From: Greg Kroah-Hartman Date: Tue, 30 Jul 2024 09:13:20 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.1.103~47 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0c6089b19b696b6816254b84973311028da1cd1e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch decompress_bunzip2-fix-rare-decompression-failure.patch devres-fix-devm_krealloc-wasting-memory.patch devres-fix-memory-leakage-caused-by-driver-api-devm_free_percpu.patch gve-fix-an-edge-case-for-tso-skb-validity-check.patch kbuild-fix-s-c-in-x86-stack-protector-scripts.patch kobject_uevent-fix-oob-access-within-zap_modalias_env.patch mm-numa_balancing-teach-mpol_to_str-about-the-balancing-mode.patch rtc-cmos-fix-return-value-of-nvmem-callbacks.patch ubi-eba-properly-rollback-inside-self_check_eba.patch --- diff --git a/queue-5.15/clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch b/queue-5.15/clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch new file mode 100644 index 00000000000..c0e2fc69715 --- /dev/null +++ b/queue-5.15/clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch @@ -0,0 +1,46 @@ +From a83b22754e351f13fb46596c85f667dc33da71ec Mon Sep 17 00:00:00 2001 +From: Bastien Curutchet +Date: Thu, 18 Jul 2024 13:55:34 +0200 +Subject: clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use + +From: Bastien Curutchet + +commit a83b22754e351f13fb46596c85f667dc33da71ec upstream. + +The flag attribute of the struct clk_init_data isn't initialized before +the devm_clk_hw_register() call. This can lead to unexpected behavior +during registration. + +Initialize the entire clk_init_data to zero at declaration. + +Cc: stable@vger.kernel.org +Fixes: 58e1e2d2cd89 ("clk: davinci: cfgchip: Add TI DA8XX USB PHY clocks") +Signed-off-by: Bastien Curutchet +Reviewed-by: David Lechner +Link: https://lore.kernel.org/r/20240718115534.41513-1-bastien.curutchet@bootlin.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/davinci/da8xx-cfgchip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/davinci/da8xx-cfgchip.c ++++ b/drivers/clk/davinci/da8xx-cfgchip.c +@@ -505,7 +505,7 @@ da8xx_cfgchip_register_usb0_clk48(struct + const char * const parent_names[] = { "usb_refclkin", "pll0_auxclk" }; + struct clk *fck_clk; + struct da8xx_usb0_clk48 *usb0; +- struct clk_init_data init; ++ struct clk_init_data init = {}; + int ret; + + fck_clk = devm_clk_get(dev, "fck"); +@@ -580,7 +580,7 @@ da8xx_cfgchip_register_usb1_clk48(struct + { + const char * const parent_names[] = { "usb0_clk48", "usb_refclkin" }; + struct da8xx_usb1_clk48 *usb1; +- struct clk_init_data init; ++ struct clk_init_data init = {}; + int ret; + + usb1 = devm_kzalloc(dev, sizeof(*usb1), GFP_KERNEL); diff --git a/queue-5.15/decompress_bunzip2-fix-rare-decompression-failure.patch b/queue-5.15/decompress_bunzip2-fix-rare-decompression-failure.patch new file mode 100644 index 00000000000..0bcb5d142e4 --- /dev/null +++ b/queue-5.15/decompress_bunzip2-fix-rare-decompression-failure.patch @@ -0,0 +1,41 @@ +From bf6acd5d16057d7accbbb1bf7dc6d8c56eeb4ecc Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Wed, 17 Jul 2024 17:20:16 +0100 +Subject: decompress_bunzip2: fix rare decompression failure + +From: Ross Lagerwall + +commit bf6acd5d16057d7accbbb1bf7dc6d8c56eeb4ecc upstream. + +The decompression code parses a huffman tree and counts the number of +symbols for a given bit length. In rare cases, there may be >= 256 +symbols with a given bit length, causing the unsigned char to overflow. +This causes a decompression failure later when the code tries and fails to +find the bit length for a given symbol. + +Since the maximum number of symbols is 258, use unsigned short instead. + +Link: https://lkml.kernel.org/r/20240717162016.1514077-1-ross.lagerwall@citrix.com +Fixes: bc22c17e12c1 ("bzip2/lzma: library support for gzip, bzip2 and lzma decompression") +Signed-off-by: Ross Lagerwall +Cc: Alain Knaff +Cc: "H. Peter Anvin" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/decompress_bunzip2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/decompress_bunzip2.c ++++ b/lib/decompress_bunzip2.c +@@ -232,7 +232,8 @@ static int INIT get_next_block(struct bu + RUNB) */ + symCount = symTotal+2; + for (j = 0; j < groupCount; j++) { +- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1]; ++ unsigned char length[MAX_SYMBOLS]; ++ unsigned short temp[MAX_HUFCODE_BITS+1]; + int minLen, maxLen, pp; + /* Read Huffman code lengths for each symbol. They're + stored in a way similar to mtf; record a starting diff --git a/queue-5.15/devres-fix-devm_krealloc-wasting-memory.patch b/queue-5.15/devres-fix-devm_krealloc-wasting-memory.patch new file mode 100644 index 00000000000..30d1d1ebbcb --- /dev/null +++ b/queue-5.15/devres-fix-devm_krealloc-wasting-memory.patch @@ -0,0 +1,38 @@ +From c884e3249f753dcef7a2b2023541ac1dc46b318e Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Tue, 2 Jul 2024 22:51:50 +0800 +Subject: devres: Fix devm_krealloc() wasting memory + +From: Zijun Hu + +commit c884e3249f753dcef7a2b2023541ac1dc46b318e upstream. + +Driver API devm_krealloc() calls alloc_dr() with wrong argument +@total_new_size, so causes more memory to be allocated than required +fix this memory waste by using @new_size as the argument for alloc_dr(). + +Fixes: f82485722e5d ("devres: provide devm_krealloc()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/1719931914-19035-2-git-send-email-quic_zijuhu@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/devres.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/base/devres.c ++++ b/drivers/base/devres.c +@@ -890,9 +890,12 @@ void *devm_krealloc(struct device *dev, + /* + * Otherwise: allocate new, larger chunk. We need to allocate before + * taking the lock as most probably the caller uses GFP_KERNEL. ++ * alloc_dr() will call check_dr_size() to reserve extra memory ++ * for struct devres automatically, so size @new_size user request ++ * is delivered to it directly as devm_kmalloc() does. + */ + new_dr = alloc_dr(devm_kmalloc_release, +- total_new_size, gfp, dev_to_node(dev)); ++ new_size, gfp, dev_to_node(dev)); + if (!new_dr) + return NULL; + diff --git a/queue-5.15/devres-fix-memory-leakage-caused-by-driver-api-devm_free_percpu.patch b/queue-5.15/devres-fix-memory-leakage-caused-by-driver-api-devm_free_percpu.patch new file mode 100644 index 00000000000..da14339b6cd --- /dev/null +++ b/queue-5.15/devres-fix-memory-leakage-caused-by-driver-api-devm_free_percpu.patch @@ -0,0 +1,37 @@ +From bd50a974097bb82d52a458bd3ee39fb723129a0c Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Tue, 2 Jul 2024 22:51:51 +0800 +Subject: devres: Fix memory leakage caused by driver API devm_free_percpu() + +From: Zijun Hu + +commit bd50a974097bb82d52a458bd3ee39fb723129a0c upstream. + +It will cause memory leakage when use driver API devm_free_percpu() +to free memory allocated by devm_alloc_percpu(), fixed by using +devres_release() instead of devres_destroy() within devm_free_percpu(). + +Fixes: ff86aae3b411 ("devres: add devm_alloc_percpu()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/1719931914-19035-3-git-send-email-quic_zijuhu@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/devres.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/base/devres.c ++++ b/drivers/base/devres.c +@@ -1219,7 +1219,11 @@ EXPORT_SYMBOL_GPL(__devm_alloc_percpu); + */ + void devm_free_percpu(struct device *dev, void __percpu *pdata) + { +- WARN_ON(devres_destroy(dev, devm_percpu_release, devm_percpu_match, ++ /* ++ * Use devres_release() to prevent memory leakage as ++ * devm_free_pages() does. ++ */ ++ WARN_ON(devres_release(dev, devm_percpu_release, devm_percpu_match, + (__force void *)pdata)); + } + EXPORT_SYMBOL_GPL(devm_free_percpu); diff --git a/queue-5.15/gve-fix-an-edge-case-for-tso-skb-validity-check.patch b/queue-5.15/gve-fix-an-edge-case-for-tso-skb-validity-check.patch new file mode 100644 index 00000000000..a161262c347 --- /dev/null +++ b/queue-5.15/gve-fix-an-edge-case-for-tso-skb-validity-check.patch @@ -0,0 +1,91 @@ +From 36e3b949e35964e22b9a57f960660fc599038dd4 Mon Sep 17 00:00:00 2001 +From: Bailey Forrest +Date: Wed, 24 Jul 2024 07:34:31 -0700 +Subject: gve: Fix an edge case for TSO skb validity check + +From: Bailey Forrest + +commit 36e3b949e35964e22b9a57f960660fc599038dd4 upstream. + +The NIC requires each TSO segment to not span more than 10 +descriptors. NIC further requires each descriptor to not exceed +16KB - 1 (GVE_TX_MAX_BUF_SIZE_DQO). + +The descriptors for an skb are generated by +gve_tx_add_skb_no_copy_dqo() for DQO RDA queue format. +gve_tx_add_skb_no_copy_dqo() loops through each skb frag and +generates a descriptor for the entire frag if the frag size is +not greater than GVE_TX_MAX_BUF_SIZE_DQO. If the frag size is +greater than GVE_TX_MAX_BUF_SIZE_DQO, it is split into descriptor(s) +of size GVE_TX_MAX_BUF_SIZE_DQO and a descriptor is generated for +the remainder (frag size % GVE_TX_MAX_BUF_SIZE_DQO). + +gve_can_send_tso() checks if the descriptors thus generated for an +skb would meet the requirement that each TSO-segment not span more +than 10 descriptors. However, the current code misses an edge case +when a TSO segment spans multiple descriptors within a large frag. +This change fixes the edge case. + +gve_can_send_tso() relies on the assumption that max gso size (9728) +is less than GVE_TX_MAX_BUF_SIZE_DQO and therefore within an skb +fragment a TSO segment can never span more than 2 descriptors. + +Fixes: a57e5de476be ("gve: DQO: Add TX path") +Signed-off-by: Praveen Kaligineedi +Signed-off-by: Bailey Forrest +Reviewed-by: Jeroen de Borst +Cc: stable@vger.kernel.org +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240724143431.3343722-1-pkaligineedi@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_tx_dqo.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c ++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +@@ -606,22 +606,42 @@ static bool gve_can_send_tso(const struc + const struct skb_shared_info *shinfo = skb_shinfo(skb); + const int gso_size = shinfo->gso_size; + int cur_seg_num_bufs; ++ int prev_frag_size; + int cur_seg_size; + int i; + + cur_seg_size = skb_headlen(skb) - header_len; ++ prev_frag_size = skb_headlen(skb); + cur_seg_num_bufs = cur_seg_size > 0; + + for (i = 0; i < shinfo->nr_frags; i++) { + if (cur_seg_size >= gso_size) { + cur_seg_size %= gso_size; + cur_seg_num_bufs = cur_seg_size > 0; ++ ++ if (prev_frag_size > GVE_TX_MAX_BUF_SIZE_DQO) { ++ int prev_frag_remain = prev_frag_size % ++ GVE_TX_MAX_BUF_SIZE_DQO; ++ ++ /* If the last descriptor of the previous frag ++ * is less than cur_seg_size, the segment will ++ * span two descriptors in the previous frag. ++ * Since max gso size (9728) is less than ++ * GVE_TX_MAX_BUF_SIZE_DQO, it is impossible ++ * for the segment to span more than two ++ * descriptors. ++ */ ++ if (prev_frag_remain && ++ cur_seg_size > prev_frag_remain) ++ cur_seg_num_bufs++; ++ } + } + + if (unlikely(++cur_seg_num_bufs > max_bufs_per_seg)) + return false; + +- cur_seg_size += skb_frag_size(&shinfo->frags[i]); ++ prev_frag_size = skb_frag_size(&shinfo->frags[i]); ++ cur_seg_size += prev_frag_size; + } + + return true; diff --git a/queue-5.15/kbuild-fix-s-c-in-x86-stack-protector-scripts.patch b/queue-5.15/kbuild-fix-s-c-in-x86-stack-protector-scripts.patch new file mode 100644 index 00000000000..de3c02ec86d --- /dev/null +++ b/queue-5.15/kbuild-fix-s-c-in-x86-stack-protector-scripts.patch @@ -0,0 +1,58 @@ +From 3415b10a03945b0da4a635e146750dfe5ce0f448 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 26 Jul 2024 11:05:00 -0700 +Subject: kbuild: Fix '-S -c' in x86 stack protector scripts + +From: Nathan Chancellor + +commit 3415b10a03945b0da4a635e146750dfe5ce0f448 upstream. + +After a recent change in clang to stop consuming all instances of '-S' +and '-c' [1], the stack protector scripts break due to the kernel's use +of -Werror=unused-command-line-argument to catch cases where flags are +not being properly consumed by the compiler driver: + + $ echo | clang -o - -x c - -S -c -Werror=unused-command-line-argument + clang: error: argument unused during compilation: '-c' [-Werror,-Wunused-command-line-argument] + +This results in CONFIG_STACKPROTECTOR getting disabled because +CONFIG_CC_HAS_SANE_STACKPROTECTOR is no longer set. + +'-c' and '-S' both instruct the compiler to stop at different stages of +the pipeline ('-S' after compiling, '-c' after assembling), so having +them present together in the same command makes little sense. In this +case, the test wants to stop before assembling because it is looking at +the textual assembly output of the compiler for either '%fs' or '%gs', +so remove '-c' from the list of arguments to resolve the error. + +All versions of GCC continue to work after this change, along with +versions of clang that do or do not contain the change mentioned above. + +Cc: stable@vger.kernel.org +Fixes: 4f7fd4d7a791 ("[PATCH] Add the -fstack-protector option to the CFLAGS") +Fixes: 60a5317ff0f4 ("x86: implement x86_32 stack protector") +Link: https://github.com/llvm/llvm-project/commit/6461e537815f7fa68cef06842505353cf5600e9c [1] +Signed-off-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + scripts/gcc-x86_32-has-stack-protector.sh | 2 +- + scripts/gcc-x86_64-has-stack-protector.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/scripts/gcc-x86_32-has-stack-protector.sh ++++ b/scripts/gcc-x86_32-has-stack-protector.sh +@@ -5,4 +5,4 @@ + # -mstack-protector-guard-reg, added by + # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81708 + +-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -m32 -O0 -fstack-protector -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard - -o - 2> /dev/null | grep -q "%fs" ++echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -m32 -O0 -fstack-protector -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard - -o - 2> /dev/null | grep -q "%fs" +--- a/scripts/gcc-x86_64-has-stack-protector.sh ++++ b/scripts/gcc-x86_64-has-stack-protector.sh +@@ -1,4 +1,4 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + +-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -m64 -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs" ++echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -m64 -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs" diff --git a/queue-5.15/kobject_uevent-fix-oob-access-within-zap_modalias_env.patch b/queue-5.15/kobject_uevent-fix-oob-access-within-zap_modalias_env.patch new file mode 100644 index 00000000000..db9a5665fe8 --- /dev/null +++ b/queue-5.15/kobject_uevent-fix-oob-access-within-zap_modalias_env.patch @@ -0,0 +1,50 @@ +From dd6e9894b451e7c85cceb8e9dc5432679a70e7dc Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Thu, 30 May 2024 21:14:37 +0800 +Subject: kobject_uevent: Fix OOB access within zap_modalias_env() + +From: Zijun Hu + +commit dd6e9894b451e7c85cceb8e9dc5432679a70e7dc upstream. + +zap_modalias_env() wrongly calculates size of memory block to move, so +will cause OOB memory access issue if variable MODALIAS is not the last +one within its @env parameter, fixed by correcting size to memmove. + +Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Reviewed-by: Lk Sii +Link: https://lore.kernel.org/r/1717074877-11352-1-git-send-email-quic_zijuhu@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + lib/kobject_uevent.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/lib/kobject_uevent.c ++++ b/lib/kobject_uevent.c +@@ -432,8 +432,23 @@ static void zap_modalias_env(struct kobj + len = strlen(env->envp[i]) + 1; + + if (i != env->envp_idx - 1) { ++ /* @env->envp[] contains pointers to @env->buf[] ++ * with @env->buflen chars, and we are removing ++ * variable MODALIAS here pointed by @env->envp[i] ++ * with length @len as shown below: ++ * ++ * 0 @env->buf[] @env->buflen ++ * --------------------------------------------- ++ * ^ ^ ^ ^ ++ * | |-> @len <-| target block | ++ * @env->envp[0] @env->envp[i] @env->envp[i + 1] ++ * ++ * so the "target block" indicated above is moved ++ * backward by @len, and its right size is ++ * @env->buflen - (@env->envp[i + 1] - @env->envp[0]). ++ */ + memmove(env->envp[i], env->envp[i + 1], +- env->buflen - len); ++ env->buflen - (env->envp[i + 1] - env->envp[0])); + + for (j = i; j < env->envp_idx - 1; j++) + env->envp[j] = env->envp[j + 1] - len; diff --git a/queue-5.15/mm-numa_balancing-teach-mpol_to_str-about-the-balancing-mode.patch b/queue-5.15/mm-numa_balancing-teach-mpol_to_str-about-the-balancing-mode.patch new file mode 100644 index 00000000000..68fcb1c9cd9 --- /dev/null +++ b/queue-5.15/mm-numa_balancing-teach-mpol_to_str-about-the-balancing-mode.patch @@ -0,0 +1,111 @@ +From af649773fb25250cd22625af021fb6275c56a3ee Mon Sep 17 00:00:00 2001 +From: Tvrtko Ursulin +Date: Mon, 8 Jul 2024 08:56:32 +0100 +Subject: mm/numa_balancing: teach mpol_to_str about the balancing mode + +From: Tvrtko Ursulin + +commit af649773fb25250cd22625af021fb6275c56a3ee upstream. + +Since balancing mode was added in bda420b98505 ("numa balancing: migrate +on fault among multiple bound nodes"), it was possible to set this mode +but it wouldn't be shown in /proc//numa_maps since there was no +support for it in the mpol_to_str() helper. + +Furthermore, because the balancing mode sets the MPOL_F_MORON flag, it +would be displayed as 'default' due a workaround introduced a few years +earlier in 8790c71a18e5 ("mm/mempolicy.c: fix mempolicy printing in +numa_maps"). + +To tidy this up we implement two changes: + +Replace the MPOL_F_MORON check by pointer comparison against the +preferred_node_policy array. By doing this we generalise the current +special casing and replace the incorrect 'default' with the correct 'bind' +for the mode. + +Secondly, we add a string representation and corresponding handling for +the MPOL_F_NUMA_BALANCING flag. + +With the two changes together we start showing the balancing flag when it +is set and therefore complete the fix. + +Representation format chosen is to separate multiple flags with vertical +bars, following what existed long time ago in kernel 2.6.25. But as +between then and now there wasn't a way to display multiple flags, this +patch does not change the format in practice. + +Some /proc//numa_maps output examples: + + 555559580000 bind=balancing:0-1,3 file=... + 555585800000 bind=balancing|static:0,2 file=... + 555635240000 prefer=relative:0 file= + +Link: https://lkml.kernel.org/r/20240708075632.95857-1-tursulin@igalia.com +Signed-off-by: Tvrtko Ursulin +Fixes: bda420b98505 ("numa balancing: migrate on fault among multiple bound nodes") +References: 8790c71a18e5 ("mm/mempolicy.c: fix mempolicy printing in numa_maps") +Reviewed-by: "Huang, Ying" +Cc: Mel Gorman +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Rik van Riel +Cc: Johannes Weiner +Cc: "Matthew Wilcox (Oracle)" +Cc: Dave Hansen +Cc: Andi Kleen +Cc: Michal Hocko +Cc: David Rientjes +Cc: [5.12+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempolicy.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -2921,8 +2921,9 @@ out: + * @pol: pointer to mempolicy to be formatted + * + * Convert @pol into a string. If @buffer is too short, truncate the string. +- * Recommend a @maxlen of at least 32 for the longest mode, "interleave", the +- * longest flag, "relative", and to display at least a few node ids. ++ * Recommend a @maxlen of at least 51 for the longest mode, "weighted ++ * interleave", plus the longest flag flags, "relative|balancing", and to ++ * display at least a few node ids. + */ + void mpol_to_str(char *buffer, int maxlen, struct mempolicy *pol) + { +@@ -2931,7 +2932,10 @@ void mpol_to_str(char *buffer, int maxle + unsigned short mode = MPOL_DEFAULT; + unsigned short flags = 0; + +- if (pol && pol != &default_policy && !(pol->flags & MPOL_F_MORON)) { ++ if (pol && ++ pol != &default_policy && ++ !(pol >= &preferred_node_policy[0] && ++ pol <= &preferred_node_policy[ARRAY_SIZE(preferred_node_policy) - 1])) { + mode = pol->mode; + flags = pol->flags; + } +@@ -2958,12 +2962,18 @@ void mpol_to_str(char *buffer, int maxle + p += snprintf(p, buffer + maxlen - p, "="); + + /* +- * Currently, the only defined flags are mutually exclusive ++ * Static and relative are mutually exclusive. + */ + if (flags & MPOL_F_STATIC_NODES) + p += snprintf(p, buffer + maxlen - p, "static"); + else if (flags & MPOL_F_RELATIVE_NODES) + p += snprintf(p, buffer + maxlen - p, "relative"); ++ ++ if (flags & MPOL_F_NUMA_BALANCING) { ++ if (!is_power_of_2(flags & MPOL_MODE_FLAGS)) ++ p += snprintf(p, buffer + maxlen - p, "|"); ++ p += snprintf(p, buffer + maxlen - p, "balancing"); ++ } + } + + if (!nodes_empty(nodes)) diff --git a/queue-5.15/rtc-cmos-fix-return-value-of-nvmem-callbacks.patch b/queue-5.15/rtc-cmos-fix-return-value-of-nvmem-callbacks.patch new file mode 100644 index 00000000000..ba5a13c40c9 --- /dev/null +++ b/queue-5.15/rtc-cmos-fix-return-value-of-nvmem-callbacks.patch @@ -0,0 +1,77 @@ +From 1c184baccf0d5e2ef4cc1562261d0e48508a1c2b Mon Sep 17 00:00:00 2001 +From: Joy Chakraborty +Date: Wed, 12 Jun 2024 08:36:35 +0000 +Subject: rtc: cmos: Fix return value of nvmem callbacks + +From: Joy Chakraborty + +commit 1c184baccf0d5e2ef4cc1562261d0e48508a1c2b upstream. + +Read/write callbacks registered with nvmem core expect 0 to be returned +on success and a negative value to be returned on failure. + +cmos_nvram_read()/cmos_nvram_write() currently return the number of +bytes read or written, fix to return 0 on success and -EIO incase number +of bytes requested was not read or written. + +Fixes: 8b5b7958fd1c ("rtc: cmos: use generic nvmem") +Cc: stable@vger.kernel.org +Signed-off-by: Joy Chakraborty +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20240612083635.1253039-1-joychakr@google.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-cmos.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -643,11 +643,10 @@ static int cmos_nvram_read(void *priv, u + size_t count) + { + unsigned char *buf = val; +- int retval; + + off += NVRAM_OFFSET; + spin_lock_irq(&rtc_lock); +- for (retval = 0; count; count--, off++, retval++) { ++ for (; count; count--, off++) { + if (off < 128) + *buf++ = CMOS_READ(off); + else if (can_bank2) +@@ -657,7 +656,7 @@ static int cmos_nvram_read(void *priv, u + } + spin_unlock_irq(&rtc_lock); + +- return retval; ++ return count ? -EIO : 0; + } + + static int cmos_nvram_write(void *priv, unsigned int off, void *val, +@@ -665,7 +664,6 @@ static int cmos_nvram_write(void *priv, + { + struct cmos_rtc *cmos = priv; + unsigned char *buf = val; +- int retval; + + /* NOTE: on at least PCs and Ataris, the boot firmware uses a + * checksum on part of the NVRAM data. That's currently ignored +@@ -674,7 +672,7 @@ static int cmos_nvram_write(void *priv, + */ + off += NVRAM_OFFSET; + spin_lock_irq(&rtc_lock); +- for (retval = 0; count; count--, off++, retval++) { ++ for (; count; count--, off++) { + /* don't trash RTC registers */ + if (off == cmos->day_alrm + || off == cmos->mon_alrm +@@ -689,7 +687,7 @@ static int cmos_nvram_write(void *priv, + } + spin_unlock_irq(&rtc_lock); + +- return retval; ++ return count ? -EIO : 0; + } + + /*----------------------------------------------------------------*/ diff --git a/queue-5.15/series b/queue-5.15/series index 714ae244c5f..4cf923304d2 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -211,3 +211,13 @@ fs-ntfs3-update-log-page_-mask-bits-if-log-page_size-changed.patch scsi-qla2xxx-return-enobufs-if-sg_cnt-is-more-than-one-for-els-cmds.patch f2fs-fix-to-don-t-dirty-inode-for-readonly-filesystem.patch f2fs-fix-return-value-of-f2fs_convert_inline_inode.patch +clk-davinci-da8xx-cfgchip-initialize-clk_init_data-before-use.patch +ubi-eba-properly-rollback-inside-self_check_eba.patch +decompress_bunzip2-fix-rare-decompression-failure.patch +kbuild-fix-s-c-in-x86-stack-protector-scripts.patch +kobject_uevent-fix-oob-access-within-zap_modalias_env.patch +gve-fix-an-edge-case-for-tso-skb-validity-check.patch +devres-fix-devm_krealloc-wasting-memory.patch +devres-fix-memory-leakage-caused-by-driver-api-devm_free_percpu.patch +mm-numa_balancing-teach-mpol_to_str-about-the-balancing-mode.patch +rtc-cmos-fix-return-value-of-nvmem-callbacks.patch diff --git a/queue-5.15/ubi-eba-properly-rollback-inside-self_check_eba.patch b/queue-5.15/ubi-eba-properly-rollback-inside-self_check_eba.patch new file mode 100644 index 00000000000..757dd7ff361 --- /dev/null +++ b/queue-5.15/ubi-eba-properly-rollback-inside-self_check_eba.patch @@ -0,0 +1,44 @@ +From 745d9f4a31defec731119ee8aad8ba9f2536dd9a Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Thu, 29 Feb 2024 23:42:36 +0300 +Subject: ubi: eba: properly rollback inside self_check_eba + +From: Fedor Pchelkin + +commit 745d9f4a31defec731119ee8aad8ba9f2536dd9a upstream. + +In case of a memory allocation failure in the volumes loop we can only +process the already allocated scan_eba and fm_eba array elements on the +error path - others are still uninitialized. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 00abf3041590 ("UBI: Add self_check_eba()") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/ubi/eba.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/ubi/eba.c ++++ b/drivers/mtd/ubi/eba.c +@@ -1560,6 +1560,7 @@ int self_check_eba(struct ubi_device *ub + GFP_KERNEL); + if (!fm_eba[i]) { + ret = -ENOMEM; ++ kfree(scan_eba[i]); + goto out_free; + } + +@@ -1595,7 +1596,7 @@ int self_check_eba(struct ubi_device *ub + } + + out_free: +- for (i = 0; i < num_volumes; i++) { ++ while (--i >= 0) { + if (!ubi->volumes[i]) + continue; +