From 83612c8a05aec90f448abe3ecaacdc07c446bc12 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 15:31:09 +0200 Subject: [PATCH] 6.14-stable patches added patches: cifs-avoid-null-pointer-dereference-in-dbg-call.patch cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch cifs-fix-integer-overflow-in-match_server.patch cifs-propagate-min-offload-along-with-other-parameters-from-primary-to-secondary-channels.patch clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch clk-renesas-r9a07g043-fix-hp-clock-source-for-rz-five.patch crypto-ccp-fix-check-for-the-primary-asp-device.patch crypto-ccp-fix-uapi-definitions-of-psp-errors.patch dlm-fix-error-if-active-rsb-is-not-hashed.patch dlm-fix-error-if-inactive-rsb-is-not-hashed.patch dm-ebs-fix-prefetch-vs-suspend-race.patch dm-integrity-fix-non-constant-time-tag-verification.patch dm-integrity-set-ti-error-on-memory-allocation-failure.patch dm-verity-fix-prefetch-vs-suspend-race.patch dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch firmware-cs_dsp-test_control_parse-null-terminate-test-strings.patch ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch ftrace-properly-merge-notrace-hashes.patch fuse-io-uring-fix-a-possible-req-cancellation-race.patch gpio-mpc8xxx-fix-wakeup-source-leaks-on-device-unbind.patch gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch kvm-allow-building-irqbypass.ko-as-as-module-when-kvm.ko-is-a-module.patch kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch 
kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch tracing-do-not-add-length-to-print-format-in-synthetic-events.patch tracing-fprobe-events-fix-possible-uaf-on-modules.patch tracing-fprobe-fix-to-lock-module-while-registering-fprobe.patch uprobes-avoid-false-positive-lockdep-splat-on-config_preempt_rt-y-in-the-ri_timer-uprobe-timer-callback-use-raw_write_seqcount_.patch x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch --- ...null-pointer-dereference-in-dbg-call.patch | 42 ++++ ...e-points-are-processed-by-the-server.patch | 85 +++++++ ...fix-integer-overflow-in-match_server.patch | 41 ++++ ...s-from-primary-to-secondary-channels.patch | 63 +++++ ...-status-bit-check-for-votable-clocks.patch | 49 ++++ ...e-pm_genpd_add_subdomain-result-code.patch | 92 +++++++ ...e-pm-subdomains-in-reverse-add-order.patch | 36 +++ ...t-retain_ff-before-moving-to-hw-ctrl.patch | 79 ++++++ ...g043-fix-hp-clock-source-for-rz-five.patch | 54 +++++ ...fix-check-for-the-primary-asp-device.patch | 54 +++++ ...p-fix-uapi-definitions-of-psp-errors.patch | 56 +++++ ...ix-error-if-active-rsb-is-not-hashed.patch | 34 +++ ...-error-if-inactive-rsb-is-not-hashed.patch | 34 +++ .../dm-ebs-fix-prefetch-vs-suspend-race.patch | 43 ++++ ...x-non-constant-time-tag-verification.patch | 164 +++++++++++++ ...i-error-on-memory-allocation-failure.patch | 41 ++++ ...-verity-fix-prefetch-vs-suspend-race.patch | 45 ++++ ...qcom-coresight-tpda-fix-too-many-reg.patch | 36 +++ ...qcom-coresight-tpdm-fix-too-many-reg.patch | 36 +++ ...ol_parse-null-terminate-test-strings.patch | 146 ++++++++++++ ...ond_resched-to-ftrace_graph_set_hash.patch | 39 +++ ...ftrace-properly-merge-notrace-hashes.patch | 46 ++++ ...fix-a-possible-req-cancellation-race.patch | 225 ++++++++++++++++++ ...wakeup-source-leaks-on-device-unbind.patch | 34 +++ 
...resource-handling-in-acpi-probe-path.patch | 69 ++++++ ...wakeup-source-leaks-on-device-unbind.patch | 31 +++ ...en-reporting-tx-consumed-descriptors.patch | 40 ++++ ...as-as-module-when-kvm.ko-is-a-module.patch | 97 ++++++++ ...spapr_tce_vfio-on-pseries-kvm-guests.patch | 53 +++++ ...ate-to-protect-guest-memory-accesses.patch | 82 +++++++ ...ero-initialize-on-stack-cpuid-unions.patch | 55 +++++ ...rence-leaked-through-of_qcom_ice_get.patch | 37 +++ queue-6.14/series | 38 +++ ...hip-add-missing-rk3328-mapping-entry.patch | 61 +++++ ...-to-print-format-in-synthetic-events.patch | 56 +++++ ...e-events-fix-possible-uaf-on-modules.patch | 86 +++++++ ...lock-module-while-registering-fprobe.patch | 142 +++++++++++ ...mer-callback-use-raw_write_seqcount_.patch | 73 ++++++ ...n-target-initialization-for-pvh-dom0.patch | 162 +++++++++++++ 39 files changed, 2656 insertions(+) create mode 100644 queue-6.14/cifs-avoid-null-pointer-dereference-in-dbg-call.patch create mode 100644 queue-6.14/cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch create mode 100644 queue-6.14/cifs-fix-integer-overflow-in-match_server.patch create mode 100644 queue-6.14/cifs-propagate-min-offload-along-with-other-parameters-from-primary-to-secondary-channels.patch create mode 100644 queue-6.14/clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch create mode 100644 queue-6.14/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch create mode 100644 queue-6.14/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch create mode 100644 queue-6.14/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch create mode 100644 queue-6.14/clk-renesas-r9a07g043-fix-hp-clock-source-for-rz-five.patch create mode 100644 queue-6.14/crypto-ccp-fix-check-for-the-primary-asp-device.patch create mode 100644 queue-6.14/crypto-ccp-fix-uapi-definitions-of-psp-errors.patch create mode 100644 
queue-6.14/dlm-fix-error-if-active-rsb-is-not-hashed.patch create mode 100644 queue-6.14/dlm-fix-error-if-inactive-rsb-is-not-hashed.patch create mode 100644 queue-6.14/dm-ebs-fix-prefetch-vs-suspend-race.patch create mode 100644 queue-6.14/dm-integrity-fix-non-constant-time-tag-verification.patch create mode 100644 queue-6.14/dm-integrity-set-ti-error-on-memory-allocation-failure.patch create mode 100644 queue-6.14/dm-verity-fix-prefetch-vs-suspend-race.patch create mode 100644 queue-6.14/dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch create mode 100644 queue-6.14/dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch create mode 100644 queue-6.14/firmware-cs_dsp-test_control_parse-null-terminate-test-strings.patch create mode 100644 queue-6.14/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch create mode 100644 queue-6.14/ftrace-properly-merge-notrace-hashes.patch create mode 100644 queue-6.14/fuse-io-uring-fix-a-possible-req-cancellation-race.patch create mode 100644 queue-6.14/gpio-mpc8xxx-fix-wakeup-source-leaks-on-device-unbind.patch create mode 100644 queue-6.14/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch create mode 100644 queue-6.14/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch create mode 100644 queue-6.14/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch create mode 100644 queue-6.14/kvm-allow-building-irqbypass.ko-as-as-module-when-kvm.ko-is-a-module.patch create mode 100644 queue-6.14/kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch create mode 100644 queue-6.14/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch create mode 100644 queue-6.14/kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch create mode 100644 queue-6.14/scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch create mode 100644 queue-6.14/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch create mode 100644 
queue-6.14/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch create mode 100644 queue-6.14/tracing-fprobe-events-fix-possible-uaf-on-modules.patch create mode 100644 queue-6.14/tracing-fprobe-fix-to-lock-module-while-registering-fprobe.patch create mode 100644 queue-6.14/uprobes-avoid-false-positive-lockdep-splat-on-config_preempt_rt-y-in-the-ri_timer-uprobe-timer-callback-use-raw_write_seqcount_.patch create mode 100644 queue-6.14/x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch
diff --git a/queue-6.14/cifs-avoid-null-pointer-dereference-in-dbg-call.patch b/queue-6.14/cifs-avoid-null-pointer-dereference-in-dbg-call.patch
new file mode 100644
index 0000000000..92f6132dc6
--- /dev/null
+++ b/queue-6.14/cifs-avoid-null-pointer-dereference-in-dbg-call.patch
@@ -0,0 +1,42 @@
+From b4885bd5935bb26f0a414ad55679a372e53f9b9b Mon Sep 17 00:00:00 2001
+From: Alexandra Diupina
+Date: Wed, 19 Mar 2025 17:28:58 +0300
+Subject: cifs: avoid NULL pointer dereference in dbg call
+
+From: Alexandra Diupina
+
+commit b4885bd5935bb26f0a414ad55679a372e53f9b9b upstream.
+
+cifs_server_dbg() implies server to be non-NULL so
+move call under condition to avoid NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Diupina
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2misc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_
+ WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
+ spin_unlock(&cifs_tcp_ses_lock);
+
+- if (tcon->ses)
++ if (tcon->ses) {
+ server = tcon->ses->server;
+-
+- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+- tcon->tid, persistent_fid, volatile_fid);
++ cifs_server_dbg(FYI,
++ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
++ tcon->tid, persistent_fid, volatile_fid);
++ }
+
+ return 0;
+ }
diff --git a/queue-6.14/cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch b/queue-6.14/cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch
new file mode 100644
index 0000000000..0cd7f9f5bf
--- /dev/null
+++ b/queue-6.14/cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch
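Review bot: With the call moved inside `if (tcon->ses)`, the "tcon is closing" trace in smb2_handle_cancelled_close() is no longer emitted at all when `tcon->ses` is NULL, which is exactly the state someone chasing a teardown race would want recorded. An `else` branch using a logger that does not dereference `server`, e.g. `cifs_dbg(FYI, "tid=0x%x: tcon is closing (no session), skipping async close retry\n", tcon->tid);`, would keep the event visible. The block also reads `tcon->ses` after `spin_unlock(&cifs_tcp_ses_lock)`; whether the reference held at this point keeps `ses` stable cannot be seen from the hunk and deserves a one-line comment. The function body starts outside the hunk.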
@@ -0,0 +1,85 @@
+From 6f8a394aa952257575910d57cf0a63627fa949a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?=
+Date: Sat, 5 Apr 2025 19:51:07 +0200
+Subject: cifs: Ensure that all non-client-specific reparse points are processed by the server
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár
+
+commit 6f8a394aa952257575910d57cf0a63627fa949a2 upstream.
+
+Fix regression in mounts to e.g. onedrive shares.
+
+Generally, reparse points are processed by the SMB server during the
+SMB OPEN request, but there are few reparse points which do not have
+OPEN-like meaning for the SMB server and has to be processed by the SMB
+client. Those are symlinks and special files (fifo, socket, block, char).
+
+For Linux SMB client, it is required to process also name surrogate reparse
+points as they represent another entity on the SMB server system. Linux
+client will mark them as separate mount points. Examples of name surrogate
+reparse points are NTFS junction points (e.g. created by the "mklink" tool
+on Windows servers).
+
+So after processing the name surrogate reparse points, clear the
+-EOPNOTSUPP error code returned from the parse_reparse_point() to let SMB
+server to process reparse points.
+
+And remove printing misleading error message "unhandled reparse tag:" as
+reparse points are handled by SMB server and hence unhandled fact is normal
+operation.
+
+Fixes: cad3fc0a4c8c ("cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point()")
+Fixes: b587fd128660 ("cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes")
+Cc: stable@vger.kernel.org
+Reported-by: Junwen Sun
+Tested-by: Junwen Sun
+Signed-off-by: Pali Rohár
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/inode.c | 10 ++++++++++
+ fs/smb/client/reparse.c | 4 ----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -1228,6 +1228,16 @@ static int reparse_info_to_fattr(struct
+ cifs_create_junction_fattr(fattr, sb);
+ goto out;
+ }
++ /*
++ * If the reparse point is unsupported by the Linux SMB
++ * client then let it process by the SMB server. So mask
++ * the -EOPNOTSUPP error code. This will allow Linux SMB
++ * client to send SMB OPEN request to server. If server
++ * does not support this reparse point too then server
++ * will return error during open the path.
++ */
++ if (rc == -EOPNOTSUPP)
++ rc = 0;
+ }
+
+ if (data->reparse.tag == IO_REPARSE_TAG_SYMLINK && !rc) {
+--- a/fs/smb/client/reparse.c
++++ b/fs/smb/client/reparse.c
+@@ -1069,8 +1069,6 @@ int parse_reparse_point(struct reparse_d
+ const char *full_path,
+ struct cifs_open_info_data *data)
+ {
+- struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+-
+ data->reparse.buf = buf;
+
+ /* See MS-FSCC 2.1.2 */
+@@ -1097,8 +1095,6 @@ int parse_reparse_point(struct reparse_d
+ }
+ return 0;
+ default:
+- cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",
+- le32_to_cpu(buf->ReparseTag));
+ return -EOPNOTSUPP;
+ }
+ }
diff --git a/queue-6.14/cifs-fix-integer-overflow-in-match_server.patch b/queue-6.14/cifs-fix-integer-overflow-in-match_server.patch
new file mode 100644
index 0000000000..e5090b6676
--- /dev/null
+++ b/queue-6.14/cifs-fix-integer-overflow-in-match_server.patch
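Review bot: The new `if (rc == -EOPNOTSUPP) rc = 0;` in reparse_info_to_fattr() clears that error whatever produced it, not only the `default:` case of parse_reparse_point() that the comment describes. If any per-tag parser reached from parse_reparse_point() can also return -EOPNOTSUPP for a tag the client does claim to handle (not visible here), an unsupported or malformed buffer of that kind would now be treated as success. Because the reparse.c hunk removes the `unhandled reparse tag` message entirely, nothing records which tag was passed through; a low-level trace at the masking site such as `cifs_dbg(FYI, "reparse tag 0x%08x left to server\n", data->reparse.tag);` would keep that traceable without the VFS-level noise. Both functions extend beyond the hunks.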
@@ -0,0 +1,41 @@
+From 2510859475d7f46ed7940db0853f3342bf1b65ee Mon Sep 17 00:00:00 2001
+From: Roman Smirnov
+Date: Mon, 31 Mar 2025 11:22:49 +0300
+Subject: cifs: fix integer overflow in match_server()
+
+From: Roman Smirnov
+
+commit 2510859475d7f46ed7940db0853f3342bf1b65ee upstream.
+
+The echo_interval is not limited in any way during mounting,
+which makes it possible to write a large number to it. This can
+cause an overflow when multiplying ctx->echo_interval by HZ in
+match_server().
+
+Add constraints for echo_interval to smb3_fs_context_parse_param().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/fs_context.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1377,6 +1377,11 @@ static int smb3_fs_context_parse_param(s
+ ctx->closetimeo = HZ * result.uint_32;
+ break;
+ case Opt_echo_interval:
++ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
++ result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
++ cifs_errorf(fc, "echo interval is out of bounds\n");
++ goto cifs_parse_mount_err;
++ }
+ ctx->echo_interval = result.uint_32;
+ break;
+ case Opt_snapshot:
diff --git a/queue-6.14/cifs-propagate-min-offload-along-with-other-parameters-from-primary-to-secondary-channels.patch b/queue-6.14/cifs-propagate-min-offload-along-with-other-parameters-from-primary-to-secondary-channels.patch
new file mode 100644
index 0000000000..f95b943e3f
--- /dev/null
+++ b/queue-6.14/cifs-propagate-min-offload-along-with-other-parameters-from-primary-to-secondary-channels.patch
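Review bot: The range check added to the `Opt_echo_interval` case turns an out-of-range value into a mount failure, but `echo interval is out of bounds` names neither the rejected value nor the accepted range. Reporting at least the value, `cifs_errorf(fc, "echo interval %u is out of bounds\n", result.uint_32);`, and stating the SMB_ECHO_INTERVAL_MIN to SMB_ECHO_INTERVAL_MAX range in the text lets an administrator correct an existing mount entry without reading the source. The context line `ctx->closetimeo = HZ * result.uint_32;` just above has the same multiplication shape; its bound check, if there is one, lies outside the hunk and is worth confirming while here. smb3_fs_context_parse_param() continues beyond the hunk.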
@@ -0,0 +1,63 @@
+From 1821e90be08e7d4a54cd167dd818d80d06e064e9 Mon Sep 17 00:00:00 2001
+From: Aman
+Date: Thu, 6 Mar 2025 17:46:43 +0000
+Subject: CIFS: Propagate min offload along with other parameters from primary to secondary channels.
+
+From: Aman
+
+commit 1821e90be08e7d4a54cd167dd818d80d06e064e9 upstream.
+
+In a multichannel setup, it was observed that a few fields were not being
+copied over to the secondary channels, which impacted performance in cases
+where these options were relevant but not properly synchronized. To address
+this, this patch introduces copying the following parameters from the
+primary channel to the secondary channels:
+
+- min_offload
+- compression.requested
+- dfs_conn
+- ignore_signature
+- leaf_fullpath
+- noblockcnt
+- retrans
+- sign
+
+By copying these parameters, we ensure consistency across channels and
+prevent performance degradation due to missing or outdated settings.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aman
+Reviewed-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/connect.c | 1 +
+ fs/smb/client/sess.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -1677,6 +1677,7 @@ cifs_get_tcp_session(struct smb3_fs_cont
+ /* Grab netns reference for this server.
*/
+ cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
+
++ tcp_ses->sign = ctx->sign;
+ tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId);
+ tcp_ses->noblockcnt = ctx->rootfs;
+ tcp_ses->noblocksnd = ctx->noblocksnd || ctx->rootfs;
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -522,6 +522,13 @@ cifs_ses_add_channel(struct cifs_ses *se
+ ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
+ ctx->echo_interval = ses->server->echo_interval / HZ;
+ ctx->max_credits = ses->server->max_credits;
++ ctx->min_offload = ses->server->min_offload;
++ ctx->compress = ses->server->compression.requested;
++ ctx->dfs_conn = ses->server->dfs_conn;
++ ctx->ignore_signature = ses->server->ignore_signature;
++ ctx->leaf_fullpath = ses->server->leaf_fullpath;
++ ctx->rootfs = ses->server->noblockcnt;
++ ctx->retrans = ses->server->retrans;
+
+ /*
+ * This will be used for encoding/decoding user/domain/pw
diff --git a/queue-6.14/clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch b/queue-6.14/clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch
new file mode 100644
index 0000000000..cce1bc8df8
--- /dev/null
+++ b/queue-6.14/clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch
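Review bot: In the sess.c hunk, `ctx->leaf_fullpath = ses->server->leaf_fullpath;` copies a pointer, so the temporary context and the primary server now refer to the same string. That is safe only if the context's teardown does not free `ctx->leaf_fullpath` and if the consumer duplicates it before the primary server can go away; neither is visible in the hunk. A comment such as `/* borrowed from the primary server, not owned by ctx */`, or an explicit duplication, would make the ownership clear. The commit text lists `sign` among the copied fields, yet the sess.c hunk has no `ctx->sign` assignment; presumably it is set earlier in cifs_ses_add_channel(), which starts outside the hunk, and that should be confirmed because the connect.c hunk now takes `tcp_ses->sign` from `ctx->sign`.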
@@ -0,0 +1,49 @@
+From 5eac348182d2b5ed1066459abedb7bc6b5466f81 Mon Sep 17 00:00:00 2001
+From: Ajit Pandey
+Date: Tue, 28 Jan 2025 17:08:35 +0530
+Subject: clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks
+
+From: Ajit Pandey
+
+commit 5eac348182d2b5ed1066459abedb7bc6b5466f81 upstream.
+
+BRANCH_HALT_ENABLE and BRANCH_HALT_ENABLE_VOTED flags are used to check
+halt status of branch clocks, which have an inverted logic for the halt
+bit in CBCR register. However, the current logic in the _check_halt()
+method only compares the BRANCH_HALT_ENABLE flags, ignoring the votable
+branch clocks.
+
+Update the logic to correctly handle the invert logic for votable clocks
+using the BRANCH_HALT_ENABLE_VOTED flags.
+
+Fixes: 9092d1083a62 ("clk: qcom: branch: Extend the invert logic for branch2 clocks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ajit Pandey
+Reviewed-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20250128-push_fix-v1-1-fafec6747881@quicinc.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/qcom/clk-branch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/qcom/clk-branch.c
++++ b/drivers/clk/qcom/clk-branch.c
+@@ -28,7 +28,7 @@ static bool clk_branch_in_hwcg_mode(cons
+
+ static bool clk_branch_check_halt(const struct clk_branch *br, bool enabling)
+ {
+- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
+ u32 val;
+
+ regmap_read(br->clkr.regmap, br->halt_reg, &val);
+@@ -44,7 +44,7 @@ static bool clk_branch2_check_halt(const
+ {
+ u32 val;
+ u32 mask;
+- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
+
+ mask = CBCR_NOC_FSM_STATUS;
+ mask |= CBCR_CLK_OFF;
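Review bot: Testing `br->halt_check & BRANCH_HALT_ENABLE` in clk_branch_check_halt() and clk_branch2_check_halt() matches "ENABLE or ENABLE_VOTED" only if no other halt_check value has that bit set, and the flag definitions are not part of the hunk. If the halt_check values are small enumerators combined with a voted bit rather than independent bit flags, another mode could also test true here. Naming the two cases, `bool invert = br->halt_check == BRANCH_HALT_ENABLE || br->halt_check == BRANCH_HALT_ENABLE_VOTED;`, states the intent without depending on the encoding. Both function bodies continue past the hunks.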
diff --git a/queue-6.14/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch b/queue-6.14/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch
new file mode 100644
index 0000000000..bfbf143ec7
--- /dev/null
+++ b/queue-6.14/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch
@@ -0,0 +1,92 @@
+From 65a733464553ea192797b889d1533a1a37216f32 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue
+Date: Fri, 17 Jan 2025 13:54:08 +0000
+Subject: clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
+
+From: Bryan O'Donoghue
+
+commit 65a733464553ea192797b889d1533a1a37216f32 upstream.
+
+Adding a new clause to this if/else I noticed the existing usage of
+pm_genpd_add_subdomain() wasn't capturing and returning the result code.
+
+pm_genpd_add_subdomain() returns an int and can fail. Capture that result
+code and throw it up the call stack if something goes wrong.
+
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue
+Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-2-13f2bb656dad@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/qcom/gdsc.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -506,6 +506,23 @@ err_disable_supply:
+ return ret;
+ }
+
++static void gdsc_pm_subdomain_remove(struct gdsc_desc *desc, size_t num)
++{
++ struct device *dev = desc->dev;
++ struct gdsc **scs = desc->scs;
++ int i;
++
++ /* Remove subdomains */
++ for (i = num - 1; i >= 0; i--) {
++ if (!scs[i])
++ continue;
++ if (scs[i]->parent)
++ pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
++ else if (!IS_ERR_OR_NULL(dev->pm_domain))
++ pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ }
++}
++
+ int gdsc_register(struct gdsc_desc *desc,
+ struct reset_controller_dev *rcdev, struct regmap *regmap)
+ {
+@@ -555,30 +572,27 @@ int gdsc_register(struct gdsc_desc *desc
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
+- pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
++ ret = pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
+ else if
(!IS_ERR_OR_NULL(dev->pm_domain))
+- pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ ret = pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ if (ret)
++ goto err_pm_subdomain_remove;
+ }
+
+ return of_genpd_add_provider_onecell(dev->of_node, data);
++
++err_pm_subdomain_remove:
++ gdsc_pm_subdomain_remove(desc, i);
++
++ return ret;
+ }
+
+ void gdsc_unregister(struct gdsc_desc *desc)
+ {
+- int i;
+ struct device *dev = desc->dev;
+- struct gdsc **scs = desc->scs;
+ size_t num = desc->num;
+
+- /* Remove subdomains */
+- for (i = num - 1; i >= 0; i--) {
+- if (!scs[i])
+- continue;
+- if (scs[i]->parent)
+- pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
+- else if (!IS_ERR_OR_NULL(dev->pm_domain))
+- pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+- }
++ gdsc_pm_subdomain_remove(desc, num);
+ of_genpd_del_provider(dev->of_node);
+ }
+
diff --git a/queue-6.14/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch b/queue-6.14/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch
new file mode 100644
index 0000000000..343c6b025a
--- /dev/null
+++ b/queue-6.14/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch
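Review bot: In gdsc_register() the new `if (ret) goto err_pm_subdomain_remove;` runs on every loop iteration, including those where neither the `scs[i]->parent` branch nor the `dev->pm_domain` branch assigned `ret`. On such an iteration it tests whatever the earlier part of the function left in `ret`, which is outside the hunk; that is presumably 0, but the check would be easier to trust with `ret = 0;` at the top of the loop body or with the test placed inside each branch. The error path then undoes only the subdomain links for indices below `i`; anything else the earlier loop set up per GDSC is not unwound here, so it is worth confirming that callers treat a failed gdsc_register() accordingly.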
@@ -0,0 +1,36 @@
+From 0e6dfde439df0bb977cddd3cf7fff150a084a9bf Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue
+Date: Fri, 17 Jan 2025 13:54:07 +0000
+Subject: clk: qcom: gdsc: Release pm subdomains in reverse add order
+
+From: Bryan O'Donoghue
+
+commit 0e6dfde439df0bb977cddd3cf7fff150a084a9bf upstream.
+
+gdsc_unregister() should release subdomains in the reverse order to the
+order in which those subdomains were added.
+
+I've made this patch a standalone patch because it facilitates a subsequent
+fix to stable.
+
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue
+Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-1-13f2bb656dad@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/qcom/gdsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -571,7 +571,7 @@ void gdsc_unregister(struct gdsc_desc *d
+ size_t num = desc->num;
+
+ /* Remove subdomains */
+- for (i = 0; i < num; i++) {
++ for (i = num - 1; i >= 0; i--) {
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
diff --git a/queue-6.14/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch b/queue-6.14/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
new file mode 100644
index 0000000000..cfdef5a293
--- /dev/null
+++ b/queue-6.14/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
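Review bot: The reversed loop `for (i = num - 1; i >= 0; i--)` in gdsc_unregister() terminates only because `i` is signed; `num` is a `size_t`, so `num - 1` is computed unsigned and then narrowed on assignment. The declaration of `i` is outside this hunk, and a later cleanup that changes it to `size_t` or `unsigned int` would make the condition always true and index `scs[]` out of bounds. A form that does not depend on signedness, `for (i = num; i-- > 0; )`, avoids that. The same loop is carried into gdsc_pm_subdomain_remove() by the clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code patch in this series.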
@@ -0,0 +1,79 @@
+From 25708f73ff171bb4171950c9f4be5aa8504b8459 Mon Sep 17 00:00:00 2001
+From: Taniya Das
+Date: Fri, 14 Feb 2025 09:56:59 +0530
+Subject: clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
+
+From: Taniya Das
+
+commit 25708f73ff171bb4171950c9f4be5aa8504b8459 upstream.
+
+Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON.
+Once the GDSCR moves to HW control, SW no longer can determine the state
+of the GDSCR and setting the retain_ff bit could destroy all the register
+contents we intended to save.
+Therefore, move the retain_ff configuration before switching the GDSC to
+HW trigger mode.
+
+Cc: stable@vger.kernel.org
+Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR")
+Signed-off-by: Taniya Das
+Reviewed-by: Imran Shaik
+Tested-by: Imran Shaik # on QCS8300
+Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/qcom/gdsc.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -292,6 +292,9 @@ static int gdsc_enable(struct generic_pm
+ */
+ udelay(1);
+
++ if (sc->flags & RETAIN_FF_ENABLE)
++ gdsc_retain_ff_on(sc);
++
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
+@@ -308,9 +311,6 @@ static int gdsc_enable(struct generic_pm
+ udelay(1);
+ }
+
+- if (sc->flags & RETAIN_FF_ENABLE)
+- gdsc_retain_ff_on(sc);
+-
+ return 0;
+ }
+
+@@ -457,13 +457,6 @@ static int gdsc_init(struct gdsc *sc)
+ goto err_disable_supply;
+ }
+
+- /* Turn on HW trigger mode if supported */
+- if (sc->flags & HW_CTRL) {
+- ret = gdsc_hwctrl(sc, true);
+- if (ret < 0)
+- goto err_disable_supply;
+- }
+-
+ /*
+ * Make sure the retain bit is set if the GDSC is already on,
+ * otherwise we end up turning off the GDSC and destroying all
+@@ -471,6 +464,14 @@ static
int gdsc_init(struct gdsc *sc)
+ */
+ if (sc->flags & RETAIN_FF_ENABLE)
+ gdsc_retain_ff_on(sc);
++
++ /* Turn on HW trigger mode if supported */
++ if (sc->flags & HW_CTRL) {
++ ret = gdsc_hwctrl(sc, true);
++ if (ret < 0)
++ goto err_disable_supply;
++ }
++
+ } else if (sc->flags & ALWAYS_ON) {
+ /* If ALWAYS_ON GDSCs are not ON, turn them ON */
+ gdsc_enable(&sc->pd);
diff --git a/queue-6.14/clk-renesas-r9a07g043-fix-hp-clock-source-for-rz-five.patch b/queue-6.14/clk-renesas-r9a07g043-fix-hp-clock-source-for-rz-five.patch
new file mode 100644
index 0000000000..cb3f8e474f
--- /dev/null
+++ b/queue-6.14/clk-renesas-r9a07g043-fix-hp-clock-source-for-rz-five.patch
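Review bot: gdsc_enable() now carries an ordering requirement that nothing in the function states: `gdsc_retain_ff_on(sc)` has to run before `gdsc_hwctrl(sc, true)`. gdsc_init() keeps its comment about the retain bit, but the first hunk adds the call in gdsc_enable() bare, so a later reorder could reintroduce the loss of retained register contents that the commit message describes. A comment above the added lines, e.g. `/* Set RETAIN_FF before HW trigger mode: once under HW control, SW cannot tell whether the GDSC is on */`, would pin it. In the gdsc_init() hunk the added block also ends with an empty line directly before `} else if`, which can be dropped.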
@@ -0,0 +1,54 @@
+From 7f22a298d926664b51fcfe2f8ea5feb7f8b79952 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar
+Date: Mon, 27 Jan 2025 17:31:59 +0000
+Subject: clk: renesas: r9a07g043: Fix HP clock source for RZ/Five
+
+From: Lad Prabhakar
+
+commit 7f22a298d926664b51fcfe2f8ea5feb7f8b79952 upstream.
+
+According to the Rev.1.20 hardware manual for the RZ/Five SoC, the clock
+source for HP is derived from PLL6 divided by 2. Correct the
+implementation by configuring HP as a fixed clock source instead of a
+MUX.
+
+The `CPG_PL6_ETH_SSEL' register, which is available on the RZ/G2UL SoC,
+is not present on the RZ/Five SoC, necessitating this change.
+
+Fixes: 95d48d270305ad2c ("clk: renesas: r9a07g043: Add support for RZ/Five SoC")
+Cc: stable@vger.kernel.org
+Reported-by: Hien Huynh
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/20250127173159.34572-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/renesas/r9a07g043-cpg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/clk/renesas/r9a07g043-cpg.c
++++ b/drivers/clk/renesas/r9a07g043-cpg.c
+@@ -89,7 +89,9 @@ static const struct clk_div_table dtable
+
+ /* Mux clock tables */
+ static const char * const sel_pll3_3[] = { ".pll3_533", ".pll3_400" };
++#ifdef CONFIG_ARM64
+ static const char * const sel_pll6_2[] = { ".pll6_250", ".pll5_250" };
++#endif
+ static const char * const sel_sdhi[] = { ".clk_533", ".clk_400", ".clk_266" };
+
+ static const u32 mtable_sdhi[] = { 1, 2, 3 };
+@@ -137,7 +139,12 @@ static const struct cpg_core_clk r9a07g0
+ DEF_DIV("P2", R9A07G043_CLK_P2, CLK_PLL3_DIV2_4_2, DIVPL3A, dtable_1_32),
+ DEF_FIXED("M0", R9A07G043_CLK_M0, CLK_PLL3_DIV2_4, 1, 1),
+ DEF_FIXED("ZT", R9A07G043_CLK_ZT, CLK_PLL3_DIV2_4_2, 1, 1),
++#ifdef CONFIG_ARM64
+ DEF_MUX("HP", R9A07G043_CLK_HP, SEL_PLL6_2, sel_pll6_2),
++#endif
++#ifdef CONFIG_RISCV
++ DEF_FIXED("HP", R9A07G043_CLK_HP,
CLK_PLL6_250, 1, 1),
++#endif
+ DEF_FIXED("SPI0", R9A07G043_CLK_SPI0, CLK_DIV_PLL3_C, 1, 2),
+ DEF_FIXED("SPI1", R9A07G043_CLK_SPI1, CLK_DIV_PLL3_C, 1, 4),
+ DEF_SD_MUX("SD0", R9A07G043_CLK_SD0, SEL_SDHI0, SEL_SDHI0_STS, sel_sdhi,
diff --git a/queue-6.14/crypto-ccp-fix-check-for-the-primary-asp-device.patch b/queue-6.14/crypto-ccp-fix-check-for-the-primary-asp-device.patch
new file mode 100644
index 0000000000..85b72a1804
--- /dev/null
+++ b/queue-6.14/crypto-ccp-fix-check-for-the-primary-asp-device.patch
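Review bot: The HP entry is now defined only under `#ifdef CONFIG_ARM64` or `#ifdef CONFIG_RISCV`, so a build of r9a07g043-cpg.c with neither symbol set would produce a clock table with no `R9A07G043_CLK_HP` entry, and nothing would flag it. Whether Kconfig permits such a build (a compile-test configuration, for instance) is not visible in the hunk. Pairing the two variants as `#ifdef CONFIG_ARM64` / `#else` / `#endif`, or stating in a comment next to them that the driver is built for these two architectures only, makes the cases exhaustive. The table continues beyond the hunk.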
@@ -0,0 +1,54 @@ +From 07bb097b92b987db518e72525b515d77904e966e Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Fri, 17 Jan 2025 17:05:47 -0600 +Subject: crypto: ccp - Fix check for the primary ASP device + +From: Tom Lendacky + +commit 07bb097b92b987db518e72525b515d77904e966e upstream. + +Currently, the ASP primary device check does not have support for PCI +domains, and, as a result, when the system is configured with PCI domains +(PCI segments) the wrong device can be selected as primary. This results +in commands submitted to the device timing out and failing. The device +check also relies on specific device and function assignments that may +not hold in the future. + +Fix the primary ASP device check to include support for PCI domains and +to perform proper checking of the Bus/Device/Function positions. + +Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support") +Cc: stable@vger.kernel.org +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sp-pci.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -189,14 +189,17 @@ static bool sp_pci_is_master(struct sp_d + pdev_new = to_pci_dev(dev_new); + pdev_cur = to_pci_dev(dev_cur); + +- if (pdev_new->bus->number < pdev_cur->bus->number) +- return true; ++ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus)) ++ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus); + +- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn)) +- return true; ++ if (pdev_new->bus->number != pdev_cur->bus->number) ++ return pdev_new->bus->number < pdev_cur->bus->number; + +- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn)) +- return true; ++ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn)) ++ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn); ++ ++ if (PCI_FUNC(pdev_new->devfn) != 
PCI_FUNC(pdev_cur->devfn)) ++ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn); + + return false; + } diff --git a/queue-6.14/crypto-ccp-fix-uapi-definitions-of-psp-errors.patch b/queue-6.14/crypto-ccp-fix-uapi-definitions-of-psp-errors.patch new file mode 100644 index 0000000000..a541ca0fa9 --- /dev/null +++ b/queue-6.14/crypto-ccp-fix-uapi-definitions-of-psp-errors.patch 
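Review bot: The new comparison chain in sp_pci_is_master() has no comment saying that it is a lexicographic ordering on (domain, bus, slot, function), which is the property the fix depends on. The removed checks returned true as soon as any one field was lower, even when a higher-order field was greater, so a one-line comment above the first `if` would keep a later edit from reintroducing that: `/* Lowest (domain, bus, slot, function) is primary; compare fields in that order. */`. `pci_domain_nr()` can also be evaluated up to four times for the same two buses; two locals would read more easily. The function starts outside the hunk, so how dev_new and dev_cur are obtained is not visible here.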
@@ -0,0 +1,56 @@
+From b949f55644a6d1645c0a71f78afabf12aec7c33b Mon Sep 17 00:00:00 2001
+From: Dionna Glaze
+Date: Sat, 8 Mar 2025 12:10:28 +1100
+Subject: crypto: ccp - Fix uAPI definitions of PSP errors
+
+From: Dionna Glaze
+
+commit b949f55644a6d1645c0a71f78afabf12aec7c33b upstream.
+
+Additions to the error enum after explicit 0x27 setting for
+SEV_RET_INVALID_KEY leads to incorrect value assignments.
+
+Use explicit values to match the manufacturer specifications more
+clearly.
+
+Fixes: 3a45dc2b419e ("crypto: ccp: Define the SEV-SNP commands")
+CC: stable@vger.kernel.org
+Signed-off-by: Dionna Glaze
+Reviewed-by: Tom Lendacky
+Signed-off-by: Alexey Kardashevskiy
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/uapi/linux/psp-sev.h | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/include/uapi/linux/psp-sev.h
++++ b/include/uapi/linux/psp-sev.h
+@@ -73,13 +73,20 @@ typedef enum {
+ SEV_RET_INVALID_PARAM,
+ SEV_RET_RESOURCE_LIMIT,
+ SEV_RET_SECURE_DATA_INVALID,
+- SEV_RET_INVALID_KEY = 0x27,
+- SEV_RET_INVALID_PAGE_SIZE,
+- SEV_RET_INVALID_PAGE_STATE,
+- SEV_RET_INVALID_MDATA_ENTRY,
+- SEV_RET_INVALID_PAGE_OWNER,
+- SEV_RET_INVALID_PAGE_AEAD_OFLOW,
+- SEV_RET_RMP_INIT_REQUIRED,
++ SEV_RET_INVALID_PAGE_SIZE = 0x0019,
++ SEV_RET_INVALID_PAGE_STATE = 0x001A,
++ SEV_RET_INVALID_MDATA_ENTRY = 0x001B,
++ SEV_RET_INVALID_PAGE_OWNER = 0x001C,
++ SEV_RET_AEAD_OFLOW = 0x001D,
++ SEV_RET_EXIT_RING_BUFFER = 0x001F,
++ SEV_RET_RMP_INIT_REQUIRED = 0x0020,
++ SEV_RET_BAD_SVN = 0x0021,
++ SEV_RET_BAD_VERSION = 0x0022,
++ SEV_RET_SHUTDOWN_REQUIRED = 0x0023,
++ SEV_RET_UPDATE_FAILED = 0x0024,
++ SEV_RET_RESTORE_REQUIRED = 0x0025,
++ SEV_RET_RMP_INITIALIZATION_FAILED = 0x0026,
++ SEV_RET_INVALID_KEY = 0x0027,
+ SEV_RET_MAX,
+ } sev_ret_code;
+
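Review bot: Renaming `SEV_RET_INVALID_PAGE_AEAD_OFLOW` to `SEV_RET_AEAD_OFLOW` in a uAPI header removes an identifier that userspace may already compile against, and the numeric fix does not need the rename. Keeping the old spelling as an alias enumerator, `SEV_RET_INVALID_PAGE_AEAD_OFLOW = SEV_RET_AEAD_OFLOW,`, would preserve source compatibility. The enumerators above `SEV_RET_INVALID_PAGE_SIZE = 0x0019` still rely on implicit numbering, and the enum starts outside the hunk, so whether `SEV_RET_SECURE_DATA_INVALID` really lands on 0x18 cannot be checked from here; explicit values for the whole enum would rule out the same kind of drift. The skipped value 0x001E deserves a short comment if the gap is intentional.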
diff --git a/queue-6.14/dlm-fix-error-if-active-rsb-is-not-hashed.patch b/queue-6.14/dlm-fix-error-if-active-rsb-is-not-hashed.patch
new file mode 100644
index 0000000000..f9637d6b28
--- /dev/null
+++ b/queue-6.14/dlm-fix-error-if-active-rsb-is-not-hashed.patch
@@ -0,0 +1,34 @@
+From a3672304abf2a847ac0c54c84842c64c5bfba279 Mon Sep 17 00:00:00 2001
+From: Alexander Aring
+Date: Fri, 28 Feb 2025 17:48:51 -0500
+Subject: dlm: fix error if active rsb is not hashed
+
+From: Alexander Aring
+
+commit a3672304abf2a847ac0c54c84842c64c5bfba279 upstream.
+
+If an active rsb is not hashed anymore and this could occur because we
+releases and acquired locks we need to signal the followed code that
+the lookup failed. Since the lookup was successful, but it isn't part of
+the rsb hash anymore we need to signal it by setting error to -EBADR as
+dlm_search_rsb_tree() does it.
+
+Cc: stable@vger.kernel.org
+Fixes: 5be323b0c64d ("dlm: move dlm_search_rsb_tree() out of lock")
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -741,6 +741,7 @@ static int find_rsb_dir(struct dlm_ls *l
+ read_lock_bh(&ls->ls_rsbtbl_lock);
+ if (!rsb_flag(r, RSB_HASHED)) {
+ read_unlock_bh(&ls->ls_rsbtbl_lock);
++ error = -EBADR;
+ goto do_new;
+ }
+
diff --git a/queue-6.14/dlm-fix-error-if-inactive-rsb-is-not-hashed.patch b/queue-6.14/dlm-fix-error-if-inactive-rsb-is-not-hashed.patch
new file mode 100644
index 0000000000..81c5878f83
--- /dev/null
+++ b/queue-6.14/dlm-fix-error-if-inactive-rsb-is-not-hashed.patch
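Review bot: The added `error = -EBADR;` before `goto do_new` is not explained in the code, and the same uncommented line is added in the inactive-rsb patch that follows (the `write_unlock_bh` branch). A reader of find_rsb_dir() cannot tell from the branch alone why a lookup that succeeded is reported as failed; a comment such as `/* rsb was unhashed while the lock was dropped; treat as a failed lookup, like dlm_search_rsb_tree() */` would carry the reasoning from the commit message into the source. The function body and the `do_new` label are outside the hunk, so how `error` is consumed there is not visible.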
@@ -0,0 +1,34 @@
+From 94e6e889a786dd16542fc8f2a45405fa13e3bbb5 Mon Sep 17 00:00:00 2001
+From: Alexander Aring
+Date: Fri, 28 Feb 2025 17:48:50 -0500
+Subject: dlm: fix error if inactive rsb is not hashed
+
+From: Alexander Aring
+
+commit 94e6e889a786dd16542fc8f2a45405fa13e3bbb5 upstream.
+
+If an inactive rsb is not hashed anymore and this could occur because we
+releases and acquired locks we need to signal the followed code that the
+lookup failed. Since the lookup was successful, but it isn't part of the
+rsb hash anymore we need to signal it by setting error to -EBADR as
+dlm_search_rsb_tree() does it.
+
+Cc: stable@vger.kernel.org
+Fixes: 01fdeca1cc2d ("dlm: use rcu to avoid an extra rsb struct lookup")
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -784,6 +784,7 @@ static int find_rsb_dir(struct dlm_ls *l
+ }
+ } else {
+ write_unlock_bh(&ls->ls_rsbtbl_lock);
++ error = -EBADR;
+ goto do_new;
+ }
+
diff --git a/queue-6.14/dm-ebs-fix-prefetch-vs-suspend-race.patch b/queue-6.14/dm-ebs-fix-prefetch-vs-suspend-race.patch
new file mode 100644
index 0000000000..fc4d1c80a4
--- /dev/null
+++ b/queue-6.14/dm-ebs-fix-prefetch-vs-suspend-race.patch
@@ -0,0 +1,43 @@
+From 9c565428788fb9b49066f94ab7b10efc686a0a4c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 28 Mar 2025 16:19:07 +0100
+Subject: dm-ebs: fix prefetch-vs-suspend race
+
+From: Mikulas Patocka
+
+commit 9c565428788fb9b49066f94ab7b10efc686a0a4c upstream.
+
+There's a possible race condition in dm-ebs - dm bufio prefetch may be in
+progress while the device is suspended. Fix this by calling
+dm_bufio_client_reset in the postsuspend hook.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-ebs-target.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/dm-ebs-target.c
++++ b/drivers/md/dm-ebs-target.c
+@@ -390,6 +390,12 @@ static int ebs_map(struct dm_target *ti,
+ return DM_MAPIO_REMAPPED;
+ }
+
++static void ebs_postsuspend(struct dm_target *ti)
++{
++ struct ebs_c *ec = ti->private;
++ dm_bufio_client_reset(ec->bufio);
++}
++
+ static void ebs_status(struct dm_target *ti, status_type_t type,
+ unsigned int status_flags, char *result, unsigned int maxlen)
+ {
+@@ -447,6 +453,7 @@ static struct target_type ebs_target = {
+ .ctr = ebs_ctr,
+ .dtr = ebs_dtr,
+ .map = ebs_map,
++ .postsuspend = ebs_postsuspend,
+ .status = ebs_status,
+ .io_hints = ebs_io_hints,
+ .prepare_ioctl = ebs_prepare_ioctl,
diff --git a/queue-6.14/dm-integrity-fix-non-constant-time-tag-verification.patch b/queue-6.14/dm-integrity-fix-non-constant-time-tag-verification.patch
new file mode 100644
index 0000000000..c76cf0c556
--- /dev/null
+++ b/queue-6.14/dm-integrity-fix-non-constant-time-tag-verification.patch
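Review bot: ebs_postsuspend() has no blank line between the declaration `struct ebs_c *ec = ti->private;` and the call that follows, which kernel coding style asks for; verity_postsuspend() in the dm-verity patch further down has the same layout. The hook also carries no comment on why the bufio client is reset at this point; something like `/* stop in-flight bufio prefetch before the device is considered suspended */` above the call would record the race the commit message describes.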
@@ -0,0 +1,164 @@ +From 8bde1033f9cfc1c08628255cc434c6cf39c9d9ba Mon Sep 17 00:00:00 2001 +From: Jo Van Bulck +Date: Fri, 28 Mar 2025 16:04:47 +0100 +Subject: dm-integrity: fix non-constant-time tag verification + +From: Jo Van Bulck + +commit 8bde1033f9cfc1c08628255cc434c6cf39c9d9ba upstream. + +When using dm-integrity in standalone mode with a keyed hmac algorithm, +integrity tags are calculated and verified internally. + +Using plain memcmp to compare the stored and computed tags may leak the +position of the first byte mismatch through side-channel analysis, +allowing to brute-force expected tags in linear time (e.g., by counting +single-stepping interrupts in confidential virtual machine environments). + +Co-developed-by: Luca Wilke +Signed-off-by: Luca Wilke +Signed-off-by: Jo Van Bulck +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-integrity.c | 45 ++++++++++++++++++++++----------------------- + 1 file changed, 22 insertions(+), 23 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -516,7 +517,7 @@ static int sb_mac(struct dm_integrity_c + dm_integrity_io_error(ic, "crypto_shash_digest", r); + return r; + } +- if (memcmp(mac, actual_mac, mac_size)) { ++ if (crypto_memneq(mac, actual_mac, mac_size)) { + dm_integrity_io_error(ic, "superblock mac", -EILSEQ); + dm_audit_log_target(DM_MSG_PREFIX, "mac-superblock", ic->ti, 0); + return -EILSEQ; +@@ -859,7 +860,7 @@ static void rw_section_mac(struct dm_int + if (likely(wr)) + memcpy(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR); + else { +- if (memcmp(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR)) { ++ if (crypto_memneq(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR)) { + dm_integrity_io_error(ic, "journal mac", -EILSEQ); + 
dm_audit_log_target(DM_MSG_PREFIX, "mac-journal", ic->ti, 0); + } +@@ -1401,10 +1402,9 @@ static bool find_newer_committed_node(st + static int dm_integrity_rw_tag(struct dm_integrity_c *ic, unsigned char *tag, sector_t *metadata_block, + unsigned int *metadata_offset, unsigned int total_size, int op) + { +-#define MAY_BE_FILLER 1 +-#define MAY_BE_HASH 2 + unsigned int hash_offset = 0; +- unsigned int may_be = MAY_BE_HASH | (ic->discard ? MAY_BE_FILLER : 0); ++ unsigned char mismatch_hash = 0; ++ unsigned char mismatch_filler = !ic->discard; + + do { + unsigned char *data, *dp; +@@ -1425,7 +1425,7 @@ static int dm_integrity_rw_tag(struct dm + if (op == TAG_READ) { + memcpy(tag, dp, to_copy); + } else if (op == TAG_WRITE) { +- if (memcmp(dp, tag, to_copy)) { ++ if (crypto_memneq(dp, tag, to_copy)) { + memcpy(dp, tag, to_copy); + dm_bufio_mark_partial_buffer_dirty(b, *metadata_offset, *metadata_offset + to_copy); + } +@@ -1433,29 +1433,30 @@ static int dm_integrity_rw_tag(struct dm + /* e.g.: op == TAG_CMP */ + + if (likely(is_power_of_2(ic->tag_size))) { +- if (unlikely(memcmp(dp, tag, to_copy))) +- if (unlikely(!ic->discard) || +- unlikely(memchr_inv(dp, DISCARD_FILLER, to_copy) != NULL)) { +- goto thorough_test; +- } ++ if (unlikely(crypto_memneq(dp, tag, to_copy))) ++ goto thorough_test; + } else { + unsigned int i, ts; + thorough_test: + ts = total_size; + + for (i = 0; i < to_copy; i++, ts--) { +- if (unlikely(dp[i] != tag[i])) +- may_be &= ~MAY_BE_HASH; +- if (likely(dp[i] != DISCARD_FILLER)) +- may_be &= ~MAY_BE_FILLER; ++ /* ++ * Warning: the control flow must not be ++ * dependent on match/mismatch of ++ * individual bytes. 
++ */ ++ mismatch_hash |= dp[i] ^ tag[i]; ++ mismatch_filler |= dp[i] ^ DISCARD_FILLER; + hash_offset++; + if (unlikely(hash_offset == ic->tag_size)) { +- if (unlikely(!may_be)) { ++ if (unlikely(mismatch_hash) && unlikely(mismatch_filler)) { + dm_bufio_release(b); + return ts; + } + hash_offset = 0; +- may_be = MAY_BE_HASH | (ic->discard ? MAY_BE_FILLER : 0); ++ mismatch_hash = 0; ++ mismatch_filler = !ic->discard; + } + } + } +@@ -1476,8 +1477,6 @@ thorough_test: + } while (unlikely(total_size)); + + return 0; +-#undef MAY_BE_FILLER +-#undef MAY_BE_HASH + } + + struct flush_request { +@@ -2076,7 +2075,7 @@ retry_kmap: + char checksums_onstack[MAX_T(size_t, HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)]; + + integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack); +- if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) { ++ if (unlikely(crypto_memneq(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) { + DMERR_LIMIT("Checksum failed when reading from journal, at sector 0x%llx", + logical_sector); + dm_audit_log_bio(DM_MSG_PREFIX, "journal-checksum", +@@ -2595,7 +2594,7 @@ static void dm_integrity_inline_recheck( + bio_put(outgoing_bio); + + integrity_sector_checksum(ic, dio->bio_details.bi_iter.bi_sector, outgoing_data, digest); +- if (unlikely(memcmp(digest, dio->integrity_payload, min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) { ++ if (unlikely(crypto_memneq(digest, dio->integrity_payload, min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) { + DMERR_LIMIT("%pg: Checksum failed at sector 0x%llx", + ic->dev->bdev, dio->bio_details.bi_iter.bi_sector); + atomic64_inc(&ic->number_of_mismatches); +@@ -2634,7 +2633,7 @@ static int dm_integrity_end_io(struct dm + char *mem = bvec_kmap_local(&bv); + //memset(mem, 0xff, ic->sectors_per_block << SECTOR_SHIFT); + integrity_sector_checksum(ic, dio->bio_details.bi_iter.bi_sector, mem, digest); +- if (unlikely(memcmp(digest, 
dio->integrity_payload + pos, ++ if (unlikely(crypto_memneq(digest, dio->integrity_payload + pos, + min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) { + kunmap_local(mem); + dm_integrity_free_payload(dio); +@@ -2911,7 +2910,7 @@ static void do_journal_write(struct dm_i + + integrity_sector_checksum(ic, sec + ((l - j) << ic->sb->log2_sectors_per_block), + (char *)access_journal_data(ic, i, l), test_tag); +- if (unlikely(memcmp(test_tag, journal_entry_tag(ic, je2), ic->tag_size))) { ++ if (unlikely(crypto_memneq(test_tag, journal_entry_tag(ic, je2), ic->tag_size))) { + dm_integrity_io_error(ic, "tag mismatch when replaying journal", -EILSEQ); + dm_audit_log_target(DM_MSG_PREFIX, "integrity-replay-journal", ic->ti, 0); + } diff --git a/queue-6.14/dm-integrity-set-ti-error-on-memory-allocation-failure.patch b/queue-6.14/dm-integrity-set-ti-error-on-memory-allocation-failure.patch new file mode 100644 index 0000000000..2cdcfe8b0e --- /dev/null +++ b/queue-6.14/dm-integrity-set-ti-error-on-memory-allocation-failure.patch 
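Review bot: In the thorough_test loop of dm_integrity_rw_tag(), the start value `mismatch_filler = !ic->discard` is what disables the DISCARD_FILLER match when discard is off, and nothing in the code says so. With the old MAY_BE_FILLER flag that intent was readable from the name; now a reader has to work out that a non-zero seed makes `mismatch_hash && mismatch_filler` reduce to the hash test alone. A comment at both assignments, e.g. `/* seeded non-zero when discard is off so the filler pattern never counts as a match */`, would protect the constant-time accumulation from a well-meant cleanup. The existing warning comment could also state that the branch on the accumulated values is taken only once per complete tag, which is why it is acceptable. The function begins outside the hunk.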
@@ -0,0 +1,41 @@
+From 00204ae3d6712ee053353920e3ce2b00c35ef75b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Mon, 10 Feb 2025 16:14:22 +0100
+Subject: dm-integrity: set ti->error on memory allocation failure
+
+From: Mikulas Patocka
+
+commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream.
+
+The dm-integrity target didn't set the error string when memory
+allocation failed. This patch fixes it.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-integrity.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -5084,16 +5084,19 @@ try_smaller_buffer:
+
+ ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->recalc_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->may_write_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL);
+ if (!ic->bbs) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
diff --git a/queue-6.14/dm-verity-fix-prefetch-vs-suspend-race.patch b/queue-6.14/dm-verity-fix-prefetch-vs-suspend-race.patch
new file mode 100644
index 0000000000..57f24f3834
--- /dev/null
+++ b/queue-6.14/dm-verity-fix-prefetch-vs-suspend-race.patch
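Review bot: All three added assignments use the same string, `"Could not allocate memory for bitmap"`, so a failed table load does not show which of `ic->recalc_bitmap`, `ic->may_write_bitmap` or `ic->bbs` could not be allocated. Distinct messages, for example `ti->error = "Could not allocate memory for recalc bitmap";` with matching wording for the other two, would make the report actionable. The surrounding function and the `bad` label are outside the hunk.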
@@ -0,0 +1,45 @@
+From 2de510fccbca3d1906b55f4be5f1de83fa2424ef Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 28 Mar 2025 16:17:45 +0100
+Subject: dm-verity: fix prefetch-vs-suspend race
+
+From: Mikulas Patocka
+
+commit 2de510fccbca3d1906b55f4be5f1de83fa2424ef upstream.
+
+There's a possible race condition in dm-verity - the prefetch work item
+may race with suspend and it is possible that prefetch continues to run
+while the device is suspended. Fix this by calling flush_workqueue and
+dm_bufio_client_reset in the postsuspend hook.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-verity-target.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -796,6 +796,13 @@ static int verity_map(struct dm_target *
+ return DM_MAPIO_SUBMITTED;
+ }
+
++static void verity_postsuspend(struct dm_target *ti)
++{
++ struct dm_verity *v = ti->private;
++ flush_workqueue(v->verify_wq);
++ dm_bufio_client_reset(v->bufio);
++}
++
+ /*
+ * Status: V (valid) or C (corruption found)
+ */
+@@ -1766,6 +1773,7 @@ static struct target_type verity_target
+ .ctr = verity_ctr,
+ .dtr = verity_dtr,
+ .map = verity_map,
++ .postsuspend = verity_postsuspend,
+ .status = verity_status,
+ .prepare_ioctl = verity_prepare_ioctl,
+ .iterate_devices = verity_iterate_devices,
diff --git a/queue-6.14/dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch b/queue-6.14/dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch
new file mode 100644
index 0000000000..0fc491ec3a
--- /dev/null
+++ b/queue-6.14/dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch
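Review bot: The order of the two calls in verity_postsuspend() looks load-bearing but is not documented: `flush_workqueue(v->verify_wq)` runs before `dm_bufio_client_reset(v->bufio)`, presumably so that queued work cannot start a new prefetch after the reset. A comment such as `/* drain queued work first so nothing re-issues prefetch after the bufio reset */` would keep the calls from being reordered later. The ordering rationale is inferred from the commit message, since the prefetch work item itself is outside the hunk.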
@@ -0,0 +1,36 @@
+From d72deaf05ac18e421d7e52a6be8966fd6ee185f4 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 26 Feb 2025 12:29:13 +0100
+Subject: dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg'
+
+From: Krzysztof Kozlowski
+
+commit d72deaf05ac18e421d7e52a6be8966fd6ee185f4 upstream.
+
+Binding listed variable number of IO addresses without defining them,
+however example DTS code, all in-tree DTS and Linux kernel driver
+mention only one address space, so drop the second to make binding
+precise and correctly describe the hardware.
+
+Fixes: a8fbe1442c2b ("dt-bindings: arm: Adds CoreSight TPDA hardware definitions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Suzuki K Poulose
+Link: https://lore.kernel.org/r/20250226112914.94361-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
+@@ -55,8 +55,7 @@ properties:
+ - const: arm,primecell
+
+ reg:
+- minItems: 1
+- maxItems: 2
++ maxItems: 1
+
+ clocks:
+ maxItems: 1
diff --git a/queue-6.14/dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch b/queue-6.14/dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch
new file mode 100644
index 0000000000..f9a36dd44e
--- /dev/null
+++ b/queue-6.14/dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch
@@ -0,0 +1,36 @@
+From 1e4e454223f770748775f211455513c79cb3121e Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 26 Feb 2025 12:29:14 +0100
+Subject: dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg'
+
+From: Krzysztof Kozlowski
+
+commit 1e4e454223f770748775f211455513c79cb3121e upstream.
+
+Binding listed variable number of IO addresses without defining them,
+however example DTS code, all in-tree DTS and Linux kernel driver
+mention only one address space, so drop the second to make binding
+precise and correctly describe the hardware.
+
+Fixes: 6c781a35133d ("dt-bindings: arm: Add CoreSight TPDM hardware")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Suzuki K Poulose
+Link: https://lore.kernel.org/r/20250226112914.94361-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
+@@ -41,8 +41,7 @@ properties:
+ - const: arm,primecell
+
+ reg:
+- minItems: 1
+- maxItems: 2
++ maxItems: 1
+
+ qcom,dsb-element-bits:
+ description:
diff --git a/queue-6.14/firmware-cs_dsp-test_control_parse-null-terminate-test-strings.patch b/queue-6.14/firmware-cs_dsp-test_control_parse-null-terminate-test-strings.patch
new file mode 100644
index 0000000000..9b7a157841
--- /dev/null
+++ b/queue-6.14/firmware-cs_dsp-test_control_parse-null-terminate-test-strings.patch
@@ -0,0 +1,146 @@ +From 42ae6e2559e63c2d4096b698cd47aaeb974436df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 11 Feb 2025 16:00:02 +0100 +Subject: firmware: cs_dsp: test_control_parse: null-terminate test strings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 42ae6e2559e63c2d4096b698cd47aaeb974436df upstream. + +The char pointers in 'struct cs_dsp_mock_coeff_def' are expected to +point to C strings. They need to be terminated by a null byte. +However the code does not allocate that trailing null byte and only +works if by chance the allocation is followed by such a null byte. + +Refactor the repeated string allocation logic into a new helper which +makes sure the terminating null is always present. +It also makes the code more readable. + +Signed-off-by: Thomas Weißschuh +Fixes: 83baecd92e7c ("firmware: cs_dsp: Add KUnit testing of control parsing") +Cc: stable@vger.kernel.org +Reviewed-by: Richard Fitzgerald +Tested-by: Richard Fitzgerald +Link: https://patch.msgid.link/20250211-cs_dsp-kunit-strings-v1-1-d9bc2035d154@linutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + .../cirrus/test/cs_dsp_test_control_parse.c | 51 +++++++------------ + 1 file changed, 19 insertions(+), 32 deletions(-) + +diff --git a/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c b/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c +index cb90964740ea..942ba1af5e7c 100644 +--- a/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c ++++ b/drivers/firmware/cirrus/test/cs_dsp_test_control_parse.c +@@ -73,6 +73,18 @@ static const struct cs_dsp_mock_coeff_def mock_coeff_template = { + .length_bytes = 4, + }; + ++static char *cs_dsp_ctl_alloc_test_string(struct kunit *test, char c, size_t len) ++{ ++ char *str; ++ ++ str = kunit_kmalloc(test, len + 1, GFP_KERNEL); ++ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, str); ++ memset(str, c, len); ++ 
str[len] = '\0'; ++ ++ return str; ++} ++ + /* Algorithm info block without controls should load */ + static void cs_dsp_ctl_parse_no_coeffs(struct kunit *test) + { +@@ -160,12 +172,8 @@ static void cs_dsp_ctl_parse_max_v1_name(struct kunit *test) + struct cs_dsp_mock_coeff_def def = mock_coeff_template; + struct cs_dsp_coeff_ctl *ctl; + struct firmware *wmfw; +- char *name; + +- name = kunit_kzalloc(test, 256, GFP_KERNEL); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, name); +- memset(name, 'A', 255); +- def.fullname = name; ++ def.fullname = cs_dsp_ctl_alloc_test_string(test, 'A', 255); + + cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder, + cs_dsp_ctl_parse_test_algs[0].id, +@@ -252,14 +260,9 @@ static void cs_dsp_ctl_parse_max_short_name(struct kunit *test) + struct cs_dsp_test_local *local = priv->local; + struct cs_dsp_mock_coeff_def def = mock_coeff_template; + struct cs_dsp_coeff_ctl *ctl; +- char *name; + struct firmware *wmfw; + +- name = kunit_kmalloc(test, 255, GFP_KERNEL); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, name); +- memset(name, 'A', 255); +- +- def.shortname = name; ++ def.shortname = cs_dsp_ctl_alloc_test_string(test, 'A', 255); + + cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder, + cs_dsp_ctl_parse_test_algs[0].id, +@@ -273,7 +276,7 @@ static void cs_dsp_ctl_parse_max_short_name(struct kunit *test) + ctl = list_first_entry_or_null(&priv->dsp->ctl_list, struct cs_dsp_coeff_ctl, list); + KUNIT_ASSERT_NOT_NULL(test, ctl); + KUNIT_EXPECT_EQ(test, ctl->subname_len, 255); +- KUNIT_EXPECT_MEMEQ(test, ctl->subname, name, ctl->subname_len); ++ KUNIT_EXPECT_MEMEQ(test, ctl->subname, def.shortname, ctl->subname_len); + KUNIT_EXPECT_EQ(test, ctl->flags, def.flags); + KUNIT_EXPECT_EQ(test, ctl->type, def.type); + KUNIT_EXPECT_EQ(test, ctl->len, def.length_bytes); +@@ -323,12 +326,8 @@ static void cs_dsp_ctl_parse_with_max_fullname(struct kunit *test) + struct cs_dsp_mock_coeff_def def = mock_coeff_template; + struct cs_dsp_coeff_ctl *ctl; + struct 
firmware *wmfw; +- char *fullname; + +- fullname = kunit_kmalloc(test, 255, GFP_KERNEL); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, fullname); +- memset(fullname, 'A', 255); +- def.fullname = fullname; ++ def.fullname = cs_dsp_ctl_alloc_test_string(test, 'A', 255); + + cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder, + cs_dsp_ctl_parse_test_algs[0].id, +@@ -392,12 +391,8 @@ static void cs_dsp_ctl_parse_with_max_description(struct kunit *test) + struct cs_dsp_mock_coeff_def def = mock_coeff_template; + struct cs_dsp_coeff_ctl *ctl; + struct firmware *wmfw; +- char *description; + +- description = kunit_kmalloc(test, 65535, GFP_KERNEL); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, description); +- memset(description, 'A', 65535); +- def.description = description; ++ def.description = cs_dsp_ctl_alloc_test_string(test, 'A', 65535); + + cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder, + cs_dsp_ctl_parse_test_algs[0].id, +@@ -429,17 +424,9 @@ static void cs_dsp_ctl_parse_with_max_fullname_and_description(struct kunit *tes + struct cs_dsp_mock_coeff_def def = mock_coeff_template; + struct cs_dsp_coeff_ctl *ctl; + struct firmware *wmfw; +- char *fullname, *description; + +- fullname = kunit_kmalloc(test, 255, GFP_KERNEL); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, fullname); +- memset(fullname, 'A', 255); +- def.fullname = fullname; +- +- description = kunit_kmalloc(test, 65535, GFP_KERNEL); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, description); +- memset(description, 'A', 65535); +- def.description = description; ++ def.fullname = cs_dsp_ctl_alloc_test_string(test, 'A', 255); ++ def.description = cs_dsp_ctl_alloc_test_string(test, 'A', 65535); + + cs_dsp_mock_wmfw_start_alg_info_block(local->wmfw_builder, + cs_dsp_ctl_parse_test_algs[0].id, +-- +2.49.0 + diff --git a/queue-6.14/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch b/queue-6.14/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch new file mode 100644 index 0000000000..1152709b12 --- /dev/null 
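Review bot: cs_dsp_ctl_alloc_test_string() has no comment stating its contract: `len` is the string length without the terminator, the buffer is `len + 1` bytes, and the memory comes from kunit_kmalloc(), so it is owned by the test rather than the caller. A short header comment, e.g. `/* Return a test-managed, NUL-terminated string of len copies of c. */`, would make that explicit for the callers. The lengths 255 and 65535 are still repeated as bare literals at each call; named constants would say which format limit each one exercises.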
+++ b/queue-6.14/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch
@@ -0,0 +1,39 @@
+From 42ea22e754ba4f2b86f8760ca27f6f71da2d982c Mon Sep 17 00:00:00 2001
+From: zhoumin
+Date: Tue, 1 Apr 2025 01:00:34 +0800
+Subject: ftrace: Add cond_resched() to ftrace_graph_set_hash()
+
+From: zhoumin
+
+commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream.
+
+When the kernel contains a large number of functions that can be traced,
+the loop in ftrace_graph_set_hash() may take a lot of time to execute.
+This may trigger the softlockup watchdog.
+
+Add cond_resched() within the loop to allow the kernel to remain
+responsive even when processing a large number of functions.
+
+This matches the cond_resched() that is used in other locations of the
+code that iterates over all functions that can be traced.
+
+Cc: stable@vger.kernel.org
+Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
+Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com
+Signed-off-by: zhoumin
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6853,6 +6853,7 @@ ftrace_graph_set_hash(struct ftrace_hash
+ }
+ }
+ }
++ cond_resched();
+ } while_for_each_ftrace_rec();
+
+ return fail ? -EINVAL : 0;
diff --git a/queue-6.14/ftrace-properly-merge-notrace-hashes.patch b/queue-6.14/ftrace-properly-merge-notrace-hashes.patch
new file mode 100644
index 0000000000..47cdb7b152
--- /dev/null
+++ b/queue-6.14/ftrace-properly-merge-notrace-hashes.patch
@@ -0,0 +1,46 @@
+From 04a80a34c22f4db245f553d8696d1318d1c00ece Mon Sep 17 00:00:00 2001
+From: Andy Chiu
+Date: Wed, 9 Apr 2025 00:02:57 +0800
+Subject: ftrace: Properly merge notrace hashes
+
+From: Andy Chiu
+
+commit 04a80a34c22f4db245f553d8696d1318d1c00ece upstream.
+
+The global notrace hash should be jointly decided by the intersection of
+each subops's notrace hash, but not the filter hash.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250408160258.48563-1-andybnac@gmail.com
+Fixes: 5fccc7552ccb ("ftrace: Add subops logic to allow one ops to manage many")
+Signed-off-by: Andy Chiu
+[ fixed removing of freeing of filter_hash ]
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3524,16 +3524,16 @@ int ftrace_startup_subops(struct ftrace_
+ ftrace_hash_empty(subops->func_hash->notrace_hash)) {
+ notrace_hash = EMPTY_HASH;
+ } else {
+- size_bits = max(ops->func_hash->filter_hash->size_bits,
+- subops->func_hash->filter_hash->size_bits);
++ size_bits = max(ops->func_hash->notrace_hash->size_bits,
++ subops->func_hash->notrace_hash->size_bits);
+ notrace_hash = alloc_ftrace_hash(size_bits);
+ if (!notrace_hash) {
+ free_ftrace_hash(filter_hash);
+ return -ENOMEM;
+ }
+
+- ret = intersect_hash(¬race_hash, ops->func_hash->filter_hash,
+- subops->func_hash->filter_hash);
++ ret = intersect_hash(¬race_hash, ops->func_hash->notrace_hash,
++ subops->func_hash->notrace_hash);
+ if (ret < 0) {
+ free_ftrace_hash(filter_hash);
+ free_ftrace_hash(notrace_hash);
diff --git a/queue-6.14/fuse-io-uring-fix-a-possible-req-cancellation-race.patch b/queue-6.14/fuse-io-uring-fix-a-possible-req-cancellation-race.patch
new file mode 100644
index 0000000000..2b694d40ae
--- /dev/null
+++ b/queue-6.14/fuse-io-uring-fix-a-possible-req-cancellation-race.patch
@@ -0,0 +1,225 @@ +From 09098e62e4be8f0755e58d6078aaf27cbd9a3a8d Mon Sep 17 00:00:00 2001 +From: Bernd Schubert +Date: Tue, 25 Mar 2025 18:29:31 +0100 +Subject: fuse: {io-uring} Fix a possible req cancellation race + +From: Bernd Schubert + +commit 09098e62e4be8f0755e58d6078aaf27cbd9a3a8d upstream. + +task-A (application) might be in request_wait_answer and +try to remove the request when it has FR_PENDING set. + +task-B (a fuse-server io-uring task) might handle this +request with FUSE_IO_URING_CMD_COMMIT_AND_FETCH, when +fetching the next request and accessed the req from +the pending list in fuse_uring_ent_assign_req(). +That code path was not protected by fiq->lock and so +might race with task-A. + +For scaling reasons we better don't use fiq->lock, but +add a handler to remove canceled requests from the queue. + +This also removes usage of fiq->lock from +fuse_uring_add_req_to_ring_ent() altogether, as it was +there just to protect against this race and incomplete. + +Also added is a comment why FR_PENDING is not cleared. 
+ +Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support") +Cc: # v6.14 +Reported-by: Joanne Koong +Closes: https://lore.kernel.org/all/CAJnrk1ZgHNb78dz-yfNTpxmW7wtT88A=m-zF0ZoLXKLUHRjNTw@mail.gmail.com/ +Signed-off-by: Bernd Schubert +Reviewed-by: Joanne Koong +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 34 +++++++++++++++++++++++++--------- + fs/fuse/dev_uring.c | 15 +++++++++++---- + fs/fuse/dev_uring_i.h | 6 ++++++ + fs/fuse/fuse_dev_i.h | 1 + + fs/fuse/fuse_i.h | 3 +++ + 5 files changed, 46 insertions(+), 13 deletions(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 2c3a4d09e500..2645cd8accfd 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -407,6 +407,24 @@ static int queue_interrupt(struct fuse_req *req) + return 0; + } + ++bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock) ++{ ++ spin_lock(lock); ++ if (test_bit(FR_PENDING, &req->flags)) { ++ /* ++ * FR_PENDING does not get cleared as the request will end ++ * up in destruction anyway. 
++ */ ++ list_del(&req->list); ++ spin_unlock(lock); ++ __fuse_put_request(req); ++ req->out.h.error = -EINTR; ++ return true; ++ } ++ spin_unlock(lock); ++ return false; ++} ++ + static void request_wait_answer(struct fuse_req *req) + { + struct fuse_conn *fc = req->fm->fc; +@@ -428,22 +446,20 @@ static void request_wait_answer(struct fuse_req *req) + } + + if (!test_bit(FR_FORCE, &req->flags)) { ++ bool removed; ++ + /* Only fatal signals may interrupt this */ + err = wait_event_killable(req->waitq, + test_bit(FR_FINISHED, &req->flags)); + if (!err) + return; + +- spin_lock(&fiq->lock); +- /* Request is not yet in userspace, bail out */ +- if (test_bit(FR_PENDING, &req->flags)) { +- list_del(&req->list); +- spin_unlock(&fiq->lock); +- __fuse_put_request(req); +- req->out.h.error = -EINTR; ++ if (test_bit(FR_URING, &req->flags)) ++ removed = fuse_uring_remove_pending_req(req); ++ else ++ removed = fuse_remove_pending_req(req, &fiq->lock); ++ if (removed) + return; +- } +- spin_unlock(&fiq->lock); + } + + /* +diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c +index ebd2931b4f2a..add7273c8dc4 100644 +--- a/fs/fuse/dev_uring.c ++++ b/fs/fuse/dev_uring.c +@@ -726,8 +726,6 @@ static void fuse_uring_add_req_to_ring_ent(struct fuse_ring_ent *ent, + struct fuse_req *req) + { + struct fuse_ring_queue *queue = ent->queue; +- struct fuse_conn *fc = req->fm->fc; +- struct fuse_iqueue *fiq = &fc->iq; + + lockdep_assert_held(&queue->lock); + +@@ -737,9 +735,7 @@ static void fuse_uring_add_req_to_ring_ent(struct fuse_ring_ent *ent, + ent->state); + } + +- spin_lock(&fiq->lock); + clear_bit(FR_PENDING, &req->flags); +- spin_unlock(&fiq->lock); + ent->fuse_req = req; + ent->state = FRRS_FUSE_REQ; + list_move(&ent->list, &queue->ent_w_req_queue); +@@ -1238,6 +1234,8 @@ void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req) + if (unlikely(queue->stopped)) + goto err_unlock; + ++ set_bit(FR_URING, &req->flags); ++ req->ring_queue = queue; + ent = 
list_first_entry_or_null(&queue->ent_avail_queue, + struct fuse_ring_ent, list); + if (ent) +@@ -1276,6 +1274,8 @@ bool fuse_uring_queue_bq_req(struct fuse_req *req) + return false; + } + ++ set_bit(FR_URING, &req->flags); ++ req->ring_queue = queue; + list_add_tail(&req->list, &queue->fuse_req_bg_queue); + + ent = list_first_entry_or_null(&queue->ent_avail_queue, +@@ -1306,6 +1306,13 @@ bool fuse_uring_queue_bq_req(struct fuse_req *req) + return true; + } + ++bool fuse_uring_remove_pending_req(struct fuse_req *req) ++{ ++ struct fuse_ring_queue *queue = req->ring_queue; ++ ++ return fuse_remove_pending_req(req, &queue->lock); ++} ++ + static const struct fuse_iqueue_ops fuse_io_uring_ops = { + /* should be send over io-uring as enhancement */ + .send_forget = fuse_dev_queue_forget, +diff --git a/fs/fuse/dev_uring_i.h b/fs/fuse/dev_uring_i.h +index 2102b3d0c1ae..e5b39a92b7ca 100644 +--- a/fs/fuse/dev_uring_i.h ++++ b/fs/fuse/dev_uring_i.h +@@ -142,6 +142,7 @@ void fuse_uring_abort_end_requests(struct fuse_ring *ring); + int fuse_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags); + void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req); + bool fuse_uring_queue_bq_req(struct fuse_req *req); ++bool fuse_uring_remove_pending_req(struct fuse_req *req); + + static inline void fuse_uring_abort(struct fuse_conn *fc) + { +@@ -200,6 +201,11 @@ static inline bool fuse_uring_ready(struct fuse_conn *fc) + return false; + } + ++static inline bool fuse_uring_remove_pending_req(struct fuse_req *req) ++{ ++ return false; ++} ++ + #endif /* CONFIG_FUSE_IO_URING */ + + #endif /* _FS_FUSE_DEV_URING_I_H */ +diff --git a/fs/fuse/fuse_dev_i.h b/fs/fuse/fuse_dev_i.h +index 3b2bfe1248d3..2481da3388c5 100644 +--- a/fs/fuse/fuse_dev_i.h ++++ b/fs/fuse/fuse_dev_i.h +@@ -61,6 +61,7 @@ int fuse_copy_out_args(struct fuse_copy_state *cs, struct fuse_args *args, + void fuse_dev_queue_forget(struct fuse_iqueue *fiq, + struct fuse_forget_link *forget); + void 
fuse_dev_queue_interrupt(struct fuse_iqueue *fiq, struct fuse_req *req); ++bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock); + + #endif + +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h +index fee96fe7887b..2086dac7243b 100644 +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -378,6 +378,7 @@ struct fuse_io_priv { + * FR_FINISHED: request is finished + * FR_PRIVATE: request is on private list + * FR_ASYNC: request is asynchronous ++ * FR_URING: request is handled through fuse-io-uring + */ + enum fuse_req_flag { + FR_ISREPLY, +@@ -392,6 +393,7 @@ enum fuse_req_flag { + FR_FINISHED, + FR_PRIVATE, + FR_ASYNC, ++ FR_URING, + }; + + /** +@@ -441,6 +443,7 @@ struct fuse_req { + + #ifdef CONFIG_FUSE_IO_URING + void *ring_entry; ++ void *ring_queue; + #endif + }; + +-- +2.49.0 + diff --git a/queue-6.14/gpio-mpc8xxx-fix-wakeup-source-leaks-on-device-unbind.patch b/queue-6.14/gpio-mpc8xxx-fix-wakeup-source-leaks-on-device-unbind.patch new file mode 100644 index 0000000000..f516c0fc25 --- /dev/null +++ b/queue-6.14/gpio-mpc8xxx-fix-wakeup-source-leaks-on-device-unbind.patch 
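Review bot: The new non-static helper `fuse_remove_pending_req(req, lock)` in fs/fuse/dev.c has no comment stating its locking contract, yet its correctness depends on the caller passing the lock that protects the list `req->list` is currently linked on. A one-line comment above it would make that explicit: `/* @lock must protect the list @req is queued on: fiq->lock, or queue->lock for FR_URING requests */`. It would also help to note that a `true` return means the request was unlinked, its reference dropped and `out.h.error` set to -EINTR. The io-uring path trusts `req->ring_queue`, which both queueing functions assign right after `set_bit(FR_URING, ...)`. That appears to happen under `queue->lock`, but the lock acquisition is outside these hunks, so confirm the assignment always precedes the request becoming visible on a queue.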
@@ -0,0 +1,34 @@ +From da47605e43af9996eb46c8a060f259a8c34cc3c5 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 6 Apr 2025 22:22:44 +0200 +Subject: gpio: mpc8xxx: Fix wakeup source leaks on device unbind + +From: Krzysztof Kozlowski + +commit da47605e43af9996eb46c8a060f259a8c34cc3c5 upstream. + +Device can be unbound, so driver must also release memory for the wakeup +source. + +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250406202245.53854-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mpc8xxx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -410,7 +410,9 @@ static int mpc8xxx_probe(struct platform + goto err; + } + +- device_init_wakeup(dev, true); ++ ret = devm_device_init_wakeup(dev); ++ if (ret) ++ return dev_err_probe(dev, ret, "Failed to init wakeup\n"); + + return 0; + err: diff --git a/queue-6.14/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch b/queue-6.14/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch new file mode 100644 index 0000000000..f182dd60f9 --- /dev/null +++ b/queue-6.14/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch 
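Review bot: The new failure branch in `mpc8xxx_probe` returns directly with `return dev_err_probe(dev, ret, "Failed to init wakeup\n");`, while the failure just above it uses `goto err;`. If the `err:` label undoes earlier setup, this path skips that cleanup and trades the wakeup-source leak for a different one on probe failure. The label's body is outside the hunk, so this needs checking against the full function. Routing the failure through the label keeps the unwind consistent: `ret = dev_err_probe(dev, ret, "Failed to init wakeup\n");` followed by `goto err;`.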
@@ -0,0 +1,69 @@ +From 8323f3a69de6f6e96bf22f32dd8e2920766050c2 Mon Sep 17 00:00:00 2001 +From: Guixin Liu +Date: Thu, 27 Mar 2025 11:23:49 +0800 +Subject: gpio: tegra186: fix resource handling in ACPI probe path + +From: Guixin Liu + +commit 8323f3a69de6f6e96bf22f32dd8e2920766050c2 upstream. + +When the Tegra186 GPIO controller is probed through ACPI matching, +the driver emits two error messages during probing: + "tegra186-gpio NVDA0508:00: invalid resource (null)" + "tegra186-gpio NVDA0508:00: invalid resource (null)" + +Fix this by getting resource first and then do the ioremap. + +Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support") +Cc: stable@vger.kernel.org +Signed-off-by: Guixin Liu +Link: https://lore.kernel.org/r/20250327032349.78809-1-kanie@linux.alibaba.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/gpio/gpio-tegra186.c ++++ b/drivers/gpio/gpio-tegra186.c +@@ -823,6 +823,7 @@ static int tegra186_gpio_probe(struct pl + struct gpio_irq_chip *irq; + struct tegra_gpio *gpio; + struct device_node *np; ++ struct resource *res; + char **names; + int err; + +@@ -842,19 +843,19 @@ static int tegra186_gpio_probe(struct pl + gpio->num_banks++; + + /* get register apertures */ +- gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security"); +- if (IS_ERR(gpio->secure)) { +- gpio->secure = devm_platform_ioremap_resource(pdev, 0); +- if (IS_ERR(gpio->secure)) +- return PTR_ERR(gpio->secure); +- } +- +- gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio"); +- if (IS_ERR(gpio->base)) { +- gpio->base = devm_platform_ioremap_resource(pdev, 1); +- if (IS_ERR(gpio->base)) +- return PTR_ERR(gpio->base); +- } ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security"); ++ if (!res) ++ res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ gpio->secure = 
devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(gpio->secure)) ++ return PTR_ERR(gpio->secure); ++ ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio"); ++ if (!res) ++ res = platform_get_resource(pdev, IORESOURCE_MEM, 1); ++ gpio->base = devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(gpio->base)) ++ return PTR_ERR(gpio->base); + + err = platform_irq_count(pdev); + if (err < 0) diff --git a/queue-6.14/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch b/queue-6.14/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch new file mode 100644 index 0000000000..0df5dcdde2 --- /dev/null +++ b/queue-6.14/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch @@ -0,0 +1,31 @@ +From c5672e310ad971d408752fce7596ed27adc6008f Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 6 Apr 2025 22:22:45 +0200 +Subject: gpio: zynq: Fix wakeup source leaks on device unbind + +From: Krzysztof Kozlowski + +commit c5672e310ad971d408752fce7596ed27adc6008f upstream. + +Device can be unbound, so driver must also release memory for the wakeup +source. + +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-zynq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-zynq.c ++++ b/drivers/gpio/gpio-zynq.c +@@ -1011,6 +1011,7 @@ static void zynq_gpio_remove(struct plat + ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) + dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n"); ++ device_init_wakeup(&pdev->dev, 0); + gpiochip_remove(&gpio->chip); + device_set_wakeup_capable(&pdev->dev, 0); + pm_runtime_disable(&pdev->dev); diff --git a/queue-6.14/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch b/queue-6.14/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch new file mode 100644 index 0000000000..d5642c8d98 
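Review bot: In `zynq_gpio_remove` the added `device_init_wakeup(&pdev->dev, 0);` already clears the wakeup-capable flag when called with a false argument, so the existing `device_set_wakeup_capable(&pdev->dev, 0);` two lines later is now redundant. The second parameter is a `bool`, so `device_init_wakeup(&pdev->dev, false);` reads more clearly than `0`. The rest of the remove function lies outside the hunk.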
--- /dev/null +++ b/queue-6.14/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch @@ -0,0 +1,40 @@ +From 15970e1b23f5c25db88c613fddf9131de086f28e Mon Sep 17 00:00:00 2001 +From: Joshua Washington +Date: Wed, 2 Apr 2025 00:10:37 +0000 +Subject: gve: handle overflow when reporting TX consumed descriptors + +From: Joshua Washington + +commit 15970e1b23f5c25db88c613fddf9131de086f28e upstream. + +When the tx tail is less than the head (in cases of wraparound), the TX +consumed descriptor statistic in DQ will be reported as +UINT32_MAX - head + tail, which is incorrect. Mask the difference of +head and tail according to the ring size when reporting the statistic. + +Cc: stable@vger.kernel.org +Fixes: 2c9198356d56 ("gve: Add consumed counts to ethtool stats") +Signed-off-by: Joshua Washington +Signed-off-by: Harshitha Ramamurthy +Reviewed-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250402001037.2717315-1-hramamurthy@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -392,7 +392,9 @@ gve_get_ethtool_stats(struct net_device + */ + data[i++] = 0; + data[i++] = 0; +- data[i++] = tx->dqo_tx.tail - tx->dqo_tx.head; ++ data[i++] = ++ (tx->dqo_tx.tail - tx->dqo_tx.head) & ++ tx->mask; + } + do { + start = diff --git a/queue-6.14/kvm-allow-building-irqbypass.ko-as-as-module-when-kvm.ko-is-a-module.patch b/queue-6.14/kvm-allow-building-irqbypass.ko-as-as-module-when-kvm.ko-is-a-module.patch new file mode 100644 index 0000000000..ffb6d1dbbd --- /dev/null +++ b/queue-6.14/kvm-allow-building-irqbypass.ko-as-as-module-when-kvm.ko-is-a-module.patch 
@@ -0,0 +1,97 @@ +From 459a35111b0a890172a78d51c01b204e13a34a18 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 14 Mar 2025 19:46:23 -0700 +Subject: KVM: Allow building irqbypass.ko as as module when kvm.ko is a module + +From: Sean Christopherson + +commit 459a35111b0a890172a78d51c01b204e13a34a18 upstream. + +Convert HAVE_KVM_IRQ_BYPASS into a tristate so that selecting +IRQ_BYPASS_MANAGER follows KVM={m,y}, i.e. doesn't force irqbypass.ko to +be built-in. + +Note, PPC allows building KVM as a module, but selects HAVE_KVM_IRQ_BYPASS +from a boolean Kconfig, i.e. KVM PPC unnecessarily forces irqbpass.ko to +be built-in. But that flaw is a longstanding PPC specific issue. + +Fixes: 61df71ee992d ("kvm: move "select IRQ_BYPASS_MANAGER" to common code") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250315024623.2363994-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 2 +- + virt/kvm/Kconfig | 2 +- + virt/kvm/eventfd.c | 10 +++++----- + 3 files changed, 7 insertions(+), 7 deletions(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -2382,7 +2382,7 @@ static inline bool kvm_is_visible_memslo + struct kvm_vcpu *kvm_get_running_vcpu(void); + struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void); + +-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS ++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS) + bool kvm_arch_has_irq_bypass(void); + int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *, + struct irq_bypass_producer *); +--- a/virt/kvm/Kconfig ++++ b/virt/kvm/Kconfig +@@ -75,7 +75,7 @@ config KVM_COMPAT + depends on KVM && COMPAT && !(S390 || ARM64 || RISCV) + + config HAVE_KVM_IRQ_BYPASS +- bool ++ tristate + select IRQ_BYPASS_MANAGER + + config HAVE_KVM_VCPU_ASYNC_IOCTL +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -149,7 +149,7 @@ irqfd_shutdown(struct work_struct *work) + /* + * It is now safe to release the object's 
resources + */ +-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS ++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS) + irq_bypass_unregister_consumer(&irqfd->consumer); + #endif + eventfd_ctx_put(irqfd->eventfd); +@@ -274,7 +274,7 @@ static void irqfd_update(struct kvm *kvm + write_seqcount_end(&irqfd->irq_entry_sc); + } + +-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS ++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS) + void __attribute__((weak)) kvm_arch_irq_bypass_stop( + struct irq_bypass_consumer *cons) + { +@@ -424,7 +424,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct + if (events & EPOLLIN) + schedule_work(&irqfd->inject); + +-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS ++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS) + if (kvm_arch_has_irq_bypass()) { + irqfd->consumer.token = (void *)irqfd->eventfd; + irqfd->consumer.add_producer = kvm_arch_irq_bypass_add_producer; +@@ -609,14 +609,14 @@ void kvm_irq_routing_update(struct kvm * + spin_lock_irq(&kvm->irqfds.lock); + + list_for_each_entry(irqfd, &kvm->irqfds.items, list) { +-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS ++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS) + /* Under irqfds.lock, so can read irq_entry safely */ + struct kvm_kernel_irq_routing_entry old = irqfd->irq_entry; + #endif + + irqfd_update(kvm, irqfd); + +-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS ++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS) + if (irqfd->producer && + kvm_arch_irqfd_route_changed(&old, &irqfd->irq_entry)) { + int ret = kvm_arch_update_irqfd_routing( diff --git a/queue-6.14/kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch b/queue-6.14/kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch new file mode 100644 index 0000000000..b3aa753f7e --- /dev/null +++ b/queue-6.14/kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch 
@@ -0,0 +1,53 @@ +From b4392813bbc3b05fc01a33c64d8b8c6c62c32cfa Mon Sep 17 00:00:00 2001 +From: Amit Machhiwal +Date: Thu, 20 Feb 2025 12:30:02 +0530 +Subject: KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests + +From: Amit Machhiwal + +commit b4392813bbc3b05fc01a33c64d8b8c6c62c32cfa upstream. + +Currently on book3s-hv, the capability KVM_CAP_SPAPR_TCE_VFIO is only +available for KVM Guests running on PowerNV and not for the KVM guests +running on pSeries hypervisors. This prevents a pSeries L2 guest from +leveraging the in-kernel acceleration for H_PUT_TCE_INDIRECT and +H_STUFF_TCE hcalls that results in slow startup times for large memory +guests. + +Support for VFIO on pSeries was restored in commit f431a8cde7f1 +("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries"), +making it possible to re-enable this capability on pSeries hosts. + +This change enables KVM_CAP_SPAPR_TCE_VFIO for nested PAPR guests on +pSeries, while maintaining the existing behavior on PowerNV. Booting an +L2 guest with 128GB of memory shows an average 11% improvement in +startup time. + +Fixes: f431a8cde7f1 ("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries") +Cc: stable@vger.kernel.org +Reviewed-by: Vaibhav Jain +Reviewed-by: Ritesh Harjani (IBM) +Signed-off-by: Amit Machhiwal +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250220070002.1478849-1-amachhiw@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/powerpc.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -550,12 +550,9 @@ int kvm_vm_ioctl_check_extension(struct + + #ifdef CONFIG_PPC_BOOK3S_64 + case KVM_CAP_SPAPR_TCE: ++ fallthrough; + case KVM_CAP_SPAPR_TCE_64: +- r = 1; +- break; + case KVM_CAP_SPAPR_TCE_VFIO: +- r = !!cpu_has_feature(CPU_FTR_HVMODE); +- break; + case KVM_CAP_PPC_RTAS: + case KVM_CAP_PPC_FIXUP_HCALL: + case KVM_CAP_PPC_ENABLE_HCALL: 
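Review bot: The `fallthrough;` added after `case KVM_CAP_SPAPR_TCE:` in `kvm_vm_ioctl_check_extension` sits between two empty, consecutive case labels, where no annotation is needed. It is also inconsistent with the unannotated `case KVM_CAP_SPAPR_TCE_64:` and `case KVM_CAP_SPAPR_TCE_VFIO:` labels right below, so the line can be dropped. With `r = !!cpu_has_feature(CPU_FTR_HVMODE);` removed, the VFIO capability takes whatever value the shared tail of this case group assigns. That tail is outside the hunk, so confirm it carries no condition that should not apply here. A short comment such as `/* VFIO TCE acceleration is available on both PowerNV and pSeries hosts */` would record why the HV-mode check went away.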
diff --git a/queue-6.14/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch b/queue-6.14/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch new file mode 100644 index 0000000000..58b42ac388 --- /dev/null +++ b/queue-6.14/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch 
@@ -0,0 +1,82 @@ +From ef01cac401f18647d62720cf773d7bb0541827da Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 1 Apr 2025 08:05:04 -0700 +Subject: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses + +From: Sean Christopherson + +commit ef01cac401f18647d62720cf773d7bb0541827da upstream. + +Acquire a lock on kvm->srcu when userspace is getting MP state to handle a +rather extreme edge case where "accepting" APIC events, i.e. processing +pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU +is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP +state will trigger a nested VM-Exit by way of ->check_nested_events(), and +emuating the nested VM-Exit can access guest memory. + +The splat was originally hit by syzkaller on a Google-internal kernel, and +reproduced on an upstream kernel by hacking the triple_fault_event_test +selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a +memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. + + ============================= + WARNING: suspicious RCU usage + 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted + ----------------------------- + include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! 
+ + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by triple_fault_ev/1256: + #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] + + stack backtrace: + CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl+0x7f/0x90 + lockdep_rcu_suspicious+0x144/0x190 + kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] + kvm_vcpu_read_guest+0x3e/0x90 [kvm] + read_and_check_msr_entry+0x2e/0x180 [kvm_intel] + __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] + kvm_check_nested_events+0x1b/0x30 [kvm] + kvm_apic_accept_events+0x33/0x100 [kvm] + kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] + kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] + __x64_sys_ioctl+0x8b/0xb0 + do_syscall_64+0x6c/0x170 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250401150504.829812-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -11773,6 +11773,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru + if (kvm_mpx_supported()) + kvm_load_guest_fpu(vcpu); + ++ kvm_vcpu_srcu_read_lock(vcpu); ++ + r = kvm_apic_accept_events(vcpu); + if (r < 0) + goto out; +@@ -11786,6 +11788,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru + mp_state->mp_state = vcpu->arch.mp_state; + + out: ++ kvm_vcpu_srcu_read_unlock(vcpu); ++ + if (kvm_mpx_supported()) + kvm_put_guest_fpu(vcpu); + vcpu_put(vcpu); diff --git a/queue-6.14/kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch b/queue-6.14/kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch new file mode 100644 index 0000000000..aa09a6fc8b --- /dev/null 
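Review bot: The `kvm_vcpu_srcu_read_lock(vcpu);` added in `kvm_arch_vcpu_ioctl_get_mpstate` carries no comment, and nothing at the call site suggests that reading MP state can touch guest memory. A note above the lock would keep a later cleanup from dropping it: `/* Accepting APIC events may emulate a nested VM-Exit, which can read guest memory. */`. Because the unlock is placed at the `out:` label, every `goto out` must come after the lock is taken. The only one visible does, but the start of the function is outside the hunk and should be checked.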
+++ b/queue-6.14/kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch @@ -0,0 +1,55 @@ +From bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 14 Mar 2025 19:41:02 -0700 +Subject: KVM: x86: Explicitly zero-initialize on-stack CPUID unions + +From: Sean Christopherson + +commit bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 upstream. + +Explicitly zero/empty-initialize the unions used for PMU related CPUID +entries, instead of manually zeroing all fields (hopefully), or in the +case of 0x80000022, relying on the compiler to clobber the uninitialized +bitfields. + +Signed-off-by: Sean Christopherson +Reviewed-by: Jim Mattson +Message-ID: <20250315024102.2361628-1-seanjc@google.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -1423,8 +1423,8 @@ static inline int __do_cpuid_func(struct + } + break; + case 0xa: { /* Architectural Performance Monitoring */ +- union cpuid10_eax eax; +- union cpuid10_edx edx; ++ union cpuid10_eax eax = { }; ++ union cpuid10_edx edx = { }; + + if (!enable_pmu || !static_cpu_has(X86_FEATURE_ARCH_PERFMON)) { + entry->eax = entry->ebx = entry->ecx = entry->edx = 0; +@@ -1440,8 +1440,6 @@ static inline int __do_cpuid_func(struct + + if (kvm_pmu_cap.version) + edx.split.anythread_deprecated = 1; +- edx.split.reserved1 = 0; +- edx.split.reserved2 = 0; + + entry->eax = eax.full; + entry->ebx = kvm_pmu_cap.events_mask; +@@ -1759,7 +1757,7 @@ static inline int __do_cpuid_func(struct + break; + /* AMD Extended Performance Monitoring and Debug */ + case 0x80000022: { +- union cpuid_0x80000022_ebx ebx; ++ union cpuid_0x80000022_ebx ebx = { }; + + entry->ecx = entry->edx = 0; + if (!enable_pmu || !kvm_cpu_cap_has(X86_FEATURE_PERFMON_V2)) { 
diff --git a/queue-6.14/scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch b/queue-6.14/scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch new file mode 100644 index 0000000000..9547dad6e8 --- /dev/null +++ b/queue-6.14/scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch @@ -0,0 +1,37 @@ +From ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Fri, 17 Jan 2025 14:18:52 +0000 +Subject: scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get + +From: Tudor Ambarus + +commit ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 upstream. + +The driver leaks the device reference taken with +of_find_device_by_node(). Fix the leak by using devm_of_qcom_ice_get(). + +Fixes: 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Abel Vesa +Acked-by: Martin K. Petersen # SCSI +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250117-qcom-ice-fix-dev-leak-v2-3-1ffa5b6884cb@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufs-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -125,7 +125,7 @@ static int ufs_qcom_ice_init(struct ufs_ + int err; + int i; + +- ice = of_qcom_ice_get(dev); ++ ice = devm_of_qcom_ice_get(dev); + if (ice == ERR_PTR(-EOPNOTSUPP)) { + dev_warn(dev, "Disabling inline encryption support\n"); + ice = NULL; diff --git a/queue-6.14/series b/queue-6.14/series index e829ca4b54..1a6b5a0783 100644 --- a/queue-6.14/series +++ b/queue-6.14/series 
@@ -365,3 +365,41 @@ mm-hwpoison-do-not-send-sigbus-to-processes-with-recovered-clean-pages.patch mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch mm-hwpoison-introduce-folio_contain_hwpoisoned_page-helper.patch sctp-detect-and-prevent-references-to-a-freed-transport-in-sendmsg.patch +x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch +uprobes-avoid-false-positive-lockdep-splat-on-config_preempt_rt-y-in-the-ri_timer-uprobe-timer-callback-use-raw_write_seqcount_.patch +tracing-fprobe-fix-to-lock-module-while-registering-fprobe.patch +tracing-fprobe-events-fix-possible-uaf-on-modules.patch +tracing-do-not-add-length-to-print-format-in-synthetic-events.patch +thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch +cifs-propagate-min-offload-along-with-other-parameters-from-primary-to-secondary-channels.patch +cifs-avoid-null-pointer-dereference-in-dbg-call.patch +cifs-fix-integer-overflow-in-match_server.patch +cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch +clk-renesas-r9a07g043-fix-hp-clock-source-for-rz-five.patch +clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch +clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch +clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch +clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch +crypto-ccp-fix-check-for-the-primary-asp-device.patch +crypto-ccp-fix-uapi-definitions-of-psp-errors.patch +dlm-fix-error-if-inactive-rsb-is-not-hashed.patch +dlm-fix-error-if-active-rsb-is-not-hashed.patch +dm-ebs-fix-prefetch-vs-suspend-race.patch +dm-integrity-set-ti-error-on-memory-allocation-failure.patch +dm-integrity-fix-non-constant-time-tag-verification.patch +dm-verity-fix-prefetch-vs-suspend-race.patch +dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch +dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch +firmware-cs_dsp-test_control_parse-null-terminate-test-strings.patch 
+ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch +ftrace-properly-merge-notrace-hashes.patch +fuse-io-uring-fix-a-possible-req-cancellation-race.patch +gpio-mpc8xxx-fix-wakeup-source-leaks-on-device-unbind.patch +gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch +gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch +gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch +kvm-allow-building-irqbypass.ko-as-as-module-when-kvm.ko-is-a-module.patch +kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch +kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch +kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch +scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch diff --git a/queue-6.14/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch b/queue-6.14/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch new file mode 100644 index 0000000000..7a833af7bb --- /dev/null +++ b/queue-6.14/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch 
@@ -0,0 +1,61 @@ +From ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e Mon Sep 17 00:00:00 2001 +From: Trevor Woerner +Date: Fri, 7 Feb 2025 12:50:47 -0500 +Subject: thermal/drivers/rockchip: Add missing rk3328 mapping entry + +From: Trevor Woerner + +commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream. + +The mapping table for the rk3328 is missing the entry for -25C which is +found in the TRM section 9.5.2 "Temperature-to-code mapping". + +NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as: + 4096-. Whereas the table in the TRM gives the code + "3774" for -25C, the kernel uses 4096-3774=322. + +[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as + well as through the downstream kernel code, it seems we may have + some troubles at our hands. Let me explain, please. + + To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that + the equation for the output when tsadc_q_sel equals 1 is (4096 - + tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output + equation is (1024 - tsadc_q) in that case. + + The downstream kernel code, however, treats the RK3308 and RK3328 + tables and their values as being the same. It even mentions 1024 as + the "offset" value in a comment block for the rk_tsadcv3_control() + function, just like the upstream code does, which is obviously wrong + "offset" value when correlated with the table on page 544 of part 1 + of the RK3308 TRM v1.1. + + With all this in mind, it's obvious that more work is needed to make + it clear where's the actual mistake (it could be that the TRM is + wrong), which I'll volunteer for as part of the SoC binning project. 
+ In the meantime, this patch looks fine as-is to me, by offering + what's a clear improvement to the current state of the upstream + code" + +Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf +Cc: stable@vger.kernel.org +Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver") +Signed-off-by: Trevor Woerner +Reviewed-by: Dragan Simic +Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/rockchip_thermal.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thermal/rockchip_thermal.c ++++ b/drivers/thermal/rockchip_thermal.c +@@ -386,6 +386,7 @@ static const struct tsadc_table rk3328_c + {296, -40000}, + {304, -35000}, + {313, -30000}, ++ {322, -25000}, + {331, -20000}, + {340, -15000}, + {349, -10000}, diff --git a/queue-6.14/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch b/queue-6.14/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch new file mode 100644 index 0000000000..104d8b8d36 --- /dev/null +++ b/queue-6.14/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch 
@@ -0,0 +1,56 @@ +From e1a453a57bc76be678bd746f84e3d73f378a9511 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Mon, 7 Apr 2025 15:41:39 -0400 +Subject: tracing: Do not add length to print format in synthetic events + +From: Steven Rostedt + +commit e1a453a57bc76be678bd746f84e3d73f378a9511 upstream. + +The following causes a vsnprintf fault: + + # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events + # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger + # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger + +Because the synthetic event's "wakee" field is created as a dynamic string +(even though the string copied is not). The print format to print the +dynamic string changed from "%*s" to "%s" because another location +(__set_synth_event_print_fmt()) exported this to user space, and user +space did not need that. But it is still used in print_synth_event(), and +the output looks like: + + -0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155 + sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58 + -0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91 + bash-880 [002] d..5. 193.811371: wake_lat: wakee=(efault)kworker/u35:2delta=21 + -0 [001] d..5. 193.811516: wake_lat: wakee=(efault)sshd-sessiondelta=129 + sshd-session-879 [001] d..5. 193.967576: wake_lat: wakee=(efault)kworker/u34:5delta=50 + +The length isn't needed as the string is always nul terminated. Just print +the string and not add the length (which was hard coded to the max string +length anyway). 
+ +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Cc: Douglas Raillard +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/20250407154139.69955768@gandalf.local.home +Fixes: 4d38328eb442d ("tracing: Fix synth event printk format for str fields"); +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_synth.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -370,7 +370,6 @@ static enum print_line_t print_synth_eve + union trace_synth_field *data = &entry->fields[n_u64]; + + trace_seq_printf(s, print_fmt, se->fields[i]->name, +- STR_VAR_LEN_MAX, + (char *)entry + data->as_dynamic.offset, + i == se->n_fields - 1 ? "" : " "); + n_u64++; diff --git a/queue-6.14/tracing-fprobe-events-fix-possible-uaf-on-modules.patch b/queue-6.14/tracing-fprobe-events-fix-possible-uaf-on-modules.patch new file mode 100644 index 0000000000..fd797ca876 --- /dev/null +++ b/queue-6.14/tracing-fprobe-events-fix-possible-uaf-on-modules.patch 
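Review bot: The `trace_seq_printf()` call in `print_synth_event()` now formats the dynamic field with no length argument, so it relies entirely on the recorded string being NUL-terminated, and nothing at the call site says so. The commit message states that the string is always terminated; a comment above the call would keep that invariant visible to whoever next touches the record path, for example `/* dynamic strings are always NUL-terminated when recorded, so no length is passed */`. The pointer is still computed as `(char *)entry + data->as_dynamic.offset`; whether that offset is checked against the entry size is not visible here, because the function body starts and ends outside the hunk.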
@@ -0,0 +1,86 @@ +From dd941507a9486252d6fcf11814387666792020f3 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Mon, 31 Mar 2025 23:05:07 +0900 +Subject: tracing: fprobe events: Fix possible UAF on modules + +From: Masami Hiramatsu (Google) + +commit dd941507a9486252d6fcf11814387666792020f3 upstream. + +Commit ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module +refcount") moved try_module_get() from __find_tracepoint_module_cb() +to find_tracepoint() caller, but that introduced a possible UAF +because the module can be unloaded before try_module_get(). In this +case, the module object should be freed too. Thus, try_module_get() +does not only fail but may access to the freed object. + +To avoid that, try_module_get() in __find_tracepoint_module_cb() +again. + +Link: https://lore.kernel.org/all/174342990779.781946.9138388479067729366.stgit@devnote2/ + +Fixes: ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module refcount") +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_fprobe.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/kernel/trace/trace_fprobe.c ++++ b/kernel/trace/trace_fprobe.c +@@ -919,9 +919,15 @@ static void __find_tracepoint_module_cb( + struct __find_tracepoint_cb_data *data = priv; + + if (!data->tpoint && !strcmp(data->tp_name, tp->name)) { +- data->tpoint = tp; +- if (!data->mod) ++ /* If module is not specified, try getting module refcount. */ ++ if (!data->mod && mod) { ++ /* If failed to get refcount, ignore this tracepoint. */ ++ if (!try_module_get(mod)) ++ return; ++ + data->mod = mod; ++ } ++ data->tpoint = tp; + } + } + +@@ -933,7 +939,11 @@ static void __find_tracepoint_cb(struct + data->tpoint = tp; + } + +-/* Find a tracepoint from kernel and module. */ ++/* ++ * Find a tracepoint from kernel and module. 
If the tracepoint is on the module, ++ * the module's refcount is incremented and returned as *@tp_mod. Thus, if it is ++ * not NULL, caller must call module_put(*tp_mod) after used the tracepoint. ++ */ + static struct tracepoint *find_tracepoint(const char *tp_name, + struct module **tp_mod) + { +@@ -962,7 +972,10 @@ static void reenable_trace_fprobe(struct + } + } + +-/* Find a tracepoint from specified module. */ ++/* ++ * Find a tracepoint from specified module. In this case, this does not get the ++ * module's refcount. The caller must ensure the module is not freed. ++ */ + static struct tracepoint *find_tracepoint_in_module(struct module *mod, + const char *tp_name) + { +@@ -1169,11 +1182,6 @@ static int trace_fprobe_create_internal( + if (is_tracepoint) { + ctx->flags |= TPARG_FL_TPOINT; + tpoint = find_tracepoint(symbol, &tp_mod); +- /* lock module until register this tprobe. */ +- if (tp_mod && !try_module_get(tp_mod)) { +- tpoint = NULL; +- tp_mod = NULL; +- } + if (tpoint) { + ctx->funcname = kallsyms_lookup( + (unsigned long)tpoint->probestub, diff --git a/queue-6.14/tracing-fprobe-fix-to-lock-module-while-registering-fprobe.patch b/queue-6.14/tracing-fprobe-fix-to-lock-module-while-registering-fprobe.patch new file mode 100644 index 0000000000..d5dde778a0 --- /dev/null +++ b/queue-6.14/tracing-fprobe-fix-to-lock-module-while-registering-fprobe.patch 
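Review bot: With `try_module_get()` moved into `__find_tracepoint_module_cb()`, `find_tracepoint()` now returns with a module reference already held, and the hunk in `trace_fprobe_create_internal()` only removes the old acquisition without showing the matching release. Every exit from that function after `find_tracepoint(symbol, &tp_mod)` has to reach `module_put(tp_mod)`, including the paths where `tpoint` is found but a later step fails; that code lies outside the hunk and should be checked against the full function. The new ownership comment would read more clearly as `caller must call module_put(*tp_mod) after using the tracepoint`.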
@@ -0,0 +1,142 @@ +From d24fa977eec53399a9a49a2e1dc592430ea0a607 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Sun, 30 Mar 2025 12:34:47 +0900 +Subject: tracing: fprobe: Fix to lock module while registering fprobe + +From: Masami Hiramatsu (Google) + +commit d24fa977eec53399a9a49a2e1dc592430ea0a607 upstream. + +Since register_fprobe() does not get the module reference count while +registering fgraph filter, if the target functions (symbols) are in +modules, those modules can be unloaded when registering fprobe to +fgraph. + +To avoid this issue, get the reference counter of module for each +symbol, and put it after register the fprobe. + +Link: https://lore.kernel.org/all/174330568792.459674.16874380163991113156.stgit@devnote2/ + +Reported-by: Steven Rostedt +Closes: https://lore.kernel.org/all/20250325130628.3a9e234c@gandalf.local.home/ +Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer") +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/fprobe.c | 67 +++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 48 insertions(+), 19 deletions(-) + +--- a/kernel/trace/fprobe.c ++++ b/kernel/trace/fprobe.c +@@ -544,6 +544,7 @@ struct filter_match_data { + size_t index; + size_t size; + unsigned long *addrs; ++ struct module **mods; + }; + + static int filter_match_callback(void *data, const char *name, unsigned long addr) +@@ -557,30 +558,47 @@ static int filter_match_callback(void *d + if (!ftrace_location(addr)) + return 0; + +- if (match->addrs) +- match->addrs[match->index] = addr; ++ if (match->addrs) { ++ struct module *mod = __module_text_address(addr); ++ ++ if (mod && !try_module_get(mod)) ++ return 0; + ++ match->mods[match->index] = mod; ++ match->addrs[match->index] = addr; ++ } + match->index++; + return match->index == match->size; + } + + /* + * Make IP list from the filter/no-filter glob patterns. 
+- * Return the number of matched symbols, or -ENOENT. ++ * Return the number of matched symbols, or errno. ++ * If @addrs == NULL, this just counts the number of matched symbols. If @addrs ++ * is passed with an array, we need to pass the an @mods array of the same size ++ * to increment the module refcount for each symbol. ++ * This means we also need to call `module_put` for each element of @mods after ++ * using the @addrs. + */ +-static int ip_list_from_filter(const char *filter, const char *notfilter, +- unsigned long *addrs, size_t size) ++static int get_ips_from_filter(const char *filter, const char *notfilter, ++ unsigned long *addrs, struct module **mods, ++ size_t size) + { + struct filter_match_data match = { .filter = filter, .notfilter = notfilter, +- .index = 0, .size = size, .addrs = addrs}; ++ .index = 0, .size = size, .addrs = addrs, .mods = mods}; + int ret; + ++ if (addrs && !mods) ++ return -EINVAL; ++ + ret = kallsyms_on_each_symbol(filter_match_callback, &match); + if (ret < 0) + return ret; +- ret = module_kallsyms_on_each_symbol(NULL, filter_match_callback, &match); +- if (ret < 0) +- return ret; ++ if (IS_ENABLED(CONFIG_MODULES)) { ++ ret = module_kallsyms_on_each_symbol(NULL, filter_match_callback, &match); ++ if (ret < 0) ++ return ret; ++ } + + return match.index ?: -ENOENT; + } +@@ -642,24 +660,35 @@ static int fprobe_init(struct fprobe *fp + */ + int register_fprobe(struct fprobe *fp, const char *filter, const char *notfilter) + { +- unsigned long *addrs; +- int ret; ++ unsigned long *addrs __free(kfree) = NULL; ++ struct module **mods __free(kfree) = NULL; ++ int ret, num; + + if (!fp || !filter) + return -EINVAL; + +- ret = ip_list_from_filter(filter, notfilter, NULL, FPROBE_IPS_MAX); +- if (ret < 0) +- return ret; ++ num = get_ips_from_filter(filter, notfilter, NULL, NULL, FPROBE_IPS_MAX); ++ if (num < 0) ++ return num; + +- addrs = kcalloc(ret, sizeof(unsigned long), GFP_KERNEL); ++ addrs = kcalloc(num, sizeof(*addrs), 
GFP_KERNEL); + if (!addrs) + return -ENOMEM; +- ret = ip_list_from_filter(filter, notfilter, addrs, ret); +- if (ret > 0) +- ret = register_fprobe_ips(fp, addrs, ret); + +- kfree(addrs); ++ mods = kcalloc(num, sizeof(*mods), GFP_KERNEL); ++ if (!mods) ++ return -ENOMEM; ++ ++ ret = get_ips_from_filter(filter, notfilter, addrs, mods, num); ++ if (ret < 0) ++ return ret; ++ ++ ret = register_fprobe_ips(fp, addrs, ret); ++ ++ for (int i = 0; i < num; i++) { ++ if (mods[i]) ++ module_put(mods[i]); ++ } + return ret; + } + EXPORT_SYMBOL_GPL(register_fprobe); diff --git a/queue-6.14/uprobes-avoid-false-positive-lockdep-splat-on-config_preempt_rt-y-in-the-ri_timer-uprobe-timer-callback-use-raw_write_seqcount_.patch b/queue-6.14/uprobes-avoid-false-positive-lockdep-splat-on-config_preempt_rt-y-in-the-ri_timer-uprobe-timer-callback-use-raw_write_seqcount_.patch new file mode 100644 index 0000000000..00af35a5cd --- /dev/null +++ b/queue-6.14/uprobes-avoid-false-positive-lockdep-splat-on-config_preempt_rt-y-in-the-ri_timer-uprobe-timer-callback-use-raw_write_seqcount_.patch 
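Review bot: In `register_fprobe()`, the `if (ret < 0) return ret;` after the second `get_ips_from_filter()` call bypasses the `module_put()` loop, so any reference the callback took before a failure would be leaked. Whether a negative return can follow a successful `try_module_get()` depends on `kallsyms_on_each_symbol()` and `module_kallsyms_on_each_symbol()`, which are not shown; making the release unconditional removes that dependency: replace the early return and the call with `if (ret > 0) ret = register_fprobe_ips(fp, addrs, ret);` and fall through to the loop. Separately, `filter_match_callback()` passes the result of `__module_text_address(addr)` to `try_module_get()` with no locking visible in the hunk; a comment naming what keeps the module alive between the lookup and the refcount grab would make this easier to audit.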
@@ -0,0 +1,73 @@ +From 0cd575cab10e114e95921321f069a08d45bc412e Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Fri, 4 Apr 2025 12:48:48 -0700 +Subject: uprobes: Avoid false-positive lockdep splat on CONFIG_PREEMPT_RT=y in the ri_timer() uprobe timer callback, use raw_write_seqcount_*() + +From: Andrii Nakryiko + +commit 0cd575cab10e114e95921321f069a08d45bc412e upstream. + +Avoid a false-positive lockdep warning in the CONFIG_PREEMPT_RT=y +configuration when using write_seqcount_begin() in the uprobe timer +callback by using raw_write_* APIs. + +Uprobe's use of timer callback is guaranteed to not race with itself +for a given uprobe_task, and as such seqcount's insistence on having +preemption disabled on the writer side is irrelevant. So switch to +raw_ variants of seqcount API instead of disabling preemption unnecessarily. + +Also, point out in the comments more explicitly why we use seqcount +despite our reader side being rather simple and never retrying. We favor +well-maintained kernel primitive in favor of open-coding our own memory +barriers. + +Fixes: 8622e45b5da1 ("uprobes: Reuse return_instances between multiple uretprobes within task") +Reported-by: Alexei Starovoitov +Suggested-by: Sebastian Siewior +Signed-off-by: Andrii Nakryiko +Signed-off-by: Ingo Molnar +Acked-by: Oleg Nesterov +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20250404194848.2109539-1-andrii@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/uprobes.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -1955,6 +1955,9 @@ static void free_ret_instance(struct upr + * to-be-reused return instances for future uretprobes. If ri_timer() + * happens to be running right now, though, we fallback to safety and + * just perform RCU-delated freeing of ri. 
++ * Admittedly, this is a rather simple use of seqcount, but it nicely ++ * abstracts away all the necessary memory barriers, so we use ++ * a well-supported kernel primitive here. + */ + if (raw_seqcount_try_begin(&utask->ri_seqcount, seq)) { + /* immediate reuse of ri without RCU GP is OK */ +@@ -2015,12 +2018,20 @@ static void ri_timer(struct timer_list * + /* RCU protects return_instance from freeing. */ + guard(rcu)(); + +- write_seqcount_begin(&utask->ri_seqcount); ++ /* ++ * See free_ret_instance() for notes on seqcount use. ++ * We also employ raw API variants to avoid lockdep false-positive ++ * warning complaining about enabled preemption. The timer can only be ++ * invoked once for a uprobe_task. Therefore there can only be one ++ * writer. The reader does not require an even sequence count to make ++ * progress, so it is OK to remain preemptible on PREEMPT_RT. ++ */ ++ raw_write_seqcount_begin(&utask->ri_seqcount); + + for_each_ret_instance_rcu(ri, utask->return_instances) + hprobe_expire(&ri->hprobe, false); + +- write_seqcount_end(&utask->ri_seqcount); ++ raw_write_seqcount_end(&utask->ri_seqcount); + } + + static struct uprobe_task *alloc_utask(void) diff --git a/queue-6.14/x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch b/queue-6.14/x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch new file mode 100644 index 0000000000..72b3afb6b9 --- /dev/null +++ b/queue-6.14/x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch 
@@ -0,0 +1,162 @@ +From 87af633689ce16ddb166c80f32b120e50b1295de Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne +Date: Mon, 7 Apr 2025 10:28:37 +0200 +Subject: x86/xen: fix balloon target initialization for PVH dom0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +commit 87af633689ce16ddb166c80f32b120e50b1295de upstream. + +PVH dom0 re-uses logic from PV dom0, in which RAM ranges not assigned to +dom0 are re-used as scratch memory to map foreign and grant pages. Such +logic relies on reporting those unpopulated ranges as RAM to Linux, and +mark them as reserved. This way Linux creates the underlying page +structures required for metadata management. + +Such approach works fine on PV because the initial balloon target is +calculated using specific Xen data, that doesn't take into account the +memory type changes described above. However on HVM and PVH the initial +balloon target is calculated using get_num_physpages(), and that function +does take into account the unpopulated RAM regions used as scratch space +for remote domain mappings. + +This leads to PVH dom0 having an incorrect initial balloon target, which +causes malfunction (excessive memory freeing) of the balloon driver if the +dom0 memory target is later adjusted from the toolstack. + +Fix this by using xen_released_pages to account for any pages that are part +of the memory map, but are already unpopulated when the balloon driver is +initialized. This accounts for any regions used for scratch remote +mappings. Note on x86 xen_released_pages definition is moved to +enlighten.c so it's uniformly available for all Xen-enabled builds. + +Take the opportunity to unify PV with PVH/HVM guests regarding the usage of +get_num_physpages(), as that avoids having to add different logic for PV vs +PVH in both balloon_add_regions() and arch_xen_unpopulated_init(). 
+ +Much like a6aa4eb994ee, the code in this changeset should have been part of +38620fc4e893. + +Fixes: a6aa4eb994ee ('xen/x86: add extra pages to unpopulated-alloc if available') +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Cc: stable@vger.kernel.org +Signed-off-by: Juergen Gross +Message-ID: <20250407082838.65495-1-roger.pau@citrix.com> +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/xen/enlighten.c | 10 ++++++++++ + arch/x86/xen/setup.c | 3 --- + drivers/xen/balloon.c | 34 ++++++++++++++++++++++++---------- + 3 files changed, 34 insertions(+), 13 deletions(-) + +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -70,6 +70,9 @@ EXPORT_SYMBOL(xen_start_flags); + */ + struct shared_info *HYPERVISOR_shared_info = &xen_dummy_shared_info; + ++/* Number of pages released from the initial allocation. */ ++unsigned long xen_released_pages; ++ + static __ref void xen_get_vendor(void) + { + init_cpu_devs(); +@@ -466,6 +469,13 @@ int __init arch_xen_unpopulated_init(str + xen_free_unpopulated_pages(1, &pg); + } + ++ /* ++ * Account for the region being in the physmap but unpopulated. ++ * The value in xen_released_pages is used by the balloon ++ * driver to know how much of the physmap is unpopulated and ++ * set an accurate initial memory target. ++ */ ++ xen_released_pages += xen_extra_mem[i].n_pfns; + /* Zero so region is not also added to the balloon driver. */ + xen_extra_mem[i].n_pfns = 0; + } +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -37,9 +37,6 @@ + + #define GB(x) ((uint64_t)(x) * 1024 * 1024 * 1024) + +-/* Number of pages released from the initial allocation. */ +-unsigned long xen_released_pages; +- + /* Memory map would allow PCI passthrough. 
*/ + bool xen_pv_pci_possible; + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -675,7 +675,7 @@ void xen_free_ballooned_pages(unsigned i + } + EXPORT_SYMBOL(xen_free_ballooned_pages); + +-static void __init balloon_add_regions(void) ++static int __init balloon_add_regions(void) + { + unsigned long start_pfn, pages; + unsigned long pfn, extra_pfn_end; +@@ -698,26 +698,38 @@ static void __init balloon_add_regions(v + for (pfn = start_pfn; pfn < extra_pfn_end; pfn++) + balloon_append(pfn_to_page(pfn)); + +- balloon_stats.total_pages += extra_pfn_end - start_pfn; ++ /* ++ * Extra regions are accounted for in the physmap, but need ++ * decreasing from current_pages to balloon down the initial ++ * allocation, because they are already accounted for in ++ * total_pages. ++ */ ++ if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) { ++ WARN(1, "Extra pages underflow current target"); ++ return -ERANGE; ++ } ++ balloon_stats.current_pages -= extra_pfn_end - start_pfn; + } ++ ++ return 0; + } + + static int __init balloon_init(void) + { + struct task_struct *task; ++ int rc; + + if (!xen_domain()) + return -ENODEV; + + pr_info("Initialising balloon driver\n"); + +-#ifdef CONFIG_XEN_PV +- balloon_stats.current_pages = xen_pv_domain() +- ? 
min(xen_start_info->nr_pages - xen_released_pages, max_pfn) +- : get_num_physpages(); +-#else +- balloon_stats.current_pages = get_num_physpages(); +-#endif ++ if (xen_released_pages >= get_num_physpages()) { ++ WARN(1, "Released pages underflow current target"); ++ return -ERANGE; ++ } ++ ++ balloon_stats.current_pages = get_num_physpages() - xen_released_pages; + balloon_stats.target_pages = balloon_stats.current_pages; + balloon_stats.balloon_low = 0; + balloon_stats.balloon_high = 0; +@@ -734,7 +746,9 @@ static int __init balloon_init(void) + register_sysctl_init("xen/balloon", balloon_table); + #endif + +- balloon_add_regions(); ++ rc = balloon_add_regions(); ++ if (rc) ++ return rc; + + task = kthread_run(balloon_thread, NULL, "xen-balloon"); + if (IS_ERR(task)) { -- 2.47.3
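Review bot: In `balloon_add_regions()` the new `-ERANGE` check sits after the `for (pfn = start_pfn; pfn < extra_pfn_end; pfn++) balloon_append(...)` loop, so when it fires the pages of that region (and of any earlier region) have already been handed to the balloon. `balloon_init()` then returns `rc` after `register_sysctl_init("xen/balloon", balloon_table)` has run, which leaves the driver partly set up with no balloon thread. Moving the `if (extra_pfn_end - start_pfn >= balloon_stats.current_pages)` test ahead of the append loop would at least fail before the region is consumed; whether earlier regions and the sysctl registration need unwinding depends on code outside the hunk. The two `WARN(1, ...)` strings also lack a trailing newline, e.g. `WARN(1, "Extra pages underflow current target\n");`.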