From: Greg Kroah-Hartman Date: Fri, 15 Jul 2022 13:36:13 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.324~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ff5d90473eb97751146ebf941d890002d629bb77;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch alsa-hda-realtek-fix-mute-micmute-leds-for-hp-machines.patch arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch fix-race-between-exit_itimers-and-proc-pid-timers.patch fs-remap-constrain-dedupe-of-eof-blocks.patch ip-fix-dflt-addr-selection-for-connected-nexthop.patch mm-split-huge-pud-on-wp_huge_pud-fallback.patch mm-userfaultfd-fix-uffdio_continue-on-fallocated-shmem-pages.patch net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch revert-evm-fix-memleak-in-init_desc.patch sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch tracing-histograms-fix-memory-leak-problem.patch wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch --- 
diff --git a/queue-5.15/alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch b/queue-5.15/alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch
new file mode 100644
index 00000000000..cc7cd4c5395
--- /dev/null
+++ b/queue-5.15/alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch
@@ -0,0 +1,32 @@
+From d16d69bf5a25d91c6d8f3e29711be12551bf56cd Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Mon, 11 Jul 2022 18:17:44 +0800
+Subject: ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
+
+From: Meng Tang
+
+commit d16d69bf5a25d91c6d8f3e29711be12551bf56cd upstream.
+
+There is another HP ProDesk 600 G3 model with the PCI SSID 103c:82b4
+that requires the quirk HP_MIC_NO_PRESENCE. Add the corresponding
+entry to the quirk table.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220711101744.25189-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -944,6 +944,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x103c, 0x82b4, "HP ProDesk 600 G3", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK),
diff --git a/queue-5.15/alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch b/queue-5.15/alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch
new file mode 100644
index 00000000000..e3c36869c90
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch
@@ -0,0 +1,31 @@
+From 9b043a8f386485c74c0f8eea2c287d5bdbdf3279 Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Wed, 13 Jul 2022 17:41:33 +0800
+Subject: ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
+
+From: Meng Tang
+
+commit 9b043a8f386485c74c0f8eea2c287d5bdbdf3279 upstream.
+
+The headset on this machine is not defined, after applying the quirk
+ALC256_FIXUP_ASUS_HEADSET_MIC, the headset-mic works well
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220713094133.9894-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9158,6 +9158,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
+ SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
diff --git a/queue-5.15/alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch b/queue-5.15/alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch
new file mode 100644
index 00000000000..5fe39b98351
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch
@@ -0,0 +1,33 @@
+From 5f3fe25e70559fa3b096ab17e13316c93ddb7020 Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Mon, 11 Jul 2022 16:15:27 +0800
+Subject: ALSA: hda/realtek: Fix headset mic for Acer SF313-51
+
+From: Meng Tang
+
+commit 5f3fe25e70559fa3b096ab17e13316c93ddb7020 upstream.
+
+The issue on Acer SWIFT SF313-51 is that headset microphone
+doesn't work. The following quirk fixed headset microphone issue.
+Note that the fixup of SF314-54/55 (ALC256_FIXUP_ACER_HEADSET_MIC)
+was not successful on my SF313-51.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220711081527.6254-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8695,6 +8695,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x129c, "Acer SWIFT SF314-55", ALC256_FIXUP_ACER_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1025, 0x129d, "Acer SWIFT SF313-51", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1025, 0x1300, "Acer SWIFT SF314-56", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1025, 0x1308, "Acer Aspire Z24-890", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC),
diff --git a/queue-5.15/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch b/queue-5.15/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch
new file mode 100644
index 00000000000..968588a6082
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch
@@ -0,0 +1,58 @@
+From 4ba5c853d7945b3855c3dcb293f7f9f019db641e Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Wed, 13 Jul 2022 14:33:32 +0800
+Subject: ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221
+
+From: Meng Tang
+
+commit 4ba5c853d7945b3855c3dcb293f7f9f019db641e upstream.
+
+On a HP 288 Pro G2 MT (X9W02AV), the front mic could not be detected.
+In order to get it working, the pin configuration needs to be set
+correctly, and the ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE fixup needs
+to be applied.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220713063332.30095-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6780,6 +6780,7 @@ enum {
+ ALC298_FIXUP_LENOVO_SPK_VOLUME,
+ ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER,
+ ALC269_FIXUP_ATIV_BOOK_8,
++ ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE,
+ ALC221_FIXUP_HP_MIC_NO_PRESENCE,
+ ALC256_FIXUP_ASUS_HEADSET_MODE,
+ ALC256_FIXUP_ASUS_MIC,
+@@ -7707,6 +7708,16 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_NO_SHUTUP
+ },
++ [ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ { 0x1a, 0x01813030 }, /* use as headphone mic, without its own jack detect */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HEADSET_MODE
++ },
+ [ALC221_FIXUP_HP_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -8820,6 +8831,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2335, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2337, "HP",
ALC269_FIXUP_HP_MUTE_LED_MIC1),
++ SND_PCI_QUIRK(0x103c, 0x2b5e, "HP 288 Pro G2 MT", ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x802e, "HP Z240 SFF", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
diff --git a/queue-5.15/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch b/queue-5.15/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch
new file mode 100644
index 00000000000..ff06ceb39e3
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch
@@ -0,0 +1,32 @@
+From dbe75d314748e08fc6e4576d153d8a69621ee5ca Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Tue, 12 Jul 2022 17:22:22 +0800
+Subject: ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
+
+From: Meng Tang
+
+commit dbe75d314748e08fc6e4576d153d8a69621ee5ca upstream.
+
+On a HP 288 Pro G6, the front mic could not be detected.In order to
+get it working, the pin configuration needs to be set correctly, and
+the ALC671_FIXUP_HP_HEADSET_MIC2 fixup needs to be applied.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220712092222.21738-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11003,6 +11003,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
++ SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x1043, 0x1080, "Asus UX501VW", ALC668_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50),
diff --git a/queue-5.15/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-machines.patch b/queue-5.15/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-machines.patch
new file mode 100644
index 00000000000..6d2e55393b5
--- /dev/null
+++ b/queue-5.15/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-machines.patch
@@ -0,0 +1,35 @@
+From 61d307855eb1a2ae849da445edd5389db8a58a5c Mon Sep 17 00:00:00 2001
+From: Jeremy Szu
+Date: Wed, 13 Jul 2022 10:27:04 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP machines
+
+From: Jeremy Szu
+
+commit 61d307855eb1a2ae849da445edd5389db8a58a5c upstream.
+
+The HP ProBook 440/450 G9 and EliteBook 640/650 G9 have multiple
+motherboard design and they are using different subsystem ID of audio
+codec. Add the same quirk for other MBs.
+
+Signed-off-by: Jeremy Szu
+Cc:
+Link: https://lore.kernel.org/r/20220713022706.22892-1-jeremy.szu@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8887,6 +8887,10 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x89c3, "HP", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x89ca, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8a78, "HP Dev One", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x103c, 0x8aa0, "HP ProBook 440 G9 (MB 8A9E)", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8aa3, "HP ProBook 450 G9 (MB 8AA1)", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8aa8, "HP EliteBook 640 G9 (MB 8AA6)", ALC236_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8aab, "HP EliteBook 650 G9 (MB 8AA9)", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
diff --git a/queue-5.15/arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch b/queue-5.15/arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch
new file mode 100644
index 00000000000..23b6e4cc45c
--- /dev/null
+++ b/queue-5.15/arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch
@@ -0,0 +1,33 @@
+From e4ced82deb5fb17222fb82e092c3f8311955b585 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Tue, 28 Jun 2022 08:55:45 +0100
+Subject: ARM: 9213/1: Print message about disabled Spectre workarounds only once
+
+From: Dmitry Osipenko
+
+commit e4ced82deb5fb17222fb82e092c3f8311955b585 upstream.
+
+Print the message about disabled Spectre workarounds only once. The
+message is printed each time CPU goes out from idling state on NVIDIA
+Tegra boards, causing storm in KMSG that makes system unusable.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mm/proc-v7-bugs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/mm/proc-v7-bugs.c
++++ b/arch/arm/mm/proc-v7-bugs.c
+@@ -108,8 +108,7 @@ static unsigned int spectre_v2_install_w
+ #else
+ static unsigned int spectre_v2_install_workaround(unsigned int method)
+ {
+- pr_info("CPU%u: Spectre V2: workarounds disabled by configuration\n",
+- smp_processor_id());
++ pr_info_once("Spectre V2: workarounds disabled by configuration\n");
+
+ return SPECTRE_VULNERABLE;
+ }
diff --git a/queue-5.15/arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch b/queue-5.15/arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch
new file mode 100644
index 00000000000..971d0ac7a8e
--- /dev/null
+++ b/queue-5.15/arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch
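Review bot: The new `pr_info_once(...)` in the `#else` stub of spectre_v2_install_workaround() has no comment explaining why it prints only once, and the rewritten message no longer names a CPU. Per the commit message the stub is reached every time a CPU leaves idle on some boards, so a one-line comment above the call would keep a later cleanup from restoring a per-call print: `/* Reached on every CPU resume from idle on some boards; log the config-wide state once. */`. This line is also the only log evidence that the workarounds are compiled out, so it is worth confirming that the SPECTRE_VULNERABLE return value is reported somewhere that outlives the boot log; that consumer is not visible in this hunk.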
@@ -0,0 +1,117 @@
+From e5c46fde75e43c15a29b40e5fc5641727f97ae47 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Thu, 30 Jun 2022 16:46:54 +0100
+Subject: ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction
+
+From: Ard Biesheuvel
+
+commit e5c46fde75e43c15a29b40e5fc5641727f97ae47 upstream.
+
+After emulating a misaligned load or store issued in Thumb mode, we have
+to advance the IT state by hand, or it will get out of sync with the
+actual instruction stream, which means we'll end up applying the wrong
+condition code to subsequent instructions. This might corrupt the
+program state rather catastrophically.
+
+So borrow the it_advance() helper from the probing code, and use it on
+CPSR if the emulated instruction is Thumb.
+
+Cc:
+Reviewed-by: Linus Walleij
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/include/asm/ptrace.h | 26 ++++++++++++++++++++++++++
+ arch/arm/mm/alignment.c | 3 +++
+ arch/arm/probes/decode.h | 26 +-------------------------
+ 3 files changed, 30 insertions(+), 25 deletions(-)
+
+--- a/arch/arm/include/asm/ptrace.h
++++ b/arch/arm/include/asm/ptrace.h
+@@ -163,5 +163,31 @@ static inline unsigned long user_stack_p
+ ((current_stack_pointer | (THREAD_SIZE - 1)) - 7) - 1; \
+ })
+
++
++/*
++ * Update ITSTATE after normal execution of an IT block instruction.
++ *
++ * The 8 IT state bits are split into two parts in CPSR:
++ * ITSTATE<1:0> are in CPSR<26:25>
++ * ITSTATE<7:2> are in CPSR<15:10>
++ */
++static inline unsigned long it_advance(unsigned long cpsr)
++{
++ if ((cpsr & 0x06000400) == 0) {
++ /* ITSTATE<2:0> == 0 means end of IT block, so clear IT state */
++ cpsr &= ~PSR_IT_MASK;
++ } else {
++ /* We need to shift left ITSTATE<4:0> */
++ const unsigned long mask = 0x06001c00; /* Mask ITSTATE<4:0> */
++ unsigned long it = cpsr & mask;
++ it <<= 1;
++ it |= it >> (27 - 10); /* Carry ITSTATE<2> to correct place */
++ it &= mask;
++ cpsr &= ~mask;
++ cpsr |= it;
++ }
++ return cpsr;
++}
++
+ #endif /* __ASSEMBLY__ */
+ #endif
+--- a/arch/arm/mm/alignment.c
++++ b/arch/arm/mm/alignment.c
+@@ -935,6 +935,9 @@ do_alignment(unsigned long addr, unsigne
+ if (type == TYPE_LDST)
+ do_alignment_finish_ldst(addr, instr, regs, offset);
+
++ if (thumb_mode(regs))
++ regs->ARM_cpsr = it_advance(regs->ARM_cpsr);
++
+ return 0;
+
+ bad_or_fault:
+--- a/arch/arm/probes/decode.h
++++ b/arch/arm/probes/decode.h
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ void __init arm_probes_decode_init(void);
+@@ -35,31 +36,6 @@ void __init find_str_pc_offset(void);
+ #endif
+
+
+-/*
+- * Update ITSTATE after normal execution of an IT block instruction.
+- *
+- * The 8 IT state bits are split into two parts in CPSR:
+- * ITSTATE<1:0> are in CPSR<26:25>
+- * ITSTATE<7:2> are in CPSR<15:10>
+- */
+-static inline unsigned long it_advance(unsigned long cpsr)
+- {
+- if ((cpsr & 0x06000400) == 0) {
+- /* ITSTATE<2:0> == 0 means end of IT block, so clear IT state */
+- cpsr &= ~PSR_IT_MASK;
+- } else {
+- /* We need to shift left ITSTATE<4:0> */
+- const unsigned long mask = 0x06001c00; /* Mask ITSTATE<4:0> */
+- unsigned long it = cpsr & mask;
+- it <<= 1;
+- it |= it >> (27 - 10); /* Carry ITSTATE<2> to correct place */
+- it &= mask;
+- cpsr &= ~mask;
+- cpsr |= it;
+- }
+- return cpsr;
+-}
+-
+ static inline void __kprobes bx_write_pc(long pcv, struct pt_regs *regs)
+ {
+ long cpsr = regs->ARM_cpsr;
diff --git a/queue-5.15/btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch b/queue-5.15/btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch
new file mode 100644
index 00000000000..8ce291dfa9e
--- /dev/null
+++ b/queue-5.15/btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch
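Review bot: The new call in do_alignment(), `regs->ARM_cpsr = it_advance(regs->ARM_cpsr);`, carries no comment, although the reason for it is subtle: the emulated instruction never retired in hardware, so ITSTATE was not stepped. I would add `/* Insn was emulated, not executed: step ITSTATE by hand so the rest of the IT block keeps its conditions */` above the `if (thumb_mode(regs))`. The advance sits only on the path that falls through to `return 0`; do_alignment() begins and ends outside the hunk, so whether any other exit also completes an emulated Thumb access, and would need the same step, cannot be confirmed from here. The masks `0x06000400` and `0x06001c00` in the relocated it_advance() remain bare literals; named constants alongside PSR_IT_MASK would make the bit layout auditable.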
@@ -0,0 +1,76 @@
+From a4527e1853f8ff6e0b7c2dadad6268bd38427a31 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Mon, 4 Jul 2022 12:42:03 +0100
+Subject: btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline extents
+
+From: Filipe Manana
+
+commit a4527e1853f8ff6e0b7c2dadad6268bd38427a31 upstream.
+
+When doing a direct IO read or write, we always return -ENOTBLK when we
+find a compressed extent (or an inline extent) so that we fallback to
+buffered IO. This however is not ideal in case we are in a NOWAIT context
+(io_uring for example), because buffered IO can block and we currently
+have no support for NOWAIT semantics for buffered IO, so if we need to
+fallback to buffered IO we should first signal the caller that we may
+need to block by returning -EAGAIN instead.
+
+This behaviour can also result in short reads being returned to user
+space, which although it's not incorrect and user space should be able
+to deal with partial reads, it's somewhat surprising and even some popular
+applications like QEMU (Link tag #1) and MariaDB (Link tag #2) don't
+deal with short reads properly (or at all).
+
+The short read case happens when we try to read from a range that has a
+non-compressed and non-inline extent followed by a compressed extent.
+After having read the first extent, when we find the compressed extent we
+return -ENOTBLK from btrfs_dio_iomap_begin(), which results in iomap to
+treat the request as a short read, returning 0 (success) and waiting for
+previously submitted bios to complete (this happens at
+fs/iomap/direct-io.c:__iomap_dio_rw()). After that, and while at
+btrfs_file_read_iter(), we call filemap_read() to use buffered IO to
+read the remaining data, and pass it the number of bytes we were able to
+read with direct IO.
Than at filemap_read() if we get a page fault error
+when accessing the read buffer, we return a partial read instead of an
+-EFAULT error, because the number of bytes previously read is greater
+than zero.
+
+So fix this by returning -EAGAIN for NOWAIT direct IO when we find a
+compressed or an inline extent.
+
+Reported-by: Dominique MARTINET
+Link: https://lore.kernel.org/linux-btrfs/YrrFGO4A1jS0GI0G@atmark-techno.com/
+Link: https://jira.mariadb.org/browse/MDEV-27900?focusedCommentId=216582&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-216582
+Tested-by: Dominique MARTINET
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -7957,7 +7957,19 @@ static int btrfs_dio_iomap_begin(struct
+ if (test_bit(EXTENT_FLAG_COMPRESSED, &em->flags) ||
+ em->block_start == EXTENT_MAP_INLINE) {
+ free_extent_map(em);
+- ret = -ENOTBLK;
++ /*
++ * If we are in a NOWAIT context, return -EAGAIN in order to
++ * fallback to buffered IO. This is not only because we can
++ * block with buffered IO (no support for NOWAIT semantics at
++ * the moment) but also to avoid returning short reads to user
++ * space - this happens if we were able to read some data from
++ * previous non-compressed extents and then when we fallback to
++ * buffered IO, at btrfs_file_read_iter() by calling
++ * filemap_read(), we fail to fault in pages for the read buffer,
++ * in which case filemap_read() returns a short read (the number
++ * of bytes previously read is > 0, so it does not return -EFAULT).
++ */
++ ret = (flags & IOMAP_NOWAIT) ? -EAGAIN : -ENOTBLK;
+ goto unlock_err;
+ }
+
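Review bot: The opening sentence of the new comment in btrfs_dio_iomap_begin() says -EAGAIN is returned "in order to fallback to buffered IO", which reads as the opposite of what the ternary below it does. By the commit message, -ENOTBLK is the value that triggers the buffered fallback, and -EAGAIN is what keeps a NOWAIT caller out of it. I would reword that sentence to `If we are in a NOWAIT context, return -EAGAIN so the caller retries from a context that may block, instead of falling back to buffered IO here.` and keep the rest of the comment as written. The function starts and ends outside the hunk, so how each value is handled after `unlock_err` is not visible.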
diff --git a/queue-5.15/cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch b/queue-5.15/cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch
new file mode 100644
index 00000000000..8408dedd988
--- /dev/null
+++ b/queue-5.15/cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch
@@ -0,0 +1,201 @@
+From 07fd5b6cdf3cc30bfde8fe0f644771688be04447 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Mon, 13 Jun 2022 12:19:50 -1000
+Subject: cgroup: Use separate src/dst nodes when preloading css_sets for migration
+
+From: Tejun Heo
+
+commit 07fd5b6cdf3cc30bfde8fe0f644771688be04447 upstream.
+
+Each cset (css_set) is pinned by its tasks. When we're moving tasks around
+across csets for a migration, we need to hold the source and destination
+csets to ensure that they don't go away while we're moving tasks about. This
+is done by linking cset->mg_preload_node on either the
+mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the
+same cset->mg_preload_node for both the src and dst lists was deemed okay as
+a cset can't be both the source and destination at the same time.
+
+Unfortunately, this overloading becomes problematic when multiple tasks are
+involved in a migration and some of them are identity noop migrations while
+others are actually moving across cgroups. For example, this can happen with
+the following sequence on cgroup1:
+
+ #1> mkdir -p /sys/fs/cgroup/misc/a/b
+ #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs
+ #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &
+ #4> PID=$!
+ #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks
+ #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs
+
+the process including the group leader back into a. In this final migration,
+non-leader threads would be doing identity migration while the group leader
+is doing an actual one.
+
+After #3, let's say the whole process was in cset A, and that after #4, the
+leader moves to cset B. Then, during #6, the following happens:
+
+ 1. cgroup_migrate_add_src() is called on B for the leader.
+
+ 2. cgroup_migrate_add_src() is called on A for the other threads.
+
+ 3. cgroup_migrate_prepare_dst() is called. It scans the src list.
+
+ 4.
It notices that B wants to migrate to A, so it tries to A to the dst
+ list but realizes that its ->mg_preload_node is already busy.
+
+ 5. and then it notices A wants to migrate to A as it's an identity
+ migration, it culls it by list_del_init()'ing its ->mg_preload_node and
+ putting references accordingly.
+
+ 6. The rest of migration takes place with B on the src list but nothing on
+ the dst list.
+
+This means that A isn't held while migration is in progress. If all tasks
+leave A before the migration finishes and the incoming task pins it, the
+cset will be destroyed leading to use-after-free.
+
+This is caused by overloading cset->mg_preload_node for both src and dst
+preload lists. We wanted to exclude the cset from the src list but ended up
+inadvertently excluding it from the dst list too.
+
+This patch fixes the issue by separating out cset->mg_preload_node into
+->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst
+preloadings don't interfere with each other.
+
+Signed-off-by: Tejun Heo
+Reported-by: Mukesh Ojha
+Reported-by: shisiyuan
+Link: http://lkml.kernel.org/r/1654187688-27411-1-git-send-email-shisiyuan@xiaomi.com
+Link: https://www.spinics.net/lists/cgroups/msg33313.html
+Fixes: f817de98513d ("cgroup: prepare migration path for unified hierarchy")
+Cc: stable@vger.kernel.org # v3.16+
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/cgroup-defs.h | 3 ++-
+ kernel/cgroup/cgroup.c | 37 +++++++++++++++++++++++--------------
+ 2 files changed, 25 insertions(+), 15 deletions(-)
+
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -264,7 +264,8 @@ struct css_set {
+ * List of csets participating in the on-going migration either as
+ * source or destination. Protected by cgroup_mutex.
+ */
+- struct list_head mg_preload_node;
++ struct list_head mg_src_preload_node;
++ struct list_head mg_dst_preload_node;
+ struct list_head mg_node;
+
+ /*
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -764,7 +764,8 @@ struct css_set init_css_set = {
+ .task_iters = LIST_HEAD_INIT(init_css_set.task_iters),
+ .threaded_csets = LIST_HEAD_INIT(init_css_set.threaded_csets),
+ .cgrp_links = LIST_HEAD_INIT(init_css_set.cgrp_links),
+- .mg_preload_node = LIST_HEAD_INIT(init_css_set.mg_preload_node),
++ .mg_src_preload_node = LIST_HEAD_INIT(init_css_set.mg_src_preload_node),
++ .mg_dst_preload_node = LIST_HEAD_INIT(init_css_set.mg_dst_preload_node),
+ .mg_node = LIST_HEAD_INIT(init_css_set.mg_node),
+
+ /*
+@@ -1239,7 +1240,8 @@ static struct css_set *find_css_set(stru
+ INIT_LIST_HEAD(&cset->threaded_csets);
+ INIT_HLIST_NODE(&cset->hlist);
+ INIT_LIST_HEAD(&cset->cgrp_links);
+- INIT_LIST_HEAD(&cset->mg_preload_node);
++ INIT_LIST_HEAD(&cset->mg_src_preload_node);
++ INIT_LIST_HEAD(&cset->mg_dst_preload_node);
+ INIT_LIST_HEAD(&cset->mg_node);
+
+ /* Copy the set of subsystem state objects generated in
+@@ -2596,21 +2598,27 @@ int cgroup_migrate_vet_dst(struct cgroup
+ */
+ void cgroup_migrate_finish(struct cgroup_mgctx *mgctx)
+ {
+- LIST_HEAD(preloaded);
+ struct css_set *cset, *tmp_cset;
+
+ lockdep_assert_held(&cgroup_mutex);
+
+ spin_lock_irq(&css_set_lock);
+
+- list_splice_tail_init(&mgctx->preloaded_src_csets, &preloaded);
+- list_splice_tail_init(&mgctx->preloaded_dst_csets, &preloaded);
++ list_for_each_entry_safe(cset, tmp_cset, &mgctx->preloaded_src_csets,
++ mg_src_preload_node) {
++ cset->mg_src_cgrp = NULL;
++ cset->mg_dst_cgrp = NULL;
++ cset->mg_dst_cset = NULL;
++ list_del_init(&cset->mg_src_preload_node);
++ put_css_set_locked(cset);
++ }
+
+- list_for_each_entry_safe(cset, tmp_cset, &preloaded, mg_preload_node) {
++ list_for_each_entry_safe(cset, tmp_cset, &mgctx->preloaded_dst_csets,
++ mg_dst_preload_node) {
+ cset->mg_src_cgrp
= NULL;
+ cset->mg_dst_cgrp = NULL;
+ cset->mg_dst_cset = NULL;
+- list_del_init(&cset->mg_preload_node);
++ list_del_init(&cset->mg_dst_preload_node);
+ put_css_set_locked(cset);
+ }
+
+@@ -2652,7 +2660,7 @@ void cgroup_migrate_add_src(struct css_s
+
+ src_cgrp = cset_cgroup_from_root(src_cset, dst_cgrp->root);
+
+- if (!list_empty(&src_cset->mg_preload_node))
++ if (!list_empty(&src_cset->mg_src_preload_node))
+ return;
+
+ WARN_ON(src_cset->mg_src_cgrp);
+@@ -2663,7 +2671,7 @@ void cgroup_migrate_add_src(struct css_s
+ src_cset->mg_src_cgrp = src_cgrp;
+ src_cset->mg_dst_cgrp = dst_cgrp;
+ get_css_set(src_cset);
+- list_add_tail(&src_cset->mg_preload_node, &mgctx->preloaded_src_csets);
++ list_add_tail(&src_cset->mg_src_preload_node, &mgctx->preloaded_src_csets);
+ }
+
+ /**
+@@ -2688,7 +2696,7 @@ int cgroup_migrate_prepare_dst(struct cg
+
+ /* look up the dst cset for each src cset and link it to src */
+ list_for_each_entry_safe(src_cset, tmp_cset, &mgctx->preloaded_src_csets,
+- mg_preload_node) {
++ mg_src_preload_node) {
+ struct css_set *dst_cset;
+ struct cgroup_subsys *ss;
+ int ssid;
+@@ -2707,7 +2715,7 @@ int cgroup_migrate_prepare_dst(struct cg
+ if (src_cset == dst_cset) {
+ src_cset->mg_src_cgrp = NULL;
+ src_cset->mg_dst_cgrp = NULL;
+- list_del_init(&src_cset->mg_preload_node);
++ list_del_init(&src_cset->mg_src_preload_node);
+ put_css_set(src_cset);
+ put_css_set(dst_cset);
+ continue;
+@@ -2715,8 +2723,8 @@ int cgroup_migrate_prepare_dst(struct cg
+
+ src_cset->mg_dst_cset = dst_cset;
+
+- if (list_empty(&dst_cset->mg_preload_node))
+- list_add_tail(&dst_cset->mg_preload_node,
++ if (list_empty(&dst_cset->mg_dst_preload_node))
++ list_add_tail(&dst_cset->mg_dst_preload_node,
+ &mgctx->preloaded_dst_csets);
+ else
+ put_css_set(dst_cset);
+@@ -2962,7 +2970,8 @@ static int cgroup_update_dfl_csses(struc
+ goto out_finish;
+
+ spin_lock_irq(&css_set_lock);
+- list_for_each_entry(src_cset, &mgctx.preloaded_src_csets, mg_preload_node) {
++
list_for_each_entry(src_cset, &mgctx.preloaded_src_csets,
++ mg_src_preload_node) {
+ struct task_struct *task, *ntask;
+
+ /* all tasks in src_csets need to be migrated */
diff --git a/queue-5.15/drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch b/queue-5.15/drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch
new file mode 100644
index 00000000000..eea59c6b497
--- /dev/null
+++ b/queue-5.15/drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch
@@ -0,0 +1,39 @@
+From 9fc33eaaa979d112d10fea729edcd2a2e21aa912 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Thu, 30 Jun 2022 23:06:01 +0300
+Subject: drm/panfrost: Fix shrinker list corruption by madvise IOCTL
+
+From: Dmitry Osipenko
+
+commit 9fc33eaaa979d112d10fea729edcd2a2e21aa912 upstream.
+
+Calling madvise IOCTL twice on BO causes memory shrinker list corruption
+and crashes kernel because BO is already on the list and it's added to
+the list again, while BO should be removed from the list before it's
+re-added. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 013b65101315 ("drm/panfrost: Add madvise and shrinker support")
+Acked-by: Alyssa Rosenzweig
+Reviewed-by: Steven Price
+Signed-off-by: Dmitry Osipenko
+Signed-off-by: Steven Price
+Link: https://patchwork.freedesktop.org/patch/msgid/20220630200601.1884120-3-dmitry.osipenko@collabora.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/panfrost/panfrost_drv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
+@@ -422,8 +422,8 @@ static int panfrost_ioctl_madvise(struct
+
+ if (args->retained) {
+ if (args->madv == PANFROST_MADV_DONTNEED)
+- list_add_tail(&bo->base.madv_list,
+- &pfdev->shrinker_list);
++ list_move_tail(&bo->base.madv_list,
++ &pfdev->shrinker_list);
+ else if (args->madv == PANFROST_MADV_WILLNEED)
+ list_del_init(&bo->base.madv_list);
+ }
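Review bot: The comment kept above the two new list heads in struct css_set (the include/linux/cgroup-defs.h hunk) still describes one node used "either as source or destination", which is the assumption this fix removes. I would reword it to say a cset can sit on both preload lists at once, for example `mg_src_preload_node links onto mgctx->preloaded_src_csets and mg_dst_preload_node onto ->preloaded_dst_csets; a cset may be on both, and each membership appears to hold its own reference.` In cgroup_migrate_finish() the two loops now have the same body apart from the node name, so a small static helper that clears the three mg_* pointers would keep the cleanup paths from drifting apart. The struct and its comment begin outside the hunk.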
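Review bot: The switch to `list_move_tail()` in panfrost_ioctl_madvise() depends on `bo->base.madv_list` always being an initialised list head, because the move unlinks the node before re-adding it; that initialisation is outside this hunk and nothing at the call records the assumption. A short comment would also stop the call being simplified back to an add: `/* BO may already be on shrinker_list from an earlier DONTNEED: move, don't add */`. The function starts and ends outside the hunk.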
diff --git a/queue-5.15/drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch b/queue-5.15/drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch
new file mode 100644
index 00000000000..71784dc2f66
--- /dev/null
+++ b/queue-5.15/drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch
@@ -0,0 +1,34 @@
+From fb6e0637ab7ebd8e61fe24f4d663c4bae99cfa62 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Thu, 30 Jun 2022 23:06:00 +0300
+Subject: drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error
+
+From: Dmitry Osipenko
+
+commit fb6e0637ab7ebd8e61fe24f4d663c4bae99cfa62 upstream.
+
+When panfrost_mmu_map_fault_addr() fails, the BO's mapping should be
+unreferenced and not the shmem object which backs the mapping.
+
+Cc: stable@vger.kernel.org
+Fixes: bdefca2d8dc0 ("drm/panfrost: Add the panfrost_gem_mapping concept")
+Reviewed-by: Steven Price
+Signed-off-by: Dmitry Osipenko
+Signed-off-by: Steven Price
+Link: https://patchwork.freedesktop.org/patch/msgid/20220630200601.1884120-2-dmitry.osipenko@collabora.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -501,7 +501,7 @@ err_map:
+ err_pages:
+ drm_gem_shmem_put_pages(&bo->base);
+ err_bo:
+- drm_gem_object_put(&bo->base.base);
++ panfrost_gem_mapping_put(bomapping);
+ return ret;
+ }
+
diff --git a/queue-5.15/fix-race-between-exit_itimers-and-proc-pid-timers.patch b/queue-5.15/fix-race-between-exit_itimers-and-proc-pid-timers.patch
new file mode 100644
index 00000000000..d5fdcbcc1ef
--- /dev/null
+++ b/queue-5.15/fix-race-between-exit_itimers-and-proc-pid-timers.patch
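Review bot: After this change the `err_bo:` label releases the mapping, not the BO, so its name no longer says which reference it drops; on an unwind ladder that is how the next refcount mix-up gets in. Renaming it, for example to `err_mapping:`, together with its `goto` sites would keep the ladder self-describing. Those sites are outside the hunk, and it should be confirmed there that every jump to this label happens only after `bomapping` holds a valid reference.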
@@ -0,0 +1,90 @@
+From d5b36a4dbd06c5e8e36ca8ccc552f679069e2946 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Mon, 11 Jul 2022 18:16:25 +0200
+Subject: fix race between exit_itimers() and /proc/pid/timers
+
+From: Oleg Nesterov
+
+commit d5b36a4dbd06c5e8e36ca8ccc552f679069e2946 upstream.
+
+As Chris explains, the comment above exit_itimers() is not correct,
+we can race with proc_timers_seq_ops. Change exit_itimers() to clear
+signal->posix_timers with ->siglock held.
+
+Cc:
+Reported-by: chris@accessvector.net
+Signed-off-by: Oleg Nesterov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exec.c | 2 +-
+ include/linux/sched/task.h | 2 +-
+ kernel/exit.c | 2 +-
+ kernel/time/posix-timers.c | 19 ++++++++++++++-----
+ 4 files changed, 17 insertions(+), 8 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1298,7 +1298,7 @@ int begin_new_exec(struct linux_binprm *
+ bprm->mm = NULL;
+
+ #ifdef CONFIG_POSIX_TIMERS
+- exit_itimers(me->signal);
++ exit_itimers(me);
+ flush_itimer_signals();
+ #endif
+
+--- a/include/linux/sched/task.h
++++ b/include/linux/sched/task.h
+@@ -81,7 +81,7 @@ static inline void exit_thread(struct ta
+ extern void do_group_exit(int);
+
+ extern void exit_files(struct task_struct *);
+-extern void exit_itimers(struct signal_struct *);
++extern void exit_itimers(struct task_struct *);
+
+ extern pid_t kernel_clone(struct kernel_clone_args *kargs);
+ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node);
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -796,7 +796,7 @@ void __noreturn do_exit(long code)
+
+ #ifdef CONFIG_POSIX_TIMERS
+ hrtimer_cancel(&tsk->signal->real_timer);
+- exit_itimers(tsk->signal);
++ exit_itimers(tsk);
+ #endif
+ if (tsk->mm)
+ setmax_mm_hiwater_rss(&tsk->signal->maxrss, tsk->mm);
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -1051,15 +1051,24 @@ retry_delete:
+ }
+
+ /*
+- * This is called by do_exit or de_thread, only when there are no more
+- * references to the shared signal_struct.
++ * This is called by do_exit or de_thread, only when nobody else can
++ * modify the signal->posix_timers list. Yet we need sighand->siglock
++ * to prevent the race with /proc/pid/timers.
+ */
+-void exit_itimers(struct signal_struct *sig)
++void exit_itimers(struct task_struct *tsk)
+ {
++ struct list_head timers;
+ struct k_itimer *tmr;
+
+- while (!list_empty(&sig->posix_timers)) {
+- tmr = list_entry(sig->posix_timers.next, struct k_itimer, list);
++ if (list_empty(&tsk->signal->posix_timers))
++ return;
++
++ spin_lock_irq(&tsk->sighand->siglock);
++ list_replace_init(&tsk->signal->posix_timers, &timers);
++ spin_unlock_irq(&tsk->sighand->siglock);
++
++ while (!list_empty(&timers)) {
++ tmr = list_first_entry(&timers, struct k_itimer, list);
+ itimer_delete(tmr);
+ }
+ }
diff --git a/queue-5.15/fs-remap-constrain-dedupe-of-eof-blocks.patch b/queue-5.15/fs-remap-constrain-dedupe-of-eof-blocks.patch
new file mode 100644
index 00000000000..9bed2f83e07
--- /dev/null
+++ b/queue-5.15/fs-remap-constrain-dedupe-of-eof-blocks.patch
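Review bot: The early `if (list_empty(&tsk->signal->posix_timers)) return;` in exit_itimers() reads the list without ->siglock, and nothing next to the check says why that is acceptable. The rewritten header comment states that nobody else can modify the list at this point and that the lock exists only for /proc/pid/timers readers, so I would put that reasoning on the check itself, e.g. `/* unlocked peek is fine: nobody else can modify the list here; siglock below is for /proc/pid/timers readers */`. A second short comment at `list_replace_init()` saying that the entries are moved to the on-stack `timers` head so that itimer_delete() runs with the lock dropped would make the intent of the two-step teardown clear; presumably a reader walking signal->posix_timers under siglock can no longer reach those entries once the list has been detached.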
@@ -0,0 +1,46 @@
+From 5750676b64a561f7ec920d7c6ba130fc9c7378f3 Mon Sep 17 00:00:00 2001
+From: Dave Chinner
+Date: Wed, 13 Jul 2022 17:49:15 +1000
+Subject: fs/remap: constrain dedupe of EOF blocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dave Chinner
+
+commit 5750676b64a561f7ec920d7c6ba130fc9c7378f3 upstream.
+
+If dedupe of an EOF block is not constrainted to match against only
+other EOF blocks with the same EOF offset into the block, it can
+match against any other block that has the same matching initial
+bytes in it, even if the bytes beyond EOF in the source file do
+not match.
+
+Fix this by constraining the EOF block matching to only match
+against other EOF blocks that have identical EOF offsets and data.
+This allows "whole file dedupe" to continue to work without allowing
+eof blocks to randomly match against partial full blocks with the
+same data.
+
+Reported-by: Ansgar Lößer
+Fixes: 1383a7ed6749 ("vfs: check file ranges before cloning files")
+Link: https://lore.kernel.org/linux-fsdevel/a7c93559-4ba1-df2f-7a85-55a143696405@tu-darmstadt.de/
+Signed-off-by: Dave Chinner
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/remap_range.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/remap_range.c
++++ b/fs/remap_range.c
+@@ -71,7 +71,8 @@ static int generic_remap_checks(struct f
+ * Otherwise, make sure the count is also block-aligned, having
+ * already confirmed the starting offsets' block alignment.
+ */
+- if (pos_in + count == size_in) {
++ if (pos_in + count == size_in &&
++ (!(remap_flags & REMAP_FILE_DEDUP) || pos_out + count == size_out)) {
+ bcount = ALIGN(size_in, bs) - pos_in;
+ } else {
+ if (!IS_ALIGNED(count, bs))
diff --git a/queue-5.15/ip-fix-dflt-addr-selection-for-connected-nexthop.patch b/queue-5.15/ip-fix-dflt-addr-selection-for-connected-nexthop.patch
new file mode 100644
index 00000000000..31e277265af
--- /dev/null
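Review bot: The second operand added to the condition in generic_remap_checks() is the whole fix, yet the comment above it (which starts outside this hunk) still only talks about block alignment. With no word on why dedupe is treated differently, the `pos_out + count == size_out` test reads as removable; per the commit message it is what keeps a partial EOF block from matching a block whose bytes beyond the source EOF differ. I would extend the comment with a line such as `* For dedupe the destination range must end at its EOF as well, so an EOF block is only ever compared against another EOF block.` so that the constraint survives later refactoring.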
+++ b/queue-5.15/ip-fix-dflt-addr-selection-for-connected-nexthop.patch 
@@ -0,0 +1,92 @@
+From 747c14307214b55dbd8250e1ab44cad8305756f1 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel
+Date: Wed, 13 Jul 2022 13:48:52 +0200
+Subject: ip: fix dflt addr selection for connected nexthop
+
+From: Nicolas Dichtel
+
+commit 747c14307214b55dbd8250e1ab44cad8305756f1 upstream.
+
+When a nexthop is added, without a gw address, the default scope was set
+to 'host'. Thus, when a source address is selected, 127.0.0.1 may be chosen
+but rejected when the route is used.
+
+When using a route without a nexthop id, the scope can be configured in the
+route, thus the problem doesn't exist.
+
+To explain more deeply: when a user creates a nexthop, it cannot specify
+the scope. To create it, the function nh_create_ipv4() calls fib_check_nh()
+with scope set to 0. fib_check_nh() calls fib_check_nh_nongw() wich was
+setting scope to 'host'. Then, nh_create_ipv4() calls
+fib_info_update_nhc_saddr() with scope set to 'host'. The src addr is
+chosen before the route is inserted.
+
+When a 'standard' route (ie without a reference to a nexthop) is added,
+fib_create_info() calls fib_info_update_nhc_saddr() with the scope set by
+the user. iproute2 set the scope to 'link' by default.
+
+Here is a way to reproduce the problem:
+ip netns add foo
+ip -n foo link set lo up
+ip netns add bar
+ip -n bar link set lo up
+sleep 1
+
+ip -n foo link add name eth0 type dummy
+ip -n foo link set eth0 up
+ip -n foo address add 192.168.0.1/24 dev eth0
+
+ip -n foo link add name veth0 type veth peer name veth1 netns bar
+ip -n foo link set veth0 up
+ip -n bar link set veth1 up
+
+ip -n bar address add 192.168.1.1/32 dev veth1
+ip -n bar route add default dev veth1
+
+ip -n foo nexthop add id 1 dev veth0
+ip -n foo route add 192.168.1.1 nhid 1
+
+Try to get/use the route:
+> $ ip -n foo route get 192.168.1.1
+> RTNETLINK answers: Invalid argument
+> $ ip netns exec foo ping -c1 192.168.1.1
+> ping: connect: Invalid argument
+
+Try without nexthop group (iproute2 sets scope to 'link' by dflt):
+ip -n foo route del 192.168.1.1
+ip -n foo route add 192.168.1.1 dev veth0
+
+Try to get/use the route:
+> $ ip -n foo route get 192.168.1.1
+> 192.168.1.1 dev veth0 src 192.168.0.1 uid 0
+> cache
+> $ ip netns exec foo ping -c1 192.168.1.1
+> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
+> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.039 ms
+>
+> --- 192.168.1.1 ping statistics ---
+> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+> rtt min/avg/max/mdev = 0.039/0.039/0.039/0.000 ms
+
+CC: stable@vger.kernel.org
+Fixes: 597cfe4fc339 ("nexthop: Add support for IPv4 nexthops")
+Reported-by: Edwin Brossette
+Signed-off-by: Nicolas Dichtel
+Link: https://lore.kernel.org/r/20220713114853.29406-1-nicolas.dichtel@6wind.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/fib_semantics.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1228,7 +1228,7 @@ static int fib_check_nh_nongw(struct net
+
+ nh->fib_nh_dev = in_dev->dev;
+ dev_hold(nh->fib_nh_dev);
+- nh->fib_nh_scope = RT_SCOPE_HOST;
++ nh->fib_nh_scope = RT_SCOPE_LINK;
+ if (!netif_carrier_ok(nh->fib_nh_dev))
+ nh->fib_nh_flags |= RTNH_F_LINKDOWN;
+ err = 0;
diff --git a/queue-5.15/mm-split-huge-pud-on-wp_huge_pud-fallback.patch b/queue-5.15/mm-split-huge-pud-on-wp_huge_pud-fallback.patch
new file mode 100644
index 00000000000..d8b50d994a9
--- /dev/null
+++ b/queue-5.15/mm-split-huge-pud-on-wp_huge_pud-fallback.patch
@@ -0,0 +1,78 @@
+From 14c99d65941538aa33edd8dc7b1bbbb593c324a2 Mon Sep 17 00:00:00 2001
+From: "Gowans, James"
+Date: Thu, 23 Jun 2022 05:24:03 +0000
+Subject: mm: split huge PUD on wp_huge_pud fallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gowans, James
+
+commit 14c99d65941538aa33edd8dc7b1bbbb593c324a2 upstream.
+
+Currently the implementation will split the PUD when a fallback is taken
+inside the create_huge_pud function. This isn't where it should be done:
+the splitting should be done in wp_huge_pud, just like it's done for PMDs.
+Reason being that if a callback is taken during create, there is no PUD
+yet so nothing to split, whereas if a fallback is taken when encountering
+a write protection fault there is something to split.
+
+It looks like this was the original intention with the commit where the
+splitting was introduced, but somehow it got moved to the wrong place
+between v1 and v2 of the patch series. Rebase mistake perhaps.
+
+Link: https://lkml.kernel.org/r/6f48d622eb8bce1ae5dd75327b0b73894a2ec407.camel@amazon.com
+Fixes: 327e9fd48972 ("mm: Split huge pages on write-notify or COW")
+Signed-off-by: James Gowans
+Reviewed-by: Thomas Hellström
+Cc: Christian König
+Cc: Jan H.
Schönherr
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memory.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -4491,6 +4491,19 @@ static vm_fault_t create_huge_pud(struct
+ defined(CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD)
+ /* No support for anonymous transparent PUD pages yet */
+ if (vma_is_anonymous(vmf->vma))
++ return VM_FAULT_FALLBACK;
++ if (vmf->vma->vm_ops->huge_fault)
++ return vmf->vma->vm_ops->huge_fault(vmf, PE_SIZE_PUD);
++#endif /* CONFIG_TRANSPARENT_HUGEPAGE */
++ return VM_FAULT_FALLBACK;
++}
++
++static vm_fault_t wp_huge_pud(struct vm_fault *vmf, pud_t orig_pud)
++{
++#if defined(CONFIG_TRANSPARENT_HUGEPAGE) && \
++ defined(CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD)
++ /* No support for anonymous transparent PUD pages yet */
++ if (vma_is_anonymous(vmf->vma))
+ goto split;
+ if (vmf->vma->vm_ops->huge_fault) {
+ vm_fault_t ret = vmf->vma->vm_ops->huge_fault(vmf, PE_SIZE_PUD);
+@@ -4501,19 +4514,7 @@ static vm_fault_t create_huge_pud(struct
+ split:
+ /* COW or write-notify not handled on PUD level: split pud.*/
+ __split_huge_pud(vmf->vma, vmf->pud, vmf->address);
+-#endif /* CONFIG_TRANSPARENT_HUGEPAGE */
+- return VM_FAULT_FALLBACK;
+-}
+-
+-static vm_fault_t wp_huge_pud(struct vm_fault *vmf, pud_t orig_pud)
+-{
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+- /* No support for anonymous transparent PUD pages yet */
+- if (vma_is_anonymous(vmf->vma))
+- return VM_FAULT_FALLBACK;
+- if (vmf->vma->vm_ops->huge_fault)
+- return vmf->vma->vm_ops->huge_fault(vmf, PE_SIZE_PUD);
+-#endif /* CONFIG_TRANSPARENT_HUGEPAGE */
++#endif /* CONFIG_TRANSPARENT_HUGEPAGE && CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */
+ return VM_FAULT_FALLBACK;
+ }
+
diff --git a/queue-5.15/mm-userfaultfd-fix-uffdio_continue-on-fallocated-shmem-pages.patch b/queue-5.15/mm-userfaultfd-fix-uffdio_continue-on-fallocated-shmem-pages.patch
new file mode 100644
index 00000000000..f23e9c2e391
--- /dev/null
+++ b/queue-5.15/mm-userfaultfd-fix-uffdio_continue-on-fallocated-shmem-pages.patch
@@ -0,0 +1,52 @@
+From 73f37dbcfe1763ee2294c7717a1f571e27d17fd8 Mon Sep 17 00:00:00 2001
+From: Axel Rasmussen
+Date: Fri, 10 Jun 2022 10:38:12 -0700
+Subject: mm: userfaultfd: fix UFFDIO_CONTINUE on fallocated shmem pages
+
+From: Axel Rasmussen
+
+commit 73f37dbcfe1763ee2294c7717a1f571e27d17fd8 upstream.
+
+When fallocate() is used on a shmem file, the pages we allocate can end up
+with !PageUptodate.
+
+Since UFFDIO_CONTINUE tries to find the existing page the user wants to
+map with SGP_READ, we would fail to find such a page, since
+shmem_getpage_gfp returns with a "NULL" pagep for SGP_READ if it discovers
+!PageUptodate. As a result, UFFDIO_CONTINUE returns -EFAULT, as it would
+do if the page wasn't found in the page cache at all.
+
+This isn't the intended behavior. UFFDIO_CONTINUE is just trying to find
+if a page exists, and doesn't care whether it still needs to be cleared or
+not. So, instead of SGP_READ, pass in SGP_NOALLOC. This is the same,
+except for one critical difference: in the !PageUptodate case, SGP_NOALLOC
+will clear the page and then return it. With this change, UFFDIO_CONTINUE
+works properly (succeeds) on a shmem file which has been fallocated, but
+otherwise not modified.
+
+Link: https://lkml.kernel.org/r/20220610173812.1768919-1-axelrasmussen@google.com
+Fixes: 153132571f02 ("userfaultfd/shmem: support UFFDIO_CONTINUE for shmem")
+Signed-off-by: Axel Rasmussen
+Acked-by: Peter Xu
+Cc: Hugh Dickins
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/userfaultfd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -227,7 +227,10 @@ static int mcontinue_atomic_pte(struct m
+ struct page *page;
+ int ret;
+
+- ret = shmem_getpage(inode, pgoff, &page, SGP_READ);
++ ret = shmem_getpage(inode, pgoff, &page, SGP_NOALLOC);
++ /* Our caller expects us to return -EFAULT if we failed to find page.
*/
++ if (ret == -ENOENT)
++ ret = -EFAULT;
+ if (ret)
+ goto out;
+ if (!page) {
diff --git a/queue-5.15/net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch b/queue-5.15/net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch
new file mode 100644
index 00000000000..cf773ec3d84
--- /dev/null
+++ b/queue-5.15/net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch
@@ -0,0 +1,53 @@
+From 820b8963adaea34a87abbecb906d1f54c0aabfb7 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)"
+Date: Wed, 6 Jul 2022 10:50:40 -0400
+Subject: net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer
+
+From: Steven Rostedt (Google)
+
+commit 820b8963adaea34a87abbecb906d1f54c0aabfb7 upstream.
+
+The trace event sock_exceed_buf_limit saves the prot->sysctl_mem pointer
+and then dereferences it in the TP_printk() portion. This is unsafe as the
+TP_printk() portion is executed at the time the buffer is read. That is,
+it can be seconds, minutes, days, months, even years later. If the proto
+is freed, then this dereference will can also lead to a kernel crash.
+
+Instead, save the sysctl_mem array into the ring buffer and have the
+TP_printk() reference that instead. This is the proper and safe way to
+read pointers in trace events.
+
+Link: https://lore.kernel.org/all/20220706052130.16368-12-kuniyu@amazon.com/
+
+Cc: stable@vger.kernel.org
+Fixes: 3847ce32aea9f ("core: add tracepoints for queueing skb to rcvbuf")
+Signed-off-by: Steven Rostedt (Google)
+Acked-by: Kuniyuki Iwashima
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/trace/events/sock.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/include/trace/events/sock.h
++++ b/include/trace/events/sock.h
+@@ -98,7 +98,7 @@ TRACE_EVENT(sock_exceed_buf_limit,
+
+ TP_STRUCT__entry(
+ __array(char, name, 32)
+- __field(long *, sysctl_mem)
++ __array(long, sysctl_mem, 3)
+ __field(long, allocated)
+ __field(int, sysctl_rmem)
+ __field(int, rmem_alloc)
+@@ -110,7 +110,9 @@ TRACE_EVENT(sock_exceed_buf_limit,
+
+ TP_fast_assign(
+ strncpy(__entry->name, prot->name, 32);
+- __entry->sysctl_mem = prot->sysctl_mem;
++ __entry->sysctl_mem[0] = READ_ONCE(prot->sysctl_mem[0]);
++ __entry->sysctl_mem[1] = READ_ONCE(prot->sysctl_mem[1]);
++ __entry->sysctl_mem[2] = READ_ONCE(prot->sysctl_mem[2]);
+ __entry->allocated = allocated;
+ __entry->sysctl_rmem = sk_get_rmem0(sk, prot);
+ __entry->rmem_alloc = atomic_read(&sk->sk_rmem_alloc);
diff --git a/queue-5.15/nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch b/queue-5.15/nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch
new file mode 100644
index 00000000000..b95a1454c60
--- /dev/null
+++ b/queue-5.15/nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch
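Review bot: The array length `3` in `__array(long, sysctl_mem, 3)` and the three unrolled `READ_ONCE()` copies in TP_fast_assign() have to be kept in step by hand, and neither place says why the values are copied instead of the pointer being stored. A short comment at the assignments, e.g. `/* copy by value: TP_printk() runs when the buffer is read, possibly after prot is gone */`, would keep a later cleanup from turning this back into a saved pointer. The TP_printk() part that consumes the array is outside both hunks, so I cannot confirm from here that it only indexes entries 0 to 2.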
@@ -0,0 +1,45 @@
+From 5924e6ec1585445f251ea92713eb15beb732622a Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 23 Jun 2022 17:54:01 +0900
+Subject: nilfs2: fix incorrect masking of permission flags for symlinks
+
+From: Ryusuke Konishi
+
+commit 5924e6ec1585445f251ea92713eb15beb732622a upstream.
+
+The permission flags of newly created symlinks are wrongly dropped on
+nilfs2 with the current umask value even though symlinks should have 777
+(rwxrwxrwx) permissions:
+
+ $ umask
+ 0022
+ $ touch file && ln -s file symlink; ls -l file symlink
+ -rw-r--r--. 1 root root 0 Jun 23 16:29 file
+ lrwxr-xr-x. 1 root root 4 Jun 23 16:29 symlink -> file
+
+This fixes the bug by inserting a missing check that excludes
+symlinks.
+
+Link: https://lkml.kernel.org/r/1655974441-5612-1-git-send-email-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: Tommy Pettersson
+Reported-by: Ciprian Craciun
+Tested-by: Ryusuke Konishi
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/nilfs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nilfs2/nilfs.h
++++ b/fs/nilfs2/nilfs.h
+@@ -198,6 +198,9 @@ static inline int nilfs_acl_chmod(struct
+
+ static inline int nilfs_init_acl(struct inode *inode, struct inode *dir)
+ {
++ if (S_ISLNK(inode->i_mode))
++ return 0;
++
+ inode->i_mode &= ~current_umask();
+ return 0;
+ }
diff --git a/queue-5.15/revert-evm-fix-memleak-in-init_desc.patch b/queue-5.15/revert-evm-fix-memleak-in-init_desc.patch
new file mode 100644
index 00000000000..a0de55981c7
--- /dev/null
+++ b/queue-5.15/revert-evm-fix-memleak-in-init_desc.patch
@@ -0,0 +1,59 @@
+From 51dd64bb99e4478fc5280171acd8e1b529eadaf7 Mon Sep 17 00:00:00 2001
+From: Xiu Jianfeng
+Date: Fri, 27 May 2022 19:17:26 +0800
+Subject: Revert "evm: Fix memleak in init_desc"
+
+From: Xiu Jianfeng
+
+commit 51dd64bb99e4478fc5280171acd8e1b529eadaf7 upstream.
+
+This reverts commit ccf11dbaa07b328fa469415c362d33459c140a37.
+
+Commit ccf11dbaa07b ("evm: Fix memleak in init_desc") said there is
+memleak in init_desc. That may be incorrect, as we can see, tmp_tfm is
+saved in one of the two global variables hmac_tfm or evm_tfm[hash_algo],
+then if init_desc is called next time, there is no need to alloc tfm
+again, so in the error path of kmalloc desc or crypto_shash_init(desc),
+It is not a problem without freeing tmp_tfm.
+
+And also that commit did not reset the global variable to NULL after
+freeing tmp_tfm and this makes *tfm a dangling pointer which may cause a
+UAF issue.
+
+Reported-by: Guozihua (Scott)
+Signed-off-by: Xiu Jianfeng
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/integrity/evm/evm_crypto.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/security/integrity/evm/evm_crypto.c
++++ b/security/integrity/evm/evm_crypto.c
+@@ -75,7 +75,7 @@ static struct shash_desc *init_desc(char
+ {
+ long rc;
+ const char *algo;
+- struct crypto_shash **tfm, *tmp_tfm = NULL;
++ struct crypto_shash **tfm, *tmp_tfm;
+ struct shash_desc *desc;
+
+ if (type == EVM_XATTR_HMAC) {
+@@ -120,16 +120,13 @@ unlock:
+ alloc:
+ desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
+ GFP_KERNEL);
+- if (!desc) {
+- crypto_free_shash(tmp_tfm);
++ if (!desc)
+ return ERR_PTR(-ENOMEM);
+- }
+
+ desc->tfm = *tfm;
+
+ rc = crypto_shash_init(desc);
+ if (rc) {
+- crypto_free_shash(tmp_tfm);
+ kfree(desc);
+ return ERR_PTR(rc);
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index 18a2b680ea2..8cc9026057c 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
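Review bot: After this revert the two error paths in init_desc() deliberately leave the transform allocated, but nothing in the code says so, which is presumably how the reverted "memleak" fix got in. Per the commit message the tfm is stored in hmac_tfm or evm_tfm[hash_algo] and reused by later calls, and freeing it without clearing the global left `*tfm` dangling. I would add above `if (!desc)` a comment such as `/* *tfm stays cached in the global for later calls; freeing it here would leave a dangling pointer */`. Also, `tmp_tfm` loses its `= NULL` initialiser in the first hunk; the code between the two hunks is not visible, so it is worth confirming that every use of `tmp_tfm` follows its assignment.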
@@ -1 +1,25 @@ alsa-hda-add-fixup-for-dell-latitidue-e5430.patch +alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch +alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch +alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch +alsa-hda-realtek-fix-mute-micmute-leds-for-hp-machines.patch +alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch +alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch +xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch +fix-race-between-exit_itimers-and-proc-pid-timers.patch +mm-userfaultfd-fix-uffdio_continue-on-fallocated-shmem-pages.patch +mm-split-huge-pud-on-wp_huge_pud-fallback.patch +tracing-histograms-fix-memory-leak-problem.patch +net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch +ip-fix-dflt-addr-selection-for-connected-nexthop.patch +arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch +arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch +wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch +cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch +btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch +drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch +drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch +fs-remap-constrain-dedupe-of-eof-blocks.patch +nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch +sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch +revert-evm-fix-memleak-in-init_desc.patch diff --git a/queue-5.15/sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch b/queue-5.15/sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch new file mode 100644 index 00000000000..491c4b18bc9 --- /dev/null +++ b/queue-5.15/sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch 
@@ -0,0 +1,52 @@
+From d684e0a52d36f8939eda30a0f31ee235ee4ee741 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 20 Jun 2022 09:01:43 +0200
+Subject: sh: convert nommu io{re,un}map() to static inline functions
+
+From: Geert Uytterhoeven
+
+commit d684e0a52d36f8939eda30a0f31ee235ee4ee741 upstream.
+
+Recently, nommu iounmap() was converted from a static inline function to a
+macro again, basically reverting commit 4580ba4ad2e6b8dd ("sh: Convert
+iounmap() macros to inline functions"). With -Werror, this leads to build
+failures like:
+
+ drivers/iio/adc/xilinx-ams.c: In function `ams_iounmap_ps':
+ drivers/iio/adc/xilinx-ams.c:1195:14: error: unused variable `ams' [-Werror=unused-variable]
+ 1195 | struct ams *ams = data;
+ | ^~~
+
+Fix this by replacing the macros for ioremap() and iounmap() by static
+inline functions, based on .
+
+Link: https://lkml.kernel.org/r/8d1b1766260961799b04035e7bc39a7f59729f72.1655708312.git.geert+renesas@glider.be
+Fixes: 13f1fc870dd74713 ("sh: move the ioremap implementation out of line")
+Signed-off-by: Geert Uytterhoeven
+Reported-by: kernel test robot
+Reported-by: Jonathan Cameron
+Acked-by: Jonathan Cameron
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sh/include/asm/io.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/sh/include/asm/io.h
++++ b/arch/sh/include/asm/io.h
+@@ -271,8 +271,12 @@ static inline void __iomem *ioremap_prot
+ #endif /* CONFIG_HAVE_IOREMAP_PROT */
+
+ #else /* CONFIG_MMU */
+-#define iounmap(addr) do { } while (0)
+-#define ioremap(offset, size) ((void __iomem *)(unsigned long)(offset))
++static inline void __iomem *ioremap(phys_addr_t offset, size_t size)
++{
++ return (void __iomem *)(unsigned long)offset;
++}
++
++static inline void iounmap(volatile void __iomem *addr) { }
+ #endif /* CONFIG_MMU */
+
+ #define ioremap_uc ioremap
diff --git a/queue-5.15/tracing-histograms-fix-memory-leak-problem.patch b/queue-5.15/tracing-histograms-fix-memory-leak-problem.patch
new file mode 100644
index 00000000000..ea8d5700761
--- /dev/null
+++ b/queue-5.15/tracing-histograms-fix-memory-leak-problem.patch
@@ -0,0 +1,80 @@ +From 7edc3945bdce9c39198a10d6129377a5c53559c2 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Mon, 11 Jul 2022 09:47:31 +0800 +Subject: tracing/histograms: Fix memory leak problem + +From: Zheng Yejian + +commit 7edc3945bdce9c39198a10d6129377a5c53559c2 upstream. + +This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac. + +As commit 46bbe5c671e0 ("tracing: fix double free") said, the +"double free" problem reported by clang static analyzer is: + > In parse_var_defs() if there is a problem allocating + > var_defs.expr, the earlier var_defs.name is freed. + > This free is duplicated by free_var_defs() which frees + > the rest of the list. + +However, if there is a problem allocating N-th var_defs.expr: + + in parse_var_defs(), the freed 'earlier var_defs.name' is + actually the N-th var_defs.name; + + then in free_var_defs(), the names from 0th to (N-1)-th are freed; + + IF ALLOCATING PROBLEM HAPPENED HERE!!! -+ + \ + | + 0th 1th (N-1)-th N-th V + +-------------+-------------+-----+-------------+----------- +var_defs: | name | expr | name | expr | ... | name | expr | name | /// + +-------------+-------------+-----+-------------+----------- + +These two frees don't act on same name, so there was no "double free" +problem before. Conversely, after that commit, we get a "memory leak" +problem because the above "N-th var_defs.name" is not freed. + +If enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th +var_defs.expr allocated, then execute on shell like: + $ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \ +/sys/kernel/debug/tracing/events/kmem/kmalloc/trigger + +Then kmemleak reports: + unreferenced object 0xffff8fb100ef3518 (size 8): + comm "bash", pid 196, jiffies 4295681690 (age 28.538s) + hex dump (first 8 bytes): + 76 31 00 00 b1 8f ff ff v1...... 
+ backtrace:
+ [<0000000038fe4895>] kstrdup+0x2d/0x60
+ [<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0
+ [<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110
+ [<0000000066737a4c>] event_trigger_write+0x75/0xd0
+ [<000000007341e40c>] vfs_write+0xbb/0x2a0
+ [<0000000087fde4c2>] ksys_write+0x59/0xd0
+ [<00000000581e9cdf>] do_syscall_64+0x3a/0x80
+ [<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Link: https://lkml.kernel.org/r/20220711014731.69520-1-zhengyejian1@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: 46bbe5c671e0 ("tracing: fix double free")
+Reported-by: Hulk Robot
+Suggested-by: Steven Rostedt
+Reviewed-by: Tom Zanussi
+Signed-off-by: Zheng Yejian
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -4056,6 +4056,8 @@ static int parse_var_defs(struct hist_tr
+
+ s = kstrdup(field_str, GFP_KERNEL);
+ if (!s) {
++ kfree(hist_data->attrs->var_defs.name[n_vars]);
++ hist_data->attrs->var_defs.name[n_vars] = NULL;
+ ret = -ENOMEM;
+ goto free;
+ }
diff --git a/queue-5.15/wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch b/queue-5.15/wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch
new file mode 100644
index 00000000000..fed3e44dac6
--- /dev/null
+++ b/queue-5.15/wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch
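Review bot: The two lines added to the `if (!s)` branch of parse_var_defs() depend on `n_vars` not yet having been advanced for the entry being built, and nothing near them states that. The commit message explains that free_var_defs() releases only the names below the current count, so the name at index `n_vars` has to be freed here; a comment such as `/* name[n_vars] is not counted yet, so free_var_defs() will not free it */` would keep the next static-analysis report from removing the kfree() again as a "double free". The function starts and ends outside the hunk, so where `n_vars` is incremented is inferred from the commit message, not visible here.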
@@ -0,0 +1,38 @@
+From 50e2ab39291947b6c6c7025cf01707c270fcde59 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Sat, 2 Jul 2022 16:52:27 +0200
+Subject: wifi: mac80211: fix queue selection for mesh/OCB interfaces
+
+From: Felix Fietkau
+
+commit 50e2ab39291947b6c6c7025cf01707c270fcde59 upstream.
+
+When using iTXQ, the code assumes that there is only one vif queue for
+broadcast packets, using the BE queue. Allowing non-BE queue marking
+violates that assumption and txq->ac == skb_queue_mapping is no longer
+guaranteed. This can cause issues with queue handling in the driver and
+also causes issues with the recent ATF change, resulting in an AQL
+underflow warning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau
+Link: https://lore.kernel.org/r/20220702145227.39356-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/wme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/wme.c
++++ b/net/mac80211/wme.c
+@@ -147,8 +147,8 @@ u16 __ieee80211_select_queue(struct ieee
+ bool qos;
+
+ /* all mesh/ocb stations are required to support WME */
+- if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT ||
+- sdata->vif.type == NL80211_IFTYPE_OCB)
++ if (sta && (sdata->vif.type == NL80211_IFTYPE_MESH_POINT ||
++ sdata->vif.type == NL80211_IFTYPE_OCB))
+ qos = true;
+ else if (sta)
+ qos = sta->sta.wme;
diff --git a/queue-5.15/xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch b/queue-5.15/xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch
new file mode 100644
index 00000000000..dab0867f1be
--- /dev/null
+++ b/queue-5.15/xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch
@@ -0,0 +1,60 @@
+From 94e8100678889ab428e68acadf042de723f094b9 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Wed, 13 Jul 2022 15:53:22 +0200
+Subject: xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
+
+From: Juergen Gross
+
+commit 94e8100678889ab428e68acadf042de723f094b9 upstream.
+
+xenvif_rx_next_skb() is expecting the rx queue not being empty, but
+in case the loop in xenvif_rx_action() is doing multiple iterations,
+the availability of another skb in the rx queue is not being checked.
+
+This can lead to crashes:
+
+[40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
+[40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback]
+[40072.537534] PGD 0 P4D 0
+[40072.537644] Oops: 0000 [#1] SMP NOPTI
+[40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5
+[40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021
+[40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000
+[40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback]
+[40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246
+[40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7
+[40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8
+[40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008
+[40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708
+[40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0
+[40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000
+[40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660
+[40072.539211] Call Trace:
+[40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback]
+[40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback]
+
+Fix that by stopping the
loop in case the rx queue becomes empty.
+
+Cc: stable@vger.kernel.org
+Fixes: 98f6d57ced73 ("xen-netback: process guest rx packets in batches")
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Reviewed-by: Paul Durrant
+Link: https://lore.kernel.org/r/20220713135322.19616-1-jgross@suse.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netback/rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/xen-netback/rx.c
++++ b/drivers/net/xen-netback/rx.c
+@@ -495,6 +495,7 @@ void xenvif_rx_action(struct xenvif_queu
+ queue->rx_copy.completed = &completed_skbs;
+
+ while (xenvif_rx_ring_slots_available(queue) &&
++ !skb_queue_empty(&queue->rx_queue) &&
+ work_done < RX_BATCH_SIZE) {
+ xenvif_rx_skb(queue);
+ work_done++;
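Review bot: The added `!skb_queue_empty(&queue->rx_queue)` test enforces the non-empty precondition only at this call site in xenvif_rx_action(), and the loop carries no comment saying that xenvif_rx_skb() depends on it. Per the commit message xenvif_rx_next_skb() expects a queued skb, and the quoted oops is what happens when it does not get one, so the invariant deserves a line at the loop, e.g. `/* xenvif_rx_skb() requires at least one skb on rx_queue */`. The callee is outside this hunk; if it has other callers, they would need the same guarantee, which cannot be checked from here. The loop body continues past the end of the hunk.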