From: Sasha Levin Date: Sun, 18 May 2025 10:30:31 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v5.15.184~59 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7136bb32a6ae87316e72d591dd14e202db753845;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch b/queue-6.1/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch new file mode 100644 index 0000000000..b23581f53c --- /dev/null +++ b/queue-6.1/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch @@ -0,0 +1,46 @@ +From e2ef628c266c5d21c29b4d6f5e1887eef3869a46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 09:31:04 +0200 +Subject: ALSA: sh: SND_AICA should depend on SH_DMA_API + +From: Geert Uytterhoeven + +[ Upstream commit 66e48ef6ef506c89ec1b3851c6f9f5f80b5835ff ] + +If CONFIG_SH_DMA_API=n: + + WARNING: unmet direct dependencies detected for G2_DMA + Depends on [n]: SH_DREAMCAST [=y] && SH_DMA_API [=n] + Selected by [y]: + - SND_AICA [=y] && SOUND [=y] && SND [=y] && SND_SUPERH [=y] && SH_DREAMCAST [=y] + +SND_AICA selects G2_DMA. As the latter depends on SH_DMA_API, the +former should depend on SH_DMA_API, too. + +Fixes: f477a538c14d07f8 ("sh: dma: fix kconfig dependency for G2_DMA") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505131320.PzgTtl9H-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/b90625f8a9078d0d304bafe862cbe3a3fab40082.1747121335.git.geert+renesas@glider.be +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/sh/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/sh/Kconfig b/sound/sh/Kconfig +index b75fbb3236a7b..f5fa09d740b4c 100644 +--- a/sound/sh/Kconfig ++++ b/sound/sh/Kconfig +@@ -14,7 +14,7 @@ if SND_SUPERH + + config SND_AICA + tristate "Dreamcast Yamaha AICA sound" +- depends on SH_DREAMCAST ++ depends on SH_DREAMCAST && SH_DMA_API + select SND_PCM + select G2_DMA + help +-- +2.39.5 + diff --git a/queue-6.1/binfmt-fix-whitespace-issues.patch b/queue-6.1/binfmt-fix-whitespace-issues.patch new file mode 100644 index 0000000000..64773b38b7 --- /dev/null +++ b/queue-6.1/binfmt-fix-whitespace-issues.patch @@ -0,0 +1,127 @@ +From f21b39d6ab9b90b8480fab7d819b78eb08a9fd25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 00:14:20 -0700 +Subject: binfmt: Fix whitespace issues + +From: Kees Cook + +[ Upstream commit 8f6e3f9e5a0f58e458a348b7e36af11d0e9702af ] + +Fix the annoying whitespace issues that have been following these files +around for years. + +Cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Kees Cook +Acked-by: Christian Brauner (Microsoft) +Link: https://lore.kernel.org/r/20221018071350.never.230-kees@kernel.org +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 14 +++++++------- + fs/binfmt_elf_fdpic.c | 2 +- + fs/exec.c | 2 +- + include/uapi/linux/elf.h | 2 +- + 4 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 89e7e4826efce..d1cf3d25da4b6 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -248,7 +248,7 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec, + } while (0) + + #ifdef ARCH_DLINFO +- /* ++ /* + * ARCH_DLINFO must come first so PPC can do its special alignment of + * AUXV. 
+ * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in +@@ -1021,7 +1021,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + executable_stack); + if (retval < 0) + goto out_free_dentry; +- ++ + elf_bss = 0; + elf_brk = 0; + +@@ -1044,7 +1044,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + + if (unlikely (elf_brk > elf_bss)) { + unsigned long nbyte; +- ++ + /* There was a PT_LOAD segment with p_memsz > p_filesz + before this one. Map anonymous pages, if needed, + and clear the area. */ +@@ -1522,7 +1522,7 @@ static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset) + phdr->p_align = 0; + } + +-static void fill_note(struct memelfnote *note, const char *name, int type, ++static void fill_note(struct memelfnote *note, const char *name, int type, + unsigned int sz, void *data) + { + note->name = name; +@@ -2005,8 +2005,8 @@ static int elf_dump_thread_status(long signr, struct elf_thread_status *t) + t->num_notes = 0; + + fill_prstatus(&t->prstatus.common, p, signr); +- elf_core_copy_task_regs(p, &t->prstatus.pr_reg); +- ++ elf_core_copy_task_regs(p, &t->prstatus.pr_reg); ++ + fill_note(&t->notes[0], "CORE", NT_PRSTATUS, sizeof(t->prstatus), + &(t->prstatus)); + t->num_notes++; +@@ -2296,7 +2296,7 @@ static int elf_core_dump(struct coredump_params *cprm) + if (!elf_core_write_extra_phdrs(cprm, offset)) + goto end_coredump; + +- /* write out the notes section */ ++ /* write out the notes section */ + if (!write_note_info(&info, cprm)) + goto end_coredump; + +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index c71a409273150..b2d3b6e43bb56 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -1603,7 +1603,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm) + if (!elf_core_write_extra_phdrs(cprm, offset)) + goto end_coredump; + +- /* write out the notes section */ ++ /* write out the notes section */ + if (!writenote(thread_list->notes, cprm)) + goto end_coredump; + if (!writenote(&psinfo_note, cprm)) +diff --git a/fs/exec.c b/fs/exec.c +index 2039414cc6621..b65af8f9a4f9b 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -169,7 +169,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) + exit: + fput(file); + out: +- return error; ++ return error; + } + #endif /* #ifdef CONFIG_USELIB */ + +diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h +index c7b056af9ef0a..3e5f07be26fc8 100644 +--- a/include/uapi/linux/elf.h ++++ b/include/uapi/linux/elf.h +@@ -91,7 +91,7 @@ typedef __s64 Elf64_Sxword; + #define DT_INIT 12 + #define DT_FINI 13 + #define DT_SONAME 14 +-#define DT_RPATH 15 ++#define DT_RPATH 15 + #define DT_SYMBOLIC 16 + #define DT_REL 17 + #define DT_RELSZ 18 +-- +2.39.5 + diff --git a/queue-6.1/binfmt_elf-calculate-total_size-earlier.patch b/queue-6.1/binfmt_elf-calculate-total_size-earlier.patch new file mode 100644 index 0000000000..575d90379b --- /dev/null +++ b/queue-6.1/binfmt_elf-calculate-total_size-earlier.patch @@ -0,0 +1,97 @@ +From 924e00e1d16bcd73f2c3140763c91d08284593d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:31:47 -0700 +Subject: binfmt_elf: Calculate total_size earlier + +From: Kees Cook + +[ Upstream commit 2d4cf7b190bbfadd4986bf5c34da17c1a88adf8e ] + +In preparation to support PT_LOAD with large p_align values on +non-PT_INTERP ET_DYN executables (i.e. "static pie"), we'll need to use +the total_size details earlier. Move this separately now to make the +next patch more readable. 
As total_size and load_bias are currently +calculated separately, this has no behavioral impact. + +Link: https://lore.kernel.org/r/20240508173149.677910-2-keescook@chromium.org +Signed-off-by: Kees Cook +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 52 +++++++++++++++++++++++++------------------------ + 1 file changed, 27 insertions(+), 25 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index ff796910265da..26abe256e91fb 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -1093,7 +1093,34 @@ static int load_elf_binary(struct linux_binprm *bprm) + * Header for ET_DYN binaries to calculate the + * randomization (load_bias) for all the LOAD + * Program Headers. ++ */ ++ ++ /* ++ * Calculate the entire size of the ELF mapping ++ * (total_size), used for the initial mapping, ++ * due to load_addr_set which is set to true later ++ * once the initial mapping is performed. ++ * ++ * Note that this is only sensible when the LOAD ++ * segments are contiguous (or overlapping). If ++ * used for LOADs that are far apart, this would ++ * cause the holes between LOADs to be mapped, ++ * running the risk of having the mapping fail, ++ * as it would be larger than the ELF file itself. + * ++ * As a result, only ET_DYN does this, since ++ * some ET_EXEC (e.g. ia64) may have large virtual ++ * memory holes between LOADs. ++ * ++ */ ++ total_size = total_mapping_size(elf_phdata, ++ elf_ex->e_phnum); ++ if (!total_size) { ++ retval = -EINVAL; ++ goto out_free_dentry; ++ } ++ ++ /* + * There are effectively two types of ET_DYN + * binaries: programs (i.e. PIE: ET_DYN with INTERP) + * and loaders (ET_DYN without INTERP, since they +@@ -1134,31 +1161,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + * is then page aligned. + */ + load_bias = ELF_PAGESTART(load_bias - vaddr); +- +- /* +- * Calculate the entire size of the ELF mapping +- * (total_size), used for the initial mapping, +- * due to load_addr_set which is set to true later +- * once the initial mapping is performed. +- * +- * Note that this is only sensible when the LOAD +- * segments are contiguous (or overlapping). If +- * used for LOADs that are far apart, this would +- * cause the holes between LOADs to be mapped, +- * running the risk of having the mapping fail, +- * as it would be larger than the ELF file itself. +- * +- * As a result, only ET_DYN does this, since +- * some ET_EXEC (e.g. ia64) may have large virtual +- * memory holes between LOADs. +- * +- */ +- total_size = total_mapping_size(elf_phdata, +- elf_ex->e_phnum); +- if (!total_size) { +- retval = -EINVAL; +- goto out_free_dentry; +- } + } + + error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt, +-- +2.39.5 + diff --git a/queue-6.1/binfmt_elf-elf_bss-no-longer-used-by-load_elf_binary.patch b/queue-6.1/binfmt_elf-elf_bss-no-longer-used-by-load_elf_binary.patch new file mode 100644 index 0000000000..03e4bb36b6 --- /dev/null +++ b/queue-6.1/binfmt_elf-elf_bss-no-longer-used-by-load_elf_binary.patch @@ -0,0 +1,70 @@ +From bd677cad52559f6eaffce48d827bb2eb4c9f0e19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 20:24:30 -0700 +Subject: binfmt_elf: elf_bss no longer used by load_elf_binary() + +From: Kees Cook + +[ Upstream commit 8ed2ef21ff564cf4a25c098ace510ee6513c9836 ] + +With the BSS handled generically via the new filesz/memsz mismatch +handling logic in elf_load(), elf_bss no longer needs to be tracked. +Drop the variable. 
+ +Cc: Eric Biederman +Cc: Alexander Viro +Cc: Christian Brauner +Cc: linux-fsdevel@vger.kernel.org +Cc: linux-mm@kvack.org +Suggested-by: Eric Biederman +Tested-by: Pedro Falcato +Signed-off-by: Sebastian Ott +Link: https://lore.kernel.org/r/20230929032435.2391507-2-keescook@chromium.org +Signed-off-by: Kees Cook +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index ea2968d343bb6..2672b9dca1af0 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -855,7 +855,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + unsigned long error; + struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL; + struct elf_phdr *elf_property_phdata = NULL; +- unsigned long elf_bss, elf_brk; ++ unsigned long elf_brk; + int retval, i; + unsigned long elf_entry; + unsigned long e_entry; +@@ -1047,7 +1047,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + if (retval < 0) + goto out_free_dentry; + +- elf_bss = 0; + elf_brk = 0; + + start_code = ~0UL; +@@ -1210,8 +1209,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + + k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz; + +- if (k > elf_bss) +- elf_bss = k; + if ((elf_ppnt->p_flags & PF_X) && end_code < k) + end_code = k; + if (end_data < k) +@@ -1223,7 +1220,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + + e_entry = elf_ex->e_entry + load_bias; + phdr_addr += load_bias; +- elf_bss += load_bias; + elf_brk += load_bias; + start_code += load_bias; + end_code += load_bias; +-- +2.39.5 + diff --git a/queue-6.1/binfmt_elf-honor-pt_load-alignment-for-static-pie.patch b/queue-6.1/binfmt_elf-honor-pt_load-alignment-for-static-pie.patch new file mode 100644 index 0000000000..465a24afe1 --- /dev/null +++ b/queue-6.1/binfmt_elf-honor-pt_load-alignment-for-static-pie.patch @@ -0,0 +1,131 @@ +From 30221e93aec855721e7b394605728289e7a07950 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:31:48 -0700 +Subject: binfmt_elf: Honor PT_LOAD alignment for static PIE + +From: Kees Cook + +[ Upstream commit 3545deff0ec7a37de7ed9632e262598582b140e9 ] + +The p_align values in PT_LOAD were ignored for static PIE executables +(i.e. ET_DYN without PT_INTERP). This is because there is no way to +request a non-fixed mmap region with a specific alignment. ET_DYN with +PT_INTERP uses a separate base address (ELF_ET_DYN_BASE) and binfmt_elf +performs the ASLR itself, which means it can also apply alignment. For +the mmap region, the address selection happens deep within the vm_mmap() +implementation (when the requested address is 0). + +The earlier attempt to implement this: + + commit 9630f0d60fec ("fs/binfmt_elf: use PT_LOAD p_align values for static PIE") + commit 925346c129da ("fs/binfmt_elf: fix PT_LOAD p_align values for loaders") + +did not take into account the different base address origins, and were +eventually reverted: + + aeb7923733d1 ("revert "fs/binfmt_elf: use PT_LOAD p_align values for static PIE"") + +In order to get the correct alignment from an mmap base, binfmt_elf must +perform a 0-address load first, then tear down the mapping and perform +alignment on the resulting address. Since this is slightly more overhead, +only do this when it is needed (i.e. the alignment is not the default +ELF alignment). 
This does, however, have the benefit of being able to +use MAP_FIXED_NOREPLACE, to avoid potential collisions. + +With this fixed, enable the static PIE self tests again. + +Reported-by: H.J. Lu +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=215275 +Link: https://lore.kernel.org/r/20240508173149.677910-3-keescook@chromium.org +Signed-off-by: Kees Cook +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 42 +++++++++++++++++++++++---- + tools/testing/selftests/exec/Makefile | 2 +- + 2 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 26abe256e91fb..fd3d800f69c1c 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -1120,10 +1120,13 @@ static int load_elf_binary(struct linux_binprm *bprm) + goto out_free_dentry; + } + ++ /* Calculate any requested alignment. */ ++ alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum); ++ + /* + * There are effectively two types of ET_DYN +- * binaries: programs (i.e. PIE: ET_DYN with INTERP) +- * and loaders (ET_DYN without INTERP, since they ++ * binaries: programs (i.e. PIE: ET_DYN with PT_INTERP) ++ * and loaders (ET_DYN without PT_INTERP, since they + * _are_ the ELF interpreter). The loaders must + * be loaded away from programs since the program + * may otherwise collide with the loader (especially +@@ -1143,15 +1146,44 @@ static int load_elf_binary(struct linux_binprm *bprm) + * without MAP_FIXED nor MAP_FIXED_NOREPLACE). + */ + if (interpreter) { ++ /* On ET_DYN with PT_INTERP, we do the ASLR. */ + load_bias = ELF_ET_DYN_BASE; + if (current->flags & PF_RANDOMIZE) + load_bias += arch_mmap_rnd(); +- alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum); ++ /* Adjust alignment as requested. */ + if (alignment) + load_bias &= ~(alignment - 1); + elf_flags |= MAP_FIXED_NOREPLACE; +- } else +- load_bias = 0; ++ } else { ++ /* ++ * For ET_DYN without PT_INTERP, we rely on ++ * the architectures's (potentially ASLR) mmap ++ * base address (via a load_bias of 0). ++ * ++ * When a large alignment is requested, we ++ * must do the allocation at address "0" right ++ * now to discover where things will load so ++ * that we can adjust the resulting alignment. ++ * In this case (load_bias != 0), we can use ++ * MAP_FIXED_NOREPLACE to make sure the mapping ++ * doesn't collide with anything. ++ */ ++ if (alignment > ELF_MIN_ALIGN) { ++ load_bias = elf_load(bprm->file, 0, elf_ppnt, ++ elf_prot, elf_flags, total_size); ++ if (BAD_ADDR(load_bias)) { ++ retval = IS_ERR_VALUE(load_bias) ? ++ PTR_ERR((void*)load_bias) : -EINVAL; ++ goto out_free_dentry; ++ } ++ vm_munmap(load_bias, total_size); ++ /* Adjust alignment as requested. 
*/ ++ if (alignment) ++ load_bias &= ~(alignment - 1); ++ elf_flags |= MAP_FIXED_NOREPLACE; ++ } else ++ load_bias = 0; ++ } + + /* + * Since load_bias is used for all subsequent loading +diff --git a/tools/testing/selftests/exec/Makefile b/tools/testing/selftests/exec/Makefile +index b54986078d7ea..a705493c04bb7 100644 +--- a/tools/testing/selftests/exec/Makefile ++++ b/tools/testing/selftests/exec/Makefile +@@ -6,7 +6,7 @@ CFLAGS += -D_GNU_SOURCE + ALIGNS := 0x1000 0x200000 0x1000000 + ALIGN_PIES := $(patsubst %,load_address.%,$(ALIGNS)) + ALIGN_STATIC_PIES := $(patsubst %,load_address.static.%,$(ALIGNS)) +-ALIGNMENT_TESTS := $(ALIGN_PIES) ++ALIGNMENT_TESTS := $(ALIGN_PIES) $(ALIGN_STATIC_PIES) + + TEST_PROGS := binfmt_script.py + TEST_GEN_PROGS := execveat non-regular $(ALIGNMENT_TESTS) +-- +2.39.5 + diff --git a/queue-6.1/binfmt_elf-leave-a-gap-between-.bss-and-brk.patch b/queue-6.1/binfmt_elf-leave-a-gap-between-.bss-and-brk.patch new file mode 100644 index 0000000000..68ae9cec21 --- /dev/null +++ b/queue-6.1/binfmt_elf-leave-a-gap-between-.bss-and-brk.patch @@ -0,0 +1,42 @@ +From 731c39b3e501836103b2866f105d437290fe2d72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Feb 2024 22:25:44 -0800 +Subject: binfmt_elf: Leave a gap between .bss and brk + +From: Kees Cook + +[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ] + +Currently the brk starts its randomization immediately after .bss, +which means there is a chance that when the random offset is 0, linear +overflows from .bss can reach into the brk area. Leave at least a single +page gap between .bss and brk (when it has not already been explicitly +relocated into the mmap range). + +Reported-by: +Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/ +Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org +Signed-off-by: Kees Cook +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 2672b9dca1af0..ff796910265da 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -1294,6 +1294,9 @@ static int load_elf_binary(struct linux_binprm *bprm) + if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && + elf_ex->e_type == ET_DYN && !interpreter) { + mm->brk = mm->start_brk = ELF_ET_DYN_BASE; ++ } else { ++ /* Otherwise leave a gap between .bss and brk. */ ++ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE; + } + + mm->brk = mm->start_brk = arch_randomize_brk(mm); +-- +2.39.5 + diff --git a/queue-6.1/binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch b/queue-6.1/binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch new file mode 100644 index 0000000000..1ee5aa1510 --- /dev/null +++ b/queue-6.1/binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch @@ -0,0 +1,198 @@ +From c2e4a40d2494b57044dd82b182b6cd32b4010aca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 15:45:06 -0700 +Subject: binfmt_elf: Move brk for static PIE even if ASLR disabled + +From: Kees Cook + +[ Upstream commit 11854fe263eb1b9a8efa33b0c087add7719ea9b4 ] + +In commit bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing +direct loader exec"), the brk was moved out of the mmap region when +loading static PIE binaries (ET_DYN without INTERP). 
The common case +for these binaries was testing new ELF loaders, so the brk needed to +be away from mmap to avoid colliding with stack, future mmaps (of the +loader-loaded binary), etc. But this was only done when ASLR was enabled, +in an attempt to minimize changes to memory layouts. + +After adding support to respect alignment requirements for static PIE +binaries in commit 3545deff0ec7 ("binfmt_elf: Honor PT_LOAD alignment +for static PIE"), it became possible to have a large gap after the +final PT_LOAD segment and the top of the mmap region. This means that +future mmap allocations might go after the last PT_LOAD segment (where +brk might be if ASLR was disabled) instead of before them (where they +traditionally ended up). + +On arm64, running with ASLR disabled, Ubuntu 22.04's "ldconfig" binary, +a static PIE, has alignment requirements that leaves a gap large enough +after the last PT_LOAD segment to fit the vdso and vvar, but still leave +enough space for the brk (which immediately follows the last PT_LOAD +segment) to be allocated by the binary. + +fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real +fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real +fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0 +***[brk will go here at fffff7ffa000]*** +fffff7ffc000-fffff7ffe000 r--p 00000000 00:00 0 [vvar] +fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso] +fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack] + +After commit 0b3bc3354eb9 ("arm64: vdso: Switch to generic storage +implementation"), the arm64 vvar grew slightly, and suddenly the brk +collided with the allocation. + +fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real +fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real +fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0 +***[oops, no room any more, vvar is at fffff7ffa000!]*** +fffff7ffa000-fffff7ffe000 r--p 00000000 00:00 0 [vvar] +fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso] +fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack] + +The solution is to unconditionally move the brk out of the mmap region +for static PIE binaries. Whether ASLR is enabled or not does not change if +there may be future mmap allocation collisions with a growing brk region. + +Update memory layout comments (with kernel-doc headings), consolidate +the setting of mm->brk to later (it isn't needed early), move static PIE +brk out of mmap unconditionally, and make sure brk(2) knows to base brk +position off of mm->start_brk not mm->end_data no matter what the cause of +moving it is (via current->brk_randomized). + +For the CONFIG_COMPAT_BRK case, though, leave the logic unchanged, as we +can never safely move the brk. These systems, however, are not using +specially aligned static PIE binaries. 
+ +Reported-by: Ryan Roberts +Closes: https://lore.kernel.org/lkml/f93db308-4a0e-4806-9faf-98f890f5a5e6@arm.com/ +Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec") +Link: https://lore.kernel.org/r/20250425224502.work.520-kees@kernel.org +Reviewed-by: Ryan Roberts +Tested-by: Ryan Roberts +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 71 ++++++++++++++++++++++++++++++++----------------- + 1 file changed, 47 insertions(+), 24 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index fd3d800f69c1c..762704eed9ce9 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -856,6 +856,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL; + struct elf_phdr *elf_property_phdata = NULL; + unsigned long elf_brk; ++ bool brk_moved = false; + int retval, i; + unsigned long elf_entry; + unsigned long e_entry; +@@ -1123,15 +1124,19 @@ static int load_elf_binary(struct linux_binprm *bprm) + /* Calculate any requested alignment. */ + alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum); + +- /* +- * There are effectively two types of ET_DYN +- * binaries: programs (i.e. PIE: ET_DYN with PT_INTERP) +- * and loaders (ET_DYN without PT_INTERP, since they +- * _are_ the ELF interpreter). The loaders must +- * be loaded away from programs since the program +- * may otherwise collide with the loader (especially +- * for ET_EXEC which does not have a randomized +- * position). For example to handle invocations of ++ /** ++ * DOC: PIE handling ++ * ++ * There are effectively two types of ET_DYN ELF ++ * binaries: programs (i.e. PIE: ET_DYN with ++ * PT_INTERP) and loaders (i.e. static PIE: ET_DYN ++ * without PT_INTERP, usually the ELF interpreter ++ * itself). Loaders must be loaded away from programs ++ * since the program may otherwise collide with the ++ * loader (especially for ET_EXEC which does not have ++ * a randomized position). ++ * ++ * For example, to handle invocations of + * "./ld.so someprog" to test out a new version of + * the loader, the subsequent program that the + * loader loads must avoid the loader itself, so +@@ -1144,6 +1149,9 @@ static int load_elf_binary(struct linux_binprm *bprm) + * ELF_ET_DYN_BASE and loaders are loaded into the + * independently randomized mmap region (0 load_bias + * without MAP_FIXED nor MAP_FIXED_NOREPLACE). ++ * ++ * See below for "brk" handling details, which is ++ * also affected by program vs loader and ASLR. + */ + if (interpreter) { + /* On ET_DYN with PT_INTERP, we do the ASLR. */ +@@ -1260,8 +1268,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + start_data += load_bias; + end_data += load_bias; + +- current->mm->start_brk = current->mm->brk = ELF_PAGEALIGN(elf_brk); +- + if (interpreter) { + elf_entry = load_elf_interp(interp_elf_ex, + interpreter, +@@ -1317,27 +1323,44 @@ static int load_elf_binary(struct linux_binprm *bprm) + mm->end_data = end_data; + mm->start_stack = bprm->p; + +- if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { ++ /** ++ * DOC: "brk" handling ++ * ++ * For architectures with ELF randomization, when executing a ++ * loader directly (i.e. static PIE: ET_DYN without PT_INTERP), ++ * move the brk area out of the mmap region and into the unused ++ * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide ++ * early with the stack growing down or other regions being put ++ * into the mmap region by the kernel (e.g. vdso). 
++ * ++ * In the CONFIG_COMPAT_BRK case, though, everything is turned ++ * off because we're not allowed to move the brk at all. ++ */ ++ if (!IS_ENABLED(CONFIG_COMPAT_BRK) && ++ IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && ++ elf_ex->e_type == ET_DYN && !interpreter) { ++ elf_brk = ELF_ET_DYN_BASE; ++ /* This counts as moving the brk, so let brk(2) know. */ ++ brk_moved = true; ++ } ++ mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk); ++ ++ if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) { + /* +- * For architectures with ELF randomization, when executing +- * a loader directly (i.e. no interpreter listed in ELF +- * headers), move the brk area out of the mmap region +- * (since it grows up, and may collide early with the stack +- * growing down), and into the unused ELF_ET_DYN_BASE region. ++ * If we didn't move the brk to ELF_ET_DYN_BASE (above), ++ * leave a gap between .bss and brk. + */ +- if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && +- elf_ex->e_type == ET_DYN && !interpreter) { +- mm->brk = mm->start_brk = ELF_ET_DYN_BASE; +- } else { +- /* Otherwise leave a gap between .bss and brk. */ ++ if (!brk_moved) + mm->brk = mm->start_brk = mm->brk + PAGE_SIZE; +- } + + mm->brk = mm->start_brk = arch_randomize_brk(mm); ++ brk_moved = true; ++ } ++ + #ifdef compat_brk_randomized ++ if (brk_moved) + current->brk_randomized = 1; + #endif +- } + + if (current->personality & MMAP_PAGE_ZERO) { + /* Why this, you ask??? Well SVr4 maps page 0 as read-only, +-- +2.39.5 + diff --git a/queue-6.1/binfmt_elf-support-segments-with-0-filesz-and-misali.patch b/queue-6.1/binfmt_elf-support-segments-with-0-filesz-and-misali.patch new file mode 100644 index 0000000000..5d33a2a070 --- /dev/null +++ b/queue-6.1/binfmt_elf-support-segments-with-0-filesz-and-misali.patch @@ -0,0 +1,245 @@ +From 4a2d3f95f6153e4126bdc1d31d3ffb30203410da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 20:24:29 -0700 +Subject: binfmt_elf: Support segments with 0 filesz and misaligned starts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric W. Biederman + +[ Upstream commit 585a018627b4d7ed37387211f667916840b5c5ea ] + +Implement a helper elf_load() that wraps elf_map() and performs all +of the necessary work to ensure that when "memsz > filesz" the bytes +described by "memsz > filesz" are zeroed. + +An outstanding issue is if the first segment has filesz 0, and has a +randomized location. But that is the same as today. + +In this change I replaced an open coded padzero() that did not clear +all of the way to the end of the page, with padzero() that does. + +I also stopped checking the return of padzero() as there is at least +one known case where testing for failure is the wrong thing to do. +It looks like binfmt_elf_fdpic may have the proper set of tests +for when error handling can be safely completed. + +I found a couple of commits in the old history +https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git, +that look very interesting in understanding this code. 
+ +commit 39b56d902bf3 ("[PATCH] binfmt_elf: clearing bss may fail") +commit c6e2227e4a3e ("[SPARC64]: Missing user access return value checks in fs/binfmt_elf.c and fs/compat.c") +commit 5bf3be033f50 ("v2.4.10.1 -> v2.4.10.2") + +Looking at commit 39b56d902bf3 ("[PATCH] binfmt_elf: clearing bss may fail"): +> commit 39b56d902bf35241e7cba6cc30b828ed937175ad +> Author: Pavel Machek +> Date: Wed Feb 9 22:40:30 2005 -0800 +> +> [PATCH] binfmt_elf: clearing bss may fail +> +> So we discover that Borland's Kylix application builder emits weird elf +> files which describe a non-writeable bss segment. +> +> So remove the clear_user() check at the place where we zero out the bss. I +> don't _think_ there are any security implications here (plus we've never +> checked that clear_user() return value, so whoops if it is a problem). +> +> Signed-off-by: Pavel Machek +> Signed-off-by: Andrew Morton +> Signed-off-by: Linus Torvalds + +It seems pretty clear that binfmt_elf_fdpic with skipping clear_user() for +non-writable segments and otherwise calling clear_user(), aka padzero(), +and checking it's return code is the right thing to do. + +I just skipped the error checking as that avoids breaking things. + +And notably, it looks like Borland's Kylix died in 2005 so it might be +safe to just consider read-only segments with memsz > filesz an error. + +Reported-by: Sebastian Ott +Reported-by: Thomas Weißschuh +Closes: https://lkml.kernel.org/r/20230914-bss-alloc-v1-1-78de67d2c6dd@weissschuh.net +Signed-off-by: "Eric W. Biederman" +Link: https://lore.kernel.org/r/87sf71f123.fsf@email.froward.int.ebiederm.org +Tested-by: Pedro Falcato +Signed-off-by: Sebastian Ott +Link: https://lore.kernel.org/r/20230929032435.2391507-1-keescook@chromium.org +Signed-off-by: Kees Cook +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 111 +++++++++++++++++++++--------------------------- + 1 file changed, 48 insertions(+), 63 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index d1cf3d25da4b6..ea2968d343bb6 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -109,25 +109,6 @@ static struct linux_binfmt elf_format = { + + #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE)) + +-static int set_brk(unsigned long start, unsigned long end, int prot) +-{ +- start = ELF_PAGEALIGN(start); +- end = ELF_PAGEALIGN(end); +- if (end > start) { +- /* +- * Map the last of the bss segment. +- * If the header is requesting these pages to be +- * executable, honour that (ppc32 needs this). +- */ +- int error = vm_brk_flags(start, end - start, +- prot & PROT_EXEC ? VM_EXEC : 0); +- if (error) +- return error; +- } +- current->mm->start_brk = current->mm->brk = end; +- return 0; +-} +- + /* We need to explicitly zero any fractional pages + after the data section (i.e. bss). 
This would + contain the junk from the file that should not +@@ -401,6 +382,51 @@ static unsigned long elf_map(struct file *filep, unsigned long addr, + return(map_addr); + } + ++static unsigned long elf_load(struct file *filep, unsigned long addr, ++ const struct elf_phdr *eppnt, int prot, int type, ++ unsigned long total_size) ++{ ++ unsigned long zero_start, zero_end; ++ unsigned long map_addr; ++ ++ if (eppnt->p_filesz) { ++ map_addr = elf_map(filep, addr, eppnt, prot, type, total_size); ++ if (BAD_ADDR(map_addr)) ++ return map_addr; ++ if (eppnt->p_memsz > eppnt->p_filesz) { ++ zero_start = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) + ++ eppnt->p_filesz; ++ zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) + ++ eppnt->p_memsz; ++ ++ /* Zero the end of the last mapped page */ ++ padzero(zero_start); ++ } ++ } else { ++ map_addr = zero_start = ELF_PAGESTART(addr); ++ zero_end = zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) + ++ eppnt->p_memsz; ++ } ++ if (eppnt->p_memsz > eppnt->p_filesz) { ++ /* ++ * Map the last of the segment. ++ * If the header is requesting these pages to be ++ * executable, honour that (ppc32 needs this). ++ */ ++ int error; ++ ++ zero_start = ELF_PAGEALIGN(zero_start); ++ zero_end = ELF_PAGEALIGN(zero_end); ++ ++ error = vm_brk_flags(zero_start, zero_end - zero_start, ++ prot & PROT_EXEC ? VM_EXEC : 0); ++ if (error) ++ map_addr = error; ++ } ++ return map_addr; ++} ++ ++ + static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr) + { + elf_addr_t min_addr = -1; +@@ -830,7 +856,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL; + struct elf_phdr *elf_property_phdata = NULL; + unsigned long elf_bss, elf_brk; +- int bss_prot = 0; + int retval, i; + unsigned long elf_entry; + unsigned long e_entry; +@@ -1042,33 +1067,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + if (elf_ppnt->p_type != PT_LOAD) + continue; + +- if (unlikely (elf_brk > elf_bss)) { +- unsigned long nbyte; +- +- /* There was a PT_LOAD segment with p_memsz > p_filesz +- before this one. Map anonymous pages, if needed, +- and clear the area. */ +- retval = set_brk(elf_bss + load_bias, +- elf_brk + load_bias, +- bss_prot); +- if (retval) +- goto out_free_dentry; +- nbyte = ELF_PAGEOFFSET(elf_bss); +- if (nbyte) { +- nbyte = ELF_MIN_ALIGN - nbyte; +- if (nbyte > elf_brk - elf_bss) +- nbyte = elf_brk - elf_bss; +- if (clear_user((void __user *)elf_bss + +- load_bias, nbyte)) { +- /* +- * This bss-zeroing can fail if the ELF +- * file specifies odd protections. So +- * we don't check the return value +- */ +- } +- } +- } +- + elf_prot = make_prot(elf_ppnt->p_flags, &arch_state, + !!interpreter, false); + +@@ -1164,7 +1162,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + } + } + +- error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, ++ error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt, + elf_prot, elf_flags, total_size); + if (BAD_ADDR(error)) { + retval = IS_ERR((void *)error) ? 
+@@ -1219,10 +1217,8 @@ static int load_elf_binary(struct linux_binprm *bprm) + if (end_data < k) + end_data = k; + k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz; +- if (k > elf_brk) { +- bss_prot = elf_prot; ++ if (k > elf_brk) + elf_brk = k; +- } + } + + e_entry = elf_ex->e_entry + load_bias; +@@ -1234,18 +1230,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + start_data += load_bias; + end_data += load_bias; + +- /* Calling set_brk effectively mmaps the pages that we need +- * for the bss and break sections. We must do this before +- * mapping in the interpreter, to make sure it doesn't wind +- * up getting placed where the bss needs to go. +- */ +- retval = set_brk(elf_bss, elf_brk, bss_prot); +- if (retval) +- goto out_free_dentry; +- if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { +- retval = -EFAULT; /* Nobody gets to see this, but.. */ +- goto out_free_dentry; +- } ++ current->mm->start_brk = current->mm->brk = ELF_PAGEALIGN(elf_brk); + + if (interpreter) { + elf_entry = load_elf_interp(interp_elf_ex, +-- +2.39.5 + diff --git a/queue-6.1/clocksource-i8253-use-raw_spinlock_irqsave-in-clocke.patch b/queue-6.1/clocksource-i8253-use-raw_spinlock_irqsave-in-clocke.patch new file mode 100644 index 0000000000..b81af8b28f --- /dev/null +++ b/queue-6.1/clocksource-i8253-use-raw_spinlock_irqsave-in-clocke.patch @@ -0,0 +1,59 @@ +From d5d364a05073f22d9252a8ad86162d1dcf7a4ff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 15:31:16 +0200 +Subject: clocksource/i8253: Use raw_spinlock_irqsave() in + clockevent_i8253_disable() + +From: Sebastian Andrzej Siewior + +[ Upstream commit 94cff94634e506a4a44684bee1875d2dbf782722 ] + +On x86 during boot, clockevent_i8253_disable() can be invoked via +x86_late_time_init -> hpet_time_init() -> pit_timer_init() which happens +with enabled interrupts. + +If some of the old i8253 hardware is actually used then lockdep will notice +that i8253_lock is used in hard interrupt context. This causes lockdep to +complain because it observed the lock being acquired with interrupts +enabled and in hard interrupt context. + +Make clockevent_i8253_disable() acquire the lock with +raw_spinlock_irqsave() to cure this. 
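+
+A guard(raw_spinlock_irqsave)(&i8253_lock) declaration (from the kernel's
+scope-based cleanup helpers) saves and disables local interrupts, takes the
+raw spinlock, and releases both automatically when it goes out of scope. A
+reduced, open-coded sketch of the same locking pattern (function name
+illustrative, body trimmed to one representative register write; the real
+conversion is in the diff below):
+
+	static void clockevent_i8253_disable_sketch(void)
+	{
+		unsigned long flags;
+
+		raw_spin_lock_irqsave(&i8253_lock, flags);
+		/* PIT MODE/CH0 register writes go here, now with IRQs off */
+		outb_p(0x30, PIT_MODE);
+		raw_spin_unlock_irqrestore(&i8253_lock, flags);
+	}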
+ +[ tglx: Massage change log and use guard() ] + +Fixes: c8c4076723dac ("x86/timer: Skip PIT initialization on modern chipsets") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250404133116.p-XRWJXf@linutronix.de +Signed-off-by: Sasha Levin +--- + drivers/clocksource/i8253.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/clocksource/i8253.c b/drivers/clocksource/i8253.c +index 39f7c2d736d16..b603c25f3dfaa 100644 +--- a/drivers/clocksource/i8253.c ++++ b/drivers/clocksource/i8253.c +@@ -103,7 +103,7 @@ int __init clocksource_i8253_init(void) + #ifdef CONFIG_CLKEVT_I8253 + void clockevent_i8253_disable(void) + { +- raw_spin_lock(&i8253_lock); ++ guard(raw_spinlock_irqsave)(&i8253_lock); + + /* + * Writing the MODE register should stop the counter, according to +@@ -132,8 +132,6 @@ void clockevent_i8253_disable(void) + outb_p(0, PIT_CH0); + + outb_p(0x30, PIT_MODE); +- +- raw_spin_unlock(&i8253_lock); + } + + static int pit_shutdown(struct clock_event_device *evt) +-- +2.39.5 + diff --git a/queue-6.1/drm-amd-add-suspend-hibernate-notification-callback-.patch b/queue-6.1/drm-amd-add-suspend-hibernate-notification-callback-.patch new file mode 100644 index 0000000000..7bf4221e57 --- /dev/null +++ b/queue-6.1/drm-amd-add-suspend-hibernate-notification-callback-.patch @@ -0,0 +1,149 @@ +From 73a5b69a42c68d8e7767fbbfc5c678fbf835673d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2024 21:26:56 -0600 +Subject: drm/amd: Add Suspend/Hibernate notification callback support + +From: Mario Limonciello + +[ Upstream commit 2965e6355dcdf157b5fafa25a2715f00064da8bf ] + +As part of the suspend sequence VRAM needs to be evicted on dGPUs. +In order to make suspend/resume more reliable we moved this into +the pmops prepare() callback so that the suspend sequence would fail +but the system could remain operational under high memory usage suspend. + +Another class of issues exist though where due to memory fragementation +there isn't a large enough contiguous space and swap isn't accessible. + +Add support for a suspend/hibernate notification callback that could +evict VRAM before tasks are frozen. This should allow paging out to swap +if necessary. 
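+
+A reduced sketch of the notifier wiring described above (callback name
+illustrative; the actual implementation, including the in_s4 handling, is
+in the diff below):
+
+	static int evict_before_sleep(struct notifier_block *nb,
+				      unsigned long mode, void *data)
+	{
+		switch (mode) {
+		case PM_HIBERNATION_PREPARE:
+		case PM_SUSPEND_PREPARE:
+			/* evict VRAM while swap is still reachable */
+			break;
+		}
+		return NOTIFY_DONE;
+	}
+
+	/* registered once at device init: */
+	adev->pm_nb.notifier_call = evict_before_sleep;
+	register_pm_notifier(&adev->pm_nb);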
+ +Link: https://github.com/ROCm/ROCK-Kernel-Driver/issues/174 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3476 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2362 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3781 +Reviewed-by: Lijo Lazar +Link: https://lore.kernel.org/r/20241128032656.2090059-2-superm1@kernel.org +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 46 +++++++++++++++++++++- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 - + 3 files changed, 46 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +index 705703bab2fdd..019a83c7170d4 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -781,6 +781,7 @@ struct amdgpu_device { + bool need_swiotlb; + bool accel_working; + struct notifier_block acpi_nb; ++ struct notifier_block pm_nb; + struct amdgpu_i2c_chan *i2c_bus[AMDGPU_MAX_I2C_BUS]; + struct debugfs_blob_wrapper debugfs_vbios_blob; + struct debugfs_blob_wrapper debugfs_discovery_blob; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index aac0e49f77c7f..32c571e9288ae 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -140,6 +140,8 @@ const char *amdgpu_asic_name[] = { + }; + + static inline void amdgpu_device_stop_pending_resets(struct amdgpu_device *adev); ++static int amdgpu_device_pm_notifier(struct notifier_block *nb, unsigned long mode, ++ void *data); + + /** + * DOC: pcie_replay_count +@@ -3992,6 +3994,11 @@ int amdgpu_device_init(struct amdgpu_device *adev, + + amdgpu_device_check_iommu_direct_map(adev); + ++ adev->pm_nb.notifier_call = amdgpu_device_pm_notifier; ++ r = register_pm_notifier(&adev->pm_nb); ++ if (r) ++ goto failed; ++ + return 0; + + release_ras_con: +@@ -4053,6 +4060,8 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev) + flush_delayed_work(&adev->delayed_init_work); + adev->shutdown = true; + ++ unregister_pm_notifier(&adev->pm_nb); ++ + /* make sure IB test finished before entering exclusive mode + * to avoid preemption on IB test + * */ +@@ -4183,6 +4192,41 @@ static int amdgpu_device_evict_resources(struct amdgpu_device *adev) + /* + * Suspend & resume. + */ ++/** ++ * amdgpu_device_pm_notifier - Notification block for Suspend/Hibernate events ++ * @nb: notifier block ++ * @mode: suspend mode ++ * @data: data ++ * ++ * This function is called when the system is about to suspend or hibernate. ++ * It is used to evict resources from the device before the system goes to ++ * sleep while there is still access to swap. ++ */ ++static int amdgpu_device_pm_notifier(struct notifier_block *nb, unsigned long mode, ++ void *data) ++{ ++ struct amdgpu_device *adev = container_of(nb, struct amdgpu_device, pm_nb); ++ int r; ++ ++ switch (mode) { ++ case PM_HIBERNATION_PREPARE: ++ adev->in_s4 = true; ++ fallthrough; ++ case PM_SUSPEND_PREPARE: ++ r = amdgpu_device_evict_resources(adev); ++ /* ++ * This is considered non-fatal at this time because ++ * amdgpu_device_prepare() will also fatally evict resources. 
++ * See https://gitlab.freedesktop.org/drm/amd/-/issues/3781 ++ */ ++ if (r) ++ drm_warn(adev_to_drm(adev), "Failed to evict resources, freeze active processes if problems occur: %d\n", r); ++ break; ++ } ++ ++ return NOTIFY_DONE; ++} ++ + /** + * amdgpu_device_prepare - prepare for device suspend + * +@@ -4222,7 +4266,7 @@ int amdgpu_device_prepare(struct drm_device *dev) + return 0; + + unprepare: +- adev->in_s0ix = adev->in_s3 = false; ++ adev->in_s0ix = adev->in_s3 = adev->in_s4 = false; + + return r; + } +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index 0a85a59519cac..06958608c9849 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -2468,7 +2468,6 @@ static int amdgpu_pmops_freeze(struct device *dev) + struct amdgpu_device *adev = drm_to_adev(drm_dev); + int r; + +- adev->in_s4 = true; + r = amdgpu_device_suspend(drm_dev, true); + if (r) + return r; +-- +2.39.5 + diff --git a/queue-6.1/drm-amd-stop-evicting-resources-on-apus-in-suspend.patch b/queue-6.1/drm-amd-stop-evicting-resources-on-apus-in-suspend.patch new file mode 100644 index 0000000000..282b1f0d9c --- /dev/null +++ b/queue-6.1/drm-amd-stop-evicting-resources-on-apus-in-suspend.patch @@ -0,0 +1,118 @@ +From 12ab9da2db8125c559eb2fb9a8dd53f114d9419f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Feb 2024 23:52:55 -0600 +Subject: drm/amd: Stop evicting resources on APUs in suspend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 226db36032c61d8717dfdd052adac351b22d3e83 ] + +commit 5095d5418193 ("drm/amd: Evict resources during PM ops prepare() +callback") intentionally moved the eviction of resources to earlier in +the suspend process, but this introduced a subtle change that it occurs +before adev->in_s0ix or adev->in_s3 are set. This meant that APUs +actually started to evict resources at suspend time as well. + +Explicitly set s0ix or s3 in the prepare() stage, and unset them if the +prepare() stage failed. 
+ +v2: squash in warning fix from Stephen Rothwell + +Reported-by: Jürg Billeter +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3132#note_2271038 +Fixes: 5095d5418193 ("drm/amd: Evict resources during PM ops prepare() callback") +Acked-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 ++ + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +++++++++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 +++++++++-- + 3 files changed, 26 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +index dd22d2559720c..705703bab2fdd 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -1408,9 +1408,11 @@ static inline int amdgpu_acpi_smart_shift_update(struct drm_device *dev, + #if defined(CONFIG_ACPI) && defined(CONFIG_SUSPEND) + bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev); + bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev); ++void amdgpu_choose_low_power_state(struct amdgpu_device *adev); + #else + static inline bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) { return false; } + static inline bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev) { return false; } ++static inline void amdgpu_choose_low_power_state(struct amdgpu_device *adev) { } + #endif + + #if defined(CONFIG_DRM_AMD_DC) +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +index 5fa7f6d8aa309..70d761f79770d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -1118,4 +1118,19 @@ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) + #endif /* CONFIG_AMD_PMC */ + } + ++/** ++ * amdgpu_choose_low_power_state ++ * ++ * @adev: amdgpu_device_pointer ++ * ++ * Choose the target low power state for the GPU ++ */ ++void amdgpu_choose_low_power_state(struct amdgpu_device *adev) ++{ ++ if (amdgpu_acpi_is_s0ix_active(adev)) ++ adev->in_s0ix = true; ++ else if (amdgpu_acpi_is_s3_active(adev)) ++ adev->in_s3 = true; ++} ++ + #endif /* CONFIG_SUSPEND */ +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index fcd0c61499f89..52f4ef4e8b4b0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -4195,13 +4195,15 @@ int amdgpu_device_prepare(struct drm_device *dev) + struct amdgpu_device *adev = drm_to_adev(dev); + int i, r; + ++ amdgpu_choose_low_power_state(adev); ++ + if (dev->switch_power_state == DRM_SWITCH_POWER_OFF) + return 0; + + /* Evict the majority of BOs before starting suspend sequence */ + r = amdgpu_device_evict_resources(adev); + if (r) +- return r; ++ goto unprepare; + + flush_delayed_work(&adev->gfx.gfx_off_delay_work); + +@@ -4212,10 +4214,15 @@ int amdgpu_device_prepare(struct drm_device *dev) + continue; + r = adev->ip_blocks[i].version->funcs->prepare_suspend((void *)adev); + if (r) +- return r; ++ goto unprepare; + } + + return 0; ++ ++unprepare: ++ adev->in_s0ix = adev->in_s3 = false; ++ ++ return r; + } + + /** +-- +2.39.5 + diff --git a/queue-6.1/drm-amdgpu-fix-the-runtime-resume-failure-issue.patch b/queue-6.1/drm-amdgpu-fix-the-runtime-resume-failure-issue.patch new file mode 100644 index 0000000000..c9bbfce252 --- /dev/null +++ 
b/queue-6.1/drm-amdgpu-fix-the-runtime-resume-failure-issue.patch @@ -0,0 +1,40 @@ +From c9669c17b92e3546b8551d6c5f9f55b21a73ed81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Feb 2024 17:16:49 +0800 +Subject: drm/amdgpu: Fix the runtime resume failure issue + +From: Ma Jun + +[ Upstream commit bbfaf2aea7164db59739728d62d9cc91d64ff856 ] + +Don't set power state flag when system enter runtime suspend, +or it may cause runtime resume failure issue. + +Fixes: 3a9626c816db ("drm/amd: Stop evicting resources on APUs in suspend") +Signed-off-by: Ma Jun +Reviewed-by: Mario Limonciello +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +index 70d761f79770d..46916680f044b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -1127,6 +1127,9 @@ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) + */ + void amdgpu_choose_low_power_state(struct amdgpu_device *adev) + { ++ if (adev->in_runpm) ++ return; ++ + if (amdgpu_acpi_is_s0ix_active(adev)) + adev->in_s0ix = true; + else if (amdgpu_acpi_is_s3_active(adev)) +-- +2.39.5 + diff --git a/queue-6.1/drm-amdgpu-trigger-flr_work-if-reading-pf2vf-data-fa.patch b/queue-6.1/drm-amdgpu-trigger-flr_work-if-reading-pf2vf-data-fa.patch new file mode 100644 index 0000000000..af7ef98fbb --- /dev/null +++ b/queue-6.1/drm-amdgpu-trigger-flr_work-if-reading-pf2vf-data-fa.patch @@ -0,0 +1,202 @@ +From e0615f932a0a0dd2f4f7d0a5a77740b4caacfa6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Feb 2024 16:04:35 -0500 +Subject: drm/amdgpu: trigger flr_work if reading pf2vf data failed + +From: Zhigang Luo + +[ Upstream commit ab66c832847fcdffc97d4591ba5547e3990d9d33 ] + +if reading pf2vf data failed 30 times continuously, it means something is +wrong. Need to trigger flr_work to recover the issue. + +also use dev_err to print the error message to get which device has +issue and add warning message if waiting IDH_FLR_NOTIFICATION_CMPL +timeout. 
+ +Signed-off-by: Zhigang Luo +Acked-by: Hawking Zhang +Signed-off-by: Alex Deucher +Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 15 +++++++---- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 29 ++++++++++++++++++---- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 +++ + drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c | 2 ++ + drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c | 2 ++ + 5 files changed, 41 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 52f4ef4e8b4b0..aac0e49f77c7f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -139,6 +139,8 @@ const char *amdgpu_asic_name[] = { + "LAST", + }; + ++static inline void amdgpu_device_stop_pending_resets(struct amdgpu_device *adev); ++ + /** + * DOC: pcie_replay_count + * +@@ -4638,6 +4640,8 @@ static int amdgpu_device_reset_sriov(struct amdgpu_device *adev, + retry: + amdgpu_amdkfd_pre_reset(adev); + ++ amdgpu_device_stop_pending_resets(adev); ++ + if (from_hypervisor) + r = amdgpu_virt_request_full_gpu(adev, true); + else +@@ -5509,11 +5513,12 @@ int amdgpu_device_gpu_recover(struct amdgpu_device *adev, + tmp_adev->asic_reset_res = r; + } + +- /* +- * Drop all pending non scheduler resets. Scheduler resets +- * were already dropped during drm_sched_stop +- */ +- amdgpu_device_stop_pending_resets(tmp_adev); ++ if (!amdgpu_sriov_vf(tmp_adev)) ++ /* ++ * Drop all pending non scheduler resets. Scheduler resets ++ * were already dropped during drm_sched_stop ++ */ ++ amdgpu_device_stop_pending_resets(tmp_adev); + } + + tmp_vram_lost_counter = atomic_read(&((adev)->vram_lost_counter)); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +index d7b76a3d2d558..6174bef0ecb88 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +@@ -32,6 +32,7 @@ + + #include "amdgpu.h" + #include "amdgpu_ras.h" ++#include "amdgpu_reset.h" + #include "vi.h" + #include "soc15.h" + #include "nv.h" +@@ -456,7 +457,7 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev) + return -EINVAL; + + if (pf2vf_info->size > 1024) { +- DRM_ERROR("invalid pf2vf message size\n"); ++ dev_err(adev->dev, "invalid pf2vf message size: 0x%x\n", pf2vf_info->size); + return -EINVAL; + } + +@@ -467,7 +468,9 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev) + adev->virt.fw_reserve.p_pf2vf, pf2vf_info->size, + adev->virt.fw_reserve.checksum_key, checksum); + if (checksum != checkval) { +- DRM_ERROR("invalid pf2vf message\n"); ++ dev_err(adev->dev, ++ "invalid pf2vf message: header checksum=0x%x calculated checksum=0x%x\n", ++ checksum, checkval); + return -EINVAL; + } + +@@ -481,7 +484,9 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev) + adev->virt.fw_reserve.p_pf2vf, pf2vf_info->size, + 0, checksum); + if (checksum != checkval) { +- DRM_ERROR("invalid pf2vf message\n"); ++ dev_err(adev->dev, ++ "invalid pf2vf message: header checksum=0x%x calculated checksum=0x%x\n", ++ checksum, checkval); + return -EINVAL; + } + +@@ -517,7 +522,7 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev) + ((struct amd_sriov_msg_pf2vf_info *)pf2vf_info)->uuid; + break; + default: +- DRM_ERROR("invalid pf2vf version\n"); ++ dev_err(adev->dev, "invalid pf2vf version: 0x%x\n", pf2vf_info->version); 
+ return -EINVAL; + } + +@@ -617,8 +622,21 @@ static void amdgpu_virt_update_vf2pf_work_item(struct work_struct *work) + int ret; + + ret = amdgpu_virt_read_pf2vf_data(adev); +- if (ret) ++ if (ret) { ++ adev->virt.vf2pf_update_retry_cnt++; ++ if ((adev->virt.vf2pf_update_retry_cnt >= AMDGPU_VF2PF_UPDATE_MAX_RETRY_LIMIT) && ++ amdgpu_sriov_runtime(adev) && !amdgpu_in_reset(adev)) { ++ if (amdgpu_reset_domain_schedule(adev->reset_domain, ++ &adev->virt.flr_work)) ++ return; ++ else ++ dev_err(adev->dev, "Failed to queue work! at %s", __func__); ++ } ++ + goto out; ++ } ++ ++ adev->virt.vf2pf_update_retry_cnt = 0; + amdgpu_virt_write_vf2pf_data(adev); + + out: +@@ -639,6 +657,7 @@ void amdgpu_virt_init_data_exchange(struct amdgpu_device *adev) + adev->virt.fw_reserve.p_pf2vf = NULL; + adev->virt.fw_reserve.p_vf2pf = NULL; + adev->virt.vf2pf_update_interval_ms = 0; ++ adev->virt.vf2pf_update_retry_cnt = 0; + + if (adev->mman.fw_vram_usage_va != NULL) { + /* go through this logic in ip_init and reset to init workqueue*/ +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +index dc6aaa4d67be7..fc2859726f0a6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +@@ -51,6 +51,8 @@ + /* tonga/fiji use this offset */ + #define mmBIF_IOV_FUNC_IDENTIFIER 0x1503 + ++#define AMDGPU_VF2PF_UPDATE_MAX_RETRY_LIMIT 30 ++ + enum amdgpu_sriov_vf_mode { + SRIOV_VF_MODE_BARE_METAL = 0, + SRIOV_VF_MODE_ONE_VF, +@@ -250,6 +252,7 @@ struct amdgpu_virt { + /* vf2pf message */ + struct delayed_work vf2pf_work; + uint32_t vf2pf_update_interval_ms; ++ int vf2pf_update_retry_cnt; + + /* multimedia bandwidth config */ + bool is_mm_bw_enabled; +diff --git a/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c b/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c +index 12906ba74462f..d39c6baae007a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c ++++ b/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c +@@ -276,6 +276,8 @@ static void xgpu_ai_mailbox_flr_work(struct work_struct *work) + timeout -= 10; + } while (timeout > 1); + ++ dev_warn(adev->dev, "waiting IDH_FLR_NOTIFICATION_CMPL timeout\n"); ++ + flr_done: + atomic_set(&adev->reset_domain->in_gpu_reset, 0); + up_write(&adev->reset_domain->sem); +diff --git a/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c b/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c +index e07757eea7adf..a311a2425ec01 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c ++++ b/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c +@@ -300,6 +300,8 @@ static void xgpu_nv_mailbox_flr_work(struct work_struct *work) + timeout -= 10; + } while (timeout > 1); + ++ dev_warn(adev->dev, "waiting IDH_FLR_NOTIFICATION_CMPL timeout\n"); ++ + flr_done: + atomic_set(&adev->reset_domain->in_gpu_reset, 0); + up_write(&adev->reset_domain->sem); +-- +2.39.5 + diff --git a/queue-6.1/hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch b/queue-6.1/hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch new file mode 100644 index 0000000000..e0408fc179 --- /dev/null +++ b/queue-6.1/hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch @@ -0,0 +1,39 @@ +From 87e34953f1a0e8177dd9ce09ef0911ea15ed13ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 23:11:46 +0000 +Subject: HID: thrustmaster: fix memory leak in thrustmaster_interrupts() + +From: Qasim Ijaz + +[ Upstream commit 09d546303b370113323bfff456c4e8cff8756005 ] + +In thrustmaster_interrupts(), the allocated send_buf is not +freed if the usb_check_int_endpoints() check fails, leading +to a memory leak. 
+ +Fix this by ensuring send_buf is freed before returning in +the error path. + +Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check") +Signed-off-by: Qasim Ijaz +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-thrustmaster.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c +index 3b81468a1df29..0bf70664c35ee 100644 +--- a/drivers/hid/hid-thrustmaster.c ++++ b/drivers/hid/hid-thrustmaster.c +@@ -174,6 +174,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev) + u8 ep_addr[2] = {b_ep, 0}; + + if (!usb_check_int_endpoints(usbif, ep_addr)) { ++ kfree(send_buf); + hid_err(hdev, "Unexpected non-int endpoint\n"); + return; + } +-- +2.39.5 + diff --git a/queue-6.1/hid-uclogic-add-null-check-in-uclogic_input_configur.patch b/queue-6.1/hid-uclogic-add-null-check-in-uclogic_input_configur.patch new file mode 100644 index 0000000000..d3d3d016da --- /dev/null +++ b/queue-6.1/hid-uclogic-add-null-check-in-uclogic_input_configur.patch @@ -0,0 +1,46 @@ +From 2b9a65e17650515aa02b2209beb87191c2ece377 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:48:53 +0800 +Subject: HID: uclogic: Add NULL check in uclogic_input_configured() + +From: Henry Martin + +[ Upstream commit bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +uclogic_input_configured() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: dd613a4e45f8 ("HID: uclogic: Correct devm device reference for hidinput input_dev name") +Signed-off-by: Henry Martin +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c +index 39114d5c55a0e..5b35f9f321d41 100644 +--- a/drivers/hid/hid-uclogic-core.c ++++ b/drivers/hid/hid-uclogic-core.c +@@ -142,11 +142,12 @@ static int uclogic_input_configured(struct hid_device *hdev, + suffix = "System Control"; + break; + } +- } +- +- if (suffix) ++ } else { + hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, + "%s %s", hdev->name, suffix); ++ if (!hi->input->name) ++ return -ENOMEM; ++ } + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.1/iio-adc-ad7266-fix-potential-timestamp-alignment-iss.patch b/queue-6.1/iio-adc-ad7266-fix-potential-timestamp-alignment-iss.patch new file mode 100644 index 0000000000..c205290d0c --- /dev/null +++ b/queue-6.1/iio-adc-ad7266-fix-potential-timestamp-alignment-iss.patch @@ -0,0 +1,45 @@ +From 1d7e168e74e778e607328804afb9b8a0137f962e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Apr 2025 11:34:24 +0100 +Subject: iio: adc: ad7266: Fix potential timestamp alignment issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit 52d349884738c346961e153f195f4c7fe186fcf4 ] + +On architectures where an s64 is only 32-bit aligned insufficient padding +would be left between the earlier elements and the timestamp. Use +aligned_s64 to enforce the correct placement and ensure the storage is +large enough. + +Fixes: 54e018da3141 ("iio:ad7266: Mark transfer buffer as __be16") # aligned_s64 is much newer. 
+Reported-by: David Lechner +Reviewed-by: Nuno Sá +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250413103443.2420727-2-jic23@kernel.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7266.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c +index 98648c679a55c..2ace3aafe4978 100644 +--- a/drivers/iio/adc/ad7266.c ++++ b/drivers/iio/adc/ad7266.c +@@ -44,7 +44,7 @@ struct ad7266_state { + */ + struct { + __be16 sample[2]; +- s64 timestamp; ++ aligned_s64 timestamp; + } data __aligned(IIO_DMA_MINALIGN); + }; + +-- +2.39.5 + diff --git a/queue-6.1/iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch b/queue-6.1/iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch new file mode 100644 index 0000000000..01102a4f90 --- /dev/null +++ b/queue-6.1/iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch @@ -0,0 +1,44 @@ +From 9403665acc2c679041de84365f3941f552a9d8a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Apr 2025 11:34:25 +0100 +Subject: iio: adc: ad7768-1: Fix insufficient alignment of timestamp. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit ffbc26bc91c1f1eb3dcf5d8776e74cbae21ee13a ] + +On architectures where an s64 is not 64-bit aligned, this may result +insufficient alignment of the timestamp and the structure being too small. +Use aligned_s64 to force the alignment. + +Fixes: a1caeebab07e ("iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp()") # aligned_s64 newer +Reported-by: David Lechner +Reviewed-by: Nuno Sá +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250413103443.2420727-3-jic23@kernel.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7768-1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c +index 74b0c85944bd6..967f06cd3f94e 100644 +--- a/drivers/iio/adc/ad7768-1.c ++++ b/drivers/iio/adc/ad7768-1.c +@@ -169,7 +169,7 @@ struct ad7768_state { + union { + struct { + __be32 chan; +- s64 timestamp; ++ aligned_s64 timestamp; + } scan; + __be32 d32; + u8 d8[2]; +-- +2.39.5 + diff --git a/queue-6.1/iio-chemical-sps30-use-aligned_s64-for-timestamp.patch b/queue-6.1/iio-chemical-sps30-use-aligned_s64-for-timestamp.patch new file mode 100644 index 0000000000..ba20c65a47 --- /dev/null +++ b/queue-6.1/iio-chemical-sps30-use-aligned_s64-for-timestamp.patch @@ -0,0 +1,43 @@ +From 41c58a736224c6cd6e5ce593ff630c4b2c83a608 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 11:52:37 -0500 +Subject: iio: chemical: sps30: use aligned_s64 for timestamp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Lechner + +[ Upstream commit bb49d940344bcb8e2b19e69d7ac86f567887ea9a ] + +Follow the pattern of other drivers and use aligned_s64 for the +timestamp. This will ensure that the timestamp is correctly aligned on +all architectures. 
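+
+The underlying issue is that on 32-bit architectures a plain s64 member
+may only be 4-byte aligned, so the timestamp slot handed to
+iio_push_to_buffers_with_timestamp() can end up under-aligned.
+aligned_s64 forces 8-byte alignment; the resulting idiom looks roughly
+like this (sketch, not a literal copy of the driver):
+
+	struct {
+		s32 data[4];	/* PM1, PM2P5, PM4, PM10 */
+		aligned_s64 ts;	/* 8-byte aligned timestamp slot */
+	} scan;
+
+	iio_push_to_buffers_with_timestamp(indio_dev, &scan,
+					   iio_get_time_ns(indio_dev));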
+ +Fixes: a5bf6fdd19c3 ("iio:chemical:sps30: Fix timestamp alignment") +Signed-off-by: David Lechner +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20250417-iio-more-timestamp-alignment-v1-5-eafac1e22318@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/chemical/sps30.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/chemical/sps30.c b/drivers/iio/chemical/sps30.c +index 814ce0aad1ccc..4085a36cd1db7 100644 +--- a/drivers/iio/chemical/sps30.c ++++ b/drivers/iio/chemical/sps30.c +@@ -108,7 +108,7 @@ static irqreturn_t sps30_trigger_handler(int irq, void *p) + int ret; + struct { + s32 data[4]; /* PM1, PM2P5, PM4, PM10 */ +- s64 ts; ++ aligned_s64 ts; + } scan; + + mutex_lock(&state->lock); +-- +2.39.5 + diff --git a/queue-6.1/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch b/queue-6.1/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch new file mode 100644 index 0000000000..eb1902782e --- /dev/null +++ b/queue-6.1/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch @@ -0,0 +1,64 @@ +From 5946d82ee5680a0890ecda20bde3f04dff1a2f65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:19:35 +0200 +Subject: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. + +From: Mathieu Othacehe + +[ Upstream commit c92d6089d8ad7d4d815ebcedee3f3907b539ff1f ] + +There is a situation where after THALT is set high, TGO stays high as +well. Because jiffies are never updated, as we are in a context with +interrupts disabled, we never exit that loop and have a deadlock. + +That deadlock was noticed on a sama5d4 device that stayed locked for days. + +Use retries instead of jiffies so that the timeout really works and we do +not have a deadlock anymore. + +Fixes: e86cd53afc590 ("net/macb: better manage tx errors") +Signed-off-by: Mathieu Othacehe +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250509121935.16282-1-othacehe@gnu.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index fc3342944dbcc..d2f4709dee0de 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -962,22 +962,15 @@ static void macb_update_stats(struct macb *bp) + + static int macb_halt_tx(struct macb *bp) + { +- unsigned long halt_time, timeout; +- u32 status; ++ u32 status; + + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(THALT)); + +- timeout = jiffies + usecs_to_jiffies(MACB_HALT_TIMEOUT); +- do { +- halt_time = jiffies; +- status = macb_readl(bp, TSR); +- if (!(status & MACB_BIT(TGO))) +- return 0; +- +- udelay(250); +- } while (time_before(halt_time, timeout)); +- +- return -ETIMEDOUT; ++ /* Poll TSR until TGO is cleared or timeout. 
*/ ++ return read_poll_timeout_atomic(macb_readl, status, ++ !(status & MACB_BIT(TGO)), ++ 250, MACB_HALT_TIMEOUT, false, ++ bp, TSR); + } + + static void macb_tx_unmap(struct macb *bp, struct macb_tx_skb *tx_skb, int budget) +-- +2.39.5 + diff --git a/queue-6.1/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch b/queue-6.1/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch new file mode 100644 index 0000000000..d4e7c738a7 --- /dev/null +++ b/queue-6.1/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch @@ -0,0 +1,92 @@ +From d50e65937ffe42d3dd9519877f79c4bc4b3751e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:38:16 +0300 +Subject: net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING + +From: Vladimir Oltean + +[ Upstream commit 498625a8ab2c8e1c9ab5105744310e8d6952cc01 ] + +It has been reported that when under a bridge with stp_state=1, the logs +get spammed with this message: + +[ 251.734607] fsl_dpaa2_eth dpni.5 eth0: Couldn't decode source port + +Further debugging shows the following info associated with packets: +source_port=-1, switch_id=-1, vid=-1, vbid=1 + +In other words, they are data plane packets which are supposed to be +decoded by dsa_tag_8021q_find_port_by_vbid(), but the latter (correctly) +refuses to do so, because no switch port is currently in +BR_STATE_LEARNING or BR_STATE_FORWARDING - so the packet is effectively +unexpected. + +The error goes away after the port progresses to BR_STATE_LEARNING in 15 +seconds (the default forward_time of the bridge), because then, +dsa_tag_8021q_find_port_by_vbid() can correctly associate the data plane +packets with a plausible bridge port in a plausible STP state. + +Re-reading IEEE 802.1D-1990, I see the following: + +"4.4.2 Learning: (...) The Forwarding Process shall discard received +frames." + +IEEE 802.1D-2004 further clarifies: + +"DISABLED, BLOCKING, LISTENING, and BROKEN all correspond to the +DISCARDING port state. While those dot1dStpPortStates serve to +distinguish reasons for discarding frames, the operation of the +Forwarding and Learning processes is the same for all of them. (...) +LISTENING represents a port that the spanning tree algorithm has +selected to be part of the active topology (computing a Root Port or +Designated Port role) but is temporarily discarding frames to guard +against loops or incorrect learning." + +Well, this is not what the driver does - instead it sets +mac[port].ingress = true. + +To get rid of the log spam, prevent unexpected data plane packets to +be received by software by discarding them on ingress in the LISTENING +state. + +In terms of blame attribution: the prints only date back to commit +d7f9787a763f ("net: dsa: tag_8021q: add support for imprecise RX based +on the VBID"). However, the settings would permit a LISTENING port to +forward to a FORWARDING port, and the standard suggests that's not OK. 
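+
+With this change LISTENING is handled exactly like DISABLED and
+BLOCKING, so the per-port settings roughly come out as (summary,
+relying on the existing first case group also clearing ingress):
+
+	DISABLED / BLOCKING / LISTENING: ingress, egress, dyn_learn all off
+	LEARNING:                        ingress on, egress off
+	FORWARDING:                      ingress and egress on
+
+BPDUs keep flowing in all of these states, since management traffic
+bypasses the INGRESS flag as noted in the UM10944 quote above.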
+ +Fixes: 640f763f98c2 ("net: dsa: sja1105: Add support for Spanning Tree Protocol") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20250509113816.2221992-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index f1f1368e8146f..d51d982c4bc01 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -2083,6 +2083,7 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port, + switch (state) { + case BR_STATE_DISABLED: + case BR_STATE_BLOCKING: ++ case BR_STATE_LISTENING: + /* From UM10944 description of DRPDTAG (why put this there?): + * "Management traffic flows to the port regardless of the state + * of the INGRESS flag". So BPDUs are still be allowed to pass. +@@ -2092,11 +2093,6 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port, + mac[port].egress = false; + mac[port].dyn_learn = false; + break; +- case BR_STATE_LISTENING: +- mac[port].ingress = true; +- mac[port].egress = false; +- mac[port].dyn_learn = false; +- break; + case BR_STATE_LEARNING: + mac[port].ingress = true; + mac[port].egress = false; +-- +2.39.5 + diff --git a/queue-6.1/net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch b/queue-6.1/net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch new file mode 100644 index 0000000000..e393de3708 --- /dev/null +++ b/queue-6.1/net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch @@ -0,0 +1,57 @@ +From 09fa366889e70216b949376a59545227fcbf8677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 14:16:00 +0930 +Subject: net: mctp: Ensure keys maintain only one ref to corresponding dev + +From: Andrew Jeffery + +[ Upstream commit e4f349bd6e58051df698b82f94721f18a02a293d ] + +mctp_flow_prepare_output() is called in mctp_route_output(), which +places outbound packets onto a given interface. The packet may represent +a message fragment, in which case we provoke an unbalanced reference +count to the underlying device. This causes trouble if we ever attempt +to remove the interface: + + [ 48.702195] usb 1-1: USB disconnect, device number 2 + [ 58.883056] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2 + [ 69.022548] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2 + [ 79.172568] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2 + ... + +Predicate the invocation of mctp_dev_set_key() in +mctp_flow_prepare_output() on not already having associated the device +with the key. It's not yet realistic to uphold the property that the key +maintains only one device reference earlier in the transmission sequence +as the route (and therefore the device) may not be known at the time the +key is associated with the socket. 
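+
+As a concrete illustration of the imbalance (numbers are made up): a
+message split into three fragments passes through
+mctp_flow_prepare_output() three times, so the old code called
+mctp_dev_set_key() -- and took a device reference -- once per fragment,
+while only a single reference is ever dropped for the key:
+
+	/* old: 3 fragments -> 3x mctp_dev_set_key() -> three dev refs taken */
+	/* new: key bound on the first fragment only -> a single dev ref     */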
+ +Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers") +Acked-by: Jeremy Kerr +Signed-off-by: Andrew Jeffery +Link: https://patch.msgid.link/20250508-mctp-dev-refcount-v1-1-d4f965c67bb5@codeconstruct.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index e72cdd4ce588f..62952ad5cb636 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -274,8 +274,10 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + + key = flow->key; + +- if (WARN_ON(key->dev && key->dev != dev)) ++ if (key->dev) { ++ WARN_ON(key->dev != dev); + return; ++ } + + mctp_dev_set_key(dev, key); + } +-- +2.39.5 + diff --git a/queue-6.1/net-mlx5e-disable-macsec-offload-for-uplink-represen.patch b/queue-6.1/net-mlx5e-disable-macsec-offload-for-uplink-represen.patch new file mode 100644 index 0000000000..87af8c6e49 --- /dev/null +++ b/queue-6.1/net-mlx5e-disable-macsec-offload-for-uplink-represen.patch @@ -0,0 +1,156 @@ +From 4a1be77eaad40623f82907d829becbce8b0d9dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 May 2025 13:15:52 +0300 +Subject: net/mlx5e: Disable MACsec offload for uplink representor profile + +From: Carolina Jubran + +[ Upstream commit 588431474eb7572e57a927fa8558c9ba2f8af143 ] + +MACsec offload is not supported in switchdev mode for uplink +representors. When switching to the uplink representor profile, the +MACsec offload feature must be cleared from the netdevice's features. + +If left enabled, attempts to add offloads result in a null pointer +dereference, as the uplink representor does not support MACsec offload +even though the feature bit remains set. + +Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features(). + +Kernel log: + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] +CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__mutex_lock+0x128/0x1dd0 +Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff +RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 +RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 +RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 +R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 +FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +Call Trace: + + ? die_addr+0x3d/0xa0 + ? exc_general_protection+0x144/0x220 + ? asm_exc_general_protection+0x22/0x30 + ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + ? __mutex_lock+0x128/0x1dd0 + ? lockdep_set_lock_cmp_fn+0x190/0x190 + ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + ? mutex_lock_io_nested+0x1ae0/0x1ae0 + ? 
lock_acquire+0x1c2/0x530 + ? macsec_upd_offload+0x145/0x380 + ? lockdep_hardirqs_on_prepare+0x400/0x400 + ? kasan_save_stack+0x30/0x40 + ? kasan_save_stack+0x20/0x40 + ? kasan_save_track+0x10/0x30 + ? __kasan_kmalloc+0x77/0x90 + ? __kmalloc_noprof+0x249/0x6b0 + ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240 + ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core] + macsec_update_offload+0x26c/0x820 + ? macsec_set_mac_address+0x4b0/0x4b0 + ? lockdep_hardirqs_on_prepare+0x284/0x400 + ? _raw_spin_unlock_irqrestore+0x47/0x50 + macsec_upd_offload+0x2c8/0x380 + ? macsec_update_offload+0x820/0x820 + ? __nla_parse+0x22/0x30 + ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240 + genl_family_rcv_msg_doit+0x1cc/0x2a0 + ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240 + ? cap_capable+0xd4/0x330 + genl_rcv_msg+0x3ea/0x670 + ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 + ? lockdep_set_lock_cmp_fn+0x190/0x190 + ? macsec_update_offload+0x820/0x820 + netlink_rcv_skb+0x12b/0x390 + ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 + ? netlink_ack+0xd80/0xd80 + ? rwsem_down_read_slowpath+0xf90/0xf90 + ? netlink_deliver_tap+0xcd/0xac0 + ? netlink_deliver_tap+0x155/0xac0 + ? _copy_from_iter+0x1bb/0x12c0 + genl_rcv+0x24/0x40 + netlink_unicast+0x440/0x700 + ? netlink_attachskb+0x760/0x760 + ? lock_acquire+0x1c2/0x530 + ? __might_fault+0xbb/0x170 + netlink_sendmsg+0x749/0xc10 + ? netlink_unicast+0x700/0x700 + ? __might_fault+0xbb/0x170 + ? netlink_unicast+0x700/0x700 + __sock_sendmsg+0xc5/0x190 + ____sys_sendmsg+0x53f/0x760 + ? import_iovec+0x7/0x10 + ? kernel_sendmsg+0x30/0x30 + ? __copy_msghdr+0x3c0/0x3c0 + ? filter_irq_stacks+0x90/0x90 + ? stack_depot_save_flags+0x28/0xa30 + ___sys_sendmsg+0xeb/0x170 + ? kasan_save_stack+0x30/0x40 + ? copy_msghdr_from_user+0x110/0x110 + ? do_syscall_64+0x6d/0x140 + ? lock_acquire+0x1c2/0x530 + ? __virt_addr_valid+0x116/0x3b0 + ? __virt_addr_valid+0x1da/0x3b0 + ? lock_downgrade+0x680/0x680 + ? __delete_object+0x21/0x50 + __sys_sendmsg+0xf7/0x180 + ? __sys_sendmsg_sock+0x20/0x20 + ? kmem_cache_free+0x14c/0x4e0 + ? 
__x64_sys_close+0x78/0xd0 + do_syscall_64+0x6d/0x140 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +RIP: 0033:0x7f855e113367 +Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 +RSP: 002b:00007ffd15e90c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f855e113367 +RDX: 0000000000000000 RSI: 00007ffd15e90cf0 RDI: 0000000000000004 +RBP: 00007ffd15e90dbc R08: 0000000000000028 R09: 000000000045d100 +R10: 00007f855e011dd8 R11: 0000000000000246 R12: 0000000000000019 +R13: 0000000067c6b785 R14: 00000000004a1e80 R15: 0000000000000000 + +Modules linked in: 8021q garp mrp sch_ingress openvswitch nsh mlx5_ib mlx5_fwctl mlx5_dpll mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core] +---[ end trace 0000000000000000 ]--- + +Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support") +Signed-off-by: Carolina Jubran +Reviewed-by: Shahar Shitrit +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1746958552-561295-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index f520949b2024c..887d446354006 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4023,6 +4023,10 @@ static netdev_features_t mlx5e_fix_uplink_rep_features(struct net_device *netdev + if (netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER) + netdev_warn(netdev, "Disabling HW_VLAN CTAG FILTERING, not supported in switchdev mode\n"); + ++ features &= ~NETIF_F_HW_MACSEC; ++ if (netdev->features & NETIF_F_HW_MACSEC) ++ netdev_warn(netdev, "Disabling HW MACsec offload, not supported in switchdev mode\n"); ++ + return features; + } + +-- +2.39.5 + diff --git a/queue-6.1/net-tls-fix-kernel-panic-when-alloc_page-failed.patch b/queue-6.1/net-tls-fix-kernel-panic-when-alloc_page-failed.patch new file mode 100644 index 0000000000..1d0495fadf --- /dev/null +++ b/queue-6.1/net-tls-fix-kernel-panic-when-alloc_page-failed.patch @@ -0,0 +1,61 @@ +From e2dd25940030c57d9de6238d6e80dcae453693dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:20:13 +0800 +Subject: net/tls: fix kernel panic when alloc_page failed + +From: Pengtao He + +[ Upstream commit 491deb9b8c4ad12fe51d554a69b8165b9ef9429f ] + +We cannot set frag_list to NULL pointer when alloc_page failed. +It will be used in tls_strp_check_queue_ok when the next time +tls_strp_read_sock is called. + +This is because we don't reset full_len in tls_strp_flush_anchor_copy() +so the recv path will try to continue handling the partial record +on the next call but we dettached the rcvq from the frag list. +Alternative fix would be to reset full_len. 
+ +Unable to handle kernel NULL pointer dereference +at virtual address 0000000000000028 + Call trace: + tls_strp_check_rcv+0x128/0x27c + tls_strp_data_ready+0x34/0x44 + tls_data_ready+0x3c/0x1f0 + tcp_data_ready+0x9c/0xe4 + tcp_data_queue+0xf6c/0x12d0 + tcp_rcv_established+0x52c/0x798 + +Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser") +Signed-off-by: Pengtao He +Link: https://patch.msgid.link/20250514132013.17274-1-hept.hept.hept@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_strp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index f37f4a0fcd3c2..44d7f1aef9f12 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -396,7 +396,6 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort) + return 0; + + shinfo = skb_shinfo(strp->anchor); +- shinfo->frag_list = NULL; + + /* If we don't know the length go max plus page for cipher overhead */ + need_spc = strp->stm.full_len ?: TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE; +@@ -412,6 +411,8 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort) + page, 0, 0); + } + ++ shinfo->frag_list = NULL; ++ + strp->copy_mode = 1; + strp->stm.offset = 0; + +-- +2.39.5 + diff --git a/queue-6.1/net_sched-flush-gso_skb-list-too-during-change.patch b/queue-6.1/net_sched-flush-gso_skb-list-too-during-change.patch new file mode 100644 index 0000000000..e132bcea5a --- /dev/null +++ b/queue-6.1/net_sched-flush-gso_skb-list-too-during-change.patch @@ -0,0 +1,147 @@ +From a5583969dce663e5a059b68e2ac3fbba600f9624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 21:35:58 -0700 +Subject: net_sched: Flush gso_skb list too during ->change() + +From: Cong Wang + +[ Upstream commit 2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 ] + +Previously, when reducing a qdisc's limit via the ->change() operation, only +the main skb queue was trimmed, potentially leaving packets in the gso_skb +list. This could result in NULL pointer dereference when we only check +sch->limit against sch->q.qlen. + +This patch introduces a new helper, qdisc_dequeue_internal(), which ensures +both the gso_skb list and the main queue are properly flushed when trimming +excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) +are updated to use this helper in their ->change() routines. + +Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") +Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") +Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler") +Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") +Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") +Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme") +Reported-by: Will +Reported-by: Savy +Signed-off-by: Cong Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 15 +++++++++++++++ + net/sched/sch_codel.c | 2 +- + net/sched/sch_fq.c | 2 +- + net/sched/sch_fq_codel.c | 2 +- + net/sched/sch_fq_pie.c | 2 +- + net/sched/sch_hhf.c | 2 +- + net/sched/sch_pie.c | 2 +- + 7 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 80f657bf2e047..b34e9e93a1463 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -997,6 +997,21 @@ static inline struct sk_buff *__qdisc_dequeue_head(struct qdisc_skb_head *qh) + return skb; + } + ++static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool direct) ++{ ++ struct sk_buff *skb; ++ ++ skb = __skb_dequeue(&sch->gso_skb); ++ if (skb) { ++ sch->q.qlen--; ++ return skb; ++ } ++ if (direct) ++ return __qdisc_dequeue_head(&sch->q); ++ else ++ return sch->dequeue(sch); ++} ++ + static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch) + { + struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c +index 5f2e068157456..63c02040b426a 100644 +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -168,7 +168,7 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt, + + qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + + dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); +diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c +index f59a2cb2c803d..91f5ef6be0f23 100644 +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -901,7 +901,7 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt, + sch_tree_lock(sch); + } + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = fq_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + if (!skb) + break; +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index 9330923a624c0..47b5a056165cb 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -431,7 +431,7 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + + while (sch->q.qlen > sch->limit || + q->memory_usage > q->memory_limit) { +- struct sk_buff *skb = fq_codel_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + q->cstats.drop_len += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); +diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c +index 68e6acd0f130d..607c580d75e4b 100644 +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -357,7 +357,7 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + + /* Drop excess packets if new limit is lower */ + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = fq_pie_qdisc_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + len_dropped += qdisc_pkt_len(skb); + num_dropped += 1; +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index d26cd436cbe31..83fc44f20e31c 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -560,7 +560,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt, + qlen = sch->q.qlen; + prev_backlog = sch->qstats.backlog; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = hhf_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + rtnl_kfree_skbs(skb, skb); + } +diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c +index 
b60b31ef71cc5..e1bb151a97195 100644 +--- a/net/sched/sch_pie.c ++++ b/net/sched/sch_pie.c +@@ -190,7 +190,7 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt, + /* Drop excess packets if new limit is lower */ + qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + + dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); +-- +2.39.5 + diff --git a/queue-6.1/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch b/queue-6.1/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch new file mode 100644 index 0000000000..8dfa78b449 --- /dev/null +++ b/queue-6.1/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch @@ -0,0 +1,97 @@ +From 816949b45ea78e239b5bc56122fbb71b4c893855 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:25:08 +0800 +Subject: nfs: handle failure of nfs_get_lock_context in unlock path + +From: Li Lingfeng + +[ Upstream commit c457dc1ec770a22636b473ce5d35614adfe97636 ] + +When memory is insufficient, the allocation of nfs_lock_context in +nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat +an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) +as valid and proceed to execute rpc_run_task(), this will trigger a NULL +pointer dereference in nfs4_locku_prepare. For example: + +BUG: kernel NULL pointer dereference, address: 000000000000000c +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 +Workqueue: rpciod rpc_async_schedule +RIP: 0010:nfs4_locku_prepare+0x35/0xc2 +Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 +RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 +RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 +RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 +R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 +R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 +FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 +Call Trace: + + __rpc_execute+0xbc/0x480 + rpc_async_schedule+0x2f/0x40 + process_one_work+0x232/0x5d0 + worker_thread+0x1da/0x3d0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x240 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Modules linked in: +CR2: 000000000000000c +---[ end trace 0000000000000000 ]--- + +Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and +return NULL to terminate subsequent rpc_run_task, preventing NULL pointer +dereference. 
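+
+Note that nfs_get_lock_context() reports failure with an ERR_PTR(), not
+with NULL, so the result has to be checked with IS_ERR() before being
+stored in the unlock data, along these lines (sketch of the fixed flow):
+
+	l_ctx = nfs_get_lock_context(ctx);
+	if (IS_ERR(l_ctx)) {
+		kfree(p);
+		return NULL;
+	}
+	p->l_ctx = l_ctx;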
+ +Fixes: f30cb757f680 ("NFS: Always wait for I/O completion before unlock") +Signed-off-by: Li Lingfeng +Reviewed-by: Jeff Layton +Link: https://lore.kernel.org/r/20250417072508.3850532-1-lilingfeng3@huawei.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 5b06b8d4e0147..acef50824d1a2 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -6886,10 +6886,18 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, + struct nfs4_unlockdata *p; + struct nfs4_state *state = lsp->ls_state; + struct inode *inode = state->inode; ++ struct nfs_lock_context *l_ctx; + + p = kzalloc(sizeof(*p), GFP_KERNEL); + if (p == NULL) + return NULL; ++ l_ctx = nfs_get_lock_context(ctx); ++ if (!IS_ERR(l_ctx)) { ++ p->l_ctx = l_ctx; ++ } else { ++ kfree(p); ++ return NULL; ++ } + p->arg.fh = NFS_FH(inode); + p->arg.fl = &p->fl; + p->arg.seqid = seqid; +@@ -6897,7 +6905,6 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, + p->lsp = lsp; + /* Ensure we don't close file until we're done freeing locks! */ + p->ctx = get_nfs_open_context(ctx); +- p->l_ctx = nfs_get_lock_context(ctx); + locks_init_lock(&p->fl); + locks_copy_lock(&p->fl, fl); + p->server = NFS_SERVER(inode); +-- +2.39.5 + diff --git a/queue-6.1/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch b/queue-6.1/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch new file mode 100644 index 0000000000..173b5d8671 --- /dev/null +++ b/queue-6.1/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch @@ -0,0 +1,50 @@ +From 9adfd00d616618eb1953363f8d74a7c1d1f9e7ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 10:50:13 -0400 +Subject: NFSv4/pnfs: Reset the layout state after a layoutreturn + +From: Trond Myklebust + +[ Upstream commit 6d6d7f91cc8c111d40416ac9240a3bb9396c5235 ] + +If there are still layout segments in the layout plh_return_lsegs list +after a layout return, we should be resetting the state to ensure they +eventually get returned as well. 
+ +Fixes: 68f744797edd ("pNFS: Do not free layout segments that are marked for return") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index f682869320198..fe0ddbce3bcb2 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -732,6 +732,14 @@ pnfs_mark_matching_lsegs_invalid(struct pnfs_layout_hdr *lo, + return remaining; + } + ++static void pnfs_reset_return_info(struct pnfs_layout_hdr *lo) ++{ ++ struct pnfs_layout_segment *lseg; ++ ++ list_for_each_entry(lseg, &lo->plh_return_segs, pls_list) ++ pnfs_set_plh_return_info(lo, lseg->pls_range.iomode, 0); ++} ++ + static void + pnfs_free_returned_lsegs(struct pnfs_layout_hdr *lo, + struct list_head *free_me, +@@ -1180,6 +1188,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo, + pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq); + pnfs_free_returned_lsegs(lo, &freeme, range, seq); + pnfs_set_layout_stateid(lo, stateid, NULL, true); ++ pnfs_reset_return_info(lo); + } else + pnfs_mark_layout_stateid_invalid(lo, &freeme); + out_unlock: +-- +2.39.5 + diff --git a/queue-6.1/nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch b/queue-6.1/nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch new file mode 100644 index 0000000000..52eb4b4c10 --- /dev/null +++ b/queue-6.1/nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch @@ -0,0 +1,40 @@ +From 6c3e0b4252149ecd523fbc9886efbe8143bf7ccf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 16:57:06 +0200 +Subject: nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable + +From: Keith Busch + +[ Upstream commit 3d8932133dcecbd9bef1559533c1089601006f45 ] + +We need to lock this queue for that condition because the timeout work +executes per-namespace and can poll the poll CQ. + +Reported-by: Hannes Reinecke +Closes: https://lore.kernel.org/all/20240902130728.1999-1-hare@kernel.org/ +Fixes: a0fa9647a54e ("NVMe: add blk polling support") +Signed-off-by: Keith Busch +Signed-off-by: Daniel Wagner +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 553e6bb461b39..49a3cb8f1f105 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1154,7 +1154,9 @@ static void nvme_poll_irqdisable(struct nvme_queue *nvmeq) + WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags)); + + disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ spin_lock(&nvmeq->cq_poll_lock); + nvme_poll_cq(nvmeq, NULL); ++ spin_unlock(&nvmeq->cq_poll_lock); + enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); + } + +-- +2.39.5 + diff --git a/queue-6.1/nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch b/queue-6.1/nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch new file mode 100644 index 0000000000..36e3c34ea4 --- /dev/null +++ b/queue-6.1/nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch @@ -0,0 +1,64 @@ +From 67f0196532054259b6c8984b8543b79a4a78612b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 20:35:40 -0700 +Subject: nvme-pci: make nvme_pci_npages_prp() __always_inline + +From: Kees Cook + +[ Upstream commit 40696426b8c8c4f13cf6ac52f0470eed144be4b2 ] + +The only reason nvme_pci_npages_prp() could be used as a compile-time +known result in BUILD_BUG_ON() is because the compiler was always choosing +to inline the function. 
Under special circumstances (sanitizer coverage +functions disabled for __init functions on ARCH=um), the compiler decided +to stop inlining it: + + drivers/nvme/host/pci.c: In function 'nvme_init': + include/linux/compiler_types.h:557:45: error: call to '__compiletime_assert_678' declared with attribute error: BUILD_BUG_ON failed: nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS + 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + | ^ + include/linux/compiler_types.h:538:25: note: in definition of macro '__compiletime_assert' + 538 | prefix ## suffix(); \ + | ^~~~~~ + include/linux/compiler_types.h:557:9: note: in expansion of macro '_compiletime_assert' + 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + | ^~~~~~~~~~~~~~~~~~~ + include/linux/build_bug.h:39:37: note: in expansion of macro 'compiletime_assert' + 39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) + | ^~~~~~~~~~~~~~~~~~ + include/linux/build_bug.h:50:9: note: in expansion of macro 'BUILD_BUG_ON_MSG' + 50 | BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition) + | ^~~~~~~~~~~~~~~~ + drivers/nvme/host/pci.c:3804:9: note: in expansion of macro 'BUILD_BUG_ON' + 3804 | BUILD_BUG_ON(nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS); + | ^~~~~~~~~~~~ + +Force it to be __always_inline to make sure it is always available for +use with BUILD_BUG_ON(). + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505061846.12FMyRjj-lkp@intel.com/ +Fixes: c372cdd1efdf ("nvme-pci: iod npages fits in s8") +Signed-off-by: Kees Cook +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index da858463b2557..553e6bb461b39 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -376,7 +376,7 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db, + * as it only leads to a small amount of wasted memory for the lifetime of + * the I/O. + */ +-static int nvme_pci_npages_prp(void) ++static __always_inline int nvme_pci_npages_prp(void) + { + unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE; + unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE); +-- +2.39.5 + diff --git a/queue-6.1/octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch b/queue-6.1/octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch new file mode 100644 index 0000000000..6b5c4b01ac --- /dev/null +++ b/queue-6.1/octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch @@ -0,0 +1,47 @@ +From ad73672fe0af796f52a02662fa053dee86aeff11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 18:12:36 +0530 +Subject: octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy + +From: Subbaraya Sundeep + +[ Upstream commit 865ab2461375e3a5a2526f91f9a9f17b8931bc9e ] + +MASCEC hardware block has a field called maximum transmit size for +TX secy. Max packet size going out of MCS block has be programmed +taking into account full packet size which has L2 header,SecTag +and ICV. MACSEC offload driver is configuring max transmit size as +macsec interface MTU which is incorrect. Say with 1500 MTU of real +device, macsec interface created on top of real device will have MTU of +1468(1500 - (SecTag + ICV)). 
This is causing packets from macsec +interface of size greater than or equal to 1468 are not getting +transmitted out because driver programmed max transmit size as 1468 +instead of 1514(1500 + ETH_HDR_LEN). + +Fixes: c54ffc73601c ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading") +Signed-off-by: Subbaraya Sundeep +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1747053756-4529-1-git-send-email-sbhatta@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +index a487a98eac88c..6da8d8f2a8701 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +@@ -428,7 +428,8 @@ static int cn10k_mcs_write_tx_secy(struct otx2_nic *pfvf, + if (sw_tx_sc->encrypt) + sectag_tci |= (MCS_TCI_E | MCS_TCI_C); + +- policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU, secy->netdev->mtu); ++ policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU, ++ pfvf->netdev->mtu + OTX2_ETH_HLEN); + /* Write SecTag excluding AN bits(1..0) */ + policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_TCI, sectag_tci >> 2); + policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_OFFSET, tag_offset); +-- +2.39.5 + diff --git a/queue-6.1/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch b/queue-6.1/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch new file mode 100644 index 0000000000..4b724db708 --- /dev/null +++ b/queue-6.1/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch @@ -0,0 +1,76 @@ +From 00b45749282028f75498a73ec3c5576f1e760b6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 15:17:02 +0200 +Subject: platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit bfcfe6d335a967f8ea0c1980960e6f0205b5de6e ] + +The wlan_ctrl_by_user detection was introduced by commit a50bd128f28c +("asus-wmi: record wlan status while controlled by userapp"). + +Quoting from that commit's commit message: + +""" +When you call WMIMethod(DSTS, 0x00010011) to get WLAN status, it may return + +(1) 0x00050001 (On) +(2) 0x00050000 (Off) +(3) 0x00030001 (On) +(4) 0x00030000 (Off) +(5) 0x00000002 (Unknown) + +(1), (2) means that the model has hardware GPIO for WLAN, you can call +WMIMethod(DEVS, 0x00010011, 1 or 0) to turn WLAN on/off. +(3), (4) means that the model doesn’t have hardware GPIO, you need to use +API or driver library to turn WLAN on/off, and call +WMIMethod(DEVS, 0x00010012, 1 or 0) to set WLAN LED status. +After you set WLAN LED status, you can see the WLAN status is changed with +WMIMethod(DSTS, 0x00010011). Because the status is recorded lastly +(ex: Windows), you can use it for synchronization. +(5) means that the model doesn’t have WLAN device. + +WLAN is the ONLY special case with upper rule. +""" + +The wlan_ctrl_by_user flag should be set on 0x0003000? ((3), (4) above) +return values, but the flag mistakenly also gets set on laptops with +0x0005000? ((1), (2)) return values. This is causing rfkill problems on +laptops where 0x0005000? is returned. + +Fix the check to only set the wlan_ctrl_by_user flag for 0x0003000? +return values. 
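+
+Taking the return values quoted above: a 0x0005000? status has the
+presence bit set but not the user-control bit, so the old test
+
+	result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)
+
+is already non-zero and wrongly marks WLAN as user controlled, while the
+fixed test
+
+	(result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) ==
+		(ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)
+
+only becomes true for 0x0003000? statuses, where both bits are set.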
+ +Fixes: a50bd128f28c ("asus-wmi: record wlan status while controlled by userapp") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219786 +Signed-off-by: Hans de Goede +Reviewed-by: Armin Wolf +Link: https://lore.kernel.org/r/20250501131702.103360-2-hdegoede@redhat.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 296150eaef929..33eacb4fc4c45 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -3804,7 +3804,8 @@ static int asus_wmi_add(struct platform_device *pdev) + goto fail_leds; + + asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_WLAN, &result); +- if (result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) ++ if ((result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) == ++ (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) + asus->driver->wlan_ctrl_by_user = 1; + + if (!(asus->driver->wlan_ctrl_by_user && ashs_present())) { +-- +2.39.5 + diff --git a/queue-6.1/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch b/queue-6.1/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch new file mode 100644 index 0000000000..3da180ae89 --- /dev/null +++ b/queue-6.1/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch @@ -0,0 +1,45 @@ +From aca63d9225b4ec94908f205f4d2501ca8c239699 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 10:18:27 +0530 +Subject: qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() + +From: Abdun Nihaal + +[ Upstream commit 9d8a99c5a7c7f4f7eca2c168a4ec254409670035 ] + +In one of the error paths in qlcnic_sriov_channel_cfg_cmd(), the memory +allocated in qlcnic_sriov_alloc_bc_mbx_args() for mailbox arguments is +not freed. Fix that by jumping to the error path that frees them, by +calling qlcnic_free_mbx_args(). This was found using static analysis. 
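+
+The fix simply routes this early exit through the existing cleanup
+label, following the usual goto-based error handling pattern (sketch):
+
+	if (cmd.rsp.arg[0] >> 25 == 2) {
+		ret = 2;
+		goto out;	/* jumps to the label that frees the mbx args */
+	}
+	...
+out:
+	qlcnic_free_mbx_args(&cmd);
+	return ret;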
+ +Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation") +Signed-off-by: Abdun Nihaal +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250512044829.36400-1-abdun.nihaal@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 28d24d59efb84..d57b976b90409 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -1484,8 +1484,11 @@ static int qlcnic_sriov_channel_cfg_cmd(struct qlcnic_adapter *adapter, u8 cmd_o + } + + cmd_op = (cmd.rsp.arg[0] & 0xff); +- if (cmd.rsp.arg[0] >> 25 == 2) +- return 2; ++ if (cmd.rsp.arg[0] >> 25 == 2) { ++ ret = 2; ++ goto out; ++ } ++ + if (cmd_op == QLCNIC_BC_CMD_CHANNEL_INIT) + set_bit(QLC_BC_VF_STATE, &vf->state); + else +-- +2.39.5 + diff --git a/queue-6.1/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch b/queue-6.1/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch new file mode 100644 index 0000000000..cd7393f44e --- /dev/null +++ b/queue-6.1/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch @@ -0,0 +1,69 @@ +From 97338c1278a606b61d8ede4733949472e2fa0d69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Apr 2025 09:57:14 +0200 +Subject: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug + +From: Zhu Yanjun + +[ Upstream commit f81b33582f9339d2dc17c69b92040d3650bb4bae ] + +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcf/0x610 mm/kasan/report.c:489 + kasan_report+0xb5/0xe0 mm/kasan/report.c:602 + rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 + rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 + __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 + rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 + create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 + ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 + ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 + vfs_write fs/read_write.c:677 [inline] + vfs_write+0x26a/0xcc0 fs/read_write.c:659 + ksys_write+0x1b8/0x200 fs/read_write.c:731 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +In the function rxe_create_cq, when rxe_cq_from_init fails, the function +rxe_cleanup will be called to handle the allocated resources. In fact, +some memory resources have already been freed in the function +rxe_cq_from_init. Thus, this problem will occur. + +The solution is to let rxe_cleanup do all the work. 
+ +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://paste.ubuntu.com/p/tJgC42wDf6/ +Tested-by: liuyi +Signed-off-by: Zhu Yanjun +Link: https://patch.msgid.link/20250412075714.3257358-1-yanjun.zhu@linux.dev +Reviewed-by: Daisuke Matsuda +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_cq.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_cq.c b/drivers/infiniband/sw/rxe/rxe_cq.c +index b1a0ab3cd4bd1..43dfc6fd8a3ed 100644 +--- a/drivers/infiniband/sw/rxe/rxe_cq.c ++++ b/drivers/infiniband/sw/rxe/rxe_cq.c +@@ -71,11 +71,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe, + + err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata, + cq->queue->buf, cq->queue->buf_size, &cq->queue->ip); +- if (err) { +- vfree(cq->queue->buf); +- kfree(cq->queue); ++ if (err) + return err; +- } + + cq->is_user = uresp; + +-- +2.39.5 + diff --git a/queue-6.1/regulator-max20086-fix-invalid-memory-access.patch b/queue-6.1/regulator-max20086-fix-invalid-memory-access.patch new file mode 100644 index 0000000000..8e6bd38ef4 --- /dev/null +++ b/queue-6.1/regulator-max20086-fix-invalid-memory-access.patch @@ -0,0 +1,73 @@ +From 4568e85c992bf6b3a500fd63ecfc6d31fbed7d69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 09:49:43 +0300 +Subject: regulator: max20086: fix invalid memory access + +From: Cosmin Tanislav + +[ Upstream commit 6b0cd72757c69bc2d45da42b41023e288d02e772 ] + +max20086_parse_regulators_dt() calls of_regulator_match() using an +array of struct of_regulator_match allocated on the stack for the +matches argument. + +of_regulator_match() calls devm_of_regulator_put_matches(), which calls +devres_alloc() to allocate a struct devm_of_regulator_matches which will +be de-allocated using devm_of_regulator_put_matches(). + +struct devm_of_regulator_matches is populated with the stack allocated +matches array. + +If the device fails to probe, devm_of_regulator_put_matches() will be +called and will try to call of_node_put() on that stack pointer, +generating the following dmesg entries: + +max20086 6-0028: Failed to read DEVICE_ID reg: -121 +kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet +kobject_put() is being called. + +Followed by a stack trace matching the call flow described above. + +Switch to allocating the matches array using devm_kcalloc() to +avoid accessing the stack pointer long after it's out of scope. + +This also has the advantage of allowing multiple max20086 to probe +without overriding the data stored inside the global of_regulator_match. 
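+
+The underlying problem is a lifetime mismatch: of_regulator_match()
+registers a devres action that keeps a pointer to the matches array and
+calls of_node_put() on its entries at device teardown, but the old
+array lived on the probe stack and was long gone by then. Roughly:
+
+	/* old (broken): the array dies when the probe path returns */
+	struct of_regulator_match matches[MAX20086_MAX_REGULATORS] = { };
+
+	/* new: devm allocation lives as long as the devres that points at it */
+	matches = devm_kcalloc(chip->dev, chip->info->num_outputs,
+			       sizeof(*matches), GFP_KERNEL);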
+ +Fixes: bfff546aae50 ("regulator: Add MAX20086-MAX20089 driver") +Signed-off-by: Cosmin Tanislav +Link: https://patch.msgid.link/20250508064947.2567255-1-demonsingur@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/max20086-regulator.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/max20086-regulator.c b/drivers/regulator/max20086-regulator.c +index b8bf76c170fea..332fb58f90952 100644 +--- a/drivers/regulator/max20086-regulator.c ++++ b/drivers/regulator/max20086-regulator.c +@@ -133,7 +133,7 @@ static int max20086_regulators_register(struct max20086 *chip) + + static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on) + { +- struct of_regulator_match matches[MAX20086_MAX_REGULATORS] = { }; ++ struct of_regulator_match *matches; + struct device_node *node; + unsigned int i; + int ret; +@@ -144,6 +144,11 @@ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on) + return -ENODEV; + } + ++ matches = devm_kcalloc(chip->dev, chip->info->num_outputs, ++ sizeof(*matches), GFP_KERNEL); ++ if (!matches) ++ return -ENOMEM; ++ + for (i = 0; i < chip->info->num_outputs; ++i) + matches[i].name = max20086_output_names[i]; + +-- +2.39.5 + diff --git a/queue-6.1/revert-drm-amd-stop-evicting-resources-on-apus-in-su.patch b/queue-6.1/revert-drm-amd-stop-evicting-resources-on-apus-in-su.patch new file mode 100644 index 0000000000..685642728c --- /dev/null +++ b/queue-6.1/revert-drm-amd-stop-evicting-resources-on-apus-in-su.patch @@ -0,0 +1,114 @@ +From ad5388eb14a8e71c24776057f977021ad464a407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 13:00:16 -0400 +Subject: Revert "drm/amd: Stop evicting resources on APUs in suspend" + +From: Alex Deucher + +[ Upstream commit d0ce1aaa8531a4a4707711cab5721374751c51b0 ] + +This reverts commit 3a9626c816db901def438dc2513622e281186d39. + +This breaks S4 because we end up setting the s3/s0ix flags +even when we are entering s4 since prepare is used by both +flows. The causes both the S3/s0ix and s4 flags to be set +which breaks several checks in the driver which assume they +are mutually exclusive. 
+ +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3634 +Cc: Mario Limonciello +Reviewed-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit ce8f7d95899c2869b47ea6ce0b3e5bf304b2fff4) +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 -- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 18 ------------------ + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 ++--------- + 3 files changed, 2 insertions(+), 29 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +index 019a83c7170d4..af86402c70a9f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -1409,11 +1409,9 @@ static inline int amdgpu_acpi_smart_shift_update(struct drm_device *dev, + #if defined(CONFIG_ACPI) && defined(CONFIG_SUSPEND) + bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev); + bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev); +-void amdgpu_choose_low_power_state(struct amdgpu_device *adev); + #else + static inline bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) { return false; } + static inline bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev) { return false; } +-static inline void amdgpu_choose_low_power_state(struct amdgpu_device *adev) { } + #endif + + #if defined(CONFIG_DRM_AMD_DC) +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +index 46916680f044b..5fa7f6d8aa309 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -1118,22 +1118,4 @@ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) + #endif /* CONFIG_AMD_PMC */ + } + +-/** +- * amdgpu_choose_low_power_state +- * +- * @adev: amdgpu_device_pointer +- * +- * Choose the target low power state for the GPU +- */ +-void amdgpu_choose_low_power_state(struct amdgpu_device *adev) +-{ +- if (adev->in_runpm) +- return; +- +- if (amdgpu_acpi_is_s0ix_active(adev)) +- adev->in_s0ix = true; +- else if (amdgpu_acpi_is_s3_active(adev)) +- adev->in_s3 = true; +-} +- + #endif /* CONFIG_SUSPEND */ +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 32c571e9288ae..57a7f72f366f7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -4241,15 +4241,13 @@ int amdgpu_device_prepare(struct drm_device *dev) + struct amdgpu_device *adev = drm_to_adev(dev); + int i, r; + +- amdgpu_choose_low_power_state(adev); +- + if (dev->switch_power_state == DRM_SWITCH_POWER_OFF) + return 0; + + /* Evict the majority of BOs before starting suspend sequence */ + r = amdgpu_device_evict_resources(adev); + if (r) +- goto unprepare; ++ return r; + + flush_delayed_work(&adev->gfx.gfx_off_delay_work); + +@@ -4260,15 +4258,10 @@ int amdgpu_device_prepare(struct drm_device *dev) + continue; + r = adev->ip_blocks[i].version->funcs->prepare_suspend((void *)adev); + if (r) +- goto unprepare; ++ return r; + } + + return 0; +- +-unprepare: +- adev->in_s0ix = adev->in_s3 = adev->in_s4 = false; +- +- return r; + } + + /** +-- +2.39.5 + diff --git a/queue-6.1/selftests-exec-build-both-static-and-non-static-load.patch b/queue-6.1/selftests-exec-build-both-static-and-non-static-load.patch new file mode 100644 index 0000000000..8634d01afa --- /dev/null +++ b/queue-6.1/selftests-exec-build-both-static-and-non-static-load.patch @@ -0,0 +1,182 @@ +From c6d64fc55845d84fa380500959f48b5feb1cbdd9 Mon 
Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 10:31:46 -0700 +Subject: selftests/exec: Build both static and non-static load_address tests + +From: Kees Cook + +[ Upstream commit b57a2907c9d96c56494ef25f8ec821cd0b355dd6 ] + +After commit 4d1cd3b2c5c1 ("tools/testing/selftests/exec: fix link +error"), the load address alignment tests tried to build statically. +This was silently ignored in some cases. However, after attempting to +further fix the build by switching to "-static-pie", the test started +failing. This appears to be due to non-PT_INTERP ET_DYN execs ("static +PIE") not doing alignment correctly, which remains unfixed[1]. See commit +aeb7923733d1 ("revert "fs/binfmt_elf: use PT_LOAD p_align values for +static PIE"") for more details. + +Provide rules to build both static and non-static PIE binaries, improve +debug reporting, and perform several test steps instead of a single +all-or-nothing test. However, do not actually enable static-pie tests; +alignment specification is only supported for ET_DYN with PT_INTERP +("regular PIE"). + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215275 [1] +Link: https://lore.kernel.org/r/20240508173149.677910-1-keescook@chromium.org +Signed-off-by: Kees Cook +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/exec/Makefile | 19 +++--- + tools/testing/selftests/exec/load_address.c | 67 +++++++++++++++++---- + 2 files changed, 66 insertions(+), 20 deletions(-) + +diff --git a/tools/testing/selftests/exec/Makefile b/tools/testing/selftests/exec/Makefile +index a0b8688b08369..b54986078d7ea 100644 +--- a/tools/testing/selftests/exec/Makefile ++++ b/tools/testing/selftests/exec/Makefile +@@ -3,8 +3,13 @@ CFLAGS = -Wall + CFLAGS += -Wno-nonnull + CFLAGS += -D_GNU_SOURCE + ++ALIGNS := 0x1000 0x200000 0x1000000 ++ALIGN_PIES := $(patsubst %,load_address.%,$(ALIGNS)) ++ALIGN_STATIC_PIES := $(patsubst %,load_address.static.%,$(ALIGNS)) ++ALIGNMENT_TESTS := $(ALIGN_PIES) ++ + TEST_PROGS := binfmt_script.py +-TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 non-regular ++TEST_GEN_PROGS := execveat non-regular $(ALIGNMENT_TESTS) + TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir + # Makefile is a run-time dependency, since it's accessed by the execveat test + TEST_FILES := Makefile +@@ -28,9 +33,9 @@ $(OUTPUT)/execveat.symlink: $(OUTPUT)/execveat + $(OUTPUT)/execveat.denatured: $(OUTPUT)/execveat + cp $< $@ + chmod -x $@ +-$(OUTPUT)/load_address_4096: load_address.c +- $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x1000 -pie -static $< -o $@ +-$(OUTPUT)/load_address_2097152: load_address.c +- $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x200000 -pie -static $< -o $@ +-$(OUTPUT)/load_address_16777216: load_address.c +- $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x1000000 -pie -static $< -o $@ ++$(OUTPUT)/load_address.0x%: load_address.c ++ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=$(lastword $(subst ., ,$@)) \ ++ -fPIE -pie $< -o $@ ++$(OUTPUT)/load_address.static.0x%: load_address.c ++ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=$(lastword $(subst ., ,$@)) \ ++ -fPIE -static-pie $< -o $@ +diff --git a/tools/testing/selftests/exec/load_address.c b/tools/testing/selftests/exec/load_address.c +index 17e3207d34ae7..8257fddba8c8d 100644 +--- a/tools/testing/selftests/exec/load_address.c ++++ b/tools/testing/selftests/exec/load_address.c +@@ -5,11 +5,13 @@ + #include + 
#include + #include ++#include + #include "../kselftest.h" + + struct Statistics { + unsigned long long load_address; + unsigned long long alignment; ++ bool interp; + }; + + int ExtractStatistics(struct dl_phdr_info *info, size_t size, void *data) +@@ -26,11 +28,20 @@ int ExtractStatistics(struct dl_phdr_info *info, size_t size, void *data) + stats->alignment = 0; + + for (i = 0; i < info->dlpi_phnum; i++) { ++ unsigned long long align; ++ ++ if (info->dlpi_phdr[i].p_type == PT_INTERP) { ++ stats->interp = true; ++ continue; ++ } ++ + if (info->dlpi_phdr[i].p_type != PT_LOAD) + continue; + +- if (info->dlpi_phdr[i].p_align > stats->alignment) +- stats->alignment = info->dlpi_phdr[i].p_align; ++ align = info->dlpi_phdr[i].p_align; ++ ++ if (align > stats->alignment) ++ stats->alignment = align; + } + + return 1; // Terminate dl_iterate_phdr. +@@ -38,27 +49,57 @@ int ExtractStatistics(struct dl_phdr_info *info, size_t size, void *data) + + int main(int argc, char **argv) + { +- struct Statistics extracted; +- unsigned long long misalign; ++ struct Statistics extracted = { }; ++ unsigned long long misalign, pow2; ++ bool interp_needed; ++ char buf[1024]; ++ FILE *maps; + int ret; + + ksft_print_header(); +- ksft_set_plan(1); ++ ksft_set_plan(4); ++ ++ /* Dump maps file for debugging reference. */ ++ maps = fopen("/proc/self/maps", "r"); ++ if (!maps) ++ ksft_exit_fail_msg("FAILED: /proc/self/maps: %s\n", strerror(errno)); ++ while (fgets(buf, sizeof(buf), maps)) { ++ ksft_print_msg("%s", buf); ++ } ++ fclose(maps); + ++ /* Walk the program headers. */ + ret = dl_iterate_phdr(ExtractStatistics, &extracted); + if (ret != 1) + ksft_exit_fail_msg("FAILED: dl_iterate_phdr\n"); + +- if (extracted.alignment == 0) +- ksft_exit_fail_msg("FAILED: No alignment found\n"); +- else if (extracted.alignment & (extracted.alignment - 1)) +- ksft_exit_fail_msg("FAILED: Alignment is not a power of 2\n"); ++ /* Report our findings. */ ++ ksft_print_msg("load_address=%#llx alignment=%#llx\n", ++ extracted.load_address, extracted.alignment); ++ ++ /* If we're named with ".static." we expect no INTERP. */ ++ interp_needed = strstr(argv[0], ".static.") == NULL; ++ ++ /* Were we built as expected? */ ++ ksft_test_result(interp_needed == extracted.interp, ++ "%s INTERP program header %s\n", ++ interp_needed ? "Wanted" : "Unwanted", ++ extracted.interp ? "seen" : "missing"); ++ ++ /* Did we find an alignment? */ ++ ksft_test_result(extracted.alignment != 0, ++ "Alignment%s found\n", extracted.alignment ? "" : " NOT"); ++ ++ /* Is the alignment sane? */ ++ pow2 = extracted.alignment & (extracted.alignment - 1); ++ ksft_test_result(pow2 == 0, ++ "Alignment is%s a power of 2: %#llx\n", ++ pow2 == 0 ? "" : " NOT", extracted.alignment); + ++ /* Is the load address aligned? */ + misalign = extracted.load_address & (extracted.alignment - 1); +- if (misalign) +- ksft_exit_fail_msg("FAILED: alignment = %llu, load_address = %llu\n", +- extracted.alignment, extracted.load_address); ++ ksft_test_result(misalign == 0, "Load Address is %saligned (%#llx)\n", ++ misalign ? 
"MIS" : "", misalign); + +- ksft_test_result_pass("Completed\n"); + ksft_finished(); + } +-- +2.39.5 + diff --git a/queue-6.1/selftests-exec-load_address-conform-test-to-tap-form.patch b/queue-6.1/selftests-exec-load_address-conform-test-to-tap-form.patch new file mode 100644 index 0000000000..e3e703acc6 --- /dev/null +++ b/queue-6.1/selftests-exec-load_address-conform-test-to-tap-form.patch @@ -0,0 +1,79 @@ +From 17b2acf4bc6a14386d20e004318d0f6b292a2e13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Mar 2024 20:59:24 +0500 +Subject: selftests/exec: load_address: conform test to TAP format output + +From: Muhammad Usama Anjum + +[ Upstream commit c4095067736b7ed50316a2bc7c9577941e87ad45 ] + +Conform the layout, informational and status messages to TAP. No +functional change is intended other than the layout of output messages. + +Signed-off-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/r/20240304155928.1818928-2-usama.anjum@collabora.com +Signed-off-by: Kees Cook +Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/exec/load_address.c | 34 +++++++++------------ + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/tools/testing/selftests/exec/load_address.c b/tools/testing/selftests/exec/load_address.c +index d487c2f6a6150..17e3207d34ae7 100644 +--- a/tools/testing/selftests/exec/load_address.c ++++ b/tools/testing/selftests/exec/load_address.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include "../kselftest.h" + + struct Statistics { + unsigned long long load_address; +@@ -41,28 +42,23 @@ int main(int argc, char **argv) + unsigned long long misalign; + int ret; + ++ ksft_print_header(); ++ ksft_set_plan(1); ++ + ret = dl_iterate_phdr(ExtractStatistics, &extracted); +- if (ret != 1) { +- fprintf(stderr, "FAILED\n"); +- return 1; +- } ++ if (ret != 1) ++ ksft_exit_fail_msg("FAILED: dl_iterate_phdr\n"); + +- if (extracted.alignment == 0) { +- fprintf(stderr, "No alignment found\n"); +- return 1; +- } else if (extracted.alignment & (extracted.alignment - 1)) { +- fprintf(stderr, "Alignment is not a power of 2\n"); +- return 1; +- } ++ if (extracted.alignment == 0) ++ ksft_exit_fail_msg("FAILED: No alignment found\n"); ++ else if (extracted.alignment & (extracted.alignment - 1)) ++ ksft_exit_fail_msg("FAILED: Alignment is not a power of 2\n"); + + misalign = extracted.load_address & (extracted.alignment - 1); +- if (misalign) { +- printf("alignment = %llu, load_address = %llu\n", +- extracted.alignment, extracted.load_address); +- fprintf(stderr, "FAILED\n"); +- return 1; +- } ++ if (misalign) ++ ksft_exit_fail_msg("FAILED: alignment = %llu, load_address = %llu\n", ++ extracted.alignment, extracted.load_address); + +- fprintf(stderr, "PASS\n"); +- return 0; ++ ksft_test_result_pass("Completed\n"); ++ ksft_finished(); + } +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..d2020ca13e --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,39 @@ +binfmt-fix-whitespace-issues.patch +binfmt_elf-support-segments-with-0-filesz-and-misali.patch +binfmt_elf-elf_bss-no-longer-used-by-load_elf_binary.patch +selftests-exec-load_address-conform-test-to-tap-form.patch +binfmt_elf-leave-a-gap-between-.bss-and-brk.patch +selftests-exec-build-both-static-and-non-static-load.patch +binfmt_elf-calculate-total_size-earlier.patch +binfmt_elf-honor-pt_load-alignment-for-static-pie.patch 
+binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch +platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch +tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch +tpm-tis-double-the-timeout-b-to-4s.patch +iio-adc-ad7266-fix-potential-timestamp-alignment-iss.patch +drm-amd-stop-evicting-resources-on-apus-in-suspend.patch +drm-amdgpu-fix-the-runtime-resume-failure-issue.patch +drm-amdgpu-trigger-flr_work-if-reading-pf2vf-data-fa.patch +drm-amd-add-suspend-hibernate-notification-callback-.patch +revert-drm-amd-stop-evicting-resources-on-apus-in-su.patch +iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch +iio-chemical-sps30-use-aligned_s64-for-timestamp.patch +clocksource-i8253-use-raw_spinlock_irqsave-in-clocke.patch +rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch +hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch +hid-uclogic-add-null-check-in-uclogic_input_configur.patch +nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch +spi-loopback-test-do-not-split-1024-byte-hexdumps.patch +net_sched-flush-gso_skb-list-too-during-change.patch +net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch +net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch +net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch +nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch +nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch +alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch +net-mlx5e-disable-macsec-offload-for-uplink-represen.patch +qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch +regulator-max20086-fix-invalid-memory-access.patch +octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch +net-tls-fix-kernel-panic-when-alloc_page-failed.patch +nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch diff --git a/queue-6.1/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch b/queue-6.1/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch new file mode 100644 index 0000000000..01b0591530 --- /dev/null +++ b/queue-6.1/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch @@ -0,0 +1,43 @@ +From 57041fbe149d64e96a162b0f561409589f444498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 13:10:35 +0200 +Subject: spi: loopback-test: Do not split 1024-byte hexdumps + +From: Geert Uytterhoeven + +[ Upstream commit a73fa3690a1f3014d6677e368dce4e70767a6ba2 ] + +spi_test_print_hex_dump() prints buffers holding less than 1024 bytes in +full. Larger buffers are truncated: only the first 512 and the last 512 +bytes are printed, separated by a truncation message. The latter is +confusing in case the buffer holds exactly 1024 bytes, as all data is +printed anyway. + +Fix this by printing buffers holding up to and including 1024 bytes in +full. 
+ +Fixes: 84e0c4e5e2c4ef42 ("spi: add loopback test driver to allow for spi_master regression tests") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/37ee1bc90c6554c9347040adabf04188c8f704aa.1746184171.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-loopback-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c +index dd7de8fa37d04..ab29ae463f677 100644 +--- a/drivers/spi/spi-loopback-test.c ++++ b/drivers/spi/spi-loopback-test.c +@@ -410,7 +410,7 @@ MODULE_LICENSE("GPL"); + static void spi_test_print_hex_dump(char *pre, const void *ptr, size_t len) + { + /* limit the hex_dump */ +- if (len < 1024) { ++ if (len <= 1024) { + print_hex_dump(KERN_INFO, pre, + DUMP_PREFIX_OFFSET, 16, 1, + ptr, len, 0); +-- +2.39.5 + diff --git a/queue-6.1/tpm-tis-double-the-timeout-b-to-4s.patch b/queue-6.1/tpm-tis-double-the-timeout-b-to-4s.patch new file mode 100644 index 0000000000..fe699559c0 --- /dev/null +++ b/queue-6.1/tpm-tis-double-the-timeout-b-to-4s.patch @@ -0,0 +1,76 @@ +From c58ce9336cc357d0c54c5ebb31c2661175a21cd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 10:23:14 +0200 +Subject: tpm: tis: Double the timeout B to 4s + +From: Michal Suchanek + +[ Upstream commit 2f661f71fda1fc0c42b7746ca5b7da529eb6b5be ] + +With some Infineon chips the timeouts in tpm_tis_send_data (both B and +C) can reach up to about 2250 ms. + +Timeout C is retried since +commit de9e33df7762 ("tpm, tpm_tis: Workaround failed command reception on Infineon devices") + +Timeout B still needs to be extended. + +The problem is most commonly encountered with context related operation +such as load context/save context. These are issued directly by the +kernel, and there is no retry logic for them. + +When a filesystem is set up to use the TPM for unlocking the boot fails, +and restarting the userspace service is ineffective. This is likely +because ignoring a load context/save context result puts the real TPM +state and the TPM state expected by the kernel out of sync. 
+ +Chips known to be affected: +tpm_tis IFX1522:00: 2.0 TPM (device-id 0x1D, rev-id 54) +Description: SLB9672 +Firmware Revision: 15.22 + +tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 22) +Firmware Revision: 7.83 + +tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16) +Firmware Revision: 5.63 + +Link: https://lore.kernel.org/linux-integrity/Z5pI07m0Muapyu9w@kitsune.suse.cz/ +Signed-off-by: Michal Suchanek +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_core.h | 2 +- + include/linux/tpm.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h +index be72681ab8ea2..5f29eebef52b8 100644 +--- a/drivers/char/tpm/tpm_tis_core.h ++++ b/drivers/char/tpm/tpm_tis_core.h +@@ -53,7 +53,7 @@ enum tis_int_flags { + enum tis_defaults { + TIS_MEM_LEN = 0x5000, + TIS_SHORT_TIMEOUT = 750, /* ms */ +- TIS_LONG_TIMEOUT = 2000, /* 2 sec */ ++ TIS_LONG_TIMEOUT = 4000, /* 4 secs */ + TIS_TIMEOUT_MIN_ATML = 14700, /* usecs */ + TIS_TIMEOUT_MAX_ATML = 15000, /* usecs */ + }; +diff --git a/include/linux/tpm.h b/include/linux/tpm.h +index dd0784a6e07d9..4a4112bb1d1b8 100644 +--- a/include/linux/tpm.h ++++ b/include/linux/tpm.h +@@ -181,7 +181,7 @@ enum tpm2_const { + + enum tpm2_timeouts { + TPM2_TIMEOUT_A = 750, +- TPM2_TIMEOUT_B = 2000, ++ TPM2_TIMEOUT_B = 4000, + TPM2_TIMEOUT_C = 200, + TPM2_TIMEOUT_D = 30, + TPM2_DURATION_SHORT = 20, +-- +2.39.5 + diff --git a/queue-6.1/tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch b/queue-6.1/tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch new file mode 100644 index 0000000000..36092e55ed --- /dev/null +++ b/queue-6.1/tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch @@ -0,0 +1,153 @@ +From a3402404629658e3cbdf88f469c562455d484f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 12:44:41 +0900 +Subject: tracing: probes: Fix a possible race in trace_probe_log APIs + +From: Masami Hiramatsu (Google) + +[ Upstream commit fd837de3c9cb1a162c69bc1fb1f438467fe7f2f5 ] + +Since the shared trace_probe_log variable can be accessed and +modified via probe event create operation of kprobe_events, +uprobe_events, and dynamic_events, it should be protected. +In the dynamic_events, all operations are serialized by +`dyn_event_ops_mutex`. But kprobe_events and uprobe_events +interfaces are not serialized. + +To solve this issue, introduces dyn_event_create(), which runs +create() operation under the mutex, for kprobe_events and +uprobe_events. This also uses lockdep to check the mutex is +held when using trace_probe_log* APIs. 
+ +Link: https://lore.kernel.org/all/174684868120.551552.3068655787654268804.stgit@devnote2/ + +Reported-by: Paul Cacheux +Closes: https://lore.kernel.org/all/20250510074456.805a16872b591e2971a4d221@kernel.org/ +Fixes: ab105a4fb894 ("tracing: Use tracing error_log with probe events") +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_dynevent.c | 16 +++++++++++++++- + kernel/trace/trace_dynevent.h | 1 + + kernel/trace/trace_kprobe.c | 2 +- + kernel/trace/trace_probe.c | 9 +++++++++ + kernel/trace/trace_uprobe.c | 2 +- + 5 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/trace_dynevent.c b/kernel/trace/trace_dynevent.c +index 4376887e0d8aa..c9b0533407ede 100644 +--- a/kernel/trace/trace_dynevent.c ++++ b/kernel/trace/trace_dynevent.c +@@ -16,7 +16,7 @@ + #include "trace_output.h" /* for trace_event_sem */ + #include "trace_dynevent.h" + +-static DEFINE_MUTEX(dyn_event_ops_mutex); ++DEFINE_MUTEX(dyn_event_ops_mutex); + static LIST_HEAD(dyn_event_ops_list); + + bool trace_event_dyn_try_get_ref(struct trace_event_call *dyn_call) +@@ -125,6 +125,20 @@ int dyn_event_release(const char *raw_command, struct dyn_event_operations *type + return ret; + } + ++/* ++ * Locked version of event creation. The event creation must be protected by ++ * dyn_event_ops_mutex because of protecting trace_probe_log. ++ */ ++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type) ++{ ++ int ret; ++ ++ mutex_lock(&dyn_event_ops_mutex); ++ ret = type->create(raw_command); ++ mutex_unlock(&dyn_event_ops_mutex); ++ return ret; ++} ++ + static int create_dyn_event(const char *raw_command) + { + struct dyn_event_operations *ops; +diff --git a/kernel/trace/trace_dynevent.h b/kernel/trace/trace_dynevent.h +index 936477a111d3e..beee3f8d75444 100644 +--- a/kernel/trace/trace_dynevent.h ++++ b/kernel/trace/trace_dynevent.h +@@ -100,6 +100,7 @@ void *dyn_event_seq_next(struct seq_file *m, void *v, loff_t *pos); + void dyn_event_seq_stop(struct seq_file *m, void *v); + int dyn_events_release_all(struct dyn_event_operations *type); + int dyn_event_release(const char *raw_command, struct dyn_event_operations *type); ++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type); + + /* + * for_each_dyn_event - iterate over the dyn_event list +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 72655d81b37d3..cc155c4117684 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -975,7 +975,7 @@ static int create_or_delete_trace_kprobe(const char *raw_command) + if (raw_command[0] == '-') + return dyn_event_release(raw_command, &trace_kprobe_ops); + +- ret = trace_kprobe_create(raw_command); ++ ret = dyn_event_create(raw_command, &trace_kprobe_ops); + return ret == -ECANCELED ? 
-EINVAL : ret; + } + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index ba48b5e270e1f..3888a59c9dfe9 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -143,9 +143,12 @@ static const struct fetch_type *find_fetch_type(const char *type) + } + + static struct trace_probe_log trace_probe_log; ++extern struct mutex dyn_event_ops_mutex; + + void trace_probe_log_init(const char *subsystem, int argc, const char **argv) + { ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + trace_probe_log.subsystem = subsystem; + trace_probe_log.argc = argc; + trace_probe_log.argv = argv; +@@ -154,11 +157,15 @@ void trace_probe_log_init(const char *subsystem, int argc, const char **argv) + + void trace_probe_log_clear(void) + { ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + memset(&trace_probe_log, 0, sizeof(trace_probe_log)); + } + + void trace_probe_log_set_index(int index) + { ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + trace_probe_log.index = index; + } + +@@ -167,6 +174,8 @@ void __trace_probe_log_err(int offset, int err_type) + char *command, *p; + int i, len = 0, pos = 0; + ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + if (!trace_probe_log.argv) + return; + +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index a6a3ff2a441ed..53ef3cb65098d 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -732,7 +732,7 @@ static int create_or_delete_trace_uprobe(const char *raw_command) + if (raw_command[0] == '-') + return dyn_event_release(raw_command, &trace_uprobe_ops); + +- ret = trace_uprobe_create(raw_command); ++ ret = dyn_event_create(raw_command, &trace_uprobe_ops); + return ret == -ECANCELED ? -EINVAL : ret; + } + +-- +2.39.5 +
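
The race fixed by the tracing patch above follows a common shape: a shared, unlocked scratch structure (trace_probe_log) is written from several entry points, and the fix funnels every creator through one wrapper that holds a single mutex, with lockdep_assert_held() checks in the low-level helpers. The following is a rough userspace analogue of that pattern, assuming pthreads; the names (event_log, event_create, log_set_index) are illustrative and are not the kernel's API.

/* Minimal sketch of the dyn_event_create() serialization pattern:
 * every creator takes one mutex before touching the shared parse log,
 * and the log helpers assert that the mutex is really held.
 */
#include <assert.h>
#include <pthread.h>
#include <stdio.h>

static pthread_mutex_t event_ops_mutex = PTHREAD_MUTEX_INITIALIZER;
static int event_ops_mutex_held;	/* written only while the mutex is owned */

/* Shared scratch state, analogous to the global trace_probe_log. */
static struct {
	const char *subsystem;
	int argc;
	const char **argv;
	int index;
} event_log;

/* Stand-in for lockdep_assert_held(&dyn_event_ops_mutex). */
static void assert_ops_mutex_held(void)
{
	assert(event_ops_mutex_held);
}

static void log_init(const char *subsystem, int argc, const char **argv)
{
	assert_ops_mutex_held();
	event_log.subsystem = subsystem;
	event_log.argc = argc;
	event_log.argv = argv;
	event_log.index = 0;
}

static void log_set_index(int index)
{
	assert_ops_mutex_held();
	event_log.index = index;
}

/* Unlocked worker: may only be reached through event_create(). */
static int parse_event(int argc, const char **argv)
{
	log_init("demo", argc, argv);
	log_set_index(argc - 1);
	printf("parsed %s (last arg index %d)\n", argv[0], event_log.index);
	return 0;
}

/* Locked wrapper, mirroring dyn_event_create(): one mutex serializes
 * every writer that touches the shared log.
 */
static int event_create(int argc, const char **argv)
{
	int ret;

	pthread_mutex_lock(&event_ops_mutex);
	event_ops_mutex_held = 1;
	ret = parse_event(argc, argv);
	event_ops_mutex_held = 0;
	pthread_mutex_unlock(&event_ops_mutex);
	return ret;
}

int main(void)
{
	const char *argv[] = { "p:myprobe", "do_sys_open" };

	return event_create(2, argv);
}

With this shape, a second writer entering event_create() from another thread blocks until the first has finished parsing, so the shared log is never interleaved; that is the property dyn_event_create() restores for the kprobe_events and uprobe_events interfaces.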