From 5cc885560c2f023ebbba60c2d4505af05c856448 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Fri, 26 Jan 2024 14:55:00 -0800 Subject: [PATCH] 6.1-stable patches added patches: arm64-dts-qcom-sc7180-fix-usb-wakeup-interrupt-types.patch arm64-dts-qcom-sc7280-fix-usb_1-wakeup-interrupt-types.patch arm64-dts-qcom-sdm845-fix-usb-wakeup-interrupt-types.patch arm64-dts-qcom-sm8150-fix-usb-wakeup-interrupt-types.patch arm64-properly-install-vmlinuz.efi.patch async-introduce-async_schedule_dev_nocall.patch async-split-async_schedule_node_domain.patch btrfs-sysfs-validate-scrub_speed_max-value.patch bus-mhi-host-add-alignment-check-for-event-ring-read-pointer.patch bus-mhi-host-add-spinlock-to-protect-wp-access-when-queueing-tres.patch bus-mhi-host-drop-chan-lock-before-queuing-buffers.patch crypto-api-disallow-identical-driver-names.patch crypto-s390-aes-fix-buffer-overread-in-ctr-mode.patch ext4-allow-for-the-last-group-to-be-marked-as-trimmed.patch hwrng-core-fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch media-imx355-enable-runtime-pm-before-registering-async-sub-device.patch media-ov9734-enable-runtime-pm-before-registering-async-sub-device.patch mips-fix-max_mapnr-being-uninitialized-on-early-stages.patch opp-pass-rounded-rate-to-_set_opp.patch parisc-firmware-fix-f-extend-for-pdc-addresses.patch parisc-power-fix-power-soft-off-button-emulation-on-qemu.patch pm-devfreq-fix-buffer-overflow-in-trans_stat_show.patch pm-hibernate-enforce-ordering-during-image-compression-decompression.patch rpmsg-virtio-free-driver_override-when-rpmsg_remove.patch s390-vfio-ap-always-filter-entire-ap-matrix.patch s390-vfio-ap-let-on_scan_complete-callback-filter-matrix-and-update-guest-s-apcb.patch s390-vfio-ap-loop-over-the-shadow-apcb-when-filtering-guest-s-ap-configuration.patch s390-vfio-ap-unpin-pages-on-gisc-registration-failure.patch --- ...c7180-fix-usb-wakeup-interrupt-types.patch | 36 ++++ ...280-fix-usb_1-wakeup-interrupt-types.patch | 38 ++++ ...dm845-fix-usb-wakeup-interrupt-types.patch | 47 ++++ 
...m8150-fix-usb-wakeup-interrupt-types.patch | 51 +++++ .../arm64-properly-install-vmlinuz.efi.patch | 47 ++++ ...-introduce-async_schedule_dev_nocall.patch | 75 +++++++ ...ync-split-async_schedule_node_domain.patch | 97 +++++++++ ...sysfs-validate-scrub_speed_max-value.patch | 35 +++ ...nt-check-for-event-ring-read-pointer.patch | 41 ++++ ...protect-wp-access-when-queueing-tres.patch | 95 ++++++++ ...rop-chan-lock-before-queuing-buffers.patch | 49 +++++ ...-api-disallow-identical-driver-names.patch | 29 +++ ...-aes-fix-buffer-overread-in-ctr-mode.patch | 54 +++++ ...e-last-group-to-be-marked-as-trimmed.patch | 86 ++++++++ ...age-fault-dead-lock-on-mmap-ed-hwrng.patch | 117 ++++++++++ ...-before-registering-async-sub-device.patch | 57 +++++ ...-before-registering-async-sub-device.patch | 71 ++++++ ...-being-uninitialized-on-early-stages.patch | 86 ++++++++ .../opp-pass-rounded-rate-to-_set_opp.patch | 42 ++++ ...mware-fix-f-extend-for-pdc-addresses.patch | 41 ++++ ...er-soft-off-button-emulation-on-qemu.patch | 32 +++ ...x-buffer-overflow-in-trans_stat_show.patch | 137 ++++++++++++ ...ring-image-compression-decompression.patch | 202 ++++++++++++++++++ ...ee-driver_override-when-rpmsg_remove.patch | 55 +++++ ...io-ap-always-filter-entire-ap-matrix.patch | 183 ++++++++++++++++ ...ilter-matrix-and-update-guest-s-apcb.patch | 67 ++++++ ...n-filtering-guest-s-ap-configuration.patch | 56 +++++ ...n-pages-on-gisc-registration-failure.patch | 39 ++++ queue-6.1/series | 28 +++ 29 files changed, 1993 insertions(+) create mode 100644 queue-6.1/arm64-dts-qcom-sc7180-fix-usb-wakeup-interrupt-types.patch create mode 100644 queue-6.1/arm64-dts-qcom-sc7280-fix-usb_1-wakeup-interrupt-types.patch create mode 100644 queue-6.1/arm64-dts-qcom-sdm845-fix-usb-wakeup-interrupt-types.patch create mode 100644 queue-6.1/arm64-dts-qcom-sm8150-fix-usb-wakeup-interrupt-types.patch create mode 100644 queue-6.1/arm64-properly-install-vmlinuz.efi.patch create mode 100644 
queue-6.1/async-introduce-async_schedule_dev_nocall.patch create mode 100644 queue-6.1/async-split-async_schedule_node_domain.patch create mode 100644 queue-6.1/btrfs-sysfs-validate-scrub_speed_max-value.patch create mode 100644 queue-6.1/bus-mhi-host-add-alignment-check-for-event-ring-read-pointer.patch create mode 100644 queue-6.1/bus-mhi-host-add-spinlock-to-protect-wp-access-when-queueing-tres.patch create mode 100644 queue-6.1/bus-mhi-host-drop-chan-lock-before-queuing-buffers.patch create mode 100644 queue-6.1/crypto-api-disallow-identical-driver-names.patch create mode 100644 queue-6.1/crypto-s390-aes-fix-buffer-overread-in-ctr-mode.patch create mode 100644 queue-6.1/ext4-allow-for-the-last-group-to-be-marked-as-trimmed.patch create mode 100644 queue-6.1/hwrng-core-fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch create mode 100644 queue-6.1/media-imx355-enable-runtime-pm-before-registering-async-sub-device.patch create mode 100644 queue-6.1/media-ov9734-enable-runtime-pm-before-registering-async-sub-device.patch create mode 100644 queue-6.1/mips-fix-max_mapnr-being-uninitialized-on-early-stages.patch create mode 100644 queue-6.1/opp-pass-rounded-rate-to-_set_opp.patch create mode 100644 queue-6.1/parisc-firmware-fix-f-extend-for-pdc-addresses.patch create mode 100644 queue-6.1/parisc-power-fix-power-soft-off-button-emulation-on-qemu.patch create mode 100644 queue-6.1/pm-devfreq-fix-buffer-overflow-in-trans_stat_show.patch create mode 100644 queue-6.1/pm-hibernate-enforce-ordering-during-image-compression-decompression.patch create mode 100644 queue-6.1/rpmsg-virtio-free-driver_override-when-rpmsg_remove.patch create mode 100644 queue-6.1/s390-vfio-ap-always-filter-entire-ap-matrix.patch create mode 100644 queue-6.1/s390-vfio-ap-let-on_scan_complete-callback-filter-matrix-and-update-guest-s-apcb.patch create mode 100644 queue-6.1/s390-vfio-ap-loop-over-the-shadow-apcb-when-filtering-guest-s-ap-configuration.patch create mode 100644 
queue-6.1/s390-vfio-ap-unpin-pages-on-gisc-registration-failure.patch diff --git a/queue-6.1/arm64-dts-qcom-sc7180-fix-usb-wakeup-interrupt-types.patch b/queue-6.1/arm64-dts-qcom-sc7180-fix-usb-wakeup-interrupt-types.patch new file mode 100644 index 00000000000..0087a8708a6 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sc7180-fix-usb-wakeup-interrupt-types.patch @@ -0,0 +1,36 @@ +From 9b956999bf725fd62613f719c3178fdbee6e5f47 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 20 Nov 2023 17:43:23 +0100 +Subject: arm64: dts: qcom: sc7180: fix USB wakeup interrupt types + +From: Johan Hovold + +commit 9b956999bf725fd62613f719c3178fdbee6e5f47 upstream. + +The DP/DM wakeup interrupts are edge triggered and which edge to trigger +on depends on use-case and whether a Low speed or Full/High speed device +is connected. + +Fixes: 0b766e7fe5a2 ("arm64: dts: qcom: sc7180: Add USB related nodes") +Cc: stable@vger.kernel.org # 5.10 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231120164331.8116-4-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sc7180.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi +@@ -2769,8 +2769,8 @@ + + interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 6 IRQ_TYPE_LEVEL_HIGH>, +- <&pdc 8 IRQ_TYPE_LEVEL_HIGH>, +- <&pdc 9 IRQ_TYPE_LEVEL_HIGH>; ++ <&pdc 8 IRQ_TYPE_EDGE_BOTH>, ++ <&pdc 9 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.1/arm64-dts-qcom-sc7280-fix-usb_1-wakeup-interrupt-types.patch b/queue-6.1/arm64-dts-qcom-sc7280-fix-usb_1-wakeup-interrupt-types.patch new file mode 100644 index 00000000000..6ac02e69a72 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sc7280-fix-usb_1-wakeup-interrupt-types.patch 
@@ -0,0 +1,38 @@ +From c34199d967a946e55381404fa949382691737521 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 20 Nov 2023 17:43:24 +0100 +Subject: arm64: dts: qcom: sc7280: fix usb_1 wakeup interrupt types + +From: Johan Hovold + +commit c34199d967a946e55381404fa949382691737521 upstream. + +A recent cleanup reordering the usb_1 wakeup interrupts inadvertently +switched the DP and SuperSpeed interrupt trigger types. + +Fixes: 4a7ffc10d195 ("arm64: dts: qcom: align DWC3 USB interrupts with DT schema") +Cc: stable@vger.kernel.org # 5.19 +Cc: Krzysztof Kozlowski +Signed-off-by: Johan Hovold +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20231120164331.8116-5-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sc7280.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi +@@ -3664,9 +3664,9 @@ + assigned-clock-rates = <19200000>, <200000000>; + + interrupts-extended = <&intc GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>, +- <&pdc 14 IRQ_TYPE_LEVEL_HIGH>, ++ <&pdc 14 IRQ_TYPE_EDGE_BOTH>, + <&pdc 15 IRQ_TYPE_EDGE_BOTH>, +- <&pdc 17 IRQ_TYPE_EDGE_BOTH>; ++ <&pdc 17 IRQ_TYPE_LEVEL_HIGH>; + interrupt-names = "hs_phy_irq", + "dp_hs_phy_irq", + "dm_hs_phy_irq", diff --git a/queue-6.1/arm64-dts-qcom-sdm845-fix-usb-wakeup-interrupt-types.patch b/queue-6.1/arm64-dts-qcom-sdm845-fix-usb-wakeup-interrupt-types.patch new file mode 100644 index 00000000000..191029c5f87 --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sdm845-fix-usb-wakeup-interrupt-types.patch 
@@ -0,0 +1,47 @@ +From 84ad9ac8d9ca29033d589e79a991866b38e23b85 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 20 Nov 2023 17:43:28 +0100 +Subject: arm64: dts: qcom: sdm845: fix USB wakeup interrupt types + +From: Johan Hovold + +commit 84ad9ac8d9ca29033d589e79a991866b38e23b85 upstream. + +The DP/DM wakeup interrupts are edge triggered and which edge to trigger +on depends on use-case and whether a Low speed or Full/High speed device +is connected. + +Fixes: ca4db2b538a1 ("arm64: dts: qcom: sdm845: Add USB-related nodes") +Cc: stable@vger.kernel.org # 4.20 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20231120164331.8116-9-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -4050,8 +4050,8 @@ + + interrupts = , + , +- , +- ; ++ , ++ ; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + +@@ -4101,8 +4101,8 @@ + + interrupts = , + , +- , +- ; ++ , ++ ; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.1/arm64-dts-qcom-sm8150-fix-usb-wakeup-interrupt-types.patch b/queue-6.1/arm64-dts-qcom-sm8150-fix-usb-wakeup-interrupt-types.patch new file mode 100644 index 00000000000..9b4049c617f --- /dev/null +++ b/queue-6.1/arm64-dts-qcom-sm8150-fix-usb-wakeup-interrupt-types.patch 
@@ -0,0 +1,51 @@ +From 54524b6987d1fffe64cbf3dded1b2fa6b903edf9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 20 Nov 2023 17:43:30 +0100 +Subject: arm64: dts: qcom: sm8150: fix USB wakeup interrupt types + +From: Johan Hovold + +commit 54524b6987d1fffe64cbf3dded1b2fa6b903edf9 upstream. + +The DP/DM wakeup interrupts are edge triggered and which edge to trigger +on depends on use-case and whether a Low speed or Full/High speed device +is connected. + +Fixes: 0c9dde0d2015 ("arm64: dts: qcom: sm8150: Add secondary USB and PHY nodes") +Fixes: b33d2868e8d3 ("arm64: dts: qcom: sm8150: Add USB and PHY device nodes") +Cc: stable@vger.kernel.org # 5.10 +Cc: Jonathan Marek +Cc: Jack Pham +Signed-off-by: Johan Hovold +Reviewed-by: Jack Pham +Link: https://lore.kernel.org/r/20231120164331.8116-11-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sm8150.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sm8150.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8150.dtsi +@@ -3630,8 +3630,8 @@ + + interrupts = , + , +- , +- ; ++ , ++ ; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + +@@ -3679,8 +3679,8 @@ + + interrupts = , + , +- , +- ; ++ , ++ ; + interrupt-names = "hs_phy_irq", "ss_phy_irq", + "dm_hs_phy_irq", "dp_hs_phy_irq"; + diff --git a/queue-6.1/arm64-properly-install-vmlinuz.efi.patch b/queue-6.1/arm64-properly-install-vmlinuz.efi.patch new file mode 100644 index 00000000000..fbdf7ab203e --- /dev/null +++ b/queue-6.1/arm64-properly-install-vmlinuz.efi.patch 
@@ -0,0 +1,47 @@ +From 7b21ed7d119dc06b0ed2ba3e406a02cafe3a8d03 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 14 Dec 2023 11:18:50 -0500 +Subject: arm64: properly install vmlinuz.efi + +From: Josef Bacik + +commit 7b21ed7d119dc06b0ed2ba3e406a02cafe3a8d03 upstream. + +If you select CONFIG_EFI_ZBOOT, we will generate vmlinuz.efi, and then +when we go to install the kernel we'll install the vmlinux instead +because install.sh only recognizes Image.gz as wanting the compressed +install image. With CONFIG_EFI_ZBOOT we don't get the proper kernel +installed, which means it doesn't boot, which makes for a very confused +and subsequently angry kernel developer. + +Fix this by properly installing our compressed kernel if we've enabled +CONFIG_EFI_ZBOOT. + +Signed-off-by: Josef Bacik +Cc: # 6.1.x +Fixes: c37b830fef13 ("arm64: efi: enable generic EFI compressed boot") +Reviewed-by: Simon Glass +Link: https://lore.kernel.org/r/6edb1402769c2c14c4fbef8f7eaedb3167558789.1702570674.git.josef@toxicpanda.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/install.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/install.sh b/arch/arm64/boot/install.sh +index 7399d706967a..9b7a09808a3d 100755 +--- a/arch/arm64/boot/install.sh ++++ b/arch/arm64/boot/install.sh +@@ -17,7 +17,8 @@ + # $3 - kernel map file + # $4 - default install path (blank if root directory) + +-if [ "$(basename $2)" = "Image.gz" ]; then ++if [ "$(basename $2)" = "Image.gz" ] || [ "$(basename $2)" = "vmlinuz.efi" ] ++then + # Compressed install + echo "Installing compressed kernel" + base=vmlinuz +-- +2.43.0 + diff --git a/queue-6.1/async-introduce-async_schedule_dev_nocall.patch b/queue-6.1/async-introduce-async_schedule_dev_nocall.patch new file mode 100644 index 00000000000..5c0eb054737 --- /dev/null +++ b/queue-6.1/async-introduce-async_schedule_dev_nocall.patch 
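Review bot: `$2` is expanded unquoted inside both `$(basename $2)` calls of the new condition, so an image path containing whitespace or glob characters is word-split before basename sees it. Computing the name once and quoting it keeps the two comparisons in step: `image_name=$(basename "$2")` followed by `if [ "$image_name" = "Image.gz" ] || [ "$image_name" = "vmlinuz.efi" ]`. The unquoted form predates this change, and the rest of install.sh lies outside the hunk.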
@@ -0,0 +1,75 @@ +From 7d4b5d7a37bdd63a5a3371b988744b060d5bb86f Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 27 Dec 2023 21:38:23 +0100 +Subject: async: Introduce async_schedule_dev_nocall() + +From: Rafael J. Wysocki + +commit 7d4b5d7a37bdd63a5a3371b988744b060d5bb86f upstream. + +In preparation for subsequent changes, introduce a specialized variant +of async_schedule_dev() that will not invoke the argument function +synchronously when it cannot be scheduled for asynchronous execution. + +The new function, async_schedule_dev_nocall(), will be used for fixing +possible deadlocks in the system-wide power management core code. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Stanislaw Gruszka for the series. +Tested-by: Youngmin Nam +Reviewed-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/async.h | 2 ++ + kernel/async.c | 29 +++++++++++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +--- a/include/linux/async.h ++++ b/include/linux/async.h +@@ -90,6 +90,8 @@ async_schedule_dev(async_func_t func, st + return async_schedule_node(func, dev, dev_to_node(dev)); + } + ++bool async_schedule_dev_nocall(async_func_t func, struct device *dev); ++ + /** + * async_schedule_dev_domain - A device specific version of async_schedule_domain + * @func: function to execute asynchronously +--- a/kernel/async.c ++++ b/kernel/async.c +@@ -244,6 +244,35 @@ async_cookie_t async_schedule_node(async + EXPORT_SYMBOL_GPL(async_schedule_node); + + /** ++ * async_schedule_dev_nocall - A simplified variant of async_schedule_dev() ++ * @func: function to execute asynchronously ++ * @dev: device argument to be passed to function ++ * ++ * @dev is used as both the argument for the function and to provide NUMA ++ * context for where to run the function. ++ * ++ * If the asynchronous execution of @func is scheduled successfully, return ++ * true. 
Otherwise, do nothing and return false, unlike async_schedule_dev() ++ * that will run the function synchronously then. ++ */ ++bool async_schedule_dev_nocall(async_func_t func, struct device *dev) ++{ ++ struct async_entry *entry; ++ ++ entry = kzalloc(sizeof(struct async_entry), GFP_KERNEL); ++ ++ /* Give up if there is no memory or too much work. */ ++ if (!entry || atomic_read(&entry_count) > MAX_WORK) { ++ kfree(entry); ++ return false; ++ } ++ ++ __async_schedule_node_domain(func, dev, dev_to_node(dev), ++ &async_dfl_domain, entry); ++ return true; ++} ++ ++/** + * async_synchronize_full - synchronize all asynchronous function calls + * + * This function waits until all asynchronous function calls have been done. diff --git a/queue-6.1/async-split-async_schedule_node_domain.patch b/queue-6.1/async-split-async_schedule_node_domain.patch new file mode 100644 index 00000000000..aaf670afc12 --- /dev/null +++ b/queue-6.1/async-split-async_schedule_node_domain.patch 
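Review bot: The kernel-doc for async_schedule_dev_nocall() does not say that the function may sleep, although it allocates with `kzalloc(sizeof(struct async_entry), GFP_KERNEL)`; a caller in atomic context gets no warning from the comment. I would add a line such as ` * Context: may sleep (GFP_KERNEL allocation), process context only.` The `atomic_read(&entry_count) > MAX_WORK` test is also not atomic with the increment that happens later in __async_schedule_node_domain(), so MAX_WORK appears to be a soft limit; if that is intended, the comment should say so.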
@@ -0,0 +1,97 @@ +From 6aa09a5bccd8e224d917afdb4c278fc66aacde4d Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 27 Dec 2023 21:37:02 +0100 +Subject: async: Split async_schedule_node_domain() + +From: Rafael J. Wysocki + +commit 6aa09a5bccd8e224d917afdb4c278fc66aacde4d upstream. + +In preparation for subsequent changes, split async_schedule_node_domain() +in two pieces so as to allow the bottom part of it to be called from a +somewhat different code path. + +No functional impact. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Stanislaw Gruszka +Tested-by: Youngmin Nam +Reviewed-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + kernel/async.c | 56 ++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 34 insertions(+), 22 deletions(-) + +--- a/kernel/async.c ++++ b/kernel/async.c +@@ -145,6 +145,39 @@ static void async_run_entry_fn(struct wo + wake_up(&async_done); + } + ++static async_cookie_t __async_schedule_node_domain(async_func_t func, ++ void *data, int node, ++ struct async_domain *domain, ++ struct async_entry *entry) ++{ ++ async_cookie_t newcookie; ++ unsigned long flags; ++ ++ INIT_LIST_HEAD(&entry->domain_list); ++ INIT_LIST_HEAD(&entry->global_list); ++ INIT_WORK(&entry->work, async_run_entry_fn); ++ entry->func = func; ++ entry->data = data; ++ entry->domain = domain; ++ ++ spin_lock_irqsave(&async_lock, flags); ++ ++ /* allocate cookie and queue */ ++ newcookie = entry->cookie = next_cookie++; ++ ++ list_add_tail(&entry->domain_list, &domain->pending); ++ if (domain->registered) ++ list_add_tail(&entry->global_list, &async_global_pending); ++ ++ atomic_inc(&entry_count); ++ spin_unlock_irqrestore(&async_lock, flags); ++ ++ /* schedule for execution */ ++ queue_work_node(node, system_unbound_wq, &entry->work); ++ ++ return newcookie; ++} ++ + /** + * async_schedule_node_domain - NUMA specific version of async_schedule_domain + * @func: function to execute asynchronously +@@ -186,29 +219,8 @@ async_cookie_t 
async_schedule_node_domai + func(data, newcookie); + return newcookie; + } +- INIT_LIST_HEAD(&entry->domain_list); +- INIT_LIST_HEAD(&entry->global_list); +- INIT_WORK(&entry->work, async_run_entry_fn); +- entry->func = func; +- entry->data = data; +- entry->domain = domain; +- +- spin_lock_irqsave(&async_lock, flags); + +- /* allocate cookie and queue */ +- newcookie = entry->cookie = next_cookie++; +- +- list_add_tail(&entry->domain_list, &domain->pending); +- if (domain->registered) +- list_add_tail(&entry->global_list, &async_global_pending); +- +- atomic_inc(&entry_count); +- spin_unlock_irqrestore(&async_lock, flags); +- +- /* schedule for execution */ +- queue_work_node(node, system_unbound_wq, &entry->work); +- +- return newcookie; ++ return __async_schedule_node_domain(func, data, node, domain, entry); + } + EXPORT_SYMBOL_GPL(async_schedule_node_domain); + diff --git a/queue-6.1/btrfs-sysfs-validate-scrub_speed_max-value.patch b/queue-6.1/btrfs-sysfs-validate-scrub_speed_max-value.patch new file mode 100644 index 00000000000..5508e1de0a2 --- /dev/null +++ b/queue-6.1/btrfs-sysfs-validate-scrub_speed_max-value.patch 
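Review bot: __async_schedule_node_domain() is added without a comment, and its contract is not obvious from the signature: it dereferences `entry` unconditionally, links it into `domain->pending` and passes it to `queue_work_node()`, so the caller must supply a valid allocation and should not touch it afterwards. A short comment above the helper, for example `/* Takes ownership of @entry, which must be non-NULL; the caller must not free or reuse it. */`, would help the second caller this split prepares for. Only the tail of async_schedule_node_domain() is in the hunk, so it cannot be checked here whether its `flags` local is still used after the move; if it is not, it should be dropped.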
@@ -0,0 +1,35 @@ +From 2b0122aaa800b021e36027d7f29e206f87c761d6 Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Fri, 8 Dec 2023 11:41:56 +1100 +Subject: btrfs: sysfs: validate scrub_speed_max value + +From: David Disseldorp + +commit 2b0122aaa800b021e36027d7f29e206f87c761d6 upstream. + +The value set as scrub_speed_max accepts size with suffixes +(k/m/g/t/p/e) but we should still validate it for trailing characters, +similar to what we do with chunk_size_store. + +CC: stable@vger.kernel.org # 5.15+ +Signed-off-by: David Disseldorp +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/sysfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -1704,6 +1704,10 @@ static ssize_t btrfs_devinfo_scrub_speed + unsigned long long limit; + + limit = memparse(buf, &endptr); ++ /* There could be trailing '\n', also catch any typos after the value. */ ++ endptr = skip_spaces(endptr); ++ if (*endptr != 0) ++ return -EINVAL; + WRITE_ONCE(device->scrub_speed_max, limit); + return len; + } diff --git a/queue-6.1/bus-mhi-host-add-alignment-check-for-event-ring-read-pointer.patch b/queue-6.1/bus-mhi-host-add-alignment-check-for-event-ring-read-pointer.patch new file mode 100644 index 00000000000..676952053db --- /dev/null +++ b/queue-6.1/bus-mhi-host-add-alignment-check-for-event-ring-read-pointer.patch 
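Review bot: The added trailing-character check still accepts a write that contains no number at all: for an empty or whitespace-only buffer `endptr` stays at the start, `skip_spaces()` reaches the terminator, and `limit` 0 is stored. Whether 0 has a special meaning for scrub_speed_max is not visible here, but it should probably be an explicit value rather than the result of an empty write; `if (endptr == buf) return -EINVAL;` placed before the `skip_spaces()` call would reject it. As far as I know memparse() also does not report overflow when a size suffix shifts the value, so an oversized input would be stored wrapped rather than refused.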
@@ -0,0 +1,41 @@ +From eff9704f5332a13b08fbdbe0f84059c9e7051d5f Mon Sep 17 00:00:00 2001 +From: Krishna chaitanya chundru +Date: Tue, 31 Oct 2023 15:21:05 +0530 +Subject: bus: mhi: host: Add alignment check for event ring read pointer + +From: Krishna chaitanya chundru + +commit eff9704f5332a13b08fbdbe0f84059c9e7051d5f upstream. + +Though we do check the event ring read pointer by "is_valid_ring_ptr" +to make sure it is in the buffer range, but there is another risk the +pointer may be not aligned. Since we are expecting event ring elements +are 128 bits(struct mhi_ring_element) aligned, an unaligned read pointer +could lead to multiple issues like DoS or ring buffer memory corruption. + +So add a alignment check for event ring read pointer. + +Fixes: ec32332df764 ("bus: mhi: core: Sanity check values from remote device before use") +cc: stable@vger.kernel.org +Signed-off-by: Krishna chaitanya chundru +Reviewed-by: Jeffrey Hugo +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20231031-alignment_check-v2-1-1441db7c5efd@quicinc.com +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/bus/mhi/host/main.c ++++ b/drivers/bus/mhi/host/main.c +@@ -268,7 +268,8 @@ static void mhi_del_ring_element(struct + + static bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr) + { +- return addr >= ring->iommu_base && addr < ring->iommu_base + ring->len; ++ return addr >= ring->iommu_base && addr < ring->iommu_base + ring->len && ++ !(addr & (sizeof(struct mhi_ring_element) - 1)); + } + + int mhi_destroy_device(struct device *dev, void *data) diff --git a/queue-6.1/bus-mhi-host-add-spinlock-to-protect-wp-access-when-queueing-tres.patch b/queue-6.1/bus-mhi-host-add-spinlock-to-protect-wp-access-when-queueing-tres.patch new file mode 100644 index 00000000000..3345ca1ba25 --- /dev/null 
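Review bot: The mask test `!(addr & (sizeof(struct mhi_ring_element) - 1))` in is_valid_ring_ptr() is an alignment check only if the element size is a power of two and `ring->iommu_base` is itself aligned to it, and neither assumption is stated in the function. Because `addr` is supplied by the device, I would check the offset into the ring instead, `IS_ALIGNED(addr - ring->iommu_base, sizeof(struct mhi_ring_element))`, and pin the size assumption with `BUILD_BUG_ON_NOT_POWER_OF_2(sizeof(struct mhi_ring_element));`. A one-line comment saying that ring elements are 128 bits, as the commit message does, would make the intent clear to the next reader.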
+++ b/queue-6.1/bus-mhi-host-add-spinlock-to-protect-wp-access-when-queueing-tres.patch 
@@ -0,0 +1,95 @@ +From b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9 Mon Sep 17 00:00:00 2001 +From: Bhaumik Bhatt +Date: Mon, 11 Dec 2023 14:42:51 +0800 +Subject: bus: mhi: host: Add spinlock to protect WP access when queueing TREs + +From: Bhaumik Bhatt + +commit b89b6a863dd53bc70d8e52d50f9cfaef8ef5e9c9 upstream. + +Protect WP accesses such that multiple threads queueing buffers for +incoming data do not race. + +Meanwhile, if CONFIG_TRACE_IRQFLAGS is enabled, irq will be enabled once +__local_bh_enable_ip is called as part of write_unlock_bh. Hence, let's +take irqsave lock after TRE is generated to avoid running write_unlock_bh +when irqsave lock is held. + +Cc: stable@vger.kernel.org +Fixes: 189ff97cca53 ("bus: mhi: core: Add support for data transfer") +Signed-off-by: Bhaumik Bhatt +Signed-off-by: Qiang Yu +Reviewed-by: Jeffrey Hugo +Tested-by: Jeffrey Hugo +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/1702276972-41296-2-git-send-email-quic_qianyu@quicinc.com +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/main.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- a/drivers/bus/mhi/host/main.c ++++ b/drivers/bus/mhi/host/main.c +@@ -1124,17 +1124,15 @@ static int mhi_queue(struct mhi_device * + if (unlikely(MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state))) + return -EIO; + +- read_lock_irqsave(&mhi_cntrl->pm_lock, flags); +- + ret = mhi_is_ring_full(mhi_cntrl, tre_ring); +- if (unlikely(ret)) { +- ret = -EAGAIN; +- goto exit_unlock; +- } ++ if (unlikely(ret)) ++ return -EAGAIN; + + ret = mhi_gen_tre(mhi_cntrl, mhi_chan, buf_info, mflags); + if (unlikely(ret)) +- goto exit_unlock; ++ return ret; ++ ++ read_lock_irqsave(&mhi_cntrl->pm_lock, flags); + + /* Packet is queued, take a usage ref to exit M3 if necessary + * for host->device buffer, balanced put is done on buffer completion +@@ -1154,7 +1152,6 @@ static int mhi_queue(struct mhi_device * + if (dir == 
DMA_FROM_DEVICE) + mhi_cntrl->runtime_put(mhi_cntrl); + +-exit_unlock: + read_unlock_irqrestore(&mhi_cntrl->pm_lock, flags); + + return ret; +@@ -1206,6 +1203,9 @@ int mhi_gen_tre(struct mhi_controller *m + int eot, eob, chain, bei; + int ret; + ++ /* Protect accesses for reading and incrementing WP */ ++ write_lock_bh(&mhi_chan->lock); ++ + buf_ring = &mhi_chan->buf_ring; + tre_ring = &mhi_chan->tre_ring; + +@@ -1223,8 +1223,10 @@ int mhi_gen_tre(struct mhi_controller *m + + if (!info->pre_mapped) { + ret = mhi_cntrl->map_single(mhi_cntrl, buf_info); +- if (ret) ++ if (ret) { ++ write_unlock_bh(&mhi_chan->lock); + return ret; ++ } + } + + eob = !!(flags & MHI_EOB); +@@ -1241,6 +1243,8 @@ int mhi_gen_tre(struct mhi_controller *m + mhi_add_ring_element(mhi_cntrl, tre_ring); + mhi_add_ring_element(mhi_cntrl, buf_ring); + ++ write_unlock_bh(&mhi_chan->lock); ++ + return 0; + } + diff --git a/queue-6.1/bus-mhi-host-drop-chan-lock-before-queuing-buffers.patch b/queue-6.1/bus-mhi-host-drop-chan-lock-before-queuing-buffers.patch new file mode 100644 index 00000000000..18152642a87 --- /dev/null +++ b/queue-6.1/bus-mhi-host-drop-chan-lock-before-queuing-buffers.patch 
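Review bot: mhi_queue() now calls `mhi_is_ring_full()` before any lock is taken, while the write pointer is protected only inside mhi_gen_tre() by the new `write_lock_bh(&mhi_chan->lock)`. Two threads can both observe one free slot and then both add a ring element, so the fullness test and the WP increment are not a single atomic step. Repeating the test under the lock in mhi_gen_tre(), after `tre_ring` is assigned, would close that window: `if (mhi_is_ring_full(mhi_cntrl, tre_ring)) { write_unlock_bh(&mhi_chan->lock); return -EAGAIN; }`. Both functions continue outside the hunks, so serialization by a caller cannot be ruled out from here.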
@@ -0,0 +1,49 @@ +From 01bd694ac2f682fb8017e16148b928482bc8fa4b Mon Sep 17 00:00:00 2001 +From: Qiang Yu +Date: Mon, 11 Dec 2023 14:42:52 +0800 +Subject: bus: mhi: host: Drop chan lock before queuing buffers + +From: Qiang Yu + +commit 01bd694ac2f682fb8017e16148b928482bc8fa4b upstream. + +Ensure read and write locks for the channel are not taken in succession by +dropping the read lock from parse_xfer_event() such that a callback given +to client can potentially queue buffers and acquire the write lock in that +process. Any queueing of buffers should be done without channel read lock +acquired as it can result in multiple locks and a soft lockup. + +Cc: # 5.7 +Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device") +Signed-off-by: Qiang Yu +Reviewed-by: Jeffrey Hugo +Tested-by: Jeffrey Hugo +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/1702276972-41296-3-git-send-email-quic_qianyu@quicinc.com +[mani: added fixes tag and cc'ed stable] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/bus/mhi/host/main.c ++++ b/drivers/bus/mhi/host/main.c +@@ -643,6 +643,8 @@ static int parse_xfer_event(struct mhi_c + mhi_del_ring_element(mhi_cntrl, tre_ring); + local_rp = tre_ring->rp; + ++ read_unlock_bh(&mhi_chan->lock); ++ + /* notify client */ + mhi_chan->xfer_cb(mhi_chan->mhi_dev, &result); + +@@ -668,6 +670,8 @@ static int parse_xfer_event(struct mhi_c + kfree(buf_info->cb_buf); + } + } ++ ++ read_lock_bh(&mhi_chan->lock); + } + break; + } /* CC_EOT */ diff --git a/queue-6.1/crypto-api-disallow-identical-driver-names.patch b/queue-6.1/crypto-api-disallow-identical-driver-names.patch new file mode 100644 index 00000000000..73ab21b0ec2 --- /dev/null +++ b/queue-6.1/crypto-api-disallow-identical-driver-names.patch 
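Review bot: Between the added `read_unlock_bh(&mhi_chan->lock)` and `read_lock_bh(&mhi_chan->lock)` the loop in parse_xfer_event() still uses `buf_info` (the `kfree(buf_info->cb_buf)` path) and afterwards continues with ring state read before the unlock; nothing visible in the hunk prevents the channel from being reset or the ring from changing in that window. If another mechanism guarantees this, it deserves a comment at the unlock, for example `/* drop chan->lock: xfer_cb may queue buffers and take it for writing */`, together with a word on what keeps `buf_info` valid. Otherwise the channel state should be rechecked once the read lock is taken again. The loop and the function both start outside the hunk.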
@@ -0,0 +1,29 @@ +From 27016f75f5ed47e2d8e0ca75a8ff1f40bc1a5e27 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 7 Dec 2023 18:36:57 +0800 +Subject: crypto: api - Disallow identical driver names + +From: Herbert Xu + +commit 27016f75f5ed47e2d8e0ca75a8ff1f40bc1a5e27 upstream. + +Disallow registration of two algorithms with identical driver names. + +Cc: +Reported-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/algapi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -290,6 +290,7 @@ static struct crypto_larval *__crypto_re + } + + if (!strcmp(q->cra_driver_name, alg->cra_name) || ++ !strcmp(q->cra_driver_name, alg->cra_driver_name) || + !strcmp(q->cra_name, alg->cra_driver_name)) + goto err; + } diff --git a/queue-6.1/crypto-s390-aes-fix-buffer-overread-in-ctr-mode.patch b/queue-6.1/crypto-s390-aes-fix-buffer-overread-in-ctr-mode.patch new file mode 100644 index 00000000000..c9840665b29 --- /dev/null +++ b/queue-6.1/crypto-s390-aes-fix-buffer-overread-in-ctr-mode.patch 
@@ -0,0 +1,54 @@
+From d07f951903fa9922c375b8ab1ce81b18a0034e3b Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 28 Nov 2023 14:22:13 +0800
+Subject: crypto: s390/aes - Fix buffer overread in CTR mode
+
+From: Herbert Xu
+
+commit d07f951903fa9922c375b8ab1ce81b18a0034e3b upstream.
+
+When processing the last block, the s390 ctr code will always read
+a whole block, even if there isn't a whole block of data left. Fix
+this by using the actual length left and copy it into a buffer first
+for processing.
+
+Fixes: 0200f3ecc196 ("crypto: s390 - add System z hardware support for CTR mode")
+Cc:
+Reported-by: Guangwu Zhang
+Signed-off-by: Herbert Xu
+Reviewd-by: Harald Freudenberger
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/crypto/aes_s390.c | 4 +++-
+ arch/s390/crypto/paes_s390.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/crypto/aes_s390.c
++++ b/arch/s390/crypto/aes_s390.c
+@@ -601,7 +601,9 @@ static int ctr_aes_crypt(struct skcipher
+ * final block may be < AES_BLOCK_SIZE, copy only nbytes
+ */
+ if (nbytes) {
+- cpacf_kmctr(sctx->fc, sctx->key, buf, walk.src.virt.addr,
++ memset(buf, 0, AES_BLOCK_SIZE);
++ memcpy(buf, walk.src.virt.addr, nbytes);
++ cpacf_kmctr(sctx->fc, sctx->key, buf, buf,
+ AES_BLOCK_SIZE, walk.iv);
+ memcpy(walk.dst.virt.addr, buf, nbytes);
+ crypto_inc(walk.iv, AES_BLOCK_SIZE);
+--- a/arch/s390/crypto/paes_s390.c
++++ b/arch/s390/crypto/paes_s390.c
+@@ -688,9 +688,11 @@ static int ctr_paes_crypt(struct skciphe
+ * final block may be < AES_BLOCK_SIZE, copy only nbytes
+ */
+ if (nbytes) {
++ memset(buf, 0, AES_BLOCK_SIZE);
++ memcpy(buf, walk.src.virt.addr, nbytes);
+ while (1) {
+ if (cpacf_kmctr(ctx->fc, ¶m, buf,
+- walk.src.virt.addr, AES_BLOCK_SIZE,
++ buf, AES_BLOCK_SIZE,
+ walk.iv) == AES_BLOCK_SIZE)
+ break;
+ if (__paes_convert_key(ctx))
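Review bot: Nothing in either hunk clears `buf` after the in-place `cpacf_kmctr()` call, and the bytes from `nbytes` up to `AES_BLOCK_SIZE` now hold raw keystream, because the zero padding is XORed with it. If `buf` is a stack or otherwise reusable buffer (its declaration is outside the hunks), add `memzero_explicit(buf, AES_BLOCK_SIZE);` after `memcpy(walk.dst.virt.addr, buf, nbytes);` in ctr_aes_crypt(). The same applies after the result is copied out in ctr_paes_crypt(), where the copy-out itself lies below the visible lines. Both functions start and end outside their hunks.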
diff --git a/queue-6.1/ext4-allow-for-the-last-group-to-be-marked-as-trimmed.patch b/queue-6.1/ext4-allow-for-the-last-group-to-be-marked-as-trimmed.patch
new file mode 100644
index 00000000000..a87588ae23c
--- /dev/null
+++ b/queue-6.1/ext4-allow-for-the-last-group-to-be-marked-as-trimmed.patch
@@ -0,0 +1,86 @@ +From 7c784d624819acbeefb0018bac89e632467cca5a Mon Sep 17 00:00:00 2001 +From: Suraj Jitindar Singh +Date: Wed, 13 Dec 2023 16:16:35 +1100 +Subject: ext4: allow for the last group to be marked as trimmed + +From: Suraj Jitindar Singh + +commit 7c784d624819acbeefb0018bac89e632467cca5a upstream. + +The ext4 filesystem tracks the trim status of blocks at the group +level. When an entire group has been trimmed then it is marked as +such and subsequent trim invocations with the same minimum trim size +will not be attempted on that group unless it is marked as able to be +trimmed again such as when a block is freed. + +Currently the last group can't be marked as trimmed due to incorrect +logic in ext4_last_grp_cluster(). ext4_last_grp_cluster() is supposed +to return the zero based index of the last cluster in a group. This is +then used by ext4_try_to_trim_range() to determine if the trim +operation spans the entire group and as such if the trim status of the +group should be recorded. + +ext4_last_grp_cluster() takes a 0 based group index, thus the valid +values for grp are 0..(ext4_get_groups_count - 1). Any group index +less than (ext4_get_groups_count - 1) is not the last group and must +have EXT4_CLUSTERS_PER_GROUP(sb) clusters. For the last group we need +to calculate the number of clusters based on the number of blocks in +the group. Finally subtract 1 from the number of clusters as zero +based indexing is expected. Rearrange the function slightly to make +it clear what we are calculating and returning. 
+ +Reproducer: +// Create file system where the last group has fewer blocks than +// blocks per group +$ mkfs.ext4 -b 4096 -g 8192 /dev/nvme0n1 8191 +$ mount /dev/nvme0n1 /mnt + +Before Patch: +$ fstrim -v /mnt +/mnt: 25.9 MiB (27156480 bytes) trimmed +// Group not marked as trimmed so second invocation still discards blocks +$ fstrim -v /mnt +/mnt: 25.9 MiB (27156480 bytes) trimmed + +After Patch: +fstrim -v /mnt +/mnt: 25.9 MiB (27156480 bytes) trimmed +// Group marked as trimmed so second invocation DOESN'T discard any blocks +fstrim -v /mnt +/mnt: 0 B (0 bytes) trimmed + +Fixes: 45e4ab320c9b ("ext4: move setting of trimmed bit into ext4_try_to_trim_range()") +Cc: # 4.19+ +Signed-off-by: Suraj Jitindar Singh +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20231213051635.37731-1-surajjs@amazon.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6421,11 +6421,16 @@ __acquires(bitlock) + static ext4_grpblk_t ext4_last_grp_cluster(struct super_block *sb, + ext4_group_t grp) + { +- if (grp < ext4_get_groups_count(sb)) +- return EXT4_CLUSTERS_PER_GROUP(sb) - 1; +- return (ext4_blocks_count(EXT4_SB(sb)->s_es) - +- ext4_group_first_block_no(sb, grp) - 1) >> +- EXT4_CLUSTER_BITS(sb); ++ unsigned long nr_clusters_in_group; ++ ++ if (grp < (ext4_get_groups_count(sb) - 1)) ++ nr_clusters_in_group = EXT4_CLUSTERS_PER_GROUP(sb); ++ else ++ nr_clusters_in_group = (ext4_blocks_count(EXT4_SB(sb)->s_es) - ++ ext4_group_first_block_no(sb, grp)) ++ >> EXT4_CLUSTER_BITS(sb); ++ ++ return nr_clusters_in_group - 1; + } + + static bool ext4_trim_interrupted(void) diff --git a/queue-6.1/hwrng-core-fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch b/queue-6.1/hwrng-core-fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch new file mode 100644 index 00000000000..3db335d09d9 --- /dev/null 
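Review bot: `nr_clusters_in_group` is declared `unsigned long` while ext4_last_grp_cluster() returns `ext4_grpblk_t`, and the last-group branch assigns it from a difference of block counts, so the value changes type twice on the way out. Declaring the local as `ext4_grpblk_t nr_clusters_in_group;` keeps one type through the function. The `else` branch is also taken for any `grp` at or beyond the last index, so a one-line comment that callers must pass a valid group index would document the assumption the arithmetic relies on.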
+++ b/queue-6.1/hwrng-core-fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch 
@@ -0,0 +1,117 @@ +From 78aafb3884f6bc6636efcc1760c891c8500b9922 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Sat, 2 Dec 2023 09:01:54 +0800 +Subject: hwrng: core - Fix page fault dead lock on mmap-ed hwrng + +From: Herbert Xu + +commit 78aafb3884f6bc6636efcc1760c891c8500b9922 upstream. + +There is a dead-lock in the hwrng device read path. This triggers +when the user reads from /dev/hwrng into memory also mmap-ed from +/dev/hwrng. The resulting page fault triggers a recursive read +which then dead-locks. + +Fix this by using a stack buffer when calling copy_to_user. + +Reported-by: Edward Adam Davis +Reported-by: syzbot+c52ab18308964d248092@syzkaller.appspotmail.com +Fixes: 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte array") +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/core.c | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +--- a/drivers/char/hw_random/core.c ++++ b/drivers/char/hw_random/core.c +@@ -24,10 +24,13 @@ + #include + #include + #include ++#include + #include + + #define RNG_MODULE_NAME "hw_random" + ++#define RNG_BUFFER_SIZE (SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES) ++ + static struct hwrng *current_rng; + /* the current rng has been explicitly chosen by user via sysfs */ + static int cur_rng_set_by_user; +@@ -59,7 +62,7 @@ static inline int rng_get_data(struct hw + + static size_t rng_buffer_size(void) + { +- return SMP_CACHE_BYTES < 32 ? 
32 : SMP_CACHE_BYTES; ++ return RNG_BUFFER_SIZE; + } + + static void add_early_randomness(struct hwrng *rng) +@@ -211,6 +214,7 @@ static inline int rng_get_data(struct hw + static ssize_t rng_dev_read(struct file *filp, char __user *buf, + size_t size, loff_t *offp) + { ++ u8 buffer[RNG_BUFFER_SIZE]; + ssize_t ret = 0; + int err = 0; + int bytes_read, len; +@@ -238,34 +242,37 @@ static ssize_t rng_dev_read(struct file + if (bytes_read < 0) { + err = bytes_read; + goto out_unlock_reading; ++ } else if (bytes_read == 0 && ++ (filp->f_flags & O_NONBLOCK)) { ++ err = -EAGAIN; ++ goto out_unlock_reading; + } ++ + data_avail = bytes_read; + } + +- if (!data_avail) { +- if (filp->f_flags & O_NONBLOCK) { +- err = -EAGAIN; +- goto out_unlock_reading; +- } +- } else { +- len = data_avail; ++ len = data_avail; ++ if (len) { + if (len > size) + len = size; + + data_avail -= len; + +- if (copy_to_user(buf + ret, rng_buffer + data_avail, +- len)) { ++ memcpy(buffer, rng_buffer + data_avail, len); ++ } ++ mutex_unlock(&reading_mutex); ++ put_rng(rng); ++ ++ if (len) { ++ if (copy_to_user(buf + ret, buffer, len)) { + err = -EFAULT; +- goto out_unlock_reading; ++ goto out; + } + + size -= len; + ret += len; + } + +- mutex_unlock(&reading_mutex); +- put_rng(rng); + + if (need_resched()) + schedule_timeout_interruptible(1); +@@ -276,6 +283,7 @@ static ssize_t rng_dev_read(struct file + } + } + out: ++ memzero_explicit(buffer, sizeof(buffer)); + return ret ? : err; + + out_unlock_reading: diff --git a/queue-6.1/media-imx355-enable-runtime-pm-before-registering-async-sub-device.patch b/queue-6.1/media-imx355-enable-runtime-pm-before-registering-async-sub-device.patch new file mode 100644 index 00000000000..7c47f33b67b --- /dev/null +++ b/queue-6.1/media-imx355-enable-runtime-pm-before-registering-async-sub-device.patch 
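Review bot: The new `memcpy(buffer, rng_buffer + data_avail, len)` writes into a `RNG_BUFFER_SIZE` stack array with a length bounded only by `size` and by `data_avail`, which is taken directly from `bytes_read`. If a driver ever reports more bytes than it was asked for, the old code over-read `rng_buffer`, whereas this version overruns the kernel stack. Clamping where the value is stored, for example `data_avail = min_t(int, bytes_read, sizeof(buffer));`, makes the bound local to rng_dev_read(). The call that produces `bytes_read` is outside the hunk, so whether it already guarantees this cannot be confirmed from here.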
@@ -0,0 +1,57 @@
+From efa5fe19c0a9199f49e36e1f5242ed5c88da617d Mon Sep 17 00:00:00 2001
+From: Bingbu Cao
+Date: Wed, 22 Nov 2023 17:46:06 +0800
+Subject: media: imx355: Enable runtime PM before registering async sub-device
+
+From: Bingbu Cao
+
+commit efa5fe19c0a9199f49e36e1f5242ed5c88da617d upstream.
+
+As the sensor device maybe accessible right after its async sub-device is
+registered, such as ipu-bridge will try to power up sensor by sensor's
+client device's runtime PM from the async notifier callback, if runtime PM
+is not enabled, it will fail.
+
+So runtime PM should be ready before its async sub-device is registered
+and accessible by others.
+
+Fixes: df0b5c4a7ddd ("media: add imx355 camera sensor driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bingbu Cao
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/imx355.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/i2c/imx355.c
++++ b/drivers/media/i2c/imx355.c
+@@ -1784,10 +1784,6 @@ static int imx355_probe(struct i2c_clien
+ goto error_handler_free;
+ }
+
+- ret = v4l2_async_register_subdev_sensor(&imx355->sd);
+- if (ret < 0)
+- goto error_media_entity;
+-
+ /*
+ * Device is already turned on by i2c-core with ACPI domain PM.
+ * Enable runtime PM and turn off the device.
+@@ -1796,9 +1792,15 @@ static int imx355_probe(struct i2c_clien
+ pm_runtime_enable(&client->dev);
+ pm_runtime_idle(&client->dev);
+
++ ret = v4l2_async_register_subdev_sensor(&imx355->sd);
++ if (ret < 0)
++ goto error_media_entity_runtime_pm;
++
+ return 0;
+
+-error_media_entity:
++error_media_entity_runtime_pm:
++ pm_runtime_disable(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
+ media_entity_cleanup(&imx355->sd.entity);
+
+ error_handler_free:
diff --git a/queue-6.1/media-ov9734-enable-runtime-pm-before-registering-async-sub-device.patch b/queue-6.1/media-ov9734-enable-runtime-pm-before-registering-async-sub-device.patch
new file mode 100644
index 00000000000..61e16abfa68
--- /dev/null
+++ b/queue-6.1/media-ov9734-enable-runtime-pm-before-registering-async-sub-device.patch
@@ -0,0 +1,71 @@ +From e242e9c144050ed120cf666642ba96b7c4462a4c Mon Sep 17 00:00:00 2001 +From: Bingbu Cao +Date: Wed, 22 Nov 2023 17:46:09 +0800 +Subject: media: ov9734: Enable runtime PM before registering async sub-device + +From: Bingbu Cao + +commit e242e9c144050ed120cf666642ba96b7c4462a4c upstream. + +As the sensor device maybe accessible right after its async sub-device is +registered, such as ipu-bridge will try to power up sensor by sensor's +client device's runtime PM from the async notifier callback, if runtime PM +is not enabled, it will fail. + +So runtime PM should be ready before its async sub-device is registered +and accessible by others. + +Fixes: d3f863a63fe4 ("media: i2c: Add ov9734 image sensor driver") +Cc: stable@vger.kernel.org +Signed-off-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov9734.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/drivers/media/i2c/ov9734.c ++++ b/drivers/media/i2c/ov9734.c +@@ -939,6 +939,7 @@ static void ov9734_remove(struct i2c_cli + media_entity_cleanup(&sd->entity); + v4l2_ctrl_handler_free(sd->ctrl_handler); + pm_runtime_disable(&client->dev); ++ pm_runtime_set_suspended(&client->dev); + mutex_destroy(&ov9734->mutex); + } + +@@ -984,13 +985,6 @@ static int ov9734_probe(struct i2c_clien + goto probe_error_v4l2_ctrl_handler_free; + } + +- ret = v4l2_async_register_subdev_sensor(&ov9734->sd); +- if (ret < 0) { +- dev_err(&client->dev, "failed to register V4L2 subdev: %d", +- ret); +- goto probe_error_media_entity_cleanup; +- } +- + /* + * Device is already turned on by i2c-core with ACPI domain PM. + * Enable runtime PM and turn off the device. 
+@@ -999,9 +993,18 @@ static int ov9734_probe(struct i2c_clien + pm_runtime_enable(&client->dev); + pm_runtime_idle(&client->dev); + ++ ret = v4l2_async_register_subdev_sensor(&ov9734->sd); ++ if (ret < 0) { ++ dev_err(&client->dev, "failed to register V4L2 subdev: %d", ++ ret); ++ goto probe_error_media_entity_cleanup_pm; ++ } ++ + return 0; + +-probe_error_media_entity_cleanup: ++probe_error_media_entity_cleanup_pm: ++ pm_runtime_disable(&client->dev); ++ pm_runtime_set_suspended(&client->dev); + media_entity_cleanup(&ov9734->sd.entity); + + probe_error_v4l2_ctrl_handler_free: diff --git a/queue-6.1/mips-fix-max_mapnr-being-uninitialized-on-early-stages.patch b/queue-6.1/mips-fix-max_mapnr-being-uninitialized-on-early-stages.patch new file mode 100644 index 00000000000..3e4d4ca7131 --- /dev/null +++ b/queue-6.1/mips-fix-max_mapnr-being-uninitialized-on-early-stages.patch 
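Review bot: The `dev_err()` format string carried into the relocated registration block of ov9734_probe(), `"failed to register V4L2 subdev: %d"`, has no trailing newline, so the message can run into the next kernel log line. Since the block is being re-added anyway, `"failed to register V4L2 subdev: %d\n"` is the form to use. ov9734_probe() starts and ends outside the hunks.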
@@ -0,0 +1,86 @@ +From e1a9ae45736989c972a8d1c151bc390678ae6205 Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Sat, 2 Dec 2023 14:14:20 +0300 +Subject: mips: Fix max_mapnr being uninitialized on early stages + +From: Serge Semin + +commit e1a9ae45736989c972a8d1c151bc390678ae6205 upstream. + +max_mapnr variable is utilized in the pfn_valid() method in order to +determine the upper PFN space boundary. Having it uninitialized +effectively makes any PFN passed to that method invalid. That in its turn +causes the kernel mm-subsystem occasion malfunctions even after the +max_mapnr variable is actually properly updated. For instance, +pfn_valid() is called in the init_unavailable_range() method in the +framework of the calls-chain on MIPS: +setup_arch() ++-> paging_init() + +-> free_area_init() + +-> memmap_init() + +-> memmap_init_zone_range() + +-> init_unavailable_range() + +Since pfn_valid() always returns "false" value before max_mapnr is +initialized in the mem_init() method, any flatmem page-holes will be left +in the poisoned/uninitialized state including the IO-memory pages. Thus +any further attempts to map/remap the IO-memory by using MMU may fail. +In particular it happened in my case on attempt to map the SRAM region. +The kernel bootup procedure just crashed on the unhandled unaligned access +bug raised in the __update_cache() method: + +> Unhandled kernel unaligned access[#1]: +> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc1-XXX-dirty #2056 +> ... +> Call Trace: +> [<8011ef9c>] __update_cache+0x88/0x1bc +> [<80385944>] ioremap_page_range+0x110/0x2a4 +> [<80126948>] ioremap_prot+0x17c/0x1f4 +> [<80711b80>] __devm_ioremap+0x8c/0x120 +> [<80711e0c>] __devm_ioremap_resource+0xf4/0x218 +> [<808bf244>] sram_probe+0x4f4/0x930 +> [<80889d20>] platform_probe+0x68/0xec +> ... + +Let's fix the problem by initializing the max_mapnr variable as soon as +the required data is available. 
In particular it can be done right in the +paging_init() method before free_area_init() is called since all the PFN +zone boundaries have already been calculated by that time. + +Cc: stable@vger.kernel.org +Signed-off-by: Serge Semin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/init.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/arch/mips/mm/init.c ++++ b/arch/mips/mm/init.c +@@ -417,7 +417,12 @@ void __init paging_init(void) + (highend_pfn - max_low_pfn) << (PAGE_SHIFT - 10)); + max_zone_pfns[ZONE_HIGHMEM] = max_low_pfn; + } ++ ++ max_mapnr = highend_pfn ? highend_pfn : max_low_pfn; ++#else ++ max_mapnr = max_low_pfn; + #endif ++ high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT); + + free_area_init(max_zone_pfns); + } +@@ -453,13 +458,6 @@ void __init mem_init(void) + */ + BUILD_BUG_ON(IS_ENABLED(CONFIG_32BIT) && (_PFN_SHIFT > PAGE_SHIFT)); + +-#ifdef CONFIG_HIGHMEM +- max_mapnr = highend_pfn ? highend_pfn : max_low_pfn; +-#else +- max_mapnr = max_low_pfn; +-#endif +- high_memory = (void *) __va(max_low_pfn << PAGE_SHIFT); +- + maar_init(); + memblock_free_all(); + setup_zero_pages(); /* Setup zeroed pages. */ diff --git a/queue-6.1/opp-pass-rounded-rate-to-_set_opp.patch b/queue-6.1/opp-pass-rounded-rate-to-_set_opp.patch new file mode 100644 index 00000000000..99bd6c6978f --- /dev/null +++ b/queue-6.1/opp-pass-rounded-rate-to-_set_opp.patch 
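Review bot: The assignments moved into paging_init() must run before `free_area_init(max_zone_pfns)`, but nothing in the code states that ordering requirement. A comment above them, for example `/* pfn_valid() depends on max_mapnr, so set it before free_area_init() walks the memmap */`, would keep a later cleanup from moving them back into mem_init(). The reason is given only in the commit message, which a reader of arch/mips/mm/init.c will not see. paging_init() starts outside the hunk.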
@@ -0,0 +1,42 @@
+From 7269c250db1b89cda72ca419b7bd5e37997309d6 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar
+Date: Fri, 5 Jan 2024 13:55:37 +0530
+Subject: OPP: Pass rounded rate to _set_opp()
+
+From: Viresh Kumar
+
+commit 7269c250db1b89cda72ca419b7bd5e37997309d6 upstream.
+
+The OPP core finds the eventual frequency to set with the help of
+clk_round_rate() and the same was earlier getting passed to _set_opp()
+and that's what would get configured.
+
+The commit 1efae8d2e777 ("OPP: Make dev_pm_opp_set_opp() independent of
+frequency") mistakenly changed that. Fix it.
+
+Fixes: 1efae8d2e777 ("OPP: Make dev_pm_opp_set_opp() independent of frequency")
+Cc: v5.18+ # v6.0+
+Signed-off-by: Viresh Kumar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/opp/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/opp/core.c
++++ b/drivers/opp/core.c
+@@ -1226,12 +1226,12 @@ int dev_pm_opp_set_rate(struct device *d
+ * value of the frequency. In such a case, do not abort but
+ * configure the hardware to the desired frequency forcefully.
+ */
+- forced = opp_table->rate_clk_single != target_freq;
++ forced = opp_table->rate_clk_single != freq;
+ }
+
+- ret = _set_opp(dev, opp_table, opp, &target_freq, forced);
++ ret = _set_opp(dev, opp_table, opp, &freq, forced);
+
+- if (target_freq)
++ if (freq)
+ dev_pm_opp_put(opp);
+
+ put_opp_table:
diff --git a/queue-6.1/parisc-firmware-fix-f-extend-for-pdc-addresses.patch b/queue-6.1/parisc-firmware-fix-f-extend-for-pdc-addresses.patch
new file mode 100644
index 00000000000..cce1ed6a8ac
--- /dev/null
+++ b/queue-6.1/parisc-firmware-fix-f-extend-for-pdc-addresses.patch
@@ -0,0 +1,41 @@
+From 735ae74f73e55c191d48689bd11ff4a06ea0508f Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Wed, 3 Jan 2024 21:02:16 +0100
+Subject: parisc/firmware: Fix F-extend for PDC addresses
+
+From: Helge Deller
+
+commit 735ae74f73e55c191d48689bd11ff4a06ea0508f upstream.
+
+When running with narrow firmware (64-bit kernel using a 32-bit
+firmware), extend PDC addresses into the 0xfffffff0.00000000
+region instead of the 0xf0f0f0f0.00000000 region.
+
+This fixes the power button on the C3700 machine in qemu (64-bit CPU
+with 32-bit firmware), and my assumption is that the previous code was
+really never used (because most 64-bit machines have a 64-bit firmware),
+or it just worked on very old machines because they may only decode
+40-bit of virtual addresses.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/firmware.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/firmware.c
++++ b/arch/parisc/kernel/firmware.c
+@@ -123,10 +123,10 @@ static unsigned long f_extend(unsigned l
+ #ifdef CONFIG_64BIT
+ if(unlikely(parisc_narrow_firmware)) {
+ if((address & 0xff000000) == 0xf0000000)
+- return 0xf0f0f0f000000000UL | (u32)address;
++ return (0xfffffff0UL << 32) | (u32)address;
+
+ if((address & 0xf0000000) == 0xf0000000)
+- return 0xffffffff00000000UL | (u32)address;
++ return (0xffffffffUL << 32) | (u32)address;
+ }
+ #endif
+ return address;
diff --git a/queue-6.1/parisc-power-fix-power-soft-off-button-emulation-on-qemu.patch b/queue-6.1/parisc-power-fix-power-soft-off-button-emulation-on-qemu.patch
new file mode 100644
index 00000000000..ce4859d349d
--- /dev/null
+++ b/queue-6.1/parisc-power-fix-power-soft-off-button-emulation-on-qemu.patch
@@ -0,0 +1,32 @@
+From 6472036581f947109b20664121db1d143e916f0b Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Wed, 3 Jan 2024 21:17:23 +0100
+Subject: parisc/power: Fix power soft-off button emulation on qemu
+
+From: Helge Deller
+
+commit 6472036581f947109b20664121db1d143e916f0b upstream.
+
+Make sure to start the kthread to check the power button on qemu as
+well if the power button address was provided.
+This fixes the qemu built-in system_powerdown runtime command.
+
+Fixes: d0c219472980 ("parisc/power: Add power soft-off when running on qemu")
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/parisc/power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/parisc/power.c
++++ b/drivers/parisc/power.c
+@@ -238,7 +238,7 @@ static int __init power_init(void)
+ if (running_on_qemu && soft_power_reg)
+ register_sys_off_handler(SYS_OFF_MODE_POWER_OFF, SYS_OFF_PRIO_DEFAULT,
+ qemu_power_off, (void *)soft_power_reg);
+- else
++ if (!running_on_qemu || soft_power_reg)
+ power_task = kthread_run(kpowerswd, (void*)soft_power_reg,
+ KTHREAD_NAME);
+ if (IS_ERR(power_task)) {
diff --git a/queue-6.1/pm-devfreq-fix-buffer-overflow-in-trans_stat_show.patch b/queue-6.1/pm-devfreq-fix-buffer-overflow-in-trans_stat_show.patch
new file mode 100644
index 00000000000..d6bd4683940
--- /dev/null
+++ b/queue-6.1/pm-devfreq-fix-buffer-overflow-in-trans_stat_show.patch
@@ -0,0 +1,137 @@ +From 08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Tue, 24 Oct 2023 20:30:15 +0200 +Subject: PM / devfreq: Fix buffer overflow in trans_stat_show + +From: Christian Marangi + +commit 08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4 upstream. + +Fix buffer overflow in trans_stat_show(). + +Convert simple snprintf to the more secure scnprintf with size of +PAGE_SIZE. + +Add condition checking if we are exceeding PAGE_SIZE and exit early from +loop. Also add at the end a warning that we exceeded PAGE_SIZE and that +stats is disabled. + +Return -EFBIG in the case where we don't have enough space to write the +full transition table. + +Also document in the ABI that this function can return -EFBIG error. + +Link: https://lore.kernel.org/all/20231024183016.14648-2-ansuelsmth@gmail.com/ +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218041 +Fixes: e552bbaf5b98 ("PM / devfreq: Add sysfs node for representing frequency transition information.") +Signed-off-by: Christian Marangi +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/ABI/testing/sysfs-class-devfreq | 3 + + drivers/devfreq/devfreq.c | 59 +++++++++++++++++--------- + 2 files changed, 43 insertions(+), 19 deletions(-) + +--- a/Documentation/ABI/testing/sysfs-class-devfreq ++++ b/Documentation/ABI/testing/sysfs-class-devfreq +@@ -52,6 +52,9 @@ Description: + + echo 0 > /sys/class/devfreq/.../trans_stat + ++ If the transition table is bigger than PAGE_SIZE, reading ++ this will return an -EFBIG error. 
++ + What: /sys/class/devfreq/.../available_frequencies + Date: October 2012 + Contact: Nishanth Menon +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -1687,7 +1687,7 @@ static ssize_t trans_stat_show(struct de + struct device_attribute *attr, char *buf) + { + struct devfreq *df = to_devfreq(dev); +- ssize_t len; ++ ssize_t len = 0; + int i, j; + unsigned int max_state; + +@@ -1696,7 +1696,7 @@ static ssize_t trans_stat_show(struct de + max_state = df->max_state; + + if (max_state == 0) +- return sprintf(buf, "Not Supported.\n"); ++ return scnprintf(buf, PAGE_SIZE, "Not Supported.\n"); + + mutex_lock(&df->lock); + if (!df->stop_polling && +@@ -1706,31 +1706,52 @@ static ssize_t trans_stat_show(struct de + } + mutex_unlock(&df->lock); + +- len = sprintf(buf, " From : To\n"); +- len += sprintf(buf + len, " :"); +- for (i = 0; i < max_state; i++) +- len += sprintf(buf + len, "%10lu", +- df->freq_table[i]); ++ len += scnprintf(buf + len, PAGE_SIZE - len, " From : To\n"); ++ len += scnprintf(buf + len, PAGE_SIZE - len, " :"); ++ for (i = 0; i < max_state; i++) { ++ if (len >= PAGE_SIZE - 1) ++ break; ++ len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu", ++ df->freq_table[i]); ++ } ++ if (len >= PAGE_SIZE - 1) ++ return PAGE_SIZE - 1; + +- len += sprintf(buf + len, " time(ms)\n"); ++ len += scnprintf(buf + len, PAGE_SIZE - len, " time(ms)\n"); + + for (i = 0; i < max_state; i++) { ++ if (len >= PAGE_SIZE - 1) ++ break; + if (df->freq_table[i] == df->previous_freq) +- len += sprintf(buf + len, "*"); ++ len += scnprintf(buf + len, PAGE_SIZE - len, "*"); + else +- len += sprintf(buf + len, " "); +- +- len += sprintf(buf + len, "%10lu:", df->freq_table[i]); +- for (j = 0; j < max_state; j++) +- len += sprintf(buf + len, "%10u", +- df->stats.trans_table[(i * max_state) + j]); ++ len += scnprintf(buf + len, PAGE_SIZE - len, " "); ++ if (len >= PAGE_SIZE - 1) ++ break; ++ ++ len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu:", ++ df->freq_table[i]); 
++ for (j = 0; j < max_state; j++) { ++ if (len >= PAGE_SIZE - 1) ++ break; ++ len += scnprintf(buf + len, PAGE_SIZE - len, "%10u", ++ df->stats.trans_table[(i * max_state) + j]); ++ } ++ if (len >= PAGE_SIZE - 1) ++ break; ++ len += scnprintf(buf + len, PAGE_SIZE - len, "%10llu\n", (u64) ++ jiffies64_to_msecs(df->stats.time_in_state[i])); ++ } + +- len += sprintf(buf + len, "%10llu\n", (u64) +- jiffies64_to_msecs(df->stats.time_in_state[i])); ++ if (len < PAGE_SIZE - 1) ++ len += scnprintf(buf + len, PAGE_SIZE - len, "Total transition : %u\n", ++ df->stats.total_trans); ++ ++ if (len >= PAGE_SIZE - 1) { ++ pr_warn_once("devfreq transition table exceeds PAGE_SIZE. Disabling\n"); ++ return -EFBIG; + } + +- len += sprintf(buf + len, "Total transition : %u\n", +- df->stats.total_trans); + return len; + } + diff --git a/queue-6.1/pm-hibernate-enforce-ordering-during-image-compression-decompression.patch b/queue-6.1/pm-hibernate-enforce-ordering-during-image-compression-decompression.patch new file mode 100644 index 00000000000..f9cf90f90e9 --- /dev/null +++ b/queue-6.1/pm-hibernate-enforce-ordering-during-image-compression-decompression.patch 
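Review bot: The overflow check after the frequency-header loop in trans_stat_show() returns `PAGE_SIZE - 1`, which reports a truncated table as a successful read, while the check at the end returns `-EFBIG` and the ABI text added in the same patch promises `-EFBIG`. The early exit should be `return -EFBIG;`, or it can simply be deleted, because every later `scnprintf()` is already guarded and the final `if (len >= PAGE_SIZE - 1)` then reports the error. The `pr_warn_once()` text also says "Disabling", although nothing in the visible code disables the statistics. Part of the function lies between the hunks.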
@@ -0,0 +1,202 @@ +From 71cd7e80cfde548959952eac7063aeaea1f2e1c6 Mon Sep 17 00:00:00 2001 +From: Hongchen Zhang +Date: Thu, 16 Nov 2023 08:56:09 +0800 +Subject: PM: hibernate: Enforce ordering during image compression/decompression + +From: Hongchen Zhang + +commit 71cd7e80cfde548959952eac7063aeaea1f2e1c6 upstream. + +An S4 (suspend to disk) test on the LoongArch 3A6000 platform sometimes +fails with the following error messaged in the dmesg log: + + Invalid LZO compressed length + +That happens because when compressing/decompressing the image, the +synchronization between the control thread and the compress/decompress/crc +thread is based on a relaxed ordering interface, which is unreliable, and the +following situation may occur: + +CPU 0 CPU 1 +save_image_lzo lzo_compress_threadfn + atomic_set(&d->stop, 1); + atomic_read(&data[thr].stop) + data[thr].cmp = data[thr].cmp_len; + WRITE data[thr].cmp_len + +Then CPU0 gets a stale cmp_len and writes it to disk. During resume from S4, +wrong cmp_len is loaded. + +To maintain data consistency between the two threads, use the acquire/release +variants of atomic set and read operations. + +Fixes: 081a9d043c98 ("PM / Hibernate: Improve performance of LZO/plain hibernation, checksum image") +Cc: All applicable +Signed-off-by: Hongchen Zhang +Co-developed-by: Weihao Li +Signed-off-by: Weihao Li +[ rjw: Subject rewrite and changelog edits ] +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + kernel/power/swap.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -605,11 +605,11 @@ static int crc32_threadfn(void *data) + unsigned i; + + while (1) { +- wait_event(d->go, atomic_read(&d->ready) || ++ wait_event(d->go, atomic_read_acquire(&d->ready) || + kthread_should_stop()); + if (kthread_should_stop()) { + d->thr = NULL; +- atomic_set(&d->stop, 1); ++ atomic_set_release(&d->stop, 1); + wake_up(&d->done); + break; + } +@@ -618,7 +618,7 @@ static int crc32_threadfn(void *data) + for (i = 0; i < d->run_threads; i++) + *d->crc32 = crc32_le(*d->crc32, + d->unc[i], *d->unc_len[i]); +- atomic_set(&d->stop, 1); ++ atomic_set_release(&d->stop, 1); + wake_up(&d->done); + } + return 0; +@@ -648,12 +648,12 @@ static int lzo_compress_threadfn(void *d + struct cmp_data *d = data; + + while (1) { +- wait_event(d->go, atomic_read(&d->ready) || ++ wait_event(d->go, atomic_read_acquire(&d->ready) || + kthread_should_stop()); + if (kthread_should_stop()) { + d->thr = NULL; + d->ret = -1; +- atomic_set(&d->stop, 1); ++ atomic_set_release(&d->stop, 1); + wake_up(&d->done); + break; + } +@@ -662,7 +662,7 @@ static int lzo_compress_threadfn(void *d + d->ret = lzo1x_1_compress(d->unc, d->unc_len, + d->cmp + LZO_HEADER, &d->cmp_len, + d->wrk); +- atomic_set(&d->stop, 1); ++ atomic_set_release(&d->stop, 1); + wake_up(&d->done); + } + return 0; +@@ -797,7 +797,7 @@ static int save_image_lzo(struct swap_ma + + data[thr].unc_len = off; + +- atomic_set(&data[thr].ready, 1); ++ atomic_set_release(&data[thr].ready, 1); + wake_up(&data[thr].go); + } + +@@ -805,12 +805,12 @@ static int save_image_lzo(struct swap_ma + break; + + crc->run_threads = thr; +- atomic_set(&crc->ready, 1); ++ atomic_set_release(&crc->ready, 1); + wake_up(&crc->go); + + for (run_threads = thr, thr = 0; thr < run_threads; thr++) { + wait_event(data[thr].done, +- 
atomic_read(&data[thr].stop)); ++ atomic_read_acquire(&data[thr].stop)); + atomic_set(&data[thr].stop, 0); + + ret = data[thr].ret; +@@ -849,7 +849,7 @@ static int save_image_lzo(struct swap_ma + } + } + +- wait_event(crc->done, atomic_read(&crc->stop)); ++ wait_event(crc->done, atomic_read_acquire(&crc->stop)); + atomic_set(&crc->stop, 0); + } + +@@ -1131,12 +1131,12 @@ static int lzo_decompress_threadfn(void + struct dec_data *d = data; + + while (1) { +- wait_event(d->go, atomic_read(&d->ready) || ++ wait_event(d->go, atomic_read_acquire(&d->ready) || + kthread_should_stop()); + if (kthread_should_stop()) { + d->thr = NULL; + d->ret = -1; +- atomic_set(&d->stop, 1); ++ atomic_set_release(&d->stop, 1); + wake_up(&d->done); + break; + } +@@ -1149,7 +1149,7 @@ static int lzo_decompress_threadfn(void + flush_icache_range((unsigned long)d->unc, + (unsigned long)d->unc + d->unc_len); + +- atomic_set(&d->stop, 1); ++ atomic_set_release(&d->stop, 1); + wake_up(&d->done); + } + return 0; +@@ -1334,7 +1334,7 @@ static int load_image_lzo(struct swap_ma + } + + if (crc->run_threads) { +- wait_event(crc->done, atomic_read(&crc->stop)); ++ wait_event(crc->done, atomic_read_acquire(&crc->stop)); + atomic_set(&crc->stop, 0); + crc->run_threads = 0; + } +@@ -1370,7 +1370,7 @@ static int load_image_lzo(struct swap_ma + pg = 0; + } + +- atomic_set(&data[thr].ready, 1); ++ atomic_set_release(&data[thr].ready, 1); + wake_up(&data[thr].go); + } + +@@ -1389,7 +1389,7 @@ static int load_image_lzo(struct swap_ma + + for (run_threads = thr, thr = 0; thr < run_threads; thr++) { + wait_event(data[thr].done, +- atomic_read(&data[thr].stop)); ++ atomic_read_acquire(&data[thr].stop)); + atomic_set(&data[thr].stop, 0); + + ret = data[thr].ret; +@@ -1420,7 +1420,7 @@ static int load_image_lzo(struct swap_ma + ret = snapshot_write_next(snapshot); + if (ret <= 0) { + crc->run_threads = thr + 1; +- atomic_set(&crc->ready, 1); ++ atomic_set_release(&crc->ready, 1); + wake_up(&crc->go); + goto 
out_finish; + } +@@ -1428,13 +1428,13 @@ static int load_image_lzo(struct swap_ma + } + + crc->run_threads = thr; +- atomic_set(&crc->ready, 1); ++ atomic_set_release(&crc->ready, 1); + wake_up(&crc->go); + } + + out_finish: + if (crc->run_threads) { +- wait_event(crc->done, atomic_read(&crc->stop)); ++ wait_event(crc->done, atomic_read_acquire(&crc->stop)); + atomic_set(&crc->stop, 0); + } + stop = ktime_get(); diff --git a/queue-6.1/rpmsg-virtio-free-driver_override-when-rpmsg_remove.patch b/queue-6.1/rpmsg-virtio-free-driver_override-when-rpmsg_remove.patch new file mode 100644 index 00000000000..d03bc3ca970 --- /dev/null +++ b/queue-6.1/rpmsg-virtio-free-driver_override-when-rpmsg_remove.patch 
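Review bot: None of the new `atomic_set_release()` / `atomic_read_acquire()` calls in kernel/power/swap.c says which access it pairs with, so the ordering contract that this fix establishes is visible only in the commit message. Each site should carry a short pairing comment, for example `/* pairs with atomic_read_acquire(&d->ready) in the worker thread */` at the `ready` stores and `/* pairs with atomic_set_release(&d->stop, 1) in the worker thread */` at the `stop` waits. The resets `atomic_set(&data[thr].stop, 0)` and `atomic_set(&crc->stop, 0)` stay relaxed, and a comment saying that this is intentional would stop a later reader from converting them as well. All of the touched functions start and end outside their hunks.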
@@ -0,0 +1,55 @@
+From d5362c37e1f8a40096452fc201c30e705750e687 Mon Sep 17 00:00:00 2001
+From: Xiaolei Wang
+Date: Fri, 15 Dec 2023 10:00:49 +0800
+Subject: rpmsg: virtio: Free driver_override when rpmsg_remove()
+
+From: Xiaolei Wang
+
+commit d5362c37e1f8a40096452fc201c30e705750e687 upstream.
+
+Free driver_override when rpmsg_remove(), otherwise
+the following memory leak will occur:
+
+unreferenced object 0xffff0000d55d7080 (size 128):
+ comm "kworker/u8:2", pid 56, jiffies 4294893188 (age 214.272s)
+ hex dump (first 32 bytes):
+ 72 70 6d 73 67 5f 6e 73 00 00 00 00 00 00 00 00 rpmsg_ns........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000009c94c9c1>] __kmem_cache_alloc_node+0x1f8/0x320
+ [<000000002300d89b>] __kmalloc_node_track_caller+0x44/0x70
+ [<00000000228a60c3>] kstrndup+0x4c/0x90
+ [<0000000077158695>] driver_set_override+0xd0/0x164
+ [<000000003e9c4ea5>] rpmsg_register_device_override+0x98/0x170
+ [<000000001c0c89a8>] rpmsg_ns_register_device+0x24/0x30
+ [<000000008bbf8fa2>] rpmsg_probe+0x2e0/0x3ec
+ [<00000000e65a68df>] virtio_dev_probe+0x1c0/0x280
+ [<00000000443331cc>] really_probe+0xbc/0x2dc
+ [<00000000391064b1>] __driver_probe_device+0x78/0xe0
+ [<00000000a41c9a5b>] driver_probe_device+0xd8/0x160
+ [<000000009c3bd5df>] __device_attach_driver+0xb8/0x140
+ [<0000000043cd7614>] bus_for_each_drv+0x7c/0xd4
+ [<000000003b929a36>] __device_attach+0x9c/0x19c
+ [<00000000a94e0ba8>] device_initial_probe+0x14/0x20
+ [<000000003c999637>] bus_probe_device+0xa0/0xac
+
+Signed-off-by: Xiaolei Wang
+Fixes: b0b03b811963 ("rpmsg: Release rpmsg devices in backends")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231215020049.78750-1-xiaolei.wang@windriver.com
+Signed-off-by: Mathieu Poirier
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rpmsg/virtio_rpmsg_bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/rpmsg/virtio_rpmsg_bus.c
++++ b/drivers/rpmsg/virtio_rpmsg_bus.c
+@@ -378,6 +378,7 @@ static void virtio_rpmsg_release_device(
+ struct rpmsg_device *rpdev = to_rpmsg_device(dev);
+ struct virtio_rpmsg_channel *vch = to_virtio_rpmsg_channel(rpdev);
+
++ kfree(rpdev->driver_override);
+ kfree(vch);
+ }
+
diff --git a/queue-6.1/s390-vfio-ap-always-filter-entire-ap-matrix.patch b/queue-6.1/s390-vfio-ap-always-filter-entire-ap-matrix.patch
new file mode 100644
index 00000000000..89d6435949f
--- /dev/null
+++ b/queue-6.1/s390-vfio-ap-always-filter-entire-ap-matrix.patch
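Review bot: The added `kfree(rpdev->driver_override);` in virtio_rpmsg_release_device() is only correct while it stays ahead of `kfree(vch);`, and nothing in the function records that. `vch` is derived from `rpdev` through `to_virtio_rpmsg_channel(rpdev)`, which suggests rpdev lives inside the vch allocation (the macro itself is not visible in the hunk), so swapping the two frees would read freed memory. A short comment above the new line would pin the ordering: `/* rpdev is part of vch: release driver_override before freeing vch */`. The function's signature is truncated in the hunk header; the rest of its body is visible.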
@@ -0,0 +1,183 @@
+From 850fb7fa8c684a4c6bf0e4b6978f4ddcc5d43d11 Mon Sep 17 00:00:00 2001
+From: Tony Krowiak
+Date: Mon, 15 Jan 2024 13:54:31 -0500
+Subject: s390/vfio-ap: always filter entire AP matrix
+
+From: Tony Krowiak
+
+commit 850fb7fa8c684a4c6bf0e4b6978f4ddcc5d43d11 upstream.
+
+The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or
+domain is assigned to the mdev. The purpose of the function is to update
+the guest's AP configuration by filtering the matrix of adapters and
+domains assigned to the mdev. When an adapter or domain is assigned, only
+the APQNs associated with the APID of the new adapter or APQI of the new
+domain are inspected. If an APQN does not reference a queue device bound to
+the vfio_ap device driver, then it's APID will be filtered from the mdev's
+matrix when updating the guest's AP configuration.
+
+Inspecting only the APID of the new adapter or APQI of the new domain will
+result in passing AP queues through to a guest that are not bound to the
+vfio_ap device driver under certain circumstances. Consider the following:
+
+guest's AP configuration (all also assigned to the mdev's matrix):
+14.0004
+14.0005
+14.0006
+16.0004
+16.0005
+16.0006
+
+unassign domain 4
+unbind queue 16.0005
+assign domain 4
+
+When domain 4 is re-assigned, since only domain 4 will be inspected, the
+APQNs that will be examined will be:
+14.0004
+16.0004
+
+Since both of those APQNs reference queue devices that are bound to the
+vfio_ap device driver, nothing will get filtered from the mdev's matrix
+when updating the guest's AP configuration. Consequently, queue 16.0005
+will get passed through despite not being bound to the driver. This
+violates the linux device model requirement that a guest shall only be
+given access to devices bound to the device driver facilitating their
+pass-through.
+
+To resolve this problem, every adapter and domain assigned to the mdev will
+be inspected when filtering the mdev's matrix.
+
+Signed-off-by: Tony Krowiak
+Acked-by: Halil Pasic
+Fixes: 48cae940c31d ("s390/vfio-ap: refresh guest's APCB by filtering AP resources assigned to mdev")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240115185441.31526-2-akrowiak@linux.ibm.com
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/vfio_ap_ops.c | 57 +++++++++++---------------------------
+ 1 file changed, 17 insertions(+), 40 deletions(-)
+
+--- a/drivers/s390/crypto/vfio_ap_ops.c
++++ b/drivers/s390/crypto/vfio_ap_ops.c
+@@ -639,8 +639,7 @@ static bool vfio_ap_mdev_filter_cdoms(st
+ * Return: a boolean value indicating whether the KVM guest's APCB was changed
+ * by the filtering or not.
+ */
+-static bool vfio_ap_mdev_filter_matrix(unsigned long *apm, unsigned long *aqm,
+- struct ap_matrix_mdev *matrix_mdev)
++static bool vfio_ap_mdev_filter_matrix(struct ap_matrix_mdev *matrix_mdev)
+ {
+ unsigned long apid, apqi, apqn;
+ DECLARE_BITMAP(prev_shadow_apm, AP_DEVICES);
+@@ -661,8 +660,8 @@ static bool vfio_ap_mdev_filter_matrix(u
+ bitmap_and(matrix_mdev->shadow_apcb.aqm, matrix_mdev->matrix.aqm,
+ (unsigned long *)matrix_dev->info.aqm, AP_DOMAINS);
+
+- for_each_set_bit_inv(apid, apm, AP_DEVICES) {
+- for_each_set_bit_inv(apqi, aqm, AP_DOMAINS) {
++ for_each_set_bit_inv(apid, matrix_mdev->matrix.apm, AP_DEVICES) {
++ for_each_set_bit_inv(apqi, matrix_mdev->matrix.aqm, AP_DOMAINS) {
+ /*
+ * If the APQN is not bound to the vfio_ap device
+ * driver, then we can't assign it to the guest's
+@@ -931,7 +930,6 @@ static ssize_t assign_adapter_store(stru
+ {
+ int ret;
+ unsigned long apid;
+- DECLARE_BITMAP(apm_delta, AP_DEVICES);
+ struct ap_matrix_mdev *matrix_mdev = dev_get_drvdata(dev);
+
+ mutex_lock(&ap_perms_mutex);
+@@ -960,11 +958,8 @@ static ssize_t assign_adapter_store(stru
+ }
+
+ vfio_ap_mdev_link_adapter(matrix_mdev, apid);
+- memset(apm_delta, 0, sizeof(apm_delta));
+- set_bit_inv(apid, apm_delta);
+
+- if (vfio_ap_mdev_filter_matrix(apm_delta,
+- matrix_mdev->matrix.aqm, matrix_mdev))
++ if (vfio_ap_mdev_filter_matrix(matrix_mdev))
+ vfio_ap_mdev_update_guest_apcb(matrix_mdev);
+
+ ret = count;
+@@ -1140,7 +1135,6 @@ static ssize_t assign_domain_store(struc
+ {
+ int ret;
+ unsigned long apqi;
+- DECLARE_BITMAP(aqm_delta, AP_DOMAINS);
+ struct ap_matrix_mdev *matrix_mdev = dev_get_drvdata(dev);
+
+ mutex_lock(&ap_perms_mutex);
+@@ -1169,11 +1163,8 @@ static ssize_t assign_domain_store(struc
+ }
+
+ vfio_ap_mdev_link_domain(matrix_mdev, apqi);
+- memset(aqm_delta, 0, sizeof(aqm_delta));
+- set_bit_inv(apqi, aqm_delta);
+
+- if (vfio_ap_mdev_filter_matrix(matrix_mdev->matrix.apm, aqm_delta,
+- matrix_mdev))
++ if (vfio_ap_mdev_filter_matrix(matrix_mdev))
+ vfio_ap_mdev_update_guest_apcb(matrix_mdev);
+
+ ret = count;
+@@ -1859,9 +1850,7 @@ int vfio_ap_mdev_probe_queue(struct ap_d
+ if (matrix_mdev) {
+ vfio_ap_mdev_link_queue(matrix_mdev, q);
+
+- if (vfio_ap_mdev_filter_matrix(matrix_mdev->matrix.apm,
+- matrix_mdev->matrix.aqm,
+- matrix_mdev))
++ if (vfio_ap_mdev_filter_matrix(matrix_mdev))
+ vfio_ap_mdev_update_guest_apcb(matrix_mdev);
+ }
+ dev_set_drvdata(&apdev->device, q);
+@@ -2212,34 +2201,22 @@ void vfio_ap_on_cfg_changed(struct ap_co
+
+ static void vfio_ap_mdev_hot_plug_cfg(struct ap_matrix_mdev *matrix_mdev)
+ {
+- bool do_hotplug = false;
+- int filter_domains = 0;
+- int filter_adapters = 0;
+- DECLARE_BITMAP(apm, AP_DEVICES);
+- DECLARE_BITMAP(aqm, AP_DOMAINS);
++ bool filter_domains, filter_adapters, filter_cdoms, do_hotplug = false;
+
+ mutex_lock(&matrix_mdev->kvm->lock);
+ mutex_lock(&matrix_dev->mdevs_lock);
+
+- filter_adapters = bitmap_and(apm, matrix_mdev->matrix.apm,
+- matrix_mdev->apm_add, AP_DEVICES);
+- filter_domains = bitmap_and(aqm, matrix_mdev->matrix.aqm,
+- matrix_mdev->aqm_add, AP_DOMAINS);
+-
+- if (filter_adapters && filter_domains)
+- do_hotplug |= vfio_ap_mdev_filter_matrix(apm, aqm, matrix_mdev);
+- else if (filter_adapters)
+- do_hotplug |=
+- vfio_ap_mdev_filter_matrix(apm,
+- matrix_mdev->shadow_apcb.aqm,
+- matrix_mdev);
+- else
+- do_hotplug |=
+- vfio_ap_mdev_filter_matrix(matrix_mdev->shadow_apcb.apm,
+- aqm, matrix_mdev);
++ filter_adapters = bitmap_intersects(matrix_mdev->matrix.apm,
++ matrix_mdev->apm_add, AP_DEVICES);
++ filter_domains = bitmap_intersects(matrix_mdev->matrix.aqm,
++ matrix_mdev->aqm_add, AP_DOMAINS);
++ filter_cdoms = bitmap_intersects(matrix_mdev->matrix.adm,
++ matrix_mdev->adm_add, AP_DOMAINS);
++
++ if (filter_adapters || filter_domains)
++ do_hotplug = vfio_ap_mdev_filter_matrix(matrix_mdev);
+
+- if (bitmap_intersects(matrix_mdev->matrix.adm, matrix_mdev->adm_add,
+- AP_DOMAINS))
++ if (filter_cdoms)
+ do_hotplug |= vfio_ap_mdev_filter_cdoms(matrix_mdev);
+
+ if (do_hotplug)
diff --git a/queue-6.1/s390-vfio-ap-let-on_scan_complete-callback-filter-matrix-and-update-guest-s-apcb.patch b/queue-6.1/s390-vfio-ap-let-on_scan_complete-callback-filter-matrix-and-update-guest-s-apcb.patch
new file mode 100644
index 00000000000..54d126ff4e9
--- /dev/null
+++ b/queue-6.1/s390-vfio-ap-let-on_scan_complete-callback-filter-matrix-and-update-guest-s-apcb.patch
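Review bot: The loop in vfio_ap_mdev_filter_matrix() now walks `matrix_mdev->matrix.apm` and `matrix_mdev->matrix.aqm` for every caller, but the code carries no comment explaining why a narrower bitmap is not enough, which makes the delta-based shortcut easy to reintroduce later as an optimisation. The commit message gives the reason: a queue unbound while its domain was unassigned is missed when only the re-assigned domain is inspected, and the guest then receives a queue that is not bound to vfio_ap. I would record that above the outer `for_each_set_bit_inv` as `/* Inspect every assigned APID/APQI, not only the new one: a queue unbound in the meantime must still be filtered. */`. The function body continues outside the hunk on both sides of the loop.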
@@ -0,0 +1,67 @@
+From 774d10196e648e2c0b78da817f631edfb3dfa557 Mon Sep 17 00:00:00 2001
+From: Tony Krowiak
+Date: Mon, 15 Jan 2024 13:54:33 -0500
+Subject: s390/vfio-ap: let on_scan_complete() callback filter matrix and update guest's APCB
+
+From: Tony Krowiak
+
+commit 774d10196e648e2c0b78da817f631edfb3dfa557 upstream.
+
+When adapters and/or domains are added to the host's AP configuration, this
+may result in multiple queue devices getting created and probed by the
+vfio_ap device driver. For each queue device probed, the matrix of adapters
+and domains assigned to a matrix mdev will be filtered to update the
+guest's APCB. If any adapters or domains get added to or removed from the
+APCB, the guest's AP configuration will be dynamically updated (i.e., hot
+plug/unplug). To dynamically update the guest's configuration, its VCPUs
+must be taken out of SIE for the period of time it takes to make the
+update. This is disruptive to the guest's operation and if there are many
+queues probed due to a change in the host's AP configuration, this could be
+troublesome. The problem is exacerbated by the fact that the
+'on_scan_complete' callback also filters the mdev's matrix and updates
+the guest's AP configuration.
+
+In order to reduce the potential amount of disruption to the guest that may
+result from a change to the host's AP configuration, let's bypass the
+filtering of the matrix and updating of the guest's AP configuration in the
+probe callback - if due to a host config change - and defer it until the
+'on_scan_complete' callback is invoked after the AP bus finishes its device
+scan operation. This way the filtering and updating will be performed only
+once regardless of the number of queues added.
+
+Signed-off-by: Tony Krowiak
+Reviewed-by: Halil Pasic
+Fixes: 48cae940c31d ("s390/vfio-ap: refresh guest's APCB by filtering AP resources assigned to mdev")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240115185441.31526-4-akrowiak@linux.ibm.com
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/vfio_ap_ops.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/s390/crypto/vfio_ap_ops.c
++++ b/drivers/s390/crypto/vfio_ap_ops.c
+@@ -1851,9 +1851,22 @@ int vfio_ap_mdev_probe_queue(struct ap_d
+ if (matrix_mdev) {
+ vfio_ap_mdev_link_queue(matrix_mdev, q);
+
++ /*
++ * If we're in the process of handling the adding of adapters or
++ * domains to the host's AP configuration, then let the
++ * vfio_ap device driver's on_scan_complete callback filter the
++ * matrix and update the guest's AP configuration after all of
++ * the new queue devices are probed.
++ */
++ if (!bitmap_empty(matrix_mdev->apm_add, AP_DEVICES) ||
++ !bitmap_empty(matrix_mdev->aqm_add, AP_DOMAINS))
++ goto done;
++
+ if (vfio_ap_mdev_filter_matrix(matrix_mdev))
+ vfio_ap_mdev_update_guest_apcb(matrix_mdev);
+ }
++
++done:
+ dev_set_drvdata(&apdev->device, q);
+ release_update_locks_for_mdev(matrix_mdev);
+
diff --git a/queue-6.1/s390-vfio-ap-loop-over-the-shadow-apcb-when-filtering-guest-s-ap-configuration.patch b/queue-6.1/s390-vfio-ap-loop-over-the-shadow-apcb-when-filtering-guest-s-ap-configuration.patch
new file mode 100644
index 00000000000..270ae63f4b8
--- /dev/null
+++ b/queue-6.1/s390-vfio-ap-loop-over-the-shadow-apcb-when-filtering-guest-s-ap-configuration.patch
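Review bot: The new `goto done` in vfio_ap_mdev_probe_queue() skips filtering whenever `apm_add` or `aqm_add` is non-empty, so the probe path now depends on those bitmaps being cleared once the bus scan has finished; where that happens is outside this hunk. If either bitmap were left set, every later probe would link the queue but never refresh the guest's APCB. The skipped path leaves the APCB as it was, so the guest should not gain a queue this way, but the dependency deserves a line in the added comment, for example `* apm_add/aqm_add must be cleared after on_scan_complete runs, or probes stop filtering.`. The function starts before the hunk and continues after it.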
@@ -0,0 +1,56 @@
+From 16fb78cbf56e42b8efb2682a4444ab59e32e7959 Mon Sep 17 00:00:00 2001
+From: Tony Krowiak
+Date: Mon, 15 Jan 2024 13:54:32 -0500
+Subject: s390/vfio-ap: loop over the shadow APCB when filtering guest's AP configuration
+
+From: Tony Krowiak
+
+commit 16fb78cbf56e42b8efb2682a4444ab59e32e7959 upstream.
+
+While filtering the mdev matrix, it doesn't make sense - and will have
+unexpected results - to filter an APID from the matrix if the APID or one
+of the associated APQIs is not in the host's AP configuration. There are
+two reasons for this:
+
+1. An adapter or domain that is not in the host's AP configuration can be
+ assigned to the matrix; this is known as over-provisioning. Queue
+ devices, however, are only created for adapters and domains in the
+ host's AP configuration, so there will be no queues associated with an
+ over-provisioned adapter or domain to filter.
+
+2. The adapter or domain may have been externally removed from the host's
+ configuration via an SE or HMC attached to a DPM enabled LPAR. In this
+ case, the vfio_ap device driver would have been notified by the AP bus
+ via the on_config_changed callback and the adapter or domain would
+ have already been filtered.
+
+Since the matrix_mdev->shadow_apcb.apm and matrix_mdev->shadow_apcb.aqm are
+copied from the mdev matrix sans the APIDs and APQIs not in the host's AP
+configuration, let's loop over those bitmaps instead of those assigned to
+the matrix.
+
+Signed-off-by: Tony Krowiak
+Reviewed-by: Halil Pasic
+Fixes: 48cae940c31d ("s390/vfio-ap: refresh guest's APCB by filtering AP resources assigned to mdev")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240115185441.31526-3-akrowiak@linux.ibm.com
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/vfio_ap_ops.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/crypto/vfio_ap_ops.c
++++ b/drivers/s390/crypto/vfio_ap_ops.c
+@@ -660,8 +660,9 @@ static bool vfio_ap_mdev_filter_matrix(s
+ bitmap_and(matrix_mdev->shadow_apcb.aqm, matrix_mdev->matrix.aqm,
+ (unsigned long *)matrix_dev->info.aqm, AP_DOMAINS);
+
+- for_each_set_bit_inv(apid, matrix_mdev->matrix.apm, AP_DEVICES) {
+- for_each_set_bit_inv(apqi, matrix_mdev->matrix.aqm, AP_DOMAINS) {
++ for_each_set_bit_inv(apid, matrix_mdev->shadow_apcb.apm, AP_DEVICES) {
++ for_each_set_bit_inv(apqi, matrix_mdev->shadow_apcb.aqm,
++ AP_DOMAINS) {
+ /*
+ * If the APQN is not bound to the vfio_ap device
+ * driver, then we can't assign it to the guest's
diff --git a/queue-6.1/s390-vfio-ap-unpin-pages-on-gisc-registration-failure.patch b/queue-6.1/s390-vfio-ap-unpin-pages-on-gisc-registration-failure.patch
new file mode 100644
index 00000000000..4d05d5b1550
--- /dev/null
+++ b/queue-6.1/s390-vfio-ap-unpin-pages-on-gisc-registration-failure.patch
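Review bot: The outer `for_each_set_bit_inv` now iterates `matrix_mdev->shadow_apcb.apm`, which is presumably the same bitmap the filtering edits; the loop body lies outside the hunk, so this is inferred from the context comment and the commit message rather than seen. If the body clears the current APID's bit there, the iteration should stay well defined because the next search starts after the current position, but that is worth stating so nobody later changes other bits from inside the loop. Suggested comment above the loop: `/* The body may clear the current APID in shadow_apcb.apm; the iterator resumes after it. */`.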
@@ -0,0 +1,39 @@
+From 7b2d039da622daa9ba259ac6f38701d542b237c3 Mon Sep 17 00:00:00 2001
+From: Anthony Krowiak
+Date: Thu, 9 Nov 2023 11:44:20 -0500
+Subject: s390/vfio-ap: unpin pages on gisc registration failure
+
+From: Anthony Krowiak
+
+commit 7b2d039da622daa9ba259ac6f38701d542b237c3 upstream.
+
+In the vfio_ap_irq_enable function, after the page containing the
+notification indicator byte (NIB) is pinned, the function attempts
+to register the guest ISC. If registration fails, the function sets the
+status response code and returns without unpinning the page containing
+the NIB. In order to avoid a memory leak, the NIB should be unpinned before
+returning from the vfio_ap_irq_enable function.
+
+Co-developed-by: Janosch Frank
+Signed-off-by: Janosch Frank
+Signed-off-by: Anthony Krowiak
+Reviewed-by: Matthew Rosato
+Fixes: 783f0a3ccd79 ("s390/vfio-ap: add s390dbf logging to the vfio_ap_irq_enable function")
+Cc:
+Link: https://lore.kernel.org/r/20231109164427.460493-2-akrowiak@linux.ibm.com
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/vfio_ap_ops.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/crypto/vfio_ap_ops.c
++++ b/drivers/s390/crypto/vfio_ap_ops.c
+@@ -425,6 +425,7 @@ static struct ap_queue_status vfio_ap_ir
+ VFIO_AP_DBF_WARN("%s: gisc registration failed: nisc=%d, isc=%d, apqn=%#04x\n",
+ __func__, nisc, isc, q->apqn);
+
++ vfio_unpin_pages(&q->matrix_mdev->vdev, nib, 1);
+ status.response_code = AP_RESPONSE_INVALID_GISA;
+ return status;
+ }
diff --git a/queue-6.1/series b/queue-6.1/series
index d84c9b7bd82..7ebddb2e763 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
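Review bot: The `vfio_unpin_pages(&q->matrix_mdev->vdev, nib, 1);` call is added inline in the gisc-registration failure branch only, so the pin taken earlier in vfio_ap_irq_enable() is released by whichever branch remembers to do it. The rest of the function is outside the hunk, so whether other early returns after the pin have the same gap cannot be checked from here; they are worth a look before relying on this fix alone. At minimum a comment on the new line would tie it to the pin: `/* drop the NIB pin taken above before bailing out */`.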
@@ -4,6 +4,34 @@ usb-dwc3-gadget-handle-ep0-request-dequeuing-properl.patch
 revert-nsvm-check-for-reserved-encodings-of-tlb_cont.patch
 iio-adc-ad7091r-set-alert-bit-in-config-register.patch
 iio-adc-ad7091r-allow-users-to-configure-device-even.patch
+ext4-allow-for-the-last-group-to-be-marked-as-trimmed.patch
+arm64-properly-install-vmlinuz.efi.patch
+opp-pass-rounded-rate-to-_set_opp.patch
+btrfs-sysfs-validate-scrub_speed_max-value.patch
+crypto-api-disallow-identical-driver-names.patch
+pm-hibernate-enforce-ordering-during-image-compression-decompression.patch
+hwrng-core-fix-page-fault-dead-lock-on-mmap-ed-hwrng.patch
+crypto-s390-aes-fix-buffer-overread-in-ctr-mode.patch
+s390-vfio-ap-unpin-pages-on-gisc-registration-failure.patch
+pm-devfreq-fix-buffer-overflow-in-trans_stat_show.patch
+media-imx355-enable-runtime-pm-before-registering-async-sub-device.patch
+rpmsg-virtio-free-driver_override-when-rpmsg_remove.patch
+media-ov9734-enable-runtime-pm-before-registering-async-sub-device.patch
+s390-vfio-ap-always-filter-entire-ap-matrix.patch
+s390-vfio-ap-loop-over-the-shadow-apcb-when-filtering-guest-s-ap-configuration.patch
+s390-vfio-ap-let-on_scan_complete-callback-filter-matrix-and-update-guest-s-apcb.patch
+mips-fix-max_mapnr-being-uninitialized-on-early-stages.patch
+bus-mhi-host-add-alignment-check-for-event-ring-read-pointer.patch
+bus-mhi-host-drop-chan-lock-before-queuing-buffers.patch
+bus-mhi-host-add-spinlock-to-protect-wp-access-when-queueing-tres.patch
+parisc-firmware-fix-f-extend-for-pdc-addresses.patch
+parisc-power-fix-power-soft-off-button-emulation-on-qemu.patch
+async-split-async_schedule_node_domain.patch
+async-introduce-async_schedule_dev_nocall.patch
 iio-adc-ad7091r-enable-internal-vref-if-external-vre.patch
 dmaengine-fix-null-pointer-in-channel-unregistration.patch
 scsi-ufs-core-remove-the-ufshcd_hba_exit-call-from-u.patch
+arm64-dts-qcom-sc7180-fix-usb-wakeup-interrupt-types.patch
+arm64-dts-qcom-sdm845-fix-usb-wakeup-interrupt-types.patch
+arm64-dts-qcom-sm8150-fix-usb-wakeup-interrupt-types.patch
+arm64-dts-qcom-sc7280-fix-usb_1-wakeup-interrupt-types.patch
--
2.47.3