From: Greg Kroah-Hartman Date: Sat, 21 Mar 2026 17:10:37 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.1.167~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8174adf236e4c98a3ac0f2f37571d606b9048f92;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch --- diff --git a/queue-6.1/binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch b/queue-6.1/binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch new file mode 100644 index 0000000000..66793819fa --- /dev/null +++ b/queue-6.1/binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch @@ -0,0 +1,47 @@ +From 90f601b497d76f40fa66795c3ecf625b6aced9fd Mon Sep 17 00:00:00 2001 +From: Zilin Guan +Date: Wed, 5 Nov 2025 02:29:23 +0000 +Subject: binfmt_misc: restore write access before closing files opened by open_exec() + +From: Zilin Guan + +commit 90f601b497d76f40fa66795c3ecf625b6aced9fd upstream. + +bm_register_write() opens an executable file using open_exec(), which +internally calls do_open_execat() and denies write access on the file to +avoid modification while it is being executed. + +However, when an error occurs, bm_register_write() closes the file using +filp_close() directly. This does not restore the write permission, which +may cause subsequent write operations on the same file to fail. + +Fix this by calling exe_file_allow_write_access() before filp_close() to +restore the write permission properly. + +Fixes: e7850f4d844e ("binfmt_misc: fix possible deadlock in bm_register_write") +Signed-off-by: Zilin Guan +Link: https://patch.msgid.link/20251105022923.1813587-1-zilin@seu.edu.cn +Signed-off-by: Christian Brauner +[ Use allow_write_access() instead of exe_file_allow_write_access() +according to commit 0357ef03c94ef +("fs: don't block write during exec on pre-content watched files"). ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_misc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -816,8 +816,10 @@ out: + inode_unlock(d_inode(root)); + + if (err) { +- if (f) ++ if (f) { ++ allow_write_access(f); + filp_close(f, NULL); ++ } + kfree(e); + return err; + } diff --git a/queue-6.1/pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch b/queue-6.1/pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch new file mode 100644 index 0000000000..9f8345324e --- /dev/null +++ b/queue-6.1/pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch @@ -0,0 +1,193 @@ +From 9abf79c8d7b40db0e5a34aa8c744ea60ff9a3fcf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Thu, 29 Jan 2026 18:52:33 +0100 +Subject: PCI/ACPI: Restrict program_hpx_type2() to AER bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Håkon Bugge + +commit 9abf79c8d7b40db0e5a34aa8c744ea60ff9a3fcf upstream. + +Previously program_hpx_type2() applied PCIe settings unconditionally, +which could incorrectly change bits like Extended Tag Field Enable and +Enable Relaxed Ordering. + +When _HPX was added to ACPI r3.0, the intent of the PCIe Setting +Record (Type 2) in sec 6.2.7.3 was to configure AER registers when the +OS does not own the AER Capability: + + The PCI Express setting record contains ... [the AER] Uncorrectable + Error Mask, Uncorrectable Error Severity, Correctable Error Mask + ... to be used when configuring registers in the Advanced Error + Reporting Extended Capability Structure ... + + OSPM [1] will only evaluate _HPX with Setting Record – Type 2 if + OSPM is not controlling the PCI Express Advanced Error Reporting + capability. + +ACPI r3.0b, sec 6.2.7.3, added more AER registers, including registers +in the PCIe Capability with AER-related bits, and the restriction that +the OS use this only when it owns PCIe native hotplug: + + ... when configuring PCI Express registers in the Advanced Error + Reporting Extended Capability Structure *or PCI Express Capability + Structure* ... + + An OS that has assumed ownership of native hot plug but does not + ... have ownership of the AER register set must use ... the Type 2 + record to program the AER registers ... + + However, since the Type 2 record also includes register bits that + have functions other than AER, the OS must ignore values ... that + are not applicable. + +Restrict program_hpx_type2() to only the intended purpose: + + - Apply settings only when OS owns PCIe native hotplug but not AER, + + - Only touch the AER-related bits (Error Reporting Enables) in Device + Control + + - Don't touch Link Control at all, since nothing there seems AER-related, + but log _HPX settings for debugging purposes + +Note that Read Completion Boundary is now configured elsewhere, since it is +unrelated to _HPX. + +[1] Operating System-directed configuration and Power Management + +Fixes: 40abb96c51bb ("[PATCH] pciehp: Fix programming hotplug parameters") +Signed-off-by: Håkon Bugge +Signed-off-by: Bjorn Helgaas +Link: https://patch.msgid.link/20260129175237.727059-3-haakon.bugge@oracle.com +[ Conflict in drivers/pci.h because the context has changed. ] +Signed-off-by: Håkon Bugge +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-acpi.c | 59 +++++++++++++++++++------------------------------ + drivers/pci/pci.h | 3 ++ + drivers/pci/pcie/aer.c | 3 -- + 3 files changed, 27 insertions(+), 38 deletions(-) + +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -246,21 +246,6 @@ static acpi_status decode_type1_hpx_reco + return AE_OK; + } + +-static bool pcie_root_rcb_set(struct pci_dev *dev) +-{ +- struct pci_dev *rp = pcie_find_root_port(dev); +- u16 lnkctl; +- +- if (!rp) +- return false; +- +- pcie_capability_read_word(rp, PCI_EXP_LNKCTL, &lnkctl); +- if (lnkctl & PCI_EXP_LNKCTL_RCB) +- return true; +- +- return false; +-} +- + /* _HPX PCI Express Setting Record (Type 2) */ + struct hpx_type2 { + u32 revision; +@@ -286,6 +271,7 @@ static void program_hpx_type2(struct pci + { + int pos; + u32 reg32; ++ const struct pci_host_bridge *host; + + if (!hpx) + return; +@@ -293,6 +279,15 @@ static void program_hpx_type2(struct pci + if (!pci_is_pcie(dev)) + return; + ++ host = pci_find_host_bridge(dev->bus); ++ ++ /* ++ * Only do the _HPX Type 2 programming if OS owns PCIe native ++ * hotplug but not AER. ++ */ ++ if (!host->native_pcie_hotplug || host->native_aer) ++ return; ++ + if (hpx->revision > 1) { + pci_warn(dev, "PCIe settings rev %d not supported\n", + hpx->revision); +@@ -300,33 +295,27 @@ static void program_hpx_type2(struct pci + } + + /* +- * Don't allow _HPX to change MPS or MRRS settings. We manage +- * those to make sure they're consistent with the rest of the +- * platform. ++ * We only allow _HPX to program DEVCTL bits related to AER, namely ++ * PCI_EXP_DEVCTL_CERE, PCI_EXP_DEVCTL_NFERE, PCI_EXP_DEVCTL_FERE, ++ * and PCI_EXP_DEVCTL_URRE. ++ * ++ * The rest of DEVCTL is managed by the OS to make sure it's ++ * consistent with the rest of the platform. + */ +- hpx->pci_exp_devctl_and |= PCI_EXP_DEVCTL_PAYLOAD | +- PCI_EXP_DEVCTL_READRQ; +- hpx->pci_exp_devctl_or &= ~(PCI_EXP_DEVCTL_PAYLOAD | +- PCI_EXP_DEVCTL_READRQ); ++ hpx->pci_exp_devctl_and |= ~PCI_EXP_AER_FLAGS; ++ hpx->pci_exp_devctl_or &= PCI_EXP_AER_FLAGS; + + /* Initialize Device Control Register */ + pcie_capability_clear_and_set_word(dev, PCI_EXP_DEVCTL, + ~hpx->pci_exp_devctl_and, hpx->pci_exp_devctl_or); + +- /* Initialize Link Control Register */ ++ /* Log if _HPX attempts to modify Link Control Register */ + if (pcie_cap_has_lnkctl(dev)) { +- +- /* +- * If the Root Port supports Read Completion Boundary of +- * 128, set RCB to 128. Otherwise, clear it. +- */ +- hpx->pci_exp_lnkctl_and |= PCI_EXP_LNKCTL_RCB; +- hpx->pci_exp_lnkctl_or &= ~PCI_EXP_LNKCTL_RCB; +- if (pcie_root_rcb_set(dev)) +- hpx->pci_exp_lnkctl_or |= PCI_EXP_LNKCTL_RCB; +- +- pcie_capability_clear_and_set_word(dev, PCI_EXP_LNKCTL, +- ~hpx->pci_exp_lnkctl_and, hpx->pci_exp_lnkctl_or); ++ if (hpx->pci_exp_lnkctl_and != 0xffff || ++ hpx->pci_exp_lnkctl_or != 0) ++ pci_info(dev, "_HPX attempts Link Control setting (AND %#06x OR %#06x)\n", ++ hpx->pci_exp_lnkctl_and, ++ hpx->pci_exp_lnkctl_or); + } + + /* Find Advanced Error Reporting Enhanced Capability */ +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -11,6 +11,9 @@ + + #define PCI_VSEC_ID_INTEL_TBT 0x1234 /* Thunderbolt */ + ++#define PCI_EXP_AER_FLAGS (PCI_EXP_DEVCTL_CERE | PCI_EXP_DEVCTL_NFERE | \ ++ PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE) ++ + extern const unsigned char pcie_link_speed[]; + extern bool pci_early_dump; + +--- a/drivers/pci/pcie/aer.c ++++ b/drivers/pci/pcie/aer.c +@@ -214,9 +214,6 @@ void pcie_ecrc_get_policy(char *str) + } + #endif /* CONFIG_PCIE_ECRC */ + +-#define PCI_EXP_AER_FLAGS (PCI_EXP_DEVCTL_CERE | PCI_EXP_DEVCTL_NFERE | \ +- PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE) +- + int pcie_aer_is_native(struct pci_dev *dev) + { + struct pci_host_bridge *host = pci_find_host_bridge(dev->bus); diff --git a/queue-6.1/series b/queue-6.1/series index 9da5f9b84c..ae3a2b0d05 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -394,3 +394,5 @@ eth-bnxt-always-recalculate-features-after-xdp-clearing-fix-null-deref.patch spi-cadence-quadspi-implement-refcount-to-handle-unbind-during-busy.patch drm-amdgpu-drop-redundant-sched-job-cleanup-when-cs-is-aborted.patch net-stmmac-remove-support-for-lpi_intr_o.patch +pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch +binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch