. But if an error occurs while executing +jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free +space right away, we try other branches, and if j_committing_transaction +is NULL (i.e., the tid is 0), we will get the following complain: + +============================================ +JBD2: I/O error when updating journal superblock for sdd-8. +__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available +__jbd2_log_wait_for_space: no way to get more journal space in sdd-8 +------------[ cut here ]------------ +WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0 +Modules linked in: +CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1 +RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0 +Call Trace: + + add_transaction_credits+0x5d1/0x5e0 + start_this_handle+0x1ef/0x6a0 + jbd2__journal_start+0x18b/0x340 + ext4_dirty_inode+0x5d/0xb0 + __mark_inode_dirty+0xe4/0x5d0 + generic_update_time+0x60/0x70 +[...] +============================================ + +So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to +clean up at the moment, continue to try to reclaim free space in other ways. + +Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt +when updating journal superblock fails") to make jbd2_cleanup_journal_tail +return the correct error code. + +Fixes: 8c3f25d8950c ("jbd2: don't give up looking for space so easily in __jbd2_log_wait_for_space") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20240718115336.2554501-1-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/checkpoint.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -89,8 +89,11 @@ __releases(&journal->j_state_lock) + write_unlock(&journal->j_state_lock); + if (chkpt) { + jbd2_log_do_checkpoint(journal); +- } else if (jbd2_cleanup_journal_tail(journal) == 0) { +- /* We were able to recover space; yay! */ ++ } else if (jbd2_cleanup_journal_tail(journal) <= 0) { ++ /* ++ * We were able to recover space or the ++ * journal was aborted due to an error. ++ */ + ; + } else if (has_transaction) { + /* diff --git a/queue-6.11/lib-buildid-harden-build-id-parsing-logic.patch b/queue-6.11/lib-buildid-harden-build-id-parsing-logic.patch new file mode 100644 index 00000000000..eab8c076345 --- /dev/null +++ b/queue-6.11/lib-buildid-harden-build-id-parsing-logic.patch @@ -0,0 +1,172 @@ +From 905415ff3ffb1d7e5afa62bacabd79776bd24606 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Thu, 29 Aug 2024 10:42:23 -0700 +Subject: lib/buildid: harden build ID parsing logic + +From: Andrii Nakryiko + +commit 905415ff3ffb1d7e5afa62bacabd79776bd24606 upstream. + +Harden build ID parsing logic, adding explicit READ_ONCE() where it's +important to have a consistent value read and validated just once. + +Also, as pointed out by Andi Kleen, we need to make sure that entire ELF +note is within a page bounds, so move the overflow check up and add an +extra note_size boundaries validation. + +Fixes tag below points to the code that moved this code into +lib/buildid.c, and then subsequently was used in perf subsystem, making +this code exposed to perf_event_open() users in v5.12+. + +Cc: stable@vger.kernel.org +Reviewed-by: Eduard Zingerman +Reviewed-by: Jann Horn +Suggested-by: Andi Kleen +Fixes: bd7525dacd7e ("bpf: Move stack_map_get_build_id into lib") +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20240829174232.3133883-2-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + lib/buildid.c | 76 +++++++++++++++++++++++++++++++++------------------------- + 1 file changed, 44 insertions(+), 32 deletions(-) + +--- a/lib/buildid.c ++++ b/lib/buildid.c +@@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned c + const void *note_start, + Elf32_Word note_size) + { +- Elf32_Word note_offs = 0, new_offs; +- +- while (note_offs + sizeof(Elf32_Nhdr) < note_size) { +- Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_offs); ++ const char note_name[] = "GNU"; ++ const size_t note_name_sz = sizeof(note_name); ++ u64 note_off = 0, new_off, name_sz, desc_sz; ++ const char *data; ++ ++ while (note_off + sizeof(Elf32_Nhdr) < note_size && ++ note_off + sizeof(Elf32_Nhdr) > note_off /* overflow */) { ++ Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_off); ++ ++ name_sz = READ_ONCE(nhdr->n_namesz); ++ desc_sz = READ_ONCE(nhdr->n_descsz); ++ ++ new_off = note_off + sizeof(Elf32_Nhdr); ++ if (check_add_overflow(new_off, ALIGN(name_sz, 4), &new_off) || ++ check_add_overflow(new_off, ALIGN(desc_sz, 4), &new_off) || ++ new_off > note_size) ++ break; + + if (nhdr->n_type == BUILD_ID && +- nhdr->n_namesz == sizeof("GNU") && +- !strcmp((char *)(nhdr + 1), "GNU") && +- nhdr->n_descsz > 0 && +- nhdr->n_descsz <= BUILD_ID_SIZE_MAX) { +- memcpy(build_id, +- note_start + note_offs + +- ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr), +- nhdr->n_descsz); +- memset(build_id + nhdr->n_descsz, 0, +- BUILD_ID_SIZE_MAX - nhdr->n_descsz); ++ name_sz == note_name_sz && ++ memcmp(nhdr + 1, note_name, note_name_sz) == 0 && ++ desc_sz > 0 && desc_sz <= BUILD_ID_SIZE_MAX) { ++ data = note_start + note_off + ALIGN(note_name_sz, 4); ++ memcpy(build_id, data, desc_sz); ++ memset(build_id + desc_sz, 0, BUILD_ID_SIZE_MAX - desc_sz); + if (size) +- *size = nhdr->n_descsz; ++ *size = desc_sz; + return 0; + } +- new_offs = note_offs + sizeof(Elf32_Nhdr) + +- ALIGN(nhdr->n_namesz, 4) + ALIGN(nhdr->n_descsz, 4); +- if (new_offs <= note_offs) /* overflow */ +- break; +- note_offs = new_offs; ++ ++ note_off = new_off; + } + + return -EINVAL; +@@ -71,7 +77,7 @@ static int get_build_id_32(const void *p + { + Elf32_Ehdr *ehdr = (Elf32_Ehdr *)page_addr; + Elf32_Phdr *phdr; +- int i; ++ __u32 i, phnum; + + /* + * FIXME +@@ -80,18 +86,19 @@ static int get_build_id_32(const void *p + */ + if (ehdr->e_phoff != sizeof(Elf32_Ehdr)) + return -EINVAL; ++ ++ phnum = READ_ONCE(ehdr->e_phnum); + /* only supports phdr that fits in one page */ +- if (ehdr->e_phnum > +- (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) ++ if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) + return -EINVAL; + + phdr = (Elf32_Phdr *)(page_addr + sizeof(Elf32_Ehdr)); + +- for (i = 0; i < ehdr->e_phnum; ++i) { ++ for (i = 0; i < phnum; ++i) { + if (phdr[i].p_type == PT_NOTE && + !parse_build_id(page_addr, build_id, size, +- page_addr + phdr[i].p_offset, +- phdr[i].p_filesz)) ++ page_addr + READ_ONCE(phdr[i].p_offset), ++ READ_ONCE(phdr[i].p_filesz))) + return 0; + } + return -EINVAL; +@@ -103,7 +110,7 @@ static int get_build_id_64(const void *p + { + Elf64_Ehdr *ehdr = (Elf64_Ehdr *)page_addr; + Elf64_Phdr *phdr; +- int i; ++ __u32 i, phnum; + + /* + * FIXME +@@ -112,18 +119,19 @@ static int get_build_id_64(const void *p + */ + if (ehdr->e_phoff != sizeof(Elf64_Ehdr)) + return -EINVAL; ++ ++ phnum = READ_ONCE(ehdr->e_phnum); + /* only supports phdr that fits in one page */ +- if (ehdr->e_phnum > +- (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) ++ if (phnum > (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) + return -EINVAL; + + phdr = (Elf64_Phdr *)(page_addr + sizeof(Elf64_Ehdr)); + +- for (i = 0; i < ehdr->e_phnum; ++i) { ++ for (i = 0; i < phnum; ++i) { + if (phdr[i].p_type == PT_NOTE && + !parse_build_id(page_addr, build_id, size, +- page_addr + phdr[i].p_offset, +- phdr[i].p_filesz)) ++ page_addr + READ_ONCE(phdr[i].p_offset), ++ READ_ONCE(phdr[i].p_filesz))) + return 0; + } + return -EINVAL; +@@ -152,6 +160,10 @@ int build_id_parse(struct vm_area_struct + page = find_get_page(vma->vm_file->f_mapping, 0); + if (!page) + return -EFAULT; /* page not mapped */ ++ if (!PageUptodate(page)) { ++ put_page(page); ++ return -EFAULT; ++ } + + ret = -EINVAL; + page_addr = kmap_local_page(page); diff --git a/queue-6.11/mm-krealloc-consider-spare-memory-for-__gfp_zero.patch b/queue-6.11/mm-krealloc-consider-spare-memory-for-__gfp_zero.patch new file mode 100644 index 00000000000..ad4135b04b5 --- /dev/null +++ b/queue-6.11/mm-krealloc-consider-spare-memory-for-__gfp_zero.patch @@ -0,0 +1,63 @@ +From 1a83a716ec233990e1fd5b6fbb1200ade63bf450 Mon Sep 17 00:00:00 2001 +From: Danilo Krummrich +Date: Tue, 13 Aug 2024 00:34:34 +0200 +Subject: mm: krealloc: consider spare memory for __GFP_ZERO + +From: Danilo Krummrich + +commit 1a83a716ec233990e1fd5b6fbb1200ade63bf450 upstream. + +As long as krealloc() is called with __GFP_ZERO consistently, starting +with the initial memory allocation, __GFP_ZERO should be fully honored. + +However, if for an existing allocation krealloc() is called with a +decreased size, it is not ensured that the spare portion the allocation is +zeroed. Thus, if krealloc() is subsequently called with a larger size +again, __GFP_ZERO can't be fully honored, since we don't know the previous +size, but only the bucket size. + +Example: + + buf = kzalloc(64, GFP_KERNEL); + memset(buf, 0xff, 64); + + buf = krealloc(buf, 48, GFP_KERNEL | __GFP_ZERO); + + /* After this call the last 16 bytes are still 0xff. */ + buf = krealloc(buf, 64, GFP_KERNEL | __GFP_ZERO); + +Fix this, by explicitly setting spare memory to zero, when shrinking an +allocation with __GFP_ZERO flag set or init_on_alloc enabled. + +Link: https://lkml.kernel.org/r/20240812223707.32049-1-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Acked-by: Vlastimil Babka +Acked-by: David Rientjes +Cc: Christoph Lameter +Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Cc: Joonsoo Kim +Cc: Pekka Enberg +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab_common.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -1273,6 +1273,13 @@ __do_krealloc(const void *p, size_t new_ + + /* If the object still fits, repoison it precisely. */ + if (ks >= new_size) { ++ /* Zero out spare memory. */ ++ if (want_init_on_alloc(flags)) { ++ kasan_disable_current(); ++ memset((void *)p + new_size, 0, ks - new_size); ++ kasan_enable_current(); ++ } ++ + p = kasan_krealloc((void *)p, new_size, flags); + return (void *)p; + } diff --git a/queue-6.11/ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch b/queue-6.11/ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch new file mode 100644 index 00000000000..4f5c18b8ed3 --- /dev/null +++ b/queue-6.11/ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch @@ -0,0 +1,80 @@ +From 35fccce29feb3706f649726d410122dd81b92c18 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Wed, 4 Sep 2024 15:10:03 +0800 +Subject: ocfs2: cancel dqi_sync_work before freeing oinfo + +From: Joseph Qi + +commit 35fccce29feb3706f649726d410122dd81b92c18 upstream. + +ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the +end, if error occurs after successfully reading global quota, it will +trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: + +ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c + +This reports that there is an active delayed work when freeing oinfo in +error handling, so cancel dqi_sync_work first. BTW, return status instead +of -1 when .read_file_info fails. + +Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd +Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.com +Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Reported-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com +Tested-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/quota_local.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/quota_local.c ++++ b/fs/ocfs2/quota_local.c +@@ -692,7 +692,7 @@ static int ocfs2_local_read_info(struct + int status; + struct buffer_head *bh = NULL; + struct ocfs2_quota_recovery *rec; +- int locked = 0; ++ int locked = 0, global_read = 0; + + info->dqi_max_spc_limit = 0x7fffffffffffffffLL; + info->dqi_max_ino_limit = 0x7fffffffffffffffLL; +@@ -700,6 +700,7 @@ static int ocfs2_local_read_info(struct + if (!oinfo) { + mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota" + " info."); ++ status = -ENOMEM; + goto out_err; + } + info->dqi_priv = oinfo; +@@ -712,6 +713,7 @@ static int ocfs2_local_read_info(struct + status = ocfs2_global_read_info(sb, type); + if (status < 0) + goto out_err; ++ global_read = 1; + + status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1); + if (status < 0) { +@@ -782,10 +784,12 @@ out_err: + if (locked) + ocfs2_inode_unlock(lqinode, 1); + ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk); ++ if (global_read) ++ cancel_delayed_work_sync(&oinfo->dqi_sync_work); + kfree(oinfo); + } + brelse(bh); +- return -1; ++ return status; + } + + /* Write local info to quota file */ diff --git a/queue-6.11/ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch b/queue-6.11/ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch new file mode 100644 index 00000000000..e7153c25583 --- /dev/null +++ b/queue-6.11/ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch @@ -0,0 +1,65 @@ +From 5784d9fcfd43bd853654bb80c87ef293b9e8e80a Mon Sep 17 00:00:00 2001 +From: Julian Sun +Date: Mon, 2 Sep 2024 11:08:44 +0800 +Subject: ocfs2: fix null-ptr-deref when journal load failed. + +From: Julian Sun + +commit 5784d9fcfd43bd853654bb80c87ef293b9e8e80a upstream. + +During the mounting process, if journal_reset() fails because of too short +journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. +Subsequently, ocfs2_journal_shutdown() calls +jbd2_journal_flush()->jbd2_cleanup_journal_tail()-> +__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail() +->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer +dereference error. + +To resolve this issue, we should check the JBD2_LOADED flag to ensure the +journal was properly loaded. Additionally, use journal instead of +osb->journal directly to simplify the code. + +Link: https://syzkaller.appspot.com/bug?extid=05b9b39d8bdfe1a0861f +Link: https://lkml.kernel.org/r/20240902030844.422725-1-sunjunchao2870@gmail.com +Fixes: f6f50e28f0cb ("jbd2: Fail to load a journal if it is too short") +Signed-off-by: Julian Sun +Reported-by: syzbot+05b9b39d8bdfe1a0861f@syzkaller.appspotmail.com +Suggested-by: Joseph Qi +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -1055,7 +1055,7 @@ void ocfs2_journal_shutdown(struct ocfs2 + if (!igrab(inode)) + BUG(); + +- num_running_trans = atomic_read(&(osb->journal->j_num_trans)); ++ num_running_trans = atomic_read(&(journal->j_num_trans)); + trace_ocfs2_journal_shutdown(num_running_trans); + + /* Do a commit_cache here. It will flush our journal, *and* +@@ -1074,9 +1074,10 @@ void ocfs2_journal_shutdown(struct ocfs2 + osb->commit_task = NULL; + } + +- BUG_ON(atomic_read(&(osb->journal->j_num_trans)) != 0); ++ BUG_ON(atomic_read(&(journal->j_num_trans)) != 0); + +- if (ocfs2_mount_local(osb)) { ++ if (ocfs2_mount_local(osb) && ++ (journal->j_journal->j_flags & JBD2_LOADED)) { + jbd2_journal_lock_updates(journal->j_journal); + status = jbd2_journal_flush(journal->j_journal, 0); + jbd2_journal_unlock_updates(journal->j_journal); diff --git a/queue-6.11/ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch b/queue-6.11/ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch new file mode 100644 index 00000000000..d7be117350f --- /dev/null +++ b/queue-6.11/ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch @@ -0,0 +1,45 @@ +From 33b525cef4cff49e216e4133cc48452e11c0391e Mon Sep 17 00:00:00 2001 +From: Lizhi Xu +Date: Mon, 2 Sep 2024 10:36:36 +0800 +Subject: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate + +From: Lizhi Xu + +commit 33b525cef4cff49e216e4133cc48452e11c0391e upstream. + +When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger +NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if +bh is NULL. + +Link: https://lkml.kernel.org/r/20240902023636.1843422-3-joseph.qi@linux.alibaba.com +Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside") +Signed-off-by: Lizhi Xu +Signed-off-by: Joseph Qi +Reviewed-by: Joseph Qi +Reported-by: Heming Zhao +Suggested-by: Heming Zhao +Cc: [4.20+] +Cc: Changwei Ge +Cc: Gang He +Cc: Joel Becker +Cc: Jun Piao +Cc: Junxiao Bi +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/buffer_head_io.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ocfs2/buffer_head_io.c ++++ b/fs/ocfs2/buffer_head_io.c +@@ -388,7 +388,8 @@ read_failure: + /* Always set the buffer in the cache, even if it was + * a forced read, or read-ahead which hasn't yet + * completed. */ +- ocfs2_set_buffer_uptodate(ci, bh); ++ if (bh) ++ ocfs2_set_buffer_uptodate(ci, bh); + } + ocfs2_metadata_cache_io_unlock(ci); + diff --git a/queue-6.11/ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch b/queue-6.11/ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch new file mode 100644 index 00000000000..c3e771bdc6e --- /dev/null +++ b/queue-6.11/ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch @@ -0,0 +1,60 @@ +From dfe6c5692fb525e5e90cefe306ee0dffae13d35f Mon Sep 17 00:00:00 2001 +From: Heming Zhao +Date: Fri, 19 Jul 2024 19:43:10 +0800 +Subject: ocfs2: fix the la space leak when unmounting an ocfs2 volume + +From: Heming Zhao + +commit dfe6c5692fb525e5e90cefe306ee0dffae13d35f upstream. + +This bug has existed since the initial OCFS2 code. The code logic in +ocfs2_sync_local_to_main() is wrong, as it ignores the last contiguous +free bits, which causes an OCFS2 volume to lose the last free clusters of +LA window on each umount command. + +Link: https://lkml.kernel.org/r/20240719114310.14245-1-heming.zhao@suse.com +Signed-off-by: Heming Zhao +Reviewed-by: Su Yue +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: Heming Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/localalloc.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/ocfs2/localalloc.c ++++ b/fs/ocfs2/localalloc.c +@@ -1002,6 +1002,25 @@ static int ocfs2_sync_local_to_main(stru + start = bit_off + 1; + } + ++ /* clear the contiguous bits until the end boundary */ ++ if (count) { ++ blkno = la_start_blk + ++ ocfs2_clusters_to_blocks(osb->sb, ++ start - count); ++ ++ trace_ocfs2_sync_local_to_main_free( ++ count, start - count, ++ (unsigned long long)la_start_blk, ++ (unsigned long long)blkno); ++ ++ status = ocfs2_release_clusters(handle, ++ main_bm_inode, ++ main_bm_bh, blkno, ++ count); ++ if (status < 0) ++ mlog_errno(status); ++ } ++ + bail: + if (status) + mlog_errno(status); diff --git a/queue-6.11/ocfs2-fix-uninit-value-in-ocfs2_get_block.patch b/queue-6.11/ocfs2-fix-uninit-value-in-ocfs2_get_block.patch new file mode 100644 index 00000000000..50998af6908 --- /dev/null +++ b/queue-6.11/ocfs2-fix-uninit-value-in-ocfs2_get_block.patch @@ -0,0 +1,75 @@ +From 2af148ef8549a12f8025286b8825c2833ee6bcb8 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Wed, 25 Sep 2024 17:06:00 +0800 +Subject: ocfs2: fix uninit-value in ocfs2_get_block() + +From: Joseph Qi + +commit 2af148ef8549a12f8025286b8825c2833ee6bcb8 upstream. + +syzbot reported an uninit-value BUG: + +BUG: KMSAN: uninit-value in ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 +ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 +do_mpage_readpage+0xc45/0x2780 fs/mpage.c:225 +mpage_readahead+0x43f/0x840 fs/mpage.c:374 +ocfs2_readahead+0x269/0x320 fs/ocfs2/aops.c:381 +read_pages+0x193/0x1110 mm/readahead.c:160 +page_cache_ra_unbounded+0x901/0x9f0 mm/readahead.c:273 +do_page_cache_ra mm/readahead.c:303 [inline] +force_page_cache_ra+0x3b1/0x4b0 mm/readahead.c:332 +force_page_cache_readahead mm/internal.h:347 [inline] +generic_fadvise+0x6b0/0xa90 mm/fadvise.c:106 +vfs_fadvise mm/fadvise.c:185 [inline] +ksys_fadvise64_64 mm/fadvise.c:199 [inline] +__do_sys_fadvise64 mm/fadvise.c:214 [inline] +__se_sys_fadvise64 mm/fadvise.c:212 [inline] +__x64_sys_fadvise64+0x1fb/0x3a0 mm/fadvise.c:212 +x64_sys_call+0xe11/0x3ba0 +arch/x86/include/generated/asm/syscalls_64.h:222 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x77/0x7f + +This is because when ocfs2_extent_map_get_blocks() fails, p_blkno is +uninitialized. So the error log will trigger the above uninit-value +access. + +The error log is out-of-date since get_blocks() was removed long time ago. +And the error code will be logged in ocfs2_extent_map_get_blocks() once +ocfs2_get_cluster() fails, so fix this by only logging inode and block. + +Link: https://syzkaller.appspot.com/bug?extid=9709e73bae885b05314b +Link: https://lkml.kernel.org/r/20240925090600.3643376-1-joseph.qi@linux.alibaba.com +Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") +Signed-off-by: Joseph Qi +Reported-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com +Tested-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com +Cc: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/aops.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -156,9 +156,8 @@ int ocfs2_get_block(struct inode *inode, + err = ocfs2_extent_map_get_blocks(inode, iblock, &p_blkno, &count, + &ext_flags); + if (err) { +- mlog(ML_ERROR, "Error %d from get_blocks(0x%p, %llu, 1, " +- "%llu, NULL)\n", err, inode, (unsigned long long)iblock, +- (unsigned long long)p_blkno); ++ mlog(ML_ERROR, "get_blocks() failed, inode: 0x%p, " ++ "block: %llu\n", inode, (unsigned long long)iblock); + goto bail; + } + diff --git a/queue-6.11/ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch b/queue-6.11/ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch new file mode 100644 index 00000000000..2fff54e7e21 --- /dev/null +++ b/queue-6.11/ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch @@ -0,0 +1,54 @@ +From c03a82b4a0c935774afa01fd6d128b444fd930a1 Mon Sep 17 00:00:00 2001 +From: Lizhi Xu +Date: Mon, 2 Sep 2024 10:36:35 +0800 +Subject: ocfs2: remove unreasonable unlock in ocfs2_read_blocks + +From: Lizhi Xu + +commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream. + +Patch series "Misc fixes for ocfs2_read_blocks", v5. + +This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix +the issue reported by syzbot, which detects bad unlock balance in +ocfs2_read_blocks(). The second patch fixes an issue reported by Heming +Zhao when reviewing above fix. + + +This patch (of 2): + +There was a lock release before exiting, so remove the unreasonable unlock. + +Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.com +Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.com +Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside") +Signed-off-by: Lizhi Xu +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Reviewed-by: Joseph Qi +Reported-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5 +Tested-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: [4.20+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/buffer_head_io.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/ocfs2/buffer_head_io.c ++++ b/fs/ocfs2/buffer_head_io.c +@@ -235,7 +235,6 @@ int ocfs2_read_blocks(struct ocfs2_cachi + if (bhs[i] == NULL) { + bhs[i] = sb_getblk(sb, block++); + if (bhs[i] == NULL) { +- ocfs2_metadata_cache_io_unlock(ci); + status = -ENOMEM; + mlog_errno(status); + /* Don't forget to put previous bh! */ diff --git a/queue-6.11/ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch b/queue-6.11/ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch new file mode 100644 index 00000000000..2b1208e28ae --- /dev/null +++ b/queue-6.11/ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch @@ -0,0 +1,154 @@ +From 5ca60b86f57a4d9648f68418a725b3a7de2816b0 Mon Sep 17 00:00:00 2001 +From: Gautham Ananthakrishna +Date: Wed, 18 Sep 2024 06:38:44 +0000 +Subject: ocfs2: reserve space for inline xattr before attaching reflink tree + +From: Gautham Ananthakrishna + +commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 upstream. + +One of our customers reported a crash and a corrupted ocfs2 filesystem. +The crash was due to the detection of corruption. Upon troubleshooting, +the fsck -fn output showed the below corruption + +[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, +but fsck believes the largest valid value is 227. Clamp the next record value? n + +The stat output from the debugfs.ocfs2 showed the following corruption +where the "Next Free Rec:" had overshot the "Count:" in the root metadata +block. + + Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) + FS Generation: 904309833 (0x35e6ac49) + CRC32: 00000000 ECC: 0000 + Type: Regular Attr: 0x0 Flags: Valid + Dynamic Features: (0x16) HasXattr InlineXattr Refcounted + Extended Attributes Block: 0 Extended Attributes Inline Size: 256 + User: 0 (root) Group: 0 (root) Size: 281320357888 + Links: 1 Clusters: 141738 + ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 + atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 + mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 + dtime: 0x0 -- Wed Dec 31 17:00:00 1969 + Refcount Block: 2777346 + Last Extblk: 2886943 Orphan Slot: 0 + Sub Alloc Slot: 0 Sub Alloc Bit: 14 + Tree Depth: 1 Count: 227 Next Free Rec: 230 + ## Offset Clusters Block# + 0 0 2310 2776351 + 1 2310 2139 2777375 + 2 4449 1221 2778399 + 3 5670 731 2779423 + 4 6401 566 2780447 + ....... .... ....... + ....... .... ....... + +The issue was in the reflink workfow while reserving space for inline +xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the +time this function is called the reflink tree is already recreated at the +destination inode from the source inode. At this point, this function +reserves space for inline xattrs at the destination inode without even +checking if there is space at the root metadata block. It simply reduces +the l_count from 243 to 227 thereby making space of 256 bytes for inline +xattr whereas the inode already has extents beyond this index (in this +case up to 230), thereby causing corruption. + +The fix for this is to reserve space for inline metadata at the destination +inode before the reflink tree gets recreated. The customer has verified the +fix. + +Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@oracle.com +Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") +Signed-off-by: Gautham Ananthakrishna +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- + fs/ocfs2/xattr.c | 11 +---------- + 2 files changed, 25 insertions(+), 12 deletions(-) + +--- a/fs/ocfs2/refcounttree.c ++++ b/fs/ocfs2/refcounttree.c +@@ -25,6 +25,7 @@ + #include "namei.h" + #include "ocfs2_trace.h" + #include "file.h" ++#include "symlink.h" + + #include + #include +@@ -4155,8 +4156,9 @@ static int __ocfs2_reflink(struct dentry + int ret; + struct inode *inode = d_inode(old_dentry); + struct buffer_head *new_bh = NULL; ++ struct ocfs2_inode_info *oi = OCFS2_I(inode); + +- if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ++ if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + ret = -EINVAL; + mlog_errno(ret); + goto out; +@@ -4182,6 +4184,26 @@ static int __ocfs2_reflink(struct dentry + goto out_unlock; + } + ++ if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && ++ (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { ++ /* ++ * Adjust extent record count to reserve space for extended attribute. ++ * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). ++ */ ++ struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); ++ ++ if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && ++ !(ocfs2_inode_is_fast_symlink(new_inode))) { ++ struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; ++ struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; ++ struct ocfs2_extent_list *el = &new_di->id2.i_list; ++ int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); ++ ++ le16_add_cpu(&el->l_count, -(inline_size / ++ sizeof(struct ocfs2_extent_rec))); ++ } ++ } ++ + ret = ocfs2_create_reflink_node(inode, old_bh, + new_inode, new_bh, preserve); + if (ret) { +@@ -4189,7 +4211,7 @@ static int __ocfs2_reflink(struct dentry + goto inode_unlock; + } + +- if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ++ if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + ret = ocfs2_reflink_xattrs(inode, old_bh, + new_inode, new_bh, + preserve); +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -6520,16 +6520,7 @@ static int ocfs2_reflink_xattr_inline(st + } + + new_oi = OCFS2_I(args->new_inode); +- /* +- * Adjust extent record count to reserve space for extended attribute. +- * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). +- */ +- if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && +- !(ocfs2_inode_is_fast_symlink(args->new_inode))) { +- struct ocfs2_extent_list *el = &new_di->id2.i_list; +- le16_add_cpu(&el->l_count, -(inline_size / +- sizeof(struct ocfs2_extent_rec))); +- } ++ + spin_lock(&new_oi->ip_lock); + new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; + new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); diff --git a/queue-6.11/of-address-report-error-on-resource-bounds-overflow.patch b/queue-6.11/of-address-report-error-on-resource-bounds-overflow.patch new file mode 100644 index 00000000000..c53b5d1af12 --- /dev/null +++ b/queue-6.11/of-address-report-error-on-resource-bounds-overflow.patch @@ -0,0 +1,55 @@ +From 000f6d588a8f3d128f89351058dc04d38e54a327 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Thu, 5 Sep 2024 09:46:01 +0200 +Subject: of: address: Report error on resource bounds overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 000f6d588a8f3d128f89351058dc04d38e54a327 upstream. + +The members "start" and "end" of struct resource are of type +"resource_size_t" which can be 32bit wide. +Values read from OF however are always 64bit wide. +Avoid silently truncating the value and instead return an error value. + +This can happen on real systems when the DT was created for a +PAE-enabled kernel and a non-PAE kernel is actually running. +For example with an arm defconfig and "qemu-system-arm -M virt". + +Link: https://bugs.launchpad.net/qemu/+bug/1790975 +Signed-off-by: Thomas Weißschuh +Tested-by: Nam Cao +Reviewed-by: Nam Cao +Link: https://lore.kernel.org/r/20240905-of-resource-overflow-v1-1-0cd8bb92cc1f@linutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/address.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1061,7 +1062,11 @@ static int __of_address_to_resource(stru + if (of_mmio_is_nonposted(dev)) + flags |= IORESOURCE_MEM_NONPOSTED; + ++ if (overflows_type(taddr, r->start)) ++ return -EOVERFLOW; + r->start = taddr; ++ if (overflows_type(taddr + size - 1, r->end)) ++ return -EOVERFLOW; + r->end = taddr + size - 1; + r->flags = flags; + r->name = name ? name : dev->full_name; diff --git a/queue-6.11/of-irq-support-msi-cells-0-in-of_msi_get_domain.patch b/queue-6.11/of-irq-support-msi-cells-0-in-of_msi_get_domain.patch new file mode 100644 index 00000000000..da20594f07a --- /dev/null +++ b/queue-6.11/of-irq-support-msi-cells-0-in-of_msi_get_domain.patch @@ -0,0 +1,102 @@ +From db8e81132cf051843c9a59b46fa5a071c45baeb3 Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Sat, 17 Aug 2024 09:41:08 +0200 +Subject: of/irq: Support #msi-cells=<0> in of_msi_get_domain + +From: Andrew Jones + +commit db8e81132cf051843c9a59b46fa5a071c45baeb3 upstream. + +An 'msi-parent' property with a single entry and no accompanying +'#msi-cells' property is considered the legacy definition as opposed +to its definition after being expanded with commit 126b16e2ad98 +("Docs: dt: add generic MSI bindings"). However, the legacy +definition is completely compatible with the current definition and, +since of_phandle_iterator_next() tolerates missing and present-but- +zero *cells properties since commit e42ee61017f5 ("of: Let +of_for_each_phandle fallback to non-negative cell_count"), there's no +need anymore to special case the legacy definition in +of_msi_get_domain(). + +Indeed, special casing has turned out to be harmful, because, as of +commit 7c025238b47a ("dt-bindings: irqchip: Describe the IMX MU block +as a MSI controller"), MSI controller DT bindings have started +specifying '#msi-cells' as a required property (even when the value +must be zero) as an effort to make the bindings more explicit. But, +since the special casing of 'msi-parent' only uses the existence of +'#msi-cells' for its heuristic, and not whether or not it's also +nonzero, the legacy path is not taken. Furthermore, the path to +support the new, broader definition isn't taken either since that +path has been restricted to the platform-msi bus. + +But, neither the definition of 'msi-parent' nor the definition of +'#msi-cells' is platform-msi-specific (the platform-msi bus was just +the first bus that needed '#msi-cells'), so remove both the special +casing and the restriction. The code removal also requires changing +to of_parse_phandle_with_optional_args() in order to ensure the +legacy (but compatible) use of 'msi-parent' remains supported. This +not only simplifies the code but also resolves an issue with PCI +devices finding their MSI controllers on riscv, as the riscv,imsics +binding requires '#msi-cells=<0>'. + +Signed-off-by: Andrew Jones +Link: https://lore.kernel.org/r/20240817074107.31153-2-ajones@ventanamicro.com +Cc: stable@vger.kernel.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 34 +++++++--------------------------- + 1 file changed, 7 insertions(+), 27 deletions(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -716,8 +716,7 @@ struct irq_domain *of_msi_map_get_device + * @np: device node for @dev + * @token: bus type for this domain + * +- * Parse the msi-parent property (both the simple and the complex +- * versions), and returns the corresponding MSI domain. ++ * Parse the msi-parent property and returns the corresponding MSI domain. + * + * Returns: the MSI domain for this device (or NULL on failure). + */ +@@ -725,33 +724,14 @@ struct irq_domain *of_msi_get_domain(str + struct device_node *np, + enum irq_domain_bus_token token) + { +- struct device_node *msi_np; ++ struct of_phandle_iterator it; + struct irq_domain *d; ++ int err; + +- /* Check for a single msi-parent property */ +- msi_np = of_parse_phandle(np, "msi-parent", 0); +- if (msi_np && !of_property_read_bool(msi_np, "#msi-cells")) { +- d = irq_find_matching_host(msi_np, token); +- if (!d) +- of_node_put(msi_np); +- return d; +- } +- +- if (token == DOMAIN_BUS_PLATFORM_MSI) { +- /* Check for the complex msi-parent version */ +- struct of_phandle_args args; +- int index = 0; +- +- while (!of_parse_phandle_with_args(np, "msi-parent", +- "#msi-cells", +- index, &args)) { +- d = irq_find_matching_host(args.np, token); +- if (d) +- return d; +- +- of_node_put(args.np); +- index++; +- } ++ of_for_each_phandle(&it, err, np, "msi-parent", "#msi-cells", 0) { ++ d = irq_find_matching_host(it.node, token); ++ if (d) ++ return d; + } + + return NULL; diff --git a/queue-6.11/parisc-allow-mmap-map_stack-memory-to-automatically-expand-upwards.patch b/queue-6.11/parisc-allow-mmap-map_stack-memory-to-automatically-expand-upwards.patch new file mode 100644 index 00000000000..777520fa49d --- /dev/null +++ b/queue-6.11/parisc-allow-mmap-map_stack-memory-to-automatically-expand-upwards.patch @@ -0,0 +1,47 @@ +From 5d698966fa7b452035c44c937d704910bf3440dd Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 8 Sep 2024 20:51:17 +0200 +Subject: parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards + +From: Helge Deller + +commit 5d698966fa7b452035c44c937d704910bf3440dd upstream. + +When userspace allocates memory with mmap() in order to be used for stack, +allow this memory region to automatically expand upwards up until the +current maximum process stack size. +The fault handler checks if the VM_GROWSUP bit is set in the vm_flags field +of a memory area before it allows it to expand. +This patch modifies the parisc specific code only. +A RFC for a generic patch to modify mmap() for all architectures was sent +to the mailing list but did not get enough Acks. + +Reported-by: Camm Maguire +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/mman.h | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/arch/parisc/include/asm/mman.h ++++ b/arch/parisc/include/asm/mman.h +@@ -11,4 +11,18 @@ static inline bool arch_memory_deny_writ + } + #define arch_memory_deny_write_exec_supported arch_memory_deny_write_exec_supported + ++static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) ++{ ++ /* ++ * The stack on parisc grows upwards, so if userspace requests memory ++ * for a stack, mark it with VM_GROWSUP so that the stack expansion in ++ * the fault handler will work. ++ */ ++ if (flags & MAP_STACK) ++ return VM_GROWSUP; ++ ++ return 0; ++} ++#define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags) ++ + #endif /* __ASM_MMAN_H__ */ diff --git a/queue-6.11/parisc-fix-64-bit-userspace-syscall-path.patch b/queue-6.11/parisc-fix-64-bit-userspace-syscall-path.patch new file mode 100644 index 00000000000..4bf9b863973 --- /dev/null +++ b/queue-6.11/parisc-fix-64-bit-userspace-syscall-path.patch @@ -0,0 +1,64 @@ +From d24449864da5838936669618356b0e30ca2999c3 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 8 Sep 2024 00:40:38 +0200 +Subject: parisc: Fix 64-bit userspace syscall path + +From: Helge Deller + +commit d24449864da5838936669618356b0e30ca2999c3 upstream. + +Currently the glibc isn't yet ported to 64-bit for hppa, so +there is no usable userspace available yet. +But it's possible to manually build a static 64-bit binary +and run that for testing. One such 64-bit test program is +available at http://ftp.parisc-linux.org/src/64bit.tar.gz +and it shows various issues with the existing 64-bit syscall +path in the kernel. +This patch fixes those issues. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/syscall.S | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -243,10 +243,10 @@ linux_gateway_entry: + + #ifdef CONFIG_64BIT + ldil L%sys_call_table, %r1 +- or,= %r2,%r2,%r2 +- addil L%(sys_call_table64-sys_call_table), %r1 ++ or,ev %r2,%r2,%r2 ++ ldil L%sys_call_table64, %r1 + ldo R%sys_call_table(%r1), %r19 +- or,= %r2,%r2,%r2 ++ or,ev %r2,%r2,%r2 + ldo R%sys_call_table64(%r1), %r19 + #else + load32 sys_call_table, %r19 +@@ -379,10 +379,10 @@ tracesys_next: + extrd,u %r19,63,1,%r2 /* W hidden in bottom bit */ + + ldil L%sys_call_table, %r1 +- or,= %r2,%r2,%r2 +- addil L%(sys_call_table64-sys_call_table), %r1 ++ or,ev %r2,%r2,%r2 ++ ldil L%sys_call_table64, %r1 + ldo R%sys_call_table(%r1), %r19 +- or,= %r2,%r2,%r2 ++ or,ev %r2,%r2,%r2 + ldo R%sys_call_table64(%r1), %r19 + #else + load32 sys_call_table, %r19 +@@ -1327,6 +1327,8 @@ ENTRY(sys_call_table) + END(sys_call_table) + + #ifdef CONFIG_64BIT ++#undef __SYSCALL_WITH_COMPAT ++#define __SYSCALL_WITH_COMPAT(nr, native, compat) __SYSCALL(nr, native) + .align 8 + ENTRY(sys_call_table64) + #include /* 64-bit syscalls */ diff --git a/queue-6.11/parisc-fix-stack-start-for-addr_no_randomize-personality.patch b/queue-6.11/parisc-fix-stack-start-for-addr_no_randomize-personality.patch new file mode 100644 index 00000000000..f5468fc05db --- /dev/null +++ b/queue-6.11/parisc-fix-stack-start-for-addr_no_randomize-personality.patch @@ -0,0 +1,75 @@ +From f31b256994acec6929306dfa86ac29716e7503d6 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 7 Sep 2024 18:28:11 +0200 +Subject: parisc: Fix stack start for ADDR_NO_RANDOMIZE personality + +From: Helge Deller + +commit f31b256994acec6929306dfa86ac29716e7503d6 upstream. + +Fix the stack start address calculation for the parisc architecture in +setup_arg_pages() when address randomization is disabled. When the +ADDR_NO_RANDOMIZE process personality is disabled there is no need to add +additional space for the stack. +Note that this patch touches code inside an #ifdef CONFIG_STACK_GROWSUP hunk, +which is why only the parisc architecture is affected since it's the +only Linux architecture where the stack grows upwards. + +Without this patch you will find the stack in the middle of some +mapped libaries and suddenly limited to 6MB instead of 8MB: + +root@parisc:~# setarch -R /bin/bash -c "cat /proc/self/maps" +00010000-00019000 r-xp 00000000 08:05 1182034 /usr/bin/cat +00019000-0001a000 rwxp 00009000 08:05 1182034 /usr/bin/cat +0001a000-0003b000 rwxp 00000000 00:00 0 [heap] +f90c4000-f9283000 r-xp 00000000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6 +f9283000-f9285000 r--p 001bf000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6 +f9285000-f928a000 rwxp 001c1000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6 +f928a000-f9294000 rwxp 00000000 00:00 0 +f9301000-f9323000 rwxp 00000000 00:00 0 [stack] +f98b4000-f98e4000 r-xp 00000000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1 +f98e4000-f98e5000 r--p 00030000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1 +f98e5000-f98e9000 rwxp 00031000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1 +f9ad8000-f9b00000 rw-p 00000000 00:00 0 +f9b00000-f9b01000 r-xp 00000000 00:00 0 [vdso] + +With the patch the stack gets correctly mapped at the end +of the process memory map: + +root@panama:~# setarch -R /bin/bash -c "cat /proc/self/maps" +00010000-00019000 r-xp 00000000 08:13 16385582 /usr/bin/cat +00019000-0001a000 rwxp 00009000 08:13 16385582 /usr/bin/cat +0001a000-0003b000 rwxp 00000000 00:00 0 [heap] +fef29000-ff0eb000 r-xp 00000000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6 +ff0eb000-ff0ed000 r--p 001c2000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6 +ff0ed000-ff0f2000 rwxp 001c4000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6 +ff0f2000-ff0fc000 rwxp 00000000 00:00 0 +ff4b4000-ff4e4000 r-xp 00000000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1 +ff4e4000-ff4e6000 r--p 00030000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1 +ff4e6000-ff4ea000 rwxp 00032000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1 +ff6d7000-ff6ff000 rw-p 00000000 00:00 0 +ff6ff000-ff700000 r-xp 00000000 00:00 0 [vdso] +ff700000-ff722000 rwxp 00000000 00:00 0 [stack] + +Reported-by: Camm Maguire +Signed-off-by: Helge Deller +Fixes: d045c77c1a69 ("parisc,metag: Fix crashes due to stack randomization on stack-grows-upwards architectures") +Fixes: 17d9822d4b4c ("parisc: Consider stack randomization for mmap base only when necessary") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -811,7 +811,8 @@ int setup_arg_pages(struct linux_binprm + stack_base = calc_max_stack_size(stack_base); + + /* Add space for stack randomization. */ +- stack_base += (STACK_RND_MASK << PAGE_SHIFT); ++ if (current->flags & PF_RANDOMIZE) ++ stack_base += (STACK_RND_MASK << PAGE_SHIFT); + + /* Make sure we didn't let the argument array grow too large. */ + if (vma->vm_end - vma->vm_start > stack_base) diff --git a/queue-6.11/resource-fix-region_intersects-vs-add_memory_driver_managed.patch b/queue-6.11/resource-fix-region_intersects-vs-add_memory_driver_managed.patch new file mode 100644 index 00000000000..b7d113e2b59 --- /dev/null +++ b/queue-6.11/resource-fix-region_intersects-vs-add_memory_driver_managed.patch @@ -0,0 +1,174 @@ +From b4afe4183ec77f230851ea139d91e5cf2644c68b Mon Sep 17 00:00:00 2001 +From: Huang Ying +Date: Fri, 6 Sep 2024 11:07:11 +0800 +Subject: resource: fix region_intersects() vs add_memory_driver_managed() + +From: Huang Ying + +commit b4afe4183ec77f230851ea139d91e5cf2644c68b upstream. + +On a system with CXL memory, the resource tree (/proc/iomem) related to +CXL memory may look like something as follows. + +490000000-50fffffff : CXL Window 0 + 490000000-50fffffff : region0 + 490000000-50fffffff : dax0.0 + 490000000-50fffffff : System RAM (kmem) + +Because drivers/dax/kmem.c calls add_memory_driver_managed() during +onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL +Window X". This confuses region_intersects(), which expects all "System +RAM" resources to be at the top level of iomem_resource. This can lead to +bugs. + +For example, when the following command line is executed to write some +memory in CXL memory range via /dev/mem, + + $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 + dd: error writing '/dev/mem': Bad address + 1+0 records in + 0+0 records out + 0 bytes copied, 0.0283507 s, 0.0 kB/s + +the command fails as expected. However, the error code is wrong. It +should be "Operation not permitted" instead of "Bad address". More +seriously, the /dev/mem permission checking in devmem_is_allowed() passes +incorrectly. Although the accessing is prevented later because ioremap() +isn't allowed to map system RAM, it is a potential security issue. During +command executing, the following warning is reported in the kernel log for +calling ioremap() on system RAM. + + ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff + WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d + Call Trace: + memremap+0xcb/0x184 + xlate_dev_mem_ptr+0x25/0x2f + write_mem+0x94/0xfb + vfs_write+0x128/0x26d + ksys_write+0xac/0xfe + do_syscall_64+0x9a/0xfd + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +The details of command execution process are as follows. In the above +resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a +top level resource. So, region_intersects() will report no System RAM +resources in the CXL memory region incorrectly, because it only checks the +top level resources. Consequently, devmem_is_allowed() will return 1 +(allow access via /dev/mem) for CXL memory region incorrectly. +Fortunately, ioremap() doesn't allow to map System RAM and reject the +access. + +So, region_intersects() needs to be fixed to work correctly with the +resource tree with "System RAM" not at top level as above. To fix it, if +we found a unmatched resource in the top level, we will continue to search +matched resources in its descendant resources. So, we will not miss any +matched resources in resource tree anymore. + +In the new implementation, an example resource tree + +|------------- "CXL Window 0" ------------| +|-- "System RAM" --| + +will behave similar as the following fake resource tree for +region_intersects(, IORESOURCE_SYSTEM_RAM, ), + +|-- "System RAM" --||-- "CXL Window 0a" --| + +Where "CXL Window 0a" is part of the original "CXL Window 0" that +isn't covered by "System RAM". + +Link: https://lkml.kernel.org/r/20240906030713.204292-2-ying.huang@intel.com +Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") +Signed-off-by: "Huang, Ying" +Cc: Dan Williams +Cc: David Hildenbrand +Cc: Davidlohr Bueso +Cc: Jonathan Cameron +Cc: Dave Jiang +Cc: Alison Schofield +Cc: Vishal Verma +Cc: Ira Weiny +Cc: Alistair Popple +Cc: Andy Shevchenko +Cc: Bjorn Helgaas +Cc: Baoquan He +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/resource.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 50 insertions(+), 8 deletions(-) + +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -540,20 +540,62 @@ static int __region_intersects(struct re + size_t size, unsigned long flags, + unsigned long desc) + { +- struct resource res; ++ resource_size_t ostart, oend; + int type = 0; int other = 0; +- struct resource *p; ++ struct resource *p, *dp; ++ bool is_type, covered; ++ struct resource res; + + res.start = start; + res.end = start + size - 1; + + for (p = parent->child; p ; p = p->sibling) { +- bool is_type = (((p->flags & flags) == flags) && +- ((desc == IORES_DESC_NONE) || +- (desc == p->desc))); +- +- if (resource_overlaps(p, &res)) +- is_type ? type++ : other++; ++ if (!resource_overlaps(p, &res)) ++ continue; ++ is_type = (p->flags & flags) == flags && ++ (desc == IORES_DESC_NONE || desc == p->desc); ++ if (is_type) { ++ type++; ++ continue; ++ } ++ /* ++ * Continue to search in descendant resources as if the ++ * matched descendant resources cover some ranges of 'p'. ++ * ++ * |------------- "CXL Window 0" ------------| ++ * |-- "System RAM" --| ++ * ++ * will behave similar as the following fake resource ++ * tree when searching "System RAM". ++ * ++ * |-- "System RAM" --||-- "CXL Window 0a" --| ++ */ ++ covered = false; ++ ostart = max(res.start, p->start); ++ oend = min(res.end, p->end); ++ for_each_resource(p, dp, false) { ++ if (!resource_overlaps(dp, &res)) ++ continue; ++ is_type = (dp->flags & flags) == flags && ++ (desc == IORES_DESC_NONE || desc == dp->desc); ++ if (is_type) { ++ type++; ++ /* ++ * Range from 'ostart' to 'dp->start' ++ * isn't covered by matched resource. ++ */ ++ if (dp->start > ostart) ++ break; ++ if (dp->end >= oend) { ++ covered = true; ++ break; ++ } ++ /* Remove covered range */ ++ ostart = max(ostart, dp->end + 1); ++ } ++ } ++ if (!covered) ++ other++; + } + + if (type == 0) diff --git a/queue-6.11/scripts-gdb-add-iteration-function-for-rbtree.patch b/queue-6.11/scripts-gdb-add-iteration-function-for-rbtree.patch new file mode 100644 index 00000000000..55365499a3f --- /dev/null +++ b/queue-6.11/scripts-gdb-add-iteration-function-for-rbtree.patch @@ -0,0 +1,47 @@ +From 0c77e103c45fa1b119f5d3bb4625eee081c1a6cf Mon Sep 17 00:00:00 2001 +From: Kuan-Ying Lee +Date: Tue, 23 Jul 2024 14:48:58 +0800 +Subject: scripts/gdb: add iteration function for rbtree + +From: Kuan-Ying Lee + +commit 0c77e103c45fa1b119f5d3bb4625eee081c1a6cf upstream. + +Add inorder iteration function for rbtree usage. + +This is a preparation patch for the next patch to fix the gdb mounts +issue. + +Link: https://lkml.kernel.org/r/20240723064902.124154-3-kuan-ying.lee@canonical.com +Fixes: 2eea9ce4310d ("mounts: keep list of mounts in an rbtree") +Signed-off-by: Kuan-Ying Lee +Cc: Jan Kiszka +Cc: Kieran Bingham +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + scripts/gdb/linux/rbtree.py | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/scripts/gdb/linux/rbtree.py ++++ b/scripts/gdb/linux/rbtree.py +@@ -9,6 +9,18 @@ from linux import utils + rb_root_type = utils.CachedType("struct rb_root") + rb_node_type = utils.CachedType("struct rb_node") + ++def rb_inorder_for_each(root): ++ def inorder(node): ++ if node: ++ yield from inorder(node['rb_left']) ++ yield node ++ yield from inorder(node['rb_right']) ++ ++ yield from inorder(root['rb_node']) ++ ++def rb_inorder_for_each_entry(root, gdbtype, member): ++ for node in rb_inorder_for_each(root): ++ yield utils.container_of(node, gdbtype, member) + + def rb_first(root): + if root.type == rb_root_type.get_type(): diff --git a/queue-6.11/scripts-gdb-fix-lx-mounts-command-error.patch b/queue-6.11/scripts-gdb-fix-lx-mounts-command-error.patch new file mode 100644 index 00000000000..a65a1e6967a --- /dev/null +++ b/queue-6.11/scripts-gdb-fix-lx-mounts-command-error.patch @@ -0,0 +1,52 @@ +From 4b183f613924ad536be2f8bd12b307e9c5a96bf6 Mon Sep 17 00:00:00 2001 +From: Kuan-Ying Lee +Date: Tue, 23 Jul 2024 14:48:59 +0800 +Subject: scripts/gdb: fix lx-mounts command error + +From: Kuan-Ying Lee + +commit 4b183f613924ad536be2f8bd12b307e9c5a96bf6 upstream. + +(gdb) lx-mounts + mount super_block devname pathname fstype options +Python Exception : There is no member named list. +Error occurred in Python: There is no member named list. + +We encounter the above issue after commit 2eea9ce4310d ("mounts: keep +list of mounts in an rbtree"). The commit move a mount from list into +rbtree. + +So we can instead use rbtree to iterate all mounts information. + +Link: https://lkml.kernel.org/r/20240723064902.124154-4-kuan-ying.lee@canonical.com +Fixes: 2eea9ce4310d ("mounts: keep list of mounts in an rbtree") +Signed-off-by: Kuan-Ying Lee +Cc: Jan Kiszka +Cc: Kieran Bingham +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + scripts/gdb/linux/proc.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/scripts/gdb/linux/proc.py ++++ b/scripts/gdb/linux/proc.py +@@ -18,6 +18,7 @@ from linux import utils + from linux import tasks + from linux import lists + from linux import vfs ++from linux import rbtree + from struct import * + + +@@ -172,8 +173,7 @@ values of that process namespace""" + gdb.write("{:^18} {:^15} {:>9} {} {} options\n".format( + "mount", "super_block", "devname", "pathname", "fstype")) + +- for mnt in lists.list_for_each_entry(namespace['list'], +- mount_ptr_type, "mnt_list"): ++ for mnt in rbtree.rb_inorder_for_each_entry(namespace['mounts'], mount_ptr_type, "mnt_node"): + devname = mnt['mnt_devname'].string() + devname = devname if devname else "none" + diff --git a/queue-6.11/scripts-gdb-fix-timerlist-parsing-issue.patch b/queue-6.11/scripts-gdb-fix-timerlist-parsing-issue.patch new file mode 100644 index 00000000000..83d0e163a1d --- /dev/null +++ b/queue-6.11/scripts-gdb-fix-timerlist-parsing-issue.patch @@ -0,0 +1,85 @@ +From a633a4b8001a7f2a12584f267a3280990d9ababa Mon Sep 17 00:00:00 2001 +From: Kuan-Ying Lee +Date: Tue, 23 Jul 2024 14:48:57 +0800 +Subject: scripts/gdb: fix timerlist parsing issue + +From: Kuan-Ying Lee + +commit a633a4b8001a7f2a12584f267a3280990d9ababa upstream. + +Patch series "Fix some GDB command error and add some GDB commands", v3. + +Fix some GDB command errors and add some useful GDB commands. + + +This patch (of 5): + +Commit 7988e5ae2be7 ("tick: Split nohz and highres features from +nohz_mode") and commit 7988e5ae2be7 ("tick: Split nohz and highres +features from nohz_mode") move 'tick_stopped' and 'nohz_mode' to flags +field which will break the gdb lx-mounts command: + +(gdb) lx-timerlist +Python Exception : There is no member named nohz_mode. +Error occurred in Python: There is no member named nohz_mode. + +(gdb) lx-timerlist +Python Exception : There is no member named tick_stopped. +Error occurred in Python: There is no member named tick_stopped. + +We move 'tick_stopped' and 'nohz_mode' to flags field instead. + +Link: https://lkml.kernel.org/r/20240723064902.124154-1-kuan-ying.lee@canonical.com +Link: https://lkml.kernel.org/r/20240723064902.124154-2-kuan-ying.lee@canonical.com +Fixes: a478ffb2ae23 ("tick: Move individual bit features to debuggable mask accesses") +Fixes: 7988e5ae2be7 ("tick: Split nohz and highres features from nohz_mode") +Signed-off-by: Kuan-Ying Lee +Cc: Jan Kiszka +Cc: Kieran Bingham +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + scripts/gdb/linux/timerlist.py | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/scripts/gdb/linux/timerlist.py ++++ b/scripts/gdb/linux/timerlist.py +@@ -87,21 +87,22 @@ def print_cpu(hrtimer_bases, cpu, max_cl + text += "\n" + + if constants.LX_CONFIG_TICK_ONESHOT: +- fmts = [(" .{} : {}", 'nohz_mode'), +- (" .{} : {} nsecs", 'last_tick'), +- (" .{} : {}", 'tick_stopped'), +- (" .{} : {}", 'idle_jiffies'), +- (" .{} : {}", 'idle_calls'), +- (" .{} : {}", 'idle_sleeps'), +- (" .{} : {} nsecs", 'idle_entrytime'), +- (" .{} : {} nsecs", 'idle_waketime'), +- (" .{} : {} nsecs", 'idle_exittime'), +- (" .{} : {} nsecs", 'idle_sleeptime'), +- (" .{}: {} nsecs", 'iowait_sleeptime'), +- (" .{} : {}", 'last_jiffies'), +- (" .{} : {}", 'next_timer'), +- (" .{} : {} nsecs", 'idle_expires')] +- text += "\n".join([s.format(f, ts[f]) for s, f in fmts]) ++ TS_FLAG_STOPPED = 1 << 1 ++ TS_FLAG_NOHZ = 1 << 4 ++ text += f" .{'nohz':15s}: {int(bool(ts['flags'] & TS_FLAG_NOHZ))}\n" ++ text += f" .{'last_tick':15s}: {ts['last_tick']}\n" ++ text += f" .{'tick_stopped':15s}: {int(bool(ts['flags'] & TS_FLAG_STOPPED))}\n" ++ text += f" .{'idle_jiffies':15s}: {ts['idle_jiffies']}\n" ++ text += f" .{'idle_calls':15s}: {ts['idle_calls']}\n" ++ text += f" .{'idle_sleeps':15s}: {ts['idle_sleeps']}\n" ++ text += f" .{'idle_entrytime':15s}: {ts['idle_entrytime']} nsecs\n" ++ text += f" .{'idle_waketime':15s}: {ts['idle_waketime']} nsecs\n" ++ text += f" .{'idle_exittime':15s}: {ts['idle_exittime']} nsecs\n" ++ text += f" .{'idle_sleeptime':15s}: {ts['idle_sleeptime']} nsecs\n" ++ text += f" .{'iowait_sleeptime':15s}: {ts['iowait_sleeptime']} nsecs\n" ++ text += f" .{'last_jiffies':15s}: {ts['last_jiffies']}\n" ++ text += f" .{'next_timer':15s}: {ts['next_timer']}\n" ++ text += f" .{'idle_expires':15s}: {ts['idle_expires']} nsecs\n" + text += "\njiffies: {}\n".format(jiffies) + + text += "\n" diff --git a/queue-6.11/series b/queue-6.11/series index 9e56292d27d..4f94a5c2cc7 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -398,3 +398,25 @@ ext4-use-handle-to-mark-fc-as-ineligible-in-__track_dentry_update.patch ext4-mark-fc-as-ineligible-using-an-handle-in-ext4_xattr_set.patch ext4-fix-off-by-one-issue-in-alloc_flex_gd.patch drm-xe-generate-oob-before-compiling-anything.patch +parisc-fix-64-bit-userspace-syscall-path.patch +parisc-allow-mmap-map_stack-memory-to-automatically-expand-upwards.patch +parisc-fix-stack-start-for-addr_no_randomize-personality.patch +drm-rockchip-vop-clear-dma-stop-bit-on-rk3066.patch +of-address-report-error-on-resource-bounds-overflow.patch +of-irq-support-msi-cells-0-in-of_msi_get_domain.patch +drm-omapdrm-add-missing-check-for-alloc_ordered_workqueue.patch +resource-fix-region_intersects-vs-add_memory_driver_managed.patch +lib-buildid-harden-build-id-parsing-logic.patch +jbd2-stop-waiting-for-space-when-jbd2_cleanup_journal_tail-returns-error.patch +jbd2-correctly-compare-tids-with-tid_geq-function-in-jbd2_fc_begin_commit.patch +mm-krealloc-consider-spare-memory-for-__gfp_zero.patch +ocfs2-fix-the-la-space-leak-when-unmounting-an-ocfs2-volume.patch +ocfs2-fix-uninit-value-in-ocfs2_get_block.patch +ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch +ocfs2-cancel-dqi_sync_work-before-freeing-oinfo.patch +ocfs2-remove-unreasonable-unlock-in-ocfs2_read_blocks.patch +ocfs2-fix-null-ptr-deref-when-journal-load-failed.patch +ocfs2-fix-possible-null-ptr-deref-in-ocfs2_set_buffer_uptodate.patch +scripts-gdb-fix-timerlist-parsing-issue.patch +scripts-gdb-add-iteration-function-for-rbtree.patch +scripts-gdb-fix-lx-mounts-command-error.patch