From: Greg Kroah-Hartman Date: Mon, 29 Jul 2024 11:07:35 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.103~70 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de3da8b031044f48593b89a49eab23d1e8902601;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: drivers-soc-xilinx-check-return-status-of-get_api_version.patch jbd2-avoid-infinite-transaction-commit-loop.patch jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch jbd2-precompute-number-of-transaction-descriptor-blocks.patch kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch md-md-bitmap-fix-writing-non-bitmap-pages.patch media-imx-pxp-fix-err_ptr-dereference-in-pxp_probe.patch media-ivsc-csi-add-separate-lock-for-v4l2-control-handler.patch media-ivsc-csi-don-t-count-privacy-on-as-error.patch media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch selftests-landlock-add-cred_transfer-test.patch wifi-mwifiex-fix-interface-type-change.patch wifi-rtw88-usb-fix-disconnection-after-beacon-loss.patch --- diff --git a/queue-6.6/drivers-soc-xilinx-check-return-status-of-get_api_version.patch b/queue-6.6/drivers-soc-xilinx-check-return-status-of-get_api_version.patch new file mode 100644 index 00000000000..692dfb44598 --- /dev/null +++ b/queue-6.6/drivers-soc-xilinx-check-return-status-of-get_api_version.patch @@ -0,0 +1,48 @@ +From 9b003e14801cf85a8cebeddc87bc9fc77100fdce Mon Sep 17 00:00:00 2001 +From: Jay Buddhabhatti +Date: Wed, 15 May 2024 04:23:45 -0700 +Subject: drivers: soc: xilinx: check return status of get_api_version() + +From: Jay Buddhabhatti + +commit 9b003e14801cf85a8cebeddc87bc9fc77100fdce upstream. + +Currently return status is not getting checked for get_api_version +and because of that for x86 arch we are getting below smatch error. + + CC drivers/soc/xilinx/zynqmp_power.o +drivers/soc/xilinx/zynqmp_power.c: In function 'zynqmp_pm_probe': +drivers/soc/xilinx/zynqmp_power.c:295:12: warning: 'pm_api_version' is +used uninitialized [-Wuninitialized] + 295 | if (pm_api_version < ZYNQMP_PM_VERSION) + | ^ + CHECK drivers/soc/xilinx/zynqmp_power.c +drivers/soc/xilinx/zynqmp_power.c:295 zynqmp_pm_probe() error: +uninitialized symbol 'pm_api_version'. + +So, check return status of pm_get_api_version and return error in case +of failure to avoid checking uninitialized pm_api_version variable. + +Fixes: b9b3a8be28b3 ("firmware: xilinx: Remove eemi ops for get_api_version") +Signed-off-by: Jay Buddhabhatti +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240515112345.24673-1-jay.buddhabhatti@amd.com +Signed-off-by: Michal Simek +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/xilinx/zynqmp_power.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/soc/xilinx/zynqmp_power.c ++++ b/drivers/soc/xilinx/zynqmp_power.c +@@ -188,7 +188,9 @@ static int zynqmp_pm_probe(struct platfo + u32 pm_api_version; + struct mbox_client *client; + +- zynqmp_pm_get_api_version(&pm_api_version); ++ ret = zynqmp_pm_get_api_version(&pm_api_version); ++ if (ret) ++ return ret; + + /* Check PM API version number */ + if (pm_api_version < ZYNQMP_PM_VERSION) diff --git a/queue-6.6/jbd2-avoid-infinite-transaction-commit-loop.patch b/queue-6.6/jbd2-avoid-infinite-transaction-commit-loop.patch new file mode 100644 index 00000000000..6b003cfee84 --- /dev/null +++ b/queue-6.6/jbd2-avoid-infinite-transaction-commit-loop.patch @@ -0,0 +1,101 @@ +From 27ba5b67312a944576addc4df44ac3b709aabede Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 24 Jun 2024 19:01:19 +0200 +Subject: jbd2: avoid infinite transaction commit loop + +From: Jan Kara + +commit 27ba5b67312a944576addc4df44ac3b709aabede upstream. + +Commit 9f356e5a4f12 ("jbd2: Account descriptor blocks into +t_outstanding_credits") started to account descriptor blocks into +transactions outstanding credits. However it didn't appropriately +decrease the maximum amount of credits available to userspace. Thus if +the filesystem requests a transaction smaller than +j_max_transaction_buffers but large enough that when descriptor blocks +are added the size exceeds j_max_transaction_buffers, we confuse +add_transaction_credits() into thinking previous handles have grown the +transaction too much and enter infinite journal commit loop in +start_this_handle() -> add_transaction_credits() trying to create +transaction with enough credits available. + +Fix the problem by properly accounting for transaction space reserved +for descriptor blocks when verifying requested transaction handle size. + +CC: stable@vger.kernel.org +Fixes: 9f356e5a4f12 ("jbd2: Account descriptor blocks into t_outstanding_credits") +Reported-by: Alexander Coffin +Link: https://lore.kernel.org/all/CA+hUFcuGs04JHZ_WzA1zGN57+ehL2qmHOt5a7RMpo+rv6Vyxtw@mail.gmail.com +Signed-off-by: Jan Kara +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20240624170127.3253-3-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -191,6 +191,13 @@ static void sub_reserved_credits(journal + wake_up(&journal->j_wait_reserved); + } + ++/* Maximum number of blocks for user transaction payload */ ++static int jbd2_max_user_trans_buffers(journal_t *journal) ++{ ++ return journal->j_max_transaction_buffers - ++ journal->j_transaction_overhead_buffers; ++} ++ + /* + * Wait until we can add credits for handle to the running transaction. Called + * with j_state_lock held for reading. Returns 0 if handle joined the running +@@ -240,12 +247,12 @@ __must_hold(&journal->j_state_lock) + * big to fit this handle? Wait until reserved credits are freed. + */ + if (atomic_read(&journal->j_reserved_credits) + total > +- journal->j_max_transaction_buffers) { ++ jbd2_max_user_trans_buffers(journal)) { + read_unlock(&journal->j_state_lock); + jbd2_might_wait_for_commit(journal); + wait_event(journal->j_wait_reserved, + atomic_read(&journal->j_reserved_credits) + total <= +- journal->j_max_transaction_buffers); ++ jbd2_max_user_trans_buffers(journal)); + __acquire(&journal->j_state_lock); /* fake out sparse */ + return 1; + } +@@ -285,14 +292,14 @@ __must_hold(&journal->j_state_lock) + + needed = atomic_add_return(rsv_blocks, &journal->j_reserved_credits); + /* We allow at most half of a transaction to be reserved */ +- if (needed > journal->j_max_transaction_buffers / 2) { ++ if (needed > jbd2_max_user_trans_buffers(journal) / 2) { + sub_reserved_credits(journal, rsv_blocks); + atomic_sub(total, &t->t_outstanding_credits); + read_unlock(&journal->j_state_lock); + jbd2_might_wait_for_commit(journal); + wait_event(journal->j_wait_reserved, + atomic_read(&journal->j_reserved_credits) + rsv_blocks +- <= journal->j_max_transaction_buffers / 2); ++ <= jbd2_max_user_trans_buffers(journal) / 2); + __acquire(&journal->j_state_lock); /* fake out sparse */ + return 1; + } +@@ -322,12 +329,12 @@ static int start_this_handle(journal_t * + * size and limit the number of total credits to not exceed maximum + * transaction size per operation. + */ +- if ((rsv_blocks > journal->j_max_transaction_buffers / 2) || +- (rsv_blocks + blocks > journal->j_max_transaction_buffers)) { ++ if (rsv_blocks > jbd2_max_user_trans_buffers(journal) / 2 || ++ rsv_blocks + blocks > jbd2_max_user_trans_buffers(journal)) { + printk(KERN_ERR "JBD2: %s wants too many credits " + "credits:%d rsv_credits:%d max:%d\n", + current->comm, blocks, rsv_blocks, +- journal->j_max_transaction_buffers); ++ jbd2_max_user_trans_buffers(journal)); + WARN_ON(1); + return -ENOSPC; + } diff --git a/queue-6.6/jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch b/queue-6.6/jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch new file mode 100644 index 00000000000..22e37d43404 --- /dev/null +++ b/queue-6.6/jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch @@ -0,0 +1,66 @@ +From 4aa99c71e42ad60178c1154ec24e3df9c684fb67 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 24 Jun 2024 19:01:17 +0200 +Subject: jbd2: make jbd2_journal_get_max_txn_bufs() internal + +From: Jan Kara + +commit 4aa99c71e42ad60178c1154ec24e3df9c684fb67 upstream. + +There's no reason to have jbd2_journal_get_max_txn_bufs() public +function. Currently all users are internal and can use +journal->j_max_transaction_buffers instead. This saves some unnecessary +recomputations of the limit as a bonus which becomes important as this +function gets more complex in the following patch. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20240624170127.3253-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/commit.c | 2 +- + fs/jbd2/journal.c | 5 +++++ + include/linux/jbd2.h | 5 ----- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -767,7 +767,7 @@ start_journal_io: + if (first_block < journal->j_tail) + freed += journal->j_last - journal->j_first; + /* Update tail only if we free significant amount of space */ +- if (freed < jbd2_journal_get_max_txn_bufs(journal)) ++ if (freed < journal->j_max_transaction_buffers) + update_tail = 0; + } + J_ASSERT(commit_transaction->t_state == T_COMMIT); +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1690,6 +1690,11 @@ journal_t *jbd2_journal_init_inode(struc + return journal; + } + ++static int jbd2_journal_get_max_txn_bufs(journal_t *journal) ++{ ++ return (journal->j_total_len - journal->j_fc_wbufsize) / 4; ++} ++ + /* + * Given a journal_t structure, initialise the various fields for + * startup of a new journaling session. We use this both when creating +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1666,11 +1666,6 @@ int jbd2_wait_inode_data(journal_t *jour + int jbd2_fc_wait_bufs(journal_t *journal, int num_blks); + int jbd2_fc_release_bufs(journal_t *journal); + +-static inline int jbd2_journal_get_max_txn_bufs(journal_t *journal) +-{ +- return (journal->j_total_len - journal->j_fc_wbufsize) / 4; +-} +- + /* + * is_journal_abort + * diff --git a/queue-6.6/jbd2-precompute-number-of-transaction-descriptor-blocks.patch b/queue-6.6/jbd2-precompute-number-of-transaction-descriptor-blocks.patch new file mode 100644 index 00000000000..488faf3b074 --- /dev/null +++ b/queue-6.6/jbd2-precompute-number-of-transaction-descriptor-blocks.patch @@ -0,0 +1,197 @@ +From e3a00a23781c1f2fcda98a7aecaac515558e7a35 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 24 Jun 2024 19:01:18 +0200 +Subject: jbd2: precompute number of transaction descriptor blocks + +From: Jan Kara + +commit e3a00a23781c1f2fcda98a7aecaac515558e7a35 upstream. + +Instead of computing the number of descriptor blocks a transaction can +have each time we need it (which is currently when starting each +transaction but will become more frequent later) precompute the number +once during journal initialization together with maximum transaction +size. We perform the precomputation whenever journal feature set is +updated similarly as for computation of +journal->j_revoke_records_per_block. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20240624170127.3253-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/journal.c | 61 +++++++++++++++++++++++++++++++++++++------------- + fs/jbd2/transaction.c | 24 ------------------- + include/linux/jbd2.h | 7 +++++ + 3 files changed, 54 insertions(+), 38 deletions(-) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1451,6 +1451,48 @@ static int journal_revoke_records_per_bl + return space / record_size; + } + ++static int jbd2_journal_get_max_txn_bufs(journal_t *journal) ++{ ++ return (journal->j_total_len - journal->j_fc_wbufsize) / 4; ++} ++ ++/* ++ * Base amount of descriptor blocks we reserve for each transaction. ++ */ ++static int jbd2_descriptor_blocks_per_trans(journal_t *journal) ++{ ++ int tag_space = journal->j_blocksize - sizeof(journal_header_t); ++ int tags_per_block; ++ ++ /* Subtract UUID */ ++ tag_space -= 16; ++ if (jbd2_journal_has_csum_v2or3(journal)) ++ tag_space -= sizeof(struct jbd2_journal_block_tail); ++ /* Commit code leaves a slack space of 16 bytes at the end of block */ ++ tags_per_block = (tag_space - 16) / journal_tag_bytes(journal); ++ /* ++ * Revoke descriptors are accounted separately so we need to reserve ++ * space for commit block and normal transaction descriptor blocks. ++ */ ++ return 1 + DIV_ROUND_UP(jbd2_journal_get_max_txn_bufs(journal), ++ tags_per_block); ++} ++ ++/* ++ * Initialize number of blocks each transaction reserves for its bookkeeping ++ * and maximum number of blocks a transaction can use. This needs to be called ++ * after the journal size and the fastcommit area size are initialized. ++ */ ++static void jbd2_journal_init_transaction_limits(journal_t *journal) ++{ ++ journal->j_revoke_records_per_block = ++ journal_revoke_records_per_block(journal); ++ journal->j_transaction_overhead_buffers = ++ jbd2_descriptor_blocks_per_trans(journal); ++ journal->j_max_transaction_buffers = ++ jbd2_journal_get_max_txn_bufs(journal); ++} ++ + /* + * Load the on-disk journal superblock and read the key fields into the + * journal_t. +@@ -1492,8 +1534,8 @@ static int journal_load_superblock(journ + if (jbd2_journal_has_csum_v2or3(journal)) + journal->j_csum_seed = jbd2_chksum(journal, ~0, sb->s_uuid, + sizeof(sb->s_uuid)); +- journal->j_revoke_records_per_block = +- journal_revoke_records_per_block(journal); ++ /* After journal features are set, we can compute transaction limits */ ++ jbd2_journal_init_transaction_limits(journal); + + if (jbd2_has_feature_fast_commit(journal)) { + journal->j_fc_last = be32_to_cpu(sb->s_maxlen); +@@ -1690,11 +1732,6 @@ journal_t *jbd2_journal_init_inode(struc + return journal; + } + +-static int jbd2_journal_get_max_txn_bufs(journal_t *journal) +-{ +- return (journal->j_total_len - journal->j_fc_wbufsize) / 4; +-} +- + /* + * Given a journal_t structure, initialise the various fields for + * startup of a new journaling session. We use this both when creating +@@ -1740,8 +1777,6 @@ static int journal_reset(journal_t *jour + journal->j_commit_sequence = journal->j_transaction_sequence - 1; + journal->j_commit_request = journal->j_commit_sequence; + +- journal->j_max_transaction_buffers = jbd2_journal_get_max_txn_bufs(journal); +- + /* + * Now that journal recovery is done, turn fast commits off here. This + * way, if fast commit was enabled before the crash but if now FS has +@@ -2282,8 +2317,6 @@ jbd2_journal_initialize_fast_commit(jour + journal->j_fc_first = journal->j_last + 1; + journal->j_fc_off = 0; + journal->j_free = journal->j_last - journal->j_first; +- journal->j_max_transaction_buffers = +- jbd2_journal_get_max_txn_bufs(journal); + + return 0; + } +@@ -2371,8 +2404,7 @@ int jbd2_journal_set_features(journal_t + sb->s_feature_ro_compat |= cpu_to_be32(ro); + sb->s_feature_incompat |= cpu_to_be32(incompat); + unlock_buffer(journal->j_sb_buffer); +- journal->j_revoke_records_per_block = +- journal_revoke_records_per_block(journal); ++ jbd2_journal_init_transaction_limits(journal); + + return 1; + #undef COMPAT_FEATURE_ON +@@ -2403,8 +2435,7 @@ void jbd2_journal_clear_features(journal + sb->s_feature_compat &= ~cpu_to_be32(compat); + sb->s_feature_ro_compat &= ~cpu_to_be32(ro); + sb->s_feature_incompat &= ~cpu_to_be32(incompat); +- journal->j_revoke_records_per_block = +- journal_revoke_records_per_block(journal); ++ jbd2_journal_init_transaction_limits(journal); + } + EXPORT_SYMBOL(jbd2_journal_clear_features); + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -63,28 +63,6 @@ void jbd2_journal_free_transaction(trans + } + + /* +- * Base amount of descriptor blocks we reserve for each transaction. +- */ +-static int jbd2_descriptor_blocks_per_trans(journal_t *journal) +-{ +- int tag_space = journal->j_blocksize - sizeof(journal_header_t); +- int tags_per_block; +- +- /* Subtract UUID */ +- tag_space -= 16; +- if (jbd2_journal_has_csum_v2or3(journal)) +- tag_space -= sizeof(struct jbd2_journal_block_tail); +- /* Commit code leaves a slack space of 16 bytes at the end of block */ +- tags_per_block = (tag_space - 16) / journal_tag_bytes(journal); +- /* +- * Revoke descriptors are accounted separately so we need to reserve +- * space for commit block and normal transaction descriptor blocks. +- */ +- return 1 + DIV_ROUND_UP(journal->j_max_transaction_buffers, +- tags_per_block); +-} +- +-/* + * jbd2_get_transaction: obtain a new transaction_t object. + * + * Simply initialise a new transaction. Initialize it in +@@ -109,7 +87,7 @@ static void jbd2_get_transaction(journal + transaction->t_expires = jiffies + journal->j_commit_interval; + atomic_set(&transaction->t_updates, 0); + atomic_set(&transaction->t_outstanding_credits, +- jbd2_descriptor_blocks_per_trans(journal) + ++ journal->j_transaction_overhead_buffers + + atomic_read(&journal->j_reserved_credits)); + atomic_set(&transaction->t_outstanding_revokes, 0); + atomic_set(&transaction->t_handle_count, 0); +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1084,6 +1084,13 @@ struct journal_s + int j_revoke_records_per_block; + + /** ++ * @j_transaction_overhead: ++ * ++ * Number of blocks each transaction needs for its own bookkeeping ++ */ ++ int j_transaction_overhead_buffers; ++ ++ /** + * @j_commit_interval: + * + * What is the maximum transaction lifetime before we begin a commit? diff --git a/queue-6.6/kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch b/queue-6.6/kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch new file mode 100644 index 00000000000..8b9fee3337c --- /dev/null +++ b/queue-6.6/kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch @@ -0,0 +1,80 @@ +From 32f55e475ce2c4b8b124d335fcfaf1152ba977a1 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 7 Jun 2024 10:26:05 -0700 +Subject: KVM: nVMX: Request immediate exit iff pending nested event needs injection + +From: Sean Christopherson + +commit 32f55e475ce2c4b8b124d335fcfaf1152ba977a1 upstream. + +When requesting an immediate exit from L2 in order to inject a pending +event, do so only if the pending event actually requires manual injection, +i.e. if and only if KVM actually needs to regain control in order to +deliver the event. + +Avoiding the "immediate exit" isn't simply an optimization, it's necessary +to make forward progress, as the "already expired" VMX preemption timer +trick that KVM uses to force a VM-Exit has higher priority than events +that aren't directly injected. + +At present time, this is a glorified nop as all events processed by +vmx_has_nested_events() require injection, but that will not hold true in +the future, e.g. if there's a pending virtual interrupt in vmcs02.RVI. +I.e. if KVM is trying to deliver a virtual interrupt to L2, the expired +VMX preemption timer will trigger VM-Exit before the virtual interrupt is +delivered, and KVM will effectively hang the vCPU in an endless loop of +forced immediate VM-Exits (because the pending virtual interrupt never +goes away). + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240607172609.3205077-3-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 2 +- + arch/x86/kvm/vmx/nested.c | 2 +- + arch/x86/kvm/x86.c | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1758,7 +1758,7 @@ struct kvm_x86_nested_ops { + bool (*is_exception_vmexit)(struct kvm_vcpu *vcpu, u8 vector, + u32 error_code); + int (*check_events)(struct kvm_vcpu *vcpu); +- bool (*has_events)(struct kvm_vcpu *vcpu); ++ bool (*has_events)(struct kvm_vcpu *vcpu, bool for_injection); + void (*triple_fault)(struct kvm_vcpu *vcpu); + int (*get_state)(struct kvm_vcpu *vcpu, + struct kvm_nested_state __user *user_kvm_nested_state, +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3962,7 +3962,7 @@ static bool nested_vmx_preemption_timer_ + to_vmx(vcpu)->nested.preemption_timer_expired; + } + +-static bool vmx_has_nested_events(struct kvm_vcpu *vcpu) ++static bool vmx_has_nested_events(struct kvm_vcpu *vcpu, bool for_injection) + { + return nested_vmx_preemption_timer_pending(vcpu) || + to_vmx(vcpu)->nested.mtf_pending; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -10254,7 +10254,7 @@ static int kvm_check_and_inject_events(s + + if (is_guest_mode(vcpu) && + kvm_x86_ops.nested_ops->has_events && +- kvm_x86_ops.nested_ops->has_events(vcpu)) ++ kvm_x86_ops.nested_ops->has_events(vcpu, true)) + *req_immediate_exit = true; + + /* +@@ -12882,7 +12882,7 @@ static inline bool kvm_vcpu_has_events(s + + if (is_guest_mode(vcpu) && + kvm_x86_ops.nested_ops->has_events && +- kvm_x86_ops.nested_ops->has_events(vcpu)) ++ kvm_x86_ops.nested_ops->has_events(vcpu, false)) + return true; + + if (kvm_xen_has_pending_events(vcpu)) diff --git a/queue-6.6/kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch b/queue-6.6/kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch new file mode 100644 index 00000000000..58e0bcaf2c5 --- /dev/null +++ b/queue-6.6/kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch @@ -0,0 +1,60 @@ +From 322a569c4b4188a0da2812f9e952780ce09b74ba Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 7 Jun 2024 10:26:06 -0700 +Subject: KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked() + +From: Sean Christopherson + +commit 322a569c4b4188a0da2812f9e952780ce09b74ba upstream. + +Move the non-VMX chunk of the "interrupt blocked" checks to a separate +helper so that KVM can reuse the code to detect if interrupts are blocked +for L2, e.g. to determine if a virtual interrupt _for L2_ is a valid wake +event. If L1 disables HLT-exiting for L2, nested APICv is enabled, and L2 +HLTs, then L2 virtual interrupts are valid wake events, but if and only if +interrupts are unblocked for L2. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240607172609.3205077-4-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 11 ++++++++--- + arch/x86/kvm/vmx/vmx.h | 1 + + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -5048,14 +5048,19 @@ static int vmx_nmi_allowed(struct kvm_vc + return !vmx_nmi_blocked(vcpu); + } + ++bool __vmx_interrupt_blocked(struct kvm_vcpu *vcpu) ++{ ++ return !(vmx_get_rflags(vcpu) & X86_EFLAGS_IF) || ++ (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & ++ (GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS)); ++} ++ + bool vmx_interrupt_blocked(struct kvm_vcpu *vcpu) + { + if (is_guest_mode(vcpu) && nested_exit_on_intr(vcpu)) + return false; + +- return !(vmx_get_rflags(vcpu) & X86_EFLAGS_IF) || +- (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & +- (GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS)); ++ return __vmx_interrupt_blocked(vcpu); + } + + static int vmx_interrupt_allowed(struct kvm_vcpu *vcpu, bool for_injection) +--- a/arch/x86/kvm/vmx/vmx.h ++++ b/arch/x86/kvm/vmx/vmx.h +@@ -400,6 +400,7 @@ u64 construct_eptp(struct kvm_vcpu *vcpu + bool vmx_guest_inject_ac(struct kvm_vcpu *vcpu); + void vmx_update_exception_bitmap(struct kvm_vcpu *vcpu); + bool vmx_nmi_blocked(struct kvm_vcpu *vcpu); ++bool __vmx_interrupt_blocked(struct kvm_vcpu *vcpu); + bool vmx_interrupt_blocked(struct kvm_vcpu *vcpu); + bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu); + void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked); diff --git a/queue-6.6/leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch b/queue-6.6/leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch new file mode 100644 index 00000000000..f6decfbacc1 --- /dev/null +++ b/queue-6.6/leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch @@ -0,0 +1,47 @@ +From e41d574b359ccd8d99be65c6f11502efa2b83136 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Tue, 11 Jun 2024 00:40:26 +0200 +Subject: leds: mt6360: Fix memory leak in mt6360_init_isnk_properties() + +From: Javier Carrasco + +commit e41d574b359ccd8d99be65c6f11502efa2b83136 upstream. + +The fwnode_for_each_child_node() loop requires manual intervention to +decrement the child refcount in case of an early return. + +Add the missing calls to fwnode_handle_put(child) to avoid memory leaks +in the error paths. + +Cc: stable@vger.kernel.org +Fixes: 679f8652064b ("leds: Add mt6360 driver") +Signed-off-by: Javier Carrasco +Acked-by: Pavel Machek +Link: https://lore.kernel.org/r/20240611-leds-mt6360-memleak-v1-1-93642eb5011e@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/flash/leds-mt6360.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/leds/flash/leds-mt6360.c ++++ b/drivers/leds/flash/leds-mt6360.c +@@ -633,14 +633,17 @@ static int mt6360_init_isnk_properties(s + + ret = fwnode_property_read_u32(child, "reg", ®); + if (ret || reg > MT6360_LED_ISNK3 || +- priv->leds_active & BIT(reg)) ++ priv->leds_active & BIT(reg)) { ++ fwnode_handle_put(child); + return -EINVAL; ++ } + + ret = fwnode_property_read_u32(child, "color", &color); + if (ret) { + dev_err(priv->dev, + "led %d, no color specified\n", + led->led_no); ++ fwnode_handle_put(child); + return ret; + } + diff --git a/queue-6.6/leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch b/queue-6.6/leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch new file mode 100644 index 00000000000..bb7ce7e97ef --- /dev/null +++ b/queue-6.6/leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch @@ -0,0 +1,55 @@ +From ce068e83976140badb19c7f1307926b4b562fac4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Mon, 27 May 2024 16:27:00 +0300 +Subject: leds: ss4200: Convert PCIBIOS_* return codes to errnos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit ce068e83976140badb19c7f1307926b4b562fac4 upstream. + +ich7_lpc_probe() uses pci_read_config_dword() that returns PCIBIOS_* +codes. The error handling code assumes incorrectly it's a normal errno +and checks for < 0. The return code is returned from the probe function +as is but probe functions should return normal errnos. + +Remove < 0 from the check and convert PCIBIOS_* returns code using +pcibios_err_to_errno() into normal errno before returning it. + +Fixes: a328e95b82c1 ("leds: LED driver for Intel NAS SS4200 series (v5)") +Cc: +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20240527132700.14260-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/leds-ss4200.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/leds/leds-ss4200.c ++++ b/drivers/leds/leds-ss4200.c +@@ -356,8 +356,10 @@ static int ich7_lpc_probe(struct pci_dev + + nas_gpio_pci_dev = dev; + status = pci_read_config_dword(dev, PMBASE, &g_pm_io_base); +- if (status) ++ if (status) { ++ status = pcibios_err_to_errno(status); + goto out; ++ } + g_pm_io_base &= 0x00000ff80; + + status = pci_read_config_dword(dev, GPIO_CTRL, &gc); +@@ -369,8 +371,9 @@ static int ich7_lpc_probe(struct pci_dev + } + + status = pci_read_config_dword(dev, GPIO_BASE, &nas_gpio_io_base); +- if (0 > status) { ++ if (status) { + dev_info(&dev->dev, "Unable to read GPIOBASE.\n"); ++ status = pcibios_err_to_errno(status); + goto out; + } + dev_dbg(&dev->dev, ": GPIOBASE = 0x%08x\n", nas_gpio_io_base); diff --git a/queue-6.6/md-md-bitmap-fix-writing-non-bitmap-pages.patch b/queue-6.6/md-md-bitmap-fix-writing-non-bitmap-pages.patch new file mode 100644 index 00000000000..463845ac6c6 --- /dev/null +++ b/queue-6.6/md-md-bitmap-fix-writing-non-bitmap-pages.patch @@ -0,0 +1,100 @@ +From ab99a87542f194f28e2364a42afbf9fb48b1c724 Mon Sep 17 00:00:00 2001 +From: Ofir Gal +Date: Fri, 7 Jun 2024 10:27:44 +0300 +Subject: md/md-bitmap: fix writing non bitmap pages + +From: Ofir Gal + +commit ab99a87542f194f28e2364a42afbf9fb48b1c724 upstream. + +__write_sb_page() rounds up the io size to the optimal io size if it +doesn't exceed the data offset, but it doesn't check the final size +exceeds the bitmap length. + +For example: +page count - 1 +page size - 4K +data offset - 1M +optimal io size - 256K + +The final io size would be 256K (64 pages) but md_bitmap_storage_alloc() +allocated 1 page, the IO would write 1 valid page and 63 pages that +happens to be allocated afterwards. This leaks memory to the raid device +superblock. + +This issue caused a data transfer failure in nvme-tcp. The network +drivers checks the first page of an IO with sendpage_ok(), it returns +true if the page isn't a slabpage and refcount >= 1. If the page +!sendpage_ok() the network driver disables MSG_SPLICE_PAGES. + +As of now the network layer assumes all the pages of the IO are +sendpage_ok() when MSG_SPLICE_PAGES is on. + +The bitmap pages aren't slab pages, the first page of the IO is +sendpage_ok(), but the additional pages that happens to be allocated +after the bitmap pages might be !sendpage_ok(). That cause +skb_splice_from_iter() to stop the data transfer, in the case below it +hangs 'mdadm --create'. + +The bug is reproducible, in order to reproduce we need nvme-over-tcp +controllers with optimal IO size bigger than PAGE_SIZE. Creating a raid +with bitmap over those devices reproduces the bug. + +In order to simulate large optimal IO size you can use dm-stripe with a +single device. +Script to reproduce the issue on top of brd devices using dm-stripe is +attached below (will be added to blktest). + +I have added some logs to test the theory: +... +md: created bitmap (1 pages) for device md127 +__write_sb_page before md_super_write offset: 16, size: 262144. pfn: 0x53ee +=== __write_sb_page before md_super_write. logging pages === +pfn: 0x53ee, slab: 0 <-- the only page that allocated for the bitmap +pfn: 0x53ef, slab: 1 +pfn: 0x53f0, slab: 0 +pfn: 0x53f1, slab: 0 +pfn: 0x53f2, slab: 0 +pfn: 0x53f3, slab: 1 +... +nvme_tcp: sendpage_ok - pfn: 0x53ee, len: 262144, offset: 0 +skbuff: before sendpage_ok() - pfn: 0x53ee +skbuff: before sendpage_ok() - pfn: 0x53ef +WARNING at net/core/skbuff.c:6848 skb_splice_from_iter+0x142/0x450 +skbuff: !sendpage_ok - pfn: 0x53ef. is_slab: 1, page_count: 1 +... + +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Hellwig +Signed-off-by: Ofir Gal +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20240607072748.3182199-1-ofir.gal@volumez.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-bitmap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -227,6 +227,8 @@ static int __write_sb_page(struct md_rde + struct block_device *bdev; + struct mddev *mddev = bitmap->mddev; + struct bitmap_storage *store = &bitmap->storage; ++ unsigned int bitmap_limit = (bitmap->storage.file_pages - pg_index) << ++ PAGE_SHIFT; + loff_t sboff, offset = mddev->bitmap_info.offset; + sector_t ps = pg_index * PAGE_SIZE / SECTOR_SIZE; + unsigned int size = PAGE_SIZE; +@@ -269,11 +271,9 @@ static int __write_sb_page(struct md_rde + if (size == 0) + /* bitmap runs in to data */ + return -EINVAL; +- } else { +- /* DATA METADATA BITMAP - no problems */ + } + +- md_super_write(mddev, rdev, sboff + ps, (int) size, page); ++ md_super_write(mddev, rdev, sboff + ps, (int)min(size, bitmap_limit), page); + return 0; + } + diff --git a/queue-6.6/media-imx-pxp-fix-err_ptr-dereference-in-pxp_probe.patch b/queue-6.6/media-imx-pxp-fix-err_ptr-dereference-in-pxp_probe.patch new file mode 100644 index 00000000000..08c36e936b4 --- /dev/null +++ b/queue-6.6/media-imx-pxp-fix-err_ptr-dereference-in-pxp_probe.patch @@ -0,0 +1,35 @@ +From 57e9ce68ae98551da9c161aaab12b41fe8601856 Mon Sep 17 00:00:00 2001 +From: Harshit Mogalapalli +Date: Tue, 14 May 2024 02:50:38 -0700 +Subject: media: imx-pxp: Fix ERR_PTR dereference in pxp_probe() + +From: Harshit Mogalapalli + +commit 57e9ce68ae98551da9c161aaab12b41fe8601856 upstream. + +devm_regmap_init_mmio() can fail, add a check and bail out in case of +error. + +Fixes: 4e5bd3fdbeb3 ("media: imx-pxp: convert to regmap") +Cc: stable@vger.kernel.org +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240514095038.3464191-1-harshit.m.mogalapalli@oracle.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx-pxp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/platform/nxp/imx-pxp.c ++++ b/drivers/media/platform/nxp/imx-pxp.c +@@ -1805,6 +1805,9 @@ static int pxp_probe(struct platform_dev + return PTR_ERR(mmio); + dev->regmap = devm_regmap_init_mmio(&pdev->dev, mmio, + &pxp_regmap_config); ++ if (IS_ERR(dev->regmap)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(dev->regmap), ++ "Failed to init regmap\n"); + + irq = platform_get_irq(pdev, 0); + if (irq < 0) diff --git a/queue-6.6/media-ivsc-csi-add-separate-lock-for-v4l2-control-handler.patch b/queue-6.6/media-ivsc-csi-add-separate-lock-for-v4l2-control-handler.patch new file mode 100644 index 00000000000..411e009edc8 --- /dev/null +++ b/queue-6.6/media-ivsc-csi-add-separate-lock-for-v4l2-control-handler.patch @@ -0,0 +1,69 @@ +From c6be6471004e0e4d10d0514146d8c41550823d63 Mon Sep 17 00:00:00 2001 +From: Wentong Wu +Date: Fri, 7 Jun 2024 21:25:46 +0800 +Subject: media: ivsc: csi: add separate lock for v4l2 control handler + +From: Wentong Wu + +commit c6be6471004e0e4d10d0514146d8c41550823d63 upstream. + +There're possibilities that privacy status change notification happens +in the middle of the ongoing mei command which already takes the command +lock, but v4l2_ctrl_s_ctrl() would also need the same lock prior to this +patch, so this may results in circular locking problem. This patch adds +one dedicated lock for v4l2 control handler to avoid described issue. + +Fixes: 29006e196a56 ("media: pci: intel: ivsc: Add CSI submodule") +Cc: stable@vger.kernel.org # for 6.6 and later +Reported-by: Hao Yao +Signed-off-by: Wentong Wu +Tested-by: Jason Chen +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ivsc/mei_csi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/media/pci/intel/ivsc/mei_csi.c ++++ b/drivers/media/pci/intel/ivsc/mei_csi.c +@@ -124,6 +124,8 @@ struct mei_csi { + struct v4l2_ctrl_handler ctrl_handler; + struct v4l2_ctrl *freq_ctrl; + struct v4l2_ctrl *privacy_ctrl; ++ /* lock for v4l2 controls */ ++ struct mutex ctrl_lock; + unsigned int remote_pad; + /* start streaming or not */ + int streaming; +@@ -609,11 +611,13 @@ static int mei_csi_init_controls(struct + u32 max; + int ret; + ++ mutex_init(&csi->ctrl_lock); ++ + ret = v4l2_ctrl_handler_init(&csi->ctrl_handler, 2); + if (ret) + return ret; + +- csi->ctrl_handler.lock = &csi->lock; ++ csi->ctrl_handler.lock = &csi->ctrl_lock; + + max = ARRAY_SIZE(link_freq_menu_items) - 1; + csi->freq_ctrl = v4l2_ctrl_new_int_menu(&csi->ctrl_handler, +@@ -772,6 +776,7 @@ err_entity: + + err_ctrl_handler: + v4l2_ctrl_handler_free(&csi->ctrl_handler); ++ mutex_destroy(&csi->ctrl_lock); + v4l2_async_nf_unregister(&csi->notifier); + v4l2_async_nf_cleanup(&csi->notifier); + +@@ -791,6 +796,7 @@ static void mei_csi_remove(struct mei_cl + v4l2_async_nf_unregister(&csi->notifier); + v4l2_async_nf_cleanup(&csi->notifier); + v4l2_ctrl_handler_free(&csi->ctrl_handler); ++ mutex_destroy(&csi->ctrl_lock); + v4l2_async_unregister_subdev(&csi->subdev); + v4l2_subdev_cleanup(&csi->subdev); + media_entity_cleanup(&csi->subdev.entity); diff --git a/queue-6.6/media-ivsc-csi-don-t-count-privacy-on-as-error.patch b/queue-6.6/media-ivsc-csi-don-t-count-privacy-on-as-error.patch new file mode 100644 index 00000000000..9d8657a9efc --- /dev/null +++ b/queue-6.6/media-ivsc-csi-don-t-count-privacy-on-as-error.patch @@ -0,0 +1,42 @@ +From a813f168336ec4ef725b836e598cd9dc14f76dd7 Mon Sep 17 00:00:00 2001 +From: Wentong Wu +Date: Fri, 7 Jun 2024 21:25:45 +0800 +Subject: media: ivsc: csi: don't count privacy on as error + +From: Wentong Wu + +commit a813f168336ec4ef725b836e598cd9dc14f76dd7 upstream. + +Prior to the ongoing command privacy is on, it would return -1 to +indicate the current privacy status, and the ongoing command would +be well executed by firmware as well, so this is not error. This +patch changes its behavior to notify privacy on directly by V4L2 +privacy control instead of reporting error. + +Fixes: 29006e196a56 ("media: pci: intel: ivsc: Add CSI submodule") +Cc: stable@vger.kernel.org # for 6.6 and later +Reported-by: Hao Yao +Signed-off-by: Wentong Wu +Tested-by: Jason Chen +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ivsc/mei_csi.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/media/pci/intel/ivsc/mei_csi.c ++++ b/drivers/media/pci/intel/ivsc/mei_csi.c +@@ -191,7 +191,11 @@ static int mei_csi_send(struct mei_csi * + + /* command response status */ + ret = csi->cmd_response.status; +- if (ret) { ++ if (ret == -1) { ++ /* notify privacy on instead of reporting error */ ++ ret = 0; ++ v4l2_ctrl_s_ctrl(csi->privacy_ctrl, 1); ++ } else if (ret) { + ret = -EINVAL; + goto out; + } diff --git a/queue-6.6/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch b/queue-6.6/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch new file mode 100644 index 00000000000..63d1ee222b1 --- /dev/null +++ b/queue-6.6/media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch @@ -0,0 +1,136 @@ +From 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 10 Jun 2024 19:17:49 +0000 +Subject: media: uvcvideo: Fix integer overflow calculating timestamp + +From: Ricardo Ribalda + +commit 8676a5e796fa18f55897ca36a94b2adf7f73ebd1 upstream. + +The function uvc_video_clock_update() supports a single SOF overflow. Or +in other words, the maximum difference between the first ant the last +timestamp can be 4096 ticks or 4.096 seconds. + +This results in a maximum value for y2 of: 0x12FBECA00, that overflows +32bits. +y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + +Extend the size of y2 to u64 to support all its values. + +Without this patch: + # yavta -s 1920x1080 -f YUYV -t 1/5 -c /dev/video0 +Device /dev/v4l/by-id/usb-Shine-Optics_Integrated_Camera_0001-video-index0 opened. +Device `Integrated Camera: Integrated C' on `usb-0000:00:14.0-6' (driver 'uvcvideo') supports video, capture, without mplanes. +Video format set: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Video format: YUYV (56595559) 1920x1080 (stride 3840) field none buffer size 4147200 +Current frame rate: 1/5 +Setting frame rate to: 1/5 +Frame rate set: 1/5 +8 buffers requested. +length: 4147200 offset: 0 timestamp type/source: mono/SoE +Buffer 0/0 mapped at address 0x7947ea94c000. +length: 4147200 offset: 4149248 timestamp type/source: mono/SoE +Buffer 1/0 mapped at address 0x7947ea557000. +length: 4147200 offset: 8298496 timestamp type/source: mono/SoE +Buffer 2/0 mapped at address 0x7947ea162000. +length: 4147200 offset: 12447744 timestamp type/source: mono/SoE +Buffer 3/0 mapped at address 0x7947e9d6d000. +length: 4147200 offset: 16596992 timestamp type/source: mono/SoE +Buffer 4/0 mapped at address 0x7947e9978000. +length: 4147200 offset: 20746240 timestamp type/source: mono/SoE +Buffer 5/0 mapped at address 0x7947e9583000. +length: 4147200 offset: 24895488 timestamp type/source: mono/SoE +Buffer 6/0 mapped at address 0x7947e918e000. +length: 4147200 offset: 29044736 timestamp type/source: mono/SoE +Buffer 7/0 mapped at address 0x7947e8d99000. +0 (0) [-] none 0 4147200 B 507.554210 508.874282 242.836 fps ts mono/SoE +1 (1) [-] none 2 4147200 B 508.886298 509.074289 0.751 fps ts mono/SoE +2 (2) [-] none 3 4147200 B 509.076362 509.274307 5.261 fps ts mono/SoE +3 (3) [-] none 4 4147200 B 509.276371 509.474336 5.000 fps ts mono/SoE +4 (4) [-] none 5 4147200 B 509.476394 509.674394 4.999 fps ts mono/SoE +5 (5) [-] none 6 4147200 B 509.676506 509.874345 4.997 fps ts mono/SoE +6 (6) [-] none 7 4147200 B 509.876430 510.074370 5.002 fps ts mono/SoE +7 (7) [-] none 8 4147200 B 510.076434 510.274365 5.000 fps ts mono/SoE +8 (0) [-] none 9 4147200 B 510.276421 510.474333 5.000 fps ts mono/SoE +9 (1) [-] none 10 4147200 B 510.476391 510.674429 5.001 fps ts mono/SoE +10 (2) [-] none 11 4147200 B 510.676434 510.874283 4.999 fps ts mono/SoE +11 (3) [-] none 12 4147200 B 510.886264 511.074349 4.766 fps ts mono/SoE +12 (4) [-] none 13 4147200 B 511.070577 511.274304 5.426 fps ts mono/SoE +13 (5) [-] none 14 4147200 B 511.286249 511.474301 4.637 fps ts mono/SoE +14 (6) [-] none 15 4147200 B 511.470542 511.674251 5.426 fps ts mono/SoE +15 (7) [-] none 16 4147200 B 511.672651 511.874337 4.948 fps ts mono/SoE +16 (0) [-] none 17 4147200 B 511.873988 512.074462 4.967 fps ts mono/SoE +17 (1) [-] none 18 4147200 B 512.075982 512.278296 4.951 fps ts mono/SoE +18 (2) [-] none 19 4147200 B 512.282631 512.482423 4.839 fps ts mono/SoE +19 (3) [-] none 20 4147200 B 518.986637 512.686333 0.149 fps ts mono/SoE +20 (4) [-] none 21 4147200 B 518.342709 512.886386 -1.553 fps ts mono/SoE +21 (5) [-] none 22 4147200 B 517.909812 513.090360 -2.310 fps ts mono/SoE +22 (6) [-] none 23 4147200 B 517.590775 513.294454 -3.134 fps ts mono/SoE +23 (7) [-] none 24 4147200 B 513.298465 513.494335 -0.233 fps ts mono/SoE +24 (0) [-] none 25 4147200 B 513.510273 513.698375 4.721 fps ts mono/SoE +25 (1) [-] none 26 4147200 B 513.698904 513.902327 5.301 fps ts mono/SoE +26 (2) [-] none 27 4147200 B 513.895971 514.102348 5.074 fps ts mono/SoE +27 (3) [-] none 28 4147200 B 514.099091 514.306337 4.923 fps ts mono/SoE +28 (4) [-] none 29 4147200 B 514.310348 514.510567 4.734 fps ts mono/SoE +29 (5) [-] none 30 4147200 B 514.509295 514.710367 5.026 fps ts mono/SoE +30 (6) [-] none 31 4147200 B 521.532513 514.914398 0.142 fps ts mono/SoE +31 (7) [-] none 32 4147200 B 520.885277 515.118385 -1.545 fps ts mono/SoE +32 (0) [-] none 33 4147200 B 520.411140 515.318336 -2.109 fps ts mono/SoE +33 (1) [-] none 34 4147200 B 515.325425 515.522278 -0.197 fps ts mono/SoE +34 (2) [-] none 35 4147200 B 515.538276 515.726423 4.698 fps ts mono/SoE +35 (3) [-] none 36 4147200 B 515.720767 515.930373 5.480 fps ts mono/SoE + +Cc: stable@vger.kernel.org +Fixes: 66847ef013cc ("[media] uvcvideo: Add UVC timestamps support") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240610-hwtimestamp-followup-v1-2-f9eaed7be7f0@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -720,11 +720,11 @@ void uvc_video_clock_update(struct uvc_s + unsigned long flags; + u64 timestamp; + u32 delta_stc; +- u32 y1, y2; ++ u32 y1; + u32 x1, x2; + u32 mean; + u32 sof; +- u64 y; ++ u64 y, y2; + + if (!uvc_hw_timestamps_param) + return; +@@ -764,7 +764,7 @@ void uvc_video_clock_update(struct uvc_s + sof = y; + + uvc_dbg(stream->dev, CLOCK, +- "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %u SOF offset %u)\n", ++ "%s: PTS %u y %llu.%06llu SOF %u.%06llu (x1 %u x2 %u y1 %u y2 %llu SOF offset %u)\n", + stream->dev->name, buf->pts, + y >> 16, div_u64((y & 0xffff) * 1000000, 65536), + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), +@@ -779,7 +779,7 @@ void uvc_video_clock_update(struct uvc_s + goto done; + + y1 = NSEC_PER_SEC; +- y2 = (u32)ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; ++ y2 = ktime_to_ns(ktime_sub(last->host_time, first->host_time)) + y1; + + /* + * Interpolated and host SOF timestamps can wrap around at slightly +@@ -800,7 +800,7 @@ void uvc_video_clock_update(struct uvc_s + timestamp = ktime_to_ns(first->host_time) + y - y1; + + uvc_dbg(stream->dev, CLOCK, +- "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %u)\n", ++ "%s: SOF %u.%06llu y %llu ts %llu buf ts %llu (x1 %u/%u/%u x2 %u/%u/%u y1 %u y2 %llu)\n", + stream->dev->name, + sof >> 16, div_u64(((u64)sof & 0xffff) * 1000000LLU, 65536), + y, timestamp, vbuf->vb2_buf.timestamp, diff --git a/queue-6.6/selftests-landlock-add-cred_transfer-test.patch b/queue-6.6/selftests-landlock-add-cred_transfer-test.patch new file mode 100644 index 00000000000..a77c321def8 --- /dev/null +++ b/queue-6.6/selftests-landlock-add-cred_transfer-test.patch @@ -0,0 +1,123 @@ +From cc374782b6ca0fd634482391da977542443d3368 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 24 Jul 2024 16:54:26 +0200 +Subject: selftests/landlock: Add cred_transfer test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit cc374782b6ca0fd634482391da977542443d3368 upstream. + +Check that keyctl(KEYCTL_SESSION_TO_PARENT) preserves the parent's +restrictions. + +Fixes: e1199815b47b ("selftests/landlock: Add user space tests") +Co-developed-by: Jann Horn +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20240724.Ood5aige9she@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/landlock/base_test.c | 74 +++++++++++++++++++++++++++ + tools/testing/selftests/landlock/config | 1 + 2 files changed, 75 insertions(+) + +--- a/tools/testing/selftests/landlock/base_test.c ++++ b/tools/testing/selftests/landlock/base_test.c +@@ -9,6 +9,7 @@ + #define _GNU_SOURCE + #include + #include ++#include + #include + #include + #include +@@ -326,4 +327,77 @@ TEST(ruleset_fd_transfer) + ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); + } + ++TEST(cred_transfer) ++{ ++ struct landlock_ruleset_attr ruleset_attr = { ++ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR, ++ }; ++ int ruleset_fd, dir_fd; ++ pid_t child; ++ int status; ++ ++ drop_caps(_metadata); ++ ++ dir_fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC); ++ EXPECT_LE(0, dir_fd); ++ EXPECT_EQ(0, close(dir_fd)); ++ ++ /* Denies opening directories. */ ++ ruleset_fd = ++ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); ++ ASSERT_LE(0, ruleset_fd); ++ EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); ++ ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); ++ EXPECT_EQ(0, close(ruleset_fd)); ++ ++ /* Checks ruleset enforcement. */ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++ ++ /* Needed for KEYCTL_SESSION_TO_PARENT permission checks */ ++ EXPECT_NE(-1, syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, ++ 0, 0)) ++ { ++ TH_LOG("Failed to join session keyring: %s", strerror(errno)); ++ } ++ ++ child = fork(); ++ ASSERT_LE(0, child); ++ if (child == 0) { ++ /* Checks ruleset enforcement. */ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++ ++ /* ++ * KEYCTL_SESSION_TO_PARENT is a no-op unless we have a ++ * different session keyring in the child, so make that happen. ++ */ ++ EXPECT_NE(-1, syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, ++ NULL, 0, 0, 0)); ++ ++ /* ++ * KEYCTL_SESSION_TO_PARENT installs credentials on the parent ++ * that never go through the cred_prepare hook, this path uses ++ * cred_transfer instead. ++ */ ++ EXPECT_EQ(0, syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT, 0, ++ 0, 0, 0)); ++ ++ /* Re-checks ruleset enforcement. */ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++ ++ _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE); ++ return; ++ } ++ ++ EXPECT_EQ(child, waitpid(child, &status, 0)); ++ EXPECT_EQ(1, WIFEXITED(status)); ++ EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status)); ++ ++ /* Re-checks ruleset enforcement. */ ++ EXPECT_EQ(-1, open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)); ++ EXPECT_EQ(EACCES, errno); ++} ++ + TEST_HARNESS_MAIN +--- a/tools/testing/selftests/landlock/config ++++ b/tools/testing/selftests/landlock/config +@@ -1,5 +1,6 @@ + CONFIG_CGROUPS=y + CONFIG_CGROUP_SCHED=y ++CONFIG_KEYS=y + CONFIG_OVERLAY_FS=y + CONFIG_PROC_FS=y + CONFIG_SECURITY=y diff --git a/queue-6.6/series b/queue-6.6/series index 5f5e0b9fc31..f3737131556 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -399,3 +399,19 @@ ext4-check-dot-and-dotdot-of-dx_root-before-making-dir-indexed.patch ext4-make-sure-the-first-directory-block-is-not-a-hole.patch io_uring-tighten-task-exit-cancellations.patch trace-pid_list-change-gfp-flags-in-pid_list_fill_irq.patch +selftests-landlock-add-cred_transfer-test.patch +wifi-mwifiex-fix-interface-type-change.patch +wifi-rtw88-usb-fix-disconnection-after-beacon-loss.patch +drivers-soc-xilinx-check-return-status-of-get_api_version.patch +leds-ss4200-convert-pcibios_-return-codes-to-errnos.patch +md-md-bitmap-fix-writing-non-bitmap-pages.patch +leds-mt6360-fix-memory-leak-in-mt6360_init_isnk_properties.patch +media-ivsc-csi-add-separate-lock-for-v4l2-control-handler.patch +media-imx-pxp-fix-err_ptr-dereference-in-pxp_probe.patch +jbd2-make-jbd2_journal_get_max_txn_bufs-internal.patch +jbd2-precompute-number-of-transaction-descriptor-blocks.patch +jbd2-avoid-infinite-transaction-commit-loop.patch +media-uvcvideo-fix-integer-overflow-calculating-timestamp.patch +media-ivsc-csi-don-t-count-privacy-on-as-error.patch +kvm-vmx-split-out-the-non-virtualization-part-of-vmx_interrupt_blocked.patch +kvm-nvmx-request-immediate-exit-iff-pending-nested-event-needs-injection.patch diff --git a/queue-6.6/wifi-mwifiex-fix-interface-type-change.patch b/queue-6.6/wifi-mwifiex-fix-interface-type-change.patch new file mode 100644 index 00000000000..f8b00767bf2 --- /dev/null +++ b/queue-6.6/wifi-mwifiex-fix-interface-type-change.patch @@ -0,0 +1,40 @@ +From a17b9f590f6ec2b9f1b12b1db3bf1d181de6b272 Mon Sep 17 00:00:00 2001 +From: Rafael Beims +Date: Fri, 10 May 2024 13:04:58 +0200 +Subject: wifi: mwifiex: Fix interface type change + +From: Rafael Beims + +commit a17b9f590f6ec2b9f1b12b1db3bf1d181de6b272 upstream. + +When changing the interface type we also need to update the bss_num, the +driver private data is searched based on a unique (bss_type, bss_num) +tuple, therefore every time bss_type changes, bss_num must also change. + +This fixes for example an issue in which, after the mode changed, a +wireless scan on the changed interface would not finish, leading to +repeated -EBUSY messages to userspace when other scan requests were +sent. + +Fixes: c606008b7062 ("mwifiex: Properly initialize private structure on interface type changes") +Cc: stable@vger.kernel.org +Signed-off-by: Rafael Beims +Signed-off-by: Francesco Dolcini +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240510110458.15475-1-francesco@dolcini.it +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -926,6 +926,8 @@ mwifiex_init_new_priv_params(struct mwif + return -EOPNOTSUPP; + } + ++ priv->bss_num = mwifiex_get_unused_bss_num(adapter, priv->bss_type); ++ + spin_lock_irqsave(&adapter->main_proc_lock, flags); + adapter->main_locked = false; + spin_unlock_irqrestore(&adapter->main_proc_lock, flags); diff --git a/queue-6.6/wifi-rtw88-usb-fix-disconnection-after-beacon-loss.patch b/queue-6.6/wifi-rtw88-usb-fix-disconnection-after-beacon-loss.patch new file mode 100644 index 00000000000..0defa4839e9 --- /dev/null +++ b/queue-6.6/wifi-rtw88-usb-fix-disconnection-after-beacon-loss.patch @@ -0,0 +1,62 @@ +From 28818b4d871bc93cc4f5c7c7d7c526a6a096c09c Mon Sep 17 00:00:00 2001 +From: Bitterblue Smith +Date: Mon, 29 Apr 2024 20:57:52 +0300 +Subject: wifi: rtw88: usb: Fix disconnection after beacon loss + +From: Bitterblue Smith + +commit 28818b4d871bc93cc4f5c7c7d7c526a6a096c09c upstream. + +When there is beacon loss, for example due to unrelated Bluetooth +devices transmitting music nearby, the wifi connection dies soon +after the first beacon loss message: + +Apr 28 20:47:14 ideapad2 wpa_supplicant[1161]: wlp3s0f3u4: + CTRL-EVENT-BEACON-LOSS +Apr 28 20:47:15 ideapad2 wpa_supplicant[1161]: wlp3s0f3u4: + CTRL-EVENT-DISCONNECTED bssid=... reason=4 locally_generated=1 + +Apr 28 20:47:24 ideapad2 wpa_supplicant[1161]: wlp3s0f3u4: + CTRL-EVENT-BEACON-LOSS +Apr 28 20:47:25 ideapad2 wpa_supplicant[1161]: wlp3s0f3u4: + CTRL-EVENT-DISCONNECTED bssid=... reason=4 locally_generated=1 + +Apr 28 20:47:34 ideapad2 wpa_supplicant[1161]: wlp3s0f3u4: + CTRL-EVENT-BEACON-LOSS +Apr 28 20:47:35 ideapad2 wpa_supplicant[1161]: wlp3s0f3u4: + CTRL-EVENT-DISCONNECTED bssid=... reason=4 locally_generated=1 + +When the beacon loss happens, mac80211 makes rtw88 transmit a QOS +NULL frame and asks to confirm the ACK status. Even though rtw88 +confirms to mac80211 that the QOS NULL was transmitted successfully, +the connection still dies. This is because rtw88 is handing the QOS +NULL back to mac80211 with skb->data pointing to the headroom (the +TX descriptor) instead of ieee80211_hdr. + +Fix the disconnection by moving skb->data to the correct position +before ieee80211_tx_status_irqsafe(). + +The problem was observed with RTL8811AU (TP-Link Archer T2U Nano) +and the potential future rtw88_8821au driver. Also tested with +RTL8811CU (Tenda U9). + +Cc: stable@vger.kernel.org +Signed-off-by: Bitterblue Smith +Signed-off-by: Ping-Ke Shih +Link: https://msgid.link/ecbf0601-810d-4609-b8fc-8b0e38d2948d@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/realtek/rtw88/usb.c ++++ b/drivers/net/wireless/realtek/rtw88/usb.c +@@ -273,6 +273,8 @@ static void rtw_usb_write_port_tx_comple + info = IEEE80211_SKB_CB(skb); + tx_data = rtw_usb_get_tx_data(skb); + ++ skb_pull(skb, rtwdev->chip->tx_pkt_desc_sz); ++ + /* enqueue to wait for tx report */ + if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) { + rtw_tx_report_enqueue(rtwdev, skb, tx_data->sn);