From: Greg Kroah-Hartman Date: Thu, 13 Feb 2025 13:13:31 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.78~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dfe6fe90180f3ba1a2b8aee8da9ddd6ae656db1c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: arm64-dts-rockchip-add-reset-names-for-combphy-on-rk3568.patch drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch fs-fix-adding-security-options-to-statmount.mnt_opt.patch fs-prepend-statmount.mnt_opts-string-with-security_sb_mnt_opts.patch ocfs2-check-dir-i_size-in-ocfs2_find_entry.patch revert-drm-amd-display-fix-green-screen-issue-after-suspend.patch revert-selftests-sched_ext-fix-build-after-renames-in-sched_ext-api.patch statmount-let-unset-strings-be-empty.patch --- diff --git a/queue-6.12/arm64-dts-rockchip-add-reset-names-for-combphy-on-rk3568.patch b/queue-6.12/arm64-dts-rockchip-add-reset-names-for-combphy-on-rk3568.patch new file mode 100644 index 0000000000..553bd7c7e4 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-add-reset-names-for-combphy-on-rk3568.patch @@ -0,0 +1,50 @@ +From 8b9c12757f919157752646faf3821abf2b7d2a64 Mon Sep 17 00:00:00 2001 +From: Chukun Pan +Date: Fri, 22 Nov 2024 15:30:05 +0800 +Subject: arm64: dts: rockchip: add reset-names for combphy on rk3568 + +From: Chukun Pan + +commit 8b9c12757f919157752646faf3821abf2b7d2a64 upstream. + +The reset-names of combphy are missing, add it. + +Signed-off-by: Chukun Pan +Fixes: fd3ac6e80497 ("dt-bindings: phy: rockchip: rk3588 has two reset lines") +Link: https://lore.kernel.org/r/20241122073006.99309-1-amadeus@jmu.edu.cn +Signed-off-by: Heiko Stuebner +Signed-off-by: Aurelien Jarno +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3568.dtsi | 1 + + arch/arm64/boot/dts/rockchip/rk356x.dtsi | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3568.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3568.dtsi +@@ -262,6 +262,7 @@ + assigned-clocks = <&pmucru CLK_PCIEPHY0_REF>; + assigned-clock-rates = <100000000>; + resets = <&cru SRST_PIPEPHY0>; ++ reset-names = "phy"; + rockchip,pipe-grf = <&pipegrf>; + rockchip,pipe-phy-grf = <&pipe_phy_grf0>; + #phy-cells = <1>; +--- a/arch/arm64/boot/dts/rockchip/rk356x.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk356x.dtsi +@@ -1762,6 +1762,7 @@ + assigned-clocks = <&pmucru CLK_PCIEPHY1_REF>; + assigned-clock-rates = <100000000>; + resets = <&cru SRST_PIPEPHY1>; ++ reset-names = "phy"; + rockchip,pipe-grf = <&pipegrf>; + rockchip,pipe-phy-grf = <&pipe_phy_grf1>; + #phy-cells = <1>; +@@ -1778,6 +1779,7 @@ + assigned-clocks = <&pmucru CLK_PCIEPHY2_REF>; + assigned-clock-rates = <100000000>; + resets = <&cru SRST_PIPEPHY2>; ++ reset-names = "phy"; + rockchip,pipe-grf = <&pipegrf>; + rockchip,pipe-phy-grf = <&pipe_phy_grf2>; + #phy-cells = <1>; diff --git a/queue-6.12/drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch b/queue-6.12/drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch new file mode 100644 index 0000000000..514134d74c --- /dev/null +++ b/queue-6.12/drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch @@ -0,0 +1,145 @@ +From a9ab6591b45258b79af1cb66112fd9f83c8855da Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Thu, 23 Jan 2025 12:22:03 -0800 +Subject: drm/xe: Fix and re-enable xe_print_blob_ascii85() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas De Marchi + +commit a9ab6591b45258b79af1cb66112fd9f83c8855da upstream. + +Commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa +debug tool") partially reverted some changes to workaround breakage +caused to mesa tools. However, in doing so it also broke fetching the +GuC log via debugfs since xe_print_blob_ascii85() simply bails out. + +The fix is to avoid the extra newlines: the devcoredump interface is +line-oriented and adding random newlines in the middle breaks it. If a +tool is able to parse it by looking at the data and checking for chars +that are out of the ascii85 space, it can still do so. A format change +that breaks the line-oriented output on devcoredump however needs better +coordination with existing tools. + +v2: Add suffix description comment +v3: Reword explanation of xe_print_blob_ascii85() calling drm_puts() + in a loop + +Reviewed-by: José Roberto de Souza +Cc: John Harrison +Cc: Julia Filipchuk +Cc: José Roberto de Souza +Cc: stable@vger.kernel.org +Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") +Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") +Link: https://patchwork.freedesktop.org/patch/msgid/20250123202307.95103-2-jose.souza@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 2c95bbf5002776117a69caed3b31c10bf7341bec) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_devcoredump.c | 34 +++++++++++++--------------------- + drivers/gpu/drm/xe/xe_devcoredump.h | 2 +- + drivers/gpu/drm/xe/xe_guc_log.c | 2 +- + 3 files changed, 15 insertions(+), 23 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_devcoredump.c ++++ b/drivers/gpu/drm/xe/xe_devcoredump.c +@@ -333,42 +333,34 @@ int xe_devcoredump_init(struct xe_device + /** + * xe_print_blob_ascii85 - print a BLOB to some useful location in ASCII85 + * +- * The output is split to multiple lines because some print targets, e.g. dmesg +- * cannot handle arbitrarily long lines. Note also that printing to dmesg in +- * piece-meal fashion is not possible, each separate call to drm_puts() has a +- * line-feed automatically added! Therefore, the entire output line must be +- * constructed in a local buffer first, then printed in one atomic output call. ++ * The output is split into multiple calls to drm_puts() because some print ++ * targets, e.g. dmesg, cannot handle arbitrarily long lines. These targets may ++ * add newlines, as is the case with dmesg: each drm_puts() call creates a ++ * separate line. + * + * There is also a scheduler yield call to prevent the 'task has been stuck for + * 120s' kernel hang check feature from firing when printing to a slow target + * such as dmesg over a serial port. + * +- * TODO: Add compression prior to the ASCII85 encoding to shrink huge buffers down. +- * + * @p: the printer object to output to + * @prefix: optional prefix to add to output string ++ * @suffix: optional suffix to add at the end. 0 disables it and is ++ * not added to the output, which is useful when using multiple calls ++ * to dump data to @p + * @blob: the Binary Large OBject to dump out + * @offset: offset in bytes to skip from the front of the BLOB, must be a multiple of sizeof(u32) + * @size: the size in bytes of the BLOB, must be a multiple of sizeof(u32) + */ +-void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, ++void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, + const void *blob, size_t offset, size_t size) + { + const u32 *blob32 = (const u32 *)blob; + char buff[ASCII85_BUFSZ], *line_buff; + size_t line_pos = 0; + +- /* +- * Splitting blobs across multiple lines is not compatible with the mesa +- * debug decoder tool. Note that even dropping the explicit '\n' below +- * doesn't help because the GuC log is so big some underlying implementation +- * still splits the lines at 512K characters. So just bail completely for +- * the moment. +- */ +- return; +- + #define DMESG_MAX_LINE_LEN 800 +-#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\n\0" */ ++ /* Always leave space for the suffix char and the \0 */ ++#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\0" */ + + if (size & 3) + drm_printf(p, "Size not word aligned: %zu", size); +@@ -400,7 +392,6 @@ void xe_print_blob_ascii85(struct drm_pr + line_pos += strlen(line_buff + line_pos); + + if ((line_pos + MIN_SPACE) >= DMESG_MAX_LINE_LEN) { +- line_buff[line_pos++] = '\n'; + line_buff[line_pos++] = 0; + + drm_puts(p, line_buff); +@@ -412,10 +403,11 @@ void xe_print_blob_ascii85(struct drm_pr + } + } + ++ if (suffix) ++ line_buff[line_pos++] = suffix; ++ + if (line_pos) { +- line_buff[line_pos++] = '\n'; + line_buff[line_pos++] = 0; +- + drm_puts(p, line_buff); + } + +--- a/drivers/gpu/drm/xe/xe_devcoredump.h ++++ b/drivers/gpu/drm/xe/xe_devcoredump.h +@@ -26,7 +26,7 @@ static inline int xe_devcoredump_init(st + } + #endif + +-void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, ++void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, + const void *blob, size_t offset, size_t size); + + #endif +--- a/drivers/gpu/drm/xe/xe_guc_log.c ++++ b/drivers/gpu/drm/xe/xe_guc_log.c +@@ -78,7 +78,7 @@ void xe_guc_log_print(struct xe_guc_log + + xe_map_memcpy_from(xe, copy, &log->bo->vmap, 0, size); + +- xe_print_blob_ascii85(p, "Log data", copy, 0, size); ++ xe_print_blob_ascii85(p, "Log data", '\n', copy, 0, size); + + vfree(copy); + } diff --git a/queue-6.12/fs-fix-adding-security-options-to-statmount.mnt_opt.patch b/queue-6.12/fs-fix-adding-security-options-to-statmount.mnt_opt.patch new file mode 100644 index 0000000000..33b595e269 --- /dev/null +++ b/queue-6.12/fs-fix-adding-security-options-to-statmount.mnt_opt.patch @@ -0,0 +1,70 @@ +From 5eb987105357cb7cfa7cf3b1e2f66d5c0977e412 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 29 Jan 2025 16:12:53 +0100 +Subject: fs: fix adding security options to statmount.mnt_opt + +From: Miklos Szeredi + +commit 5eb987105357cb7cfa7cf3b1e2f66d5c0977e412 upstream. + +Prepending security options was made conditional on sb->s_op->show_options, +but security options are independent of sb options. + +Fixes: 056d33137bf9 ("fs: prepend statmount.mnt_opts string with security_sb_mnt_opts()") +Fixes: f9af549d1fd3 ("fs: export mount options via statmount()") +Cc: stable@vger.kernel.org # v6.11 +Signed-off-by: Miklos Szeredi +Link: https://lore.kernel.org/r/20250129151253.33241-1-mszeredi@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -5020,30 +5020,29 @@ static int statmount_mnt_opts(struct kst + { + struct vfsmount *mnt = s->mnt; + struct super_block *sb = mnt->mnt_sb; ++ size_t start = seq->count; + int err; + +- if (sb->s_op->show_options) { +- size_t start = seq->count; +- +- err = security_sb_show_options(seq, sb); +- if (err) +- return err; ++ err = security_sb_show_options(seq, sb); ++ if (err) ++ return err; + ++ if (sb->s_op->show_options) { + err = sb->s_op->show_options(seq, mnt->mnt_root); + if (err) + return err; ++ } + +- if (unlikely(seq_has_overflowed(seq))) +- return -EAGAIN; ++ if (unlikely(seq_has_overflowed(seq))) ++ return -EAGAIN; + +- if (seq->count == start) +- return 0; ++ if (seq->count == start) ++ return 0; + +- /* skip leading comma */ +- memmove(seq->buf + start, seq->buf + start + 1, +- seq->count - start - 1); +- seq->count--; +- } ++ /* skip leading comma */ ++ memmove(seq->buf + start, seq->buf + start + 1, ++ seq->count - start - 1); ++ seq->count--; + + return 0; + } diff --git a/queue-6.12/fs-prepend-statmount.mnt_opts-string-with-security_sb_mnt_opts.patch b/queue-6.12/fs-prepend-statmount.mnt_opts-string-with-security_sb_mnt_opts.patch new file mode 100644 index 0000000000..93c7611be1 --- /dev/null +++ b/queue-6.12/fs-prepend-statmount.mnt_opts-string-with-security_sb_mnt_opts.patch @@ -0,0 +1,40 @@ +From 056d33137bf9364456ee70aa265ccbb948daee49 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Fri, 15 Nov 2024 10:35:53 -0500 +Subject: fs: prepend statmount.mnt_opts string with security_sb_mnt_opts() + +From: Jeff Layton + +commit 056d33137bf9364456ee70aa265ccbb948daee49 upstream. + +Currently these mount options aren't accessible via statmount(). + +The read handler for /proc/#/mountinfo calls security_sb_show_options() +to emit the security options after emitting superblock flag options, but +before calling sb->s_op->show_options. + +Have statmount_mnt_opts() call security_sb_show_options() before +calling ->show_options. + +Signed-off-by: Jeff Layton +Link: https://lore.kernel.org/r/20241115-statmount-v2-2-cd29aeff9cbb@kernel.org +Signed-off-by: Christian Brauner +Stable-dep-of: 5eb987105357 ("fs: fix adding security options to statmount.mnt_opt") +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -5025,6 +5025,10 @@ static int statmount_mnt_opts(struct kst + if (sb->s_op->show_options) { + size_t start = seq->count; + ++ err = security_sb_show_options(seq, sb); ++ if (err) ++ return err; ++ + err = sb->s_op->show_options(seq, mnt->mnt_root); + if (err) + return err; diff --git a/queue-6.12/ocfs2-check-dir-i_size-in-ocfs2_find_entry.patch b/queue-6.12/ocfs2-check-dir-i_size-in-ocfs2_find_entry.patch new file mode 100644 index 0000000000..859e098f31 --- /dev/null +++ b/queue-6.12/ocfs2-check-dir-i_size-in-ocfs2_find_entry.patch @@ -0,0 +1,217 @@ +From b0fce54b8c0d8e5f2b4c243c803c5996e73baee8 Mon Sep 17 00:00:00 2001 +From: Su Yue +Date: Mon, 6 Jan 2025 22:06:40 +0800 +Subject: ocfs2: check dir i_size in ocfs2_find_entry + +From: Su Yue + +commit b0fce54b8c0d8e5f2b4c243c803c5996e73baee8 upstream. + +syz reports an out of bounds read: + +================================================================== +BUG: KASAN: slab-out-of-bounds in ocfs2_match fs/ocfs2/dir.c:334 +[inline] +BUG: KASAN: slab-out-of-bounds in ocfs2_search_dirblock+0x283/0x6e0 +fs/ocfs2/dir.c:367 +Read of size 1 at addr ffff88804d8b9982 by task syz-executor.2/14802 + +CPU: 0 UID: 0 PID: 14802 Comm: syz-executor.2 Not tainted 6.13.0-rc4 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 +04/01/2014 +Sched_ext: serialise (enabled+all), task: runnable_at=-10ms +Call Trace: + +__dump_stack lib/dump_stack.c:94 [inline] +dump_stack_lvl+0x229/0x350 lib/dump_stack.c:120 +print_address_description mm/kasan/report.c:378 [inline] +print_report+0x164/0x530 mm/kasan/report.c:489 +kasan_report+0x147/0x180 mm/kasan/report.c:602 +ocfs2_match fs/ocfs2/dir.c:334 [inline] +ocfs2_search_dirblock+0x283/0x6e0 fs/ocfs2/dir.c:367 +ocfs2_find_entry_id fs/ocfs2/dir.c:414 [inline] +ocfs2_find_entry+0x1143/0x2db0 fs/ocfs2/dir.c:1078 +ocfs2_find_files_on_disk+0x18e/0x530 fs/ocfs2/dir.c:1981 +ocfs2_lookup_ino_from_name+0xb6/0x110 fs/ocfs2/dir.c:2003 +ocfs2_lookup+0x30a/0xd40 fs/ocfs2/namei.c:122 +lookup_open fs/namei.c:3627 [inline] +open_last_lookups fs/namei.c:3748 [inline] +path_openat+0x145a/0x3870 fs/namei.c:3984 +do_filp_open+0xe9/0x1c0 fs/namei.c:4014 +do_sys_openat2+0x135/0x1d0 fs/open.c:1402 +do_sys_open fs/open.c:1417 [inline] +__do_sys_openat fs/open.c:1433 [inline] +__se_sys_openat fs/open.c:1428 [inline] +__x64_sys_openat+0x15d/0x1c0 fs/open.c:1428 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0xf6/0x210 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f01076903ad +Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f01084acfc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 +RAX: ffffffffffffffda RBX: 00007f01077cbf80 RCX: 00007f01076903ad +RDX: 0000000000105042 RSI: 0000000020000080 RDI: ffffffffffffff9c +RBP: 00007f01077cbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 00000000000001ff R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f01077cbf80 R14: 00007f010764fc90 R15: 00007f010848d000 + +================================================================== + +And a general protection fault in ocfs2_prepare_dir_for_insert: + +================================================================== +loop0: detected capacity change from 0 to 32768 +JBD2: Ignoring recovery information on journal +ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data +mode. +Oops: general protection fault, probably for non-canonical address +0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 0 UID: 0 PID: 5096 Comm: syz-executor792 Not tainted +6.11.0-rc4-syzkaller-00002-gb0da640826ba #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:ocfs2_find_dir_space_id fs/ocfs2/dir.c:3406 [inline] +RIP: 0010:ocfs2_prepare_dir_for_insert+0x3309/0x5c70 fs/ocfs2/dir.c:4280 +Code: 00 00 e8 2a 25 13 fe e9 ba 06 00 00 e8 20 25 13 fe e9 4f 01 00 00 +e8 16 25 13 fe 49 8d 7f 08 49 8d 5f 09 48 89 f8 48 c1 e8 03 <42> 0f b6 +04 20 84 c0 0f 85 bd 23 00 00 48 89 d8 48 c1 e8 03 42 0f +RSP: 0018:ffffc9000af9f020 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: 0000000000000009 RCX: ffff88801e27a440 +RDX: 0000000000000000 RSI: 0000000000000400 RDI: 0000000000000008 +RBP: ffffc9000af9f830 R08: ffffffff8380395b R09: ffffffff838090a7 +R10: 0000000000000002 R11: ffff88801e27a440 R12: dffffc0000000000 +R13: ffff88803c660878 R14: f700000000000088 R15: 0000000000000000 +FS: 000055555a677380(0000) GS:ffff888020800000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000560bce569178 CR3: 000000001de5a000 CR4: 0000000000350ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +ocfs2_mknod+0xcaf/0x2b40 fs/ocfs2/namei.c:292 +vfs_mknod+0x36d/0x3b0 fs/namei.c:4088 +do_mknodat+0x3ec/0x5b0 +__do_sys_mknodat fs/namei.c:4166 [inline] +__se_sys_mknodat fs/namei.c:4163 [inline] +__x64_sys_mknodat+0xa7/0xc0 fs/namei.c:4163 +do_syscall_x64 arch/x86/entry/common.c:52 [inline] +do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f2dafda3a99 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 +f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 +0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 +64 89 01 48 +RSP: 002b:00007ffe336a6658 EFLAGS: 00000246 ORIG_RAX: +0000000000000103 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: +00007f2dafda3a99 +RDX: 00000000000021c0 RSI: 0000000020000040 RDI: +00000000ffffff9c +RBP: 00007f2dafe1b5f0 R08: 0000000000004480 R09: +000055555a6784c0 +R10: 0000000000000103 R11: 0000000000000246 R12: +00007ffe336a6680 +R13: 00007ffe336a68a8 R14: 431bde82d7b634db R15: +00007f2dafdec03b + +================================================================== + +The two reports are all caused invalid negative i_size of dir inode. For +ocfs2, dir_inode can't be negative or zero. + +Here add a check in which is called by ocfs2_check_dir_for_entry(). It +fixes the second report as ocfs2_check_dir_for_entry() must be called +before ocfs2_prepare_dir_for_insert(). Also set a up limit for dir with +OCFS2_INLINE_DATA_FL. The i_size can't be great than blocksize. + +Link: https://lkml.kernel.org/r/20250106140640.92260-1-glass.su@suse.com +Reported-by: Jiacheng Xu +Link: https://lore.kernel.org/ocfs2-devel/17a04f01.1ae74.19436d003fc.Coremail.stitch@zju.edu.cn/T/#u +Reported-by: syzbot+5a64828fcc4c2ad9b04f@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/0000000000005894f3062018caf1@google.com/T/ +Signed-off-by: Su Yue +Reviewed-by: Heming Zhao +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dir.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +--- a/fs/ocfs2/dir.c ++++ b/fs/ocfs2/dir.c +@@ -1065,26 +1065,39 @@ int ocfs2_find_entry(const char *name, i + { + struct buffer_head *bh; + struct ocfs2_dir_entry *res_dir = NULL; ++ int ret = 0; + + if (ocfs2_dir_indexed(dir)) + return ocfs2_find_entry_dx(name, namelen, dir, lookup); + ++ if (unlikely(i_size_read(dir) <= 0)) { ++ ret = -EFSCORRUPTED; ++ mlog_errno(ret); ++ goto out; ++ } + /* + * The unindexed dir code only uses part of the lookup + * structure, so there's no reason to push it down further + * than this. + */ +- if (OCFS2_I(dir)->ip_dyn_features & OCFS2_INLINE_DATA_FL) ++ if (OCFS2_I(dir)->ip_dyn_features & OCFS2_INLINE_DATA_FL) { ++ if (unlikely(i_size_read(dir) > dir->i_sb->s_blocksize)) { ++ ret = -EFSCORRUPTED; ++ mlog_errno(ret); ++ goto out; ++ } + bh = ocfs2_find_entry_id(name, namelen, dir, &res_dir); +- else ++ } else { + bh = ocfs2_find_entry_el(name, namelen, dir, &res_dir); ++ } + + if (bh == NULL) + return -ENOENT; + + lookup->dl_leaf_bh = bh; + lookup->dl_entry = res_dir; +- return 0; ++out: ++ return ret; + } + + /* +@@ -2010,6 +2023,7 @@ int ocfs2_lookup_ino_from_name(struct in + * + * Return 0 if the name does not exist + * Return -EEXIST if the directory contains the name ++ * Return -EFSCORRUPTED if found corruption + * + * Callers should have i_rwsem + a cluster lock on dir + */ +@@ -2023,9 +2037,12 @@ int ocfs2_check_dir_for_entry(struct ino + trace_ocfs2_check_dir_for_entry( + (unsigned long long)OCFS2_I(dir)->ip_blkno, namelen, name); + +- if (ocfs2_find_entry(name, namelen, dir, &lookup) == 0) { ++ ret = ocfs2_find_entry(name, namelen, dir, &lookup); ++ if (ret == 0) { + ret = -EEXIST; + mlog_errno(ret); ++ } else if (ret == -ENOENT) { ++ ret = 0; + } + + ocfs2_free_dir_lookup_result(&lookup); diff --git a/queue-6.12/revert-drm-amd-display-fix-green-screen-issue-after-suspend.patch b/queue-6.12/revert-drm-amd-display-fix-green-screen-issue-after-suspend.patch new file mode 100644 index 0000000000..c4f2a56c9c --- /dev/null +++ b/queue-6.12/revert-drm-amd-display-fix-green-screen-issue-after-suspend.patch @@ -0,0 +1,189 @@ +From 04d6273faed083e619fc39a738ab0372b6a4db20 Mon Sep 17 00:00:00 2001 +From: Rodrigo Siqueira +Date: Thu, 14 Nov 2024 15:32:52 -0700 +Subject: Revert "drm/amd/display: Fix green screen issue after suspend" + +From: Rodrigo Siqueira + +commit 04d6273faed083e619fc39a738ab0372b6a4db20 upstream. + +This reverts commit 87b7ebc2e16c14d32a912f18206a4d6cc9abc3e8. + +A long time ago, we had an issue with the Raven system when it was +connected to two displays: one with DP and another with HDMI. After the +system woke up from suspension, we saw a solid green screen caused by an +underflow generated by bad DCC metadata. To workaround this issue, the +'commit 87b7ebc2e16c ("drm/amd/display: Fix green screen issue after +suspend")' was introduced to disable the DCC for a few frames after in +the resume phase. However, in hindsight, this solution was probably a +workaround at the kernel level for some issues from another part +(probably other driver components or user space). After applying this +patch and trying to reproduce the green issue in a similar hardware +system but using the latest kernel and userspace, we cannot see the +issue, which makes this workaround obsolete and creates extra +unnecessary complexity to the code; for all of this reason, this commit +reverts the original change. + +Cc: Mario Limonciello +Cc: Pierre-Eric Pelloux-Prayer +Tested-by: Daniel Wheeler +Reviewed-by: Aurabindo Pillai +Signed-off-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 ++------ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 22 +++++----------- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.h | 3 -- + 3 files changed, 13 insertions(+), 24 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -5499,8 +5499,7 @@ fill_dc_plane_info_and_addr(struct amdgp + const u64 tiling_flags, + struct dc_plane_info *plane_info, + struct dc_plane_address *address, +- bool tmz_surface, +- bool force_disable_dcc) ++ bool tmz_surface) + { + const struct drm_framebuffer *fb = plane_state->fb; + const struct amdgpu_framebuffer *afb = +@@ -5599,7 +5598,7 @@ fill_dc_plane_info_and_addr(struct amdgp + &plane_info->tiling_info, + &plane_info->plane_size, + &plane_info->dcc, address, +- tmz_surface, force_disable_dcc); ++ tmz_surface); + if (ret) + return ret; + +@@ -5620,7 +5619,6 @@ static int fill_dc_plane_attributes(stru + struct dc_scaling_info scaling_info; + struct dc_plane_info plane_info; + int ret; +- bool force_disable_dcc = false; + + ret = amdgpu_dm_plane_fill_dc_scaling_info(adev, plane_state, &scaling_info); + if (ret) +@@ -5631,13 +5629,11 @@ static int fill_dc_plane_attributes(stru + dc_plane_state->clip_rect = scaling_info.clip_rect; + dc_plane_state->scaling_quality = scaling_info.scaling_quality; + +- force_disable_dcc = adev->asic_type == CHIP_RAVEN && adev->in_suspend; + ret = fill_dc_plane_info_and_addr(adev, plane_state, + afb->tiling_flags, + &plane_info, + &dc_plane_state->address, +- afb->tmz_surface, +- force_disable_dcc); ++ afb->tmz_surface); + if (ret) + return ret; + +@@ -9063,7 +9059,7 @@ static void amdgpu_dm_commit_planes(stru + afb->tiling_flags, + &bundle->plane_infos[planes_count], + &bundle->flip_addrs[planes_count].address, +- afb->tmz_surface, false); ++ afb->tmz_surface); + + drm_dbg_state(state->dev, "plane: id=%d dcc_en=%d\n", + new_plane_state->plane->index, +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c +@@ -309,8 +309,7 @@ static int amdgpu_dm_plane_fill_gfx9_pla + const struct plane_size *plane_size, + union dc_tiling_info *tiling_info, + struct dc_plane_dcc_param *dcc, +- struct dc_plane_address *address, +- const bool force_disable_dcc) ++ struct dc_plane_address *address) + { + const uint64_t modifier = afb->base.modifier; + int ret = 0; +@@ -318,7 +317,7 @@ static int amdgpu_dm_plane_fill_gfx9_pla + amdgpu_dm_plane_fill_gfx9_tiling_info_from_modifier(adev, tiling_info, modifier); + tiling_info->gfx9.swizzle = amdgpu_dm_plane_modifier_gfx9_swizzle_mode(modifier); + +- if (amdgpu_dm_plane_modifier_has_dcc(modifier) && !force_disable_dcc) { ++ if (amdgpu_dm_plane_modifier_has_dcc(modifier)) { + uint64_t dcc_address = afb->address + afb->base.offsets[1]; + bool independent_64b_blks = AMD_FMT_MOD_GET(DCC_INDEPENDENT_64B, modifier); + bool independent_128b_blks = AMD_FMT_MOD_GET(DCC_INDEPENDENT_128B, modifier); +@@ -360,8 +359,7 @@ static int amdgpu_dm_plane_fill_gfx12_pl + const struct plane_size *plane_size, + union dc_tiling_info *tiling_info, + struct dc_plane_dcc_param *dcc, +- struct dc_plane_address *address, +- const bool force_disable_dcc) ++ struct dc_plane_address *address) + { + const uint64_t modifier = afb->base.modifier; + int ret = 0; +@@ -371,7 +369,7 @@ static int amdgpu_dm_plane_fill_gfx12_pl + + tiling_info->gfx9.swizzle = amdgpu_dm_plane_modifier_gfx9_swizzle_mode(modifier); + +- if (amdgpu_dm_plane_modifier_has_dcc(modifier) && !force_disable_dcc) { ++ if (amdgpu_dm_plane_modifier_has_dcc(modifier)) { + int max_compressed_block = AMD_FMT_MOD_GET(DCC_MAX_COMPRESSED_BLOCK, modifier); + + dcc->enable = 1; +@@ -839,8 +837,7 @@ int amdgpu_dm_plane_fill_plane_buffer_at + struct plane_size *plane_size, + struct dc_plane_dcc_param *dcc, + struct dc_plane_address *address, +- bool tmz_surface, +- bool force_disable_dcc) ++ bool tmz_surface) + { + const struct drm_framebuffer *fb = &afb->base; + int ret; +@@ -900,16 +897,14 @@ int amdgpu_dm_plane_fill_plane_buffer_at + ret = amdgpu_dm_plane_fill_gfx12_plane_attributes_from_modifiers(adev, afb, format, + rotation, plane_size, + tiling_info, dcc, +- address, +- force_disable_dcc); ++ address); + if (ret) + return ret; + } else if (adev->family >= AMDGPU_FAMILY_AI) { + ret = amdgpu_dm_plane_fill_gfx9_plane_attributes_from_modifiers(adev, afb, format, + rotation, plane_size, + tiling_info, dcc, +- address, +- force_disable_dcc); ++ address); + if (ret) + return ret; + } else { +@@ -1000,14 +995,13 @@ static int amdgpu_dm_plane_helper_prepar + dm_plane_state_old->dc_state != dm_plane_state_new->dc_state) { + struct dc_plane_state *plane_state = + dm_plane_state_new->dc_state; +- bool force_disable_dcc = !plane_state->dcc.enable; + + amdgpu_dm_plane_fill_plane_buffer_attributes( + adev, afb, plane_state->format, plane_state->rotation, + afb->tiling_flags, + &plane_state->tiling_info, &plane_state->plane_size, + &plane_state->dcc, &plane_state->address, +- afb->tmz_surface, force_disable_dcc); ++ afb->tmz_surface); + } + + return 0; +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.h ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.h +@@ -51,8 +51,7 @@ int amdgpu_dm_plane_fill_plane_buffer_at + struct plane_size *plane_size, + struct dc_plane_dcc_param *dcc, + struct dc_plane_address *address, +- bool tmz_surface, +- bool force_disable_dcc); ++ bool tmz_surface); + + int amdgpu_dm_plane_init(struct amdgpu_display_manager *dm, + struct drm_plane *plane, diff --git a/queue-6.12/revert-selftests-sched_ext-fix-build-after-renames-in-sched_ext-api.patch b/queue-6.12/revert-selftests-sched_ext-fix-build-after-renames-in-sched_ext-api.patch new file mode 100644 index 0000000000..54716ee2ca --- /dev/null +++ b/queue-6.12/revert-selftests-sched_ext-fix-build-after-renames-in-sched_ext-api.patch @@ -0,0 +1,210 @@ +From libo.chen@oracle.com Thu Feb 13 13:25:58 2025 +From: Libo Chen +Date: Tue, 11 Feb 2025 17:11:37 -0800 +Subject: [PATCH 6.12] Revert "selftests/sched_ext: fix build after renames in sched_ext API" +To: gregkh@linuxfoundation.org +Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, tj@kernel.org, void@manifault.com, ihor.solodrai@pm.me, harshit.m.mogalapalli@oracle.com +Message-ID: <20250212011137.2354596-1-libo.chen@oracle.com> + +From: Libo Chen + +This reverts commit fc20e87419e59d86f3bbcee2d4506bcd01c6450a which is +commit ef7009decc30eb2515a64253791d61b72229c119 upstream. + +Commit "selftests/sched_ext: fix build after renames in sched_ext API” +was pulled into 6.12.y without the sched_ext API renames it depends on. +The prereqs can be found in +https://lore.kernel.org/lkml/20241110200308.103681-1-tj@kernel.org/ +As a result, sched_ext selftests fail to compile. + +Cc: stable@vger.kernel.org +Fixes: fc20e87419e59 ("selftests/sched_ext: fix build after renames in sched_ext API") +Signed-off-by: Libo Chen +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c | 2 +- + tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c | 4 ++-- + tools/testing/selftests/sched_ext/dsp_local_on.bpf.c | 2 +- + tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c | 2 +- + tools/testing/selftests/sched_ext/exit.bpf.c | 4 ++-- + tools/testing/selftests/sched_ext/maximal.bpf.c | 4 ++-- + tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c | 2 +- + tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c | 2 +- + tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c | 2 +- + tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c | 2 +- + tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c | 4 ++-- + tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c | 8 ++++---- + 12 files changed, 19 insertions(+), 19 deletions(-) + +--- a/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c ++++ b/tools/testing/selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c +@@ -20,7 +20,7 @@ s32 BPF_STRUCT_OPS(ddsp_bogus_dsq_fail_s + * If we dispatch to a bogus DSQ that will fall back to the + * builtin global DSQ, we fail gracefully. + */ +- scx_bpf_dsq_insert_vtime(p, 0xcafef00d, SCX_SLICE_DFL, ++ scx_bpf_dispatch_vtime(p, 0xcafef00d, SCX_SLICE_DFL, + p->scx.dsq_vtime, 0); + return cpu; + } +--- a/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c ++++ b/tools/testing/selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c +@@ -17,8 +17,8 @@ s32 BPF_STRUCT_OPS(ddsp_vtimelocal_fail_ + + if (cpu >= 0) { + /* Shouldn't be allowed to vtime dispatch to a builtin DSQ. */ +- scx_bpf_dsq_insert_vtime(p, SCX_DSQ_LOCAL, SCX_SLICE_DFL, +- p->scx.dsq_vtime, 0); ++ scx_bpf_dispatch_vtime(p, SCX_DSQ_LOCAL, SCX_SLICE_DFL, ++ p->scx.dsq_vtime, 0); + return cpu; + } + +--- a/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c ++++ b/tools/testing/selftests/sched_ext/dsp_local_on.bpf.c +@@ -48,7 +48,7 @@ void BPF_STRUCT_OPS(dsp_local_on_dispatc + else + target = scx_bpf_task_cpu(p); + +- scx_bpf_dsq_insert(p, SCX_DSQ_LOCAL_ON | target, SCX_SLICE_DFL, 0); ++ scx_bpf_dispatch(p, SCX_DSQ_LOCAL_ON | target, SCX_SLICE_DFL, 0); + bpf_task_release(p); + } + +--- a/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c ++++ b/tools/testing/selftests/sched_ext/enq_select_cpu_fails.bpf.c +@@ -31,7 +31,7 @@ void BPF_STRUCT_OPS(enq_select_cpu_fails + /* Can only call from ops.select_cpu() */ + scx_bpf_select_cpu_dfl(p, 0, 0, &found); + +- scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); ++ scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); + } + + SEC(".struct_ops.link") +--- a/tools/testing/selftests/sched_ext/exit.bpf.c ++++ b/tools/testing/selftests/sched_ext/exit.bpf.c +@@ -33,7 +33,7 @@ void BPF_STRUCT_OPS(exit_enqueue, struct + if (exit_point == EXIT_ENQUEUE) + EXIT_CLEANLY(); + +- scx_bpf_dsq_insert(p, DSQ_ID, SCX_SLICE_DFL, enq_flags); ++ scx_bpf_dispatch(p, DSQ_ID, SCX_SLICE_DFL, enq_flags); + } + + void BPF_STRUCT_OPS(exit_dispatch, s32 cpu, struct task_struct *p) +@@ -41,7 +41,7 @@ void BPF_STRUCT_OPS(exit_dispatch, s32 c + if (exit_point == EXIT_DISPATCH) + EXIT_CLEANLY(); + +- scx_bpf_dsq_move_to_local(DSQ_ID); ++ scx_bpf_consume(DSQ_ID); + } + + void BPF_STRUCT_OPS(exit_enable, struct task_struct *p) +--- a/tools/testing/selftests/sched_ext/maximal.bpf.c ++++ b/tools/testing/selftests/sched_ext/maximal.bpf.c +@@ -22,7 +22,7 @@ s32 BPF_STRUCT_OPS(maximal_select_cpu, s + + void BPF_STRUCT_OPS(maximal_enqueue, struct task_struct *p, u64 enq_flags) + { +- scx_bpf_dsq_insert(p, DSQ_ID, SCX_SLICE_DFL, enq_flags); ++ scx_bpf_dispatch(p, DSQ_ID, SCX_SLICE_DFL, enq_flags); + } + + void BPF_STRUCT_OPS(maximal_dequeue, struct task_struct *p, u64 deq_flags) +@@ -30,7 +30,7 @@ void BPF_STRUCT_OPS(maximal_dequeue, str + + void BPF_STRUCT_OPS(maximal_dispatch, s32 cpu, struct task_struct *prev) + { +- scx_bpf_dsq_move_to_local(DSQ_ID); ++ scx_bpf_consume(DSQ_ID); + } + + void BPF_STRUCT_OPS(maximal_runnable, struct task_struct *p, u64 enq_flags) +--- a/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c ++++ b/tools/testing/selftests/sched_ext/select_cpu_dfl.bpf.c +@@ -30,7 +30,7 @@ void BPF_STRUCT_OPS(select_cpu_dfl_enque + } + scx_bpf_put_idle_cpumask(idle_mask); + +- scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); ++ scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, enq_flags); + } + + SEC(".struct_ops.link") +--- a/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c ++++ b/tools/testing/selftests/sched_ext/select_cpu_dfl_nodispatch.bpf.c +@@ -67,7 +67,7 @@ void BPF_STRUCT_OPS(select_cpu_dfl_nodis + saw_local = true; + } + +- scx_bpf_dsq_insert(p, dsq_id, SCX_SLICE_DFL, enq_flags); ++ scx_bpf_dispatch(p, dsq_id, SCX_SLICE_DFL, enq_flags); + } + + s32 BPF_STRUCT_OPS(select_cpu_dfl_nodispatch_init_task, +--- a/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c ++++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch.bpf.c +@@ -29,7 +29,7 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_s + cpu = prev_cpu; + + dispatch: +- scx_bpf_dsq_insert(p, dsq_id, SCX_SLICE_DFL, 0); ++ scx_bpf_dispatch(p, dsq_id, SCX_SLICE_DFL, 0); + return cpu; + } + +--- a/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c ++++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch_bad_dsq.bpf.c +@@ -18,7 +18,7 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_b + s32 prev_cpu, u64 wake_flags) + { + /* Dispatching to a random DSQ should fail. */ +- scx_bpf_dsq_insert(p, 0xcafef00d, SCX_SLICE_DFL, 0); ++ scx_bpf_dispatch(p, 0xcafef00d, SCX_SLICE_DFL, 0); + + return prev_cpu; + } +--- a/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c ++++ b/tools/testing/selftests/sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c +@@ -18,8 +18,8 @@ s32 BPF_STRUCT_OPS(select_cpu_dispatch_d + s32 prev_cpu, u64 wake_flags) + { + /* Dispatching twice in a row is disallowed. */ +- scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); +- scx_bpf_dsq_insert(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); ++ scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); ++ scx_bpf_dispatch(p, SCX_DSQ_GLOBAL, SCX_SLICE_DFL, 0); + + return prev_cpu; + } +--- a/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c ++++ b/tools/testing/selftests/sched_ext/select_cpu_vtime.bpf.c +@@ -2,8 +2,8 @@ + /* + * A scheduler that validates that enqueue flags are properly stored and + * applied at dispatch time when a task is directly dispatched from +- * ops.select_cpu(). We validate this by using scx_bpf_dsq_insert_vtime(), +- * and making the test a very basic vtime scheduler. ++ * ops.select_cpu(). We validate this by using scx_bpf_dispatch_vtime(), and ++ * making the test a very basic vtime scheduler. + * + * Copyright (c) 2024 Meta Platforms, Inc. and affiliates. + * Copyright (c) 2024 David Vernet +@@ -47,13 +47,13 @@ s32 BPF_STRUCT_OPS(select_cpu_vtime_sele + cpu = prev_cpu; + scx_bpf_test_and_clear_cpu_idle(cpu); + ddsp: +- scx_bpf_dsq_insert_vtime(p, VTIME_DSQ, SCX_SLICE_DFL, task_vtime(p), 0); ++ scx_bpf_dispatch_vtime(p, VTIME_DSQ, SCX_SLICE_DFL, task_vtime(p), 0); + return cpu; + } + + void BPF_STRUCT_OPS(select_cpu_vtime_dispatch, s32 cpu, struct task_struct *p) + { +- if (scx_bpf_dsq_move_to_local(VTIME_DSQ)) ++ if (scx_bpf_consume(VTIME_DSQ)) + consumed = true; + } + diff --git a/queue-6.12/series b/queue-6.12/series index 3a035da477..21fbcc5466 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -412,3 +412,11 @@ mptcp-prevent-excessive-coalescing-on-receive.patch x86-mm-convert-unreachable-to-bug.patch md-md-linear-fix-a-null-vs-is_err-bug-in-linear_add.patch md-fix-linear_set_limits.patch +revert-selftests-sched_ext-fix-build-after-renames-in-sched_ext-api.patch +revert-drm-amd-display-fix-green-screen-issue-after-suspend.patch +drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch +fs-prepend-statmount.mnt_opts-string-with-security_sb_mnt_opts.patch +fs-fix-adding-security-options-to-statmount.mnt_opt.patch +statmount-let-unset-strings-be-empty.patch +arm64-dts-rockchip-add-reset-names-for-combphy-on-rk3568.patch +ocfs2-check-dir-i_size-in-ocfs2_find_entry.patch diff --git a/queue-6.12/statmount-let-unset-strings-be-empty.patch b/queue-6.12/statmount-let-unset-strings-be-empty.patch new file mode 100644 index 0000000000..cf343d635f --- /dev/null +++ b/queue-6.12/statmount-let-unset-strings-be-empty.patch @@ -0,0 +1,76 @@ +From e52e97f09fb66fd868260d05bd6b74a9a3db39ee Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 30 Jan 2025 13:15:00 +0100 +Subject: statmount: let unset strings be empty + +From: Miklos Szeredi + +commit e52e97f09fb66fd868260d05bd6b74a9a3db39ee upstream. + +Just like it's normal for unset values to be zero, unset strings should be +empty instead of containing random values. + +It seems to be a typical mistake that the mask returned by statmount is not +checked, which can result in various bugs. + +With this fix, these bugs are prevented, since it is highly likely that +userspace would just want to turn the missing mask case into an empty +string anyway (most of the recently found cases are of this type). + +Link: https://lore.kernel.org/all/CAJfpegsVCPfCn2DpM8iiYSS5DpMsLB8QBUCHecoj6s0Vxf4jzg@mail.gmail.com/ +Fixes: 68385d77c05b ("statmount: simplify string option retrieval") +Fixes: 46eae99ef733 ("add statmount(2) syscall") +Cc: stable@vger.kernel.org # v6.8 +Signed-off-by: Miklos Szeredi +Link: https://lore.kernel.org/r/20250130121500.113446-1-mszeredi@redhat.com +Reviewed-by: Jeff Layton +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -5053,22 +5053,29 @@ static int statmount_string(struct kstat + size_t kbufsize; + struct seq_file *seq = &s->seq; + struct statmount *sm = &s->sm; ++ u32 start, *offp; ++ ++ /* Reserve an empty string at the beginning for any unset offsets */ ++ if (!seq->count) ++ seq_putc(seq, 0); ++ ++ start = seq->count; + + switch (flag) { + case STATMOUNT_FS_TYPE: +- sm->fs_type = seq->count; ++ offp = &sm->fs_type; + ret = statmount_fs_type(s, seq); + break; + case STATMOUNT_MNT_ROOT: +- sm->mnt_root = seq->count; ++ offp = &sm->mnt_root; + ret = statmount_mnt_root(s, seq); + break; + case STATMOUNT_MNT_POINT: +- sm->mnt_point = seq->count; ++ offp = &sm->mnt_point; + ret = statmount_mnt_point(s, seq); + break; + case STATMOUNT_MNT_OPTS: +- sm->mnt_opts = seq->count; ++ offp = &sm->mnt_opts; + ret = statmount_mnt_opts(s, seq); + break; + default: +@@ -5090,6 +5097,7 @@ static int statmount_string(struct kstat + + seq->buf[seq->count++] = '\0'; + sm->mask |= flag; ++ *offp = start; + return 0; + } +