From: Greg Kroah-Hartman Date: Sat, 17 Jun 2023 08:32:40 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.14.319~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f49733968fb7bac110756b474cc9a871f44f6b9a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch btrfs-do-not-assert-on-duplicated-global-roots.patch btrfs-fix-iomap_begin-length-for-nocow-writes.patch dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch dm-thin-metadata-check-fail_io-before-using-data_sm.patch drm-amd-display-edp-do-not-add-non-edid-timings.patch drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch drm-amdgpu-add-missing-radeon-secondary-pci-id.patch drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch io_uring-net-save-msghdr-msg_control-for-retries.patch kexec-support-purgatories-with-.text.hot-sections.patch loongarch-fix-perf-event-id-calculation.patch net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch nilfs2-reject-devices-with-insufficient-block-count.patch nios2-dts-fix-tse_mac-max-frame-size-property.patch nouveau-fix-client-work-fence-deletion-race.patch ocfs2-check-new-file-size-on-fallocate-call.patch ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch powerpc-purgatory-remove-pgo-flags.patch rdma-uverbs-restrict-usage-of-privileged-qkeys.patch riscv-purgatory-remove-pgo-flags.patch wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch x86-purgatory-remove-pgo-flags.patch zswap-do-not-shrink-if-cgroup-may-not-zswap.patch --- diff --git a/queue-6.1/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch b/queue-6.1/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch new file mode 100644 index 00000000000..17b21d906fb --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch @@ -0,0 +1,30 @@ +From a2a871483161014f1bcc4e9a04354b01aa77cedb Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Fri, 9 Jun 2023 17:10:58 -0300 +Subject: ALSA: hda/realtek: Add a quirk for Compaq N14JP6 + +From: Edson Juliano Drosdeck + +commit a2a871483161014f1bcc4e9a04354b01aa77cedb upstream. + +Add a quirk for Compaq N14JP6 to fixup ALC897 headset MIC no sound. + +Signed-off-by: Edson Juliano Drosdeck +Cc: +Link: https://lore.kernel.org/r/20230609201058.523499-1-edson.drosdeck@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11738,6 +11738,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON), + SND_PCI_QUIRK(0x1b35, 0x1234, "CZC ET26", ALC662_FIXUP_CZC_ET26), + SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T), ++ SND_PCI_QUIRK(0x1c6c, 0x1239, "Compaq N14JP6-V2", ALC897_FIXUP_HP_HSMIC_VERB), + + #if 0 + /* Below is a quirk table taken from the old code. diff --git a/queue-6.1/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch b/queue-6.1/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch new file mode 100644 index 00000000000..9224f03119f --- /dev/null +++ b/queue-6.1/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch @@ -0,0 +1,39 @@ +From 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b Mon Sep 17 00:00:00 2001 +From: Lukasz Tyl +Date: Wed, 14 Jun 2023 14:25:24 +0200 +Subject: ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback + +From: Lukasz Tyl + +commit 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b upstream. + +This commit adds new DEVICE_FLG with QUIRK_FLAG_DSD_RAW and Vendor Id for +HEM devices which supports native DSD. Prior to this change Linux kernel +was not enabling native DSD playback for HEM devices, and as a result, +DSD audio was being converted to PCM "on the fly". HEM devices, +when connected to the system, would only play audio in PCM format, +even if the source material was in DSD format. With the addition of new +VENDOR_FLG in the quircks.c file, the devices are now correctly +recognized, and raw DSD data is transmitted to the device, +allowing for native DSD playback. + +Signed-off-by: Lukasz Tyl +Cc: +Link: https://lore.kernel.org/r/20230614122524.30271-1-ltyl@hem-e.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2191,6 +2191,8 @@ static const struct usb_audio_quirk_flag + QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x2ab6, /* T+A devices */ + QUIRK_FLAG_DSD_RAW), ++ VENDOR_FLG(0x3336, /* HEM devices */ ++ QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x3353, /* Khadas devices */ + QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x3842, /* EVGA */ diff --git a/queue-6.1/alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch b/queue-6.1/alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch new file mode 100644 index 00000000000..bcc4d001c45 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch @@ -0,0 +1,47 @@ +From 8ba61c9f6c9bdfbf9d197b0282641d24ae909778 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 12 Jun 2023 15:28:18 +0200 +Subject: ALSA: usb-audio: Fix broken resume due to UAC3 power state + +From: Takashi Iwai + +commit 8ba61c9f6c9bdfbf9d197b0282641d24ae909778 upstream. + +As reported in the bugzilla below, the PM resume of a UAC3 device may +fail due to the incomplete power state change, stuck at D1. The +reason is that the driver expects the full D0 power state change only +at hw_params, while the normal PCM resume procedure doesn't call +hw_params. + +For fixing the bug, we add the same power state update to D0 at the +prepare callback, which is certainly called by the resume procedure. + +Note that, with this change, the power state change in the hw_params +becomes almost redundant, since snd_usb_hw_params() doesn't touch the +parameters (at least it tires so). But dropping it is still a bit +risky (e.g. we have the media-driver binding), so I leave the D0 power +state change in snd_usb_hw_params() as is for now. + +Fixes: a0a4959eb4e9 ("ALSA: usb-audio: Operate UAC3 Power Domains in PCM callbacks") +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217539 +Link: https://lore.kernel.org/r/20230612132818.29486-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/pcm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -650,6 +650,10 @@ static int snd_usb_pcm_prepare(struct sn + goto unlock; + } + ++ ret = snd_usb_pcm_change_state(subs, UAC3_PD_STATE_D0); ++ if (ret < 0) ++ goto unlock; ++ + again: + if (subs->sync_endpoint) { + ret = snd_usb_endpoint_prepare(chip, subs->sync_endpoint); diff --git a/queue-6.1/btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch b/queue-6.1/btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch new file mode 100644 index 00000000000..ccad18581a4 --- /dev/null +++ b/queue-6.1/btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch @@ -0,0 +1,55 @@ +From deccae40e4b30f98837e44225194d80c8baf2233 Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Fri, 9 Jun 2023 10:53:41 -0700 +Subject: btrfs: can_nocow_file_extent should pass down args->strict from callers + +From: Chris Mason + +commit deccae40e4b30f98837e44225194d80c8baf2233 upstream. + +Commit 619104ba453ad0 ("btrfs: move common NOCOW checks against a file +extent into a helper") changed our call to btrfs_cross_ref_exist() to +always pass false for the 'strict' parameter. We're passing this down +through the stack so that we can do a full check for cross references +during swapfile activation. + +With strict always false, this test fails: + + btrfs subvol create swappy + chattr +C swappy + fallocate -l1G swappy/swapfile + chmod 600 swappy/swapfile + mkswap swappy/swapfile + + btrfs subvol snap swappy swapsnap + btrfs subvol del -C swapsnap + + btrfs fi sync / + sync;sync;sync + + swapon swappy/swapfile + +The fix is to just use args->strict, and everyone except swapfile +activation is passing false. + +Fixes: 619104ba453ad0 ("btrfs: move common NOCOW checks against a file extent into a helper") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Filipe Manana +Signed-off-by: Chris Mason +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1849,7 +1849,7 @@ static int can_nocow_file_extent(struct + + ret = btrfs_cross_ref_exist(root, btrfs_ino(inode), + key->offset - args->extent_offset, +- args->disk_bytenr, false, path); ++ args->disk_bytenr, args->strict, path); + WARN_ON_ONCE(ret > 0 && is_freespace_inode); + if (ret != 0) + goto out; diff --git a/queue-6.1/btrfs-do-not-assert-on-duplicated-global-roots.patch b/queue-6.1/btrfs-do-not-assert-on-duplicated-global-roots.patch new file mode 100644 index 00000000000..55eb5046301 --- /dev/null +++ b/queue-6.1/btrfs-do-not-assert-on-duplicated-global-roots.patch @@ -0,0 +1,120 @@ +From 745806fb4554f334e6406fa82b328562aa48f08f Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Sun, 11 Jun 2023 08:09:13 +0800 +Subject: btrfs: do not ASSERT() on duplicated global roots + +From: Qu Wenruo + +commit 745806fb4554f334e6406fa82b328562aa48f08f upstream. + +[BUG] +Syzbot reports a reproducible ASSERT() when using rescue=usebackuproot +mount option on a corrupted fs. + +The full report can be found here: +https://syzkaller.appspot.com/bug?extid=c4614eae20a166c25bf0 + + BTRFS error (device loop0: state C): failed to load root csum + assertion failed: !tmp, in fs/btrfs/disk-io.c:1103 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/ctree.h:3664! + invalid opcode: 0000 [#1] PREEMPT SMP KASAN + CPU: 1 PID: 3608 Comm: syz-executor356 Not tainted 6.0.0-rc7-syzkaller-00029-g3800a713b607 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 + RIP: 0010:assertfail+0x1a/0x1c fs/btrfs/ctree.h:3663 + RSP: 0018:ffffc90003aaf250 EFLAGS: 00010246 + RAX: 0000000000000032 RBX: 0000000000000000 RCX: f21c13f886638400 + RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 + RBP: ffff888021c640a0 R08: ffffffff816bd38d R09: ffffed10173667f1 + R10: ffffed10173667f1 R11: 1ffff110173667f0 R12: dffffc0000000000 + R13: ffff8880229c21f7 R14: ffff888021c64060 R15: ffff8880226c0000 + FS: 0000555556a73300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055a2637d7a00 CR3: 00000000709c4000 CR4: 00000000003506e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + btrfs_global_root_insert+0x1a7/0x1b0 fs/btrfs/disk-io.c:1103 + load_global_roots_objectid+0x482/0x8c0 fs/btrfs/disk-io.c:2467 + load_global_roots fs/btrfs/disk-io.c:2501 [inline] + btrfs_read_roots fs/btrfs/disk-io.c:2528 [inline] + init_tree_roots+0xccb/0x203c fs/btrfs/disk-io.c:2939 + open_ctree+0x1e53/0x33df fs/btrfs/disk-io.c:3574 + btrfs_fill_super+0x1c6/0x2d0 fs/btrfs/super.c:1456 + btrfs_mount_root+0x885/0x9a0 fs/btrfs/super.c:1824 + legacy_get_tree+0xea/0x180 fs/fs_context.c:610 + vfs_get_tree+0x88/0x270 fs/super.c:1530 + fc_mount fs/namespace.c:1043 [inline] + vfs_kern_mount+0xc9/0x160 fs/namespace.c:1073 + btrfs_mount+0x3d3/0xbb0 fs/btrfs/super.c:1884 + +[CAUSE] +Since the introduction of global roots, we handle +csum/extent/free-space-tree roots as global roots, even if no +extent-tree-v2 feature is enabled. + +So for regular csum/extent/fst roots, we load them into +fs_info::global_root_tree rb tree. + +And we should not expect any conflicts in that rb tree, thus we have an +ASSERT() inside btrfs_global_root_insert(). + +But rescue=usebackuproot can break the assumption, as we will try to +load those trees again and again as long as we have bad roots and have +backup roots slot remaining. + +So in that case we can have conflicting roots in the rb tree, and +triggering the ASSERT() crash. + +[FIX] +We can safely remove that ASSERT(), as the caller will properly put the +offending root. + +To make further debugging easier, also add two explicit error messages: + +- Error message for conflicting global roots +- Error message when using backup roots slot + +Reported-by: syzbot+a694851c6ab28cbcfb9c@syzkaller.appspotmail.com +Fixes: abed4aaae4f7 ("btrfs: track the csum, extent, and free space trees in a rb tree") +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1098,13 +1098,18 @@ int btrfs_global_root_insert(struct btrf + { + struct btrfs_fs_info *fs_info = root->fs_info; + struct rb_node *tmp; ++ int ret = 0; + + write_lock(&fs_info->global_root_lock); + tmp = rb_find_add(&root->rb_node, &fs_info->global_root_tree, global_root_cmp); + write_unlock(&fs_info->global_root_lock); +- ASSERT(!tmp); + +- return tmp ? -EEXIST : 0; ++ if (tmp) { ++ ret = -EEXIST; ++ btrfs_warn(fs_info, "global root %llu %llu already exists", ++ root->root_key.objectid, root->root_key.offset); ++ } ++ return ret; + } + + void btrfs_global_root_delete(struct btrfs_root *root) +@@ -2934,6 +2939,7 @@ static int __cold init_tree_roots(struct + /* We can't trust the free space cache either */ + btrfs_set_opt(fs_info->mount_opt, CLEAR_CACHE); + ++ btrfs_warn(fs_info, "try to load backup roots slot %d", i); + ret = read_backup_root(fs_info, i); + backup_index = ret; + if (ret < 0) diff --git a/queue-6.1/btrfs-fix-iomap_begin-length-for-nocow-writes.patch b/queue-6.1/btrfs-fix-iomap_begin-length-for-nocow-writes.patch new file mode 100644 index 00000000000..215a2a6649d --- /dev/null +++ b/queue-6.1/btrfs-fix-iomap_begin-length-for-nocow-writes.patch @@ -0,0 +1,91 @@ +From 7833b865953c8e62abc76a3261c04132b2fb69de Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 8 Jun 2023 11:10:25 +0200 +Subject: btrfs: fix iomap_begin length for nocow writes + +From: Christoph Hellwig + +commit 7833b865953c8e62abc76a3261c04132b2fb69de upstream. + +can_nocow_extent can reduce the len passed in, which needs to be +propagated to btrfs_dio_iomap_begin so that iomap does not submit +more data then is mapped. + +This problems exists since the btrfs_get_blocks_direct helper was added +in commit c5794e51784a ("btrfs: Factor out write portion of +btrfs_get_blocks_direct"), but the ordered_extent splitting added in +commit b73a6fd1b1ef ("btrfs: split partial dio bios before submit") +added a WARN_ON that made a syzkaller test fail. + +Reported-by: syzbot+ee90502d5c8fd1d0dd93@syzkaller.appspotmail.com +Fixes: c5794e51784a ("btrfs: Factor out write portion of btrfs_get_blocks_direct") +CC: stable@vger.kernel.org # 6.1+ +Tested-by: syzbot+ee90502d5c8fd1d0dd93@syzkaller.appspotmail.com +Reviewed-by: Filipe Manana +Signed-off-by: Christoph Hellwig +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -7387,7 +7387,7 @@ static struct extent_map *create_io_em(s + static int btrfs_get_blocks_direct_write(struct extent_map **map, + struct inode *inode, + struct btrfs_dio_data *dio_data, +- u64 start, u64 len, ++ u64 start, u64 *lenp, + unsigned int iomap_flags) + { + const bool nowait = (iomap_flags & IOMAP_NOWAIT); +@@ -7398,6 +7398,7 @@ static int btrfs_get_blocks_direct_write + struct btrfs_block_group *bg; + bool can_nocow = false; + bool space_reserved = false; ++ u64 len = *lenp; + u64 prev_len; + int ret = 0; + +@@ -7468,15 +7469,19 @@ static int btrfs_get_blocks_direct_write + free_extent_map(em); + *map = NULL; + +- if (nowait) +- return -EAGAIN; ++ if (nowait) { ++ ret = -EAGAIN; ++ goto out; ++ } + + /* + * If we could not allocate data space before locking the file + * range and we can't do a NOCOW write, then we have to fail. + */ +- if (!dio_data->data_space_reserved) +- return -ENOSPC; ++ if (!dio_data->data_space_reserved) { ++ ret = -ENOSPC; ++ goto out; ++ } + + /* + * We have to COW and we have already reserved data space before, +@@ -7517,6 +7522,7 @@ out: + btrfs_delalloc_release_extents(BTRFS_I(inode), len); + btrfs_delalloc_release_metadata(BTRFS_I(inode), len, true); + } ++ *lenp = len; + return ret; + } + +@@ -7693,7 +7699,7 @@ static int btrfs_dio_iomap_begin(struct + + if (write) { + ret = btrfs_get_blocks_direct_write(&em, inode, dio_data, +- start, len, flags); ++ start, &len, flags); + if (ret < 0) + goto unlock_err; + unlock_extents = true; diff --git a/queue-6.1/dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch b/queue-6.1/dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch new file mode 100644 index 00000000000..41186200f0b --- /dev/null +++ b/queue-6.1/dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch @@ -0,0 +1,39 @@ +From 722d90822321497e2837cfc9000202e256e6b32f Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Tue, 13 Jun 2023 20:05:34 -0400 +Subject: dm thin: fix issue_discard to pass GFP_NOIO to __blkdev_issue_discard + +From: Mike Snitzer + +commit 722d90822321497e2837cfc9000202e256e6b32f upstream. + +issue_discard() passes GFP_NOWAIT to __blkdev_issue_discard() despite +its code assuming bio_alloc() always succeeds. + +Commit 3dba53a958a75 ("dm thin: use __blkdev_issue_discard for async +discard support") clearly shows where things went bad: + +Before commit 3dba53a958a75, dm-thin.c's open-coded +__blkdev_issue_discard_async() properly handled using GFP_NOWAIT. +Unfortunately __blkdev_issue_discard() doesn't and it was missed +during review. + +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -398,8 +398,7 @@ static int issue_discard(struct discard_ + sector_t s = block_to_sectors(tc->pool, data_b); + sector_t len = block_to_sectors(tc->pool, data_e - data_b); + +- return __blkdev_issue_discard(tc->pool_dev->bdev, s, len, GFP_NOWAIT, +- &op->bio); ++ return __blkdev_issue_discard(tc->pool_dev->bdev, s, len, GFP_NOIO, &op->bio); + } + + static void end_discard(struct discard_op *op, int r) diff --git a/queue-6.1/dm-thin-metadata-check-fail_io-before-using-data_sm.patch b/queue-6.1/dm-thin-metadata-check-fail_io-before-using-data_sm.patch new file mode 100644 index 00000000000..5ed04ef8c00 --- /dev/null +++ b/queue-6.1/dm-thin-metadata-check-fail_io-before-using-data_sm.patch @@ -0,0 +1,101 @@ +From cb65b282c9640c27d3129e2e04b711ce1b352838 Mon Sep 17 00:00:00 2001 +From: Li Lingfeng +Date: Tue, 6 Jun 2023 20:20:24 +0800 +Subject: dm thin metadata: check fail_io before using data_sm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Li Lingfeng + +commit cb65b282c9640c27d3129e2e04b711ce1b352838 upstream. + +Must check pmd->fail_io before using pmd->data_sm since +pmd->data_sm may be destroyed by other processes. + + P1(kworker) P2(message) +do_worker + process_prepared + process_prepared_discard_passdown_pt2 + dm_pool_dec_data_range + pool_message + commit + dm_pool_commit_metadata + ↓ + // commit failed + metadata_operation_failed + abort_transaction + dm_pool_abort_metadata + __open_or_format_metadata + ↓ + dm_sm_disk_open + ↓ + // open failed + // pmd->data_sm is NULL + dm_sm_dec_blocks + ↓ + // try to access pmd->data_sm --> UAF + +As shown above, if dm_pool_commit_metadata() and +dm_pool_abort_metadata() fail in pool_message process, kworker may +trigger UAF. + +Fixes: be500ed721a6 ("dm space maps: improve performance with inc/dec on ranges of blocks") +Cc: stable@vger.kernel.org +Signed-off-by: Li Lingfeng +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin-metadata.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -1750,13 +1750,15 @@ int dm_thin_remove_range(struct dm_thin_ + + int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) + { +- int r; ++ int r = -EINVAL; + uint32_t ref_count; + + down_read(&pmd->root_lock); +- r = dm_sm_get_count(pmd->data_sm, b, &ref_count); +- if (!r) +- *result = (ref_count > 1); ++ if (!pmd->fail_io) { ++ r = dm_sm_get_count(pmd->data_sm, b, &ref_count); ++ if (!r) ++ *result = (ref_count > 1); ++ } + up_read(&pmd->root_lock); + + return r; +@@ -1764,10 +1766,11 @@ int dm_pool_block_is_shared(struct dm_po + + int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e) + { +- int r = 0; ++ int r = -EINVAL; + + pmd_write_lock(pmd); +- r = dm_sm_inc_blocks(pmd->data_sm, b, e); ++ if (!pmd->fail_io) ++ r = dm_sm_inc_blocks(pmd->data_sm, b, e); + pmd_write_unlock(pmd); + + return r; +@@ -1775,10 +1778,11 @@ int dm_pool_inc_data_range(struct dm_poo + + int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e) + { +- int r = 0; ++ int r = -EINVAL; + + pmd_write_lock(pmd); +- r = dm_sm_dec_blocks(pmd->data_sm, b, e); ++ if (!pmd->fail_io) ++ r = dm_sm_dec_blocks(pmd->data_sm, b, e); + pmd_write_unlock(pmd); + + return r; diff --git a/queue-6.1/drm-amd-display-edp-do-not-add-non-edid-timings.patch b/queue-6.1/drm-amd-display-edp-do-not-add-non-edid-timings.patch new file mode 100644 index 00000000000..e26ea4a1b62 --- /dev/null +++ b/queue-6.1/drm-amd-display-edp-do-not-add-non-edid-timings.patch @@ -0,0 +1,45 @@ +From e749dd10e5f292061ad63d2b030194bf7d7d452c Mon Sep 17 00:00:00 2001 +From: Hersen Wu +Date: Thu, 25 May 2023 08:37:40 -0400 +Subject: drm/amd/display: edp do not add non-edid timings + +From: Hersen Wu + +commit e749dd10e5f292061ad63d2b030194bf7d7d452c upstream. + +[Why] most edp support only timings from edid. applying +non-edid timings, especially those timings out of edp +bandwidth, may damage edp. + +[How] do not add non-edid timings for edp. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Stylon Wang +Signed-off-by: Hersen Wu +Reviewed-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -6942,7 +6942,13 @@ static int amdgpu_dm_connector_get_modes + drm_add_modes_noedid(connector, 640, 480); + } else { + amdgpu_dm_connector_ddc_get_modes(connector, edid); +- amdgpu_dm_connector_add_common_modes(encoder, connector); ++ /* most eDP supports only timings from its edid, ++ * usually only detailed timings are available ++ * from eDP edid. timings which are not from edid ++ * may damage eDP ++ */ ++ if (connector->connector_type != DRM_MODE_CONNECTOR_eDP) ++ amdgpu_dm_connector_add_common_modes(encoder, connector); + amdgpu_dm_connector_add_freesync_modes(connector, edid); + } + amdgpu_dm_fbc_init(connector); diff --git a/queue-6.1/drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch b/queue-6.1/drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch new file mode 100644 index 00000000000..7bf5e89e112 --- /dev/null +++ b/queue-6.1/drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch @@ -0,0 +1,43 @@ +From 3eb1a3a04056ba3df3205e169b8acc9da0c65a94 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 7 Jun 2023 01:41:22 -0500 +Subject: drm/amd: Make sure image is written to trigger VBIOS image update flow + +From: Mario Limonciello + +commit 3eb1a3a04056ba3df3205e169b8acc9da0c65a94 upstream. + +The VBIOS image update flow requires userspace to: +1) Write the image to `psp_vbflash` +2) Read `psp_vbflash` +3) Poll `psp_vbflash_status` to check for completion + +If userspace reads `psp_vbflash` before writing an image, it's +possible that it causes problems that can put the dGPU into an invalid +state. + +Explicitly check that an image has been written before letting a read +succeed. + +Cc: stable@vger.kernel.org +Fixes: 8424f2ccb3c0 ("drm/amdgpu/psp: Add vbflash sysfs interface support") +Reviewed-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -3550,6 +3550,9 @@ static ssize_t amdgpu_psp_vbflash_read(s + void *fw_pri_cpu_addr; + int ret; + ++ if (adev->psp.vbflash_image_size == 0) ++ return -EINVAL; ++ + dev_info(adev->dev, "VBIOS flash to PSP started"); + + ret = amdgpu_bo_create_kernel(adev, adev->psp.vbflash_image_size, diff --git a/queue-6.1/drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch b/queue-6.1/drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch new file mode 100644 index 00000000000..76f95add496 --- /dev/null +++ b/queue-6.1/drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch @@ -0,0 +1,69 @@ +From 7ca302d488f80cf4529620acc1c545f9022d8bb8 Mon Sep 17 00:00:00 2001 +From: Kenneth Feng +Date: Thu, 8 Jun 2023 22:07:11 +0800 +Subject: drm/amd/pm: workaround for compute workload type on some skus + +From: Kenneth Feng + +commit 7ca302d488f80cf4529620acc1c545f9022d8bb8 upstream. + +On smu 13.0.0, the compute workload type cannot be set on all the skus +due to some other problems. This workaround is to make sure compute workload type +can also run on some specific skus. + +v2: keep the variable consistent + +Signed-off-by: Kenneth Feng +Acked-by: Lijo Lazar +Reviewed-by: Feifei Xu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 33 +++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -1675,10 +1675,39 @@ static int smu_v13_0_0_set_power_profile + } + } + +- /* conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT */ +- workload_type = smu_cmn_to_asic_specific_index(smu, ++ if (smu->power_profile_mode == PP_SMC_POWER_PROFILE_COMPUTE && ++ (((smu->adev->pdev->device == 0x744C) && (smu->adev->pdev->revision == 0xC8)) || ++ ((smu->adev->pdev->device == 0x744C) && (smu->adev->pdev->revision == 0xCC)))) { ++ ret = smu_cmn_update_table(smu, ++ SMU_TABLE_ACTIVITY_MONITOR_COEFF, ++ WORKLOAD_PPLIB_COMPUTE_BIT, ++ (void *)(&activity_monitor_external), ++ false); ++ if (ret) { ++ dev_err(smu->adev->dev, "[%s] Failed to get activity monitor!", __func__); ++ return ret; ++ } ++ ++ ret = smu_cmn_update_table(smu, ++ SMU_TABLE_ACTIVITY_MONITOR_COEFF, ++ WORKLOAD_PPLIB_CUSTOM_BIT, ++ (void *)(&activity_monitor_external), ++ true); ++ if (ret) { ++ dev_err(smu->adev->dev, "[%s] Failed to set activity monitor!", __func__); ++ return ret; ++ } ++ ++ workload_type = smu_cmn_to_asic_specific_index(smu, ++ CMN2ASIC_MAPPING_WORKLOAD, ++ PP_SMC_POWER_PROFILE_CUSTOM); ++ } else { ++ /* conv PP_SMC_POWER_PROFILE* to WORKLOAD_PPLIB_*_BIT */ ++ workload_type = smu_cmn_to_asic_specific_index(smu, + CMN2ASIC_MAPPING_WORKLOAD, + smu->power_profile_mode); ++ } ++ + if (workload_type < 0) + return -EINVAL; + diff --git a/queue-6.1/drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch b/queue-6.1/drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch new file mode 100644 index 00000000000..76ea0df6c66 --- /dev/null +++ b/queue-6.1/drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch @@ -0,0 +1,41 @@ +From 7ab1a4913d0051cf5196ef7987b5fa42c25e13b6 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 7 Jun 2023 01:45:20 -0500 +Subject: drm/amd: Tighten permissions on VBIOS flashing attributes + +From: Mario Limonciello + +commit 7ab1a4913d0051cf5196ef7987b5fa42c25e13b6 upstream. + +Non-root users shouldn't be able to try to trigger a VBIOS flash +or query the flashing status. This should be reserved for users with the +appropriate permissions. + +Cc: stable@vger.kernel.org +Fixes: 8424f2ccb3c0 ("drm/amdgpu/psp: Add vbflash sysfs interface support") +Reviewed-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -3604,13 +3604,13 @@ static ssize_t amdgpu_psp_vbflash_status + } + + static const struct bin_attribute psp_vbflash_bin_attr = { +- .attr = {.name = "psp_vbflash", .mode = 0664}, ++ .attr = {.name = "psp_vbflash", .mode = 0660}, + .size = 0, + .write = amdgpu_psp_vbflash_write, + .read = amdgpu_psp_vbflash_read, + }; + +-static DEVICE_ATTR(psp_vbflash_status, 0444, amdgpu_psp_vbflash_status, NULL); ++static DEVICE_ATTR(psp_vbflash_status, 0440, amdgpu_psp_vbflash_status, NULL); + + int amdgpu_psp_sysfs_init(struct amdgpu_device *adev) + { diff --git a/queue-6.1/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch b/queue-6.1/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch new file mode 100644 index 00000000000..dac64f61ea9 --- /dev/null +++ b/queue-6.1/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch @@ -0,0 +1,35 @@ +From e61f67749b351c19455ce3085af2ae9af80023bc Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 6 Jun 2023 11:14:04 -0400 +Subject: drm/amdgpu: add missing radeon secondary PCI ID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit e61f67749b351c19455ce3085af2ae9af80023bc upstream. + +0x5b70 is a missing RV370 secondary id. Add it so +we don't try and probe it with amdgpu. + +Cc: michel@daenzer.net +Reviewed-by: Michel Dänzer +Tested-by: Michel Dänzer +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1605,6 +1605,7 @@ static const u16 amdgpu_unsupported_pcii + 0x5874, + 0x5940, + 0x5941, ++ 0x5b70, + 0x5b72, + 0x5b73, + 0x5b74, diff --git a/queue-6.1/drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch b/queue-6.1/drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch new file mode 100644 index 00000000000..a7ad62a86e8 --- /dev/null +++ b/queue-6.1/drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch @@ -0,0 +1,37 @@ +From 9db5ec1ceb5303398ec4f899d691073d531257c3 Mon Sep 17 00:00:00 2001 +From: Sonny Jiang +Date: Tue, 6 Jun 2023 17:18:52 -0400 +Subject: drm/amdgpu: vcn_4_0 set instance 0 init sched score to 1 + +From: Sonny Jiang + +commit 9db5ec1ceb5303398ec4f899d691073d531257c3 upstream. + +Only vcn0 can process AV1 codecx. In order to use both vcn0 and +vcn1 in h264/265 transcode to AV1 cases, set vcn0 sched score to 1 +at initialization time. + +Signed-off-by: Sonny Jiang +Reviewed-by: Leo Liu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c +@@ -117,7 +117,11 @@ static int vcn_v4_0_sw_init(void *handle + if (adev->vcn.harvest_config & (1 << i)) + continue; + +- atomic_set(&adev->vcn.inst[i].sched_score, 0); ++ /* Init instance 0 sched_score to 1, so it's scheduled after other instances */ ++ if (i == 0) ++ atomic_set(&adev->vcn.inst[i].sched_score, 1); ++ else ++ atomic_set(&adev->vcn.inst[i].sched_score, 0); + + /* VCN UNIFIED TRAP */ + r = amdgpu_irq_add_id(adev, amdgpu_ih_clientid_vcns[i], diff --git a/queue-6.1/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch b/queue-6.1/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch new file mode 100644 index 00000000000..1e9bd2f5ab2 --- /dev/null +++ b/queue-6.1/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch @@ -0,0 +1,42 @@ +From 2192bba03d80f829233bfa34506b428f71e531e7 Mon Sep 17 00:00:00 2001 +From: Benjamin Segall +Date: Tue, 30 May 2023 11:32:28 -0700 +Subject: epoll: ep_autoremove_wake_function should use list_del_init_careful + +From: Benjamin Segall + +commit 2192bba03d80f829233bfa34506b428f71e531e7 upstream. + +autoremove_wake_function uses list_del_init_careful, so should epoll's +more aggressive variant. It only doesn't because it was copied from an +older wait.c rather than the most recent. + +[bsegall@google.com: add comment] + Link: https://lkml.kernel.org/r/xm26bki0ulsr.fsf_-_@google.com +Link: https://lkml.kernel.org/r/xm26pm6hvfer.fsf@google.com +Fixes: a16ceb139610 ("epoll: autoremove wakers even more aggressively") +Signed-off-by: Ben Segall +Cc: Al Viro +Cc: Christian Brauner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1760,7 +1760,11 @@ static int ep_autoremove_wake_function(s + { + int ret = default_wake_function(wq_entry, mode, sync, key); + +- list_del_init(&wq_entry->entry); ++ /* ++ * Pairs with list_empty_careful in ep_poll, and ensures future loop ++ * iterations see the cause of this wakeup. ++ */ ++ list_del_init_careful(&wq_entry->entry); + return ret; + } + diff --git a/queue-6.1/io_uring-net-save-msghdr-msg_control-for-retries.patch b/queue-6.1/io_uring-net-save-msghdr-msg_control-for-retries.patch new file mode 100644 index 00000000000..2451b55d1ea --- /dev/null +++ b/queue-6.1/io_uring-net-save-msghdr-msg_control-for-retries.patch @@ -0,0 +1,60 @@ +From cac9e4418f4cbd548ccb065b3adcafe073f7f7d2 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 12 Jun 2023 13:51:36 -0600 +Subject: io_uring/net: save msghdr->msg_control for retries + +From: Jens Axboe + +commit cac9e4418f4cbd548ccb065b3adcafe073f7f7d2 upstream. + +If the application sets ->msg_control and we have to later retry this +command, or if it got queued with IOSQE_ASYNC to begin with, then we +need to retain the original msg_control value. This is due to the net +stack overwriting this field with an in-kernel pointer, to copy it +in. Hitting that path for the second time will now fail the copy from +user, as it's attempting to copy from a non-user address. + +Cc: stable@vger.kernel.org # 5.10+ +Link: https://github.com/axboe/liburing/issues/880 +Reported-and-tested-by: Marek Majkowski +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -65,6 +65,7 @@ struct io_sr_msg { + u16 addr_len; + u16 buf_group; + void __user *addr; ++ void __user *msg_control; + /* used only for send zerocopy */ + struct io_kiocb *notif; + }; +@@ -182,11 +183,15 @@ static int io_sendmsg_copy_hdr(struct io + struct io_async_msghdr *iomsg) + { + struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg); ++ int ret; + + iomsg->msg.msg_name = &iomsg->addr; + iomsg->free_iov = iomsg->fast_iov; +- return sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags, ++ ret = sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags, + &iomsg->free_iov); ++ /* save msg_control as sys_sendmsg() overwrites it */ ++ sr->msg_control = iomsg->msg.msg_control; ++ return ret; + } + + int io_send_prep_async(struct io_kiocb *req) +@@ -284,6 +289,7 @@ int io_sendmsg(struct io_kiocb *req, uns + + if (req_has_async_data(req)) { + kmsg = req->async_data; ++ kmsg->msg.msg_control = sr->msg_control; + } else { + ret = io_sendmsg_copy_hdr(req, &iomsg); + if (ret) diff --git a/queue-6.1/kexec-support-purgatories-with-.text.hot-sections.patch b/queue-6.1/kexec-support-purgatories-with-.text.hot-sections.patch new file mode 100644 index 00000000000..827ecf19665 --- /dev/null +++ b/queue-6.1/kexec-support-purgatories-with-.text.hot-sections.patch @@ -0,0 +1,102 @@ +From 8652d44f466ad5772e7d1756e9457046189b0dfc Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:36 +0200 +Subject: kexec: support purgatories with .text.hot sections + +From: Ricardo Ribalda + +commit 8652d44f466ad5772e7d1756e9457046189b0dfc upstream. + +Patch series "kexec: Fix kexec_file_load for llvm16 with PGO", v7. + +When upreving llvm I realised that kexec stopped working on my test +platform. + +The reason seems to be that due to PGO there are multiple .text sections +on the purgatory, and kexec does not supports that. + + +This patch (of 4): + +Clang16 links the purgatory text in two sections when PGO is in use: + + [ 1] .text PROGBITS 0000000000000000 00000040 + 00000000000011a1 0000000000000000 AX 0 0 16 + [ 2] .rela.text RELA 0000000000000000 00003498 + 0000000000000648 0000000000000018 I 24 1 8 + ... + [17] .text.hot. PROGBITS 0000000000000000 00003220 + 000000000000020b 0000000000000000 AX 0 0 1 + [18] .rela.text.hot. RELA 0000000000000000 00004428 + 0000000000000078 0000000000000018 I 24 17 8 + +And both of them have their range [sh_addr ... sh_addr+sh_size] on the +area pointed by `e_entry`. + +This causes that image->start is calculated twice, once for .text and +another time for .text.hot. The second calculation leaves image->start +in a random location. + +Because of this, the system crashes immediately after: + +kexec_core: Starting new kernel + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-0-b05c520b7296@chromium.org +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-1-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Ross Zwisler +Reviewed-by: Steven Rostedt (Google) +Reviewed-by: Philipp Rudo +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Christophe Leroy +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Nicholas Piggin +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Simon Horman +Cc: Thomas Gleixner +Cc: Tom Rix +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kexec_file.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -898,10 +898,22 @@ static int kexec_purgatory_setup_sechdrs + } + + offset = ALIGN(offset, align); ++ ++ /* ++ * Check if the segment contains the entry point, if so, ++ * calculate the value of image->start based on it. ++ * If the compiler has produced more than one .text section ++ * (Eg: .text.hot), they are generally after the main .text ++ * section, and they shall not be used to calculate ++ * image->start. So do not re-calculate image->start if it ++ * is not set to the initial value, and warn the user so they ++ * have a chance to fix their purgatory's linker script. ++ */ + if (sechdrs[i].sh_flags & SHF_EXECINSTR && + pi->ehdr->e_entry >= sechdrs[i].sh_addr && + pi->ehdr->e_entry < (sechdrs[i].sh_addr +- + sechdrs[i].sh_size)) { ++ + sechdrs[i].sh_size) && ++ !WARN_ON(kbuf->image->start != pi->ehdr->e_entry)) { + kbuf->image->start -= sechdrs[i].sh_addr; + kbuf->image->start += kbuf->mem + offset; + } diff --git a/queue-6.1/loongarch-fix-perf-event-id-calculation.patch b/queue-6.1/loongarch-fix-perf-event-id-calculation.patch new file mode 100644 index 00000000000..5d923bc3933 --- /dev/null +++ b/queue-6.1/loongarch-fix-perf-event-id-calculation.patch @@ -0,0 +1,48 @@ +From 962369120d750cbc9c4dc492f32b4304669ff6aa Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 15 Jun 2023 14:35:52 +0800 +Subject: LoongArch: Fix perf event id calculation + +From: Huacai Chen + +commit 962369120d750cbc9c4dc492f32b4304669ff6aa upstream. + +LoongArch PMCFG has 10bit event id rather than 8 bit, so fix it. + +Cc: stable@vger.kernel.org +Signed-off-by: Jun Yi +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/perf_event.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/loongarch/kernel/perf_event.c ++++ b/arch/loongarch/kernel/perf_event.c +@@ -271,7 +271,7 @@ static void loongarch_pmu_enable_event(s + WARN_ON(idx < 0 || idx >= loongarch_pmu.num_counters); + + /* Make sure interrupt enabled. */ +- cpuc->saved_ctrl[idx] = M_PERFCTL_EVENT(evt->event_base & 0xff) | ++ cpuc->saved_ctrl[idx] = M_PERFCTL_EVENT(evt->event_base) | + (evt->config_base & M_PERFCTL_CONFIG_MASK) | CSR_PERFCTRL_IE; + + cpu = (event->cpu >= 0) ? event->cpu : smp_processor_id(); +@@ -594,7 +594,7 @@ static struct pmu pmu = { + + static unsigned int loongarch_pmu_perf_event_encode(const struct loongarch_perf_event *pev) + { +- return (pev->event_id & 0xff); ++ return M_PERFCTL_EVENT(pev->event_id); + } + + static const struct loongarch_perf_event *loongarch_pmu_map_general_event(int idx) +@@ -849,7 +849,7 @@ static void resume_local_counters(void) + + static const struct loongarch_perf_event *loongarch_pmu_map_raw_event(u64 config) + { +- raw_event.event_id = config & 0xff; ++ raw_event.event_id = M_PERFCTL_EVENT(config); + + return &raw_event; + } diff --git a/queue-6.1/net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch b/queue-6.1/net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch new file mode 100644 index 00000000000..58662119077 --- /dev/null +++ b/queue-6.1/net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch @@ -0,0 +1,66 @@ +From 30134b7c47bd28fdb4db4d12aef824e0579cfee4 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Wed, 14 Jun 2023 11:17:14 +0200 +Subject: net: ethernet: stmicro: stmmac: fix possible memory leak in __stmmac_open + +From: Christian Marangi + +commit 30134b7c47bd28fdb4db4d12aef824e0579cfee4 upstream. + +Fix a possible memory leak in __stmmac_open when stmmac_init_phy fails. +It's also needed to free everything allocated by stmmac_setup_dma_desc +and not just the dma_conf struct. + +Drop free_dma_desc_resources from __stmmac_open and correctly call +free_dma_desc_resources on each user of __stmmac_open on error. + +Reported-by: Jose Abreu +Fixes: ba39b344e924 ("net: ethernet: stmicro: stmmac: generate stmmac dma conf before open") +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Reviewed-by: Jose Abreu +Link: https://lore.kernel.org/r/20230614091714.15912-1-ansuelsmth@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3865,7 +3865,6 @@ irq_error: + + stmmac_hw_teardown(dev); + init_error: +- free_dma_desc_resources(priv, &priv->dma_conf); + phylink_disconnect_phy(priv->phylink); + init_phy_error: + pm_runtime_put(priv->device); +@@ -3883,6 +3882,9 @@ static int stmmac_open(struct net_device + return PTR_ERR(dma_conf); + + ret = __stmmac_open(dev, dma_conf); ++ if (ret) ++ free_dma_desc_resources(priv, dma_conf); ++ + kfree(dma_conf); + return ret; + } +@@ -5607,12 +5609,15 @@ static int stmmac_change_mtu(struct net_ + stmmac_release(dev); + + ret = __stmmac_open(dev, dma_conf); +- kfree(dma_conf); + if (ret) { ++ free_dma_desc_resources(priv, dma_conf); ++ kfree(dma_conf); + netdev_err(priv->dev, "failed reopening the interface after MTU change\n"); + return ret; + } + ++ kfree(dma_conf); ++ + stmmac_set_rx_mode(dev); + } + diff --git a/queue-6.1/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch b/queue-6.1/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch new file mode 100644 index 00000000000..a22ba6a642b --- /dev/null +++ b/queue-6.1/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch @@ -0,0 +1,88 @@ +From 863199199713908afaa47ba09332b87621c12496 Mon Sep 17 00:00:00 2001 +From: Wes Huang +Date: Thu, 8 Jun 2023 11:01:42 +0800 +Subject: net: usb: qmi_wwan: add support for Compal RXM-G1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wes Huang + +commit 863199199713908afaa47ba09332b87621c12496 upstream. + +Add support for Compal RXM-G1 which is based on Qualcomm SDX55 chip. +This patch adds support for two compositions: + +0x9091: DIAG + MODEM + QMI_RMNET + ADB +0x90db: DIAG + DUN + RMNET + DPL + QDSS(Trace) + ADB + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=05c6 ProdID=9091 Rev= 4.14 +S: Manufacturer=QCOM +S: Product=SDXPRAIRIE-MTP _SN:719AB680 +S: SerialNumber=719ab680 +C:* #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=896mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=05c6 ProdID=90db Rev= 4.14 +S: Manufacturer=QCOM +S: Product=SDXPRAIRIE-MTP _SN:719AB680 +S: SerialNumber=719ab680 +C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=896mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none) +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=84(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=8f(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Wes Huang +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/20230608030141.3546-1-wes.huang@moxa.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1219,7 +1219,9 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x9080, 8)}, + {QMI_FIXED_INTF(0x05c6, 0x9083, 3)}, + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)}, ++ {QMI_QUIRK_SET_DTR(0x05c6, 0x9091, 2)}, /* Compal RXM-G1 */ + {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */ ++ {QMI_QUIRK_SET_DTR(0x05c6, 0x90db, 2)}, /* Compal RXM-G1 */ + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */ diff --git a/queue-6.1/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch b/queue-6.1/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch new file mode 100644 index 00000000000..5db83e98d8b --- /dev/null +++ b/queue-6.1/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch @@ -0,0 +1,53 @@ +From 2f012f2baca140c488e43d27a374029c1e59098d Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 13 May 2023 19:24:28 +0900 +Subject: nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key() + +From: Ryusuke Konishi + +commit 2f012f2baca140c488e43d27a374029c1e59098d upstream. + +A syzbot fault injection test reported that nilfs_btnode_create_block, a +helper function that allocates a new node block for b-trees, causes a +kernel BUG for disk images where the file system block size is smaller +than the page size. + +This was due to unexpected flags on the newly allocated buffer head, and +it turned out to be because the buffer flags were not cleared by +nilfs_btnode_abort_change_key() after an error occurred during a b-tree +update operation and the buffer was later reused in that state. + +Fix this issue by using nilfs_btnode_delete() to abandon the unused +preallocated buffer in nilfs_btnode_abort_change_key(). + +Link: https://lkml.kernel.org/r/20230513102428.10223-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+b0a35a5c1f7e846d3b09@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/000000000000d1d6c205ebc4d512@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/btnode.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -285,6 +285,14 @@ void nilfs_btnode_abort_change_key(struc + if (nbh == NULL) { /* blocksize == pagesize */ + xa_erase_irq(&btnc->i_pages, newkey); + unlock_page(ctxt->bh->b_page); +- } else +- brelse(nbh); ++ } else { ++ /* ++ * When canceling a buffer that a prepare operation has ++ * allocated to copy a node block to another location, use ++ * nilfs_btnode_delete() to initialize and release the buffer ++ * so that the buffer flags will not be in an inconsistent ++ * state when it is reallocated. ++ */ ++ nilfs_btnode_delete(nbh); ++ } + } diff --git a/queue-6.1/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch b/queue-6.1/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch new file mode 100644 index 00000000000..b26aee731e3 --- /dev/null +++ b/queue-6.1/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch @@ -0,0 +1,62 @@ +From fee5eaecca86afa544355569b831c1f90f334b85 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Wed, 24 May 2023 18:43:48 +0900 +Subject: nilfs2: fix possible out-of-bounds segment allocation in resize ioctl + +From: Ryusuke Konishi + +commit fee5eaecca86afa544355569b831c1f90f334b85 upstream. + +Syzbot reports that in its stress test for resize ioctl, the log writing +function nilfs_segctor_do_construct hits a WARN_ON in +nilfs_segctor_truncate_segments(). + +It turned out that there is a problem with the current implementation of +the resize ioctl, which changes the writable range on the device (the +range of allocatable segments) at the end of the resize process. + +This order is necessary for file system expansion to avoid corrupting the +superblock at trailing edge. However, in the case of a file system +shrink, if log writes occur after truncating out-of-bounds trailing +segments and before the resize is complete, segments may be allocated from +the truncated space. + +The userspace resize tool was fine as it limits the range of allocatable +segments before performing the resize, but it can run into this issue if +the resize ioctl is called alone. + +Fix this issue by changing nilfs_sufile_resize() to update the range of +allocatable segments immediately after successful truncation of segment +space in case of file system shrink. + +Link: https://lkml.kernel.org/r/20230524094348.3784-1-konishi.ryusuke@gmail.com +Fixes: 4e33f9eab07e ("nilfs2: implement resize ioctl") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+33494cd0df2ec2931851@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/0000000000005434c405fbbafdc5@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/sufile.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/nilfs2/sufile.c ++++ b/fs/nilfs2/sufile.c +@@ -779,6 +779,15 @@ int nilfs_sufile_resize(struct inode *su + goto out_header; + + sui->ncleansegs -= nsegs - newnsegs; ++ ++ /* ++ * If the sufile is successfully truncated, immediately adjust ++ * the segment allocation space while locking the semaphore ++ * "mi_sem" so that nilfs_sufile_alloc() never allocates ++ * segments in the truncated space. ++ */ ++ sui->allocmax = newnsegs - 1; ++ sui->allocmin = 0; + } + + kaddr = kmap_atomic(header_bh->b_page); diff --git a/queue-6.1/nilfs2-reject-devices-with-insufficient-block-count.patch b/queue-6.1/nilfs2-reject-devices-with-insufficient-block-count.patch new file mode 100644 index 00000000000..8ec1f485adf --- /dev/null +++ b/queue-6.1/nilfs2-reject-devices-with-insufficient-block-count.patch @@ -0,0 +1,104 @@ +From 92c5d1b860e9581d64baca76779576c0ab0d943d Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 26 May 2023 11:13:32 +0900 +Subject: nilfs2: reject devices with insufficient block count + +From: Ryusuke Konishi + +commit 92c5d1b860e9581d64baca76779576c0ab0d943d upstream. + +The current sanity check for nilfs2 geometry information lacks checks for +the number of segments stored in superblocks, so even for device images +that have been destructively truncated or have an unusually high number of +segments, the mount operation may succeed. + +This causes out-of-bounds block I/O on file system block reads or log +writes to the segments, the latter in particular causing +"a_ops->writepages" to repeatedly fail, resulting in sync_inodes_sb() to +hang. + +Fix this issue by checking the number of segments stored in the superblock +and avoiding mounting devices that can cause out-of-bounds accesses. To +eliminate the possibility of overflow when calculating the number of +blocks required for the device from the number of segments, this also adds +a helper function to calculate the upper bound on the number of segments +and inserts a check using it. + +Link: https://lkml.kernel.org/r/20230526021332.3431-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+7d50f1e54a12ba3aeae2@syzkaller.appspotmail.com + Link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2 +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/the_nilfs.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 42 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -405,6 +405,18 @@ unsigned long nilfs_nrsvsegs(struct the_ + 100)); + } + ++/** ++ * nilfs_max_segment_count - calculate the maximum number of segments ++ * @nilfs: nilfs object ++ */ ++static u64 nilfs_max_segment_count(struct the_nilfs *nilfs) ++{ ++ u64 max_count = U64_MAX; ++ ++ do_div(max_count, nilfs->ns_blocks_per_segment); ++ return min_t(u64, max_count, ULONG_MAX); ++} ++ + void nilfs_set_nsegments(struct the_nilfs *nilfs, unsigned long nsegs) + { + nilfs->ns_nsegments = nsegs; +@@ -414,6 +426,8 @@ void nilfs_set_nsegments(struct the_nilf + static int nilfs_store_disk_layout(struct the_nilfs *nilfs, + struct nilfs_super_block *sbp) + { ++ u64 nsegments, nblocks; ++ + if (le32_to_cpu(sbp->s_rev_level) < NILFS_MIN_SUPP_REV) { + nilfs_err(nilfs->ns_sb, + "unsupported revision (superblock rev.=%d.%d, current rev.=%d.%d). Please check the version of mkfs.nilfs(2).", +@@ -457,7 +471,34 @@ static int nilfs_store_disk_layout(struc + return -EINVAL; + } + +- nilfs_set_nsegments(nilfs, le64_to_cpu(sbp->s_nsegments)); ++ nsegments = le64_to_cpu(sbp->s_nsegments); ++ if (nsegments > nilfs_max_segment_count(nilfs)) { ++ nilfs_err(nilfs->ns_sb, ++ "segment count %llu exceeds upper limit (%llu segments)", ++ (unsigned long long)nsegments, ++ (unsigned long long)nilfs_max_segment_count(nilfs)); ++ return -EINVAL; ++ } ++ ++ nblocks = sb_bdev_nr_blocks(nilfs->ns_sb); ++ if (nblocks) { ++ u64 min_block_count = nsegments * nilfs->ns_blocks_per_segment; ++ /* ++ * To avoid failing to mount early device images without a ++ * second superblock, exclude that block count from the ++ * "min_block_count" calculation. ++ */ ++ ++ if (nblocks < min_block_count) { ++ nilfs_err(nilfs->ns_sb, ++ "total number of segment blocks %llu exceeds device size (%llu blocks)", ++ (unsigned long long)min_block_count, ++ (unsigned long long)nblocks); ++ return -EINVAL; ++ } ++ } ++ ++ nilfs_set_nsegments(nilfs, nsegments); + nilfs->ns_crc_seed = le32_to_cpu(sbp->s_crc_seed); + return 0; + } diff --git a/queue-6.1/nios2-dts-fix-tse_mac-max-frame-size-property.patch b/queue-6.1/nios2-dts-fix-tse_mac-max-frame-size-property.patch new file mode 100644 index 00000000000..53a13d28876 --- /dev/null +++ b/queue-6.1/nios2-dts-fix-tse_mac-max-frame-size-property.patch @@ -0,0 +1,46 @@ +From 85041e12418fd0c08ff972b7729f7971afb361f8 Mon Sep 17 00:00:00 2001 +From: Janne Grunau +Date: Sun, 12 Feb 2023 13:16:32 +0100 +Subject: nios2: dts: Fix tse_mac "max-frame-size" property + +From: Janne Grunau + +commit 85041e12418fd0c08ff972b7729f7971afb361f8 upstream. + +The given value of 1518 seems to refer to the layer 2 ethernet frame +size without 802.1Q tag. Actual use of the "max-frame-size" including in +the consumer of the "altr,tse-1.0" compatible is the MTU. + +Fixes: 95acd4c7b69c ("nios2: Device tree support") +Fixes: 61c610ec61bb ("nios2: Add Max10 device tree") +Cc: +Signed-off-by: Janne Grunau +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + arch/nios2/boot/dts/10m50_devboard.dts | 2 +- + arch/nios2/boot/dts/3c120_devboard.dts | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/nios2/boot/dts/10m50_devboard.dts ++++ b/arch/nios2/boot/dts/10m50_devboard.dts +@@ -97,7 +97,7 @@ + rx-fifo-depth = <8192>; + tx-fifo-depth = <8192>; + address-bits = <48>; +- max-frame-size = <1518>; ++ max-frame-size = <1500>; + local-mac-address = [00 00 00 00 00 00]; + altr,has-supplementary-unicast; + altr,enable-sup-addr = <1>; +--- a/arch/nios2/boot/dts/3c120_devboard.dts ++++ b/arch/nios2/boot/dts/3c120_devboard.dts +@@ -106,7 +106,7 @@ + interrupt-names = "rx_irq", "tx_irq"; + rx-fifo-depth = <8192>; + tx-fifo-depth = <8192>; +- max-frame-size = <1518>; ++ max-frame-size = <1500>; + local-mac-address = [ 00 00 00 00 00 00 ]; + phy-mode = "rgmii-id"; + phy-handle = <&phy0>; diff --git a/queue-6.1/nouveau-fix-client-work-fence-deletion-race.patch b/queue-6.1/nouveau-fix-client-work-fence-deletion-race.patch new file mode 100644 index 00000000000..fb6d7f8d4bc --- /dev/null +++ b/queue-6.1/nouveau-fix-client-work-fence-deletion-race.patch @@ -0,0 +1,60 @@ +From c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 15 Jun 2023 12:22:11 +1000 +Subject: nouveau: fix client work fence deletion race + +From: Dave Airlie + +commit c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 upstream. + +This seems to have existed for ever but is now more apparant after +commit 9bff18d13473 ("drm/ttm: use per BO cleanup workers") + +My analysis: two threads are running, one in the irq signalling the +fence, in dma_fence_signal_timestamp_locked, it has done the +DMA_FENCE_FLAG_SIGNALLED_BIT setting, but hasn't yet reached the +callbacks. + +The second thread in nouveau_cli_work_ready, where it sees the fence is +signalled, so then puts the fence, cleanups the object and frees the +work item, which contains the callback. + +Thread one goes again and tries to call the callback and causes the +use-after-free. + +Proposed fix: lock the fence signalled check in nouveau_cli_work_ready, +so either the callbacks are done or the memory is freed. + +Reviewed-by: Karol Herbst +Fixes: 11e451e74050 ("drm/nouveau: remove fence wait code from deferred client work handler") +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Link: https://lore.kernel.org/dri-devel/20230615024008.1600281-1-airlied@gmail.com/ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -139,10 +139,16 @@ nouveau_name(struct drm_device *dev) + static inline bool + nouveau_cli_work_ready(struct dma_fence *fence) + { +- if (!dma_fence_is_signaled(fence)) +- return false; +- dma_fence_put(fence); +- return true; ++ bool ret = true; ++ ++ spin_lock_irq(fence->lock); ++ if (!dma_fence_is_signaled_locked(fence)) ++ ret = false; ++ spin_unlock_irq(fence->lock); ++ ++ if (ret == true) ++ dma_fence_put(fence); ++ return ret; + } + + static void diff --git a/queue-6.1/ocfs2-check-new-file-size-on-fallocate-call.patch b/queue-6.1/ocfs2-check-new-file-size-on-fallocate-call.patch new file mode 100644 index 00000000000..1c4ab2781c9 --- /dev/null +++ b/queue-6.1/ocfs2-check-new-file-size-on-fallocate-call.patch @@ -0,0 +1,57 @@ +From 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= +Date: Mon, 29 May 2023 16:26:45 +0100 +Subject: ocfs2: check new file size on fallocate call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luís Henriques + +commit 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 upstream. + +When changing a file size with fallocate() the new size isn't being +checked. In particular, the FSIZE ulimit isn't being checked, which makes +fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes +this issue. + +Link: https://lkml.kernel.org/r/20230529152645.32680-1-lhenriques@suse.de +Signed-off-by: Luís Henriques +Reviewed-by: Mark Fasheh +Reviewed-by: Joseph Qi +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/file.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file + struct ocfs2_space_resv sr; + int change_size = 1; + int cmd = OCFS2_IOC_RESVSP64; ++ int ret = 0; + + if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) + return -EOPNOTSUPP; + if (!ocfs2_writes_unwritten_extents(osb)) + return -EOPNOTSUPP; + +- if (mode & FALLOC_FL_KEEP_SIZE) ++ if (mode & FALLOC_FL_KEEP_SIZE) { + change_size = 0; ++ } else { ++ ret = inode_newsize_ok(inode, offset + len); ++ if (ret) ++ return ret; ++ } + + if (mode & FALLOC_FL_PUNCH_HOLE) + cmd = OCFS2_IOC_UNRESVSP64; diff --git a/queue-6.1/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch b/queue-6.1/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch new file mode 100644 index 00000000000..4743b7340f6 --- /dev/null +++ b/queue-6.1/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch @@ -0,0 +1,100 @@ +From 50d927880e0f90d5cb25e897e9d03e5edacc79a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= +Date: Mon, 22 May 2023 11:21:12 +0100 +Subject: ocfs2: fix use-after-free when unmounting read-only filesystem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luís Henriques + +commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. + +It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using +fstest generic/452. After a read-only remount, quotas are suspended and +ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting +the filesystem, an UAF access to the oinfo will eventually cause a crash. + +BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 +Read of size 8 at addr ffff8880389a8208 by task umount/669 +... +Call Trace: + + ... + timer_delete+0x54/0xc0 + try_to_grab_pending+0x31/0x230 + __cancel_work_timer+0x6c/0x270 + ocfs2_disable_quotas.isra.0+0x3e/0xf0 [ocfs2] + ocfs2_dismount_volume+0xdd/0x450 [ocfs2] + generic_shutdown_super+0xaa/0x280 + kill_block_super+0x46/0x70 + deactivate_locked_super+0x4d/0xb0 + cleanup_mnt+0x135/0x1f0 + ... + + +Allocated by task 632: + kasan_save_stack+0x1c/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x8b/0x90 + ocfs2_local_read_info+0xe3/0x9a0 [ocfs2] + dquot_load_quota_sb+0x34b/0x680 + dquot_load_quota_inode+0xfe/0x1a0 + ocfs2_enable_quotas+0x190/0x2f0 [ocfs2] + ocfs2_fill_super+0x14ef/0x2120 [ocfs2] + mount_bdev+0x1be/0x200 + legacy_get_tree+0x6c/0xb0 + vfs_get_tree+0x3e/0x110 + path_mount+0xa90/0xe10 + __x64_sys_mount+0x16f/0x1a0 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 650: + kasan_save_stack+0x1c/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0xf9/0x150 + __kmem_cache_free+0x89/0x180 + ocfs2_local_free_info+0x2ba/0x3f0 [ocfs2] + dquot_disable+0x35f/0xa70 + ocfs2_susp_quotas.isra.0+0x159/0x1a0 [ocfs2] + ocfs2_remount+0x150/0x580 [ocfs2] + reconfigure_super+0x1a5/0x3a0 + path_mount+0xc8a/0xe10 + __x64_sys_mount+0x16f/0x1a0 + do_syscall_64+0x43/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques@suse.de +Signed-off-by: Luís Henriques +Reviewed-by: Joseph Qi +Tested-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/super.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -952,8 +952,10 @@ static void ocfs2_disable_quotas(struct + for (type = 0; type < OCFS2_MAXQUOTAS; type++) { + if (!sb_has_quota_loaded(sb, type)) + continue; +- oinfo = sb_dqinfo(sb, type)->dqi_priv; +- cancel_delayed_work_sync(&oinfo->dqi_sync_work); ++ if (!sb_has_quota_suspended(sb, type)) { ++ oinfo = sb_dqinfo(sb, type)->dqi_priv; ++ cancel_delayed_work_sync(&oinfo->dqi_sync_work); ++ } + inode = igrab(sb->s_dquot.files[type]); + /* Turn off quotas. This will remove all dquot structures from + * memory and so they will be automatically synced to global diff --git a/queue-6.1/powerpc-purgatory-remove-pgo-flags.patch b/queue-6.1/powerpc-purgatory-remove-pgo-flags.patch new file mode 100644 index 00000000000..e3d37b435af --- /dev/null +++ b/queue-6.1/powerpc-purgatory-remove-pgo-flags.patch @@ -0,0 +1,59 @@ +From 20188baceb7a1463dc0bcb0c8678b69c2f447df6 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:38 +0200 +Subject: powerpc/purgatory: remove PGO flags + +From: Ricardo Ribalda + +commit 20188baceb7a1463dc0bcb0c8678b69c2f447df6 upstream. + +If profile-guided optimization is enabled, the purgatory ends up with +multiple .text sections. This is not supported by kexec and crashes the +system. + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-3-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Christophe Leroy +Cc: +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Philipp Rudo +Cc: Ross Zwisler +Cc: Simon Horman +Cc: Steven Rostedt (Google) +Cc: Thomas Gleixner +Cc: Tom Rix +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/purgatory/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/powerpc/purgatory/Makefile ++++ b/arch/powerpc/purgatory/Makefile +@@ -4,6 +4,11 @@ KASAN_SANITIZE := n + + targets += trampoline_$(BITS).o purgatory.ro + ++# When profile-guided optimization is enabled, llvm emits two different ++# overlapping text sections, which is not supported by kexec. Remove profile ++# optimization flags. ++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS)) ++ + LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined + + $(obj)/purgatory.ro: $(obj)/trampoline_$(BITS).o FORCE diff --git a/queue-6.1/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch b/queue-6.1/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch new file mode 100644 index 00000000000..5d4caca6add --- /dev/null +++ b/queue-6.1/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch @@ -0,0 +1,43 @@ +From 0cadb4db79e1d9eea66711c4031e435c2191907e Mon Sep 17 00:00:00 2001 +From: Edward Srouji +Date: Mon, 5 Jun 2023 13:33:24 +0300 +Subject: RDMA/uverbs: Restrict usage of privileged QKEYs + +From: Edward Srouji + +commit 0cadb4db79e1d9eea66711c4031e435c2191907e upstream. + +According to the IB specification rel-1.6, section 3.5.3: +"QKEYs with the most significant bit set are considered controlled +QKEYs, and a HCA does not allow a consumer to arbitrarily specify a +controlled QKEY." + +Thus, block non-privileged users from setting such a QKEY. + +Cc: stable@vger.kernel.org +Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation") +Signed-off-by: Edward Srouji +Link: https://lore.kernel.org/r/c00c809ddafaaf87d6f6cb827978670989a511b3.1685960567.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_cmd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -1850,8 +1850,13 @@ static int modify_qp(struct uverbs_attr_ + attr->path_mtu = cmd->base.path_mtu; + if (cmd->base.attr_mask & IB_QP_PATH_MIG_STATE) + attr->path_mig_state = cmd->base.path_mig_state; +- if (cmd->base.attr_mask & IB_QP_QKEY) ++ if (cmd->base.attr_mask & IB_QP_QKEY) { ++ if (cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)) { ++ ret = -EPERM; ++ goto release_qp; ++ } + attr->qkey = cmd->base.qkey; ++ } + if (cmd->base.attr_mask & IB_QP_RQ_PSN) + attr->rq_psn = cmd->base.rq_psn; + if (cmd->base.attr_mask & IB_QP_SQ_PSN) diff --git a/queue-6.1/riscv-purgatory-remove-pgo-flags.patch b/queue-6.1/riscv-purgatory-remove-pgo-flags.patch new file mode 100644 index 00000000000..eb686ef7dc9 --- /dev/null +++ b/queue-6.1/riscv-purgatory-remove-pgo-flags.patch @@ -0,0 +1,59 @@ +From 88ac3bbcf73853880a9b2a65c67e6854390741cc Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:39 +0200 +Subject: riscv/purgatory: remove PGO flags + +From: Ricardo Ribalda + +commit 88ac3bbcf73853880a9b2a65c67e6854390741cc upstream. + +If profile-guided optimization is enabled, the purgatory ends up with +multiple .text sections. This is not supported by kexec and crashes the +system. + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-4-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Acked-by: Palmer Dabbelt +Cc: +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Christophe Leroy +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Nicholas Piggin +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Philipp Rudo +Cc: Ross Zwisler +Cc: Simon Horman +Cc: Steven Rostedt (Google) +Cc: Thomas Gleixner +Cc: Tom Rix +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/purgatory/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/riscv/purgatory/Makefile ++++ b/arch/riscv/purgatory/Makefile +@@ -25,6 +25,11 @@ CFLAGS_sha256.o := -D__DISABLE_EXPORTS + CFLAGS_string.o := -D__DISABLE_EXPORTS + CFLAGS_ctype.o := -D__DISABLE_EXPORTS + ++# When profile-guided optimization is enabled, llvm emits two different ++# overlapping text sections, which is not supported by kexec. Remove profile ++# optimization flags. ++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS)) ++ + # When linking purgatory.ro with -r unresolved symbols are not checked, + # also link a purgatory.chk binary without -r to check for unresolved symbols. + PURGATORY_LDFLAGS := -e purgatory_start -z nodefaultlib diff --git a/queue-6.1/series b/queue-6.1/series index 9f5eed7dbbd..adddeb11fd9 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -40,3 +40,37 @@ drm-amd-amdgpu-fix-missing-buffer-object-unlock-in-f.patch io_uring-unlock-sqd-lock-before-sq-thread-release-cp.patch nvme-add-maxio-1602-to-bogus-nid-list.patch irqchip-gic-correctly-validate-of-quirk-descriptors.patch +wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch +wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch +epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch +ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch +ocfs2-check-new-file-size-on-fallocate-call.patch +zswap-do-not-shrink-if-cgroup-may-not-zswap.patch +nios2-dts-fix-tse_mac-max-frame-size-property.patch +nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch +nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch +nilfs2-reject-devices-with-insufficient-block-count.patch +loongarch-fix-perf-event-id-calculation.patch +io_uring-net-save-msghdr-msg_control-for-retries.patch +kexec-support-purgatories-with-.text.hot-sections.patch +x86-purgatory-remove-pgo-flags.patch +riscv-purgatory-remove-pgo-flags.patch +powerpc-purgatory-remove-pgo-flags.patch +btrfs-do-not-assert-on-duplicated-global-roots.patch +btrfs-fix-iomap_begin-length-for-nocow-writes.patch +btrfs-can_nocow_file_extent-should-pass-down-args-strict-from-callers.patch +alsa-usb-audio-fix-broken-resume-due-to-uac3-power-state.patch +alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch +dm-thin-metadata-check-fail_io-before-using-data_sm.patch +dm-thin-fix-issue_discard-to-pass-gfp_noio-to-__blkdev_issue_discard.patch +net-ethernet-stmicro-stmmac-fix-possible-memory-leak-in-__stmmac_open.patch +nouveau-fix-client-work-fence-deletion-race.patch +rdma-uverbs-restrict-usage-of-privileged-qkeys.patch +drm-amdgpu-vcn_4_0-set-instance-0-init-sched-score-to-1.patch +net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch +drm-amd-display-edp-do-not-add-non-edid-timings.patch +drm-amd-make-sure-image-is-written-to-trigger-vbios-image-update-flow.patch +drm-amd-tighten-permissions-on-vbios-flashing-attributes.patch +drm-amd-pm-workaround-for-compute-workload-type-on-some-skus.patch +drm-amdgpu-add-missing-radeon-secondary-pci-id.patch +alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch diff --git a/queue-6.1/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch b/queue-6.1/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch new file mode 100644 index 00000000000..8a11b05943e --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch @@ -0,0 +1,36 @@ +From 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 9 Jun 2023 13:48:44 +0300 +Subject: wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid() + +From: Dan Carpenter + +commit 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 upstream. + +The locking was changed recently so now the caller holds the wiphy_lock() +lock. Taking the lock inside the reg_wdev_chan_valid() function will +lead to a deadlock. + +Fixes: f7e60032c661 ("wifi: cfg80211: fix locking in regulatory disconnect") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/40c4114a-6cb4-4abf-b013-300b598aba65@moroto.mountain +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/reg.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2442,11 +2442,8 @@ static bool reg_wdev_chan_valid(struct w + case NL80211_IFTYPE_P2P_GO: + case NL80211_IFTYPE_ADHOC: + case NL80211_IFTYPE_MESH_POINT: +- wiphy_lock(wiphy); + ret = cfg80211_reg_can_beacon_relax(wiphy, &chandef, + iftype); +- wiphy_unlock(wiphy); +- + if (!ret) + return ret; + break; diff --git a/queue-6.1/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch b/queue-6.1/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch new file mode 100644 index 00000000000..50858b032c4 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch @@ -0,0 +1,36 @@ +From f7e60032c6618dfd643c7210d5cba2789e2de2e2 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 6 Jun 2023 14:34:48 +0200 +Subject: wifi: cfg80211: fix locking in regulatory disconnect + +From: Johannes Berg + +commit f7e60032c6618dfd643c7210d5cba2789e2de2e2 upstream. + +This should use wiphy_lock() now instead of requiring the +RTNL, since __cfg80211_leave() via cfg80211_leave() is now +requiring that lock to be held. + +Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/reg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2478,11 +2478,11 @@ static void reg_leave_invalid_chans(stru + struct wireless_dev *wdev; + struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); + +- ASSERT_RTNL(); +- ++ wiphy_lock(wiphy); + list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) + if (!reg_wdev_chan_valid(wiphy, wdev)) + cfg80211_leave(rdev, wdev); ++ wiphy_unlock(wiphy); + } + + static void reg_check_chans_work(struct work_struct *work) diff --git a/queue-6.1/x86-purgatory-remove-pgo-flags.patch b/queue-6.1/x86-purgatory-remove-pgo-flags.patch new file mode 100644 index 00000000000..43550770ede --- /dev/null +++ b/queue-6.1/x86-purgatory-remove-pgo-flags.patch @@ -0,0 +1,59 @@ +From 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 19 May 2023 16:47:37 +0200 +Subject: x86/purgatory: remove PGO flags + +From: Ricardo Ribalda + +commit 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e upstream. + +If profile-guided optimization is enabled, the purgatory ends up with +multiple .text sections. This is not supported by kexec and crashes the +system. + +Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-2-b05c520b7296@chromium.org +Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory") +Signed-off-by: Ricardo Ribalda +Cc: +Cc: Albert Ou +Cc: Baoquan He +Cc: Borislav Petkov (AMD) +Cc: Christophe Leroy +Cc: Dave Hansen +Cc: Dave Young +Cc: Eric W. Biederman +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Nicholas Piggin +Cc: Nick Desaulniers +Cc: Palmer Dabbelt +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Philipp Rudo +Cc: Ross Zwisler +Cc: Simon Horman +Cc: Steven Rostedt (Google) +Cc: Thomas Gleixner +Cc: Tom Rix +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/purgatory/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/purgatory/Makefile ++++ b/arch/x86/purgatory/Makefile +@@ -14,6 +14,11 @@ $(obj)/sha256.o: $(srctree)/lib/crypto/s + + CFLAGS_sha256.o := -D__DISABLE_EXPORTS + ++# When profile-guided optimization is enabled, llvm emits two different ++# overlapping text sections, which is not supported by kexec. Remove profile ++# optimization flags. ++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS)) ++ + # When linking purgatory.ro with -r unresolved symbols are not checked, + # also link a purgatory.chk binary without -r to check for unresolved symbols. + PURGATORY_LDFLAGS := -e purgatory_start -z nodefaultlib diff --git a/queue-6.1/zswap-do-not-shrink-if-cgroup-may-not-zswap.patch b/queue-6.1/zswap-do-not-shrink-if-cgroup-may-not-zswap.patch new file mode 100644 index 00000000000..0d2db085e1a --- /dev/null +++ b/queue-6.1/zswap-do-not-shrink-if-cgroup-may-not-zswap.patch @@ -0,0 +1,70 @@ +From 0bdf0efa180a9cb1361cbded4e2260a49306ac89 Mon Sep 17 00:00:00 2001 +From: Nhat Pham +Date: Tue, 30 May 2023 15:24:40 -0700 +Subject: zswap: do not shrink if cgroup may not zswap + +From: Nhat Pham + +commit 0bdf0efa180a9cb1361cbded4e2260a49306ac89 upstream. + +Before storing a page, zswap first checks if the number of stored pages +exceeds the limit specified by memory.zswap.max, for each cgroup in the +hierarchy. If this limit is reached or exceeded, then zswap shrinking is +triggered and short-circuits the store attempt. + +However, since the zswap's LRU is not memcg-aware, this can create the +following pathological behavior: the cgroup whose zswap limit is 0 will +evict pages from other cgroups continually, without lowering its own zswap +usage. This means the shrinking will continue until the need for swap +ceases or the pool becomes empty. + +As a result of this, we observe a disproportionate amount of zswap +writeback and a perpetually small zswap pool in our experiments, even +though the pool limit is never hit. + +More generally, a cgroup might unnecessarily evict pages from other +cgroups before we drive the memcg back below its limit. + +This patch fixes the issue by rejecting zswap store attempt without +shrinking the pool when obj_cgroup_may_zswap() returns false. + +[akpm@linux-foundation.org: fix return of unintialized value] +[akpm@linux-foundation.org: s/ENOSPC/ENOMEM/] +Link: https://lkml.kernel.org/r/20230530222440.2777700-1-nphamcs@gmail.com +Link: https://lkml.kernel.org/r/20230530232435.3097106-1-nphamcs@gmail.com +Fixes: f4840ccfca25 ("zswap: memcg accounting") +Signed-off-by: Nhat Pham +Cc: Dan Streetman +Cc: Domenico Cerasuolo +Cc: Johannes Weiner +Cc: Seth Jennings +Cc: Vitaly Wool +Cc: Yosry Ahmed +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/zswap.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/mm/zswap.c ++++ b/mm/zswap.c +@@ -1138,9 +1138,16 @@ static int zswap_frontswap_store(unsigne + goto reject; + } + ++ /* ++ * XXX: zswap reclaim does not work with cgroups yet. Without a ++ * cgroup-aware entry LRU, we will push out entries system-wide based on ++ * local cgroup limits. ++ */ + objcg = get_obj_cgroup_from_page(page); +- if (objcg && !obj_cgroup_may_zswap(objcg)) +- goto shrink; ++ if (objcg && !obj_cgroup_may_zswap(objcg)) { ++ ret = -ENOMEM; ++ goto reject; ++ } + + /* reclaim space if needed */ + if (zswap_is_full()) {