From 4161b7f6c020e1b9635676340ba56459f1f617bd Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 14 Nov 2022 11:38:35 +0100 Subject: [PATCH] 6.0-stable patches added patches: arch-x86-mm-hugetlbpage.c-pud_huge-returns-0-when-using-2-level-paging.patch ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch btrfs-fix-match-incorrectly-in-dev_args_match_device.patch btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch btrfs-zoned-clone-zoned-device-info-when-cloning-a-device.patch btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch can-isotp-fix-tx-state-handling-for-echo-tx-processing.patch can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch can-rcar_canfd-add-missing-ecc-error-checks-for-channels-2-7.patch dmaengine-idxd-do-not-enable-user-type-work-queue-without-shared-virtual-addressing.patch drm-amd-display-fix-reg-timeout-in-enc314_enable_fifo.patch drm-amd-display-update-sr-watermarks-for-dcn314.patch drm-amd-pm-update-smu-ip-v13.0.4-msg-interface-header.patch drm-amdgpu-disable-baco-on-special-beige_goby-card.patch drm-amdgpu-workaround-for-tlb-seq-race.patch drm-amdkfd-fix-error-handling-in-criu_checkpoint.patch drm-amdkfd-fix-error-handling-in-kfd_criu_restore_events.patch drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch mm-hugetlb_vmemmap-include-missing-linux-moduleparam.h.patch mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch net-ethernet-ti-am65-cpsw-fix-segmentation-fault-at-module-unload.patch nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch phy-qcom-qmp-combo-fix-null-deref-on-runtime-resume.patch platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch spi-intel-use-correct-mask-for-flash-and-protected-regions.patch udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch --- ...-returns-0-when-using-2-level-paging.patch | 96 +++++++ ...synchronize-cache-16-command-failure.patch | 53 ++++ ...incorrectly-in-dev_args_match_device.patch | 62 +++++ ...error-check-in-btrfs_free_dummy_root.patch | 56 +++++ ...ed-device-info-when-cloning-a-device.patch | 126 ++++++++++ ...alize-device-s-zone-info-for-seeding.patch | 84 +++++++ ...tate-handling-for-echo-tx-processing.patch | 234 ++++++++++++++++++ ...ix-missing-can-header-initialization.patch | 40 +++ ...ng-ecc-error-checks-for-channels-2-7.patch | 64 +++++ ...ue-without-shared-virtual-addressing.patch | 78 ++++++ ...ix-reg-timeout-in-enc314_enable_fifo.patch | 82 ++++++ ...play-update-sr-watermarks-for-dcn314.patch | 122 +++++++++ ...-smu-ip-v13.0.4-msg-interface-header.patch | 70 ++++++ ...able-baco-on-special-beige_goby-card.patch | 34 +++ ...m-amdgpu-workaround-for-tlb-seq-race.patch | 55 ++++ ...ix-error-handling-in-criu_checkpoint.patch | 96 +++++++ ...-handling-in-kfd_criu_restore_events.patch | 42 ++++ ...fix-sg_table-handling-in-map_dma_buf.patch | 55 ++++ ...-of-buffer-id-when-providing-buffers.patch | 40 +++ ...contexts-input-is-for-a-real-context.patch | 56 +++++ ...-include-missing-linux-moduleparam.h.patch | 40 +++ ...ap-fs_dax-device-memory-as-decrypted.patch | 39 +++ ...-detect-page-cache-for-uffd-continue.patch | 49 ++++ ...hc-imx-fix-sdhci_reset_all-for-cqhci.patch | 60 +++++ ...-segmentation-fault-at-module-unload.patch | 82 ++++++ ...-deadlock-in-nilfs_count_free_blocks.patch | 81 ++++++ ...ter-free-bug-of-ns_writer-on-remount.patch | 118 +++++++++ ...mbo-fix-null-deref-on-runtime-resume.patch | 41 +++ ...fix-rfkill-causing-soft-blocked-wifi.patch | 61 +++++ queue-6.0/series | 33 +++ ...mask-for-flash-and-protected-regions.patch | 45 ++++ ...f-bounds-write-bug-in-udf_find_entry.patch | 135 ++++++++++ ...lacement-of-.data..decrypted-section.patch | 52 ++++ ...ulatory-update-in-ath11k_regd_update.patch | 94 +++++++ 34 files changed, 2475 insertions(+) create mode 100644 queue-6.0/arch-x86-mm-hugetlbpage.c-pud_huge-returns-0-when-using-2-level-paging.patch create mode 100644 queue-6.0/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch create mode 100644 queue-6.0/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch create mode 100644 queue-6.0/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch create mode 100644 queue-6.0/btrfs-zoned-clone-zoned-device-info-when-cloning-a-device.patch create mode 100644 queue-6.0/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch create mode 100644 queue-6.0/can-isotp-fix-tx-state-handling-for-echo-tx-processing.patch create mode 100644 queue-6.0/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch create mode 100644 queue-6.0/can-rcar_canfd-add-missing-ecc-error-checks-for-channels-2-7.patch create mode 100644 queue-6.0/dmaengine-idxd-do-not-enable-user-type-work-queue-without-shared-virtual-addressing.patch create mode 100644 queue-6.0/drm-amd-display-fix-reg-timeout-in-enc314_enable_fifo.patch create mode 100644 queue-6.0/drm-amd-display-update-sr-watermarks-for-dcn314.patch create mode 100644 queue-6.0/drm-amd-pm-update-smu-ip-v13.0.4-msg-interface-header.patch create mode 100644 queue-6.0/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch create mode 100644 queue-6.0/drm-amdgpu-workaround-for-tlb-seq-race.patch create mode 100644 queue-6.0/drm-amdkfd-fix-error-handling-in-criu_checkpoint.patch create mode 100644 queue-6.0/drm-amdkfd-fix-error-handling-in-kfd_criu_restore_events.patch create mode 100644 queue-6.0/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch create mode 100644 queue-6.0/io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch create mode 100644 queue-6.0/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch create mode 100644 queue-6.0/mm-hugetlb_vmemmap-include-missing-linux-moduleparam.h.patch create mode 100644 queue-6.0/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch create mode 100644 queue-6.0/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch create mode 100644 queue-6.0/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch create mode 100644 queue-6.0/net-ethernet-ti-am65-cpsw-fix-segmentation-fault-at-module-unload.patch create mode 100644 queue-6.0/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch create mode 100644 queue-6.0/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch create mode 100644 queue-6.0/phy-qcom-qmp-combo-fix-null-deref-on-runtime-resume.patch create mode 100644 queue-6.0/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch create mode 100644 queue-6.0/spi-intel-use-correct-mask-for-flash-and-protected-regions.patch create mode 100644 queue-6.0/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch create mode 100644 queue-6.0/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch create mode 100644 queue-6.0/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch diff --git a/queue-6.0/arch-x86-mm-hugetlbpage.c-pud_huge-returns-0-when-using-2-level-paging.patch b/queue-6.0/arch-x86-mm-hugetlbpage.c-pud_huge-returns-0-when-using-2-level-paging.patch new file mode 100644 index 00000000000..974f07c3829 --- /dev/null +++ b/queue-6.0/arch-x86-mm-hugetlbpage.c-pud_huge-returns-0-when-using-2-level-paging.patch @@ -0,0 +1,96 @@ +From 1fdbed657a4726639c4f17841fd2a0fb646c746e Mon Sep 17 00:00:00 2001 +From: Naoya Horiguchi +Date: Mon, 7 Nov 2022 11:10:10 +0900 +Subject: arch/x86/mm/hugetlbpage.c: pud_huge() returns 0 when using 2-level paging +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Naoya Horiguchi + +commit 1fdbed657a4726639c4f17841fd2a0fb646c746e upstream. + +The following bug is reported to be triggered when starting X on x86-32 +system with i915: + + [ 225.777375] kernel BUG at mm/memory.c:2664! + [ 225.777391] invalid opcode: 0000 [#1] PREEMPT SMP + [ 225.777405] CPU: 0 PID: 2402 Comm: Xorg Not tainted 6.1.0-rc3-bdg+ #86 + [ 225.777415] Hardware name: /8I865G775-G, BIOS F1 08/29/2006 + [ 225.777421] EIP: __apply_to_page_range+0x24d/0x31c + [ 225.777437] Code: ff ff 8b 55 e8 8b 45 cc e8 0a 11 ec ff 89 d8 83 c4 28 5b 5e 5f 5d c3 81 7d e0 a0 ef 96 c1 74 ad 8b 45 d0 e8 2d 83 49 00 eb a3 <0f> 0b 25 00 f0 ff ff 81 eb 00 00 00 40 01 c3 8b 45 ec 8b 00 e8 76 + [ 225.777446] EAX: 00000001 EBX: c53a3b58 ECX: b5c00000 EDX: c258aa00 + [ 225.777454] ESI: b5c00000 EDI: b5900000 EBP: c4b0fdb4 ESP: c4b0fd80 + [ 225.777462] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010202 + [ 225.777470] CR0: 80050033 CR2: b5900000 CR3: 053a3000 CR4: 000006d0 + [ 225.777479] Call Trace: + [ 225.777486] ? i915_memcpy_init_early+0x63/0x63 [i915] + [ 225.777684] apply_to_page_range+0x21/0x27 + [ 225.777694] ? i915_memcpy_init_early+0x63/0x63 [i915] + [ 225.777870] remap_io_mapping+0x49/0x75 [i915] + [ 225.778046] ? i915_memcpy_init_early+0x63/0x63 [i915] + [ 225.778220] ? mutex_unlock+0xb/0xd + [ 225.778231] ? i915_vma_pin_fence+0x6d/0xf7 [i915] + [ 225.778420] vm_fault_gtt+0x2a9/0x8f1 [i915] + [ 225.778644] ? lock_is_held_type+0x56/0xe7 + [ 225.778655] ? lock_is_held_type+0x7a/0xe7 + [ 225.778663] ? 0xc1000000 + [ 225.778670] __do_fault+0x21/0x6a + [ 225.778679] handle_mm_fault+0x708/0xb21 + [ 225.778686] ? mt_find+0x21e/0x5ae + [ 225.778696] exc_page_fault+0x185/0x705 + [ 225.778704] ? doublefault_shim+0x127/0x127 + [ 225.778715] handle_exception+0x130/0x130 + [ 225.778723] EIP: 0xb700468a + +Recently pud_huge() got aware of non-present entry by commit 3a194f3f8ad0 +("mm/hugetlb: make pud_huge() and follow_huge_pud() aware of non-present +pud entry") to handle some special states of gigantic page. However, it's +overlooked that pud_none() always returns false when running with 2-level +paging, and as a result pud_huge() can return true pointlessly. + +Introduce "#if CONFIG_PGTABLE_LEVELS > 2" to pud_huge() to deal with this. + +Link: https://lkml.kernel.org/r/20221107021010.2449306-1-naoya.horiguchi@linux.dev +Fixes: 3a194f3f8ad0 ("mm/hugetlb: make pud_huge() and follow_huge_pud() aware of non-present pud entry") +Signed-off-by: Naoya Horiguchi +Reported-by: Ville Syrjälä +Tested-by: Ville Syrjälä +Reviewed-by: Miaohe Lin +Cc: David Hildenbrand +Cc: Liu Shixin +Cc: Mike Kravetz +Cc: Muchun Song +Cc: Oscar Salvador +Cc: Yang Shi +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/hugetlbpage.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c +index 6b3033845c6d..5804bbae4f01 100644 +--- a/arch/x86/mm/hugetlbpage.c ++++ b/arch/x86/mm/hugetlbpage.c +@@ -37,8 +37,12 @@ int pmd_huge(pmd_t pmd) + */ + int pud_huge(pud_t pud) + { ++#if CONFIG_PGTABLE_LEVELS > 2 + return !pud_none(pud) && + (pud_val(pud) & (_PAGE_PRESENT|_PAGE_PSE)) != _PAGE_PRESENT; ++#else ++ return 0; ++#endif + } + + #ifdef CONFIG_HUGETLB_PAGE +-- +2.38.1 + diff --git a/queue-6.0/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch b/queue-6.0/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch new file mode 100644 index 00000000000..c11e8141c6b --- /dev/null +++ b/queue-6.0/ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch @@ -0,0 +1,53 @@ +From ea045fd344cb15c164e9ffc8b8cffb6883df8475 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Mon, 7 Nov 2022 13:02:29 +0900 +Subject: ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure + +From: Shin'ichiro Kawasaki + +commit ea045fd344cb15c164e9ffc8b8cffb6883df8475 upstream. + +SAT SCSI/ATA Translation specification requires SCSI SYNCHRONIZE CACHE +(10) and (16) commands both shall be translated to ATA flush command. +Also, ZBC Zoned Block Commands specification mandates SYNCHRONIZE CACHE +(16) command support. However, libata translates only SYNCHRONIZE CACHE +(10). This results in SYNCHRONIZE CACHE (16) command failures on SATA +drives and then libata translation does not conform to ZBC. To avoid the +failure, add support for SYNCHRONIZE CACHE (16). + +Signed-off-by: Shin'ichiro Kawasaki +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Hellwig +Reviewed-by: Martin K. Petersen +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3266,6 +3266,7 @@ static unsigned int ata_scsiop_maint_in( + case REPORT_LUNS: + case REQUEST_SENSE: + case SYNCHRONIZE_CACHE: ++ case SYNCHRONIZE_CACHE_16: + case REZERO_UNIT: + case SEEK_6: + case SEEK_10: +@@ -3924,6 +3925,7 @@ static inline ata_xlat_func_t ata_get_xl + return ata_scsi_write_same_xlat; + + case SYNCHRONIZE_CACHE: ++ case SYNCHRONIZE_CACHE_16: + if (ata_try_flush_cache(dev)) + return ata_scsi_flush_xlat; + break; +@@ -4147,6 +4149,7 @@ void ata_scsi_simulate(struct ata_device + * turning this into a no-op. + */ + case SYNCHRONIZE_CACHE: ++ case SYNCHRONIZE_CACHE_16: + fallthrough; + + /* no-op's, complete with success */ diff --git a/queue-6.0/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch b/queue-6.0/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch new file mode 100644 index 00000000000..10fe9dfa980 --- /dev/null +++ b/queue-6.0/btrfs-fix-match-incorrectly-in-dev_args_match_device.patch @@ -0,0 +1,62 @@ +From 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001 Mon Sep 17 00:00:00 2001 +From: Liu Shixin +Date: Thu, 3 Nov 2022 16:33:01 +0800 +Subject: btrfs: fix match incorrectly in dev_args_match_device + +From: Liu Shixin + +commit 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001 upstream. + +syzkaller found a failed assertion: + + assertion failed: (args->devid != (u64)-1) || args->missing, in fs/btrfs/volumes.c:6921 + +This can be triggered when we set devid to (u64)-1 by ioctl. In this +case, the match of devid will be skipped and the match of device may +succeed incorrectly. + +Patch 562d7b1512f7 introduced this function which is used to match device. +This function contains two matching scenarios, we can distinguish them by +checking the value of args->missing rather than check whether args->devid +and args->uuid is default value. + +Reported-by: syzbot+031687116258450f9853@syzkaller.appspotmail.com +Fixes: 562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args") +CC: stable@vger.kernel.org # 5.16+ +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Shixin +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6805,18 +6805,18 @@ static bool dev_args_match_fs_devices(co + static bool dev_args_match_device(const struct btrfs_dev_lookup_args *args, + const struct btrfs_device *device) + { +- ASSERT((args->devid != (u64)-1) || args->missing); ++ if (args->missing) { ++ if (test_bit(BTRFS_DEV_STATE_IN_FS_METADATA, &device->dev_state) && ++ !device->bdev) ++ return true; ++ return false; ++ } + +- if ((args->devid != (u64)-1) && device->devid != args->devid) ++ if (device->devid != args->devid) + return false; + if (args->uuid && memcmp(device->uuid, args->uuid, BTRFS_UUID_SIZE) != 0) + return false; +- if (!args->missing) +- return true; +- if (test_bit(BTRFS_DEV_STATE_IN_FS_METADATA, &device->dev_state) && +- !device->bdev) +- return true; +- return false; ++ return true; + } + + /* diff --git a/queue-6.0/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch b/queue-6.0/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch new file mode 100644 index 00000000000..fecffb6cdda --- /dev/null +++ b/queue-6.0/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch @@ -0,0 +1,56 @@ +From 9b2f20344d450137d015b380ff0c2e2a6a170135 Mon Sep 17 00:00:00 2001 +From: Zhang Xiaoxu +Date: Tue, 1 Nov 2022 10:53:54 +0800 +Subject: btrfs: selftests: fix wrong error check in btrfs_free_dummy_root() + +From: Zhang Xiaoxu + +commit 9b2f20344d450137d015b380ff0c2e2a6a170135 upstream. + +The btrfs_alloc_dummy_root() uses ERR_PTR as the error return value +rather than NULL, if error happened, there will be a NULL pointer +dereference: + + BUG: KASAN: null-ptr-deref in btrfs_free_dummy_root+0x21/0x50 [btrfs] + Read of size 8 at addr 000000000000002c by task insmod/258926 + + CPU: 2 PID: 258926 Comm: insmod Tainted: G W 6.1.0-rc2+ #5 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + Call Trace: + + dump_stack_lvl+0x34/0x44 + kasan_report+0xb7/0x140 + kasan_check_range+0x145/0x1a0 + btrfs_free_dummy_root+0x21/0x50 [btrfs] + btrfs_test_free_space_cache+0x1a8c/0x1add [btrfs] + btrfs_run_sanity_tests+0x65/0x80 [btrfs] + init_btrfs_fs+0xec/0x154 [btrfs] + do_one_initcall+0x87/0x2a0 + do_init_module+0xdf/0x320 + load_module+0x3006/0x3390 + __do_sys_finit_module+0x113/0x1b0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fixes: aaedb55bc08f ("Btrfs: add tests for btrfs_get_extent") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Anand Jain +Signed-off-by: Zhang Xiaoxu +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tests/btrfs-tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tests/btrfs-tests.c ++++ b/fs/btrfs/tests/btrfs-tests.c +@@ -200,7 +200,7 @@ void btrfs_free_dummy_fs_info(struct btr + + void btrfs_free_dummy_root(struct btrfs_root *root) + { +- if (!root) ++ if (IS_ERR_OR_NULL(root)) + return; + /* Will be freed by btrfs_free_fs_roots */ + if (WARN_ON(test_bit(BTRFS_ROOT_IN_RADIX, &root->state))) diff --git a/queue-6.0/btrfs-zoned-clone-zoned-device-info-when-cloning-a-device.patch b/queue-6.0/btrfs-zoned-clone-zoned-device-info-when-cloning-a-device.patch new file mode 100644 index 00000000000..e0f055007bb --- /dev/null +++ b/queue-6.0/btrfs-zoned-clone-zoned-device-info-when-cloning-a-device.patch @@ -0,0 +1,126 @@ +From 21e61ec6d0bb786818490e926aa9aeb4de95ad0d Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Fri, 4 Nov 2022 07:12:33 -0700 +Subject: btrfs: zoned: clone zoned device info when cloning a device + +From: Johannes Thumshirn + +commit 21e61ec6d0bb786818490e926aa9aeb4de95ad0d upstream. + +When cloning a btrfs_device, we're not cloning the associated +btrfs_zoned_device_info structure of the device in case of a zoned +filesystem. + +Later on this leads to a NULL pointer dereference when accessing the +device's zone_info for instance when setting a zone as active. + +This was uncovered by fstests' testcase btrfs/161. + +CC: stable@vger.kernel.org # 5.15+ +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 12 ++++++++++++ + fs/btrfs/zoned.c | 40 ++++++++++++++++++++++++++++++++++++++++ + fs/btrfs/zoned.h | 11 +++++++++++ + 3 files changed, 63 insertions(+) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1009,6 +1009,18 @@ static struct btrfs_fs_devices *clone_fs + rcu_assign_pointer(device->name, name); + } + ++ if (orig_dev->zone_info) { ++ struct btrfs_zoned_device_info *zone_info; ++ ++ zone_info = btrfs_clone_dev_zone_info(orig_dev); ++ if (!zone_info) { ++ btrfs_free_device(device); ++ ret = -ENOMEM; ++ goto error; ++ } ++ device->zone_info = zone_info; ++ } ++ + list_add(&device->dev_list, &fs_devices->devices); + device->fs_devices = fs_devices; + fs_devices->num_devices++; +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -639,6 +639,46 @@ void btrfs_destroy_dev_zone_info(struct + device->zone_info = NULL; + } + ++struct btrfs_zoned_device_info *btrfs_clone_dev_zone_info(struct btrfs_device *orig_dev) ++{ ++ struct btrfs_zoned_device_info *zone_info; ++ ++ zone_info = kmemdup(orig_dev->zone_info, sizeof(*zone_info), GFP_KERNEL); ++ if (!zone_info) ++ return NULL; ++ ++ zone_info->seq_zones = bitmap_zalloc(zone_info->nr_zones, GFP_KERNEL); ++ if (!zone_info->seq_zones) ++ goto out; ++ ++ bitmap_copy(zone_info->seq_zones, orig_dev->zone_info->seq_zones, ++ zone_info->nr_zones); ++ ++ zone_info->empty_zones = bitmap_zalloc(zone_info->nr_zones, GFP_KERNEL); ++ if (!zone_info->empty_zones) ++ goto out; ++ ++ bitmap_copy(zone_info->empty_zones, orig_dev->zone_info->empty_zones, ++ zone_info->nr_zones); ++ ++ zone_info->active_zones = bitmap_zalloc(zone_info->nr_zones, GFP_KERNEL); ++ if (!zone_info->active_zones) ++ goto out; ++ ++ bitmap_copy(zone_info->active_zones, orig_dev->zone_info->active_zones, ++ zone_info->nr_zones); ++ zone_info->zone_cache = NULL; ++ ++ return zone_info; ++ ++out: ++ bitmap_free(zone_info->seq_zones); ++ bitmap_free(zone_info->empty_zones); ++ bitmap_free(zone_info->active_zones); ++ kfree(zone_info); ++ return NULL; ++} ++ + int btrfs_get_dev_zone(struct btrfs_device *device, u64 pos, + struct blk_zone *zone) + { +--- a/fs/btrfs/zoned.h ++++ b/fs/btrfs/zoned.h +@@ -36,6 +36,7 @@ int btrfs_get_dev_zone(struct btrfs_devi + int btrfs_get_dev_zone_info_all_devices(struct btrfs_fs_info *fs_info); + int btrfs_get_dev_zone_info(struct btrfs_device *device, bool populate_cache); + void btrfs_destroy_dev_zone_info(struct btrfs_device *device); ++struct btrfs_zoned_device_info *btrfs_clone_dev_zone_info(struct btrfs_device *orig_dev); + int btrfs_check_zoned_mode(struct btrfs_fs_info *fs_info); + int btrfs_check_mountopts_zoned(struct btrfs_fs_info *info); + int btrfs_sb_log_location_bdev(struct block_device *bdev, int mirror, int rw, +@@ -103,6 +104,16 @@ static inline int btrfs_get_dev_zone_inf + + static inline void btrfs_destroy_dev_zone_info(struct btrfs_device *device) { } + ++/* ++ * In case the kernel is compiled without CONFIG_BLK_DEV_ZONED we'll never call ++ * into btrfs_clone_dev_zone_info() so it's safe to return NULL here. ++ */ ++static inline struct btrfs_zoned_device_info *btrfs_clone_dev_zone_info( ++ struct btrfs_device *orig_dev) ++{ ++ return NULL; ++} ++ + static inline int btrfs_check_zoned_mode(const struct btrfs_fs_info *fs_info) + { + if (!btrfs_is_zoned(fs_info)) diff --git a/queue-6.0/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch b/queue-6.0/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch new file mode 100644 index 00000000000..40e56e73439 --- /dev/null +++ b/queue-6.0/btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch @@ -0,0 +1,84 @@ +From a8d1b1647bf8244a5f270538e9e636e2657fffa3 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Fri, 4 Nov 2022 07:12:34 -0700 +Subject: btrfs: zoned: initialize device's zone info for seeding + +From: Johannes Thumshirn + +commit a8d1b1647bf8244a5f270538e9e636e2657fffa3 upstream. + +When performing seeding on a zoned filesystem it is necessary to +initialize each zoned device's btrfs_zoned_device_info structure, +otherwise mounting the filesystem will cause a NULL pointer dereference. + +This was uncovered by fstests' testcase btrfs/163. + +CC: stable@vger.kernel.org # 5.15+ +Signed-off-by: Johannes Thumshirn +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 4 +++- + fs/btrfs/volumes.c | 11 +++++++++-- + fs/btrfs/volumes.h | 2 +- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2544,7 +2544,9 @@ static int btrfs_read_roots(struct btrfs + fs_info->dev_root = root; + } + /* Initialize fs_info for all devices in any case */ +- btrfs_init_devices_late(fs_info); ++ ret = btrfs_init_devices_late(fs_info); ++ if (ret) ++ goto out; + + /* + * This tree can share blocks with some other fs tree during relocation +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -7643,10 +7643,11 @@ error: + return ret; + } + +-void btrfs_init_devices_late(struct btrfs_fs_info *fs_info) ++int btrfs_init_devices_late(struct btrfs_fs_info *fs_info) + { + struct btrfs_fs_devices *fs_devices = fs_info->fs_devices, *seed_devs; + struct btrfs_device *device; ++ int ret = 0; + + fs_devices->fs_info = fs_info; + +@@ -7655,12 +7656,18 @@ void btrfs_init_devices_late(struct btrf + device->fs_info = fs_info; + + list_for_each_entry(seed_devs, &fs_devices->seed_list, seed_list) { +- list_for_each_entry(device, &seed_devs->devices, dev_list) ++ list_for_each_entry(device, &seed_devs->devices, dev_list) { + device->fs_info = fs_info; ++ ret = btrfs_get_dev_zone_info(device, false); ++ if (ret) ++ break; ++ } + + seed_devs->fs_info = fs_info; + } + mutex_unlock(&fs_devices->device_list_mutex); ++ ++ return ret; + } + + static u64 btrfs_dev_stats_value(const struct extent_buffer *eb, +--- a/fs/btrfs/volumes.h ++++ b/fs/btrfs/volumes.h +@@ -629,7 +629,7 @@ int find_free_dev_extent(struct btrfs_de + void btrfs_dev_stat_inc_and_print(struct btrfs_device *dev, int index); + int btrfs_get_dev_stats(struct btrfs_fs_info *fs_info, + struct btrfs_ioctl_get_dev_stats *stats); +-void btrfs_init_devices_late(struct btrfs_fs_info *fs_info); ++int btrfs_init_devices_late(struct btrfs_fs_info *fs_info); + int btrfs_init_dev_stats(struct btrfs_fs_info *fs_info); + int btrfs_run_dev_stats(struct btrfs_trans_handle *trans); + void btrfs_rm_dev_replace_remove_srcdev(struct btrfs_device *srcdev); diff --git a/queue-6.0/can-isotp-fix-tx-state-handling-for-echo-tx-processing.patch b/queue-6.0/can-isotp-fix-tx-state-handling-for-echo-tx-processing.patch new file mode 100644 index 00000000000..3ce34d884d8 --- /dev/null +++ b/queue-6.0/can-isotp-fix-tx-state-handling-for-echo-tx-processing.patch @@ -0,0 +1,234 @@ +From 866337865f3747c68a3e7bb837611e39cec1ecd6 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Fri, 4 Nov 2022 15:25:51 +0100 +Subject: can: isotp: fix tx state handling for echo tx processing + +From: Oliver Hartkopp + +commit 866337865f3747c68a3e7bb837611e39cec1ecd6 upstream. + +In commit 4b7fe92c0690 ("can: isotp: add local echo tx processing for +consecutive frames") the data flow for consecutive frames (CF) has been +reworked to improve the reliability of long data transfers. + +This rework did not touch the transmission and the tx state changes of +single frame (SF) transfers which likely led to the WARN in the +isotp_tx_timer_handler() catching a wrong tx state. This patch makes use +of the improved frame processing for SF frames and sets the ISOTP_SENDING +state in isotp_sendmsg() within the cmpxchg() condition handling. + +A review of the state machine and the timer handling additionally revealed +a missing echo timeout handling in the case of the burst mode in +isotp_rcv_echo() and removes a potential timer configuration uncertainty +in isotp_rcv_fc() when the receiver requests consecutive frames. + +Fixes: 4b7fe92c0690 ("can: isotp: add local echo tx processing for consecutive frames") +Link: https://lore.kernel.org/linux-can/CAO4mrfe3dG7cMP1V5FLUkw7s+50c9vichigUMQwsxX4M=45QEw@mail.gmail.com/T/#u +Reported-by: Wei Chen +Cc: stable@vger.kernel.org # v6.0 +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20221104142551.16924-1-socketcan@hartkopp.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 71 +++++++++++++++++++++++++++++--------------------------- + 1 file changed, 38 insertions(+), 33 deletions(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -111,6 +111,9 @@ MODULE_ALIAS("can-proto-6"); + #define ISOTP_FC_WT 1 /* wait */ + #define ISOTP_FC_OVFLW 2 /* overflow */ + ++#define ISOTP_FC_TIMEOUT 1 /* 1 sec */ ++#define ISOTP_ECHO_TIMEOUT 2 /* 2 secs */ ++ + enum { + ISOTP_IDLE = 0, + ISOTP_WAIT_FIRST_FC, +@@ -258,7 +261,8 @@ static int isotp_send_fc(struct sock *sk + so->lastrxcf_tstamp = ktime_set(0, 0); + + /* start rx timeout watchdog */ +- hrtimer_start(&so->rxtimer, ktime_set(1, 0), HRTIMER_MODE_REL_SOFT); ++ hrtimer_start(&so->rxtimer, ktime_set(ISOTP_FC_TIMEOUT, 0), ++ HRTIMER_MODE_REL_SOFT); + return 0; + } + +@@ -344,6 +348,8 @@ static int check_pad(struct isotp_sock * + return 0; + } + ++static void isotp_send_cframe(struct isotp_sock *so); ++ + static int isotp_rcv_fc(struct isotp_sock *so, struct canfd_frame *cf, int ae) + { + struct sock *sk = &so->sk; +@@ -398,14 +404,15 @@ static int isotp_rcv_fc(struct isotp_soc + case ISOTP_FC_CTS: + so->tx.bs = 0; + so->tx.state = ISOTP_SENDING; +- /* start cyclic timer for sending CF frame */ +- hrtimer_start(&so->txtimer, so->tx_gap, ++ /* send CF frame and enable echo timeout handling */ ++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_ECHO_TIMEOUT, 0), + HRTIMER_MODE_REL_SOFT); ++ isotp_send_cframe(so); + break; + + case ISOTP_FC_WT: + /* start timer to wait for next FC frame */ +- hrtimer_start(&so->txtimer, ktime_set(1, 0), ++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_FC_TIMEOUT, 0), + HRTIMER_MODE_REL_SOFT); + break; + +@@ -600,7 +607,7 @@ static int isotp_rcv_cf(struct sock *sk, + /* perform blocksize handling, if enabled */ + if (!so->rxfc.bs || ++so->rx.bs < so->rxfc.bs) { + /* start rx timeout watchdog */ +- hrtimer_start(&so->rxtimer, ktime_set(1, 0), ++ hrtimer_start(&so->rxtimer, ktime_set(ISOTP_FC_TIMEOUT, 0), + HRTIMER_MODE_REL_SOFT); + return 0; + } +@@ -829,7 +836,7 @@ static void isotp_rcv_echo(struct sk_buf + struct isotp_sock *so = isotp_sk(sk); + struct canfd_frame *cf = (struct canfd_frame *)skb->data; + +- /* only handle my own local echo skb's */ ++ /* only handle my own local echo CF/SF skb's (no FF!) */ + if (skb->sk != sk || so->cfecho != *(u32 *)cf->data) + return; + +@@ -849,13 +856,16 @@ static void isotp_rcv_echo(struct sk_buf + if (so->txfc.bs && so->tx.bs >= so->txfc.bs) { + /* stop and wait for FC with timeout */ + so->tx.state = ISOTP_WAIT_FC; +- hrtimer_start(&so->txtimer, ktime_set(1, 0), ++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_FC_TIMEOUT, 0), + HRTIMER_MODE_REL_SOFT); + return; + } + + /* no gap between data frames needed => use burst mode */ + if (!so->tx_gap) { ++ /* enable echo timeout handling */ ++ hrtimer_start(&so->txtimer, ktime_set(ISOTP_ECHO_TIMEOUT, 0), ++ HRTIMER_MODE_REL_SOFT); + isotp_send_cframe(so); + return; + } +@@ -879,7 +889,7 @@ static enum hrtimer_restart isotp_tx_tim + /* start timeout for unlikely lost echo skb */ + hrtimer_set_expires(&so->txtimer, + ktime_add(ktime_get(), +- ktime_set(2, 0))); ++ ktime_set(ISOTP_ECHO_TIMEOUT, 0))); + restart = HRTIMER_RESTART; + + /* push out the next consecutive frame */ +@@ -907,7 +917,8 @@ static enum hrtimer_restart isotp_tx_tim + break; + + default: +- WARN_ON_ONCE(1); ++ WARN_ONCE(1, "can-isotp: tx timer state %08X cfecho %08X\n", ++ so->tx.state, so->cfecho); + } + + return restart; +@@ -923,7 +934,7 @@ static int isotp_sendmsg(struct socket * + struct canfd_frame *cf; + int ae = (so->opt.flags & CAN_ISOTP_EXTEND_ADDR) ? 1 : 0; + int wait_tx_done = (so->opt.flags & CAN_ISOTP_WAIT_TX_DONE) ? 1 : 0; +- s64 hrtimer_sec = 0; ++ s64 hrtimer_sec = ISOTP_ECHO_TIMEOUT; + int off; + int err; + +@@ -942,6 +953,8 @@ static int isotp_sendmsg(struct socket * + err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE); + if (err) + goto err_out; ++ ++ so->tx.state = ISOTP_SENDING; + } + + if (!size || size > MAX_MSG_LENGTH) { +@@ -986,6 +999,10 @@ static int isotp_sendmsg(struct socket * + cf = (struct canfd_frame *)skb->data; + skb_put_zero(skb, so->ll.mtu); + ++ /* cfecho should have been zero'ed by init / former isotp_rcv_echo() */ ++ if (so->cfecho) ++ pr_notice_once("can-isotp: uninit cfecho %08X\n", so->cfecho); ++ + /* check for single frame transmission depending on TX_DL */ + if (size <= so->tx.ll_dl - SF_PCI_SZ4 - ae - off) { + /* The message size generally fits into a SingleFrame - good. +@@ -1011,11 +1028,8 @@ static int isotp_sendmsg(struct socket * + else + cf->data[ae] |= size; + +- so->tx.state = ISOTP_IDLE; +- wake_up_interruptible(&so->wait); +- +- /* don't enable wait queue for a single frame transmission */ +- wait_tx_done = 0; ++ /* set CF echo tag for isotp_rcv_echo() (SF-mode) */ ++ so->cfecho = *(u32 *)cf->data; + } else { + /* send first frame */ + +@@ -1031,31 +1045,23 @@ static int isotp_sendmsg(struct socket * + /* disable wait for FCs due to activated block size */ + so->txfc.bs = 0; + +- /* cfecho should have been zero'ed by init */ +- if (so->cfecho) +- pr_notice_once("can-isotp: no fc cfecho %08X\n", +- so->cfecho); +- +- /* set consecutive frame echo tag */ ++ /* set CF echo tag for isotp_rcv_echo() (CF-mode) */ + so->cfecho = *(u32 *)cf->data; +- +- /* switch directly to ISOTP_SENDING state */ +- so->tx.state = ISOTP_SENDING; +- +- /* start timeout for unlikely lost echo skb */ +- hrtimer_sec = 2; + } else { + /* standard flow control check */ + so->tx.state = ISOTP_WAIT_FIRST_FC; + + /* start timeout for FC */ +- hrtimer_sec = 1; +- } ++ hrtimer_sec = ISOTP_FC_TIMEOUT; + +- hrtimer_start(&so->txtimer, ktime_set(hrtimer_sec, 0), +- HRTIMER_MODE_REL_SOFT); ++ /* no CF echo tag for isotp_rcv_echo() (FF-mode) */ ++ so->cfecho = 0; ++ } + } + ++ hrtimer_start(&so->txtimer, ktime_set(hrtimer_sec, 0), ++ HRTIMER_MODE_REL_SOFT); ++ + /* send the first or only CAN frame */ + cf->flags = so->ll.tx_flags; + +@@ -1068,8 +1074,7 @@ static int isotp_sendmsg(struct socket * + __func__, ERR_PTR(err)); + + /* no transmission -> no timeout monitoring */ +- if (hrtimer_sec) +- hrtimer_cancel(&so->txtimer); ++ hrtimer_cancel(&so->txtimer); + + /* reset consecutive frame echo tag */ + so->cfecho = 0; diff --git a/queue-6.0/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch b/queue-6.0/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch new file mode 100644 index 00000000000..39b68acc78f --- /dev/null +++ b/queue-6.0/can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch @@ -0,0 +1,40 @@ +From 3eb3d283e8579a22b81dd2ac3987b77465b2a22f Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Fri, 4 Nov 2022 08:50:00 +0100 +Subject: can: j1939: j1939_send_one(): fix missing CAN header initialization + +From: Oliver Hartkopp + +commit 3eb3d283e8579a22b81dd2ac3987b77465b2a22f upstream. + +The read access to struct canxl_frame::len inside of a j1939 created +skbuff revealed a missing initialization of reserved and later filled +elements in struct can_frame. + +This patch initializes the 8 byte CAN header with zero. + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Cc: Oleksij Rempel +Link: https://lore.kernel.org/linux-can/20221104052235.GA6474@pengutronix.de +Reported-by: syzbot+d168ec0caca4697e03b1@syzkaller.appspotmail.com +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20221104075000.105414-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/can/j1939/main.c ++++ b/net/can/j1939/main.c +@@ -332,6 +332,9 @@ int j1939_send_one(struct j1939_priv *pr + /* re-claim the CAN_HDR from the SKB */ + cf = skb_push(skb, J1939_CAN_HDR); + ++ /* initialize header structure */ ++ memset(cf, 0, J1939_CAN_HDR); ++ + /* make it a full can frame again */ + skb_put(skb, J1939_CAN_FTR + (8 - dlc)); + diff --git a/queue-6.0/can-rcar_canfd-add-missing-ecc-error-checks-for-channels-2-7.patch b/queue-6.0/can-rcar_canfd-add-missing-ecc-error-checks-for-channels-2-7.patch new file mode 100644 index 00000000000..d815285b467 --- /dev/null +++ b/queue-6.0/can-rcar_canfd-add-missing-ecc-error-checks-for-channels-2-7.patch @@ -0,0 +1,64 @@ +From 8b043dfb3dc7c32f9c2c0c93e3c2de346ee5e358 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Fri, 28 Oct 2022 12:06:45 +0200 +Subject: can: rcar_canfd: Add missing ECC error checks for channels 2-7 + +From: Geert Uytterhoeven + +commit 8b043dfb3dc7c32f9c2c0c93e3c2de346ee5e358 upstream. + +When introducing support for R-Car V3U, which has 8 instead of 2 +channels, the ECC error bitmask was extended to take into account the +extra channels, but rcar_canfd_global_error() was not updated to act +upon the extra bits. + +Replace the RCANFD_GERFL_EEF[01] macros by a new macro that takes the +channel number, fixing R-Car V3U while simplifying the code. + +Fixes: 45721c406dcf50d4 ("can: rcar_canfd: Add support for r8a779a0 SoC") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Biju Das +Link: https://lore.kernel.org/all/4edb2ea46cc64d0532a08a924179827481e14b4f.1666951503.git.geert+renesas@glider.be +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/rcar/rcar_canfd.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/drivers/net/can/rcar/rcar_canfd.c ++++ b/drivers/net/can/rcar/rcar_canfd.c +@@ -81,8 +81,7 @@ enum rcanfd_chip_id { + + /* RSCFDnCFDGERFL / RSCFDnGERFL */ + #define RCANFD_GERFL_EEF0_7 GENMASK(23, 16) +-#define RCANFD_GERFL_EEF1 BIT(17) +-#define RCANFD_GERFL_EEF0 BIT(16) ++#define RCANFD_GERFL_EEF(ch) BIT(16 + (ch)) + #define RCANFD_GERFL_CMPOF BIT(3) /* CAN FD only */ + #define RCANFD_GERFL_THLES BIT(2) + #define RCANFD_GERFL_MES BIT(1) +@@ -90,7 +89,7 @@ enum rcanfd_chip_id { + + #define RCANFD_GERFL_ERR(gpriv, x) \ + ((x) & (reg_v3u(gpriv, RCANFD_GERFL_EEF0_7, \ +- RCANFD_GERFL_EEF0 | RCANFD_GERFL_EEF1) | \ ++ RCANFD_GERFL_EEF(0) | RCANFD_GERFL_EEF(1)) | \ + RCANFD_GERFL_MES | \ + ((gpriv)->fdmode ? RCANFD_GERFL_CMPOF : 0))) + +@@ -936,12 +935,8 @@ static void rcar_canfd_global_error(stru + u32 ridx = ch + RCANFD_RFFIFO_IDX; + + gerfl = rcar_canfd_read(priv->base, RCANFD_GERFL); +- if ((gerfl & RCANFD_GERFL_EEF0) && (ch == 0)) { +- netdev_dbg(ndev, "Ch0: ECC Error flag\n"); +- stats->tx_dropped++; +- } +- if ((gerfl & RCANFD_GERFL_EEF1) && (ch == 1)) { +- netdev_dbg(ndev, "Ch1: ECC Error flag\n"); ++ if (gerfl & RCANFD_GERFL_EEF(ch)) { ++ netdev_dbg(ndev, "Ch%u: ECC Error flag\n", ch); + stats->tx_dropped++; + } + if (gerfl & RCANFD_GERFL_MES) { diff --git a/queue-6.0/dmaengine-idxd-do-not-enable-user-type-work-queue-without-shared-virtual-addressing.patch b/queue-6.0/dmaengine-idxd-do-not-enable-user-type-work-queue-without-shared-virtual-addressing.patch new file mode 100644 index 00000000000..e3d6ed933b8 --- /dev/null +++ b/queue-6.0/dmaengine-idxd-do-not-enable-user-type-work-queue-without-shared-virtual-addressing.patch @@ -0,0 +1,78 @@ +From 0ec8ce07394442d722806fe61b901a5b2b17249d Mon Sep 17 00:00:00 2001 +From: Fenghua Yu +Date: Fri, 14 Oct 2022 15:25:41 -0700 +Subject: dmaengine: idxd: Do not enable user type Work Queue without Shared Virtual Addressing + +From: Fenghua Yu + +commit 0ec8ce07394442d722806fe61b901a5b2b17249d upstream. + +When the idxd_user_drv driver is bound to a Work Queue (WQ) device +without IOMMU or with IOMMU Passthrough without Shared Virtual +Addressing (SVA), the application gains direct access to physical +memory via the device by programming physical address to a submitted +descriptor. This allows direct userspace read and write access to +arbitrary physical memory. This is inconsistent with the security +goals of a good kernel API. + +Unlike vfio_pci driver, the IDXD char device driver does not provide any +ways to pin user pages and translate the address from user VA to IOVA or +PA without IOMMU SVA. Therefore the application has no way to instruct the +device to perform DMA function. This makes the char device not usable for +normal application usage. + +Since user type WQ without SVA cannot be used for normal application usage +and presents the security issue, bind idxd_user_drv driver and enable user +type WQ only when SVA is enabled (i.e. user PASID is enabled). + +Fixes: 448c3de8ac83 ("dmaengine: idxd: create user driver for wq 'device'") +Cc: stable@vger.kernel.org +Suggested-by: Arjan Van De Ven +Signed-off-by: Fenghua Yu +Reviewed-by: Dave Jiang +Reviewed-by: Jerry Snitselaar +Link: https://lore.kernel.org/r/20221014222541.3912195-1-fenghua.yu@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/idxd/cdev.c | 18 ++++++++++++++++++ + include/uapi/linux/idxd.h | 1 + + 2 files changed, 19 insertions(+) + +--- a/drivers/dma/idxd/cdev.c ++++ b/drivers/dma/idxd/cdev.c +@@ -312,6 +312,24 @@ static int idxd_user_drv_probe(struct id + if (idxd->state != IDXD_DEV_ENABLED) + return -ENXIO; + ++ /* ++ * User type WQ is enabled only when SVA is enabled for two reasons: ++ * - If no IOMMU or IOMMU Passthrough without SVA, userspace ++ * can directly access physical address through the WQ. ++ * - The IDXD cdev driver does not provide any ways to pin ++ * user pages and translate the address from user VA to IOVA or ++ * PA without IOMMU SVA. Therefore the application has no way ++ * to instruct the device to perform DMA function. This makes ++ * the cdev not usable for normal application usage. ++ */ ++ if (!device_user_pasid_enabled(idxd)) { ++ idxd->cmd_status = IDXD_SCMD_WQ_USER_NO_IOMMU; ++ dev_dbg(&idxd->pdev->dev, ++ "User type WQ cannot be enabled without SVA.\n"); ++ ++ return -EOPNOTSUPP; ++ } ++ + mutex_lock(&wq->wq_lock); + wq->type = IDXD_WQT_USER; + rc = drv_enable_wq(wq); +--- a/include/uapi/linux/idxd.h ++++ b/include/uapi/linux/idxd.h +@@ -29,6 +29,7 @@ enum idxd_scmd_stat { + IDXD_SCMD_WQ_NO_SIZE = 0x800e0000, + IDXD_SCMD_WQ_NO_PRIV = 0x800f0000, + IDXD_SCMD_WQ_IRQ_ERR = 0x80100000, ++ IDXD_SCMD_WQ_USER_NO_IOMMU = 0x80110000, + }; + + #define IDXD_SCMD_SOFTERR_MASK 0x80000000 diff --git a/queue-6.0/drm-amd-display-fix-reg-timeout-in-enc314_enable_fifo.patch b/queue-6.0/drm-amd-display-fix-reg-timeout-in-enc314_enable_fifo.patch new file mode 100644 index 00000000000..22b50471741 --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-reg-timeout-in-enc314_enable_fifo.patch @@ -0,0 +1,82 @@ +From ce62198d8b62734a985d22652e75a649be052390 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Thu, 27 Oct 2022 15:34:33 -0400 +Subject: drm/amd/display: Fix reg timeout in enc314_enable_fifo + +From: Nicholas Kazlauskas + +commit ce62198d8b62734a985d22652e75a649be052390 upstream. + +[Why] +The link enablement sequence can end up resetting the encoder while +the PHY symclk isn't yet on. + +This means that waiting for symclk on will timeout, along with the reset +bit never asserting high. + +This causes unnecessary delay when enabling the link and produces a +warning affecting multiple IGT tests. + +[How] +Don't wait for the symclk to be on here because firmware already does. + +Don't wait for reset if we know the symclk isn't on. + +Split the reset into a helper function that checks the bit and decides +whether or not a delay is sufficient. + +Reviewed-by: Roman Li +Acked-by: Alan Liu +Signed-off-by: Nicholas Kazlauskas +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.0.x +Signed-off-by: Greg Kroah-Hartman +--- + .../dc/dcn314/dcn314_dio_stream_encoder.c | 24 ++++++++++++++----- + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c +index 7e773bf7b895..38842f938bed 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_dio_stream_encoder.c +@@ -49,18 +49,30 @@ + #define CTX \ + enc1->base.ctx + ++static void enc314_reset_fifo(struct stream_encoder *enc, bool reset) ++{ ++ struct dcn10_stream_encoder *enc1 = DCN10STRENC_FROM_STRENC(enc); ++ uint32_t reset_val = reset ? 1 : 0; ++ uint32_t is_symclk_on; ++ ++ REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_RESET, reset_val); ++ REG_GET(DIG_FE_CNTL, DIG_SYMCLK_FE_ON, &is_symclk_on); ++ ++ if (is_symclk_on) ++ REG_WAIT(DIG_FIFO_CTRL0, DIG_FIFO_RESET_DONE, reset_val, 10, 5000); ++ else ++ udelay(10); ++} + + static void enc314_enable_fifo(struct stream_encoder *enc) + { + struct dcn10_stream_encoder *enc1 = DCN10STRENC_FROM_STRENC(enc); + +- /* TODO: Confirm if we need to wait for DIG_SYMCLK_FE_ON */ +- REG_WAIT(DIG_FE_CNTL, DIG_SYMCLK_FE_ON, 1, 10, 5000); + REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_READ_START_LEVEL, 0x7); +- REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_RESET, 1); +- REG_WAIT(DIG_FIFO_CTRL0, DIG_FIFO_RESET_DONE, 1, 10, 5000); +- REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_RESET, 0); +- REG_WAIT(DIG_FIFO_CTRL0, DIG_FIFO_RESET_DONE, 0, 10, 5000); ++ ++ enc314_reset_fifo(enc, true); ++ enc314_reset_fifo(enc, false); ++ + REG_UPDATE(DIG_FIFO_CTRL0, DIG_FIFO_ENABLE, 1); + } + +-- +2.38.1 + diff --git a/queue-6.0/drm-amd-display-update-sr-watermarks-for-dcn314.patch b/queue-6.0/drm-amd-display-update-sr-watermarks-for-dcn314.patch new file mode 100644 index 00000000000..0ddc3efacc5 --- /dev/null +++ b/queue-6.0/drm-amd-display-update-sr-watermarks-for-dcn314.patch @@ -0,0 +1,122 @@ +From 632d06985235d988c9d7e6eec8fa655be0761fd0 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Tue, 25 Oct 2022 11:26:04 -0400 +Subject: drm/amd/display: Update SR watermarks for DCN314 + +From: Nicholas Kazlauskas + +commit 632d06985235d988c9d7e6eec8fa655be0761fd0 upstream. + +[Why & How] +New values requested by hardware after fine-tuning. +Update for all memory types. + +Reviewed-by: Jun Lei +Acked-by: Alan Liu +Signed-off-by: Nicholas Kazlauskas +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.0.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c | 32 +++++----- + drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c | 4 - + 2 files changed, 18 insertions(+), 18 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c +@@ -356,32 +356,32 @@ static struct wm_table ddr5_wm_table = { + .wm_inst = WM_A, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 9, +- .sr_enter_plus_exit_time_us = 11, ++ .sr_exit_time_us = 12.5, ++ .sr_enter_plus_exit_time_us = 14.5, + .valid = true, + }, + { + .wm_inst = WM_B, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 9, +- .sr_enter_plus_exit_time_us = 11, ++ .sr_exit_time_us = 12.5, ++ .sr_enter_plus_exit_time_us = 14.5, + .valid = true, + }, + { + .wm_inst = WM_C, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 9, +- .sr_enter_plus_exit_time_us = 11, ++ .sr_exit_time_us = 12.5, ++ .sr_enter_plus_exit_time_us = 14.5, + .valid = true, + }, + { + .wm_inst = WM_D, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.72, +- .sr_exit_time_us = 9, +- .sr_enter_plus_exit_time_us = 11, ++ .sr_exit_time_us = 12.5, ++ .sr_enter_plus_exit_time_us = 14.5, + .valid = true, + }, + } +@@ -393,32 +393,32 @@ static struct wm_table lpddr5_wm_table = + .wm_inst = WM_A, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.65333, +- .sr_exit_time_us = 11.5, +- .sr_enter_plus_exit_time_us = 14.5, ++ .sr_exit_time_us = 16.5, ++ .sr_enter_plus_exit_time_us = 18.5, + .valid = true, + }, + { + .wm_inst = WM_B, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.65333, +- .sr_exit_time_us = 11.5, +- .sr_enter_plus_exit_time_us = 14.5, ++ .sr_exit_time_us = 16.5, ++ .sr_enter_plus_exit_time_us = 18.5, + .valid = true, + }, + { + .wm_inst = WM_C, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.65333, +- .sr_exit_time_us = 11.5, +- .sr_enter_plus_exit_time_us = 14.5, ++ .sr_exit_time_us = 16.5, ++ .sr_enter_plus_exit_time_us = 18.5, + .valid = true, + }, + { + .wm_inst = WM_D, + .wm_type = WM_TYPE_PSTATE_CHG, + .pstate_latency_us = 11.65333, +- .sr_exit_time_us = 11.5, +- .sr_enter_plus_exit_time_us = 14.5, ++ .sr_exit_time_us = 16.5, ++ .sr_enter_plus_exit_time_us = 18.5, + .valid = true, + }, + } +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn314/dcn314_fpu.c +@@ -146,8 +146,8 @@ struct _vcs_dpi_soc_bounding_box_st dcn3 + }, + }, + .num_states = 5, +- .sr_exit_time_us = 9.0, +- .sr_enter_plus_exit_time_us = 11.0, ++ .sr_exit_time_us = 16.5, ++ .sr_enter_plus_exit_time_us = 18.5, + .sr_exit_z8_time_us = 442.0, + .sr_enter_plus_exit_z8_time_us = 560.0, + .writeback_latency_us = 12.0, diff --git a/queue-6.0/drm-amd-pm-update-smu-ip-v13.0.4-msg-interface-header.patch b/queue-6.0/drm-amd-pm-update-smu-ip-v13.0.4-msg-interface-header.patch new file mode 100644 index 00000000000..dece69d162b --- /dev/null +++ b/queue-6.0/drm-amd-pm-update-smu-ip-v13.0.4-msg-interface-header.patch @@ -0,0 +1,70 @@ +From bc66c9ab162d2a633ee3eb864d7bc2369e79c1e4 Mon Sep 17 00:00:00 2001 +From: Tim Huang +Date: Thu, 3 Nov 2022 11:05:19 +0800 +Subject: drm/amd/pm: update SMU IP v13.0.4 msg interface header + +From: Tim Huang + +commit bc66c9ab162d2a633ee3eb864d7bc2369e79c1e4 upstream. + +Some of the unused messages that were used earlier in development have +been freed up as spare messages, no intended functional changes. + +Signed-off-by: Mario Limonciello +Signed-off-by: Tim Huang +Acked-by: Alex Deucher +Reviewed-by: Yifan Zhang +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.0.x +Signed-off-by: Greg Kroah-Hartman +--- + .../amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h +index d9b0cd752200..f4d6c07b56ea 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h ++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu_v13_0_4_ppsmc.h +@@ -54,14 +54,14 @@ + #define PPSMC_MSG_TestMessage 0x01 ///< To check if PMFW is alive and responding. Requirement specified by PMFW team + #define PPSMC_MSG_GetPmfwVersion 0x02 ///< Get PMFW version + #define PPSMC_MSG_GetDriverIfVersion 0x03 ///< Get PMFW_DRIVER_IF version +-#define PPSMC_MSG_EnableGfxOff 0x04 ///< Enable GFXOFF +-#define PPSMC_MSG_DisableGfxOff 0x05 ///< Disable GFXOFF ++#define PPSMC_MSG_SPARE0 0x04 ///< SPARE ++#define PPSMC_MSG_SPARE1 0x05 ///< SPARE + #define PPSMC_MSG_PowerDownVcn 0x06 ///< Power down VCN + #define PPSMC_MSG_PowerUpVcn 0x07 ///< Power up VCN; VCN is power gated by default + #define PPSMC_MSG_SetHardMinVcn 0x08 ///< For wireless display + #define PPSMC_MSG_SetSoftMinGfxclk 0x09 ///< Set SoftMin for GFXCLK, argument is frequency in MHz +-#define PPSMC_MSG_ActiveProcessNotify 0x0A ///< Needs update +-#define PPSMC_MSG_ForcePowerDownGfx 0x0B ///< Force power down GFX, i.e. enter GFXOFF ++#define PPSMC_MSG_SPARE2 0x0A ///< SPARE ++#define PPSMC_MSG_SPARE3 0x0B ///< SPARE + #define PPSMC_MSG_PrepareMp1ForUnload 0x0C ///< Prepare PMFW for GFX driver unload + #define PPSMC_MSG_SetDriverDramAddrHigh 0x0D ///< Set high 32 bits of DRAM address for Driver table transfer + #define PPSMC_MSG_SetDriverDramAddrLow 0x0E ///< Set low 32 bits of DRAM address for Driver table transfer +@@ -73,8 +73,7 @@ + #define PPSMC_MSG_SetSoftMinFclk 0x14 ///< Set hard min for FCLK + #define PPSMC_MSG_SetSoftMinVcn 0x15 ///< Set soft min for VCN clocks (VCLK and DCLK) + +- +-#define PPSMC_MSG_EnableGfxImu 0x16 ///< Needs update ++#define PPSMC_MSG_EnableGfxImu 0x16 ///< Enable GFX IMU + + #define PPSMC_MSG_GetGfxclkFrequency 0x17 ///< Get GFX clock frequency + #define PPSMC_MSG_GetFclkFrequency 0x18 ///< Get FCLK frequency +@@ -102,8 +101,8 @@ + #define PPSMC_MSG_SetHardMinIspxclkByFreq 0x2C ///< Set HardMin by frequency for ISPXCLK + #define PPSMC_MSG_PowerDownUmsch 0x2D ///< Power down VCN.UMSCH (aka VSCH) scheduler + #define PPSMC_MSG_PowerUpUmsch 0x2E ///< Power up VCN.UMSCH (aka VSCH) scheduler +-#define PPSMC_Message_IspStutterOn_MmhubPgDis 0x2F ///< ISP StutterOn mmHub PgDis +-#define PPSMC_Message_IspStutterOff_MmhubPgEn 0x30 ///< ISP StufferOff mmHub PgEn ++#define PPSMC_MSG_IspStutterOn_MmhubPgDis 0x2F ///< ISP StutterOn mmHub PgDis ++#define PPSMC_MSG_IspStutterOff_MmhubPgEn 0x30 ///< ISP StufferOff mmHub PgEn + + #define PPSMC_Message_Count 0x31 ///< Total number of PPSMC messages + /** @}*/ +-- +2.38.1 + diff --git a/queue-6.0/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch b/queue-6.0/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch new file mode 100644 index 00000000000..a88263982f3 --- /dev/null +++ b/queue-6.0/drm-amdgpu-disable-baco-on-special-beige_goby-card.patch @@ -0,0 +1,34 @@ +From 0c85c067c9d9d7a1b2cc2e01a236d5d0d4a872b5 Mon Sep 17 00:00:00 2001 +From: Guchun Chen +Date: Mon, 7 Nov 2022 16:46:59 +0800 +Subject: drm/amdgpu: disable BACO on special BEIGE_GOBY card + +From: Guchun Chen + +commit 0c85c067c9d9d7a1b2cc2e01a236d5d0d4a872b5 upstream. + +Still avoid intermittent failure. + +Signed-off-by: Guchun Chen +Reviewed-by: Lijo Lazar +Acked-by: Evan Quan +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +@@ -376,7 +376,9 @@ static void sienna_cichlid_check_bxco_su + if (((adev->pdev->device == 0x73A1) && + (adev->pdev->revision == 0x00)) || + ((adev->pdev->device == 0x73BF) && +- (adev->pdev->revision == 0xCF))) ++ (adev->pdev->revision == 0xCF)) || ++ ((adev->pdev->device == 0x7422) && ++ (adev->pdev->revision == 0x00))) + smu_baco->platform_support = false; + + } diff --git a/queue-6.0/drm-amdgpu-workaround-for-tlb-seq-race.patch b/queue-6.0/drm-amdgpu-workaround-for-tlb-seq-race.patch new file mode 100644 index 00000000000..893795a33e9 --- /dev/null +++ b/queue-6.0/drm-amdgpu-workaround-for-tlb-seq-race.patch @@ -0,0 +1,55 @@ +From 77c092e054262b594614bad5e5f47e57c5d29639 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Wed, 2 Nov 2022 14:55:13 +0100 +Subject: drm/amdgpu: workaround for TLB seq race +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit 77c092e054262b594614bad5e5f47e57c5d29639 upstream. + +It can happen that we query the sequence value before the callback +had a chance to run. + +Workaround that by grabbing the fence lock and releasing it again. +Should be replaced by hw handling soon. + +Signed-off-by: Christian König +CC: stable@vger.kernel.org # 5.19+ +Fixes: 5255e146c99a6 ("drm/amdgpu: rework TLB flushing") +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2113 +Acked-by: Alex Deucher +Acked-by: Philip Yang +Tested-by: Stefan Springer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h +@@ -485,6 +485,21 @@ void amdgpu_debugfs_vm_bo_info(struct am + */ + static inline uint64_t amdgpu_vm_tlb_seq(struct amdgpu_vm *vm) + { ++ unsigned long flags; ++ spinlock_t *lock; ++ ++ /* ++ * Workaround to stop racing between the fence signaling and handling ++ * the cb. The lock is static after initially setting it up, just make ++ * sure that the dma_fence structure isn't freed up. ++ */ ++ rcu_read_lock(); ++ lock = vm->last_tlb_flush->lock; ++ rcu_read_unlock(); ++ ++ spin_lock_irqsave(lock, flags); ++ spin_unlock_irqrestore(lock, flags); ++ + return atomic64_read(&vm->tlb_seq); + } + diff --git a/queue-6.0/drm-amdkfd-fix-error-handling-in-criu_checkpoint.patch b/queue-6.0/drm-amdkfd-fix-error-handling-in-criu_checkpoint.patch new file mode 100644 index 00000000000..f78fd760610 --- /dev/null +++ b/queue-6.0/drm-amdkfd-fix-error-handling-in-criu_checkpoint.patch @@ -0,0 +1,96 @@ +From b91c23e099f0b65d62159da13458c5eefa76083f Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Tue, 1 Nov 2022 15:02:48 -0400 +Subject: drm/amdkfd: Fix error handling in criu_checkpoint + +From: Felix Kuehling + +commit b91c23e099f0b65d62159da13458c5eefa76083f upstream. + +Checkpoint BOs last. That way we don't need to close dmabuf FDs if +something else fails later. This avoids problematic access to user mode +memory in the error handling code path. + +criu_checkpoint_bos has its own error handling and cleanup that does not +depend on access to user memory. + +In the private data, keep BOs before the remaining objects. This is +necessary to restore things in the correct order as restoring events +depends on the events-page BO being restored first. + +Fixes: be072b06c739 ("drm/amdkfd: CRIU export BOs as prime dmabuf objects") +Reported-by: Jann Horn +CC: Rajneesh Bhardwaj +Signed-off-by: Felix Kuehling +Reviewed-and-tested-by: Rajneesh Bhardwaj +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 34 +++++++++++++------------------ + 1 file changed, 15 insertions(+), 19 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -1928,7 +1928,7 @@ static int criu_checkpoint(struct file * + { + int ret; + uint32_t num_devices, num_bos, num_objects; +- uint64_t priv_size, priv_offset = 0; ++ uint64_t priv_size, priv_offset = 0, bo_priv_offset; + + if (!args->devices || !args->bos || !args->priv_data) + return -EINVAL; +@@ -1972,38 +1972,34 @@ static int criu_checkpoint(struct file * + if (ret) + goto exit_unlock; + +- ret = criu_checkpoint_bos(p, num_bos, (uint8_t __user *)args->bos, +- (uint8_t __user *)args->priv_data, &priv_offset); +- if (ret) +- goto exit_unlock; ++ /* Leave room for BOs in the private data. They need to be restored ++ * before events, but we checkpoint them last to simplify the error ++ * handling. ++ */ ++ bo_priv_offset = priv_offset; ++ priv_offset += num_bos * sizeof(struct kfd_criu_bo_priv_data); + + if (num_objects) { + ret = kfd_criu_checkpoint_queues(p, (uint8_t __user *)args->priv_data, + &priv_offset); + if (ret) +- goto close_bo_fds; ++ goto exit_unlock; + + ret = kfd_criu_checkpoint_events(p, (uint8_t __user *)args->priv_data, + &priv_offset); + if (ret) +- goto close_bo_fds; ++ goto exit_unlock; + + ret = kfd_criu_checkpoint_svm(p, (uint8_t __user *)args->priv_data, &priv_offset); + if (ret) +- goto close_bo_fds; ++ goto exit_unlock; + } + +-close_bo_fds: +- if (ret) { +- /* If IOCTL returns err, user assumes all FDs opened in criu_dump_bos are closed */ +- uint32_t i; +- struct kfd_criu_bo_bucket *bo_buckets = (struct kfd_criu_bo_bucket *) args->bos; +- +- for (i = 0; i < num_bos; i++) { +- if (bo_buckets[i].alloc_flags & KFD_IOC_ALLOC_MEM_FLAGS_VRAM) +- close_fd(bo_buckets[i].dmabuf_fd); +- } +- } ++ /* This must be the last thing in this function that can fail. ++ * Otherwise we leak dmabuf file descriptors. ++ */ ++ ret = criu_checkpoint_bos(p, num_bos, (uint8_t __user *)args->bos, ++ (uint8_t __user *)args->priv_data, &bo_priv_offset); + + exit_unlock: + mutex_unlock(&p->mutex); diff --git a/queue-6.0/drm-amdkfd-fix-error-handling-in-kfd_criu_restore_events.patch b/queue-6.0/drm-amdkfd-fix-error-handling-in-kfd_criu_restore_events.patch new file mode 100644 index 00000000000..8e6bd7df1bf --- /dev/null +++ b/queue-6.0/drm-amdkfd-fix-error-handling-in-kfd_criu_restore_events.patch @@ -0,0 +1,42 @@ +From 66f7903779fbbc620bf1040017e4833ef6a0b541 Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Thu, 3 Nov 2022 17:01:46 -0400 +Subject: drm/amdkfd: Fix error handling in kfd_criu_restore_events + +From: Felix Kuehling + +commit 66f7903779fbbc620bf1040017e4833ef6a0b541 upstream. + +mutex_unlock before the exit label because all the error code paths that +jump there didn't take that lock. This fixes unbalanced locking errors +in case of restore errors. + +Fixes: 40e8a766a761 ("drm/amdkfd: CRIU checkpoint and restore events") +Signed-off-by: Felix Kuehling +Reviewed-by: Rajneesh Bhardwaj +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_events.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c +@@ -506,6 +506,7 @@ int kfd_criu_restore_event(struct file * + ret = create_other_event(p, ev, &ev_priv->event_id); + break; + } ++ mutex_unlock(&p->event_mutex); + + exit: + if (ret) +@@ -513,8 +514,6 @@ exit: + + kfree(ev_priv); + +- mutex_unlock(&p->event_mutex); +- + return ret; + } + diff --git a/queue-6.0/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch b/queue-6.0/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch new file mode 100644 index 00000000000..a8aec832666 --- /dev/null +++ b/queue-6.0/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch @@ -0,0 +1,55 @@ +From f90daa975911961b65070ec72bd7dd8d448f9ef7 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Fri, 28 Oct 2022 16:50:26 +0100 +Subject: drm/i915/dmabuf: fix sg_table handling in map_dma_buf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit f90daa975911961b65070ec72bd7dd8d448f9ef7 upstream. + +We need to iterate over the original entries here for the sg_table, +pulling out the struct page for each one, to be remapped. However +currently this incorrectly iterates over the final dma mapped entries, +which is likely just one gigantic sg entry if the iommu is enabled, +leading to us only mapping the first struct page (and any physically +contiguous pages following it), even if there is potentially lots more +data to follow. + +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7306 +Fixes: 1286ff739773 ("i915: add dmabuf/prime buffer sharing support.") +Signed-off-by: Matthew Auld +Cc: Lionel Landwerlin +Cc: Tvrtko Ursulin +Cc: Ville Syrjälä +Cc: Michael J. Ruhl +Cc: # v3.5+ +Reviewed-by: Michael J. Ruhl +Link: https://patchwork.freedesktop.org/patch/msgid/20221028155029.494736-1-matthew.auld@intel.com +(cherry picked from commit 28d52f99bbca7227008cf580c9194c9b3516968e) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_dmabuf.c +@@ -40,13 +40,13 @@ static struct sg_table *i915_gem_map_dma + goto err; + } + +- ret = sg_alloc_table(st, obj->mm.pages->nents, GFP_KERNEL); ++ ret = sg_alloc_table(st, obj->mm.pages->orig_nents, GFP_KERNEL); + if (ret) + goto err_free; + + src = obj->mm.pages->sgl; + dst = st->sgl; +- for (i = 0; i < obj->mm.pages->nents; i++) { ++ for (i = 0; i < obj->mm.pages->orig_nents; i++) { + sg_set_page(dst, sg_page(src), src->length, 0); + dst = sg_next(dst); + src = sg_next(src); diff --git a/queue-6.0/io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch b/queue-6.0/io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch new file mode 100644 index 00000000000..489e9f96f94 --- /dev/null +++ b/queue-6.0/io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch @@ -0,0 +1,40 @@ +From 3851d25c75ed03117268a8feb34adca5a843a126 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 10 Nov 2022 10:50:55 -0700 +Subject: io_uring: check for rollover of buffer ID when providing buffers + +From: Jens Axboe + +commit 3851d25c75ed03117268a8feb34adca5a843a126 upstream. + +We already check if the chosen starting offset for the buffer IDs fit +within an unsigned short, as 65535 is the maximum value for a provided +buffer. But if the caller asks to add N buffers at offset M, and M + N +would exceed the size of the unsigned short, we simply add buffers with +wrapping around the ID. + +This is not necessarily a bug and could in fact be a valid use case, but +it seems confusing and inconsistent with the initial check for starting +offset. Let's check for wrap consistently, and error the addition if we +do need to wrap. + +Reported-by: Olivier Langlois +Link: https://github.com/axboe/liburing/issues/726 +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/kbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/io_uring/kbuf.c ++++ b/io_uring/kbuf.c +@@ -346,6 +346,8 @@ int io_provide_buffers_prep(struct io_ki + tmp = READ_ONCE(sqe->off); + if (tmp > USHRT_MAX) + return -E2BIG; ++ if (tmp + p->nbufs >= USHRT_MAX) ++ return -EINVAL; + p->bid = tmp; + return 0; + } diff --git a/queue-6.0/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch b/queue-6.0/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch new file mode 100644 index 00000000000..9b18eaefa3f --- /dev/null +++ b/queue-6.0/mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch @@ -0,0 +1,56 @@ +From 1de09a7281edecfdba19b3a07417f6d65243ab5f Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 7 Nov 2022 16:50:00 +0000 +Subject: mm/damon/dbgfs: check if rm_contexts input is for a real context + +From: SeongJae Park + +commit 1de09a7281edecfdba19b3a07417f6d65243ab5f upstream. + +A user could write a name of a file under 'damon/' debugfs directory, +which is not a user-created context, to 'rm_contexts' file. In the case, +'dbgfs_rm_context()' just assumes it's the valid DAMON context directory +only if a file of the name exist. As a result, invalid memory access +could happen as below. Fix the bug by checking if the given input is for +a directory. This check can filter out non-context inputs because +directories under 'damon/' debugfs directory can be created via only +'mk_contexts' file. + +This bug has found by syzbot[1]. + +[1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@google.com/ + +Link: https://lkml.kernel.org/r/20221107165001.5717-2-sj@kernel.org +Fixes: 75c1c2b53c78 ("mm/damon/dbgfs: support multiple contexts") +Signed-off-by: SeongJae Park +Reported-by: syzbot+6087eafb76a94c4ac9eb@syzkaller.appspotmail.com +Cc: [5.15.x] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/dbgfs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/mm/damon/dbgfs.c ++++ b/mm/damon/dbgfs.c +@@ -882,6 +882,7 @@ out: + static int dbgfs_rm_context(char *name) + { + struct dentry *root, *dir, **new_dirs; ++ struct inode *inode; + struct damon_ctx **new_ctxs; + int i, j; + int ret = 0; +@@ -897,6 +898,12 @@ static int dbgfs_rm_context(char *name) + if (!dir) + return -ENOENT; + ++ inode = d_inode(dir); ++ if (!S_ISDIR(inode->i_mode)) { ++ ret = -EINVAL; ++ goto out_dput; ++ } ++ + new_dirs = kmalloc_array(dbgfs_nr_ctxs - 1, sizeof(*dbgfs_dirs), + GFP_KERNEL); + if (!new_dirs) { diff --git a/queue-6.0/mm-hugetlb_vmemmap-include-missing-linux-moduleparam.h.patch b/queue-6.0/mm-hugetlb_vmemmap-include-missing-linux-moduleparam.h.patch new file mode 100644 index 00000000000..e5a39877238 --- /dev/null +++ b/queue-6.0/mm-hugetlb_vmemmap-include-missing-linux-moduleparam.h.patch @@ -0,0 +1,40 @@ +From db5e8d84319bcdb51e1d3cfa42b410291d6d1cfa Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Wed, 2 Nov 2022 19:09:17 +0100 +Subject: mm: hugetlb_vmemmap: include missing linux/moduleparam.h + +From: Vasily Gorbik + +commit db5e8d84319bcdb51e1d3cfa42b410291d6d1cfa upstream. + +The kernel test robot reported build failures with a 'randconfig' on s390: +>> mm/hugetlb_vmemmap.c:421:11: error: a function declaration without a +prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] + core_param(hugetlb_free_vmemmap, vmemmap_optimize_enabled, bool, 0); + ^ + +Link: https://lore.kernel.org/linux-mm/202210300751.rG3UDsuc-lkp@intel.com/ +Link: https://lkml.kernel.org/r/patch.git-296b83ca939b.your-ad-here.call-01667411912-ext-5073@work.hours +Fixes: 30152245c63b ("mm: hugetlb_vmemmap: replace early_param() with core_param()") +Signed-off-by: Vasily Gorbik +Reported-by: kernel test robot +Reviewed-by: Muchun Song +Cc: Gerald Schaefer +Cc: Mike Kravetz +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb_vmemmap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/hugetlb_vmemmap.c ++++ b/mm/hugetlb_vmemmap.c +@@ -11,6 +11,7 @@ + #define pr_fmt(fmt) "HugeTLB: " fmt + + #include ++#include + #include + #include + #include diff --git a/queue-6.0/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch b/queue-6.0/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch new file mode 100644 index 00000000000..afe1c3ac7d2 --- /dev/null +++ b/queue-6.0/mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch @@ -0,0 +1,39 @@ +From 867400af90f1f953ff9e10b1b87ecaf9369a7eb8 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Wed, 2 Nov 2022 11:07:28 -0500 +Subject: mm/memremap.c: map FS_DAX device memory as decrypted + +From: Pankaj Gupta + +commit 867400af90f1f953ff9e10b1b87ecaf9369a7eb8 upstream. + +virtio_pmem use devm_memremap_pages() to map the device memory. By +default this memory is mapped as encrypted with SEV. Guest reboot changes +the current encryption key and guest no longer properly decrypts the FSDAX +device meta data. + +Mark the corresponding device memory region for FSDAX devices (mapped with +memremap_pages) as decrypted to retain the persistent memory property. + +Link: https://lkml.kernel.org/r/20221102160728.3184016-1-pankaj.gupta@amd.com +Fixes: b7b3c01b19159 ("mm/memremap_pages: support multiple ranges per invocation") +Signed-off-by: Pankaj Gupta +Cc: Dan Williams +Cc: Tom Lendacky +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memremap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/memremap.c ++++ b/mm/memremap.c +@@ -330,6 +330,7 @@ void *memremap_pages(struct dev_pagemap + WARN(1, "File system DAX not supported\n"); + return ERR_PTR(-EINVAL); + } ++ params.pgprot = pgprot_decrypted(params.pgprot); + break; + case MEMORY_DEVICE_GENERIC: + break; diff --git a/queue-6.0/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch b/queue-6.0/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch new file mode 100644 index 00000000000..3fcd4b68de9 --- /dev/null +++ b/queue-6.0/mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch @@ -0,0 +1,49 @@ +From 93b0d9178743a68723babe8448981f658aebc58e Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 2 Nov 2022 14:41:52 -0400 +Subject: mm/shmem: use page_mapping() to detect page cache for uffd continue + +From: Peter Xu + +commit 93b0d9178743a68723babe8448981f658aebc58e upstream. + +mfill_atomic_install_pte() checks page->mapping to detect whether one page +is used in the page cache. However as pointed out by Matthew, the page +can logically be a tail page rather than always the head in the case of +uffd minor mode with UFFDIO_CONTINUE. It means we could wrongly install +one pte with shmem thp tail page assuming it's an anonymous page. + +It's not that clear even for anonymous page, since normally anonymous +pages also have page->mapping being setup with the anon vma. It's safe +here only because the only such caller to mfill_atomic_install_pte() is +always passing in a newly allocated page (mcopy_atomic_pte()), whose +page->mapping is not yet setup. However that's not extremely obvious +either. + +For either of above, use page_mapping() instead. + +Link: https://lkml.kernel.org/r/Y2K+y7wnhC4vbnP2@x1n +Fixes: 153132571f02 ("userfaultfd/shmem: support UFFDIO_CONTINUE for shmem") +Signed-off-by: Peter Xu +Reported-by: Matthew Wilcox +Cc: Andrea Arcangeli +Cc: Hugh Dickins +Cc: Axel Rasmussen +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/userfaultfd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -64,7 +64,7 @@ int mfill_atomic_install_pte(struct mm_s + pte_t _dst_pte, *dst_pte; + bool writable = dst_vma->vm_flags & VM_WRITE; + bool vm_shared = dst_vma->vm_flags & VM_SHARED; +- bool page_in_cache = page->mapping; ++ bool page_in_cache = page_mapping(page); + spinlock_t *ptl; + struct inode *inode; + pgoff_t offset, max_off; diff --git a/queue-6.0/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch b/queue-6.0/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch new file mode 100644 index 00000000000..7ac303e9a6d --- /dev/null +++ b/queue-6.0/mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch @@ -0,0 +1,60 @@ +From fb1dec44c6750bb414f47b929c8c175a1a127c31 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 26 Oct 2022 12:42:06 -0700 +Subject: mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI + +From: Brian Norris + +commit fb1dec44c6750bb414f47b929c8c175a1a127c31 upstream. + +[[ NOTE: this is completely untested by the author, but included solely + because, as noted in commit df57d73276b8 ("mmc: sdhci-pci: Fix + SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers"), "other + drivers using CQHCI might benefit from a similar change, if they + also have CQHCI reset by SDHCI_RESET_ALL." We've now seen the same + bug on at least MSM, Arasan, and Intel hardware. ]] + +SDHCI_RESET_ALL resets will reset the hardware CQE state, but we aren't +tracking that properly in software. When out of sync, we may trigger +various timeouts. + +It's not typical to perform resets while CQE is enabled, but this may +occur in some suspend or error recovery scenarios. + +Include this fix by way of the new sdhci_and_cqhci_reset() helper. + +This patch depends on (and should not compile without) the patch +entitled "mmc: cqhci: Provide helper for resetting both SDHCI and +CQHCI". + +Fixes: bb6e358169bf ("mmc: sdhci-esdhc-imx: add CMDQ support") +Signed-off-by: Brian Norris +Reviewed-by: Haibo Chen +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221026124150.v4.4.I7d01f9ad11bacdc9213dee61b7918982aea39115@changeid +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include "sdhci-cqhci.h" + #include "sdhci-pltfm.h" + #include "sdhci-esdhc.h" + #include "cqhci.h" +@@ -1288,7 +1289,7 @@ static void esdhc_set_uhs_signaling(stru + + static void esdhc_reset(struct sdhci_host *host, u8 mask) + { +- sdhci_reset(host, mask); ++ sdhci_and_cqhci_reset(host, mask); + + sdhci_writel(host, host->ier, SDHCI_INT_ENABLE); + sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE); diff --git a/queue-6.0/net-ethernet-ti-am65-cpsw-fix-segmentation-fault-at-module-unload.patch b/queue-6.0/net-ethernet-ti-am65-cpsw-fix-segmentation-fault-at-module-unload.patch new file mode 100644 index 00000000000..37bac679747 --- /dev/null +++ b/queue-6.0/net-ethernet-ti-am65-cpsw-fix-segmentation-fault-at-module-unload.patch @@ -0,0 +1,82 @@ +From 1a0c016a4831ea29be09bbc8162d4a2a0690b4b8 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Wed, 2 Nov 2022 12:31:44 +0200 +Subject: net: ethernet: ti: am65-cpsw: Fix segmentation fault at module unload + +From: Roger Quadros + +commit 1a0c016a4831ea29be09bbc8162d4a2a0690b4b8 upstream. + +Move am65_cpsw_nuss_phylink_cleanup() call to after +am65_cpsw_nuss_cleanup_ndev() so phylink is still valid +to prevent the below Segmentation fault on module remove when +first slave link is up. + +[ 31.652944] Unable to handle kernel paging request at virtual address 00040008000005f4 +[ 31.684627] Mem abort info: +[ 31.687446] ESR = 0x0000000096000004 +[ 31.704614] EC = 0x25: DABT (current EL), IL = 32 bits +[ 31.720663] SET = 0, FnV = 0 +[ 31.723729] EA = 0, S1PTW = 0 +[ 31.740617] FSC = 0x04: level 0 translation fault +[ 31.756624] Data abort info: +[ 31.759508] ISV = 0, ISS = 0x00000004 +[ 31.776705] CM = 0, WnR = 0 +[ 31.779695] [00040008000005f4] address between user and kernel address ranges +[ 31.808644] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +[ 31.814928] Modules linked in: wlcore_sdio wl18xx wlcore mac80211 libarc4 cfg80211 rfkill crct10dif_ce phy_gmii_sel ti_am65_cpsw_nuss(-) sch_fq_codel ipv6 +[ 31.828776] CPU: 0 PID: 1026 Comm: modprobe Not tainted 6.1.0-rc2-00012-gfabfcf7dafdb-dirty #160 +[ 31.837547] Hardware name: Texas Instruments AM625 (DT) +[ 31.842760] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 31.849709] pc : phy_stop+0x18/0xf8 +[ 31.853202] lr : phylink_stop+0x38/0xf8 +[ 31.857031] sp : ffff80000a0839f0 +[ 31.860335] x29: ffff80000a0839f0 x28: ffff000000de1c80 x27: 0000000000000000 +[ 31.867462] x26: 0000000000000000 x25: 0000000000000000 x24: ffff80000a083b98 +[ 31.874589] x23: 0000000000000800 x22: 0000000000000001 x21: ffff000001bfba90 +[ 31.881715] x20: ffff0000015ee000 x19: 0004000800000200 x18: 0000000000000000 +[ 31.888842] x17: ffff800076c45000 x16: ffff800008004000 x15: 000058e39660b106 +[ 31.895969] x14: 0000000000000144 x13: 0000000000000144 x12: 0000000000000000 +[ 31.903095] x11: 000000000000275f x10: 00000000000009e0 x9 : ffff80000a0837d0 +[ 31.910222] x8 : ffff000000de26c0 x7 : ffff00007fbd6540 x6 : ffff00007fbd64c0 +[ 31.917349] x5 : ffff00007fbd0b10 x4 : ffff00007fbd0b10 x3 : ffff00007fbd3920 +[ 31.924476] x2 : d0a07fcff8b8d500 x1 : 0000000000000000 x0 : 0004000800000200 +[ 31.931603] Call trace: +[ 31.934042] phy_stop+0x18/0xf8 +[ 31.937177] phylink_stop+0x38/0xf8 +[ 31.940657] am65_cpsw_nuss_ndo_slave_stop+0x28/0x1e0 [ti_am65_cpsw_nuss] +[ 31.947452] __dev_close_many+0xa4/0x140 +[ 31.951371] dev_close_many+0x84/0x128 +[ 31.955115] unregister_netdevice_many+0x130/0x6d0 +[ 31.959897] unregister_netdevice_queue+0x94/0xd8 +[ 31.964591] unregister_netdev+0x24/0x38 +[ 31.968504] am65_cpsw_nuss_cleanup_ndev.isra.0+0x48/0x70 [ti_am65_cpsw_nuss] +[ 31.975637] am65_cpsw_nuss_remove+0x58/0xf8 [ti_am65_cpsw_nuss] + +Cc: # v5.18+ +Fixes: e8609e69470f ("net: ethernet: ti: am65-cpsw: Convert to PHYLINK") +Signed-off-by: Roger Quadros +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -2791,7 +2791,6 @@ static int am65_cpsw_nuss_remove(struct + if (ret < 0) + return ret; + +- am65_cpsw_nuss_phylink_cleanup(common); + am65_cpsw_unregister_devlink(common); + am65_cpsw_unregister_notifiers(common); + +@@ -2799,6 +2798,7 @@ static int am65_cpsw_nuss_remove(struct + * dma_deconfigure(dev) before devres_release_all(dev) + */ + am65_cpsw_nuss_cleanup_ndev(common); ++ am65_cpsw_nuss_phylink_cleanup(common); + + of_platform_device_destroy(common->mdio_dev, NULL); + diff --git a/queue-6.0/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch b/queue-6.0/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch new file mode 100644 index 00000000000..bd7875d1523 --- /dev/null +++ b/queue-6.0/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch @@ -0,0 +1,81 @@ +From 8ac932a4921a96ca52f61935dbba64ea87bbd5dc Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 29 Oct 2022 13:49:12 +0900 +Subject: nilfs2: fix deadlock in nilfs_count_free_blocks() + +From: Ryusuke Konishi + +commit 8ac932a4921a96ca52f61935dbba64ea87bbd5dc upstream. + +A semaphore deadlock can occur if nilfs_get_block() detects metadata +corruption while locating data blocks and a superblock writeback occurs at +the same time: + +task 1 task 2 +------ ------ +* A file operation * +nilfs_truncate() + nilfs_get_block() + down_read(rwsem A) <-- + nilfs_bmap_lookup_contig() + ... generic_shutdown_super() + nilfs_put_super() + * Prepare to write superblock * + down_write(rwsem B) <-- + nilfs_cleanup_super() + * Detect b-tree corruption * nilfs_set_log_cursor() + nilfs_bmap_convert_error() nilfs_count_free_blocks() + __nilfs_error() down_read(rwsem A) <-- + nilfs_set_error() + down_write(rwsem B) <-- + + *** DEADLOCK *** + +Here, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem) +and then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata +corruption, __nilfs_error() is called from nilfs_bmap_convert_error() +inside the lock section. + +Since __nilfs_error() calls nilfs_set_error() unless the filesystem is +read-only and nilfs_set_error() attempts to writelock rwsem B (= +nilfs->ns_sem) to write back superblock exclusively, hierarchical lock +acquisition occurs in the order rwsem A -> rwsem B. + +Now, if another task starts updating the superblock, it may writelock +rwsem B during the lock sequence above, and can deadlock trying to +readlock rwsem A in nilfs_count_free_blocks(). + +However, there is actually no need to take rwsem A in +nilfs_count_free_blocks() because it, within the lock section, only reads +a single integer data on a shared struct with +nilfs_sufile_get_ncleansegs(). This has been the case after commit +aa474a220180 ("nilfs2: add local variable to cache the number of clean +segments"), that is, even before this bug was introduced. + +So, this resolves the deadlock problem by just not taking the semaphore in +nilfs_count_free_blocks(). + +Link: https://lkml.kernel.org/r/20221029044912.9139-1-konishi.ryusuke@gmail.com +Fixes: e828949e5b42 ("nilfs2: call nilfs_error inside bmap routines") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+45d6ce7b7ad7ef455d03@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Cc: [2.6.38+ +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/the_nilfs.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -690,9 +690,7 @@ int nilfs_count_free_blocks(struct the_n + { + unsigned long ncleansegs; + +- down_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem); + ncleansegs = nilfs_sufile_get_ncleansegs(nilfs->ns_sufile); +- up_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem); + *nblocks = (sector_t)ncleansegs * nilfs->ns_blocks_per_segment; + return 0; + } diff --git a/queue-6.0/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch b/queue-6.0/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch new file mode 100644 index 00000000000..b2a2e524f32 --- /dev/null +++ b/queue-6.0/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch @@ -0,0 +1,118 @@ +From 8cccf05fe857a18ee26e20d11a8455a73ffd4efd Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 4 Nov 2022 23:29:59 +0900 +Subject: nilfs2: fix use-after-free bug of ns_writer on remount + +From: Ryusuke Konishi + +commit 8cccf05fe857a18ee26e20d11a8455a73ffd4efd upstream. + +If a nilfs2 filesystem is downgraded to read-only due to metadata +corruption on disk and is remounted read/write, or if emergency read-only +remount is performed, detaching a log writer and synchronizing the +filesystem can be done at the same time. + +In these cases, use-after-free of the log writer (hereinafter +nilfs->ns_writer) can happen as shown in the scenario below: + + Task1 Task2 + -------------------------------- ------------------------------ + nilfs_construct_segment + nilfs_segctor_sync + init_wait + init_waitqueue_entry + add_wait_queue + schedule + nilfs_remount (R/W remount case) + nilfs_attach_log_writer + nilfs_detach_log_writer + nilfs_segctor_destroy + kfree + finish_wait + _raw_spin_lock_irqsave + __raw_spin_lock_irqsave + do_raw_spin_lock + debug_spin_lock_before <-- use-after-free + +While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 +waked up, Task1 accesses nilfs->ns_writer which is already freed. This +scenario diagram is based on the Shigeru Yoshida's post [1]. + +This patch fixes the issue by not detaching nilfs->ns_writer on remount so +that this UAF race doesn't happen. Along with this change, this patch +also inserts a few necessary read-only checks with superblock instance +where only the ns_writer pointer was used to check if the filesystem is +read-only. + +Link: https://syzkaller.appspot.com/bug?id=79a4c002e960419ca173d55e863bd09e8112df8b +Link: https://lkml.kernel.org/r/20221103141759.1836312-1-syoshida@redhat.com [1] +Link: https://lkml.kernel.org/r/20221104142959.28296-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+f816fa82f8783f7a02bb@syzkaller.appspotmail.com +Reported-by: Shigeru Yoshida +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/segment.c | 15 ++++++++------- + fs/nilfs2/super.c | 2 -- + 2 files changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -317,7 +317,7 @@ void nilfs_relax_pressure_in_lock(struct + struct the_nilfs *nilfs = sb->s_fs_info; + struct nilfs_sc_info *sci = nilfs->ns_writer; + +- if (!sci || !sci->sc_flush_request) ++ if (sb_rdonly(sb) || unlikely(!sci) || !sci->sc_flush_request) + return; + + set_bit(NILFS_SC_PRIOR_FLUSH, &sci->sc_flags); +@@ -2243,7 +2243,7 @@ int nilfs_construct_segment(struct super + struct nilfs_transaction_info *ti; + int err; + +- if (!sci) ++ if (sb_rdonly(sb) || unlikely(!sci)) + return -EROFS; + + /* A call inside transactions causes a deadlock. */ +@@ -2282,7 +2282,7 @@ int nilfs_construct_dsync_segment(struct + struct nilfs_transaction_info ti; + int err = 0; + +- if (!sci) ++ if (sb_rdonly(sb) || unlikely(!sci)) + return -EROFS; + + nilfs_transaction_lock(sb, &ti, 0); +@@ -2778,11 +2778,12 @@ int nilfs_attach_log_writer(struct super + + if (nilfs->ns_writer) { + /* +- * This happens if the filesystem was remounted +- * read/write after nilfs_error degenerated it into a +- * read-only mount. ++ * This happens if the filesystem is made read-only by ++ * __nilfs_error or nilfs_remount and then remounted ++ * read/write. In these cases, reuse the existing ++ * writer. + */ +- nilfs_detach_log_writer(sb); ++ return 0; + } + + nilfs->ns_writer = nilfs_segctor_new(sb, root); +--- a/fs/nilfs2/super.c ++++ b/fs/nilfs2/super.c +@@ -1133,8 +1133,6 @@ static int nilfs_remount(struct super_bl + if ((bool)(*flags & SB_RDONLY) == sb_rdonly(sb)) + goto out; + if (*flags & SB_RDONLY) { +- /* Shutting down log writer */ +- nilfs_detach_log_writer(sb); + sb->s_flags |= SB_RDONLY; + + /* diff --git a/queue-6.0/phy-qcom-qmp-combo-fix-null-deref-on-runtime-resume.patch b/queue-6.0/phy-qcom-qmp-combo-fix-null-deref-on-runtime-resume.patch new file mode 100644 index 00000000000..b5c95f030b1 --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-combo-fix-null-deref-on-runtime-resume.patch @@ -0,0 +1,41 @@ +From 04948e757148f870a31f4887ea2239403f516c3c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 26 Oct 2022 18:21:16 +0200 +Subject: phy: qcom-qmp-combo: fix NULL-deref on runtime resume + +From: Johan Hovold + +commit 04948e757148f870a31f4887ea2239403f516c3c upstream. + +Commit fc64623637da ("phy: qcom-qmp-combo,usb: add support for separate +PCS_USB region") started treating the PCS_USB registers as potentially +separate from the PCS registers but used the wrong base when no PCS_USB +offset has been provided. + +Fix the PCS_USB base used at runtime resume to prevent dereferencing a +NULL pointer on platforms that do not provide a PCS_USB offset (e.g. +SC7180). + +Fixes: fc64623637da ("phy: qcom-qmp-combo,usb: add support for separate PCS_USB region") +Cc: stable@vger.kernel.org # 5.20 +Signed-off-by: Johan Hovold +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Andrew Halaney +Link: https://lore.kernel.org/r/20221026162116.26462-1-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +@@ -1914,7 +1914,7 @@ static void qcom_qmp_phy_combo_enable_au + static void qcom_qmp_phy_combo_disable_autonomous_mode(struct qmp_phy *qphy) + { + const struct qmp_phy_cfg *cfg = qphy->cfg; +- void __iomem *pcs_usb = qphy->pcs_usb ?: qphy->pcs_usb; ++ void __iomem *pcs_usb = qphy->pcs_usb ?: qphy->pcs; + void __iomem *pcs_misc = qphy->pcs_misc; + + /* Disable i/o clamp_n on resume for normal mode */ diff --git a/queue-6.0/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch b/queue-6.0/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch new file mode 100644 index 00000000000..e1a4fe0c047 --- /dev/null +++ b/queue-6.0/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch @@ -0,0 +1,61 @@ +From 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a Mon Sep 17 00:00:00 2001 +From: Jorge Lopez +Date: Fri, 28 Oct 2022 10:55:27 -0500 +Subject: platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi + +From: Jorge Lopez + +commit 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a upstream. + +After upgrading BIOS to U82 01.02.01 Rev.A, the console is flooded +strange char "^@" which printed out every second and makes login +nearly impossible. Also the below messages were shown both in console +and journal/dmesg every second: + +usb 1-3: Device not responding to setup address. +usb 1-3: device not accepting address 4, error -71 +usb 1-3: device descriptor read/all, error -71 +usb usb1-port3: unable to enumerate USB device + +Wifi is soft blocked by checking rfkill. When unblocked manually, +after few seconds it would be soft blocked again. So I was suspecting +something triggered rfkill to soft block wifi. At the end it was +fixed by removing hp_wmi module. + +The root cause is the way hp-wmi driver handles command 1B on +post-2009 BIOS. In pre-2009 BIOS, command 1Bh return 0x4 to indicate +that BIOS no longer controls the power for the wireless devices. + +Signed-off-by: Jorge Lopez +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216468 +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20221028155527.7724-1-jorge.lopez2@hp.com +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/hp-wmi.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -1298,8 +1298,16 @@ static int __init hp_wmi_bios_setup(stru + wwan_rfkill = NULL; + rfkill2_count = 0; + +- if (hp_wmi_rfkill_setup(device)) +- hp_wmi_rfkill2_setup(device); ++ /* ++ * In pre-2009 BIOS, command 1Bh return 0x4 to indicate that ++ * BIOS no longer controls the power for the wireless ++ * devices. All features supported by this command will no ++ * longer be supported. ++ */ ++ if (!hp_wmi_bios_2009_later()) { ++ if (hp_wmi_rfkill_setup(device)) ++ hp_wmi_rfkill2_setup(device); ++ } + + err = hp_wmi_hwmon_init(); + diff --git a/queue-6.0/series b/queue-6.0/series index 69eb1dff87c..06cddd39ec7 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -129,3 +129,36 @@ alsa-hda-realtek-add-positivo-c6300-model-quirk.patch alsa-usb-audio-yet-more-regression-for-for-the-delayed-card-registration.patch alsa-usb-audio-add-quirk-entry-for-m-audio-micro.patch alsa-usb-audio-add-dsd-support-for-accuphase-dac-60.patch +vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch +ata-libata-scsi-fix-synchronize-cache-16-command-failure.patch +nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch +nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch +drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch +drm-amd-display-fix-reg-timeout-in-enc314_enable_fifo.patch +drm-amd-pm-update-smu-ip-v13.0.4-msg-interface-header.patch +drm-amd-display-update-sr-watermarks-for-dcn314.patch +drm-amdgpu-workaround-for-tlb-seq-race.patch +drm-amdgpu-disable-baco-on-special-beige_goby-card.patch +drm-amdkfd-fix-error-handling-in-criu_checkpoint.patch +drm-amdkfd-fix-error-handling-in-kfd_criu_restore_events.patch +platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch +wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch +btrfs-fix-match-incorrectly-in-dev_args_match_device.patch +btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch +btrfs-zoned-clone-zoned-device-info-when-cloning-a-device.patch +btrfs-zoned-initialize-device-s-zone-info-for-seeding.patch +io_uring-check-for-rollover-of-buffer-id-when-providing-buffers.patch +phy-qcom-qmp-combo-fix-null-deref-on-runtime-resume.patch +net-ethernet-ti-am65-cpsw-fix-segmentation-fault-at-module-unload.patch +mms-sdhci-esdhc-imx-fix-sdhci_reset_all-for-cqhci.patch +udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch +spi-intel-use-correct-mask-for-flash-and-protected-regions.patch +arch-x86-mm-hugetlbpage.c-pud_huge-returns-0-when-using-2-level-paging.patch +mm-hugetlb_vmemmap-include-missing-linux-moduleparam.h.patch +dmaengine-idxd-do-not-enable-user-type-work-queue-without-shared-virtual-addressing.patch +mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch +mm-memremap.c-map-fs_dax-device-memory-as-decrypted.patch +mm-shmem-use-page_mapping-to-detect-page-cache-for-uffd-continue.patch +can-j1939-j1939_send_one-fix-missing-can-header-initialization.patch +can-isotp-fix-tx-state-handling-for-echo-tx-processing.patch +can-rcar_canfd-add-missing-ecc-error-checks-for-channels-2-7.patch diff --git a/queue-6.0/spi-intel-use-correct-mask-for-flash-and-protected-regions.patch b/queue-6.0/spi-intel-use-correct-mask-for-flash-and-protected-regions.patch new file mode 100644 index 00000000000..71afcee2098 --- /dev/null +++ b/queue-6.0/spi-intel-use-correct-mask-for-flash-and-protected-regions.patch @@ -0,0 +1,45 @@ +From 92a66cbf6b30eda5719fbdfb24cd15fb341bba32 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Tue, 25 Oct 2022 09:28:00 +0300 +Subject: spi: intel: Use correct mask for flash and protected regions + +From: Mika Westerberg + +commit 92a66cbf6b30eda5719fbdfb24cd15fb341bba32 upstream. + +The flash and protected region mask is actually 0x7fff (30:16 and 14:0) +and not 0x3fff so fix this accordingly. While there use GENMASK() instead. + +Cc: stable@vger.kernel.org +Signed-off-by: Mika Westerberg +Link: https://lore.kernel.org/r/20221025062800.22357-1-mika.westerberg@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-intel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-intel.c ++++ b/drivers/spi/spi-intel.c +@@ -52,17 +52,17 @@ + #define FRACC 0x50 + + #define FREG(n) (0x54 + ((n) * 4)) +-#define FREG_BASE_MASK 0x3fff ++#define FREG_BASE_MASK GENMASK(14, 0) + #define FREG_LIMIT_SHIFT 16 +-#define FREG_LIMIT_MASK (0x03fff << FREG_LIMIT_SHIFT) ++#define FREG_LIMIT_MASK GENMASK(30, 16) + + /* Offset is from @ispi->pregs */ + #define PR(n) ((n) * 4) + #define PR_WPE BIT(31) + #define PR_LIMIT_SHIFT 16 +-#define PR_LIMIT_MASK (0x3fff << PR_LIMIT_SHIFT) ++#define PR_LIMIT_MASK GENMASK(30, 16) + #define PR_RPE BIT(15) +-#define PR_BASE_MASK 0x3fff ++#define PR_BASE_MASK GENMASK(14, 0) + + /* Offsets are from @ispi->sregs */ + #define SSFSTS_CTL 0x00 diff --git a/queue-6.0/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch b/queue-6.0/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch new file mode 100644 index 00000000000..f02c1706b1d --- /dev/null +++ b/queue-6.0/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch @@ -0,0 +1,135 @@ +From c8af247de385ce49afabc3bf1cf4fd455c94bfe8 Mon Sep 17 00:00:00 2001 +From: ZhangPeng +Date: Wed, 9 Nov 2022 01:35:42 +0000 +Subject: udf: Fix a slab-out-of-bounds write bug in udf_find_entry() + +From: ZhangPeng + +commit c8af247de385ce49afabc3bf1cf4fd455c94bfe8 upstream. + +Syzbot reported a slab-out-of-bounds Write bug: + +loop0: detected capacity change from 0 to 2048 +================================================================== +BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0 +fs/udf/namei.c:253 +Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610 + +CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted +6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS +Google 10/11/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report+0xcd/0x100 mm/kasan/report.c:495 + kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 + memcpy+0x3c/0x60 mm/kasan/shadow.c:66 + udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253 + udf_lookup+0xef/0x340 fs/udf/namei.c:309 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7ffab0d164d9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9 +RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180 +RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000 +R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 3610: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 + kmalloc include/linux/slab.h:576 [inline] + udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243 + udf_lookup+0xef/0x340 fs/udf/namei.c:309 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The buggy address belongs to the object at ffff8880123ff800 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 150 bytes inside of + 256-byte region [ffff8880123ff800, ffff8880123ff900) + +The buggy address belongs to the physical page: +page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 pfn:0x123fe +head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40 +raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), +pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0 + create_dummy_stack mm/page_owner.c:67 [inline] + register_early_stack+0x77/0xd0 mm/page_owner.c:83 + init_page_owner+0x3a/0x731 mm/page_owner.c:93 + kernel_init_freeable+0x41c/0x5d5 init/main.c:1629 + kernel_init+0x19/0x2b0 init/main.c:1519 +page_owner free stack trace missing + +Memory state around the buggy address: + ffff8880123ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8880123ff800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880123ff880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 + ^ + ffff8880123ff900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8880123ff980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fix this by changing the memory size allocated for copy_name from +UDF_NAME_LEN(254) to UDF_NAME_LEN_CS0(255), because the total length +(lfi) of subsequent memcpy can be up to 255. + +CC: stable@vger.kernel.org +Reported-by: syzbot+69c9fdccc6dd08961d34@syzkaller.appspotmail.com +Fixes: 066b9cded00b ("udf: Use separate buffer for copying split names") +Signed-off-by: ZhangPeng +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20221109013542.442790-1-zhangpeng362@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -240,7 +240,7 @@ static struct fileIdentDesc *udf_find_en + poffset - lfi); + else { + if (!copy_name) { +- copy_name = kmalloc(UDF_NAME_LEN, ++ copy_name = kmalloc(UDF_NAME_LEN_CS0, + GFP_NOFS); + if (!copy_name) { + fi = ERR_PTR(-ENOMEM); diff --git a/queue-6.0/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch b/queue-6.0/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch new file mode 100644 index 00000000000..6e407f61b3c --- /dev/null +++ b/queue-6.0/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch @@ -0,0 +1,52 @@ +From 000f8870a47bdc36730357883b6aef42bced91ee Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 8 Nov 2022 10:49:34 -0700 +Subject: vmlinux.lds.h: Fix placement of '.data..decrypted' section + +From: Nathan Chancellor + +commit 000f8870a47bdc36730357883b6aef42bced91ee upstream. + +Commit d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP") +fixed an orphan section warning by adding the '.data..decrypted' section +to the linker script under the PERCPU_DECRYPTED_SECTION define but that +placement introduced a panic with !SMP, as the percpu sections are not +instantiated with that configuration so attempting to access variables +defined with DEFINE_PER_CPU_DECRYPTED() will result in a page fault. + +Move the '.data..decrypted' section to the DATA_MAIN define so that the +variables in it are properly instantiated at boot time with +CONFIG_SMP=n. + +Cc: stable@vger.kernel.org +Fixes: d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP") +Link: https://lore.kernel.org/cbbd3548-880c-d2ca-1b67-5bb93b291d5f@huawei.com/ +Debugged-by: Ard Biesheuvel +Reported-by: Zhao Wenhui +Tested-by: xiafukun +Signed-off-by: Nathan Chancellor +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221108174934.3384275-1-nathan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/vmlinux.lds.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -333,6 +333,7 @@ + #define DATA_DATA \ + *(.xiptext) \ + *(DATA_MAIN) \ ++ *(.data..decrypted) \ + *(.ref.data) \ + *(.data..shared_aligned) /* percpu related */ \ + MEM_KEEP(init.data*) \ +@@ -975,7 +976,6 @@ + #ifdef CONFIG_AMD_MEM_ENCRYPT + #define PERCPU_DECRYPTED_SECTION \ + . = ALIGN(PAGE_SIZE); \ +- *(.data..decrypted) \ + *(.data..percpu..decrypted) \ + . = ALIGN(PAGE_SIZE); + #else diff --git a/queue-6.0/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch b/queue-6.0/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch new file mode 100644 index 00000000000..cf21c592136 --- /dev/null +++ b/queue-6.0/wifi-ath11k-avoid-deadlock-during-regulatory-update-in-ath11k_regd_update.patch @@ -0,0 +1,94 @@ +From f45cb6b29cd36514e13f7519770873d8c0457008 Mon Sep 17 00:00:00 2001 +From: Wen Gong +Date: Wed, 2 Nov 2022 13:48:03 +0200 +Subject: wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update() + +From: Wen Gong + +commit f45cb6b29cd36514e13f7519770873d8c0457008 upstream. + +(cherry picked from commit d99884ad9e3673a12879bc2830f6e5a66cccbd78 in ath-next +as users are seeing this bug more now, also cc stable) + +Running this test in a loop it is easy to reproduce an rtnl deadlock: + +iw reg set FI +ifconfig wlan0 down + +What happens is that thread A (workqueue) tries to update the regulatory: + + try to acquire the rtnl_lock of ar->regd_update_work + + rtnl_lock+0x17/0x20 + ath11k_regd_update+0x15a/0x260 [ath11k] + ath11k_regd_update_work+0x15/0x20 [ath11k] + process_one_work+0x228/0x670 + worker_thread+0x4d/0x440 + kthread+0x16d/0x1b0 + ret_from_fork+0x22/0x30 + +And thread B (ifconfig) tries to stop the interface: + + try to cancel_work_sync(&ar->regd_update_work) in ath11k_mac_op_stop(). + ifconfig 3109 [003] 2414.232506: probe: + + ath11k_mac_op_stop: (ffffffffc14187a0) + drv_stop+0x30 ([mac80211]) + ieee80211_do_stop+0x5d2 ([mac80211]) + ieee80211_stop+0x3e ([mac80211]) + __dev_close_many+0x9e ([kernel.kallsyms]) + __dev_change_flags+0xbe ([kernel.kallsyms]) + dev_change_flags+0x23 ([kernel.kallsyms]) + devinet_ioctl+0x5e3 ([kernel.kallsyms]) + inet_ioctl+0x197 ([kernel.kallsyms]) + sock_do_ioctl+0x4d ([kernel.kallsyms]) + sock_ioctl+0x264 ([kernel.kallsyms]) + __x64_sys_ioctl+0x92 ([kernel.kallsyms]) + do_syscall_64+0x3a ([kernel.kallsyms]) + entry_SYSCALL_64_after_hwframe+0x63 ([kernel.kallsyms]) + __GI___ioctl+0x7 (/lib/x86_64-linux-gnu/libc-2.23.so) + +The sequence of deadlock is: + +1. Thread B calls rtnl_lock(). + +2. Thread A starts to run and calls rtnl_lock() from within + ath11k_regd_update_work(), then enters wait state because the lock is owned by + thread B. + +3. Thread B continues to run and tries to call + cancel_work_sync(&ar->regd_update_work), but thread A is in + ath11k_regd_update_work() waiting for rtnl_lock(). So cancel_work_sync() + forever waits for ath11k_regd_update_work() to finish and we have a deadlock. + +Fix this by switching from using regulatory_set_wiphy_regd_sync() to +regulatory_set_wiphy_regd(). Now cfg80211 will schedule another workqueue which +handles the locking on it's own. So the ath11k workqueue can simply exit without +taking any locks, avoiding the deadlock. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 + +Cc: +Signed-off-by: Wen Gong +[kvalo: improve commit log] +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/reg.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/reg.c ++++ b/drivers/net/wireless/ath/ath11k/reg.c +@@ -287,11 +287,7 @@ int ath11k_regd_update(struct ath11k *ar + goto err; + } + +- rtnl_lock(); +- wiphy_lock(ar->hw->wiphy); +- ret = regulatory_set_wiphy_regd_sync(ar->hw->wiphy, regd_copy); +- wiphy_unlock(ar->hw->wiphy); +- rtnl_unlock(); ++ ret = regulatory_set_wiphy_regd(ar->hw->wiphy, regd_copy); + + kfree(regd_copy); + -- 2.47.3