From 6a1c0190953b96a31ec041f62b923f7e23d09885 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 15 Apr 2024 14:47:56 +0200 Subject: [PATCH] 6.1-stable patches added patches: btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch btrfs-record-delayed-inode-root-in-transaction.patch drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch drm-ast-fix-soft-lockup.patch drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch io_uring-net-restore-msg_control-on-sendzc-retry.patch kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch perf-x86-fix-out-of-range-data.patch vhost-add-smp_rmb-in-vhost_enable_notify.patch vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch --- ...-pertrans-after-record_root_in_trans.patch | 65 +++++++++++ ...tly-model-root-qgroup-rsv-in-convert.patch | 38 ++++++ ...rd-delayed-inode-root-in-transaction.patch | 36 ++++++ ...eset-gpu-on-queue-preemption-failure.patch | 35 ++++++ queue-6.1/drm-ast-fix-soft-lockup.patch | 58 ++++++++++ ...ect-modes-with-dev-mode_config.mutex.patch | 56 +++++++++ ...vrr-disable-vrr-when-using-bigjoiner.patch | 46 ++++++++ ...-restore-msg_control-on-sendzc-retry.patch | 35 ++++++ ...er-free-issue-on-kprobe-registration.patch | 74 ++++++++++++ .../perf-x86-fix-out-of-range-data.patch | 109 ++++++++++++++++++ queue-6.1/series | 13 +++ ...t-add-smp_rmb-in-vhost_enable_notify.patch | 70 +++++++++++ ...-add-smp_rmb-in-vhost_vq_avail_empty.patch | 70 +++++++++++ ...efault-for-speculation_mitigations-n.patch | 47 ++++++++ 14 files changed, 752 insertions(+) create mode 100644 queue-6.1/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch create mode 100644 queue-6.1/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch create mode 100644 queue-6.1/btrfs-record-delayed-inode-root-in-transaction.patch create mode 100644 
queue-6.1/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch create mode 100644 queue-6.1/drm-ast-fix-soft-lockup.patch create mode 100644 queue-6.1/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch create mode 100644 queue-6.1/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch create mode 100644 queue-6.1/io_uring-net-restore-msg_control-on-sendzc-retry.patch create mode 100644 queue-6.1/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch create mode 100644 queue-6.1/perf-x86-fix-out-of-range-data.patch create mode 100644 queue-6.1/vhost-add-smp_rmb-in-vhost_enable_notify.patch create mode 100644 queue-6.1/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch create mode 100644 queue-6.1/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch diff --git a/queue-6.1/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch b/queue-6.1/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch new file mode 100644 index 00000000000..8e6bf95064c --- /dev/null +++ b/queue-6.1/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch 
@@ -0,0 +1,65 @@ +From 211de93367304ab395357f8cb12568a4d1e20701 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:18:39 -0700 +Subject: btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans + +From: Boris Burkov + +commit 211de93367304ab395357f8cb12568a4d1e20701 upstream. + +The transaction is only able to free PERTRANS reservations for a root +once that root has been recorded with the TRANS tag on the roots radix +tree. Therefore, until we are sure that this root will get tagged, it +isn't safe to convert. Generally, this is not an issue as *some* +transaction will likely tag the root before long and this reservation +will get freed in that transaction, but technically it could stick +around until unmount and result in a warning about leaked metadata +reservation space. + +This path is most exercised by running the generic/269 fstest with +CONFIG_BTRFS_DEBUG. + +Fixes: a6496849671a ("btrfs: fix start transaction qgroup rsv double free") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -700,14 +700,6 @@ again: + h->reloc_reserved = reloc_reserved; + } + +- /* +- * Now that we have found a transaction to be a part of, convert the +- * qgroup reservation from prealloc to pertrans. A different transaction +- * can't race in and free our pertrans out from under us. +- */ +- if (qgroup_reserved) +- btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); +- + got_it: + if (!current->journal_info) + current->journal_info = h; +@@ -741,8 +733,15 @@ got_it: + * not just freed. 
+ */ + btrfs_end_transaction(h); +- return ERR_PTR(ret); ++ goto reserve_fail; + } ++ /* ++ * Now that we have found a transaction to be a part of, convert the ++ * qgroup reservation from prealloc to pertrans. A different transaction ++ * can't race in and free our pertrans out from under us. ++ */ ++ if (qgroup_reserved) ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); + + return h; + diff --git a/queue-6.1/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch b/queue-6.1/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch new file mode 100644 index 00000000000..acf5a6a511d --- /dev/null +++ b/queue-6.1/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch 
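Review bot: The relocated comment still only says when the conversion happens ("Now that we have found a transaction"), not why it must now sit after the `btrfs_end_transaction(h)` failure path, which is the whole reason for the move; without that, the ordering will look accidental to the next reader and may be "tidied" back. Suggest extending it with `* This must be the last failure point: a PERTRANS reservation can only be freed by a transaction that has this root recorded, so converting before we know the handle survives could leak it until unmount.` The `goto reserve_fail` target is outside the hunk, so whether that label releases the still-prealloc reservation on the new error path cannot be confirmed from here. The enclosing function begins and continues outside the hunk.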
@@ -0,0 +1,38 @@ +From 141fb8cd206ace23c02cd2791c6da52c1d77d42a Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Tue, 19 Mar 2024 10:54:22 -0700 +Subject: btrfs: qgroup: correctly model root qgroup rsv in convert + +From: Boris Burkov + +commit 141fb8cd206ace23c02cd2791c6da52c1d77d42a upstream. + +We use add_root_meta_rsv and sub_root_meta_rsv to track prealloc and +pertrans reservations for subvolumes when quotas are enabled. The +convert function does not properly increment pertrans after decrementing +prealloc, so the count is not accurate. + +Note: we check that the fs is not read-only to mirror the logic in +qgroup_convert_meta, which checks that before adding to the pertrans rsv. + +Fixes: 8287475a2055 ("btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4154,6 +4154,8 @@ void btrfs_qgroup_convert_reserved_meta( + BTRFS_QGROUP_RSV_META_PREALLOC); + trace_qgroup_meta_convert(root, num_bytes); + qgroup_convert_meta(fs_info, root->root_key.objectid, num_bytes); ++ if (!sb_rdonly(fs_info->sb)) ++ add_root_meta_rsv(root, num_bytes, BTRFS_QGROUP_RSV_META_PERTRANS); + } + + /* diff --git a/queue-6.1/btrfs-record-delayed-inode-root-in-transaction.patch b/queue-6.1/btrfs-record-delayed-inode-root-in-transaction.patch new file mode 100644 index 00000000000..8e533d36754 --- /dev/null +++ b/queue-6.1/btrfs-record-delayed-inode-root-in-transaction.patch 
@@ -0,0 +1,36 @@ +From 71537e35c324ea6fbd68377a4f26bb93a831ae35 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:14:24 -0700 +Subject: btrfs: record delayed inode root in transaction + +From: Boris Burkov + +commit 71537e35c324ea6fbd68377a4f26bb93a831ae35 upstream. + +When running delayed inode updates, we do not record the inode's root in +the transaction, but we do allocate PREALLOC and thus converted PERTRANS +space for it. To be sure we free that PERTRANS meta rsv, we must ensure +that we record the root in the transaction. + +Fixes: 4f5427ccce5d ("btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/delayed-inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -1115,6 +1115,9 @@ __btrfs_commit_inode_delayed_items(struc + if (ret) + return ret; + ++ ret = btrfs_record_root_in_trans(trans, node->root); ++ if (ret) ++ return ret; + ret = btrfs_update_delayed_inode(trans, node->root, path, node); + return ret; + } diff --git a/queue-6.1/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch b/queue-6.1/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch new file mode 100644 index 00000000000..bf33fffda50 --- /dev/null +++ b/queue-6.1/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch 
@@ -0,0 +1,35 @@ +From 8bdfb4ea95ca738d33ef71376c21eba20130f2eb Mon Sep 17 00:00:00 2001 +From: Harish Kasiviswanathan +Date: Tue, 26 Mar 2024 15:32:46 -0400 +Subject: drm/amdkfd: Reset GPU on queue preemption failure + +From: Harish Kasiviswanathan + +commit 8bdfb4ea95ca738d33ef71376c21eba20130f2eb upstream. + +Currently, with F32 HWS GPU reset is only when unmap queue fails. + +However, if compute queue doesn't repond to preemption request in time +unmap will return without any error. In this case, only preemption error +is logged and Reset is not triggered. Call GPU reset in this case also. + +Reviewed-by: Alex Deucher +Signed-off-by: Harish Kasiviswanathan +Reviewed-by: Mukul Joshi +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1805,6 +1805,7 @@ static int unmap_queues_cpsch(struct dev + pr_err("HIQ MQD's queue_doorbell_id0 is not 0, Queue preemption time out\n"); + while (halt_if_hws_hang) + schedule(); ++ kfd_hws_hang(dqm); + return -ETIME; + } + diff --git a/queue-6.1/drm-ast-fix-soft-lockup.patch b/queue-6.1/drm-ast-fix-soft-lockup.patch new file mode 100644 index 00000000000..f58d70eea7e --- /dev/null +++ b/queue-6.1/drm-ast-fix-soft-lockup.patch 
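Review bot: The new `kfd_hws_hang(dqm);` is placed after `while (halt_if_hws_hang) schedule();`, so when that debug knob is set the function spins forever and the reset is never issued; the order looks deliberate (preserve the hung state for inspection) but nothing in the code says so, and a later reorder would silently change it. A one-line comment would pin the intent: `/* halt_if_hws_hang keeps the hung state for debugging; otherwise reset the GPU */`. unmap_queues_cpsch continues outside the hunk.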
@@ -0,0 +1,58 @@ +From bc004f5038220b1891ef4107134ccae44be55109 Mon Sep 17 00:00:00 2001 +From: Jammy Huang +Date: Wed, 3 Apr 2024 17:02:46 +0800 +Subject: drm/ast: Fix soft lockup + +From: Jammy Huang + +commit bc004f5038220b1891ef4107134ccae44be55109 upstream. + +There is a while-loop in ast_dp_set_on_off() that could lead to +infinite-loop. This is because the register, VGACRI-Dx, checked in +this API is a scratch register actually controlled by a MCU, named +DPMCU, in BMC. + +These scratch registers are protected by scu-lock. If suc-lock is not +off, DPMCU can not update these registers and then host will have soft +lockup due to never updated status. + +DPMCU is used to control DP and relative registers to handshake with +host's VGA driver. Even the most time-consuming task, DP's link +training, is less than 100ms. 200ms should be enough. + +Signed-off-by: Jammy Huang +Fixes: 594e9c04b586 ("drm/ast: Create the driver for ASPEED proprietory Display-Port") +Reviewed-by: Jocelyn Falempe +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Cc: KuoHsiang Chou +Cc: Thomas Zimmermann +Cc: Dave Airlie +Cc: Jocelyn Falempe +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.19+ +Link: https://patchwork.freedesktop.org/patch/msgid/20240403090246.1495487-1-jammy_huang@aspeedtech.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_dp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/ast/ast_dp.c ++++ b/drivers/gpu/drm/ast/ast_dp.c +@@ -190,6 +190,7 @@ void ast_dp_set_on_off(struct drm_device + { + struct ast_private *ast = to_ast_private(dev); + u8 video_on_off = on; ++ u32 i = 0; + + // Video On/Off + ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xE3, (u8) ~AST_DP_VIDEO_ENABLE, on); +@@ -202,6 +203,8 @@ void ast_dp_set_on_off(struct drm_device + ASTDP_MIRROR_VIDEO_ENABLE) != video_on_off) { + // wait 1 ms + mdelay(1); ++ if (++i > 200) ++ break; + } + } + } 
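Review bot: When the new `if (++i > 200) break;` fires, ast_dp_set_on_off() returns exactly as if the DPMCU had acknowledged, so the timeout is silent and neither the caller nor a log reader can tell that the mirrored video state never matched. Logging it keeps the lockup fix while leaving a trace for diagnosis, e.g. `if (++i > 200) { drm_warn(dev, "DP video on/off timed out, DPMCU did not respond\n"); break; }`. The loop also busy-waits with `mdelay(1)` for up to ~200 ms; that is pre-existing, but a timeout message at least makes it visible when that cost is actually paid.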
diff --git a/queue-6.1/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch b/queue-6.1/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch new file mode 100644 index 00000000000..2c0179e5fb3 --- /dev/null +++ b/queue-6.1/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch 
@@ -0,0 +1,56 @@ +From 3eadd887dbac1df8f25f701e5d404d1b90fd0fea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 4 Apr 2024 23:33:25 +0300 +Subject: drm/client: Fully protect modes[] with dev->mode_config.mutex +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream. + +The modes[] array contains pointers to modes on the connectors' +mode lists, which are protected by dev->mode_config.mutex. +Thus we need to extend modes[] the same protection or by the +time we use it the elements may already be pointing to +freed/reused memory. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Jani Nikula +Reviewed-by: Thomas Zimmermann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -781,6 +781,7 @@ int drm_client_modeset_probe(struct drm_ + unsigned int total_modes_count = 0; + struct drm_client_offset *offsets; + unsigned int connector_count = 0; ++ /* points to modes protected by mode_config.mutex */ + struct drm_display_mode **modes; + struct drm_crtc **crtcs; + int i, ret = 0; +@@ -849,7 +850,6 @@ int drm_client_modeset_probe(struct drm_ + drm_client_pick_crtcs(client, connectors, connector_count, + crtcs, modes, 0, width, height); + } +- mutex_unlock(&dev->mode_config.mutex); + + drm_client_modeset_release(client); + +@@ -879,6 +879,7 @@ int drm_client_modeset_probe(struct drm_ + modeset->y = offset->y; + } + } ++ mutex_unlock(&dev->mode_config.mutex); + + mutex_unlock(&client->modeset_mutex); + out: 
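Review bot: Moving `mutex_unlock(&dev->mode_config.mutex)` from just after drm_client_pick_crtcs() to just before `mutex_unlock(&client->modeset_mutex)` means any early exit in the roughly thirty lines between the two positions, which this hunk does not show, would now return with mode_config.mutex still held; worth confirming that region has no `goto out` or `return`. The added `/* points to modes protected by mode_config.mutex */` is good; it would be stronger as `/* points into connectors' mode lists; valid only while mode_config.mutex is held */`, since that lifetime is the invariant the unlock move enforces. drm_client_modeset_probe continues outside the hunk.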
diff --git a/queue-6.1/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch b/queue-6.1/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch new file mode 100644 index 00000000000..f056303d40a --- /dev/null +++ b/queue-6.1/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch @@ -0,0 +1,46 @@ +From dcd8992e47f13afb5c11a61e8d9c141c35e23751 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 5 Apr 2024 00:34:29 +0300 +Subject: drm/i915/vrr: Disable VRR when using bigjoiner +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit dcd8992e47f13afb5c11a61e8d9c141c35e23751 upstream. + +All joined pipes share the same transcoder/timing generator. +Currently we just do the commits per-pipe, which doesn't really +work if we need to change switch between non-VRR and VRR timings +generators on the fly, or even when sending the push to the +transcoder. For now just disable VRR when bigjoiner is needed. + +Cc: stable@vger.kernel.org +Tested-by: Vidya Srinivas +Reviewed-by: Vandita Kulkarni +Link: https://patchwork.freedesktop.org/patch/msgid/20240404213441.17637-6-ville.syrjala@linux.intel.com +Signed-off-by: Ville Syrjälä +(cherry picked from commit f9d5e51db65652dbd8a2102fd7619440e3599fd2) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_vrr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_vrr.c ++++ b/drivers/gpu/drm/i915/display/intel_vrr.c +@@ -110,6 +110,13 @@ intel_vrr_compute_config(struct intel_cr + if (!intel_vrr_is_capable(connector)) + return; + ++ /* ++ * FIXME all joined pipes share the same transcoder. ++ * Need to account for that during VRR toggle/push/etc. ++ */ ++ if (crtc_state->bigjoiner_pipes) ++ return; ++ + if (adjusted_mode->flags & DRM_MODE_FLAG_INTERLACE) + return; + 
diff --git a/queue-6.1/io_uring-net-restore-msg_control-on-sendzc-retry.patch b/queue-6.1/io_uring-net-restore-msg_control-on-sendzc-retry.patch new file mode 100644 index 00000000000..8bd9373b85d --- /dev/null +++ b/queue-6.1/io_uring-net-restore-msg_control-on-sendzc-retry.patch @@ -0,0 +1,35 @@ +From 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 8 Apr 2024 18:11:09 +0100 +Subject: io_uring/net: restore msg_control on sendzc retry + +From: Pavel Begunkov + +commit 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 upstream. + +cac9e4418f4cb ("io_uring/net: save msghdr->msg_control for retries") +reinstatiates msg_control before every __sys_sendmsg_sock(), since the +function can overwrite the value in msghdr. We need to do same for +zerocopy sendmsg. + +Cc: stable@vger.kernel.org +Fixes: 493108d95f146 ("io_uring/net: zerocopy sendmsg") +Link: https://github.com/axboe/liburing/issues/1067 +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/cc1d5d9df0576fa66ddad4420d240a98a020b267.1712596179.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1229,6 +1229,7 @@ int io_sendmsg_zc(struct io_kiocb *req, + + if (req_has_async_data(req)) { + kmsg = req->async_data; ++ kmsg->msg.msg_control_user = sr->msg_control; + } else { + ret = io_sendmsg_copy_hdr(req, &iomsg); + if (ret) diff --git a/queue-6.1/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch b/queue-6.1/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch new file mode 100644 index 00000000000..72855b70dbc --- /dev/null +++ b/queue-6.1/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch 
@@ -0,0 +1,74 @@ +From 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Wed, 10 Apr 2024 09:58:02 +0800 +Subject: kprobes: Fix possible use-after-free issue on kprobe registration + +From: Zheng Yejian + +commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream. + +When unloading a module, its state is changing MODULE_STATE_LIVE -> + MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take +a time. `is_module_text_address()` and `__module_text_address()` +works with MODULE_STATE_LIVE and MODULE_STATE_GOING. +If we use `is_module_text_address()` and `__module_text_address()` +separately, there is a chance that the first one is succeeded but the +next one is failed because module->state becomes MODULE_STATE_UNFORMED +between those operations. + +In `check_kprobe_address_safe()`, if the second `__module_text_address()` +is failed, that is ignored because it expected a kernel_text address. +But it may have failed simply because module->state has been changed +to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify +non-exist module text address (use-after-free). + +To fix this problem, we should not use separated `is_module_text_address()` +and `__module_text_address()`, but use only `__module_text_address()` +once and do `try_module_get(module)` which is only available with +MODULE_STATE_LIVE. 
+ +Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/ + +Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas") +Cc: stable@vger.kernel.org +Signed-off-by: Zheng Yejian +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1567,10 +1567,17 @@ static int check_kprobe_address_safe(str + jump_label_lock(); + preempt_disable(); + +- /* Ensure it is not in reserved area nor out of text */ +- if (!(core_kernel_text((unsigned long) p->addr) || +- is_module_text_address((unsigned long) p->addr)) || +- in_gate_area_no_mm((unsigned long) p->addr) || ++ /* Ensure the address is in a text area, and find a module if exists. */ ++ *probed_mod = NULL; ++ if (!core_kernel_text((unsigned long) p->addr)) { ++ *probed_mod = __module_text_address((unsigned long) p->addr); ++ if (!(*probed_mod)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ } ++ /* Ensure it is not in reserved area. */ ++ if (in_gate_area_no_mm((unsigned long) p->addr) || + within_kprobe_blacklist((unsigned long) p->addr) || + jump_label_text_reserved(p->addr, p->addr) || + static_call_text_reserved(p->addr, p->addr) || +@@ -1580,8 +1587,7 @@ static int check_kprobe_address_safe(str + goto out; + } + +- /* Check if 'p' is probing a module. */ +- *probed_mod = __module_text_address((unsigned long) p->addr); ++ /* Get module refcount and reject __init functions for loaded modules. */ + if (*probed_mod) { + /* + * We must hold a refcount of the probed module while updating diff --git a/queue-6.1/perf-x86-fix-out-of-range-data.patch b/queue-6.1/perf-x86-fix-out-of-range-data.patch new file mode 100644 index 00000000000..af5f4762cf5 --- /dev/null +++ b/queue-6.1/perf-x86-fix-out-of-range-data.patch 
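Review bot: The new lookup relies on the `preempt_disable()` visible at the top of the hunk to keep the module returned by `__module_text_address()` from being freed until the `try_module_get()` that follows `if (*probed_mod)`, but the added comment `/* Ensure the address is in a text area, and find a module if exists. */` does not record that dependency; a later change that narrows the preempt-disabled region would quietly reintroduce the use-after-free this patch closes. Suggest `/* Find the owning module, if any. Preemption stays disabled until try_module_get() below, so it cannot be freed under us. */`. The `out:` cleanup for the new `ret = -EINVAL; goto out;` path is outside the hunk, as is the rest of check_kprobe_address_safe.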
@@ -0,0 +1,109 @@ +From dec8ced871e17eea46f097542dd074d022be4bd1 Mon Sep 17 00:00:00 2001 +From: Namhyung Kim +Date: Tue, 5 Mar 2024 22:10:03 -0800 +Subject: perf/x86: Fix out of range data + +From: Namhyung Kim + +commit dec8ced871e17eea46f097542dd074d022be4bd1 upstream. + +On x86 each struct cpu_hw_events maintains a table for counter assignment but +it missed to update one for the deleted event in x86_pmu_del(). This +can make perf_clear_dirty_counters() reset used counter if it's called +before event scheduling or enabling. Then it would return out of range +data which doesn't make sense. + +The following code can reproduce the problem. + + $ cat repro.c + #include + #include + #include + #include + #include + #include + #include + #include + + struct perf_event_attr attr = { + .type = PERF_TYPE_HARDWARE, + .config = PERF_COUNT_HW_CPU_CYCLES, + .disabled = 1, + }; + + void *worker(void *arg) + { + int cpu = (long)arg; + int fd1 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); + int fd2 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); + void *p; + + do { + ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0); + p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd1, 0); + ioctl(fd2, PERF_EVENT_IOC_ENABLE, 0); + + ioctl(fd2, PERF_EVENT_IOC_DISABLE, 0); + munmap(p, 4096); + ioctl(fd1, PERF_EVENT_IOC_DISABLE, 0); + } while (1); + + return NULL; + } + + int main(void) + { + int i; + int n = sysconf(_SC_NPROCESSORS_ONLN); + pthread_t *th = calloc(n, sizeof(*th)); + + for (i = 0; i < n; i++) + pthread_create(&th[i], NULL, worker, (void *)(long)i); + for (i = 0; i < n; i++) + pthread_join(th[i], NULL); + + free(th); + return 0; + } + +And you can see the out of range data using perf stat like this. +Probably it'd be easier to see on a large machine. 
+ + $ gcc -o repro repro.c -pthread + $ ./repro & + $ sudo perf stat -A -I 1000 2>&1 | awk '{ if (length($3) > 15) print }' + 1.001028462 CPU6 196,719,295,683,763 cycles # 194290.996 GHz (71.54%) + 1.001028462 CPU3 396,077,485,787,730 branch-misses # 15804359784.80% of all branches (71.07%) + 1.001028462 CPU17 197,608,350,727,877 branch-misses # 14594186554.56% of all branches (71.22%) + 2.020064073 CPU4 198,372,472,612,140 cycles # 194681.113 GHz (70.95%) + 2.020064073 CPU6 199,419,277,896,696 cycles # 195720.007 GHz (70.57%) + 2.020064073 CPU20 198,147,174,025,639 cycles # 194474.654 GHz (71.03%) + 2.020064073 CPU20 198,421,240,580,145 stalled-cycles-frontend # 100.14% frontend cycles idle (70.93%) + 3.037443155 CPU4 197,382,689,923,416 cycles # 194043.065 GHz (71.30%) + 3.037443155 CPU20 196,324,797,879,414 cycles # 193003.773 GHz (71.69%) + 3.037443155 CPU5 197,679,956,608,205 stalled-cycles-backend # 1315606428.66% backend cycles idle (71.19%) + 3.037443155 CPU5 198,571,860,474,851 instructions # 13215422.58 insn per cycle + +It should move the contents in the cpuc->assign as well. + +Fixes: 5471eea5d3bf ("perf/x86: Reset the dirty counter to prevent the leak for an RDPMC task") +Signed-off-by: Namhyung Kim +Signed-off-by: Ingo Molnar +Reviewed-by: Kan Liang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240306061003.1894224-1-namhyung@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1644,6 +1644,7 @@ static void x86_pmu_del(struct perf_even + while (++i < cpuc->n_events) { + cpuc->event_list[i-1] = cpuc->event_list[i]; + cpuc->event_constraint[i-1] = cpuc->event_constraint[i]; ++ cpuc->assign[i-1] = cpuc->assign[i]; + } + cpuc->event_constraint[i-1] = NULL; + --cpuc->n_events; diff --git a/queue-6.1/series b/queue-6.1/series index 564a01432f2..05cc228215a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
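Review bot: After the shift loop, `cpuc->event_constraint[i-1] = NULL;` clears the vacated tail slot, but the newly shifted `cpuc->assign[i-1]` is left holding the old counter index; since `--cpuc->n_events` puts that slot out of range this is presumably harmless, yet the asymmetry invites exactly the stale-entry class of bug the patch fixes. If this file has an "unassigned" value for assign[], resetting `cpuc->assign[i-1]` alongside the constraint keeps the three tables in step; otherwise a short comment stating that slots at or beyond n_events are never read would do. x86_pmu_del continues outside the hunk.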
@@ -39,3 +39,16 @@ net-ena-fix-incorrect-descriptor-free-behavior.patch tracing-fix-ftrace_record_recursion_size-kconfig-ent.patch tracing-hide-unused-ftrace_event_id_fops.patch iommu-vt-d-allocate-local-memory-for-page-request-qu.patch +btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch +btrfs-record-delayed-inode-root-in-transaction.patch +btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch +io_uring-net-restore-msg_control-on-sendzc-retry.patch +kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch +drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch +drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch +drm-ast-fix-soft-lockup.patch +drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch +vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch +vhost-add-smp_rmb-in-vhost_enable_notify.patch +perf-x86-fix-out-of-range-data.patch +x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch diff --git a/queue-6.1/vhost-add-smp_rmb-in-vhost_enable_notify.patch b/queue-6.1/vhost-add-smp_rmb-in-vhost_enable_notify.patch new file mode 100644 index 00000000000..fcec1a7ea44 --- /dev/null +++ b/queue-6.1/vhost-add-smp_rmb-in-vhost_enable_notify.patch 
@@ -0,0 +1,70 @@ +From df9ace7647d4123209395bb9967e998d5758c645 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Thu, 28 Mar 2024 10:21:48 +1000 +Subject: vhost: Add smp_rmb() in vhost_enable_notify() + +From: Gavin Shan + +commit df9ace7647d4123209395bb9967e998d5758c645 upstream. + +A smp_rmb() has been missed in vhost_enable_notify(), inspired by +Will. Otherwise, it's not ensured the available ring entries pushed +by guest can be observed by vhost in time, leading to stale available +ring entries fetched by vhost in vhost_get_vq_desc(), as reported by +Yihuang Yu on NVidia's grace-hopper (ARM64) platform. + + /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ + -accel kvm -machine virt,gic-version=host -cpu host \ + -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \ + -m 4096M,slots=16,maxmem=64G \ + -object memory-backend-ram,id=mem0,size=4096M \ + : \ + -netdev tap,id=vnet0,vhost=true \ + -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0 + : + guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM + virtio_net virtio0: output.0:id 100 is not a head! + +Add the missed smp_rmb() in vhost_enable_notify(). When it returns true, +it means there's still pending tx buffers. Since it might read indices, +so it still can bypass the smp_rmb() in vhost_get_vq_desc(). Note that +it should be safe until vq->avail_idx is changed by commit d3bb267bbdcb +("vhost: cache avail index in vhost_enable_notify()"). + +Fixes: d3bb267bbdcb ("vhost: cache avail index in vhost_enable_notify()") +Cc: # v5.18+ +Reported-by: Yihuang Yu +Suggested-by: Will Deacon +Signed-off-by: Gavin Shan +Acked-by: Jason Wang +Message-Id: <20240328002149.1141302-3-gshan@redhat.com> +Signed-off-by: Michael S. 
Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2572,9 +2572,19 @@ bool vhost_enable_notify(struct vhost_de + &vq->avail->idx, r); + return false; + } ++ + vq->avail_idx = vhost16_to_cpu(vq, avail_idx); ++ if (vq->avail_idx != vq->last_avail_idx) { ++ /* Since we have updated avail_idx, the following ++ * call to vhost_get_vq_desc() will read available ++ * ring entries. Make sure that read happens after ++ * the avail_idx read. ++ */ ++ smp_rmb(); ++ return true; ++ } + +- return vq->avail_idx != vq->last_avail_idx; ++ return false; + } + EXPORT_SYMBOL_GPL(vhost_enable_notify); + diff --git a/queue-6.1/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch b/queue-6.1/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch new file mode 100644 index 00000000000..2f314606d40 --- /dev/null +++ b/queue-6.1/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch 
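Review bot: The read-compare-`smp_rmb()` sequence added here is duplicated line for line, comment included, in the vhost_vq_avail_empty() hunk of the next patch file, so the barrier rationale now lives in two places that must be kept in step. For a stable backport mirroring upstream that is acceptable, but a small static helper wrapping vhost_get_avail_idx() would keep the ordering requirement in one spot; flagging it so the duplication is a deliberate choice. The new comment could also name what the barrier pairs with, e.g. `/* Pairs with the guest's write barrier between filling ring entries and publishing avail->idx */`, since a reader cannot tell from the code which store it orders against. vhost_enable_notify continues outside the hunk.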
@@ -0,0 +1,70 @@ +From 22e1992cf7b034db5325660e98c41ca5afa5f519 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Thu, 28 Mar 2024 10:21:47 +1000 +Subject: vhost: Add smp_rmb() in vhost_vq_avail_empty() + +From: Gavin Shan + +commit 22e1992cf7b034db5325660e98c41ca5afa5f519 upstream. + +A smp_rmb() has been missed in vhost_vq_avail_empty(), spotted by +Will. Otherwise, it's not ensured the available ring entries pushed +by guest can be observed by vhost in time, leading to stale available +ring entries fetched by vhost in vhost_get_vq_desc(), as reported by +Yihuang Yu on NVidia's grace-hopper (ARM64) platform. + + /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ + -accel kvm -machine virt,gic-version=host -cpu host \ + -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \ + -m 4096M,slots=16,maxmem=64G \ + -object memory-backend-ram,id=mem0,size=4096M \ + : \ + -netdev tap,id=vnet0,vhost=true \ + -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0 + : + guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM + virtio_net virtio0: output.0:id 100 is not a head! + +Add the missed smp_rmb() in vhost_vq_avail_empty(). When tx_can_batch() +returns true, it means there's still pending tx buffers. Since it might +read indices, so it still can bypass the smp_rmb() in vhost_get_vq_desc(). +Note that it should be safe until vq->avail_idx is changed by commit +275bf960ac697 ("vhost: better detection of available buffers"). + +Fixes: 275bf960ac69 ("vhost: better detection of available buffers") +Cc: # v4.11+ +Reported-by: Yihuang Yu +Suggested-by: Will Deacon +Signed-off-by: Gavin Shan +Acked-by: Jason Wang +Message-Id: <20240328002149.1141302-2-gshan@redhat.com> +Signed-off-by: Michael S. 
Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2523,9 +2523,19 @@ bool vhost_vq_avail_empty(struct vhost_d + r = vhost_get_avail_idx(vq, &avail_idx); + if (unlikely(r)) + return false; ++ + vq->avail_idx = vhost16_to_cpu(vq, avail_idx); ++ if (vq->avail_idx != vq->last_avail_idx) { ++ /* Since we have updated avail_idx, the following ++ * call to vhost_get_vq_desc() will read available ++ * ring entries. Make sure that read happens after ++ * the avail_idx read. ++ */ ++ smp_rmb(); ++ return false; ++ } + +- return vq->avail_idx == vq->last_avail_idx; ++ return true; + } + EXPORT_SYMBOL_GPL(vhost_vq_avail_empty); + diff --git a/queue-6.1/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch b/queue-6.1/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch new file mode 100644 index 00000000000..7aa3a63c627 --- /dev/null +++ b/queue-6.1/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch 
@@ -0,0 +1,47 @@ +From f337a6a21e2fd67eadea471e93d05dd37baaa9be Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 9 Apr 2024 10:51:05 -0700 +Subject: x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit f337a6a21e2fd67eadea471e93d05dd37baaa9be upstream. + +Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built +with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly +states that disabling SPECULATION_MITIGATIONS is supposed to turn off all +mitigations by default. + + │ If you say N, all mitigations will be disabled. You really + │ should know what you are doing to say so. + +As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in +some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n. + +Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs") +Signed-off-by: Sean Christopherson +Signed-off-by: Ingo Molnar +Reviewed-by: Daniel Sneddon +Cc: stable@vger.kernel.org +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20240409175108.1512861-2-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -2788,7 +2788,8 @@ enum cpu_mitigations { + }; + + static enum cpu_mitigations cpu_mitigations __ro_after_init = +- CPU_MITIGATIONS_AUTO; ++ IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : ++ CPU_MITIGATIONS_OFF; + + static int __init mitigations_parse_cmdline(char *arg) + { -- 2.47.2
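Review bot: The new initializer changes a security default silently at the definition site: a kernel built with CONFIG_SPECULATION_MITIGATIONS=n now boots in CPU_MITIGATIONS_OFF instead of AUTO, so any distribution or embedded config that set the option to n expecting only the fine-grained knobs to change loses the remaining mitigations after this update; that is the documented intent, but it deserves a comment next to the ternary, e.g. `/* SPECULATION_MITIGATIONS=n means "all mitigations off by default"; mitigations= on the command line (parsed below) still overrides. */`. The override part of that comment holds only if mitigations_parse_cmdline(), whose signature is visible right after, writes cpu_mitigations; its body is outside the hunk. From a hardening standpoint, config audits and boot-time checks should treat SPECULATION_MITIGATIONS=n as effectively mitigations=off from this release on.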