From: Greg Kroah-Hartman Date: Wed, 22 Nov 2023 18:57:50 +0000 (+0000) Subject: 6.5-stable patches X-Git-Tag: v4.14.331~120 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aa94c116c705f6cca48d4dfd4c242351662eff5d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.5-stable patches added patches: acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch dm-crypt-account-large-pages-in-cc-n_allocated_pages.patch fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-signed-offset.patch genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch iommufd-fix-missing-update-of-domains_itree-after-splitting-iopt_area.patch keys-trusted-rollback-init_trusted-consistently.patch keys-trusted-tee-refactor-register-shm-usage.patch mm-damon-core-avoid-divide-by-zero-during-monitoring-results-update.patch mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch mm-damon-sysfs-schemes-handle-tried-region-directory-allocation-failure.patch mm-damon-sysfs-schemes-handle-tried-regions-sysfs-directory-allocation-failure.patch mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch parisc-add-nop-instructions-after-tlb-inserts.patch pci-keystone-don-t-discard-.probe-callback.patch pci-keystone-don-t-discard-.remove-callback.patch regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch sched-core-fix-rqcf_act_skip-leak.patch watchdog-move-softlockup_panic-back-to-early_param.patch wifi-ath11k-fix-dfs-radar-event-locking.patch wifi-ath11k-fix-gtk-offload-status-event-locking.patch wifi-ath11k-fix-htt-pktlog-locking.patch wifi-ath11k-fix-temperature-event-locking.patch wifi-ath12k-fix-dfs-radar-and-temperature-event-locking.patch wifi-ath12k-fix-htt-mlo-offset-event-locking.patch --- diff --git a/queue-6.5/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch b/queue-6.5/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch new file mode 100644 index 00000000000..1e363f7f7d1 --- /dev/null +++ b/queue-6.5/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch @@ -0,0 +1,45 @@ +From 0da9eccde3270b832c059ad618bf66e510c75d33 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Mon, 16 Oct 2023 18:08:28 +0200 +Subject: ACPI: resource: Do IRQ override on TongFang GMxXGxx + +From: Werner Sembach + +commit 0da9eccde3270b832c059ad618bf66e510c75d33 upstream. + +The TongFang GMxXGxx/TUXEDO Stellaris/Pollaris Gen5 needs IRQ overriding +for the keyboard to work. + +Adding an entry for this laptop to the override_table makes the internal +keyboard functional. + +Signed-off-by: Werner Sembach +Cc: All applicable +Reviewed-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/resource.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -496,6 +496,18 @@ static const struct dmi_system_id mainge + } + }, + { ++ /* TongFang GMxXGxx/TUXEDO Polaris 15 Gen5 AMD */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GMxXGxx"), ++ }, ++ }, ++ { ++ /* TongFang GM6XGxX/TUXEDO Stellaris 16 Gen5 AMD */ ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "GM6XGxX"), ++ }, ++ }, ++ { + .ident = "MAINGEAR Vector Pro 2 17", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), diff --git a/queue-6.5/dm-crypt-account-large-pages-in-cc-n_allocated_pages.patch b/queue-6.5/dm-crypt-account-large-pages-in-cc-n_allocated_pages.patch new file mode 100644 index 00000000000..196c42da89d --- /dev/null +++ b/queue-6.5/dm-crypt-account-large-pages-in-cc-n_allocated_pages.patch @@ -0,0 +1,66 @@ +From 9793c269da6cd339757de6ba5b2c8681b54c99af Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 31 Oct 2023 19:12:54 +0100 +Subject: dm crypt: account large pages in cc->n_allocated_pages + +From: Mikulas Patocka + +commit 9793c269da6cd339757de6ba5b2c8681b54c99af upstream. + +The commit 5054e778fcd9c ("dm crypt: allocate compound pages if +possible") changed dm-crypt to use compound pages to improve +performance. Unfortunately, there was an oversight: the allocation of +compound pages was not accounted at all. Normal pages are accounted in +a percpu counter cc->n_allocated_pages and dm-crypt is limited to +allocate at most 2% of memory. Because compound pages were not +accounted at all, dm-crypt could allocate memory over the 2% limit. + +Fix this by adding the accounting of compound pages, so that memory +consumption of dm-crypt is properly limited. + +Signed-off-by: Mikulas Patocka +Fixes: 5054e778fcd9c ("dm crypt: allocate compound pages if possible") +Cc: stable@vger.kernel.org # v6.5+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-crypt.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -1700,11 +1700,17 @@ retry: + order = min(order, remaining_order); + + while (order > 0) { ++ if (unlikely(percpu_counter_read_positive(&cc->n_allocated_pages) + ++ (1 << order) > dm_crypt_pages_per_client)) ++ goto decrease_order; + pages = alloc_pages(gfp_mask + | __GFP_NOMEMALLOC | __GFP_NORETRY | __GFP_NOWARN | __GFP_COMP, + order); +- if (likely(pages != NULL)) ++ if (likely(pages != NULL)) { ++ percpu_counter_add(&cc->n_allocated_pages, 1 << order); + goto have_pages; ++ } ++decrease_order: + order--; + } + +@@ -1742,10 +1748,13 @@ static void crypt_free_buffer_pages(stru + + if (clone->bi_vcnt > 0) { /* bio_for_each_folio_all crashes with an empty bio */ + bio_for_each_folio_all(fi, clone) { +- if (folio_test_large(fi.folio)) ++ if (folio_test_large(fi.folio)) { ++ percpu_counter_sub(&cc->n_allocated_pages, ++ 1 << folio_order(fi.folio)); + folio_put(fi.folio); +- else ++ } else { + mempool_free(&fi.folio->page, &cc->page_pool); ++ } + } + } + } diff --git a/queue-6.5/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-signed-offset.patch b/queue-6.5/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-signed-offset.patch new file mode 100644 index 00000000000..54dff971053 --- /dev/null +++ b/queue-6.5/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-signed-offset.patch @@ -0,0 +1,34 @@ +From 8a32aa17c1cd48df1ddaa78e45abcb8c7a2220d6 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 27 Oct 2023 13:36:48 +0200 +Subject: fbdev: stifb: Make the STI next font pointer a 32-bit signed offset + +From: Helge Deller + +commit 8a32aa17c1cd48df1ddaa78e45abcb8c7a2220d6 upstream. + +The pointer to the next STI font is actually a signed 32-bit +offset. With this change the 64-bit kernel will correctly subract +the (signed 32-bit) offset instead of adding a (unsigned 32-bit) +offset. It has no effect on 32-bit kernels. + +This fixes the stifb driver with a 64-bit kernel on qemu. + +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/video/sticore.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/video/sticore.h ++++ b/include/video/sticore.h +@@ -232,7 +232,7 @@ struct sti_rom_font { + u8 height; + u8 font_type; /* language type */ + u8 bytes_per_char; +- u32 next_font; ++ s32 next_font; /* note: signed int */ + u8 underline_height; + u8 underline_pos; + u8 res008[2]; diff --git a/queue-6.5/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch b/queue-6.5/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch new file mode 100644 index 00000000000..dfdf5c0b461 --- /dev/null +++ b/queue-6.5/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch @@ -0,0 +1,82 @@ +From 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 Mon Sep 17 00:00:00 2001 +From: Herve Codina +Date: Tue, 24 Oct 2023 17:03:35 +0200 +Subject: genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware + +From: Herve Codina + +commit 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 upstream. + +irq_remove_generic_chip() calculates the Linux interrupt number for removing the +handler and interrupt chip based on gc::irq_base as a linear function of +the bit positions of set bits in the @msk argument. + +When the generic chip is present in an irq domain, i.e. created with a call +to irq_alloc_domain_generic_chips(), gc::irq_base contains not the base +Linux interrupt number. It contains the base hardware interrupt for this +chip. It is set to 0 for the first chip in the domain, 0 + N for the next +chip, where $N is the number of hardware interrupts per chip. + +That means the Linux interrupt number cannot be calculated based on +gc::irq_base for irqdomain based chips without a domain map lookup, which +is currently missing. + +Rework the code to take the irqdomain case into account and calculate the +Linux interrupt number by a irqdomain lookup of the domain specific +hardware interrupt number. + +[ tglx: Massage changelog. Reshuffle the logic and add a proper comment. ] + +Fixes: cfefd21e693d ("genirq: Add chip suspend and resume callbacks") +Signed-off-by: Herve Codina +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231024150335.322282-1-herve.codina@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/generic-chip.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/kernel/irq/generic-chip.c ++++ b/kernel/irq/generic-chip.c +@@ -544,21 +544,34 @@ EXPORT_SYMBOL_GPL(irq_setup_alt_chip); + void irq_remove_generic_chip(struct irq_chip_generic *gc, u32 msk, + unsigned int clr, unsigned int set) + { +- unsigned int i = gc->irq_base; ++ unsigned int i, virq; + + raw_spin_lock(&gc_lock); + list_del(&gc->list); + raw_spin_unlock(&gc_lock); + +- for (; msk; msk >>= 1, i++) { ++ for (i = 0; msk; msk >>= 1, i++) { + if (!(msk & 0x01)) + continue; + ++ /* ++ * Interrupt domain based chips store the base hardware ++ * interrupt number in gc::irq_base. Otherwise gc::irq_base ++ * contains the base Linux interrupt number. ++ */ ++ if (gc->domain) { ++ virq = irq_find_mapping(gc->domain, gc->irq_base + i); ++ if (!virq) ++ continue; ++ } else { ++ virq = gc->irq_base + i; ++ } ++ + /* Remove handler first. That will mask the irq line */ +- irq_set_handler(i, NULL); +- irq_set_chip(i, &no_irq_chip); +- irq_set_chip_data(i, NULL); +- irq_modify_status(i, clr, set); ++ irq_set_handler(virq, NULL); ++ irq_set_chip(virq, &no_irq_chip); ++ irq_set_chip_data(virq, NULL); ++ irq_modify_status(virq, clr, set); + } + } + EXPORT_SYMBOL_GPL(irq_remove_generic_chip); diff --git a/queue-6.5/iommufd-fix-missing-update-of-domains_itree-after-splitting-iopt_area.patch b/queue-6.5/iommufd-fix-missing-update-of-domains_itree-after-splitting-iopt_area.patch new file mode 100644 index 00000000000..94c9e7f3de7 --- /dev/null +++ b/queue-6.5/iommufd-fix-missing-update-of-domains_itree-after-splitting-iopt_area.patch @@ -0,0 +1,42 @@ +From e7250ab7ca4998fe026f2149805b03e09dc32498 Mon Sep 17 00:00:00 2001 +From: Koichiro Den +Date: Sat, 28 Oct 2023 01:29:42 +0900 +Subject: iommufd: Fix missing update of domains_itree after splitting iopt_area + +From: Koichiro Den + +commit e7250ab7ca4998fe026f2149805b03e09dc32498 upstream. + +In iopt_area_split(), if the original iopt_area has filled a domain and is +linked to domains_itree, pages_nodes have to be properly +reinserted. Otherwise the domains_itree becomes corrupted and we will UAF. + +Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping") +Link: https://lore.kernel.org/r/20231027162941.2864615-2-den@valinux.co.jp +Cc: stable@vger.kernel.org +Signed-off-by: Koichiro Den +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iommufd/io_pagetable.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/iommu/iommufd/io_pagetable.c ++++ b/drivers/iommu/iommufd/io_pagetable.c +@@ -1060,6 +1060,16 @@ static int iopt_area_split(struct iopt_a + if (WARN_ON(rc)) + goto err_remove_lhs; + ++ /* ++ * If the original area has filled a domain, domains_itree has to be ++ * updated. ++ */ ++ if (area->storage_domain) { ++ interval_tree_remove(&area->pages_node, &pages->domains_itree); ++ interval_tree_insert(&lhs->pages_node, &pages->domains_itree); ++ interval_tree_insert(&rhs->pages_node, &pages->domains_itree); ++ } ++ + lhs->storage_domain = area->storage_domain; + lhs->pages = area->pages; + rhs->storage_domain = area->storage_domain; diff --git a/queue-6.5/keys-trusted-rollback-init_trusted-consistently.patch b/queue-6.5/keys-trusted-rollback-init_trusted-consistently.patch new file mode 100644 index 00000000000..3c77ab31eb1 --- /dev/null +++ b/queue-6.5/keys-trusted-rollback-init_trusted-consistently.patch @@ -0,0 +1,54 @@ +From 31de287345f41bbfaec36a5c8cbdba035cf76442 Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Wed, 11 Oct 2023 02:08:25 +0300 +Subject: KEYS: trusted: Rollback init_trusted() consistently + +From: Jarkko Sakkinen + +commit 31de287345f41bbfaec36a5c8cbdba035cf76442 upstream. + +Do bind neither static calls nor trusted_key_exit() before a successful +init, in order to maintain a consistent state. In addition, depart the +init_trusted() in the case of a real error (i.e. getting back something +else than -ENODEV). + +Reported-by: Linus Torvalds +Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/ +Cc: stable@vger.kernel.org # v5.13+ +Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_core.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/security/keys/trusted-keys/trusted_core.c ++++ b/security/keys/trusted-keys/trusted_core.c +@@ -358,17 +358,17 @@ static int __init init_trusted(void) + if (!get_random) + get_random = kernel_get_random; + +- static_call_update(trusted_key_seal, +- trusted_key_sources[i].ops->seal); +- static_call_update(trusted_key_unseal, +- trusted_key_sources[i].ops->unseal); +- static_call_update(trusted_key_get_random, +- get_random); +- trusted_key_exit = trusted_key_sources[i].ops->exit; +- migratable = trusted_key_sources[i].ops->migratable; +- + ret = trusted_key_sources[i].ops->init(); +- if (!ret) ++ if (!ret) { ++ static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal); ++ static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal); ++ static_call_update(trusted_key_get_random, get_random); ++ ++ trusted_key_exit = trusted_key_sources[i].ops->exit; ++ migratable = trusted_key_sources[i].ops->migratable; ++ } ++ ++ if (!ret || ret != -ENODEV) + break; + } + diff --git a/queue-6.5/keys-trusted-tee-refactor-register-shm-usage.patch b/queue-6.5/keys-trusted-tee-refactor-register-shm-usage.patch new file mode 100644 index 00000000000..e1ef940d349 --- /dev/null +++ b/queue-6.5/keys-trusted-tee-refactor-register-shm-usage.patch @@ -0,0 +1,154 @@ +From c745cd1718b7825d69315fe7127e2e289e617598 Mon Sep 17 00:00:00 2001 +From: Sumit Garg +Date: Tue, 22 Aug 2023 16:59:33 +0530 +Subject: KEYS: trusted: tee: Refactor register SHM usage + +From: Sumit Garg + +commit c745cd1718b7825d69315fe7127e2e289e617598 upstream. + +The OP-TEE driver using the old SMC based ABI permits overlapping shared +buffers, but with the new FF-A based ABI each physical page may only +be registered once. + +As the key and blob buffer are allocated adjancently, there is no need +for redundant register shared memory invocation. Also, it is incompatibile +with FF-A based ABI limitation. So refactor register shared memory +implementation to use only single invocation to register both key and blob +buffers. + +[jarkko: Added cc to stable.] +Cc: stable@vger.kernel.org # v5.16+ +Fixes: 4615e5a34b95 ("optee: add FF-A support") +Reported-by: Jens Wiklander +Signed-off-by: Sumit Garg +Tested-by: Jens Wiklander +Reviewed-by: Jens Wiklander +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_tee.c | 64 +++++++++---------------------- + 1 file changed, 20 insertions(+), 44 deletions(-) + +--- a/security/keys/trusted-keys/trusted_tee.c ++++ b/security/keys/trusted-keys/trusted_tee.c +@@ -65,24 +65,16 @@ static int trusted_tee_seal(struct trust + int ret; + struct tee_ioctl_invoke_arg inv_arg; + struct tee_param param[4]; +- struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL; ++ struct tee_shm *reg_shm = NULL; + + memset(&inv_arg, 0, sizeof(inv_arg)); + memset(¶m, 0, sizeof(param)); + +- reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, +- p->key_len); +- if (IS_ERR(reg_shm_in)) { +- dev_err(pvt_data.dev, "key shm register failed\n"); +- return PTR_ERR(reg_shm_in); +- } +- +- reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob, +- sizeof(p->blob)); +- if (IS_ERR(reg_shm_out)) { +- dev_err(pvt_data.dev, "blob shm register failed\n"); +- ret = PTR_ERR(reg_shm_out); +- goto out; ++ reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, ++ sizeof(p->key) + sizeof(p->blob)); ++ if (IS_ERR(reg_shm)) { ++ dev_err(pvt_data.dev, "shm register failed\n"); ++ return PTR_ERR(reg_shm); + } + + inv_arg.func = TA_CMD_SEAL; +@@ -90,13 +82,13 @@ static int trusted_tee_seal(struct trust + inv_arg.num_params = 4; + + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT; +- param[0].u.memref.shm = reg_shm_in; ++ param[0].u.memref.shm = reg_shm; + param[0].u.memref.size = p->key_len; + param[0].u.memref.shm_offs = 0; + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT; +- param[1].u.memref.shm = reg_shm_out; ++ param[1].u.memref.shm = reg_shm; + param[1].u.memref.size = sizeof(p->blob); +- param[1].u.memref.shm_offs = 0; ++ param[1].u.memref.shm_offs = sizeof(p->key); + + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param); + if ((ret < 0) || (inv_arg.ret != 0)) { +@@ -107,11 +99,7 @@ static int trusted_tee_seal(struct trust + p->blob_len = param[1].u.memref.size; + } + +-out: +- if (reg_shm_out) +- tee_shm_free(reg_shm_out); +- if (reg_shm_in) +- tee_shm_free(reg_shm_in); ++ tee_shm_free(reg_shm); + + return ret; + } +@@ -124,24 +112,16 @@ static int trusted_tee_unseal(struct tru + int ret; + struct tee_ioctl_invoke_arg inv_arg; + struct tee_param param[4]; +- struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL; ++ struct tee_shm *reg_shm = NULL; + + memset(&inv_arg, 0, sizeof(inv_arg)); + memset(¶m, 0, sizeof(param)); + +- reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob, +- p->blob_len); +- if (IS_ERR(reg_shm_in)) { +- dev_err(pvt_data.dev, "blob shm register failed\n"); +- return PTR_ERR(reg_shm_in); +- } +- +- reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, +- sizeof(p->key)); +- if (IS_ERR(reg_shm_out)) { +- dev_err(pvt_data.dev, "key shm register failed\n"); +- ret = PTR_ERR(reg_shm_out); +- goto out; ++ reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key, ++ sizeof(p->key) + sizeof(p->blob)); ++ if (IS_ERR(reg_shm)) { ++ dev_err(pvt_data.dev, "shm register failed\n"); ++ return PTR_ERR(reg_shm); + } + + inv_arg.func = TA_CMD_UNSEAL; +@@ -149,11 +129,11 @@ static int trusted_tee_unseal(struct tru + inv_arg.num_params = 4; + + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT; +- param[0].u.memref.shm = reg_shm_in; ++ param[0].u.memref.shm = reg_shm; + param[0].u.memref.size = p->blob_len; +- param[0].u.memref.shm_offs = 0; ++ param[0].u.memref.shm_offs = sizeof(p->key); + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT; +- param[1].u.memref.shm = reg_shm_out; ++ param[1].u.memref.shm = reg_shm; + param[1].u.memref.size = sizeof(p->key); + param[1].u.memref.shm_offs = 0; + +@@ -166,11 +146,7 @@ static int trusted_tee_unseal(struct tru + p->key_len = param[1].u.memref.size; + } + +-out: +- if (reg_shm_out) +- tee_shm_free(reg_shm_out); +- if (reg_shm_in) +- tee_shm_free(reg_shm_in); ++ tee_shm_free(reg_shm); + + return ret; + } diff --git a/queue-6.5/mm-damon-core-avoid-divide-by-zero-during-monitoring-results-update.patch b/queue-6.5/mm-damon-core-avoid-divide-by-zero-during-monitoring-results-update.patch new file mode 100644 index 00000000000..a1207586f6d --- /dev/null +++ b/queue-6.5/mm-damon-core-avoid-divide-by-zero-during-monitoring-results-update.patch @@ -0,0 +1,52 @@ +From d35963bfb05877455228ecec6b194f624489f96a Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Oct 2023 19:49:21 +0000 +Subject: mm/damon/core: avoid divide-by-zero during monitoring results update + +From: SeongJae Park + +commit d35963bfb05877455228ecec6b194f624489f96a upstream. + +When monitoring attributes are changed, DAMON updates access rate of the +monitoring results accordingly. For that, it divides some values by the +maximum nr_accesses. However, due to the type of the related variables, +simple division-based calculation of the divisor can return zero. As a +result, divide-by-zero is possible. Fix it by using +damon_max_nr_accesses(), which handles the case. + +Link: https://lkml.kernel.org/r/20231019194924.100347-3-sj@kernel.org +Fixes: 2f5bef5a590b ("mm/damon/core: update monitoring results for new monitoring attributes") +Signed-off-by: SeongJae Park +Reported-by: Jakub Acs +Cc: [6.3+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/core.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/mm/damon/core.c ++++ b/mm/damon/core.c +@@ -476,20 +476,14 @@ static unsigned int damon_age_for_new_at + static unsigned int damon_accesses_bp_to_nr_accesses( + unsigned int accesses_bp, struct damon_attrs *attrs) + { +- unsigned int max_nr_accesses = +- attrs->aggr_interval / attrs->sample_interval; +- +- return accesses_bp * max_nr_accesses / 10000; ++ return accesses_bp * damon_max_nr_accesses(attrs) / 10000; + } + + /* convert nr_accesses to access ratio in bp (per 10,000) */ + static unsigned int damon_nr_accesses_to_accesses_bp( + unsigned int nr_accesses, struct damon_attrs *attrs) + { +- unsigned int max_nr_accesses = +- attrs->aggr_interval / attrs->sample_interval; +- +- return nr_accesses * 10000 / max_nr_accesses; ++ return nr_accesses * 10000 / damon_max_nr_accesses(attrs); + } + + static unsigned int damon_nr_accesses_for_new_attrs(unsigned int nr_accesses, diff --git a/queue-6.5/mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch b/queue-6.5/mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch new file mode 100644 index 00000000000..c5761e35f25 --- /dev/null +++ b/queue-6.5/mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch @@ -0,0 +1,72 @@ +From 35f5d94187a6a3a8df2cba54beccca1c2379edb8 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Oct 2023 19:49:20 +0000 +Subject: mm/damon: implement a function for max nr_accesses safe calculation + +From: SeongJae Park + +commit 35f5d94187a6a3a8df2cba54beccca1c2379edb8 upstream. + +Patch series "avoid divide-by-zero due to max_nr_accesses overflow". + +The maximum nr_accesses of given DAMON context can be calculated by +dividing the aggregation interval by the sampling interval. Some logics +in DAMON uses the maximum nr_accesses as a divisor. Hence, the value +shouldn't be zero. Such case is avoided since DAMON avoids setting the +agregation interval as samller than the sampling interval. However, since +nr_accesses is unsigned int while the intervals are unsigned long, the +maximum nr_accesses could be zero while casting. + +Avoid the divide-by-zero by implementing a function that handles the +corner case (first patch), and replaces the vulnerable direct max +nr_accesses calculations (remaining patches). + +Note that the patches for the replacements are divided for broken commits, +to make backporting on required tres easier. Especially, the last patch +is for a patch that not yet merged into the mainline but in mm tree. + + +This patch (of 4): + +The maximum nr_accesses of given DAMON context can be calculated by +dividing the aggregation interval by the sampling interval. Some logics +in DAMON uses the maximum nr_accesses as a divisor. Hence, the value +shouldn't be zero. Such case is avoided since DAMON avoids setting the +agregation interval as samller than the sampling interval. However, since +nr_accesses is unsigned int while the intervals are unsigned long, the +maximum nr_accesses could be zero while casting. Implement a function +that handles the corner case. + +Note that this commit is not fixing the real issue since this is only +introducing the safe function that will replaces the problematic +divisions. The replacements will be made by followup commits, to make +backporting on stable series easier. + +Link: https://lkml.kernel.org/r/20231019194924.100347-1-sj@kernel.org +Link: https://lkml.kernel.org/r/20231019194924.100347-2-sj@kernel.org +Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization") +Signed-off-by: SeongJae Park +Reported-by: Jakub Acs +Cc: [5.16+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/damon.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/include/linux/damon.h ++++ b/include/linux/damon.h +@@ -626,6 +626,13 @@ static inline bool damon_target_has_pid( + return ctx->ops.id == DAMON_OPS_VADDR || ctx->ops.id == DAMON_OPS_FVADDR; + } + ++static inline unsigned int damon_max_nr_accesses(const struct damon_attrs *attrs) ++{ ++ /* {aggr,sample}_interval are unsigned long, hence could overflow */ ++ return min(attrs->aggr_interval / attrs->sample_interval, ++ (unsigned long)UINT_MAX); ++} ++ + + int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive); + int damon_stop(struct damon_ctx **ctxs, int nr_ctxs); diff --git a/queue-6.5/mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch b/queue-6.5/mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch new file mode 100644 index 00000000000..bfdb7577c40 --- /dev/null +++ b/queue-6.5/mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch @@ -0,0 +1,40 @@ +From 44063f125af4bb4efd1d500d8091fa33a98af325 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Oct 2023 19:49:23 +0000 +Subject: mm/damon/lru_sort: avoid divide-by-zero in hot threshold calculation + +From: SeongJae Park + +commit 44063f125af4bb4efd1d500d8091fa33a98af325 upstream. + +When calculating the hotness threshold for lru_prio scheme of +DAMON_LRU_SORT, the module divides some values by the maximum nr_accesses. +However, due to the type of the related variables, simple division-based +calculation of the divisor can return zero. As a result, divide-by-zero +is possible. Fix it by using damon_max_nr_accesses(), which handles the +case. + +Link: https://lkml.kernel.org/r/20231019194924.100347-5-sj@kernel.org +Fixes: 40e983cca927 ("mm/damon: introduce DAMON-based LRU-lists Sorting") +Signed-off-by: SeongJae Park +Reported-by: Jakub Acs +Cc: [6.0+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/lru_sort.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/mm/damon/lru_sort.c ++++ b/mm/damon/lru_sort.c +@@ -193,9 +193,7 @@ static int damon_lru_sort_apply_paramete + if (err) + return err; + +- /* aggr_interval / sample_interval is the maximum nr_accesses */ +- hot_thres = damon_lru_sort_mon_attrs.aggr_interval / +- damon_lru_sort_mon_attrs.sample_interval * ++ hot_thres = damon_max_nr_accesses(&damon_lru_sort_mon_attrs) * + hot_thres_access_freq / 1000; + scheme = damon_lru_sort_new_hot_scheme(hot_thres); + if (!scheme) diff --git a/queue-6.5/mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch b/queue-6.5/mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch new file mode 100644 index 00000000000..bcdda09897a --- /dev/null +++ b/queue-6.5/mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch @@ -0,0 +1,48 @@ +From 3bafc47d3c4a2fc4d3b382aeb3c087f8fc84d9fd Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Oct 2023 19:49:22 +0000 +Subject: mm/damon/ops-common: avoid divide-by-zero during region hotness calculation + +From: SeongJae Park + +commit 3bafc47d3c4a2fc4d3b382aeb3c087f8fc84d9fd upstream. + +When calculating the hotness of each region for the under-quota regions +prioritization, DAMON divides some values by the maximum nr_accesses. +However, due to the type of the related variables, simple division-based +calculation of the divisor can return zero. As a result, divide-by-zero +is possible. Fix it by using damon_max_nr_accesses(), which handles the +case. + +Link: https://lkml.kernel.org/r/20231019194924.100347-4-sj@kernel.org +Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization") +Signed-off-by: SeongJae Park +Reported-by: Jakub Acs +Cc: [5.16+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/ops-common.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/mm/damon/ops-common.c ++++ b/mm/damon/ops-common.c +@@ -73,7 +73,6 @@ void damon_pmdp_mkold(pmd_t *pmd, struct + int damon_hot_score(struct damon_ctx *c, struct damon_region *r, + struct damos *s) + { +- unsigned int max_nr_accesses; + int freq_subscore; + unsigned int age_in_sec; + int age_in_log, age_subscore; +@@ -81,8 +80,8 @@ int damon_hot_score(struct damon_ctx *c, + unsigned int age_weight = s->quota.weight_age; + int hotness; + +- max_nr_accesses = c->attrs.aggr_interval / c->attrs.sample_interval; +- freq_subscore = r->nr_accesses * DAMON_MAX_SUBSCORE / max_nr_accesses; ++ freq_subscore = r->nr_accesses * DAMON_MAX_SUBSCORE / ++ damon_max_nr_accesses(&c->attrs); + + age_in_sec = (unsigned long)r->age * c->attrs.aggr_interval / 1000000; + for (age_in_log = 0; age_in_log < DAMON_MAX_AGE_IN_LOG && age_in_sec; diff --git a/queue-6.5/mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch b/queue-6.5/mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch new file mode 100644 index 00000000000..970436d379b --- /dev/null +++ b/queue-6.5/mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch @@ -0,0 +1,49 @@ +From b4936b544b08ed44949055b92bd25f77759ebafc Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 6 Nov 2023 23:34:06 +0000 +Subject: mm/damon/sysfs: check error from damon_sysfs_update_target() + +From: SeongJae Park + +commit b4936b544b08ed44949055b92bd25f77759ebafc upstream. + +Patch series "mm/damon/sysfs: fix unhandled return values". + +Some of DAMON sysfs interface code is not handling return values from some +functions. As a result, confusing user input handling or NULL-dereference +is possible. Check those properly. + + +This patch (of 3): + +damon_sysfs_update_target() returns error code for failures, but its +caller, damon_sysfs_set_targets() is ignoring that. The update function +seems making no critical change in case of such failures, but the behavior +will look like DAMON sysfs is silently ignoring or only partially +accepting the user input. Fix it. + +Link: https://lkml.kernel.org/r/20231106233408.51159-1-sj@kernel.org +Link: https://lkml.kernel.org/r/20231106233408.51159-2-sj@kernel.org +Fixes: 19467a950b49 ("mm/damon/sysfs: remove requested targets when online-commit inputs") +Signed-off-by: SeongJae Park +Cc: [5.19+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/damon/sysfs.c ++++ b/mm/damon/sysfs.c +@@ -1197,8 +1197,10 @@ static int damon_sysfs_set_targets(struc + + damon_for_each_target_safe(t, next, ctx) { + if (i < sysfs_targets->nr) { +- damon_sysfs_update_target(t, ctx, ++ err = damon_sysfs_update_target(t, ctx, + sysfs_targets->targets_arr[i]); ++ if (err) ++ return err; + } else { + if (damon_target_has_pid(ctx)) + put_pid(t->pid); diff --git a/queue-6.5/mm-damon-sysfs-schemes-handle-tried-region-directory-allocation-failure.patch b/queue-6.5/mm-damon-sysfs-schemes-handle-tried-region-directory-allocation-failure.patch new file mode 100644 index 00000000000..83f2715df93 --- /dev/null +++ b/queue-6.5/mm-damon-sysfs-schemes-handle-tried-region-directory-allocation-failure.patch @@ -0,0 +1,36 @@ +From ae636ae2bbfd9279f5681dbf320d1da817e52b68 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 6 Nov 2023 23:34:08 +0000 +Subject: mm/damon/sysfs-schemes: handle tried region directory allocation failure + +From: SeongJae Park + +commit ae636ae2bbfd9279f5681dbf320d1da817e52b68 upstream. + +DAMON sysfs interface's before_damos_apply callback +(damon_sysfs_before_damos_apply()), which creates the DAMOS tried regions +for each DAMOS action applied region, is not handling the allocation +failure for the sysfs directory data. As a result, NULL pointer +derefeence is possible. Fix it by handling the case. + +Link: https://lkml.kernel.org/r/20231106233408.51159-4-sj@kernel.org +Fixes: f1d13cacabe1 ("mm/damon/sysfs: implement DAMOS tried regions update command") +Signed-off-by: SeongJae Park +Cc: [6.2+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -1649,6 +1649,8 @@ static int damon_sysfs_before_damos_appl + + sysfs_regions = sysfs_schemes->schemes_arr[schemes_idx]->tried_regions; + region = damon_sysfs_scheme_region_alloc(r); ++ if (!region) ++ return 0; + list_add_tail(®ion->list, &sysfs_regions->regions_list); + sysfs_regions->nr_regions++; + if (kobject_init_and_add(®ion->kobj, diff --git a/queue-6.5/mm-damon-sysfs-schemes-handle-tried-regions-sysfs-directory-allocation-failure.patch b/queue-6.5/mm-damon-sysfs-schemes-handle-tried-regions-sysfs-directory-allocation-failure.patch new file mode 100644 index 00000000000..5a7b8b9086d --- /dev/null +++ b/queue-6.5/mm-damon-sysfs-schemes-handle-tried-regions-sysfs-directory-allocation-failure.patch @@ -0,0 +1,36 @@ +From 84055688b6bc075c92a88e2d6c3ad26ab93919f9 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 6 Nov 2023 23:34:07 +0000 +Subject: mm/damon/sysfs-schemes: handle tried regions sysfs directory allocation failure + +From: SeongJae Park + +commit 84055688b6bc075c92a88e2d6c3ad26ab93919f9 upstream. + +DAMOS tried regions sysfs directory allocation function +(damon_sysfs_scheme_regions_alloc()) is not handling the memory allocation +failure. In the case, the code will dereference NULL pointer. Handle the +failure to avoid such invalid access. + +Link: https://lkml.kernel.org/r/20231106233408.51159-3-sj@kernel.org +Fixes: 9277d0367ba1 ("mm/damon/sysfs-schemes: implement scheme region directory") +Signed-off-by: SeongJae Park +Cc: [6.2+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -125,6 +125,9 @@ damon_sysfs_scheme_regions_alloc(void) + struct damon_sysfs_scheme_regions *regions = kmalloc(sizeof(*regions), + GFP_KERNEL); + ++ if (!regions) ++ return NULL; ++ + regions->kobj = (struct kobject){}; + INIT_LIST_HEAD(®ions->regions_list); + regions->nr_regions = 0; diff --git a/queue-6.5/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch b/queue-6.5/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch new file mode 100644 index 00000000000..0ea384823f7 --- /dev/null +++ b/queue-6.5/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch @@ -0,0 +1,36 @@ +From 57925e16c9f7d18012bcf45bfa658f92c087981a Mon Sep 17 00:00:00 2001 +From: Rong Chen +Date: Thu, 26 Oct 2023 15:31:56 +0800 +Subject: mmc: meson-gx: Remove setting of CMD_CFG_ERROR + +From: Rong Chen + +commit 57925e16c9f7d18012bcf45bfa658f92c087981a upstream. + +For the t7 and older SoC families, the CMD_CFG_ERROR has no effect. +Starting from SoC family C3, setting this bit without SG LINK data +address will cause the controller to generate an IRQ and stop working. + +To fix it, don't set the bit CMD_CFG_ERROR anymore. + +Fixes: 18f92bc02f17 ("mmc: meson-gx: make sure the descriptor is stopped on errors") +Signed-off-by: Rong Chen +Reviewed-by: Jerome Brunet +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231026073156.2868310-1-rong.chen@amlogic.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/meson-gx-mmc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -801,7 +801,6 @@ static void meson_mmc_start_cmd(struct m + + cmd_cfg |= FIELD_PREP(CMD_CFG_CMD_INDEX_MASK, cmd->opcode); + cmd_cfg |= CMD_CFG_OWNER; /* owned by CPU */ +- cmd_cfg |= CMD_CFG_ERROR; /* stop in case of error */ + + meson_mmc_set_response_bits(cmd, &cmd_cfg); + diff --git a/queue-6.5/parisc-add-nop-instructions-after-tlb-inserts.patch b/queue-6.5/parisc-add-nop-instructions-after-tlb-inserts.patch new file mode 100644 index 00000000000..eba90d53d8e --- /dev/null +++ b/queue-6.5/parisc-add-nop-instructions-after-tlb-inserts.patch @@ -0,0 +1,304 @@ +From ad4aa06e1d92b06ed56c7240252927bd60632efe Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Fri, 20 Oct 2023 20:49:07 +0000 +Subject: parisc: Add nop instructions after TLB inserts + +From: John David Anglin + +commit ad4aa06e1d92b06ed56c7240252927bd60632efe upstream. + +An excerpt from the PA8800 ERS states: + +* The PA8800 violates the seven instruction pipeline rule when performing + TLB inserts or PxTLBE instructions with the PSW C bit on. The instruction + will take effect by the 12th instruction after the insert or purge. + +I believe we have a problem with handling TLB misses. We don't fill +the pipeline following TLB inserts. As a result, we likely fault again +after returning from the interruption. + +The above statement indicates that we need at least seven instructions +after the insert on pre PA8800 processors and we need 12 instructions +on PA8800/PA8900 processors. + +Here we add macros and code to provide the required number instructions +after a TLB insert. + +Signed-off-by: John David Anglin +Suggested-by: Helge Deller +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 81 ++++++++++++++++++++++++++++----------------- + 1 file changed, 52 insertions(+), 29 deletions(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -36,6 +36,24 @@ + .level 2.0 + #endif + ++/* ++ * We need seven instructions after a TLB insert for it to take effect. ++ * The PA8800/PA8900 processors are an exception and need 12 instructions. ++ * The RFI changes both IAOQ_Back and IAOQ_Front, so it counts as one. ++ */ ++#ifdef CONFIG_64BIT ++#define NUM_PIPELINE_INSNS 12 ++#else ++#define NUM_PIPELINE_INSNS 7 ++#endif ++ ++ /* Insert num nops */ ++ .macro insert_nops num ++ .rept \num ++ nop ++ .endr ++ .endm ++ + /* Get aligned page_table_lock address for this mm from cr28/tr4 */ + .macro get_ptl reg + mfctl %cr28,\reg +@@ -415,24 +433,20 @@ + 3: + .endm + +- /* Release page_table_lock without reloading lock address. +- We use an ordered store to ensure all prior accesses are +- performed prior to releasing the lock. */ +- .macro ptl_unlock0 spc,tmp,tmp2 ++ /* Release page_table_lock if for user space. We use an ordered ++ store to ensure all prior accesses are performed prior to ++ releasing the lock. Note stw may not be executed, so we ++ provide one extra nop when CONFIG_TLB_PTLOCK is defined. */ ++ .macro ptl_unlock spc,tmp,tmp2 + #ifdef CONFIG_TLB_PTLOCK +-98: ldi __ARCH_SPIN_LOCK_UNLOCKED_VAL, \tmp2 ++98: get_ptl \tmp ++ ldi __ARCH_SPIN_LOCK_UNLOCKED_VAL, \tmp2 + or,COND(=) %r0,\spc,%r0 + stw,ma \tmp2,0(\tmp) + 99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) +-#endif +- .endm +- +- /* Release page_table_lock. */ +- .macro ptl_unlock1 spc,tmp,tmp2 +-#ifdef CONFIG_TLB_PTLOCK +-98: get_ptl \tmp +- ptl_unlock0 \spc,\tmp,\tmp2 +-99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) ++ insert_nops NUM_PIPELINE_INSNS - 4 ++#else ++ insert_nops NUM_PIPELINE_INSNS - 1 + #endif + .endm + +@@ -1124,7 +1138,7 @@ dtlb_miss_20w: + + idtlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1133,6 +1147,7 @@ dtlb_check_alias_20w: + + idtlbt pte,prot + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1150,7 +1165,7 @@ nadtlb_miss_20w: + + idtlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1159,6 +1174,7 @@ nadtlb_check_alias_20w: + + idtlbt pte,prot + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1184,7 +1200,7 @@ dtlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1194,6 +1210,7 @@ dtlb_check_alias_11: + idtlba pte,(va) + idtlbp prot,(va) + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1217,7 +1234,7 @@ nadtlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1227,6 +1244,7 @@ nadtlb_check_alias_11: + idtlba pte,(va) + idtlbp prot,(va) + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1246,7 +1264,7 @@ dtlb_miss_20: + + idtlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1255,6 +1273,7 @@ dtlb_check_alias_20: + + idtlbt pte,prot + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1274,7 +1293,7 @@ nadtlb_miss_20: + + idtlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1283,6 +1302,7 @@ nadtlb_check_alias_20: + + idtlbt pte,prot + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1319,7 +1339,7 @@ itlb_miss_20w: + + iitlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1343,7 +1363,7 @@ naitlb_miss_20w: + + iitlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1352,6 +1372,7 @@ naitlb_check_alias_20w: + + iitlbt pte,prot + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1377,7 +1398,7 @@ itlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1401,7 +1422,7 @@ naitlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1411,6 +1432,7 @@ naitlb_check_alias_11: + iitlba pte,(%sr0, va) + iitlbp prot,(%sr0, va) + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1431,7 +1453,7 @@ itlb_miss_20: + + iitlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1451,7 +1473,7 @@ naitlb_miss_20: + + iitlbt pte,prot + +- ptl_unlock1 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1460,6 +1482,7 @@ naitlb_check_alias_20: + + iitlbt pte,prot + ++ insert_nops NUM_PIPELINE_INSNS - 1 + rfir + nop + +@@ -1481,7 +1504,7 @@ dbit_trap_20w: + + idtlbt pte,prot + +- ptl_unlock0 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + #else +@@ -1507,7 +1530,7 @@ dbit_trap_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- ptl_unlock0 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + +@@ -1527,7 +1550,7 @@ dbit_trap_20: + + idtlbt pte,prot + +- ptl_unlock0 spc,t0,t1 ++ ptl_unlock spc,t0,t1 + rfir + nop + #endif diff --git a/queue-6.5/pci-keystone-don-t-discard-.probe-callback.patch b/queue-6.5/pci-keystone-don-t-discard-.probe-callback.patch new file mode 100644 index 00000000000..5f96aed5507 --- /dev/null +++ b/queue-6.5/pci-keystone-don-t-discard-.probe-callback.patch @@ -0,0 +1,51 @@ +From 7994db905c0fd692cf04c527585f08a91b560144 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Sun, 1 Oct 2023 19:02:54 +0200 +Subject: PCI: keystone: Don't discard .probe() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 7994db905c0fd692cf04c527585f08a91b560144 upstream. + +The __init annotation makes the ks_pcie_probe() function disappear after +booting completes. However a device can also be bound later. In that case, +we try to call ks_pcie_probe(), but the backing memory is likely already +overwritten. + +The right thing to do is do always have the probe callback available. Note +that the (wrong) __refdata annotation prevented this issue to be noticed by +modpost. + +Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver") +Link: https://lore.kernel.org/r/20231001170254.2506508-5-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pci-keystone.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -1101,7 +1101,7 @@ static const struct of_device_id ks_pcie + { }, + }; + +-static int __init ks_pcie_probe(struct platform_device *pdev) ++static int ks_pcie_probe(struct platform_device *pdev) + { + const struct dw_pcie_host_ops *host_ops; + const struct dw_pcie_ep_ops *ep_ops; +@@ -1319,7 +1319,7 @@ static int ks_pcie_remove(struct platfor + return 0; + } + +-static struct platform_driver ks_pcie_driver __refdata = { ++static struct platform_driver ks_pcie_driver = { + .probe = ks_pcie_probe, + .remove = ks_pcie_remove, + .driver = { diff --git a/queue-6.5/pci-keystone-don-t-discard-.remove-callback.patch b/queue-6.5/pci-keystone-don-t-discard-.remove-callback.patch new file mode 100644 index 00000000000..bc102e408b6 --- /dev/null +++ b/queue-6.5/pci-keystone-don-t-discard-.remove-callback.patch @@ -0,0 +1,52 @@ +From 200bddbb3f5202bbce96444fdc416305de14f547 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Sun, 1 Oct 2023 19:02:53 +0200 +Subject: PCI: keystone: Don't discard .remove() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 200bddbb3f5202bbce96444fdc416305de14f547 upstream. + +With CONFIG_PCIE_KEYSTONE=y and ks_pcie_remove() marked with __exit, the +function is discarded from the driver. In this case a bound device can +still get unbound, e.g via sysfs. Then no cleanup code is run resulting in +resource leaks or worse. + +The right thing to do is do always have the remove callback available. +Note that this driver cannot be compiled as a module, so ks_pcie_remove() +was always discarded before this change and modpost couldn't warn about +this issue. Furthermore the __ref annotation also prevents a warning. + +Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver") +Link: https://lore.kernel.org/r/20231001170254.2506508-4-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pci-keystone.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -1303,7 +1303,7 @@ err_link: + return ret; + } + +-static int __exit ks_pcie_remove(struct platform_device *pdev) ++static int ks_pcie_remove(struct platform_device *pdev) + { + struct keystone_pcie *ks_pcie = platform_get_drvdata(pdev); + struct device_link **link = ks_pcie->link; +@@ -1321,7 +1321,7 @@ static int __exit ks_pcie_remove(struct + + static struct platform_driver ks_pcie_driver __refdata = { + .probe = ks_pcie_probe, +- .remove = __exit_p(ks_pcie_remove), ++ .remove = ks_pcie_remove, + .driver = { + .name = "keystone-pcie", + .of_match_table = ks_pcie_of_match, diff --git a/queue-6.5/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch b/queue-6.5/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch new file mode 100644 index 00000000000..3ccc2ccb728 --- /dev/null +++ b/queue-6.5/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch @@ -0,0 +1,90 @@ +From 0ec7731655de196bc1e4af99e495b38778109d22 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Thu, 26 Oct 2023 16:49:19 +0100 +Subject: regmap: Ensure range selector registers are updated after cache sync + +From: Mark Brown + +commit 0ec7731655de196bc1e4af99e495b38778109d22 upstream. + +When we sync the register cache we do so with the cache bypassed in order +to avoid overhead from writing the synced values back into the cache. If +the regmap has ranges and the selector register for those ranges is in a +register which is cached this has the unfortunate side effect of meaning +that the physical and cached copies of the selector register can be out of +sync after a cache sync. The cache will have whatever the selector was when +the sync started and the hardware will have the selector for the register +that was synced last. + +Fix this by rewriting all cached selector registers after every sync, +ensuring that the hardware and cache have the same content. This will +result in extra writes that wouldn't otherwise be needed but is simple +so hopefully robust. We don't read from the hardware since not all +devices have physical read support. + +Given that nobody noticed this until now it is likely that we are rarely if +ever hitting this case. + +Reported-by: Hector Martin +Cc: stable@vger.kernel.org +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20231026-regmap-fix-selector-sync-v1-1-633ded82770d@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regcache.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -334,6 +334,11 @@ static int regcache_default_sync(struct + return 0; + } + ++static int rbtree_all(const void *key, const struct rb_node *node) ++{ ++ return 0; ++} ++ + /** + * regcache_sync - Sync the register cache with the hardware. + * +@@ -351,6 +356,7 @@ int regcache_sync(struct regmap *map) + unsigned int i; + const char *name; + bool bypass; ++ struct rb_node *node; + + if (WARN_ON(map->cache_type == REGCACHE_NONE)) + return -EINVAL; +@@ -392,6 +398,30 @@ out: + /* Restore the bypass state */ + map->cache_bypass = bypass; + map->no_sync_defaults = false; ++ ++ /* ++ * If we did any paging with cache bypassed and a cached ++ * paging register then the register and cache state might ++ * have gone out of sync, force writes of all the paging ++ * registers. ++ */ ++ rb_for_each(node, 0, &map->range_tree, rbtree_all) { ++ struct regmap_range_node *this = ++ rb_entry(node, struct regmap_range_node, node); ++ ++ /* If there's nothing in the cache there's nothing to sync */ ++ ret = regcache_read(map, this->selector_reg, &i); ++ if (ret != 0) ++ continue; ++ ++ ret = _regmap_write(map, this->selector_reg, i); ++ if (ret != 0) { ++ dev_err(map->dev, "Failed to write %x = %x: %d\n", ++ this->selector_reg, i, ret); ++ break; ++ } ++ } ++ + map->unlock(map->lock_arg); + + regmap_async_complete(map); diff --git a/queue-6.5/sched-core-fix-rqcf_act_skip-leak.patch b/queue-6.5/sched-core-fix-rqcf_act_skip-leak.patch new file mode 100644 index 00000000000..8c5a8e5ebff --- /dev/null +++ b/queue-6.5/sched-core-fix-rqcf_act_skip-leak.patch @@ -0,0 +1,78 @@ +From 5ebde09d91707a4a9bec1e3d213e3c12ffde348f Mon Sep 17 00:00:00 2001 +From: Hao Jia +Date: Thu, 12 Oct 2023 17:00:03 +0800 +Subject: sched/core: Fix RQCF_ACT_SKIP leak + +From: Hao Jia + +commit 5ebde09d91707a4a9bec1e3d213e3c12ffde348f upstream. + +Igor Raits and Bagas Sanjaya report a RQCF_ACT_SKIP leak warning. + +This warning may be triggered in the following situations: + + CPU0 CPU1 + +__schedule() + *rq->clock_update_flags <<= 1;* unregister_fair_sched_group() + pick_next_task_fair+0x4a/0x410 destroy_cfs_bandwidth() + newidle_balance+0x115/0x3e0 for_each_possible_cpu(i) *i=0* + rq_unpin_lock(this_rq, rf) __cfsb_csd_unthrottle() + raw_spin_rq_unlock(this_rq) + rq_lock(*CPU0_rq*, &rf) + rq_clock_start_loop_update() + rq->clock_update_flags & RQCF_ACT_SKIP <-- + raw_spin_rq_lock(this_rq) + +The purpose of RQCF_ACT_SKIP is to skip the update rq clock, +but the update is very early in __schedule(), but we clear +RQCF_*_SKIP very late, causing it to span that gap above +and triggering this warning. + +In __schedule() we can clear the RQCF_*_SKIP flag immediately +after update_rq_clock() to avoid this RQCF_ACT_SKIP leak warning. +And set rq->clock_update_flags to RQCF_UPDATED to avoid +rq->clock_update_flags < RQCF_ACT_SKIP warning that may be triggered later. + +Fixes: ebb83d84e49b ("sched/core: Avoid multiple calling update_rq_clock() in __cfsb_csd_unthrottle()") +Closes: https://lore.kernel.org/all/20230913082424.73252-1-jiahao.os@bytedance.com +Reported-by: Igor Raits +Reported-by: Bagas Sanjaya +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Hao Jia +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/a5dd536d-041a-2ce9-f4b7-64d8d85c86dc@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5377,8 +5377,6 @@ context_switch(struct rq *rq, struct tas + /* switch_mm_cid() requires the memory barriers above. */ + switch_mm_cid(rq, prev, next); + +- rq->clock_update_flags &= ~(RQCF_ACT_SKIP|RQCF_REQ_SKIP); +- + prepare_lock_switch(rq, next, rf); + + /* Here we just switch the register state and the stack. */ +@@ -6634,6 +6632,7 @@ static void __sched notrace __schedule(u + /* Promote REQ to ACT */ + rq->clock_update_flags <<= 1; + update_rq_clock(rq); ++ rq->clock_update_flags = RQCF_UPDATED; + + switch_count = &prev->nivcsw; + +@@ -6713,8 +6712,6 @@ static void __sched notrace __schedule(u + /* Also unlocks the rq: */ + rq = context_switch(rq, prev, next, &rf); + } else { +- rq->clock_update_flags &= ~(RQCF_ACT_SKIP|RQCF_REQ_SKIP); +- + rq_unpin_lock(rq, &rf); + __balance_callbacks(rq); + raw_spin_rq_unlock_irq(rq); diff --git a/queue-6.5/series b/queue-6.5/series index d3fd72e698c..1995a9230d5 100644 --- a/queue-6.5/series +++ b/queue-6.5/series @@ -256,3 +256,30 @@ hvc-xen-fix-event-channel-handling-for-secondary-consoles.patch pci-sysfs-protect-driver-s-d3cold-preference-from-user-space.patch mm-damon-sysfs-remove-requested-targets-when-online-commit-inputs.patch mm-damon-sysfs-update-monitoring-target-regions-for-online-input-commit.patch +watchdog-move-softlockup_panic-back-to-early_param.patch +iommufd-fix-missing-update-of-domains_itree-after-splitting-iopt_area.patch +fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-signed-offset.patch +dm-crypt-account-large-pages-in-cc-n_allocated_pages.patch +mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch +mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch +mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch +mm-damon-core-avoid-divide-by-zero-during-monitoring-results-update.patch +mm-damon-sysfs-schemes-handle-tried-region-directory-allocation-failure.patch +mm-damon-sysfs-schemes-handle-tried-regions-sysfs-directory-allocation-failure.patch +mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch +parisc-add-nop-instructions-after-tlb-inserts.patch +acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch +regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch +wifi-ath11k-fix-temperature-event-locking.patch +wifi-ath11k-fix-dfs-radar-event-locking.patch +wifi-ath11k-fix-htt-pktlog-locking.patch +wifi-ath11k-fix-gtk-offload-status-event-locking.patch +wifi-ath12k-fix-htt-mlo-offset-event-locking.patch +wifi-ath12k-fix-dfs-radar-and-temperature-event-locking.patch +mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch +genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch +sched-core-fix-rqcf_act_skip-leak.patch +keys-trusted-tee-refactor-register-shm-usage.patch +keys-trusted-rollback-init_trusted-consistently.patch +pci-keystone-don-t-discard-.remove-callback.patch +pci-keystone-don-t-discard-.probe-callback.patch diff --git a/queue-6.5/watchdog-move-softlockup_panic-back-to-early_param.patch b/queue-6.5/watchdog-move-softlockup_panic-back-to-early_param.patch new file mode 100644 index 00000000000..15dfb0df032 --- /dev/null +++ b/queue-6.5/watchdog-move-softlockup_panic-back-to-early_param.patch @@ -0,0 +1,55 @@ +From 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb Mon Sep 17 00:00:00 2001 +From: Krister Johansen +Date: Fri, 27 Oct 2023 14:46:53 -0700 +Subject: watchdog: move softlockup_panic back to early_param + +From: Krister Johansen + +commit 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb upstream. + +Setting softlockup_panic from do_sysctl_args() causes it to take effect +later in boot. The lockup detector is enabled before SMP is brought +online, but do_sysctl_args runs afterwards. If a user wants to set +softlockup_panic on boot and have it trigger should a softlockup occur +during onlining of the non-boot processors, they could do this prior to +commit f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot +parameters to sysctl aliases"). However, after this commit the value +of softlockup_panic is set too late to be of help for this type of +problem. Restore the prior behavior. + +Signed-off-by: Krister Johansen +Cc: stable@vger.kernel.org +Fixes: f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot parameters to sysctl aliases") +Signed-off-by: Luis Chamberlain +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/proc_sysctl.c | 1 - + kernel/watchdog.c | 7 +++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1574,7 +1574,6 @@ static const struct sysctl_alias sysctl_ + {"hung_task_panic", "kernel.hung_task_panic" }, + {"numa_zonelist_order", "vm.numa_zonelist_order" }, + {"softlockup_all_cpu_backtrace", "kernel.softlockup_all_cpu_backtrace" }, +- {"softlockup_panic", "kernel.softlockup_panic" }, + { } + }; + +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -283,6 +283,13 @@ static DEFINE_PER_CPU(struct hrtimer, wa + static DEFINE_PER_CPU(bool, softlockup_touch_sync); + static unsigned long soft_lockup_nmi_warn; + ++static int __init softlockup_panic_setup(char *str) ++{ ++ softlockup_panic = simple_strtoul(str, NULL, 0); ++ return 1; ++} ++__setup("softlockup_panic=", softlockup_panic_setup); ++ + static int __init nowatchdog_setup(char *str) + { + watchdog_user_enabled = 0; diff --git a/queue-6.5/wifi-ath11k-fix-dfs-radar-event-locking.patch b/queue-6.5/wifi-ath11k-fix-dfs-radar-event-locking.patch new file mode 100644 index 00000000000..9b7f8b3b20f --- /dev/null +++ b/queue-6.5/wifi-ath11k-fix-dfs-radar-event-locking.patch @@ -0,0 +1,49 @@ +From 3b6c14833165f689cc5928574ebafe52bbce5f1e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 17:31:15 +0200 +Subject: wifi: ath11k: fix dfs radar event locking + +From: Johan Hovold + +commit 3b6c14833165f689cc5928574ebafe52bbce5f1e upstream. + +The ath11k active pdevs are protected by RCU but the DFS radar event +handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a +read-side critical section. + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Compile tested only. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Acked-by: Jeff Johnson +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019153115.26401-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -8337,6 +8337,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event + ev->detector_id, ev->segment_id, ev->timestamp, ev->is_chirp, + ev->freq_offset, ev->sidx); + ++ rcu_read_lock(); ++ + ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id); + + if (!ar) { +@@ -8354,6 +8356,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event + ieee80211_radar_detected(ar->hw); + + exit: ++ rcu_read_unlock(); ++ + kfree(tb); + } + diff --git a/queue-6.5/wifi-ath11k-fix-gtk-offload-status-event-locking.patch b/queue-6.5/wifi-ath11k-fix-gtk-offload-status-event-locking.patch new file mode 100644 index 00000000000..c533dfe9ebe --- /dev/null +++ b/queue-6.5/wifi-ath11k-fix-gtk-offload-status-event-locking.patch @@ -0,0 +1,57 @@ +From 1dea3c0720a146bd7193969f2847ccfed5be2221 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 17:53:42 +0200 +Subject: wifi: ath11k: fix gtk offload status event locking + +From: Johan Hovold + +commit 1dea3c0720a146bd7193969f2847ccfed5be2221 upstream. + +The ath11k active pdevs are protected by RCU but the gtk offload status +event handling code calling ath11k_mac_get_arvif_by_vdev_id() was not +marked as a read-side critical section. + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Compile tested only. + +Fixes: a16d9b50cfba ("ath11k: support GTK rekey offload") +Cc: stable@vger.kernel.org # 5.18 +Cc: Carl Huang +Signed-off-by: Johan Hovold +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019155342.31631-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -8619,12 +8619,13 @@ static void ath11k_wmi_gtk_offload_statu + return; + } + ++ rcu_read_lock(); ++ + arvif = ath11k_mac_get_arvif_by_vdev_id(ab, ev->vdev_id); + if (!arvif) { + ath11k_warn(ab, "failed to get arvif for vdev_id:%d\n", + ev->vdev_id); +- kfree(tb); +- return; ++ goto exit; + } + + ath11k_dbg(ab, ATH11K_DBG_WMI, "event gtk offload refresh_cnt %d\n", +@@ -8641,6 +8642,8 @@ static void ath11k_wmi_gtk_offload_statu + + ieee80211_gtk_rekey_notify(arvif->vif, arvif->bssid, + (void *)&replay_ctr_be, GFP_ATOMIC); ++exit: ++ rcu_read_unlock(); + + kfree(tb); + } diff --git a/queue-6.5/wifi-ath11k-fix-htt-pktlog-locking.patch b/queue-6.5/wifi-ath11k-fix-htt-pktlog-locking.patch new file mode 100644 index 00000000000..7e617340139 --- /dev/null +++ b/queue-6.5/wifi-ath11k-fix-htt-pktlog-locking.patch @@ -0,0 +1,52 @@ +From 3f77c7d605b29df277d77e9ee75d96e7ad145d2d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 13:25:21 +0200 +Subject: wifi: ath11k: fix htt pktlog locking + +From: Johan Hovold + +commit 3f77c7d605b29df277d77e9ee75d96e7ad145d2d upstream. + +The ath11k active pdevs are protected by RCU but the htt pktlog handling +code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a +read-side critical section. + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Compile tested only. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019112521.2071-1-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -1621,14 +1621,20 @@ static void ath11k_htt_pktlog(struct ath + u8 pdev_id; + + pdev_id = FIELD_GET(HTT_T2H_PPDU_STATS_INFO_PDEV_ID, data->hdr); ++ ++ rcu_read_lock(); ++ + ar = ath11k_mac_get_ar_by_pdev_id(ab, pdev_id); + if (!ar) { + ath11k_warn(ab, "invalid pdev id %d on htt pktlog\n", pdev_id); +- return; ++ goto out; + } + + trace_ath11k_htt_pktlog(ar, data->payload, hdr->size, + ar->ab->pktlog_defs_checksum); ++ ++out: ++ rcu_read_unlock(); + } + + static void ath11k_htt_backpressure_event_handler(struct ath11k_base *ab, diff --git a/queue-6.5/wifi-ath11k-fix-temperature-event-locking.patch b/queue-6.5/wifi-ath11k-fix-temperature-event-locking.patch new file mode 100644 index 00000000000..f75864f9c5c --- /dev/null +++ b/queue-6.5/wifi-ath11k-fix-temperature-event-locking.patch @@ -0,0 +1,71 @@ +From 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 17:31:14 +0200 +Subject: wifi: ath11k: fix temperature event locking + +From: Johan Hovold + +commit 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 upstream. + +The ath11k active pdevs are protected by RCU but the temperature event +handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a +read-side critical section as reported by RCU lockdep: + + ============================= + WARNING: suspicious RCU usage + 6.6.0-rc6 #7 Not tainted + ----------------------------- + drivers/net/wireless/ath/ath11k/mac.c:638 suspicious rcu_dereference_check() usage! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + no locks held by swapper/0/0. + ... + Call trace: + ... + lockdep_rcu_suspicious+0x16c/0x22c + ath11k_mac_get_ar_by_pdev_id+0x194/0x1b0 [ath11k] + ath11k_wmi_tlv_op_rx+0xa84/0x2c1c [ath11k] + ath11k_htc_rx_completion_handler+0x388/0x510 [ath11k] + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23 + +Fixes: a41d10348b01 ("ath11k: add thermal sensor device support") +Cc: stable@vger.kernel.org # 5.7 +Signed-off-by: Johan Hovold +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019153115.26401-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -8383,15 +8383,19 @@ ath11k_wmi_pdev_temperature_event(struct + ath11k_dbg(ab, ATH11K_DBG_WMI, "event pdev temperature ev temp %d pdev_id %d\n", + ev->temp, ev->pdev_id); + ++ rcu_read_lock(); ++ + ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id); + if (!ar) { + ath11k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev->pdev_id); +- kfree(tb); +- return; ++ goto exit; + } + + ath11k_thermal_event_temperature(ar, ev->temp); + ++exit: ++ rcu_read_unlock(); ++ + kfree(tb); + } + diff --git a/queue-6.5/wifi-ath12k-fix-dfs-radar-and-temperature-event-locking.patch b/queue-6.5/wifi-ath12k-fix-dfs-radar-and-temperature-event-locking.patch new file mode 100644 index 00000000000..2f4cc78d0af --- /dev/null +++ b/queue-6.5/wifi-ath12k-fix-dfs-radar-and-temperature-event-locking.patch @@ -0,0 +1,70 @@ +From 69bd216e049349886405b1c87a55dce3d35d1ba7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 13:36:49 +0200 +Subject: wifi: ath12k: fix dfs-radar and temperature event locking + +From: Johan Hovold + +commit 69bd216e049349886405b1c87a55dce3d35d1ba7 upstream. + +The ath12k active pdevs are protected by RCU but the DFS-radar and +temperature event handling code calling ath12k_mac_get_ar_by_pdev_id() +was not marked as a read-side critical section. + +Mark the code in question as RCU read-side critical sections to avoid +any potential use-after-free issues. + +Note that the temperature event handler looks like a place holder +currently but would still trigger an RCU lockdep splat. + +Compile tested only. + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Cc: stable@vger.kernel.org # v6.2 +Signed-off-by: Johan Hovold +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019113650.9060-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath12k/wmi.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -6234,6 +6234,8 @@ ath12k_wmi_pdev_dfs_radar_detected_event + ev->detector_id, ev->segment_id, ev->timestamp, ev->is_chirp, + ev->freq_offset, ev->sidx); + ++ rcu_read_lock(); ++ + ar = ath12k_mac_get_ar_by_pdev_id(ab, le32_to_cpu(ev->pdev_id)); + + if (!ar) { +@@ -6251,6 +6253,8 @@ ath12k_wmi_pdev_dfs_radar_detected_event + ieee80211_radar_detected(ar->hw); + + exit: ++ rcu_read_unlock(); ++ + kfree(tb); + } + +@@ -6269,11 +6273,16 @@ ath12k_wmi_pdev_temperature_event(struct + ath12k_dbg(ab, ATH12K_DBG_WMI, + "pdev temperature ev temp %d pdev_id %d\n", ev.temp, ev.pdev_id); + ++ rcu_read_lock(); ++ + ar = ath12k_mac_get_ar_by_pdev_id(ab, le32_to_cpu(ev.pdev_id)); + if (!ar) { + ath12k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev.pdev_id); +- return; ++ goto exit; + } ++ ++exit: ++ rcu_read_unlock(); + } + + static void ath12k_fils_discovery_event(struct ath12k_base *ab, diff --git a/queue-6.5/wifi-ath12k-fix-htt-mlo-offset-event-locking.patch b/queue-6.5/wifi-ath12k-fix-htt-mlo-offset-event-locking.patch new file mode 100644 index 00000000000..32324881402 --- /dev/null +++ b/queue-6.5/wifi-ath12k-fix-htt-mlo-offset-event-locking.patch @@ -0,0 +1,55 @@ +From 6afc57ea315e0f660b1f870a681737bb7b71faef Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Oct 2023 13:36:50 +0200 +Subject: wifi: ath12k: fix htt mlo-offset event locking + +From: Johan Hovold + +commit 6afc57ea315e0f660b1f870a681737bb7b71faef upstream. + +The ath12k active pdevs are protected by RCU but the htt mlo-offset +event handling code calling ath12k_mac_get_ar_by_pdev_id() was not +marked as a read-side critical section. + +Mark the code in question as an RCU read-side critical section to avoid +any potential use-after-free issues. + +Compile tested only. + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Cc: stable@vger.kernel.org # v6.2 +Signed-off-by: Johan Hovold +Acked-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20231019113650.9060-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath12k/dp_rx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath12k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c +@@ -1658,11 +1658,12 @@ static void ath12k_htt_mlo_offset_event_ + msg = (struct ath12k_htt_mlo_offset_msg *)skb->data; + pdev_id = u32_get_bits(__le32_to_cpu(msg->info), + HTT_T2H_MLO_OFFSET_INFO_PDEV_ID); +- ar = ath12k_mac_get_ar_by_pdev_id(ab, pdev_id); + ++ rcu_read_lock(); ++ ar = ath12k_mac_get_ar_by_pdev_id(ab, pdev_id); + if (!ar) { + ath12k_warn(ab, "invalid pdev id %d on htt mlo offset\n", pdev_id); +- return; ++ goto exit; + } + + spin_lock_bh(&ar->data_lock); +@@ -1678,6 +1679,8 @@ static void ath12k_htt_mlo_offset_event_ + pdev->timestamp.mlo_comp_timer = __le32_to_cpu(msg->mlo_comp_timer); + + spin_unlock_bh(&ar->data_lock); ++exit: ++ rcu_read_unlock(); + } + + void ath12k_dp_htt_htc_t2h_msg_handler(struct ath12k_base *ab,