From: Greg Kroah-Hartman Date: Tue, 7 Mar 2023 12:21:30 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.2.3~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df92c024f84c08a234606d5f93a8ed7af8c9f0f6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alpha-fix-fen-fault-handling.patch alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch dm-flakey-don-t-corrupt-the-zero-page.patch dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch dm-flakey-fix-logic-when-corrupting-a-bio.patch ext4-fix-possible-corruption-when-moving-a-directory.patch ext4-optimize-ea_inode-block-expansion.patch ext4-refuse-to-create-ea-block-when-umounted.patch ktest.pl-add-run_timeout-option-with-default-unlimited.patch ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch mips-fix-syscall_get_nr.patch mm-memcontrol-deprecate-charge-moving.patch mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch scsi-core-remove-the-proc-scsi-proc_name-directory-earlier.patch scsi-qla2xxx-fix-dma-api-call-trace-on-nvme-ls-requests.patch scsi-qla2xxx-fix-erroneous-link-down.patch scsi-qla2xxx-fix-link-failure-in-npiv-environment.patch thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch wifi-cfg80211-fix-use-after-free-for-wext.patch wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch --- diff --git a/queue-5.4/alpha-fix-fen-fault-handling.patch b/queue-5.4/alpha-fix-fen-fault-handling.patch new file mode 100644 index 00000000000..d5331ce497b --- /dev/null +++ b/queue-5.4/alpha-fix-fen-fault-handling.patch 
@@ -0,0 +1,88 @@ +From 977a3009547dad4a5bc95d91be4a58c9f7eedac0 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 6 Jan 2023 19:25:59 -0500 +Subject: alpha: fix FEN fault handling + +From: Al Viro + +commit 977a3009547dad4a5bc95d91be4a58c9f7eedac0 upstream. + +Type 3 instruction fault (FPU insn with FPU disabled) is handled +by quietly enabling FPU and returning. Which is fine, except that +we need to do that both for fault in userland and in the kernel; +the latter *can* legitimately happen - all it takes is this: + +.global _start +_start: + call_pal 0xae + lda $0, 0 + ldq $0, 0($0) + +- call_pal CLRFEN to clear "FPU enabled" flag and arrange for +a signal delivery (SIGSEGV in this case). + +Fixed by moving the handling of type 3 into the common part of +do_entIF(), before we check for kernel vs. user mode. + +Incidentally, the check for kernel mode is unidiomatic; the normal +way to do that is !user_mode(regs). The difference is that +the open-coded variant treats any of bits 63..3 of regs->ps being +set as "it's user mode" while the normal approach is to check just +the bit 3. PS is a 4-bit register and regs->ps always will have +bits 63..4 clear, so the open-coded variant here is actually equivalent +to !user_mode(regs). Harder to follow, though... + +Cc: stable@vger.kernel.org +Reviewed-by: Richard Henderson +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/traps.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/arch/alpha/kernel/traps.c ++++ b/arch/alpha/kernel/traps.c +@@ -235,7 +235,21 @@ do_entIF(unsigned long type, struct pt_r + { + int signo, code; + +- if ((regs->ps & ~IPL_MAX) == 0) { ++ if (type == 3) { /* FEN fault */ ++ /* Irritating users can call PAL_clrfen to disable the ++ FPU for the process. The kernel will then trap in ++ do_switch_stack and undo_switch_stack when we try ++ to save and restore the FP registers. 
++ ++ Given that GCC by default generates code that uses the ++ FP registers, PAL_clrfen is not useful except for DoS ++ attacks. So turn the bleeding FPU back on and be done ++ with it. */ ++ current_thread_info()->pcb.flags |= 1; ++ __reload_thread(¤t_thread_info()->pcb); ++ return; ++ } ++ if (!user_mode(regs)) { + if (type == 1) { + const unsigned int *data + = (const unsigned int *) regs->pc; +@@ -368,20 +382,6 @@ do_entIF(unsigned long type, struct pt_r + } + break; + +- case 3: /* FEN fault */ +- /* Irritating users can call PAL_clrfen to disable the +- FPU for the process. The kernel will then trap in +- do_switch_stack and undo_switch_stack when we try +- to save and restore the FP registers. +- +- Given that GCC by default generates code that uses the +- FP registers, PAL_clrfen is not useful except for DoS +- attacks. So turn the bleeding FPU back on and be done +- with it. */ +- current_thread_info()->pcb.flags |= 1; +- __reload_thread(¤t_thread_info()->pcb); +- return; +- + case 5: /* illoc */ + default: /* unexpected instruction-fault type */ + ; diff --git a/queue-5.4/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch b/queue-5.4/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch new file mode 100644 index 00000000000..f5f76403965 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch 
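Review bot: The comment carried into the new `if (type == 3)` block at the top of do_entIF() still describes only the user-space PAL_clrfen case, while the commit text says the block was moved because the fault can also be taken in kernel mode. A line such as `/* Must run before the user_mode() check: a FEN fault can also be taken in kernel mode after PAL_clrfen */` would stop a later cleanup from folding the block back into the user-mode switch. The literal in `pcb.flags |= 1` would also benefit from a short comment naming it as the FPU-enable flag described in the commit text. do_entIF() starts and ends outside both hunks.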
@@ -0,0 +1,35 @@
+From ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=81ukasz=20Stelmach?=
+Date: Thu, 23 Feb 2023 08:47:48 +0100
+Subject: ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Stelmach
+
+commit ea24b9953bcd3889f77a66e7f1d7e86e995dd9c3 upstream.
+
+HP EliteDesk 800 G6 Tower PC (103c:870c) requires a quirk for enabling
+headset-mic.
+
+Signed-off-by: Łukasz Stelmach
+Cc:
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217008
+Link: https://lore.kernel.org/r/20230223074749.1026060-1-l.stelmach@samsung.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10339,6 +10339,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
++ SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
diff --git a/queue-5.4/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch b/queue-5.4/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch
new file mode 100644
index 00000000000..68d90628767
--- /dev/null
+++ b/queue-5.4/alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch
@@ -0,0 +1,48 @@ +From 951606a14a8901e3551fe4d8d3cedd73fe954ce1 Mon Sep 17 00:00:00 2001 +From: Dmitry Fomin +Date: Sat, 25 Feb 2023 21:43:21 +0300 +Subject: ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls() + +From: Dmitry Fomin + +commit 951606a14a8901e3551fe4d8d3cedd73fe954ce1 upstream. + +If snd_ctl_add() fails in aureon_add_controls(), it immediately returns +and leaves ice->gpio_mutex locked. ice->gpio_mutex locks in +snd_ice1712_save_gpio_status and unlocks in +snd_ice1712_restore_gpio_status(ice). + +It seems that the mutex is required only for aureon_cs8415_get(), +so snd_ice1712_restore_gpio_status(ice) can be placed +just after that. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Dmitry Fomin +Cc: +Link: https://lore.kernel.org/r/20230225184322.6286-1-fomindmitriyfoma@mail.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ice1712/aureon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ice1712/aureon.c ++++ b/sound/pci/ice1712/aureon.c +@@ -1892,6 +1892,7 @@ static int aureon_add_controls(struct sn + unsigned char id; + snd_ice1712_save_gpio_status(ice); + id = aureon_cs8415_get(ice, CS8415_ID); ++ snd_ice1712_restore_gpio_status(ice); + if (id != 0x41) + dev_info(ice->card->dev, + "No CS8415 chip. Skipping CS8415 controls.\n"); +@@ -1909,7 +1910,6 @@ static int aureon_add_controls(struct sn + kctl->id.device = ice->pcm->device; + } + } +- snd_ice1712_restore_gpio_status(ice); + } + + return 0; diff --git a/queue-5.4/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch b/queue-5.4/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch new file mode 100644 index 00000000000..b7a06f441ae --- /dev/null +++ b/queue-5.4/arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch 
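Review bot: With snd_ice1712_restore_gpio_status() now called straight after aureon_cs8415_get(), the rest of the CS8415 branch in aureon_add_controls() runs without ice->gpio_mutex, and the commit text states the change was compile tested only. The reasoning deserves a comment next to the call, for example `/* GPIO state is needed only for the ID read; release it before any early return below */`, so the lock scope is not widened again later. The control-registration loop and its error return are only partly visible in the hunk, so whether anything in that loop depends on the saved GPIO state should be confirmed against the full function.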
@@ -0,0 +1,32 @@
+From 8e4505e617a80f601e2f53a917611777f128f925 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Thu, 9 Feb 2023 11:58:36 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Exynos4
+
+From: Krzysztof Kozlowski
+
+commit 8e4505e617a80f601e2f53a917611777f128f925 upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle.
+
+Fixes: 328829a6ad70 ("ARM: dts: define default thermal-zones for exynos4")
+Cc:
+Link: https://lore.kernel.org/r/20230209105841.779596-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/dts/exynos4-cpu-thermal.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi
++++ b/arch/arm/boot/dts/exynos4-cpu-thermal.dtsi
+@@ -10,7 +10,7 @@
+ / {
+ thermal-zones {
+ cpu_thermal: cpu-thermal {
+- thermal-sensors = <&tmu 0>;
++ thermal-sensors = <&tmu>;
+ polling-delay-passive = <0>;
+ polling-delay = <0>;
+ trips {
diff --git a/queue-5.4/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch b/queue-5.4/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch
new file mode 100644
index 00000000000..a8265a99b43
--- /dev/null
+++ b/queue-5.4/arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch
@@ -0,0 +1,33 @@
+From 9372eca505e7a19934d750b4b4c89a3652738e66 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Thu, 9 Feb 2023 11:58:39 +0100
+Subject: ARM: dts: exynos: correct TMU phandle in Odroid XU
+
+From: Krzysztof Kozlowski
+
+commit 9372eca505e7a19934d750b4b4c89a3652738e66 upstream.
+
+TMU node uses 0 as thermal-sensor-cells, thus thermal zone referencing
+it must not have an argument to phandle. Since thermal-sensors property
+is already defined in included exynosi5410.dtsi, drop it from
+exynos5410-odroidxu.dts to fix the error and remoev redundancy.
+
+Fixes: 88644b4c750b ("ARM: dts: exynos: Configure PWM, usb3503, PMIC and thermal on Odroid XU board")
+Cc:
+Link: https://lore.kernel.org/r/20230209105841.779596-4-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/dts/exynos5410-odroidxu.dts | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos5410-odroidxu.dts
++++ b/arch/arm/boot/dts/exynos5410-odroidxu.dts
+@@ -116,7 +116,6 @@
+ };
+
+ &cpu0_thermal {
+- thermal-sensors = <&tmu_cpu0 0>;
+ polling-delay-passive = <0>;
+ polling-delay = <0>;
+
diff --git a/queue-5.4/dm-flakey-don-t-corrupt-the-zero-page.patch b/queue-5.4/dm-flakey-don-t-corrupt-the-zero-page.patch
new file mode 100644
index 00000000000..445726e5aa1
--- /dev/null
+++ b/queue-5.4/dm-flakey-don-t-corrupt-the-zero-page.patch
@@ -0,0 +1,46 @@ +From f50714b57aecb6b3dc81d578e295f86d9c73f078 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:02:57 -0500 +Subject: dm flakey: don't corrupt the zero page + +From: Mikulas Patocka + +commit f50714b57aecb6b3dc81d578e295f86d9c73f078 upstream. + +When we need to zero some range on a block device, the function +__blkdev_issue_zero_pages submits a write bio with the bio vector pointing +to the zero page. If we use dm-flakey with corrupt bio writes option, it +will corrupt the content of the zero page which results in crashes of +various userspace programs. Glibc assumes that memory returned by mmap is +zeroed and it uses it for calloc implementation; if the newly mapped +memory is not zeroed, calloc will return non-zeroed memory. + +Fix this bug by testing if the page is equal to ZERO_PAGE(0) and +avoiding the corruption in this case. + +Cc: stable@vger.kernel.org +Fixes: a00f5276e266 ("dm flakey: Properly corrupt multi-page bios.") +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -301,8 +301,11 @@ static void corrupt_bio_data(struct bio + */ + bio_for_each_segment(bvec, bio, iter) { + if (bio_iter_len(bio, iter) > corrupt_bio_byte) { +- char *segment = (page_address(bio_iter_page(bio, iter)) +- + bio_iter_offset(bio, iter)); ++ char *segment; ++ struct page *page = bio_iter_page(bio, iter); ++ if (unlikely(page == ZERO_PAGE(0))) ++ break; ++ segment = (page_address(page) + bio_iter_offset(bio, iter)); + segment[corrupt_bio_byte] = fc->corrupt_bio_value; + DMDEBUG("Corrupting data bio=%p by writing %u to byte %u " + "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n", 
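Review bot: The new `if (unlikely(page == ZERO_PAGE(0))) break;` in corrupt_bio_data() has no comment, and the reason for it is not visible from the code: per the commit text the zero page is shared, so writing the corrupt byte into it damages memory that unrelated processes rely on being zero. A line above the test such as `/* Never write into the shared zero page: it backs zero-fill writes and is visible to user space */` would keep the check from being removed as dead weight. The skip is also silent, since the DMDEBUG that follows only runs when a byte is written; a one-line debug message on the `break` path would tell a tester why no corruption happened. The function body continues outside the hunk.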
diff --git a/queue-5.4/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch b/queue-5.4/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch new file mode 100644 index 00000000000..9475c10ba4b --- /dev/null +++ b/queue-5.4/dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch @@ -0,0 +1,34 @@ +From 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:03:31 -0500 +Subject: dm flakey: fix a bug with 32-bit highmem systems + +From: Mikulas Patocka + +commit 8eb29c4fbf9661e6bd4dd86197a37ffe0ecc9d50 upstream. + +The function page_address does not work with 32-bit systems with high +memory. Use bvec_kmap_local/kunmap_local instead. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -305,8 +305,9 @@ static void corrupt_bio_data(struct bio + struct page *page = bio_iter_page(bio, iter); + if (unlikely(page == ZERO_PAGE(0))) + break; +- segment = (page_address(page) + bio_iter_offset(bio, iter)); ++ segment = bvec_kmap_local(&bvec); + segment[corrupt_bio_byte] = fc->corrupt_bio_value; ++ kunmap_local(segment); + DMDEBUG("Corrupting data bio=%p by writing %u to byte %u " + "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n", + bio, fc->corrupt_bio_value, fc->corrupt_bio_byte, diff --git a/queue-5.4/dm-flakey-fix-logic-when-corrupting-a-bio.patch b/queue-5.4/dm-flakey-fix-logic-when-corrupting-a-bio.patch new file mode 100644 index 00000000000..9558d9ea11e --- /dev/null +++ b/queue-5.4/dm-flakey-fix-logic-when-corrupting-a-bio.patch 
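Review bot: `bvec_kmap_local()` and `kunmap_local()` in the new lines of corrupt_bio_data() have to exist in the 5.4 base this patch is queued for, and as far as I know both helpers entered mainline well after 5.4. If they are missing, drivers/md/dm-flakey.c will not build with this backport, and the 5.4 variant would need the older pairing instead, along the lines of `segment = kmap_atomic(page) + bio_iter_offset(bio, iter);` with a matching `kunmap_atomic(segment);`. A build test of dm-flakey on the 5.4 tree with the whole queue applied should gate this patch. The function starts and ends outside the hunk.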
@@ -0,0 +1,65 @@ +From aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 22 Jan 2023 14:03:56 -0500 +Subject: dm flakey: fix logic when corrupting a bio + +From: Mikulas Patocka + +commit aa56b9b75996ff4c76a0a4181c2fa0206c3d91cc upstream. + +If "corrupt_bio_byte" is set to corrupt reads and corrupt_bio_flags is +used, dm-flakey would erroneously return all writes as errors. Likewise, +if "corrupt_bio_byte" is set to corrupt writes, dm-flakey would return +errors for all reads. + +Fix the logic so that if fc->corrupt_bio_byte is non-zero, dm-flakey +will not abort reads on writes with an error. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reviewed-by: Sweet Tea Dorminy +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-flakey.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -360,9 +360,11 @@ static int flakey_map(struct dm_target * + /* + * Corrupt matching writes. + */ +- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == WRITE)) { +- if (all_corrupt_bio_flags_match(bio, fc)) +- corrupt_bio_data(bio, fc); ++ if (fc->corrupt_bio_byte) { ++ if (fc->corrupt_bio_rw == WRITE) { ++ if (all_corrupt_bio_flags_match(bio, fc)) ++ corrupt_bio_data(bio, fc); ++ } + goto map_bio; + } + +@@ -388,13 +390,14 @@ static int flakey_end_io(struct dm_targe + return DM_ENDIO_DONE; + + if (!*error && pb->bio_submitted && (bio_data_dir(bio) == READ)) { +- if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) && +- all_corrupt_bio_flags_match(bio, fc)) { +- /* +- * Corrupt successful matching READs while in down state. +- */ +- corrupt_bio_data(bio, fc); +- ++ if (fc->corrupt_bio_byte) { ++ if ((fc->corrupt_bio_rw == READ) && ++ all_corrupt_bio_flags_match(bio, fc)) { ++ /* ++ * Corrupt successful matching READs while in down state. 
++ */ ++ corrupt_bio_data(bio, fc); ++ } + } else if (!test_bit(DROP_WRITES, &fc->flags) && + !test_bit(ERROR_WRITES, &fc->flags)) { + /* diff --git a/queue-5.4/ext4-fix-possible-corruption-when-moving-a-directory.patch b/queue-5.4/ext4-fix-possible-corruption-when-moving-a-directory.patch new file mode 100644 index 00000000000..bc21341250e --- /dev/null +++ b/queue-5.4/ext4-fix-possible-corruption-when-moving-a-directory.patch 
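Review bot: In flakey_map() the comment "Corrupt matching writes." now sits above a branch that is taken for any non-zero `fc->corrupt_bio_byte`, including the configuration where corrupt_bio_rw is READ and the bio is only passed to map_bio untouched. Rewording it, for instance `/* corrupt_bio_byte set: corrupt matching writes, map everything else unmodified */`, would make that pass-through read as deliberate. The same applies to the second hunk in flakey_end_io(), where the outer `if (fc->corrupt_bio_byte)` now also catches the case where corrupt_bio_rw is WRITE and thereby skips the `else if` error path; a one-line comment on the outer test would say so. Both functions extend beyond the hunks shown.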
@@ -0,0 +1,54 @@ +From 0813299c586b175d7edb25f56412c54b812d0379 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 26 Jan 2023 12:22:21 +0100 +Subject: ext4: Fix possible corruption when moving a directory + +From: Jan Kara + +commit 0813299c586b175d7edb25f56412c54b812d0379 upstream. + +When we are renaming a directory to a different directory, we need to +update '..' entry in the moved directory. However nothing prevents moved +directory from being modified and even converted from the inline format +to the normal format. When such race happens the rename code gets +confused and we crash. Fix the problem by locking the moved directory. + +CC: stable@vger.kernel.org +Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3854,9 +3854,16 @@ static int ext4_rename(struct inode *old + if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir)) + goto end_rename; + } ++ /* ++ * We need to protect against old.inode directory getting ++ * converted from inline directory format into a normal one. ++ */ ++ inode_lock_nested(old.inode, I_MUTEX_NONDIR2); + retval = ext4_rename_dir_prepare(handle, &old); +- if (retval) ++ if (retval) { ++ inode_unlock(old.inode); + goto end_rename; ++ } + } + /* + * If we're renaming a file within an inline_data dir and adding or +@@ -3952,6 +3959,8 @@ end_rename: + } else { + ext4_journal_stop(handle); + } ++ if (old.dir_bh) ++ inode_unlock(old.inode); + release_bh: + brelse(old.dir_bh); + brelse(old.bh); diff --git a/queue-5.4/ext4-optimize-ea_inode-block-expansion.patch b/queue-5.4/ext4-optimize-ea_inode-block-expansion.patch new file mode 100644 index 00000000000..8003f5f2bdb --- /dev/null 
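Review bot: The unlock added after end_rename is keyed on `old.dir_bh` rather than on whether inode_lock_nested() was taken, while the error branch after ext4_rename_dir_prepare() already calls `inode_unlock(old.inode)` before `goto end_rename`. If ext4_rename_dir_prepare() can return an error after it has filled in old.dir_bh (its body is not part of the hunk), that path reaches the second `inode_unlock(old.inode)` and releases the lock twice. Tracking the lock explicitly removes the coupling: set a local `bool old_dir_locked = true;` next to the lock call, drop the unlock from the error branch, and test `if (old_dir_locked)` at end_rename. ext4_rename() starts and ends outside both hunks.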
+++ b/queue-5.4/ext4-optimize-ea_inode-block-expansion.patch 
@@ -0,0 +1,95 @@ +From 1e9d62d252812575ded7c620d8fc67c32ff06c16 Mon Sep 17 00:00:00 2001 +From: Jun Nie +Date: Tue, 3 Jan 2023 09:45:16 +0800 +Subject: ext4: optimize ea_inode block expansion + +From: Jun Nie + +commit 1e9d62d252812575ded7c620d8fc67c32ff06c16 upstream. + +Copy ea data from inode entry when expanding ea block if possible. +Then remove the ea entry if expansion success. Thus memcpy to a +temporary buffer may be avoided. + +If the expansion fails, we do not need to recovery the removed ea +entry neither in this way. + +Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08 +Link: https://lore.kernel.org/r/20230103014517.495275-2-jun.nie@linaro.org +Cc: stable@kernel.org +Signed-off-by: Jun Nie +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2579,9 +2579,8 @@ static int ext4_xattr_move_to_block(hand + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); + bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS); +- buffer = kvmalloc(value_size, GFP_NOFS); + b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS); +- if (!is || !bs || !buffer || !b_entry_name) { ++ if (!is || !bs || !b_entry_name) { + error = -ENOMEM; + goto out; + } +@@ -2593,12 +2592,18 @@ static int ext4_xattr_move_to_block(hand + + /* Save the entry name and the entry value */ + if (entry->e_value_inum) { ++ buffer = kvmalloc(value_size, GFP_NOFS); ++ if (!buffer) { ++ error = -ENOMEM; ++ goto out; ++ } ++ + error = ext4_xattr_inode_get(inode, entry, buffer, value_size); + if (error) + goto out; + } else { + size_t value_offs = le16_to_cpu(entry->e_value_offs); +- memcpy(buffer, (void *)IFIRST(header) + value_offs, value_size); ++ buffer = (void *)IFIRST(header) + value_offs; + } + + 
memcpy(b_entry_name, entry->e_name, entry->e_name_len); +@@ -2613,25 +2618,26 @@ static int ext4_xattr_move_to_block(hand + if (error) + goto out; + +- /* Remove the chosen entry from the inode */ +- error = ext4_xattr_ibody_set(handle, inode, &i, is); +- if (error) +- goto out; +- + i.value = buffer; + i.value_len = value_size; + error = ext4_xattr_block_find(inode, &i, bs); + if (error) + goto out; + +- /* Add entry which was removed from the inode into the block */ ++ /* Move ea entry from the inode into the block */ + error = ext4_xattr_block_set(handle, inode, &i, bs); + if (error) + goto out; +- error = 0; ++ ++ /* Remove the chosen entry from the inode */ ++ i.value = NULL; ++ i.value_len = 0; ++ error = ext4_xattr_ibody_set(handle, inode, &i, is); ++ + out: + kfree(b_entry_name); +- kvfree(buffer); ++ if (entry->e_value_inum && buffer) ++ kvfree(buffer); + if (is) + brelse(is->iloc.bh); + if (bs) diff --git a/queue-5.4/ext4-refuse-to-create-ea-block-when-umounted.patch b/queue-5.4/ext4-refuse-to-create-ea-block-when-umounted.patch new file mode 100644 index 00000000000..cb9fbe49f1d --- /dev/null +++ b/queue-5.4/ext4-refuse-to-create-ea-block-when-umounted.patch 
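Review bot: At `out:` the free decision `if (entry->e_value_inum && buffer) kvfree(buffer);` re-reads `entry` after ext4_xattr_ibody_set() has been asked to remove that entry from the inode, so the field may no longer describe the entry whose value was copied. If the slot then holds another entry or cleared bytes, the function either leaks the kvmalloc() buffer or passes kvfree() a pointer into the inode body, which is what `buffer = (void *)IFIRST(header) + value_offs` produces in the non-EA-inode case. Latching the decision at allocation time avoids the dependency: declare `bool needs_kvfree = false;`, set it to true right after the successful kvmalloc(), and use `if (needs_kvfree) kvfree(buffer);` at `out:`. ext4_xattr_move_to_block() begins and ends outside the hunks.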
@@ -0,0 +1,40 @@
+From f31173c19901a96bb2ebf6bcfec8a08df7095c91 Mon Sep 17 00:00:00 2001
+From: Jun Nie
+Date: Tue, 3 Jan 2023 09:45:17 +0800
+Subject: ext4: refuse to create ea block when umounted
+
+From: Jun Nie
+
+commit f31173c19901a96bb2ebf6bcfec8a08df7095c91 upstream.
+
+The ea block expansion need to access s_root while it is
+already set as NULL when umount is triggered. Refuse this
+request to avoid panic.
+
+Reported-by: syzbot+2dacb8f015bf1420155f@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=3613786cb88c93aa1c6a279b1df6a7b201347d08
+Link: https://lore.kernel.org/r/20230103014517.495275-3-jun.nie@linaro.org
+Cc: stable@kernel.org
+Signed-off-by: Jun Nie
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/xattr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1432,6 +1432,13 @@ static struct inode *ext4_xattr_inode_cr
+ uid_t owner[2] = { i_uid_read(inode), i_gid_read(inode) };
+ int err;
+
++ if (inode->i_sb->s_root == NULL) {
++ ext4_warning(inode->i_sb,
++ "refuse to create EA inode when umounting");
++ WARN_ON(1);
++ return ERR_PTR(-EINVAL);
++ }
++
+ /*
+ * Let the next inode be the goal, so we try and allocate the EA inode
+ * in the same group, or nearby one.
diff --git a/queue-5.4/ktest.pl-add-run_timeout-option-with-default-unlimited.patch b/queue-5.4/ktest.pl-add-run_timeout-option-with-default-unlimited.patch
new file mode 100644
index 00000000000..7378cad15e9
--- /dev/null
+++ b/queue-5.4/ktest.pl-add-run_timeout-option-with-default-unlimited.patch
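Review bot: `WARN_ON(1)` in the new s_root check of ext4_xattr_inode_create() fires on a path the commit text says syzbot reached, so on a system running with panic_on_warn the condition still brings the machine down instead of only failing the request. The `ext4_warning()` call above it already records the event; dropping the `WARN_ON(1);` line keeps the refusal without leaving a warning that the reported sequence can trigger on demand. A short comment stating why `s_root == NULL` is taken to mean an unmount in progress would also help, since the check itself does not say so. The function continues past the hunk.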
@@ -0,0 +1,108 @@ +From 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 16:37:25 -0500 +Subject: ktest.pl: Add RUN_TIMEOUT option with default unlimited + +From: Steven Rostedt + +commit 4e7d2a8f0b52abf23b1dc13b3d88bc0923383cd5 upstream. + +There is a disconnect between the run_command function and the +wait_for_input. The wait_for_input has a default timeout of 2 minutes. But +if that happens, the run_command loop will exit out to the waitpid() of +the executing command. This fails in that it no longer monitors the +command, and also, the ssh to the test box can hang when its finished, as +it's waiting for the pipe it's writing to to flush, but the loop that +reads that pipe has already exited, leaving the command stuck, and the +test hangs. + +Instead, make the default "wait_for_input" of the run_command infinite, +and allow the user to override it if they want with a default timeout +option "RUN_TIMEOUT". + +But this fixes the hang that happens when the pipe is full and the ssh +session never exits. 
+ +Cc: stable@vger.kernel.org +Fixes: 6e98d1b4415fe ("ktest: Add timeout to ssh command") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 20 ++++++++++++++++---- + tools/testing/ktest/sample.conf | 5 +++++ + 2 files changed, 21 insertions(+), 4 deletions(-) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -174,6 +174,7 @@ my $store_failures; + my $store_successes; + my $test_name; + my $timeout; ++my $run_timeout; + my $connect_timeout; + my $config_bisect_exec; + my $booted_timeout; +@@ -333,6 +334,7 @@ my %option_map = ( + "STORE_SUCCESSES" => \$store_successes, + "TEST_NAME" => \$test_name, + "TIMEOUT" => \$timeout, ++ "RUN_TIMEOUT" => \$run_timeout, + "CONNECT_TIMEOUT" => \$connect_timeout, + "CONFIG_BISECT_EXEC" => \$config_bisect_exec, + "BOOTED_TIMEOUT" => \$booted_timeout, +@@ -1766,6 +1768,14 @@ sub run_command { + $command =~ s/\$SSH_USER/$ssh_user/g; + $command =~ s/\$MACHINE/$machine/g; + ++ if (!defined($timeout)) { ++ $timeout = $run_timeout; ++ } ++ ++ if (!defined($timeout)) { ++ $timeout = -1; # tell wait_for_input to wait indefinitely ++ } ++ + doprint("$command ... 
"); + $start_time = time; + +@@ -1794,13 +1804,10 @@ sub run_command { + + while (1) { + my $fp = \*CMD; +- if (defined($timeout)) { +- doprint "timeout = $timeout\n"; +- } + my $line = wait_for_input($fp, $timeout); + if (!defined($line)) { + my $now = time; +- if (defined($timeout) && (($now - $start_time) >= $timeout)) { ++ if ($timeout >= 0 && (($now - $start_time) >= $timeout)) { + doprint "Hit timeout of $timeout, killing process\n"; + $hit_timeout = 1; + kill 9, $pid; +@@ -1974,6 +1981,11 @@ sub wait_for_input + $time = $timeout; + } + ++ if ($time < 0) { ++ # Negative number means wait indefinitely ++ undef $time; ++ } ++ + $rin = ''; + vec($rin, fileno($fp), 1) = 1; + vec($rin, fileno(\*STDIN), 1) = 1; +--- a/tools/testing/ktest/sample.conf ++++ b/tools/testing/ktest/sample.conf +@@ -791,6 +791,11 @@ + # is issued instead of a reboot. + # CONNECT_TIMEOUT = 25 + ++# The timeout in seconds for how long to wait for any running command ++# to timeout. If not defined, it will let it go indefinitely. ++# (default undefined) ++#RUN_TIMEOUT = 600 ++ + # In between tests, a reboot of the box may occur, and this + # is the time to wait for the console after it stops producing + # output. Some machines may not produce a large lag on reboot diff --git a/queue-5.4/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch b/queue-5.4/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch new file mode 100644 index 00000000000..42be8ec9edf --- /dev/null +++ b/queue-5.4/ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch 
@@ -0,0 +1,38 @@ +From e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 11:31:25 -0500 +Subject: ktest.pl: Fix missing "end_monitor" when machine check fails + +From: Steven Rostedt + +commit e8bf9b98d40dbdf4e39362e3b85a70c61da68cb7 upstream. + +In the "reboot" command, it does a check of the machine to see if it is +still alive with a simple "ssh echo" command. If it fails, it will assume +that a normal "ssh reboot" is not possible and force a power cycle. + +In this case, the "start_monitor" is executed, but the "end_monitor" is +not, and this causes the screen will not be given back to the console. That +is, after the test, a "reset" command needs to be performed, as "echo" is +turned off. + +Cc: stable@vger.kernel.org +Fixes: 6474ace999edd ("ktest.pl: Powercycle the box on reboot if no connection can be made") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -1422,7 +1422,8 @@ sub reboot { + + # Still need to wait for the reboot to finish + wait_for_monitor($time, $reboot_success_line); +- ++ } ++ if ($powercycle || $time) { + end_monitor; + } + } diff --git a/queue-5.4/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch b/queue-5.4/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch new file mode 100644 index 00000000000..eeedc3ab46e --- /dev/null +++ b/queue-5.4/ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch 
@@ -0,0 +1,36 @@ +From 83d29d439cd3ef23041570d55841f814af2ecac0 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 18 Jan 2023 16:32:13 -0500 +Subject: ktest.pl: Give back console on Ctrt^C on monitor + +From: Steven Rostedt + +commit 83d29d439cd3ef23041570d55841f814af2ecac0 upstream. + +When monitoring the console output, the stdout is being redirected to do +so. If Ctrl^C is hit during this mode, the stdout is not back to the +console, the user does not see anything they type (no echo). + +Add "end_monitor" to the SIGINT interrupt handler to give back the console +on Ctrl^C. + +Cc: stable@vger.kernel.org +Fixes: 9f2cdcbbb90e7 ("ktest: Give console process a dedicated tty") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/ktest.pl | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -4228,6 +4228,9 @@ sub send_email { + } + + sub cancel_test { ++ if ($monitor_cnt) { ++ end_monitor; ++ } + if ($email_when_canceled) { + my $name = get_test_name; + send_email("KTEST: Your [$name] test was cancelled", diff --git a/queue-5.4/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch b/queue-5.4/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch new file mode 100644 index 00000000000..76affc42aba --- /dev/null +++ b/queue-5.4/media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch 
@@ -0,0 +1,34 @@
+From 909d3096ac99fa2289f9b8945a3eab2269947a0a Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Wed, 21 Dec 2022 09:30:11 +0100
+Subject: media: ipu3-cio2: Fix PM runtime usage_count in driver unbind
+
+From: Sakari Ailus
+
+commit 909d3096ac99fa2289f9b8945a3eab2269947a0a upstream.
+
+Get the PM runtime usage_count and forbid PM runtime at driver unbind. The
+opposite is being done in probe() already.
+
+Fixes: commit c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver")
+Cc: stable@vger.kernel.org # for >= 4.16
+Signed-off-by: Sakari Ailus
+Reviewed-by: Bingbu Cao
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/intel/ipu3/ipu3-cio2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c
++++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c
+@@ -1871,6 +1871,9 @@ static void cio2_pci_remove(struct pci_d
+ v4l2_device_unregister(&cio2->v4l2_dev);
+ media_device_cleanup(&cio2->media_dev);
+ mutex_destroy(&cio2->lock);
++
++ pm_runtime_forbid(&pci_dev->dev);
++ pm_runtime_get_noresume(&pci_dev->dev);
+ }
+
+ static int __maybe_unused cio2_runtime_suspend(struct device *dev)
diff --git a/queue-5.4/mips-fix-syscall_get_nr.patch b/queue-5.4/mips-fix-syscall_get_nr.patch
new file mode 100644
index 00000000000..199261508c2
--- /dev/null
+++ b/queue-5.4/mips-fix-syscall_get_nr.patch
@@ -0,0 +1,39 @@
+From 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d Mon Sep 17 00:00:00 2001
+From: Elvira Khabirova
+Date: Sat, 18 Feb 2023 23:43:59 +0100
+Subject: mips: fix syscall_get_nr
+
+From: Elvira Khabirova
+
+commit 85cc91e2ba4262a602ec65e2b76c4391a9e60d3d upstream.
+
+The implementation of syscall_get_nr on mips used to ignore the task
+argument and return the syscall number of the calling thread instead of
+the target thread.
+
+The bug was exposed to user space by commit 201766a20e30f ("ptrace: add
+PTRACE_GET_SYSCALL_INFO request") and detected by strace test suite.
+
+Link: https://github.com/strace/strace/issues/235
+Fixes: c2d9f1775731 ("MIPS: Fix syscall_get_nr for the syscall exit tracing.")
+Cc: # v3.19+
+Co-developed-by: Dmitry V. Levin
+Signed-off-by: Dmitry V. Levin
+Signed-off-by: Elvira Khabirova
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/include/asm/syscall.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/syscall.h
++++ b/arch/mips/include/asm/syscall.h
+@@ -38,7 +38,7 @@ static inline bool mips_syscall_is_indir
+ static inline long syscall_get_nr(struct task_struct *task,
+ struct pt_regs *regs)
+ {
+- return current_thread_info()->syscall;
++ return task_thread_info(task)->syscall;
+ }
+
+ static inline void mips_syscall_update_nr(struct task_struct *task,
diff --git a/queue-5.4/mm-memcontrol-deprecate-charge-moving.patch b/queue-5.4/mm-memcontrol-deprecate-charge-moving.patch
new file mode 100644
index 00000000000..d6ef6b5c60b
--- /dev/null
+++ b/queue-5.4/mm-memcontrol-deprecate-charge-moving.patch
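Review bot: syscall_get_nr() now returns `task_thread_info(task)->syscall` for a task that may not be `current`, and the function carries no statement of what keeps that field stable while it is read. The read is unlocked, so the value is only meaningful while the target is stopped, as in the PTRACE_GET_SYSCALL_INFO case the message describes. A comment such as `/* task may differ from current; the caller must ensure it is stopped */` would record that contract for every caller that inspects another task. The `regs` parameter remains unused, which deserves a word in the same comment.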
@@ -0,0 +1,100 @@ +From da34a8484d162585e22ed8c1e4114aa2f60e3567 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Wed, 7 Dec 2022 14:00:39 +0100 +Subject: mm: memcontrol: deprecate charge moving + +From: Johannes Weiner + +commit da34a8484d162585e22ed8c1e4114aa2f60e3567 upstream. + +Charge moving mode in cgroup1 allows memory to follow tasks as they +migrate between cgroups. This is, and always has been, a questionable +thing to do - for several reasons. + +First, it's expensive. Pages need to be identified, locked and isolated +from various MM operations, and reassigned, one by one. + +Second, it's unreliable. Once pages are charged to a cgroup, there isn't +always a clear owner task anymore. Cache isn't moved at all, for example. +Mapped memory is moved - but if trylocking or isolating a page fails, +it's arbitrarily left behind. Frequent moving between domains may leave a +task's memory scattered all over the place. + +Third, it isn't really needed. Launcher tasks can kick off workload tasks +directly in their target cgroup. Using dedicated per-workload groups +allows fine-grained policy adjustments - no need to move tasks and their +physical pages between control domains. The feature was never +forward-ported to cgroup2, and it hasn't been missed. + +Despite it being a niche usecase, the maintenance overhead of supporting +it is enormous. Because pages are moved while they are live and subject +to various MM operations, the synchronization rules are complicated. +There are lock_page_memcg() in MM and FS code, which non-cgroup people +don't understand. In some cases we've been able to shift code and cgroup +API calls around such that we can rely on native locking as much as +possible. But that's fragile, and sometimes we need to hold MM locks for +longer than we otherwise would (pte lock e.g.). + +Mark the feature deprecated. Hopefully we can remove it soon. 
+ +And backport into -stable kernels so that people who develop against +earlier kernels are warned about this deprecation as early as possible. + +[akpm@linux-foundation.org: fix memory.rst underlining] +Link: https://lkml.kernel.org/r/Y5COd+qXwk/S+n8N@cmpxchg.org +Signed-off-by: Johannes Weiner +Acked-by: Shakeel Butt +Acked-by: Hugh Dickins +Acked-by: Michal Hocko +Cc: Muchun Song +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/cgroup-v1/memory.rst | 13 +++++++++++-- + mm/memcontrol.c | 4 ++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +--- a/Documentation/admin-guide/cgroup-v1/memory.rst ++++ b/Documentation/admin-guide/cgroup-v1/memory.rst +@@ -82,6 +82,8 @@ Brief summary of control files. + memory.swappiness set/show swappiness parameter of vmscan + (See sysctl's vm.swappiness) + memory.move_charge_at_immigrate set/show controls of moving charges ++ This knob is deprecated and shouldn't be ++ used. + memory.oom_control set/show oom controls. + memory.numa_stat show the number of memory usage per numa + node +@@ -745,8 +747,15 @@ NOTE2: + It is recommended to set the soft limit always below the hard limit, + otherwise the hard limit will take precedence. + +-8. Move charges at task migration +-================================= ++8. Move charges at task migration (DEPRECATED!) ++=============================================== ++ ++THIS IS DEPRECATED! ++ ++It's expensive and unreliable! It's better practice to launch workload ++tasks directly from inside their target cgroup. Use dedicated workload ++cgroups to allow fine-grained policy adjustments without having to ++move physical pages between control domains. + + Users can move charges associated with a task along with task migration, that + is, uncharge task's pages from the old cgroup and charge them to the new cgroup. 
+--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3775,6 +3775,10 @@ static int mem_cgroup_move_charge_write( + { + struct mem_cgroup *memcg = mem_cgroup_from_css(css); + ++ pr_warn_once("Cgroup memory moving (move_charge_at_immigrate) is deprecated. " ++ "Please report your usecase to linux-mm@kvack.org if you " ++ "depend on this functionality.\n"); ++ + if (val & ~MOVE_MASK) + return -EINVAL; + diff --git a/queue-5.4/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch b/queue-5.4/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch new file mode 100644 index 00000000000..c6cbe8fbff2 --- /dev/null +++ b/queue-5.4/mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch 
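Review bot: In mem_cgroup_move_charge_write() the new pr_warn_once() runs before the `val & ~MOVE_MASK` check and for every value, so a write of 0 (switching charge moving off) or a write that is then rejected with -EINVAL already counts as use of the deprecated knob. Because the message is printed only once, that first harmless write also suppresses the warning for any later real use. Warning only for an accepted non-zero value keeps the signal meaningful: move the call below the `return -EINVAL;` and guard it with `if (val)`. The rest of the function is outside the hunk.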
@@ -0,0 +1,91 @@ +From 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 Mon Sep 17 00:00:00 2001 +From: Yin Fengwei +Date: Fri, 23 Dec 2022 21:52:07 +0800 +Subject: mm/thp: check and bail out if page in deferred queue already + +From: Yin Fengwei + +commit 81e506bec9be1eceaf5a2c654e28ba5176ef48d8 upstream. + +Kernel build regression with LLVM was reported here: +https://lore.kernel.org/all/Y1GCYXGtEVZbcv%2F5@dev-arch.thelio-3990X/ with +commit f35b5d7d676e ("mm: align larger anonymous mappings on THP +boundaries"). And the commit f35b5d7d676e was reverted. + +It turned out the regression is related with madvise(MADV_DONTNEED) +was used by ld.lld. But with none PMD_SIZE aligned parameter len. +trace-bpfcc captured: +531607 531732 ld.lld do_madvise.part.0 start: 0x7feca9000000, len: 0x7fb000, behavior: 0x4 +531607 531793 ld.lld do_madvise.part.0 start: 0x7fec86a00000, len: 0x7fb000, behavior: 0x4 + +If the underneath physical page is THP, the madvise(MADV_DONTNEED) can +trigger split_queue_lock contention raised significantly. perf showed +following data: + 14.85% 0.00% ld.lld [kernel.kallsyms] [k] + entry_SYSCALL_64_after_hwframe + 11.52% + entry_SYSCALL_64_after_hwframe + do_syscall_64 + __x64_sys_madvise + do_madvise.part.0 + zap_page_range + unmap_single_vma + unmap_page_range + page_remove_rmap + deferred_split_huge_page + __lock_text_start + native_queued_spin_lock_slowpath + +If THP can't be removed from rmap as whole THP, partial THP will be +removed from rmap by removing sub-pages from rmap. Even the THP head page +is added to deferred queue already, the split_queue_lock will be acquired +and check whether the THP head page is in the queue already. Thus, the +contention of split_queue_lock is raised. + +Before acquire split_queue_lock, check and bail out early if the THP +head page is in the queue already. The checking without holding +split_queue_lock could race with deferred_split_scan, but it doesn't +impact the correctness here. 
+ +Test result of building kernel with ld.lld: +commit 7b5a0b664ebe (parent commit of f35b5d7d676e): +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 6:07.99 real, 26367.77 user, 5063.35 sys + +commit f35b5d7d676e: +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 7:22.15 real, 26235.03 user, 12504.55 sys + +commit f35b5d7d676e with the fixing patch: +time -f "\t%E real,\t%U user,\t%S sys" make LD=ld.lld -skj96 allmodconfig all + 6:08.49 real, 26520.15 user, 5047.91 sys + +Link: https://lkml.kernel.org/r/20221223135207.2275317-1-fengwei.yin@intel.com +Signed-off-by: Yin Fengwei +Tested-by: Nathan Chancellor +Acked-by: David Rientjes +Reviewed-by: "Huang, Ying" +Cc: Feng Tang +Cc: Matthew Wilcox +Cc: Rik van Riel +Cc: Xing Zhengjun +Cc: Yang Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2912,6 +2912,9 @@ void deferred_split_huge_page(struct pag + if (PageSwapCache(page)) + return; + ++ if (!list_empty(page_deferred_list(page))) ++ return; ++ + spin_lock_irqsave(&ds_queue->split_queue_lock, flags); + if (list_empty(page_deferred_list(page))) { + count_vm_event(THP_DEFERRED_SPLIT_PAGE); diff --git a/queue-5.4/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch b/queue-5.4/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch new file mode 100644 index 00000000000..ce52dff94e1 --- /dev/null +++ b/queue-5.4/rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch 
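Review bot: The added `if (!list_empty(page_deferred_list(page))) return;` in deferred_split_huge_page() reads the list head without split_queue_lock, and the argument for why that is acceptable exists only in the commit message. Put it beside the code, e.g. `/* Lockless peek; may race with deferred_split_scan(), the locked list_empty() below decides. */`, so a later reader neither "fixes" it nor copies the pattern to a place where the race matters. The locked check only corrects a stale "empty" answer; a stale "queued" answer returns early and the page is not queued again, which the message treats as harmless. The function starts and ends outside the hunk.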
@@ -0,0 +1,94 @@ +From f7c4d9b133c7a04ca619355574e96b6abf209fba Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Fri, 24 Feb 2023 18:48:54 +0100 +Subject: rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails + +From: Ilya Dryomov + +commit f7c4d9b133c7a04ca619355574e96b6abf209fba upstream. + +If getting an ID or setting up a work queue in rbd_dev_create() fails, +use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts +is triggered in do_rbd_add(). The root cause is that the ownership of +these structures is transfered to rbd_dev prematurely and they all end +up getting freed when rbd_dev_create() calls rbd_dev_free() prior to +returning to do_rbd_add(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE, an +incomplete patch submitted by Natalia Petrova . + +Cc: stable@vger.kernel.org +Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue") +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/rbd.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -5529,8 +5529,7 @@ static void rbd_dev_release(struct devic + module_put(THIS_MODULE); + } + +-static struct rbd_device *__rbd_dev_create(struct rbd_client *rbdc, +- struct rbd_spec *spec) ++static struct rbd_device *__rbd_dev_create(struct rbd_spec *spec) + { + struct rbd_device *rbd_dev; + +@@ -5575,9 +5574,6 @@ static struct rbd_device *__rbd_dev_crea + rbd_dev->dev.parent = &rbd_root_dev; + device_initialize(&rbd_dev->dev); + +- rbd_dev->rbd_client = rbdc; +- rbd_dev->spec = spec; +- + return rbd_dev; + } + +@@ -5590,12 +5586,10 @@ static struct rbd_device *rbd_dev_create + { + struct rbd_device *rbd_dev; + +- rbd_dev = __rbd_dev_create(rbdc, spec); ++ rbd_dev = __rbd_dev_create(spec); + if (!rbd_dev) + return NULL; + +- rbd_dev->opts = opts; +- + /* get an id and fill in device name */ + rbd_dev->dev_id = 
ida_simple_get(&rbd_dev_id_ida, 0, + minor_to_rbd_dev_id(1 << MINORBITS), +@@ -5612,6 +5606,10 @@ static struct rbd_device *rbd_dev_create + /* we have a ref from do_rbd_add() */ + __module_get(THIS_MODULE); + ++ rbd_dev->rbd_client = rbdc; ++ rbd_dev->spec = spec; ++ rbd_dev->opts = opts; ++ + dout("%s rbd_dev %p dev_id %d\n", __func__, rbd_dev, rbd_dev->dev_id); + return rbd_dev; + +@@ -6827,7 +6825,7 @@ static int rbd_dev_probe_parent(struct r + goto out_err; + } + +- parent = __rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec); ++ parent = __rbd_dev_create(rbd_dev->parent_spec); + if (!parent) { + ret = -ENOMEM; + goto out_err; +@@ -6837,8 +6835,8 @@ static int rbd_dev_probe_parent(struct r + * Images related by parent/child relationships always share + * rbd_client and spec/parent_spec, so bump their refcounts. + */ +- __rbd_get_client(rbd_dev->rbd_client); +- rbd_spec_get(rbd_dev->parent_spec); ++ parent->rbd_client = __rbd_get_client(rbd_dev->rbd_client); ++ parent->spec = rbd_spec_get(rbd_dev->parent_spec); + + ret = rbd_dev_image_probe(parent, depth); + if (ret < 0) diff --git a/queue-5.4/scsi-core-remove-the-proc-scsi-proc_name-directory-earlier.patch b/queue-5.4/scsi-core-remove-the-proc-scsi-proc_name-directory-earlier.patch new file mode 100644 index 00000000000..cbfe1da88f3 --- /dev/null +++ b/queue-5.4/scsi-core-remove-the-proc-scsi-proc_name-directory-earlier.patch 
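Review bot: With the three assignments moved to the end of rbd_dev_create(), its failure paths now release an rbd_dev whose rbd_client, spec and opts are still NULL, so the release code (rbd_dev_free(), not visible here) must accept NULL for all three; that should be confirmed against the 5.4 tree since this is a backport. The ownership rule the fix relies on is not written down in the code: add `/* rbdc, spec and opts belong to rbd_dev only from here on; every failure above leaves them with the caller */` above the assignments. `__rbd_dev_create()` still takes `spec` although it no longer stores it, so a one-line comment on what it reads from spec would prevent someone re-adding the assignment. The function bodies continue outside the hunks.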
@@ -0,0 +1,74 @@ +From fc663711b94468f4e1427ebe289c9f05669699c9 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 10 Feb 2023 12:52:00 -0800 +Subject: scsi: core: Remove the /proc/scsi/${proc_name} directory earlier + +From: Bart Van Assche + +commit fc663711b94468f4e1427ebe289c9f05669699c9 upstream. + +Remove the /proc/scsi/${proc_name} directory earlier to fix a race +condition between unloading and reloading kernel modules. This fixes a bug +introduced in 2009 by commit 77c019768f06 ("[SCSI] fix /proc memory leak in +the SCSI core"). + +Fix the following kernel warning: + +proc_dir_entry 'scsi/scsi_debug' already registered +WARNING: CPU: 19 PID: 27986 at fs/proc/generic.c:376 proc_register+0x27d/0x2e0 +Call Trace: + proc_mkdir+0xb5/0xe0 + scsi_proc_hostdir_add+0xb5/0x170 + scsi_host_alloc+0x683/0x6c0 + sdebug_driver_probe+0x6b/0x2d0 [scsi_debug] + really_probe+0x159/0x540 + __driver_probe_device+0xdc/0x230 + driver_probe_device+0x4f/0x120 + __device_attach_driver+0xef/0x180 + bus_for_each_drv+0xe5/0x130 + __device_attach+0x127/0x290 + device_initial_probe+0x17/0x20 + bus_probe_device+0x110/0x130 + device_add+0x673/0xc80 + device_register+0x1e/0x30 + sdebug_add_host_helper+0x1a7/0x3b0 [scsi_debug] + scsi_debug_init+0x64f/0x1000 [scsi_debug] + do_one_initcall+0xd7/0x470 + do_init_module+0xe7/0x330 + load_module+0x122a/0x12c0 + __do_sys_finit_module+0x124/0x1a0 + __x64_sys_finit_module+0x46/0x50 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Link: https://lore.kernel.org/r/20230210205200.36973-3-bvanassche@acm.org +Cc: Alan Stern +Cc: Yi Zhang +Cc: stable@vger.kernel.org +Fixes: 77c019768f06 ("[SCSI] fix /proc memory leak in the SCSI core") +Reported-by: Yi Zhang +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/hosts.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -179,6 +179,7 @@ void scsi_remove_host(struct Scsi_Host * + scsi_forget_host(shost); + mutex_unlock(&shost->scan_mutex); + scsi_proc_host_rm(shost); ++ scsi_proc_hostdir_rm(shost->hostt); + + spin_lock_irqsave(shost->host_lock, flags); + if (scsi_host_set_state(shost, SHOST_DEL)) +@@ -318,6 +319,7 @@ static void scsi_host_dev_release(struct + struct Scsi_Host *shost = dev_to_shost(dev); + struct device *parent = dev->parent; + ++ /* In case scsi_remove_host() has not been called. */ + scsi_proc_hostdir_rm(shost->hostt); + + /* Wait for functions invoked through call_rcu(&shost->rcu, ...) */ diff --git a/queue-5.4/scsi-qla2xxx-fix-dma-api-call-trace-on-nvme-ls-requests.patch b/queue-5.4/scsi-qla2xxx-fix-dma-api-call-trace-on-nvme-ls-requests.patch new file mode 100644 index 00000000000..cc78e26c774 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-dma-api-call-trace-on-nvme-ls-requests.patch 
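Review bot: scsi_proc_hostdir_rm(shost->hostt) is now called from scsi_remove_host() and, still unconditionally, from scsi_host_dev_release(), so a host that is removed normally runs it twice. The argument is the shared host template rather than the host; if the helper (not visible here) keeps a per-template use count, the second call would drop it on behalf of another host of the same driver and could remove /proc/scsi/${proc_name} while that host is still registered. The new comment says the release-side call covers the case where scsi_remove_host() was not called, so the code should test for that, for instance `if (shost->shost_state == SHOST_CREATED) scsi_proc_hostdir_rm(shost->hostt);`; the exact condition needs checking against the host state machine. Both functions continue outside the hunks.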
@@ -0,0 +1,87 @@ +From c75e6aef5039830cce5d4cf764dd204522f89e6b Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Mon, 19 Dec 2022 03:07:40 -0800 +Subject: scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests + +From: Arun Easi + +commit c75e6aef5039830cce5d4cf764dd204522f89e6b upstream. + +The following message and call trace was seen with debug kernels: + +DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map +error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as +single] +WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017 + check_unmap+0xf42/0x1990 + +Call Trace: + debug_dma_unmap_page+0xc9/0x100 + qla_nvme_ls_unmap+0x141/0x210 [qla2xxx] + +Remove DMA mapping from the driver altogether, as it is already done by FC +layer. This prevents the warning. + +Fixes: c85ab7d9e27a ("scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests") +Cc: stable@vger.kernel.org +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_nvme.c | 19 +------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -152,18 +152,6 @@ out: + qla2xxx_rel_qpair_sp(sp->qpair, sp); + } + +-static void qla_nvme_ls_unmap(struct srb *sp, struct nvmefc_ls_req *fd) +-{ +- if (sp->flags & SRB_DMA_VALID) { +- struct srb_iocb *nvme = &sp->u.iocb_cmd; +- struct qla_hw_data *ha = sp->fcport->vha->hw; +- +- dma_unmap_single(&ha->pdev->dev, nvme->u.nvme.cmd_dma, +- fd->rqstlen, DMA_TO_DEVICE); +- sp->flags &= ~SRB_DMA_VALID; +- } +-} +- + static void qla_nvme_release_ls_cmd_kref(struct kref *kref) + { + struct srb *sp = container_of(kref, struct srb, cmd_kref); +@@ -181,7 +169,6 @@ static void qla_nvme_release_ls_cmd_kref + + fd = priv->fd; + +- qla_nvme_ls_unmap(sp, fd); + fd->done(fd, priv->comp_status); + out: + qla2x00_rel_sp(sp); +@@ -323,13 +310,10 @@ static int qla_nvme_ls_req(struct nvme_f + nvme->u.nvme.rsp_len = fd->rsplen; + nvme->u.nvme.rsp_dma = fd->rspdma; + nvme->u.nvme.timeout_sec = fd->timeout; +- nvme->u.nvme.cmd_dma = dma_map_single(&ha->pdev->dev, fd->rqstaddr, +- fd->rqstlen, DMA_TO_DEVICE); ++ nvme->u.nvme.cmd_dma = fd->rqstdma; + dma_sync_single_for_device(&ha->pdev->dev, nvme->u.nvme.cmd_dma, + fd->rqstlen, DMA_TO_DEVICE); + +- sp->flags |= SRB_DMA_VALID; +- + rval = qla2x00_start_sp(sp); + if (rval != QLA_SUCCESS) { + ql_log(ql_log_warn, vha, 0x700e, +@@ -337,7 +321,6 @@ static int qla_nvme_ls_req(struct nvme_f + wake_up(&sp->nvme_ls_waitq); + sp->priv = NULL; + priv->sp = NULL; +- qla_nvme_ls_unmap(sp, fd); + qla2x00_rel_sp(sp); + return rval; + } diff --git a/queue-5.4/scsi-qla2xxx-fix-erroneous-link-down.patch b/queue-5.4/scsi-qla2xxx-fix-erroneous-link-down.patch new file mode 100644 index 00000000000..39b332208ef --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-erroneous-link-down.patch 
@@ -0,0 +1,50 @@
+From 3fbc74feb642deb688cc97f76d40b7287ddd4cb1 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Mon, 19 Dec 2022 03:07:45 -0800
+Subject: scsi: qla2xxx: Fix erroneous link down
+
+From: Quinn Tran
+
+commit 3fbc74feb642deb688cc97f76d40b7287ddd4cb1 upstream.
+
+If after an adapter reset the appearance of link is not recovered, the
+devices are not rediscovered. This is result of a race condition between
+adapter reset (abort_isp) and the topology scan. During adapter reset, the
+ABORT_ISP_ACTIVE flag is set. Topology scan usually occurred after adapter
+reset. In this case, the topology scan came earlier than usual where it
+ran into problem due to ABORT_ISP_ACTIVE flag was still set.
+
+kernel: qla2xxx [0000:13:00.0]-1005:1: Cmd 0x6a aborted with timeout since ISP Abort is pending
+kernel: qla2xxx [0000:13:00.0]-28a0:1: MBX_GET_PORT_NAME failed, No FL Port.
+kernel: qla2xxx [0000:13:00.0]-286b:1: qla2x00_configure_loop: exiting normally. local port wwpn 51402ec0123d9a80 id 012300)
+kernel: qla2xxx [0000:13:00.0]-8017:1: ADAPTER RESET SUCCEEDED nexus=1:0:15.
+
+Allow adapter reset to complete before any scan can start.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_os.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -6361,9 +6361,12 @@ qla2x00_do_dpc(void *data)
+ }
+ }
+ loop_resync_check:
+- if (test_and_clear_bit(LOOP_RESYNC_NEEDED,
++ if (!qla2x00_reset_active(base_vha) &&
++ test_and_clear_bit(LOOP_RESYNC_NEEDED,
+ &base_vha->dpc_flags)) {
+-
++ /*
++ * Allow abort_isp to complete before moving on to scanning.
++ */
+ ql_dbg(ql_dbg_dpc, base_vha, 0x400f,
+ "Loop resync scheduled.\n");
+
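Review bot: The fix depends on `!qla2x00_reset_active(base_vha)` being evaluated before `test_and_clear_bit(LOOP_RESYNC_NEEDED, ...)`, so that the flag stays set while a reset is in progress, but the added comment sits inside the block and does not say so. Move it above the `if` and name the ordering, e.g. `/* Check reset first: LOOP_RESYNC_NEEDED must stay set until abort_isp completes. */`; otherwise a later swap of the operands silently drops the resync. Nothing in the hunk shows what wakes the DPC thread again once the reset ends, so it is worth confirming that the deferred resync is picked up. qla2x00_do_dpc() starts and ends outside the hunk.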
diff --git a/queue-5.4/scsi-qla2xxx-fix-link-failure-in-npiv-environment.patch b/queue-5.4/scsi-qla2xxx-fix-link-failure-in-npiv-environment.patch
new file mode 100644
index 00000000000..bebef672991
--- /dev/null
+++ b/queue-5.4/scsi-qla2xxx-fix-link-failure-in-npiv-environment.patch
@@ -0,0 +1,43 @@
+From b1ae65c082f74536ec292b15766f2846f0238373 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Mon, 19 Dec 2022 03:07:39 -0800
+Subject: scsi: qla2xxx: Fix link failure in NPIV environment
+
+From: Quinn Tran
+
+commit b1ae65c082f74536ec292b15766f2846f0238373 upstream.
+
+User experienced symptoms of adapter failure in NPIV environment. NPIV
+hosts were allowed to trigger chip reset back to back due to NPIV link
+state being slow to come online.
+
+Fix link failure in NPIV environment by removing NPIV host from directly
+being able to perform chip reset.
+
+ kernel: qla2xxx [0000:04:00.1]-6009:261: Loop down - aborting ISP.
+ kernel: qla2xxx [0000:04:00.1]-6009:262: Loop down - aborting ISP.
+ kernel: qla2xxx [0000:04:00.1]-6009:281: Loop down - aborting ISP.
+ kernel: qla2xxx [0000:04:00.1]-6009:285: Loop down - aborting ISP
+
+Fixes: 0d6e61bc6a4f ("[SCSI] qla2xxx: Correct various NPIV issues.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -6607,7 +6607,7 @@ qla2x00_timer(struct timer_list *t)
+
+ /* if the loop has been down for 4 minutes, reinit adapter */
+ if (atomic_dec_and_test(&vha->loop_down_timer) != 0) {
+- if (!(vha->device_flags & DFLG_NO_CABLE)) {
++ if (!(vha->device_flags & DFLG_NO_CABLE) && !vha->vp_idx) {
+ ql_log(ql_log_warn, vha, 0x6009,
+ "Loop down - aborting ISP.\n");
+
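Review bot: The comment above the changed test in qla2x00_timer() still says the adapter is reinitialised after four minutes of loop down, which with the added `&& !vha->vp_idx` now holds only for the physical port. For a virtual port the timer has already reached zero through atomic_dec_and_test() and nothing is logged, so the condition disappears from the log. Update the comment, e.g. `/* loop down for 4 minutes: reinit adapter (physical port only; a vport must not reset the shared chip) */`, and consider a debug-level message for the skipped case. The function continues outside the hunk.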
diff --git a/queue-5.4/series b/queue-5.4/series
index 58d38abb8fb..4517f79e6af 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -248,3 +248,29 @@ ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch
 irqdomain-fix-association-race.patch
 irqdomain-fix-disassociation-race.patch
 irqdomain-drop-bogus-fwspec-mapping-error-handling.patch
+alsa-ice1712-do-not-left-ice-gpio_mutex-locked-in-aureon_add_controls.patch
+alsa-hda-realtek-add-quirk-for-hp-elitedesk-800-g6-tower-pc.patch
+ext4-optimize-ea_inode-block-expansion.patch
+ext4-refuse-to-create-ea-block-when-umounted.patch
+ext4-fix-possible-corruption-when-moving-a-directory.patch
+wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch
+wifi-cfg80211-fix-use-after-free-for-wext.patch
+thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch
+dm-flakey-fix-logic-when-corrupting-a-bio.patch
+dm-flakey-don-t-corrupt-the-zero-page.patch
+dm-flakey-fix-a-bug-with-32-bit-highmem-systems.patch
+arm-dts-exynos-correct-tmu-phandle-in-exynos4.patch
+arm-dts-exynos-correct-tmu-phandle-in-odroid-xu.patch
+rbd-avoid-use-after-free-in-do_rbd_add-when-rbd_dev_create-fails.patch
+alpha-fix-fen-fault-handling.patch
+mips-fix-syscall_get_nr.patch
+media-ipu3-cio2-fix-pm-runtime-usage_count-in-driver-unbind.patch
+mm-memcontrol-deprecate-charge-moving.patch
+mm-thp-check-and-bail-out-if-page-in-deferred-queue-already.patch
+ktest.pl-give-back-console-on-ctrt-c-on-monitor.patch
+ktest.pl-fix-missing-end_monitor-when-machine-check-fails.patch
+ktest.pl-add-run_timeout-option-with-default-unlimited.patch
+scsi-core-remove-the-proc-scsi-proc_name-directory-earlier.patch
+scsi-qla2xxx-fix-link-failure-in-npiv-environment.patch
+scsi-qla2xxx-fix-dma-api-call-trace-on-nvme-ls-requests.patch
+scsi-qla2xxx-fix-erroneous-link-down.patch
diff --git a/queue-5.4/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch b/queue-5.4/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch
new file mode 100644
index 00000000000..dedb9ca7694
--- /dev/null
+++ b/queue-5.4/thermal-intel-powerclamp-fix-cur_state-for-multi-package-system.patch
@@ -0,0 +1,97 @@ +From 8e47363588377e1bdb65e2b020b409cfb44dd260 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Wed, 1 Feb 2023 12:39:41 -0800 +Subject: thermal: intel: powerclamp: Fix cur_state for multi package system + +From: Srinivas Pandruvada + +commit 8e47363588377e1bdb65e2b020b409cfb44dd260 upstream. + +The powerclamp cooling device cur_state shows actual idle observed by +package C-state idle counters. But the implementation is not sufficient +for multi package or multi die system. The cur_state value is incorrect. +On these systems, these counters must be read from each package/die and +somehow aggregate them. But there is no good method for aggregation. + +It was not a problem when explicit CPU model addition was required to +enable intel powerclamp. In this way certain CPU models could have +been avoided. But with the removal of CPU model check with the +availability of Package C-state counters, the driver is loaded on most +of the recent systems. + +For multi package/die systems, just show the actual target idle state, +the system is trying to achieve. In powerclamp this is the user set +state minus one. + +Also there is no use of starting a worker thread for polling package +C-state counters and applying any compensation for multiple package +or multiple die systems. + +Fixes: b721ca0d1927 ("thermal/powerclamp: remove cpu whitelist") +Signed-off-by: Srinivas Pandruvada +Cc: 4.14+ # 4.14+ +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/intel_powerclamp.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/thermal/intel/intel_powerclamp.c ++++ b/drivers/thermal/intel/intel_powerclamp.c +@@ -57,6 +57,7 @@ + + static unsigned int target_mwait; + static struct dentry *debug_dir; ++static bool poll_pkg_cstate_enable; + + /* user selected target */ + static unsigned int set_target_ratio; +@@ -265,6 +266,9 @@ static unsigned int get_compensation(int + { + unsigned int comp = 0; + ++ if (!poll_pkg_cstate_enable) ++ return 0; ++ + /* we only use compensation if all adjacent ones are good */ + if (ratio == 1 && + cal_data[ratio].confidence >= CONFIDENCE_OK && +@@ -537,7 +541,8 @@ static int start_power_clamp(void) + control_cpu = cpumask_first(cpu_online_mask); + + clamping = true; +- schedule_delayed_work(&poll_pkg_cstate_work, 0); ++ if (poll_pkg_cstate_enable) ++ schedule_delayed_work(&poll_pkg_cstate_work, 0); + + /* start one kthread worker per online cpu */ + for_each_online_cpu(cpu) { +@@ -606,11 +611,15 @@ static int powerclamp_get_max_state(stru + static int powerclamp_get_cur_state(struct thermal_cooling_device *cdev, + unsigned long *state) + { +- if (true == clamping) +- *state = pkg_cstate_ratio_cur; +- else ++ if (clamping) { ++ if (poll_pkg_cstate_enable) ++ *state = pkg_cstate_ratio_cur; ++ else ++ *state = set_target_ratio; ++ } else { + /* to save power, do not poll idle ratio while not clamping */ + *state = -1; /* indicates invalid state */ ++ } + + return 0; + } +@@ -735,6 +744,9 @@ static int __init powerclamp_init(void) + goto exit_unregister; + } + ++ if (topology_max_packages() == 1 && topology_max_die_per_package() == 1) ++ poll_pkg_cstate_enable = true; ++ + cooling_dev = thermal_cooling_device_register("intel_powerclamp", NULL, + &powerclamp_cooling_ops); + if (IS_ERR(cooling_dev)) { 
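Review bot: `poll_pkg_cstate_enable` is set once in powerclamp_init() from topology_max_packages() and topology_max_die_per_package() and then gates get_compensation(), start_power_clamp() and powerclamp_get_cur_state(), yet its declaration has no comment. Document it where it is declared, e.g. `/* true only on single-package, single-die systems, where package C-state counters are meaningful; fixed at init */`. The commit message describes the reported value as the user set state minus one, while the new branch stores `set_target_ratio` unchanged in `*state`; the hunk does not show how set_target_ratio is derived, so a short comment on that line stating the relation would settle it. The functions touched continue outside the hunks.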
diff --git a/queue-5.4/wifi-cfg80211-fix-use-after-free-for-wext.patch b/queue-5.4/wifi-cfg80211-fix-use-after-free-for-wext.patch
new file mode 100644
index 00000000000..c0c5d018364
--- /dev/null
+++ b/queue-5.4/wifi-cfg80211-fix-use-after-free-for-wext.patch
@@ -0,0 +1,96 @@ +From 015b8cc5e7c4d7bb671f1984d7b7338c310b185b Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Tue, 24 Jan 2023 15:18:56 +0100 +Subject: wifi: cfg80211: Fix use after free for wext + +From: Alexander Wetzel + +commit 015b8cc5e7c4d7bb671f1984d7b7338c310b185b upstream. + +Key information in wext.connect is not reset on (re)connect and can hold +data from a previous connection. + +Reset key data to avoid that drivers or mac80211 incorrectly detect a +WEP connection request and access the freed or already reused memory. + +Additionally optimize cfg80211_sme_connect() and avoid an useless +schedule of conn_work. + +Fixes: fffd0934b939 ("cfg80211: rework key operation") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230124141856.356646-1-alexander@wetzel-home.de +Signed-off-by: Alexander Wetzel +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/sme.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -269,6 +269,15 @@ void cfg80211_conn_work(struct work_stru + rtnl_unlock(); + } + ++static void cfg80211_step_auth_next(struct cfg80211_conn *conn, ++ struct cfg80211_bss *bss) ++{ ++ memcpy(conn->bssid, bss->bssid, ETH_ALEN); ++ conn->params.bssid = conn->bssid; ++ conn->params.channel = bss->channel; ++ conn->state = CFG80211_CONN_AUTHENTICATE_NEXT; ++} ++ + /* Returned bss is reference counted and must be cleaned up appropriately. 
*/ + static struct cfg80211_bss *cfg80211_get_conn_bss(struct wireless_dev *wdev) + { +@@ -286,10 +295,7 @@ static struct cfg80211_bss *cfg80211_get + if (!bss) + return NULL; + +- memcpy(wdev->conn->bssid, bss->bssid, ETH_ALEN); +- wdev->conn->params.bssid = wdev->conn->bssid; +- wdev->conn->params.channel = bss->channel; +- wdev->conn->state = CFG80211_CONN_AUTHENTICATE_NEXT; ++ cfg80211_step_auth_next(wdev->conn, bss); + schedule_work(&rdev->conn_work); + + return bss; +@@ -568,7 +574,12 @@ static int cfg80211_sme_connect(struct w + wdev->conn->params.ssid_len = wdev->ssid_len; + + /* see if we have the bss already */ +- bss = cfg80211_get_conn_bss(wdev); ++ bss = cfg80211_get_bss(wdev->wiphy, wdev->conn->params.channel, ++ wdev->conn->params.bssid, ++ wdev->conn->params.ssid, ++ wdev->conn->params.ssid_len, ++ wdev->conn_bss_type, ++ IEEE80211_PRIVACY(wdev->conn->params.privacy)); + + if (prev_bssid) { + memcpy(wdev->conn->prev_bssid, prev_bssid, ETH_ALEN); +@@ -579,6 +590,7 @@ static int cfg80211_sme_connect(struct w + if (bss) { + enum nl80211_timeout_reason treason; + ++ cfg80211_step_auth_next(wdev->conn, bss); + err = cfg80211_conn_do_work(wdev, &treason); + cfg80211_put_bss(wdev->wiphy, bss); + } else { +@@ -1233,6 +1245,15 @@ int cfg80211_connect(struct cfg80211_reg + } else { + if (WARN_ON(connkeys)) + return -EINVAL; ++ ++ /* connect can point to wdev->wext.connect which ++ * can hold key data from a previous connection ++ */ ++ connect->key = NULL; ++ connect->key_len = 0; ++ connect->key_idx = 0; ++ connect->crypto.cipher_group = 0; ++ connect->crypto.n_ciphers_pairwise = 0; + } + + wdev->connect_keys = connkeys; diff --git a/queue-5.4/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch b/queue-5.4/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch new file mode 100644 index 00000000000..874514e3091 --- /dev/null +++ b/queue-5.4/wifi-rtl8xxxu-use-a-longer-retry-limit-of-48.patch 
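Review bot: The stale-key reset in cfg80211_connect() clears `connect->key`, `key_len`, `key_idx`, `crypto.cipher_group` and `crypto.n_ciphers_pairwise` at the consumer, in the branch without connkeys, rather than at the point where the wext key data is released. Any other path that passes wdev->wext.connect on would still see the old pointer; that cannot be ruled out from this hunk, so the wext disconnect and free paths are worth checking and clearing there as well. The new helper cfg80211_step_auth_next() has no comment, and `/* Copy BSSID and channel from bss into conn and advance the state; takes no reference on bss. */` would state what its two callers may assume. The functions touched continue outside the hunks.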
@@ -0,0 +1,59 @@
+From 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith
+Date: Sun, 8 Jan 2023 17:08:16 +0200
+Subject: wifi: rtl8xxxu: Use a longer retry limit of 48
+
+From: Bitterblue Smith
+
+commit 2a86aa9a1892d60ef2e3f310f5b42b8b05546d65 upstream.
+
+The Realtek rate control algorithm goes back and forth a lot between
+the highest and the lowest rate it's allowed to use. This is due to
+a lot of frames being dropped because the retry limits set by
+IEEE80211_CONF_CHANGE_RETRY_LIMITS are too low. (Experimentally, they
+are 4 for long frames and 7 for short frames.)
+
+The vendor drivers hardcode the value 48 for both retry limits (for
+station mode), which makes dropped frames very rare and thus the rate
+control is more stable.
+
+Because most Realtek chips handle the rate control in the firmware,
+which can't be modified, ignore the limits set by
+IEEE80211_CONF_CHANGE_RETRY_LIMITS and use the value 48 (set during
+chip initialisation), same as the vendor drivers.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bitterblue Smith
+Reviewed-by: Ping-Ke Shih
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/477d745b-6bac-111d-403c-487fc19aa30d@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5494,7 +5494,6 @@ static int rtl8xxxu_config(struct ieee80
+ {
+ struct rtl8xxxu_priv *priv = hw->priv;
+ struct device *dev = &priv->udev->dev;
+- u16 val16;
+ int ret = 0, channel;
+ bool ht40;
+
+@@ -5504,14 +5503,6 @@ static int rtl8xxxu_config(struct ieee80
+ __func__, hw->conf.chandef.chan->hw_value,
+ changed, hw->conf.chandef.width);
+
+- if (changed & IEEE80211_CONF_CHANGE_RETRY_LIMITS) {
+- val16 = ((hw->conf.long_frame_max_tx_count <<
+- RETRY_LIMIT_LONG_SHIFT) & RETRY_LIMIT_LONG_MASK) |
+- ((hw->conf.short_frame_max_tx_count <<
+- RETRY_LIMIT_SHORT_SHIFT) & RETRY_LIMIT_SHORT_MASK);
+- rtl8xxxu_write16(priv, REG_RETRY_LIMIT, val16);
+- }
+-
+ if (changed & IEEE80211_CONF_CHANGE_CHANNEL) {
+ switch (hw->conf.chandef.width) {
+ case NL80211_CHAN_WIDTH_20_NOHT: