From 7828702cdf667496b76e1e34026a8c6e872e3fba Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 14 Nov 2022 11:48:04 +0100 Subject: [PATCH] 5.15-stable patches added patches: ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch btrfs-fix-match-incorrectly-in-dev_args_match_device.patch btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch drm-amdgpu-disable-baco-on-special-beige_goby-card.patch drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch --- ...synchronize-cache-16-command-failure.patch | 53 +++++++ ...incorrectly-in-dev_args_match_device.patch | 62 ++++++++ ...error-check-in-btrfs_free_dummy_root.patch | 56 ++++++++ ...alize-device-s-zone-info-for-seeding.patch | 84 +++++++++++ ...ix-missing-can-header-initialization.patch | 40 ++++++ ...g-about-deprecated-openssl-functions.patch | 35 +++++ ...able-baco-on-special-beige_goby-card.patch | 34 +++++ ...fix-sg_table-handling-in-map_dma_buf.patch | 55 +++++++ ...contexts-input-is-for-a-real-context.patch | 56 ++++++++ ...ap-fs_dax-device-memory-as-decrypted.patch | 39 +++++ ...-detect-page-cache-for-uffd-continue.patch | 49 +++++++ ...hc-imx-fix-sdhci_reset_all-for-cqhci.patch | 60 ++++++++ ...-deadlock-in-nilfs_count_free_blocks.patch | 81 +++++++++++ ...ter-free-bug-of-ns_writer-on-remount.patch | 118 +++++++++++++++ ...fix-rfkill-causing-soft-blocked-wifi.patch | 61 ++++++++ queue-5.15/series | 18 +++ ...f-bounds-write-bug-in-udf_find_entry.patch | 135 ++++++++++++++++++ ...lacement-of-.data..decrypted-section.patch | 52 +++++++ ...ulatory-update-in-ath11k_regd_update.patch | 94 ++++++++++++ 19 files changed, 1182 insertions(+) create mode 100644 queue-5.15/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch create mode 100644 queue-5.15/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch create mode 100644 queue-5.15/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch create mode 100644 queue-5.15/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch create mode 100644 queue-5.15/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch create mode 100644 queue-5.15/cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch create mode 100644 queue-5.15/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch create mode 100644 queue-5.15/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch create mode 100644 queue-5.15/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch create mode 100644 queue-5.15/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch create mode 100644 queue-5.15/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch create mode 100644 queue-5.15/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch create mode 100644 queue-5.15/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch create mode 100644 queue-5.15/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch create mode 100644 queue-5.15/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch create mode 100644 queue-5.15/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch create mode 100644 queue-5.15/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch create mode 100644 queue-5.15/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch diff --git a/queue-5.15/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch b/queue-5.15/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch new file mode 100644 index 00000000000..43f52a2e214 --- /dev/null +++ b/queue-5.15/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch @@ -0,0 +1,53 @@ +From ea045fd344cb15c164e9ffc8b8cffb6883df8475 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Mon, 7 Nov 2022 13:02:29 +0900 +Subject: ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure + +From: Shin'ichiro Kawasaki + +commit ea045fd344cb15c164e9ffc8b8cffb6883df8475 upstream. + +SAT SCSI/ATA Translation specification requires SCSI SYNCHRONIZE CACHE +(10) and (16) commands both shall be translated to ATA flush command. +Also, ZBC Zoned Block Commands specification mandates SYNCHRONIZE CACHE +(16) command support. However, libata translates only SYNCHRONIZE CACHE +(10). This results in SYNCHRONIZE CACHE (16) command failures on SATA +drives and then libata translation does not conform to ZBC. To avoid the +failure, add support for SYNCHRONIZE CACHE (16). + +Signed-off-by: Shin'ichiro Kawasaki +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Hellwig +Reviewed-by: Martin K. Petersen +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3259,6 +3259,7 @@ static unsigned int ata_scsiop_maint_in( + case REPORT_LUNS: + case REQUEST_SENSE: + case SYNCHRONIZE_CACHE: ++ case SYNCHRONIZE_CACHE_16: + case REZERO_UNIT: + case SEEK_6: + case SEEK_10: +@@ -3925,6 +3926,7 @@ static inline ata_xlat_func_t ata_get_xl + return ata_scsi_write_same_xlat; + + case SYNCHRONIZE_CACHE: ++ case SYNCHRONIZE_CACHE_16: + if (ata_try_flush_cache(dev)) + return ata_scsi_flush_xlat; + break; +@@ -4170,6 +4172,7 @@ void ata_scsi_simulate(struct ata_device + * turning this into a no-op. + */ + case SYNCHRONIZE_CACHE: ++ case SYNCHRONIZE_CACHE_16: + fallthrough; + + /* no-op's, complete with success */ diff --git a/queue-5.15/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch b/queue-5.15/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch new file mode 100644 index 00000000000..2da65ed8477 --- /dev/null +++ b/queue-5.15/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch @@ -0,0 +1,62 @@ +From 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001 Mon Sep 17 00:00:00 2001 +From: Liu Shixin +Date: Thu, 3 Nov 2022 16:33:01 +0800 +Subject: btrfs: fix match incorrectly in dev_args_match_device + +From: Liu Shixin + +commit 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001 upstream. + +syzkaller found a failed assertion: + + assertion failed: (args->devid != (u64)-1) || args->missing, in fs/btrfs/volumes.c:6921 + +This can be triggered when we set devid to (u64)-1 by ioctl. In this +case, the match of devid will be skipped and the match of device may +succeed incorrectly. + +Patch 562d7b1512f7 introduced this function which is used to match device. +This function contains two matching scenarios, we can distinguish them by +checking the value of args->missing rather than check whether args->devid +and args->uuid is default value. + +Reported-by: syzbot+031687116258450f9853@syzkaller.appspotmail.com +Fixes: 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args") +CC: stable@vger.kernel.org # 5.16+ +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Shixin +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6841,18 +6841,18 @@ static bool dev_args_match_fs_devices(co + static bool dev_args_match_device(const struct btrfs_dev_lookup_args *args, + const struct btrfs_device *device) + { +- ASSERT((args->devid != (u64)-1) || args->missing); ++ if (args->missing) { ++ if (test_bit(BTRFS_DEV_STATE_IN_FS_METADATA, &device->dev_state) && ++ !device->bdev) ++ return true; ++ return false; ++ } + +- if ((args->devid != (u64)-1) && device->devid != args->devid) ++ if (device->devid != args->devid) + return false; + if (args->uuid && memcmp(device->uuid, args->uuid, BTRFS_UUID_SIZE) != 0) + return false; +- if (!args->missing) +- return true; +- if (test_bit(BTRFS_DEV_STATE_IN_FS_METADATA, &device->dev_state) && +- !device->bdev) +- return true; +- return false; ++ return true; + } + + /* diff --git a/queue-5.15/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch b/queue-5.15/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch new file mode 100644 index 00000000000..81519f0e733 --- /dev/null +++ b/queue-5.15/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch @@ -0,0 +1,56 @@ +From 9b2f20344d450137d015b380ff0c2e2a6a170135 Mon Sep 17 00:00:00 2001 +From: Zhang Xiaoxu +Date: Tue, 1 Nov 2022 10:53:54 +0800 +Subject: btrfs: selftests: fix wrong error check in btrfs_free_dummy_root() + +From: Zhang Xiaoxu + +commit 9b2f20344d450137d015b380ff0c2e2a6a170135 upstream. + +The btrfs_alloc_dummy_root() uses ERR_PTR as the error return value +rather than NULL, if error happened, there will be a NULL pointer +dereference: + + BUG: KASAN: null-ptr-deref in btrfs_free_dummy_root+0x21/0x50 [btrfs] + Read of size 8 at addr 000000000000002c by task insmod/258926 + + CPU: 2 PID: 258926 Comm: insmod Tainted: G W 6.1.0-rc2+ #5 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + Call Trace: + + dump_stack_lvl+0x34/0x44 + kasan_report+0xb7/0x140 + kasan_check_range+0x145/0x1a0 + btrfs_free_dummy_root+0x21/0x50 [btrfs] + btrfs_test_free_space_cache+0x1a8c/0x1add [btrfs] + btrfs_run_sanity_tests+0x65/0x80 [btrfs] + init_btrfs_fs+0xec/0x154 [btrfs] + do_one_initcall+0x87/0x2a0 + do_init_module+0xdf/0x320 + load_module+0x3006/0x3390 + __do_sys_finit_module+0x113/0x1b0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fixes: aaedb55bc08f ("Btrfs: add tests for btrfs_get_extent") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Anand Jain +Signed-off-by: Zhang Xiaoxu +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tests/btrfs-tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tests/btrfs-tests.c ++++ b/fs/btrfs/tests/btrfs-tests.c +@@ -199,7 +199,7 @@ void btrfs_free_dummy_fs_info(struct btr + + void btrfs_free_dummy_root(struct btrfs_root *root) + { +- if (!root) ++ if (IS_ERR_OR_NULL(root)) + return; + /* Will be freed by btrfs_free_fs_roots */ + if (WARN_ON(test_bit(BTRFS_ROOT_IN_RADIX, &root->state))) diff --git a/queue-5.15/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch b/queue-5.15/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch new file mode 100644 index 00000000000..80044b5da52 --- /dev/null +++ b/queue-5.15/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch @@ -0,0 +1,84 @@ +From a8d1b1647bf8244a5f270538e9e636e2657fffa3 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Fri, 4 Nov 2022 07:12:34 -0700 +Subject: btrfs: zoned: initialize device's zone info for seeding + +From: Johannes Thumshirn + +commit a8d1b1647bf8244a5f270538e9e636e2657fffa3 upstream. + +When performing seeding on a zoned filesystem it is necessary to +initialize each zoned device's btrfs_zoned_device_info structure, +otherwise mounting the filesystem will cause a NULL pointer dereference. + +This was uncovered by fstests' testcase btrfs/163. + +CC: stable@vger.kernel.org # 5.15+ +Signed-off-by: Johannes Thumshirn +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 4 +++- + fs/btrfs/volumes.c | 11 +++++++++-- + fs/btrfs/volumes.h | 2 +- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2404,7 +2404,9 @@ static int btrfs_read_roots(struct btrfs + fs_info->dev_root = root; + } + /* Initialize fs_info for all devices in any case */ +- btrfs_init_devices_late(fs_info); ++ ret = btrfs_init_devices_late(fs_info); ++ if (ret) ++ goto out; + + /* If IGNOREDATACSUMS is set don't bother reading the csum root. */ + if (!btrfs_test_opt(fs_info, IGNOREDATACSUMS)) { +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -7681,10 +7681,11 @@ error: + return ret; + } + +-void btrfs_init_devices_late(struct btrfs_fs_info *fs_info) ++int btrfs_init_devices_late(struct btrfs_fs_info *fs_info) + { + struct btrfs_fs_devices *fs_devices = fs_info->fs_devices, *seed_devs; + struct btrfs_device *device; ++ int ret = 0; + + fs_devices->fs_info = fs_info; + +@@ -7693,12 +7694,18 @@ void btrfs_init_devices_late(struct btrf + device->fs_info = fs_info; + + list_for_each_entry(seed_devs, &fs_devices->seed_list, seed_list) { +- list_for_each_entry(device, &seed_devs->devices, dev_list) ++ list_for_each_entry(device, &seed_devs->devices, dev_list) { + device->fs_info = fs_info; ++ ret = btrfs_get_dev_zone_info(device, false); ++ if (ret) ++ break; ++ } + + seed_devs->fs_info = fs_info; + } + mutex_unlock(&fs_devices->device_list_mutex); ++ ++ return ret; + } + + static u64 btrfs_dev_stats_value(const struct extent_buffer *eb, +--- a/fs/btrfs/volumes.h ++++ b/fs/btrfs/volumes.h +@@ -539,7 +539,7 @@ int find_free_dev_extent(struct btrfs_de + void btrfs_dev_stat_inc_and_print(struct btrfs_device *dev, int index); + int btrfs_get_dev_stats(struct btrfs_fs_info *fs_info, + struct btrfs_ioctl_get_dev_stats *stats); +-void btrfs_init_devices_late(struct btrfs_fs_info *fs_info); ++int btrfs_init_devices_late(struct btrfs_fs_info *fs_info); + int btrfs_init_dev_stats(struct btrfs_fs_info *fs_info); + int btrfs_run_dev_stats(struct btrfs_trans_handle *trans); + void btrfs_rm_dev_replace_remove_srcdev(struct btrfs_device *srcdev); diff --git a/queue-5.15/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch b/queue-5.15/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch new file mode 100644 index 00000000000..39b68acc78f --- /dev/null +++ b/queue-5.15/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch @@ -0,0 +1,40 @@ +From 3eb3d283e8579a22b81dd2ac3987b77465b2a22f Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Fri, 4 Nov 2022 08:50:00 +0100 +Subject: can: j1939: j1939_send_one(): fix missing CAN header initialization + +From: Oliver Hartkopp + +commit 3eb3d283e8579a22b81dd2ac3987b77465b2a22f upstream. + +The read access to struct canxl_frame::len inside of a j1939 created +skbuff revealed a missing initialization of reserved and later filled +elements in struct can_frame. + +This patch initializes the 8 byte CAN header with zero. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Cc: Oleksij Rempel +Link: https://lore.kernel.org/linux-can/20221104052235.GA6474@pengutronix.de +Reported-by: syzbot+d168ec0caca4697e03b1@syzkaller.appspotmail.com +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20221104075000.105414-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/can/j1939/main.c ++++ b/net/can/j1939/main.c +@@ -332,6 +332,9 @@ int j1939_send_one(struct j1939_priv *pr + /* re-claim the CAN_HDR from the SKB */ + cf = skb_push(skb, J1939_CAN_HDR); + ++ /* initialize header structure */ ++ memset(cf, 0, J1939_CAN_HDR); ++ + /* make it a full can frame again */ + skb_put(skb, J1939_CAN_FTR + (8 - dlc)); + diff --git a/queue-5.15/cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch b/queue-5.15/cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch new file mode 100644 index 00000000000..e3395337aaa --- /dev/null +++ b/queue-5.15/cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch @@ -0,0 +1,35 @@ +From 6bfb56e93bcef41859c2d5ab234ffd80b691be35 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 8 Jun 2022 13:18:39 -0700 +Subject: cert host tools: Stop complaining about deprecated OpenSSL functions + +From: Linus Torvalds + +commit 6bfb56e93bcef41859c2d5ab234ffd80b691be35 upstream. + +OpenSSL 3.0 deprecated the OpenSSL's ENGINE API. That is as may be, but +the kernel build host tools still use it. Disable the warning about +deprecated declarations until somebody who cares fixes it. + +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + scripts/sign-file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/scripts/sign-file.c ++++ b/scripts/sign-file.c +@@ -30,6 +30,13 @@ + #include + + /* ++ * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. ++ * ++ * Remove this if/when that API is no longer used ++ */ ++#pragma GCC diagnostic ignored "-Wdeprecated-declarations" ++ ++/* + * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to + * assume that it's not available and its header file is missing and that we + * should use PKCS#7 instead. Switching to the older PKCS#7 format restricts diff --git a/queue-5.15/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch b/queue-5.15/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch new file mode 100644 index 00000000000..1f7c6c77ae5 --- /dev/null +++ b/queue-5.15/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch @@ -0,0 +1,34 @@ +From 0c85c067c9d9d7a1b2cc2e01a236d5d0d4a872b5 Mon Sep 17 00:00:00 2001 +From: Guchun Chen +Date: Mon, 7 Nov 2022 16:46:59 +0800 +Subject: drm/amdgpu: disable BACO on special BEIGE_GOBY card + +From: Guchun Chen + +commit 0c85c067c9d9d7a1b2cc2e01a236d5d0d4a872b5 upstream. + +Still avoid intermittent failure. + +Signed-off-by: Guchun Chen +Reviewed-by: Lijo Lazar +Acked-by: Evan Quan +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +@@ -366,7 +366,9 @@ static void sienna_cichlid_check_bxco_su + if (((adev->pdev->device == 0x73A1) && + (adev->pdev->revision == 0x00)) || + ((adev->pdev->device == 0x73BF) && +- (adev->pdev->revision == 0xCF))) ++ (adev->pdev->revision == 0xCF)) || ++ ((adev->pdev->device == 0x7422) && ++ (adev->pdev->revision == 0x00))) + smu_baco->platform_support = false; + + } diff --git a/queue-5.15/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch b/queue-5.15/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch new file mode 100644 index 00000000000..e2eeb472e31 --- /dev/null +++ b/queue-5.15/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch @@ -0,0 +1,55 @@ +From f90daa975911961b65070ec72bd7dd8d448f9ef7 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Fri, 28 Oct 2022 16:50:26 +0100 +Subject: drm/i915/dmabuf: fix sg_table handling in map_dma_buf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit f90daa975911961b65070ec72bd7dd8d448f9ef7 upstream. + +We need to iterate over the original entries here for the sg_table, +pulling out the struct page for each one, to be remapped. However +currently this incorrectly iterates over the final dma mapped entries, +which is likely just one gigantic sg entry if the iommu is enabled, +leading to us only mapping the first struct page (and any physically +contiguous pages following it), even if there is potentially lots more +data to follow. + +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7306 +Fixes: 1286ff739773 ("i915: add dmabuf/prime buffer sharing support.") +Signed-off-by: Matthew Auld +Cc: Lionel Landwerlin +Cc: Tvrtko Ursulin +Cc: Ville Syrjälä +Cc: Michael J. Ruhl +Cc: # v3.5+ +Reviewed-by: Michael J. Ruhl +Link: https://patchwork.freedesktop.org/patch/msgid/20221028155029.494736-1-matthew.auld@intel.com +(cherry picked from commit 28d52f99bbca7227008cf580c9194c9b3516968e) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c +@@ -34,13 +34,13 @@ static struct sg_table *i915_gem_map_dma + goto err; + } + +- ret = sg_alloc_table(st, obj->mm.pages->nents, GFP_KERNEL); ++ ret = sg_alloc_table(st, obj->mm.pages->orig_nents, GFP_KERNEL); + if (ret) + goto err_free; + + src = obj->mm.pages->sgl; + dst = st->sgl; +- for (i = 0; i < obj->mm.pages->nents; i++) { ++ for (i = 0; i < obj->mm.pages->orig_nents; i++) { + sg_set_page(dst, sg_page(src), src->length, 0); + dst = sg_next(dst); + src = sg_next(src); diff --git a/queue-5.15/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch b/queue-5.15/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch new file mode 100644 index 00000000000..4c4791e74f8 --- /dev/null +++ b/queue-5.15/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch @@ -0,0 +1,56 @@ +From 1de09a7281edecfdba19b3a07417f6d65243ab5f Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 7 Nov 2022 16:50:00 +0000 +Subject: mm/damon/dbgfs: check if rm_contexts input is for a real context + +From: SeongJae Park + +commit 1de09a7281edecfdba19b3a07417f6d65243ab5f upstream. + +A user could write a name of a file under 'damon/' debugfs directory, +which is not a user-created context, to 'rm_contexts' file. In the case, +'dbgfs_rm_context()' just assumes it's the valid DAMON context directory +only if a file of the name exist. As a result, invalid memory access +could happen as below. Fix the bug by checking if the given input is for +a directory. This check can filter out non-context inputs because +directories under 'damon/' debugfs directory can be created via only +'mk_contexts' file. + +This bug has found by syzbot[1]. + +[1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@google.com/ + +Link: https://lkml.kernel.org/r/20221107165001.5717-2-sj@kernel.org +Fixes: 75c1c2b53c78 ("mm/damon/dbgfs: support multiple contexts") +Signed-off-by: SeongJae Park +Reported-by: syzbot+6087eafb76a94c4ac9eb@syzkaller.appspotmail.com +Cc: [5.15.x] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/dbgfs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/mm/damon/dbgfs.c ++++ b/mm/damon/dbgfs.c +@@ -441,6 +441,7 @@ out: + static int dbgfs_rm_context(char *name) + { + struct dentry *root, *dir, **new_dirs; ++ struct inode *inode; + struct damon_ctx **new_ctxs; + int i, j; + int ret = 0; +@@ -456,6 +457,12 @@ static int dbgfs_rm_context(char *name) + if (!dir) + return -ENOENT; + ++ inode = d_inode(dir); ++ if (!S_ISDIR(inode->i_mode)) { ++ ret = -EINVAL; ++ goto out_dput; ++ } ++ + new_dirs = kmalloc_array(dbgfs_nr_ctxs - 1, sizeof(*dbgfs_dirs), + GFP_KERNEL); + if (!new_dirs) { diff --git a/queue-5.15/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch b/queue-5.15/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch new file mode 100644 index 00000000000..8d0e517601a --- /dev/null +++ b/queue-5.15/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch @@ -0,0 +1,39 @@ +From 867400af90f1f953ff9e10b1b87ecaf9369a7eb8 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Wed, 2 Nov 2022 11:07:28 -0500 +Subject: mm/memremap.c: map FS_DAX device memory as decrypted + +From: Pankaj Gupta + +commit 867400af90f1f953ff9e10b1b87ecaf9369a7eb8 upstream. + +virtio_pmem use devm_memremap_pages() to map the device memory. By +default this memory is mapped as encrypted with SEV. Guest reboot changes +the current encryption key and guest no longer properly decrypts the FSDAX +device meta data. + +Mark the corresponding device memory region for FSDAX devices (mapped with +memremap_pages) as decrypted to retain the persistent memory property. + +Link: https://lkml.kernel.org/r/20221102160728.3184016-1-pankaj.gupta@amd.com +Fixes: b7b3c01b19159 ("mm/memremap_pages: support multiple ranges per invocation") +Signed-off-by: Pankaj Gupta +Cc: Dan Williams +Cc: Tom Lendacky +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memremap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/memremap.c ++++ b/mm/memremap.c +@@ -327,6 +327,7 @@ void *memremap_pages(struct dev_pagemap + WARN(1, "File system DAX not supported\n"); + return ERR_PTR(-EINVAL); + } ++ params.pgprot = pgprot_decrypted(params.pgprot); + break; + case MEMORY_DEVICE_GENERIC: + break; diff --git a/queue-5.15/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch b/queue-5.15/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch new file mode 100644 index 00000000000..4aafe3c6616 --- /dev/null +++ b/queue-5.15/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch @@ -0,0 +1,49 @@ +From 93b0d9178743a68723babe8448981f658aebc58e Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 2 Nov 2022 14:41:52 -0400 +Subject: mm/shmem: use page_mapping() to detect page cache for uffd continue + +From: Peter Xu + +commit 93b0d9178743a68723babe8448981f658aebc58e upstream. + +mfill_atomic_install_pte() checks page->mapping to detect whether one page +is used in the page cache. However as pointed out by Matthew, the page +can logically be a tail page rather than always the head in the case of +uffd minor mode with UFFDIO_CONTINUE. It means we could wrongly install +one pte with shmem thp tail page assuming it's an anonymous page. + +It's not that clear even for anonymous page, since normally anonymous +pages also have page->mapping being setup with the anon vma. It's safe +here only because the only such caller to mfill_atomic_install_pte() is +always passing in a newly allocated page (mcopy_atomic_pte()), whose +page->mapping is not yet setup. However that's not extremely obvious +either. + +For either of above, use page_mapping() instead. + +Link: https://lkml.kernel.org/r/Y2K+y7wnhC4vbnP2@x1n +Fixes: 153132571f02 ("userfaultfd/shmem: support UFFDIO_CONTINUE for shmem") +Signed-off-by: Peter Xu +Reported-by: Matthew Wilcox +Cc: Andrea Arcangeli +Cc: Hugh Dickins +Cc: Axel Rasmussen +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/userfaultfd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -63,7 +63,7 @@ int mfill_atomic_install_pte(struct mm_s + pte_t _dst_pte, *dst_pte; + bool writable = dst_vma->vm_flags & VM_WRITE; + bool vm_shared = dst_vma->vm_flags & VM_SHARED; +- bool page_in_cache = page->mapping; ++ bool page_in_cache = page_mapping(page); + spinlock_t *ptl; + struct inode *inode; + pgoff_t offset, max_off; diff --git a/queue-5.15/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch b/queue-5.15/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch new file mode 100644 index 00000000000..99cd34fdbc8 --- /dev/null +++ b/queue-5.15/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch @@ -0,0 +1,60 @@ +From fb1dec44c6750bb414f47b929c8c175a1a127c31 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 26 Oct 2022 12:42:06 -0700 +Subject: mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI + +From: Brian Norris + +commit fb1dec44c6750bb414f47b929c8c175a1a127c31 upstream. + +[[ NOTE: this is completely untested by the author, but included solely + because, as noted in commit df57d73276b8 ("mmc: sdhci-pci: Fix + SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers"), "other + drivers using CQHCI might benefit from a similar change, if they + also have CQHCI reset by SDHCI_RESET_ALL." We've now seen the same + bug on at least MSM, Arasan, and Intel hardware. ]] + +SDHCI_RESET_ALL resets will reset the hardware CQE state, but we aren't +tracking that properly in software. When out of sync, we may trigger +various timeouts. + +It's not typical to perform resets while CQE is enabled, but this may +occur in some suspend or error recovery scenarios. + +Include this fix by way of the new sdhci_and_cqhci_reset() helper. + +This patch depends on (and should not compile without) the patch +entitled "mmc: cqhci: Provide helper for resetting both SDHCI and +CQHCI". + +Fixes: bb6e358169bf ("mmc: sdhci-esdhc-imx: add CMDQ support") +Signed-off-by: Brian Norris +Reviewed-by: Haibo Chen +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221026124150.v4.4.I7d01f9ad11bacdc9213dee61b7918982aea39115@changeid +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include "sdhci-cqhci.h" + #include "sdhci-pltfm.h" + #include "sdhci-esdhc.h" + #include "cqhci.h" +@@ -1273,7 +1274,7 @@ static void esdhc_set_uhs_signaling(stru + + static void esdhc_reset(struct sdhci_host *host, u8 mask) + { +- sdhci_reset(host, mask); ++ sdhci_and_cqhci_reset(host, mask); + + sdhci_writel(host, host->ier, SDHCI_INT_ENABLE); + sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE); diff --git a/queue-5.15/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch b/queue-5.15/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch new file mode 100644 index 00000000000..bd7875d1523 --- /dev/null +++ b/queue-5.15/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch @@ -0,0 +1,81 @@ +From 8ac932a4921a96ca52f61935dbba64ea87bbd5dc Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 29 Oct 2022 13:49:12 +0900 +Subject: nilfs2: fix deadlock in nilfs_count_free_blocks() + +From: Ryusuke Konishi + +commit 8ac932a4921a96ca52f61935dbba64ea87bbd5dc upstream. + +A semaphore deadlock can occur if nilfs_get_block() detects metadata +corruption while locating data blocks and a superblock writeback occurs at +the same time: + +task 1 task 2 +------ ------ +* A file operation * +nilfs_truncate() + nilfs_get_block() + down_read(rwsem A) <-- + nilfs_bmap_lookup_contig() + ... generic_shutdown_super() + nilfs_put_super() + * Prepare to write superblock * + down_write(rwsem B) <-- + nilfs_cleanup_super() + * Detect b-tree corruption * nilfs_set_log_cursor() + nilfs_bmap_convert_error() nilfs_count_free_blocks() + __nilfs_error() down_read(rwsem A) <-- + nilfs_set_error() + down_write(rwsem B) <-- + + *** DEADLOCK *** + +Here, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem) +and then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata +corruption, __nilfs_error() is called from nilfs_bmap_convert_error() +inside the lock section. + +Since __nilfs_error() calls nilfs_set_error() unless the filesystem is +read-only and nilfs_set_error() attempts to writelock rwsem B (= +nilfs->ns_sem) to write back superblock exclusively, hierarchical lock +acquisition occurs in the order rwsem A -> rwsem B. + +Now, if another task starts updating the superblock, it may writelock +rwsem B during the lock sequence above, and can deadlock trying to +readlock rwsem A in nilfs_count_free_blocks(). + +However, there is actually no need to take rwsem A in +nilfs_count_free_blocks() because it, within the lock section, only reads +a single integer data on a shared struct with +nilfs_sufile_get_ncleansegs(). This has been the case after commit +aa474a220180 ("nilfs2: add local variable to cache the number of clean +segments"), that is, even before this bug was introduced. + +So, this resolves the deadlock problem by just not taking the semaphore in +nilfs_count_free_blocks(). + +Link: https://lkml.kernel.org/r/20221029044912.9139-1-konishi.ryusuke@gmail.com +Fixes: e828949e5b42 ("nilfs2: call nilfs_error inside bmap routines") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+45d6ce7b7ad7ef455d03@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Cc: [2.6.38+ +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/the_nilfs.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -690,9 +690,7 @@ int nilfs_count_free_blocks(struct the_n + { + unsigned long ncleansegs; + +- down_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem); + ncleansegs = nilfs_sufile_get_ncleansegs(nilfs->ns_sufile); +- up_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem); + *nblocks = (sector_t)ncleansegs * nilfs->ns_blocks_per_segment; + return 0; + } diff --git a/queue-5.15/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch b/queue-5.15/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch new file mode 100644 index 00000000000..b2a2e524f32 --- /dev/null +++ b/queue-5.15/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch @@ -0,0 +1,118 @@ +From 8cccf05fe857a18ee26e20d11a8455a73ffd4efd Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 4 Nov 2022 23:29:59 +0900 +Subject: nilfs2: fix use-after-free bug of ns_writer on remount + +From: Ryusuke Konishi + +commit 8cccf05fe857a18ee26e20d11a8455a73ffd4efd upstream. + +If a nilfs2 filesystem is downgraded to read-only due to metadata +corruption on disk and is remounted read/write, or if emergency read-only +remount is performed, detaching a log writer and synchronizing the +filesystem can be done at the same time. + +In these cases, use-after-free of the log writer (hereinafter +nilfs->ns_writer) can happen as shown in the scenario below: + + Task1 Task2 + -------------------------------- ------------------------------ + nilfs_construct_segment + nilfs_segctor_sync + init_wait + init_waitqueue_entry + add_wait_queue + schedule + nilfs_remount (R/W remount case) + nilfs_attach_log_writer + nilfs_detach_log_writer + nilfs_segctor_destroy + kfree + finish_wait + _raw_spin_lock_irqsave + __raw_spin_lock_irqsave + do_raw_spin_lock + debug_spin_lock_before <-- use-after-free + +While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 +waked up, Task1 accesses nilfs->ns_writer which is already freed. This +scenario diagram is based on the Shigeru Yoshida's post [1]. + +This patch fixes the issue by not detaching nilfs->ns_writer on remount so +that this UAF race doesn't happen. Along with this change, this patch +also inserts a few necessary read-only checks with superblock instance +where only the ns_writer pointer was used to check if the filesystem is +read-only. + +Link: https://syzkaller.appspot.com/bug?id=79a4c002e960419ca173d55e863bd09e8112df8b +Link: https://lkml.kernel.org/r/20221103141759.1836312-1-syoshida@redhat.com [1] +Link: https://lkml.kernel.org/r/20221104142959.28296-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+f816fa82f8783f7a02bb@syzkaller.appspotmail.com +Reported-by: Shigeru Yoshida +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/segment.c | 15 ++++++++------- + fs/nilfs2/super.c | 2 -- + 2 files changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -317,7 +317,7 @@ void nilfs_relax_pressure_in_lock(struct + struct the_nilfs *nilfs = sb->s_fs_info; + struct nilfs_sc_info *sci = nilfs->ns_writer; + +- if (!sci || !sci->sc_flush_request) ++ if (sb_rdonly(sb) || unlikely(!sci) || !sci->sc_flush_request) + return; + + set_bit(NILFS_SC_PRIOR_FLUSH, &sci->sc_flags); +@@ -2243,7 +2243,7 @@ int nilfs_construct_segment(struct super + struct nilfs_transaction_info *ti; + int err; + +- if (!sci) ++ if (sb_rdonly(sb) || unlikely(!sci)) + return -EROFS; + + /* A call inside transactions causes a deadlock. */ +@@ -2282,7 +2282,7 @@ int nilfs_construct_dsync_segment(struct + struct nilfs_transaction_info ti; + int err = 0; + +- if (!sci) ++ if (sb_rdonly(sb) || unlikely(!sci)) + return -EROFS; + + nilfs_transaction_lock(sb, &ti, 0); +@@ -2778,11 +2778,12 @@ int nilfs_attach_log_writer(struct super + + if (nilfs->ns_writer) { + /* +- * This happens if the filesystem was remounted +- * read/write after nilfs_error degenerated it into a +- * read-only mount. ++ * This happens if the filesystem is made read-only by ++ * __nilfs_error or nilfs_remount and then remounted ++ * read/write. In these cases, reuse the existing ++ * writer. + */ +- nilfs_detach_log_writer(sb); ++ return 0; + } + + nilfs->ns_writer = nilfs_segctor_new(sb, root); +--- a/fs/nilfs2/super.c ++++ b/fs/nilfs2/super.c +@@ -1133,8 +1133,6 @@ static int nilfs_remount(struct super_bl + if ((bool)(*flags & SB_RDONLY) == sb_rdonly(sb)) + goto out; + if (*flags & SB_RDONLY) { +- /* Shutting down log writer */ +- nilfs_detach_log_writer(sb); + sb->s_flags |= SB_RDONLY; + + /* diff --git a/queue-5.15/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch b/queue-5.15/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch new file mode 100644 index 00000000000..c7d4cfb421f --- /dev/null +++ b/queue-5.15/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch @@ -0,0 +1,61 @@ +From 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a Mon Sep 17 00:00:00 2001 +From: Jorge Lopez +Date: Fri, 28 Oct 2022 10:55:27 -0500 +Subject: platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi + +From: Jorge Lopez + +commit 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a upstream. + +After upgrading BIOS to U82 01.02.01 Rev.A, the console is flooded +strange char "^@" which printed out every second and makes login +nearly impossible. Also the below messages were shown both in console +and journal/dmesg every second: + +usb 1-3: Device not responding to setup address. +usb 1-3: device not accepting address 4, error -71 +usb 1-3: device descriptor read/all, error -71 +usb usb1-port3: unable to enumerate USB device + +Wifi is soft blocked by checking rfkill. When unblocked manually, +after few seconds it would be soft blocked again. So I was suspecting +something triggered rfkill to soft block wifi. At the end it was +fixed by removing hp_wmi module. + +The root cause is the way hp-wmi driver handles command 1B on +post-2009 BIOS. In pre-2009 BIOS, command 1Bh return 0x4 to indicate +that BIOS no longer controls the power for the wireless devices. + +Signed-off-by: Jorge Lopez +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216468 +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20221028155527.7724-1-jorge.lopez2@hp.com +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/hp-wmi.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -984,8 +984,16 @@ static int __init hp_wmi_bios_setup(stru + wwan_rfkill = NULL; + rfkill2_count = 0; + +- if (hp_wmi_rfkill_setup(device)) +- hp_wmi_rfkill2_setup(device); ++ /* ++ * In pre-2009 BIOS, command 1Bh return 0x4 to indicate that ++ * BIOS no longer controls the power for the wireless ++ * devices. All features supported by this command will no ++ * longer be supported. ++ */ ++ if (!hp_wmi_bios_2009_later()) { ++ if (hp_wmi_rfkill_setup(device)) ++ hp_wmi_rfkill2_setup(device); ++ } + + thermal_profile_setup(); + diff --git a/queue-5.15/series b/queue-5.15/series index c282bd92974..afa56408d31 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -93,3 +93,21 @@ alsa-hda-realtek-add-positivo-c6300-model-quirk.patch alsa-usb-audio-yet-more-regression-for-for-the-delayed-card-registration.patch alsa-usb-audio-add-quirk-entry-for-m-audio-micro.patch alsa-usb-audio-add-dsd-support-for-accuphase-dac-60.patch +vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch +ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch +nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch +nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch +drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch +drm-amdgpu-disable-baco-on-special-beige_goby-card.patch +platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch +wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch +btrfs-fix-match-incorrectly-in-dev_args_match_device.patch +btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch +btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch +mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch +udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch +mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch +mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch +mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch +can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch +cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch diff --git a/queue-5.15/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch b/queue-5.15/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch new file mode 100644 index 00000000000..f02c1706b1d --- /dev/null +++ b/queue-5.15/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch @@ -0,0 +1,135 @@ +From c8af247de385ce49afabc3bf1cf4fd455c94bfe8 Mon Sep 17 00:00:00 2001 +From: ZhangPeng +Date: Wed, 9 Nov 2022 01:35:42 +0000 +Subject: udf: Fix a slab-out-of-bounds write bug in udf_find_entry() + +From: ZhangPeng + +commit c8af247de385ce49afabc3bf1cf4fd455c94bfe8 upstream. + +Syzbot reported a slab-out-of-bounds Write bug: + +loop0: detected capacity change from 0 to 2048 +================================================================== +BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0 +fs/udf/namei.c:253 +Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610 + +CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted +6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS +Google 10/11/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report+0xcd/0x100 mm/kasan/report.c:495 + kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 + memcpy+0x3c/0x60 mm/kasan/shadow.c:66 + udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253 + udf_lookup+0xef/0x340 fs/udf/namei.c:309 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7ffab0d164d9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9 +RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180 +RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000 +R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 3610: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 + kmalloc include/linux/slab.h:576 [inline] + udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243 + udf_lookup+0xef/0x340 fs/udf/namei.c:309 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The buggy address belongs to the object at ffff8880123ff800 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 150 bytes inside of + 256-byte region [ffff8880123ff800, ffff8880123ff900) + +The buggy address belongs to the physical page: +page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 pfn:0x123fe +head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40 +raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), +pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0 + create_dummy_stack mm/page_owner.c:67 [inline] + register_early_stack+0x77/0xd0 mm/page_owner.c:83 + init_page_owner+0x3a/0x731 mm/page_owner.c:93 + kernel_init_freeable+0x41c/0x5d5 init/main.c:1629 + kernel_init+0x19/0x2b0 init/main.c:1519 +page_owner free stack trace missing + +Memory state around the buggy address: + ffff8880123ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8880123ff800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880123ff880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 + ^ + ffff8880123ff900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8880123ff980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fix this by changing the memory size allocated for copy_name from +UDF_NAME_LEN(254) to UDF_NAME_LEN_CS0(255), because the total length +(lfi) of subsequent memcpy can be up to 255. + +CC: stable@vger.kernel.org +Reported-by: syzbot+69c9fdccc6dd08961d34@syzkaller.appspotmail.com +Fixes: 066b9cded00b ("udf: Use separate buffer for copying split names") +Signed-off-by: ZhangPeng +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20221109013542.442790-1-zhangpeng362@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -240,7 +240,7 @@ static struct fileIdentDesc *udf_find_en + poffset - lfi); + else { + if (!copy_name) { +- copy_name = kmalloc(UDF_NAME_LEN, ++ copy_name = kmalloc(UDF_NAME_LEN_CS0, + GFP_NOFS); + if (!copy_name) { + fi = ERR_PTR(-ENOMEM); diff --git a/queue-5.15/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch b/queue-5.15/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch new file mode 100644 index 00000000000..6a5343c6383 --- /dev/null +++ b/queue-5.15/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch @@ -0,0 +1,52 @@ +From 000f8870a47bdc36730357883b6aef42bced91ee Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 8 Nov 2022 10:49:34 -0700 +Subject: vmlinux.lds.h: Fix placement of '.data..decrypted' section + +From: Nathan Chancellor + +commit 000f8870a47bdc36730357883b6aef42bced91ee upstream. + +Commit d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP") +fixed an orphan section warning by adding the '.data..decrypted' section +to the linker script under the PERCPU_DECRYPTED_SECTION define but that +placement introduced a panic with !SMP, as the percpu sections are not +instantiated with that configuration so attempting to access variables +defined with DEFINE_PER_CPU_DECRYPTED() will result in a page fault. + +Move the '.data..decrypted' section to the DATA_MAIN define so that the +variables in it are properly instantiated at boot time with +CONFIG_SMP=n. + +Cc: stable@vger.kernel.org +Fixes: d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP") +Link: https://lore.kernel.org/cbbd3548-880c-d2ca-1b67-5bb93b291d5f@huawei.com/ +Debugged-by: Ard Biesheuvel +Reported-by: Zhao Wenhui +Tested-by: xiafukun +Signed-off-by: Nathan Chancellor +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221108174934.3384275-1-nathan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/vmlinux.lds.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -337,6 +337,7 @@ + #define DATA_DATA \ + *(.xiptext) \ + *(DATA_MAIN) \ ++ *(.data..decrypted) \ + *(.ref.data) \ + *(.data..shared_aligned) /* percpu related */ \ + MEM_KEEP(init.data*) \ +@@ -969,7 +970,6 @@ + #ifdef CONFIG_AMD_MEM_ENCRYPT + #define PERCPU_DECRYPTED_SECTION \ + . = ALIGN(PAGE_SIZE); \ +- *(.data..decrypted) \ + *(.data..percpu..decrypted) \ + . = ALIGN(PAGE_SIZE); + #else diff --git a/queue-5.15/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch b/queue-5.15/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch new file mode 100644 index 00000000000..1dc43aa5207 --- /dev/null +++ b/queue-5.15/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch @@ -0,0 +1,94 @@ +From f45cb6b29cd36514e13f7519770873d8c0457008 Mon Sep 17 00:00:00 2001 +From: Wen Gong +Date: Wed, 2 Nov 2022 13:48:03 +0200 +Subject: wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update() + +From: Wen Gong + +commit f45cb6b29cd36514e13f7519770873d8c0457008 upstream. + +(cherry picked from commit d99884ad9e3673a12879bc2830f6e5a66cccbd78 in ath-next +as users are seeing this bug more now, also cc stable) + +Running this test in a loop it is easy to reproduce an rtnl deadlock: + +iw reg set FI +ifconfig wlan0 down + +What happens is that thread A (workqueue) tries to update the regulatory: + + try to acquire the rtnl_lock of ar->regd_update_work + + rtnl_lock+0x17/0x20 + ath11k_regd_update+0x15a/0x260 [ath11k] + ath11k_regd_update_work+0x15/0x20 [ath11k] + process_one_work+0x228/0x670 + worker_thread+0x4d/0x440 + kthread+0x16d/0x1b0 + ret_from_fork+0x22/0x30 + +And thread B (ifconfig) tries to stop the interface: + + try to cancel_work_sync(&ar->regd_update_work) in ath11k_mac_op_stop(). + ifconfig 3109 [003] 2414.232506: probe: + + ath11k_mac_op_stop: (ffffffffc14187a0) + drv_stop+0x30 ([mac80211]) + ieee80211_do_stop+0x5d2 ([mac80211]) + ieee80211_stop+0x3e ([mac80211]) + __dev_close_many+0x9e ([kernel.kallsyms]) + __dev_change_flags+0xbe ([kernel.kallsyms]) + dev_change_flags+0x23 ([kernel.kallsyms]) + devinet_ioctl+0x5e3 ([kernel.kallsyms]) + inet_ioctl+0x197 ([kernel.kallsyms]) + sock_do_ioctl+0x4d ([kernel.kallsyms]) + sock_ioctl+0x264 ([kernel.kallsyms]) + __x64_sys_ioctl+0x92 ([kernel.kallsyms]) + do_syscall_64+0x3a ([kernel.kallsyms]) + entry_SYSCALL_64_after_hwframe+0x63 ([kernel.kallsyms]) + __GI___ioctl+0x7 (/lib/x86_64-linux-gnu/libc-2.23.so) + +The sequence of deadlock is: + +1. Thread B calls rtnl_lock(). + +2. Thread A starts to run and calls rtnl_lock() from within + ath11k_regd_update_work(), then enters wait state because the lock is owned by + thread B. + +3. Thread B continues to run and tries to call + cancel_work_sync(&ar->regd_update_work), but thread A is in + ath11k_regd_update_work() waiting for rtnl_lock(). So cancel_work_sync() + forever waits for ath11k_regd_update_work() to finish and we have a deadlock. + +Fix this by switching from using regulatory_set_wiphy_regd_sync() to +regulatory_set_wiphy_regd(). Now cfg80211 will schedule another workqueue which +handles the locking on it's own. So the ath11k workqueue can simply exit without +taking any locks, avoiding the deadlock. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 + +Cc: +Signed-off-by: Wen Gong +[kvalo: improve commit log] +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/reg.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/reg.c ++++ b/drivers/net/wireless/ath/ath11k/reg.c +@@ -247,11 +247,7 @@ int ath11k_regd_update(struct ath11k *ar + goto err; + } + +- rtnl_lock(); +- wiphy_lock(ar->hw->wiphy); +- ret = regulatory_set_wiphy_regd_sync(ar->hw->wiphy, regd_copy); +- wiphy_unlock(ar->hw->wiphy); +- rtnl_unlock(); ++ ret = regulatory_set_wiphy_regd(ar->hw->wiphy, regd_copy); + + kfree(regd_copy); + -- 2.47.3