From 05f09b4014208a3cae45fbd70cf5c798b1e9d10c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 12 Jun 2024 14:45:38 +0200 Subject: [PATCH] 5.15-stable patches added patches: afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch mmc-core-do-not-force-a-retune-before-rpmb-switch.patch nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch
---
 ...backup-mountpoint-from-backup-volume.patch | 50 +++++++
 ...op-if-non-zero-op-flags-is-passed-in.patch | 38 ++++++
 ...ot-force-a-retune-before-rpmb-switch.patch | 66 ++++++++++
 ...-free-of-timer-for-log-writer-thread.patch | 122 ++++++++++++++++++
 ...-init-iommu-after-amdkfd-device-init.patch | 54 ++++++++
 queue-5.15/series | 5 +
 6 files changed, 335 insertions(+)
 create mode 100644 queue-5.15/afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
 create mode 100644 queue-5.15/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
 create mode 100644 queue-5.15/mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
 create mode 100644 queue-5.15/nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
 create mode 100644 queue-5.15/revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch
diff --git a/queue-5.15/afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch b/queue-5.15/afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
new file mode 100644
index 00000000000..8615127058d
--- /dev/null
+++ b/queue-5.15/afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
@@ -0,0 +1,50 @@
+From 29be9100aca2915fab54b5693309bc42956542e5 Mon Sep 17 00:00:00 2001
+From: Marc Dionne
+Date: Fri, 24 May 2024 17:17:55 +0100
+Subject: afs: Don't cross .backup mountpoint from backup volume
+
+From: Marc Dionne
+
+commit 29be9100aca2915fab54b5693309bc42956542e5 upstream.
+
+Don't cross a mountpoint that explicitly specifies a backup volume
+(target is .backup) when starting from a backup volume.
+
+It it not uncommon to mount a volume's backup directly in the volume
+itself. This can cause tools that are not paying attention to get
+into a loop mounting the volume onto itself as they attempt to
+traverse the tree, leading to a variety of problems.
+
+This doesn't prevent the general case of loops in a sequence of
+mountpoints, but addresses a common special case in the same way
+as other afs clients.
+
+Reported-by: Jan Henrik Sylvester
+Link: http://lists.infradead.org/pipermail/linux-afs/2024-May/008454.html
+Reported-by: Markus Suvanto
+Link: http://lists.infradead.org/pipermail/linux-afs/2024-February/008074.html
+Signed-off-by: Marc Dionne
+Signed-off-by: David Howells
+Link: https://lore.kernel.org/r/768760.1716567475@warthog.procyon.org.uk
+Reviewed-by: Jeffrey Altman
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/afs/mntpt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/afs/mntpt.c
++++ b/fs/afs/mntpt.c
+@@ -146,6 +146,11 @@ static int afs_mntpt_set_params(struct f
+ put_page(page);
+ if (ret < 0)
+ return ret;
++
++ /* Don't cross a backup volume mountpoint from a backup volume */
++ if (src_as->volume && src_as->volume->type == AFSVL_BACKVOL &&
++ ctx->type == AFSVL_BACKVOL)
++ return -ENODEV;
+ }
+
+ return 0;
diff --git a/queue-5.15/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch b/queue-5.15/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
new file mode 100644
index 00000000000..3dd34970b5c
--- /dev/null
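Review bot: The added comment in afs_mntpt_set_params() repeats the condition but records neither the reason for the check nor its limit. I would word it as `/* A .backup mountpoint reached from a backup volume can mount the volume onto itself and make tree walkers loop; refuse it. Longer mountpoint cycles are not detected here. */`, so a later reader does not take it for general loop protection. The check also sits inside the block closed by the `}` that follows it, so it appears to cover only that branch; the start of the function and of that block are outside the hunk, so this should be confirmed against the full file.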
+++ b/queue-5.15/io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
@@ -0,0 +1,38 @@
+From 3d8f874bd620ce03f75a5512847586828ab86544 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Fri, 10 May 2024 11:50:27 +0800
+Subject: io_uring: fail NOP if non-zero op flags is passed in
+
+From: Ming Lei
+
+commit 3d8f874bd620ce03f75a5512847586828ab86544 upstream.
+
+The NOP op flags should have been checked from beginning like any other
+opcode, otherwise NOP may not be extended with the op flags.
+
+Given both liburing and Rust io-uring crate always zeros SQE op flags, just
+ignore users which play raw NOP uring interface without zeroing SQE, because
+NOP is just for test purpose. Then we can save one NOP2 opcode.
+
+Suggested-by: Jens Axboe
+Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Lei
+Link: https://lore.kernel.org/r/20240510035031.78874-2-ming.lei@redhat.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -6621,6 +6621,8 @@ static int io_req_prep(struct io_kiocb *
+ {
+ switch (req->opcode) {
+ case IORING_OP_NOP:
++ if (READ_ONCE(sqe->rw_flags))
++ return -EINVAL;
+ return 0;
+ case IORING_OP_READV:
+ case IORING_OP_READ_FIXED:
diff --git a/queue-5.15/mmc-core-do-not-force-a-retune-before-rpmb-switch.patch b/queue-5.15/mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
new file mode 100644
index 00000000000..5c2d8e80645
--- /dev/null
+++ b/queue-5.15/mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
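Review bot: The new test in the `IORING_OP_NOP` case of io_req_prep() carries no comment, and reading `sqe->rw_flags` for an opcode that performs no I/O is not self-explanatory. A line such as `/* NOP defines no op flags yet: reject non-zero so the field can be given a meaning later */` above the `if` would carry the reason from the commit message into the code. This is also a user-visible change in a stable series: a caller that submits a raw NOP without zeroing the SQE now gets -EINVAL, which is worth stating in the backport's notes. The rest of io_req_prep() lies outside the hunk.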
@@ -0,0 +1,66 @@
+From 67380251e8bbd3302c64fea07f95c31971b91c22 Mon Sep 17 00:00:00 2001
+From: Jorge Ramirez-Ortiz
+Date: Wed, 3 Jan 2024 12:29:11 +0100
+Subject: mmc: core: Do not force a retune before RPMB switch
+
+From: Jorge Ramirez-Ortiz
+
+commit 67380251e8bbd3302c64fea07f95c31971b91c22 upstream.
+
+Requesting a retune before switching to the RPMB partition has been
+observed to cause CRC errors on the RPMB reads (-EILSEQ).
+
+Since RPMB reads can not be retried, the clients would be directly
+affected by the errors.
+
+This commit disables the retune request prior to switching to the RPMB
+partition: mmc_retune_pause() no longer triggers a retune before the
+pause period begins.
+
+This was verified with the sdhci-of-arasan driver (ZynqMP) configured
+for HS200 using two separate eMMC cards (DG4064 and 064GB2). In both
+cases, the error was easy to reproduce triggering every few tenths of
+reads.
+
+With this commit, systems that were utilizing OP-TEE to access RPMB
+variables will experience an enhanced performance. Specifically, when
+OP-TEE is configured to employ RPMB as a secure storage solution, it not
+only writes the data but also the secure filesystem within the
+partition. As a result, retrieving any variable involves multiple RPMB
+reads, typically around five.
+
+For context, on ZynqMP, each retune request consumed approximately
+8ms. Consequently, reading any RPMB variable used to take at the very
+minimum 40ms.
+
+After droping the need to retune before switching to the RPMB partition,
+this is no longer the case.
+
+Signed-off-by: Jorge Ramirez-Ortiz
+Acked-by: Avri Altman
+Acked-by: Adrian Hunter
+Link: https://lore.kernel.org/r/20240103112911.2954632-1-jorge@foundries.io
+Signed-off-by: Ulf Hansson
+Signed-off-by: Florian Fainelli
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/host.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -119,13 +119,12 @@ void mmc_retune_enable(struct mmc_host *
+
+ /*
+ * Pause re-tuning for a small set of operations. The pause begins after the
+- * next command and after first doing re-tuning.
++ * next command.
+ */
+ void mmc_retune_pause(struct mmc_host *host)
+ {
+ if (!host->retune_paused) {
+ host->retune_paused = 1;
+- mmc_retune_needed(host);
+ mmc_retune_hold(host);
+ }
+ }
diff --git a/queue-5.15/nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch b/queue-5.15/nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
new file mode 100644
index 00000000000..53b492cbd11
--- /dev/null
+++ b/queue-5.15/nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
@@ -0,0 +1,122 @@
+From f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Mon, 20 May 2024 22:26:19 +0900
+Subject: nilfs2: fix use-after-free of timer for log writer thread
+
+From: Ryusuke Konishi
+
+commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream.
+
+Patch series "nilfs2: fix log writer related issues".
+
+This bug fix series covers three nilfs2 log writer-related issues,
+including a timer use-after-free issue and potential deadlock issue on
+unmount, and a potential freeze issue in event synchronization found
+during their analysis. Details are described in each commit log.
+
+
+This patch (of 3):
+
+A use-after-free issue has been reported regarding the timer sc_timer on
+the nilfs_sc_info structure.
+
+The problem is that even though it is used to wake up a sleeping log
+writer thread, sc_timer is not shut down until the nilfs_sc_info structure
+is about to be freed, and is used regardless of the thread's lifetime.
+
+Fix this issue by limiting the use of sc_timer only while the log writer
+thread is alive.
+
+Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com
+Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info")
+Signed-off-by: Ryusuke Konishi
+Reported-by: "Bai, Shuangpeng"
+Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/segment.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2159,8 +2159,10 @@ static void nilfs_segctor_start_timer(st
+ {
+ spin_lock(&sci->sc_state_lock);
+ if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) {
+- sci->sc_timer.expires = jiffies + sci->sc_interval;
+- add_timer(&sci->sc_timer);
++ if (sci->sc_task) {
++ sci->sc_timer.expires = jiffies + sci->sc_interval;
++ add_timer(&sci->sc_timer);
++ }
+ sci->sc_state |= NILFS_SEGCTOR_COMMIT;
+ }
+ spin_unlock(&sci->sc_state_lock);
+@@ -2380,10 +2382,21 @@ int nilfs_construct_dsync_segment(struct
+ */
+ static void nilfs_segctor_accept(struct nilfs_sc_info *sci)
+ {
++ bool thread_is_alive;
++
+ spin_lock(&sci->sc_state_lock);
+ sci->sc_seq_accepted = sci->sc_seq_request;
++ thread_is_alive = (bool)sci->sc_task;
+ spin_unlock(&sci->sc_state_lock);
+- del_timer_sync(&sci->sc_timer);
++
++ /*
++ * This function does not race with the log writer thread's
++ * termination. Therefore, deleting sc_timer, which should not be
++ * done after the log writer thread exits, can be done safely outside
++ * the area protected by sc_state_lock.
++ */
++ if (thread_is_alive)
++ del_timer_sync(&sci->sc_timer);
+ }
+
+ /**
+@@ -2409,7 +2422,7 @@ static void nilfs_segctor_notify(struct
+ sci->sc_flush_request &= ~FLUSH_DAT_BIT;
+
+ /* re-enable timer if checkpoint creation was not done */
+- if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) &&
++ if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task &&
+ time_before(jiffies, sci->sc_timer.expires))
+ add_timer(&sci->sc_timer);
+ }
+@@ -2599,6 +2612,7 @@ static int nilfs_segctor_thread(void *ar
+ int timeout = 0;
+
+ sci->sc_timer_task = current;
++ timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0);
+
+ /* start sync. */
+ sci->sc_task = current;
+@@ -2665,6 +2679,7 @@ static int nilfs_segctor_thread(void *ar
+ end_thread:
+ /* end sync. */
+ sci->sc_task = NULL;
++ del_timer_sync(&sci->sc_timer);
+ wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */
+ spin_unlock(&sci->sc_state_lock);
+ return 0;
+@@ -2728,7 +2743,6 @@ static struct nilfs_sc_info *nilfs_segct
+ INIT_LIST_HEAD(&sci->sc_gc_inodes);
+ INIT_LIST_HEAD(&sci->sc_iput_queue);
+ INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func);
+- timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0);
+
+ sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT;
+ sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ;
+@@ -2814,7 +2828,6 @@ static void nilfs_segctor_destroy(struct
+
+ down_write(&nilfs->ns_segctor_sem);
+
+- del_timer_sync(&sci->sc_timer);
+ kfree(sci);
+ }
+
diff --git a/queue-5.15/revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch b/queue-5.15/revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch
new file mode 100644
index 00000000000..fbfbf9af5bf
--- /dev/null
+++ b/queue-5.15/revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch
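Review bot: At `end_thread:` in nilfs_segctor_thread() the added `del_timer_sync(&sci->sc_timer)` runs before `spin_unlock(&sci->sc_state_lock)`, that is, while the spinlock is held, and nothing in the code says why that is safe. del_timer_sync() waits for a running handler to finish, so this is correct only if nilfs_construction_timeout() never takes sc_state_lock; the handler is not in the hunk, so that cannot be confirmed from here. I would add `/* sc_task is already NULL, so the sc_task-guarded add_timer() sites cannot re-arm sc_timer; the handler must never take sc_state_lock */` above the call. In nilfs_segctor_accept(), `thread_is_alive = (bool)sci->sc_task;` would read more plainly as `thread_is_alive = sci->sc_task != NULL;`. The bodies of both functions extend beyond their hunks.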
@@ -0,0 +1,54 @@
+From W_Armin@gmx.de Wed Jun 12 14:43:21 2024
+From: Armin Wolf
+Date: Thu, 23 May 2024 19:30:31 +0200
+Subject: Revert "drm/amdgpu: init iommu after amdkfd device init"
+To: alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com, gregkh@linuxfoundation.org, sashal@kernel.org
+Cc: stable@vger.kernel.org, bkauler@gmail.com, yifan1.zhang@amd.com, Prike.Liang@amd.com, dri-devel@lists.freedesktop.org, amd-gfx@lists.freedesktop.org
+Message-ID: <20240523173031.4212-1-W_Armin@gmx.de>
+
+From: Armin Wolf
+
+This reverts commit 56b522f4668167096a50c39446d6263c96219f5f.
+
+A user reported that this commit breaks the integrated gpu of his
+notebook, causing a black screen. He was able to bisect the problematic
+commit and verified that by reverting it the notebook works again.
+He also confirmed that kernel 6.8.1 also works on his device, so the
+upstream commit itself seems to be ok.
+
+An amdgpu developer (Alex Deucher) confirmed that this patch should
+have never been ported to 5.15 in the first place, so revert this
+commit from the 5.15 stable series.
+
+Reported-by: Barry Kauler
+Signed-off-by: Armin Wolf
+Link: https://lore.kernel.org/r/20240523173031.4212-1-W_Armin@gmx.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2487,6 +2487,10 @@ static int amdgpu_device_ip_init(struct
+ if (r)
+ goto init_failed;
+
++ r = amdgpu_amdkfd_resume_iommu(adev);
++ if (r)
++ goto init_failed;
++
+ r = amdgpu_device_ip_hw_init_phase1(adev);
+ if (r)
+ goto init_failed;
+@@ -2525,10 +2529,6 @@ static int amdgpu_device_ip_init(struct
+ if (!adev->gmc.xgmi.pending_reset)
+ amdgpu_amdkfd_device_init(adev);
+
+- r = amdgpu_amdkfd_resume_iommu(adev);
+- if (r)
+- goto init_failed;
+-
+ amdgpu_fru_get_product_info(adev);
+
+ init_failed:
diff --git a/queue-5.15/series b/queue-5.15/series
index c472b74b813..b534e5fede9 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -339,3 +339,8 @@ media-cec-core-add-adap_nb_transmit_canceled-callback.patch
 sunrpc-fix-loop-termination-condition-in-gss_free_in_token_pages.patch
 drm-check-output-polling-initialized-before-disabling.patch
 drm-check-polling-initialized-before-enabling-in-drm_helper_probe_single_connector_modes.patch
+mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
+io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
+afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
+nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
+revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch
--
2.47.3