From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 06:22:33 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v4.14.323~65 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d5e3527fd9246cedf2a311a93e73df96d25dcd6a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: cpuidle-dt_idle_genpd-add-helper-function-to-remove-genpd-topology.patch dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch drm-amd-disable-s-g-for-apus-when-64gb-or-more-host-memory.patch drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch drm-amd-display-limit-dpia-link-rate-to-hbr3.patch drm-amdgpu-add-s-g-display-parameter.patch drm-amdgpu-fix-possible-uaf-in-amdgpu_cs_pass1.patch drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch drm-nouveau-nvkm-dp-add-workaround-to-fix-dp-1.3-dpcd-issues.patch drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch mptcp-avoid-bogus-reset-on-fallback-close.patch mptcp-fix-disconnect-vs-accept-race.patch net-mana-fix-mana-vf-unload-when-hardware-is-unresponsive.patch nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch nvme-pci-add-nvme_quirk_bogus_nid-for-samsung-pm9b1-256g-and-512g.patch radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch riscv-kexec-handle-r_riscv_call_plt-relocation-type.patch riscv-kexec-load-initrd-high-in-available-memory.patch riscv-mmio-fix-readx-to-delay-ordering.patch selftests-mptcp-join-fix-delete-and-re-add-test.patch selftests-mptcp-join-fix-implicit-ep-test.patch --- diff --git a/queue-6.1/cpuidle-dt_idle_genpd-add-helper-function-to-remove-genpd-topology.patch b/queue-6.1/cpuidle-dt_idle_genpd-add-helper-function-to-remove-genpd-topology.patch new file mode 100644 index 00000000000..5fb59668fc2 --- /dev/null +++ b/queue-6.1/cpuidle-dt_idle_genpd-add-helper-function-to-remove-genpd-topology.patch @@ -0,0 +1,80 @@ +From 9a8fa00dad3c7b260071f2f220cfb00505372c40 Mon Sep 17 00:00:00 2001 +From: Maulik Shah +Date: Mon, 3 Jul 2023 14:25:53 +0530 +Subject: cpuidle: dt_idle_genpd: Add helper function to remove genpd topology + +From: Maulik Shah + +commit 9a8fa00dad3c7b260071f2f220cfb00505372c40 upstream. + +Genpd parent and child domain topology created using dt_idle_pd_init_topology() +needs to be removed during error cases. + +Add new helper function dt_idle_pd_remove_topology() for same. + +Cc: stable@vger.kernel.org +Reviewed-by: Ulf Hanssson +Signed-off-by: Maulik Shah +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/dt_idle_genpd.c | 24 ++++++++++++++++++++++++ + drivers/cpuidle/dt_idle_genpd.h | 7 +++++++ + 2 files changed, 31 insertions(+) + +--- a/drivers/cpuidle/dt_idle_genpd.c ++++ b/drivers/cpuidle/dt_idle_genpd.c +@@ -152,6 +152,30 @@ int dt_idle_pd_init_topology(struct devi + return 0; + } + ++int dt_idle_pd_remove_topology(struct device_node *np) ++{ ++ struct device_node *node; ++ struct of_phandle_args child, parent; ++ int ret; ++ ++ for_each_child_of_node(np, node) { ++ if (of_parse_phandle_with_args(node, "power-domains", ++ "#power-domain-cells", 0, &parent)) ++ continue; ++ ++ child.np = node; ++ child.args_count = 0; ++ ret = of_genpd_remove_subdomain(&parent, &child); ++ of_node_put(parent.np); ++ if (ret) { ++ of_node_put(node); ++ return ret; ++ } ++ } ++ ++ return 0; ++} ++ + struct device *dt_idle_attach_cpu(int cpu, const char *name) + { + struct device *dev; +--- a/drivers/cpuidle/dt_idle_genpd.h ++++ b/drivers/cpuidle/dt_idle_genpd.h +@@ -14,6 +14,8 @@ struct generic_pm_domain *dt_idle_pd_all + + int dt_idle_pd_init_topology(struct device_node *np); + ++int dt_idle_pd_remove_topology(struct device_node *np); ++ + struct device *dt_idle_attach_cpu(int cpu, const char *name); + + void dt_idle_detach_cpu(struct device *dev); +@@ -35,6 +37,11 @@ static inline int dt_idle_pd_init_topolo + { + return 0; + } ++ ++static inline int dt_idle_pd_remove_topology(struct device_node *np) ++{ ++ return 0; ++} + + static inline struct device *dt_idle_attach_cpu(int cpu, const char *name) + { diff --git a/queue-6.1/dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch b/queue-6.1/dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch new file mode 100644 index 00000000000..0b543d24537 --- /dev/null +++ b/queue-6.1/dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch @@ -0,0 +1,98 @@ +From 8cda3ececf07d374774f6a13e5a94bc2dc04c26c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Fri, 26 May 2023 13:54:34 +0300 +Subject: dmaengine: pl330: Return DMA_PAUSED when transaction is paused +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 8cda3ececf07d374774f6a13e5a94bc2dc04c26c upstream. + +pl330_pause() does not set anything to indicate paused condition which +causes pl330_tx_status() to return DMA_IN_PROGRESS. This breaks 8250 +DMA flush after the fix in commit 57e9af7831dc ("serial: 8250_dma: Fix +DMA Rx rearm race"). The function comment for pl330_pause() claims +pause is supported but resume is not which is enough for 8250 DMA flush +to work as long as DMA status reports DMA_PAUSED when appropriate. + +Add PAUSED state for descriptor and mark BUSY descriptors with PAUSED +in pl330_pause(). Return DMA_PAUSED from pl330_tx_status() when the +descriptor is PAUSED. + +Reported-by: Richard Tresidder +Tested-by: Richard Tresidder +Fixes: 88987d2c7534 ("dmaengine: pl330: add DMA_PAUSE feature") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/linux-serial/f8a86ecd-64b1-573f-c2fa-59f541083f1a@electromag.com.au/ +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20230526105434.14959-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -404,6 +404,12 @@ enum desc_status { + */ + BUSY, + /* ++ * Pause was called while descriptor was BUSY. Due to hardware ++ * limitations, only termination is possible for descriptors ++ * that have been paused. ++ */ ++ PAUSED, ++ /* + * Sitting on the channel work_list but xfer done + * by PL330 core + */ +@@ -2041,7 +2047,7 @@ static inline void fill_queue(struct dma + list_for_each_entry(desc, &pch->work_list, node) { + + /* If already submitted */ +- if (desc->status == BUSY) ++ if (desc->status == BUSY || desc->status == PAUSED) + continue; + + ret = pl330_submit_req(pch->thread, desc); +@@ -2326,6 +2332,7 @@ static int pl330_pause(struct dma_chan * + { + struct dma_pl330_chan *pch = to_pchan(chan); + struct pl330_dmac *pl330 = pch->dmac; ++ struct dma_pl330_desc *desc; + unsigned long flags; + + pm_runtime_get_sync(pl330->ddma.dev); +@@ -2335,6 +2342,10 @@ static int pl330_pause(struct dma_chan * + _stop(pch->thread); + spin_unlock(&pl330->lock); + ++ list_for_each_entry(desc, &pch->work_list, node) { ++ if (desc->status == BUSY) ++ desc->status = PAUSED; ++ } + spin_unlock_irqrestore(&pch->lock, flags); + pm_runtime_mark_last_busy(pl330->ddma.dev); + pm_runtime_put_autosuspend(pl330->ddma.dev); +@@ -2425,7 +2436,7 @@ pl330_tx_status(struct dma_chan *chan, d + else if (running && desc == running) + transferred = + pl330_get_current_xferred_count(pch, desc); +- else if (desc->status == BUSY) ++ else if (desc->status == BUSY || desc->status == PAUSED) + /* + * Busy but not running means either just enqueued, + * or finished and not yet marked done +@@ -2442,6 +2453,9 @@ pl330_tx_status(struct dma_chan *chan, d + case DONE: + ret = DMA_COMPLETE; + break; ++ case PAUSED: ++ ret = DMA_PAUSED; ++ break; + case PREP: + case BUSY: + ret = DMA_IN_PROGRESS; diff --git a/queue-6.1/drm-amd-disable-s-g-for-apus-when-64gb-or-more-host-memory.patch b/queue-6.1/drm-amd-disable-s-g-for-apus-when-64gb-or-more-host-memory.patch new file mode 100644 index 00000000000..b06943deae0 --- /dev/null +++ b/queue-6.1/drm-amd-disable-s-g-for-apus-when-64gb-or-more-host-memory.patch @@ -0,0 +1,95 @@ +From 08fffa74d9772d9538338be3f304006c94dde6f0 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 27 Jul 2023 10:22:20 -0500 +Subject: drm/amd: Disable S/G for APUs when 64GB or more host memory + +From: Mario Limonciello + +commit 08fffa74d9772d9538338be3f304006c94dde6f0 upstream. + +Users report a white flickering screen on multiple systems that +is tied to having 64GB or more memory. When S/G is enabled pages +will get pinned to both VRAM carve out and system RAM leading to +this. + +Until it can be fixed properly, disable S/G when 64GB of memory or +more is detected. This will force pages to be pinned into VRAM. +This should fix white screen flickers but if VRAM pressure is +encountered may lead to black screens. It's a trade-off for now. + +Fixes: 81d0bcf99009 ("drm/amdgpu: make display pinning more flexible (v2)") +Cc: Hamza Mahfooz +Cc: Roman Li +Cc: # 6.1.y: bf0207e172703 ("drm/amdgpu: add S/G display parameter") +Cc: # 6.4.y +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2735 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2354 +Signed-off-by: Mario Limonciello +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 26 ++++++++++++++++++++++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +--- + 3 files changed, 29 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -1263,6 +1263,7 @@ int amdgpu_device_gpu_recover(struct amd + void amdgpu_device_pci_config_reset(struct amdgpu_device *adev); + int amdgpu_device_pci_reset(struct amdgpu_device *adev); + bool amdgpu_device_need_post(struct amdgpu_device *adev); ++bool amdgpu_sg_display_supported(struct amdgpu_device *adev); + bool amdgpu_device_pcie_dynamic_switching_supported(void); + bool amdgpu_device_should_use_aspm(struct amdgpu_device *adev); + bool amdgpu_device_aspm_support_quirk(void); +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1334,6 +1334,32 @@ bool amdgpu_device_need_post(struct amdg + } + + /* ++ * On APUs with >= 64GB white flickering has been observed w/ SG enabled. ++ * Disable S/G on such systems until we have a proper fix. ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/2354 ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/2735 ++ */ ++bool amdgpu_sg_display_supported(struct amdgpu_device *adev) ++{ ++ switch (amdgpu_sg_display) { ++ case -1: ++ break; ++ case 0: ++ return false; ++ case 1: ++ return true; ++ default: ++ return false; ++ } ++ if ((totalram_pages() << (PAGE_SHIFT - 10)) + ++ (adev->gmc.real_vram_size / 1024) >= 64000000) { ++ DRM_WARN("Disabling S/G due to >=64GB RAM\n"); ++ return false; ++ } ++ return true; ++} ++ ++/* + * Intel hosts such as Raptor Lake and Sapphire Rapids don't support dynamic + * speed switching. Until we have confirmation from Intel that a specific host + * supports it, it's safer that we keep it disabled for all. +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1634,9 +1634,8 @@ static int amdgpu_dm_init(struct amdgpu_ + } + break; + } +- if (init_data.flags.gpu_vm_support && +- (amdgpu_sg_display == 0)) +- init_data.flags.gpu_vm_support = false; ++ if (init_data.flags.gpu_vm_support) ++ init_data.flags.gpu_vm_support = amdgpu_sg_display_supported(adev); + + if (init_data.flags.gpu_vm_support) + adev->mode_info.gpu_vm_support = true; diff --git a/queue-6.1/drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch b/queue-6.1/drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch new file mode 100644 index 00000000000..1ad71ec6912 --- /dev/null +++ b/queue-6.1/drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch @@ -0,0 +1,48 @@ +From 96b020e2163fb2197266b2f71b1007495206e6bb Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Mon, 31 Jul 2023 07:35:05 -0100 +Subject: drm/amd/display: check attr flag before set cursor degamma on DCN3+ + +From: Melissa Wen + +commit 96b020e2163fb2197266b2f71b1007495206e6bb upstream. + +Don't set predefined degamma curve to cursor plane if the cursor +attribute flag is not set. Applying a degamma curve to the cursor by +default breaks userspace expectation. Checking the flag before +performing any color transformation prevents too dark cursor gamma in +DCN3+ on many Linux desktop environment (KDE Plasma, GNOME, +wlroots-based, etc.) as reported at: +- https://gitlab.freedesktop.org/drm/amd/-/issues/1513 + +This is the same approach followed by DCN2 drivers where the issue is +not present. + +Fixes: 03f54d7d3448 ("drm/amd/display: Add DCN3 DPP") +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1513 +Signed-off-by: Melissa Wen +Reviewed-by: Harry Wentland +Tested-by: Alex Hung +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dpp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dpp.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_dpp.c +@@ -357,8 +357,11 @@ void dpp3_set_cursor_attributes( + int cur_rom_en = 0; + + if (color_format == CURSOR_MODE_COLOR_PRE_MULTIPLIED_ALPHA || +- color_format == CURSOR_MODE_COLOR_UN_PRE_MULTIPLIED_ALPHA) +- cur_rom_en = 1; ++ color_format == CURSOR_MODE_COLOR_UN_PRE_MULTIPLIED_ALPHA) { ++ if (cursor_attributes->attribute_flags.bits.ENABLE_CURSOR_DEGAMMA) { ++ cur_rom_en = 1; ++ } ++ } + + REG_UPDATE_3(CURSOR0_CONTROL, + CUR0_MODE, color_format, diff --git a/queue-6.1/drm-amd-display-limit-dpia-link-rate-to-hbr3.patch b/queue-6.1/drm-amd-display-limit-dpia-link-rate-to-hbr3.patch new file mode 100644 index 00000000000..b7f896c32c5 --- /dev/null +++ b/queue-6.1/drm-amd-display-limit-dpia-link-rate-to-hbr3.patch @@ -0,0 +1,44 @@ +From 0e69ef6ea82e8eece7d2b2b45a0da9670eaaefff Mon Sep 17 00:00:00 2001 +From: Peichen Huang +Date: Wed, 31 May 2023 13:36:14 +0800 +Subject: drm/amd/display: limit DPIA link rate to HBR3 + +From: Peichen Huang + +commit 0e69ef6ea82e8eece7d2b2b45a0da9670eaaefff upstream. + +[Why] +DPIA doesn't support UHBR, driver should not enable UHBR +for dp tunneling + +[How] +limit DPIA link rate to HBR3 + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Acked-by: Stylon Wang +Signed-off-by: Peichen Huang +Reviewed-by: Mustapha Ghaddar +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_link.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -1141,6 +1141,11 @@ static bool detect_link_and_local_sink(s + (link->dpcd_caps.dongle_type != + DISPLAY_DONGLE_DP_HDMI_CONVERTER)) + converter_disable_audio = true; ++ ++ /* limited link rate to HBR3 for DPIA until we implement USB4 V2 */ ++ if (link->ep_type == DISPLAY_ENDPOINT_USB4_DPIA && ++ link->reported_link_cap.link_rate > LINK_RATE_HIGH3) ++ link->reported_link_cap.link_rate = LINK_RATE_HIGH3; + break; + } + diff --git a/queue-6.1/drm-amdgpu-add-s-g-display-parameter.patch b/queue-6.1/drm-amdgpu-add-s-g-display-parameter.patch new file mode 100644 index 00000000000..cd0f091964c --- /dev/null +++ b/queue-6.1/drm-amdgpu-add-s-g-display-parameter.patch @@ -0,0 +1,85 @@ +From bf0207e1727031798f300afa17f9bbeceac6da87 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 9 Feb 2023 09:00:02 -0500 +Subject: drm/amdgpu: add S/G display parameter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit bf0207e1727031798f300afa17f9bbeceac6da87 upstream. + +Some users have reported flickerng with S/G display. We've +tried extensively to reproduce and debug the issue on a wide +variety of platform configurations (DRAM bandwidth, etc.) and +a variety of monitors, but so far have not been able to. We +disabled S/G display on a number of platforms to address this +but that leads to failure to pin framebuffers errors and +blank displays when there is memory pressure or no displays +at all on systems with limited carveout (e.g., Chromebooks). +Add a option to disable this as a debugging option as a +way for users to disable this, depending on their use case, +and for us to help debug this further. + +v2: fix typo + +Reviewed-by: Harry Wentland +Acked-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 11 +++++++++++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++ + 3 files changed, 15 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -242,6 +242,7 @@ extern int amdgpu_num_kcq; + + #define AMDGPU_VCNFW_LOG_SIZE (32 * 1024) + extern int amdgpu_vcnfw_log; ++extern int amdgpu_sg_display; + + #define AMDGPU_VM_MAX_NUM_CTX 4096 + #define AMDGPU_SG_THRESHOLD (256*1024*1024) +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -185,6 +185,7 @@ int amdgpu_num_kcq = -1; + int amdgpu_smartshift_bias; + int amdgpu_use_xgmi_p2p = 1; + int amdgpu_vcnfw_log; ++int amdgpu_sg_display = -1; /* auto */ + + static void amdgpu_drv_delayed_reset_work_handler(struct work_struct *work); + +@@ -930,6 +931,16 @@ MODULE_PARM_DESC(vcnfw_log, "Enable vcnf + module_param_named(vcnfw_log, amdgpu_vcnfw_log, int, 0444); + + /** ++ * DOC: sg_display (int) ++ * Disable S/G (scatter/gather) display (i.e., display from system memory). ++ * This option is only relevant on APUs. Set this option to 0 to disable ++ * S/G display if you experience flickering or other issues under memory ++ * pressure and report the issue. ++ */ ++MODULE_PARM_DESC(sg_display, "S/G Display (-1 = auto (default), 0 = disable)"); ++module_param_named(sg_display, amdgpu_sg_display, int, 0444); ++ ++/** + * DOC: smu_pptable_id (int) + * Used to override pptable id. id = 0 use VBIOS pptable. + * id > 0 use the soft pptable with specicfied id. +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1634,6 +1634,9 @@ static int amdgpu_dm_init(struct amdgpu_ + } + break; + } ++ if (init_data.flags.gpu_vm_support && ++ (amdgpu_sg_display == 0)) ++ init_data.flags.gpu_vm_support = false; + + if (init_data.flags.gpu_vm_support) + adev->mode_info.gpu_vm_support = true; diff --git a/queue-6.1/drm-amdgpu-fix-possible-uaf-in-amdgpu_cs_pass1.patch b/queue-6.1/drm-amdgpu-fix-possible-uaf-in-amdgpu_cs_pass1.patch new file mode 100644 index 00000000000..c1684bffff2 --- /dev/null +++ b/queue-6.1/drm-amdgpu-fix-possible-uaf-in-amdgpu_cs_pass1.patch @@ -0,0 +1,37 @@ +From 90e065677e0362a777b9db97ea21d43a39211399 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 28 Jul 2023 11:14:05 -0400 +Subject: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 90e065677e0362a777b9db97ea21d43a39211399 upstream. + +Since the gang_size check is outside of chunk parsing +loop, we need to reset i before we free the chunk data. + +Suggested by Ye Zhang (@VAR10CK) of Baidu Security. + +Reviewed-by: Guchun Chen +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +@@ -287,7 +287,7 @@ static int amdgpu_cs_pass1(struct amdgpu + + if (!p->gang_size) { + ret = -EINVAL; +- goto free_partial_kdata; ++ goto free_all_kdata; + } + + for (i = 0; i < p->gang_size; ++i) { diff --git a/queue-6.1/drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch b/queue-6.1/drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch new file mode 100644 index 00000000000..c9dd834998b --- /dev/null +++ b/queue-6.1/drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch @@ -0,0 +1,112 @@ +From 1cb9e2ef66d53b020842b18762e30d0eb4384de8 Mon Sep 17 00:00:00 2001 +From: Karol Herbst +Date: Thu, 22 Jun 2023 17:20:17 +0200 +Subject: drm/nouveau/gr: enable memory loads on helper invocation on all channels + +From: Karol Herbst + +commit 1cb9e2ef66d53b020842b18762e30d0eb4384de8 upstream. + +We have a lurking bug where Fragment Shader Helper Invocations can't load +from memory. But this is actually required in OpenGL and is causing random +hangs or failures in random shaders. + +It is unknown how widespread this issue is, but shaders hitting this can +end up with infinite loops. + +We enable those only on all Kepler and newer GPUs where we use our own +Firmware. + +Nvidia's firmware provides a way to set a kernelspace controlled list of +mmio registers in the gr space from push buffers via MME macros. + +v2: drop code for gm200 and newer. + +Cc: Ben Skeggs +Cc: David Airlie +Cc: nouveau@lists.freedesktop.org +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Karol Herbst +Reviewed-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20230622152017.2512101-1-kherbst@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c | 4 +++- + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c | 10 ++++++++++ + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c | 1 + + drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c | 1 + + 6 files changed, 17 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.h +@@ -123,6 +123,7 @@ void gk104_grctx_generate_r418800(struct + + extern const struct gf100_grctx_func gk110_grctx; + void gk110_grctx_generate_r419eb0(struct gf100_gr *); ++void gk110_grctx_generate_r419f78(struct gf100_gr *); + + extern const struct gf100_grctx_func gk110b_grctx; + extern const struct gf100_grctx_func gk208_grctx; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk104.c +@@ -916,7 +916,9 @@ static void + gk104_grctx_generate_r419f78(struct gf100_gr *gr) + { + struct nvkm_device *device = gr->base.engine.subdev.device; +- nvkm_mask(device, 0x419f78, 0x00000001, 0x00000000); ++ ++ /* bit 3 set disables loads in fp helper invocations, we need it enabled */ ++ nvkm_mask(device, 0x419f78, 0x00000009, 0x00000000); + } + + void +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110.c +@@ -820,6 +820,15 @@ gk110_grctx_generate_r419eb0(struct gf10 + nvkm_mask(device, 0x419eb0, 0x00001000, 0x00001000); + } + ++void ++gk110_grctx_generate_r419f78(struct gf100_gr *gr) ++{ ++ struct nvkm_device *device = gr->base.engine.subdev.device; ++ ++ /* bit 3 set disables loads in fp helper invocations, we need it enabled */ ++ nvkm_mask(device, 0x419f78, 0x00000008, 0x00000000); ++} ++ + const struct gf100_grctx_func + gk110_grctx = { + .main = gf100_grctx_generate_main, +@@ -852,4 +861,5 @@ gk110_grctx = { + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r418800 = gk104_grctx_generate_r418800, + .r419eb0 = gk110_grctx_generate_r419eb0, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk110b.c +@@ -101,4 +101,5 @@ gk110b_grctx = { + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r418800 = gk104_grctx_generate_r418800, + .r419eb0 = gk110_grctx_generate_r419eb0, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgk208.c +@@ -566,4 +566,5 @@ gk208_grctx = { + .dist_skip_table = gf117_grctx_generate_dist_skip_table, + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r418800 = gk104_grctx_generate_r418800, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm107.c +@@ -991,4 +991,5 @@ gm107_grctx = { + .r406500 = gm107_grctx_generate_r406500, + .gpc_tpc_nr = gk104_grctx_generate_gpc_tpc_nr, + .r419e00 = gm107_grctx_generate_r419e00, ++ .r419f78 = gk110_grctx_generate_r419f78, + }; diff --git a/queue-6.1/drm-nouveau-nvkm-dp-add-workaround-to-fix-dp-1.3-dpcd-issues.patch b/queue-6.1/drm-nouveau-nvkm-dp-add-workaround-to-fix-dp-1.3-dpcd-issues.patch new file mode 100644 index 00000000000..25f24546bba --- /dev/null +++ b/queue-6.1/drm-nouveau-nvkm-dp-add-workaround-to-fix-dp-1.3-dpcd-issues.patch @@ -0,0 +1,108 @@ +From e4060dad253352382b20420d8ef98daab24dbc17 Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Fri, 28 Jul 2023 18:58:57 -0400 +Subject: drm/nouveau/nvkm/dp: Add workaround to fix DP 1.3+ DPCD issues + +From: Lyude Paul + +commit e4060dad253352382b20420d8ef98daab24dbc17 upstream. + +Currently we use the drm_dp_dpcd_read_caps() helper in the DRM side of +nouveau in order to read the DPCD of a DP connector, which makes sure we do +the right thing and also check for extended DPCD caps. However, it turns +out we're not currently doing this on the nvkm side since we don't have +access to the drm_dp_aux structure there - which means that the DRM side of +the driver and the NVKM side can end up with different DPCD capabilities +for the same connector. + +Ideally in order to fix this, we just want to use the +drm_dp_read_dpcd_caps() helper in nouveau. That's not currently possible +though, and is going to depend on having a bunch of the DP code moved out +of nvkm and into the DRM side of things as part of the GSP enablement work. + +Until then however, let's workaround this problem by porting a copy of +drm_dp_read_dpcd_caps() into NVKM - which should fix this issue. + +Signed-off-by: Lyude Paul +Reviewed-by: Karol Herbst +Link: https://gitlab.freedesktop.org/drm/nouveau/-/issues/211 +Link: https://patchwork.freedesktop.org/patch/msgid/20230728225858.350581-1-lyude@redhat.com +(cherry picked from commit cc4adf3a7323212f303bc9ff0f96346c44fcba06 in drm-misc-next) +Cc: # 6.3+ +Signed-off-by: Karol Herbst +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c | 48 +++++++++++++++++++++++++- + 1 file changed, 47 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/dp.c +@@ -26,6 +26,8 @@ + #include "head.h" + #include "ior.h" + ++#include ++ + #include + #include + #include +@@ -474,6 +476,50 @@ nvkm_dp_train(struct nvkm_outp *outp, u3 + return ret; + } + ++/* XXX: This is a big fat hack, and this is just drm_dp_read_dpcd_caps() ++ * converted to work inside nvkm. This is a temporary holdover until we start ++ * passing the drm_dp_aux device through NVKM ++ */ ++static int ++nvkm_dp_read_dpcd_caps(struct nvkm_outp *outp) ++{ ++ struct nvkm_i2c_aux *aux = outp->dp.aux; ++ u8 dpcd_ext[DP_RECEIVER_CAP_SIZE]; ++ int ret; ++ ++ ret = nvkm_rdaux(aux, DPCD_RC00_DPCD_REV, outp->dp.dpcd, DP_RECEIVER_CAP_SIZE); ++ if (ret < 0) ++ return ret; ++ ++ /* ++ * Prior to DP1.3 the bit represented by ++ * DP_EXTENDED_RECEIVER_CAP_FIELD_PRESENT was reserved. ++ * If it is set DP_DPCD_REV at 0000h could be at a value less than ++ * the true capability of the panel. The only way to check is to ++ * then compare 0000h and 2200h. ++ */ ++ if (!(outp->dp.dpcd[DP_TRAINING_AUX_RD_INTERVAL] & ++ DP_EXTENDED_RECEIVER_CAP_FIELD_PRESENT)) ++ return 0; ++ ++ ret = nvkm_rdaux(aux, DP_DP13_DPCD_REV, dpcd_ext, sizeof(dpcd_ext)); ++ if (ret < 0) ++ return ret; ++ ++ if (outp->dp.dpcd[DP_DPCD_REV] > dpcd_ext[DP_DPCD_REV]) { ++ OUTP_DBG(outp, "Extended DPCD rev less than base DPCD rev (%d > %d)\n", ++ outp->dp.dpcd[DP_DPCD_REV], dpcd_ext[DP_DPCD_REV]); ++ return 0; ++ } ++ ++ if (!memcmp(outp->dp.dpcd, dpcd_ext, sizeof(dpcd_ext))) ++ return 0; ++ ++ memcpy(outp->dp.dpcd, dpcd_ext, sizeof(dpcd_ext)); ++ ++ return 0; ++} ++ + void + nvkm_dp_disable(struct nvkm_outp *outp, struct nvkm_ior *ior) + { +@@ -630,7 +676,7 @@ nvkm_dp_enable(struct nvkm_outp *outp, b + memset(outp->dp.lttpr, 0x00, sizeof(outp->dp.lttpr)); + } + +- if (!nvkm_rdaux(aux, DPCD_RC00_DPCD_REV, outp->dp.dpcd, sizeof(outp->dp.dpcd))) { ++ if (!nvkm_dp_read_dpcd_caps(outp)) { + const u8 rates[] = { 0x1e, 0x14, 0x0a, 0x06, 0 }; + const u8 *rate; + int rate_max; diff --git a/queue-6.1/drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch b/queue-6.1/drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch new file mode 100644 index 00000000000..8d990cc3e04 --- /dev/null +++ b/queue-6.1/drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch @@ -0,0 +1,45 @@ +From 07dd476f6116966cb2006e25fdcf48f0715115ff Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Mon, 24 Jul 2023 13:26:10 +0200 +Subject: drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap() + +From: Boris Brezillon + +commit 07dd476f6116966cb2006e25fdcf48f0715115ff upstream. + +The dma-buf backend is supposed to provide its own vm_ops, but some +implementation just have nothing special to do and leave vm_ops +untouched, probably expecting this field to be zero initialized (this +is the case with the system_heap implementation for instance). +Let's reset vma->vm_ops to NULL to keep things working with these +implementations. + +Fixes: 26d3ac3cb04d ("drm/shmem-helpers: Redirect mmap for imported dma-buf") +Cc: +Cc: Daniel Vetter +Reported-by: Roman Stratiienko +Signed-off-by: Boris Brezillon +Tested-by: Roman Stratiienko +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230724112610.60974-1-boris.brezillon@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -622,7 +622,13 @@ int drm_gem_shmem_mmap(struct drm_gem_sh + int ret; + + if (obj->import_attach) { ++ /* Reset both vm_ops and vm_private_data, so we don't end up with ++ * vm_ops pointing to our implementation if the dma-buf backend ++ * doesn't set those fields. ++ */ + vma->vm_private_data = NULL; ++ vma->vm_ops = NULL; ++ + ret = dma_buf_mmap(obj->dma_buf, vma, 0); + + /* Drop the reference drm_gem_mmap_obj() acquired.*/ diff --git a/queue-6.1/hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch b/queue-6.1/hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch new file mode 100644 index 00000000000..2d86b9ea8eb --- /dev/null +++ b/queue-6.1/hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch @@ -0,0 +1,62 @@ +From f38963b9cd0645a336cf30c5da2e89e34e34fec3 Mon Sep 17 00:00:00 2001 +From: Tao Ren +Date: Fri, 4 Aug 2023 15:14:03 -0700 +Subject: hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100 + +From: Tao Ren + +commit f38963b9cd0645a336cf30c5da2e89e34e34fec3 upstream. + +Skip status check for both pfe1100 and pfe3000 because the communication +error is also observed on pfe1100 devices. + +Signed-off-by: Tao Ren +Fixes: 626bb2f3fb3c hwmon: (pmbus) add driver for BEL PFE1100 and PFE3000 +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230804221403.28931-1-rentao.bupt@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/bel-pfe.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/hwmon/pmbus/bel-pfe.c ++++ b/drivers/hwmon/pmbus/bel-pfe.c +@@ -17,12 +17,13 @@ + enum chips {pfe1100, pfe3000}; + + /* +- * Disable status check for pfe3000 devices, because some devices report +- * communication error (invalid command) for VOUT_MODE command (0x20) +- * although correct VOUT_MODE (0x16) is returned: it leads to incorrect +- * exponent in linear mode. ++ * Disable status check because some devices report communication error ++ * (invalid command) for VOUT_MODE command (0x20) although the correct ++ * VOUT_MODE (0x16) is returned: it leads to incorrect exponent in linear ++ * mode. ++ * This affects both pfe3000 and pfe1100. + */ +-static struct pmbus_platform_data pfe3000_plat_data = { ++static struct pmbus_platform_data pfe_plat_data = { + .flags = PMBUS_SKIP_STATUS_CHECK, + }; + +@@ -94,16 +95,15 @@ static int pfe_pmbus_probe(struct i2c_cl + int model; + + model = (int)i2c_match_id(pfe_device_id, client)->driver_data; ++ client->dev.platform_data = &pfe_plat_data; + + /* + * PFE3000-12-069RA devices may not stay in page 0 during device + * probe which leads to probe failure (read status word failed). + * So let's set the device to page 0 at the beginning. + */ +- if (model == pfe3000) { +- client->dev.platform_data = &pfe3000_plat_data; ++ if (model == pfe3000) + i2c_smbus_write_byte_data(client, PMBUS_PAGE, 0); +- } + + return pmbus_do_probe(client, &pfe_driver_info[model]); + } diff --git a/queue-6.1/mptcp-avoid-bogus-reset-on-fallback-close.patch b/queue-6.1/mptcp-avoid-bogus-reset-on-fallback-close.patch new file mode 100644 index 00000000000..ff4941ff530 --- /dev/null +++ b/queue-6.1/mptcp-avoid-bogus-reset-on-fallback-close.patch @@ -0,0 +1,41 @@ +From ff18f9ef30ee87740f741b964375d0cfb84e1ec2 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 3 Aug 2023 18:27:29 +0200 +Subject: mptcp: avoid bogus reset on fallback close + +From: Paolo Abeni + +commit ff18f9ef30ee87740f741b964375d0cfb84e1ec2 upstream. + +Since the blamed commit, the MPTCP protocol unconditionally sends +TCP resets on all the subflows on disconnect(). + +That fits full-blown MPTCP sockets - to implement the fastclose +mechanism - but causes unexpected corruption of the data stream, +caught as sporadic self-tests failures. + +Fixes: d21f83485518 ("mptcp: use fastclose on more edge scenarios") +Cc: stable@vger.kernel.org +Tested-by: Matthieu Baerts +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/419 +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Link: https://lore.kernel.org/r/20230803-upstream-net-20230803-misc-fixes-6-5-v1-3-6671b1ab11cc@tessares.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2367,7 +2367,7 @@ static void __mptcp_close_ssk(struct soc + + lock_sock_nested(ssk, SINGLE_DEPTH_NESTING); + +- if (flags & MPTCP_CF_FASTCLOSE) { ++ if ((flags & MPTCP_CF_FASTCLOSE) && !__mptcp_check_fallback(msk)) { + /* be sure to force the tcp_disconnect() path, + * to generate the egress reset + */ diff --git a/queue-6.1/mptcp-fix-disconnect-vs-accept-race.patch b/queue-6.1/mptcp-fix-disconnect-vs-accept-race.patch new file mode 100644 index 00000000000..78cf3e7bb55 --- /dev/null +++ b/queue-6.1/mptcp-fix-disconnect-vs-accept-race.patch @@ -0,0 +1,172 @@ +From 511b90e39250135a7f900f1c3afbce25543018a2 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 3 Aug 2023 18:27:30 +0200 +Subject: mptcp: fix disconnect vs accept race + +From: Paolo Abeni + +commit 511b90e39250135a7f900f1c3afbce25543018a2 upstream. + +Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in +recvmsg()"), the mptcp protocol is still prone to a race between +disconnect() (or shutdown) and accept. + +The root cause is that the mentioned commit checks the msk-level +flag, but mptcp_stream_accept() does acquire the msk-level lock, +as it can rely directly on the first subflow lock. + +As reported by Christoph than can lead to a race where an msk +socket is accepted after that mptcp_subflow_queue_clean() releases +the listener socket lock and just before it takes destructive +actions leading to the following splat: + +BUG: kernel NULL pointer dereference, address: 0000000000000012 +PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP +CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 +RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330 +Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 <0f> b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89 +RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300 +RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a +RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020 +R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880 +FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + do_accept+0x1ae/0x260 net/socket.c:1872 + __sys_accept4+0x9b/0x110 net/socket.c:1913 + __do_sys_accept4 net/socket.c:1954 [inline] + __se_sys_accept4 net/socket.c:1951 [inline] + __x64_sys_accept4+0x20/0x30 net/socket.c:1951 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Address the issue by temporary removing the pending request socket +from the accept queue, so that racing accept() can't touch them. + +After depleting the msk - the ssk still exists, as plain TCP sockets, +re-insert them into the accept queue, so that later inet_csk_listen_stop() +will complete the tcp socket disposal. + +Fixes: 2a6a870e44dd ("mptcp: stops worker on unaccepted sockets at listener close") +Cc: stable@vger.kernel.org +Reported-by: Christoph Paasch +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/423 +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Link: https://lore.kernel.org/r/20230803-upstream-net-20230803-misc-fixes-6-5-v1-4-6671b1ab11cc@tessares.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 60 +++++++++++++++++++++++++-------------------------- + 2 files changed, 30 insertions(+), 31 deletions(-) + +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -312,7 +312,6 @@ struct mptcp_sock { + + u32 setsockopt_seq; + char ca_name[TCP_CA_NAME_MAX]; +- struct mptcp_sock *dl_next; + }; + + #define mptcp_data_lock(sk) spin_lock_bh(&(sk)->sk_lock.slock) +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1724,16 +1724,31 @@ static void subflow_state_change(struct + void mptcp_subflow_queue_clean(struct sock *listener_sk, struct sock *listener_ssk) + { + struct request_sock_queue *queue = &inet_csk(listener_ssk)->icsk_accept_queue; +- struct mptcp_sock *msk, *next, *head = NULL; +- struct request_sock *req; +- struct sock *sk; +- +- /* build a list of all unaccepted mptcp sockets */ ++ struct request_sock *req, *head, *tail; ++ struct mptcp_subflow_context *subflow; ++ struct sock *sk, *ssk; ++ ++ /* Due to lock dependencies no relevant lock can be acquired under rskq_lock. ++ * Splice the req list, so that accept() can not reach the pending ssk after ++ * the listener socket is released below. ++ */ + spin_lock_bh(&queue->rskq_lock); +- for (req = queue->rskq_accept_head; req; req = req->dl_next) { +- struct mptcp_subflow_context *subflow; +- struct sock *ssk = req->sk; ++ head = queue->rskq_accept_head; ++ tail = queue->rskq_accept_tail; ++ queue->rskq_accept_head = NULL; ++ queue->rskq_accept_tail = NULL; ++ spin_unlock_bh(&queue->rskq_lock); ++ ++ if (!head) ++ return; ++ ++ /* can't acquire the msk socket lock under the subflow one, ++ * or will cause ABBA deadlock ++ */ ++ release_sock(listener_ssk); + ++ for (req = head; req; req = req->dl_next) { ++ ssk = req->sk; + if (!sk_is_mptcp(ssk)) + continue; + +@@ -1741,32 +1756,10 @@ void mptcp_subflow_queue_clean(struct so + if (!subflow || !subflow->conn) + continue; + +- /* skip if already in list */ + sk = subflow->conn; +- msk = mptcp_sk(sk); +- if (msk->dl_next || msk == head) +- continue; +- + sock_hold(sk); +- msk->dl_next = head; +- head = msk; +- } +- spin_unlock_bh(&queue->rskq_lock); +- if (!head) +- return; +- +- /* can't acquire the msk socket lock under the subflow one, +- * or will cause ABBA deadlock +- */ +- release_sock(listener_ssk); +- +- for (msk = head; msk; msk = next) { +- sk = (struct sock *)msk; + + lock_sock_nested(sk, SINGLE_DEPTH_NESTING); +- next = msk->dl_next; +- msk->dl_next = NULL; +- + __mptcp_unaccepted_force_close(sk); + release_sock(sk); + +@@ -1790,6 +1783,13 @@ void mptcp_subflow_queue_clean(struct so + + /* we are still under the listener msk socket lock */ + lock_sock_nested(listener_ssk, SINGLE_DEPTH_NESTING); ++ ++ /* restore the listener queue, to let the TCP code clean it up */ ++ spin_lock_bh(&queue->rskq_lock); ++ WARN_ON_ONCE(queue->rskq_accept_head); ++ queue->rskq_accept_head = head; ++ queue->rskq_accept_tail = tail; ++ spin_unlock_bh(&queue->rskq_lock); + } + + static int subflow_ulp_init(struct sock *sk) diff --git a/queue-6.1/net-mana-fix-mana-vf-unload-when-hardware-is-unresponsive.patch b/queue-6.1/net-mana-fix-mana-vf-unload-when-hardware-is-unresponsive.patch new file mode 100644 index 00000000000..e6138af7924 --- /dev/null +++ b/queue-6.1/net-mana-fix-mana-vf-unload-when-hardware-is-unresponsive.patch @@ -0,0 +1,96 @@ +From a7dfeda6fdeccab4c7c3dce9a72c4262b9530c80 Mon Sep 17 00:00:00 2001 +From: Souradeep Chakrabarti +Date: Wed, 9 Aug 2023 03:22:05 -0700 +Subject: net: mana: Fix MANA VF unload when hardware is unresponsive + +From: Souradeep Chakrabarti + +commit a7dfeda6fdeccab4c7c3dce9a72c4262b9530c80 upstream. + +When unloading the MANA driver, mana_dealloc_queues() waits for the MANA +hardware to complete any inflight packets and set the pending send count +to zero. But if the hardware has failed, mana_dealloc_queues() +could wait forever. + +Fix this by adding a timeout to the wait. Set the timeout to 120 seconds, +which is a somewhat arbitrary value that is more than long enough for +functional hardware to complete any sends. + +Cc: stable@vger.kernel.org +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Signed-off-by: Souradeep Chakrabarti +Link: https://lore.kernel.org/r/1691576525-24271-1-git-send-email-schakrabarti@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 37 +++++++++++++++++++++++--- + 1 file changed, 33 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1972,9 +1973,12 @@ int mana_attach(struct net_device *ndev) + static int mana_dealloc_queues(struct net_device *ndev) + { + struct mana_port_context *apc = netdev_priv(ndev); ++ unsigned long timeout = jiffies + 120 * HZ; + struct gdma_dev *gd = apc->ac->gdma_dev; + struct mana_txq *txq; ++ struct sk_buff *skb; + int i, err; ++ u32 tsleep; + + if (apc->port_is_up) + return -EINVAL; +@@ -1990,15 +1994,40 @@ static int mana_dealloc_queues(struct ne + * to false, but it doesn't matter since mana_start_xmit() drops any + * new packets due to apc->port_is_up being false. + * +- * Drain all the in-flight TX packets ++ * Drain all the in-flight TX packets. ++ * A timeout of 120 seconds for all the queues is used. ++ * This will break the while loop when h/w is not responding. ++ * This value of 120 has been decided here considering max ++ * number of queues. + */ ++ + for (i = 0; i < apc->num_queues; i++) { + txq = &apc->tx_qp[i].txq; +- +- while (atomic_read(&txq->pending_sends) > 0) +- usleep_range(1000, 2000); ++ tsleep = 1000; ++ while (atomic_read(&txq->pending_sends) > 0 && ++ time_before(jiffies, timeout)) { ++ usleep_range(tsleep, tsleep + 1000); ++ tsleep <<= 1; ++ } ++ if (atomic_read(&txq->pending_sends)) { ++ err = pcie_flr(to_pci_dev(gd->gdma_context->dev)); ++ if (err) { ++ netdev_err(ndev, "flr failed %d with %d pkts pending in txq %u\n", ++ err, atomic_read(&txq->pending_sends), ++ txq->gdma_txq_id); ++ } ++ break; ++ } + } + ++ for (i = 0; i < apc->num_queues; i++) { ++ txq = &apc->tx_qp[i].txq; ++ while ((skb = skb_dequeue(&txq->pending_skbs))) { ++ mana_unmap_skb(skb, apc); ++ dev_kfree_skb_any(skb); ++ } ++ atomic_set(&txq->pending_sends, 0); ++ } + /* We're 100% sure the queues can no longer be woken up, because + * we're sure now mana_poll_tx_cq() can't be running. + */ diff --git a/queue-6.1/nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch b/queue-6.1/nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch new file mode 100644 index 00000000000..4b1602814c5 --- /dev/null +++ b/queue-6.1/nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch @@ -0,0 +1,120 @@ +From f8654743a0e6909dc634cbfad6db6816f10f3399 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 29 Jul 2023 04:13:18 +0900 +Subject: nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput + +From: Ryusuke Konishi + +commit f8654743a0e6909dc634cbfad6db6816f10f3399 upstream. + +During unmount process of nilfs2, nothing holds nilfs_root structure after +nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, +nilfs_evict_inode() could cause use-after-free read for nilfs_root if +inodes are left in "garbage_list" and released by nilfs_dispose_list at +the end of nilfs_detach_log_writer(), and this bug was fixed by commit +9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in +nilfs_evict_inode()"). + +However, it turned out that there is another possibility of UAF in the +call path where mark_inode_dirty_sync() is called from iput(): + +nilfs_detach_log_writer() + nilfs_dispose_list() + iput() + mark_inode_dirty_sync() + __mark_inode_dirty() + nilfs_dirty_inode() + __nilfs_mark_inode_dirty() + nilfs_load_inode_block() --> causes UAF of nilfs_root struct + +This can happen after commit 0ae45f63d4ef ("vfs: add support for a +lazytime mount option"), which changed iput() to call +mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME +flag and i_nlink is non-zero. + +This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty +data after degenerating to read-only") when using the syzbot reproducer, +but the issue has potentially existed before. + +Fix this issue by adding a "purging flag" to the nilfs structure, setting +that flag while disposing the "garbage_list" and checking it in +__nilfs_mark_inode_dirty(). + +Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root +in nilfs_evict_inode()"), this patch does not rely on ns_writer to +determine whether to skip operations, so as not to break recovery on +mount. The nilfs_salvage_orphan_logs routine dirties the buffer of +salvaged data before attaching the log writer, so changing +__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL +will cause recovery write to fail. The purpose of using the cleanup-only +flag is to allow for narrowing of such conditions. + +Link: https://lkml.kernel.org/r/20230728191318.33047-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+74db8b3087f293d3a13a@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/000000000000b4e906060113fd63@google.com +Fixes: 0ae45f63d4ef ("vfs: add support for a lazytime mount option") +Tested-by: Ryusuke Konishi +Cc: # 4.0+ +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 8 ++++++++ + fs/nilfs2/segment.c | 2 ++ + fs/nilfs2/the_nilfs.h | 2 ++ + 3 files changed, 12 insertions(+) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -1101,9 +1101,17 @@ int nilfs_set_file_dirty(struct inode *i + + int __nilfs_mark_inode_dirty(struct inode *inode, int flags) + { ++ struct the_nilfs *nilfs = inode->i_sb->s_fs_info; + struct buffer_head *ibh; + int err; + ++ /* ++ * Do not dirty inodes after the log writer has been detached ++ * and its nilfs_root struct has been freed. ++ */ ++ if (unlikely(nilfs_purging(nilfs))) ++ return 0; ++ + err = nilfs_load_inode_block(inode, &ibh); + if (unlikely(err)) { + nilfs_warn(inode->i_sb, +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -2843,6 +2843,7 @@ void nilfs_detach_log_writer(struct supe + nilfs_segctor_destroy(nilfs->ns_writer); + nilfs->ns_writer = NULL; + } ++ set_nilfs_purging(nilfs); + + /* Force to free the list of dirty files */ + spin_lock(&nilfs->ns_inode_lock); +@@ -2855,4 +2856,5 @@ void nilfs_detach_log_writer(struct supe + up_write(&nilfs->ns_segctor_sem); + + nilfs_dispose_list(nilfs, &garbage_list, 1); ++ clear_nilfs_purging(nilfs); + } +--- a/fs/nilfs2/the_nilfs.h ++++ b/fs/nilfs2/the_nilfs.h +@@ -29,6 +29,7 @@ enum { + THE_NILFS_DISCONTINUED, /* 'next' pointer chain has broken */ + THE_NILFS_GC_RUNNING, /* gc process is running */ + THE_NILFS_SB_DIRTY, /* super block is dirty */ ++ THE_NILFS_PURGING, /* disposing dirty files for cleanup */ + }; + + /** +@@ -208,6 +209,7 @@ THE_NILFS_FNS(INIT, init) + THE_NILFS_FNS(DISCONTINUED, discontinued) + THE_NILFS_FNS(GC_RUNNING, gc_running) + THE_NILFS_FNS(SB_DIRTY, sb_dirty) ++THE_NILFS_FNS(PURGING, purging) + + /* + * Mount option operations diff --git a/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-samsung-pm9b1-256g-and-512g.patch b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-samsung-pm9b1-256g-and-512g.patch new file mode 100644 index 00000000000..511763f6c76 --- /dev/null +++ b/queue-6.1/nvme-pci-add-nvme_quirk_bogus_nid-for-samsung-pm9b1-256g-and-512g.patch @@ -0,0 +1,36 @@ +From 688b419c57c13637d95d7879e165fff3dec581eb Mon Sep 17 00:00:00 2001 +From: August Wikerfors +Date: Wed, 16 Nov 2022 18:17:27 +0100 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for Samsung PM9B1 256G and 512G + +From: August Wikerfors + +commit 688b419c57c13637d95d7879e165fff3dec581eb upstream. + +The Samsung PM9B1 512G SSD found in some Lenovo Yoga 7 14ARB7 laptop units +reports eui as 0001000200030004 when resuming from s2idle, causing the +device to be removed with this error in dmesg: + +nvme nvme0: identifiers changed for nsid 1 + +To fix this, add a quirk to ignore namespace identifiers for this device. + +Signed-off-by: August Wikerfors +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3504,7 +3504,8 @@ static const struct pci_device_id nvme_i + { PCI_DEVICE(0x1d97, 0x2263), /* SPCC */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x144d, 0xa80b), /* Samsung PM9B1 256G and 512G */ +- .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES | ++ NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x144d, 0xa809), /* Samsung MZALQ256HBJD 256G */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x1cc4, 0x6303), /* UMIS RPJTJ512MGE1QDY 512G */ diff --git a/queue-6.1/radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch b/queue-6.1/radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch new file mode 100644 index 00000000000..c9adc2dfbbb --- /dev/null +++ b/queue-6.1/radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch @@ -0,0 +1,41 @@ +From cac7ea57a06016e4914848b707477fb07ee4ae1c Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 27 Jul 2023 17:09:30 +0100 +Subject: radix tree test suite: fix incorrect allocation size for pthreads + +From: Colin Ian King + +commit cac7ea57a06016e4914848b707477fb07ee4ae1c upstream. + +Currently the pthread allocation for each array item is based on the size +of a pthread_t pointer and should be the size of the pthread_t structure, +so the allocation is under-allocating the correct size. Fix this by using +the size of each element in the pthreads array. + +Static analysis cppcheck reported: +tools/testing/radix-tree/regression1.c:180:2: warning: Size of pointer +'threads' used instead of size of its data. [pointerSize] + +Link: https://lkml.kernel.org/r/20230727160930.632674-1-colin.i.king@gmail.com +Fixes: 1366c37ed84b ("radix tree test harness") +Signed-off-by: Colin Ian King +Cc: Konstantin Khlebnikov +Cc: Matthew Wilcox (Oracle) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/radix-tree/regression1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/radix-tree/regression1.c ++++ b/tools/testing/radix-tree/regression1.c +@@ -177,7 +177,7 @@ void regression1_test(void) + nr_threads = 2; + pthread_barrier_init(&worker_barrier, NULL, nr_threads); + +- threads = malloc(nr_threads * sizeof(pthread_t *)); ++ threads = malloc(nr_threads * sizeof(*threads)); + + for (i = 0; i < nr_threads; i++) { + arg = i; diff --git a/queue-6.1/riscv-kexec-handle-r_riscv_call_plt-relocation-type.patch b/queue-6.1/riscv-kexec-handle-r_riscv_call_plt-relocation-type.patch new file mode 100644 index 00000000000..ff9f6b2bbe0 --- /dev/null +++ b/queue-6.1/riscv-kexec-handle-r_riscv_call_plt-relocation-type.patch @@ -0,0 +1,55 @@ +From d0b4f95a51038becce4bdab4789aa7ce59d4ea6e Mon Sep 17 00:00:00 2001 +From: Torsten Duwe +Date: Wed, 26 Jul 2023 11:53:59 +0200 +Subject: riscv/kexec: handle R_RISCV_CALL_PLT relocation type + +From: Torsten Duwe + +commit d0b4f95a51038becce4bdab4789aa7ce59d4ea6e upstream. + +R_RISCV_CALL has been deprecated and replaced by R_RISCV_CALL_PLT. See Enum +18-19 in Table 3. Relocation types here: + +https://github.com/riscv-non-isa/riscv-elf-psabi-doc/blob/master/riscv-elf.adoc + +It was deprecated in ("Deprecated R_RISCV_CALL, prefer R_RISCV_CALL_PLT"): + +https://github.com/riscv-non-isa/riscv-elf-psabi-doc/commit/a0dced85018d7a0ec17023c9389cbd70b1dbc1b0 + +Recent tools (at least GNU binutils-2.40) already use R_RISCV_CALL_PLT. +Kernels built with such binutils fail kexec_load_file(2) with: + + kexec_image: Unknown rela relocation: 19 + kexec_image: Error loading purgatory ret=-8 + +The binary code at the call site remains the same, so tell +arch_kexec_apply_relocations_add() to handle _PLT alike. + +Fixes: 838b3e28488f ("RISC-V: Load purgatory in kexec_file") +Signed-off-by: Torsten Duwe +Signed-off-by: Petr Tesarik +Cc: Li Zhengyu +Cc: stable@vger.kernel.org +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/all/b046b164af8efd33bbdb7d4003273bdf9196a5b0.1690365011.git.petr.tesarik.ext@huawei.com/ +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/elf_kexec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/riscv/kernel/elf_kexec.c b/arch/riscv/kernel/elf_kexec.c +index 5372b708fae2..38390d3bdcac 100644 +--- a/arch/riscv/kernel/elf_kexec.c ++++ b/arch/riscv/kernel/elf_kexec.c +@@ -425,6 +425,7 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi, + * sym, instead of searching the whole relsec. + */ + case R_RISCV_PCREL_HI20: ++ case R_RISCV_CALL_PLT: + case R_RISCV_CALL: + *(u64 *)loc = CLEAN_IMM(UITYPE, *(u64 *)loc) | + ENCODE_UJTYPE_IMM(val - addr); +-- +2.41.0 + diff --git a/queue-6.1/riscv-kexec-load-initrd-high-in-available-memory.patch b/queue-6.1/riscv-kexec-load-initrd-high-in-available-memory.patch new file mode 100644 index 00000000000..3cdc5e87892 --- /dev/null +++ b/queue-6.1/riscv-kexec-load-initrd-high-in-available-memory.patch @@ -0,0 +1,49 @@ +From 49af7a2cd5f678217b8b4f86a29411aebebf3e78 Mon Sep 17 00:00:00 2001 +From: Torsten Duwe +Date: Wed, 26 Jul 2023 11:54:01 +0200 +Subject: riscv/kexec: load initrd high in available memory + +From: Torsten Duwe + +commit 49af7a2cd5f678217b8b4f86a29411aebebf3e78 upstream. + +When initrd is loaded low, the secondary kernel fails like this: + + INITRD: 0xdc581000+0x00eef000 overlaps in-use memory region + +This initrd load address corresponds to the _end symbol, but the +reservation is aligned on PMD_SIZE, as explained by a comment in +setup_bootmem(). + +It is technically possible to align the initrd load address accordingly, +leaving a hole between the end of kernel and the initrd, but it is much +simpler to allocate the initrd top-down. + +Fixes: 838b3e28488f ("RISC-V: Load purgatory in kexec_file") +Signed-off-by: Torsten Duwe +Signed-off-by: Petr Tesarik +Cc: stable@vger.kernel.org +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/all/67c8eb9eea25717c2c8208d9bfbfaa39e6e2a1c6.1690365011.git.petr.tesarik.ext@huawei.com/ +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/elf_kexec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/elf_kexec.c b/arch/riscv/kernel/elf_kexec.c +index 38390d3bdcac..c08bb5c3b385 100644 +--- a/arch/riscv/kernel/elf_kexec.c ++++ b/arch/riscv/kernel/elf_kexec.c +@@ -281,7 +281,7 @@ static void *elf_kexec_load(struct kimage *image, char *kernel_buf, + kbuf.buffer = initrd; + kbuf.bufsz = kbuf.memsz = initrd_len; + kbuf.buf_align = PAGE_SIZE; +- kbuf.top_down = false; ++ kbuf.top_down = true; + kbuf.mem = KEXEC_BUF_MEM_UNKNOWN; + ret = kexec_add_buffer(&kbuf); + if (ret) +-- +2.41.0 + diff --git a/queue-6.1/riscv-mmio-fix-readx-to-delay-ordering.patch b/queue-6.1/riscv-mmio-fix-readx-to-delay-ordering.patch new file mode 100644 index 00000000000..20ebf6d3f49 --- /dev/null +++ b/queue-6.1/riscv-mmio-fix-readx-to-delay-ordering.patch @@ -0,0 +1,68 @@ +From 4eb2eb1b4c0eb07793c240744843498564a67b83 Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Thu, 3 Aug 2023 06:27:38 +0200 +Subject: riscv,mmio: Fix readX()-to-delay() ordering + +From: Andrea Parri + +commit 4eb2eb1b4c0eb07793c240744843498564a67b83 upstream. + +Section 2.1 of the Platform Specification [1] states: + + Unless otherwise specified by a given I/O device, I/O devices are on + ordering channel 0 (i.e., they are point-to-point strongly ordered). + +which is not sufficient to guarantee that a readX() by a hart completes +before a subsequent delay() on the same hart (cf. memory-barriers.txt, +"Kernel I/O barrier effects"). + +Set the I(nput) bit in __io_ar() to restore the ordering, align inline +comments. + +[1] https://github.com/riscv/riscv-platform-specs + +Signed-off-by: Andrea Parri +Link: https://lore.kernel.org/r/20230803042738.5937-1-parri.andrea@gmail.com +Fixes: fab957c11efe ("RISC-V: Atomic and Locking Code") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/mmio.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/riscv/include/asm/mmio.h ++++ b/arch/riscv/include/asm/mmio.h +@@ -101,9 +101,9 @@ static inline u64 __raw_readq(const vola + * Relaxed I/O memory access primitives. These follow the Device memory + * ordering rules but do not guarantee any ordering relative to Normal memory + * accesses. These are defined to order the indicated access (either a read or +- * write) with all other I/O memory accesses. Since the platform specification +- * defines that all I/O regions are strongly ordered on channel 2, no explicit +- * fences are required to enforce this ordering. ++ * write) with all other I/O memory accesses to the same peripheral. Since the ++ * platform specification defines that all I/O regions are strongly ordered on ++ * channel 0, no explicit fences are required to enforce this ordering. + */ + /* FIXME: These are now the same as asm-generic */ + #define __io_rbr() do {} while (0) +@@ -125,14 +125,14 @@ static inline u64 __raw_readq(const vola + #endif + + /* +- * I/O memory access primitives. Reads are ordered relative to any +- * following Normal memory access. Writes are ordered relative to any prior +- * Normal memory access. The memory barriers here are necessary as RISC-V ++ * I/O memory access primitives. Reads are ordered relative to any following ++ * Normal memory read and delay() loop. Writes are ordered relative to any ++ * prior Normal memory write. The memory barriers here are necessary as RISC-V + * doesn't define any ordering between the memory space and the I/O space. + */ + #define __io_br() do {} while (0) +-#define __io_ar(v) __asm__ __volatile__ ("fence i,r" : : : "memory") +-#define __io_bw() __asm__ __volatile__ ("fence w,o" : : : "memory") ++#define __io_ar(v) ({ __asm__ __volatile__ ("fence i,ir" : : : "memory"); }) ++#define __io_bw() ({ __asm__ __volatile__ ("fence w,o" : : : "memory"); }) + #define __io_aw() mmiowb_set_pending() + + #define readb(c) ({ u8 __v; __io_br(); __v = readb_cpu(c); __io_ar(__v); __v; }) diff --git a/queue-6.1/selftests-mptcp-join-fix-delete-and-re-add-test.patch b/queue-6.1/selftests-mptcp-join-fix-delete-and-re-add-test.patch new file mode 100644 index 00000000000..d10c188467b --- /dev/null +++ b/queue-6.1/selftests-mptcp-join-fix-delete-and-re-add-test.patch @@ -0,0 +1,49 @@ +From aaf2123a5cf46dbd97f84b6eee80269758064d93 Mon Sep 17 00:00:00 2001 +From: Andrea Claudi +Date: Thu, 3 Aug 2023 18:27:27 +0200 +Subject: selftests: mptcp: join: fix 'delete and re-add' test + +From: Andrea Claudi + +commit aaf2123a5cf46dbd97f84b6eee80269758064d93 upstream. + +mptcp_join 'delete and re-add' test fails when using ip mptcp: + + $ ./mptcp_join.sh -iI + + 002 delete and re-add before delete[ ok ] + mptcp_info subflows=1 [ ok ] + Error: argument "ADDRESS" is wrong: invalid for non-zero id address + after delete[fail] got 2:2 subflows expected 1 + +This happens because endpoint delete includes an ip address while id is +not 0, contrary to what is indicated in the ip mptcp man page: + +"When used with the delete id operation, an IFADDR is only included when +the ID is 0." + +This fixes the issue using the $addr variable in pm_nl_del_endpoint() +only when id is 0. + +Fixes: 34aa6e3bccd8 ("selftests: mptcp: add ip mptcp wrappers") +Cc: stable@vger.kernel.org +Signed-off-by: Andrea Claudi +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Link: https://lore.kernel.org/r/20230803-upstream-net-20230803-misc-fixes-6-5-v1-1-6671b1ab11cc@tessares.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -650,6 +650,7 @@ pm_nl_del_endpoint() + local addr=$3 + + if [ $ip_mptcp -eq 1 ]; then ++ [ $id -ne 0 ] && addr='' + ip -n $ns mptcp endpoint delete id $id $addr + else + ip netns exec $ns ./pm_nl_ctl del $id $addr diff --git a/queue-6.1/selftests-mptcp-join-fix-implicit-ep-test.patch b/queue-6.1/selftests-mptcp-join-fix-implicit-ep-test.patch new file mode 100644 index 00000000000..19787e4157b --- /dev/null +++ b/queue-6.1/selftests-mptcp-join-fix-implicit-ep-test.patch @@ -0,0 +1,57 @@ +From c8c101ae390a3e817369e94a6f12a1ddea420702 Mon Sep 17 00:00:00 2001 +From: Andrea Claudi +Date: Thu, 3 Aug 2023 18:27:28 +0200 +Subject: selftests: mptcp: join: fix 'implicit EP' test + +From: Andrea Claudi + +commit c8c101ae390a3e817369e94a6f12a1ddea420702 upstream. + +mptcp_join 'implicit EP' test currently fails when using ip mptcp: + + $ ./mptcp_join.sh -iI + + 001 implicit EP creation[fail] expected '10.0.2.2 10.0.2.2 id 1 implicit' found '10.0.2.2 id 1 rawflags 10 ' + Error: too many addresses or duplicate one: -22. + ID change is prevented[fail] expected '10.0.2.2 10.0.2.2 id 1 implicit' found '10.0.2.2 id 1 rawflags 10 ' + modif is allowed[fail] expected '10.0.2.2 10.0.2.2 id 1 signal' found '10.0.2.2 id 1 signal ' + +This happens because of two reasons: +- iproute v6.3.0 does not support the implicit flag, fixed with + iproute2-next commit 3a2535a41854 ("mptcp: add support for implicit + flag") +- pm_nl_check_endpoint wrongly expects the ip address to be repeated two + times in iproute output, and does not account for a final whitespace + in it. + +This fixes the issue trimming the whitespace in the output string and +removing the double address in the expected string. + +Fixes: 69c6ce7b6eca ("selftests: mptcp: add implicit endpoint test case") +Cc: stable@vger.kernel.org +Signed-off-by: Andrea Claudi +Reviewed-by: Matthieu Baerts +Signed-off-by: Matthieu Baerts +Link: https://lore.kernel.org/r/20230803-upstream-net-20230803-misc-fixes-6-5-v1-2-6671b1ab11cc@tessares.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -741,10 +741,11 @@ pm_nl_check_endpoint() + fi + + if [ $ip_mptcp -eq 1 ]; then ++ # get line and trim trailing whitespace + line=$(ip -n $ns mptcp endpoint show $id) ++ line="${line% }" + # the dump order is: address id flags port dev +- expected_line="$addr" +- [ -n "$addr" ] && expected_line="$expected_line $addr" ++ [ -n "$addr" ] && expected_line="$addr" + expected_line="$expected_line $id" + [ -n "$_flags" ] && expected_line="$expected_line ${_flags//","/" "}" + [ -n "$dev" ] && expected_line="$expected_line $dev" diff --git a/queue-6.1/series b/queue-6.1/series index b0460838eea..bac731f8d0f 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -12,3 +12,25 @@ selftests-forwarding-set-default-ipv6-traceroute-utility.patch wireguard-allowedips-expand-maximum-node-depth.patch mmc-moxart-read-scr-register-without-changing-byte-order.patch ipv6-adjust-ndisc_is_useropt-to-also-return-true-for-pio.patch +selftests-mptcp-join-fix-delete-and-re-add-test.patch +selftests-mptcp-join-fix-implicit-ep-test.patch +mptcp-avoid-bogus-reset-on-fallback-close.patch +mptcp-fix-disconnect-vs-accept-race.patch +dmaengine-pl330-return-dma_paused-when-transaction-is-paused.patch +net-mana-fix-mana-vf-unload-when-hardware-is-unresponsive.patch +riscv-kexec-load-initrd-high-in-available-memory.patch +riscv-mmio-fix-readx-to-delay-ordering.patch +riscv-kexec-handle-r_riscv_call_plt-relocation-type.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-samsung-pm9b1-256g-and-512g.patch +drm-nouveau-gr-enable-memory-loads-on-helper-invocation-on-all-channels.patch +drm-nouveau-nvkm-dp-add-workaround-to-fix-dp-1.3-dpcd-issues.patch +drm-shmem-helper-reset-vma-vm_ops-before-calling-dma_buf_mmap.patch +drm-amdgpu-fix-possible-uaf-in-amdgpu_cs_pass1.patch +drm-amd-display-check-attr-flag-before-set-cursor-degamma-on-dcn3.patch +drm-amdgpu-add-s-g-display-parameter.patch +drm-amd-disable-s-g-for-apus-when-64gb-or-more-host-memory.patch +drm-amd-display-limit-dpia-link-rate-to-hbr3.patch +cpuidle-dt_idle_genpd-add-helper-function-to-remove-genpd-topology.patch +hwmon-pmbus-bel-pfe-enable-pmbus_skip_status_check-for-pfe1100.patch +radix-tree-test-suite-fix-incorrect-allocation-size-for-pthreads.patch +nilfs2-fix-use-after-free-of-nilfs_root-in-dirtying-inodes-via-iput.patch