From 206fe2aef886e1116ba60a12012da4976eb94666 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 19 Feb 2024 17:50:43 +0100 Subject: [PATCH] 6.1-stable patches added patches: alsa-hda-cs8409-suppress-vmaster-control-for-dolphin-models.patch alsa-hda-realtek-apply-headset-jack-quirk-for-non-bass-alc287-thinkpads.patch alsa-hda-realtek-enable-headset-mic-on-vaio-vjfe-adl.patch alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power.patch asoc-codecs-wcd938x-handle-deferred-probe.patch binder-signal-epoll-threads-of-self-work.patch drm-virtio-set-segment-size-for-virtio_gpu-device.patch ext4-avoid-bb_free-and-bb_fragments-inconsistency-in-mb_free_blocks.patch ext4-fix-double-free-of-blocks-due-to-wrong-extents-moved_len.patch firewire-core-correct-documentation-of-fw_csr_string-kernel-api.patch iio-accel-bma400-fix-a-compilation-problem.patch iio-adc-ad_sigma_delta-ensure-proper-dma-alignment.patch iio-commom-st_sensors-ensure-proper-dma-alignment.patch iio-core-fix-memleak-in-iio_device_register_sysfs.patch iio-imu-adis-ensure-proper-dma-alignment.patch iio-imu-bno055-serdev-requires-regmap.patch iio-magnetometer-rm3100-add-boundary-check-for-the-value-read-from-rm3100_reg_tmrc.patch kbuild-fix-changing-elf-file-type-for-output-of-gen_btf-for-big-endian.patch lsm-fix-the-logic-in-security_inode_getsecctx.patch media-rc-bpf-attach-detach-requires-write-permission.patch media-revert-media-rkisp1-drop-irqf_shared.patch misc-fastrpc-mark-all-sessions-as-invalid-in-cb_remove.patch mptcp-check-addrs-list-in-userspace_pm_get_local_id.patch mptcp-drop-the-push_pending-field.patch mptcp-fix-data-re-injection-from-stale-subflow.patch mptcp-get-rid-of-msk-subflow.patch net-hsr-remove-warn_once-in-send_hsr_supervision_frame.patch net-stmmac-do-not-clear-tbs-enable-bit-on-link-up-down.patch nfc-nci-free-rx_data_reassembly-skb-on-nci-device-cleanup.patch revert-drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch scsi-revert-scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch selftests-mptcp-add-missing-kconfig-for-nf-filter-in-v6.patch selftests-mptcp-add-missing-kconfig-for-nf-filter.patch selftests-mptcp-add-missing-kconfig-for-nf-mangle.patch selftests-mptcp-increase-timeout-to-30-min.patch staging-iio-ad5933-fix-type-mismatch-regression.patch tracing-fix-wasted-memory-in-saved_cmdlines-logic.patch um-fix-adding-no-pie-for-clang.patch xen-netback-properly-sync-tx-responses.patch --- ...s-vmaster-control-for-dolphin-models.patch | 35 +++ ...-quirk-for-non-bass-alc287-thinkpads.patch | 52 +++++ ...-enable-headset-mic-on-vaio-vjfe-adl.patch | 31 +++ ...mute-micmute-leds-for-hp-zbook-power.patch | 33 +++ ...codecs-wcd938x-handle-deferred-probe.patch | 37 ++++ ...er-signal-epoll-threads-of-self-work.patch | 55 +++++ ...t-segment-size-for-virtio_gpu-device.patch | 37 ++++ ...ents-inconsistency-in-mb_free_blocks.patch | 101 +++++++++ ...locks-due-to-wrong-extents-moved_len.patch | 68 ++++++ ...entation-of-fw_csr_string-kernel-api.patch | 39 ++++ ...cel-bma400-fix-a-compilation-problem.patch | 43 ++++ ...ma_delta-ensure-proper-dma-alignment.patch | 48 ++++ ..._sensors-ensure-proper-dma-alignment.patch | 45 ++++ ...memleak-in-iio_device_register_sysfs.patch | 40 ++++ ...imu-adis-ensure-proper-dma-alignment.patch | 47 ++++ ...io-imu-bno055-serdev-requires-regmap.patch | 58 +++++ ...-the-value-read-from-rm3100_reg_tmrc.patch | 52 +++++ ...for-output-of-gen_btf-for-big-endian.patch | 75 +++++++ ...he-logic-in-security_inode_getsecctx.patch | 60 +++++ ...ach-detach-requires-write-permission.patch | 82 +++++++ ...revert-media-rkisp1-drop-irqf_shared.patch | 38 ++++ ...all-sessions-as-invalid-in-cb_remove.patch | 36 +++ ...rs-list-in-userspace_pm_get_local_id.patch | 50 +++++ .../mptcp-drop-the-push_pending-field.patch | 84 +++++++ ...data-re-injection-from-stale-subflow.patch | 52 +++++ queue-6.1/mptcp-get-rid-of-msk-subflow.patch | 182 ++++++++++++++++ ...n_once-in-send_hsr_supervision_frame.patch | 72 ++++++ ...clear-tbs-enable-bit-on-link-up-down.patch | 36 +++ ...reassembly-skb-on-nci-device-cleanup.patch | 45 ++++ ...-any-delayed-gfxoff-on-suspend-entry.patch | 58 +++++ ...-potential-deadlock-on-fip-ctlr_lock.patch | 113 ++++++++++ ...-missing-kconfig-for-nf-filter-in-v6.patch | 39 ++++ ...cp-add-missing-kconfig-for-nf-filter.patch | 38 ++++ ...cp-add-missing-kconfig-for-nf-mangle.patch | 37 ++++ ...sts-mptcp-increase-timeout-to-30-min.patch | 43 ++++ queue-6.1/series | 39 ++++ ...-ad5933-fix-type-mismatch-regression.patch | 42 ++++ ...asted-memory-in-saved_cmdlines-logic.patch | 181 ++++++++++++++++ .../um-fix-adding-no-pie-for-clang.patch | 63 ++++++ ...n-netback-properly-sync-tx-responses.patch | 205 ++++++++++++++++++ 40 files changed, 2491 insertions(+) create mode 100644 queue-6.1/alsa-hda-cs8409-suppress-vmaster-control-for-dolphin-models.patch create mode 100644 queue-6.1/alsa-hda-realtek-apply-headset-jack-quirk-for-non-bass-alc287-thinkpads.patch create mode 100644 queue-6.1/alsa-hda-realtek-enable-headset-mic-on-vaio-vjfe-adl.patch create mode 100644 queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power.patch create mode 100644 queue-6.1/asoc-codecs-wcd938x-handle-deferred-probe.patch create mode 100644 queue-6.1/binder-signal-epoll-threads-of-self-work.patch create mode 100644 queue-6.1/drm-virtio-set-segment-size-for-virtio_gpu-device.patch create mode 100644 queue-6.1/ext4-avoid-bb_free-and-bb_fragments-inconsistency-in-mb_free_blocks.patch create mode 100644 queue-6.1/ext4-fix-double-free-of-blocks-due-to-wrong-extents-moved_len.patch create mode 100644 queue-6.1/firewire-core-correct-documentation-of-fw_csr_string-kernel-api.patch create mode 100644 queue-6.1/iio-accel-bma400-fix-a-compilation-problem.patch create mode 100644 queue-6.1/iio-adc-ad_sigma_delta-ensure-proper-dma-alignment.patch create mode 100644 queue-6.1/iio-commom-st_sensors-ensure-proper-dma-alignment.patch create mode 100644 queue-6.1/iio-core-fix-memleak-in-iio_device_register_sysfs.patch create mode 100644 queue-6.1/iio-imu-adis-ensure-proper-dma-alignment.patch create mode 100644 queue-6.1/iio-imu-bno055-serdev-requires-regmap.patch create mode 100644 queue-6.1/iio-magnetometer-rm3100-add-boundary-check-for-the-value-read-from-rm3100_reg_tmrc.patch create mode 100644 queue-6.1/kbuild-fix-changing-elf-file-type-for-output-of-gen_btf-for-big-endian.patch create mode 100644 queue-6.1/lsm-fix-the-logic-in-security_inode_getsecctx.patch create mode 100644 queue-6.1/media-rc-bpf-attach-detach-requires-write-permission.patch create mode 100644 queue-6.1/media-revert-media-rkisp1-drop-irqf_shared.patch create mode 100644 queue-6.1/misc-fastrpc-mark-all-sessions-as-invalid-in-cb_remove.patch create mode 100644 queue-6.1/mptcp-check-addrs-list-in-userspace_pm_get_local_id.patch create mode 100644 queue-6.1/mptcp-drop-the-push_pending-field.patch create mode 100644 queue-6.1/mptcp-fix-data-re-injection-from-stale-subflow.patch create mode 100644 queue-6.1/mptcp-get-rid-of-msk-subflow.patch create mode 100644 queue-6.1/net-hsr-remove-warn_once-in-send_hsr_supervision_frame.patch create mode 100644 queue-6.1/net-stmmac-do-not-clear-tbs-enable-bit-on-link-up-down.patch create mode 100644 queue-6.1/nfc-nci-free-rx_data_reassembly-skb-on-nci-device-cleanup.patch create mode 100644 queue-6.1/revert-drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch create mode 100644 queue-6.1/scsi-revert-scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch create mode 100644 queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter-in-v6.patch create mode 100644 queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter.patch create mode 100644 queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-mangle.patch create mode 100644 queue-6.1/selftests-mptcp-increase-timeout-to-30-min.patch create mode 100644 queue-6.1/staging-iio-ad5933-fix-type-mismatch-regression.patch create mode 100644 queue-6.1/tracing-fix-wasted-memory-in-saved_cmdlines-logic.patch create mode 100644 queue-6.1/um-fix-adding-no-pie-for-clang.patch create mode 100644 queue-6.1/xen-netback-properly-sync-tx-responses.patch diff --git a/queue-6.1/alsa-hda-cs8409-suppress-vmaster-control-for-dolphin-models.patch b/queue-6.1/alsa-hda-cs8409-suppress-vmaster-control-for-dolphin-models.patch new file mode 100644 index 00000000000..2e708a76fb1 --- /dev/null +++ b/queue-6.1/alsa-hda-cs8409-suppress-vmaster-control-for-dolphin-models.patch @@ -0,0 +1,35 @@ +From a2ed0a44d637ef9deca595054c206da7d6cbdcbc Mon Sep 17 00:00:00 2001 +From: Vitaly Rodionov +Date: Mon, 22 Jan 2024 18:47:10 +0000 +Subject: ALSA: hda/cs8409: Suppress vmaster control for Dolphin models + +From: Vitaly Rodionov + +commit a2ed0a44d637ef9deca595054c206da7d6cbdcbc upstream. + +Customer has reported an issue with specific desktop platform +where two CS42L42 codecs are connected to CS8409 HDA bridge. +If "Master Volume Control" is created then on Ubuntu OS UCM +left/right balance slider in UI audio settings has no effect. +This patch will fix this issue for a target paltform. + +Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin") +Signed-off-by: Vitaly Rodionov +Cc: +Link: https://lore.kernel.org/r/20240122184710.5802-1-vitalyr@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_cs8409.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_cs8409.c ++++ b/sound/pci/hda/patch_cs8409.c +@@ -1371,6 +1371,7 @@ void dolphin_fixups(struct hda_codec *co + spec->scodecs[CS8409_CODEC1] = &dolphin_cs42l42_1; + spec->scodecs[CS8409_CODEC1]->codec = codec; + spec->num_scodecs = 2; ++ spec->gen.suppress_vmaster = 1; + + codec->patch_ops = cs8409_dolphin_patch_ops; + diff --git a/queue-6.1/alsa-hda-realtek-apply-headset-jack-quirk-for-non-bass-alc287-thinkpads.patch b/queue-6.1/alsa-hda-realtek-apply-headset-jack-quirk-for-non-bass-alc287-thinkpads.patch new file mode 100644 index 00000000000..750b728f383 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-apply-headset-jack-quirk-for-non-bass-alc287-thinkpads.patch @@ -0,0 +1,52 @@ +From 2468e8922d2f6da81a6192b73023eff67e3fefdd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Relvas?= +Date: Wed, 31 Jan 2024 11:34:09 +0000 +Subject: ALSA: hda/realtek: Apply headset jack quirk for non-bass alc287 thinkpads +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Relvas + +commit 2468e8922d2f6da81a6192b73023eff67e3fefdd upstream. + +There currently exists two thinkpad headset jack fixups: +ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK +ALC285_FIXUP_THINKPAD_HEADSET_JACK + +The latter is applied to alc285 and alc287 thinkpads which contain +bass speakers. +However, the former was only being applied to alc285 thinkpads, +leaving non-bass alc287 thinkpads with no headset button controls. +This patch fixes that by adding ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK +to the alc287 chains, allowing the detection of headset buttons. + +Signed-off-by: José Relvas +Cc: +Link: https://lore.kernel.org/r/20240131113407.34698-3-josemonsantorelvas@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9377,7 +9377,7 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = cs35l41_fixup_i2c_two, + .chained = true, +- .chain_id = ALC269_FIXUP_THINKPAD_ACPI, ++ .chain_id = ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK, + }, + [ALC245_FIXUP_HP_MUTE_LED_COEFBIT] = { + .type = HDA_FIXUP_FUNC, +@@ -9392,6 +9392,8 @@ static const struct hda_fixup alc269_fix + [ALC287_FIXUP_THINKPAD_I2S_SPK] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc287_fixup_bind_dacs, ++ .chained = true, ++ .chain_id = ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK, + }, + [ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD] = { + .type = HDA_FIXUP_FUNC, diff --git a/queue-6.1/alsa-hda-realtek-enable-headset-mic-on-vaio-vjfe-adl.patch b/queue-6.1/alsa-hda-realtek-enable-headset-mic-on-vaio-vjfe-adl.patch new file mode 100644 index 00000000000..b2bc36bdb07 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-enable-headset-mic-on-vaio-vjfe-adl.patch @@ -0,0 +1,31 @@ +From c7de2d9bb68a5fc71c25ff96705a80a76c8436eb Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Thu, 1 Feb 2024 09:21:14 -0300 +Subject: ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL + +From: Edson Juliano Drosdeck + +commit c7de2d9bb68a5fc71c25ff96705a80a76c8436eb upstream. + +Vaio VJFE-ADL is equipped with ALC269VC, and it needs +ALC298_FIXUP_SPK_VOLUME quirk to make its headset mic work. + +Signed-off-by: Edson Juliano Drosdeck +Cc: +Link: https://lore.kernel.org/r/20240201122114.30080-1-edson.drosdeck@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10053,6 +10053,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC), + SND_PCI_QUIRK(0x2782, 0x0232, "CHUWI CoreBook XPro", ALC269VB_FIXUP_CHUWI_COREBOOK_XPRO), ++ SND_PCI_QUIRK(0x2782, 0x1707, "Vaio VJFE-ADL", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC), + SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED), + SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10), diff --git a/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power.patch b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power.patch new file mode 100644 index 00000000000..992a8daa714 --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power.patch @@ -0,0 +1,33 @@ +From 1513664f340289cf10402753110f3cff12a738aa Mon Sep 17 00:00:00 2001 +From: Andy Chi +Date: Mon, 22 Jan 2024 15:48:24 +0800 +Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power + +From: Andy Chi + +commit 1513664f340289cf10402753110f3cff12a738aa upstream. + +The HP ZBook Power using ALC236 codec which using 0x02 to +control mute LED and 0x01 to control micmute LED. +Therefore, add a quirk to make it works. + +Signed-off-by: Andy Chi +Cc: +Link: https://lore.kernel.org/r/20240122074826.1020964-1-andy.chi@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9726,6 +9726,8 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8c97, "HP ZBook", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8ca1, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8cf5, "HP ZBook Studio 16", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED), diff --git a/queue-6.1/asoc-codecs-wcd938x-handle-deferred-probe.patch b/queue-6.1/asoc-codecs-wcd938x-handle-deferred-probe.patch new file mode 100644 index 00000000000..30e6cae23c1 --- /dev/null +++ b/queue-6.1/asoc-codecs-wcd938x-handle-deferred-probe.patch @@ -0,0 +1,37 @@ +From 086df711d9b886194481b4fbe525eb43e9ae7403 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 17 Jan 2024 16:12:06 +0100 +Subject: ASoC: codecs: wcd938x: handle deferred probe + +From: Krzysztof Kozlowski + +commit 086df711d9b886194481b4fbe525eb43e9ae7403 upstream. + +WCD938x sound codec driver ignores return status of getting regulators +and returns EINVAL instead of EPROBE_DEFER. If regulator provider +probes after the codec, system is left without probed audio: + + wcd938x_codec audio-codec: wcd938x_probe: Fail to obtain platform data + wcd938x_codec: probe of audio-codec failed with error -22 + +Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver") +Cc: +Signed-off-by: Krzysztof Kozlowski +Link: https://msgid.link/r/20240117151208.1219755-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3588,7 +3588,7 @@ static int wcd938x_probe(struct platform + ret = wcd938x_populate_dt_data(wcd938x, dev); + if (ret) { + dev_err(dev, "%s: Fail to obtain platform data\n", __func__); +- return -EINVAL; ++ return ret; + } + + ret = wcd938x_add_slave_components(wcd938x, dev, &match); diff --git a/queue-6.1/binder-signal-epoll-threads-of-self-work.patch b/queue-6.1/binder-signal-epoll-threads-of-self-work.patch new file mode 100644 index 00000000000..a620eeaae93 --- /dev/null +++ b/queue-6.1/binder-signal-epoll-threads-of-self-work.patch @@ -0,0 +1,55 @@ +From 97830f3c3088638ff90b20dfba2eb4d487bf14d7 Mon Sep 17 00:00:00 2001 +From: Carlos Llamas +Date: Wed, 31 Jan 2024 21:53:46 +0000 +Subject: binder: signal epoll threads of self-work +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Carlos Llamas + +commit 97830f3c3088638ff90b20dfba2eb4d487bf14d7 upstream. + +In (e)poll mode, threads often depend on I/O events to determine when +data is ready for consumption. Within binder, a thread may initiate a +command via BINDER_WRITE_READ without a read buffer and then make use +of epoll_wait() or similar to consume any responses afterwards. + +It is then crucial that epoll threads are signaled via wakeup when they +queue their own work. Otherwise, they risk waiting indefinitely for an +event leaving their work unhandled. What is worse, subsequent commands +won't trigger a wakeup either as the thread has pending work. + +Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") +Cc: Arve Hjønnevåg +Cc: Martijn Coenen +Cc: Alice Ryhl +Cc: Steven Moreland +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Carlos Llamas +Link: https://lore.kernel.org/r/20240131215347.1808751-1-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -477,6 +477,16 @@ binder_enqueue_thread_work_ilocked(struc + { + WARN_ON(!list_empty(&thread->waiting_thread_node)); + binder_enqueue_work_ilocked(work, &thread->todo); ++ ++ /* (e)poll-based threads require an explicit wakeup signal when ++ * queuing their own work; they rely on these events to consume ++ * messages without I/O block. Without it, threads risk waiting ++ * indefinitely without handling the work. ++ */ ++ if (thread->looper & BINDER_LOOPER_STATE_POLL && ++ thread->pid == current->pid && !thread->process_todo) ++ wake_up_interruptible_sync(&thread->wait); ++ + thread->process_todo = true; + } + diff --git a/queue-6.1/drm-virtio-set-segment-size-for-virtio_gpu-device.patch b/queue-6.1/drm-virtio-set-segment-size-for-virtio_gpu-device.patch new file mode 100644 index 00000000000..22e2b39d403 --- /dev/null +++ b/queue-6.1/drm-virtio-set-segment-size-for-virtio_gpu-device.patch @@ -0,0 +1,37 @@ +From 9c64e749cebd9c2d3d55261530a98bcccb83b950 Mon Sep 17 00:00:00 2001 +From: Sebastian Ott +Date: Tue, 23 Jan 2024 19:14:14 +0100 +Subject: drm/virtio: Set segment size for virtio_gpu device + +From: Sebastian Ott + +commit 9c64e749cebd9c2d3d55261530a98bcccb83b950 upstream. + +Set the segment size of the virtio_gpu device to the value +used by the drm helpers when allocating sg lists to fix the +following complaint from DMA_API debug code: + +DMA-API: virtio-pci 0000:07:00.0: mapping sg segment longer than +device claims to support [len=262144] [max=65536] + +Cc: stable@vger.kernel.org +Tested-by: Zhenyu Zhang +Acked-by: Vivek Kasireddy +Signed-off-by: Sebastian Ott +Signed-off-by: Dmitry Osipenko +Link: https://patchwork.freedesktop.org/patch/msgid/7258a4cc-da16-5c34-a042-2a23ee396d56@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/virtio/virtgpu_drv.c ++++ b/drivers/gpu/drm/virtio/virtgpu_drv.c +@@ -93,6 +93,7 @@ static int virtio_gpu_probe(struct virti + goto err_free; + } + ++ dma_set_max_seg_size(dev->dev, dma_max_mapping_size(dev->dev) ?: UINT_MAX); + ret = virtio_gpu_init(vdev, dev); + if (ret) + goto err_free; diff --git a/queue-6.1/ext4-avoid-bb_free-and-bb_fragments-inconsistency-in-mb_free_blocks.patch b/queue-6.1/ext4-avoid-bb_free-and-bb_fragments-inconsistency-in-mb_free_blocks.patch new file mode 100644 index 00000000000..ec7bb1bda78 --- /dev/null +++ b/queue-6.1/ext4-avoid-bb_free-and-bb_fragments-inconsistency-in-mb_free_blocks.patch @@ -0,0 +1,101 @@ +From 2331fd4a49864e1571b4f50aa3aa1536ed6220d0 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 4 Jan 2024 22:20:36 +0800 +Subject: ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks() + +From: Baokun Li + +commit 2331fd4a49864e1571b4f50aa3aa1536ed6220d0 upstream. + +After updating bb_free in mb_free_blocks, it is possible to return without +updating bb_fragments because the block being freed is found to have +already been freed, which leads to inconsistency between bb_free and +bb_fragments. + +Since the group may be unlocked in ext4_grp_locked_error(), this can lead +to problems such as dividing by zero when calculating the average fragment +length. Hence move the update of bb_free to after the block double-free +check guarantees that the corresponding statistics are updated only after +the core block bitmap is modified. + +Fixes: eabe0444df90 ("ext4: speed-up releasing blocks on commit") +CC: # 3.10 +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240104142040.2835097-5-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 39 +++++++++++++++++++++------------------ + 1 file changed, 21 insertions(+), 18 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -1785,11 +1785,6 @@ static void mb_free_blocks(struct inode + mb_check_buddy(e4b); + mb_free_blocks_double(inode, e4b, first, count); + +- this_cpu_inc(discard_pa_seq); +- e4b->bd_info->bb_free += count; +- if (first < e4b->bd_info->bb_first_free) +- e4b->bd_info->bb_first_free = first; +- + /* access memory sequentially: check left neighbour, + * clear range and then check right neighbour + */ +@@ -1803,23 +1798,31 @@ static void mb_free_blocks(struct inode + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t blocknr; + ++ /* ++ * Fastcommit replay can free already freed blocks which ++ * corrupts allocation info. Regenerate it. ++ */ ++ if (sbi->s_mount_state & EXT4_FC_REPLAY) { ++ mb_regenerate_buddy(e4b); ++ goto check; ++ } ++ + blocknr = ext4_group_first_block_no(sb, e4b->bd_group); + blocknr += EXT4_C2B(sbi, block); +- if (!(sbi->s_mount_state & EXT4_FC_REPLAY)) { +- ext4_grp_locked_error(sb, e4b->bd_group, +- inode ? inode->i_ino : 0, +- blocknr, +- "freeing already freed block (bit %u); block bitmap corrupt.", +- block); +- ext4_mark_group_bitmap_corrupted( +- sb, e4b->bd_group, ++ ext4_grp_locked_error(sb, e4b->bd_group, ++ inode ? inode->i_ino : 0, blocknr, ++ "freeing already freed block (bit %u); block bitmap corrupt.", ++ block); ++ ext4_mark_group_bitmap_corrupted(sb, e4b->bd_group, + EXT4_GROUP_INFO_BBITMAP_CORRUPT); +- } else { +- mb_regenerate_buddy(e4b); +- } +- goto done; ++ return; + } + ++ this_cpu_inc(discard_pa_seq); ++ e4b->bd_info->bb_free += count; ++ if (first < e4b->bd_info->bb_first_free) ++ e4b->bd_info->bb_first_free = first; ++ + /* let's maintain fragments counter */ + if (left_is_free && right_is_free) + e4b->bd_info->bb_fragments--; +@@ -1844,9 +1847,9 @@ static void mb_free_blocks(struct inode + if (first <= last) + mb_buddy_mark_free(e4b, first >> 1, last >> 1); + +-done: + mb_set_largest_free_order(sb, e4b->bd_info); + mb_update_avg_fragment_size(sb, e4b->bd_info); ++check: + mb_check_buddy(e4b); + } + diff --git a/queue-6.1/ext4-fix-double-free-of-blocks-due-to-wrong-extents-moved_len.patch b/queue-6.1/ext4-fix-double-free-of-blocks-due-to-wrong-extents-moved_len.patch new file mode 100644 index 00000000000..375c2e77aba --- /dev/null +++ b/queue-6.1/ext4-fix-double-free-of-blocks-due-to-wrong-extents-moved_len.patch @@ -0,0 +1,68 @@ +From 55583e899a5357308274601364741a83e78d6ac4 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 4 Jan 2024 22:20:33 +0800 +Subject: ext4: fix double-free of blocks due to wrong extents moved_len + +From: Baokun Li + +commit 55583e899a5357308274601364741a83e78d6ac4 upstream. + +In ext4_move_extents(), moved_len is only updated when all moves are +successfully executed, and only discards orig_inode and donor_inode +preallocations when moved_len is not zero. When the loop fails to exit +after successfully moving some extents, moved_len is not updated and +remains at 0, so it does not discard the preallocations. + +If the moved extents overlap with the preallocated extents, the +overlapped extents are freed twice in ext4_mb_release_inode_pa() and +ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4: +Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is +incremented twice. Hence when trim is executed, a zero-division bug is +triggered in mb_update_avg_fragment_size() because bb_free is not zero +and bb_fragments is zero. + +Therefore, update move_len after each extent move to avoid the issue. + +Reported-by: Wei Chen +Reported-by: xingwei lee +Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@mail.gmail.com +Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base") +CC: # 3.18 +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240104142040.2835097-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/move_extent.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/ext4/move_extent.c ++++ b/fs/ext4/move_extent.c +@@ -621,6 +621,7 @@ ext4_move_extents(struct file *o_filp, s + goto out; + o_end = o_start + len; + ++ *moved_len = 0; + while (o_start < o_end) { + struct ext4_extent *ex; + ext4_lblk_t cur_blk, next_blk; +@@ -675,7 +676,7 @@ ext4_move_extents(struct file *o_filp, s + */ + ext4_double_up_write_data_sem(orig_inode, donor_inode); + /* Swap original branches with new branches */ +- move_extent_per_page(o_filp, donor_inode, ++ *moved_len += move_extent_per_page(o_filp, donor_inode, + orig_page_index, donor_page_index, + offset_in_page, cur_len, + unwritten, &ret); +@@ -685,9 +686,6 @@ ext4_move_extents(struct file *o_filp, s + o_start += cur_len; + d_start += cur_len; + } +- *moved_len = o_start - orig_blk; +- if (*moved_len > len) +- *moved_len = len; + + out: + if (*moved_len) { diff --git a/queue-6.1/firewire-core-correct-documentation-of-fw_csr_string-kernel-api.patch b/queue-6.1/firewire-core-correct-documentation-of-fw_csr_string-kernel-api.patch new file mode 100644 index 00000000000..f08adea7f09 --- /dev/null +++ b/queue-6.1/firewire-core-correct-documentation-of-fw_csr_string-kernel-api.patch @@ -0,0 +1,39 @@ +From 5f9ab17394f831cb7986ec50900fa37507a127f1 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Thu, 1 Feb 2024 20:53:18 +0900 +Subject: firewire: core: correct documentation of fw_csr_string() kernel API + +From: Takashi Sakamoto + +commit 5f9ab17394f831cb7986ec50900fa37507a127f1 upstream. + +Against its current description, the kernel API can accepts all types of +directory entries. + +This commit corrects the documentation. + +Cc: stable@vger.kernel.org +Fixes: 3c2c58cb33b3 ("firewire: core: fw_csr_string addendum") +Link: https://lore.kernel.org/r/20240130100409.30128-2-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Sakamoto +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/core-device.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/firewire/core-device.c ++++ b/drivers/firewire/core-device.c +@@ -100,10 +100,9 @@ static int textual_leaf_to_string(const + * @buf: where to put the string + * @size: size of @buf, in bytes + * +- * The string is taken from a minimal ASCII text descriptor leaf after +- * the immediate entry with @key. The string is zero-terminated. +- * An overlong string is silently truncated such that it and the +- * zero byte fit into @size. ++ * The string is taken from a minimal ASCII text descriptor leaf just after the entry with the ++ * @key. The string is zero-terminated. An overlong string is silently truncated such that it ++ * and the zero byte fit into @size. + * + * Returns strlen(buf) or a negative error code. + */ diff --git a/queue-6.1/iio-accel-bma400-fix-a-compilation-problem.patch b/queue-6.1/iio-accel-bma400-fix-a-compilation-problem.patch new file mode 100644 index 00000000000..41c0e8d73ac --- /dev/null +++ b/queue-6.1/iio-accel-bma400-fix-a-compilation-problem.patch @@ -0,0 +1,43 @@ +From 4cb81840d8f29b66d9d05c6d7f360c9560f7e2f4 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 31 Jan 2024 16:52:46 -0600 +Subject: iio: accel: bma400: Fix a compilation problem + +From: Mario Limonciello + +commit 4cb81840d8f29b66d9d05c6d7f360c9560f7e2f4 upstream. + +The kernel fails when compiling without `CONFIG_REGMAP_I2C` but with +`CONFIG_BMA400`. +``` +ld: drivers/iio/accel/bma400_i2c.o: in function `bma400_i2c_probe': +bma400_i2c.c:(.text+0x23): undefined reference to `__devm_regmap_init_i2c' +``` + +Link: https://download.01.org/0day-ci/archive/20240131/202401311634.FE5CBVwe-lkp@intel.com/config +Fixes: 465c811f1f20 ("iio: accel: Add driver for the BMA400") +Fixes: 9bea10642396 ("iio: accel: bma400: add support for bma400 spi") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20240131225246.14169-1-mario.limonciello@amd.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/accel/Kconfig ++++ b/drivers/iio/accel/Kconfig +@@ -219,10 +219,12 @@ config BMA400 + + config BMA400_I2C + tristate ++ select REGMAP_I2C + depends on BMA400 + + config BMA400_SPI + tristate ++ select REGMAP_SPI + depends on BMA400 + + config BMC150_ACCEL diff --git a/queue-6.1/iio-adc-ad_sigma_delta-ensure-proper-dma-alignment.patch b/queue-6.1/iio-adc-ad_sigma_delta-ensure-proper-dma-alignment.patch new file mode 100644 index 00000000000..00ee4b9ff65 --- /dev/null +++ b/queue-6.1/iio-adc-ad_sigma_delta-ensure-proper-dma-alignment.patch @@ -0,0 +1,48 @@ +From 59598510be1d49e1cff7fd7593293bb8e1b2398b Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Wed, 17 Jan 2024 13:41:03 +0100 +Subject: iio: adc: ad_sigma_delta: ensure proper DMA alignment + +From: Nuno Sa + +commit 59598510be1d49e1cff7fd7593293bb8e1b2398b upstream. + +Aligning the buffer to the L1 cache is not sufficient in some platforms +as they might have larger cacheline sizes for caches after L1 and thus, +we can't guarantee DMA safety. + +That was the whole reason to introduce IIO_DMA_MINALIGN in [1]. Do the same +for the sigma_delta ADCs. + +[1]: https://lore.kernel.org/linux-iio/20220508175712.647246-2-jic23@kernel.org/ + +Fixes: 0fb6ee8d0b5e ("iio: ad_sigma_delta: Don't put SPI transfer buffer on the stack") +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20240117-dev_sigma_delta_no_irq_flags-v1-1-db39261592cf@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/iio/adc/ad_sigma_delta.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/include/linux/iio/adc/ad_sigma_delta.h ++++ b/include/linux/iio/adc/ad_sigma_delta.h +@@ -8,6 +8,8 @@ + #ifndef __AD_SIGMA_DELTA_H__ + #define __AD_SIGMA_DELTA_H__ + ++#include ++ + enum ad_sigma_delta_mode { + AD_SD_MODE_CONTINUOUS = 0, + AD_SD_MODE_SINGLE = 1, +@@ -99,7 +101,7 @@ struct ad_sigma_delta { + * 'rx_buf' is up to 32 bits per sample + 64 bit timestamp, + * rounded to 16 bytes to take into account padding. + */ +- uint8_t tx_buf[4] ____cacheline_aligned; ++ uint8_t tx_buf[4] __aligned(IIO_DMA_MINALIGN); + uint8_t rx_buf[16] __aligned(8); + }; + diff --git a/queue-6.1/iio-commom-st_sensors-ensure-proper-dma-alignment.patch b/queue-6.1/iio-commom-st_sensors-ensure-proper-dma-alignment.patch new file mode 100644 index 00000000000..02568002045 --- /dev/null +++ b/queue-6.1/iio-commom-st_sensors-ensure-proper-dma-alignment.patch @@ -0,0 +1,45 @@ +From 862cf85fef85becc55a173387527adb4f076fab0 Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Wed, 31 Jan 2024 10:16:47 +0100 +Subject: iio: commom: st_sensors: ensure proper DMA alignment + +From: Nuno Sa + +commit 862cf85fef85becc55a173387527adb4f076fab0 upstream. + +Aligning the buffer to the L1 cache is not sufficient in some platforms +as they might have larger cacheline sizes for caches after L1 and thus, +we can't guarantee DMA safety. + +That was the whole reason to introduce IIO_DMA_MINALIGN in [1]. Do the same +for st_sensors common buffer. + +While at it, moved the odr_lock before buffer_data as we definitely +don't want any other data to share a cacheline with the buffer. + +[1]: https://lore.kernel.org/linux-iio/20220508175712.647246-2-jic23@kernel.org/ + +Fixes: e031d5f558f1 ("iio:st_sensors: remove buffer allocation at each buffer enable") +Signed-off-by: Nuno Sa +Cc: +Link: https://lore.kernel.org/r/20240131-dev_dma_safety_stm-v2-1-580c07fae51b@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/iio/common/st_sensors.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/iio/common/st_sensors.h ++++ b/include/linux/iio/common/st_sensors.h +@@ -261,9 +261,9 @@ struct st_sensor_data { + bool hw_irq_trigger; + s64 hw_timestamp; + +- char buffer_data[ST_SENSORS_MAX_BUFFER_SIZE] ____cacheline_aligned; +- + struct mutex odr_lock; ++ ++ char buffer_data[ST_SENSORS_MAX_BUFFER_SIZE] __aligned(IIO_DMA_MINALIGN); + }; + + #ifdef CONFIG_IIO_BUFFER diff --git a/queue-6.1/iio-core-fix-memleak-in-iio_device_register_sysfs.patch b/queue-6.1/iio-core-fix-memleak-in-iio_device_register_sysfs.patch new file mode 100644 index 00000000000..01d83e7691c --- /dev/null +++ b/queue-6.1/iio-core-fix-memleak-in-iio_device_register_sysfs.patch @@ -0,0 +1,40 @@ +From 95a0d596bbd0552a78e13ced43f2be1038883c81 Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Fri, 8 Dec 2023 15:31:19 +0800 +Subject: iio: core: fix memleak in iio_device_register_sysfs + +From: Dinghao Liu + +commit 95a0d596bbd0552a78e13ced43f2be1038883c81 upstream. + +When iio_device_register_sysfs_group() fails, we should +free iio_dev_opaque->chan_attr_group.attrs to prevent +potential memleak. + +Fixes: 32f171724e5c ("iio: core: rework iio device group creation") +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20231208073119.29283-1-dinghao.liu@zju.edu.cn +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1601,10 +1601,13 @@ static int iio_device_register_sysfs(str + ret = iio_device_register_sysfs_group(indio_dev, + &iio_dev_opaque->chan_attr_group); + if (ret) +- goto error_clear_attrs; ++ goto error_free_chan_attrs; + + return 0; + ++error_free_chan_attrs: ++ kfree(iio_dev_opaque->chan_attr_group.attrs); ++ iio_dev_opaque->chan_attr_group.attrs = NULL; + error_clear_attrs: + iio_free_chan_devattr_list(&iio_dev_opaque->channel_attr_list); + diff --git a/queue-6.1/iio-imu-adis-ensure-proper-dma-alignment.patch b/queue-6.1/iio-imu-adis-ensure-proper-dma-alignment.patch new file mode 100644 index 00000000000..392965259f2 --- /dev/null +++ b/queue-6.1/iio-imu-adis-ensure-proper-dma-alignment.patch @@ -0,0 +1,47 @@ +From 8e98b87f515d8c4bae521048a037b2cc431c3fd5 Mon Sep 17 00:00:00 2001 +From: Nuno Sa +Date: Wed, 17 Jan 2024 14:10:49 +0100 +Subject: iio: imu: adis: ensure proper DMA alignment + +From: Nuno Sa + +commit 8e98b87f515d8c4bae521048a037b2cc431c3fd5 upstream. + +Aligning the buffer to the L1 cache is not sufficient in some platforms +as they might have larger cacheline sizes for caches after L1 and thus, +we can't guarantee DMA safety. + +That was the whole reason to introduce IIO_DMA_MINALIGN in [1]. Do the same +for the sigma_delta ADCs. + +[1]: https://lore.kernel.org/linux-iio/20220508175712.647246-2-jic23@kernel.org/ + +Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library") +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20240117-adis-improv-v1-1-7f90e9fad200@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/iio/imu/adis.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/iio/imu/adis.h ++++ b/include/linux/iio/imu/adis.h +@@ -11,6 +11,7 @@ + + #include + #include ++#include + #include + + #define ADIS_WRITE_REG(reg) ((0x80 | (reg))) +@@ -131,7 +132,7 @@ struct adis { + unsigned long irq_flag; + void *buffer; + +- u8 tx[10] ____cacheline_aligned; ++ u8 tx[10] __aligned(IIO_DMA_MINALIGN); + u8 rx[4]; + }; + diff --git a/queue-6.1/iio-imu-bno055-serdev-requires-regmap.patch b/queue-6.1/iio-imu-bno055-serdev-requires-regmap.patch new file mode 100644 index 00000000000..7f122681072 --- /dev/null +++ b/queue-6.1/iio-imu-bno055-serdev-requires-regmap.patch @@ -0,0 +1,58 @@ +From 35ec2d03b282a939949090bd8c39eb37a5856721 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 10 Jan 2024 10:56:11 -0800 +Subject: iio: imu: bno055: serdev requires REGMAP + +From: Randy Dunlap + +commit 35ec2d03b282a939949090bd8c39eb37a5856721 upstream. + +There are a ton of build errors when REGMAP is not set, so select +REGMAP to fix all of them. + +Examples (not all of them): + +../drivers/iio/imu/bno055/bno055_ser_core.c:495:15: error: variable 'bno055_ser_regmap_bus' has initializer but incomplete type + 495 | static struct regmap_bus bno055_ser_regmap_bus = { +../drivers/iio/imu/bno055/bno055_ser_core.c:496:10: error: 'struct regmap_bus' has no member named 'write' + 496 | .write = bno055_ser_write_reg, +../drivers/iio/imu/bno055/bno055_ser_core.c:497:10: error: 'struct regmap_bus' has no member named 'read' + 497 | .read = bno055_ser_read_reg, +../drivers/iio/imu/bno055/bno055_ser_core.c: In function 'bno055_ser_probe': +../drivers/iio/imu/bno055/bno055_ser_core.c:532:18: error: implicit declaration of function 'devm_regmap_init'; did you mean 'vmem_map_init'? [-Werror=implicit-function-declaration] + 532 | regmap = devm_regmap_init(&serdev->dev, &bno055_ser_regmap_bus, +../drivers/iio/imu/bno055/bno055_ser_core.c:532:16: warning: assignment to 'struct regmap *' from 'int' makes pointer from integer without a cast [-Wint-conversion] + 532 | regmap = devm_regmap_init(&serdev->dev, &bno055_ser_regmap_bus, +../drivers/iio/imu/bno055/bno055_ser_core.c: At top level: +../drivers/iio/imu/bno055/bno055_ser_core.c:495:26: error: storage size of 'bno055_ser_regmap_bus' isn't known + 495 | static struct regmap_bus bno055_ser_regmap_bus = { + +Fixes: 2eef5a9cc643 ("iio: imu: add BNO055 serdev driver") +Signed-off-by: Randy Dunlap +Cc: Andrea Merello +Cc: Jonathan Cameron +Cc: Lars-Peter Clausen +Cc: linux-iio@vger.kernel.org +Cc: +Link: https://lore.kernel.org/r/20240110185611.19723-1-rdunlap@infradead.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/bno055/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iio/imu/bno055/Kconfig b/drivers/iio/imu/bno055/Kconfig +index 83e53acfbe88..c7f5866a177d 100644 +--- a/drivers/iio/imu/bno055/Kconfig ++++ b/drivers/iio/imu/bno055/Kconfig +@@ -8,6 +8,7 @@ config BOSCH_BNO055 + config BOSCH_BNO055_SERIAL + tristate "Bosch BNO055 attached via UART" + depends on SERIAL_DEV_BUS ++ select REGMAP + select BOSCH_BNO055 + help + Enable this to support Bosch BNO055 IMUs attached via UART. +-- +2.43.2 + diff --git a/queue-6.1/iio-magnetometer-rm3100-add-boundary-check-for-the-value-read-from-rm3100_reg_tmrc.patch b/queue-6.1/iio-magnetometer-rm3100-add-boundary-check-for-the-value-read-from-rm3100_reg_tmrc.patch new file mode 100644 index 00000000000..932590f6048 --- /dev/null +++ b/queue-6.1/iio-magnetometer-rm3100-add-boundary-check-for-the-value-read-from-rm3100_reg_tmrc.patch @@ -0,0 +1,52 @@ +From 792595bab4925aa06532a14dd256db523eb4fa5e Mon Sep 17 00:00:00 2001 +From: "zhili.liu" +Date: Tue, 2 Jan 2024 09:07:11 +0800 +Subject: iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC + +From: zhili.liu + +commit 792595bab4925aa06532a14dd256db523eb4fa5e upstream. + +Recently, we encounter kernel crash in function rm3100_common_probe +caused by out of bound access of array rm3100_samp_rates (because of +underlying hardware failures). Add boundary check to prevent out of +bound access. + +Fixes: 121354b2eceb ("iio: magnetometer: Add driver support for PNI RM3100") +Suggested-by: Zhouyi Zhou +Signed-off-by: zhili.liu +Link: https://lore.kernel.org/r/1704157631-3814-1-git-send-email-zhouzhouyi@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/magnetometer/rm3100-core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/iio/magnetometer/rm3100-core.c ++++ b/drivers/iio/magnetometer/rm3100-core.c +@@ -530,6 +530,7 @@ int rm3100_common_probe(struct device *d + struct rm3100_data *data; + unsigned int tmp; + int ret; ++ int samp_rate_index; + + indio_dev = devm_iio_device_alloc(dev, sizeof(*data)); + if (!indio_dev) +@@ -586,9 +587,14 @@ int rm3100_common_probe(struct device *d + ret = regmap_read(regmap, RM3100_REG_TMRC, &tmp); + if (ret < 0) + return ret; ++ ++ samp_rate_index = tmp - RM3100_TMRC_OFFSET; ++ if (samp_rate_index < 0 || samp_rate_index >= RM3100_SAMP_NUM) { ++ dev_err(dev, "The value read from RM3100_REG_TMRC is invalid!\n"); ++ return -EINVAL; ++ } + /* Initializing max wait time, which is double conversion time. */ +- data->conversion_time = rm3100_samp_rates[tmp - RM3100_TMRC_OFFSET][2] +- * 2; ++ data->conversion_time = rm3100_samp_rates[samp_rate_index][2] * 2; + + /* Cycle count values may not be what we want. */ + if ((tmp - RM3100_TMRC_OFFSET) == 0) diff --git a/queue-6.1/kbuild-fix-changing-elf-file-type-for-output-of-gen_btf-for-big-endian.patch b/queue-6.1/kbuild-fix-changing-elf-file-type-for-output-of-gen_btf-for-big-endian.patch new file mode 100644 index 00000000000..0e5e6cfcde3 --- /dev/null +++ b/queue-6.1/kbuild-fix-changing-elf-file-type-for-output-of-gen_btf-for-big-endian.patch @@ -0,0 +1,75 @@ +From e3a9ee963ad8ba677ca925149812c5932b49af69 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 12 Feb 2024 19:05:10 -0700 +Subject: kbuild: Fix changing ELF file type for output of gen_btf for big endian + +From: Nathan Chancellor + +commit e3a9ee963ad8ba677ca925149812c5932b49af69 upstream. + +Commit 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF") +changed the ELF type of .btf.vmlinux.bin.o to ET_REL via dd, which works +fine for little endian platforms: + + 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| + -00000010 03 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................| + +00000010 01 00 b7 00 01 00 00 00 00 00 00 80 00 80 ff ff |................| + +However, for big endian platforms, it changes the wrong byte, resulting +in an invalid ELF file type, which ld.lld rejects: + + 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............| + -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| + +00000010 01 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| + + Type: : 103 + + ld.lld: error: .btf.vmlinux.bin.o: unknown file type + +Fix this by updating the entire 16-bit e_type field rather than just a +single byte, so that everything works correctly for all platforms and +linkers. + + 00000000 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 |.ELF............| + -00000010 00 03 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| + +00000010 00 01 00 16 00 00 00 01 00 00 00 00 00 10 00 00 |................| + + Type: REL (Relocatable file) + +While in the area, update the comment to mention that binutils 2.35+ +matches LLD's behavior of rejecting an ET_EXEC input, which occurred +after the comment was added. + +Cc: stable@vger.kernel.org +Fixes: 90ceddcb4950 ("bpf: Support llvm-objcopy for vmlinux BTF") +Link: https://github.com/llvm/llvm-project/pull/75643 +Suggested-by: Masahiro Yamada +Signed-off-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Reviewed-by: Nicolas Schier +Reviewed-by: Kees Cook +Reviewed-by: Justin Stitt +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + scripts/link-vmlinux.sh | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/scripts/link-vmlinux.sh ++++ b/scripts/link-vmlinux.sh +@@ -135,8 +135,13 @@ gen_btf() + ${OBJCOPY} --only-section=.BTF --set-section-flags .BTF=alloc,readonly \ + --strip-all ${1} ${2} 2>/dev/null + # Change e_type to ET_REL so that it can be used to link final vmlinux. +- # Unlike GNU ld, lld does not allow an ET_EXEC input. +- printf '\1' | dd of=${2} conv=notrunc bs=1 seek=16 status=none ++ # GNU ld 2.35+ and lld do not allow an ET_EXEC input. ++ if is_enabled CONFIG_CPU_BIG_ENDIAN; then ++ et_rel='\0\1' ++ else ++ et_rel='\1\0' ++ fi ++ printf "${et_rel}" | dd of=${2} conv=notrunc bs=1 seek=16 status=none + } + + # Create ${2} .S file with all symbols from the ${1} object file diff --git a/queue-6.1/lsm-fix-the-logic-in-security_inode_getsecctx.patch b/queue-6.1/lsm-fix-the-logic-in-security_inode_getsecctx.patch new file mode 100644 index 00000000000..abca0bbad25 --- /dev/null +++ b/queue-6.1/lsm-fix-the-logic-in-security_inode_getsecctx.patch @@ -0,0 +1,60 @@ +From 99b817c173cd213671daecd25ca27f56b0c7c4ec Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Fri, 26 Jan 2024 11:44:03 +0100 +Subject: lsm: fix the logic in security_inode_getsecctx() + +From: Ondrej Mosnacek + +commit 99b817c173cd213671daecd25ca27f56b0c7c4ec upstream. + +The inode_getsecctx LSM hook has previously been corrected to have +-EOPNOTSUPP instead of 0 as the default return value to fix BPF LSM +behavior. However, the call_int_hook()-generated loop in +security_inode_getsecctx() was left treating 0 as the neutral value, so +after an LSM returns 0, the loop continues to try other LSMs, and if one +of them returns a non-zero value, the function immediately returns with +said value. So in a situation where SELinux and the BPF LSMs registered +this hook, -EOPNOTSUPP would be incorrectly returned whenever SELinux +returned 0. + +Fix this by open-coding the call_int_hook() loop and making it use the +correct LSM_RET_DEFAULT() value as the neutral one, similar to what +other hooks do. + +Cc: stable@vger.kernel.org +Reported-by: Stephen Smalley +Link: https://lore.kernel.org/selinux/CAEjxPJ4ev-pasUwGx48fDhnmjBnq_Wh90jYPwRQRAqXxmOKD4Q@mail.gmail.com/ +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2257983 +Fixes: b36995b8609a ("lsm: fix default return value for inode_getsecctx") +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Casey Schaufler +[PM: subject line tweak] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/security.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/security/security.c ++++ b/security/security.c +@@ -2186,7 +2186,19 @@ EXPORT_SYMBOL(security_inode_setsecctx); + + int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) + { +- return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); ++ struct security_hook_list *hp; ++ int rc; ++ ++ /* ++ * Only one module will provide a security context. ++ */ ++ hlist_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) { ++ rc = hp->hook.inode_getsecctx(inode, ctx, ctxlen); ++ if (rc != LSM_RET_DEFAULT(inode_getsecctx)) ++ return rc; ++ } ++ ++ return LSM_RET_DEFAULT(inode_getsecctx); + } + EXPORT_SYMBOL(security_inode_getsecctx); + diff --git a/queue-6.1/media-rc-bpf-attach-detach-requires-write-permission.patch b/queue-6.1/media-rc-bpf-attach-detach-requires-write-permission.patch new file mode 100644 index 00000000000..9bb928d7bde --- /dev/null +++ b/queue-6.1/media-rc-bpf-attach-detach-requires-write-permission.patch @@ -0,0 +1,82 @@ +From 6a9d552483d50953320b9d3b57abdee8d436f23f Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Thu, 13 Apr 2023 10:50:32 +0200 +Subject: media: rc: bpf attach/detach requires write permission + +From: Sean Young + +commit 6a9d552483d50953320b9d3b57abdee8d436f23f upstream. + +Note that bpf attach/detach also requires CAP_NET_ADMIN. + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/bpf-lirc.c | 6 +++--- + drivers/media/rc/lirc_dev.c | 5 ++++- + drivers/media/rc/rc-core-priv.h | 2 +- + 3 files changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/media/rc/bpf-lirc.c ++++ b/drivers/media/rc/bpf-lirc.c +@@ -253,7 +253,7 @@ int lirc_prog_attach(const union bpf_att + if (attr->attach_flags) + return -EINVAL; + +- rcdev = rc_dev_get_from_fd(attr->target_fd); ++ rcdev = rc_dev_get_from_fd(attr->target_fd, true); + if (IS_ERR(rcdev)) + return PTR_ERR(rcdev); + +@@ -278,7 +278,7 @@ int lirc_prog_detach(const union bpf_att + if (IS_ERR(prog)) + return PTR_ERR(prog); + +- rcdev = rc_dev_get_from_fd(attr->target_fd); ++ rcdev = rc_dev_get_from_fd(attr->target_fd, true); + if (IS_ERR(rcdev)) { + bpf_prog_put(prog); + return PTR_ERR(rcdev); +@@ -303,7 +303,7 @@ int lirc_prog_query(const union bpf_attr + if (attr->query.query_flags) + return -EINVAL; + +- rcdev = rc_dev_get_from_fd(attr->query.target_fd); ++ rcdev = rc_dev_get_from_fd(attr->query.target_fd, false); + if (IS_ERR(rcdev)) + return PTR_ERR(rcdev); + +--- a/drivers/media/rc/lirc_dev.c ++++ b/drivers/media/rc/lirc_dev.c +@@ -814,7 +814,7 @@ void __exit lirc_dev_exit(void) + unregister_chrdev_region(lirc_base_dev, RC_DEV_MAX); + } + +-struct rc_dev *rc_dev_get_from_fd(int fd) ++struct rc_dev *rc_dev_get_from_fd(int fd, bool write) + { + struct fd f = fdget(fd); + struct lirc_fh *fh; +@@ -828,6 +828,9 @@ struct rc_dev *rc_dev_get_from_fd(int fd + return ERR_PTR(-EINVAL); + } + ++ if (write && !(f.file->f_mode & FMODE_WRITE)) ++ return ERR_PTR(-EPERM); ++ + fh = f.file->private_data; + dev = fh->rc; + +--- a/drivers/media/rc/rc-core-priv.h ++++ b/drivers/media/rc/rc-core-priv.h +@@ -325,7 +325,7 @@ void lirc_raw_event(struct rc_dev *dev, + void lirc_scancode_event(struct rc_dev *dev, struct lirc_scancode *lsc); + int lirc_register(struct rc_dev *dev); + void lirc_unregister(struct rc_dev *dev); +-struct rc_dev *rc_dev_get_from_fd(int fd); ++struct rc_dev *rc_dev_get_from_fd(int fd, bool write); + #else + static inline int lirc_dev_init(void) { return 0; } + static inline void lirc_dev_exit(void) {} diff --git a/queue-6.1/media-revert-media-rkisp1-drop-irqf_shared.patch b/queue-6.1/media-revert-media-rkisp1-drop-irqf_shared.patch new file mode 100644 index 00000000000..868e8cfdef0 --- /dev/null +++ b/queue-6.1/media-revert-media-rkisp1-drop-irqf_shared.patch @@ -0,0 +1,38 @@ +From a107d643b2a3382e0a2d2c4ef08bf8c6bff4561d Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Mon, 18 Dec 2023 08:54:00 +0100 +Subject: media: Revert "media: rkisp1: Drop IRQF_SHARED" + +From: Tomi Valkeinen + +commit a107d643b2a3382e0a2d2c4ef08bf8c6bff4561d upstream. + +This reverts commit 85d2a31fe4d9be1555f621ead7a520d8791e0f74. + +The rkisp1 does share interrupt lines on some platforms, after all. Thus +we need to revert this, and implement a fix for the rkisp1 shared irq +handling in a follow-up patch. + +Closes: https://lore.kernel.org/all/87o7eo8vym.fsf@gmail.com/ +Link: https://lore.kernel.org/r/20231218-rkisp-shirq-fix-v1-1-173007628248@ideasonboard.com + +Reported-by: Mikhail Rudenko +Signed-off-by: Tomi Valkeinen +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c ++++ b/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c +@@ -559,7 +559,7 @@ static int rkisp1_probe(struct platform_ + rkisp1->irqs[il] = irq; + } + +- ret = devm_request_irq(dev, irq, info->isrs[i].isr, 0, ++ ret = devm_request_irq(dev, irq, info->isrs[i].isr, IRQF_SHARED, + dev_driver_string(dev), dev); + if (ret) { + dev_err(dev, "request irq failed: %d\n", ret); diff --git a/queue-6.1/misc-fastrpc-mark-all-sessions-as-invalid-in-cb_remove.patch b/queue-6.1/misc-fastrpc-mark-all-sessions-as-invalid-in-cb_remove.patch new file mode 100644 index 00000000000..1d01d35c145 --- /dev/null +++ b/queue-6.1/misc-fastrpc-mark-all-sessions-as-invalid-in-cb_remove.patch @@ -0,0 +1,36 @@ +From a4e61de63e34860c36a71d1a364edba16fb6203b Mon Sep 17 00:00:00 2001 +From: Ekansh Gupta +Date: Mon, 8 Jan 2024 17:18:33 +0530 +Subject: misc: fastrpc: Mark all sessions as invalid in cb_remove + +From: Ekansh Gupta + +commit a4e61de63e34860c36a71d1a364edba16fb6203b upstream. + +In remoteproc shutdown sequence, rpmsg_remove will get called which +would depopulate all the child nodes that have been created during +rpmsg_probe. This would result in cb_remove call for all the context +banks for the remoteproc. In cb_remove function, session 0 is +getting skipped which is not correct as session 0 will never become +available again. Add changes to mark session 0 also as invalid. + +Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") +Cc: stable +Signed-off-by: Ekansh Gupta +Link: https://lore.kernel.org/r/20240108114833.20480-1-quic_ekangupt@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1990,7 +1990,7 @@ static int fastrpc_cb_remove(struct plat + int i; + + spin_lock_irqsave(&cctx->lock, flags); +- for (i = 1; i < FASTRPC_MAX_SESSIONS; i++) { ++ for (i = 0; i < FASTRPC_MAX_SESSIONS; i++) { + if (cctx->session[i].sid == sess->sid) { + cctx->session[i].valid = false; + cctx->sesscount--; diff --git a/queue-6.1/mptcp-check-addrs-list-in-userspace_pm_get_local_id.patch b/queue-6.1/mptcp-check-addrs-list-in-userspace_pm_get_local_id.patch new file mode 100644 index 00000000000..8641c180cc2 --- /dev/null +++ b/queue-6.1/mptcp-check-addrs-list-in-userspace_pm_get_local_id.patch @@ -0,0 +1,50 @@ +From f012d796a6de662692159c539689e47e662853a8 Mon Sep 17 00:00:00 2001 +From: Geliang Tang +Date: Thu, 8 Feb 2024 19:03:53 +0100 +Subject: mptcp: check addrs list in userspace_pm_get_local_id + +From: Geliang Tang + +commit f012d796a6de662692159c539689e47e662853a8 upstream. + +Before adding a new entry in mptcp_userspace_pm_get_local_id(), it's +better to check whether this address is already in userspace pm local +address list. If it's in the list, no need to add a new entry, just +return it's address ID and use this address. + +Fixes: 8b20137012d9 ("mptcp: read attributes of addr entries managed by userspace PMs") +Cc: stable@vger.kernel.org +Signed-off-by: Geliang Tang +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_userspace.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/net/mptcp/pm_userspace.c ++++ b/net/mptcp/pm_userspace.c +@@ -132,10 +132,21 @@ int mptcp_userspace_pm_get_flags_and_ifi + int mptcp_userspace_pm_get_local_id(struct mptcp_sock *msk, + struct mptcp_addr_info *skc) + { +- struct mptcp_pm_addr_entry new_entry; ++ struct mptcp_pm_addr_entry *entry = NULL, *e, new_entry; + __be16 msk_sport = ((struct inet_sock *) + inet_sk((struct sock *)msk))->inet_sport; + ++ spin_lock_bh(&msk->pm.lock); ++ list_for_each_entry(e, &msk->pm.userspace_pm_local_addr_list, list) { ++ if (mptcp_addresses_equal(&e->addr, skc, false)) { ++ entry = e; ++ break; ++ } ++ } ++ spin_unlock_bh(&msk->pm.lock); ++ if (entry) ++ return entry->addr.id; ++ + memset(&new_entry, 0, sizeof(struct mptcp_pm_addr_entry)); + new_entry.addr = *skc; + new_entry.addr.id = 0; diff --git a/queue-6.1/mptcp-drop-the-push_pending-field.patch b/queue-6.1/mptcp-drop-the-push_pending-field.patch new file mode 100644 index 00000000000..824f4689bf4 --- /dev/null +++ b/queue-6.1/mptcp-drop-the-push_pending-field.patch @@ -0,0 +1,84 @@ +From bdd70eb68913c960acb895b00a8c62eb64715b1f Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 8 Feb 2024 19:03:49 +0100 +Subject: mptcp: drop the push_pending field + +From: Paolo Abeni + +commit bdd70eb68913c960acb895b00a8c62eb64715b1f upstream. + +Such field is there to avoid acquiring the data lock in a few spots, +but it adds complexity to the already non trivial locking schema. + +All the relevant call sites (mptcp-level re-injection, set socket +options), are slow-path, drop such field in favor of 'cb_flags', adding +the relevant locking. + +This patch could be seen as an improvement, instead of a fix. But it +simplifies the next patch. The 'Fixes' tag has been added to help having +this series backported to stable. + +Fixes: e9d09baca676 ("mptcp: avoid atomic bit manipulation when possible") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 12 ++++++------ + net/mptcp/protocol.h | 1 - + 2 files changed, 6 insertions(+), 7 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1582,8 +1582,11 @@ static void mptcp_update_post_push(struc + + void mptcp_check_and_set_pending(struct sock *sk) + { +- if (mptcp_send_head(sk)) +- mptcp_sk(sk)->push_pending |= BIT(MPTCP_PUSH_PENDING); ++ if (mptcp_send_head(sk)) { ++ mptcp_data_lock(sk); ++ mptcp_sk(sk)->cb_flags |= BIT(MPTCP_PUSH_PENDING); ++ mptcp_data_unlock(sk); ++ } + } + + void __mptcp_push_pending(struct sock *sk, unsigned int flags) +@@ -3140,7 +3143,6 @@ static int mptcp_disconnect(struct sock + msk->last_snd = NULL; + WRITE_ONCE(msk->flags, 0); + msk->cb_flags = 0; +- msk->push_pending = 0; + msk->recovery = false; + msk->can_ack = false; + msk->fully_established = false; +@@ -3384,8 +3386,7 @@ static void mptcp_release_cb(struct sock + struct mptcp_sock *msk = mptcp_sk(sk); + + for (;;) { +- unsigned long flags = (msk->cb_flags & MPTCP_FLAGS_PROCESS_CTX_NEED) | +- msk->push_pending; ++ unsigned long flags = (msk->cb_flags & MPTCP_FLAGS_PROCESS_CTX_NEED); + struct list_head join_list; + + if (!flags) +@@ -3401,7 +3402,6 @@ static void mptcp_release_cb(struct sock + * datapath acquires the msk socket spinlock while helding + * the subflow socket lock + */ +- msk->push_pending = 0; + msk->cb_flags &= ~flags; + spin_unlock_bh(&sk->sk_lock.slock); + +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -272,7 +272,6 @@ struct mptcp_sock { + int rmem_released; + unsigned long flags; + unsigned long cb_flags; +- unsigned long push_pending; + bool recovery; /* closing subflow write queue reinjected */ + bool can_ack; + bool fully_established; diff --git a/queue-6.1/mptcp-fix-data-re-injection-from-stale-subflow.patch b/queue-6.1/mptcp-fix-data-re-injection-from-stale-subflow.patch new file mode 100644 index 00000000000..ad166e08bc9 --- /dev/null +++ b/queue-6.1/mptcp-fix-data-re-injection-from-stale-subflow.patch @@ -0,0 +1,52 @@ +From b6c620dc43ccb4e802894e54b651cf81495e9598 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 31 Jan 2024 22:49:46 +0100 +Subject: mptcp: fix data re-injection from stale subflow + +From: Paolo Abeni + +commit b6c620dc43ccb4e802894e54b651cf81495e9598 upstream. + +When the MPTCP PM detects that a subflow is stale, all the packet +scheduler must re-inject all the mptcp-level unacked data. To avoid +acquiring unneeded locks, it first try to check if any unacked data +is present at all in the RTX queue, but such check is currently +broken, as it uses TCP-specific helper on an MPTCP socket. + +Funnily enough fuzzers and static checkers are happy, as the accessed +memory still belongs to the mptcp_sock struct, and even from a +functional perspective the recovery completed successfully, as +the short-cut test always failed. + +A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize +tcp_sock fast path variables") - exposed the issue, as the tcp field +reorganization makes the mptcp code always skip the re-inection. + +Fix the issue dropping the bogus call: we are on a slow path, the early +optimization proved once again to be evil. + +Fixes: 1e1d9d6f119c ("mptcp: handle pending data on closed subflow") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/468 +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://lore.kernel.org/r/20240131-upstream-net-20240131-mptcp-ci-issues-v1-1-4c1c11e571ff@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2336,9 +2336,6 @@ bool __mptcp_retransmit_pending_data(str + if (__mptcp_check_fallback(mptcp_sk(sk))) + return false; + +- if (tcp_rtx_and_write_queues_empty(sk)) +- return false; +- + /* the closing socket has some data untransmitted and/or unacked: + * some data in the mptcp rtx queue has not really xmitted yet. + * keep it simple and re-inject the whole mptcp level rtx queue diff --git a/queue-6.1/mptcp-get-rid-of-msk-subflow.patch b/queue-6.1/mptcp-get-rid-of-msk-subflow.patch new file mode 100644 index 00000000000..2fdb413bbd2 --- /dev/null +++ b/queue-6.1/mptcp-get-rid-of-msk-subflow.patch @@ -0,0 +1,182 @@ +From 39880bd808ad2ddfb9b7fee129568c3b814f0609 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Fri, 11 Aug 2023 17:57:26 +0200 +Subject: mptcp: get rid of msk->subflow + +From: Paolo Abeni + +commit 39880bd808ad2ddfb9b7fee129568c3b814f0609 upstream. + +This is a partial backport of the upstram commit 39880bd808ad ("mptcp: +get rid of msk->subflow"). It's partial to avoid a long a complex +dependency chain not suitable for stable. + +The only bit remaning from the original commit is the introduction of a +new field avoid a race at close time causing an UaF: + +BUG: KASAN: use-after-free in mptcp_subflow_queue_clean+0x2c9/0x390 include/net/mptcp.h:104 +Read of size 1 at addr ffff88803bf72884 by task syz-executor.6/23092 + +CPU: 0 PID: 23092 Comm: syz-executor.6 Not tainted 6.1.65-gc6114c845984 #50 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x125/0x18f lib/dump_stack.c:106 + print_report+0x163/0x4f0 mm/kasan/report.c:284 + kasan_report+0xc4/0x100 mm/kasan/report.c:495 + mptcp_subflow_queue_clean+0x2c9/0x390 include/net/mptcp.h:104 + mptcp_check_listen_stop+0x190/0x2a0 net/mptcp/protocol.c:3009 + __mptcp_close+0x9a/0x970 net/mptcp/protocol.c:3024 + mptcp_close+0x2a/0x130 net/mptcp/protocol.c:3089 + inet_release+0x13d/0x190 net/ipv4/af_inet.c:429 + sock_close+0xcf/0x230 net/socket.c:652 + __fput+0x3a2/0x870 fs/file_table.c:320 + task_work_run+0x24e/0x300 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop+0xa4/0xc0 kernel/entry/common.c:171 + exit_to_user_mode_prepare+0x51/0x90 kernel/entry/common.c:204 + syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:286 + do_syscall_64+0x53/0xa0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x64/0xce +RIP: 0033:0x41d791 +Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 74 2a 00 00 c3 48 83 ec 08 e8 9a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 e3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 +RSP: 002b:00000000008bfb90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 +RAX: 0000000000000000 RBX: 0000000000000004 RCX: 000000000041d791 +RDX: 0000001b33920000 RSI: ffffffff8139adff RDI: 0000000000000003 +RBP: 000000000079d980 R08: 0000001b33d20000 R09: 0000000000000951 +R10: 000000008139a955 R11: 0000000000000293 R12: 00000000000c739b +R13: 000000000079bf8c R14: 00007fa301053000 R15: 00000000000c705a + + +Allocated by task 22528: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x40/0x70 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:374 [inline] + __kasan_kmalloc+0xa0/0xb0 mm/kasan/common.c:383 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:955 [inline] + __kmalloc+0xaa/0x1c0 mm/slab_common.c:968 + kmalloc include/linux/slab.h:558 [inline] + sk_prot_alloc+0xac/0x200 net/core/sock.c:2038 + sk_clone_lock+0x56/0x1090 net/core/sock.c:2236 + inet_csk_clone_lock+0x26/0x420 net/ipv4/inet_connection_sock.c:1141 + tcp_create_openreq_child+0x30/0x1910 net/ipv4/tcp_minisocks.c:474 + tcp_v6_syn_recv_sock+0x413/0x1a90 net/ipv6/tcp_ipv6.c:1283 + subflow_syn_recv_sock+0x621/0x1300 net/mptcp/subflow.c:730 + tcp_get_cookie_sock+0xf0/0x5f0 net/ipv4/syncookies.c:201 + cookie_v6_check+0x130f/0x1c50 net/ipv6/syncookies.c:261 + tcp_v6_do_rcv+0x7e0/0x12b0 net/ipv6/tcp_ipv6.c:1147 + tcp_v6_rcv+0x2494/0x2f50 net/ipv6/tcp_ipv6.c:1743 + ip6_protocol_deliver_rcu+0xba3/0x1620 net/ipv6/ip6_input.c:438 + ip6_input+0x1bc/0x470 net/ipv6/ip6_input.c:483 + ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:302 + __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5525 + process_backlog+0x353/0x660 net/core/dev.c:5967 + __napi_poll+0xc6/0x5a0 net/core/dev.c:6534 + net_rx_action+0x652/0xea0 net/core/dev.c:6601 + __do_softirq+0x176/0x525 kernel/softirq.c:571 + +Freed by task 23093: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x40/0x70 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:516 + ____kasan_slab_free+0x13a/0x1b0 mm/kasan/common.c:236 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1724 [inline] + slab_free_freelist_hook mm/slub.c:1750 [inline] + slab_free mm/slub.c:3661 [inline] + __kmem_cache_free+0x1eb/0x340 mm/slub.c:3674 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x4ad/0x620 net/core/sock.c:2160 + tcp_v6_rcv+0x269c/0x2f50 net/ipv6/tcp_ipv6.c:1761 + ip6_protocol_deliver_rcu+0xba3/0x1620 net/ipv6/ip6_input.c:438 + ip6_input+0x1bc/0x470 net/ipv6/ip6_input.c:483 + ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:302 + __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5525 + process_backlog+0x353/0x660 net/core/dev.c:5967 + __napi_poll+0xc6/0x5a0 net/core/dev.c:6534 + net_rx_action+0x652/0xea0 net/core/dev.c:6601 + __do_softirq+0x176/0x525 kernel/softirq.c:571 + +The buggy address belongs to the object at ffff88803bf72000 + which belongs to the cache kmalloc-4k of size 4096 +The buggy address is located 2180 bytes inside of + 4096-byte region [ffff88803bf72000, ffff88803bf73000) + +The buggy address belongs to the physical page: +page:00000000a72e4e51 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3bf70 +head:00000000a72e4e51 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x100000000010200(slab|head|node=0|zone=1) +raw: 0100000000010200 ffffea0000a0ea00 dead000000000002 ffff888100042140 +raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88803bf72780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88803bf72800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88803bf72880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88803bf72900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88803bf72980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Prevent the MPTCP worker from freeing the first subflow for unaccepted +socket when such sockets transition to TCP_CLOSE state, and let that +happen at accept() or listener close() time. + +Fixes: b6985b9b8295 ("mptcp: use the workqueue to destroy unaccepted sockets") +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Reported-by: Christoph Paasch +Tested-by: Christoph Paasch +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 9 ++++----- + net/mptcp/protocol.h | 3 ++- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2422,7 +2422,7 @@ static void __mptcp_close_ssk(struct soc + goto out_release; + } + +- dispose_it = !msk->subflow || ssk != msk->subflow->sk; ++ dispose_it = msk->free_first || ssk != msk->first; + if (dispose_it) + list_del(&subflow->node); + +@@ -2440,7 +2440,6 @@ static void __mptcp_close_ssk(struct soc + need_push = (flags & MPTCP_CF_PUSH) && __mptcp_retransmit_pending_data(sk); + if (!dispose_it) { + __mptcp_subflow_disconnect(ssk, subflow, flags); +- msk->subflow->state = SS_UNCONNECTED; + release_sock(ssk); + + goto out; +@@ -3341,10 +3340,10 @@ static void mptcp_destroy(struct sock *s + { + struct mptcp_sock *msk = mptcp_sk(sk); + +- /* clears msk->subflow, allowing the following to close +- * even the initial subflow +- */ + mptcp_dispose_initial_subflow(msk); ++ ++ /* allow the following to close even the initial subflow */ ++ msk->free_first = 1; + mptcp_destroy_common(msk, 0); + sk_sockets_allocated_dec(sk); + } +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -287,7 +287,8 @@ struct mptcp_sock { + cork:1, + nodelay:1, + fastopening:1, +- in_accept_queue:1; ++ in_accept_queue:1, ++ free_first:1; + struct work_struct work; + struct sk_buff *ooo_last_skb; + struct rb_root out_of_order_queue; diff --git a/queue-6.1/net-hsr-remove-warn_once-in-send_hsr_supervision_frame.patch b/queue-6.1/net-hsr-remove-warn_once-in-send_hsr_supervision_frame.patch new file mode 100644 index 00000000000..6b996d80b18 --- /dev/null +++ b/queue-6.1/net-hsr-remove-warn_once-in-send_hsr_supervision_frame.patch @@ -0,0 +1,72 @@ +From 37e8c97e539015637cb920d3e6f1e404f707a06e Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Wed, 24 Jan 2024 02:21:47 -0800 +Subject: net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() + +From: Nikita Zhandarovich + +commit 37e8c97e539015637cb920d3e6f1e404f707a06e upstream. + +Syzkaller reported [1] hitting a warning after failing to allocate +resources for skb in hsr_init_skb(). Since a WARN_ONCE() call will +not help much in this case, it might be prudent to switch to +netdev_warn_once(). At the very least it will suppress syzkaller +reports such as [1]. + +Just in case, use netdev_warn_once() in send_prp_supervision_frame() +for similar reasons. + +[1] +HSR: Could not send supervision frame +WARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294 +RIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294 +... +Call Trace: + + hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382 + call_timer_fn+0x193/0x590 kernel/time/timer.c:1700 + expire_timers kernel/time/timer.c:1751 [inline] + __run_timers+0x764/0xb20 kernel/time/timer.c:2022 + run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035 + __do_softirq+0x21a/0x8de kernel/softirq.c:553 + invoke_softirq kernel/softirq.c:427 [inline] + __irq_exit_rcu kernel/softirq.c:632 [inline] + irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644 + sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076 + + + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649 +... + +This issue is also found in older kernels (at least up to 5.10). + +Cc: stable@vger.kernel.org +Reported-by: syzbot+3ae0a3f42c84074b7c8e@syzkaller.appspotmail.com +Fixes: 121c33b07b31 ("net: hsr: introduce common code for skb initialization") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/hsr/hsr_device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/hsr/hsr_device.c ++++ b/net/hsr/hsr_device.c +@@ -291,7 +291,7 @@ static void send_hsr_supervision_frame(s + + skb = hsr_init_skb(master); + if (!skb) { +- WARN_ONCE(1, "HSR: Could not send supervision frame\n"); ++ netdev_warn_once(master->dev, "HSR: Could not send supervision frame\n"); + return; + } + +@@ -338,7 +338,7 @@ static void send_prp_supervision_frame(s + + skb = hsr_init_skb(master); + if (!skb) { +- WARN_ONCE(1, "PRP: Could not send supervision frame\n"); ++ netdev_warn_once(master->dev, "PRP: Could not send supervision frame\n"); + return; + } + diff --git a/queue-6.1/net-stmmac-do-not-clear-tbs-enable-bit-on-link-up-down.patch b/queue-6.1/net-stmmac-do-not-clear-tbs-enable-bit-on-link-up-down.patch new file mode 100644 index 00000000000..ac5b44bf820 --- /dev/null +++ b/queue-6.1/net-stmmac-do-not-clear-tbs-enable-bit-on-link-up-down.patch @@ -0,0 +1,36 @@ +From 4896bb7c0b31a0a3379b290ea7729900c59e0c69 Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Fri, 26 Jan 2024 10:10:41 +0100 +Subject: net: stmmac: do not clear TBS enable bit on link up/down + +From: Esben Haabendal + +commit 4896bb7c0b31a0a3379b290ea7729900c59e0c69 upstream. + +With the dma conf being reallocated on each call to stmmac_open(), any +information in there is lost, unless we specifically handle it. + +The STMMAC_TBS_EN bit is set when adding an etf qdisc, and the etf qdisc +therefore would stop working when link was set down and then back up. + +Fixes: ba39b344e924 ("net: ethernet: stmicro: stmmac: generate stmmac dma conf before open") +Cc: stable@vger.kernel.org +Signed-off-by: Esben Haabendal +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3826,6 +3826,9 @@ static int __stmmac_open(struct net_devi + priv->rx_copybreak = STMMAC_RX_COPYBREAK; + + buf_sz = dma_conf->dma_buf_sz; ++ for (int i = 0; i < MTL_MAX_TX_QUEUES; i++) ++ if (priv->dma_conf.tx_queue[i].tbs & STMMAC_TBS_EN) ++ dma_conf->tx_queue[i].tbs = priv->dma_conf.tx_queue[i].tbs; + memcpy(&priv->dma_conf, dma_conf, sizeof(*dma_conf)); + + stmmac_reset_queues_param(priv); diff --git a/queue-6.1/nfc-nci-free-rx_data_reassembly-skb-on-nci-device-cleanup.patch b/queue-6.1/nfc-nci-free-rx_data_reassembly-skb-on-nci-device-cleanup.patch new file mode 100644 index 00000000000..0672e65adad --- /dev/null +++ b/queue-6.1/nfc-nci-free-rx_data_reassembly-skb-on-nci-device-cleanup.patch @@ -0,0 +1,45 @@ +From bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Thu, 25 Jan 2024 12:53:09 +0300 +Subject: nfc: nci: free rx_data_reassembly skb on NCI device cleanup + +From: Fedor Pchelkin + +commit bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c upstream. + +rx_data_reassembly skb is stored during NCI data exchange for processing +fragmented packets. It is dropped only when the last fragment is processed +or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received. +However, the NCI device may be deallocated before that which leads to skb +leak. + +As by design the rx_data_reassembly skb is bound to the NCI device and +nothing prevents the device to be freed before the skb is processed in +some way and cleaned, free it on the NCI device cleanup. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Cc: stable@vger.kernel.org +Reported-by: syzbot+6b7c68d9c21e4ee4251b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/ +Signed-off-by: Fedor Pchelkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/nci/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -1207,6 +1207,10 @@ void nci_free_device(struct nci_dev *nde + { + nfc_free_device(ndev->nfc_dev); + nci_hci_deallocate(ndev); ++ ++ /* drop partial rx data packet if present */ ++ if (ndev->rx_data_reassembly) ++ kfree_skb(ndev->rx_data_reassembly); + kfree(ndev); + } + EXPORT_SYMBOL(nci_free_device); diff --git a/queue-6.1/revert-drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch b/queue-6.1/revert-drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch new file mode 100644 index 00000000000..ac6e76c7c7f --- /dev/null +++ b/queue-6.1/revert-drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch @@ -0,0 +1,58 @@ +From 916361685319098f696b798ef1560f69ed96e934 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 7 Feb 2024 23:52:54 -0600 +Subject: Revert "drm/amd: flush any delayed gfxoff on suspend entry" + +From: Mario Limonciello + +commit 916361685319098f696b798ef1560f69ed96e934 upstream. + +commit ab4750332dbe ("drm/amdgpu/sdma5.2: add begin/end_use ring +callbacks") caused GFXOFF control to be used more heavily and the +codepath that was removed from commit 0dee72639533 ("drm/amd: flush any +delayed gfxoff on suspend entry") now can be exercised at suspend again. + +Users report that by using GNOME to suspend the lockscreen trigger will +cause SDMA traffic and the system can deadlock. + +This reverts commit 0dee726395333fea833eaaf838bc80962df886c8. + +Acked-by: Alex Deucher +Fixes: ab4750332dbe ("drm/amdgpu/sdma5.2: add begin/end_use ring callbacks") +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 - + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 9 ++++++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -4203,7 +4203,6 @@ int amdgpu_device_suspend(struct drm_dev + drm_fb_helper_set_suspend_unlocked(adev_to_drm(adev)->fb_helper, true); + + cancel_delayed_work_sync(&adev->delayed_init_work); +- flush_delayed_work(&adev->gfx.gfx_off_delay_work); + + amdgpu_ras_suspend(adev); + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c +@@ -585,8 +585,15 @@ void amdgpu_gfx_off_ctrl(struct amdgpu_d + + if (adev->gfx.gfx_off_req_count == 0 && + !adev->gfx.gfx_off_state) { +- schedule_delayed_work(&adev->gfx.gfx_off_delay_work, ++ /* If going to s2idle, no need to wait */ ++ if (adev->in_s0ix) { ++ if (!amdgpu_dpm_set_powergating_by_smu(adev, ++ AMD_IP_BLOCK_TYPE_GFX, true)) ++ adev->gfx.gfx_off_state = true; ++ } else { ++ schedule_delayed_work(&adev->gfx.gfx_off_delay_work, + delay); ++ } + } + } else { + if (adev->gfx.gfx_off_req_count == 0) { diff --git a/queue-6.1/scsi-revert-scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch b/queue-6.1/scsi-revert-scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch new file mode 100644 index 00000000000..b64e89393de --- /dev/null +++ b/queue-6.1/scsi-revert-scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch @@ -0,0 +1,113 @@ +From 977fe773dcc7098d8eaf4ee6382cb51e13e784cb Mon Sep 17 00:00:00 2001 +From: Lee Duncan +Date: Fri, 9 Feb 2024 10:07:34 -0800 +Subject: scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" + +From: Lee Duncan + +commit 977fe773dcc7098d8eaf4ee6382cb51e13e784cb upstream. + +This reverts commit 1a1975551943f681772720f639ff42fbaa746212. + +This commit causes interrupts to be lost for FCoE devices, since it changed +sping locks from "bh" to "irqsave". + +Instead, a work queue should be used, and will be addressed in a separate +commit. + +Fixes: 1a1975551943 ("scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock") +Signed-off-by: Lee Duncan +Link: https://lore.kernel.org/r/c578cdcd46b60470535c4c4a953e6a1feca0dffd.1707500786.git.lduncan@suse.com +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/fcoe/fcoe_ctlr.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -319,17 +319,16 @@ static void fcoe_ctlr_announce(struct fc + { + struct fcoe_fcf *sel; + struct fcoe_fcf *fcf; +- unsigned long flags; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_irqsave(&fip->ctlr_lock, flags); ++ spin_lock_bh(&fip->ctlr_lock); + + kfree_skb(fip->flogi_req); + fip->flogi_req = NULL; + list_for_each_entry(fcf, &fip->fcfs, list) + fcf->flogi_sent = 0; + +- spin_unlock_irqrestore(&fip->ctlr_lock, flags); ++ spin_unlock_bh(&fip->ctlr_lock); + sel = fip->sel_fcf; + + if (sel && ether_addr_equal(sel->fcf_mac, fip->dest_addr)) +@@ -700,7 +699,6 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr + { + struct fc_frame *fp; + struct fc_frame_header *fh; +- unsigned long flags; + u16 old_xid; + u8 op; + u8 mac[ETH_ALEN]; +@@ -734,11 +732,11 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr + op = FIP_DT_FLOGI; + if (fip->mode == FIP_MODE_VN2VN) + break; +- spin_lock_irqsave(&fip->ctlr_lock, flags); ++ spin_lock_bh(&fip->ctlr_lock); + kfree_skb(fip->flogi_req); + fip->flogi_req = skb; + fip->flogi_req_send = 1; +- spin_unlock_irqrestore(&fip->ctlr_lock, flags); ++ spin_unlock_bh(&fip->ctlr_lock); + schedule_work(&fip->timer_work); + return -EINPROGRESS; + case ELS_FDISC: +@@ -1707,11 +1705,10 @@ static int fcoe_ctlr_flogi_send_locked(s + static int fcoe_ctlr_flogi_retry(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; +- unsigned long flags; + int error; + + mutex_lock(&fip->ctlr_mutex); +- spin_lock_irqsave(&fip->ctlr_lock, flags); ++ spin_lock_bh(&fip->ctlr_lock); + LIBFCOE_FIP_DBG(fip, "re-sending FLOGI - reselect\n"); + fcf = fcoe_ctlr_select(fip); + if (!fcf || fcf->flogi_sent) { +@@ -1722,7 +1719,7 @@ static int fcoe_ctlr_flogi_retry(struct + fcoe_ctlr_solicit(fip, NULL); + error = fcoe_ctlr_flogi_send_locked(fip); + } +- spin_unlock_irqrestore(&fip->ctlr_lock, flags); ++ spin_unlock_bh(&fip->ctlr_lock); + mutex_unlock(&fip->ctlr_mutex); + return error; + } +@@ -1739,9 +1736,8 @@ static int fcoe_ctlr_flogi_retry(struct + static void fcoe_ctlr_flogi_send(struct fcoe_ctlr *fip) + { + struct fcoe_fcf *fcf; +- unsigned long flags; + +- spin_lock_irqsave(&fip->ctlr_lock, flags); ++ spin_lock_bh(&fip->ctlr_lock); + fcf = fip->sel_fcf; + if (!fcf || !fip->flogi_req_send) + goto unlock; +@@ -1768,7 +1764,7 @@ static void fcoe_ctlr_flogi_send(struct + } else /* XXX */ + LIBFCOE_FIP_DBG(fip, "No FCF selected - defer send\n"); + unlock: +- spin_unlock_irqrestore(&fip->ctlr_lock, flags); ++ spin_unlock_bh(&fip->ctlr_lock); + } + + /** diff --git a/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter-in-v6.patch b/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter-in-v6.patch new file mode 100644 index 00000000000..94a84b3e530 --- /dev/null +++ b/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter-in-v6.patch @@ -0,0 +1,39 @@ +From 8c86fad2cecdc6bf7283ecd298b4d0555bd8b8aa Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 31 Jan 2024 22:49:48 +0100 +Subject: selftests: mptcp: add missing kconfig for NF Filter in v6 + +From: Matthieu Baerts (NGI0) + +commit 8c86fad2cecdc6bf7283ecd298b4d0555bd8b8aa upstream. + +Since the commit mentioned below, 'mptcp_join' selftests is using +IPTables to add rules to the Filter table for IPv6. + +It is then required to have IP6_NF_FILTER KConfig. + +This KConfig is usually enabled by default in many defconfig, but we +recently noticed that some CI were running our selftests without them +enabled. + +Fixes: 523514ed0a99 ("selftests: mptcp: add ADD_ADDR IPv6 test cases") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://lore.kernel.org/r/20240131-upstream-net-20240131-mptcp-ci-issues-v1-3-4c1c11e571ff@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/net/mptcp/config ++++ b/tools/testing/selftests/net/mptcp/config +@@ -25,6 +25,7 @@ CONFIG_IP_MULTIPLE_TABLES=y + CONFIG_IP_NF_FILTER=m + CONFIG_IP_NF_TARGET_REJECT=m + CONFIG_IPV6_MULTIPLE_TABLES=y ++CONFIG_IP6_NF_FILTER=m + CONFIG_NET_ACT_CSUM=m + CONFIG_NET_ACT_PEDIT=m + CONFIG_NET_CLS_ACT=y diff --git a/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter.patch b/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter.patch new file mode 100644 index 00000000000..c84995d2d74 --- /dev/null +++ b/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-filter.patch @@ -0,0 +1,38 @@ +From 3645c844902bd4e173d6704fc2a37e8746904d67 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 31 Jan 2024 22:49:47 +0100 +Subject: selftests: mptcp: add missing kconfig for NF Filter + +From: Matthieu Baerts (NGI0) + +commit 3645c844902bd4e173d6704fc2a37e8746904d67 upstream. + +Since the commit mentioned below, 'mptcp_join' selftests is using +IPTables to add rules to the Filter table. + +It is then required to have IP_NF_FILTER KConfig. + +This KConfig is usually enabled by default in many defconfig, but we +recently noticed that some CI were running our selftests without them +enabled. + +Fixes: 8d014eaa9254 ("selftests: mptcp: add ADD_ADDR timeout test case") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/net/mptcp/config ++++ b/tools/testing/selftests/net/mptcp/config +@@ -22,6 +22,7 @@ CONFIG_NFT_TPROXY=m + CONFIG_NFT_SOCKET=m + CONFIG_IP_ADVANCED_ROUTER=y + CONFIG_IP_MULTIPLE_TABLES=y ++CONFIG_IP_NF_FILTER=m + CONFIG_IP_NF_TARGET_REJECT=m + CONFIG_IPV6_MULTIPLE_TABLES=y + CONFIG_NET_ACT_CSUM=m diff --git a/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-mangle.patch b/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-mangle.patch new file mode 100644 index 00000000000..4c1b36617f9 --- /dev/null +++ b/queue-6.1/selftests-mptcp-add-missing-kconfig-for-nf-mangle.patch @@ -0,0 +1,37 @@ +From 2d41f10fa497182df9012d3e95d9cea24eb42e61 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 31 Jan 2024 22:49:49 +0100 +Subject: selftests: mptcp: add missing kconfig for NF Mangle + +From: Matthieu Baerts (NGI0) + +commit 2d41f10fa497182df9012d3e95d9cea24eb42e61 upstream. + +Since the commit mentioned below, 'mptcp_join' selftests is using +IPTables to add rules to the Mangle table, only in IPv4. + +This KConfig is usually enabled by default in many defconfig, but we +recently noticed that some CI were running our selftests without them +enabled. + +Fixes: b6e074e171bc ("selftests: mptcp: add infinite map testcase") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://lore.kernel.org/r/20240131-upstream-net-20240131-mptcp-ci-issues-v1-4-4c1c11e571ff@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/net/mptcp/config ++++ b/tools/testing/selftests/net/mptcp/config +@@ -23,6 +23,7 @@ CONFIG_NFT_SOCKET=m + CONFIG_IP_ADVANCED_ROUTER=y + CONFIG_IP_MULTIPLE_TABLES=y + CONFIG_IP_NF_FILTER=m ++CONFIG_IP_NF_MANGLE=m + CONFIG_IP_NF_TARGET_REJECT=m + CONFIG_IPV6_MULTIPLE_TABLES=y + CONFIG_IP6_NF_FILTER=m diff --git a/queue-6.1/selftests-mptcp-increase-timeout-to-30-min.patch b/queue-6.1/selftests-mptcp-increase-timeout-to-30-min.patch new file mode 100644 index 00000000000..0f085f554b1 --- /dev/null +++ b/queue-6.1/selftests-mptcp-increase-timeout-to-30-min.patch @@ -0,0 +1,43 @@ +From 4d4dfb2019d7010efb65926d9d1c1793f9a367c6 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 31 Jan 2024 22:49:50 +0100 +Subject: selftests: mptcp: increase timeout to 30 min + +From: Matthieu Baerts (NGI0) + +commit 4d4dfb2019d7010efb65926d9d1c1793f9a367c6 upstream. + +On very slow environments -- e.g. when QEmu is used without KVM --, +mptcp_join.sh selftest can take a bit more than 20 minutes. Bump the +default timeout by 50% as it seems normal to take that long on some +environments. + +When a debug kernel config is used, this selftest will take even longer, +but that's certainly not a common test env to consider for the timeout. + +The Fixes tag that has been picked here is there simply to help having +this patch backported to older stable versions. It is difficult to point +to the exact commit that made some env reaching the timeout from time to +time. + +Fixes: d17b968b9876 ("selftests: mptcp: increase timeout to 20 minutes") +Cc: stable@vger.kernel.org +Acked-by: Paolo Abeni +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://lore.kernel.org/r/20240131-upstream-net-20240131-mptcp-ci-issues-v1-5-4c1c11e571ff@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/settings | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/mptcp/settings b/tools/testing/selftests/net/mptcp/settings +index 79b65bdf05db..abc5648b59ab 100644 +--- a/tools/testing/selftests/net/mptcp/settings ++++ b/tools/testing/selftests/net/mptcp/settings +@@ -1 +1 @@ +-timeout=1200 ++timeout=1800 +-- +2.43.2 + diff --git a/queue-6.1/series b/queue-6.1/series index 7b1009b638c..2790b782923 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -63,3 +63,42 @@ powerpc-kasan-limit-kasan-thread-size-increase-to-32.patch i2c-pasemi-split-driver-into-two-separate-modules.patch i2c-i801-fix-block-process-call-transactions.patch modpost-trim-leading-spaces-when-processing-source-f.patch +mptcp-get-rid-of-msk-subflow.patch +mptcp-fix-data-re-injection-from-stale-subflow.patch +selftests-mptcp-add-missing-kconfig-for-nf-filter.patch +selftests-mptcp-add-missing-kconfig-for-nf-filter-in-v6.patch +selftests-mptcp-add-missing-kconfig-for-nf-mangle.patch +selftests-mptcp-increase-timeout-to-30-min.patch +mptcp-drop-the-push_pending-field.patch +mptcp-check-addrs-list-in-userspace_pm_get_local_id.patch +media-revert-media-rkisp1-drop-irqf_shared.patch +scsi-revert-scsi-fcoe-fix-potential-deadlock-on-fip-ctlr_lock.patch +revert-drm-amd-flush-any-delayed-gfxoff-on-suspend-entry.patch +drm-virtio-set-segment-size-for-virtio_gpu-device.patch +lsm-fix-the-logic-in-security_inode_getsecctx.patch +firewire-core-correct-documentation-of-fw_csr_string-kernel-api.patch +alsa-hda-realtek-apply-headset-jack-quirk-for-non-bass-alc287-thinkpads.patch +kbuild-fix-changing-elf-file-type-for-output-of-gen_btf-for-big-endian.patch +nfc-nci-free-rx_data_reassembly-skb-on-nci-device-cleanup.patch +net-hsr-remove-warn_once-in-send_hsr_supervision_frame.patch +net-stmmac-do-not-clear-tbs-enable-bit-on-link-up-down.patch +xen-netback-properly-sync-tx-responses.patch +um-fix-adding-no-pie-for-clang.patch +alsa-hda-realtek-enable-headset-mic-on-vaio-vjfe-adl.patch +asoc-codecs-wcd938x-handle-deferred-probe.patch +alsa-hda-cs8409-suppress-vmaster-control-for-dolphin-models.patch +alsa-hda-realtek-fix-mute-micmute-leds-for-hp-zbook-power.patch +binder-signal-epoll-threads-of-self-work.patch +misc-fastrpc-mark-all-sessions-as-invalid-in-cb_remove.patch +ext4-fix-double-free-of-blocks-due-to-wrong-extents-moved_len.patch +ext4-avoid-bb_free-and-bb_fragments-inconsistency-in-mb_free_blocks.patch +tracing-fix-wasted-memory-in-saved_cmdlines-logic.patch +staging-iio-ad5933-fix-type-mismatch-regression.patch +iio-magnetometer-rm3100-add-boundary-check-for-the-value-read-from-rm3100_reg_tmrc.patch +iio-core-fix-memleak-in-iio_device_register_sysfs.patch +iio-commom-st_sensors-ensure-proper-dma-alignment.patch +iio-accel-bma400-fix-a-compilation-problem.patch +iio-adc-ad_sigma_delta-ensure-proper-dma-alignment.patch +iio-imu-adis-ensure-proper-dma-alignment.patch +iio-imu-bno055-serdev-requires-regmap.patch +media-rc-bpf-attach-detach-requires-write-permission.patch diff --git a/queue-6.1/staging-iio-ad5933-fix-type-mismatch-regression.patch b/queue-6.1/staging-iio-ad5933-fix-type-mismatch-regression.patch new file mode 100644 index 00000000000..f678db9bd94 --- /dev/null +++ b/queue-6.1/staging-iio-ad5933-fix-type-mismatch-regression.patch @@ -0,0 +1,42 @@ +From 6db053cd949fcd6254cea9f2cd5d39f7bd64379c Mon Sep 17 00:00:00 2001 +From: David Schiller +Date: Mon, 22 Jan 2024 14:49:17 +0100 +Subject: staging: iio: ad5933: fix type mismatch regression + +From: David Schiller + +commit 6db053cd949fcd6254cea9f2cd5d39f7bd64379c upstream. + +Commit 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse +warning") fixed a compiler warning, but introduced a bug that resulted +in one of the two 16 bit IIO channels always being zero (when both are +enabled). + +This is because int is 32 bits wide on most architectures and in the +case of a little-endian machine the two most significant bytes would +occupy the buffer for the second channel as 'val' is being passed as a +void pointer to 'iio_push_to_buffers()'. + +Fix by defining 'val' as u16. Tested working on ARM64. + +Fixes: 4c3577db3e4f ("Staging: iio: impedance-analyzer: Fix sparse warning") +Signed-off-by: David Schiller +Link: https://lore.kernel.org/r/20240122134916.2137957-1-david.schiller@jku.at +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/impedance-analyzer/ad5933.c ++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c +@@ -608,7 +608,7 @@ static void ad5933_work(struct work_stru + struct ad5933_state, work.work); + struct iio_dev *indio_dev = i2c_get_clientdata(st->client); + __be16 buf[2]; +- int val[2]; ++ u16 val[2]; + unsigned char status; + int ret; + diff --git a/queue-6.1/tracing-fix-wasted-memory-in-saved_cmdlines-logic.patch b/queue-6.1/tracing-fix-wasted-memory-in-saved_cmdlines-logic.patch new file mode 100644 index 00000000000..c429c6eb425 --- /dev/null +++ b/queue-6.1/tracing-fix-wasted-memory-in-saved_cmdlines-logic.patch @@ -0,0 +1,181 @@ +From 44dc5c41b5b1267d4dd037d26afc0c4d3a568acb Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Google)" +Date: Fri, 9 Feb 2024 06:36:22 -0500 +Subject: tracing: Fix wasted memory in saved_cmdlines logic + +From: Steven Rostedt (Google) + +commit 44dc5c41b5b1267d4dd037d26afc0c4d3a568acb upstream. + +While looking at improving the saved_cmdlines cache I found a huge amount +of wasted memory that should be used for the cmdlines. + +The tracing data saves pids during the trace. At sched switch, if a trace +occurred, it will save the comm of the task that did the trace. This is +saved in a "cache" that maps pids to comms and exposed to user space via +the /sys/kernel/tracing/saved_cmdlines file. Currently it only caches by +default 128 comms. + +The structure that uses this creates an array to store the pids using +PID_MAX_DEFAULT (which is usually set to 32768). This causes the structure +to be of the size of 131104 bytes on 64 bit machines. + +In hex: 131104 = 0x20020, and since the kernel allocates generic memory in +powers of two, the kernel would allocate 0x40000 or 262144 bytes to store +this structure. That leaves 131040 bytes of wasted space. + +Worse, the structure points to an allocated array to store the comm names, +which is 16 bytes times the amount of names to save (currently 128), which +is 2048 bytes. Instead of allocating a separate array, make the structure +end with a variable length string and use the extra space for that. + +This is similar to a recommendation that Linus had made about eventfs_inode names: + + https://lore.kernel.org/all/20240130190355.11486-5-torvalds@linux-foundation.org/ + +Instead of allocating a separate string array to hold the saved comms, +have the structure end with: char saved_cmdlines[]; and round up to the +next power of two over sizeof(struct saved_cmdline_buffers) + num_cmdlines * TASK_COMM_LEN +It will use this extra space for the saved_cmdline portion. + +Now, instead of saving only 128 comms by default, by using this wasted +space at the end of the structure it can save over 8000 comms and even +saves space by removing the need for allocating the other array. + +Link: https://lore.kernel.org/linux-trace-kernel/20240209063622.1f7b6d5f@rorschach.local.home + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Vincent Donnefort +Cc: Sven Schnelle +Cc: Mete Durlu +Fixes: 939c7a4f04fcd ("tracing: Introduce saved_cmdlines_size file") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 75 +++++++++++++++++++++++++-------------------------- + 1 file changed, 37 insertions(+), 38 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2249,7 +2249,7 @@ struct saved_cmdlines_buffer { + unsigned *map_cmdline_to_pid; + unsigned cmdline_num; + int cmdline_idx; +- char *saved_cmdlines; ++ char saved_cmdlines[]; + }; + static struct saved_cmdlines_buffer *savedcmd; + +@@ -2263,47 +2263,58 @@ static inline void set_cmdline(int idx, + strncpy(get_saved_cmdlines(idx), cmdline, TASK_COMM_LEN); + } + +-static int allocate_cmdlines_buffer(unsigned int val, +- struct saved_cmdlines_buffer *s) ++static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) + { ++ int order = get_order(sizeof(*s) + s->cmdline_num * TASK_COMM_LEN); ++ ++ kfree(s->map_cmdline_to_pid); ++ free_pages((unsigned long)s, order); ++} ++ ++static struct saved_cmdlines_buffer *allocate_cmdlines_buffer(unsigned int val) ++{ ++ struct saved_cmdlines_buffer *s; ++ struct page *page; ++ int orig_size, size; ++ int order; ++ ++ /* Figure out how much is needed to hold the given number of cmdlines */ ++ orig_size = sizeof(*s) + val * TASK_COMM_LEN; ++ order = get_order(orig_size); ++ size = 1 << (order + PAGE_SHIFT); ++ page = alloc_pages(GFP_KERNEL, order); ++ if (!page) ++ return NULL; ++ ++ s = page_address(page); ++ memset(s, 0, sizeof(*s)); ++ ++ /* Round up to actual allocation */ ++ val = (size - sizeof(*s)) / TASK_COMM_LEN; ++ s->cmdline_num = val; ++ + s->map_cmdline_to_pid = kmalloc_array(val, + sizeof(*s->map_cmdline_to_pid), + GFP_KERNEL); +- if (!s->map_cmdline_to_pid) +- return -ENOMEM; +- +- s->saved_cmdlines = kmalloc_array(TASK_COMM_LEN, val, GFP_KERNEL); +- if (!s->saved_cmdlines) { +- kfree(s->map_cmdline_to_pid); +- return -ENOMEM; ++ if (!s->map_cmdline_to_pid) { ++ free_saved_cmdlines_buffer(s); ++ return NULL; + } + + s->cmdline_idx = 0; +- s->cmdline_num = val; + memset(&s->map_pid_to_cmdline, NO_CMDLINE_MAP, + sizeof(s->map_pid_to_cmdline)); + memset(s->map_cmdline_to_pid, NO_CMDLINE_MAP, + val * sizeof(*s->map_cmdline_to_pid)); + +- return 0; ++ return s; + } + + static int trace_create_savedcmd(void) + { +- int ret; +- +- savedcmd = kmalloc(sizeof(*savedcmd), GFP_KERNEL); +- if (!savedcmd) +- return -ENOMEM; ++ savedcmd = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT); + +- ret = allocate_cmdlines_buffer(SAVED_CMDLINES_DEFAULT, savedcmd); +- if (ret < 0) { +- kfree(savedcmd); +- savedcmd = NULL; +- return -ENOMEM; +- } +- +- return 0; ++ return savedcmd ? 0 : -ENOMEM; + } + + int is_tracing_stopped(void) +@@ -5972,26 +5983,14 @@ tracing_saved_cmdlines_size_read(struct + return simple_read_from_buffer(ubuf, cnt, ppos, buf, r); + } + +-static void free_saved_cmdlines_buffer(struct saved_cmdlines_buffer *s) +-{ +- kfree(s->saved_cmdlines); +- kfree(s->map_cmdline_to_pid); +- kfree(s); +-} +- + static int tracing_resize_saved_cmdlines(unsigned int val) + { + struct saved_cmdlines_buffer *s, *savedcmd_temp; + +- s = kmalloc(sizeof(*s), GFP_KERNEL); ++ s = allocate_cmdlines_buffer(val); + if (!s) + return -ENOMEM; + +- if (allocate_cmdlines_buffer(val, s) < 0) { +- kfree(s); +- return -ENOMEM; +- } +- + preempt_disable(); + arch_spin_lock(&trace_cmdline_lock); + savedcmd_temp = savedcmd; diff --git a/queue-6.1/um-fix-adding-no-pie-for-clang.patch b/queue-6.1/um-fix-adding-no-pie-for-clang.patch new file mode 100644 index 00000000000..b8ca0fa2857 --- /dev/null +++ b/queue-6.1/um-fix-adding-no-pie-for-clang.patch @@ -0,0 +1,63 @@ +From 846cfbeed09b45d985079a9173cf390cc053715b Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 23 Jan 2024 15:59:54 -0700 +Subject: um: Fix adding '-no-pie' for clang + +From: Nathan Chancellor + +commit 846cfbeed09b45d985079a9173cf390cc053715b upstream. + +The kernel builds with -fno-PIE, so commit 883354afbc10 ("um: link +vmlinux with -no-pie") added the compiler linker flag '-no-pie' via +cc-option because '-no-pie' was only supported in GCC 6.1.0 and newer. + +While this works for GCC, this does not work for clang because cc-option +uses '-c', which stops the pipeline right before linking, so '-no-pie' +is unconsumed and clang warns, causing cc-option to fail just as it +would if the option was entirely unsupported: + + $ clang -Werror -no-pie -c -o /dev/null -x c /dev/null + clang-16: error: argument unused during compilation: '-no-pie' [-Werror,-Wunused-command-line-argument] + +A recent version of clang exposes this because it generates a relocation +under '-mcmodel=large' that is not supported in PIE mode: + + /usr/sbin/ld: init/main.o: relocation R_X86_64_32 against symbol `saved_command_line' can not be used when making a PIE object; recompile with -fPIE + /usr/sbin/ld: failed to set dynamic section sizes: bad value + clang: error: linker command failed with exit code 1 (use -v to see invocation) + +Remove the cc-option check altogether. It is wasteful to invoke the +compiler to check for '-no-pie' because only one supported compiler +version does not support it, GCC 5.x (as it is supported with the +minimum version of clang and GCC 6.1.0+). Use a combination of the +gcc-min-version macro and CONFIG_CC_IS_CLANG to unconditionally add +'-no-pie' with CONFIG_LD_SCRIPT_DYN=y, so that it is enabled with all +compilers that support this. Furthermore, using gcc-min-version can help +turn this back into + + LINK-$(CONFIG_LD_SCRIPT_DYN) += -no-pie + +when the minimum version of GCC is bumped past 6.1.0. + +Cc: stable@vger.kernel.org +Closes: https://github.com/ClangBuiltLinux/linux/issues/1982 +Signed-off-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/um/Makefile ++++ b/arch/um/Makefile +@@ -118,7 +118,9 @@ archprepare: + $(Q)$(MAKE) $(build)=$(HOST_DIR)/um include/generated/user_constants.h + + LINK-$(CONFIG_LD_SCRIPT_STATIC) += -static +-LINK-$(CONFIG_LD_SCRIPT_DYN) += $(call cc-option, -no-pie) ++ifdef CONFIG_LD_SCRIPT_DYN ++LINK-$(call gcc-min-version, 60100)$(CONFIG_CC_IS_CLANG) += -no-pie ++endif + LINK-$(CONFIG_LD_SCRIPT_DYN_RPATH) += -Wl,-rpath,/lib + + CFLAGS_NO_HARDENING := $(call cc-option, -fno-PIC,) $(call cc-option, -fno-pic,) \ diff --git a/queue-6.1/xen-netback-properly-sync-tx-responses.patch b/queue-6.1/xen-netback-properly-sync-tx-responses.patch new file mode 100644 index 00000000000..57e91cc85db --- /dev/null +++ b/queue-6.1/xen-netback-properly-sync-tx-responses.patch @@ -0,0 +1,205 @@ +From 7b55984c96ffe9e236eb9c82a2196e0b1f84990d Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 29 Jan 2024 14:03:08 +0100 +Subject: xen-netback: properly sync TX responses + +From: Jan Beulich + +commit 7b55984c96ffe9e236eb9c82a2196e0b1f84990d upstream. + +Invoking the make_tx_response() / push_tx_responses() pair with no lock +held would be acceptable only if all such invocations happened from the +same context (NAPI instance or dealloc thread). Since this isn't the +case, and since the interface "spec" also doesn't demand that multicast +operations may only be performed with no in-flight transmits, +MCAST_{ADD,DEL} processing also needs to acquire the response lock +around the invocations. + +To prevent similar mistakes going forward, "downgrade" the present +functions to private helpers of just the two remaining ones using them +directly, with no forward declarations anymore. This involves renaming +what so far was make_tx_response(), for the new function of that name +to serve the new (wrapper) purpose. + +While there, +- constify the txp parameters, +- correct xenvif_idx_release()'s status parameter's type, +- rename {,_}make_tx_response()'s status parameters for consistency with + xenvif_idx_release()'s. + +Fixes: 210c34dcd8d9 ("xen-netback: add support for multicast control") +Cc: stable@vger.kernel.org +Signed-off-by: Jan Beulich +Reviewed-by: Paul Durrant +Link: https://lore.kernel.org/r/980c6c3d-e10e-4459-8565-e8fbde122f00@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 84 ++++++++++++++++++-------------------- + 1 file changed, 40 insertions(+), 44 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -104,13 +104,12 @@ bool provides_xdp_headroom = true; + module_param(provides_xdp_headroom, bool, 0644); + + static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx, +- u8 status); ++ s8 status); + + static void make_tx_response(struct xenvif_queue *queue, +- struct xen_netif_tx_request *txp, ++ const struct xen_netif_tx_request *txp, + unsigned int extra_count, +- s8 st); +-static void push_tx_responses(struct xenvif_queue *queue); ++ s8 status); + + static void xenvif_idx_unmap(struct xenvif_queue *queue, u16 pending_idx); + +@@ -208,13 +207,9 @@ static void xenvif_tx_err(struct xenvif_ + unsigned int extra_count, RING_IDX end) + { + RING_IDX cons = queue->tx.req_cons; +- unsigned long flags; + + do { +- spin_lock_irqsave(&queue->response_lock, flags); + make_tx_response(queue, txp, extra_count, XEN_NETIF_RSP_ERROR); +- push_tx_responses(queue); +- spin_unlock_irqrestore(&queue->response_lock, flags); + if (cons == end) + break; + RING_COPY_REQUEST(&queue->tx, cons++, txp); +@@ -465,12 +460,7 @@ static void xenvif_get_requests(struct x + for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS; + nr_slots--) { + if (unlikely(!txp->size)) { +- unsigned long flags; +- +- spin_lock_irqsave(&queue->response_lock, flags); + make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY); +- push_tx_responses(queue); +- spin_unlock_irqrestore(&queue->response_lock, flags); + ++txp; + continue; + } +@@ -496,14 +486,8 @@ static void xenvif_get_requests(struct x + + for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++txp) { + if (unlikely(!txp->size)) { +- unsigned long flags; +- +- spin_lock_irqsave(&queue->response_lock, flags); + make_tx_response(queue, txp, 0, + XEN_NETIF_RSP_OKAY); +- push_tx_responses(queue); +- spin_unlock_irqrestore(&queue->response_lock, +- flags); + continue; + } + +@@ -997,7 +981,6 @@ static void xenvif_tx_build_gops(struct + (ret == 0) ? + XEN_NETIF_RSP_OKAY : + XEN_NETIF_RSP_ERROR); +- push_tx_responses(queue); + continue; + } + +@@ -1009,7 +992,6 @@ static void xenvif_tx_build_gops(struct + + make_tx_response(queue, &txreq, extra_count, + XEN_NETIF_RSP_OKAY); +- push_tx_responses(queue); + continue; + } + +@@ -1444,8 +1426,35 @@ int xenvif_tx_action(struct xenvif_queue + return work_done; + } + ++static void _make_tx_response(struct xenvif_queue *queue, ++ const struct xen_netif_tx_request *txp, ++ unsigned int extra_count, ++ s8 status) ++{ ++ RING_IDX i = queue->tx.rsp_prod_pvt; ++ struct xen_netif_tx_response *resp; ++ ++ resp = RING_GET_RESPONSE(&queue->tx, i); ++ resp->id = txp->id; ++ resp->status = status; ++ ++ while (extra_count-- != 0) ++ RING_GET_RESPONSE(&queue->tx, ++i)->status = XEN_NETIF_RSP_NULL; ++ ++ queue->tx.rsp_prod_pvt = ++i; ++} ++ ++static void push_tx_responses(struct xenvif_queue *queue) ++{ ++ int notify; ++ ++ RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&queue->tx, notify); ++ if (notify) ++ notify_remote_via_irq(queue->tx_irq); ++} ++ + static void xenvif_idx_release(struct xenvif_queue *queue, u16 pending_idx, +- u8 status) ++ s8 status) + { + struct pending_tx_info *pending_tx_info; + pending_ring_idx_t index; +@@ -1455,8 +1464,8 @@ static void xenvif_idx_release(struct xe + + spin_lock_irqsave(&queue->response_lock, flags); + +- make_tx_response(queue, &pending_tx_info->req, +- pending_tx_info->extra_count, status); ++ _make_tx_response(queue, &pending_tx_info->req, ++ pending_tx_info->extra_count, status); + + /* Release the pending index before pusing the Tx response so + * its available before a new Tx request is pushed by the +@@ -1470,32 +1479,19 @@ static void xenvif_idx_release(struct xe + spin_unlock_irqrestore(&queue->response_lock, flags); + } + +- + static void make_tx_response(struct xenvif_queue *queue, +- struct xen_netif_tx_request *txp, ++ const struct xen_netif_tx_request *txp, + unsigned int extra_count, +- s8 st) ++ s8 status) + { +- RING_IDX i = queue->tx.rsp_prod_pvt; +- struct xen_netif_tx_response *resp; +- +- resp = RING_GET_RESPONSE(&queue->tx, i); +- resp->id = txp->id; +- resp->status = st; +- +- while (extra_count-- != 0) +- RING_GET_RESPONSE(&queue->tx, ++i)->status = XEN_NETIF_RSP_NULL; ++ unsigned long flags; + +- queue->tx.rsp_prod_pvt = ++i; +-} ++ spin_lock_irqsave(&queue->response_lock, flags); + +-static void push_tx_responses(struct xenvif_queue *queue) +-{ +- int notify; ++ _make_tx_response(queue, txp, extra_count, status); ++ push_tx_responses(queue); + +- RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&queue->tx, notify); +- if (notify) +- notify_remote_via_irq(queue->tx_irq); ++ spin_unlock_irqrestore(&queue->response_lock, flags); + } + + static void xenvif_idx_unmap(struct xenvif_queue *queue, u16 pending_idx) -- 2.47.3