From: Sasha Levin Date: Sun, 8 Sep 2024 13:22:03 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v4.19.322~69 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e906077f104e4b35f4d2e8bd97617ab357a5df9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch b/queue-6.1/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch new file mode 100644 index 00000000000..0048629d862 --- /dev/null +++ b/queue-6.1/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch @@ -0,0 +1,58 @@ +From ed3a4035734f65b468dd74dcbe9c80145d43c322 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 13:56:22 -0700 +Subject: af_unix: Remove put_pid()/put_cred() in copy_peercred(). + +From: Kuniyuki Iwashima + +[ Upstream commit e4bd881d987121dbf1a288641491955a53d9f8f7 ] + +When (AF_UNIX, SOCK_STREAM) socket connect()s to a listening socket, +the listener's sk_peer_pid/sk_peer_cred are copied to the client in +copy_peercred(). + +Then, the client's sk_peer_pid and sk_peer_cred are always NULL, so +we need not call put_pid() and put_cred() there. + +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 7d59f9a6c904..5ce60087086c 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -680,9 +680,6 @@ static void init_peercred(struct sock *sk) + + static void copy_peercred(struct sock *sk, struct sock *peersk) + { +- const struct cred *old_cred; +- struct pid *old_pid; +- + if (sk < peersk) { + spin_lock(&sk->sk_peer_lock); + spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING); +@@ -690,16 +687,12 @@ static void copy_peercred(struct sock *sk, struct sock *peersk) + spin_lock(&peersk->sk_peer_lock); + spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING); + } +- old_pid = sk->sk_peer_pid; +- old_cred = sk->sk_peer_cred; ++ + sk->sk_peer_pid = get_pid(peersk->sk_peer_pid); + sk->sk_peer_cred = get_cred(peersk->sk_peer_cred); + + spin_unlock(&sk->sk_peer_lock); + spin_unlock(&peersk->sk_peer_lock); +- +- put_pid(old_pid); +- put_cred(old_cred); + } + + static int unix_listen(struct socket *sock, int backlog) +-- +2.43.0 + diff --git a/queue-6.1/alsa-control-apply-sanity-check-of-input-values-for-.patch b/queue-6.1/alsa-control-apply-sanity-check-of-input-values-for-.patch new file mode 100644 index 00000000000..2ab9af701e9 --- /dev/null +++ b/queue-6.1/alsa-control-apply-sanity-check-of-input-values-for-.patch @@ -0,0 +1,61 @@ +From fa4823ae83dbe1fd42ef16a90397d5dd0e305f76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jun 2024 09:34:44 +0200 +Subject: ALSA: control: Apply sanity check of input values for user elements + +From: Takashi Iwai + +[ Upstream commit 50ed081284fe2bfd1f25e8b92f4f6a4990e73c0a ] + +Although we have already a mechanism for sanity checks of input values +for control writes, it's not applied unless the kconfig +CONFIG_SND_CTL_INPUT_VALIDATION is set due to the performance reason. +Nevertheless, it still makes sense to apply the same check for user +elements despite of its cost, as that's the only way to filter out the +invalid values; the user controls are handled solely in ALSA core +code, and there is no corresponding driver, after all. + +This patch adds the same input value validation for user control +elements at its put callback. The kselftest will be happier with this +change, as the incorrect values will be bailed out now with errors. + +For other normal controls, the check is applied still only when +CONFIG_SND_CTL_INPUT_VALIDATION is set. + +Reported-by: Paul Menzel +Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de +Reviewed-by: Jaroslav Kysela +Reviewed-by: Mark Brown +Reviewed-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/20240616073454.16512-4-tiwai@suse.de +Signed-off-by: Sasha Levin +--- + sound/core/control.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/core/control.c b/sound/core/control.c +index 82aa1af1d1d8..92266c97238d 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1477,12 +1477,16 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol, + static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { +- int change; ++ int err, change; + struct user_element *ue = kcontrol->private_data; + unsigned int size = ue->elem_data_size; + char *dst = ue->elem_data + + snd_ctl_get_ioff(kcontrol, &ucontrol->id) * size; + ++ err = sanity_check_input_values(ue->card, ucontrol, &ue->info, false); ++ if (err < 0) ++ return err; ++ + change = memcmp(&ucontrol->value, dst, size) != 0; + if (change) + memcpy(dst, &ucontrol->value, size); +-- +2.43.0 + diff --git a/queue-6.1/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch b/queue-6.1/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch new file mode 100644 index 00000000000..07765fe93e3 --- /dev/null +++ b/queue-6.1/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch @@ -0,0 +1,61 @@ +From 940986109ce5a032a8058750a53e21a86b4c81c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jun 2024 09:34:47 +0200 +Subject: ALSA: hda: Add input value sanity checks to HDMI channel map controls + +From: Takashi Iwai + +[ Upstream commit 6278056e42d953e207e2afd416be39d09ed2d496 ] + +Add a simple sanity check to HD-audio HDMI Channel Map controls. +Although the value might not be accepted for the actual connection, we +can filter out some bogus values beforehand, and that should be enough +for making kselftest happier. + +Reviewed-by: Jaroslav Kysela +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/20240616073454.16512-7-tiwai@suse.de +Signed-off-by: Sasha Levin +--- + sound/hda/hdmi_chmap.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/sound/hda/hdmi_chmap.c b/sound/hda/hdmi_chmap.c +index 5d8e1d944b0a..7b276047f85a 100644 +--- a/sound/hda/hdmi_chmap.c ++++ b/sound/hda/hdmi_chmap.c +@@ -753,6 +753,20 @@ static int hdmi_chmap_ctl_get(struct snd_kcontrol *kcontrol, + return 0; + } + ++/* a simple sanity check for input values to chmap kcontrol */ ++static int chmap_value_check(struct hdac_chmap *hchmap, ++ const struct snd_ctl_elem_value *ucontrol) ++{ ++ int i; ++ ++ for (i = 0; i < hchmap->channels_max; i++) { ++ if (ucontrol->value.integer.value[i] < 0 || ++ ucontrol->value.integer.value[i] > SNDRV_CHMAP_LAST) ++ return -EINVAL; ++ } ++ return 0; ++} ++ + static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { +@@ -764,6 +778,10 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol, + unsigned char chmap[8], per_pin_chmap[8]; + int i, err, ca, prepared = 0; + ++ err = chmap_value_check(hchmap, ucontrol); ++ if (err < 0) ++ return err; ++ + /* No monitor is connected in dyn_pcm_assign. + * It's invalid to setup the chmap + */ +-- +2.43.0 + diff --git a/queue-6.1/asoc-topology-properly-initialize-soc_enum-values.patch b/queue-6.1/asoc-topology-properly-initialize-soc_enum-values.patch new file mode 100644 index 00000000000..e2d0b4c4985 --- /dev/null +++ b/queue-6.1/asoc-topology-properly-initialize-soc_enum-values.patch @@ -0,0 +1,38 @@ +From 914177c2468799434396450f58d2839f0502521a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 12:18:40 +0200 +Subject: ASoC: topology: Properly initialize soc_enum values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit 8ec2a2643544ce352f012ad3d248163199d05dfc ] + +soc_tplg_denum_create_values() should properly set its values field. + +Signed-off-by: Amadeusz Sławiński +Link: https://patch.msgid.link/20240627101850.2191513-4-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-topology.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index fcb8a36d4a06..77296c950376 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -889,6 +889,8 @@ static int soc_tplg_denum_create_values(struct soc_tplg *tplg, struct soc_enum * + se->dobj.control.dvalues[i] = le32_to_cpu(ec->values[i]); + } + ++ se->items = le32_to_cpu(ec->items); ++ se->values = (const unsigned int *)se->dobj.control.dvalues; + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/ata-pata_macio-use-warn-instead-of-bug.patch b/queue-6.1/ata-pata_macio-use-warn-instead-of-bug.patch new file mode 100644 index 00000000000..9add1261023 --- /dev/null +++ b/queue-6.1/ata-pata_macio-use-warn-instead-of-bug.patch @@ -0,0 +1,53 @@ +From 474ce7a199dc638d899f7b64664b68ced9d58590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 13:04:07 +1000 +Subject: ata: pata_macio: Use WARN instead of BUG + +From: Michael Ellerman + +[ Upstream commit d4bc0a264fb482b019c84fbc7202dd3cab059087 ] + +The overflow/underflow conditions in pata_macio_qc_prep() should never +happen. But if they do there's no need to kill the system entirely, a +WARN and failing the IO request should be sufficient and might allow the +system to keep running. + +Signed-off-by: Michael Ellerman +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_macio.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c +index 9ccaac9e2bc3..f19ede2965a1 100644 +--- a/drivers/ata/pata_macio.c ++++ b/drivers/ata/pata_macio.c +@@ -540,7 +540,8 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc) + + while (sg_len) { + /* table overflow should never happen */ +- BUG_ON (pi++ >= MAX_DCMDS); ++ if (WARN_ON_ONCE(pi >= MAX_DCMDS)) ++ return AC_ERR_SYSTEM; + + len = (sg_len < MAX_DBDMA_SEG) ? sg_len : MAX_DBDMA_SEG; + table->command = cpu_to_le16(write ? OUTPUT_MORE: INPUT_MORE); +@@ -552,11 +553,13 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc) + addr += len; + sg_len -= len; + ++table; ++ ++pi; + } + } + + /* Should never happen according to Tejun */ +- BUG_ON(!pi); ++ if (WARN_ON_ONCE(!pi)) ++ return AC_ERR_SYSTEM; + + /* Convert the last command to an input/output */ + table--; +-- +2.43.0 + diff --git a/queue-6.1/bareudp-fix-device-stats-updates.patch b/queue-6.1/bareudp-fix-device-stats-updates.patch new file mode 100644 index 00000000000..d5a10b2997b --- /dev/null +++ b/queue-6.1/bareudp-fix-device-stats-updates.patch @@ -0,0 +1,106 @@ +From f62fed25e0b0a933b4913895ab46e3faed528089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 17:31:07 +0200 +Subject: bareudp: Fix device stats updates. + +From: Guillaume Nault + +[ Upstream commit 4963d2343af81f493519f9c3ea9f2169eaa7353a ] + +Bareudp devices update their stats concurrently. +Therefore they need proper atomic increments. + +Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") +Signed-off-by: Guillaume Nault +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/04b7b9d0b480158eb3ab4366ec80aa2ab7e41fcb.1725031794.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bareudp.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c +index 683203f87ae2..277493e41b07 100644 +--- a/drivers/net/bareudp.c ++++ b/drivers/net/bareudp.c +@@ -82,7 +82,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + + if (skb_copy_bits(skb, BAREUDP_BASE_HLEN, &ipversion, + sizeof(ipversion))) { +- bareudp->dev->stats.rx_dropped++; ++ DEV_STATS_INC(bareudp->dev, rx_dropped); + goto drop; + } + ipversion >>= 4; +@@ -92,7 +92,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + } else if (ipversion == 6 && bareudp->multi_proto_mode) { + proto = htons(ETH_P_IPV6); + } else { +- bareudp->dev->stats.rx_dropped++; ++ DEV_STATS_INC(bareudp->dev, rx_dropped); + goto drop; + } + } else if (bareudp->ethertype == htons(ETH_P_MPLS_UC)) { +@@ -106,7 +106,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + ipv4_is_multicast(tunnel_hdr->daddr)) { + proto = htons(ETH_P_MPLS_MC); + } else { +- bareudp->dev->stats.rx_dropped++; ++ DEV_STATS_INC(bareudp->dev, rx_dropped); + goto drop; + } + } else { +@@ -122,7 +122,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + (addr_type & IPV6_ADDR_MULTICAST)) { + proto = htons(ETH_P_MPLS_MC); + } else { +- bareudp->dev->stats.rx_dropped++; ++ DEV_STATS_INC(bareudp->dev, rx_dropped); + goto drop; + } + } +@@ -134,12 +134,12 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + proto, + !net_eq(bareudp->net, + dev_net(bareudp->dev)))) { +- bareudp->dev->stats.rx_dropped++; ++ DEV_STATS_INC(bareudp->dev, rx_dropped); + goto drop; + } + tun_dst = udp_tun_rx_dst(skb, family, TUNNEL_KEY, 0, 0); + if (!tun_dst) { +- bareudp->dev->stats.rx_dropped++; ++ DEV_STATS_INC(bareudp->dev, rx_dropped); + goto drop; + } + skb_dst_set(skb, &tun_dst->dst); +@@ -165,8 +165,8 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) + &((struct ipv6hdr *)oiph)->saddr); + } + if (err > 1) { +- ++bareudp->dev->stats.rx_frame_errors; +- ++bareudp->dev->stats.rx_errors; ++ DEV_STATS_INC(bareudp->dev, rx_frame_errors); ++ DEV_STATS_INC(bareudp->dev, rx_errors); + goto drop; + } + } +@@ -462,11 +462,11 @@ static netdev_tx_t bareudp_xmit(struct sk_buff *skb, struct net_device *dev) + dev_kfree_skb(skb); + + if (err == -ELOOP) +- dev->stats.collisions++; ++ DEV_STATS_INC(dev, collisions); + else if (err == -ENETUNREACH) +- dev->stats.tx_carrier_errors++; ++ DEV_STATS_INC(dev, tx_carrier_errors); + +- dev->stats.tx_errors++; ++ DEV_STATS_INC(dev, tx_errors); + return NETDEV_TX_OK; + } + +-- +2.43.0 + diff --git a/queue-6.1/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch b/queue-6.1/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch new file mode 100644 index 00000000000..c41247f9cd4 --- /dev/null +++ b/queue-6.1/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch @@ -0,0 +1,90 @@ +From 41bcd47a990c757330cd188867c5772e5bd0c17c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 14:12:13 -0400 +Subject: btrfs: clean up our handling of refs == 0 in snapshot delete + +From: Josef Bacik + +[ Upstream commit b8ccef048354074a548f108e51d0557d6adfd3a3 ] + +In reada we BUG_ON(refs == 0), which could be unkind since we aren't +holding a lock on the extent leaf and thus could get a transient +incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which +could happen if we have extent tree corruption. Change that to return +-EUCLEAN. In do_walk_down() we catch this case and handle it correctly, +however we return -EIO, which -EUCLEAN is a more appropriate error code. +Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert +that to proper error handling. Also adjust the error message so we can +actually do something with the information. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index d6efdcf95991..0d97c8ee6b4f 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -5141,7 +5141,15 @@ static noinline void reada_walk_down(struct btrfs_trans_handle *trans, + /* We don't care about errors in readahead. */ + if (ret < 0) + continue; +- BUG_ON(refs == 0); ++ ++ /* ++ * This could be racey, it's conceivable that we raced and end ++ * up with a bogus refs count, if that's the case just skip, if ++ * we are actually corrupt we will notice when we look up ++ * everything again with our locks. ++ */ ++ if (refs == 0) ++ continue; + + if (wc->stage == DROP_REFERENCE) { + if (refs == 1) +@@ -5208,7 +5216,11 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans, + BUG_ON(ret == -ENOMEM); + if (ret) + return ret; +- BUG_ON(wc->refs[level] == 0); ++ if (unlikely(wc->refs[level] == 0)) { ++ btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", ++ eb->start); ++ return -EUCLEAN; ++ } + } + + if (wc->stage == DROP_REFERENCE) { +@@ -5338,8 +5350,9 @@ static noinline int do_walk_down(struct btrfs_trans_handle *trans, + goto out_unlock; + + if (unlikely(wc->refs[level - 1] == 0)) { +- btrfs_err(fs_info, "Missing references."); +- ret = -EIO; ++ btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", ++ bytenr); ++ ret = -EUCLEAN; + goto out_unlock; + } + *lookup_info = 0; +@@ -5540,7 +5553,12 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans, + path->locks[level] = 0; + return ret; + } +- BUG_ON(wc->refs[level] == 0); ++ if (unlikely(wc->refs[level] == 0)) { ++ btrfs_tree_unlock_rw(eb, path->locks[level]); ++ btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", ++ eb->start); ++ return -EUCLEAN; ++ } + if (wc->refs[level] == 1) { + btrfs_tree_unlock_rw(eb, path->locks[level]); + path->locks[level] = 0; +-- +2.43.0 + diff --git a/queue-6.1/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch b/queue-6.1/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch new file mode 100644 index 00000000000..a221b613ce3 --- /dev/null +++ b/queue-6.1/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch @@ -0,0 +1,56 @@ +From d52fec85528c9d3d3832ee9ca5760bc76713733b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 21:59:24 +0200 +Subject: btrfs: initialize location to fix -Wmaybe-uninitialized in + btrfs_lookup_dentry() + +From: David Sterba + +[ Upstream commit b8e947e9f64cac9df85a07672b658df5b2bcff07 ] + +Some arch + compiler combinations report a potentially unused variable +location in btrfs_lookup_dentry(). This is a false alert as the variable +is passed by value and always valid or there's an error. The compilers +cannot probably reason about that although btrfs_inode_by_name() is in +the same file. + + > + /kisskb/src/fs/btrfs/inode.c: error: 'location.objectid' may be used + +uninitialized in this function [-Werror=maybe-uninitialized]: => 5603:9 + > + /kisskb/src/fs/btrfs/inode.c: error: 'location.type' may be used + +uninitialized in this function [-Werror=maybe-uninitialized]: => 5674:5 + + m68k-gcc8/m68k-allmodconfig + mips-gcc8/mips-allmodconfig + powerpc-gcc5/powerpc-all{mod,yes}config + powerpc-gcc5/ppc64_defconfig + +Initialize it to zero, this should fix the warnings and won't change the +behaviour as btrfs_inode_by_name() accepts only a root or inode item +types, otherwise returns an error. + +Reported-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Link: https://lore.kernel.org/linux-btrfs/bd4e9928-17b3-9257-8ba7-6b7f9bbb639a@linux-m68k.org/ +Reviewed-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 934e360d1aef..e5017b2ade57 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5890,7 +5890,7 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry) + struct inode *inode; + struct btrfs_root *root = BTRFS_I(dir)->root; + struct btrfs_root *sub_root = root; +- struct btrfs_key location; ++ struct btrfs_key location = { 0 }; + u8 di_type = 0; + int ret = 0; + +-- +2.43.0 + diff --git a/queue-6.1/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch b/queue-6.1/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch new file mode 100644 index 00000000000..6b553df2e7e --- /dev/null +++ b/queue-6.1/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch @@ -0,0 +1,46 @@ +From d9742ea3d20e6cc9eb836831490103335357c4fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 14:12:12 -0400 +Subject: btrfs: replace BUG_ON with ASSERT in walk_down_proc() + +From: Josef Bacik + +[ Upstream commit 1f9d44c0a12730a24f8bb75c5e1102207413cc9b ] + +We have a couple of areas where we check to make sure the tree block is +locked before looking up or messing with references. This is old code +so it has this as BUG_ON(). Convert this to ASSERT() for developers. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 528cd88a77fd..d6efdcf95991 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -5200,7 +5200,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans, + if (lookup_info && + ((wc->stage == DROP_REFERENCE && wc->refs[level] != 1) || + (wc->stage == UPDATE_BACKREF && !(wc->flags[level] & flag)))) { +- BUG_ON(!path->locks[level]); ++ ASSERT(path->locks[level]); + ret = btrfs_lookup_extent_info(trans, fs_info, + eb->start, level, 1, + &wc->refs[level], +@@ -5224,7 +5224,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans, + + /* wc->stage == UPDATE_BACKREF */ + if (!(wc->flags[level] & flag)) { +- BUG_ON(!path->locks[level]); ++ ASSERT(path->locks[level]); + ret = btrfs_inc_ref(trans, root, eb, 1); + BUG_ON(ret); /* -ENOMEM */ + ret = btrfs_dec_ref(trans, root, eb, 0); +-- +2.43.0 + diff --git a/queue-6.1/btrfs-replace-bug_on-with-error-handling-at-update_r.patch b/queue-6.1/btrfs-replace-bug_on-with-error-handling-at-update_r.patch new file mode 100644 index 00000000000..6da0a8eb7d4 --- /dev/null +++ b/queue-6.1/btrfs-replace-bug_on-with-error-handling-at-update_r.patch @@ -0,0 +1,50 @@ +From 77019734ec825b126a810c13ea6f35933b73e9a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 15:55:16 +0100 +Subject: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() + +From: Filipe Manana + +[ Upstream commit b56329a782314fde5b61058e2a25097af7ccb675 ] + +Instead of a BUG_ON() just return an error, log an error message and +abort the transaction in case we find an extent buffer belonging to the +relocation tree that doesn't have the full backref flag set. This is +unexpected and should never happen (save for bugs or a potential bad +memory). + +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index e08688844f1e..66d1f34c3fc6 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -324,8 +324,16 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans, + } + + owner = btrfs_header_owner(buf); +- BUG_ON(owner == BTRFS_TREE_RELOC_OBJECTID && +- !(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF)); ++ if (unlikely(owner == BTRFS_TREE_RELOC_OBJECTID && ++ !(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF))) { ++ btrfs_crit(fs_info, ++"found tree block at bytenr %llu level %d root %llu refs %llu flags %llx without full backref flag set", ++ buf->start, btrfs_header_level(buf), ++ btrfs_root_id(root), refs, flags); ++ ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); ++ return ret; ++ } + + if (refs > 1) { + if ((owner == root->root_key.objectid || +-- +2.43.0 + diff --git a/queue-6.1/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch b/queue-6.1/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch new file mode 100644 index 00000000000..df12d487fcc --- /dev/null +++ b/queue-6.1/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch @@ -0,0 +1,99 @@ +From 647b63078f0b1bdd513912ba5867b40427c5b36e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 12:28:42 -0700 +Subject: can: bcm: Remove proc entry when dev is unregistered. + +From: Kuniyuki Iwashima + +[ Upstream commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 ] + +syzkaller reported a warning in bcm_connect() below. [0] + +The repro calls connect() to vxcan1, removes vxcan1, and calls +connect() with ifindex == 0. + +Calling connect() for a BCM socket allocates a proc entry. +Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). + +However, removing the bound device resets bcm_sk(sk)->bound to 0 +in bcm_notify(). + +The 2nd connect() tries to allocate a proc entry with the same +name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the +original proc entry. + +Since the proc entry is available only for connect()ed sockets, +let's clean up the entry when the bound netdev is unregistered. + +[0]: +proc_dir_entry 'can-bcm/2456' already registered +WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 +Modules linked in: +CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 +Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 +RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 +RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 +RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 +R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec +FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 + bcm_connect+0x472/0x840 net/can/bcm.c:1673 + __sys_connect_file net/socket.c:2049 [inline] + __sys_connect+0x5d2/0x690 net/socket.c:2066 + __do_sys_connect net/socket.c:2076 [inline] + __se_sys_connect net/socket.c:2073 [inline] + __x64_sys_connect+0x8f/0x100 net/socket.c:2073 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +RIP: 0033:0x7fbd708b0e5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d +RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 +R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 +R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 + +remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456' + +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/all/20240722192842.37421-1-kuniyu@amazon.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/bcm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 925d48cc50f8..4ecb5cd8a22d 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1428,6 +1428,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg, + + /* remove device reference, if this is our bound device */ + if (bo->bound && bo->ifindex == dev->ifindex) { ++#if IS_ENABLED(CONFIG_PROC_FS) ++ if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) ++ remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir); ++#endif + bo->bound = 0; + bo->ifindex = 0; + notify_enodev = 1; +-- +2.43.0 + diff --git a/queue-6.1/can-m_can-release-irq-on-error-in-m_can_open.patch b/queue-6.1/can-m_can-release-irq-on-error-in-m_can_open.patch new file mode 100644 index 00000000000..2eb10388001 --- /dev/null +++ b/queue-6.1/can-m_can-release-irq-on-error-in-m_can_open.patch @@ -0,0 +1,54 @@ +From 0446c91e7ef12c341d02b01d34772dce3e5efe70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 15:01:58 +0100 +Subject: can: m_can: Release irq on error in m_can_open + +From: Simon Horman + +[ Upstream commit 06d4ef3056a7ac31be331281bb7a6302ef5a7f8a ] + +It appears that the irq requested in m_can_open() may be leaked +if an error subsequently occurs: if m_can_start() fails. + +Address this by calling free_irq in the unwind path for +such cases. + +Flagged by Smatch. +Compile tested only. + +Fixes: eaacfeaca7ad ("can: m_can: Call the RAM init directly from m_can_chip_config") +Acked-by: Marc Kleine-Budde +Signed-off-by: Simon Horman +Link: https://lore.kernel.org/all/20240805-mcan-irq-v2-1-7154c0484819@kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index 2de998b98cb5..561f25cdad3f 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -1815,7 +1815,7 @@ static int m_can_open(struct net_device *dev) + /* start the m_can controller */ + err = m_can_start(dev); + if (err) +- goto exit_irq_fail; ++ goto exit_start_fail; + + if (!cdev->is_peripheral) + napi_enable(&cdev->napi); +@@ -1824,6 +1824,9 @@ static int m_can_open(struct net_device *dev) + + return 0; + ++exit_start_fail: ++ if (cdev->is_peripheral || dev->irq) ++ free_irq(dev->irq, dev); + exit_irq_fail: + if (cdev->is_peripheral) + destroy_workqueue(cdev->tx_wq); +-- +2.43.0 + diff --git a/queue-6.1/can-mcp251xfd-fix-ring-configuration-when-switching-.patch b/queue-6.1/can-mcp251xfd-fix-ring-configuration-when-switching-.patch new file mode 100644 index 00000000000..93cd828d571 --- /dev/null +++ b/queue-6.1/can-mcp251xfd-fix-ring-configuration-when-switching-.patch @@ -0,0 +1,84 @@ +From 873d2e7cebaa9bc9e046c9526e84c86a89a4cb03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jul 2024 17:28:27 +0200 +Subject: can: mcp251xfd: fix ring configuration when switching from CAN-CC to + CAN-FD mode + +From: Marc Kleine-Budde + +[ Upstream commit 50ea5449c56310d2d31c28ba91a59232116d3c1e ] + +If the ring (rx, tx) and/or coalescing parameters (rx-frames-irq, +tx-frames-irq) have been configured while the interface was in CAN-CC +mode, but the interface is brought up in CAN-FD mode, the ring +parameters might be too big. + +Use the default CAN-FD values in this case. + +Fixes: 9263c2e92be9 ("can: mcp251xfd: ring: add support for runtime configurable RX/TX ring parameters") +Link: https://lore.kernel.org/all/20240805-mcp251xfd-fix-ringconfig-v1-1-72086f0ca5ee@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-ram.c | 11 +++++++++- + .../net/can/spi/mcp251xfd/mcp251xfd-ring.c | 20 ++++++++++++++++--- + 2 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ram.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ram.c +index 9e8e82cdba46..61b0d6fa52dd 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ram.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ram.c +@@ -97,7 +97,16 @@ void can_ram_get_layout(struct can_ram_layout *layout, + if (ring) { + u8 num_rx_coalesce = 0, num_tx_coalesce = 0; + +- num_rx = can_ram_rounddown_pow_of_two(config, &config->rx, 0, ring->rx_pending); ++ /* If the ring parameters have been configured in ++ * CAN-CC mode, but and we are in CAN-FD mode now, ++ * they might be to big. Use the default CAN-FD values ++ * in this case. ++ */ ++ num_rx = ring->rx_pending; ++ if (num_rx > layout->max_rx) ++ num_rx = layout->default_rx; ++ ++ num_rx = can_ram_rounddown_pow_of_two(config, &config->rx, 0, num_rx); + + /* The ethtool doc says: + * To disable coalescing, set usecs = 0 and max_frames = 1. +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c +index 4d0246a0779a..915d505a304f 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c +@@ -458,11 +458,25 @@ int mcp251xfd_ring_alloc(struct mcp251xfd_priv *priv) + + /* switching from CAN-2.0 to CAN-FD mode or vice versa */ + if (fd_mode != test_bit(MCP251XFD_FLAGS_FD_MODE, priv->flags)) { ++ const struct ethtool_ringparam ring = { ++ .rx_pending = priv->rx_obj_num, ++ .tx_pending = priv->tx->obj_num, ++ }; ++ const struct ethtool_coalesce ec = { ++ .rx_coalesce_usecs_irq = priv->rx_coalesce_usecs_irq, ++ .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq, ++ .tx_coalesce_usecs_irq = priv->tx_coalesce_usecs_irq, ++ .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq, ++ }; + struct can_ram_layout layout; + +- can_ram_get_layout(&layout, &mcp251xfd_ram_config, NULL, NULL, fd_mode); +- priv->rx_obj_num = layout.default_rx; +- tx_ring->obj_num = layout.default_tx; ++ can_ram_get_layout(&layout, &mcp251xfd_ram_config, &ring, &ec, fd_mode); ++ ++ priv->rx_obj_num = layout.cur_rx; ++ priv->rx_obj_num_coalesce_irq = layout.rx_coalesce; ++ ++ tx_ring->obj_num = layout.cur_tx; ++ priv->tx_obj_num_coalesce_irq = layout.tx_coalesce; + } + + if (fd_mode) { +-- +2.43.0 + diff --git a/queue-6.1/cgroup-protect-css-cgroup-write-under-css_set_lock.patch b/queue-6.1/cgroup-protect-css-cgroup-write-under-css_set_lock.patch new file mode 100644 index 00000000000..aba8947ecc1 --- /dev/null +++ b/queue-6.1/cgroup-protect-css-cgroup-write-under-css_set_lock.patch @@ -0,0 +1,45 @@ +From f5ff2de2faf0b99bfd385fb863971b9ce1759ee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 14:52:29 -0400 +Subject: cgroup: Protect css->cgroup write under css_set_lock + +From: Waiman Long + +[ Upstream commit 57b56d16800e8961278ecff0dc755d46c4575092 ] + +The writing of css->cgroup associated with the cgroup root in +rebind_subsystems() is currently protected only by cgroup_mutex. +However, the reading of css->cgroup in both proc_cpuset_show() and +proc_cgroup_show() is protected just by css_set_lock. That makes the +readers susceptible to racing problems like data tearing or caching. +It is also a problem that can be reported by KCSAN. + +This can be fixed by using READ_ONCE() and WRITE_ONCE() to access +css->cgroup. Alternatively, the writing of css->cgroup can be moved +under css_set_lock as well which is done by this patch. + +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 455f67ff31b5..f6656fd410d0 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -1852,9 +1852,9 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask) + RCU_INIT_POINTER(scgrp->subsys[ssid], NULL); + rcu_assign_pointer(dcgrp->subsys[ssid], css); + ss->root = dst_root; +- css->cgroup = dcgrp; + + spin_lock_irq(&css_set_lock); ++ css->cgroup = dcgrp; + WARN_ON(!list_empty(&dcgrp->e_csets[ss->id])); + list_for_each_entry_safe(cset, cset_pos, &scgrp->e_csets[ss->id], + e_cset_node[ss->id]) { +-- +2.43.0 + diff --git a/queue-6.1/cifs-fix-falloc_fl_zero_range-to-preflush-buffered-p.patch b/queue-6.1/cifs-fix-falloc_fl_zero_range-to-preflush-buffered-p.patch new file mode 100644 index 00000000000..a02ec82a93f --- /dev/null +++ b/queue-6.1/cifs-fix-falloc_fl_zero_range-to-preflush-buffered-p.patch @@ -0,0 +1,103 @@ +From a8c9b22290dea9c28812cb15717b543c95b102b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 21:08:25 +0100 +Subject: cifs: Fix FALLOC_FL_ZERO_RANGE to preflush buffered part of target + region + +From: David Howells + +[ Upstream commit 91d1dfae464987aaf6c79ff51d8674880fb3be77 ] + +Under certain conditions, the range to be cleared by FALLOC_FL_ZERO_RANGE +may only be buffered locally and not yet have been flushed to the server. +For example: + + xfs_io -f -t -c "pwrite -S 0x41 0 4k" \ + -c "pwrite -S 0x42 4k 4k" \ + -c "fzero 0 4k" \ + -c "pread -v 0 8k" /xfstest.test/foo + +will write two 4KiB blocks of data, which get buffered in the pagecache, +and then fallocate() is used to clear the first 4KiB block on the server - +but we don't flush the data first, which means the EOF position on the +server is wrong, and so the FSCTL_SET_ZERO_DATA RPC fails (and xfs_io +ignores the error), but then when we try to read it, we see the old data. + +Fix this by preflushing any part of the target region that above the +server's idea of the EOF position to force the server to update its EOF +position. + +Note, however, that we don't want to simply expand the file by moving the +EOF before doing the FSCTL_SET_ZERO_DATA[*] because someone else might see +the zeroed region or if the RPC fails we then have to try to clean it up or +risk getting corruption. + +[*] And we have to move the EOF first otherwise FSCTL_SET_ZERO_DATA won't +do what we want. + +This fixes the generic/008 xfstest. + +[!] Note: A better way to do this might be to split the operation into two +parts: we only do FSCTL_SET_ZERO_DATA for the part of the range below the +server's EOF and then, if that worked, invalidate the buffered pages for the +part above the range. + +Fixes: 6b69040247e1 ("cifs/smb3: Fix data inconsistent when zero file range") +Signed-off-by: David Howells +cc: Steve French +cc: Zhang Xiaoxu +cc: Pavel Shilovsky +cc: Paulo Alcantara +cc: Shyam Prasad N +cc: Rohith Surabattula +cc: Jeff Layton +cc: linux-cifs@vger.kernel.org +cc: linux-mm@kvack.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2ops.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c +index 2291081653a8..5e9478f31d47 100644 +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -3443,13 +3443,15 @@ static long smb3_zero_data(struct file *file, struct cifs_tcon *tcon, + } + + static long smb3_zero_range(struct file *file, struct cifs_tcon *tcon, +- loff_t offset, loff_t len, bool keep_size) ++ unsigned long long offset, unsigned long long len, ++ bool keep_size) + { + struct cifs_ses *ses = tcon->ses; + struct inode *inode = file_inode(file); + struct cifsInodeInfo *cifsi = CIFS_I(inode); + struct cifsFileInfo *cfile = file->private_data; +- unsigned long long new_size; ++ struct netfs_inode *ictx = netfs_inode(inode); ++ unsigned long long i_size, new_size, remote_size; + long rc; + unsigned int xid; + __le64 eof; +@@ -3462,6 +3464,16 @@ static long smb3_zero_range(struct file *file, struct cifs_tcon *tcon, + inode_lock(inode); + filemap_invalidate_lock(inode->i_mapping); + ++ i_size = i_size_read(inode); ++ remote_size = ictx->remote_i_size; ++ if (offset + len >= remote_size && offset < i_size) { ++ unsigned long long top = umin(offset + len, i_size); ++ ++ rc = filemap_write_and_wait_range(inode->i_mapping, offset, top - 1); ++ if (rc < 0) ++ goto zero_range_exit; ++ } ++ + /* + * We zero the range through ioctl, so we need remove the page caches + * first, otherwise the data may be inconsistent with the server. +-- +2.43.0 + diff --git a/queue-6.1/crypto-qat-fix-unintentional-re-enabling-of-error-in.patch b/queue-6.1/crypto-qat-fix-unintentional-re-enabling-of-error-in.patch new file mode 100644 index 00000000000..1c81cad079d --- /dev/null +++ b/queue-6.1/crypto-qat-fix-unintentional-re-enabling-of-error-in.patch @@ -0,0 +1,65 @@ +From d14c0a1cffd58ee449911cd7a2688ad30c854904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 15:41:19 +0100 +Subject: crypto: qat - fix unintentional re-enabling of error interrupts + +From: Hareshx Sankar Raj + +[ Upstream commit f0622894c59458fceb33c4197462bc2006f3fc6b ] + +The logic that detects pending VF2PF interrupts unintentionally clears +the section of the error mask register(s) not related to VF2PF. +This might cause interrupts unrelated to VF2PF, reported through +errsou3 and errsou5, to be reported again after the execution +of the function disable_pending_vf2pf_interrupts() in dh895xcc +and GEN2 devices. + +Fix by updating only section of errmsk3 and errmsk5 related to VF2PF. + +Signed-off-by: Hareshx Sankar Raj +Reviewed-by: Damian Muszynski +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_gen2_pfvf.c | 4 +++- + drivers/crypto/qat/qat_dh895xcc/adf_dh895xcc_hw_data.c | 8 ++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_gen2_pfvf.c b/drivers/crypto/qat/qat_common/adf_gen2_pfvf.c +index 70ef11963938..43af81fcab86 100644 +--- a/drivers/crypto/qat/qat_common/adf_gen2_pfvf.c ++++ b/drivers/crypto/qat/qat_common/adf_gen2_pfvf.c +@@ -100,7 +100,9 @@ static u32 adf_gen2_disable_pending_vf2pf_interrupts(void __iomem *pmisc_addr) + errmsk3 |= ADF_GEN2_ERR_MSK_VF2PF(ADF_GEN2_VF_MSK); + ADF_CSR_WR(pmisc_addr, ADF_GEN2_ERRMSK3, errmsk3); + +- errmsk3 &= ADF_GEN2_ERR_MSK_VF2PF(sources | disabled); ++ /* Update only section of errmsk3 related to VF2PF */ ++ errmsk3 &= ~ADF_GEN2_ERR_MSK_VF2PF(ADF_GEN2_VF_MSK); ++ errmsk3 |= ADF_GEN2_ERR_MSK_VF2PF(sources | disabled); + ADF_CSR_WR(pmisc_addr, ADF_GEN2_ERRMSK3, errmsk3); + + /* Return the sources of the (new) interrupt(s) */ +diff --git a/drivers/crypto/qat/qat_dh895xcc/adf_dh895xcc_hw_data.c b/drivers/crypto/qat/qat_dh895xcc/adf_dh895xcc_hw_data.c +index cb3bdd3618fb..85295c7ee0e0 100644 +--- a/drivers/crypto/qat/qat_dh895xcc/adf_dh895xcc_hw_data.c ++++ b/drivers/crypto/qat/qat_dh895xcc/adf_dh895xcc_hw_data.c +@@ -180,8 +180,12 @@ static u32 disable_pending_vf2pf_interrupts(void __iomem *pmisc_addr) + ADF_CSR_WR(pmisc_addr, ADF_GEN2_ERRMSK3, errmsk3); + ADF_CSR_WR(pmisc_addr, ADF_GEN2_ERRMSK5, errmsk5); + +- errmsk3 &= ADF_DH895XCC_ERR_MSK_VF2PF_L(sources | disabled); +- errmsk5 &= ADF_DH895XCC_ERR_MSK_VF2PF_U(sources | disabled); ++ /* Update only section of errmsk3 and errmsk5 related to VF2PF */ ++ errmsk3 &= ~ADF_DH895XCC_ERR_MSK_VF2PF_L(ADF_DH895XCC_VF_MSK); ++ errmsk5 &= ~ADF_DH895XCC_ERR_MSK_VF2PF_U(ADF_DH895XCC_VF_MSK); ++ ++ errmsk3 |= ADF_DH895XCC_ERR_MSK_VF2PF_L(sources | disabled); ++ errmsk5 |= ADF_DH895XCC_ERR_MSK_VF2PF_U(sources | disabled); + ADF_CSR_WR(pmisc_addr, ADF_GEN2_ERRMSK3, errmsk3); + ADF_CSR_WR(pmisc_addr, ADF_GEN2_ERRMSK5, errmsk5); + +-- +2.43.0 + diff --git a/queue-6.1/devres-initialize-an-uninitialized-struct-member.patch b/queue-6.1/devres-initialize-an-uninitialized-struct-member.patch new file mode 100644 index 00000000000..7e1dc9a4acf --- /dev/null +++ b/queue-6.1/devres-initialize-an-uninitialized-struct-member.patch @@ -0,0 +1,35 @@ +From 46dad5fcbca09925400863701f6e131645326d56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 22:51:52 +0800 +Subject: devres: Initialize an uninitialized struct member + +From: Zijun Hu + +[ Upstream commit 56a20ad349b5c51909cf8810f7c79b288864ad33 ] + +Initialize an uninitialized struct member for driver API +devres_open_group(). + +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/1719931914-19035-4-git-send-email-quic_zijuhu@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/devres.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/base/devres.c b/drivers/base/devres.c +index f9add2ecdc55..35d1e2864696 100644 +--- a/drivers/base/devres.c ++++ b/drivers/base/devres.c +@@ -564,6 +564,7 @@ void * devres_open_group(struct device *dev, void *id, gfp_t gfp) + grp->id = grp; + if (id) + grp->id = id; ++ grp->color = 0; + + spin_lock_irqsave(&dev->devres_lock, flags); + add_dr(dev, &grp->node[0]); +-- +2.43.0 + diff --git a/queue-6.1/dm-init-handle-minors-larger-than-255.patch b/queue-6.1/dm-init-handle-minors-larger-than-255.patch new file mode 100644 index 00000000000..dbad1808bd4 --- /dev/null +++ b/queue-6.1/dm-init-handle-minors-larger-than-255.patch @@ -0,0 +1,43 @@ +From 06e890d546576e4e546ead83e6aea10bf667c076 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 12:13:24 +0200 +Subject: dm init: Handle minors larger than 255 + +From: Benjamin Marzinski + +[ Upstream commit 140ce37fd78a629105377e17842465258a5459ef ] + +dm_parse_device_entry() simply copies the minor number into dmi.dev, but +the dev_t format splits the minor number between the lowest 8 bytes and +highest 12 bytes. If the minor number is larger than 255, part of it +will end up getting treated as the major number + +Fix this by checking that the minor number is valid and then encoding it +as a dev_t. + +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c +index dc4381d68313..6e9e73a55874 100644 +--- a/drivers/md/dm-init.c ++++ b/drivers/md/dm-init.c +@@ -213,8 +213,10 @@ static char __init *dm_parse_device_entry(struct dm_device *dev, char *str) + strscpy(dev->dmi.uuid, field[1], sizeof(dev->dmi.uuid)); + /* minor */ + if (strlen(field[2])) { +- if (kstrtoull(field[2], 0, &dev->dmi.dev)) ++ if (kstrtoull(field[2], 0, &dev->dmi.dev) || ++ dev->dmi.dev >= (1 << MINORBITS)) + return ERR_PTR(-EINVAL); ++ dev->dmi.dev = huge_encode_dev((dev_t)dev->dmi.dev); + dev->dmi.flags |= DM_PERSISTENT_DEV_FLAG; + } + /* flags */ +-- +2.43.0 + diff --git a/queue-6.1/dma-mapping-benchmark-don-t-starve-others-when-doing.patch b/queue-6.1/dma-mapping-benchmark-don-t-starve-others-when-doing.patch new file mode 100644 index 00000000000..74eb7019d3c --- /dev/null +++ b/queue-6.1/dma-mapping-benchmark-don-t-starve-others-when-doing.patch @@ -0,0 +1,110 @@ +From cb92224b3c6f588338adb06e15752549dcb27d93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 17:28:55 +0800 +Subject: dma-mapping: benchmark: Don't starve others when doing the test + +From: Yicong Yang + +[ Upstream commit 54624acf8843375a6de3717ac18df3b5104c39c5 ] + +The test thread will start N benchmark kthreads and then schedule out +until the test time finished and notify the benchmark kthreads to stop. +The benchmark kthreads will keep running until notified to stop. +There's a problem with current implementation when the benchmark +kthreads number is equal to the CPUs on a non-preemptible kernel: +since the scheduler will balance the kthreads across the CPUs and +when the test time's out the test thread won't get a chance to be +scheduled on any CPU then cannot notify the benchmark kthreads to stop. + +This can be easily reproduced on a VM (simulated with 16 CPUs) with +PREEMPT_VOLUNTARY: +estuary:/mnt$ ./dma_map_benchmark -t 16 -s 1 + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 10-...!: (5221 ticks this GP) idle=ed24/1/0x4000000000000000 softirq=142/142 fqs=0 + rcu: (t=5254 jiffies g=-559 q=45 ncpus=16) + rcu: rcu_sched kthread starved for 5255 jiffies! g-559 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=12 + rcu: Unless rcu_sched kthread gets sufficient CPU time, OOM is now expected behavior. + rcu: RCU grace-period kthread stack dump: + task:rcu_sched state:R running task stack:0 pid:16 tgid:16 ppid:2 flags:0x00000008 + Call trace + __switch_to+0xec/0x138 + __schedule+0x2f8/0x1080 + schedule+0x30/0x130 + schedule_timeout+0xa0/0x188 + rcu_gp_fqs_loop+0x128/0x528 + rcu_gp_kthread+0x1c8/0x208 + kthread+0xec/0xf8 + ret_from_fork+0x10/0x20 + Sending NMI from CPU 10 to CPUs 0: + NMI backtrace for cpu 0 + CPU: 0 PID: 332 Comm: dma-map-benchma Not tainted 6.10.0-rc1-vanilla-LSE #8 + Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 + pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : arm_smmu_cmdq_issue_cmdlist+0x218/0x730 + lr : arm_smmu_cmdq_issue_cmdlist+0x488/0x730 + sp : ffff80008748b630 + x29: ffff80008748b630 x28: 0000000000000000 x27: ffff80008748b780 + x26: 0000000000000000 x25: 000000000000bc70 x24: 000000000001bc70 + x23: ffff0000c12af080 x22: 0000000000010000 x21: 000000000000ffff + x20: ffff80008748b700 x19: ffff0000c12af0c0 x18: 0000000000010000 + x17: 0000000000000001 x16: 0000000000000040 x15: ffffffffffffffff + x14: 0001ffffffffffff x13: 000000000000ffff x12: 00000000000002f1 + x11: 000000000001ffff x10: 0000000000000031 x9 : ffff800080b6b0b8 + x8 : ffff0000c2a48000 x7 : 000000000001bc71 x6 : 0001800000000000 + x5 : 00000000000002f1 x4 : 01ffffffffffffff x3 : 000000000009aaf1 + x2 : 0000000000000018 x1 : 000000000000000f x0 : ffff0000c12af18c + Call trace: + arm_smmu_cmdq_issue_cmdlist+0x218/0x730 + __arm_smmu_tlb_inv_range+0xe0/0x1a8 + arm_smmu_iotlb_sync+0xc0/0x128 + __iommu_dma_unmap+0x248/0x320 + iommu_dma_unmap_page+0x5c/0xe8 + dma_unmap_page_attrs+0x38/0x1d0 + map_benchmark_thread+0x118/0x2c0 + kthread+0xec/0xf8 + ret_from_fork+0x10/0x20 + +Solve this by adding scheduling point in the kthread loop, +so if there're other threads in the system they may have +a chance to run, especially the thread to notify the test +end. However this may degrade the test concurrency so it's +recommended to run this on an idle system. + +Signed-off-by: Yicong Yang +Acked-by: Barry Song +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/map_benchmark.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/kernel/dma/map_benchmark.c b/kernel/dma/map_benchmark.c +index dafdc47ae5fc..3efdc5cfe390 100644 +--- a/kernel/dma/map_benchmark.c ++++ b/kernel/dma/map_benchmark.c +@@ -89,6 +89,22 @@ static int map_benchmark_thread(void *data) + atomic64_add(map_sq, &map->sum_sq_map); + atomic64_add(unmap_sq, &map->sum_sq_unmap); + atomic64_inc(&map->loops); ++ ++ /* ++ * We may test for a long time so periodically check whether ++ * we need to schedule to avoid starving the others. Otherwise ++ * we may hangup the kernel in a non-preemptible kernel when ++ * the test kthreads number >= CPU number, the test kthreads ++ * will run endless on every CPU since the thread resposible ++ * for notifying the kthread stop (in do_map_benchmark()) ++ * could not be scheduled. ++ * ++ * Note this may degrade the test concurrency since the test ++ * threads may need to share the CPU time with other load ++ * in the system. So it's recommended to run this benchmark ++ * on an idle system. ++ */ ++ cond_resched(); + } + + out: +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-check-denominator-pbn_div-before-use.patch b/queue-6.1/drm-amd-display-check-denominator-pbn_div-before-use.patch new file mode 100644 index 00000000000..ba5691f82ca --- /dev/null +++ b/queue-6.1/drm-amd-display-check-denominator-pbn_div-before-use.patch @@ -0,0 +1,40 @@ +From ea84ace9571d5e4721ba7f3331d421dc8004e6c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jun 2024 16:21:20 -0600 +Subject: drm/amd/display: Check denominator pbn_div before used + +From: Alex Hung + +[ Upstream commit 116a678f3a9abc24f5c9d2525b7393d18d9eb58e ] + +[WHAT & HOW] +A denominator cannot be 0, and is checked before used. + +This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity. + +Reviewed-by: Harry Wentland +Signed-off-by: Jerry Zuo +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 0be1a1149a3f..393e32259a77 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -6767,7 +6767,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state, + } + } + +- if (j == dc_state->stream_count) ++ if (j == dc_state->stream_count || pbn_div == 0) + continue; + + slot_num = DIV_ROUND_UP(pbn, pbn_div); +-- +2.43.0 + diff --git a/queue-6.1/drm-amd-display-check-hdcp-returned-status.patch b/queue-6.1/drm-amd-display-check-hdcp-returned-status.patch new file mode 100644 index 00000000000..6ed555563be --- /dev/null +++ b/queue-6.1/drm-amd-display-check-hdcp-returned-status.patch @@ -0,0 +1,57 @@ +From a34c726a9349aafdd0f70328aaca9d508b9b20b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2024 10:36:49 -0600 +Subject: drm/amd/display: Check HDCP returned status + +From: Alex Hung + +[ Upstream commit 5d93060d430b359e16e7c555c8f151ead1ac614b ] + +[WHAT & HOW] +Check mod_hdcp_execute_and_set() return values in authenticated_dp. + +This fixes 3 CHECKED_RETURN issues reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/modules/hdcp/hdcp1_execution.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c +index 1ddb4f5eac8e..93c0455766dd 100644 +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c +@@ -433,17 +433,20 @@ static enum mod_hdcp_status authenticated_dp(struct mod_hdcp *hdcp, + } + + if (status == MOD_HDCP_STATUS_SUCCESS) +- mod_hdcp_execute_and_set(mod_hdcp_read_bstatus, ++ if (!mod_hdcp_execute_and_set(mod_hdcp_read_bstatus, + &input->bstatus_read, &status, +- hdcp, "bstatus_read"); ++ hdcp, "bstatus_read")) ++ goto out; + if (status == MOD_HDCP_STATUS_SUCCESS) +- mod_hdcp_execute_and_set(check_link_integrity_dp, ++ if (!mod_hdcp_execute_and_set(check_link_integrity_dp, + &input->link_integrity_check, &status, +- hdcp, "link_integrity_check"); ++ hdcp, "link_integrity_check")) ++ goto out; + if (status == MOD_HDCP_STATUS_SUCCESS) +- mod_hdcp_execute_and_set(check_no_reauthentication_request_dp, ++ if (!mod_hdcp_execute_and_set(check_no_reauthentication_request_dp, + &input->reauth_request_check, &status, +- hdcp, "reauth_request_check"); ++ hdcp, "reauth_request_check")) ++ goto out; + out: + return status; + } +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch b/queue-6.1/drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch new file mode 100644 index 00000000000..77d3609f235 --- /dev/null +++ b/queue-6.1/drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch @@ -0,0 +1,40 @@ +From 40f7ee9bcc8477735c754a95285ff72b01926c7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Jun 2024 16:36:27 -0400 +Subject: drm/amdgpu: check for LINEAR_ALIGNED correctly in + check_tiling_flags_gfx6 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Olšák + +[ Upstream commit 11317d2963fa79767cd7c6231a00a9d77f2e0f54 ] + +Fix incorrect check. + +Signed-off-by: Marek Olšák +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +index aabde6ebb190..ac773b191071 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -873,8 +873,7 @@ static int check_tiling_flags_gfx6(struct amdgpu_framebuffer *afb) + { + u64 micro_tile_mode; + +- /* Zero swizzle mode means linear */ +- if (AMDGPU_TILING_GET(afb->tiling_flags, SWIZZLE_MODE) == 0) ++ if (AMDGPU_TILING_GET(afb->tiling_flags, ARRAY_MODE) == 1) /* LINEAR_ALIGNED */ + return 0; + + micro_tile_mode = AMDGPU_TILING_GET(afb->tiling_flags, MICRO_TILE_MODE); +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-clear-rb_overflow-bit-when-enabling-inter.patch b/queue-6.1/drm-amdgpu-clear-rb_overflow-bit-when-enabling-inter.patch new file mode 100644 index 00000000000..16b33b69ddb --- /dev/null +++ b/queue-6.1/drm-amdgpu-clear-rb_overflow-bit-when-enabling-inter.patch @@ -0,0 +1,72 @@ +From f5d6096f092626a49e17291001a596b5d1d7f0b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 07:58:24 +0200 +Subject: drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Danijel Slivka + +[ Upstream commit afbf7955ff01e952dbdd465fa25a2ba92d00291c ] + +Why: +Setting IH_RB_WPTR register to 0 will not clear the RB_OVERFLOW bit +if RB_ENABLE is not set. + +How to fix: +Set WPTR_OVERFLOW_CLEAR bit after RB_ENABLE bit is set. +The RB_ENABLE bit is required to be set, together with +WPTR_OVERFLOW_ENABLE bit so that setting WPTR_OVERFLOW_CLEAR bit +would clear the RB_OVERFLOW. + +Signed-off-by: Danijel Slivka +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/ih_v6_0.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/ih_v6_0.c b/drivers/gpu/drm/amd/amdgpu/ih_v6_0.c +index 657e4ca6f9dd..fccbec438bbe 100644 +--- a/drivers/gpu/drm/amd/amdgpu/ih_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/ih_v6_0.c +@@ -135,6 +135,34 @@ static int ih_v6_0_toggle_ring_interrupts(struct amdgpu_device *adev, + + tmp = RREG32(ih_regs->ih_rb_cntl); + tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, RB_ENABLE, (enable ? 1 : 0)); ++ ++ if (enable) { ++ /* Unset the CLEAR_OVERFLOW bit to make sure the next step ++ * is switching the bit from 0 to 1 ++ */ ++ tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 0); ++ if (amdgpu_sriov_vf(adev) && amdgpu_sriov_reg_indirect_ih(adev)) { ++ if (psp_reg_program(&adev->psp, ih_regs->psp_reg_id, tmp)) ++ return -ETIMEDOUT; ++ } else { ++ WREG32_NO_KIQ(ih_regs->ih_rb_cntl, tmp); ++ } ++ ++ /* Clear RB_OVERFLOW bit */ ++ tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 1); ++ if (amdgpu_sriov_vf(adev) && amdgpu_sriov_reg_indirect_ih(adev)) { ++ if (psp_reg_program(&adev->psp, ih_regs->psp_reg_id, tmp)) ++ return -ETIMEDOUT; ++ } else { ++ WREG32_NO_KIQ(ih_regs->ih_rb_cntl, tmp); ++ } ++ ++ /* Unset the CLEAR_OVERFLOW bit immediately so new overflows ++ * can be detected. ++ */ ++ tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 0); ++ } ++ + /* enable_intr field is only valid in ring0 */ + if (ih == &adev->irq.ih) + tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, ENABLE_INTR, (enable ? 1 : 0)); +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-fix-smatch-static-checker-warning.patch b/queue-6.1/drm-amdgpu-fix-smatch-static-checker-warning.patch new file mode 100644 index 00000000000..feedfccf1f3 --- /dev/null +++ b/queue-6.1/drm-amdgpu-fix-smatch-static-checker-warning.patch @@ -0,0 +1,42 @@ +From 1f2f878e9ff40b32d07dbb5da3ccb8c1120c0aa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 17:53:30 +0800 +Subject: drm/amdgpu: Fix smatch static checker warning + +From: Hawking Zhang + +[ Upstream commit bdbdc7cecd00305dc844a361f9883d3a21022027 ] + +adev->gfx.imu.funcs could be NULL + +Signed-off-by: Hawking Zhang +Reviewed-by: Likun Gao +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index 1f9f7fdd4b8e..c76895cca4d9 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -4330,11 +4330,11 @@ static int gfx_v11_0_hw_init(void *handle) + /* RLC autoload sequence 1: Program rlc ram */ + if (adev->gfx.imu.funcs->program_rlc_ram) + adev->gfx.imu.funcs->program_rlc_ram(adev); ++ /* rlc autoload firmware */ ++ r = gfx_v11_0_rlc_backdoor_autoload_enable(adev); ++ if (r) ++ return r; + } +- /* rlc autoload firmware */ +- r = gfx_v11_0_rlc_backdoor_autoload_enable(adev); +- if (r) +- return r; + } else { + if (adev->firmware.load_type == AMDGPU_FW_LOAD_DIRECT) { + if (adev->gfx.imu.funcs && (amdgpu_dpm > 0)) { +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch b/queue-6.1/drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch new file mode 100644 index 00000000000..d72eb5add62 --- /dev/null +++ b/queue-6.1/drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch @@ -0,0 +1,46 @@ +From 41f823867c964e1aeb925eb7409d2a1a046bacbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2024 15:06:23 +0800 +Subject: drm/amdgpu: Set no_hw_access when VF request full GPU fails + +From: Yifan Zha + +[ Upstream commit 33f23fc3155b13c4a96d94a0a22dc26db767440b ] + +[Why] +If VF request full GPU access and the request failed, +the VF driver can get stuck accessing registers for an extended period during +the unload of KMS. + +[How] +Set no_hw_access flag when VF request for full GPU access fails +This prevents further hardware access attempts, avoiding the prolonged +stuck state. + +Signed-off-by: Yifan Zha +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +index af50e6ce39e1..d7b76a3d2d55 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +@@ -132,8 +132,10 @@ int amdgpu_virt_request_full_gpu(struct amdgpu_device *adev, bool init) + + if (virt->ops && virt->ops->req_full_gpu) { + r = virt->ops->req_full_gpu(adev, init); +- if (r) ++ if (r) { ++ adev->no_hw_access = true; + return r; ++ } + + adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME; + } +-- +2.43.0 + diff --git a/queue-6.1/elf-fix-kernel.randomize_va_space-double-read.patch b/queue-6.1/elf-fix-kernel.randomize_va_space-double-read.patch new file mode 100644 index 00000000000..f097a60eb3d --- /dev/null +++ b/queue-6.1/elf-fix-kernel.randomize_va_space-double-read.patch @@ -0,0 +1,49 @@ +From de6ac83db9c5435853234bf6eb27228b73c847ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 21:54:50 +0300 +Subject: ELF: fix kernel.randomize_va_space double read + +From: Alexey Dobriyan + +[ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ] + +ELF loader uses "randomize_va_space" twice. It is sysctl and can change +at any moment, so 2 loads could see 2 different values in theory with +unpredictable consequences. + +Issue exactly one load for consistent value across one exec. + +Signed-off-by: Alexey Dobriyan +Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183 +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index e6c9c0e08448..89e7e4826efc 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -1009,7 +1009,8 @@ static int load_elf_binary(struct linux_binprm *bprm) + if (elf_read_implies_exec(*elf_ex, executable_stack)) + current->personality |= READ_IMPLIES_EXEC; + +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) ++ const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); ++ if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) + current->flags |= PF_RANDOMIZE; + + setup_new_exec(bprm); +@@ -1301,7 +1302,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + mm->end_data = end_data; + mm->start_stack = bprm->p; + +- if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { ++ if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { + /* + * For architectures with ELF randomization, when executing + * a loader directly (i.e. no interpreter listed in ELF +-- +2.43.0 + diff --git a/queue-6.1/ext4-fix-possible-tid_t-sequence-overflows.patch b/queue-6.1/ext4-fix-possible-tid_t-sequence-overflows.patch new file mode 100644 index 00000000000..7806eafa4db --- /dev/null +++ b/queue-6.1/ext4-fix-possible-tid_t-sequence-overflows.patch @@ -0,0 +1,67 @@ +From 9fa647eafdaf671606c20fb3378983ac56efd554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 10:20:30 +0100 +Subject: ext4: fix possible tid_t sequence overflows + +From: Luis Henriques (SUSE) + +[ Upstream commit 63469662cc45d41705f14b4648481d5d29cf5999 ] + +In the fast commit code there are a few places where tid_t variables are +being compared without taking into account the fact that these sequence +numbers may wrap. Fix this issue by using the helper functions tid_gt() +and tid_geq(). + +Signed-off-by: Luis Henriques (SUSE) +Reviewed-by: Jan Kara +Reviewed-by: Harshad Shirwadkar +Link: https://patch.msgid.link/20240529092030.9557-3-luis.henriques@linux.dev +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/fast_commit.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c +index 19353a2f44bb..2ef773d40ffd 100644 +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -353,7 +353,7 @@ void ext4_fc_mark_ineligible(struct super_block *sb, int reason, handle_t *handl + read_unlock(&sbi->s_journal->j_state_lock); + } + spin_lock(&sbi->s_fc_lock); +- if (sbi->s_fc_ineligible_tid < tid) ++ if (tid_gt(tid, sbi->s_fc_ineligible_tid)) + sbi->s_fc_ineligible_tid = tid; + spin_unlock(&sbi->s_fc_lock); + WARN_ON(reason >= EXT4_FC_REASON_MAX); +@@ -1235,7 +1235,7 @@ int ext4_fc_commit(journal_t *journal, tid_t commit_tid) + if (ret == -EALREADY) { + /* There was an ongoing commit, check if we need to restart */ + if (atomic_read(&sbi->s_fc_subtid) <= subtid && +- commit_tid > journal->j_commit_sequence) ++ tid_gt(commit_tid, journal->j_commit_sequence)) + goto restart_fc; + ext4_fc_update_stats(sb, EXT4_FC_STATUS_SKIPPED, 0, 0, + commit_tid); +@@ -1310,7 +1310,7 @@ static void ext4_fc_cleanup(journal_t *journal, int full, tid_t tid) + list_del_init(&iter->i_fc_list); + ext4_clear_inode_state(&iter->vfs_inode, + EXT4_STATE_FC_COMMITTING); +- if (iter->i_sync_tid <= tid) ++ if (tid_geq(tid, iter->i_sync_tid)) + ext4_fc_reset_inode(&iter->vfs_inode); + /* Make sure EXT4_STATE_FC_COMMITTING bit is clear */ + smp_mb(); +@@ -1341,7 +1341,7 @@ static void ext4_fc_cleanup(journal_t *journal, int full, tid_t tid) + list_splice_init(&sbi->s_fc_q[FC_Q_STAGING], + &sbi->s_fc_q[FC_Q_MAIN]); + +- if (tid >= sbi->s_fc_ineligible_tid) { ++ if (tid_geq(tid, sbi->s_fc_ineligible_tid)) { + sbi->s_fc_ineligible_tid = 0; + ext4_clear_mount_flag(sb, EXT4_MF_FC_INELIGIBLE); + } +-- +2.43.0 + diff --git a/queue-6.1/firmware-cs_dsp-don-t-allow-writes-to-read-only-cont.patch b/queue-6.1/firmware-cs_dsp-don-t-allow-writes-to-read-only-cont.patch new file mode 100644 index 00000000000..0e729aa107b --- /dev/null +++ b/queue-6.1/firmware-cs_dsp-don-t-allow-writes-to-read-only-cont.patch @@ -0,0 +1,48 @@ +From c6decd8557f7c17d7eccd0c1a59bcdc3b15788ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 12:08:09 +0100 +Subject: firmware: cs_dsp: Don't allow writes to read-only controls + +From: Richard Fitzgerald + +[ Upstream commit 62412a9357b16a4e39dc582deb2e2a682b92524c ] + +Add a check to cs_dsp_coeff_write_ctrl() to abort if the control +is not writeable. + +The cs_dsp code originated as an ASoC driver (wm_adsp) where all +controls were exported as ALSA controls. It relied on ALSA to +enforce the read-only permission. Now that the code has been +separated from ALSA/ASoC it must perform its own permission check. + +This isn't currently causing any problems so there shouldn't be any +need to backport this. If the client of cs_dsp exposes the control as +an ALSA control, it should set permissions on that ALSA control to +protect it. The few uses of cs_dsp_coeff_write_ctrl() inside drivers +are for writable controls. + +Signed-off-by: Richard Fitzgerald +Link: https://patch.msgid.link/20240702110809.16836-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index 68005cce0136..cf4f4da0cb87 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -764,6 +764,9 @@ int cs_dsp_coeff_write_ctrl(struct cs_dsp_coeff_ctl *ctl, + + lockdep_assert_held(&ctl->dsp->pwr_lock); + ++ if (ctl->flags && !(ctl->flags & WMFW_CTL_FLAG_WRITEABLE)) ++ return -EPERM; ++ + if (len + off * sizeof(u32) > ctl->len) + return -EINVAL; + +-- +2.43.0 + diff --git a/queue-6.1/fou-fix-null-ptr-deref-in-gro.patch b/queue-6.1/fou-fix-null-ptr-deref-in-gro.patch new file mode 100644 index 00000000000..4babba944f1 --- /dev/null +++ b/queue-6.1/fou-fix-null-ptr-deref-in-gro.patch @@ -0,0 +1,172 @@ +From ed70df7c9b10f49b55ccde0c1124ab62318bce63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 10:39:27 -0700 +Subject: fou: Fix null-ptr-deref in GRO. + +From: Kuniyuki Iwashima + +[ Upstream commit 7e4196935069947d8b70b09c1660b67b067e75cb ] + +We observed a null-ptr-deref in fou_gro_receive() while shutting down +a host. [0] + +The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol +in struct fou. + +When fou_release() is called due to netns dismantle or explicit tunnel +teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. +Then, the tunnel socket is destroyed after a single RCU grace period. + +So, in-flight udp4_gro_receive() could find the socket and execute the +FOU GRO handler, where sk->sk_user_data could be NULL. + +Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL +checks in FOU GRO handlers. + +[0]: +BUG: kernel NULL pointer dereference, address: 0000000000000008 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 +SMP PTI +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 +Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 +RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] +Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 +RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 +RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 +RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 +RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 +R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 +R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 +FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) + ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) + ? no_context (arch/x86/mm/fault.c:752) + ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) + ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) + ? fou_gro_receive (net/ipv4/fou.c:233) [fou] + udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) + udp4_gro_receive (net/ipv4/udp_offload.c:604) + inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) + dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) + napi_gro_receive (net/core/dev.c:6170) + ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] + ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] + napi_poll (net/core/dev.c:6847) + net_rx_action (net/core/dev.c:6917) + __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) + asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) + + do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) + irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) + common_interrupt (arch/x86/kernel/irq.c:239) + asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) +RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) +Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 +RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 +RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 +RDX: ffff93daee800000 RSI: ffff93daee87dc00 RDI: ffff93daee87dc64 +RBP: 0000000000000001 R08: ffffffffb5e7b6c0 R09: 0000000000000044 +R10: ffff93daee831b04 R11: 00000000000001cd R12: 0000000000000001 +R13: ffffffffb5e7b740 R14: 0000000000000001 R15: 0000000000000000 + ? sched_clock_cpu (kernel/sched/clock.c:371) + acpi_idle_enter (drivers/acpi/processor_idle.c:712 (discriminator 3)) + cpuidle_enter_state (drivers/cpuidle/cpuidle.c:237) + cpuidle_enter (drivers/cpuidle/cpuidle.c:353) + cpuidle_idle_call (kernel/sched/idle.c:158 kernel/sched/idle.c:239) + do_idle (kernel/sched/idle.c:302) + cpu_startup_entry (kernel/sched/idle.c:395 (discriminator 1)) + start_kernel (init/main.c:1048) + secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:310) +Modules linked in: udp_diag tcp_diag inet_diag nft_nat ipip tunnel4 dummy fou ip_tunnel nft_masq nft_chain_nat nf_nat wireguard nft_ct curve25519_x86_64 libcurve25519_generic nf_conntrack libchacha20poly1305 nf_defrag_ipv6 nf_defrag_ipv4 nft_objref chacha_x86_64 nft_counter nf_tables nfnetlink poly1305_x86_64 ip6_udp_tunnel udp_tunnel libchacha crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper mousedev psmouse button ena ptp pps_core crc32c_intel +CR2: 0000000000000008 + +Fixes: d92283e338f6 ("fou: change to use UDP socket GRO") +Reported-by: Alphonse Kurian +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20240902173927.62706-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/fou.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index 358bff068eef..7bcc933103e2 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -48,7 +48,7 @@ struct fou_net { + + static inline struct fou *fou_from_sock(struct sock *sk) + { +- return sk->sk_user_data; ++ return rcu_dereference_sk_user_data(sk); + } + + static int fou_recv_pull(struct sk_buff *skb, struct fou *fou, size_t len) +@@ -231,9 +231,15 @@ static struct sk_buff *fou_gro_receive(struct sock *sk, + struct sk_buff *skb) + { + const struct net_offload __rcu **offloads; +- u8 proto = fou_from_sock(sk)->protocol; ++ struct fou *fou = fou_from_sock(sk); + const struct net_offload *ops; + struct sk_buff *pp = NULL; ++ u8 proto; ++ ++ if (!fou) ++ goto out; ++ ++ proto = fou->protocol; + + /* We can clear the encap_mark for FOU as we are essentially doing + * one of two possible things. We are either adding an L4 tunnel +@@ -261,14 +267,24 @@ static int fou_gro_complete(struct sock *sk, struct sk_buff *skb, + int nhoff) + { + const struct net_offload __rcu **offloads; +- u8 proto = fou_from_sock(sk)->protocol; ++ struct fou *fou = fou_from_sock(sk); + const struct net_offload *ops; +- int err = -ENOSYS; ++ u8 proto; ++ int err; ++ ++ if (!fou) { ++ err = -ENOENT; ++ goto out; ++ } ++ ++ proto = fou->protocol; + + offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads; + ops = rcu_dereference(offloads[proto]); +- if (WARN_ON(!ops || !ops->callbacks.gro_complete)) ++ if (WARN_ON(!ops || !ops->callbacks.gro_complete)) { ++ err = -ENOSYS; + goto out; ++ } + + err = ops->callbacks.gro_complete(skb, nhoff); + +@@ -318,6 +334,9 @@ static struct sk_buff *gue_gro_receive(struct sock *sk, + struct gro_remcsum grc; + u8 proto; + ++ if (!fou) ++ goto out; ++ + skb_gro_remcsum_init(&grc); + + off = skb_gro_offset(skb); +-- +2.43.0 + diff --git a/queue-6.1/fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch b/queue-6.1/fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch new file mode 100644 index 00000000000..03819f896c5 --- /dev/null +++ b/queue-6.1/fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch @@ -0,0 +1,162 @@ +From 0b66c2d331806e9a53a575dad5d0e650b79f42ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 14:53:57 +0300 +Subject: fs/ntfs3: Check more cases when directory is corrupted + +From: Konstantin Komarov + +[ Upstream commit 744375343662058cbfda96d871786e5a5cbe1947 ] + +Mark ntfs dirty in this case. +Rename ntfs_filldir to ntfs_dir_emit. + +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/dir.c | 52 +++++++++++++++++++++++++++++++------------------- + 1 file changed, 32 insertions(+), 20 deletions(-) + +diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c +index dcd689ed4baa..a4ab0164d150 100644 +--- a/fs/ntfs3/dir.c ++++ b/fs/ntfs3/dir.c +@@ -272,9 +272,12 @@ struct inode *dir_search_u(struct inode *dir, const struct cpu_str *uni, + return err == -ENOENT ? NULL : err ? ERR_PTR(err) : inode; + } + +-static inline int ntfs_filldir(struct ntfs_sb_info *sbi, struct ntfs_inode *ni, +- const struct NTFS_DE *e, u8 *name, +- struct dir_context *ctx) ++/* ++ * returns false if 'ctx' if full ++ */ ++static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi, ++ struct ntfs_inode *ni, const struct NTFS_DE *e, ++ u8 *name, struct dir_context *ctx) + { + const struct ATTR_FILE_NAME *fname; + unsigned long ino; +@@ -284,29 +287,29 @@ static inline int ntfs_filldir(struct ntfs_sb_info *sbi, struct ntfs_inode *ni, + fname = Add2Ptr(e, sizeof(struct NTFS_DE)); + + if (fname->type == FILE_NAME_DOS) +- return 0; ++ return true; + + if (!mi_is_ref(&ni->mi, &fname->home)) +- return 0; ++ return true; + + ino = ino_get(&e->ref); + + if (ino == MFT_REC_ROOT) +- return 0; ++ return true; + + /* Skip meta files. Unless option to show metafiles is set. */ + if (!sbi->options->showmeta && ntfs_is_meta_file(sbi, ino)) +- return 0; ++ return true; + + if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN)) +- return 0; ++ return true; + + name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name, + PATH_MAX); + if (name_len <= 0) { + ntfs_warn(sbi->sb, "failed to convert name for inode %lx.", + ino); +- return 0; ++ return true; + } + + /* +@@ -336,17 +339,20 @@ static inline int ntfs_filldir(struct ntfs_sb_info *sbi, struct ntfs_inode *ni, + } + } + +- return !dir_emit(ctx, (s8 *)name, name_len, ino, dt_type); ++ return dir_emit(ctx, (s8 *)name, name_len, ino, dt_type); + } + + /* + * ntfs_read_hdr - Helper function for ntfs_readdir(). ++ * ++ * returns 0 if ok. ++ * returns -EINVAL if directory is corrupted. ++ * returns +1 if 'ctx' is full. + */ + static int ntfs_read_hdr(struct ntfs_sb_info *sbi, struct ntfs_inode *ni, + const struct INDEX_HDR *hdr, u64 vbo, u64 pos, + u8 *name, struct dir_context *ctx) + { +- int err; + const struct NTFS_DE *e; + u32 e_size; + u32 end = le32_to_cpu(hdr->used); +@@ -354,12 +360,12 @@ static int ntfs_read_hdr(struct ntfs_sb_info *sbi, struct ntfs_inode *ni, + + for (;; off += e_size) { + if (off + sizeof(struct NTFS_DE) > end) +- return -1; ++ return -EINVAL; + + e = Add2Ptr(hdr, off); + e_size = le16_to_cpu(e->size); + if (e_size < sizeof(struct NTFS_DE) || off + e_size > end) +- return -1; ++ return -EINVAL; + + if (de_is_last(e)) + return 0; +@@ -369,14 +375,15 @@ static int ntfs_read_hdr(struct ntfs_sb_info *sbi, struct ntfs_inode *ni, + continue; + + if (le16_to_cpu(e->key_size) < SIZEOF_ATTRIBUTE_FILENAME) +- return -1; ++ return -EINVAL; + + ctx->pos = vbo + off; + + /* Submit the name to the filldir callback. */ +- err = ntfs_filldir(sbi, ni, e, name, ctx); +- if (err) +- return err; ++ if (!ntfs_dir_emit(sbi, ni, e, name, ctx)) { ++ /* ctx is full. */ ++ return +1; ++ } + } + } + +@@ -475,8 +482,6 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx) + + vbo = (u64)bit << index_bits; + if (vbo >= i_size) { +- ntfs_inode_err(dir, "Looks like your dir is corrupt"); +- ctx->pos = eod; + err = -EINVAL; + goto out; + } +@@ -499,9 +504,16 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx) + __putname(name); + put_indx_node(node); + +- if (err == -ENOENT) { ++ if (err == 1) { ++ /* 'ctx' is full. */ ++ err = 0; ++ } else if (err == -ENOENT) { + err = 0; + ctx->pos = pos; ++ } else if (err < 0) { ++ if (err == -EINVAL) ++ ntfs_inode_err(dir, "directory corrupted"); ++ ctx->pos = eod; + } + + return err; +-- +2.43.0 + diff --git a/queue-6.1/fs-ntfs3-one-more-reason-to-mark-inode-bad.patch b/queue-6.1/fs-ntfs3-one-more-reason-to-mark-inode-bad.patch new file mode 100644 index 00000000000..213ff412b95 --- /dev/null +++ b/queue-6.1/fs-ntfs3-one-more-reason-to-mark-inode-bad.patch @@ -0,0 +1,36 @@ +From f90a4dd8370c7a5eb3551d7eb848f696d1ea6463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 10:55:12 +0300 +Subject: fs/ntfs3: One more reason to mark inode bad + +From: Konstantin Komarov + +[ Upstream commit a0dde5d7a58b6bf9184ef3d8c6e62275c3645584 ] + +In addition to returning an error, mark the node as bad. + +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/frecord.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index 6cce71cc750e..7bfdc91fae1e 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -1601,8 +1601,10 @@ int ni_delete_all(struct ntfs_inode *ni) + asize = le32_to_cpu(attr->size); + roff = le16_to_cpu(attr->nres.run_off); + +- if (roff > asize) ++ if (roff > asize) { ++ _ntfs_bad_inode(&ni->vfs_inode); + return -EINVAL; ++ } + + /* run==1 means unpack and deallocate. */ + run_unpack_ex(RUN_DEALLOCATE, sbi, ni->mi.rno, svcn, evcn, svcn, +-- +2.43.0 + diff --git a/queue-6.1/hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch b/queue-6.1/hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch new file mode 100644 index 00000000000..5fbcc7b4f33 --- /dev/null +++ b/queue-6.1/hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch @@ -0,0 +1,311 @@ +From 9c8719a7c07136505b44b86792a69e5e61eaa57d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 10:44:35 +0200 +Subject: HID: amd_sfh: free driver_data after destroying hid device + +From: Olivier Sobrie + +[ Upstream commit 97155021ae17b86985121b33cf8098bcde00d497 ] + +HID driver callbacks aren't called anymore once hid_destroy_device() has +been called. Hence, hid driver_data should be freed only after the +hid_destroy_device() function returned as driver_data is used in several +callbacks. + +I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling +KASAN to debug memory allocation, I got this output: + + [ 13.050438] ================================================================== + [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] + [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 + [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 + + [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 + [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 + [ 13.067860] Call Trace: + [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 + [ 13.071486] + [ 13.071492] dump_stack_lvl+0x5d/0x80 + [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) + [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.082199] print_report+0x174/0x505 + [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 + [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.097464] kasan_report+0xc8/0x150 + [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] + [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] + [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] + [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 + [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 + [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] + [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.150446] ? __devm_add_action+0x167/0x1d0 + [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] + [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.161814] platform_probe+0xa2/0x150 + [ 13.165029] really_probe+0x1e3/0x8a0 + [ 13.168243] __driver_probe_device+0x18c/0x370 + [ 13.171500] driver_probe_device+0x4a/0x120 + [ 13.175000] __driver_attach+0x190/0x4a0 + [ 13.178521] ? __pfx___driver_attach+0x10/0x10 + [ 13.181771] bus_for_each_dev+0x106/0x180 + [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 + [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 + [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.194382] bus_add_driver+0x29e/0x4d0 + [ 13.197328] driver_register+0x1a5/0x360 + [ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] + [ 13.203362] do_one_initcall+0xa7/0x380 + [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 + [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.213211] ? kasan_unpoison+0x44/0x70 + [ 13.216688] do_init_module+0x238/0x750 + [ 13.219696] load_module+0x5011/0x6af0 + [ 13.223096] ? kasan_save_stack+0x30/0x50 + [ 13.226743] ? kasan_save_track+0x14/0x30 + [ 13.230080] ? kasan_save_free_info+0x3b/0x60 + [ 13.233323] ? poison_slab_object+0x109/0x180 + [ 13.236778] ? __pfx_load_module+0x10/0x10 + [ 13.239703] ? poison_slab_object+0x109/0x180 + [ 13.243070] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.245924] ? init_module_from_file+0x13d/0x150 + [ 13.248745] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.251503] ? init_module_from_file+0xdf/0x150 + [ 13.254198] init_module_from_file+0xdf/0x150 + [ 13.256826] ? __pfx_init_module_from_file+0x10/0x10 + [ 13.259428] ? kasan_save_track+0x14/0x30 + [ 13.261959] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.264471] ? kasan_save_free_info+0x3b/0x60 + [ 13.267026] ? poison_slab_object+0x109/0x180 + [ 13.269494] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.271949] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.274324] ? _raw_spin_lock+0x85/0xe0 + [ 13.276671] ? __pfx__raw_spin_lock+0x10/0x10 + [ 13.278963] ? __rseq_handle_notify_resume+0x1a6/0xad0 + [ 13.281193] idempotent_init_module+0x23b/0x650 + [ 13.283420] ? __pfx_idempotent_init_module+0x10/0x10 + [ 13.285619] ? __pfx___seccomp_filter+0x10/0x10 + [ 13.287714] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.289828] ? __fget_light+0x57/0x420 + [ 13.291870] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.293880] ? security_capable+0x74/0xb0 + [ 13.295820] __x64_sys_finit_module+0xbe/0x130 + [ 13.297874] do_syscall_64+0x82/0x190 + [ 13.299898] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.301905] ? irqtime_account_irq+0x3d/0x1f0 + [ 13.303877] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.305753] ? __irq_exit_rcu+0x4e/0x130 + [ 13.307577] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.309489] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [ 13.311371] RIP: 0033:0x7a21f96ade9d + [ 13.313234] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48 + [ 13.317051] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 + [ 13.319024] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d + [ 13.321100] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c + [ 13.323314] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0 + [ 13.325505] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000 + [ 13.327637] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530 + [ 13.329737] + + [ 13.333945] Allocated by task 139: + [ 13.336111] kasan_save_stack+0x30/0x50 + [ 13.336121] kasan_save_track+0x14/0x30 + [ 13.336125] __kasan_kmalloc+0xaa/0xb0 + [ 13.336129] amdtp_hid_probe+0xb1/0x440 [amd_sfh] + [ 13.336138] amd_sfh_hid_client_init+0xb8a/0x10f0 [amd_sfh] + [ 13.336144] sfh_init_work+0x47/0x120 [amd_sfh] + [ 13.336150] process_one_work+0x673/0xeb0 + [ 13.336155] worker_thread+0x795/0x1250 + [ 13.336160] kthread+0x290/0x350 + [ 13.336164] ret_from_fork+0x34/0x70 + [ 13.336169] ret_from_fork_asm+0x1a/0x30 + + [ 13.338175] Freed by task 139: + [ 13.340064] kasan_save_stack+0x30/0x50 + [ 13.340072] kasan_save_track+0x14/0x30 + [ 13.340076] kasan_save_free_info+0x3b/0x60 + [ 13.340081] poison_slab_object+0x109/0x180 + [ 13.340085] __kasan_slab_free+0x32/0x50 + [ 13.340089] kfree+0xe5/0x310 + [ 13.340094] amdtp_hid_remove+0xb2/0x160 [amd_sfh] + [ 13.340102] amd_sfh_hid_client_deinit+0x324/0x640 [amd_sfh] + [ 13.340107] amd_sfh_hid_client_init+0x94a/0x10f0 [amd_sfh] + [ 13.340113] sfh_init_work+0x47/0x120 [amd_sfh] + [ 13.340118] process_one_work+0x673/0xeb0 + [ 13.340123] worker_thread+0x795/0x1250 + [ 13.340127] kthread+0x290/0x350 + [ 13.340132] ret_from_fork+0x34/0x70 + [ 13.340136] ret_from_fork_asm+0x1a/0x30 + + [ 13.342482] The buggy address belongs to the object at ffff88813152f400 + which belongs to the cache kmalloc-64 of size 64 + [ 13.347357] The buggy address is located 8 bytes inside of + freed 64-byte region [ffff88813152f400, ffff88813152f440) + + [ 13.347367] The buggy address belongs to the physical page: + [ 13.355409] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13152f + [ 13.355416] anon flags: 0x2ffff8000000000(node=0|zone=2|lastcpupid=0x1ffff) + [ 13.355423] page_type: 0xffffefff(slab) + [ 13.355429] raw: 02ffff8000000000 ffff8881000428c0 ffffea0004c43a00 0000000000000005 + [ 13.355435] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000 + [ 13.355439] page dumped because: kasan: bad access detected + + [ 13.357295] Memory state around the buggy address: + [ 13.357299] ffff88813152f300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + [ 13.357303] ffff88813152f380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + [ 13.357306] >ffff88813152f400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + [ 13.357309] ^ + [ 13.357311] ffff88813152f480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc + [ 13.357315] ffff88813152f500: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc + [ 13.357318] ================================================================== + [ 13.357405] Disabling lock debugging due to kernel taint + [ 13.383534] Oops: general protection fault, probably for non-canonical address 0xe0a1bc4140000013: 0000 [#1] PREEMPT SMP KASAN NOPTI + [ 13.383544] KASAN: maybe wild-memory-access in range [0x050e020a00000098-0x050e020a0000009f] + [ 13.383551] CPU: 3 PID: 479 Comm: (udev-worker) Tainted: G B 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 + [ 13.383561] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 + [ 13.383565] RIP: 0010:amd_sfh_get_report+0x81/0x530 [amd_sfh] + [ 13.383580] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 78 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 1a 03 00 00 45 8b 74 24 10 45 + [ 13.383585] RSP: 0018:ffff8881261f7388 EFLAGS: 00010212 + [ 13.383592] RAX: dffffc0000000000 RBX: ffff88813152f400 RCX: 0000000000000002 + [ 13.383597] RDX: 00a1c04140000013 RSI: 0000000000000008 RDI: 050e020a0000009b + [ 13.383600] RBP: ffff88814d010000 R08: 0000000000000002 R09: fffffbfff3ddb8c0 + [ 13.383604] R10: ffffffff9eedc607 R11: ffff88810ce98000 R12: 050e020a0000008b + [ 13.383607] R13: ffff88814d010000 R14: dffffc0000000000 R15: 0000000000000004 + [ 13.383611] FS: 00007a21f94d0880(0000) GS:ffff8887e7d80000(0000) knlGS:0000000000000000 + [ 13.383615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 13.383618] CR2: 00007e0014c438f0 CR3: 000000012614c000 CR4: 0000000000f50ef0 + [ 13.383622] PKRU: 55555554 + [ 13.383625] Call Trace: + [ 13.383629] + [ 13.383632] ? __die_body.cold+0x19/0x27 + [ 13.383644] ? die_addr+0x46/0x70 + [ 13.383652] ? exc_general_protection+0x150/0x240 + [ 13.383664] ? asm_exc_general_protection+0x26/0x30 + [ 13.383674] ? amd_sfh_get_report+0x81/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.383686] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.383697] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] + [ 13.383706] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.383713] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] + [ 13.383727] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] + [ 13.383739] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.383745] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] + [ 13.383753] ? _raw_spin_lock_irqsave+0x96/0xf0 + [ 13.383762] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 + [ 13.383768] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] + [ 13.383790] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.383795] ? __devm_add_action+0x167/0x1d0 + [ 13.383806] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] + [ 13.383818] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.383826] platform_probe+0xa2/0x150 + [ 13.383832] really_probe+0x1e3/0x8a0 + [ 13.383838] __driver_probe_device+0x18c/0x370 + [ 13.383844] driver_probe_device+0x4a/0x120 + [ 13.383851] __driver_attach+0x190/0x4a0 + [ 13.383857] ? __pfx___driver_attach+0x10/0x10 + [ 13.383863] bus_for_each_dev+0x106/0x180 + [ 13.383868] ? __pfx__raw_spin_lock+0x10/0x10 + [ 13.383874] ? __pfx_bus_for_each_dev+0x10/0x10 + [ 13.383880] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.383887] bus_add_driver+0x29e/0x4d0 + [ 13.383895] driver_register+0x1a5/0x360 + [ 13.383902] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] + [ 13.383910] do_one_initcall+0xa7/0x380 + [ 13.383919] ? __pfx_do_one_initcall+0x10/0x10 + [ 13.383927] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.383933] ? kasan_unpoison+0x44/0x70 + [ 13.383943] do_init_module+0x238/0x750 + [ 13.383955] load_module+0x5011/0x6af0 + [ 13.383962] ? kasan_save_stack+0x30/0x50 + [ 13.383968] ? kasan_save_track+0x14/0x30 + [ 13.383973] ? kasan_save_free_info+0x3b/0x60 + [ 13.383980] ? poison_slab_object+0x109/0x180 + [ 13.383993] ? __pfx_load_module+0x10/0x10 + [ 13.384007] ? poison_slab_object+0x109/0x180 + [ 13.384012] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384018] ? init_module_from_file+0x13d/0x150 + [ 13.384025] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384032] ? init_module_from_file+0xdf/0x150 + [ 13.384037] init_module_from_file+0xdf/0x150 + [ 13.384044] ? __pfx_init_module_from_file+0x10/0x10 + [ 13.384050] ? kasan_save_track+0x14/0x30 + [ 13.384055] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384060] ? kasan_save_free_info+0x3b/0x60 + [ 13.384066] ? poison_slab_object+0x109/0x180 + [ 13.384071] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384080] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384085] ? _raw_spin_lock+0x85/0xe0 + [ 13.384091] ? __pfx__raw_spin_lock+0x10/0x10 + [ 13.384096] ? __rseq_handle_notify_resume+0x1a6/0xad0 + [ 13.384106] idempotent_init_module+0x23b/0x650 + [ 13.384114] ? __pfx_idempotent_init_module+0x10/0x10 + [ 13.384120] ? __pfx___seccomp_filter+0x10/0x10 + [ 13.384129] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384135] ? __fget_light+0x57/0x420 + [ 13.384142] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384147] ? security_capable+0x74/0xb0 + [ 13.384157] __x64_sys_finit_module+0xbe/0x130 + [ 13.384164] do_syscall_64+0x82/0x190 + [ 13.384174] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384179] ? irqtime_account_irq+0x3d/0x1f0 + [ 13.384188] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384193] ? __irq_exit_rcu+0x4e/0x130 + [ 13.384201] ? srso_alias_return_thunk+0x5/0xfbef5 + [ 13.384206] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [ 13.384212] RIP: 0033:0x7a21f96ade9d + [ 13.384263] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48 + [ 13.384267] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 + [ 13.384273] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d + [ 13.384277] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c + [ 13.384280] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0 + [ 13.384284] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000 + [ 13.384288] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530 + [ 13.384297] + [ 13.384299] Modules linked in: soundwire_amd(+) hid_sensor_gyro_3d(+) hid_sensor_magn_3d hid_sensor_accel_3d soundwire_generic_allocation amdxcp hid_sensor_trigger drm_exec industrialio_triggered_buffer soundwire_bus gpu_sched kvm_amd kfifo_buf qmi_helpers joydev drm_buddy hid_sensor_iio_common mousedev snd_soc_core industrialio i2c_algo_bit mac80211 snd_compress drm_suballoc_helper kvm snd_hda_intel drm_ttm_helper ac97_bus snd_pcm_dmaengine snd_intel_dspcfg ttm thinkpad_acpi(+) snd_intel_sdw_acpi hid_sensor_hub snd_rpl_pci_acp6x drm_display_helper snd_hda_codec hid_multitouch libarc4 snd_acp_pci platform_profile think_lmi(+) hid_generic firmware_attributes_class wmi_bmof cec snd_acp_legacy_common sparse_keymap rapl snd_hda_core psmouse cfg80211 pcspkr snd_pci_acp6x snd_hwdep video snd_pcm snd_pci_acp5x snd_timer snd_rn_pci_acp3x ucsi_acpi snd_acp_config snd sp5100_tco rfkill snd_soc_acpi typec_ucsi thunderbolt amd_sfh k10temp mhi soundcore i2c_piix4 snd_pci_acp3x typec i2c_hid_acpi roles i2c_hid wmi acpi_tad amd_pmc + [ 13.384454] mac_hid i2c_dev crypto_user loop nfnetlink zram ip_tables x_tables dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic gf128mul ghash_clmulni_intel serio_raw sha512_ssse3 atkbd sha256_ssse3 libps2 sha1_ssse3 vivaldi_fmap nvme aesni_intel crypto_simd nvme_core cryptd ccp xhci_pci i8042 nvme_auth xhci_pci_renesas serio vfat fat btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq + [ 13.384552] ---[ end trace 0000000000000000 ]--- + +KASAN reports a use-after-free of hid->driver_data in function +amd_sfh_get_report(). The backtrace indicates that the function is called +by amdtp_hid_request() which is one of the callbacks of hid device. +The current make sure that driver_data is freed only once +hid_destroy_device() returned. + +Note that I observed the crash both on v6.9.9 and v6.10.0. The +code seems to be as it was from the early days of the driver. + +Signed-off-by: Olivier Sobrie +Acked-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/amd_sfh_hid.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c +index 1b18291fc5af..d682b99c25b1 100644 +--- a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c ++++ b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c +@@ -171,11 +171,13 @@ int amdtp_hid_probe(u32 cur_hid_dev, struct amdtp_cl_data *cli_data) + void amdtp_hid_remove(struct amdtp_cl_data *cli_data) + { + int i; ++ struct amdtp_hid_data *hid_data; + + for (i = 0; i < cli_data->num_hid_devices; ++i) { + if (cli_data->hid_sensor_hubs[i]) { +- kfree(cli_data->hid_sensor_hubs[i]->driver_data); ++ hid_data = cli_data->hid_sensor_hubs[i]->driver_data; + hid_destroy_device(cli_data->hid_sensor_hubs[i]); ++ kfree(hid_data); + cli_data->hid_sensor_hubs[i] = NULL; + } + } +-- +2.43.0 + diff --git a/queue-6.1/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch b/queue-6.1/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch new file mode 100644 index 00000000000..ab60e9104b0 --- /dev/null +++ b/queue-6.1/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch @@ -0,0 +1,38 @@ +From c9450e5268ce78bd9adb4b20a414f5395c398291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 19:42:43 -0400 +Subject: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup + +From: Camila Alvarez + +[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ] + +report_fixup for the Cougar 500k Gaming Keyboard was not verifying +that the report descriptor size was correct before accessing it + +Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452 +Signed-off-by: Camila Alvarez +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cougar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c +index cb8bd8aae15b..0fa785f52707 100644 +--- a/drivers/hid/hid-cougar.c ++++ b/drivers/hid/hid-cougar.c +@@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void) + static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +- if (rdesc[2] == 0x09 && rdesc[3] == 0x02 && ++ if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 && + (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) { + hid_info(hdev, + "usage count exceeds max: fixing up report descriptor\n"); +-- +2.43.0 + diff --git a/queue-6.1/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch b/queue-6.1/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch new file mode 100644 index 00000000000..23aa35de078 --- /dev/null +++ b/queue-6.1/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch @@ -0,0 +1,44 @@ +From d8066d6307eedff61797ccb761bec21cf79d4130 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:43:04 -0700 +Subject: hwmon: (adc128d818) Fix underflows seen when writing limit attributes + +From: Guenter Roeck + +[ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/adc128d818.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c +index 97b330b6c165..bad2d39d9733 100644 +--- a/drivers/hwmon/adc128d818.c ++++ b/drivers/hwmon/adc128d818.c +@@ -176,7 +176,7 @@ static ssize_t adc128_in_store(struct device *dev, + + mutex_lock(&data->update_lock); + /* 10 mV LSB on limit registers */ +- regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255); ++ regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10); + data->in[index][nr] = regval << 4; + reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr); + i2c_smbus_write_byte_data(data->client, reg, regval); +@@ -214,7 +214,7 @@ static ssize_t adc128_temp_store(struct device *dev, + return err; + + mutex_lock(&data->update_lock); +- regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); ++ regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); + data->temp[index] = regval << 1; + i2c_smbus_write_byte_data(data->client, + index == 1 ? ADC128_REG_TEMP_MAX +-- +2.43.0 + diff --git a/queue-6.1/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch b/queue-6.1/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch new file mode 100644 index 00000000000..cdfbb7ecd6b --- /dev/null +++ b/queue-6.1/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch @@ -0,0 +1,63 @@ +From 903aa11fcc99de0c67818337057b6fbc0be0ac52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:48:42 -0700 +Subject: hwmon: (lm95234) Fix underflows seen when writing limit attributes + +From: Guenter Roeck + +[ Upstream commit af64e3e1537896337405f880c1e9ac1f8c0c6198 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm95234.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/hwmon/lm95234.c b/drivers/hwmon/lm95234.c +index b4a9d0c223c4..db570fe84132 100644 +--- a/drivers/hwmon/lm95234.c ++++ b/drivers/hwmon/lm95234.c +@@ -301,7 +301,8 @@ static ssize_t tcrit2_store(struct device *dev, struct device_attribute *attr, + if (ret < 0) + return ret; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, index ? 255 : 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, (index ? 255 : 127) * 1000), ++ 1000); + + mutex_lock(&data->update_lock); + data->tcrit2[index] = val; +@@ -350,7 +351,7 @@ static ssize_t tcrit1_store(struct device *dev, struct device_attribute *attr, + if (ret < 0) + return ret; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000); + + mutex_lock(&data->update_lock); + data->tcrit1[index] = val; +@@ -391,7 +392,7 @@ static ssize_t tcrit1_hyst_store(struct device *dev, + if (ret < 0) + return ret; + +- val = DIV_ROUND_CLOSEST(val, 1000); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, -255000, 255000), 1000); + val = clamp_val((int)data->tcrit1[index] - val, 0, 31); + + mutex_lock(&data->update_lock); +@@ -431,7 +432,7 @@ static ssize_t offset_store(struct device *dev, struct device_attribute *attr, + return ret; + + /* Accuracy is 1/2 degrees C */ +- val = clamp_val(DIV_ROUND_CLOSEST(val, 500), -128, 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, -64000, 63500), 500); + + mutex_lock(&data->update_lock); + data->toffset[index] = val; +-- +2.43.0 + diff --git a/queue-6.1/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch b/queue-6.1/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch new file mode 100644 index 00000000000..204ad66f264 --- /dev/null +++ b/queue-6.1/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch @@ -0,0 +1,36 @@ +From c2141c44bbaf0229f1125b8eba47828d40dc3f03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:50:08 -0700 +Subject: hwmon: (nct6775-core) Fix underflows seen when writing limit + attributes + +From: Guenter Roeck + +[ Upstream commit 0403e10bf0824bf0ec2bb135d4cf1c0cc3bf4bf0 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c +index 9720ad214c20..83e424945b59 100644 +--- a/drivers/hwmon/nct6775-core.c ++++ b/drivers/hwmon/nct6775-core.c +@@ -2171,7 +2171,7 @@ store_temp_offset(struct device *dev, struct device_attribute *attr, + if (err < 0) + return err; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); + + mutex_lock(&data->update_lock); + data->temp_offset[nr] = val; +-- +2.43.0 + diff --git a/queue-6.1/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch b/queue-6.1/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch new file mode 100644 index 00000000000..cc813eaf10d --- /dev/null +++ b/queue-6.1/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch @@ -0,0 +1,44 @@ +From 4088d7b67abd995560da41ad1f6dfd7d24ffc10d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jul 2024 23:51:34 -0700 +Subject: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes + +From: Guenter Roeck + +[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ] + +DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large +negative number such as -9223372036854775808 is provided by the user. +Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. + +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/w83627ehf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c +index 939d4c35e713..66d71aba4171 100644 +--- a/drivers/hwmon/w83627ehf.c ++++ b/drivers/hwmon/w83627ehf.c +@@ -895,7 +895,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr, + if (err < 0) + return err; + +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000); + + mutex_lock(&data->update_lock); + data->target_temp[nr] = val; +@@ -920,7 +920,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr, + return err; + + /* Limit the temp to 0C - 15C */ +- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15); ++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000); + + mutex_lock(&data->update_lock); + reg = w83627ehf_read_value(data, W83627EHF_REG_TOLERANCE[nr]); +-- +2.43.0 + diff --git a/queue-6.1/i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch b/queue-6.1/i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch new file mode 100644 index 00000000000..f21000a78a8 --- /dev/null +++ b/queue-6.1/i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch @@ -0,0 +1,40 @@ +From bdfd494bd17150bd8d784671f7538e71971417b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jun 2024 16:15:58 +0300 +Subject: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup + +From: Jarkko Nikula + +[ Upstream commit 8a2be2f1db268ec735419e53ef04ca039fc027dc ] + +Definitely condition dma_get_cache_alignment * defined value > 256 +during driver initialization is not reason to BUG_ON(). Turn that to +graceful error out with -EINVAL. + +Signed-off-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20240628131559.502822-3-jarkko.nikula@linux.intel.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/mipi-i3c-hci/dma.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c +index 337c95d43f3f..edc3a69bfe31 100644 +--- a/drivers/i3c/master/mipi-i3c-hci/dma.c ++++ b/drivers/i3c/master/mipi-i3c-hci/dma.c +@@ -291,7 +291,10 @@ static int hci_dma_init(struct i3c_hci *hci) + + rh->ibi_chunk_sz = dma_get_cache_alignment(); + rh->ibi_chunk_sz *= IBI_CHUNK_CACHELINES; +- BUG_ON(rh->ibi_chunk_sz > 256); ++ if (rh->ibi_chunk_sz > 256) { ++ ret = -EINVAL; ++ goto err_out; ++ } + + ibi_status_ring_sz = rh->ibi_status_sz * rh->ibi_status_entries; + ibi_data_ring_sz = rh->ibi_chunk_sz * rh->ibi_chunks_total; +-- +2.43.0 + diff --git a/queue-6.1/ice-add-netif_device_attach-detach-into-pf-reset-flo.patch b/queue-6.1/ice-add-netif_device_attach-detach-into-pf-reset-flo.patch new file mode 100644 index 00000000000..0aec3cf8b92 --- /dev/null +++ b/queue-6.1/ice-add-netif_device_attach-detach-into-pf-reset-flo.patch @@ -0,0 +1,107 @@ +From f31ce171d39d4815de5c4ef6b0698ee8b22d2d76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 18:06:40 +0200 +Subject: ice: Add netif_device_attach/detach into PF reset flow + +From: Dawid Osuchowski + +[ Upstream commit d11a67634227f9f9da51938af085fb41a733848f ] + +Ethtool callbacks can be executed while reset is in progress and try to +access deleted resources, e.g. getting coalesce settings can result in a +NULL pointer dereference seen below. + +Reproduction steps: +Once the driver is fully initialized, trigger reset: + # echo 1 > /sys/class/net//device/reset +when reset is in progress try to get coalesce settings using ethtool: + # ethtool -c + +BUG: kernel NULL pointer dereference, address: 0000000000000020 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 +RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] +RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 +RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 +R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 +FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 +Call Trace: + +ice_get_coalesce+0x17/0x30 [ice] +coalesce_prepare_data+0x61/0x80 +ethnl_default_doit+0xde/0x340 +genl_family_rcv_msg_doit+0xf2/0x150 +genl_rcv_msg+0x1b3/0x2c0 +netlink_rcv_skb+0x5b/0x110 +genl_rcv+0x28/0x40 +netlink_unicast+0x19c/0x290 +netlink_sendmsg+0x222/0x490 +__sys_sendto+0x1df/0x1f0 +__x64_sys_sendto+0x24/0x30 +do_syscall_64+0x82/0x160 +entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7faee60d8e27 + +Calling netif_device_detach() before reset makes the net core not call +the driver when ethtool command is issued, the attempt to execute an +ethtool command during reset will result in the following message: + + netlink error: No such device + +instead of NULL pointer dereference. Once reset is done and +ice_rebuild() is executing, the netif_device_attach() is called to allow +for ethtool operations to occur again in a safe manner. + +Fixes: fcea6f3da546 ("ice: Add stats and ethtool support") +Suggested-by: Jakub Kicinski +Reviewed-by: Igor Bagnucki +Signed-off-by: Dawid Osuchowski +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Reviewed-by: Michal Schmidt +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 9dbfbc90485e..15876f388d68 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -611,6 +611,9 @@ ice_prepare_for_reset(struct ice_pf *pf, enum ice_reset_req reset_type) + memset(&vsi->mqprio_qopt, 0, sizeof(vsi->mqprio_qopt)); + } + } ++ ++ if (vsi->netdev) ++ netif_device_detach(vsi->netdev); + skip: + + /* clear SW filtering DB */ +@@ -7140,6 +7143,7 @@ static void ice_update_pf_netdev_link(struct ice_pf *pf) + */ + static void ice_rebuild(struct ice_pf *pf, enum ice_reset_req reset_type) + { ++ struct ice_vsi *vsi = ice_get_main_vsi(pf); + struct device *dev = ice_pf_to_dev(pf); + struct ice_hw *hw = &pf->hw; + bool dvm; +@@ -7292,6 +7296,9 @@ static void ice_rebuild(struct ice_pf *pf, enum ice_reset_req reset_type) + ice_rebuild_arfs(pf); + } + ++ if (vsi && vsi->netdev) ++ netif_device_attach(vsi->netdev); ++ + ice_update_pf_netdev_link(pf); + + /* tell the firmware we are up */ +-- +2.43.0 + diff --git a/queue-6.1/ice-allow-hot-swapping-xdp-programs.patch b/queue-6.1/ice-allow-hot-swapping-xdp-programs.patch new file mode 100644 index 00000000000..c0f6e9e5903 --- /dev/null +++ b/queue-6.1/ice-allow-hot-swapping-xdp-programs.patch @@ -0,0 +1,87 @@ +From 78f85b7cd897ab9a40f4700136d90bbcf30f2e41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 13:33:26 +0200 +Subject: ice: allow hot-swapping XDP programs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Fijalkowski + +[ Upstream commit 469748429ac81f0a6a344637fc9d3b1d16a9f3d8 ] + +Currently ice driver's .ndo_bpf callback brings interface down and up +independently of XDP resources' presence. This is only needed when +either these resources have to be configured or removed. It means that +if one is switching XDP programs on-the-fly with running traffic, +packets will be dropped. + +To avoid this, compare early on ice_xdp_setup_prog() state of incoming +bpf_prog pointer vs the bpf_prog pointer that is already assigned to +VSI. Do the swap in case VSI has bpf_prog and incoming one are non-NULL. + +Lastly, while at it, put old bpf_prog *after* the update of Rx ring's +bpf_prog pointer. In theory previous code could expose us to a state +where Rx ring's bpf_prog would still be referring to old_prog that got +released with earlier bpf_prog_put(). + +Signed-off-by: Maciej Fijalkowski +Acked-by: Toke Høiland-Jørgensen +Reviewed-by: Alexander Lobakin +Tested-by: Chandan Kumar Rout (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Stable-dep-of: 04c7e14e5b0b ("ice: do not bring the VSI up, if it was down before the XDP setup") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index cd9bcc3536fb..1973b032fe05 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2633,11 +2633,11 @@ static void ice_vsi_assign_bpf_prog(struct ice_vsi *vsi, struct bpf_prog *prog) + int i; + + old_prog = xchg(&vsi->xdp_prog, prog); +- if (old_prog) +- bpf_prog_put(old_prog); +- + ice_for_each_rxq(vsi, i) + WRITE_ONCE(vsi->rx_rings[i]->xdp_prog, vsi->xdp_prog); ++ ++ if (old_prog) ++ bpf_prog_put(old_prog); + } + + /** +@@ -2917,6 +2917,12 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + return -EOPNOTSUPP; + } + ++ /* hot swap progs and avoid toggling link */ ++ if (ice_is_xdp_ena_vsi(vsi) == !!prog) { ++ ice_vsi_assign_bpf_prog(vsi, prog); ++ return 0; ++ } ++ + /* need to stop netdev while setting up the program for Rx rings */ + if (if_running && !test_and_set_bit(ICE_VSI_DOWN, vsi->state)) { + ret = ice_down(vsi); +@@ -2947,13 +2953,6 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + xdp_ring_err = ice_realloc_zc_buf(vsi, false); + if (xdp_ring_err) + NL_SET_ERR_MSG_MOD(extack, "Freeing XDP Rx resources failed"); +- } else { +- /* safe to call even when prog == vsi->xdp_prog as +- * dev_xdp_install in net/core/dev.c incremented prog's +- * refcount so corresponding bpf_prog_put won't cause +- * underflow +- */ +- ice_vsi_assign_bpf_prog(vsi, prog); + } + + if (if_running) +-- +2.43.0 + diff --git a/queue-6.1/ice-do-not-bring-the-vsi-up-if-it-was-down-before-th.patch b/queue-6.1/ice-do-not-bring-the-vsi-up-if-it-was-down-before-th.patch new file mode 100644 index 00000000000..e0e8eee33ec --- /dev/null +++ b/queue-6.1/ice-do-not-bring-the-vsi-up-if-it-was-down-before-th.patch @@ -0,0 +1,57 @@ +From 83ea28c7f6891ee54b30f71297faf860dfe9a537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2024 11:59:31 +0200 +Subject: ice: do not bring the VSI up, if it was down before the XDP setup + +From: Larysa Zaremba + +[ Upstream commit 04c7e14e5b0b6227e7b00d7a96ca2f2426ab9171 ] + +After XDP configuration is completed, we bring the interface up +unconditionally, regardless of its state before the call to .ndo_bpf(). + +Preserve the information whether the interface had to be brought down and +later bring it up only in such case. + +Fixes: efc2214b6047 ("ice: Add support for XDP") +Reviewed-by: Wojciech Drewek +Reviewed-by: Jacob Keller +Tested-by: Chandan Kumar Rout +Acked-by: Maciej Fijalkowski +Signed-off-by: Larysa Zaremba +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 1973b032fe05..3f01942e4982 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2909,8 +2909,8 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + struct netlink_ext_ack *extack) + { + unsigned int frame_size = vsi->netdev->mtu + ICE_ETH_PKT_HDR_PAD; +- bool if_running = netif_running(vsi->netdev); + int ret = 0, xdp_ring_err = 0; ++ bool if_running; + + if (frame_size > ice_max_xdp_frame_size(vsi)) { + NL_SET_ERR_MSG_MOD(extack, "MTU too large for loading XDP"); +@@ -2923,8 +2923,11 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + return 0; + } + ++ if_running = netif_running(vsi->netdev) && ++ !test_and_set_bit(ICE_VSI_DOWN, vsi->state); ++ + /* need to stop netdev while setting up the program for Rx rings */ +- if (if_running && !test_and_set_bit(ICE_VSI_DOWN, vsi->state)) { ++ if (if_running) { + ret = ice_down(vsi); + if (ret) { + NL_SET_ERR_MSG_MOD(extack, "Preparing device for XDP attach failed"); +-- +2.43.0 + diff --git a/queue-6.1/ice-use-ice_max_xdp_frame_size-in-ice_xdp_setup_prog.patch b/queue-6.1/ice-use-ice_max_xdp_frame_size-in-ice_xdp_setup_prog.patch new file mode 100644 index 00000000000..2c1e7d88a01 --- /dev/null +++ b/queue-6.1/ice-use-ice_max_xdp_frame_size-in-ice_xdp_setup_prog.patch @@ -0,0 +1,81 @@ +From 904d5fed6e5b9bf4e471e9968d4f024e8c5500d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 21:45:00 +0100 +Subject: ice: Use ice_max_xdp_frame_size() in ice_xdp_setup_prog() + +From: Maciej Fijalkowski + +[ Upstream commit 60bc72b3c4e9127f29686770005da40b10be0576 ] + +This should have been used in there from day 1, let us address that +before introducing XDP multi-buffer support for Rx side. + +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Daniel Borkmann +Reviewed-by: Alexander Lobakin +Link: https://lore.kernel.org/bpf/20230131204506.219292-8-maciej.fijalkowski@intel.com +Stable-dep-of: 04c7e14e5b0b ("ice: do not bring the VSI up, if it was down before the XDP setup") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 28 +++++++++++------------ + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 15876f388d68..cd9bcc3536fb 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2886,6 +2886,18 @@ int ice_vsi_determine_xdp_res(struct ice_vsi *vsi) + return 0; + } + ++/** ++ * ice_max_xdp_frame_size - returns the maximum allowed frame size for XDP ++ * @vsi: Pointer to VSI structure ++ */ ++static int ice_max_xdp_frame_size(struct ice_vsi *vsi) ++{ ++ if (test_bit(ICE_FLAG_LEGACY_RX, vsi->back->flags)) ++ return ICE_RXBUF_1664; ++ else ++ return ICE_RXBUF_3072; ++} ++ + /** + * ice_xdp_setup_prog - Add or remove XDP eBPF program + * @vsi: VSI to setup XDP for +@@ -2896,11 +2908,11 @@ static int + ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + struct netlink_ext_ack *extack) + { +- int frame_size = vsi->netdev->mtu + ICE_ETH_PKT_HDR_PAD; ++ unsigned int frame_size = vsi->netdev->mtu + ICE_ETH_PKT_HDR_PAD; + bool if_running = netif_running(vsi->netdev); + int ret = 0, xdp_ring_err = 0; + +- if (frame_size > vsi->rx_buf_len) { ++ if (frame_size > ice_max_xdp_frame_size(vsi)) { + NL_SET_ERR_MSG_MOD(extack, "MTU too large for loading XDP"); + return -EOPNOTSUPP; + } +@@ -7329,18 +7341,6 @@ static void ice_rebuild(struct ice_pf *pf, enum ice_reset_req reset_type) + dev_err(dev, "Rebuild failed, unload and reload driver\n"); + } + +-/** +- * ice_max_xdp_frame_size - returns the maximum allowed frame size for XDP +- * @vsi: Pointer to VSI structure +- */ +-static int ice_max_xdp_frame_size(struct ice_vsi *vsi) +-{ +- if (test_bit(ICE_FLAG_LEGACY_RX, vsi->back->flags)) +- return ICE_RXBUF_1664; +- else +- return ICE_RXBUF_3072; +-} +- + /** + * ice_change_mtu - NDO callback to change the MTU + * @netdev: network interface device structure +-- +2.43.0 + diff --git a/queue-6.1/igb-fix-not-clearing-timesync-interrupts-for-82580.patch b/queue-6.1/igb-fix-not-clearing-timesync-interrupts-for-82580.patch new file mode 100644 index 00000000000..0e275671661 --- /dev/null +++ b/queue-6.1/igb-fix-not-clearing-timesync-interrupts-for-82580.patch @@ -0,0 +1,70 @@ +From 9757cf3483332c721b508d9c16afc651793edf0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Aug 2024 21:55:53 -0700 +Subject: igb: Fix not clearing TimeSync interrupts for 82580 + +From: Daiwei Li + +[ Upstream commit ba8cf80724dbc09825b52498e4efacb563935408 ] + +82580 NICs have a hardware bug that makes it +necessary to write into the TSICR (TimeSync Interrupt Cause) register +to clear it: +https://lore.kernel.org/all/CDCB8BE0.1EC2C%25matthew.vick@intel.com/ + +Add a conditional so only for 82580 we write into the TSICR register, +so we don't risk losing events for other models. + +Without this change, when running ptp4l with an Intel 82580 card, +I get the following output: + +> timed out while polling for tx timestamp increasing tx_timestamp_timeout or +> increasing kworker priority may correct this issue, but a driver bug likely +> causes it + +This goes away with this change. + +This (partially) reverts commit ee14cc9ea19b ("igb: Fix missing time sync events"). + +Fixes: ee14cc9ea19b ("igb: Fix missing time sync events") +Closes: https://lore.kernel.org/intel-wired-lan/CAN0jFd1kO0MMtOh8N2Ztxn6f7vvDKp2h507sMryobkBKe=xk=w@mail.gmail.com/ +Tested-by: Daiwei Li +Suggested-by: Vinicius Costa Gomes +Signed-off-by: Daiwei Li +Acked-by: Vinicius Costa Gomes +Reviewed-by: Kurt Kanzenbach +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 81d9a5338be5..76bd41058f3a 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6925,10 +6925,20 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) + + static void igb_tsync_interrupt(struct igb_adapter *adapter) + { ++ const u32 mask = (TSINTR_SYS_WRAP | E1000_TSICR_TXTS | ++ TSINTR_TT0 | TSINTR_TT1 | ++ TSINTR_AUTT0 | TSINTR_AUTT1); + struct e1000_hw *hw = &adapter->hw; + u32 tsicr = rd32(E1000_TSICR); + struct ptp_clock_event event; + ++ if (hw->mac.type == e1000_82580) { ++ /* 82580 has a hardware bug that requires an explicit ++ * write to clear the TimeSync interrupt cause. ++ */ ++ wr32(E1000_TSICR, tsicr & mask); ++ } ++ + if (tsicr & TSINTR_SYS_WRAP) { + event.type = PTP_CLOCK_PPS; + if (adapter->ptp_caps.pps) +-- +2.43.0 + diff --git a/queue-6.1/igc-unlock-on-error-in-igc_io_resume.patch b/queue-6.1/igc-unlock-on-error-in-igc_io_resume.patch new file mode 100644 index 00000000000..d6ae4a71ddb --- /dev/null +++ b/queue-6.1/igc-unlock-on-error-in-igc_io_resume.patch @@ -0,0 +1,35 @@ +From 028c5ea808ef2fb750c79194488aad99dda2c496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 22:22:45 +0300 +Subject: igc: Unlock on error in igc_io_resume() + +From: Dan Carpenter + +[ Upstream commit ef4a99a0164e3972abb421cbb1b09ea6c61414df ] + +Call rtnl_unlock() on this error path, before returning. + +Fixes: bc23aa949aeb ("igc: Add pcie error handler support") +Signed-off-by: Dan Carpenter +Reviewed-by: Gerhard Engleder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 39f8f28288aa..6ae2d0b723c8 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -7063,6 +7063,7 @@ static void igc_io_resume(struct pci_dev *pdev) + rtnl_lock(); + if (netif_running(netdev)) { + if (igc_open(netdev)) { ++ rtnl_unlock(); + netdev_err(netdev, "igc_open failed after reset\n"); + return; + } +-- +2.43.0 + diff --git a/queue-6.1/input-ili210x-use-kvmalloc-to-allocate-buffer-for-fi.patch b/queue-6.1/input-ili210x-use-kvmalloc-to-allocate-buffer-for-fi.patch new file mode 100644 index 00000000000..d42859822ad --- /dev/null +++ b/queue-6.1/input-ili210x-use-kvmalloc-to-allocate-buffer-for-fi.patch @@ -0,0 +1,58 @@ +From 518837cd256f0b2b2a3d8ac79862722c28e77144 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jun 2024 16:47:53 -0700 +Subject: Input: ili210x - use kvmalloc() to allocate buffer for firmware + update + +From: Dmitry Torokhov + +[ Upstream commit 17f5eebf6780eee50f887542e1833fda95f53e4d ] + +Allocating a contiguous buffer of 64K may fail if memory is sufficiently +fragmented, and may cause OOM kill of an unrelated process. However we +do not need to have contiguous memory. We also do not need to zero +out the buffer since it will be overwritten with firmware data. + +Switch to using kvmalloc() instead of kzalloc(). + +Link: https://lore.kernel.org/r/20240609234757.610273-1-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ili210x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/touchscreen/ili210x.c b/drivers/input/touchscreen/ili210x.c +index e3a36cd3656c..8c8eea5173f7 100644 +--- a/drivers/input/touchscreen/ili210x.c ++++ b/drivers/input/touchscreen/ili210x.c +@@ -586,7 +586,7 @@ static int ili251x_firmware_to_buffer(const struct firmware *fw, + * once, copy them all into this buffer at the right locations, and then + * do all operations on this linear buffer. + */ +- fw_buf = kzalloc(SZ_64K, GFP_KERNEL); ++ fw_buf = kvmalloc(SZ_64K, GFP_KERNEL); + if (!fw_buf) + return -ENOMEM; + +@@ -616,7 +616,7 @@ static int ili251x_firmware_to_buffer(const struct firmware *fw, + return 0; + + err_big: +- kfree(fw_buf); ++ kvfree(fw_buf); + return error; + } + +@@ -859,7 +859,7 @@ static ssize_t ili210x_firmware_update_store(struct device *dev, + ili210x_hardware_reset(priv->reset_gpio); + dev_dbg(dev, "Firmware update ended, error=%i\n", error); + enable_irq(client->irq); +- kfree(fwbuf); ++ kvfree(fwbuf); + return error; + } + +-- +2.43.0 + diff --git a/queue-6.1/input-uinput-reject-requests-with-unreasonable-numbe.patch b/queue-6.1/input-uinput-reject-requests-with-unreasonable-numbe.patch new file mode 100644 index 00000000000..492a3492f07 --- /dev/null +++ b/queue-6.1/input-uinput-reject-requests-with-unreasonable-numbe.patch @@ -0,0 +1,59 @@ +From 9b42eb66ff8ed07786cd5a8011cf7f380db3a568 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Aug 2024 17:50:25 -0700 +Subject: Input: uinput - reject requests with unreasonable number of slots + +From: Dmitry Torokhov + +[ Upstream commit 206f533a0a7c683982af473079c4111f4a0f9f5e ] + +From: Dmitry Torokhov + +When exercising uinput interface syzkaller may try setting up device +with a really large number of slots, which causes memory allocation +failure in input_mt_init_slots(). While this allocation failure is +handled properly and request is rejected, it results in syzkaller +reports. Additionally, such request may put undue burden on the +system which will try to free a lot of memory for a bogus request. + +Fix it by limiting allowed number of slots to 100. This can easily +be extended if we see devices that can track more than 100 contacts. + +Reported-by: Tetsuo Handa +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5 +Link: https://lore.kernel.org/r/Zqgi7NYEbpRsJfa2@google.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/uinput.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c +index f2593133e524..790db3ceb208 100644 +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -416,6 +416,20 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, + return -EINVAL; + } + ++ /* ++ * Limit number of contacts to a reasonable value (100). This ++ * ensures that we need less than 2 pages for struct input_mt ++ * (we are not using in-kernel slot assignment so not going to ++ * allocate memory for the "red" table), and we should have no ++ * trouble getting this much memory. ++ */ ++ if (code == ABS_MT_SLOT && max > 99) { ++ printk(KERN_DEBUG ++ "%s: unreasonably large number of slots requested: %d\n", ++ UINPUT_NAME, max); ++ return -EINVAL; ++ } ++ + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/iommu-sun50i-clear-bypass-register.patch b/queue-6.1/iommu-sun50i-clear-bypass-register.patch new file mode 100644 index 00000000000..62238e36d7a --- /dev/null +++ b/queue-6.1/iommu-sun50i-clear-bypass-register.patch @@ -0,0 +1,43 @@ +From 25294d4f3332eb4eb68b0674f5e9da45a191640b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jun 2024 23:40:52 +0100 +Subject: iommu: sun50i: clear bypass register + +From: Jernej Skrabec + +[ Upstream commit 927c70c93d929f4c2dcaf72f51b31bb7d118a51a ] + +The Allwinner H6 IOMMU has a bypass register, which allows to circumvent +the page tables for each possible master. The reset value for this +register is 0, which disables the bypass. +The Allwinner H616 IOMMU resets this register to 0x7f, which activates +the bypass for all masters, which is not what we want. + +Always clear this register to 0, to enforce the usage of page tables, +and make this driver compatible with the H616 in this respect. + +Signed-off-by: Jernej Skrabec +Signed-off-by: Andre Przywara +Reviewed-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20240616224056.29159-2-andre.przywara@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/sun50i-iommu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c +index 5b585eace3d4..e8dc1a7d9491 100644 +--- a/drivers/iommu/sun50i-iommu.c ++++ b/drivers/iommu/sun50i-iommu.c +@@ -449,6 +449,7 @@ static int sun50i_iommu_enable(struct sun50i_iommu *iommu) + IOMMU_TLB_PREFETCH_MASTER_ENABLE(3) | + IOMMU_TLB_PREFETCH_MASTER_ENABLE(4) | + IOMMU_TLB_PREFETCH_MASTER_ENABLE(5)); ++ iommu_write(iommu, IOMMU_BYPASS_REG, 0); + iommu_write(iommu, IOMMU_INT_ENABLE_REG, IOMMU_INT_MASK); + iommu_write(iommu, IOMMU_DM_AUT_CTRL_REG(SUN50I_IOMMU_ACI_NONE), + IOMMU_DM_AUT_CTRL_RD_UNAVAIL(SUN50I_IOMMU_ACI_NONE, 0) | +-- +2.43.0 + diff --git a/queue-6.1/iommu-vt-d-handle-volatile-descriptor-status-read.patch b/queue-6.1/iommu-vt-d-handle-volatile-descriptor-status-read.patch new file mode 100644 index 00000000000..032411fc5df --- /dev/null +++ b/queue-6.1/iommu-vt-d-handle-volatile-descriptor-status-read.patch @@ -0,0 +1,56 @@ +From 5bb191bac9730cdd6261cd59645637240b26d81c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 21:08:33 +0800 +Subject: iommu/vt-d: Handle volatile descriptor status read + +From: Jacob Pan + +[ Upstream commit b5e86a95541cea737394a1da967df4cd4d8f7182 ] + +Queued invalidation wait descriptor status is volatile in that IOMMU +hardware writes the data upon completion. + +Use READ_ONCE() to prevent compiler optimizations which ensures memory +reads every time. As a side effect, READ_ONCE() also enforces strict +types and may add an extra instruction. But it should not have negative +performance impact since we use cpu_relax anyway and the extra time(by +adding an instruction) may allow IOMMU HW request cacheline ownership +easier. + +e.g. gcc 12.3 +BEFORE: + 81 38 ad de 00 00 cmpl $0x2,(%rax) + +AFTER (with READ_ONCE()) + 772f: 8b 00 mov (%rax),%eax + 7731: 3d ad de 00 00 cmp $0x2,%eax + //status data is 32 bit + +Signed-off-by: Jacob Pan +Reviewed-by: Kevin Tian +Reviewed-by: Yi Liu +Link: https://lore.kernel.org/r/20240607173817.3914600-1-jacob.jun.pan@linux.intel.com +Signed-off-by: Lu Baolu +Link: https://lore.kernel.org/r/20240702130839.108139-2-baolu.lu@linux.intel.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel/dmar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel/dmar.c b/drivers/iommu/intel/dmar.c +index 4759f79ad7b9..345c161ffb27 100644 +--- a/drivers/iommu/intel/dmar.c ++++ b/drivers/iommu/intel/dmar.c +@@ -1402,7 +1402,7 @@ int qi_submit_sync(struct intel_iommu *iommu, struct qi_desc *desc, + */ + writel(qi->free_head << shift, iommu->reg + DMAR_IQT_REG); + +- while (qi->desc_status[wait_index] != QI_DONE) { ++ while (READ_ONCE(qi->desc_status[wait_index]) != QI_DONE) { + /* + * We will leave the interrupts disabled, to prevent interrupt + * context to queue another cmd while a cmd is already submitted +-- +2.43.0 + diff --git a/queue-6.1/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch b/queue-6.1/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch new file mode 100644 index 00000000000..ef3954f2b2b --- /dev/null +++ b/queue-6.1/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch @@ -0,0 +1,46 @@ +From 59e606106ce8d67a9bf9cce110e651471490ec91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 11:38:28 +0200 +Subject: irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 3cef738208e5c3cb7084e208caf9bbf684f24feb ] + +IRQs 0 (IPI) and 1 (MSI) are handled internally by this driver, +generic_handle_domain_irq() is never called for these IRQs. + +Disallow mapping these IRQs. + +[ Marek: changed commit message ] + +Signed-off-by: Pali Rohár +Signed-off-by: Marek Behún +Signed-off-by: Thomas Gleixner +Reviewed-by: Andrew Lunn +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-armada-370-xp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/irqchip/irq-armada-370-xp.c b/drivers/irqchip/irq-armada-370-xp.c +index ee18eb3e72b7..ab02b44a3b4e 100644 +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -567,6 +567,10 @@ static struct irq_chip armada_370_xp_irq_chip = { + static int armada_370_xp_mpic_irq_map(struct irq_domain *h, + unsigned int virq, irq_hw_number_t hw) + { ++ /* IRQs 0 and 1 cannot be mapped, they are handled internally */ ++ if (hw <= 1) ++ return -EINVAL; ++ + armada_370_xp_irq_mask(irq_get_irq_data(virq)); + if (!is_percpu_irq(hw)) + writel(hw, per_cpu_int_base + +-- +2.43.0 + diff --git a/queue-6.1/irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch b/queue-6.1/irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch new file mode 100644 index 00000000000..b7c7381a005 --- /dev/null +++ b/queue-6.1/irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch @@ -0,0 +1,83 @@ +From 27fabf1b7f8e8f557257513651d8ea38634a1830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jul 2024 10:31:53 +0100 +Subject: irqchip/gic-v4: Always configure affinity on VPE activation + +From: Marc Zyngier + +[ Upstream commit 7d2c2048a86477461f7bc75d064579ed349472bc ] + +There are currently two paths to set the initial affinity of a VPE: + + - at activation time on GICv4 without the stupid VMOVP list, and + on GICv4.1 + + - at map time for GICv4 with VMOVP list + +The latter location may end-up modifying the affinity of VPE that is +currently running, making the results unpredictible. + +Instead, unify the two paths, making sure to set the initial affinity only +at activation time. + +Reported-by: Nianyao Tang +Signed-off-by: Marc Zyngier +Signed-off-by: Thomas Gleixner +Tested-by: Nianyao Tang +Link: https://lore.kernel.org/r/20240705093155.871070-2-maz@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index a7a952bbfdc2..009e0fb43738 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -1800,13 +1800,9 @@ static void its_map_vm(struct its_node *its, struct its_vm *vm) + + for (i = 0; i < vm->nr_vpes; i++) { + struct its_vpe *vpe = vm->vpes[i]; +- struct irq_data *d = irq_get_irq_data(vpe->irq); + +- /* Map the VPE to the first possible CPU */ +- vpe->col_idx = cpumask_first(cpu_online_mask); + its_send_vmapp(its, vpe, true); + its_send_vinvall(its, vpe); +- irq_data_update_effective_affinity(d, cpumask_of(vpe->col_idx)); + } + } + +@@ -4525,6 +4521,10 @@ static int its_vpe_irq_domain_activate(struct irq_domain *domain, + struct its_vpe *vpe = irq_data_get_irq_chip_data(d); + struct its_node *its; + ++ /* Map the VPE to the first possible CPU */ ++ vpe->col_idx = cpumask_first(cpu_online_mask); ++ irq_data_update_effective_affinity(d, cpumask_of(vpe->col_idx)); ++ + /* + * If we use the list map, we issue VMAPP on demand... Unless + * we're on a GICv4.1 and we eagerly map the VPE on all ITSs +@@ -4533,9 +4533,6 @@ static int its_vpe_irq_domain_activate(struct irq_domain *domain, + if (!gic_requires_eager_mapping()) + return 0; + +- /* Map the VPE to the first possible CPU */ +- vpe->col_idx = cpumask_first(cpu_online_mask); +- + list_for_each_entry(its, &its_nodes, entry) { + if (!is_v4(its)) + continue; +@@ -4544,8 +4541,6 @@ static int its_vpe_irq_domain_activate(struct irq_domain *domain, + its_send_vinvall(its, vpe); + } + +- irq_data_update_effective_affinity(d, cpumask_of(vpe->col_idx)); +- + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/irqchip-gic-v4-make-sure-a-vpe-is-locked-when-vmapp-.patch b/queue-6.1/irqchip-gic-v4-make-sure-a-vpe-is-locked-when-vmapp-.patch new file mode 100644 index 00000000000..790ca5acc65 --- /dev/null +++ b/queue-6.1/irqchip-gic-v4-make-sure-a-vpe-is-locked-when-vmapp-.patch @@ -0,0 +1,53 @@ +From 95832f86976b9c6720c01a74fd38f07c03e4c787 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jul 2024 10:31:55 +0100 +Subject: irqchip/gic-v4: Make sure a VPE is locked when VMAPP is issued + +From: Marc Zyngier + +[ Upstream commit a84a07fa3100d7ad46a3d6882af25a3df9c9e7e3 ] + +In order to make sure that vpe->col_idx is correctly sampled when a VMAPP +command is issued, the vpe_lock must be held for the VPE. This is now +possible since the introduction of the per-VM vmapp_lock, which can be +taken before vpe_lock in the correct locking order. + +Signed-off-by: Marc Zyngier +Signed-off-by: Thomas Gleixner +Tested-by: Nianyao Tang +Link: https://lore.kernel.org/r/20240705093155.871070-4-maz@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 009e0fb43738..81c91035687a 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -1801,7 +1801,9 @@ static void its_map_vm(struct its_node *its, struct its_vm *vm) + for (i = 0; i < vm->nr_vpes; i++) { + struct its_vpe *vpe = vm->vpes[i]; + +- its_send_vmapp(its, vpe, true); ++ scoped_guard(raw_spinlock, &vpe->vpe_lock) ++ its_send_vmapp(its, vpe, true); ++ + its_send_vinvall(its, vpe); + } + } +@@ -1822,8 +1824,10 @@ static void its_unmap_vm(struct its_node *its, struct its_vm *vm) + if (!--vm->vlpi_count[its->list_nr]) { + int i; + +- for (i = 0; i < vm->nr_vpes; i++) ++ for (i = 0; i < vm->nr_vpes; i++) { ++ guard(raw_spinlock)(&vm->vpes[i]->vpe_lock); + its_send_vmapp(its, vm->vpes[i], false); ++ } + } + + raw_spin_unlock_irqrestore(&vmovp_lock, flags); +-- +2.43.0 + diff --git a/queue-6.1/kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch b/queue-6.1/kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch new file mode 100644 index 00000000000..43840580f87 --- /dev/null +++ b/queue-6.1/kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch @@ -0,0 +1,55 @@ +From 06c4c83e9be6a9350223deb194d4a5411311e96c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 10:46:04 +0800 +Subject: kselftests: dmabuf-heaps: Ensure the driver name is null-terminated + +From: Zenghui Yu + +[ Upstream commit 291e4baf70019f17a81b7b47aeb186b27d222159 ] + +Even if a vgem device is configured in, we will skip the import_vgem_fd() +test almost every time. + + TAP version 13 + 1..11 + # Testing heap: system + # ======================================= + # Testing allocation and importing: + ok 1 # SKIP Could not open vgem -1 + +The problem is that we use the DRM_IOCTL_VERSION ioctl to query the driver +version information but leave the name field a non-null-terminated string. +Terminate it properly to actually test against the vgem device. + +While at it, let's check the length of the driver name is exactly 4 bytes +and return early otherwise (in case there is a name like "vgemfoo" that +gets converted to "vgem\0" unexpectedly). + +Signed-off-by: Zenghui Yu +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20240729024604.2046-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c b/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c +index 890a8236a8ba..2809f9a25c43 100644 +--- a/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c ++++ b/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c +@@ -28,9 +28,11 @@ static int check_vgem(int fd) + version.name = name; + + ret = ioctl(fd, DRM_IOCTL_VERSION, &version); +- if (ret) ++ if (ret || version.name_len != 4) + return 0; + ++ name[4] = '\0'; ++ + return !strcmp(name, "vgem"); + } + +-- +2.43.0 + diff --git a/queue-6.1/leds-spi-byte-call-of_node_put-on-error-path.patch b/queue-6.1/leds-spi-byte-call-of_node_put-on-error-path.patch new file mode 100644 index 00000000000..808fdfac95b --- /dev/null +++ b/queue-6.1/leds-spi-byte-call-of_node_put-on-error-path.patch @@ -0,0 +1,61 @@ +From 56d9aab7f3592a4942a0d99a72ed7c63343778ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 20:29:18 +0300 +Subject: leds: spi-byte: Call of_node_put() on error path + +From: Andy Shevchenko + +[ Upstream commit 7f9ab862e05c5bc755f65bf6db7edcffb3b49dfc ] + +Add a missing call to of_node_put(np) on error. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240606173037.3091598-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-spi-byte.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/leds-spi-byte.c b/drivers/leds/leds-spi-byte.c +index 2bc5c99daf51..6883d3ba382f 100644 +--- a/drivers/leds/leds-spi-byte.c ++++ b/drivers/leds/leds-spi-byte.c +@@ -91,7 +91,6 @@ static int spi_byte_probe(struct spi_device *spi) + dev_err(dev, "Device must have exactly one LED sub-node."); + return -EINVAL; + } +- child = of_get_next_available_child(dev_of_node(dev), NULL); + + led = devm_kzalloc(dev, sizeof(*led), GFP_KERNEL); + if (!led) +@@ -107,11 +106,13 @@ static int spi_byte_probe(struct spi_device *spi) + led->ldev.max_brightness = led->cdef->max_value - led->cdef->off_value; + led->ldev.brightness_set_blocking = spi_byte_brightness_set_blocking; + ++ child = of_get_next_available_child(dev_of_node(dev), NULL); + state = of_get_property(child, "default-state", NULL); + if (state) { + if (!strcmp(state, "on")) { + led->ldev.brightness = led->ldev.max_brightness; + } else if (strcmp(state, "off")) { ++ of_node_put(child); + /* all other cases except "off" */ + dev_err(dev, "default-state can only be 'on' or 'off'"); + return -EINVAL; +@@ -122,9 +123,12 @@ static int spi_byte_probe(struct spi_device *spi) + + ret = devm_led_classdev_register(&spi->dev, &led->ldev); + if (ret) { ++ of_node_put(child); + mutex_destroy(&led->mutex); + return ret; + } ++ ++ of_node_put(child); + spi_set_drvdata(spi, led); + + return 0; +-- +2.43.0 + diff --git a/queue-6.1/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch b/queue-6.1/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch new file mode 100644 index 00000000000..0556abe6624 --- /dev/null +++ b/queue-6.1/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch @@ -0,0 +1,39 @@ +From ed69d2a8a7439d143830fc8f73523537302efce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Aug 2024 21:04:35 -0400 +Subject: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() + +From: Kent Overstreet + +[ Upstream commit b2f11c6f3e1fc60742673b8675c95b78447f3dae ] + +If we need to increase the tree depth, allocate a new node, and then +race with another thread that increased the tree depth before us, we'll +still have a preallocated node that might be used later. + +If we then use that node for a new non-root node, it'll still have a +pointer to the old root instead of being zeroed - fix this by zeroing it +in the cmpxchg failure path. + +Signed-off-by: Kent Overstreet +Signed-off-by: Sasha Levin +--- + lib/generic-radix-tree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c +index 7dfa88282b00..78f081d695d0 100644 +--- a/lib/generic-radix-tree.c ++++ b/lib/generic-radix-tree.c +@@ -131,6 +131,8 @@ void *__genradix_ptr_alloc(struct __genradix *radix, size_t offset, + if ((v = cmpxchg_release(&radix->root, r, new_root)) == r) { + v = new_root; + new_node = NULL; ++ } else { ++ new_node->children[0] = NULL; + } + } + +-- +2.43.0 + diff --git a/queue-6.1/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch b/queue-6.1/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch new file mode 100644 index 00000000000..38d0edbf0a0 --- /dev/null +++ b/queue-6.1/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch @@ -0,0 +1,59 @@ +From d45284cb7f57edc8983f38968dfc1459f3405743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 10:34:36 +0200 +Subject: libbpf: Add NULL checks to bpf_object__{prev_map,next_map} + +From: Andreas Ziegler + +[ Upstream commit cedc12c5b57f7efa6dbebfb2b140e8675f5a2616 ] + +In the current state, an erroneous call to +bpf_object__find_map_by_name(NULL, ...) leads to a segmentation +fault through the following call chain: + + bpf_object__find_map_by_name(obj = NULL, ...) + -> bpf_object__for_each_map(pos, obj = NULL) + -> bpf_object__next_map((obj = NULL), NULL) + -> return (obj = NULL)->maps + +While calling bpf_object__find_map_by_name with obj = NULL is +obviously incorrect, this should not lead to a segmentation +fault but rather be handled gracefully. + +As __bpf_map__iter already handles this situation correctly, we +can delegate the check for the regular case there and only add +a check in case the prev or next parameter is NULL. + +Signed-off-by: Andreas Ziegler +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20240703083436.505124-1-ziegler.andreas@siemens.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index bb27dfd6b97a..878f05a42421 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -9364,7 +9364,7 @@ __bpf_map__iter(const struct bpf_map *m, const struct bpf_object *obj, int i) + struct bpf_map * + bpf_object__next_map(const struct bpf_object *obj, const struct bpf_map *prev) + { +- if (prev == NULL) ++ if (prev == NULL && obj != NULL) + return obj->maps; + + return __bpf_map__iter(prev, obj, 1); +@@ -9373,7 +9373,7 @@ bpf_object__next_map(const struct bpf_object *obj, const struct bpf_map *prev) + struct bpf_map * + bpf_object__prev_map(const struct bpf_object *obj, const struct bpf_map *next) + { +- if (next == NULL) { ++ if (next == NULL && obj != NULL) { + if (!obj->nr_maps) + return NULL; + return obj->maps + obj->nr_maps - 1; +-- +2.43.0 + diff --git a/queue-6.1/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch b/queue-6.1/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch new file mode 100644 index 00000000000..84934cca086 --- /dev/null +++ b/queue-6.1/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch @@ -0,0 +1,39 @@ +From 8e3ecd057f6b9a1612195dd66c0b4509c270f28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jun 2024 09:35:22 +0800 +Subject: media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse + +From: Chen Ni + +[ Upstream commit 4caf6d93d9f2c11d6441c64e1c549c445fa322ed ] + +Add check for the return value of v4l2_fwnode_endpoint_parse() and +return the error if it fails in order to catch the error. + +Signed-off-by: Chen Ni +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c +index a30461de3e84..d173ac80e01c 100644 +--- a/drivers/media/platform/qcom/camss/camss.c ++++ b/drivers/media/platform/qcom/camss/camss.c +@@ -1038,8 +1038,11 @@ static int camss_of_parse_endpoint_node(struct device *dev, + struct v4l2_mbus_config_mipi_csi2 *mipi_csi2; + struct v4l2_fwnode_endpoint vep = { { 0 } }; + unsigned int i; ++ int ret; + +- v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep); ++ ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep); ++ if (ret) ++ return ret; + + csd->interface.csiphy_id = vep.base.port; + +-- +2.43.0 + diff --git a/queue-6.1/media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch b/queue-6.1/media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch new file mode 100644 index 00000000000..9955d931a7b --- /dev/null +++ b/queue-6.1/media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch @@ -0,0 +1,56 @@ +From fd714c7829c108771b22ea94c14f2dd7a8d1148c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jun 2024 12:52:59 +0300 +Subject: media: vivid: don't set HDMI TX controls if there are no HDMI outputs + +From: Hans Verkuil + +[ Upstream commit 17763960b1784578e8fe915304b330922f646209 ] + +When setting the EDID it would attempt to update two controls +that are only present if there is an HDMI output configured. + +If there isn't any (e.g. when the vivid module is loaded with +node_types=1), then calling VIDIOC_S_EDID would crash. + +Fix this by first checking if outputs are present. + +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/test-drivers/vivid/vivid-vid-cap.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +index bff95cb57718..3864df45077d 100644 +--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +@@ -1810,8 +1810,10 @@ int vidioc_s_edid(struct file *file, void *_fh, + return -EINVAL; + if (edid->blocks == 0) { + dev->edid_blocks = 0; +- v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, 0); +- v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, 0); ++ if (dev->num_outputs) { ++ v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, 0); ++ v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, 0); ++ } + phys_addr = CEC_PHYS_ADDR_INVALID; + goto set_phys_addr; + } +@@ -1835,8 +1837,10 @@ int vidioc_s_edid(struct file *file, void *_fh, + display_present |= + dev->display_present[i] << j++; + +- v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, display_present); +- v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, display_present); ++ if (dev->num_outputs) { ++ v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, display_present); ++ v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, display_present); ++ } + + set_phys_addr: + /* TODO: a proper hotplug detect cycle should be emulated here */ +-- +2.43.0 + diff --git a/queue-6.1/media-vivid-fix-wrong-sizeimage-value-for-mplane.patch b/queue-6.1/media-vivid-fix-wrong-sizeimage-value-for-mplane.patch new file mode 100644 index 00000000000..183a4777445 --- /dev/null +++ b/queue-6.1/media-vivid-fix-wrong-sizeimage-value-for-mplane.patch @@ -0,0 +1,87 @@ +From b834ac2dc7abcdf97980860cef5537f60c435b66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 12:59:13 +0200 +Subject: media: vivid: fix wrong sizeimage value for mplane + +From: Hans Verkuil + +[ Upstream commit 0fd7c0c2c156270dceb8c15fad3120cdce03e539 ] + +In several places a division by fmt->vdownsampling[p] was +missing in the sizeimage[p] calculation, causing incorrect +behavior for multiplanar formats were some planes are smaller +than the first plane. + +Found by new v4l2-compliance tests. + +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/test-drivers/vivid/vivid-vid-cap.c | 5 +++-- + drivers/media/test-drivers/vivid/vivid-vid-out.c | 16 +++++++++------- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +index c0999581c599..bff95cb57718 100644 +--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +@@ -113,8 +113,9 @@ static int vid_cap_queue_setup(struct vb2_queue *vq, + if (*nplanes != buffers) + return -EINVAL; + for (p = 0; p < buffers; p++) { +- if (sizes[p] < tpg_g_line_width(&dev->tpg, p) * h + +- dev->fmt_cap->data_offset[p]) ++ if (sizes[p] < tpg_g_line_width(&dev->tpg, p) * h / ++ dev->fmt_cap->vdownsampling[p] + ++ dev->fmt_cap->data_offset[p]) + return -EINVAL; + } + } else { +diff --git a/drivers/media/test-drivers/vivid/vivid-vid-out.c b/drivers/media/test-drivers/vivid/vivid-vid-out.c +index 9f731f085179..e96d3d014143 100644 +--- a/drivers/media/test-drivers/vivid/vivid-vid-out.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-out.c +@@ -63,14 +63,16 @@ static int vid_out_queue_setup(struct vb2_queue *vq, + if (sizes[0] < size) + return -EINVAL; + for (p = 1; p < planes; p++) { +- if (sizes[p] < dev->bytesperline_out[p] * h + +- vfmt->data_offset[p]) ++ if (sizes[p] < dev->bytesperline_out[p] * h / ++ vfmt->vdownsampling[p] + ++ vfmt->data_offset[p]) + return -EINVAL; + } + } else { + for (p = 0; p < planes; p++) +- sizes[p] = p ? dev->bytesperline_out[p] * h + +- vfmt->data_offset[p] : size; ++ sizes[p] = p ? dev->bytesperline_out[p] * h / ++ vfmt->vdownsampling[p] + ++ vfmt->data_offset[p] : size; + } + + if (vq->num_buffers + *nbuffers < 2) +@@ -127,7 +129,7 @@ static int vid_out_buf_prepare(struct vb2_buffer *vb) + + for (p = 0; p < planes; p++) { + if (p) +- size = dev->bytesperline_out[p] * h; ++ size = dev->bytesperline_out[p] * h / vfmt->vdownsampling[p]; + size += vb->planes[p].data_offset; + + if (vb2_get_plane_payload(vb, p) < size) { +@@ -334,8 +336,8 @@ int vivid_g_fmt_vid_out(struct file *file, void *priv, + for (p = 0; p < mp->num_planes; p++) { + mp->plane_fmt[p].bytesperline = dev->bytesperline_out[p]; + mp->plane_fmt[p].sizeimage = +- mp->plane_fmt[p].bytesperline * mp->height + +- fmt->data_offset[p]; ++ mp->plane_fmt[p].bytesperline * mp->height / ++ fmt->vdownsampling[p] + fmt->data_offset[p]; + } + for (p = fmt->buffers; p < fmt->planes; p++) { + unsigned stride = dev->bytesperline_out[p]; +-- +2.43.0 + diff --git a/queue-6.1/mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch b/queue-6.1/mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch new file mode 100644 index 00000000000..103c1ea9bb1 --- /dev/null +++ b/queue-6.1/mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch @@ -0,0 +1,78 @@ +From 4ed596a366e5035dfc9b9035ff9486ffd745fa3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Aug 2024 10:59:08 +0100 +Subject: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is + installed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiaxun Yang + +[ Upstream commit 50f2b98dc83de7809a5c5bf0ccf9af2e75c37c13 ] + +This avoids warning: + +[ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 + +Caused by get_c0_compare_int on secondary CPU. + +We also skipped saving IRQ number to struct clock_event_device *cd as +it's never used by clockevent core, as per comments it's only meant +for "non CPU local devices". + +Reported-by: Serge Semin +Closes: https://lore.kernel.org/linux-mips/6szkkqxpsw26zajwysdrwplpjvhl5abpnmxgu2xuj3dkzjnvsf@4daqrz4mf44k/ +Signed-off-by: Jiaxun Yang +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Serge Semin +Tested-by: Serge Semin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/cevt-r4k.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/arch/mips/kernel/cevt-r4k.c b/arch/mips/kernel/cevt-r4k.c +index 32ec67c9ab67..77028aa8c107 100644 +--- a/arch/mips/kernel/cevt-r4k.c ++++ b/arch/mips/kernel/cevt-r4k.c +@@ -303,13 +303,6 @@ int r4k_clockevent_init(void) + if (!c0_compare_int_usable()) + return -ENXIO; + +- /* +- * With vectored interrupts things are getting platform specific. +- * get_c0_compare_int is a hook to allow a platform to return the +- * interrupt number of its liking. +- */ +- irq = get_c0_compare_int(); +- + cd = &per_cpu(mips_clockevent_device, cpu); + + cd->name = "MIPS"; +@@ -320,7 +313,6 @@ int r4k_clockevent_init(void) + min_delta = calculate_min_delta(); + + cd->rating = 300; +- cd->irq = irq; + cd->cpumask = cpumask_of(cpu); + cd->set_next_event = mips_next_event; + cd->event_handler = mips_event_handler; +@@ -332,6 +324,13 @@ int r4k_clockevent_init(void) + + cp0_timer_irq_installed = 1; + ++ /* ++ * With vectored interrupts things are getting platform specific. ++ * get_c0_compare_int is a hook to allow a platform to return the ++ * interrupt number of its liking. ++ */ ++ irq = get_c0_compare_int(); ++ + if (request_irq(irq, c0_compare_interrupt, flags, "timer", + c0_compare_interrupt)) + pr_err("Failed to request irq %d (timer)\n", irq); +-- +2.43.0 + diff --git a/queue-6.1/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch b/queue-6.1/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch new file mode 100644 index 00000000000..f6822fe34ad --- /dev/null +++ b/queue-6.1/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch @@ -0,0 +1,58 @@ +From 394b029fd9d3153a543c40e3b345e3c9ea5c2307 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 10:19:57 +0200 +Subject: net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN + +From: Jonas Gorski + +[ Upstream commit bee2ef946d3184e99077be526567d791c473036f ] + +When userspace wants to take over a fdb entry by setting it as +EXTERN_LEARNED, we set both flags BR_FDB_ADDED_BY_EXT_LEARN and +BR_FDB_ADDED_BY_USER in br_fdb_external_learn_add(). + +If the bridge updates the entry later because its port changed, we clear +the BR_FDB_ADDED_BY_EXT_LEARN flag, but leave the BR_FDB_ADDED_BY_USER +flag set. + +If userspace then wants to take over the entry again, +br_fdb_external_learn_add() sees that BR_FDB_ADDED_BY_USER and skips +setting the BR_FDB_ADDED_BY_EXT_LEARN flags, thus silently ignores the +update. + +Fix this by always allowing to set BR_FDB_ADDED_BY_EXT_LEARN regardless +if this was a user fdb entry or not. + +Fixes: 710ae7287737 ("net: bridge: Mark FDB entries that were added by user as such") +Signed-off-by: Jonas Gorski +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20240903081958.29951-1-jonas.gorski@bisdn.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index e7f4fccb6adb..882b6a67e11f 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -1388,12 +1388,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + modified = true; + } + +- if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) { ++ if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) { + /* Refresh entry */ + fdb->used = jiffies; +- } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) { +- /* Take over SW learned entry */ +- set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags); ++ } else { + modified = true; + } + +-- +2.43.0 + diff --git a/queue-6.1/net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch b/queue-6.1/net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch new file mode 100644 index 00000000000..cd51f2dce45 --- /dev/null +++ b/queue-6.1/net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch @@ -0,0 +1,132 @@ +From 33a519e479b1edfc537ac4e6029b5a86ab6742e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jul 2024 01:53:32 +0300 +Subject: net: dpaa: avoid on-stack arrays of NR_CPUS elements + +From: Vladimir Oltean + +[ Upstream commit 555a05d84ca2c587e2d4777006e2c2fb3dfbd91d ] + +The dpaa-eth driver is written for PowerPC and Arm SoCs which have 1-24 +CPUs. It depends on CONFIG_NR_CPUS having a reasonably small value in +Kconfig. Otherwise, there are 2 functions which allocate on-stack arrays +of NR_CPUS elements, and these can quickly explode in size, leading to +warnings such as: + + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:3280:12: warning: + stack frame size (16664) exceeds limit (2048) in 'dpaa_eth_probe' [-Wframe-larger-than] + +The problem is twofold: +- Reducing the array size to the boot-time num_possible_cpus() (rather + than the compile-time NR_CPUS) creates a variable-length array, + which should be avoided in the Linux kernel. +- Using NR_CPUS as an array size makes the driver blow up in stack + consumption with generic, as opposed to hand-crafted, .config files. + +A simple solution is to use dynamic allocation for num_possible_cpus() +elements (aka a small number determined at runtime). + +Link: https://lore.kernel.org/all/202406261920.l5pzM1rj-lkp@intel.com/ +Signed-off-by: Vladimir Oltean +Reviewed-by: Breno Leitao +Acked-by: Madalin Bucur +Link: https://patch.msgid.link/20240713225336.1746343-2-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/freescale/dpaa/dpaa_eth.c | 20 ++++++++++++++----- + .../ethernet/freescale/dpaa/dpaa_ethtool.c | 10 +++++++++- + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +index 981cc3248047..19506f2be4d4 100644 +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -916,14 +916,18 @@ static inline void dpaa_setup_egress(const struct dpaa_priv *priv, + } + } + +-static void dpaa_fq_setup(struct dpaa_priv *priv, +- const struct dpaa_fq_cbs *fq_cbs, +- struct fman_port *tx_port) ++static int dpaa_fq_setup(struct dpaa_priv *priv, ++ const struct dpaa_fq_cbs *fq_cbs, ++ struct fman_port *tx_port) + { + int egress_cnt = 0, conf_cnt = 0, num_portals = 0, portal_cnt = 0, cpu; + const cpumask_t *affine_cpus = qman_affine_cpus(); +- u16 channels[NR_CPUS]; + struct dpaa_fq *fq; ++ u16 *channels; ++ ++ channels = kcalloc(num_possible_cpus(), sizeof(u16), GFP_KERNEL); ++ if (!channels) ++ return -ENOMEM; + + for_each_cpu_and(cpu, affine_cpus, cpu_online_mask) + channels[num_portals++] = qman_affine_channel(cpu); +@@ -982,6 +986,10 @@ static void dpaa_fq_setup(struct dpaa_priv *priv, + break; + } + } ++ ++ kfree(channels); ++ ++ return 0; + } + + static inline int dpaa_tx_fq_to_id(const struct dpaa_priv *priv, +@@ -3454,7 +3462,9 @@ static int dpaa_eth_probe(struct platform_device *pdev) + */ + dpaa_eth_add_channel(priv->channel, &pdev->dev); + +- dpaa_fq_setup(priv, &dpaa_fq_cbs, priv->mac_dev->port[TX]); ++ err = dpaa_fq_setup(priv, &dpaa_fq_cbs, priv->mac_dev->port[TX]); ++ if (err) ++ goto free_dpaa_bps; + + /* Create a congestion group for this netdev, with + * dynamically-allocated CGR ID. +diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +index 769e936a263c..fcb0cba4611e 100644 +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +@@ -515,12 +515,16 @@ static int dpaa_set_coalesce(struct net_device *dev, + struct netlink_ext_ack *extack) + { + const cpumask_t *cpus = qman_affine_cpus(); +- bool needs_revert[NR_CPUS] = {false}; + struct qman_portal *portal; + u32 period, prev_period; + u8 thresh, prev_thresh; ++ bool *needs_revert; + int cpu, res; + ++ needs_revert = kcalloc(num_possible_cpus(), sizeof(bool), GFP_KERNEL); ++ if (!needs_revert) ++ return -ENOMEM; ++ + period = c->rx_coalesce_usecs; + thresh = c->rx_max_coalesced_frames; + +@@ -543,6 +547,8 @@ static int dpaa_set_coalesce(struct net_device *dev, + needs_revert[cpu] = true; + } + ++ kfree(needs_revert); ++ + return 0; + + revert_values: +@@ -556,6 +562,8 @@ static int dpaa_set_coalesce(struct net_device *dev, + qman_dqrr_set_ithresh(portal, prev_thresh); + } + ++ kfree(needs_revert); ++ + return res; + } + +-- +2.43.0 + diff --git a/queue-6.1/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch b/queue-6.1/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch new file mode 100644 index 00000000000..b61adda75d7 --- /dev/null +++ b/queue-6.1/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch @@ -0,0 +1,62 @@ +From 034f3056a604a227079b6da0b43e5e3c45aa2def Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 22:33:41 +0200 +Subject: net: dsa: vsc73xx: fix possible subblocks range of CAPT block + +From: Pawel Dembicki + +[ Upstream commit 8e69c96df771ab469cec278edb47009351de4da6 ] + +CAPT block (CPU Capture Buffer) have 7 sublocks: 0-3, 4, 6, 7. +Function 'vsc73xx_is_addr_valid' allows to use only block 0 at this +moment. + +This patch fix it. + +Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver") +Signed-off-by: Pawel Dembicki +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20240903203340.1518789-1-paweldembicki@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/vitesse-vsc73xx-core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c +index c8e9ca5d5c28..de444d201e0f 100644 +--- a/drivers/net/dsa/vitesse-vsc73xx-core.c ++++ b/drivers/net/dsa/vitesse-vsc73xx-core.c +@@ -35,7 +35,7 @@ + #define VSC73XX_BLOCK_ANALYZER 0x2 /* Only subblock 0 */ + #define VSC73XX_BLOCK_MII 0x3 /* Subblocks 0 and 1 */ + #define VSC73XX_BLOCK_MEMINIT 0x3 /* Only subblock 2 */ +-#define VSC73XX_BLOCK_CAPTURE 0x4 /* Only subblock 2 */ ++#define VSC73XX_BLOCK_CAPTURE 0x4 /* Subblocks 0-4, 6, 7 */ + #define VSC73XX_BLOCK_ARBITER 0x5 /* Only subblock 0 */ + #define VSC73XX_BLOCK_SYSTEM 0x7 /* Only subblock 0 */ + +@@ -371,13 +371,19 @@ int vsc73xx_is_addr_valid(u8 block, u8 subblock) + break; + + case VSC73XX_BLOCK_MII: +- case VSC73XX_BLOCK_CAPTURE: + case VSC73XX_BLOCK_ARBITER: + switch (subblock) { + case 0 ... 1: + return 1; + } + break; ++ case VSC73XX_BLOCK_CAPTURE: ++ switch (subblock) { ++ case 0 ... 4: ++ case 6 ... 7: ++ return 1; ++ } ++ break; + } + + return 0; +-- +2.43.0 + diff --git a/queue-6.1/netfilter-nf_conncount-fix-wrong-variable-type.patch b/queue-6.1/netfilter-nf_conncount-fix-wrong-variable-type.patch new file mode 100644 index 00000000000..e6ec378e57c --- /dev/null +++ b/queue-6.1/netfilter-nf_conncount-fix-wrong-variable-type.patch @@ -0,0 +1,70 @@ +From 8eeb072d2f2177477bc0510f373a93a169af9a3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 11:48:47 +0800 +Subject: netfilter: nf_conncount: fix wrong variable type + +From: Yunjian Wang + +[ Upstream commit 0b88d1654d556264bcd24a9cb6383f0888e30131 ] + +Now there is a issue is that code checks reports a warning: implicit +narrowing conversion from type 'unsigned int' to small type 'u8' (the +'keylen' variable). Fix it by removing the 'keylen' variable. + +Signed-off-by: Yunjian Wang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index 5d8ed6c90b7e..5885810da412 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -321,7 +321,6 @@ insert_tree(struct net *net, + struct nf_conncount_rb *rbconn; + struct nf_conncount_tuple *conn; + unsigned int count = 0, gc_count = 0; +- u8 keylen = data->keylen; + bool do_gc = true; + + spin_lock_bh(&nf_conncount_locks[hash]); +@@ -333,7 +332,7 @@ insert_tree(struct net *net, + rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node); + + parent = *rbnode; +- diff = key_diff(key, rbconn->key, keylen); ++ diff = key_diff(key, rbconn->key, data->keylen); + if (diff < 0) { + rbnode = &((*rbnode)->rb_left); + } else if (diff > 0) { +@@ -378,7 +377,7 @@ insert_tree(struct net *net, + + conn->tuple = *tuple; + conn->zone = *zone; +- memcpy(rbconn->key, key, sizeof(u32) * keylen); ++ memcpy(rbconn->key, key, sizeof(u32) * data->keylen); + + nf_conncount_list_init(&rbconn->list); + list_add(&conn->node, &rbconn->list.head); +@@ -403,7 +402,6 @@ count_tree(struct net *net, + struct rb_node *parent; + struct nf_conncount_rb *rbconn; + unsigned int hash; +- u8 keylen = data->keylen; + + hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS; + root = &data->root[hash]; +@@ -414,7 +412,7 @@ count_tree(struct net *net, + + rbconn = rb_entry(parent, struct nf_conncount_rb, node); + +- diff = key_diff(key, rbconn->key, keylen); ++ diff = key_diff(key, rbconn->key, data->keylen); + if (diff < 0) { + parent = rcu_dereference_raw(parent->rb_left); + } else if (diff > 0) { +-- +2.43.0 + diff --git a/queue-6.1/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch b/queue-6.1/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch new file mode 100644 index 00000000000..b10e16d3fba --- /dev/null +++ b/queue-6.1/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch @@ -0,0 +1,44 @@ +From 680da057df4539f18b0707ccfd502b4a6cfdb1e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 14:05:00 -0400 +Subject: NFSv4: Add missing rescheduling points in + nfs_client_return_marked_delegations + +From: Trond Myklebust + +[ Upstream commit a017ad1313fc91bdf235097fd0a02f673fc7bb11 ] + +We're seeing reports of soft lockups when iterating through the loops, +so let's add rescheduling points. + +Signed-off-by: Trond Myklebust +Reviewed-by: Jeff Layton +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 05ae23657527..f7b4df29ac5f 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -47,6 +47,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -219,6 +220,7 @@ static int __nfs_list_for_each_server(struct list_head *head, + ret = fn(server, data); + if (ret) + goto out; ++ cond_resched(); + rcu_read_lock(); + } + rcu_read_unlock(); +-- +2.43.0 + diff --git a/queue-6.1/of-irq-prevent-device-address-out-of-bounds-read-in-.patch b/queue-6.1/of-irq-prevent-device-address-out-of-bounds-read-in-.patch new file mode 100644 index 00000000000..e267763754b --- /dev/null +++ b/queue-6.1/of-irq-prevent-device-address-out-of-bounds-read-in-.patch @@ -0,0 +1,131 @@ +From e887c17f1b5c10a776c8274c9b7f706854cc978e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 12:06:51 +0200 +Subject: of/irq: Prevent device address out-of-bounds read in interrupt map + walk + +From: Stefan Wiehler + +[ Upstream commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 ] + +When of_irq_parse_raw() is invoked with a device address smaller than +the interrupt parent node (from #address-cells property), KASAN detects +the following out-of-bounds read when populating the initial match table +(dyndbg="func of_irq_parse_* +p"): + + OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 + OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 + OF: intspec=4 + OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 + OF: -> addrsize=3 + ================================================================== + BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 + Read of size 4 at addr ffffff81beca5608 by task bash/764 + + CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 + Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 + Call trace: + dump_backtrace+0xdc/0x130 + show_stack+0x1c/0x30 + dump_stack_lvl+0x6c/0x84 + print_report+0x150/0x448 + kasan_report+0x98/0x140 + __asan_load4+0x78/0xa0 + of_irq_parse_raw+0x2b8/0x8d0 + of_irq_parse_one+0x24c/0x270 + parse_interrupts+0xc0/0x120 + of_fwnode_add_links+0x100/0x2d0 + fw_devlink_parse_fwtree+0x64/0xc0 + device_add+0xb38/0xc30 + of_device_add+0x64/0x90 + of_platform_device_create_pdata+0xd0/0x170 + of_platform_bus_create+0x244/0x600 + of_platform_notify+0x1b0/0x254 + blocking_notifier_call_chain+0x9c/0xd0 + __of_changeset_entry_notify+0x1b8/0x230 + __of_changeset_apply_notify+0x54/0xe4 + of_overlay_fdt_apply+0xc04/0xd94 + ... + + The buggy address belongs to the object at ffffff81beca5600 + which belongs to the cache kmalloc-128 of size 128 + The buggy address is located 8 bytes inside of + 128-byte region [ffffff81beca5600, ffffff81beca5680) + + The buggy address belongs to the physical page: + page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 + head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 + flags: 0x8000000000010200(slab|head|zone=2) + raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 + raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc + ================================================================== + OF: -> got it ! + +Prevent the out-of-bounds read by copying the device address into a +buffer of sufficient size. + +Signed-off-by: Stefan Wiehler +Link: https://lore.kernel.org/r/20240812100652.3800963-1-stefan.wiehler@nokia.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/irq.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/of/irq.c b/drivers/of/irq.c +index 88c24d88c4b9..a8e306606c4b 100644 +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -344,7 +344,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + struct device_node *p; + const __be32 *addr; + u32 intsize; +- int i, res; ++ int i, res, addr_len; ++ __be32 addr_buf[3] = { 0 }; + + pr_debug("of_irq_parse_one: dev=%pOF, index=%d\n", device, index); + +@@ -353,13 +354,19 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + return of_irq_parse_oldworld(device, index, out_irq); + + /* Get the reg property (if any) */ +- addr = of_get_property(device, "reg", NULL); ++ addr = of_get_property(device, "reg", &addr_len); ++ ++ /* Prevent out-of-bounds read in case of longer interrupt parent address size */ ++ if (addr_len > (3 * sizeof(__be32))) ++ addr_len = 3 * sizeof(__be32); ++ if (addr) ++ memcpy(addr_buf, addr, addr_len); + + /* Try the new-style interrupts-extended first */ + res = of_parse_phandle_with_args(device, "interrupts-extended", + "#interrupt-cells", index, out_irq); + if (!res) +- return of_irq_parse_raw(addr, out_irq); ++ return of_irq_parse_raw(addr_buf, out_irq); + + /* Look for the interrupt parent. */ + p = of_irq_find_parent(device); +@@ -389,7 +396,7 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar + + + /* Check if there are any interrupt-map translations to process */ +- res = of_irq_parse_raw(addr, out_irq); ++ res = of_irq_parse_raw(addr_buf, out_irq); + out: + of_node_put(p); + return res; +-- +2.43.0 + diff --git a/queue-6.1/pci-add-missing-bridge-lock-to-pci_bus_lock.patch b/queue-6.1/pci-add-missing-bridge-lock-to-pci_bus_lock.patch new file mode 100644 index 00000000000..1d8bc546889 --- /dev/null +++ b/queue-6.1/pci-add-missing-bridge-lock-to-pci_bus_lock.patch @@ -0,0 +1,163 @@ +From e938a5ec717484aaf1d6a084b34e38f297164ab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 18:04:35 -0700 +Subject: PCI: Add missing bridge lock to pci_bus_lock() + +From: Dan Williams + +[ Upstream commit a4e772898f8bf2e7e1cf661a12c60a5612c4afab ] + +One of the true positives that the cfg_access_lock lockdep effort +identified is this sequence: + + WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 + RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 + Call Trace: + + ? __warn+0x8c/0x190 + ? pci_bridge_secondary_bus_reset+0x5d/0x70 + ? report_bug+0x1f8/0x200 + ? handle_bug+0x3c/0x70 + ? exc_invalid_op+0x18/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? pci_bridge_secondary_bus_reset+0x5d/0x70 + pci_reset_bus+0x1d8/0x270 + vmd_probe+0x778/0xa10 + pci_device_probe+0x95/0x120 + +Where pci_reset_bus() users are triggering unlocked secondary bus resets. +Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses +pci_bus_lock() before issuing the reset which locks everything *but* the +bridge itself. + +For the same motivation as adding: + + bridge = pci_upstream_bridge(dev); + if (bridge) + pci_dev_lock(bridge); + +to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add +pci_dev_lock() for @bus->self to pci_bus_lock(). + +Link: https://lore.kernel.org/r/171711747501.1628941.15217746952476635316.stgit@dwillia2-xfh.jf.intel.com +Reported-by: Imre Deak +Closes: http://lore.kernel.org/r/6657833b3b5ae_14984b29437@dwillia2-xfh.jf.intel.com.notmuch +Signed-off-by: Dan Williams +Signed-off-by: Keith Busch +[bhelgaas: squash in recursive locking deadlock fix from Keith Busch: +https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com] +Signed-off-by: Bjorn Helgaas +Tested-by: Hans de Goede +Tested-by: Kalle Valo +Reviewed-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 2d373ab3ccb3..f7592348ebee 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5584,10 +5584,12 @@ static void pci_bus_lock(struct pci_bus *bus) + { + struct pci_dev *dev; + ++ pci_dev_lock(bus->self); + list_for_each_entry(dev, &bus->devices, bus_list) { +- pci_dev_lock(dev); + if (dev->subordinate) + pci_bus_lock(dev->subordinate); ++ else ++ pci_dev_lock(dev); + } + } + +@@ -5599,8 +5601,10 @@ static void pci_bus_unlock(struct pci_bus *bus) + list_for_each_entry(dev, &bus->devices, bus_list) { + if (dev->subordinate) + pci_bus_unlock(dev->subordinate); +- pci_dev_unlock(dev); ++ else ++ pci_dev_unlock(dev); + } ++ pci_dev_unlock(bus->self); + } + + /* Return 1 on successful lock, 0 on contention */ +@@ -5608,15 +5612,15 @@ static int pci_bus_trylock(struct pci_bus *bus) + { + struct pci_dev *dev; + ++ if (!pci_dev_trylock(bus->self)) ++ return 0; ++ + list_for_each_entry(dev, &bus->devices, bus_list) { +- if (!pci_dev_trylock(dev)) +- goto unlock; + if (dev->subordinate) { +- if (!pci_bus_trylock(dev->subordinate)) { +- pci_dev_unlock(dev); ++ if (!pci_bus_trylock(dev->subordinate)) + goto unlock; +- } +- } ++ } else if (!pci_dev_trylock(dev)) ++ goto unlock; + } + return 1; + +@@ -5624,8 +5628,10 @@ static int pci_bus_trylock(struct pci_bus *bus) + list_for_each_entry_continue_reverse(dev, &bus->devices, bus_list) { + if (dev->subordinate) + pci_bus_unlock(dev->subordinate); +- pci_dev_unlock(dev); ++ else ++ pci_dev_unlock(dev); + } ++ pci_dev_unlock(bus->self); + return 0; + } + +@@ -5657,9 +5663,10 @@ static void pci_slot_lock(struct pci_slot *slot) + list_for_each_entry(dev, &slot->bus->devices, bus_list) { + if (!dev->slot || dev->slot != slot) + continue; +- pci_dev_lock(dev); + if (dev->subordinate) + pci_bus_lock(dev->subordinate); ++ else ++ pci_dev_lock(dev); + } + } + +@@ -5685,14 +5692,13 @@ static int pci_slot_trylock(struct pci_slot *slot) + list_for_each_entry(dev, &slot->bus->devices, bus_list) { + if (!dev->slot || dev->slot != slot) + continue; +- if (!pci_dev_trylock(dev)) +- goto unlock; + if (dev->subordinate) { + if (!pci_bus_trylock(dev->subordinate)) { + pci_dev_unlock(dev); + goto unlock; + } +- } ++ } else if (!pci_dev_trylock(dev)) ++ goto unlock; + } + return 1; + +@@ -5703,7 +5709,8 @@ static int pci_slot_trylock(struct pci_slot *slot) + continue; + if (dev->subordinate) + pci_bus_unlock(dev->subordinate); +- pci_dev_unlock(dev); ++ else ++ pci_dev_unlock(dev); + } + return 0; + } +-- +2.43.0 + diff --git a/queue-6.1/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch b/queue-6.1/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch new file mode 100644 index 00000000000..e3d49f3d034 --- /dev/null +++ b/queue-6.1/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch @@ -0,0 +1,58 @@ +From f1f5a897359d413dcf3baf4438d84f1c9035510e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 13:15:06 +0530 +Subject: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv + +From: Krishna Kumar + +[ Upstream commit 335e35b748527f0c06ded9eebb65387f60647fda ] + +The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel +crash when we try to hot-unplug/disable the PCIe switch/bridge from +the PHB. + +The crash occurs because although the MSI data structure has been +released during disable/hot-unplug path and it has been assigned +with NULL, still during unregistration the code was again trying to +explicitly disable the MSI which causes the NULL pointer dereference and +kernel crash. + +The patch fixes the check during unregistration path to prevent invoking +pci_disable_msi/msix() since its data structure is already freed. + +Reported-by: Timothy Pearson +Closes: https://lore.kernel.org/all/1981605666.2142272.1703742465927.JavaMail.zimbra@raptorengineeringinc.com/ +Acked-by: Bjorn Helgaas +Tested-by: Shawn Anastasio +Signed-off-by: Krishna Kumar +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20240701074513.94873-2-krishnak@linux.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pnv_php.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index 881d420637bf..092c9ac0d26d 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -39,7 +39,6 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, + bool disable_device) + { + struct pci_dev *pdev = php_slot->pdev; +- int irq = php_slot->irq; + u16 ctrl; + + if (php_slot->irq > 0) { +@@ -58,7 +57,7 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot, + php_slot->wq = NULL; + } + +- if (disable_device || irq > 0) { ++ if (disable_device) { + if (pdev->msix_enabled) + pci_disable_msix(pdev); + else if (pdev->msi_enabled) +-- +2.43.0 + diff --git a/queue-6.1/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch b/queue-6.1/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch new file mode 100644 index 00000000000..139339d1bd1 --- /dev/null +++ b/queue-6.1/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch @@ -0,0 +1,129 @@ +From 944d06c7be29754e2b99a21443b175eed6febc90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jun 2024 13:45:29 +0200 +Subject: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kishon Vijay Abraham I + +[ Upstream commit 86f271f22bbb6391410a07e08d6ca3757fda01fa ] + +Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 +(SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an +inbound PCIe TLP spans more than two internal AXI 128-byte bursts, +the bus may corrupt the packet payload and the corrupt data may +cause associated applications or the processor to hang. + +The workaround for Errata #i2037 is to limit the maximum read +request size and maximum payload size to 128 bytes. Add workaround +for Errata #i2037 here. + +The errata and workaround is applicable only to AM65x SR 1.0 and +later versions of the silicon will have this fixed. + +[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf + +Link: https://lore.kernel.org/linux-pci/16e1fcae-1ea7-46be-b157-096e05661b15@siemens.com +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Achal Verma +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Jan Kiszka +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Siddharth Vadapalli +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pci-keystone.c | 44 ++++++++++++++++++++++- + 1 file changed, 43 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c +index 6007ffcb4752..e738013c6d4f 100644 +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -35,6 +35,11 @@ + #define PCIE_DEVICEID_SHIFT 16 + + /* Application registers */ ++#define PID 0x000 ++#define RTL GENMASK(15, 11) ++#define RTL_SHIFT 11 ++#define AM6_PCI_PG1_RTL_VER 0x15 ++ + #define CMD_STATUS 0x004 + #define LTSSM_EN_VAL BIT(0) + #define OB_XLAT_EN_VAL BIT(1) +@@ -105,6 +110,8 @@ + + #define to_keystone_pcie(x) dev_get_drvdata((x)->dev) + ++#define PCI_DEVICE_ID_TI_AM654X 0xb00c ++ + struct ks_pcie_of_data { + enum dw_pcie_device_mode mode; + const struct dw_pcie_host_ops *host_ops; +@@ -519,7 +526,11 @@ static int ks_pcie_start_link(struct dw_pcie *pci) + static void ks_pcie_quirk(struct pci_dev *dev) + { + struct pci_bus *bus = dev->bus; ++ struct keystone_pcie *ks_pcie; ++ struct device *bridge_dev; + struct pci_dev *bridge; ++ u32 val; ++ + static const struct pci_device_id rc_pci_devids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2HK), + .class = PCI_CLASS_BRIDGE_PCI_NORMAL, .class_mask = ~0, }, +@@ -531,6 +542,11 @@ static void ks_pcie_quirk(struct pci_dev *dev) + .class = PCI_CLASS_BRIDGE_PCI_NORMAL, .class_mask = ~0, }, + { 0, }, + }; ++ static const struct pci_device_id am6_pci_devids[] = { ++ { PCI_DEVICE(PCI_VENDOR_ID_TI, PCI_DEVICE_ID_TI_AM654X), ++ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, }, ++ { 0, }, ++ }; + + if (pci_is_root_bus(bus)) + bridge = dev; +@@ -552,10 +568,36 @@ static void ks_pcie_quirk(struct pci_dev *dev) + */ + if (pci_match_id(rc_pci_devids, bridge)) { + if (pcie_get_readrq(dev) > 256) { +- dev_info(&dev->dev, "limiting MRRS to 256\n"); ++ dev_info(&dev->dev, "limiting MRRS to 256 bytes\n"); + pcie_set_readrq(dev, 256); + } + } ++ ++ /* ++ * Memory transactions fail with PCI controller in AM654 PG1.0 ++ * when MRRS is set to more than 128 bytes. Force the MRRS to ++ * 128 bytes in all downstream devices. ++ */ ++ if (pci_match_id(am6_pci_devids, bridge)) { ++ bridge_dev = pci_get_host_bridge_device(dev); ++ if (!bridge_dev && !bridge_dev->parent) ++ return; ++ ++ ks_pcie = dev_get_drvdata(bridge_dev->parent); ++ if (!ks_pcie) ++ return; ++ ++ val = ks_pcie_app_readl(ks_pcie, PID); ++ val &= RTL; ++ val >>= RTL_SHIFT; ++ if (val != AM6_PCI_PG1_RTL_VER) ++ return; ++ ++ if (pcie_get_readrq(dev) > 128) { ++ dev_info(&dev->dev, "limiting MRRS to 128 bytes\n"); ++ pcie_set_readrq(dev, 128); ++ } ++ } + } + DECLARE_PCI_FIXUP_ENABLE(PCI_ANY_ID, PCI_ANY_ID, ks_pcie_quirk); + +-- +2.43.0 + diff --git a/queue-6.1/pcmcia-use-resource_size-function-on-resource-object.patch b/queue-6.1/pcmcia-use-resource_size-function-on-resource-object.patch new file mode 100644 index 00000000000..6fff52d502c --- /dev/null +++ b/queue-6.1/pcmcia-use-resource_size-function-on-resource-object.patch @@ -0,0 +1,46 @@ +From 1cce36c1e334fa0179e7f4e2005e00729314701e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 May 2024 23:31:21 +0100 +Subject: pcmcia: Use resource_size function on resource object + +From: Jules Irenge + +[ Upstream commit 24a025497e7e883bd2adef5d0ece1e9b9268009f ] + +Cocinnele reports a warning + +WARNING: Suspicious code. resource_size is maybe missing with root + +The root cause is the function resource_size is not used when needed + +Use resource_size() on variable "root" of type resource + +Signed-off-by: Jules Irenge +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/yenta_socket.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pcmcia/yenta_socket.c b/drivers/pcmcia/yenta_socket.c +index 3966a6ceb1ac..a1c16352c01c 100644 +--- a/drivers/pcmcia/yenta_socket.c ++++ b/drivers/pcmcia/yenta_socket.c +@@ -638,11 +638,11 @@ static int yenta_search_one_res(struct resource *root, struct resource *res, + start = PCIBIOS_MIN_CARDBUS_IO; + end = ~0U; + } else { +- unsigned long avail = root->end - root->start; ++ unsigned long avail = resource_size(root); + int i; + size = BRIDGE_MEM_MAX; +- if (size > avail/8) { +- size = (avail+1)/8; ++ if (size > (avail - 1) / 8) { ++ size = avail / 8; + /* round size down to next power of 2 */ + i = 0; + while ((size /= 2) != 0) +-- +2.43.0 + diff --git a/queue-6.1/phy-zynqmp-take-the-phy-mutex-in-xlate.patch b/queue-6.1/phy-zynqmp-take-the-phy-mutex-in-xlate.patch new file mode 100644 index 00000000000..a87b91a5f99 --- /dev/null +++ b/queue-6.1/phy-zynqmp-take-the-phy-mutex-in-xlate.patch @@ -0,0 +1,39 @@ +From f3d02435e4cc501781d129c0b2d3b601386a3de5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jun 2024 16:55:39 -0400 +Subject: phy: zynqmp: Take the phy mutex in xlate + +From: Sean Anderson + +[ Upstream commit d79c6840917097285e03a49f709321f5fb972750 ] + +Take the phy mutex in xlate to protect against concurrent +modification/access to gtr_phy. This does not typically cause any +issues, since in most systems the phys are only xlated once and +thereafter accessed with the phy API (which takes the locks). However, +we are about to allow userspace to access phys for debugging, so it's +important to avoid any data races. + +Signed-off-by: Sean Anderson +Link: https://lore.kernel.org/r/20240628205540.3098010-5-sean.anderson@linux.dev +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/xilinx/phy-zynqmp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/phy/xilinx/phy-zynqmp.c b/drivers/phy/xilinx/phy-zynqmp.c +index ac9a9124a36d..cc36fb7616ae 100644 +--- a/drivers/phy/xilinx/phy-zynqmp.c ++++ b/drivers/phy/xilinx/phy-zynqmp.c +@@ -847,6 +847,7 @@ static struct phy *xpsgtr_xlate(struct device *dev, + phy_type = args->args[1]; + phy_instance = args->args[2]; + ++ guard(mutex)(>r_phy->phy->mutex); + ret = xpsgtr_set_lane_type(gtr_phy, phy_type, phy_instance); + if (ret < 0) { + dev_err(gtr_dev->dev, "Invalid PHY type and/or instance\n"); +-- +2.43.0 + diff --git a/queue-6.1/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch b/queue-6.1/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch new file mode 100644 index 00000000000..0ff65624140 --- /dev/null +++ b/queue-6.1/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch @@ -0,0 +1,54 @@ +From 0033f98df25b669a99a34422ac5287f2e88746a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 09:54:28 +0300 +Subject: platform/x86: dell-smbios: Fix error path in dell_smbios_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksandr Mishin + +[ Upstream commit ffc17e1479e8e9459b7afa80e5d9d40d0dd78abb ] + +In case of error in build_tokens_sysfs(), all the memory that has been +allocated is freed at end of this function. But then free_group() is +called which performs memory deallocation again. + +Also, instead of free_group() call, there should be exit_dell_smbios_smm() +and exit_dell_smbios_wmi() calls, since there is initialization, but there +is no release of resources in case of an error. + +Fix these issues by replacing free_group() call with +exit_dell_smbios_wmi() and exit_dell_smbios_smm(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens") +Signed-off-by: Aleksandr Mishin +Link: https://lore.kernel.org/r/20240830065428.9544-1-amishin@t-argos.ru +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell-smbios-base.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell/dell-smbios-base.c b/drivers/platform/x86/dell/dell-smbios-base.c +index 86b95206cb1b..6fb538a13868 100644 +--- a/drivers/platform/x86/dell/dell-smbios-base.c ++++ b/drivers/platform/x86/dell/dell-smbios-base.c +@@ -590,7 +590,10 @@ static int __init dell_smbios_init(void) + return 0; + + fail_sysfs: +- free_group(platform_device); ++ if (!wmi) ++ exit_dell_smbios_wmi(); ++ if (!smm) ++ exit_dell_smbios_smm(); + + fail_create_group: + platform_device_del(platform_device); +-- +2.43.0 + diff --git a/queue-6.1/regulator-add-of_regulator_bulk_get_all.patch b/queue-6.1/regulator-add-of_regulator_bulk_get_all.patch new file mode 100644 index 00000000000..c35858c393e --- /dev/null +++ b/queue-6.1/regulator-add-of_regulator_bulk_get_all.patch @@ -0,0 +1,152 @@ +From 2033152d5c09551ef4ef90e99ea46f0ce8aed900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 07:36:01 +0000 +Subject: regulator: Add of_regulator_bulk_get_all + +From: Corentin Labbe + +[ Upstream commit 27b9ecc7a9ba1d0014779bfe5a6dbf630899c6e7 ] + +It work exactly like regulator_bulk_get() but instead of working on a +provided list of names, it seek all consumers properties matching +xxx-supply. + +Signed-off-by: Corentin Labbe +Link: https://lore.kernel.org/r/20221115073603.3425396-2-clabbe@baylibre.com +Signed-off-by: Mark Brown +Stable-dep-of: 1a5caec7f80c ("regulator: core: Stub devm_regulator_bulk_get_const() if !CONFIG_REGULATOR") +Signed-off-by: Sasha Levin +--- + drivers/regulator/of_regulator.c | 92 ++++++++++++++++++++++++++++++ + include/linux/regulator/consumer.h | 8 +++ + 2 files changed, 100 insertions(+) + +diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c +index cd726d4e8fbf..c3571781a8cc 100644 +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -701,3 +701,95 @@ struct regulator_dev *of_parse_coupled_regulator(struct regulator_dev *rdev, + + return c_rdev; + } ++ ++/* ++ * Check if name is a supply name according to the '*-supply' pattern ++ * return 0 if false ++ * return length of supply name without the -supply ++ */ ++static int is_supply_name(const char *name) ++{ ++ int strs, i; ++ ++ strs = strlen(name); ++ /* string need to be at minimum len(x-supply) */ ++ if (strs < 8) ++ return 0; ++ for (i = strs - 6; i > 0; i--) { ++ /* find first '-' and check if right part is supply */ ++ if (name[i] != '-') ++ continue; ++ if (strcmp(name + i + 1, "supply") != 0) ++ return 0; ++ return i; ++ } ++ return 0; ++} ++ ++/* ++ * of_regulator_bulk_get_all - get multiple regulator consumers ++ * ++ * @dev: Device to supply ++ * @np: device node to search for consumers ++ * @consumers: Configuration of consumers; clients are stored here. ++ * ++ * @return number of regulators on success, an errno on failure. ++ * ++ * This helper function allows drivers to get several regulator ++ * consumers in one operation. If any of the regulators cannot be ++ * acquired then any regulators that were allocated will be freed ++ * before returning to the caller. ++ */ ++int of_regulator_bulk_get_all(struct device *dev, struct device_node *np, ++ struct regulator_bulk_data **consumers) ++{ ++ int num_consumers = 0; ++ struct regulator *tmp; ++ struct property *prop; ++ int i, n = 0, ret; ++ char name[64]; ++ ++ *consumers = NULL; ++ ++ /* ++ * first pass: get numbers of xxx-supply ++ * second pass: fill consumers ++ */ ++restart: ++ for_each_property_of_node(np, prop) { ++ i = is_supply_name(prop->name); ++ if (i == 0) ++ continue; ++ if (!*consumers) { ++ num_consumers++; ++ continue; ++ } else { ++ memcpy(name, prop->name, i); ++ name[i] = '\0'; ++ tmp = regulator_get(dev, name); ++ if (!tmp) { ++ ret = -EINVAL; ++ goto error; ++ } ++ (*consumers)[n].consumer = tmp; ++ n++; ++ continue; ++ } ++ } ++ if (*consumers) ++ return num_consumers; ++ if (num_consumers == 0) ++ return 0; ++ *consumers = kmalloc_array(num_consumers, ++ sizeof(struct regulator_bulk_data), ++ GFP_KERNEL); ++ if (!*consumers) ++ return -ENOMEM; ++ goto restart; ++ ++error: ++ while (--n >= 0) ++ regulator_put(consumers[n]->consumer); ++ return ret; ++} ++EXPORT_SYMBOL_GPL(of_regulator_bulk_get_all); +diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h +index a9ca87a8f4e6..40c80c844ce5 100644 +--- a/include/linux/regulator/consumer.h ++++ b/include/linux/regulator/consumer.h +@@ -244,6 +244,8 @@ int regulator_disable_deferred(struct regulator *regulator, int ms); + + int __must_check regulator_bulk_get(struct device *dev, int num_consumers, + struct regulator_bulk_data *consumers); ++int __must_check of_regulator_bulk_get_all(struct device *dev, struct device_node *np, ++ struct regulator_bulk_data **consumers); + int __must_check devm_regulator_bulk_get(struct device *dev, int num_consumers, + struct regulator_bulk_data *consumers); + void devm_regulator_bulk_put(struct regulator_bulk_data *consumers); +@@ -479,6 +481,12 @@ static inline int devm_regulator_bulk_get(struct device *dev, int num_consumers, + return 0; + } + ++static inline int of_regulator_bulk_get_all(struct device *dev, struct device_node *np, ++ struct regulator_bulk_data **consumers) ++{ ++ return 0; ++} ++ + static inline int regulator_bulk_enable(int num_consumers, + struct regulator_bulk_data *consumers) + { +-- +2.43.0 + diff --git a/queue-6.1/regulator-core-stub-devm_regulator_bulk_get_const-if.patch b/queue-6.1/regulator-core-stub-devm_regulator_bulk_get_const-if.patch new file mode 100644 index 00000000000..dcf5ec316ef --- /dev/null +++ b/queue-6.1/regulator-core-stub-devm_regulator_bulk_get_const-if.patch @@ -0,0 +1,54 @@ +From ec2ec69e449515de2d5ef28b91d97abbafc9321a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 07:35:12 -0700 +Subject: regulator: core: Stub devm_regulator_bulk_get_const() if + !CONFIG_REGULATOR + +From: Douglas Anderson + +[ Upstream commit 1a5caec7f80ca2e659c03f45378ee26915f4eda2 ] + +When adding devm_regulator_bulk_get_const() I missed adding a stub for +when CONFIG_REGULATOR is not enabled. Under certain conditions (like +randconfig testing) this can cause the compiler to reports errors +like: + + error: implicit declaration of function 'devm_regulator_bulk_get_const'; + did you mean 'devm_regulator_bulk_get_enable'? + +Add the stub. + +Fixes: 1de452a0edda ("regulator: core: Allow drivers to define their init data as const") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202408301813.TesFuSbh-lkp@intel.com/ +Cc: Neil Armstrong +Signed-off-by: Douglas Anderson +Link: https://patch.msgid.link/20240830073511.1.Ib733229a8a19fad8179213c05e1af01b51e42328@changeid +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/linux/regulator/consumer.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h +index 40c80c844ce5..60bc7e143869 100644 +--- a/include/linux/regulator/consumer.h ++++ b/include/linux/regulator/consumer.h +@@ -487,6 +487,14 @@ static inline int of_regulator_bulk_get_all(struct device *dev, struct device_no + return 0; + } + ++static inline int devm_regulator_bulk_get_const( ++ struct device *dev, int num_consumers, ++ const struct regulator_bulk_data *in_consumers, ++ struct regulator_bulk_data **out_consumers) ++{ ++ return 0; ++} ++ + static inline int regulator_bulk_enable(int num_consumers, + struct regulator_bulk_data *consumers) + { +-- +2.43.0 + diff --git a/queue-6.1/riscv-set-trap-vector-earlier.patch b/queue-6.1/riscv-set-trap-vector-earlier.patch new file mode 100644 index 00000000000..c4035170c0b --- /dev/null +++ b/queue-6.1/riscv-set-trap-vector-earlier.patch @@ -0,0 +1,40 @@ +From e6b10ba76cde5ed1934f221dbc918b732b86a636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:24:45 +0800 +Subject: riscv: set trap vector earlier + +From: yang.zhang + +[ Upstream commit 6ad8735994b854b23c824dd6b1dd2126e893a3b4 ] + +The exception vector of the booting hart is not set before enabling +the mmu and then still points to the value of the previous firmware, +typically _start. That makes it hard to debug setup_vm() when bad +things happen. So fix that by setting the exception vector earlier. + +Reviewed-by: Alexandre Ghiti +Signed-off-by: yang.zhang +Link: https://lore.kernel.org/r/20240508022445.6131-1-gaoshanliukou@163.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/head.S | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S +index 4bf6c449d78b..1a017ad53343 100644 +--- a/arch/riscv/kernel/head.S ++++ b/arch/riscv/kernel/head.S +@@ -307,6 +307,9 @@ clear_bss_done: + #else + mv a0, s1 + #endif /* CONFIG_BUILTIN_DTB */ ++ /* Set trap vector to spin forever to help debug */ ++ la a3, .Lsecondary_park ++ csrw CSR_TVEC, a3 + call setup_vm + #ifdef CONFIG_MMU + la a0, early_pg_dir +-- +2.43.0 + diff --git a/queue-6.1/rust-kbuild-fix-export-of-bss-symbols.patch b/queue-6.1/rust-kbuild-fix-export-of-bss-symbols.patch new file mode 100644 index 00000000000..8a035997d41 --- /dev/null +++ b/queue-6.1/rust-kbuild-fix-export-of-bss-symbols.patch @@ -0,0 +1,42 @@ +From b89505d4b88ab077bf489fb0b4687302480f1ade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 07:49:30 +0000 +Subject: rust: kbuild: fix export of bss symbols + +From: Andreas Hindborg + +[ Upstream commit b8673d56935c32a4e0a1a0b40951fdd313dbf340 ] + +Symbols in the bss segment are not currently exported. This is a problem +for Rust modules that link against statics, that are resident in the kernel +image. Thus export symbols in the bss segment. + +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Signed-off-by: Andreas Hindborg +Reviewed-by: Alice Ryhl +Tested-by: Alice Ryhl +Reviewed-by: Gary Guo +Link: https://lore.kernel.org/r/20240815074519.2684107-2-nmi@metaspace.dk +[ Reworded slightly. - Miguel ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + rust/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rust/Makefile b/rust/Makefile +index 9321a4c83b71..28ba3b9ee18d 100644 +--- a/rust/Makefile ++++ b/rust/Makefile +@@ -303,7 +303,7 @@ $(obj)/bindings/bindings_helpers_generated.rs: $(src)/helpers.c FORCE + quiet_cmd_exports = EXPORTS $@ + cmd_exports = \ + $(NM) -p --defined-only $< \ +- | awk '/ (T|R|D) / {printf "EXPORT_SYMBOL_RUST_GPL(%s);\n",$$3}' > $@ ++ | awk '/ (T|R|D|B) / {printf "EXPORT_SYMBOL_RUST_GPL(%s);\n",$$3}' > $@ + + $(obj)/exports_core_generated.h: $(obj)/core.o FORCE + $(call if_changed,exports) +-- +2.43.0 + diff --git a/queue-6.1/rust-use-awk-instead-of-recent-xargs.patch b/queue-6.1/rust-use-awk-instead-of-recent-xargs.patch new file mode 100644 index 00000000000..436eb49dd2f --- /dev/null +++ b/queue-6.1/rust-use-awk-instead-of-recent-xargs.patch @@ -0,0 +1,43 @@ +From f06ebc162aad00fb6fd26cb61c93bcc5361545cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 20:49:25 +0000 +Subject: rust: Use awk instead of recent xargs + +From: Matthew Maurer + +[ Upstream commit 45f97e6385cad6d0e48a27ddcd08793bb4d35851 ] + +`awk` is already required by the kernel build, and the `xargs` feature +used in current Rust detection is not present in all `xargs` (notably, +toybox based xargs, used in the Android kernel build). + +Signed-off-by: Matthew Maurer +Reviewed-by: Alice Ryhl +Tested-by: Alice Ryhl +Reviewed-by: Martin Rodriguez Reboredo +Link: https://lore.kernel.org/r/20230928205045.2375899-1-mmaurer@google.com +Signed-off-by: Miguel Ojeda +Stable-dep-of: b8673d56935c ("rust: kbuild: fix export of bss symbols") +Signed-off-by: Sasha Levin +--- + rust/Makefile | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/rust/Makefile b/rust/Makefile +index 6d0c0e9757f2..9321a4c83b71 100644 +--- a/rust/Makefile ++++ b/rust/Makefile +@@ -303,9 +303,7 @@ $(obj)/bindings/bindings_helpers_generated.rs: $(src)/helpers.c FORCE + quiet_cmd_exports = EXPORTS $@ + cmd_exports = \ + $(NM) -p --defined-only $< \ +- | grep -E ' (T|R|D) ' | cut -d ' ' -f 3 \ +- | xargs -Isymbol \ +- echo 'EXPORT_SYMBOL_RUST_GPL(symbol);' > $@ ++ | awk '/ (T|R|D) / {printf "EXPORT_SYMBOL_RUST_GPL(%s);\n",$$3}' > $@ + + $(obj)/exports_core_generated.h: $(obj)/core.o FORCE + $(call if_changed,exports) +-- +2.43.0 + diff --git a/queue-6.1/s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch b/queue-6.1/s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch new file mode 100644 index 00000000000..166ce6e7eec --- /dev/null +++ b/queue-6.1/s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch @@ -0,0 +1,75 @@ +From 363eb4383ddfffe5e3cebf13ade342b312dd0b72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 13:06:43 +0200 +Subject: s390/vmlinux.lds.S: Move ro_after_init section behind rodata section + +From: Heiko Carstens + +[ Upstream commit 75c10d5377d8821efafed32e4d72068d9c1f8ec0 ] + +The .data.rel.ro and .got section were added between the rodata and +ro_after_init data section, which adds an RW mapping in between all RO +mapping of the kernel image: + +---[ Kernel Image Start ]--- +0x000003ffe0000000-0x000003ffe0e00000 14M PMD RO X +0x000003ffe0e00000-0x000003ffe0ec7000 796K PTE RO X +0x000003ffe0ec7000-0x000003ffe0f00000 228K PTE RO NX +0x000003ffe0f00000-0x000003ffe1300000 4M PMD RO NX +0x000003ffe1300000-0x000003ffe1331000 196K PTE RO NX +0x000003ffe1331000-0x000003ffe13b3000 520K PTE RW NX <--- +0x000003ffe13b3000-0x000003ffe13d5000 136K PTE RO NX +0x000003ffe13d5000-0x000003ffe1400000 172K PTE RW NX +0x000003ffe1400000-0x000003ffe1500000 1M PMD RW NX +0x000003ffe1500000-0x000003ffe1700000 2M PTE RW NX +0x000003ffe1700000-0x000003ffe1800000 1M PMD RW NX +0x000003ffe1800000-0x000003ffe187e000 504K PTE RW NX +---[ Kernel Image End ]--- + +Move the ro_after_init data section again right behind the rodata +section to prevent interleaving RO and RW mappings: + +---[ Kernel Image Start ]--- +0x000003ffe0000000-0x000003ffe0e00000 14M PMD RO X +0x000003ffe0e00000-0x000003ffe0ec7000 796K PTE RO X +0x000003ffe0ec7000-0x000003ffe0f00000 228K PTE RO NX +0x000003ffe0f00000-0x000003ffe1300000 4M PMD RO NX +0x000003ffe1300000-0x000003ffe1353000 332K PTE RO NX +0x000003ffe1353000-0x000003ffe1400000 692K PTE RW NX +0x000003ffe1400000-0x000003ffe1500000 1M PMD RW NX +0x000003ffe1500000-0x000003ffe1700000 2M PTE RW NX +0x000003ffe1700000-0x000003ffe1800000 1M PMD RW NX +0x000003ffe1800000-0x000003ffe187e000 504K PTE RW NX +---[ Kernel Image End ]--- + +Reviewed-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/vmlinux.lds.S | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S +index 729d4f949cfe..52d6e5d1b453 100644 +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -71,6 +71,15 @@ SECTIONS + . = ALIGN(PAGE_SIZE); + __end_ro_after_init = .; + ++ .data.rel.ro : { ++ *(.data.rel.ro .data.rel.ro.*) ++ } ++ .got : { ++ __got_start = .; ++ *(.got) ++ __got_end = .; ++ } ++ + RW_DATA(0x100, PAGE_SIZE, THREAD_SIZE) + BOOT_DATA_PRESERVED + +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 22938952bd1..1d85d2e9c78 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -39,3 +39,93 @@ sched-sch_cake-fix-bulk-flow-accounting-logic-for-host-fairness.patch nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch nilfs2-protect-references-to-superblock-parameters-exposed-in-sysfs.patch nilfs2-fix-state-management-in-error-path-of-log-writing-function.patch +alsa-control-apply-sanity-check-of-input-values-for-.patch +alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch +smack-unix-sockets-fix-accept-ed-socket-label.patch +elf-fix-kernel.randomize_va_space-double-read.patch +irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch +af_unix-remove-put_pid-put_cred-in-copy_peercred.patch +x86-kmsan-fix-hook-for-unaligned-accesses.patch +iommu-sun50i-clear-bypass-register.patch +netfilter-nf_conncount-fix-wrong-variable-type.patch +udf-avoid-excessive-partition-lengths.patch +fs-ntfs3-one-more-reason-to-mark-inode-bad.patch +media-vivid-fix-wrong-sizeimage-value-for-mplane.patch +leds-spi-byte-call-of_node_put-on-error-path.patch +wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch +usb-uas-set-host-status-byte-on-data-completion-erro.patch +usb-gadget-aspeed_udc-validate-endpoint-index-for-as.patch +drm-amd-display-check-hdcp-returned-status.patch +drm-amdgpu-fix-smatch-static-checker-warning.patch +drm-amdgpu-clear-rb_overflow-bit-when-enabling-inter.patch +media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch +pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch +input-ili210x-use-kvmalloc-to-allocate-buffer-for-fi.patch +media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch +pcmcia-use-resource_size-function-on-resource-object.patch +drm-amd-display-check-denominator-pbn_div-before-use.patch +drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch +can-bcm-remove-proc-entry-when-dev-is-unregistered.patch +can-m_can-release-irq-on-error-in-m_can_open.patch +can-mcp251xfd-fix-ring-configuration-when-switching-.patch +rust-use-awk-instead-of-recent-xargs.patch +rust-kbuild-fix-export-of-bss-symbols.patch +cifs-fix-falloc_fl_zero_range-to-preflush-buffered-p.patch +igb-fix-not-clearing-timesync-interrupts-for-82580.patch +ice-add-netif_device_attach-detach-into-pf-reset-flo.patch +platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch +regulator-add-of_regulator_bulk_get_all.patch +regulator-core-stub-devm_regulator_bulk_get_const-if.patch +igc-unlock-on-error-in-igc_io_resume.patch +ice-use-ice_max_xdp_frame_size-in-ice_xdp_setup_prog.patch +ice-allow-hot-swapping-xdp-programs.patch +ice-do-not-bring-the-vsi-up-if-it-was-down-before-th.patch +usbnet-modern-method-to-get-random-mac.patch +bareudp-fix-device-stats-updates.patch +fou-fix-null-ptr-deref-in-gro.patch +net-bridge-br_fdb_external_learn_add-always-set-ext_.patch +net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch +firmware-cs_dsp-don-t-allow-writes-to-read-only-cont.patch +phy-zynqmp-take-the-phy-mutex-in-xlate.patch +asoc-topology-properly-initialize-soc_enum-values.patch +dm-init-handle-minors-larger-than-255.patch +iommu-vt-d-handle-volatile-descriptor-status-read.patch +cgroup-protect-css-cgroup-write-under-css_set_lock.patch +um-line-always-fill-error_out-in-setup_one_line.patch +devres-initialize-an-uninitialized-struct-member.patch +pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch +crypto-qat-fix-unintentional-re-enabling-of-error-in.patch +hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch +hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch +hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch +hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch +libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch +drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch +ext4-fix-possible-tid_t-sequence-overflows.patch +dma-mapping-benchmark-don-t-starve-others-when-doing.patch +wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch +smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch +fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch +btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch +btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch +btrfs-replace-bug_on-with-error-handling-at-update_r.patch +riscv-set-trap-vector-earlier.patch +pci-add-missing-bridge-lock-to-pci_bus_lock.patch +tcp-don-t-drop-syn-ack-for-simultaneous-connect.patch +net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch +irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch +irqchip-gic-v4-make-sure-a-vpe-is-locked-when-vmapp-.patch +i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch +kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch +btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch +s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch +hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch +hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch +input-uinput-reject-requests-with-unreasonable-numbe.patch +usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch +squashfs-sanity-check-symbolic-link-size.patch +of-irq-prevent-device-address-out-of-bounds-read-in-.patch +lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch +mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch +ata-pata_macio-use-warn-instead-of-bug.patch +nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch diff --git a/queue-6.1/smack-unix-sockets-fix-accept-ed-socket-label.patch b/queue-6.1/smack-unix-sockets-fix-accept-ed-socket-label.patch new file mode 100644 index 00000000000..bc112eb5665 --- /dev/null +++ b/queue-6.1/smack-unix-sockets-fix-accept-ed-socket-label.patch @@ -0,0 +1,60 @@ +From 5280b4836d9055d8e2622908f38efbaaf6a9f84a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 01:44:30 +0300 +Subject: smack: unix sockets: fix accept()ed socket label + +From: Konstantin Andreev + +[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ] + +When a process accept()s connection from a unix socket +(either stream or seqpacket) +it gets the socket with the label of the connecting process. + +For example, if a connecting process has a label 'foo', +the accept()ed socket will also have 'in' and 'out' labels 'foo', +regardless of the label of the listener process. + +This is because kernel creates unix child sockets +in the context of the connecting process. + +I do not see any obvious way for the listener to abuse +alien labels coming with the new socket, but, +to be on the safe side, it's better fix new socket labels. + +Signed-off-by: Konstantin Andreev +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 75b3e91d5a5f..c18366dbbfed 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -3706,12 +3706,18 @@ static int smack_unix_stream_connect(struct sock *sock, + } + } + +- /* +- * Cross reference the peer labels for SO_PEERSEC. +- */ + if (rc == 0) { ++ /* ++ * Cross reference the peer labels for SO_PEERSEC. ++ */ + nsp->smk_packet = ssp->smk_out; + ssp->smk_packet = osp->smk_out; ++ ++ /* ++ * new/child/established socket must inherit listening socket labels ++ */ ++ nsp->smk_out = osp->smk_out; ++ nsp->smk_in = osp->smk_in; + } + + return rc; +-- +2.43.0 + diff --git a/queue-6.1/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch b/queue-6.1/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch new file mode 100644 index 00000000000..ae464a1fb4c --- /dev/null +++ b/queue-6.1/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch @@ -0,0 +1,45 @@ +From a46751ec62e930d4caef96be496ec6794a0073b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jul 2024 14:52:13 +0800 +Subject: smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() + +From: Zqiang + +[ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ] + +For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by +INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for +the debug check in __init_work() to work correctly. + +But this lacks the counterpart to remove the tracked object from debug +objects again, which will cause a debug object warning once the stack is +freed. + +Add the missing destroy_work_on_stack() invocation to cure that. + +[ tglx: Massaged changelog ] + +Signed-off-by: Zqiang +Signed-off-by: Thomas Gleixner +Tested-by: Paul E. McKenney +Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/smp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/smp.c b/kernel/smp.c +index 63e466bb6b03..0acd433afa7b 100644 +--- a/kernel/smp.c ++++ b/kernel/smp.c +@@ -1262,6 +1262,7 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, bool phys) + + queue_work_on(cpu, system_wq, &sscs.work); + wait_for_completion(&sscs.done); ++ destroy_work_on_stack(&sscs.work); + + return sscs.ret; + } +-- +2.43.0 + diff --git a/queue-6.1/squashfs-sanity-check-symbolic-link-size.patch b/queue-6.1/squashfs-sanity-check-symbolic-link-size.patch new file mode 100644 index 00000000000..3096105ebd2 --- /dev/null +++ b/queue-6.1/squashfs-sanity-check-symbolic-link-size.patch @@ -0,0 +1,68 @@ +From 9c3a68a4af422d14921ef928ed2edd4e8eee20f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2024 00:28:21 +0100 +Subject: Squashfs: sanity check symbolic link size + +From: Phillip Lougher + +[ Upstream commit 810ee43d9cd245d138a2733d87a24858a23f577d ] + +Syzkiller reports a "KMSAN: uninit-value in pick_link" bug. + +This is caused by an uninitialised page, which is ultimately caused +by a corrupted symbolic link size read from disk. + +The reason why the corrupted symlink size causes an uninitialised +page is due to the following sequence of events: + +1. squashfs_read_inode() is called to read the symbolic + link from disk. This assigns the corrupted value + 3875536935 to inode->i_size. + +2. Later squashfs_symlink_read_folio() is called, which assigns + this corrupted value to the length variable, which being a + signed int, overflows producing a negative number. + +3. The following loop that fills in the page contents checks that + the copied bytes is less than length, which being negative means + the loop is skipped, producing an uninitialised page. + +This patch adds a sanity check which checks that the symbolic +link size is not larger than expected. + +-- + +Signed-off-by: Phillip Lougher +Link: https://lore.kernel.org/r/20240811232821.13903-1-phillip@squashfs.org.uk +Reported-by: Lizhi Xu +Reported-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/000000000000a90e8c061e86a76b@google.com/ +V2: fix spelling mistake. +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/squashfs/inode.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c +index 24463145b351..f31649080a88 100644 +--- a/fs/squashfs/inode.c ++++ b/fs/squashfs/inode.c +@@ -276,8 +276,13 @@ int squashfs_read_inode(struct inode *inode, long long ino) + if (err < 0) + goto failed_read; + +- set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); + inode->i_size = le32_to_cpu(sqsh_ino->symlink_size); ++ if (inode->i_size > PAGE_SIZE) { ++ ERROR("Corrupted symlink\n"); ++ return -EINVAL; ++ } ++ ++ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); + inode->i_op = &squashfs_symlink_inode_ops; + inode_nohighmem(inode); + inode->i_data.a_ops = &squashfs_symlink_aops; +-- +2.43.0 + diff --git a/queue-6.1/tcp-don-t-drop-syn-ack-for-simultaneous-connect.patch b/queue-6.1/tcp-don-t-drop-syn-ack-for-simultaneous-connect.patch new file mode 100644 index 00000000000..0eb680217af --- /dev/null +++ b/queue-6.1/tcp-don-t-drop-syn-ack-for-simultaneous-connect.patch @@ -0,0 +1,108 @@ +From 4b49a6f40d9d395b2ddc453be35712ace6b1e0e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Jul 2024 10:12:45 -0700 +Subject: tcp: Don't drop SYN+ACK for simultaneous connect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 23e89e8ee7be73e21200947885a6d3a109a2c58d ] + +RFC 9293 states that in the case of simultaneous connect(), the connection +gets established when SYN+ACK is received. [0] + + TCP Peer A TCP Peer B + + 1. CLOSED CLOSED + 2. SYN-SENT --> ... + 3. SYN-RECEIVED <-- <-- SYN-SENT + 4. ... --> SYN-RECEIVED + 5. SYN-RECEIVED --> ... + 6. ESTABLISHED <-- <-- SYN-RECEIVED + 7. ... --> ESTABLISHED + +However, since commit 0c24604b68fc ("tcp: implement RFC 5961 4.2"), such a +SYN+ACK is dropped in tcp_validate_incoming() and responded with Challenge +ACK. + +For example, the write() syscall in the following packetdrill script fails +with -EAGAIN, and wrong SNMP stats get incremented. + + 0 socket(..., SOCK_STREAM|SOCK_NONBLOCK, IPPROTO_TCP) = 3 + +0 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress) + + +0 > S 0:0(0) + +0 < S 0:0(0) win 1000 + +0 > S. 0:0(0) ack 1 + +0 < S. 0:0(0) ack 1 win 1000 + + +0 write(3, ..., 100) = 100 + +0 > P. 1:101(100) ack 1 + + -- + + # packetdrill cross-synack.pkt + cross-synack.pkt:13: runtime error in write call: Expected result 100 but got -1 with errno 11 (Resource temporarily unavailable) + # nstat + ... + TcpExtTCPChallengeACK 1 0.0 + TcpExtTCPSYNChallenge 1 0.0 + +The problem is that bpf_skops_established() is triggered by the Challenge +ACK instead of SYN+ACK. This causes the bpf prog to miss the chance to +check if the peer supports a TCP option that is expected to be exchanged +in SYN and SYN+ACK. + +Let's accept a bare SYN+ACK for active-open TCP_SYN_RECV sockets to avoid +such a situation. + +Note that tcp_ack_snd_check() in tcp_rcv_state_process() is skipped not to +send an unnecessary ACK, but this could be a bit risky for net.git, so this +targets for net-next. + +Link: https://www.rfc-editor.org/rfc/rfc9293.html#section-3.5-7 [0] +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240710171246.87533-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index b1b4f44d2137..b7d038b24a6d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5843,6 +5843,11 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, + * RFC 5961 4.2 : Send a challenge ack + */ + if (th->syn) { ++ if (sk->sk_state == TCP_SYN_RECV && sk->sk_socket && th->ack && ++ TCP_SKB_CB(skb)->seq + 1 == TCP_SKB_CB(skb)->end_seq && ++ TCP_SKB_CB(skb)->seq + 1 == tp->rcv_nxt && ++ TCP_SKB_CB(skb)->ack_seq == tp->snd_nxt) ++ goto pass; + syn_challenge: + if (syn_inerr) + TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS); +@@ -5852,6 +5857,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, + goto discard; + } + ++pass: + bpf_skops_parse_hdr(sk, skb); + + return true; +@@ -6635,6 +6641,9 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + tcp_fast_path_on(tp); + if (sk->sk_shutdown & SEND_SHUTDOWN) + tcp_shutdown(sk, SEND_SHUTDOWN); ++ ++ if (sk->sk_socket) ++ goto consume; + break; + + case TCP_FIN_WAIT1: { +-- +2.43.0 + diff --git a/queue-6.1/udf-avoid-excessive-partition-lengths.patch b/queue-6.1/udf-avoid-excessive-partition-lengths.patch new file mode 100644 index 00000000000..e464423742b --- /dev/null +++ b/queue-6.1/udf-avoid-excessive-partition-lengths.patch @@ -0,0 +1,63 @@ +From 17bc487a7a03dbe354ad018e1aa697c40b98961a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2024 12:52:17 +0200 +Subject: udf: Avoid excessive partition lengths + +From: Jan Kara + +[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ] + +Avoid mounting filesystems where the partition would overflow the +32-bits used for block number. Also refuse to mount filesystems where +the partition length is so large we cannot safely index bits in a +block bitmap. + +Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 3b6419f29a4c..fa790be4f19f 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1084,12 +1084,19 @@ static int udf_fill_partdesc_info(struct super_block *sb, + struct udf_part_map *map; + struct udf_sb_info *sbi = UDF_SB(sb); + struct partitionHeaderDesc *phd; ++ u32 sum; + int err; + + map = &sbi->s_partmaps[p_index]; + + map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */ + map->s_partition_root = le32_to_cpu(p->partitionStartingLocation); ++ if (check_add_overflow(map->s_partition_root, map->s_partition_len, ++ &sum)) { ++ udf_err(sb, "Partition %d has invalid location %u + %u\n", ++ p_index, map->s_partition_root, map->s_partition_len); ++ return -EFSCORRUPTED; ++ } + + if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY)) + map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY; +@@ -1145,6 +1152,14 @@ static int udf_fill_partdesc_info(struct super_block *sb, + bitmap->s_extPosition = le32_to_cpu( + phd->unallocSpaceBitmap.extPosition); + map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP; ++ /* Check whether math over bitmap won't overflow. */ ++ if (check_add_overflow(map->s_partition_len, ++ sizeof(struct spaceBitmapDesc) << 3, ++ &sum)) { ++ udf_err(sb, "Partition %d is too long (%u)\n", p_index, ++ map->s_partition_len); ++ return -EFSCORRUPTED; ++ } + udf_debug("unallocSpaceBitmap (part %d) @ %u\n", + p_index, bitmap->s_extPosition); + } +-- +2.43.0 + diff --git a/queue-6.1/um-line-always-fill-error_out-in-setup_one_line.patch b/queue-6.1/um-line-always-fill-error_out-in-setup_one_line.patch new file mode 100644 index 00000000000..3eb5174311b --- /dev/null +++ b/queue-6.1/um-line-always-fill-error_out-in-setup_one_line.patch @@ -0,0 +1,44 @@ +From d600f4958938cab2d9b7962942b6540da151e4e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 17:22:36 +0200 +Subject: um: line: always fill *error_out in setup_one_line() + +From: Johannes Berg + +[ Upstream commit 824ac4a5edd3f7494ab1996826c4f47f8ef0f63d ] + +The pointer isn't initialized by callers, but I have +encountered cases where it's still printed; initialize +it in all possible cases in setup_one_line(). + +Link: https://patch.msgid.link/20240703172235.ad863568b55f.Iaa1eba4db8265d7715ba71d5f6bb8c7ff63d27e9@changeid +Acked-By: Anton Ivanov +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/line.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c +index 95ad6b190d1d..6b4faca401ea 100644 +--- a/arch/um/drivers/line.c ++++ b/arch/um/drivers/line.c +@@ -383,6 +383,7 @@ int setup_one_line(struct line *lines, int n, char *init, + parse_chan_pair(NULL, line, n, opts, error_out); + err = 0; + } ++ *error_out = "configured as 'none'"; + } else { + char *new = kstrdup(init, GFP_KERNEL); + if (!new) { +@@ -406,6 +407,7 @@ int setup_one_line(struct line *lines, int n, char *init, + } + } + if (err) { ++ *error_out = "failed to parse channel pair"; + line->init_str = NULL; + line->valid = 0; + kfree(new); +-- +2.43.0 + diff --git a/queue-6.1/usb-gadget-aspeed_udc-validate-endpoint-index-for-as.patch b/queue-6.1/usb-gadget-aspeed_udc-validate-endpoint-index-for-as.patch new file mode 100644 index 00000000000..b1ee41bde9c --- /dev/null +++ b/queue-6.1/usb-gadget-aspeed_udc-validate-endpoint-index-for-as.patch @@ -0,0 +1,40 @@ +From b43fea3f7c76e361fc46afa3469bd5c2caa4ff51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 10:23:06 +0800 +Subject: usb: gadget: aspeed_udc: validate endpoint index for ast udc + +From: Ma Ke + +[ Upstream commit ee0d382feb44ec0f445e2ad63786cd7f3f6a8199 ] + +We should verify the bound of the array to assure that host +may not manipulate the index to point past endpoint array. + +Found by static analysis. + +Signed-off-by: Ma Ke +Reviewed-by: Andrew Jeffery +Acked-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20240625022306.2568122-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/aspeed_udc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c +index cedf17e38245..1a5a1115c1d9 100644 +--- a/drivers/usb/gadget/udc/aspeed_udc.c ++++ b/drivers/usb/gadget/udc/aspeed_udc.c +@@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc) + break; + case USB_RECIP_ENDPOINT: + epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK; ++ if (epnum >= AST_UDC_NUM_ENDPOINTS) ++ goto stall; + status = udc->ep[epnum].stopped; + break; + default: +-- +2.43.0 + diff --git a/queue-6.1/usb-uas-set-host-status-byte-on-data-completion-erro.patch b/queue-6.1/usb-uas-set-host-status-byte-on-data-completion-erro.patch new file mode 100644 index 00000000000..c9ffa76571b --- /dev/null +++ b/queue-6.1/usb-uas-set-host-status-byte-on-data-completion-erro.patch @@ -0,0 +1,41 @@ +From a5e2d73cd686ba42f90feda18c258f2d253f898b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 23:32:57 -0400 +Subject: usb: uas: set host status byte on data completion error + +From: Shantanu Goel + +[ Upstream commit 9d32685a251a754f1823d287df233716aa23bcb9 ] + +Set the host status byte when a data completion error is encountered +otherwise the upper layer may end up using the invalid zero'ed data. +The following output was observed from scsi/sd.c prior to this fix. + +[ 11.872824] sd 0:0:0:1: [sdf] tag#9 data cmplt err -75 uas-tag 1 inflight: +[ 11.872826] sd 0:0:0:1: [sdf] tag#9 CDB: Read capacity(16) 9e 10 00 00 00 00 00 00 00 00 00 00 00 20 00 00 +[ 11.872830] sd 0:0:0:1: [sdf] Sector size 0 reported, assuming 512. + +Signed-off-by: Shantanu Goel +Acked-by: Oliver Neukum +Link: https://lore.kernel.org/r/87msnx4ec6.fsf@yahoo.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/storage/uas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index af619efe8eab..b565c1eb84b3 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -422,6 +422,7 @@ static void uas_data_cmplt(struct urb *urb) + uas_log_cmd_state(cmnd, "data cmplt err", status); + /* error: no data transfered */ + scsi_set_resid(cmnd, sdb->length); ++ set_host_byte(cmnd, DID_ERROR); + } else { + scsi_set_resid(cmnd, sdb->length - urb->actual_length); + } +-- +2.43.0 + diff --git a/queue-6.1/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch b/queue-6.1/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch new file mode 100644 index 00000000000..95423889edd --- /dev/null +++ b/queue-6.1/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch @@ -0,0 +1,44 @@ +From eca5c465d611c6ea98ce23c237caac912ef7573f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 19:28:05 +0200 +Subject: usbnet: ipheth: race between ipheth_close and error handling + +From: Oliver Neukum + +[ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] + +ipheth_sndbulk_callback() can submit carrier_work +as a part of its error handling. That means that +the driver must make sure that the work is cancelled +after it has made sure that no more URB can terminate +with an error condition. + +Hence the order of actions in ipheth_close() needs +to be inverted. + +Signed-off-by: Oliver Neukum +Signed-off-by: Foster Snowhill +Tested-by: Georgi Valkov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ipheth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c +index 6a769df0b421..13381d87eeb0 100644 +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net) + { + struct ipheth_device *dev = netdev_priv(net); + +- cancel_delayed_work_sync(&dev->carrier_work); + netif_stop_queue(net); ++ cancel_delayed_work_sync(&dev->carrier_work); + return 0; + } + +-- +2.43.0 + diff --git a/queue-6.1/usbnet-modern-method-to-get-random-mac.patch b/queue-6.1/usbnet-modern-method-to-get-random-mac.patch new file mode 100644 index 00000000000..b0bde5420cb --- /dev/null +++ b/queue-6.1/usbnet-modern-method-to-get-random-mac.patch @@ -0,0 +1,75 @@ +From 5474b3792aad010eac0e2d9190fc7c040e1e07ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 19:50:55 +0200 +Subject: usbnet: modern method to get random MAC + +From: Oliver Neukum + +[ Upstream commit bab8eb0dd4cb995caa4a0529d5655531c2ec5e8e ] + +The driver generates a random MAC once on load +and uses it over and over, including on two devices +needing a random MAC at the same time. + +Jakub suggested revamping the driver to the modern +API for setting a random MAC rather than fixing +the old stuff. + +The bug is as old as the driver. + +Signed-off-by: Oliver Neukum +Reviewed-by: Simon Horman +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://patch.msgid.link/20240829175201.670718-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 405e588f8a3a..0f848d318544 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -61,9 +61,6 @@ + + /*-------------------------------------------------------------------------*/ + +-// randomly generated ethernet address +-static u8 node_id [ETH_ALEN]; +- + /* use ethtool to change the level for any given device */ + static int msg_level = -1; + module_param (msg_level, int, 0); +@@ -1726,7 +1723,6 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + + dev->net = net; + strscpy(net->name, "usb%d", sizeof(net->name)); +- eth_hw_addr_set(net, node_id); + + /* rx and tx sides can use different message sizes; + * bind() should set rx_urb_size in that case. +@@ -1800,9 +1796,9 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + goto out4; + } + +- /* let userspace know we have a random address */ +- if (ether_addr_equal(net->dev_addr, node_id)) +- net->addr_assign_type = NET_ADDR_RANDOM; ++ /* this flags the device for user space */ ++ if (!is_valid_ether_addr(net->dev_addr)) ++ eth_hw_addr_random(net); + + if ((dev->driver_info->flags & FLAG_WLAN) != 0) + SET_NETDEV_DEVTYPE(net, &wlan_type); +@@ -2212,7 +2208,6 @@ static int __init usbnet_init(void) + BUILD_BUG_ON( + sizeof_field(struct sk_buff, cb) < sizeof(struct skb_data)); + +- eth_random_addr(node_id); + return 0; + } + module_init(usbnet_init); +-- +2.43.0 + diff --git a/queue-6.1/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch b/queue-6.1/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch new file mode 100644 index 00000000000..092f0bc10ff --- /dev/null +++ b/queue-6.1/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch @@ -0,0 +1,38 @@ +From efbd195751758392afcdd49f6feae67f9b914e02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 14:26:09 +0200 +Subject: wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 + +From: Arend van Spriel + +[ Upstream commit dbb5265a5d7cca1cdba7736dba313ab7d07bc19d ] + +After being asked about support for WPA3 for BCM43224 chipset it +was found that all it takes is setting the MFP_CAPABLE flag and +mac80211 will take care of all that is needed [1]. + +Link: https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/ [1] +Signed-off-by: Arend van Spriel +Tested-by: Reijer Boekhoff +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240617122609.349582-1-arend.vanspriel@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +index a4034d44609b..94b1e4f15b41 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +@@ -1089,6 +1089,7 @@ static int ieee_hw_init(struct ieee80211_hw *hw) + ieee80211_hw_set(hw, AMPDU_AGGREGATION); + ieee80211_hw_set(hw, SIGNAL_DBM); + ieee80211_hw_set(hw, REPORTS_TX_ACK_STATUS); ++ ieee80211_hw_set(hw, MFP_CAPABLE); + + hw->extra_tx_headroom = brcms_c_get_header_len(); + hw->queues = N_TX_QUEUES; +-- +2.43.0 + diff --git a/queue-6.1/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch b/queue-6.1/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch new file mode 100644 index 00000000000..f7cf9adda2c --- /dev/null +++ b/queue-6.1/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch @@ -0,0 +1,112 @@ +From 137f396b3935ce527b605b058356cdcb2860434d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 09:24:09 +0200 +Subject: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() + +From: Sascha Hauer + +[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ] + +mwifiex_get_priv_by_id() returns the priv pointer corresponding to +the bss_num and bss_type, but without checking if the priv is actually +currently in use. +Unused priv pointers do not have a wiphy attached to them which can +lead to NULL pointer dereferences further down the callstack. Fix +this by returning only used priv pointers which have priv->bss_mode +set to something else than NL80211_IFTYPE_UNSPECIFIED. + +Said NULL pointer dereference happened when an Accesspoint was started +with wpa_supplicant -i mlan0 with this config: + +network={ + ssid="somessid" + mode=2 + frequency=2412 + key_mgmt=WPA-PSK WPA-PSK-SHA256 + proto=RSN + group=CCMP + pairwise=CCMP + psk="12345678" +} + +When waiting for the AP to be established, interrupting wpa_supplicant +with and starting it again this happens: + +| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 +| Mem abort info: +| ESR = 0x0000000096000004 +| EC = 0x25: DABT (current EL), IL = 32 bits +| SET = 0, FnV = 0 +| EA = 0, S1PTW = 0 +| FSC = 0x04: level 0 translation fault +| Data abort info: +| ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 +| CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +| GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 +| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 +| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio ++mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs ++imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 +| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 +| Hardware name: somemachine (DT) +| Workqueue: events sdio_irq_work +| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] +| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] +| sp : ffff8000818b3a70 +| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 +| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 +| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 +| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 +| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 +| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 +| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 +| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 +| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 +| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 +| Call trace: +| mwifiex_get_cfp+0xd8/0x15c [mwifiex] +| mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] +| mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] +| mwifiex_process_sta_event+0x298/0xf0c [mwifiex] +| mwifiex_process_event+0x110/0x238 [mwifiex] +| mwifiex_main_process+0x428/0xa44 [mwifiex] +| mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] +| process_sdio_pending_irqs+0x64/0x1b8 +| sdio_irq_work+0x4c/0x7c +| process_one_work+0x148/0x2a0 +| worker_thread+0x2fc/0x40c +| kthread+0x110/0x114 +| ret_from_fork+0x10/0x20 +| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) +| ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Sascha Hauer +Acked-by: Brian Norris +Reviewed-by: Francesco Dolcini +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/main.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h +index 63f861e6b28a..fb98eb342bd9 100644 +--- a/drivers/net/wireless/marvell/mwifiex/main.h ++++ b/drivers/net/wireless/marvell/mwifiex/main.h +@@ -1301,6 +1301,9 @@ mwifiex_get_priv_by_id(struct mwifiex_adapter *adapter, + + for (i = 0; i < adapter->priv_num; i++) { + if (adapter->priv[i]) { ++ if (adapter->priv[i]->bss_mode == NL80211_IFTYPE_UNSPECIFIED) ++ continue; ++ + if ((adapter->priv[i]->bss_num == bss_num) && + (adapter->priv[i]->bss_type == bss_type)) + break; +-- +2.43.0 + diff --git a/queue-6.1/x86-kmsan-fix-hook-for-unaligned-accesses.patch b/queue-6.1/x86-kmsan-fix-hook-for-unaligned-accesses.patch new file mode 100644 index 00000000000..b7566e89e21 --- /dev/null +++ b/queue-6.1/x86-kmsan-fix-hook-for-unaligned-accesses.patch @@ -0,0 +1,56 @@ +From d44e991a6b17ffc2f24fd0cd5fa3dd21e665680a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 May 2024 23:50:29 +0200 +Subject: x86/kmsan: Fix hook for unaligned accesses + +From: Brian Johannesmeyer + +[ Upstream commit bf6ab33d8487f5e2a0998ce75286eae65bb0a6d6 ] + +When called with a 'from' that is not 4-byte-aligned, string_memcpy_fromio() +calls the movs() macro to copy the first few bytes, so that 'from' becomes +4-byte-aligned before calling rep_movs(). This movs() macro modifies 'to', and +the subsequent line modifies 'n'. + +As a result, on unaligned accesses, kmsan_unpoison_memory() uses the updated +(aligned) values of 'to' and 'n'. Hence, it does not unpoison the entire +region. + +Save the original values of 'to' and 'n', and pass those to +kmsan_unpoison_memory(), so that the entire region is unpoisoned. + +Signed-off-by: Brian Johannesmeyer +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Alexander Potapenko +Link: https://lore.kernel.org/r/20240523215029.4160518-1-bjohannesmeyer@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/iomem.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/lib/iomem.c b/arch/x86/lib/iomem.c +index e0411a3774d4..5eecb45d05d5 100644 +--- a/arch/x86/lib/iomem.c ++++ b/arch/x86/lib/iomem.c +@@ -25,6 +25,9 @@ static __always_inline void rep_movs(void *to, const void *from, size_t n) + + static void string_memcpy_fromio(void *to, const volatile void __iomem *from, size_t n) + { ++ const void *orig_to = to; ++ const size_t orig_n = n; ++ + if (unlikely(!n)) + return; + +@@ -39,7 +42,7 @@ static void string_memcpy_fromio(void *to, const volatile void __iomem *from, si + } + rep_movs(to, (const void *)from, n); + /* KMSAN must treat values read from devices as initialized. */ +- kmsan_unpoison_memory(to, n); ++ kmsan_unpoison_memory(orig_to, orig_n); + } + + static void string_memcpy_toio(volatile void __iomem *to, const void *from, size_t n) +-- +2.43.0 +