From: Greg Kroah-Hartman Date: Tue, 30 Jul 2024 14:13:53 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.103~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5126a42064bc1364e5d8f11bdbf1d10e1b010dc0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bluetooth-btusb-add-realtek-rtl8852be-support-id-0x13d3-0x3591.patch bluetooth-btusb-add-rtl8852be-device-0489-e125-to-device-tables.patch bpf-synchronize-dispatcher-update-with-bpf_dispatcher_xdp_func.patch io_uring-io-wq-limit-retrying-worker-initialisation.patch nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch pci-introduce-cleanup-helpers-for-device-reference-counts-and-locks.patch wifi-mac80211-allow-nss-change-only-up-to-capability.patch wifi-mac80211-track-capability-opmode-nss-separately.patch --- diff --git a/queue-6.1/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x13d3-0x3591.patch b/queue-6.1/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x13d3-0x3591.patch new file mode 100644 index 00000000000..8533ad520ff --- /dev/null +++ b/queue-6.1/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x13d3-0x3591.patch @@ -0,0 +1,65 @@ +From 473a89b4ed7fd52a419340f7c540d5c8fc96fc75 Mon Sep 17 00:00:00 2001 +From: WangYuli +Date: Sat, 22 Jun 2024 12:09:59 +0800 +Subject: Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 + +From: WangYuli + +commit 473a89b4ed7fd52a419340f7c540d5c8fc96fc75 upstream. + +Add the support ID(0x13d3, 0x3591) to usb_device_id table for +Realtek RTL8852BE. + +The device table is as follows: + +T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=13d3 ProdID=3591 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Cc: stable@vger.kernel.org +Signed-off-by: Wentao Guan +Signed-off-by: WangYuli +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Erpeng Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -545,6 +545,8 @@ static const struct usb_device_id blackl + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x13d3, 0x3571), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x13d3, 0x3591), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe125), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + diff --git a/queue-6.1/bluetooth-btusb-add-rtl8852be-device-0489-e125-to-device-tables.patch b/queue-6.1/bluetooth-btusb-add-rtl8852be-device-0489-e125-to-device-tables.patch new file mode 100644 index 00000000000..d45521bd0d5 --- /dev/null +++ b/queue-6.1/bluetooth-btusb-add-rtl8852be-device-0489-e125-to-device-tables.patch @@ -0,0 +1,63 @@ +From 295ef07a9dae6182ad4b689aa8c6a7dbba21474c Mon Sep 17 00:00:00 2001 +From: Hilda Wu +Date: Mon, 17 Jun 2024 17:05:18 +0800 +Subject: Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables + +From: Hilda Wu + +commit 295ef07a9dae6182ad4b689aa8c6a7dbba21474c upstream. + +Add the support ID 0489:e125 to usb_device_id table for +Realtek RTL8852B chip. + +The device info from /sys/kernel/debug/usb/devices as below. + +T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=03 Dev#= 5 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e125 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Hilda Wu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Erpeng Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -545,6 +545,8 @@ static const struct usb_device_id blackl + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x13d3, 0x3571), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0489, 0xe125), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + + /* Realtek Bluetooth devices */ + { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01), diff --git a/queue-6.1/bpf-synchronize-dispatcher-update-with-bpf_dispatcher_xdp_func.patch b/queue-6.1/bpf-synchronize-dispatcher-update-with-bpf_dispatcher_xdp_func.patch new file mode 100644 index 00000000000..71ce0012119 --- /dev/null +++ b/queue-6.1/bpf-synchronize-dispatcher-update-with-bpf_dispatcher_xdp_func.patch @@ -0,0 +1,69 @@ +From 4121d4481b72501aa4d22680be4ea1096d69d133 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Wed, 14 Dec 2022 13:35:42 +0100 +Subject: bpf: Synchronize dispatcher update with bpf_dispatcher_xdp_func + +From: Jiri Olsa + +commit 4121d4481b72501aa4d22680be4ea1096d69d133 upstream. + +Hao Sun reported crash in dispatcher image [1]. + +Currently we don't have any sync between bpf_dispatcher_update and +bpf_dispatcher_xdp_func, so following race is possible: + + cpu 0: cpu 1: + + bpf_prog_run_xdp + ... + bpf_dispatcher_xdp_func + in image at offset 0x0 + + bpf_dispatcher_update + update image at offset 0x800 + bpf_dispatcher_update + update image at offset 0x0 + + in image at offset 0x0 -> crash + +Fixing this by synchronizing dispatcher image update (which is done +in bpf_dispatcher_update function) with bpf_dispatcher_xdp_func that +reads and execute the dispatcher image. + +Calling synchronize_rcu after updating and installing new image ensures +that readers leave old image before it's changed in the next dispatcher +update. The update itself is locked with dispatcher's mutex. + +The bpf_prog_run_xdp is called under local_bh_disable and synchronize_rcu +will wait for it to leave [2]. + +[1] https://lore.kernel.org/bpf/Y5SFho7ZYXr9ifRn@krava/T/#m00c29ece654bc9f332a17df493bbca33e702896c +[2] https://lore.kernel.org/bpf/0B62D35A-E695-4B7A-A0D4-774767544C1A@gmail.com/T/#mff43e2c003ae99f4a38f353c7969be4c7162e877 + +Reported-by: Hao Sun +Signed-off-by: Jiri Olsa +Acked-by: Yonghong Song +Acked-by: Paul E. McKenney +Link: https://lore.kernel.org/r/20221214123542.1389719-1-jolsa@kernel.org +Signed-off-by: Martin KaFai Lau +Reported-by: syzbot+08ba1e474d350b613604@syzkaller.appspotmail.com +Signed-off-by: Sergio González Collado +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/dispatcher.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/bpf/dispatcher.c ++++ b/kernel/bpf/dispatcher.c +@@ -125,6 +125,11 @@ static void bpf_dispatcher_update(struct + + __BPF_DISPATCHER_UPDATE(d, new ?: (void *)&bpf_dispatcher_nop_func); + ++ /* Make sure all the callers executing the previous/old half of the ++ * image leave it, so following update call can modify it safely. ++ */ ++ synchronize_rcu(); ++ + if (new) + d->image_off = noff; + } diff --git a/queue-6.1/io_uring-io-wq-limit-retrying-worker-initialisation.patch b/queue-6.1/io_uring-io-wq-limit-retrying-worker-initialisation.patch new file mode 100644 index 00000000000..b151f0465c6 --- /dev/null +++ b/queue-6.1/io_uring-io-wq-limit-retrying-worker-initialisation.patch @@ -0,0 +1,84 @@ +From 0453aad676ff99787124b9b3af4a5f59fbe808e2 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 10 Jul 2024 18:58:17 +0100 +Subject: io_uring/io-wq: limit retrying worker initialisation + +From: Pavel Begunkov + +commit 0453aad676ff99787124b9b3af4a5f59fbe808e2 upstream. + +If io-wq worker creation fails, we retry it by queueing up a task_work. +tasK_work is needed because it should be done from the user process +context. The problem is that retries are not limited, and if queueing a +task_work is the reason for the failure, we might get into an infinite +loop. + +It doesn't seem to happen now but it would with the following patch +executing task_work in the freezer's loop. For now, arbitrarily limit the +number of attempts to create a worker. + +Cc: stable@vger.kernel.org +Fixes: 3146cba99aa28 ("io-wq: make worker creation resilient against signals") +Reported-by: Julian Orth +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/8280436925db88448c7c85c6656edee1a43029ea.1720634146.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io-wq.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -22,6 +22,7 @@ + #include "io_uring.h" + + #define WORKER_IDLE_TIMEOUT (5 * HZ) ++#define WORKER_INIT_LIMIT 3 + + enum { + IO_WORKER_F_UP = 1, /* up and active */ +@@ -58,6 +59,7 @@ struct io_worker { + unsigned long create_state; + struct callback_head create_work; + int create_index; ++ int init_retries; + + union { + struct rcu_head rcu; +@@ -729,7 +731,7 @@ static bool io_wq_work_match_all(struct + return true; + } + +-static inline bool io_should_retry_thread(long err) ++static inline bool io_should_retry_thread(struct io_worker *worker, long err) + { + /* + * Prevent perpetual task_work retry, if the task (or its group) is +@@ -737,6 +739,8 @@ static inline bool io_should_retry_threa + */ + if (fatal_signal_pending(current)) + return false; ++ if (worker->init_retries++ >= WORKER_INIT_LIMIT) ++ return false; + + switch (err) { + case -EAGAIN: +@@ -763,7 +767,7 @@ static void create_worker_cont(struct ca + io_init_new_worker(wqe, worker, tsk); + io_worker_release(worker); + return; +- } else if (!io_should_retry_thread(PTR_ERR(tsk))) { ++ } else if (!io_should_retry_thread(worker, PTR_ERR(tsk))) { + struct io_wqe_acct *acct = io_wqe_get_acct(worker); + + atomic_dec(&acct->nr_running); +@@ -830,7 +834,7 @@ fail: + tsk = create_io_thread(io_wqe_worker, worker, wqe->node); + if (!IS_ERR(tsk)) { + io_init_new_worker(wqe, worker, tsk); +- } else if (!io_should_retry_thread(PTR_ERR(tsk))) { ++ } else if (!io_should_retry_thread(worker, PTR_ERR(tsk))) { + kfree(worker); + goto fail; + } else { diff --git a/queue-6.1/nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch b/queue-6.1/nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch new file mode 100644 index 00000000000..6660c7e327c --- /dev/null +++ b/queue-6.1/nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch @@ -0,0 +1,97 @@ +From 4811f7af6090e8f5a398fbdd766f903ef6c0d787 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Thu, 25 Jul 2024 14:20:07 +0900 +Subject: nilfs2: handle inconsistent state in nilfs_btnode_create_block() + +From: Ryusuke Konishi + +commit 4811f7af6090e8f5a398fbdd766f903ef6c0d787 upstream. + +Syzbot reported that a buffer state inconsistency was detected in +nilfs_btnode_create_block(), triggering a kernel bug. + +It is not appropriate to treat this inconsistency as a bug; it can occur +if the argument block address (the buffer index of the newly created +block) is a virtual block number and has been reallocated due to +corruption of the bitmap used to manage its allocation state. + +So, modify nilfs_btnode_create_block() and its callers to treat it as a +possible filesystem error, rather than triggering a kernel bug. + +Link: https://lkml.kernel.org/r/20240725052007.4562-1-konishi.ryusuke@gmail.com +Fixes: a60be987d45d ("nilfs2: B-tree node cache") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+89cc4f2324ed37988b60@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=89cc4f2324ed37988b60 +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/btnode.c | 25 ++++++++++++++++++++----- + fs/nilfs2/btree.c | 4 ++-- + 2 files changed, 22 insertions(+), 7 deletions(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -51,12 +51,21 @@ nilfs_btnode_create_block(struct address + + bh = nilfs_grab_buffer(inode, btnc, blocknr, BIT(BH_NILFS_Node)); + if (unlikely(!bh)) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + if (unlikely(buffer_mapped(bh) || buffer_uptodate(bh) || + buffer_dirty(bh))) { +- brelse(bh); +- BUG(); ++ /* ++ * The block buffer at the specified new address was already ++ * in use. This can happen if it is a virtual block number ++ * and has been reallocated due to corruption of the bitmap ++ * used to manage its allocation state (if not, the buffer ++ * clearing of an abandoned b-tree node is missing somewhere). ++ */ ++ nilfs_error(inode->i_sb, ++ "state inconsistency probably due to duplicate use of b-tree node block address %llu (ino=%lu)", ++ (unsigned long long)blocknr, inode->i_ino); ++ goto failed; + } + memset(bh->b_data, 0, i_blocksize(inode)); + bh->b_bdev = inode->i_sb->s_bdev; +@@ -67,6 +76,12 @@ nilfs_btnode_create_block(struct address + unlock_page(bh->b_page); + put_page(bh->b_page); + return bh; ++ ++failed: ++ unlock_page(bh->b_page); ++ put_page(bh->b_page); ++ brelse(bh); ++ return ERR_PTR(-EIO); + } + + int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr, +@@ -217,8 +232,8 @@ retry: + } + + nbh = nilfs_btnode_create_block(btnc, newkey); +- if (!nbh) +- return -ENOMEM; ++ if (IS_ERR(nbh)) ++ return PTR_ERR(nbh); + + BUG_ON(nbh == obh); + ctxt->newbh = nbh; +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -63,8 +63,8 @@ static int nilfs_btree_get_new_block(con + struct buffer_head *bh; + + bh = nilfs_btnode_create_block(btnc, ptr); +- if (!bh) +- return -ENOMEM; ++ if (IS_ERR(bh)) ++ return PTR_ERR(bh); + + set_buffer_nilfs_volatile(bh); + *bhp = bh; diff --git a/queue-6.1/pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch b/queue-6.1/pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch new file mode 100644 index 00000000000..088546ce40a --- /dev/null +++ b/queue-6.1/pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch @@ -0,0 +1,87 @@ +From 11a1f4bc47362700fcbde717292158873fb847ed Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 18 Jun 2024 12:54:55 +0200 +Subject: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Wunner + +commit 11a1f4bc47362700fcbde717292158873fb847ed upstream. + +Keith reports a use-after-free when a DPC event occurs concurrently to +hot-removal of the same portion of the hierarchy: + +The dpc_handler() awaits readiness of the secondary bus below the +Downstream Port where the DPC event occurred. To do so, it polls the +config space of the first child device on the secondary bus. If that +child device is concurrently removed, accesses to its struct pci_dev +cause the kernel to oops. + +That's because pci_bridge_wait_for_secondary_bus() neglects to hold a +reference on the child device. Before v6.3, the function was only +called on resume from system sleep or on runtime resume. Holding a +reference wasn't necessary back then because the pciehp IRQ thread +could never run concurrently. (On resume from system sleep, IRQs are +not enabled until after the resume_noirq phase. And runtime resume is +always awaited before a PCI device is removed.) + +However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also +called on a DPC event. Commit 53b54ad074de ("PCI/DPC: Await readiness +of secondary bus after reset"), which introduced that, failed to +appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a +reference on the child device because dpc_handler() and pciehp may +indeed run concurrently. The commit was backported to v5.10+ stable +kernels, so that's the oldest one affected. + +Add the missing reference acquisition. + +Abridged stack trace: + + BUG: unable to handle page fault for address: 00000000091400c0 + CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 + RIP: pci_bus_read_config_dword+0x17/0x50 + pci_dev_wait() + pci_bridge_wait_for_secondary_bus() + dpc_reset_link() + pcie_do_recovery() + dpc_handler() + +Fixes: 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset") +Closes: https://lore.kernel.org/r/20240612181625.3604512-3-kbusch@meta.com/ +Link: https://lore.kernel.org/linux-pci/8e4bcd4116fd94f592f2bf2749f168099c480ddf.1718707743.git.lukas@wunner.de +Reported-by: Keith Busch +Tested-by: Keith Busch +Signed-off-by: Lukas Wunner +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Keith Busch +Reviewed-by: Mika Westerberg +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5007,7 +5007,7 @@ static int pci_bus_max_d3cold_delay(cons + int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type, + int timeout) + { +- struct pci_dev *child; ++ struct pci_dev *child __free(pci_dev_put) = NULL; + int delay; + + if (pci_dev_is_disconnected(dev)) +@@ -5036,8 +5036,8 @@ int pci_bridge_wait_for_secondary_bus(st + return 0; + } + +- child = list_first_entry(&dev->subordinate->devices, struct pci_dev, +- bus_list); ++ child = pci_dev_get(list_first_entry(&dev->subordinate->devices, ++ struct pci_dev, bus_list)); + up_read(&pci_bus_sem); + + /* diff --git a/queue-6.1/pci-introduce-cleanup-helpers-for-device-reference-counts-and-locks.patch b/queue-6.1/pci-introduce-cleanup-helpers-for-device-reference-counts-and-locks.patch new file mode 100644 index 00000000000..b033b7740ab --- /dev/null +++ b/queue-6.1/pci-introduce-cleanup-helpers-for-device-reference-counts-and-locks.patch @@ -0,0 +1,88 @@ +From ced085ef369af7a2b6da962ec2fbd01339f60693 Mon Sep 17 00:00:00 2001 +From: Ira Weiny +Date: Wed, 20 Dec 2023 16:17:35 -0800 +Subject: PCI: Introduce cleanup helpers for device reference counts and locks + +From: Ira Weiny + +commit ced085ef369af7a2b6da962ec2fbd01339f60693 upstream. + +The "goto error" pattern is notorious for introducing subtle resource +leaks. Use the new cleanup.h helpers for PCI device reference counts and +locks. + +Similar to the new put_device() and device_lock() cleanup helpers, +__free(put_device) and guard(device), define the same for PCI devices, +__free(pci_dev_put) and guard(pci_dev). These helpers eliminate the +need for "goto free;" and "goto unlock;" patterns. For example, A +'struct pci_dev *' instance declared as: + + struct pci_dev *pdev __free(pci_dev_put) = NULL; + +...will automatically call pci_dev_put() if @pdev is non-NULL when @pdev +goes out of scope (automatic variable scope). If a function wants to +invoke pci_dev_put() on error, but return @pdev on success, it can do: + + return no_free_ptr(pdev); + +...or: + + return_ptr(pdev); + +For potential cleanup opportunity there are 587 open-coded calls to +pci_dev_put() in the kernel with 65 instances within 10 lines of a goto +statement with the CXL driver threatening to add another one. + +The guard() helper holds the associated lock for the remainder of the +current scope in which it was invoked. So, for example: + + func(...) + { + if (...) { + ... + guard(pci_dev); /* pci_dev_lock() invoked here */ + ... + } /* <- implied pci_dev_unlock() triggered here */ + } + +There are 15 invocations of pci_dev_unlock() in the kernel with 5 +instances within 10 lines of a goto statement. Again, the CXL driver is +threatening to add another. + +Introduce these helpers to preclude the addition of new more error prone +goto put; / goto unlock; sequences. For now, these helpers are used in +drivers/cxl/pci.c to allow ACPI error reports to be fed back into the +CXL driver associated with the PCI device identified in the report. + +Cc: Bjorn Helgaas +Signed-off-by: Ira Weiny +Link: https://lore.kernel.org/r/20231220-cxl-cper-v5-8-1bb8a4ca2c7a@intel.com +[djbw: rewrite changelog] +Acked-by: Bjorn Helgaas +Reviewed-by: Jonathan Cameron +Acked-by: Ard Biesheuvel +Signed-off-by: Dan Williams +Signed-off-by: Lukas Wunner +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/pci.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1138,6 +1138,7 @@ int pci_get_interrupt_pin(struct pci_dev + u8 pci_common_swizzle(struct pci_dev *dev, u8 *pinp); + struct pci_dev *pci_dev_get(struct pci_dev *dev); + void pci_dev_put(struct pci_dev *dev); ++DEFINE_FREE(pci_dev_put, struct pci_dev *, if (_T) pci_dev_put(_T)) + void pci_remove_bus(struct pci_bus *b); + void pci_stop_and_remove_bus_device(struct pci_dev *dev); + void pci_stop_and_remove_bus_device_locked(struct pci_dev *dev); +@@ -1746,6 +1747,7 @@ void pci_cfg_access_unlock(struct pci_de + void pci_dev_lock(struct pci_dev *dev); + int pci_dev_trylock(struct pci_dev *dev); + void pci_dev_unlock(struct pci_dev *dev); ++DEFINE_GUARD(pci_dev, struct pci_dev *, pci_dev_lock(_T), pci_dev_unlock(_T)) + + /* + * PCI domain support. Sometimes called PCI segment (eg by ACPI), diff --git a/queue-6.1/series b/queue-6.1/series index 77c364a2e08..e570b18f1e7 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -381,3 +381,12 @@ drm-etnaviv-don-t-block-scheduler-when-gpu-is-still-active.patch drm-panfrost-mark-simple_ondemand-governor-as-softdep.patch rbd-rename-rbd_lock_state_releasing-and-releasing_wait.patch rbd-don-t-assume-rbd_lock_state_locked-for-exclusive-mappings.patch +bpf-synchronize-dispatcher-update-with-bpf_dispatcher_xdp_func.patch +bluetooth-btusb-add-rtl8852be-device-0489-e125-to-device-tables.patch +bluetooth-btusb-add-realtek-rtl8852be-support-id-0x13d3-0x3591.patch +nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch +pci-introduce-cleanup-helpers-for-device-reference-counts-and-locks.patch +pci-dpc-fix-use-after-free-on-concurrent-dpc-and-hot-removal.patch +io_uring-io-wq-limit-retrying-worker-initialisation.patch +wifi-mac80211-allow-nss-change-only-up-to-capability.patch +wifi-mac80211-track-capability-opmode-nss-separately.patch diff --git a/queue-6.1/wifi-mac80211-allow-nss-change-only-up-to-capability.patch b/queue-6.1/wifi-mac80211-allow-nss-change-only-up-to-capability.patch new file mode 100644 index 00000000000..893b8ec642e --- /dev/null +++ b/queue-6.1/wifi-mac80211-allow-nss-change-only-up-to-capability.patch @@ -0,0 +1,73 @@ +From 57b341e9ab13e5688491bfd54f8b5502416c8905 Mon Sep 17 00:00:00 2001 +From: Rameshkumar Sundaram +Date: Tue, 7 Feb 2023 17:11:46 +0530 +Subject: wifi: mac80211: Allow NSS change only up to capability + +From: Rameshkumar Sundaram + +commit 57b341e9ab13e5688491bfd54f8b5502416c8905 upstream. + +Stations can update bandwidth/NSS change in +VHT action frame with action type Operating Mode Notification. +(IEEE Std 802.11-2020 - 9.4.1.53 Operating Mode field) + +For Operating Mode Notification, an RX NSS change to a value +greater than AP's maximum NSS should not be allowed. +During fuzz testing, by forcefully sending VHT Op. mode notif. +frames from STA with random rx_nss values, it is found that AP +accepts rx_nss values greater that APs maximum NSS instead of +discarding such NSS change. + +Hence allow NSS change only up to maximum NSS that is negotiated +and capped to AP's capability during association. + +Signed-off-by: Rameshkumar Sundaram +Link: https://lore.kernel.org/r/20230207114146.10567-1-quic_ramess@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Hauke Mehrtens +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/vht.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +--- a/net/mac80211/vht.c ++++ b/net/mac80211/vht.c +@@ -637,7 +637,7 @@ u32 __ieee80211_vht_handle_opmode(struct + enum ieee80211_sta_rx_bandwidth new_bw; + struct sta_opmode_info sta_opmode = {}; + u32 changed = 0; +- u8 nss; ++ u8 nss, cur_nss; + + /* ignore - no support for BF yet */ + if (opmode & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF) +@@ -648,10 +648,25 @@ u32 __ieee80211_vht_handle_opmode(struct + nss += 1; + + if (link_sta->pub->rx_nss != nss) { +- link_sta->pub->rx_nss = nss; +- sta_opmode.rx_nss = nss; +- changed |= IEEE80211_RC_NSS_CHANGED; +- sta_opmode.changed |= STA_OPMODE_N_SS_CHANGED; ++ cur_nss = link_sta->pub->rx_nss; ++ /* Reset rx_nss and call ieee80211_sta_set_rx_nss() which ++ * will set the same to max nss value calculated based on capability. ++ */ ++ link_sta->pub->rx_nss = 0; ++ ieee80211_sta_set_rx_nss(link_sta); ++ /* Do not allow an nss change to rx_nss greater than max_nss ++ * negotiated and capped to APs capability during association. ++ */ ++ if (nss <= link_sta->pub->rx_nss) { ++ link_sta->pub->rx_nss = nss; ++ sta_opmode.rx_nss = nss; ++ changed |= IEEE80211_RC_NSS_CHANGED; ++ sta_opmode.changed |= STA_OPMODE_N_SS_CHANGED; ++ } else { ++ link_sta->pub->rx_nss = cur_nss; ++ pr_warn_ratelimited("Ignoring NSS change in VHT Operating Mode Notification from %pM with invalid nss %d", ++ link_sta->pub->addr, nss); ++ } + } + + switch (opmode & IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK) { diff --git a/queue-6.1/wifi-mac80211-track-capability-opmode-nss-separately.patch b/queue-6.1/wifi-mac80211-track-capability-opmode-nss-separately.patch new file mode 100644 index 00000000000..824e270dff0 --- /dev/null +++ b/queue-6.1/wifi-mac80211-track-capability-opmode-nss-separately.patch @@ -0,0 +1,191 @@ +From a8bca3e9371dc5e276af4168be099b2a05554c2a Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 28 Feb 2024 12:01:57 +0100 +Subject: wifi: mac80211: track capability/opmode NSS separately + +From: Johannes Berg + +commit a8bca3e9371dc5e276af4168be099b2a05554c2a upstream. + +We're currently tracking rx_nss for each station, and that +is meant to be initialized to the capability NSS and later +reduced by the operating mode notification NSS. + +However, we're mixing up capabilities and operating mode +NSS in the same variable. This forces us to recalculate +the NSS capability on operating mode notification RX, +which is a bit strange; due to the previous fix I had to +never keep rx_nss as zero, it also means that the capa is +never taken into account properly. + +Fix all this by storing the capability value, that can be +recalculated unconditionally whenever needed, and storing +the operating mode notification NSS separately, taking it +into account when assigning the final rx_nss value. + +Cc: stable@vger.kernel.org +Fixes: dd6c064cfc3f ("wifi: mac80211: set station RX-NSS on reconfig") +Reviewed-by: Miriam Rachel Korenblit +Link: https://msgid.link/20240228120157.0e1c41924d1d.I0acaa234e0267227b7e3ef81a59117c8792116bc@changeid +Signed-off-by: Johannes Berg +[Fixed trivial merge conflict in copyright year net/mac80211/sta_info.h] +Signed-off-by: Hauke Mehrtens +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 2 - + net/mac80211/ieee80211_i.h | 2 - + net/mac80211/rate.c | 2 - + net/mac80211/sta_info.h | 6 ++++- + net/mac80211/vht.c | 46 +++++++++++++++++++++------------------------ + 5 files changed, 30 insertions(+), 28 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1775,7 +1775,7 @@ static int sta_link_apply_parameters(str + sband->band); + } + +- ieee80211_sta_set_rx_nss(link_sta); ++ ieee80211_sta_init_nss(link_sta); + + return ret; + } +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -2071,7 +2071,7 @@ enum ieee80211_sta_rx_bandwidth + ieee80211_sta_cap_rx_bw(struct link_sta_info *link_sta); + enum ieee80211_sta_rx_bandwidth + ieee80211_sta_cur_vht_bw(struct link_sta_info *link_sta); +-void ieee80211_sta_set_rx_nss(struct link_sta_info *link_sta); ++void ieee80211_sta_init_nss(struct link_sta_info *link_sta); + enum ieee80211_sta_rx_bandwidth + ieee80211_chan_width_to_rx_bw(enum nl80211_chan_width width); + enum nl80211_chan_width +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -37,7 +37,7 @@ void rate_control_rate_init(struct sta_i + struct ieee80211_supported_band *sband; + struct ieee80211_chanctx_conf *chanctx_conf; + +- ieee80211_sta_set_rx_nss(&sta->deflink); ++ ieee80211_sta_init_nss(&sta->deflink); + + if (!ref) + return; +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -3,7 +3,7 @@ + * Copyright 2002-2005, Devicescape Software, Inc. + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright(c) 2015-2017 Intel Deutschland GmbH +- * Copyright(c) 2020-2022 Intel Corporation ++ * Copyright(c) 2020-2024 Intel Corporation + */ + + #ifndef STA_INFO_H +@@ -485,6 +485,8 @@ struct ieee80211_fragment_cache { + * same for non-MLD STA. This is used as key for searching link STA + * @link_id: Link ID uniquely identifying the link STA. This is 0 for non-MLD + * and set to the corresponding vif LinkId for MLD STA ++ * @op_mode_nss: NSS limit as set by operating mode notification, or 0 ++ * @capa_nss: NSS limit as determined by local and peer capabilities + * @link_hash_node: hash node for rhashtable + * @sta: Points to the STA info + * @gtk: group keys negotiated with this station, if any +@@ -520,6 +522,8 @@ struct link_sta_info { + u8 addr[ETH_ALEN]; + u8 link_id; + ++ u8 op_mode_nss, capa_nss; ++ + struct rhlist_head link_hash_node; + + struct sta_info *sta; +--- a/net/mac80211/vht.c ++++ b/net/mac80211/vht.c +@@ -4,7 +4,7 @@ + * + * Portions of this file + * Copyright(c) 2015 - 2016 Intel Deutschland GmbH +- * Copyright (C) 2018 - 2023 Intel Corporation ++ * Copyright (C) 2018 - 2024 Intel Corporation + */ + + #include +@@ -541,15 +541,11 @@ ieee80211_sta_cur_vht_bw(struct link_sta + return bw; + } + +-void ieee80211_sta_set_rx_nss(struct link_sta_info *link_sta) ++void ieee80211_sta_init_nss(struct link_sta_info *link_sta) + { + u8 ht_rx_nss = 0, vht_rx_nss = 0, he_rx_nss = 0, eht_rx_nss = 0, rx_nss; + bool support_160; + +- /* if we received a notification already don't overwrite it */ +- if (link_sta->pub->rx_nss) +- return; +- + if (link_sta->pub->eht_cap.has_eht) { + int i; + const u8 *rx_nss_mcs = (void *)&link_sta->pub->eht_cap.eht_mcs_nss_supp; +@@ -627,7 +623,15 @@ void ieee80211_sta_set_rx_nss(struct lin + rx_nss = max(vht_rx_nss, ht_rx_nss); + rx_nss = max(he_rx_nss, rx_nss); + rx_nss = max(eht_rx_nss, rx_nss); +- link_sta->pub->rx_nss = max_t(u8, 1, rx_nss); ++ rx_nss = max_t(u8, 1, rx_nss); ++ link_sta->capa_nss = rx_nss; ++ ++ /* that shouldn't be set yet, but we can handle it anyway */ ++ if (link_sta->op_mode_nss) ++ link_sta->pub->rx_nss = ++ min_t(u8, rx_nss, link_sta->op_mode_nss); ++ else ++ link_sta->pub->rx_nss = rx_nss; + } + + u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata, +@@ -637,7 +641,7 @@ u32 __ieee80211_vht_handle_opmode(struct + enum ieee80211_sta_rx_bandwidth new_bw; + struct sta_opmode_info sta_opmode = {}; + u32 changed = 0; +- u8 nss, cur_nss; ++ u8 nss; + + /* ignore - no support for BF yet */ + if (opmode & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF) +@@ -647,23 +651,17 @@ u32 __ieee80211_vht_handle_opmode(struct + nss >>= IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT; + nss += 1; + +- if (link_sta->pub->rx_nss != nss) { +- cur_nss = link_sta->pub->rx_nss; +- /* Reset rx_nss and call ieee80211_sta_set_rx_nss() which +- * will set the same to max nss value calculated based on capability. +- */ +- link_sta->pub->rx_nss = 0; +- ieee80211_sta_set_rx_nss(link_sta); +- /* Do not allow an nss change to rx_nss greater than max_nss +- * negotiated and capped to APs capability during association. +- */ +- if (nss <= link_sta->pub->rx_nss) { +- link_sta->pub->rx_nss = nss; +- sta_opmode.rx_nss = nss; +- changed |= IEEE80211_RC_NSS_CHANGED; +- sta_opmode.changed |= STA_OPMODE_N_SS_CHANGED; ++ if (link_sta->op_mode_nss != nss) { ++ if (nss <= link_sta->capa_nss) { ++ link_sta->op_mode_nss = nss; ++ ++ if (nss != link_sta->pub->rx_nss) { ++ link_sta->pub->rx_nss = nss; ++ changed |= IEEE80211_RC_NSS_CHANGED; ++ sta_opmode.rx_nss = link_sta->pub->rx_nss; ++ sta_opmode.changed |= STA_OPMODE_N_SS_CHANGED; ++ } + } else { +- link_sta->pub->rx_nss = cur_nss; + pr_warn_ratelimited("Ignoring NSS change in VHT Operating Mode Notification from %pM with invalid nss %d", + link_sta->pub->addr, nss); + }