From: Sasha Levin Date: Mon, 30 Sep 2024 23:03:14 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.6.54~128 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f1045dee395df45f5811ec67f7ce1c2517051a15;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch b/queue-5.4/acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch new file mode 100644 index 00000000000..dc96f6a3172 --- /dev/null +++ b/queue-5.4/acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch @@ -0,0 +1,49 @@ +From 159b4fb42b66ba9684f61a076c68a9e210b2b4fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Jul 2024 01:53:39 +0300 +Subject: ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() + +From: Aleksandr Mishin + +[ Upstream commit 07442c46abad1d50ac82af5e0f9c5de2732c4592 ] + +In tps68470_pmic_opregion_probe() pointer 'dev' is compared to NULL which +is useless. + +Fix this issue by removing unneeded check. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: e13452ac3790 ("ACPI / PMIC: Add TI PMIC TPS68470 operation region driver") +Suggested-by: Andy Shevchenko +Signed-off-by: Aleksandr Mishin +Reviewed-by: Sakari Ailus +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20240730225339.13165-1-amishin@t-argos.ru +[ rjw: Subject edit ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/pmic/tps68470_pmic.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/pmic/tps68470_pmic.c b/drivers/acpi/pmic/tps68470_pmic.c +index ebd03e4729555..0d1a82eeb4b0b 100644 +--- a/drivers/acpi/pmic/tps68470_pmic.c ++++ b/drivers/acpi/pmic/tps68470_pmic.c +@@ -376,10 +376,8 @@ static int tps68470_pmic_opregion_probe(struct platform_device *pdev) + struct tps68470_pmic_opregion *opregion; + acpi_status status; + +- if (!dev || !tps68470_regmap) { +- dev_warn(dev, "dev or regmap is NULL\n"); +- return -EINVAL; +- } ++ if (!tps68470_regmap) ++ return dev_err_probe(dev, -EINVAL, "regmap is missing\n"); + + if (!handle) { + dev_warn(dev, "acpi handle is NULL\n"); +-- +2.43.0 + diff --git a/queue-5.4/arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch b/queue-5.4/arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch new file mode 100644 index 00000000000..4179f101d91 --- /dev/null +++ b/queue-5.4/arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch @@ -0,0 +1,38 @@ +From 1006164ab7c12e3d0eaed7b2fac7d90c7dab5b47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 11:56:36 +0200 +Subject: ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property + +From: Krzysztof Kozlowski + +[ Upstream commit 0e49cfe364dea4345551516eb2fe53135a10432b ] + +There is no "fsl,phy" property in pin controller pincfg nodes: + + imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,pins' is a required property + imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,phy' does not match any of the regexes: 'pinctrl-[0-9]+' + +Fixes: f496e6750083 ("ARM: dts: Add ZII support for ZII i.MX7 RMU2 board") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7d-zii-rmu2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx7d-zii-rmu2.dts b/arch/arm/boot/dts/imx7d-zii-rmu2.dts +index 2b8d6cc45a538..7d9209cd4c316 100644 +--- a/arch/arm/boot/dts/imx7d-zii-rmu2.dts ++++ b/arch/arm/boot/dts/imx7d-zii-rmu2.dts +@@ -350,7 +350,7 @@ MX7D_PAD_SD3_RESET_B__SD3_RESET_B 0x59 + + &iomuxc_lpsr { + pinctrl_enet1_phy_interrupt: enet1phyinterruptgrp { +- fsl,phy = < ++ fsl,pins = < + MX7D_PAD_LPSR_GPIO1_IO02__GPIO1_IO2 0x08 + >; + }; +-- +2.43.0 + diff --git a/queue-5.4/arm-versatile-fix-of-node-leak-in-cpus-prepare.patch b/queue-5.4/arm-versatile-fix-of-node-leak-in-cpus-prepare.patch new file mode 100644 index 00000000000..0c2a8390b2a --- /dev/null +++ b/queue-5.4/arm-versatile-fix-of-node-leak-in-cpus-prepare.patch @@ -0,0 +1,37 @@ +From a7c9dfff087e224f2a8dc23c26cba905cda22cd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 07:49:33 +0200 +Subject: ARM: versatile: fix OF node leak in CPUs prepare + +From: Krzysztof Kozlowski + +[ Upstream commit f2642d97f2105ed17b2ece0c597450f2ff95d704 ] + +Machine code is leaking OF node reference from of_find_matching_node() +in realview_smp_prepare_cpus(). + +Fixes: 5420b4b15617 ("ARM: realview: add an DT SMP boot method") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Liviu Dudau +Link: https://lore.kernel.org/20240826054934.10724-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/mach-realview/platsmp-dt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-realview/platsmp-dt.c b/arch/arm/mach-realview/platsmp-dt.c +index 5ae783767a5d3..083e6a6f75205 100644 +--- a/arch/arm/mach-realview/platsmp-dt.c ++++ b/arch/arm/mach-realview/platsmp-dt.c +@@ -66,6 +66,7 @@ static void __init realview_smp_prepare_cpus(unsigned int max_cpus) + return; + } + map = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(map)) { + pr_err("PLATSMP: No syscon regmap\n"); + return; +-- +2.43.0 + diff --git a/queue-5.4/block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch b/queue-5.4/block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch new file mode 100644 index 00000000000..f8462f4cd82 --- /dev/null +++ b/queue-5.4/block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch @@ -0,0 +1,61 @@ +From ec4734f4cf55cd89c648b9a1083b6fa2e6918148 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 21:03:27 +0800 +Subject: block, bfq: choose the last bfqq from merge chain in + bfq_setup_cooperator() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 0e456dba86c7f9a19792204a044835f1ca2c8dbb ] + +Consider the following merge chain: + +Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \--------------\ \-------------\ \-------------\| + V V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 + +IO from Process 1 will get bfqf2 from BIC1 first, then +bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then +handle this IO from bfqq3. However, the merge chain can be much deeper +and bfqq3 can be merged to other bfqq as well. + +Fix this problem by iterating to the last bfqq in +bfq_setup_cooperator(). + +Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 6ed6ff0864fd2..015c1879edd2a 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2610,8 +2610,12 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + struct bfq_queue *in_service_bfqq, *new_bfqq; + + /* if a merge has already been setup, then proceed with that first */ +- if (bfqq->new_bfqq) +- return bfqq->new_bfqq; ++ new_bfqq = bfqq->new_bfqq; ++ if (new_bfqq) { ++ while (new_bfqq->new_bfqq) ++ new_bfqq = new_bfqq->new_bfqq; ++ return new_bfqq; ++ } + + /* + * Do not perform queue merging if the device is non +-- +2.43.0 + diff --git a/queue-5.4/block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch b/queue-5.4/block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch new file mode 100644 index 00000000000..3a87227f98e --- /dev/null +++ b/queue-5.4/block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch @@ -0,0 +1,66 @@ +From 2994c1f2f79a46ed4f83d751770831a91176ed24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 21:03:28 +0800 +Subject: block, bfq: don't break merge chain in bfq_split_bfqq() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 42c306ed723321af4003b2a41bb73728cab54f85 ] + +Consider the following scenario: + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + Λ | | | + \-------------\ \-------------\ \--------------\| + V V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 +ref 0 1 2 4 + +If Process 1 issue a new IO and bfqq2 is found, and then bfq_init_rq() +decide to spilt bfqq2 by bfq_split_bfqq(). Howerver, procress reference +of bfqq2 is 1 and bfq_split_bfqq() just clear the coop flag, which will +break the merge chain. + +Expected result: caller will allocate a new bfqq for BIC1 + + Process 1 Process 2 Process 3 Process 4 + (BIC1) (BIC2) (BIC3) (BIC4) + | | | + \-------------\ \--------------\| + V V + bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 +ref 0 0 1 3 + +Since the condition is only used for the last bfqq4 when the previous +bfqq2 and bfqq3 are already splited. Fix the problem by checking if +bfqq is the last one in the merge chain as well. + +Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240902130329.3787024-4-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 015c1879edd2a..897a3aae12b80 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5994,7 +5994,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq) + { + bfq_log_bfqq(bfqq->bfqd, bfqq, "splitting queue"); + +- if (bfqq_process_refs(bfqq) == 1) { ++ if (bfqq_process_refs(bfqq) == 1 && !bfqq->new_bfqq) { + bfqq->pid = current->pid; + bfq_clear_bfqq_coop(bfqq); + bfq_clear_bfqq_split_coop(bfqq); +-- +2.43.0 + diff --git a/queue-5.4/block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch b/queue-5.4/block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch new file mode 100644 index 00000000000..46908037580 --- /dev/null +++ b/queue-5.4/block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch @@ -0,0 +1,225 @@ +From bd95b3a2ba5294e417e91b558d861d569ca23a26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 21:03:26 +0800 +Subject: block, bfq: fix possible UAF for bfqq->bic with merge chain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Kuai + +[ Upstream commit 18ad4df091dd5d067d2faa8fce1180b79f7041a7 ] + +1) initial state, three tasks: + + Process 1 Process 2 Process 3 + (BIC1) (BIC2) (BIC3) + | Λ | Λ | Λ + | | | | | | + V | V | V | + bfqq1 bfqq2 bfqq3 +process ref: 1 1 1 + +2) bfqq1 merged to bfqq2: + + Process 1 Process 2 Process 3 + (BIC1) (BIC2) (BIC3) + | | | Λ + \--------------\| | | + V V | + bfqq1--------->bfqq2 bfqq3 +process ref: 0 2 1 + +3) bfqq2 merged to bfqq3: + + Process 1 Process 2 Process 3 + (BIC1) (BIC2) (BIC3) + here -> Λ | | + \--------------\ \-------------\| + V V + bfqq1--------->bfqq2---------->bfqq3 +process ref: 0 1 3 + +In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then +get bfqq3 through merge chain, and finially handle IO by bfqq3. +Howerver, current code will think bfqq2 is owned by BIC1, like initial +state, and set bfqq2->bic to BIC1. + +bfq_insert_request +-> by Process 1 + bfqq = bfq_init_rq(rq) + bfqq = bfq_get_bfqq_handle_split + bfqq = bic_to_bfqq + -> get bfqq2 from BIC1 + bfqq->ref++ + rq->elv.priv[0] = bic + rq->elv.priv[1] = bfqq + if (bfqq_process_refs(bfqq) == 1) + bfqq->bic = bic + -> record BIC1 to bfqq2 + + __bfq_insert_request + new_bfqq = bfq_setup_cooperator + -> get bfqq3 from bfqq2->new_bfqq + bfqq_request_freed(bfqq) + new_bfqq->ref++ + rq->elv.priv[1] = new_bfqq + -> handle IO by bfqq3 + +Fix the problem by checking bfqq is from merge chain fist. And this +might fix a following problem reported by our syzkaller(unreproducible): + +================================================================== +BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] +BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] +BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 +Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595 + +CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +Workqueue: kblockd blk_mq_requeue_work +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:364 [inline] + print_report+0x10d/0x610 mm/kasan/report.c:475 + kasan_report+0x8e/0xc0 mm/kasan/report.c:588 + bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] + bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] + bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 + bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757 + bfq_init_rq block/bfq-iosched.c:6876 [inline] + bfq_insert_request block/bfq-iosched.c:6254 [inline] + bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304 + blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593 + blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + + +Allocated by task 20776: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:188 [inline] + slab_post_alloc_hook mm/slab.h:763 [inline] + slab_alloc_node mm/slub.c:3458 [inline] + kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 + ioc_create_icq block/blk-ioc.c:370 [inline] + ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436 + bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812 + blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403 + __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517 + blk_mq_get_new_requests block/blk-mq.c:2940 [inline] + blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042 + __submit_bio+0x331/0x6f0 block/blk-core.c:624 + __submit_bio_noacct_mq block/blk-core.c:703 [inline] + submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732 + submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826 + xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958 + xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619 + xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + +Freed by task 946: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:164 [inline] + slab_free_hook mm/slub.c:1815 [inline] + slab_free_freelist_hook mm/slub.c:1841 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0x118/0x6f0 mm/slub.c:3808 + rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189 + rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462 + __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553 + +Last potentially related work creation: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 + __call_rcu_common kernel/rcu/tree.c:2712 [inline] + call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826 + ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105 + ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + +Second to last potentially related work creation: + kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 + __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 + __call_rcu_common kernel/rcu/tree.c:2712 [inline] + call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826 + ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105 + ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124 + process_one_work kernel/workqueue.c:2627 [inline] + process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 + worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 + kthread+0x33c/0x440 kernel/kthread.c:388 + ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 + +The buggy address belongs to the object at ffff888123839d68 + which belongs to the cache bfq_io_cq of size 1360 +The buggy address is located 336 bytes inside of + freed 1360-byte region [ffff888123839d68, ffff88812383a2b8) + +The buggy address belongs to the physical page: +page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838 +head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff) +page_type: 0xffffffff() +raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488 +raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20240902130329.3787024-2-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index c73c8b0f5e400..6ed6ff0864fd2 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -6175,7 +6175,8 @@ static struct bfq_queue *bfq_init_rq(struct request *rq) + * addition, if the queue has also just been split, we have to + * resume its state. + */ +- if (likely(bfqq != &bfqd->oom_bfqq) && bfqq_process_refs(bfqq) == 1) { ++ if (likely(bfqq != &bfqd->oom_bfqq) && !bfqq->new_bfqq && ++ bfqq_process_refs(bfqq) == 1) { + bfqq->bic = bic; + if (split) { + /* +-- +2.43.0 + diff --git a/queue-5.4/bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch b/queue-5.4/bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch new file mode 100644 index 00000000000..b5cbc42122b --- /dev/null +++ b/queue-5.4/bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch @@ -0,0 +1,45 @@ +From 41b7b7b2061d763749874a076f3f5d75c9d270e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 16:51:52 -0400 +Subject: Bluetooth: btusb: Fix not handling ZPL/short-transfer + +From: Luiz Augusto von Dentz + +[ Upstream commit 7b05933340f4490ef5b09e84d644d12484b05fdf ] + +Requesting transfers of the exact same size of wMaxPacketSize may result +in ZPL/short-transfer since the USB stack cannot handle it as we are +limiting the buffer size to be the same as wMaxPacketSize. + +Also, in terms of throughput this change has the same effect to +interrupt endpoint as 290ba200815f "Bluetooth: Improve USB driver throughput +by increasing the frame size" had for the bulk endpoint, so users of the +advertisement bearer (e.g. BT Mesh) may benefit from this change. + +Fixes: 5e23b923da03 ("[Bluetooth] Add generic driver for Bluetooth USB devices") +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Kiran K +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index b9752625c88b4..87392ceee3dba 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -834,7 +834,10 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags) + if (!urb) + return -ENOMEM; + +- size = le16_to_cpu(data->intr_ep->wMaxPacketSize); ++ /* Use maximum HCI Event size so the USB stack handles ++ * ZPL/short-transfer automatically. ++ */ ++ size = HCI_MAX_EVENT_SIZE; + + buf = kmalloc(size, mem_flags); + if (!buf) { +-- +2.43.0 + diff --git a/queue-5.4/bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch b/queue-5.4/bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch new file mode 100644 index 00000000000..9b73b2571ef --- /dev/null +++ b/queue-5.4/bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch @@ -0,0 +1,74 @@ +From b3e02efc9ed57cf1190983dcbc77e8ca1d47fb37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 21:17:46 +0200 +Subject: bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit + +From: Daniel Borkmann + +[ Upstream commit cfe69c50b05510b24e26ccb427c7cc70beafd6c1 ] + +The bpf_strtol() and bpf_strtoul() helpers are currently broken on 32bit: + +The argument type ARG_PTR_TO_LONG is BPF-side "long", not kernel-side "long" +and therefore always considered fixed 64bit no matter if 64 or 32bit underlying +architecture. + +This contract breaks in case of the two mentioned helpers since their BPF_CALL +definition for the helpers was added with {unsigned,}long *res. Meaning, the +transition from BPF-side "long" (BPF program) to kernel-side "long" (BPF helper) +breaks here. + +Both helpers call __bpf_strtoll() with "long long" correctly, but later assigning +the result into 32-bit "*(long *)" on 32bit architectures. From a BPF program +point of view, this means upper bits will be seen as uninitialised. + +Therefore, fix both BPF_CALL signatures to {s,u}64 types to fix this situation. + +Now, changing also uapi/bpf.h helper documentation which generates bpf_helper_defs.h +for BPF programs is tricky: Changing signatures there to __{s,u}64 would trigger +compiler warnings (incompatible pointer types passing 'long *' to parameter of type +'__s64 *' (aka 'long long *')) for existing BPF programs. + +Leaving the signatures as-is would be fine as from BPF program point of view it is +still BPF-side "long" and thus equivalent to __{s,u}64 on 64 or 32bit underlying +architectures. + +Note that bpf_strtol() and bpf_strtoul() are the only helpers with this issue. + +Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers") +Reported-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/481fcec8-c12c-9abb-8ecb-76c71c009959@iogearbox.net +Link: https://lore.kernel.org/r/20240913191754.13290-1-daniel@iogearbox.net +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 9bfb4685d0684..a9708b4448148 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -445,7 +445,7 @@ static int __bpf_strtoll(const char *buf, size_t buf_len, u64 flags, + } + + BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags, +- long *, res) ++ s64 *, res) + { + long long _res; + int err; +@@ -470,7 +470,7 @@ const struct bpf_func_proto bpf_strtol_proto = { + }; + + BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags, +- unsigned long *, res) ++ u64 *, res) + { + unsigned long long _res; + bool is_negative; +-- +2.43.0 + diff --git a/queue-5.4/can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch b/queue-5.4/can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch new file mode 100644 index 00000000000..a95c74412fa --- /dev/null +++ b/queue-5.4/can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch @@ -0,0 +1,99 @@ +From 93b4bcb6c4ca924c9b51fc4ac4914d464ccd6875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 18:22:37 -0700 +Subject: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). + +From: Kuniyuki Iwashima + +[ Upstream commit 94b0818fa63555a65f6ba107080659ea6bcca63e ] + +syzbot reported a warning in bcm_release(). [0] + +The blamed change fixed another warning that is triggered when +connect() is issued again for a socket whose connect()ed device has +been unregistered. + +However, if the socket is just close()d without the 2nd connect(), the +remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry() +in bcm_release(). + +Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify(). + +[0] +name '4986' +WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711 +Modules linked in: +CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 +RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711 +Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07 +RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246 +RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a +R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640 +R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000 +FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + bcm_release+0x250/0x880 net/can/bcm.c:1578 + __sock_release net/socket.c:659 [inline] + sock_close+0xbc/0x240 net/socket.c:1421 + __fput+0x24a/0x8a0 fs/file_table.c:422 + task_work_run+0x24f/0x310 kernel/task_work.c:228 + exit_task_work include/linux/task_work.h:40 [inline] + do_exit+0xa2f/0x27f0 kernel/exit.c:882 + do_group_exit+0x207/0x2c0 kernel/exit.c:1031 + __do_sys_exit_group kernel/exit.c:1042 [inline] + __se_sys_exit_group kernel/exit.c:1040 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040 + x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fcfb51ee969 +Code: Unable to access opcode bytes at 0x7fcfb51ee93f. +RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969 +RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 +RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000 +R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0 +R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160 + + +Fixes: 76fe372ccb81 ("can: bcm: Remove proc entry when dev is unregistered.") +Reported-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0532ac7a06fb1a03187e +Tested-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20240905012237.79683-1-kuniyu@amazon.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/bcm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index cc7fb30eafc0b..1b5409b39a752 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1426,8 +1426,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg, + /* remove device reference, if this is our bound device */ + if (bo->bound && bo->ifindex == dev->ifindex) { + #if IS_ENABLED(CONFIG_PROC_FS) +- if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) ++ if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) { + remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir); ++ bo->bcm_proc_read = NULL; ++ } + #endif + bo->bound = 0; + bo->ifindex = 0; +-- +2.43.0 + diff --git a/queue-5.4/can-j1939-use-correct-function-name-in-comment.patch b/queue-5.4/can-j1939-use-correct-function-name-in-comment.patch new file mode 100644 index 00000000000..b8b0f1da01d --- /dev/null +++ b/queue-5.4/can-j1939-use-correct-function-name-in-comment.patch @@ -0,0 +1,44 @@ +From 48956cd666e572e497634341bcc2a7d252337ca8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 20:48:23 +0800 +Subject: can: j1939: use correct function name in comment + +From: Zhang Changzhong + +[ Upstream commit dc2ddcd136fe9b6196a7dd01f75f824beb02d43f ] + +The function j1939_cancel_all_active_sessions() was renamed to +j1939_cancel_active_session() but name in comment wasn't updated. + +Signed-off-by: Zhang Changzhong +Acked-by: Oleksij Rempel +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Link: https://patch.msgid.link/1724935703-44621-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 009c5a67cfbdc..1d926a0372e61 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1171,10 +1171,10 @@ static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer) + break; + case -ENETDOWN: + /* In this case we should get a netdev_event(), all active +- * sessions will be cleared by +- * j1939_cancel_all_active_sessions(). So handle this as an +- * error, but let j1939_cancel_all_active_sessions() do the +- * cleanup including propagation of the error to user space. ++ * sessions will be cleared by j1939_cancel_active_session(). ++ * So handle this as an error, but let ++ * j1939_cancel_active_session() do the cleanup including ++ * propagation of the error to user space. + */ + break; + case -EOVERFLOW: +-- +2.43.0 + diff --git a/queue-5.4/clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch b/queue-5.4/clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch new file mode 100644 index 00000000000..fb4b20ad022 --- /dev/null +++ b/queue-5.4/clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch @@ -0,0 +1,42 @@ +From 87a3916f8d105dbf63abab6877ed7464f7f538f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 17:03:53 +0000 +Subject: clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 + +From: Jonas Karlman + +[ Upstream commit 1d34b9757523c1ad547bd6d040381f62d74a3189 ] + +Similar to DCLK_LCDC on RK3328, the DCLK_VOP on RK3228 is typically +parented by the hdmiphy clk and it is expected that the DCLK_VOP and +hdmiphy clk rate are kept in sync. + +Use CLK_SET_RATE_PARENT and CLK_SET_RATE_NO_REPARENT flags, same as used +on RK3328, to make full use of all possible supported display modes. + +Fixes: 0a9d4ac08ebc ("clk: rockchip: set the clock ids for RK3228 VOP") +Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228") +Signed-off-by: Jonas Karlman +Link: https://lore.kernel.org/r/20240615170417.3134517-3-jonas@kwiboo.se +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3228.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3228.c b/drivers/clk/rockchip/clk-rk3228.c +index 47d6482dda9df..a2b4d54875142 100644 +--- a/drivers/clk/rockchip/clk-rk3228.c ++++ b/drivers/clk/rockchip/clk-rk3228.c +@@ -408,7 +408,7 @@ static struct rockchip_clk_branch rk3228_clk_branches[] __initdata = { + RK2928_CLKSEL_CON(29), 0, 3, DFLAGS), + DIV(0, "sclk_vop_pre", "sclk_vop_src", 0, + RK2928_CLKSEL_CON(27), 8, 8, DFLAGS), +- MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, 0, ++ MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, CLK_SET_RATE_PARENT | CLK_SET_RATE_NO_REPARENT, + RK2928_CLKSEL_CON(27), 1, 1, MFLAGS), + + FACTOR(0, "xin12m", "xin24m", 0, 1, 2), +-- +2.43.0 + diff --git a/queue-5.4/clk-ti-dra7-atl-fix-leak-of-of_nodes.patch b/queue-5.4/clk-ti-dra7-atl-fix-leak-of-of_nodes.patch new file mode 100644 index 00000000000..be10e7f454f --- /dev/null +++ b/queue-5.4/clk-ti-dra7-atl-fix-leak-of-of_nodes.patch @@ -0,0 +1,39 @@ +From 3f43c49eddf988ce870efae9497f0bff39d02bde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2024 10:35:29 -0500 +Subject: clk: ti: dra7-atl: Fix leak of of_nodes + +From: David Lechner + +[ Upstream commit 9d6e9f10e2e031fb7bfb3030a7d1afc561a28fea ] + +This fix leaking the of_node references in of_dra7_atl_clk_probe(). + +The docs for of_parse_phandle_with_args() say that the caller must call +of_node_put() on the returned node. This adds the missing of_node_put() +to fix the leak. + +Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)") +Signed-off-by: David Lechner +Link: https://lore.kernel.org/r/20240826-clk-fix-leak-v1-1-f55418a13aa6@baylibre.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clk-dra7-atl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c +index 62ea790d79f96..640642b3e9a2f 100644 +--- a/drivers/clk/ti/clk-dra7-atl.c ++++ b/drivers/clk/ti/clk-dra7-atl.c +@@ -257,6 +257,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev) + } + + clk = of_clk_get_from_provider(&clkspec); ++ of_node_put(clkspec.np); + if (IS_ERR(clk)) { + pr_err("%s: failed to get atl clock %d from provider\n", + __func__, i); +-- +2.43.0 + diff --git a/queue-5.4/clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch b/queue-5.4/clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch new file mode 100644 index 00000000000..242934acc7c --- /dev/null +++ b/queue-5.4/clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch @@ -0,0 +1,51 @@ +From 83468ef8da3d06e07c92078f87ecdedc014dab7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jul 2024 15:27:13 +0530 +Subject: clocksource/drivers/qcom: Add missing iounmap() on errors in + msm_dt_timer_init() + +From: Ankit Agrawal + +[ Upstream commit ca140a0dc0a18acd4653b56db211fec9b2339986 ] + +Add the missing iounmap() when clock frequency fails to get read by the +of_property_read_u32() call, or if the call to msm_timer_init() fails. + +Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer") +Signed-off-by: Ankit Agrawal +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20240713095713.GA430091@bnew-VirtualBox +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-qcom.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-qcom.c b/drivers/clocksource/timer-qcom.c +index b4afe3a675835..eac4c95c6127f 100644 +--- a/drivers/clocksource/timer-qcom.c ++++ b/drivers/clocksource/timer-qcom.c +@@ -233,6 +233,7 @@ static int __init msm_dt_timer_init(struct device_node *np) + } + + if (of_property_read_u32(np, "clock-frequency", &freq)) { ++ iounmap(cpu0_base); + pr_err("Unknown frequency\n"); + return -EINVAL; + } +@@ -243,7 +244,11 @@ static int __init msm_dt_timer_init(struct device_node *np) + freq /= 4; + writel_relaxed(DGT_CLK_CTL_DIV_4, source_base + DGT_CLK_CTL); + +- return msm_timer_init(freq, 32, irq, !!percpu_offset); ++ ret = msm_timer_init(freq, 32, irq, !!percpu_offset); ++ if (ret) ++ iounmap(cpu0_base); ++ ++ return ret; + } + TIMER_OF_DECLARE(kpss_timer, "qcom,kpss-timer", msm_dt_timer_init); + TIMER_OF_DECLARE(scss_timer, "qcom,scss-timer", msm_dt_timer_init); +-- +2.43.0 + diff --git a/queue-5.4/coresight-tmc-sg-do-not-leak-sg_table.patch b/queue-5.4/coresight-tmc-sg-do-not-leak-sg_table.patch new file mode 100644 index 00000000000..d05117c000e --- /dev/null +++ b/queue-5.4/coresight-tmc-sg-do-not-leak-sg_table.patch @@ -0,0 +1,73 @@ +From dcc95f487e1816f1e9c99bb141b88a7a549a3c6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 14:28:46 +0100 +Subject: coresight: tmc: sg: Do not leak sg_table + +From: Suzuki K Poulose + +[ Upstream commit c58dc5a1f886f2fcc1133746d0cbaa1fe7fd44ff ] + +Running perf with cs_etm on Juno triggers the following kmemleak warning ! + +:~# cat /sys/kernel/debug/kmemleak + unreferenced object 0xffffff8806b6d720 (size 96): + comm "perf", pid 562, jiffies 4297810960 + hex dump (first 32 bytes): + 38 d8 13 07 88 ff ff ff 00 d0 9e 85 c0 ff ff ff 8............... + 00 10 00 88 c0 ff ff ff 00 f0 ff f7 ff 00 00 00 ................ + backtrace (crc 1dbf6e00): + [] kmemleak_alloc+0xbc/0xd8 + [] kmalloc_trace_noprof+0x220/0x2e8 + [] tmc_alloc_sg_table+0x48/0x208 [coresight_tmc] + [] tmc_etr_alloc_sg_buf+0xac/0x240 [coresight_tmc] + [] tmc_alloc_etr_buf.constprop.0+0x1f0/0x260 [coresight_tmc] + [] alloc_etr_buf.constprop.0.isra.0+0x74/0xa8 [coresight_tmc] + [] tmc_alloc_etr_buffer+0x110/0x260 [coresight_tmc] + [] etm_setup_aux+0x204/0x3b0 [coresight] + [] rb_alloc_aux+0x20c/0x318 + [] perf_mmap+0x2e4/0x7a0 + [] mmap_region+0x3b0/0xa08 + [] do_mmap+0x3a0/0x500 + [] vm_mmap_pgoff+0x100/0x1d0 + [] ksys_mmap_pgoff+0xb8/0x110 + [] __arm64_sys_mmap+0x38/0x58 + [] invoke_syscall.constprop.0+0x58/0x100 + +This due to the fact that we do not free the "sg_table" itself while +freeing up the SG table and data pages. Fix this by freeing the sg_table +in tmc_free_sg_table(). + +Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework") +Cc: Mike Leach +Cc: James Clark +Signed-off-by: Suzuki K Poulose +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20240702132846.1677261-1-suzuki.poulose@arm.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c +index 2a0a12c194c05..17a5ceff48f24 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c +@@ -257,6 +257,7 @@ void tmc_free_sg_table(struct tmc_sg_table *sg_table) + { + tmc_free_table_pages(sg_table); + tmc_free_data_pages(sg_table); ++ kfree(sg_table); + } + + /* +@@ -337,7 +338,6 @@ struct tmc_sg_table *tmc_alloc_sg_table(struct device *dev, + rc = tmc_alloc_table_pages(sg_table); + if (rc) { + tmc_free_sg_table(sg_table); +- kfree(sg_table); + return ERR_PTR(rc); + } + +-- +2.43.0 + diff --git a/queue-5.4/drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch b/queue-5.4/drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch new file mode 100644 index 00000000000..5f9fe96f83f --- /dev/null +++ b/queue-5.4/drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch @@ -0,0 +1,36 @@ +From 72a15be01d1e4555dc19a9ad55801bab6972e086 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 17:09:27 +0800 +Subject: drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() + +From: Yuesong Li + +[ Upstream commit 94ebc3d3235c5c516f67315059ce657e5090e94b ] + +cocci reported a double assignment problem. Upon reviewing previous +commits, it appears this may actually be an incorrect assignment. + +Fixes: 8b9550344d39 ("drm/ipp: clean up debug messages") +Signed-off-by: Yuesong Li +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_gsc.c b/drivers/gpu/drm/exynos/exynos_drm_gsc.c +index bcf830c5b8ea9..1bc2afcf9f088 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_gsc.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_gsc.c +@@ -1169,7 +1169,7 @@ static int gsc_bind(struct device *dev, struct device *master, void *data) + struct exynos_drm_ipp *ipp = &ctx->ipp; + + ctx->drm_dev = drm_dev; +- ctx->drm_dev = drm_dev; ++ ipp->drm_dev = drm_dev; + exynos_drm_register_dma(drm_dev, dev, &ctx->dma_priv); + + exynos_drm_ipp_register(dev, ipp, &ipp_funcs, +-- +2.43.0 + diff --git a/queue-5.4/drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch b/queue-5.4/drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch new file mode 100644 index 00000000000..b651dd55c62 --- /dev/null +++ b/queue-5.4/drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch @@ -0,0 +1,43 @@ +From 93da2379fc00d423fcb90c9e841d2bd77b992ea0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jul 2024 01:50:23 +0800 +Subject: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write + error + +From: Junlin Li + +[ Upstream commit 46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14 ] + +Ensure index in rtl2830_pid_filter does not exceed 31 to prevent +out-of-bounds access. + +dev->filters is a 32-bit value, so set_bit and clear_bit functions should +only operate on indices from 0 to 31. If index is 32, it will attempt to +access a non-existent 33rd bit, leading to out-of-bounds access. +Change the boundary check from index > 32 to index >= 32 to resolve this +issue. + +Fixes: df70ddad81b4 ("[media] rtl2830: implement PID filter") +Signed-off-by: Junlin Li +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/rtl2830.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/rtl2830.c b/drivers/media/dvb-frontends/rtl2830.c +index e6b8367c8cce4..84c00c6894d3d 100644 +--- a/drivers/media/dvb-frontends/rtl2830.c ++++ b/drivers/media/dvb-frontends/rtl2830.c +@@ -609,7 +609,7 @@ static int rtl2830_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid, int on + index, pid, onoff); + + /* skip invalid PIDs (0x2000) */ +- if (pid > 0x1fff || index > 32) ++ if (pid > 0x1fff || index >= 32) + return 0; + + if (onoff) +-- +2.43.0 + diff --git a/queue-5.4/drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch b/queue-5.4/drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch new file mode 100644 index 00000000000..6b37f024f2d --- /dev/null +++ b/queue-5.4/drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch @@ -0,0 +1,44 @@ +From 7813e7542623b5b6e7d0c159489be047fafe239c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 21:24:13 +0800 +Subject: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write + error + +From: Junlin Li + +[ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ] + +Ensure index in rtl2832_pid_filter does not exceed 31 to prevent +out-of-bounds access. + +dev->filters is a 32-bit value, so set_bit and clear_bit functions should +only operate on indices from 0 to 31. If index is 32, it will attempt to +access a non-existent 33rd bit, leading to out-of-bounds access. +Change the boundary check from index > 32 to index >= 32 to resolve this +issue. + +Signed-off-by: Junlin Li +Signed-off-by: Hans Verkuil +Fixes: 4b01e01a81b6 ("[media] rtl2832: implement PID filter") +[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg] +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/rtl2832.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c +index e5bffaaeed38a..1c3e572cad3fd 100644 +--- a/drivers/media/dvb-frontends/rtl2832.c ++++ b/drivers/media/dvb-frontends/rtl2832.c +@@ -982,7 +982,7 @@ static int rtl2832_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid, + index, pid, onoff, dev->slave_ts); + + /* skip invalid PIDs (0x2000) */ +- if (pid > 0x1fff || index > 32) ++ if (pid > 0x1fff || index >= 32) + return 0; + + if (onoff) +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch b/queue-5.4/drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch new file mode 100644 index 00000000000..d7c8f934e12 --- /dev/null +++ b/queue-5.4/drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch @@ -0,0 +1,79 @@ +From e0e2f6da0cf23bc41c08fda2c0fc045d19211f24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 13:23:56 -0400 +Subject: drm/amdgpu: properly handle vbios fake edid sizing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 8155566a26b8d6c1dd914f06a0c652e4e2f2adf1 ] + +The comment in the vbios structure says: +// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128 + +This fake edid struct has not been used in a long time, so I'm +not sure if there were actually any boards out there with a non-128 byte +EDID, but align the code with the comment. + +Reviewed-by: Thomas Weißschuh +Reported-by: Thomas Weißschuh +Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/amdgpu/atombios_encoders.c | 29 ++++++++++--------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c +index 754d1e1387155..74951666733a7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c ++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c +@@ -2098,26 +2098,29 @@ amdgpu_atombios_encoder_get_lcd_info(struct amdgpu_encoder *encoder) + fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record; + if (fake_edid_record->ucFakeEDIDLength) { + struct edid *edid; +- int edid_size = +- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength); +- edid = kmalloc(edid_size, GFP_KERNEL); ++ int edid_size; ++ ++ if (fake_edid_record->ucFakeEDIDLength == 128) ++ edid_size = fake_edid_record->ucFakeEDIDLength; ++ else ++ edid_size = fake_edid_record->ucFakeEDIDLength * 128; ++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0], ++ edid_size, GFP_KERNEL); + if (edid) { +- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0], +- fake_edid_record->ucFakeEDIDLength); +- + if (drm_edid_is_valid(edid)) { + adev->mode_info.bios_hardcoded_edid = edid; + adev->mode_info.bios_hardcoded_edid_size = edid_size; +- } else ++ } else { + kfree(edid); ++ } + } ++ record += struct_size(fake_edid_record, ++ ucFakeEDIDString, ++ edid_size); ++ } else { ++ /* empty fake edid record must be 3 bytes long */ ++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + } +- record += fake_edid_record->ucFakeEDIDLength ? +- struct_size(fake_edid_record, +- ucFakeEDIDString, +- fake_edid_record->ucFakeEDIDLength) : +- /* empty fake edid record must be 3 bytes long */ +- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + break; + case LCD_PANEL_RESOLUTION_RECORD_TYPE: + panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record; +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-replace-one-element-array-with-flexible-a.patch b/queue-5.4/drm-amdgpu-replace-one-element-array-with-flexible-a.patch new file mode 100644 index 00000000000..ad0fd7d5ac7 --- /dev/null +++ b/queue-5.4/drm-amdgpu-replace-one-element-array-with-flexible-a.patch @@ -0,0 +1,68 @@ +From 25ea5a34abadb9fccc9ce2cc812d7425addddbe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 14:30:44 +1300 +Subject: drm/amdgpu: Replace one-element array with flexible-array member + +From: Paulo Miguel Almeida + +[ Upstream commit 320e2590e281d0a7865e861f50155b5b435e9813 ] + +One-element arrays are deprecated, and we are replacing them with +flexible array members instead. So, replace one-element array with +flexible-array member in struct _ATOM_FAKE_EDID_PATCH_RECORD and +refactor the rest of the code accordingly. + +Important to mention is that doing a build before/after this patch +results in no binary output differences. + +This helps with the ongoing efforts to tighten the FORTIFY_SOURCE +routines on memcpy() and help us make progress towards globally +enabling -fstrict-flex-arrays=3 [1]. + +Link: https://github.com/KSPP/linux/issues/79 +Link: https://github.com/KSPP/linux/issues/238 +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1] + +Signed-off-by: Paulo Miguel Almeida +Signed-off-by: Alex Deucher +Stable-dep-of: 8155566a26b8 ("drm/amdgpu: properly handle vbios fake edid sizing") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 7 +++++-- + drivers/gpu/drm/amd/include/atombios.h | 2 +- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c +index 1e94a9b652f70..754d1e1387155 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c ++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c +@@ -2113,8 +2113,11 @@ amdgpu_atombios_encoder_get_lcd_info(struct amdgpu_encoder *encoder) + } + } + record += fake_edid_record->ucFakeEDIDLength ? +- fake_edid_record->ucFakeEDIDLength + 2 : +- sizeof(ATOM_FAKE_EDID_PATCH_RECORD); ++ struct_size(fake_edid_record, ++ ucFakeEDIDString, ++ fake_edid_record->ucFakeEDIDLength) : ++ /* empty fake edid record must be 3 bytes long */ ++ sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + break; + case LCD_PANEL_RESOLUTION_RECORD_TYPE: + panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record; +diff --git a/drivers/gpu/drm/amd/include/atombios.h b/drivers/gpu/drm/amd/include/atombios.h +index 8ba21747b40a3..c9f70accd46d8 100644 +--- a/drivers/gpu/drm/amd/include/atombios.h ++++ b/drivers/gpu/drm/amd/include/atombios.h +@@ -4107,7 +4107,7 @@ typedef struct _ATOM_FAKE_EDID_PATCH_RECORD + { + UCHAR ucRecordType; + UCHAR ucFakeEDIDLength; // = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128 +- UCHAR ucFakeEDIDString[1]; // This actually has ucFakeEdidLength elements. ++ UCHAR ucFakeEDIDString[]; // This actually has ucFakeEdidLength elements. + } ATOM_FAKE_EDID_PATCH_RECORD; + + typedef struct _ATOM_PANEL_RESOLUTION_PATCH_RECORD +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch b/queue-5.4/drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch new file mode 100644 index 00000000000..d4a239177e3 --- /dev/null +++ b/queue-5.4/drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch @@ -0,0 +1,52 @@ +From b11a33f2c93eb97544b0b9f4871cb13f2fe8f3e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 13:54:00 +0000 +Subject: drm/msm/a5xx: disable preemption in submits by default + +From: Vladimir Lypak + +[ Upstream commit db9dec2db76146d65e1cfbb6afb2e2bd5dab67f8 ] + +Fine grain preemption (switching from/to points within submits) +requires extra handling in command stream of those submits, especially +when rendering with tiling (using GMEM). However this handling is +missing at this point in mesa (and always was). For this reason we get +random GPU faults and hangs if more than one priority level is used +because local preemption is enabled prior to executing command stream +from submit. +With that said it was ahead of time to enable local preemption by +default considering the fact that even on downstream kernel it is only +enabled if requested via UAPI. + +Fixes: a7a4c19c36de ("drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register") +Signed-off-by: Vladimir Lypak +Patchwork: https://patchwork.freedesktop.org/patch/612041/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +index 65c2c5361e5fc..c3f35bee9b8d8 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +@@ -134,9 +134,13 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit, + OUT_PKT7(ring, CP_SET_PROTECTED_MODE, 1); + OUT_RING(ring, 1); + +- /* Enable local preemption for finegrain preemption */ ++ /* ++ * Disable local preemption by default because it requires ++ * user-space to be aware of it and provide additional handling ++ * to restore rendering state or do various flushes on switch. ++ */ + OUT_PKT7(ring, CP_PREEMPT_ENABLE_LOCAL, 1); +- OUT_RING(ring, 0x1); ++ OUT_RING(ring, 0x0); + + /* Allow CP_CONTEXT_SWITCH_YIELD packets in the IB2 */ + OUT_PKT7(ring, CP_YIELD_ENABLE, 1); +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch b/queue-5.4/drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch new file mode 100644 index 00000000000..677007e401f --- /dev/null +++ b/queue-5.4/drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch @@ -0,0 +1,124 @@ +From 4eb4047067fd4bc5647f9b385dbf12694fc9c89b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 13:54:02 +0000 +Subject: drm/msm/a5xx: fix races in preemption evaluation stage + +From: Vladimir Lypak + +[ Upstream commit ce050f307ad93bcc5958d0dd35fc276fd394d274 ] + +On A5XX GPUs when preemption is used it's invietable to enter a soft +lock-up state in which GPU is stuck at empty ring-buffer doing nothing. +This appears as full UI lockup and not detected as GPU hang (because +it's not). This happens due to not triggering preemption when it was +needed. Sometimes this state can be recovered by some new submit but +generally it won't happen because applications are waiting for old +submits to retire. + +One of the reasons why this happens is a race between a5xx_submit and +a5xx_preempt_trigger called from IRQ during submit retire. Former thread +updates ring->cur of previously empty and not current ring right after +latter checks it for emptiness. Then both threads can just exit because +for first one preempt_state wasn't NONE yet and for second one all rings +appeared to be empty. + +To prevent such situations from happening we need to establish guarantee +for preempt_trigger to make decision after each submit or retire. To +implement this we serialize preemption initiation using spinlock. If +switch is already in progress we need to re-trigger preemption when it +finishes. + +Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") +Signed-off-by: Vladimir Lypak +Patchwork: https://patchwork.freedesktop.org/patch/612045/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 + + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 24 +++++++++++++++++++++-- + 2 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h +index 833468ce6b6d7..cf29cc6238c7e 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h +@@ -35,6 +35,7 @@ struct a5xx_gpu { + uint64_t preempt_iova[MSM_GPU_MAX_RINGS]; + + atomic_t preempt_state; ++ spinlock_t preempt_start_lock; + struct timer_list preempt_timer; + }; + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +index 0a892f4f59d1d..e55a6a068c39a 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +@@ -98,12 +98,19 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu) + if (gpu->nr_rings == 1) + return; + ++ /* ++ * Serialize preemption start to ensure that we always make ++ * decision on latest state. Otherwise we can get stuck in ++ * lower priority or empty ring. ++ */ ++ spin_lock_irqsave(&a5xx_gpu->preempt_start_lock, flags); ++ + /* + * Try to start preemption by moving from NONE to START. If + * unsuccessful, a preemption is already in flight + */ + if (!try_preempt_state(a5xx_gpu, PREEMPT_NONE, PREEMPT_START)) +- return; ++ goto out; + + /* Get the next ring to preempt to */ + ring = get_next_ring(gpu); +@@ -128,9 +135,11 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu) + set_preempt_state(a5xx_gpu, PREEMPT_ABORT); + update_wptr(gpu, a5xx_gpu->cur_ring); + set_preempt_state(a5xx_gpu, PREEMPT_NONE); +- return; ++ goto out; + } + ++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags); ++ + /* Make sure the wptr doesn't update while we're in motion */ + spin_lock_irqsave(&ring->lock, flags); + a5xx_gpu->preempt[ring->id]->wptr = get_wptr(ring); +@@ -154,6 +163,10 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu) + + /* And actually start the preemption */ + gpu_write(gpu, REG_A5XX_CP_CONTEXT_SWITCH_CNTL, 1); ++ return; ++ ++out: ++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags); + } + + void a5xx_preempt_irq(struct msm_gpu *gpu) +@@ -191,6 +204,12 @@ void a5xx_preempt_irq(struct msm_gpu *gpu) + update_wptr(gpu, a5xx_gpu->cur_ring); + + set_preempt_state(a5xx_gpu, PREEMPT_NONE); ++ ++ /* ++ * Try to trigger preemption again in case there was a submit or ++ * retire during ring switch ++ */ ++ a5xx_preempt_trigger(gpu); + } + + void a5xx_preempt_hw_init(struct msm_gpu *gpu) +@@ -289,5 +308,6 @@ void a5xx_preempt_init(struct msm_gpu *gpu) + } + } + ++ spin_lock_init(&a5xx_gpu->preempt_start_lock); + timer_setup(&a5xx_gpu->preempt_timer, a5xx_preempt_timer, 0); + } +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-a5xx-properly-clear-preemption-records-on-re.patch b/queue-5.4/drm-msm-a5xx-properly-clear-preemption-records-on-re.patch new file mode 100644 index 00000000000..13c43e3e778 --- /dev/null +++ b/queue-5.4/drm-msm-a5xx-properly-clear-preemption-records-on-re.patch @@ -0,0 +1,41 @@ +From 7671adf8edfccd03e7f3de0b357e030ed9a6c98a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 13:54:01 +0000 +Subject: drm/msm/a5xx: properly clear preemption records on resume + +From: Vladimir Lypak + +[ Upstream commit 64fd6d01a52904bdbda0ce810a45a428c995a4ca ] + +Two fields of preempt_record which are used by CP aren't reset on +resume: "data" and "info". This is the reason behind faults which happen +when we try to switch to the ring that was active last before suspend. +In addition those faults can't be recovered from because we use suspend +and resume to do so (keeping values of those fields again). + +Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") +Signed-off-by: Vladimir Lypak +Reviewed-by: Konrad Dybcio +Patchwork: https://patchwork.freedesktop.org/patch/612043/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +index 9cf9353a7ff11..0a892f4f59d1d 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +@@ -207,6 +207,8 @@ void a5xx_preempt_hw_init(struct msm_gpu *gpu) + return; + + for (i = 0; i < gpu->nr_rings; i++) { ++ a5xx_gpu->preempt[i]->data = 0; ++ a5xx_gpu->preempt[i]->info = 0; + a5xx_gpu->preempt[i]->wptr = 0; + a5xx_gpu->preempt[i]->rptr = 0; + a5xx_gpu->preempt[i]->rbase = gpu->rb[i]->iova; +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch b/queue-5.4/drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch new file mode 100644 index 00000000000..5ee263e1aba --- /dev/null +++ b/queue-5.4/drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch @@ -0,0 +1,44 @@ +From 27c2549975d5597585da72c246a48c3dbe56dc91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jul 2024 12:13:12 +0300 +Subject: drm/msm: Fix incorrect file name output in adreno_request_fw() + +From: Aleksandr Mishin + +[ Upstream commit e19366911340c2313a1abbb09c54eaf9bdea4f58 ] + +In adreno_request_fw() when debugging information is printed to the log +after firmware load, an incorrect filename is printed. 'newname' is used +instead of 'fwname', so prefix "qcom/" is being added to filename. +Looks like "copy-paste" mistake. + +Fix this mistake by replacing 'newname' with 'fwname'. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2c41ef1b6f7d ("drm/msm/adreno: deal with linux-firmware fw paths") +Signed-off-by: Aleksandr Mishin +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/602382/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +index 6f83253a8c585..3edecd4fc8f60 100644 +--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +@@ -247,7 +247,7 @@ adreno_request_fw(struct adreno_gpu *adreno_gpu, const char *fwname) + ret = request_firmware_direct(&fw, fwname, drm->dev); + if (!ret) { + DRM_DEV_INFO(drm->dev, "loaded %s from legacy location\n", +- newname); ++ fwname); + adreno_gpu->fwloc = FW_LOCATION_LEGACY; + goto out; + } else if (adreno_gpu->fwloc != FW_LOCATION_UNKNOWN) { +-- +2.43.0 + diff --git a/queue-5.4/drm-msm-fix-s-null-argument-error.patch b/queue-5.4/drm-msm-fix-s-null-argument-error.patch new file mode 100644 index 00000000000..9ff969ea419 --- /dev/null +++ b/queue-5.4/drm-msm-fix-s-null-argument-error.patch @@ -0,0 +1,48 @@ +From 1e7370e071aed8bd546bfa7a86346f9fa5dc8adc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 09:53:37 -0700 +Subject: drm/msm: fix %s null argument error + +From: Sherry Yang + +[ Upstream commit 25b85075150fe8adddb096db8a4b950353045ee1 ] + +The following build error was triggered because of NULL string argument: + +BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c: In function 'mdp5_smp_dump': +BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=] +BUILDSTDERR: 352 | drm_printf(p, "%s:%d\t%d\t%s\n", +BUILDSTDERR: | ^~ +BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=] + +This happens from the commit a61ddb4393ad ("drm: enable (most) W=1 +warnings by default across the subsystem"). Using "(null)" instead +to fix it. + +Fixes: bc5289eed481 ("drm/msm/mdp5: add debugfs to show smp block status") +Signed-off-by: Sherry Yang +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/611071/ +Link: https://lore.kernel.org/r/20240827165337.1075904-1-sherry.yang@oracle.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c +index b31cfb554fa23..a1cc205192f34 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c +@@ -358,7 +358,7 @@ void mdp5_smp_dump(struct mdp5_smp *smp, struct drm_printer *p) + + drm_printf(p, "%s:%d\t%d\t%s\n", + pipe2name(pipe), j, inuse, +- plane ? plane->name : NULL); ++ plane ? plane->name : "(null)"); + + total += inuse; + } +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch b/queue-5.4/drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch new file mode 100644 index 00000000000..06113510955 --- /dev/null +++ b/queue-5.4/drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch @@ -0,0 +1,225 @@ +From 9f64f664d5b92c1f8c8447f169450d34dcb5694b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:19:04 -0700 +Subject: drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets + +From: Nikita Zhandarovich + +[ Upstream commit 3fbaf475a5b8361ebee7da18964db809e37518b7 ] + +Several cs track offsets (such as 'track->db_s_read_offset') +either are initialized with or plainly take big enough values that, +once shifted 8 bits left, may be hit with integer overflow if the +resulting values end up going over u32 limit. + +Same goes for a few instances of 'surf.layer_size * mslice' +multiplications that are added to 'offset' variable - they may +potentially overflow as well and need to be validated properly. + +While some debug prints in this code section take possible overflow +issues into account, simply casting to (unsigned long) may be +erroneous in its own way, as depending on CPU architecture one is +liable to get different results. + +Fix said problems by: + - casting 'offset' to fixed u64 data type instead of + ambiguous unsigned long. + - casting one of the operands in vulnerable to integer + overflow cases to u64. + - adjust format specifiers in debug prints to properly + represent 'offset' values. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/evergreen_cs.c | 62 +++++++++++++-------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c +index c410cad28f19f..468efa5ac8fc7 100644 +--- a/drivers/gpu/drm/radeon/evergreen_cs.c ++++ b/drivers/gpu/drm/radeon/evergreen_cs.c +@@ -396,7 +396,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + struct evergreen_cs_track *track = p->track; + struct eg_surface surf; + unsigned pitch, slice, mslice; +- unsigned long offset; ++ u64 offset; + int r; + + mslice = G_028C6C_SLICE_MAX(track->cb_color_view[id]) + 1; +@@ -434,14 +434,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + return r; + } + +- offset = track->cb_color_bo_offset[id] << 8; ++ offset = (u64)track->cb_color_bo_offset[id] << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d cb[%d] bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d cb[%d] bo base %llu not aligned with %ld\n", + __func__, __LINE__, id, offset, surf.base_align); + return -EINVAL; + } + +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->cb_color_bo[id])) { + /* old ddx are broken they allocate bo with w*h*bpp but + * program slice with ALIGN(h, 8), catch this and patch +@@ -449,14 +449,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + */ + if (!surf.mode) { + uint32_t *ib = p->ib.ptr; +- unsigned long tmp, nby, bsize, size, min = 0; ++ u64 tmp, nby, bsize, size, min = 0; + + /* find the height the ddx wants */ + if (surf.nby > 8) { + min = surf.nby - 8; + } + bsize = radeon_bo_size(track->cb_color_bo[id]); +- tmp = track->cb_color_bo_offset[id] << 8; ++ tmp = (u64)track->cb_color_bo_offset[id] << 8; + for (nby = surf.nby; nby > min; nby--) { + size = nby * surf.nbx * surf.bpe * surf.nsamples; + if ((tmp + size * mslice) <= bsize) { +@@ -468,7 +468,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + slice = ((nby * surf.nbx) / 64) - 1; + if (!evergreen_surface_check(p, &surf, "cb")) { + /* check if this one works */ +- tmp += surf.layer_size * mslice; ++ tmp += (u64)surf.layer_size * mslice; + if (tmp <= bsize) { + ib[track->cb_color_slice_idx[id]] = slice; + goto old_ddx_ok; +@@ -477,9 +477,9 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i + } + } + dev_warn(p->dev, "%s:%d cb[%d] bo too small (layer size %d, " +- "offset %d, max layer %d, bo size %ld, slice %d)\n", ++ "offset %llu, max layer %d, bo size %ld, slice %d)\n", + __func__, __LINE__, id, surf.layer_size, +- track->cb_color_bo_offset[id] << 8, mslice, ++ (u64)track->cb_color_bo_offset[id] << 8, mslice, + radeon_bo_size(track->cb_color_bo[id]), slice); + dev_warn(p->dev, "%s:%d problematic surf: (%d %d) (%d %d %d %d %d %d %d)\n", + __func__, __LINE__, surf.nbx, surf.nby, +@@ -563,7 +563,7 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p) + struct evergreen_cs_track *track = p->track; + struct eg_surface surf; + unsigned pitch, slice, mslice; +- unsigned long offset; ++ u64 offset; + int r; + + mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1; +@@ -609,18 +609,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p) + return r; + } + +- offset = track->db_s_read_offset << 8; ++ offset = (u64)track->db_s_read_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_s_read_bo)) { + dev_warn(p->dev, "%s:%d stencil read bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_s_read_offset << 8, mslice, ++ (u64)track->db_s_read_offset << 8, mslice, + radeon_bo_size(track->db_s_read_bo)); + dev_warn(p->dev, "%s:%d stencil invalid (0x%08x 0x%08x 0x%08x 0x%08x)\n", + __func__, __LINE__, track->db_depth_size, +@@ -628,18 +628,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p) + return -EINVAL; + } + +- offset = track->db_s_write_offset << 8; ++ offset = (u64)track->db_s_write_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_s_write_bo)) { + dev_warn(p->dev, "%s:%d stencil write bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_s_write_offset << 8, mslice, ++ (u64)track->db_s_write_offset << 8, mslice, + radeon_bo_size(track->db_s_write_bo)); + return -EINVAL; + } +@@ -660,7 +660,7 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p) + struct evergreen_cs_track *track = p->track; + struct eg_surface surf; + unsigned pitch, slice, mslice; +- unsigned long offset; ++ u64 offset; + int r; + + mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1; +@@ -707,34 +707,34 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p) + return r; + } + +- offset = track->db_z_read_offset << 8; ++ offset = (u64)track->db_z_read_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_z_read_bo)) { + dev_warn(p->dev, "%s:%d depth read bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_z_read_offset << 8, mslice, ++ (u64)track->db_z_read_offset << 8, mslice, + radeon_bo_size(track->db_z_read_bo)); + return -EINVAL; + } + +- offset = track->db_z_write_offset << 8; ++ offset = (u64)track->db_z_write_offset << 8; + if (offset & (surf.base_align - 1)) { +- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n", ++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n", + __func__, __LINE__, offset, surf.base_align); + return -EINVAL; + } +- offset += surf.layer_size * mslice; ++ offset += (u64)surf.layer_size * mslice; + if (offset > radeon_bo_size(track->db_z_write_bo)) { + dev_warn(p->dev, "%s:%d depth write bo too small (layer size %d, " +- "offset %ld, max layer %d, bo size %ld)\n", ++ "offset %llu, max layer %d, bo size %ld)\n", + __func__, __LINE__, surf.layer_size, +- (unsigned long)track->db_z_write_offset << 8, mslice, ++ (u64)track->db_z_write_offset << 8, mslice, + radeon_bo_size(track->db_z_write_bo)); + return -EINVAL; + } +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-properly-handle-vbios-fake-edid-sizing.patch b/queue-5.4/drm-radeon-properly-handle-vbios-fake-edid-sizing.patch new file mode 100644 index 00000000000..1a511a1f841 --- /dev/null +++ b/queue-5.4/drm-radeon-properly-handle-vbios-fake-edid-sizing.patch @@ -0,0 +1,79 @@ +From 35bd2a10df4b3f87c446ebe5a439013182880f7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2024 13:31:58 -0400 +Subject: drm/radeon: properly handle vbios fake edid sizing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 17c6baff3d5f65c8da164137a58742541a060b2f ] + +The comment in the vbios structure says: +// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128 + +This fake edid struct has not been used in a long time, so I'm +not sure if there were actually any boards out there with a non-128 byte +EDID, but align the code with the comment. + +Reviewed-by: Thomas Weißschuh +Reported-by: Thomas Weißschuh +Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html +Fixes: c324acd5032f ("drm/radeon/kms: parse the extended LCD info block") +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 29 +++++++++++++----------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 2b3f702ef8c9b..657fb1362419d 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -1730,26 +1730,29 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct + fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record; + if (fake_edid_record->ucFakeEDIDLength) { + struct edid *edid; +- int edid_size = +- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength); +- edid = kmalloc(edid_size, GFP_KERNEL); ++ int edid_size; ++ ++ if (fake_edid_record->ucFakeEDIDLength == 128) ++ edid_size = fake_edid_record->ucFakeEDIDLength; ++ else ++ edid_size = fake_edid_record->ucFakeEDIDLength * 128; ++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0], ++ edid_size, GFP_KERNEL); + if (edid) { +- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0], +- fake_edid_record->ucFakeEDIDLength); +- + if (drm_edid_is_valid(edid)) { + rdev->mode_info.bios_hardcoded_edid = edid; + rdev->mode_info.bios_hardcoded_edid_size = edid_size; +- } else ++ } else { + kfree(edid); ++ } + } ++ record += struct_size(fake_edid_record, ++ ucFakeEDIDString, ++ edid_size); ++ } else { ++ /* empty fake edid record must be 3 bytes long */ ++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + } +- record += fake_edid_record->ucFakeEDIDLength ? +- struct_size(fake_edid_record, +- ucFakeEDIDString, +- fake_edid_record->ucFakeEDIDLength) : +- /* empty fake edid record must be 3 bytes long */ +- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + break; + case LCD_PANEL_RESOLUTION_RECORD_TYPE: + panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record; +-- +2.43.0 + diff --git a/queue-5.4/drm-radeon-replace-one-element-array-with-flexible-a.patch b/queue-5.4/drm-radeon-replace-one-element-array-with-flexible-a.patch new file mode 100644 index 00000000000..309176c8aca --- /dev/null +++ b/queue-5.4/drm-radeon-replace-one-element-array-with-flexible-a.patch @@ -0,0 +1,69 @@ +From 63b306de19c56761754cedb5e425156916ad5c75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 16:32:05 +1300 +Subject: drm/radeon: Replace one-element array with flexible-array member + +From: Paulo Miguel Almeida + +[ Upstream commit c81c5bd5cf2f428867e0bcfcccd4e4d2f8c68f51 ] + +One-element arrays are deprecated, and we are replacing them with +flexible array members instead. So, replace one-element array with +flexible-array member in struct _ATOM_FAKE_EDID_PATCH_RECORD and +refactor the rest of the code accordingly. + +It's worth mentioning that doing a build before/after this patch results +in no binary output differences. + +This helps with the ongoing efforts to tighten the FORTIFY_SOURCE +routines on memcpy() and help us make progress towards globally +enabling -fstrict-flex-arrays=3 [1]. + +Link: https://github.com/KSPP/linux/issues/79 +Link: https://github.com/KSPP/linux/issues/239 +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1] + +Reviewed-by: Kees Cook +Signed-off-by: Paulo Miguel Almeida +Signed-off-by: Alex Deucher +Stable-dep-of: 17c6baff3d5f ("drm/radeon: properly handle vbios fake edid sizing") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/atombios.h | 2 +- + drivers/gpu/drm/radeon/radeon_atombios.c | 7 +++++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/atombios.h b/drivers/gpu/drm/radeon/atombios.h +index 4b86e8b450090..e3f4964647641 100644 +--- a/drivers/gpu/drm/radeon/atombios.h ++++ b/drivers/gpu/drm/radeon/atombios.h +@@ -3615,7 +3615,7 @@ typedef struct _ATOM_FAKE_EDID_PATCH_RECORD + { + UCHAR ucRecordType; + UCHAR ucFakeEDIDLength; +- UCHAR ucFakeEDIDString[1]; // This actually has ucFakeEdidLength elements. ++ UCHAR ucFakeEDIDString[]; // This actually has ucFakeEdidLength elements. + } ATOM_FAKE_EDID_PATCH_RECORD; + + typedef struct _ATOM_PANEL_RESOLUTION_PATCH_RECORD +diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c +index 9e0aa357585fd..2b3f702ef8c9b 100644 +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -1745,8 +1745,11 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct + } + } + record += fake_edid_record->ucFakeEDIDLength ? +- fake_edid_record->ucFakeEDIDLength + 2 : +- sizeof(ATOM_FAKE_EDID_PATCH_RECORD); ++ struct_size(fake_edid_record, ++ ucFakeEDIDString, ++ fake_edid_record->ucFakeEDIDLength) : ++ /* empty fake edid record must be 3 bytes long */ ++ sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1; + break; + case LCD_PANEL_RESOLUTION_RECORD_TYPE: + panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record; +-- +2.43.0 + diff --git a/queue-5.4/drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch b/queue-5.4/drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch new file mode 100644 index 00000000000..4104538a309 --- /dev/null +++ b/queue-5.4/drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch @@ -0,0 +1,45 @@ +From 05d6db5730ccd1fd0c6df1b3a45829be9373a8c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 17:03:55 +0000 +Subject: drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode + +From: Jonas Karlman + +[ Upstream commit a5d024541ec466f428e6c514577d511a40779c7b ] + +EDID cannot be read on RK3328 until after read_hpd has been called and +correct io voltage has been configured based on connection status. + +When a forced mode is used, e.g. video=1920x1080@60e, the connector +detect ops, that in turn normally calls the read_hpd, never gets called. + +This result in reading EDID to fail in connector get_modes ops. + +Call dw_hdmi_rk3328_read_hpd at end of dw_hdmi_rk3328_setup_hpd to +correct io voltage and allow reading EDID after setup_hpd. + +Fixes: 1c53ba8f22a1 ("drm/rockchip: dw_hdmi: add dw-hdmi support for the rk3328") +Signed-off-by: Jonas Karlman +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-5-jonas@kwiboo.se +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c +index 7805091bac32d..51ac0a0cd995a 100644 +--- a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c ++++ b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c +@@ -390,6 +390,8 @@ static void dw_hdmi_rk3328_setup_hpd(struct dw_hdmi *dw_hdmi, void *data) + HIWORD_UPDATE(RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK, + RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK | + RK3328_HDMI_HPD_IOE)); ++ ++ dw_hdmi_rk3328_read_hpd(dw_hdmi, data); + } + + static const struct dw_hdmi_phy_ops rk3228_hdmi_phy_ops = { +-- +2.43.0 + diff --git a/queue-5.4/drm-rockchip-vop-allow-4096px-width-scaling.patch b/queue-5.4/drm-rockchip-vop-allow-4096px-width-scaling.patch new file mode 100644 index 00000000000..25a729a1b64 --- /dev/null +++ b/queue-5.4/drm-rockchip-vop-allow-4096px-width-scaling.patch @@ -0,0 +1,43 @@ +From 21627ebb03b74e6fbafd349268685ff2c052981c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jun 2024 17:03:54 +0000 +Subject: drm/rockchip: vop: Allow 4096px width scaling + +From: Alex Bee + +[ Upstream commit 0ef968d91a20b5da581839f093f98f7a03a804f7 ] + +There is no reason to limit VOP scaling to 3840px width, the limit of +RK3288, when there are newer VOP versions that support 4096px width. + +Change to enforce a maximum of 4096px width plane scaling, the maximum +supported output width of the VOP versions supported by this driver. + +Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale") +Signed-off-by: Alex Bee +Signed-off-by: Jonas Karlman +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-4-jonas@kwiboo.se +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +index f2edb94214761..20da0c993039a 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -333,8 +333,8 @@ static void scl_vop_cal_scl_fac(struct vop *vop, const struct vop_win_data *win, + if (info->is_yuv) + is_yuv = true; + +- if (dst_w > 3840) { +- DRM_DEV_ERROR(vop->dev, "Maximum dst width (3840) exceeded\n"); ++ if (dst_w > 4096) { ++ DRM_DEV_ERROR(vop->dev, "Maximum dst width (4096) exceeded\n"); + return; + } + +-- +2.43.0 + diff --git a/queue-5.4/drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch b/queue-5.4/drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch new file mode 100644 index 00000000000..c5088be03ba --- /dev/null +++ b/queue-5.4/drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch @@ -0,0 +1,45 @@ +From a3bdfba14ca62aab38e457663f6842f49cc96bca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Jan 2024 17:54:32 +0100 +Subject: drm/stm: Fix an error handling path in stm_drm_platform_probe() + +From: Christophe JAILLET + +[ Upstream commit ce7c90bfda2656418c69ba0dd8f8a7536b8928d4 ] + +If drm_dev_register() fails, a call to drv_load() must be undone, as +already done in the remove function. + +Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver") +Signed-off-by: Christophe JAILLET +Acked-by: Raphael Gallais-Pou +Link: https://patchwork.freedesktop.org/patch/msgid/20fff7f853f20a48a96db8ff186124470ec4d976.1704560028.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Raphael Gallais-Pou +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/stm/drv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c +index 5a9f9aca8bc24..c7203fd7c85ec 100644 +--- a/drivers/gpu/drm/stm/drv.c ++++ b/drivers/gpu/drm/stm/drv.c +@@ -208,12 +208,14 @@ static int stm_drm_platform_probe(struct platform_device *pdev) + + ret = drm_dev_register(ddev, 0); + if (ret) +- goto err_put; ++ goto err_unload; + + drm_fbdev_generic_setup(ddev, 16); + + return 0; + ++err_unload: ++ drv_unload(ddev); + err_put: + drm_dev_put(ddev); + +-- +2.43.0 + diff --git a/queue-5.4/ext4-avoid-negative-min_clusters-in-find_group_orlov.patch b/queue-5.4/ext4-avoid-negative-min_clusters-in-find_group_orlov.patch new file mode 100644 index 00000000000..0b208a984ff --- /dev/null +++ b/queue-5.4/ext4-avoid-negative-min_clusters-in-find_group_orlov.patch @@ -0,0 +1,41 @@ +From 79bed93830f98596e9eff2a1a3db8bf70219d1a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 21:22:30 +0800 +Subject: ext4: avoid negative min_clusters in find_group_orlov() + +From: Kemeng Shi + +[ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ] + +min_clusters is signed integer and will be converted to unsigned +integer when compared with unsigned number stats.free_clusters. +If min_clusters is negative, it will be converted to a huge unsigned +value in which case all groups may not meet the actual desired free +clusters. +Set negative min_clusters to 0 to avoid unexpected behavior. + +Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3") +Signed-off-by: Kemeng Shi +Link: https://patch.msgid.link/20240820132234.2759926-4-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ialloc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index cbde5a096c7bf..48e4406fd59a3 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -505,6 +505,8 @@ static int find_group_orlov(struct super_block *sb, struct inode *parent, + if (min_inodes < 1) + min_inodes = 1; + min_clusters = avefreec - EXT4_CLUSTERS_PER_GROUP(sb)*flex_size / 4; ++ if (min_clusters < 0) ++ min_clusters = 0; + + /* + * Start looking in the flex group where we last allocated an +-- +2.43.0 + diff --git a/queue-5.4/ext4-avoid-oob-when-system.data-xattr-changes-undern.patch b/queue-5.4/ext4-avoid-oob-when-system.data-xattr-changes-undern.patch new file mode 100644 index 00000000000..a85b88c6267 --- /dev/null +++ b/queue-5.4/ext4-avoid-oob-when-system.data-xattr-changes-undern.patch @@ -0,0 +1,146 @@ +From bb5bf7040cd48aeb709869498aaf2fe8e4701c64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 12:23:24 -0300 +Subject: ext4: avoid OOB when system.data xattr changes underneath the + filesystem + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ] + +When looking up for an entry in an inlined directory, if e_value_offs is +changed underneath the filesystem by some change in the block device, it +will lead to an out-of-bounds access that KASAN detects as an UAF. + +EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. +loop0: detected capacity change from 2048 to 2047 +================================================================== +BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 +Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 + +CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:93 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 + ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 + __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 + ext4_lookup_entry fs/ext4/namei.c:1727 [inline] + ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 + lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 + filename_create+0x297/0x540 fs/namei.c:3980 + do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 + __do_sys_symlinkat fs/namei.c:4610 [inline] + __se_sys_symlinkat fs/namei.c:4607 [inline] + __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f3e73ced469 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a +RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 +RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 +RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 +R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c +R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 + + +Calling ext4_xattr_ibody_find right after reading the inode with +ext4_get_inode_loc will lead to a check of the validity of the xattrs, +avoiding this problem. + +Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79 +Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data") +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 31 +++++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 95ac5bcb2882e..7e250ceacb8eb 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1646,25 +1646,36 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + struct ext4_dir_entry_2 **res_dir, + int *has_inline_data) + { ++ struct ext4_xattr_ibody_find is = { ++ .s = { .not_found = -ENODATA, }, ++ }; ++ struct ext4_xattr_info i = { ++ .name_index = EXT4_XATTR_INDEX_SYSTEM, ++ .name = EXT4_XATTR_SYSTEM_DATA, ++ }; + int ret; +- struct ext4_iloc iloc; + void *inline_start; + int inline_size; + +- ret = ext4_get_inode_loc(dir, &iloc); ++ ret = ext4_get_inode_loc(dir, &is.iloc); + if (ret) + return ERR_PTR(ret); + + down_read(&EXT4_I(dir)->xattr_sem); ++ ++ ret = ext4_xattr_ibody_find(dir, &i, &is); ++ if (ret) ++ goto out; ++ + if (!ext4_has_inline_data(dir)) { + *has_inline_data = 0; + goto out; + } + +- inline_start = (void *)ext4_raw_inode(&iloc)->i_block + ++ inline_start = (void *)ext4_raw_inode(&is.iloc)->i_block + + EXT4_INLINE_DOTDOT_SIZE; + inline_size = EXT4_MIN_INLINE_DATA_SIZE - EXT4_INLINE_DOTDOT_SIZE; +- ret = ext4_search_dir(iloc.bh, inline_start, inline_size, ++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, + dir, fname, 0, res_dir); + if (ret == 1) + goto out_find; +@@ -1674,23 +1685,23 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE) + goto out; + +- inline_start = ext4_get_inline_xattr_pos(dir, &iloc); ++ inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc); + inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE; + +- ret = ext4_search_dir(iloc.bh, inline_start, inline_size, ++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size, + dir, fname, 0, res_dir); + if (ret == 1) + goto out_find; + + out: +- brelse(iloc.bh); ++ brelse(is.iloc.bh); + if (ret < 0) +- iloc.bh = ERR_PTR(ret); ++ is.iloc.bh = ERR_PTR(ret); + else +- iloc.bh = NULL; ++ is.iloc.bh = NULL; + out_find: + up_read(&EXT4_I(dir)->xattr_sem); +- return iloc.bh; ++ return is.iloc.bh; + } + + int ext4_delete_inline_entry(handle_t *handle, +-- +2.43.0 + diff --git a/queue-5.4/ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch b/queue-5.4/ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch new file mode 100644 index 00000000000..21a5ed976d8 --- /dev/null +++ b/queue-5.4/ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch @@ -0,0 +1,69 @@ +From 15a83bdd98927ec717ef381943510a19b6429575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Aug 2024 16:55:10 +0800 +Subject: ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard + +From: yangerkun + +[ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ] + +Commit 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in +ext4_group_info") speed up fstrim by skipping trim trimmed group. We +also has the chance to clear trimmed once there exists some block free +for this group(mount without discard), and the next trim for this group +will work well too. + +For mount with discard, we will issue dicard when we free blocks, so +leave trimmed flag keep alive to skip useless trim trigger from +userspace seems reasonable. But for some case like ext4 build on +dm-thinpool(ext4 blocksize 4K, pool blocksize 128K), discard from ext4 +maybe unaligned for dm thinpool, and thinpool will just finish this +discard(see process_discard_bio when begein equals to end) without +actually process discard. For this case, trim from userspace can really +help us to free some thinpool block. + +So convert to clear trimmed flag for all case no matter mounted with +discard or not. + +Fixes: 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info") +Signed-off-by: yangerkun +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20240817085510.2084444-1-yangerkun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/mballoc.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index b268dc0e1df44..032e6519865cd 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2836,11 +2836,8 @@ static void ext4_free_data_in_buddy(struct super_block *sb, + /* + * Clear the trimmed flag for the group so that the next + * ext4_trim_fs can trim it. +- * If the volume is mounted with -o discard, online discard +- * is supported and the free blocks will be trimmed online. + */ +- if (!test_opt(sb, DISCARD)) +- EXT4_MB_GRP_CLEAR_TRIMMED(db); ++ EXT4_MB_GRP_CLEAR_TRIMMED(db); + + if (!db->bb_free_root.rb_node) { + /* No more items in the per group rb tree +@@ -4962,8 +4959,9 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, + " group:%d block:%d count:%lu failed" + " with %d", block_group, bit, count, + err); +- } else +- EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info); ++ } ++ ++ EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info); + + ext4_lock_group(sb, block_group); + mb_clear_bits(bitmap_bh->b_data, bit, count_clusters); +-- +2.43.0 + diff --git a/queue-5.4/ext4-return-error-on-ext4_find_inline_entry.patch b/queue-5.4/ext4-return-error-on-ext4_find_inline_entry.patch new file mode 100644 index 00000000000..c9b9c325c13 --- /dev/null +++ b/queue-5.4/ext4-return-error-on-ext4_find_inline_entry.patch @@ -0,0 +1,54 @@ +From 449e43d5c56dad8dc7ca561e23ff29927b587ccc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 12:23:22 -0300 +Subject: ext4: return error on ext4_find_inline_entry + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ] + +In case of errors when reading an inode from disk or traversing inline +directory entries, return an error-encoded ERR_PTR instead of returning +NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns +such encoded errors. + +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem") +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 549ceac9099ca..95ac5bcb2882e 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1651,8 +1651,9 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + void *inline_start; + int inline_size; + +- if (ext4_get_inode_loc(dir, &iloc)) +- return NULL; ++ ret = ext4_get_inode_loc(dir, &iloc); ++ if (ret) ++ return ERR_PTR(ret); + + down_read(&EXT4_I(dir)->xattr_sem); + if (!ext4_has_inline_data(dir)) { +@@ -1683,7 +1684,10 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir, + + out: + brelse(iloc.bh); +- iloc.bh = NULL; ++ if (ret < 0) ++ iloc.bh = ERR_PTR(ret); ++ else ++ iloc.bh = NULL; + out_find: + up_read(&EXT4_I(dir)->xattr_sem); + return iloc.bh; +-- +2.43.0 + diff --git a/queue-5.4/f2fs-enhance-to-update-i_mode-and-acl-atomically-in-.patch b/queue-5.4/f2fs-enhance-to-update-i_mode-and-acl-atomically-in-.patch new file mode 100644 index 00000000000..e443fbb257c --- /dev/null +++ b/queue-5.4/f2fs-enhance-to-update-i_mode-and-acl-atomically-in-.patch @@ -0,0 +1,124 @@ +From 1c6ec3814084c8803157d23313dd6a42edcad988 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Dec 2020 16:52:27 +0800 +Subject: f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() + +From: Chao Yu + +[ Upstream commit 17232e830afb800acdcc22ae8980bf9d330393ef ] + +Previously, in f2fs_setattr(), we don't update S_ISUID|S_ISGID|S_ISVTX +bits with S_IRWXUGO bits and acl entries atomically, so in error path, +chmod() may partially success, this patch enhances to make chmod() flow +being atomical. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency") +Signed-off-by: Sasha Levin +--- + fs/f2fs/acl.c | 23 ++++++++++++++++++++++- + fs/f2fs/file.c | 6 ++++-- + fs/f2fs/xattr.c | 15 +++++++++------ + 3 files changed, 35 insertions(+), 9 deletions(-) + +diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c +index 217b290ae3a55..51313fe36d018 100644 +--- a/fs/f2fs/acl.c ++++ b/fs/f2fs/acl.c +@@ -200,6 +200,27 @@ struct posix_acl *f2fs_get_acl(struct inode *inode, int type) + return __f2fs_get_acl(inode, type, NULL); + } + ++static int f2fs_acl_update_mode(struct inode *inode, umode_t *mode_p, ++ struct posix_acl **acl) ++{ ++ umode_t mode = inode->i_mode; ++ int error; ++ ++ if (is_inode_flag_set(inode, FI_ACL_MODE)) ++ mode = F2FS_I(inode)->i_acl_mode; ++ ++ error = posix_acl_equiv_mode(*acl, &mode); ++ if (error < 0) ++ return error; ++ if (error == 0) ++ *acl = NULL; ++ if (!in_group_p(inode->i_gid) && ++ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) ++ mode &= ~S_ISGID; ++ *mode_p = mode; ++ return 0; ++} ++ + static int __f2fs_set_acl(struct inode *inode, int type, + struct posix_acl *acl, struct page *ipage) + { +@@ -213,7 +234,7 @@ static int __f2fs_set_acl(struct inode *inode, int type, + case ACL_TYPE_ACCESS: + name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS; + if (acl && !ipage) { +- error = posix_acl_update_mode(inode, &mode, &acl); ++ error = f2fs_acl_update_mode(inode, &mode, &acl); + if (error) + return error; + set_acl_inode(inode, mode); +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 2330600dbe02e..ce17f39268598 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -863,8 +863,10 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr) + + if (attr->ia_valid & ATTR_MODE) { + err = posix_acl_chmod(inode, f2fs_get_inode_mode(inode)); +- if (err || is_inode_flag_set(inode, FI_ACL_MODE)) { +- inode->i_mode = F2FS_I(inode)->i_acl_mode; ++ ++ if (is_inode_flag_set(inode, FI_ACL_MODE)) { ++ if (!err) ++ inode->i_mode = F2FS_I(inode)->i_acl_mode; + clear_inode_flag(inode, FI_ACL_MODE); + } + } +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index cef2825ff069b..95b2c05a7035d 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -654,7 +654,7 @@ static int __f2fs_setxattr(struct inode *inode, int index, + } + + if (value && f2fs_xattr_value_same(here, value, size)) +- goto exit; ++ goto same; + } else if ((flags & XATTR_REPLACE)) { + error = -ENODATA; + goto exit; +@@ -734,17 +734,20 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (error) + goto exit; + +- if (is_inode_flag_set(inode, FI_ACL_MODE)) { +- inode->i_mode = F2FS_I(inode)->i_acl_mode; +- inode->i_ctime = current_time(inode); +- clear_inode_flag(inode, FI_ACL_MODE); +- } + if (index == F2FS_XATTR_INDEX_ENCRYPTION && + !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT)) + f2fs_set_encrypted_inode(inode); + f2fs_mark_inode_dirty_sync(inode, true); + if (!error && S_ISDIR(inode->i_mode)) + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP); ++ ++same: ++ if (is_inode_flag_set(inode, FI_ACL_MODE)) { ++ inode->i_mode = F2FS_I(inode)->i_acl_mode; ++ inode->i_ctime = current_time(inode); ++ clear_inode_flag(inode, FI_ACL_MODE); ++ } ++ + exit: + kvfree(base_addr); + return error; +-- +2.43.0 + diff --git a/queue-5.4/f2fs-fix-to-update-i_ctime-in-__f2fs_setxattr.patch b/queue-5.4/f2fs-fix-to-update-i_ctime-in-__f2fs_setxattr.patch new file mode 100644 index 00000000000..ded1bdf4c8a --- /dev/null +++ b/queue-5.4/f2fs-fix-to-update-i_ctime-in-__f2fs_setxattr.patch @@ -0,0 +1,57 @@ +From 2616088e69692181da939ece3f256e0d41e8c8a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:50:45 +0800 +Subject: f2fs: fix to update i_ctime in __f2fs_setxattr() + +From: Chao Yu + +[ Upstream commit 8874ad7dae8d91d24cc87c545c0073b3b2da5688 ] + +generic/728 - output mismatch (see /media/fstests/results//generic/728.out.bad) + --- tests/generic/728.out 2023-07-19 07:10:48.362711407 +0000 + +++ /media/fstests/results//generic/728.out.bad 2023-07-19 08:39:57.000000000 +0000 + QA output created by 728 + +Expected ctime to change after setxattr. + +Expected ctime to change after removexattr. + Silence is golden + ... + (Run 'diff -u /media/fstests/tests/generic/728.out /media/fstests/results//generic/728.out.bad' to see the entire diff) +generic/729 1s + +It needs to update i_ctime after {set,remove}xattr, fix it. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency") +Signed-off-by: Sasha Levin +--- + fs/f2fs/xattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 95b2c05a7035d..1e0fc35887f5d 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -737,17 +737,17 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (index == F2FS_XATTR_INDEX_ENCRYPTION && + !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT)) + f2fs_set_encrypted_inode(inode); +- f2fs_mark_inode_dirty_sync(inode, true); + if (!error && S_ISDIR(inode->i_mode)) + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP); + + same: + if (is_inode_flag_set(inode, FI_ACL_MODE)) { + inode->i_mode = F2FS_I(inode)->i_acl_mode; +- inode->i_ctime = current_time(inode); + clear_inode_flag(inode, FI_ACL_MODE); + } + ++ inode->i_ctime = current_time(inode); ++ f2fs_mark_inode_dirty_sync(inode, true); + exit: + kvfree(base_addr); + return error; +-- +2.43.0 + diff --git a/queue-5.4/f2fs-fix-typo.patch b/queue-5.4/f2fs-fix-typo.patch new file mode 100644 index 00000000000..e39232146b8 --- /dev/null +++ b/queue-5.4/f2fs-fix-typo.patch @@ -0,0 +1,36 @@ +From c351d4cb6c669a7480b9b6e3c42894a394c9a6c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 11:07:49 +0900 +Subject: f2fs: fix typo + +From: Yonggil Song + +[ Upstream commit d382e36970ecf8242921400db2afde15fb6ed49e ] + +Fix typo in f2fs.h +Detected by Jaeyoon Choi + +Signed-off-by: Yonggil Song +Signed-off-by: Jaegeuk Kim +Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency") +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index f75d256827346..2143b0f762d56 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -237,7 +237,7 @@ enum { + ORPHAN_INO, /* for orphan ino list */ + APPEND_INO, /* for append ino list */ + UPDATE_INO, /* for update ino list */ +- TRANS_DIR_INO, /* for trasactions dir ino list */ ++ TRANS_DIR_INO, /* for transactions dir ino list */ + FLUSH_INO, /* for multiple device flushing */ + MAX_INO_ENTRY, /* max. list */ + }; +-- +2.43.0 + diff --git a/queue-5.4/f2fs-reduce-expensive-checkpoint-trigger-frequency.patch b/queue-5.4/f2fs-reduce-expensive-checkpoint-trigger-frequency.patch new file mode 100644 index 00000000000..0792419311f --- /dev/null +++ b/queue-5.4/f2fs-reduce-expensive-checkpoint-trigger-frequency.patch @@ -0,0 +1,131 @@ +From f5507fd72e12ce36c595514f15729e2eea6d11ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Jun 2024 09:47:27 +0800 +Subject: f2fs: reduce expensive checkpoint trigger frequency + +From: Chao Yu + +[ Upstream commit aaf8c0b9ae042494cb4585883b15c1332de77840 ] + +We may trigger high frequent checkpoint for below case: +1. mkdir /mnt/dir1; set dir1 encrypted +2. touch /mnt/file1; fsync /mnt/file1 +3. mkdir /mnt/dir2; set dir2 encrypted +4. touch /mnt/file2; fsync /mnt/file2 +... + +Although, newly created dir and file are not related, due to +commit bbf156f7afa7 ("f2fs: fix lost xattrs of directories"), we will +trigger checkpoint whenever fsync() comes after a new encrypted dir +created. + +In order to avoid such performance regression issue, let's record an +entry including directory's ino in global cache whenever we update +directory's xattr data, and then triggerring checkpoint() only if +xattr metadata of target file's parent was updated. + +This patch updates to cover below no encryption case as well: +1) parent is checkpointed +2) set_xattr(dir) w/ new xnid +3) create(file) +4) fsync(file) + +Fixes: bbf156f7afa7 ("f2fs: fix lost xattrs of directories") +Reported-by: wangzijie +Reported-by: Zhiguo Niu +Tested-by: Zhiguo Niu +Reported-by: Yunlei He +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 ++ + fs/f2fs/file.c | 3 +++ + fs/f2fs/xattr.c | 14 ++++++++++++-- + include/trace/events/f2fs.h | 3 ++- + 4 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 2143b0f762d56..44c849bebd2ef 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -238,6 +238,7 @@ enum { + APPEND_INO, /* for append ino list */ + UPDATE_INO, /* for update ino list */ + TRANS_DIR_INO, /* for transactions dir ino list */ ++ XATTR_DIR_INO, /* for xattr updated dir ino list */ + FLUSH_INO, /* for multiple device flushing */ + MAX_INO_ENTRY, /* max. list */ + }; +@@ -1038,6 +1039,7 @@ enum cp_reason_type { + CP_FASTBOOT_MODE, + CP_SPEC_LOG_NUM, + CP_RECOVER_DIR, ++ CP_XATTR_DIR, + }; + + enum iostat_type { +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index ce17f39268598..030152219c4d6 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -175,6 +175,9 @@ static inline enum cp_reason_type need_do_checkpoint(struct inode *inode) + f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino, + TRANS_DIR_INO)) + cp_reason = CP_RECOVER_DIR; ++ else if (f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino, ++ XATTR_DIR_INO)) ++ cp_reason = CP_XATTR_DIR; + + return cp_reason; + } +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 731f97c7d4023..dbb0634d91729 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -607,6 +607,7 @@ static int __f2fs_setxattr(struct inode *inode, int index, + const char *name, const void *value, size_t size, + struct page *ipage, int flags) + { ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct f2fs_xattr_entry *here, *last; + void *base_addr, *last_base_addr; + nid_t xnid = F2FS_I(inode)->i_xattr_nid; +@@ -737,9 +738,18 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (index == F2FS_XATTR_INDEX_ENCRYPTION && + !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT)) + f2fs_set_encrypted_inode(inode); +- if (S_ISDIR(inode->i_mode)) +- set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP); + ++ if (!S_ISDIR(inode->i_mode)) ++ goto same; ++ /* ++ * In restrict mode, fsync() always try to trigger checkpoint for all ++ * metadata consistency, in other mode, it triggers checkpoint when ++ * parent's xattr metadata was updated. ++ */ ++ if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT) ++ set_sbi_flag(sbi, SBI_NEED_CP); ++ else ++ f2fs_add_ino_entry(sbi, inode->i_ino, XATTR_DIR_INO); + same: + if (is_inode_flag_set(inode, FI_ACL_MODE)) { + inode->i_mode = F2FS_I(inode)->i_acl_mode; +diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h +index 88266a7fbad26..986e91cce4450 100644 +--- a/include/trace/events/f2fs.h ++++ b/include/trace/events/f2fs.h +@@ -138,7 +138,8 @@ TRACE_DEFINE_ENUM(CP_TRIMMED); + { CP_NODE_NEED_CP, "node needs cp" }, \ + { CP_FASTBOOT_MODE, "fastboot mode" }, \ + { CP_SPEC_LOG_NUM, "log type is 2" }, \ +- { CP_RECOVER_DIR, "dir needs recovery" }) ++ { CP_RECOVER_DIR, "dir needs recovery" }, \ ++ { CP_XATTR_DIR, "dir's xattr updated" }) + + #define show_shutdown_mode(type) \ + __print_symbolic(type, \ +-- +2.43.0 + diff --git a/queue-5.4/f2fs-remove-unneeded-check-condition-in-__f2fs_setxa.patch b/queue-5.4/f2fs-remove-unneeded-check-condition-in-__f2fs_setxa.patch new file mode 100644 index 00000000000..531f6f9dbe7 --- /dev/null +++ b/queue-5.4/f2fs-remove-unneeded-check-condition-in-__f2fs_setxa.patch @@ -0,0 +1,36 @@ +From ebc1e34efd258e2596512795d0c247e5b6a806c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:50:46 +0800 +Subject: f2fs: remove unneeded check condition in __f2fs_setxattr() + +From: Chao Yu + +[ Upstream commit bc3994ffa4cf23f55171943c713366132c3ff45d ] + +It has checked return value of write_all_xattrs(), remove unneeded +following check condition. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency") +Signed-off-by: Sasha Levin +--- + fs/f2fs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 1e0fc35887f5d..731f97c7d4023 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -737,7 +737,7 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (index == F2FS_XATTR_INDEX_ENCRYPTION && + !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT)) + f2fs_set_encrypted_inode(inode); +- if (!error && S_ISDIR(inode->i_mode)) ++ if (S_ISDIR(inode->i_mode)) + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP); + + same: +-- +2.43.0 + diff --git a/queue-5.4/fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch b/queue-5.4/fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch new file mode 100644 index 00000000000..eb74be629fa --- /dev/null +++ b/queue-5.4/fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch @@ -0,0 +1,36 @@ +From bba990725b5b50e0c333bb691c8c341501b43ea1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 22:34:39 +0200 +Subject: fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() + +From: Christophe JAILLET + +[ Upstream commit aa578e897520f32ae12bec487f2474357d01ca9c ] + +If an error occurs after request_mem_region(), a corresponding +release_mem_region() should be called, as already done in the remove +function. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/hpfb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/hpfb.c b/drivers/video/fbdev/hpfb.c +index a79af8f069d16..40e51a2fc34d0 100644 +--- a/drivers/video/fbdev/hpfb.c ++++ b/drivers/video/fbdev/hpfb.c +@@ -344,6 +344,7 @@ static int hpfb_dio_probe(struct dio_dev *d, const struct dio_device_id *ent) + if (hpfb_init_one(paddr, vaddr)) { + if (d->scode >= DIOII_SCBASE) + iounmap((void *)vaddr); ++ release_mem_region(d->resource.start, resource_size(&d->resource)); + return -ENOMEM; + } + return 0; +-- +2.43.0 + diff --git a/queue-5.4/fs-explicitly-unregister-per-superblock-bdis.patch b/queue-5.4/fs-explicitly-unregister-per-superblock-bdis.patch new file mode 100644 index 00000000000..35ac84a5e13 --- /dev/null +++ b/queue-5.4/fs-explicitly-unregister-per-superblock-bdis.patch @@ -0,0 +1,64 @@ +From fa71353407c2d010fcc9b0cd4ec7599ec411a45c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 13:36:58 -0700 +Subject: fs: explicitly unregister per-superblock BDIs + +From: Christoph Hellwig + +[ Upstream commit 0b3ea0926afb8dde70cfab00316ae0a70b93a7cc ] + +Add a new SB_I_ flag to mark superblocks that have an ephemeral bdi +associated with them, and unregister it when the superblock is shut +down. + +Link: https://lkml.kernel.org/r/20211021124441.668816-4-hch@lst.de +Signed-off-by: Christoph Hellwig +Reviewed-by: Jan Kara +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 4bcda1eaf184 ("mount: handle OOM on mnt_warn_timestamp_expiry") +Signed-off-by: Sasha Levin +--- + fs/super.c | 3 +++ + include/linux/fs.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/fs/super.c b/fs/super.c +index 47ca7dc0e6c3d..8edf44a2d3dcc 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -475,6 +475,8 @@ void generic_shutdown_super(struct super_block *sb) + spin_unlock(&sb_lock); + up_write(&sb->s_umount); + if (sb->s_bdi != &noop_backing_dev_info) { ++ if (sb->s_iflags & SB_I_PERSB_BDI) ++ bdi_unregister(sb->s_bdi); + bdi_put(sb->s_bdi); + sb->s_bdi = &noop_backing_dev_info; + } +@@ -1622,6 +1624,7 @@ int super_setup_bdi_name(struct super_block *sb, char *fmt, ...) + } + WARN_ON(sb->s_bdi != &noop_backing_dev_info); + sb->s_bdi = bdi; ++ sb->s_iflags |= SB_I_PERSB_BDI; + + return 0; + } +diff --git a/include/linux/fs.h b/include/linux/fs.h +index d4f5fcc60744d..b21fdce37c37a 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1407,6 +1407,7 @@ extern int send_sigurg(struct fown_struct *fown); + #define SB_I_UNTRUSTED_MOUNTER 0x00000040 + + #define SB_I_SKIP_SYNC 0x00000100 /* Skip superblock at global sync */ ++#define SB_I_PERSB_BDI 0x00000200 /* has a per-sb bdi */ + + /* Possible states of 'frozen' field */ + enum { +-- +2.43.0 + diff --git a/queue-5.4/fs-namespace-fnic-switch-to-use-pttd.patch b/queue-5.4/fs-namespace-fnic-switch-to-use-pttd.patch new file mode 100644 index 00000000000..15cdb87e94f --- /dev/null +++ b/queue-5.4/fs-namespace-fnic-switch-to-use-pttd.patch @@ -0,0 +1,46 @@ +From 561a9b6db5a90a6e5dd755bf6164b00fe8b33050 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Mar 2023 17:09:06 +0200 +Subject: fs/namespace: fnic: Switch to use %ptTd + +From: Andy Shevchenko + +[ Upstream commit 74e60b8b2f0fe3702710e648a31725ee8224dbdf ] + +Use %ptTd instead of open-coded variant to print contents +of time64_t type in human readable form. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Christian Brauner (Microsoft) +Stable-dep-of: 4bcda1eaf184 ("mount: handle OOM on mnt_warn_timestamp_expiry") +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 3d8fbafc980ba..f1c0e0a705621 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2496,15 +2496,12 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * + (ktime_get_real_seconds() + TIME_UPTIME_SEC_MAX > sb->s_time_max)) { + char *buf = (char *)__get_free_page(GFP_KERNEL); + char *mntpath = buf ? d_path(mountpoint, buf, PAGE_SIZE) : ERR_PTR(-ENOMEM); +- struct tm tm; + +- time64_to_tm(sb->s_time_max, 0, &tm); +- +- pr_warn("%s filesystem being %s at %s supports timestamps until %04ld (0x%llx)\n", ++ pr_warn("%s filesystem being %s at %s supports timestamps until %ptTd (0x%llx)\n", + sb->s_type->name, + is_mounted(mnt) ? "remounted" : "mounted", +- mntpath, +- tm.tm_year+1900, (unsigned long long)sb->s_time_max); ++ mntpath, &sb->s_time_max, ++ (unsigned long long)sb->s_time_max); + + free_page((unsigned long)buf); + sb->s_iflags |= SB_I_TS_EXPIRY_WARNED; +-- +2.43.0 + diff --git a/queue-5.4/hwmon-max16065-fix-overflows-seen-when-writing-limit.patch b/queue-5.4/hwmon-max16065-fix-overflows-seen-when-writing-limit.patch new file mode 100644 index 00000000000..22a0ec7740a --- /dev/null +++ b/queue-5.4/hwmon-max16065-fix-overflows-seen-when-writing-limit.patch @@ -0,0 +1,46 @@ +From 972342401a1072e9652be54f17c95b8bf71a32cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jul 2024 09:52:01 -0700 +Subject: hwmon: (max16065) Fix overflows seen when writing limits + +From: Guenter Roeck + +[ Upstream commit 744ec4477b11c42e2c8de9eb8364675ae7a0bd81 ] + +Writing large limits resulted in overflows as reported by module tests. + +in0_lcrit: Suspected overflow: [max=5538, read 0, written 2147483647] +in0_crit: Suspected overflow: [max=5538, read 0, written 2147483647] +in0_min: Suspected overflow: [max=5538, read 0, written 2147483647] + +Fix the problem by clamping prior to multiplications and the use of +DIV_ROUND_CLOSEST, and by using consistent variable types. + +Reviewed-by: Tzung-Bi Shih +Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max16065.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c +index 49b7e0b6d1bbe..5d0ecc8d56af1 100644 +--- a/drivers/hwmon/max16065.c ++++ b/drivers/hwmon/max16065.c +@@ -114,9 +114,10 @@ static inline int LIMIT_TO_MV(int limit, int range) + return limit * range / 256; + } + +-static inline int MV_TO_LIMIT(int mv, int range) ++static inline int MV_TO_LIMIT(unsigned long mv, int range) + { +- return clamp_val(DIV_ROUND_CLOSEST(mv * 256, range), 0, 255); ++ mv = clamp_val(mv, 0, ULONG_MAX / 256); ++ return DIV_ROUND_CLOSEST(clamp_val(mv * 256, 0, range * 255), range); + } + + static inline int ADC_TO_CURR(int adc, int gain) +-- +2.43.0 + diff --git a/queue-5.4/hwmon-ntc_thermistor-fix-module-autoloading.patch b/queue-5.4/hwmon-ntc_thermistor-fix-module-autoloading.patch new file mode 100644 index 00000000000..650197c45a3 --- /dev/null +++ b/queue-5.4/hwmon-ntc_thermistor-fix-module-autoloading.patch @@ -0,0 +1,36 @@ +From 86523948e14bf917517aa0900a982ba719d79e58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2024 08:30:21 +0000 +Subject: hwmon: (ntc_thermistor) fix module autoloading + +From: Yuntao Liu + +[ Upstream commit b6964d66a07a9003868e428a956949e17ab44d7e ] + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded +based on the alias from of_device_id table. + +Fixes: 9e8269de100d ("hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver") +Signed-off-by: Yuntao Liu +Message-ID: <20240815083021.756134-1-liuyuntao12@huawei.com> +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ntc_thermistor.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ntc_thermistor.c b/drivers/hwmon/ntc_thermistor.c +index 3aad62a0e6619..7e20beb8b11f3 100644 +--- a/drivers/hwmon/ntc_thermistor.c ++++ b/drivers/hwmon/ntc_thermistor.c +@@ -58,6 +58,7 @@ static const struct platform_device_id ntc_thermistor_id[] = { + [NTC_NCP21WB473] = { "ncp21wb473", TYPE_NCPXXWB473 }, + [NTC_LAST] = { }, + }; ++MODULE_DEVICE_TABLE(platform, ntc_thermistor_id); + + /* + * A compensation table should be sorted by the values of .ohm +-- +2.43.0 + diff --git a/queue-5.4/iio-adc-ad7606-fix-oversampling-gpio-array.patch b/queue-5.4/iio-adc-ad7606-fix-oversampling-gpio-array.patch new file mode 100644 index 00000000000..9f4de965209 --- /dev/null +++ b/queue-5.4/iio-adc-ad7606-fix-oversampling-gpio-array.patch @@ -0,0 +1,72 @@ +From 91c9a202d4115b44bcff903d32155aa85c5f1ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 17:34:10 +0000 +Subject: iio: adc: ad7606: fix oversampling gpio array + +From: Guillaume Stols + +[ Upstream commit 8dc4594b54dbaaba40dc8884ad3d42083de39434 ] + +gpiod_set_array_value was misused here: the implementation relied on the +assumption that an unsigned long was required for each gpio, while the +function expects a bit array stored in "as much unsigned long as needed +for storing one bit per GPIO", i.e it is using a bit field. + +This leaded to incorrect parameter passed to gpiod_set_array_value, that +would set 1 value instead of 3. +It also prevents to select the software mode correctly for the AD7606B. + +Fixes: d2a415c86c6b ("iio: adc: ad7606: Add support for AD7606B ADC") +Fixes: 41f71e5e7daf ("staging: iio: adc: ad7606: Use find_closest() macro") +Signed-off-by: Guillaume Stols +Reviewed-by: Nuno Sa +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606.c | 4 ++-- + drivers/iio/adc/ad7606_spi.c | 5 +++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index e4683a68522a4..acd555b51fb9c 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -238,9 +238,9 @@ static int ad7606_write_os_hw(struct iio_dev *indio_dev, int val) + struct ad7606_state *st = iio_priv(indio_dev); + DECLARE_BITMAP(values, 3); + +- values[0] = val; ++ values[0] = val & GENMASK(2, 0); + +- gpiod_set_array_value(ARRAY_SIZE(values), st->gpio_os->desc, ++ gpiod_set_array_value(st->gpio_os->ndescs, st->gpio_os->desc, + st->gpio_os->info, values); + + /* AD7616 requires a reset to update value */ +diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c +index 29945ad07dca8..e1ad2cd61b7f9 100644 +--- a/drivers/iio/adc/ad7606_spi.c ++++ b/drivers/iio/adc/ad7606_spi.c +@@ -249,8 +249,9 @@ static int ad7616_sw_mode_config(struct iio_dev *indio_dev) + static int ad7606B_sw_mode_config(struct iio_dev *indio_dev) + { + struct ad7606_state *st = iio_priv(indio_dev); +- unsigned long os[3] = {1}; ++ DECLARE_BITMAP(os, 3); + ++ bitmap_fill(os, 3); + /* + * Software mode is enabled when all three oversampling + * pins are set to high. If oversampling gpios are defined +@@ -258,7 +259,7 @@ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev) + * otherwise, they must be hardwired to VDD + */ + if (st->gpio_os) { +- gpiod_set_array_value(ARRAY_SIZE(os), ++ gpiod_set_array_value(st->gpio_os->ndescs, + st->gpio_os->desc, st->gpio_os->info, os); + } + /* OS of 128 and 256 are available only in software mode */ +-- +2.43.0 + diff --git a/queue-5.4/iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch b/queue-5.4/iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch new file mode 100644 index 00000000000..7617b1a9a30 --- /dev/null +++ b/queue-5.4/iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch @@ -0,0 +1,48 @@ +From 76e300eecdba1bb1c7b51da87a9260e3be9d6ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jul 2024 17:34:11 +0000 +Subject: iio: adc: ad7606: fix standby gpio state to match the documentation + +From: Guillaume Stols + +[ Upstream commit 059fe4f8bbdf5cad212e1aeeb3e8968c80b9ff3b ] + +The binding's documentation specifies that "As the line is active low, it +should be marked GPIO_ACTIVE_LOW". However, in the driver, it was handled +the opposite way. This commit sets the driver's behaviour in sync with the +documentation + +Fixes: 722407a4e8c0 ("staging:iio:ad7606: Use GPIO descriptor API") +Signed-off-by: Guillaume Stols +Reviewed-by: Nuno Sa +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index acd555b51fb9c..806dd9cdbc649 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -445,7 +445,7 @@ static int ad7606_request_gpios(struct ad7606_state *st) + return PTR_ERR(st->gpio_range); + + st->gpio_standby = devm_gpiod_get_optional(dev, "standby", +- GPIOD_OUT_HIGH); ++ GPIOD_OUT_LOW); + if (IS_ERR(st->gpio_standby)) + return PTR_ERR(st->gpio_standby); + +@@ -706,7 +706,7 @@ static int ad7606_suspend(struct device *dev) + + if (st->gpio_standby) { + gpiod_set_value(st->gpio_range, 1); +- gpiod_set_value(st->gpio_standby, 0); ++ gpiod_set_value(st->gpio_standby, 1); + } + + return 0; +-- +2.43.0 + diff --git a/queue-5.4/input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch b/queue-5.4/input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch new file mode 100644 index 00000000000..66d129c6708 --- /dev/null +++ b/queue-5.4/input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch @@ -0,0 +1,49 @@ +From 39b6522b9a68064fcf6920c1f8abee90650b8585 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 11:30:13 +0800 +Subject: Input: ps2-gpio - use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit dcd18a3fb1228409dfc24373c5c6868a655810b0 ] + +disable_irq() after request_irq() still has a time gap in which +interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will +disable IRQ auto-enable when request IRQ. + +Fixes: 9ee0a0558819 ("Input: PS/2 gpio bit banging driver for serio bus") +Signed-off-by: Jinjie Ruan +Acked-by: Danilo Krummrich +Link: https://lore.kernel.org/r/20240912033013.2610949-1-ruanjinjie@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/ps2-gpio.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/serio/ps2-gpio.c b/drivers/input/serio/ps2-gpio.c +index 8970b49ea09a2..b0238a8b5c210 100644 +--- a/drivers/input/serio/ps2-gpio.c ++++ b/drivers/input/serio/ps2-gpio.c +@@ -374,16 +374,14 @@ static int ps2_gpio_probe(struct platform_device *pdev) + } + + error = devm_request_irq(dev, drvdata->irq, ps2_gpio_irq, +- IRQF_NO_THREAD, DRIVER_NAME, drvdata); ++ IRQF_NO_THREAD | IRQF_NO_AUTOEN, DRIVER_NAME, ++ drvdata); + if (error) { + dev_err(dev, "failed to request irq %d: %d\n", + drvdata->irq, error); + goto err_free_serio; + } + +- /* Keep irq disabled until serio->open is called. */ +- disable_irq(drvdata->irq); +- + serio->id.type = SERIO_8042; + serio->open = ps2_gpio_open; + serio->close = ps2_gpio_close; +-- +2.43.0 + diff --git a/queue-5.4/ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch b/queue-5.4/ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch new file mode 100644 index 00000000000..160c5326923 --- /dev/null +++ b/queue-5.4/ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch @@ -0,0 +1,39 @@ +From 74a84eba2eadb946ef7f9e177829ffd866eb9d24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Sep 2024 11:02:11 +0200 +Subject: ipmi: docs: don't advertise deprecated sysfs entries + +From: Wolfram Sang + +[ Upstream commit 64dce81f8c373c681e62d5ffe0397c45a35d48a2 ] + +"i2c-adapter" class entries are deprecated since 2009. Switch to the +proper location. + +Reported-by: Heiner Kallweit +Closes: https://lore.kernel.org/r/80c4a898-5867-4162-ac85-bdf7c7c68746@gmail.com +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") +Signed-off-by: Wolfram Sang +Message-Id: <20240901090211.3797-2-wsa+renesas@sang-engineering.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + Documentation/IPMI.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/IPMI.txt b/Documentation/IPMI.txt +index 5ef1047e2e663..f3c6530d9f354 100644 +--- a/Documentation/IPMI.txt ++++ b/Documentation/IPMI.txt +@@ -518,7 +518,7 @@ at module load time (for a module) with:: + [dbg_probe=1] + + The addresses are normal I2C addresses. The adapter is the string +-name of the adapter, as shown in /sys/class/i2c-adapter/i2c-/name. ++name of the adapter, as shown in /sys/bus/i2c/devices/i2c-/name. + It is *NOT* i2c- itself. Also, the comparison is done ignoring + spaces, so if the name is "This is an I2C chip" you can say + adapter_name=ThisisanI2cchip. This is because it's hard to pass in +-- +2.43.0 + diff --git a/queue-5.4/jbd2-introduce-export-functions-jbd2_journal_submit-.patch b/queue-5.4/jbd2-introduce-export-functions-jbd2_journal_submit-.patch new file mode 100644 index 00000000000..6ffb99d85cf --- /dev/null +++ b/queue-5.4/jbd2-introduce-export-functions-jbd2_journal_submit-.patch @@ -0,0 +1,150 @@ +From f476328b56a222d3bbc5fa015cc10c1cf3696fa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 21:48:38 -0300 +Subject: jbd2: introduce/export functions + jbd2_journal_submit|finish_inode_data_buffers() + +From: Mauricio Faria de Oliveira + +[ Upstream commit aa3c0c61f62d682259e3e66cdc01846290f9cd6c ] + +Export functions that implement the current behavior done +for an inode in journal_submit|finish_inode_data_buffers(). + +No functional change. + +Signed-off-by: Mauricio Faria de Oliveira +Suggested-by: Jan Kara +Reviewed-by: Jan Kara +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/20201006004841.600488-2-mfo@canonical.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 20cee68f5b44 ("ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard") +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 36 ++++++++++++++++-------------------- + fs/jbd2/journal.c | 2 ++ + include/linux/jbd2.h | 4 ++++ + 3 files changed, 22 insertions(+), 20 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 7bd4b1d4224ef..255026497b8cf 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -187,19 +187,17 @@ static int journal_wait_on_commit_record(journal_t *journal, + * use writepages() because with delayed allocation we may be doing + * block allocation in writepages(). + */ +-static int journal_submit_inode_data_buffers(struct address_space *mapping, +- loff_t dirty_start, loff_t dirty_end) ++int jbd2_journal_submit_inode_data_buffers(struct jbd2_inode *jinode) + { +- int ret; ++ struct address_space *mapping = jinode->i_vfs_inode->i_mapping; + struct writeback_control wbc = { + .sync_mode = WB_SYNC_ALL, + .nr_to_write = mapping->nrpages * 2, +- .range_start = dirty_start, +- .range_end = dirty_end, ++ .range_start = jinode->i_dirty_start, ++ .range_end = jinode->i_dirty_end, + }; + +- ret = generic_writepages(mapping, &wbc); +- return ret; ++ return generic_writepages(mapping, &wbc); + } + + /* +@@ -215,16 +213,11 @@ static int journal_submit_data_buffers(journal_t *journal, + { + struct jbd2_inode *jinode; + int err, ret = 0; +- struct address_space *mapping; + + spin_lock(&journal->j_list_lock); + list_for_each_entry(jinode, &commit_transaction->t_inode_list, i_list) { +- loff_t dirty_start = jinode->i_dirty_start; +- loff_t dirty_end = jinode->i_dirty_end; +- + if (!(jinode->i_flags & JI_WRITE_DATA)) + continue; +- mapping = jinode->i_vfs_inode->i_mapping; + jinode->i_flags |= JI_COMMIT_RUNNING; + spin_unlock(&journal->j_list_lock); + /* +@@ -234,8 +227,7 @@ static int journal_submit_data_buffers(journal_t *journal, + * only allocated blocks here. + */ + trace_jbd2_submit_inode_data(jinode->i_vfs_inode); +- err = journal_submit_inode_data_buffers(mapping, dirty_start, +- dirty_end); ++ err = jbd2_journal_submit_inode_data_buffers(jinode); + if (!ret) + ret = err; + spin_lock(&journal->j_list_lock); +@@ -248,6 +240,15 @@ static int journal_submit_data_buffers(journal_t *journal, + return ret; + } + ++int jbd2_journal_finish_inode_data_buffers(struct jbd2_inode *jinode) ++{ ++ struct address_space *mapping = jinode->i_vfs_inode->i_mapping; ++ ++ return filemap_fdatawait_range_keep_errors(mapping, ++ jinode->i_dirty_start, ++ jinode->i_dirty_end); ++} ++ + /* + * Wait for data submitted for writeout, refile inodes to proper + * transaction if needed. +@@ -262,16 +263,11 @@ static int journal_finish_inode_data_buffers(journal_t *journal, + /* For locking, see the comment in journal_submit_data_buffers() */ + spin_lock(&journal->j_list_lock); + list_for_each_entry(jinode, &commit_transaction->t_inode_list, i_list) { +- loff_t dirty_start = jinode->i_dirty_start; +- loff_t dirty_end = jinode->i_dirty_end; +- + if (!(jinode->i_flags & JI_WAIT_DATA)) + continue; + jinode->i_flags |= JI_COMMIT_RUNNING; + spin_unlock(&journal->j_list_lock); +- err = filemap_fdatawait_range_keep_errors( +- jinode->i_vfs_inode->i_mapping, dirty_start, +- dirty_end); ++ err = jbd2_journal_finish_inode_data_buffers(jinode); + if (!ret) + ret = err; + spin_lock(&journal->j_list_lock); +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index cfa21c29f3123..564aedbd867f1 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -91,6 +91,8 @@ EXPORT_SYMBOL(jbd2_journal_try_to_free_buffers); + EXPORT_SYMBOL(jbd2_journal_force_commit); + EXPORT_SYMBOL(jbd2_journal_inode_ranged_write); + EXPORT_SYMBOL(jbd2_journal_inode_ranged_wait); ++EXPORT_SYMBOL(jbd2_journal_submit_inode_data_buffers); ++EXPORT_SYMBOL(jbd2_journal_finish_inode_data_buffers); + EXPORT_SYMBOL(jbd2_journal_init_jbd_inode); + EXPORT_SYMBOL(jbd2_journal_release_jbd_inode); + EXPORT_SYMBOL(jbd2_journal_begin_ordered_truncate); +diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h +index b60adc4210b57..45c7e21ba1afc 100644 +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -1415,6 +1415,10 @@ extern int jbd2_journal_inode_ranged_write(handle_t *handle, + extern int jbd2_journal_inode_ranged_wait(handle_t *handle, + struct jbd2_inode *inode, loff_t start_byte, + loff_t length); ++extern int jbd2_journal_submit_inode_data_buffers( ++ struct jbd2_inode *jinode); ++extern int jbd2_journal_finish_inode_data_buffers( ++ struct jbd2_inode *jinode); + extern int jbd2_journal_begin_ordered_truncate(journal_t *journal, + struct jbd2_inode *inode, loff_t new_size); + extern void jbd2_journal_init_jbd_inode(struct jbd2_inode *jinode, struct inode *inode); +-- +2.43.0 + diff --git a/queue-5.4/jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch b/queue-5.4/jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch new file mode 100644 index 00000000000..1ce5d59d046 --- /dev/null +++ b/queue-5.4/jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch @@ -0,0 +1,68 @@ +From 8e089489253f71630c93a717ee2ef75259268b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 13:05:46 +0900 +Subject: jfs: fix out-of-bounds in dbNextAG() and diAlloc() + +From: Jeongjun Park + +[ Upstream commit e63866a475562810500ea7f784099bfe341e761a ] + +In dbNextAG() , there is no check for the case where bmp->db_numag is +greater or same than MAXAG due to a polluted image, which causes an +out-of-bounds. Therefore, a bounds check should be added in dbMount(). + +And in dbNextAG(), a check for the case where agpref is greater than +bmp->db_numag should be added, so an out-of-bounds exception should be +prevented. + +Additionally, a check for the case where agno is greater or same than +MAXAG should be added in diAlloc() to prevent out-of-bounds. + +Reported-by: Jeongjun Park +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jeongjun Park +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 4 ++-- + fs/jfs/jfs_imap.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index deb54efb56013..fe0b5a91356c4 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap) + } + + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); +- if (!bmp->db_numag) { ++ if (!bmp->db_numag || bmp->db_numag >= MAXAG) { + err = -EINVAL; + goto err_release_metapage; + } +@@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap) + * average free space. + */ + for (i = 0 ; i < bmp->db_numag; i++, agpref++) { +- if (agpref == bmp->db_numag) ++ if (agpref >= bmp->db_numag) + agpref = 0; + + if (atomic_read(&bmp->db_active[agpref])) +diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c +index 36ed756820648..da3a1c27d3498 100644 +--- a/fs/jfs/jfs_imap.c ++++ b/fs/jfs/jfs_imap.c +@@ -1362,7 +1362,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip) + /* get the ag number of this iag */ + agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb)); + dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag; +- if (agno < 0 || agno > dn_numag) ++ if (agno < 0 || agno > dn_numag || agno >= MAXAG) + return -EIO; + + if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) { +-- +2.43.0 + diff --git a/queue-5.4/kthread-add-kthread_work-tracepoints.patch b/queue-5.4/kthread-add-kthread_work-tracepoints.patch new file mode 100644 index 00000000000..3e8494794b3 --- /dev/null +++ b/queue-5.4/kthread-add-kthread_work-tracepoints.patch @@ -0,0 +1,177 @@ +From 884659532893307d110bc24e8da852a7a579ae71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Dec 2020 19:03:14 -0800 +Subject: kthread: add kthread_work tracepoints + +From: Rob Clark + +[ Upstream commit f630c7c6f10546ebff15c3a856e7949feb7a2372 ] + +While migrating some code from wq to kthread_worker, I found that I missed +the execute_start/end tracepoints. So add similar tracepoints for +kthread_work. And for completeness, queue_work tracepoint (although this +one differs slightly from the matching workqueue tracepoint). + +Link: https://lkml.kernel.org/r/20201010180323.126634-1-robdclark@gmail.com +Signed-off-by: Rob Clark +Cc: Rob Clark +Cc: Steven Rostedt +Cc: Ingo Molnar +Cc: "Peter Zijlstra (Intel)" +Cc: Phil Auld +Cc: Valentin Schneider +Cc: Thara Gopinath +Cc: Randy Dunlap +Cc: Vincent Donnefort +Cc: Mel Gorman +Cc: Jens Axboe +Cc: Marcelo Tosatti +Cc: Frederic Weisbecker +Cc: Ilias Stamatis +Cc: Liang Chen +Cc: Ben Dooks +Cc: Peter Zijlstra +Cc: "J. Bruce Fields" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: e16c7b07784f ("kthread: fix task state in kthread worker if being frozen") +Signed-off-by: Sasha Levin +--- + include/trace/events/sched.h | 84 ++++++++++++++++++++++++++++++++++++ + kernel/kthread.c | 9 ++++ + 2 files changed, 93 insertions(+) + +diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h +index 420e80e56e551..5a55ec2b72af0 100644 +--- a/include/trace/events/sched.h ++++ b/include/trace/events/sched.h +@@ -5,6 +5,7 @@ + #if !defined(_TRACE_SCHED_H) || defined(TRACE_HEADER_MULTI_READ) + #define _TRACE_SCHED_H + ++#include + #include + #include + #include +@@ -51,6 +52,89 @@ TRACE_EVENT(sched_kthread_stop_ret, + TP_printk("ret=%d", __entry->ret) + ); + ++/** ++ * sched_kthread_work_queue_work - called when a work gets queued ++ * @worker: pointer to the kthread_worker ++ * @work: pointer to struct kthread_work ++ * ++ * This event occurs when a work is queued immediately or once a ++ * delayed work is actually queued (ie: once the delay has been ++ * reached). ++ */ ++TRACE_EVENT(sched_kthread_work_queue_work, ++ ++ TP_PROTO(struct kthread_worker *worker, ++ struct kthread_work *work), ++ ++ TP_ARGS(worker, work), ++ ++ TP_STRUCT__entry( ++ __field( void *, work ) ++ __field( void *, function) ++ __field( void *, worker) ++ ), ++ ++ TP_fast_assign( ++ __entry->work = work; ++ __entry->function = work->func; ++ __entry->worker = worker; ++ ), ++ ++ TP_printk("work struct=%p function=%ps worker=%p", ++ __entry->work, __entry->function, __entry->worker) ++); ++ ++/** ++ * sched_kthread_work_execute_start - called immediately before the work callback ++ * @work: pointer to struct kthread_work ++ * ++ * Allows to track kthread work execution. ++ */ ++TRACE_EVENT(sched_kthread_work_execute_start, ++ ++ TP_PROTO(struct kthread_work *work), ++ ++ TP_ARGS(work), ++ ++ TP_STRUCT__entry( ++ __field( void *, work ) ++ __field( void *, function) ++ ), ++ ++ TP_fast_assign( ++ __entry->work = work; ++ __entry->function = work->func; ++ ), ++ ++ TP_printk("work struct %p: function %ps", __entry->work, __entry->function) ++); ++ ++/** ++ * sched_kthread_work_execute_end - called immediately after the work callback ++ * @work: pointer to struct work_struct ++ * @function: pointer to worker function ++ * ++ * Allows to track workqueue execution. ++ */ ++TRACE_EVENT(sched_kthread_work_execute_end, ++ ++ TP_PROTO(struct kthread_work *work, kthread_work_func_t function), ++ ++ TP_ARGS(work, function), ++ ++ TP_STRUCT__entry( ++ __field( void *, work ) ++ __field( void *, function) ++ ), ++ ++ TP_fast_assign( ++ __entry->work = work; ++ __entry->function = function; ++ ), ++ ++ TP_printk("work struct %p: function %ps", __entry->work, __entry->function) ++); ++ + /* + * Tracepoint for waking up a task: + */ +diff --git a/kernel/kthread.c b/kernel/kthread.c +index 63f7eb3c2640d..eb2b54ae93ee6 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -725,8 +725,15 @@ int kthread_worker_fn(void *worker_ptr) + raw_spin_unlock_irq(&worker->lock); + + if (work) { ++ kthread_work_func_t func = work->func; + __set_current_state(TASK_RUNNING); ++ trace_sched_kthread_work_execute_start(work); + work->func(work); ++ /* ++ * Avoid dereferencing work after this point. The trace ++ * event only cares about the address. ++ */ ++ trace_sched_kthread_work_execute_end(work, func); + } else if (!freezing(current)) + schedule(); + +@@ -855,6 +862,8 @@ static void kthread_insert_work(struct kthread_worker *worker, + { + kthread_insert_work_sanity_check(worker, work); + ++ trace_sched_kthread_work_queue_work(worker, work); ++ + list_add_tail(&work->node, pos); + work->worker = worker; + if (!worker->current_work && likely(worker->task)) +-- +2.43.0 + diff --git a/queue-5.4/kthread-fix-task-state-in-kthread-worker-if-being-fr.patch b/queue-5.4/kthread-fix-task-state-in-kthread-worker-if-being-fr.patch new file mode 100644 index 00000000000..f3dd766663b --- /dev/null +++ b/queue-5.4/kthread-fix-task-state-in-kthread-worker-if-being-fr.patch @@ -0,0 +1,91 @@ +From 9db66aeb6bfc725722b52edff65a264eb98ef3d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2024 19:23:08 +0800 +Subject: kthread: fix task state in kthread worker if being frozen +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Yu + +[ Upstream commit e16c7b07784f3fb03025939c4590b9a7c64970a7 ] + +When analyzing a kernel waring message, Peter pointed out that there is a +race condition when the kworker is being frozen and falls into +try_to_freeze() with TASK_INTERRUPTIBLE, which could trigger a +might_sleep() warning in try_to_freeze(). Although the root cause is not +related to freeze()[1], it is still worthy to fix this issue ahead. + +One possible race scenario: + + CPU 0 CPU 1 + ----- ----- + + // kthread_worker_fn + set_current_state(TASK_INTERRUPTIBLE); + suspend_freeze_processes() + freeze_processes + static_branch_inc(&freezer_active); + freeze_kernel_threads + pm_nosig_freezing = true; + if (work) { //false + __set_current_state(TASK_RUNNING); + + } else if (!freezing(current)) //false, been frozen + + freezing(): + if (static_branch_unlikely(&freezer_active)) + if (pm_nosig_freezing) + return true; + schedule() + } + + // state is still TASK_INTERRUPTIBLE + try_to_freeze() + might_sleep() <--- warning + +Fix this by explicitly set the TASK_RUNNING before entering +try_to_freeze(). + +Link: https://lore.kernel.org/lkml/Zs2ZoAcUsZMX2B%2FI@chenyu5-mobl2/ [1] +Link: https://lkml.kernel.org/r/20240827112308.181081-1-yu.c.chen@intel.com +Fixes: b56c0d8937e6 ("kthread: implement kthread_worker") +Signed-off-by: Chen Yu +Suggested-by: Peter Zijlstra +Suggested-by: Andrew Morton +Cc: Andreas Gruenbacher +Cc: David Gow +Cc: Mateusz Guzik +Cc: Mickaël Salaün +Cc: Tejun Heo +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kthread.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/kernel/kthread.c b/kernel/kthread.c +index eb2b54ae93ee6..2423ae25b5666 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -734,8 +734,16 @@ int kthread_worker_fn(void *worker_ptr) + * event only cares about the address. + */ + trace_sched_kthread_work_execute_end(work, func); +- } else if (!freezing(current)) ++ } else if (!freezing(current)) { + schedule(); ++ } else { ++ /* ++ * Handle the case where the current remains ++ * TASK_INTERRUPTIBLE. try_to_freeze() expects ++ * the current to be TASK_RUNNING. ++ */ ++ __set_current_state(TASK_RUNNING); ++ } + + try_to_freeze(); + cond_resched(); +-- +2.43.0 + diff --git a/queue-5.4/mac80211-parse-radiotap-header-when-selecting-tx-que.patch b/queue-5.4/mac80211-parse-radiotap-header-when-selecting-tx-que.patch new file mode 100644 index 00000000000..e1ab7a23f19 --- /dev/null +++ b/queue-5.4/mac80211-parse-radiotap-header-when-selecting-tx-que.patch @@ -0,0 +1,200 @@ +From c5b17c0a3970340b1d3189139e73bff625e2ac4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 14:01:53 +0400 +Subject: mac80211: parse radiotap header when selecting Tx queue + +From: Mathy Vanhoef + +[ Upstream commit cb17ed29a7a5fea8c9bf70e8a05757d71650e025 ] + +Already parse the radiotap header in ieee80211_monitor_select_queue. +In a subsequent commit this will allow us to add a radiotap flag that +influences the queue on which injected packets will be sent. + +This also fixes the incomplete validation of the injected frame in +ieee80211_monitor_select_queue: currently an out of bounds memory +access may occur in in the called function ieee80211_select_queue_80211 +if the 802.11 header is too small. + +Note that in ieee80211_monitor_start_xmit the radiotap header is parsed +again, which is necessairy because ieee80211_monitor_select_queue is not +always called beforehand. + +Signed-off-by: Mathy Vanhoef +Link: https://lore.kernel.org/r/20200723100153.31631-6-Mathy.Vanhoef@kuleuven.be +Signed-off-by: Johannes Berg +Stable-dep-of: 9d301de12da6 ("wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()") +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 8 +++++++ + net/mac80211/iface.c | 15 ++++++++---- + net/mac80211/tx.c | 54 +++++++++++++++++++----------------------- + 3 files changed, 43 insertions(+), 34 deletions(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index d9ba9a77bcf29..cf67d7778d3d0 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -6134,6 +6134,14 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, struct sk_buff *skb, + int band, struct ieee80211_sta **sta); + ++/** ++ * Sanity-check and parse the radiotap header of injected frames ++ * @skb: packet injected by userspace ++ * @dev: the &struct device of this 802.11 device ++ */ ++bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, ++ struct net_device *dev); ++ + /** + * struct ieee80211_noa_data - holds temporary data for tracking P2P NoA state + * +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index ddc001ad90555..1f691180e13db 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1175,17 +1175,24 @@ static u16 ieee80211_monitor_select_queue(struct net_device *dev, + { + struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); + struct ieee80211_local *local = sdata->local; ++ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_hdr *hdr; +- struct ieee80211_radiotap_header *rtap = (void *)skb->data; ++ int len_rthdr; + + if (local->hw.queues < IEEE80211_NUM_ACS) + return 0; + +- if (skb->len < 4 || +- skb->len < le16_to_cpu(rtap->it_len) + 2 /* frame control */) ++ /* reset flags and info before parsing radiotap header */ ++ memset(info, 0, sizeof(*info)); ++ ++ if (!ieee80211_parse_tx_radiotap(skb, dev)) + return 0; /* doesn't matter, frame will be dropped */ + +- hdr = (void *)((u8 *)skb->data + le16_to_cpu(rtap->it_len)); ++ len_rthdr = ieee80211_get_radiotap_len(skb->data); ++ hdr = (struct ieee80211_hdr *)(skb->data + len_rthdr); ++ if (skb->len < len_rthdr + 2 || ++ skb->len < len_rthdr + ieee80211_hdrlen(hdr->frame_control)) ++ return 0; /* doesn't matter, frame will be dropped */ + + return ieee80211_select_queue_80211(sdata, skb, hdr); + } +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 5fd9a6f752a1d..4afced0588bd4 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -2034,9 +2034,10 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, + ieee80211_tx(sdata, sta, skb, false, txdata_flags); + } + +-static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local, +- struct sk_buff *skb) ++bool ieee80211_parse_tx_radiotap(struct sk_buff *skb, ++ struct net_device *dev) + { ++ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); + struct ieee80211_radiotap_iterator iterator; + struct ieee80211_radiotap_header *rthdr = + (struct ieee80211_radiotap_header *) skb->data; +@@ -2055,6 +2056,18 @@ static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local, + u8 vht_mcs = 0, vht_nss = 0; + int i; + ++ /* check for not even having the fixed radiotap header part */ ++ if (unlikely(skb->len < sizeof(struct ieee80211_radiotap_header))) ++ return false; /* too short to be possibly valid */ ++ ++ /* is it a header version we can trust to find length from? */ ++ if (unlikely(rthdr->it_version)) ++ return false; /* only version 0 is supported */ ++ ++ /* does the skb contain enough to deliver on the alleged length? */ ++ if (unlikely(skb->len < ieee80211_get_radiotap_len(skb->data))) ++ return false; /* skb too short for claimed rt header extent */ ++ + info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT | + IEEE80211_TX_CTL_DONTFRAG; + +@@ -2210,13 +2223,6 @@ static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local, + local->hw.max_rate_tries); + } + +- /* +- * remove the radiotap header +- * iterator->_max_length was sanity-checked against +- * skb->len by iterator init +- */ +- skb_pull(skb, iterator._max_length); +- + return true; + } + +@@ -2225,8 +2231,6 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb, + { + struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); + struct ieee80211_chanctx_conf *chanctx_conf; +- struct ieee80211_radiotap_header *prthdr = +- (struct ieee80211_radiotap_header *)skb->data; + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_hdr *hdr; + struct ieee80211_sub_if_data *tmp_sdata, *sdata; +@@ -2234,21 +2238,17 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb, + u16 len_rthdr; + int hdrlen; + +- /* check for not even having the fixed radiotap header part */ +- if (unlikely(skb->len < sizeof(struct ieee80211_radiotap_header))) +- goto fail; /* too short to be possibly valid */ ++ memset(info, 0, sizeof(*info)); ++ info->flags = IEEE80211_TX_CTL_REQ_TX_STATUS | ++ IEEE80211_TX_CTL_INJECTED; + +- /* is it a header version we can trust to find length from? */ +- if (unlikely(prthdr->it_version)) +- goto fail; /* only version 0 is supported */ ++ /* Sanity-check and process the injection radiotap header */ ++ if (!ieee80211_parse_tx_radiotap(skb, dev)) ++ goto fail; + +- /* then there must be a radiotap header with a length we can use */ ++ /* we now know there is a radiotap header with a length we can use */ + len_rthdr = ieee80211_get_radiotap_len(skb->data); + +- /* does the skb contain enough to deliver on the alleged length? */ +- if (unlikely(skb->len < len_rthdr)) +- goto fail; /* skb too short for claimed rt header extent */ +- + /* + * fix up the pointers accounting for the radiotap + * header still being in there. We are being given +@@ -2294,11 +2294,6 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb, + skb->priority = *p & IEEE80211_QOS_CTL_TAG1D_MASK; + } + +- memset(info, 0, sizeof(*info)); +- +- info->flags = IEEE80211_TX_CTL_REQ_TX_STATUS | +- IEEE80211_TX_CTL_INJECTED; +- + rcu_read_lock(); + + /* +@@ -2361,9 +2356,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb, + + info->band = chandef->chan->band; + +- /* process and remove the injection radiotap header */ +- if (!ieee80211_parse_tx_radiotap(local, skb)) +- goto fail_rcu; ++ /* remove the injection radiotap header */ ++ skb_pull(skb, len_rthdr); + + ieee80211_xmit(sdata, NULL, skb, 0); + rcu_read_unlock(); +-- +2.43.0 + diff --git a/queue-5.4/minmax-avoid-overly-complex-min-max-macro-arguments-.patch b/queue-5.4/minmax-avoid-overly-complex-min-max-macro-arguments-.patch new file mode 100644 index 00000000000..2f91cd66d39 --- /dev/null +++ b/queue-5.4/minmax-avoid-overly-complex-min-max-macro-arguments-.patch @@ -0,0 +1,77 @@ +From 591f1dea020d6398bebbbf0eb10967d1eca8a53e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jul 2024 15:09:07 -0700 +Subject: minmax: avoid overly complex min()/max() macro arguments in xen + +From: Linus Torvalds + +[ Upstream commit e8432ac802a028eaee6b1e86383d7cd8e9fb8431 ] + +We have some very fancy min/max macros that have tons of sanity checking +to warn about mixed signedness etc. + +This is all things that a sane compiler should warn about, but there are +no sane compiler interfaces for this, and '-Wsign-compare' is broken [1] +and not useful. + +So then we compensate (some would say over-compensate) by doing the +checks manually with some truly horrid macro games. + +And no, we can't just use __builtin_types_compatible_p(), because the +whole question of "does it make sense to compare these two values" is a +lot more complicated than that. + +For example, it makes a ton of sense to compare unsigned values with +simple constants like "5", even if that is indeed a signed type. So we +have these very strange macros to try to make sensible type checking +decisions on the arguments to 'min()' and 'max()'. + +But that can cause enormous code expansion if the min()/max() macros are +used with complicated expressions, and particularly if you nest these +things so that you get the first big expansion then expanded again. + +The xen setup.c file ended up ballooning to over 50MB of preprocessed +noise that takes 15s to compile (obviously depending on the build host), +largely due to one single line. + +So let's split that one single line to just be simpler. I think it ends +up being more legible to humans too at the same time. Now that single +file compiles in under a second. + +Reported-and-reviewed-by: Lorenzo Stoakes +Link: https://lore.kernel.org/all/c83c17bb-be75-4c67-979d-54eee38774c6@lucifer.local/ +Link: https://staticthinking.wordpress.com/2023/07/25/wsign-compare-is-garbage/ [1] +Cc: David Laight +Signed-off-by: Linus Torvalds +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index d19fcca0b30b3..858de52cfacff 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -746,6 +746,7 @@ char * __init xen_memory_setup(void) + struct xen_memory_map memmap; + unsigned long max_pages; + unsigned long extra_pages = 0; ++ unsigned long maxmem_pages; + int i; + int op; + +@@ -815,8 +816,8 @@ char * __init xen_memory_setup(void) + * the initial memory is also very large with respect to + * lowmem, but we won't try to deal with that here. + */ +- extra_pages = min3(EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)), +- extra_pages, max_pages - max_pfn); ++ maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)); ++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn); + i = 0; + addr = xen_e820_table.entries[0].addr; + size = xen_e820_table.entries[0].size; +-- +2.43.0 + diff --git a/queue-5.4/mm-add-page_align_down-macro.patch b/queue-5.4/mm-add-page_align_down-macro.patch new file mode 100644 index 00000000000..e1774bf1e4d --- /dev/null +++ b/queue-5.4/mm-add-page_align_down-macro.patch @@ -0,0 +1,39 @@ +From 7b6f5179c8fee7072ab3aeb9a444db71a1490bf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 17:16:19 +0800 +Subject: mm: Add PAGE_ALIGN_DOWN macro + +From: David Gow + +[ Upstream commit 335e52c28cf9954d65b819cb68912fd32de3c844 ] + +This is just the same as PAGE_ALIGN(), but rounds the address down, not +up. + +Suggested-by: Dmitry Vyukov +Signed-off-by: David Gow +Acked-by: Andrew Morton +Signed-off-by: Richard Weinberger +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + include/linux/mm.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index d14aba548ff4e..7e26146938ec2 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -218,6 +218,9 @@ extern int overcommit_kbytes_handler(struct ctl_table *, int, void __user *, + /* to align the pointer to the (next) page boundary */ + #define PAGE_ALIGN(addr) ALIGN(addr, PAGE_SIZE) + ++/* to align the pointer to the (prev) page boundary */ ++#define PAGE_ALIGN_DOWN(addr) ALIGN_DOWN(addr, PAGE_SIZE) ++ + /* test whether an address (unsigned long or pointer) is aligned to PAGE_SIZE */ + #define PAGE_ALIGNED(addr) IS_ALIGNED((unsigned long)(addr), PAGE_SIZE) + +-- +2.43.0 + diff --git a/queue-5.4/mount-handle-oom-on-mnt_warn_timestamp_expiry.patch b/queue-5.4/mount-handle-oom-on-mnt_warn_timestamp_expiry.patch new file mode 100644 index 00000000000..788a4db19dc --- /dev/null +++ b/queue-5.4/mount-handle-oom-on-mnt_warn_timestamp_expiry.patch @@ -0,0 +1,61 @@ +From 1bccc6423b460e6bd38a953051ccc95b6a56a1b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jul 2024 10:58:13 +0200 +Subject: mount: handle OOM on mnt_warn_timestamp_expiry + +From: Olaf Hering + +[ Upstream commit 4bcda1eaf184e308f07f9c61d3a535f9ce477ce8 ] + +If no page could be allocated, an error pointer was used as format +string in pr_warn. + +Rearrange the code to return early in case of OOM. Also add a check +for the return value of d_path. + +Fixes: f8b92ba67c5d ("mount: Add mount warning for impending timestamp expiry") +Signed-off-by: Olaf Hering +Link: https://lore.kernel.org/r/20240730085856.32385-1-olaf@aepfle.de +[brauner: rewrite commit and commit message] +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index f1c0e0a705621..281f08eaba5b9 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2494,8 +2494,15 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * + if (!__mnt_is_readonly(mnt) && + (!(sb->s_iflags & SB_I_TS_EXPIRY_WARNED)) && + (ktime_get_real_seconds() + TIME_UPTIME_SEC_MAX > sb->s_time_max)) { +- char *buf = (char *)__get_free_page(GFP_KERNEL); +- char *mntpath = buf ? d_path(mountpoint, buf, PAGE_SIZE) : ERR_PTR(-ENOMEM); ++ char *buf, *mntpath; ++ ++ buf = (char *)__get_free_page(GFP_KERNEL); ++ if (buf) ++ mntpath = d_path(mountpoint, buf, PAGE_SIZE); ++ else ++ mntpath = ERR_PTR(-ENOMEM); ++ if (IS_ERR(mntpath)) ++ mntpath = "(unknown)"; + + pr_warn("%s filesystem being %s at %s supports timestamps until %ptTd (0x%llx)\n", + sb->s_type->name, +@@ -2503,8 +2510,9 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * + mntpath, &sb->s_time_max, + (unsigned long long)sb->s_time_max); + +- free_page((unsigned long)buf); + sb->s_iflags |= SB_I_TS_EXPIRY_WARNED; ++ if (buf) ++ free_page((unsigned long)buf); + } + } + +-- +2.43.0 + diff --git a/queue-5.4/mount-warn-only-once-about-timestamp-range-expiratio.patch b/queue-5.4/mount-warn-only-once-about-timestamp-range-expiratio.patch new file mode 100644 index 00000000000..906ab02b263 --- /dev/null +++ b/queue-5.4/mount-warn-only-once-about-timestamp-range-expiratio.patch @@ -0,0 +1,73 @@ +From 75df55ed74c6771f456ed5414dac0173b6c5d80e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 14:39:22 -0700 +Subject: mount: warn only once about timestamp range expiration + +From: Anthony Iliopoulos + +[ Upstream commit a128b054ce029554a4a52fc3abb8c1df8bafcaef ] + +Commit f8b92ba67c5d ("mount: Add mount warning for impending timestamp +expiry") introduced a mount warning regarding filesystem timestamp +limits, that is printed upon each writable mount or remount. + +This can result in a lot of unnecessary messages in the kernel log in +setups where filesystems are being frequently remounted (or mounted +multiple times). + +Avoid this by setting a superblock flag which indicates that the warning +has been emitted at least once for any particular mount, as suggested in +[1]. + +Link: https://lore.kernel.org/CAHk-=wim6VGnxQmjfK_tDg6fbHYKL4EFkmnTjVr9QnRqjDBAeA@mail.gmail.com/ [1] +Link: https://lkml.kernel.org/r/20220119202934.26495-1-ailiop@suse.com +Signed-off-by: Anthony Iliopoulos +Reviewed-by: Christoph Hellwig +Acked-by: Christian Brauner +Reviewed-by: Darrick J. Wong +Cc: Alexander Viro +Cc: Deepa Dinamani +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 4bcda1eaf184 ("mount: handle OOM on mnt_warn_timestamp_expiry") +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 2 ++ + include/linux/fs.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 5782cd55dfdbb..3d8fbafc980ba 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2492,6 +2492,7 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * + struct super_block *sb = mnt->mnt_sb; + + if (!__mnt_is_readonly(mnt) && ++ (!(sb->s_iflags & SB_I_TS_EXPIRY_WARNED)) && + (ktime_get_real_seconds() + TIME_UPTIME_SEC_MAX > sb->s_time_max)) { + char *buf = (char *)__get_free_page(GFP_KERNEL); + char *mntpath = buf ? d_path(mountpoint, buf, PAGE_SIZE) : ERR_PTR(-ENOMEM); +@@ -2506,6 +2507,7 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount * + tm.tm_year+1900, (unsigned long long)sb->s_time_max); + + free_page((unsigned long)buf); ++ sb->s_iflags |= SB_I_TS_EXPIRY_WARNED; + } + } + +diff --git a/include/linux/fs.h b/include/linux/fs.h +index b21fdce37c37a..c0967df137152 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1408,6 +1408,7 @@ extern int send_sigurg(struct fown_struct *fown); + + #define SB_I_SKIP_SYNC 0x00000100 /* Skip superblock at global sync */ + #define SB_I_PERSB_BDI 0x00000200 /* has a per-sb bdi */ ++#define SB_I_TS_EXPIRY_WARNED 0x00000400 /* warned about timestamp range expiry */ + + /* Possible states of 'frozen' field */ + enum { +-- +2.43.0 + diff --git a/queue-5.4/mtd-powernv-add-check-devm_kasprintf-returned-value.patch b/queue-5.4/mtd-powernv-add-check-devm_kasprintf-returned-value.patch new file mode 100644 index 00000000000..aa0212e0b25 --- /dev/null +++ b/queue-5.4/mtd-powernv-add-check-devm_kasprintf-returned-value.patch @@ -0,0 +1,38 @@ +From a2456447e527a11f37721c38521e09532ffb04d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2024 17:24:27 +0800 +Subject: mtd: powernv: Add check devm_kasprintf() returned value + +From: Charles Han + +[ Upstream commit 395999829880a106bb95f0ce34e6e4c2b43c6a5d ] + +devm_kasprintf() can return a NULL pointer on failure but this +returned value is not checked. + +Fixes: acfe63ec1c59 ("mtd: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Charles Han +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240828092427.128177-1-hanchunchao@inspur.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/devices/powernv_flash.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mtd/devices/powernv_flash.c b/drivers/mtd/devices/powernv_flash.c +index 0b757d9ba2f6b..0ab64a1cec09e 100644 +--- a/drivers/mtd/devices/powernv_flash.c ++++ b/drivers/mtd/devices/powernv_flash.c +@@ -204,6 +204,9 @@ static int powernv_flash_set_driver_info(struct device *dev, + * get them + */ + mtd->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFP", dev->of_node); ++ if (!mtd->name) ++ return -ENOMEM; ++ + mtd->type = MTD_NORFLASH; + mtd->flags = MTD_WRITEABLE; + mtd->size = size; +-- +2.43.0 + diff --git a/queue-5.4/mtd-slram-insert-break-after-errors-in-parsing-the-m.patch b/queue-5.4/mtd-slram-insert-break-after-errors-in-parsing-the-m.patch new file mode 100644 index 00000000000..a8559830c02 --- /dev/null +++ b/queue-5.4/mtd-slram-insert-break-after-errors-in-parsing-the-m.patch @@ -0,0 +1,72 @@ +From 4ae77e94509e94f34dbbee5bf18af1c2d9f9f621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jul 2024 01:43:20 +0200 +Subject: mtd: slram: insert break after errors in parsing the map +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirsad Todorovac + +[ Upstream commit 336c218dd7f0588ed8a7345f367975a00a4f003f ] + +GCC 12.3.0 compiler on linux-next next-20240709 tree found the execution +path in which, due to lazy evaluation, devlength isn't initialised with the +parsed string: + + 289 while (map) { + 290 devname = devstart = devlength = NULL; + 291 + 292 if (!(devname = strsep(&map, ","))) { + 293 E("slram: No devicename specified.\n"); + 294 break; + 295 } + 296 T("slram: devname = %s\n", devname); + 297 if ((!map) || (!(devstart = strsep(&map, ",")))) { + 298 E("slram: No devicestart specified.\n"); + 299 } + 300 T("slram: devstart = %s\n", devstart); + → 301 if ((!map) || (!(devlength = strsep(&map, ",")))) { + 302 E("slram: No devicelength / -end specified.\n"); + 303 } + → 304 T("slram: devlength = %s\n", devlength); + 305 if (parse_cmdline(devname, devstart, devlength) != 0) { + 306 return(-EINVAL); + 307 } + +Parsing should be finished after map == NULL, so a break is best inserted after +each E("slram: ... \n") error message. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: Vignesh Raghavendra +Cc: linux-mtd@lists.infradead.org +Signed-off-by: Mirsad Todorovac +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240711234319.637824-1-mtodorovac69@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/devices/slram.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c +index 28131a127d065..8297b366a0669 100644 +--- a/drivers/mtd/devices/slram.c ++++ b/drivers/mtd/devices/slram.c +@@ -296,10 +296,12 @@ static int __init init_slram(void) + T("slram: devname = %s\n", devname); + if ((!map) || (!(devstart = strsep(&map, ",")))) { + E("slram: No devicestart specified.\n"); ++ break; + } + T("slram: devstart = %s\n", devstart); + if ((!map) || (!(devlength = strsep(&map, ",")))) { + E("slram: No devicelength / -end specified.\n"); ++ break; + } + T("slram: devlength = %s\n", devlength); + if (parse_cmdline(devname, devstart, devlength) != 0) { +-- +2.43.0 + diff --git a/queue-5.4/net-qrtr-update-packets-cloning-when-broadcasting.patch b/queue-5.4/net-qrtr-update-packets-cloning-when-broadcasting.patch new file mode 100644 index 00000000000..4619c6637a1 --- /dev/null +++ b/queue-5.4/net-qrtr-update-packets-cloning-when-broadcasting.patch @@ -0,0 +1,49 @@ +From a4e866635e5f0b1be288bd3b8f42f52ef237875c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 19:08:58 +0200 +Subject: net: qrtr: Update packets cloning when broadcasting + +From: Youssef Samir + +[ Upstream commit f011b313e8ebd5b7abd8521b5119aecef403de45 ] + +When broadcasting data to multiple nodes via MHI, using skb_clone() +causes all nodes to receive the same header data. This can result in +packets being discarded by endpoints, leading to lost data. + +This issue occurs when a socket is closed, and a QRTR_TYPE_DEL_CLIENT +packet is broadcasted. All nodes receive the same destination node ID, +causing the node connected to the client to discard the packet and +remain unaware of the client's deletion. + +Replace skb_clone() with pskb_copy(), to create a separate copy of +the header for each sk_buff. + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Signed-off-by: Youssef Samir +Reviewed-by: Jeffery Hugo +Reviewed-by: Carl Vanderlip +Reviewed-by: Chris Lew +Link: https://patch.msgid.link/20240916170858.2382247-1-quic_yabdulra@quicinc.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/qrtr/qrtr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c +index b97a786d048cc..2fb510a4124ba 100644 +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -711,7 +711,7 @@ static int qrtr_bcast_enqueue(struct qrtr_node *node, struct sk_buff *skb, + + mutex_lock(&qrtr_node_lock); + list_for_each_entry(node, &qrtr_all_nodes, item) { +- skbn = skb_clone(skb, GFP_KERNEL); ++ skbn = pskb_copy(skb, GFP_KERNEL); + if (!skbn) + break; + skb_set_owner_w(skbn, skb->sk); +-- +2.43.0 + diff --git a/queue-5.4/net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch b/queue-5.4/net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch new file mode 100644 index 00000000000..c21eba7cb0f --- /dev/null +++ b/queue-5.4/net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch @@ -0,0 +1,57 @@ +From fba3c7d283337b33ffdb372b36046ca102df5d7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Sep 2024 22:40:46 +0800 +Subject: net: seeq: Fix use after free vulnerability in ether3 Driver Due to + Race Condition + +From: Kaixin Wang + +[ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ] + +In the ether3_probe function, a timer is initialized with a callback +function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is +started, there is a risk of a race condition if the module or device +is removed, triggering the ether3_remove function to perform cleanup. +The sequence of operations that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | ether3_ledoff +ether3_remove | + free_netdev(dev); | + put_devic | + kfree(dev); | + | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); + | // use dev + +Fix it by ensuring that the timer is canceled before proceeding with +the cleanup in ether3_remove. + +Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()") +Signed-off-by: Kaixin Wang +Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@m.fudan.edu.cn +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/seeq/ether3.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c +index 632a7c85964df..b057a38d3217a 100644 +--- a/drivers/net/ethernet/seeq/ether3.c ++++ b/drivers/net/ethernet/seeq/ether3.c +@@ -848,9 +848,11 @@ static void ether3_remove(struct expansion_card *ec) + { + struct net_device *dev = ecard_get_drvdata(ec); + ++ ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); + ecard_set_drvdata(ec, NULL); + + unregister_netdev(dev); ++ del_timer_sync(&priv(dev)->timer); + free_netdev(dev); + ecard_release_resources(ec); + } +-- +2.43.0 + diff --git a/queue-5.4/net-tipc-avoid-possible-garbage-value.patch b/queue-5.4/net-tipc-avoid-possible-garbage-value.patch new file mode 100644 index 00000000000..0ef124ea3b5 --- /dev/null +++ b/queue-5.4/net-tipc-avoid-possible-garbage-value.patch @@ -0,0 +1,47 @@ +From 3025a53536c4658e0675630304a78ec8a90d89d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 19:01:20 +0800 +Subject: net: tipc: avoid possible garbage value + +From: Su Hui + +[ Upstream commit 99655a304e450baaae6b396cb942b9e47659d644 ] + +Clang static checker (scan-build) warning: +net/tipc/bcast.c:305:4: +The expression is an uninitialized value. The computed value will also +be garbage [core.uninitialized.Assign] + 305 | (*cong_link_cnt)++; + | ^~~~~~~~~~~~~~~~~~ + +tipc_rcast_xmit() will increase cong_link_cnt's value, but cong_link_cnt +is uninitialized. Although it won't really cause a problem, it's better +to fix it. + +Fixes: dca4a17d24ee ("tipc: fix potential hanging after b/rcast changing") +Signed-off-by: Su Hui +Reviewed-by: Justin Stitt +Link: https://patch.msgid.link/20240912110119.2025503-1-suhui@nfschina.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/bcast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c +index 885ecf6ea65aa..72362fb63d853 100644 +--- a/net/tipc/bcast.c ++++ b/net/tipc/bcast.c +@@ -313,8 +313,8 @@ static int tipc_mcast_send_sync(struct net *net, struct sk_buff *skb, + { + struct tipc_msg *hdr, *_hdr; + struct sk_buff_head tmpq; ++ u16 cong_link_cnt = 0; + struct sk_buff *_skb; +- u16 cong_link_cnt; + int rc = 0; + + /* Is a cluster supporting with new capabilities ? */ +-- +2.43.0 + diff --git a/queue-5.4/netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch b/queue-5.4/netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch new file mode 100644 index 00000000000..29ed374168d --- /dev/null +++ b/queue-5.4/netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch @@ -0,0 +1,86 @@ +From 7095972ea9197365328dd38a0a71696153fcc314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 16:14:41 +0100 +Subject: netfilter: ctnetlink: compile ctnetlink_label_size with + CONFIG_NF_CONNTRACK_EVENTS + +From: Simon Horman + +[ Upstream commit e1f1ee0e9ad8cbe660f5c104e791c5f1a7cf4c31 ] + +Only provide ctnetlink_label_size when it is used, +which is when CONFIG_NF_CONNTRACK_EVENTS is configured. + +Flagged by clang-18 W=1 builds as: + +.../nf_conntrack_netlink.c:385:19: warning: unused function 'ctnetlink_label_size' [-Wunused-function] + 385 | static inline int ctnetlink_label_size(const struct nf_conn *ct) + | ^~~~~~~~~~~~~~~~~~~~ + +The condition on CONFIG_NF_CONNTRACK_LABELS being removed by +this patch guards compilation of non-trivial implementations +of ctnetlink_dump_labels() and ctnetlink_label_size(). + +However, this is not necessary as each of these functions +will always return 0 if CONFIG_NF_CONNTRACK_LABELS is not defined +as each function starts with the equivalent of: + + struct nf_conn_labels *labels = nf_ct_labels_find(ct); + + if (!labels) + return 0; + +And nf_ct_labels_find always returns NULL if CONFIG_NF_CONNTRACK_LABELS +is not enabled. So I believe that the compiler optimises the code away +in such cases anyway. + +Found by inspection. +Compile tested only. + +Originally splitted in two patches, Pablo Neira Ayuso collapsed them and +added Fixes: tag. + +Fixes: 0ceabd83875b ("netfilter: ctnetlink: deliver labels to userspace") +Link: https://lore.kernel.org/netfilter-devel/20240909151712.GZ2097826@kernel.org/ +Signed-off-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index c1401193a971b..eeb000e41ad77 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -357,7 +357,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) + #define ctnetlink_dump_secctx(a, b) (0) + #endif + +-#ifdef CONFIG_NF_CONNTRACK_LABELS ++#ifdef CONFIG_NF_CONNTRACK_EVENTS + static inline int ctnetlink_label_size(const struct nf_conn *ct) + { + struct nf_conn_labels *labels = nf_ct_labels_find(ct); +@@ -366,6 +366,7 @@ static inline int ctnetlink_label_size(const struct nf_conn *ct) + return 0; + return nla_total_size(sizeof(labels->bits)); + } ++#endif + + static int + ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) +@@ -386,10 +387,6 @@ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) + + return 0; + } +-#else +-#define ctnetlink_dump_labels(a, b) (0) +-#define ctnetlink_label_size(a) (0) +-#endif + + #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) + +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch b/queue-5.4/netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch new file mode 100644 index 00000000000..e660c686649 --- /dev/null +++ b/queue-5.4/netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch @@ -0,0 +1,191 @@ +From d08a9a4a2fe0b998c5828c2085d78c1298934862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 17:06:15 +0000 +Subject: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() + +From: Eric Dumazet + +[ Upstream commit 9c778fe48d20ef362047e3376dee56d77f8500d4 ] + +syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending +garbage on the four reserved tcp bits (th->res1) + +Use skb_put_zero() to clear the whole TCP header, +as done in nf_reject_ip_tcphdr_put() + +BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 + nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 + nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + do_softirq+0x9a/0x100 kernel/softirq.c:455 + __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382 + local_bh_enable include/linux/bottom_half.h:33 [inline] + rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] + __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450 + dev_queue_xmit include/linux/netdevice.h:3105 [inline] + neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565 + neigh_output include/net/neighbour.h:542 [inline] + ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141 + __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] + ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226 + NF_HOOK_COND include/linux/netfilter.h:303 [inline] + ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247 + dst_output include/net/dst.h:450 [inline] + NF_HOOK include/linux/netfilter.h:314 [inline] + ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366 + inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135 + __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466 + tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] + tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143 + tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333 + __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679 + inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750 + __sys_connect_file net/socket.c:2061 [inline] + __sys_connect+0x606/0x690 net/socket.c:2078 + __do_sys_connect net/socket.c:2088 [inline] + __se_sys_connect net/socket.c:2085 [inline] + __x64_sys_connect+0x91/0xe0 net/socket.c:2085 + x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was stored to memory at: + nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249 + nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + +Uninit was stored to memory at: + nf_reject_ip6_tcphdr_put+0x2ca/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:231 + nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3998 [inline] + slab_alloc_node mm/slub.c:4041 [inline] + kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4084 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583 + __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674 + alloc_skb include/linux/skbuff.h:1320 [inline] + nf_send_reset6+0x98d/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:327 + nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 + nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook include/linux/netfilter.h:269 [inline] + NF_HOOK include/linux/netfilter.h:312 [inline] + ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5661 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 + process_backlog+0x4ad/0xa50 net/core/dev.c:6108 + __napi_poll+0xe7/0x980 net/core/dev.c:6772 + napi_poll net/core/dev.c:6841 [inline] + net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 + handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 + __do_softirq+0x14/0x1a kernel/softirq.c:588 + +Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Reviewed-by: Pablo Neira Ayuso +Link: https://patch.msgid.link/20240913170615.3670897-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nf_reject_ipv6.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c +index 5fae66f666710..4fdd587e08742 100644 +--- a/net/ipv6/netfilter/nf_reject_ipv6.c ++++ b/net/ipv6/netfilter/nf_reject_ipv6.c +@@ -89,33 +89,23 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb, + const struct tcphdr *oth, unsigned int otcplen) + { + struct tcphdr *tcph; +- int needs_ack; + + skb_reset_transport_header(nskb); +- tcph = skb_put(nskb, sizeof(struct tcphdr)); ++ tcph = skb_put_zero(nskb, sizeof(struct tcphdr)); + /* Truncate to length (no data) */ + tcph->doff = sizeof(struct tcphdr)/4; + tcph->source = oth->dest; + tcph->dest = oth->source; + + if (oth->ack) { +- needs_ack = 0; + tcph->seq = oth->ack_seq; +- tcph->ack_seq = 0; + } else { +- needs_ack = 1; + tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin + + otcplen - (oth->doff<<2)); +- tcph->seq = 0; ++ tcph->ack = 1; + } + +- /* Reset flags */ +- ((u_int8_t *)tcph)[13] = 0; + tcph->rst = 1; +- tcph->ack = needs_ack; +- tcph->window = 0; +- tcph->urg_ptr = 0; +- tcph->check = 0; + + /* Adjust TCP checksum */ + tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr, +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-elements-with-timeout-below-conf.patch b/queue-5.4/netfilter-nf_tables-elements-with-timeout-below-conf.patch new file mode 100644 index 00000000000..bc91a463acb --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-elements-with-timeout-below-conf.patch @@ -0,0 +1,37 @@ +From 63b95dfba2012cc6dd04bfe69ea8477aebac6e8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 01:06:41 +0200 +Subject: netfilter: nf_tables: elements with timeout below CONFIG_HZ never + expire + +From: Pablo Neira Ayuso + +[ Upstream commit e0c47281723f301894c14e6f5cd5884fdfb813f9 ] + +Element timeout that is below CONFIG_HZ never expires because the +timeout extension is not allocated given that nf_msecs_to_jiffies64() +returns 0. Set timeout to the minimum value to honor timeout. + +Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1a132b800c8c2..f125d505c4519 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3489,7 +3489,7 @@ int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) + return -ERANGE; + + ms *= NSEC_PER_MSEC; +- *result = nsecs_to_jiffies64(ms); ++ *result = nsecs_to_jiffies64(ms) ? : !!ms; + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-reject-element-expiration-with-n.patch b/queue-5.4/netfilter-nf_tables-reject-element-expiration-with-n.patch new file mode 100644 index 00000000000..924daa82f48 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-reject-element-expiration-with-n.patch @@ -0,0 +1,40 @@ +From b2a39fbc62675ace55887a38795ca69fa7fb8053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 01:06:49 +0200 +Subject: netfilter: nf_tables: reject element expiration with no timeout + +From: Pablo Neira Ayuso + +[ Upstream commit d2dc429ecb4e79ad164028d965c00f689e6f6d06 ] + +If element timeout is unset and set provides no default timeout, the +element expiration is silently ignored, reject this instead to let user +know this is unsupported. + +Also prepare for supporting timeout that never expire, where zero +timeout and expiration must be also rejected. + +Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f125d505c4519..3c4cc2e58bf83 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4887,6 +4887,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { + if (!(set->flags & NFT_SET_TIMEOUT)) + return -EINVAL; ++ if (timeout == 0) ++ return -EOPNOTSUPP; ++ + err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], + &expiration); + if (err) +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-reject-expiration-higher-than-ti.patch b/queue-5.4/netfilter-nf_tables-reject-expiration-higher-than-ti.patch new file mode 100644 index 00000000000..c893bbbc0a2 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-reject-expiration-higher-than-ti.patch @@ -0,0 +1,36 @@ +From 8326f35f13682901fc93f575fa14a187c6bed3d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 01:06:58 +0200 +Subject: netfilter: nf_tables: reject expiration higher than timeout + +From: Pablo Neira Ayuso + +[ Upstream commit c0f38a8c60174368aed1d0f9965d733195f15033 ] + +Report ERANGE to userspace if user specifies an expiration larger than +the timeout. + +Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 3c4cc2e58bf83..7812cc3cc751b 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4894,6 +4894,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + &expiration); + if (err) + return err; ++ ++ if (expiration > timeout) ++ return -ERANGE; + } + + err = nft_setelem_parse_key(ctx, set, &elem.key.val, +-- +2.43.0 + diff --git a/queue-5.4/nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch b/queue-5.4/nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch new file mode 100644 index 00000000000..d247fc8bd6f --- /dev/null +++ b/queue-5.4/nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch @@ -0,0 +1,58 @@ +From 151068cd5e250314c141db86a07de9bc89c553d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 22:03:18 +0800 +Subject: nfsd: call cache_put if xdr_reserve_space returns NULL + +From: Guoqing Jiang + +[ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ] + +If not enough buffer space available, but idmap_lookup has triggered +lookup_fn which calls cache_get and returns successfully. Then we +missed to call cache_put here which pairs with cache_get. + +Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding") +Signed-off-by: Guoqing Jiang +Reviwed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4idmap.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c +index d1f285245af80..06d7404354b99 100644 +--- a/fs/nfsd/nfs4idmap.c ++++ b/fs/nfsd/nfs4idmap.c +@@ -566,6 +566,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr, + .id = id, + .type = type, + }; ++ __be32 status = nfs_ok; + __be32 *p; + int ret; + struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); +@@ -578,12 +579,16 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr, + return nfserrno(ret); + ret = strlen(item->name); + WARN_ON_ONCE(ret > IDMAP_NAMESZ); ++ + p = xdr_reserve_space(xdr, ret + 4); +- if (!p) +- return nfserr_resource; +- p = xdr_encode_opaque(p, item->name, ret); ++ if (unlikely(!p)) { ++ status = nfserr_resource; ++ goto out_put; ++ } ++ xdr_encode_opaque(p, item->name, ret); ++out_put: + cache_put(&item->h, nn->idtoname_cache); +- return 0; ++ return status; + } + + static bool +-- +2.43.0 + diff --git a/queue-5.4/nfsd-return-einval-when-namelen-is-0.patch b/queue-5.4/nfsd-return-einval-when-namelen-is-0.patch new file mode 100644 index 00000000000..3ad1ff22c35 --- /dev/null +++ b/queue-5.4/nfsd-return-einval-when-namelen-is-0.patch @@ -0,0 +1,95 @@ +From a31f74d6c38f88e3d7e1d85d5e884003aabbbd2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Sep 2024 19:14:46 +0800 +Subject: nfsd: return -EINVAL when namelen is 0 + +From: Li Lingfeng + +[ Upstream commit 22451a16b7ab7debefce660672566be887db1637 ] + +When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may +result in namelen being 0, which will cause memdup_user() to return +ZERO_SIZE_PTR. +When we access the name.data that has been assigned the value of +ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is +triggered. + +[ T1205] ================================================================== +[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205 +[ T1205] +[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406 +[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 +[ T1205] Call Trace: +[ T1205] dump_stack+0x9a/0xd0 +[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] __kasan_report.cold+0x34/0x84 +[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] kasan_report+0x3a/0x50 +[ T1205] nfs4_client_to_reclaim+0xe9/0x260 +[ T1205] ? nfsd4_release_lockowner+0x410/0x410 +[ T1205] cld_pipe_downcall+0x5ca/0x760 +[ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0 +[ T1205] ? down_write_killable_nested+0x170/0x170 +[ T1205] ? avc_policy_seqno+0x28/0x40 +[ T1205] ? selinux_file_permission+0x1b4/0x1e0 +[ T1205] rpc_pipe_write+0x84/0xb0 +[ T1205] vfs_write+0x143/0x520 +[ T1205] ksys_write+0xc9/0x170 +[ T1205] ? __ia32_sys_read+0x50/0x50 +[ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110 +[ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110 +[ T1205] do_syscall_64+0x33/0x40 +[ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1 +[ T1205] RIP: 0033:0x7fdbdb761bc7 +[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514 +[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7 +[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008 +[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001 +[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b +[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000 +[ T1205] ================================================================== + +Fix it by checking namelen. + +Signed-off-by: Li Lingfeng +Fixes: 74725959c33c ("nfsd: un-deprecate nfsdcld") +Reviewed-by: Jeff Layton +Reviewed-by: Scott Mayhew +Tested-by: Scott Mayhew +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4recover.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c +index 14463e107918f..1abddad2b7ae7 100644 +--- a/fs/nfsd/nfs4recover.c ++++ b/fs/nfsd/nfs4recover.c +@@ -816,6 +816,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg, + ci = &cmsg->cm_u.cm_clntinfo; + if (get_user(namelen, &ci->cc_name.cn_len)) + return -EFAULT; ++ if (!namelen) { ++ dprintk("%s: namelen should not be zero", __func__); ++ return -EINVAL; ++ } + name.data = memdup_user(&ci->cc_name.cn_id, namelen); + if (IS_ERR_OR_NULL(name.data)) + return -EFAULT; +@@ -838,6 +842,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg, + cnm = &cmsg->cm_u.cm_name; + if (get_user(namelen, &cnm->cn_len)) + return -EFAULT; ++ if (!namelen) { ++ dprintk("%s: namelen should not be zero", __func__); ++ return -EINVAL; ++ } + name.data = memdup_user(&cnm->cn_id, namelen); + if (IS_ERR_OR_NULL(name.data)) + return -EFAULT; +-- +2.43.0 + diff --git a/queue-5.4/nilfs2-determine-empty-node-blocks-as-corrupted.patch b/queue-5.4/nilfs2-determine-empty-node-blocks-as-corrupted.patch new file mode 100644 index 00000000000..356bd34bce4 --- /dev/null +++ b/queue-5.4/nilfs2-determine-empty-node-blocks-as-corrupted.patch @@ -0,0 +1,47 @@ +From a46ab0ad25c31b59734a5884464395727f88dc2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 17:13:08 +0900 +Subject: nilfs2: determine empty node blocks as corrupted + +From: Ryusuke Konishi + +[ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ] + +Due to the nature of b-trees, nilfs2 itself and admin tools such as +mkfs.nilfs2 will never create an intermediate b-tree node block with 0 +child nodes, nor will they delete (key, pointer)-entries that would result +in such a state. However, it is possible that a b-tree node block is +corrupted on the backing device and is read with 0 child nodes. + +Because operation is not guaranteed if the number of child nodes is 0 for +intermediate node blocks other than the root node, modify +nilfs_btree_node_broken(), which performs sanity checks when reading a +b-tree node block, so that such cases will be judged as metadata +corruption. + +Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com +Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") +Signed-off-by: Ryusuke Konishi +Cc: Lizhi Xu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index c2aca9cd78644..7cfff27b4b4a5 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -350,7 +350,7 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node, + if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN || + level >= NILFS_BTREE_LEVEL_MAX || + (flags & NILFS_BTREE_NODE_ROOT) || +- nchildren < 0 || ++ nchildren <= 0 || + nchildren > NILFS_BTREE_NODE_NCHILDREN_MAX(size))) { + nilfs_crit(inode->i_sb, + "bad btree node (ino=%lu, blocknr=%llu): level = %d, flags = 0x%x, nchildren = %d", +-- +2.43.0 + diff --git a/queue-5.4/nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch b/queue-5.4/nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch new file mode 100644 index 00000000000..f71008cc13e --- /dev/null +++ b/queue-5.4/nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch @@ -0,0 +1,66 @@ +From fb49543eecae490ac4d5844a1cbee8df2820bc4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 17:13:07 +0900 +Subject: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() + +From: Ryusuke Konishi + +[ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ] + +Patch series "nilfs2: fix potential issues with empty b-tree nodes". + +This series addresses three potential issues with empty b-tree nodes that +can occur with corrupted filesystem images, including one recently +discovered by syzbot. + +This patch (of 3): + +If a b-tree is broken on the device, and the b-tree height is greater than +2 (the level of the root node is greater than 1) even if the number of +child nodes of the b-tree root is 0, a NULL pointer dereference occurs in +nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert(). + +This is because, when the number of child nodes of the b-tree root is 0, +nilfs_btree_do_lookup() does not set the block buffer head in any of +path[x].bp_bh, leaving it as the initial value of NULL, but if the level +of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(), +which accesses the buffer memory of path[x].bp_bh, is called. + +Fix this issue by adding a check to nilfs_btree_root_broken(), which +performs sanity checks when reading the root node from the device, to +detect this inconsistency. + +Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause +early on. + +Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com +Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com +Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+9bff4c7b992038a7409f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9bff4c7b992038a7409f +Cc: Lizhi Xu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index a426e4e2acdac..c2aca9cd78644 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -381,7 +381,8 @@ static int nilfs_btree_root_broken(const struct nilfs_btree_node *node, + if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN || + level >= NILFS_BTREE_LEVEL_MAX || + nchildren < 0 || +- nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) { ++ nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX || ++ (nchildren == 0 && level > NILFS_BTREE_LEVEL_NODE_MIN))) { + nilfs_crit(inode->i_sb, + "bad btree root (ino=%lu): level = %d, flags = 0x%x, nchildren = %d", + inode->i_ino, level, flags, nchildren); +-- +2.43.0 + diff --git a/queue-5.4/nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch b/queue-5.4/nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch new file mode 100644 index 00000000000..e6e0bd5be50 --- /dev/null +++ b/queue-5.4/nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch @@ -0,0 +1,68 @@ +From 623103284970a2489e9faa1fbb64b24e4fdfeb3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2024 17:13:09 +0900 +Subject: nilfs2: fix potential oob read in nilfs_btree_check_delete() + +From: Ryusuke Konishi + +[ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ] + +The function nilfs_btree_check_delete(), which checks whether degeneration +to direct mapping occurs before deleting a b-tree entry, causes memory +access outside the block buffer when retrieving the maximum key if the +root node has no entries. + +This does not usually happen because b-tree mappings with 0 child nodes +are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen +if the b-tree root node read from a device is configured that way, so fix +this potential issue by adding a check for that case. + +Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com +Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") +Signed-off-by: Ryusuke Konishi +Cc: Lizhi Xu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index 7cfff27b4b4a5..7c9f4d79bdbc5 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -1660,13 +1660,16 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key) + int nchildren, ret; + + root = nilfs_btree_get_root(btree); ++ nchildren = nilfs_btree_node_get_nchildren(root); ++ if (unlikely(nchildren == 0)) ++ return 0; ++ + switch (nilfs_btree_height(btree)) { + case 2: + bh = NULL; + node = root; + break; + case 3: +- nchildren = nilfs_btree_node_get_nchildren(root); + if (nchildren > 1) + return 0; + ptr = nilfs_btree_node_get_ptr(root, nchildren - 1, +@@ -1675,12 +1678,12 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key) + if (ret < 0) + return ret; + node = (struct nilfs_btree_node *)bh->b_data; ++ nchildren = nilfs_btree_node_get_nchildren(node); + break; + default: + return 0; + } + +- nchildren = nilfs_btree_node_get_nchildren(node); + maxkey = nilfs_btree_node_get_key(node, nchildren - 1); + nextmaxkey = (nchildren > 1) ? + nilfs_btree_node_get_key(node, nchildren - 2) : 0; +-- +2.43.0 + diff --git a/queue-5.4/ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch b/queue-5.4/ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch new file mode 100644 index 00000000000..ed2918bc81a --- /dev/null +++ b/queue-5.4/ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch @@ -0,0 +1,37 @@ +From 3f755c503c6ea1f150f46f2086462640f065903b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 20:39:27 +0800 +Subject: ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() + +From: Jinjie Ruan + +[ Upstream commit e229897d373a87ee09ec5cc4ecd4bb2f895fc16b ] + +The debugfs_create_dir() function returns error pointers. +It never returns NULL. So use IS_ERR() to check it. + +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Jinjie Ruan +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index 8d8739bff9f3c..6fd5d5e21e36a 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -775,7 +775,7 @@ static void ndev_init_debugfs(struct intel_ntb_dev *ndev) + ndev->debugfs_dir = + debugfs_create_dir(pci_name(ndev->ntb.pdev), + debugfs_dir); +- if (!ndev->debugfs_dir) ++ if (IS_ERR(ndev->debugfs_dir)) + ndev->debugfs_info = NULL; + else + ndev->debugfs_info = +-- +2.43.0 + diff --git a/queue-5.4/pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch b/queue-5.4/pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch new file mode 100644 index 00000000000..f7c6696f8b2 --- /dev/null +++ b/queue-5.4/pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch @@ -0,0 +1,45 @@ +From 01af42bfb8cecf42becda2f9582f065980ff862f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 18:53:26 -0500 +Subject: PCI: keystone: Fix if-statement expression in ks_pcie_quirk() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit 6188a1c762eb9bbd444f47696eda77a5eae6207a ] + +This code accidentally uses && where || was intended. It potentially +results in a NULL dereference. + +Thus, fix the if-statement expression to use the correct condition. + +Fixes: 86f271f22bbb ("PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)") +Link: https://lore.kernel.org/linux-pci/1b762a93-e1b2-4af3-8c04-c8843905c279@stanley.mountain +Signed-off-by: Dan Carpenter +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Siddharth Vadapalli +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pci-keystone.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c +index a16fe2a558c7a..b28d3c4205fe4 100644 +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -595,7 +595,7 @@ static void ks_pcie_quirk(struct pci_dev *dev) + */ + if (pci_match_id(am6_pci_devids, bridge)) { + bridge_dev = pci_get_host_bridge_device(dev); +- if (!bridge_dev && !bridge_dev->parent) ++ if (!bridge_dev || !bridge_dev->parent) + return; + + ks_pcie = dev_get_drvdata(bridge_dev->parent); +-- +2.43.0 + diff --git a/queue-5.4/pci-xilinx-nwl-fix-register-misspelling.patch b/queue-5.4/pci-xilinx-nwl-fix-register-misspelling.patch new file mode 100644 index 00000000000..a7491cf5e9b --- /dev/null +++ b/queue-5.4/pci-xilinx-nwl-fix-register-misspelling.patch @@ -0,0 +1,62 @@ +From 268de71b99458abda63aa7b9f08571bcfa24c98b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 12:13:33 -0400 +Subject: PCI: xilinx-nwl: Fix register misspelling + +From: Sean Anderson + +[ Upstream commit a437027ae1730b8dc379c75fa0dd7d3036917400 ] + +MSIC -> MISC + +Fixes: c2a7ff18edcd ("PCI: xilinx-nwl: Expand error logging") +Link: https://lore.kernel.org/r/20240531161337.864994-4-sean.anderson@linux.dev +Signed-off-by: Sean Anderson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-xilinx-nwl.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c +index 11b046b20b92a..539bf53beb654 100644 +--- a/drivers/pci/controller/pcie-xilinx-nwl.c ++++ b/drivers/pci/controller/pcie-xilinx-nwl.c +@@ -79,8 +79,8 @@ + #define MSGF_MISC_SR_NON_FATAL_DEV BIT(22) + #define MSGF_MISC_SR_FATAL_DEV BIT(23) + #define MSGF_MISC_SR_LINK_DOWN BIT(24) +-#define MSGF_MSIC_SR_LINK_AUTO_BWIDTH BIT(25) +-#define MSGF_MSIC_SR_LINK_BWIDTH BIT(26) ++#define MSGF_MISC_SR_LINK_AUTO_BWIDTH BIT(25) ++#define MSGF_MISC_SR_LINK_BWIDTH BIT(26) + + #define MSGF_MISC_SR_MASKALL (MSGF_MISC_SR_RXMSG_AVAIL | \ + MSGF_MISC_SR_RXMSG_OVER | \ +@@ -95,8 +95,8 @@ + MSGF_MISC_SR_NON_FATAL_DEV | \ + MSGF_MISC_SR_FATAL_DEV | \ + MSGF_MISC_SR_LINK_DOWN | \ +- MSGF_MSIC_SR_LINK_AUTO_BWIDTH | \ +- MSGF_MSIC_SR_LINK_BWIDTH) ++ MSGF_MISC_SR_LINK_AUTO_BWIDTH | \ ++ MSGF_MISC_SR_LINK_BWIDTH) + + /* Legacy interrupt status mask bits */ + #define MSGF_LEG_SR_INTA BIT(0) +@@ -308,10 +308,10 @@ static irqreturn_t nwl_pcie_misc_handler(int irq, void *data) + if (misc_stat & MSGF_MISC_SR_FATAL_DEV) + dev_err(dev, "Fatal Error Detected\n"); + +- if (misc_stat & MSGF_MSIC_SR_LINK_AUTO_BWIDTH) ++ if (misc_stat & MSGF_MISC_SR_LINK_AUTO_BWIDTH) + dev_info(dev, "Link Autonomous Bandwidth Management Status bit set\n"); + +- if (misc_stat & MSGF_MSIC_SR_LINK_BWIDTH) ++ if (misc_stat & MSGF_MISC_SR_LINK_BWIDTH) + dev_info(dev, "Link Bandwidth Management Status bit set\n"); + + /* Clear misc interrupt status */ +-- +2.43.0 + diff --git a/queue-5.4/perf-sched-timehist-fix-missing-free-of-session-in-p.patch b/queue-5.4/perf-sched-timehist-fix-missing-free-of-session-in-p.patch new file mode 100644 index 00000000000..84d447b07ec --- /dev/null +++ b/queue-5.4/perf-sched-timehist-fix-missing-free-of-session-in-p.patch @@ -0,0 +1,49 @@ +From 18f5e3a01281458e74daf7288efaae19910b92cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:35:33 +0800 +Subject: perf sched timehist: Fix missing free of session in + perf_sched__timehist() + +From: Yang Jihong + +[ Upstream commit 6bdf5168b6fb19541b0c1862bdaa596d116c7bfb ] + +When perf_time__parse_str() fails in perf_sched__timehist(), +need to free session that was previously created, fix it. + +Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest") +Signed-off-by: Yang Jihong +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20240806023533.1316348-1-yangjihong@bytedance.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 0826893098ce4..9e2c7779f5b0a 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -3000,7 +3000,8 @@ static int perf_sched__timehist(struct perf_sched *sched) + + if (perf_time__parse_str(&sched->ptime, sched->time_str) != 0) { + pr_err("Invalid time string\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto out; + } + + if (timehist_check_attr(sched, evlist) != 0) +-- +2.43.0 + diff --git a/queue-5.4/perf-sched-timehist-fixed-timestamp-error-when-unabl.patch b/queue-5.4/perf-sched-timehist-fixed-timestamp-error-when-unabl.patch new file mode 100644 index 00000000000..7c6660ee982 --- /dev/null +++ b/queue-5.4/perf-sched-timehist-fixed-timestamp-error-when-unabl.patch @@ -0,0 +1,99 @@ +From 45632e48b51e98332806991b89b4c4fa6ef82859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 10:47:20 +0800 +Subject: perf sched timehist: Fixed timestamp error when unable to confirm + event sched_in time + +From: Yang Jihong + +[ Upstream commit 39c243411bdb8fb35777adf49ee32549633c4e12 ] + +If sched_in event for current task is not recorded, sched_in timestamp +will be set to end_time of time window interest, causing an error in +timestamp show. In this case, we choose to ignore this event. + +Test scenario: + + perf[1229608] does not record the first sched_in event, run time and sch delay are both 0 + + # perf sched timehist + Samples of sched_switch event do not have callchains. + time cpu task name wait time sch delay run time + [tid/pid] (msec) (msec) (msec) + --------------- ------ ------------------------------ --------- --------- --------- + 2090450.763231 [0000] perf[1229608] 0.000 0.000 0.000 + 2090450.763235 [0000] migration/0[15] 0.000 0.001 0.003 + 2090450.763263 [0001] perf[1229608] 0.000 0.000 0.000 + 2090450.763268 [0001] migration/1[21] 0.000 0.001 0.004 + 2090450.763302 [0002] perf[1229608] 0.000 0.000 0.000 + 2090450.763309 [0002] migration/2[27] 0.000 0.001 0.007 + 2090450.763338 [0003] perf[1229608] 0.000 0.000 0.000 + 2090450.763343 [0003] migration/3[33] 0.000 0.001 0.004 + +Before: + + arbitrarily specify a time window of interest, timestamp will be set to an incorrect value + + # perf sched timehist --time 100,200 + Samples of sched_switch event do not have callchains. + time cpu task name wait time sch delay run time + [tid/pid] (msec) (msec) (msec) + --------------- ------ ------------------------------ --------- --------- --------- + 200.000000 [0000] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0001] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0002] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0003] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0004] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0005] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0006] perf[1229608] 0.000 0.000 0.000 + 200.000000 [0007] perf[1229608] 0.000 0.000 0.000 + + After: + + # perf sched timehist --time 100,200 + Samples of sched_switch event do not have callchains. + time cpu task name wait time sch delay run time + [tid/pid] (msec) (msec) (msec) + --------------- ------ ------------------------------ --------- --------- --------- + +Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest") +Signed-off-by: Yang Jihong +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20240819024720.2405244-1-yangjihong@bytedance.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-sched.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c +index 9e2c7779f5b0a..09c14a0f93ec2 100644 +--- a/tools/perf/builtin-sched.c ++++ b/tools/perf/builtin-sched.c +@@ -2561,9 +2561,12 @@ static int timehist_sched_change_event(struct perf_tool *tool, + * - previous sched event is out of window - we are done + * - sample time is beyond window user cares about - reset it + * to close out stats for time window interest ++ * - If tprev is 0, that is, sched_in event for current task is ++ * not recorded, cannot determine whether sched_in event is ++ * within time window interest - ignore it + */ + if (ptime->end) { +- if (tprev > ptime->end) ++ if (!tprev || tprev > ptime->end) + goto out; + + if (t > ptime->end) +-- +2.43.0 + diff --git a/queue-5.4/perf-time-utils-fix-32-bit-nsec-parsing.patch b/queue-5.4/perf-time-utils-fix-32-bit-nsec-parsing.patch new file mode 100644 index 00000000000..85b29427898 --- /dev/null +++ b/queue-5.4/perf-time-utils-fix-32-bit-nsec-parsing.patch @@ -0,0 +1,70 @@ +From 4590eaf3575ce829448c904aaaa56d1861325eff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2024 00:04:11 -0700 +Subject: perf time-utils: Fix 32-bit nsec parsing + +From: Ian Rogers + +[ Upstream commit 38e2648a81204c9fc5b4c87a8ffce93a6ed91b65 ] + +The "time utils" test fails in 32-bit builds: + ... + parse_nsec_time("18446744073.709551615") + Failed. ptime 4294967295709551615 expected 18446744073709551615 + ... + +Switch strtoul to strtoull as an unsigned long in 32-bit build isn't +64-bits. + +Fixes: c284d669a20d408b ("perf tools: Move parse_nsec_time to time-utils.c") +Signed-off-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Athira Rajeev +Cc: Chaitanya S Prakash +Cc: Colin Ian King +Cc: David Ahern +Cc: Dominique Martinet +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: John Garry +Cc: Junhao He +Cc: Kan Liang +Cc: Mark Rutland +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Yang Jihong +Link: https://lore.kernel.org/r/20240831070415.506194-3-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/time-utils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/time-utils.c b/tools/perf/util/time-utils.c +index 3024439216816..1b91ccd4d5234 100644 +--- a/tools/perf/util/time-utils.c ++++ b/tools/perf/util/time-utils.c +@@ -20,7 +20,7 @@ int parse_nsec_time(const char *str, u64 *ptime) + u64 time_sec, time_nsec; + char *end; + +- time_sec = strtoul(str, &end, 10); ++ time_sec = strtoull(str, &end, 10); + if (*end != '.' && *end != '\0') + return -1; + +@@ -38,7 +38,7 @@ int parse_nsec_time(const char *str, u64 *ptime) + for (i = strlen(nsec_buf); i < 9; i++) + nsec_buf[i] = '0'; + +- time_nsec = strtoul(nsec_buf, &end, 10); ++ time_nsec = strtoull(nsec_buf, &end, 10); + if (*end != '\0') + return -1; + } else +-- +2.43.0 + diff --git a/queue-5.4/pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch b/queue-5.4/pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch new file mode 100644 index 00000000000..afe311b30bc --- /dev/null +++ b/queue-5.4/pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch @@ -0,0 +1,119 @@ +From 104c3c70af958b68428c57ff395de99e48ad2fc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 14:48:23 +0800 +Subject: pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function + +From: Wang Jianzheng + +[ Upstream commit c25478419f6fd3f74c324a21ec007cf14f2688d7 ] + +When an error occurs during the execution of the function +__devinit_dove_pinctrl_probe, the clk is not properly disabled. + +Fix this by calling clk_disable_unprepare before return. + +Fixes: ba607b6238a1 ("pinctrl: mvebu: make pdma clock on dove mandatory") +Signed-off-by: Wang Jianzheng +Link: https://lore.kernel.org/20240829064823.19808-1-wangjianzheng@vivo.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-dove.c | 42 +++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c +index bd74daa9ed666..c84326dfe371c 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-dove.c ++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c +@@ -769,7 +769,7 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + of_match_device(dove_pinctrl_of_match, &pdev->dev); + struct mvebu_mpp_ctrl_data *mpp_data; + void __iomem *base; +- int i; ++ int i, ret; + + pdev->dev.platform_data = (void *)match->data; + +@@ -785,13 +785,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + clk_prepare_enable(clk); + + base = devm_platform_get_and_ioremap_resource(pdev, 0, &mpp_res); +- if (IS_ERR(base)) +- return PTR_ERR(base); ++ if (IS_ERR(base)) { ++ ret = PTR_ERR(base); ++ goto err_probe; ++ } + + mpp_data = devm_kcalloc(&pdev->dev, dove_pinctrl_info.ncontrols, + sizeof(*mpp_data), GFP_KERNEL); +- if (!mpp_data) +- return -ENOMEM; ++ if (!mpp_data) { ++ ret = -ENOMEM; ++ goto err_probe; ++ } + + dove_pinctrl_info.control_data = mpp_data; + for (i = 0; i < ARRAY_SIZE(dove_mpp_controls); i++) +@@ -810,8 +814,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + } + + mpp4_base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(mpp4_base)) +- return PTR_ERR(mpp4_base); ++ if (IS_ERR(mpp4_base)) { ++ ret = PTR_ERR(mpp4_base); ++ goto err_probe; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 2); + if (!res) { +@@ -822,8 +828,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + } + + pmu_base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(pmu_base)) +- return PTR_ERR(pmu_base); ++ if (IS_ERR(pmu_base)) { ++ ret = PTR_ERR(pmu_base); ++ goto err_probe; ++ } + + gconfmap = syscon_regmap_lookup_by_compatible("marvell,dove-global-config"); + if (IS_ERR(gconfmap)) { +@@ -833,12 +841,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + adjust_resource(&fb_res, + (mpp_res->start & INT_REGS_MASK) + GC_REGS_OFFS, 0x14); + gc_base = devm_ioremap_resource(&pdev->dev, &fb_res); +- if (IS_ERR(gc_base)) +- return PTR_ERR(gc_base); ++ if (IS_ERR(gc_base)) { ++ ret = PTR_ERR(gc_base); ++ goto err_probe; ++ } ++ + gconfmap = devm_regmap_init_mmio(&pdev->dev, + gc_base, &gc_regmap_config); +- if (IS_ERR(gconfmap)) +- return PTR_ERR(gconfmap); ++ if (IS_ERR(gconfmap)) { ++ ret = PTR_ERR(gconfmap); ++ goto err_probe; ++ } + } + + /* Warn on any missing DT resource */ +@@ -846,6 +859,9 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + dev_warn(&pdev->dev, FW_BUG "Missing pinctrl regs in DTB. Please update your firmware.\n"); + + return mvebu_pinctrl_probe(pdev); ++err_probe: ++ clk_disable_unprepare(clk); ++ return ret; + } + + static struct platform_driver dove_pinctrl_driver = { +-- +2.43.0 + diff --git a/queue-5.4/pinctrl-mvebu-use-devm_platform_get_and_ioremap_reso.patch b/queue-5.4/pinctrl-mvebu-use-devm_platform_get_and_ioremap_reso.patch new file mode 100644 index 00000000000..d776222974a --- /dev/null +++ b/queue-5.4/pinctrl-mvebu-use-devm_platform_get_and_ioremap_reso.patch @@ -0,0 +1,39 @@ +From 8ddcdda372eafc7eb01c16a62116a56cb68a57a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 20:47:40 +0800 +Subject: pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource() + +From: Yangtao Li + +[ Upstream commit 2d357f25663ddfef47ffe26da21155302153d168 ] + +Convert platform_get_resource(), devm_ioremap_resource() to a single +call to devm_platform_get_and_ioremap_resource(), as this is exactly +what this function does. + +Signed-off-by: Yangtao Li +Link: https://lore.kernel.org/r/20230704124742.9596-2-frank.li@vivo.com +Signed-off-by: Linus Walleij +Stable-dep-of: c25478419f6f ("pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function") +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-dove.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c +index 545486d98532d..bd74daa9ed666 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-dove.c ++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c +@@ -784,8 +784,7 @@ static int dove_pinctrl_probe(struct platform_device *pdev) + } + clk_prepare_enable(clk); + +- mpp_res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- base = devm_ioremap_resource(&pdev->dev, mpp_res); ++ base = devm_platform_get_and_ioremap_resource(pdev, 0, &mpp_res); + if (IS_ERR(base)) + return PTR_ERR(base); + +-- +2.43.0 + diff --git a/queue-5.4/pinctrl-single-fix-missing-error-code-in-pcs_probe.patch b/queue-5.4/pinctrl-single-fix-missing-error-code-in-pcs_probe.patch new file mode 100644 index 00000000000..2367eea33c4 --- /dev/null +++ b/queue-5.4/pinctrl-single-fix-missing-error-code-in-pcs_probe.patch @@ -0,0 +1,37 @@ +From 486fcb274e20c0ddded47035e78a43056769f031 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2024 10:46:25 +0800 +Subject: pinctrl: single: fix missing error code in pcs_probe() + +From: Yang Yingliang + +[ Upstream commit cacd8cf79d7823b07619865e994a7916fcc8ae91 ] + +If pinctrl_enable() fails in pcs_probe(), it should return the error code. + +Fixes: 8f773bfbdd42 ("pinctrl: single: fix possible memory leak when pinctrl_enable() fails") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/20240819024625.154441-1-yangyingliang@huaweicloud.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index 43b25119efa2e..ec021e6580b2c 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1898,7 +1898,8 @@ static int pcs_probe(struct platform_device *pdev) + + dev_info(pcs->dev, "%i pins, size %u\n", pcs->desc.npins, pcs->size); + +- if (pinctrl_enable(pcs->pctl)) ++ ret = pinctrl_enable(pcs->pctl); ++ if (ret) + goto free; + + return 0; +-- +2.43.0 + diff --git a/queue-5.4/power-supply-axp20x_battery-allow-disabling-battery-.patch b/queue-5.4/power-supply-axp20x_battery-allow-disabling-battery-.patch new file mode 100644 index 00000000000..f04533f0985 --- /dev/null +++ b/queue-5.4/power-supply-axp20x_battery-allow-disabling-battery-.patch @@ -0,0 +1,69 @@ +From 03f8cd18f09b845440e4b8d2806bb4551481d163 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 12:58:56 +0200 +Subject: power: supply: axp20x_battery: allow disabling battery charging + +From: Hermann Lauer + +[ Upstream commit 6a0fcc87c9e35191d37a8819fdab9d30e523515b ] + +Allow disabling and re-enabling battery charging of an axp209 PMIC +through a writable status property. With the current driver code +charging is always on. + +This works on the axp209 of Banana {Pi M1+,Pro} and should work on all +AXP chips. + +Signed-off-by: Hermann.Lauer@uni-heidelberg.de +Signed-off-by: Sebastian Reichel +Stable-dep-of: 61978807b00f ("power: supply: axp20x_battery: Remove design from min and max voltage") +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp20x_battery.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/axp20x_battery.c b/drivers/power/supply/axp20x_battery.c +index 9fda98b950bab..335e12cc5e2f9 100644 +--- a/drivers/power/supply/axp20x_battery.c ++++ b/drivers/power/supply/axp20x_battery.c +@@ -40,6 +40,7 @@ + #define AXP209_FG_PERCENT GENMASK(6, 0) + #define AXP22X_FG_VALID BIT(7) + ++#define AXP20X_CHRG_CTRL1_ENABLE BIT(7) + #define AXP20X_CHRG_CTRL1_TGT_VOLT GENMASK(6, 5) + #define AXP20X_CHRG_CTRL1_TGT_4_1V (0 << 5) + #define AXP20X_CHRG_CTRL1_TGT_4_15V (1 << 5) +@@ -467,7 +468,18 @@ static int axp20x_battery_set_prop(struct power_supply *psy, + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX: + return axp20x_set_max_constant_charge_current(axp20x_batt, + val->intval); +- ++ case POWER_SUPPLY_PROP_STATUS: ++ switch (val->intval) { ++ case POWER_SUPPLY_STATUS_CHARGING: ++ return regmap_update_bits(axp20x_batt->regmap, AXP20X_CHRG_CTRL1, ++ AXP20X_CHRG_CTRL1_ENABLE, AXP20X_CHRG_CTRL1_ENABLE); ++ ++ case POWER_SUPPLY_STATUS_DISCHARGING: ++ case POWER_SUPPLY_STATUS_NOT_CHARGING: ++ return regmap_update_bits(axp20x_batt->regmap, AXP20X_CHRG_CTRL1, ++ AXP20X_CHRG_CTRL1_ENABLE, 0); ++ } ++ fallthrough; + default: + return -EINVAL; + } +@@ -490,7 +502,8 @@ static enum power_supply_property axp20x_battery_props[] = { + static int axp20x_battery_prop_writeable(struct power_supply *psy, + enum power_supply_property psp) + { +- return psp == POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN || ++ return psp == POWER_SUPPLY_PROP_STATUS || ++ psp == POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN || + psp == POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN || + psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT || + psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX; +-- +2.43.0 + diff --git a/queue-5.4/power-supply-axp20x_battery-remove-design-from-min-a.patch b/queue-5.4/power-supply-axp20x_battery-remove-design-from-min-a.patch new file mode 100644 index 00000000000..059cf57dd34 --- /dev/null +++ b/queue-5.4/power-supply-axp20x_battery-remove-design-from-min-a.patch @@ -0,0 +1,82 @@ +From e01866f805f55856401440a0df2ed985f5653330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2024 16:54:43 -0500 +Subject: power: supply: axp20x_battery: Remove design from min and max voltage + +From: Chris Morgan + +[ Upstream commit 61978807b00f8a1817b0e5580981af1cd2f428a5 ] + +The POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN and +POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN values should be immutable +properties of the battery, but for this driver they are writable values +and used as the minimum and maximum values for charging. Remove the +DESIGN designation from these values. + +Fixes: 46c202b5f25f ("power: supply: add battery driver for AXP20X and AXP22X PMICs") +Suggested-by: Chen-Yu Tsai +Signed-off-by: Chris Morgan +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240821215456.962564-3-macroalpha82@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp20x_battery.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/power/supply/axp20x_battery.c b/drivers/power/supply/axp20x_battery.c +index 335e12cc5e2f9..d62a249f65da0 100644 +--- a/drivers/power/supply/axp20x_battery.c ++++ b/drivers/power/supply/axp20x_battery.c +@@ -304,11 +304,11 @@ static int axp20x_battery_get_prop(struct power_supply *psy, + val->intval = reg & AXP209_FG_PERCENT; + break; + +- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MAX: + return axp20x_batt->data->get_max_voltage(axp20x_batt, + &val->intval); + +- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MIN: + ret = regmap_read(axp20x_batt->regmap, AXP20X_V_OFF, ®); + if (ret) + return ret; +@@ -456,10 +456,10 @@ static int axp20x_battery_set_prop(struct power_supply *psy, + struct axp20x_batt_ps *axp20x_batt = power_supply_get_drvdata(psy); + + switch (psp) { +- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MIN: + return axp20x_set_voltage_min_design(axp20x_batt, val->intval); + +- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN: ++ case POWER_SUPPLY_PROP_VOLTAGE_MAX: + return axp20x_batt->data->set_max_voltage(axp20x_batt, val->intval); + + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT: +@@ -494,8 +494,8 @@ static enum power_supply_property axp20x_battery_props[] = { + POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT, + POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX, + POWER_SUPPLY_PROP_HEALTH, +- POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN, +- POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN, ++ POWER_SUPPLY_PROP_VOLTAGE_MAX, ++ POWER_SUPPLY_PROP_VOLTAGE_MIN, + POWER_SUPPLY_PROP_CAPACITY, + }; + +@@ -503,8 +503,8 @@ static int axp20x_battery_prop_writeable(struct power_supply *psy, + enum power_supply_property psp) + { + return psp == POWER_SUPPLY_PROP_STATUS || +- psp == POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN || +- psp == POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN || ++ psp == POWER_SUPPLY_PROP_VOLTAGE_MIN || ++ psp == POWER_SUPPLY_PROP_VOLTAGE_MAX || + psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT || + psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX; + } +-- +2.43.0 + diff --git a/queue-5.4/power-supply-max17042_battery-fix-soc-threshold-calc.patch b/queue-5.4/power-supply-max17042_battery-fix-soc-threshold-calc.patch new file mode 100644 index 00000000000..93c86a40616 --- /dev/null +++ b/queue-5.4/power-supply-max17042_battery-fix-soc-threshold-calc.patch @@ -0,0 +1,59 @@ +From 2cbc71bcf564bdaa1b3d38ffe7eab0f6e0882ce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Aug 2024 12:51:14 +0200 +Subject: power: supply: max17042_battery: Fix SOC threshold calc w/ no current + sense + +From: Artur Weber + +[ Upstream commit 3a3acf839b2cedf092bdd1ff65b0e9895df1656b ] + +Commit 223a3b82834f ("power: supply: max17042_battery: use VFSOC for +capacity when no rsns") made it so that capacity on systems without +current sensing would be read from VFSOC instead of RepSOC. However, +the SOC threshold calculation still read RepSOC to get the SOC +regardless of the current sensing option state. + +Fix this by applying the same conditional to determine which register +should be read. + +This also seems to be the intended behavior as per the datasheet - SOC +alert config value in MiscCFG on setups without current sensing is set +to a value of 0b11, indicating SOC alerts being generated based on +VFSOC, instead of 0b00 which indicates SOC alerts being generated based +on RepSOC. + +This fixes an issue on the Galaxy S3/Midas boards, where the alert +interrupt would be constantly retriggered, causing high CPU usage +on idle (around ~12%-15%). + +Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC") +Signed-off-by: Artur Weber +Reviewed-by: Henrik Grimler +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240817-max17042-soc-threshold-fix-v1-1-72b45899c3cc@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max17042_battery.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c +index 170639a1e734a..b3afcc5ffd57b 100644 +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -834,7 +834,10 @@ static void max17042_set_soc_threshold(struct max17042_chip *chip, u16 off) + /* program interrupt thesholds such that we should + * get interrupt for every 'off' perc change in the soc + */ +- regmap_read(map, MAX17042_RepSOC, &soc); ++ if (chip->pdata->enable_current_sense) ++ regmap_read(map, MAX17042_RepSOC, &soc); ++ else ++ regmap_read(map, MAX17042_VFSOC, &soc); + soc >>= 8; + soc_tr = (soc + off) << 8; + if (off < soc) +-- +2.43.0 + diff --git a/queue-5.4/rdma-cxgb4-added-null-check-for-lookup_atid.patch b/queue-5.4/rdma-cxgb4-added-null-check-for-lookup_atid.patch new file mode 100644 index 00000000000..33e24ef8f24 --- /dev/null +++ b/queue-5.4/rdma-cxgb4-added-null-check-for-lookup_atid.patch @@ -0,0 +1,52 @@ +From 522578510f010bcefae576d7d3303e9943f575a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 10:58:39 -0400 +Subject: RDMA/cxgb4: Added NULL check for lookup_atid + +From: Mikhail Lobanov + +[ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ] + +The lookup_atid() function can return NULL if the ATID is +invalid or does not exist in the identifier table, which +could lead to dereferencing a null pointer without a +check in the `act_establish()` and `act_open_rpl()` functions. +Add a NULL check to prevent null pointer dereferencing. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") +Signed-off-by: Mikhail Lobanov +Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index c7214c49f202f..01750eb5458e0 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -1222,6 +1222,8 @@ static int act_establish(struct c4iw_dev *dev, struct sk_buff *skb) + int ret; + + ep = lookup_atid(t, atid); ++ if (!ep) ++ return -EINVAL; + + pr_debug("ep %p tid %u snd_isn %u rcv_isn %u\n", ep, tid, + be32_to_cpu(req->snd_isn), be32_to_cpu(req->rcv_isn)); +@@ -2279,6 +2281,9 @@ static int act_open_rpl(struct c4iw_dev *dev, struct sk_buff *skb) + int ret = 0; + + ep = lookup_atid(t, atid); ++ if (!ep) ++ return -EINVAL; ++ + la = (struct sockaddr_in *)&ep->com.local_addr; + ra = (struct sockaddr_in *)&ep->com.remote_addr; + la6 = (struct sockaddr_in6 *)&ep->com.local_addr; +-- +2.43.0 + diff --git a/queue-5.4/rdma-hns-optimize-hem-allocation-performance.patch b/queue-5.4/rdma-hns-optimize-hem-allocation-performance.patch new file mode 100644 index 00000000000..0531abb821a --- /dev/null +++ b/queue-5.4/rdma-hns-optimize-hem-allocation-performance.patch @@ -0,0 +1,57 @@ +From 67612aef383c1628057bfa3e1a9d674e0f98d403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 17:34:43 +0800 +Subject: RDMA/hns: Optimize hem allocation performance + +From: Junxian Huang + +[ Upstream commit fe51f6254d81f5a69c31df16353d6539b2b51630 ] + +When allocating MTT hem, for each hop level of each hem that is being +allocated, the driver iterates the hem list to find out whether the +bt page has been allocated in this hop level. If not, allocate a new +one and splice it to the list. The time complexity is O(n^2) in worst +cases. + +Currently the allocation for-loop uses 'unit' as the step size. This +actually has taken into account the reuse of last-hop-level MTT bt +pages by multiple buffer pages. Thus pages of last hop level will +never have been allocated, so there is no need to iterate the hem list +in last hop level. + +Removing this unnecessary iteration can reduce the time complexity to +O(n). + +Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20240906093444.3571619-9-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index e82215774032e..3aafe1e1a9987 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -1323,10 +1323,12 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev, + + /* config L1 bt to last bt and link them to corresponding parent */ + for (level = 1; level < hopnum; level++) { +- cur = hem_list_search_item(&mid_bt[level], offset); +- if (cur) { +- hem_ptrs[level] = cur; +- continue; ++ if (!hem_list_is_bottom_bt(hopnum, level)) { ++ cur = hem_list_search_item(&mid_bt[level], offset); ++ if (cur) { ++ hem_ptrs[level] = cur; ++ continue; ++ } + } + + step = hem_list_calc_ba_range(hopnum, level, unit); +-- +2.43.0 + diff --git a/queue-5.4/rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch b/queue-5.4/rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch new file mode 100644 index 00000000000..3c25ee64fcc --- /dev/null +++ b/queue-5.4/rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch @@ -0,0 +1,83 @@ +From 09f8fda2fbd84473107401e78d1a34dd7783be7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2024 13:33:36 +0200 +Subject: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency + +From: Zhu Yanjun + +[ Upstream commit 86dfdd8288907f03c18b7fb462e0e232c4f98d89 ] + +In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to +destroying CM IDs"), the function flush_workqueue is invoked to flush the +work queue iwcm_wq. + +But at that time, the work queue iwcm_wq was created via the function +alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM. + +Because the current process is trying to flush the whole iwcm_wq, if +iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current +process is not reclaiming memory or running on a workqueue which doesn't +have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee +leading to a deadlock. + +The call trace is as below: + +[ 125.350876][ T1430] Call Trace: +[ 125.356281][ T1430] +[ 125.361285][ T1430] ? __warn (kernel/panic.c:693) +[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) +[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219) +[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239) +[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) +[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) +[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) +[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) +[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970) +[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151) +[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm +[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910) +[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) +[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) +[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm +[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma +[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma +[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231) +[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393) +[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339) +[ 125.531837][ T1430] kthread (kernel/kthread.c:389) +[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342) +[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147) +[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342) +[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) +[ 125.566487][ T1430] +[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]--- + +Fixes: aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") +Link: https://patch.msgid.link/r/20240820113336.19860-1-yanjun.zhu@linux.dev +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202408151633.fc01893c-oliver.sang@intel.com +Tested-by: kernel test robot +Signed-off-by: Zhu Yanjun +Reviewed-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/iwcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c +index 7a6747850aea8..44362f693df9f 100644 +--- a/drivers/infiniband/core/iwcm.c ++++ b/drivers/infiniband/core/iwcm.c +@@ -1192,7 +1192,7 @@ static int __init iw_cm_init(void) + if (ret) + return ret; + +- iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0); ++ iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", WQ_MEM_RECLAIM); + if (!iwcm_wq) + goto err_alloc; + +-- +2.43.0 + diff --git a/queue-5.4/reset-berlin-fix-of-node-leak-in-probe-error-path.patch b/queue-5.4/reset-berlin-fix-of-node-leak-in-probe-error-path.patch new file mode 100644 index 00000000000..dc398cb34d1 --- /dev/null +++ b/queue-5.4/reset-berlin-fix-of-node-leak-in-probe-error-path.patch @@ -0,0 +1,46 @@ +From 4ea9a3030d05f0b4b7f291c6b6b9ea65fd876594 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 16:14:24 +0200 +Subject: reset: berlin: fix OF node leak in probe() error path + +From: Krzysztof Kozlowski + +[ Upstream commit 5f58a88cc91075be38cec69b7cb70aaa4ba69e8b ] + +Driver is leaking OF node reference on memory allocation failure. +Acquire the OF node reference after memory allocation to fix this and +keep it simple. + +Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-1-03f6d834f8c0@linaro.org +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/reset-berlin.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/reset/reset-berlin.c b/drivers/reset/reset-berlin.c +index 371197bbd0556..542d32719b8ae 100644 +--- a/drivers/reset/reset-berlin.c ++++ b/drivers/reset/reset-berlin.c +@@ -68,13 +68,14 @@ static int berlin_reset_xlate(struct reset_controller_dev *rcdev, + + static int berlin2_reset_probe(struct platform_device *pdev) + { +- struct device_node *parent_np = of_get_parent(pdev->dev.of_node); ++ struct device_node *parent_np; + struct berlin_reset_priv *priv; + + priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; + ++ parent_np = of_get_parent(pdev->dev.of_node); + priv->regmap = syscon_node_to_regmap(parent_np); + of_node_put(parent_np); + if (IS_ERR(priv->regmap)) +-- +2.43.0 + diff --git a/queue-5.4/riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch b/queue-5.4/riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch new file mode 100644 index 00000000000..7a739b63a40 --- /dev/null +++ b/queue-5.4/riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch @@ -0,0 +1,46 @@ +From 89417996bbf8dbf9704521eb906beacf44f4fb8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 11:28:46 +0800 +Subject: riscv: Fix fp alignment bug in perf_callchain_user() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jinjie Ruan + +[ Upstream commit 22ab08955ea13be04a8efd20cc30890e0afaa49c ] + +The standard RISC-V calling convention said: + "The stack grows downward and the stack pointer is always + kept 16-byte aligned". + +So perf_callchain_user() should check whether 16-byte aligned for fp. + +Link: https://riscv.org/wp-content/uploads/2015/01/riscv-calling.pdf + +Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support") +Signed-off-by: Jinjie Ruan +Cc: Björn Töpel +Link: https://lore.kernel.org/r/20240708032847.2998158-2-ruanjinjie@huawei.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/perf_callchain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/perf_callchain.c b/arch/riscv/kernel/perf_callchain.c +index 1de5991916eb9..11541cbe26b3d 100644 +--- a/arch/riscv/kernel/perf_callchain.c ++++ b/arch/riscv/kernel/perf_callchain.c +@@ -71,7 +71,7 @@ void perf_callchain_user(struct perf_callchain_entry_ctx *entry, + perf_callchain_store(entry, regs->sepc); + + fp = user_backtrace(entry, fp, regs->ra); +- while (fp && !(fp & 0x3) && entry->nr < entry->max_stack) ++ while (fp && !(fp & 0x7) && entry->nr < entry->max_stack) + fp = user_backtrace(entry, fp, 0); + } + +-- +2.43.0 + diff --git a/queue-5.4/selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch b/queue-5.4/selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch new file mode 100644 index 00000000000..3c2ee664e35 --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch @@ -0,0 +1,57 @@ +From 0b4979ea8f2ec4ec501dbcb4687bb14fa8e571ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:29 -0700 +Subject: selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c + +From: Tony Ambardar + +[ Upstream commit d393f9479d4aaab0fa4c3caf513f28685e831f13 ] + +Cast 'rlim_t' argument to match expected type of printf() format and avoid +compile errors seen building for mips64el/musl-libc: + + In file included from map_tests/sk_storage_map.c:20: + map_tests/sk_storage_map.c: In function 'test_sk_storage_map_stress_free': + map_tests/sk_storage_map.c:414:56: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'rlim_t' {aka 'long long unsigned int'} [-Werror=format=] + 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", + | ^~~~~~~~~~~~~~~~~~~~~~~ + 415 | rlim_new.rlim_cur, errno); + | ~~~~~~~~~~~~~~~~~ + | | + | rlim_t {aka long long unsigned int} + ./test_maps.h:12:24: note: in definition of macro 'CHECK' + 12 | printf(format); \ + | ^~~~~~ + map_tests/sk_storage_map.c:414:68: note: format string is defined here + 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", + | ~~^ + | | + | long unsigned int + | %llu + cc1: all warnings being treated as errors + +Fixes: 51a0e301a563 ("bpf: Add BPF_MAP_TYPE_SK_STORAGE test to test_maps") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/1e00a1fa7acf91b4ca135c4102dc796d518bad86.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/map_tests/sk_storage_map.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c +index e569edc679d88..9228e33cc0db7 100644 +--- a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c ++++ b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c +@@ -416,7 +416,7 @@ static void test_sk_storage_map_stress_free(void) + rlim_new.rlim_max = rlim_new.rlim_cur + 128; + err = setrlimit(RLIMIT_NOFILE, &rlim_new); + CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", +- rlim_new.rlim_cur, errno); ++ (unsigned long) rlim_new.rlim_cur, errno); + } + + err = do_sk_storage_map_stress_free(); +-- +2.43.0 + diff --git a/queue-5.4/selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch b/queue-5.4/selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch new file mode 100644 index 00000000000..e2f3ab07d5b --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch @@ -0,0 +1,46 @@ +From 9ef917e8e5cc0c620ef5d1c6c6fff07470c468e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:40 -0700 +Subject: selftests/bpf: Fix compiling flow_dissector.c with musl-libc + +From: Tony Ambardar + +[ Upstream commit 5e4c43bcb85973243d7274e0058b6e8f5810e4f7 ] + +The GNU version of 'struct tcphdr' has members 'doff', 'source' and 'dest', +which are not exposed by musl libc headers unless _GNU_SOURCE is defined. + +Add this definition to fix errors seen compiling for mips64el/musl-libc: + + flow_dissector.c:118:30: error: 'struct tcphdr' has no member named 'doff' + 118 | .tcp.doff = 5, + | ^~~~ + flow_dissector.c:119:30: error: 'struct tcphdr' has no member named 'source' + 119 | .tcp.source = 80, + | ^~~~~~ + flow_dissector.c:120:30: error: 'struct tcphdr' has no member named 'dest' + 120 | .tcp.dest = 8080, + | ^~~~ + +Fixes: ae173a915785 ("selftests/bpf: support BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/8f7ab21a73f678f9cebd32b26c444a686e57414d.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +index 9f3634c9971d0..8a921686d304f 100644 +--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c ++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 ++#define _GNU_SOURCE + #include + #include + #include +-- +2.43.0 + diff --git a/queue-5.4/selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch b/queue-5.4/selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch new file mode 100644 index 00000000000..ad27da0b509 --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch @@ -0,0 +1,43 @@ +From b274116a6556739246cb5319af9dc278e9479f3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2024 22:54:41 -0700 +Subject: selftests/bpf: Fix compiling tcp_rtt.c with musl-libc + +From: Tony Ambardar + +[ Upstream commit 18826fb0b79c3c3cd1fe765d85f9c6f1a902c722 ] + +The GNU version of 'struct tcp_info' in 'netinet/tcp.h' is not exposed by +musl headers unless _GNU_SOURCE is defined. + +Add this definition to fix errors seen compiling for mips64el/musl-libc: + + tcp_rtt.c: In function 'wait_for_ack': + tcp_rtt.c:24:25: error: storage size of 'info' isn't known + 24 | struct tcp_info info; + | ^~~~ + tcp_rtt.c:24:25: error: unused variable 'info' [-Werror=unused-variable] + cc1: all warnings being treated as errors + +Fixes: 1f4f80fed217 ("selftests/bpf: test_progs: convert test_tcp_rtt") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/f2329767b15df206f08a5776d35a47c37da855ae.1721713597.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c +index f4cd60d6fba2e..ef052f7845b67 100644 +--- a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c ++++ b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c +@@ -1,4 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 ++#define _GNU_SOURCE + #include + #include "cgroup_helpers.h" + +-- +2.43.0 + diff --git a/queue-5.4/selftests-bpf-fix-error-compiling-test_lru_map.c.patch b/queue-5.4/selftests-bpf-fix-error-compiling-test_lru_map.c.patch new file mode 100644 index 00000000000..0a03f79cdad --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-error-compiling-test_lru_map.c.patch @@ -0,0 +1,46 @@ +From 00a22eec41e20a1465c044fb350c2c7c6bafd702 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jul 2024 02:24:19 -0700 +Subject: selftests/bpf: Fix error compiling test_lru_map.c + +From: Tony Ambardar + +[ Upstream commit cacf2a5a78cd1f5f616eae043ebc6f024104b721 ] + +Although the post-increment in macro 'CPU_SET(next++, &cpuset)' seems safe, +the sequencing can raise compile errors, so move the increment outside the +macro. This avoids an error seen using gcc 12.3.0 for mips64el/musl-libc: + + In file included from test_lru_map.c:11: + test_lru_map.c: In function 'sched_next_online': + test_lru_map.c:129:29: error: operation on 'next' may be undefined [-Werror=sequence-point] + 129 | CPU_SET(next++, &cpuset); + | ^ + cc1: all warnings being treated as errors + +Fixes: 3fbfadce6012 ("bpf: Fix test_lru_sanity5() in test_lru_map.c") +Signed-off-by: Tony Ambardar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/22993dfb11ccf27925a626b32672fd3324cb76c4.1722244708.git.tony.ambardar@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_lru_map.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_lru_map.c b/tools/testing/selftests/bpf/test_lru_map.c +index 6a5349f9eb148..7748d28e8b97a 100644 +--- a/tools/testing/selftests/bpf/test_lru_map.c ++++ b/tools/testing/selftests/bpf/test_lru_map.c +@@ -137,7 +137,8 @@ static int sched_next_online(int pid, int *next_to_try) + + while (next < nr_cpus) { + CPU_ZERO(&cpuset); +- CPU_SET(next++, &cpuset); ++ CPU_SET(next, &cpuset); ++ next++; + if (!sched_setaffinity(pid, sizeof(cpuset), &cpuset)) { + ret = 0; + break; +-- +2.43.0 + diff --git a/queue-5.4/selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch b/queue-5.4/selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch new file mode 100644 index 00000000000..1170987d49a --- /dev/null +++ b/queue-5.4/selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch @@ -0,0 +1,108 @@ +From e5d14dd91f71ff65cabe4316b341c061e4a7190f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2024 14:28:37 +0200 +Subject: selftests: vDSO: fix vDSO symbols lookup for powerpc64 + +From: Christophe Leroy + +[ Upstream commit ba83b3239e657469709d15dcea5f9b65bf9dbf34 ] + +On powerpc64, following tests fail locating vDSO functions: + + ~ # ./vdso_test_abi + TAP version 13 + 1..16 + # [vDSO kselftest] VDSO_VERSION: LINUX_2.6.15 + # Couldn't find __kernel_gettimeofday + ok 1 # SKIP __kernel_gettimeofday + # clock_id: CLOCK_REALTIME + # Couldn't find __kernel_clock_gettime + ok 2 # SKIP __kernel_clock_gettime CLOCK_REALTIME + # Couldn't find __kernel_clock_getres + ok 3 # SKIP __kernel_clock_getres CLOCK_REALTIME + ... + # Couldn't find __kernel_time + ok 16 # SKIP __kernel_time + # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:16 error:0 + + ~ # ./vdso_test_getrandom + __kernel_getrandom is missing! + + ~ # ./vdso_test_gettimeofday + Could not find __kernel_gettimeofday + + ~ # ./vdso_test_getcpu + Could not find __kernel_getcpu + +On powerpc64, as shown below by readelf, vDSO functions symbols have +type NOTYPE, so also accept that type when looking for symbols. + +$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg +ELF Header: + Magic: 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00 + Class: ELF64 + Data: 2's complement, big endian + Version: 1 (current) + OS/ABI: UNIX - System V + ABI Version: 0 + Type: DYN (Shared object file) + Machine: PowerPC64 + Version: 0x1 +... + +Symbol table '.dynsym' contains 12 entries: + Num: Value Size Type Bind Vis Ndx Name + 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND + 1: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 2: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 3: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 4: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15 + 5: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 6: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 7: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 8: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 9: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 10: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + 11: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15 + +Symbol table '.symtab' contains 56 entries: + Num: Value Size Type Bind Vis Ndx Name +... + 45: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15 + 46: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __kernel_getcpu + 47: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_getres + 48: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __kernel_get_tbfreq + 49: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __kernel_gettimeofday + 50: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __kernel_sync_dicache + 51: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_getrandom + 52: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __kernel_sigtram[...] + 53: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __kernel_time + 54: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_g[...] + 55: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __kernel_get_sys[...] + +Fixes: 98eedc3a9dbf ("Document the vDSO and add a reference parser") +Signed-off-by: Christophe Leroy +Acked-by: Shuah Khan +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/parse_vdso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c +index 9ef3ad3789c17..540f9a284e9f0 100644 +--- a/tools/testing/selftests/vDSO/parse_vdso.c ++++ b/tools/testing/selftests/vDSO/parse_vdso.c +@@ -238,7 +238,8 @@ void *vdso_sym(const char *version, const char *name) + ELF(Sym) *sym = &vdso_info.symtab[chain]; + + /* Check for a defined global or weak function w/ right name. */ +- if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC) ++ if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC && ++ ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE) + continue; + if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL && + ELF64_ST_BIND(sym->st_info) != STB_WEAK) +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index c6c115cef00..8e8021fd362 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -29,3 +29,117 @@ inet-inet_defrag-prevent-sk-release-while-still-in-use.patch bpf-fix-devmap_hash-overflow-check-on-32-bit-arches.patch usb-serial-pl2303-add-device-id-for-macrosilicon-ms3020.patch usb-usbtmc-prevent-kernel-usb-infoleak.patch +acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch +wifi-ath9k-fix-parameter-check-in-ath9k_init_debug.patch +wifi-ath9k-remove-error-checks-when-creating-debugfs.patch +fs-explicitly-unregister-per-superblock-bdis.patch +mount-warn-only-once-about-timestamp-range-expiratio.patch +fs-namespace-fnic-switch-to-use-pttd.patch +mount-handle-oom-on-mnt_warn_timestamp_expiry.patch +can-j1939-use-correct-function-name-in-comment.patch +netfilter-nf_tables-elements-with-timeout-below-conf.patch +netfilter-nf_tables-reject-element-expiration-with-n.patch +netfilter-nf_tables-reject-expiration-higher-than-ti.patch +wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch +wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch +mac80211-parse-radiotap-header-when-selecting-tx-que.patch +wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch +wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch +sock_map-add-a-cond_resched-in-sock_hash_free.patch +can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch +bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch +net-tipc-avoid-possible-garbage-value.patch +block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch +block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch +block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch +spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch +spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch +arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch +arm-versatile-fix-of-node-leak-in-cpus-prepare.patch +reset-berlin-fix-of-node-leak-in-probe-error-path.patch +clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch +hwmon-max16065-fix-overflows-seen-when-writing-limit.patch +mtd-slram-insert-break-after-errors-in-parsing-the-m.patch +hwmon-ntc_thermistor-fix-module-autoloading.patch +power-supply-axp20x_battery-allow-disabling-battery-.patch +power-supply-axp20x_battery-remove-design-from-min-a.patch +power-supply-max17042_battery-fix-soc-threshold-calc.patch +fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch +mtd-powernv-add-check-devm_kasprintf-returned-value.patch +drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch +drm-amdgpu-replace-one-element-array-with-flexible-a.patch +drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch +drm-radeon-replace-one-element-array-with-flexible-a.patch +drm-radeon-properly-handle-vbios-fake-edid-sizing.patch +drm-rockchip-vop-allow-4096px-width-scaling.patch +drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch +drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch +jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch +selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch +drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch +drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch +drm-msm-a5xx-properly-clear-preemption-records-on-re.patch +drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch +ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch +drm-msm-fix-s-null-argument-error.patch +drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch +xen-use-correct-end-address-of-kernel-for-conflict-c.patch +mm-add-page_align_down-macro.patch +minmax-avoid-overly-complex-min-max-macro-arguments-.patch +xen-introduce-generic-helper-checking-for-memory-map.patch +xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch +xen-add-capability-to-remap-non-ram-pages-to-differe.patch +xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch +xen-swiotlb-add-alignment-check-for-dma-buffers.patch +tpm-clean-up-tpm-space-after-command-failure.patch +selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch +selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch +selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch +selftests-bpf-fix-error-compiling-test_lru_map.c.patch +xz-cleanup-crc32-edits-from-2018.patch +kthread-add-kthread_work-tracepoints.patch +kthread-fix-task-state-in-kthread-worker-if-being-fr.patch +jbd2-introduce-export-functions-jbd2_journal_submit-.patch +ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch +smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch +ext4-avoid-negative-min_clusters-in-find_group_orlov.patch +ext4-return-error-on-ext4_find_inline_entry.patch +ext4-avoid-oob-when-system.data-xattr-changes-undern.patch +nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch +nilfs2-determine-empty-node-blocks-as-corrupted.patch +nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch +bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch +perf-sched-timehist-fix-missing-free-of-session-in-p.patch +perf-sched-timehist-fixed-timestamp-error-when-unabl.patch +perf-time-utils-fix-32-bit-nsec-parsing.patch +clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch +drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch +drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch +pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch +pci-xilinx-nwl-fix-register-misspelling.patch +rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch +pinctrl-single-fix-missing-error-code-in-pcs_probe.patch +clk-ti-dra7-atl-fix-leak-of-of_nodes.patch +pinctrl-mvebu-use-devm_platform_get_and_ioremap_reso.patch +pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch +watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch +rdma-hns-optimize-hem-allocation-performance.patch +input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch +riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch +rdma-cxgb4-added-null-check-for-lookup_atid.patch +ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch +nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch +nfsd-return-einval-when-namelen-is-0.patch +f2fs-enhance-to-update-i_mode-and-acl-atomically-in-.patch +f2fs-fix-typo.patch +f2fs-fix-to-update-i_ctime-in-__f2fs_setxattr.patch +f2fs-remove-unneeded-check-condition-in-__f2fs_setxa.patch +f2fs-reduce-expensive-checkpoint-trigger-frequency.patch +iio-adc-ad7606-fix-oversampling-gpio-array.patch +iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch +coresight-tmc-sg-do-not-leak-sg_table.patch +netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch +net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch +tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch +net-qrtr-update-packets-cloning-when-broadcasting.patch +netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch diff --git a/queue-5.4/smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch b/queue-5.4/smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch new file mode 100644 index 00000000000..58890bd967f --- /dev/null +++ b/queue-5.4/smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch @@ -0,0 +1,49 @@ +From ed8e32ade31570e63a2ec893b008e642b10d1e39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 08:47:26 +0000 +Subject: smackfs: Use rcu_assign_pointer() to ensure safe assignment in + smk_set_cipso + +From: Jiawei Ye + +[ Upstream commit 2749749afa071f8a0e405605de9da615e771a7ce ] + +In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat` +field is directly assigned to a new value without using the appropriate +RCU pointer assignment functions. According to RCU usage rules, this is +illegal and can lead to unpredictable behavior, including data +inconsistencies and impossible-to-diagnose memory corruption issues. + +This possible bug was identified using a static analysis tool developed +by myself, specifically designed to detect RCU-related issues. + +To address this, the assignment is now done using rcu_assign_pointer(), +which ensures that the pointer assignment is done safely, with the +necessary memory barriers and synchronization. This change prevents +potential RCU dereference issues by ensuring that the `cat` field is +safely updated while still adhering to RCU's requirements. + +Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()") +Signed-off-by: Jiawei Ye +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index a71975ea88a94..ddb0a292802ef 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -920,7 +920,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); + if (rc >= 0) { + old_cat = skp->smk_netlabel.attr.mls.cat; +- skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; ++ rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat); + skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; + synchronize_rcu(); + netlbl_catmap_free(old_cat); +-- +2.43.0 + diff --git a/queue-5.4/sock_map-add-a-cond_resched-in-sock_hash_free.patch b/queue-5.4/sock_map-add-a-cond_resched-in-sock_hash_free.patch new file mode 100644 index 00000000000..39410a92220 --- /dev/null +++ b/queue-5.4/sock_map-add-a-cond_resched-in-sock_hash_free.patch @@ -0,0 +1,41 @@ +From 5c265549c2479c5f8a8b9ec8267e5f77a759df39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 15:44:49 +0000 +Subject: sock_map: Add a cond_resched() in sock_hash_free() + +From: Eric Dumazet + +[ Upstream commit b1339be951ad31947ae19bc25cb08769bf255100 ] + +Several syzbot soft lockup reports all have in common sock_hash_free() + +If a map with a large number of buckets is destroyed, we need to yield +the cpu when needed. + +Fixes: 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20240906154449.3742932-1-edumazet@google.com +Signed-off-by: Sasha Levin +--- + net/core/sock_map.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index f9e9212ff7e5b..42d521443b338 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -945,6 +945,7 @@ static void sock_hash_free(struct bpf_map *map) + sock_put(elem->sk); + sock_hash_free_elem(htab, elem); + } ++ cond_resched(); + } + + /* wait for psock readers accessing its map link */ +-- +2.43.0 + diff --git a/queue-5.4/spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch b/queue-5.4/spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch new file mode 100644 index 00000000000..e6afaeea81d --- /dev/null +++ b/queue-5.4/spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch @@ -0,0 +1,50 @@ +From 469f84b74554ebd59f3d20fcf976c6d8b2123469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 17:45:12 +0300 +Subject: spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ + +From: Andy Shevchenko + +[ Upstream commit 7781f1d120fec8624fc654eda900fc8748262082 ] + +0 is incorrect error code when failed to parse and map IRQ. +Replace OF specific old API for IRQ retrieval with a generic +one to fix this issue. + +Fixes: 0f245463b01e ("spi: ppc4xx: handle irq_of_parse_and_map() errors") +Signed-off-by: Andy Shevchenko +Link: https://patch.msgid.link/20240814144525.2648450-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-ppc4xx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c +index 9e72ee73c2f61..2b844594a9e6d 100644 +--- a/drivers/spi/spi-ppc4xx.c ++++ b/drivers/spi/spi-ppc4xx.c +@@ -26,7 +26,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -491,9 +490,10 @@ static int spi_ppc4xx_of_probe(struct platform_device *op) + } + + /* Request IRQ */ +- hw->irqnum = irq_of_parse_and_map(np, 0); +- if (hw->irqnum <= 0) ++ ret = platform_get_irq(op, 0); ++ if (ret < 0) + goto free_host; ++ hw->irqnum = ret; + + ret = request_irq(hw->irqnum, spi_ppc4xx_int, + 0, "spi_ppc4xx_of", (void *)hw); +-- +2.43.0 + diff --git a/queue-5.4/spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch b/queue-5.4/spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch new file mode 100644 index 00000000000..2a498b26cd4 --- /dev/null +++ b/queue-5.4/spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch @@ -0,0 +1,39 @@ +From eb1a4a524fe26bc7ef5eb77d1995735fa9874f6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jul 2024 16:40:47 +0800 +Subject: spi: ppc4xx: handle irq_of_parse_and_map() errors + +From: Ma Ke + +[ Upstream commit 0f245463b01ea254ae90e1d0389e90b0e7d8dc75 ] + +Zero and negative number is not a valid IRQ for in-kernel code and the +irq_of_parse_and_map() function returns zero on error. So this check for +valid IRQs should only accept values > 0. + +Fixes: 44dab88e7cc9 ("spi: add spi_ppc4xx driver") +Signed-off-by: Ma Ke +Link: https://patch.msgid.link/20240724084047.1506084-1-make24@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-ppc4xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c +index 738a1e4e445e2..9e72ee73c2f61 100644 +--- a/drivers/spi/spi-ppc4xx.c ++++ b/drivers/spi/spi-ppc4xx.c +@@ -492,6 +492,9 @@ static int spi_ppc4xx_of_probe(struct platform_device *op) + + /* Request IRQ */ + hw->irqnum = irq_of_parse_and_map(np, 0); ++ if (hw->irqnum <= 0) ++ goto free_host; ++ + ret = request_irq(hw->irqnum, spi_ppc4xx_int, + 0, "spi_ppc4xx_of", (void *)hw); + if (ret) { +-- +2.43.0 + diff --git a/queue-5.4/tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch b/queue-5.4/tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch new file mode 100644 index 00000000000..07a5215d723 --- /dev/null +++ b/queue-5.4/tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch @@ -0,0 +1,351 @@ +From 43d752bf6b0190d714b8749e6eeb331b2506b400 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Sep 2024 15:08:22 -0400 +Subject: tcp: check skb is non-NULL in tcp_rto_delta_us() + +From: Josh Hunt + +[ Upstream commit c8770db2d54437a5f49417ae7b46f7de23d14db6 ] + +We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic +kernel that are running ceph and recently hit a null ptr dereference in +tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also +saw it getting hit from the RACK case as well. Here are examples of the oops +messages we saw in each of those cases: + +Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020 +Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode +Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page +Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0 +Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI +Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu +Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 +Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 +Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 +Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 +Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 +Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 +Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 +Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 +Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 +Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 +Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554 +Jul 26 15:05:02 rx [11061395.916786] Call Trace: +Jul 26 15:05:02 rx [11061395.919488] +Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f +Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9 +Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380 +Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 +Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50 +Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0 +Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20 +Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450 +Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140 +Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90 +Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0 +Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40 +Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220 +Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240 +Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0 +Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240 +Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130 +Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280 +Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10 +Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30 +Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_event+0x21/0x30 +Jul 26 15:05:02 rx [11061396.021984] ? clockevents_program_event+0x8f/0xe0 +Jul 26 15:05:02 rx [11061396.027035] run_timer_softirq+0x2a/0x50 +Jul 26 15:05:02 rx [11061396.031212] __do_softirq+0xd1/0x2c1 +Jul 26 15:05:02 rx [11061396.035044] do_softirq_own_stack+0x2a/0x40 +Jul 26 15:05:02 rx [11061396.039480] +Jul 26 15:05:02 rx [11061396.041840] do_softirq.part.0+0x46/0x50 +Jul 26 15:05:02 rx [11061396.046022] __local_bh_enable_ip+0x50/0x60 +Jul 26 15:05:02 rx [11061396.050460] _raw_spin_unlock_bh+0x1e/0x20 +Jul 26 15:05:02 rx [11061396.054817] nf_conntrack_tcp_packet+0x29e/0xbe0 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.060994] ? get_l4proto+0xe7/0x190 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.066220] nf_conntrack_in+0xe9/0x670 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.071618] ipv6_conntrack_local+0x14/0x20 [nf_conntrack] +Jul 26 15:05:02 rx [11061396.077356] nf_hook_slow+0x45/0xb0 +Jul 26 15:05:02 rx [11061396.081098] ip6_xmit+0x3f0/0x5d0 +Jul 26 15:05:02 rx [11061396.084670] ? ipv6_anycast_cleanup+0x50/0x50 +Jul 26 15:05:02 rx [11061396.089282] ? __sk_dst_check+0x38/0x70 +Jul 26 15:05:02 rx [11061396.093381] ? inet6_csk_route_socket+0x13b/0x200 +Jul 26 15:05:02 rx [11061396.098346] inet6_csk_xmit+0xa7/0xf0 +Jul 26 15:05:02 rx [11061396.102263] __tcp_transmit_skb+0x550/0xb30 +Jul 26 15:05:02 rx [11061396.106701] tcp_write_xmit+0x3c6/0xc20 +Jul 26 15:05:02 rx [11061396.110792] ? __alloc_skb+0x98/0x1d0 +Jul 26 15:05:02 rx [11061396.114708] __tcp_push_pending_frames+0x37/0x100 +Jul 26 15:05:02 rx [11061396.119667] tcp_push+0xfd/0x100 +Jul 26 15:05:02 rx [11061396.123150] tcp_sendmsg_locked+0xc70/0xdd0 +Jul 26 15:05:02 rx [11061396.127588] tcp_sendmsg+0x2d/0x50 +Jul 26 15:05:02 rx [11061396.131245] inet6_sendmsg+0x43/0x70 +Jul 26 15:05:02 rx [11061396.135075] __sock_sendmsg+0x48/0x70 +Jul 26 15:05:02 rx [11061396.138994] ____sys_sendmsg+0x212/0x280 +Jul 26 15:05:02 rx [11061396.143172] ___sys_sendmsg+0x88/0xd0 +Jul 26 15:05:02 rx [11061396.147098] ? __seccomp_filter+0x7e/0x6b0 +Jul 26 15:05:02 rx [11061396.151446] ? __switch_to+0x39c/0x460 +Jul 26 15:05:02 rx [11061396.155453] ? __switch_to_asm+0x42/0x80 +Jul 26 15:05:02 rx [11061396.159636] ? __switch_to_asm+0x5a/0x80 +Jul 26 15:05:02 rx [11061396.163816] __sys_sendmsg+0x5c/0xa0 +Jul 26 15:05:02 rx [11061396.167647] __x64_sys_sendmsg+0x1f/0x30 +Jul 26 15:05:02 rx [11061396.171832] do_syscall_64+0x57/0x190 +Jul 26 15:05:02 rx [11061396.175748] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 +Jul 26 15:05:02 rx [11061396.181055] RIP: 0033:0x7f1ef692618d +Jul 26 15:05:02 rx [11061396.184893] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48 +Jul 26 15:05:02 rx [11061396.203889] RSP: 002b:00007f1ef4a26aa0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e +Jul 26 15:05:02 rx [11061396.211708] RAX: ffffffffffffffda RBX: 000000000000084b RCX: 00007f1ef692618d +Jul 26 15:05:02 rx [11061396.219091] RDX: 0000000000004000 RSI: 00007f1ef4a26b10 RDI: 0000000000000275 +Jul 26 15:05:02 rx [11061396.226475] RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000020 +Jul 26 15:05:02 rx [11061396.233859] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000084b +Jul 26 15:05:02 rx [11061396.241243] R13: 00007f1ef4a26b10 R14: 0000000000000275 R15: 000055592030f1e8 +Jul 26 15:05:02 rx [11061396.248628] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler nft_ct sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 mlx5_core hid_generic pci_hyperv_intf crc32_pclmul tls usbhid ahci mlxfw bnxt_en libahci hid nvme i2c_piix4 nvme_core wmi +Jul 26 15:05:02 rx [11061396.324334] CR2: 0000000000000020 +Jul 26 15:05:02 rx [11061396.327944] ---[ end trace 68a2b679d1cfb4f1 ]--- +Jul 26 15:05:02 rx [11061396.433435] RIP: 0010:tcp_rearm_rto+0xe4/0x160 +Jul 26 15:05:02 rx [11061396.438137] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 +Jul 26 15:05:02 rx [11061396.457144] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 +Jul 26 15:05:02 rx [11061396.462629] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 +Jul 26 15:05:02 rx [11061396.470012] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 +Jul 26 15:05:02 rx [11061396.477396] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 +Jul 26 15:05:02 rx [11061396.484779] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 +Jul 26 15:05:02 rx [11061396.492164] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 +Jul 26 15:05:02 rx [11061396.499547] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 +Jul 26 15:05:02 rx [11061396.507886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Jul 26 15:05:02 rx [11061396.513884] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 +Jul 26 15:05:02 rx [11061396.521267] PKRU: 55555554 +Jul 26 15:05:02 rx [11061396.524230] Kernel panic - not syncing: Fatal exception in interrupt +Jul 26 15:05:02 rx [11061396.530885] Kernel Offset: 0x1b200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +Jul 26 15:05:03 rx [11061396.660181] ---[ end Kernel panic - not syncing: Fatal + exception in interrupt ]--- + +After we hit this we disabled TLP by setting tcp_early_retrans to 0 and then hit the crash in the RACK case: + +Aug 7 07:26:16 rx [1006006.265582] BUG: kernel NULL pointer dereference, address: 0000000000000020 +Aug 7 07:26:16 rx [1006006.272719] #PF: supervisor read access in kernel mode +Aug 7 07:26:16 rx [1006006.278030] #PF: error_code(0x0000) - not-present page +Aug 7 07:26:16 rx [1006006.283343] PGD 0 P4D 0 +Aug 7 07:26:16 rx [1006006.286057] Oops: 0000 [#1] SMP NOPTI +Aug 7 07:26:16 rx [1006006.289896] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.4.0-174-generic #193-Ubuntu +Aug 7 07:26:16 rx [1006006.299107] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 +Aug 7 07:26:16 rx [1006006.309970] RIP: 0010:tcp_rearm_rto+0xe4/0x160 +Aug 7 07:26:16 rx [1006006.314584] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 +Aug 7 07:26:16 rx [1006006.333499] RSP: 0018:ffffb42600a50960 EFLAGS: 00010246 +Aug 7 07:26:16 rx [1006006.338895] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 +Aug 7 07:26:16 rx [1006006.346193] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff92d687ed8160 +Aug 7 07:26:16 rx [1006006.353489] RBP: ffffb42600a50978 R08: 0000000000000000 R09: 00000000cd896dcc +Aug 7 07:26:16 rx [1006006.360786] R10: ffff92dc3404f400 R11: 0000000000000001 R12: ffff92d687ed8000 +Aug 7 07:26:16 rx [1006006.368084] R13: ffff92d687ed8160 R14: 00000000cd896dcc R15: 00000000cd8fca81 +Aug 7 07:26:16 rx [1006006.375381] FS: 0000000000000000(0000) GS:ffff93158ad40000(0000) knlGS:0000000000000000 +Aug 7 07:26:16 rx [1006006.383632] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Aug 7 07:26:16 rx [1006006.389544] CR2: 0000000000000020 CR3: 0000003e775ce006 CR4: 0000000000760ee0 +Aug 7 07:26:16 rx [1006006.396839] PKRU: 55555554 +Aug 7 07:26:16 rx [1006006.399717] Call Trace: +Aug 7 07:26:16 rx [1006006.402335] +Aug 7 07:26:16 rx [1006006.404525] ? show_regs.cold+0x1a/0x1f +Aug 7 07:26:16 rx [1006006.408532] ? __die+0x90/0xd9 +Aug 7 07:26:16 rx [1006006.411760] ? no_context+0x196/0x380 +Aug 7 07:26:16 rx [1006006.415599] ? __bad_area_nosemaphore+0x50/0x1a0 +Aug 7 07:26:16 rx [1006006.420392] ? _raw_spin_lock+0x1e/0x30 +Aug 7 07:26:16 rx [1006006.424401] ? bad_area_nosemaphore+0x16/0x20 +Aug 7 07:26:16 rx [1006006.428927] ? do_user_addr_fault+0x267/0x450 +Aug 7 07:26:16 rx [1006006.433450] ? __do_page_fault+0x58/0x90 +Aug 7 07:26:16 rx [1006006.437542] ? do_page_fault+0x2c/0xe0 +Aug 7 07:26:16 rx [1006006.441470] ? page_fault+0x34/0x40 +Aug 7 07:26:16 rx [1006006.445134] ? tcp_rearm_rto+0xe4/0x160 +Aug 7 07:26:16 rx [1006006.449145] tcp_ack+0xa32/0xb30 +Aug 7 07:26:16 rx [1006006.452542] tcp_rcv_established+0x13c/0x670 +Aug 7 07:26:16 rx [1006006.456981] ? sk_filter_trim_cap+0x48/0x220 +Aug 7 07:26:16 rx [1006006.461419] tcp_v6_do_rcv+0xdb/0x450 +Aug 7 07:26:16 rx [1006006.465257] tcp_v6_rcv+0xc2b/0xd10 +Aug 7 07:26:16 rx [1006006.468918] ip6_protocol_deliver_rcu+0xd3/0x4e0 +Aug 7 07:26:16 rx [1006006.473706] ip6_input_finish+0x15/0x20 +Aug 7 07:26:16 rx [1006006.477710] ip6_input+0xa2/0xb0 +Aug 7 07:26:16 rx [1006006.481109] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 +Aug 7 07:26:16 rx [1006006.486151] ip6_sublist_rcv_finish+0x3d/0x50 +Aug 7 07:26:16 rx [1006006.490679] ip6_sublist_rcv+0x1aa/0x250 +Aug 7 07:26:16 rx [1006006.494779] ? ip6_rcv_finish_core.isra.0+0xa0/0xa0 +Aug 7 07:26:16 rx [1006006.499828] ipv6_list_rcv+0x112/0x140 +Aug 7 07:26:16 rx [1006006.503748] __netif_receive_skb_list_core+0x1a4/0x250 +Aug 7 07:26:16 rx [1006006.509057] netif_receive_skb_list_internal+0x1a1/0x2b0 +Aug 7 07:26:16 rx [1006006.514538] gro_normal_list.part.0+0x1e/0x40 +Aug 7 07:26:16 rx [1006006.519068] napi_complete_done+0x91/0x130 +Aug 7 07:26:16 rx [1006006.523352] mlx5e_napi_poll+0x18e/0x610 [mlx5_core] +Aug 7 07:26:16 rx [1006006.528481] net_rx_action+0x142/0x390 +Aug 7 07:26:16 rx [1006006.532398] __do_softirq+0xd1/0x2c1 +Aug 7 07:26:16 rx [1006006.536142] irq_exit+0xae/0xb0 +Aug 7 07:26:16 rx [1006006.539452] do_IRQ+0x5a/0xf0 +Aug 7 07:26:16 rx [1006006.542590] common_interrupt+0xf/0xf +Aug 7 07:26:16 rx [1006006.546421] +Aug 7 07:26:16 rx [1006006.548695] RIP: 0010:native_safe_halt+0xe/0x10 +Aug 7 07:26:16 rx [1006006.553399] Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65 +Aug 7 07:26:16 rx [1006006.572309] RSP: 0018:ffffb42600177e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc2 +Aug 7 07:26:16 rx [1006006.580040] RAX: ffffffff8ed08b20 RBX: 0000000000000005 RCX: 0000000000000001 +Aug 7 07:26:16 rx [1006006.587337] RDX: 00000000f48eeca2 RSI: 0000000000000082 RDI: 0000000000000082 +Aug 7 07:26:16 rx [1006006.594635] RBP: ffffb42600177e90 R08: 0000000000000000 R09: 000000000000020f +Aug 7 07:26:16 rx [1006006.601931] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000005 +Aug 7 07:26:16 rx [1006006.609229] R13: ffff93157deb5f00 R14: 0000000000000000 R15: 0000000000000000 +Aug 7 07:26:16 rx [1006006.616530] ? __cpuidle_text_start+0x8/0x8 +Aug 7 07:26:16 rx [1006006.620886] ? default_idle+0x20/0x140 +Aug 7 07:26:16 rx [1006006.624804] arch_cpu_idle+0x15/0x20 +Aug 7 07:26:16 rx [1006006.628545] default_idle_call+0x23/0x30 +Aug 7 07:26:16 rx [1006006.632640] do_idle+0x1fb/0x270 +Aug 7 07:26:16 rx [1006006.636035] cpu_startup_entry+0x20/0x30 +Aug 7 07:26:16 rx [1006006.640126] start_secondary+0x178/0x1d0 +Aug 7 07:26:16 rx [1006006.644218] secondary_startup_64+0xa4/0xb0 +Aug 7 07:26:17 rx [1006006.648568] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet ast mii drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 hid_generic mlx5_core pci_hyperv_intf crc32_pclmul usbhid ahci tls mlxfw bnxt_en hid libahci nvme i2c_piix4 nvme_core wmi [last unloaded: cpuid] +Aug 7 07:26:17 rx [1006006.726180] CR2: 0000000000000020 +Aug 7 07:26:17 rx [1006006.729718] ---[ end trace e0e2e37e4e612984 ]--- + +Prior to seeing the first crash and on other machines we also see the warning in +tcp_send_loss_probe() where packets_out is non-zero, but both transmit and retrans +queues are empty so we know the box is seeing some accounting issue in this area: + +Jul 26 09:15:27 kernel: ------------[ cut here ]------------ +Jul 26 09:15:27 kernel: invalid inflight: 2 state 1 cwnd 68 mss 8988 +Jul 26 09:15:27 kernel: WARNING: CPU: 16 PID: 0 at net/ipv4/tcp_output.c:2605 tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif joydev input_leds rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_he> +Jul 26 09:15:27 kernel: CPU: 16 PID: 0 Comm: swapper/16 Not tainted 5.4.0-174-generic #193-Ubuntu +Jul 26 09:15:27 kernel: Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 +Jul 26 09:15:27 kernel: RIP: 0010:tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: Code: 08 26 01 00 75 e2 41 0f b6 54 24 12 41 8b 8c 24 c0 06 00 00 45 89 f0 48 c7 c7 e0 b4 20 a7 c6 05 8d 08 26 01 01 e8 4a c0 0f 00 <0f> 0b eb ba 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 +Jul 26 09:15:27 kernel: RSP: 0018:ffffb7838088ce00 EFLAGS: 00010286 +Jul 26 09:15:27 kernel: RAX: 0000000000000000 RBX: ffff9b84b5630430 RCX: 0000000000000006 +Jul 26 09:15:27 kernel: RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9b8e4621c8c0 +Jul 26 09:15:27 kernel: RBP: ffffb7838088ce18 R08: 0000000000000927 R09: 0000000000000004 +Jul 26 09:15:27 kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9b84b5630000 +Jul 26 09:15:27 kernel: R13: 0000000000000000 R14: 000000000000231c R15: ffff9b84b5630430 +Jul 26 09:15:27 kernel: FS: 0000000000000000(0000) GS:ffff9b8e46200000(0000) knlGS:0000000000000000 +Jul 26 09:15:27 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Jul 26 09:15:27 kernel: CR2: 000056238cec2380 CR3: 0000003e49ede005 CR4: 0000000000760ee0 +Jul 26 09:15:27 kernel: PKRU: 55555554 +Jul 26 09:15:27 kernel: Call Trace: +Jul 26 09:15:27 kernel: +Jul 26 09:15:27 kernel: ? show_regs.cold+0x1a/0x1f +Jul 26 09:15:27 kernel: ? __warn+0x98/0xe0 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: ? report_bug+0xd1/0x100 +Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0 +Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240 +Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0 +Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240 +Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130 +Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280 +Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0 +Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90 +Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0 +Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30 +Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 +Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240 +Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0 +Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240 +Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130 +Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280 +Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0 +Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90 +Jul 26 09:15:27 kernel: ? recalibrate_cpu_khz+0x10/0x10 +Jul 26 09:15:27 kernel: ? ktime_get+0x3e/0xa0 +Jul 26 09:15:27 kernel: ? native_x2apic_icr_write+0x30/0x30 +Jul 26 09:15:27 kernel: run_timer_softirq+0x2a/0x50 +Jul 26 09:15:27 kernel: __do_softirq+0xd1/0x2c1 +Jul 26 09:15:27 kernel: irq_exit+0xae/0xb0 +Jul 26 09:15:27 kernel: smp_apic_timer_interrupt+0x7b/0x140 +Jul 26 09:15:27 kernel: apic_timer_interrupt+0xf/0x20 +Jul 26 09:15:27 kernel: +Jul 26 09:15:27 kernel: RIP: 0010:native_safe_halt+0xe/0x10 +Jul 26 09:15:27 kernel: Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65 +Jul 26 09:15:27 kernel: RSP: 0018:ffffb783801cfe70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +Jul 26 09:15:27 kernel: RAX: ffffffffa6908b20 RBX: 0000000000000010 RCX: 0000000000000001 +Jul 26 09:15:27 kernel: RDX: 000000006fc0c97e RSI: 0000000000000082 RDI: 0000000000000082 +Jul 26 09:15:27 kernel: RBP: ffffb783801cfe90 R08: 0000000000000000 R09: 0000000000000225 +Jul 26 09:15:27 kernel: R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000010 +Jul 26 09:15:27 kernel: R13: ffff9b8e390b0000 R14: 0000000000000000 R15: 0000000000000000 +Jul 26 09:15:27 kernel: ? __cpuidle_text_start+0x8/0x8 +Jul 26 09:15:27 kernel: ? default_idle+0x20/0x140 +Jul 26 09:15:27 kernel: arch_cpu_idle+0x15/0x20 +Jul 26 09:15:27 kernel: default_idle_call+0x23/0x30 +Jul 26 09:15:27 kernel: do_idle+0x1fb/0x270 +Jul 26 09:15:27 kernel: cpu_startup_entry+0x20/0x30 +Jul 26 09:15:27 kernel: start_secondary+0x178/0x1d0 +Jul 26 09:15:27 kernel: secondary_startup_64+0xa4/0xb0 +Jul 26 09:15:27 kernel: ---[ end trace e7ac822987e33be1 ]--- + +The NULL ptr deref is coming from tcp_rto_delta_us() attempting to pull an skb +off the head of the retransmit queue and then dereferencing that skb to get the +skb_mstamp_ns value via tcp_skb_timestamp_us(skb). + +The crash is the same one that was reported a # of years ago here: +https://lore.kernel.org/netdev/86c0f836-9a7c-438b-d81a-839be45f1f58@gmail.com/T/#t + +and the kernel we're running has the fix which was added to resolve this issue. + +Unfortunately we've been unsuccessful so far in reproducing this problem in the +lab and do not have the luxury of pushing out a new kernel to try and test if +newer kernels resolve this issue at the moment. I realize this is a report +against both an Ubuntu kernel and also an older 5.4 kernel. I have reported this +issue to Ubuntu here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2077657 +however I feel like since this issue has possibly cropped up again it makes +sense to build in some protection in this path (even on the latest kernel +versions) since the code in question just blindly assumes there's a valid skb +without testing if it's NULL b/f it looks at the timestamp. + +Given we have seen crashes in this path before and now this case it seems like +we should protect ourselves for when packets_out accounting is incorrect. +While we should fix that root cause we should also just make sure the skb +is not NULL before dereferencing it. Also add a warn once here to capture +some information if/when the problem case is hit again. + +Fixes: e1a10ef7fa87 ("tcp: introduce tcp_rto_delta_us() helper for xmit timer fix") +Signed-off-by: Josh Hunt +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 164ba7b77bd9f..199853b007abf 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2081,9 +2081,26 @@ static inline s64 tcp_rto_delta_us(const struct sock *sk) + { + const struct sk_buff *skb = tcp_rtx_queue_head(sk); + u32 rto = inet_csk(sk)->icsk_rto; +- u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto); + +- return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp; ++ if (likely(skb)) { ++ u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto); ++ ++ return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp; ++ } else { ++ WARN_ONCE(1, ++ "rtx queue emtpy: " ++ "out:%u sacked:%u lost:%u retrans:%u " ++ "tlp_high_seq:%u sk_state:%u ca_state:%u " ++ "advmss:%u mss_cache:%u pmtu:%u\n", ++ tcp_sk(sk)->packets_out, tcp_sk(sk)->sacked_out, ++ tcp_sk(sk)->lost_out, tcp_sk(sk)->retrans_out, ++ tcp_sk(sk)->tlp_high_seq, sk->sk_state, ++ inet_csk(sk)->icsk_ca_state, ++ tcp_sk(sk)->advmss, tcp_sk(sk)->mss_cache, ++ inet_csk(sk)->icsk_pmtu_cookie); ++ return jiffies_to_usecs(rto); ++ } ++ + } + + /* +-- +2.43.0 + diff --git a/queue-5.4/tpm-clean-up-tpm-space-after-command-failure.patch b/queue-5.4/tpm-clean-up-tpm-space-after-command-failure.patch new file mode 100644 index 00000000000..ba11f2dc2a4 --- /dev/null +++ b/queue-5.4/tpm-clean-up-tpm-space-after-command-failure.patch @@ -0,0 +1,57 @@ +From 9d1244a1ba751a487507d74b1ef0d3bc0b51536b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2024 12:55:46 +0100 +Subject: tpm: Clean up TPM space after command failure + +From: Jonathan McDowell + +[ Upstream commit e3aaebcbb7c6b403416f442d1de70d437ce313a7 ] + +tpm_dev_transmit prepares the TPM space before attempting command +transmission. However if the command fails no rollback of this +preparation is done. This can result in transient handles being leaked +if the device is subsequently closed with no further commands performed. + +Fix this by flushing the space in the event of command transmission +failure. + +Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") +Signed-off-by: Jonathan McDowell +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm-dev-common.c | 2 ++ + drivers/char/tpm/tpm2-space.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c +index b99e1941c52c9..fde81ecbd6a3b 100644 +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -48,6 +48,8 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, + + if (!ret) + ret = tpm2_commit_space(chip, space, buf, &len); ++ else ++ tpm2_flush_space(chip); + + out_rc: + return ret ? ret : len; +diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c +index ffb35f0154c16..c57404c6b98c9 100644 +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -166,6 +166,9 @@ void tpm2_flush_space(struct tpm_chip *chip) + struct tpm_space *space = &chip->work_space; + int i; + ++ if (!space) ++ return; ++ + for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++) + if (space->context_tbl[i] && ~space->context_tbl[i]) + tpm2_flush_context(chip, space->context_tbl[i]); +-- +2.43.0 + diff --git a/queue-5.4/watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch b/queue-5.4/watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch new file mode 100644 index 00000000000..b5cb8d77633 --- /dev/null +++ b/queue-5.4/watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch @@ -0,0 +1,73 @@ +From f73ef9b852a3980e158286375769941ced355a16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Aug 2024 14:18:45 +0200 +Subject: watchdog: imx_sc_wdt: Don't disable WDT in suspend + +From: Jonas Blixt + +[ Upstream commit 2d9d6d300fb0a4ae4431bb308027ac9385746d42 ] + +Parts of the suspend and resume chain is left unprotected if we disable +the WDT here. + +>From experiments we can see that the SCU disables and re-enables the WDT +when we enter and leave suspend to ram. By not touching the WDT here we +are protected by the WDT all the way to the SCU. + +Signed-off-by: Jonas Blixt +CC: Anson Huang +Fixes: 986857acbc9a ("watchdog: imx_sc: Add i.MX system controller watchdog support") +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20240801121845.1465765-1-jonas.blixt@actia.se +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/imx_sc_wdt.c | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/drivers/watchdog/imx_sc_wdt.c b/drivers/watchdog/imx_sc_wdt.c +index 8c9936e78bee0..f11f4c2bb0e50 100644 +--- a/drivers/watchdog/imx_sc_wdt.c ++++ b/drivers/watchdog/imx_sc_wdt.c +@@ -215,29 +215,6 @@ static int imx_sc_wdt_probe(struct platform_device *pdev) + return devm_watchdog_register_device(dev, wdog); + } + +-static int __maybe_unused imx_sc_wdt_suspend(struct device *dev) +-{ +- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev); +- +- if (watchdog_active(&imx_sc_wdd->wdd)) +- imx_sc_wdt_stop(&imx_sc_wdd->wdd); +- +- return 0; +-} +- +-static int __maybe_unused imx_sc_wdt_resume(struct device *dev) +-{ +- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev); +- +- if (watchdog_active(&imx_sc_wdd->wdd)) +- imx_sc_wdt_start(&imx_sc_wdd->wdd); +- +- return 0; +-} +- +-static SIMPLE_DEV_PM_OPS(imx_sc_wdt_pm_ops, +- imx_sc_wdt_suspend, imx_sc_wdt_resume); +- + static const struct of_device_id imx_sc_wdt_dt_ids[] = { + { .compatible = "fsl,imx-sc-wdt", }, + { /* sentinel */ } +@@ -249,7 +226,6 @@ static struct platform_driver imx_sc_wdt_driver = { + .driver = { + .name = "imx-sc-wdt", + .of_match_table = imx_sc_wdt_dt_ids, +- .pm = &imx_sc_wdt_pm_ops, + }, + }; + module_platform_driver(imx_sc_wdt_driver); +-- +2.43.0 + diff --git a/queue-5.4/wifi-ath9k-fix-parameter-check-in-ath9k_init_debug.patch b/queue-5.4/wifi-ath9k-fix-parameter-check-in-ath9k_init_debug.patch new file mode 100644 index 00000000000..efcb757f1bb --- /dev/null +++ b/queue-5.4/wifi-ath9k-fix-parameter-check-in-ath9k_init_debug.patch @@ -0,0 +1,41 @@ +From 9027fcdc94f62f2cd5189876ce185ce8589f48af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 19:47:40 +0800 +Subject: wifi: ath9k: fix parameter check in ath9k_init_debug() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Minjie Du + +[ Upstream commit 6edb4ba6fb5b946d112259f54f4657f82eb71e89 ] + +Make IS_ERR() judge the debugfs_create_dir() function return +in ath9k_init_debug() + +Signed-off-by: Minjie Du +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230712114740.13226-1-duminjie@vivo.com +Stable-dep-of: f6ffe7f01847 ("wifi: ath9k: Remove error checks when creating debugfs entries") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c +index 8d98347e0ddff..42f404119912f 100644 +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -1371,7 +1371,7 @@ int ath9k_init_debug(struct ath_hw *ah) + + sc->debug.debugfs_phy = debugfs_create_dir("ath9k", + sc->hw->wiphy->debugfsdir); +- if (!sc->debug.debugfs_phy) ++ if (IS_ERR(sc->debug.debugfs_phy)) + return -ENOMEM; + + #ifdef CONFIG_ATH_DEBUG +-- +2.43.0 + diff --git a/queue-5.4/wifi-ath9k-remove-error-checks-when-creating-debugfs.patch b/queue-5.4/wifi-ath9k-remove-error-checks-when-creating-debugfs.patch new file mode 100644 index 00000000000..30a71daf05b --- /dev/null +++ b/queue-5.4/wifi-ath9k-remove-error-checks-when-creating-debugfs.patch @@ -0,0 +1,68 @@ +From 9fea57ef0c63bc54ef819f4cbaca4c620a44c74b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Aug 2024 13:02:22 +0200 +Subject: wifi: ath9k: Remove error checks when creating debugfs entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit f6ffe7f0184792c2f99aca6ae5b916683973d7d3 ] + +We should not be checking the return values from debugfs creation at all: the +debugfs functions are designed to handle errors of previously called functions +and just transparently abort the creation of debugfs entries when debugfs is +disabled. If we check the return value and abort driver initialisation, we break +the driver if debugfs is disabled (such as when booting with debugfs=off). + +Earlier versions of ath9k accidentally did the right thing by checking the +return value, but only for NULL, not for IS_ERR(). This was "fixed" by the two +commits referenced below, breaking ath9k with debugfs=off starting from the 6.6 +kernel (as reported in the Bugzilla linked below). + +Restore functionality by just getting rid of the return value check entirely. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219122 +Fixes: 1e4134610d93 ("wifi: ath9k: use IS_ERR() with debugfs_create_dir()") +Fixes: 6edb4ba6fb5b ("wifi: ath9k: fix parameter check in ath9k_init_debug()") +Reported-by: Daniel Tobias +Tested-by: Daniel Tobias +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20240805110225.19690-1-toke@toke.dk +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/debug.c | 2 -- + drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c +index 42f404119912f..f5773ce252dd1 100644 +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -1371,8 +1371,6 @@ int ath9k_init_debug(struct ath_hw *ah) + + sc->debug.debugfs_phy = debugfs_create_dir("ath9k", + sc->hw->wiphy->debugfsdir); +- if (IS_ERR(sc->debug.debugfs_phy)) +- return -ENOMEM; + + #ifdef CONFIG_ATH_DEBUG + debugfs_create_file("debug", 0600, sc->debug.debugfs_phy, +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +index e79bbcd3279af..81332086e2899 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c +@@ -491,8 +491,6 @@ int ath9k_htc_init_debug(struct ath_hw *ah) + + priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME, + priv->hw->wiphy->debugfsdir); +- if (IS_ERR(priv->debug.debugfs_phy)) +- return -ENOMEM; + + ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy); + +-- +2.43.0 + diff --git a/queue-5.4/wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch b/queue-5.4/wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch new file mode 100644 index 00000000000..42958ffb661 --- /dev/null +++ b/queue-5.4/wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch @@ -0,0 +1,57 @@ +From 4f1ec8814d26c6d9778b06a993e9d2db8362bbd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 12:08:06 +0300 +Subject: wifi: cfg80211: fix two more possible UBSAN-detected off-by-one + errors + +From: Dmitry Antipov + +[ Upstream commit 15ea13b1b1fbf6364d4cd568e65e4c8479632999 ] + +Although not reproduced in practice, these two cases may be +considered by UBSAN as off-by-one errors. So fix them in the +same way as in commit a26a5107bc52 ("wifi: cfg80211: fix UBSAN +noise in cfg80211_wext_siwscan()"). + +Fixes: 807f8a8c3004 ("cfg80211/nl80211: add support for scheduled scans") +Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20240909090806.1091956-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 3 ++- + net/wireless/sme.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index e85e8f7b48f92..77edb69384637 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -8018,7 +8018,8 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev, + return ERR_PTR(-ENOMEM); + + if (n_ssids) +- request->ssids = (void *)&request->channels[n_channels]; ++ request->ssids = (void *)request + ++ struct_size(request, channels, n_channels); + request->n_ssids = n_ssids; + if (ie_len) { + if (n_ssids) +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index a260cd60a7b99..55a04b30b8778 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -116,7 +116,8 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev) + n_channels = i; + } + request->n_channels = n_channels; +- request->ssids = (void *)&request->channels[n_channels]; ++ request->ssids = (void *)request + ++ struct_size(request, channels, n_channels); + request->n_ssids = 1; + + memcpy(request->ssids[0].ssid, wdev->conn->params.ssid, +-- +2.43.0 + diff --git a/queue-5.4/wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch b/queue-5.4/wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch new file mode 100644 index 00000000000..833f298ce2a --- /dev/null +++ b/queue-5.4/wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch @@ -0,0 +1,69 @@ +From 51ab4cb0fbd7ac6353094d12ee64dc8777087de7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 18:04:00 +0300 +Subject: wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() + +From: Dmitry Antipov + +[ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ] + +Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 +and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the +following: + +[ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25 +[ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]' +<...skipped...> +[ T4985] Call Trace: +[ T4985] +[ T4985] dump_stack_lvl+0x1c2/0x2a0 +[ T4985] ? __pfx_dump_stack_lvl+0x10/0x10 +[ T4985] ? __pfx__printk+0x10/0x10 +[ T4985] __ubsan_handle_out_of_bounds+0x127/0x150 +[ T4985] cfg80211_wext_siwscan+0x11a4/0x1260 +<...the rest is not too useful...> + +Even if we do 'creq->n_channels = n_channels' before 'creq->ssids = +(void *)&creq->channels[n_channels]', UBSAN treats the latter as +off-by-one error. Fix this by using pointer arithmetic rather than +an expression with explicit array indexing and use convenient +'struct_size()' to simplify the math here and in 'kzalloc()' above. + +Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") +Signed-off-by: Dmitry Antipov +Reviewed-by: Kees Cook +Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru +[fix coding style for multi-line calculation] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index b28e652514e80..18398968b3ed7 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -2243,8 +2243,8 @@ int cfg80211_wext_siwscan(struct net_device *dev, + n_channels = ieee80211_get_num_supported_channels(wiphy); + } + +- creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + +- n_channels * sizeof(void *), ++ creq = kzalloc(struct_size(creq, channels, n_channels) + ++ sizeof(struct cfg80211_ssid), + GFP_ATOMIC); + if (!creq) { + err = -ENOMEM; +@@ -2254,7 +2254,7 @@ int cfg80211_wext_siwscan(struct net_device *dev, + creq->wiphy = wiphy; + creq->wdev = dev->ieee80211_ptr; + /* SSIDs come after channels */ +- creq->ssids = (void *)&creq->channels[n_channels]; ++ creq->ssids = (void *)creq + struct_size(creq, channels, n_channels); + creq->n_channels = n_channels; + creq->n_ssids = 1; + creq->scan_start = jiffies; +-- +2.43.0 + diff --git a/queue-5.4/wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch b/queue-5.4/wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch new file mode 100644 index 00000000000..ed2e6e9417d --- /dev/null +++ b/queue-5.4/wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch @@ -0,0 +1,103 @@ +From 824bb808c0f80962ad5b39323e1bfdacd88728d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2024 15:31:51 +0300 +Subject: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() + +From: Dmitry Antipov + +[ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ] + +Since '__dev_queue_xmit()' should be called with interrupts enabled, +the following backtrace: + +ieee80211_do_stop() + ... + spin_lock_irqsave(&local->queue_stop_reason_lock, flags) + ... + ieee80211_free_txskb() + ieee80211_report_used_skb() + ieee80211_report_ack_skb() + cfg80211_mgmt_tx_status_ext() + nl80211_frame_tx_status() + genlmsg_multicast_netns() + genlmsg_multicast_netns_filtered() + nlmsg_multicast_filtered() + netlink_broadcast_filtered() + do_one_broadcast() + netlink_broadcast_deliver() + __netlink_sendskb() + netlink_deliver_tap() + __netlink_deliver_tap_skb() + dev_queue_xmit() + __dev_queue_xmit() ; with IRQS disabled + ... + spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags) + +issues the warning (as reported by syzbot reproducer): + +WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120 + +Fix this by implementing a two-phase skb reclamation in +'ieee80211_do_stop()', where actual work is performed +outside of a section with interrupts disabled. + +Fixes: 5061b0c2b906 ("mac80211: cooperate more with network namespaces") +Reported-by: syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/iface.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 1f691180e13db..e49b80a9de520 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -795,6 +795,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + { + struct ieee80211_local *local = sdata->local; + unsigned long flags; ++ struct sk_buff_head freeq; + struct sk_buff *skb, *tmp; + u32 hw_reconf_flags = 0; + int i, flushed; +@@ -993,18 +994,32 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + skb_queue_purge(&sdata->skb_queue); + } + ++ /* ++ * Since ieee80211_free_txskb() may issue __dev_queue_xmit() ++ * which should be called with interrupts enabled, reclamation ++ * is done in two phases: ++ */ ++ __skb_queue_head_init(&freeq); ++ ++ /* unlink from local queues... */ + spin_lock_irqsave(&local->queue_stop_reason_lock, flags); + for (i = 0; i < IEEE80211_MAX_QUEUES; i++) { + skb_queue_walk_safe(&local->pending[i], skb, tmp) { + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + if (info->control.vif == &sdata->vif) { + __skb_unlink(skb, &local->pending[i]); +- ieee80211_free_txskb(&local->hw, skb); ++ __skb_queue_tail(&freeq, skb); + } + } + } + spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags); + ++ /* ... and perform actual reclamation with interrupts enabled. */ ++ skb_queue_walk_safe(&freeq, skb, tmp) { ++ __skb_unlink(skb, &freeq); ++ ieee80211_free_txskb(&local->hw, skb); ++ } ++ + if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) + ieee80211_txq_remove_vlan(local, sdata); + +-- +2.43.0 + diff --git a/queue-5.4/wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch b/queue-5.4/wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch new file mode 100644 index 00000000000..8e53bb7af25 --- /dev/null +++ b/queue-5.4/wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch @@ -0,0 +1,69 @@ +From f9b9a9badd4a13e20300b6a68e531ff6759713eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 08:17:09 +0000 +Subject: wifi: wilc1000: fix potential RCU dereference issue in + wilc_parse_join_bss_param +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiawei Ye + +[ Upstream commit 6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8 ] + +In the `wilc_parse_join_bss_param` function, the TSF field of the `ies` +structure is accessed after the RCU read-side critical section is +unlocked. According to RCU usage rules, this is illegal. Reusing this +pointer can lead to unpredictable behavior, including accessing memory +that has been updated or causing use-after-free issues. + +This possible bug was identified using a static analysis tool developed +by myself, specifically designed to detect RCU-related issues. + +To address this, the TSF value is now stored in a local variable +`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is +then assigned using this local variable, ensuring that the TSF value is +safely accessed. + +Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path") +Signed-off-by: Jiawei Ye +Reviewed-by: Alexis Lothoré +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/tencent_466225AA599BA49627FB26F707EE17BC5407@qq.com +Signed-off-by: Sasha Levin +--- + drivers/staging/wilc1000/wilc_hif.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/wilc1000/wilc_hif.c b/drivers/staging/wilc1000/wilc_hif.c +index 7f54665c0a0f6..98f1c3102d688 100644 +--- a/drivers/staging/wilc1000/wilc_hif.c ++++ b/drivers/staging/wilc1000/wilc_hif.c +@@ -448,6 +448,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + struct wilc_join_bss_param *param; + u8 rates_len = 0; + int ies_len; ++ u64 ies_tsf; + int ret; + + param = kzalloc(sizeof(*param), GFP_KERNEL); +@@ -463,6 +464,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + return NULL; + } + ies_len = ies->len; ++ ies_tsf = ies->tsf; + rcu_read_unlock(); + + param->beacon_period = cpu_to_le16(bss->beacon_interval); +@@ -518,7 +520,7 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + IEEE80211_P2P_ATTR_ABSENCE_NOTICE, + (u8 *)&noa_attr, sizeof(noa_attr)); + if (ret > 0) { +- param->tsf_lo = cpu_to_le32(ies->tsf); ++ param->tsf_lo = cpu_to_le32(ies_tsf); + param->noa_enabled = 1; + param->idx = noa_attr.index; + if (noa_attr.oppps_ctwindow & IEEE80211_P2P_OPPPS_ENABLE_BIT) { +-- +2.43.0 + diff --git a/queue-5.4/xen-add-capability-to-remap-non-ram-pages-to-differe.patch b/queue-5.4/xen-add-capability-to-remap-non-ram-pages-to-differe.patch new file mode 100644 index 00000000000..5d273e44737 --- /dev/null +++ b/queue-5.4/xen-add-capability-to-remap-non-ram-pages-to-differe.patch @@ -0,0 +1,130 @@ +From 293d92229a4dee751519ac8bb6a07ce39e8a5259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2024 16:47:25 +0200 +Subject: xen: add capability to remap non-RAM pages to different PFNs + +From: Juergen Gross + +[ Upstream commit d05208cf7f05420ad10cc7f9550f91d485523659 ] + +When running as a Xen PV dom0 it can happen that the kernel is being +loaded to a guest physical address conflicting with the host memory +map. + +In order to be able to resolve this conflict, add the capability to +remap non-RAM areas to different guest PFNs. A function to use this +remapping information for other purposes than doing the remap will be +added when needed. + +As the number of conflicts should be rather low (currently only +machines with max. 1 conflict are known), save the remap data in a +small statically allocated array. + +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/p2m.c | 63 ++++++++++++++++++++++++++++++++++++++++++ + arch/x86/xen/xen-ops.h | 3 ++ + 2 files changed, 66 insertions(+) + +diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c +index bfe6e862e13e2..3e9b655a26cae 100644 +--- a/arch/x86/xen/p2m.c ++++ b/arch/x86/xen/p2m.c +@@ -80,6 +80,7 @@ + #include + #include + #include ++#include + + #include "multicalls.h" + #include "xen-ops.h" +@@ -806,6 +807,68 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops, + } + EXPORT_SYMBOL_GPL(clear_foreign_p2m_mapping); + ++/* Remapped non-RAM areas */ ++#define NR_NONRAM_REMAP 4 ++static struct nonram_remap { ++ phys_addr_t maddr; ++ phys_addr_t paddr; ++ size_t size; ++} xen_nonram_remap[NR_NONRAM_REMAP] __ro_after_init; ++static unsigned int nr_nonram_remap __ro_after_init; ++ ++/* ++ * Do the real remapping of non-RAM regions as specified in the ++ * xen_nonram_remap[] array. ++ * In case of an error just crash the system. ++ */ ++void __init xen_do_remap_nonram(void) ++{ ++ unsigned int i; ++ unsigned int remapped = 0; ++ const struct nonram_remap *remap = xen_nonram_remap; ++ unsigned long pfn, mfn, end_pfn; ++ ++ for (i = 0; i < nr_nonram_remap; i++) { ++ end_pfn = PFN_UP(remap->paddr + remap->size); ++ pfn = PFN_DOWN(remap->paddr); ++ mfn = PFN_DOWN(remap->maddr); ++ while (pfn < end_pfn) { ++ if (!set_phys_to_machine(pfn, mfn)) ++ panic("Failed to set p2m mapping for pfn=%lx mfn=%lx\n", ++ pfn, mfn); ++ ++ pfn++; ++ mfn++; ++ remapped++; ++ } ++ ++ remap++; ++ } ++ ++ pr_info("Remapped %u non-RAM page(s)\n", remapped); ++} ++ ++/* ++ * Add a new non-RAM remap entry. ++ * In case of no free entry found, just crash the system. ++ */ ++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr, ++ unsigned long size) ++{ ++ BUG_ON((maddr & ~PAGE_MASK) != (paddr & ~PAGE_MASK)); ++ ++ if (nr_nonram_remap == NR_NONRAM_REMAP) { ++ xen_raw_console_write("Number of required E820 entry remapping actions exceed maximum value\n"); ++ BUG(); ++ } ++ ++ xen_nonram_remap[nr_nonram_remap].maddr = maddr; ++ xen_nonram_remap[nr_nonram_remap].paddr = paddr; ++ xen_nonram_remap[nr_nonram_remap].size = size; ++ ++ nr_nonram_remap++; ++} ++ + #ifdef CONFIG_XEN_DEBUG_FS + #include + #include "debugfs.h" +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 4e2cc1e23f843..5e398ae5943bd 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -45,6 +45,9 @@ void xen_mm_unpin_all(void); + #ifdef CONFIG_X86_64 + void __init xen_relocate_p2m(void); + #endif ++void __init xen_do_remap_nonram(void); ++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr, ++ unsigned long size); + + void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, + const char *component); +-- +2.43.0 + diff --git a/queue-5.4/xen-introduce-generic-helper-checking-for-memory-map.patch b/queue-5.4/xen-introduce-generic-helper-checking-for-memory-map.patch new file mode 100644 index 00000000000..cc0eda8a46c --- /dev/null +++ b/queue-5.4/xen-introduce-generic-helper-checking-for-memory-map.patch @@ -0,0 +1,138 @@ +From d5cf0018ba33cf6aae44de08cc0136d8951236e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 14:11:06 +0200 +Subject: xen: introduce generic helper checking for memory map conflicts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit ba88829706e2c5b7238638fc2b0713edf596495e ] + +When booting as a Xen PV dom0 the memory layout of the dom0 is +modified to match that of the host, as this requires less changes in +the kernel for supporting Xen. + +There are some cases, though, which are problematic, as it is the Xen +hypervisor selecting the kernel's load address plus some other data, +which might conflict with the host's memory map. + +These conflicts are detected at boot time and result in a boot error. +In order to support handling at least some of these conflicts in +future, introduce a generic helper function which will later gain the +ability to adapt the memory layout when possible. + +Add the missing check for the xen_start_info area. + +Note that possible p2m map and initrd memory conflicts are handled +already by copying the data to memory areas not conflicting with the +memory map. The initial stack allocated by Xen doesn't need to be +checked, as early boot code is switching to the statically allocated +initial kernel stack. Initial page tables and the kernel itself will +be handled later. + +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 5 +---- + arch/x86/xen/setup.c | 34 ++++++++++++++++++++++++++++------ + arch/x86/xen/xen-ops.h | 3 ++- + 3 files changed, 31 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index c8dbee62ec2ab..5792980317861 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -2284,10 +2284,7 @@ void __init xen_reserve_special_pages(void) + + void __init xen_pt_check_e820(void) + { +- if (xen_is_e820_reserved(xen_pt_base, xen_pt_size)) { +- xen_raw_console_write("Xen hypervisor allocated page table memory conflicts with E820 map\n"); +- BUG(); +- } ++ xen_chk_is_e820_usable(xen_pt_base, xen_pt_size, "page table"); + } + + static unsigned char dummy_mapping[PAGE_SIZE] __page_aligned_bss; +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 858de52cfacff..32ac3deb193b9 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -614,7 +614,7 @@ static void __init xen_ignore_unusable(void) + } + } + +-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size) ++static bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size) + { + struct e820_entry *entry; + unsigned mapcnt; +@@ -671,6 +671,23 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size) + return 0; + } + ++/* ++ * Check for an area in physical memory to be usable for non-movable purposes. ++ * An area is considered to usable if the used E820 map lists it to be RAM. ++ * In case the area is not usable, crash the system with an error message. ++ */ ++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, ++ const char *component) ++{ ++ if (!xen_is_e820_reserved(start, size)) ++ return; ++ ++ xen_raw_console_write("Xen hypervisor allocated "); ++ xen_raw_console_write(component); ++ xen_raw_console_write(" memory conflicts with E820 map\n"); ++ BUG(); ++} ++ + /* + * Like memcpy, but with physical addresses for dest and src. + */ +@@ -875,11 +892,16 @@ char * __init xen_memory_setup(void) + * Failing now is better than running into weird problems later due + * to relocating (and even reusing) pages with kernel text or data. + */ +- if (xen_is_e820_reserved(__pa_symbol(_text), +- __pa_symbol(_end) - __pa_symbol(_text))) { +- xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n"); +- BUG(); +- } ++ xen_chk_is_e820_usable(__pa_symbol(_text), ++ __pa_symbol(_end) - __pa_symbol(_text), ++ "kernel"); ++ ++ /* ++ * Check for a conflict of the xen_start_info memory with the target ++ * E820 map. ++ */ ++ xen_chk_is_e820_usable(__pa(xen_start_info), sizeof(*xen_start_info), ++ "xen_start_info"); + + /* + * Check for a conflict of the hypervisor supplied page tables with +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 120e2bcf20f88..4e2cc1e23f843 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -46,7 +46,8 @@ void xen_mm_unpin_all(void); + void __init xen_relocate_p2m(void); + #endif + +-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size); ++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, ++ const char *component); + unsigned long __ref xen_chk_extra_mem(unsigned long pfn); + void __init xen_inv_extra_mem(void); + void __init xen_remap_memory(void); +-- +2.43.0 + diff --git a/queue-5.4/xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch b/queue-5.4/xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch new file mode 100644 index 00000000000..f4a42ae19ad --- /dev/null +++ b/queue-5.4/xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch @@ -0,0 +1,195 @@ +From b01599fcf0d6790c680afb5b64b305062f65224e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Aug 2024 10:24:41 +0200 +Subject: xen: move max_pfn in xen_memory_setup() out of function scope +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit 43dc2a0f479b9cd30f6674986d7a40517e999d31 ] + +Instead of having max_pfn as a local variable of xen_memory_setup(), +make it a static variable in setup.c instead. This avoids having to +pass it to subfunctions, which will be needed in more cases in future. + +Rename it to ini_nr_pages, as the value denotes the currently usable +number of memory pages as passed from the hypervisor at boot time. + +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 52 ++++++++++++++++++++++---------------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 32ac3deb193b9..f77c268f8f019 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -45,6 +45,9 @@ unsigned long xen_released_pages; + /* E820 map used during setting up memory. */ + static struct e820_table xen_e820_table __initdata; + ++/* Number of initially usable memory pages. */ ++static unsigned long ini_nr_pages __initdata; ++ + /* + * Buffer used to remap identity mapped pages. We only need the virtual space. + * The physical page behind this address is remapped as needed to different +@@ -252,7 +255,7 @@ static int __init xen_free_mfn(unsigned long mfn) + * as a fallback if the remapping fails. + */ + static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn, +- unsigned long end_pfn, unsigned long nr_pages) ++ unsigned long end_pfn) + { + unsigned long pfn, end; + int ret; +@@ -260,7 +263,7 @@ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn, + WARN_ON(start_pfn > end_pfn); + + /* Release pages first. */ +- end = min(end_pfn, nr_pages); ++ end = min(end_pfn, ini_nr_pages); + for (pfn = start_pfn; pfn < end; pfn++) { + unsigned long mfn = pfn_to_mfn(pfn); + +@@ -385,15 +388,14 @@ static void __init xen_do_set_identity_and_remap_chunk( + * to Xen and not remapped. + */ + static unsigned long __init xen_set_identity_and_remap_chunk( +- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages, +- unsigned long remap_pfn) ++ unsigned long start_pfn, unsigned long end_pfn, unsigned long remap_pfn) + { + unsigned long pfn; + unsigned long i = 0; + unsigned long n = end_pfn - start_pfn; + + if (remap_pfn == 0) +- remap_pfn = nr_pages; ++ remap_pfn = ini_nr_pages; + + while (i < n) { + unsigned long cur_pfn = start_pfn + i; +@@ -402,19 +404,19 @@ static unsigned long __init xen_set_identity_and_remap_chunk( + unsigned long remap_range_size; + + /* Do not remap pages beyond the current allocation */ +- if (cur_pfn >= nr_pages) { ++ if (cur_pfn >= ini_nr_pages) { + /* Identity map remaining pages */ + set_phys_range_identity(cur_pfn, cur_pfn + size); + break; + } +- if (cur_pfn + size > nr_pages) +- size = nr_pages - cur_pfn; ++ if (cur_pfn + size > ini_nr_pages) ++ size = ini_nr_pages - cur_pfn; + + remap_range_size = xen_find_pfn_range(&remap_pfn); + if (!remap_range_size) { + pr_warning("Unable to find available pfn range, not remapping identity pages\n"); + xen_set_identity_and_release_chunk(cur_pfn, +- cur_pfn + left, nr_pages); ++ cur_pfn + left); + break; + } + /* Adjust size to fit in current e820 RAM region */ +@@ -441,18 +443,18 @@ static unsigned long __init xen_set_identity_and_remap_chunk( + } + + static unsigned long __init xen_count_remap_pages( +- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages, ++ unsigned long start_pfn, unsigned long end_pfn, + unsigned long remap_pages) + { +- if (start_pfn >= nr_pages) ++ if (start_pfn >= ini_nr_pages) + return remap_pages; + +- return remap_pages + min(end_pfn, nr_pages) - start_pfn; ++ return remap_pages + min(end_pfn, ini_nr_pages) - start_pfn; + } + +-static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages, ++static unsigned long __init xen_foreach_remap_area( + unsigned long (*func)(unsigned long start_pfn, unsigned long end_pfn, +- unsigned long nr_pages, unsigned long last_val)) ++ unsigned long last_val)) + { + phys_addr_t start = 0; + unsigned long ret_val = 0; +@@ -480,8 +482,7 @@ static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages, + end_pfn = PFN_UP(entry->addr); + + if (start_pfn < end_pfn) +- ret_val = func(start_pfn, end_pfn, nr_pages, +- ret_val); ++ ret_val = func(start_pfn, end_pfn, ret_val); + start = end; + } + } +@@ -756,7 +757,7 @@ static void __init xen_reserve_xen_mfnlist(void) + **/ + char * __init xen_memory_setup(void) + { +- unsigned long max_pfn, pfn_s, n_pfns; ++ unsigned long pfn_s, n_pfns; + phys_addr_t mem_end, addr, size, chunk_size; + u32 type; + int rc; +@@ -768,9 +769,8 @@ char * __init xen_memory_setup(void) + int op; + + xen_parse_512gb(); +- max_pfn = xen_get_pages_limit(); +- max_pfn = min(max_pfn, xen_start_info->nr_pages); +- mem_end = PFN_PHYS(max_pfn); ++ ini_nr_pages = min(xen_get_pages_limit(), xen_start_info->nr_pages); ++ mem_end = PFN_PHYS(ini_nr_pages); + + memmap.nr_entries = ARRAY_SIZE(xen_e820_table.entries); + set_xen_guest_handle(memmap.buffer, xen_e820_table.entries); +@@ -814,10 +814,10 @@ char * __init xen_memory_setup(void) + max_pages = xen_get_max_pages(); + + /* How many extra pages do we need due to remapping? */ +- max_pages += xen_foreach_remap_area(max_pfn, xen_count_remap_pages); ++ max_pages += xen_foreach_remap_area(xen_count_remap_pages); + +- if (max_pages > max_pfn) +- extra_pages += max_pages - max_pfn; ++ if (max_pages > ini_nr_pages) ++ extra_pages += max_pages - ini_nr_pages; + + /* + * Clamp the amount of extra memory to a EXTRA_MEM_RATIO +@@ -833,8 +833,8 @@ char * __init xen_memory_setup(void) + * the initial memory is also very large with respect to + * lowmem, but we won't try to deal with that here. + */ +- maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)); +- extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn); ++ maxmem_pages = EXTRA_MEM_RATIO * min(ini_nr_pages, PFN_DOWN(MAXMEM)); ++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - ini_nr_pages); + i = 0; + addr = xen_e820_table.entries[0].addr; + size = xen_e820_table.entries[0].size; +@@ -936,7 +936,7 @@ char * __init xen_memory_setup(void) + * Set identity map on non-RAM pages and prepare remapping the + * underlying RAM. + */ +- xen_foreach_remap_area(max_pfn, xen_set_identity_and_remap_chunk); ++ xen_foreach_remap_area(xen_set_identity_and_remap_chunk); + + pr_info("Released %ld page(s)\n", xen_released_pages); + +-- +2.43.0 + diff --git a/queue-5.4/xen-swiotlb-add-alignment-check-for-dma-buffers.patch b/queue-5.4/xen-swiotlb-add-alignment-check-for-dma-buffers.patch new file mode 100644 index 00000000000..0d3fc98b82c --- /dev/null +++ b/queue-5.4/xen-swiotlb-add-alignment-check-for-dma-buffers.patch @@ -0,0 +1,52 @@ +From c37743c90f448ffd20abaf8e145ec480882a49f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 12:05:02 +0200 +Subject: xen/swiotlb: add alignment check for dma buffers + +From: Juergen Gross + +[ Upstream commit 9f40ec84a7976d95c34e7cc070939deb103652b0 ] + +When checking a memory buffer to be consecutive in machine memory, +the alignment needs to be checked, too. Failing to do so might result +in DMA memory not being aligned according to its requested size, +leading to error messages like: + + 4xxx 0000:2b:00.0: enabling device (0140 -> 0142) + 4xxx 0000:2b:00.0: Ring address not aligned + 4xxx 0000:2b:00.0: Failed to initialise service qat_crypto + 4xxx 0000:2b:00.0: Resetting device qat_dev0 + 4xxx: probe of 0000:2b:00.0 failed with error -14 + +Fixes: 9435cce87950 ("xen/swiotlb: Add support for 64KB page granularity") +Signed-off-by: Juergen Gross +Reviewed-by: Stefano Stabellini +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/swiotlb-xen.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c +index 486d7978ea970..5bd29d0bffa2e 100644 +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -89,9 +89,15 @@ static inline int range_straddles_page_boundary(phys_addr_t p, size_t size) + { + unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p); + unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size); ++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT); + + next_bfn = pfn_to_bfn(xen_pfn); + ++ /* If buffer is physically aligned, ensure DMA alignment. */ ++ if (IS_ALIGNED(p, algn) && ++ !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn)) ++ return 1; ++ + for (i = 1; i < nr_pages; i++) + if (pfn_to_bfn(++xen_pfn) != ++next_bfn) + return 1; +-- +2.43.0 + diff --git a/queue-5.4/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch b/queue-5.4/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch new file mode 100644 index 00000000000..4cb785fe5ea --- /dev/null +++ b/queue-5.4/xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch @@ -0,0 +1,161 @@ +From 60d62babd18782bb7f551a963a557f1a1f57b4fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2024 20:14:22 +0200 +Subject: xen: tolerate ACPI NVS memory overlapping with Xen allocated memory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ] + +In order to minimize required special handling for running as Xen PV +dom0, the memory layout is modified to match that of the host. This +requires to have only RAM at the locations where Xen allocated memory +is living. Unfortunately there seem to be some machines, where ACPI +NVS is located at 64 MB, resulting in a conflict with the loaded +kernel or the initial page tables built by Xen. + +Avoid this conflict by swapping the ACPI NVS area in the memory map +with unused RAM. This is possible via modification of the dom0 P2M map. +Accesses to the ACPI NVS area are done either for saving and restoring +it across suspend operations (this will work the same way as before), +or by ACPI code when NVS memory is referenced from other ACPI tables. +The latter case is handled by a Xen specific indirection of +acpi_os_ioremap(). + +While the E820 map can (and should) be modified right away, the P2M +map can be updated only after memory allocation is working, as the P2M +map might need to be extended. + +Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout") +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 92 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 91 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index f77c268f8f019..5e0913766a520 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -539,6 +539,8 @@ void __init xen_remap_memory(void) + set_pte_mfn(buf, mfn_save, PAGE_KERNEL); + + pr_info("Remapped %ld page(s)\n", remapped); ++ ++ xen_do_remap_nonram(); + } + + static unsigned long __init xen_get_pages_limit(void) +@@ -672,14 +674,102 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size) + return 0; + } + ++/* ++ * Swap a non-RAM E820 map entry with RAM above ini_nr_pages. ++ * Note that the E820 map is modified accordingly, but the P2M map isn't yet. ++ * The adaption of the P2M must be deferred until page allocation is possible. ++ */ ++static void __init xen_e820_swap_entry_with_ram(struct e820_entry *swap_entry) ++{ ++ struct e820_entry *entry; ++ unsigned int mapcnt; ++ phys_addr_t mem_end = PFN_PHYS(ini_nr_pages); ++ phys_addr_t swap_addr, swap_size, entry_end; ++ ++ swap_addr = PAGE_ALIGN_DOWN(swap_entry->addr); ++ swap_size = PAGE_ALIGN(swap_entry->addr - swap_addr + swap_entry->size); ++ entry = xen_e820_table.entries; ++ ++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) { ++ entry_end = entry->addr + entry->size; ++ if (entry->type == E820_TYPE_RAM && entry->size >= swap_size && ++ entry_end - swap_size >= mem_end) { ++ /* Reduce RAM entry by needed space (whole pages). */ ++ entry->size -= swap_size; ++ ++ /* Add new entry at the end of E820 map. */ ++ entry = xen_e820_table.entries + ++ xen_e820_table.nr_entries; ++ xen_e820_table.nr_entries++; ++ ++ /* Fill new entry (keep size and page offset). */ ++ entry->type = swap_entry->type; ++ entry->addr = entry_end - swap_size + ++ swap_addr - swap_entry->addr; ++ entry->size = swap_entry->size; ++ ++ /* Convert old entry to RAM, align to pages. */ ++ swap_entry->type = E820_TYPE_RAM; ++ swap_entry->addr = swap_addr; ++ swap_entry->size = swap_size; ++ ++ /* Remember PFN<->MFN relation for P2M update. */ ++ xen_add_remap_nonram(swap_addr, entry_end - swap_size, ++ swap_size); ++ ++ /* Order E820 table and merge entries. */ ++ e820__update_table(&xen_e820_table); ++ ++ return; ++ } ++ ++ entry++; ++ } ++ ++ xen_raw_console_write("No suitable area found for required E820 entry remapping action\n"); ++ BUG(); ++} ++ ++/* ++ * Look for non-RAM memory types in a specific guest physical area and move ++ * those away if possible (ACPI NVS only for now). ++ */ ++static void __init xen_e820_resolve_conflicts(phys_addr_t start, ++ phys_addr_t size) ++{ ++ struct e820_entry *entry; ++ unsigned int mapcnt; ++ phys_addr_t end; ++ ++ if (!size) ++ return; ++ ++ end = start + size; ++ entry = xen_e820_table.entries; ++ ++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) { ++ if (entry->addr >= end) ++ return; ++ ++ if (entry->addr + entry->size > start && ++ entry->type == E820_TYPE_NVS) ++ xen_e820_swap_entry_with_ram(entry); ++ ++ entry++; ++ } ++} ++ + /* + * Check for an area in physical memory to be usable for non-movable purposes. +- * An area is considered to usable if the used E820 map lists it to be RAM. ++ * An area is considered to usable if the used E820 map lists it to be RAM or ++ * some other type which can be moved to higher PFNs while keeping the MFNs. + * In case the area is not usable, crash the system with an error message. + */ + void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size, + const char *component) + { ++ xen_e820_resolve_conflicts(start, size); ++ + if (!xen_is_e820_reserved(start, size)) + return; + +-- +2.43.0 + diff --git a/queue-5.4/xen-use-correct-end-address-of-kernel-for-conflict-c.patch b/queue-5.4/xen-use-correct-end-address-of-kernel-for-conflict-c.patch new file mode 100644 index 00000000000..9f9f7a6df87 --- /dev/null +++ b/queue-5.4/xen-use-correct-end-address-of-kernel-for-conflict-c.patch @@ -0,0 +1,51 @@ +From c985033bc8df588b778d83d995e42ff17c9455da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Aug 2024 08:01:22 +0200 +Subject: xen: use correct end address of kernel for conflict checking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Juergen Gross + +[ Upstream commit fac1bceeeb04886fc2ee952672e6e6c85ce41dca ] + +When running as a Xen PV dom0 the kernel is loaded by the hypervisor +using a different memory map than that of the host. In order to +minimize the required changes in the kernel, the kernel adapts its +memory map to that of the host. In order to do that it is checking +for conflicts of its load address with the host memory map. + +Unfortunately the tested memory range does not include the .brk +area, which might result in crashes or memory corruption when this +area does conflict with the memory map of the host. + +Fix the test by using the _end label instead of __bss_stop. + +Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout") + +Signed-off-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 548d1e0a5ba10..d19fcca0b30b3 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -875,7 +875,7 @@ char * __init xen_memory_setup(void) + * to relocating (and even reusing) pages with kernel text or data. + */ + if (xen_is_e820_reserved(__pa_symbol(_text), +- __pa_symbol(__bss_stop) - __pa_symbol(_text))) { ++ __pa_symbol(_end) - __pa_symbol(_text))) { + xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n"); + BUG(); + } +-- +2.43.0 + diff --git a/queue-5.4/xz-cleanup-crc32-edits-from-2018.patch b/queue-5.4/xz-cleanup-crc32-edits-from-2018.patch new file mode 100644 index 00000000000..f0d472f732a --- /dev/null +++ b/queue-5.4/xz-cleanup-crc32-edits-from-2018.patch @@ -0,0 +1,78 @@ +From aade025b5475f6d79330e7e95deb9e5f389b068b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Jul 2024 16:36:24 +0300 +Subject: xz: cleanup CRC32 edits from 2018 + +From: Lasse Collin + +[ Upstream commit 2ee96abef214550d9e92f5143ee3ac1fd1323e67 ] + +In 2018, a dependency on was added to avoid +duplicating the same constant in multiple files. Two months later it was +found to be a bad idea and the definition of CRC32_POLY_LE macro was moved +into xz_private.h to avoid including . + +xz_private.h is a wrong place for it too. Revert back to the upstream +version which has the poly in xz_crc32_init() in xz_crc32.c. + +Link: https://lkml.kernel.org/r/20240721133633.47721-10-lasse.collin@tukaani.org +Fixes: faa16bc404d7 ("lib: Use existing define with polynomial") +Fixes: 242cdad873a7 ("lib/xz: Put CRC32_POLY_LE in xz_private.h") +Signed-off-by: Lasse Collin +Reviewed-by: Sam James +Tested-by: Michael Ellerman (powerpc) +Cc: Krzysztof Kozlowski +Cc: Herbert Xu +Cc: Joel Stanley +Cc: Albert Ou +Cc: Catalin Marinas +Cc: Emil Renner Berthing +Cc: Greg Kroah-Hartman +Cc: Jonathan Corbet +Cc: Jubin Zhong +Cc: Jules Maselbas +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Randy Dunlap +Cc: Rui Li +Cc: Simon Glass +Cc: Thomas Gleixner +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/xz/xz_crc32.c | 2 +- + lib/xz/xz_private.h | 4 ---- + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/lib/xz/xz_crc32.c b/lib/xz/xz_crc32.c +index 912aae5fa09e1..34532d14fd4c2 100644 +--- a/lib/xz/xz_crc32.c ++++ b/lib/xz/xz_crc32.c +@@ -29,7 +29,7 @@ STATIC_RW_DATA uint32_t xz_crc32_table[256]; + + XZ_EXTERN void xz_crc32_init(void) + { +- const uint32_t poly = CRC32_POLY_LE; ++ const uint32_t poly = 0xEDB88320; + + uint32_t i; + uint32_t j; +diff --git a/lib/xz/xz_private.h b/lib/xz/xz_private.h +index 09360ebb510ef..482b90f363fe3 100644 +--- a/lib/xz/xz_private.h ++++ b/lib/xz/xz_private.h +@@ -102,10 +102,6 @@ + # endif + #endif + +-#ifndef CRC32_POLY_LE +-#define CRC32_POLY_LE 0xedb88320 +-#endif +- + /* + * Allocate memory for LZMA2 decoder. xz_dec_lzma2_reset() must be used + * before calling xz_dec_lzma2_run(). +-- +2.43.0 +