From: Sasha Levin
Date: Sun, 30 Jun 2024 02:22:20 +0000 (-0400)
Subject: Fixes for 6.9
X-Git-Tag: v4.19.317~125
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e19c4808c680602a28dffd7a153189d6f95d4cd3;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 6.9
Signed-off-by: Sasha Levin
---
diff --git a/queue-6.9/alsa-emux-improve-patch-ioctl-data-validation.patch b/queue-6.9/alsa-emux-improve-patch-ioctl-data-validation.patch
new file mode 100644
index 00000000000..e202e2e815b
--- /dev/null
+++ b/queue-6.9/alsa-emux-improve-patch-ioctl-data-validation.patch
@@ -0,0 +1,81 @@
+From b9ee4faf7bab707d8c3845013c6ed2da067203dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 6 Apr 2024 08:48:20 +0200
+Subject: ALSA: emux: improve patch ioctl data validation
+
+From: Oswald Buddenhagen
+
+[ Upstream commit 89b32ccb12ae67e630c6453d778ec30a592a212f ]
+
+In load_data(), make the validation of and skipping over the main info
+block match that in load_guspatch().
+
+In load_guspatch(), add checking that the specified patch length matches
+the actually supplied data, like load_data() already did.
+
+Signed-off-by: Oswald Buddenhagen
+Message-ID: <20240406064830.1029573-8-oswald.buddenhagen@gmx.de>
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/synth/emux/soundfont.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/sound/synth/emux/soundfont.c b/sound/synth/emux/soundfont.c
+index 16f00097cb95a..eed47e4830248 100644
+--- a/sound/synth/emux/soundfont.c
++++ b/sound/synth/emux/soundfont.c
+@@ -701,7 +701,6 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
+ struct snd_soundfont *sf;
+ struct soundfont_sample_info sample_info;
+ struct snd_sf_sample *sp;
+- long off;
+
+ /* patch must be opened */
+ sf = sflist->currsf;
+@@ -711,12 +710,16 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
+ if (is_special_type(sf->type))
+ return -EINVAL;
+
++ if (count < (long)sizeof(sample_info)) {
++ return -EINVAL;
++ }
+ if (copy_from_user(&sample_info, data, sizeof(sample_info)))
+ return -EFAULT;
++ data += sizeof(sample_info);
++ count -= sizeof(sample_info);
+
+- off = sizeof(sample_info);
+-
+- if (sample_info.size != (count-off)/2)
++ // SoundFont uses S16LE samples.
++ if (sample_info.size * 2 != count)
+ return -EINVAL;
+
+ /* Check for dup */
+@@ -744,7 +747,7 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
+ int rc;
+ rc = sflist->callback.sample_new
+ (sflist->callback.private_data, sp, sflist->memhdr,
+- data + off, count - off);
++ data, count);
+ if (rc < 0) {
+ sf_sample_delete(sflist, sf, sp);
+ return rc;
+@@ -957,10 +960,12 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data,
+ }
+ if (copy_from_user(&patch, data, sizeof(patch)))
+ return -EFAULT;
+-
+ count -= sizeof(patch);
+ data += sizeof(patch);
+
++ if ((patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count)
++ return -EINVAL;
++
+ sf = newsf(sflist, SNDRV_SFNT_PAT_TYPE_GUS|SNDRV_SFNT_PAT_SHARED, NULL);
+ if (sf == NULL)
+ return -ENOMEM;
+--
+2.43.0
+
diff --git a/queue-6.9/arm64-clear-the-initial-id-map-correctly-before-rema.patch b/queue-6.9/arm64-clear-the-initial-id-map-correctly-before-rema.patch
new file mode 100644
index 00000000000..877f6ee2792
--- /dev/null
+++ b/queue-6.9/arm64-clear-the-initial-id-map-correctly-before-rema.patch
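Review bot: In sound/synth/emux/soundfont.c the new length check `if (sample_info.size * 2 != count)` in load_data() multiplies a value copied from user space before comparing it; the type of `sample_info.size` is not visible in this patch, but if it is a 32-bit int a very large or negative value could wrap and still compare equal to `count`. The removed form divided `count` instead, which cannot wrap, so `if ((count & 1) || sample_info.size != count / 2)` would keep the new strictness without the multiplication. The same reasoning applies to `patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)` in the load_guspatch() hunk. Both function bodies continue outside the hunks.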
@@ -0,0 +1,41 @@
+From d3a07929f252ec705204d62fe1c08988799bbb7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Jun 2024 17:28:09 +0800
+Subject: arm64: Clear the initial ID map correctly before remapping
+
+From: Zenghui Yu
+
+[ Upstream commit ecc54006f158ae0245a13e59026da2f0239c1b86 ]
+
+In the attempt to clear and recreate the initial ID map for LPA2, we
+wrongly use 'start - end' as the map size and make the memset() almost a
+nop.
+
+Fix it by passing the correct map size.
+
+Fixes: 9684ec186f8f ("arm64: Enable LPA2 at boot if supported by the system")
+Signed-off-by: Zenghui Yu
+Reviewed-by: Ard Biesheuvel
+Link: https://lore.kernel.org/r/20240621092809.162-1-yuzenghui@huawei.com
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/pi/map_kernel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/pi/map_kernel.c b/arch/arm64/kernel/pi/map_kernel.c
+index 5fa08e13e17e5..f374a3e5a5fe1 100644
+--- a/arch/arm64/kernel/pi/map_kernel.c
++++ b/arch/arm64/kernel/pi/map_kernel.c
+@@ -173,7 +173,7 @@ static void __init remap_idmap_for_lpa2(void)
+ * Don't bother with the FDT, we no longer need it after this.
+ */
+ memset(init_idmap_pg_dir, 0,
+- (u64)init_idmap_pg_dir - (u64)init_idmap_pg_end);
++ (u64)init_idmap_pg_end - (u64)init_idmap_pg_dir);
+
+ create_init_idmap(init_idmap_pg_dir, mask);
+ dsb(ishst);
+--
+2.43.0
+
diff --git a/queue-6.9/bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch b/queue-6.9/bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch
new file mode 100644
index 00000000000..444c69ecbe4
--- /dev/null
+++ b/queue-6.9/bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch
@@ -0,0 +1,39 @@
+From dbc57163a0d215200641a75dedc2d3a7bd7c855e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Mar 2024 10:17:42 +0000
+Subject: bpf: Add a check for struct bpf_fib_lookup size
+
+From: Anton Protopopov
+
+[ Upstream commit 59b418c7063d30e0a3e1f592d47df096db83185c ]
+
+The struct bpf_fib_lookup should not grow outside of its 64 bytes.
+Add a static assert to validate this.
+
+Suggested-by: David Ahern
+Signed-off-by: Anton Protopopov
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20240326101742.17421-4-aspsk@isovalent.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ net/core/filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index ce255e0a2fbd9..15d850ea7d4ad 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -87,6 +87,9 @@
+
+ #include "dev.h"
+
++/* Keep the struct bpf_fib_lookup small so that it fits into a cacheline */
++static_assert(sizeof(struct bpf_fib_lookup) == 64, "struct bpf_fib_lookup size check");
++
+ static const struct bpf_func_proto *
+ bpf_sk_base_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog);
+
+--
+2.43.0
+
diff --git a/queue-6.9/bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch b/queue-6.9/bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch
new file mode 100644
index 00000000000..b76ae95e049
--- /dev/null
+++ b/queue-6.9/bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch
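Review bot: The comment added in net/core/filter.c says the struct should stay "small", but the assertion below it is `sizeof(struct bpf_fib_lookup) == 64`, which rejects a smaller struct as well as a larger one. The comment would match the check if it stated the exact-size requirement, for example `/* struct bpf_fib_lookup must stay exactly 64 bytes (one cacheline) */`. The assertion message could name the expected size too: `"struct bpf_fib_lookup must be 64 bytes"`.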
@@ -0,0 +1,91 @@
+From 0aec9e44ded6f63e43eb839f5eb286724874cec0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Mar 2024 11:58:01 -0700
+Subject: bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter
+ mode
+
+From: Martin KaFai Lau
+
+[ Upstream commit e8742081db7d01f980c6161ae1e8a1dbc1e30979 ]
+
+syzbot reported uninit memory usages during map_{lookup,delete}_elem.
+
+==========
+BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
+BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
+__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
+dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
+____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]
+bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38
+___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
+__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237
+==========
+
+The reproducer should be in the interpreter mode.
+
+The C reproducer is trying to run the following bpf prog:
+
+ 0: (18) r0 = 0x0
+ 2: (18) r1 = map[id:49]
+ 4: (b7) r8 = 16777216
+ 5: (7b) *(u64 *)(r10 -8) = r8
+ 6: (bf) r2 = r10
+ 7: (07) r2 += -229
+ ^^^^^^^^^^
+
+ 8: (b7) r3 = 8
+ 9: (b7) r4 = 0
+ 10: (85) call dev_map_lookup_elem#1543472
+ 11: (95) exit
+
+It is due to the "void *key" (r2) passed to the helper. bpf allows uninit
+stack memory access for bpf prog with the right privileges. This patch
+uses kmsan_unpoison_memory() to mark the stack as initialized.
+
+This should address different syzbot reports on the uninit "void *key"
+argument during map_{lookup,delete}_elem.
+
+Reported-by: syzbot+603bcd9b0bf1d94dbb9b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/000000000000f9ce6d061494e694@google.com/
+Reported-by: syzbot+eb02dc7f03dce0ef39f3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/000000000000a5c69c06147c2238@google.com/
+Reported-by: syzbot+b4e65ca24fd4d0c734c3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/000000000000ac56fb06143b6cfa@google.com/
+Reported-by: syzbot+d2b113dc9fea5e1d2848@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/0000000000000d69b206142d1ff7@google.com/
+Reported-by: syzbot+1a3cf6f08d68868f9db3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/0000000000006f876b061478e878@google.com/
+Tested-by: syzbot+1a3cf6f08d68868f9db3@syzkaller.appspotmail.com
+Suggested-by: Yonghong Song
+Suggested-by: Alexei Starovoitov
+Signed-off-by: Martin KaFai Lau
+Link: https://lore.kernel.org/r/20240328185801.1843078-1-martin.lau@linux.dev
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 9985988845e36..80bcfde927206 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2204,6 +2204,7 @@ static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn
+ u64 stack[stack_size / sizeof(u64)]; \
+ u64 regs[MAX_BPF_EXT_REG] = {}; \
+ \
++ kmsan_unpoison_memory(stack, sizeof(stack)); \
+ FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
+ ARG1 = (u64) (unsigned long) ctx; \
+ return ___bpf_prog_run(regs, insn); \
+@@ -2217,6 +2218,7 @@ static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
+ u64 stack[stack_size / sizeof(u64)]; \
+ u64 regs[MAX_BPF_EXT_REG]; \
+ \
++ kmsan_unpoison_memory(stack, sizeof(stack)); \
+ FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
+ BPF_R1 = r1; \
+ BPF_R2 = r2; \
+--
+2.43.0
+
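Review bot: Neither added `kmsan_unpoison_memory(stack, sizeof(stack));` line in kernel/bpf/core.c carries a comment, so a reader of the two macros cannot tell that the whole interpreter stack is deliberately marked initialised and that KMSAN will therefore no longer report helper reads of stack slots the program never wrote. A one-line comment above each call would record the reason given in the commit message, for example `/* BPF may hand uninit stack to helpers; mark it initialized for KMSAN */`, backslash-continued like the neighbouring lines. The context lines also show `regs` zero-initialised in the first macro but not in the second; whether that matters depends on code outside the hunks, where both macro bodies continue.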
diff --git a/queue-6.9/bpf-take-return-from-set_memory_ro-into-account-with.patch b/queue-6.9/bpf-take-return-from-set_memory_ro-into-account-with.patch
new file mode 100644
index 00000000000..00615bbaba4
--- /dev/null
+++ b/queue-6.9/bpf-take-return-from-set_memory_ro-into-account-with.patch
@@ -0,0 +1,88 @@
+From a3d6b8a49a5e83bc5070c6c0f5f32163249febf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Mar 2024 06:38:07 +0100
+Subject: bpf: Take return from set_memory_ro() into account with
+ bpf_prog_lock_ro()
+
+From: Christophe Leroy
+
+[ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ]
+
+set_memory_ro() can fail, leaving memory unprotected.
+
+Check its return and take it into account as an error.
+
+Link: https://github.com/KSPP/linux/issues/7
+Signed-off-by: Christophe Leroy
+Cc: linux-hardening@vger.kernel.org
+Reviewed-by: Kees Cook
+Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu>
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ include/linux/filter.h | 5 +++--
+ kernel/bpf/core.c | 4 +++-
+ kernel/bpf/verifier.c | 8 ++++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 219ee7a768744..35791b1c61c7d 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -887,14 +887,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default)
+
+ #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0]))
+
+-static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
++static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)
+ {
+ #ifndef CONFIG_BPF_JIT_ALWAYS_ON
+ if (!fp->jited) {
+ set_vm_flush_reset_perms(fp);
+- set_memory_ro((unsigned long)fp, fp->pages);
++ return set_memory_ro((unsigned long)fp, fp->pages);
+ }
+ #endif
++ return 0;
+ }
+
+ static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 1ea5ce5bb5993..9985988845e36 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2403,7 +2403,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
+ }
+
+ finalize:
+- bpf_prog_lock_ro(fp);
++ *err = bpf_prog_lock_ro(fp);
++ if (*err)
++ return fp;
+
+ /* The tail call compatibility check can only be done at
+ * this late stage as we need to determine, if we deal
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index ab558eea1c9ee..d5fca9deac5a1 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -19354,10 +19354,14 @@ static int jit_subprogs(struct bpf_verifier_env *env)
+ * bpf_prog_load will add the kallsyms for the main program.
+ */
+ for (i = 1; i < env->subprog_cnt; i++) {
+- bpf_prog_lock_ro(func[i]);
+- bpf_prog_kallsyms_add(func[i]);
++ err = bpf_prog_lock_ro(func[i]);
++ if (err)
++ goto out_free;
+ }
+
++ for (i = 1; i < env->subprog_cnt; i++)
++ bpf_prog_kallsyms_add(func[i]);
++
+ /* Last step: make now unused interpreter insns from main
+ * prog consistent for later dump requests, so they can
+ * later look the same as if they were interpreted only.
+--
+2.43.0
+
diff --git a/queue-6.9/bpf-take-return-from-set_memory_rox-into-account-wit.patch b/queue-6.9/bpf-take-return-from-set_memory_rox-into-account-wit.patch
new file mode 100644
index 00000000000..07a3530753c
--- /dev/null
+++ b/queue-6.9/bpf-take-return-from-set_memory_rox-into-account-wit.patch
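Review bot: In kernel/bpf/verifier.c the new `goto out_free;` inside the `for (i = 1; i < env->subprog_cnt; i++)` loop can fire after earlier subprograms were already made read-only, and the `out_free` label lies outside the hunk, so it cannot be seen here whether that path copes with a mix of locked and unlocked `func[]` entries. Once that is confirmed, a short comment at the jump would record the expectation, e.g. `/* out_free releases every func[], locked or not */`. In kernel/bpf/core.c the early `return fp;` relies on every caller of bpf_prog_select_runtime() checking `*err` before using the returned program; those callers are not part of this patch.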
@@ -0,0 +1,234 @@
+From f68a9aed103a9444f4463b3a192ee98f39a05c0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Mar 2024 06:38:08 +0100
+Subject: bpf: Take return from set_memory_rox() into account with
+ bpf_jit_binary_lock_ro()
+
+From: Christophe Leroy
+
+[ Upstream commit e60adf513275c3a38e5cb67f7fd12387e43a3ff5 ]
+
+set_memory_rox() can fail, leaving memory unprotected.
+
+Check return and bail out when bpf_jit_binary_lock_ro() returns
+an error.
+
+Link: https://github.com/KSPP/linux/issues/7
+Signed-off-by: Christophe Leroy
+Cc: linux-hardening@vger.kernel.org
+Reviewed-by: Kees Cook
+Reviewed-by: Puranjay Mohan
+Reviewed-by: Ilya Leoshkevich # s390x
+Acked-by: Tiezhu Yang # LoongArch
+Reviewed-by: Johan Almbladh # MIPS Part
+Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu>
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ arch/arm/net/bpf_jit_32.c | 25 ++++++++++++-------------
+ arch/loongarch/net/bpf_jit.c | 22 ++++++++++++++++------
+ arch/mips/net/bpf_jit_comp.c | 3 ++-
+ arch/parisc/net/bpf_jit_core.c | 8 +++++++-
+ arch/s390/net/bpf_jit_comp.c | 6 +++++-
+ arch/sparc/net/bpf_jit_comp_64.c | 6 +++++-
+ arch/x86/net/bpf_jit_comp32.c | 3 +--
+ include/linux/filter.h | 5 +++--
+ 8 files changed, 51 insertions(+), 27 deletions(-)
+
+diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
+index 72b5cd697f5d9..deeb8f292454b 100644
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -2252,28 +2252,21 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ /* If building the body of the JITed code fails somehow,
+ * we fall back to the interpretation.
+ */
+- if (build_body(&ctx) < 0) {
+- image_ptr = NULL;
+- bpf_jit_binary_free(header);
+- prog = orig_prog;
+- goto out_imms;
+- }
++ if (build_body(&ctx) < 0)
++ goto out_free;
+ build_epilogue(&ctx);
+
+ /* 3.) Extra pass to validate JITed Code */
+- if (validate_code(&ctx)) {
+- image_ptr = NULL;
+- bpf_jit_binary_free(header);
+- prog = orig_prog;
+- goto out_imms;
+- }
++ if (validate_code(&ctx))
++ goto out_free;
+ flush_icache_range((u32)header, (u32)(ctx.target + ctx.idx));
+
+ if (bpf_jit_enable > 1)
+ /* there are 2 passes here */
+ bpf_jit_dump(prog->len, image_size, 2, ctx.target);
+
+- bpf_jit_binary_lock_ro(header);
++ if (bpf_jit_binary_lock_ro(header))
++ goto out_free;
+ prog->bpf_func = (void *)ctx.target;
+ prog->jited = 1;
+ prog->jited_len = image_size;
+@@ -2290,5 +2283,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ bpf_jit_prog_release_other(prog, prog == orig_prog ?
+ tmp : orig_prog);
+ return prog;
++
++out_free:
++ image_ptr = NULL;
++ bpf_jit_binary_free(header);
++ prog = orig_prog;
++ goto out_imms;
+ }
+
+diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
+index e73323d759d0b..7dbefd4ba2107 100644
+--- a/arch/loongarch/net/bpf_jit.c
++++ b/arch/loongarch/net/bpf_jit.c
+@@ -1294,16 +1294,19 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ flush_icache_range((unsigned long)header, (unsigned long)(ctx.image + ctx.idx));
+
+ if (!prog->is_func || extra_pass) {
++ int err;
++
+ if (extra_pass && ctx.idx != jit_data->ctx.idx) {
+ pr_err_once("multi-func JIT bug %d != %d\n",
+ ctx.idx, jit_data->ctx.idx);
+- bpf_jit_binary_free(header);
+- prog->bpf_func = NULL;
+- prog->jited = 0;
+- prog->jited_len = 0;
+- goto out_offset;
++ goto out_free;
++ }
++ err = bpf_jit_binary_lock_ro(header);
++ if (err) {
++ pr_err_once("bpf_jit_binary_lock_ro() returned %d\n",
++ err);
++ goto out_free;
+ }
+- bpf_jit_binary_lock_ro(header);
+ } else {
+ jit_data->ctx = ctx;
+ jit_data->image = image_ptr;
+@@ -1334,6 +1337,13 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ out_offset = -1;
+
+ return prog;
++
++out_free:
++ bpf_jit_binary_free(header);
++ prog->bpf_func = NULL;
++ prog->jited = 0;
++ prog->jited_len = 0;
++ goto out_offset;
+ }
+
+ /* Indicate the JIT backend supports mixing bpf2bpf and tailcalls. */
+diff --git a/arch/mips/net/bpf_jit_comp.c b/arch/mips/net/bpf_jit_comp.c
+index a40d926b65139..e355dfca44008 100644
+--- a/arch/mips/net/bpf_jit_comp.c
++++ b/arch/mips/net/bpf_jit_comp.c
+@@ -1012,7 +1012,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ bpf_prog_fill_jited_linfo(prog, &ctx.descriptors[1]);
+
+ /* Set as read-only exec and flush instruction cache */
+- bpf_jit_binary_lock_ro(header);
++ if (bpf_jit_binary_lock_ro(header))
++ goto out_err;
+ flush_icache_range((unsigned long)header,
+ (unsigned long)&ctx.target[ctx.jit_index]);
+
+diff --git a/arch/parisc/net/bpf_jit_core.c b/arch/parisc/net/bpf_jit_core.c
+index d6ee2fd455503..979f45d4d1fbe 100644
+--- a/arch/parisc/net/bpf_jit_core.c
++++ b/arch/parisc/net/bpf_jit_core.c
+@@ -167,7 +167,13 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ bpf_flush_icache(jit_data->header, ctx->insns + ctx->ninsns);
+
+ if (!prog->is_func || extra_pass) {
+- bpf_jit_binary_lock_ro(jit_data->header);
++ if (bpf_jit_binary_lock_ro(jit_data->header)) {
++ bpf_jit_binary_free(jit_data->header);
++ prog->bpf_func = NULL;
++ prog->jited = 0;
++ prog->jited_len = 0;
++ goto out_offset;
++ }
+ prologue_len = ctx->epilogue_offset - ctx->body_len;
+ for (i = 0; i < prog->len; i++)
+ ctx->offset[i] += prologue_len;
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 1d168a98ae21b..4be8f5cadd026 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -2112,7 +2112,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
+ print_fn_code(jit.prg_buf, jit.size_prg);
+ }
+ if (!fp->is_func || extra_pass) {
+- bpf_jit_binary_lock_ro(header);
++ if (bpf_jit_binary_lock_ro(header)) {
++ bpf_jit_binary_free(header);
++ fp = orig_fp;
++ goto free_addrs;
++ }
+ } else {
+ jit_data->header = header;
+ jit_data->ctx = jit;
+diff --git a/arch/sparc/net/bpf_jit_comp_64.c b/arch/sparc/net/bpf_jit_comp_64.c
+index fa0759bfe498e..73bf0aea8baf1 100644
+--- a/arch/sparc/net/bpf_jit_comp_64.c
++++ b/arch/sparc/net/bpf_jit_comp_64.c
+@@ -1602,7 +1602,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ bpf_flush_icache(header, (u8 *)header + header->size);
+
+ if (!prog->is_func || extra_pass) {
+- bpf_jit_binary_lock_ro(header);
++ if (bpf_jit_binary_lock_ro(header)) {
++ bpf_jit_binary_free(header);
++ prog = orig_prog;
++ goto out_off;
++ }
+ } else {
+ jit_data->ctx = ctx;
+ jit_data->image = image_ptr;
+diff --git a/arch/x86/net/bpf_jit_comp32.c b/arch/x86/net/bpf_jit_comp32.c
+index c10083a8e68e6..de0f9e5f9f73a 100644
+--- a/arch/x86/net/bpf_jit_comp32.c
++++ b/arch/x86/net/bpf_jit_comp32.c
+@@ -2600,8 +2600,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ if (bpf_jit_enable > 1)
+ bpf_jit_dump(prog->len, proglen, pass + 1, image);
+
+- if (image) {
+- bpf_jit_binary_lock_ro(header);
++ if (image && !bpf_jit_binary_lock_ro(header)) {
+ prog->bpf_func = (void *)image;
+ prog->jited = 1;
+ prog->jited_len = proglen;
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 35791b1c61c7d..cf12bfa2a78cc 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -898,10 +898,11 @@ static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)
+ return 0;
+ }
+
+-static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
++static inline int __must_check
++bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
+ {
+ set_vm_flush_reset_perms(hdr);
+- set_memory_rox((unsigned long)hdr, hdr->size >> PAGE_SHIFT);
++ return set_memory_rox((unsigned long)hdr, hdr->size >> PAGE_SHIFT);
+ }
+
+ int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap);
+--
+2.43.0
+
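Review bot: Only the LoongArch hunk reports a failed `bpf_jit_binary_lock_ro()` (`pr_err_once("bpf_jit_binary_lock_ro() returned %d\n", err);`); the arm, mips, parisc, s390, sparc and x86-32 hunks discard the error code and fall back silently, so a failed read-only/executable transition leaves no trace for whoever later investigates why a program was not JITed. Emitting the same `pr_err_once()` on the other architectures would make the failure observable. The parisc hunk also repeats the four-line cleanup inline where arm and LoongArch use an `out_free` label. The `out_err` (mips), `free_addrs` (s390) and `out_off` (sparc) labels and the x86-32 else-path are outside the hunks, so whether `header` is released on each of those paths cannot be checked from this patch.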
diff --git a/queue-6.9/crypto-ecdh-explicitly-zeroize-private_key.patch b/queue-6.9/crypto-ecdh-explicitly-zeroize-private_key.patch
new file mode 100644
index 00000000000..d569e052261
--- /dev/null
+++ b/queue-6.9/crypto-ecdh-explicitly-zeroize-private_key.patch
@@ -0,0 +1,46 @@
+From f1c45b25f8a8a4ae19affb9272edff8b36f81b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Mar 2024 11:24:30 -0500
+Subject: crypto: ecdh - explicitly zeroize private_key
+
+From: Joachim Vandersmissen
+
+[ Upstream commit 73e5984e540a76a2ee1868b91590c922da8c24c9 ]
+
+private_key is overwritten with the key parameter passed in by the
+caller (if present), or alternatively a newly generated private key.
+However, it is possible that the caller provides a key (or the newly
+generated key) which is shorter than the previous key. In that
+scenario, some key material from the previous key would not be
+overwritten. The easiest solution is to explicitly zeroize the entire
+private_key array first.
+
+Note that this patch slightly changes the behavior of this function:
+previously, if the ecc_gen_privkey failed, the old private_key would
+remain. Now, the private_key is always zeroized. This behavior is
+consistent with the case where params.key is set and ecc_is_key_valid
+fails.
+
+Signed-off-by: Joachim Vandersmissen
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/ecdh.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/ecdh.c b/crypto/ecdh.c
+index 80afee3234fbe..3049f147e0117 100644
+--- a/crypto/ecdh.c
++++ b/crypto/ecdh.c
+@@ -33,6 +33,8 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
+ params.key_size > sizeof(u64) * ctx->ndigits)
+ return -EINVAL;
+
++ memset(ctx->private_key, 0, sizeof(ctx->private_key));
++
+ if (!params.key || !params.key_size)
+ return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
+ ctx->private_key);
+--
+2.43.0
+
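Review bot: The added `memset(ctx->private_key, 0, sizeof(ctx->private_key));` in ecdh_set_secret() wipes key material with plain memset(); the kernel's `memzero_explicit()` is the usual call for clearing secrets because the compiler may not drop it, and `memzero_explicit(ctx->private_key, sizeof(ctx->private_key));` would state the intent directly. The behaviour change described in the commit message (the old key is gone even when ecc_gen_privkey() fails) is not recorded in the code; a comment such as `/* wipe any previous, possibly longer, key before installing the new one */` would keep it next to the call. The wipe sits after the `return -EINVAL;` visible in the context, so a rejected request still leaves the previous key in place. The function body continues outside the hunk.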
diff --git a/queue-6.9/drm-amd-display-correct-hostvm-flag.patch b/queue-6.9/drm-amd-display-correct-hostvm-flag.patch
new file mode 100644
index 00000000000..ff43387c891
--- /dev/null
+++ b/queue-6.9/drm-amd-display-correct-hostvm-flag.patch
@@ -0,0 +1,42 @@
+From 8422627ac7b9be2713090fea07988038c77381ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Sep 2022 00:12:44 +0800
+Subject: drm/amd/display: correct hostvm flag
+
+From: Sherry Wang
+
+[ Upstream commit 3a13d1fddaf51b98cdba20b486cb8fd6080b71b7 ]
+
+[Why]
+Hostvm should be enabled/disabled accordding to the status of
+riommu_active, but hostvm always be disabled on DCN31 which causes
+underflow
+
+[How]
+Set correct hostvm flag on DCN31
+
+Acked-by: Wayne Lin
+Signed-off-by: Sherry Wang
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c
+index 04d142f974745..2fb1d00ff9654 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c
+@@ -892,7 +892,7 @@ static const struct dc_debug_options debug_defaults_drv = {
+ .disable_z10 = true,
+ .enable_legacy_fast_update = true,
+ .enable_z9_disable_interface = true, /* Allow support for the PMFW interface for disable Z9*/
+- .dml_hostvm_override = DML_HOSTVM_OVERRIDE_FALSE,
++ .dml_hostvm_override = DML_HOSTVM_NO_OVERRIDE,
+ .using_dml2 = false,
+ };
+
+--
+2.43.0
+
diff --git a/queue-6.9/drm-amd-display-skip-pipe-if-the-pipe-idx-not-set-pr.patch b/queue-6.9/drm-amd-display-skip-pipe-if-the-pipe-idx-not-set-pr.patch
new file mode 100644
index 00000000000..5a5710e5e04
--- /dev/null
+++ b/queue-6.9/drm-amd-display-skip-pipe-if-the-pipe-idx-not-set-pr.patch
@@ -0,0 +1,51 @@
+From 3d9701961cd33a180ec9e9f4f97ecae8f843849c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Mar 2024 18:30:26 -0400
+Subject: drm/amd/display: Skip pipe if the pipe idx not set properly
+
+From: Muhammad Ahmed
+
+[ Upstream commit af114efe8d24b5711cfbedf7180f2ac1a296c24b ]
+
+[why]
+Driver crashes when pipe idx not set properly
+
+[how]
+Add code to skip the pipe that idx not set properly
+
+Reviewed-by: Charlene Liu
+Acked-by: Tom Chung
+Signed-off-by: Muhammad Ahmed
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c
+index f15d1dbad6a96..b72ed3e78df05 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c
+@@ -327,6 +327,8 @@ void dml2_calculate_rq_and_dlg_params(const struct dc *dc, struct dc_state *cont
+ dml_pipe_idx = dml2_helper_find_dml_pipe_idx_by_stream_id(in_ctx, context->res_ctx.pipe_ctx[dc_pipe_ctx_index].stream->stream_id);
+ }
+
++ if (dml_pipe_idx == 0xFFFFFFFF)
++ continue;
+ ASSERT(in_ctx->v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_stream_id_valid[dml_pipe_idx]);
+ ASSERT(in_ctx->v20.scratch.dml_to_dc_pipe_mapping.dml_pipe_idx_to_stream_id[dml_pipe_idx] == context->res_ctx.pipe_ctx[dc_pipe_ctx_index].stream->stream_id);
+
+@@ -468,6 +470,9 @@ bool dml2_verify_det_buffer_configuration(struct dml2_context *in_ctx, struct dc
+ dml_pipe_idx = find_dml_pipe_idx_by_plane_id(in_ctx, plane_id);
+ else
+ dml_pipe_idx = dml2_helper_find_dml_pipe_idx_by_stream_id(in_ctx, display_state->res_ctx.pipe_ctx[i].stream->stream_id);
++
++ if (dml_pipe_idx == 0xFFFFFFFF)
++ continue;
+ total_det_allocated += dml_get_det_buffer_size_kbytes(&in_ctx->v20.dml_core_ctx, dml_pipe_idx);
+ if (total_det_allocated > max_det_size) {
+ need_recalculation = true;
+--
+2.43.0
+
diff --git a/queue-6.9/drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch b/queue-6.9/drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch
new file mode 100644
index 00000000000..c9652c90f0c
--- /dev/null
+++ b/queue-6.9/drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch
@@ -0,0 +1,47 @@
+From d1ddb510daca824910a44ced97da567fbbe52317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jun 2024 14:04:38 +0530
+Subject: drm/amdgpu: Fix pci state save during mode-1 reset
+
+From: Lijo Lazar
+
+[ Upstream commit 74fa02c4a5ea1ade5156a6ce494d3ea83881c2d8 ]
+
+Cache the PCI state before bus master is disabled. The saved state is
+later used for other cases like restoring config space after mode-2
+reset.
+
+Fixes: 5c03e5843e6b ("drm/amdgpu:add smu mode1/2 support for aldebaran")
+Signed-off-by: Lijo Lazar
+Reviewed-by: Feifei Xu
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 941d6e379b8a6..eb8af023326ab 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -5121,11 +5121,14 @@ int amdgpu_device_mode1_reset(struct amdgpu_device *adev)
+
+ dev_info(adev->dev, "GPU mode1 reset\n");
+
++ /* Cache the state before bus master disable. The saved config space
++ * values are used in other cases like restore after mode-2 reset.
++ */
++ amdgpu_device_cache_pci_state(adev->pdev);
++
+ /* disable BM */
+ pci_clear_master(adev->pdev);
+
+- amdgpu_device_cache_pci_state(adev->pdev);
+-
+ if (amdgpu_dpm_is_mode1_reset_supported(adev)) {
+ dev_info(adev->dev, "GPU smu mode1 reset\n");
+ ret = amdgpu_dpm_mode1_reset(adev);
+--
+2.43.0
+
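Review bot: In drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c both new checks compare `dml_pipe_idx` against the bare literal `0xFFFFFFFF`; neither the origin of that sentinel nor the type of `dml_pipe_idx` is visible in the hunks, so the checks silently depend on the lookup helpers returning exactly that value. A named constant shared with the helpers, or at least a comment such as `/* lookup helpers return 0xFFFFFFFF when no pipe matches */` (to be confirmed against the helpers), would tie the two together. In dml2_calculate_rq_and_dlg_params() the `continue` also bypasses the two ASSERT() lines and the rest of the loop body without any log, so a mis-mapped pipe is skipped without a trace. Both function bodies continue outside the hunks.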
diff --git a/queue-6.9/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch b/queue-6.9/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch
new file mode 100644
index 00000000000..a0e6ae29a48
--- /dev/null
+++ b/queue-6.9/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch
@@ -0,0 +1,54 @@
+From 0219eecb6a51371c0f08ed33a2ddf271c52b4cec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Mar 2024 17:48:39 +0200
+Subject: drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that
+ sleep
+
+From: Laurent Pinchart
+
+[ Upstream commit ee7860cd8b5763017f8dc785c2851fecb7a0c565 ]
+
+The ilitek-ili9881c controls the reset GPIO using the non-sleeping
+gpiod_set_value() function. This complains loudly when the GPIO
+controller needs to sleep. As the caller can sleep, use
+gpiod_set_value_cansleep() to fix the issue.
+
+Signed-off-by: Laurent Pinchart
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
+index 2ffe5f68a8903..4c8c317191f3c 100644
+--- a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
+@@ -1080,10 +1080,10 @@ static int ili9881c_prepare(struct drm_panel *panel)
+ msleep(5);
+
+ /* And reset it */
+- gpiod_set_value(ctx->reset, 1);
++ gpiod_set_value_cansleep(ctx->reset, 1);
+ msleep(20);
+
+- gpiod_set_value(ctx->reset, 0);
++ gpiod_set_value_cansleep(ctx->reset, 0);
+ msleep(20);
+
+ for (i = 0; i < ctx->desc->init_length; i++) {
+@@ -1138,7 +1138,7 @@ static int ili9881c_unprepare(struct drm_panel *panel)
+
+ mipi_dsi_dcs_enter_sleep_mode(ctx->dsi);
+ regulator_disable(ctx->power);
+- gpiod_set_value(ctx->reset, 1);
++ gpiod_set_value_cansleep(ctx->reset, 1);
+
+ return 0;
+ }
+--
+2.43.0
+
diff --git a/queue-6.9/drm-panel-simple-add-missing-display-timing-flags-fo.patch b/queue-6.9/drm-panel-simple-add-missing-display-timing-flags-fo.patch
new file mode 100644
index 00000000000..5d119ac29ca
--- /dev/null
+++ b/queue-6.9/drm-panel-simple-add-missing-display-timing-flags-fo.patch
@@ -0,0 +1,40 @@
+From 2a7a83b345b111b3d9a29976c695c6ae06831f81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Jun 2024 09:56:12 +0800
+Subject: drm/panel: simple: Add missing display timing flags for KOE
+ TX26D202VM0BWA
+
+From: Liu Ying
+
+[ Upstream commit 37ce99b77762256ec9fda58d58fd613230151456 ]
+
+KOE TX26D202VM0BWA panel spec indicates the DE signal is active high in
+timing chart, so add DISPLAY_FLAGS_DE_HIGH flag in display timing flags.
+This aligns display_timing with panel_desc.
+
+Fixes: 8a07052440c2 ("drm/panel: simple: Add support for KOE TX26D202VM0BWA panel")
+Signed-off-by: Liu Ying
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20240624015612.341983-1-victor.liu@nxp.com
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20240624015612.341983-1-victor.liu@nxp.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-simple.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index e8fe5a69454d0..6aac6f2accb43 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2707,6 +2707,7 @@ static const struct display_timing koe_tx26d202vm0bwa_timing = {
+ .vfront_porch = { 3, 5, 10 },
+ .vback_porch = { 2, 5, 10 },
+ .vsync_len = { 5, 5, 5 },
++ .flags = DISPLAY_FLAGS_DE_HIGH,
+ };
+
+ static const struct panel_desc koe_tx26d202vm0bwa = {
+--
+2.43.0
+
diff --git a/queue-6.9/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch b/queue-6.9/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch
new file mode 100644
index 00000000000..9ae1da6cf8b
--- /dev/null
+++ b/queue-6.9/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch
@@ -0,0 +1,79 @@
+From 35105fb6074e89a273d497978dc62de390af6e91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 30 Mar 2024 17:34:47 +0100
+Subject: drm/radeon/radeon_display: Decrease the size of allocated memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Erick Archer
+
+[ Upstream commit ae6a233092747e9652eb793d92f79d0820e01c6a ]
+
+This is an effort to get rid of all multiplications from allocation
+functions in order to prevent integer overflows [1] [2].
+
+In this case, the memory allocated to store RADEONFB_CONN_LIMIT pointers
+to "drm_connector" structures can be avoided. This is because this
+memory area is never accessed.
+
+Also, in the kzalloc function, it is preferred to use sizeof(*pointer)
+instead of sizeof(type) due to the type of the variable can change and
+one needs not change the former (unlike the latter).
+
+At the same time take advantage to remove the "#if 0" block, the code
+where the removed memory area was accessed, and the RADEONFB_CONN_LIMIT
+constant due to now is never used.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
+Link: https://github.com/KSPP/linux/issues/160 [2]
+Acked-by: Christian König
+Signed-off-by: Erick Archer
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon.h | 1 -
+ drivers/gpu/drm/radeon/radeon_display.c | 8 +-------
+ 2 files changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon.h b/drivers/gpu/drm/radeon/radeon.h
+index 3e5ff17e3cafb..0999c8eaae94a 100644
+--- a/drivers/gpu/drm/radeon/radeon.h
++++ b/drivers/gpu/drm/radeon/radeon.h
+@@ -132,7 +132,6 @@ extern int radeon_cik_support;
+ /* RADEON_IB_POOL_SIZE must be a power of 2 */
+ #define RADEON_IB_POOL_SIZE 16
+ #define RADEON_DEBUGFS_MAX_COMPONENTS 32
+-#define RADEONFB_CONN_LIMIT 4
+ #define RADEON_BIOS_NUM_SCRATCH 8
+
+ /* internal ring indices */
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index efd18c8d84c83..5f1d24d3120c4 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -683,7 +683,7 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
+ struct radeon_device *rdev = dev->dev_private;
+ struct radeon_crtc *radeon_crtc;
+
+- radeon_crtc = kzalloc(sizeof(struct radeon_crtc) + (RADEONFB_CONN_LIMIT * sizeof(struct drm_connector *)), GFP_KERNEL);
++ radeon_crtc = kzalloc(sizeof(*radeon_crtc), GFP_KERNEL);
+ if (radeon_crtc == NULL)
+ return;
+
+@@ -709,12 +709,6 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
+ dev->mode_config.cursor_width = radeon_crtc->max_cursor_width;
+ dev->mode_config.cursor_height = radeon_crtc->max_cursor_height;
+
+-#if 0
+- radeon_crtc->mode_set.crtc = &radeon_crtc->base;
+- radeon_crtc->mode_set.connectors = (struct drm_connector **)(radeon_crtc + 1);
+- radeon_crtc->mode_set.num_connectors = 0;
+-#endif
+-
+ if (rdev->is_atom_bios &&
(ASIC_IS_AVIVO(rdev) || radeon_r4xx_atom))
+ radeon_atombios_init_crtc(dev, radeon_crtc);
+ else
+--
+2.43.0
+
diff --git a/queue-6.9/drm-xe-add-a-null-check-in-xe_ttm_stolen_mgr_init.patch b/queue-6.9/drm-xe-add-a-null-check-in-xe_ttm_stolen_mgr_init.patch
new file mode 100644
index 00000000000..c06ab4ea4ed
--- /dev/null
+++ b/queue-6.9/drm-xe-add-a-null-check-in-xe_ttm_stolen_mgr_init.patch
@@ -0,0 +1,40 @@
+From 29c7e7af29fc525aa4c86d9dd89e67625c5e9445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Mar 2024 14:09:25 +0100
+Subject: drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init
+
+From: Nirmoy Das
+
+[ Upstream commit a6eff8f9c7e844cb24ccb188ca24abcd59734e74 ]
+
+Add an explicit check to ensure that the mgr is not NULL.
+
+Cc: Matthew Auld
+Signed-off-by: Nirmoy Das
+Reviewed-by: Matthew Auld
+Signed-off-by: Matthew Auld
+Link: https://patchwork.freedesktop.org/patch/msgid/20240319130925.22399-1-nirmoy.das@intel.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c b/drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c
+index 3107d2a12426c..fb35e46d68b49 100644
+--- a/drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c
++++ b/drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c
+@@ -207,6 +207,11 @@ void xe_ttm_stolen_mgr_init(struct xe_device *xe)
+ u64 stolen_size, io_size, pgsize;
+ int err;
+
++ if (!mgr) {
++ drm_dbg_kms(&xe->drm, "Stolen mgr init failed\n");
++ return;
++ }
++
+ if (IS_SRIOV_VF(xe))
+ stolen_size = 0;
+ else if (IS_DGFX(xe))
+--
+2.43.0
+
diff --git a/queue-6.9/drm-xe-check-pat.ops-before-dumping-pat-settings.patch b/queue-6.9/drm-xe-check-pat.ops-before-dumping-pat-settings.patch
new file mode 100644
index 00000000000..252854c8637
--- /dev/null
+++ b/queue-6.9/drm-xe-check-pat.ops-before-dumping-pat-settings.patch
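Review bot: The new `if (!mgr)` branch in xe_ttm_stolen_mgr_init() reports the failure only through `drm_dbg_kms()`, so nothing is logged unless KMS debugging is enabled, and because the function returns void the caller cannot tell that the stolen-memory manager was never set up. The assignment of `mgr` lies outside the hunk (presumably an allocation), and whether later users of the stolen manager tolerate its absence cannot be confirmed from here. If a message is kept, `drm_err(&xe->drm, "Stolen mgr init failed\n");` would make the condition visible, and the KMS debug category does not fit a memory-manager failure.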
@@ -0,0 +1,44 @@
+From 7dcd3711e2e8fd17526063a41ec2a4b6cc6c5386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Apr 2024 12:51:06 +0200
+Subject: drm/xe: Check pat.ops before dumping PAT settings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Wajdeczko
+
+[ Upstream commit a918e771e6fbe1fa68932af5b0cdf473e23090cc ]
+
+We may leave pat.ops unset when running on brand new platform or
+when running as a VF. While the former is unlikely, the latter
+is valid (future) use case and will cause NPD when someone will
+try to dump PAT settings by debugfs.
+
+It's better to check pointer to pat.ops instead of specific .dump
+hook, as we have this hook always defined for every .ops variant.
+
+Signed-off-by: Michal Wajdeczko
+Reviewed-by: Piotr Piórkowski
+Link: https://patchwork.freedesktop.org/patch/msgid/20240409105106.1067-2-michal.wajdeczko@intel.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/xe_pat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_pat.c b/drivers/gpu/drm/xe/xe_pat.c
+index e148934d554b0..351ab902eb600 100644
+--- a/drivers/gpu/drm/xe/xe_pat.c
++++ b/drivers/gpu/drm/xe/xe_pat.c
+@@ -457,7 +457,7 @@ void xe_pat_dump(struct xe_gt *gt, struct drm_printer *p)
+ {
+ struct xe_device *xe = gt_to_xe(gt);
+
+- if (!xe->pat.ops->dump)
++ if (!xe->pat.ops)
+ return;
+
+ xe->pat.ops->dump(gt, p);
+--
+2.43.0
+
diff --git a/queue-6.9/drm-xe-fix-potential-integer-overflow-in-page-size-c.patch b/queue-6.9/drm-xe-fix-potential-integer-overflow-in-page-size-c.patch
new file mode 100644
index 00000000000..4d25a70b66f
--- /dev/null
+++ b/queue-6.9/drm-xe-fix-potential-integer-overflow-in-page-size-c.patch
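Review bot: xe_pat_dump() now calls `xe->pat.ops->dump(gt, p)` after testing only `xe->pat.ops`, so the call depends on every ops table providing `.dump`, an invariant that is stated in the commit message but nowhere in the code. A comment above the check, for example `/* pat.ops is unset on VFs and unknown platforms; every ops table defines .dump */`, would keep a later ops variant without `.dump` from bringing the NULL dereference back on this debugfs path.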
@@ -0,0 +1,39 @@
+From 9aed6248f72c8bce02b159e960ebe09aaa2c07ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Mar 2024 17:43:41 +0100
+Subject: drm/xe: Fix potential integer overflow in page size calculation
+
+From: Nirmoy Das
+
+[ Upstream commit 4f4fcafde343a54465f85a2909fc684918507a4b ]
+
+Explicitly cast tbo->page_alignment to u64 before bit-shifting to
+prevent overflow when assigning to min_page_size.
+
+Cc: Matthew Auld
+Cc: Matthew Brost
+Signed-off-by: Nirmoy Das
+Reviewed-by: Matthew Auld
+Signed-off-by: Matthew Auld
+Link: https://patchwork.freedesktop.org/patch/msgid/20240318164342.3094-1-nirmoy.das@intel.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/xe_ttm_vram_mgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_ttm_vram_mgr.c b/drivers/gpu/drm/xe/xe_ttm_vram_mgr.c
+index 115ec745e5029..0678faf832126 100644
+--- a/drivers/gpu/drm/xe/xe_ttm_vram_mgr.c
++++ b/drivers/gpu/drm/xe/xe_ttm_vram_mgr.c
+@@ -91,7 +91,7 @@ static int xe_ttm_vram_mgr_new(struct ttm_resource_manager *man,
+
+ min_page_size = mgr->default_page_size;
+ if (tbo->page_alignment)
+- min_page_size = tbo->page_alignment << PAGE_SHIFT;
++ min_page_size = (u64)tbo->page_alignment << PAGE_SHIFT;
+
+ if (WARN_ON(min_page_size < mm->chunk_size)) {
+ err = -EINVAL;
+--
+2.43.0
+
diff --git a/queue-6.9/drm-xe-xe_devcoredump-check-null-before-assignments.patch b/queue-6.9/drm-xe-xe_devcoredump-check-null-before-assignments.patch
new file mode 100644
index 00000000000..9fa239d5908
--- /dev/null
+++ b/queue-6.9/drm-xe-xe_devcoredump-check-null-before-assignments.patch
@@ -0,0 +1,72 @@
+From 85e6bfa961da053b0446e0578c9ba7b31fefc8fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Mar 2024 18:07:39 +0530
+Subject: drm/xe/xe_devcoredump: Check NULL before assignments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Himal Prasad Ghimiray
+
+[ Upstream commit b15e65349553b1689d15fbdebea874ca5ae2274a ]
+
+Assign 'xe_devcoredump_snapshot *' and 'xe_device *' only if
+'coredump' is not NULL.
+
+v2
+- Fix commit messages.
+
+v3
+- Define variables before code.(Ashutosh/Jose)
+
+v4
+- Drop return check for coredump_to_xe. (Jose/Rodrigo)
+
+v5
+- Modify misleading commit message. (Matt)
+
+Cc: Matt Roper
+Cc: Ashutosh Dixit
+Cc: José Roberto de Souza
+Cc: Rodrigo Vivi
+Signed-off-by: Himal Prasad Ghimiray
+Reviewed-by: Rodrigo Vivi
+Reviewed-by: José Roberto de Souza
+Link: https://patchwork.freedesktop.org/patch/msgid/20240328123739.3633428-1-himal.prasad.ghimiray@intel.com
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/xe_devcoredump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c
+index 68d3d623a05bf..ccec291b02ccd 100644
+--- a/drivers/gpu/drm/xe/xe_devcoredump.c
++++ b/drivers/gpu/drm/xe/xe_devcoredump.c
+@@ -74,17 +74,19 @@ static ssize_t xe_devcoredump_read(char *buffer, loff_t offset,
+ size_t count, void *data, size_t datalen)
+ {
+ struct xe_devcoredump *coredump = data;
+- struct xe_device *xe = coredump_to_xe(coredump);
+- struct xe_devcoredump_snapshot *ss = &coredump->snapshot;
++ struct xe_device *xe;
++ struct xe_devcoredump_snapshot *ss;
+ struct drm_printer p;
+ struct drm_print_iterator iter;
+ struct timespec64 ts;
+ int i;
+
+- /* Our device is gone already...
*/
+- if (!data || !coredump_to_xe(coredump))
++ if (!coredump)
+ return -ENODEV;
+
++ xe = coredump_to_xe(coredump);
++ ss = &coredump->snapshot;
++
+ /* Ensure delayed work is captured before continuing */
+ flush_work(&ss->work);
+
+--
+2.43.0
+
diff --git a/queue-6.9/evm-enforce-signatures-on-unsupported-filesystem-for.patch b/queue-6.9/evm-enforce-signatures-on-unsupported-filesystem-for.patch
new file mode 100644
index 00000000000..753630026a9
--- /dev/null
+++ b/queue-6.9/evm-enforce-signatures-on-unsupported-filesystem-for.patch
@@ -0,0 +1,73 @@
+From 95f380374864e6d7a58c904ff677d209c0695bb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Feb 2024 12:25:11 -0500
+Subject: evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
+
+From: Stefan Berger
+
+[ Upstream commit 47add87ad181473e5ef2438918669540ba5016a6 ]
+
+Unsupported filesystems currently do not enforce any signatures. Add
+support for signature enforcement of the "original" and "portable &
+immutable" signatures when EVM_INIT_X509 is enabled.
+
+The "original" signature type contains filesystem specific metadata.
+Thus it cannot be copied up and verified. However with EVM_INIT_X509
+and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature
+may be written.
+
+When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from
+/sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not
+possible to write or remove xattrs on the overlay filesystem.
+
+This change still prevents EVM from writing HMAC signatures on
+unsupported filesystem when EVM_INIT_HMAC is enabled.
+
+Co-developed-by: Mimi Zohar
+Signed-off-by: Stefan Berger
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/evm/evm_main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
+index 81dbade5b9b3d..518b3090cdb77 100644
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -192,7 +192,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
+ iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
+ return iint->evm_status;
+
+- if (is_unsupported_fs(dentry))
++ /*
++ * On unsupported filesystems without EVM_INIT_X509 enabled, skip
++ * signature verification.
++ */
++ if (!(evm_initialized & EVM_INIT_X509) && is_unsupported_fs(dentry))
+ return INTEGRITY_UNKNOWN;
+
+ /* if status is not PASS, try to check again - against -ENOMEM */
+@@ -260,7 +264,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
+ evm_status = INTEGRITY_PASS_IMMUTABLE;
+ } else if (!IS_RDONLY(inode) &&
+ !(inode->i_sb->s_readonly_remount) &&
+- !IS_IMMUTABLE(inode)) {
++ !IS_IMMUTABLE(inode) &&
++ !is_unsupported_fs(dentry)) {
+ evm_update_evmxattr(dentry, xattr_name,
+ xattr_value,
+ xattr_value_len);
+@@ -418,9 +423,6 @@ enum integrity_status evm_verifyxattr(struct dentry *dentry,
+ if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
+ return INTEGRITY_UNKNOWN;
+
+- if (is_unsupported_fs(dentry))
+- return INTEGRITY_UNKNOWN;
+-
+ return evm_verify_hmac(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ }
+--
+2.43.0
+
diff --git a/queue-6.9/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch b/queue-6.9/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch
new file mode 100644
index 00000000000..96bf8c87350
--- /dev/null
+++ b/queue-6.9/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch
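Review bot: The new guard in evm_verify_hmac() keys only on `EVM_INIT_X509`, so once an X.509 key is loaded every xattr type found on an unsupported filesystem continues into verification, not only the "original" and "portable & immutable" signatures that the commit message names. The type switch lies outside these hunks, so what status an HMAC xattr receives there cannot be confirmed from here, and the added comment should state the intended outcome. I would extend it with a line such as `* With EVM_INIT_X509 set, verification proceeds; HMAC xattrs are never rewritten here (see the evm_update_evmxattr() condition below).` Since the early return in evm_verifyxattr() is removed in the third hunk, this guard is now the only place that policy is expressed.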
@@ -0,0 +1,60 @@
+From c8445e507a29bc0a76175f1b5f51926b248feaea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Mar 2024 15:51:59 +0100
+Subject: gfs2: Fix NULL pointer dereference in gfs2_log_flush
+
+From: Andreas Gruenbacher
+
+[ Upstream commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828 ]
+
+In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush
+lock to provide exclusion against gfs2_log_flush().
+
+In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before
+dereferencing it. Otherwise, we could run into a NULL pointer
+dereference when outstanding glock work races with an unmount
+(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->
+gfs2_log_flush).
+
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/log.c | 3 ++-
+ fs/gfs2/super.c | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index 8cddf955ebc0c..a6dd68b458cec 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -1108,7 +1108,8 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+ lops_before_commit(sdp, tr);
+ if (gfs2_withdrawing_or_withdrawn(sdp))
+ goto out_withdraw;
+- gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
++ if (sdp->sd_jdesc)
++ gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
+ if (gfs2_withdrawing_or_withdrawn(sdp))
+ goto out_withdraw;
+
+diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
+index 2d780b4701a23..ee61fcb7f200d 100644
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -67,9 +67,13 @@ void gfs2_jindex_free(struct gfs2_sbd *sdp)
+ sdp->sd_journals = 0;
+ spin_unlock(&sdp->sd_jindex_spin);
+
++ down_write(&sdp->sd_log_flush_lock);
+ sdp->sd_jdesc = NULL;
++ up_write(&sdp->sd_log_flush_lock);
++
+ while (!list_empty(&list)) {
+ jd = list_first_entry(&list, struct gfs2_jdesc, jd_list);
++ BUG_ON(jd->jd_log_bio);
+ gfs2_free_journal_extents(jd);
+ list_del(&jd->jd_list);
+ iput(jd->jd_inode);
+--
+2.43.0
+
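Review bot: The added `if (sdp->sd_jdesc)` in gfs2_log_flush() guards only the gfs2_log_submit_bio() call, and the flush then carries on with the rest of the function, which lies outside the hunk; if anything later on that path dereferences `sdp->sd_jdesc`, the race described in the commit message is only moved, so it is worth confirming or leaving the flush early when the pointer is NULL. The test and the dereference read `sdp->sd_jdesc` separately, which is safe only while `sd_log_flush_lock` is held; a comment such as `/* sd_jdesc is cleared under sd_log_flush_lock, held here */` would record that. In gfs2_jindex_free(), `BUG_ON(jd->jd_log_bio)` halts the machine during unmount; if continuing is acceptable, `WARN_ON_ONCE(jd->jd_log_bio)` reports the same condition without taking the system down.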
diff --git a/queue-6.9/gpio-davinci-validate-the-obtained-number-of-irqs.patch b/queue-6.9/gpio-davinci-validate-the-obtained-number-of-irqs.patch
new file mode 100644
index 00000000000..bb9be43003c
--- /dev/null
+++ b/queue-6.9/gpio-davinci-validate-the-obtained-number-of-irqs.patch
@@ -0,0 +1,47 @@
+From b08e75275cce5d855545f748f6035bee126b479f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jun 2024 17:43:44 +0300
+Subject: gpio: davinci: Validate the obtained number of IRQs
+
+From: Aleksandr Mishin
+
+[ Upstream commit 7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164 ]
+
+Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken
+DT due to any error this value can be any. Without this value validation
+there can be out of chips->irqs array boundaries access in
+davinci_gpio_probe().
+
+Validate the obtained nirq value so that it won't exceed the maximum
+number of IRQs per bank.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: eb3744a2dd01 ("gpio: davinci: Do not assume continuous IRQ numbering")
+Signed-off-by: Aleksandr Mishin
+Link: https://lore.kernel.org/r/20240618144344.16943-1-amishin@t-argos.ru
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpio-davinci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c
+index bb499e3629125..1d0175d6350b7 100644
+--- a/drivers/gpio/gpio-davinci.c
++++ b/drivers/gpio/gpio-davinci.c
+@@ -225,6 +225,11 @@ static int davinci_gpio_probe(struct platform_device *pdev)
+ else
+ nirq = DIV_ROUND_UP(ngpio, 16);
+
++ if (nirq > MAX_INT_PER_BANK) {
++ dev_err(dev, "Too many IRQs!\n");
++ return -EINVAL;
++ }
++
+ chips = devm_kzalloc(dev, sizeof(*chips), GFP_KERNEL);
+ if (!chips)
+ return -ENOMEM;
+--
+2.43.0
+
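Review bot: The new bound in davinci_gpio_probe() rejects an oversized IRQ count, but `dev_err(dev, "Too many IRQs!\n")` prints neither the value nor the limit, which makes a broken Device Tree harder to diagnose. Including `nirq` and `MAX_INT_PER_BANK` in the message would help; the declaration of `nirq` is outside the hunk, so the format specifier has to follow its type. A short comment above the check, for example `/* nirq bounds the chips->irqs[] accesses later in probe */`, would tie the test to the array that the commit message says it protects.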
diff --git a/queue-6.9/gpiolib-cdev-disallow-reconfiguration-without-direct.patch b/queue-6.9/gpiolib-cdev-disallow-reconfiguration-without-direct.patch
new file mode 100644
index 00000000000..df0704424b6
--- /dev/null
+++ b/queue-6.9/gpiolib-cdev-disallow-reconfiguration-without-direct.patch
@@ -0,0 +1,88 @@
+From d0c68147529bf1fbf1ebf384c85b6f683cb079c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Jun 2024 13:29:22 +0800
+Subject: gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)
+
+From: Kent Gibson
+
+[ Upstream commit 9919cce62f68e6ab68dc2a975b5dc670f8ca7d40 ]
+
+linehandle_set_config() behaves badly when direction is not set.
+The configuration validation is borrowed from linehandle_create(), where,
+to verify the intent of the user, the direction must be set to in order
+to effect a change to the electrical configuration of a line. But, when
+applied to reconfiguration, that validation does not allow for the unset
+direction case, making it possible to clear flags set previously without
+specifying the line direction.
+
+Adding to the inconsistency, those changes are not immediately applied by
+linehandle_set_config(), but will take effect when the line value is next
+get or set.
+
+For example, by requesting a configuration with no flags set, an output
+line with GPIOHANDLE_REQUEST_ACTIVE_LOW and GPIOHANDLE_REQUEST_OPEN_DRAIN
+requested could have those flags cleared, inverting the sense of the line
+and changing the line drive to push-pull on the next line value set.
+
+Ensure the intent of the user by disallowing configurations which do not
+have direction set, returning an error to userspace to indicate that the
+configuration is invalid.
+
+And, for clarity, use lflags, a local copy of gcnf.flags, throughout when
+dealing with the requested flags, rather than a mixture of both.
+
+Fixes: e588bb1eae31 ("gpio: add new SET_CONFIG ioctl() to gpio chardev")
+Signed-off-by: Kent Gibson
+Link: https://lore.kernel.org/r/20240626052925.174272-2-warthog618@gmail.com
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpiolib-cdev.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index 9dad67ea25974..04261adf320b8 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -89,6 +89,10 @@ struct linehandle_state {
+ GPIOHANDLE_REQUEST_OPEN_DRAIN | \
+ GPIOHANDLE_REQUEST_OPEN_SOURCE)
+
++#define GPIOHANDLE_REQUEST_DIRECTION_FLAGS \
++ (GPIOHANDLE_REQUEST_INPUT | \
++ GPIOHANDLE_REQUEST_OUTPUT)
++
+ static int linehandle_validate_flags(u32 flags)
+ {
+ /* Return an error if an unknown flag is set */
+@@ -169,21 +173,21 @@ static long linehandle_set_config(struct linehandle_state *lh,
+ if (ret)
+ return ret;
+
++ /* Lines must be reconfigured explicitly as input or output. */
++ if (!(lflags & GPIOHANDLE_REQUEST_DIRECTION_FLAGS))
++ return -EINVAL;
++
+ for (i = 0; i < lh->num_descs; i++) {
+ desc = lh->descs[i];
+- linehandle_flags_to_desc_flags(gcnf.flags, &desc->flags);
++ linehandle_flags_to_desc_flags(lflags, &desc->flags);
+
+- /*
+- * Lines have to be requested explicitly for input
+- * or output, else the line will be treated "as is".
+- */
+ if (lflags & GPIOHANDLE_REQUEST_OUTPUT) {
+ int val = !!gcnf.default_values[i];
+
+ ret = gpiod_direction_output(desc, val);
+ if (ret)
+ return ret;
+- } else if (lflags & GPIOHANDLE_REQUEST_INPUT) {
++ } else {
+ ret = gpiod_direction_input(desc);
+ if (ret)
+ return ret;
+--
+2.43.0
+
diff --git a/queue-6.9/gpiolib-cdev-ignore-reconfiguration-without-directio.patch b/queue-6.9/gpiolib-cdev-ignore-reconfiguration-without-directio.patch
new file mode 100644
index 00000000000..f8b0382834a
--- /dev/null
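Review bot: In linehandle_set_config() the loop rewrites `desc->flags` through linehandle_flags_to_desc_flags() before calling gpiod_direction_output() or gpiod_direction_input() and returns as soon as one of them fails, so a failing request leaves earlier lines reconfigured and the failing line with new flags but its old direction. Userspace receives an error yet cannot tell which lines changed. The loop continues outside the hunk, so any rollback there is not visible; if there is none, a comment stating that reconfiguration is not atomic would at least document it. The same pattern is visible in linereq_set_config() in the following patch. The bare `else` that now selects input relies on the direction check added above the loop and deserves a comment such as `/* input: a direction flag is guaranteed by the check above */`.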
+++ b/queue-6.9/gpiolib-cdev-ignore-reconfiguration-without-directio.patch 
@@ -0,0 +1,73 @@
+From 1eb6d71d441d2959ea98e7fc42cc310f6af90e24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Jun 2024 13:29:23 +0800
+Subject: gpiolib: cdev: Ignore reconfiguration without direction
+
+From: Kent Gibson
+
+[ Upstream commit b440396387418fe2feaacd41ca16080e7a8bc9ad ]
+
+linereq_set_config() behaves badly when direction is not set.
+The configuration validation is borrowed from linereq_create(), where,
+to verify the intent of the user, the direction must be set to in order to
+effect a change to the electrical configuration of a line. But, when
+applied to reconfiguration, that validation does not allow for the unset
+direction case, making it possible to clear flags set previously without
+specifying the line direction.
+
+Adding to the inconsistency, those changes are not immediately applied by
+linereq_set_config(), but will take effect when the line value is next get
+or set.
+
+For example, by requesting a configuration with no flags set, an output
+line with GPIO_V2_LINE_FLAG_ACTIVE_LOW and GPIO_V2_LINE_FLAG_OPEN_DRAIN
+set could have those flags cleared, inverting the sense of the line and
+changing the line drive to push-pull on the next line value set.
+
+Skip the reconfiguration of lines for which the direction is not set, and
+only reconfigure the lines for which direction is set.
+
+Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL")
+Signed-off-by: Kent Gibson
+Link: https://lore.kernel.org/r/20240626052925.174272-3-warthog618@gmail.com
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpiolib-cdev.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index 04261adf320b8..5639abce6ec57 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -1534,12 +1534,14 @@ static long linereq_set_config(struct linereq *lr, void __user *ip)
+ line = &lr->lines[i];
+ desc = lr->lines[i].desc;
+ flags = gpio_v2_line_config_flags(&lc, i);
+- gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags);
+- edflags = flags & GPIO_V2_LINE_EDGE_DETECTOR_FLAGS;
+ /*
+- * Lines have to be requested explicitly for input
+- * or output, else the line will be treated "as is".
++ * Lines not explicitly reconfigured as input or output
++ * are left unchanged.
+ */
++ if (!(flags & GPIO_V2_LINE_DIRECTION_FLAGS))
++ continue;
++ gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags);
++ edflags = flags & GPIO_V2_LINE_EDGE_DETECTOR_FLAGS;
+ if (flags & GPIO_V2_LINE_FLAG_OUTPUT) {
+ int val = gpio_v2_line_config_output_value(&lc, i);
+
+@@ -1547,7 +1549,7 @@ static long linereq_set_config(struct linereq *lr, void __user *ip)
+ ret = gpiod_direction_output(desc, val);
+ if (ret)
+ return ret;
+- } else if (flags & GPIO_V2_LINE_FLAG_INPUT) {
++ } else {
+ ret = gpiod_direction_input(desc);
+ if (ret)
+ return ret;
+--
+2.43.0
+
diff --git a/queue-6.9/iommu-amd-fix-gt-feature-enablement-again.patch b/queue-6.9/iommu-amd-fix-gt-feature-enablement-again.patch
new file mode 100644
index 00000000000..064d8b957de
--- /dev/null
+++ b/queue-6.9/iommu-amd-fix-gt-feature-enablement-again.patch
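Review bot: Lines without a direction flag are now skipped with `continue` in linereq_set_config(), and because the skip sits above the `edflags` assignment, a request that changes only other attributes of such a line is dropped without any indication to the caller. This differs from the v1 ioctl in the previous patch, which returns -EINVAL for the same input. The new comment says the lines "are left unchanged"; I would add that the ioctl does not report the skipped lines, for example `* are left unchanged; the request is not rejected for them.` The loop body continues outside the hunk.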
@@ -0,0 +1,54 @@
+From feda8a588e9d026f68b89fc5f1921b92153cb544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Jun 2024 10:15:33 +0000
+Subject: iommu/amd: Fix GT feature enablement again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vasant Hegde
+
+[ Upstream commit 150bdf5f8d8f805d70bebbbfd07697bd2416771a ]
+
+Current code configures GCR3 even when device is attached to identity
+domain. So that we can support SVA with identity domain. This means in
+attach device path it updates Guest Translation related bits in DTE.
+
+Commit de111f6b4f6a ("iommu/amd: Enable Guest Translation after reading
+IOMMU feature register") missed to enable Control[GT] bit in resume
+path. Its causing certain laptop to fail to resume after suspend.
+
+This is because we have inconsistency between between control register
+(GT is disabled) and DTE (where we have enabled guest translation related
+bits) in resume path. And IOMMU hardware throws ILLEGAL_DEV_TABLE_ENTRY.
+
+Fix it by enabling GT bit in resume path.
+
+Reported-by: Błażej Szczygieł
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218975
+Fixes: de111f6b4f6a ("iommu/amd: Enable Guest Translation after reading IOMMU feature register")
+Tested-by: Błażej Szczygieł
+Signed-off-by: Vasant Hegde
+Reviewed-by: Jerry Snitselaar
+Link: https://lore.kernel.org/r/20240621101533.20216-1-vasant.hegde@amd.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd/init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index e740dc54c4685..21798a0fa9268 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -2784,6 +2784,7 @@ static void early_enable_iommu(struct amd_iommu *iommu)
+ iommu_enable_command_buffer(iommu);
+ iommu_enable_event_buffer(iommu);
+ iommu_set_exclusion_range(iommu);
++ iommu_enable_gt(iommu);
+ iommu_enable_ga(iommu);
+ iommu_enable_xt(iommu);
+ iommu_enable_irtcachedis(iommu);
+--
+2.43.0
+
diff --git a/queue-6.9/iommu-amd-introduce-per-device-dte-update-function.patch b/queue-6.9/iommu-amd-introduce-per-device-dte-update-function.patch
new file mode 100644
index 00000000000..1d176254590
--- /dev/null
+++ b/queue-6.9/iommu-amd-introduce-per-device-dte-update-function.patch
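Review bot: The added `iommu_enable_gt(iommu)` call in early_enable_iommu() carries no comment, and the reason it must be here is not obvious from the code: per the commit message this function also runs on resume, and Control[GT] has to agree with the guest-translation bits already present in the device table entries or the hardware raises ILLEGAL_DEV_TABLE_ENTRY. A comment above the call, for example `/* Control[GT] must match the GT bits in the DTEs, including on resume */`, would keep the call from being dropped again, which is what the commit named in the Fixes tag did. early_enable_iommu() starts and ends outside the hunk.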
@@ -0,0 +1,91 @@
+From 0ae75037cf1bdae312432501c6de7c89799ef2f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Apr 2024 10:33:47 +0000
+Subject: iommu/amd: Introduce per device DTE update function
+
+From: Vasant Hegde
+
+[ Upstream commit c5ebd09625391000026b0860952e05d0f7fc4519 ]
+
+Consolidate per device update and flush logic into separate function.
+Also make it as global function as it will be used in subsequent series
+to update the DTE.
+
+Signed-off-by: Vasant Hegde
+Reviewed-by: Jason Gunthorpe
+Link: https://lore.kernel.org/r/20240418103400.6229-3-vasant.hegde@amd.com
+Signed-off-by: Joerg Roedel
+Stable-dep-of: c362f32a59a8 ("iommu/amd: Invalidate cache before removing device from domain list")
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd/amd_iommu.h | 1 +
+ drivers/iommu/amd/iommu.c | 26 ++++++++++++++++++--------
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/iommu/amd/amd_iommu.h b/drivers/iommu/amd/amd_iommu.h
+index f482aab420f78..95a161fdbae2c 100644
+--- a/drivers/iommu/amd/amd_iommu.h
++++ b/drivers/iommu/amd/amd_iommu.h
+@@ -56,6 +56,7 @@ int amd_iommu_clear_gcr3(struct iommu_dev_data *dev_data, ioasid_t pasid);
+ void amd_iommu_flush_all_caches(struct amd_iommu *iommu);
+ void amd_iommu_update_and_flush_device_table(struct protection_domain *domain);
+ void amd_iommu_domain_update(struct protection_domain *domain);
++void amd_iommu_dev_update_dte(struct iommu_dev_data *dev_data, bool set);
+ void amd_iommu_domain_flush_complete(struct protection_domain *domain);
+ void amd_iommu_domain_flush_pages(struct protection_domain *domain,
+ u64 address, size_t size);
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index fb727f5b0b82d..d19a12a158085 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2002,6 +2002,21 @@ static void clear_dte_entry(struct amd_iommu *iommu, u16 devid)
+ amd_iommu_apply_erratum_63(iommu, devid);
+ }
+
++/* Update and flush DTE
for the given device */
++void amd_iommu_dev_update_dte(struct iommu_dev_data *dev_data, bool set)
++{
++ struct amd_iommu *iommu = get_amd_iommu_from_dev(dev_data->dev);
++
++ if (set)
++ set_dte_entry(iommu, dev_data);
++ else
++ clear_dte_entry(iommu, dev_data->devid);
++
++ clone_aliases(iommu, dev_data->dev);
++ device_flush_dte(dev_data);
++ iommu_completion_wait(iommu);
++}
++
+ static int do_attach(struct iommu_dev_data *dev_data,
+ struct protection_domain *domain)
+ {
+@@ -2036,10 +2051,7 @@ static int do_attach(struct iommu_dev_data *dev_data,
+ }
+
+ /* Update device table */
+- set_dte_entry(iommu, dev_data);
+- clone_aliases(iommu, dev_data->dev);
+-
+- device_flush_dte(dev_data);
++ amd_iommu_dev_update_dte(dev_data, true);
+
+ return ret;
+ }
+@@ -2058,11 +2070,9 @@ static void do_detach(struct iommu_dev_data *dev_data)
+ /* Update data structures */
+ dev_data->domain = NULL;
+ list_del(&dev_data->list);
+- clear_dte_entry(iommu, dev_data->devid);
+- clone_aliases(iommu, dev_data->dev);
+
+- /* Flush the DTE entry */
+- device_flush_dte(dev_data);
++ /* Clear DTE and flush the entry */
++ amd_iommu_dev_update_dte(dev_data, false);
+
+ /* Flush IOTLB and wait for the flushes to finish */
+ amd_iommu_domain_flush_all(domain);
+--
+2.43.0
+
diff --git a/queue-6.9/iommu-amd-invalidate-cache-before-removing-device-fr.patch b/queue-6.9/iommu-amd-invalidate-cache-before-removing-device-fr.patch
new file mode 100644
index 00000000000..2de59d311fd
--- /dev/null
+++ b/queue-6.9/iommu-amd-invalidate-cache-before-removing-device-fr.patch
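Review bot: amd_iommu_dev_update_dte() ends with `iommu_completion_wait(iommu)`, which is not among the lines removed from do_attach() or do_detach(), so the consolidation also adds a synchronous wait to every attach and detach, and neither the commit message nor the one-line header comment mentions it. The comment also leaves the `set` parameter undocumented. I would expand it to say that `set` selects set_dte_entry() over clear_dte_entry(), that aliases are cloned and the DTE flushed, and that the function waits for the flush to complete before returning. The helper obtains the IOMMU with get_amd_iommu_from_dev(dev_data->dev), while do_detach() in the following patch's context uses get_amd_iommu_from_dev_data(dev_data); using one accessor for both would be clearer.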
@@ -0,0 +1,73 @@
+From 87c5fa4ce9c8ed264aaec20f6b3c6b74373b1ba2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jun 2024 06:05:52 +0000
+Subject: iommu/amd: Invalidate cache before removing device from domain list
+
+From: Vasant Hegde
+
+[ Upstream commit c362f32a59a84fe4453abecc6b53f5f70894a6d5 ]
+
+Commit 87a6f1f22c97 ("iommu/amd: Introduce per-device domain ID to fix
+potential TLB aliasing issue") introduced per device domain ID when
+domain is configured with v2 page table. And in invalidation path, it
+uses per device structure (dev_data->gcr3_info.domid) to get the domain ID.
+
+In detach_device() path, current code tries to invalidate IOMMU cache
+after removing dev_data from domain device list. This means when domain
+is configured with v2 page table, amd_iommu_domain_flush_all() will not be
+able to invalidate cache as device is already removed from domain device
+list.
+
+This is causing change domain tests (changing domain type from identity to DMA)
+to fail with IO_PAGE_FAULT issue.
+
+Hence invalidate cache and update DTE before updating data structures.
+
+Reported-by: FahHean Lee
+Reported-by: Dheeraj Kumar Srivastava
+Fixes: 87a6f1f22c97 ("iommu/amd: Introduce per-device domain ID to fix potential TLB aliasing issue")
+Tested-by: Dheeraj Kumar Srivastava
+Tested-by: Sairaj Arun Kodilkar
+Tested-by: FahHean Lee
+Signed-off-by: Vasant Hegde
+Reviewed-by: Jerry Snitselaar
+Link: https://lore.kernel.org/r/20240620060552.13984-1-vasant.hegde@amd.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd/iommu.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index d19a12a158085..e2b900ffbc158 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2061,6 +2061,12 @@ static void do_detach(struct iommu_dev_data *dev_data)
+ struct protection_domain *domain = dev_data->domain;
+ struct amd_iommu *iommu = get_amd_iommu_from_dev_data(dev_data);
+
++ /* Clear DTE and flush the entry */
++ amd_iommu_dev_update_dte(dev_data, false);
++
++ /* Flush IOTLB and wait for the flushes to finish */
++ amd_iommu_domain_flush_all(domain);
++
+ /* Clear GCR3 table */
+ if (domain->pd_mode == PD_MODE_V2) {
+ update_gcr3(dev_data, 0, 0, false);
+@@ -2071,12 +2077,6 @@ static void do_detach(struct iommu_dev_data *dev_data)
+ dev_data->domain = NULL;
+ list_del(&dev_data->list);
+
+- /* Clear DTE and flush the entry */
+- amd_iommu_dev_update_dte(dev_data, false);
+-
+- /* Flush IOTLB and wait for the flushes to finish */
+- amd_iommu_domain_flush_all(domain);
+-
+ /* decrease reference counters - needs to happen after the flushes */
+ domain->dev_iommu[iommu->index] -= 1;
+ domain->dev_cnt -= 1;
+--
+2.43.0
+
diff --git a/queue-6.9/iommu-arm-smmu-v3-do-not-allow-a-sva-domain-to-be-se.patch b/queue-6.9/iommu-arm-smmu-v3-do-not-allow-a-sva-domain-to-be-se.patch
new file mode 100644
index 00000000000..3b8be8e5854
--- /dev/null
+++ b/queue-6.9/iommu-arm-smmu-v3-do-not-allow-a-sva-domain-to-be-se.patch
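Review bot: The reordering in do_detach() makes the position of the two moved calls load-bearing, yet the comments that moved with them do not say why they must precede `list_del(&dev_data->list)`. According to the commit message, amd_iommu_domain_flush_all() reaches the per-device domain ID through the domain's device list when the v2 page table is in use, so a flush issued after the removal misses this device and stale translations remain. A comment above the flush, for example `/* Must run while dev_data is still on the domain's device list */`, would protect the ordering against a later cleanup. The flush now also runs before the GCR3 table is cleared in the `PD_MODE_V2` branch, which is only partly visible here, so whether that branch needs a flush of its own is worth confirming.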
@@ -0,0 +1,42 @@
+From 5963468907186c606939084f277b849c58d8f7c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Mar 2024 15:07:49 -0300
+Subject: iommu/arm-smmu-v3: Do not allow a SVA domain to be set on the wrong
+ PASID
+
+From: Jason Gunthorpe
+
+[ Upstream commit fdc69d39e77f88264ee6e8174ff9aaf0953aecd9 ]
+
+The SVA code is wired to assume that the SVA is programmed onto the
+mm->pasid. The current core code always does this, so it is fine.
+
+Add a check for clarity.
+
+Tested-by: Nicolin Chen
+Tested-by: Shameer Kolothum
+Signed-off-by: Jason Gunthorpe
+Link: https://lore.kernel.org/r/3-v6-228e7adf25eb+4155-smmuv3_newapi_p2_jgg@nvidia.com
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
+index 2cd433a9c8a0f..41b44baef15e8 100644
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c
+@@ -569,6 +569,9 @@ static int arm_smmu_sva_set_dev_pasid(struct iommu_domain *domain,
+ int ret = 0;
+ struct mm_struct *mm = domain->mm;
+
++ if (mm_get_enqcmd_pasid(mm) != id)
++ return -EINVAL;
++
+ mutex_lock(&sva_lock);
+ ret = __arm_smmu_sva_bind(dev, id, mm);
+ mutex_unlock(&sva_lock);
+--
+2.43.0
+
diff --git a/queue-6.9/irqchip-loongson-select-generic_irq_effective_aff_ma.patch b/queue-6.9/irqchip-loongson-select-generic_irq_effective_aff_ma.patch
new file mode 100644
index 00000000000..42be1902180
--- /dev/null
+++ b/queue-6.9/irqchip-loongson-select-generic_irq_effective_aff_ma.patch
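Review bot: The new guard in arm_smmu_sva_set_dev_pasid() returns -EINVAL without saying which assumption it protects. The commit message explains that the SVA code assumes the domain is programmed onto the mm's own PASID and that the core currently always does so; a one-line comment at the check, such as `/* The SVA bind below assumes id is the PASID assigned to domain->mm */`, would make that invariant visible to whoever changes the core later. The function continues outside the hunk.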
@@ -0,0 +1,40 @@
+From 1187c4c94610b158b88288e64108a6ac8e6dc4a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Mar 2024 20:11:29 +0800
+Subject: irqchip/loongson: Select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP for
+ IRQ_LOONGARCH_CPU
+
+From: Tiezhu Yang
+
+[ Upstream commit 42a7d887664b02a747ef5d479f6fd01081564af8 ]
+
+An interrupt's effective affinity can only be different from its configured
+affinity if there are multiple CPUs. Make it clear that this option is only
+meaningful when SMP is enabled. Otherwise, there exists "WARNING: unmet
+direct dependencies detected for GENERIC_IRQ_EFFECTIVE_AFF_MASK" when make
+menuconfig if CONFIG_SMP is not set on LoongArch.
+
+Signed-off-by: Tiezhu Yang
+Signed-off-by: Thomas Gleixner
+Link: https://lore.kernel.org/r/20240326121130.16622-3-yangtiezhu@loongson.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
+index 72c07a12f5e18..bfa1d77749f3e 100644
+--- a/drivers/irqchip/Kconfig
++++ b/drivers/irqchip/Kconfig
+@@ -568,7 +568,7 @@ config IRQ_LOONGARCH_CPU
+ bool
+ select GENERIC_IRQ_CHIP
+ select IRQ_DOMAIN
+- select GENERIC_IRQ_EFFECTIVE_AFF_MASK
++ select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP
+ select LOONGSON_HTVEC
+ select LOONGSON_LIOINTC
+ select LOONGSON_EIOINTC
+--
+2.43.0
+
diff --git a/queue-6.9/md-fix-overflow-in-is_mddev_idle.patch b/queue-6.9/md-fix-overflow-in-is_mddev_idle.patch
new file mode 100644
index 00000000000..98b00605b42
--- /dev/null
+++ b/queue-6.9/md-fix-overflow-in-is_mddev_idle.patch
@@ -0,0 +1,104 @@ +From 4a45a13010724614f33c9096cee4a1ee19955aa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jan 2024 11:19:45 +0800 +Subject: md: Fix overflow in is_mddev_idle + +From: Li Nan + +[ Upstream commit 3f9f231236ce7e48780d8a4f1f8cb9fae2df1e4e ] + +UBSAN reports this problem: + + UBSAN: Undefined behaviour in drivers/md/md.c:8175:15 + signed integer overflow: + -2147483291 - 2072033152 cannot be represented in type 'int' + Call trace: + dump_backtrace+0x0/0x310 + show_stack+0x28/0x38 + dump_stack+0xec/0x15c + ubsan_epilogue+0x18/0x84 + handle_overflow+0x14c/0x19c + __ubsan_handle_sub_overflow+0x34/0x44 + is_mddev_idle+0x338/0x3d8 + md_do_sync+0x1bb8/0x1cf8 + md_thread+0x220/0x288 + kthread+0x1d8/0x1e0 + ret_from_fork+0x10/0x18 + +'curr_events' will overflow when stat accum or 'sync_io' is greater than +INT_MAX. + +Fix it by changing sync_io, last_events and curr_events to 64bit. + +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/20240117031946.2324519-2-linan666@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 7 ++++--- + drivers/md/md.h | 4 ++-- + include/linux/blkdev.h | 2 +- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index e575e74aabf5e..c88b50a4be82f 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8576,14 +8576,15 @@ static int is_mddev_idle(struct mddev *mddev, int init) + { + struct md_rdev *rdev; + int idle; +- int curr_events; ++ long long curr_events; + + idle = 1; + rcu_read_lock(); + rdev_for_each_rcu(rdev, mddev) { + struct gendisk *disk = rdev->bdev->bd_disk; +- curr_events = (int)part_stat_read_accum(disk->part0, sectors) - +- atomic_read(&disk->sync_io); ++ curr_events = ++ (long long)part_stat_read_accum(disk->part0, sectors) - ++ atomic64_read(&disk->sync_io); + /* sync IO will cause sync_io to increase before the disk_stats + * as sync_io is counted when a request starts, and + * 
disk_stats is counted when it completes. +diff --git a/drivers/md/md.h b/drivers/md/md.h +index 097d9dbd69b83..d0db98c0d33be 100644 +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -51,7 +51,7 @@ struct md_rdev { + + sector_t sectors; /* Device size (in 512bytes sectors) */ + struct mddev *mddev; /* RAID array if running */ +- int last_events; /* IO event timestamp */ ++ long long last_events; /* IO event timestamp */ + + /* + * If meta_bdev is non-NULL, it means that a separate device is +@@ -621,7 +621,7 @@ extern void mddev_unlock(struct mddev *mddev); + + static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors) + { +- atomic_add(nr_sectors, &bdev->bd_disk->sync_io); ++ atomic64_add(nr_sectors, &bdev->bd_disk->sync_io); + } + + static inline void md_sync_acct_bio(struct bio *bio, unsigned long nr_sectors) +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 00e62b81a7363..a28cccd15f753 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -174,7 +174,7 @@ struct gendisk { + struct list_head slave_bdevs; + #endif + struct timer_rand_state *random; +- atomic_t sync_io; /* RAID */ ++ atomic64_t sync_io; /* RAID */ + struct disk_events *ev; + + #ifdef CONFIG_BLK_DEV_ZONED +-- +2.43.0 + diff --git a/queue-6.9/media-dvbdev-initialize-sbuf.patch b/queue-6.9/media-dvbdev-initialize-sbuf.patch new file mode 100644 index 00000000000..a911312f6e3 --- /dev/null +++ b/queue-6.9/media-dvbdev-initialize-sbuf.patch 
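Review bot: In is_mddev_idle() the left operand still comes from part_stat_read_accum(), whose counters are presumably `unsigned long`, while sync_io becomes a 64-bit atomic. On a 32-bit kernel the accumulated sector count would then still wrap at 2^32 while sync_io no longer does, so curr_events can step backwards and the comparison against last_events (outside this hunk) may report the array as idle for a long stretch; the old all-`int` arithmetic at least wrapped consistently on both sides. It is worth confirming the 32-bit behaviour, and also that `atomic64_add()` in md_sync_acct() is acceptable on architectures without native 64-bit atomics, where it may be considerably more expensive than `atomic_add()`.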
@@ -0,0 +1,42 @@
+From 00b48a1a24602a90295eec5233b80cbf7935e389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Mar 2024 14:50:25 +0000
+Subject: media: dvbdev: Initialize sbuf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo Ribalda
+
+[ Upstream commit 17d1316de0d7dc1bdc5d6e3ad4efd30a9bf1a381 ]
+
+Because the size passed to copy_from_user() cannot be known beforehand,
+it needs to be checked during runtime with check_object_size. That makes
+gcc believe that the content of sbuf can be used before init.
+
+Fix:
+./include/linux/thread_info.h:215:17: warning: ‘sbuf’ may be used uninitialized [-Wmaybe-uninitialized]
+
+Signed-off-by: Ricardo Ribalda
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 733d0bc4b4cc3..b43695bc51e75 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -956,7 +956,7 @@ int dvb_usercopy(struct file *file,
+ int (*func)(struct file *file,
+ unsigned int cmd, void *arg))
+ {
+- char sbuf[128];
++ char sbuf[128] = {};
+ void *mbuf = NULL;
+ void *parg = NULL;
+ int err = -EINVAL;
+--
+2.43.0
+
diff --git a/queue-6.9/mtd-partitions-redboot-added-conversion-of-operands-.patch b/queue-6.9/mtd-partitions-redboot-added-conversion-of-operands-.patch
new file mode 100644
index 00000000000..47521c9aea1
--- /dev/null
+++ b/queue-6.9/mtd-partitions-redboot-added-conversion-of-operands-.patch
@@ -0,0 +1,40 @@
+From 602064648a9b8a5b2a8f2d0b178b6d0e452a26b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Mar 2024 12:37:58 +0300
+Subject: mtd: partitions: redboot: Added conversion of operands to a larger
+ type
+
+From: Denis Arefev
+
+[ Upstream commit 1162bc2f8f5de7da23d18aa4b7fbd4e93c369c50 ]
+
+The value of an arithmetic expression directory * master->erasesize is
+subject to overflow due to a failure to cast operands to a larger data
+type before perfroming arithmetic
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Denis Arefev
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20240315093758.20790-1-arefev@swemel.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/parsers/redboot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
+index a16b42a885816..3b55b676ca6b9 100644
+--- a/drivers/mtd/parsers/redboot.c
++++ b/drivers/mtd/parsers/redboot.c
+@@ -102,7 +102,7 @@ static int parse_redboot_partitions(struct mtd_info *master,
+ offset -= master->erasesize;
+ }
+ } else {
+- offset = directory * master->erasesize;
++ offset = (unsigned long) directory * master->erasesize;
+ while (mtd_block_isbad(master, offset)) {
+ offset += master->erasesize;
+ if (offset == master->size)
+--
+2.43.0
+
diff --git a/queue-6.9/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch b/queue-6.9/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch
new file mode 100644
index 00000000000..cf0f6840457
--- /dev/null
+++ b/queue-6.9/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch
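Review bot: The added cast `(unsigned long) directory` widens nothing on 32-bit targets, where unsigned long is as wide as int, so the product with master->erasesize can still wrap there despite the patch title. If offset (declared outside the hunk) is, or can be made, a 64-bit type, `offset = (u64)directory * master->erasesize;` gives the wider multiply on every architecture. If it has to stay unsigned long, checking the result against master->size before entering the mtd_block_isbad() loop would at least reject a wrapped value instead of probing an unintended block.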
@@ -0,0 +1,72 @@ +From be31f38286c0a8ac2dce8b4788d5ecd9bdd8bfbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 13:34:41 +0800 +Subject: net/dpaa2: Avoid explicit cpumask var allocation on stack + +From: Dawei Li + +[ Upstream commit d33fe1714a44ff540629b149d8fab4ac6967585c ] + +For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask +variable on stack is not recommended since it can cause potential stack +overflow. + +Instead, kernel code should always use *cpumask_var API(s) to allocate +cpumask var in config-neutral way, leaving allocation strategy to +CONFIG_CPUMASK_OFFSTACK. + +Use *cpumask_var API(s) to address it. + +Signed-off-by: Dawei Li +Link: https://lore.kernel.org/r/20240331053441.1276826-3-dawei.li@shingroup.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +index 888509cf1f210..40e8818295951 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -2896,11 +2896,14 @@ static int dpaa2_eth_xdp_xmit(struct net_device *net_dev, int n, + static int update_xps(struct dpaa2_eth_priv *priv) + { + struct net_device *net_dev = priv->net_dev; +- struct cpumask xps_mask; +- struct dpaa2_eth_fq *fq; + int i, num_queues, netdev_queues; ++ struct dpaa2_eth_fq *fq; ++ cpumask_var_t xps_mask; + int err = 0; + ++ if (!alloc_cpumask_var(&xps_mask, GFP_KERNEL)) ++ return -ENOMEM; ++ + num_queues = dpaa2_eth_queue_count(priv); + netdev_queues = (net_dev->num_tc ? 
: 1) * num_queues; + +@@ -2910,16 +2913,17 @@ static int update_xps(struct dpaa2_eth_priv *priv) + for (i = 0; i < netdev_queues; i++) { + fq = &priv->fq[i % num_queues]; + +- cpumask_clear(&xps_mask); +- cpumask_set_cpu(fq->target_cpu, &xps_mask); ++ cpumask_clear(xps_mask); ++ cpumask_set_cpu(fq->target_cpu, xps_mask); + +- err = netif_set_xps_queue(net_dev, &xps_mask, i); ++ err = netif_set_xps_queue(net_dev, xps_mask, i); + if (err) { + netdev_warn_once(net_dev, "Error setting XPS queue\n"); + break; + } + } + ++ free_cpumask_var(xps_mask); + return err; + } + +-- +2.43.0 + diff --git a/queue-6.9/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch b/queue-6.9/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch new file mode 100644 index 00000000000..8f21c53c1d6 --- /dev/null +++ b/queue-6.9/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch 
@@ -0,0 +1,85 @@ +From 0c92ad72dec5df02ab660cf8588e655a4871e296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Mar 2024 13:34:40 +0800 +Subject: net/iucv: Avoid explicit cpumask var allocation on stack + +From: Dawei Li + +[ Upstream commit be4e1304419c99a164b4c0e101c7c2a756b635b9 ] + +For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask +variable on stack is not recommended since it can cause potential stack +overflow. + +Instead, kernel code should always use *cpumask_var API(s) to allocate +cpumask var in config-neutral way, leaving allocation strategy to +CONFIG_CPUMASK_OFFSTACK. + +Use *cpumask_var API(s) to address it. + +Signed-off-by: Dawei Li +Reviewed-by: Alexandra Winter +Link: https://lore.kernel.org/r/20240331053441.1276826-2-dawei.li@shingroup.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/iucv/iucv.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index a4ab615ca3e3e..5e37a8ceebcb8 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -520,7 +520,7 @@ static void iucv_setmask_mp(void) + */ + static void iucv_setmask_up(void) + { +- cpumask_t cpumask; ++ static cpumask_t cpumask; + int cpu; + + /* Disable all cpu but the first in cpu_irq_cpumask. */ +@@ -628,23 +628,33 @@ static int iucv_cpu_online(unsigned int cpu) + + static int iucv_cpu_down_prep(unsigned int cpu) + { +- cpumask_t cpumask; ++ cpumask_var_t cpumask; ++ int ret = 0; + + if (!iucv_path_table) + return 0; + +- cpumask_copy(&cpumask, &iucv_buffer_cpumask); +- cpumask_clear_cpu(cpu, &cpumask); +- if (cpumask_empty(&cpumask)) ++ if (!alloc_cpumask_var(&cpumask, GFP_KERNEL)) ++ return -ENOMEM; ++ ++ cpumask_copy(cpumask, &iucv_buffer_cpumask); ++ cpumask_clear_cpu(cpu, cpumask); ++ if (cpumask_empty(cpumask)) { + /* Can't offline last IUCV enabled cpu. 
*/ +- return -EINVAL; ++ ret = -EINVAL; ++ goto __free_cpumask; ++ } + + iucv_retrieve_cpu(NULL); + if (!cpumask_empty(&iucv_irq_cpumask)) +- return 0; ++ goto __free_cpumask; ++ + smp_call_function_single(cpumask_first(&iucv_buffer_cpumask), + iucv_allow_cpu, NULL, 1); +- return 0; ++ ++__free_cpumask: ++ free_cpumask_var(cpumask); ++ return ret; + } + + /** +-- +2.43.0 + diff --git a/queue-6.9/nfsd-initialise-nfsd_info.mutex-early.patch b/queue-6.9/nfsd-initialise-nfsd_info.mutex-early.patch new file mode 100644 index 00000000000..3859c958587 --- /dev/null +++ b/queue-6.9/nfsd-initialise-nfsd_info.mutex-early.patch 
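Review bot: Making `cpumask` a `static cpumask_t` in iucv_setmask_up() turns a per-call scratch variable into state shared by every caller, and nothing in the hunk says what serializes them. If the callers already hold a mutex or the CPU hotplug lock (not visible here), a comment such as `/* static to keep it off the stack; callers are serialized by <lock> */` should say so; otherwise this site needs the same alloc_cpumask_var() treatment that iucv_cpu_down_prep() gets. Separately, iucv_cpu_down_prep() can now fail with -ENOMEM and so veto a CPU offline under memory pressure, and the label `__free_cpumask` uses a double-underscore prefix where kernel code usually writes something like `out_free`.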
@@ -0,0 +1,55 @@ +From 7e2d4d473f49d08644c538518f72ced06023e407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2024 09:04:56 +1000 +Subject: nfsd: initialise nfsd_info.mutex early. + +From: NeilBrown + +[ Upstream commit e0011bca603c101f2a3c007bdb77f7006fa78fb1 ] + +nfsd_info.mutex can be dereferenced by svc_pool_stats_start() +immediately after the new netns is created. Currently this can +trigger an oops. + +Move the initialisation earlier before it can possibly be dereferenced. + +Fixes: 7b207ccd9833 ("svc: don't hold reference for poolstats, only mutex.") +Reported-by: Sourabh Jain +Closes: https://lore.kernel.org/all/c2e9f6de-1ec4-4d3a-b18d-d5a6ec0814a0@linux.ibm.com/ +Signed-off-by: NeilBrown +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfsctl.c | 2 ++ + fs/nfsd/nfssvc.c | 1 - + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index 4d23bb1d08c0a..332847daa1b41 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1679,6 +1679,8 @@ static __net_init int nfsd_net_init(struct net *net) + nn->nfsd_svcstats.program = &nfsd_program; + nn->nfsd_versions = NULL; + nn->nfsd4_minorversions = NULL; ++ nn->nfsd_info.mutex = &nfsd_mutex; ++ nn->nfsd_serv = NULL; + nfsd4_init_leases_net(nn); + get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key)); + seqlock_init(&nn->writeverf_lock); +diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c +index c0d17b92b249f..f23b00cb9f631 100644 +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -673,7 +673,6 @@ int nfsd_create_serv(struct net *net) + return error; + } + spin_lock(&nfsd_notifier_lock); +- nn->nfsd_info.mutex = &nfsd_mutex; + nn->nfsd_serv = serv; + spin_unlock(&nfsd_notifier_lock); + +-- +2.43.0 + diff --git a/queue-6.9/nvme-fixup-comment-for-nvme-rdma-provider-type.patch b/queue-6.9/nvme-fixup-comment-for-nvme-rdma-provider-type.patch new file mode 100644 index 00000000000..8c0df7ac69f 
--- /dev/null +++ b/queue-6.9/nvme-fixup-comment-for-nvme-rdma-provider-type.patch @@ -0,0 +1,38 @@ +From dc3bea538d3805d8084684b45188420a172d51ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 09:27:27 +0200 +Subject: nvme: fixup comment for nvme RDMA Provider Type + +From: Hannes Reinecke + +[ Upstream commit f80a55fa90fa76d01e3fffaa5d0413e522ab9a00 ] + +PRTYPE is the provider type, not the QP service type. + +Fixes: eb793e2c9286 ("nvme.h: add NVMe over Fabrics definitions") +Signed-off-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + include/linux/nvme.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/nvme.h b/include/linux/nvme.h +index 4255732022953..69ac2abf8acfe 100644 +--- a/include/linux/nvme.h ++++ b/include/linux/nvme.h +@@ -87,8 +87,8 @@ enum { + NVMF_RDMA_QPTYPE_DATAGRAM = 2, /* Reliable Datagram */ + }; + +-/* RDMA QP Service Type codes for Discovery Log Page entry TSAS +- * RDMA_QPTYPE field ++/* RDMA Provider Type codes for Discovery Log Page entry TSAS ++ * RDMA_PRTYPE field + */ + enum { + NVMF_RDMA_PRTYPE_NOT_SPECIFIED = 1, /* No Provider Specified */ +-- +2.43.0 + diff --git a/queue-6.9/nvmet-do-not-return-reserved-for-empty-tsas-values.patch b/queue-6.9/nvmet-do-not-return-reserved-for-empty-tsas-values.patch new file mode 100644 index 00000000000..639f5fe7e4b --- /dev/null +++ b/queue-6.9/nvmet-do-not-return-reserved-for-empty-tsas-values.patch 
@@ -0,0 +1,40 @@
+From c1fafd32a1bbaf5c25f1b29953361c4155027bf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jun 2024 09:27:26 +0200
+Subject: nvmet: do not return 'reserved' for empty TSAS values
+
+From: Hannes Reinecke
+
+[ Upstream commit f31e85a4d7c6ac4a3e014129c9cdc31592ea29f3 ]
+
+The 'TSAS' value is only defined for TCP and RDMA, but returning
+'reserved' for undefined values tricked nvmetcli to try to write
+'reserved' when restoring from a config file. This caused an error
+and the configuration would not be applied.
+
+Fixes: 3f123494db72 ("nvmet: make TCP sectype settable via configfs")
+Signed-off-by: Hannes Reinecke
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Chaitanya Kulkarni
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/configfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
+index dfdff6aba6953..c9640e6d10cab 100644
+--- a/drivers/nvme/target/configfs.c
++++ b/drivers/nvme/target/configfs.c
+@@ -410,7 +410,7 @@ static ssize_t nvmet_addr_tsas_show(struct config_item *item,
+ return sprintf(page, "%s\n", nvmet_addr_tsas_rdma[i].name);
+ }
+ }
+- return sprintf(page, "reserved\n");
++ return sprintf(page, "\n");
+ }
+
+ static ssize_t nvmet_addr_tsas_store(struct config_item *item,
+--
+2.43.0
+
diff --git a/queue-6.9/nvmet-make-tsas-attribute-idempotent-for-rdma.patch b/queue-6.9/nvmet-make-tsas-attribute-idempotent-for-rdma.patch
new file mode 100644
index 00000000000..a94f527b931
--- /dev/null
+++ b/queue-6.9/nvmet-make-tsas-attribute-idempotent-for-rdma.patch
@@ -0,0 +1,107 @@ +From 9d98081975c3faf60081c65f831dbcf9d3cce4a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 09:27:28 +0200 +Subject: nvmet: make 'tsas' attribute idempotent for RDMA + +From: Hannes Reinecke + +[ Upstream commit 0f1f5803920d2a6b88bee950914fd37421e17170 ] + +The RDMA transport defines values for TSAS, but it cannot be changed as +we only support the 'connected' mode. +So to avoid errors during reconfiguration we should allow to write the +current value. + +Fixes: 3f123494db72 ("nvmet: make TCP sectype settable via configfs") +Signed-off-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/configfs.c | 39 ++++++++++++++++++++++++++-------- + include/linux/nvme.h | 2 ++ + 2 files changed, 32 insertions(+), 9 deletions(-) + +diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c +index c9640e6d10cab..d80c3b93d6ce9 100644 +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -413,25 +413,46 @@ static ssize_t nvmet_addr_tsas_show(struct config_item *item, + return sprintf(page, "\n"); + } + ++static u8 nvmet_addr_tsas_rdma_store(const char *page) ++{ ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(nvmet_addr_tsas_rdma); i++) { ++ if (sysfs_streq(page, nvmet_addr_tsas_rdma[i].name)) ++ return nvmet_addr_tsas_rdma[i].type; ++ } ++ return NVMF_RDMA_QPTYPE_INVALID; ++} ++ ++static u8 nvmet_addr_tsas_tcp_store(const char *page) ++{ ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(nvmet_addr_tsas_tcp); i++) { ++ if (sysfs_streq(page, nvmet_addr_tsas_tcp[i].name)) ++ return nvmet_addr_tsas_tcp[i].type; ++ } ++ return NVMF_TCP_SECTYPE_INVALID; ++} ++ + static ssize_t nvmet_addr_tsas_store(struct config_item *item, + const char *page, size_t count) + { + struct nvmet_port *port = to_nvmet_port(item); + u8 treq = nvmet_port_disc_addr_treq_mask(port); +- u8 sectype; +- int i; ++ u8 sectype, qptype; + + if 
(nvmet_is_port_enabled(port, __func__)) + return -EACCES; + +- if (port->disc_addr.trtype != NVMF_TRTYPE_TCP) +- return -EINVAL; +- +- for (i = 0; i < ARRAY_SIZE(nvmet_addr_tsas_tcp); i++) { +- if (sysfs_streq(page, nvmet_addr_tsas_tcp[i].name)) { +- sectype = nvmet_addr_tsas_tcp[i].type; ++ if (port->disc_addr.trtype == NVMF_TRTYPE_RDMA) { ++ qptype = nvmet_addr_tsas_rdma_store(page); ++ if (qptype == port->disc_addr.tsas.rdma.qptype) ++ return count; ++ } else if (port->disc_addr.trtype == NVMF_TRTYPE_TCP) { ++ sectype = nvmet_addr_tsas_tcp_store(page); ++ if (sectype != NVMF_TCP_SECTYPE_INVALID) + goto found; +- } + } + + pr_err("Invalid value '%s' for tsas\n", page); +diff --git a/include/linux/nvme.h b/include/linux/nvme.h +index 69ac2abf8acfe..c693ac344ec05 100644 +--- a/include/linux/nvme.h ++++ b/include/linux/nvme.h +@@ -85,6 +85,7 @@ enum { + enum { + NVMF_RDMA_QPTYPE_CONNECTED = 1, /* Reliable Connected */ + NVMF_RDMA_QPTYPE_DATAGRAM = 2, /* Reliable Datagram */ ++ NVMF_RDMA_QPTYPE_INVALID = 0xff, + }; + + /* RDMA Provider Type codes for Discovery Log Page entry TSAS +@@ -110,6 +111,7 @@ enum { + NVMF_TCP_SECTYPE_NONE = 0, /* No Security */ + NVMF_TCP_SECTYPE_TLS12 = 1, /* TLSv1.2, NVMe-oF 1.1 and NVMe-TCP 3.6.1.1 */ + NVMF_TCP_SECTYPE_TLS13 = 2, /* TLSv1.3, NVMe-oF 1.1 and NVMe-TCP 3.6.1.1 */ ++ NVMF_TCP_SECTYPE_INVALID = 0xff, + }; + + #define NVME_AQ_DEPTH 32 +-- +2.43.0 + diff --git a/queue-6.9/randomize_kstack-remove-non-functional-per-arch-entr.patch b/queue-6.9/randomize_kstack-remove-non-functional-per-arch-entr.patch new file mode 100644 index 00000000000..4f5342acd0b --- /dev/null +++ b/queue-6.9/randomize_kstack-remove-non-functional-per-arch-entr.patch 
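Review bot: NVMF_RDMA_QPTYPE_INVALID and NVMF_TCP_SECTYPE_INVALID are added to enums whose other members are commented and appear to be on-wire codes for the discovery log entry, yet the two 0xff sentinels carry no comment. A note on each, such as `/* internal "no match" marker for configfs parsing, not a protocol value */`, would keep them from being mistaken for spec-defined codes, assuming that is the intent. The new helpers nvmet_addr_tsas_rdma_store() and nvmet_addr_tsas_tcp_store() only map a string to a type and store nothing, so a `_lookup` or `_parse` suffix would read better next to the real configfs `_store` callback.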
@@ -0,0 +1,121 @@ +From d6d5c8193d0d20ebe3118aaacb3a935f7b98944f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2024 14:47:15 -0700 +Subject: randomize_kstack: Remove non-functional per-arch entropy filtering + +From: Kees Cook + +[ Upstream commit 6db1208bf95b4c091897b597c415e11edeab2e2d ] + +An unintended consequence of commit 9c573cd31343 ("randomize_kstack: +Improve entropy diffusion") was that the per-architecture entropy size +filtering reduced how many bits were being added to the mix, rather than +how many bits were being used during the offsetting. All architectures +fell back to the existing default of 0x3FF (10 bits), which will consume +at most 1KiB of stack space. It seems that this is working just fine, +so let's avoid the confusion and update everything to use the default. + +The prior intent of the per-architecture limits were: + + arm64: capped at 0x1FF (9 bits), 5 bits effective + powerpc: uncapped (10 bits), 6 or 7 bits effective + riscv: uncapped (10 bits), 6 bits effective + x86: capped at 0xFF (8 bits), 5 (x86_64) or 6 (ia32) bits effective + s390: capped at 0xFF (8 bits), undocumented effective entropy + +Current discussion has led to just dropping the original per-architecture +filters. The additional entropy appears to be safe for arm64, x86, +and s390. Quoting Arnd, "There is no point pretending that 15.75KB is +somehow safe to use while 15.00KB is not." 
+ +Co-developed-by: Yuntao Liu +Signed-off-by: Yuntao Liu +Fixes: 9c573cd31343 ("randomize_kstack: Improve entropy diffusion") +Link: https://lore.kernel.org/r/20240617133721.377540-1-liuyuntao12@huawei.com +Reviewed-by: Arnd Bergmann +Acked-by: Mark Rutland +Acked-by: Heiko Carstens # s390 +Link: https://lore.kernel.org/r/20240619214711.work.953-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/syscall.c | 16 +++++++--------- + arch/s390/include/asm/entry-common.h | 2 +- + arch/x86/include/asm/entry-common.h | 15 ++++++--------- + 3 files changed, 14 insertions(+), 19 deletions(-) + +diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c +index ad198262b9817..7230f6e20ab8b 100644 +--- a/arch/arm64/kernel/syscall.c ++++ b/arch/arm64/kernel/syscall.c +@@ -53,17 +53,15 @@ static void invoke_syscall(struct pt_regs *regs, unsigned int scno, + syscall_set_return_value(current, regs, 0, ret); + + /* +- * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), +- * but not enough for arm64 stack utilization comfort. To keep +- * reasonable stack head room, reduce the maximum offset to 9 bits. ++ * This value will get limited by KSTACK_OFFSET_MAX(), which is 10 ++ * bits. The actual entropy will be further reduced by the compiler ++ * when applying stack alignment constraints: the AAPCS mandates a ++ * 16-byte aligned SP at function boundaries, which will remove the ++ * 4 low bits from any entropy chosen here. + * +- * The actual entropy will be further reduced by the compiler when +- * applying stack alignment constraints: the AAPCS mandates a +- * 16-byte (i.e. 4-bit) aligned SP at function boundaries. +- * +- * The resulting 5 bits of entropy is seen in SP[8:4]. ++ * The resulting 6 bits of entropy is seen in SP[9:4]. 
+ */ +- choose_random_kstack_offset(get_random_u16() & 0x1FF); ++ choose_random_kstack_offset(get_random_u16()); + } + + static inline bool has_syscall_work(unsigned long flags) +diff --git a/arch/s390/include/asm/entry-common.h b/arch/s390/include/asm/entry-common.h +index 7f5004065e8aa..35555c9446308 100644 +--- a/arch/s390/include/asm/entry-common.h ++++ b/arch/s390/include/asm/entry-common.h +@@ -54,7 +54,7 @@ static __always_inline void arch_exit_to_user_mode(void) + static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs, + unsigned long ti_work) + { +- choose_random_kstack_offset(get_tod_clock_fast() & 0xff); ++ choose_random_kstack_offset(get_tod_clock_fast()); + } + + #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare +diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/entry-common.h +index 7e523bb3d2d31..fb2809b20b0ac 100644 +--- a/arch/x86/include/asm/entry-common.h ++++ b/arch/x86/include/asm/entry-common.h +@@ -73,19 +73,16 @@ static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs, + #endif + + /* +- * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), +- * but not enough for x86 stack utilization comfort. To keep +- * reasonable stack head room, reduce the maximum offset to 8 bits. +- * +- * The actual entropy will be further reduced by the compiler when +- * applying stack alignment constraints (see cc_stack_align4/8 in ++ * This value will get limited by KSTACK_OFFSET_MAX(), which is 10 ++ * bits. The actual entropy will be further reduced by the compiler ++ * when applying stack alignment constraints (see cc_stack_align4/8 in + * arch/x86/Makefile), which will remove the 3 (x86_64) or 2 (ia32) + * low bits from any entropy chosen here. + * +- * Therefore, final stack offset entropy will be 5 (x86_64) or +- * 6 (ia32) bits. ++ * Therefore, final stack offset entropy will be 7 (x86_64) or ++ * 8 (ia32) bits. 
+ */ +- choose_random_kstack_offset(rdtsc() & 0xFF); ++ choose_random_kstack_offset(rdtsc()); + } + #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare + +-- +2.43.0 + diff --git a/queue-6.9/rdma-restrack-fix-potential-invalid-address-access.patch b/queue-6.9/rdma-restrack-fix-potential-invalid-address-access.patch new file mode 100644 index 00000000000..9e81c8cd9b8 --- /dev/null +++ b/queue-6.9/rdma-restrack-fix-potential-invalid-address-access.patch 
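Review bot: The s390 hunk drops the `& 0xff` mask in arch_exit_to_user_mode_prepare() but, unlike the arm64 and x86 hunks, leaves no comment saying where the value is bounded or how much entropy survives. A comment such as `/* Limited later by KSTACK_OFFSET_MAX() (10 bits); effective entropy after stack alignment is not documented for s390 */` would match the other two call sites and the commit message. It would also help to state at one of these sites that passing the unmasked value is safe only because the bound is applied when the offset is used, since that is the guarantee the removed per-architecture masks were meant to provide.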
@@ -0,0 +1,104 @@ +From 85492d38524796ba4135bfdcc292167edc667975 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 17:23:20 +0800 +Subject: RDMA/restrack: Fix potential invalid address access + +From: Wenchao Hao + +[ Upstream commit ca537a34775c103f7b14d7bbd976403f1d1525d8 ] + +struct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME +in ib_create_cq(), while if the module exited but forgot del this +rdma_restrack_entry, it would cause a invalid address access in +rdma_restrack_clean() when print the owner of this rdma_restrack_entry. + +These code is used to help find one forgotten PD release in one of the +ULPs. But it is not needed anymore, so delete them. + +Signed-off-by: Wenchao Hao +Link: https://lore.kernel.org/r/20240318092320.1215235-1-haowenchao2@huawei.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/restrack.c | 51 +----------------------------- + 1 file changed, 1 insertion(+), 50 deletions(-) + +diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c +index 01a499a8b88db..438ed35881752 100644 +--- a/drivers/infiniband/core/restrack.c ++++ b/drivers/infiniband/core/restrack.c +@@ -37,22 +37,6 @@ int rdma_restrack_init(struct ib_device *dev) + return 0; + } + +-static const char *type2str(enum rdma_restrack_type type) +-{ +- static const char * const names[RDMA_RESTRACK_MAX] = { +- [RDMA_RESTRACK_PD] = "PD", +- [RDMA_RESTRACK_CQ] = "CQ", +- [RDMA_RESTRACK_QP] = "QP", +- [RDMA_RESTRACK_CM_ID] = "CM_ID", +- [RDMA_RESTRACK_MR] = "MR", +- [RDMA_RESTRACK_CTX] = "CTX", +- [RDMA_RESTRACK_COUNTER] = "COUNTER", +- [RDMA_RESTRACK_SRQ] = "SRQ", +- }; +- +- return names[type]; +-}; +- + /** + * rdma_restrack_clean() - clean resource tracking + * @dev: IB device +@@ -60,47 +44,14 @@ static const char *type2str(enum rdma_restrack_type type) + void rdma_restrack_clean(struct ib_device *dev) + { + struct rdma_restrack_root *rt = dev->res; +- struct rdma_restrack_entry 
*e; +- char buf[TASK_COMM_LEN]; +- bool found = false; +- const char *owner; + int i; + + for (i = 0 ; i < RDMA_RESTRACK_MAX; i++) { + struct xarray *xa = &dev->res[i].xa; + +- if (!xa_empty(xa)) { +- unsigned long index; +- +- if (!found) { +- pr_err("restrack: %s", CUT_HERE); +- dev_err(&dev->dev, "BUG: RESTRACK detected leak of resources\n"); +- } +- xa_for_each(xa, index, e) { +- if (rdma_is_kernel_res(e)) { +- owner = e->kern_name; +- } else { +- /* +- * There is no need to call get_task_struct here, +- * because we can be here only if there are more +- * get_task_struct() call than put_task_struct(). +- */ +- get_task_comm(buf, e->task); +- owner = buf; +- } +- +- pr_err("restrack: %s %s object allocated by %s is not freed\n", +- rdma_is_kernel_res(e) ? "Kernel" : +- "User", +- type2str(e->type), owner); +- } +- found = true; +- } ++ WARN_ON(!xa_empty(xa)); + xa_destroy(xa); + } +- if (found) +- pr_err("restrack: %s", CUT_HERE); +- + kfree(rt); + } + +-- +2.43.0 + diff --git a/queue-6.9/risc-v-fix-vector-insn-load-store-width-mask.patch b/queue-6.9/risc-v-fix-vector-insn-load-store-width-mask.patch new file mode 100644 index 00000000000..04b76f67f2d --- /dev/null +++ b/queue-6.9/risc-v-fix-vector-insn-load-store-width-mask.patch 
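Review bot: rdma_restrack_clean() now reports a leaked entry only through `WARN_ON(!xa_empty(xa));`, which loses the resource type from the output and, on systems running with panic_on_warn, turns a leak found at device teardown into a panic where the old code only logged. If the backtrace is wanted but the escalation is not, a `dev_err(&dev->dev, ...)` that prints the index `i` would keep the type information without touching e->kern_name, the pointer the commit is avoiding. If the WARN is intentional, `WARN_ON_ONCE(!xa_empty(xa));` would at least keep the loop from emitting one splat per resource type.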
@@ -0,0 +1,38 @@
+From 8dcfd02f47acbd98f2cb04cc2e3e1a24b2de013d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jun 2024 14:28:00 -0400
+Subject: RISC-V: fix vector insn load/store width mask
+
+From: Jesse Taube
+
+[ Upstream commit 04a2aef59cfe192aa99020601d922359978cc72a ]
+
+RVFDQ_FL_FS_WIDTH_MASK should be 3 bits [14-12], shifted down by 12 bits.
+Replace GENMASK(3, 0) with GENMASK(2, 0).
+
+Fixes: cd054837243b ("riscv: Allocate user's vector context in the first-use trap")
+Signed-off-by: Jesse Taube
+Reviewed-by: Charlie Jenkins
+Link: https://lore.kernel.org/r/20240606182800.415831-1-jesse@rivosinc.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/include/asm/insn.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/insn.h b/arch/riscv/include/asm/insn.h
+index 06e439eeef9ad..09fde95a5e8f7 100644
+--- a/arch/riscv/include/asm/insn.h
++++ b/arch/riscv/include/asm/insn.h
+@@ -145,7 +145,7 @@
+
+ /* parts of opcode for RVF, RVD and RVQ */
+ #define RVFDQ_FL_FS_WIDTH_OFF 12
+-#define RVFDQ_FL_FS_WIDTH_MASK GENMASK(3, 0)
++#define RVFDQ_FL_FS_WIDTH_MASK GENMASK(2, 0)
+ #define RVFDQ_FL_FS_WIDTH_W 2
+ #define RVFDQ_FL_FS_WIDTH_D 3
+ #define RVFDQ_LS_FS_WIDTH_Q 4
+--
+2.43.0
+
diff --git a/queue-6.9/riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch b/queue-6.9/riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch
new file mode 100644
index 00000000000..1dddef08662
--- /dev/null
+++ b/queue-6.9/riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch
@@ -0,0 +1,44 @@
+From 9eb0f502e2a7a3b950ded48e33152d20eb735615 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jun 2024 15:11:06 +0800
+Subject: riscv: stacktrace: convert arch_stack_walk() to noinstr
+
+From: Andy Chiu
+
+[ Upstream commit 23b2188920a25e88d447dd7d819a0b0f62fb4455 ]
+
+arch_stack_walk() is called intensively in function_graph when the
+kernel is compiled with CONFIG_TRACE_IRQFLAGS. As a result, the kernel
+logs a lot of arch_stack_walk and its sub-functions into the ftrace
+buffer. However, these functions should not appear on the trace log
+because they are part of the ftrace itself. This patch references what
+arm64 does for the smae function. So it further prevent the re-enter
+kprobe issue, which is also possible on riscv.
+
+Related-to: commit 0fbcd8abf337 ("arm64: Prohibit instrumentation on arch_stack_walk()")
+Fixes: 680341382da5 ("riscv: add CALLER_ADDRx support")
+Signed-off-by: Andy Chiu
+Reviewed-by: Alexandre Ghiti
+Link: https://lore.kernel.org/r/20240613-dev-andyc-dyn-ftrace-v4-v1-1-1a538e12c01e@sifive.com
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
+index 528ec7cc9a622..0d3f00eb0baee 100644
+--- a/arch/riscv/kernel/stacktrace.c
++++ b/arch/riscv/kernel/stacktrace.c
+@@ -156,7 +156,7 @@ unsigned long __get_wchan(struct task_struct *task)
+ return pc;
+ }
+
+-noinline void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie,
++noinline noinstr void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie,
+ struct task_struct *task, struct pt_regs *regs)
+ {
+ walk_stackframe(task, regs, consume_entry, cookie);
+--
+2.43.0
+
diff --git a/queue-6.9/series b/queue-6.9/series
index fa31a56c966..cdad06adc4f 100644
--- a/queue-6.9/series
+++ b/queue-6.9/series
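Review bot: `noinstr` is applied only to arch_stack_walk(), but the body's single statement calls walk_stackframe(), which is defined outside this hunk. Unless that callee is itself excluded from instrumentation or always inlined, traceable and probeable code is still reached from the noinstr function, and the kprobe re-entry concern in the description stays open for it. Confirm its annotation, and add a one-line comment above the function so the attribute is not dropped later, e.g. `/* noinstr: runs on tracing paths, must not be traced or probed itself */`.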
@@ -62,3 +62,50 @@ af_unix-don-t-stop-recv-msg_dontwait-if-consumed-oob.patch af_unix-don-t-stop-recv-at-consumed-ex-oob-skb.patch af_unix-fix-wrong-ioctl-siocatmark-when-consumed-oob.patch net-mana-fix-possible-double-free-in-error-handling-.patch +bpf-take-return-from-set_memory_ro-into-account-with.patch +bpf-take-return-from-set_memory_rox-into-account-wit.patch +drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch +drm-xe-fix-potential-integer-overflow-in-page-size-c.patch +vduse-validate-block-features-only-with-block-device.patch +vduse-temporarily-fail-if-control-queue-feature-requ.patch +x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch +drm-xe-add-a-null-check-in-xe_ttm_stolen_mgr_init.patch +drm-amd-display-correct-hostvm-flag.patch +mtd-partitions-redboot-added-conversion-of-operands-.patch +wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch +drm-amd-display-skip-pipe-if-the-pipe-idx-not-set-pr.patch +bpf-add-a-check-for-struct-bpf_fib_lookup-size.patch +bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch +drm-xe-xe_devcoredump-check-null-before-assignments.patch +rdma-restrack-fix-potential-invalid-address-access.patch +net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch +net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch +wifi-rtw89-download-firmware-with-five-times-retry.patch +crypto-ecdh-explicitly-zeroize-private_key.patch +alsa-emux-improve-patch-ioctl-data-validation.patch +media-dvbdev-initialize-sbuf.patch +md-fix-overflow-in-is_mddev_idle.patch +irqchip-loongson-select-generic_irq_effective_aff_ma.patch +iommu-arm-smmu-v3-do-not-allow-a-sva-domain-to-be-se.patch +soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch +gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch +evm-enforce-signatures-on-unsupported-filesystem-for.patch +drm-radeon-radeon_display-decrease-the-size-of-alloc.patch +drm-xe-check-pat.ops-before-dumping-pat-settings.patch +nvmet-do-not-return-reserved-for-empty-tsas-values.patch 
+nvme-fixup-comment-for-nvme-rdma-provider-type.patch +nvmet-make-tsas-attribute-idempotent-for-rdma.patch +drm-panel-simple-add-missing-display-timing-flags-fo.patch +gpio-davinci-validate-the-obtained-number-of-irqs.patch +arm64-clear-the-initial-id-map-correctly-before-rema.patch +nfsd-initialise-nfsd_info.mutex-early.patch +risc-v-fix-vector-insn-load-store-width-mask.patch +drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch +riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch +iommu-amd-introduce-per-device-dte-update-function.patch +iommu-amd-invalidate-cache-before-removing-device-fr.patch +iommu-amd-fix-gt-feature-enablement-again.patch +gpiolib-cdev-disallow-reconfiguration-without-direct.patch +gpiolib-cdev-ignore-reconfiguration-without-directio.patch +tools-power-turbostat-option-n-is-ambiguous.patch +randomize_kstack-remove-non-functional-per-arch-entr.patch diff --git a/queue-6.9/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch b/queue-6.9/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch new file mode 100644 index 00000000000..0cd513147de --- /dev/null +++ b/queue-6.9/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch 
@@ -0,0 +1,71 @@ +From 4f11cd4194151a7354097ebdb3084d0d8fb4ada7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 11:55:07 -0500 +Subject: soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer + message + +From: Andrew Davis + +[ Upstream commit ddbf3204f600a4d1f153498f618369fca352ae00 ] + +mbox_send_message() sends a u32 bit message, not a pointer to a message. +We only convert to a pointer type as a generic type. If we want to send +a dummy message of 0, then simply send 0 (NULL). + +Signed-off-by: Andrew Davis +Link: https://lore.kernel.org/r/20240325165507.30323-1-afd@ti.com +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/wkup_m3_ipc.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/soc/ti/wkup_m3_ipc.c b/drivers/soc/ti/wkup_m3_ipc.c +index 6a1c6b34c414a..88f774db92084 100644 +--- a/drivers/soc/ti/wkup_m3_ipc.c ++++ b/drivers/soc/ti/wkup_m3_ipc.c +@@ -16,7 +16,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -314,7 +313,6 @@ static irqreturn_t wkup_m3_txev_handler(int irq, void *ipc_data) + static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc) + { + struct device *dev = m3_ipc->dev; +- mbox_msg_t dummy_msg = 0; + int ret; + + if (!m3_ipc->mbox) { +@@ -330,7 +328,7 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc) + * the RX callback to avoid multiple interrupts being received + * by the CM3. 
+ */ +- ret = mbox_send_message(m3_ipc->mbox, &dummy_msg); ++ ret = mbox_send_message(m3_ipc->mbox, NULL); + if (ret < 0) { + dev_err(dev, "%s: mbox_send_message() failed: %d\n", + __func__, ret); +@@ -352,7 +350,6 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc) + static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc) + { + struct device *dev = m3_ipc->dev; +- mbox_msg_t dummy_msg = 0; + int ret; + + if (!m3_ipc->mbox) { +@@ -361,7 +358,7 @@ static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc) + return -EIO; + } + +- ret = mbox_send_message(m3_ipc->mbox, &dummy_msg); ++ ret = mbox_send_message(m3_ipc->mbox, NULL); + if (ret < 0) { + dev_err(dev, "%s: mbox_send_message() failed: %d\n", + __func__, ret); +-- +2.43.0 + diff --git a/queue-6.9/tools-power-turbostat-option-n-is-ambiguous.patch b/queue-6.9/tools-power-turbostat-option-n-is-ambiguous.patch new file mode 100644 index 00000000000..4dfd2c7e3c4 --- /dev/null +++ b/queue-6.9/tools-power-turbostat-option-n-is-ambiguous.patch 
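Review bot: Both call sites now pass `NULL` to mbox_send_message(), which relies on the mailbox core and the controller driver treating a NULL message as the payload value 0 rather than as "nothing to send". Neither is visible in this patch, so that should be confirmed for the controller used here. wkup_m3_ping() keeps a comment explaining the dummy write, but wkup_m3_ping_noirq() has none; add `/* NULL is the dummy payload (value 0), not a missing message */` above the call there. Both function bodies continue outside the hunks.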
@@ -0,0 +1,43 @@
+From 4c14994110232e9a0818ba3ec247f3f8f2d3d405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 May 2024 14:57:49 -0400
+Subject: tools/power turbostat: option '-n' is ambiguous
+
+From: David Arcari
+
+[ Upstream commit ebb5b260af67c677700cd51be6845c2cab3edfbd ]
+
+In some cases specifying the '-n' command line argument will cause
+turbostat to fail. For instance 'turbostat -n 1' works fine; however,
+'turbostat -n 1 -d' will fail. This is the result of the first call
+to getopt_long_only() where "MP" is specified as the optstring. This can
+be easily fixed by changing the optstring from "MP" to "MPn:" to remove
+ambiguity between the arguments.
+
+tools/power turbostat: option '-n' is ambiguous; possibilities: '-num_iterations' '-no-msr' '-no-perf'
+
+Fixes: a0e86c90b83c ("tools/power turbostat: Add --no-perf option")
+
+Signed-off-by: David Arcari
+Signed-off-by: Len Brown
+Signed-off-by: Sasha Levin
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 98256468e2480..8071a3ef2a2e8 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -7851,7 +7851,7 @@ void cmdline(int argc, char **argv)
+ * Parse some options early, because they may make other options invalid,
+ * like adding the MSR counter with --add and at the same time using --no-msr.
+ */
+- while ((opt = getopt_long_only(argc, argv, "MP", long_options, &option_index)) != -1) {
++ while ((opt = getopt_long_only(argc, argv, "MPn:", long_options, &option_index)) != -1) {
+ switch (opt) {
+ case 'M':
+ no_msr = 1;
+--
+2.43.0
+
diff --git a/queue-6.9/vduse-temporarily-fail-if-control-queue-feature-requ.patch b/queue-6.9/vduse-temporarily-fail-if-control-queue-feature-requ.patch
new file mode 100644
index 00000000000..bb4546a6c93
--- /dev/null
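Review bot: Adding `n:` to the early-pass optstring means getopt_long_only() can now return 'n' inside this first loop, and the `switch (opt)` that has to ignore it continues outside the hunk. Confirm that the unhandled case is a no-op there, so the value is still consumed by whatever later parse handles the remaining options. A comment next to the optstring would keep the reason visible: `/* "n:" is listed only so that -n is not ambiguous with --no-msr/--no-perf in this early pass */`.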
+++ b/queue-6.9/vduse-temporarily-fail-if-control-queue-feature-requ.patch
@@ -0,0 +1,66 @@
+From f716a840d24744c09eb412ad313bcd1791c76f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jan 2024 12:10:24 +0100
+Subject: vduse: Temporarily fail if control queue feature requested
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Coquelin
+
+[ Upstream commit 56e71885b0349241c07631a7b979b61e81afab6a ]
+
+Virtio-net driver control queue implementation is not safe
+when used with VDUSE. If the VDUSE application does not
+reply to control queue messages, it currently ends up
+hanging the kernel thread sending this command.
+
+Some work is on-going to make the control queue
+implementation robust with VDUSE. Until it is completed,
+let's fail features check if control-queue feature is
+requested.
+
+Signed-off-by: Maxime Coquelin
+Message-Id: <20240109111025.1320976-3-maxime.coquelin@redhat.com>
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Eugenio Pérez
+Reviewed-by: Xie Yongji
+Acked-by: Jason Wang
+Signed-off-by: Sasha Levin
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
+index 7c3d117b22deb..ac8b5b52e3dc4 100644
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -8,6 +8,7 @@
+ *
+ */
+
++#include "linux/virtio_net.h"
+ #include
+ #include
+ #include
+@@ -28,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "iova_domain.h"
+@@ -1714,6 +1716,9 @@ static bool features_is_valid(struct vduse_dev_config *config)
+ if ((config->device_id == VIRTIO_ID_BLOCK) &&
+ (config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE)))
+ return false;
++ else if ((config->device_id == VIRTIO_ID_NET) &&
++ (config->features & BIT_ULL(VIRTIO_NET_F_CTRL_VQ)))
++ return false;
+
+ return true;
+ }
+--
+2.43.0
+
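Review bot: The added `VIRTIO_NET_F_CTRL_VQ` rejection sits under the existing comment "Now we only support read-only configuration space", which does not describe it. The branch needs its own comment, e.g. `/* Control queue is not safe with VDUSE yet: an unresponsive userspace device hangs the kernel thread */`, so the temporary restriction and its reason are visible when it is lifted. The `else` after `return false` is redundant. The first hunk includes the header as `#include "linux/virtio_net.h"` and the second hunk adds another include whose name is not visible here; if both name the same header one should go, and a kernel header is conventionally included with angle brackets. features_is_valid() starts outside the hunk.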
diff --git a/queue-6.9/vduse-validate-block-features-only-with-block-device.patch b/queue-6.9/vduse-validate-block-features-only-with-block-device.patch new file mode 100644 index 00000000000..46e9de28ff6 --- /dev/null +++ b/queue-6.9/vduse-validate-block-features-only-with-block-device.patch 
@@ -0,0 +1,65 @@ +From 719ab9dd398f2d1657148d6ba71415e30ec2e94f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jan 2024 12:10:23 +0100 +Subject: vduse: validate block features only with block devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Coquelin + +[ Upstream commit a115b5716fc9a64652aa9cb332070087178ffafa ] + +This patch is preliminary work to enable network device +type support to VDUSE. + +As VIRTIO_BLK_F_CONFIG_WCE shares the same value as +VIRTIO_NET_F_HOST_TSO4, we need to restrict its check +to Virtio-blk device type. + +Acked-by: Jason Wang +Reviewed-by: Xie Yongji +Reviewed-by: Eugenio Pérez +Signed-off-by: Maxime Coquelin +Message-Id: <20240109111025.1320976-2-maxime.coquelin@redhat.com> +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: 56e71885b034 ("vduse: Temporarily fail if control queue feature requested") +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c +index 73c89701fc9d4..7c3d117b22deb 100644 +--- a/drivers/vdpa/vdpa_user/vduse_dev.c ++++ b/drivers/vdpa/vdpa_user/vduse_dev.c +@@ -1705,13 +1705,14 @@ static bool device_is_allowed(u32 device_id) + return false; + } + +-static bool features_is_valid(u64 features) ++static bool features_is_valid(struct vduse_dev_config *config) + { +- if (!(features & (1ULL << VIRTIO_F_ACCESS_PLATFORM))) ++ if (!(config->features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM))) + return false; + + /* Now we only support read-only configuration space */ +- if (features & (1ULL << VIRTIO_BLK_F_CONFIG_WCE)) ++ if ((config->device_id == VIRTIO_ID_BLOCK) && ++ (config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE))) + return false; + + return true; +@@ -1738,7 +1739,7 @@ static bool vduse_validate_config(struct vduse_dev_config *config) + if (!device_is_allowed(config->device_id)) + 
return false; + +- if (!features_is_valid(config->features)) ++ if (!features_is_valid(config)) + return false; + + return true; +-- +2.43.0 + diff --git a/queue-6.9/wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch b/queue-6.9/wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch new file mode 100644 index 00000000000..2285e5ffdcf --- /dev/null +++ b/queue-6.9/wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch @@ -0,0 +1,38 @@ +From 1eb939ad7095e4dcf07a625a3644d7e5f88cc8d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 18:53:17 +0200 +Subject: wifi: ieee80211: check for NULL in ieee80211_mle_size_ok() + +From: Johannes Berg + +[ Upstream commit b7793a1a2f370c28b17d9554b58e9dc51afcfcbd ] + +For simplicity, we may want to pass a NULL element, and +while we should then pass also a zero length, just be a +bit more careful here. + +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240318184907.4d983653cb8d.Ic3ea99b60c61ac2f7d38cb9fd202a03c97a05601@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/linux/ieee80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h +index ac5be38d8aaf0..4fd9735bb75e5 100644 +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -5166,7 +5166,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len) + bool check_common_len = false; + u16 control; + +- if (len < fixed) ++ if (!data || len < fixed) + return false; + + control = le16_to_cpu(mle->control); +-- +2.43.0 + diff --git a/queue-6.9/wifi-rtw89-download-firmware-with-five-times-retry.patch b/queue-6.9/wifi-rtw89-download-firmware-with-five-times-retry.patch new file mode 100644 index 00000000000..beeb4b6b661 --- /dev/null +++ b/queue-6.9/wifi-rtw89-download-firmware-with-five-times-retry.patch 
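Review bot: features_is_valid() only reads the configuration, so its new parameter should be `const struct vduse_dev_config *config`. The block-feature check now depends on `config->device_id`, which vduse_validate_config() passes through device_is_allowed() just before the call in the last hunk of this patch. A comment stating that ordering requirement would protect it, e.g. `/* device_id must already have passed device_is_allowed() */`. vduse_validate_config() starts outside the hunk.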
@@ -0,0 +1,94 @@ +From 7580c07becf4b1879b01390f5001fdcbca48dab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:52:48 +0800 +Subject: wifi: rtw89: download firmware with five times retry + +From: Chia-Yuan Li + +[ Upstream commit a9e1b0ec5bdeedcf062416af4081aa005f8bf1e7 ] + +After firmware boots, it reads keys info from efuse and checks secure +checksum, but suddenly failed to access efuse resulting in probe failure, +and driver throws messages: + + rtw89_8852be 0000:03:00.0: fw security fail + rtw89_8852be 0000:03:00.0: download firmware fail + rtw89_8852be 0000:03:00.0: [ERR]fwdl 0x1E0 = 0xe2 + rtw89_8852be 0000:03:00.0: [ERR]fwdl 0x83F0 = 0x210090 + +Retry five times to resolve rare abnormal hardware state. + +Signed-off-by: Chia-Yuan Li +Signed-off-by: Ping-Ke Shih +Link: https://msgid.link/20240329015251.22762-2-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/fw.c | 27 +++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c +index 185cd339c0855..6c75ebbb21caa 100644 +--- a/drivers/net/wireless/realtek/rtw89/fw.c ++++ b/drivers/net/wireless/realtek/rtw89/fw.c +@@ -1349,13 +1349,12 @@ static void rtw89_fw_prog_cnt_dump(struct rtw89_dev *rtwdev) + static void rtw89_fw_dl_fail_dump(struct rtw89_dev *rtwdev) + { + u32 val32; +- u16 val16; + + val32 = rtw89_read32(rtwdev, R_AX_WCPU_FW_CTRL); + rtw89_err(rtwdev, "[ERR]fwdl 0x1E0 = 0x%x\n", val32); + +- val16 = rtw89_read16(rtwdev, R_AX_BOOT_DBG + 2); +- rtw89_err(rtwdev, "[ERR]fwdl 0x83F2 = 0x%x\n", val16); ++ val32 = rtw89_read32(rtwdev, R_AX_BOOT_DBG); ++ rtw89_err(rtwdev, "[ERR]fwdl 0x83F0 = 0x%x\n", val32); + + rtw89_fw_prog_cnt_dump(rtwdev); + } +@@ -1394,8 +1393,9 @@ static int rtw89_fw_download_suit(struct rtw89_dev *rtwdev, + return 0; + } + +-int rtw89_fw_download(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, +- bool 
include_bb) ++static ++int __rtw89_fw_download(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, ++ bool include_bb) + { + const struct rtw89_mac_gen_def *mac = rtwdev->chip->mac_def; + struct rtw89_fw_info *fw_info = &rtwdev->fw; +@@ -1433,7 +1433,7 @@ int rtw89_fw_download(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, + ret = rtw89_fw_check_rdy(rtwdev, RTW89_FWDL_CHECK_FREERTOS_DONE); + if (ret) { + rtw89_warn(rtwdev, "download firmware fail\n"); +- return ret; ++ goto fwdl_err; + } + + return ret; +@@ -1443,6 +1443,21 @@ int rtw89_fw_download(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, + return ret; + } + ++int rtw89_fw_download(struct rtw89_dev *rtwdev, enum rtw89_fw_type type, ++ bool include_bb) ++{ ++ int retry; ++ int ret; ++ ++ for (retry = 0; retry < 5; retry++) { ++ ret = __rtw89_fw_download(rtwdev, type, include_bb); ++ if (!ret) ++ return 0; ++ } ++ ++ return ret; ++} ++ + int rtw89_wait_firmware_completion(struct rtw89_dev *rtwdev) + { + struct rtw89_fw_info *fw = &rtwdev->fw; +-- +2.43.0 + diff --git a/queue-6.9/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch b/queue-6.9/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch new file mode 100644 index 00000000000..41c8e830f9b --- /dev/null +++ b/queue-6.9/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch 
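Review bot: The retry loop in the new rtw89_fw_download() repeats the whole download for every non-zero return from __rtw89_fw_download(), with no delay and a bare `5`. A permanent failure, such as a firmware image that is rejected every time, therefore runs the full download and its failure logging five times before the error is returned. Name the limit, e.g. `#define RTW89_FWDL_RETRY_MAX 5`, and log the attempt number on failure so that a persistent "fw security fail" can be told apart from the rare transient state the description mentions. If only some error codes indicate the transient case, retry only on those; the codes returned are not visible in these hunks.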
@@ -0,0 +1,61 @@
+From 23fa83e5c46bc0783b6bb30ae1cc23aaf0a360e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Mar 2024 09:18:23 +0100
+Subject: x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup
+
+From: Uros Bizjak
+
+[ Upstream commit 5d31174f3c8c465d9dbe88f6b9d1fe5716f44981 ]
+
+The assembly snippet in restore_fpregs_from_fpstate() that implements
+X86_BUG_FXSAVE_LEAK fixup loads the value from a random variable,
+preferably the one that is already in the L1 cache.
+
+However, the access to fpinit_state via *fpstate pointer is not
+implemented correctly. The "m" asm constraint requires dereferenced
+pointer variable, otherwise the compiler just reloads the value
+via temporary stack slot. The current asm code reflects this:
+
+ mov %rdi,(%rsp)
+ ...
+ fildl (%rsp)
+
+With dereferenced pointer variable, the code does what the
+comment above the asm snippet says:
+
+ fildl (%rdi)
+
+Also, remove the pointless %P operand modifier. The modifier is
+ineffective on non-symbolic references - it was used to prevent
+%rip-relative addresses in .altinstr sections, but FILDL in the
+.text section can use %rip-relative addresses without problems.
+
+Signed-off-by: Uros Bizjak
+Signed-off-by: Ingo Molnar
+Cc: Andy Lutomirski
+Cc: H. Peter Anvin
+Cc: Linus Torvalds
+Link: https://lore.kernel.org/r/20240315081849.5187-1-ubizjak@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/fpu/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index 520deb411a702..1209c7aebb211 100644
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -145,8 +145,8 @@ void restore_fpregs_from_fpstate(struct fpstate *fpstate, u64 mask)
+ asm volatile(
+ "fnclex\n\t"
+ "emms\n\t"
+- "fildl %P[addr]" /* set F?P to defined value */
+- : : [addr] "m" (fpstate));
++ "fildl %[addr]" /* set F?P to defined value */
++ : : [addr] "m" (*fpstate));
+ }
+
+ if (use_xsave()) {
+--
+2.43.0
+