From: Greg Kroah-Hartman Date: Mon, 6 Jun 2022 15:13:22 +0000 (+0200) Subject: 5.18-stable patches X-Git-Tag: v5.10.121~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dab86277ff6bbe520dd59daf493dcd45ebf76b62;p=thirdparty%2Fkernel%2Fstable-queue.git 5.18-stable patches added patches: cfg80211-declare-module_firmware-for-regulatory.db.patch csky-patch_text-fixup-last-cpu-should-be-master.patch ftrace-clean-up-hash-direct_functions-on-register-failures.patch hugetlb-fix-huge_pmd_unshare-address-update.patch ima-remove-the-ima_template-kconfig-option.patch iommu-dma-fix-iova-map-result-check-bug.patch iommu-msm-fix-an-incorrect-null-check-on-list-iterator.patch irqchip-armada-370-xp-do-not-touch-performance-counter-overflow-on-a375-a38x-a39x.patch irqchip-irq-xtensa-mx-fix-initial-irq-affinity.patch kconfig-add-option-for-asm-goto-w-tied-outputs-to-workaround-clang-13-bug.patch kexec_file-drop-weak-attribute-from-arch_kexec_apply_relocations.patch kprobes-fix-build-errors-with-config_kretprobes-n.patch ksmbd-fix-outstanding-credits-related-bugs.patch lib-string_helpers-fix-not-adding-strarray-to-device-s-resource-list.patch mac80211-upgrade-passive-scan-to-active-scan-on-dfs-channels-after-beacon-rx.patch mips-ip27-remove-incorrect-cpu_has_fpu-override.patch mips-ip30-remove-incorrect-cpu_has_fpu-override.patch mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range.patch mm-page_alloc-always-attempt-to-allocate-at-least-one-page-during-bulk-allocation.patch mm-page_owner-use-strscpy-instead-of-strlcpy.patch mmc-core-allows-to-override-the-timeout-value-for-ioctl-path.patch mt76-fix-use-after-free-by-removing-a-non-rcu-wcid-pointer.patch nodemask.h-fix-compilation-error-with-gcc12.patch rdma-hfi1-fix-potential-integer-multiplication-overflow-errors.patch revert-mm-cma.c-remove-redundant-cma_mutex-lock.patch thermal-devfreq_cooling-use-local-ops-instead-of-global-ops.patch um-chan_user-fix-winch_tramp-return-value.patch 
um-fix-out-of-bounds-read-in-ldt-setup.patch um-use-asm-generic-dma-mapping.h.patch um-virtio_uml-fix-broken-device-handling-in-time-travel.patch xtensa-simdisk-fix-proc_read_simdisk.patch --- diff --git a/queue-5.18/cfg80211-declare-module_firmware-for-regulatory.db.patch b/queue-5.18/cfg80211-declare-module_firmware-for-regulatory.db.patch new file mode 100644 index 00000000000..494b0610ae4 --- /dev/null +++ b/queue-5.18/cfg80211-declare-module_firmware-for-regulatory.db.patch @@ -0,0 +1,42 @@ +From 7bc7981eeebe1b8e603ad2ffc5e84f4df76920dd Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov +Date: Thu, 14 Apr 2022 13:50:03 +0100 +Subject: cfg80211: declare MODULE_FIRMWARE for regulatory.db + +From: Dimitri John Ledkov + +commit 7bc7981eeebe1b8e603ad2ffc5e84f4df76920dd upstream. + +Add MODULE_FIRMWARE declarations for regulatory.db and +regulatory.db.p7s such that userspace tooling can discover and include +these files. + +Cc: stable@vger.kernel.org +Signed-off-by: Dimitri John Ledkov +Link: https://lore.kernel.org/r/20220414125004.267819-1-dimitri.ledkov@canonical.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/reg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -807,6 +807,8 @@ static int __init load_builtin_regdb_key + return 0; + } + ++MODULE_FIRMWARE("regulatory.db.p7s"); ++ + static bool regdb_has_valid_signature(const u8 *data, unsigned int size) + { + const struct firmware *sig; +@@ -1078,6 +1080,8 @@ static void regdb_fw_cb(const struct fir + release_firmware(fw); + } + ++MODULE_FIRMWARE("regulatory.db"); ++ + static int query_regdb_file(const char *alpha2) + { + ASSERT_RTNL(); diff --git a/queue-5.18/csky-patch_text-fixup-last-cpu-should-be-master.patch b/queue-5.18/csky-patch_text-fixup-last-cpu-should-be-master.patch new file mode 100644 index 00000000000..157741fb1e0 --- /dev/null +++ b/queue-5.18/csky-patch_text-fixup-last-cpu-should-be-master.patch 
@@ -0,0 +1,37 @@ +From 8c4d16471e2babe9bdfe41d6ef724526629696cb Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Wed, 6 Apr 2022 22:28:43 +0800 +Subject: csky: patch_text: Fixup last cpu should be master + +From: Guo Ren + +commit 8c4d16471e2babe9bdfe41d6ef724526629696cb upstream. + +These patch_text implementations are using stop_machine_cpuslocked +infrastructure with atomic cpu_count. The original idea: When the +master CPU patch_text, the others should wait for it. But current +implementation is using the first CPU as master, which couldn't +guarantee the remaining CPUs are waiting. This patch changes the +last CPU as the master to solve the potential risk. + +Fixes: 33e53ae1ce41 ("csky: Add kprobes supported") +Signed-off-by: Guo Ren +Signed-off-by: Guo Ren +Reviewed-by: Masami Hiramatsu +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/kernel/probes/kprobes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/csky/kernel/probes/kprobes.c ++++ b/arch/csky/kernel/probes/kprobes.c +@@ -30,7 +30,7 @@ static int __kprobes patch_text_cb(void + struct csky_insn_patch *param = priv; + unsigned int addr = (unsigned int)param->addr; + +- if (atomic_inc_return(¶m->cpu_count) == 1) { ++ if (atomic_inc_return(¶m->cpu_count) == num_online_cpus()) { + *(u16 *) addr = cpu_to_le16(param->opcode); + dcache_wb_range(addr, addr + 2); + atomic_inc(¶m->cpu_count); diff --git a/queue-5.18/ftrace-clean-up-hash-direct_functions-on-register-failures.patch b/queue-5.18/ftrace-clean-up-hash-direct_functions-on-register-failures.patch new file mode 100644 index 00000000000..58228adce28 --- /dev/null +++ b/queue-5.18/ftrace-clean-up-hash-direct_functions-on-register-failures.patch 
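Review bot: The new `== num_online_cpus()` condition carries no comment on why the last arriving CPU is the safe choice, and the waiting side of the protocol is outside the hunk (patch_text_cb continues past the last visible line). Suggest annotating the condition: `/* Patch only once every online CPU has entered the callback; the others are already spinning on cpu_count, so none is still running the text being rewritten. */`. The comparison is only meaningful if the online mask cannot change while the callback runs, which the stop_machine_cpuslocked() path mentioned in the description presumably guarantees via the caller holding the CPU hotplug lock — worth confirming at the call site, which is not shown here.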
@@ -0,0 +1,106 @@ +From 7d54c15cb89a29a5f59e5ffc9ee62e6591769ef1 Mon Sep 17 00:00:00 2001 +From: Song Liu +Date: Tue, 24 May 2022 10:08:39 -0700 +Subject: ftrace: Clean up hash direct_functions on register failures + +From: Song Liu + +commit 7d54c15cb89a29a5f59e5ffc9ee62e6591769ef1 upstream. + +We see the following GPF when register_ftrace_direct fails: + +[ ] general protection fault, probably for non-canonical address \ + 0x200000000000010: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI +[...] +[ ] RIP: 0010:ftrace_find_rec_direct+0x53/0x70 +[ ] Code: 48 c1 e0 03 48 03 42 08 48 8b 10 31 c0 48 85 d2 74 [...] +[ ] RSP: 0018:ffffc9000138bc10 EFLAGS: 00010206 +[ ] RAX: 0000000000000000 RBX: ffffffff813e0df0 RCX: 000000000000003b +[ ] RDX: 0200000000000000 RSI: 000000000000000c RDI: ffffffff813e0df0 +[ ] RBP: ffffffffa00a3000 R08: ffffffff81180ce0 R09: 0000000000000001 +[ ] R10: ffffc9000138bc18 R11: 0000000000000001 R12: ffffffff813e0df0 +[ ] R13: ffffffff813e0df0 R14: ffff888171b56400 R15: 0000000000000000 +[ ] FS: 00007fa9420c7780(0000) GS:ffff888ff6a00000(0000) knlGS:000000000 +[ ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ ] CR2: 000000000770d000 CR3: 0000000107d50003 CR4: 0000000000370ee0 +[ ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ ] Call Trace: +[ ] +[ ] register_ftrace_direct+0x54/0x290 +[ ] ? render_sigset_t+0xa0/0xa0 +[ ] bpf_trampoline_update+0x3f5/0x4a0 +[ ] ? 0xffffffffa00a3000 +[ ] bpf_trampoline_link_prog+0xa9/0x140 +[ ] bpf_tracing_prog_attach+0x1dc/0x450 +[ ] bpf_raw_tracepoint_open+0x9a/0x1e0 +[ ] ? find_held_lock+0x2d/0x90 +[ ] ? lock_release+0x150/0x430 +[ ] __sys_bpf+0xbd6/0x2700 +[ ] ? lock_is_held_type+0xd8/0x130 +[ ] __x64_sys_bpf+0x1c/0x20 +[ ] do_syscall_64+0x3a/0x80 +[ ] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ ] RIP: 0033:0x7fa9421defa9 +[ ] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 9 f8 [...] 
+[ ] RSP: 002b:00007ffed743bd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 +[ ] RAX: ffffffffffffffda RBX: 00000000069d2480 RCX: 00007fa9421defa9 +[ ] RDX: 0000000000000078 RSI: 00007ffed743bd80 RDI: 0000000000000011 +[ ] RBP: 00007ffed743be00 R08: 0000000000bb7270 R09: 0000000000000000 +[ ] R10: 00000000069da210 R11: 0000000000000246 R12: 0000000000000001 +[ ] R13: 00007ffed743c4b0 R14: 00000000069d2480 R15: 0000000000000001 +[ ] +[ ] Modules linked in: klp_vm(OK) +[ ] ---[ end trace 0000000000000000 ]--- + +One way to trigger this is: + 1. load a livepatch that patches kernel function xxx; + 2. run bpftrace -e 'kfunc:xxx {}', this will fail (expected for now); + 3. repeat #2 => gpf. + +This is because the entry is added to direct_functions, but not removed. +Fix this by remove the entry from direct_functions when +register_ftrace_direct fails. + +Also remove the last trailing space from ftrace.c, so we don't have to +worry about it anymore. + +Link: https://lkml.kernel.org/r/20220524170839.900849-1-song@kernel.org + +Cc: stable@vger.kernel.org +Fixes: 763e34e74bb7 ("ftrace: Add register_ftrace_direct()") +Signed-off-by: Song Liu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4465,7 +4465,7 @@ int ftrace_func_mapper_add_ip(struct ftr + * @ip: The instruction pointer address to remove the data from + * + * Returns the data if it is found, otherwise NULL. +- * Note, if the data pointer is used as the data itself, (see ++ * Note, if the data pointer is used as the data itself, (see + * ftrace_func_mapper_find_ip(), then the return value may be meaningless, + * if the data pointer was set to zero. 
+ */ +@@ -5195,8 +5195,6 @@ int register_ftrace_direct(unsigned long + goto out_unlock; + + ret = ftrace_set_filter_ip(&direct_ops, ip, 0, 0); +- if (ret) +- remove_hash_entry(direct_functions, entry); + + if (!ret && !(direct_ops.flags & FTRACE_OPS_FL_ENABLED)) { + ret = register_ftrace_function(&direct_ops); +@@ -5205,6 +5203,7 @@ int register_ftrace_direct(unsigned long + } + + if (ret) { ++ remove_hash_entry(direct_functions, entry); + kfree(entry); + if (!direct->count) { + list_del_rcu(&direct->next); diff --git a/queue-5.18/hugetlb-fix-huge_pmd_unshare-address-update.patch b/queue-5.18/hugetlb-fix-huge_pmd_unshare-address-update.patch new file mode 100644 index 00000000000..f4fc414d4a4 --- /dev/null +++ b/queue-5.18/hugetlb-fix-huge_pmd_unshare-address-update.patch 
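Review bot: The relocated `remove_hash_entry(direct_functions, entry);` now runs on every failure, but nothing at that site says the entry was inserted into direct_functions earlier in register_ftrace_direct(), so a later reordering of the error path could quietly reintroduce the dangling hash entry behind the ftrace_find_rec_direct() fault in the description. Suggest a one-line comment above it: `/* entry was added to direct_functions above; unlink it on every failure path so a stale entry cannot be returned by ftrace_find_rec_direct() */`. register_ftrace_direct() starts and ends outside the hunk; the first hunk in this file is a whitespace-only comment fix.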
@@ -0,0 +1,47 @@ +From 48381273f8734d28ef56a5bdf1966dd8530111bc Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Tue, 24 May 2022 13:50:03 -0700 +Subject: hugetlb: fix huge_pmd_unshare address update + +From: Mike Kravetz + +commit 48381273f8734d28ef56a5bdf1966dd8530111bc upstream. + +The routine huge_pmd_unshare() is passed a pointer to an address +associated with an area which may be unshared. If unshare is successful +this address is updated to 'optimize' callers iterating over huge page +addresses. For the optimization to work correctly, address should be +updated to the last huge page in the unmapped/unshared area. However, in +the common case where the passed address is PUD_SIZE aligned, the address +is incorrectly updated to the address of the preceding huge page. That +wastes CPU cycles as the unmapped/unshared range is scanned twice. + +Link: https://lkml.kernel.org/r/20220524205003.126184-1-mike.kravetz@oracle.com +Fixes: 39dde65c9940 ("shared page table for hugetlb page") +Signed-off-by: Mike Kravetz +Acked-by: Muchun Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -6562,7 +6562,14 @@ int huge_pmd_unshare(struct mm_struct *m + pud_clear(pud); + put_page(virt_to_page(ptep)); + mm_dec_nr_pmds(mm); +- *addr = ALIGN(*addr, HPAGE_SIZE * PTRS_PER_PTE) - HPAGE_SIZE; ++ /* ++ * This update of passed address optimizes loops sequentially ++ * processing addresses in increments of huge page size (PMD_SIZE ++ * in this case). By clearing the pud, a PUD_SIZE area is unmapped. ++ * Update address to the 'last page' in the cleared area so that ++ * calling loop can move to first page past this area. ++ */ ++ *addr |= PUD_SIZE - PMD_SIZE; + return 1; + } + 
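Review bot: The replacement `*addr |= PUD_SIZE - PMD_SIZE;` is correct only because both sizes are powers of two and *addr presumably already lies inside the PUD-sized area that the preceding pud_clear() unmapped; the added comment explains the intent but not this precondition, which the old ALIGN()-based form made explicit. Suggest extending the new comment with `* The OR is equivalent to ALIGN_DOWN(*addr, PUD_SIZE) + PUD_SIZE - PMD_SIZE` and `* because PUD_SIZE and PMD_SIZE are powers of two.` Whether every caller steps by PMD_SIZE, as the comment assumes, cannot be checked from here; huge_pmd_unshare() starts outside the hunk.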
diff --git a/queue-5.18/ima-remove-the-ima_template-kconfig-option.patch b/queue-5.18/ima-remove-the-ima_template-kconfig-option.patch
new file mode 100644
index 00000000000..742d58af5fe
--- /dev/null
+++ b/queue-5.18/ima-remove-the-ima_template-kconfig-option.patch
@@ -0,0 +1,100 @@ +From 891163adf180bc369b2f11c9dfce6d2758d2a5bd Mon Sep 17 00:00:00 2001 +From: GUO Zihua +Date: Thu, 7 Apr 2022 10:16:19 +0800 +Subject: ima: remove the IMA_TEMPLATE Kconfig option + +From: GUO Zihua + +commit 891163adf180bc369b2f11c9dfce6d2758d2a5bd upstream. + +The original 'ima' measurement list template contains a hash, defined +as 20 bytes, and a null terminated pathname, limited to 255 +characters. Other measurement list templates permit both larger hashes +and longer pathnames. When the "ima" template is configured as the +default, a new measurement list template (ima_template=) must be +specified before specifying a larger hash algorithm (ima_hash=) on the +boot command line. + +To avoid this boot command line ordering issue, remove the legacy "ima" +template configuration option, allowing it to still be specified on the +boot command line. + +The root cause of this issue is that during the processing of ima_hash, +we would try to check whether the hash algorithm is compatible with the +template. If the template is not set at the moment we do the check, we +check the algorithm against the configured default template. If the +default template is "ima", then we reject any hash algorithm other than +sha1 and md5. + +For example, if the compiled default template is "ima", and the default +algorithm is sha1 (which is the current default). In the cmdline, we put +in "ima_hash=sha256 ima_template=ima-ng". The expected behavior would be +that ima starts with ima-ng as the template and sha256 as the hash +algorithm. However, during the processing of "ima_hash=", +"ima_template=" has not been processed yet, and hash_setup would check +the configured hash algorithm against the compiled default: ima, and +reject sha256. So at the end, the hash algorithm that is actually used +will be sha1. 
+ +With template "ima" removed from the configured default, we ensure that +the default tempalte would at least be "ima-ng" which allows for +basically any hash algorithm. + +This change would not break the algorithm compatibility checks for IMA. + +Fixes: 4286587dccd43 ("ima: add Kconfig default measurement list template") +Signed-off-by: GUO Zihua +Cc: +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -69,10 +69,9 @@ choice + hash, defined as 20 bytes, and a null terminated pathname, + limited to 255 characters. The 'ima-ng' measurement list + template permits both larger hash digests and longer +- pathnames. ++ pathnames. The configured default template can be replaced ++ by specifying "ima_template=" on the boot command line. + +- config IMA_TEMPLATE +- bool "ima" + config IMA_NG_TEMPLATE + bool "ima-ng (default)" + config IMA_SIG_TEMPLATE +@@ -82,7 +81,6 @@ endchoice + config IMA_DEFAULT_TEMPLATE + string + depends on IMA +- default "ima" if IMA_TEMPLATE + default "ima-ng" if IMA_NG_TEMPLATE + default "ima-sig" if IMA_SIG_TEMPLATE + +@@ -102,19 +100,19 @@ choice + + config IMA_DEFAULT_HASH_SHA256 + bool "SHA256" +- depends on CRYPTO_SHA256=y && !IMA_TEMPLATE ++ depends on CRYPTO_SHA256=y + + config IMA_DEFAULT_HASH_SHA512 + bool "SHA512" +- depends on CRYPTO_SHA512=y && !IMA_TEMPLATE ++ depends on CRYPTO_SHA512=y + + config IMA_DEFAULT_HASH_WP512 + bool "WP512" +- depends on CRYPTO_WP512=y && !IMA_TEMPLATE ++ depends on CRYPTO_WP512=y + + config IMA_DEFAULT_HASH_SM3 + bool "SM3" +- depends on CRYPTO_SM3=y && !IMA_TEMPLATE ++ depends on CRYPTO_SM3=y + endchoice + + config IMA_DEFAULT_HASH 
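Review bot: Dropping `config IMA_TEMPLATE` means an existing .config with CONFIG_IMA_TEMPLATE=y presumably falls through to the choice default "ima-ng" on the next config refresh, which changes the measurement list record format that remote attestation verifiers parse; the new help sentence mentions the boot parameter but not this migration. Suggest adding to the help block a sentence such as `The legacy 'ima' template is no longer a build-time default; deployments whose verifiers expect that format must pass ima_template=ima on the boot command line.` The `!IMA_TEMPLATE` dependencies removed from the hash-algorithm choices are consistent with the removal; the rest of the help block is outside the hunk, so placement may need adjusting.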
diff --git a/queue-5.18/iommu-dma-fix-iova-map-result-check-bug.patch b/queue-5.18/iommu-dma-fix-iova-map-result-check-bug.patch
new file mode 100644
index 00000000000..92c91b1d2db
--- /dev/null
+++ b/queue-5.18/iommu-dma-fix-iova-map-result-check-bug.patch
@@ -0,0 +1,65 @@ +From a3884774d731f03d3a3dd4fb70ec2d9341ceb39d Mon Sep 17 00:00:00 2001 +From: Yunfei Wang +Date: Sat, 7 May 2022 16:52:03 +0800 +Subject: iommu/dma: Fix iova map result check bug + +From: Yunfei Wang + +commit a3884774d731f03d3a3dd4fb70ec2d9341ceb39d upstream. + +The data type of the return value of the iommu_map_sg_atomic +is ssize_t, but the data type of iova size is size_t, +e.g. one is int while the other is unsigned int. + +When iommu_map_sg_atomic return value is compared with iova size, +it will force the signed int to be converted to unsigned int, if +iova map fails and iommu_map_sg_atomic return error code is less +than 0, then (ret < iova_len) is false, which will to cause not +do free iova, and the master can still successfully get the iova +of map fail, which is not expected. + +Therefore, we need to check the return value of iommu_map_sg_atomic +in two cases according to whether it is less than 0. + +Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()") +Signed-off-by: Yunfei Wang +Cc: # 5.15.* +Reviewed-by: Robin Murphy +Reviewed-by: Miles Chen +Link: https://lore.kernel.org/r/20220507085204.16914-1-yf.wang@mediatek.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/dma-iommu.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -776,6 +776,7 @@ static struct page **__iommu_dma_alloc_n + unsigned int count, min_size, alloc_sizes = domain->pgsize_bitmap; + struct page **pages; + dma_addr_t iova; ++ ssize_t ret; + + if (static_branch_unlikely(&iommu_deferred_attach_enabled) && + iommu_deferred_attach(dev, domain)) +@@ -813,8 +814,8 @@ static struct page **__iommu_dma_alloc_n + arch_dma_prep_coherent(sg_page(sg), sg->length); + } + +- if (iommu_map_sg_atomic(domain, iova, sgt->sgl, sgt->orig_nents, ioprot) +- < size) ++ ret = iommu_map_sg_atomic(domain, iova, sgt->sgl, sgt->orig_nents, 
ioprot); ++ if (ret < 0 || ret < size) + goto out_free_sg; + + sgt->sgl->dma_address = iova; +@@ -1209,7 +1210,7 @@ static int iommu_dma_map_sg(struct devic + * implementation - it knows better than we do. + */ + ret = iommu_map_sg_atomic(domain, iova, sg, nents, prot); +- if (ret < iova_len) ++ if (ret < 0 || ret < iova_len) + goto out_free_iova; + + return __finalise_sg(dev, sg, nents, iova); diff --git a/queue-5.18/iommu-msm-fix-an-incorrect-null-check-on-list-iterator.patch b/queue-5.18/iommu-msm-fix-an-incorrect-null-check-on-list-iterator.patch new file mode 100644 index 00000000000..9aa7583d7b2 --- /dev/null +++ b/queue-5.18/iommu-msm-fix-an-incorrect-null-check-on-list-iterator.patch 
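Review bot: Both new checks, `if (ret < 0 || ret < size)` in the first hunk and `if (ret < 0 || ret < iova_len)` in iommu_dma_map_sg, still compare a ssize_t against a size_t in the second operand; the leading `ret < 0` guard makes the unsigned promotion harmless, but the mixed-sign comparison that caused the original bug remains visible and -Wsign-compare will keep flagging it. Writing the intent explicitly, `if (ret < 0 || (size_t)ret < size)` and `if (ret < 0 || (size_t)ret < iova_len)`, records that ret is known non-negative at that point. Both enclosing functions start and end outside the hunk.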
@@ -0,0 +1,58 @@ +From 8b9ad480bd1dd25f4ff4854af5685fa334a2f57a Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Sun, 1 May 2022 21:28:23 +0800 +Subject: iommu/msm: Fix an incorrect NULL check on list iterator + +From: Xiaomeng Tong + +commit 8b9ad480bd1dd25f4ff4854af5685fa334a2f57a upstream. + +The bug is here: + if (!iommu || iommu->dev->of_node != spec->np) { + +The list iterator value 'iommu' will *always* be set and non-NULL by +list_for_each_entry(), so it is incorrect to assume that the iterator +value will be NULL if the list is empty or no element is found (in fact, +it will point to a invalid structure object containing HEAD). + +To fix the bug, use a new value 'iter' as the list iterator, while use +the old value 'iommu' as a dedicated variable to point to the found one, +and remove the unneeded check for 'iommu->dev->of_node != spec->np' +outside the loop. + +Cc: stable@vger.kernel.org +Fixes: f78ebca8ff3d6 ("iommu/msm: Add support for generic master bindings") +Signed-off-by: Xiaomeng Tong +Link: https://lore.kernel.org/r/20220501132823.12714-1-xiam0nd.tong@gmail.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/msm_iommu.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/iommu/msm_iommu.c ++++ b/drivers/iommu/msm_iommu.c +@@ -610,16 +610,19 @@ static void insert_iommu_master(struct d + static int qcom_iommu_of_xlate(struct device *dev, + struct of_phandle_args *spec) + { +- struct msm_iommu_dev *iommu; ++ struct msm_iommu_dev *iommu = NULL, *iter; + unsigned long flags; + int ret = 0; + + spin_lock_irqsave(&msm_iommu_lock, flags); +- list_for_each_entry(iommu, &qcom_iommu_devices, dev_node) +- if (iommu->dev->of_node == spec->np) ++ list_for_each_entry(iter, &qcom_iommu_devices, dev_node) { ++ if (iter->dev->of_node == spec->np) { ++ iommu = iter; + break; ++ } ++ } + +- if (!iommu || iommu->dev->of_node != spec->np) { ++ if (!iommu) { + ret = -ENODEV; + goto fail; + } 
diff --git a/queue-5.18/irqchip-armada-370-xp-do-not-touch-performance-counter-overflow-on-a375-a38x-a39x.patch b/queue-5.18/irqchip-armada-370-xp-do-not-touch-performance-counter-overflow-on-a375-a38x-a39x.patch
new file mode 100644
index 00000000000..fec762e19eb
--- /dev/null
+++ b/queue-5.18/irqchip-armada-370-xp-do-not-touch-performance-counter-overflow-on-a375-a38x-a39x.patch
@@ -0,0 +1,48 @@ +From a3d66a76348daf559873f19afc912a2a7c2ccdaf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Mon, 25 Apr 2022 13:37:05 +0200 +Subject: irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit a3d66a76348daf559873f19afc912a2a7c2ccdaf upstream. + +Register ARMADA_370_XP_INT_FABRIC_MASK_OFFS is Armada 370 and XP specific +and on new Armada platforms it has different meaning. It does not configure +Performance Counter Overflow interrupt masking. So do not touch this +register on non-A370/XP platforms (A375, A38x and A39x). + +Signed-off-by: Pali Rohár +Cc: stable@vger.kernel.org +Fixes: 28da06dfd9e4 ("irqchip: armada-370-xp: Enable the PMU interrupts") +Reviewed-by: Andrew Lunn +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220425113706.29310-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-armada-370-xp.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -308,7 +308,16 @@ static inline int armada_370_xp_msi_init + + static void armada_xp_mpic_perf_init(void) + { +- unsigned long cpuid = cpu_logical_map(smp_processor_id()); ++ unsigned long cpuid; ++ ++ /* ++ * This Performance Counter Overflow interrupt is specific for ++ * Armada 370 and XP. It is not available on Armada 375, 38x and 39x. ++ */ ++ if (!of_machine_is_compatible("marvell,armada-370-xp")) ++ return; ++ ++ cpuid = cpu_logical_map(smp_processor_id()); + + /* Enable Performance Counter Overflow interrupts */ + writel(ARMADA_370_XP_INT_CAUSE_PERF(cpuid), diff --git a/queue-5.18/irqchip-irq-xtensa-mx-fix-initial-irq-affinity.patch b/queue-5.18/irqchip-irq-xtensa-mx-fix-initial-irq-affinity.patch new file mode 100644 index 00000000000..054471528a0 --- /dev/null 
+++ b/queue-5.18/irqchip-irq-xtensa-mx-fix-initial-irq-affinity.patch 
@@ -0,0 +1,62 @@ +From a255ee29252066d621df5d6b420bf534c6ba5bc0 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Tue, 26 Apr 2022 09:01:18 -0700 +Subject: irqchip: irq-xtensa-mx: fix initial IRQ affinity + +From: Max Filippov + +commit a255ee29252066d621df5d6b420bf534c6ba5bc0 upstream. + +When irq-xtensa-mx chip is used in non-SMP configuration its +irq_set_affinity callback is not called leaving IRQ affinity set empty. +As a result IRQ delivery does not work in that configuration. +Initialize IRQ affinity of the xtensa MX interrupt distributor to CPU 0 +for all external IRQ lines. + +Cc: stable@vger.kernel.org +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-xtensa-mx.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/irqchip/irq-xtensa-mx.c ++++ b/drivers/irqchip/irq-xtensa-mx.c +@@ -151,14 +151,25 @@ static struct irq_chip xtensa_mx_irq_chi + .irq_set_affinity = xtensa_mx_irq_set_affinity, + }; + ++static void __init xtensa_mx_init_common(struct irq_domain *root_domain) ++{ ++ unsigned int i; ++ ++ irq_set_default_host(root_domain); ++ secondary_init_irq(); ++ ++ /* Initialize default IRQ routing to CPU 0 */ ++ for (i = 0; i < XCHAL_NUM_EXTINTERRUPTS; ++i) ++ set_er(1, MIROUT(i)); ++} ++ + int __init xtensa_mx_init_legacy(struct device_node *interrupt_parent) + { + struct irq_domain *root_domain = + irq_domain_add_legacy(NULL, NR_IRQS - 1, 1, 0, + &xtensa_mx_irq_domain_ops, + &xtensa_mx_irq_chip); +- irq_set_default_host(root_domain); +- secondary_init_irq(); ++ xtensa_mx_init_common(root_domain); + return 0; + } + +@@ -168,8 +179,7 @@ static int __init xtensa_mx_init(struct + struct irq_domain *root_domain = + irq_domain_add_linear(np, NR_IRQS, &xtensa_mx_irq_domain_ops, + &xtensa_mx_irq_chip); +- irq_set_default_host(root_domain); +- secondary_init_irq(); ++ xtensa_mx_init_common(root_domain); + return 0; + } + IRQCHIP_DECLARE(xtensa_mx_irq_chip, "cdns,xtensa-mx", 
xtensa_mx_init); diff --git a/queue-5.18/kconfig-add-option-for-asm-goto-w-tied-outputs-to-workaround-clang-13-bug.patch b/queue-5.18/kconfig-add-option-for-asm-goto-w-tied-outputs-to-workaround-clang-13-bug.patch new file mode 100644 index 00000000000..fb3dd293e7b --- /dev/null +++ b/queue-5.18/kconfig-add-option-for-asm-goto-w-tied-outputs-to-workaround-clang-13-bug.patch 
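Review bot: The literal `1` in `set_er(1, MIROUT(i));` is a CPU routing mask rather than a count or flag, and nothing at the call site says so; the comment above the loop names the target CPU but not the encoding. Suggest `/* MIROUT(i) holds a CPU bitmask for external IRQ i; bit 0 selects CPU 0 */` above the loop, or a named constant for the mask, assuming the register layout matches what xtensa_mx_irq_set_affinity (outside the hunk) writes — worth confirming against that callback. xtensa_mx_init_common is complete within the hunk; its two callers are shown only partially.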
@@ -0,0 +1,61 @@ +From 1aa0e8b144b6474c4914439d232d15bfe883636b Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 2 Feb 2022 00:49:41 +0000 +Subject: Kconfig: Add option for asm goto w/ tied outputs to workaround clang-13 bug + +From: Sean Christopherson + +commit 1aa0e8b144b6474c4914439d232d15bfe883636b upstream. + +Add a config option to guard (future) usage of asm_volatile_goto() that +includes "tied outputs", i.e. "+" constraints that specify both an input +and output parameter. clang-13 has a bug[1] that causes compilation of +such inline asm to fail, and KVM wants to use a "+m" constraint to +implement a uaccess form of CMPXCHG[2]. E.g. the test code fails with + + :1:29: error: invalid operand in inline asm: '.long (${1:l}) - .' + int foo(int *x) { asm goto (".long (%l[bar]) - .\n": "+m"(*x) ::: bar); return *x; bar: return 0; } + ^ + :1:29: error: unknown token in expression + :1:9: note: instantiated into assembly here + .long () - . + ^ + 2 errors generated. + +on clang-13, but passes on gcc (with appropriate asm goto support). The +bug is fixed in clang-14, but won't be backported to clang-13 as the +changes are too invasive/risky. + +gcc also had a similar bug[3], fixed in gcc-11, where gcc failed to +account for its behavior of assigning two numbers to tied outputs (one +for input, one for output) when evaluating symbolic references. 
+ +[1] https://github.com/ClangBuiltLinux/linux/issues/1512 +[2] https://lore.kernel.org/all/YfMruK8%2F1izZ2VHS@google.com +[3] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98096 + +Suggested-by: Nick Desaulniers +Reviewed-by: Nick Desaulniers +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20220202004945.2540433-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + init/Kconfig | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -77,6 +77,11 @@ config CC_HAS_ASM_GOTO_OUTPUT + depends on CC_HAS_ASM_GOTO + def_bool $(success,echo 'int foo(int x) { asm goto ("": "=r"(x) ::: bar); return x; bar: return 0; }' | $(CC) -x c - -c -o /dev/null) + ++config CC_HAS_ASM_GOTO_TIED_OUTPUT ++ depends on CC_HAS_ASM_GOTO_OUTPUT ++ # Detect buggy gcc and clang, fixed in gcc-11 clang-14. ++ def_bool $(success,echo 'int foo(int *x) { asm goto (".long (%l[bar]) - .\n": "+m"(*x) ::: bar); return *x; bar: return 0; }' | $CC -x c - -c -o /dev/null) ++ + config TOOLS_SUPPORT_RELR + def_bool $(success,env "CC=$(CC)" "LD=$(LD)" "NM=$(NM)" "OBJCOPY=$(OBJCOPY)" $(srctree)/scripts/tools-support-relr.sh) + diff --git a/queue-5.18/kexec_file-drop-weak-attribute-from-arch_kexec_apply_relocations.patch b/queue-5.18/kexec_file-drop-weak-attribute-from-arch_kexec_apply_relocations.patch new file mode 100644 index 00000000000..978136c7786 --- /dev/null +++ b/queue-5.18/kexec_file-drop-weak-attribute-from-arch_kexec_apply_relocations.patch 
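Review bot: The new def_bool line invokes the compiler as `$CC` while the existing CC_HAS_ASM_GOTO_OUTPUT line directly above uses `$(CC)`; the former is not expanded by Kconfig and relies on CC reaching the spawned shell's environment, so the two probes may not agree on which compiler they test. Aligning it, `... | $(CC) -x c - -c -o /dev/null)`, removes that dependency. Separately, the probe program is emitted with echo and contains a `\n` inside a C string literal; a /bin/sh whose echo interprets backslash escapes would turn that into a real line break and make the probe fail, silently disabling the option — emitting the program with printf and a format string would avoid that. Both points concern the one added block; the surrounding entries are context only.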
@@ -0,0 +1,184 @@ +From 3e35142ef99fe6b4fe5d834ad43ee13cca10a2dc Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 19 May 2022 14:42:37 +0530 +Subject: kexec_file: drop weak attribute from arch_kexec_apply_relocations[_add] + +From: Naveen N. Rao + +commit 3e35142ef99fe6b4fe5d834ad43ee13cca10a2dc upstream. + +Since commit d1bcae833b32f1 ("ELF: Don't generate unused section +symbols") [1], binutils (v2.36+) started dropping section symbols that +it thought were unused. This isn't an issue in general, but with +kexec_file.c, gcc is placing kexec_arch_apply_relocations[_add] into a +separate .text.unlikely section and the section symbol ".text.unlikely" +is being dropped. Due to this, recordmcount is unable to find a non-weak +symbol in .text.unlikely to generate a relocation record against. + +Address this by dropping the weak attribute from these functions. +Instead, follow the existing pattern of having architectures #define the +name of the function they want to override in their headers. + +[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=d1bcae833b32f1 + +[akpm@linux-foundation.org: arch/s390/include/asm/kexec.h needs linux/module.h] +Link: https://lkml.kernel.org/r/20220519091237.676736-1-naveen.n.rao@linux.vnet.ibm.com +Signed-off-by: Michael Ellerman +Signed-off-by: Naveen N. Rao +Cc: "Eric W. 
Biederman" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/kexec.h | 10 +++++++++ + arch/x86/include/asm/kexec.h | 8 +++++++ + include/linux/kexec.h | 46 ++++++++++++++++++++++++++++++++++-------- + kernel/kexec_file.c | 34 ------------------------------- + 4 files changed, 56 insertions(+), 42 deletions(-) + +--- a/arch/s390/include/asm/kexec.h ++++ b/arch/s390/include/asm/kexec.h +@@ -9,6 +9,8 @@ + #ifndef _S390_KEXEC_H + #define _S390_KEXEC_H + ++#include ++ + #include + #include + #include +@@ -83,4 +85,12 @@ struct kimage_arch { + extern const struct kexec_file_ops s390_kexec_image_ops; + extern const struct kexec_file_ops s390_kexec_elf_ops; + ++#ifdef CONFIG_KEXEC_FILE ++struct purgatory_info; ++int arch_kexec_apply_relocations_add(struct purgatory_info *pi, ++ Elf_Shdr *section, ++ const Elf_Shdr *relsec, ++ const Elf_Shdr *symtab); ++#define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add ++#endif + #endif /*_S390_KEXEC_H */ +--- a/arch/x86/include/asm/kexec.h ++++ b/arch/x86/include/asm/kexec.h +@@ -186,6 +186,14 @@ extern int arch_kexec_post_alloc_pages(v + extern void arch_kexec_pre_free_pages(void *vaddr, unsigned int pages); + #define arch_kexec_pre_free_pages arch_kexec_pre_free_pages + ++#ifdef CONFIG_KEXEC_FILE ++struct purgatory_info; ++int arch_kexec_apply_relocations_add(struct purgatory_info *pi, ++ Elf_Shdr *section, ++ const Elf_Shdr *relsec, ++ const Elf_Shdr *symtab); ++#define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add ++#endif + #endif + + typedef void crash_vmclear_fn(void); +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -193,14 +193,6 @@ void *kexec_purgatory_get_symbol_addr(st + int arch_kexec_kernel_image_probe(struct kimage *image, void *buf, + unsigned long buf_len); + void *arch_kexec_kernel_image_load(struct kimage *image); +-int arch_kexec_apply_relocations_add(struct purgatory_info *pi, +- Elf_Shdr *section, +- const 
Elf_Shdr *relsec, +- const Elf_Shdr *symtab); +-int arch_kexec_apply_relocations(struct purgatory_info *pi, +- Elf_Shdr *section, +- const Elf_Shdr *relsec, +- const Elf_Shdr *symtab); + int arch_kimage_file_post_load_cleanup(struct kimage *image); + #ifdef CONFIG_KEXEC_SIG + int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, +@@ -229,6 +221,44 @@ extern int crash_exclude_mem_range(struc + unsigned long long mend); + extern int crash_prepare_elf64_headers(struct crash_mem *mem, int kernel_map, + void **addr, unsigned long *sz); ++ ++#ifndef arch_kexec_apply_relocations_add ++/* ++ * arch_kexec_apply_relocations_add - apply relocations of type RELA ++ * @pi: Purgatory to be relocated. ++ * @section: Section relocations applying to. ++ * @relsec: Section containing RELAs. ++ * @symtab: Corresponding symtab. ++ * ++ * Return: 0 on success, negative errno on error. ++ */ ++static inline int ++arch_kexec_apply_relocations_add(struct purgatory_info *pi, Elf_Shdr *section, ++ const Elf_Shdr *relsec, const Elf_Shdr *symtab) ++{ ++ pr_err("RELA relocation unsupported.\n"); ++ return -ENOEXEC; ++} ++#endif ++ ++#ifndef arch_kexec_apply_relocations ++/* ++ * arch_kexec_apply_relocations - apply relocations of type REL ++ * @pi: Purgatory to be relocated. ++ * @section: Section relocations applying to. ++ * @relsec: Section containing RELs. ++ * @symtab: Corresponding symtab. ++ * ++ * Return: 0 on success, negative errno on error. ++ */ ++static inline int ++arch_kexec_apply_relocations(struct purgatory_info *pi, Elf_Shdr *section, ++ const Elf_Shdr *relsec, const Elf_Shdr *symtab) ++{ ++ pr_err("REL relocation unsupported.\n"); ++ return -ENOEXEC; ++} ++#endif + #endif /* CONFIG_KEXEC_FILE */ + + #ifdef CONFIG_KEXEC_ELF +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -109,40 +109,6 @@ int __weak arch_kexec_kernel_verify_sig( + #endif + + /* +- * arch_kexec_apply_relocations_add - apply relocations of type RELA +- * @pi: Purgatory to be relocated. 
+- * @section: Section relocations applying to. +- * @relsec: Section containing RELAs. +- * @symtab: Corresponding symtab. +- * +- * Return: 0 on success, negative errno on error. +- */ +-int __weak +-arch_kexec_apply_relocations_add(struct purgatory_info *pi, Elf_Shdr *section, +- const Elf_Shdr *relsec, const Elf_Shdr *symtab) +-{ +- pr_err("RELA relocation unsupported.\n"); +- return -ENOEXEC; +-} +- +-/* +- * arch_kexec_apply_relocations - apply relocations of type REL +- * @pi: Purgatory to be relocated. +- * @section: Section relocations applying to. +- * @relsec: Section containing RELs. +- * @symtab: Corresponding symtab. +- * +- * Return: 0 on success, negative errno on error. +- */ +-int __weak +-arch_kexec_apply_relocations(struct purgatory_info *pi, Elf_Shdr *section, +- const Elf_Shdr *relsec, const Elf_Shdr *symtab) +-{ +- pr_err("REL relocation unsupported.\n"); +- return -ENOEXEC; +-} +- +-/* + * Free up memory used by kernel, initrd, and command line. This is temporary + * memory allocation which is not needed any more after these buffers have + * been loaded into separate segments and have been copied elsewhere. diff --git a/queue-5.18/kprobes-fix-build-errors-with-config_kretprobes-n.patch b/queue-5.18/kprobes-fix-build-errors-with-config_kretprobes-n.patch new file mode 100644 index 00000000000..2b0fe86b616 --- /dev/null +++ b/queue-5.18/kprobes-fix-build-errors-with-config_kretprobes-n.patch 
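Review bot: The generic fallbacks added to include/linux/kexec.h depend on an override protocol that the header never states: an architecture replaces them by declaring the real function in its asm/kexec.h and then defining the name to itself, exactly as the s390 and x86 hunks do with `#define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add`. An architecture that provides the function but forgets the define would, as far as these lines show, get the `static inline` stub instead and see purgatory loading fail with -ENOEXEC at kexec_file_load time rather than at build time (whether its extern declaration would collide with the stub first is not visible here). A two-sentence comment above the first `#ifndef arch_kexec_apply_relocations_add` describing the declare-and-define override would spare the next porter that silent fallback.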
@@ -0,0 +1,223 @@ +From 43994049180704fd1faf78623fabd9a5cd443708 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Wed, 4 May 2022 12:36:31 +0900 +Subject: kprobes: Fix build errors with CONFIG_KRETPROBES=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Masami Hiramatsu + +commit 43994049180704fd1faf78623fabd9a5cd443708 upstream. + +Max Filippov reported: + +When building kernel with CONFIG_KRETPROBES=n kernel/kprobes.c +compilation fails with the following messages: + + kernel/kprobes.c: In function ‘recycle_rp_inst’: + kernel/kprobes.c:1273:32: error: implicit declaration of function + ‘get_kretprobe’ + + kernel/kprobes.c: In function ‘kprobe_flush_task’: + kernel/kprobes.c:1299:35: error: ‘struct task_struct’ has no member + named ‘kretprobe_instances’ + +This came from the commit d741bf41d7c7 ("kprobes: Remove +kretprobe hash") which introduced get_kretprobe() and +kretprobe_instances member in task_struct when CONFIG_KRETPROBES=y, +but did not make recycle_rp_inst() and kprobe_flush_task() +depending on CONFIG_KRETPORBES. + +Since those functions are only used for kretprobe, move those +functions into #ifdef CONFIG_KRETPROBE area. + +Link: https://lkml.kernel.org/r/165163539094.74407.3838114721073251225.stgit@devnote2 + +Reported-by: Max Filippov +Fixes: d741bf41d7c7 ("kprobes: Remove kretprobe hash") +Cc: "Naveen N . Rao" +Cc: Anil S Keshavamurthy +Cc: "David S . 
Miller" +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu +Tested-by: Max Filippov +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kprobes.h | 2 + kernel/kprobes.c | 144 +++++++++++++++++++++++------------------------- + 2 files changed, 72 insertions(+), 74 deletions(-) + +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -424,7 +424,7 @@ void unregister_kretprobe(struct kretpro + int register_kretprobes(struct kretprobe **rps, int num); + void unregister_kretprobes(struct kretprobe **rps, int num); + +-#ifdef CONFIG_KRETPROBE_ON_RETHOOK ++#if defined(CONFIG_KRETPROBE_ON_RETHOOK) || !defined(CONFIG_KRETPROBES) + #define kprobe_flush_task(tk) do {} while (0) + #else + void kprobe_flush_task(struct task_struct *tk); +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1257,79 +1257,6 @@ void kprobe_busy_end(void) + preempt_enable(); + } + +-#if !defined(CONFIG_KRETPROBE_ON_RETHOOK) +-static void free_rp_inst_rcu(struct rcu_head *head) +-{ +- struct kretprobe_instance *ri = container_of(head, struct kretprobe_instance, rcu); +- +- if (refcount_dec_and_test(&ri->rph->ref)) +- kfree(ri->rph); +- kfree(ri); +-} +-NOKPROBE_SYMBOL(free_rp_inst_rcu); +- +-static void recycle_rp_inst(struct kretprobe_instance *ri) +-{ +- struct kretprobe *rp = get_kretprobe(ri); +- +- if (likely(rp)) +- freelist_add(&ri->freelist, &rp->freelist); +- else +- call_rcu(&ri->rcu, free_rp_inst_rcu); +-} +-NOKPROBE_SYMBOL(recycle_rp_inst); +- +-/* +- * This function is called from delayed_put_task_struct() when a task is +- * dead and cleaned up to recycle any kretprobe instances associated with +- * this task. These left over instances represent probed functions that +- * have been called but will never return. +- */ +-void kprobe_flush_task(struct task_struct *tk) +-{ +- struct kretprobe_instance *ri; +- struct llist_node *node; +- +- /* Early boot, not yet initialized. 
*/ +- if (unlikely(!kprobes_initialized)) +- return; +- +- kprobe_busy_begin(); +- +- node = __llist_del_all(&tk->kretprobe_instances); +- while (node) { +- ri = container_of(node, struct kretprobe_instance, llist); +- node = node->next; +- +- recycle_rp_inst(ri); +- } +- +- kprobe_busy_end(); +-} +-NOKPROBE_SYMBOL(kprobe_flush_task); +- +-static inline void free_rp_inst(struct kretprobe *rp) +-{ +- struct kretprobe_instance *ri; +- struct freelist_node *node; +- int count = 0; +- +- node = rp->freelist.head; +- while (node) { +- ri = container_of(node, struct kretprobe_instance, freelist); +- node = node->next; +- +- kfree(ri); +- count++; +- } +- +- if (refcount_sub_and_test(count, &rp->rph->ref)) { +- kfree(rp->rph); +- rp->rph = NULL; +- } +-} +-#endif /* !CONFIG_KRETPROBE_ON_RETHOOK */ +- + /* Add the new probe to 'ap->list'. */ + static int add_new_kprobe(struct kprobe *ap, struct kprobe *p) + { +@@ -1928,6 +1855,77 @@ static struct notifier_block kprobe_exce + #ifdef CONFIG_KRETPROBES + + #if !defined(CONFIG_KRETPROBE_ON_RETHOOK) ++static void free_rp_inst_rcu(struct rcu_head *head) ++{ ++ struct kretprobe_instance *ri = container_of(head, struct kretprobe_instance, rcu); ++ ++ if (refcount_dec_and_test(&ri->rph->ref)) ++ kfree(ri->rph); ++ kfree(ri); ++} ++NOKPROBE_SYMBOL(free_rp_inst_rcu); ++ ++static void recycle_rp_inst(struct kretprobe_instance *ri) ++{ ++ struct kretprobe *rp = get_kretprobe(ri); ++ ++ if (likely(rp)) ++ freelist_add(&ri->freelist, &rp->freelist); ++ else ++ call_rcu(&ri->rcu, free_rp_inst_rcu); ++} ++NOKPROBE_SYMBOL(recycle_rp_inst); ++ ++/* ++ * This function is called from delayed_put_task_struct() when a task is ++ * dead and cleaned up to recycle any kretprobe instances associated with ++ * this task. These left over instances represent probed functions that ++ * have been called but will never return. 
++ */ ++void kprobe_flush_task(struct task_struct *tk) ++{ ++ struct kretprobe_instance *ri; ++ struct llist_node *node; ++ ++ /* Early boot, not yet initialized. */ ++ if (unlikely(!kprobes_initialized)) ++ return; ++ ++ kprobe_busy_begin(); ++ ++ node = __llist_del_all(&tk->kretprobe_instances); ++ while (node) { ++ ri = container_of(node, struct kretprobe_instance, llist); ++ node = node->next; ++ ++ recycle_rp_inst(ri); ++ } ++ ++ kprobe_busy_end(); ++} ++NOKPROBE_SYMBOL(kprobe_flush_task); ++ ++static inline void free_rp_inst(struct kretprobe *rp) ++{ ++ struct kretprobe_instance *ri; ++ struct freelist_node *node; ++ int count = 0; ++ ++ node = rp->freelist.head; ++ while (node) { ++ ri = container_of(node, struct kretprobe_instance, freelist); ++ node = node->next; ++ ++ kfree(ri); ++ count++; ++ } ++ ++ if (refcount_sub_and_test(count, &rp->rph->ref)) { ++ kfree(rp->rph); ++ rp->rph = NULL; ++ } ++} ++ + /* This assumes the 'tsk' is the current task or the is not running. */ + static kprobe_opcode_t *__kretprobe_find_ret_addr(struct task_struct *tsk, + struct llist_node **cur) diff --git a/queue-5.18/ksmbd-fix-outstanding-credits-related-bugs.patch b/queue-5.18/ksmbd-fix-outstanding-credits-related-bugs.patch new file mode 100644 index 00000000000..9987afccdd0 --- /dev/null +++ b/queue-5.18/ksmbd-fix-outstanding-credits-related-bugs.patch 
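Review bot: The header condition `#if defined(CONFIG_KRETPROBE_ON_RETHOOK) || !defined(CONFIG_KRETPROBES)` in include/linux/kprobes.h now has to mirror the nested `#ifdef CONFIG_KRETPROBES` / `#if !defined(CONFIG_KRETPROBE_ON_RETHOOK)` under which kernel/kprobes.c provides kprobe_flush_task(), and nothing in either file ties the two together. Suggest a comment on the header line, `/* must match the #ifdef nesting around kprobe_flush_task() in kernel/kprobes.c */`, so a future change keeps them in step. The function bodies moved within kernel/kprobes.c are byte-identical to the removed ones, so no behavioural point arises from the move itself.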
@@ -0,0 +1,73 @@ +From 376b9133826865568167b4091ef92a68c4622b87 Mon Sep 17 00:00:00 2001 +From: Hyunchul Lee +Date: Fri, 20 May 2022 14:35:47 +0900 +Subject: ksmbd: fix outstanding credits related bugs + +From: Hyunchul Lee + +commit 376b9133826865568167b4091ef92a68c4622b87 upstream. + +outstanding credits must be initialized to 0, +because it means the sum of credits consumed by +in-flight requests. +And outstanding credits must be compared with +total credits in smb2_validate_credit_charge(), +because total credits are the sum of credits +granted by ksmbd. + +This patch fix the following error, +while frametest with Windows clients: + +Limits exceeding the maximum allowable outstanding requests, +given : 128, pending : 8065 + +Fixes: b589f5db6d4a ("ksmbd: limits exceeding the maximum allowable outstanding requests") +Cc: stable@vger.kernel.org +Signed-off-by: Hyunchul Lee +Reported-by: Yufan Chen +Tested-by: Yufan Chen +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/connection.c | 2 +- + fs/ksmbd/smb2misc.c | 2 +- + fs/ksmbd/smb_common.c | 4 +++- + 3 files changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/ksmbd/connection.c ++++ b/fs/ksmbd/connection.c +@@ -62,7 +62,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void + atomic_set(&conn->req_running, 0); + atomic_set(&conn->r_count, 0); + conn->total_credits = 1; +- conn->outstanding_credits = 1; ++ conn->outstanding_credits = 0; + + init_waitqueue_head(&conn->req_running_q); + INIT_LIST_HEAD(&conn->conns_list); +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -338,7 +338,7 @@ static int smb2_validate_credit_charge(s + ret = 1; + } + +- if ((u64)conn->outstanding_credits + credit_charge > conn->vals->max_credits) { ++ if ((u64)conn->outstanding_credits + credit_charge > conn->total_credits) { + ksmbd_debug(SMB, "Limits exceeding the maximum allowable outstanding requests, given : %u, pending : %u\n", + credit_charge, conn->outstanding_credits); + ret = 
1; +--- a/fs/ksmbd/smb_common.c ++++ b/fs/ksmbd/smb_common.c +@@ -140,8 +140,10 @@ int ksmbd_verify_smb_message(struct ksmb + + hdr = work->request_buf; + if (*(__le32 *)hdr->Protocol == SMB1_PROTO_NUMBER && +- hdr->Command == SMB_COM_NEGOTIATE) ++ hdr->Command == SMB_COM_NEGOTIATE) { ++ work->conn->outstanding_credits++; + return 0; ++ } + + return -EINVAL; + } diff --git a/queue-5.18/lib-string_helpers-fix-not-adding-strarray-to-device-s-resource-list.patch b/queue-5.18/lib-string_helpers-fix-not-adding-strarray-to-device-s-resource-list.patch new file mode 100644 index 00000000000..71504a443ec --- /dev/null +++ b/queue-5.18/lib-string_helpers-fix-not-adding-strarray-to-device-s-resource-list.patch @@ -0,0 +1,41 @@ +From cd290a9839cee2f6641558877e707bd373c8f6f1 Mon Sep 17 00:00:00 2001 +From: Puyou Lu +Date: Thu, 12 May 2022 20:38:36 -0700 +Subject: lib/string_helpers: fix not adding strarray to device's resource list + +From: Puyou Lu + +commit cd290a9839cee2f6641558877e707bd373c8f6f1 upstream. + +Add allocated strarray to device's resource list. This is a must to +automatically release strarray when the device disappears. + +Without this fix we have a memory leak in the few drivers which use +devm_kasprintf_strarray(). + +Link: https://lkml.kernel.org/r/20220506044409.30066-1-puyou.lu@gmail.com +Link: https://lkml.kernel.org/r/20220506073623.2679-1-puyou.lu@gmail.com +Fixes: acdb89b6c87a ("lib/string_helpers: Introduce managed variant of kasprintf_strarray()") +Signed-off-by: Puyou Lu +Reviewed-by: Andy Shevchenko +Reviewed-by: Linus Walleij +Cc: Tejun Heo +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/string_helpers.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/lib/string_helpers.c ++++ b/lib/string_helpers.c +@@ -757,6 +757,9 @@ char **devm_kasprintf_strarray(struct de + return ERR_PTR(-ENOMEM); + } + ++ ptr->n = n; ++ devres_add(dev, ptr); ++ + return ptr->array; + } + EXPORT_SYMBOL_GPL(devm_kasprintf_strarray); 
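Review bot: The `work->conn->outstanding_credits++` added to the SMB1 NEGOTIATE path of ksmbd_verify_smb_message() has no bound or counterpart in these hunks, unlike the SMB2 path, which smb2_validate_credit_charge() now checks against `conn->total_credits`; whether that increment is balanced when the NEGOTIATE response is sent lies outside the hunk and is worth confirming, since an unbalanced one would leave the limit off by one for the rest of the connection. The debug message in smb2_validate_credit_charge() still prints only `credit_charge` and `outstanding_credits` although the bound it enforces is now `total_credits`; printing it makes a rejection diagnosable: `ksmbd_debug(SMB, "Limits exceeding the maximum allowable outstanding requests, given : %u, pending : %u, total : %u\n", credit_charge, conn->outstanding_credits, conn->total_credits);`. Both functions begin and end outside their hunks.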
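Review bot: `ptr->n = n;` followed by `devres_add(dev, ptr);` is placed after the `return ERR_PTR(-ENOMEM)` path, so devres only ever owns a fully built strarray and the release callback (outside the hunk) can rely on `n`; that ordering is the whole point of the fix and deserves a line saying so: `/* hand ownership to devres only once the array is complete */`. devm_kasprintf_strarray() begins outside the hunk.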
diff --git a/queue-5.18/mac80211-upgrade-passive-scan-to-active-scan-on-dfs-channels-after-beacon-rx.patch b/queue-5.18/mac80211-upgrade-passive-scan-to-active-scan-on-dfs-channels-after-beacon-rx.patch new file mode 100644 index 00000000000..0205f8aae0a --- /dev/null +++ b/queue-5.18/mac80211-upgrade-passive-scan-to-active-scan-on-dfs-channels-after-beacon-rx.patch 
@@ -0,0 +1,103 @@ +From b041b7b9de6e1d4362de855ab90f9d03ef323edd Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 20 Apr 2022 12:49:07 +0200 +Subject: mac80211: upgrade passive scan to active scan on DFS channels after beacon rx + +From: Felix Fietkau + +commit b041b7b9de6e1d4362de855ab90f9d03ef323edd upstream. + +In client mode, we can't connect to hidden SSID APs or SSIDs not advertised +in beacons on DFS channels, since we're forced to passive scan. Fix this by +sending out a probe request immediately after the first beacon, if active +scan was requested by the user. + +Cc: stable@vger.kernel.org +Reported-by: Catrinel Catrinescu +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20220420104907.36275-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 5 +++++ + net/mac80211/scan.c | 20 ++++++++++++++++++++ + 2 files changed, 25 insertions(+) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1148,6 +1148,9 @@ struct tpt_led_trigger { + * a scan complete for an aborted scan. + * @SCAN_HW_CANCELLED: Set for our scan work function when the scan is being + * cancelled. ++ * @SCAN_BEACON_WAIT: Set whenever we're passive scanning because of radar/no-IR ++ * and could send a probe request after receiving a beacon. 
++ * @SCAN_BEACON_DONE: Beacon received, we can now send a probe request + */ + enum { + SCAN_SW_SCANNING, +@@ -1156,6 +1159,8 @@ enum { + SCAN_COMPLETED, + SCAN_ABORTED, + SCAN_HW_CANCELLED, ++ SCAN_BEACON_WAIT, ++ SCAN_BEACON_DONE, + }; + + /** +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -281,6 +281,16 @@ void ieee80211_scan_rx(struct ieee80211_ + if (likely(!sdata1 && !sdata2)) + return; + ++ if (test_and_clear_bit(SCAN_BEACON_WAIT, &local->scanning)) { ++ /* ++ * we were passive scanning because of radar/no-IR, but ++ * the beacon/proberesp rx gives us an opportunity to upgrade ++ * to active scan ++ */ ++ set_bit(SCAN_BEACON_DONE, &local->scanning); ++ ieee80211_queue_delayed_work(&local->hw, &local->scan_work, 0); ++ } ++ + if (ieee80211_is_probe_resp(mgmt->frame_control)) { + struct cfg80211_scan_request *scan_req; + struct cfg80211_sched_scan_request *sched_scan_req; +@@ -787,6 +797,8 @@ static int __ieee80211_start_scan(struct + IEEE80211_CHAN_RADAR)) || + !req->n_ssids) { + next_delay = IEEE80211_PASSIVE_CHANNEL_TIME; ++ if (req->n_ssids) ++ set_bit(SCAN_BEACON_WAIT, &local->scanning); + } else { + ieee80211_scan_state_send_probe(local, &next_delay); + next_delay = IEEE80211_CHANNEL_TIME; +@@ -998,6 +1010,8 @@ set_channel: + !scan_req->n_ssids) { + *next_delay = IEEE80211_PASSIVE_CHANNEL_TIME; + local->next_scan_state = SCAN_DECISION; ++ if (scan_req->n_ssids) ++ set_bit(SCAN_BEACON_WAIT, &local->scanning); + return; + } + +@@ -1090,6 +1104,8 @@ void ieee80211_scan_work(struct work_str + goto out; + } + ++ clear_bit(SCAN_BEACON_WAIT, &local->scanning); ++ + /* + * as long as no delay is required advance immediately + * without scheduling a new work +@@ -1100,6 +1116,10 @@ void ieee80211_scan_work(struct work_str + goto out_complete; + } + ++ if (test_and_clear_bit(SCAN_BEACON_DONE, &local->scanning) && ++ local->next_scan_state == SCAN_DECISION) ++ local->next_scan_state = SCAN_SEND_PROBE; ++ + switch (local->next_scan_state) { + case 
SCAN_DECISION: + /* if no more bands/channels left, complete scan */ diff --git a/queue-5.18/mips-ip27-remove-incorrect-cpu_has_fpu-override.patch b/queue-5.18/mips-ip27-remove-incorrect-cpu_has_fpu-override.patch new file mode 100644 index 00000000000..de9a541ed30 --- /dev/null +++ b/queue-5.18/mips-ip27-remove-incorrect-cpu_has_fpu-override.patch @@ -0,0 +1,39 @@ +From 424c3781dd1cb401857585331eaaa425a13f2429 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Sun, 1 May 2022 23:14:16 +0100 +Subject: MIPS: IP27: Remove incorrect `cpu_has_fpu' override + +From: Maciej W. Rozycki + +commit 424c3781dd1cb401857585331eaaa425a13f2429 upstream. + +Remove unsupported forcing of `cpu_has_fpu' to 1, which makes the `nofpu' +kernel parameter non-functional, and also causes a link error: + +ld: arch/mips/kernel/traps.o: in function `trap_init': +./arch/mips/include/asm/msa.h:(.init.text+0x348): undefined reference to `handle_fpe' +ld: ./arch/mips/include/asm/msa.h:(.init.text+0x354): undefined reference to `handle_fpe' +ld: ./arch/mips/include/asm/msa.h:(.init.text+0x360): undefined reference to `handle_fpe' + +where the CONFIG_MIPS_FP_SUPPORT configuration option has been disabled. + +Signed-off-by: Maciej W. Rozycki +Reported-by: Stephen Zhang +Fixes: 0ebb2f4159af ("MIPS: IP27: Update/restructure CPU overrides") +Cc: stable@vger.kernel.org # v4.2+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h ++++ b/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h +@@ -25,7 +25,6 @@ + #define cpu_has_4kex 1 + #define cpu_has_3k_cache 0 + #define cpu_has_4k_cache 1 +-#define cpu_has_fpu 1 + #define cpu_has_nofpuex 0 + #define cpu_has_32fpr 1 + #define cpu_has_counter 1 
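Review bot: In ieee80211_scan_rx() the SCAN_BEACON_WAIT to SCAN_BEACON_DONE transition fires on any beacon or probe response that reaches the scan path, and the visible lines do not compare the frame's receive channel with the channel currently being scanned. The reason passive scanning is mandatory on radar/no-IR channels is that the device may not transmit there until it has heard an AP on that channel, so if scan_rx can see frames received on another channel (the enclosing function begins outside the hunk) the resulting SCAN_SEND_PROBE would transmit on a channel where no beacon was actually received. Suggest gating the transition on the frame's channel matching the current scan channel (presumably `local->scan_chandef`, if that is what ieee80211_scan_state_set_channel() records) and saying in the comment that the check is what keeps the upgrade within the no-IR rule.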
diff --git a/queue-5.18/mips-ip30-remove-incorrect-cpu_has_fpu-override.patch b/queue-5.18/mips-ip30-remove-incorrect-cpu_has_fpu-override.patch
new file mode 100644
index 00000000000..3c36883bfbe
--- /dev/null
+++ b/queue-5.18/mips-ip30-remove-incorrect-cpu_has_fpu-override.patch
@@ -0,0 +1,39 @@
+From f44b3e74c33fe04defeff24ebcae98c3bcc5b285 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Sun, 1 May 2022 23:14:22 +0100
+Subject: MIPS: IP30: Remove incorrect `cpu_has_fpu' override
+
+From: Maciej W. Rozycki
+
+commit f44b3e74c33fe04defeff24ebcae98c3bcc5b285 upstream.
+
+Remove unsupported forcing of `cpu_has_fpu' to 1, which makes the `nofpu'
+kernel parameter non-functional, and also causes a link error:
+
+ld: arch/mips/kernel/traps.o: in function `trap_init':
+./arch/mips/include/asm/msa.h:(.init.text+0x348): undefined reference to `handle_fpe'
+ld: ./arch/mips/include/asm/msa.h:(.init.text+0x354): undefined reference to `handle_fpe'
+ld: ./arch/mips/include/asm/msa.h:(.init.text+0x360): undefined reference to `handle_fpe'
+
+where the CONFIG_MIPS_FP_SUPPORT configuration option has been disabled.
+
+Signed-off-by: Maciej W. Rozycki
+Reported-by: Stephen Zhang
+Fixes: 7505576d1c1a ("MIPS: add support for SGI Octane (IP30)")
+Cc: stable@vger.kernel.org # v5.5+
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/include/asm/mach-ip30/cpu-feature-overrides.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/mips/include/asm/mach-ip30/cpu-feature-overrides.h
++++ b/arch/mips/include/asm/mach-ip30/cpu-feature-overrides.h
+@@ -28,7 +28,6 @@
+ #define cpu_has_4kex 1
+ #define cpu_has_3k_cache 0
+ #define cpu_has_4k_cache 1
+-#define cpu_has_fpu 1
+ #define cpu_has_nofpuex 0
+ #define cpu_has_32fpr 1
+ #define cpu_has_counter 1
diff --git a/queue-5.18/mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range.patch b/queue-5.18/mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range.patch
new file mode 100644
index 00000000000..b760c31f70f
--- /dev/null
+++ b/queue-5.18/mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range.patch
@@ -0,0 +1,37 @@
+From a04e1928e2ead144dc2f369768bc0a0f3110af89 Mon Sep 17 00:00:00 2001
+From: Miaohe Lin
+Date: Tue, 31 May 2022 20:26:43 +0800
+Subject: mm/memremap: fix missing call to untrack_pfn() in pagemap_range()
+
+From: Miaohe Lin
+
+commit a04e1928e2ead144dc2f369768bc0a0f3110af89 upstream.
+
+We forget to call untrack_pfn() to pair with track_pfn_remap() when range
+is not allowed to hotplug. Fix it by jump err_kasan.
+
+Link: https://lkml.kernel.org/r/20220531122643.25249-1-linmiaohe@huawei.com
+Fixes: bca3feaa0764 ("mm/memory_hotplug: prevalidate the address range being added with platform")
+Signed-off-by: Miaohe Lin
+Reviewed-by: David Hildenbrand
+Acked-by: Muchun Song
+Cc: Anshuman Khandual
+Cc: Oscar Salvador
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memremap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/memremap.c
++++ b/mm/memremap.c
+@@ -214,7 +214,7 @@ static int pagemap_range(struct dev_page
+
+ if (!mhp_range_allowed(range->start, range_len(range), !is_private)) {
+ error = -EINVAL;
+- goto err_pfn_remap;
++ goto err_kasan;
+ }
+
+ mem_hotplug_begin();
diff --git a/queue-5.18/mm-page_alloc-always-attempt-to-allocate-at-least-one-page-during-bulk-allocation.patch b/queue-5.18/mm-page_alloc-always-attempt-to-allocate-at-least-one-page-during-bulk-allocation.patch
new file mode 100644
index 00000000000..322e85b10b3
--- /dev/null
+++ b/queue-5.18/mm-page_alloc-always-attempt-to-allocate-at-least-one-page-during-bulk-allocation.patch
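Review bot: `goto err_kasan` on the mhp_range_allowed() failure reads as if it were undoing a KASAN step, while the intent is to reach the unwind that also calls untrack_pfn() for the track_pfn_remap() done earlier; the label name is inherited, but a short comment on the new line saves the next reader a trip to the cleanup block: `goto err_kasan;	/* also undoes track_pfn_remap() */`. pagemap_range() and its error labels lie outside the hunk, so the pairing is inferred from the commit message rather than visible here.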
@@ -0,0 +1,67 @@ +From c572e4888ad1be123c1516ec577ad30a700bbec4 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 26 May 2022 10:12:10 +0100 +Subject: mm/page_alloc: always attempt to allocate at least one page during bulk allocation + +From: Mel Gorman + +commit c572e4888ad1be123c1516ec577ad30a700bbec4 upstream. + +Peter Pavlisko reported the following problem on kernel bugzilla 216007. + + When I try to extract an uncompressed tar archive (2.6 milion + files, 760.3 GiB in size) on newly created (empty) XFS file system, + after first low tens of gigabytes extracted the process hangs in + iowait indefinitely. One CPU core is 100% occupied with iowait, + the other CPU core is idle (on 2-core Intel Celeron G1610T). + +It was bisected to c9fa563072e1 ("xfs: use alloc_pages_bulk_array() for +buffers") but XFS is only the messenger. The problem is that nothing is +waking kswapd to reclaim some pages at a time the PCP lists cannot be +refilled until some reclaim happens. The bulk allocator checks that there +are some pages in the array and the original intent was that a bulk +allocator did not necessarily need all the requested pages and it was best +to return as quickly as possible. + +This was fine for the first user of the API but both NFS and XFS require +the requested number of pages be available before making progress. Both +could be adjusted to call the page allocator directly if a bulk allocation +fails but it puts a burden on users of the API. Adjust the semantics to +attempt at least one allocation via __alloc_pages() before returning so +kswapd is woken if necessary. + +It was reported via bugzilla that the patch addressed the problem and that +the tar extraction completed successfully. This may also address bug +215975 but has yet to be confirmed. 
+ +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216007 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215975 +Link: https://lkml.kernel.org/r/20220526091210.GC3441@techsingularity.net +Fixes: 387ba26fb1cb ("mm/page_alloc: add a bulk page allocator") +Signed-off-by: Mel Gorman +Cc: "Darrick J. Wong" +Cc: Dave Chinner +Cc: Jan Kara +Cc: Vlastimil Babka +Cc: Jesper Dangaard Brouer +Cc: Chuck Lever +Cc: [5.13+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -5324,8 +5324,8 @@ unsigned long __alloc_pages_bulk(gfp_t g + page = __rmqueue_pcplist(zone, 0, ac.migratetype, alloc_flags, + pcp, pcp_list); + if (unlikely(!page)) { +- /* Try and get at least one page */ +- if (!nr_populated) ++ /* Try and allocate at least one page */ ++ if (!nr_account) + goto failed_irq; + break; + } diff --git a/queue-5.18/mm-page_owner-use-strscpy-instead-of-strlcpy.patch b/queue-5.18/mm-page_owner-use-strscpy-instead-of-strlcpy.patch new file mode 100644 index 00000000000..e83487b8e0e --- /dev/null +++ b/queue-5.18/mm-page_owner-use-strscpy-instead-of-strlcpy.patch 
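Review bot: The switch from `nr_populated` to `nr_account` is the entire fix, yet the rewritten comment `/* Try and allocate at least one page */` does not say why the two counters differ. As the commit message describes it, the array handed to __alloc_pages_bulk() may already hold pages, so `nr_populated` can be non-zero before anything was allocated here, whereas `nr_account` counts only this call's allocations; the fallback to __alloc_pages() that wakes kswapd therefore has to key on the latter. Suggest `/* Try and allocate at least one page; nr_populated may include pages the caller already had */`. __alloc_pages_bulk() begins and ends outside the hunk.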
@@ -0,0 +1,79 @@ +From cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 12 May 2022 20:23:09 -0700 +Subject: mm/page_owner: use strscpy() instead of strlcpy() + +From: Eric Dumazet + +commit cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a upstream. + +current->comm[] is not a string (no guarantee for a zero byte in it). + +strlcpy(s1, s2, l) is calling strlen(s2), potentially +causing out-of-bound access, as reported by syzbot: + +detected buffer overflow in __fortify_strlen +------------[ cut here ]------------ +kernel BUG at lib/string_helpers.c:980! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980 +Code: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a +RSP: 0018:ffffc900000074a8 EFLAGS: 00010286 + +RAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000 +RDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87 +RBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000 +R10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700 +R13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 +Call Trace: + + __fortify_strlen include/linux/fortify-string.h:128 [inline] + strlcpy include/linux/fortify-string.h:143 [inline] + __set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171 + 
__set_page_owner+0x3e/0x50 mm/page_owner.c:190 + prep_new_page mm/page_alloc.c:2441 [inline] + get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182 + __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408 + alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272 + alloc_slab_page mm/slub.c:1799 [inline] + allocate_slab+0x26c/0x3c0 mm/slub.c:1944 + new_slab mm/slub.c:2004 [inline] + ___slab_alloc+0x8df/0xf20 mm/slub.c:3005 + __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092 + slab_alloc_node mm/slub.c:3183 [inline] + slab_alloc mm/slub.c:3225 [inline] + __kmem_cache_alloc_lru mm/slub.c:3232 [inline] + kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242 + dst_alloc+0x146/0x1f0 net/core/dst.c:92 + +Link: https://lkml.kernel.org/r/20220509145949.265184-1-eric.dumazet@gmail.com +Fixes: 865ed6a32786 ("mm/page_owner: record task command name") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Waiman Long +Acked-by: Shakeel Butt +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_owner.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page_owner.c ++++ b/mm/page_owner.c +@@ -168,7 +168,7 @@ static inline void __set_page_owner_hand + page_owner->pid = current->pid; + page_owner->tgid = current->tgid; + page_owner->ts_nsec = local_clock(); +- strlcpy(page_owner->comm, current->comm, ++ strscpy(page_owner->comm, current->comm, + sizeof(page_owner->comm)); + __set_bit(PAGE_EXT_OWNER, &page_ext->flags); + __set_bit(PAGE_EXT_OWNER_ALLOCATED, &page_ext->flags); diff --git a/queue-5.18/mmc-core-allows-to-override-the-timeout-value-for-ioctl-path.patch b/queue-5.18/mmc-core-allows-to-override-the-timeout-value-for-ioctl-path.patch new file mode 100644 index 00000000000..c224f3364ab --- /dev/null +++ b/queue-5.18/mmc-core-allows-to-override-the-timeout-value-for-ioctl-path.patch 
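Review bot: strscpy() bounds the read by the destination size and always terminates the result, which is what removes the strlen() walk over the unterminated current->comm[]; its return value is still discarded, so if `page_owner->comm` were ever smaller than `current->comm` the copy would silently truncate (both declarations are outside the hunk). A comment on the call records why strlcpy() must not come back: `/* current->comm need not be NUL-terminated; strscpy bounds the read */`. __set_page_owner_handle() begins and ends outside the hunk.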
@@ -0,0 +1,44 @@
+From 23e09be254f95a5b75cd87f91a4014f3b46dda3f Mon Sep 17 00:00:00 2001
+From: Bean Huo
+Date: Sun, 24 Apr 2022 00:16:23 +0200
+Subject: mmc: core: Allows to override the timeout value for ioctl() path
+
+From: Bean Huo
+
+commit 23e09be254f95a5b75cd87f91a4014f3b46dda3f upstream.
+
+Occasionally, user-land applications initiate longer timeout values for certain commands
+through ioctl() system call. But so far we are still using a fixed timeout of 10 seconds
+in mmc_poll_for_busy() on the ioctl() path, even if a custom timeout is specified in the
+userspace application. This patch allows custom timeout values to override this default
+timeout values on the ioctl path.
+
+Cc: stable
+Signed-off-by: Bean Huo
+Acked-by: Avri Altman
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20220423221623.1074556-3-huobean@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/block.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -609,11 +609,11 @@ static int __mmc_blk_ioctl_cmd(struct mm
+
+ if (idata->rpmb || (cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) {
+ /*
+- * Ensure RPMB/R1B command has completed by polling CMD13
+- * "Send Status".
++ * Ensure RPMB/R1B command has completed by polling CMD13 "Send Status". Here we
++ * allow to override the default timeout value if a custom timeout is specified.
+ */
+- err = mmc_poll_for_busy(card, MMC_BLK_TIMEOUT_MS, false,
+- MMC_BUSY_IO);
++ err = mmc_poll_for_busy(card, idata->ic.cmd_timeout_ms ? : MMC_BLK_TIMEOUT_MS,
++ false, MMC_BUSY_IO);
+ }
+
+ return err;
diff --git a/queue-5.18/mt76-fix-use-after-free-by-removing-a-non-rcu-wcid-pointer.patch b/queue-5.18/mt76-fix-use-after-free-by-removing-a-non-rcu-wcid-pointer.patch
new file mode 100644
index 00000000000..f4440383387
--- /dev/null
+++ b/queue-5.18/mt76-fix-use-after-free-by-removing-a-non-rcu-wcid-pointer.patch
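Review bot: The new timeout passes idata->ic.cmd_timeout_ms straight from the ioctl argument with no upper bound, so a caller can keep the CMD13 busy poll running for up to ~49 days (u32 milliseconds) where the old code capped it at MMC_BLK_TIMEOUT_MS; the ioctl requires CAP_SYS_RAWIO (checked outside this hunk), so this is a robustness rather than a privilege concern, but a clamp is cheap, e.g. `unsigned int timeout_ms = idata->ic.cmd_timeout_ms ?: MMC_BLK_TIMEOUT_MS;` followed by a `min_t()` against a sane ceiling before the mmc_poll_for_busy() call. Whether mmc_poll_for_busy() or the host layer already bounds the value is not visible here. The rewritten comment should also state that 0 means "use the default", since that is now the only way to get the old behaviour. The enclosing __mmc_blk_ioctl_cmd() starts before the hunk.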
@@ -0,0 +1,250 @@ +From 51fb1278aa57ae0fc54adaa786e1965362bed4fb Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 25 Mar 2022 22:01:43 +0100 +Subject: mt76: fix use-after-free by removing a non-RCU wcid pointer + +From: Felix Fietkau + +commit 51fb1278aa57ae0fc54adaa786e1965362bed4fb upstream. + +Fixes an issue caught by KASAN about use-after-free in mt76_txq_schedule +by protecting mtxq->wcid with rcu_lock between mt76_txq_schedule and +sta_info_[alloc, free]. + +[18853.876689] ================================================================== +[18853.876751] BUG: KASAN: use-after-free in mt76_txq_schedule+0x204/0xaf8 [mt76] +[18853.876773] Read of size 8 at addr ffffffaf989a2138 by task mt76-tx phy0/883 +[18853.876786] +[18853.876810] CPU: 5 PID: 883 Comm: mt76-tx phy0 Not tainted 5.10.100-fix-510-56778d365941-kasan #5 0b01fbbcf41a530f52043508fec2e31a4215 + +[18853.876840] Call trace: +[18853.876861] dump_backtrace+0x0/0x3ec +[18853.876878] show_stack+0x20/0x2c +[18853.876899] dump_stack+0x11c/0x1ac +[18853.876918] print_address_description+0x74/0x514 +[18853.876934] kasan_report+0x134/0x174 +[18853.876948] __asan_report_load8_noabort+0x44/0x50 +[18853.876976] mt76_txq_schedule+0x204/0xaf8 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2] +[18853.877002] mt76_txq_schedule_all+0x2c/0x48 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2] +[18853.877030] mt7921_tx_worker+0xa0/0x1cc [mt7921_common f0875ebac9d7b4754e1010549e7db50fbd90a047] +[18853.877054] __mt76_worker_fn+0x190/0x22c [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2] +[18853.877071] kthread+0x2f8/0x3b8 +[18853.877087] ret_from_fork+0x10/0x30 +[18853.877098] +[18853.877112] Allocated by task 941: +[18853.877131] kasan_save_stack+0x38/0x68 +[18853.877147] __kasan_kmalloc+0xd4/0xfc +[18853.877163] kasan_kmalloc+0x10/0x1c +[18853.877177] __kmalloc+0x264/0x3c4 +[18853.877294] sta_info_alloc+0x460/0xf88 [mac80211] +[18853.877410] ieee80211_prep_connection+0x204/0x1ee0 [mac80211] +[18853.877523] 
ieee80211_mgd_auth+0x6c4/0xa4c [mac80211] +[18853.877635] ieee80211_auth+0x20/0x2c [mac80211] +[18853.877733] rdev_auth+0x7c/0x438 [cfg80211] +[18853.877826] cfg80211_mlme_auth+0x26c/0x390 [cfg80211] +[18853.877919] nl80211_authenticate+0x6d4/0x904 [cfg80211] +[18853.877938] genl_rcv_msg+0x748/0x93c +[18853.877954] netlink_rcv_skb+0x160/0x2a8 +[18853.877969] genl_rcv+0x3c/0x54 +[18853.877985] netlink_unicast_kernel+0x104/0x1ec +[18853.877999] netlink_unicast+0x178/0x268 +[18853.878015] netlink_sendmsg+0x3cc/0x5f0 +[18853.878030] sock_sendmsg+0xb4/0xd8 +[18853.878043] ____sys_sendmsg+0x2f8/0x53c +[18853.878058] ___sys_sendmsg+0xe8/0x150 +[18853.878071] __sys_sendmsg+0xc4/0x1f4 +[18853.878087] __arm64_compat_sys_sendmsg+0x88/0x9c +[18853.878101] el0_svc_common+0x1b4/0x390 +[18853.878115] do_el0_svc_compat+0x8c/0xdc +[18853.878131] el0_svc_compat+0x10/0x1c +[18853.878146] el0_sync_compat_handler+0xa8/0xcc +[18853.878161] el0_sync_compat+0x188/0x1c0 +[18853.878171] +[18853.878183] Freed by task 10927: +[18853.878200] kasan_save_stack+0x38/0x68 +[18853.878215] kasan_set_track+0x28/0x3c +[18853.878228] kasan_set_free_info+0x24/0x48 +[18853.878244] __kasan_slab_free+0x11c/0x154 +[18853.878259] kasan_slab_free+0x14/0x24 +[18853.878273] slab_free_freelist_hook+0xac/0x1b0 +[18853.878287] kfree+0x104/0x390 +[18853.878402] sta_info_free+0x198/0x210 [mac80211] +[18853.878515] __sta_info_destroy_part2+0x230/0x2d4 [mac80211] +[18853.878628] __sta_info_flush+0x300/0x37c [mac80211] +[18853.878740] ieee80211_set_disassoc+0x2cc/0xa7c [mac80211] +[18853.878851] ieee80211_mgd_deauth+0x4a4/0x10a0 [mac80211] +[18853.878962] ieee80211_deauth+0x20/0x2c [mac80211] +[18853.879057] rdev_deauth+0x7c/0x438 [cfg80211] +[18853.879150] cfg80211_mlme_deauth+0x274/0x414 [cfg80211] +[18853.879243] cfg80211_mlme_down+0xe4/0x118 [cfg80211] +[18853.879335] cfg80211_disconnect+0x218/0x2d8 [cfg80211] +[18853.879427] __cfg80211_leave+0x17c/0x240 [cfg80211] +[18853.879519] cfg80211_leave+0x3c/0x58 
[cfg80211] +[18853.879611] wiphy_suspend+0xdc/0x200 [cfg80211] +[18853.879628] dpm_run_callback+0x58/0x408 +[18853.879642] __device_suspend+0x4cc/0x864 +[18853.879658] async_suspend+0x34/0xf4 +[18853.879673] async_run_entry_fn+0xe0/0x37c +[18853.879689] process_one_work+0x508/0xb98 +[18853.879702] worker_thread+0x7f4/0xcd4 +[18853.879717] kthread+0x2f8/0x3b8 +[18853.879731] ret_from_fork+0x10/0x30 +[18853.879741] +[18853.879757] The buggy address belongs to the object at ffffffaf989a2000 +[18853.879757] which belongs to the cache kmalloc-8k of size 8192 +[18853.879774] The buggy address is located 312 bytes inside of +[18853.879774] 8192-byte region [ffffffaf989a2000, ffffffaf989a4000) +[18853.879787] The buggy address belongs to the page: +[18853.879807] page:000000004bda2a59 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d89a0 +[18853.879823] head:000000004bda2a59 order:3 compound_mapcount:0 compound_pincount:0 +[18853.879839] flags: 0x8000000000010200(slab|head) +[18853.879857] raw: 8000000000010200 ffffffffbc89e208 ffffffffb7fb5208 ffffffaec000cc80 +[18853.879873] raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000 +[18853.879885] page dumped because: kasan: bad access detected +[18853.879896] +[18853.879907] Memory state around the buggy address: +[18853.879922] ffffffaf989a2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[18853.879935] ffffffaf989a2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[18853.879948] >ffffffaf989a2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[18853.879961] ^ +[18853.879973] ffffffaf989a2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[18853.879986] ffffffaf989a2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[18853.879998] ================================================================== + +Cc: stable@vger.kernel.org +Reported-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mac80211.c | 2 
+- + drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- + drivers/net/wireless/mediatek/mt76/mt7603/main.c | 2 +- + drivers/net/wireless/mediatek/mt76/mt7615/main.c | 2 +- + drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 +++- + drivers/net/wireless/mediatek/mt76/mt7915/main.c | 2 +- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- + drivers/net/wireless/mediatek/mt76/tx.c | 9 ++++----- + 8 files changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -1303,7 +1303,7 @@ mt76_sta_add(struct mt76_dev *dev, struc + continue; + + mtxq = (struct mt76_txq *)sta->txq[i]->drv_priv; +- mtxq->wcid = wcid; ++ mtxq->wcid = wcid->idx; + } + + ewma_signal_init(&wcid->rssi); +--- a/drivers/net/wireless/mediatek/mt76/mt76.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76.h +@@ -275,7 +275,7 @@ struct mt76_wcid { + }; + + struct mt76_txq { +- struct mt76_wcid *wcid; ++ u16 wcid; + + u16 agg_ssn; + bool send_bar; +--- a/drivers/net/wireless/mediatek/mt76/mt7603/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/main.c +@@ -75,7 +75,7 @@ mt7603_add_interface(struct ieee80211_hw + mt7603_wtbl_init(dev, idx, mvif->idx, bc_addr); + + mtxq = (struct mt76_txq *)vif->txq->drv_priv; +- mtxq->wcid = &mvif->sta.wcid; ++ mtxq->wcid = idx; + rcu_assign_pointer(dev->mt76.wcid[idx], &mvif->sta.wcid); + + out: +--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +@@ -234,7 +234,7 @@ static int mt7615_add_interface(struct i + rcu_assign_pointer(dev->mt76.wcid[idx], &mvif->sta.wcid); + if (vif->txq) { + mtxq = (struct mt76_txq *)vif->txq->drv_priv; +- mtxq->wcid = &mvif->sta.wcid; ++ mtxq->wcid = idx; + } + + ret = mt7615_mcu_add_dev_info(phy, vif, true); +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c +@@ -292,7 +292,8 @@ mt76x02_vif_init(struct mt76x02_dev *dev 
+ mt76_packet_id_init(&mvif->group_wcid); + + mtxq = (struct mt76_txq *)vif->txq->drv_priv; +- mtxq->wcid = &mvif->group_wcid; ++ rcu_assign_pointer(dev->mt76.wcid[MT_VIF_WCID(idx)], &mvif->group_wcid); ++ mtxq->wcid = MT_VIF_WCID(idx); + } + + int +@@ -345,6 +346,7 @@ void mt76x02_remove_interface(struct iee + struct mt76x02_vif *mvif = (struct mt76x02_vif *)vif->drv_priv; + + dev->mt76.vif_mask &= ~BIT(mvif->idx); ++ rcu_assign_pointer(dev->mt76.wcid[mvif->group_wcid.idx], NULL); + mt76_packet_id_flush(&dev->mt76, &mvif->group_wcid); + } + EXPORT_SYMBOL_GPL(mt76x02_remove_interface); +--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c +@@ -246,7 +246,7 @@ static int mt7915_add_interface(struct i + rcu_assign_pointer(dev->mt76.wcid[idx], &mvif->sta.wcid); + if (vif->txq) { + mtxq = (struct mt76_txq *)vif->txq->drv_priv; +- mtxq->wcid = &mvif->sta.wcid; ++ mtxq->wcid = idx; + } + + if (vif->type != NL80211_IFTYPE_AP && +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -330,7 +330,7 @@ static int mt7921_add_interface(struct i + rcu_assign_pointer(dev->mt76.wcid[idx], &mvif->sta.wcid); + if (vif->txq) { + mtxq = (struct mt76_txq *)vif->txq->drv_priv; +- mtxq->wcid = &mvif->sta.wcid; ++ mtxq->wcid = idx; + } + + out: +--- a/drivers/net/wireless/mediatek/mt76/tx.c ++++ b/drivers/net/wireless/mediatek/mt76/tx.c +@@ -436,12 +436,11 @@ mt76_txq_stopped(struct mt76_queue *q) + + static int + mt76_txq_send_burst(struct mt76_phy *phy, struct mt76_queue *q, +- struct mt76_txq *mtxq) ++ struct mt76_txq *mtxq, struct mt76_wcid *wcid) + { + struct mt76_dev *dev = phy->dev; + struct ieee80211_txq *txq = mtxq_to_txq(mtxq); + enum mt76_txq_id qid = mt76_txq_get_qid(txq); +- struct mt76_wcid *wcid = mtxq->wcid; + struct ieee80211_tx_info *info; + struct sk_buff *skb; + int n_frames = 1; +@@ -521,8 +520,8 @@ mt76_txq_schedule_list(struct mt76_phy * + break; + 
+ mtxq = (struct mt76_txq *)txq->drv_priv; +- wcid = mtxq->wcid; +- if (wcid && test_bit(MT_WCID_FLAG_PS, &wcid->flags)) ++ wcid = rcu_dereference(dev->wcid[mtxq->wcid]); ++ if (!wcid || test_bit(MT_WCID_FLAG_PS, &wcid->flags)) + continue; + + spin_lock_bh(&q->lock); +@@ -541,7 +540,7 @@ mt76_txq_schedule_list(struct mt76_phy * + } + + if (!mt76_txq_stopped(q)) +- n_frames = mt76_txq_send_burst(phy, q, mtxq); ++ n_frames = mt76_txq_send_burst(phy, q, mtxq, wcid); + + spin_unlock_bh(&q->lock); + diff --git a/queue-5.18/nodemask.h-fix-compilation-error-with-gcc12.patch b/queue-5.18/nodemask.h-fix-compilation-error-with-gcc12.patch new file mode 100644 index 00000000000..3da8cd92b24 --- /dev/null +++ b/queue-5.18/nodemask.h-fix-compilation-error-with-gcc12.patch 
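Review bot: In the tx.c hunk the scheduler now does `wcid = rcu_dereference(dev->wcid[mtxq->wcid]);` but no rcu_read_lock() is added anywhere in the patch, and the dereference happens before the spin_lock_bh() that would otherwise provide a BH-disabled read-side section; unless the caller mt76_txq_schedule() (outside this hunk) already holds rcu_read_lock() across the list walk, the use-after-free window the commit describes is only narrowed and sparse will flag the unprotected rcu_dereference(). Making the contract explicit with `RCU_LOCKDEP_WARN(!rcu_read_lock_held(), "mt76_txq_schedule_list needs rcu_read_lock");` at the top of the loop, or an explicit rcu_read_lock()/rcu_read_unlock() pair, would prevent a silent regression. Separately, mt76x02_remove_interface() now clears the slot with `rcu_assign_pointer(..., NULL)` but nothing visible waits for a grace period before mac80211 frees the vif's drv_priv that holds group_wcid, so confirm a synchronize_rcu() or equivalent sits elsewhere on that path.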
@@ -0,0 +1,92 @@ +From 37462a920392cb86541650a6f4121155f11f1199 Mon Sep 17 00:00:00 2001 +From: Christophe de Dinechin +Date: Thu, 14 Apr 2022 17:08:54 +0200 +Subject: nodemask.h: fix compilation error with GCC12 + +From: Christophe de Dinechin + +commit 37462a920392cb86541650a6f4121155f11f1199 upstream. + +With gcc version 12.0.1 20220401 (Red Hat 12.0.1-0), building with +defconfig results in the following compilation error: + +| CC mm/swapfile.o +| mm/swapfile.c: In function `setup_swap_info': +| mm/swapfile.c:2291:47: error: array subscript -1 is below array bounds +| of `struct plist_node[]' [-Werror=array-bounds] +| 2291 | p->avail_lists[i].prio = 1; +| | ~~~~~~~~~~~~~~^~~ +| In file included from mm/swapfile.c:16: +| ./include/linux/swap.h:292:27: note: while referencing `avail_lists' +| 292 | struct plist_node avail_lists[]; /* +| | ^~~~~~~~~~~ + +This is due to the compiler detecting that the mask in +node_states[__state] could theoretically be zero, which would lead to +first_node() returning -1 through find_first_bit. + +I believe that the warning/error is legitimate. I first tried adding a +test to check that the node mask is not emtpy, since a similar test exists +in the case where MAX_NUMNODES == 1. + +However, adding the if statement causes other warnings to appear in +for_each_cpu_node_but, because it introduces a dangling else ambiguity. +And unfortunately, GCC is not smart enough to detect that the added test +makes the case where (node) == -1 impossible, so it still complains with +the same message. + +This is why I settled on replacing that with a harmless, but relatively +useless (node) >= 0 test. Based on the warning for the dangling else, I +also decided to fix the case where MAX_NUMNODES == 1 by moving the +condition inside the for loop. It will still only be tested once. This +ensures that the meaning of an else following for_each_node_mask or +derivatives would not silently have a different meaning depending on the +configuration. 
+ +Link: https://lkml.kernel.org/r/20220414150855.2407137-3-dinechin@redhat.com +Signed-off-by: Christophe de Dinechin +Signed-off-by: Christophe de Dinechin +Reviewed-by: Andrew Morton +Cc: Ben Segall +Cc: "Michael S. Tsirkin" +Cc: Steven Rostedt +Cc: Ingo Molnar +Cc: Mel Gorman +Cc: Dietmar Eggemann +Cc: Vincent Guittot +Cc: Paolo Bonzini +Cc: Daniel Bristot de Oliveira +Cc: Jason Wang +Cc: Zhen Lei +Cc: Juri Lelli +Cc: Peter Zijlstra +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/nodemask.h | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/include/linux/nodemask.h ++++ b/include/linux/nodemask.h +@@ -375,14 +375,13 @@ static inline void __nodes_fold(nodemask + } + + #if MAX_NUMNODES > 1 +-#define for_each_node_mask(node, mask) \ +- for ((node) = first_node(mask); \ +- (node) < MAX_NUMNODES; \ +- (node) = next_node((node), (mask))) ++#define for_each_node_mask(node, mask) \ ++ for ((node) = first_node(mask); \ ++ (node >= 0) && (node) < MAX_NUMNODES; \ ++ (node) = next_node((node), (mask))) + #else /* MAX_NUMNODES == 1 */ +-#define for_each_node_mask(node, mask) \ +- if (!nodes_empty(mask)) \ +- for ((node) = 0; (node) < 1; (node)++) ++#define for_each_node_mask(node, mask) \ ++ for ((node) = 0; (node) < 1 && !nodes_empty(mask); (node)++) + #endif /* MAX_NUMNODES */ + + /* diff --git a/queue-5.18/rdma-hfi1-fix-potential-integer-multiplication-overflow-errors.patch b/queue-5.18/rdma-hfi1-fix-potential-integer-multiplication-overflow-errors.patch new file mode 100644 index 00000000000..53b744b5878 --- /dev/null +++ b/queue-5.18/rdma-hfi1-fix-potential-integer-multiplication-overflow-errors.patch 
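Review bot: In the MAX_NUMNODES > 1 branch the new `(node >= 0)` test uses the macro argument unparenthesised, unlike every other `(node)` in the same definition; if a caller ever passes an expression rather than a plain lvalue the comparison binds wrongly, so it should read `((node) >= 0) && ((node) < MAX_NUMNODES)`. A one-line comment above the macro saying the `>= 0` guard exists only to satisfy GCC 12's array-bounds analysis of first_node()/next_node() would stop the next cleanup from removing it as dead code. The guard also silently assumes the iterator variable is signed; with an `unsigned int node` the test is always true and -Wtype-limits will warn, which is worth stating in the same comment.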
@@ -0,0 +1,40 @@
+From f93e91a0372c922c20d5bee260b0f43b4b8a1bee Mon Sep 17 00:00:00 2001
+From: Dennis Dalessandro
+Date: Fri, 20 May 2022 14:37:12 -0400
+Subject: RDMA/hfi1: Fix potential integer multiplication overflow errors
+
+From: Dennis Dalessandro
+
+commit f93e91a0372c922c20d5bee260b0f43b4b8a1bee upstream.
+
+When multiplying of different types, an overflow is possible even when
+storing the result in a larger type. This is because the conversion is
+done after the multiplication. So arithmetic overflow and thus in
+incorrect value is possible.
+
+Correct an instance of this in the inter packet delay calculation. Fix by
+ensuring one of the operands is u64 which will promote the other to u64 as
+well ensuring no overflow.
+
+Cc: stable@vger.kernel.org
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Link: https://lore.kernel.org/r/20220520183712.48973.29855.stgit@awfm-01.cornelisnetworks.com
+Reviewed-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/hfi1/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -489,7 +489,7 @@ void set_link_ipg(struct hfi1_pportdata
+ u16 shift, mult;
+ u64 src;
+ u32 current_egress_rate; /* Mbits /sec */
+- u32 max_pkt_time;
++ u64 max_pkt_time;
+ /*
+ * max_pkt_time is the maximum packet egress time in units
+ * of the fabric clock period 1/(805 MHz).
diff --git a/queue-5.18/revert-mm-cma.c-remove-redundant-cma_mutex-lock.patch b/queue-5.18/revert-mm-cma.c-remove-redundant-cma_mutex-lock.patch
new file mode 100644
index 00000000000..4c23f51c110
--- /dev/null
+++ b/queue-5.18/revert-mm-cma.c-remove-redundant-cma_mutex-lock.patch
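Review bot: The only code change in the hunk is the declaration `u64 max_pkt_time;`, while the multiplication the commit message describes is outside the hunk; widening the destination fixes the overflow only if max_pkt_time is itself an operand of that later product (e.g. `max_pkt_time * mult`), because a product of two u32 values is still computed in 32 bits before being stored. If whatever assigns max_pkt_time already multiplies in u32, that upstream multiply still overflows and needs its own widening. A comment on the declaration would keep the intent from being undone by a type cleanup, e.g. `u64 max_pkt_time; /* u64 so the later multiply by mult is done in 64 bits */`. set_link_ipg() continues beyond the hunk.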
@@ -0,0 +1,97 @@ +From 60a60e32cf91169840abcb4a80f0b0df31708ba7 Mon Sep 17 00:00:00 2001 +From: Dong Aisheng +Date: Fri, 13 May 2022 15:11:26 -0700 +Subject: Revert "mm/cma.c: remove redundant cma_mutex lock" + +From: Dong Aisheng + +commit 60a60e32cf91169840abcb4a80f0b0df31708ba7 upstream. + +This reverts commit a4efc174b382fcdb which introduced a regression issue +that when there're multiple processes allocating dma memory in parallel by +calling dma_alloc_coherent(), it may fail sometimes as follows: + +Error log: +cma: cma_alloc: linux,cma: alloc failed, req-size: 148 pages, ret: -16 +cma: number of available pages: +3@125+20@172+12@236+4@380+32@736+17@2287+23@2473+20@36076+99@40477+108@40852+44@41108+20@41196+108@41364+108@41620+ +108@42900+108@43156+483@44061+1763@45341+1440@47712+20@49324+20@49388+5076@49452+2304@55040+35@58141+20@58220+20@58284+ +7188@58348+84@66220+7276@66452+227@74525+6371@75549=> 33161 free of 81920 total pages + +When issue happened, we saw there were still 33161 pages (129M) free CMA +memory and a lot available free slots for 148 pages in CMA bitmap that we +want to allocate. + +When dumping memory info, we found that there was also ~342M normal +memory, but only 1352K CMA memory left in buddy system while a lot of +pageblocks were isolated. 
+ +Memory info log: +Normal free:351096kB min:30000kB low:37500kB high:45000kB reserved_highatomic:0KB + active_anon:98060kB inactive_anon:98948kB active_file:60864kB inactive_file:31776kB + unevictable:0kB writepending:0kB present:1048576kB managed:1018328kB mlocked:0kB + bounce:0kB free_pcp:220kB local_pcp:192kB free_cma:1352kB lowmem_reserve[]: 0 0 0 +Normal: 78*4kB (UECI) 1772*8kB (UMECI) 1335*16kB (UMECI) 360*32kB (UMECI) 65*64kB (UMCI) + 36*128kB (UMECI) 16*256kB (UMCI) 6*512kB (EI) 8*1024kB (UEI) 4*2048kB (MI) 8*4096kB (EI) + 8*8192kB (UI) 3*16384kB (EI) 8*32768kB (M) = 489288kB + +The root cause of this issue is that since commit a4efc174b382 ("mm/cma.c: +remove redundant cma_mutex lock"), CMA supports concurrent memory +allocation. It's possible that the memory range process A trying to alloc +has already been isolated by the allocation of process B during memory +migration. + +The problem here is that the memory range isolated during one allocation +by start_isolate_page_range() could be much bigger than the real size we +want to alloc due to the range is aligned to MAX_ORDER_NR_PAGES. + +Taking an ARMv7 platform with 1G memory as an example, when +MAX_ORDER_NR_PAGES is big (e.g. 32M with max_order 14) and CMA memory is +relatively small (e.g. 128M), there're only 4 MAX_ORDER slot, then it's +very easy that all CMA memory may have already been isolated by other +processes when one trying to allocate memory using dma_alloc_coherent(). +Since current CMA code will only scan one time of whole available CMA +memory, then dma_alloc_coherent() may easy fail due to contention with +other processes. + +This patch simply falls back to the original method that using cma_mutex +to make alloc_contig_range() run sequentially to avoid the issue. 
+ +Link: https://lkml.kernel.org/r/20220509094551.3596244-1-aisheng.dong@nxp.com +Link: https://lore.kernel.org/all/20220315144521.3810298-2-aisheng.dong@nxp.com/ +Fixes: a4efc174b382 ("mm/cma.c: remove redundant cma_mutex lock") +Signed-off-by: Dong Aisheng +Acked-by: Minchan Kim +Acked-by: David Hildenbrand +Cc: Marek Szyprowski +Cc: Lecopzer Chen +Cc: Vlastimil Babka +Cc: [5.11+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/cma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -37,6 +37,7 @@ + + struct cma cma_areas[MAX_CMA_AREAS]; + unsigned cma_area_count; ++static DEFINE_MUTEX(cma_mutex); + + phys_addr_t cma_get_base(const struct cma *cma) + { +@@ -468,9 +469,10 @@ struct page *cma_alloc(struct cma *cma, + spin_unlock_irq(&cma->lock); + + pfn = cma->base_pfn + (bitmap_no << cma->order_per_bit); ++ mutex_lock(&cma_mutex); + ret = alloc_contig_range(pfn, pfn + count, MIGRATE_CMA, + GFP_KERNEL | (no_warn ? __GFP_NOWARN : 0)); +- ++ mutex_unlock(&cma_mutex); + if (ret == 0) { + page = pfn_to_page(pfn); + break; diff --git a/queue-5.18/series b/queue-5.18/series index c44d5e7a76d..e4cf7b482d6 100644 --- a/queue-5.18/series +++ b/queue-5.18/series 
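Review bot: The re-added cma_mutex serialises alloc_contig_range() for every CMA area system-wide, yet the definition carries no comment saying why, so the next reader will see a "redundant" lock exactly as the reverted commit did. Suggest a comment at `static DEFINE_MUTEX(cma_mutex);` such as `/* Serialises alloc_contig_range() across all CMA areas: concurrent callers isolate MAX_ORDER-aligned ranges that overlap each other's targets and spuriously fail with -EBUSY (see the revert of a4efc174b382). */`. The same comment should say the lock is held for the whole migration, so one large allocation stalls every other CMA user; that is the accepted trade-off here rather than a defect, but it deserves to be recorded. cma_alloc()'s retry loop starts and ends outside the hunk.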
@@ -802,3 +802,34 @@ mtd-cfi_cmdset_0002-move-and-rename-chip_check-chip_ready-chip_good_for_write.pa
 mtd-cfi_cmdset_0002-use-chip_ready-for-write-on-s29gl064n.patch
 media-coda-fix-reported-h264-profile.patch
 media-coda-add-more-h264-levels-for-coda960.patch
+ima-remove-the-ima_template-kconfig-option.patch
+kconfig-add-option-for-asm-goto-w-tied-outputs-to-workaround-clang-13-bug.patch
+lib-string_helpers-fix-not-adding-strarray-to-device-s-resource-list.patch
+rdma-hfi1-fix-potential-integer-multiplication-overflow-errors.patch
+mmc-core-allows-to-override-the-timeout-value-for-ioctl-path.patch
+csky-patch_text-fixup-last-cpu-should-be-master.patch
+irqchip-armada-370-xp-do-not-touch-performance-counter-overflow-on-a375-a38x-a39x.patch
+irqchip-irq-xtensa-mx-fix-initial-irq-affinity.patch
+thermal-devfreq_cooling-use-local-ops-instead-of-global-ops.patch
+mt76-fix-use-after-free-by-removing-a-non-rcu-wcid-pointer.patch
+cfg80211-declare-module_firmware-for-regulatory.db.patch
+mac80211-upgrade-passive-scan-to-active-scan-on-dfs-channels-after-beacon-rx.patch
+um-virtio_uml-fix-broken-device-handling-in-time-travel.patch
+um-use-asm-generic-dma-mapping.h.patch
+um-chan_user-fix-winch_tramp-return-value.patch
+um-fix-out-of-bounds-read-in-ldt-setup.patch
+mips-ip27-remove-incorrect-cpu_has_fpu-override.patch
+mips-ip30-remove-incorrect-cpu_has_fpu-override.patch
+kexec_file-drop-weak-attribute-from-arch_kexec_apply_relocations.patch
+ftrace-clean-up-hash-direct_functions-on-register-failures.patch
+ksmbd-fix-outstanding-credits-related-bugs.patch
+iommu-msm-fix-an-incorrect-null-check-on-list-iterator.patch
+iommu-dma-fix-iova-map-result-check-bug.patch
+kprobes-fix-build-errors-with-config_kretprobes-n.patch
+revert-mm-cma.c-remove-redundant-cma_mutex-lock.patch
+mm-page_owner-use-strscpy-instead-of-strlcpy.patch
+mm-page_alloc-always-attempt-to-allocate-at-least-one-page-during-bulk-allocation.patch
+nodemask.h-fix-compilation-error-with-gcc12.patch
+hugetlb-fix-huge_pmd_unshare-address-update.patch
+mm-memremap-fix-missing-call-to-untrack_pfn-in-pagemap_range.patch
+xtensa-simdisk-fix-proc_read_simdisk.patch
diff --git a/queue-5.18/thermal-devfreq_cooling-use-local-ops-instead-of-global-ops.patch b/queue-5.18/thermal-devfreq_cooling-use-local-ops-instead-of-global-ops.patch
new file mode 100644
index 00000000000..840e7d17c4d
--- /dev/null
+++ b/queue-5.18/thermal-devfreq_cooling-use-local-ops-instead-of-global-ops.patch
@@ -0,0 +1,109 @@ +From b947769b8f778db130aad834257fcaca25df2edc Mon Sep 17 00:00:00 2001 +From: Kant Fan +Date: Fri, 25 Mar 2022 15:30:30 +0800 +Subject: thermal: devfreq_cooling: use local ops instead of global ops + +From: Kant Fan + +commit b947769b8f778db130aad834257fcaca25df2edc upstream. + +Fix access illegal address problem in following condition: + +There are multiple devfreq cooling devices in system, some of them has +EM model but others do not. Energy model ops such as state2power will +append to global devfreq_cooling_ops when the cooling device with +EM model is registered. It makes the cooling device without EM model +also use devfreq_cooling_ops after appending when registered later by +of_devfreq_cooling_register_power() or of_devfreq_cooling_register(). + +The IPA governor regards the cooling devices without EM model as a power +actor, because they also have energy model ops, and will access illegal +address at dfc->em_pd when execute cdev->ops->get_requested_power, +cdev->ops->state2power or cdev->ops->power2state. + +Fixes: 615510fe13bd2 ("thermal: devfreq_cooling: remove old power model and use EM") +Cc: 5.13+ # 5.13+ +Signed-off-by: Kant Fan +Reviewed-by: Lukasz Luba +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/devfreq_cooling.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/drivers/thermal/devfreq_cooling.c ++++ b/drivers/thermal/devfreq_cooling.c +@@ -358,21 +358,28 @@ of_devfreq_cooling_register_power(struct + struct thermal_cooling_device *cdev; + struct device *dev = df->dev.parent; + struct devfreq_cooling_device *dfc; ++ struct thermal_cooling_device_ops *ops; + char *name; + int err, num_opps; + +- dfc = kzalloc(sizeof(*dfc), GFP_KERNEL); +- if (!dfc) ++ ops = kmemdup(&devfreq_cooling_ops, sizeof(*ops), GFP_KERNEL); ++ if (!ops) + return ERR_PTR(-ENOMEM); + ++ dfc = kzalloc(sizeof(*dfc), GFP_KERNEL); ++ if (!dfc) { ++ err = -ENOMEM; ++ goto free_ops; ++ } ++ + dfc->devfreq = df; + + dfc->em_pd = em_pd_get(dev); + if (dfc->em_pd) { +- devfreq_cooling_ops.get_requested_power = ++ ops->get_requested_power = + devfreq_cooling_get_requested_power; +- devfreq_cooling_ops.state2power = devfreq_cooling_state2power; +- devfreq_cooling_ops.power2state = devfreq_cooling_power2state; ++ ops->state2power = devfreq_cooling_state2power; ++ ops->power2state = devfreq_cooling_power2state; + + dfc->power_ops = dfc_power; + +@@ -407,8 +414,7 @@ of_devfreq_cooling_register_power(struct + if (!name) + goto remove_qos_req; + +- cdev = thermal_of_cooling_device_register(np, name, dfc, +- &devfreq_cooling_ops); ++ cdev = thermal_of_cooling_device_register(np, name, dfc, ops); + kfree(name); + + if (IS_ERR(cdev)) { +@@ -429,6 +435,8 @@ free_table: + kfree(dfc->freq_table); + free_dfc: + kfree(dfc); ++free_ops: ++ kfree(ops); + + return ERR_PTR(err); + } +@@ -510,11 +518,13 @@ EXPORT_SYMBOL_GPL(devfreq_cooling_em_reg + void devfreq_cooling_unregister(struct thermal_cooling_device *cdev) + { + struct devfreq_cooling_device *dfc; ++ const struct thermal_cooling_device_ops *ops; + struct device *dev; + + if (IS_ERR_OR_NULL(cdev)) + return; + ++ ops = cdev->ops; + dfc = cdev->devdata; 
+ dev = dfc->devfreq->dev.parent; + +@@ -525,5 +535,6 @@ void devfreq_cooling_unregister(struct t + + kfree(dfc->freq_table); + kfree(dfc); ++ kfree(ops); + } + EXPORT_SYMBOL_GPL(devfreq_cooling_unregister); diff --git a/queue-5.18/um-chan_user-fix-winch_tramp-return-value.patch b/queue-5.18/um-chan_user-fix-winch_tramp-return-value.patch new file mode 100644 index 00000000000..8cc9b1af57c --- /dev/null +++ b/queue-5.18/um-chan_user-fix-winch_tramp-return-value.patch 
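Review bot: With the ops now duplicated per device via kmemdup(), the global devfreq_cooling_ops is only a template and is no longer written anywhere in this patch, so it should become `static const struct thermal_cooling_device_ops devfreq_cooling_ops` to stop a future change from re-introducing the shared-mutation bug this commit fixes; its definition is outside the hunk, so confirm nothing else still assigns to it. The kmemdup()-before-kzalloc() ordering and the free_ops fall-through look correct, but the unregister path captures `ops = cdev->ops` and kfree()s it after thermal_cooling_device_unregister() (outside the hunk), which relies on every cdev passed in having been registered by this file. That ownership rule is worth a comment on devfreq_cooling_unregister(), e.g. `/* ops was kmemdup()'d in of_devfreq_cooling_register_power() and is owned by this file */`.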
@@ -0,0 +1,64 @@
+From 57ae0b67b747031bc41fb44643aa5344ab58607e Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 20 May 2022 19:45:36 +0200
+Subject: um: chan_user: Fix winch_tramp() return value
+
+From: Johannes Berg
+
+commit 57ae0b67b747031bc41fb44643aa5344ab58607e upstream.
+
+The previous fix here was only partially correct, it did
+result in returning a proper error value in case of error,
+but it also clobbered the pid that we need to return from
+this function (not just zero for success).
+
+As a result, it returned 0 here, but later this is treated
+as a pid and used to kill the process, but since it's now
+0 we kill(0, SIGKILL), which makes UML kill itself rather
+than just the helper thread.
+
+Fix that and make it more obvious by using a separate
+variable for the pid.
+
+Fixes: ccf1236ecac4 ("um: fix error return code in winch_tramp()")
+Reported-and-tested-by: Nathan Chancellor
+Signed-off-by: Johannes Berg
+Cc: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/um/drivers/chan_user.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/um/drivers/chan_user.c
++++ b/arch/um/drivers/chan_user.c
+@@ -220,7 +220,7 @@ static int winch_tramp(int fd, struct tt
+ unsigned long *stack_out)
+ {
+ struct winch_data data;
+- int fds[2], n, err;
++ int fds[2], n, err, pid;
+ char c;
+
+ err = os_pipe(fds, 1, 1);
+@@ -238,8 +238,9 @@ static int winch_tramp(int fd, struct tt
+ * problem with /dev/net/tun, which if held open by this
+ * thread, prevents the TUN/TAP device from being reused.
+ */
+- err = run_helper_thread(winch_thread, &data, CLONE_FILES, stack_out);
+- if (err < 0) {
++ pid = run_helper_thread(winch_thread, &data, CLONE_FILES, stack_out);
++ if (pid < 0) {
++ err = pid;
+ printk(UM_KERN_ERR "fork of winch_thread failed - errno = %d\n",
+ -err);
+ goto out_close;
+@@ -263,7 +264,7 @@ static int winch_tramp(int fd, struct tt
+ goto out_close;
+ }
+
+- return err;
++ return pid;
+
+ out_close:
+ close(fds[1]);
diff --git a/queue-5.18/um-fix-out-of-bounds-read-in-ldt-setup.patch b/queue-5.18/um-fix-out-of-bounds-read-in-ldt-setup.patch
new file mode 100644
index 00000000000..11236e74beb
--- /dev/null
+++ b/queue-5.18/um-fix-out-of-bounds-read-in-ldt-setup.patch
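Review bot: Once run_helper_thread() has succeeded (pid > 0), the later `goto out_close` paths between the two hunks still return err to the caller, and nothing in the visible code kills or reaps the helper thread that was just created, so a failure after the fork appears to leave it running; the commit message says the caller relies on the returned pid to kill the helper, and on those paths it now gets an error instead. Confirm that out_close (outside the hunk) or the caller handles this, or terminate the helper on the failure path, e.g. `if (pid > 0) os_kill_process(pid, 1);` before the close() calls. A short comment on `return pid;` noting that the positive return is the helper's pid, consumed by the caller for kill(), would document the contract this fix restores. winch_tramp() continues outside the hunk.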
@@ -0,0 +1,71 @@ +From 2a4a62a14be1947fa945c5c11ebf67326381a568 Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Mon, 23 May 2022 16:04:03 +0200 +Subject: um: Fix out-of-bounds read in LDT setup + +From: Vincent Whitchurch + +commit 2a4a62a14be1947fa945c5c11ebf67326381a568 upstream. + +syscall_stub_data() expects the data_count parameter to be the number of +longs, not bytes. + + ================================================================== + BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0 + Read of size 128 at addr 000000006411f6f0 by task swapper/1 + + CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18 + Call Trace: + show_stack.cold+0x166/0x2a7 + __dump_stack+0x3a/0x43 + dump_stack_lvl+0x1f/0x27 + print_report.cold+0xdb/0xf81 + kasan_report+0x119/0x1f0 + kasan_check_range+0x3a3/0x440 + memcpy+0x52/0x140 + syscall_stub_data+0x70/0xe0 + write_ldt_entry+0xac/0x190 + init_new_ldt+0x515/0x960 + init_new_context+0x2c4/0x4d0 + mm_init.constprop.0+0x5ed/0x760 + mm_alloc+0x118/0x170 + 0x60033f48 + do_one_initcall+0x1d7/0x860 + 0x60003e7b + kernel_init+0x6e/0x3d4 + new_thread_handler+0x1e7/0x2c0 + + The buggy address belongs to stack of task swapper/1 + and is located at offset 64 in frame: + init_new_ldt+0x0/0x960 + + This frame has 2 objects: + [32, 40) 'addr' + [64, 80) 'desc' + ================================================================== + +Fixes: 858259cf7d1c443c83 ("uml: maintain own LDT entries") +Signed-off-by: Vincent Whitchurch +Cc: stable@vger.kernel.org +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/um/ldt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/um/ldt.c ++++ b/arch/x86/um/ldt.c +@@ -23,9 +23,11 @@ static long write_ldt_entry(struct mm_id + { + long res; + void *stub_addr; ++ ++ BUILD_BUG_ON(sizeof(*desc) % sizeof(long)); ++ + res = syscall_stub_data(mm_idp, (unsigned long *)desc, +- (sizeof(*desc) + sizeof(long) - 1) & +- ~(sizeof(long) - 1), ++ 
sizeof(*desc) / sizeof(long), + addr, &stub_addr); + if (!res) { + unsigned long args[] = { func, diff --git a/queue-5.18/um-use-asm-generic-dma-mapping.h.patch b/queue-5.18/um-use-asm-generic-dma-mapping.h.patch new file mode 100644 index 00000000000..ea7219668ff --- /dev/null +++ b/queue-5.18/um-use-asm-generic-dma-mapping.h.patch @@ -0,0 +1,44 @@ +From 365719035526e8eda214a1cedb2e1c96e969a0d7 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 28 Mar 2022 09:46:25 +0200 +Subject: um: Use asm-generic/dma-mapping.h + +From: Johannes Berg + +commit 365719035526e8eda214a1cedb2e1c96e969a0d7 upstream. + +If DMA (PCI over virtio) is enabled, then some drivers may +enable CONFIG_DMA_OPS as well, and then we pull in the x86 +definition of get_arch_dma_ops(), which uses the dma_ops +symbol, which isn't defined. + +Since we don't have real DMA ops nor any kind of IOMMU fix +this in the simplest possible way: pull in the asm-generic +file instead of inheriting the x86 one. It's not clear why +those drivers that do (e.g. VDPA) "select DMA_OPS", and if +they'd even work with this, but chances are nobody will be +wanting to do that anyway, so fixing the build failure is +good enough. + +Reported-by: Randy Dunlap +Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") +Signed-off-by: Johannes Berg +Tested-by: Randy Dunlap +Acked-by: Randy Dunlap +Cc: stable@vger.kernel.org +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/include/asm/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/um/include/asm/Kbuild ++++ b/arch/um/include/asm/Kbuild +@@ -4,6 +4,7 @@ generic-y += bug.h + generic-y += compat.h + generic-y += current.h + generic-y += device.h ++generic-y += dma-mapping.h + generic-y += emergency-restart.h + generic-y += exec.h + generic-y += extable.h 
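Review bot: The `(unsigned long *)desc` cast paired with the new `sizeof(*desc) / sizeof(long)` argument is a unit conversion that nothing at the call site explains — the old code passed a rounded byte count and KASAN reported a 128-byte read from a 16-byte stack frame, i.e. 16 longs instead of 2. A comment above the BUILD_BUG_ON(), `/* syscall_stub_data() takes the length in longs, not bytes */`, would stop the next reader from reintroducing the byte count. The BUILD_BUG_ON() only guarantees divisibility, not that desc is aligned for a long-wise copy; the trace shows syscall_stub_data() going through memcpy(), so this looks fine, but it is worth confirming there. write_ldt_entry()'s signature and the remainder of its body are outside the hunk.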
diff --git a/queue-5.18/um-virtio_uml-fix-broken-device-handling-in-time-travel.patch b/queue-5.18/um-virtio_uml-fix-broken-device-handling-in-time-travel.patch new file mode 100644 index 00000000000..388741b27c7 --- /dev/null +++ b/queue-5.18/um-virtio_uml-fix-broken-device-handling-in-time-travel.patch 
@@ -0,0 +1,117 @@ +From af9fb41ed315ce95f659f0b10b4d59a71975381d Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 17 May 2022 22:52:50 +0200 +Subject: um: virtio_uml: Fix broken device handling in time-travel + +From: Johannes Berg + +commit af9fb41ed315ce95f659f0b10b4d59a71975381d upstream. + +If a device implementation crashes, virtio_uml will mark it +as dead by calling virtio_break_device() and scheduling the +work that will remove it. + +This still seems like the right thing to do, but it's done +directly while reading the message, and if time-travel is +used, this is in the time-travel handler, outside of the +normal Linux machinery. Therefore, we cannot acquire locks +or do normal "linux-y" things because e.g. lockdep will be +confused about the context. + +Move handling this situation out of the read function and +into the actual IRQ handler and response handling instead, +so that in the case of time-travel we don't call it in the +wrong context. + +Chances are the system will still crash immediately, since +the device implementation crashing may also cause the time- +travel controller to go down, but at least all of that now +happens without strange warnings from lockdep. 
+ +Fixes: c8177aba37ca ("um: time-travel: rework interrupt handling in ext mode") +Cc: stable@vger.kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/drivers/virtio_uml.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -63,6 +63,7 @@ struct virtio_uml_device { + + u8 config_changed_irq:1; + uint64_t vq_irq_vq_map; ++ int recv_rc; + }; + + struct virtio_uml_vq_info { +@@ -148,14 +149,6 @@ static int vhost_user_recv(struct virtio + + rc = vhost_user_recv_header(fd, msg); + +- if (rc == -ECONNRESET && vu_dev->registered) { +- struct virtio_uml_platform_data *pdata; +- +- pdata = vu_dev->pdata; +- +- virtio_break_device(&vu_dev->vdev); +- schedule_work(&pdata->conn_broken_wk); +- } + if (rc) + return rc; + size = msg->header.size; +@@ -164,6 +157,21 @@ static int vhost_user_recv(struct virtio + return full_read(fd, &msg->payload, size, false); + } + ++static void vhost_user_check_reset(struct virtio_uml_device *vu_dev, ++ int rc) ++{ ++ struct virtio_uml_platform_data *pdata = vu_dev->pdata; ++ ++ if (rc != -ECONNRESET) ++ return; ++ ++ if (!vu_dev->registered) ++ return; ++ ++ virtio_break_device(&vu_dev->vdev); ++ schedule_work(&pdata->conn_broken_wk); ++} ++ + static int vhost_user_recv_resp(struct virtio_uml_device *vu_dev, + struct vhost_user_msg *msg, + size_t max_payload_size) +@@ -171,8 +179,10 @@ static int vhost_user_recv_resp(struct v + int rc = vhost_user_recv(vu_dev, vu_dev->sock, msg, + max_payload_size, true); + +- if (rc) ++ if (rc) { ++ vhost_user_check_reset(vu_dev, rc); + return rc; ++ } + + if (msg->header.flags != (VHOST_USER_FLAG_REPLY | VHOST_USER_VERSION)) + return -EPROTO; +@@ -369,6 +379,7 @@ static irqreturn_t vu_req_read_message(s + sizeof(msg.msg.payload) + + sizeof(msg.extra_payload)); + ++ vu_dev->recv_rc = rc; + if (rc) + return IRQ_NONE; + +@@ 
-412,7 +423,9 @@ static irqreturn_t vu_req_interrupt(int + if (!um_irq_timetravel_handler_used()) + ret = vu_req_read_message(vu_dev, NULL); + +- if (vu_dev->vq_irq_vq_map) { ++ if (vu_dev->recv_rc) { ++ vhost_user_check_reset(vu_dev, vu_dev->recv_rc); ++ } else if (vu_dev->vq_irq_vq_map) { + struct virtqueue *vq; + + virtio_device_for_each_vq((&vu_dev->vdev), vq) { diff --git a/queue-5.18/xtensa-simdisk-fix-proc_read_simdisk.patch b/queue-5.18/xtensa-simdisk-fix-proc_read_simdisk.patch new file mode 100644 index 00000000000..0f63f019841 --- /dev/null +++ b/queue-5.18/xtensa-simdisk-fix-proc_read_simdisk.patch 
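Review bot: The new `recv_rc` field in struct virtio_uml_device carries state from vu_req_read_message() into vu_req_interrupt() but has no comment, and the consumer never clears it; as far as this hunk shows, a vu_req_interrupt() that does not itself call vu_req_read_message() (the `um_irq_timetravel_handler_used()` path) will re-run vhost_user_check_reset() on whatever the last read left there. That is harmless only if virtio_break_device() and schedule_work() on an already-scheduled work item tolerate repetition, which is true today but deserves stating. Suggest `int recv_rc; /* result of the last vu_req_read_message(); read by vu_req_interrupt(), not cleared between IRQs */` on the struct member, and a short comment on the `if (vu_dev->recv_rc)` branch saying the error is handled here rather than in the read path because the read may run in the time-travel handler. vu_req_read_message() and vu_req_interrupt() both start outside the hunk.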
@@ -0,0 +1,56 @@ +From b011946d039d66bbc7102137e98cc67e1356aa87 Mon Sep 17 00:00:00 2001 +From: Yi Yang +Date: Tue, 10 May 2022 16:05:33 +0800 +Subject: xtensa/simdisk: fix proc_read_simdisk() + +From: Yi Yang + +commit b011946d039d66bbc7102137e98cc67e1356aa87 upstream. + +The commit a69755b18774 ("xtensa simdisk: switch to proc_create_data()") +split read operation into two parts, first retrieving the path when it's +non-null and second retrieving the trailing '\n'. However when the path +is non-null the first simple_read_from_buffer updates ppos, and the +second simple_read_from_buffer returns 0 if ppos is greater than 1 (i.e. +almost always). As a result reading from that proc file is almost always +empty. + +Fix it by making a temporary copy of the path with the trailing '\n' and +using simple_read_from_buffer on that copy. + +Cc: stable@vger.kernel.org +Fixes: a69755b18774 ("xtensa simdisk: switch to proc_create_data()") +Signed-off-by: Yi Yang +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + arch/xtensa/platforms/iss/simdisk.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/arch/xtensa/platforms/iss/simdisk.c ++++ b/arch/xtensa/platforms/iss/simdisk.c +@@ -211,12 +211,18 @@ static ssize_t proc_read_simdisk(struct + struct simdisk *dev = pde_data(file_inode(file)); + const char *s = dev->filename; + if (s) { +- ssize_t n = simple_read_from_buffer(buf, size, ppos, +- s, strlen(s)); +- if (n < 0) +- return n; +- buf += n; +- size -= n; ++ ssize_t len = strlen(s); ++ char *temp = kmalloc(len + 2, GFP_KERNEL); ++ ++ if (!temp) ++ return -ENOMEM; ++ ++ len = scnprintf(temp, len + 2, "%s\n", s); ++ len = simple_read_from_buffer(buf, size, ppos, ++ temp, len); ++ ++ kfree(temp); ++ return len; + } + return simple_read_from_buffer(buf, size, ppos, "\n", 1); + }
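Review bot: The kmalloc()/scnprintf() pair in the `if (s)` branch hand-rolls what kasprintf() does in one step, and reusing `len` first for strlen(), then for the scnprintf() result, then for the read result makes the `len + 2` arithmetic harder to check than it needs to be; `char *temp = kasprintf(GFP_KERNEL, "%s\n", s);` followed by `len = simple_read_from_buffer(buf, size, ppos, temp, strlen(temp));` keeps the -ENOMEM check and kfree() and drops the manual sizing. Separately, `s` is taken from `dev->filename` with no locking visible here and is dereferenced twice (strlen() and scnprintf()); if the write side can replace that string concurrently — not shown in this hunk, and the old code had the same exposure — a comment stating what protects `dev->filename` across this read would help. proc_read_simdisk()'s signature is in the hunk header, outside the hunk.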