From: Sasha Levin Date: Tue, 29 Apr 2025 01:39:19 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v5.4.293~49 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=673b89b31dc5a93ff1129769ee6f32ee4c8ee0a0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch b/queue-5.15/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch new file mode 100644 index 0000000000..09bd4b4469 --- /dev/null +++ b/queue-5.15/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch @@ -0,0 +1,46 @@ +From 80474352bd34f0a0a8bd521586547ed7ac5addb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:15:42 -0700 +Subject: ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls + +From: Jean-Marc Eurin + +[ Upstream commit 7ab4f0e37a0f4207e742a8de69be03984db6ebf0 ] + +The end of table checks should be done with the structure size, +but 2 of the 3 similar calls use the pointer size. + +Signed-off-by: Jean-Marc Eurin +Link: https://patch.msgid.link/20250402001542.2600671-1-jmeurin@google.com +[ rjw: Subject edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/pptt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c +index fe69dc518f31e..9fa339639d0c0 100644 +--- a/drivers/acpi/pptt.c ++++ b/drivers/acpi/pptt.c +@@ -217,7 +217,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr, + node_entry = ACPI_PTR_DIFF(node, table_hdr); + entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr, + sizeof(struct acpi_table_pptt)); +- proc_sz = sizeof(struct acpi_pptt_processor *); ++ proc_sz = sizeof(struct acpi_pptt_processor); + + while ((unsigned long)entry + proc_sz < table_end) { + cpu_node = (struct acpi_pptt_processor *)entry; +@@ -258,7 +258,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he + table_end = (unsigned long)table_hdr + table_hdr->length; + entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr, + sizeof(struct acpi_table_pptt)); +- proc_sz = sizeof(struct acpi_pptt_processor *); ++ proc_sz = sizeof(struct acpi_pptt_processor); + + /* find the processor structure associated with this cpuid */ + while ((unsigned long)entry + proc_sz < table_end) { +-- +2.39.5 + diff --git a/queue-5.15/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch b/queue-5.15/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch new file mode 100644 index 0000000000..d3a4628244 --- /dev/null +++ b/queue-5.15/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch @@ -0,0 +1,61 @@ +From 2823129c1ecc7f88a2db315242bdec0cb64f6321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Feb 2025 23:37:33 +0100 +Subject: clk: check for disabled clock-provider in + of_clk_get_hw_from_clkspec() + +From: Heiko Stuebner + +[ Upstream commit b20150d499b3ee5c2d632fbc5ac94f98dd33accf ] + +of_clk_get_hw_from_clkspec() checks all available clock-providers by +comparing their of nodes to the one from the clkspec. If no matching +clock provider is found, the function returns -EPROBE_DEFER to cause a +re-check at a later date. If a matching clock provider is found, an +authoritative answer can be retrieved from it whether the clock exists +or not. + +This does not take into account that the clock-provider may never +appear, because it's node is disabled. This can happen when a clock is +optional, provided by a separate block which never gets enabled. + +One example of this happening is the rk3588's VOP, which has optional +additional display clocks coming from PLLs inside the hdmiphy blocks. +These can be used for better rates, but the system will also work +without them. + +The problem around that is described in the followups to[1]. As we +already know the of node of the presumed clock provider, add a check via +of_device_is_available() whether this is a "valid" device node. This +prevents eternal defer loops. + +Link: https://lore.kernel.org/dri-devel/20250215-vop2-hdmi1-disp-modes-v1-3-81962a7151d6@collabora.com/ [1] +Reviewed-by: Sebastian Reichel +Tested-by: Cristian Ciocaltea +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250222223733.2990179-1-heiko@sntech.de +[sboyd@kernel.org: Reword commit text a bit] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index dc2bcf58fc107..13f7e2ea644d9 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -4993,6 +4993,10 @@ of_clk_get_hw_from_clkspec(struct of_phandle_args *clkspec) + if (!clkspec) + return ERR_PTR(-EINVAL); + ++ /* Check if node in clkspec is in disabled/fail state */ ++ if (!of_device_is_available(clkspec->np)) ++ return ERR_PTR(-ENOENT); ++ + mutex_lock(&of_clk_mutex); + list_for_each_entry(provider, &of_clk_providers, link) { + if (provider->node == clkspec->np) { +-- +2.39.5 + diff --git a/queue-5.15/crypto-null-use-spin-lock-instead-of-mutex.patch b/queue-5.15/crypto-null-use-spin-lock-instead-of-mutex.patch new file mode 100644 index 0000000000..8b864d20a1 --- /dev/null +++ b/queue-5.15/crypto-null-use-spin-lock-instead-of-mutex.patch @@ -0,0 +1,101 @@ +From 879bb506d6d272002dcbe65948e8efc14d542bdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 14:10:07 +0800 +Subject: crypto: null - Use spin lock instead of mutex + +From: Herbert Xu + +[ Upstream commit dcc47a028c24e793ce6d6efebfef1a1e92f80297 ] + +As the null algorithm may be freed in softirq context through +af_alg, use spin locks instead of mutexes to protect the default +null algorithm. + +Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/crypto_null.c | 39 ++++++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/crypto/crypto_null.c b/crypto/crypto_null.c +index 5b84b0f7cc178..3378670286535 100644 +--- a/crypto/crypto_null.c ++++ b/crypto/crypto_null.c +@@ -17,10 +17,10 @@ + #include + #include + #include +-#include ++#include + #include + +-static DEFINE_MUTEX(crypto_default_null_skcipher_lock); ++static DEFINE_SPINLOCK(crypto_default_null_skcipher_lock); + static struct crypto_sync_skcipher *crypto_default_null_skcipher; + static int crypto_default_null_skcipher_refcnt; + +@@ -152,23 +152,32 @@ MODULE_ALIAS_CRYPTO("cipher_null"); + + struct crypto_sync_skcipher *crypto_get_default_null_skcipher(void) + { ++ struct crypto_sync_skcipher *ntfm = NULL; + struct crypto_sync_skcipher *tfm; + +- mutex_lock(&crypto_default_null_skcipher_lock); ++ spin_lock_bh(&crypto_default_null_skcipher_lock); + tfm = crypto_default_null_skcipher; + + if (!tfm) { +- tfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0); +- if (IS_ERR(tfm)) +- goto unlock; +- +- crypto_default_null_skcipher = tfm; ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); ++ ++ ntfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0); ++ if (IS_ERR(ntfm)) ++ return ntfm; ++ ++ spin_lock_bh(&crypto_default_null_skcipher_lock); ++ tfm = crypto_default_null_skcipher; ++ if (!tfm) { ++ tfm = ntfm; ++ ntfm = NULL; ++ crypto_default_null_skcipher = tfm; ++ } + } + + crypto_default_null_skcipher_refcnt++; ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); + +-unlock: +- mutex_unlock(&crypto_default_null_skcipher_lock); ++ crypto_free_sync_skcipher(ntfm); + + return tfm; + } +@@ -176,12 +185,16 @@ EXPORT_SYMBOL_GPL(crypto_get_default_null_skcipher); + + void crypto_put_default_null_skcipher(void) + { +- mutex_lock(&crypto_default_null_skcipher_lock); ++ struct crypto_sync_skcipher *tfm = NULL; ++ ++ spin_lock_bh(&crypto_default_null_skcipher_lock); + if (!--crypto_default_null_skcipher_refcnt) { +- crypto_free_sync_skcipher(crypto_default_null_skcipher); ++ tfm = crypto_default_null_skcipher; + crypto_default_null_skcipher = NULL; + } +- mutex_unlock(&crypto_default_null_skcipher_lock); ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); ++ ++ crypto_free_sync_skcipher(tfm); + } + EXPORT_SYMBOL_GPL(crypto_put_default_null_skcipher); + +-- +2.39.5 + diff --git a/queue-5.15/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch b/queue-5.15/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch new file mode 100644 index 0000000000..62c123ab56 --- /dev/null +++ b/queue-5.15/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch @@ -0,0 +1,51 @@ +From b5ce65e8be0ae1a32a86f8cc32618eb09a81894d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 15:00:06 -0800 +Subject: dmaengine: dmatest: Fix dmatest waiting less when interrupted + +From: Vinicius Costa Gomes + +[ Upstream commit e87ca16e99118ab4e130a41bdf12abbf6a87656c ] + +Change the "wait for operation finish" logic to take interrupts into +account. + +When using dmatest with idxd DMA engine, it's possible that during +longer tests, the interrupt notifying the finish of an operation +happens during wait_event_freezable_timeout(), which causes dmatest to +cleanup all the resources, some of which might still be in use. + +This fix ensures that the wait logic correctly handles interrupts, +preventing premature cleanup of resources. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202502171134.8c403348-lkp@intel.com +Signed-off-by: Vinicius Costa Gomes +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20250305230007.590178-1-vinicius.gomes@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmatest.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index f696246f57fdb..0d8d01673010c 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -828,9 +828,9 @@ static int dmatest_func(void *data) + } else { + dma_async_issue_pending(chan); + +- wait_event_freezable_timeout(thread->done_wait, +- done->done, +- msecs_to_jiffies(params->timeout)); ++ wait_event_timeout(thread->done_wait, ++ done->done, ++ msecs_to_jiffies(params->timeout)); + + status = dma_async_is_tx_complete(chan, cookie, NULL, + NULL); +-- +2.39.5 + diff --git a/queue-5.15/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch b/queue-5.15/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch new file mode 100644 index 0000000000..99fbcb23b0 --- /dev/null +++ b/queue-5.15/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch @@ -0,0 +1,78 @@ +From 435803d731cabfa7b850a25edcb8ba81c4a4e8de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 11:54:52 +0530 +Subject: ext4: make block validity check resistent to sb bh corruption + +From: Ojaswin Mujoo + +[ Upstream commit ccad447a3d331a239477c281533bacb585b54a98 ] + +Block validity checks need to be skipped in case they are called +for journal blocks since they are part of system's protected +zone. + +Currently, this is done by checking inode->ino against +sbi->s_es->s_journal_inum, which is a direct read from the ext4 sb +buffer head. If someone modifies this underneath us then the +s_journal_inum field might get corrupted. To prevent against this, +change the check to directly compare the inode with journal->j_inode. + +**Slight change in behavior**: During journal init path, +check_block_validity etc might be called for journal inode when +sbi->s_journal is not set yet. In this case we now proceed with +ext4_inode_block_valid() instead of returning early. Since systems zones +have not been set yet, it is okay to proceed so we can perform basic +checks on the blocks. + +Suggested-by: Baokun Li +Reviewed-by: Baokun Li +Reviewed-by: Jan Kara +Reviewed-by: Zhang Yi +Signed-off-by: Ojaswin Mujoo +Link: https://patch.msgid.link/0c06bc9ebfcd6ccfed84a36e79147bf45ff5adc1.1743142920.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/block_validity.c | 5 ++--- + fs/ext4/inode.c | 7 ++++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 6fe3c941b5651..4d6ba140276b5 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -351,10 +351,9 @@ int ext4_check_blockref(const char *function, unsigned int line, + { + __le32 *bref = p; + unsigned int blk; ++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; + +- if (ext4_has_feature_journal(inode->i_sb) && +- (inode->i_ino == +- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ if (journal && inode == journal->j_inode) + return 0; + + while (bref < p+max) { +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index e50dfe3d60139..12f3b4fd201bb 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -409,10 +409,11 @@ static int __check_block_validity(struct inode *inode, const char *func, + unsigned int line, + struct ext4_map_blocks *map) + { +- if (ext4_has_feature_journal(inode->i_sb) && +- (inode->i_ino == +- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; ++ ++ if (journal && inode == journal->j_inode) + return 0; ++ + if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, + "lblock %lu mapped to illegal pblock %llu " +-- +2.39.5 + diff --git a/queue-5.15/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch b/queue-5.15/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch new file mode 100644 index 0000000000..82639fedf8 --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch @@ -0,0 +1,45 @@ +From 1ec32ba2576cf50596bad65482ab27f182c646c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 20:16:38 +0800 +Subject: fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size + +From: Edward Adam Davis + +[ Upstream commit ff355926445897cc9fdea3b00611e514232c213c ] + +Syzbot reported a WARNING in ntfs_extend_initialized_size. +The data type of in->i_valid and to is u64 in ntfs_file_mmap(). +If their values are greater than LLONG_MAX, overflow will occur because +the data types of the parameters valid and new_valid corresponding to +the function ntfs_extend_initialized_size() are loff_t. + +Before calling ntfs_extend_initialized_size() in the ntfs_file_mmap(), +the "ni->i_valid < to" has been determined, so the same WARN_ON determination +is not required in ntfs_extend_initialized_size(). +Just execute the ntfs_extend_initialized_size() in ntfs_extend() to make +a WARN_ON check. + +Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55 +Signed-off-by: Edward Adam Davis +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c +index 2d5d234a4533d..74cf9c51e3228 100644 +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -435,6 +435,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count, + } + + if (extend_init && !is_compressed(ni)) { ++ WARN_ON(ni->i_valid >= pos); + err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos); + if (err) + goto out; +-- +2.39.5 + diff --git a/queue-5.15/kvm-s390-don-t-use-pk-through-tracepoints.patch b/queue-5.15/kvm-s390-don-t-use-pk-through-tracepoints.patch new file mode 100644 index 0000000000..c6a83bcdc7 --- /dev/null +++ b/queue-5.15/kvm-s390-don-t-use-pk-through-tracepoints.patch @@ -0,0 +1,53 @@ +From dd2227f66310174132433e9814d40c43eb2d88cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:13:56 +0100 +Subject: KVM: s390: Don't use %pK through tracepoints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 6c9567e0850be2f0f94ab64fa6512413fd1a1eb1 ] + +Restricted pointers ("%pK") are not meant to be used through TP_format(). +It can unintentionally expose security sensitive, raw pointer values. + +Use regular pointer formatting instead. + +Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/ +Signed-off-by: Thomas Weißschuh +Reviewed-by: Michael Mueller +Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de +Signed-off-by: Janosch Frank +Message-ID: <20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de> +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/trace-s390.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h +index 6f0209d45164f..9c5f546a2e1a3 100644 +--- a/arch/s390/kvm/trace-s390.h ++++ b/arch/s390/kvm/trace-s390.h +@@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu, + __entry->sie_block = sie_block; + ), + +- TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK", ++ TP_printk("create cpu %d at 0x%p, sie block at 0x%p", + __entry->id, __entry->vcpu, __entry->sie_block) + ); + +@@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css, + __entry->kvm = kvm; + ), + +- TP_printk("enabling channel I/O support (kvm @ %pK)\n", ++ TP_printk("enabling channel I/O support (kvm @ %p)\n", + __entry->kvm) + ); + +-- +2.39.5 + diff --git a/queue-5.15/loop-aio-inherit-the-ioprio-of-original-request.patch b/queue-5.15/loop-aio-inherit-the-ioprio-of-original-request.patch new file mode 100644 index 0000000000..8e2ebbac4a --- /dev/null +++ b/queue-5.15/loop-aio-inherit-the-ioprio-of-original-request.patch @@ -0,0 +1,39 @@ +From 6e58f63400e711449aa02806c4e06675639142ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 11:01:59 +0800 +Subject: loop: aio inherit the ioprio of original request + +From: Yunlong Xing + +[ Upstream commit 1fdb8188c3d505452b40cdb365b1bb32be533a8e ] + +Set cmd->iocb.ki_ioprio to the ioprio of loop device's request. +The purpose is to inherit the original request ioprio in the aio +flow. + +Signed-off-by: Yunlong Xing +Signed-off-by: Zhiguo Niu +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250414030159.501180-1-yunlong.xing@unisoc.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 4b7318f1a6f33..a612370dd9ecf 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -605,7 +605,7 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd, + cmd->iocb.ki_filp = file; + cmd->iocb.ki_complete = lo_rw_aio_complete; + cmd->iocb.ki_flags = IOCB_DIRECT; +- cmd->iocb.ki_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0); ++ cmd->iocb.ki_ioprio = req_get_ioprio(rq); + + if (rw == WRITE) + ret = call_write_iter(file, &cmd->iocb, &iter); +-- +2.39.5 + diff --git a/queue-5.15/md-raid1-add-check-for-missing-source-disk-in-proces.patch b/queue-5.15/md-raid1-add-check-for-missing-source-disk-in-proces.patch new file mode 100644 index 0000000000..0b5e01d489 --- /dev/null +++ b/queue-5.15/md-raid1-add-check-for-missing-source-disk-in-proces.patch @@ -0,0 +1,77 @@ +From f957e70308c6ad53555f9ae7dfa1737ad1408453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:38:08 +0300 +Subject: md/raid1: Add check for missing source disk in process_checks() + +From: Meir Elisha + +[ Upstream commit b7c178d9e57c8fd4238ff77263b877f6f16182ba ] + +During recovery/check operations, the process_checks function loops +through available disks to find a 'primary' source with successfully +read data. + +If no suitable source disk is found after checking all possibilities, +the 'primary' index will reach conf->raid_disks * 2. Add an explicit +check for this condition after the loop. If no source disk was found, +print an error message and return early to prevent further processing +without a valid primary source. + +Link: https://lore.kernel.org/linux-raid/20250408143808.1026534-1-meir.elisha@volumez.com +Signed-off-by: Meir Elisha +Suggested-and-reviewed-by: Yu Kuai +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 8427c9767a61b..de87606b2e04c 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2063,14 +2063,9 @@ static int fix_sync_read_error(struct r1bio *r1_bio) + if (!rdev_set_badblocks(rdev, sect, s, 0)) + abort = 1; + } +- if (abort) { +- conf->recovery_disabled = +- mddev->recovery_disabled; +- set_bit(MD_RECOVERY_INTR, &mddev->recovery); +- md_done_sync(mddev, r1_bio->sectors, 0); +- put_buf(r1_bio); ++ if (abort) + return 0; +- } ++ + /* Try next page */ + sectors -= s; + sect += s; +@@ -2210,10 +2205,21 @@ static void sync_request_write(struct mddev *mddev, struct r1bio *r1_bio) + int disks = conf->raid_disks * 2; + struct bio *wbio; + +- if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) +- /* ouch - failed to read all of that. */ +- if (!fix_sync_read_error(r1_bio)) ++ if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) { ++ /* ++ * ouch - failed to read all of that. ++ * No need to fix read error for check/repair ++ * because all member disks are read. ++ */ ++ if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery) || ++ !fix_sync_read_error(r1_bio)) { ++ conf->recovery_disabled = mddev->recovery_disabled; ++ set_bit(MD_RECOVERY_INTR, &mddev->recovery); ++ md_done_sync(mddev, r1_bio->sectors, 0); ++ put_buf(r1_bio); + return; ++ } ++ } + + if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery)) + process_checks(r1_bio); +-- +2.39.5 + diff --git a/queue-5.15/mips-cm-detect-cm-quirks-from-device-tree.patch b/queue-5.15/mips-cm-detect-cm-quirks-from-device-tree.patch new file mode 100644 index 0000000000..85689f73f5 --- /dev/null +++ b/queue-5.15/mips-cm-detect-cm-quirks-from-device-tree.patch @@ -0,0 +1,107 @@ +From 1e1d28c9c35987b38b236ae8a2b5a7edcbdf41d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 12:01:56 +0100 +Subject: MIPS: cm: Detect CM quirks from device tree + +From: Gregory CLEMENT + +[ Upstream commit e27fbe16af5cfc40639de4ced67d1a866a1953e9 ] + +Some information that should be retrieved at runtime for the Coherence +Manager can be either absent or wrong. This patch allows checking if +some of this information is available from the device tree and updates +the internal variable accordingly. + +For now, only the compatible string associated with the broken HCI is +being retrieved. + +Signed-off-by: Gregory CLEMENT +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mips-cm.h | 22 ++++++++++++++++++++++ + arch/mips/kernel/mips-cm.c | 14 ++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h +index 696b40beb774f..0f31324998c0a 100644 +--- a/arch/mips/include/asm/mips-cm.h ++++ b/arch/mips/include/asm/mips-cm.h +@@ -47,6 +47,16 @@ extern phys_addr_t __mips_cm_phys_base(void); + */ + extern int mips_cm_is64; + ++/* ++ * mips_cm_is_l2_hci_broken - determine if HCI is broken ++ * ++ * Some CM reports show that Hardware Cache Initialization is ++ * complete, but in reality it's not the case. They also incorrectly ++ * indicate that Hardware Cache Initialization is supported. This ++ * flags allows warning about this broken feature. ++ */ ++extern bool mips_cm_is_l2_hci_broken; ++ + /** + * mips_cm_error_report - Report CM cache errors + */ +@@ -85,6 +95,18 @@ static inline bool mips_cm_present(void) + #endif + } + ++/** ++ * mips_cm_update_property - update property from the device tree ++ * ++ * Retrieve the properties from the device tree if a CM node exist and ++ * update the internal variable based on this. ++ */ ++#ifdef CONFIG_MIPS_CM ++extern void mips_cm_update_property(void); ++#else ++static void mips_cm_update_property(void) {} ++#endif ++ + /** + * mips_cm_has_l2sync - determine whether an L2-only sync region is present + * +diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c +index b4f7d950c8468..e21c2fd761674 100644 +--- a/arch/mips/kernel/mips-cm.c ++++ b/arch/mips/kernel/mips-cm.c +@@ -5,6 +5,7 @@ + */ + + #include ++#include + #include + #include + +@@ -14,6 +15,7 @@ + void __iomem *mips_gcr_base; + void __iomem *mips_cm_l2sync_base; + int mips_cm_is64; ++bool mips_cm_is_l2_hci_broken; + + static char *cm2_tr[8] = { + "mem", "gcr", "gic", "mmio", +@@ -238,6 +240,18 @@ static void mips_cm_probe_l2sync(void) + mips_cm_l2sync_base = ioremap(addr, MIPS_CM_L2SYNC_SIZE); + } + ++void mips_cm_update_property(void) ++{ ++ struct device_node *cm_node; ++ ++ cm_node = of_find_compatible_node(of_root, NULL, "mobileye,eyeq6-cm"); ++ if (!cm_node) ++ return; ++ pr_info("HCI (Hardware Cache Init for the L2 cache) in GCR_L2_RAM_CONFIG from the CM3 is broken"); ++ mips_cm_is_l2_hci_broken = true; ++ of_node_put(cm_node); ++} ++ + int mips_cm_probe(void) + { + phys_addr_t addr; +-- +2.39.5 + diff --git a/queue-5.15/ntb-reduce-stack-usage-in-idt_scan_mws.patch b/queue-5.15/ntb-reduce-stack-usage-in-idt_scan_mws.patch new file mode 100644 index 0000000000..5871f76c01 --- /dev/null +++ b/queue-5.15/ntb-reduce-stack-usage-in-idt_scan_mws.patch @@ -0,0 +1,77 @@ +From f3fa916c073ac7ece82e9ecacb84cc1aac031825 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 09:57:25 +0100 +Subject: ntb: reduce stack usage in idt_scan_mws + +From: Arnd Bergmann + +[ Upstream commit aff12700b8dd7422bfe2277696e192af4df9de8f ] + +idt_scan_mws() puts a large fixed-size array on the stack and copies +it into a smaller dynamically allocated array at the end. On 32-bit +targets, the fixed size can easily exceed the warning limit for +possible stack overflow: + +drivers/ntb/hw/idt/ntb_hw_idt.c:1041:27: error: stack frame size (1032) exceeds limit (1024) in 'idt_scan_mws' [-Werror,-Wframe-larger-than] + +Change it to instead just always use dynamic allocation for the +array from the start. It's too big for the stack, but not actually +all that much for a permanent allocation. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/all/202205111109.PiKTruEj-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Dave Jiang +Reviewed-by: Damien Le Moal +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index 72060acb9cafc..366e19dbae316 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -1041,7 +1041,7 @@ static inline char *idt_get_mw_name(enum idt_mw_type mw_type) + static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + unsigned char *mw_cnt) + { +- struct idt_mw_cfg mws[IDT_MAX_NR_MWS], *ret_mws; ++ struct idt_mw_cfg *mws; + const struct idt_ntb_bar *bars; + enum idt_mw_type mw_type; + unsigned char widx, bidx, en_cnt; +@@ -1049,6 +1049,11 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + int aprt_size; + u32 data; + ++ mws = devm_kcalloc(&ndev->ntb.pdev->dev, IDT_MAX_NR_MWS, ++ sizeof(*mws), GFP_KERNEL); ++ if (!mws) ++ return ERR_PTR(-ENOMEM); ++ + /* Retrieve the array of the BARs registers */ + bars = portdata_tbl[port].bars; + +@@ -1103,16 +1108,7 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + } + } + +- /* Allocate memory for memory window descriptors */ +- ret_mws = devm_kcalloc(&ndev->ntb.pdev->dev, *mw_cnt, sizeof(*ret_mws), +- GFP_KERNEL); +- if (!ret_mws) +- return ERR_PTR(-ENOMEM); +- +- /* Copy the info of detected memory windows */ +- memcpy(ret_mws, mws, (*mw_cnt)*sizeof(*ret_mws)); +- +- return ret_mws; ++ return mws; + } + + /* +-- +2.39.5 + diff --git a/queue-5.15/nvme-re-read-ana-log-page-after-ns-scan-completes.patch b/queue-5.15/nvme-re-read-ana-log-page-after-ns-scan-completes.patch new file mode 100644 index 0000000000..b628be243d --- /dev/null +++ b/queue-5.15/nvme-re-read-ana-log-page-after-ns-scan-completes.patch @@ -0,0 +1,47 @@ +From 90aa10f9109354377f84b6f6e1d1cb71d58ef80e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:19:30 +0200 +Subject: nvme: re-read ANA log page after ns scan completes + +From: Hannes Reinecke + +[ Upstream commit 62baf70c327444338c34703c71aa8cc8e4189bd6 ] + +When scanning for new namespaces we might have missed an ANA AEN. + +The NVMe base spec (NVMe Base Specification v2.1, Figure 151 'Asynchonous +Event Information - Notice': Asymmetric Namespace Access Change) states: + + A controller shall not send this even if an Attached Namespace + Attribute Changed asynchronous event [...] is sent for the same event. + +so we need to re-read the ANA log page after we rescanned the namespace +list to update the ANA states of the new namespaces. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 85d965fe8838c..68d4546dda3bb 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4225,6 +4225,11 @@ static void nvme_scan_work(struct work_struct *work) + /* Requeue if we have missed AENs */ + if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) + nvme_queue_scan(ctrl); ++#ifdef CONFIG_NVME_MULTIPATH ++ else ++ /* Re-read the ANA log page to not miss updates */ ++ queue_work(nvme_wq, &ctrl->ana_work); ++#endif + } + + /* +-- +2.39.5 + diff --git a/queue-5.15/nvme-requeue-namespace-scan-on-missed-aens.patch b/queue-5.15/nvme-requeue-namespace-scan-on-missed-aens.patch new file mode 100644 index 0000000000..b181b2e1ff --- /dev/null +++ b/queue-5.15/nvme-requeue-namespace-scan-on-missed-aens.patch @@ -0,0 +1,42 @@ +From 81131d412a30441b9a91e0f627e8f98f66b9a16b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:19:29 +0200 +Subject: nvme: requeue namespace scan on missed AENs + +From: Hannes Reinecke + +[ Upstream commit 9546ad1a9bda7362492114f5866b95b0ac4a100e ] + +Scanning for namespaces can take some time, so if the target is +reconfigured while the scan is running we may miss a Attached Namespace +Attribute Changed AEN. + +Check if the NVME_AER_NOTICE_NS_CHANGED bit is set once the scan has +finished, and requeue scanning to pick up any missed change. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 6748532c776b8..85d965fe8838c 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4221,6 +4221,10 @@ static void nvme_scan_work(struct work_struct *work) + if (nvme_scan_ns_list(ctrl) != 0) + nvme_scan_ns_sequential(ctrl); + mutex_unlock(&ctrl->scan_lock); ++ ++ /* Requeue if we have missed AENs */ ++ if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) ++ nvme_queue_scan(ctrl); + } + + /* +-- +2.39.5 + diff --git a/queue-5.15/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch b/queue-5.15/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch new file mode 100644 index 0000000000..cd4a8847fe --- /dev/null +++ b/queue-5.15/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch @@ -0,0 +1,36 @@ +From 09e2bb1dc7ef47c74d582cbd95f5c573194e28d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:29:10 +0200 +Subject: nvmet-fc: put ref when assoc->del_work is already scheduled + +From: Daniel Wagner + +[ Upstream commit 70289ae5cac4d3a39575405aaf63330486cea030 ] + +Do not leak the tgtport reference when the work is already scheduled. + +Signed-off-by: Daniel Wagner +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index 9f6d91e79aac5..812d085d49c99 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -1091,7 +1091,8 @@ static void + nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc) + { + nvmet_fc_tgtport_get(assoc->tgtport); +- queue_work(nvmet_wq, &assoc->del_work); ++ if (!queue_work(nvmet_wq, &assoc->del_work)) ++ nvmet_fc_tgtport_put(assoc->tgtport); + } + + static struct nvmet_fc_tgt_assoc * +-- +2.39.5 + diff --git a/queue-5.15/nvmet-fc-take-tgtport-reference-only-once.patch b/queue-5.15/nvmet-fc-take-tgtport-reference-only-once.patch new file mode 100644 index 0000000000..8204cc132e --- /dev/null +++ b/queue-5.15/nvmet-fc-take-tgtport-reference-only-once.patch @@ -0,0 +1,77 @@ +From 13c47ad6746bb06acddef14a352cb19886abc13f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:29:09 +0200 +Subject: nvmet-fc: take tgtport reference only once + +From: Daniel Wagner + +[ Upstream commit b0b26ad0e1943de25ce82a7e5af3574f31b1cf99 ] + +The reference counting code can be simplified. Instead taking a tgtport +refrerence at the beginning of nvmet_fc_alloc_hostport and put it back +if not a new hostport object is allocated, only take it when a new +hostport object is allocated. + +Signed-off-by: Daniel Wagner +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fc.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index 88893e78661c6..9f6d91e79aac5 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -1030,33 +1030,24 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle) + struct nvmet_fc_hostport *newhost, *match = NULL; + unsigned long flags; + ++ /* ++ * Caller holds a reference on tgtport. ++ */ ++ + /* if LLDD not implemented, leave as NULL */ + if (!hosthandle) + return NULL; + +- /* +- * take reference for what will be the newly allocated hostport if +- * we end up using a new allocation +- */ +- if (!nvmet_fc_tgtport_get(tgtport)) +- return ERR_PTR(-EINVAL); +- + spin_lock_irqsave(&tgtport->lock, flags); + match = nvmet_fc_match_hostport(tgtport, hosthandle); + spin_unlock_irqrestore(&tgtport->lock, flags); + +- if (match) { +- /* no new allocation - release reference */ +- nvmet_fc_tgtport_put(tgtport); ++ if (match) + return match; +- } + + newhost = kzalloc(sizeof(*newhost), GFP_KERNEL); +- if (!newhost) { +- /* no new allocation - release reference */ +- nvmet_fc_tgtport_put(tgtport); ++ if (!newhost) + return ERR_PTR(-ENOMEM); +- } + + spin_lock_irqsave(&tgtport->lock, flags); + match = nvmet_fc_match_hostport(tgtport, hosthandle); +@@ -1065,6 +1056,7 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle) + kfree(newhost); + newhost = match; + } else { ++ nvmet_fc_tgtport_get(tgtport); + newhost->tgtport = tgtport; + newhost->hosthandle = hosthandle; + INIT_LIST_HEAD(&newhost->host_list); +-- +2.39.5 + diff --git a/queue-5.15/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch b/queue-5.15/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch new file mode 100644 index 0000000000..2abba01d9b --- /dev/null +++ b/queue-5.15/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch @@ -0,0 +1,58 @@ +From 4ffc9f00961328b066d1768ef01ec884333ed13a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:09 -0700 +Subject: objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior + in wcd934x_slim_irq_handler() + +From: Josh Poimboeuf + +[ Upstream commit 060aed9c0093b341480770457093449771cf1496 ] + +If 'port_id' is negative, the shift counts in wcd934x_slim_irq_handler() +also become negative, resulting in undefined behavior due to shift out +of bounds. + +If I'm reading the code correctly, that appears to be not possible, but +with KCOV enabled, Clang's range analysis isn't always able to determine +that and generates undefined behavior. + +As a result the code generation isn't optimal, and undefined behavior +should be avoided regardless. Improve code generation and remove the +undefined behavior by converting the signed variables to unsigned. + +Fixes the following warning with UBSAN: + + sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section + +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Acked-by: Mark Brown +Cc: Srinivas Kandagatla +Cc: Liam Girdwood +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/7e863839ec7301bf9c0f429a03873d44e484c31c.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd934x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c +index 94ffd2ba29aef..765ac2a3e9638 100644 +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -2281,7 +2281,7 @@ static irqreturn_t wcd934x_slim_irq_handler(int irq, void *data) + { + struct wcd934x_codec *wcd = data; + unsigned long status = 0; +- int i, j, port_id; ++ unsigned int i, j, port_id; + unsigned int val, int_val = 0; + irqreturn_t ret = IRQ_NONE; + bool tx; +-- +2.39.5 + diff --git a/queue-5.15/objtool-stop-unret-validation-on-ud2.patch b/queue-5.15/objtool-stop-unret-validation-on-ud2.patch new file mode 100644 index 0000000000..465ac3e46c --- /dev/null +++ b/queue-5.15/objtool-stop-unret-validation-on-ud2.patch @@ -0,0 +1,38 @@ +From 092d1ce26bb40e8e82477acf58f38031fc02e13a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 00:02:15 -0700 +Subject: objtool: Stop UNRET validation on UD2 + +From: Josh Poimboeuf + +[ Upstream commit 9f9cc012c2cbac4833746a0182e06a8eec940d19 ] + +In preparation for simplifying INSN_SYSCALL, make validate_unret() +terminate control flow on UD2 just like validate_branch() already does. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/ce841269e7e28c8b7f32064464a9821034d724ff.1744095216.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index c2596b1e1fb1e..d2366ec61edc4 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -3416,6 +3416,9 @@ static int validate_entry(struct objtool_file *file, struct instruction *insn) + break; + } + ++ if (insn->dead_end) ++ return 0; ++ + if (!next) { + WARN_FUNC("teh end!", insn->sec, insn->offset); + return -1; +-- +2.39.5 + diff --git a/queue-5.15/parisc-pdt-fix-missing-prototype-warning.patch b/queue-5.15/parisc-pdt-fix-missing-prototype-warning.patch new file mode 100644 index 0000000000..da6a01392f --- /dev/null +++ b/queue-5.15/parisc-pdt-fix-missing-prototype-warning.patch @@ -0,0 +1,51 @@ +From a8c3bc769727bf66dc8aed571cbdc741cbc48857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2025 01:43:04 +0800 +Subject: parisc: PDT: Fix missing prototype warning + +From: Yu-Chun Lin + +[ Upstream commit b899981750dcb958ceffa4462d903963ee494aa2 ] + +As reported by the kernel test robot, the following error occurs: + +arch/parisc/kernel/pdt.c:65:6: warning: no previous prototype for 'arch_report_meminfo' [-Wmissing-prototypes] + 65 | void arch_report_meminfo(struct seq_file *m) + | ^~~~~~~~~~~~~~~~~~~ + +arch_report_meminfo() is declared in include/linux/proc_fs.h and only +defined when CONFIG_PROC_FS is enabled. Wrap its definition in #ifdef +CONFIG_PROC_FS to fix the -Wmissing-prototypes warning. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202502082315.IPaHaTyM-lkp@intel.com/ +Signed-off-by: Yu-Chun Lin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/pdt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/parisc/kernel/pdt.c b/arch/parisc/kernel/pdt.c +index fcc761b0e11b9..d20e8283c5b8a 100644 +--- a/arch/parisc/kernel/pdt.c ++++ b/arch/parisc/kernel/pdt.c +@@ -62,6 +62,7 @@ static unsigned long pdt_entry[MAX_PDT_ENTRIES] __page_aligned_bss; + #define PDT_ADDR_PERM_ERR (pdt_type != PDT_PDC ? 2UL : 0UL) + #define PDT_ADDR_SINGLE_ERR 1UL + ++#ifdef CONFIG_PROC_FS + /* report PDT entries via /proc/meminfo */ + void arch_report_meminfo(struct seq_file *m) + { +@@ -73,6 +74,7 @@ void arch_report_meminfo(struct seq_file *m) + seq_printf(m, "PDT_cur_entries: %7lu\n", + pdt_status.pdt_entries); + } ++#endif + + static int get_info_pat_new(void) + { +-- +2.39.5 + diff --git a/queue-5.15/qibfs-fix-_another_-leak.patch b/queue-5.15/qibfs-fix-_another_-leak.patch new file mode 100644 index 0000000000..d7c7787561 --- /dev/null +++ b/queue-5.15/qibfs-fix-_another_-leak.patch @@ -0,0 +1,36 @@ +From a4e66a7206e269256319a05d85a17c14882e0556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 17:50:34 -0600 +Subject: qibfs: fix _another_ leak + +From: Al Viro + +[ Upstream commit bdb43af4fdb39f844ede401bdb1258f67a580a27 ] + +failure to allocate inode => leaked dentry... + +this one had been there since the initial merge; to be fair, +if we are that far OOM, the odds of failing at that particular +allocation are low... + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qib/qib_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/qib/qib_fs.c b/drivers/infiniband/hw/qib/qib_fs.c +index 8665e506404f9..774037ea44a92 100644 +--- a/drivers/infiniband/hw/qib/qib_fs.c ++++ b/drivers/infiniband/hw/qib/qib_fs.c +@@ -56,6 +56,7 @@ static int qibfs_mknod(struct inode *dir, struct dentry *dentry, + struct inode *inode = new_inode(dir->i_sb); + + if (!inode) { ++ dput(dentry); + error = -EPERM; + goto bail; + } +-- +2.39.5 + diff --git a/queue-5.15/s390-sclp-add-check-for-get_zeroed_page.patch b/queue-5.15/s390-sclp-add-check-for-get_zeroed_page.patch new file mode 100644 index 0000000000..d32119fd94 --- /dev/null +++ b/queue-5.15/s390-sclp-add-check-for-get_zeroed_page.patch @@ -0,0 +1,61 @@ +From 8c0c671a04785ad4a694be16e94153b7b4c5b5d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 10:52:16 +0800 +Subject: s390/sclp: Add check for get_zeroed_page() + +From: Haoxiang Li + +[ Upstream commit 3db42c75a921854a99db0a2775814fef97415bac ] + +Add check for the return value of get_zeroed_page() in +sclp_console_init() to prevent null pointer dereference. +Furthermore, to solve the memory leak caused by the loop +allocation, add a free helper to do the free job. + +Signed-off-by: Haoxiang Li +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20250218025216.2421548-1-haoxiang_li2024@163.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp_con.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/s390/char/sclp_con.c b/drivers/s390/char/sclp_con.c +index de028868c6f4a..4e5d5da258d68 100644 +--- a/drivers/s390/char/sclp_con.c ++++ b/drivers/s390/char/sclp_con.c +@@ -260,6 +260,19 @@ static struct console sclp_console = + .index = 0 /* ttyS0 */ + }; + ++/* ++ * Release allocated pages. ++ */ ++static void __init __sclp_console_free_pages(void) ++{ ++ struct list_head *page, *p; ++ ++ list_for_each_safe(page, p, &sclp_con_pages) { ++ list_del(page); ++ free_page((unsigned long)page); ++ } ++} ++ + /* + * called by console_init() in drivers/char/tty_io.c at boot-time. + */ +@@ -279,6 +292,10 @@ sclp_console_init(void) + /* Allocate pages for output buffering */ + for (i = 0; i < sclp_console_pages; i++) { + page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); ++ if (!page) { ++ __sclp_console_free_pages(); ++ return -ENOMEM; ++ } + list_add_tail(page, &sclp_con_pages); + } + sclp_conbuf = NULL; +-- +2.39.5 + diff --git a/queue-5.15/s390-tty-fix-a-potential-memory-leak-bug.patch b/queue-5.15/s390-tty-fix-a-potential-memory-leak-bug.patch new file mode 100644 index 0000000000..e5cace92cd --- /dev/null +++ b/queue-5.15/s390-tty-fix-a-potential-memory-leak-bug.patch @@ -0,0 +1,55 @@ +From 6a8930be429a490ecbb1cc70fda094b8d128bd1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 11:41:04 +0800 +Subject: s390/tty: Fix a potential memory leak bug + +From: Haoxiang Li + +[ Upstream commit ad9bb8f049717d64c5e62b2a44954be9f681c65b ] + +The check for get_zeroed_page() leads to a direct return +and overlooked the memory leak caused by loop allocation. +Add a free helper to free spaces allocated by get_zeroed_page(). + +Signed-off-by: Haoxiang Li +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20250218034104.2436469-1-haoxiang_li2024@163.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp_tty.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/s390/char/sclp_tty.c b/drivers/s390/char/sclp_tty.c +index 971fbb52740bf..432dad2a22664 100644 +--- a/drivers/s390/char/sclp_tty.c ++++ b/drivers/s390/char/sclp_tty.c +@@ -490,6 +490,17 @@ static const struct tty_operations sclp_ops = { + .flush_buffer = sclp_tty_flush_buffer, + }; + ++/* Release allocated pages. */ ++static void __init __sclp_tty_free_pages(void) ++{ ++ struct list_head *page, *p; ++ ++ list_for_each_safe(page, p, &sclp_tty_pages) { ++ list_del(page); ++ free_page((unsigned long)page); ++ } ++} ++ + static int __init + sclp_tty_init(void) + { +@@ -516,6 +527,7 @@ sclp_tty_init(void) + for (i = 0; i < MAX_KMEM_PAGES; i++) { + page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); + if (page == NULL) { ++ __sclp_tty_free_pages(); + tty_driver_kref_put(driver); + return -ENOMEM; + } +-- +2.39.5 + diff --git a/queue-5.15/sched-isolation-make-config_cpu_isolation-depend-on-.patch b/queue-5.15/sched-isolation-make-config_cpu_isolation-depend-on-.patch new file mode 100644 index 0000000000..22f61d70cc --- /dev/null +++ b/queue-5.15/sched-isolation-make-config_cpu_isolation-depend-on-.patch @@ -0,0 +1,46 @@ +From 6cb64f1bf91243643365308d6172a58a291ddde8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Mar 2025 15:49:55 +0200 +Subject: sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP + +From: Oleg Nesterov + +[ Upstream commit 975776841e689dd8ba36df9fa72ac3eca3c2957a ] + +kernel/sched/isolation.c obviously makes no sense without CONFIG_SMP, but +the Kconfig entry we have right now: + + config CPU_ISOLATION + bool "CPU isolation" + depends on SMP || COMPILE_TEST + +allows the creation of pointless .config's which cause +build failures. + +Reported-by: kernel test robot +Signed-off-by: Oleg Nesterov +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250330134955.GA7910@redhat.com + +Closes: https://lore.kernel.org/oe-kbuild-all/202503260646.lrUqD3j5-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + init/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 4c9cacc866d4c..b66259bfd2352 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -674,7 +674,7 @@ endmenu # "CPU/Task time and stats accounting" + + config CPU_ISOLATION + bool "CPU isolation" +- depends on SMP || COMPILE_TEST ++ depends on SMP + default y + help + Make sure that CPUs running critical tasks are not disturbed by +-- +2.39.5 + diff --git a/queue-5.15/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch b/queue-5.15/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch new file mode 100644 index 0000000000..36fc4f9539 --- /dev/null +++ b/queue-5.15/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch @@ -0,0 +1,59 @@ +From 14309b7a47029190d54e52ebee0f867bc0f9d468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:51:35 +0800 +Subject: scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes + +From: Xingui Yang + +[ Upstream commit daff37f00c7506ca322ccfce95d342022f06ec58 ] + +The hw port ID of phy may change when inserting disks in batches, causing +the port ID in hisi_sas_port and itct to be inconsistent with the hardware, +resulting in I/O errors. The solution is to set the device state to gone to +intercept I/O sent to the device, and then execute linkreset to discard and +find the disk to re-update its information. + +Signed-off-by: Xingui Yang +Link: https://lore.kernel.org/r/20250312095135.3048379-3-yangxingui@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 0ca80e00835cb..8c32f815a968a 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -852,8 +852,28 @@ static void hisi_sas_phyup_work(struct work_struct *work) + container_of(work, typeof(*phy), works[HISI_PHYE_PHY_UP]); + struct hisi_hba *hisi_hba = phy->hisi_hba; + struct asd_sas_phy *sas_phy = &phy->sas_phy; ++ struct asd_sas_port *sas_port = sas_phy->port; ++ struct hisi_sas_port *port = phy->port; ++ struct device *dev = hisi_hba->dev; ++ struct domain_device *port_dev; + int phy_no = sas_phy->id; + ++ if (!test_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags) && ++ sas_port && port && (port->id != phy->port_id)) { ++ dev_info(dev, "phy%d's hw port id changed from %d to %llu\n", ++ phy_no, port->id, phy->port_id); ++ port_dev = sas_port->port_dev; ++ if (port_dev && !dev_is_expander(port_dev->dev_type)) { ++ /* ++ * Set the device state to gone to block ++ * sending IO to the device. ++ */ ++ set_bit(SAS_DEV_GONE, &port_dev->state); ++ hisi_sas_notify_phy_event(phy, HISI_PHYE_LINK_RESET); ++ return; ++ } ++ } ++ + phy->wait_phyup_cnt = 0; + if (phy->identify.target_port_protocols == SAS_PROTOCOL_SSP) + hisi_hba->hw->sl_notify_ssp(hisi_hba, phy_no); +-- +2.39.5 + diff --git a/queue-5.15/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch b/queue-5.15/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch new file mode 100644 index 0000000000..ef5d69b541 --- /dev/null +++ b/queue-5.15/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch @@ -0,0 +1,36 @@ +From 836a536b0331d9d57dacf09cd551d0854e7396ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 23:03:05 +0000 +Subject: scsi: pm80xx: Set phy_attached to zero when device is gone + +From: Igor Pylypiv + +[ Upstream commit f7b705c238d1483f0a766e2b20010f176e5c0fb7 ] + +When a fatal error occurs, a phy down event may not be received to set +phy->phy_attached to zero. + +Signed-off-by: Igor Pylypiv +Signed-off-by: Salomon Dushimirimana +Link: https://lore.kernel.org/r/20250319230305.3172920-1-salomondush@google.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_sas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c +index 2c003c17fe6aa..0c79f2a9eba76 100644 +--- a/drivers/scsi/pm8001/pm8001_sas.c ++++ b/drivers/scsi/pm8001/pm8001_sas.c +@@ -892,6 +892,7 @@ static void pm8001_dev_gone_notify(struct domain_device *dev) + spin_lock_irqsave(&pm8001_ha->lock, flags); + } + PM8001_CHIP_DISP->dereg_dev_req(pm8001_ha, device_id); ++ pm8001_ha->phy[pm8001_dev->attached_phy].phy_attached = 0; + pm8001_free_dev(pm8001_dev); + } else { + pm8001_dbg(pm8001_ha, DISC, "Found dev has gone.\n"); +-- +2.39.5 + diff --git a/queue-5.15/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch b/queue-5.15/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch new file mode 100644 index 0000000000..23115897ad --- /dev/null +++ b/queue-5.15/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch @@ -0,0 +1,62 @@ +From ce05912bf27ec000bf54de2577b7a9254d45ec59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 16:09:40 +0800 +Subject: selftests/mincore: Allow read-ahead pages to reach the end of the + file + +From: Qiuxu Zhuo + +[ Upstream commit 197c1eaa7ba633a482ed7588eea6fd4aa57e08d4 ] + +When running the mincore_selftest on a system with an XFS file system, it +failed the "check_file_mmap" test case due to the read-ahead pages reaching +the end of the file. The failure log is as below: + + RUN global.check_file_mmap ... + mincore_selftest.c:264:check_file_mmap:Expected i (1024) < vec_size (1024) + mincore_selftest.c:265:check_file_mmap:Read-ahead pages reached the end of the file + check_file_mmap: Test failed + FAIL global.check_file_mmap + +This is because the read-ahead window size of the XFS file system on this +machine is 4 MB, which is larger than the size from the #PF address to the +end of the file. As a result, all the pages for this file are populated. + + blockdev --getra /dev/nvme0n1p5 + 8192 + blockdev --getbsz /dev/nvme0n1p5 + 512 + +This issue can be fixed by extending the current FILE_SIZE 4MB to a larger +number, but it will still fail if the read-ahead window size of the file +system is larger enough. Additionally, in the real world, read-ahead pages +reaching the end of the file can happen and is an expected behavior. +Therefore, allowing read-ahead pages to reach the end of the file is a +better choice for the "check_file_mmap" test case. + +Link: https://lore.kernel.org/r/20250311080940.21413-1-qiuxu.zhuo@intel.com +Reported-by: Yi Lai +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/mincore/mincore_selftest.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tools/testing/selftests/mincore/mincore_selftest.c b/tools/testing/selftests/mincore/mincore_selftest.c +index 4c88238fc8f05..c0ae86c28d7f3 100644 +--- a/tools/testing/selftests/mincore/mincore_selftest.c ++++ b/tools/testing/selftests/mincore/mincore_selftest.c +@@ -261,9 +261,6 @@ TEST(check_file_mmap) + TH_LOG("No read-ahead pages found in memory"); + } + +- EXPECT_LT(i, vec_size) { +- TH_LOG("Read-ahead pages reached the end of the file"); +- } + /* + * End of the readahead window. The rest of the pages shouldn't + * be in memory. +-- +2.39.5 + diff --git a/queue-5.15/selftests-ublk-fix-test_stripe_04.patch b/queue-5.15/selftests-ublk-fix-test_stripe_04.patch new file mode 100644 index 0000000000..4369c52cdf --- /dev/null +++ b/queue-5.15/selftests-ublk-fix-test_stripe_04.patch @@ -0,0 +1,58 @@ +From 75ef7813368146573a265d73de96c3f8cdb4b223 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 08:18:49 +0800 +Subject: selftests: ublk: fix test_stripe_04 + +From: Ming Lei + +[ Upstream commit 72070e57b0a518ec8e562a2b68fdfc796ef5c040 ] + +Commit 57ed58c13256 ("selftests: ublk: enable zero copy for stripe target") +added test entry of test_stripe_04, but forgot to add the test script. + +So fix the test by adding the script file. + +Reported-by: Uday Shankar +Signed-off-by: Ming Lei +Reviewed-by: Uday Shankar +Link: https://lore.kernel.org/r/20250404001849.1443064-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ublk/test_stripe_04.sh | 24 +++++++++++++++++++ + 1 file changed, 24 insertions(+) + create mode 100755 tools/testing/selftests/ublk/test_stripe_04.sh + +diff --git a/tools/testing/selftests/ublk/test_stripe_04.sh b/tools/testing/selftests/ublk/test_stripe_04.sh +new file mode 100755 +index 0000000000000..1f2b642381d17 +--- /dev/null ++++ b/tools/testing/selftests/ublk/test_stripe_04.sh +@@ -0,0 +1,24 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++. "$(cd "$(dirname "$0")" && pwd)"/test_common.sh ++ ++TID="stripe_04" ++ERR_CODE=0 ++ ++_prep_test "stripe" "mkfs & mount & umount on zero copy" ++ ++backfile_0=$(_create_backfile 256M) ++backfile_1=$(_create_backfile 256M) ++dev_id=$(_add_ublk_dev -t stripe -z -q 2 "$backfile_0" "$backfile_1") ++_check_add_dev $TID $? "$backfile_0" "$backfile_1" ++ ++_mkfs_mount_test /dev/ublkb"${dev_id}" ++ERR_CODE=$? ++ ++_cleanup_test "stripe" ++ ++_remove_backfile "$backfile_0" ++_remove_backfile "$backfile_1" ++ ++_show_result $TID $ERR_CODE +-- +2.39.5 + diff --git a/queue-5.15/series b/queue-5.15/series index cf4f931fc4..24741547e7 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -321,3 +321,41 @@ usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch usb-wdm-add-annotation.patch +mips-cm-detect-cm-quirks-from-device-tree.patch +crypto-null-use-spin-lock-instead-of-mutex.patch +clk-check-for-disabled-clock-provider-in-of_clk_get_.patch +parisc-pdt-fix-missing-prototype-warning.patch +s390-sclp-add-check-for-get_zeroed_page.patch +s390-tty-fix-a-potential-memory-leak-bug.patch +x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch +usb-host-max3421-hcd-add-missing-spi_device_id-table.patch +fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch +usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch +sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch +dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch +usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch +usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch +objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch +qibfs-fix-_another_-leak.patch +ntb-reduce-stack-usage-in-idt_scan_mws.patch +sched-isolation-make-config_cpu_isolation-depend-on-.patch +kvm-s390-don-t-use-pk-through-tracepoints.patch +udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch +selftests-ublk-fix-test_stripe_04.patch +xen-change-xen-acpi-processor-dom0-dependency.patch +nvme-requeue-namespace-scan-on-missed-aens.patch +acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch +nvme-re-read-ana-log-page-after-ns-scan-completes.patch +objtool-stop-unret-validation-on-ud2.patch +selftests-mincore-allow-read-ahead-pages-to-reach-th.patch +x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch +x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch +x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch +nvmet-fc-take-tgtport-reference-only-once.patch +nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch +ext4-make-block-validity-check-resistent-to-sb-bh-co.patch +scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch +scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch +loop-aio-inherit-the-ioprio-of-original-request.patch +ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch +md-raid1-add-check-for-missing-source-disk-in-proces.patch diff --git a/queue-5.15/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch b/queue-5.15/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch new file mode 100644 index 0000000000..699bcf1308 --- /dev/null +++ b/queue-5.15/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch @@ -0,0 +1,108 @@ +From 3c2b3e60c381a9ef2d37d61c179da6eb641ee012 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 11:40:59 -0800 +Subject: sound/virtio: Fix cancel_sync warnings on uninitialized work_structs + +From: John Stultz + +[ Upstream commit 3c7df2e27346eb40a0e86230db1ccab195c97cfe ] + +Betty reported hitting the following warning: + +[ 8.709131][ T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182 +... +[ 8.713282][ T221] Call trace: +[ 8.713365][ T221] __flush_work+0x8d0/0x914 +[ 8.713468][ T221] __cancel_work_sync+0xac/0xfc +[ 8.713570][ T221] cancel_work_sync+0x24/0x34 +[ 8.713667][ T221] virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] +[ 8.713868][ T221] virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] +[ 8.714035][ T221] virtio_dev_probe+0x28c/0x390 +[ 8.714139][ T221] really_probe+0x1bc/0x4c8 +... + +It seems we're hitting the error path in virtsnd_probe(), which +triggers a virtsnd_remove() which iterates over the substreams +calling cancel_work_sync() on the elapsed_period work_struct. + +Looking at the code, from earlier in: +virtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg() + +We set snd->nsubstreams, allocate the snd->substreams, and if +we then hit an error on the info allocation or something in +virtsnd_ctl_query_info() fails, we will exit without having +initialized the elapsed_period work_struct. + +When that error path unwinds we then call virtsnd_remove() +which as long as the substreams array is allocated, will iterate +through calling cancel_work_sync() on the uninitialized work +struct hitting this warning. + +Takashi Iwai suggested this fix, which initializes the substreams +structure right after allocation, so that if we hit the error +paths we avoid trying to cleanup uninitialized data. + +Note: I have not yet managed to reproduce the issue myself, so +this patch has had limited testing. + +Feedback or thoughts would be appreciated! + +Cc: Anton Yakovlev +Cc: "Michael S. Tsirkin" +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: virtualization@lists.linux.dev +Cc: linux-sound@vger.kernel.org +Cc: kernel-team@android.com +Reported-by: Betty Zhou +Suggested-by: Takashi Iwai +Signed-off-by: John Stultz +Message-Id: <20250116194114.3375616-1-jstultz@google.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + sound/virtio/virtio_pcm.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/sound/virtio/virtio_pcm.c b/sound/virtio/virtio_pcm.c +index c10d91fff2fb0..1ddec1f4f05d5 100644 +--- a/sound/virtio/virtio_pcm.c ++++ b/sound/virtio/virtio_pcm.c +@@ -337,6 +337,21 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd) + if (!snd->substreams) + return -ENOMEM; + ++ /* ++ * Initialize critical substream fields early in case we hit an ++ * error path and end up trying to clean up uninitialized structures ++ * elsewhere. ++ */ ++ for (i = 0; i < snd->nsubstreams; ++i) { ++ struct virtio_pcm_substream *vss = &snd->substreams[i]; ++ ++ vss->snd = snd; ++ vss->sid = i; ++ INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed); ++ init_waitqueue_head(&vss->msg_empty); ++ spin_lock_init(&vss->lock); ++ } ++ + info = kcalloc(snd->nsubstreams, sizeof(*info), GFP_KERNEL); + if (!info) + return -ENOMEM; +@@ -350,12 +365,6 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd) + struct virtio_pcm_substream *vss = &snd->substreams[i]; + struct virtio_pcm *vpcm; + +- vss->snd = snd; +- vss->sid = i; +- INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed); +- init_waitqueue_head(&vss->msg_empty); +- spin_lock_init(&vss->lock); +- + rc = virtsnd_pcm_build_hw(vss, &info[i]); + if (rc) + goto on_exit; +-- +2.39.5 + diff --git a/queue-5.15/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch b/queue-5.15/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch new file mode 100644 index 0000000000..7382a16bae --- /dev/null +++ b/queue-5.15/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch @@ -0,0 +1,90 @@ +From 9b06801c7050d26afa139bfbc45bbe9c34da04fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:33:54 +0000 +Subject: ubsan: Fix panic from test_ubsan_out_of_bounds + +From: Mostafa Saleh + +[ Upstream commit 9b044614be12d78d3a93767708b8d02fb7dfa9b0 ] + +Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the +kernel: + +[ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan] +[ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT +[ 31.648153] Hardware name: linux,dummy-virt (DT) +[ 31.648970] Call trace: +[ 31.649345] show_stack+0x18/0x24 (C) +[ 31.650960] dump_stack_lvl+0x40/0x84 +[ 31.651559] dump_stack+0x18/0x24 +[ 31.652264] panic+0x138/0x3b4 +[ 31.652812] __ktime_get_real_seconds+0x0/0x10 +[ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan] +[ 31.654388] init_module+0x24/0xff4 [test_ubsan] +[ 31.655077] do_one_initcall+0xd4/0x280 +[ 31.655680] do_init_module+0x58/0x2b4 + +That happens because the test corrupts other data in the stack: +400: d5384108 mrs x8, sp_el0 +404: f9426d08 ldr x8, [x8, #1240] +408: f85f83a9 ldur x9, [x29, #-8] +40c: eb09011f cmp x8, x9 +410: 54000301 b.ne 470 // b.any + +As there is no guarantee the compiler will order the local variables +as declared in the module: + volatile char above[4] = { }; /* Protect surrounding memory. */ + volatile int arr[4]; + volatile char below[4] = { }; /* Protect surrounding memory. */ + +There is another problem where the out-of-bound index is 5 which is larger +than the extra surrounding memory for protection. + +So, use a struct to enforce the ordering, and fix the index to be 4. +Also, remove some of the volatiles and rely on OPTIMIZER_HIDE_VAR() + +Signed-off-by: Mostafa Saleh +Link: https://lore.kernel.org/r/20250415203354.4109415-1-smostafa@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/test_ubsan.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c +index 2062be1f2e80f..f90f2b9842ec4 100644 +--- a/lib/test_ubsan.c ++++ b/lib/test_ubsan.c +@@ -35,18 +35,22 @@ static void test_ubsan_shift_out_of_bounds(void) + + static void test_ubsan_out_of_bounds(void) + { +- volatile int i = 4, j = 5, k = -1; +- volatile char above[4] = { }; /* Protect surrounding memory. */ +- volatile int arr[4]; +- volatile char below[4] = { }; /* Protect surrounding memory. */ ++ int i = 4, j = 4, k = -1; ++ volatile struct { ++ char above[4]; /* Protect surrounding memory. */ ++ int arr[4]; ++ char below[4]; /* Protect surrounding memory. */ ++ } data; + +- above[0] = below[0]; ++ OPTIMIZER_HIDE_VAR(i); ++ OPTIMIZER_HIDE_VAR(j); ++ OPTIMIZER_HIDE_VAR(k); + + UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); +- arr[j] = i; ++ data.arr[j] = i; + + UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); +- arr[k] = i; ++ data.arr[k] = i; + } + + enum ubsan_test_enum { +-- +2.39.5 + diff --git a/queue-5.15/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch b/queue-5.15/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch new file mode 100644 index 0000000000..da3103dc2a --- /dev/null +++ b/queue-5.15/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch @@ -0,0 +1,38 @@ +From f40c4a8c24051772427be409991a6cc6f4482d2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 11:41:26 -0500 +Subject: udmabuf: fix a buf size overflow issue during udmabuf creation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xiaogang Chen + +[ Upstream commit 021ba7f1babd029e714d13a6bf2571b08af96d0f ] + +by casting size_limit_mb to u64 when calculate pglimit. + +Signed-off-by: Xiaogang Chen +Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/udmabuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c +index a8094d57d2d06..84f7611c765b9 100644 +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -186,7 +186,7 @@ static long udmabuf_create(struct miscdevice *device, + if (!ubuf) + return -ENOMEM; + +- pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT; ++ pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT; + for (i = 0; i < head->count; i++) { + if (!IS_ALIGNED(list[i].offset, PAGE_SIZE)) + goto err; +-- +2.39.5 + diff --git a/queue-5.15/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch b/queue-5.15/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch new file mode 100644 index 0000000000..5213b31e9e --- /dev/null +++ b/queue-5.15/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch @@ -0,0 +1,68 @@ +From 06f114b88549363fccafd29819a25bd9f1091d71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 21:28:04 +0200 +Subject: usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko + +[ Upstream commit 461f24bff86808ee5fbfe74751a825f8a7ab24e0 ] + +Intel Merrifield SoC uses these endpoints for tracing and they cannot +be re-allocated if being used because the side band flow control signals +are hard wired to certain endpoints: + +• 1 High BW Bulk IN (IN#1) (RTIT) +• 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8) + +In device mode, since RTIT (EP#1) and EXI/RunControl (EP#8) uses +External Buffer Control (EBC) mode, these endpoints are to be mapped to +EBC mode (to be done by EXI target driver). Additionally TRB for RTIT +and EXI are maintained in STM (System Trace Module) unit and the EXI +target driver will as well configure the TRB location for EP #1 IN +and EP#8 (IN and OUT). Since STM/PTI and EXI hardware blocks manage +these endpoints and interface to OTG3 controller through EBC interface, +there is no need to enable any events (such as XferComplete etc) +for these end points. + +Signed-off-by: Andy Shevchenko +Tested-by: Ferry Toth +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250212193116.2487289-5-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-pci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 1872de3ce98bd..5e0b326875fac 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -132,11 +132,21 @@ static const struct property_entry dwc3_pci_intel_byt_properties[] = { + {} + }; + ++/* ++ * Intel Merrifield SoC uses these endpoints for tracing and they cannot ++ * be re-allocated if being used because the side band flow control signals ++ * are hard wired to certain endpoints: ++ * - 1 High BW Bulk IN (IN#1) (RTIT) ++ * - 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8) ++ */ ++static const u8 dwc3_pci_mrfld_reserved_endpoints[] = { 3, 16, 17 }; ++ + static const struct property_entry dwc3_pci_mrfld_properties[] = { + PROPERTY_ENTRY_STRING("dr_mode", "otg"), + PROPERTY_ENTRY_STRING("linux,extcon-name", "mrfld_bcove_pwrsrc"), + PROPERTY_ENTRY_BOOL("snps,dis_u3_susphy_quirk"), + PROPERTY_ENTRY_BOOL("snps,dis_u2_susphy_quirk"), ++ PROPERTY_ENTRY_U8_ARRAY("snps,reserved-endpoints", dwc3_pci_mrfld_reserved_endpoints), + PROPERTY_ENTRY_BOOL("snps,usb2-gadget-lpm-disable"), + PROPERTY_ENTRY_BOOL("linux,sysdev_is_parent"), + {} +-- +2.39.5 + diff --git a/queue-5.15/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch b/queue-5.15/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch new file mode 100644 index 0000000000..ec4b25212b --- /dev/null +++ b/queue-5.15/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch @@ -0,0 +1,41 @@ +From 401a96ecc1591dcea6db1e4e13c13b7c4a9e55a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 20:27:05 -0500 +Subject: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() + +From: Chenyuan Yang + +[ Upstream commit 8c75f3e6a433d92084ad4e78b029ae680865420f ] + +The variable d->name, returned by devm_kasprintf(), could be NULL. +A pointer check is added to prevent potential NULL pointer dereference. +This is similar to the fix in commit 3027e7b15b02 +("ice: Fix some null pointer dereference issues in ice_ptp.c"). + +This issue is found by our static analysis tool + +Signed-off-by: Chenyuan Yang +Link: https://lore.kernel.org/r/20250311012705.1233829-1-chenyuan0y@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/udc/aspeed-vhub/dev.c b/drivers/usb/gadget/udc/aspeed-vhub/dev.c +index d918e8b2af3c2..c5f7123837751 100644 +--- a/drivers/usb/gadget/udc/aspeed-vhub/dev.c ++++ b/drivers/usb/gadget/udc/aspeed-vhub/dev.c +@@ -538,6 +538,9 @@ int ast_vhub_init_dev(struct ast_vhub *vhub, unsigned int idx) + d->vhub = vhub; + d->index = idx; + d->name = devm_kasprintf(parent, GFP_KERNEL, "port%d", idx+1); ++ if (!d->name) ++ return -ENOMEM; ++ + d->regs = vhub->regs + 0x100 + 0x10 * idx; + + ast_vhub_init_ep0(vhub, &d->ep0, d); +-- +2.39.5 + diff --git a/queue-5.15/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch b/queue-5.15/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch new file mode 100644 index 0000000000..040d128e00 --- /dev/null +++ b/queue-5.15/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch @@ -0,0 +1,51 @@ +From 2770e5c430b5aedd4147bf20a016701a663a373a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 20:51:13 +0100 +Subject: usb: host: max3421-hcd: Add missing spi_device_id table + +From: Alexander Stein + +[ Upstream commit 41d5e3806cf589f658f92c75195095df0b66f66a ] + +"maxim,max3421" DT compatible is missing its SPI device ID entry, not +allowing module autoloading and leading to the following message: + "SPI driver max3421-hcd has no spi_device_id for maxim,max3421" + +Fix this by adding the spi_device_id table. + +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20250128195114.56321-1-alexander.stein@mailbox.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/max3421-hcd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c +index 6d95b90683bc8..37a5914f79871 100644 +--- a/drivers/usb/host/max3421-hcd.c ++++ b/drivers/usb/host/max3421-hcd.c +@@ -1956,6 +1956,12 @@ max3421_remove(struct spi_device *spi) + return 0; + } + ++static const struct spi_device_id max3421_spi_ids[] = { ++ { "max3421" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, max3421_spi_ids); ++ + static const struct of_device_id max3421_of_match_table[] = { + { .compatible = "maxim,max3421", }, + {}, +@@ -1965,6 +1971,7 @@ MODULE_DEVICE_TABLE(of, max3421_of_match_table); + static struct spi_driver max3421_driver = { + .probe = max3421_probe, + .remove = max3421_remove, ++ .id_table = max3421_spi_ids, + .driver = { + .name = "max3421-hcd", + .of_match_table = of_match_ptr(max3421_of_match_table), +-- +2.39.5 + diff --git a/queue-5.15/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch b/queue-5.15/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch new file mode 100644 index 0000000000..41c6a2d05c --- /dev/null +++ b/queue-5.15/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch @@ -0,0 +1,57 @@ +From 5dca9e3b03e76fd57630ded238714ad2b45de6d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 17:45:51 +0200 +Subject: usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems + Running + +From: Michal Pecio + +[ Upstream commit 28a76fcc4c85dd39633fb96edb643c91820133e3 ] + +Nothing prevents a broken HC from claiming that an endpoint is Running +and repeatedly rejecting Stop Endpoint with Context State Error. + +Avoid infinite retries and give back cancelled TDs. + +No such cases known so far, but HCs have bugs. + +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250311154551.4035726-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 64bf50ea62a49..cd94b0a4e0211 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1183,16 +1183,19 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, + * Stopped state, but it will soon change to Running. + * + * Assume this bug on unexpected Stop Endpoint failures. +- * Keep retrying until the EP starts and stops again, on +- * chips where this is known to help. Wait for 100ms. ++ * Keep retrying until the EP starts and stops again. + */ +- if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))) +- break; + fallthrough; + case EP_STATE_RUNNING: + /* Race, HW handled stop ep cmd before ep was running */ + xhci_dbg(xhci, "Stop ep completion ctx error, ctx_state %d\n", + GET_EP_CTX_STATE(ep_ctx)); ++ /* ++ * Don't retry forever if we guessed wrong or a defective HC never starts ++ * the EP or says 'Running' but fails the command. We must give back TDs. ++ */ ++ if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))) ++ break; + + command = xhci_alloc_command(xhci, false, GFP_ATOMIC); + if (!command) +-- +2.39.5 + diff --git a/queue-5.15/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch b/queue-5.15/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch new file mode 100644 index 0000000000..8f9be59e6e --- /dev/null +++ b/queue-5.15/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch @@ -0,0 +1,113 @@ +From dae63a0ad040a7f4142282641cda111228975295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:34 -0700 +Subject: x86/bugs: Don't fill RSB on context switch with eIBRS + +From: Josh Poimboeuf + +[ Upstream commit 27ce8299bc1ec6df8306073785ff82b30b3cc5ee ] + +User->user Spectre v2 attacks (including RSB) across context switches +are already mitigated by IBPB in cond_mitigation(), if enabled globally +or if either the prev or the next task has opted in to protection. RSB +filling without IBPB serves no purpose for protecting user space, as +indirect branches are still vulnerable. + +User->kernel RSB attacks are mitigated by eIBRS. In which case the RSB +filling on context switch isn't needed, so remove it. + +Suggested-by: Pawan Gupta +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Pawan Gupta +Reviewed-by: Amit Shah +Reviewed-by: Nikolay Borisov +Link: https://lore.kernel.org/r/98cdefe42180358efebf78e3b80752850c7a3e1b.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++------------ + arch/x86/mm/tlb.c | 6 +++--- + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 018ef230f02ce..75cd45f2338dc 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1553,7 +1553,7 @@ static void __init spec_ctrl_disable_kernel_rrsba(void) + rrsba_disabled = true; + } + +-static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) ++static void __init spectre_v2_select_rsb_mitigation(enum spectre_v2_mitigation mode) + { + /* + * Similar to context switches, there are two types of RSB attacks +@@ -1577,7 +1577,7 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + */ + switch (mode) { + case SPECTRE_V2_NONE: +- return; ++ break; + + case SPECTRE_V2_EIBRS: + case SPECTRE_V2_EIBRS_LFENCE: +@@ -1586,18 +1586,21 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); + setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + } +- return; ++ break; + + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_IBRS: +- pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); ++ pr_info("Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); + setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); +- return; +- } ++ break; + +- pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit"); +- dump_stack(); ++ default: ++ pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation\n"); ++ dump_stack(); ++ break; ++ } + } + + /* +@@ -1822,10 +1825,7 @@ static void __init spectre_v2_select_mitigation(void) + * + * FIXME: Is this pointless for retbleed-affected AMD? + */ +- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); +- pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); +- +- spectre_v2_determine_rsb_fill_type_at_vmexit(mode); ++ spectre_v2_select_rsb_mitigation(mode); + + /* + * Retpoline protects the kernel, but doesn't protect firmware. IBRS +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 19d083ad2de79..94a23fcb20737 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -384,9 +384,9 @@ static void cond_mitigation(struct task_struct *next) + prev_mm = this_cpu_read(cpu_tlbstate.last_user_mm_spec); + + /* +- * Avoid user/user BTB poisoning by flushing the branch predictor +- * when switching between processes. This stops one process from +- * doing Spectre-v2 attacks on another. ++ * Avoid user->user BTB/RSB poisoning by flushing them when switching ++ * between processes. This stops one process from doing Spectre-v2 ++ * attacks on another. + * + * Both, the conditional and the always IBPB mode use the mm + * pointer to avoid the IBPB when switching between tasks of the +-- +2.39.5 + diff --git a/queue-5.15/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch b/queue-5.15/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch new file mode 100644 index 0000000000..b9750b40e9 --- /dev/null +++ b/queue-5.15/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch @@ -0,0 +1,64 @@ +From e43592ee8132b1291a90e6659fd82b3163409e5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:33 -0700 +Subject: x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline + +From: Josh Poimboeuf + +[ Upstream commit 18bae0dfec15b24ec14ca17dc18603372f5f254f ] + +eIBRS protects against guest->host RSB underflow/poisoning attacks. +Adding retpoline to the mix doesn't change that. Retpoline has a +balanced CALL/RET anyway. + +So the current full RSB filling on VMEXIT with eIBRS+retpoline is +overkill. Disable it or do the VMEXIT_LITE mitigation if needed. + +Suggested-by: Pawan Gupta +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Pawan Gupta +Reviewed-by: Amit Shah +Reviewed-by: Nikolay Borisov +Cc: Paolo Bonzini +Cc: Vitaly Kuznetsov +Cc: Sean Christopherson +Cc: David Woodhouse +Link: https://lore.kernel.org/r/84a1226e5c9e2698eae1b5ade861f1b8bf3677dc.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index dfc02fb32375c..018ef230f02ce 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1579,20 +1579,20 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + case SPECTRE_V2_NONE: + return; + +- case SPECTRE_V2_EIBRS_LFENCE: + case SPECTRE_V2_EIBRS: ++ case SPECTRE_V2_EIBRS_LFENCE: ++ case SPECTRE_V2_EIBRS_RETPOLINE: + if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + } + return; + +- case SPECTRE_V2_EIBRS_RETPOLINE: + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_IBRS: +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); + pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); + return; + } + +-- +2.39.5 + diff --git a/queue-5.15/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch b/queue-5.15/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch new file mode 100644 index 0000000000..d41a4466bc --- /dev/null +++ b/queue-5.15/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch @@ -0,0 +1,41 @@ +From 113b70793daeb2a9ba11a37d243b4c9d432daf7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:31 -0700 +Subject: x86/bugs: Use SBPB in write_ibpb() if applicable + +From: Josh Poimboeuf + +[ Upstream commit fc9fd3f98423367c79e0bd85a9515df26dc1b3cc ] + +write_ibpb() does IBPB, which (among other things) flushes branch type +predictions on AMD. If the CPU has SRSO_NO, or if the SRSO mitigation +has been disabled, branch type flushing isn't needed, in which case the +lighter-weight SBPB can be used. + +The 'x86_pred_cmd' variable already keeps track of whether IBPB or SBPB +should be used. Use that instead of hardcoding IBPB. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/17c5dcd14b29199b75199d67ff7758de9d9a4928.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/entry/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S +index f4419afc7147d..bda217961172b 100644 +--- a/arch/x86/entry/entry.S ++++ b/arch/x86/entry/entry.S +@@ -16,7 +16,7 @@ + + SYM_FUNC_START(entry_ibpb) + movl $MSR_IA32_PRED_CMD, %ecx +- movl $PRED_CMD_IBPB, %eax ++ movl _ASM_RIP(x86_pred_cmd), %eax + xorl %edx, %edx + wrmsr + +-- +2.39.5 + diff --git a/queue-5.15/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch b/queue-5.15/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch new file mode 100644 index 0000000000..2d188054aa --- /dev/null +++ b/queue-5.15/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch @@ -0,0 +1,97 @@ +From 458227fd473ec852861996f300151ad1118bc4a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 21:48:48 +0100 +Subject: x86/Kconfig: Make CONFIG_PCI_CNB20LE_QUIRK depend on X86_32 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Jończyk + +[ Upstream commit d9f87802676bb23b9425aea8ad95c76ad9b50c6e ] + +I was unable to find a good description of the ServerWorks CNB20LE +chipset. However, it was probably exclusively used with the Pentium III +processor (this CPU model was used in all references to it that I +found where the CPU model was provided: dmesgs in [1] and [2]; +[3] page 2; [4]-[7]). + +As is widely known, the Pentium III processor did not support the 64-bit +mode, support for which was introduced by Intel a couple of years later. +So it is safe to assume that no systems with the CNB20LE chipset have +amd64 and the CONFIG_PCI_CNB20LE_QUIRK may now depend on X86_32. + +Additionally, I have determined that most computers with the CNB20LE +chipset did have ACPI support and this driver was inactive on them. +I have submitted a patch to remove this driver, but it was met with +resistance [8]. + +[1] Jim Studt, Re: Problem with ServerWorks CNB20LE and lost interrupts + Linux Kernel Mailing List, https://lkml.org/lkml/2002/1/11/111 + +[2] RedHat Bug 665109 - e100 problems on old Compaq Proliant DL320 + https://bugzilla.redhat.com/show_bug.cgi?id=665109 + +[3] R. Hughes-Jones, S. Dallison, G. Fairey, Performance Measurements on + Gigabit Ethernet NICs and Server Quality Motherboards, + http://datatag.web.cern.ch/papers/pfldnet2003-rhj.doc + +[4] "Hardware for Linux", + Probe #d6b5151873 of Intel STL2-bd A28808-302 Desktop Computer (STL2) + https://linux-hardware.org/?probe=d6b5151873 + +[5] "Hardware for Linux", Probe #0b5d843f10 of Compaq ProLiant DL380 + https://linux-hardware.org/?probe=0b5d843f10 + +[6] Ubuntu Forums, Dell Poweredge 2400 - Adaptec SCSI Bus AIC-7880 + https://ubuntuforums.org/showthread.php?t=1689552 + +[7] Ira W. Snyder, "BISECTED: 2.6.35 (and -git) fail to boot: APIC problems" + https://lkml.org/lkml/2010/8/13/220 + +[8] Bjorn Helgaas, "Re: [PATCH] x86/pci: drop ServerWorks / Broadcom + CNB20LE PCI host bridge driver" + https://lore.kernel.org/lkml/20220318165535.GA840063@bhelgaas/T/ + +Signed-off-by: Mateusz Jończyk +Signed-off-by: David Heideberg +Signed-off-by: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250321-x86_x2apic-v3-6-b0cbaa6fa338@ixit.cz +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index de6a66ad3fa62..b0bcdf8add86b 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2742,13 +2742,21 @@ config MMCONF_FAM10H + depends on X86_64 && PCI_MMCONFIG && ACPI + + config PCI_CNB20LE_QUIRK +- bool "Read CNB20LE Host Bridge Windows" if EXPERT +- depends on PCI ++ bool "Read PCI host bridge windows from the CNB20LE chipset" if EXPERT ++ depends on X86_32 && PCI + help + Read the PCI windows out of the CNB20LE host bridge. This allows + PCI hotplug to work on systems with the CNB20LE chipset which do + not have ACPI. + ++ The ServerWorks (later Broadcom) CNB20LE was a chipset designed ++ most probably only for Pentium III. ++ ++ To find out if you have such a chipset, search for a PCI device with ++ 1166:0009 PCI IDs, for example by executing ++ lspci -nn | grep '1166:0009' ++ The code is inactive if there is none. ++ + There's no public spec for this chipset, and this functionality + is known to be incomplete. + +-- +2.39.5 + diff --git a/queue-5.15/xen-change-xen-acpi-processor-dom0-dependency.patch b/queue-5.15/xen-change-xen-acpi-processor-dom0-dependency.patch new file mode 100644 index 0000000000..47d099825e --- /dev/null +++ b/queue-5.15/xen-change-xen-acpi-processor-dom0-dependency.patch @@ -0,0 +1,40 @@ +From 14c25b489ef77eca1714dd31c0eceaaca8d7250c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 13:29:12 -0400 +Subject: xen: Change xen-acpi-processor dom0 dependency + +From: Jason Andryuk + +[ Upstream commit 0f2946bb172632e122d4033e0b03f85230a29510 ] + +xen-acpi-processor functions under a PVH dom0 with only a +xen_initial_domain() runtime check. Change the Kconfig dependency from +PV dom0 to generic dom0 to reflect that. + +Suggested-by: Jan Beulich +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Tested-by: Jan Beulich +Signed-off-by: Juergen Gross +Message-ID: <20250331172913.51240-1-jason.andryuk@amd.com> +Signed-off-by: Sasha Levin +--- + drivers/xen/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig +index 1b2c3aca6887c..474b0173323a6 100644 +--- a/drivers/xen/Kconfig ++++ b/drivers/xen/Kconfig +@@ -241,7 +241,7 @@ config XEN_PRIVCMD + + config XEN_ACPI_PROCESSOR + tristate "Xen ACPI processor" +- depends on XEN && XEN_PV_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ ++ depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ + default m + help + This ACPI processor uploads Power Management information to the Xen +-- +2.39.5 +