From 6889e99ca72ebfa78731dbeef8d508e13b603727 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sun, 11 Aug 2024 18:04:41 +0200
Subject: [PATCH] 6.10-stable patches
added patches:
clocksource-fix-brown-bag-boolean-thinko-in-cs_watchdog_read.patch
irqchip-loongarch-cpu-fix-return-value-of-lpic_gsi_to_irq.patch
irqchip-meson-gpio-convert-meson_gpio_irq_controller-lock-to-raw_spinlock_t.patch
media-intel-ipu6-select-auxiliary_bus-in-kconfig.patch
media-ipu-bridge-fix-ipu6-kconfig-dependencies.patch
mm-slub-do-not-call-do_slab_free-for-kfence-object.patch
net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch
profiling-remove-profile-sleep-support.patch
sched-cputime-fix-mul_u64_u64_div_u64-precision-for-cputime.patch
scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
scsi-revert-scsi-sd-do-not-repeat-the-starting-disk-message.patch
---
 ...g-boolean-thinko-in-cs_watchdog_read.patch | 38 +++++
 ...-fix-return-value-of-lpic_gsi_to_irq.patch | 46 ++++++
 ...rq_controller-lock-to-raw_spinlock_t.patch | 105 +++++++++++++
 ...ipu6-select-auxiliary_bus-in-kconfig.patch | 39 +++++
 ...bridge-fix-ipu6-kconfig-dependencies.patch | 55 +++++++
 ...-call-do_slab_free-for-kfence-object.patch | 51 ++++++
 ...m_start-and-offset-in-virtio_net_hdr.patch | 147 ++++++++++++++++++
 ...ofiling-remove-profile-sleep-support.patch | 125 +++++++++++++++
 ...64_u64_div_u64-precision-for-cputime.patch | 58 +++++++
 ...id-iommu-page-faults-on-report-zones.patch | 96 ++++++++++++
 ...not-repeat-the-starting-disk-message.patch | 70 +++++++++
 queue-6.10/series | 11 ++
 12 files changed, 841 insertions(+)
 create mode 100644 queue-6.10/clocksource-fix-brown-bag-boolean-thinko-in-cs_watchdog_read.patch
 create mode 100644 queue-6.10/irqchip-loongarch-cpu-fix-return-value-of-lpic_gsi_to_irq.patch
 create mode 100644 queue-6.10/irqchip-meson-gpio-convert-meson_gpio_irq_controller-lock-to-raw_spinlock_t.patch
 create mode 100644 queue-6.10/media-intel-ipu6-select-auxiliary_bus-in-kconfig.patch
 create mode 100644 queue-6.10/media-ipu-bridge-fix-ipu6-kconfig-dependencies.patch
 create mode 100644 queue-6.10/mm-slub-do-not-call-do_slab_free-for-kfence-object.patch
 create mode 100644 queue-6.10/net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch
 create mode 100644 queue-6.10/profiling-remove-profile-sleep-support.patch
 create mode 100644 queue-6.10/sched-cputime-fix-mul_u64_u64_div_u64-precision-for-cputime.patch
 create mode 100644 queue-6.10/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
 create mode 100644 queue-6.10/scsi-revert-scsi-sd-do-not-repeat-the-starting-disk-message.patch
diff --git a/queue-6.10/clocksource-fix-brown-bag-boolean-thinko-in-cs_watchdog_read.patch b/queue-6.10/clocksource-fix-brown-bag-boolean-thinko-in-cs_watchdog_read.patch
new file mode 100644
index 00000000000..9bdf2f4b593
--- /dev/null
+++ b/queue-6.10/clocksource-fix-brown-bag-boolean-thinko-in-cs_watchdog_read.patch
@@ -0,0 +1,38 @@
+From f2655ac2c06a15558e51ed6529de280e1553c86e Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney"
+Date: Fri, 2 Aug 2024 08:46:15 -0700
+Subject: clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()
+
+From: Paul E. McKenney
+
+commit f2655ac2c06a15558e51ed6529de280e1553c86e upstream.
+
+The current "nretries > 1 || nretries >= max_retries" check in
+cs_watchdog_read() will always evaluate to true, and thus pr_warn(), if
+nretries is greater than 1. The intent is instead to never warn on the
+first try, but otherwise warn if the successful retry was the last retry.
+
+Therefore, change that "||" to "&&".
+
+Fixes: db3a34e17433 ("clocksource: Retry clock read if long delays detected")
+Reported-by: Borislav Petkov
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240802154618.4149953-2-paulmck@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/time/clocksource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -246,7 +246,7 @@ static enum wd_read_status cs_watchdog_r
+
+ wd_delay = cycles_to_nsec_safe(watchdog, *wdnow, wd_end);
+ if (wd_delay <= WATCHDOG_MAX_SKEW) {
+- if (nretries > 1 || nretries >= max_retries) {
++ if (nretries > 1 && nretries >= max_retries) {
+ pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
+ smp_processor_id(), watchdog->name, nretries);
+ }
diff --git a/queue-6.10/irqchip-loongarch-cpu-fix-return-value-of-lpic_gsi_to_irq.patch b/queue-6.10/irqchip-loongarch-cpu-fix-return-value-of-lpic_gsi_to_irq.patch
new file mode 100644
index 00000000000..08b8be26712
--- /dev/null
+++ b/queue-6.10/irqchip-loongarch-cpu-fix-return-value-of-lpic_gsi_to_irq.patch
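Review bot: The corrected test `nretries > 1 && nretries >= max_retries` in cs_watchdog_read() carries no comment, and its `> 1` threshold does not obviously match the stated intent of never warning on the first try, because a single retry (`nretries == 1`) is silenced as well, even when it was the last one permitted. If that is deliberate, a line above the `if` would keep the condition from being "corrected" again, for example `/* Warn only if more than one retry was needed and success came on the final permitted attempt. */`. The retry loop that sets `nretries` lies outside the hunk, so the counting convention should be confirmed there before the wording is settled.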
@@ -0,0 +1,46 @@
+From 81a91abab1307d7725fa4620952c0767beae7753 Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Tue, 23 Jul 2024 14:45:08 +0800
+Subject: irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()
+
+From: Huacai Chen
+
+commit 81a91abab1307d7725fa4620952c0767beae7753 upstream.
+
+lpic_gsi_to_irq() should return a valid Linux interrupt number if
+acpi_register_gsi() succeeds, and return 0 otherwise. But lpic_gsi_to_irq()
+converts a negative return value of acpi_register_gsi() to a positive value
+silently.
+
+Convert the return value explicitly.
+
+Fixes: e8bba72b396c ("irqchip / ACPI: Introduce ACPI_IRQ_MODEL_LPIC for LoongArch")
+Reported-by: Miao Wang
+Signed-off-by: Huacai Chen
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Jiaxun Yang
+Cc:
+Link: https://lore.kernel.org/r/20240723064508.35560-1-chenhuacai@loongson.cn
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-loongarch-cpu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-loongarch-cpu.c
++++ b/drivers/irqchip/irq-loongarch-cpu.c
+@@ -18,11 +18,13 @@ struct fwnode_handle *cpuintc_handle;
+
+ static u32 lpic_gsi_to_irq(u32 gsi)
+ {
++ int irq = 0;
++
+ /* Only pch irqdomain transferring is required for LoongArch. */
+ if (gsi >= GSI_MIN_PCH_IRQ && gsi <= GSI_MAX_PCH_IRQ)
+- return acpi_register_gsi(NULL, gsi, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_HIGH);
++ irq = acpi_register_gsi(NULL, gsi, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_HIGH);
+
+- return 0;
++ return (irq > 0) ? irq : 0;
+ }
+
+ static struct fwnode_handle *lpic_get_gsi_domain_id(u32 gsi)
diff --git a/queue-6.10/irqchip-meson-gpio-convert-meson_gpio_irq_controller-lock-to-raw_spinlock_t.patch b/queue-6.10/irqchip-meson-gpio-convert-meson_gpio_irq_controller-lock-to-raw_spinlock_t.patch
new file mode 100644
index 00000000000..b950274267c
--- /dev/null
+++ b/queue-6.10/irqchip-meson-gpio-convert-meson_gpio_irq_controller-lock-to-raw_spinlock_t.patch
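Review bot: The return contract of lpic_gsi_to_irq() is still undocumented: `return (irq > 0) ? irq : 0;` now folds every `acpi_register_gsi()` failure into 0, the same value returned for a GSI outside the PCH range, and the original error code is dropped without a trace. A comment above the function would make that explicit for callers, for example `/* Returns the Linux IRQ for a PCH GSI, or 0 if the GSI is outside the PCH range or acpi_register_gsi() fails. */`. If the failure reason matters for debugging, a `pr_debug()` of the negative `irq` before the return would preserve it.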
@@ -0,0 +1,105 @@
+From f872d4af79fe8c71ae291ce8875b477e1669a6c7 Mon Sep 17 00:00:00 2001
+From: Arseniy Krasnov
+Date: Mon, 29 Jul 2024 16:18:50 +0300
+Subject: irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t'
+
+From: Arseniy Krasnov
+
+commit f872d4af79fe8c71ae291ce8875b477e1669a6c7 upstream.
+
+This lock is acquired under irq_desc::lock with interrupts disabled.
+
+When PREEMPT_RT is enabled, 'spinlock_t' becomes preemptible, which results
+in invalid lock acquire context;
+
+ [ BUG: Invalid wait context ]
+ swapper/0/1 is trying to lock:
+ ffff0000008fed30 (&ctl->lock){....}-{3:3}, at: meson_gpio_irq_update_bits0
+ other info that might help us debug this:
+ context-{5:5}
+ 3 locks held by swapper/0/1:
+ #0: ffff0000003cd0f8 (&dev->mutex){....}-{4:4}, at: __driver_attach+0x90c
+ #1: ffff000004714650 (&desc->request_mutex){+.+.}-{4:4}, at: __setup_irq0
+ #2: ffff0000047144c8 (&irq_desc_lock_class){-.-.}-{2:2}, at: __setup_irq0
+ stack backtrace:
+ CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.9-sdkernel #1
+ Call trace:
+ _raw_spin_lock_irqsave+0x60/0x88
+ meson_gpio_irq_update_bits+0x34/0x70
+ meson8_gpio_irq_set_type+0x78/0xc4
+ meson_gpio_irq_set_type+0x30/0x60
+ __irq_set_trigger+0x60/0x180
+ __setup_irq+0x30c/0x6e0
+ request_threaded_irq+0xec/0x1a4
+
+Fixes: 215f4cc0fb20 ("irqchip/meson: Add support for gpio interrupt controller")
+Signed-off-by: Arseniy Krasnov
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240729131850.3015508-1-avkrasnov@salutedevices.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-meson-gpio.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/irqchip/irq-meson-gpio.c
++++ b/drivers/irqchip/irq-meson-gpio.c
+@@ -178,7 +178,7 @@ struct meson_gpio_irq_controller {
+ void __iomem *base;
+ u32 channel_irqs[MAX_NUM_CHANNEL];
+ DECLARE_BITMAP(channel_map, MAX_NUM_CHANNEL);
+- spinlock_t lock;
++ raw_spinlock_t lock;
+ };
+
+ static void meson_gpio_irq_update_bits(struct meson_gpio_irq_controller *ctl,
+@@ -187,14 +187,14 @@ static void meson_gpio_irq_update_bits(s
+ unsigned long flags;
+ u32 tmp;
+
+- spin_lock_irqsave(&ctl->lock, flags);
++ raw_spin_lock_irqsave(&ctl->lock, flags);
+
+ tmp = readl_relaxed(ctl->base + reg);
+ tmp &= ~mask;
+ tmp |= val;
+ writel_relaxed(tmp, ctl->base + reg);
+
+- spin_unlock_irqrestore(&ctl->lock, flags);
++ raw_spin_unlock_irqrestore(&ctl->lock, flags);
+ }
+
+ static void meson_gpio_irq_init_dummy(struct meson_gpio_irq_controller *ctl)
+@@ -244,12 +244,12 @@ meson_gpio_irq_request_channel(struct me
+ unsigned long flags;
+ unsigned int idx;
+
+- spin_lock_irqsave(&ctl->lock, flags);
++ raw_spin_lock_irqsave(&ctl->lock, flags);
+
+ /* Find a free channel */
+ idx = find_first_zero_bit(ctl->channel_map, ctl->params->nr_channels);
+ if (idx >= ctl->params->nr_channels) {
+- spin_unlock_irqrestore(&ctl->lock, flags);
++ raw_spin_unlock_irqrestore(&ctl->lock, flags);
+ pr_err("No channel available\n");
+ return -ENOSPC;
+ }
+@@ -257,7 +257,7 @@ meson_gpio_irq_request_channel(struct me
+ /* Mark the channel as used */
+ set_bit(idx, ctl->channel_map);
+
+- spin_unlock_irqrestore(&ctl->lock, flags);
++ raw_spin_unlock_irqrestore(&ctl->lock, flags);
+
+ /*
+ * Setup the mux of the channel to route the signal of the pad
+@@ -567,7 +567,7 @@ static int meson_gpio_irq_of_init(struct
+ if (!ctl)
+ return -ENOMEM;
+
+- spin_lock_init(&ctl->lock);
++ raw_spin_lock_init(&ctl->lock);
+
+ ctl->base = of_iomap(node, 0);
+ if (!ctl->base) {
diff --git a/queue-6.10/media-intel-ipu6-select-auxiliary_bus-in-kconfig.patch b/queue-6.10/media-intel-ipu6-select-auxiliary_bus-in-kconfig.patch
new file mode 100644
index 00000000000..78764d543d4
--- /dev/null
+++ b/queue-6.10/media-intel-ipu6-select-auxiliary_bus-in-kconfig.patch
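Review bot: The `raw_spinlock_t lock;` member of struct meson_gpio_irq_controller gets no comment saying why it has to be a raw lock, so the constraint lives only in the commit message and a later cleanup could turn it back into `spinlock_t`. A field comment such as `raw_spinlock_t lock; /* taken under irq_desc::lock with IRQs off; must not become a sleeping lock on PREEMPT_RT */` records it where it is needed. It also tells anyone extending meson_gpio_irq_update_bits() or meson_gpio_irq_request_channel() that the critical sections must stay short and non-sleeping; the existing `pr_err()` is already issued after the unlock, which is the pattern to keep.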
@@ -0,0 +1,39 @@
+From 423a77ae3a3f916809ff3ab1c8db6d3d580c3120 Mon Sep 17 00:00:00 2001
+From: Bingbu Cao
+Date: Wed, 17 Jul 2024 15:40:50 +0800
+Subject: media: intel/ipu6: select AUXILIARY_BUS in Kconfig
+
+From: Bingbu Cao
+
+commit 423a77ae3a3f916809ff3ab1c8db6d3d580c3120 upstream.
+
+Intel IPU6 PCI driver need register its devices on auxiliary
+bus, so it needs to select the AUXILIARY_BUS in Kconfig.
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202407161833.7BEFXejx-lkp@intel.com/
+Fixes: c70281cc83d6 ("media: intel/ipu6: add Kconfig and Makefile")
+Signed-off-by: Bingbu Cao
+Cc: stable@vger.kernel.org # for v6.10
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/intel/ipu6/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/pci/intel/ipu6/Kconfig b/drivers/media/pci/intel/ipu6/Kconfig
+index b7ab24b89836..40e20f0aa5ae 100644
+--- a/drivers/media/pci/intel/ipu6/Kconfig
++++ b/drivers/media/pci/intel/ipu6/Kconfig
+@@ -4,6 +4,7 @@ config VIDEO_INTEL_IPU6
+ depends on VIDEO_DEV
+ depends on X86 && X86_64 && HAS_DMA
+ depends on IPU_BRIDGE || !IPU_BRIDGE
++ select AUXILIARY_BUS
+ select DMA_OPS
+ select IOMMU_IOVA
+ select VIDEO_V4L2_SUBDEV_API
+--
+2.46.0
+
diff --git a/queue-6.10/media-ipu-bridge-fix-ipu6-kconfig-dependencies.patch b/queue-6.10/media-ipu-bridge-fix-ipu6-kconfig-dependencies.patch
new file mode 100644
index 00000000000..ab656524294
--- /dev/null
+++ b/queue-6.10/media-ipu-bridge-fix-ipu6-kconfig-dependencies.patch
@@ -0,0 +1,55 @@
+From d7b5f7537c8282e1e1919408d0b6c69877fd35f8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 19 Jul 2024 11:53:50 +0200
+Subject: media: ipu-bridge: fix ipu6 Kconfig dependencies
+
+From: Arnd Bergmann
+
+commit d7b5f7537c8282e1e1919408d0b6c69877fd35f8 upstream.
+
+Commit 4670c8c3fb04 ("media: ipu-bridge: Fix Kconfig dependencies") changed
+how IPU_BRIDGE dependencies are handled for all drivers, but the IPU6
+variant was added the old way, which causes build time warnings when I2C is
+turned off:
+
+WARNING: unmet direct dependencies detected for IPU_BRIDGE
+ Depends on [n]: MEDIA_SUPPORT [=m] && PCI [=y] && MEDIA_PCI_SUPPORT [=y] && (ACPI [=y] || COMPILE_TEST [=y]) && I2C [=n]
+ Selected by [m]:
+ - VIDEO_INTEL_IPU6 [=m] && MEDIA_SUPPORT [=m] && PCI [=y] && MEDIA_PCI_SUPPORT [=y] && (ACPI [=y] || COMPILE_TEST [=y]) && VIDEO_DEV [=m] && X86 [=y] && X86_64 [=y] && HAS_DMA [=y]
+
+To make it consistent with the other IPU drivers as well as avoid this
+warning, change the 'select' into 'depends on'.
+
+Fixes: c70281cc83d6 ("media: intel/ipu6: add Kconfig and Makefile")
+Signed-off-by: Arnd Bergmann
+[Sakari Ailus: Alternatively depend on !IPU_BRIDGE.]
+Cc: stable@vger.kernel.org # for v6.10
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/intel/ipu6/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/intel/ipu6/Kconfig b/drivers/media/pci/intel/ipu6/Kconfig
+index 154343080c82..b7ab24b89836 100644
+--- a/drivers/media/pci/intel/ipu6/Kconfig
++++ b/drivers/media/pci/intel/ipu6/Kconfig
+@@ -3,13 +3,13 @@ config VIDEO_INTEL_IPU6
+ depends on ACPI || COMPILE_TEST
+ depends on VIDEO_DEV
+ depends on X86 && X86_64 && HAS_DMA
++ depends on IPU_BRIDGE || !IPU_BRIDGE
+ select DMA_OPS
+ select IOMMU_IOVA
+ select VIDEO_V4L2_SUBDEV_API
+ select MEDIA_CONTROLLER
+ select VIDEOBUF2_DMA_CONTIG
+ select V4L2_FWNODE
+- select IPU_BRIDGE
+ help
+ This is the 6th Gen Intel Image Processing Unit, found in Intel SoCs
+ and used for capturing images and video from camera sensors.
+--
+2.46.0
+
diff --git a/queue-6.10/mm-slub-do-not-call-do_slab_free-for-kfence-object.patch b/queue-6.10/mm-slub-do-not-call-do_slab_free-for-kfence-object.patch
new file mode 100644
index 00000000000..243c3977c2a
--- /dev/null
+++ b/queue-6.10/mm-slub-do-not-call-do_slab_free-for-kfence-object.patch
@@ -0,0 +1,51 @@
+From a371d558e6f3aed977a8a7346350557de5d25190 Mon Sep 17 00:00:00 2001
+From: Rik van Riel
+Date: Mon, 29 Jul 2024 14:19:28 -0400
+Subject: mm, slub: do not call do_slab_free for kfence object
+
+From: Rik van Riel
+
+commit a371d558e6f3aed977a8a7346350557de5d25190 upstream.
+
+In 782f8906f805 the freeing of kfence objects was moved from deep
+inside do_slab_free to the wrapper functions outside. This is a nice
+change, but unfortunately it missed one spot in __kmem_cache_free_bulk.
+
+This results in a crash like this:
+
+BUG skbuff_head_cache (Tainted: G S B E ): Padding overwritten. 0xffff88907fea0f00-0xffff88907fea0fff @offset=3840
+
+slab_err (mm/slub.c:1129)
+free_to_partial_list (mm/slub.c:? mm/slub.c:4036)
+slab_pad_check (mm/slub.c:864 mm/slub.c:1290)
+check_slab (mm/slub.c:?)
+free_to_partial_list (mm/slub.c:3171 mm/slub.c:4036)
+kmem_cache_alloc_bulk (mm/slub.c:? mm/slub.c:4495 mm/slub.c:4586 mm/slub.c:4635)
+napi_build_skb (net/core/skbuff.c:348 net/core/skbuff.c:527 net/core/skbuff.c:549)
+
+All the other callers to do_slab_free appear to be ok.
+
+Add a kfence_free check in __kmem_cache_free_bulk to avoid the crash.
+
+Reported-by: Chris Mason
+Fixes: 782f8906f805 ("mm/slub: free KFENCE objects in slab_free_hook()")
+Cc: stable@kernel.org
+Signed-off-by: Rik van Riel
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slub.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4655,6 +4655,9 @@ static void __kmem_cache_free_bulk(struc
+ if (!df.slab)
+ continue;
+
++ if (kfence_free(df.freelist))
++ continue;
++
+ do_slab_free(df.s, df.slab, df.freelist, df.tail, df.cnt,
+ _RET_IP_);
+ } while (likely(size));
diff --git a/queue-6.10/net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch b/queue-6.10/net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch
new file mode 100644
index 00000000000..b7c733196c1
--- /dev/null
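Review bot: The added `if (kfence_free(df.freelist))` test looks only at the head of the detached freelist, while the `do_slab_free()` call right below it is handed `df.tail` and `df.cnt`, so the check is sufficient only if a KFENCE object always reaches this point as a one-object freelist. That invariant is presumably set up where `df` is built, which is outside this hunk, and it is not stated anywhere near the new lines. A short comment above the check would pin it down, for example `/* KFENCE objects are returned to KFENCE, never to the slab; df is expected to hold a single object in that case. */`, so a future change to the freelist builder does not quietly reintroduce the slab-metadata corruption shown in the log. __kmem_cache_free_bulk() begins and ends outside the hunk.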
+++ b/queue-6.10/net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch 
@@ -0,0 +1,147 @@
+From 89add40066f9ed9abe5f7f886fe5789ff7e0c50e Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn
+Date: Mon, 29 Jul 2024 16:10:12 -0400
+Subject: net: drop bad gso csum_start and offset in virtio_net_hdr
+
+From: Willem de Bruijn
+
+commit 89add40066f9ed9abe5f7f886fe5789ff7e0c50e upstream.
+
+Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb
+for GSO packets.
+
+The function already checks that a checksum requested with
+VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets
+this might not hold for segs after segmentation.
+
+Syzkaller demonstrated to reach this warning in skb_checksum_help
+
+ offset = skb_checksum_start_offset(skb);
+ ret = -EINVAL;
+ if (WARN_ON_ONCE(offset >= skb_headlen(skb)))
+
+By injecting a TSO packet:
+
+WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0
+ ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774
+ ip_finish_output_gso net/ipv4/ip_output.c:279 [inline]
+ __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301
+ iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82
+ ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813
+ __gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661
+ __netdev_start_xmit include/linux/netdevice.h:4850 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4864 [inline]
+ xmit_one net/core/dev.c:3595 [inline]
+ dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611
+ __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261
+ packet_snd net/packet/af_packet.c:3073 [inline]
+
+The geometry of the bad input packet at tcp_gso_segment:
+
+[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0
+[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244
+[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))
+[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536
+ip_summed=3 complete_sw=0 valid=0 level=0)
+
+Mitigate with stricter input validation.
+
+csum_offset: for GSO packets, deduce the correct value from gso_type.
+This is already done for USO. Extend it to TSO. Let UFO be:
+udp[46]_ufo_fragment ignores these fields and always computes the
+checksum in software.
+
+csum_start: finding the real offset requires parsing to the transport
+header. Do not add a parser, use existing segmentation parsing. Thanks
+to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.
+Again test both TSO and USO. Do not test UFO for the above reason, and
+do not test UDP tunnel offload.
+
+GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be
+CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit
+from devices with no checksum offload"), but then still these fields
+are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no
+need to test for ip_summed == CHECKSUM_PARTIAL first.
+
+This revises an existing fix mentioned in the Fixes tag, which broke
+small packets with GSO offload, as detected by kselftests.
+
+Link: https://syzkaller.appspot.com/bug?extid=e1db31216c789f552871
+Link: https://lore.kernel.org/netdev/20240723223109.2196886-1-kuba@kernel.org
+Fixes: e269d79c7d35 ("net: missing check virtio")
+Cc: stable@vger.kernel.org
+Signed-off-by: Willem de Bruijn
+Link: https://patch.msgid.link/20240729201108.1615114-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/virtio_net.h | 16 +++++-----------
+ net/ipv4/tcp_offload.c | 3 +++
+ net/ipv4/udp_offload.c | 4 ++++
+ 3 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -56,7 +56,6 @@ static inline int virtio_net_hdr_to_skb(
+ unsigned int thlen = 0;
+ unsigned int p_off = 0;
+ unsigned int ip_proto;
+- u64 ret, remainder, gso_size;
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
+@@ -99,16 +98,6 @@ static inline int virtio_net_hdr_to_skb(
+ u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset);
+ u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16));
+
+- if (hdr->gso_size) {
+- gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
+- ret = div64_u64_rem(skb->len, gso_size, &remainder);
+- if (!(ret && (hdr->gso_size > needed) &&
+- ((remainder > needed) || (remainder == 0)))) {
+- return -EINVAL;
+- }
+- skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
+- }
+-
+ if (!pskb_may_pull(skb, needed))
+ return -EINVAL;
+
+@@ -182,6 +171,11 @@ retry:
+ if (gso_type != SKB_GSO_UDP_L4)
+ return -EINVAL;
+ break;
++ case SKB_GSO_TCPV4:
++ case SKB_GSO_TCPV6:
++ if (skb->csum_offset != offsetof(struct tcphdr, check))
++ return -EINVAL;
++ break;
+ }
+
+ /* Kernel has a special handling for GSO_BY_FRAGS. */
+--- a/net/ipv4/tcp_offload.c
++++ b/net/ipv4/tcp_offload.c
+@@ -140,6 +140,9 @@ struct sk_buff *tcp_gso_segment(struct s
+ if (thlen < sizeof(*th))
+ goto out;
+
++ if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb)))
++ goto out;
++
+ if (!pskb_may_pull(skb, thlen))
+ goto out;
+
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -278,6 +278,10 @@ struct sk_buff *__udp_gso_segment(struct
+ if (gso_skb->len <= sizeof(*uh) + mss)
+ return ERR_PTR(-EINVAL);
+
++ if (unlikely(skb_checksum_start(gso_skb) !=
++ skb_transport_header(gso_skb)))
++ return ERR_PTR(-EINVAL);
++
+ if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
+ /* Packet is from an untrusted source, reset gso_segs. */
+ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),
diff --git a/queue-6.10/profiling-remove-profile-sleep-support.patch b/queue-6.10/profiling-remove-profile-sleep-support.patch
new file mode 100644
index 00000000000..ce9ccbcd561
--- /dev/null
+++ b/queue-6.10/profiling-remove-profile-sleep-support.patch
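Review bot: The new `case SKB_GSO_TCPV4:` / `case SKB_GSO_TCPV6:` branch in virtio_net_hdr_to_skb() compares `skb->csum_offset` unconditionally, although the description itself only claims that GSO packets are "almost always" CHECKSUM_PARTIAL. For a TSO header that arrives without VIRTIO_NET_HDR_F_NEEDS_CSUM the field is presumably never filled from the header, so the comparison would reject the packet on a value that carries no meaning; the code that sets it lies outside the hunk and should be checked. Gating the test keeps the validation strict exactly where the field is consumed: `if (skb->ip_summed == CHECKSUM_PARTIAL && skb->csum_offset != offsetof(struct tcphdr, check))`. The same question applies to the `skb_checksum_start(skb) != skb_transport_header(skb)` test added in tcp_gso_segment(), which appears to sit on the general segmentation path rather than only on the untrusted virtio input path.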
@@ -0,0 +1,125 @@
+From b88f55389ad27f05ed84af9e1026aa64dbfabc9a Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Sun, 4 Aug 2024 18:48:10 +0900
+Subject: profiling: remove profile=sleep support
+
+From: Tetsuo Handa
+
+commit b88f55389ad27f05ed84af9e1026aa64dbfabc9a upstream.
+
+The kernel sleep profile is no longer working due to a recursive locking
+bug introduced by commit 42a20f86dc19 ("sched: Add wrapper for get_wchan()
+to keep task blocked")
+
+Booting with the 'profile=sleep' kernel command line option added or
+executing
+
+ # echo -n sleep > /sys/kernel/profiling
+
+after boot causes the system to lock up.
+
+Lockdep reports
+
+ kthreadd/3 is trying to acquire lock:
+ ffff93ac82e08d58 (&p->pi_lock){....}-{2:2}, at: get_wchan+0x32/0x70
+
+ but task is already holding lock:
+ ffff93ac82e08d58 (&p->pi_lock){....}-{2:2}, at: try_to_wake_up+0x53/0x370
+
+with the call trace being
+
+ lock_acquire+0xc8/0x2f0
+ get_wchan+0x32/0x70
+ __update_stats_enqueue_sleeper+0x151/0x430
+ enqueue_entity+0x4b0/0x520
+ enqueue_task_fair+0x92/0x6b0
+ ttwu_do_activate+0x73/0x140
+ try_to_wake_up+0x213/0x370
+ swake_up_locked+0x20/0x50
+ complete+0x2f/0x40
+ kthread+0xfb/0x180
+
+However, since nobody noticed this regression for more than two years,
+let's remove 'profile=sleep' support based on the assumption that nobody
+needs this functionality.
+
+Fixes: 42a20f86dc19 ("sched: Add wrapper for get_wchan() to keep task blocked")
+Cc: stable@vger.kernel.org # v5.16+
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/admin-guide/kernel-parameters.txt | 4 +---
+ include/linux/profile.h | 1 -
+ kernel/profile.c | 11 +----------
+ kernel/sched/stats.c | 10 ----------
+ 4 files changed, 2 insertions(+), 24 deletions(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4801,11 +4801,9 @@
+
+ profile= [KNL] Enable kernel profiling via /proc/profile
+ Format: [,]
+- Param: : "schedule", "sleep", or "kvm"
++ Param: : "schedule" or "kvm"
+ [defaults to kernel profiling]
+ Param: "schedule" - profile schedule points.
+- Param: "sleep" - profile D-state sleeping (millisecs).
+- Requires CONFIG_SCHEDSTATS
+ Param: "kvm" - profile VM exits.
+ Param: - step/bucket size as a power of 2 for
+ statistical time based profiling.
+--- a/include/linux/profile.h
++++ b/include/linux/profile.h
+@@ -11,7 +11,6 @@
+
+ #define CPU_PROFILING 1
+ #define SCHED_PROFILING 2
+-#define SLEEP_PROFILING 3
+ #define KVM_PROFILING 4
+
+ struct proc_dir_entry;
+--- a/kernel/profile.c
++++ b/kernel/profile.c
+@@ -57,20 +57,11 @@ static DEFINE_MUTEX(profile_flip_mutex);
+ int profile_setup(char *str)
+ {
+ static const char schedstr[] = "schedule";
+- static const char sleepstr[] = "sleep";
+ static const char kvmstr[] = "kvm";
+ const char *select = NULL;
+ int par;
+
+- if (!strncmp(str, sleepstr, strlen(sleepstr))) {
+-#ifdef CONFIG_SCHEDSTATS
+- force_schedstat_enabled();
+- prof_on = SLEEP_PROFILING;
+- select = sleepstr;
+-#else
+- pr_warn("kernel sleep profiling requires CONFIG_SCHEDSTATS\n");
+-#endif /* CONFIG_SCHEDSTATS */
+- } else if (!strncmp(str, schedstr, strlen(schedstr))) {
++ if (!strncmp(str, schedstr, strlen(schedstr))) {
+ prof_on = SCHED_PROFILING;
+ select = schedstr;
+ } else if (!strncmp(str, kvmstr, strlen(kvmstr))) {
+--- a/kernel/sched/stats.c
++++ b/kernel/sched/stats.c
+@@ -92,16 +92,6 @@ void __update_stats_enqueue_sleeper(stru
+
+ trace_sched_stat_blocked(p, delta);
+
+- /*
+- * Blocking time is in units of nanosecs, so shift by
+- * 20 to get a milliseconds-range estimation of the
+- * amount of time that the task spent sleeping:
+- */
+- if (unlikely(prof_on == SLEEP_PROFILING)) {
+- profile_hits(SLEEP_PROFILING,
+- (void *)get_wchan(p),
+- delta >> 20);
+- }
+ account_scheduler_latency(p, delta >> 10, 0);
+ }
+ }
diff --git a/queue-6.10/sched-cputime-fix-mul_u64_u64_div_u64-precision-for-cputime.patch b/queue-6.10/sched-cputime-fix-mul_u64_u64_div_u64-precision-for-cputime.patch
new file mode 100644
index 00000000000..0465da6a292
--- /dev/null
+++ b/queue-6.10/sched-cputime-fix-mul_u64_u64_div_u64-precision-for-cputime.patch
@@ -0,0 +1,58 @@
+From 77baa5bafcbe1b2a15ef9c37232c21279c95481c Mon Sep 17 00:00:00 2001
+From: Zheng Zucheng
+Date: Fri, 26 Jul 2024 02:32:35 +0000
+Subject: sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
+
+From: Zheng Zucheng
+
+commit 77baa5bafcbe1b2a15ef9c37232c21279c95481c upstream.
+
+In extreme test scenarios:
+the 14th field utime in /proc/xx/stat is greater than sum_exec_runtime,
+utime = 18446744073709518790 ns, rtime = 135989749728000 ns
+
+In cputime_adjust() process, stime is greater than rtime due to
+mul_u64_u64_div_u64() precision problem.
+before call mul_u64_u64_div_u64(),
+stime = 175136586720000, rtime = 135989749728000, utime = 1416780000.
+after call mul_u64_u64_div_u64(),
+stime = 135989949653530
+
+unsigned reversion occurs because rtime is less than stime.
+utime = rtime - stime = 135989749728000 - 135989949653530
+ = -199925530
+ = (u64)18446744073709518790
+
+Trigger condition:
+ 1). User task run in kernel mode most of time
+ 2). ARM64 architecture
+ 3). TICK_CPU_ACCOUNTING=y
+ CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set
+
+Fix mul_u64_u64_div_u64() conversion precision by reset stime to rtime
+
+Fixes: 3dc167ba5729 ("sched/cputime: Improve cputime_adjust()")
+Signed-off-by: Zheng Zucheng
+Signed-off-by: Peter Zijlstra (Intel)
+Cc:
+Link: https://lkml.kernel.org/r/20240726023235.217771-1-zhengzucheng@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/cputime.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/sched/cputime.c
++++ b/kernel/sched/cputime.c
+@@ -582,6 +582,12 @@ void cputime_adjust(struct task_cputime
+ }
+
+ stime = mul_u64_u64_div_u64(stime, rtime, stime + utime);
++ /*
++ * Because mul_u64_u64_div_u64() can approximate on some
++ * achitectures; enforce the constraint that: a*b/(b+c) <= a.
++ */
++ if (unlikely(stime > rtime))
++ stime = rtime;
+
+ update:
+ /*
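Review bot: The comment added above the clamp states the bound as `a*b/(b+c) <= a`, which does not line up with the call it documents, `mul_u64_u64_div_u64(stime, rtime, stime + utime)`, where the divisor is `stime + utime` and the value that must not be exceeded is `rtime`. Writing it in the function's own variables makes the guard auditable at a glance, for example `/* stime * rtime / (stime + utime) can never legitimately exceed rtime; clamp when the helper's approximation overshoots, so the later rtime - stime cannot wrap. */`. The subtraction that wraps is described in the commit message but lies outside this hunk, so the last clause should be checked against the code under `update:`. The comment also misspells "architectures".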
diff --git a/queue-6.10/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch b/queue-6.10/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
new file mode 100644
index 00000000000..91d709411b0
--- /dev/null
+++ b/queue-6.10/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
@@ -0,0 +1,96 @@
+From 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Fri, 19 Jul 2024 16:39:12 +0900
+Subject: scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
+
+From: Damien Le Moal
+
+commit 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 upstream.
+
+Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT
+ZONES command reply buffer from ATA-ZAC devices by directly accessing the
+buffer in the host memory. This does not respect the default command DMA
+direction and causes IOMMU page faults on architectures with an IOMMU
+enforcing write-only mappings for DMA_FROM_DEVICE DMA driection (e.g. AMD
+hosts).
+
+scsi 18:0:0:0: Direct-Access-ZBC ATA WDC WSH722020AL W870 PQ: 0 ANSI: 6
+scsi 18:0:0:0: SATA: handle(0x0027), sas_addr(0x300062b2083e7c40), phy(0), device_name(0x5000cca29dc35e11)
+scsi 18:0:0:0: enclosure logical id (0x300062b208097c40), slot(0)
+scsi 18:0:0:0: enclosure level(0x0000), connector name( C0.0)
+scsi 18:0:0:0: atapi(n), ncq(y), asyn_notify(n), smart(y), fua(y), sw_preserve(y)
+scsi 18:0:0:0: qdepth(32), tagged(1), scsi_level(7), cmd_que(1)
+sd 18:0:0:0: Attached scsi generic sg2 type 20
+sd 18:0:0:0: [sdc] Host-managed zoned block device
+mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b200 flags=0x0050]
+mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b300 flags=0x0050]
+mpt3sas_cm0: mpt3sas_ctl_pre_reset_handler: Releasing the trace buffer due to adapter reset.
+mpt3sas_cm0 fault info from func: mpt3sas_base_make_ioc_ready
+mpt3sas_cm0: fault_state(0x2666)!
+mpt3sas_cm0: sending diag reset !!
+mpt3sas_cm0: diag reset: SUCCESS
+sd 18:0:0:0: [sdc] REPORT ZONES start lba 0 failed
+sd 18:0:0:0: [sdc] REPORT ZONES: Result: hostbyte=DID_RESET driverbyte=DRIVER_OK
+sd 18:0:0:0: [sdc] 0 4096-byte logical blocks: (0 B/0 B)
+
+Avoid such issue by always mapping the buffer of REPORT ZONES commands
+using DMA_BIDIRECTIONAL (read+write IOMMU mapping). This is done by
+introducing the helper function _base_scsi_dma_map() and using this helper
+in _base_build_sg_scmd() and _base_build_sg_scmd_ieee() instead of calling
+directly scsi_dma_map().
+
+Fixes: 471ef9d4e498 ("mpt3sas: Build MPI SGL LIST on GEN2 HBAs and IEEE SGL LIST on GEN3 HBAs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal
+Link: https://lore.kernel.org/r/20240719073913.179559-3-dlemoal@kernel.org
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -2671,6 +2671,22 @@ _base_build_zero_len_sge_ieee(struct MPT
+ _base_add_sg_single_ieee(paddr, sgl_flags, 0, 0, -1);
+ }
+
++static inline int _base_scsi_dma_map(struct scsi_cmnd *cmd)
++{
++ /*
++ * Some firmware versions byte-swap the REPORT ZONES command reply from
++ * ATA-ZAC devices by directly accessing in the host buffer. This does
++ * not respect the default command DMA direction and causes IOMMU page
++ * faults on some architectures with an IOMMU enforcing write mappings
++ * (e.g. AMD hosts). Avoid such issue by making the report zones buffer
++ * mapping bi-directional.
++ */
++ if (cmd->cmnd[0] == ZBC_IN && cmd->cmnd[1] == ZI_REPORT_ZONES)
++ cmd->sc_data_direction = DMA_BIDIRECTIONAL;
++
++ return scsi_dma_map(cmd);
++}
++
+ /**
+ * _base_build_sg_scmd - main sg creation routine
+ * pcie_device is unused here!
+@@ -2717,7 +2733,7 @@ _base_build_sg_scmd(struct MPT3SAS_ADAPT
+ sgl_flags = sgl_flags << MPI2_SGE_FLAGS_SHIFT;
+
+ sg_scmd = scsi_sglist(scmd);
+- sges_left = scsi_dma_map(scmd);
++ sges_left = _base_scsi_dma_map(scmd);
+ if (sges_left < 0)
+ return -ENOMEM;
+
+@@ -2861,7 +2877,7 @@ _base_build_sg_scmd_ieee(struct MPT3SAS_
+ }
+
+ sg_scmd = scsi_sglist(scmd);
+- sges_left = scsi_dma_map(scmd);
++ sges_left = _base_scsi_dma_map(scmd);
+ if (sges_left < 0)
+ return -ENOMEM;
+
diff --git a/queue-6.10/scsi-revert-scsi-sd-do-not-repeat-the-starting-disk-message.patch b/queue-6.10/scsi-revert-scsi-sd-do-not-repeat-the-starting-disk-message.patch
new file mode 100644
index 00000000000..5ce185455bd
--- /dev/null
+++ b/queue-6.10/scsi-revert-scsi-sd-do-not-repeat-the-starting-disk-message.patch
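Review bot: `_base_scsi_dma_map()` overwrites `cmd->sc_data_direction` in place, and it does so for every command whose CDB matches `ZBC_IN` / `ZI_REPORT_ZONES`, not only for ATA-ZAC devices behind the affected firmware, so the device-readable (bidirectional) IOMMU mapping is granted more widely than the problem the comment describes. Anything that reads the direction after this call, including a resubmission of the same command, will see DMA_BIDIRECTIONAL rather than the original value; whether this driver derives its read/write control flags from that field is not visible in the hunk and is worth confirming. At minimum the side effect belongs in the helper's comment, e.g. `* Note: this changes cmd->sc_data_direction for the rest of the command's life.`, and if the override is only meant for device-to-host transfers it can be narrowed by putting `cmd->sc_data_direction == DMA_FROM_DEVICE &&` at the front of the condition.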
@@ -0,0 +1,70 @@
+From da3e19ef0b3de0aa4b25595bdc214c02a04f19b8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 16 Jul 2024 18:11:01 +0200
+Subject: scsi: Revert "scsi: sd: Do not repeat the starting disk message"
+
+From: Johan Hovold
+
+commit da3e19ef0b3de0aa4b25595bdc214c02a04f19b8 upstream.
+
+This reverts commit 7a6bbc2829d4ab592c7e440a6f6f5deb3cd95db4.
+
+The offending commit tried to suppress a double "Starting disk" message for
+some drivers, but instead started spamming the log with bogus messages
+every five seconds:
+
+ [ 311.798956] sd 0:0:0:0: [sda] Starting disk
+ [ 316.919103] sd 0:0:0:0: [sda] Starting disk
+ [ 322.040775] sd 0:0:0:0: [sda] Starting disk
+ [ 327.161140] sd 0:0:0:0: [sda] Starting disk
+ [ 332.281352] sd 0:0:0:0: [sda] Starting disk
+ [ 337.401878] sd 0:0:0:0: [sda] Starting disk
+ [ 342.521527] sd 0:0:0:0: [sda] Starting disk
+ [ 345.850401] sd 0:0:0:0: [sda] Starting disk
+ [ 350.967132] sd 0:0:0:0: [sda] Starting disk
+ [ 356.090454] sd 0:0:0:0: [sda] Starting disk
+ ...
+
+on machines that do not actually stop the disk on runtime suspend (e.g.
+the Qualcomm sc8280xp CRD with UFS).
+
+Let's just revert for now to address the regression.
+
+Fixes: 7a6bbc2829d4 ("scsi: sd: Do not repeat the starting disk message")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20240716161101.30692-1-johan+linaro@kernel.org
+Reviewed-by: Bart Van Assche
+Reviewed-by: Damien Le Moal
+Signed-off-by: Martin K.
Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -4119,6 +4119,8 @@ static int sd_resume(struct device *dev)
+ {
+ struct scsi_disk *sdkp = dev_get_drvdata(dev);
+
++ sd_printk(KERN_NOTICE, sdkp, "Starting disk\n");
++
+ if (opal_unlock_from_suspend(sdkp->opal_dev)) {
+ sd_printk(KERN_NOTICE, sdkp, "OPAL unlock failed\n");
+ return -EIO;
+@@ -4135,13 +4137,12 @@ static int sd_resume_common(struct devic
+ if (!sdkp) /* E.g.: runtime resume at the start of sd_probe() */
+ return 0;
+
+- sd_printk(KERN_NOTICE, sdkp, "Starting disk\n");
+-
+ if (!sd_do_start_stop(sdkp->device, runtime)) {
+ sdkp->suspended = false;
+ return 0;
+ }
+
++ sd_printk(KERN_NOTICE, sdkp, "Starting disk\n");
+ ret = sd_start_stop_device(sdkp, 1);
+ if (!ret) {
+ sd_resume(dev);
diff --git a/queue-6.10/series b/queue-6.10/series
index 879710093d9..ee1cb5c58ec 100644
--- a/queue-6.10/series
+++ b/queue-6.10/series
@@ -121,3 +121,14 @@ drm-amd-display-fix-null-pointer-deref-in-dcn20_reso.patch
 s390-sclp-prevent-release-of-buffer-in-i-o.patch
 ext4-sanity-check-for-null-pointer-after-ext4_force_.patch
 sunrpc-fix-a-race-to-wake-a-sync-task.patch
+mm-slub-do-not-call-do_slab_free-for-kfence-object.patch
+profiling-remove-profile-sleep-support.patch
+clocksource-fix-brown-bag-boolean-thinko-in-cs_watchdog_read.patch
+scsi-revert-scsi-sd-do-not-repeat-the-starting-disk-message.patch
+scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
+media-ipu-bridge-fix-ipu6-kconfig-dependencies.patch
+media-intel-ipu6-select-auxiliary_bus-in-kconfig.patch
+irqchip-meson-gpio-convert-meson_gpio_irq_controller-lock-to-raw_spinlock_t.patch
+irqchip-loongarch-cpu-fix-return-value-of-lpic_gsi_to_irq.patch
+sched-cputime-fix-mul_u64_u64_div_u64-precision-for-cputime.patch
+net-drop-bad-gso-csum_start-and-offset-in-virtio_net_hdr.patch
--
2.47.3
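Review bot: In the queued sd.c patch, the `sd_resume(dev);` call inside sd_resume_common() discards the return value, so the `-EIO` that sd_resume() returns when `opal_unlock_from_suspend()` fails does not reach the caller on this path, as far as the visible lines show. For a self-encrypting drive that would leave a resume reported as successful while the device is still locked, with only the "OPAL unlock failed" notice as evidence. Consider `ret = sd_resume(dev);` at that call so the unlock failure propagates, or add a comment stating why it is deliberately ignored. The body of sd_resume_common() continues past the end of the hunk, so how `ret` and `sdkp->suspended` are handled after the call needs to be confirmed against the full function.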