From 2e3b81250a6b4432bf99ea1aafaf4eadda73f76b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 29 Apr 2025 17:34:22 +0200 Subject: [PATCH] 5.15-stable patches added patches: mips-cm-fix-warning-if-mips_cm-is-disabled.patch nvme-fixup-scan-failure-for-non-ana-multipath-controllers.patch pci-fix-dropping-valid-root-bus-resources-with-.end-zero.patch pci-fix-use-after-free-in-pci_bus_release_domain_nr.patch pci-release-resource-invalidated-by-coalescing.patch --- ...m-fix-warning-if-mips_cm-is-disabled.patch | 38 +++++++ ...re-for-non-ana-multipath-controllers.patch | 36 +++++++ ...id-root-bus-resources-with-.end-zero.patch | 69 ++++++++++++ ...er-free-in-pci_bus_release_domain_nr.patch | 100 ++++++++++++++++++ ...e-resource-invalidated-by-coalescing.patch | 55 ++++++++++ queue-5.15/series | 5 + 6 files changed, 303 insertions(+) create mode 100644 queue-5.15/mips-cm-fix-warning-if-mips_cm-is-disabled.patch create mode 100644 queue-5.15/nvme-fixup-scan-failure-for-non-ana-multipath-controllers.patch create mode 100644 queue-5.15/pci-fix-dropping-valid-root-bus-resources-with-.end-zero.patch create mode 100644 queue-5.15/pci-fix-use-after-free-in-pci_bus_release_domain_nr.patch create mode 100644 queue-5.15/pci-release-resource-invalidated-by-coalescing.patch diff --git a/queue-5.15/mips-cm-fix-warning-if-mips_cm-is-disabled.patch b/queue-5.15/mips-cm-fix-warning-if-mips_cm-is-disabled.patch new file mode 100644 index 00000000000..272bbfb37c6 --- /dev/null +++ b/queue-5.15/mips-cm-fix-warning-if-mips_cm-is-disabled.patch @@ -0,0 +1,38 @@ +From b73c3ccdca95c237750c981054997c71d33e09d7 Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Fri, 28 Feb 2025 15:37:02 +0100 +Subject: MIPS: cm: Fix warning if MIPS_CM is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Bogendoerfer + +commit b73c3ccdca95c237750c981054997c71d33e09d7 upstream. + +Commit e27fbe16af5c ("MIPS: cm: Detect CM quirks from device tree") +introduced + +arch/mips/include/asm/mips-cm.h:119:13: error: ‘mips_cm_update_property’ + defined but not used [-Werror=unused-function] + +Fix this by making empty function implementation inline + +Fixes: e27fbe16af5c ("MIPS: cm: Detect CM quirks from device tree") +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/mips-cm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/mips-cm.h ++++ b/arch/mips/include/asm/mips-cm.h +@@ -104,7 +104,7 @@ static inline bool mips_cm_present(void) + #ifdef CONFIG_MIPS_CM + extern void mips_cm_update_property(void); + #else +-static void mips_cm_update_property(void) {} ++static inline void mips_cm_update_property(void) {} + #endif + + /** diff --git a/queue-5.15/nvme-fixup-scan-failure-for-non-ana-multipath-controllers.patch b/queue-5.15/nvme-fixup-scan-failure-for-non-ana-multipath-controllers.patch new file mode 100644 index 00000000000..1c9e5eeb12e --- /dev/null +++ b/queue-5.15/nvme-fixup-scan-failure-for-non-ana-multipath-controllers.patch @@ -0,0 +1,36 @@ +From 26d7fb4fd4ca1180e2fa96587dea544563b4962a Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Mon, 14 Apr 2025 14:05:09 +0200 +Subject: nvme: fixup scan failure for non-ANA multipath controllers + +From: Hannes Reinecke + +commit 26d7fb4fd4ca1180e2fa96587dea544563b4962a upstream. + +Commit 62baf70c3274 caused the ANA log page to be re-read, even on +controllers that do not support ANA. While this should generally +harmless, some controllers hang on the unsupported log page and +never finish probing. + +Fixes: 62baf70c3274 ("nvme: re-read ANA log page after ns scan completes") +Signed-off-by: Hannes Reinecke +Tested-by: Srikanth Aithal +[hch: more detailed commit message] +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4226,7 +4226,7 @@ static void nvme_scan_work(struct work_s + if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) + nvme_queue_scan(ctrl); + #ifdef CONFIG_NVME_MULTIPATH +- else ++ else if (ctrl->ana_log_buf) + /* Re-read the ANA log page to not miss updates */ + queue_work(nvme_wq, &ctrl->ana_work); + #endif diff --git a/queue-5.15/pci-fix-dropping-valid-root-bus-resources-with-.end-zero.patch b/queue-5.15/pci-fix-dropping-valid-root-bus-resources-with-.end-zero.patch new file mode 100644 index 00000000000..97a89d5c43b --- /dev/null +++ b/queue-5.15/pci-fix-dropping-valid-root-bus-resources-with-.end-zero.patch @@ -0,0 +1,69 @@ +From 9d8ba74a181b1c81def21168795ed96cbe6f05ed Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Fri, 10 Feb 2023 14:46:39 +0100 +Subject: PCI: Fix dropping valid root bus resources with .end = zero + +From: Geert Uytterhoeven + +commit 9d8ba74a181b1c81def21168795ed96cbe6f05ed upstream. + +On r8a7791/koelsch: + + kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) + # cat /sys/kernel/debug/kmemleak + unreferenced object 0xc3a34e00 (size 64): + comm "swapper/0", pid 1, jiffies 4294937460 (age 199.080s) + hex dump (first 32 bytes): + b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00 .]...].......... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __kmalloc+0xf0/0x140 + [<34bd6bc0>] resource_list_create_entry+0x18/0x38 + [<767046bc>] pci_add_resource_offset+0x20/0x68 + [] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390 + +When coalescing two resources for a contiguous aperture, the second +resource is enlarged to cover the full contiguous range, while the first +resource is marked invalid. This invalidation is done by clearing the +flags, start, and end members. + +When adding the initial resources to the bus later, invalid resources are +skipped. Unfortunately, the check for an invalid resource considers only +the end member, causing false positives. + +E.g. on r8a7791/koelsch, root bus resource 0 ("bus 00") is skipped, and no +longer registered with pci_bus_insert_busn_res() (causing the memory leak), +nor printed: + + pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges: + pci-rcar-gen2 ee090000.pci: MEM 0x00ee080000..0x00ee08ffff -> 0x00ee080000 + pci-rcar-gen2 ee090000.pci: PCI: revision 11 + pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00 + -pci_bus 0000:00: root bus resource [bus 00] + pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff] + +Fix this by only skipping resources where all of the flags, start, and end +members are zero. + +Fixes: 7c3855c423b17f6c ("PCI: Coalesce host bridge contiguous apertures") +Link: https://lore.kernel.org/r/da0fcd5e86c74239be79c7cb03651c0fce31b515.1676036673.git.geert+renesas@glider.be +Tested-by: Niklas Schnelle +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Bjorn Helgaas +Acked-by: Kai-Heng Feng +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -999,7 +999,7 @@ static int pci_register_host_bridge(stru + resource_list_for_each_entry_safe(window, n, &resources) { + offset = window->offset; + res = window->res; +- if (!res->end) ++ if (!res->flags && !res->start && !res->end) + continue; + + list_move_tail(&window->node, &bridge->windows); diff --git a/queue-5.15/pci-fix-use-after-free-in-pci_bus_release_domain_nr.patch b/queue-5.15/pci-fix-use-after-free-in-pci_bus_release_domain_nr.patch new file mode 100644 index 00000000000..b4be729ac47 --- /dev/null +++ b/queue-5.15/pci-fix-use-after-free-in-pci_bus_release_domain_nr.patch @@ -0,0 +1,100 @@ +From 30ba2d09edb5ea857a1473ae3d820911347ada62 Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Wed, 29 Mar 2023 07:38:35 -0500 +Subject: PCI: Fix use-after-free in pci_bus_release_domain_nr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rob Herring + +commit 30ba2d09edb5ea857a1473ae3d820911347ada62 upstream. + +Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") +introduced a use-after-free bug in the bus removal cleanup. The issue was +found with kfence: + + [ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70 + + [ 19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115): + [ 19.309677] pci_bus_release_domain_nr+0x10/0x70 + [ 19.309691] dw_pcie_host_deinit+0x28/0x78 + [ 19.309702] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] + [ 19.309734] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] + [ 19.309752] platform_probe+0x90/0xd8 + ... + + [ 19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k + + [ 19.311469] allocated by task 96 on cpu 10 at 19.279323s: + [ 19.311562] __kmem_cache_alloc_node+0x260/0x278 + [ 19.311571] kmalloc_trace+0x24/0x30 + [ 19.311580] pci_alloc_bus+0x24/0xa0 + [ 19.311590] pci_register_host_bridge+0x48/0x4b8 + [ 19.311601] pci_scan_root_bus_bridge+0xc0/0xe8 + [ 19.311613] pci_host_probe+0x18/0xc0 + [ 19.311623] dw_pcie_host_init+0x2c0/0x568 + [ 19.311630] tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194] + [ 19.311647] platform_probe+0x90/0xd8 + ... + + [ 19.311782] freed by task 96 on cpu 10 at 19.285833s: + [ 19.311799] release_pcibus_dev+0x30/0x40 + [ 19.311808] device_release+0x30/0x90 + [ 19.311814] kobject_put+0xa8/0x120 + [ 19.311832] device_unregister+0x20/0x30 + [ 19.311839] pci_remove_bus+0x78/0x88 + [ 19.311850] pci_remove_root_bus+0x5c/0x98 + [ 19.311860] dw_pcie_host_deinit+0x28/0x78 + [ 19.311866] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] + [ 19.311883] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] + [ 19.311900] platform_probe+0x90/0xd8 + ... + + [ 19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4 + [ 19.320171] Hardware name: /, BIOS 1.0-d7fb19b 08/10/2022 + [ 19.325852] Workqueue: events_unbound deferred_probe_work_func + +The stack trace is a bit misleading as dw_pcie_host_deinit() doesn't +directly call pci_bus_release_domain_nr(). The issue turns out to be in +pci_remove_root_bus() which first calls pci_remove_bus() which frees the +struct pci_bus when its struct device is released. Then +pci_bus_release_domain_nr() is called and accesses the freed struct +pci_bus. Reordering these fixes the issue. + +Fixes: c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") +Link: https://lore.kernel.org/r/20230329123835.2724518-1-robh@kernel.org +Link: https://lore.kernel.org/r/b529cb69-0602-9eed-fc02-2f068707a006@nvidia.com +Reported-by: Jon Hunter +Tested-by: Jon Hunter +Signed-off-by: Rob Herring +Signed-off-by: Bjorn Helgaas +Reviewed-by: Kuppuswamy Sathyanarayanan +Cc: stable@vger.kernel.org # v6.2+ +Cc: Pali Rohár +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/remove.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pci/remove.c ++++ b/drivers/pci/remove.c +@@ -157,8 +157,6 @@ void pci_remove_root_bus(struct pci_bus + list_for_each_entry_safe(child, tmp, + &bus->devices, bus_list) + pci_remove_bus_device(child); +- pci_remove_bus(bus); +- host_bridge->bus = NULL; + + #ifdef CONFIG_PCI_DOMAINS_GENERIC + /* Release domain_nr if it was dynamically allocated */ +@@ -166,6 +164,9 @@ void pci_remove_root_bus(struct pci_bus + pci_bus_release_domain_nr(bus, host_bridge->dev.parent); + #endif + ++ pci_remove_bus(bus); ++ host_bridge->bus = NULL; ++ + /* remove the host bridge */ + device_del(&host_bridge->dev); + } diff --git a/queue-5.15/pci-release-resource-invalidated-by-coalescing.patch b/queue-5.15/pci-release-resource-invalidated-by-coalescing.patch new file mode 100644 index 00000000000..61d7a2fdbe6 --- /dev/null +++ b/queue-5.15/pci-release-resource-invalidated-by-coalescing.patch @@ -0,0 +1,55 @@ +From e54223275ba1bc6f704a6bab015fcd2ae4f72572 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 25 May 2023 16:32:48 +0100 +Subject: PCI: Release resource invalidated by coalescing + +From: Ross Lagerwall + +commit e54223275ba1bc6f704a6bab015fcd2ae4f72572 upstream. + +When contiguous windows are coalesced by pci_register_host_bridge(), the +second resource is expanded to include the first, and the first is +invalidated and consequently not added to the bus. However, it remains in +the resource hierarchy. For example, these windows: + + fec00000-fec7ffff : PCI Bus 0000:00 + fec80000-fecbffff : PCI Bus 0000:00 + +are coalesced into this, where the first resource remains in the tree with +start/end zeroed out: + + 00000000-00000000 : PCI Bus 0000:00 + fec00000-fecbffff : PCI Bus 0000:00 + +In some cases (e.g. the Xen scratch region), this causes future calls to +allocate_resource() to choose an inappropriate location which the caller +cannot handle. + +Fix by releasing the zeroed-out resource and removing it from the resource +hierarchy. + +[bhelgaas: commit log] +Fixes: 7c3855c423b1 ("PCI: Coalesce host bridge contiguous apertures") +Link: https://lore.kernel.org/r/20230525153248.712779-1-ross.lagerwall@citrix.com +Signed-off-by: Ross Lagerwall +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v5.16+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -999,8 +999,10 @@ static int pci_register_host_bridge(stru + resource_list_for_each_entry_safe(window, n, &resources) { + offset = window->offset; + res = window->res; +- if (!res->flags && !res->start && !res->end) ++ if (!res->flags && !res->start && !res->end) { ++ release_resource(res); + continue; ++ } + + list_move_tail(&window->node, &bridge->windows); + diff --git a/queue-5.15/series b/queue-5.15/series index a89e21255d7..1a98f931aca 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -366,3 +366,8 @@ net-dsa-mv88e6xxx-enable-pvt-for-6321-switch.patch net-dsa-mv88e6xxx-enable-.port_set_policy-for-6320-family.patch drm-amd-display-fix-double-free-issue-during-amdgpu-module-unload.patch xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch +mips-cm-fix-warning-if-mips_cm-is-disabled.patch +nvme-fixup-scan-failure-for-non-ana-multipath-controllers.patch +pci-fix-use-after-free-in-pci_bus_release_domain_nr.patch +pci-fix-dropping-valid-root-bus-resources-with-.end-zero.patch +pci-release-resource-invalidated-by-coalescing.patch -- 2.47.3