From: Greg Kroah-Hartman Date: Mon, 24 Jun 2024 17:01:26 +0000 (+0200) Subject: 6.9-stable patches X-Git-Tag: v6.1.96~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e7bde409eaf25b0046fa9eba4ba2d19b52c58f1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.9-stable patches added patches: arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch i2c-ocores-set-iack-bit-after-core-is-enabled.patch ima-avoid-blocking-in-rcu-read-side-critical-section.patch mips-mipsmtregs-fix-target-register-for-mftc0.patch mips-pci-lantiq-restore-reset-gpio-polarity.patch mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch mm-page_table_check-fix-crash-on-zone_device.patch mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch selftests-mptcp-userspace_pm-fixed-subtest-names.patch serial-8250_dw-revert-move-definitions-to-the-shared-header.patch spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch thermal-core-change-pm-notifier-priority-to-the-minimum.patch thermal-int340x-processor_thermal-support-shared-interrupts.patch virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch
---
diff --git a/queue-6.9/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch b/queue-6.9/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch
new file mode 100644
index 00000000000..b316ad4de27
--- /dev/null
+++ b/queue-6.9/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch
@@ -0,0 +1,32 @@
+From dfd239a039b3581ca25f932e66b6e2c2bf77c798 Mon Sep 17 00:00:00 2001
+From: Frank Li
+Date: Fri, 14 Jun 2024 11:06:32 -0400
+Subject: arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc
+
+From: Frank Li
+
+commit dfd239a039b3581ca25f932e66b6e2c2bf77c798 upstream.
+
+The gpio in "reg_usdhc2_vmmc" should be 7 instead of 19.
+
+Cc: stable@vger.kernel.org
+Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
+Reviewed-by: Peng Fan
+Signed-off-by: Frank Li
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+@@ -36,7 +36,7 @@
+ regulator-name = "SD1_SPWR";
+ regulator-min-microvolt = <3000000>;
+ regulator-max-microvolt = <3000000>;
+- gpio = <&lsio_gpio4 19 GPIO_ACTIVE_HIGH>;
++ gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
+ enable-active-high;
+ };
+ };
diff --git a/queue-6.9/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch b/queue-6.9/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch
new file mode 100644
index 00000000000..8ce0cb710f8
--- /dev/null
+++ b/queue-6.9/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch
@@ -0,0 +1,33 @@
+From d4e001ffeccfc128c715057e866f301ac9b95728 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Thu, 20 Jun 2024 13:34:49 +0200
+Subject: dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema
+
+From: Krzysztof Kozlowski
+
+commit d4e001ffeccfc128c715057e866f301ac9b95728 upstream.
+
+The referenced i2c-controller.yaml schema is provided by dtschema
+package (outside of Linux kernel), so use full path to reference it.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ea75dd386be ("dt-bindings: i2c: convert i2c-at91 to json-schema")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Conor Dooley
+Signed-off-by: Andi Shyti
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml
++++ b/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml
+@@ -77,7 +77,7 @@ required:
+ - clocks
+
+ allOf:
+- - $ref: i2c-controller.yaml
++ - $ref: /schemas/i2c/i2c-controller.yaml#
+ - if:
+ properties:
+ compatible:
diff --git a/queue-6.9/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch b/queue-6.9/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch
new file mode 100644
index 00000000000..5d202edeb9f
--- /dev/null
+++ b/queue-6.9/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch
@@ -0,0 +1,33 @@
+From 5c8cfd592bb7632200b4edac8f2c7ec892ed9d81 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Thu, 20 Jun 2024 13:34:50 +0200
+Subject: dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema
+
+From: Krzysztof Kozlowski
+
+commit 5c8cfd592bb7632200b4edac8f2c7ec892ed9d81 upstream.
+
+The referenced i2c-controller.yaml schema is provided by dtschema
+package (outside of Linux kernel), so use full path to reference it.
+
+Cc: stable@vger.kernel.org
+Fixes: 1acd4577a66f ("dt-bindings: i2c: convert i2c-cros-ec-tunnel to json-schema")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Conor Dooley
+Signed-off-by: Andi Shyti
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml
++++ b/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml
+@@ -21,7 +21,7 @@ description: |
+ google,cros-ec-spi or google,cros-ec-i2c.
+
+ allOf:
+- - $ref: i2c-controller.yaml#
++ - $ref: /schemas/i2c/i2c-controller.yaml#
+
+ properties:
+ compatible:
diff --git a/queue-6.9/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch b/queue-6.9/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch
new file mode 100644
index 00000000000..351409d40ce
--- /dev/null
+++ b/queue-6.9/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch
@@ -0,0 +1,109 @@
+From 75dde792d6f6c2d0af50278bd374bf0c512fe196 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Mon, 10 Jun 2024 16:02:13 +0200
+Subject: efi/x86: Free EFI memory map only when installing a new one.
+
+From: Ard Biesheuvel
+
+commit 75dde792d6f6c2d0af50278bd374bf0c512fe196 upstream.
+
+The logic in __efi_memmap_init() is shared between two different
+execution flows:
+- mapping the EFI memory map early or late into the kernel VA space, so
+ that its entries can be accessed;
+- the x86 specific cloning of the EFI memory map in order to insert new
+ entries that are created as a result of making a memory reservation
+ via a call to efi_mem_reserve().
+
+In the former case, the underlying memory containing the kernel's view
+of the EFI memory map (which may be heavily modified by the kernel
+itself on x86) is not modified at all, and the only thing that changes
+is the virtual mapping of this memory, which is different between early
+and late boot.
+
+In the latter case, an entirely new allocation is created that carries a
+new, updated version of the kernel's view of the EFI memory map. When
+installing this new version, the old version will no longer be
+referenced, and if the memory was allocated by the kernel, it will leak
+unless it gets freed.
+
+The logic that implements this freeing currently lives on the code path
+that is shared between these two use cases, but it should only apply to
+the latter. So move it to the correct spot.
+
+While at it, drop the dummy definition for non-x86 architectures, as
+that is no longer needed.
+
+Cc:
+Fixes: f0ef6523475f ("efi: Fix efi_memmap_alloc() leaks")
+Tested-by: Ashish Kalra
+Link: https://lore.kernel.org/all/36ad5079-4326-45ed-85f6-928ff76483d3@amd.com
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/efi.h | 1 -
+ arch/x86/platform/efi/memmap.c | 12 +++++++++++-
+ drivers/firmware/efi/memmap.c | 9 ---------
+ 3 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/asm/efi.h
++++ b/arch/x86/include/asm/efi.h
+@@ -401,7 +401,6 @@ extern int __init efi_memmap_alloc(unsig
+ struct efi_memory_map_data *data);
+ extern void __efi_memmap_free(u64 phys, unsigned long size,
+ unsigned long flags);
+-#define __efi_memmap_free __efi_memmap_free
+
+ extern int __init efi_memmap_install(struct efi_memory_map_data *data);
+ extern int __init efi_memmap_split_count(efi_memory_desc_t *md,
+--- a/arch/x86/platform/efi/memmap.c
++++ b/arch/x86/platform/efi/memmap.c
+@@ -92,12 +92,22 @@ int __init efi_memmap_alloc(unsigned int
+ */
+ int __init efi_memmap_install(struct efi_memory_map_data *data)
+ {
++ unsigned long size = efi.memmap.desc_size * efi.memmap.nr_map;
++ unsigned long flags = efi.memmap.flags;
++ u64 phys = efi.memmap.phys_map;
++ int ret;
++
+ efi_memmap_unmap();
+
+ if (efi_enabled(EFI_PARAVIRT))
+ return 0;
+
+- return __efi_memmap_init(data);
++ ret = __efi_memmap_init(data);
++ if (ret)
++ return ret;
++
++ __efi_memmap_free(phys, size, flags);
++ return 0;
+ }
+
+ /**
+--- a/drivers/firmware/efi/memmap.c
++++ b/drivers/firmware/efi/memmap.c
+@@ -15,10 +15,6 @@
+ #include
+ #include
+
+-#ifndef __efi_memmap_free
+-#define __efi_memmap_free(phys, size, flags) do { } while (0)
+-#endif
+-
+ /**
+ * __efi_memmap_init - Common code for mapping the EFI memory map
+ * @data: EFI memory map data
+@@ -51,11 +47,6 @@ int __init __efi_memmap_init(struct efi_
+ return -ENOMEM;
+ }
+
+- if (efi.memmap.flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB))
+- __efi_memmap_free(efi.memmap.phys_map,
+- efi.memmap.desc_size * efi.memmap.nr_map,
+- efi.memmap.flags);
+-
+ map.phys_map = data->phys_map;
+ map.nr_map = data->size / data->desc_size;
+ map.map_end = map.map + data->size;
diff --git a/queue-6.9/i2c-ocores-set-iack-bit-after-core-is-enabled.patch b/queue-6.9/i2c-ocores-set-iack-bit-after-core-is-enabled.patch
new file mode 100644
index 00000000000..a1e5dadd98b
--- /dev/null
+++ b/queue-6.9/i2c-ocores-set-iack-bit-after-core-is-enabled.patch
@@ -0,0 +1,39 @@
+From 5a72477273066b5b357801ab2d315ef14949d402 Mon Sep 17 00:00:00 2001
+From: Grygorii Tertychnyi
+Date: Mon, 20 May 2024 17:39:32 +0200
+Subject: i2c: ocores: set IACK bit after core is enabled
+
+From: Grygorii Tertychnyi
+
+commit 5a72477273066b5b357801ab2d315ef14949d402 upstream.
+
+Setting IACK bit when core is disabled does not clear the "Interrupt Flag"
+bit in the status register, and the interrupt remains pending.
+
+Sometimes it causes failure for the very first message transfer, that is
+usually a device probe.
+
+Hence, set IACK bit after core is enabled to clear pending interrupt.
+
+Fixes: 18f98b1e3147 ("[PATCH] i2c: New bus driver for the OpenCores I2C controller")
+Signed-off-by: Grygorii Tertychnyi
+Acked-by: Peter Korsgaard
+Cc: stable@vger.kernel.org
+Signed-off-by: Andi Shyti
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-ocores.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ocores.c
++++ b/drivers/i2c/busses/i2c-ocores.c
+@@ -442,8 +442,8 @@ static int ocores_init(struct device *de
+ oc_setreg(i2c, OCI2C_PREHIGH, prescale >> 8);
+
+ /* Init the device */
+- oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK);
+ oc_setreg(i2c, OCI2C_CONTROL, ctrl | OCI2C_CTRL_EN);
++ oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK);
+
+ return 0;
+ }
diff --git a/queue-6.9/ima-avoid-blocking-in-rcu-read-side-critical-section.patch b/queue-6.9/ima-avoid-blocking-in-rcu-read-side-critical-section.patch
new file mode 100644
index 00000000000..c4935798586
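Review bot: In the arch/x86/platform/efi/memmap.c section, `__efi_memmap_free(phys, size, flags)` is now called without the `EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB` test that guarded the call removed from __efi_memmap_init(), so a map carrying neither flag is only left alone if __efi_memmap_free() checks the flags itself. Its body is not part of this patch, so either confirm that or keep the guard at the call site: `if (flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB)) __efi_memmap_free(phys, size, flags);`. The three locals also have to be read before `efi_memmap_unmap()` and `__efi_memmap_init()` run, presumably because those update `efi.memmap`; a comment above them such as `/* snapshot the old map; efi.memmap is replaced below */` would keep a later reorder from freeing the newly installed map.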
--- /dev/null
+++ b/queue-6.9/ima-avoid-blocking-in-rcu-read-side-critical-section.patch
@@ -0,0 +1,345 @@ +From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001 +From: GUO Zihua +Date: Tue, 7 May 2024 01:25:41 +0000 +Subject: ima: Avoid blocking in RCU read-side critical section + +From: GUO Zihua + +commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream. + +A panic happens in ima_match_policy: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +PGD 42f873067 P4D 0 +Oops: 0000 [#1] SMP NOPTI +CPU: 5 PID: 1286325 Comm: kubeletmonit.sh +Kdump: loaded Tainted: P +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS 0.0.0 02/06/2015 +RIP: 0010:ima_match_policy+0x84/0x450 +Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 + 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d + f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea + 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f +RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 +RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 +RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 +R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 +R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 +FS: 00007f5195b51740(0000) +GS:ff3e278b12d40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ima_get_action+0x22/0x30 + process_measurement+0xb0/0x830 + ? page_add_file_rmap+0x15/0x170 + ? alloc_set_pte+0x269/0x4c0 + ? prep_new_page+0x81/0x140 + ? simple_xattr_get+0x75/0xa0 + ? selinux_file_open+0x9d/0xf0 + ima_file_check+0x64/0x90 + path_openat+0x571/0x1720 + do_filp_open+0x9b/0x110 + ? page_counter_try_charge+0x57/0xc0 + ? files_cgroup_alloc_fd+0x38/0x60 + ? __alloc_fd+0xd4/0x250 + ? 
do_sys_open+0x1bd/0x250 + do_sys_open+0x1bd/0x250 + do_syscall_64+0x5d/0x1d0 + entry_SYSCALL_64_after_hwframe+0x65/0xca + +Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by +ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a +RCU read-side critical section which contains kmalloc with GFP_KERNEL. +This implies a possible sleep and violates limitations of RCU read-side +critical sections on non-PREEMPT systems. + +Sleeping within RCU read-side critical section might cause +synchronize_rcu() returning early and break RCU protection, allowing a +UAF to happen. + +The root cause of this issue could be described as follows: +| Thread A | Thread B | +| |ima_match_policy | +| | rcu_read_lock | +|ima_lsm_update_rule | | +| synchronize_rcu | | +| | kmalloc(GFP_KERNEL)| +| | sleep | +==> synchronize_rcu returns early +| kfree(entry) | | +| | entry = entry->next| +==> UAF happens and entry now becomes NULL (or could be anything). +| | entry->action | +==> Accessing entry might cause panic. + +To fix this issue, we are converting all kmalloc that is called within +RCU read-side critical section to use GFP_ATOMIC. 
+ +Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") +Cc: stable@vger.kernel.org +Signed-off-by: GUO Zihua +Acked-by: John Johansen +Reviewed-by: Mimi Zohar +Reviewed-by: Casey Schaufler +[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 2 +- + include/linux/security.h | 5 +++-- + kernel/auditfilter.c | 5 +++-- + security/apparmor/audit.c | 6 +++--- + security/apparmor/include/audit.h | 2 +- + security/integrity/ima/ima.h | 2 +- + security/integrity/ima/ima_policy.c | 15 +++++++++------ + security/security.c | 6 ++++-- + security/selinux/include/audit.h | 4 +++- + security/selinux/ss/services.c | 5 +++-- + security/smack/smack_lsm.c | 4 +++- + 11 files changed, 34 insertions(+), 22 deletions(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -412,7 +412,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_cr + + #ifdef CONFIG_AUDIT + LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) + LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) + LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -2048,7 +2048,8 @@ static inline void security_key_post_cre + + #ifdef CONFIG_AUDIT + #ifdef CONFIG_SECURITY +-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); ++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, ++ gfp_t gfp); + int security_audit_rule_known(struct audit_krule *krule); + int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); + void security_audit_rule_free(void *lsmrule); +@@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmr + #else + + static inline int 
security_audit_rule_init(u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + { + return 0; + } +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to + entry->rule.buflen += f_val; + f->lsm_str = str; + err = security_audit_rule_init(f->type, f->op, str, +- (void **)&f->lsm_rule); ++ (void **)&f->lsm_rule, ++ GFP_KERNEL); + /* Keep currently invalid fields around in case they + * become valid after a policy reload. */ + if (err == -EINVAL) { +@@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(s + + /* our own (refreshed) copy of lsm_rule */ + ret = security_audit_rule_init(df->type, df->op, df->lsm_str, +- (void **)&df->lsm_rule); ++ (void **)&df->lsm_rule, GFP_KERNEL); + /* Keep currently invalid fields around in case they + * become valid after a policy reload. */ + if (ret == -EINVAL) { +--- a/security/apparmor/audit.c ++++ b/security/apparmor/audit.c +@@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) + } + } + +-int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) + { + struct aa_audit_rule *rule; + +@@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op + return -EINVAL; + } + +- rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); ++ rule = kzalloc(sizeof(struct aa_audit_rule), gfp); + + if (!rule) + return -ENOMEM; + + /* Currently rules are treated as coming from the root ns */ + rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, +- GFP_KERNEL, true, false); ++ gfp, true, false); + if (IS_ERR(rule->label)) { + int err = PTR_ERR(rule->label); + aa_audit_rule_free(rule); +--- a/security/apparmor/include/audit.h ++++ b/security/apparmor/include/audit.h +@@ -200,7 +200,7 @@ static inline int complain_error(int err + } + + void aa_audit_rule_free(void *vrule); +-int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void 
**vrule); ++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); + int aa_audit_rule_known(struct audit_krule *rule); + int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); + +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -540,7 +540,7 @@ static inline void ima_free_modsig(struc + #else + + static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, +- void **lsmrule) ++ void **lsmrule, gfp_t gfp) + { + return -EINVAL; + } +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rul + kfree(entry); + } + +-static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ++static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, ++ gfp_t gfp) + { + struct ima_rule_entry *nentry; + int i; +@@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_co + * Immutable elements are copied over as pointers and data; only + * lsm rules can change + */ +- nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); ++ nentry = kmemdup(entry, sizeof(*nentry), gfp); + if (!nentry) + return NULL; + +@@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_co + + ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, + nentry->lsm[i].args_p, +- &nentry->lsm[i].rule); ++ &nentry->lsm[i].rule, ++ gfp); + if (!nentry->lsm[i].rule) + pr_warn("rule for LSM \'%s\' is undefined\n", + nentry->lsm[i].args_p); +@@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct im + int i; + struct ima_rule_entry *nentry; + +- nentry = ima_lsm_copy_rule(entry); ++ nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); + if (!nentry) + return -ENOMEM; + +@@ -664,7 +666,7 @@ retry: + } + + if (rc == -ESTALE && !rule_reinitialized) { +- lsm_rule = ima_lsm_copy_rule(rule); ++ lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); + if (lsm_rule) { + rule_reinitialized = true; + goto retry; +@@ -1140,7 +1142,8 @@ static 
int ima_lsm_rule_init(struct ima_ + entry->lsm[lsm_rule].type = audit_type; + result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, + entry->lsm[lsm_rule].args_p, +- &entry->lsm[lsm_rule].rule); ++ &entry->lsm[lsm_rule].rule, ++ GFP_KERNEL); + if (!entry->lsm[lsm_rule].rule) { + pr_warn("rule for LSM \'%s\' is undefined\n", + entry->lsm[lsm_rule].args_p); +--- a/security/security.c ++++ b/security/security.c +@@ -5331,15 +5331,17 @@ void security_key_post_create_or_update( + * @op: rule operator + * @rulestr: rule context + * @lsmrule: receive buffer for audit rule struct ++ * @gfp: GFP flag used for kmalloc + * + * Allocate and initialize an LSM audit rule structure. + * + * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of + * an invalid rule. + */ +-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) ++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, ++ gfp_t gfp) + { +- return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); ++ return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); + } + + /** +--- a/security/selinux/include/audit.h ++++ b/security/selinux/include/audit.h +@@ -21,12 +21,14 @@ + * @op: the operator the rule uses + * @rulestr: the text "target" of the rule + * @rule: pointer to the new rule structure returned via this ++ * @gfp: GFP flag used for kmalloc + * + * Returns 0 if successful, -errno if not. On success, the rule structure + * will be allocated internally. The caller must free this structure with + * selinux_audit_rule_free() after use. + */ +-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); ++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, ++ gfp_t gfp); + + /** + * selinux_audit_rule_free - free an selinux audit rule structure. 
+--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -3508,7 +3508,8 @@ void selinux_audit_rule_free(void *vrule + } + } + +-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, ++ gfp_t gfp) + { + struct selinux_state *state = &selinux_state; + struct selinux_policy *policy; +@@ -3549,7 +3550,7 @@ int selinux_audit_rule_init(u32 field, u + return -EINVAL; + } + +- tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); ++ tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); + if (!tmprule) + return -ENOMEM; + context_init(&tmprule->au_ctxt); +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4692,11 +4692,13 @@ static int smack_post_notification(const + * @op: required testing operator (=, !=, >, <, ...) + * @rulestr: smack label to be audited + * @vrule: pointer to save our own audit rule representation ++ * @gfp: type of the memory for the allocation + * + * Prepare to audit cases where (@field @op @rulestr) is true. + * The label to be audited is created if necessay. + */ +-static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) ++static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, ++ gfp_t gfp) + { + struct smack_known *skp; + char **rule = (char **)vrule; diff --git a/queue-6.9/mips-mipsmtregs-fix-target-register-for-mftc0.patch b/queue-6.9/mips-mipsmtregs-fix-target-register-for-mftc0.patch new file mode 100644 index 00000000000..d130eabfc5e --- /dev/null +++ b/queue-6.9/mips-mipsmtregs-fix-target-register-for-mftc0.patch 
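Review bot: In the security/smack/smack_lsm.c section, smack_audit_rule_init() gains the `gfp` parameter and a kerneldoc line, but no visible line uses it, whereas the AppArmor and SELinux sections pass it into their `kzalloc()` calls. The function body continues outside the hunk, so whether anything it reaches allocates or takes a sleeping lock cannot be judged from here; because the `-ESTALE` retry path now calls `ima_lsm_copy_rule(rule, GFP_ATOMIC)` inside what the commit message describes as an RCU read-side section, that path should be audited, and likewise the rest of selinux_audit_rule_init() after the converted `kzalloc(..., gfp)`. A `GFP_ATOMIC` allocation also fails more readily than the `GFP_KERNEL` one it replaces, so a comment at that call such as `/* may return NULL under memory pressure; the stale rule is then used as-is */` (wording to be confirmed against the code that follows) would document the fallback. The two kerneldoc lines differ (`GFP flag used for kmalloc` versus `type of the memory for the allocation`); using one wording for all hooks would be cleaner.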
@@ -0,0 +1,37 @@
+From 4a3e37b3caea817199757a0b13aa53dd7c9376c8 Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang
+Date: Sun, 16 Jun 2024 14:25:02 +0100
+Subject: MIPS: mipsmtregs: Fix target register for MFTC0
+
+From: Jiaxun Yang
+
+commit 4a3e37b3caea817199757a0b13aa53dd7c9376c8 upstream.
+
+Target register of mftc0 should be __res instead of $1, this is
+a leftover from old .insn code.
+
+Fixes: dd6d29a61489 ("MIPS: Implement microMIPS MT ASE helpers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiaxun Yang
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/include/asm/mipsmtregs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mipsmtregs.h b/arch/mips/include/asm/mipsmtregs.h
+index 30e86861c206..b1ee3c48e84b 100644
+--- a/arch/mips/include/asm/mipsmtregs.h
++++ b/arch/mips/include/asm/mipsmtregs.h
+@@ -322,7 +322,7 @@ static inline void ehb(void)
+ " .set push \n" \
+ " .set "MIPS_ISA_LEVEL" \n" \
+ _ASM_SET_MFTC0 \
+- " mftc0 $1, " #rt ", " #sel " \n" \
++ " mftc0 %0, " #rt ", " #sel " \n" \
+ _ASM_UNSET_MFTC0 \
+ " .set pop \n" \
+ : "=r" (__res)); \
+--
+2.45.2
+
diff --git a/queue-6.9/mips-pci-lantiq-restore-reset-gpio-polarity.patch b/queue-6.9/mips-pci-lantiq-restore-reset-gpio-polarity.patch
new file mode 100644
index 00000000000..bdfd84dd366
--- /dev/null
+++ b/queue-6.9/mips-pci-lantiq-restore-reset-gpio-polarity.patch
@@ -0,0 +1,68 @@
+From 277a0363120276645ae598d8d5fea7265e076ae9 Mon Sep 17 00:00:00 2001
+From: Martin Schiller
+Date: Fri, 7 Jun 2024 11:04:00 +0200
+Subject: MIPS: pci: lantiq: restore reset gpio polarity
+
+From: Martin Schiller
+
+commit 277a0363120276645ae598d8d5fea7265e076ae9 upstream.
+
+Commit 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") not
+only switched to the gpiod API, but also inverted / changed the polarity
+of the GPIO.
+
+According to the PCI specification, the RST# pin is an active-low
+signal. However, most of the device trees that have been widely used for
+a long time (mainly in the openWrt project) define this GPIO as
+active-high and the old driver code inverted the signal internally.
+
+Apparently there are actually boards where the reset gpio must be
+operated inverted. For this reason, we cannot use the GPIOD_OUT_LOW/HIGH
+flag for initialization. Instead, we must explicitly set the gpio to
+value 1 in order to take into account any "GPIO_ACTIVE_LOW" flag that
+may have been set.
+
+In order to remain compatible with all these existing device trees, we
+should therefore keep the logic as it was before the commit.
+
+Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Schiller
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/pci/pci-lantiq.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/pci/pci-lantiq.c
++++ b/arch/mips/pci/pci-lantiq.c
+@@ -124,14 +124,14 @@ static int ltq_pci_startup(struct platfo
+ clk_disable(clk_external);
+
+ /* setup reset gpio used by pci */
+- reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset",
+- GPIOD_OUT_LOW);
++ reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_ASIS);
+ error = PTR_ERR_OR_ZERO(reset_gpio);
+ if (error) {
+ dev_err(&pdev->dev, "failed to request gpio: %d\n", error);
+ return error;
+ }
+ gpiod_set_consumer_name(reset_gpio, "pci_reset");
++ gpiod_direction_output(reset_gpio, 1);
+
+ /* enable auto-switching between PCI and EBU */
+ ltq_pci_w32(0xa, PCI_CR_CLK_CTRL);
+@@ -194,10 +194,10 @@ static int ltq_pci_startup(struct platfo
+
+ /* toggle reset pin */
+ if (reset_gpio) {
+- gpiod_set_value_cansleep(reset_gpio, 1);
++ gpiod_set_value_cansleep(reset_gpio, 0);
+ wmb();
+ mdelay(1);
+- gpiod_set_value_cansleep(reset_gpio, 0);
++ gpiod_set_value_cansleep(reset_gpio, 1);
+ }
+ return 0;
+ }
diff --git a/queue-6.9/mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch b/queue-6.9/mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch
new file mode 100644
index 00000000000..891da5d3e97
--- /dev/null
+++ b/queue-6.9/mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch
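Review bot: The return value of the added `gpiod_direction_output(reset_gpio, 1);` is discarded, and with the request changed to `GPIOD_ASIS` this call is now the only place the line is configured as an output. If it fails, ltq_pci_startup() carries on and the later reset toggle drives a pin whose direction was never set, which leaves the PCI device's reset state undefined. Check it the same way as the request above it: `error = gpiod_direction_output(reset_gpio, 1);` followed by `if (error) return error;`. A one-line comment that the values written are logical levels, so a `GPIO_ACTIVE_LOW` flag in the device tree inverts them, would also help the next reader; the function body continues outside both hunks.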
@@ -0,0 +1,114 @@
+From 6a50c9b512f7734bc356f4bd47885a6f7c98491a Mon Sep 17 00:00:00 2001
+From: Ran Xiaokai
+Date: Fri, 7 Jun 2024 17:40:48 +0800
+Subject: mm: huge_memory: fix misused mapping_large_folio_support() for anon folios
+
+From: Ran Xiaokai
+
+commit 6a50c9b512f7734bc356f4bd47885a6f7c98491a upstream.
+
+When I did a large folios split test, a WARNING "[ 5059.122759][ T166]
+Cannot split file folio to non-0 order" was triggered. But the test cases
+are only for anonmous folios. while mapping_large_folio_support() is only
+reasonable for page cache folios.
+
+In split_huge_page_to_list_to_order(), the folio passed to
+mapping_large_folio_support() maybe anonmous folio. The folio_test_anon()
+check is missing. So the split of the anonmous THP is failed. This is
+also the same for shmem_mapping(). We'd better add a check for both. But
+the shmem_mapping() in __split_huge_page() is not involved, as for
+anonmous folios, the end parameter is set to -1, so (head[i].index >= end)
+is always false. shmem_mapping() is not called.
+
+Also add a VM_WARN_ON_ONCE() in mapping_large_folio_support() for anon
+mapping, So we can detect the wrong use more easily.
+
+THP folios maybe exist in the pagecache even the file system doesn't
+support large folio, it is because when CONFIG_TRANSPARENT_HUGEPAGE is
+enabled, khugepaged will try to collapse read-only file-backed pages to
+THP. But the mapping does not actually support multi order large folios
+properly.
+
+Using /sys/kernel/debug/split_huge_pages to verify this, with this patch,
+large anon THP is successfully split and the warning is ceased.
+
+Link: https://lkml.kernel.org/r/202406071740485174hcFl7jRxncsHDtI-Pz-o@zte.com.cn
+Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages")
+Reviewed-by: Barry Song
+Reviewed-by: Zi Yan
+Acked-by: David Hildenbrand
+Signed-off-by: Ran Xiaokai
+Cc: Michal Hocko
+Cc: xu xin
+Cc: Yang Yang
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/pagemap.h | 4 ++++
+ mm/huge_memory.c | 28 +++++++++++++++++-----------
+ 2 files changed, 21 insertions(+), 11 deletions(-)
+
+--- a/include/linux/pagemap.h
++++ b/include/linux/pagemap.h
+@@ -379,6 +379,10 @@ static inline void mapping_set_large_fol
+ */
+ static inline bool mapping_large_folio_support(struct address_space *mapping)
+ {
++ /* AS_LARGE_FOLIO_SUPPORT is only reasonable for pagecache folios */
++ VM_WARN_ONCE((unsigned long)mapping & PAGE_MAPPING_ANON,
++ "Anonymous mapping always supports large folio");
++
+ return IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) &&
+ test_bit(AS_LARGE_FOLIO_SUPPORT, &mapping->flags);
+ }
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -3058,30 +3058,36 @@ int split_huge_page_to_list_to_order(str
+ if (new_order >= folio_order(folio))
+ return -EINVAL;
+
+- /* Cannot split anonymous THP to order-1 */
+- if (new_order == 1 && folio_test_anon(folio)) {
+- VM_WARN_ONCE(1, "Cannot split to order-1 folio");
+- return -EINVAL;
+- }
+-
+- if (new_order) {
+- /* Only swapping a whole PMD-mapped folio is supported */
+- if (folio_test_swapcache(folio))
++ if (folio_test_anon(folio)) {
++ /* order-1 is not supported for anonymous THP. */
++ if (new_order == 1) {
++ VM_WARN_ONCE(1, "Cannot split to order-1 folio");
+ return -EINVAL;
++ }
++ } else if (new_order) {
+ /* Split shmem folio to non-zero order not supported */
+ if (shmem_mapping(folio->mapping)) {
+ VM_WARN_ONCE(1,
+ "Cannot split shmem folio to non-0 order");
+ return -EINVAL;
+ }
+- /* No split if the file system does not support large folio */
+- if (!mapping_large_folio_support(folio->mapping)) {
++ /*
++ * No split if the file system does not support large folio.
++ * Note that we might still have THPs in such mappings due to
++ * CONFIG_READ_ONLY_THP_FOR_FS. But in that case, the mapping
++ * does not actually support large folios properly.
++ */
++ if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) &&
++ !mapping_large_folio_support(folio->mapping)) {
+ VM_WARN_ONCE(1,
+ "Cannot split file folio to non-0 order");
+ return -EINVAL;
+ }
+ }
+
++ /* Only swapping a whole PMD-mapped folio is supported */
++ if (folio_test_swapcache(folio) && new_order)
++ return -EINVAL;
+
+ is_hzp = is_huge_zero_page(&folio->page);
+ if (is_hzp) {
diff --git a/queue-6.9/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch b/queue-6.9/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
new file mode 100644
index 00000000000..d3d856ebfc4
--- /dev/null
+++ b/queue-6.9/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
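Review bot: The `VM_WARN_ONCE()` added to mapping_large_folio_support() only reports the misuse; the function then still evaluates `test_bit(AS_LARGE_FOLIO_SUPPORT, &mapping->flags)` through a pointer that has `PAGE_MAPPING_ANON` set, so the result is read from memory that is not an address_space. VM_WARN_ONCE is a CONFIG_DEBUG_VM check, so on builds without it a future caller that passes an anonymous mapping gets no warning at all. The comment block above the function, which starts outside the hunk, should state the contract, for example `Callers must not pass the mapping of an anonymous folio; check folio_test_anon() first.`, which is what the reworked branch in split_huge_page_to_list_to_order() now does.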
@@ -0,0 +1,70 @@ +From 3afb76a66b5559a7b595155803ce23801558a7a9 Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Thu, 6 Jun 2024 14:06:22 -0400 +Subject: mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default + +From: Rafael Aquini + +commit 3afb76a66b5559a7b595155803ce23801558a7a9 upstream. + +An ASLR regression was noticed [1] and tracked down to file-mapped areas +being backed by THP in recent kernels. The 21-bit alignment constraint +for such mappings reduces the entropy for randomizing the placement of +64-bit library mappings and breaks ASLR completely for 32-bit libraries. + +The reported issue is easily addressed by increasing vm.mmap_rnd_bits and +vm.mmap_rnd_compat_bits. This patch just provides a simple way to set +ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS to their maximum values +allowed by the architecture at build time. + +[1] https://zolutal.github.io/aslrnt/ + +[akpm@linux-foundation.org: default to `y' if 32-bit, per Rafael] +Link: https://lkml.kernel.org/r/20240606180622.102099-1-aquini@redhat.com +Fixes: 1854bc6e2420 ("mm/readahead: Align file mappings for non-DAX") +Signed-off-by: Rafael Aquini +Cc: Arnd Bergmann +Cc: Heiko Carstens +Cc: Mike Rapoport (IBM) +Cc: Paul E. McKenney +Cc: Petr Mladek +Cc: Samuel Holland +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/Kconfig | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -1029,10 +1029,21 @@ config ARCH_MMAP_RND_BITS_MAX + config ARCH_MMAP_RND_BITS_DEFAULT + int + ++config FORCE_MAX_MMAP_RND_BITS ++ bool "Force maximum number of bits to use for ASLR of mmap base address" ++ default y if !64BIT ++ help ++ ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS represent the number ++ of bits to use for ASLR and if no custom value is assigned (EXPERT) ++ then the architecture's lower bound (minimum) value is assumed. 
++ This toggle changes that default assumption to assume the arch upper ++ bound (maximum) value instead. ++ + config ARCH_MMAP_RND_BITS + int "Number of bits to use for ASLR of mmap base address" if EXPERT + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT ++ default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS + default ARCH_MMAP_RND_BITS_MIN + depends on HAVE_ARCH_MMAP_RND_BITS + help +@@ -1067,6 +1078,7 @@ config ARCH_MMAP_RND_COMPAT_BITS + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT ++ default ARCH_MMAP_RND_COMPAT_BITS_MAX if FORCE_MAX_MMAP_RND_BITS + default ARCH_MMAP_RND_COMPAT_BITS_MIN + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS + help diff --git a/queue-6.9/mm-page_table_check-fix-crash-on-zone_device.patch b/queue-6.9/mm-page_table_check-fix-crash-on-zone_device.patch new file mode 100644 index 00000000000..208e0fca5f1 --- /dev/null +++ b/queue-6.9/mm-page_table_check-fix-crash-on-zone_device.patch 
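Review bot: In both `ARCH_MMAP_RND_BITS` and `ARCH_MMAP_RND_COMPAT_BITS` the new `default ..._MAX if FORCE_MAX_MMAP_RND_BITS` line sits below the existing `default ..._DEFAULT if ..._DEFAULT` line, so on an architecture that supplies a non-zero arch default the toggle would have no effect, and the help text of `FORCE_MAX_MMAP_RND_BITS` does not say so. The help text also omits why one would enable it; the commit message gives the reason (THP-aligned file mappings reduce mmap entropy and break ASLR for 32-bit libraries). I would extend the help with something like `An architecture-provided ARCH_MMAP_RND_BITS_DEFAULT still takes precedence; say Y to keep full mmap ASLR entropy when file mappings are THP-aligned.` Because `default y` applies only `if !64BIT`, 64-bit builds keep the arch minimum unless the option is selected, and the effective values on a running kernel can be checked through `vm.mmap_rnd_bits` and `vm.mmap_rnd_compat_bits`. Both config entries continue past the hunks shown.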
@@ -0,0 +1,71 @@ +From 8bb592c2eca8fd2bc06db7d80b38da18da4a2f43 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 5 Jun 2024 17:21:46 -0400 +Subject: mm/page_table_check: fix crash on ZONE_DEVICE + +From: Peter Xu + +commit 8bb592c2eca8fd2bc06db7d80b38da18da4a2f43 upstream. + +Not all pages may apply to pgtable check. One example is ZONE_DEVICE +pages: they map PFNs directly, and they don't allocate page_ext at all +even if there's struct page around. One may reference +devm_memremap_pages(). + +When both ZONE_DEVICE and page-table-check enabled, then try to map some +dax memories, one can trigger kernel bug constantly now when the kernel +was trying to inject some pfn maps on the dax device: + + kernel BUG at mm/page_table_check.c:55! + +While it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page +fault resolutions, skip all the checks if page_ext doesn't even exist in +pgtable checker, which applies to ZONE_DEVICE but maybe more. + +Link: https://lkml.kernel.org/r/20240605212146.994486-1-peterx@redhat.com +Fixes: df4e817b7108 ("mm: page table check") +Signed-off-by: Peter Xu +Reviewed-by: Pasha Tatashin +Reviewed-by: Dan Williams +Reviewed-by: Alistair Popple +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_table_check.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/mm/page_table_check.c ++++ b/mm/page_table_check.c +@@ -71,6 +71,9 @@ static void page_table_check_clear(unsig + page = pfn_to_page(pfn); + page_ext = page_ext_get(page); + ++ if (!page_ext) ++ return; ++ + BUG_ON(PageSlab(page)); + anon = PageAnon(page); + +@@ -108,6 +111,9 @@ static void page_table_check_set(unsigne + page = pfn_to_page(pfn); + page_ext = page_ext_get(page); + ++ if (!page_ext) ++ return; ++ + BUG_ON(PageSlab(page)); + anon = PageAnon(page); + +@@ -138,7 +144,10 @@ void __page_table_check_zero(struct page + BUG_ON(PageSlab(page)); + + page_ext = page_ext_get(page); +- BUG_ON(!page_ext); ++ ++ if 
(!page_ext) ++ return; ++ + for (i = 0; i < (1ul << order); i++) { + struct page_table_check *ptc = get_page_table_check(page_ext); + diff --git a/queue-6.9/mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch b/queue-6.9/mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch new file mode 100644 index 00000000000..b664ff7680c --- /dev/null +++ b/queue-6.9/mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch 
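Review bot: The three added `if (!page_ext) return;` guards in page_table_check_clear(), page_table_check_set() and __page_table_check_zero() carry no comment, and the last one replaces `BUG_ON(!page_ext)`, so a page without page_ext is now silently exempt from this hardening check. The commit message names ZONE_DEVICE as the known case "but maybe more"; I would record that at each guard, e.g. `/* No page_ext (e.g. ZONE_DEVICE): page is not tracked, nothing to check */`. In clear() and set() the return also happens before `BUG_ON(PageSlab(page))`, so that assertion is skipped for such pages; if that is intended it deserves a word in the same comment. All three function bodies extend beyond the hunks shown.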
@@ -0,0 +1,103 @@ +From 9094b4a1c76cfe84b906cc152bab34d4ba26fa5c Mon Sep 17 00:00:00 2001 +From: Baolin Wang +Date: Thu, 13 Jun 2024 16:21:19 +0800 +Subject: mm: shmem: fix getting incorrect lruvec when replacing a shmem folio + +From: Baolin Wang + +commit 9094b4a1c76cfe84b906cc152bab34d4ba26fa5c upstream. + +When testing shmem swapin, I encountered the warning below on my machine. +The reason is that replacing an old shmem folio with a new one causes +mem_cgroup_migrate() to clear the old folio's memcg data. As a result, +the old folio cannot get the correct memcg's lruvec needed to remove +itself from the LRU list when it is being freed. This could lead to +possible serious problems, such as LRU list crashes due to holding the +wrong LRU lock, and incorrect LRU statistics. + +To fix this issue, we can fallback to use the mem_cgroup_replace_folio() +to replace the old shmem folio. + +[ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960 +[ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff) +[ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000 +[ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000 +[ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000 +[ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000 +[ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) +[ 5241.100338] ------------[ cut here ]------------ +[ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150 +[...] 
+[ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150 +[ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150 +[ 5241.100376] sp : ffff80008b38b930 +[...] +[ 5241.100398] Call trace: +[ 5241.100399] folio_lruvec_lock_irqsave+0x140/0x150 +[ 5241.100401] __page_cache_release+0x90/0x300 +[ 5241.100404] __folio_put+0x50/0x108 +[ 5241.100406] shmem_replace_folio+0x1b4/0x240 +[ 5241.100409] shmem_swapin_folio+0x314/0x528 +[ 5241.100411] shmem_get_folio_gfp+0x3b4/0x930 +[ 5241.100412] shmem_fault+0x74/0x160 +[ 5241.100414] __do_fault+0x40/0x218 +[ 5241.100417] do_shared_fault+0x34/0x1b0 +[ 5241.100419] do_fault+0x40/0x168 +[ 5241.100420] handle_pte_fault+0x80/0x228 +[ 5241.100422] __handle_mm_fault+0x1c4/0x440 +[ 5241.100424] handle_mm_fault+0x60/0x1f0 +[ 5241.100426] do_page_fault+0x120/0x488 +[ 5241.100429] do_translation_fault+0x4c/0x68 +[ 5241.100431] do_mem_abort+0x48/0xa0 +[ 5241.100434] el0_da+0x38/0xc0 +[ 5241.100436] el0t_64_sync_handler+0x68/0xc0 +[ 5241.100437] el0t_64_sync+0x14c/0x150 +[ 5241.100439] ---[ end trace 0000000000000000 ]--- + +[baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew] + Link: https://lkml.kernel.org/r/ccad3fe1375b468ebca3227b6b729f3eaf9d8046.1718423197.git.baolin.wang@linux.alibaba.com +Link: https://lkml.kernel.org/r/3c11000dd6c1df83015a8321a859e9775ebbc23e.1718266112.git.baolin.wang@linux.alibaba.com +Fixes: 85ce2c517ade ("memcontrol: only transfer the memcg data for migration") +Signed-off-by: Baolin Wang +Reviewed-by: Shakeel Butt +Cc: Matthew Wilcox (Oracle) +Cc: Hugh Dickins +Cc: Johannes Weiner +Cc: Nhat Pham +Cc: Michal Hocko +Cc: Roman Gushchin +Cc: Muchun Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 3 +-- + mm/shmem.c | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -7531,8 +7531,7 @@ void __mem_cgroup_uncharge_folios(struct + * @new: Replacement folio. 
+ * + * Charge @new as a replacement folio for @old. @old will +- * be uncharged upon free. This is only used by the page cache +- * (in replace_page_cache_folio()). ++ * be uncharged upon free. + * + * Both folios must be locked, @new->mapping must be set up. + */ +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -1786,7 +1786,7 @@ static int shmem_replace_folio(struct fo + xa_lock_irq(&swap_mapping->i_pages); + error = shmem_replace_entry(swap_mapping, swap_index, old, new); + if (!error) { +- mem_cgroup_migrate(old, new); ++ mem_cgroup_replace_folio(old, new); + __lruvec_stat_mod_folio(new, NR_FILE_PAGES, 1); + __lruvec_stat_mod_folio(new, NR_SHMEM, 1); + __lruvec_stat_mod_folio(old, NR_FILE_PAGES, -1); diff --git a/queue-6.9/selftests-mptcp-userspace_pm-fixed-subtest-names.patch b/queue-6.9/selftests-mptcp-userspace_pm-fixed-subtest-names.patch new file mode 100644 index 00000000000..f48159a8417 --- /dev/null +++ b/queue-6.9/selftests-mptcp-userspace_pm-fixed-subtest-names.patch 
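Review bot: The kerneldoc kept above mem_cgroup_replace_folio() in the mm/memcontrol.c hunk still states `Both folios must be locked, @new->mapping must be set up`, while the mm/shmem.c hunk adds a caller on the swap-in replacement path and neither precondition is shown being met there. Dropping the "only used by the page cache" sentence widens the documented audience without revisiting that contract. I would either reword the line to what the function actually requires or add a short comment at the call in shmem_replace_folio() stating why the requirement holds for the new folio. Both functions start and end outside the hunks.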
@@ -0,0 +1,234 @@ +From e874557fce1b6023efafd523aee0c347bf7f1694 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Fri, 14 Jun 2024 19:15:29 +0200 +Subject: selftests: mptcp: userspace_pm: fixed subtest names + +From: Matthieu Baerts (NGI0) + +commit e874557fce1b6023efafd523aee0c347bf7f1694 upstream. + +It is important to have fixed (sub)test names in TAP, because these +names are used to identify them. If they are not fixed, tracking cannot +be done. + +Some subtests from the userspace_pm selftest were using random numbers +in their names: the client and server address IDs from $RANDOM, and the +client port number randomly picked by the kernel when creating the +connection. These values have been replaced by 'client' and 'server' +words: that's even more helpful than showing random numbers. Note that +the addresses IDs are incremented and decremented in the test: +1 or -1 +are then displayed in these cases. + +Not to loose info that can be useful for debugging in case of issues, +these random numbers are now displayed at the beginning of the test. 
+ +Fixes: f589234e1af0 ("selftests: mptcp: userspace_pm: format subtests results in TAP") +Cc: stable@vger.kernel.org +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20240614-upstream-net-20240614-selftests-mptcp-uspace-pm-fixed-test-names-v1-1-460ad3edb429@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/userspace_pm.sh | 46 +++++++++++++--------- + 1 file changed, 28 insertions(+), 18 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh ++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh +@@ -160,10 +160,12 @@ make_connection() + local is_v6=$1 + local app_port=$app4_port + local connect_addr="10.0.1.1" ++ local client_addr="10.0.1.2" + local listen_addr="0.0.0.0" + if [ "$is_v6" = "v6" ] + then + connect_addr="dead:beef:1::1" ++ client_addr="dead:beef:1::2" + listen_addr="::" + app_port=$app6_port + else +@@ -206,6 +208,7 @@ make_connection() + [ "$server_serverside" = 1 ] + then + test_pass ++ print_title "Connection info: ${client_addr}:${client_port} -> ${connect_addr}:${app_port}" + else + test_fail "Expected tokens (c:${client_token} - s:${server_token}) and server (c:${client_serverside} - s:${server_serverside})" + mptcp_lib_result_print_all_tap +@@ -297,7 +300,7 @@ test_announce() + ip netns exec "$ns2"\ + ./pm_nl_ctl ann 10.0.2.2 token "$client4_token" id $client_addr_id dev\ + ns2eth1 +- print_test "ADD_ADDR id:${client_addr_id} 10.0.2.2 (ns2) => ns1, reuse port" ++ print_test "ADD_ADDR id:client 10.0.2.2 (ns2) => ns1, reuse port" + sleep 0.5 + verify_announce_event $server_evts $ANNOUNCED $server4_token "10.0.2.2" $client_addr_id \ + "$client4_port" +@@ -306,7 +309,7 @@ test_announce() + :>"$server_evts" + ip netns exec "$ns2" ./pm_nl_ctl ann\ + dead:beef:2::2 token "$client6_token" id $client_addr_id dev ns2eth1 +- print_test "ADD_ADDR6 id:${client_addr_id} dead:beef:2::2 (ns2) => ns1, reuse port" ++ 
print_test "ADD_ADDR6 id:client dead:beef:2::2 (ns2) => ns1, reuse port" + sleep 0.5 + verify_announce_event "$server_evts" "$ANNOUNCED" "$server6_token" "dead:beef:2::2"\ + "$client_addr_id" "$client6_port" "v6" +@@ -316,7 +319,7 @@ test_announce() + client_addr_id=$((client_addr_id+1)) + ip netns exec "$ns2" ./pm_nl_ctl ann 10.0.2.2 token "$client4_token" id\ + $client_addr_id dev ns2eth1 port $new4_port +- print_test "ADD_ADDR id:${client_addr_id} 10.0.2.2 (ns2) => ns1, new port" ++ print_test "ADD_ADDR id:client+1 10.0.2.2 (ns2) => ns1, new port" + sleep 0.5 + verify_announce_event "$server_evts" "$ANNOUNCED" "$server4_token" "10.0.2.2"\ + "$client_addr_id" "$new4_port" +@@ -327,7 +330,7 @@ test_announce() + # ADD_ADDR from the server to client machine reusing the subflow port + ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server4_token" id\ + $server_addr_id dev ns1eth2 +- print_test "ADD_ADDR id:${server_addr_id} 10.0.2.1 (ns1) => ns2, reuse port" ++ print_test "ADD_ADDR id:server 10.0.2.1 (ns1) => ns2, reuse port" + sleep 0.5 + verify_announce_event "$client_evts" "$ANNOUNCED" "$client4_token" "10.0.2.1"\ + "$server_addr_id" "$app4_port" +@@ -336,7 +339,7 @@ test_announce() + :>"$client_evts" + ip netns exec "$ns1" ./pm_nl_ctl ann dead:beef:2::1 token "$server6_token" id\ + $server_addr_id dev ns1eth2 +- print_test "ADD_ADDR6 id:${server_addr_id} dead:beef:2::1 (ns1) => ns2, reuse port" ++ print_test "ADD_ADDR6 id:server dead:beef:2::1 (ns1) => ns2, reuse port" + sleep 0.5 + verify_announce_event "$client_evts" "$ANNOUNCED" "$client6_token" "dead:beef:2::1"\ + "$server_addr_id" "$app6_port" "v6" +@@ -346,7 +349,7 @@ test_announce() + server_addr_id=$((server_addr_id+1)) + ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server4_token" id\ + $server_addr_id dev ns1eth2 port $new4_port +- print_test "ADD_ADDR id:${server_addr_id} 10.0.2.1 (ns1) => ns2, new port" ++ print_test "ADD_ADDR id:server+1 10.0.2.1 (ns1) => ns2, new port" + sleep 0.5 + 
verify_announce_event "$client_evts" "$ANNOUNCED" "$client4_token" "10.0.2.1"\ + "$server_addr_id" "$new4_port" +@@ -380,7 +383,7 @@ test_remove() + local invalid_token=$(( client4_token - 1 )) + ip netns exec "$ns2" ./pm_nl_ctl rem token $invalid_token id\ + $client_addr_id > /dev/null 2>&1 +- print_test "RM_ADDR id:${client_addr_id} ns2 => ns1, invalid token" ++ print_test "RM_ADDR id:client ns2 => ns1, invalid token" + local type + type=$(mptcp_lib_evts_get_info type "$server_evts") + if [ "$type" = "" ] +@@ -394,7 +397,7 @@ test_remove() + local invalid_id=$(( client_addr_id + 1 )) + ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\ + $invalid_id > /dev/null 2>&1 +- print_test "RM_ADDR id:${invalid_id} ns2 => ns1, invalid id" ++ print_test "RM_ADDR id:client+1 ns2 => ns1, invalid id" + type=$(mptcp_lib_evts_get_info type "$server_evts") + if [ "$type" = "" ] + then +@@ -407,7 +410,7 @@ test_remove() + :>"$server_evts" + ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\ + $client_addr_id +- print_test "RM_ADDR id:${client_addr_id} ns2 => ns1" ++ print_test "RM_ADDR id:client ns2 => ns1" + sleep 0.5 + verify_remove_event "$server_evts" "$REMOVED" "$server4_token" "$client_addr_id" + +@@ -416,7 +419,7 @@ test_remove() + client_addr_id=$(( client_addr_id - 1 )) + ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\ + $client_addr_id +- print_test "RM_ADDR id:${client_addr_id} ns2 => ns1" ++ print_test "RM_ADDR id:client-1 ns2 => ns1" + sleep 0.5 + verify_remove_event "$server_evts" "$REMOVED" "$server4_token" "$client_addr_id" + +@@ -424,7 +427,7 @@ test_remove() + :>"$server_evts" + ip netns exec "$ns2" ./pm_nl_ctl rem token "$client6_token" id\ + $client_addr_id +- print_test "RM_ADDR6 id:${client_addr_id} ns2 => ns1" ++ print_test "RM_ADDR6 id:client-1 ns2 => ns1" + sleep 0.5 + verify_remove_event "$server_evts" "$REMOVED" "$server6_token" "$client_addr_id" + +@@ -434,7 +437,7 @@ test_remove() + # RM_ADDR from the server to 
client machine + ip netns exec "$ns1" ./pm_nl_ctl rem token "$server4_token" id\ + $server_addr_id +- print_test "RM_ADDR id:${server_addr_id} ns1 => ns2" ++ print_test "RM_ADDR id:server ns1 => ns2" + sleep 0.5 + verify_remove_event "$client_evts" "$REMOVED" "$client4_token" "$server_addr_id" + +@@ -443,7 +446,7 @@ test_remove() + server_addr_id=$(( server_addr_id - 1 )) + ip netns exec "$ns1" ./pm_nl_ctl rem token "$server4_token" id\ + $server_addr_id +- print_test "RM_ADDR id:${server_addr_id} ns1 => ns2" ++ print_test "RM_ADDR id:server-1 ns1 => ns2" + sleep 0.5 + verify_remove_event "$client_evts" "$REMOVED" "$client4_token" "$server_addr_id" + +@@ -451,7 +454,7 @@ test_remove() + :>"$client_evts" + ip netns exec "$ns1" ./pm_nl_ctl rem token "$server6_token" id\ + $server_addr_id +- print_test "RM_ADDR6 id:${server_addr_id} ns1 => ns2" ++ print_test "RM_ADDR6 id:server-1 ns1 => ns2" + sleep 0.5 + verify_remove_event "$client_evts" "$REMOVED" "$client6_token" "$server_addr_id" + } +@@ -479,8 +482,14 @@ verify_subflow_events() + local locid + local remid + local info ++ local e_dport_txt + +- info="${e_saddr} (${e_from}) => ${e_daddr}:${e_dport} (${e_to})" ++ # only display the fixed ports ++ if [ "${e_dport}" -ge "${app4_port}" ] && [ "${e_dport}" -le "${app6_port}" ]; then ++ e_dport_txt=":${e_dport}" ++ fi ++ ++ info="${e_saddr} (${e_from}) => ${e_daddr}${e_dport_txt} (${e_to})" + + if [ "$e_type" = "$SUB_ESTABLISHED" ] + then +@@ -766,7 +775,7 @@ test_subflows_v4_v6_mix() + :>"$client_evts" + ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server6_token" id\ + $server_addr_id dev ns1eth2 +- print_test "ADD_ADDR4 id:${server_addr_id} 10.0.2.1 (ns1) => ns2, reuse port" ++ print_test "ADD_ADDR4 id:server 10.0.2.1 (ns1) => ns2, reuse port" + sleep 0.5 + verify_announce_event "$client_evts" "$ANNOUNCED" "$client6_token" "10.0.2.1"\ + "$server_addr_id" "$app6_port" +@@ -861,7 +870,7 @@ test_listener() + local listener_pid=$! 
+ + sleep 0.5 +- print_test "CREATE_LISTENER 10.0.2.2:$client4_port" ++ print_test "CREATE_LISTENER 10.0.2.2 (client port)" + verify_listener_events $client_evts $LISTENER_CREATED $AF_INET 10.0.2.2 $client4_port + + # ADD_ADDR from client to server machine reusing the subflow port +@@ -878,13 +887,14 @@ test_listener() + mptcp_lib_kill_wait $listener_pid + + sleep 0.5 +- print_test "CLOSE_LISTENER 10.0.2.2:$client4_port" ++ print_test "CLOSE_LISTENER 10.0.2.2 (client port)" + verify_listener_events $client_evts $LISTENER_CLOSED $AF_INET 10.0.2.2 $client4_port + } + + print_title "Make connections" + make_connection + make_connection "v6" ++print_title "Will be using address IDs ${client_addr_id} (client) and ${server_addr_id} (server)" + + test_announce + test_remove diff --git a/queue-6.9/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch b/queue-6.9/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch new file mode 100644 index 00000000000..9363641ba21 --- /dev/null +++ b/queue-6.9/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch 
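Review bot: In verify_subflow_events() the new test `[ "${e_dport}" -ge "${app4_port}" ] && [ "${e_dport}" -le "${app6_port}" ]` decides that a port is "fixed" by range, which depends on every fixed port lying between `app4_port` and `app6_port`; those values are defined outside the hunk. A kernel-chosen port that happens to fall inside that range would still be printed and make the subtest name vary again, presumably rarely. I would at least document the assumption, e.g. `# fixed ports are expected in [app4_port, app6_port]; any other port was picked by the kernel`, or compare against the known fixed ports explicitly. The function body continues outside the hunk.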
@@ -0,0 +1,118 @@ +From 2c94512055f362dd789e0f87b8566feeddec83c9 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Tue, 14 May 2024 22:05:54 +0300 +Subject: serial: 8250_dw: Revert "Move definitions to the shared header" + +From: Andy Shevchenko + +commit 2c94512055f362dd789e0f87b8566feeddec83c9 upstream. + +This reverts commit d9666dfb314e1ffd6eb9c3c4243fe3e094c047a7. + +The container of the struct dw8250_port_data is private to the actual +driver. In particular, 8250_lpss and 8250_dw use different data types +that are assigned to the UART port private_data. Hence, it must not +be used outside the specific driver. + +Fix the mistake made in the past by moving the respective definitions +to the specific driver. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240514190730.2787071-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_dw.c | 27 +++++++++++++++++++++++++++ + drivers/tty/serial/8250/8250_dwlib.h | 32 -------------------------------- + 2 files changed, 27 insertions(+), 32 deletions(-) + +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -57,6 +57,33 @@ + #define DW_UART_QUIRK_APMC0D08 BIT(4) + #define DW_UART_QUIRK_CPR_VALUE BIT(5) + ++struct dw8250_platform_data { ++ u8 usr_reg; ++ u32 cpr_value; ++ unsigned int quirks; ++}; ++ ++struct dw8250_data { ++ struct dw8250_port_data data; ++ const struct dw8250_platform_data *pdata; ++ ++ int msr_mask_on; ++ int msr_mask_off; ++ struct clk *clk; ++ struct clk *pclk; ++ struct notifier_block clk_notifier; ++ struct work_struct clk_work; ++ struct reset_control *rst; ++ ++ unsigned int skip_autocfg:1; ++ unsigned int uart_16550_compatible:1; ++}; ++ ++static inline struct dw8250_data *to_dw8250_data(struct dw8250_port_data *data) ++{ ++ return container_of(data, struct dw8250_data, data); ++} ++ + static inline struct dw8250_data *clk_to_dw8250_data(struct notifier_block *nb) + { + return 
container_of(nb, struct dw8250_data, clk_notifier); +--- a/drivers/tty/serial/8250/8250_dwlib.h ++++ b/drivers/tty/serial/8250/8250_dwlib.h +@@ -2,15 +2,10 @@ + /* Synopsys DesignWare 8250 library header file. */ + + #include +-#include + #include +-#include + + #include "8250.h" + +-struct clk; +-struct reset_control; +- + struct dw8250_port_data { + /* Port properties */ + int line; +@@ -26,36 +21,9 @@ struct dw8250_port_data { + bool hw_rs485_support; + }; + +-struct dw8250_platform_data { +- u8 usr_reg; +- u32 cpr_value; +- unsigned int quirks; +-}; +- +-struct dw8250_data { +- struct dw8250_port_data data; +- const struct dw8250_platform_data *pdata; +- +- int msr_mask_on; +- int msr_mask_off; +- struct clk *clk; +- struct clk *pclk; +- struct notifier_block clk_notifier; +- struct work_struct clk_work; +- struct reset_control *rst; +- +- unsigned int skip_autocfg:1; +- unsigned int uart_16550_compatible:1; +-}; +- + void dw8250_do_set_termios(struct uart_port *p, struct ktermios *termios, const struct ktermios *old); + void dw8250_setup_port(struct uart_port *p); + +-static inline struct dw8250_data *to_dw8250_data(struct dw8250_port_data *data) +-{ +- return container_of(data, struct dw8250_data, data); +-} +- + static inline u32 dw8250_readl_ext(struct uart_port *p, int offset) + { + if (p->iotype == UPIO_MEM32BE) diff --git a/queue-6.9/series b/queue-6.9/series index 99878359ce8..1deb853c96e 100644 --- a/queue-6.9/series +++ b/queue-6.9/series 
@@ -218,3 +218,23 @@ dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch net-tcp_ao-don-t-leak-ao_info-on-error-path.patch gcov-add-support-for-gcc-14.patch kcov-don-t-lose-track-of-remote-references-during-softirqs.patch +efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch +serial-8250_dw-revert-move-definitions-to-the-shared-header.patch +mips-pci-lantiq-restore-reset-gpio-polarity.patch +mips-mipsmtregs-fix-target-register-for-mftc0.patch +mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch +mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch +mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch +selftests-mptcp-userspace_pm-fixed-subtest-names.patch +tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch +mm-page_table_check-fix-crash-on-zone_device.patch +ima-avoid-blocking-in-rcu-read-side-critical-section.patch +i2c-ocores-set-iack-bit-after-core-is-enabled.patch +dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch +virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch +dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch +thermal-int340x-processor_thermal-support-shared-interrupts.patch +spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch +arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch +thermal-core-change-pm-notifier-priority-to-the-minimum.patch +spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch diff --git a/queue-6.9/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch b/queue-6.9/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch new file mode 100644 index 00000000000..0779f18168f --- /dev/null +++ b/queue-6.9/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch 
@@ -0,0 +1,35 @@ +From 63deee52811b2f84ed2da55ad47252f0e8145d62 Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Tue, 18 Jun 2024 15:29:50 +0200 +Subject: spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4 + +From: Patrice Chotard + +commit 63deee52811b2f84ed2da55ad47252f0e8145d62 upstream. + +In case usage of OCTAL mode, buswidth parameter can take the value 8. +As return value of stm32_qspi_get_mode() is used to configure fields +of CCR registers that are 2 bits only (fields IMODE, ADMODE, ADSIZE, + DMODE), clamp return value of stm32_qspi_get_mode() to 4. + +Fixes: a557fca630cc ("spi: stm32_qspi: Add transfer_one_message() spi callback") +Cc: stable@vger.kernel.org +Signed-off-by: Patrice Chotard +Link: https://msgid.link/r/20240618132951.2743935-3-patrice.chotard@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-stm32-qspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -349,7 +349,7 @@ static int stm32_qspi_wait_poll_status(s + + static int stm32_qspi_get_mode(u8 buswidth) + { +- if (buswidth == 4) ++ if (buswidth >= 4) + return CCR_BUSWIDTH_4; + + return buswidth; diff --git a/queue-6.9/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch b/queue-6.9/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch new file mode 100644 index 00000000000..8b0c8fbc47f --- /dev/null +++ b/queue-6.9/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch 
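Review bot: stm32_qspi_get_mode() now maps every `buswidth >= 4` to `CCR_BUSWIDTH_4` without a comment, so a reader sees an octal width (8) quietly encoded as four lines. The reason is only in the commit message: the return value feeds CCR fields that are two bits wide. I would add above the test `/* CCR mode fields are 2 bits wide: clamp octal (8) to the 4-line encoding */`.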
@@ -0,0 +1,52 @@ +From c2bd0791c5f02e964402624dfff45ca8995f5397 Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Tue, 18 Jun 2024 15:29:49 +0200 +Subject: spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup() + +From: Patrice Chotard + +commit c2bd0791c5f02e964402624dfff45ca8995f5397 upstream. + +Misplaced parenthesis make test of mode wrong in case mode is equal to +SPI_TX_OCTAL or SPI_RX_OCTAL. + +Simplify this sanity test, if one of this bit is set, property +cs-gpio must be present in DT. + +Fixes: a557fca630cc ("spi: stm32_qspi: Add transfer_one_message() spi callback") +Cc: stable@vger.kernel.org +Signed-off-by: Patrice Chotard +Link: https://msgid.link/r/20240618132951.2743935-2-patrice.chotard@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-stm32-qspi.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -653,9 +653,7 @@ static int stm32_qspi_setup(struct spi_d + return -EINVAL; + + mode = spi->mode & (SPI_TX_OCTAL | SPI_RX_OCTAL); +- if ((mode == SPI_TX_OCTAL || mode == SPI_RX_OCTAL) || +- ((mode == (SPI_TX_OCTAL | SPI_RX_OCTAL)) && +- gpiod_count(qspi->dev, "cs") == -ENOENT)) { ++ if (mode && gpiod_count(qspi->dev, "cs") == -ENOENT) { + dev_err(qspi->dev, "spi-rx-bus-width\\/spi-tx-bus-width\\/cs-gpios\n"); + dev_err(qspi->dev, "configuration not supported\n"); + +@@ -676,10 +674,10 @@ static int stm32_qspi_setup(struct spi_d + qspi->cr_reg = CR_APMS | 3 << CR_FTHRES_SHIFT | CR_SSHIFT | CR_EN; + + /* +- * Dual flash mode is only enable in case SPI_TX_OCTAL and SPI_TX_OCTAL +- * are both set in spi->mode and "cs-gpios" properties is found in DT ++ * Dual flash mode is only enable in case SPI_TX_OCTAL or SPI_RX_OCTAL ++ * is set in spi->mode and "cs-gpios" properties is found in DT + */ +- if (mode == (SPI_TX_OCTAL | SPI_RX_OCTAL)) { ++ if (mode) { + qspi->cr_reg |= CR_DFM; + dev_dbg(qspi->dev, 
"Dual flash mode enable"); + } diff --git a/queue-6.9/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch b/queue-6.9/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch new file mode 100644 index 00000000000..69fa7c687a5 --- /dev/null +++ b/queue-6.9/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch 
@@ -0,0 +1,57 @@ +From 9e046bb111f13461d3f9331e24e974324245140e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 14 Jun 2024 13:06:15 +0000 +Subject: tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() + +From: Eric Dumazet + +commit 9e046bb111f13461d3f9331e24e974324245140e upstream. + +Some applications were reporting ETIMEDOUT errors on apparently +good looking flows, according to packet dumps. + +We were able to root cause the issue to an accidental setting +of tp->retrans_stamp in the following scenario: + +- client sends TFO SYN with data. +- server has TFO disabled, ACKs only SYN but not payload. +- client receives SYNACK covering only SYN. +- tcp_ack() eats SYN and sets tp->retrans_stamp to 0. +- tcp_rcv_fastopen_synack() calls tcp_xmit_retransmit_queue() + to retransmit TFO payload w/o SYN, sets tp->retrans_stamp to "now", + but we are not in any loss recovery state. +- TFO payload is ACKed. +- we are not in any loss recovery state, and don't see any dupacks, + so we don't get to any code path that clears tp->retrans_stamp. +- tp->retrans_stamp stays non-zero for the lifetime of the connection. +- after first RTO, tcp_clamp_rto_to_user_timeout() clamps second RTO + to 1 jiffy due to bogus tp->retrans_stamp. +- on clamped RTO with non-zero icsk_retransmits, retransmits_timed_out() + sets start_ts from tp->retrans_stamp from TFO payload retransmit + hours/days ago, and computes bogus long elapsed time for loss recovery, + and suffers ETIMEDOUT early. 
+ +Fixes: a7abf3cd76e1 ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()") +CC: stable@vger.kernel.org +Co-developed-by: Neal Cardwell +Signed-off-by: Neal Cardwell +Co-developed-by: Yuchung Cheng +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240614130615.396837-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6289,6 +6289,7 @@ static bool tcp_rcv_fastopen_synack(stru + skb_rbtree_walk_from(data) + tcp_mark_skb_lost(sk, data); + tcp_xmit_retransmit_queue(sk); ++ tp->retrans_stamp = 0; + NET_INC_STATS(sock_net(sk), + LINUX_MIB_TCPFASTOPENACTIVEFAIL); + return true; diff --git a/queue-6.9/thermal-core-change-pm-notifier-priority-to-the-minimum.patch b/queue-6.9/thermal-core-change-pm-notifier-priority-to-the-minimum.patch new file mode 100644 index 00000000000..380bb860ab2 --- /dev/null +++ b/queue-6.9/thermal-core-change-pm-notifier-priority-to-the-minimum.patch 
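Review bot: The added `tp->retrans_stamp = 0;` after `tcp_xmit_retransmit_queue(sk)` in tcp_rcv_fastopen_synack() has no comment, and read on its own it looks like it discards state the retransmit just set. The commit message explains that the socket is not in loss recovery at this point, so no later path would clear the stamp and a stale value ends in an early ETIMEDOUT. I would put that next to the line, e.g. `/* Not in loss recovery: clear the stamp set by the retransmit above so it cannot skew later RTO/timeout accounting */`. The function starts and ends outside the hunk.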
@@ -0,0 +1,51 @@
+From 494c7d055081da066424706b28faa9a4c719d852 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Fri, 14 Jun 2024 17:26:00 +0200
+Subject: thermal: core: Change PM notifier priority to the minimum
+
+From: Rafael J. Wysocki
+
+commit 494c7d055081da066424706b28faa9a4c719d852 upstream.
+
+It is reported that commit 5a5efdaffda5 ("thermal: core: Resume thermal
+zones asynchronously") causes battery data in sysfs on Thinkpad P1 Gen2
+to become invalid after a resume from S3 (and it is necessary to reboot
+the machine to restore correct battery data). Some investigation into
+the problem indicated that it happened because, after the commit in
+question, the ACPI battery PM notifier ran in parallel with
+thermal_zone_device_resume() for one of the thermal zones which
+apparently confused the platform firmware on the affected system.
+
+While the exact reason for the firmware confusion remains unclear, it
+is arguably not particularly relevant, and the expected behavior of the
+affected system can be restored by making the thermal PM notifier run
+at the lowest priority which avoids interference between work items
+spawned by it and the other PM notifiers (that will run before those
+work items now).
+
+Fixes: 5a5efdaffda5 ("thermal: core: Resume thermal zones asynchronously")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218881
+Reported-by: fhortner@yahoo.de
+Tested-by: fhortner@yahoo.de
+Cc: 6.8+ # 6.8+
+Signed-off-by: Rafael J.
Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/thermal_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -1633,6 +1633,12 @@ static int thermal_pm_notify(struct noti
+
+ static struct notifier_block thermal_pm_nb = {
+ .notifier_call = thermal_pm_notify,
++ /*
++ * Run at the lowest priority to avoid interference between the thermal
++ * zone resume work items spawned by thermal_pm_notify() and the other
++ * PM notifiers.
++ */
++ .priority = INT_MIN,
+ };
+
+ static int __init thermal_init(void)
diff --git a/queue-6.9/thermal-int340x-processor_thermal-support-shared-interrupts.patch b/queue-6.9/thermal-int340x-processor_thermal-support-shared-interrupts.patch
new file mode 100644
index 00000000000..de15e3f02d7
--- /dev/null
+++ b/queue-6.9/thermal-int340x-processor_thermal-support-shared-interrupts.patch
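Review bot: The comment added above `.priority = INT_MIN,` in thermal_pm_nb says the priority avoids "interference" but does not name the failure it works around, so a later cleanup could treat the value as arbitrary. According to the commit message the observed case was the ACPI battery PM notifier running in parallel with thermal_zone_device_resume() and leaving battery data invalid after S3 resume, with the firmware-side cause still unknown. I would add one more comment line that records this, for example `* Seen with the ACPI battery notifier (bugzilla 218881); firmware root cause unknown.`. The ordering also appears to depend on the resume work being queued from inside thermal_pm_notify(), whose body is outside the hunk.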
@@ -0,0 +1,46 @@
+From 096597cfe4ea08b1830e775436d76d7c9d6d3037 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada
+Date: Tue, 18 Jun 2024 21:44:24 -0700
+Subject: thermal: int340x: processor_thermal: Support shared interrupts
+
+From: Srinivas Pandruvada
+
+commit 096597cfe4ea08b1830e775436d76d7c9d6d3037 upstream.
+
+On some systems the processor thermal device interrupt is shared with
+other PCI devices. In this case return IRQ_NONE from the interrupt
+handler when the interrupt is not for the processor thermal device.
+
+Signed-off-by: Srinivas Pandruvada
+Fixes: f0658708e863 ("thermal: int340x: processor_thermal: Use non MSI interrupts by default")
+Cc: 6.7+ # 6.7+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ .../intel/int340x_thermal/processor_thermal_device_pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
+index 14e34eabc419..4a1bfebb1b8e 100644
+--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
+@@ -150,7 +150,7 @@ static irqreturn_t proc_thermal_irq_handler(int irq, void *devid)
+ {
+ struct proc_thermal_pci *pci_info = devid;
+ struct proc_thermal_device *proc_priv;
+- int ret = IRQ_HANDLED;
++ int ret = IRQ_NONE;
+ u32 status;
+
+ proc_priv = pci_info->proc_priv;
+@@ -175,6 +175,7 @@ static irqreturn_t proc_thermal_irq_handler(int irq, void *devid)
+ /* Disable enable interrupt flag */
+ proc_thermal_mmio_write(pci_info, PROC_THERMAL_MMIO_INT_ENABLE_0, 0);
+ pkg_thermal_schedule_work(&pci_info->work);
++ ret = IRQ_HANDLED;
+ }
+
+ pci_write_config_byte(pci_info->pdev, 0xdc, 0x01);
+--
+2.45.2
+
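Review bot: `pci_write_config_byte(pci_info->pdev, 0xdc, 0x01);` still runs on every call of proc_thermal_irq_handler(), including the new case where the handler returns IRQ_NONE because the interrupt came from another device on the shared line. The hunk does not show what config offset 0xdc does; if the write acknowledges or re-arms the thermal interrupt, it probably belongs inside the block that sets `ret = IRQ_HANDLED;`, and otherwise it deserves a comment saying why it is safe to issue for interrupts that are not ours. Separately, `ret` is declared `int` although the function returns `irqreturn_t`, so `irqreturn_t ret = IRQ_NONE;` would match the signature. The lines between the two inner hunks are not shown, so any earlier assignment to `ret` there should be checked against the new `ret = IRQ_HANDLED;`, which would overwrite it.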
diff --git a/queue-6.9/virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch b/queue-6.9/virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch
new file mode 100644
index 00000000000..5a282f0249c
--- /dev/null
+++ b/queue-6.9/virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch
@@ -0,0 +1,50 @@
+From c31745d2c508796a0996c88bf2e55f552d513f65 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Tue, 11 Jun 2024 04:22:18 -0400
+Subject: virt: guest_memfd: fix reference leak on hwpoisoned page
+
+From: Paolo Bonzini
+
+commit c31745d2c508796a0996c88bf2e55f552d513f65 upstream.
+
+If kvm_gmem_get_pfn() detects an hwpoisoned page, it returns -EHWPOISON
+but it does not put back the reference that kvm_gmem_get_folio() had
+grabbed. Add the forgotten folio_put().
+
+Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
+Cc: stable@vger.kernel.org
+Reviewed-by: Liam Merwick
+Reviewed-by: Isaku Yamahata
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/guest_memfd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
+index 0f4e0cf4f158..747fe251e445 100644
+--- a/virt/kvm/guest_memfd.c
++++ b/virt/kvm/guest_memfd.c
+@@ -510,8 +510,10 @@ int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot,
+ }
+
+ if (folio_test_hwpoison(folio)) {
++ folio_unlock(folio);
++ folio_put(folio);
+ r = -EHWPOISON;
+- goto out_unlock;
++ goto out_fput;
+ }
+
+ page = folio_file_page(folio, index);
+@@ -522,7 +524,6 @@ int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot,
+
+ r = 0;
+
+-out_unlock:
+ folio_unlock(folio);
+ out_fput:
+ fput(file);
+--
+2.45.2
+
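Review bot: After this change kvm_gmem_get_pfn() has two exits that call folio_unlock() by hand, and only the hwpoison one also calls folio_put(); with the `out_unlock` label removed, nothing in the code says the asymmetry is deliberate. Judging from the commit message, the success path keeps the reference taken by kvm_gmem_get_folio() for the caller, though the hunk does not show who drops it. A one-line comment above the final `folio_unlock(folio);`, such as `/* Success: unlock but keep the folio reference for the caller. */`, would stop a later cleanup from re-introducing the leak or adding a put on the success path. The function begins outside the hunk.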