From: Greg Kroah-Hartman Date: Tue, 23 Apr 2024 11:08:26 +0000 (+0200) Subject: drop a bunch of duplicate 5.4 and 5.10 patches X-Git-Tag: v5.15.157~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eca6cf077336d4bc94f2d973d45bffb1c2de74ef;p=thirdparty%2Fkernel%2Fstable-queue.git drop a bunch of duplicate 5.4 and 5.10 patches --- diff --git a/queue-5.10/drm-nv04-fix-out-of-bounds-access.patch-17182 b/queue-5.10/drm-nv04-fix-out-of-bounds-access.patch-17182 deleted file mode 100644 index c69a001beea..00000000000 --- a/queue-5.10/drm-nv04-fix-out-of-bounds-access.patch-17182 +++ /dev/null @@ -1,86 +0,0 @@ -From 1d58626b156f71d001ac27d0294447cefe780de1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 14:08:52 +0300 -Subject: drm: nv04: Fix out of bounds access - -From: Mikhail Kobuk - -[ Upstream commit cf92bb778eda7830e79452c6917efa8474a30c1e ] - -When Output Resource (dcb->or) value is assigned in -fabricate_dcb_output(), there may be out of bounds access to -dac_users array in case dcb->or is zero because ffs(dcb->or) is -used as index there. -The 'or' argument of fabricate_dcb_output() must be interpreted as a -number of bit to set, not value. - -Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. - -Found by Linux Verification Center (linuxtesting.org) with SVACE. - -Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4") -Fixes: 670820c0e6a9 ("drm/nouveau: Workaround incorrect DCB entry on a GeForce3 Ti 200.") -Signed-off-by: Mikhail Kobuk -Signed-off-by: Danilo Krummrich -Link: https://patchwork.freedesktop.org/patch/msgid/20240411110854.16701-1-m.kobuk@ispras.ru -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_bios.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c -index d204ea8a5618e..5cdf0d8d4bc18 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_bios.c -+++ b/drivers/gpu/drm/nouveau/nouveau_bios.c -@@ -23,6 +23,7 @@ - */ - - #include "nouveau_drv.h" -+#include "nouveau_bios.h" - #include "nouveau_reg.h" - #include "dispnv04/hw.h" - #include "nouveau_encoder.h" -@@ -1672,7 +1673,7 @@ apply_dcb_encoder_quirks(struct drm_device *dev, int idx, u32 *conn, u32 *conf) - */ - if (nv_match_device(dev, 0x0201, 0x1462, 0x8851)) { - if (*conn == 0xf2005014 && *conf == 0xffffffff) { -- fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 1, 1, 1); -+ fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 1, 1, DCB_OUTPUT_B); - return false; - } - } -@@ -1758,26 +1759,26 @@ fabricate_dcb_encoder_table(struct drm_device *dev, struct nvbios *bios) - #ifdef __powerpc__ - /* Apple iMac G4 NV17 */ - if (of_machine_is_compatible("PowerMac4,5")) { -- fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, 1); -- fabricate_dcb_output(dcb, DCB_OUTPUT_ANALOG, 1, all_heads, 2); -+ fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, DCB_OUTPUT_B); -+ fabricate_dcb_output(dcb, DCB_OUTPUT_ANALOG, 1, all_heads, DCB_OUTPUT_C); - return; - } - #endif - - /* Make up some sane defaults */ - fabricate_dcb_output(dcb, DCB_OUTPUT_ANALOG, -- bios->legacy.i2c_indices.crt, 1, 1); -+ bios->legacy.i2c_indices.crt, 1, DCB_OUTPUT_B); - - if (nv04_tv_identify(dev, bios->legacy.i2c_indices.tv) >= 0) - fabricate_dcb_output(dcb, DCB_OUTPUT_TV, - bios->legacy.i2c_indices.tv, -- all_heads, 0); -+ all_heads, DCB_OUTPUT_A); - - else if (bios->tmds.output0_script_ptr || - bios->tmds.output1_script_ptr) - fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, - bios->legacy.i2c_indices.panel, -- all_heads, 1); -+ all_heads, DCB_OUTPUT_B); - } - - static int --- -2.43.0 - diff --git a/queue-5.10/drm-panel-visionox-rm69299-don-t-unregister-dsi-devi.patch-29707 b/queue-5.10/drm-panel-visionox-rm69299-don-t-unregister-dsi-devi.patch-29707 deleted file mode 100644 index 2b7a68174d0..00000000000 --- a/queue-5.10/drm-panel-visionox-rm69299-don-t-unregister-dsi-devi.patch-29707 +++ /dev/null @@ -1,38 +0,0 @@ -From b5a756939611eba7601d44ffb37bf1f58d8c7193 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Apr 2024 13:07:59 +0300 -Subject: drm/panel: visionox-rm69299: don't unregister DSI device - -From: Dmitry Baryshkov - -[ Upstream commit 9e4d3f4f34455abbaa9930bf6b7575a5cd081496 ] - -The DSI device for the panel was registered by the DSI host, so it is an -error to unregister it from the panel driver. Drop the call to -mipi_dsi_device_unregister(). - -Fixes: c7f66d32dd43 ("drm/panel: add support for rm69299 visionox panel") -Reviewed-by: Jessica Zhang -Signed-off-by: Dmitry Baryshkov -Link: https://patchwork.freedesktop.org/patch/msgid/20240404-drop-panel-unregister-v1-1-9f56953c5fb9@linaro.org -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/panel/panel-visionox-rm69299.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/drivers/gpu/drm/panel/panel-visionox-rm69299.c b/drivers/gpu/drm/panel/panel-visionox-rm69299.c -index eb43503ec97b3..6134432e4918d 100644 ---- a/drivers/gpu/drm/panel/panel-visionox-rm69299.c -+++ b/drivers/gpu/drm/panel/panel-visionox-rm69299.c -@@ -261,8 +261,6 @@ static int visionox_rm69299_remove(struct mipi_dsi_device *dsi) - struct visionox_rm69299 *ctx = mipi_dsi_get_drvdata(dsi); - - mipi_dsi_detach(ctx->dsi); -- mipi_dsi_device_unregister(ctx->dsi); -- - drm_panel_remove(&ctx->panel); - return 0; - } --- -2.43.0 - diff --git a/queue-5.10/kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch b/queue-5.10/kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch deleted file mode 100644 index ad9f8cf4d78..00000000000 --- a/queue-5.10/kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch +++ /dev/null @@ -1,82 +0,0 @@ -From eafe098bc555680560db39b534bec118e2a005c6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 09:58:02 +0800 -Subject: kprobes: Fix possible use-after-free issue on kprobe registration - -From: Zheng Yejian - -commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream. - -When unloading a module, its state is changing MODULE_STATE_LIVE -> - MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take -a time. `is_module_text_address()` and `__module_text_address()` -works with MODULE_STATE_LIVE and MODULE_STATE_GOING. -If we use `is_module_text_address()` and `__module_text_address()` -separately, there is a chance that the first one is succeeded but the -next one is failed because module->state becomes MODULE_STATE_UNFORMED -between those operations. - -In `check_kprobe_address_safe()`, if the second `__module_text_address()` -is failed, that is ignored because it expected a kernel_text address. -But it may have failed simply because module->state has been changed -to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify -non-exist module text address (use-after-free). - -To fix this problem, we should not use separated `is_module_text_address()` -and `__module_text_address()`, but use only `__module_text_address()` -once and do `try_module_get(module)` which is only available with -MODULE_STATE_LIVE. - -Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/ - -Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas") -Cc: stable@vger.kernel.org -Signed-off-by: Zheng Yejian -Signed-off-by: Masami Hiramatsu (Google) -[Fix conflict due to lack dependency -commit 223a76b268c9 ("kprobes: Fix coding style issues")] -Signed-off-by: Zheng Yejian -Signed-off-by: Greg Kroah-Hartman ---- - kernel/kprobes.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index 05d3e156a7d63..dba6541c0fc3c 100644 ---- a/kernel/kprobes.c -+++ b/kernel/kprobes.c -@@ -1647,10 +1647,17 @@ static int check_kprobe_address_safe(struct kprobe *p, - jump_label_lock(); - preempt_disable(); - -- /* Ensure it is not in reserved area nor out of text */ -- if (!(core_kernel_text((unsigned long) p->addr) || -- is_module_text_address((unsigned long) p->addr)) || -- in_gate_area_no_mm((unsigned long) p->addr) || -+ /* Ensure the address is in a text area, and find a module if exists. */ -+ *probed_mod = NULL; -+ if (!core_kernel_text((unsigned long) p->addr)) { -+ *probed_mod = __module_text_address((unsigned long) p->addr); -+ if (!(*probed_mod)) { -+ ret = -EINVAL; -+ goto out; -+ } -+ } -+ /* Ensure it is not in reserved area. */ -+ if (in_gate_area_no_mm((unsigned long) p->addr) || - within_kprobe_blacklist((unsigned long) p->addr) || - jump_label_text_reserved(p->addr, p->addr) || - static_call_text_reserved(p->addr, p->addr) || -@@ -1660,8 +1667,7 @@ static int check_kprobe_address_safe(struct kprobe *p, - goto out; - } - -- /* Check if are we probing a module */ -- *probed_mod = __module_text_address((unsigned long) p->addr); -+ /* Get module refcount and reject __init functions for loaded modules. */ - if (*probed_mod) { - /* - * We must hold a refcount of the probed module while updating --- -2.43.0 - diff --git a/queue-5.10/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-25891 b/queue-5.10/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-25891 deleted file mode 100644 index 899ad26d9a3..00000000000 --- a/queue-5.10/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-25891 +++ /dev/null @@ -1,58 +0,0 @@ -From a0cfa2880cc61669d25cc98fdc85a72880a61679 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 7 Apr 2024 14:56:04 +0800 -Subject: netfilter: nf_tables: Fix potential data-race in - __nft_expr_type_get() - -From: Ziyang Xuan - -[ Upstream commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf ] - -nft_unregister_expr() can concurrent with __nft_expr_type_get(), -and there is not any protection when iterate over nf_tables_expressions -list in __nft_expr_type_get(). Therefore, there is potential data-race -of nf_tables_expressions list entry. - -Use list_for_each_entry_rcu() to iterate over nf_tables_expressions -list in __nft_expr_type_get(), and use rcu_read_lock() in the caller -nft_expr_type_get() to protect the entire type query process. - -Fixes: ef1f7df9170d ("netfilter: nf_tables: expression ops overloading") -Signed-off-by: Ziyang Xuan -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index ab7f7e45b9846..858d09b54eaa4 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -2739,7 +2739,7 @@ static const struct nft_expr_type *__nft_expr_type_get(u8 family, - { - const struct nft_expr_type *type, *candidate = NULL; - -- list_for_each_entry(type, &nf_tables_expressions, list) { -+ list_for_each_entry_rcu(type, &nf_tables_expressions, list) { - if (!nla_strcmp(nla, type->name)) { - if (!type->family && !candidate) - candidate = type; -@@ -2771,9 +2771,13 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net, - if (nla == NULL) - return ERR_PTR(-EINVAL); - -+ rcu_read_lock(); - type = __nft_expr_type_get(family, nla); -- if (type != NULL && try_module_get(type->owner)) -+ if (type != NULL && try_module_get(type->owner)) { -+ rcu_read_unlock(); - return type; -+ } -+ rcu_read_unlock(); - - lockdep_nfnl_nft_mutex_not_held(); - #ifdef CONFIG_MODULES --- -2.43.0 - diff --git a/queue-5.10/netfilter-nft_set_pipapo-do-not-free-live-element.patch-6586 b/queue-5.10/netfilter-nft_set_pipapo-do-not-free-live-element.patch-6586 deleted file mode 100644 index 53058589895..00000000000 --- a/queue-5.10/netfilter-nft_set_pipapo-do-not-free-live-element.patch-6586 +++ /dev/null @@ -1,105 +0,0 @@ -From 373fa197ed1d58c0e39a2341189ebec6e41c6cb8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 21:05:13 +0200 -Subject: netfilter: nft_set_pipapo: do not free live element - -From: Florian Westphal - -[ Upstream commit 3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc ] - -Pablo reports a crash with large batches of elements with a -back-to-back add/remove pattern. Quoting Pablo: - - add_elem("00000000") timeout 100 ms - ... - add_elem("0000000X") timeout 100 ms - del_elem("0000000X") <---------------- delete one that was just added - ... - add_elem("00005000") timeout 100 ms - - 1) nft_pipapo_remove() removes element 0000000X - Then, KASAN shows a splat. - -Looking at the remove function there is a chance that we will drop a -rule that maps to a non-deactivated element. - -Removal happens in two steps, first we do a lookup for key k and return the -to-be-removed element and mark it as inactive in the next generation. -Then, in a second step, the element gets removed from the set/map. - -The _remove function does not work correctly if we have more than one -element that share the same key. - -This can happen if we insert an element into a set when the set already -holds an element with same key, but the element mapping to the existing -key has timed out or is not active in the next generation. - -In such case its possible that removal will unmap the wrong element. -If this happens, we will leak the non-deactivated element, it becomes -unreachable. - -The element that got deactivated (and will be freed later) will -remain reachable in the set data structure, this can result in -a crash when such an element is retrieved during lookup (stale -pointer). - -Add a check that the fully matching key does in fact map to the element -that we have marked as inactive in the deactivation step. -If not, we need to continue searching. - -Add a bug/warn trap at the end of the function as well, the remove -function must not ever be called with an invisible/unreachable/non-existent -element. - -v2: avoid uneeded temporary variable (Stefano) - -Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") -Reported-by: Pablo Neira Ayuso -Reviewed-by: Stefano Brivio -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nft_set_pipapo.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c -index b9682e085fcef..5a8521abd8f5c 100644 ---- a/net/netfilter/nft_set_pipapo.c -+++ b/net/netfilter/nft_set_pipapo.c -@@ -1980,6 +1980,8 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, - rules_fx = rules_f0; - - nft_pipapo_for_each_field(f, i, m) { -+ bool last = i == m->field_count - 1; -+ - if (!pipapo_match_field(f, start, rules_fx, - match_start, match_end)) - break; -@@ -1992,16 +1994,18 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, - - match_start += NFT_PIPAPO_GROUPS_PADDED_SIZE(f); - match_end += NFT_PIPAPO_GROUPS_PADDED_SIZE(f); -- } - -- if (i == m->field_count) { -- priv->dirty = true; -- pipapo_drop(m, rulemap); -- return; -+ if (last && f->mt[rulemap[i].to].e == e) { -+ priv->dirty = true; -+ pipapo_drop(m, rulemap); -+ return; -+ } - } - - first_rule += rules_f0; - } -+ -+ WARN_ON_ONCE(1); /* elem_priv not found */ - } - - /** --- -2.43.0 - diff --git a/queue-5.10/rdma-cm-print-the-old-state-when-cm_destroy_id-gets-.patch-22806 b/queue-5.10/rdma-cm-print-the-old-state-when-cm_destroy_id-gets-.patch-22806 deleted file mode 100644 index eb14a19d4c9..00000000000 --- a/queue-5.10/rdma-cm-print-the-old-state-when-cm_destroy_id-gets-.patch-22806 +++ /dev/null @@ -1,67 +0,0 @@ -From 4e330cf8e3c2b3326f29ce9bc1c3d0f7ec93ac0e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Mar 2024 13:20:49 +0200 -Subject: RDMA/cm: Print the old state when cm_destroy_id gets timeout - -From: Mark Zhang - -[ Upstream commit b68e1acb5834ed1a2ad42d9d002815a8bae7c0b6 ] - -The old state is helpful for debugging, as the current state is always -IB_CM_IDLE when timeout happens. - -Fixes: 96d9cbe2f2ff ("RDMA/cm: add timeout to cm_destroy_id wait") -Signed-off-by: Mark Zhang -Link: https://lore.kernel.org/r/20240322112049.2022994-1-markzhang@nvidia.com -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/core/cm.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c -index 2a30b25c5e7e5..26c66685a43dd 100644 ---- a/drivers/infiniband/core/cm.c -+++ b/drivers/infiniband/core/cm.c -@@ -1057,23 +1057,26 @@ static void cm_reset_to_idle(struct cm_id_private *cm_id_priv) - } - } - --static noinline void cm_destroy_id_wait_timeout(struct ib_cm_id *cm_id) -+static noinline void cm_destroy_id_wait_timeout(struct ib_cm_id *cm_id, -+ enum ib_cm_state old_state) - { - struct cm_id_private *cm_id_priv; - - cm_id_priv = container_of(cm_id, struct cm_id_private, id); -- pr_err("%s: cm_id=%p timed out. state=%d refcnt=%d\n", __func__, -- cm_id, cm_id->state, refcount_read(&cm_id_priv->refcount)); -+ pr_err("%s: cm_id=%p timed out. state %d -> %d, refcnt=%d\n", __func__, -+ cm_id, old_state, cm_id->state, refcount_read(&cm_id_priv->refcount)); - } - - static void cm_destroy_id(struct ib_cm_id *cm_id, int err) - { - struct cm_id_private *cm_id_priv; -+ enum ib_cm_state old_state; - struct cm_work *work; - int ret; - - cm_id_priv = container_of(cm_id, struct cm_id_private, id); - spin_lock_irq(&cm_id_priv->lock); -+ old_state = cm_id->state; - retest: - switch (cm_id->state) { - case IB_CM_LISTEN: -@@ -1187,7 +1190,7 @@ static void cm_destroy_id(struct ib_cm_id *cm_id, int err) - msecs_to_jiffies( - CM_DESTROY_ID_WAIT_TIMEOUT)); - if (!ret) /* timeout happened */ -- cm_destroy_id_wait_timeout(cm_id); -+ cm_destroy_id_wait_timeout(cm_id, old_state); - } while (!ret); - - while ((work = cm_dequeue_work(cm_id_priv)) != NULL) --- -2.43.0 - diff --git a/queue-5.10/rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-8293 b/queue-5.10/rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-8293 deleted file mode 100644 index e847c452463..00000000000 --- a/queue-5.10/rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-8293 +++ /dev/null @@ -1,41 +0,0 @@ -From f0b2ba257dfdd5fbd7672fea4ace851d853e11df Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Apr 2024 12:03:46 +0300 -Subject: RDMA/mlx5: Fix port number for counter query in multi-port - configuration - -From: Michael Guralnik - -[ Upstream commit be121ffb384f53e966ee7299ffccc6eeb61bc73d ] - -Set the correct port when querying PPCNT in multi-port configuration. -Distinguish between cases where switchdev mode was enabled to multi-port -configuration and don't overwrite the queried port to 1 in multi-port -case. - -Fixes: 74b30b3ad5ce ("RDMA/mlx5: Set local port to one when accessing counters") -Signed-off-by: Michael Guralnik -Link: https://lore.kernel.org/r/9bfcc8ade958b760a51408c3ad654a01b11f7d76.1712134988.git.leon@kernel.org -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/hw/mlx5/mad.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/infiniband/hw/mlx5/mad.c b/drivers/infiniband/hw/mlx5/mad.c -index cca7a4a6bd82d..7f12a9b05c872 100644 ---- a/drivers/infiniband/hw/mlx5/mad.c -+++ b/drivers/infiniband/hw/mlx5/mad.c -@@ -166,7 +166,8 @@ static int process_pma_cmd(struct mlx5_ib_dev *dev, u8 port_num, - mdev = dev->mdev; - mdev_port_num = 1; - } -- if (MLX5_CAP_GEN(dev->mdev, num_ports) == 1) { -+ if (MLX5_CAP_GEN(dev->mdev, num_ports) == 1 && -+ !mlx5_core_mp_enabled(mdev)) { - /* set local port to one for Function-Per-Port HCA. */ - mdev = dev->mdev; - mdev_port_num = 1; --- -2.43.0 - diff --git a/queue-5.10/rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-21680 b/queue-5.10/rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-21680 deleted file mode 100644 index b8f0f63af8e..00000000000 --- a/queue-5.10/rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-21680 +++ /dev/null @@ -1,38 +0,0 @@ -From 24cb4126c3565cc2f2b7c6c165d0ca811ac75369 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Mar 2024 07:51:40 +0100 -Subject: RDMA/rxe: Fix the problem "mutex_destroy missing" - -From: Yanjun.Zhu - -[ Upstream commit 481047d7e8391d3842ae59025806531cdad710d9 ] - -When a mutex lock is not used any more, the function mutex_destroy -should be called to mark the mutex lock uninitialized. - -Fixes: 8700e3e7c485 ("Soft RoCE driver") -Signed-off-by: Yanjun.Zhu -Link: https://lore.kernel.org/r/20240314065140.27468-1-yanjun.zhu@linux.dev -Reviewed-by: Daisuke Matsuda -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/sw/rxe/rxe.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/infiniband/sw/rxe/rxe.c b/drivers/infiniband/sw/rxe/rxe.c -index 95f0de0c8b49c..0505c81aa8d04 100644 ---- a/drivers/infiniband/sw/rxe/rxe.c -+++ b/drivers/infiniband/sw/rxe/rxe.c -@@ -35,6 +35,8 @@ void rxe_dealloc(struct ib_device *ib_dev) - - if (rxe->tfm) - crypto_free_shash(rxe->tfm); -+ -+ mutex_destroy(&rxe->usdev_lock); - } - - /* initialize rxe device parameters */ --- -2.43.0 - diff --git a/queue-5.10/revert-tracing-trigger-fix-to-return-error-if-failed.patch b/queue-5.10/revert-tracing-trigger-fix-to-return-error-if-failed.patch deleted file mode 100644 index b8f2af78651..00000000000 --- a/queue-5.10/revert-tracing-trigger-fix-to-return-error-if-failed.patch +++ /dev/null @@ -1,56 +0,0 @@ -From f8e3c1cf9e23a256368ca13e52896e719e4d3aae Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 18:58:06 +0530 -Subject: Revert "tracing/trigger: Fix to return error if failed to alloc - snapshot" - -From: Siddh Raman Pant - -This reverts commit 56cfbe60710772916a5ba092c99542332b48e870 which is -commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream. - -The change has an incorrect assumption about the return value because -in the current stable trees for versions 5.15 and before, the following -commit responsible for making 0 a success value is not present: -b8cc44a4d3c1 ("tracing: Remove logic for registering multiple event triggers at a time") - -The return value should be 0 on failure in the current tree, because in -the functions event_trigger_callback() and event_enable_trigger_func(), -we have: - - ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file); - /* - * The above returns on success the # of functions enabled, - * but if it didn't find any functions it returns zero. - * Consider no functions a failure too. - */ - if (!ret) { - ret = -ENOENT; - -Cc: stable@kernel.org # 5.15, 5.10, 5.4, 4.19 -Signed-off-by: Siddh Raman Pant -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/trace_events_trigger.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c -index e4340958da2df..4bc90965abb25 100644 ---- a/kernel/trace/trace_events_trigger.c -+++ b/kernel/trace/trace_events_trigger.c -@@ -1140,10 +1140,8 @@ register_snapshot_trigger(char *glob, struct event_trigger_ops *ops, - struct event_trigger_data *data, - struct trace_event_file *file) - { -- int ret = tracing_alloc_snapshot_instance(file->tr); -- -- if (ret < 0) -- return ret; -+ if (tracing_alloc_snapshot_instance(file->tr) != 0) -+ return 0; - - return register_trigger(glob, ops, data, file); - } --- -2.43.0 - diff --git a/queue-5.10/selftests-ftrace-limit-length-in-subsystem-enable-te.patch b/queue-5.10/selftests-ftrace-limit-length-in-subsystem-enable-te.patch deleted file mode 100644 index cb1652fbe9b..00000000000 --- a/queue-5.10/selftests-ftrace-limit-length-in-subsystem-enable-te.patch +++ /dev/null @@ -1,60 +0,0 @@ -From faf496c02dce46cc4bddd0a9b71a0554b227e92f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Feb 2024 11:18:16 +0800 -Subject: selftests/ftrace: Limit length in subsystem-enable tests - -From: Yuanhe Shu - -commit 1a4ea83a6e67f1415a1f17c1af5e9c814c882bb5 upstream. - -While sched* events being traced and sched* events continuously happen, -"[xx] event tracing - enable/disable with subsystem level files" would -not stop as on some slower systems it seems to take forever. -Select the first 100 lines of output would be enough to judge whether -there are more than 3 types of sched events. - -Fixes: 815b18ea66d6 ("ftracetest: Add basic event tracing test cases") -Cc: stable@vger.kernel.org -Signed-off-by: Yuanhe Shu -Acked-by: Masami Hiramatsu (Google) -Acked-by: Steven Rostedt (Google) -Signed-off-by: Shuah Khan -Signed-off-by: Greg Kroah-Hartman ---- - .../selftests/ftrace/test.d/event/subsystem-enable.tc | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc -index b1ede62498667..b7c8f29c09a97 100644 ---- a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc -+++ b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc -@@ -18,7 +18,7 @@ echo 'sched:*' > set_event - - yield - --count=`cat trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` -+count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` - if [ $count -lt 3 ]; then - fail "at least fork, exec and exit events should be recorded" - fi -@@ -29,7 +29,7 @@ echo 1 > events/sched/enable - - yield - --count=`cat trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` -+count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` - if [ $count -lt 3 ]; then - fail "at least fork, exec and exit events should be recorded" - fi -@@ -40,7 +40,7 @@ echo 0 > events/sched/enable - - yield - --count=`cat trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` -+count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` - if [ $count -ne 0 ]; then - fail "any of scheduler events should not be recorded" - fi --- -2.43.0 - diff --git a/queue-5.10/series b/queue-5.10/series index 94911fd26cf..bc89aaf3aa1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -42,17 +42,6 @@ rdma-cm-print-the-old-state-when-cm_destroy_id-gets-.patch rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch drm-nv04-fix-out-of-bounds-access.patch drm-panel-visionox-rm69299-don-t-unregister-dsi-devi.patch -selftests-ftrace-limit-length-in-subsystem-enable-te.patch -kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch -revert-tracing-trigger-fix-to-return-error-if-failed.patch -netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-25891 -netfilter-nft_set_pipapo-do-not-free-live-element.patch-6586 -tun-limit-printing-rate-when-illegal-packet-received.patch-16285 -rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-21680 -rdma-cm-print-the-old-state-when-cm_destroy_id-gets-.patch-22806 -rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-8293 -drm-nv04-fix-out-of-bounds-access.patch-17182 -drm-panel-visionox-rm69299-don-t-unregister-dsi-devi.patch-29707 clk-remove-prepare_lock-hold-assertion-in-__clk_rele.patch clk-mark-all_lists-as-const.patch clk-remove-extra-empty-line.patch diff --git a/queue-5.10/tun-limit-printing-rate-when-illegal-packet-received.patch-16285 b/queue-5.10/tun-limit-printing-rate-when-illegal-packet-received.patch-16285 deleted file mode 100644 index 48526154657..00000000000 --- a/queue-5.10/tun-limit-printing-rate-when-illegal-packet-received.patch-16285 +++ /dev/null @@ -1,91 +0,0 @@ -From e11b1a06368955e76f40d7d933fc707af7ad056b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Apr 2024 22:02:46 -0400 -Subject: tun: limit printing rate when illegal packet received by tun dev - -From: Lei Chen - -[ Upstream commit f8bbc07ac535593139c875ffa19af924b1084540 ] - -vhost_worker will call tun call backs to receive packets. If too many -illegal packets arrives, tun_do_read will keep dumping packet contents. -When console is enabled, it will costs much more cpu time to dump -packet and soft lockup will be detected. - -net_ratelimit mechanism can be used to limit the dumping rate. - -PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980" - #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253 - #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3 - #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e - #3 [fffffe00003fced0] do_nmi at ffffffff8922660d - #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663 - [exception RIP: io_serial_in+20] - RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002 - RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000 - RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0 - RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f - R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020 - R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000 - ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 - #5 [ffffa655314979e8] io_serial_in at ffffffff89792594 - #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470 - #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6 - #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605 - #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558 - #10 [ffffa65531497ac8] console_unlock at ffffffff89316124 - #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07 - #12 [ffffa65531497b68] printk at ffffffff89318306 - #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765 - #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun] - #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun] - #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net] - #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost] - #18 [ffffa65531497f10] kthread at ffffffff892d2e72 - #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f - -Fixes: ef3db4a59542 ("tun: avoid BUG, dump packet on GSO errors") -Signed-off-by: Lei Chen -Reviewed-by: Willem de Bruijn -Acked-by: Jason Wang -Reviewed-by: Eric Dumazet -Acked-by: Michael S. Tsirkin -Link: https://lore.kernel.org/r/20240415020247.2207781-1-lei.chen@smartx.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/tun.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index bb0368272a1bb..77e63e7366e78 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -2141,14 +2141,16 @@ static ssize_t tun_put_user(struct tun_struct *tun, - tun_is_little_endian(tun), true, - vlan_hlen)) { - struct skb_shared_info *sinfo = skb_shinfo(skb); -- pr_err("unexpected GSO type: " -- "0x%x, gso_size %d, hdr_len %d\n", -- sinfo->gso_type, tun16_to_cpu(tun, gso.gso_size), -- tun16_to_cpu(tun, gso.hdr_len)); -- print_hex_dump(KERN_ERR, "tun: ", -- DUMP_PREFIX_NONE, -- 16, 1, skb->head, -- min((int)tun16_to_cpu(tun, gso.hdr_len), 64), true); -+ -+ if (net_ratelimit()) { -+ netdev_err(tun->dev, "unexpected GSO type: 0x%x, gso_size %d, hdr_len %d\n", -+ sinfo->gso_type, tun16_to_cpu(tun, gso.gso_size), -+ tun16_to_cpu(tun, gso.hdr_len)); -+ print_hex_dump(KERN_ERR, "tun: ", -+ DUMP_PREFIX_NONE, -+ 16, 1, skb->head, -+ min((int)tun16_to_cpu(tun, gso.hdr_len), 64), true); -+ } - WARN_ON_ONCE(1); - return -EINVAL; - } --- -2.43.0 - diff --git a/queue-5.4/drm-nv04-fix-out-of-bounds-access.patch-5395 b/queue-5.4/drm-nv04-fix-out-of-bounds-access.patch-5395 deleted file mode 100644 index a32e6fbc1bf..00000000000 --- a/queue-5.4/drm-nv04-fix-out-of-bounds-access.patch-5395 +++ /dev/null @@ -1,86 +0,0 @@ -From a952b7352866c48c812bf0f597bf0c5313ba584e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Apr 2024 14:08:52 +0300 -Subject: drm: nv04: Fix out of bounds access - -From: Mikhail Kobuk - -[ Upstream commit cf92bb778eda7830e79452c6917efa8474a30c1e ] - -When Output Resource (dcb->or) value is assigned in -fabricate_dcb_output(), there may be out of bounds access to -dac_users array in case dcb->or is zero because ffs(dcb->or) is -used as index there. -The 'or' argument of fabricate_dcb_output() must be interpreted as a -number of bit to set, not value. - -Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. - -Found by Linux Verification Center (linuxtesting.org) with SVACE. - -Fixes: 2e5702aff395 ("drm/nouveau: fabricate DCB encoder table for iMac G4") -Fixes: 670820c0e6a9 ("drm/nouveau: Workaround incorrect DCB entry on a GeForce3 Ti 200.") -Signed-off-by: Mikhail Kobuk -Signed-off-by: Danilo Krummrich -Link: https://patchwork.freedesktop.org/patch/msgid/20240411110854.16701-1-m.kobuk@ispras.ru -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/nouveau/nouveau_bios.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c -index d204ea8a5618e..5cdf0d8d4bc18 100644 ---- a/drivers/gpu/drm/nouveau/nouveau_bios.c -+++ b/drivers/gpu/drm/nouveau/nouveau_bios.c -@@ -23,6 +23,7 @@ - */ - - #include "nouveau_drv.h" -+#include "nouveau_bios.h" - #include "nouveau_reg.h" - #include "dispnv04/hw.h" - #include "nouveau_encoder.h" -@@ -1672,7 +1673,7 @@ apply_dcb_encoder_quirks(struct drm_device *dev, int idx, u32 *conn, u32 *conf) - */ - if (nv_match_device(dev, 0x0201, 0x1462, 0x8851)) { - if (*conn == 0xf2005014 && *conf == 0xffffffff) { -- fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 1, 1, 1); -+ fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 1, 1, DCB_OUTPUT_B); - return false; - } - } -@@ -1758,26 +1759,26 @@ fabricate_dcb_encoder_table(struct drm_device *dev, struct nvbios *bios) - #ifdef __powerpc__ - /* Apple iMac G4 NV17 */ - if (of_machine_is_compatible("PowerMac4,5")) { -- fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, 1); -- fabricate_dcb_output(dcb, DCB_OUTPUT_ANALOG, 1, all_heads, 2); -+ fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, 0, all_heads, DCB_OUTPUT_B); -+ fabricate_dcb_output(dcb, DCB_OUTPUT_ANALOG, 1, all_heads, DCB_OUTPUT_C); - return; - } - #endif - - /* Make up some sane defaults */ - fabricate_dcb_output(dcb, DCB_OUTPUT_ANALOG, -- bios->legacy.i2c_indices.crt, 1, 1); -+ bios->legacy.i2c_indices.crt, 1, DCB_OUTPUT_B); - - if (nv04_tv_identify(dev, bios->legacy.i2c_indices.tv) >= 0) - fabricate_dcb_output(dcb, DCB_OUTPUT_TV, - bios->legacy.i2c_indices.tv, -- all_heads, 0); -+ all_heads, DCB_OUTPUT_A); - - else if (bios->tmds.output0_script_ptr || - bios->tmds.output1_script_ptr) - fabricate_dcb_output(dcb, DCB_OUTPUT_TMDS, - bios->legacy.i2c_indices.panel, -- all_heads, 1); -+ all_heads, DCB_OUTPUT_B); - } - - static int --- -2.43.0 - diff --git a/queue-5.4/kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch b/queue-5.4/kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch deleted file mode 100644 index 09ee538dfe2..00000000000 --- a/queue-5.4/kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 4c8e57e3bd41dea5d8812dd5b93e1bd2d4e35e78 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Apr 2024 09:58:02 +0800 -Subject: kprobes: Fix possible use-after-free issue on kprobe registration - -From: Zheng Yejian - -commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream. - -When unloading a module, its state is changing MODULE_STATE_LIVE -> - MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take -a time. `is_module_text_address()` and `__module_text_address()` -works with MODULE_STATE_LIVE and MODULE_STATE_GOING. -If we use `is_module_text_address()` and `__module_text_address()` -separately, there is a chance that the first one is succeeded but the -next one is failed because module->state becomes MODULE_STATE_UNFORMED -between those operations. - -In `check_kprobe_address_safe()`, if the second `__module_text_address()` -is failed, that is ignored because it expected a kernel_text address. -But it may have failed simply because module->state has been changed -to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify -non-exist module text address (use-after-free). - -To fix this problem, we should not use separated `is_module_text_address()` -and `__module_text_address()`, but use only `__module_text_address()` -once and do `try_module_get(module)` which is only available with -MODULE_STATE_LIVE. - -Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/ - -Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas") -Cc: stable@vger.kernel.org -Signed-off-by: Zheng Yejian -Signed-off-by: Masami Hiramatsu (Google) -[Fix conflict due to lack dependency -commit 223a76b268c9 ("kprobes: Fix coding style issues")] -Signed-off-by: Zheng Yejian -Signed-off-by: Greg Kroah-Hartman ---- - kernel/kprobes.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/kernel/kprobes.c b/kernel/kprobes.c -index aecf4342f67cc..063e4ade16806 100644 ---- a/kernel/kprobes.c -+++ b/kernel/kprobes.c -@@ -1593,10 +1593,17 @@ static int check_kprobe_address_safe(struct kprobe *p, - jump_label_lock(); - preempt_disable(); - -- /* Ensure it is not in reserved area nor out of text */ -- if (!(core_kernel_text((unsigned long) p->addr) || -- is_module_text_address((unsigned long) p->addr)) || -- in_gate_area_no_mm((unsigned long) p->addr) || -+ /* Ensure the address is in a text area, and find a module if exists. */ -+ *probed_mod = NULL; -+ if (!core_kernel_text((unsigned long) p->addr)) { -+ *probed_mod = __module_text_address((unsigned long) p->addr); -+ if (!(*probed_mod)) { -+ ret = -EINVAL; -+ goto out; -+ } -+ } -+ /* Ensure it is not in reserved area. */ -+ if (in_gate_area_no_mm((unsigned long) p->addr) || - within_kprobe_blacklist((unsigned long) p->addr) || - jump_label_text_reserved(p->addr, p->addr) || - find_bug((unsigned long)p->addr)) { -@@ -1604,8 +1611,7 @@ static int check_kprobe_address_safe(struct kprobe *p, - goto out; - } - -- /* Check if are we probing a module */ -- *probed_mod = __module_text_address((unsigned long) p->addr); -+ /* Get module refcount and reject __init functions for loaded modules. */ - if (*probed_mod) { - /* - * We must hold a refcount of the probed module while updating --- -2.43.0 - diff --git a/queue-5.4/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-10812 b/queue-5.4/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-10812 deleted file mode 100644 index 947da044310..00000000000 --- a/queue-5.4/netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-10812 +++ /dev/null @@ -1,58 +0,0 @@ -From 0dcfc4e7b09585952b57920bb9034f32c4907785 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 7 Apr 2024 14:56:04 +0800 -Subject: netfilter: nf_tables: Fix potential data-race in - __nft_expr_type_get() - -From: Ziyang Xuan - -[ Upstream commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf ] - -nft_unregister_expr() can concurrent with __nft_expr_type_get(), -and there is not any protection when iterate over nf_tables_expressions -list in __nft_expr_type_get(). Therefore, there is potential data-race -of nf_tables_expressions list entry. - -Use list_for_each_entry_rcu() to iterate over nf_tables_expressions -list in __nft_expr_type_get(), and use rcu_read_lock() in the caller -nft_expr_type_get() to protect the entire type query process. - -Fixes: ef1f7df9170d ("netfilter: nf_tables: expression ops overloading") -Signed-off-by: Ziyang Xuan -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index b4bb93b9aafc7..8131d858f38d9 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -2239,7 +2239,7 @@ static const struct nft_expr_type *__nft_expr_type_get(u8 family, - { - const struct nft_expr_type *type, *candidate = NULL; - -- list_for_each_entry(type, &nf_tables_expressions, list) { -+ list_for_each_entry_rcu(type, &nf_tables_expressions, list) { - if (!nla_strcmp(nla, type->name)) { - if (!type->family && !candidate) - candidate = type; -@@ -2271,9 +2271,13 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net, - if (nla == NULL) - return ERR_PTR(-EINVAL); - -+ rcu_read_lock(); - type = __nft_expr_type_get(family, nla); -- if (type != NULL && try_module_get(type->owner)) -+ if (type != NULL && try_module_get(type->owner)) { -+ rcu_read_unlock(); - return type; -+ } -+ rcu_read_unlock(); - - lockdep_nfnl_nft_mutex_not_held(); - #ifdef CONFIG_MODULES --- -2.43.0 - diff --git a/queue-5.4/rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-31356 b/queue-5.4/rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-31356 deleted file mode 100644 index ed1f89045f5..00000000000 --- a/queue-5.4/rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-31356 +++ /dev/null @@ -1,41 +0,0 @@ -From 39f1af976b89528f966adfb1ffc3bffde986cb9d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Apr 2024 12:03:46 +0300 -Subject: RDMA/mlx5: Fix port number for counter query in multi-port - configuration - -From: Michael Guralnik - -[ Upstream commit be121ffb384f53e966ee7299ffccc6eeb61bc73d ] - -Set the correct port when querying PPCNT in multi-port configuration. -Distinguish between cases where switchdev mode was enabled to multi-port -configuration and don't overwrite the queried port to 1 in multi-port -case. - -Fixes: 74b30b3ad5ce ("RDMA/mlx5: Set local port to one when accessing counters") -Signed-off-by: Michael Guralnik -Link: https://lore.kernel.org/r/9bfcc8ade958b760a51408c3ad654a01b11f7d76.1712134988.git.leon@kernel.org -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/hw/mlx5/mad.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/infiniband/hw/mlx5/mad.c b/drivers/infiniband/hw/mlx5/mad.c -index 3897a3ce02ad0..84d72b3b6df84 100644 ---- a/drivers/infiniband/hw/mlx5/mad.c -+++ b/drivers/infiniband/hw/mlx5/mad.c -@@ -219,7 +219,8 @@ static int process_pma_cmd(struct mlx5_ib_dev *dev, u8 port_num, - mdev = dev->mdev; - mdev_port_num = 1; - } -- if (MLX5_CAP_GEN(dev->mdev, num_ports) == 1) { -+ if (MLX5_CAP_GEN(dev->mdev, num_ports) == 1 && -+ !mlx5_core_mp_enabled(mdev)) { - /* set local port to one for Function-Per-Port HCA. */ - mdev = dev->mdev; - mdev_port_num = 1; --- -2.43.0 - diff --git a/queue-5.4/rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-31426 b/queue-5.4/rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-31426 deleted file mode 100644 index 56356658687..00000000000 --- a/queue-5.4/rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-31426 +++ /dev/null @@ -1,38 +0,0 @@ -From 7b535d3999441b4e1f1c583fd2638a745c3c99f8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Mar 2024 07:51:40 +0100 -Subject: RDMA/rxe: Fix the problem "mutex_destroy missing" - -From: Yanjun.Zhu - -[ Upstream commit 481047d7e8391d3842ae59025806531cdad710d9 ] - -When a mutex lock is not used any more, the function mutex_destroy -should be called to mark the mutex lock uninitialized. - -Fixes: 8700e3e7c485 ("Soft RoCE driver") -Signed-off-by: Yanjun.Zhu -Link: https://lore.kernel.org/r/20240314065140.27468-1-yanjun.zhu@linux.dev -Reviewed-by: Daisuke Matsuda -Signed-off-by: Leon Romanovsky -Signed-off-by: Sasha Levin ---- - drivers/infiniband/sw/rxe/rxe.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/infiniband/sw/rxe/rxe.c b/drivers/infiniband/sw/rxe/rxe.c -index de5f3efe9fcb4..76e103ef5be31 100644 ---- a/drivers/infiniband/sw/rxe/rxe.c -+++ b/drivers/infiniband/sw/rxe/rxe.c -@@ -72,6 +72,8 @@ void rxe_dealloc(struct ib_device *ib_dev) - - if (rxe->tfm) - crypto_free_shash(rxe->tfm); -+ -+ mutex_destroy(&rxe->usdev_lock); - } - - /* initialize rxe device parameters */ --- -2.43.0 - diff --git a/queue-5.4/revert-tracing-trigger-fix-to-return-error-if-failed.patch b/queue-5.4/revert-tracing-trigger-fix-to-return-error-if-failed.patch deleted file mode 100644 index b839e9a262d..00000000000 --- a/queue-5.4/revert-tracing-trigger-fix-to-return-error-if-failed.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 38da0d658911ae0f64075bccaa246638d85b5119 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 Apr 2024 18:58:06 +0530 -Subject: Revert "tracing/trigger: Fix to return error if failed to alloc - snapshot" - -From: Siddh Raman Pant - -This reverts commit 8ffd5590f4d6ef5460acbeac7fbdff7025f9b419 which is -commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream. - -The change has an incorrect assumption about the return value because -in the current stable trees for versions 5.15 and before, the following -commit responsible for making 0 a success value is not present: -b8cc44a4d3c1 ("tracing: Remove logic for registering multiple event triggers at a time") - -The return value should be 0 on failure in the current tree, because in -the functions event_trigger_callback() and event_enable_trigger_func(), -we have: - - ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file); - /* - * The above returns on success the # of functions enabled, - * but if it didn't find any functions it returns zero. - * Consider no functions a failure too. - */ - if (!ret) { - ret = -ENOENT; - -Cc: stable@kernel.org # 5.15, 5.10, 5.4, 4.19 -Signed-off-by: Siddh Raman Pant -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/trace_events_trigger.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c -index 634d120eab2b1..82580f7ffad95 100644 ---- a/kernel/trace/trace_events_trigger.c -+++ b/kernel/trace/trace_events_trigger.c -@@ -1140,10 +1140,8 @@ register_snapshot_trigger(char *glob, struct event_trigger_ops *ops, - struct event_trigger_data *data, - struct trace_event_file *file) - { -- int ret = tracing_alloc_snapshot_instance(file->tr); -- -- if (ret < 0) -- return ret; -+ if (tracing_alloc_snapshot_instance(file->tr) != 0) -+ return 0; - - return register_trigger(glob, ops, data, file); - } --- -2.43.0 - diff --git a/queue-5.4/selftests-ftrace-limit-length-in-subsystem-enable-te.patch b/queue-5.4/selftests-ftrace-limit-length-in-subsystem-enable-te.patch deleted file mode 100644 index 7a4b7d27555..00000000000 --- a/queue-5.4/selftests-ftrace-limit-length-in-subsystem-enable-te.patch +++ /dev/null @@ -1,60 +0,0 @@ -From ac61e8dc63e68742c8d4a2beef7f30bf74a4a987 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Feb 2024 11:18:16 +0800 -Subject: selftests/ftrace: Limit length in subsystem-enable tests - -From: Yuanhe Shu - -commit 1a4ea83a6e67f1415a1f17c1af5e9c814c882bb5 upstream. - -While sched* events being traced and sched* events continuously happen, -"[xx] event tracing - enable/disable with subsystem level files" would -not stop as on some slower systems it seems to take forever. -Select the first 100 lines of output would be enough to judge whether -there are more than 3 types of sched events. - -Fixes: 815b18ea66d6 ("ftracetest: Add basic event tracing test cases") -Cc: stable@vger.kernel.org -Signed-off-by: Yuanhe Shu -Acked-by: Masami Hiramatsu (Google) -Acked-by: Steven Rostedt (Google) -Signed-off-by: Shuah Khan -Signed-off-by: Greg Kroah-Hartman ---- - .../selftests/ftrace/test.d/event/subsystem-enable.tc | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc -index 83a8c571e93af..ff6cf579f503b 100644 ---- a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc -+++ b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc -@@ -22,7 +22,7 @@ echo 'sched:*' > set_event - - yield - --count=`cat trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` -+count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` - if [ $count -lt 3 ]; then - fail "at least fork, exec and exit events should be recorded" - fi -@@ -33,7 +33,7 @@ echo 1 > events/sched/enable - - yield - --count=`cat trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` -+count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` - if [ $count -lt 3 ]; then - fail "at least fork, exec and exit events should be recorded" - fi -@@ -44,7 +44,7 @@ echo 0 > events/sched/enable - - yield - --count=`cat trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` -+count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l` - if [ $count -ne 0 ]; then - fail "any of scheduler events should not be recorded" - fi --- -2.43.0 - diff --git a/queue-5.4/series b/queue-5.4/series index 59599b14bb6..8596d3d13c6 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -26,14 +26,6 @@ tun-limit-printing-rate-when-illegal-packet-received.patch rdma-rxe-fix-the-problem-mutex_destroy-missing.patch rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch drm-nv04-fix-out-of-bounds-access.patch -selftests-ftrace-limit-length-in-subsystem-enable-te.patch -kprobes-fix-possible-use-after-free-issue-on-kprobe-.patch -revert-tracing-trigger-fix-to-return-error-if-failed.patch -netfilter-nf_tables-fix-potential-data-race-in-__nft.patch-10812 -tun-limit-printing-rate-when-illegal-packet-received.patch-11321 -rdma-rxe-fix-the-problem-mutex_destroy-missing.patch-31426 -rdma-mlx5-fix-port-number-for-counter-query-in-multi.patch-31356 -drm-nv04-fix-out-of-bounds-access.patch-5395 clk-remove-prepare_lock-hold-assertion-in-__clk_rele.patch clk-mark-all_lists-as-const.patch clk-remove-extra-empty-line.patch diff --git a/queue-5.4/tun-limit-printing-rate-when-illegal-packet-received.patch-11321 b/queue-5.4/tun-limit-printing-rate-when-illegal-packet-received.patch-11321 deleted file mode 100644 index a5bc5c831cc..00000000000 --- a/queue-5.4/tun-limit-printing-rate-when-illegal-packet-received.patch-11321 +++ /dev/null @@ -1,91 +0,0 @@ -From c511ed4287cde740c404a9d7dbaf504d8982b880 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Apr 2024 22:02:46 -0400 -Subject: tun: limit printing rate when illegal packet received by tun dev - -From: Lei Chen - -[ Upstream commit f8bbc07ac535593139c875ffa19af924b1084540 ] - -vhost_worker will call tun call backs to receive packets. If too many -illegal packets arrives, tun_do_read will keep dumping packet contents. -When console is enabled, it will costs much more cpu time to dump -packet and soft lockup will be detected. - -net_ratelimit mechanism can be used to limit the dumping rate. - -PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980" - #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253 - #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3 - #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e - #3 [fffffe00003fced0] do_nmi at ffffffff8922660d - #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663 - [exception RIP: io_serial_in+20] - RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002 - RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000 - RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0 - RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f - R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020 - R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000 - ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 - #5 [ffffa655314979e8] io_serial_in at ffffffff89792594 - #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470 - #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6 - #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605 - #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558 - #10 [ffffa65531497ac8] console_unlock at ffffffff89316124 - #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07 - #12 [ffffa65531497b68] printk at ffffffff89318306 - #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765 - #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun] - #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun] - #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net] - #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost] - #18 [ffffa65531497f10] kthread at ffffffff892d2e72 - #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f - -Fixes: ef3db4a59542 ("tun: avoid BUG, dump packet on GSO errors") -Signed-off-by: Lei Chen -Reviewed-by: Willem de Bruijn -Acked-by: Jason Wang -Reviewed-by: Eric Dumazet -Acked-by: Michael S. Tsirkin -Link: https://lore.kernel.org/r/20240415020247.2207781-1-lei.chen@smartx.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/tun.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 47958e6bd77fb..3c52d0d24704f 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -2208,14 +2208,16 @@ static ssize_t tun_put_user(struct tun_struct *tun, - tun_is_little_endian(tun), true, - vlan_hlen)) { - struct skb_shared_info *sinfo = skb_shinfo(skb); -- pr_err("unexpected GSO type: " -- "0x%x, gso_size %d, hdr_len %d\n", -- sinfo->gso_type, tun16_to_cpu(tun, gso.gso_size), -- tun16_to_cpu(tun, gso.hdr_len)); -- print_hex_dump(KERN_ERR, "tun: ", -- DUMP_PREFIX_NONE, -- 16, 1, skb->head, -- min((int)tun16_to_cpu(tun, gso.hdr_len), 64), true); -+ -+ if (net_ratelimit()) { -+ netdev_err(tun->dev, "unexpected GSO type: 0x%x, gso_size %d, hdr_len %d\n", -+ sinfo->gso_type, tun16_to_cpu(tun, gso.gso_size), -+ tun16_to_cpu(tun, gso.hdr_len)); -+ print_hex_dump(KERN_ERR, "tun: ", -+ DUMP_PREFIX_NONE, -+ 16, 1, skb->head, -+ min((int)tun16_to_cpu(tun, gso.hdr_len), 64), true); -+ } - WARN_ON_ONCE(1); - return -EINVAL; - } --- -2.43.0 -