From 6252fa70db3f8d5ac71334ad5d4854ddff78a785 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 3 Dec 2023 15:07:05 -0500 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...-kconfig-add-a-choice-for-endianness.patch | 63 ++++++++ ...ig_endian-depend-on-ld.bfd-or-ld.lld.patch | 59 +++++++ ...pu_big_endian-to-gnu-as-or-llvm-ias-.patch | 94 +++++++++++ ...n-t-disable-792-mhz-opp-unnecessaril.patch | 49 ++++++ ...n-t-warn-for-disabling-a-non-existin.patch | 93 +++++++++++ ...te-performance-with-disabled-delallo.patch | 47 ++++++ ...-new-if-it-is-unwritten-to-avoid-sta.patch | 145 +++++++++++++++++ ...-the-sti-next-font-pointer-a-32-bit-.patch | 39 +++++ ...t-mutex-to-avoid-lockdep-false-posit.patch | 117 ++++++++++++++ ...-changes-to-the-backing-overlay-file.patch | 110 +++++++++++++ ...fcnt-uaf-issue-when-receiving-igmp-q.patch | 114 ++++++++++++++ ...d-cfi_cmdset_0001-byte-swap-otp-info.patch | 80 ++++++++++ ...001-support-the-absence-of-protectio.patch | 80 ++++++++++ ...x-queues-after-hw-initialization-suc.patch | 46 ++++++ ...t-ravb-use-pm_runtime_resume_and_get.patch | 48 ++++++ ...mac-xgmac-disable-fpe-mmc-interrupts.patch | 54 +++++++ ...overlayfs-superblocks-at-global-sync.patch | 84 ++++++++++ ...l-pt-adjust-sample-flags-for-vm-exit.patch | 54 +++++++ ...perf-intel-pt-fix-async-branch-flags.patch | 42 +++++ ...etween-ravb_tx_timeout_work-and-net-.patch | 79 ++++++++++ ...s390-cmma-fix-detection-of-dat-pages.patch | 67 ++++++++ ...-vs-virt-confusion-in-mark_kernel_px.patch | 65 ++++++++ ...ntroduce-the-scsi_cmd_to_rq-function.patch | 54 +++++++ ...-system-crash-due-to-bad-pointer-acc.patch | 77 +++++++++ ...plify-the-code-for-aborting-scsi-com.patch | 148 ++++++++++++++++++ ...-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch | 46 ++++++ queue-5.4/series | 27 ++++ queue-5.4/smb3-fix-touch-h-of-symlink.patch | 40 +++++ 28 files changed, 2021 insertions(+) create mode 100644 queue-5.4/arm64-kconfig-add-a-choice-for-endianness.patch create mode 100644 queue-5.4/arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch create mode 100644 queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch create mode 100644 queue-5.4/cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch create mode 100644 queue-5.4/cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch create mode 100644 queue-5.4/ext4-improve-write-performance-with-disabled-delallo.patch create mode 100644 queue-5.4/ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch create mode 100644 queue-5.4/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch create mode 100644 queue-5.4/ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch create mode 100644 queue-5.4/ima-detect-changes-to-the-backing-overlay-file.patch create mode 100644 queue-5.4/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch create mode 100644 queue-5.4/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch create mode 100644 queue-5.4/mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch create mode 100644 queue-5.4/net-ravb-start-tx-queues-after-hw-initialization-suc.patch create mode 100644 queue-5.4/net-ravb-use-pm_runtime_resume_and_get.patch create mode 100644 queue-5.4/net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch create mode 100644 queue-5.4/ovl-skip-overlayfs-superblocks-at-global-sync.patch create mode 100644 queue-5.4/perf-intel-pt-adjust-sample-flags-for-vm-exit.patch create mode 100644 queue-5.4/perf-intel-pt-fix-async-branch-flags.patch create mode 100644 queue-5.4/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch create mode 100644 queue-5.4/s390-cmma-fix-detection-of-dat-pages.patch create mode 100644 queue-5.4/s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch create mode 100644 queue-5.4/scsi-core-introduce-the-scsi_cmd_to_rq-function.patch create mode 100644 queue-5.4/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch create mode 100644 queue-5.4/scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch create mode 100644 queue-5.4/scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch create mode 100644 queue-5.4/smb3-fix-touch-h-of-symlink.patch diff --git a/queue-5.4/arm64-kconfig-add-a-choice-for-endianness.patch b/queue-5.4/arm64-kconfig-add-a-choice-for-endianness.patch new file mode 100644 index 00000000000..434ab5d0d92 --- /dev/null +++ b/queue-5.4/arm64-kconfig-add-a-choice-for-endianness.patch @@ -0,0 +1,63 @@ +From 7804e84316eab278104f4a13bdc6a519fcef4ab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 10:26:52 +0100 +Subject: arm64: Kconfig: add a choice for endianness + +From: Anders Roxell + +[ Upstream commit d8e85e144bbe12e8d82c6b05d690a34da62cc991 ] + +When building allmodconfig KCONFIG_ALLCONFIG=$(pwd)/arch/arm64/configs/defconfig +CONFIG_CPU_BIG_ENDIAN gets enabled. Which tends not to be what most +people want. Another concern that has come up is that ACPI isn't built +for an allmodconfig kernel today since that also depends on !CPU_BIG_ENDIAN. + +Rework so that we introduce a 'choice' and default the choice to +CPU_LITTLE_ENDIAN. That means that when we build an allmodconfig kernel +it will default to CPU_LITTLE_ENDIAN that most people tends to want. + +Reviewed-by: John Garry +Acked-by: Will Deacon +Signed-off-by: Anders Roxell +Signed-off-by: Catalin Marinas +Stable-dep-of: 146a15b87335 ("arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer") +Signed-off-by: Sasha Levin +--- + arch/arm64/Kconfig | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 384b1bf56667c..185262e0e1da3 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -877,10 +877,26 @@ config ARM64_PA_BITS + default 48 if ARM64_PA_BITS_48 + default 52 if ARM64_PA_BITS_52 + ++choice ++ prompt "Endianness" ++ default CPU_LITTLE_ENDIAN ++ help ++ Select the endianness of data accesses performed by the CPU. Userspace ++ applications will need to be compiled and linked for the endianness ++ that is selected here. ++ + config CPU_BIG_ENDIAN + bool "Build big-endian kernel" + help +- Say Y if you plan on running a kernel in big-endian mode. ++ Say Y if you plan on running a kernel with a big-endian userspace. ++ ++config CPU_LITTLE_ENDIAN ++ bool "Build little-endian kernel" ++ help ++ Say Y if you plan on running a kernel with a little-endian userspace. ++ This is usually the case for distributions targeting arm64. ++ ++endchoice + + config SCHED_MC + bool "Multi-core scheduler support" +-- +2.42.0 + diff --git a/queue-5.4/arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch b/queue-5.4/arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch new file mode 100644 index 00000000000..60466b62a8b --- /dev/null +++ b/queue-5.4/arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch @@ -0,0 +1,59 @@ +From 3012012bdce962b1e725e342cc20b11244403591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Feb 2021 17:57:20 -0700 +Subject: arm64: Make CPU_BIG_ENDIAN depend on ld.bfd or ld.lld 13.0.0+ + +From: Nathan Chancellor + +[ Upstream commit e9c6deee00e9197e75cd6aa0d265d3d45bd7cc28 ] + +Similar to commit 28187dc8ebd9 ("ARM: 9025/1: Kconfig: CPU_BIG_ENDIAN +depends on !LD_IS_LLD"), ld.lld prior to 13.0.0 does not properly +support aarch64 big endian, leading to the following build error when +CONFIG_CPU_BIG_ENDIAN is selected: + +ld.lld: error: unknown emulation: aarch64linuxb + +This has been resolved in LLVM 13. To avoid errors like this, only allow +CONFIG_CPU_BIG_ENDIAN to be selected if using ld.bfd or ld.lld 13.0.0 +and newer. + +While we are here, the indentation of this symbol used spaces since its +introduction in commit a872013d6d03 ("arm64: kconfig: allow +CPU_BIG_ENDIAN to be selected"). Change it to tabs to be consistent with +kernel coding style. + +Link: https://github.com/ClangBuiltLinux/linux/issues/380 +Link: https://github.com/ClangBuiltLinux/linux/issues/1288 +Link: https://github.com/llvm/llvm-project/commit/7605a9a009b5fa3bdac07e3131c8d82f6d08feb7 +Link: https://github.com/llvm/llvm-project/commit/eea34aae2e74e9b6fbdd5b95f479bc7f397bf387 +Reported-by: Arnd Bergmann +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Link: https://lore.kernel.org/r/20210209005719.803608-1-nathan@kernel.org +Signed-off-by: Will Deacon +Stable-dep-of: 146a15b87335 ("arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer") +Signed-off-by: Sasha Levin +--- + arch/arm64/Kconfig | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 185262e0e1da3..306772b7de5fc 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -886,8 +886,9 @@ choice + that is selected here. + + config CPU_BIG_ENDIAN +- bool "Build big-endian kernel" +- help ++ bool "Build big-endian kernel" ++ depends on !LD_IS_LLD || LLD_VERSION >= 130000 ++ help + Say Y if you plan on running a kernel with a big-endian userspace. + + config CPU_LITTLE_ENDIAN +-- +2.42.0 + diff --git a/queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch b/queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch new file mode 100644 index 00000000000..72b64fe70d5 --- /dev/null +++ b/queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch @@ -0,0 +1,94 @@ +From 85f92e443bd225e10b31d0034d1e743620e5c6c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 10:21:28 -0700 +Subject: arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer + +From: Nathan Chancellor + +[ Upstream commit 146a15b873353f8ac28dc281c139ff611a3c4848 ] + +Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly +byte-swap NOP when compiling for big-endian, and the resulting series of +bytes happened to match the encoding of FNMADD S21, S30, S0, S0. + +This went unnoticed until commit: + + 34f66c4c4d5518c1 ("arm64: Use a positive cpucap for FP/SIMD") + +Prior to that commit, the kernel would always enable the use of FPSIMD +early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of +FNMADD within the kernel was not detected, but could result in the +corruption of user or kernel FPSIMD state. + +After that commit, the instructions happen to trap during boot prior to +FPSIMD being detected and enabled, e.g. + +| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD +| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 +| Hardware name: linux,dummy-virt (DT) +| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +| pc : __pi_strcmp+0x1c/0x150 +| lr : populate_properties+0xe4/0x254 +| sp : ffffd014173d3ad0 +| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000 +| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008 +| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044 +| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005 +| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000 +| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000 +| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000 +| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000 +| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a +| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8 +| Kernel panic - not syncing: Unhandled exception +| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1 +| Hardware name: linux,dummy-virt (DT) +| Call trace: +| dump_backtrace+0xec/0x108 +| show_stack+0x18/0x2c +| dump_stack_lvl+0x50/0x68 +| dump_stack+0x18/0x24 +| panic+0x13c/0x340 +| el1t_64_irq_handler+0x0/0x1c +| el1_abort+0x0/0x5c +| el1h_64_sync+0x64/0x68 +| __pi_strcmp+0x1c/0x150 +| unflatten_dt_nodes+0x1e8/0x2d8 +| __unflatten_device_tree+0x5c/0x15c +| unflatten_device_tree+0x38/0x50 +| setup_arch+0x164/0x1e0 +| start_kernel+0x64/0x38c +| __primary_switched+0xbc/0xc4 + +Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is +either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked +commit. + +Closes: https://github.com/ClangBuiltLinux/linux/issues/1948 +Link: https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c +Signed-off-by: Nathan Chancellor +Cc: stable@vger.kernel.org +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20231025-disable-arm64-be-ias-b4-llvm-15-v1-1-b25263ed8b23@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 306772b7de5fc..b301b591dc35b 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -888,6 +888,8 @@ choice + config CPU_BIG_ENDIAN + bool "Build big-endian kernel" + depends on !LD_IS_LLD || LLD_VERSION >= 130000 ++ # https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c ++ depends on AS_IS_GNU || AS_VERSION >= 150000 + help + Say Y if you plan on running a kernel with a big-endian userspace. + +-- +2.42.0 + diff --git a/queue-5.4/cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch b/queue-5.4/cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch new file mode 100644 index 00000000000..4d29a5b1eb9 --- /dev/null +++ b/queue-5.4/cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch @@ -0,0 +1,49 @@ +From 5816a32c25992fc73b3e10a25808d673079c936c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Nov 2023 14:41:13 +0100 +Subject: cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily + +From: Christoph Niedermaier + +[ Upstream commit 2e4e0984c7d696cc74cf2fd7e7f62997f0e9ebe6 ] + +For a 900MHz i.MX6ULL CPU the 792MHz OPP is disabled. There is no +convincing reason to disable this OPP. If a CPU can run at 900MHz, +it should also be able to cope with 792MHz. Looking at the voltage +level of 792MHz in [1] (page 24, table 10. "Operating Ranges") the +current defined OPP is above the minimum. So the voltage level +shouldn't be a problem. However in [2] (page 24, table 10. +"Operating Ranges"), it is not mentioned that 792MHz OPP isn't +allowed. Change it to only disable 792MHz OPP for i.MX6ULL types +below 792 MHz. + +[1] https://www.nxp.com/docs/en/data-sheet/IMX6ULLIEC.pdf +[2] https://www.nxp.com/docs/en/data-sheet/IMX6ULLCEC.pdf + +Fixes: 0aa9abd4c212 ("cpufreq: imx6q: check speed grades for i.MX6ULL") +Signed-off-by: Christoph Niedermaier +Reviewed-by: Marek Vasut +Reviewed-by: Fabio Estevam +[ Viresh: Edited subject ] +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/imx6q-cpufreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c +index 1ed62924df405..84f6dbd4e9795 100644 +--- a/drivers/cpufreq/imx6q-cpufreq.c ++++ b/drivers/cpufreq/imx6q-cpufreq.c +@@ -319,7 +319,7 @@ static int imx6ul_opp_check_speed_grading(struct device *dev) + imx6x_disable_freq_in_opp(dev, 696000000); + + if (of_machine_is_compatible("fsl,imx6ull")) { +- if (val != OCOTP_CFG3_6ULL_SPEED_792MHZ) ++ if (val < OCOTP_CFG3_6ULL_SPEED_792MHZ) + imx6x_disable_freq_in_opp(dev, 792000000); + + if (val != OCOTP_CFG3_6ULL_SPEED_900MHZ) +-- +2.42.0 + diff --git a/queue-5.4/cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch b/queue-5.4/cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch new file mode 100644 index 00000000000..60d97b05bb6 --- /dev/null +++ b/queue-5.4/cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch @@ -0,0 +1,93 @@ +From 787cb7894798c56f0563265896729a9749c85f43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:07:11 +0200 +Subject: cpufreq: imx6q: don't warn for disabling a non-existing frequency + +From: Christoph Niedermaier + +[ Upstream commit 11a3b0ac33d95aa84be426e801f800997262a225 ] + +It is confusing if a warning is given for disabling a non-existent +frequency of the operating performance points (OPP). In this case +the function dev_pm_opp_disable() returns -ENODEV. Check the return +value and avoid the output of a warning in this case. Avoid code +duplication by using a separate function. + +Signed-off-by: Christoph Niedermaier +[ Viresh : Updated commit subject ] +Signed-off-by: Viresh Kumar +Stable-dep-of: 2e4e0984c7d6 ("cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily") +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/imx6q-cpufreq.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c +index edef3399c9794..1ed62924df405 100644 +--- a/drivers/cpufreq/imx6q-cpufreq.c ++++ b/drivers/cpufreq/imx6q-cpufreq.c +@@ -210,6 +210,14 @@ static struct cpufreq_driver imx6q_cpufreq_driver = { + .suspend = cpufreq_generic_suspend, + }; + ++static void imx6x_disable_freq_in_opp(struct device *dev, unsigned long freq) ++{ ++ int ret = dev_pm_opp_disable(dev, freq); ++ ++ if (ret < 0 && ret != -ENODEV) ++ dev_warn(dev, "failed to disable %ldMHz OPP\n", freq / 1000000); ++} ++ + #define OCOTP_CFG3 0x440 + #define OCOTP_CFG3_SPEED_SHIFT 16 + #define OCOTP_CFG3_SPEED_1P2GHZ 0x3 +@@ -245,17 +253,15 @@ static void imx6q_opp_check_speed_grading(struct device *dev) + val &= 0x3; + + if (val < OCOTP_CFG3_SPEED_996MHZ) +- if (dev_pm_opp_disable(dev, 996000000)) +- dev_warn(dev, "failed to disable 996MHz OPP\n"); ++ imx6x_disable_freq_in_opp(dev, 996000000); + + if (of_machine_is_compatible("fsl,imx6q") || + of_machine_is_compatible("fsl,imx6qp")) { + if (val != OCOTP_CFG3_SPEED_852MHZ) +- if (dev_pm_opp_disable(dev, 852000000)) +- dev_warn(dev, "failed to disable 852MHz OPP\n"); ++ imx6x_disable_freq_in_opp(dev, 852000000); ++ + if (val != OCOTP_CFG3_SPEED_1P2GHZ) +- if (dev_pm_opp_disable(dev, 1200000000)) +- dev_warn(dev, "failed to disable 1.2GHz OPP\n"); ++ imx6x_disable_freq_in_opp(dev, 1200000000); + } + iounmap(base); + put_node: +@@ -308,20 +314,16 @@ static int imx6ul_opp_check_speed_grading(struct device *dev) + val >>= OCOTP_CFG3_SPEED_SHIFT; + val &= 0x3; + +- if (of_machine_is_compatible("fsl,imx6ul")) { ++ if (of_machine_is_compatible("fsl,imx6ul")) + if (val != OCOTP_CFG3_6UL_SPEED_696MHZ) +- if (dev_pm_opp_disable(dev, 696000000)) +- dev_warn(dev, "failed to disable 696MHz OPP\n"); +- } ++ imx6x_disable_freq_in_opp(dev, 696000000); + + if (of_machine_is_compatible("fsl,imx6ull")) { + if (val != OCOTP_CFG3_6ULL_SPEED_792MHZ) +- if (dev_pm_opp_disable(dev, 792000000)) +- dev_warn(dev, "failed to disable 792MHz OPP\n"); ++ imx6x_disable_freq_in_opp(dev, 792000000); + + if (val != OCOTP_CFG3_6ULL_SPEED_900MHZ) +- if (dev_pm_opp_disable(dev, 900000000)) +- dev_warn(dev, "failed to disable 900MHz OPP\n"); ++ imx6x_disable_freq_in_opp(dev, 900000000); + } + + return ret; +-- +2.42.0 + diff --git a/queue-5.4/ext4-improve-write-performance-with-disabled-delallo.patch b/queue-5.4/ext4-improve-write-performance-with-disabled-delallo.patch new file mode 100644 index 00000000000..d5fe1307d28 --- /dev/null +++ b/queue-5.4/ext4-improve-write-performance-with-disabled-delallo.patch @@ -0,0 +1,47 @@ +From b761964a221739a6175a704f4e3304bd8b809f3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 13:14:02 +0200 +Subject: ext4: improve write performance with disabled delalloc + +From: Jan Kara + +[ Upstream commit 8d5459c11f548131ce48b2fbf45cccc5c382558f ] + +When delayed allocation is disabled (either through mount option or +because we are running low on free space), ext4_write_begin() allocates +blocks with EXT4_GET_BLOCKS_IO_CREATE_EXT flag. With this flag extent +merging is disabled and since ext4_write_begin() is called for each page +separately, we end up with a *lot* of 1 block extents in the extent tree +and following writeback is writing 1 block at a time which results in +very poor write throughput (4 MB/s instead of 200 MB/s). These days when +ext4_get_block_unwritten() is used only by ext4_write_begin(), +ext4_page_mkwrite() and inline data conversion, we can safely allow +extent merging to happen from these paths since following writeback will +happen on different boundaries anyway. So use +EXT4_GET_BLOCKS_CREATE_UNRIT_EXT instead which restores the performance. + +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220520111402.4252-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Stable-dep-of: 2cd8bdb5efc1 ("ext4: mark buffer new if it is unwritten to avoid stale data exposure") +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 8a0bca3b653bc..9ca7db0c4039a 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -830,7 +830,7 @@ int ext4_get_block_unwritten(struct inode *inode, sector_t iblock, + ext4_debug("ext4_get_block_unwritten: inode %lu, create flag %d\n", + inode->i_ino, create); + return _ext4_get_block(inode, iblock, bh_result, +- EXT4_GET_BLOCKS_IO_CREATE_EXT); ++ EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT); + } + + /* Maximum number of blocks we map for direct IO at once. */ +-- +2.42.0 + diff --git a/queue-5.4/ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch b/queue-5.4/ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch new file mode 100644 index 00000000000..9526ab1a6de --- /dev/null +++ b/queue-5.4/ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch @@ -0,0 +1,145 @@ +From eb57900d1090262be4fa3b51cd416e0fe82cd0c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 16:15:50 +0530 +Subject: ext4: mark buffer new if it is unwritten to avoid stale data exposure + +From: Ojaswin Mujoo + +[ Upstream commit 2cd8bdb5efc1e0d5b11a4b7ba6b922fd2736a87f ] + +** Short Version ** + +In ext4 with dioread_nolock, we could have a scenario where the bh returned by +get_blocks (ext4_get_block_unwritten()) in __block_write_begin_int() has +UNWRITTEN and MAPPED flag set. Since such a bh does not have NEW flag set we +never zero out the range of bh that is not under write, causing whatever stale +data is present in the folio at that time to be written out to disk. To fix this +mark the buffer as new, in case it is unwritten, in ext4_get_block_unwritten(). + +** Long Version ** + +The issue mentioned above was resulting in two different bugs: + +1. On block size < page size case in ext4, generic/269 was reliably +failing with dioread_nolock. The state of the write was as follows: + + * The write was extending i_size. + * The last block of the file was fallocated and had an unwritten extent + * We were near ENOSPC and hence we were switching to non-delayed alloc + allocation. + +In this case, the back trace that triggers the bug is as follows: + + ext4_da_write_begin() + /* switch to nodelalloc due to low space */ + ext4_write_begin() + ext4_should_dioread_nolock() // true since mount flags still have delalloc + __block_write_begin(..., ext4_get_block_unwritten) + __block_write_begin_int() + for(each buffer head in page) { + /* first iteration, this is bh1 which contains i_size */ + if (!buffer_mapped) + get_block() /* returns bh with only UNWRITTEN and MAPPED */ + /* second iteration, bh2 */ + if (!buffer_mapped) + get_block() /* we fail here, could be ENOSPC */ + } + if (err) + /* + * this would zero out all new buffers and mark them uptodate. + * Since bh1 was never marked new, we skip it here which causes + * the bug later. + */ + folio_zero_new_buffers(); + /* ext4_wrte_begin() error handling */ + ext4_truncate_failed_write() + ext4_truncate() + ext4_block_truncate_page() + __ext4_block_zero_page_range() + if(!buffer_uptodate()) + ext4_read_bh_lock() + ext4_read_bh() -> ... ext4_submit_bh_wbc() + BUG_ON(buffer_unwritten(bh)); /* !!! */ + +2. The second issue is stale data exposure with page size >= blocksize +with dioread_nolock. The conditions needed for it to happen are same as +the previous issue ie dioread_nolock around ENOSPC condition. The issue +is also similar where in __block_write_begin_int() when we call +ext4_get_block_unwritten() on the buffer_head and the underlying extent +is unwritten, we get an unwritten and mapped buffer head. Since it is +not new, we never zero out the partial range which is not under write, +thus writing stale data to disk. This can be easily observed with the +following reproducer: + + fallocate -l 4k testfile + xfs_io -c "pwrite 2k 2k" testfile + # hexdump output will have stale data in from byte 0 to 2k in testfile + hexdump -C testfile + +NOTE: To trigger this, we need dioread_nolock enabled and write happening via +ext4_write_begin(), which is usually used when we have -o nodealloc. Since +dioread_nolock is disabled with nodelalloc, the only alternate way to call +ext4_write_begin() is to ensure that delayed alloc switches to nodelalloc ie +ext4_da_write_begin() calls ext4_write_begin(). This will usually happen when +ext4 is almost full like the way generic/269 was triggering it in Issue 1 above. +This might make the issue harder to hit. Hence, for reliable replication, I used +the below patch to temporarily allow dioread_nolock with nodelalloc and then +mount the disk with -o nodealloc,dioread_nolock. With this you can hit the stale +data issue 100% of times: + +@@ -508,8 +508,8 @@ static inline int ext4_should_dioread_nolock(struct inode *inode) + if (ext4_should_journal_data(inode)) + return 0; + /* temporary fix to prevent generic/422 test failures */ +- if (!test_opt(inode->i_sb, DELALLOC)) +- return 0; ++ // if (!test_opt(inode->i_sb, DELALLOC)) ++ // return 0; + return 1; + } + +After applying this patch to mark buffer as NEW, both the above issues are +fixed. + +Signed-off-by: Ojaswin Mujoo +Cc: stable@kernel.org +Reviewed-by: Jan Kara +Reviewed-by: "Ritesh Harjani (IBM)" +Link: https://lore.kernel.org/r/d0ed09d70a9733fbb5349c5c7b125caac186ecdf.1695033645.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 9ca7db0c4039a..0847657400a92 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -827,10 +827,22 @@ int ext4_get_block(struct inode *inode, sector_t iblock, + int ext4_get_block_unwritten(struct inode *inode, sector_t iblock, + struct buffer_head *bh_result, int create) + { ++ int ret = 0; ++ + ext4_debug("ext4_get_block_unwritten: inode %lu, create flag %d\n", + inode->i_ino, create); +- return _ext4_get_block(inode, iblock, bh_result, ++ ret = _ext4_get_block(inode, iblock, bh_result, + EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT); ++ ++ /* ++ * If the buffer is marked unwritten, mark it as new to make sure it is ++ * zeroed out correctly in case of partial writes. Otherwise, there is ++ * a chance of stale data getting exposed. ++ */ ++ if (ret == 0 && buffer_unwritten(bh_result)) ++ set_buffer_new(bh_result); ++ ++ return ret; + } + + /* Maximum number of blocks we map for direct IO at once. */ +-- +2.42.0 + diff --git a/queue-5.4/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch b/queue-5.4/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch new file mode 100644 index 00000000000..78c13a3a9bd --- /dev/null +++ b/queue-5.4/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch @@ -0,0 +1,39 @@ +From c7c41185a379f6a8e016ab0495d3a8f3f73313c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Oct 2023 13:36:48 +0200 +Subject: fbdev: stifb: Make the STI next font pointer a 32-bit signed offset + +From: Helge Deller + +[ Upstream commit 8a32aa17c1cd48df1ddaa78e45abcb8c7a2220d6 ] + +The pointer to the next STI font is actually a signed 32-bit +offset. With this change the 64-bit kernel will correctly subract +the (signed 32-bit) offset instead of adding a (unsigned 32-bit) +offset. It has no effect on 32-bit kernels. + +This fixes the stifb driver with a 64-bit kernel on qemu. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sticore.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/sticore.h b/drivers/video/fbdev/sticore.h +index fb8f58f9867a7..0416e2bc27d85 100644 +--- a/drivers/video/fbdev/sticore.h ++++ b/drivers/video/fbdev/sticore.h +@@ -237,7 +237,7 @@ struct sti_rom_font { + u8 height; + u8 font_type; /* language type */ + u8 bytes_per_char; +- u32 next_font; ++ s32 next_font; /* note: signed int */ + u8 underline_height; + u8 underline_pos; + u8 res008[2]; +-- +2.42.0 + diff --git a/queue-5.4/ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch b/queue-5.4/ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch new file mode 100644 index 00000000000..ad8913915fd --- /dev/null +++ b/queue-5.4/ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch @@ -0,0 +1,117 @@ +From 0ceacef5844dc04426a2389d39e58dac3f22dd9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 14:15:58 +0300 +Subject: ima: annotate iint mutex to avoid lockdep false positive warnings + +From: Amir Goldstein + +[ Upstream commit e044374a8a0a99e46f4e6d6751d3042b6d9cc12e ] + +It is not clear that IMA should be nested at all, but as long is it +measures files both on overlayfs and on underlying fs, we need to +annotate the iint mutex to avoid lockdep false positives related to +IMA + overlayfs, same as overlayfs annotates the inode mutex. + +Reported-and-tested-by: syzbot+b42fe626038981fb7bfa@syzkaller.appspotmail.com +Signed-off-by: Amir Goldstein +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/iint.c | 48 ++++++++++++++++++++++++++++++--------- + 1 file changed, 37 insertions(+), 11 deletions(-) + +diff --git a/security/integrity/iint.c b/security/integrity/iint.c +index ff37143000b4c..ffdc3ca1e9c16 100644 +--- a/security/integrity/iint.c ++++ b/security/integrity/iint.c +@@ -66,9 +66,32 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode) + return iint; + } + +-static void iint_free(struct integrity_iint_cache *iint) ++#define IMA_MAX_NESTING (FILESYSTEM_MAX_STACK_DEPTH+1) ++ ++/* ++ * It is not clear that IMA should be nested at all, but as long is it measures ++ * files both on overlayfs and on underlying fs, we need to annotate the iint ++ * mutex to avoid lockdep false positives related to IMA + overlayfs. ++ * See ovl_lockdep_annotate_inode_mutex_key() for more details. ++ */ ++static inline void iint_lockdep_annotate(struct integrity_iint_cache *iint, ++ struct inode *inode) ++{ ++#ifdef CONFIG_LOCKDEP ++ static struct lock_class_key iint_mutex_key[IMA_MAX_NESTING]; ++ ++ int depth = inode->i_sb->s_stack_depth; ++ ++ if (WARN_ON_ONCE(depth < 0 || depth >= IMA_MAX_NESTING)) ++ depth = 0; ++ ++ lockdep_set_class(&iint->mutex, &iint_mutex_key[depth]); ++#endif ++} ++ ++static void iint_init_always(struct integrity_iint_cache *iint, ++ struct inode *inode) + { +- kfree(iint->ima_hash); + iint->ima_hash = NULL; + iint->version = 0; + iint->flags = 0UL; +@@ -80,6 +103,14 @@ static void iint_free(struct integrity_iint_cache *iint) + iint->ima_creds_status = INTEGRITY_UNKNOWN; + iint->evm_status = INTEGRITY_UNKNOWN; + iint->measured_pcrs = 0; ++ mutex_init(&iint->mutex); ++ iint_lockdep_annotate(iint, inode); ++} ++ ++static void iint_free(struct integrity_iint_cache *iint) ++{ ++ kfree(iint->ima_hash); ++ mutex_destroy(&iint->mutex); + kmem_cache_free(iint_cache, iint); + } + +@@ -112,6 +143,8 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) + if (!iint) + return NULL; + ++ iint_init_always(iint, inode); ++ + write_lock(&integrity_iint_lock); + + p = &integrity_iint_tree.rb_node; +@@ -161,25 +194,18 @@ void integrity_inode_free(struct inode *inode) + iint_free(iint); + } + +-static void init_once(void *foo) ++static void iint_init_once(void *foo) + { + struct integrity_iint_cache *iint = foo; + + memset(iint, 0, sizeof(*iint)); +- iint->ima_file_status = INTEGRITY_UNKNOWN; +- iint->ima_mmap_status = INTEGRITY_UNKNOWN; +- iint->ima_bprm_status = INTEGRITY_UNKNOWN; +- iint->ima_read_status = INTEGRITY_UNKNOWN; +- iint->ima_creds_status = INTEGRITY_UNKNOWN; +- iint->evm_status = INTEGRITY_UNKNOWN; +- mutex_init(&iint->mutex); + } + + static int __init integrity_iintcache_init(void) + { + iint_cache = + kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), +- 0, SLAB_PANIC, init_once); ++ 0, SLAB_PANIC, iint_init_once); + return 0; + } + DEFINE_LSM(integrity) = { +-- +2.42.0 + diff --git a/queue-5.4/ima-detect-changes-to-the-backing-overlay-file.patch b/queue-5.4/ima-detect-changes-to-the-backing-overlay-file.patch new file mode 100644 index 00000000000..6a77a6b2c78 --- /dev/null +++ b/queue-5.4/ima-detect-changes-to-the-backing-overlay-file.patch @@ -0,0 +1,110 @@ +From be81730849472a9a8c5cbf43ec154b1e85b05bc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 14:47:02 -0400 +Subject: ima: detect changes to the backing overlay file + +From: Mimi Zohar + +[ Upstream commit b836c4d29f2744200b2af41e14bf50758dddc818 ] + +Commit 18b44bc5a672 ("ovl: Always reevaluate the file signature for +IMA") forced signature re-evaulation on every file access. + +Instead of always re-evaluating the file's integrity, detect a change +to the backing file, by comparing the cached file metadata with the +backing file's metadata. Verifying just the i_version has not changed +is insufficient. In addition save and compare the i_ino and s_dev +as well. + +Reviewed-by: Amir Goldstein +Tested-by: Eric Snowberg +Tested-by: Raul E Rangel +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_api.c | 5 +++++ + security/integrity/ima/ima_main.c | 16 +++++++++++++++- + security/integrity/integrity.h | 2 ++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c +index 610759fe63b8a..364979233a174 100644 +--- a/security/integrity/ima/ima_api.c ++++ b/security/integrity/ima/ima_api.c +@@ -209,6 +209,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, + { + const char *audit_cause = "failed"; + struct inode *inode = file_inode(file); ++ struct inode *real_inode = d_real_inode(file_dentry(file)); + const char *filename = file->f_path.dentry->d_name.name; + int result = 0; + int length; +@@ -259,6 +260,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, + iint->ima_hash = tmpbuf; + memcpy(iint->ima_hash, &hash, length); + iint->version = i_version; ++ if (real_inode != inode) { ++ iint->real_ino = real_inode->i_ino; ++ iint->real_dev = real_inode->i_sb->s_dev; ++ } + + /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ + if (!result) +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index 6a2377eee03d8..09b9c2b252944 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include "ima.h" + +@@ -193,7 +194,7 @@ static int process_measurement(struct file *file, const struct cred *cred, + u32 secid, char *buf, loff_t size, int mask, + enum ima_hooks func) + { +- struct inode *inode = file_inode(file); ++ struct inode *backing_inode, *inode = file_inode(file); + struct integrity_iint_cache *iint = NULL; + struct ima_template_desc *template_desc = NULL; + char *pathbuf = NULL; +@@ -267,6 +268,19 @@ static int process_measurement(struct file *file, const struct cred *cred, + iint->measured_pcrs = 0; + } + ++ /* Detect and re-evaluate changes made to the backing file. */ ++ backing_inode = d_real_inode(file_dentry(file)); ++ if (backing_inode != inode && ++ (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) { ++ if (!IS_I_VERSION(backing_inode) || ++ backing_inode->i_sb->s_dev != iint->real_dev || ++ backing_inode->i_ino != iint->real_ino || ++ !inode_eq_iversion(backing_inode, iint->version)) { ++ iint->flags &= ~IMA_DONE_MASK; ++ iint->measured_pcrs = 0; ++ } ++ } ++ + /* Determine if already appraised/measured based on bitmask + * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, + * IMA_AUDIT, IMA_AUDITED) +diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h +index d9323d31a3a83..f63516ebec5db 100644 +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -124,6 +124,8 @@ struct integrity_iint_cache { + unsigned long flags; + unsigned long measured_pcrs; + unsigned long atomic_flags; ++ unsigned long real_ino; ++ dev_t real_dev; + enum integrity_status ima_file_status:4; + enum integrity_status ima_mmap_status:4; + enum integrity_status ima_bprm_status:4; +-- +2.42.0 + diff --git a/queue-5.4/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch b/queue-5.4/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch new file mode 100644 index 00000000000..ac4f24aee60 --- /dev/null +++ b/queue-5.4/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch @@ -0,0 +1,114 @@ +From cf4937dd9cf10cac29442fd8294aebbd3b2129f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Nov 2023 15:13:14 +0800 +Subject: ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet + +From: Zhengchao Shao + +[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ] + +When I perform the following test operations: +1.ip link add br0 type bridge +2.brctl addif br0 eth0 +3.ip addr add 239.0.0.1/32 dev eth0 +4.ip addr add 239.0.0.1/32 dev br0 +5.ip addr add 224.0.0.1/32 dev br0 +6.while ((1)) + do + ifconfig br0 up + ifconfig br0 down + done +7.send IGMPv2 query packets to port eth0 continuously. For example, +./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00 +1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00" + +The preceding tests may trigger the refcnt uaf issue of the mc list. The +stack is as follows: + refcount_t: addition on 0; use-after-free. + WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25) + CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:refcount_warn_saturate (lib/refcount.c:25) + RSP: 0018:ffffb68f00657910 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908 + RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900 + RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff + R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680 + R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00 + FS: 0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0 + Call Trace: + + igmp_heard_query (net/ipv4/igmp.c:1068) + igmp_rcv (net/ipv4/igmp.c:1132) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) + ip_local_deliver_finish (net/ipv4/ip_input.c:234) + __netif_receive_skb_one_core (net/core/dev.c:5529) + netif_receive_skb_internal (net/core/dev.c:5729) + netif_receive_skb (net/core/dev.c:5788) + br_handle_frame_finish (net/bridge/br_input.c:216) + nf_hook_bridge_pre (net/bridge/br_input.c:294) + __netif_receive_skb_core (net/core/dev.c:5423) + __netif_receive_skb_list_core (net/core/dev.c:5606) + __netif_receive_skb_list (net/core/dev.c:5674) + netif_receive_skb_list_internal (net/core/dev.c:5764) + napi_gro_receive (net/core/gro.c:609) + e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467) + e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805) + __napi_poll (net/core/dev.c:6533) + net_rx_action (net/core/dev.c:6735) + __do_softirq (kernel/softirq.c:554) + run_ksoftirqd (kernel/softirq.c:913) + smpboot_thread_fn (kernel/smpboot.c:164) + kthread (kernel/kthread.c:388) + ret_from_fork (arch/x86/kernel/process.c:153) + ret_from_fork_asm (arch/x86/entry/entry_64.S:250) + + +The root causes are as follows: +Thread A Thread B +... netif_receive_skb +br_dev_stop ... + br_multicast_leave_snoopers ... + __ip_mc_dec_group ... + __igmp_group_dropped igmp_rcv + igmp_stop_timer igmp_heard_query //ref = 1 + ip_ma_put igmp_mod_timer + refcount_dec_and_test igmp_start_timer //ref = 0 + ... refcount_inc //ref increases from 0 +When the device receives an IGMPv2 Query message, it starts the timer +immediately, regardless of whether the device is running. If the device is +down and has left the multicast group, it will cause the mc list refcount +uaf issue. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Zhengchao Shao +Reviewed-by: Eric Dumazet +Reviewed-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/igmp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index cb031e851c127..715f99e76826e 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -218,8 +218,10 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay) + int tv = prandom_u32() % max_delay; + + im->tm_running = 1; +- if (!mod_timer(&im->timer, jiffies+tv+2)) +- refcount_inc(&im->refcnt); ++ if (refcount_inc_not_zero(&im->refcnt)) { ++ if (mod_timer(&im->timer, jiffies + tv + 2)) ++ ip_ma_put(im); ++ } + } + + static void igmp_gq_start_timer(struct in_device *in_dev) +-- +2.42.0 + diff --git a/queue-5.4/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch b/queue-5.4/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch new file mode 100644 index 00000000000..2597e1877b9 --- /dev/null +++ b/queue-5.4/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch @@ -0,0 +1,80 @@ +From a4ae02a562048f5804f9e40ea39297efbfbfb062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 22:30:29 +0200 +Subject: mtd: cfi_cmdset_0001: Byte swap OTP info + +From: Linus Walleij + +[ Upstream commit 565fe150624ee77dc63a735cc1b3bff5101f38a3 ] + +Currently the offset into the device when looking for OTP +bits can go outside of the address of the MTD NOR devices, +and if that memory isn't readable, bad things happen +on the IXP4xx (added prints that illustrate the problem before +the crash): + +cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x00000100 +ixp4xx_copy_from copy from 0x00000100 to 0xc880dd78 +cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x12000000 +ixp4xx_copy_from copy from 0x12000000 to 0xc880dd78 +8<--- cut here --- +Unable to handle kernel paging request at virtual address db000000 +[db000000] *pgd=00000000 +(...) + +This happens in this case because the IXP4xx is big endian and +the 32- and 16-bit fields in the struct cfi_intelext_otpinfo are not +properly byteswapped. Compare to how the code in read_pri_intelext() +byteswaps the fields in struct cfi_pri_intelext. + +Adding a small byte swapping loop for the OTP in read_pri_intelext() +and the crash goes away. + +The problem went unnoticed for many years until I enabled +CONFIG_MTD_OTP on the IXP4xx as well, triggering the bug. + +Cc: stable@vger.kernel.org +Reviewed-by: Nicolas Pitre +Signed-off-by: Linus Walleij +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20231020-mtd-otp-byteswap-v4-1-0d132c06aa9d@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/chips/cfi_cmdset_0001.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c +index 1d77687b67169..dc350272d9ef6 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0001.c ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c +@@ -420,9 +420,25 @@ read_pri_intelext(struct map_info *map, __u16 adr) + extra_size = 0; + + /* Protection Register info */ +- if (extp->NumProtectionFields) ++ if (extp->NumProtectionFields) { ++ struct cfi_intelext_otpinfo *otp = ++ (struct cfi_intelext_otpinfo *)&extp->extra[0]; ++ + extra_size += (extp->NumProtectionFields - 1) * +- sizeof(struct cfi_intelext_otpinfo); ++ sizeof(struct cfi_intelext_otpinfo); ++ ++ if (extp_size >= sizeof(*extp) + extra_size) { ++ int i; ++ ++ /* Do some byteswapping if necessary */ ++ for (i = 0; i < extp->NumProtectionFields - 1; i++) { ++ otp->ProtRegAddr = le32_to_cpu(otp->ProtRegAddr); ++ otp->FactGroups = le16_to_cpu(otp->FactGroups); ++ otp->UserGroups = le16_to_cpu(otp->UserGroups); ++ otp++; ++ } ++ } ++ } + } + + if (extp->MinorVersion >= '1') { +-- +2.42.0 + diff --git a/queue-5.4/mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch b/queue-5.4/mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch new file mode 100644 index 00000000000..88f866ee436 --- /dev/null +++ b/queue-5.4/mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch @@ -0,0 +1,80 @@ +From e2b25543a142a226cdf4a9e2435bc6c7e9620893 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 16:23:26 +0200 +Subject: mtd: cfi_cmdset_0001: Support the absence of protection registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jean-Philippe Brucker + +[ Upstream commit b359ed5184aebf9d987e54abc5dae7ac03ed29ae ] + +The flash controller implemented by the Arm Base platform behaves like +the Intel StrataFlash J3 device, but omits several features. In +particular it doesn't implement a protection register, so "Number of +Protection register fields" in the Primary Vendor-Specific Extended +Query, is 0. + +The Intel StrataFlash J3 datasheet only lists 1 as a valid value for +NumProtectionFields. It describes the field as: + + "Number of Protection register fields in JEDEC ID space. + “00h,” indicates that 256 protection bytes are available" + +While a value of 0 may arguably not be architecturally valid, the +driver's current behavior is certainly wrong: if NumProtectionFields is +0, read_pri_intelext() adds a negative value to the unsigned extra_size, +and ends up in an infinite loop. + +Fix it by ignoring a NumProtectionFields of 0. + +Signed-off-by: Jean-Philippe Brucker +Tested-by: Sudeep Holla +Tested-by: Catalin Marinas +Signed-off-by: Vignesh Raghavendra +Stable-dep-of: 565fe150624e ("mtd: cfi_cmdset_0001: Byte swap OTP info") +Signed-off-by: Sasha Levin +--- + drivers/mtd/chips/cfi_cmdset_0001.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c +index 79a53cb8507b6..1d77687b67169 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0001.c ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c +@@ -420,8 +420,9 @@ read_pri_intelext(struct map_info *map, __u16 adr) + extra_size = 0; + + /* Protection Register info */ +- extra_size += (extp->NumProtectionFields - 1) * +- sizeof(struct cfi_intelext_otpinfo); ++ if (extp->NumProtectionFields) ++ extra_size += (extp->NumProtectionFields - 1) * ++ sizeof(struct cfi_intelext_otpinfo); + } + + if (extp->MinorVersion >= '1') { +@@ -695,14 +696,16 @@ static int cfi_intelext_partition_fixup(struct mtd_info *mtd, + */ + if (extp && extp->MajorVersion == '1' && extp->MinorVersion >= '3' + && extp->FeatureSupport & (1 << 9)) { ++ int offs = 0; + struct cfi_private *newcfi; + struct flchip *chip; + struct flchip_shared *shared; +- int offs, numregions, numparts, partshift, numvirtchips, i, j; ++ int numregions, numparts, partshift, numvirtchips, i, j; + + /* Protection Register info */ +- offs = (extp->NumProtectionFields - 1) * +- sizeof(struct cfi_intelext_otpinfo); ++ if (extp->NumProtectionFields) ++ offs = (extp->NumProtectionFields - 1) * ++ sizeof(struct cfi_intelext_otpinfo); + + /* Burst Read info */ + offs += extp->extra[offs+1]+2; +-- +2.42.0 + diff --git a/queue-5.4/net-ravb-start-tx-queues-after-hw-initialization-suc.patch b/queue-5.4/net-ravb-start-tx-queues-after-hw-initialization-suc.patch new file mode 100644 index 00000000000..1282fb6ecb2 --- /dev/null +++ b/queue-5.4/net-ravb-start-tx-queues-after-hw-initialization-suc.patch @@ -0,0 +1,46 @@ +From c4e211ca7d342d16bb3afe4df2e6c6c5d9bed395 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 10:04:37 +0200 +Subject: net: ravb: Start TX queues after HW initialization succeeded + +From: Claudiu Beznea + +[ Upstream commit 6f32c086602050fc11157adeafaa1c1eb393f0af ] + +ravb_phy_start() may fail. If that happens, the TX queues will remain +started. Thus, move the netif_tx_start_all_queues() after PHY is +successfully initialized. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Reviewed-by: Sergey Shtylyov +Signed-off-by: Claudiu Beznea +Reviewed-by: Kalesh AP +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 815aa18782165..42e62f51ba6d1 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1380,13 +1380,13 @@ static int ravb_open(struct net_device *ndev) + if (priv->chip_id == RCAR_GEN2) + ravb_ptp_init(ndev, priv->pdev); + +- netif_tx_start_all_queues(ndev); +- + /* PHY control start */ + error = ravb_phy_start(ndev); + if (error) + goto out_ptp_stop; + ++ netif_tx_start_all_queues(ndev); ++ + return 0; + + out_ptp_stop: +-- +2.42.0 + diff --git a/queue-5.4/net-ravb-use-pm_runtime_resume_and_get.patch b/queue-5.4/net-ravb-use-pm_runtime_resume_and_get.patch new file mode 100644 index 00000000000..004b8470173 --- /dev/null +++ b/queue-5.4/net-ravb-use-pm_runtime_resume_and_get.patch @@ -0,0 +1,48 @@ +From e0ec0bd82e97d3a1b556ff719876ca802205e5c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 10:04:35 +0200 +Subject: net: ravb: Use pm_runtime_resume_and_get() + +From: Claudiu Beznea + +[ Upstream commit 88b74831faaee455c2af380382d979fc38e79270 ] + +pm_runtime_get_sync() may return an error. In case it returns with an error +dev->power.usage_count needs to be decremented. pm_runtime_resume_and_get() +takes care of this. Thus use it. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Reviewed-by: Sergey Shtylyov +Signed-off-by: Claudiu Beznea +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 765e55b489dbf..815aa18782165 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2039,7 +2039,9 @@ static int ravb_probe(struct platform_device *pdev) + ndev->hw_features = NETIF_F_RXCSUM; + + pm_runtime_enable(&pdev->dev); +- pm_runtime_get_sync(&pdev->dev); ++ error = pm_runtime_resume_and_get(&pdev->dev); ++ if (error < 0) ++ goto out_rpm_disable; + + /* The Ether-specific entries in the device structure. */ + ndev->base_addr = res->start; +@@ -2210,6 +2212,7 @@ static int ravb_probe(struct platform_device *pdev) + free_netdev(ndev); + + pm_runtime_put(&pdev->dev); ++out_rpm_disable: + pm_runtime_disable(&pdev->dev); + return error; + } +-- +2.42.0 + diff --git a/queue-5.4/net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch b/queue-5.4/net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch new file mode 100644 index 00000000000..d2d8bc85c29 --- /dev/null +++ b/queue-5.4/net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch @@ -0,0 +1,54 @@ +From 4f31b563b388e0796bfa049149febf8228411d46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Nov 2023 14:01:26 +0800 +Subject: net: stmmac: xgmac: Disable FPE MMC interrupts + +From: Furong Xu <0x1207@gmail.com> + +[ Upstream commit e54d628a2721bfbb002c19f6e8ca6746cec7640f ] + +Commit aeb18dd07692 ("net: stmmac: xgmac: Disable MMC interrupts +by default") tries to disable MMC interrupts to avoid a storm of +unhandled interrupts, but leaves the FPE(Frame Preemption) MMC +interrupts enabled, FPE MMC interrupts can cause the same problem. +Now we mask FPE TX and RX interrupts to disable all MMC interrupts. + +Fixes: aeb18dd07692 ("net: stmmac: xgmac: Disable MMC interrupts by default") +Reviewed-by: Larysa Zaremba +Signed-off-by: Furong Xu <0x1207@gmail.com> +Reviewed-by: Serge Semin +Reviewed-by: Wojciech Drewek +Link: https://lore.kernel.org/r/20231125060126.2328690-1-0x1207@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c +index 252cf48c58166..5b9f344fdd32a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c +@@ -170,8 +170,10 @@ + #define MMC_XGMAC_RX_DISCARD_OCT_GB 0x1b4 + #define MMC_XGMAC_RX_ALIGN_ERR_PKT 0x1bc + ++#define MMC_XGMAC_TX_FPE_INTR_MASK 0x204 + #define MMC_XGMAC_TX_FPE_FRAG 0x208 + #define MMC_XGMAC_TX_HOLD_REQ 0x20c ++#define MMC_XGMAC_RX_FPE_INTR_MASK 0x224 + #define MMC_XGMAC_RX_PKT_ASSEMBLY_ERR 0x228 + #define MMC_XGMAC_RX_PKT_SMD_ERR 0x22c + #define MMC_XGMAC_RX_PKT_ASSEMBLY_OK 0x230 +@@ -336,6 +338,8 @@ static void dwxgmac_mmc_intr_all_mask(void __iomem *mmcaddr) + { + writel(0x0, mmcaddr + MMC_RX_INTR_MASK); + writel(0x0, mmcaddr + MMC_TX_INTR_MASK); ++ writel(MMC_DEFAULT_MASK, mmcaddr + MMC_XGMAC_TX_FPE_INTR_MASK); ++ writel(MMC_DEFAULT_MASK, mmcaddr + MMC_XGMAC_RX_FPE_INTR_MASK); + writel(MMC_DEFAULT_MASK, mmcaddr + MMC_XGMAC_RX_IPC_INTR_MASK); + } + +-- +2.42.0 + diff --git a/queue-5.4/ovl-skip-overlayfs-superblocks-at-global-sync.patch b/queue-5.4/ovl-skip-overlayfs-superblocks-at-global-sync.patch new file mode 100644 index 00000000000..07c9dbf7514 --- /dev/null +++ b/queue-5.4/ovl-skip-overlayfs-superblocks-at-global-sync.patch @@ -0,0 +1,84 @@ +From 06cad914b6f00266a3156bb1b3000a22a1582acf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 11:29:47 +0300 +Subject: ovl: skip overlayfs superblocks at global sync + +From: Konstantin Khlebnikov + +[ Upstream commit 32b1924b210a70dcacdf65abd687c5ef86a67541 ] + +Stacked filesystems like overlayfs has no own writeback, but they have to +forward syncfs() requests to backend for keeping data integrity. + +During global sync() each overlayfs instance calls method ->sync_fs() for +backend although it itself is in global list of superblocks too. As a +result one syscall sync() could write one superblock several times and send +multiple disk barriers. + +This patch adds flag SB_I_SKIP_SYNC into sb->sb_iflags to avoid that. + +Reported-by: Dmitry Monakhov +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Stable-dep-of: b836c4d29f27 ("ima: detect changes to the backing overlay file") +Signed-off-by: Sasha Levin +--- + fs/overlayfs/super.c | 5 +++-- + fs/sync.c | 3 ++- + include/linux/fs.h | 2 ++ + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c +index f5cf0938f298d..fcf453f7f4aef 100644 +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -263,8 +263,8 @@ static int ovl_sync_fs(struct super_block *sb, int wait) + return 0; + + /* +- * If this is a sync(2) call or an emergency sync, all the super blocks +- * will be iterated, including upper_sb, so no need to do anything. ++ * Not called for sync(2) call or an emergency sync (SB_I_SKIP_SYNC). ++ * All the super blocks will be iterated, including upper_sb. + * + * If this is a syncfs(2) call, then we do need to call + * sync_filesystem() on upper_sb, but enough if we do it when being +@@ -1710,6 +1710,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) + sb->s_xattr = ovl_xattr_handlers; + sb->s_fs_info = ofs; + sb->s_flags |= SB_POSIXACL; ++ sb->s_iflags |= SB_I_SKIP_SYNC; + + err = -ENOMEM; + root_dentry = d_make_root(ovl_new_inode(sb, S_IFDIR, 0)); +diff --git a/fs/sync.c b/fs/sync.c +index 4d1ff010bc5af..16c2630ee4bf1 100644 +--- a/fs/sync.c ++++ b/fs/sync.c +@@ -76,7 +76,8 @@ static void sync_inodes_one_sb(struct super_block *sb, void *arg) + + static void sync_fs_one_sb(struct super_block *sb, void *arg) + { +- if (!sb_rdonly(sb) && sb->s_op->sync_fs) ++ if (!sb_rdonly(sb) && !(sb->s_iflags & SB_I_SKIP_SYNC) && ++ sb->s_op->sync_fs) + sb->s_op->sync_fs(sb, *(int *)arg); + } + +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 4b1553f570f2c..fbbd7ef7f6535 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1404,6 +1404,8 @@ extern int send_sigurg(struct fown_struct *fown); + #define SB_I_IMA_UNVERIFIABLE_SIGNATURE 0x00000020 + #define SB_I_UNTRUSTED_MOUNTER 0x00000040 + ++#define SB_I_SKIP_SYNC 0x00000100 /* Skip superblock at global sync */ ++ + /* Possible states of 'frozen' field */ + enum { + SB_UNFROZEN = 0, /* FS is unfrozen */ +-- +2.42.0 + diff --git a/queue-5.4/perf-intel-pt-adjust-sample-flags-for-vm-exit.patch b/queue-5.4/perf-intel-pt-adjust-sample-flags-for-vm-exit.patch new file mode 100644 index 00000000000..6837771e063 --- /dev/null +++ b/queue-5.4/perf-intel-pt-adjust-sample-flags-for-vm-exit.patch @@ -0,0 +1,54 @@ +From 066b799f813d593968446cf973dd49952030b7a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Feb 2021 11:57:59 +0200 +Subject: perf intel-pt: Adjust sample flags for VM-Exit + +From: Adrian Hunter + +[ Upstream commit 695fc4510615f8db40ebaf7a2c011f0a594b5f77 ] + +Use the change of NR to detect whether an asynchronous branch is a VM-Exit. + +Note VM-Entry is determined from the vmlaunch or vmresume instruction, +in which case, sample flags will show "VMentry" even if the VM-Entry fails. + +Signed-off-by: Adrian Hunter +Acked-by: Andi Kleen +Cc: Alexander Shishkin +Cc: Jiri Olsa +Link: https://lore.kernel.org/r/20210218095801.19576-10-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: f2d87895cbc4 ("perf intel-pt: Fix async branch flags") +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index b40832419a279..bead66d65dc0b 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -997,13 +997,16 @@ static void intel_pt_sample_flags(struct intel_pt_queue *ptq) + if (ptq->state->flags & INTEL_PT_ABORT_TX) { + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_TX_ABORT; + } else if (ptq->state->flags & INTEL_PT_ASYNC) { +- if (ptq->state->to_ip) ++ if (!ptq->state->to_ip) ++ ptq->flags = PERF_IP_FLAG_BRANCH | ++ PERF_IP_FLAG_TRACE_END; ++ else if (ptq->state->from_nr && !ptq->state->to_nr) ++ ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL | ++ PERF_IP_FLAG_VMEXIT; ++ else + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL | + PERF_IP_FLAG_ASYNC | + PERF_IP_FLAG_INTERRUPT; +- else +- ptq->flags = PERF_IP_FLAG_BRANCH | +- PERF_IP_FLAG_TRACE_END; + ptq->insn_len = 0; + } else { + if (ptq->state->from_ip) +-- +2.42.0 + diff --git a/queue-5.4/perf-intel-pt-fix-async-branch-flags.patch b/queue-5.4/perf-intel-pt-fix-async-branch-flags.patch new file mode 100644 index 00000000000..a7d42abdf04 --- /dev/null +++ b/queue-5.4/perf-intel-pt-fix-async-branch-flags.patch @@ -0,0 +1,42 @@ +From d20ed623e00c1bb490b735a413de98503691796d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 10:29:53 +0300 +Subject: perf intel-pt: Fix async branch flags + +From: Adrian Hunter + +[ Upstream commit f2d87895cbc4af80649850dcf5da36de6b2ed3dd ] + +Ensure PERF_IP_FLAG_ASYNC is set always for asynchronous branches (i.e. +interrupts etc). + +Fixes: 90e457f7be08 ("perf tools: Add Intel PT support") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Hunter +Acked-by: Namhyung Kim +Link: https://lore.kernel.org/r/20230928072953.19369-1-adrian.hunter@intel.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index bead66d65dc0b..8da264dd8c286 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -999,9 +999,11 @@ static void intel_pt_sample_flags(struct intel_pt_queue *ptq) + } else if (ptq->state->flags & INTEL_PT_ASYNC) { + if (!ptq->state->to_ip) + ptq->flags = PERF_IP_FLAG_BRANCH | ++ PERF_IP_FLAG_ASYNC | + PERF_IP_FLAG_TRACE_END; + else if (ptq->state->from_nr && !ptq->state->to_nr) + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL | ++ PERF_IP_FLAG_ASYNC | + PERF_IP_FLAG_VMEXIT; + else + ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL | +-- +2.42.0 + diff --git a/queue-5.4/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch b/queue-5.4/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch new file mode 100644 index 00000000000..a7e76e936a8 --- /dev/null +++ b/queue-5.4/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch @@ -0,0 +1,79 @@ +From 05a34ef0daf11bd2a8e58aac24fc31a270af3809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Nov 2023 21:24:20 +0900 +Subject: ravb: Fix races between ravb_tx_timeout_work() and net related ops + +From: Yoshihiro Shimoda + +[ Upstream commit 9870257a0a338cd8d6c1cddab74e703f490f6779 ] + +Fix races between ravb_tx_timeout_work() and functions of net_device_ops +and ethtool_ops by using rtnl_trylock() and rtnl_unlock(). Note that +since ravb_close() is under the rtnl lock and calls cancel_work_sync(), +ravb_tx_timeout_work() should calls rtnl_trylock(). Otherwise, a deadlock +may happen in ravb_tx_timeout_work() like below: + +CPU0 CPU1 + ravb_tx_timeout() + schedule_work() +... +__dev_close_many() +// Under rtnl lock +ravb_close() +cancel_work_sync() +// Waiting + ravb_tx_timeout_work() + rtnl_lock() + // This is possible to cause a deadlock + +If rtnl_trylock() fails, rescheduling the work with sleep for 1 msec. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20231127122420.3706751-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 367da05ddb1e7..765e55b489dbf 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1435,6 +1435,12 @@ static void ravb_tx_timeout_work(struct work_struct *work) + struct net_device *ndev = priv->ndev; + int error; + ++ if (!rtnl_trylock()) { ++ usleep_range(1000, 2000); ++ schedule_work(&priv->work); ++ return; ++ } ++ + netif_tx_stop_all_queues(ndev); + + /* Stop PTP Clock driver */ +@@ -1467,7 +1473,7 @@ static void ravb_tx_timeout_work(struct work_struct *work) + */ + netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n", + __func__, error); +- return; ++ goto out_unlock; + } + ravb_emac_init(ndev); + +@@ -1477,6 +1483,9 @@ static void ravb_tx_timeout_work(struct work_struct *work) + ravb_ptp_init(ndev, priv->pdev); + + netif_tx_start_all_queues(ndev); ++ ++out_unlock: ++ rtnl_unlock(); + } + + /* Packet transmit function for Ethernet AVB */ +-- +2.42.0 + diff --git a/queue-5.4/s390-cmma-fix-detection-of-dat-pages.patch b/queue-5.4/s390-cmma-fix-detection-of-dat-pages.patch new file mode 100644 index 00000000000..9a556f078f8 --- /dev/null +++ b/queue-5.4/s390-cmma-fix-detection-of-dat-pages.patch @@ -0,0 +1,67 @@ +From 71de14f230aae677f94a799a2dfcee84f9037077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 10:15:19 +0200 +Subject: s390/cmma: fix detection of DAT pages + +From: Heiko Carstens + +[ Upstream commit 44d93045247661acbd50b1629e62f415f2747577 ] + +If the cmma no-dat feature is available the kernel page tables are walked +to identify and mark all pages which are used for address translation (all +region, segment, and page tables). In a subsequent loop all other pages are +marked as "no-dat" pages with the ESSA instruction. + +This information is visible to the hypervisor, so that the hypervisor can +optimize purging of guest TLB entries. The initial loop however is +incorrect: only the first three of the four pages which belong to segment +and region tables will be marked as being used for DAT. The last page is +incorrectly marked as no-dat. + +This can result in incorrect guest TLB flushes. + +Fix this by simply marking all four pages. + +Cc: +Reviewed-by: Claudio Imbrenda +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/mm/page-states.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/mm/page-states.c b/arch/s390/mm/page-states.c +index 10d81deef330f..bef7e07da98ef 100644 +--- a/arch/s390/mm/page-states.c ++++ b/arch/s390/mm/page-states.c +@@ -131,7 +131,7 @@ static void mark_kernel_pud(p4d_t *p4d, unsigned long addr, unsigned long end) + continue; + if (!pud_folded(*pud)) { + page = phys_to_page(pud_val(*pud)); +- for (i = 0; i < 3; i++) ++ for (i = 0; i < 4; i++) + set_bit(PG_arch_1, &page[i].flags); + } + mark_kernel_pmd(pud, addr, next); +@@ -152,7 +152,7 @@ static void mark_kernel_p4d(pgd_t *pgd, unsigned long addr, unsigned long end) + continue; + if (!p4d_folded(*p4d)) { + page = phys_to_page(p4d_val(*p4d)); +- for (i = 0; i < 3; i++) ++ for (i = 0; i < 4; i++) + set_bit(PG_arch_1, &page[i].flags); + } + mark_kernel_pud(p4d, addr, next); +@@ -174,7 +174,7 @@ static void mark_kernel_pgd(void) + continue; + if (!pgd_folded(*pgd)) { + page = phys_to_page(pgd_val(*pgd)); +- for (i = 0; i < 3; i++) ++ for (i = 0; i < 4; i++) + set_bit(PG_arch_1, &page[i].flags); + } + mark_kernel_p4d(pgd, addr, next); +-- +2.42.0 + diff --git a/queue-5.4/s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch b/queue-5.4/s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch new file mode 100644 index 00000000000..cc1016f0559 --- /dev/null +++ b/queue-5.4/s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch @@ -0,0 +1,65 @@ +From 75b811b2bb8a3c3bc0c83064628f70c25b4ee9c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 18:32:55 +0200 +Subject: s390/mm: fix phys vs virt confusion in mark_kernel_pXd() functions + family + +From: Alexander Gordeev + +[ Upstream commit 3784231b1e091857bd129fd9658a8b3cedbdcd58 ] + +Due to historical reasons mark_kernel_pXd() functions +misuse the notion of physical vs virtual addresses +difference. + +Signed-off-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Stable-dep-of: 44d930452476 ("s390/cmma: fix detection of DAT pages") +Signed-off-by: Sasha Levin +--- + arch/s390/mm/page-states.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/mm/page-states.c b/arch/s390/mm/page-states.c +index fc141893d0284..10d81deef330f 100644 +--- a/arch/s390/mm/page-states.c ++++ b/arch/s390/mm/page-states.c +@@ -112,7 +112,7 @@ static void mark_kernel_pmd(pud_t *pud, unsigned long addr, unsigned long end) + next = pmd_addr_end(addr, end); + if (pmd_none(*pmd) || pmd_large(*pmd)) + continue; +- page = virt_to_page(pmd_val(*pmd)); ++ page = phys_to_page(pmd_val(*pmd)); + set_bit(PG_arch_1, &page->flags); + } while (pmd++, addr = next, addr != end); + } +@@ -130,7 +130,7 @@ static void mark_kernel_pud(p4d_t *p4d, unsigned long addr, unsigned long end) + if (pud_none(*pud) || pud_large(*pud)) + continue; + if (!pud_folded(*pud)) { +- page = virt_to_page(pud_val(*pud)); ++ page = phys_to_page(pud_val(*pud)); + for (i = 0; i < 3; i++) + set_bit(PG_arch_1, &page[i].flags); + } +@@ -151,7 +151,7 @@ static void mark_kernel_p4d(pgd_t *pgd, unsigned long addr, unsigned long end) + if (p4d_none(*p4d)) + continue; + if (!p4d_folded(*p4d)) { +- page = virt_to_page(p4d_val(*p4d)); ++ page = phys_to_page(p4d_val(*p4d)); + for (i = 0; i < 3; i++) + set_bit(PG_arch_1, &page[i].flags); + } +@@ -173,7 +173,7 @@ static void mark_kernel_pgd(void) + if (pgd_none(*pgd)) + continue; + if (!pgd_folded(*pgd)) { +- page = virt_to_page(pgd_val(*pgd)); ++ page = phys_to_page(pgd_val(*pgd)); + for (i = 0; i < 3; i++) + set_bit(PG_arch_1, &page[i].flags); + } +-- +2.42.0 + diff --git a/queue-5.4/scsi-core-introduce-the-scsi_cmd_to_rq-function.patch b/queue-5.4/scsi-core-introduce-the-scsi_cmd_to_rq-function.patch new file mode 100644 index 00000000000..94388a3ba5f --- /dev/null +++ b/queue-5.4/scsi-core-introduce-the-scsi_cmd_to_rq-function.patch @@ -0,0 +1,54 @@ +From d0f346c9e21dbd4dc404d9a10e313ed95318386a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 16:03:04 -0700 +Subject: scsi: core: Introduce the scsi_cmd_to_rq() function + +From: Bart Van Assche + +[ Upstream commit 51f3a478892873337c54068d1185bcd797000a52 ] + +The 'request' member of struct scsi_cmnd is superfluous. The struct request +and struct scsi_cmnd data structures are adjacent and hence the request +pointer can be derived easily from a scsi_cmnd pointer. Introduce a helper +function that performs that conversion in a type-safe way. This patch is +the first step towards removing the request member from struct +scsi_cmnd. Making that change has the following advantages: + + - This is a performance optimization since adding an offset to a pointer + takes less time than dereferencing a pointer. + + - struct scsi_cmnd becomes smaller. + +Link: https://lore.kernel.org/r/20210809230355.8186-2-bvanassche@acm.org +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Ming Lei +Reviewed-by: Hannes Reinecke +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Stable-dep-of: 19597cad64d6 ("scsi: qla2xxx: Fix system crash due to bad pointer access") +Signed-off-by: Sasha Levin +--- + include/scsi/scsi_cmnd.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h +index 7738a055d9535..dafde3d764d03 100644 +--- a/include/scsi/scsi_cmnd.h ++++ b/include/scsi/scsi_cmnd.h +@@ -143,6 +143,12 @@ struct scsi_cmnd { + unsigned char tag; /* SCSI-II queued command tag */ + }; + ++/* Variant of blk_mq_rq_from_pdu() that verifies the type of its argument. */ ++static inline struct request *scsi_cmd_to_rq(struct scsi_cmnd *scmd) ++{ ++ return blk_mq_rq_from_pdu(scmd); ++} ++ + /* + * Return the driver private allocation behind the command. + * Only works if cmd_size is set in the host template. +-- +2.42.0 + diff --git a/queue-5.4/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch b/queue-5.4/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch new file mode 100644 index 00000000000..09271ce2e52 --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch @@ -0,0 +1,77 @@ +From 0076df71443c65ab7a1479b25490fe1c967b55ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 12:19:12 +0530 +Subject: scsi: qla2xxx: Fix system crash due to bad pointer access + +From: Quinn Tran + +[ Upstream commit 19597cad64d608aa8ac2f8aef50a50187a565223 ] + +User experiences system crash when running AER error injection. The +perturbation causes the abort-all-I/O path to trigger. The driver assumes +all I/O on this path is FCP only. If there is both NVMe & FCP traffic, a +system crash happens. Add additional check to see if I/O is FCP or not +before access. + +PID: 999019 TASK: ff35d769f24722c0 CPU: 53 COMMAND: "kworker/53:1" + 0 [ff3f78b964847b58] machine_kexec at ffffffffae86973d + 1 [ff3f78b964847ba8] __crash_kexec at ffffffffae9be29d + 2 [ff3f78b964847c70] crash_kexec at ffffffffae9bf528 + 3 [ff3f78b964847c78] oops_end at ffffffffae8282ab + 4 [ff3f78b964847c98] exc_page_fault at ffffffffaf2da502 + 5 [ff3f78b964847cc0] asm_exc_page_fault at ffffffffaf400b62 + [exception RIP: qla2x00_abort_srb+444] + RIP: ffffffffc07b5f8c RSP: ff3f78b964847d78 RFLAGS: 00010046 + RAX: 0000000000000282 RBX: ff35d74a0195a200 RCX: ff35d76886fd03a0 + RDX: 0000000000000001 RSI: ffffffffc07c5ec8 RDI: ff35d74a0195a200 + RBP: ff35d76913d22080 R8: ff35d7694d103200 R9: ff35d7694d103200 + R10: 0000000100000000 R11: ffffffffb05d6630 R12: 0000000000010000 + R13: ff3f78b964847df8 R14: ff35d768d8754000 R15: ff35d768877248e0 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + 6 [ff3f78b964847d70] qla2x00_abort_srb at ffffffffc07b5f84 [qla2xxx] + 7 [ff3f78b964847de0] __qla2x00_abort_all_cmds at ffffffffc07b6238 [qla2xxx] + 8 [ff3f78b964847e38] qla2x00_abort_all_cmds at ffffffffc07ba635 [qla2xxx] + 9 [ff3f78b964847e58] qla2x00_terminate_rport_io at ffffffffc08145eb [qla2xxx] +10 [ff3f78b964847e70] fc_terminate_rport_io at ffffffffc045987e [scsi_transport_fc] +11 [ff3f78b964847e88] process_one_work at ffffffffae914f15 +12 [ff3f78b964847ed0] worker_thread at ffffffffae9154c0 +13 [ff3f78b964847f10] kthread at ffffffffae91c456 +14 [ff3f78b964847f50] ret_from_fork at ffffffffae8036ef + +Cc: stable@vger.kernel.org +Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20231030064912.37912-1-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index eb6fb78ebefde..6da85ad96c9b8 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1705,8 +1705,16 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res, + } + + spin_lock_irqsave(qp->qp_lock_ptr, *flags); +- if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd))) +- sp->done(sp, res); ++ switch (sp->type) { ++ case SRB_SCSI_CMD: ++ if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd))) ++ sp->done(sp, res); ++ break; ++ default: ++ if (ret_cmd) ++ sp->done(sp, res); ++ break; ++ } + } else { + sp->done(sp, res); + } +-- +2.42.0 + diff --git a/queue-5.4/scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch b/queue-5.4/scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch new file mode 100644 index 00000000000..41f11dfcd0e --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch @@ -0,0 +1,148 @@ +From b9082ca9d25d2ef2cb12cd011dbb577ef1d7da4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2020 20:34:37 -0800 +Subject: scsi: qla2xxx: Simplify the code for aborting SCSI commands + +From: Bart Van Assche + +[ Upstream commit c81ef0ed4477c637d1f1dd96ecd8e8fbe18b7283 ] + +Since the SCSI core does not reuse the tag of the SCSI command that is +being aborted by .eh_abort() before .eh_abort() has finished it is not +necessary to check from inside that callback whether or not the SCSI +command has already completed. Instead, rely on the firmware to return an +error code when attempting to abort a command that has already +completed. Additionally, rely on the firmware to return an error code when +attempting to abort an already aborted command. + +In qla2x00_abort_srb(), use blk_mq_request_started() instead of +sp->completed and sp->aborted. + +Link: https://lore.kernel.org/r/20200220043441.20504-2-bvanassche@acm.org +Cc: Martin Wilck +Cc: Quinn Tran +Reviewed-by: Daniel Wagner +Reviewed-by: Roman Bolshakov +Acked-by: Himanshu Madhani +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Stable-dep-of: 19597cad64d6 ("scsi: qla2xxx: Fix system crash due to bad pointer access") +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_def.h | 3 --- + drivers/scsi/qla2xxx/qla_isr.c | 5 ----- + drivers/scsi/qla2xxx/qla_os.c | 27 ++++++++++++++------------- + 3 files changed, 14 insertions(+), 21 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h +index 2ef6277244f57..bfddae586995a 100644 +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -596,9 +596,6 @@ typedef struct srb { + struct fc_port *fcport; + struct scsi_qla_host *vha; + unsigned int start_timer:1; +- unsigned int abort:1; +- unsigned int aborted:1; +- unsigned int completed:1; + + uint32_t handle; + uint16_t flags; +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index aca8ec3ff9391..c5021bd1ad5e5 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -2479,11 +2479,6 @@ qla2x00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt) + return; + } + +- if (sp->abort) +- sp->aborted = 1; +- else +- sp->completed = 1; +- + if (sp->cmd_type != TYPE_SRB) { + req->outstanding_cmds[handle] = NULL; + ql_dbg(ql_dbg_io, vha, 0x3015, +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 57f8d2378f778..8329b80c41eb7 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1243,17 +1243,6 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) + return fast_fail_status != SUCCESS ? fast_fail_status : FAILED; + + spin_lock_irqsave(qpair->qp_lock_ptr, flags); +- if (sp->completed) { +- spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); +- return SUCCESS; +- } +- +- if (sp->abort || sp->aborted) { +- spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); +- return FAILED; +- } +- +- sp->abort = 1; + sp->comp = ∁ + spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); + +@@ -1661,6 +1650,10 @@ qla2x00_loop_reset(scsi_qla_host_t *vha) + return QLA_SUCCESS; + } + ++/* ++ * The caller must ensure that no completion interrupts will happen ++ * while this function is in progress. ++ */ + static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res, + unsigned long *flags) + __releases(qp->qp_lock_ptr) +@@ -1669,6 +1662,7 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res, + DECLARE_COMPLETION_ONSTACK(comp); + scsi_qla_host_t *vha = qp->vha; + struct qla_hw_data *ha = vha->hw; ++ struct scsi_cmnd *cmd = GET_CMD_SP(sp); + int rval; + bool ret_cmd; + uint32_t ratov_j; +@@ -1688,7 +1682,6 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res, + } + + sp->comp = ∁ +- sp->abort = 1; + spin_unlock_irqrestore(qp->qp_lock_ptr, *flags); + + rval = ha->isp_ops->abort_command(sp); +@@ -1712,13 +1705,17 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res, + } + + spin_lock_irqsave(qp->qp_lock_ptr, *flags); +- if (ret_cmd && (!sp->completed || !sp->aborted)) ++ if (ret_cmd && blk_mq_request_started(cmd->request)) + sp->done(sp, res); + } else { + sp->done(sp, res); + } + } + ++/* ++ * The caller must ensure that no completion interrupts will happen ++ * while this function is in progress. ++ */ + static void + __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res) + { +@@ -1776,6 +1773,10 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res) + spin_unlock_irqrestore(qp->qp_lock_ptr, flags); + } + ++/* ++ * The caller must ensure that no completion interrupts will happen ++ * while this function is in progress. ++ */ + void + qla2x00_abort_all_cmds(scsi_qla_host_t *vha, int res) + { +-- +2.42.0 + diff --git a/queue-5.4/scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch b/queue-5.4/scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch new file mode 100644 index 00000000000..c427c2b384b --- /dev/null +++ b/queue-5.4/scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch @@ -0,0 +1,46 @@ +From f2bda75431e401cf645d5ff6890b14d18be641a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 16:03:41 -0700 +Subject: scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request + +From: Bart Van Assche + +[ Upstream commit c7d6b2c2cd5656b05849afb0de3f422da1742d0f ] + +Prepare for removal of the request pointer by using scsi_cmd_to_rq() +instead. This patch does not change any functionality. + +Link: https://lore.kernel.org/r/20210809230355.8186-39-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Stable-dep-of: 19597cad64d6 ("scsi: qla2xxx: Fix system crash due to bad pointer access") +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 8329b80c41eb7..eb6fb78ebefde 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -814,7 +814,7 @@ qla2xxx_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) + uint16_t hwq; + struct qla_qpair *qpair = NULL; + +- tag = blk_mq_unique_tag(cmd->request); ++ tag = blk_mq_unique_tag(scsi_cmd_to_rq(cmd)); + hwq = blk_mq_unique_tag_to_hwq(tag); + qpair = ha->queue_pair_map[hwq]; + +@@ -1705,7 +1705,7 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res, + } + + spin_lock_irqsave(qp->qp_lock_ptr, *flags); +- if (ret_cmd && blk_mq_request_started(cmd->request)) ++ if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd))) + sp->done(sp, res); + } else { + sp->done(sp, res); +-- +2.42.0 + diff --git a/queue-5.4/series b/queue-5.4/series index e7dfb207e67..525fbab3090 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -64,3 +64,30 @@ btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch btrfs-send-ensure-send_fd-is-writable.patch btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch input-xpad-add-hyperx-clutch-gladiate-support.patch +ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch +net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch +ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch +net-ravb-use-pm_runtime_resume_and_get.patch +net-ravb-start-tx-queues-after-hw-initialization-suc.patch +perf-intel-pt-adjust-sample-flags-for-vm-exit.patch +perf-intel-pt-fix-async-branch-flags.patch +ext4-improve-write-performance-with-disabled-delallo.patch +ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch +smb3-fix-touch-h-of-symlink.patch +s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch +s390-cmma-fix-detection-of-dat-pages.patch +arm64-kconfig-add-a-choice-for-endianness.patch +arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch +arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch +mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch +mtd-cfi_cmdset_0001-byte-swap-otp-info.patch +fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch +ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch +ovl-skip-overlayfs-superblocks-at-global-sync.patch +ima-detect-changes-to-the-backing-overlay-file.patch +scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch +scsi-core-introduce-the-scsi_cmd_to_rq-function.patch +scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch +scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch +cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch +cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch diff --git a/queue-5.4/smb3-fix-touch-h-of-symlink.patch b/queue-5.4/smb3-fix-touch-h-of-symlink.patch new file mode 100644 index 00000000000..1d92c120d6b --- /dev/null +++ b/queue-5.4/smb3-fix-touch-h-of-symlink.patch @@ -0,0 +1,40 @@ +From 46a4b3c859d93ff6de2930ac65868aeba2b0d401 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Oct 2023 12:18:23 -0500 +Subject: smb3: fix touch -h of symlink + +From: Steve French + +[ Upstream commit 475efd9808a3094944a56240b2711349e433fb66 ] + +For example: + touch -h -t 02011200 testfile +where testfile is a symlink would not change the timestamp, but + touch -t 02011200 testfile +does work to change the timestamp of the target + +Suggested-by: David Howells +Reported-by: Micah Veilleux +Closes: https://bugzilla.samba.org/show_bug.cgi?id=14476 +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index b6149952ab846..917441e3018ad 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -1062,6 +1062,7 @@ const struct inode_operations cifs_file_inode_ops = { + + const struct inode_operations cifs_symlink_inode_ops = { + .get_link = cifs_get_link, ++ .setattr = cifs_setattr, + .permission = cifs_permission, + .listxattr = cifs_listxattr, + }; +-- +2.42.0 + -- 2.47.3