From 096f39a73e9ad87b089df7abb5b7c0d77d6abf8a Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 11 Feb 2025 11:04:09 +0100 Subject: [PATCH] 6.6-stable patches added patches: ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch crypto-qce-fix-goto-jump-in-error-path.patch crypto-qce-unregister-previously-registered-algos-in-error-path.patch i3c-master-fix-missing-ret-assignment-in-set_speed.patch io_uring-fix-multishots-with-selected-buffers.patch io_uring-net-don-t-retry-connect-operation-on-epollerr.patch irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch mailbox-tegra-hsp-clear-mailbox-before-using-message.patch maple_tree-simplify-split-calculation.patch misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch misc-fastrpc-fix-copy-buffer-page-size.patch misc-fastrpc-fix-registered-buffer-page-address.patch misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch nvmem-core-improve-range-check-for-nvmem_cell_write.patch nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch nvmem-imx-ocotp-ele-set-word-length-to-1.patch nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch ocfs2-handle-a-symlink-read-error-correctly.patch pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch ptp-ensure-info-enable-callback-is-always-set.patch rtc-zynqmp-fix-optional-clock-name-property.patch rtla-add-trace_instance_stop.patch rtla-osnoise-distinguish-missing-workload-option.patch 
rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch selftests-mptcp-connect-f-no-reconnect.patch tracing-osnoise-fix-resetting-of-tracepoints.patch vfio-platform-check-the-bounds-of-read-write-syscalls.patch --- ...t-write-outside-the-allocated-buffer.patch | 81 ++++++++++++ ...ypto-qce-fix-goto-jump-in-error-path.patch | 33 +++++ ...ously-registered-algos-in-error-path.patch | 52 ++++++++ ...-missing-ret-assignment-in-set_speed.patch | 42 ++++++ ...fix-multishots-with-selected-buffers.patch | 39 ++++++ ...-retry-connect-operation-on-epollerr.patch | 55 ++++++++ ...-interrupt-as-fiq-when-configured-so.patch | 42 ++++++ ...p-clear-mailbox-before-using-message.patch | 68 ++++++++++ ...aple_tree-simplify-split-calculation.patch | 112 ++++++++++++++++ ...ce-nodes-properly-in-error-scenarios.patch | 35 +++++ ...sc-fastrpc-fix-copy-buffer-page-size.patch | 40 ++++++ ...c-fix-registered-buffer-page-address.patch | 48 +++++++ ...-for-all-dynamic-misc-dynamic-minors.patch | 103 +++++++++++++++ ...-uninitialized-retlen-in-do_otp_read.patch | 36 +++++ ...t-package-before-configuring-channel.patch | 64 +++++++++ ...en-mdio-write-and-read-in-soft_reset.patch | 40 ++++++ ...unds-checking-in-nci_hci_create_pipe.patch | 36 +++++ ...ssible-int-overflows-in-nilfs_fiemap.patch | 58 ++++++++ ...ove-range-check-for-nvmem_cell_write.patch | 47 +++++++ ...ele-fix-reading-from-non-zero-offset.patch | 58 ++++++++ ...m-imx-ocotp-ele-set-word-length-to-1.patch | 45 +++++++ ...le-simplify-read-beyond-device-check.patch | 42 ++++++ ...sdam-set-size-in-struct-nvmem_config.patch | 41 ++++++ ...ess-conversion-causing-mount-failure.patch | 41 ++++++ ...andle-a-symlink-read-error-correctly.patch | 65 +++++++++ 
...p-if-platform_get_irq_optional-fails.patch | 44 +++++++ ...try-getting-layout-segment-for-reads.patch | 78 +++++++++++ ...e-info-enable-callback-is-always-set.patch | 54 ++++++++ ...qmp-fix-optional-clock-name-property.patch | 39 ++++++ queue-6.6/rtla-add-trace_instance_stop.patch | 55 ++++++++ ...-distinguish-missing-workload-option.patch | 36 +++++ ...-osnoise_workload-for-kernel-threads.patch | 72 ++++++++++ ..._hist-stop-timerlat-tracer-on-signal.patch | 71 ++++++++++ ...-osnoise_workload-for-kernel-threads.patch | 64 +++++++++ ...t_top-stop-timerlat-tracer-on-signal.patch | 72 ++++++++++ ...rspace-detection-in-get_current_task.patch | 34 +++++ ...lftests-mptcp-connect-f-no-reconnect.patch | 45 +++++++ queue-6.6/series | 39 ++++++ ...osnoise-fix-resetting-of-tracepoints.patch | 124 ++++++++++++++++++ ...ck-the-bounds-of-read-write-syscalls.patch | 54 ++++++++ 40 files changed, 2204 insertions(+) create mode 100644 queue-6.6/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch create mode 100644 queue-6.6/crypto-qce-fix-goto-jump-in-error-path.patch create mode 100644 queue-6.6/crypto-qce-unregister-previously-registered-algos-in-error-path.patch create mode 100644 queue-6.6/i3c-master-fix-missing-ret-assignment-in-set_speed.patch create mode 100644 queue-6.6/io_uring-fix-multishots-with-selected-buffers.patch create mode 100644 queue-6.6/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch create mode 100644 queue-6.6/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch create mode 100644 queue-6.6/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch create mode 100644 queue-6.6/maple_tree-simplify-split-calculation.patch create mode 100644 queue-6.6/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch create mode 100644 queue-6.6/misc-fastrpc-fix-copy-buffer-page-size.patch create mode 100644 queue-6.6/misc-fastrpc-fix-registered-buffer-page-address.patch create mode 100644 
queue-6.6/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch create mode 100644 queue-6.6/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch create mode 100644 queue-6.6/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch create mode 100644 queue-6.6/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch create mode 100644 queue-6.6/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch create mode 100644 queue-6.6/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch create mode 100644 queue-6.6/nvmem-core-improve-range-check-for-nvmem_cell_write.patch create mode 100644 queue-6.6/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch create mode 100644 queue-6.6/nvmem-imx-ocotp-ele-set-word-length-to-1.patch create mode 100644 queue-6.6/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch create mode 100644 queue-6.6/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch create mode 100644 queue-6.6/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch create mode 100644 queue-6.6/ocfs2-handle-a-symlink-read-error-correctly.patch create mode 100644 queue-6.6/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch create mode 100644 queue-6.6/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch create mode 100644 queue-6.6/ptp-ensure-info-enable-callback-is-always-set.patch create mode 100644 queue-6.6/rtc-zynqmp-fix-optional-clock-name-property.patch create mode 100644 queue-6.6/rtla-add-trace_instance_stop.patch create mode 100644 queue-6.6/rtla-osnoise-distinguish-missing-workload-option.patch create mode 100644 queue-6.6/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch create mode 100644 queue-6.6/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch create mode 100644 queue-6.6/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch create mode 100644 
queue-6.6/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch create mode 100644 queue-6.6/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch create mode 100644 queue-6.6/selftests-mptcp-connect-f-no-reconnect.patch create mode 100644 queue-6.6/tracing-osnoise-fix-resetting-of-tracepoints.patch create mode 100644 queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
diff --git a/queue-6.6/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch b/queue-6.6/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
new file mode 100644
index 0000000000..7db7605fa1
--- /dev/null
+++ b/queue-6.6/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
@@ -0,0 +1,81 @@
+From 6e74e53b34b6dec5a50e1404e2680852ec6768d2 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel
+Date: Mon, 27 Jan 2025 16:43:04 +0100
+Subject: ata: libata-sff: Ensure that we cannot write outside the allocated buffer
+
+From: Niklas Cassel
+
+commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 upstream.
+
+reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
+set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
+ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
+write outside the allocated buffer, overwriting random memory.
+
+While a ATA device is supposed to abort a ATA_NOP command, there does seem
+to be a bug either in libata-sff or QEMU, where either this status is not
+set, or the status is cleared before read by ata_sff_hsm_move().
+Anyway, that is most likely a separate bug.
+
+Looking at __atapi_pio_bytes(), it already has a safety check to ensure
+that __atapi_pio_bytes() cannot write outside the allocated buffer.
+
+Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
+cannot write outside the allocated buffer.
+
+Cc: stable@vger.kernel.org
+Reported-by: reveliofuzzing
+Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
+Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-sff.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -602,7 +602,7 @@ static void ata_pio_sector(struct ata_qu
+ {
+ struct ata_port *ap = qc->ap;
+ struct page *page;
+- unsigned int offset;
++ unsigned int offset, count;
+
+ if (!qc->cursg) {
+ qc->curbytes = qc->nbytes;
+@@ -618,25 +618,27 @@ static void ata_pio_sector(struct ata_qu
+ page = nth_page(page, (offset >> PAGE_SHIFT));
+ offset %= PAGE_SIZE;
+
+- trace_ata_sff_pio_transfer_data(qc, offset, qc->sect_size);
++ /* don't overrun current sg */
++ count = min(qc->cursg->length - qc->cursg_ofs, qc->sect_size);
++
++ trace_ata_sff_pio_transfer_data(qc, offset, count);
+
+ /*
+ * Split the transfer when it splits a page boundary. Note that the
+ * split still has to be dword aligned like all ATA data transfers.
+ */
+ WARN_ON_ONCE(offset % 4);
+- if (offset + qc->sect_size > PAGE_SIZE) {
++ if (offset + count > PAGE_SIZE) {
+ unsigned int split_len = PAGE_SIZE - offset;
+
+ ata_pio_xfer(qc, page, offset, split_len);
+- ata_pio_xfer(qc, nth_page(page, 1), 0,
+- qc->sect_size - split_len);
++ ata_pio_xfer(qc, nth_page(page, 1), 0, count - split_len);
+ } else {
+- ata_pio_xfer(qc, page, offset, qc->sect_size);
++ ata_pio_xfer(qc, page, offset, count);
+ }
+
+- qc->curbytes += qc->sect_size;
+- qc->cursg_ofs += qc->sect_size;
++ qc->curbytes += count;
++ qc->cursg_ofs += count;
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
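Review bot: The new bound in `ata_pio_sector()`, `count = min(qc->cursg->length - qc->cursg_ofs, qc->sect_size);`, is an unsigned subtraction, so it only limits the transfer while `qc->cursg_ofs <= qc->cursg->length` holds; if that ever fails the difference wraps and `min()` falls back to `qc->sect_size`, which is the overrun being fixed. The invariant appears to be kept by the `qc->cursg_ofs == qc->cursg->length` advance at the end of the second hunk, but nothing states it. I would widen the comment to `/* don't overrun current sg; relies on cursg_ofs <= cursg->length (unsigned subtraction) */`. The clamp is also silent, so a transfer shortened below `qc->sect_size` is only visible through the tracepoint. The function body starts and ends outside both hunks.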
diff --git a/queue-6.6/crypto-qce-fix-goto-jump-in-error-path.patch b/queue-6.6/crypto-qce-fix-goto-jump-in-error-path.patch
new file mode 100644
index 0000000000..6c66935b6d
--- /dev/null
+++ b/queue-6.6/crypto-qce-fix-goto-jump-in-error-path.patch
@@ -0,0 +1,33 @@
+From 5278275c1758a38199b43530adfc50098f4b41c7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:29 +0100
+Subject: crypto: qce - fix goto jump in error path
+
+From: Bartosz Golaszewski
+
+commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
+
+If qce_check_version() fails, we should jump to err_dma as we already
+called qce_dma_request() a couple lines before.
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -247,7 +247,7 @@ static int qce_crypto_probe(struct platf
+
+ ret = qce_check_version(qce);
+ if (ret)
+- goto err_clks;
++ goto err_dma;
+
+ spin_lock_init(&qce->lock);
+ tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
diff --git a/queue-6.6/crypto-qce-unregister-previously-registered-algos-in-error-path.patch b/queue-6.6/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
new file mode 100644
index 0000000000..24276b5469
--- /dev/null
+++ b/queue-6.6/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
@@ -0,0 +1,52 @@
+From e80cf84b608725303113d6fe98bb727bf7b7a40d Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski
+Date: Tue, 3 Dec 2024 10:19:30 +0100
+Subject: crypto: qce - unregister previously registered algos in error path
+
+From: Bartosz Golaszewski
+
+commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
+
+If we encounter an error when registering alorithms with the crypto
+framework, we just bail out and don't unregister the ones we
+successfully registered in prior iterations of the loop.
+
+Add code that goes back over the algos and unregisters them before
+returning an error from qce_register_algs().
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Neil Armstrong
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/qce/core.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -51,16 +51,19 @@ static void qce_unregister_algs(struct q
+ static int qce_register_algs(struct qce_device *qce)
+ {
+ const struct qce_algo_ops *ops;
+- int i, ret = -ENODEV;
++ int i, j, ret = -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
+ ops = qce_ops[i];
+ ret = ops->register_algs(qce);
+- if (ret)
+- break;
++ if (ret) {
++ for (j = i - 1; j >= 0; j--)
++ ops->unregister_algs(qce);
++ return ret;
++ }
+ }
+
+- return ret;
++ return 0;
+ }
+
+ static int qce_handle_request(struct crypto_async_request *async_req)
diff --git a/queue-6.6/i3c-master-fix-missing-ret-assignment-in-set_speed.patch b/queue-6.6/i3c-master-fix-missing-ret-assignment-in-set_speed.patch
new file mode 100644
index 0000000000..dfc99d5164
--- /dev/null
+++ b/queue-6.6/i3c-master-fix-missing-ret-assignment-in-set_speed.patch
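Review bot: The rollback loop added to `qce_register_algs()` by crypto-qce-unregister-previously-registered-algos-in-error-path.patch never reloads `ops`, so `ops->unregister_algs(qce)` runs `i` times on `qce_ops[i]`, the entry whose registration just failed, while the entries registered in earlier iterations stay registered. That leaves the leak described in the commit message in place, and depending on what each `unregister_algs` callback does (not visible here) it may also tear down algorithms that were never registered. The loop body should index by `j`: `qce_ops[j]->unregister_algs(qce);`.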
@@ -0,0 +1,42 @@
+From b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 Mon Sep 17 00:00:00 2001
+From: Frank Li
+Date: Wed, 8 Jan 2025 17:55:33 -0500
+Subject: i3c: master: Fix missing 'ret' assignment in set_speed()
+
+From: Frank Li
+
+commit b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 upstream.
+
+Fix a probe failure in the i3c master driver that occurs when no i3c
+devices are connected to the bus.
+
+The issue arises in `i3c_master_bus_init()` where the `ret` value is not
+updated after calling `master->ops->set_speed()`. If no devices are
+present, `ret` remains set to `I3C_ERROR_M2`, causing the code to
+incorrectly proceed to `err_bus_cleanup`.
+
+Cc: stable@vger.kernel.org
+Fixes: aef79e189ba2 ("i3c: master: support to adjust first broadcast address speed")
+Signed-off-by: Frank Li
+Reviewed-by: Wolfram Sang
+Tested-by: Wolfram Sang
+Acked-by: Mukesh Kumar Savaliya
+Reviewed-by: Miquel Raynal
+Link: https://lore.kernel.org/r/20250108225533.915334-1-Frank.Li@nxp.com
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i3c/master.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1878,7 +1878,7 @@ static int i3c_master_bus_init(struct i3
+ goto err_bus_cleanup;
+
+ if (master->ops->set_speed) {
+- master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
++ ret = master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
+ if (ret)
+ goto err_bus_cleanup;
+ }
diff --git a/queue-6.6/io_uring-fix-multishots-with-selected-buffers.patch b/queue-6.6/io_uring-fix-multishots-with-selected-buffers.patch
new file mode 100644
index 0000000000..b2a02e2380
--- /dev/null
+++ b/queue-6.6/io_uring-fix-multishots-with-selected-buffers.patch
@@ -0,0 +1,39 @@
+From d63b0e8a628e62ca85a0f7915230186bb92f8bb4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Tue, 28 Jan 2025 00:55:24 +0000
+Subject: io_uring: fix multishots with selected buffers
+
+From: Pavel Begunkov
+
+commit d63b0e8a628e62ca85a0f7915230186bb92f8bb4 upstream.
+
+We do io_kbuf_recycle() when arming a poll but every iteration of a
+multishot can grab more buffers, which is why we need to flush the kbuf
+ring state before continuing with waiting.
+
+Cc: stable@vger.kernel.org
+Fixes: b3fdea6ecb55c ("io_uring: multishot recv")
+Reported-by: Muhammad Ramdhan
+Reported-by: Bing-Jhong Billy Jheng
+Reported-by: Jacob Soo
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/1bfc9990fe435f1fc6152ca9efeba5eb3e68339c.1738025570.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/poll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -350,8 +350,10 @@ void io_poll_task_func(struct io_kiocb *
+
+ ret = io_poll_check_events(req, ts);
+ if (ret == IOU_POLL_NO_ACTION) {
++ io_kbuf_recycle(req, 0);
+ return;
+ } else if (ret == IOU_POLL_REQUEUE) {
++ io_kbuf_recycle(req, 0);
+ __io_poll_execute(req, 0);
+ return;
+ }
diff --git a/queue-6.6/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch b/queue-6.6/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
new file mode 100644
index 0000000000..90b0e6cd42
--- /dev/null
+++ b/queue-6.6/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
@@ -0,0 +1,55 @@
+From 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 30 Jan 2025 08:40:29 -0700
+Subject: io_uring/net: don't retry connect operation on EPOLLERR
+
+From: Jens Axboe
+
+commit 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 upstream.
+
+If a socket is shutdown before the connection completes, POLLERR is set
+in the poll mask. However, connect ignores this as it doesn't know, and
+attempts the connection again. This may lead to a bogus -ETIMEDOUT
+result, where it should have noticed the POLLERR and just returned
+-ECONNRESET instead.
+
+Have the poll logic check for whether or not POLLERR is set in the mask,
+and if so, mark the request as failed. Then connect can appropriately
+fail the request rather than retry it.
+
+Reported-by: Sergey Galas
+Cc: stable@vger.kernel.org
+Link: https://github.com/axboe/liburing/discussions/1335
+Fixes: 3fb1bd688172 ("io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/net.c | 5 +++++
+ io_uring/poll.c | 2 ++
+ 2 files changed, 7 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1533,6 +1533,11 @@ int io_connect(struct io_kiocb *req, uns
+ io = &__io;
+ }
+
++ if (unlikely(req->flags & REQ_F_FAIL)) {
++ ret = -ECONNRESET;
++ goto out;
++ }
++
+ file_flags = force_nonblock ? O_NONBLOCK : 0;
+
+ ret = __sys_connect_file(req->file, &io->address,
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -308,6 +308,8 @@ static int io_poll_check_events(struct i
+ return IOU_POLL_REISSUE;
+ }
+ }
++ if (unlikely(req->cqe.res & EPOLLERR))
++ req_set_fail(req);
+ if (req->apoll_events & EPOLLONESHOT)
+ return IOU_POLL_DONE;
+
diff --git a/queue-6.6/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch b/queue-6.6/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
new file mode 100644
index 0000000000..7be9f1f93c
--- /dev/null
+++ b/queue-6.6/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
@@ -0,0 +1,42 @@
+From 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 Mon Sep 17 00:00:00 2001
+From: Nick Chan
+Date: Sun, 19 Jan 2025 00:31:42 +0800
+Subject: irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured so
+
+From: Nick Chan
+
+commit 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 upstream.
+
+The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of
+several ways, and since Apple A11 one of the methods is FIQ, but the check
+of the configuration register fails to test explicitely for FIQ mode. It
+tests whether the IMODE bitfield is zero or not and the PMCRO_IACT bit is
+set. That results in false positives when the IMODE bitfield is not zero,
+but does not have the mode PMCR0_IMODE_FIQ.
+
+Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured
+to fire FIQs, i.e. the IMODE bitfield value is PMCR0_IMODE_FIQ and
+PMCR0_IACT is set.
+
+Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts")
+Signed-off-by: Nick Chan
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250118163554.16733-1-towinchenmi@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-apple-aic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-apple-aic.c
++++ b/drivers/irqchip/irq-apple-aic.c
+@@ -563,7 +563,8 @@ static void __exception_irq_entry aic_ha
+ AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT));
+ }
+
+- if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) {
++ if ((read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & (PMCR0_IMODE | PMCR0_IACT)) ==
++ (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) {
+ int irq;
+ if (cpumask_test_cpu(smp_processor_id(),
+ &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff))
diff --git a/queue-6.6/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch b/queue-6.6/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
new file mode 100644
index 0000000000..db0a6fdc56
--- /dev/null
+++ b/queue-6.6/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
@@ -0,0 +1,68 @@
+From 0b7f8328f988178b55ee11d772a6e1238c04d29d Mon Sep 17 00:00:00 2001
+From: Pekka Pessi
+Date: Mon, 2 Dec 2024 15:35:59 +0530
+Subject: mailbox: tegra-hsp: Clear mailbox before using message
+
+From: Pekka Pessi
+
+commit 0b7f8328f988178b55ee11d772a6e1238c04d29d upstream.
+
+The Tegra RCE (Camera) driver expects the mailbox to be empty before
+processing the IVC messages. On RT kernel, the threads processing the
+IVC messages (which are invoked after `mbox_chan_received_data()` is
+called) may be on a different CPU or running with a higher priority
+than the HSP interrupt handler thread. This can cause it to act on the
+message before the mailbox gets cleared in the HSP interrupt handler
+resulting in a loss of IVC notification.
+
+Fix this by clearing the mailbox data register before calling
+`mbox_chan_received_data()`.
+
+Fixes: 8f585d14030d ("mailbox: tegra-hsp: Add tegra_hsp_sm_ops")
+Fixes: 74c20dd0f892 ("mailbox: tegra-hsp: Add 128-bit shared mailbox support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pekka Pessi
+Signed-off-by: Kartik Rajput
+Acked-by: Thierry Reding
+Signed-off-by: Jassi Brar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mailbox/tegra-hsp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mailbox/tegra-hsp.c
++++ b/drivers/mailbox/tegra-hsp.c
+@@ -388,7 +388,6 @@ static void tegra_hsp_sm_recv32(struct t
+ value = tegra_hsp_channel_readl(channel, HSP_SM_SHRD_MBOX);
+ value &= ~HSP_SM_SHRD_MBOX_FULL;
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Need to clear all bits here since some producers, such as TCU, depend
+@@ -398,6 +397,8 @@ static void tegra_hsp_sm_recv32(struct t
+ * explicitly, so we have to make sure we cover all possible cases.
+ */
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SM_SHRD_MBOX);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_32bit_ops = {
+@@ -433,7 +434,6 @@ static void tegra_hsp_sm_recv128(struct
+ value[3] = tegra_hsp_channel_readl(channel, HSP_SHRD_MBOX_TYPE1_DATA3);
+
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Clear data registers and tag.
+@@ -443,6 +443,8 @@ static void tegra_hsp_sm_recv128(struct
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA2);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA3);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_TAG);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_128bit_ops = {
diff --git a/queue-6.6/maple_tree-simplify-split-calculation.patch b/queue-6.6/maple_tree-simplify-split-calculation.patch
new file mode 100644
index 0000000000..0d162b6d62
--- /dev/null
+++ b/queue-6.6/maple_tree-simplify-split-calculation.patch
@@ -0,0 +1,112 @@
+From 4f6a6bed0bfef4b966f076f33eb4f5547226056a Mon Sep 17 00:00:00 2001
+From: Wei Yang
+Date: Wed, 13 Nov 2024 03:16:14 +0000
+Subject: maple_tree: simplify split calculation
+
+From: Wei Yang
+
+commit 4f6a6bed0bfef4b966f076f33eb4f5547226056a upstream.
+
+Patch series "simplify split calculation", v3.
+
+
+This patch (of 3):
+
+The current calculation for splitting nodes tries to enforce a minimum
+span on the leaf nodes. This code is complex and never worked correctly
+to begin with, due to the min value being passed as 0 for all leaves.
+
+The calculation should just split the data as equally as possible
+between the new nodes. Note that b_end will be one more than the data,
+so the left side is still favoured in the calculation.
+
+The current code may also lead to a deficient node by not leaving enough
+data for the right side of the split. This issue is also addressed with
+the split calculation change.
+
+[Liam.Howlett@Oracle.com: rephrase the change log]
+Link: https://lkml.kernel.org/r/20241113031616.10530-1-richard.weiyang@gmail.com
+Link: https://lkml.kernel.org/r/20241113031616.10530-2-richard.weiyang@gmail.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Wei Yang
+Reviewed-by: Liam R. Howlett
+Cc: Sidhartha Kumar
+Cc: Lorenzo Stoakes
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/maple_tree.c | 23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -1870,11 +1870,11 @@ static inline int mab_no_null_split(stru
+ * Return: The first split location. The middle split is set in @mid_split.
+ */
+ static inline int mab_calc_split(struct ma_state *mas,
+- struct maple_big_node *bn, unsigned char *mid_split, unsigned long min)
++ struct maple_big_node *bn, unsigned char *mid_split)
+ {
+ unsigned char b_end = bn->b_end;
+ int split = b_end / 2; /* Assume equal split. */
+- unsigned char slot_min, slot_count = mt_slots[bn->type];
++ unsigned char slot_count = mt_slots[bn->type];
+
+ /*
+ * To support gap tracking, all NULL entries are kept together and a node cannot
+@@ -1907,18 +1907,7 @@ static inline int mab_calc_split(struct
+ split = b_end / 3;
+ *mid_split = split * 2;
+ } else {
+- slot_min = mt_min_slots[bn->type];
+-
+ *mid_split = 0;
+- /*
+- * Avoid having a range less than the slot count unless it
+- * causes one node to be deficient.
+- * NOTE: mt_min_slots is 1 based, b_end and split are zero.
+- */
+- while ((split < slot_count - 1) &&
+- ((bn->pivot[split] - min) < slot_count - 1) &&
+- (b_end - split > slot_min))
+- split++;
+ }
+
+ /* Avoid ending a node on a NULL entry */
+@@ -2402,7 +2391,7 @@ static inline struct maple_enode
+ static inline unsigned char mas_mab_to_node(struct ma_state *mas,
+ struct maple_big_node *b_node, struct maple_enode **left,
+ struct maple_enode **right, struct maple_enode **middle,
+- unsigned char *mid_split, unsigned long min)
++ unsigned char *mid_split)
+ {
+ unsigned char split = 0;
+ unsigned char slot_count = mt_slots[b_node->type];
+@@ -2415,7 +2404,7 @@ static inline unsigned char mas_mab_to_n
+ if (b_node->b_end < slot_count) {
+ split = b_node->b_end;
+ } else {
+- split = mab_calc_split(mas, b_node, mid_split, min);
++ split = mab_calc_split(mas, b_node, mid_split);
+ *right = mas_new_ma_node(mas, b_node);
+ }
+
+@@ -2905,7 +2894,7 @@ static int mas_spanning_rebalance(struct
+ mast->bn->b_end--;
+ mast->bn->type = mte_node_type(mast->orig_l->node);
+ split = mas_mab_to_node(mas, mast->bn, &left, &right, &middle,
+- &mid_split, mast->orig_l->min);
++ &mid_split);
+ mast_set_split_parents(mast, left, middle, right, split,
+ mid_split);
+ mast_cp_to_nodes(mast, left, middle, right, split, mid_split);
+@@ -3413,7 +3402,7 @@ static int mas_split(struct ma_state *ma
+ if (mas_push_data(mas, height, &mast, false))
+ break;
+
+- split = mab_calc_split(mas, b_node, &mid_split, prev_l_mas.min);
++ split = mab_calc_split(mas, b_node, &mid_split);
+ mast_split_data(&mast, mas, split);
+ /*
+ * Usually correct, mab_mas_cp in the above call overwrites
diff --git a/queue-6.6/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch b/queue-6.6/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
new file mode 100644
index 0000000000..eeb5409155
--- /dev/null
+++ b/queue-6.6/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
@@ -0,0 +1,35 @@
+From 637c20002dc8c347001292664055bfbf56544ec6 Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E
+Date: Fri, 10 Jan 2025 13:42:37 +0000
+Subject: misc: fastrpc: Deregister device nodes properly in error scenarios
+
+From: Anandu Krishnan E
+
+commit 637c20002dc8c347001292664055bfbf56544ec6 upstream.
+
+During fastrpc_rpmsg_probe, if secure device node registration
+succeeds but non-secure device node registration fails, the secure
+device node deregister is not called during error cleanup. Add proper
+exit paths to ensure proper cleanup in case of error.
+
+Fixes: 3abe3ab3cdab ("misc: fastrpc: add secure domain support")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -2327,7 +2327,7 @@ static int fastrpc_rpmsg_probe(struct rp
+
+ err = fastrpc_device_register(rdev, data, false, domains[domain_id]);
+ if (err)
+- goto fdev_error;
++ goto populate_error;
+ break;
+ default:
+ err = -EINVAL;
diff --git a/queue-6.6/misc-fastrpc-fix-copy-buffer-page-size.patch b/queue-6.6/misc-fastrpc-fix-copy-buffer-page-size.patch
new file mode 100644
index 0000000000..b4e8be40c7
--- /dev/null
+++ b/queue-6.6/misc-fastrpc-fix-copy-buffer-page-size.patch
@@ -0,0 +1,40 @@
+From e966eae72762ecfdbdb82627e2cda48845b9dd66 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Fri, 10 Jan 2025 13:42:39 +0000
+Subject: misc: fastrpc: Fix copy buffer page size
+
+From: Ekansh Gupta
+
+commit e966eae72762ecfdbdb82627e2cda48845b9dd66 upstream.
+
+For non-registered buffer, fastrpc driver copies the buffer and
+pass it to the remote subsystem. There is a problem with current
+implementation of page size calculation which is not considering
+the offset in the calculation. This might lead to passing of
+improper and out-of-bounds page size which could result in
+memory issue. Calculate page start and page end using the offset
+adjusted address instead of absolute address.
+
+Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20250110134239.123603-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1015,8 +1015,8 @@ static int fastrpc_get_args(u32 kernel,
+ (pkt_size - rlen);
+ pages[i].addr = pages[i].addr & PAGE_MASK;
+
+- pg_start = (args & PAGE_MASK) >> PAGE_SHIFT;
+- pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
++ pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT;
++ pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
+ pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE;
+ args = args + mlen;
+ rlen -= mlen;
diff --git a/queue-6.6/misc-fastrpc-fix-registered-buffer-page-address.patch b/queue-6.6/misc-fastrpc-fix-registered-buffer-page-address.patch
new file mode 100644
index 0000000000..8439b13f3f
--- /dev/null
+++ b/queue-6.6/misc-fastrpc-fix-registered-buffer-page-address.patch
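Review bot: In the `fastrpc_get_args()` hunk of misc-fastrpc-fix-copy-buffer-page-size.patch, `pg_end` is derived from `rpra[i].buf.pv + len - 1` with no guard on `len` visible in the hunk; a zero `len` with a page-aligned `buf.pv` would put `pg_end` one page below `pg_start`, and a very large `len` could wrap the sum. The result becomes `pages[i].size`, which the commit message says is handed to the remote subsystem, so a wrong value here is the same class of problem the patch is fixing. If `len` is validated earlier in the loop, outside this hunk, a comment above the two lines would make that explicit, e.g. `/* len is non-zero and buf.pv + len cannot wrap: checked earlier in the loop */`; otherwise the check belongs next to the computation.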
@@ -0,0 +1,48 @@ +From 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 Mon Sep 17 00:00:00 2001 +From: Ekansh Gupta +Date: Fri, 10 Jan 2025 13:42:38 +0000 +Subject: misc: fastrpc: Fix registered buffer page address + +From: Ekansh Gupta + +commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream. + +For registered buffers, fastrpc driver sends the buffer information +to remote subsystem. There is a problem with current implementation +where the page address is being sent with an offset leading to +improper buffer address on DSP. This is leads to functional failures +as DSP expects base address in page information and extracts offset +information from remote arguments. Mask the offset and pass the base +page address to DSP. + +This issue is observed is a corner case when some buffer which is registered +with fastrpc framework is passed with some offset by user and then the DSP +implementation tried to read the data. As DSP expects base address and takes +care of offsetting with remote arguments, passing an offsetted address will +result in some unexpected data read in DSP. + +All generic usecases usually pass the buffer as it is hence is problem is +not usually observed. If someone tries to pass offsetted buffer and then +tries to compare data at HLOS and DSP end, then the ambiguity will be observed. 
+ +Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP") +Cc: stable@kernel.org +Signed-off-by: Ekansh Gupta +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -988,7 +988,7 @@ static int fastrpc_get_args(u32 kernel, + mmap_read_lock(current->mm); + vma = find_vma(current->mm, ctx->args[i].ptr); + if (vma) +- pages[i].addr += ctx->args[i].ptr - ++ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) - + vma->vm_start; + mmap_read_unlock(current->mm); + diff --git a/queue-6.6/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch b/queue-6.6/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch new file mode 100644 index 0000000000..0f15f885e6 --- /dev/null +++ b/queue-6.6/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch 
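Review bot: The offset added to `pages[i].addr` still depends on `find_vma()`, which returns the first VMA that ends above the address and can therefore return one that starts above `ctx->args[i].ptr`. In that case `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` underflows and the `if (vma)` guard does not catch it, so a wrong page address would be sent to the DSP. Since the commit message says the pointer is passed in by the user, consider `vma = vma_lookup(current->mm, ctx->args[i].ptr);` or extending the condition to `if (vma && vma->vm_start <= ctx->args[i].ptr)` as a follow-up. The rest of fastrpc_get_args() is outside the hunk.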
@@ -0,0 +1,103 @@ +From 6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68 Mon Sep 17 00:00:00 2001 +From: Vimal Agrawal +Date: Mon, 21 Oct 2024 13:38:12 +0000 +Subject: misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors + +From: Vimal Agrawal + +commit 6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68 upstream. + +misc_minor_alloc was allocating id using ida for minor only in case of +MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids +using ida_free causing a mismatch and following warn: +> > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f +> > ida_free called for id=127 which is not allocated. +> > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +... +> > [<60941eb4>] ida_free+0x3e0/0x41f +> > [<605ac993>] misc_minor_free+0x3e/0xbc +> > [<605acb82>] misc_deregister+0x171/0x1b3 + +misc_minor_alloc is changed to allocate id from ida for all minors +falling in the range of dynamic/ misc dynamic minors + +Fixes: ab760791c0cf ("char: misc: Increase the maximum number of dynamic misc devices to 1048448") +Signed-off-by: Vimal Agrawal +Reviewed-by: Dirk VanDerMerwe +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241021133812.23703-1-vimal.agrawal@sophos.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/misc.c | 37 +++++++++++++++++++++++++++++-------- + 1 file changed, 29 insertions(+), 8 deletions(-) + +--- a/drivers/char/misc.c ++++ b/drivers/char/misc.c +@@ -63,16 +63,30 @@ static DEFINE_MUTEX(misc_mtx); + #define DYNAMIC_MINORS 128 /* like dynamic majors */ + static DEFINE_IDA(misc_minors_ida); + +-static int misc_minor_alloc(void) ++static int misc_minor_alloc(int minor) + { +- int ret; ++ int ret = 0; + +- ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL); +- if (ret >= 0) { +- ret = DYNAMIC_MINORS - ret - 1; ++ if (minor == MISC_DYNAMIC_MINOR) { ++ /* allocate free id */ ++ ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL); ++ if (ret >= 0) { ++ ret = DYNAMIC_MINORS - ret - 1; ++ } 
else { ++ ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1, ++ MINORMASK, GFP_KERNEL); ++ } + } else { +- ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1, +- MINORMASK, GFP_KERNEL); ++ /* specific minor, check if it is in dynamic or misc dynamic range */ ++ if (minor < DYNAMIC_MINORS) { ++ minor = DYNAMIC_MINORS - minor - 1; ++ ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL); ++ } else if (minor > MISC_DYNAMIC_MINOR) { ++ ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL); ++ } else { ++ /* case of non-dynamic minors, no need to allocate id */ ++ ret = 0; ++ } + } + return ret; + } +@@ -219,7 +233,7 @@ int misc_register(struct miscdevice *mis + mutex_lock(&misc_mtx); + + if (is_dynamic) { +- int i = misc_minor_alloc(); ++ int i = misc_minor_alloc(misc->minor); + + if (i < 0) { + err = -EBUSY; +@@ -228,6 +242,7 @@ int misc_register(struct miscdevice *mis + misc->minor = i; + } else { + struct miscdevice *c; ++ int i; + + list_for_each_entry(c, &misc_list, list) { + if (c->minor == misc->minor) { +@@ -235,6 +250,12 @@ int misc_register(struct miscdevice *mis + goto out; + } + } ++ ++ i = misc_minor_alloc(misc->minor); ++ if (i < 0) { ++ err = -EBUSY; ++ goto out; ++ } + } + + dev = MKDEV(MISC_MAJOR, misc->minor); diff --git a/queue-6.6/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch b/queue-6.6/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch new file mode 100644 index 0000000000..a32bcef9ce --- /dev/null +++ b/queue-6.6/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch 
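Review bot: The static-minor branch of misc_register() now also reserves an id through the added `i = misc_minor_alloc(misc->minor);`, so every later failure exit has to release it. The error handling after `dev = MKDEV(MISC_MAJOR, misc->minor);` is outside the hunk; if it still calls `misc_minor_free()` only when `is_dynamic` is set, a fixed minor in one of the IDA-tracked ranges would stay reserved after a failed registration and later attempts would get `-EBUSY`. That path should be checked and the free made unconditional if so. Separately, both call sites turn any negative return into `-EBUSY`, which hides an allocation failure from `ida_alloc_range()`; `err = i;` would keep the real cause.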
@@ -0,0 +1,36 @@ +From 70a71f8151b9879b0950668ce3ad76263261fee0 Mon Sep 17 00:00:00 2001 +From: Ivan Stepchenko +Date: Thu, 14 Nov 2024 16:29:51 +0300 +Subject: mtd: onenand: Fix uninitialized retlen in do_otp_read() + +From: Ivan Stepchenko + +commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream. + +The function do_otp_read() does not set the output parameter *retlen, +which is expected to contain the number of bytes actually read. +As a result, in onenand_otp_walk(), the tmp_retlen variable remains +uninitialized after calling do_otp_walk() and used to change +the values of the buf, len and retlen variables. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races") +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Stepchenko +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/onenand/onenand_base.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/nand/onenand/onenand_base.c ++++ b/drivers/mtd/nand/onenand/onenand_base.c +@@ -2923,6 +2923,7 @@ static int do_otp_read(struct mtd_info * + ret = ONENAND_IS_4KB_PAGE(this) ? + onenand_mlc_read_ops_nolock(mtd, from, &ops) : + onenand_read_ops_nolock(mtd, from, &ops); ++ *retlen = ops.retlen; + + /* Exit OTP access mode */ + this->command(mtd, ONENAND_CMD_RESET, 0, 0); diff --git a/queue-6.6/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch b/queue-6.6/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch new file mode 100644 index 0000000000..4a1b7a6cb5 --- /dev/null +++ b/queue-6.6/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch 
@@ -0,0 +1,64 @@ +From 6bb194d036c6e1b329dcdff459338cdd9a54802a Mon Sep 17 00:00:00 2001 +From: Paul Fertser +Date: Thu, 16 Jan 2025 18:29:00 +0300 +Subject: net/ncsi: wait for the last response to Deselect Package before configuring channel + +From: Paul Fertser + +commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream. + +The NCSI state machine as it's currently implemented assumes that +transition to the next logical state is performed either explicitly by +calling `schedule_work(&ndp->work)` to re-queue itself or implicitly +after processing the predefined (ndp->pending_req_num) number of +replies. Thus to avoid the configuration FSM from advancing prematurely +and getting out of sync with the process it's essential to not skip +waiting for a reply. + +This patch makes the code wait for reception of the Deselect Package +response for the last package probed before proceeding to channel +configuration. + +Thanks go to Potin Lai and Cosmo Chou for the initial investigation and +testing. 
+ +Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict") +Cc: stable@vger.kernel.org +Signed-off-by: Paul Fertser +Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/ncsi-manage.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/net/ncsi/ncsi-manage.c ++++ b/net/ncsi/ncsi-manage.c +@@ -1385,6 +1385,12 @@ static void ncsi_probe_channel(struct nc + nd->state = ncsi_dev_state_probe_package; + break; + case ncsi_dev_state_probe_package: ++ if (ndp->package_probe_id >= 8) { ++ /* Last package probed, finishing */ ++ ndp->flags |= NCSI_DEV_PROBED; ++ break; ++ } ++ + ndp->pending_req_num = 1; + + nca.type = NCSI_PKT_CMD_SP; +@@ -1501,13 +1507,8 @@ static void ncsi_probe_channel(struct nc + if (ret) + goto error; + +- /* Probe next package */ ++ /* Probe next package after receiving response */ + ndp->package_probe_id++; +- if (ndp->package_probe_id >= 8) { +- /* Probe finished */ +- ndp->flags |= NCSI_DEV_PROBED; +- break; +- } + nd->state = ncsi_dev_state_probe_package; + ndp->active_package = NULL; + break; diff --git a/queue-6.6/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch b/queue-6.6/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch new file mode 100644 index 0000000000..7dae4271bc --- /dev/null +++ b/queue-6.6/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch 
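Review bot: The limit in the added check `if (ndp->package_probe_id >= 8)` is a bare literal carried over from the removed block. A named constant would document that it is the number of package ids being probed and keep it in step with any other use; if the NCSI headers already define a package-count macro, it should be used here instead. ncsi_probe_channel() begins and ends outside the hunk, so what runs after the `break` with `NCSI_DEV_PROBED` set cannot be confirmed from here.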
@@ -0,0 +1,40 @@ +From bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 Mon Sep 17 00:00:00 2001 +From: Milos Reljin +Date: Fri, 24 Jan 2025 10:41:02 +0000 +Subject: net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset + +From: Milos Reljin + +commit bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 upstream. + +In application note (AN13663) for TJA1120, on page 30, there's a figure +with average PHY startup timing values following software reset. +The time it takes for SMI to become operational after software reset +ranges roughly from 500 us to 1500 us. + +This commit adds 2000 us delay after MDIO write which triggers software +reset. Without this delay, soft_reset function returns an error and +prevents successful PHY init. + +Cc: stable@vger.kernel.org +Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103") +Signed-off-by: Milos Reljin +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/AM8P250MB0124D258E5A71041AF2CC322E1E32@AM8P250MB0124.EURP250.PROD.OUTLOOK.COM +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/nxp-c45-tja11xx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/phy/nxp-c45-tja11xx.c ++++ b/drivers/net/phy/nxp-c45-tja11xx.c +@@ -1302,6 +1302,8 @@ static int nxp_c45_soft_reset(struct phy + if (ret) + return ret; + ++ usleep_range(2000, 2050); ++ + return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1, + VEND1_DEVICE_CONTROL, ret, + !(ret & DEVICE_CONTROL_RESET), 20000, diff --git a/queue-6.6/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch b/queue-6.6/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch new file mode 100644 index 0000000000..6e52684969 --- /dev/null +++ b/queue-6.6/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch 
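Review bot: The added `usleep_range(2000, 2050);` has no comment linking the value to the timing figure quoted in the commit message. A line above it such as `/* AN13663: SMI becomes operational 500-1500 us after soft reset, wait 2 ms before polling */` would stop the delay from being shortened later without checking the application note. nxp_c45_soft_reset() starts outside the hunk.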
@@ -0,0 +1,36 @@ +From 110b43ef05342d5a11284cc8b21582b698b4ef1c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 17 Jan 2025 12:38:41 +0300 +Subject: NFC: nci: Add bounds checking in nci_hci_create_pipe() + +From: Dan Carpenter + +commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream. + +The "pipe" variable is a u8 which comes from the network. If it's more +than 127, then it results in memory corruption in the caller, +nci_hci_connect_gate(). + +Cc: stable@vger.kernel.org +Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Reviewed-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/nci/hci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -542,6 +542,8 @@ static u8 nci_hci_create_pipe(struct nci + + pr_debug("pipe created=%d\n", pipe); + ++ if (pipe >= NCI_HCI_MAX_PIPES) ++ pipe = NCI_HCI_INVALID_PIPE; + return pipe; + } + diff --git a/queue-6.6/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch b/queue-6.6/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch new file mode 100644 index 0000000000..eb3a372d3f --- /dev/null +++ b/queue-6.6/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch 
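Review bot: Mapping an out-of-range `pipe` to `NCI_HCI_INVALID_PIPE` removes the out-of-bounds index in the caller, but the status that nci_hci_create_pipe() hands back through its result out-parameter is set earlier, outside this hunk, and is presumably still the success value of the command at this point. If nci_hci_connect_gate() returns that status when it sees `NCI_HCI_INVALID_PIPE`, a response from the peer carrying a bad pipe id would be reported as a successful connect with no pipe recorded. Consider setting an error status in the same branch as `pipe = NCI_HCI_INVALID_PIPE;`, and adding a one-line comment that `pipe` is taken from the remote response and must be range-checked.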
@@ -0,0 +1,58 @@ +From 6438ef381c183444f7f9d1de18f22661cba1e946 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Sat, 25 Jan 2025 07:20:53 +0900 +Subject: nilfs2: fix possible int overflows in nilfs_fiemap() + +From: Nikita Zhandarovich + +commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream. + +Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result +by being prepared to go through potentially maxblocks == INT_MAX blocks, +the value in n may experience an overflow caused by left shift of blkbits. + +While it is extremely unlikely to occur, play it safe and cast right hand +expression to wider type to mitigate the issue. + +Found by Linux Verification Center (linuxtesting.org) with static analysis +tool SVACE. + +Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com +Fixes: 622daaff0a89 ("nilfs2: fiemap support") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -1267,7 +1267,7 @@ int nilfs_fiemap(struct inode *inode, st + if (size) { + if (phys && blkphy << blkbits == phys + size) { + /* The current extent goes on */ +- size += n << blkbits; ++ size += (u64)n << blkbits; + } else { + /* Terminate the current extent */ + ret = fiemap_fill_next_extent( +@@ -1280,14 +1280,14 @@ int nilfs_fiemap(struct inode *inode, st + flags = FIEMAP_EXTENT_MERGED; + logical = blkoff << blkbits; + phys = blkphy << blkbits; +- size = n << blkbits; ++ size = (u64)n << blkbits; + } + } else { + /* Start a new extent */ + flags = FIEMAP_EXTENT_MERGED; + logical = blkoff << blkbits; + phys = blkphy << blkbits; +- size = n << blkbits; ++ size = (u64)n << blkbits; + } + blkoff += n; + } 
diff --git a/queue-6.6/nvmem-core-improve-range-check-for-nvmem_cell_write.patch b/queue-6.6/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
new file mode 100644
index 0000000000..d931c7ff7d
--- /dev/null
+++ b/queue-6.6/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
@@ -0,0 +1,47 @@ +From 31507fc2ad36e0071751a710449db19c85d82a7f Mon Sep 17 00:00:00 2001 +From: Jennifer Berringer +Date: Mon, 30 Dec 2024 14:19:01 +0000 +Subject: nvmem: core: improve range check for nvmem_cell_write() + +From: Jennifer Berringer + +commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream. + +When __nvmem_cell_entry_write() is called for an nvmem cell that does +not need bit shifting, it requires that the len parameter exactly +matches the nvmem cell size. However, when the nvmem cell has a nonzero +bit_offset, it was skipping this check. + +Accepting values of len larger than the cell size results in +nvmem_cell_prepare_write_buffer() trying to write past the end of a heap +buffer that it allocates. Add a check to avoid that problem and instead +return -EINVAL when len doesn't match the number of bits expected by the +nvmem cell when bit_offset is nonzero. + +This check uses cell->nbits in order to allow providing the smaller size +to cells that are shifted into another byte by bit_offset. For example, +a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should +accept a 1-byte write here, although no current callers depend on this. + +Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") +Cc: stable@vger.kernel.org +Signed-off-by: Jennifer Berringer +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -1725,6 +1725,8 @@ static int __nvmem_cell_entry_write(stru + return -EINVAL; + + if (cell->bit_offset || cell->nbits) { ++ if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes) ++ return -EINVAL; + buf = nvmem_cell_prepare_write_buffer(cell, buf, len); + if (IS_ERR(buf)) + return PTR_ERR(buf); 
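Review bot: The added length check still accepts `len == 0` when `cell->nbits` is 0 and `cell->bit_offset` is non-zero, because the enclosing condition is `cell->bit_offset || cell->nbits` and `BITS_TO_BYTES(0)` evaluates to 0. Whether a cell can be registered in that state is not visible here, and neither is what nvmem_cell_prepare_write_buffer() does with a zero length. If the combination is invalid, rejecting it explicitly keeps the heap-buffer bound from the commit message complete: `if (!len || (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes))`. __nvmem_cell_entry_write() starts and ends outside the hunk.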
diff --git a/queue-6.6/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch b/queue-6.6/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
new file mode 100644
index 0000000000..c1202c6373
--- /dev/null
+++ b/queue-6.6/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
@@ -0,0 +1,58 @@ +From 3c9e2cb6cecf65f7501004038c5d1ed85fb7db84 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Mon, 30 Dec 2024 14:18:57 +0000 +Subject: nvmem: imx-ocotp-ele: fix reading from non zero offset + +From: Sascha Hauer + +commit 3c9e2cb6cecf65f7501004038c5d1ed85fb7db84 upstream. + +In imx_ocotp_reg_read() the offset comes in as bytes and not as words. +This means we have to divide offset by 4 to get to the correct word +offset. + +Also the incoming offset might not be word aligned. In order to read +from the OCOTP the driver aligns down the previous word boundary and +reads from there. This means we have to skip this alignment offset from +the temporary buffer when copying the data to the output buffer. + +Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP") +Signed-off-by: Sascha Hauer +Cc: stable +Reviewed-by: Peng Fan +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20241230141901.263976-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/imx-ocotp-ele.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/nvmem/imx-ocotp-ele.c ++++ b/drivers/nvmem/imx-ocotp-ele.c +@@ -70,12 +70,14 @@ static int imx_ocotp_reg_read(void *cont + u32 *buf; + void *p; + int i; ++ u8 skipbytes; + + if (offset + bytes > priv->data->size) + bytes = priv->data->size - offset; + +- index = offset; +- num_bytes = round_up(bytes, 4); ++ index = offset >> 2; ++ skipbytes = offset - (index << 2); ++ num_bytes = round_up(bytes + skipbytes, 4); + count = num_bytes >> 2; + + p = kzalloc(num_bytes, GFP_KERNEL); +@@ -96,7 +98,7 @@ static int imx_ocotp_reg_read(void *cont + *buf++ = readl_relaxed(reg + (i << 2)); + } + +- memcpy(val, (u8 *)p, bytes); ++ memcpy(val, ((u8 *)p) + skipbytes, bytes); + + mutex_unlock(&priv->lock); + 
diff --git a/queue-6.6/nvmem-imx-ocotp-ele-set-word-length-to-1.patch b/queue-6.6/nvmem-imx-ocotp-ele-set-word-length-to-1.patch
new file mode 100644
index 0000000000..13d4f733be
--- /dev/null
+++ b/queue-6.6/nvmem-imx-ocotp-ele-set-word-length-to-1.patch
@@ -0,0 +1,45 @@ +From 1b2cb4d0b5b6a9d9fe78470704309ec75f8a1c3a Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Mon, 30 Dec 2024 14:18:59 +0000 +Subject: nvmem: imx-ocotp-ele: set word length to 1 + +From: Sascha Hauer + +commit 1b2cb4d0b5b6a9d9fe78470704309ec75f8a1c3a upstream. + +The ELE hardware internally has a word length of 4. However, among other +things we store MAC addresses in the ELE OCOTP. With a length of 6 bytes +these are naturally unaligned to the word length. Therefore we must +support unaligned reads in reg_read() and indeed it works properly when +reg_read() is called via nvmem_reg_read(). Setting the word size to 4 +has the only visible effect that doing unaligned reads from userspace +via bin_attr_nvmem_read() do not work because they are rejected by that +function. + +Given that we have to abstract from word accesses to byte accesses in +the driver, set the word size to 1. This allows bytewise accesses from +userspace to be able to test what the driver has to support anyway. + +Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP") +Signed-off-by: Sascha Hauer +Cc: stable +Reviewed-by: Peng Fan +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20241230141901.263976-5-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/imx-ocotp-ele.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvmem/imx-ocotp-ele.c ++++ b/drivers/nvmem/imx-ocotp-ele.c +@@ -129,7 +129,7 @@ static int imx_ele_ocotp_probe(struct pl + priv->config.owner = THIS_MODULE; + priv->config.size = priv->data->size; + priv->config.reg_read = priv->data->reg_read; +- priv->config.word_size = 4; ++ priv->config.word_size = 1; + priv->config.stride = 1; + priv->config.priv = priv; + priv->config.read_only = true; 
diff --git a/queue-6.6/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch b/queue-6.6/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch new file mode 100644 index 0000000000..15f64ca2d4 --- /dev/null +++ b/queue-6.6/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch @@ -0,0 +1,42 @@ +From 343aa1e289e8e3dba5e3d054c4eb27da7b4e1ecc Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Mon, 30 Dec 2024 14:18:56 +0000 +Subject: nvmem: imx-ocotp-ele: simplify read beyond device check + +From: Sascha Hauer + +commit 343aa1e289e8e3dba5e3d054c4eb27da7b4e1ecc upstream. + +Do the read beyond device check on function entry in bytes instead of +32bit words which is easier to follow. + +Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP") +Signed-off-by: Sascha Hauer +Cc: stable +Reviewed-by: Peng Fan +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20241230141901.263976-2-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/imx-ocotp-ele.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/nvmem/imx-ocotp-ele.c ++++ b/drivers/nvmem/imx-ocotp-ele.c +@@ -71,13 +71,13 @@ static int imx_ocotp_reg_read(void *cont + void *p; + int i; + ++ if (offset + bytes > priv->data->size) ++ bytes = priv->data->size - offset; ++ + index = offset; + num_bytes = round_up(bytes, 4); + count = num_bytes >> 2; + +- if (count > ((priv->data->size >> 2) - index)) +- count = (priv->data->size >> 2) - index; +- + p = kzalloc(num_bytes, GFP_KERNEL); + if (!p) + return -ENOMEM; diff --git a/queue-6.6/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch b/queue-6.6/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch new file mode 100644 index 0000000000..e712d898e3 --- /dev/null +++ b/queue-6.6/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch 
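Review bot: The added clamp `if (offset + bytes > priv->data->size) bytes = priv->data->size - offset;` in the imx-ocotp-ele "simplify read beyond device check" patch does not handle `offset` already being past the end of the device, where the subtraction wraps to a very large `bytes`. The sum `offset + bytes` can also wrap, depending on the parameter types, which are cut off in the hunk header. Callers of imx_ocotp_reg_read() are not visible here, so the range may already be validated by the nvmem core for some paths, but an early `if (offset >= priv->data->size) return -EINVAL;` before the clamp would make the function safe on its own. The same lines appear as context in the "fix reading from non zero offset" patch, where the wrapped `bytes` would also reach the new `memcpy(val, ((u8 *)p) + skipbytes, bytes);`.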
@@ -0,0 +1,41 @@ +From e88f516ea417c71bb3702603ac6af9e95338cfa6 Mon Sep 17 00:00:00 2001 +From: Luca Weiss +Date: Mon, 30 Dec 2024 14:19:00 +0000 +Subject: nvmem: qcom-spmi-sdam: Set size in struct nvmem_config + +From: Luca Weiss + +commit e88f516ea417c71bb3702603ac6af9e95338cfa6 upstream. + +Let the nvmem core know what size the SDAM is, most notably this fixes +the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes +user space work with that file. + + ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem + 00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................| + 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 00000080 + +Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver") +Cc: stable@vger.kernel.org +Signed-off-by: Luca Weiss +Reviewed-by: Vladimir Zapolskiy +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20241230141901.263976-6-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/qcom-spmi-sdam.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nvmem/qcom-spmi-sdam.c ++++ b/drivers/nvmem/qcom-spmi-sdam.c +@@ -144,6 +144,7 @@ static int sdam_probe(struct platform_de + sdam->sdam_config.owner = THIS_MODULE; + sdam->sdam_config.add_legacy_fixed_of_cells = true; + sdam->sdam_config.stride = 1; ++ sdam->sdam_config.size = sdam->size; + sdam->sdam_config.word_size = 1; + sdam->sdam_config.reg_read = sdam_read; + sdam->sdam_config.reg_write = sdam_write; diff --git a/queue-6.6/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch b/queue-6.6/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch new file mode 100644 index 0000000000..91f4a59adb --- /dev/null +++ b/queue-6.6/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch 
@@ -0,0 +1,41 @@ +From f921da2c34692dfec5f72b5ae347b1bea22bb369 Mon Sep 17 00:00:00 2001 +From: Heming Zhao +Date: Tue, 21 Jan 2025 19:22:03 +0800 +Subject: ocfs2: fix incorrect CPU endianness conversion causing mount failure + +From: Heming Zhao + +commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream. + +Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()") +introduced a regression bug. The blksz_bits value is already converted to +CPU endian in the previous code; therefore, the code shouldn't use +le32_to_cpu() anymore. + +Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com +Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()") +Signed-off-by: Heming Zhao +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -2343,7 +2343,7 @@ static int ocfs2_verify_volume(struct oc + mlog(ML_ERROR, "found superblock with incorrect block " + "size bits: found %u, should be 9, 10, 11, or 12\n", + blksz_bits); +- } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) { ++ } else if ((1 << blksz_bits) != blksz) { + mlog(ML_ERROR, "found superblock with incorrect block " + "size: found %u, should be %u\n", 1 << blksz_bits, blksz); + } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) != diff --git a/queue-6.6/ocfs2-handle-a-symlink-read-error-correctly.patch b/queue-6.6/ocfs2-handle-a-symlink-read-error-correctly.patch new file mode 100644 index 0000000000..94af19fa33 --- /dev/null +++ b/queue-6.6/ocfs2-handle-a-symlink-read-error-correctly.patch 
@@ -0,0 +1,65 @@ +From 2b4c2094da6d84e69b843dd3317902e977bf64bd Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Thu, 5 Dec 2024 17:16:29 +0000 +Subject: ocfs2: handle a symlink read error correctly + +From: Matthew Wilcox (Oracle) + +commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream. + +Patch series "Convert ocfs2 to use folios". + +Mark did a conversion of ocfs2 to use folios and sent it to me as a +giant patch for review ;-) + +So I've redone it as individual patches, and credited Mark for the patches +where his code is substantially the same. It's not a bad way to do it; +his patch had some bugs and my patches had some bugs. Hopefully all our +bugs were different from each other. And hopefully Mark likes all the +changes I made to his code! + + +This patch (of 23): + +If we can't read the buffer, be sure to unlock the page before returning. + +Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org +Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Mark Tinguely +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/symlink.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/symlink.c ++++ b/fs/ocfs2/symlink.c +@@ -65,7 +65,7 @@ static int ocfs2_fast_symlink_read_folio + + if (status < 0) { + mlog_errno(status); +- return status; ++ goto out; + } + + fe = (struct ocfs2_dinode *) bh->b_data; +@@ -76,9 +76,10 @@ static int ocfs2_fast_symlink_read_folio + memcpy(kaddr, link, len + 1); + kunmap_atomic(kaddr); + SetPageUptodate(page); ++out: + unlock_page(page); + brelse(bh); +- return 0; ++ return status; + } + + const struct address_space_operations ocfs2_fast_symlink_aops = { 
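Review bot: The new `out:` label makes the failure path run `brelse(bh)` as well as `unlock_page(page)`, which is only correct if `bh` is NULL or a valid buffer when the inode block read fails. The declaration of `bh` and the read call are outside this hunk, so that cannot be confirmed here. A short comment at the label, `/* bh is NULL if the read failed; brelse() accepts that */`, would record the assumption for anyone who later reorders the function.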
diff --git a/queue-6.6/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch b/queue-6.6/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
new file mode 100644
index 0000000000..65dc2bba45
--- /dev/null
+++ b/queue-6.6/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
@@ -0,0 +1,44 @@ +From 459915f55509f4bfd6076daa1428e28490ddee3b Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Wed, 6 Nov 2024 23:04:39 +0100 +Subject: pinctrl: samsung: fix fwnode refcount cleanup if platform_get_irq_optional() fails + +From: Javier Carrasco + +commit 459915f55509f4bfd6076daa1428e28490ddee3b upstream. + +Commit 50ebd19e3585 ("pinctrl: samsung: drop pin banks references on +error paths") fixed the pin bank references on the error paths of the +probe function, but there is still an error path where this is not done. + +If samsung_pinctrl_get_soc_data() does not fail, the child references +will have acquired, and they will need to be released in the error path +of platform_get_irq_optional(), as it is done in the following error +paths within the probe function. + +Replace the direct return in the error path with a goto instruction to +the cleanup function. + +Cc: stable@vger.kernel.org +Fixes: a382d568f144 ("pinctrl: samsung: Use platform_get_irq_optional() to get the interrupt") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20241106-samsung-pinctrl-put-v1-1-de854e26dd03@gmail.com +[krzysztof: change Fixes SHA to point to commit introducing the return + leading to OF node leak] +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -1150,7 +1150,7 @@ static int samsung_pinctrl_probe(struct + + ret = platform_get_irq_optional(pdev, 0); + if (ret < 0 && ret != -ENXIO) +- return ret; ++ goto err_put_banks; + if (ret > 0) + drvdata->irq = ret; + diff --git a/queue-6.6/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch b/queue-6.6/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch new file mode 100644 index 0000000000..725efbbe86 --- /dev/null 
+++ b/queue-6.6/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch 
@@ -0,0 +1,78 @@
+From eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Thu, 16 Jan 2025 20:05:39 -0500
+Subject: pnfs/flexfiles: retry getting layout segment for reads
+
+From: Mike Snitzer
+
+commit eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca upstream.
+
+If ff_layout_pg_get_read()'s attempt to get a layout segment results
+in -EAGAIN have ff_layout_pg_init_read() retry it after sleeping.
+
+If "softerr" mount is used, use 'io_maxretrans' to limit the number of
+attempts to get a layout segment.
+
+This fixes a long-standing issue of O_DIRECT reads failing with
+-EAGAIN (11) when using flexfiles Client Side Mirroring (CSM).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -839,6 +839,9 @@ ff_layout_pg_init_read(struct nfs_pageio
+ struct nfs4_pnfs_ds *ds;
+ u32 ds_idx;
+
++ if (NFS_SERVER(pgio->pg_inode)->flags &
++ (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
++ pgio->pg_maxretrans = io_maxretrans;
+ retry:
+ ff_layout_pg_check_layout(pgio, req);
+ /* Use full layout for now */
+@@ -852,6 +855,8 @@ retry:
+ if (!pgio->pg_lseg)
+ goto out_nolseg;
+ }
++ /* Reset wb_nio, since getting layout segment was successful */
++ req->wb_nio = 0;
+
+ ds = ff_layout_get_ds_for_read(pgio, &ds_idx);
+ if (!ds) {
+@@ -868,14 +873,24 @@ retry:
+ pgm->pg_bsize = mirror->mirror_ds->ds_versions[0].rsize;
+
+ pgio->pg_mirror_idx = ds_idx;
+-
+- if (NFS_SERVER(pgio->pg_inode)->flags &
+- (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
+- pgio->pg_maxretrans = io_maxretrans;
+ return;
+ out_nolseg:
+- if (pgio->pg_error < 0)
+- return;
++ if (pgio->pg_error < 0) {
++ if (pgio->pg_error != -EAGAIN)
++ return;
++ /* Retry getting layout segment if lower layer returned -EAGAIN */
++ if (pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans) {
++ if (NFS_SERVER(pgio->pg_inode)->flags & NFS_MOUNT_SOFTERR)
++ pgio->pg_error = -ETIMEDOUT;
++ else
++ pgio->pg_error = -EIO;
++ return;
++ }
++ pgio->pg_error = 0;
++ /* Sleep for 1 second before retrying */
++ ssleep(1);
++ goto retry;
++ }
+ out_mds:
+ trace_pnfs_mds_fallback_pg_init_read(pgio->pg_inode,
+ 0, NFS4_MAX_UINT64, IOMODE_READ,
diff --git a/queue-6.6/ptp-ensure-info-enable-callback-is-always-set.patch b/queue-6.6/ptp-ensure-info-enable-callback-is-always-set.patch
new file mode 100644
index 0000000000..4bc47c0ecd
--- /dev/null
+++ b/queue-6.6/ptp-ensure-info-enable-callback-is-always-set.patch
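Review bot: The retry added under `out_nolseg` has no upper bound when `pgio->pg_maxretrans` is 0, because the `pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans` test is then skipped and every -EAGAIN ends in `ssleep(1); goto retry;`. The first hunk sets pg_maxretrans only for NFS_MOUNT_SOFT/NFS_MOUNT_SOFTERR, so this is presumably the hard-mount case (the field's initial value is not visible here). ssleep() does not return early on a signal, so a task looping here cannot be killed while the lower layer keeps returning -EAGAIN; a check such as `if (fatal_signal_pending(current)) { pgio->pg_error = -EINTR; return; }` before the sleep would give it a way out. ff_layout_pg_init_read() starts and ends outside these hunks.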
@@ -0,0 +1,54 @@
+From fd53aa40e65f518453115b6f56183b0c201db26b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Thu, 23 Jan 2025 08:22:40 +0100
+Subject: ptp: Ensure info->enable callback is always set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
+
+The ioctl and sysfs handlers unconditionally call the ->enable callback.
+Not all drivers implement that callback, leading to NULL dereferences.
+Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
+
+Instead use a dummy callback if no better was specified by the driver.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh
+Acked-by: Richard Cochran
+Reviewed-by: Michal Swiatkowski
+Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ptp/ptp_clock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -189,6 +189,11 @@ static int ptp_getcycles64(struct ptp_cl
+ return info->gettime64(info, ts);
+ }
+
++static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
++{
++ return -EOPNOTSUPP;
++}
++
+ static void ptp_aux_kworker(struct kthread_work *work)
+ {
+ struct ptp_clock *ptp = container_of(work, struct ptp_clock,
+@@ -251,6 +256,9 @@ struct ptp_clock *ptp_clock_register(str
+ ptp->info->getcrosscycles = ptp->info->getcrosststamp;
+ }
+
++ if (!ptp->info->enable)
++ ptp->info->enable = ptp_enable;
++
+ if (ptp->info->do_aux_work) {
+ kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
+ ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
diff --git a/queue-6.6/rtc-zynqmp-fix-optional-clock-name-property.patch b/queue-6.6/rtc-zynqmp-fix-optional-clock-name-property.patch
new file mode 100644
index 0000000000..bb84807c4d
--- /dev/null
+++ b/queue-6.6/rtc-zynqmp-fix-optional-clock-name-property.patch
@@ -0,0 +1,39 @@
+From 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 Mon Sep 17 00:00:00 2001
+From: Michal Simek
+Date: Wed, 27 Nov 2024 17:01:22 +0100
+Subject: rtc: zynqmp: Fix optional clock name property
+
+From: Michal Simek
+
+commit 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 upstream.
+
+Clock description in DT binding introduced by commit f69060c14431
+("dt-bindings: rtc: zynqmp: Add clock information") is talking about "rtc"
+clock name but driver is checking "rtc_clk" name instead.
+Because clock is optional property likely in was never handled properly by
+the driver.
+
+Fixes: 07dcc6f9c762 ("rtc: zynqmp: Add calibration set and get support")
+Signed-off-by: Michal Simek
+Cc: stable@kernel.org
+Reviewed-by: Peter Korsgaard
+Link: https://lore.kernel.org/r/cd5f0c9d01ec1f5a240e37a7e0d85b8dacb3a869.1732723280.git.michal.simek@amd.com
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-zynqmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-zynqmp.c
++++ b/drivers/rtc/rtc-zynqmp.c
+@@ -318,8 +318,8 @@ static int xlnx_rtc_probe(struct platfor
+ return ret;
+ }
+
+- /* Getting the rtc_clk info */
+- xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc_clk");
++ /* Getting the rtc info */
++ xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc");
+ if (IS_ERR(xrtcdev->rtc_clk)) {
+ if (PTR_ERR(xrtcdev->rtc_clk) != -EPROBE_DEFER)
+ dev_warn(&pdev->dev, "Device clock not found.\n");
diff --git a/queue-6.6/rtla-add-trace_instance_stop.patch b/queue-6.6/rtla-add-trace_instance_stop.patch
new file mode 100644
index 0000000000..bcd1987dab
--- /dev/null
+++ b/queue-6.6/rtla-add-trace_instance_stop.patch
@@ -0,0 +1,55 @@
+From e879b5dcf8d044f3865a32d95cc5b213f314c54f Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:27 +0100
+Subject: rtla: Add trace_instance_stop
+
+From: Tomas Glozar
+
+commit e879b5dcf8d044f3865a32d95cc5b213f314c54f upstream.
+
+Support not only turning trace on for the timerlat tracer, but also
+turning it off.
+
+This will be used in subsequent patches to stop the timerlat tracer
+without also wiping the trace buffer.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/trace.c | 8 ++++++++
+ tools/tracing/rtla/src/trace.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/tools/tracing/rtla/src/trace.c
++++ b/tools/tracing/rtla/src/trace.c
+@@ -197,6 +197,14 @@ int trace_instance_start(struct trace_in
+ }
+
+ /*
++ * trace_instance_stop - stop tracing a given rtla instance
++ */
++int trace_instance_stop(struct trace_instance *trace)
++{
++ return tracefs_trace_off(trace->inst);
++}
++
++/*
+ * trace_events_free - free a list of trace events
+ */
+ static void trace_events_free(struct trace_events *events)
+--- a/tools/tracing/rtla/src/trace.h
++++ b/tools/tracing/rtla/src/trace.h
+@@ -21,6 +21,7 @@ struct trace_instance {
+
+ int trace_instance_init(struct trace_instance *trace, char *tool_name);
+ int trace_instance_start(struct trace_instance *trace);
++int trace_instance_stop(struct trace_instance *trace);
+ void trace_instance_destroy(struct trace_instance *trace);
+
+ struct trace_seq *get_trace_seq(void);
diff --git a/queue-6.6/rtla-osnoise-distinguish-missing-workload-option.patch b/queue-6.6/rtla-osnoise-distinguish-missing-workload-option.patch
new file mode 100644
index 0000000000..f835627d83
--- /dev/null
+++ b/queue-6.6/rtla-osnoise-distinguish-missing-workload-option.patch
@@ -0,0 +1,36 @@
+From 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Tue, 7 Jan 2025 15:48:21 +0100
+Subject: rtla/osnoise: Distinguish missing workload option
+
+From: Tomas Glozar
+
+commit 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c upstream.
+
+osnoise_set_workload returns -1 for both missing OSNOISE_WORKLOAD option
+and failure in setting the option.
+
+Return -1 for missing and -2 for failure to distinguish them.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Link: https://lore.kernel.org/20250107144823.239782-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/osnoise.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/osnoise.c
++++ b/tools/tracing/rtla/src/osnoise.c
+@@ -867,7 +867,7 @@ int osnoise_set_workload(struct osnoise_
+
+ retval = osnoise_options_set_option("OSNOISE_WORKLOAD", onoff);
+ if (retval < 0)
+- return -1;
++ return -2;
+
+ context->opt_workload = onoff;
+
diff --git a/queue-6.6/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch b/queue-6.6/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
new file mode 100644
index 0000000000..27da2b04e5
--- /dev/null
+++ b/queue-6.6/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
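Review bot: `return -2;` gives osnoise_set_workload() a second bare error literal, and the distinction only holds if every caller compares against the exact values, as the timerlat_hist and timerlat_top patches in this queue do with `if (retval < -1)`. A comment at the function stating the contract, for example `/* returns 0 on success, -1 if OSNOISE_WORKLOAD is not available, -2 if setting it failed */`, would keep a later `if (retval)` or `if (retval < 0)` caller from silently merging the two cases again. The function's header is outside the hunk, so an existing comment there may only need updating.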
@@ -0,0 +1,72 @@
+From d8d866171a414ed88bd0d720864095fd75461134 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Tue, 7 Jan 2025 15:48:22 +0100
+Subject: rtla/timerlat_hist: Set OSNOISE_WORKLOAD for kernel threads
+
+From: Tomas Glozar
+
+commit d8d866171a414ed88bd0d720864095fd75461134 upstream.
+
+When using rtla timerlat with userspace threads (-u or -U), rtla
+disables the OSNOISE_WORKLOAD option in
+/sys/kernel/tracing/osnoise/options. This option is not re-enabled in a
+subsequent run with kernel-space threads, leading to rtla collecting no
+results if the previous run exited abnormally:
+
+$ rtla timerlat hist -u
+^\Quit (core dumped)
+$ rtla timerlat hist -k -d 1s
+Index
+over:
+count:
+min:
+avg:
+max:
+ALL: IRQ Thr Usr
+count: 0 0 0
+min: - - -
+avg: - - -
+max: - - -
+
+The issue persists until OSNOISE_WORKLOAD is set manually by running:
+$ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+
+Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if
+available to fix the issue.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Link: https://lore.kernel.org/20250107144823.239782-3-tglozar@redhat.com
+Fixes: ed774f7481fa ("rtla/timerlat_hist: Add timerlat user-space support")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -900,12 +900,15 @@ timerlat_hist_apply_config(struct osnois
+ auto_house_keeping(¶ms->monitored_cpus);
+ }
+
+- if (params->user_hist) {
+- retval = osnoise_set_workload(tool->context, 0);
+- if (retval) {
+- err_msg("Failed to set OSNOISE_WORKLOAD option\n");
+- goto out_err;
+- }
++ /*
++ * Set workload according to type of thread if the kernel supports it.
++ * On kernels without support, user threads will have already failed
++ * on missing timerlat_fd, and kernel threads do not need it.
++ */
++ retval = osnoise_set_workload(tool->context, params->kernel_workload);
++ if (retval < -1) {
++ err_msg("Failed to set OSNOISE_WORKLOAD option\n");
++ goto out_err;
+ }
+
+ return 0;
diff --git a/queue-6.6/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch b/queue-6.6/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
new file mode 100644
index 0000000000..a0fa5e39dd
--- /dev/null
+++ b/queue-6.6/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
@@ -0,0 +1,71 @@
+From c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:28 +0100
+Subject: rtla/timerlat_hist: Stop timerlat tracer on signal
+
+From: Tomas Glozar
+
+commit c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-3-tglozar@redhat.com
+Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -949,9 +949,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *hist_inst = NULL;
+ static void stop_hist(int sig)
+ {
+ stop_tracing = 1;
++ if (hist_inst)
++ trace_instance_stop(hist_inst);
+ }
+
+ /*
+@@ -997,6 +1000,12 @@ int timerlat_hist_main(int argc, char *a
+ }
+
+ trace = &tool->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ hist_inst = trace;
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -1129,7 +1138,7 @@ int timerlat_hist_main(int argc, char *a
+
+ return_value = 0;
+
+- if (trace_is_off(&tool->trace, &record->trace)) {
++ if (trace_is_off(&tool->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+
+ if (!params->no_aa)
diff --git a/queue-6.6/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch b/queue-6.6/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
new file mode 100644
index 0000000000..d2887a3323
--- /dev/null
+++ b/queue-6.6/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
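Review bot: `stop_hist()` now calls `trace_instance_stop(hist_inst)` from signal context, and nothing visible here shows that the libtracefs call behind it (`tracefs_trace_off()`, per the rtla-add-trace_instance_stop patch in this queue) is async-signal-safe; if it allocates or takes a lock, a signal that interrupts the main loop inside the same library could deadlock or corrupt its state. The handler also works on two plain globals: `stop_tracing` would be safer as `static volatile sig_atomic_t stop_tracing;`, and `hist_inst` is never cleared in these hunks, so `hist_inst = NULL;` should run before the trace instance is destroyed, otherwise a late SIGINT or SIGALRM reaches a stale pointer. The teardown path of timerlat_hist_main() is outside the hunks, so confirm it there. The same points apply to `stop_top()` and `top_inst` in the timerlat_top stop-on-signal patch later in this queue.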
@@ -0,0 +1,64 @@
+From 217f0b1e990e30a1f06f6d531fdb4530f4788d48 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Tue, 7 Jan 2025 15:48:23 +0100
+Subject: rtla/timerlat_top: Set OSNOISE_WORKLOAD for kernel threads
+
+From: Tomas Glozar
+
+commit 217f0b1e990e30a1f06f6d531fdb4530f4788d48 upstream.
+
+When using rtla timerlat with userspace threads (-u or -U), rtla
+disables the OSNOISE_WORKLOAD option in
+/sys/kernel/tracing/osnoise/options. This option is not re-enabled in a
+subsequent run with kernel-space threads, leading to rtla collecting no
+results if the previous run exited abnormally:
+
+$ rtla timerlat top -u
+^\Quit (core dumped)
+$ rtla timerlat top -k -d 1s
+ Timer Latency
+ 0 00:00:01 | IRQ Timer Latency (us) | Thread Timer Latency (us)
+CPU COUNT | cur min avg max | cur min avg max
+
+The issue persists until OSNOISE_WORKLOAD is set manually by running:
+$ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+
+Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if
+available to fix the issue.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Link: https://lore.kernel.org/20250107144823.239782-4-tglozar@redhat.com
+Fixes: cdca4f4e5e8e ("rtla/timerlat_top: Add timerlat user-space support")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_top.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -679,12 +679,15 @@ timerlat_top_apply_config(struct osnoise
+ auto_house_keeping(¶ms->monitored_cpus);
+ }
+
+- if (params->user_top) {
+- retval = osnoise_set_workload(top->context, 0);
+- if (retval) {
+- err_msg("Failed to set OSNOISE_WORKLOAD option\n");
+- goto out_err;
+- }
++ /*
++ * Set workload according to type of thread if the kernel supports it.
++ * On kernels without support, user threads will have already failed
++ * on missing timerlat_fd, and kernel threads do not need it.
++ */
++ retval = osnoise_set_workload(top->context, params->kernel_workload);
++ if (retval < -1) {
++ err_msg("Failed to set OSNOISE_WORKLOAD option\n");
++ goto out_err;
+ }
+
+ return 0;
diff --git a/queue-6.6/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch b/queue-6.6/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
new file mode 100644
index 0000000000..7dc7e61dcc
--- /dev/null
+++ b/queue-6.6/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
@@ -0,0 +1,72 @@
+From a4dfce7559d75430c464294ddee554be2a413c4a Mon Sep 17 00:00:00 2001
+From: Tomas Glozar
+Date: Thu, 16 Jan 2025 15:49:29 +0100
+Subject: rtla/timerlat_top: Stop timerlat tracer on signal
+
+From: Tomas Glozar
+
+commit a4dfce7559d75430c464294ddee554be2a413c4a upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-4-tglozar@redhat.com
+Fixes: a828cd18bc4a ("rtla: Add timerlat tool and timelart top mode")
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/tracing/rtla/src/timerlat_top.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -728,9 +728,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *top_inst = NULL;
+ static void stop_top(int sig)
+ {
+ stop_tracing = 1;
++ if (top_inst)
++ trace_instance_stop(top_inst);
+ }
+
+ /*
+@@ -777,6 +780,13 @@ int timerlat_top_main(int argc, char *ar
+ }
+
+ trace = &top->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ top_inst = trace;
++
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -925,7 +935,7 @@ int timerlat_top_main(int argc, char *ar
+
+ return_value = 0;
+
+- if (trace_is_off(&top->trace, &record->trace)) {
++ if (trace_is_off(&top->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+
+ if (!params->no_aa)
diff --git a/queue-6.6/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch b/queue-6.6/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
new file mode 100644
index 0000000000..f7834d46be
--- /dev/null
+++ b/queue-6.6/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
@@ -0,0 +1,34 @@
+From 4ebc417ef9cb34010a71270421fe320ec5d88aa2 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka
+Date: Fri, 10 Jan 2025 11:36:33 +0100
+Subject: scripts/gdb: fix aarch64 userspace detection in get_current_task
+
+From: Jan Kiszka
+
+commit 4ebc417ef9cb34010a71270421fe320ec5d88aa2 upstream.
+
+At least recent gdb releases (seen with 14.2) return SP_EL0 as signed long
+which lets the right-shift always return 0.
+
+Link: https://lkml.kernel.org/r/dcd2fabc-9131-4b48-8419-6444e2d67454@siemens.com
+Signed-off-by: Jan Kiszka
+Cc: Barry Song
+Cc: Kieran Bingham
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/gdb/linux/cpus.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/gdb/linux/cpus.py
++++ b/scripts/gdb/linux/cpus.py
+@@ -172,7 +172,7 @@ def get_current_task(cpu):
+ var_ptr = gdb.parse_and_eval("&pcpu_hot.current_task")
+ return per_cpu(var_ptr, cpu).dereference()
+ elif utils.is_target_arch("aarch64"):
+- current_task_addr = gdb.parse_and_eval("$SP_EL0")
++ current_task_addr = gdb.parse_and_eval("(unsigned long)$SP_EL0")
+ if (current_task_addr >> 63) != 0:
+ current_task = current_task_addr.cast(task_ptr_type)
+ return current_task.dereference()
diff --git a/queue-6.6/selftests-mptcp-connect-f-no-reconnect.patch b/queue-6.6/selftests-mptcp-connect-f-no-reconnect.patch
new file mode 100644
index 0000000000..524bcea739
--- /dev/null
+++ b/queue-6.6/selftests-mptcp-connect-f-no-reconnect.patch
@@ -0,0 +1,45 @@
+From 5368a67307b3b2c347dc8965ac55b888be665934 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Tue, 4 Feb 2025 23:19:53 +0100
+Subject: selftests: mptcp: connect: -f: no reconnect
+
+From: Matthieu Baerts (NGI0)
+
+commit 5368a67307b3b2c347dc8965ac55b888be665934 upstream.
+
+The '-f' parameter is there to force the kernel to emit MPTCP FASTCLOSE
+by closing the connection with unread bytes in the receive queue.
+
+The xdisconnect() helper was used to stop the connection, but it does
+more than that: it will shut it down, then wait before reconnecting to
+the same address. This causes the mptcp_join's "fastclose test" to fail
+all the time.
+
+This failure is due to a recent change, with commit 218cc166321f
+("selftests: mptcp: avoid spurious errors on disconnect"), but that went
+unnoticed because the test is currently ignored. The recent modification
+only shown an existing issue: xdisconnect() doesn't need to be used
+here, only the shutdown() part is needed.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250204-net-mptcp-sft-conn-f-v1-1-6b470c72fffa@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1302,7 +1302,7 @@ again:
+ return ret;
+
+ if (cfg_truncate > 0) {
+- xdisconnect(fd);
++ shutdown(fd, SHUT_WR);
+ } else if (--cfg_repeat > 0) {
+ xdisconnect(fd);
+
diff --git a/queue-6.6/series b/queue-6.6/series
index 9652c07477..1d8563eff6 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -215,3 +215,42 @@ media-uvcvideo-fix-event-flags-in-uvc_ctrl_send_events.patch
 media-uvcvideo-support-partial-control-reads.patch
 media-uvcvideo-remove-redundant-null-assignment.patch
 mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects.patch
+ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
+crypto-qce-fix-goto-jump-in-error-path.patch
+crypto-qce-unregister-previously-registered-algos-in-error-path.patch
+nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
+nvmem-core-improve-range-check-for-nvmem_cell_write.patch
+nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch
+nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
+nvmem-imx-ocotp-ele-set-word-length-to-1.patch
+io_uring-fix-multishots-with-selected-buffers.patch
+io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+selftests-mptcp-connect-f-no-reconnect.patch
+pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
+ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
+ocfs2-handle-a-symlink-read-error-correctly.patch
+nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
+mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
+nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
+i3c-master-fix-missing-ret-assignment-in-set_speed.patch
+irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
+mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
+misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch
+misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
+misc-fastrpc-fix-registered-buffer-page-address.patch
+misc-fastrpc-fix-copy-buffer-page-size.patch
+net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
+net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
+maple_tree-simplify-split-calculation.patch
+scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
+tracing-osnoise-fix-resetting-of-tracepoints.patch
+rtla-osnoise-distinguish-missing-workload-option.patch
+rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
+rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
+rtla-add-trace_instance_stop.patch
+rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
+rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
+pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
+ptp-ensure-info-enable-callback-is-always-set.patch
+rtc-zynqmp-fix-optional-clock-name-property.patch
diff --git a/queue-6.6/tracing-osnoise-fix-resetting-of-tracepoints.patch b/queue-6.6/tracing-osnoise-fix-resetting-of-tracepoints.patch
new file mode 100644
index 0000000000..dab1d428dd
--- /dev/null
+++ b/queue-6.6/tracing-osnoise-fix-resetting-of-tracepoints.patch
@@ -0,0 +1,124 @@
+From e3ff4245928f948f3eb2e852aa350b870421c358 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Thu, 23 Jan 2025 20:41:59 -0500
+Subject: tracing/osnoise: Fix resetting of tracepoints
+
+From: Steven Rostedt
+
+commit e3ff4245928f948f3eb2e852aa350b870421c358 upstream.
+
+If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD
+disabled, but then that option is enabled and timerlat is removed, the
+tracepoints that were enabled on timerlat registration do not get
+disabled. If the option is disabled again and timelat is started, then it
+triggers a warning in the tracepoint code due to registering the
+tracepoint again without ever disabling it.
+
+Do not use the same user space defined options to know to disable the
+tracepoints when timerlat is removed. Instead, set a global flag when it
+is enabled and use that flag to know to disable the events.
+
+ ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+ ~# echo timerlat > /sys/kernel/tracing/current_tracer
+ ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+ ~# echo nop > /sys/kernel/tracing/current_tracer
+ ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+ ~# echo timerlat > /sys/kernel/tracing/current_tracer
+
+Triggers:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0
+ Modules linked in:
+ CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ RIP: 0010:tracepoint_add_func+0x3b6/0x3f0
+ Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b
+ RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202
+ RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410
+ RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002
+ R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001
+ R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008
+ FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0
+ Call Trace:
+
+ ? __warn.cold+0xb7/0x14d
+ ? tracepoint_add_func+0x3b6/0x3f0
+ ? report_bug+0xea/0x170
+ ? handle_bug+0x58/0x90
+ ? exc_invalid_op+0x17/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? __pfx_trace_sched_migrate_callback+0x10/0x10
+ ? tracepoint_add_func+0x3b6/0x3f0
+ ? __pfx_trace_sched_migrate_callback+0x10/0x10
+ ? __pfx_trace_sched_migrate_callback+0x10/0x10
+ tracepoint_probe_register+0x78/0xb0
+ ? __pfx_trace_sched_migrate_callback+0x10/0x10
+ osnoise_workload_start+0x2b5/0x370
+ timerlat_tracer_init+0x76/0x1b0
+ tracing_set_tracer+0x244/0x400
+ tracing_set_trace_write+0xa0/0xe0
+ vfs_write+0xfc/0x570
+ ? do_sys_openat2+0x9c/0xe0
+ ksys_write+0x72/0xf0
+ do_syscall_64+0x79/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu
+Cc: Mathieu Desnoyers
+Cc: Tomas Glozar
+Cc: Gabriele Monaco
+Cc: Luis Goncalves
+Cc: John Kacur
+Link: https://lore.kernel.org/20250123204159.4450c88e@gandalf.local.home
+Fixes: e88ed227f639e ("tracing/timerlat: Add user-space interface")
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_osnoise.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1235,6 +1235,8 @@ static void trace_sched_migrate_callback
+ }
+ }
+
++static bool monitor_enabled;
++
+ static int register_migration_monitor(void)
+ {
+ int ret = 0;
+@@ -1243,16 +1245,25 @@ static int register_migration_monitor(vo
+ * Timerlat thread migration check is only required when running timerlat in user-space.
+ * Thus, enable callback only if timerlat is set with no workload.
+ */
+- if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options))
++ if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) {
++ if (WARN_ON_ONCE(monitor_enabled))
++ return 0;
++
+ ret = register_trace_sched_migrate_task(trace_sched_migrate_callback, NULL);
++ if (!ret)
++ monitor_enabled = true;
++ }
+
+ return ret;
+ }
+
+ static void unregister_migration_monitor(void)
+ {
+- if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options))
+- unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL);
++ if (!monitor_enabled)
++ return;
++
++ unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL);
++ monitor_enabled = false;
+ }
+ #else
+ static int register_migration_monitor(void)
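Review bot: `static bool monitor_enabled;` is tested and set in register_migration_monitor() and unregister_migration_monitor() with no locking and no comment in the hunk, so whether two tracer start/stop paths can race on it cannot be judged from here. If the callers already hold a lock that serializes tracer registration, a comment above the flag should say so and name the lock, along the lines of `/* true while the sched_migrate_task probe is registered; serialized by the tracer registration lock */`; if they do not, the test-and-set needs protection of its own. The `WARN_ON_ONCE(monitor_enabled)` branch also returns 0, so after the first warning a repeated registration is reported to the caller as success without any trace of it.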
diff --git a/queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644
index 0000000000..d5d4818d24
--- /dev/null
+++ b/queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh
+Reviewed-by: Eric Auger
+Reviewed-by: Mostafa Saleh
+Tested-by: Mostafa Saleh
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -393,6 +393,11 @@ static ssize_t vfio_platform_read_mmio(s
+
+ count = min_t(size_t, count, reg->size - off);
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap(reg->addr, reg->size);
+@@ -474,6 +479,11 @@ static ssize_t vfio_platform_write_mmio(
+
+ if (off >= reg->size)
+ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
++ if (off >= reg->size)
++ return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+
-- 2.47.2
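Review bot: Both inner hunks add a check and a clamp that their own context lines already contain: in vfio_platform_read_mmio() the context shows `count = min_t(size_t, count, reg->size - off);` directly above the added block, and in vfio_platform_write_mmio() it shows `if (off >= reg->size) return -EINVAL;` directly above and the clamp directly below. That suggests the upstream bounds check is already present in the 6.6 tree and this queue entry applies it a second time. The result still rejects an out-of-range offset before any access, but it leaves duplicated statements, and on the read side a clamp whose `reg->size - off` wraps for `off > reg->size` now runs ahead of the added check (whether an earlier check precedes it is outside the hunk). It is worth comparing against the target tree and dropping the patch from the queue if the check is already there.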