From 3b975e882420c03bd89998f880dd91915d5e2042 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 6 Dec 2024 13:39:47 +0100 Subject: [PATCH] 6.6-stable patches added patches: btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch dm-fix-typo-in-error-message.patch dm-thin-add-missing-destroy_work_on_stack.patch iio-accel-kx022a-fix-raw-read-format.patch iio-adc-ad7923-fix-buffer-overflow-for-tx_buf-and-ring_xfer.patch iio-fix-fwnode_handle-in-__fwnode_iio_channel_get_by_name.patch iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch nfsd-make-sure-exp-active-before-svc_export_show.patch pci-of_property-assign-pci-instead-of-cpu-bus-address-to-dynamic-pci-nodes.patch pci-rockchip-ep-fix-address-translation-unit-programming.patch powerpc-adjust-adding-stack-protector-flags-to-kbuild_clags-for-clang.patch powerpc-fix-stack-protector-kconfig-test-for-clang.patch --- ...lookup_extent_info-in-walk_down_proc.patch | 31 +++ queue-6.6/dm-fix-typo-in-error-message.patch | 38 ++++ ...in-add-missing-destroy_work_on_stack.patch | 31 +++ ...iio-accel-kx022a-fix-raw-read-format.patch | 58 ++++++ ...er-overflow-for-tx_buf-and-ring_xfer.patch | 44 ++++ ...-in-__fwnode_iio_channel_get_by_name.patch | 37 ++++ ...nfinite-loop-for-gain_to_scaletables.patch | 37 ++++ ...eak-when-concurrent-nfsd4_open-occur.patch | 195 ++++++++++++++++++ ...re-exp-active-before-svc_export_show.patch | 60 ++++++ ...cpu-bus-address-to-dynamic-pci-nodes.patch | 44 ++++ ...address-translation-unit-programming.patch | 98 +++++++++ ...ctor-flags-to-kbuild_clags-for-clang.patch | 66 ++++++ ...ack-protector-kconfig-test-for-clang.patch | 81 ++++++++ queue-6.6/series | 13 ++ 14 files changed, 833 insertions(+) create mode 100644 queue-6.6/btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch create mode 100644 queue-6.6/dm-fix-typo-in-error-message.patch create mode 100644 queue-6.6/dm-thin-add-missing-destroy_work_on_stack.patch create mode 100644 queue-6.6/iio-accel-kx022a-fix-raw-read-format.patch create mode 100644 queue-6.6/iio-adc-ad7923-fix-buffer-overflow-for-tx_buf-and-ring_xfer.patch create mode 100644 queue-6.6/iio-fix-fwnode_handle-in-__fwnode_iio_channel_get_by_name.patch create mode 100644 queue-6.6/iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch create mode 100644 queue-6.6/nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch create mode 100644 queue-6.6/nfsd-make-sure-exp-active-before-svc_export_show.patch create mode 100644 queue-6.6/pci-of_property-assign-pci-instead-of-cpu-bus-address-to-dynamic-pci-nodes.patch create mode 100644 queue-6.6/pci-rockchip-ep-fix-address-translation-unit-programming.patch create mode 100644 queue-6.6/powerpc-adjust-adding-stack-protector-flags-to-kbuild_clags-for-clang.patch create mode 100644 queue-6.6/powerpc-fix-stack-protector-kconfig-test-for-clang.patch diff --git a/queue-6.6/btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch b/queue-6.6/btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch new file mode 100644 index 00000000000..39ced5ca188 --- /dev/null +++ b/queue-6.6/btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch @@ -0,0 +1,31 @@ +From a580fb2c3479d993556e1c31b237c9e5be4944a3 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Tue, 7 May 2024 14:12:10 -0400 +Subject: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() + +From: Josef Bacik + +commit a580fb2c3479d993556e1c31b237c9e5be4944a3 upstream. + +We handle errors here properly, ENOMEM isn't fatal, return the error. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Keerthana K +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -5170,7 +5170,6 @@ static noinline int walk_down_proc(struc + eb->start, level, 1, + &wc->refs[level], + &wc->flags[level]); +- BUG_ON(ret == -ENOMEM); + if (ret) + return ret; + if (unlikely(wc->refs[level] == 0)) { diff --git a/queue-6.6/dm-fix-typo-in-error-message.patch b/queue-6.6/dm-fix-typo-in-error-message.patch new file mode 100644 index 00000000000..4bfbb233d74 --- /dev/null +++ b/queue-6.6/dm-fix-typo-in-error-message.patch @@ -0,0 +1,38 @@ +From 2deb70d3e66d538404d9e71bff236e6d260da66e Mon Sep 17 00:00:00 2001 +From: Ssuhung Yeh +Date: Thu, 31 Oct 2024 18:25:59 +0800 +Subject: dm: Fix typo in error message + +From: Ssuhung Yeh + +commit 2deb70d3e66d538404d9e71bff236e6d260da66e upstream. + +Remove the redundant "i" at the beginning of the error message. This "i" +came from commit 1c1318866928 ("dm: prefer +'"%s...", __func__'"), the "i" is accidentally left. + +Signed-off-by: Ssuhung Yeh +Signed-off-by: Mikulas Patocka +Fixes: 1c1318866928 ("dm: prefer '"%s...", __func__'") +Cc: stable@vger.kernel.org # v6.3+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/persistent-data/dm-space-map-common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c +index 3a19124ee279..22a551c407da 100644 +--- a/drivers/md/persistent-data/dm-space-map-common.c ++++ b/drivers/md/persistent-data/dm-space-map-common.c +@@ -51,7 +51,7 @@ static int index_check(const struct dm_block_validator *v, + block_size - sizeof(__le32), + INDEX_CSUM_XOR)); + if (csum_disk != mi_le->csum) { +- DMERR_LIMIT("i%s failed: csum %u != wanted %u", __func__, ++ DMERR_LIMIT("%s failed: csum %u != wanted %u", __func__, + le32_to_cpu(csum_disk), le32_to_cpu(mi_le->csum)); + return -EILSEQ; + } +-- +2.47.1 + diff --git a/queue-6.6/dm-thin-add-missing-destroy_work_on_stack.patch b/queue-6.6/dm-thin-add-missing-destroy_work_on_stack.patch new file mode 100644 index 00000000000..4e81a45ff9d --- /dev/null +++ b/queue-6.6/dm-thin-add-missing-destroy_work_on_stack.patch @@ -0,0 +1,31 @@ +From e74fa2447bf9ed03d085b6d91f0256cc1b53f1a8 Mon Sep 17 00:00:00 2001 +From: Yuan Can +Date: Wed, 6 Nov 2024 09:03:12 +0800 +Subject: dm thin: Add missing destroy_work_on_stack() + +From: Yuan Can + +commit e74fa2447bf9ed03d085b6d91f0256cc1b53f1a8 upstream. + +This commit add missed destroy_work_on_stack() operations for pw->worker in +pool_work_wait(). + +Fixes: e7a3e871d895 ("dm thin: cleanup noflush_work to use a proper completion") +Cc: stable@vger.kernel.org +Signed-off-by: Yuan Can +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2486,6 +2486,7 @@ static void pool_work_wait(struct pool_w + init_completion(&pw->complete); + queue_work(pool->wq, &pw->worker); + wait_for_completion(&pw->complete); ++ destroy_work_on_stack(&pw->worker); + } + + /*----------------------------------------------------------------*/ diff --git a/queue-6.6/iio-accel-kx022a-fix-raw-read-format.patch b/queue-6.6/iio-accel-kx022a-fix-raw-read-format.patch new file mode 100644 index 00000000000..1510401e48e --- /dev/null +++ b/queue-6.6/iio-accel-kx022a-fix-raw-read-format.patch @@ -0,0 +1,58 @@ +From b7d2bc99b3bdc03fff9b416dd830632346d83530 Mon Sep 17 00:00:00 2001 +From: Matti Vaittinen +Date: Wed, 30 Oct 2024 15:16:11 +0200 +Subject: iio: accel: kx022a: Fix raw read format + +From: Matti Vaittinen + +commit b7d2bc99b3bdc03fff9b416dd830632346d83530 upstream. + +The KX022A provides the accelerometer data in two subsequent registers. +The registers are laid out so that the value obtained via bulk-read of +these registers can be interpreted as signed 16-bit little endian value. +The read value is converted to cpu_endianes and stored into 32bit integer. +The le16_to_cpu() casts value to unsigned 16-bit value, and when this is +assigned to 32-bit integer the resulting value will always be positive. + +This has not been a problem to users (at least not all users) of the sysfs +interface, who know the data format based on the scan info and who have +converted the read value back to 16-bit signed value. This isn't +compliant with the ABI however. + +This, however, will be a problem for those who use the in-kernel +interfaces, especially the iio_read_channel_processed_scale(). + +The iio_read_channel_processed_scale() performs multiplications to the +returned (always positive) raw value, which will cause strange results +when the data from the sensor has been negative. + +Fix the read_raw format by casting the result of the le_to_cpu() to +signed 16-bit value before assigning it to the integer. This will make +the negative readings to be correctly reported as negative. + +This fix will be visible to users by changing values returned via sysfs +to appear in correct (negative) format. + +Reported-by: Kalle Niemi +Fixes: 7c1d1677b322 ("iio: accel: Support Kionix/ROHM KX022A accelerometer") +Signed-off-by: Matti Vaittinen +Tested-by: Kalle Niemi +Cc: +Link: https://patch.msgid.link/ZyIxm_zamZfIGrnB@mva-rohm +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/kionix-kx022a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/accel/kionix-kx022a.c ++++ b/drivers/iio/accel/kionix-kx022a.c +@@ -475,7 +475,7 @@ static int kx022a_get_axis(struct kx022a + if (ret) + return ret; + +- *val = le16_to_cpu(data->buffer[0]); ++ *val = (s16)le16_to_cpu(data->buffer[0]); + + return IIO_VAL_INT; + } diff --git a/queue-6.6/iio-adc-ad7923-fix-buffer-overflow-for-tx_buf-and-ring_xfer.patch b/queue-6.6/iio-adc-ad7923-fix-buffer-overflow-for-tx_buf-and-ring_xfer.patch new file mode 100644 index 00000000000..14ccb9d05ab --- /dev/null +++ b/queue-6.6/iio-adc-ad7923-fix-buffer-overflow-for-tx_buf-and-ring_xfer.patch @@ -0,0 +1,44 @@ +From 3a4187ec454e19903fd15f6e1825a4b84e59a4cd Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Tue, 29 Oct 2024 13:46:37 +0000 +Subject: iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer + +From: Nuno Sa + +commit 3a4187ec454e19903fd15f6e1825a4b84e59a4cd upstream. + +The AD7923 was updated to support devices with 8 channels, but the size +of tx_buf and ring_xfer was not increased accordingly, leading to a +potential buffer overflow in ad7923_update_scan_mode(). + +Fixes: 851644a60d20 ("iio: adc: ad7923: Add support for the ad7908/ad7918/ad7928") +Cc: stable@vger.kernel.org +Signed-off-by: Nuno Sa +Signed-off-by: Zicheng Qu +Link: https://patch.msgid.link/20241029134637.2261336-1-quzicheng@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7923.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/ad7923.c ++++ b/drivers/iio/adc/ad7923.c +@@ -48,7 +48,7 @@ + + struct ad7923_state { + struct spi_device *spi; +- struct spi_transfer ring_xfer[5]; ++ struct spi_transfer ring_xfer[9]; + struct spi_transfer scan_single_xfer[2]; + struct spi_message ring_msg; + struct spi_message scan_single_msg; +@@ -64,7 +64,7 @@ struct ad7923_state { + * Length = 8 channels + 4 extra for 8 byte timestamp + */ + __be16 rx_buf[12] __aligned(IIO_DMA_MINALIGN); +- __be16 tx_buf[4]; ++ __be16 tx_buf[8]; + }; + + struct ad7923_chip_info { diff --git a/queue-6.6/iio-fix-fwnode_handle-in-__fwnode_iio_channel_get_by_name.patch b/queue-6.6/iio-fix-fwnode_handle-in-__fwnode_iio_channel_get_by_name.patch new file mode 100644 index 00000000000..db27d100147 --- /dev/null +++ b/queue-6.6/iio-fix-fwnode_handle-in-__fwnode_iio_channel_get_by_name.patch @@ -0,0 +1,37 @@ +From 3993ca4add248f0f853f54f9273a7de850639f33 Mon Sep 17 00:00:00 2001 +From: Zicheng Qu +Date: Sat, 2 Nov 2024 09:25:25 +0000 +Subject: iio: Fix fwnode_handle in __fwnode_iio_channel_get_by_name() + +From: Zicheng Qu + +commit 3993ca4add248f0f853f54f9273a7de850639f33 upstream. + +In the fwnode_iio_channel_get_by_name(), iterating over parent nodes to +acquire IIO channels via fwnode_for_each_parent_node(). The variable +chan was mistakenly attempted on the original node instead of the +current parent node. This patch corrects the logic to ensure that +__fwnode_iio_channel_get_by_name() is called with the correct parent +node. + +Cc: stable@vger.kernel.org # v6.6+ +Fixes: 1e64b9c5f9a0 ("iio: inkern: move to fwnode properties") +Signed-off-by: Zicheng Qu +Link: https://patch.msgid.link/20241102092525.2389952-1-quzicheng@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -277,7 +277,7 @@ struct iio_channel *fwnode_iio_channel_g + return ERR_PTR(-ENODEV); + } + +- chan = __fwnode_iio_channel_get_by_name(fwnode, name); ++ chan = __fwnode_iio_channel_get_by_name(parent, name); + if (!IS_ERR(chan) || PTR_ERR(chan) != -ENODEV) { + fwnode_handle_put(parent); + return chan; diff --git a/queue-6.6/iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch b/queue-6.6/iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch new file mode 100644 index 00000000000..40c37892916 --- /dev/null +++ b/queue-6.6/iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch @@ -0,0 +1,37 @@ +From 7452f8a0814bb73f739ee0dab60f099f3361b151 Mon Sep 17 00:00:00 2001 +From: Zicheng Qu +Date: Thu, 31 Oct 2024 01:46:26 +0000 +Subject: iio: gts: fix infinite loop for gain_to_scaletables() + +From: Zicheng Qu + +commit 7452f8a0814bb73f739ee0dab60f099f3361b151 upstream. + +In iio_gts_build_avail_time_table(), it is checked that gts->num_itime is +non-zero, but gts->num_itime is not checked in gain_to_scaletables(). The +variable time_idx is initialized as gts->num_itime - 1. This implies that +time_idx might initially be set to -1 (0 - 1 = -1). Consequently, using +while (time_idx--) could lead to an infinite loop. + +Cc: stable@vger.kernel.org # v6.6+ +Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") +Signed-off-by: Zicheng Qu +Reviewed-by: Matti Vaittinen +Link: https://patch.msgid.link/20241031014626.2313077-1-quzicheng@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-gts-helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-gts-helper.c ++++ b/drivers/iio/industrialio-gts-helper.c +@@ -205,7 +205,7 @@ static int gain_to_scaletables(struct ii + memcpy(all_gains, gains[time_idx], gain_bytes); + new_idx = gts->num_hwgain; + +- while (time_idx--) { ++ while (time_idx-- > 0) { + for (j = 0; j < gts->num_hwgain; j++) { + int candidate = gains[time_idx][j]; + int chk; diff --git a/queue-6.6/nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch b/queue-6.6/nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch new file mode 100644 index 00000000000..5ece786c799 --- /dev/null +++ b/queue-6.6/nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch @@ -0,0 +1,195 @@ +From 98100e88dd8865999dc6379a3356cd799795fe7b Mon Sep 17 00:00:00 2001 +From: Yang Erkun +Date: Tue, 5 Nov 2024 19:03:14 +0800 +Subject: nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur + +From: Yang Erkun + +commit 98100e88dd8865999dc6379a3356cd799795fe7b upstream. + +The action force umount(umount -f) will attempt to kill all rpc_task even +umount operation may ultimately fail if some files remain open. +Consequently, if an action attempts to open a file, it can potentially +send two rpc_task to nfs server. + + NFS CLIENT +thread1 thread2 +open("file") +... +nfs4_do_open + _nfs4_do_open + _nfs4_open_and_get_state + _nfs4_proc_open + nfs4_run_open_task + /* rpc_task1 */ + rpc_run_task + rpc_wait_for_completion_task + + umount -f + nfs_umount_begin + rpc_killall_tasks + rpc_signal_task + rpc_task1 been wakeup + and return -512 + _nfs4_do_open // while loop + ... + nfs4_run_open_task + /* rpc_task2 */ + rpc_run_task + rpc_wait_for_completion_task + +While processing an open request, nfsd will first attempt to find or +allocate an nfs4_openowner. If it finds an nfs4_openowner that is not +marked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since +two rpc_task can attempt to open the same file simultaneously from the +client to server, and because two instances of nfsd can run +concurrently, this situation can lead to lots of memory leak. +Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be +triggered. + + NFS SERVER +nfsd1 nfsd2 echo 0 > /proc/fs/nfsd/threads + +nfsd4_open + nfsd4_process_open1 + find_or_alloc_open_stateowner + // alloc oo1, stateid1 + nfsd4_open + nfsd4_process_open1 + find_or_alloc_open_stateowner + // find oo1, without NFS4_OO_CONFIRMED + release_openowner + unhash_openowner_locked + list_del_init(&oo->oo_perclient) + // cannot find this oo + // from client, LEAK!!! + alloc_stateowner // alloc oo2 + + nfsd4_process_open2 + init_open_stateid + // associate oo1 + // with stateid1, stateid1 LEAK!!! + nfs4_get_vfs_file + // alloc nfsd_file1 and nfsd_file_mark1 + // all LEAK!!! + + nfsd4_process_open2 + ... + + write_threads + ... + nfsd_destroy_serv + nfsd_shutdown_net + nfs4_state_shutdown_net + nfs4_state_destroy_net + destroy_client + __destroy_client + // won't find oo1!!! + nfsd_shutdown_generic + nfsd_file_cache_shutdown + kmem_cache_destroy + for nfsd_file_slab + and nfsd_file_mark_slab + // bark since nfsd_file1 + // and nfsd_file_mark1 + // still alive + +======================================================================= +BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on +__kmem_cache_shutdown() +----------------------------------------------------------------------- + +Slab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28 +flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff) +CPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.16.1-2.fc37 04/01/2014 +Call Trace: + + dump_stack_lvl+0x53/0x70 + slab_err+0xb0/0xf0 + __kmem_cache_shutdown+0x15c/0x310 + kmem_cache_destroy+0x66/0x160 + nfsd_file_cache_shutdown+0xac/0x210 [nfsd] + nfsd_destroy_serv+0x251/0x2a0 [nfsd] + nfsd_svc+0x125/0x1e0 [nfsd] + write_threads+0x16a/0x2a0 [nfsd] + nfsctl_transaction_write+0x74/0xa0 [nfsd] + vfs_write+0x1ae/0x6d0 + ksys_write+0xc1/0x160 + do_syscall_64+0x5f/0x170 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Disabling lock debugging due to kernel taint +Object 0xff11000110e2ac38 @offset=3128 +Allocated in nfsd_file_do_acquire+0x20f/0xa30 [nfsd] age=1635 cpu=3 +pid=800 + nfsd_file_do_acquire+0x20f/0xa30 [nfsd] + nfsd_file_acquire_opened+0x5f/0x90 [nfsd] + nfs4_get_vfs_file+0x4c9/0x570 [nfsd] + nfsd4_process_open2+0x713/0x1070 [nfsd] + nfsd4_open+0x74b/0x8b0 [nfsd] + nfsd4_proc_compound+0x70b/0xc20 [nfsd] + nfsd_dispatch+0x1b4/0x3a0 [nfsd] + svc_process_common+0x5b8/0xc50 [sunrpc] + svc_process+0x2ab/0x3b0 [sunrpc] + svc_handle_xprt+0x681/0xa20 [sunrpc] + nfsd+0x183/0x220 [nfsd] + kthread+0x199/0x1e0 + ret_from_fork+0x31/0x60 + ret_from_fork_asm+0x1a/0x30 + +Add nfs4_openowner_unhashed to help found unhashed nfs4_openowner, and +break nfsd4_open process to fix this problem. + +Cc: stable@vger.kernel.org # v5.4+ +Reviewed-by: Jeff Layton +Signed-off-by: Yang Erkun +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1625,6 +1625,14 @@ static void release_open_stateid(struct + free_ol_stateid_reaplist(&reaplist); + } + ++static bool nfs4_openowner_unhashed(struct nfs4_openowner *oo) ++{ ++ lockdep_assert_held(&oo->oo_owner.so_client->cl_lock); ++ ++ return list_empty(&oo->oo_owner.so_strhash) && ++ list_empty(&oo->oo_perclient); ++} ++ + static void unhash_openowner_locked(struct nfs4_openowner *oo) + { + struct nfs4_client *clp = oo->oo_owner.so_client; +@@ -4632,6 +4640,12 @@ retry: + spin_lock(&oo->oo_owner.so_client->cl_lock); + spin_lock(&fp->fi_lock); + ++ if (nfs4_openowner_unhashed(oo)) { ++ mutex_unlock(&stp->st_mutex); ++ stp = NULL; ++ goto out_unlock; ++ } ++ + retstp = nfsd4_find_existing_open(fp, open); + if (retstp) + goto out_unlock; +@@ -5751,6 +5765,11 @@ nfsd4_process_open2(struct svc_rqst *rqs + + if (!stp) { + stp = init_open_stateid(fp, open); ++ if (!stp) { ++ status = nfserr_jukebox; ++ goto out; ++ } ++ + if (!open->op_stp) + new_stp = true; + } diff --git a/queue-6.6/nfsd-make-sure-exp-active-before-svc_export_show.patch b/queue-6.6/nfsd-make-sure-exp-active-before-svc_export_show.patch new file mode 100644 index 00000000000..3c114b1654f --- /dev/null +++ b/queue-6.6/nfsd-make-sure-exp-active-before-svc_export_show.patch @@ -0,0 +1,60 @@ +From be8f982c369c965faffa198b46060f8853e0f1f0 Mon Sep 17 00:00:00 2001 +From: Yang Erkun +Date: Mon, 21 Oct 2024 22:23:41 +0800 +Subject: nfsd: make sure exp active before svc_export_show + +From: Yang Erkun + +commit be8f982c369c965faffa198b46060f8853e0f1f0 upstream. + +The function `e_show` was called with protection from RCU. This only +ensures that `exp` will not be freed. Therefore, the reference count for +`exp` can drop to zero, which will trigger a refcount use-after-free +warning when `exp_get` is called. To resolve this issue, use +`cache_get_rcu` to ensure that `exp` remains active. + +------------[ cut here ]------------ +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 3 PID: 819 at lib/refcount.c:25 +refcount_warn_saturate+0xb1/0x120 +CPU: 3 UID: 0 PID: 819 Comm: cat Not tainted 6.12.0-rc3+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.16.1-2.fc37 04/01/2014 +RIP: 0010:refcount_warn_saturate+0xb1/0x120 +... +Call Trace: + + e_show+0x20b/0x230 [nfsd] + seq_read_iter+0x589/0x770 + seq_read+0x1e5/0x270 + vfs_read+0x125/0x530 + ksys_read+0xc1/0x160 + do_syscall_64+0x5f/0x170 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fixes: bf18f163e89c ("NFSD: Using exp_get for export getting") +Cc: stable@vger.kernel.org # 4.20+ +Signed-off-by: Yang Erkun +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/export.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/export.c ++++ b/fs/nfsd/export.c +@@ -1385,9 +1385,12 @@ static int e_show(struct seq_file *m, vo + return 0; + } + +- exp_get(exp); ++ if (!cache_get_rcu(&exp->h)) ++ return 0; ++ + if (cache_check(cd, &exp->h, NULL)) + return 0; ++ + exp_put(exp); + return svc_export_show(m, cd, cp); + } diff --git a/queue-6.6/pci-of_property-assign-pci-instead-of-cpu-bus-address-to-dynamic-pci-nodes.patch b/queue-6.6/pci-of_property-assign-pci-instead-of-cpu-bus-address-to-dynamic-pci-nodes.patch new file mode 100644 index 00000000000..1f8f6aec48d --- /dev/null +++ b/queue-6.6/pci-of_property-assign-pci-instead-of-cpu-bus-address-to-dynamic-pci-nodes.patch @@ -0,0 +1,44 @@ +From 5e316d34b53039346e252d0019e2f4167af2c0ef Mon Sep 17 00:00:00 2001 +From: Andrea della Porta +Date: Fri, 8 Nov 2024 10:42:56 +0100 +Subject: PCI: of_property: Assign PCI instead of CPU bus address to dynamic PCI nodes + +From: Andrea della Porta + +commit 5e316d34b53039346e252d0019e2f4167af2c0ef upstream. + +When populating "ranges" property for a PCI bridge or endpoint, +of_pci_prop_ranges() incorrectly uses the CPU address of the resource. In +such PCI nodes, the window should instead be in PCI address space. Call +pci_bus_address() on the resource in order to obtain the PCI bus address. + +[Previous discussion at: +https://lore.kernel.org/all/8b4fa91380fc4754ea80f47330c613e4f6b6592c.1724159867.git.andrea.porta@suse.com/] + +Link: https://lore.kernel.org/r/20241108094256.28933-1-andrea.porta@suse.com +Fixes: 407d1a51921e ("PCI: Create device tree node for bridge") +Tested-by: Herve Codina +Signed-off-by: Andrea della Porta +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/of_property.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/of_property.c b/drivers/pci/of_property.c +index 5a0b98e69795..886c236e5de6 100644 +--- a/drivers/pci/of_property.c ++++ b/drivers/pci/of_property.c +@@ -126,7 +126,7 @@ static int of_pci_prop_ranges(struct pci_dev *pdev, struct of_changeset *ocs, + if (of_pci_get_addr_flags(&res[j], &flags)) + continue; + +- val64 = res[j].start; ++ val64 = pci_bus_address(pdev, &res[j] - pdev->resource); + of_pci_set_address(pdev, rp[i].parent_addr, val64, 0, flags, + false); + if (pci_is_bridge(pdev)) { +-- +2.47.1 + diff --git a/queue-6.6/pci-rockchip-ep-fix-address-translation-unit-programming.patch b/queue-6.6/pci-rockchip-ep-fix-address-translation-unit-programming.patch new file mode 100644 index 00000000000..d96511eda1c --- /dev/null +++ b/queue-6.6/pci-rockchip-ep-fix-address-translation-unit-programming.patch @@ -0,0 +1,98 @@ +From 64f093c4d99d797b68b407a9d8767aadc3e3ea7a Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Thu, 17 Oct 2024 10:58:36 +0900 +Subject: PCI: rockchip-ep: Fix address translation unit programming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Damien Le Moal + +commit 64f093c4d99d797b68b407a9d8767aadc3e3ea7a upstream. + +The Rockchip PCIe endpoint controller handles PCIe transfers addresses +by masking the lower bits of the programmed PCI address and using the +same number of lower bits masked from the CPU address space used for the +mapping. For a PCI mapping of bytes starting from , +the number of bits masked is the number of address bits changing in the +address range [pci_addr..pci_addr + size - 1]. + +However, rockchip_pcie_prog_ep_ob_atu() calculates num_pass_bits only +using the size of the mapping, resulting in an incorrect number of mask +bits depending on the value of the PCI address to map. + +Fix this by introducing the helper function +rockchip_pcie_ep_ob_atu_num_bits() to correctly calculate the number of +mask bits to use to program the address translation unit. The number of +mask bits is calculated depending on both the PCI address and size of +the mapping, and clamped between 8 and 20 using the macros +ROCKCHIP_PCIE_AT_MIN_NUM_BITS and ROCKCHIP_PCIE_AT_MAX_NUM_BITS. As +defined in the Rockchip RK3399 TRM V1.3 Part2, Sections 17.5.5.1.1 and +17.6.8.2.1, this clamping is necessary because: + + 1) The lower 8 bits of the PCI address to be mapped by the outbound + region are ignored. So a minimum of 8 address bits are needed and + imply that the PCI address must be aligned to 256. + + 2) The outbound memory regions are 1MB in size. So while we can specify + up to 63-bits for the PCI address (num_bits filed uses bits 0 to 5 of + the outbound address region 0 register), we must limit the number of + valid address bits to 20 to match the memory window maximum size (1 + << 20 = 1MB). + +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Link: https://lore.kernel.org/r/20241017015849.190271-2-dlemoal@kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 16 +++++++++++++--- + drivers/pci/controller/pcie-rockchip.h | 4 ++++ + 2 files changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -63,15 +63,25 @@ static void rockchip_pcie_clear_ep_ob_at + ROCKCHIP_PCIE_AT_OB_REGION_DESC1(region)); + } + ++static int rockchip_pcie_ep_ob_atu_num_bits(struct rockchip_pcie *rockchip, ++ u64 pci_addr, size_t size) ++{ ++ int num_pass_bits = fls64(pci_addr ^ (pci_addr + size - 1)); ++ ++ return clamp(num_pass_bits, ++ ROCKCHIP_PCIE_AT_MIN_NUM_BITS, ++ ROCKCHIP_PCIE_AT_MAX_NUM_BITS); ++} ++ + static void rockchip_pcie_prog_ep_ob_atu(struct rockchip_pcie *rockchip, u8 fn, + u32 r, u64 cpu_addr, u64 pci_addr, + size_t size) + { +- int num_pass_bits = fls64(size - 1); ++ int num_pass_bits; + u32 addr0, addr1, desc0; + +- if (num_pass_bits < 8) +- num_pass_bits = 8; ++ num_pass_bits = rockchip_pcie_ep_ob_atu_num_bits(rockchip, ++ pci_addr, size); + + addr0 = ((num_pass_bits - 1) & PCIE_CORE_OB_REGION_ADDR0_NUM_BITS) | + (lower_32_bits(pci_addr) & PCIE_CORE_OB_REGION_ADDR0_LO_ADDR); +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -245,6 +245,10 @@ + (PCIE_EP_PF_CONFIG_REGS_BASE + (((fn) << 12) & GENMASK(19, 12))) + #define ROCKCHIP_PCIE_EP_VIRT_FUNC_BASE(fn) \ + (PCIE_EP_PF_CONFIG_REGS_BASE + 0x10000 + (((fn) << 12) & GENMASK(19, 12))) ++ ++#define ROCKCHIP_PCIE_AT_MIN_NUM_BITS 8 ++#define ROCKCHIP_PCIE_AT_MAX_NUM_BITS 20 ++ + #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \ + (PCIE_CORE_AXI_CONF_BASE + 0x0828 + (fn) * 0x0040 + (bar) * 0x0008) + #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR1(fn, bar) \ diff --git a/queue-6.6/powerpc-adjust-adding-stack-protector-flags-to-kbuild_clags-for-clang.patch b/queue-6.6/powerpc-adjust-adding-stack-protector-flags-to-kbuild_clags-for-clang.patch new file mode 100644 index 00000000000..c6ebc10f63e --- /dev/null +++ b/queue-6.6/powerpc-adjust-adding-stack-protector-flags-to-kbuild_clags-for-clang.patch @@ -0,0 +1,66 @@ +From bee08a9e6ab03caf14481d97b35a258400ffab8f Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 9 Oct 2024 12:26:09 -0700 +Subject: powerpc: Adjust adding stack protector flags to KBUILD_CLAGS for clang + +From: Nathan Chancellor + +commit bee08a9e6ab03caf14481d97b35a258400ffab8f upstream. + +After fixing the HAVE_STACKPROTECTER checks for clang's in-progress +per-task stack protector support [1], the build fails during prepare0 +because '-mstack-protector-guard-offset' has not been added to +KBUILD_CFLAGS yet but the other '-mstack-protector-guard' flags have. + + clang: error: '-mstack-protector-guard=tls' is used without '-mstack-protector-guard-offset', and there is no default + clang: error: '-mstack-protector-guard=tls' is used without '-mstack-protector-guard-offset', and there is no default + make[4]: *** [scripts/Makefile.build:229: scripts/mod/empty.o] Error 1 + make[4]: *** [scripts/Makefile.build:102: scripts/mod/devicetable-offsets.s] Error 1 + +Mirror other architectures and add all '-mstack-protector-guard' flags +to KBUILD_CFLAGS atomically during stack_protector_prepare, which +resolves the issue and allows clang's implementation to fully work with +the kernel. + +Cc: stable@vger.kernel.org # 6.1+ +Link: https://github.com/llvm/llvm-project/pull/110928 [1] +Reviewed-by: Keith Packard +Tested-by: Keith Packard +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://patch.msgid.link/20241009-powerpc-fix-stackprotector-test-clang-v2-2-12fb86b31857@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/Makefile | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -89,13 +89,6 @@ KBUILD_AFLAGS += -m$(BITS) + KBUILD_LDFLAGS += -m elf$(BITS)$(LDEMULATION) + endif + +-cflags-$(CONFIG_STACKPROTECTOR) += -mstack-protector-guard=tls +-ifdef CONFIG_PPC64 +-cflags-$(CONFIG_STACKPROTECTOR) += -mstack-protector-guard-reg=r13 +-else +-cflags-$(CONFIG_STACKPROTECTOR) += -mstack-protector-guard-reg=r2 +-endif +- + LDFLAGS_vmlinux-y := -Bstatic + LDFLAGS_vmlinux-$(CONFIG_RELOCATABLE) := -pie + LDFLAGS_vmlinux-$(CONFIG_RELOCATABLE) += -z notext +@@ -389,9 +382,11 @@ prepare: stack_protector_prepare + PHONY += stack_protector_prepare + stack_protector_prepare: prepare0 + ifdef CONFIG_PPC64 +- $(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "PACA_CANARY") print $$3;}' include/generated/asm-offsets.h)) ++ $(eval KBUILD_CFLAGS += -mstack-protector-guard=tls -mstack-protector-guard-reg=r13 \ ++ -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "PACA_CANARY") print $$3;}' include/generated/asm-offsets.h)) + else +- $(eval KBUILD_CFLAGS += -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TASK_CANARY") print $$3;}' include/generated/asm-offsets.h)) ++ $(eval KBUILD_CFLAGS += -mstack-protector-guard=tls -mstack-protector-guard-reg=r2 \ ++ -mstack-protector-guard-offset=$(shell awk '{if ($$2 == "TASK_CANARY") print $$3;}' include/generated/asm-offsets.h)) + endif + endif + diff --git a/queue-6.6/powerpc-fix-stack-protector-kconfig-test-for-clang.patch b/queue-6.6/powerpc-fix-stack-protector-kconfig-test-for-clang.patch new file mode 100644 index 00000000000..bc77c73a57c --- /dev/null +++ b/queue-6.6/powerpc-fix-stack-protector-kconfig-test-for-clang.patch @@ -0,0 +1,81 @@ +From 46e1879deea22eed31e9425d58635895fc0e8040 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 9 Oct 2024 12:26:08 -0700 +Subject: powerpc: Fix stack protector Kconfig test for clang + +From: Nathan Chancellor + +commit 46e1879deea22eed31e9425d58635895fc0e8040 upstream. + +Clang's in-progress per-task stack protector support [1] does not work +with the current Kconfig checks because '-mstack-protector-guard-offset' +is not provided, unlike all other architecture Kconfig checks. + + $ fd Kconfig -x rg -l mstack-protector-guard-offset + ./arch/arm/Kconfig + ./arch/riscv/Kconfig + ./arch/arm64/Kconfig + +This produces an error from clang, which is interpreted as the flags not +being supported at all when they really are. + + $ clang --target=powerpc64-linux-gnu \ + -mstack-protector-guard=tls \ + -mstack-protector-guard-reg=r13 \ + -c -o /dev/null -x c /dev/null + clang: error: '-mstack-protector-guard=tls' is used without '-mstack-protector-guard-offset', and there is no default + +This argument will always be provided by the build system, so mirror +other architectures and use '-mstack-protector-guard-offset=0' for +testing support, which fixes the issue for clang and does not regress +support with GCC. + +Even with the first problem addressed, the 32-bit test continues to fail +because Kbuild uses the powerpc64le-linux-gnu target for clang and +nothing flips the target to 32-bit, resulting in an error about an +invalid register valid: + + $ clang --target=powerpc64le-linux-gnu \ + -mstack-protector-guard=tls + -mstack-protector-guard-reg=r2 \ + -mstack-protector-guard-offset=0 \ + -x c -c -o /dev/null /dev/null + clang: error: invalid value 'r2' in 'mstack-protector-guard-reg=', expected one of: r13 + +While GCC allows arbitrary registers, the implementation of +'-mstack-protector-guard=tls' in LLVM shares the same code path as the +user space thread local storage implementation, which uses a fixed +register (2 for 32-bit and 13 for 62-bit), so the command line parsing +enforces this limitation. + +Use the Kconfig macro '$(m32-flag)', which expands to '-m32' when +supported, in the stack protector support cc-option call to properly +switch the target to a 32-bit one, which matches what happens in Kbuild. +While the 64-bit macro does not strictly need it, add the equivalent +64-bit option for symmetry. + +Cc: stable@vger.kernel.org # 6.1+ +Link: https://github.com/llvm/llvm-project/pull/110928 [1] +Reviewed-by: Keith Packard +Tested-by: Keith Packard +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://patch.msgid.link/20241009-powerpc-fix-stackprotector-test-clang-v2-1-12fb86b31857@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -271,8 +271,8 @@ config PPC + select HAVE_RSEQ + select HAVE_SETUP_PER_CPU_AREA if PPC64 + select HAVE_SOFTIRQ_ON_OWN_STACK +- select HAVE_STACKPROTECTOR if PPC32 && $(cc-option,-mstack-protector-guard=tls -mstack-protector-guard-reg=r2) +- select HAVE_STACKPROTECTOR if PPC64 && $(cc-option,-mstack-protector-guard=tls -mstack-protector-guard-reg=r13) ++ select HAVE_STACKPROTECTOR if PPC32 && $(cc-option,$(m32-flag) -mstack-protector-guard=tls -mstack-protector-guard-reg=r2 -mstack-protector-guard-offset=0) ++ select HAVE_STACKPROTECTOR if PPC64 && $(cc-option,$(m64-flag) -mstack-protector-guard=tls -mstack-protector-guard-reg=r13 -mstack-protector-guard-offset=0) + select HAVE_STATIC_CALL if PPC32 + select HAVE_SYSCALL_TRACEPOINTS + select HAVE_VIRT_CPU_ACCOUNTING diff --git a/queue-6.6/series b/queue-6.6/series index 2a211fab4b4..19de6a41342 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -652,3 +652,16 @@ fs-proc-kcore.c-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zer thermal-int3400-fix-reading-of-current_uuid-for-active-policy.patch leds-flash-mt6360-fix-device_for_each_child_node-refcounting-in-error-paths.patch ovl-properly-handle-large-files-in-ovl_security_fileattr.patch +dm-fix-typo-in-error-message.patch +dm-thin-add-missing-destroy_work_on_stack.patch +pci-of_property-assign-pci-instead-of-cpu-bus-address-to-dynamic-pci-nodes.patch +pci-rockchip-ep-fix-address-translation-unit-programming.patch +nfsd-make-sure-exp-active-before-svc_export_show.patch +nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch +iio-accel-kx022a-fix-raw-read-format.patch +iio-fix-fwnode_handle-in-__fwnode_iio_channel_get_by_name.patch +iio-adc-ad7923-fix-buffer-overflow-for-tx_buf-and-ring_xfer.patch +iio-gts-fix-infinite-loop-for-gain_to_scaletables.patch +powerpc-fix-stack-protector-kconfig-test-for-clang.patch +powerpc-adjust-adding-stack-protector-flags-to-kbuild_clags-for-clang.patch +btrfs-don-t-bug_on-on-enomem-from-btrfs_lookup_extent_info-in-walk_down_proc.patch -- 2.47.3