From: Sasha Levin
Date: Tue, 20 Feb 2024 01:25:47 +0000 (-0500)
Subject: Fixes for 5.4
X-Git-Tag: v4.19.307~80
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c06c5a77439aa95ecdef33ac23116067a4998cd;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 5.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.4/arch-mm-remove-stale-mentions-of-disconigmem.patch-24462 b/queue-5.4/arch-mm-remove-stale-mentions-of-disconigmem.patch-24462
new file mode 100644
index 00000000000..205a4cbcccb
--- /dev/null
+++ b/queue-5.4/arch-mm-remove-stale-mentions-of-disconigmem.patch-24462
@@ -0,0 +1,155 @@ +From 74b2661bbbf0bb2c8a96af1637c1d39b02754f0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 19:42:55 -0700 +Subject: arch, mm: remove stale mentions of DISCONIGMEM + +From: Mike Rapoport + +[ Upstream commit d3c251ab95b69f3dc189c4657baeac1b4c050789 ] + +There are several places that mention DISCONIGMEM in comments or have +stale code guarded by CONFIG_DISCONTIGMEM. + +Remove the dead code and update the comments. + +Link: https://lkml.kernel.org/r/20210608091316.3622-7-rppt@kernel.org +Signed-off-by: Mike Rapoport +Acked-by: Arnd Bergmann +Reviewed-by: David Hildenbrand +Cc: Geert Uytterhoeven +Cc: Ivan Kokshaysky +Cc: Jonathan Corbet +Cc: Matt Turner +Cc: Richard Henderson +Cc: Vineet Gupta +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: e1a9ae457369 ("mips: Fix max_mapnr being uninitialized on early stages") +Signed-off-by: Sasha Levin +--- + arch/ia64/kernel/topology.c | 5 ++--- + arch/ia64/mm/numa.c | 5 ++--- + arch/mips/include/asm/mmzone.h | 6 ------ + arch/mips/mm/init.c | 3 --- + arch/nds32/include/asm/memory.h | 6 ------ + arch/xtensa/include/asm/page.h | 4 ---- + include/linux/gfp.h | 4 ++-- + 7 files changed, 6 insertions(+), 27 deletions(-) + +diff --git a/arch/ia64/kernel/topology.c b/arch/ia64/kernel/topology.c +index 09fc385c2acd..3639e0a7cb3b 100644 +--- a/arch/ia64/kernel/topology.c ++++ b/arch/ia64/kernel/topology.c +@@ -3,9 +3,8 @@ + * License. See the file "COPYING" in the main directory of this archive + * for more details. + * +- * This file contains NUMA specific variables and functions which can +- * be split away from DISCONTIGMEM and are used on NUMA machines with +- * contiguous memory. ++ * This file contains NUMA specific variables and functions which are used on ++ * NUMA machines with contiguous memory. 
+ * 2002/08/07 Erich Focht + * Populate cpu entries in sysfs for non-numa systems as well + * Intel Corporation - Ashok Raj +diff --git a/arch/ia64/mm/numa.c b/arch/ia64/mm/numa.c +index 5e1015eb6d0d..ad6837d00e7d 100644 +--- a/arch/ia64/mm/numa.c ++++ b/arch/ia64/mm/numa.c +@@ -3,9 +3,8 @@ + * License. See the file "COPYING" in the main directory of this archive + * for more details. + * +- * This file contains NUMA specific variables and functions which can +- * be split away from DISCONTIGMEM and are used on NUMA machines with +- * contiguous memory. ++ * This file contains NUMA specific variables and functions which are used on ++ * NUMA machines with contiguous memory. + * + * 2002/08/07 Erich Focht + */ +diff --git a/arch/mips/include/asm/mmzone.h b/arch/mips/include/asm/mmzone.h +index b826b8473e95..7649ab45e80c 100644 +--- a/arch/mips/include/asm/mmzone.h ++++ b/arch/mips/include/asm/mmzone.h +@@ -20,10 +20,4 @@ + #define nid_to_addrbase(nid) 0 + #endif + +-#ifdef CONFIG_DISCONTIGMEM +- +-#define pfn_to_nid(pfn) pa_to_nid((pfn) << PAGE_SHIFT) +- +-#endif /* CONFIG_DISCONTIGMEM */ +- + #endif /* _ASM_MMZONE_H_ */ +diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c +index a73899933505..dee6a790d42d 100644 +--- a/arch/mips/mm/init.c ++++ b/arch/mips/mm/init.c +@@ -453,9 +453,6 @@ void __init mem_init(void) + BUILD_BUG_ON(IS_ENABLED(CONFIG_32BIT) && (_PFN_SHIFT > PAGE_SHIFT)); + + #ifdef CONFIG_HIGHMEM +-#ifdef CONFIG_DISCONTIGMEM +-#error "CONFIG_HIGHMEM and CONFIG_DISCONTIGMEM dont work together yet" +-#endif + max_mapnr = highend_pfn ? 
highend_pfn : max_low_pfn; + #else + max_mapnr = max_low_pfn; +diff --git a/arch/nds32/include/asm/memory.h b/arch/nds32/include/asm/memory.h +index 940d32842793..62faafbc28e4 100644 +--- a/arch/nds32/include/asm/memory.h ++++ b/arch/nds32/include/asm/memory.h +@@ -76,18 +76,12 @@ + * virt_to_page(k) convert a _valid_ virtual address to struct page * + * virt_addr_valid(k) indicates whether a virtual address is valid + */ +-#ifndef CONFIG_DISCONTIGMEM +- + #define ARCH_PFN_OFFSET PHYS_PFN_OFFSET + #define pfn_valid(pfn) ((pfn) >= PHYS_PFN_OFFSET && (pfn) < (PHYS_PFN_OFFSET + max_mapnr)) + + #define virt_to_page(kaddr) (pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)) + #define virt_addr_valid(kaddr) ((unsigned long)(kaddr) >= PAGE_OFFSET && (unsigned long)(kaddr) < (unsigned long)high_memory) + +-#else /* CONFIG_DISCONTIGMEM */ +-#error CONFIG_DISCONTIGMEM is not supported yet. +-#endif /* !CONFIG_DISCONTIGMEM */ +- + #define page_to_phys(page) (page_to_pfn(page) << PAGE_SHIFT) + + #endif +diff --git a/arch/xtensa/include/asm/page.h b/arch/xtensa/include/asm/page.h +index 09c56cba442e..5a42d663612b 100644 +--- a/arch/xtensa/include/asm/page.h ++++ b/arch/xtensa/include/asm/page.h +@@ -181,10 +181,6 @@ static inline unsigned long ___pa(unsigned long va) + #define pfn_valid(pfn) \ + ((pfn) >= ARCH_PFN_OFFSET && ((pfn) - ARCH_PFN_OFFSET) < max_mapnr) + +-#ifdef CONFIG_DISCONTIGMEM +-# error CONFIG_DISCONTIGMEM not supported +-#endif +- + #define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT) + #define page_to_virt(page) __va(page_to_pfn(page) << PAGE_SHIFT) + #define virt_addr_valid(kaddr) pfn_valid(__pa(kaddr) >> PAGE_SHIFT) +diff --git a/include/linux/gfp.h b/include/linux/gfp.h +index 61f2f6ff9467..c89f8456f18d 100644 +--- a/include/linux/gfp.h ++++ b/include/linux/gfp.h +@@ -471,8 +471,8 @@ static inline int gfp_zonelist(gfp_t flags) + * There are two zonelists per node, one for all zones with memory and + * one containing just zones from the node the zonelist 
belongs to. + * +- * For the normal case of non-DISCONTIGMEM systems the NODE_DATA() gets +- * optimized to &contig_page_data at compile-time. ++ * For the case of non-NUMA systems the NODE_DATA() gets optimized to ++ * &contig_page_data at compile-time. + */ + static inline struct zonelist *node_zonelist(int nid, gfp_t flags) + { +-- +2.43.0 + diff --git a/queue-5.4/bus-moxtet-add-spi-device-table.patch-27471 b/queue-5.4/bus-moxtet-add-spi-device-table.patch-27471 new file mode 100644 index 00000000000..25148f1c6d8 --- /dev/null +++ b/queue-5.4/bus-moxtet-add-spi-device-table.patch-27471 @@ -0,0 +1,52 @@ +From bdf9b92aeed22ea19d6be05d65681228926f8f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 22:35:05 +0100 +Subject: bus: moxtet: Add spi device table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sjoerd Simons + +[ Upstream commit aaafe88d5500ba18b33be72458439367ef878788 ] + +The moxtet module fails to auto-load on. Add a SPI id table to +allow it to do so. + +Signed-off-by: Sjoerd Simons +Cc: +Reviewed-by: Marek Behún +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + drivers/bus/moxtet.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/bus/moxtet.c b/drivers/bus/moxtet.c +index 68413bf9cf87..d87f698d38a3 100644 +--- a/drivers/bus/moxtet.c ++++ b/drivers/bus/moxtet.c +@@ -833,6 +833,12 @@ static int moxtet_remove(struct spi_device *spi) + return 0; + } + ++static const struct spi_device_id moxtet_spi_ids[] = { ++ { "moxtet" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, moxtet_spi_ids); ++ + static const struct of_device_id moxtet_dt_ids[] = { + { .compatible = "cznic,moxtet" }, + {}, +@@ -844,6 +850,7 @@ static struct spi_driver moxtet_spi_driver = { + .name = "moxtet", + .of_match_table = moxtet_dt_ids, + }, ++ .id_table = moxtet_spi_ids, + .probe = moxtet_probe, + .remove = moxtet_remove, + }; +-- +2.43.0 + 
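Review bot: The `pfn_to_nid()` definition dropped from arch/mips/include/asm/mmzone.h, and the `#error` guards dropped from arch/mips/mm/init.c, nds32 memory.h and xtensa page.h, are dead code only if CONFIG_DISCONTIGMEM can no longer be selected. That held for the 2021 upstream tree this commit was written against, but nothing in the hunk establishes it for 5.4. The patch is queued as a Stable-dep-of for the max_mapnr fix, which appears to need only the three removed lines in mem_init() as context. Please confirm with a 5.4 build of a DISCONTIGMEM-capable MIPS configuration that nothing still expands `pfn_to_nid()`, or trim the backport to the arch/mips/mm/init.c part.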
diff --git a/queue-5.4/kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468 b/queue-5.4/kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468
new file mode 100644
index 00000000000..c6158fde414
--- /dev/null
+++ b/queue-5.4/kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468
@@ -0,0 +1,54 @@ +From 826e81a49aa06cbc43fdea586f2df27f55de94a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jan 2024 18:32:32 +0000 +Subject: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache + +From: Oliver Upton + +[ Upstream commit ad362fe07fecf0aba839ff2cc59a3617bd42c33f ] + +There is a potential UAF scenario in the case of an LPI translation +cache hit racing with an operation that invalidates the cache, such +as a DISCARD ITS command. The root of the problem is that +vgic_its_check_cache() does not elevate the refcount on the vgic_irq +before dropping the lock that serializes refcount changes. + +Have vgic_its_check_cache() raise the refcount on the returned vgic_irq +and add the corresponding decrement after queueing the interrupt. + +Cc: stable@vger.kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20240104183233.3560639-1-oliver.upton@linux.dev +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/vgic/vgic-its.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c +index e06bb8ed7688..0533881bd2ab 100644 +--- a/virt/kvm/arm/vgic/vgic-its.c ++++ b/virt/kvm/arm/vgic/vgic-its.c +@@ -581,7 +581,11 @@ static struct vgic_irq *vgic_its_check_cache(struct kvm *kvm, phys_addr_t db, + unsigned long flags; + + raw_spin_lock_irqsave(&dist->lpi_list_lock, flags); ++ + irq = __vgic_its_check_cache(dist, db, devid, eventid); ++ if (irq) ++ vgic_get_irq_kref(irq); ++ + raw_spin_unlock_irqrestore(&dist->lpi_list_lock, flags); + + return irq; +@@ -761,6 +765,7 @@ int vgic_its_inject_cached_translation(struct kvm *kvm, struct kvm_msi *msi) + raw_spin_lock_irqsave(&irq->irq_lock, flags); + irq->pending_latch = true; + vgic_queue_irq_unlock(kvm, irq, flags); ++ vgic_put_irq(kvm, irq); + + return 0; + } +-- +2.43.0 + 
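Review bot: vgic_its_check_cache() now returns a vgic_irq with its refcount raised, but nothing at the function records that the caller owns a reference. I would add above it: `/* Returns the cached vgic_irq with a reference held, or NULL; the caller must release it with vgic_put_irq(). */`. The only release visible here is the `vgic_put_irq(kvm, irq);` after vgic_queue_irq_unlock() in vgic_its_inject_cached_translation(). Any other caller of vgic_its_check_cache() in the 5.4 tree would now leak the reference, so it is worth confirming there is none. Both function bodies start outside the hunk.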
diff --git a/queue-5.4/mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655 b/queue-5.4/mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655
new file mode 100644
index 00000000000..1741d7786d0
--- /dev/null
+++ b/queue-5.4/mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655
@@ -0,0 +1,91 @@ +From d15379b67f2e35eb6ba210ec5a3bc499dd8ff462 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Dec 2023 14:14:20 +0300 +Subject: mips: Fix max_mapnr being uninitialized on early stages + +From: Serge Semin + +[ Upstream commit e1a9ae45736989c972a8d1c151bc390678ae6205 ] + +max_mapnr variable is utilized in the pfn_valid() method in order to +determine the upper PFN space boundary. Having it uninitialized +effectively makes any PFN passed to that method invalid. That in its turn +causes the kernel mm-subsystem occasion malfunctions even after the +max_mapnr variable is actually properly updated. For instance, +pfn_valid() is called in the init_unavailable_range() method in the +framework of the calls-chain on MIPS: +setup_arch() ++-> paging_init() + +-> free_area_init() + +-> memmap_init() + +-> memmap_init_zone_range() + +-> init_unavailable_range() + +Since pfn_valid() always returns "false" value before max_mapnr is +initialized in the mem_init() method, any flatmem page-holes will be left +in the poisoned/uninitialized state including the IO-memory pages. Thus +any further attempts to map/remap the IO-memory by using MMU may fail. +In particular it happened in my case on attempt to map the SRAM region. +The kernel bootup procedure just crashed on the unhandled unaligned access +bug raised in the __update_cache() method: + +> Unhandled kernel unaligned access[#1]: +> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc1-XXX-dirty #2056 +> ... +> Call Trace: +> [<8011ef9c>] __update_cache+0x88/0x1bc +> [<80385944>] ioremap_page_range+0x110/0x2a4 +> [<80126948>] ioremap_prot+0x17c/0x1f4 +> [<80711b80>] __devm_ioremap+0x8c/0x120 +> [<80711e0c>] __devm_ioremap_resource+0xf4/0x218 +> [<808bf244>] sram_probe+0x4f4/0x930 +> [<80889d20>] platform_probe+0x68/0xec +> ... + +Let's fix the problem by initializing the max_mapnr variable as soon as +the required data is available. 
In particular it can be done right in the +paging_init() method before free_area_init() is called since all the PFN +zone boundaries have already been calculated by that time. + +Cc: stable@vger.kernel.org +Signed-off-by: Serge Semin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/init.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c +index dee6a790d42d..800cc5bc7a38 100644 +--- a/arch/mips/mm/init.c ++++ b/arch/mips/mm/init.c +@@ -416,7 +416,12 @@ void __init paging_init(void) + (highend_pfn - max_low_pfn) << (PAGE_SHIFT - 10)); + max_zone_pfns[ZONE_HIGHMEM] = max_low_pfn; + } ++ ++ max_mapnr = highend_pfn ? highend_pfn : max_low_pfn; ++#else ++ max_mapnr = max_low_pfn; + #endif ++ high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT); + + free_area_init_nodes(max_zone_pfns); + } +@@ -452,13 +457,6 @@ void __init mem_init(void) + */ + BUILD_BUG_ON(IS_ENABLED(CONFIG_32BIT) && (_PFN_SHIFT > PAGE_SHIFT)); + +-#ifdef CONFIG_HIGHMEM +- max_mapnr = highend_pfn ? highend_pfn : max_low_pfn; +-#else +- max_mapnr = max_low_pfn; +-#endif +- high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT); +- + maar_init(); + memblock_free_all(); + setup_zero_pages(); /* Setup zeroed pages. */ +-- +2.43.0 + diff --git a/queue-5.4/revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943 b/queue-5.4/revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943 new file mode 100644 index 00000000000..39ef00ed6f6 --- /dev/null +++ b/queue-5.4/revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943 
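Review bot: The ordering requirement behind this fix is not written down where the assignments now live in paging_init(), so a later cleanup could move them back into mem_init() and reintroduce the bug. I would add a comment above the `max_mapnr` assignment: `/* pfn_valid() depends on max_mapnr; set it before free_area_init_nodes() initialises the memmap. */`. The call chain quoted in the description names functions that do not appear in this hunk; the consumer visible here is `free_area_init_nodes()`, so the 5.4 path to pfn_valid() presumably differs and is worth stating in the backport note. paging_init() and mem_init() both start outside the hunk.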
@@ -0,0 +1,72 @@ +From 517cdda26555fd4432124e166a10139065de5a41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Nov 2023 10:22:16 -0800 +Subject: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d" + +From: Junxiao Bi + +[ Upstream commit bed9e27baf52a09b7ba2a3714f1e24e17ced386d ] + +This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74. + +That commit introduced the following race and can cause system hung. + + md_write_start: raid5d: + // mddev->in_sync == 1 + set "MD_SB_CHANGE_PENDING" + // running before md_write_start wakeup it + waiting "MD_SB_CHANGE_PENDING" cleared + >>>>>>>>> hung + wakeup mddev->thread + ... + waiting "MD_SB_CHANGE_PENDING" cleared + >>>> hung, raid5d should clear this flag + but get hung by same flag. + +The issue reverted commit fixing is fixed by last patch in a new way. + +Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d") +Cc: stable@vger.kernel.org # v5.19+ +Signed-off-by: Junxiao Bi +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20231108182216.73611-2-junxiao.bi@oracle.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index f3d60c4b34b8..0bea103f63d5 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -36,7 +36,6 @@ + */ + + #include +-#include + #include + #include + #include +@@ -6335,18 +6334,7 @@ static void raid5d(struct md_thread *thread) + spin_unlock_irq(&conf->device_lock); + md_check_recovery(mddev); + spin_lock_irq(&conf->device_lock); +- +- /* +- * Waiting on MD_SB_CHANGE_PENDING below may deadlock +- * seeing md_check_recovery() is needed to clear +- * the flag when using mdmon. +- */ +- continue; + } +- +- wait_event_lock_irq(mddev->sb_wait, +- !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags), +- conf->device_lock); + } + pr_debug("%d stripes handled\n", handled); + +-- +2.43.0 + 
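Review bot: Removing the `wait_event_lock_irq()` on MD_SB_CHANGE_PENDING from raid5d() brings back whatever hang the reverted 5e2cf333b7bd addressed, unless the replacement fix is in the same tree. The description says that issue "is fixed by last patch in a new way", but the series hunk in this commit adds no other md patch. The stable tag also reads `# v5.19+`, while this is the 5.4 queue. Please confirm the companion patch from the same lore series is queued for 5.4, or already applied, before this revert lands. raid5d()'s body starts and ends outside the hunk.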
diff --git a/queue-5.4/series b/queue-5.4/series
index fd80d498f6f..152e7ba73d4 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -250,3 +250,8 @@ bus-moxtet-add-spi-device-table.patch
 arch-mm-remove-stale-mentions-of-disconigmem.patch
 mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch
 kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch
+revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943
+bus-moxtet-add-spi-device-table.patch-27471
+arch-mm-remove-stale-mentions-of-disconigmem.patch-24462
+mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch-10655
+kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch-10468
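Review bot: Four of the five added entries name patches that this file already lists without the numeric suffix. `arch-mm-remove-stale-mentions-of-disconigmem.patch`, `mips-fix-max_mapnr-being-uninitialized-on-early-stag.patch` and `kvm-arm64-vgic-its-avoid-potential-uaf-in-lpi-transl.patch` are the three context lines directly above the additions, and `bus-moxtet-add-spi-device-table.patch` is the section line of the hunk header. If the suffixed files carry the same upstream commits, as their names suggest, the queue would try to apply each change twice. The second application should fail on context, though an additive hunk can also apply at an offset and go unnoticed. I would drop the four duplicates and keep only `revert-md-raid5-wait-for-md_sb_change_pending-in-rai.patch-4943`, after checking that it is not already listed earlier in the file.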