From f8172fe804a7ff4d1d2afb190b36f70f4bb383c8 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 15 Jul 2022 15:35:57 +0200 Subject: [PATCH] 5.10-stable patches added patches: alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch fix-race-between-exit_itimers-and-proc-pid-timers.patch fs-remap-constrain-dedupe-of-eof-blocks.patch ip-fix-dflt-addr-selection-for-connected-nexthop.patch mm-split-huge-pud-on-wp_huge_pud-fallback.patch net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch revert-evm-fix-memleak-in-init_desc.patch sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch tracing-histograms-fix-memory-leak-problem.patch wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch --- ...-for-another-hp-prodesk-600-g3-model.patch | 32 +++ ...the-headset-mic-on-a-xiaomi-s-laptop.patch | 31 +++ ...ek-fix-headset-mic-for-acer-sf313-51.patch | 33 +++ ...problem-for-a-hp-machine-with-alc221.patch | 58 +++++ ...problem-for-a-hp-machine-with-alc671.patch | 32 +++ ...sabled-spectre-workarounds-only-once.patch | 33 +++ ...te-after-emulating-thumb-instruction.patch | 117 ++++++++++ 
...tes-on-compressed-and-inline-extents.patch | 76 +++++++ ...en-preloading-css_sets-for-migration.patch | 201 ++++++++++++++++++ ...ker-list-corruption-by-madvise-ioctl.patch | 39 ++++ ...on-panfrost_mmu_map_fault_addr-error.patch | 34 +++ ...een-exit_itimers-and-proc-pid-timers.patch | 90 ++++++++ ...remap-constrain-dedupe-of-eof-blocks.patch | 46 ++++ ...addr-selection-for-connected-nexthop.patch | 92 ++++++++ ...lit-huge-pud-on-wp_huge_pud-fallback.patch | 78 +++++++ ...mit-not-to-dereference-stale-pointer.patch | 53 +++++ ...ing-of-permission-flags-for-symlinks.patch | 45 ++++ .../revert-evm-fix-memleak-in-init_desc.patch | 59 +++++ queue-5.10/series | 22 ++ ...re-un-map-to-static-inline-functions.patch | 52 +++++ ...g-histograms-fix-memory-leak-problem.patch | 80 +++++++ ...ue-selection-for-mesh-ocb-interfaces.patch | 38 ++++ ...f_rx_next_skb-with-an-empty-rx-queue.patch | 60 ++++++ 23 files changed, 1401 insertions(+) create mode 100644 queue-5.10/alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch create mode 100644 queue-5.10/alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch create mode 100644 queue-5.10/alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch create mode 100644 queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch create mode 100644 queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch create mode 100644 queue-5.10/arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch create mode 100644 queue-5.10/arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch create mode 100644 queue-5.10/btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch create mode 100644 queue-5.10/cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch create mode 100644 queue-5.10/drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch create mode 100644 
queue-5.10/drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch create mode 100644 queue-5.10/fix-race-between-exit_itimers-and-proc-pid-timers.patch create mode 100644 queue-5.10/fs-remap-constrain-dedupe-of-eof-blocks.patch create mode 100644 queue-5.10/ip-fix-dflt-addr-selection-for-connected-nexthop.patch create mode 100644 queue-5.10/mm-split-huge-pud-on-wp_huge_pud-fallback.patch create mode 100644 queue-5.10/net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch create mode 100644 queue-5.10/nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch create mode 100644 queue-5.10/revert-evm-fix-memleak-in-init_desc.patch create mode 100644 queue-5.10/sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch create mode 100644 queue-5.10/tracing-histograms-fix-memory-leak-problem.patch create mode 100644 queue-5.10/wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch create mode 100644 queue-5.10/xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch
diff --git a/queue-5.10/alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch b/queue-5.10/alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch
new file mode 100644
index 00000000000..d63f705f90a
--- /dev/null
+++ b/queue-5.10/alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch
@@ -0,0 +1,32 @@
+From d16d69bf5a25d91c6d8f3e29711be12551bf56cd Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Mon, 11 Jul 2022 18:17:44 +0800
+Subject: ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
+
+From: Meng Tang
+
+commit d16d69bf5a25d91c6d8f3e29711be12551bf56cd upstream.
+
+There is another HP ProDesk 600 G3 model with the PCI SSID 103c:82b4
+that requires the quirk HP_MIC_NO_PRESENCE. Add the corresponding
+entry to the quirk table.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220711101744.25189-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -937,6 +937,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x103c, 0x82b4, "HP ProDesk 600 G3", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK),
diff --git a/queue-5.10/alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch b/queue-5.10/alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch
new file mode 100644
index 00000000000..bd4ae9ef042
--- /dev/null
+++ b/queue-5.10/alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch
@@ -0,0 +1,31 @@
+From 9b043a8f386485c74c0f8eea2c287d5bdbdf3279 Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Wed, 13 Jul 2022 17:41:33 +0800
+Subject: ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
+
+From: Meng Tang
+
+commit 9b043a8f386485c74c0f8eea2c287d5bdbdf3279 upstream.
+
+The headset on this machine is not defined, after applying the quirk
+ALC256_FIXUP_ASUS_HEADSET_MIC, the headset-mic works well
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220713094133.9894-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9087,6 +9087,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
+ SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
diff --git a/queue-5.10/alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch b/queue-5.10/alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch
new file mode 100644
index 00000000000..ebe7e146bdd
--- /dev/null
+++ b/queue-5.10/alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch
@@ -0,0 +1,33 @@
+From 5f3fe25e70559fa3b096ab17e13316c93ddb7020 Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Mon, 11 Jul 2022 16:15:27 +0800
+Subject: ALSA: hda/realtek: Fix headset mic for Acer SF313-51
+
+From: Meng Tang
+
+commit 5f3fe25e70559fa3b096ab17e13316c93ddb7020 upstream.
+
+The issue on Acer SWIFT SF313-51 is that headset microphone
+doesn't work. The following quirk fixed headset microphone issue.
+Note that the fixup of SF314-54/55 (ALC256_FIXUP_ACER_HEADSET_MIC)
+was not successful on my SF313-51.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220711081527.6254-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8633,6 +8633,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x129c, "Acer SWIFT SF314-55", ALC256_FIXUP_ACER_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1025, 0x129d, "Acer SWIFT SF313-51", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1025, 0x1300, "Acer SWIFT SF314-56", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1025, 0x1308, "Acer Aspire Z24-890", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC),
diff --git a/queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch b/queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch
new file mode 100644
index 00000000000..254e2a31455
--- /dev/null
+++ b/queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch
@@ -0,0 +1,58 @@
+From 4ba5c853d7945b3855c3dcb293f7f9f019db641e Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Wed, 13 Jul 2022 14:33:32 +0800
+Subject: ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221
+
+From: Meng Tang
+
+commit 4ba5c853d7945b3855c3dcb293f7f9f019db641e upstream.
+
+On a HP 288 Pro G2 MT (X9W02AV), the front mic could not be detected.
+In order to get it working, the pin configuration needs to be set
+correctly, and the ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE fixup needs
+to be applied.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220713063332.30095-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6725,6 +6725,7 @@ enum {
+ ALC298_FIXUP_LENOVO_SPK_VOLUME,
+ ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER,
+ ALC269_FIXUP_ATIV_BOOK_8,
++ ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE,
+ ALC221_FIXUP_HP_MIC_NO_PRESENCE,
+ ALC256_FIXUP_ASUS_HEADSET_MODE,
+ ALC256_FIXUP_ASUS_MIC,
+@@ -7651,6 +7652,16 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_NO_SHUTUP
+ },
++ [ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ { 0x1a, 0x01813030 }, /* use as headphone mic, without its own jack detect */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HEADSET_MODE
++ },
+ [ALC221_FIXUP_HP_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -8758,6 +8769,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2335, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2337, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
++ SND_PCI_QUIRK(0x103c, 0x2b5e, "HP 288 Pro G2 MT", ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x802e, "HP Z240 SFF", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
diff --git a/queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch b/queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch
new file mode 100644
index 00000000000..856de50c562
--- /dev/null
+++ b/queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch
@@ -0,0 +1,32 @@
+From dbe75d314748e08fc6e4576d153d8a69621ee5ca Mon Sep 17 00:00:00 2001
+From: Meng Tang
+Date: Tue, 12 Jul 2022 17:22:22 +0800
+Subject: ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
+
+From: Meng Tang
+
+commit dbe75d314748e08fc6e4576d153d8a69621ee5ca upstream.
+
+On a HP 288 Pro G6, the front mic could not be detected.In order to
+get it working, the pin configuration needs to be set correctly, and
+the ALC671_FIXUP_HP_HEADSET_MIC2 fixup needs to be applied.
+
+Signed-off-by: Meng Tang
+Cc:
+Link: https://lore.kernel.org/r/20220712092222.21738-1-tangmeng@uniontech.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10928,6 +10928,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+ SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
++ SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2),
+ SND_PCI_QUIRK(0x1043, 0x1080, "Asus UX501VW", ALC668_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50),
diff --git a/queue-5.10/arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch b/queue-5.10/arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch
new file mode 100644
index 00000000000..23b6e4cc45c
--- /dev/null
+++ b/queue-5.10/arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch
@@ -0,0 +1,33 @@
+From e4ced82deb5fb17222fb82e092c3f8311955b585 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Tue, 28 Jun 2022 08:55:45 +0100
+Subject: ARM: 9213/1: Print message about disabled Spectre workarounds only once
+
+From: Dmitry Osipenko
+
+commit e4ced82deb5fb17222fb82e092c3f8311955b585 upstream.
+
+Print the message about disabled Spectre workarounds only once. The
+message is printed each time CPU goes out from idling state on NVIDIA
+Tegra boards, causing storm in KMSG that makes system unusable.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mm/proc-v7-bugs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/mm/proc-v7-bugs.c
++++ b/arch/arm/mm/proc-v7-bugs.c
+@@ -108,8 +108,7 @@ static unsigned int spectre_v2_install_w
+ #else
+ static unsigned int spectre_v2_install_workaround(unsigned int method)
+ {
+- pr_info("CPU%u: Spectre V2: workarounds disabled by configuration\n",
+- smp_processor_id());
++ pr_info_once("Spectre V2: workarounds disabled by configuration\n");
+
+ return SPECTRE_VULNERABLE;
+ }
diff --git a/queue-5.10/arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch b/queue-5.10/arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch
new file mode 100644
index 00000000000..b37d4c655c5
--- /dev/null
+++ b/queue-5.10/arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch
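Review bot: The new `pr_info_once()` call in the `#else` stub of `spectre_v2_install_workaround()` has no comment saying why the message is limited to a single print, and the per-CPU prefix is gone, so a later reader could reasonably restore the old form. A one-line comment above the call would record the reason given in the commit message, for example `/* Reached again on CPU idle exit on some boards; print once to avoid flooding kmsg. */`. The stub still returns `SPECTRE_VULNERABLE` on every call, so only the logging changes; any log-based check that expected one line per CPU will now see a single line without a CPU number.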
@@ -0,0 +1,117 @@
+From e5c46fde75e43c15a29b40e5fc5641727f97ae47 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Thu, 30 Jun 2022 16:46:54 +0100
+Subject: ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction
+
+From: Ard Biesheuvel
+
+commit e5c46fde75e43c15a29b40e5fc5641727f97ae47 upstream.
+
+After emulating a misaligned load or store issued in Thumb mode, we have
+to advance the IT state by hand, or it will get out of sync with the
+actual instruction stream, which means we'll end up applying the wrong
+condition code to subsequent instructions. This might corrupt the
+program state rather catastrophically.
+
+So borrow the it_advance() helper from the probing code, and use it on
+CPSR if the emulated instruction is Thumb.
+
+Cc:
+Reviewed-by: Linus Walleij
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/include/asm/ptrace.h | 26 ++++++++++++++++++++++++++
+ arch/arm/mm/alignment.c | 3 +++
+ arch/arm/probes/decode.h | 26 +-------------------------
+ 3 files changed, 30 insertions(+), 25 deletions(-)
+
+--- a/arch/arm/include/asm/ptrace.h
++++ b/arch/arm/include/asm/ptrace.h
+@@ -164,5 +164,31 @@ static inline unsigned long user_stack_p
+ ((current_stack_pointer | (THREAD_SIZE - 1)) - 7) - 1; \
+ })
+
++
++/*
++ * Update ITSTATE after normal execution of an IT block instruction.
++ *
++ * The 8 IT state bits are split into two parts in CPSR:
++ * ITSTATE<1:0> are in CPSR<26:25>
++ * ITSTATE<7:2> are in CPSR<15:10>
++ */
++static inline unsigned long it_advance(unsigned long cpsr)
++{
++ if ((cpsr & 0x06000400) == 0) {
++ /* ITSTATE<2:0> == 0 means end of IT block, so clear IT state */
++ cpsr &= ~PSR_IT_MASK;
++ } else {
++ /* We need to shift left ITSTATE<4:0> */
++ const unsigned long mask = 0x06001c00; /* Mask ITSTATE<4:0> */
++ unsigned long it = cpsr & mask;
++ it <<= 1;
++ it |= it >> (27 - 10); /* Carry ITSTATE<2> to correct place */
++ it &= mask;
++ cpsr &= ~mask;
++ cpsr |= it;
++ }
++ return cpsr;
++}
++
+ #endif /* __ASSEMBLY__ */
+ #endif
+--- a/arch/arm/mm/alignment.c
++++ b/arch/arm/mm/alignment.c
+@@ -935,6 +935,9 @@ do_alignment(unsigned long addr, unsigne
+ if (type == TYPE_LDST)
+ do_alignment_finish_ldst(addr, instr, regs, offset);
+
++ if (thumb_mode(regs))
++ regs->ARM_cpsr = it_advance(regs->ARM_cpsr);
++
+ return 0;
+
+ bad_or_fault:
+--- a/arch/arm/probes/decode.h
++++ b/arch/arm/probes/decode.h
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ void __init arm_probes_decode_init(void);
+@@ -35,31 +36,6 @@ void __init find_str_pc_offset(void);
+ #endif
+
+
+-/*
+- * Update ITSTATE after normal execution of an IT block instruction.
+- *
+- * The 8 IT state bits are split into two parts in CPSR:
+- * ITSTATE<1:0> are in CPSR<26:25>
+- * ITSTATE<7:2> are in CPSR<15:10>
+- */
+-static inline unsigned long it_advance(unsigned long cpsr)
+- {
+- if ((cpsr & 0x06000400) == 0) {
+- /* ITSTATE<2:0> == 0 means end of IT block, so clear IT state */
+- cpsr &= ~PSR_IT_MASK;
+- } else {
+- /* We need to shift left ITSTATE<4:0> */
+- const unsigned long mask = 0x06001c00; /* Mask ITSTATE<4:0> */
+- unsigned long it = cpsr & mask;
+- it <<= 1;
+- it |= it >> (27 - 10); /* Carry ITSTATE<2> to correct place */
+- it &= mask;
+- cpsr &= ~mask;
+- cpsr |= it;
+- }
+- return cpsr;
+-}
+-
+ static inline void __kprobes bx_write_pc(long pcv, struct pt_regs *regs)
+ {
+ long cpsr = regs->ARM_cpsr;
diff --git a/queue-5.10/btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch b/queue-5.10/btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch
new file mode 100644
index 00000000000..c3cf507fbd1
--- /dev/null
+++ b/queue-5.10/btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch
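Review bot: `it_advance()` is moved into `asm/ptrace.h` and is now called from `do_alignment()`, but its header comment still says it updates ITSTATE "after normal execution of an IT block instruction" and the bit masks stay as bare literals (`0x06000400`, `0x06001c00`, `27 - 10`). Now that the helper is shared by the alignment fixup and the probes code, the comment should say it also applies after an emulated Thumb instruction, and the literals would be easier to audit as named constants next to `PSR_IT_MASK`. In the `alignment.c` hunk the advance is placed before one `return 0;`; `do_alignment()` starts and ends outside the hunk, so it is worth confirming that every path that completes an emulated Thumb access passes through it, since a missed path leaves the condition state out of sync as the commit message describes.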
@@ -0,0 +1,76 @@
+From a4527e1853f8ff6e0b7c2dadad6268bd38427a31 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Mon, 4 Jul 2022 12:42:03 +0100
+Subject: btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline extents
+
+From: Filipe Manana
+
+commit a4527e1853f8ff6e0b7c2dadad6268bd38427a31 upstream.
+
+When doing a direct IO read or write, we always return -ENOTBLK when we
+find a compressed extent (or an inline extent) so that we fallback to
+buffered IO. This however is not ideal in case we are in a NOWAIT context
+(io_uring for example), because buffered IO can block and we currently
+have no support for NOWAIT semantics for buffered IO, so if we need to
+fallback to buffered IO we should first signal the caller that we may
+need to block by returning -EAGAIN instead.
+
+This behaviour can also result in short reads being returned to user
+space, which although it's not incorrect and user space should be able
+to deal with partial reads, it's somewhat surprising and even some popular
+applications like QEMU (Link tag #1) and MariaDB (Link tag #2) don't
+deal with short reads properly (or at all).
+
+The short read case happens when we try to read from a range that has a
+non-compressed and non-inline extent followed by a compressed extent.
+After having read the first extent, when we find the compressed extent we
+return -ENOTBLK from btrfs_dio_iomap_begin(), which results in iomap to
+treat the request as a short read, returning 0 (success) and waiting for
+previously submitted bios to complete (this happens at
+fs/iomap/direct-io.c:__iomap_dio_rw()). After that, and while at
+btrfs_file_read_iter(), we call filemap_read() to use buffered IO to
+read the remaining data, and pass it the number of bytes we were able to
+read with direct IO. Than at filemap_read() if we get a page fault error
+when accessing the read buffer, we return a partial read instead of an
+-EFAULT error, because the number of bytes previously read is greater
+than zero.
+
+So fix this by returning -EAGAIN for NOWAIT direct IO when we find a
+compressed or an inline extent.
+
+Reported-by: Dominique MARTINET
+Link: https://lore.kernel.org/linux-btrfs/YrrFGO4A1jS0GI0G@atmark-techno.com/
+Link: https://jira.mariadb.org/browse/MDEV-27900?focusedCommentId=216582&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-216582
+Tested-by: Dominique MARTINET
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -7480,7 +7480,19 @@ static int btrfs_dio_iomap_begin(struct
+ if (test_bit(EXTENT_FLAG_COMPRESSED, &em->flags) ||
+ em->block_start == EXTENT_MAP_INLINE) {
+ free_extent_map(em);
+- ret = -ENOTBLK;
++ /*
++ * If we are in a NOWAIT context, return -EAGAIN in order to
++ * fallback to buffered IO. This is not only because we can
++ * block with buffered IO (no support for NOWAIT semantics at
++ * the moment) but also to avoid returning short reads to user
++ * space - this happens if we were able to read some data from
++ * previous non-compressed extents and then when we fallback to
++ * buffered IO, at btrfs_file_read_iter() by calling
++ * filemap_read(), we fail to fault in pages for the read buffer,
++ * in which case filemap_read() returns a short read (the number
++ * of bytes previously read is > 0, so it does not return -EFAULT).
++ */
++ ret = (flags & IOMAP_NOWAIT) ? -EAGAIN : -ENOTBLK;
+ goto unlock_err;
+ }
+
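Review bot: The comment added in `btrfs_dio_iomap_begin()` opens with "return -EAGAIN in order to fallback to buffered IO", which reads as the opposite of what the code does: per the commit message, `-EAGAIN` tells a NOWAIT caller that the request may need to block, while `-ENOTBLK` is the value that leads to the buffered fallback. I would reword the first sentence along the lines of `If we are in a NOWAIT context, return -EAGAIN so the caller can retry from a context that may block, instead of falling back to buffered IO here.` The conditional `ret = (flags & IOMAP_NOWAIT) ? -EAGAIN : -ENOTBLK;` itself matches the description. The function starts and ends outside the hunk, so how `unlock_err` propagates `ret` is not visible here.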
diff --git a/queue-5.10/cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch b/queue-5.10/cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch
new file mode 100644
index 00000000000..3074bbc7513
--- /dev/null
+++ b/queue-5.10/cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch
@@ -0,0 +1,201 @@
+From 07fd5b6cdf3cc30bfde8fe0f644771688be04447 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Mon, 13 Jun 2022 12:19:50 -1000
+Subject: cgroup: Use separate src/dst nodes when preloading css_sets for migration
+
+From: Tejun Heo
+
+commit 07fd5b6cdf3cc30bfde8fe0f644771688be04447 upstream.
+
+Each cset (css_set) is pinned by its tasks. When we're moving tasks around
+across csets for a migration, we need to hold the source and destination
+csets to ensure that they don't go away while we're moving tasks about. This
+is done by linking cset->mg_preload_node on either the
+mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the
+same cset->mg_preload_node for both the src and dst lists was deemed okay as
+a cset can't be both the source and destination at the same time.
+
+Unfortunately, this overloading becomes problematic when multiple tasks are
+involved in a migration and some of them are identity noop migrations while
+others are actually moving across cgroups. For example, this can happen with
+the following sequence on cgroup1:
+
+ #1> mkdir -p /sys/fs/cgroup/misc/a/b
+ #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs
+ #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &
+ #4> PID=$!
+ #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks
+ #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs
+
+the process including the group leader back into a. In this final migration,
+non-leader threads would be doing identity migration while the group leader
+is doing an actual one.
+
+After #3, let's say the whole process was in cset A, and that after #4, the
+leader moves to cset B. Then, during #6, the following happens:
+
+ 1. cgroup_migrate_add_src() is called on B for the leader.
+
+ 2. cgroup_migrate_add_src() is called on A for the other threads.
+
+ 3. cgroup_migrate_prepare_dst() is called. It scans the src list.
+
+ 4. It notices that B wants to migrate to A, so it tries to A to the dst
+ list but realizes that its ->mg_preload_node is already busy.
+
+ 5. and then it notices A wants to migrate to A as it's an identity
+ migration, it culls it by list_del_init()'ing its ->mg_preload_node and
+ putting references accordingly.
+
+ 6. The rest of migration takes place with B on the src list but nothing on
+ the dst list.
+
+This means that A isn't held while migration is in progress. If all tasks
+leave A before the migration finishes and the incoming task pins it, the
+cset will be destroyed leading to use-after-free.
+
+This is caused by overloading cset->mg_preload_node for both src and dst
+preload lists. We wanted to exclude the cset from the src list but ended up
+inadvertently excluding it from the dst list too.
+
+This patch fixes the issue by separating out cset->mg_preload_node into
+->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst
+preloadings don't interfere with each other.
+
+Signed-off-by: Tejun Heo
+Reported-by: Mukesh Ojha
+Reported-by: shisiyuan
+Link: http://lkml.kernel.org/r/1654187688-27411-1-git-send-email-shisiyuan@xiaomi.com
+Link: https://www.spinics.net/lists/cgroups/msg33313.html
+Fixes: f817de98513d ("cgroup: prepare migration path for unified hierarchy")
+Cc: stable@vger.kernel.org # v3.16+
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/cgroup-defs.h | 3 ++-
+ kernel/cgroup/cgroup.c | 37 +++++++++++++++++++++++--------------
+ 2 files changed, 25 insertions(+), 15 deletions(-)
+
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -260,7 +260,8 @@ struct css_set {
+ * List of csets participating in the on-going migration either as
+ * source or destination. Protected by cgroup_mutex.
+ */ +- struct list_head mg_preload_node; ++ struct list_head mg_src_preload_node; ++ struct list_head mg_dst_preload_node; + struct list_head mg_node; + + /* +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -736,7 +736,8 @@ struct css_set init_css_set = { + .task_iters = LIST_HEAD_INIT(init_css_set.task_iters), + .threaded_csets = LIST_HEAD_INIT(init_css_set.threaded_csets), + .cgrp_links = LIST_HEAD_INIT(init_css_set.cgrp_links), +- .mg_preload_node = LIST_HEAD_INIT(init_css_set.mg_preload_node), ++ .mg_src_preload_node = LIST_HEAD_INIT(init_css_set.mg_src_preload_node), ++ .mg_dst_preload_node = LIST_HEAD_INIT(init_css_set.mg_dst_preload_node), + .mg_node = LIST_HEAD_INIT(init_css_set.mg_node), + + /* +@@ -1211,7 +1212,8 @@ static struct css_set *find_css_set(stru + INIT_LIST_HEAD(&cset->threaded_csets); + INIT_HLIST_NODE(&cset->hlist); + INIT_LIST_HEAD(&cset->cgrp_links); +- INIT_LIST_HEAD(&cset->mg_preload_node); ++ INIT_LIST_HEAD(&cset->mg_src_preload_node); ++ INIT_LIST_HEAD(&cset->mg_dst_preload_node); + INIT_LIST_HEAD(&cset->mg_node); + + /* Copy the set of subsystem state objects generated in +@@ -2556,21 +2558,27 @@ int cgroup_migrate_vet_dst(struct cgroup + */ + void cgroup_migrate_finish(struct cgroup_mgctx *mgctx) + { +- LIST_HEAD(preloaded); + struct css_set *cset, *tmp_cset; + + lockdep_assert_held(&cgroup_mutex); + + spin_lock_irq(&css_set_lock); + +- list_splice_tail_init(&mgctx->preloaded_src_csets, &preloaded); +- list_splice_tail_init(&mgctx->preloaded_dst_csets, &preloaded); ++ list_for_each_entry_safe(cset, tmp_cset, &mgctx->preloaded_src_csets, ++ mg_src_preload_node) { ++ cset->mg_src_cgrp = NULL; ++ cset->mg_dst_cgrp = NULL; ++ cset->mg_dst_cset = NULL; ++ list_del_init(&cset->mg_src_preload_node); ++ put_css_set_locked(cset); ++ } + +- list_for_each_entry_safe(cset, tmp_cset, &preloaded, mg_preload_node) { ++ list_for_each_entry_safe(cset, tmp_cset, &mgctx->preloaded_dst_csets, ++ mg_dst_preload_node) { + cset->mg_src_cgrp 
= NULL; + cset->mg_dst_cgrp = NULL; + cset->mg_dst_cset = NULL; +- list_del_init(&cset->mg_preload_node); ++ list_del_init(&cset->mg_dst_preload_node); + put_css_set_locked(cset); + } + +@@ -2612,7 +2620,7 @@ void cgroup_migrate_add_src(struct css_s + + src_cgrp = cset_cgroup_from_root(src_cset, dst_cgrp->root); + +- if (!list_empty(&src_cset->mg_preload_node)) ++ if (!list_empty(&src_cset->mg_src_preload_node)) + return; + + WARN_ON(src_cset->mg_src_cgrp); +@@ -2623,7 +2631,7 @@ void cgroup_migrate_add_src(struct css_s + src_cset->mg_src_cgrp = src_cgrp; + src_cset->mg_dst_cgrp = dst_cgrp; + get_css_set(src_cset); +- list_add_tail(&src_cset->mg_preload_node, &mgctx->preloaded_src_csets); ++ list_add_tail(&src_cset->mg_src_preload_node, &mgctx->preloaded_src_csets); + } + + /** +@@ -2648,7 +2656,7 @@ int cgroup_migrate_prepare_dst(struct cg + + /* look up the dst cset for each src cset and link it to src */ + list_for_each_entry_safe(src_cset, tmp_cset, &mgctx->preloaded_src_csets, +- mg_preload_node) { ++ mg_src_preload_node) { + struct css_set *dst_cset; + struct cgroup_subsys *ss; + int ssid; +@@ -2667,7 +2675,7 @@ int cgroup_migrate_prepare_dst(struct cg + if (src_cset == dst_cset) { + src_cset->mg_src_cgrp = NULL; + src_cset->mg_dst_cgrp = NULL; +- list_del_init(&src_cset->mg_preload_node); ++ list_del_init(&src_cset->mg_src_preload_node); + put_css_set(src_cset); + put_css_set(dst_cset); + continue; +@@ -2675,8 +2683,8 @@ int cgroup_migrate_prepare_dst(struct cg + + src_cset->mg_dst_cset = dst_cset; + +- if (list_empty(&dst_cset->mg_preload_node)) +- list_add_tail(&dst_cset->mg_preload_node, ++ if (list_empty(&dst_cset->mg_dst_preload_node)) ++ list_add_tail(&dst_cset->mg_dst_preload_node, + &mgctx->preloaded_dst_csets); + else + put_css_set(dst_cset); +@@ -2922,7 +2930,8 @@ static int cgroup_update_dfl_csses(struc + goto out_finish; + + spin_lock_irq(&css_set_lock); +- list_for_each_entry(src_cset, &mgctx.preloaded_src_csets, mg_preload_node) { ++ 
list_for_each_entry(src_cset, &mgctx.preloaded_src_csets, ++ mg_src_preload_node) { + struct task_struct *task, *ntask; + + /* all tasks in src_csets need to be migrated */ diff --git a/queue-5.10/drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch b/queue-5.10/drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch new file mode 100644 index 00000000000..afea2dc0799 --- /dev/null +++ b/queue-5.10/drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch @@ -0,0 +1,39 @@ +From 9fc33eaaa979d112d10fea729edcd2a2e21aa912 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 30 Jun 2022 23:06:01 +0300 +Subject: drm/panfrost: Fix shrinker list corruption by madvise IOCTL + +From: Dmitry Osipenko + +commit 9fc33eaaa979d112d10fea729edcd2a2e21aa912 upstream. + +Calling madvise IOCTL twice on BO causes memory shrinker list corruption +and crashes kernel because BO is already on the list and it's added to +the list again, while BO should be removed from the list before it's +re-added. Fix it. + +Cc: stable@vger.kernel.org +Fixes: 013b65101315 ("drm/panfrost: Add madvise and shrinker support") +Acked-by: Alyssa Rosenzweig +Reviewed-by: Steven Price +Signed-off-by: Dmitry Osipenko +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20220630200601.1884120-3-dmitry.osipenko@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panfrost/panfrost_drv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/panfrost/panfrost_drv.c ++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c +@@ -427,8 +427,8 @@ static int panfrost_ioctl_madvise(struct + + if (args->retained) { + if (args->madv == PANFROST_MADV_DONTNEED) +- list_add_tail(&bo->base.madv_list, +- &pfdev->shrinker_list); ++ list_move_tail(&bo->base.madv_list, ++ &pfdev->shrinker_list); + else if (args->madv == PANFROST_MADV_WILLNEED) + list_del_init(&bo->base.madv_list); + } 
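Review bot: The `list_move_tail()` call in the `PANFROST_MADV_DONTNEED` branch has no comment saying why a move is used instead of an add. The reason, that the ioctl can be repeated on a BO already on `pfdev->shrinker_list`, is easy to lose in a later cleanup. I would add `/* may already be on the shrinker list from an earlier DONTNEED; move, never add */` above it. The move also assumes `madv_list` is an initialised list head on the first call and that the list is protected by a lock taken outside the hunk; neither is visible here, so both are worth confirming. panfrost_ioctl_madvise's body starts and ends outside the hunk.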
diff --git a/queue-5.10/drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch b/queue-5.10/drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch
new file mode 100644
index 00000000000..a7b1e85cc7d
--- /dev/null
+++ b/queue-5.10/drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch
@@ -0,0 +1,34 @@
+From fb6e0637ab7ebd8e61fe24f4d663c4bae99cfa62 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Thu, 30 Jun 2022 23:06:00 +0300
+Subject: drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error
+
+From: Dmitry Osipenko
+
+commit fb6e0637ab7ebd8e61fe24f4d663c4bae99cfa62 upstream.
+
+When panfrost_mmu_map_fault_addr() fails, the BO's mapping should be
+unreferenced and not the shmem object which backs the mapping.
+
+Cc: stable@vger.kernel.org
+Fixes: bdefca2d8dc0 ("drm/panfrost: Add the panfrost_gem_mapping concept")
+Reviewed-by: Steven Price
+Signed-off-by: Dmitry Osipenko
+Signed-off-by: Steven Price
+Link: https://patchwork.freedesktop.org/patch/msgid/20220630200601.1884120-2-dmitry.osipenko@collabora.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -491,7 +491,7 @@ err_map:
+ err_pages:
+ drm_gem_shmem_put_pages(&bo->base);
+ err_bo:
+- drm_gem_object_put(&bo->base.base);
++ panfrost_gem_mapping_put(bomapping);
+ return ret;
+ }
+
diff --git a/queue-5.10/fix-race-between-exit_itimers-and-proc-pid-timers.patch b/queue-5.10/fix-race-between-exit_itimers-and-proc-pid-timers.patch
new file mode 100644
index 00000000000..8dc5db19aa6
--- /dev/null
+++ b/queue-5.10/fix-race-between-exit_itimers-and-proc-pid-timers.patch
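Review bot: The `err_bo:` label now releases the mapping through `panfrost_gem_mapping_put(bomapping)`, so its name no longer says what it drops. Renaming it to something like `err_mapping:`, together with the `goto` sites outside the hunk, would keep the unwind ladder readable. It would also make a wrong-object put like the one fixed here easier to spot. The function starts outside the hunk.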
@@ -0,0 +1,90 @@ +From d5b36a4dbd06c5e8e36ca8ccc552f679069e2946 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Mon, 11 Jul 2022 18:16:25 +0200 +Subject: fix race between exit_itimers() and /proc/pid/timers + +From: Oleg Nesterov + +commit d5b36a4dbd06c5e8e36ca8ccc552f679069e2946 upstream. + +As Chris explains, the comment above exit_itimers() is not correct, +we can race with proc_timers_seq_ops. Change exit_itimers() to clear +signal->posix_timers with ->siglock held. + +Cc: +Reported-by: chris@accessvector.net +Signed-off-by: Oleg Nesterov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 2 +- + include/linux/sched/task.h | 2 +- + kernel/exit.c | 2 +- + kernel/time/posix-timers.c | 19 ++++++++++++++----- + 4 files changed, 17 insertions(+), 8 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1286,7 +1286,7 @@ int begin_new_exec(struct linux_binprm * + bprm->mm = NULL; + + #ifdef CONFIG_POSIX_TIMERS +- exit_itimers(me->signal); ++ exit_itimers(me); + flush_itimer_signals(); + #endif + +--- a/include/linux/sched/task.h ++++ b/include/linux/sched/task.h +@@ -82,7 +82,7 @@ static inline void exit_thread(struct ta + extern void do_group_exit(int); + + extern void exit_files(struct task_struct *); +-extern void exit_itimers(struct signal_struct *); ++extern void exit_itimers(struct task_struct *); + + extern pid_t kernel_clone(struct kernel_clone_args *kargs); + struct task_struct *fork_idle(int); +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -782,7 +782,7 @@ void __noreturn do_exit(long code) + + #ifdef CONFIG_POSIX_TIMERS + hrtimer_cancel(&tsk->signal->real_timer); +- exit_itimers(tsk->signal); ++ exit_itimers(tsk); + #endif + if (tsk->mm) + setmax_mm_hiwater_rss(&tsk->signal->maxrss, tsk->mm); +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -1051,15 +1051,24 @@ retry_delete: + } + + /* +- * This is called by do_exit or de_thread, only when there are no more +- * references to the shared 
signal_struct. ++ * This is called by do_exit or de_thread, only when nobody else can ++ * modify the signal->posix_timers list. Yet we need sighand->siglock ++ * to prevent the race with /proc/pid/timers. + */ +-void exit_itimers(struct signal_struct *sig) ++void exit_itimers(struct task_struct *tsk) + { ++ struct list_head timers; + struct k_itimer *tmr; + +- while (!list_empty(&sig->posix_timers)) { +- tmr = list_entry(sig->posix_timers.next, struct k_itimer, list); ++ if (list_empty(&tsk->signal->posix_timers)) ++ return; ++ ++ spin_lock_irq(&tsk->sighand->siglock); ++ list_replace_init(&tsk->signal->posix_timers, &timers); ++ spin_unlock_irq(&tsk->sighand->siglock); ++ ++ while (!list_empty(&timers)) { ++ tmr = list_first_entry(&timers, struct k_itimer, list); + itimer_delete(tmr); + } + } diff --git a/queue-5.10/fs-remap-constrain-dedupe-of-eof-blocks.patch b/queue-5.10/fs-remap-constrain-dedupe-of-eof-blocks.patch new file mode 100644 index 00000000000..9bed2f83e07 --- /dev/null +++ b/queue-5.10/fs-remap-constrain-dedupe-of-eof-blocks.patch 
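Review bot: The early `if (list_empty(&tsk->signal->posix_timers)) return;` in exit_itimers() reads the list without `siglock`, and the new header comment does not say why that is safe. It appears to rely on the stated invariant that nobody else can modify the list at this point. A one-line comment such as `/* lockless check is fine: nobody else can add timers here */` would record that. The function now also dereferences `tsk->sighand`, so the header comment could state that the task's sighand must still be attached. The callers changed in fs/exec.c and kernel/exit.c pass `me` and `tsk`, but the prototype in sched/task.h does not express that requirement.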
@@ -0,0 +1,46 @@
+From 5750676b64a561f7ec920d7c6ba130fc9c7378f3 Mon Sep 17 00:00:00 2001
+From: Dave Chinner
+Date: Wed, 13 Jul 2022 17:49:15 +1000
+Subject: fs/remap: constrain dedupe of EOF blocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dave Chinner
+
+commit 5750676b64a561f7ec920d7c6ba130fc9c7378f3 upstream.
+
+If dedupe of an EOF block is not constrainted to match against only
+other EOF blocks with the same EOF offset into the block, it can
+match against any other block that has the same matching initial
+bytes in it, even if the bytes beyond EOF in the source file do
+not match.
+
+Fix this by constraining the EOF block matching to only match
+against other EOF blocks that have identical EOF offsets and data.
+This allows "whole file dedupe" to continue to work without allowing
+eof blocks to randomly match against partial full blocks with the
+same data.
+
+Reported-by: Ansgar Lößer
+Fixes: 1383a7ed6749 ("vfs: check file ranges before cloning files")
+Link: https://lore.kernel.org/linux-fsdevel/a7c93559-4ba1-df2f-7a85-55a143696405@tu-darmstadt.de/
+Signed-off-by: Dave Chinner
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/remap_range.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/remap_range.c
++++ b/fs/remap_range.c
+@@ -71,7 +71,8 @@ static int generic_remap_checks(struct f
+ * Otherwise, make sure the count is also block-aligned, having
+ * already confirmed the starting offsets' block alignment.
+ */
+- if (pos_in + count == size_in) {
++ if (pos_in + count == size_in &&
++ (!(remap_flags & REMAP_FILE_DEDUP) || pos_out + count == size_out)) {
+ bcount = ALIGN(size_in, bs) - pos_in;
+ } else {
+ if (!IS_ALIGNED(count, bs))
diff --git a/queue-5.10/ip-fix-dflt-addr-selection-for-connected-nexthop.patch b/queue-5.10/ip-fix-dflt-addr-selection-for-connected-nexthop.patch
new file mode 100644
index 00000000000..7d421ae2844
--- /dev/null
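Review bot: The new two-line condition in generic_remap_checks() is not covered by the block comment above it, which in the part visible here only describes the alignment case. A short comment before the `if`, for example `/* For dedupe, treat this as an EOF block only if the destination range also ends at its EOF */`, would explain why `pos_out + count == size_out` is tested only when `REMAP_FILE_DEDUP` is set. The function body starts and ends outside the hunk, so whether `pos_out + count` has already been range-checked cannot be confirmed from here.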
+++ b/queue-5.10/ip-fix-dflt-addr-selection-for-connected-nexthop.patch 
@@ -0,0 +1,92 @@ +From 747c14307214b55dbd8250e1ab44cad8305756f1 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Wed, 13 Jul 2022 13:48:52 +0200 +Subject: ip: fix dflt addr selection for connected nexthop + +From: Nicolas Dichtel + +commit 747c14307214b55dbd8250e1ab44cad8305756f1 upstream. + +When a nexthop is added, without a gw address, the default scope was set +to 'host'. Thus, when a source address is selected, 127.0.0.1 may be chosen +but rejected when the route is used. + +When using a route without a nexthop id, the scope can be configured in the +route, thus the problem doesn't exist. + +To explain more deeply: when a user creates a nexthop, it cannot specify +the scope. To create it, the function nh_create_ipv4() calls fib_check_nh() +with scope set to 0. fib_check_nh() calls fib_check_nh_nongw() wich was +setting scope to 'host'. Then, nh_create_ipv4() calls +fib_info_update_nhc_saddr() with scope set to 'host'. The src addr is +chosen before the route is inserted. + +When a 'standard' route (ie without a reference to a nexthop) is added, +fib_create_info() calls fib_info_update_nhc_saddr() with the scope set by +the user. iproute2 set the scope to 'link' by default. 
+ +Here is a way to reproduce the problem: +ip netns add foo +ip -n foo link set lo up +ip netns add bar +ip -n bar link set lo up +sleep 1 + +ip -n foo link add name eth0 type dummy +ip -n foo link set eth0 up +ip -n foo address add 192.168.0.1/24 dev eth0 + +ip -n foo link add name veth0 type veth peer name veth1 netns bar +ip -n foo link set veth0 up +ip -n bar link set veth1 up + +ip -n bar address add 192.168.1.1/32 dev veth1 +ip -n bar route add default dev veth1 + +ip -n foo nexthop add id 1 dev veth0 +ip -n foo route add 192.168.1.1 nhid 1 + +Try to get/use the route: +> $ ip -n foo route get 192.168.1.1 +> RTNETLINK answers: Invalid argument +> $ ip netns exec foo ping -c1 192.168.1.1 +> ping: connect: Invalid argument + +Try without nexthop group (iproute2 sets scope to 'link' by dflt): +ip -n foo route del 192.168.1.1 +ip -n foo route add 192.168.1.1 dev veth0 + +Try to get/use the route: +> $ ip -n foo route get 192.168.1.1 +> 192.168.1.1 dev veth0 src 192.168.0.1 uid 0 +> cache +> $ ip netns exec foo ping -c1 192.168.1.1 +> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. 
+> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.039 ms +> +> --- 192.168.1.1 ping statistics --- +> 1 packets transmitted, 1 received, 0% packet loss, time 0ms +> rtt min/avg/max/mdev = 0.039/0.039/0.039/0.000 ms + +CC: stable@vger.kernel.org +Fixes: 597cfe4fc339 ("nexthop: Add support for IPv4 nexthops") +Reported-by: Edwin Brossette +Signed-off-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20220713114853.29406-1-nicolas.dichtel@6wind.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_semantics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1229,7 +1229,7 @@ static int fib_check_nh_nongw(struct net + + nh->fib_nh_dev = in_dev->dev; + dev_hold(nh->fib_nh_dev); +- nh->fib_nh_scope = RT_SCOPE_HOST; ++ nh->fib_nh_scope = RT_SCOPE_LINK; + if (!netif_carrier_ok(nh->fib_nh_dev)) + nh->fib_nh_flags |= RTNH_F_LINKDOWN; + err = 0; diff --git a/queue-5.10/mm-split-huge-pud-on-wp_huge_pud-fallback.patch b/queue-5.10/mm-split-huge-pud-on-wp_huge_pud-fallback.patch new file mode 100644 index 00000000000..c3398d516c5 --- /dev/null +++ b/queue-5.10/mm-split-huge-pud-on-wp_huge_pud-fallback.patch 
@@ -0,0 +1,78 @@ +From 14c99d65941538aa33edd8dc7b1bbbb593c324a2 Mon Sep 17 00:00:00 2001 +From: "Gowans, James" +Date: Thu, 23 Jun 2022 05:24:03 +0000 +Subject: mm: split huge PUD on wp_huge_pud fallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gowans, James + +commit 14c99d65941538aa33edd8dc7b1bbbb593c324a2 upstream. + +Currently the implementation will split the PUD when a fallback is taken +inside the create_huge_pud function. This isn't where it should be done: +the splitting should be done in wp_huge_pud, just like it's done for PMDs. +Reason being that if a callback is taken during create, there is no PUD +yet so nothing to split, whereas if a fallback is taken when encountering +a write protection fault there is something to split. + +It looks like this was the original intention with the commit where the +splitting was introduced, but somehow it got moved to the wrong place +between v1 and v2 of the patch series. Rebase mistake perhaps. + +Link: https://lkml.kernel.org/r/6f48d622eb8bce1ae5dd75327b0b73894a2ec407.camel@amazon.com +Fixes: 327e9fd48972 ("mm: Split huge pages on write-notify or COW") +Signed-off-by: James Gowans +Reviewed-by: Thomas Hellström +Cc: Christian König +Cc: Jan H. 
Schönherr +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -4369,6 +4369,19 @@ static vm_fault_t create_huge_pud(struct + defined(CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD) + /* No support for anonymous transparent PUD pages yet */ + if (vma_is_anonymous(vmf->vma)) ++ return VM_FAULT_FALLBACK; ++ if (vmf->vma->vm_ops->huge_fault) ++ return vmf->vma->vm_ops->huge_fault(vmf, PE_SIZE_PUD); ++#endif /* CONFIG_TRANSPARENT_HUGEPAGE */ ++ return VM_FAULT_FALLBACK; ++} ++ ++static vm_fault_t wp_huge_pud(struct vm_fault *vmf, pud_t orig_pud) ++{ ++#if defined(CONFIG_TRANSPARENT_HUGEPAGE) && \ ++ defined(CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD) ++ /* No support for anonymous transparent PUD pages yet */ ++ if (vma_is_anonymous(vmf->vma)) + goto split; + if (vmf->vma->vm_ops->huge_fault) { + vm_fault_t ret = vmf->vma->vm_ops->huge_fault(vmf, PE_SIZE_PUD); +@@ -4379,19 +4392,7 @@ static vm_fault_t create_huge_pud(struct + split: + /* COW or write-notify not handled on PUD level: split pud.*/ + __split_huge_pud(vmf->vma, vmf->pud, vmf->address); +-#endif /* CONFIG_TRANSPARENT_HUGEPAGE */ +- return VM_FAULT_FALLBACK; +-} +- +-static vm_fault_t wp_huge_pud(struct vm_fault *vmf, pud_t orig_pud) +-{ +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE +- /* No support for anonymous transparent PUD pages yet */ +- if (vma_is_anonymous(vmf->vma)) +- return VM_FAULT_FALLBACK; +- if (vmf->vma->vm_ops->huge_fault) +- return vmf->vma->vm_ops->huge_fault(vmf, PE_SIZE_PUD); +-#endif /* CONFIG_TRANSPARENT_HUGEPAGE */ ++#endif /* CONFIG_TRANSPARENT_HUGEPAGE && CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */ + return VM_FAULT_FALLBACK; + } + 
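Review bot: The `#endif` added at the end of the new create_huge_pud() body is annotated `/* CONFIG_TRANSPARENT_HUGEPAGE */`, while the guard it closes also tests `CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD` (the continuation line is the first context line of the hunk). The second hunk already corrects the same annotation for wp_huge_pud(). Using `#endif /* CONFIG_TRANSPARENT_HUGEPAGE && CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */` in both places keeps them consistent. Both function bodies are cut by the hunk boundaries.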
diff --git a/queue-5.10/net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch b/queue-5.10/net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch new file mode 100644 index 00000000000..cf773ec3d84 --- /dev/null +++ b/queue-5.10/net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch 
@@ -0,0 +1,53 @@ +From 820b8963adaea34a87abbecb906d1f54c0aabfb7 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Wed, 6 Jul 2022 10:50:40 -0400 +Subject: net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer + +From: Steven Rostedt (Google) + +commit 820b8963adaea34a87abbecb906d1f54c0aabfb7 upstream. + +The trace event sock_exceed_buf_limit saves the prot->sysctl_mem pointer +and then dereferences it in the TP_printk() portion. This is unsafe as the +TP_printk() portion is executed at the time the buffer is read. That is, +it can be seconds, minutes, days, months, even years later. If the proto +is freed, then this dereference will can also lead to a kernel crash. + +Instead, save the sysctl_mem array into the ring buffer and have the +TP_printk() reference that instead. This is the proper and safe way to +read pointers in trace events. + +Link: https://lore.kernel.org/all/20220706052130.16368-12-kuniyu@amazon.com/ + +Cc: stable@vger.kernel.org +Fixes: 3847ce32aea9f ("core: add tracepoints for queueing skb to rcvbuf") +Signed-off-by: Steven Rostedt (Google) +Acked-by: Kuniyuki Iwashima +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/sock.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/include/trace/events/sock.h ++++ b/include/trace/events/sock.h +@@ -98,7 +98,7 @@ TRACE_EVENT(sock_exceed_buf_limit, + + TP_STRUCT__entry( + __array(char, name, 32) +- __field(long *, sysctl_mem) ++ __array(long, sysctl_mem, 3) + __field(long, allocated) + __field(int, sysctl_rmem) + __field(int, rmem_alloc) +@@ -110,7 +110,9 @@ TRACE_EVENT(sock_exceed_buf_limit, + + TP_fast_assign( + strncpy(__entry->name, prot->name, 32); +- __entry->sysctl_mem = prot->sysctl_mem; ++ __entry->sysctl_mem[0] = READ_ONCE(prot->sysctl_mem[0]); ++ __entry->sysctl_mem[1] = READ_ONCE(prot->sysctl_mem[1]); ++ __entry->sysctl_mem[2] = READ_ONCE(prot->sysctl_mem[2]); + __entry->allocated = allocated; + __entry->sysctl_rmem = sk_get_rmem0(sk, prot); + __entry->rmem_alloc = atomic_read(&sk->sk_rmem_alloc); diff --git a/queue-5.10/nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch b/queue-5.10/nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch new file mode 100644 index 00000000000..b95a1454c60 --- /dev/null +++ b/queue-5.10/nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch 
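Review bot: The element count `3` in `__array(long, sysctl_mem, 3)` and the three hand-written `READ_ONCE()` copies in TP_fast_assign() are tied together only by convention. A named constant for the length would help, or at least a comment such as `/* snapshot the limits: TP_printk() runs when the buffer is read, after prot may be gone */`. Either would keep a later change from reintroducing a stored pointer or indexing past the three entries. The TP_printk() side is outside both hunks, so how it indexes the array cannot be checked here.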
@@ -0,0 +1,45 @@
+From 5924e6ec1585445f251ea92713eb15beb732622a Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 23 Jun 2022 17:54:01 +0900
+Subject: nilfs2: fix incorrect masking of permission flags for symlinks
+
+From: Ryusuke Konishi
+
+commit 5924e6ec1585445f251ea92713eb15beb732622a upstream.
+
+The permission flags of newly created symlinks are wrongly dropped on
+nilfs2 with the current umask value even though symlinks should have 777
+(rwxrwxrwx) permissions:
+
+ $ umask
+ 0022
+ $ touch file && ln -s file symlink; ls -l file symlink
+ -rw-r--r--. 1 root root 0 Jun 23 16:29 file
+ lrwxr-xr-x. 1 root root 4 Jun 23 16:29 symlink -> file
+
+This fixes the bug by inserting a missing check that excludes
+symlinks.
+
+Link: https://lkml.kernel.org/r/1655974441-5612-1-git-send-email-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: Tommy Pettersson
+Reported-by: Ciprian Craciun
+Tested-by: Ryusuke Konishi
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/nilfs.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nilfs2/nilfs.h
++++ b/fs/nilfs2/nilfs.h
+@@ -198,6 +198,9 @@ static inline int nilfs_acl_chmod(struct
+
+ static inline int nilfs_init_acl(struct inode *inode, struct inode *dir)
+ {
++ if (S_ISLNK(inode->i_mode))
++ return 0;
++
+ inode->i_mode &= ~current_umask();
+ return 0;
+ }
diff --git a/queue-5.10/revert-evm-fix-memleak-in-init_desc.patch b/queue-5.10/revert-evm-fix-memleak-in-init_desc.patch
new file mode 100644
index 00000000000..2c88e1321f8
--- /dev/null
+++ b/queue-5.10/revert-evm-fix-memleak-in-init_desc.patch
@@ -0,0 +1,59 @@ +From 51dd64bb99e4478fc5280171acd8e1b529eadaf7 Mon Sep 17 00:00:00 2001 +From: Xiu Jianfeng +Date: Fri, 27 May 2022 19:17:26 +0800 +Subject: Revert "evm: Fix memleak in init_desc" + +From: Xiu Jianfeng + +commit 51dd64bb99e4478fc5280171acd8e1b529eadaf7 upstream. + +This reverts commit ccf11dbaa07b328fa469415c362d33459c140a37. + +Commit ccf11dbaa07b ("evm: Fix memleak in init_desc") said there is +memleak in init_desc. That may be incorrect, as we can see, tmp_tfm is +saved in one of the two global variables hmac_tfm or evm_tfm[hash_algo], +then if init_desc is called next time, there is no need to alloc tfm +again, so in the error path of kmalloc desc or crypto_shash_init(desc), +It is not a problem without freeing tmp_tfm. + +And also that commit did not reset the global variable to NULL after +freeing tmp_tfm and this makes *tfm a dangling pointer which may cause a +UAF issue. + +Reported-by: Guozihua (Scott) +Signed-off-by: Xiu Jianfeng +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/evm/evm_crypto.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/security/integrity/evm/evm_crypto.c ++++ b/security/integrity/evm/evm_crypto.c +@@ -73,7 +73,7 @@ static struct shash_desc *init_desc(char + { + long rc; + const char *algo; +- struct crypto_shash **tfm, *tmp_tfm = NULL; ++ struct crypto_shash **tfm, *tmp_tfm; + struct shash_desc *desc; + + if (type == EVM_XATTR_HMAC) { +@@ -118,16 +118,13 @@ unlock: + alloc: + desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm), + GFP_KERNEL); +- if (!desc) { +- crypto_free_shash(tmp_tfm); ++ if (!desc) + return ERR_PTR(-ENOMEM); +- } + + desc->tfm = *tfm; + + rc = crypto_shash_init(desc); + if (rc) { +- crypto_free_shash(tmp_tfm); + kfree(desc); + return ERR_PTR(rc); + } diff --git a/queue-5.10/series b/queue-5.10/series index 18a2b680ea2..49e0607308d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -1 +1,23 @@ alsa-hda-add-fixup-for-dell-latitidue-e5430.patch +alsa-hda-conexant-apply-quirk-for-another-hp-prodesk-600-g3-model.patch +alsa-hda-realtek-fix-headset-mic-for-acer-sf313-51.patch +alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch +alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc221.patch +alsa-hda-realtek-enable-the-headset-mic-on-a-xiaomi-s-laptop.patch +xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch +fix-race-between-exit_itimers-and-proc-pid-timers.patch +mm-split-huge-pud-on-wp_huge_pud-fallback.patch +tracing-histograms-fix-memory-leak-problem.patch +net-sock-tracing-fix-sock_exceed_buf_limit-not-to-dereference-stale-pointer.patch +ip-fix-dflt-addr-selection-for-connected-nexthop.patch +arm-9213-1-print-message-about-disabled-spectre-workarounds-only-once.patch +arm-9214-1-alignment-advance-it-state-after-emulating-thumb-instruction.patch +wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch +cgroup-use-separate-src-dst-nodes-when-preloading-css_sets-for-migration.patch +btrfs-return-eagain-for-nowait-dio-reads-writes-on-compressed-and-inline-extents.patch +drm-panfrost-put-mapping-instead-of-shmem-obj-on-panfrost_mmu_map_fault_addr-error.patch +drm-panfrost-fix-shrinker-list-corruption-by-madvise-ioctl.patch +fs-remap-constrain-dedupe-of-eof-blocks.patch +nilfs2-fix-incorrect-masking-of-permission-flags-for-symlinks.patch +sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch +revert-evm-fix-memleak-in-init_desc.patch diff --git a/queue-5.10/sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch b/queue-5.10/sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch new file mode 100644 index 00000000000..491c4b18bc9 --- /dev/null +++ b/queue-5.10/sh-convert-nommu-io-re-un-map-to-static-inline-functions.patch 
@@ -0,0 +1,52 @@
+From d684e0a52d36f8939eda30a0f31ee235ee4ee741 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 20 Jun 2022 09:01:43 +0200
+Subject: sh: convert nommu io{re,un}map() to static inline functions
+
+From: Geert Uytterhoeven
+
+commit d684e0a52d36f8939eda30a0f31ee235ee4ee741 upstream.
+
+Recently, nommu iounmap() was converted from a static inline function to a
+macro again, basically reverting commit 4580ba4ad2e6b8dd ("sh: Convert
+iounmap() macros to inline functions"). With -Werror, this leads to build
+failures like:
+
+ drivers/iio/adc/xilinx-ams.c: In function `ams_iounmap_ps':
+ drivers/iio/adc/xilinx-ams.c:1195:14: error: unused variable `ams' [-Werror=unused-variable]
+ 1195 | struct ams *ams = data;
+ | ^~~
+
+Fix this by replacing the macros for ioremap() and iounmap() by static
+inline functions, based on .
+
+Link: https://lkml.kernel.org/r/8d1b1766260961799b04035e7bc39a7f59729f72.1655708312.git.geert+renesas@glider.be
+Fixes: 13f1fc870dd74713 ("sh: move the ioremap implementation out of line")
+Signed-off-by: Geert Uytterhoeven
+Reported-by: kernel test robot
+Reported-by: Jonathan Cameron
+Acked-by: Jonathan Cameron
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sh/include/asm/io.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/sh/include/asm/io.h
++++ b/arch/sh/include/asm/io.h
+@@ -271,8 +271,12 @@ static inline void __iomem *ioremap_prot
+ #endif /* CONFIG_HAVE_IOREMAP_PROT */
+
+ #else /* CONFIG_MMU */
+-#define iounmap(addr) do { } while (0)
+-#define ioremap(offset, size) ((void __iomem *)(unsigned long)(offset))
++static inline void __iomem *ioremap(phys_addr_t offset, size_t size)
++{
++ return (void __iomem *)(unsigned long)offset;
++}
++
++static inline void iounmap(volatile void __iomem *addr) { }
+ #endif /* CONFIG_MMU */
+
+ #define ioremap_uc ioremap
diff --git a/queue-5.10/tracing-histograms-fix-memory-leak-problem.patch b/queue-5.10/tracing-histograms-fix-memory-leak-problem.patch new file mode 100644 index 00000000000..7fefda684f0 --- /dev/null +++ b/queue-5.10/tracing-histograms-fix-memory-leak-problem.patch 
@@ -0,0 +1,80 @@ +From 7edc3945bdce9c39198a10d6129377a5c53559c2 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Mon, 11 Jul 2022 09:47:31 +0800 +Subject: tracing/histograms: Fix memory leak problem + +From: Zheng Yejian + +commit 7edc3945bdce9c39198a10d6129377a5c53559c2 upstream. + +This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac. + +As commit 46bbe5c671e0 ("tracing: fix double free") said, the +"double free" problem reported by clang static analyzer is: + > In parse_var_defs() if there is a problem allocating + > var_defs.expr, the earlier var_defs.name is freed. + > This free is duplicated by free_var_defs() which frees + > the rest of the list. + +However, if there is a problem allocating N-th var_defs.expr: + + in parse_var_defs(), the freed 'earlier var_defs.name' is + actually the N-th var_defs.name; + + then in free_var_defs(), the names from 0th to (N-1)-th are freed; + + IF ALLOCATING PROBLEM HAPPENED HERE!!! -+ + \ + | + 0th 1th (N-1)-th N-th V + +-------------+-------------+-----+-------------+----------- +var_defs: | name | expr | name | expr | ... | name | expr | name | /// + +-------------+-------------+-----+-------------+----------- + +These two frees don't act on same name, so there was no "double free" +problem before. Conversely, after that commit, we get a "memory leak" +problem because the above "N-th var_defs.name" is not freed. + +If enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th +var_defs.expr allocated, then execute on shell like: + $ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \ +/sys/kernel/debug/tracing/events/kmem/kmalloc/trigger + +Then kmemleak reports: + unreferenced object 0xffff8fb100ef3518 (size 8): + comm "bash", pid 196, jiffies 4295681690 (age 28.538s) + hex dump (first 8 bytes): + 76 31 00 00 b1 8f ff ff v1...... 
+ backtrace: + [<0000000038fe4895>] kstrdup+0x2d/0x60 + [<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0 + [<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110 + [<0000000066737a4c>] event_trigger_write+0x75/0xd0 + [<000000007341e40c>] vfs_write+0xbb/0x2a0 + [<0000000087fde4c2>] ksys_write+0x59/0xd0 + [<00000000581e9cdf>] do_syscall_64+0x3a/0x80 + [<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Link: https://lkml.kernel.org/r/20220711014731.69520-1-zhengyejian1@huawei.com + +Cc: stable@vger.kernel.org +Fixes: 46bbe5c671e0 ("tracing: fix double free") +Reported-by: Hulk Robot +Suggested-by: Steven Rostedt +Reviewed-by: Tom Zanussi +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_hist.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -3943,6 +3943,8 @@ static int parse_var_defs(struct hist_tr + + s = kstrdup(field_str, GFP_KERNEL); + if (!s) { ++ kfree(hist_data->attrs->var_defs.name[n_vars]); ++ hist_data->attrs->var_defs.name[n_vars] = NULL; + ret = -ENOMEM; + goto free; + } diff --git a/queue-5.10/wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch b/queue-5.10/wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch new file mode 100644 index 00000000000..6934c0c9306 --- /dev/null +++ b/queue-5.10/wifi-mac80211-fix-queue-selection-for-mesh-ocb-interfaces.patch 
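Review bot: The added `kfree(hist_data->attrs->var_defs.name[n_vars])` is correct only while `n_vars` has not yet been advanced past the name allocated just before, and nothing in the hunk says so. A comment like `/* name[n_vars] is not counted yet, so free_var_defs() will not release it */` would stop a later cleanup from removing it as a double free again, which is the history the commit message describes. The surrounding loop and the `free:` label are outside the hunk.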
@@ -0,0 +1,38 @@
+From 50e2ab39291947b6c6c7025cf01707c270fcde59 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Sat, 2 Jul 2022 16:52:27 +0200
+Subject: wifi: mac80211: fix queue selection for mesh/OCB interfaces
+
+From: Felix Fietkau
+
+commit 50e2ab39291947b6c6c7025cf01707c270fcde59 upstream.
+
+When using iTXQ, the code assumes that there is only one vif queue for
+broadcast packets, using the BE queue. Allowing non-BE queue marking
+violates that assumption and txq->ac == skb_queue_mapping is no longer
+guaranteed. This can cause issues with queue handling in the driver and
+also causes issues with the recent ATF change, resulting in an AQL
+underflow warning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau
+Link: https://lore.kernel.org/r/20220702145227.39356-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/wme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/wme.c
++++ b/net/mac80211/wme.c
+@@ -145,8 +145,8 @@ u16 __ieee80211_select_queue(struct ieee
+ bool qos;
+
+ /* all mesh/ocb stations are required to support WME */
+- if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT ||
+- sdata->vif.type == NL80211_IFTYPE_OCB)
++ if (sta && (sdata->vif.type == NL80211_IFTYPE_MESH_POINT ||
++ sdata->vif.type == NL80211_IFTYPE_OCB))
+ qos = true;
+ else if (sta)
+ qos = sta->sta.wme;
diff --git a/queue-5.10/xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch b/queue-5.10/xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch
new file mode 100644
index 00000000000..dab0867f1be
--- /dev/null
+++ b/queue-5.10/xen-netback-avoid-entering-xenvif_rx_next_skb-with-an-empty-rx-queue.patch
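Review bot: The comment `/* all mesh/ocb stations are required to support WME */` no longer explains the condition below it, which now also requires `sta` to be non-NULL. I would extend it to say that frames with no station entry on mesh/OCB interfaces deliberately skip the forced-QoS path, e.g. `/* ...; frames without a sta (broadcast) must not be marked for a non-BE queue */`. The rest of the if/else chain is outside the hunk, so where the `!sta` case ends up should be confirmed there.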
@@ -0,0 +1,60 @@
+From 94e8100678889ab428e68acadf042de723f094b9 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Wed, 13 Jul 2022 15:53:22 +0200
+Subject: xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
+
+From: Juergen Gross
+
+commit 94e8100678889ab428e68acadf042de723f094b9 upstream.
+
+xenvif_rx_next_skb() is expecting the rx queue not being empty, but
+in case the loop in xenvif_rx_action() is doing multiple iterations,
+the availability of another skb in the rx queue is not being checked.
+
+This can lead to crashes:
+
+[40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
+[40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback]
+[40072.537534] PGD 0 P4D 0
+[40072.537644] Oops: 0000 [#1] SMP NOPTI
+[40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5
+[40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021
+[40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000
+[40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback]
+[40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246
+[40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7
+[40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8
+[40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008
+[40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708
+[40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0
+[40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000
+[40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660
+[40072.539211] Call Trace:
+[40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback]
+[40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback]
+
+Fix that by stopping the
loop in case the rx queue becomes empty.
+
+Cc: stable@vger.kernel.org
+Fixes: 98f6d57ced73 ("xen-netback: process guest rx packets in batches")
+Signed-off-by: Juergen Gross
+Reviewed-by: Jan Beulich
+Reviewed-by: Paul Durrant
+Link: https://lore.kernel.org/r/20220713135322.19616-1-jgross@suse.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netback/rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/xen-netback/rx.c
++++ b/drivers/net/xen-netback/rx.c
+@@ -495,6 +495,7 @@ void xenvif_rx_action(struct xenvif_queu
+ queue->rx_copy.completed = &completed_skbs;
+
+ while (xenvif_rx_ring_slots_available(queue) &&
++ !skb_queue_empty(&queue->rx_queue) &&
+ work_done < RX_BATCH_SIZE) {
+ xenvif_rx_skb(queue);
+ work_done++;
-- 2.47.3
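Review bot: The new `!skb_queue_empty(&queue->rx_queue)` term in the `while` condition of `xenvif_rx_action()` guards an invariant that is written down nowhere in the code. Per the commit message `xenvif_rx_next_skb()` expects a non-empty rx queue, and the quoted oops shows the resulting NULL dereference inside `xenvif_rx_skb()`. A short comment above the loop would keep a later refactor of the batching logic from dropping the check, for example `/* xenvif_rx_skb() requires a non-empty rx_queue; re-check before every iteration */`. Because the failure mode is a kernel crash in the backend, it may also be worth making the callee tolerate an empty queue as a second line of defence, but its body and the rest of `xenvif_rx_action()` are outside this hunk, so that needs checking against the full file.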