From: Greg Kroah-Hartman Date: Thu, 30 Nov 2023 14:37:25 +0000 (+0000) Subject: 5.15-stable patches X-Git-Tag: v5.15.141~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0f2642d88553aa8139e5100e963c93c014b8b8d8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: acpi-resource-skip-irq-override-on-asus-expertbook-b1402cva.patch bcache-fixup-multi-threaded-bch_sectors_dirty_init-wake-up-race.patch bcache-replace-a-mistaken-is_err-by-is_err_or_null-in-btree_gc_coalesce.patch hv_netvsc-fix-race-of-register_netdevice_notifier-and-vf-register.patch hv_netvsc-mark-vf-as-slave-before-exposing-it-to-user-mode.patch io_uring-fs-consider-link-flags-when-getting-path-for-linkat.patch md-fix-bi_status-reporting-in-md_end_clone_io.patch s390-dasd-protect-device-queue-against-concurrent-access.patch swiotlb-xen-provide-the-max_mapping_size-method.patch usb-serial-option-add-luat-air72-u-series-products.patch --- diff --git a/queue-5.15/acpi-resource-skip-irq-override-on-asus-expertbook-b1402cva.patch b/queue-5.15/acpi-resource-skip-irq-override-on-asus-expertbook-b1402cva.patch new file mode 100644 index 00000000000..3f82a63a3a1 --- /dev/null +++ b/queue-5.15/acpi-resource-skip-irq-override-on-asus-expertbook-b1402cva.patch @@ -0,0 +1,41 @@ +From bd911485294a6f0596e4592ed442438015cffc8a Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 15 Nov 2023 19:02:22 +0100 +Subject: ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA + +From: Hans de Goede + +commit bd911485294a6f0596e4592ed442438015cffc8a upstream. + +Like various other ASUS ExpertBook-s, the ASUS ExpertBook B1402CVA +has an ACPI DSDT table that describes IRQ 1 as ActiveLow while +the kernel overrides it to EdgeHigh. + +This prevents the keyboard from working. To fix this issue, add this laptop +to the skip_override_table so that the kernel does not override IRQ 1. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218114 +Cc: All applicable +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -440,6 +440,13 @@ static const struct dmi_system_id lenovo + }, + }, + { ++ /* Asus ExpertBook B1402CVA */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "B1402CVA"), ++ }, ++ }, ++ { + .ident = "LENOVO IdeaPad Flex 5 16ALC7", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), diff --git a/queue-5.15/bcache-fixup-multi-threaded-bch_sectors_dirty_init-wake-up-race.patch b/queue-5.15/bcache-fixup-multi-threaded-bch_sectors_dirty_init-wake-up-race.patch new file mode 100644 index 00000000000..53b83da0dee --- /dev/null +++ b/queue-5.15/bcache-fixup-multi-threaded-bch_sectors_dirty_init-wake-up-race.patch @@ -0,0 +1,124 @@ +From 2faac25d7958c4761bb8cec54adb79f806783ad6 Mon Sep 17 00:00:00 2001 +From: Mingzhe Zou +Date: Mon, 20 Nov 2023 13:25:00 +0800 +Subject: bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race + +From: Mingzhe Zou + +commit 2faac25d7958c4761bb8cec54adb79f806783ad6 upstream. + +We get a kernel crash about "unable to handle kernel paging request": + +```dmesg +[368033.032005] BUG: unable to handle kernel paging request at ffffffffad9ae4b5 +[368033.032007] PGD fc3a0d067 P4D fc3a0d067 PUD fc3a0e063 PMD 8000000fc38000e1 +[368033.032012] Oops: 0003 [#1] SMP PTI +[368033.032015] CPU: 23 PID: 55090 Comm: bch_dirtcnt[0] Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.es8_24.x86_64 #1 +[368033.032017] Hardware name: Tsinghua Tongfang THTF Chaoqiang Server/072T6D, BIOS 2.4.3 01/17/2017 +[368033.032027] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0 +[368033.032029] Code: 8b 02 48 85 c0 74 f6 48 89 c1 eb d0 c1 e9 12 83 e0 +03 83 e9 01 48 c1 e0 05 48 63 c9 48 05 c0 3d 02 00 48 03 04 cd 60 68 93 +ad <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 02 +[368033.032031] RSP: 0018:ffffbb48852abe00 EFLAGS: 00010082 +[368033.032032] RAX: ffffffffad9ae4b5 RBX: 0000000000000246 RCX: 0000000000003bf3 +[368033.032033] RDX: ffff97b0ff8e3dc0 RSI: 0000000000600000 RDI: ffffbb4884743c68 +[368033.032034] RBP: 0000000000000001 R08: 0000000000000000 R09: 000007ffffffffff +[368033.032035] R10: ffffbb486bb01000 R11: 0000000000000001 R12: ffffffffc068da70 +[368033.032036] R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000 +[368033.032038] FS: 0000000000000000(0000) GS:ffff97b0ff8c0000(0000) knlGS:0000000000000000 +[368033.032039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[368033.032040] CR2: ffffffffad9ae4b5 CR3: 0000000fc3a0a002 CR4: 00000000003626e0 +[368033.032042] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[368033.032043] bcache: bch_cached_dev_attach() Caching rbd479 as bcache462 on set 8cff3c36-4a76-4242-afaa-7630206bc70b +[368033.032045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[368033.032046] Call Trace: +[368033.032054] _raw_spin_lock_irqsave+0x32/0x40 +[368033.032061] __wake_up_common_lock+0x63/0xc0 +[368033.032073] ? bch_ptr_invalid+0x10/0x10 [bcache] +[368033.033502] bch_dirty_init_thread+0x14c/0x160 [bcache] +[368033.033511] ? read_dirty_submit+0x60/0x60 [bcache] +[368033.033516] kthread+0x112/0x130 +[368033.033520] ? kthread_flush_work_fn+0x10/0x10 +[368033.034505] ret_from_fork+0x35/0x40 +``` + +The crash occurred when call wake_up(&state->wait), and then we want +to look at the value in the state. However, bch_sectors_dirty_init() +is not found in the stack of any task. Since state is allocated on +the stack, we guess that bch_sectors_dirty_init() has exited, causing +bch_dirty_init_thread() to be unable to handle kernel paging request. + +In order to verify this idea, we added some printing information during +wake_up(&state->wait). We find that "wake up" is printed twice, however +we only expect the last thread to wake up once. + +```dmesg +[ 994.641004] alcache: bch_dirty_init_thread() wake up +[ 994.641018] alcache: bch_dirty_init_thread() wake up +[ 994.641523] alcache: bch_sectors_dirty_init() init exit +``` + +There is a race. If bch_sectors_dirty_init() exits after the first wake +up, the second wake up will trigger this bug("unable to handle kernel +paging request"). + +Proceed as follows: + +bch_sectors_dirty_init + kthread_run ==============> bch_dirty_init_thread(bch_dirtcnt[0]) + ... ... + atomic_inc(&state.started) ... + ... ... + atomic_read(&state.enough) ... + ... atomic_set(&state->enough, 1) + kthread_run ======================================================> bch_dirty_init_thread(bch_dirtcnt[1]) + ... atomic_dec_and_test(&state->started) ... + atomic_inc(&state.started) ... ... + ... wake_up(&state->wait) ... + atomic_read(&state.enough) atomic_dec_and_test(&state->started) + ... ... + wait_event(state.wait, atomic_read(&state.started) == 0) ... + return ... + wake_up(&state->wait) + +We believe it is very common to wake up twice if there is no dirty, but +crash is an extremely low probability event. It's hard for us to reproduce +this issue. We attached and detached continuously for a week, with a total +of more than one million attaches and only one crash. + +Putting atomic_inc(&state.started) before kthread_run() can avoid waking +up twice. + +Fixes: b144e45fc576 ("bcache: make bch_sectors_dirty_init() to be multithreaded") +Signed-off-by: Mingzhe Zou +Cc: +Signed-off-by: Coly Li +Link: https://lore.kernel.org/r/20231120052503.6122-8-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/writeback.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -1004,17 +1004,18 @@ void bch_sectors_dirty_init(struct bcach + if (atomic_read(&state.enough)) + break; + ++ atomic_inc(&state.started); + state.infos[i].state = &state; + state.infos[i].thread = + kthread_run(bch_dirty_init_thread, &state.infos[i], + "bch_dirtcnt[%d]", i); + if (IS_ERR(state.infos[i].thread)) { + pr_err("fails to run thread bch_dirty_init[%d]\n", i); ++ atomic_dec(&state.started); + for (--i; i >= 0; i--) + kthread_stop(state.infos[i].thread); + goto out; + } +- atomic_inc(&state.started); + } + + out: diff --git a/queue-5.15/bcache-replace-a-mistaken-is_err-by-is_err_or_null-in-btree_gc_coalesce.patch b/queue-5.15/bcache-replace-a-mistaken-is_err-by-is_err_or_null-in-btree_gc_coalesce.patch new file mode 100644 index 00000000000..6f6a3b9578c --- /dev/null +++ b/queue-5.15/bcache-replace-a-mistaken-is_err-by-is_err_or_null-in-btree_gc_coalesce.patch @@ -0,0 +1,52 @@ +From f72f4312d4388376fc8a1f6cf37cb21a0d41758b Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Mon, 20 Nov 2023 13:25:01 +0800 +Subject: bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() + +From: Coly Li + +commit f72f4312d4388376fc8a1f6cf37cb21a0d41758b upstream. + +Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in +node allocations") do the following change inside btree_gc_coalesce(), + +31 @@ -1340,7 +1340,7 @@ static int btree_gc_coalesce( +32 memset(new_nodes, 0, sizeof(new_nodes)); +33 closure_init_stack(&cl); +34 +35 - while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b)) +36 + while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b)) +37 keys += r[nodes++].keys; +38 +39 blocks = btree_default_blocks(b->c) * 2 / 3; + +At line 35 the original r[nodes].b is not always allocatored from +__bch_btree_node_alloc(), and possibly initialized as NULL pointer by +caller of btree_gc_coalesce(). Therefore the change at line 36 is not +correct. + +This patch replaces the mistaken IS_ERR() by IS_ERR_OR_NULL() to avoid +potential issue. + +Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations") +Cc: # 6.5+ +Cc: Zheng Wang +Signed-off-by: Coly Li +Link: https://lore.kernel.org/r/20231120052503.6122-9-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1342,7 +1342,7 @@ static int btree_gc_coalesce(struct btre + memset(new_nodes, 0, sizeof(new_nodes)); + closure_init_stack(&cl); + +- while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b)) ++ while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b)) + keys += r[nodes++].keys; + + blocks = btree_default_blocks(b->c) * 2 / 3; diff --git a/queue-5.15/hv_netvsc-fix-race-of-register_netdevice_notifier-and-vf-register.patch b/queue-5.15/hv_netvsc-fix-race-of-register_netdevice_notifier-and-vf-register.patch new file mode 100644 index 00000000000..c8381bb5650 --- /dev/null +++ b/queue-5.15/hv_netvsc-fix-race-of-register_netdevice_notifier-and-vf-register.patch @@ -0,0 +1,49 @@ +From 85520856466ed6bc3b1ccb013cddac70ceb437db Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Sun, 19 Nov 2023 08:23:42 -0800 +Subject: hv_netvsc: Fix race of register_netdevice_notifier and VF register + +From: Haiyang Zhang + +commit 85520856466ed6bc3b1ccb013cddac70ceb437db upstream. + +If VF NIC is registered earlier, NETDEV_REGISTER event is replayed, +but NETDEV_POST_INIT is not. + +Move register_netdevice_notifier() earlier, so the call back +function is set before probing. + +Cc: stable@vger.kernel.org +Fixes: e04e7a7bbd4b ("hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe()") +Reported-by: Dexuan Cui +Signed-off-by: Haiyang Zhang +Reviewed-by: Wojciech Drewek +Reviewed-by: Dexuan Cui +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2807,12 +2807,17 @@ static int __init netvsc_drv_init(void) + } + netvsc_ring_bytes = ring_size * PAGE_SIZE; + ++ register_netdevice_notifier(&netvsc_netdev_notifier); ++ + ret = vmbus_driver_register(&netvsc_drv); + if (ret) +- return ret; ++ goto err_vmbus_reg; + +- register_netdevice_notifier(&netvsc_netdev_notifier); + return 0; ++ ++err_vmbus_reg: ++ unregister_netdevice_notifier(&netvsc_netdev_notifier); ++ return ret; + } + + MODULE_LICENSE("GPL"); diff --git a/queue-5.15/hv_netvsc-mark-vf-as-slave-before-exposing-it-to-user-mode.patch b/queue-5.15/hv_netvsc-mark-vf-as-slave-before-exposing-it-to-user-mode.patch new file mode 100644 index 00000000000..4fc26817b7f --- /dev/null +++ b/queue-5.15/hv_netvsc-mark-vf-as-slave-before-exposing-it-to-user-mode.patch @@ -0,0 +1,95 @@ +From c807d6cd089d2f4951baa838081ec5ae3e2360f8 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Sun, 19 Nov 2023 08:23:43 -0800 +Subject: hv_netvsc: Mark VF as slave before exposing it to user-mode + +From: Long Li + +commit c807d6cd089d2f4951baa838081ec5ae3e2360f8 upstream. + +When a VF is being exposed form the kernel, it should be marked as "slave" +before exposing to the user-mode. The VF is not usable without netvsc +running as master. The user-mode should never see a VF without the "slave" +flag. + +This commit moves the code of setting the slave flag to the time before +VF is exposed to user-mode. + +Cc: stable@vger.kernel.org +Fixes: 0c195567a8f6 ("netvsc: transparent VF management") +Signed-off-by: Long Li +Signed-off-by: Haiyang Zhang +Acked-by: Stephen Hemminger +Acked-by: Dexuan Cui +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 32 +++++++++++++++++++++++--------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2227,9 +2227,6 @@ static int netvsc_vf_join(struct net_dev + goto upper_link_failed; + } + +- /* set slave flag before open to prevent IPv6 addrconf */ +- vf_netdev->flags |= IFF_SLAVE; +- + schedule_delayed_work(&ndev_ctx->vf_takeover, VF_TAKEOVER_INT); + + call_netdevice_notifiers(NETDEV_JOIN, vf_netdev); +@@ -2336,16 +2333,18 @@ static struct net_device *get_netvsc_bys + + } + +- /* Fallback path to check synthetic vf with +- * help of mac addr ++ /* Fallback path to check synthetic vf with help of mac addr. ++ * Because this function can be called before vf_netdev is ++ * initialized (NETDEV_POST_INIT) when its perm_addr has not been copied ++ * from dev_addr, also try to match to its dev_addr. ++ * Note: On Hyper-V and Azure, it's not possible to set a MAC address ++ * on a VF that matches to the MAC of a unrelated NETVSC device. + */ + list_for_each_entry(ndev_ctx, &netvsc_dev_list, list) { + ndev = hv_get_drvdata(ndev_ctx->device_ctx); +- if (ether_addr_equal(vf_netdev->perm_addr, ndev->perm_addr)) { +- netdev_notice(vf_netdev, +- "falling back to mac addr based matching\n"); ++ if (ether_addr_equal(vf_netdev->perm_addr, ndev->perm_addr) || ++ ether_addr_equal(vf_netdev->dev_addr, ndev->perm_addr)) + return ndev; +- } + } + + netdev_notice(vf_netdev, +@@ -2353,6 +2352,19 @@ static struct net_device *get_netvsc_bys + return NULL; + } + ++static int netvsc_prepare_bonding(struct net_device *vf_netdev) ++{ ++ struct net_device *ndev; ++ ++ ndev = get_netvsc_byslot(vf_netdev); ++ if (!ndev) ++ return NOTIFY_DONE; ++ ++ /* set slave flag before open to prevent IPv6 addrconf */ ++ vf_netdev->flags |= IFF_SLAVE; ++ return NOTIFY_DONE; ++} ++ + static int netvsc_register_vf(struct net_device *vf_netdev) + { + struct net_device_context *net_device_ctx; +@@ -2772,6 +2784,8 @@ static int netvsc_netdev_event(struct no + return NOTIFY_DONE; + + switch (event) { ++ case NETDEV_POST_INIT: ++ return netvsc_prepare_bonding(event_dev); + case NETDEV_REGISTER: + return netvsc_register_vf(event_dev); + case NETDEV_UNREGISTER: diff --git a/queue-5.15/io_uring-fs-consider-link-flags-when-getting-path-for-linkat.patch b/queue-5.15/io_uring-fs-consider-link-flags-when-getting-path-for-linkat.patch new file mode 100644 index 00000000000..de8fd29b9e0 --- /dev/null +++ b/queue-5.15/io_uring-fs-consider-link-flags-when-getting-path-for-linkat.patch @@ -0,0 +1,35 @@ +From 8479063f1fbee201a8739130e816cc331b675838 Mon Sep 17 00:00:00 2001 +From: Charles Mirabile +Date: Mon, 20 Nov 2023 05:55:45 -0500 +Subject: io_uring/fs: consider link->flags when getting path for LINKAT + +From: Charles Mirabile + +commit 8479063f1fbee201a8739130e816cc331b675838 upstream. + +In order for `AT_EMPTY_PATH` to work as expected, the fact +that the user wants that behavior needs to make it to `getname_flags` +or it will return ENOENT. + +Fixes: cf30da90bc3a ("io_uring: add support for IORING_OP_LINKAT") +Cc: +Link: https://github.com/axboe/liburing/issues/995 +Signed-off-by: Charles Mirabile +Link: https://lore.kernel.org/r/20231120105545.1209530-1-cmirabil@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -4049,7 +4049,7 @@ static int io_linkat_prep(struct io_kioc + newf = u64_to_user_ptr(READ_ONCE(sqe->addr2)); + lnk->flags = READ_ONCE(sqe->hardlink_flags); + +- lnk->oldpath = getname(oldf); ++ lnk->oldpath = getname_uflags(oldf, lnk->flags); + if (IS_ERR(lnk->oldpath)) + return PTR_ERR(lnk->oldpath); + diff --git a/queue-5.15/md-fix-bi_status-reporting-in-md_end_clone_io.patch b/queue-5.15/md-fix-bi_status-reporting-in-md_end_clone_io.patch new file mode 100644 index 00000000000..65c0d72afe2 --- /dev/null +++ b/queue-5.15/md-fix-bi_status-reporting-in-md_end_clone_io.patch @@ -0,0 +1,44 @@ +From 45b478951b2ba5aea70b2850c49c1aa83aedd0d2 Mon Sep 17 00:00:00 2001 +From: Song Liu +Date: Fri, 17 Nov 2023 15:56:30 -0800 +Subject: md: fix bi_status reporting in md_end_clone_io + +From: Song Liu + +commit 45b478951b2ba5aea70b2850c49c1aa83aedd0d2 upstream. + +md_end_clone_io() may overwrite error status in orig_bio->bi_status with +BLK_STS_OK. This could happen when orig_bio has BIO_CHAIN (split by +md_submit_bio => bio_split_to_limits, for example). As a result, upper +layer may miss error reported from md (or the device) and consider the +failed IO was successful. + +Fix this by only update orig_bio->bi_status when current bio reports +error and orig_bio is BLK_STS_OK. This is the same behavior as +__bio_chain_endio(). + +Fixes: 10764815ff47 ("md: add io accounting for raid0 and raid5") +Cc: stable@vger.kernel.org # v5.14+ +Reported-by: Bhanu Victor DiCara <00bvd0+linux@gmail.com> +Closes: https://lore.kernel.org/regressions/5727380.DvuYhMxLoT@bvd0/ +Signed-off-by: Song Liu +Tested-by: Xiao Ni +Reviewed-by: Yu Kuai +Acked-by: Guoqing Jiang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8627,7 +8627,8 @@ static void md_end_io_acct(struct bio *b + struct md_io_acct *md_io_acct = bio->bi_private; + struct bio *orig_bio = md_io_acct->orig_bio; + +- orig_bio->bi_status = bio->bi_status; ++ if (bio->bi_status && !orig_bio->bi_status) ++ orig_bio->bi_status = bio->bi_status; + + bio_end_io_acct(orig_bio, md_io_acct->start_time); + bio_put(bio); diff --git a/queue-5.15/s390-dasd-protect-device-queue-against-concurrent-access.patch b/queue-5.15/s390-dasd-protect-device-queue-against-concurrent-access.patch new file mode 100644 index 00000000000..e34ac2cf836 --- /dev/null +++ b/queue-5.15/s390-dasd-protect-device-queue-against-concurrent-access.patch @@ -0,0 +1,69 @@ +From db46cd1e0426f52999d50fa72cfa97fa39952885 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20H=C3=B6ppner?= +Date: Wed, 25 Oct 2023 15:24:37 +0200 +Subject: s390/dasd: protect device queue against concurrent access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Höppner + +commit db46cd1e0426f52999d50fa72cfa97fa39952885 upstream. + +In dasd_profile_start() the amount of requests on the device queue are +counted. The access to the device queue is unprotected against +concurrent access. With a lot of parallel I/O, especially with alias +devices enabled, the device queue can change while dasd_profile_start() +is accessing the queue. In the worst case this leads to a kernel panic +due to incorrect pointer accesses. + +Fix this by taking the device lock before accessing the queue and +counting the requests. Additionally the check for a valid profile data +pointer can be done earlier to avoid unnecessary locking in a hot path. + +Cc: +Fixes: 4fa52aa7a82f ("[S390] dasd: add enhanced DASD statistics interface") +Reviewed-by: Stefan Haberland +Signed-off-by: Jan Höppner +Signed-off-by: Stefan Haberland +Link: https://lore.kernel.org/r/20231025132437.1223363-3-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -697,18 +697,20 @@ static void dasd_profile_start(struct da + * we count each request only once. + */ + device = cqr->startdev; +- if (device->profile.data) { +- counter = 1; /* request is not yet queued on the start device */ +- list_for_each(l, &device->ccw_queue) +- if (++counter >= 31) +- break; +- } ++ if (!device->profile.data) ++ return; ++ ++ spin_lock(get_ccwdev_lock(device->cdev)); ++ counter = 1; /* request is not yet queued on the start device */ ++ list_for_each(l, &device->ccw_queue) ++ if (++counter >= 31) ++ break; ++ spin_unlock(get_ccwdev_lock(device->cdev)); ++ + spin_lock(&device->profile.lock); +- if (device->profile.data) { +- device->profile.data->dasd_io_nr_req[counter]++; +- if (rq_data_dir(req) == READ) +- device->profile.data->dasd_read_nr_req[counter]++; +- } ++ device->profile.data->dasd_io_nr_req[counter]++; ++ if (rq_data_dir(req) == READ) ++ device->profile.data->dasd_read_nr_req[counter]++; + spin_unlock(&device->profile.lock); + } + diff --git a/queue-5.15/series b/queue-5.15/series index ecffbf8b2af..78b8940a97c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -41,3 +41,13 @@ ext4-fix-slab-use-after-free-in-ext4_es_insert_exten.patch ext4-make-sure-allocate-pending-entry-not-fail.patch tracing-kprobes-return-eaddrnotavail-when-func-matches-several-symbols.patch proc-sysctl-prevent-aliased-sysctls-from-getting-passed-to-init.patch +acpi-resource-skip-irq-override-on-asus-expertbook-b1402cva.patch +swiotlb-xen-provide-the-max_mapping_size-method.patch +bcache-replace-a-mistaken-is_err-by-is_err_or_null-in-btree_gc_coalesce.patch +md-fix-bi_status-reporting-in-md_end_clone_io.patch +bcache-fixup-multi-threaded-bch_sectors_dirty_init-wake-up-race.patch +io_uring-fs-consider-link-flags-when-getting-path-for-linkat.patch +s390-dasd-protect-device-queue-against-concurrent-access.patch +usb-serial-option-add-luat-air72-u-series-products.patch +hv_netvsc-fix-race-of-register_netdevice_notifier-and-vf-register.patch +hv_netvsc-mark-vf-as-slave-before-exposing-it-to-user-mode.patch diff --git a/queue-5.15/swiotlb-xen-provide-the-max_mapping_size-method.patch b/queue-5.15/swiotlb-xen-provide-the-max_mapping_size-method.patch new file mode 100644 index 00000000000..e3adabbea2b --- /dev/null +++ b/queue-5.15/swiotlb-xen-provide-the-max_mapping_size-method.patch @@ -0,0 +1,53 @@ +From bff2a2d453a1b683378b4508b86b84389f551a00 Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Mon, 6 Nov 2023 18:12:30 +0100 +Subject: swiotlb-xen: provide the "max_mapping_size" method +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Keith Busch + +commit bff2a2d453a1b683378b4508b86b84389f551a00 upstream. + +There's a bug that when using the XEN hypervisor with bios with large +multi-page bio vectors on NVMe, the kernel deadlocks [1]. + +The deadlocks are caused by inability to map a large bio vector - +dma_map_sgtable always returns an error, this gets propagated to the block +layer as BLK_STS_RESOURCE and the block layer retries the request +indefinitely. + +XEN uses the swiotlb framework to map discontiguous pages into contiguous +runs that are submitted to the PCIe device. The swiotlb framework has a +limitation on the length of a mapping - this needs to be announced with +the max_mapping_size method to make sure that the hardware drivers do not +create larger mappings. + +Without max_mapping_size, the NVMe block driver would create large +mappings that overrun the maximum mapping size. + +Reported-by: Marek Marczykowski-Górecki +Link: https://lore.kernel.org/stable/ZTNH0qtmint%2FzLJZ@mail-itl/ [1] +Tested-by: Marek Marczykowski-Górecki +Suggested-by: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Keith Busch +Signed-off-by: Mikulas Patocka +Acked-by: Stefano Stabellini +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/151bef41-e817-aea9-675-a35fdac4ed@redhat.com +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/swiotlb-xen.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -564,4 +564,5 @@ const struct dma_map_ops xen_swiotlb_dma + .get_sgtable = dma_common_get_sgtable, + .alloc_pages = dma_common_alloc_pages, + .free_pages = dma_common_free_pages, ++ .max_mapping_size = swiotlb_max_mapping_size, + }; diff --git a/queue-5.15/usb-serial-option-add-luat-air72-u-series-products.patch b/queue-5.15/usb-serial-option-add-luat-air72-u-series-products.patch new file mode 100644 index 00000000000..ca56d1ec0d9 --- /dev/null +++ b/queue-5.15/usb-serial-option-add-luat-air72-u-series-products.patch @@ -0,0 +1,68 @@ +From da90e45d5afc4da2de7cd3ea7943d0f1baa47cc2 Mon Sep 17 00:00:00 2001 +From: Asuna Yang +Date: Wed, 22 Nov 2023 22:18:03 +0800 +Subject: USB: serial: option: add Luat Air72*U series products + +From: Asuna Yang + +commit da90e45d5afc4da2de7cd3ea7943d0f1baa47cc2 upstream. + +Update the USB serial option driver support for Luat Air72*U series +products. + +ID 1782:4e00 Spreadtrum Communications Inc. UNISOC-8910 + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1782 ProdID=4e00 Rev=00.00 +S: Manufacturer=UNISOC +S: Product=UNISOC-8910 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=400mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=4096ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +If#= 2: AT +If#= 3: PPP + AT +If#= 4: Debug + +Co-developed-by: Yangyu Chen +Signed-off-by: Yangyu Chen +Signed-off-by: Asuna Yang +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -609,6 +609,8 @@ static void option_instat_callback(struc + #define UNISOC_VENDOR_ID 0x1782 + /* TOZED LT70-C based on UNISOC SL8563 uses UNISOC's vendor ID */ + #define TOZED_PRODUCT_LT70C 0x4055 ++/* Luat Air72*U series based on UNISOC UIS8910 uses UNISOC's vendor ID */ ++#define LUAT_PRODUCT_AIR720U 0x4e00 + + /* Device flags */ + +@@ -2271,6 +2273,7 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids);