From: Greg Kroah-Hartman Date: Tue, 1 Oct 2024 14:10:55 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v6.6.54~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b0bf07e6360e585f97406418a10d74a6523b4f12;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: arm-dts-imx6ul-geam-fix-fsl-pins-property-in-tscgrp-pinctrl.patch arm-dts-imx6ull-seeed-npi-fix-fsl-pins-property-in-tscgrp-pinctrl.patch arm64-dts-mediatek-mt8186-corsola-disable-dpi-display-interface.patch arm64-dts-qcom-sa8775p-mark-apps-and-pcie-smmus-as-dma-coherent.patch arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch arm64-errata-enable-the-ac03_cpu_38-workaround-for-ampere1a.patch arm64-esr-define-esr_elx_ec_-constants-as-ul.patch bcachefs-fix-negative-timespecs.patch btrfs-always-update-fstrim_range-on-failure-in-fitrim-ioctl.patch btrfs-fix-race-setting-file-private-on-concurrent-lseek-using-same-fd.patch btrfs-tree-checker-fix-the-wrong-output-of-data-backref-objectid.patch cpuidle-riscv-sbi-use-scoped-device-node-handling-to-fix-missing-of_node_put.patch dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch edac-igen6-fix-conversion-of-system-address-to-physical-memory-address.patch eventpoll-annotate-data-race-of-busy_poll_usecs.patch f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch f2fs-check-discard-support-for-conventional-zones.patch f2fs-fix-several-potential-integer-overflows-in-file-offsets.patch f2fs-fix-to-check-atomic_file-in-f2fs-ioctl-interfaces.patch f2fs-prevent-possible-int-overflow-in-dir_block_index.patch f2fs-require-fmode_write-for-atomic-write-ioctls.patch fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch hwrng-bcm2835-add-missing-clk_disable_unprepare-in-bcm2835_rng_init.patch hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch hwrng-mtk-use-devm_pm_runtime_enable.patch icmp-change-the-order-of-rate-limits.patch lsm-add-the-inode_free_security_rcu-lsm-implementation-hook.patch md-don-t-flush-sync_work-in-md_write_start.patch netfs-delete-subtree-of-fs-netfs-when-netfs-module-exits.patch nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch spi-fspi-involve-lut_num-for-struct-nxp_fspi_devtype_data.patch tools-nolibc-include-arch.h-from-string.h.patch vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch --- diff --git a/queue-6.10/arm-dts-imx6ul-geam-fix-fsl-pins-property-in-tscgrp-pinctrl.patch b/queue-6.10/arm-dts-imx6ul-geam-fix-fsl-pins-property-in-tscgrp-pinctrl.patch new file mode 100644 index 00000000000..c2713c4bb57 --- /dev/null +++ b/queue-6.10/arm-dts-imx6ul-geam-fix-fsl-pins-property-in-tscgrp-pinctrl.patch @@ -0,0 +1,36 @@ +From 1b0e32753d8550908dff8982410357b5114be78c Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 31 Aug 2024 12:11:28 +0200 +Subject: ARM: dts: imx6ul-geam: fix fsl,pins property in tscgrp pinctrl + +From: Krzysztof Kozlowski + +commit 1b0e32753d8550908dff8982410357b5114be78c upstream. + +The property is "fsl,pins", not "fsl,pin". Wrong property means the pin +configuration was not applied. Fixes dtbs_check warnings: + + imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pins' is a required property + imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pin' does not match any of the regexes: 'pinctrl-[0-9]+' + +Cc: stable@vger.kernel.org +Fixes: a58e4e608bc8 ("ARM: dts: imx6ul-geam: Add Engicam IMX6UL GEA M6UL initial support") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Michael Trimarchi +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts ++++ b/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts +@@ -365,7 +365,7 @@ + }; + + pinctrl_tsc: tscgrp { +- fsl,pin = < ++ fsl,pins = < + MX6UL_PAD_GPIO1_IO01__GPIO1_IO01 0xb0 + MX6UL_PAD_GPIO1_IO02__GPIO1_IO02 0xb0 + MX6UL_PAD_GPIO1_IO03__GPIO1_IO03 0xb0 diff --git a/queue-6.10/arm-dts-imx6ull-seeed-npi-fix-fsl-pins-property-in-tscgrp-pinctrl.patch b/queue-6.10/arm-dts-imx6ull-seeed-npi-fix-fsl-pins-property-in-tscgrp-pinctrl.patch new file mode 100644 index 00000000000..08d52d442d1 --- /dev/null +++ b/queue-6.10/arm-dts-imx6ull-seeed-npi-fix-fsl-pins-property-in-tscgrp-pinctrl.patch @@ -0,0 +1,83 @@ +From 3dedd4889cfc2851444a1f7626b293c0bfd1e42c Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 31 Aug 2024 12:11:29 +0200 +Subject: ARM: dts: imx6ull-seeed-npi: fix fsl,pins property in tscgrp pinctrl + +From: Krzysztof Kozlowski + +commit 3dedd4889cfc2851444a1f7626b293c0bfd1e42c upstream. + +The property is "fsl,pins", not "fsl,pin". Wrong property means the pin +configuration was not applied. Fixes dtbs_check warnings: + + imx6ull-seeed-npi-dev-board-emmc.dtb: pinctrl@20e0000: uart1grp: 'fsl,pins' is a required property + imx6ull-seeed-npi-dev-board-emmc.dtb: pinctrl@20e0000: uart1grp: 'fsl,pin' does not match any of the regexes: 'pinctrl-[0-9]+' + +Cc: stable@vger.kernel.org +Fixes: e3b5697195c8 ("ARM: dts: imx6ull: add seeed studio NPi dev board") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Parthiban Nallathambi +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + .../dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/boot/dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi b/arch/arm/boot/dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi +index 6bb12e0bbc7e..50654dbf62e0 100644 +--- a/arch/arm/boot/dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi ++++ b/arch/arm/boot/dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi +@@ -339,14 +339,14 @@ MX6UL_PAD_JTAG_TRST_B__SAI2_TX_DATA 0x120b0 + }; + + pinctrl_uart1: uart1grp { +- fsl,pin = < ++ fsl,pins = < + MX6UL_PAD_UART1_TX_DATA__UART1_DCE_TX 0x1b0b1 + MX6UL_PAD_UART1_RX_DATA__UART1_DCE_RX 0x1b0b1 + >; + }; + + pinctrl_uart2: uart2grp { +- fsl,pin = < ++ fsl,pins = < + MX6UL_PAD_UART2_TX_DATA__UART2_DCE_TX 0x1b0b1 + MX6UL_PAD_UART2_RX_DATA__UART2_DCE_RX 0x1b0b1 + MX6UL_PAD_UART2_CTS_B__UART2_DCE_CTS 0x1b0b1 +@@ -355,7 +355,7 @@ MX6UL_PAD_UART2_RTS_B__UART2_DCE_RTS 0x1b0b1 + }; + + pinctrl_uart3: uart3grp { +- fsl,pin = < ++ fsl,pins = < + MX6UL_PAD_UART3_TX_DATA__UART3_DCE_TX 0x1b0b1 + MX6UL_PAD_UART3_RX_DATA__UART3_DCE_RX 0x1b0b1 + MX6UL_PAD_UART3_CTS_B__UART3_DCE_CTS 0x1b0b1 +@@ -364,21 +364,21 @@ MX6UL_PAD_UART3_RTS_B__UART3_DCE_RTS 0x1b0b1 + }; + + pinctrl_uart4: uart4grp { +- fsl,pin = < ++ fsl,pins = < + MX6UL_PAD_UART4_TX_DATA__UART4_DCE_TX 0x1b0b1 + MX6UL_PAD_UART4_RX_DATA__UART4_DCE_RX 0x1b0b1 + >; + }; + + pinctrl_uart5: uart5grp { +- fsl,pin = < ++ fsl,pins = < + MX6UL_PAD_UART5_TX_DATA__UART5_DCE_TX 0x1b0b1 + MX6UL_PAD_UART5_RX_DATA__UART5_DCE_RX 0x1b0b1 + >; + }; + + pinctrl_usb_otg1_id: usbotg1idgrp { +- fsl,pin = < ++ fsl,pins = < + MX6UL_PAD_GPIO1_IO00__ANATOP_OTG1_ID 0x17059 + >; + }; +-- +2.46.2 + diff --git a/queue-6.10/arm64-dts-mediatek-mt8186-corsola-disable-dpi-display-interface.patch b/queue-6.10/arm64-dts-mediatek-mt8186-corsola-disable-dpi-display-interface.patch new file mode 100644 index 00000000000..8e732aab591 --- /dev/null +++ b/queue-6.10/arm64-dts-mediatek-mt8186-corsola-disable-dpi-display-interface.patch @@ -0,0 +1,51 @@ +From 3079fb09ddac159bd8bb87f6f15b924e265f8d4d Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 21 Aug 2024 12:28:34 +0800 +Subject: arm64: dts: mediatek: mt8186-corsola: Disable DPI display interface +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen-Yu Tsai + +commit 3079fb09ddac159bd8bb87f6f15b924e265f8d4d upstream. + +The DPI display interface feeds the external display pipeline. However +the pipeline representation is currently incomplete. Efforts are still +under way to come up with a way to represent the "creative" repurposing +of the DP bridge chip's internal output mux, which is meant to support +USB type-C orientation changes, to output to one of two type-C ports. + +Until that is finalized, the external display can't be fully described, +and thus won't work. Even worse, the half complete graph potentially +confuses the OS, breaking the internal display as well. + +Disable the external display interface across the whole Corsola family +until the DP / USB Type-C muxing graph binding is ready. + +Reported-by: Alper Nebi Yasak +Closes: https://lore.kernel.org/linux-mediatek/38a703a9-6efb-456a-a248-1dd3687e526d@gmail.com/ +Fixes: 8855d01fb81f ("arm64: dts: mediatek: Add MT8186 Krabby platform based Tentacruel / Tentacool") +Cc: +Signed-off-by: Chen-Yu Tsai +Tested-by: Alper Nebi Yasak +Reviewed-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20240821042836.2631815-1-wenst@chromium.org +Signed-off-by: Matthias Brugger +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi +@@ -321,7 +321,8 @@ + pinctrl-names = "default", "sleep"; + pinctrl-0 = <&dpi_pins_default>; + pinctrl-1 = <&dpi_pins_sleep>; +- status = "okay"; ++ /* TODO Re-enable after DP to Type-C port muxing can be described */ ++ status = "disabled"; + }; + + &dpi_out { diff --git a/queue-6.10/arm64-dts-qcom-sa8775p-mark-apps-and-pcie-smmus-as-dma-coherent.patch b/queue-6.10/arm64-dts-qcom-sa8775p-mark-apps-and-pcie-smmus-as-dma-coherent.patch new file mode 100644 index 00000000000..27c8b390ae1 --- /dev/null +++ b/queue-6.10/arm64-dts-qcom-sa8775p-mark-apps-and-pcie-smmus-as-dma-coherent.patch @@ -0,0 +1,45 @@ +From 421688265d7f5d3ff4211982e7231765378bb64f Mon Sep 17 00:00:00 2001 +From: Qingqing Zhou +Date: Thu, 25 Jul 2024 12:51:17 +0530 +Subject: arm64: dts: qcom: sa8775p: Mark APPS and PCIe SMMUs as DMA coherent + +From: Qingqing Zhou + +commit 421688265d7f5d3ff4211982e7231765378bb64f upstream. + +The SMMUs on sa8775p are cache-coherent. GPU SMMU is marked as such, +mark the APPS and PCIe ones as well. + +Fixes: 603f96d4c9d0 ("arm64: dts: qcom: add initial support for qcom sa8775p-ride") +Fixes: 2dba7a613a6e ("arm64: dts: qcom: sa8775p: add the pcie smmu node") +Cc: stable@vger.kernel.org +Reviewed-by: Konrad Dybcio +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Qingqing Zhou +Rule: add +Link: https://lore.kernel.org/stable/20240723075948.9545-1-quic_qqzhou%40quicinc.com +Link: https://lore.kernel.org/r/20240725072117.22425-1-quic_qqzhou@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sa8775p.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/qcom/sa8775p.dtsi ++++ b/arch/arm64/boot/dts/qcom/sa8775p.dtsi +@@ -2104,6 +2104,7 @@ + reg = <0x0 0x15000000 0x0 0x100000>; + #iommu-cells = <2>; + #global-interrupts = <2>; ++ dma-coherent; + + interrupts = , + , +@@ -2242,6 +2243,7 @@ + reg = <0x0 0x15200000 0x0 0x80000>; + #iommu-cells = <2>; + #global-interrupts = <2>; ++ dma-coherent; + + interrupts = , + , diff --git a/queue-6.10/arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch b/queue-6.10/arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch new file mode 100644 index 00000000000..b98659954c7 --- /dev/null +++ b/queue-6.10/arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch @@ -0,0 +1,55 @@ +From def33fb1191207f5afa6dcb681d71fef2a6c1293 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Mon, 15 Jul 2024 19:44:20 +0200 +Subject: arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity + +From: Dragan Simic + +commit def33fb1191207f5afa6dcb681d71fef2a6c1293 upstream. + +All batches of the Pine64 Pinebook Pro, except the latest batch (as of 2024) +whose hardware design was revised due to the component shortage, use a 1S +lithium battery whose nominal/design capacity is 10,000 mAh, according to the +battery datasheet. [1][2] Let's correct the design full-charge value in the +Pinebook Pro board dts, to improve the accuracy of the hardware description, +and to hopefully improve the accuracy of the fuel gauge a bit on all units +that don't belong to the latest batch. + +The above-mentioned latest batch uses a different 1S lithium battery with +a slightly lower capacity, more precisely 9,600 mAh. To make the fuel gauge +work reliably on the latest batch, a sample battery would need to be sent to +CellWise, to obtain its proprietary battery profile, whose data goes into +"cellwise,battery-profile" in the Pinebook Pro board dts. Without that data, +the fuel gauge reportedly works unreliably, so changing the design capacity +won't have any negative effects on the already unreliable operation of the +fuel gauge in the Pinebook Pros that belong to the latest batch. + +According to the battery datasheet, its voltage can go as low as 2.75 V while +discharging, but it's better to leave the current 3.0 V value in the dts file, +because of the associated Pinebook Pro's voltage regulation issues. + +[1] https://wiki.pine64.org/index.php/Pinebook_Pro#Battery +[2] https://files.pine64.org/doc/datasheet/pinebook/40110175P%203.8V%2010000mAh%E8%A7%84%E6%A0%BC%E4%B9%A6-14.pdf + +Fixes: c7c4d698cd28 ("arm64: dts: rockchip: add fuel gauge to Pinebook Pro dts") +Cc: stable@vger.kernel.org +Cc: Marek Kraus +Signed-off-by: Dragan Simic +Link: https://lore.kernel.org/r/731f8ef9b1a867bcc730d19ed277c8c0534c0842.1721065172.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts +@@ -37,7 +37,7 @@ + + bat: battery { + compatible = "simple-battery"; +- charge-full-design-microamp-hours = <9800000>; ++ charge-full-design-microamp-hours = <10000000>; + voltage-max-design-microvolt = <4350000>; + voltage-min-design-microvolt = <3000000>; + }; diff --git a/queue-6.10/arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch b/queue-6.10/arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch new file mode 100644 index 00000000000..4c56c74b94f --- /dev/null +++ b/queue-6.10/arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch @@ -0,0 +1,60 @@ +From 8c51521de18755d4112a77a598a348b38d0af370 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Sun, 4 Aug 2024 23:10:24 +0200 +Subject: arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dragan Simic + +commit 8c51521de18755d4112a77a598a348b38d0af370 upstream. + +Increase the frequency of the PWM signal that drives the LED backlight of +the Pinebook Pro's panel, from about 1.35 KHz (which equals to the PWM +period of 740,740 ns), to exactly 8 kHz (which equals to the PWM period of +125,000 ns). Using a higher PWM frequency for the panel backlight, which +reduces the flicker, can only be beneficial to the end users' eyes. + +On top of that, increasing the backlight PWM signal frequency reportedly +eliminates the buzzing emitted from the Pinebook Pro's built-in speakers +when certain backlight levels are set, which cause some weird interference +with some of the components of the Pinebook Pro's audio chain. + +The old value for the backlight PWM period, i.e. 740,740 ns, is pretty much +an arbitrary value that was selected during the very early bring-up of the +Pinebook Pro, only because that value seemed to minimize horizontal line +distortion on the display, which resulted from the old X.org drivers causing +screen tearing when dragging windows around. That's no longer an issue, so +there are no reasons to stick with the old PWM period value. + +The lower and the upper backlight PWM frequency limits for the Pinebook Pro's +panel, according to its datasheet, are 200 Hz and 10 kHz, respectively. [1] +These changes still leave some headroom, which may have some positive effects +on the lifetime expectancy of the panel's backlight LEDs. + +[1] https://files.pine64.org/doc/datasheet/PinebookPro/NV140FHM-N49_Rev.P0_20160804_201710235838.pdf + +Fixes: 5a65505a6988 ("arm64: dts: rockchip: Add initial support for Pinebook Pro") +Cc: stable@vger.kernel.org +Reported-by: Nikola Radojevic +Signed-off-by: Dragan Simic +Tested-by: Nikola Radojević +Link: https://lore.kernel.org/r/2a23b6cfd8c0513e5b233b4006ee3d3ed09b824f.1722805655.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts +@@ -32,7 +32,7 @@ + backlight: edp-backlight { + compatible = "pwm-backlight"; + power-supply = <&vcc_12v>; +- pwms = <&pwm0 0 740740 0>; ++ pwms = <&pwm0 0 125000 0>; + }; + + bat: battery { diff --git a/queue-6.10/arm64-errata-enable-the-ac03_cpu_38-workaround-for-ampere1a.patch b/queue-6.10/arm64-errata-enable-the-ac03_cpu_38-workaround-for-ampere1a.patch new file mode 100644 index 00000000000..6e73bb5defb --- /dev/null +++ b/queue-6.10/arm64-errata-enable-the-ac03_cpu_38-workaround-for-ampere1a.patch @@ -0,0 +1,91 @@ +From db0d8a84348b876df7c4276f0cbce5df3b769f5f Mon Sep 17 00:00:00 2001 +From: D Scott Phillips +Date: Tue, 27 Aug 2024 14:17:01 -0700 +Subject: arm64: errata: Enable the AC03_CPU_38 workaround for ampere1a + +From: D Scott Phillips + +commit db0d8a84348b876df7c4276f0cbce5df3b769f5f upstream. + +The ampere1a cpu is affected by erratum AC04_CPU_10 which is the same +bug as AC03_CPU_38. Add ampere1a to the AC03_CPU_38 workaround midr list. + +Cc: +Signed-off-by: D Scott Phillips +Acked-by: Oliver Upton +Link: https://lore.kernel.org/r/20240827211701.2216719-1-scott@os.amperecomputing.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arch/arm64/silicon-errata.rst | 2 ++ + arch/arm64/Kconfig | 2 +- + arch/arm64/include/asm/cputype.h | 2 ++ + arch/arm64/kernel/cpu_errata.c | 10 +++++++++- + 4 files changed, 14 insertions(+), 2 deletions(-) + +--- a/Documentation/arch/arm64/silicon-errata.rst ++++ b/Documentation/arch/arm64/silicon-errata.rst +@@ -55,6 +55,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | Ampere | AmpereOne | AC03_CPU_38 | AMPERE_ERRATUM_AC03_CPU_38 | + +----------------+-----------------+-----------------+-----------------------------+ ++| Ampere | AmpereOne AC04 | AC04_CPU_10 | AMPERE_ERRATUM_AC03_CPU_38 | +++----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Cortex-A510 | #2457168 | ARM64_ERRATUM_2457168 | + +----------------+-----------------+-----------------+-----------------------------+ +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -422,7 +422,7 @@ config AMPERE_ERRATUM_AC03_CPU_38 + default y + help + This option adds an alternative code sequence to work around Ampere +- erratum AC03_CPU_38 on AmpereOne. ++ errata AC03_CPU_38 and AC04_CPU_10 on AmpereOne. + + The affected design reports FEAT_HAFDBS as not implemented in + ID_AA64MMFR1_EL1.HAFDBS, but (V)TCR_ELx.{HA,HD} are not RES0 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -143,6 +143,7 @@ + #define APPLE_CPU_PART_M2_AVALANCHE_MAX 0x039 + + #define AMPERE_CPU_PART_AMPERE1 0xAC3 ++#define AMPERE_CPU_PART_AMPERE1A 0xAC4 + + #define MICROSOFT_CPU_PART_AZURE_COBALT_100 0xD49 /* Based on r0p0 of ARM Neoverse N2 */ + +@@ -212,6 +213,7 @@ + #define MIDR_APPLE_M2_BLIZZARD_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_BLIZZARD_MAX) + #define MIDR_APPLE_M2_AVALANCHE_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_AVALANCHE_MAX) + #define MIDR_AMPERE1 MIDR_CPU_MODEL(ARM_CPU_IMP_AMPERE, AMPERE_CPU_PART_AMPERE1) ++#define MIDR_AMPERE1A MIDR_CPU_MODEL(ARM_CPU_IMP_AMPERE, AMPERE_CPU_PART_AMPERE1A) + #define MIDR_MICROSOFT_AZURE_COBALT_100 MIDR_CPU_MODEL(ARM_CPU_IMP_MICROSOFT, MICROSOFT_CPU_PART_AZURE_COBALT_100) + + /* Fujitsu Erratum 010001 affects A64FX 1.0 and 1.1, (v0r0 and v1r0) */ +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -456,6 +456,14 @@ static const struct midr_range erratum_s + }; + #endif + ++#ifdef CONFIG_AMPERE_ERRATUM_AC03_CPU_38 ++static const struct midr_range erratum_ac03_cpu_38_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_AMPERE1), ++ MIDR_ALL_VERSIONS(MIDR_AMPERE1A), ++ {}, ++}; ++#endif ++ + const struct arm64_cpu_capabilities arm64_errata[] = { + #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE + { +@@ -772,7 +780,7 @@ const struct arm64_cpu_capabilities arm6 + { + .desc = "AmpereOne erratum AC03_CPU_38", + .capability = ARM64_WORKAROUND_AMPERE_AC03_CPU_38, +- ERRATA_MIDR_ALL_VERSIONS(MIDR_AMPERE1), ++ ERRATA_MIDR_RANGE_LIST(erratum_ac03_cpu_38_list), + }, + #endif + { diff --git a/queue-6.10/arm64-esr-define-esr_elx_ec_-constants-as-ul.patch b/queue-6.10/arm64-esr-define-esr_elx_ec_-constants-as-ul.patch new file mode 100644 index 00000000000..efabf6d4d93 --- /dev/null +++ b/queue-6.10/arm64-esr-define-esr_elx_ec_-constants-as-ul.patch @@ -0,0 +1,142 @@ +From b6db3eb6c373b97d9e433530d748590421bbeea7 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Tue, 10 Sep 2024 11:50:16 +0300 +Subject: arm64: esr: Define ESR_ELx_EC_* constants as UL + +From: Anastasia Belova + +commit b6db3eb6c373b97d9e433530d748590421bbeea7 upstream. + +Add explicit casting to prevent expantion of 32th bit of +u32 into highest half of u64 in several places. + +For example, in inject_abt64: +ESR_ELx_EC_DABT_LOW << ESR_ELx_EC_SHIFT = 0x24 << 26. +This operation's result is int with 1 in 32th bit. +While casting this value into u64 (esr is u64) 1 +fills 32 highest bits. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Cc: +Fixes: aa8eff9bfbd5 ("arm64: KVM: fault injection into a guest") +Signed-off-by: Anastasia Belova +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/stable/20240910085016.32120-1-abelova%40astralinux.ru +Link: https://lore.kernel.org/r/20240910085016.32120-1-abelova@astralinux.ru +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/esr.h | 88 +++++++++++++++++++++---------------------- + 1 file changed, 44 insertions(+), 44 deletions(-) + +--- a/arch/arm64/include/asm/esr.h ++++ b/arch/arm64/include/asm/esr.h +@@ -10,63 +10,63 @@ + #include + #include + +-#define ESR_ELx_EC_UNKNOWN (0x00) +-#define ESR_ELx_EC_WFx (0x01) ++#define ESR_ELx_EC_UNKNOWN UL(0x00) ++#define ESR_ELx_EC_WFx UL(0x01) + /* Unallocated EC: 0x02 */ +-#define ESR_ELx_EC_CP15_32 (0x03) +-#define ESR_ELx_EC_CP15_64 (0x04) +-#define ESR_ELx_EC_CP14_MR (0x05) +-#define ESR_ELx_EC_CP14_LS (0x06) +-#define ESR_ELx_EC_FP_ASIMD (0x07) +-#define ESR_ELx_EC_CP10_ID (0x08) /* EL2 only */ +-#define ESR_ELx_EC_PAC (0x09) /* EL2 and above */ ++#define ESR_ELx_EC_CP15_32 UL(0x03) ++#define ESR_ELx_EC_CP15_64 UL(0x04) ++#define ESR_ELx_EC_CP14_MR UL(0x05) ++#define ESR_ELx_EC_CP14_LS UL(0x06) ++#define ESR_ELx_EC_FP_ASIMD UL(0x07) ++#define ESR_ELx_EC_CP10_ID UL(0x08) /* EL2 only */ ++#define ESR_ELx_EC_PAC UL(0x09) /* EL2 and above */ + /* Unallocated EC: 0x0A - 0x0B */ +-#define ESR_ELx_EC_CP14_64 (0x0C) +-#define ESR_ELx_EC_BTI (0x0D) +-#define ESR_ELx_EC_ILL (0x0E) ++#define ESR_ELx_EC_CP14_64 UL(0x0C) ++#define ESR_ELx_EC_BTI UL(0x0D) ++#define ESR_ELx_EC_ILL UL(0x0E) + /* Unallocated EC: 0x0F - 0x10 */ +-#define ESR_ELx_EC_SVC32 (0x11) +-#define ESR_ELx_EC_HVC32 (0x12) /* EL2 only */ +-#define ESR_ELx_EC_SMC32 (0x13) /* EL2 and above */ ++#define ESR_ELx_EC_SVC32 UL(0x11) ++#define ESR_ELx_EC_HVC32 UL(0x12) /* EL2 only */ ++#define ESR_ELx_EC_SMC32 UL(0x13) /* EL2 and above */ + /* Unallocated EC: 0x14 */ +-#define ESR_ELx_EC_SVC64 (0x15) +-#define ESR_ELx_EC_HVC64 (0x16) /* EL2 and above */ +-#define ESR_ELx_EC_SMC64 (0x17) /* EL2 and above */ +-#define ESR_ELx_EC_SYS64 (0x18) +-#define ESR_ELx_EC_SVE (0x19) +-#define ESR_ELx_EC_ERET (0x1a) /* EL2 only */ ++#define ESR_ELx_EC_SVC64 UL(0x15) ++#define ESR_ELx_EC_HVC64 UL(0x16) /* EL2 and above */ ++#define ESR_ELx_EC_SMC64 UL(0x17) /* EL2 and above */ ++#define ESR_ELx_EC_SYS64 UL(0x18) ++#define ESR_ELx_EC_SVE UL(0x19) ++#define ESR_ELx_EC_ERET UL(0x1a) /* EL2 only */ + /* Unallocated EC: 0x1B */ +-#define ESR_ELx_EC_FPAC (0x1C) /* EL1 and above */ +-#define ESR_ELx_EC_SME (0x1D) ++#define ESR_ELx_EC_FPAC UL(0x1C) /* EL1 and above */ ++#define ESR_ELx_EC_SME UL(0x1D) + /* Unallocated EC: 0x1E */ +-#define ESR_ELx_EC_IMP_DEF (0x1f) /* EL3 only */ +-#define ESR_ELx_EC_IABT_LOW (0x20) +-#define ESR_ELx_EC_IABT_CUR (0x21) +-#define ESR_ELx_EC_PC_ALIGN (0x22) ++#define ESR_ELx_EC_IMP_DEF UL(0x1f) /* EL3 only */ ++#define ESR_ELx_EC_IABT_LOW UL(0x20) ++#define ESR_ELx_EC_IABT_CUR UL(0x21) ++#define ESR_ELx_EC_PC_ALIGN UL(0x22) + /* Unallocated EC: 0x23 */ +-#define ESR_ELx_EC_DABT_LOW (0x24) +-#define ESR_ELx_EC_DABT_CUR (0x25) +-#define ESR_ELx_EC_SP_ALIGN (0x26) +-#define ESR_ELx_EC_MOPS (0x27) +-#define ESR_ELx_EC_FP_EXC32 (0x28) ++#define ESR_ELx_EC_DABT_LOW UL(0x24) ++#define ESR_ELx_EC_DABT_CUR UL(0x25) ++#define ESR_ELx_EC_SP_ALIGN UL(0x26) ++#define ESR_ELx_EC_MOPS UL(0x27) ++#define ESR_ELx_EC_FP_EXC32 UL(0x28) + /* Unallocated EC: 0x29 - 0x2B */ +-#define ESR_ELx_EC_FP_EXC64 (0x2C) ++#define ESR_ELx_EC_FP_EXC64 UL(0x2C) + /* Unallocated EC: 0x2D - 0x2E */ +-#define ESR_ELx_EC_SERROR (0x2F) +-#define ESR_ELx_EC_BREAKPT_LOW (0x30) +-#define ESR_ELx_EC_BREAKPT_CUR (0x31) +-#define ESR_ELx_EC_SOFTSTP_LOW (0x32) +-#define ESR_ELx_EC_SOFTSTP_CUR (0x33) +-#define ESR_ELx_EC_WATCHPT_LOW (0x34) +-#define ESR_ELx_EC_WATCHPT_CUR (0x35) ++#define ESR_ELx_EC_SERROR UL(0x2F) ++#define ESR_ELx_EC_BREAKPT_LOW UL(0x30) ++#define ESR_ELx_EC_BREAKPT_CUR UL(0x31) ++#define ESR_ELx_EC_SOFTSTP_LOW UL(0x32) ++#define ESR_ELx_EC_SOFTSTP_CUR UL(0x33) ++#define ESR_ELx_EC_WATCHPT_LOW UL(0x34) ++#define ESR_ELx_EC_WATCHPT_CUR UL(0x35) + /* Unallocated EC: 0x36 - 0x37 */ +-#define ESR_ELx_EC_BKPT32 (0x38) ++#define ESR_ELx_EC_BKPT32 UL(0x38) + /* Unallocated EC: 0x39 */ +-#define ESR_ELx_EC_VECTOR32 (0x3A) /* EL2 only */ ++#define ESR_ELx_EC_VECTOR32 UL(0x3A) /* EL2 only */ + /* Unallocated EC: 0x3B */ +-#define ESR_ELx_EC_BRK64 (0x3C) ++#define ESR_ELx_EC_BRK64 UL(0x3C) + /* Unallocated EC: 0x3D - 0x3F */ +-#define ESR_ELx_EC_MAX (0x3F) ++#define ESR_ELx_EC_MAX UL(0x3F) + + #define ESR_ELx_EC_SHIFT (26) + #define ESR_ELx_EC_WIDTH (6) diff --git a/queue-6.10/bcachefs-fix-negative-timespecs.patch b/queue-6.10/bcachefs-fix-negative-timespecs.patch new file mode 100644 index 00000000000..0b5f2699944 --- /dev/null +++ b/queue-6.10/bcachefs-fix-negative-timespecs.patch @@ -0,0 +1,60 @@ +From a3ed1cc4136df01e74a8b6df8c562db69e752bad Mon Sep 17 00:00:00 2001 +From: Alyssa Ross +Date: Sat, 7 Sep 2024 18:00:26 +0200 +Subject: bcachefs: Fix negative timespecs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alyssa Ross + +commit a3ed1cc4136df01e74a8b6df8c562db69e752bad upstream. + +This fixes two problems in the handling of negative times: + + • rem is signed, but the rem * c->sb.nsec_per_time_unit operation + produced a bogus unsigned result, because s32 * u32 = u32. + + • The timespec was not normalized (it could contain more than a + billion nanoseconds). + +For example, { .tv_sec = -14245441, .tv_nsec = 750000000 }, after +being round tripped through timespec_to_bch2_time and then +bch2_time_to_timespec would come back as +{ .tv_sec = -14245440, .tv_nsec = 4044967296 } (more than 4 billion +nanoseconds). + +Cc: stable@vger.kernel.org +Fixes: 595c1e9bab7f ("bcachefs: Fix time handling") +Closes: https://github.com/koverstreet/bcachefs/issues/743 +Co-developed-by: Erin Shepherd +Signed-off-by: Erin Shepherd +Co-developed-by: Ryan Lahfa +Signed-off-by: Ryan Lahfa +Signed-off-by: Alyssa Ross +Signed-off-by: Kent Overstreet +Signed-off-by: Greg Kroah-Hartman +--- + fs/bcachefs/bcachefs.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/bcachefs/bcachefs.h ++++ b/fs/bcachefs/bcachefs.h +@@ -1197,12 +1197,15 @@ static inline bool btree_id_cached(const + static inline struct timespec64 bch2_time_to_timespec(const struct bch_fs *c, s64 time) + { + struct timespec64 t; ++ s64 sec; + s32 rem; + + time += c->sb.time_base_lo; + +- t.tv_sec = div_s64_rem(time, c->sb.time_units_per_sec, &rem); +- t.tv_nsec = rem * c->sb.nsec_per_time_unit; ++ sec = div_s64_rem(time, c->sb.time_units_per_sec, &rem); ++ ++ set_normalized_timespec64(&t, sec, rem * (s64)c->sb.nsec_per_time_unit); ++ + return t; + } + diff --git a/queue-6.10/btrfs-always-update-fstrim_range-on-failure-in-fitrim-ioctl.patch b/queue-6.10/btrfs-always-update-fstrim_range-on-failure-in-fitrim-ioctl.patch new file mode 100644 index 00000000000..1174d754835 --- /dev/null +++ b/queue-6.10/btrfs-always-update-fstrim_range-on-failure-in-fitrim-ioctl.patch @@ -0,0 +1,62 @@ +From 3368597206dc3c6c3c2247ee146beada14c67380 Mon Sep 17 00:00:00 2001 +From: Luca Stefani +Date: Mon, 2 Sep 2024 13:10:53 +0200 +Subject: btrfs: always update fstrim_range on failure in FITRIM ioctl + +From: Luca Stefani + +commit 3368597206dc3c6c3c2247ee146beada14c67380 upstream. + +Even in case of failure we could've discarded some data and userspace +should be made aware of it, so copy fstrim_range to userspace +regardless. + +Also make sure to update the trimmed bytes amount even if +btrfs_trim_free_extents fails. + +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Qu Wenruo +Signed-off-by: Luca Stefani +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 4 ++-- + fs/btrfs/ioctl.c | 4 +--- + 2 files changed, 3 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -6426,13 +6426,13 @@ int btrfs_trim_fs(struct btrfs_fs_info * + continue; + + ret = btrfs_trim_free_extents(device, &group_trimmed); ++ ++ trimmed += group_trimmed; + if (ret) { + dev_failed++; + dev_ret = ret; + break; + } +- +- trimmed += group_trimmed; + } + mutex_unlock(&fs_devices->device_list_mutex); + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -543,13 +543,11 @@ static noinline int btrfs_ioctl_fitrim(s + + range.minlen = max(range.minlen, minlen); + ret = btrfs_trim_fs(fs_info, &range); +- if (ret < 0) +- return ret; + + if (copy_to_user(arg, &range, sizeof(range))) + return -EFAULT; + +- return 0; ++ return ret; + } + + int __pure btrfs_is_empty_uuid(u8 *uuid) diff --git a/queue-6.10/btrfs-fix-race-setting-file-private-on-concurrent-lseek-using-same-fd.patch b/queue-6.10/btrfs-fix-race-setting-file-private-on-concurrent-lseek-using-same-fd.patch new file mode 100644 index 00000000000..e69dac7a64f --- /dev/null +++ b/queue-6.10/btrfs-fix-race-setting-file-private-on-concurrent-lseek-using-same-fd.patch @@ -0,0 +1,146 @@ +From 7ee85f5515e86a4e2a2f51969795920733912bad Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 3 Sep 2024 10:55:36 +0100 +Subject: btrfs: fix race setting file private on concurrent lseek using same fd + +From: Filipe Manana + +commit 7ee85f5515e86a4e2a2f51969795920733912bad upstream. + +When doing concurrent lseek(2) system calls against the same file +descriptor, using multiple threads belonging to the same process, we have +a short time window where a race happens and can result in a memory leak. + +The race happens like this: + +1) A program opens a file descriptor for a file and then spawns two + threads (with the pthreads library for example), lets call them + task A and task B; + +2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at + file.c:find_desired_extent() while holding a read lock on the inode; + +3) At the start of find_desired_extent(), it extracts the file's + private_data pointer into a local variable named 'private', which has + a value of NULL; + +4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode + in shared mode and enters file.c:find_desired_extent(), where it also + extracts file->private_data into its local variable 'private', which + has a NULL value; + +5) Because it saw a NULL file private, task A allocates a private + structure and assigns to the file structure; + +6) Task B also saw a NULL file private so it also allocates its own file + private and then assigns it to the same file structure, since both + tasks are using the same file descriptor. + + At this point we leak the private structure allocated by task A. + +Besides the memory leak, there's also the detail that both tasks end up +using the same cached state record in the private structure (struct +btrfs_file_private::llseek_cached_state), which can result in a +use-after-free problem since one task can free it while the other is +still using it (only one task took a reference count on it). Also, sharing +the cached state is not a good idea since it could result in incorrect +results in the future - right now it should not be a problem because it +end ups being used only in extent-io-tree.c:count_range_bits() where we do +range validation before using the cached state. + +Fix this by protecting the private assignment and check of a file while +holding the inode's spinlock and keep track of the task that allocated +the private, so that it's used only by that task in order to prevent +user-after-free issues with the cached state record as well as potentially +using it incorrectly in the future. + +Fixes: 3c32c7212f16 ("btrfs: use cached state when looking for delalloc ranges with lseek") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/btrfs_inode.h | 1 + + fs/btrfs/ctree.h | 2 ++ + fs/btrfs/file.c | 34 +++++++++++++++++++++++++++++++--- + 3 files changed, 34 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/btrfs_inode.h ++++ b/fs/btrfs/btrfs_inode.h +@@ -126,6 +126,7 @@ struct btrfs_inode { + * logged_trans), to access/update delalloc_bytes, new_delalloc_bytes, + * defrag_bytes, disk_i_size, outstanding_extents, csum_bytes and to + * update the VFS' inode number of bytes used. ++ * Also protects setting struct file::private_data. + */ + spinlock_t lock; + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -457,6 +457,8 @@ struct btrfs_file_private { + void *filldir_buf; + u64 last_index; + struct extent_state *llseek_cached_state; ++ /* Task that allocated this structure. */ ++ struct task_struct *owner_task; + }; + + static inline u32 BTRFS_LEAF_DATA_SIZE(const struct btrfs_fs_info *info) +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -3689,7 +3689,7 @@ static bool find_desired_extent_in_hole( + static loff_t find_desired_extent(struct file *file, loff_t offset, int whence) + { + struct btrfs_inode *inode = BTRFS_I(file->f_mapping->host); +- struct btrfs_file_private *private = file->private_data; ++ struct btrfs_file_private *private; + struct btrfs_fs_info *fs_info = inode->root->fs_info; + struct extent_state *cached_state = NULL; + struct extent_state **delalloc_cached_state; +@@ -3717,7 +3717,19 @@ static loff_t find_desired_extent(struct + inode_get_bytes(&inode->vfs_inode) == i_size) + return i_size; + +- if (!private) { ++ spin_lock(&inode->lock); ++ private = file->private_data; ++ spin_unlock(&inode->lock); ++ ++ if (private && private->owner_task != current) { ++ /* ++ * Not allocated by us, don't use it as its cached state is used ++ * by the task that allocated it and we don't want neither to ++ * mess with it nor get incorrect results because it reflects an ++ * invalid state for the current task. ++ */ ++ private = NULL; ++ } else if (!private) { + private = kzalloc(sizeof(*private), GFP_KERNEL); + /* + * No worries if memory allocation failed. +@@ -3725,7 +3737,23 @@ static loff_t find_desired_extent(struct + * lseek SEEK_HOLE/DATA calls to a file when there's delalloc, + * so everything will still be correct. + */ +- file->private_data = private; ++ if (private) { ++ bool free = false; ++ ++ private->owner_task = current; ++ ++ spin_lock(&inode->lock); ++ if (file->private_data) ++ free = true; ++ else ++ file->private_data = private; ++ spin_unlock(&inode->lock); ++ ++ if (free) { ++ kfree(private); ++ private = NULL; ++ } ++ } + } + + if (private) diff --git a/queue-6.10/btrfs-tree-checker-fix-the-wrong-output-of-data-backref-objectid.patch b/queue-6.10/btrfs-tree-checker-fix-the-wrong-output-of-data-backref-objectid.patch new file mode 100644 index 00000000000..6cd446a1c66 --- /dev/null +++ b/queue-6.10/btrfs-tree-checker-fix-the-wrong-output-of-data-backref-objectid.patch @@ -0,0 +1,59 @@ +From b0b595e61d97de61c15b379b754b2caa90e83e5c Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 11 Sep 2024 07:06:45 +0930 +Subject: btrfs: tree-checker: fix the wrong output of data backref objectid + +From: Qu Wenruo + +commit b0b595e61d97de61c15b379b754b2caa90e83e5c upstream. + +[BUG] +There are some reports about invalid data backref objectids, the report +looks like this: + + BTRFS critical (device sda): corrupt leaf: block=333654787489792 slot=110 extent bytenr=333413935558656 len=65536 invalid data ref objectid value 2543 + +The data ref objectid is the inode number inside the subvolume. + +But in above case, the value is completely sane, not really showing the +problem. + +[CAUSE] +The root cause of the problem is the deprecated feature, inode cache. + +This feature results a special inode number, -12ULL, and it's no longer +recognized by tree-checker, triggering the error. + +The direct problem here is the output of data ref objectid. The value +shown is in fact the dref_root (subvolume id), not the dref_objectid +(inode number). + +[FIX] +Fix the output to use dref_objectid instead. + +Reported-by: Neil Parton +Reported-by: Archange +Link: https://lore.kernel.org/linux-btrfs/CAAYHqBbrrgmh6UmW3ANbysJX9qG9Pbg3ZwnKsV=5mOpv_qix_Q@mail.gmail.com/ +Link: https://lore.kernel.org/linux-btrfs/9541deea-9056-406e-be16-a996b549614d@archlinux.org/ +Fixes: f333a3c7e832 ("btrfs: tree-checker: validate dref root and objectid") +CC: stable@vger.kernel.org # 6.11 +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -1499,7 +1499,7 @@ static int check_extent_item(struct exte + dref_objectid > BTRFS_LAST_FREE_OBJECTID)) { + extent_err(leaf, slot, + "invalid data ref objectid value %llu", +- dref_root); ++ dref_objectid); + return -EUCLEAN; + } + if (unlikely(!IS_ALIGNED(dref_offset, diff --git a/queue-6.10/cpuidle-riscv-sbi-use-scoped-device-node-handling-to-fix-missing-of_node_put.patch b/queue-6.10/cpuidle-riscv-sbi-use-scoped-device-node-handling-to-fix-missing-of_node_put.patch new file mode 100644 index 00000000000..b1624b5ce0d --- /dev/null +++ b/queue-6.10/cpuidle-riscv-sbi-use-scoped-device-node-handling-to-fix-missing-of_node_put.patch @@ -0,0 +1,82 @@ +From a309320ddbac6b1583224fcb6bacd424bcf8637f Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 20 Aug 2024 11:40:22 +0200 +Subject: cpuidle: riscv-sbi: Use scoped device node handling to fix missing of_node_put + +From: Krzysztof Kozlowski + +commit a309320ddbac6b1583224fcb6bacd424bcf8637f upstream. + +Two return statements in sbi_cpuidle_dt_init_states() did not drop the +OF node reference count. Solve the issue and simplify entire error +handling with scoped/cleanup.h. + +Fixes: 6abf32f1d9c5 ("cpuidle: Add RISC-V SBI CPU idle driver") +Cc: All applicable +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Anup Patel +Link: https://patch.msgid.link/20240820094023.61155-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/cpuidle-riscv-sbi.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/drivers/cpuidle/cpuidle-riscv-sbi.c ++++ b/drivers/cpuidle/cpuidle-riscv-sbi.c +@@ -8,6 +8,7 @@ + + #define pr_fmt(fmt) "cpuidle-riscv-sbi: " fmt + ++#include + #include + #include + #include +@@ -236,19 +237,16 @@ static int sbi_cpuidle_dt_init_states(st + { + struct sbi_cpuidle_data *data = per_cpu_ptr(&sbi_cpuidle_data, cpu); + struct device_node *state_node; +- struct device_node *cpu_node; + u32 *states; + int i, ret; + +- cpu_node = of_cpu_device_node_get(cpu); ++ struct device_node *cpu_node __free(device_node) = of_cpu_device_node_get(cpu); + if (!cpu_node) + return -ENODEV; + + states = devm_kcalloc(dev, state_count, sizeof(*states), GFP_KERNEL); +- if (!states) { +- ret = -ENOMEM; +- goto fail; +- } ++ if (!states) ++ return -ENOMEM; + + /* Parse SBI specific details from state DT nodes */ + for (i = 1; i < state_count; i++) { +@@ -264,10 +262,8 @@ static int sbi_cpuidle_dt_init_states(st + + pr_debug("sbi-state %#x index %d\n", states[i], i); + } +- if (i != state_count) { +- ret = -ENODEV; +- goto fail; +- } ++ if (i != state_count) ++ return -ENODEV; + + /* Initialize optional data, used for the hierarchical topology. */ + ret = sbi_dt_cpu_init_topology(drv, data, state_count, cpu); +@@ -277,10 +273,7 @@ static int sbi_cpuidle_dt_init_states(st + /* Store states in the per-cpu struct. */ + data->states = states; + +-fail: +- of_node_put(cpu_node); +- +- return ret; ++ return 0; + } + + static void sbi_cpuidle_deinit_cpu(int cpu) diff --git a/queue-6.10/dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch b/queue-6.10/dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch new file mode 100644 index 00000000000..e31f71a9e6a --- /dev/null +++ b/queue-6.10/dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch @@ -0,0 +1,34 @@ +From 12736adc43b7cd5cb83f274f8f37b0f89d107c97 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Thu, 5 Sep 2024 17:43:35 +0800 +Subject: dt-bindings: spi: nxp-fspi: add imx8ulp support + +From: Haibo Chen + +commit 12736adc43b7cd5cb83f274f8f37b0f89d107c97 upstream. + +The flexspi on imx8ulp only has 16 number of LUTs, it is different +with flexspi on other imx SoC which has 32 number of LUTs. + +Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node") +Cc: stable@kernel.org +Acked-by: Krzysztof Kozlowski +Signed-off-by: Haibo Chen +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20240905094338.1986871-2-haibo.chen@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml ++++ b/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml +@@ -21,6 +21,7 @@ properties: + - nxp,imx8mm-fspi + - nxp,imx8mp-fspi + - nxp,imx8qxp-fspi ++ - nxp,imx8ulp-fspi + - nxp,lx2160a-fspi + - items: + - enum: diff --git a/queue-6.10/edac-igen6-fix-conversion-of-system-address-to-physical-memory-address.patch b/queue-6.10/edac-igen6-fix-conversion-of-system-address-to-physical-memory-address.patch new file mode 100644 index 00000000000..b6479b40377 --- /dev/null +++ b/queue-6.10/edac-igen6-fix-conversion-of-system-address-to-physical-memory-address.patch @@ -0,0 +1,35 @@ +From 0ad875f442e95d69a1145a38aabac2fd29984fe3 Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Wed, 14 Aug 2024 14:10:11 +0800 +Subject: EDAC/igen6: Fix conversion of system address to physical memory address + +From: Qiuxu Zhuo + +commit 0ad875f442e95d69a1145a38aabac2fd29984fe3 upstream. + +The conversion of system address to physical memory address (as viewed by +the memory controller) by igen6_edac is incorrect when the system address +is above the TOM (Total amount Of populated physical Memory) for Elkhart +Lake and Ice Lake (Neural Network Processor). Fix this conversion. + +Fixes: 10590a9d4f23 ("EDAC/igen6: Add EDAC driver for Intel client SoCs using IBECC") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/stable/20240814061011.43545-1-qiuxu.zhuo%40intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/igen6_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -311,7 +311,7 @@ static u64 ehl_err_addr_to_imc_addr(u64 + if (igen6_tom <= _4GB) + return eaddr + igen6_tolud - _4GB; + +- if (eaddr < _4GB) ++ if (eaddr >= igen6_tom) + return eaddr + igen6_tolud - igen6_tom; + + return eaddr; diff --git a/queue-6.10/eventpoll-annotate-data-race-of-busy_poll_usecs.patch b/queue-6.10/eventpoll-annotate-data-race-of-busy_poll_usecs.patch new file mode 100644 index 00000000000..f4e072c634a --- /dev/null +++ b/queue-6.10/eventpoll-annotate-data-race-of-busy_poll_usecs.patch @@ -0,0 +1,40 @@ +From b9ca079dd6b09e08863aa998edf5c47597806c05 Mon Sep 17 00:00:00 2001 +From: Martin Karsten +Date: Tue, 6 Aug 2024 12:33:01 +0000 +Subject: eventpoll: Annotate data-race of busy_poll_usecs + +From: Martin Karsten + +commit b9ca079dd6b09e08863aa998edf5c47597806c05 upstream. + +A struct eventpoll's busy_poll_usecs field can be modified via a user +ioctl at any time. All reads of this field should be annotated with +READ_ONCE. + +Fixes: 85455c795c07 ("eventpoll: support busy poll per epoll instance") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Karsten +Link: https://lore.kernel.org/r/20240806123301.167557-1-jdamato@fastly.com +Reviewed-by: Joe Damato +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/eventpoll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 6c0a1e9715ea..145f5349c612 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -420,7 +420,7 @@ static bool busy_loop_ep_timeout(unsigned long start_time, + + static bool ep_busy_loop_on(struct eventpoll *ep) + { +- return !!ep->busy_poll_usecs || net_busy_loop_on(); ++ return !!READ_ONCE(ep->busy_poll_usecs) || net_busy_loop_on(); + } + + static bool ep_busy_loop_end(void *p, unsigned long start_time) +-- +2.46.2 + diff --git a/queue-6.10/f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch b/queue-6.10/f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch new file mode 100644 index 00000000000..741ad30c0ed --- /dev/null +++ b/queue-6.10/f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch @@ -0,0 +1,43 @@ +From 50438dbc483ca6a133d2bce9d5d6747bcee38371 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Wed, 24 Jul 2024 10:51:58 -0700 +Subject: f2fs: avoid potential int overflow in sanity_check_area_boundary() + +From: Nikita Zhandarovich + +commit 50438dbc483ca6a133d2bce9d5d6747bcee38371 upstream. + +While calculating the end addresses of main area and segment 0, u32 +may be not enough to hold the result without the danger of int +overflow. + +Just in case, play it safe and cast one of the operands to a +wider type (u64). + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: fd694733d523 ("f2fs: cover large section in sanity check of super") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -3366,9 +3366,9 @@ static inline bool sanity_check_area_bou + u32 segment_count = le32_to_cpu(raw_super->segment_count); + u32 log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); + u64 main_end_blkaddr = main_blkaddr + +- (segment_count_main << log_blocks_per_seg); ++ ((u64)segment_count_main << log_blocks_per_seg); + u64 seg_end_blkaddr = segment0_blkaddr + +- (segment_count << log_blocks_per_seg); ++ ((u64)segment_count << log_blocks_per_seg); + + if (segment0_blkaddr != cp_blkaddr) { + f2fs_info(sbi, "Mismatch start address, segment0(%u) cp_blkaddr(%u)", diff --git a/queue-6.10/f2fs-check-discard-support-for-conventional-zones.patch b/queue-6.10/f2fs-check-discard-support-for-conventional-zones.patch new file mode 100644 index 00000000000..b9e55be3c55 --- /dev/null +++ b/queue-6.10/f2fs-check-discard-support-for-conventional-zones.patch @@ -0,0 +1,68 @@ +From 43aec4d01bd2ce961817a777b3846f8318f398e4 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Fri, 16 Aug 2024 13:07:03 +0900 +Subject: f2fs: check discard support for conventional zones + +From: Shin'ichiro Kawasaki + +commit 43aec4d01bd2ce961817a777b3846f8318f398e4 upstream. + +As the helper function f2fs_bdev_support_discard() shows, f2fs checks if +the target block devices support discard by calling +bdev_max_discard_sectors() and bdev_is_zoned(). This check works well +for most cases, but it does not work for conventional zones on zoned +block devices. F2fs assumes that zoned block devices support discard, +and calls __submit_discard_cmd(). When __submit_discard_cmd() is called +for sequential write required zones, it works fine since +__submit_discard_cmd() issues zone reset commands instead of discard +commands. However, when __submit_discard_cmd() is called for +conventional zones, __blkdev_issue_discard() is called even when the +devices do not support discard. + +The inappropriate __blkdev_issue_discard() call was not a problem before +the commit 30f1e7241422 ("block: move discard checks into the ioctl +handler") because __blkdev_issue_discard() checked if the target devices +support discard or not. If not, it returned EOPNOTSUPP. After the +commit, __blkdev_issue_discard() no longer checks it. It always returns +zero and sets NULL to the given bio pointer. This NULL pointer triggers +f2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the +commands below at the umount step, where /dev/nullb0 is a zoned null_blk +with 5GB total size, 128MB zone size and 10 conventional zones. + +$ mkfs.f2fs -f -m /dev/nullb0 +$ mount /dev/nullb0 /mnt +$ for ((i=0;i<5;i++)); do dd if=/dev/zero of=/mnt/test bs=65536 count=1600 conv=fsync; done +$ umount /mnt + +To fix the BUG, avoid the inappropriate __blkdev_issue_discard() call. +When discard is requested for conventional zones, check if the device +supports discard or not. If not, return EOPNOTSUPP. + +Fixes: 30f1e7241422 ("block: move discard checks into the ioctl handler") +Cc: stable@vger.kernel.org +Signed-off-by: Shin'ichiro Kawasaki +Reviewed-by: Damien Le Moal +Reviewed-by: Chao Yu +Reviewed-by: Christoph Hellwig +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/segment.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1290,6 +1290,13 @@ static int __submit_discard_cmd(struct f + wait_list, issued); + return 0; + } ++ ++ /* ++ * Issue discard for conventional zones only if the device ++ * supports discard. ++ */ ++ if (!bdev_max_discard_sectors(bdev)) ++ return -EOPNOTSUPP; + } + #endif + diff --git a/queue-6.10/f2fs-fix-several-potential-integer-overflows-in-file-offsets.patch b/queue-6.10/f2fs-fix-several-potential-integer-overflows-in-file-offsets.patch new file mode 100644 index 00000000000..eba713af0ba --- /dev/null +++ b/queue-6.10/f2fs-fix-several-potential-integer-overflows-in-file-offsets.patch @@ -0,0 +1,62 @@ +From 1cade98cf6415897bf9342ee451cc5b40b58c638 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Wed, 24 Jul 2024 10:28:38 -0700 +Subject: f2fs: fix several potential integer overflows in file offsets + +From: Nikita Zhandarovich + +commit 1cade98cf6415897bf9342ee451cc5b40b58c638 upstream. + +When dealing with large extents and calculating file offsets by +summing up according extent offsets and lengths of unsigned int type, +one may encounter possible integer overflow if the values are +big enough. + +Prevent this from happening by expanding one of the addends to +(pgoff_t) type. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: d323d005ac4a ("f2fs: support file defragment") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/extent_cache.c | 4 ++-- + fs/f2fs/file.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -366,7 +366,7 @@ static unsigned int __free_extent_tree(s + static void __drop_largest_extent(struct extent_tree *et, + pgoff_t fofs, unsigned int len) + { +- if (fofs < et->largest.fofs + et->largest.len && ++ if (fofs < (pgoff_t)et->largest.fofs + et->largest.len && + fofs + len > et->largest.fofs) { + et->largest.len = 0; + et->largest_updated = true; +@@ -456,7 +456,7 @@ static bool __lookup_extent_tree(struct + + if (type == EX_READ && + et->largest.fofs <= pgofs && +- et->largest.fofs + et->largest.len > pgofs) { ++ (pgoff_t)et->largest.fofs + et->largest.len > pgofs) { + *ei = et->largest; + ret = true; + stat_inc_largest_node_hit(sbi); +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2718,7 +2718,7 @@ static int f2fs_defragment_range(struct + * block addresses are continuous. + */ + if (f2fs_lookup_read_extent_cache(inode, pg_start, &ei)) { +- if (ei.fofs + ei.len >= pg_end) ++ if ((pgoff_t)ei.fofs + ei.len >= pg_end) + goto out; + } + diff --git a/queue-6.10/f2fs-fix-to-check-atomic_file-in-f2fs-ioctl-interfaces.patch b/queue-6.10/f2fs-fix-to-check-atomic_file-in-f2fs-ioctl-interfaces.patch new file mode 100644 index 00000000000..69f54f070bc --- /dev/null +++ b/queue-6.10/f2fs-fix-to-check-atomic_file-in-f2fs-ioctl-interfaces.patch @@ -0,0 +1,58 @@ +From bfe5c02654261bfb8bd9cb174a67f3279ea99e58 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 4 Sep 2024 11:20:47 +0800 +Subject: f2fs: fix to check atomic_file in f2fs ioctl interfaces + +From: Chao Yu + +commit bfe5c02654261bfb8bd9cb174a67f3279ea99e58 upstream. + +Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(), +f2fs_move_file_range(), and f2fs_defragment_range() missed to +check atomic_write status, which may cause potential race issue, +fix it. + +Cc: stable@vger.kernel.org +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2703,7 +2703,8 @@ static int f2fs_defragment_range(struct + (range->start + range->len) >> PAGE_SHIFT, + DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE)); + +- if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED)) { ++ if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED) || ++ f2fs_is_atomic_file(inode)) { + err = -EINVAL; + goto unlock_out; + } +@@ -2936,6 +2937,11 @@ static int f2fs_move_file_range(struct f + goto out_unlock; + } + ++ if (f2fs_is_atomic_file(src) || f2fs_is_atomic_file(dst)) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + ret = -EINVAL; + if (pos_in + len > src->i_size || pos_in + len < pos_in) + goto out_unlock; +@@ -3319,6 +3325,11 @@ static int f2fs_ioc_set_pin_file(struct + + inode_lock(inode); + ++ if (f2fs_is_atomic_file(inode)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + if (!pin) { + clear_inode_flag(inode, FI_PIN_FILE); + f2fs_i_gc_failures_write(inode, 0); diff --git a/queue-6.10/f2fs-prevent-possible-int-overflow-in-dir_block_index.patch b/queue-6.10/f2fs-prevent-possible-int-overflow-in-dir_block_index.patch new file mode 100644 index 00000000000..f78e01e3999 --- /dev/null +++ b/queue-6.10/f2fs-prevent-possible-int-overflow-in-dir_block_index.patch @@ -0,0 +1,42 @@ +From 47f268f33dff4a5e31541a990dc09f116f80e61c Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Wed, 24 Jul 2024 10:05:44 -0700 +Subject: f2fs: prevent possible int overflow in dir_block_index() + +From: Nikita Zhandarovich + +commit 47f268f33dff4a5e31541a990dc09f116f80e61c upstream. + +The result of multiplication between values derived from functions +dir_buckets() and bucket_blocks() *could* technically reach +2^30 * 2^2 = 2^32. + +While unlikely to happen, it is prudent to ensure that it will not +lead to integer overflow. Thus, use mul_u32_u32() as it's more +appropriate to mitigate the issue. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 3843154598a0 ("f2fs: introduce large directory support") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -157,7 +157,8 @@ static unsigned long dir_block_index(uns + unsigned long bidx = 0; + + for (i = 0; i < level; i++) +- bidx += dir_buckets(i, dir_level) * bucket_blocks(i); ++ bidx += mul_u32_u32(dir_buckets(i, dir_level), ++ bucket_blocks(i)); + bidx += idx * bucket_blocks(level); + return bidx; + } diff --git a/queue-6.10/f2fs-require-fmode_write-for-atomic-write-ioctls.patch b/queue-6.10/f2fs-require-fmode_write-for-atomic-write-ioctls.patch new file mode 100644 index 00000000000..53d1f3a9a1f --- /dev/null +++ b/queue-6.10/f2fs-require-fmode_write-for-atomic-write-ioctls.patch @@ -0,0 +1,71 @@ +From 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 6 Aug 2024 16:07:16 +0200 +Subject: f2fs: Require FMODE_WRITE for atomic write ioctls + +From: Jann Horn + +commit 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e upstream. + +The F2FS ioctls for starting and committing atomic writes check for +inode_owner_or_capable(), but this does not give LSMs like SELinux or +Landlock an opportunity to deny the write access - if the caller's FSUID +matches the inode's UID, inode_owner_or_capable() immediately returns true. + +There are scenarios where LSMs want to deny a process the ability to write +particular files, even files that the FSUID of the process owns; but this +can currently partially be bypassed using atomic write ioctls in two ways: + + - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can + truncate an inode to size 0 + - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert + changes another process concurrently made to a file + +Fix it by requiring FMODE_WRITE for these operations, just like for +F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these +ioctls when intending to write into the file, that seems unlikely to break +anything. + +Fixes: 88b88a667971 ("f2fs: support atomic writes") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Reviewed-by: Chao Yu +Reviewed-by: Eric Biggers +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2122,6 +2122,9 @@ static int f2fs_ioc_start_atomic_write(s + loff_t isize; + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(idmap, inode)) + return -EACCES; + +@@ -2229,6 +2232,9 @@ static int f2fs_ioc_commit_atomic_write( + struct mnt_idmap *idmap = file_mnt_idmap(filp); + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(idmap, inode)) + return -EACCES; + +@@ -2261,6 +2267,9 @@ static int f2fs_ioc_abort_atomic_write(s + struct mnt_idmap *idmap = file_mnt_idmap(filp); + int ret; + ++ if (!(filp->f_mode & FMODE_WRITE)) ++ return -EBADF; ++ + if (!inode_owner_or_capable(idmap, inode)) + return -EACCES; + diff --git a/queue-6.10/fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch b/queue-6.10/fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch new file mode 100644 index 00000000000..b181aca2e73 --- /dev/null +++ b/queue-6.10/fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch @@ -0,0 +1,90 @@ +From 26f204380a3c182e5adf1a798db0724d6111b597 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 21 Aug 2024 11:56:05 +0200 +Subject: fs: Fix file_set_fowner LSM hook inconsistencies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 26f204380a3c182e5adf1a798db0724d6111b597 upstream. + +The fcntl's F_SETOWN command sets the process that handle SIGIO/SIGURG +for the related file descriptor. Before this change, the +file_set_fowner LSM hook was always called, ignoring the VFS logic which +may not actually change the process that handles SIGIO (e.g. TUN, TTY, +dnotify), nor update the related UID/EUID. + +Moreover, because security_file_set_fowner() was called without lock +(e.g. f_owner.lock), concurrent F_SETOWN commands could result to a race +condition and inconsistent LSM states (e.g. SELinux's fown_sid) compared +to struct fown_struct's UID/EUID. + +This change makes sure the LSM states are always in sync with the VFS +state by moving the security_file_set_fowner() call close to the +UID/EUID updates and using the same f_owner.lock . + +Rename f_modown() to __f_setown() to simplify code. + +Cc: stable@vger.kernel.org +Cc: Al Viro +Cc: Casey Schaufler +Cc: Christian Brauner +Cc: James Morris +Cc: Jann Horn +Cc: Ondrej Mosnacek +Cc: Paul Moore +Cc: Serge E. Hallyn +Cc: Stephen Smalley +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Mickaël Salaün +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + fs/fcntl.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -87,8 +87,8 @@ static int setfl(int fd, struct file * f + return error; + } + +-static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, +- int force) ++void __f_setown(struct file *filp, struct pid *pid, enum pid_type type, ++ int force) + { + write_lock_irq(&filp->f_owner.lock); + if (force || !filp->f_owner.pid) { +@@ -98,19 +98,13 @@ static void f_modown(struct file *filp, + + if (pid) { + const struct cred *cred = current_cred(); ++ security_file_set_fowner(filp); + filp->f_owner.uid = cred->uid; + filp->f_owner.euid = cred->euid; + } + } + write_unlock_irq(&filp->f_owner.lock); + } +- +-void __f_setown(struct file *filp, struct pid *pid, enum pid_type type, +- int force) +-{ +- security_file_set_fowner(filp); +- f_modown(filp, pid, type, force); +-} + EXPORT_SYMBOL(__f_setown); + + int f_setown(struct file *filp, int who, int force) +@@ -146,7 +140,7 @@ EXPORT_SYMBOL(f_setown); + + void f_delown(struct file *filp) + { +- f_modown(filp, NULL, PIDTYPE_TGID, 1); ++ __f_setown(filp, NULL, PIDTYPE_TGID, 1); + } + + pid_t f_getown(struct file *filp) diff --git a/queue-6.10/hwrng-bcm2835-add-missing-clk_disable_unprepare-in-bcm2835_rng_init.patch b/queue-6.10/hwrng-bcm2835-add-missing-clk_disable_unprepare-in-bcm2835_rng_init.patch new file mode 100644 index 00000000000..0734eb8a3d8 --- /dev/null +++ b/queue-6.10/hwrng-bcm2835-add-missing-clk_disable_unprepare-in-bcm2835_rng_init.patch @@ -0,0 +1,36 @@ +From d57e2f7cffd57fe2800332dec768ec1b67a4159f Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui +Date: Sat, 3 Aug 2024 14:49:22 +0800 +Subject: hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init + +From: Gaosheng Cui + +commit d57e2f7cffd57fe2800332dec768ec1b67a4159f upstream. + +Add the missing clk_disable_unprepare() before return in +bcm2835_rng_init(). + +Fixes: e5f9f41d5e62 ("hwrng: bcm2835 - add reset support") +Cc: +Signed-off-by: Gaosheng Cui +Reviewed-by: Florian Fainelli +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/bcm2835-rng.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/char/hw_random/bcm2835-rng.c ++++ b/drivers/char/hw_random/bcm2835-rng.c +@@ -94,8 +94,10 @@ static int bcm2835_rng_init(struct hwrng + return ret; + + ret = reset_control_reset(priv->reset); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(priv->clk); + return ret; ++ } + + if (priv->mask_interrupts) { + /* mask the interrupt */ diff --git a/queue-6.10/hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch b/queue-6.10/hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch new file mode 100644 index 00000000000..7bde312eed7 --- /dev/null +++ b/queue-6.10/hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch @@ -0,0 +1,31 @@ +From 4b7acc85de14ee8a2236f54445dc635d47eceac0 Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui +Date: Sat, 3 Aug 2024 14:49:23 +0800 +Subject: hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume + +From: Gaosheng Cui + +commit 4b7acc85de14ee8a2236f54445dc635d47eceac0 upstream. + +Add the missing clk_disable_unprepare() before return in +cctrng_resume(). + +Fixes: a583ed310bb6 ("hwrng: cctrng - introduce Arm CryptoCell driver") +Cc: +Signed-off-by: Gaosheng Cui +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/cctrng.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/char/hw_random/cctrng.c ++++ b/drivers/char/hw_random/cctrng.c +@@ -622,6 +622,7 @@ static int __maybe_unused cctrng_resume( + /* wait for Cryptocell reset completion */ + if (!cctrng_wait_for_reset_completion(drvdata)) { + dev_err(dev, "Cryptocell reset not completed"); ++ clk_disable_unprepare(drvdata->clk); + return -EBUSY; + } + diff --git a/queue-6.10/hwrng-mtk-use-devm_pm_runtime_enable.patch b/queue-6.10/hwrng-mtk-use-devm_pm_runtime_enable.patch new file mode 100644 index 00000000000..baef892eeae --- /dev/null +++ b/queue-6.10/hwrng-mtk-use-devm_pm_runtime_enable.patch @@ -0,0 +1,37 @@ +From 78cb66caa6ab5385ac2090f1aae5f3c19e08f522 Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Mon, 26 Aug 2024 15:04:15 +0800 +Subject: hwrng: mtk - Use devm_pm_runtime_enable + +From: Guoqing Jiang + +commit 78cb66caa6ab5385ac2090f1aae5f3c19e08f522 upstream. + +Replace pm_runtime_enable with the devres-enabled version which +can trigger pm_runtime_disable. + +Otherwise, the below appears during reload driver. + +mtk_rng 1020f000.rng: Unbalanced pm_runtime_enable! + +Fixes: 81d2b34508c6 ("hwrng: mtk - add runtime PM support") +Cc: +Suggested-by: Chen-Yu Tsai +Signed-off-by: Guoqing Jiang +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/mtk-rng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/hw_random/mtk-rng.c ++++ b/drivers/char/hw_random/mtk-rng.c +@@ -142,7 +142,7 @@ static int mtk_rng_probe(struct platform + dev_set_drvdata(&pdev->dev, priv); + pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); +- pm_runtime_enable(&pdev->dev); ++ devm_pm_runtime_enable(&pdev->dev); + + dev_info(&pdev->dev, "registered RNG driver\n"); + diff --git a/queue-6.10/icmp-change-the-order-of-rate-limits.patch b/queue-6.10/icmp-change-the-order-of-rate-limits.patch new file mode 100644 index 00000000000..954fd7bbb97 --- /dev/null +++ b/queue-6.10/icmp-change-the-order-of-rate-limits.patch @@ -0,0 +1,374 @@ +From 8c2bd38b95f75f3d2a08c93e35303e26d480d24e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 29 Aug 2024 14:46:39 +0000 +Subject: icmp: change the order of rate limits + +From: Eric Dumazet + +commit 8c2bd38b95f75f3d2a08c93e35303e26d480d24e upstream. + +ICMP messages are ratelimited : + +After the blamed commits, the two rate limiters are applied in this order: + +1) host wide ratelimit (icmp_global_allow()) + +2) Per destination ratelimit (inetpeer based) + +In order to avoid side-channels attacks, we need to apply +the per destination check first. + +This patch makes the following change : + +1) icmp_global_allow() checks if the host wide limit is reached. + But credits are not yet consumed. This is deferred to 3) + +2) The per destination limit is checked/updated. + This might add a new node in inetpeer tree. + +3) icmp_global_consume() consumes tokens if prior operations succeeded. + +This means that host wide ratelimit is still effective +in keeping inetpeer tree small even under DDOS. + +As a bonus, I removed icmp_global.lock as the fast path +can use a lock-free operation. + +Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited") +Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") +Reported-by: Keyu Man +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Cc: Jesper Dangaard Brouer +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20240829144641.3880376-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 2 + + net/ipv4/icmp.c | 103 +++++++++++++++++++++++++++++-------------------------- + net/ipv6/icmp.c | 28 +++++++++----- + 3 files changed, 76 insertions(+), 57 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -795,6 +795,8 @@ static inline void ip_cmsg_recv(struct m + } + + bool icmp_global_allow(void); ++void icmp_global_consume(void); ++ + extern int sysctl_icmp_msgs_per_sec; + extern int sysctl_icmp_msgs_burst; + +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -224,57 +224,59 @@ int sysctl_icmp_msgs_per_sec __read_most + int sysctl_icmp_msgs_burst __read_mostly = 50; + + static struct { +- spinlock_t lock; +- u32 credit; ++ atomic_t credit; + u32 stamp; +-} icmp_global = { +- .lock = __SPIN_LOCK_UNLOCKED(icmp_global.lock), +-}; ++} icmp_global; + + /** + * icmp_global_allow - Are we allowed to send one more ICMP message ? + * + * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec. + * Returns false if we reached the limit and can not send another packet. +- * Note: called with BH disabled ++ * Works in tandem with icmp_global_consume(). + */ + bool icmp_global_allow(void) + { +- u32 credit, delta, incr = 0, now = (u32)jiffies; +- bool rc = false; ++ u32 delta, now, oldstamp; ++ int incr, new, old; + +- /* Check if token bucket is empty and cannot be refilled +- * without taking the spinlock. The READ_ONCE() are paired +- * with the following WRITE_ONCE() in this same function. ++ /* Note: many cpus could find this condition true. ++ * Then later icmp_global_consume() could consume more credits, ++ * this is an acceptable race. + */ +- if (!READ_ONCE(icmp_global.credit)) { +- delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ); +- if (delta < HZ / 50) +- return false; +- } ++ if (atomic_read(&icmp_global.credit) > 0) ++ return true; + +- spin_lock(&icmp_global.lock); +- delta = min_t(u32, now - icmp_global.stamp, HZ); +- if (delta >= HZ / 50) { +- incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; +- if (incr) +- WRITE_ONCE(icmp_global.stamp, now); +- } +- credit = min_t(u32, icmp_global.credit + incr, +- READ_ONCE(sysctl_icmp_msgs_burst)); +- if (credit) { +- /* We want to use a credit of one in average, but need to randomize +- * it for security reasons. +- */ +- credit = max_t(int, credit - get_random_u32_below(3), 0); +- rc = true; ++ now = jiffies; ++ oldstamp = READ_ONCE(icmp_global.stamp); ++ delta = min_t(u32, now - oldstamp, HZ); ++ if (delta < HZ / 50) ++ return false; ++ ++ incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ; ++ if (!incr) ++ return false; ++ ++ if (cmpxchg(&icmp_global.stamp, oldstamp, now) == oldstamp) { ++ old = atomic_read(&icmp_global.credit); ++ do { ++ new = min(old + incr, READ_ONCE(sysctl_icmp_msgs_burst)); ++ } while (!atomic_try_cmpxchg(&icmp_global.credit, &old, new)); + } +- WRITE_ONCE(icmp_global.credit, credit); +- spin_unlock(&icmp_global.lock); +- return rc; ++ return true; + } + EXPORT_SYMBOL(icmp_global_allow); + ++void icmp_global_consume(void) ++{ ++ int credits = get_random_u32_below(3); ++ ++ /* Note: this might make icmp_global.credit negative. */ ++ if (credits) ++ atomic_sub(credits, &icmp_global.credit); ++} ++EXPORT_SYMBOL(icmp_global_consume); ++ + static bool icmpv4_mask_allow(struct net *net, int type, int code) + { + if (type > NR_ICMP_TYPES) +@@ -291,14 +293,16 @@ static bool icmpv4_mask_allow(struct net + return false; + } + +-static bool icmpv4_global_allow(struct net *net, int type, int code) ++static bool icmpv4_global_allow(struct net *net, int type, int code, ++ bool *apply_ratelimit) + { + if (icmpv4_mask_allow(net, type, code)) + return true; + +- if (icmp_global_allow()) ++ if (icmp_global_allow()) { ++ *apply_ratelimit = true; + return true; +- ++ } + __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL); + return false; + } +@@ -308,15 +312,16 @@ static bool icmpv4_global_allow(struct n + */ + + static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, +- struct flowi4 *fl4, int type, int code) ++ struct flowi4 *fl4, int type, int code, ++ bool apply_ratelimit) + { + struct dst_entry *dst = &rt->dst; + struct inet_peer *peer; + bool rc = true; + int vif; + +- if (icmpv4_mask_allow(net, type, code)) +- goto out; ++ if (!apply_ratelimit) ++ return true; + + /* No rate limit on loopback */ + if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) +@@ -331,6 +336,8 @@ static bool icmpv4_xrlim_allow(struct ne + out: + if (!rc) + __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST); ++ else ++ icmp_global_consume(); + return rc; + } + +@@ -402,6 +409,7 @@ static void icmp_reply(struct icmp_bxm * + struct ipcm_cookie ipc; + struct rtable *rt = skb_rtable(skb); + struct net *net = dev_net(rt->dst.dev); ++ bool apply_ratelimit = false; + struct flowi4 fl4; + struct sock *sk; + struct inet_sock *inet; +@@ -413,11 +421,11 @@ static void icmp_reply(struct icmp_bxm * + if (ip_options_echo(net, &icmp_param->replyopts.opt.opt, skb)) + return; + +- /* Needed by both icmp_global_allow and icmp_xmit_lock */ ++ /* Needed by both icmpv4_global_allow and icmp_xmit_lock */ + local_bh_disable(); + +- /* global icmp_msgs_per_sec */ +- if (!icmpv4_global_allow(net, type, code)) ++ /* is global icmp_msgs_per_sec exhausted ? */ ++ if (!icmpv4_global_allow(net, type, code, &apply_ratelimit)) + goto out_bh_enable; + + sk = icmp_xmit_lock(net); +@@ -450,7 +458,7 @@ static void icmp_reply(struct icmp_bxm * + rt = ip_route_output_key(net, &fl4); + if (IS_ERR(rt)) + goto out_unlock; +- if (icmpv4_xrlim_allow(net, rt, &fl4, type, code)) ++ if (icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit)) + icmp_push_reply(sk, icmp_param, &fl4, &ipc, &rt); + ip_rt_put(rt); + out_unlock: +@@ -596,6 +604,7 @@ void __icmp_send(struct sk_buff *skb_in, + int room; + struct icmp_bxm icmp_param; + struct rtable *rt = skb_rtable(skb_in); ++ bool apply_ratelimit = false; + struct ipcm_cookie ipc; + struct flowi4 fl4; + __be32 saddr; +@@ -677,7 +686,7 @@ void __icmp_send(struct sk_buff *skb_in, + } + } + +- /* Needed by both icmp_global_allow and icmp_xmit_lock */ ++ /* Needed by both icmpv4_global_allow and icmp_xmit_lock */ + local_bh_disable(); + + /* Check global sysctl_icmp_msgs_per_sec ratelimit, unless +@@ -685,7 +694,7 @@ void __icmp_send(struct sk_buff *skb_in, + * loopback, then peer ratelimit still work (in icmpv4_xrlim_allow) + */ + if (!(skb_in->dev && (skb_in->dev->flags&IFF_LOOPBACK)) && +- !icmpv4_global_allow(net, type, code)) ++ !icmpv4_global_allow(net, type, code, &apply_ratelimit)) + goto out_bh_enable; + + sk = icmp_xmit_lock(net); +@@ -744,7 +753,7 @@ void __icmp_send(struct sk_buff *skb_in, + goto out_unlock; + + /* peer icmp_ratelimit */ +- if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code)) ++ if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit)) + goto ende; + + /* RFC says return as much as we can without exceeding 576 bytes. */ +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -175,14 +175,16 @@ static bool icmpv6_mask_allow(struct net + return false; + } + +-static bool icmpv6_global_allow(struct net *net, int type) ++static bool icmpv6_global_allow(struct net *net, int type, ++ bool *apply_ratelimit) + { + if (icmpv6_mask_allow(net, type)) + return true; + +- if (icmp_global_allow()) ++ if (icmp_global_allow()) { ++ *apply_ratelimit = true; + return true; +- ++ } + __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL); + return false; + } +@@ -191,13 +193,13 @@ static bool icmpv6_global_allow(struct n + * Check the ICMP output rate limit + */ + static bool icmpv6_xrlim_allow(struct sock *sk, u8 type, +- struct flowi6 *fl6) ++ struct flowi6 *fl6, bool apply_ratelimit) + { + struct net *net = sock_net(sk); + struct dst_entry *dst; + bool res = false; + +- if (icmpv6_mask_allow(net, type)) ++ if (!apply_ratelimit) + return true; + + /* +@@ -228,6 +230,8 @@ static bool icmpv6_xrlim_allow(struct so + if (!res) + __ICMP6_INC_STATS(net, ip6_dst_idev(dst), + ICMP6_MIB_RATELIMITHOST); ++ else ++ icmp_global_consume(); + dst_release(dst); + return res; + } +@@ -452,6 +456,7 @@ void icmp6_send(struct sk_buff *skb, u8 + struct net *net; + struct ipv6_pinfo *np; + const struct in6_addr *saddr = NULL; ++ bool apply_ratelimit = false; + struct dst_entry *dst; + struct icmp6hdr tmp_hdr; + struct flowi6 fl6; +@@ -533,11 +538,12 @@ void icmp6_send(struct sk_buff *skb, u8 + return; + } + +- /* Needed by both icmp_global_allow and icmpv6_xmit_lock */ ++ /* Needed by both icmpv6_global_allow and icmpv6_xmit_lock */ + local_bh_disable(); + + /* Check global sysctl_icmp_msgs_per_sec ratelimit */ +- if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type)) ++ if (!(skb->dev->flags & IFF_LOOPBACK) && ++ !icmpv6_global_allow(net, type, &apply_ratelimit)) + goto out_bh_enable; + + mip6_addr_swap(skb, parm); +@@ -575,7 +581,7 @@ void icmp6_send(struct sk_buff *skb, u8 + + np = inet6_sk(sk); + +- if (!icmpv6_xrlim_allow(sk, type, &fl6)) ++ if (!icmpv6_xrlim_allow(sk, type, &fl6, apply_ratelimit)) + goto out; + + tmp_hdr.icmp6_type = type; +@@ -717,6 +723,7 @@ static enum skb_drop_reason icmpv6_echo_ + struct ipv6_pinfo *np; + const struct in6_addr *saddr = NULL; + struct icmp6hdr *icmph = icmp6_hdr(skb); ++ bool apply_ratelimit = false; + struct icmp6hdr tmp_hdr; + struct flowi6 fl6; + struct icmpv6_msg msg; +@@ -781,8 +788,9 @@ static enum skb_drop_reason icmpv6_echo_ + goto out; + + /* Check the ratelimit */ +- if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) || +- !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6)) ++ if ((!(skb->dev->flags & IFF_LOOPBACK) && ++ !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY, &apply_ratelimit)) || ++ !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6, apply_ratelimit)) + goto out_dst_release; + + idev = __in6_dev_get(skb->dev); diff --git a/queue-6.10/lsm-add-the-inode_free_security_rcu-lsm-implementation-hook.patch b/queue-6.10/lsm-add-the-inode_free_security_rcu-lsm-implementation-hook.patch new file mode 100644 index 00000000000..d3937a5335d --- /dev/null +++ b/queue-6.10/lsm-add-the-inode_free_security_rcu-lsm-implementation-hook.patch @@ -0,0 +1,183 @@ +From 63dff3e48871b0583be5032ff8fb7260c349a18c Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 9 Jul 2024 19:43:06 -0400 +Subject: lsm: add the inode_free_security_rcu() LSM implementation hook + +From: Paul Moore + +commit 63dff3e48871b0583be5032ff8fb7260c349a18c upstream. + +The LSM framework has an existing inode_free_security() hook which +is used by LSMs that manage state associated with an inode, but +due to the use of RCU to protect the inode, special care must be +taken to ensure that the LSMs do not fully release the inode state +until it is safe from a RCU perspective. + +This patch implements a new inode_free_security_rcu() implementation +hook which is called when it is safe to free the LSM's internal inode +state. Unfortunately, this new hook does not have access to the inode +itself as it may already be released, so the existing +inode_free_security() hook is retained for those LSMs which require +access to the inode. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+5446fbf332b0602ede0b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/00000000000076ba3b0617f65cc8@google.com +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 1 + + security/integrity/ima/ima.h | 2 +- + security/integrity/ima/ima_iint.c | 20 ++++++++------------ + security/integrity/ima/ima_main.c | 2 +- + security/landlock/fs.c | 9 ++++++--- + security/security.c | 32 ++++++++++++++++---------------- + 6 files changed, 33 insertions(+), 33 deletions(-) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -114,6 +114,7 @@ LSM_HOOK(int, 0, path_notify, const stru + unsigned int obj_type) + LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode) + LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode) ++LSM_HOOK(void, LSM_RET_VOID, inode_free_security_rcu, void *inode_security) + LSM_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode, + struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, + int *xattr_count) +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -223,7 +223,7 @@ static inline void ima_inode_set_iint(co + + struct ima_iint_cache *ima_iint_find(struct inode *inode); + struct ima_iint_cache *ima_inode_get(struct inode *inode); +-void ima_inode_free(struct inode *inode); ++void ima_inode_free_rcu(void *inode_security); + void __init ima_iintcache_init(void); + + extern const int read_idmap[]; +--- a/security/integrity/ima/ima_iint.c ++++ b/security/integrity/ima/ima_iint.c +@@ -109,22 +109,18 @@ struct ima_iint_cache *ima_inode_get(str + } + + /** +- * ima_inode_free - Called on inode free +- * @inode: Pointer to the inode ++ * ima_inode_free_rcu - Called to free an inode via a RCU callback ++ * @inode_security: The inode->i_security pointer + * +- * Free the iint associated with an inode. ++ * Free the IMA data associated with an inode. + */ +-void ima_inode_free(struct inode *inode) ++void ima_inode_free_rcu(void *inode_security) + { +- struct ima_iint_cache *iint; ++ struct ima_iint_cache **iint_p = inode_security + ima_blob_sizes.lbs_inode; + +- if (!IS_IMA(inode)) +- return; +- +- iint = ima_iint_find(inode); +- ima_inode_set_iint(inode, NULL); +- +- ima_iint_free(iint); ++ /* *iint_p should be NULL if !IS_IMA(inode) */ ++ if (*iint_p) ++ ima_iint_free(*iint_p); + } + + static void ima_iint_init_once(void *foo) +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -1193,7 +1193,7 @@ static struct security_hook_list ima_hoo + #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS + LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request), + #endif +- LSM_HOOK_INIT(inode_free_security, ima_inode_free), ++ LSM_HOOK_INIT(inode_free_security_rcu, ima_inode_free_rcu), + }; + + static const struct lsm_id ima_lsmid = { +--- a/security/landlock/fs.c ++++ b/security/landlock/fs.c +@@ -1207,13 +1207,16 @@ static int current_check_refer_path(stru + + /* Inode hooks */ + +-static void hook_inode_free_security(struct inode *const inode) ++static void hook_inode_free_security_rcu(void *inode_security) + { ++ struct landlock_inode_security *inode_sec; ++ + /* + * All inodes must already have been untied from their object by + * release_inode() or hook_sb_delete(). + */ +- WARN_ON_ONCE(landlock_inode(inode)->object); ++ inode_sec = inode_security + landlock_blob_sizes.lbs_inode; ++ WARN_ON_ONCE(inode_sec->object); + } + + /* Super-block hooks */ +@@ -1637,7 +1640,7 @@ static int hook_file_ioctl_compat(struct + } + + static struct security_hook_list landlock_hooks[] __ro_after_init = { +- LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), ++ LSM_HOOK_INIT(inode_free_security_rcu, hook_inode_free_security_rcu), + + LSM_HOOK_INIT(sb_delete, hook_sb_delete), + LSM_HOOK_INIT(sb_mount, hook_sb_mount), +--- a/security/security.c ++++ b/security/security.c +@@ -1596,9 +1596,8 @@ int security_inode_alloc(struct inode *i + + static void inode_free_by_rcu(struct rcu_head *head) + { +- /* +- * The rcu head is at the start of the inode blob +- */ ++ /* The rcu head is at the start of the inode blob */ ++ call_void_hook(inode_free_security_rcu, head); + kmem_cache_free(lsm_inode_cache, head); + } + +@@ -1606,23 +1605,24 @@ static void inode_free_by_rcu(struct rcu + * security_inode_free() - Free an inode's LSM blob + * @inode: the inode + * +- * Deallocate the inode security structure and set @inode->i_security to NULL. ++ * Release any LSM resources associated with @inode, although due to the ++ * inode's RCU protections it is possible that the resources will not be ++ * fully released until after the current RCU grace period has elapsed. ++ * ++ * It is important for LSMs to note that despite being present in a call to ++ * security_inode_free(), @inode may still be referenced in a VFS path walk ++ * and calls to security_inode_permission() may be made during, or after, ++ * a call to security_inode_free(). For this reason the inode->i_security ++ * field is released via a call_rcu() callback and any LSMs which need to ++ * retain inode state for use in security_inode_permission() should only ++ * release that state in the inode_free_security_rcu() LSM hook callback. + */ + void security_inode_free(struct inode *inode) + { + call_void_hook(inode_free_security, inode); +- /* +- * The inode may still be referenced in a path walk and +- * a call to security_inode_permission() can be made +- * after inode_free_security() is called. Ideally, the VFS +- * wouldn't do this, but fixing that is a much harder +- * job. For now, simply free the i_security via RCU, and +- * leave the current inode->i_security pointer intact. +- * The inode will be freed after the RCU grace period too. +- */ +- if (inode->i_security) +- call_rcu((struct rcu_head *)inode->i_security, +- inode_free_by_rcu); ++ if (!inode->i_security) ++ return; ++ call_rcu((struct rcu_head *)inode->i_security, inode_free_by_rcu); + } + + /** diff --git a/queue-6.10/md-don-t-flush-sync_work-in-md_write_start.patch b/queue-6.10/md-don-t-flush-sync_work-in-md_write_start.patch new file mode 100644 index 00000000000..4837607eda3 --- /dev/null +++ b/queue-6.10/md-don-t-flush-sync_work-in-md_write_start.patch @@ -0,0 +1,35 @@ +From 86ad4cda79e0dade87d4bb0d32e1fe541d4a63e8 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Thu, 1 Aug 2024 20:47:46 +0800 +Subject: md: Don't flush sync_work in md_write_start() + +From: Yu Kuai + +commit 86ad4cda79e0dade87d4bb0d32e1fe541d4a63e8 upstream. + +Because flush sync_work may trigger mddev_suspend() if there are spares, +and this should never be done in IO path because mddev_suspend() is used +to wait for IO. + +This problem is found by code review. + +Fixes: bc08041b32ab ("md: suspend array in md_start_sync() if array need reconfiguration") +Cc: stable@vger.kernel.org +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240801124746.242558-1-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8648,7 +8648,6 @@ void md_write_start(struct mddev *mddev, + BUG_ON(mddev->ro == MD_RDONLY); + if (mddev->ro == MD_AUTO_READ) { + /* need to switch to read/write */ +- flush_work(&mddev->sync_work); + mddev->ro = MD_RDWR; + set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); + md_wakeup_thread(mddev->thread); diff --git a/queue-6.10/netfs-delete-subtree-of-fs-netfs-when-netfs-module-exits.patch b/queue-6.10/netfs-delete-subtree-of-fs-netfs-when-netfs-module-exits.patch new file mode 100644 index 00000000000..75e8ee6ccf9 --- /dev/null +++ b/queue-6.10/netfs-delete-subtree-of-fs-netfs-when-netfs-module-exits.patch @@ -0,0 +1,61 @@ +From 3c58a9575e02c2b90a3180007d57105ceaa7c246 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 26 Aug 2024 19:34:04 +0800 +Subject: netfs: Delete subtree of 'fs/netfs' when netfs module exits + +From: Baokun Li + +commit 3c58a9575e02c2b90a3180007d57105ceaa7c246 upstream. + +In netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs', +but in netfs_exit(), we only delete the proc entry of 'fs/netfs' without +deleting its subtree. This triggers the following WARNING: + +================================================================== +remove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests' +WARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0 +Modules linked in: netfs(-) +CPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860 +RIP: 0010:remove_proc_entry+0x160/0x1c0 +Call Trace: + + netfs_exit+0x12/0x620 [netfs] + __do_sys_delete_module.isra.0+0x14c/0x2e0 + do_syscall_64+0x4b/0x110 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +================================================================== + +Therefore use remove_proc_subtree() instead of remove_proc_entry() to +fix the above problem. + +Fixes: 7eb5b3e3a0a5 ("netfs, fscache: Move /proc/fs/fscache to /proc/fs/netfs and put in a symlink") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Link: https://lore.kernel.org/r/20240826113404.3214786-1-libaokun@huaweicloud.com +Acked-by: David Howells +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/netfs/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/netfs/main.c ++++ b/fs/netfs/main.c +@@ -138,7 +138,7 @@ static int __init netfs_init(void) + + error_fscache: + error_procfile: +- remove_proc_entry("fs/netfs", NULL); ++ remove_proc_subtree("fs/netfs", NULL); + error_proc: + mempool_exit(&netfs_subrequest_pool); + error_subreqpool: +@@ -155,7 +155,7 @@ fs_initcall(netfs_init); + static void __exit netfs_exit(void) + { + fscache_exit(); +- remove_proc_entry("fs/netfs", NULL); ++ remove_proc_subtree("fs/netfs", NULL); + mempool_exit(&netfs_subrequest_pool); + kmem_cache_destroy(netfs_subrequest_slab); + mempool_exit(&netfs_request_pool); diff --git a/queue-6.10/nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch b/queue-6.10/nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch new file mode 100644 index 00000000000..18dc2c93a92 --- /dev/null +++ b/queue-6.10/nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch @@ -0,0 +1,35 @@ +From 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 Mon Sep 17 00:00:00 2001 +From: Li Lingfeng +Date: Wed, 4 Sep 2024 20:34:57 +0800 +Subject: nfs: fix memory leak in error path of nfs4_do_reclaim + +From: Li Lingfeng + +commit 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 upstream. + +Commit c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in +nfs4_do_reclaim()") separate out the freeing of the state owners from +nfs4_purge_state_owners() and finish it outside the rcu lock. +However, the error path is omitted. As a result, the state owners in +"freeme" will not be released. +Fix it by adding freeing in the error path. + +Fixes: c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()") +Signed-off-by: Li Lingfeng +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4state.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1956,6 +1956,7 @@ restart: + set_bit(ops->owner_flag_bit, &sp->so_flags); + nfs4_put_state_owner(sp); + status = nfs4_recovery_handle_error(clp, status); ++ nfs4_free_state_owners(&freeme); + return (status != 0) ? status : -EAGAIN; + } + diff --git a/queue-6.10/padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch b/queue-6.10/padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch new file mode 100644 index 00000000000..31ee6d445de --- /dev/null +++ b/queue-6.10/padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch @@ -0,0 +1,46 @@ +From 9a22b2812393d93d84358a760c347c21939029a6 Mon Sep 17 00:00:00 2001 +From: VanGiang Nguyen +Date: Fri, 9 Aug 2024 06:21:42 +0000 +Subject: padata: use integer wrap around to prevent deadlock on seq_nr overflow + +From: VanGiang Nguyen + +commit 9a22b2812393d93d84358a760c347c21939029a6 upstream. + +When submitting more than 2^32 padata objects to padata_do_serial, the +current sorting implementation incorrectly sorts padata objects with +overflowed seq_nr, causing them to be placed before existing objects in +the reorder list. This leads to a deadlock in the serialization process +as padata_find_next cannot match padata->seq_nr and pd->processed +because the padata instance with overflowed seq_nr will be selected +next. + +To fix this, we use an unsigned integer wrap around to correctly sort +padata objects in scenarios with integer overflow. + +Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs") +Cc: +Co-developed-by: Christian Gafert +Signed-off-by: Christian Gafert +Co-developed-by: Max Ferger +Signed-off-by: Max Ferger +Signed-off-by: Van Giang Nguyen +Acked-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + kernel/padata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -404,7 +404,8 @@ void padata_do_serial(struct padata_priv + /* Sort in ascending order of sequence number. */ + list_for_each_prev(pos, &reorder->list) { + cur = list_entry(pos, struct padata_priv, list); +- if (cur->seq_nr < padata->seq_nr) ++ /* Compare by difference to consider integer wrap around */ ++ if ((signed int)(cur->seq_nr - padata->seq_nr) < 0) + break; + } + list_add(&padata->list, pos); diff --git a/queue-6.10/series b/queue-6.10/series index 36ef4b20ec0..36de71ca69f 100644 --- a/queue-6.10/series +++ b/queue-6.10/series @@ -561,3 +561,38 @@ wifi-rtw88-8822c-fix-reported-rx-band-width.patch wifi-rtw88-8703b-fix-reported-rx-band-width.patch wifi-mt76-mt7615-check-devm_kasprintf-returned-value.patch debugobjects-fix-conditions-in-fill_pool.patch +btrfs-fix-race-setting-file-private-on-concurrent-lseek-using-same-fd.patch +btrfs-tree-checker-fix-the-wrong-output-of-data-backref-objectid.patch +btrfs-always-update-fstrim_range-on-failure-in-fitrim-ioctl.patch +f2fs-fix-several-potential-integer-overflows-in-file-offsets.patch +f2fs-prevent-possible-int-overflow-in-dir_block_index.patch +f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch +f2fs-require-fmode_write-for-atomic-write-ioctls.patch +f2fs-check-discard-support-for-conventional-zones.patch +f2fs-fix-to-check-atomic_file-in-f2fs-ioctl-interfaces.patch +hwrng-mtk-use-devm_pm_runtime_enable.patch +hwrng-bcm2835-add-missing-clk_disable_unprepare-in-bcm2835_rng_init.patch +hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch +arm64-esr-define-esr_elx_ec_-constants-as-ul.patch +arm64-errata-enable-the-ac03_cpu_38-workaround-for-ampere1a.patch +arm64-dts-mediatek-mt8186-corsola-disable-dpi-display-interface.patch +arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch +arm64-dts-qcom-sa8775p-mark-apps-and-pcie-smmus-as-dma-coherent.patch +arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch +vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch +netfs-delete-subtree-of-fs-netfs-when-netfs-module-exits.patch +fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch +nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch +bcachefs-fix-negative-timespecs.patch +edac-igen6-fix-conversion-of-system-address-to-physical-memory-address.patch +icmp-change-the-order-of-rate-limits.patch +eventpoll-annotate-data-race-of-busy_poll_usecs.patch +md-don-t-flush-sync_work-in-md_write_start.patch +cpuidle-riscv-sbi-use-scoped-device-node-handling-to-fix-missing-of_node_put.patch +padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch +lsm-add-the-inode_free_security_rcu-lsm-implementation-hook.patch +spi-fspi-involve-lut_num-for-struct-nxp_fspi_devtype_data.patch +dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch +arm-dts-imx6ul-geam-fix-fsl-pins-property-in-tscgrp-pinctrl.patch +arm-dts-imx6ull-seeed-npi-fix-fsl-pins-property-in-tscgrp-pinctrl.patch +tools-nolibc-include-arch.h-from-string.h.patch diff --git a/queue-6.10/spi-fspi-involve-lut_num-for-struct-nxp_fspi_devtype_data.patch b/queue-6.10/spi-fspi-involve-lut_num-for-struct-nxp_fspi_devtype_data.patch new file mode 100644 index 00000000000..7a9a1e96aca --- /dev/null +++ b/queue-6.10/spi-fspi-involve-lut_num-for-struct-nxp_fspi_devtype_data.patch @@ -0,0 +1,163 @@ +From 190b7e2efb1ed8435fc7431d9c7a2447d05d5066 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Thu, 5 Sep 2024 17:43:36 +0800 +Subject: spi: fspi: involve lut_num for struct nxp_fspi_devtype_data + +From: Haibo Chen + +commit 190b7e2efb1ed8435fc7431d9c7a2447d05d5066 upstream. + +The flexspi on different SoCs may have different number of LUTs. +So involve lut_num in nxp_fspi_devtype_data to make distinguish. +This patch prepare for the adding of imx8ulp. + +Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node") +Cc: stable@kernel.org +Signed-off-by: Haibo Chen +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20240905094338.1986871-3-haibo.chen@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-nxp-fspi.c | 44 +++++++++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 19 deletions(-) + +--- a/drivers/spi/spi-nxp-fspi.c ++++ b/drivers/spi/spi-nxp-fspi.c +@@ -57,13 +57,6 @@ + #include + #include + +-/* +- * The driver only uses one single LUT entry, that is updated on +- * each call of exec_op(). Index 0 is preset at boot with a basic +- * read operation, so let's use the last entry (31). +- */ +-#define SEQID_LUT 31 +- + /* Registers used by the driver */ + #define FSPI_MCR0 0x00 + #define FSPI_MCR0_AHB_TIMEOUT(x) ((x) << 24) +@@ -263,9 +256,6 @@ + #define FSPI_TFDR 0x180 + + #define FSPI_LUT_BASE 0x200 +-#define FSPI_LUT_OFFSET (SEQID_LUT * 4 * 4) +-#define FSPI_LUT_REG(idx) \ +- (FSPI_LUT_BASE + FSPI_LUT_OFFSET + (idx) * 4) + + /* register map end */ + +@@ -341,6 +331,7 @@ struct nxp_fspi_devtype_data { + unsigned int txfifo; + unsigned int ahb_buf_size; + unsigned int quirks; ++ unsigned int lut_num; + bool little_endian; + }; + +@@ -349,6 +340,7 @@ static struct nxp_fspi_devtype_data lx21 + .txfifo = SZ_1K, /* (128 * 64 bits) */ + .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */ + .quirks = 0, ++ .lut_num = 32, + .little_endian = true, /* little-endian */ + }; + +@@ -357,6 +349,7 @@ static struct nxp_fspi_devtype_data imx8 + .txfifo = SZ_1K, /* (128 * 64 bits) */ + .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */ + .quirks = 0, ++ .lut_num = 32, + .little_endian = true, /* little-endian */ + }; + +@@ -365,6 +358,7 @@ static struct nxp_fspi_devtype_data imx8 + .txfifo = SZ_1K, /* (128 * 64 bits) */ + .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */ + .quirks = 0, ++ .lut_num = 32, + .little_endian = true, /* little-endian */ + }; + +@@ -373,6 +367,7 @@ static struct nxp_fspi_devtype_data imx8 + .txfifo = SZ_1K, /* (128 * 64 bits) */ + .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */ + .quirks = FSPI_QUIRK_USE_IP_ONLY, ++ .lut_num = 32, + .little_endian = true, /* little-endian */ + }; + +@@ -544,6 +539,8 @@ static void nxp_fspi_prepare_lut(struct + void __iomem *base = f->iobase; + u32 lutval[4] = {}; + int lutidx = 1, i; ++ u32 lut_offset = (f->devtype_data->lut_num - 1) * 4 * 4; ++ u32 target_lut_reg; + + /* cmd */ + lutval[0] |= LUT_DEF(0, LUT_CMD, LUT_PAD(op->cmd.buswidth), +@@ -588,8 +585,10 @@ static void nxp_fspi_prepare_lut(struct + fspi_writel(f, FSPI_LCKER_UNLOCK, f->iobase + FSPI_LCKCR); + + /* fill LUT */ +- for (i = 0; i < ARRAY_SIZE(lutval); i++) +- fspi_writel(f, lutval[i], base + FSPI_LUT_REG(i)); ++ for (i = 0; i < ARRAY_SIZE(lutval); i++) { ++ target_lut_reg = FSPI_LUT_BASE + lut_offset + i * 4; ++ fspi_writel(f, lutval[i], base + target_lut_reg); ++ } + + dev_dbg(f->dev, "CMD[%02x] lutval[0:%08x 1:%08x 2:%08x 3:%08x], size: 0x%08x\n", + op->cmd.opcode, lutval[0], lutval[1], lutval[2], lutval[3], op->data.nbytes); +@@ -876,7 +875,7 @@ static int nxp_fspi_do_op(struct nxp_fsp + void __iomem *base = f->iobase; + int seqnum = 0; + int err = 0; +- u32 reg; ++ u32 reg, seqid_lut; + + reg = fspi_readl(f, base + FSPI_IPRXFCR); + /* invalid RXFIFO first */ +@@ -892,8 +891,9 @@ static int nxp_fspi_do_op(struct nxp_fsp + * the LUT at each exec_op() call. And also specify the DATA + * length, since it's has not been specified in the LUT. + */ ++ seqid_lut = f->devtype_data->lut_num - 1; + fspi_writel(f, op->data.nbytes | +- (SEQID_LUT << FSPI_IPCR1_SEQID_SHIFT) | ++ (seqid_lut << FSPI_IPCR1_SEQID_SHIFT) | + (seqnum << FSPI_IPCR1_SEQNUM_SHIFT), + base + FSPI_IPCR1); + +@@ -1017,7 +1017,7 @@ static int nxp_fspi_default_setup(struct + { + void __iomem *base = f->iobase; + int ret, i; +- u32 reg; ++ u32 reg, seqid_lut; + + /* disable and unprepare clock to avoid glitch pass to controller */ + nxp_fspi_clk_disable_unprep(f); +@@ -1092,11 +1092,17 @@ static int nxp_fspi_default_setup(struct + fspi_writel(f, reg, base + FSPI_FLSHB1CR1); + fspi_writel(f, reg, base + FSPI_FLSHB2CR1); + ++ /* ++ * The driver only uses one single LUT entry, that is updated on ++ * each call of exec_op(). Index 0 is preset at boot with a basic ++ * read operation, so let's use the last entry. ++ */ ++ seqid_lut = f->devtype_data->lut_num - 1; + /* AHB Read - Set lut sequence ID for all CS. */ +- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHA1CR2); +- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHA2CR2); +- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHB1CR2); +- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHB2CR2); ++ fspi_writel(f, seqid_lut, base + FSPI_FLSHA1CR2); ++ fspi_writel(f, seqid_lut, base + FSPI_FLSHA2CR2); ++ fspi_writel(f, seqid_lut, base + FSPI_FLSHB1CR2); ++ fspi_writel(f, seqid_lut, base + FSPI_FLSHB2CR2); + + f->selected = -1; + diff --git a/queue-6.10/tools-nolibc-include-arch.h-from-string.h.patch b/queue-6.10/tools-nolibc-include-arch.h-from-string.h.patch new file mode 100644 index 00000000000..ebaeb584103 --- /dev/null +++ b/queue-6.10/tools-nolibc-include-arch.h-from-string.h.patch @@ -0,0 +1,38 @@ +From 6ea2987c9a7b6c5f37d08a3eaa664c9ff7467670 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Thu, 25 Jul 2024 18:54:18 +0200 +Subject: tools/nolibc: include arch.h from string.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 6ea2987c9a7b6c5f37d08a3eaa664c9ff7467670 upstream. + +string.h tests for the macros NOLIBC_ARCH_HAS_$FUNC to use the +architecture-optimized function variants. +However if string.h is included before arch.h header then that check +does not work, leading to duplicate function definitions. + +Fixes: 553845eebd60 ("tools/nolibc: x86-64: Use `rep movsb` for `memcpy()` and `memmove()`") +Fixes: 12108aa8c1a1 ("tools/nolibc: x86-64: Use `rep stosb` for `memset()`") +Cc: stable@vger.kernel.org +Acked-by: Willy Tarreau +Link: https://lore.kernel.org/r/20240725-arch-has-func-v1-1-5521ed354acd@weissschuh.net +Signed-off-by: Thomas Weißschuh +Signed-off-by: Greg Kroah-Hartman +--- + tools/include/nolibc/string.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/include/nolibc/string.h ++++ b/tools/include/nolibc/string.h +@@ -7,6 +7,7 @@ + #ifndef _NOLIBC_STRING_H + #define _NOLIBC_STRING_H + ++#include "arch.h" + #include "std.h" + + static void *malloc(size_t len); diff --git a/queue-6.10/vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch b/queue-6.10/vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch new file mode 100644 index 00000000000..13b3274d1d9 --- /dev/null +++ b/queue-6.10/vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch @@ -0,0 +1,91 @@ +From 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 Mon Sep 17 00:00:00 2001 +From: Julian Sun +Date: Fri, 23 Aug 2024 21:07:30 +0800 +Subject: vfs: fix race between evice_inodes() and find_inode()&iput() + +From: Julian Sun + +commit 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 upstream. + +Hi, all + +Recently I noticed a bug[1] in btrfs, after digged it into +and I believe it'a race in vfs. + +Let's assume there's a inode (ie ino 261) with i_count 1 is +called by iput(), and there's a concurrent thread calling +generic_shutdown_super(). + +cpu0: cpu1: +iput() // i_count is 1 + ->spin_lock(inode) + ->dec i_count to 0 + ->iput_final() generic_shutdown_super() + ->__inode_add_lru() ->evict_inodes() + // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; + // return before // inode 261 passed the above check + // list_lru_add_obj() // and then schedule out + ->spin_unlock() +// note here: the inode 261 +// was still at sb list and hash list, +// and I_FREEING|I_WILL_FREE was not been set + +btrfs_iget() + // after some function calls + ->find_inode() + // found the above inode 261 + ->spin_lock(inode) + // check I_FREEING|I_WILL_FREE + // and passed + ->__iget() + ->spin_unlock(inode) // schedule back + ->spin_lock(inode) + // check (I_NEW|I_FREEING|I_WILL_FREE) flags, + // passed and set I_FREEING +iput() ->spin_unlock(inode) + ->spin_lock(inode) ->evict() + // dec i_count to 0 + ->iput_final() + ->spin_unlock() + ->evict() + +Now, we have two threads simultaneously evicting +the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) +statement both within clear_inode() and iput(). + +To fix the bug, recheck the inode->i_count after holding i_lock. +Because in the most scenarios, the first check is valid, and +the overhead of spin_lock() can be reduced. + +If there is any misunderstanding, please let me know, thanks. + +[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ +[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() +return false when I reproduced the bug. + +Reported-by: syzbot+67ba3c42bcbb4665d3ad@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad +CC: stable@vger.kernel.org +Fixes: 63997e98a3be ("split invalidate_inodes()") +Signed-off-by: Julian Sun +Link: https://lore.kernel.org/r/20240823130730.658881-1-sunjunchao2870@gmail.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -758,6 +758,10 @@ again: + continue; + + spin_lock(&inode->i_lock); ++ if (atomic_read(&inode->i_count)) { ++ spin_unlock(&inode->i_lock); ++ continue; ++ } + if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) { + spin_unlock(&inode->i_lock); + continue;