From: Greg Kroah-Hartman Date: Mon, 29 Jul 2024 07:57:35 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v6.1.103~96 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=77b36df7e1ebdd7d25f89b5fedb1cd4950408a76;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: af_packet-handle-outgoing-vlan-packets-without-hardware-offloading.patch ata-libata-scsi-do-not-overwrite-valid-sense-data-when-ck_cond-1.patch ata-libata-scsi-fix-offsets-for-the-fixed-format-sense-data.patch ata-libata-scsi-honor-the-d_sense-bit-for-ck_cond-1-and-no-error.patch btrfs-fix-extent-map-use-after-free-when-adding-pages-to-compressed-bio.patch char-tpm-fix-possible-memory-leak-in-tpm_bios_measurements_open.patch drm-gma500-fix-null-pointer-dereference-in-cdv_intel_lvds_get_modes.patch drm-gma500-fix-null-pointer-dereference-in-psb_intel_lvds_get_modes.patch drm-xe-use-write-back-caching-mode-for-system-memory-on-dgfx.patch dt-bindings-thermal-correct-thermal-zone-node-name-limit.patch exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch ext2-verify-bitmap-and-itable-block-numbers-before-using-them.patch fuse-verify-g-u-id-mount-options-correctly.patch hfs-fix-to-initialize-fields-of-hfs_inode_info-after-hfs_alloc_inode.patch io_uring-io-wq-limit-retrying-worker-initialisation.patch ipv4-fix-source-address-selection-with-route-leak.patch ipv6-fix-source-address-selection-with-route-leak.patch ipv6-take-care-of-scope-when-choosing-the-src-addr.patch kernel-rerun-task_work-while-freezing-in-get_signal.patch lsm-fixup-the-inode-xattr-capability-handling.patch md-raid5-fix-spares-errors-about-rcu-usage.patch media-i2c-kconfig-fix-missing-firmware-upload-config-select.patch media-stm32-dcmipp-correct-error-handling-in-dcmipp_create_subdevs.patch media-venus-fix-use-after-free-in-vdec_close.patch net-netconsole-disable-target-before-netpoll-cleanup.patch nfsd-support-write-delegations-in-layoutget.patch null_blk-fix-description-of-the-fua-parameter.patch revert-firewire-annotate-struct-fw_iso_packet-with-__counted_by.patch sched-fair-set_load_weight-must-also-call-reweight_task-for-sched_idle-tasks.patch selftests-nolibc-fix-printf-format-mismatch-in-expect_str_buf_eq.patch sysctl-always-initialize-i_uid-i_gid.patch thermal-drivers-broadcom-fix-race-between-removal-and-clock-disable.patch tick-broadcast-make-takeover-of-broadcast-hrtimer-reliable.patch tpm_tis_spi-add-missing-attpm20p-spi-device-id-entry.patch wifi-mac80211-chanctx-emulation-set-change_channel-when-in_reconfig.patch workqueue-always-queue-work-items-to-the-newest-pwq-for-order-workqueues.patch --- diff --git a/queue-6.10/af_packet-handle-outgoing-vlan-packets-without-hardware-offloading.patch b/queue-6.10/af_packet-handle-outgoing-vlan-packets-without-hardware-offloading.patch new file mode 100644 index 00000000000..a82d2ad9d02 --- /dev/null +++ b/queue-6.10/af_packet-handle-outgoing-vlan-packets-without-hardware-offloading.patch @@ -0,0 +1,173 @@ +From 79eecf631c14e7f4057186570ac20e2cfac3802e Mon Sep 17 00:00:00 2001 +From: Chengen Du +Date: Sat, 13 Jul 2024 19:47:35 +0800 +Subject: af_packet: Handle outgoing VLAN packets without hardware offloading + +From: Chengen Du + +commit 79eecf631c14e7f4057186570ac20e2cfac3802e upstream. + +The issue initially stems from libpcap. The ethertype will be overwritten +as the VLAN TPID if the network interface lacks hardware VLAN offloading. +In the outbound packet path, if hardware VLAN offloading is unavailable, +the VLAN tag is inserted into the payload but then cleared from the sk_buff +struct. Consequently, this can lead to a false negative when checking for +the presence of a VLAN tag, causing the packet sniffing outcome to lack +VLAN tag information (i.e., TCI-TPID). As a result, the packet capturing +tool may be unable to parse packets as expected. + +The TCI-TPID is missing because the prb_fill_vlan_info() function does not +modify the tp_vlan_tci/tp_vlan_tpid values, as the information is in the +payload and not in the sk_buff struct. The skb_vlan_tag_present() function +only checks vlan_all in the sk_buff struct. In cooked mode, the L2 header +is stripped, preventing the packet capturing tool from determining the +correct TCI-TPID value. Additionally, the protocol in SLL is incorrect, +which means the packet capturing tool cannot parse the L3 header correctly. + +Link: https://github.com/the-tcpdump-group/libpcap/issues/1105 +Link: https://lore.kernel.org/netdev/20240520070348.26725-1-chengen.du@canonical.com/T/#u +Fixes: 393e52e33c6c ("packet: deliver VLAN TCI to userspace") +Cc: stable@vger.kernel.org +Signed-off-by: Chengen Du +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20240713114735.62360-1-chengen.du@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 84 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -538,6 +538,61 @@ static void *packet_current_frame(struct + return packet_lookup_frame(po, rb, rb->head, status); + } + ++static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) ++{ ++ u8 *skb_orig_data = skb->data; ++ int skb_orig_len = skb->len; ++ struct vlan_hdr vhdr, *vh; ++ unsigned int header_len; ++ ++ if (!dev) ++ return 0; ++ ++ /* In the SOCK_DGRAM scenario, skb data starts at the network ++ * protocol, which is after the VLAN headers. The outer VLAN ++ * header is at the hard_header_len offset in non-variable ++ * length link layer headers. If it's a VLAN device, the ++ * min_header_len should be used to exclude the VLAN header ++ * size. ++ */ ++ if (dev->min_header_len == dev->hard_header_len) ++ header_len = dev->hard_header_len; ++ else if (is_vlan_dev(dev)) ++ header_len = dev->min_header_len; ++ else ++ return 0; ++ ++ skb_push(skb, skb->data - skb_mac_header(skb)); ++ vh = skb_header_pointer(skb, header_len, sizeof(vhdr), &vhdr); ++ if (skb_orig_data != skb->data) { ++ skb->data = skb_orig_data; ++ skb->len = skb_orig_len; ++ } ++ if (unlikely(!vh)) ++ return 0; ++ ++ return ntohs(vh->h_vlan_TCI); ++} ++ ++static __be16 vlan_get_protocol_dgram(struct sk_buff *skb) ++{ ++ __be16 proto = skb->protocol; ++ ++ if (unlikely(eth_type_vlan(proto))) { ++ u8 *skb_orig_data = skb->data; ++ int skb_orig_len = skb->len; ++ ++ skb_push(skb, skb->data - skb_mac_header(skb)); ++ proto = __vlan_get_protocol(skb, proto, NULL); ++ if (skb_orig_data != skb->data) { ++ skb->data = skb_orig_data; ++ skb->len = skb_orig_len; ++ } ++ } ++ ++ return proto; ++} ++ + static void prb_del_retire_blk_timer(struct tpacket_kbdq_core *pkc) + { + del_timer_sync(&pkc->retire_blk_timer); +@@ -1007,10 +1062,16 @@ static void prb_clear_rxhash(struct tpac + static void prb_fill_vlan_info(struct tpacket_kbdq_core *pkc, + struct tpacket3_hdr *ppd) + { ++ struct packet_sock *po = container_of(pkc, struct packet_sock, rx_ring.prb_bdqc); ++ + if (skb_vlan_tag_present(pkc->skb)) { + ppd->hv1.tp_vlan_tci = skb_vlan_tag_get(pkc->skb); + ppd->hv1.tp_vlan_tpid = ntohs(pkc->skb->vlan_proto); + ppd->tp_status = TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; ++ } else if (unlikely(po->sk.sk_type == SOCK_DGRAM && eth_type_vlan(pkc->skb->protocol))) { ++ ppd->hv1.tp_vlan_tci = vlan_get_tci(pkc->skb, pkc->skb->dev); ++ ppd->hv1.tp_vlan_tpid = ntohs(pkc->skb->protocol); ++ ppd->tp_status = TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; + } else { + ppd->hv1.tp_vlan_tci = 0; + ppd->hv1.tp_vlan_tpid = 0; +@@ -2428,6 +2489,10 @@ static int tpacket_rcv(struct sk_buff *s + h.h2->tp_vlan_tci = skb_vlan_tag_get(skb); + h.h2->tp_vlan_tpid = ntohs(skb->vlan_proto); + status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; ++ } else if (unlikely(sk->sk_type == SOCK_DGRAM && eth_type_vlan(skb->protocol))) { ++ h.h2->tp_vlan_tci = vlan_get_tci(skb, skb->dev); ++ h.h2->tp_vlan_tpid = ntohs(skb->protocol); ++ status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; + } else { + h.h2->tp_vlan_tci = 0; + h.h2->tp_vlan_tpid = 0; +@@ -2457,7 +2522,8 @@ static int tpacket_rcv(struct sk_buff *s + sll->sll_halen = dev_parse_header(skb, sll->sll_addr); + sll->sll_family = AF_PACKET; + sll->sll_hatype = dev->type; +- sll->sll_protocol = skb->protocol; ++ sll->sll_protocol = (sk->sk_type == SOCK_DGRAM) ? ++ vlan_get_protocol_dgram(skb) : skb->protocol; + sll->sll_pkttype = skb->pkt_type; + if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV))) + sll->sll_ifindex = orig_dev->ifindex; +@@ -3482,7 +3548,8 @@ static int packet_recvmsg(struct socket + /* Original length was stored in sockaddr_ll fields */ + origlen = PACKET_SKB_CB(skb)->sa.origlen; + sll->sll_family = AF_PACKET; +- sll->sll_protocol = skb->protocol; ++ sll->sll_protocol = (sock->type == SOCK_DGRAM) ? ++ vlan_get_protocol_dgram(skb) : skb->protocol; + } + + sock_recv_cmsgs(msg, sk, skb); +@@ -3539,6 +3606,21 @@ static int packet_recvmsg(struct socket + aux.tp_vlan_tci = skb_vlan_tag_get(skb); + aux.tp_vlan_tpid = ntohs(skb->vlan_proto); + aux.tp_status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; ++ } else if (unlikely(sock->type == SOCK_DGRAM && eth_type_vlan(skb->protocol))) { ++ struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; ++ struct net_device *dev; ++ ++ rcu_read_lock(); ++ dev = dev_get_by_index_rcu(sock_net(sk), sll->sll_ifindex); ++ if (dev) { ++ aux.tp_vlan_tci = vlan_get_tci(skb, dev); ++ aux.tp_vlan_tpid = ntohs(skb->protocol); ++ aux.tp_status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; ++ } else { ++ aux.tp_vlan_tci = 0; ++ aux.tp_vlan_tpid = 0; ++ } ++ rcu_read_unlock(); + } else { + aux.tp_vlan_tci = 0; + aux.tp_vlan_tpid = 0; diff --git a/queue-6.10/ata-libata-scsi-do-not-overwrite-valid-sense-data-when-ck_cond-1.patch b/queue-6.10/ata-libata-scsi-do-not-overwrite-valid-sense-data-when-ck_cond-1.patch new file mode 100644 index 00000000000..1b3e39efe17 --- /dev/null +++ b/queue-6.10/ata-libata-scsi-do-not-overwrite-valid-sense-data-when-ck_cond-1.patch @@ -0,0 +1,262 @@ +From 97981926224afe17ba3e22e0c2b7dd8b516ee574 Mon Sep 17 00:00:00 2001 +From: Igor Pylypiv +Date: Tue, 2 Jul 2024 02:47:30 +0000 +Subject: ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1 + +From: Igor Pylypiv + +commit 97981926224afe17ba3e22e0c2b7dd8b516ee574 upstream. + +Current ata_gen_passthru_sense() code performs two actions: +1. Generates sense data based on the ATA 'status' and ATA 'error' fields. +2. Populates "ATA Status Return sense data descriptor" / "Fixed format + sense data" with ATA taskfile fields. + +The problem is that #1 generates sense data even when a valid sense data +is already present (ATA_QCFLAG_SENSE_VALID is set). Factoring out #2 into +a separate function allows us to generate sense data only when there is +no valid sense data (ATA_QCFLAG_SENSE_VALID is not set). + +As a bonus, we can now delete a FIXME comment in atapi_qc_complete() +which states that we don't want to translate taskfile registers into +sense descriptors for ATAPI. + +Additionally, always set SAM_STAT_CHECK_CONDITION when CK_COND=1 because +SAT specification mandates that SATL shall return CHECK CONDITION if +the CK_COND bit is set. + +The ATA PASS-THROUGH handling logic in ata_scsi_qc_complete() is hard +to read/understand. Improve the readability of the code by moving checks +into self-explanatory boolean variables. + +Cc: stable@vger.kernel.org # 4.19+ +Co-developed-by: Niklas Cassel +Reviewed-by: Hannes Reinecke +Reviewed-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Signed-off-by: Igor Pylypiv +Link: https://lore.kernel.org/r/20240702024735.1152293-3-ipylypiv@google.com +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 169 +++++++++++++++++++++++++--------------------- + 1 file changed, 92 insertions(+), 77 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -230,6 +230,80 @@ void ata_scsi_set_sense_information(stru + SCSI_SENSE_BUFFERSIZE, information); + } + ++/** ++ * ata_scsi_set_passthru_sense_fields - Set ATA fields in sense buffer ++ * @qc: ATA PASS-THROUGH command. ++ * ++ * Populates "ATA Status Return sense data descriptor" / "Fixed format ++ * sense data" with ATA taskfile fields. ++ * ++ * LOCKING: ++ * None. ++ */ ++static void ata_scsi_set_passthru_sense_fields(struct ata_queued_cmd *qc) ++{ ++ struct scsi_cmnd *cmd = qc->scsicmd; ++ struct ata_taskfile *tf = &qc->result_tf; ++ unsigned char *sb = cmd->sense_buffer; ++ ++ if ((sb[0] & 0x7f) >= 0x72) { ++ unsigned char *desc; ++ u8 len; ++ ++ /* descriptor format */ ++ len = sb[7]; ++ desc = (char *)scsi_sense_desc_find(sb, len + 8, 9); ++ if (!desc) { ++ if (SCSI_SENSE_BUFFERSIZE < len + 14) ++ return; ++ sb[7] = len + 14; ++ desc = sb + 8 + len; ++ } ++ desc[0] = 9; ++ desc[1] = 12; ++ /* ++ * Copy registers into sense buffer. ++ */ ++ desc[2] = 0x00; ++ desc[3] = tf->error; ++ desc[5] = tf->nsect; ++ desc[7] = tf->lbal; ++ desc[9] = tf->lbam; ++ desc[11] = tf->lbah; ++ desc[12] = tf->device; ++ desc[13] = tf->status; ++ ++ /* ++ * Fill in Extend bit, and the high order bytes ++ * if applicable. ++ */ ++ if (tf->flags & ATA_TFLAG_LBA48) { ++ desc[2] |= 0x01; ++ desc[4] = tf->hob_nsect; ++ desc[6] = tf->hob_lbal; ++ desc[8] = tf->hob_lbam; ++ desc[10] = tf->hob_lbah; ++ } ++ } else { ++ /* Fixed sense format */ ++ sb[0] |= 0x80; ++ sb[3] = tf->error; ++ sb[4] = tf->status; ++ sb[5] = tf->device; ++ sb[6] = tf->nsect; ++ if (tf->flags & ATA_TFLAG_LBA48) { ++ sb[8] |= 0x80; ++ if (tf->hob_nsect) ++ sb[8] |= 0x40; ++ if (tf->hob_lbal || tf->hob_lbam || tf->hob_lbah) ++ sb[8] |= 0x20; ++ } ++ sb[9] = tf->lbal; ++ sb[10] = tf->lbam; ++ sb[11] = tf->lbah; ++ } ++} ++ + static void ata_scsi_set_invalid_field(struct ata_device *dev, + struct scsi_cmnd *cmd, u16 field, u8 bit) + { +@@ -837,10 +911,8 @@ static void ata_to_sense_error(unsigned + * ata_gen_passthru_sense - Generate check condition sense block. + * @qc: Command that completed. + * +- * This function is specific to the ATA descriptor format sense +- * block specified for the ATA pass through commands. Regardless +- * of whether the command errored or not, return a sense +- * block. Copy all controller registers into the sense ++ * This function is specific to the ATA pass through commands. ++ * Regardless of whether the command errored or not, return a sense + * block. If there was no error, we get the request from an ATA + * passthrough command, so we use the following sense data: + * sk = RECOVERED ERROR +@@ -875,63 +947,6 @@ static void ata_gen_passthru_sense(struc + */ + scsi_build_sense(cmd, 1, RECOVERED_ERROR, 0, 0x1D); + } +- +- if ((sb[0] & 0x7f) >= 0x72) { +- unsigned char *desc; +- u8 len; +- +- /* descriptor format */ +- len = sb[7]; +- desc = (char *)scsi_sense_desc_find(sb, len + 8, 9); +- if (!desc) { +- if (SCSI_SENSE_BUFFERSIZE < len + 14) +- return; +- sb[7] = len + 14; +- desc = sb + 8 + len; +- } +- desc[0] = 9; +- desc[1] = 12; +- /* +- * Copy registers into sense buffer. +- */ +- desc[2] = 0x00; +- desc[3] = tf->error; +- desc[5] = tf->nsect; +- desc[7] = tf->lbal; +- desc[9] = tf->lbam; +- desc[11] = tf->lbah; +- desc[12] = tf->device; +- desc[13] = tf->status; +- +- /* +- * Fill in Extend bit, and the high order bytes +- * if applicable. +- */ +- if (tf->flags & ATA_TFLAG_LBA48) { +- desc[2] |= 0x01; +- desc[4] = tf->hob_nsect; +- desc[6] = tf->hob_lbal; +- desc[8] = tf->hob_lbam; +- desc[10] = tf->hob_lbah; +- } +- } else { +- /* Fixed sense format */ +- sb[0] |= 0x80; +- sb[3] = tf->error; +- sb[4] = tf->status; +- sb[5] = tf->device; +- sb[6] = tf->nsect; +- if (tf->flags & ATA_TFLAG_LBA48) { +- sb[8] |= 0x80; +- if (tf->hob_nsect) +- sb[8] |= 0x40; +- if (tf->hob_lbal || tf->hob_lbam || tf->hob_lbah) +- sb[8] |= 0x20; +- } +- sb[9] = tf->lbal; +- sb[10] = tf->lbam; +- sb[11] = tf->lbah; +- } + } + + /** +@@ -1632,26 +1647,32 @@ static void ata_scsi_qc_complete(struct + { + struct scsi_cmnd *cmd = qc->scsicmd; + u8 *cdb = cmd->cmnd; +- int need_sense = (qc->err_mask != 0) && +- !(qc->flags & ATA_QCFLAG_SENSE_VALID); ++ bool have_sense = qc->flags & ATA_QCFLAG_SENSE_VALID; ++ bool is_ata_passthru = cdb[0] == ATA_16 || cdb[0] == ATA_12; ++ bool is_ck_cond_request = cdb[2] & 0x20; ++ bool is_error = qc->err_mask != 0; + + /* For ATA pass thru (SAT) commands, generate a sense block if + * user mandated it or if there's an error. Note that if we +- * generate because the user forced us to [CK_COND =1], a check ++ * generate because the user forced us to [CK_COND=1], a check + * condition is generated and the ATA register values are returned + * whether the command completed successfully or not. If there +- * was no error, we use the following sense data: ++ * was no error, and CK_COND=1, we use the following sense data: + * sk = RECOVERED ERROR + * asc,ascq = ATA PASS-THROUGH INFORMATION AVAILABLE + */ +- if (((cdb[0] == ATA_16) || (cdb[0] == ATA_12)) && +- ((cdb[2] & 0x20) || need_sense)) +- ata_gen_passthru_sense(qc); +- else if (need_sense) ++ if (is_ata_passthru && (is_ck_cond_request || is_error || have_sense)) { ++ if (!have_sense) ++ ata_gen_passthru_sense(qc); ++ ata_scsi_set_passthru_sense_fields(qc); ++ if (is_ck_cond_request) ++ set_status_byte(qc->scsicmd, SAM_STAT_CHECK_CONDITION); ++ } else if (is_error && !have_sense) { + ata_gen_ata_sense(qc); +- else ++ } else { + /* Keep the SCSI ML and status byte, clear host byte. */ + cmd->result &= 0x0000ffff; ++ } + + ata_qc_done(qc); + } +@@ -2590,14 +2611,8 @@ static void atapi_qc_complete(struct ata + /* handle completion from EH */ + if (unlikely(err_mask || qc->flags & ATA_QCFLAG_SENSE_VALID)) { + +- if (!(qc->flags & ATA_QCFLAG_SENSE_VALID)) { +- /* FIXME: not quite right; we don't want the +- * translation of taskfile registers into a +- * sense descriptors, since that's only +- * correct for ATA, not ATAPI +- */ ++ if (!(qc->flags & ATA_QCFLAG_SENSE_VALID)) + ata_gen_passthru_sense(qc); +- } + + /* SCSI EH automatically locks door if sdev->locked is + * set. Sometimes door lock request continues to diff --git a/queue-6.10/ata-libata-scsi-fix-offsets-for-the-fixed-format-sense-data.patch b/queue-6.10/ata-libata-scsi-fix-offsets-for-the-fixed-format-sense-data.patch new file mode 100644 index 00000000000..707a45566ee --- /dev/null +++ b/queue-6.10/ata-libata-scsi-fix-offsets-for-the-fixed-format-sense-data.patch @@ -0,0 +1,141 @@ +From 38dab832c3f4154968f95b267a3bb789e87554b0 Mon Sep 17 00:00:00 2001 +From: Igor Pylypiv +Date: Tue, 2 Jul 2024 02:47:29 +0000 +Subject: ata: libata-scsi: Fix offsets for the fixed format sense data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Igor Pylypiv + +commit 38dab832c3f4154968f95b267a3bb789e87554b0 upstream. + +Correct the ATA PASS-THROUGH fixed format sense data offsets to conform +to SPC-6 and SAT-5 specifications. Additionally, set the VALID bit to +indicate that the INFORMATION field contains valid information. + +INFORMATION +=========== + +SAT-5 Table 212 — "Fixed format sense data INFORMATION field for the ATA +PASS-THROUGH commands" defines the following format: + ++------+------------+ +| Byte | Field | ++------+------------+ +| 0 | ERROR | +| 1 | STATUS | +| 2 | DEVICE | +| 3 | COUNT(7:0) | ++------+------------+ + +SPC-6 Table 48 - "Fixed format sense data" specifies that the INFORMATION +field starts at byte 3 in sense buffer resulting in the following offsets +for the ATA PASS-THROUGH commands: + ++------------+-------------------------+ +| Field | Offset in sense buffer | ++------------+-------------------------+ +| ERROR | 3 | +| STATUS | 4 | +| DEVICE | 5 | +| COUNT(7:0) | 6 | ++------------+-------------------------+ + +COMMAND-SPECIFIC INFORMATION +============================ + +SAT-5 Table 213 - "Fixed format sense data COMMAND-SPECIFIC INFORMATION +field for ATA PASS-THROUGH" defines the following format: + ++------+-------------------+ +| Byte | Field | ++------+-------------------+ +| 0 | FLAGS | LOG INDEX | +| 1 | LBA (7:0) | +| 2 | LBA (15:8) | +| 3 | LBA (23:16) | ++------+-------------------+ + +SPC-6 Table 48 - "Fixed format sense data" specifies that +the COMMAND-SPECIFIC-INFORMATION field starts at byte 8 +in sense buffer resulting in the following offsets for +the ATA PASS-THROUGH commands: + +Offsets of these fields in the fixed sense format are as follows: + ++-------------------+-------------------------+ +| Field | Offset in sense buffer | ++-------------------+-------------------------+ +| FLAGS | LOG INDEX | 8 | +| LBA (7:0) | 9 | +| LBA (15:8) | 10 | +| LBA (23:16) | 11 | ++-------------------+-------------------------+ + +Reported-by: Akshat Jain +Fixes: 11093cb1ef56 ("libata-scsi: generate correct ATA pass-through sense") +Cc: stable@vger.kernel.org +Reviewed-by: Hannes Reinecke +Reviewed-by: Niklas Cassel +Signed-off-by: Igor Pylypiv +Link: https://lore.kernel.org/r/20240702024735.1152293-2-ipylypiv@google.com +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -855,7 +855,6 @@ static void ata_gen_passthru_sense(struc + struct scsi_cmnd *cmd = qc->scsicmd; + struct ata_taskfile *tf = &qc->result_tf; + unsigned char *sb = cmd->sense_buffer; +- unsigned char *desc = sb + 8; + u8 sense_key, asc, ascq; + + memset(sb, 0, SCSI_SENSE_BUFFERSIZE); +@@ -877,7 +876,8 @@ static void ata_gen_passthru_sense(struc + scsi_build_sense(cmd, 1, RECOVERED_ERROR, 0, 0x1D); + } + +- if ((cmd->sense_buffer[0] & 0x7f) >= 0x72) { ++ if ((sb[0] & 0x7f) >= 0x72) { ++ unsigned char *desc; + u8 len; + + /* descriptor format */ +@@ -916,21 +916,21 @@ static void ata_gen_passthru_sense(struc + } + } else { + /* Fixed sense format */ +- desc[0] = tf->error; +- desc[1] = tf->status; +- desc[2] = tf->device; +- desc[3] = tf->nsect; +- desc[7] = 0; ++ sb[0] |= 0x80; ++ sb[3] = tf->error; ++ sb[4] = tf->status; ++ sb[5] = tf->device; ++ sb[6] = tf->nsect; + if (tf->flags & ATA_TFLAG_LBA48) { +- desc[8] |= 0x80; ++ sb[8] |= 0x80; + if (tf->hob_nsect) +- desc[8] |= 0x40; ++ sb[8] |= 0x40; + if (tf->hob_lbal || tf->hob_lbam || tf->hob_lbah) +- desc[8] |= 0x20; ++ sb[8] |= 0x20; + } +- desc[9] = tf->lbal; +- desc[10] = tf->lbam; +- desc[11] = tf->lbah; ++ sb[9] = tf->lbal; ++ sb[10] = tf->lbam; ++ sb[11] = tf->lbah; + } + } + diff --git a/queue-6.10/ata-libata-scsi-honor-the-d_sense-bit-for-ck_cond-1-and-no-error.patch b/queue-6.10/ata-libata-scsi-honor-the-d_sense-bit-for-ck_cond-1-and-no-error.patch new file mode 100644 index 00000000000..484d52cbb04 --- /dev/null +++ b/queue-6.10/ata-libata-scsi-honor-the-d_sense-bit-for-ck_cond-1-and-no-error.patch @@ -0,0 +1,65 @@ +From 28ab9769117ca944cb6eb537af5599aa436287a4 Mon Sep 17 00:00:00 2001 +From: Igor Pylypiv +Date: Tue, 2 Jul 2024 02:47:31 +0000 +Subject: ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error + +From: Igor Pylypiv + +commit 28ab9769117ca944cb6eb537af5599aa436287a4 upstream. + +SAT-5 revision 8 specification removed the text about the ANSI INCITS +431-2007 compliance which was requiring SCSI/ATA Translation (SAT) to +return descriptor format sense data for the ATA PASS-THROUGH commands +regardless of the setting of the D_SENSE bit. + +Let's honor the D_SENSE bit for ATA PASS-THROUGH commands while +generating the "ATA PASS-THROUGH INFORMATION AVAILABLE" sense data. + +SAT-5 revision 7 +================ + +12.2.2.8 Fixed format sense data + +Table 212 shows the fields returned in the fixed format sense data +(see SPC-5) for ATA PASS-THROUGH commands. SATLs compliant with ANSI +INCITS 431-2007, SCSI/ATA Translation (SAT) return descriptor format +sense data for the ATA PASS-THROUGH commands regardless of the setting +of the D_SENSE bit. + +SAT-5 revision 8 +================ + +12.2.2.8 Fixed format sense data + +Table 211 shows the fields returned in the fixed format sense data +(see SPC-5) for ATA PASS-THROUGH commands. + +Cc: stable@vger.kernel.org # 4.19+ +Reported-by: Niklas Cassel +Closes: https://lore.kernel.org/linux-ide/Zn1WUhmLglM4iais@ryzen.lan +Reviewed-by: Niklas Cassel +Signed-off-by: Igor Pylypiv +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20240702024735.1152293-4-ipylypiv@google.com +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -941,11 +941,8 @@ static void ata_gen_passthru_sense(struc + &sense_key, &asc, &ascq); + ata_scsi_set_sense(qc->dev, cmd, sense_key, asc, ascq); + } else { +- /* +- * ATA PASS-THROUGH INFORMATION AVAILABLE +- * Always in descriptor format sense. +- */ +- scsi_build_sense(cmd, 1, RECOVERED_ERROR, 0, 0x1D); ++ /* ATA PASS-THROUGH INFORMATION AVAILABLE */ ++ ata_scsi_set_sense(qc->dev, cmd, RECOVERED_ERROR, 0, 0x1D); + } + } + diff --git a/queue-6.10/btrfs-fix-extent-map-use-after-free-when-adding-pages-to-compressed-bio.patch b/queue-6.10/btrfs-fix-extent-map-use-after-free-when-adding-pages-to-compressed-bio.patch new file mode 100644 index 00000000000..380521796a9 --- /dev/null +++ b/queue-6.10/btrfs-fix-extent-map-use-after-free-when-adding-pages-to-compressed-bio.patch @@ -0,0 +1,44 @@ +From 8e7860543a94784d744c7ce34b78a2e11beefa5c Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 4 Jul 2024 16:11:20 +0100 +Subject: btrfs: fix extent map use-after-free when adding pages to compressed bio + +From: Filipe Manana + +commit 8e7860543a94784d744c7ce34b78a2e11beefa5c upstream. + +At add_ra_bio_pages() we are accessing the extent map to calculate +'add_size' after we dropped our reference on the extent map, resulting +in a use-after-free. Fix this by computing 'add_size' before dropping our +extent map reference. + +Reported-by: syzbot+853d80cba98ce1157ae6@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/000000000000038144061c6d18f2@google.com/ +Fixes: 6a4049102055 ("btrfs: subpage: make add_ra_bio_pages() compatible") +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/compression.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/compression.c ++++ b/fs/btrfs/compression.c +@@ -514,6 +514,7 @@ static noinline int add_ra_bio_pages(str + put_page(page); + break; + } ++ add_size = min(em->start + em->len, page_end + 1) - cur; + free_extent_map(em); + + if (page->index == end_index) { +@@ -526,7 +527,6 @@ static noinline int add_ra_bio_pages(str + } + } + +- add_size = min(em->start + em->len, page_end + 1) - cur; + ret = bio_add_page(orig_bio, page, add_size, offset_in_page(cur)); + if (ret != add_size) { + unlock_extent(tree, cur, page_end, NULL); diff --git a/queue-6.10/char-tpm-fix-possible-memory-leak-in-tpm_bios_measurements_open.patch b/queue-6.10/char-tpm-fix-possible-memory-leak-in-tpm_bios_measurements_open.patch new file mode 100644 index 00000000000..441ad323784 --- /dev/null +++ b/queue-6.10/char-tpm-fix-possible-memory-leak-in-tpm_bios_measurements_open.patch @@ -0,0 +1,35 @@ +From 5d8e2971e817bb64225fc0b6327a78752f58a9aa Mon Sep 17 00:00:00 2001 +From: Joe Hattori +Date: Thu, 27 Jun 2024 15:31:09 +0900 +Subject: char: tpm: Fix possible memory leak in tpm_bios_measurements_open() + +From: Joe Hattori + +commit 5d8e2971e817bb64225fc0b6327a78752f58a9aa upstream. + +In tpm_bios_measurements_open(), get_device() is called on the device +embedded in struct tpm_chip. In the error path, however, put_device() is +not called. This results in a reference count leak, which prevents the +device from being properly released. This commit makes sure to call +put_device() when the seq_open() call fails. + +Cc: stable@vger.kernel.org # +v4.18 +Fixes: 9b01b5356629 ("tpm: Move shared eventlog functions to common.c") +Signed-off-by: Joe Hattori +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/eventlog/common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/tpm/eventlog/common.c ++++ b/drivers/char/tpm/eventlog/common.c +@@ -47,6 +47,8 @@ static int tpm_bios_measurements_open(st + if (!err) { + seq = file->private_data; + seq->private = chip; ++ } else { ++ put_device(&chip->dev); + } + + return err; diff --git a/queue-6.10/drm-gma500-fix-null-pointer-dereference-in-cdv_intel_lvds_get_modes.patch b/queue-6.10/drm-gma500-fix-null-pointer-dereference-in-cdv_intel_lvds_get_modes.patch new file mode 100644 index 00000000000..780afc8fd5a --- /dev/null +++ b/queue-6.10/drm-gma500-fix-null-pointer-dereference-in-cdv_intel_lvds_get_modes.patch @@ -0,0 +1,35 @@ +From cb520c3f366c77e8d69e4e2e2781a8ce48d98e79 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 9 Jul 2024 19:33:11 +0800 +Subject: drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes + +From: Ma Ke + +commit cb520c3f366c77e8d69e4e2e2781a8ce48d98e79 upstream. + +In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() +is assigned to mode, which will lead to a NULL pointer dereference on +failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Fixes: 6a227d5fd6c4 ("gma500: Add support for Cedarview") +Signed-off-by: Ma Ke +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20240709113311.37168-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c +@@ -311,6 +311,9 @@ static int cdv_intel_lvds_get_modes(stru + if (mode_dev->panel_fixed_mode != NULL) { + struct drm_display_mode *mode = + drm_mode_duplicate(dev, mode_dev->panel_fixed_mode); ++ if (!mode) ++ return 0; ++ + drm_mode_probed_add(connector, mode); + return 1; + } diff --git a/queue-6.10/drm-gma500-fix-null-pointer-dereference-in-psb_intel_lvds_get_modes.patch b/queue-6.10/drm-gma500-fix-null-pointer-dereference-in-psb_intel_lvds_get_modes.patch new file mode 100644 index 00000000000..8d02bd576ef --- /dev/null +++ b/queue-6.10/drm-gma500-fix-null-pointer-dereference-in-psb_intel_lvds_get_modes.patch @@ -0,0 +1,35 @@ +From 2df7aac81070987b0f052985856aa325a38debf6 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 9 Jul 2024 17:20:11 +0800 +Subject: drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes + +From: Ma Ke + +commit 2df7aac81070987b0f052985856aa325a38debf6 upstream. + +In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is +assigned to mode, which will lead to a possible NULL pointer dereference +on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Fixes: 89c78134cc54 ("gma500: Add Poulsbo support") +Signed-off-by: Ma Ke +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20240709092011.3204970-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/gma500/psb_intel_lvds.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c ++++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c +@@ -504,6 +504,9 @@ static int psb_intel_lvds_get_modes(stru + if (mode_dev->panel_fixed_mode != NULL) { + struct drm_display_mode *mode = + drm_mode_duplicate(dev, mode_dev->panel_fixed_mode); ++ if (!mode) ++ return 0; ++ + drm_mode_probed_add(connector, mode); + return 1; + } diff --git a/queue-6.10/drm-xe-use-write-back-caching-mode-for-system-memory-on-dgfx.patch b/queue-6.10/drm-xe-use-write-back-caching-mode-for-system-memory-on-dgfx.patch new file mode 100644 index 00000000000..356c4b2f7cb --- /dev/null +++ b/queue-6.10/drm-xe-use-write-back-caching-mode-for-system-memory-on-dgfx.patch @@ -0,0 +1,156 @@ +From 5207c393d3e7dda9aff813d6b3e2264370d241be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= +Date: Fri, 5 Jul 2024 15:28:28 +0200 +Subject: drm/xe: Use write-back caching mode for system memory on DGFX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Hellström + +commit 5207c393d3e7dda9aff813d6b3e2264370d241be upstream. + +The caching mode for buffer objects with VRAM as a possible +placement was forced to write-combined, regardless of placement. + +However, write-combined system memory is expensive to allocate and +even though it is pooled, the pool is expensive to shrink, since +it involves global CPU TLB flushes. + +Moreover write-combined system memory from TTM is only reliably +available on x86 and DGFX doesn't have an x86 restriction. + +So regardless of the cpu caching mode selected for a bo, +internally use write-back caching mode for system memory on DGFX. + +Coherency is maintained, but user-space clients may perceive a +difference in cpu access speeds. + +v2: +- Update RB- and Ack tags. +- Rephrase wording in xe_drm.h (Matt Roper) +v3: +- Really rephrase wording. + +Signed-off-by: Thomas Hellström +Fixes: 622f709ca629 ("drm/xe/uapi: Add support for CPU caching mode") +Cc: Pallavi Mishra +Cc: Matthew Auld +Cc: dri-devel@lists.freedesktop.org +Cc: Joonas Lahtinen +Cc: Effie Yu +Cc: Matthew Brost +Cc: Maarten Lankhorst +Cc: Jose Souza +Cc: Michal Mrozek +Cc: # v6.8+ +Acked-by: Matthew Auld +Acked-by: José Roberto de Souza +Reviewed-by: Rodrigo Vivi +Fixes: 622f709ca629 ("drm/xe/uapi: Add support for CPU caching mode") +Acked-by: Michal Mrozek +Acked-by: Effie Yu #On chat +Link: https://patchwork.freedesktop.org/patch/msgid/20240705132828.27714-1-thomas.hellstrom@linux.intel.com +(cherry picked from commit 01e0cfc994be484ddcb9e121e353e51d8bb837c0) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_bo.c | 47 +++++++++++++++++++++++---------------- + drivers/gpu/drm/xe/xe_bo_types.h | 3 +- + include/uapi/drm/xe_drm.h | 8 +++++- + 3 files changed, 37 insertions(+), 21 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_bo.c ++++ b/drivers/gpu/drm/xe/xe_bo.c +@@ -317,7 +317,7 @@ static struct ttm_tt *xe_ttm_tt_create(s + struct xe_device *xe = xe_bo_device(bo); + struct xe_ttm_tt *tt; + unsigned long extra_pages; +- enum ttm_caching caching; ++ enum ttm_caching caching = ttm_cached; + int err; + + tt = kzalloc(sizeof(*tt), GFP_KERNEL); +@@ -331,26 +331,35 @@ static struct ttm_tt *xe_ttm_tt_create(s + extra_pages = DIV_ROUND_UP(xe_device_ccs_bytes(xe, bo->size), + PAGE_SIZE); + +- switch (bo->cpu_caching) { +- case DRM_XE_GEM_CPU_CACHING_WC: +- caching = ttm_write_combined; +- break; +- default: +- caching = ttm_cached; +- break; +- } +- +- WARN_ON((bo->flags & XE_BO_FLAG_USER) && !bo->cpu_caching); +- + /* +- * Display scanout is always non-coherent with the CPU cache. +- * +- * For Xe_LPG and beyond, PPGTT PTE lookups are also non-coherent and +- * require a CPU:WC mapping. ++ * DGFX system memory is always WB / ttm_cached, since ++ * other caching modes are only supported on x86. DGFX ++ * GPU system memory accesses are always coherent with the ++ * CPU. + */ +- if ((!bo->cpu_caching && bo->flags & XE_BO_FLAG_SCANOUT) || +- (xe->info.graphics_verx100 >= 1270 && bo->flags & XE_BO_FLAG_PAGETABLE)) +- caching = ttm_write_combined; ++ if (!IS_DGFX(xe)) { ++ switch (bo->cpu_caching) { ++ case DRM_XE_GEM_CPU_CACHING_WC: ++ caching = ttm_write_combined; ++ break; ++ default: ++ caching = ttm_cached; ++ break; ++ } ++ ++ WARN_ON((bo->flags & XE_BO_FLAG_USER) && !bo->cpu_caching); ++ ++ /* ++ * Display scanout is always non-coherent with the CPU cache. ++ * ++ * For Xe_LPG and beyond, PPGTT PTE lookups are also ++ * non-coherent and require a CPU:WC mapping. ++ */ ++ if ((!bo->cpu_caching && bo->flags & XE_BO_FLAG_SCANOUT) || ++ (xe->info.graphics_verx100 >= 1270 && ++ bo->flags & XE_BO_FLAG_PAGETABLE)) ++ caching = ttm_write_combined; ++ } + + err = ttm_tt_init(&tt->ttm, &bo->ttm, page_flags, caching, extra_pages); + if (err) { +--- a/drivers/gpu/drm/xe/xe_bo_types.h ++++ b/drivers/gpu/drm/xe/xe_bo_types.h +@@ -66,7 +66,8 @@ struct xe_bo { + + /** + * @cpu_caching: CPU caching mode. Currently only used for userspace +- * objects. ++ * objects. Exceptions are system memory on DGFX, which is always ++ * WB. + */ + u16 cpu_caching; + +--- a/include/uapi/drm/xe_drm.h ++++ b/include/uapi/drm/xe_drm.h +@@ -776,7 +776,13 @@ struct drm_xe_gem_create { + #define DRM_XE_GEM_CPU_CACHING_WC 2 + /** + * @cpu_caching: The CPU caching mode to select for this object. If +- * mmaping the object the mode selected here will also be used. ++ * mmaping the object the mode selected here will also be used. The ++ * exception is when mapping system memory (including data evicted ++ * to system) on discrete GPUs. The caching mode selected will ++ * then be overridden to DRM_XE_GEM_CPU_CACHING_WB, and coherency ++ * between GPU- and CPU is guaranteed. The caching mode of ++ * existing CPU-mappings will be updated transparently to ++ * user-space clients. + */ + __u16 cpu_caching; + /** @pad: MBZ */ diff --git a/queue-6.10/dt-bindings-thermal-correct-thermal-zone-node-name-limit.patch b/queue-6.10/dt-bindings-thermal-correct-thermal-zone-node-name-limit.patch new file mode 100644 index 00000000000..3981106cdbd --- /dev/null +++ b/queue-6.10/dt-bindings-thermal-correct-thermal-zone-node-name-limit.patch @@ -0,0 +1,41 @@ +From 97e32381d0fc6c2602a767b0c46e15eb2b75971d Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 2 Jul 2024 16:52:48 +0200 +Subject: dt-bindings: thermal: correct thermal zone node name limit + +From: Krzysztof Kozlowski + +commit 97e32381d0fc6c2602a767b0c46e15eb2b75971d upstream. + +Linux kernel uses thermal zone node name during registering thermal +zones and has a hard-coded limit of 20 characters, including terminating +NUL byte. The bindings expect node names to finish with '-thermal' +which is eight bytes long, thus we have only 11 characters for the reset +of the node name (thus 10 for the pattern after leading fixed character). + +Reported-by: Rob Herring +Closes: https://lore.kernel.org/all/CAL_JsqKogbT_4DPd1n94xqeHaU_J8ve5K09WOyVsRX3jxxUW3w@mail.gmail.com/ +Fixes: 1202a442a31f ("dt-bindings: thermal: Add yaml bindings for thermal zones") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240702145248.47184-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/thermal/thermal-zones.yaml | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/thermal/thermal-zones.yaml ++++ b/Documentation/devicetree/bindings/thermal/thermal-zones.yaml +@@ -49,7 +49,10 @@ properties: + to take when the temperature crosses those thresholds. + + patternProperties: +- "^[a-zA-Z][a-zA-Z0-9\\-]{1,12}-thermal$": ++ # Node name is limited in size due to Linux kernel requirements - 19 ++ # characters in total (see THERMAL_NAME_LENGTH, including terminating NUL ++ # byte): ++ "^[a-zA-Z][a-zA-Z0-9\\-]{1,10}-thermal$": + type: object + description: + Each thermal zone node contains information about how frequently it diff --git a/queue-6.10/exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch b/queue-6.10/exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch new file mode 100644 index 00000000000..16e65d932d2 --- /dev/null +++ b/queue-6.10/exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch @@ -0,0 +1,57 @@ +From 89fc548767a2155231128cb98726d6d2ea1256c9 Mon Sep 17 00:00:00 2001 +From: Sungjong Seo +Date: Fri, 31 May 2024 19:14:44 +0900 +Subject: exfat: fix potential deadlock on __exfat_get_dentry_set + +From: Sungjong Seo + +commit 89fc548767a2155231128cb98726d6d2ea1256c9 upstream. + +When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array +is allocated in __exfat_get_entry_set. The problem is that the bh-array is +allocated with GFP_KERNEL. It does not make sense. In the following cases, +a deadlock for sbi->s_lock between the two processes may occur. + + CPU0 CPU1 + ---- ---- + kswapd + balance_pgdat + lock(fs_reclaim) + exfat_iterate + lock(&sbi->s_lock) + exfat_readdir + exfat_get_uniname_from_ext_entry + exfat_get_dentry_set + __exfat_get_dentry_set + kmalloc_array + ... + lock(fs_reclaim) + ... + evict + exfat_evict_inode + lock(&sbi->s_lock) + +To fix this, let's allocate bh-array with GFP_NOFS. + +Fixes: a3ff29a95fde ("exfat: support dynamic allocate bh for exfat_entry_set_cache") +Cc: stable@vger.kernel.org # v6.2+ +Reported-by: syzbot+412a392a2cd4a65e71db@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/lkml/000000000000fef47e0618c0327f@google.com +Signed-off-by: Sungjong Seo +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/exfat/dir.c ++++ b/fs/exfat/dir.c +@@ -813,7 +813,7 @@ static int __exfat_get_dentry_set(struct + + num_bh = EXFAT_B_TO_BLK_ROUND_UP(off + num_entries * DENTRY_SIZE, sb); + if (num_bh > ARRAY_SIZE(es->__bh)) { +- es->bh = kmalloc_array(num_bh, sizeof(*es->bh), GFP_KERNEL); ++ es->bh = kmalloc_array(num_bh, sizeof(*es->bh), GFP_NOFS); + if (!es->bh) { + brelse(bh); + return -ENOMEM; diff --git a/queue-6.10/ext2-verify-bitmap-and-itable-block-numbers-before-using-them.patch b/queue-6.10/ext2-verify-bitmap-and-itable-block-numbers-before-using-them.patch new file mode 100644 index 00000000000..5abfe451377 --- /dev/null +++ b/queue-6.10/ext2-verify-bitmap-and-itable-block-numbers-before-using-them.patch @@ -0,0 +1,57 @@ +From 322a6aff03937aa1ece33b4e46c298eafaf9ac41 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 24 Jun 2024 17:12:56 +0200 +Subject: ext2: Verify bitmap and itable block numbers before using them + +From: Jan Kara + +commit 322a6aff03937aa1ece33b4e46c298eafaf9ac41 upstream. + +Verify bitmap block numbers and inode table blocks are sane before using +them for checking bits in the block bitmap. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext2/balloc.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/ext2/balloc.c ++++ b/fs/ext2/balloc.c +@@ -77,26 +77,33 @@ static int ext2_valid_block_bitmap(struc + ext2_grpblk_t next_zero_bit; + ext2_fsblk_t bitmap_blk; + ext2_fsblk_t group_first_block; ++ ext2_grpblk_t max_bit; + + group_first_block = ext2_group_first_block_no(sb, block_group); ++ max_bit = ext2_group_last_block_no(sb, block_group) - group_first_block; + + /* check whether block bitmap block number is set */ + bitmap_blk = le32_to_cpu(desc->bg_block_bitmap); + offset = bitmap_blk - group_first_block; +- if (!ext2_test_bit(offset, bh->b_data)) ++ if (offset < 0 || offset > max_bit || ++ !ext2_test_bit(offset, bh->b_data)) + /* bad block bitmap */ + goto err_out; + + /* check whether the inode bitmap block number is set */ + bitmap_blk = le32_to_cpu(desc->bg_inode_bitmap); + offset = bitmap_blk - group_first_block; +- if (!ext2_test_bit(offset, bh->b_data)) ++ if (offset < 0 || offset > max_bit || ++ !ext2_test_bit(offset, bh->b_data)) + /* bad block bitmap */ + goto err_out; + + /* check whether the inode table block number is set */ + bitmap_blk = le32_to_cpu(desc->bg_inode_table); + offset = bitmap_blk - group_first_block; ++ if (offset < 0 || offset > max_bit || ++ offset + EXT2_SB(sb)->s_itb_per_group - 1 > max_bit) ++ goto err_out; + next_zero_bit = ext2_find_next_zero_bit(bh->b_data, + offset + EXT2_SB(sb)->s_itb_per_group, + offset); diff --git a/queue-6.10/fuse-verify-g-u-id-mount-options-correctly.patch b/queue-6.10/fuse-verify-g-u-id-mount-options-correctly.patch new file mode 100644 index 00000000000..7af5d8d272f --- /dev/null +++ b/queue-6.10/fuse-verify-g-u-id-mount-options-correctly.patch @@ -0,0 +1,81 @@ +From 525bd65aa759ec320af1dc06e114ed69733e9e23 Mon Sep 17 00:00:00 2001 +From: Eric Sandeen +Date: Tue, 2 Jul 2024 17:22:41 -0500 +Subject: fuse: verify {g,u}id mount options correctly + +From: Eric Sandeen + +commit 525bd65aa759ec320af1dc06e114ed69733e9e23 upstream. + +As was done in +0200679fc795 ("tmpfs: verify {g,u}id mount options correctly") +we need to validate that the requested uid and/or gid is representable in +the filesystem's idmapping. + +Cribbing from the above commit log, + +The contract for {g,u}id mount options and {g,u}id values in general set +from userspace has always been that they are translated according to the +caller's idmapping. In so far, fuse has been doing the correct thing. +But since fuse is mountable in unprivileged contexts it is also +necessary to verify that the resulting {k,g}uid is representable in the +namespace of the superblock. + +Fixes: c30da2e981a7 ("fuse: convert to use the new mount API") +Cc: stable@vger.kernel.org # 5.4+ +Signed-off-by: Eric Sandeen +Link: https://lore.kernel.org/r/8f07d45d-c806-484d-a2e3-7a2199df1cd2@redhat.com +Reviewed-by: Christian Brauner +Reviewed-by: Josef Bacik +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -755,6 +755,8 @@ static int fuse_parse_param(struct fs_co + struct fs_parse_result result; + struct fuse_fs_context *ctx = fsc->fs_private; + int opt; ++ kuid_t kuid; ++ kgid_t kgid; + + if (fsc->purpose == FS_CONTEXT_FOR_RECONFIGURE) { + /* +@@ -799,16 +801,30 @@ static int fuse_parse_param(struct fs_co + break; + + case OPT_USER_ID: +- ctx->user_id = make_kuid(fsc->user_ns, result.uint_32); +- if (!uid_valid(ctx->user_id)) ++ kuid = make_kuid(fsc->user_ns, result.uint_32); ++ if (!uid_valid(kuid)) + return invalfc(fsc, "Invalid user_id"); ++ /* ++ * The requested uid must be representable in the ++ * filesystem's idmapping. ++ */ ++ if (!kuid_has_mapping(fsc->user_ns, kuid)) ++ return invalfc(fsc, "Invalid user_id"); ++ ctx->user_id = kuid; + ctx->user_id_present = true; + break; + + case OPT_GROUP_ID: +- ctx->group_id = make_kgid(fsc->user_ns, result.uint_32); +- if (!gid_valid(ctx->group_id)) ++ kgid = make_kgid(fsc->user_ns, result.uint_32);; ++ if (!gid_valid(kgid)) ++ return invalfc(fsc, "Invalid group_id"); ++ /* ++ * The requested gid must be representable in the ++ * filesystem's idmapping. ++ */ ++ if (!kgid_has_mapping(fsc->user_ns, kgid)) + return invalfc(fsc, "Invalid group_id"); ++ ctx->group_id = kgid; + ctx->group_id_present = true; + break; + diff --git a/queue-6.10/hfs-fix-to-initialize-fields-of-hfs_inode_info-after-hfs_alloc_inode.patch b/queue-6.10/hfs-fix-to-initialize-fields-of-hfs_inode_info-after-hfs_alloc_inode.patch new file mode 100644 index 00000000000..71d635be16b --- /dev/null +++ b/queue-6.10/hfs-fix-to-initialize-fields-of-hfs_inode_info-after-hfs_alloc_inode.patch @@ -0,0 +1,122 @@ +From 26a2ed107929a855155429b11e1293b83e6b2a8b Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Sun, 16 Jun 2024 09:38:41 +0800 +Subject: hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() + +From: Chao Yu + +commit 26a2ed107929a855155429b11e1293b83e6b2a8b upstream. + +Syzbot reports uninitialized value access issue as below: + +loop0: detected capacity change from 0 to 64 +===================================================== +BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 + hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 + d_revalidate fs/namei.c:862 [inline] + lookup_fast+0x89e/0x8e0 fs/namei.c:1649 + walk_component fs/namei.c:2001 [inline] + link_path_walk+0x817/0x1480 fs/namei.c:2332 + path_lookupat+0xd9/0x6f0 fs/namei.c:2485 + filename_lookup+0x22e/0x740 fs/namei.c:2515 + user_path_at_empty+0x8b/0x390 fs/namei.c:2924 + user_path_at include/linux/namei.h:57 [inline] + do_mount fs/namespace.c:3689 [inline] + __do_sys_mount fs/namespace.c:3898 [inline] + __se_sys_mount+0x66b/0x810 fs/namespace.c:3875 + __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +BUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline] +BUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 + hfs_ext_read_extent fs/hfs/extent.c:196 [inline] + hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 + block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271 + hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39 + filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426 + do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553 + do_read_cache_page mm/filemap.c:3595 [inline] + read_cache_page+0xfb/0x2f0 mm/filemap.c:3604 + read_mapping_page include/linux/pagemap.h:755 [inline] + hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78 + hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204 + hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406 + mount_bdev+0x628/0x920 fs/super.c:1359 + hfs_mount+0xcd/0xe0 fs/hfs/super.c:456 + legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610 + vfs_get_tree+0xdc/0x5d0 fs/super.c:1489 + do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145 + path_mount+0xf98/0x26a0 fs/namespace.c:3475 + do_mount fs/namespace.c:3488 [inline] + __do_sys_mount fs/namespace.c:3697 [inline] + __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674 + __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 + do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 + entry_SYSENTER_compat_after_hwframe+0x70/0x82 + +Uninit was created at: + __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 + __alloc_pages_node include/linux/gfp.h:238 [inline] + alloc_pages_node include/linux/gfp.h:261 [inline] + alloc_slab_page mm/slub.c:2190 [inline] + allocate_slab mm/slub.c:2354 [inline] + new_slab+0x2d7/0x1400 mm/slub.c:2407 + ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540 + __slab_alloc mm/slub.c:3625 [inline] + __slab_alloc_node mm/slub.c:3678 [inline] + slab_alloc_node mm/slub.c:3850 [inline] + kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879 + alloc_inode_sb include/linux/fs.h:3018 [inline] + hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165 + alloc_inode+0x83/0x440 fs/inode.c:260 + new_inode_pseudo fs/inode.c:1005 [inline] + new_inode+0x38/0x4f0 fs/inode.c:1031 + hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186 + hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228 + vfs_mkdir+0x49a/0x700 fs/namei.c:4126 + do_mkdirat+0x529/0x810 fs/namei.c:4149 + __do_sys_mkdirat fs/namei.c:4164 [inline] + __se_sys_mkdirat fs/namei.c:4162 [inline] + __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +It missed to initialize .tz_secondswest, .cached_start and .cached_blocks +fields in struct hfs_inode_info after hfs_alloc_inode(), fix it. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+3ae6be33a50b5aae4dab@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-fsdevel/0000000000005ad04005ee48897f@google.com +Signed-off-by: Chao Yu +Link: https://lore.kernel.org/r/20240616013841.2217-1-chao@kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfs/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/hfs/inode.c ++++ b/fs/hfs/inode.c +@@ -200,6 +200,7 @@ struct inode *hfs_new_inode(struct inode + HFS_I(inode)->flags = 0; + HFS_I(inode)->rsrc_inode = NULL; + HFS_I(inode)->fs_blocks = 0; ++ HFS_I(inode)->tz_secondswest = sys_tz.tz_minuteswest * 60; + if (S_ISDIR(mode)) { + inode->i_size = 2; + HFS_SB(sb)->folder_count++; +@@ -275,6 +276,8 @@ void hfs_inode_read_fork(struct inode *i + for (count = 0, i = 0; i < 3; i++) + count += be16_to_cpu(ext[i].count); + HFS_I(inode)->first_blocks = count; ++ HFS_I(inode)->cached_start = 0; ++ HFS_I(inode)->cached_blocks = 0; + + inode->i_size = HFS_I(inode)->phys_size = log_size; + HFS_I(inode)->fs_blocks = (log_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits; diff --git a/queue-6.10/io_uring-io-wq-limit-retrying-worker-initialisation.patch b/queue-6.10/io_uring-io-wq-limit-retrying-worker-initialisation.patch new file mode 100644 index 00000000000..474ddc6d4f2 --- /dev/null +++ b/queue-6.10/io_uring-io-wq-limit-retrying-worker-initialisation.patch @@ -0,0 +1,84 @@ +From 0453aad676ff99787124b9b3af4a5f59fbe808e2 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 10 Jul 2024 18:58:17 +0100 +Subject: io_uring/io-wq: limit retrying worker initialisation + +From: Pavel Begunkov + +commit 0453aad676ff99787124b9b3af4a5f59fbe808e2 upstream. + +If io-wq worker creation fails, we retry it by queueing up a task_work. +tasK_work is needed because it should be done from the user process +context. The problem is that retries are not limited, and if queueing a +task_work is the reason for the failure, we might get into an infinite +loop. + +It doesn't seem to happen now but it would with the following patch +executing task_work in the freezer's loop. For now, arbitrarily limit the +number of attempts to create a worker. + +Cc: stable@vger.kernel.org +Fixes: 3146cba99aa28 ("io-wq: make worker creation resilient against signals") +Reported-by: Julian Orth +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/8280436925db88448c7c85c6656edee1a43029ea.1720634146.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io-wq.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -23,6 +23,7 @@ + #include "io_uring.h" + + #define WORKER_IDLE_TIMEOUT (5 * HZ) ++#define WORKER_INIT_LIMIT 3 + + enum { + IO_WORKER_F_UP = 0, /* up and active */ +@@ -58,6 +59,7 @@ struct io_worker { + + unsigned long create_state; + struct callback_head create_work; ++ int init_retries; + + union { + struct rcu_head rcu; +@@ -744,7 +746,7 @@ static bool io_wq_work_match_all(struct + return true; + } + +-static inline bool io_should_retry_thread(long err) ++static inline bool io_should_retry_thread(struct io_worker *worker, long err) + { + /* + * Prevent perpetual task_work retry, if the task (or its group) is +@@ -752,6 +754,8 @@ static inline bool io_should_retry_threa + */ + if (fatal_signal_pending(current)) + return false; ++ if (worker->init_retries++ >= WORKER_INIT_LIMIT) ++ return false; + + switch (err) { + case -EAGAIN: +@@ -778,7 +782,7 @@ static void create_worker_cont(struct ca + io_init_new_worker(wq, worker, tsk); + io_worker_release(worker); + return; +- } else if (!io_should_retry_thread(PTR_ERR(tsk))) { ++ } else if (!io_should_retry_thread(worker, PTR_ERR(tsk))) { + struct io_wq_acct *acct = io_wq_get_acct(worker); + + atomic_dec(&acct->nr_running); +@@ -845,7 +849,7 @@ fail: + tsk = create_io_thread(io_wq_worker, worker, NUMA_NO_NODE); + if (!IS_ERR(tsk)) { + io_init_new_worker(wq, worker, tsk); +- } else if (!io_should_retry_thread(PTR_ERR(tsk))) { ++ } else if (!io_should_retry_thread(worker, PTR_ERR(tsk))) { + kfree(worker); + goto fail; + } else { diff --git a/queue-6.10/ipv4-fix-source-address-selection-with-route-leak.patch b/queue-6.10/ipv4-fix-source-address-selection-with-route-leak.patch new file mode 100644 index 00000000000..da37bf3037c --- /dev/null +++ b/queue-6.10/ipv4-fix-source-address-selection-with-route-leak.patch @@ -0,0 +1,48 @@ +From 6807352353561187a718e87204458999dbcbba1b Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Wed, 10 Jul 2024 10:14:27 +0200 +Subject: ipv4: fix source address selection with route leak + +From: Nicolas Dichtel + +commit 6807352353561187a718e87204458999dbcbba1b upstream. + +By default, an address assigned to the output interface is selected when +the source address is not specified. This is problematic when a route, +configured in a vrf, uses an interface from another vrf (aka route leak). +The original vrf does not own the selected source address. + +Let's add a check against the output interface and call the appropriate +function to select the source address. + +CC: stable@vger.kernel.org +Fixes: 8cbb512c923d ("net: Add source address lookup op for VRF") +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20240710081521.3809742-2-nicolas.dichtel@6wind.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/fib_semantics.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -2270,6 +2270,15 @@ void fib_select_path(struct net *net, st + fib_select_default(fl4, res); + + check_saddr: +- if (!fl4->saddr) +- fl4->saddr = fib_result_prefsrc(net, res); ++ if (!fl4->saddr) { ++ struct net_device *l3mdev; ++ ++ l3mdev = dev_get_by_index_rcu(net, fl4->flowi4_l3mdev); ++ ++ if (!l3mdev || ++ l3mdev_master_dev_rcu(FIB_RES_DEV(*res)) == l3mdev) ++ fl4->saddr = fib_result_prefsrc(net, res); ++ else ++ fl4->saddr = inet_select_addr(l3mdev, 0, RT_SCOPE_LINK); ++ } + } diff --git a/queue-6.10/ipv6-fix-source-address-selection-with-route-leak.patch b/queue-6.10/ipv6-fix-source-address-selection-with-route-leak.patch new file mode 100644 index 00000000000..4dcabeee1a7 --- /dev/null +++ b/queue-6.10/ipv6-fix-source-address-selection-with-route-leak.patch @@ -0,0 +1,85 @@ +From 252442f2ae317d109ef0b4b39ce0608c09563042 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Wed, 10 Jul 2024 10:14:28 +0200 +Subject: ipv6: fix source address selection with route leak + +From: Nicolas Dichtel + +commit 252442f2ae317d109ef0b4b39ce0608c09563042 upstream. + +By default, an address assigned to the output interface is selected when +the source address is not specified. This is problematic when a route, +configured in a vrf, uses an interface from another vrf (aka route leak). +The original vrf does not own the selected source address. + +Let's add a check against the output interface and call the appropriate +function to select the source address. + +CC: stable@vger.kernel.org +Fixes: 0d240e7811c4 ("net: vrf: Implement get_saddr for IPv6") +Signed-off-by: Nicolas Dichtel +Link: https://patch.msgid.link/20240710081521.3809742-3-nicolas.dichtel@6wind.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip6_route.h | 20 ++++++++++++++------ + net/ipv6/ip6_output.c | 1 + + net/ipv6/route.c | 2 +- + 3 files changed, 16 insertions(+), 7 deletions(-) + +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -127,18 +127,26 @@ void rt6_age_exceptions(struct fib6_info + + static inline int ip6_route_get_saddr(struct net *net, struct fib6_info *f6i, + const struct in6_addr *daddr, +- unsigned int prefs, ++ unsigned int prefs, int l3mdev_index, + struct in6_addr *saddr) + { ++ struct net_device *l3mdev; ++ struct net_device *dev; ++ bool same_vrf; + int err = 0; + +- if (f6i && f6i->fib6_prefsrc.plen) { ++ rcu_read_lock(); ++ ++ l3mdev = dev_get_by_index_rcu(net, l3mdev_index); ++ if (!f6i || !f6i->fib6_prefsrc.plen || l3mdev) ++ dev = f6i ? fib6_info_nh_dev(f6i) : NULL; ++ same_vrf = !l3mdev || l3mdev_master_dev_rcu(dev) == l3mdev; ++ if (f6i && f6i->fib6_prefsrc.plen && same_vrf) + *saddr = f6i->fib6_prefsrc.addr; +- } else { +- struct net_device *dev = f6i ? fib6_info_nh_dev(f6i) : NULL; ++ else ++ err = ipv6_dev_get_saddr(net, same_vrf ? dev : l3mdev, daddr, prefs, saddr); + +- err = ipv6_dev_get_saddr(net, dev, daddr, prefs, saddr); +- } ++ rcu_read_unlock(); + + return err; + } +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1124,6 +1124,7 @@ static int ip6_dst_lookup_tail(struct ne + from = rt ? rcu_dereference(rt->from) : NULL; + err = ip6_route_get_saddr(net, from, &fl6->daddr, + sk ? READ_ONCE(inet6_sk(sk)->srcprefs) : 0, ++ fl6->flowi6_l3mdev, + &fl6->saddr); + rcu_read_unlock(); + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5689,7 +5689,7 @@ static int rt6_fill_node(struct net *net + goto nla_put_failure; + } else if (dest) { + struct in6_addr saddr_buf; +- if (ip6_route_get_saddr(net, rt, dest, 0, &saddr_buf) == 0 && ++ if (ip6_route_get_saddr(net, rt, dest, 0, 0, &saddr_buf) == 0 && + nla_put_in6_addr(skb, RTA_PREFSRC, &saddr_buf)) + goto nla_put_failure; + } diff --git a/queue-6.10/ipv6-take-care-of-scope-when-choosing-the-src-addr.patch b/queue-6.10/ipv6-take-care-of-scope-when-choosing-the-src-addr.patch new file mode 100644 index 00000000000..15ef2bd1061 --- /dev/null +++ b/queue-6.10/ipv6-take-care-of-scope-when-choosing-the-src-addr.patch @@ -0,0 +1,36 @@ +From abb9a68d2c64dd9b128ae1f2e635e4d805e7ce64 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Wed, 10 Jul 2024 10:14:29 +0200 +Subject: ipv6: take care of scope when choosing the src addr + +From: Nicolas Dichtel + +commit abb9a68d2c64dd9b128ae1f2e635e4d805e7ce64 upstream. + +When the source address is selected, the scope must be checked. For +example, if a loopback address is assigned to the vrf device, it must not +be chosen for packets sent outside. + +CC: stable@vger.kernel.org +Fixes: afbac6010aec ("net: ipv6: Address selection needs to consider L3 domains") +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20240710081521.3809742-4-nicolas.dichtel@6wind.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1873,7 +1873,8 @@ int ipv6_dev_get_saddr(struct net *net, + master, &dst, + scores, hiscore_idx); + +- if (scores[hiscore_idx].ifa) ++ if (scores[hiscore_idx].ifa && ++ scores[hiscore_idx].scopedist >= 0) + goto out; + } + diff --git a/queue-6.10/kernel-rerun-task_work-while-freezing-in-get_signal.patch b/queue-6.10/kernel-rerun-task_work-while-freezing-in-get_signal.patch new file mode 100644 index 00000000000..c513f61d64d --- /dev/null +++ b/queue-6.10/kernel-rerun-task_work-while-freezing-in-get_signal.patch @@ -0,0 +1,50 @@ +From 943ad0b62e3c21f324c4884caa6cb4a871bca05c Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 10 Jul 2024 18:58:18 +0100 +Subject: kernel: rerun task_work while freezing in get_signal() + +From: Pavel Begunkov + +commit 943ad0b62e3c21f324c4884caa6cb4a871bca05c upstream. + +io_uring can asynchronously add a task_work while the task is getting +freezed. TIF_NOTIFY_SIGNAL will prevent the task from sleeping in +do_freezer_trap(), and since the get_signal()'s relock loop doesn't +retry task_work, the task will spin there not being able to sleep +until the freezing is cancelled / the task is killed / etc. + +Run task_works in the freezer path. Keep the patch small and simple +so it can be easily back ported, but we might need to do some cleaning +after and look if there are other places with similar problems. + +Cc: stable@vger.kernel.org +Link: https://github.com/systemd/systemd/issues/33626 +Fixes: 12db8b690010c ("entry: Add support for TIF_NOTIFY_SIGNAL") +Reported-by: Julian Orth +Acked-by: Oleg Nesterov +Acked-by: Tejun Heo +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/89ed3a52933370deaaf61a0a620a6ac91f1e754d.1720634146.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + kernel/signal.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2600,6 +2600,14 @@ static void do_freezer_trap(void) + spin_unlock_irq(¤t->sighand->siglock); + cgroup_enter_frozen(); + schedule(); ++ ++ /* ++ * We could've been woken by task_work, run it to clear ++ * TIF_NOTIFY_SIGNAL. The caller will retry if necessary. ++ */ ++ clear_notify_signal(); ++ if (unlikely(task_work_pending(current))) ++ task_work_run(); + } + + static int ptrace_signal(int signr, kernel_siginfo_t *info, enum pid_type type) diff --git a/queue-6.10/lsm-fixup-the-inode-xattr-capability-handling.patch b/queue-6.10/lsm-fixup-the-inode-xattr-capability-handling.patch new file mode 100644 index 00000000000..ad1dce9ebc3 --- /dev/null +++ b/queue-6.10/lsm-fixup-the-inode-xattr-capability-handling.patch @@ -0,0 +1,293 @@ +From 61df7b82820494368bd46071ca97e43a3dfc3b11 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 2 May 2024 17:57:51 -0400 +Subject: lsm: fixup the inode xattr capability handling + +From: Paul Moore + +commit 61df7b82820494368bd46071ca97e43a3dfc3b11 upstream. + +The current security_inode_setxattr() and security_inode_removexattr() +hooks rely on individual LSMs to either call into the associated +capability hooks (cap_inode_setxattr() or cap_inode_removexattr()), or +return a magic value of 1 to indicate that the LSM layer itself should +perform the capability checks. Unfortunately, with the default return +value for these LSM hooks being 0, an individual LSM hook returning a +1 will cause the LSM hook processing to exit early, potentially +skipping a LSM. Thankfully, with the exception of the BPF LSM, none +of the LSMs which currently register inode xattr hooks should end up +returning a value of 1, and in the BPF LSM case, with the BPF LSM hooks +executing last there should be no real harm in stopping processing of +the LSM hooks. However, the reliance on the individual LSMs to either +call the capability hooks themselves, or signal the LSM with a return +value of 1, is fragile and relies on a specific set of LSMs being +enabled. This patch is an effort to resolve, or minimize, these +issues. + +Before we discuss the solution, there are a few observations and +considerations that we need to take into account: +* BPF LSM registers an implementation for every LSM hook, and that + implementation simply returns the hook's default return value, a + 0 in this case. We want to ensure that the default BPF LSM behavior + results in the capability checks being called. +* SELinux and Smack do not expect the traditional capability checks + to be applied to the xattrs that they "own". +* SELinux and Smack are currently written in such a way that the + xattr capability checks happen before any additional LSM specific + access control checks. SELinux does apply SELinux specific access + controls to all xattrs, even those not "owned" by SELinux. +* IMA and EVM also register xattr hooks but assume that the LSM layer + and specific LSMs have already authorized the basic xattr operation. + +In order to ensure we perform the capability based access controls +before the individual LSM access controls, perform only one capability +access control check for each operation, and clarify the logic around +applying the capability controls, we need a mechanism to determine if +any of the enabled LSMs "own" a particular xattr and want to take +responsibility for controlling access to that xattr. The solution in +this patch is to create a new LSM hook, 'inode_xattr_skipcap', that is +not exported to the rest of the kernel via a security_XXX() function, +but is used by the LSM layer to determine if a LSM wants to control +access to a given xattr and avoid the traditional capability controls. +Registering an inode_xattr_skipcap hook is optional, if a LSM declines +to register an implementation, or uses an implementation that simply +returns the default value (0), there is no effect as the LSM continues +to enforce the capability based controls (unless another LSM takes +ownership of the xattr). If none of the LSMs signal that the +capability checks should be skipped, the capability check is performed +and if access is granted the individual LSM xattr access control hooks +are executed, keeping with the DAC-before-LSM convention. + +Cc: stable@vger.kernel.org +Acked-by: Casey Schaufler +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 1 + security/security.c | 70 ++++++++++++++++++++++++++++-------------- + security/selinux/hooks.c | 28 ++++++++++++---- + security/smack/smack_lsm.c | 31 +++++++++++++++++- + 4 files changed, 98 insertions(+), 32 deletions(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -144,6 +144,7 @@ LSM_HOOK(int, 0, inode_setattr, struct m + LSM_HOOK(void, LSM_RET_VOID, inode_post_setattr, struct mnt_idmap *idmap, + struct dentry *dentry, int ia_valid) + LSM_HOOK(int, 0, inode_getattr, const struct path *path) ++LSM_HOOK(int, 0, inode_xattr_skipcap, const char *name) + LSM_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap, + struct dentry *dentry, const char *name, const void *value, + size_t size, int flags) +--- a/security/security.c ++++ b/security/security.c +@@ -2278,7 +2278,20 @@ int security_inode_getattr(const struct + * @size: size of xattr value + * @flags: flags + * +- * Check permission before setting the extended attributes. ++ * This hook performs the desired permission checks before setting the extended ++ * attributes (xattrs) on @dentry. It is important to note that we have some ++ * additional logic before the main LSM implementation calls to detect if we ++ * need to perform an additional capability check at the LSM layer. ++ * ++ * Normally we enforce a capability check prior to executing the various LSM ++ * hook implementations, but if a LSM wants to avoid this capability check, ++ * it can register a 'inode_xattr_skipcap' hook and return a value of 1 for ++ * xattrs that it wants to avoid the capability check, leaving the LSM fully ++ * responsible for enforcing the access control for the specific xattr. If all ++ * of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook, ++ * or return a 0 (the default return value), the capability check is still ++ * performed. If no 'inode_xattr_skipcap' hooks are registered the capability ++ * check is performed. + * + * Return: Returns 0 if permission is granted. + */ +@@ -2286,20 +2299,20 @@ int security_inode_setxattr(struct mnt_i + struct dentry *dentry, const char *name, + const void *value, size_t size, int flags) + { +- int ret; ++ int rc; + + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return 0; +- /* +- * SELinux and Smack integrate the cap call, +- * so assume that all LSMs supplying this call do so. +- */ +- ret = call_int_hook(inode_setxattr, idmap, dentry, name, value, size, +- flags); + +- if (ret == 1) +- ret = cap_inode_setxattr(dentry, name, value, size, flags); +- return ret; ++ /* enforce the capability checks at the lsm layer, if needed */ ++ if (!call_int_hook(inode_xattr_skipcap, name)) { ++ rc = cap_inode_setxattr(dentry, name, value, size, flags); ++ if (rc) ++ return rc; ++ } ++ ++ return call_int_hook(inode_setxattr, idmap, dentry, name, value, size, ++ flags); + } + + /** +@@ -2452,26 +2465,39 @@ int security_inode_listxattr(struct dent + * @dentry: file + * @name: xattr name + * +- * Check permission before removing the extended attribute identified by @name +- * for @dentry. ++ * This hook performs the desired permission checks before setting the extended ++ * attributes (xattrs) on @dentry. It is important to note that we have some ++ * additional logic before the main LSM implementation calls to detect if we ++ * need to perform an additional capability check at the LSM layer. ++ * ++ * Normally we enforce a capability check prior to executing the various LSM ++ * hook implementations, but if a LSM wants to avoid this capability check, ++ * it can register a 'inode_xattr_skipcap' hook and return a value of 1 for ++ * xattrs that it wants to avoid the capability check, leaving the LSM fully ++ * responsible for enforcing the access control for the specific xattr. If all ++ * of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook, ++ * or return a 0 (the default return value), the capability check is still ++ * performed. If no 'inode_xattr_skipcap' hooks are registered the capability ++ * check is performed. + * + * Return: Returns 0 if permission is granted. + */ + int security_inode_removexattr(struct mnt_idmap *idmap, + struct dentry *dentry, const char *name) + { +- int ret; ++ int rc; + + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return 0; +- /* +- * SELinux and Smack integrate the cap call, +- * so assume that all LSMs supplying this call do so. +- */ +- ret = call_int_hook(inode_removexattr, idmap, dentry, name); +- if (ret == 1) +- ret = cap_inode_removexattr(idmap, dentry, name); +- return ret; ++ ++ /* enforce the capability checks at the lsm layer, if needed */ ++ if (!call_int_hook(inode_xattr_skipcap, name)) { ++ rc = cap_inode_removexattr(idmap, dentry, name); ++ if (rc) ++ return rc; ++ } ++ ++ return call_int_hook(inode_removexattr, idmap, dentry, name); + } + + /** +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3177,6 +3177,23 @@ static bool has_cap_mac_admin(bool audit + return true; + } + ++/** ++ * selinux_inode_xattr_skipcap - Skip the xattr capability checks? ++ * @name: name of the xattr ++ * ++ * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs ++ * named @name; the LSM layer should avoid enforcing any traditional ++ * capability based access controls on this xattr. Returns 0 to indicate that ++ * SELinux does not "own" the access control rights to xattrs named @name and is ++ * deferring to the LSM layer for further access controls, including capability ++ * based controls. ++ */ ++static int selinux_inode_xattr_skipcap(const char *name) ++{ ++ /* require capability check if not a selinux xattr */ ++ return !strcmp(name, XATTR_NAME_SELINUX); ++} ++ + static int selinux_inode_setxattr(struct mnt_idmap *idmap, + struct dentry *dentry, const char *name, + const void *value, size_t size, int flags) +@@ -3188,15 +3205,9 @@ static int selinux_inode_setxattr(struct + u32 newsid, sid = current_sid(); + int rc = 0; + +- if (strcmp(name, XATTR_NAME_SELINUX)) { +- rc = cap_inode_setxattr(dentry, name, value, size, flags); +- if (rc) +- return rc; +- +- /* Not an attribute we recognize, so just check the +- ordinary setattr permission. */ ++ /* if not a selinux xattr, only check the ordinary setattr perm */ ++ if (strcmp(name, XATTR_NAME_SELINUX)) + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); +- } + + if (!selinux_initialized()) + return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); +@@ -7175,6 +7186,7 @@ static struct security_hook_list selinux + LSM_HOOK_INIT(inode_permission, selinux_inode_permission), + LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), + LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), ++ LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), + LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), + LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), + LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -1283,6 +1283,33 @@ static int smack_inode_getattr(const str + } + + /** ++ * smack_inode_xattr_skipcap - Skip the xattr capability checks? ++ * @name: name of the xattr ++ * ++ * Returns 1 to indicate that Smack "owns" the access control rights to xattrs ++ * named @name; the LSM layer should avoid enforcing any traditional ++ * capability based access controls on this xattr. Returns 0 to indicate that ++ * Smack does not "own" the access control rights to xattrs named @name and is ++ * deferring to the LSM layer for further access controls, including capability ++ * based controls. ++ */ ++static int smack_inode_xattr_skipcap(const char *name) ++{ ++ if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) ++ return 0; ++ ++ if (strcmp(name, XATTR_NAME_SMACK) == 0 || ++ strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || ++ strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || ++ strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || ++ strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || ++ strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) ++ return 1; ++ ++ return 0; ++} ++ ++/** + * smack_inode_setxattr - Smack check for setting xattrs + * @idmap: idmap of the mount + * @dentry: the object +@@ -1325,8 +1352,7 @@ static int smack_inode_setxattr(struct m + size != TRANS_TRUE_SIZE || + strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) + rc = -EINVAL; +- } else +- rc = cap_inode_setxattr(dentry, name, value, size, flags); ++ } + + if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) + rc = -EPERM; +@@ -5053,6 +5079,7 @@ static struct security_hook_list smack_h + LSM_HOOK_INIT(inode_permission, smack_inode_permission), + LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), + LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), ++ LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), + LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), + LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), + LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), diff --git a/queue-6.10/md-raid5-fix-spares-errors-about-rcu-usage.patch b/queue-6.10/md-raid5-fix-spares-errors-about-rcu-usage.patch new file mode 100644 index 00000000000..83c8d5adf08 --- /dev/null +++ b/queue-6.10/md-raid5-fix-spares-errors-about-rcu-usage.patch @@ -0,0 +1,84 @@ +From 2314c2e3a70521f055dd011245dccf6fd97c7ee0 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Sat, 15 Jun 2024 16:51:43 +0800 +Subject: md/raid5: fix spares errors about rcu usage + +From: Yu Kuai + +commit 2314c2e3a70521f055dd011245dccf6fd97c7ee0 upstream. + +As commit ad8606702f26 ("md/raid5: remove rcu protection to access rdev +from conf") explains, rcu protection can be removed, however, there are +three places left, there won't be any real problems. + +drivers/md/raid5.c:8071:24: error: incompatible types in comparison expression (different address spaces): +drivers/md/raid5.c:8071:24: struct md_rdev [noderef] __rcu * +drivers/md/raid5.c:8071:24: struct md_rdev * +drivers/md/raid5.c:7569:25: error: incompatible types in comparison expression (different address spaces): +drivers/md/raid5.c:7569:25: struct md_rdev [noderef] __rcu * +drivers/md/raid5.c:7569:25: struct md_rdev * +drivers/md/raid5.c:7573:25: error: incompatible types in comparison expression (different address spaces): +drivers/md/raid5.c:7573:25: struct md_rdev [noderef] __rcu * +drivers/md/raid5.c:7573:25: struct md_rdev * + +Fixes: ad8606702f26 ("md/raid5: remove rcu protection to access rdev from conf") +Cc: stable@vger.kernel.org +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240615085143.1648223-1-yukuai1@huaweicloud.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -155,7 +155,7 @@ static int raid6_idx_to_slot(int idx, st + return slot; + } + +-static void print_raid5_conf (struct r5conf *conf); ++static void print_raid5_conf(struct r5conf *conf); + + static int stripe_operations_active(struct stripe_head *sh) + { +@@ -7580,11 +7580,11 @@ static struct r5conf *setup_conf(struct + if (test_bit(Replacement, &rdev->flags)) { + if (disk->replacement) + goto abort; +- RCU_INIT_POINTER(disk->replacement, rdev); ++ disk->replacement = rdev; + } else { + if (disk->rdev) + goto abort; +- RCU_INIT_POINTER(disk->rdev, rdev); ++ disk->rdev = rdev; + } + + if (test_bit(In_sync, &rdev->flags)) { +@@ -8066,7 +8066,7 @@ static void raid5_status(struct seq_file + seq_printf (seq, "]"); + } + +-static void print_raid5_conf (struct r5conf *conf) ++static void print_raid5_conf(struct r5conf *conf) + { + struct md_rdev *rdev; + int i; +@@ -8080,15 +8080,13 @@ static void print_raid5_conf (struct r5c + conf->raid_disks, + conf->raid_disks - conf->mddev->degraded); + +- rcu_read_lock(); + for (i = 0; i < conf->raid_disks; i++) { +- rdev = rcu_dereference(conf->disks[i].rdev); ++ rdev = conf->disks[i].rdev; + if (rdev) + pr_debug(" disk %d, o:%d, dev:%pg\n", + i, !test_bit(Faulty, &rdev->flags), + rdev->bdev); + } +- rcu_read_unlock(); + } + + static int raid5_spare_active(struct mddev *mddev) diff --git a/queue-6.10/media-i2c-kconfig-fix-missing-firmware-upload-config-select.patch b/queue-6.10/media-i2c-kconfig-fix-missing-firmware-upload-config-select.patch new file mode 100644 index 00000000000..3c899947f08 --- /dev/null +++ b/queue-6.10/media-i2c-kconfig-fix-missing-firmware-upload-config-select.patch @@ -0,0 +1,35 @@ +From fea074e97886b7ee2fe04a17bd60fd41723da1b7 Mon Sep 17 00:00:00 2001 +From: Kory Maincent +Date: Thu, 20 Jun 2024 12:25:43 +0200 +Subject: media: i2c: Kconfig: Fix missing firmware upload config select + +From: Kory Maincent + +commit fea074e97886b7ee2fe04a17bd60fd41723da1b7 upstream. + +FW_LOADER config only selects the firmware loader API, but we also need +the sysfs_upload symbols for firmware_upload_unregister() and +firmware_upload_register() to function properly. + +Fixes: 7a52ab415b43 ("media: i2c: Add driver for THine THP7312") +Cc: stable@vger.kernel.org +Signed-off-by: Kory Maincent +Reviewed-by: Laurent Pinchart +Reviewed-by: Paul Elder +Link: https://lore.kernel.org/r/20240620102544.1918105-1-kory.maincent@bootlin.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/i2c/Kconfig ++++ b/drivers/media/i2c/Kconfig +@@ -679,6 +679,7 @@ config VIDEO_THP7312 + tristate "THine THP7312 support" + depends on I2C + select FW_LOADER ++ select FW_UPLOAD + select MEDIA_CONTROLLER + select V4L2_CCI_I2C + select V4L2_FWNODE diff --git a/queue-6.10/media-stm32-dcmipp-correct-error-handling-in-dcmipp_create_subdevs.patch b/queue-6.10/media-stm32-dcmipp-correct-error-handling-in-dcmipp_create_subdevs.patch new file mode 100644 index 00000000000..5074e908997 --- /dev/null +++ b/queue-6.10/media-stm32-dcmipp-correct-error-handling-in-dcmipp_create_subdevs.patch @@ -0,0 +1,36 @@ +From a7351f0d3668b449fdc2cfd90403b1cb1f03ed6d Mon Sep 17 00:00:00 2001 +From: Alain Volmat +Date: Wed, 3 Jul 2024 13:59:16 +0200 +Subject: media: stm32: dcmipp: correct error handling in dcmipp_create_subdevs + +From: Alain Volmat + +commit a7351f0d3668b449fdc2cfd90403b1cb1f03ed6d upstream. + +Correct error handling within the dcmipp_create_subdevs by properly +decrementing the i counter when releasing the subdevs. + +Fixes: 28e0f3772296 ("media: stm32-dcmipp: STM32 DCMIPP camera interface driver") +Cc: stable@vger.kernel.org +Signed-off-by: Alain Volmat +Signed-off-by: Hans Verkuil +Acked-by: Sakari Ailus +[hverkuil: correct the indices: it's [i], not [i - 1].] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c ++++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c +@@ -202,8 +202,8 @@ static int dcmipp_create_subdevs(struct + return 0; + + err_init_entity: +- while (i > 0) +- dcmipp->pipe_cfg->ents[i - 1].release(dcmipp->entity[i - 1]); ++ while (i-- > 0) ++ dcmipp->pipe_cfg->ents[i].release(dcmipp->entity[i]); + return ret; + } + diff --git a/queue-6.10/media-venus-fix-use-after-free-in-vdec_close.patch b/queue-6.10/media-venus-fix-use-after-free-in-vdec_close.patch new file mode 100644 index 00000000000..2341861343c --- /dev/null +++ b/queue-6.10/media-venus-fix-use-after-free-in-vdec_close.patch @@ -0,0 +1,38 @@ +From a0157b5aa34eb43ec4c5510f9c260bbb03be937e Mon Sep 17 00:00:00 2001 +From: Dikshita Agarwal +Date: Thu, 9 May 2024 10:44:29 +0530 +Subject: media: venus: fix use after free in vdec_close + +From: Dikshita Agarwal + +commit a0157b5aa34eb43ec4c5510f9c260bbb03be937e upstream. + +There appears to be a possible use after free with vdec_close(). +The firmware will add buffer release work to the work queue through +HFI callbacks as a normal part of decoding. Randomly closing the +decoder device from userspace during normal decoding can incur +a read after free for inst. + +Fix it by cancelling the work in vdec_close. + +Cc: stable@vger.kernel.org +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Signed-off-by: Dikshita Agarwal +Acked-by: Vikash Garodia +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/vdec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -1747,6 +1747,7 @@ static int vdec_close(struct file *file) + + vdec_pm_get(inst); + ++ cancel_work_sync(&inst->delayed_process_work); + v4l2_m2m_ctx_release(inst->m2m_ctx); + v4l2_m2m_release(inst->m2m_dev); + vdec_ctrl_deinit(inst); diff --git a/queue-6.10/net-netconsole-disable-target-before-netpoll-cleanup.patch b/queue-6.10/net-netconsole-disable-target-before-netpoll-cleanup.patch new file mode 100644 index 00000000000..7286b6f5c31 --- /dev/null +++ b/queue-6.10/net-netconsole-disable-target-before-netpoll-cleanup.patch @@ -0,0 +1,52 @@ +From 97d9fba9a812cada5484667a46e14a4c976ca330 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Fri, 12 Jul 2024 07:34:15 -0700 +Subject: net: netconsole: Disable target before netpoll cleanup + +From: Breno Leitao + +commit 97d9fba9a812cada5484667a46e14a4c976ca330 upstream. + +Currently, netconsole cleans up the netpoll structure before disabling +the target. This approach can lead to race conditions, as message +senders (write_ext_msg() and write_msg()) check if the target is +enabled before using netpoll. The sender can validate that the target is +enabled, but, the netpoll might be de-allocated already, causing +undesired behaviours. + +This patch reverses the order of operations: +1. Disable the target +2. Clean up the netpoll structure + +This change eliminates the potential race condition, ensuring that +no messages are sent through a partially cleaned-up netpoll structure. + +Fixes: 2382b15bcc39 ("netconsole: take care of NETDEV_UNREGISTER event") +Cc: stable@vger.kernel.org +Signed-off-by: Breno Leitao +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20240712143415.1141039-1-leitao@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/netconsole.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/netconsole.c ++++ b/drivers/net/netconsole.c +@@ -974,6 +974,7 @@ restart: + /* rtnl_lock already held + * we might sleep in __netpoll_cleanup() + */ ++ nt->enabled = false; + spin_unlock_irqrestore(&target_list_lock, flags); + + __netpoll_cleanup(&nt->np); +@@ -981,7 +982,6 @@ restart: + spin_lock_irqsave(&target_list_lock, flags); + netdev_put(nt->np.dev, &nt->np.dev_tracker); + nt->np.dev = NULL; +- nt->enabled = false; + stopped = true; + netconsole_target_put(nt); + goto restart; diff --git a/queue-6.10/nfsd-support-write-delegations-in-layoutget.patch b/queue-6.10/nfsd-support-write-delegations-in-layoutget.patch new file mode 100644 index 00000000000..80ffe664041 --- /dev/null +++ b/queue-6.10/nfsd-support-write-delegations-in-layoutget.patch @@ -0,0 +1,60 @@ +From abc02e5602f7bf9bbae1e8999570a2ad5114578c Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 11 Jun 2024 15:36:46 -0400 +Subject: NFSD: Support write delegations in LAYOUTGET + +From: Chuck Lever + +commit abc02e5602f7bf9bbae1e8999570a2ad5114578c upstream. + +I noticed LAYOUTGET(LAYOUTIOMODE4_RW) returning NFS4ERR_ACCESS +unexpectedly. The NFS client had created a file with mode 0444, and +the server had returned a write delegation on the OPEN(CREATE). The +client was requesting a RW layout using the write delegation stateid +so that it could flush file modifications. + +Creating a read-only file does not seem to be problematic for +NFSv4.1 without pNFS, so I began looking at NFSD's implementation of +LAYOUTGET. + +The failure was because fh_verify() was doing a permission check as +part of verifying the FH presented during the LAYOUTGET. It uses the +loga_iomode value to specify the @accmode argument to fh_verify(). +fh_verify(MAY_WRITE) on a file whose mode is 0444 fails with -EACCES. + +To permit LAYOUT* operations in this case, add OWNER_OVERRIDE when +checking the access permission of the incoming file handle for +LAYOUTGET and LAYOUTCOMMIT. + +Cc: Christoph Hellwig +Cc: stable@vger.kernel.org # v6.6+ +Message-Id: 4E9C0D74-A06D-4DC3-A48A-73034DC40395@oracle.com +Reviewed-by: Jeff Layton +Reviewed-by: Christoph Hellwig +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -2269,7 +2269,7 @@ nfsd4_layoutget(struct svc_rqst *rqstp, + const struct nfsd4_layout_ops *ops; + struct nfs4_layout_stateid *ls; + __be32 nfserr; +- int accmode = NFSD_MAY_READ_IF_EXEC; ++ int accmode = NFSD_MAY_READ_IF_EXEC | NFSD_MAY_OWNER_OVERRIDE; + + switch (lgp->lg_seg.iomode) { + case IOMODE_READ: +@@ -2359,7 +2359,8 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + struct nfs4_layout_stateid *ls; + __be32 nfserr; + +- nfserr = fh_verify(rqstp, current_fh, 0, NFSD_MAY_WRITE); ++ nfserr = fh_verify(rqstp, current_fh, 0, ++ NFSD_MAY_WRITE | NFSD_MAY_OWNER_OVERRIDE); + if (nfserr) + goto out; + diff --git a/queue-6.10/null_blk-fix-description-of-the-fua-parameter.patch b/queue-6.10/null_blk-fix-description-of-the-fua-parameter.patch new file mode 100644 index 00000000000..bd1d3a3747e --- /dev/null +++ b/queue-6.10/null_blk-fix-description-of-the-fua-parameter.patch @@ -0,0 +1,42 @@ +From 1c0b3fca381bf879e2168b362692f83808677f95 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 2 Jul 2024 16:32:34 +0900 +Subject: null_blk: Fix description of the fua parameter + +From: Damien Le Moal + +commit 1c0b3fca381bf879e2168b362692f83808677f95 upstream. + +The description of the fua module parameter is defined using +MODULE_PARM_DESC() with the first argument passed being "zoned". That is +the wrong name, obviously. Fix that by using the correct "fua" parameter +name so that "modinfo null_blk" displays correct information. + +Fixes: f4f84586c8b9 ("null_blk: Introduce fua attribute") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20240702073234.206458-1-dlemoal@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index 83a4ebe4763a..5de9ca4eceb4 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -227,7 +227,7 @@ MODULE_PARM_DESC(mbps, "Cache size in MiB for memory-backed device. Default: 0 ( + + static bool g_fua = true; + module_param_named(fua, g_fua, bool, 0444); +-MODULE_PARM_DESC(zoned, "Enable/disable FUA support when cache_size is used. Default: true"); ++MODULE_PARM_DESC(fua, "Enable/disable FUA support when cache_size is used. Default: true"); + + static unsigned int g_mbps; + module_param_named(mbps, g_mbps, uint, 0444); +-- +2.45.2 + diff --git a/queue-6.10/revert-firewire-annotate-struct-fw_iso_packet-with-__counted_by.patch b/queue-6.10/revert-firewire-annotate-struct-fw_iso_packet-with-__counted_by.patch new file mode 100644 index 00000000000..d958d9505e8 --- /dev/null +++ b/queue-6.10/revert-firewire-annotate-struct-fw_iso_packet-with-__counted_by.patch @@ -0,0 +1,38 @@ +From 00e3913b0416fe69d28745c0a2a340e2f76c219c Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Fri, 26 Jul 2024 01:16:48 +0900 +Subject: Revert "firewire: Annotate struct fw_iso_packet with __counted_by()" + +From: Takashi Sakamoto + +commit 00e3913b0416fe69d28745c0a2a340e2f76c219c upstream. + +This reverts commit d3155742db89df3b3c96da383c400e6ff4d23c25. + +The header_length field is byte unit, thus it can not express the number of +elements in header field. It seems that the argument for counted_by +attribute can have no arithmetic expression, therefore this commit just +reverts the issued commit. + +Suggested-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20240725161648.130404-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Sakamoto +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/firewire.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/include/linux/firewire.h ++++ b/include/linux/firewire.h +@@ -462,9 +462,8 @@ struct fw_iso_packet { + /* rx: Sync bit, wait for matching sy */ + u32 tag:2; /* tx: Tag in packet header */ + u32 sy:4; /* tx: Sy in packet header */ +- u32 header_length:8; /* Length of immediate header */ +- /* tx: Top of 1394 isoch. data_block */ +- u32 header[] __counted_by(header_length); ++ u32 header_length:8; /* Size of immediate header */ ++ u32 header[]; /* tx: Top of 1394 isoch. data_block */ + }; + + #define FW_ISO_CONTEXT_TRANSMIT 0 diff --git a/queue-6.10/sched-fair-set_load_weight-must-also-call-reweight_task-for-sched_idle-tasks.patch b/queue-6.10/sched-fair-set_load_weight-must-also-call-reweight_task-for-sched_idle-tasks.patch new file mode 100644 index 00000000000..a1544d6889e --- /dev/null +++ b/queue-6.10/sched-fair-set_load_weight-must-also-call-reweight_task-for-sched_idle-tasks.patch @@ -0,0 +1,107 @@ +From d329605287020c3d1c3b0dadc63d8208e7251382 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 25 Jun 2024 15:29:58 -1000 +Subject: sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks + +From: Tejun Heo + +commit d329605287020c3d1c3b0dadc63d8208e7251382 upstream. + +When a task's weight is being changed, set_load_weight() is called with +@update_load set. As weight changes aren't trivial for the fair class, +set_load_weight() calls fair.c::reweight_task() for fair class tasks. + +However, set_load_weight() first tests task_has_idle_policy() on entry and +skips calling reweight_task() for SCHED_IDLE tasks. This is buggy as +SCHED_IDLE tasks are just fair tasks with a very low weight and they would +incorrectly skip load, vlag and position updates. + +Fix it by updating reweight_task() to take struct load_weight as idle weight +can't be expressed with prio and making set_load_weight() call +reweight_task() for SCHED_IDLE tasks too when @update_load is set. + +Fixes: 9059393e4ec1 ("sched/fair: Use reweight_entity() for set_user_nice()") +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Tejun Heo +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org # v4.15+ +Link: http://lkml.kernel.org/r/20240624102331.GI31592@noisy.programming.kicks-ass.net +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 23 ++++++++++------------- + kernel/sched/fair.c | 7 +++---- + kernel/sched/sched.h | 2 +- + 3 files changed, 14 insertions(+), 18 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1326,27 +1326,24 @@ int tg_nop(struct task_group *tg, void * + static void set_load_weight(struct task_struct *p, bool update_load) + { + int prio = p->static_prio - MAX_RT_PRIO; +- struct load_weight *load = &p->se.load; ++ struct load_weight lw; + +- /* +- * SCHED_IDLE tasks get minimal weight: +- */ + if (task_has_idle_policy(p)) { +- load->weight = scale_load(WEIGHT_IDLEPRIO); +- load->inv_weight = WMULT_IDLEPRIO; +- return; ++ lw.weight = scale_load(WEIGHT_IDLEPRIO); ++ lw.inv_weight = WMULT_IDLEPRIO; ++ } else { ++ lw.weight = scale_load(sched_prio_to_weight[prio]); ++ lw.inv_weight = sched_prio_to_wmult[prio]; + } + + /* + * SCHED_OTHER tasks have to update their load when changing their + * weight + */ +- if (update_load && p->sched_class == &fair_sched_class) { +- reweight_task(p, prio); +- } else { +- load->weight = scale_load(sched_prio_to_weight[prio]); +- load->inv_weight = sched_prio_to_wmult[prio]; +- } ++ if (update_load && p->sched_class == &fair_sched_class) ++ reweight_task(p, &lw); ++ else ++ p->se.load = lw; + } + + #ifdef CONFIG_UCLAMP_TASK +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3835,15 +3835,14 @@ static void reweight_entity(struct cfs_r + } + } + +-void reweight_task(struct task_struct *p, int prio) ++void reweight_task(struct task_struct *p, const struct load_weight *lw) + { + struct sched_entity *se = &p->se; + struct cfs_rq *cfs_rq = cfs_rq_of(se); + struct load_weight *load = &se->load; +- unsigned long weight = scale_load(sched_prio_to_weight[prio]); + +- reweight_entity(cfs_rq, se, weight); +- load->inv_weight = sched_prio_to_wmult[prio]; ++ reweight_entity(cfs_rq, se, lw->weight); ++ load->inv_weight = lw->inv_weight; + } + + static inline int throttled_hierarchy(struct cfs_rq *cfs_rq); +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -2464,7 +2464,7 @@ extern void init_sched_dl_class(void); + extern void init_sched_rt_class(void); + extern void init_sched_fair_class(void); + +-extern void reweight_task(struct task_struct *p, int prio); ++extern void reweight_task(struct task_struct *p, const struct load_weight *lw); + + extern void resched_curr(struct rq *rq); + extern void resched_cpu(int cpu); diff --git a/queue-6.10/selftests-nolibc-fix-printf-format-mismatch-in-expect_str_buf_eq.patch b/queue-6.10/selftests-nolibc-fix-printf-format-mismatch-in-expect_str_buf_eq.patch new file mode 100644 index 00000000000..b912d8777e3 --- /dev/null +++ b/queue-6.10/selftests-nolibc-fix-printf-format-mismatch-in-expect_str_buf_eq.patch @@ -0,0 +1,49 @@ +From 92098b1c10cb29bcc6fa0908a766dc9e16b1e889 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Mon, 27 May 2024 18:15:58 +0200 +Subject: selftests/nolibc: fix printf format mismatch in expect_str_buf_eq() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 92098b1c10cb29bcc6fa0908a766dc9e16b1e889 upstream. + +Fix the following compiler warning on 32bit: + + i386-linux-gcc -Os -fno-ident -fno-asynchronous-unwind-tables -std=c89 -W -Wall -Wextra -fno-stack-protector -m32 -mstack-protector-guard=global -fstack-protector-all -o nolibc-test \ + -nostdlib -nostdinc -static -Isysroot/i386/include nolibc-test.c nolibc-test-linkage.c -lgcc + nolibc-test.c: In function 'expect_str_buf_eq': + nolibc-test.c:610:30: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'size_t' {aka 'unsigned int'} [-Werror=format=] + 610 | llen += printf(" = %lu <%s> ", expr, buf); + | ~~^ ~~~~ + | | | + | | size_t {aka unsigned int} + | long unsigned int + | %u + +Fixes: 1063649cf531 ("selftests/nolibc: Add tests for strlcat() and strlcpy()") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/nolibc/nolibc-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c +index 94bb6e11c16f..994477ee87be 100644 +--- a/tools/testing/selftests/nolibc/nolibc-test.c ++++ b/tools/testing/selftests/nolibc/nolibc-test.c +@@ -607,7 +607,7 @@ int expect_strne(const char *expr, int llen, const char *cmp) + static __attribute__((unused)) + int expect_str_buf_eq(size_t expr, const char *buf, size_t val, int llen, const char *cmp) + { +- llen += printf(" = %lu <%s> ", expr, buf); ++ llen += printf(" = %lu <%s> ", (unsigned long)expr, buf); + if (strcmp(buf, cmp) != 0) { + result(llen, FAIL); + return 1; +-- +2.45.2 + diff --git a/queue-6.10/series b/queue-6.10/series index eec45fbbd3d..39d5bef6017 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -541,3 +541,39 @@ mm-mglru-fix-overshooting-shrinker-memory.patch mm-mglru-fix-ineffective-protection-calculation.patch x86-efistub-avoid-returning-efi_success-on-error.patch x86-efistub-revert-to-heap-allocated-boot_params-for-pe-entrypoint.patch +revert-firewire-annotate-struct-fw_iso_packet-with-__counted_by.patch +exfat-fix-potential-deadlock-on-__exfat_get_dentry_set.patch +thermal-drivers-broadcom-fix-race-between-removal-and-clock-disable.patch +dt-bindings-thermal-correct-thermal-zone-node-name-limit.patch +tick-broadcast-make-takeover-of-broadcast-hrtimer-reliable.patch +net-netconsole-disable-target-before-netpoll-cleanup.patch +af_packet-handle-outgoing-vlan-packets-without-hardware-offloading.patch +workqueue-always-queue-work-items-to-the-newest-pwq-for-order-workqueues.patch +btrfs-fix-extent-map-use-after-free-when-adding-pages-to-compressed-bio.patch +kernel-rerun-task_work-while-freezing-in-get_signal.patch +ipv6-fix-source-address-selection-with-route-leak.patch +ipv4-fix-source-address-selection-with-route-leak.patch +ipv6-take-care-of-scope-when-choosing-the-src-addr.patch +drm-xe-use-write-back-caching-mode-for-system-memory-on-dgfx.patch +nfsd-support-write-delegations-in-layoutget.patch +wifi-mac80211-chanctx-emulation-set-change_channel-when-in_reconfig.patch +sched-fair-set_load_weight-must-also-call-reweight_task-for-sched_idle-tasks.patch +fuse-verify-g-u-id-mount-options-correctly.patch +md-raid5-fix-spares-errors-about-rcu-usage.patch +media-stm32-dcmipp-correct-error-handling-in-dcmipp_create_subdevs.patch +null_blk-fix-description-of-the-fua-parameter.patch +ata-libata-scsi-fix-offsets-for-the-fixed-format-sense-data.patch +selftests-nolibc-fix-printf-format-mismatch-in-expect_str_buf_eq.patch +tpm_tis_spi-add-missing-attpm20p-spi-device-id-entry.patch +char-tpm-fix-possible-memory-leak-in-tpm_bios_measurements_open.patch +media-venus-fix-use-after-free-in-vdec_close.patch +ata-libata-scsi-do-not-overwrite-valid-sense-data-when-ck_cond-1.patch +ata-libata-scsi-honor-the-d_sense-bit-for-ck_cond-1-and-no-error.patch +sysctl-always-initialize-i_uid-i_gid.patch +hfs-fix-to-initialize-fields-of-hfs_inode_info-after-hfs_alloc_inode.patch +ext2-verify-bitmap-and-itable-block-numbers-before-using-them.patch +media-i2c-kconfig-fix-missing-firmware-upload-config-select.patch +lsm-fixup-the-inode-xattr-capability-handling.patch +io_uring-io-wq-limit-retrying-worker-initialisation.patch +drm-gma500-fix-null-pointer-dereference-in-cdv_intel_lvds_get_modes.patch +drm-gma500-fix-null-pointer-dereference-in-psb_intel_lvds_get_modes.patch diff --git a/queue-6.10/sysctl-always-initialize-i_uid-i_gid.patch b/queue-6.10/sysctl-always-initialize-i_uid-i_gid.patch new file mode 100644 index 00000000000..36074615084 --- /dev/null +++ b/queue-6.10/sysctl-always-initialize-i_uid-i_gid.patch @@ -0,0 +1,47 @@ +From 98ca62ba9e2be5863c7d069f84f7166b45a5b2f4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 2 Apr 2024 23:10:34 +0200 +Subject: sysctl: always initialize i_uid/i_gid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 98ca62ba9e2be5863c7d069f84f7166b45a5b2f4 upstream. + +Always initialize i_uid/i_gid inside the sysfs core so set_ownership() +can safely skip setting them. + +Commit 5ec27ec735ba ("fs/proc/proc_sysctl.c: fix the default values of +i_uid/i_gid on /proc/sys inodes.") added defaults for i_uid/i_gid when +set_ownership() was not implemented. It also missed adjusting +net_ctl_set_ownership() to use the same default values in case the +computation of a better value failed. + +Fixes: 5ec27ec735ba ("fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Signed-off-by: Joel Granados +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/proc_sysctl.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -476,12 +476,10 @@ static struct inode *proc_sys_make_inode + make_empty_dir_inode(inode); + } + ++ inode->i_uid = GLOBAL_ROOT_UID; ++ inode->i_gid = GLOBAL_ROOT_GID; + if (root->set_ownership) + root->set_ownership(head, &inode->i_uid, &inode->i_gid); +- else { +- inode->i_uid = GLOBAL_ROOT_UID; +- inode->i_gid = GLOBAL_ROOT_GID; +- } + + return inode; + } diff --git a/queue-6.10/thermal-drivers-broadcom-fix-race-between-removal-and-clock-disable.patch b/queue-6.10/thermal-drivers-broadcom-fix-race-between-removal-and-clock-disable.patch new file mode 100644 index 00000000000..892885b1e2b --- /dev/null +++ b/queue-6.10/thermal-drivers-broadcom-fix-race-between-removal-and-clock-disable.patch @@ -0,0 +1,100 @@ +From e90c369cc2ffcf7145a46448de101f715a1f5584 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 9 Jul 2024 14:59:31 +0200 +Subject: thermal/drivers/broadcom: Fix race between removal and clock disable + +From: Krzysztof Kozlowski + +commit e90c369cc2ffcf7145a46448de101f715a1f5584 upstream. + +During the probe, driver enables clocks necessary to access registers +(in get_temp()) and then registers thermal zone with managed-resources +(devm) interface. Removal of device is not done in reversed order, +because: +1. Clock will be disabled in driver remove() callback - thermal zone is + still registered and accessible to users, +2. devm interface will unregister thermal zone. + +This leaves short window between (1) and (2) for accessing the +get_temp() callback with disabled clock. + +Fix this by enabling clock also via devm-interface, so entire cleanup +path will be in proper, reversed order. + +Fixes: 8454c8c09c77 ("thermal/drivers/bcm2835: Remove buggy call to thermal_of_zone_unregister") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240709-thermal-probe-v1-1-241644e2b6e0@linaro.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/broadcom/bcm2835_thermal.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +--- a/drivers/thermal/broadcom/bcm2835_thermal.c ++++ b/drivers/thermal/broadcom/bcm2835_thermal.c +@@ -185,7 +185,7 @@ static int bcm2835_thermal_probe(struct + return err; + } + +- data->clk = devm_clk_get(&pdev->dev, NULL); ++ data->clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(data->clk)) { + err = PTR_ERR(data->clk); + if (err != -EPROBE_DEFER) +@@ -193,10 +193,6 @@ static int bcm2835_thermal_probe(struct + return err; + } + +- err = clk_prepare_enable(data->clk); +- if (err) +- return err; +- + rate = clk_get_rate(data->clk); + if ((rate < 1920000) || (rate > 5000000)) + dev_warn(&pdev->dev, +@@ -211,7 +207,7 @@ static int bcm2835_thermal_probe(struct + dev_err(&pdev->dev, + "Failed to register the thermal device: %d\n", + err); +- goto err_clk; ++ return err; + } + + /* +@@ -236,7 +232,7 @@ static int bcm2835_thermal_probe(struct + dev_err(&pdev->dev, + "Not able to read trip_temp: %d\n", + err); +- goto err_tz; ++ return err; + } + + /* set bandgap reference voltage and enable voltage regulator */ +@@ -269,17 +265,11 @@ static int bcm2835_thermal_probe(struct + */ + err = thermal_add_hwmon_sysfs(tz); + if (err) +- goto err_tz; ++ return err; + + bcm2835_thermal_debugfs(pdev); + + return 0; +-err_tz: +- devm_thermal_of_zone_unregister(&pdev->dev, tz); +-err_clk: +- clk_disable_unprepare(data->clk); +- +- return err; + } + + static void bcm2835_thermal_remove(struct platform_device *pdev) +@@ -287,7 +277,6 @@ static void bcm2835_thermal_remove(struc + struct bcm2835_thermal_data *data = platform_get_drvdata(pdev); + + debugfs_remove_recursive(data->debugfsdir); +- clk_disable_unprepare(data->clk); + } + + static struct platform_driver bcm2835_thermal_driver = { diff --git a/queue-6.10/tick-broadcast-make-takeover-of-broadcast-hrtimer-reliable.patch b/queue-6.10/tick-broadcast-make-takeover-of-broadcast-hrtimer-reliable.patch new file mode 100644 index 00000000000..cc474da0dcd --- /dev/null +++ b/queue-6.10/tick-broadcast-make-takeover-of-broadcast-hrtimer-reliable.patch @@ -0,0 +1,109 @@ +From f7d43dd206e7e18c182f200e67a8db8c209907fa Mon Sep 17 00:00:00 2001 +From: Yu Liao +Date: Thu, 11 Jul 2024 20:48:43 +0800 +Subject: tick/broadcast: Make takeover of broadcast hrtimer reliable + +From: Yu Liao + +commit f7d43dd206e7e18c182f200e67a8db8c209907fa upstream. + +Running the LTP hotplug stress test on a aarch64 machine results in +rcu_sched stall warnings when the broadcast hrtimer was owned by the +un-plugged CPU. The issue is the following: + +CPU1 (owns the broadcast hrtimer) CPU2 + + tick_broadcast_enter() + // shutdown local timer device + broadcast_shutdown_local() + ... + tick_broadcast_exit() + clockevents_switch_state(dev, CLOCK_EVT_STATE_ONESHOT) + // timer device is not programmed + cpumask_set_cpu(cpu, tick_broadcast_force_mask) + + initiates offlining of CPU1 +take_cpu_down() +/* + * CPU1 shuts down and does not + * send broadcast IPI anymore + */ + takedown_cpu() + hotplug_cpu__broadcast_tick_pull() + // move broadcast hrtimer to this CPU + clockevents_program_event() + bc_set_next() + hrtimer_start() + /* + * timer device is not programmed + * because only the first expiring + * timer will trigger clockevent + * device reprogramming + */ + +What happens is that CPU2 exits broadcast mode with force bit set, then the +local timer device is not reprogrammed and CPU2 expects to receive the +expired event by the broadcast IPI. But this does not happen because CPU1 +is offlined by CPU2. CPU switches the clockevent device to ONESHOT state, +but does not reprogram the device. + +The subsequent reprogramming of the hrtimer broadcast device does not +program the clockevent device of CPU2 either because the pending expiry +time is already in the past and the CPU expects the event to be delivered. +As a consequence all CPUs which wait for a broadcast event to be delivered +are stuck forever. + +Fix this issue by reprogramming the local timer device if the broadcast +force bit of the CPU is set so that the broadcast hrtimer is delivered. + +[ tglx: Massage comment and change log. Add Fixes tag ] + +Fixes: 989dcb645ca7 ("tick: Handle broadcast wakeup of multiple cpus") +Signed-off-by: Yu Liao +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240711124843.64167-1-liaoyu15@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-broadcast.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/kernel/time/tick-broadcast.c ++++ b/kernel/time/tick-broadcast.c +@@ -1141,6 +1141,7 @@ void tick_broadcast_switch_to_oneshot(vo + #ifdef CONFIG_HOTPLUG_CPU + void hotplug_cpu__broadcast_tick_pull(int deadcpu) + { ++ struct tick_device *td = this_cpu_ptr(&tick_cpu_device); + struct clock_event_device *bc; + unsigned long flags; + +@@ -1148,6 +1149,28 @@ void hotplug_cpu__broadcast_tick_pull(in + bc = tick_broadcast_device.evtdev; + + if (bc && broadcast_needs_cpu(bc, deadcpu)) { ++ /* ++ * If the broadcast force bit of the current CPU is set, ++ * then the current CPU has not yet reprogrammed the local ++ * timer device to avoid a ping-pong race. See ++ * ___tick_broadcast_oneshot_control(). ++ * ++ * If the broadcast device is hrtimer based then ++ * programming the broadcast event below does not have any ++ * effect because the local clockevent device is not ++ * running and not programmed because the broadcast event ++ * is not earlier than the pending event of the local clock ++ * event device. As a consequence all CPUs waiting for a ++ * broadcast event are stuck forever. ++ * ++ * Detect this condition and reprogram the cpu local timer ++ * device to avoid the starvation. ++ */ ++ if (tick_check_broadcast_expired()) { ++ cpumask_clear_cpu(smp_processor_id(), tick_broadcast_force_mask); ++ tick_program_event(td->evtdev->next_event, 1); ++ } ++ + /* This moves the broadcast assignment to this CPU: */ + clockevents_program_event(bc, bc->next_event, 1); + } diff --git a/queue-6.10/tpm_tis_spi-add-missing-attpm20p-spi-device-id-entry.patch b/queue-6.10/tpm_tis_spi-add-missing-attpm20p-spi-device-id-entry.patch new file mode 100644 index 00000000000..86abed0ed07 --- /dev/null +++ b/queue-6.10/tpm_tis_spi-add-missing-attpm20p-spi-device-id-entry.patch @@ -0,0 +1,44 @@ +From 0543f29408a151c1c4a12e5da07ec45c2779b9b8 Mon Sep 17 00:00:00 2001 +From: Vitor Soares +Date: Fri, 21 Jun 2024 10:50:45 +0100 +Subject: tpm_tis_spi: add missing attpm20p SPI device ID entry + +From: Vitor Soares + +commit 0543f29408a151c1c4a12e5da07ec45c2779b9b8 upstream. + +"atmel,attpm20p" DT compatible is missing its SPI device ID entry, not +allowing module autoloading and leading to the following message: + + "SPI driver tpm_tis_spi has no spi_device_id for atmel,attpm20p" + +Based on: + commit 7eba41fe8c7b ("tpm_tis_spi: Add missing SPI ID") + +Fix this by adding the corresponding "attpm20p" spi_device_id entry. + +Fixes: 3c45308c44ed ("tpm_tis_spi: Add compatible string atmel,attpm20p") +Cc: stable@vger.kernel.org # +v6.9 +Signed-off-by: Vitor Soares +Reviewed-by: Lukas Wunner +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_tis_spi_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/char/tpm/tpm_tis_spi_main.c b/drivers/char/tpm/tpm_tis_spi_main.c +index c9eca24bbad4..61b42c83ced8 100644 +--- a/drivers/char/tpm/tpm_tis_spi_main.c ++++ b/drivers/char/tpm/tpm_tis_spi_main.c +@@ -318,6 +318,7 @@ static void tpm_tis_spi_remove(struct spi_device *dev) + } + + static const struct spi_device_id tpm_tis_spi_id[] = { ++ { "attpm20p", (unsigned long)tpm_tis_spi_probe }, + { "st33htpm-spi", (unsigned long)tpm_tis_spi_probe }, + { "slb9670", (unsigned long)tpm_tis_spi_probe }, + { "tpm_tis_spi", (unsigned long)tpm_tis_spi_probe }, +-- +2.45.2 + diff --git a/queue-6.10/wifi-mac80211-chanctx-emulation-set-change_channel-when-in_reconfig.patch b/queue-6.10/wifi-mac80211-chanctx-emulation-set-change_channel-when-in_reconfig.patch new file mode 100644 index 00000000000..28fb092975f --- /dev/null +++ b/queue-6.10/wifi-mac80211-chanctx-emulation-set-change_channel-when-in_reconfig.patch @@ -0,0 +1,42 @@ +From 19b815ed71aadee9a2d31b7a700ef61ae8048010 Mon Sep 17 00:00:00 2001 +From: Zong-Zhe Yang +Date: Tue, 9 Jul 2024 15:35:31 +0800 +Subject: wifi: mac80211: chanctx emulation set CHANGE_CHANNEL when in_reconfig + +From: Zong-Zhe Yang + +commit 19b815ed71aadee9a2d31b7a700ef61ae8048010 upstream. + +Chanctx emulation didn't info IEEE80211_CONF_CHANGE_CHANNEL to drivers +during ieee80211_restart_hw (ieee80211_emulate_add_chanctx). It caused +non-chanctx drivers to not stand on the correct channel after recovery. +RX then behaved abnormally. Finally, disconnection/reconnection occurred. + +So, set IEEE80211_CONF_CHANGE_CHANNEL when in_reconfig. + +Signed-off-by: Zong-Zhe Yang +Link: https://patch.msgid.link/20240709073531.30565-1-kevin_yang@realtek.com +Cc: stable@vger.kernel.org +Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers") +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 7578ea56c12f..85a267bdb3e3 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -148,7 +148,7 @@ static u32 ieee80211_calc_hw_conf_chan(struct ieee80211_local *local, + offchannel_flag ^= local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL; + + /* force it also for scanning, since drivers might config differently */ +- if (offchannel_flag || local->scanning || ++ if (offchannel_flag || local->scanning || local->in_reconfig || + !cfg80211_chandef_identical(&local->hw.conf.chandef, &chandef)) { + local->hw.conf.chandef = chandef; + changed |= IEEE80211_CONF_CHANGE_CHANNEL; +-- +2.45.2 + diff --git a/queue-6.10/workqueue-always-queue-work-items-to-the-newest-pwq-for-order-workqueues.patch b/queue-6.10/workqueue-always-queue-work-items-to-the-newest-pwq-for-order-workqueues.patch new file mode 100644 index 00000000000..d3ee938288e --- /dev/null +++ b/queue-6.10/workqueue-always-queue-work-items-to-the-newest-pwq-for-order-workqueues.patch @@ -0,0 +1,45 @@ +From 58629d4871e8eb2c385b16a73a8451669db59f39 Mon Sep 17 00:00:00 2001 +From: Lai Jiangshan +Date: Wed, 3 Jul 2024 17:27:41 +0800 +Subject: workqueue: Always queue work items to the newest PWQ for order workqueues + +From: Lai Jiangshan + +commit 58629d4871e8eb2c385b16a73a8451669db59f39 upstream. + +To ensure non-reentrancy, __queue_work() attempts to enqueue a work +item to the pool of the currently executing worker. This is not only +unnecessary for an ordered workqueue, where order inherently suggests +non-reentrancy, but it could also disrupt the sequence if the item is +not enqueued on the newest PWQ. + +Just queue it to the newest PWQ and let order management guarantees +non-reentrancy. + +Signed-off-by: Lai Jiangshan +Fixes: 4c065dbce1e8 ("workqueue: Enable unbound cpumask update on ordered workqueues") +Cc: stable@vger.kernel.org # v6.9+ +Signed-off-by: Tejun Heo +(cherry picked from commit 74347be3edfd11277799242766edf844c43dd5d3) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/workqueue.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -2298,9 +2298,13 @@ retry: + * If @work was previously on a different pool, it might still be + * running there, in which case the work needs to be queued on that + * pool to guarantee non-reentrancy. ++ * ++ * For ordered workqueue, work items must be queued on the newest pwq ++ * for accurate order management. Guaranteed order also guarantees ++ * non-reentrancy. See the comments above unplug_oldest_pwq(). + */ + last_pool = get_work_pool(work); +- if (last_pool && last_pool != pool) { ++ if (last_pool && last_pool != pool && !(wq->flags & __WQ_ORDERED)) { + struct worker *worker; + + raw_spin_lock(&last_pool->lock);