From 7d17526231079eccf861790d695b66e05194b3e7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 10 Jan 2023 09:12:33 +0100 Subject: [PATCH] 6.1-stable patches added patches: block-don-t-allow-splitting-of-a-req_nowait-bio.patch bpf-fix-panic-due-to-wrong-pageattr-of-im-image.patch fbdev-matroxfb-g200ew-increase-max-memory-from-1-mb-to-16-mb.patch io_uring-fix-cq-waiting-timeout-handling.patch io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch io_uring-pin-context-while-queueing-deferred-tw.patch net-dsa-qca8k-fix-wrong-length-value-for-mgmt-eth-packet.patch net-dsa-tag_qca-fix-wrong-mgmt_data2-size.patch nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch revert-drm-amd-display-enable-freesync-video-mode-by-default.patch revert-net-dsa-qca8k-cache-lo-and-hi-for-mdio-write.patch x86-bugs-flush-ibp-in-ib_prctl_set.patch x86-kexec-fix-double-free-of-elf-header-buffer.patch --- ...-allow-splitting-of-a-req_nowait-bio.patch | 47 +++++ ...ic-due-to-wrong-pageattr-of-im-image.patch | 79 ++++++++ ...crease-max-memory-from-1-mb-to-16-mb.patch | 60 ++++++ ...ring-fix-cq-waiting-timeout-handling.patch | 54 ++++++ ...er-if-task_work-creation-is-canceled.patch | 34 ++++ ...n-context-while-queueing-deferred-tw.patch | 54 ++++++ ...ong-length-value-for-mgmt-eth-packet.patch | 106 +++++++++++ ...sa-tag_qca-fix-wrong-mgmt_data2-size.patch | 39 ++++ ...r-in-v4root-vs.-mount-upcall-timeout.patch | 52 +++++ ...nable-freesync-video-mode-by-default.patch | 130 +++++++++++++ ...qca8k-cache-lo-and-hi-for-mdio-write.patch | 177 ++++++++++++++++++ queue-6.1/series | 13 ++ .../x86-bugs-flush-ibp-in-ib_prctl_set.patch | 31 +++ ...fix-double-free-of-elf-header-buffer.patch | 46 +++++ 14 files changed, 922 insertions(+) create mode 100644 queue-6.1/block-don-t-allow-splitting-of-a-req_nowait-bio.patch create mode 100644 queue-6.1/bpf-fix-panic-due-to-wrong-pageattr-of-im-image.patch create mode 100644 queue-6.1/fbdev-matroxfb-g200ew-increase-max-memory-from-1-mb-to-16-mb.patch create mode 100644 queue-6.1/io_uring-fix-cq-waiting-timeout-handling.patch create mode 100644 queue-6.1/io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch create mode 100644 queue-6.1/io_uring-pin-context-while-queueing-deferred-tw.patch create mode 100644 queue-6.1/net-dsa-qca8k-fix-wrong-length-value-for-mgmt-eth-packet.patch create mode 100644 queue-6.1/net-dsa-tag_qca-fix-wrong-mgmt_data2-size.patch create mode 100644 queue-6.1/nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch create mode 100644 queue-6.1/revert-drm-amd-display-enable-freesync-video-mode-by-default.patch create mode 100644 queue-6.1/revert-net-dsa-qca8k-cache-lo-and-hi-for-mdio-write.patch create mode 100644 queue-6.1/x86-bugs-flush-ibp-in-ib_prctl_set.patch create mode 100644 queue-6.1/x86-kexec-fix-double-free-of-elf-header-buffer.patch diff --git a/queue-6.1/block-don-t-allow-splitting-of-a-req_nowait-bio.patch b/queue-6.1/block-don-t-allow-splitting-of-a-req_nowait-bio.patch new file mode 100644 index 00000000000..fb0da2bad3c --- /dev/null +++ b/queue-6.1/block-don-t-allow-splitting-of-a-req_nowait-bio.patch @@ -0,0 +1,47 @@ +From 9cea62b2cbabff8ed46f2df17778b624ad9dd25a Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 4 Jan 2023 08:52:06 -0700 +Subject: block: don't allow splitting of a REQ_NOWAIT bio + +From: Jens Axboe + +commit 9cea62b2cbabff8ed46f2df17778b624ad9dd25a upstream. + +If we split a bio marked with REQ_NOWAIT, then we can trigger spurious +EAGAIN if constituent parts of that split bio end up failing request +allocations. Parts will complete just fine, but just a single failure +in one of the chained bios will yield an EAGAIN final result for the +parent bio. + +Return EAGAIN early if we end up needing to split such a bio, which +allows for saner recovery handling. + +Cc: stable@vger.kernel.org # 5.15+ +Link: https://github.com/axboe/liburing/issues/766 +Reported-by: Michael Kelley +Reviewed-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-merge.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -300,6 +300,16 @@ static struct bio *bio_split_rw(struct b + *segs = nsegs; + return NULL; + split: ++ /* ++ * We can't sanely support splitting for a REQ_NOWAIT bio. End it ++ * with EAGAIN if splitting is required and return an error pointer. ++ */ ++ if (bio->bi_opf & REQ_NOWAIT) { ++ bio->bi_status = BLK_STS_AGAIN; ++ bio_endio(bio); ++ return ERR_PTR(-EAGAIN); ++ } ++ + *segs = nsegs; + + /* diff --git a/queue-6.1/bpf-fix-panic-due-to-wrong-pageattr-of-im-image.patch b/queue-6.1/bpf-fix-panic-due-to-wrong-pageattr-of-im-image.patch new file mode 100644 index 00000000000..448df52b001 --- /dev/null +++ b/queue-6.1/bpf-fix-panic-due-to-wrong-pageattr-of-im-image.patch @@ -0,0 +1,79 @@ +From 9ed1d9aeef5842ecacb660fce933613b58af1e00 Mon Sep 17 00:00:00 2001 +From: Chuang Wang +Date: Sat, 24 Dec 2022 21:31:46 +0800 +Subject: bpf: Fix panic due to wrong pageattr of im->image + +From: Chuang Wang + +commit 9ed1d9aeef5842ecacb660fce933613b58af1e00 upstream. + +In the scenario where livepatch and kretfunc coexist, the pageattr of +im->image is rox after arch_prepare_bpf_trampoline in +bpf_trampoline_update, and then modify_fentry or register_fentry returns +-EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag +will be configured, and arch_prepare_bpf_trampoline will be re-executed. + +At this time, because the pageattr of im->image is rox, +arch_prepare_bpf_trampoline will read and write im->image, which causes +a fault. as follows: + + insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c + bpftrace -e 'kretfunc:cmdline_proc_show {}' + +BUG: unable to handle page fault for address: ffffffffa0206000 +PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061 +Oops: 0003 [#1] PREEMPT SMP PTI +CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5 +RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0 +RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202 +RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000 +RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030 +RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400 +R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8 +R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10 +FS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + bpf_trampoline_update+0x25a/0x6b0 + __bpf_trampoline_link_prog+0x101/0x240 + bpf_trampoline_link_prog+0x2d/0x50 + bpf_tracing_prog_attach+0x24c/0x530 + bpf_raw_tp_link_attach+0x73/0x1d0 + __sys_bpf+0x100e/0x2570 + __x64_sys_bpf+0x1c/0x30 + do_syscall_64+0x5b/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +With this patch, when modify_fentry or register_fentry returns -EAGAIN +from bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset +to nx+rw. + +Cc: stable@vger.kernel.org +Fixes: 00963a2e75a8 ("bpf: Support bpf_trampoline on functions with IPMODIFY (e.g. livepatch)") +Signed-off-by: Chuang Wang +Acked-by: Jiri Olsa +Acked-by: Song Liu +Link: https://lore.kernel.org/r/20221224133146.780578-1-nashuiliang@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/trampoline.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/bpf/trampoline.c ++++ b/kernel/bpf/trampoline.c +@@ -489,6 +489,10 @@ again: + /* reset fops->func and fops->trampoline for re-register */ + tr->fops->func = NULL; + tr->fops->trampoline = 0; ++ ++ /* reset im->image memory attr for arch_prepare_bpf_trampoline */ ++ set_memory_nx((long)im->image, 1); ++ set_memory_rw((long)im->image, 1); + goto again; + } + #endif diff --git a/queue-6.1/fbdev-matroxfb-g200ew-increase-max-memory-from-1-mb-to-16-mb.patch b/queue-6.1/fbdev-matroxfb-g200ew-increase-max-memory-from-1-mb-to-16-mb.patch new file mode 100644 index 00000000000..0107edc8e14 --- /dev/null +++ b/queue-6.1/fbdev-matroxfb-g200ew-increase-max-memory-from-1-mb-to-16-mb.patch @@ -0,0 +1,60 @@ +From f685dd7a8025f2554f73748cfdb8143a21fb92c7 Mon Sep 17 00:00:00 2001 +From: Paul Menzel +Date: Mon, 2 Jan 2023 14:57:30 +0100 +Subject: fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paul Menzel + +commit f685dd7a8025f2554f73748cfdb8143a21fb92c7 upstream. + +Commit 62d89a7d49af ("video: fbdev: matroxfb: set maxvram of vbG200eW to +the same as vbG200 to avoid black screen") accidently decreases the +maximum memory size for the Matrox G200eW (102b:0532) from 8 MB to 1 MB +by missing one zero. This caused the driver initialization to fail with +the messages below, as the minimum required VRAM size is 2 MB: + + [ 9.436420] matroxfb: Matrox MGA-G200eW (PCI) detected + [ 9.444502] matroxfb: cannot determine memory size + [ 9.449316] matroxfb: probe of 0000:0a:03.0 failed with error -1 + +So, add the missing 0 to make it the intended 16 MB. Successfully tested on +the Dell PowerEdge R910/0KYD3D, BIOS 2.10.0 08/29/2013, that the warning is +gone. + +While at it, add a leading 0 to the maxdisplayable entry, so it’s aligned +properly. The value could probably also be increased from 8 MB to 16 MB, as +the G200 uses the same values, but I have not checked any datasheet. + +Note, matroxfb is obsolete and superseded by the maintained DRM driver +mga200, which is used by default on most systems where both drivers are +available. Therefore, on most systems it was only a cosmetic issue. + +Fixes: 62d89a7d49af ("video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen") +Link: https://lore.kernel.org/linux-fbdev/972999d3-b75d-5680-fcef-6e6905c52ac5@suse.de/T/#mb6953a9995ebd18acc8552f99d6db39787aec775 +Cc: it+linux-fbdev@molgen.mpg.de +Cc: Z. Liu +Cc: Rich Felker +Cc: stable@vger.kernel.org +Signed-off-by: Paul Menzel +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/matrox/matroxfb_base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/matrox/matroxfb_base.c ++++ b/drivers/video/fbdev/matrox/matroxfb_base.c +@@ -1378,8 +1378,8 @@ static struct video_board vbG200 = { + .lowlevel = &matrox_G100 + }; + static struct video_board vbG200eW = { +- .maxvram = 0x100000, +- .maxdisplayable = 0x800000, ++ .maxvram = 0x1000000, ++ .maxdisplayable = 0x0800000, + .accelID = FB_ACCEL_MATROX_MGAG200, + .lowlevel = &matrox_G100 + }; diff --git a/queue-6.1/io_uring-fix-cq-waiting-timeout-handling.patch b/queue-6.1/io_uring-fix-cq-waiting-timeout-handling.patch new file mode 100644 index 00000000000..237e72c6ca6 --- /dev/null +++ b/queue-6.1/io_uring-fix-cq-waiting-timeout-handling.patch @@ -0,0 +1,54 @@ +From 12521a5d5cb7ff0ad43eadfc9c135d86e1131fa8 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Thu, 5 Jan 2023 10:49:15 +0000 +Subject: io_uring: fix CQ waiting timeout handling + +From: Pavel Begunkov + +commit 12521a5d5cb7ff0ad43eadfc9c135d86e1131fa8 upstream. + +Jiffy to ktime CQ waiting conversion broke how we treat timeouts, in +particular we rearm it anew every time we get into +io_cqring_wait_schedule() without adjusting the timeout. Waiting for 2 +CQEs and getting a task_work in the middle may double the timeout value, +or even worse in some cases task may wait indefinitely. + +Cc: stable@vger.kernel.org +Fixes: 228339662b398 ("io_uring: don't convert to jiffies for waiting on timeouts") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/f7bffddd71b08f28a877d44d37ac953ddb01590d.1672915663.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2364,7 +2364,7 @@ int io_run_task_work_sig(struct io_ring_ + /* when returns >0, the caller should retry */ + static inline int io_cqring_wait_schedule(struct io_ring_ctx *ctx, + struct io_wait_queue *iowq, +- ktime_t timeout) ++ ktime_t *timeout) + { + int ret; + unsigned long check_cq; +@@ -2382,7 +2382,7 @@ static inline int io_cqring_wait_schedul + if (check_cq & BIT(IO_CHECK_CQ_DROPPED_BIT)) + return -EBADR; + } +- if (!schedule_hrtimeout(&timeout, HRTIMER_MODE_ABS)) ++ if (!schedule_hrtimeout(timeout, HRTIMER_MODE_ABS)) + return -ETIME; + return 1; + } +@@ -2452,7 +2452,7 @@ static int io_cqring_wait(struct io_ring + } + prepare_to_wait_exclusive(&ctx->cq_wait, &iowq.wq, + TASK_INTERRUPTIBLE); +- ret = io_cqring_wait_schedule(ctx, &iowq, timeout); ++ ret = io_cqring_wait_schedule(ctx, &iowq, &timeout); + cond_resched(); + } while (ret > 0); + diff --git a/queue-6.1/io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch b/queue-6.1/io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch new file mode 100644 index 00000000000..f753aff7f4a --- /dev/null +++ b/queue-6.1/io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch @@ -0,0 +1,34 @@ +From af82425c6a2d2f347c79b63ce74fca6dc6be157f Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 2 Jan 2023 16:49:46 -0700 +Subject: io_uring/io-wq: free worker if task_work creation is canceled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jens Axboe + +commit af82425c6a2d2f347c79b63ce74fca6dc6be157f upstream. + +If we cancel the task_work, the worker will never come into existance. +As this is the last reference to it, ensure that we get it freed +appropriately. + +Cc: stable@vger.kernel.org +Reported-by: 진호 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io-wq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -1230,6 +1230,7 @@ static void io_wq_cancel_tw_create(struc + + worker = container_of(cb, struct io_worker, create_work); + io_worker_cancel_cb(worker); ++ kfree(worker); + } + } + diff --git a/queue-6.1/io_uring-pin-context-while-queueing-deferred-tw.patch b/queue-6.1/io_uring-pin-context-while-queueing-deferred-tw.patch new file mode 100644 index 00000000000..f3ebf9d160b --- /dev/null +++ b/queue-6.1/io_uring-pin-context-while-queueing-deferred-tw.patch @@ -0,0 +1,54 @@ +From 9ffa13ff78a0a55df968a72d6f0ebffccee5c9f4 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 4 Jan 2023 01:34:02 +0000 +Subject: io_uring: pin context while queueing deferred tw + +From: Pavel Begunkov + +commit 9ffa13ff78a0a55df968a72d6f0ebffccee5c9f4 upstream. + +Unlike normal tw, nothing prevents deferred tw to be executed right +after an tw item added to ->work_llist in io_req_local_work_add(). For +instance, the waiting task may get waken up by CQ posting or a normal +tw. Thus we need to pin the ring for the rest of io_req_local_work_add() + +Cc: stable@vger.kernel.org +Fixes: c0e0d6ba25f18 ("io_uring: add IORING_SETUP_DEFER_TASKRUN") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/1a79362b9c10b8523ef70b061d96523650a23344.1672795998.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1109,13 +1109,18 @@ static void io_req_local_work_add(struct + { + struct io_ring_ctx *ctx = req->ctx; + +- if (!llist_add(&req->io_task_work.node, &ctx->work_llist)) ++ percpu_ref_get(&ctx->refs); ++ ++ if (!llist_add(&req->io_task_work.node, &ctx->work_llist)) { ++ percpu_ref_put(&ctx->refs); + return; ++ } + /* need it for the following io_cqring_wake() */ + smp_mb__after_atomic(); + + if (unlikely(atomic_read(&req->task->io_uring->in_idle))) { + io_move_task_work_from_local(ctx); ++ percpu_ref_put(&ctx->refs); + return; + } + +@@ -1125,6 +1130,7 @@ static void io_req_local_work_add(struct + if (ctx->has_evfd) + io_eventfd_signal(ctx); + __io_cqring_wake(ctx); ++ percpu_ref_put(&ctx->refs); + } + + static inline void __io_req_task_work_add(struct io_kiocb *req, bool allow_local) diff --git a/queue-6.1/net-dsa-qca8k-fix-wrong-length-value-for-mgmt-eth-packet.patch b/queue-6.1/net-dsa-qca8k-fix-wrong-length-value-for-mgmt-eth-packet.patch new file mode 100644 index 00000000000..93a69702d1a --- /dev/null +++ b/queue-6.1/net-dsa-qca8k-fix-wrong-length-value-for-mgmt-eth-packet.patch @@ -0,0 +1,106 @@ +From 9807ae69746196ee4bbffe7d22d22ab2b61c6ed0 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Thu, 29 Dec 2022 17:33:32 +0100 +Subject: net: dsa: qca8k: fix wrong length value for mgmt eth packet + +From: Christian Marangi + +commit 9807ae69746196ee4bbffe7d22d22ab2b61c6ed0 upstream. + +The assumption that Documentation was right about how this value work was +wrong. It was discovered that the length value of the mgmt header is in +step of word size. + +As an example to process 4 byte of data the correct length to set is 2. +To process 8 byte 4, 12 byte 6, 16 byte 8... + +Odd values will always return the next size on the ack packet. +(length of 3 (6 byte) will always return 8 bytes of data) + +This means that a value of 15 (0xf) actually means reading/writing 32 bytes +of data instead of 16 bytes. This behaviour is totally absent and not +documented in the switch Documentation. + +In fact from Documentation the max value that mgmt eth can process is +16 byte of data while in reality it can process 32 bytes at once. + +To handle this we always round up the length after deviding it for word +size. We check if the result is odd and we round another time to align +to what the switch will provide in the ack packet. +The workaround for the length limit of 15 is still needed as the length +reg max value is 0xf(15) + +Reported-by: Ronald Wahl +Tested-by: Ronald Wahl +Fixes: 90386223f44e ("net: dsa: qca8k: add support for larger read/write size with mgmt Ethernet") +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org # v5.18+ +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/qca/qca8k-8xxx.c | 45 ++++++++++++++++++++++++++++++--------- + 1 file changed, 35 insertions(+), 10 deletions(-) + +--- a/drivers/net/dsa/qca/qca8k-8xxx.c ++++ b/drivers/net/dsa/qca/qca8k-8xxx.c +@@ -111,7 +111,16 @@ static void qca8k_rw_reg_ack_handler(str + + command = get_unaligned_le32(&mgmt_ethhdr->command); + cmd = FIELD_GET(QCA_HDR_MGMT_CMD, command); ++ + len = FIELD_GET(QCA_HDR_MGMT_LENGTH, command); ++ /* Special case for len of 15 as this is the max value for len and needs to ++ * be increased before converting it from word to dword. ++ */ ++ if (len == 15) ++ len++; ++ ++ /* We can ignore odd value, we always round up them in the alloc function. */ ++ len *= sizeof(u16); + + /* Make sure the seq match the requested packet */ + if (get_unaligned_le32(&mgmt_ethhdr->seq) == mgmt_eth_data->seq) +@@ -158,17 +167,33 @@ static struct sk_buff *qca8k_alloc_mdio_ + if (!skb) + return NULL; + +- /* Max value for len reg is 15 (0xf) but the switch actually return 16 byte +- * Actually for some reason the steps are: +- * 0: nothing +- * 1-4: first 4 byte +- * 5-6: first 12 byte +- * 7-15: all 16 byte ++ /* Hdr mgmt length value is in step of word size. ++ * As an example to process 4 byte of data the correct length to set is 2. ++ * To process 8 byte 4, 12 byte 6, 16 byte 8... ++ * ++ * Odd values will always return the next size on the ack packet. ++ * (length of 3 (6 byte) will always return 8 bytes of data) ++ * ++ * This means that a value of 15 (0xf) actually means reading/writing 32 bytes ++ * of data. ++ * ++ * To correctly calculate the length we devide the requested len by word and ++ * round up. ++ * On the ack function we can skip the odd check as we already handle the ++ * case here. + */ +- if (len == 16) +- real_len = 15; +- else +- real_len = len; ++ real_len = DIV_ROUND_UP(len, sizeof(u16)); ++ ++ /* We check if the result len is odd and we round up another time to ++ * the next size. (length of 3 will be increased to 4 as switch will always ++ * return 8 bytes) ++ */ ++ if (real_len % sizeof(u16) != 0) ++ real_len++; ++ ++ /* Max reg value is 0xf(15) but switch will always return the next size (32 byte) */ ++ if (real_len == 16) ++ real_len--; + + skb_reset_mac_header(skb); + skb_set_network_header(skb, skb->len); diff --git a/queue-6.1/net-dsa-tag_qca-fix-wrong-mgmt_data2-size.patch b/queue-6.1/net-dsa-tag_qca-fix-wrong-mgmt_data2-size.patch new file mode 100644 index 00000000000..c135d43c3a1 --- /dev/null +++ b/queue-6.1/net-dsa-tag_qca-fix-wrong-mgmt_data2-size.patch @@ -0,0 +1,39 @@ +From d9dba91be71f03cc75bcf39fc0d5d99ff33f1ae0 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Thu, 29 Dec 2022 17:33:33 +0100 +Subject: net: dsa: tag_qca: fix wrong MGMT_DATA2 size + +From: Christian Marangi + +commit d9dba91be71f03cc75bcf39fc0d5d99ff33f1ae0 upstream. + +It was discovered that MGMT_DATA2 can contain up to 28 bytes of data +instead of the 12 bytes written in the Documentation by accounting the +limit of 16 bytes declared in Documentation subtracting the first 4 byte +in the packet header. + +Update the define with the real world value. + +Tested-by: Ronald Wahl +Fixes: c2ee8181fddb ("net: dsa: tag_qca: add define for handling mgmt Ethernet packet") +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org # v5.18+ +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/dsa/tag_qca.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/dsa/tag_qca.h ++++ b/include/linux/dsa/tag_qca.h +@@ -45,8 +45,8 @@ struct sk_buff; + QCA_HDR_MGMT_COMMAND_LEN + \ + QCA_HDR_MGMT_DATA1_LEN) + +-#define QCA_HDR_MGMT_DATA2_LEN 12 /* Other 12 byte for the mdio data */ +-#define QCA_HDR_MGMT_PADDING_LEN 34 /* Padding to reach the min Ethernet packet */ ++#define QCA_HDR_MGMT_DATA2_LEN 28 /* Other 28 byte for the mdio data */ ++#define QCA_HDR_MGMT_PADDING_LEN 18 /* Padding to reach the min Ethernet packet */ + + #define QCA_HDR_MGMT_PKT_LEN (QCA_HDR_MGMT_HEADER_LEN + \ + QCA_HDR_LEN + \ diff --git a/queue-6.1/nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch b/queue-6.1/nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch new file mode 100644 index 00000000000..bcf184ec580 --- /dev/null +++ b/queue-6.1/nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch @@ -0,0 +1,52 @@ +From cad853374d85fe678d721512cecfabd7636e51f3 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 13 Dec 2022 13:08:26 -0500 +Subject: nfsd: fix handling of readdir in v4root vs. mount upcall timeout + +From: Jeff Layton + +commit cad853374d85fe678d721512cecfabd7636e51f3 upstream. + +If v4 READDIR operation hits a mountpoint and gets back an error, +then it will include that entry in the reply and set RDATTR_ERROR for it +to the error. + +That's fine for "normal" exported filesystems, but on the v4root, we +need to be more careful to only expose the existence of dentries that +lead to exports. + +If the mountd upcall times out while checking to see whether a +mountpoint on the v4root is exported, then we have no recourse other +than to fail the whole operation. + +Cc: Steve Dickson +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216777 +Reported-by: JianHong Yin +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3570,6 +3570,17 @@ nfsd4_encode_dirent(void *ccdv, const ch + case nfserr_noent: + xdr_truncate_encode(xdr, start_offset); + goto skip_entry; ++ case nfserr_jukebox: ++ /* ++ * The pseudoroot should only display dentries that lead to ++ * exports. If we get EJUKEBOX here, then we can't tell whether ++ * this entry should be included. Just fail the whole READDIR ++ * with NFS4ERR_DELAY in that case, and hope that the situation ++ * will resolve itself by the client's next attempt. ++ */ ++ if (cd->rd_fhp->fh_export->ex_flags & NFSEXP_V4ROOT) ++ goto fail; ++ fallthrough; + default: + /* + * If the client requested the RDATTR_ERROR attribute, diff --git a/queue-6.1/revert-drm-amd-display-enable-freesync-video-mode-by-default.patch b/queue-6.1/revert-drm-amd-display-enable-freesync-video-mode-by-default.patch new file mode 100644 index 00000000000..ee72c3f9da1 --- /dev/null +++ b/queue-6.1/revert-drm-amd-display-enable-freesync-video-mode-by-default.patch @@ -0,0 +1,130 @@ +From 6fe6ece398f7431784847e922a2c8c385dc58a35 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michel=20D=C3=A4nzer?= +Date: Wed, 21 Dec 2022 16:24:13 +0100 +Subject: Revert "drm/amd/display: Enable Freesync Video Mode by default" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michel Dänzer + +commit 6fe6ece398f7431784847e922a2c8c385dc58a35 upstream. + +This reverts commit de05abe6b9d0fe08f65d744f7f75a4cba4df27ad. + +The bug referenced below was bisected to this commit. There has been no +activity toward fixing it in 3 months, so let's revert for now. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2162 +Signed-off-by: Michel Dänzer +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 27 ++++++++++++++++++++++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 +++++---- + 3 files changed, 35 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -196,6 +196,7 @@ extern int amdgpu_emu_mode; + extern uint amdgpu_smu_memory_pool_size; + extern int amdgpu_smu_pptable_id; + extern uint amdgpu_dc_feature_mask; ++extern uint amdgpu_freesync_vid_mode; + extern uint amdgpu_dc_debug_mask; + extern uint amdgpu_dc_visual_confirm; + extern uint amdgpu_dm_abm_level; +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -180,6 +180,7 @@ int amdgpu_mes_kiq; + int amdgpu_noretry = -1; + int amdgpu_force_asic_type = -1; + int amdgpu_tmz = -1; /* auto */ ++uint amdgpu_freesync_vid_mode; + int amdgpu_reset_method = -1; /* auto */ + int amdgpu_num_kcq = -1; + int amdgpu_smartshift_bias; +@@ -878,6 +879,32 @@ MODULE_PARM_DESC(tmz, "Enable TMZ featur + module_param_named(tmz, amdgpu_tmz, int, 0444); + + /** ++ * DOC: freesync_video (uint) ++ * Enable the optimization to adjust front porch timing to achieve seamless ++ * mode change experience when setting a freesync supported mode for which full ++ * modeset is not needed. ++ * ++ * The Display Core will add a set of modes derived from the base FreeSync ++ * video mode into the corresponding connector's mode list based on commonly ++ * used refresh rates and VRR range of the connected display, when users enable ++ * this feature. From the userspace perspective, they can see a seamless mode ++ * change experience when the change between different refresh rates under the ++ * same resolution. Additionally, userspace applications such as Video playback ++ * can read this modeset list and change the refresh rate based on the video ++ * frame rate. Finally, the userspace can also derive an appropriate mode for a ++ * particular refresh rate based on the FreeSync Mode and add it to the ++ * connector's mode list. ++ * ++ * Note: This is an experimental feature. ++ * ++ * The default value: 0 (off). ++ */ ++MODULE_PARM_DESC( ++ freesync_video, ++ "Enable freesync modesetting optimization feature (0 = off (default), 1 = on)"); ++module_param_named(freesync_video, amdgpu_freesync_vid_mode, uint, 0444); ++ ++/** + * DOC: reset_method (int) + * GPU reset method (-1 = auto (default), 0 = legacy, 1 = mode0, 2 = mode1, 3 = mode2, 4 = baco) + */ +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -5807,7 +5807,8 @@ create_stream_for_sink(struct amdgpu_dm_ + */ + DRM_DEBUG_DRIVER("No preferred mode found\n"); + } else { +- recalculate_timing = is_freesync_video_mode(&mode, aconnector); ++ recalculate_timing = amdgpu_freesync_vid_mode && ++ is_freesync_video_mode(&mode, aconnector); + if (recalculate_timing) { + freesync_mode = get_highest_refresh_rate_mode(aconnector, false); + drm_mode_copy(&saved_mode, &mode); +@@ -6892,7 +6893,7 @@ static void amdgpu_dm_connector_add_free + struct amdgpu_dm_connector *amdgpu_dm_connector = + to_amdgpu_dm_connector(connector); + +- if (!edid) ++ if (!(amdgpu_freesync_vid_mode && edid)) + return; + + if (amdgpu_dm_connector->max_vfreq - amdgpu_dm_connector->min_vfreq > 10) +@@ -8753,7 +8754,8 @@ static int dm_update_crtc_state(struct a + * TODO: Refactor this function to allow this check to work + * in all conditions. + */ +- if (dm_new_crtc_state->stream && ++ if (amdgpu_freesync_vid_mode && ++ dm_new_crtc_state->stream && + is_timing_unchanged_for_freesync(new_crtc_state, old_crtc_state)) + goto skip_modeset; + +@@ -8788,7 +8790,7 @@ static int dm_update_crtc_state(struct a + if (!dm_old_crtc_state->stream) + goto skip_modeset; + +- if (dm_new_crtc_state->stream && ++ if (amdgpu_freesync_vid_mode && dm_new_crtc_state->stream && + is_timing_unchanged_for_freesync(new_crtc_state, + old_crtc_state)) { + new_crtc_state->mode_changed = false; +@@ -8800,7 +8802,7 @@ static int dm_update_crtc_state(struct a + set_freesync_fixed_config(dm_new_crtc_state); + + goto skip_modeset; +- } else if (aconnector && ++ } else if (amdgpu_freesync_vid_mode && aconnector && + is_freesync_video_mode(&new_crtc_state->mode, + aconnector)) { + struct drm_display_mode *high_mode; diff --git a/queue-6.1/revert-net-dsa-qca8k-cache-lo-and-hi-for-mdio-write.patch b/queue-6.1/revert-net-dsa-qca8k-cache-lo-and-hi-for-mdio-write.patch new file mode 100644 index 00000000000..1e1ccc83c8b --- /dev/null +++ b/queue-6.1/revert-net-dsa-qca8k-cache-lo-and-hi-for-mdio-write.patch @@ -0,0 +1,177 @@ +From 03cb9e6d0b32b768e3d9d473c5c4ca1100877664 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Thu, 29 Dec 2022 17:33:34 +0100 +Subject: Revert "net: dsa: qca8k: cache lo and hi for mdio write" + +From: Christian Marangi + +commit 03cb9e6d0b32b768e3d9d473c5c4ca1100877664 upstream. + +This reverts commit 2481d206fae7884cd07014fd1318e63af35e99eb. + +The Documentation is very confusing about the topic. +The cache logic for hi and lo is wrong and actually miss some regs to be +actually written. + +What the Documentation actually intended was that it's possible to skip +writing hi OR lo if half of the reg is not needed to be written or read. + +Revert the change in favor of a better and correct implementation. + +Reported-by: Ronald Wahl +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org # v5.18+ +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/qca/qca8k-8xxx.c | 61 +++++++-------------------------------- + drivers/net/dsa/qca/qca8k.h | 5 --- + 2 files changed, 12 insertions(+), 54 deletions(-) + +--- a/drivers/net/dsa/qca/qca8k-8xxx.c ++++ b/drivers/net/dsa/qca/qca8k-8xxx.c +@@ -37,44 +37,6 @@ qca8k_split_addr(u32 regaddr, u16 *r1, u + } + + static int +-qca8k_set_lo(struct qca8k_priv *priv, int phy_id, u32 regnum, u16 lo) +-{ +- u16 *cached_lo = &priv->mdio_cache.lo; +- struct mii_bus *bus = priv->bus; +- int ret; +- +- if (lo == *cached_lo) +- return 0; +- +- ret = bus->write(bus, phy_id, regnum, lo); +- if (ret < 0) +- dev_err_ratelimited(&bus->dev, +- "failed to write qca8k 32bit lo register\n"); +- +- *cached_lo = lo; +- return 0; +-} +- +-static int +-qca8k_set_hi(struct qca8k_priv *priv, int phy_id, u32 regnum, u16 hi) +-{ +- u16 *cached_hi = &priv->mdio_cache.hi; +- struct mii_bus *bus = priv->bus; +- int ret; +- +- if (hi == *cached_hi) +- return 0; +- +- ret = bus->write(bus, phy_id, regnum, hi); +- if (ret < 0) +- dev_err_ratelimited(&bus->dev, +- "failed to write qca8k 32bit hi register\n"); +- +- *cached_hi = hi; +- return 0; +-} +- +-static int + qca8k_mii_read32(struct mii_bus *bus, int phy_id, u32 regnum, u32 *val) + { + int ret; +@@ -97,7 +59,7 @@ qca8k_mii_read32(struct mii_bus *bus, in + } + + static void +-qca8k_mii_write32(struct qca8k_priv *priv, int phy_id, u32 regnum, u32 val) ++qca8k_mii_write32(struct mii_bus *bus, int phy_id, u32 regnum, u32 val) + { + u16 lo, hi; + int ret; +@@ -105,9 +67,12 @@ qca8k_mii_write32(struct qca8k_priv *pri + lo = val & 0xffff; + hi = (u16)(val >> 16); + +- ret = qca8k_set_lo(priv, phy_id, regnum, lo); ++ ret = bus->write(bus, phy_id, regnum, lo); + if (ret >= 0) +- ret = qca8k_set_hi(priv, phy_id, regnum + 1, hi); ++ ret = bus->write(bus, phy_id, regnum + 1, hi); ++ if (ret < 0) ++ dev_err_ratelimited(&bus->dev, ++ "failed to write qca8k 32bit register\n"); + } + + static int +@@ -417,7 +382,7 @@ qca8k_regmap_write(void *ctx, uint32_t r + if (ret < 0) + goto exit; + +- qca8k_mii_write32(priv, 0x10 | r2, r1, val); ++ qca8k_mii_write32(bus, 0x10 | r2, r1, val); + + exit: + mutex_unlock(&bus->mdio_lock); +@@ -450,7 +415,7 @@ qca8k_regmap_update_bits(void *ctx, uint + + val &= ~mask; + val |= write_val; +- qca8k_mii_write32(priv, 0x10 | r2, r1, val); ++ qca8k_mii_write32(bus, 0x10 | r2, r1, val); + + exit: + mutex_unlock(&bus->mdio_lock); +@@ -725,14 +690,14 @@ qca8k_mdio_write(struct qca8k_priv *priv + if (ret) + goto exit; + +- qca8k_mii_write32(priv, 0x10 | r2, r1, val); ++ qca8k_mii_write32(bus, 0x10 | r2, r1, val); + + ret = qca8k_mdio_busy_wait(bus, QCA8K_MDIO_MASTER_CTRL, + QCA8K_MDIO_MASTER_BUSY); + + exit: + /* even if the busy_wait timeouts try to clear the MASTER_EN */ +- qca8k_mii_write32(priv, 0x10 | r2, r1, 0); ++ qca8k_mii_write32(bus, 0x10 | r2, r1, 0); + + mutex_unlock(&bus->mdio_lock); + +@@ -762,7 +727,7 @@ qca8k_mdio_read(struct qca8k_priv *priv, + if (ret) + goto exit; + +- qca8k_mii_write32(priv, 0x10 | r2, r1, val); ++ qca8k_mii_write32(bus, 0x10 | r2, r1, val); + + ret = qca8k_mdio_busy_wait(bus, QCA8K_MDIO_MASTER_CTRL, + QCA8K_MDIO_MASTER_BUSY); +@@ -773,7 +738,7 @@ qca8k_mdio_read(struct qca8k_priv *priv, + + exit: + /* even if the busy_wait timeouts try to clear the MASTER_EN */ +- qca8k_mii_write32(priv, 0x10 | r2, r1, 0); ++ qca8k_mii_write32(bus, 0x10 | r2, r1, 0); + + mutex_unlock(&bus->mdio_lock); + +@@ -1943,8 +1908,6 @@ qca8k_sw_probe(struct mdio_device *mdiod + } + + priv->mdio_cache.page = 0xffff; +- priv->mdio_cache.lo = 0xffff; +- priv->mdio_cache.hi = 0xffff; + + /* Check the detected switch id */ + ret = qca8k_read_switch_id(priv); +--- a/drivers/net/dsa/qca/qca8k.h ++++ b/drivers/net/dsa/qca/qca8k.h +@@ -375,11 +375,6 @@ struct qca8k_mdio_cache { + * mdio writes + */ + u16 page; +-/* lo and hi can also be cached and from Documentation we can skip one +- * extra mdio write if lo or hi is didn't change. +- */ +- u16 lo; +- u16 hi; + }; + + struct qca8k_pcs { diff --git a/queue-6.1/series b/queue-6.1/series index 6caae907b1b..2a86ef961ad 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -131,3 +131,16 @@ kunit-alloc_string_stream_fragment-error-handling-bu.patch nvmet-use-nvme_cmd_effects_csupp-instead-of-open-cod.patch nvme-also-return-i-o-command-effects-from-nvme_comma.patch asoc-sof-intel-pci-tgl-unblock-s5-entry-if-dma-stop-.patch +x86-kexec-fix-double-free-of-elf-header-buffer.patch +x86-bugs-flush-ibp-in-ib_prctl_set.patch +nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch +fbdev-matroxfb-g200ew-increase-max-memory-from-1-mb-to-16-mb.patch +bpf-fix-panic-due-to-wrong-pageattr-of-im-image.patch +revert-drm-amd-display-enable-freesync-video-mode-by-default.patch +revert-net-dsa-qca8k-cache-lo-and-hi-for-mdio-write.patch +net-dsa-qca8k-fix-wrong-length-value-for-mgmt-eth-packet.patch +net-dsa-tag_qca-fix-wrong-mgmt_data2-size.patch +block-don-t-allow-splitting-of-a-req_nowait-bio.patch +io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch +io_uring-pin-context-while-queueing-deferred-tw.patch +io_uring-fix-cq-waiting-timeout-handling.patch diff --git a/queue-6.1/x86-bugs-flush-ibp-in-ib_prctl_set.patch b/queue-6.1/x86-bugs-flush-ibp-in-ib_prctl_set.patch new file mode 100644 index 00000000000..b4b2c83565b --- /dev/null +++ b/queue-6.1/x86-bugs-flush-ibp-in-ib_prctl_set.patch @@ -0,0 +1,31 @@ +From a664ec9158eeddd75121d39c9a0758016097fa96 Mon Sep 17 00:00:00 2001 +From: Rodrigo Branco +Date: Tue, 3 Jan 2023 14:17:51 -0600 +Subject: x86/bugs: Flush IBP in ib_prctl_set() + +From: Rodrigo Branco + +commit a664ec9158eeddd75121d39c9a0758016097fa96 upstream. + +We missed the window between the TIF flag update and the next reschedule. + +Signed-off-by: Rodrigo Branco +Reviewed-by: Borislav Petkov (AMD) +Signed-off-by: Ingo Molnar +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/bugs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1951,6 +1951,8 @@ static int ib_prctl_set(struct task_stru + if (ctrl == PR_SPEC_FORCE_DISABLE) + task_set_spec_ib_force_disable(task); + task_update_spec_tif(task); ++ if (task == current) ++ indirect_branch_prediction_barrier(); + break; + default: + return -ERANGE; diff --git a/queue-6.1/x86-kexec-fix-double-free-of-elf-header-buffer.patch b/queue-6.1/x86-kexec-fix-double-free-of-elf-header-buffer.patch new file mode 100644 index 00000000000..137332f7be5 --- /dev/null +++ b/queue-6.1/x86-kexec-fix-double-free-of-elf-header-buffer.patch @@ -0,0 +1,46 @@ +From d00dd2f2645dca04cf399d8fc692f3f69b6dd996 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Nov 2022 12:51:22 +0100 +Subject: x86/kexec: Fix double-free of elf header buffer + +From: Takashi Iwai + +commit d00dd2f2645dca04cf399d8fc692f3f69b6dd996 upstream. + +After + + b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer"), + +freeing image->elf_headers in the error path of crash_load_segments() +is not needed because kimage_file_post_load_cleanup() will take +care of that later. And not clearing it could result in a double-free. + +Drop the superfluous vfree() call at the error path of +crash_load_segments(). + +Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer") +Signed-off-by: Takashi Iwai +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Baoquan He +Acked-by: Vlastimil Babka +Cc: +Link: https://lore.kernel.org/r/20221122115122.13937-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/crash.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -401,10 +401,8 @@ int crash_load_segments(struct kimage *i + kbuf.buf_align = ELF_CORE_HEADER_ALIGN; + kbuf.mem = KEXEC_BUF_MEM_UNKNOWN; + ret = kexec_add_buffer(&kbuf); +- if (ret) { +- vfree((void *)image->elf_headers); ++ if (ret) + return ret; +- } + image->elf_load_addr = kbuf.mem; + pr_debug("Loaded ELF headers at 0x%lx bufsz=0x%lx memsz=0x%lx\n", + image->elf_load_addr, kbuf.bufsz, kbuf.memsz); -- 2.47.3