From 8a6d6ab590d747a2978045f5b2749b94d0bb2b2c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 7 Aug 2024 16:35:42 +0200 Subject: [PATCH] 6.1-stable patches added patches: alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch btrfs-zoned-fix-zone_unusable-accounting-on-making-block-group-read-write-again.patch drm-i915-fix-possible-int-overflow-in-skl_ddi_calculate_wrpll.patch drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch hid-wacom-modify-pen-ids.patch mptcp-distinguish-rcv-vs-sent-backup-flag-in-requests.patch mptcp-fix-bad-rcvpruned-mib-accounting.patch mptcp-fix-duplicate-data-handling.patch mptcp-fix-nl-pm-announced-address-accounting.patch mptcp-fix-user-space-pm-announced-address-accounting.patch mptcp-pm-only-set-request_bkup-flag-when-sending-mp_prio.patch mptcp-sched-check-both-directions-for-backup.patch net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch rust-shadow_call_stack-is-incompatible-with-rust.patch selftests-mptcp-always-close-input-s-fd-if-opened.patch --- ...ek-add-quirk-for-acer-aspire-e5-574g.patch | 31 ++++ ...urround-channels-in-uac1-channel-map.patch | 41 +++++ ...-making-block-group-read-write-again.patch | 147 ++++++++++++++++++ ...-overflow-in-skl_ddi_calculate_wrpll.patch | 65 ++++++++ ...-a-deadlock-in-dma-buf-fence-polling.patch | 104 +++++++++++++ queue-6.1/hid-wacom-modify-pen-ids.patch | 43 +++++ ...-rcv-vs-sent-backup-flag-in-requests.patch | 62 ++++++++ ...tcp-fix-bad-rcvpruned-mib-accounting.patch | 53 +++++++ .../mptcp-fix-duplicate-data-handling.patch | 62 ++++++++ ...x-nl-pm-announced-address-accounting.patch | 62 ++++++++ ...pace-pm-announced-address-accounting.patch | 59 +++++++ ...quest_bkup-flag-when-sending-mp_prio.patch | 33 ++++ ...hed-check-both-directions-for-backup.patch | 80 ++++++++++ ...ialized-variable-use-in-sr_mdio_read.patch | 60 +++++++ ...ck-device-when-updating-mkbp-version.patch | 42 +++++ ...of-fd-in-do_dup2-from-mispredictions.patch | 34 ++++ ...tx_dropped-in-case-of-netdev_tx_busy.patch | 48 ++++++ ...obsolete-workqueue-for-period-update.patch | 89 +++++++++++ ...riod-elapse-event-in-process-context.patch | 118 ++++++++++++++ ...call_stack-is-incompatible-with-rust.patch | 42 +++++ ...cp-always-close-input-s-fd-if-opened.patch | 42 +++++ queue-6.1/series | 21 +++ 22 files changed, 1338 insertions(+) create mode 100644 queue-6.1/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch create mode 100644 queue-6.1/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch create mode 100644 queue-6.1/btrfs-zoned-fix-zone_unusable-accounting-on-making-block-group-read-write-again.patch create mode 100644 queue-6.1/drm-i915-fix-possible-int-overflow-in-skl_ddi_calculate_wrpll.patch create mode 100644 queue-6.1/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch create mode 100644 queue-6.1/hid-wacom-modify-pen-ids.patch create mode 100644 queue-6.1/mptcp-distinguish-rcv-vs-sent-backup-flag-in-requests.patch create mode 100644 queue-6.1/mptcp-fix-bad-rcvpruned-mib-accounting.patch create mode 100644 queue-6.1/mptcp-fix-duplicate-data-handling.patch create mode 100644 queue-6.1/mptcp-fix-nl-pm-announced-address-accounting.patch create mode 100644 queue-6.1/mptcp-fix-user-space-pm-announced-address-accounting.patch create mode 100644 queue-6.1/mptcp-pm-only-set-request_bkup-flag-when-sending-mp_prio.patch create mode 100644 queue-6.1/mptcp-sched-check-both-directions-for-backup.patch create mode 100644 queue-6.1/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch create mode 100644 queue-6.1/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch create mode 100644 queue-6.1/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch create mode 100644 queue-6.1/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch create mode 100644 queue-6.1/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch create mode 100644 queue-6.1/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch create mode 100644 queue-6.1/rust-shadow_call_stack-is-incompatible-with-rust.patch create mode 100644 queue-6.1/selftests-mptcp-always-close-input-s-fd-if-opened.patch diff --git a/queue-6.1/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch b/queue-6.1/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch new file mode 100644 index 00000000000..7e5dfb9793d --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch @@ -0,0 +1,31 @@ +From 3c0b6f924e1259ade38587ea719b693f6f6f2f3e Mon Sep 17 00:00:00 2001 +From: Mavroudis Chatzilazaridis +Date: Sun, 28 Jul 2024 12:36:04 +0000 +Subject: ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G + +From: Mavroudis Chatzilazaridis + +commit 3c0b6f924e1259ade38587ea719b693f6f6f2f3e upstream. + +ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST fixes combo jack detection and +limits the internal microphone boost that causes clipping on this model. + +Signed-off-by: Mavroudis Chatzilazaridis +Cc: +Link: https://patch.msgid.link/20240728123601.144017-1-mavchatz@protonmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9496,6 +9496,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS), + SND_PCI_QUIRK(0x1025, 0x080d, "Acer Aspire V5-122P", ALC269_FIXUP_ASPIRE_HEADSET_MIC), + SND_PCI_QUIRK(0x1025, 0x0840, "Acer Aspire E1", ALC269VB_FIXUP_ASPIRE_E1_COEF), ++ SND_PCI_QUIRK(0x1025, 0x100c, "Acer Aspire E5-574G", ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x1025, 0x101c, "Acer Veriton N2510G", ALC269_FIXUP_LIFEBOOK), + SND_PCI_QUIRK(0x1025, 0x102b, "Acer Aspire C24-860", ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1025, 0x1065, "Acer Aspire C20-820", ALC269VC_FIXUP_ACER_HEADSET_MIC), diff --git a/queue-6.1/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch b/queue-6.1/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch new file mode 100644 index 00000000000..050df035ae5 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch @@ -0,0 +1,41 @@ +From b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 31 Jul 2024 16:19:41 +0200 +Subject: ALSA: usb-audio: Correct surround channels in UAC1 channel map + +From: Takashi Iwai + +commit b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d upstream. + +USB-audio driver puts SNDRV_CHMAP_SL and _SR as left and right +surround channels for UAC1 channel map, respectively. But they should +have been SNDRV_CHMAP_RL and _RR; the current value *_SL and _SR are +rather "side" channels, not "surround". I guess I took those +mistakenly when I read the spec mentioning "surround left". + +This patch corrects those entries to be the right channels. + +Suggested-by: Sylvain BERTRAND +Closes: https://lore.kernel.orgZ/qIyJD8lhd8hFhlC@freedom +Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") +Cc: +Link: https://patch.msgid.link/20240731142018.24750-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -244,8 +244,8 @@ static struct snd_pcm_chmap_elem *conver + SNDRV_CHMAP_FR, /* right front */ + SNDRV_CHMAP_FC, /* center front */ + SNDRV_CHMAP_LFE, /* LFE */ +- SNDRV_CHMAP_SL, /* left surround */ +- SNDRV_CHMAP_SR, /* right surround */ ++ SNDRV_CHMAP_RL, /* left surround */ ++ SNDRV_CHMAP_RR, /* right surround */ + SNDRV_CHMAP_FLC, /* left of center */ + SNDRV_CHMAP_FRC, /* right of center */ + SNDRV_CHMAP_RC, /* surround */ diff --git a/queue-6.1/btrfs-zoned-fix-zone_unusable-accounting-on-making-block-group-read-write-again.patch b/queue-6.1/btrfs-zoned-fix-zone_unusable-accounting-on-making-block-group-read-write-again.patch new file mode 100644 index 00000000000..6a47db81aa5 --- /dev/null +++ b/queue-6.1/btrfs-zoned-fix-zone_unusable-accounting-on-making-block-group-read-write-again.patch @@ -0,0 +1,147 @@ +From 8cd44dd1d17a23d5cc8c443c659ca57aa76e2fa5 Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Wed, 15 Feb 2023 09:18:02 +0900 +Subject: btrfs: zoned: fix zone_unusable accounting on making block group read-write again + +From: Naohiro Aota + +commit 8cd44dd1d17a23d5cc8c443c659ca57aa76e2fa5 upstream. + +When btrfs makes a block group read-only, it adds all free regions in the +block group to space_info->bytes_readonly. That free space excludes +reserved and pinned regions. OTOH, when btrfs makes the block group +read-write again, it moves all the unused regions into the block group's +zone_unusable. That unused region includes reserved and pinned regions. +As a result, it counts too much zone_unusable bytes. + +Fortunately (or unfortunately), having erroneous zone_unusable does not +affect the calculation of space_info->bytes_readonly, because free +space (num_bytes in btrfs_dec_block_group_ro) calculation is done based on +the erroneous zone_unusable and it reduces the num_bytes just to cancel the +error. + +This behavior can be easily discovered by adding a WARN_ON to check e.g, +"bg->pinned > 0" in btrfs_dec_block_group_ro(), and running fstests test +case like btrfs/282. + +Fix it by properly considering pinned and reserved in +btrfs_dec_block_group_ro(). Also, add a WARN_ON and introduce +btrfs_space_info_update_bytes_zone_unusable() to catch a similar mistake. + +Fixes: 169e0da91a21 ("btrfs: zoned: track unusable bytes for zones") +CC: stable@vger.kernel.org # 5.15+ +Signed-off-by: Naohiro Aota +Reviewed-by: Josef Bacik +Reviewed-by: Johannes Thumshirn +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 13 ++++++++----- + fs/btrfs/extent-tree.c | 3 ++- + fs/btrfs/free-space-cache.c | 4 +++- + fs/btrfs/space-info.c | 2 +- + fs/btrfs/space-info.h | 1 + + include/trace/events/btrfs.h | 8 ++++++++ + 6 files changed, 23 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -1065,8 +1065,8 @@ int btrfs_remove_block_group(struct btrf + block_group->space_info->active_total_bytes -= block_group->length; + block_group->space_info->bytes_readonly -= + (block_group->length - block_group->zone_unusable); +- block_group->space_info->bytes_zone_unusable -= +- block_group->zone_unusable; ++ btrfs_space_info_update_bytes_zone_unusable(fs_info, block_group->space_info, ++ -block_group->zone_unusable); + block_group->space_info->disk_total -= block_group->length * factor; + + spin_unlock(&block_group->space_info->lock); +@@ -1250,7 +1250,8 @@ static int inc_block_group_ro(struct btr + if (btrfs_is_zoned(cache->fs_info)) { + /* Migrate zone_unusable bytes to readonly */ + sinfo->bytes_readonly += cache->zone_unusable; +- sinfo->bytes_zone_unusable -= cache->zone_unusable; ++ btrfs_space_info_update_bytes_zone_unusable(cache->fs_info, sinfo, ++ -cache->zone_unusable); + cache->zone_unusable = 0; + } + cache->ro++; +@@ -2812,9 +2813,11 @@ void btrfs_dec_block_group_ro(struct btr + if (btrfs_is_zoned(cache->fs_info)) { + /* Migrate zone_unusable bytes back */ + cache->zone_unusable = +- (cache->alloc_offset - cache->used) + ++ (cache->alloc_offset - cache->used - cache->pinned - ++ cache->reserved) + + (cache->length - cache->zone_capacity); +- sinfo->bytes_zone_unusable += cache->zone_unusable; ++ btrfs_space_info_update_bytes_zone_unusable(cache->fs_info, sinfo, ++ cache->zone_unusable); + sinfo->bytes_readonly -= cache->zone_unusable; + } + num_bytes = cache->length - cache->reserved - +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -2731,7 +2731,8 @@ static int unpin_extent_range(struct btr + readonly = true; + } else if (btrfs_is_zoned(fs_info)) { + /* Need reset before reusing in a zoned block group */ +- space_info->bytes_zone_unusable += len; ++ btrfs_space_info_update_bytes_zone_unusable(fs_info, space_info, ++ len); + readonly = true; + } + spin_unlock(&cache->lock); +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -2702,8 +2702,10 @@ static int __btrfs_add_free_space_zoned( + * If the block group is read-only, we should account freed space into + * bytes_readonly. + */ +- if (!block_group->ro) ++ if (!block_group->ro) { + block_group->zone_unusable += to_unusable; ++ WARN_ON(block_group->zone_unusable > block_group->length); ++ } + spin_unlock(&ctl->tree_lock); + if (!used) { + spin_lock(&block_group->lock); +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -311,7 +311,7 @@ void btrfs_add_bg_to_space_info(struct b + found->bytes_used += block_group->used; + found->disk_used += block_group->used * factor; + found->bytes_readonly += block_group->bytes_super; +- found->bytes_zone_unusable += block_group->zone_unusable; ++ btrfs_space_info_update_bytes_zone_unusable(info, found, block_group->zone_unusable); + if (block_group->length > 0) + found->full = 0; + btrfs_try_granting_tickets(info, found); +--- a/fs/btrfs/space-info.h ++++ b/fs/btrfs/space-info.h +@@ -121,6 +121,7 @@ btrfs_space_info_update_##name(struct bt + + DECLARE_SPACE_INFO_UPDATE(bytes_may_use, "space_info"); + DECLARE_SPACE_INFO_UPDATE(bytes_pinned, "pinned"); ++DECLARE_SPACE_INFO_UPDATE(bytes_zone_unusable, "zone_unusable"); + + int btrfs_init_space_info(struct btrfs_fs_info *fs_info); + void btrfs_add_bg_to_space_info(struct btrfs_fs_info *info, +--- a/include/trace/events/btrfs.h ++++ b/include/trace/events/btrfs.h +@@ -2322,6 +2322,14 @@ DEFINE_EVENT(btrfs__space_info_update, u + TP_ARGS(fs_info, sinfo, old, diff) + ); + ++DEFINE_EVENT(btrfs__space_info_update, update_bytes_zone_unusable, ++ ++ TP_PROTO(const struct btrfs_fs_info *fs_info, ++ const struct btrfs_space_info *sinfo, u64 old, s64 diff), ++ ++ TP_ARGS(fs_info, sinfo, old, diff) ++); ++ + DECLARE_EVENT_CLASS(btrfs_raid56_bio, + + TP_PROTO(const struct btrfs_raid_bio *rbio, diff --git a/queue-6.1/drm-i915-fix-possible-int-overflow-in-skl_ddi_calculate_wrpll.patch b/queue-6.1/drm-i915-fix-possible-int-overflow-in-skl_ddi_calculate_wrpll.patch new file mode 100644 index 00000000000..d1825378443 --- /dev/null +++ b/queue-6.1/drm-i915-fix-possible-int-overflow-in-skl_ddi_calculate_wrpll.patch @@ -0,0 +1,65 @@ +From 5b511572660190db1dc8ba412efd0be0d3781ab6 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Mon, 29 Jul 2024 10:40:35 -0700 +Subject: drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll() + +From: Nikita Zhandarovich + +commit 5b511572660190db1dc8ba412efd0be0d3781ab6 upstream. + +On the off chance that clock value ends up being too high (by means +of skl_ddi_calculate_wrpll() having been called with big enough +value of crtc_state->port_clock * 1000), one possible consequence +may be that the result will not be able to fit into signed int. + +Fix this issue by moving conversion of clock parameter from kHz to Hz +into the body of skl_ddi_calculate_wrpll(), as well as casting the +same parameter to u64 type while calculating the value for AFE clock. +This both mitigates the overflow problem and avoids possible erroneous +integer promotion mishaps. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 82d354370189 ("drm/i915/skl: Implementation of SKL DPLL programming") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Jani Nikula +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20240729174035.25727-1-n.zhandarovich@fintech.ru +(cherry picked from commit 833cf12846aa19adf9b76bc79c40747726f3c0c1) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dpll_mgr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_dpll_mgr.c ++++ b/drivers/gpu/drm/i915/display/intel_dpll_mgr.c +@@ -1552,7 +1552,7 @@ static void skl_wrpll_params_populate(st + } + + static int +-skl_ddi_calculate_wrpll(int clock /* in Hz */, ++skl_ddi_calculate_wrpll(int clock, + int ref_clock, + struct skl_wrpll_params *wrpll_params) + { +@@ -1577,7 +1577,7 @@ skl_ddi_calculate_wrpll(int clock /* in + }; + unsigned int dco, d, i; + unsigned int p0, p1, p2; +- u64 afe_clock = clock * 5; /* AFE Clock is 5x Pixel clock */ ++ u64 afe_clock = (u64)clock * 1000 * 5; /* AFE Clock is 5x Pixel clock, in Hz */ + + for (d = 0; d < ARRAY_SIZE(dividers); d++) { + for (dco = 0; dco < ARRAY_SIZE(dco_central_freq); dco++) { +@@ -1709,7 +1709,7 @@ static int skl_ddi_hdmi_pll_dividers(str + + ctrl1 |= DPLL_CTRL1_HDMI_MODE(0); + +- ret = skl_ddi_calculate_wrpll(crtc_state->port_clock * 1000, ++ ret = skl_ddi_calculate_wrpll(crtc_state->port_clock, + i915->display.dpll.ref_clks.nssc, &wrpll_params); + if (ret) + return ret; diff --git a/queue-6.1/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch b/queue-6.1/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch new file mode 100644 index 00000000000..2be9d2501e7 --- /dev/null +++ b/queue-6.1/drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch @@ -0,0 +1,104 @@ +From e58337100721f3cc0c7424a18730e4f39844934f Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Mon, 22 Jul 2024 14:41:13 -0400 +Subject: drm/vmwgfx: Fix a deadlock in dma buf fence polling + +From: Zack Rusin + +commit e58337100721f3cc0c7424a18730e4f39844934f upstream. + +Introduce a version of the fence ops that on release doesn't remove +the fence from the pending list, and thus doesn't require a lock to +fix poll->fence wait->fence unref deadlocks. + +vmwgfx overwrites the wait callback to iterate over the list of all +fences and update their status, to do that it holds a lock to prevent +the list modifcations from other threads. The fence destroy callback +both deletes the fence and removes it from the list of pending +fences, for which it holds a lock. + +dma buf polling cb unrefs a fence after it's been signaled: so the poll +calls the wait, which signals the fences, which are being destroyed. +The destruction tries to acquire the lock on the pending fences list +which it can never get because it's held by the wait from which it +was called. + +Old bug, but not a lot of userspace apps were using dma-buf polling +interfaces. Fix those, in particular this fixes KDE stalls/deadlock. + +Signed-off-by: Zack Rusin +Fixes: 2298e804e96e ("drm/vmwgfx: rework to new fence interface, v2") +Cc: Broadcom internal kernel review list +Cc: dri-devel@lists.freedesktop.org +Cc: # v6.2+ +Reviewed-by: Maaz Mombasawala +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20240722184313.181318-2-zack.rusin@broadcom.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +@@ -32,7 +32,6 @@ + #define VMW_FENCE_WRAP (1 << 31) + + struct vmw_fence_manager { +- int num_fence_objects; + struct vmw_private *dev_priv; + spinlock_t lock; + struct list_head fence_list; +@@ -124,13 +123,13 @@ static void vmw_fence_obj_destroy(struct + { + struct vmw_fence_obj *fence = + container_of(f, struct vmw_fence_obj, base); +- + struct vmw_fence_manager *fman = fman_from_fence(fence); + +- spin_lock(&fman->lock); +- list_del_init(&fence->head); +- --fman->num_fence_objects; +- spin_unlock(&fman->lock); ++ if (!list_empty(&fence->head)) { ++ spin_lock(&fman->lock); ++ list_del_init(&fence->head); ++ spin_unlock(&fman->lock); ++ } + fence->destroy(fence); + } + +@@ -257,7 +256,6 @@ static const struct dma_fence_ops vmw_fe + .release = vmw_fence_obj_destroy, + }; + +- + /* + * Execute signal actions on fences recently signaled. + * This is done from a workqueue so we don't have to execute +@@ -355,7 +353,6 @@ static int vmw_fence_obj_init(struct vmw + goto out_unlock; + } + list_add_tail(&fence->head, &fman->fence_list); +- ++fman->num_fence_objects; + + out_unlock: + spin_unlock(&fman->lock); +@@ -403,7 +400,7 @@ static bool vmw_fence_goal_new_locked(st + u32 passed_seqno) + { + u32 goal_seqno; +- struct vmw_fence_obj *fence; ++ struct vmw_fence_obj *fence, *next_fence; + + if (likely(!fman->seqno_valid)) + return false; +@@ -413,7 +410,7 @@ static bool vmw_fence_goal_new_locked(st + return false; + + fman->seqno_valid = false; +- list_for_each_entry(fence, &fman->fence_list, head) { ++ list_for_each_entry_safe(fence, next_fence, &fman->fence_list, head) { + if (!list_empty(&fence->seq_passed_actions)) { + fman->seqno_valid = true; + vmw_fence_goal_write(fman->dev_priv, diff --git a/queue-6.1/hid-wacom-modify-pen-ids.patch b/queue-6.1/hid-wacom-modify-pen-ids.patch new file mode 100644 index 00000000000..fc5844d7d88 --- /dev/null +++ b/queue-6.1/hid-wacom-modify-pen-ids.patch @@ -0,0 +1,43 @@ +From f0d17d696dfce77c9abc830e4ac2d677890a2dad Mon Sep 17 00:00:00 2001 +From: Tatsunosuke Tobita +Date: Tue, 9 Jul 2024 14:57:28 +0900 +Subject: HID: wacom: Modify pen IDs + +From: Tatsunosuke Tobita + +commit f0d17d696dfce77c9abc830e4ac2d677890a2dad upstream. + +The pen ID, 0x80842, was not the correct ID for wacom driver to +treat. The ID was corrected to 0x8842. +Also, 0x4200 was not the expected ID used on any Wacom device. +Therefore, 0x4200 was removed. + +Signed-off-by: Tatsunosuke Tobita +Signed-off-by: Tatsunosuke Tobita +Fixes: bfdc750c4cb2 ("HID: wacom: add three styli to wacom_intuos_get_tool_type") +Cc: stable@kernel.org #6.2 +Reviewed-by: Ping Cheng +Link: https://patch.msgid.link/20240709055729.17158-1-tatsunosuke.wacom@gmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -709,13 +709,12 @@ static int wacom_intuos_get_tool_type(in + case 0x8e2: /* IntuosHT2 pen */ + case 0x022: + case 0x200: /* Pro Pen 3 */ +- case 0x04200: /* Pro Pen 3 */ + case 0x10842: /* MobileStudio Pro Pro Pen slim */ + case 0x14802: /* Intuos4/5 13HD/24HD Classic Pen */ + case 0x16802: /* Cintiq 13HD Pro Pen */ + case 0x18802: /* DTH2242 Pen */ + case 0x10802: /* Intuos4/5 13HD/24HD General Pen */ +- case 0x80842: /* Intuos Pro and Cintiq Pro 3D Pen */ ++ case 0x8842: /* Intuos Pro and Cintiq Pro 3D Pen */ + tool_type = BTN_TOOL_PEN; + break; + diff --git a/queue-6.1/mptcp-distinguish-rcv-vs-sent-backup-flag-in-requests.patch b/queue-6.1/mptcp-distinguish-rcv-vs-sent-backup-flag-in-requests.patch new file mode 100644 index 00000000000..6c6d09752c4 --- /dev/null +++ b/queue-6.1/mptcp-distinguish-rcv-vs-sent-backup-flag-in-requests.patch @@ -0,0 +1,62 @@ +From efd340bf3d7779a3a8ec954d8ec0fb8a10f24982 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Sat, 27 Jul 2024 12:01:24 +0200 +Subject: mptcp: distinguish rcv vs sent backup flag in requests + +From: Matthieu Baerts (NGI0) + +commit efd340bf3d7779a3a8ec954d8ec0fb8a10f24982 upstream. + +When sending an MP_JOIN + SYN + ACK, it is possible to mark the subflow +as 'backup' by setting the flag with the same name. Before this patch, +the backup was set if the other peer set it in its MP_JOIN + SYN +request. + +It is not correct: the backup flag should be set in the MPJ+SYN+ACK only +if the host asks for it, and not mirroring what was done by the other +peer. It is then required to have a dedicated bit for each direction, +similar to what is done in the subflow context. + +Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 2 +- + net/mptcp/protocol.h | 1 + + net/mptcp/subflow.c | 1 + + 3 files changed, 3 insertions(+), 1 deletion(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -904,7 +904,7 @@ bool mptcp_synack_options(const struct r + return true; + } else if (subflow_req->mp_join) { + opts->suboptions = OPTION_MPTCP_MPJ_SYNACK; +- opts->backup = subflow_req->backup; ++ opts->backup = subflow_req->request_bkup; + opts->join_id = subflow_req->local_id; + opts->thmac = subflow_req->thmac; + opts->nonce = subflow_req->local_nonce; +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -400,6 +400,7 @@ struct mptcp_subflow_request_sock { + u16 mp_capable : 1, + mp_join : 1, + backup : 1, ++ request_bkup : 1, + csum_reqd : 1, + allow_join_id0 : 1; + u8 local_id; +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1876,6 +1876,7 @@ static void subflow_ulp_clone(const stru + new_ctx->mp_join = 1; + new_ctx->fully_established = 1; + new_ctx->backup = subflow_req->backup; ++ new_ctx->request_bkup = subflow_req->request_bkup; + WRITE_ONCE(new_ctx->remote_id, subflow_req->remote_id); + new_ctx->token = subflow_req->token; + new_ctx->thmac = subflow_req->thmac; diff --git a/queue-6.1/mptcp-fix-bad-rcvpruned-mib-accounting.patch b/queue-6.1/mptcp-fix-bad-rcvpruned-mib-accounting.patch new file mode 100644 index 00000000000..8f3ddd03cbf --- /dev/null +++ b/queue-6.1/mptcp-fix-bad-rcvpruned-mib-accounting.patch @@ -0,0 +1,53 @@ +From 0a567c2a10033bf04ed618368d179bce6977984b Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 31 Jul 2024 12:10:14 +0200 +Subject: mptcp: fix bad RCVPRUNED mib accounting + +From: Paolo Abeni + +commit 0a567c2a10033bf04ed618368d179bce6977984b upstream. + +Since its introduction, the mentioned MIB accounted for the wrong +event: wake-up being skipped as not-needed on some edge condition +instead of incoming skb being dropped after landing in the (subflow) +receive queue. + +Move the increment in the correct location. + +Fixes: ce599c516386 ("mptcp: properly account bulk freed memory") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -363,8 +363,10 @@ static bool __mptcp_move_skb(struct mptc + skb_orphan(skb); + + /* try to fetch required memory from subflow */ +- if (!mptcp_rmem_schedule(sk, ssk, skb->truesize)) ++ if (!mptcp_rmem_schedule(sk, ssk, skb->truesize)) { ++ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_RCVPRUNED); + goto drop; ++ } + + has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp; + +@@ -851,10 +853,8 @@ void mptcp_data_ready(struct sock *sk, s + sk_rbuf = ssk_rbuf; + + /* over limit? can't append more skbs to msk, Also, no need to wake-up*/ +- if (__mptcp_rmem(sk) > sk_rbuf) { +- MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_RCVPRUNED); ++ if (__mptcp_rmem(sk) > sk_rbuf) + return; +- } + + /* Wake-up the reader only for in-sequence data */ + mptcp_data_lock(sk); diff --git a/queue-6.1/mptcp-fix-duplicate-data-handling.patch b/queue-6.1/mptcp-fix-duplicate-data-handling.patch new file mode 100644 index 00000000000..b0cd74c043d --- /dev/null +++ b/queue-6.1/mptcp-fix-duplicate-data-handling.patch @@ -0,0 +1,62 @@ +From 68cc924729ffcfe90d0383177192030a9aeb2ee4 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Wed, 31 Jul 2024 12:10:15 +0200 +Subject: mptcp: fix duplicate data handling + +From: Paolo Abeni + +commit 68cc924729ffcfe90d0383177192030a9aeb2ee4 upstream. + +When a subflow receives and discards duplicate data, the mptcp +stack assumes that the consumed offset inside the current skb is +zero. + +With multiple subflows receiving data simultaneously such assertion +does not held true. As a result the subflow-level copied_seq will +be incorrectly increased and later on the same subflow will observe +a bad mapping, leading to subflow reset. + +Address the issue taking into account the skb consumed offset in +mptcp_subflow_discard_data(). + +Fixes: 04e4cd4f7ca4 ("mptcp: cleanup mptcp_subflow_discard_data()") +Cc: stable@vger.kernel.org +Link: https://github.com/multipath-tcp/mptcp_net-next/issues/501 +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1103,14 +1103,22 @@ static void mptcp_subflow_discard_data(s + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); + bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN; +- u32 incr; ++ struct tcp_sock *tp = tcp_sk(ssk); ++ u32 offset, incr, avail_len; + +- incr = limit >= skb->len ? skb->len + fin : limit; ++ offset = tp->copied_seq - TCP_SKB_CB(skb)->seq; ++ if (WARN_ON_ONCE(offset > skb->len)) ++ goto out; + +- pr_debug("discarding=%d len=%d seq=%d", incr, skb->len, +- subflow->map_subflow_seq); ++ avail_len = skb->len - offset; ++ incr = limit >= avail_len ? avail_len + fin : limit; ++ ++ pr_debug("discarding=%d len=%d offset=%d seq=%d", incr, skb->len, ++ offset, subflow->map_subflow_seq); + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DUPDATA); + tcp_sk(ssk)->copied_seq += incr; ++ ++out: + if (!before(tcp_sk(ssk)->copied_seq, TCP_SKB_CB(skb)->end_seq)) + sk_eat_skb(ssk, skb); + if (mptcp_subflow_get_map_offset(subflow) >= subflow->map_data_len) diff --git a/queue-6.1/mptcp-fix-nl-pm-announced-address-accounting.patch b/queue-6.1/mptcp-fix-nl-pm-announced-address-accounting.patch new file mode 100644 index 00000000000..3fdf06b02b2 --- /dev/null +++ b/queue-6.1/mptcp-fix-nl-pm-announced-address-accounting.patch @@ -0,0 +1,62 @@ +From 4b317e0eb287bd30a1b329513531157c25e8b692 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Sat, 27 Jul 2024 11:04:00 +0200 +Subject: mptcp: fix NL PM announced address accounting + +From: Paolo Abeni + +commit 4b317e0eb287bd30a1b329513531157c25e8b692 upstream. + +Currently the per connection announced address counter is never +decreased. As a consequence, after connection establishment, if +the NL PM deletes an endpoint and adds a new/different one, no +additional subflow is created for the new endpoint even if the +current limits allow that. + +Address the issue properly updating the signaled address counter +every time the NL PM removes such addresses. + +Fixes: 01cacb00b35c ("mptcp: add netlink-based PM") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1445,6 +1445,7 @@ static bool mptcp_pm_remove_anno_addr(st + ret = remove_anno_list_by_saddr(msk, addr); + if (ret || force) { + spin_lock_bh(&msk->pm.lock); ++ msk->pm.add_addr_signaled -= ret; + mptcp_pm_remove_addr(msk, &list); + spin_unlock_bh(&msk->pm.lock); + } +@@ -1609,17 +1610,18 @@ void mptcp_pm_remove_addrs_and_subflows( + struct mptcp_pm_addr_entry *entry; + + list_for_each_entry(entry, rm_list, list) { +- if (lookup_subflow_by_saddr(&msk->conn_list, &entry->addr) && +- slist.nr < MPTCP_RM_IDS_MAX) ++ if (slist.nr < MPTCP_RM_IDS_MAX && ++ lookup_subflow_by_saddr(&msk->conn_list, &entry->addr)) + slist.ids[slist.nr++] = entry->addr.id; + +- if (remove_anno_list_by_saddr(msk, &entry->addr) && +- alist.nr < MPTCP_RM_IDS_MAX) ++ if (alist.nr < MPTCP_RM_IDS_MAX && ++ remove_anno_list_by_saddr(msk, &entry->addr)) + alist.ids[alist.nr++] = entry->addr.id; + } + + if (alist.nr) { + spin_lock_bh(&msk->pm.lock); ++ msk->pm.add_addr_signaled -= alist.nr; + mptcp_pm_remove_addr(msk, &alist); + spin_unlock_bh(&msk->pm.lock); + } diff --git a/queue-6.1/mptcp-fix-user-space-pm-announced-address-accounting.patch b/queue-6.1/mptcp-fix-user-space-pm-announced-address-accounting.patch new file mode 100644 index 00000000000..9152f62428b --- /dev/null +++ b/queue-6.1/mptcp-fix-user-space-pm-announced-address-accounting.patch @@ -0,0 +1,59 @@ +From 167b93258d1e2230ee3e8a97669b4db4cc9e90aa Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Sat, 27 Jul 2024 11:03:59 +0200 +Subject: mptcp: fix user-space PM announced address accounting + +From: Paolo Abeni + +commit 167b93258d1e2230ee3e8a97669b4db4cc9e90aa upstream. + +Currently the per-connection announced address counter is never +decreased. When the user-space PM is in use, this just affect +the information exposed via diag/sockopt, but it could still foul +the PM to wrong decision. + +Add the missing accounting for the user-space PM's sake. + +Fixes: 8b1c94da1e48 ("mptcp: only send RM_ADDR in nl_cmd_remove") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1578,16 +1578,25 @@ void mptcp_pm_remove_addrs(struct mptcp_ + { + struct mptcp_rm_list alist = { .nr = 0 }; + struct mptcp_pm_addr_entry *entry; ++ int anno_nr = 0; + + list_for_each_entry(entry, rm_list, list) { +- if ((remove_anno_list_by_saddr(msk, &entry->addr) || +- lookup_subflow_by_saddr(&msk->conn_list, &entry->addr)) && +- alist.nr < MPTCP_RM_IDS_MAX) +- alist.ids[alist.nr++] = entry->addr.id; ++ if (alist.nr >= MPTCP_RM_IDS_MAX) ++ break; ++ ++ /* only delete if either announced or matching a subflow */ ++ if (remove_anno_list_by_saddr(msk, &entry->addr)) ++ anno_nr++; ++ else if (!lookup_subflow_by_saddr(&msk->conn_list, ++ &entry->addr)) ++ continue; ++ ++ alist.ids[alist.nr++] = entry->addr.id; + } + + if (alist.nr) { + spin_lock_bh(&msk->pm.lock); ++ msk->pm.add_addr_signaled -= anno_nr; + mptcp_pm_remove_addr(msk, &alist); + spin_unlock_bh(&msk->pm.lock); + } diff --git a/queue-6.1/mptcp-pm-only-set-request_bkup-flag-when-sending-mp_prio.patch b/queue-6.1/mptcp-pm-only-set-request_bkup-flag-when-sending-mp_prio.patch new file mode 100644 index 00000000000..81473120d9c --- /dev/null +++ b/queue-6.1/mptcp-pm-only-set-request_bkup-flag-when-sending-mp_prio.patch @@ -0,0 +1,33 @@ +From 4258b94831bb7ff28ab80e3c8d94db37db930728 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Sat, 27 Jul 2024 12:01:25 +0200 +Subject: mptcp: pm: only set request_bkup flag when sending MP_PRIO + +From: Matthieu Baerts (NGI0) + +commit 4258b94831bb7ff28ab80e3c8d94db37db930728 upstream. + +The 'backup' flag from mptcp_subflow_context structure is supposed to be +set only when the other peer flagged a subflow as backup, not the +opposite. + +Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -481,7 +481,6 @@ static void __mptcp_pm_send_ack(struct m + msk->last_snd = NULL; + + subflow->send_mp_prio = 1; +- subflow->backup = backup; + subflow->request_bkup = backup; + } + diff --git a/queue-6.1/mptcp-sched-check-both-directions-for-backup.patch b/queue-6.1/mptcp-sched-check-both-directions-for-backup.patch new file mode 100644 index 00000000000..bf7cf0fac54 --- /dev/null +++ b/queue-6.1/mptcp-sched-check-both-directions-for-backup.patch @@ -0,0 +1,80 @@ +From b6a66e521a2032f7fcba2af5a9bcbaeaa19b7ca3 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Sat, 27 Jul 2024 12:01:23 +0200 +Subject: mptcp: sched: check both directions for backup + +From: Matthieu Baerts (NGI0) + +commit b6a66e521a2032f7fcba2af5a9bcbaeaa19b7ca3 upstream. + +The 'mptcp_subflow_context' structure has two items related to the +backup flags: + + - 'backup': the subflow has been marked as backup by the other peer + + - 'request_bkup': the backup flag has been set by the host + +Before this patch, the scheduler was only looking at the 'backup' flag. +That can make sense in some cases, but it looks like that's not what we +wanted for the general use, because either the path-manager was setting +both of them when sending an MP_PRIO, or the receiver was duplicating +the 'backup' flag in the subflow request. + +Note that the use of these two flags in the path-manager are going to be +fixed in the next commits, but this change here is needed not to modify +the behaviour. + +Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/mptcp.h | 2 +- + net/mptcp/protocol.c | 10 ++++++---- + 2 files changed, 7 insertions(+), 5 deletions(-) + +--- a/include/trace/events/mptcp.h ++++ b/include/trace/events/mptcp.h +@@ -34,7 +34,7 @@ TRACE_EVENT(mptcp_subflow_get_send, + struct sock *ssk; + + __entry->active = mptcp_subflow_active(subflow); +- __entry->backup = subflow->backup; ++ __entry->backup = subflow->backup || subflow->request_bkup; + + if (subflow->tcp_sock && sk_fullsock(subflow->tcp_sock)) + __entry->free = sk_stream_memory_free(subflow->tcp_sock); +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1491,13 +1491,15 @@ static struct sock *mptcp_subflow_get_se + } + + mptcp_for_each_subflow(msk, subflow) { ++ bool backup = subflow->backup || subflow->request_bkup; ++ + trace_mptcp_subflow_get_send(subflow); + ssk = mptcp_subflow_tcp_sock(subflow); + if (!mptcp_subflow_active(subflow)) + continue; + + tout = max(tout, mptcp_timeout_from_subflow(subflow)); +- nr_active += !subflow->backup; ++ nr_active += !backup; + pace = subflow->avg_pacing_rate; + if (unlikely(!pace)) { + /* init pacing rate from socket */ +@@ -1508,9 +1510,9 @@ static struct sock *mptcp_subflow_get_se + } + + linger_time = div_u64((u64)READ_ONCE(ssk->sk_wmem_queued) << 32, pace); +- if (linger_time < send_info[subflow->backup].linger_time) { +- send_info[subflow->backup].ssk = ssk; +- send_info[subflow->backup].linger_time = linger_time; ++ if (linger_time < send_info[backup].linger_time) { ++ send_info[backup].ssk = ssk; ++ send_info[backup].linger_time = linger_time; + } + } + __mptcp_set_timeout(sk, tout); diff --git a/queue-6.1/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch b/queue-6.1/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch new file mode 100644 index 00000000000..65bb4c8ecc0 --- /dev/null +++ b/queue-6.1/net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch @@ -0,0 +1,60 @@ +From 08f3a5c38087d1569e982a121aad1e6acbf145ce Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 25 Jul 2024 10:29:42 +0800 +Subject: net: usb: sr9700: fix uninitialized variable use in sr_mdio_read + +From: Ma Ke + +commit 08f3a5c38087d1569e982a121aad1e6acbf145ce upstream. + +It could lead to error happen because the variable res is not updated if +the call to sr_share_read_word returns an error. In this particular case +error code was returned and res stayed uninitialized. Same issue also +applies to sr_read_reg. + +This can be avoided by checking the return value of sr_share_read_word +and sr_read_reg, and propagating the error if the read operation failed. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") +Signed-off-by: Ma Ke +Reviewed-by: Shigeru Yoshida +Reviewed-by: Hariprasad Kelam +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/sr9700.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -179,6 +179,7 @@ static int sr_mdio_read(struct net_devic + struct usbnet *dev = netdev_priv(netdev); + __le16 res; + int rc = 0; ++ int err; + + if (phy_id) { + netdev_dbg(netdev, "Only internal phy supported\n"); +@@ -189,11 +190,17 @@ static int sr_mdio_read(struct net_devic + if (loc == MII_BMSR) { + u8 value; + +- sr_read_reg(dev, SR_NSR, &value); ++ err = sr_read_reg(dev, SR_NSR, &value); ++ if (err < 0) ++ return err; ++ + if (value & NSR_LINKST) + rc = 1; + } +- sr_share_read_word(dev, 1, loc, &res); ++ err = sr_share_read_word(dev, 1, loc, &res); ++ if (err < 0) ++ return err; ++ + if (rc == 1) + res = le16_to_cpu(res) | BMSR_LSTATUS; + else diff --git a/queue-6.1/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch b/queue-6.1/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch new file mode 100644 index 00000000000..53135f1da62 --- /dev/null +++ b/queue-6.1/platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch @@ -0,0 +1,42 @@ +From df615907f1bf907260af01ccb904d0e9304b5278 Mon Sep 17 00:00:00 2001 +From: Patryk Duda +Date: Tue, 30 Jul 2024 10:44:25 +0000 +Subject: platform/chrome: cros_ec_proto: Lock device when updating MKBP version + +From: Patryk Duda + +commit df615907f1bf907260af01ccb904d0e9304b5278 upstream. + +The cros_ec_get_host_command_version_mask() function requires that the +caller must have ec_dev->lock mutex before calling it. This requirement +was not met and as a result it was possible that two commands were sent +to the device at the same time. + +The problem was observed while using UART backend which doesn't use any +additional locks, unlike SPI backend which locks the controller until +response is received. + +Fixes: f74c7557ed0d ("platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure") +Cc: stable@vger.kernel.org +Signed-off-by: Patryk Duda +Link: https://lore.kernel.org/r/20240730104425.607083-1-patrykd@google.com +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec_proto.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/platform/chrome/cros_ec_proto.c ++++ b/drivers/platform/chrome/cros_ec_proto.c +@@ -805,9 +805,11 @@ int cros_ec_get_next_event(struct cros_e + if (ret == -ENOPROTOOPT) { + dev_dbg(ec_dev->dev, + "GET_NEXT_EVENT returned invalid version error.\n"); ++ mutex_lock(&ec_dev->lock); + ret = cros_ec_get_host_command_version_mask(ec_dev, + EC_CMD_GET_NEXT_EVENT, + &ver_mask); ++ mutex_unlock(&ec_dev->lock); + if (ret < 0 || ver_mask == 0) + /* + * Do not change the MKBP supported version if we can't diff --git a/queue-6.1/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch b/queue-6.1/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch new file mode 100644 index 00000000000..210960fdd2f --- /dev/null +++ b/queue-6.1/protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch @@ -0,0 +1,34 @@ +From 8aa37bde1a7b645816cda8b80df4753ecf172bf1 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 1 Aug 2024 15:22:22 -0400 +Subject: protect the fetch of ->fd[fd] in do_dup2() from mispredictions + +From: Al Viro + +commit 8aa37bde1a7b645816cda8b80df4753ecf172bf1 upstream. + +both callers have verified that fd is not greater than ->max_fds; +however, misprediction might end up with + tofree = fdt->fd[fd]; +being speculatively executed. That's wrong for the same reasons +why it's wrong in close_fd()/file_close_fd_locked(); the same +solution applies - array_index_nospec(fd, fdt->max_fds) could differ +from fd only in case of speculative execution on mispredicted path. + +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -1122,6 +1122,7 @@ __releases(&files->file_lock) + * tables and this condition does not arise without those. + */ + fdt = files_fdtable(files); ++ fd = array_index_nospec(fd, fdt->max_fds); + tofree = fdt->fd[fd]; + if (!tofree && fd_is_open(fd, fdt)) + goto Ebusy; diff --git a/queue-6.1/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch b/queue-6.1/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch new file mode 100644 index 00000000000..8d69b85f4ed --- /dev/null +++ b/queue-6.1/r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch @@ -0,0 +1,48 @@ +From d516b187a9cc2e842030dd005be2735db3e8f395 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Tue, 30 Jul 2024 21:51:52 +0200 +Subject: r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY + +From: Heiner Kallweit + +commit d516b187a9cc2e842030dd005be2735db3e8f395 upstream. + +The skb isn't consumed in case of NETDEV_TX_BUSY, therefore don't +increment the tx_dropped counter. + +Fixes: 188f4af04618 ("r8169: use NETDEV_TX_{BUSY/OK}") +Cc: stable@vger.kernel.org +Suggested-by: Jakub Kicinski +Signed-off-by: Heiner Kallweit +Reviewed-by: Wojciech Drewek +Link: https://patch.msgid.link/bbba9c48-8bac-4932-9aa1-d2ed63bc9433@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/realtek/r8169_main.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -4273,7 +4273,8 @@ static netdev_tx_t rtl8169_start_xmit(st + if (unlikely(!rtl_tx_slots_avail(tp))) { + if (net_ratelimit()) + netdev_err(dev, "BUG! Tx Ring full when queue awake!\n"); +- goto err_stop_0; ++ netif_stop_queue(dev); ++ return NETDEV_TX_BUSY; + } + + opts[1] = rtl8169_tx_vlan_tag(skb); +@@ -4346,11 +4347,6 @@ err_dma_0: + dev_kfree_skb_any(skb); + dev->stats.tx_dropped++; + return NETDEV_TX_OK; +- +-err_stop_0: +- netif_stop_queue(dev); +- dev->stats.tx_dropped++; +- return NETDEV_TX_BUSY; + } + + static unsigned int rtl_last_frag_len(struct sk_buff *skb) diff --git a/queue-6.1/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch b/queue-6.1/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch new file mode 100644 index 00000000000..1966f95be3d --- /dev/null +++ b/queue-6.1/revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch @@ -0,0 +1,89 @@ +From 6ccf9984d6be3c2f804087b736db05c2ec42664b Mon Sep 17 00:00:00 2001 +From: Edmund Raile +Date: Tue, 30 Jul 2024 19:53:26 +0000 +Subject: Revert "ALSA: firewire-lib: obsolete workqueue for period update" + +From: Edmund Raile + +commit 6ccf9984d6be3c2f804087b736db05c2ec42664b upstream. + +prepare resolution of AB/BA deadlock competition for substream lock: +restore workqueue previously used for process context: + +revert commit b5b519965c4c ("ALSA: firewire-lib: obsolete workqueue +for period update") + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/kwryofzdmjvzkuw6j3clftsxmoolynljztxqwg76hzeo4simnl@jn3eo7pe642q/ +Signed-off-by: Edmund Raile +Reviewed-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20240730195318.869840-2-edmund.raile@protonmail.com +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/amdtp-stream.c | 15 +++++++++++++++ + sound/firewire/amdtp-stream.h | 1 + + 2 files changed, 16 insertions(+) + +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -77,6 +77,8 @@ + // overrun. Actual device can skip more, then this module stops the packet streaming. + #define IR_JUMBO_PAYLOAD_MAX_SKIP_CYCLES 5 + ++static void pcm_period_work(struct work_struct *work); ++ + /** + * amdtp_stream_init - initialize an AMDTP stream structure + * @s: the AMDTP stream to initialize +@@ -105,6 +107,7 @@ int amdtp_stream_init(struct amdtp_strea + s->flags = flags; + s->context = ERR_PTR(-1); + mutex_init(&s->mutex); ++ INIT_WORK(&s->period_work, pcm_period_work); + s->packet_index = 0; + + init_waitqueue_head(&s->ready_wait); +@@ -343,6 +346,7 @@ EXPORT_SYMBOL(amdtp_stream_get_max_paylo + */ + void amdtp_stream_pcm_prepare(struct amdtp_stream *s) + { ++ cancel_work_sync(&s->period_work); + s->pcm_buffer_pointer = 0; + s->pcm_period_pointer = 0; + } +@@ -622,6 +626,16 @@ static void update_pcm_pointers(struct a + } + } + ++static void pcm_period_work(struct work_struct *work) ++{ ++ struct amdtp_stream *s = container_of(work, struct amdtp_stream, ++ period_work); ++ struct snd_pcm_substream *pcm = READ_ONCE(s->pcm); ++ ++ if (pcm) ++ snd_pcm_period_elapsed(pcm); ++} ++ + static int queue_packet(struct amdtp_stream *s, struct fw_iso_packet *params, + bool sched_irq) + { +@@ -1798,6 +1812,7 @@ static void amdtp_stream_stop(struct amd + return; + } + ++ cancel_work_sync(&s->period_work); + fw_iso_context_stop(s->context); + fw_iso_context_destroy(s->context); + s->context = ERR_PTR(-1); +--- a/sound/firewire/amdtp-stream.h ++++ b/sound/firewire/amdtp-stream.h +@@ -190,6 +190,7 @@ struct amdtp_stream { + + /* For a PCM substream processing. */ + struct snd_pcm_substream *pcm; ++ struct work_struct period_work; + snd_pcm_uframes_t pcm_buffer_pointer; + unsigned int pcm_period_pointer; + diff --git a/queue-6.1/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch b/queue-6.1/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch new file mode 100644 index 00000000000..a5663a858cb --- /dev/null +++ b/queue-6.1/revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch @@ -0,0 +1,118 @@ +From 3dab73ab925a51ab05543b491bf17463a48ca323 Mon Sep 17 00:00:00 2001 +From: Edmund Raile +Date: Tue, 30 Jul 2024 19:53:29 +0000 +Subject: Revert "ALSA: firewire-lib: operate for period elapse event in process context" + +From: Edmund Raile + +commit 3dab73ab925a51ab05543b491bf17463a48ca323 upstream. + +Commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event +in process context") removed the process context workqueue from +amdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove +its overhead. + +With RME Fireface 800, this lead to a regression since +Kernels 5.14.0, causing an AB/BA deadlock competition for the +substream lock with eventual system freeze under ALSA operation: + +thread 0: + * (lock A) acquire substream lock by + snd_pcm_stream_lock_irq() in + snd_pcm_status64() + * (lock B) wait for tasklet to finish by calling + tasklet_unlock_spin_wait() in + tasklet_disable_in_atomic() in + ohci_flush_iso_completions() of ohci.c + +thread 1: + * (lock B) enter tasklet + * (lock A) attempt to acquire substream lock, + waiting for it to be released: + snd_pcm_stream_lock_irqsave() in + snd_pcm_period_elapsed() in + update_pcm_pointers() in + process_ctx_payloads() in + process_rx_packets() of amdtp-stream.c + +? tasklet_unlock_spin_wait + + +ohci_flush_iso_completions firewire_ohci +amdtp_domain_stream_pcm_pointer snd_firewire_lib +snd_pcm_update_hw_ptr0 snd_pcm +snd_pcm_status64 snd_pcm + +? native_queued_spin_lock_slowpath + + +_raw_spin_lock_irqsave +snd_pcm_period_elapsed snd_pcm +process_rx_packets snd_firewire_lib +irq_target_callback snd_firewire_lib +handle_it_packet firewire_ohci +context_tasklet firewire_ohci + +Restore the process context work queue to prevent deadlock +AB/BA deadlock competition for ALSA substream lock of +snd_pcm_stream_lock_irq() in snd_pcm_status64() +and snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed(). + +revert commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period +elapse event in process context") + +Replace inline description to prevent future deadlock. + +Cc: stable@vger.kernel.org +Fixes: 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event in process context") +Reported-by: edmund.raile +Closes: https://lore.kernel.org/r/kwryofzdmjvzkuw6j3clftsxmoolynljztxqwg76hzeo4simnl@jn3eo7pe642q/ +Signed-off-by: Edmund Raile +Reviewed-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20240730195318.869840-3-edmund.raile@protonmail.com +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/amdtp-stream.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -613,16 +613,8 @@ static void update_pcm_pointers(struct a + // The program in user process should periodically check the status of intermediate + // buffer associated to PCM substream to process PCM frames in the buffer, instead + // of receiving notification of period elapsed by poll wait. +- if (!pcm->runtime->no_period_wakeup) { +- if (in_softirq()) { +- // In software IRQ context for 1394 OHCI. +- snd_pcm_period_elapsed(pcm); +- } else { +- // In process context of ALSA PCM application under acquired lock of +- // PCM substream. +- snd_pcm_period_elapsed_under_stream_lock(pcm); +- } +- } ++ if (!pcm->runtime->no_period_wakeup) ++ queue_work(system_highpri_wq, &s->period_work); + } + } + +@@ -1752,11 +1744,14 @@ unsigned long amdtp_domain_stream_pcm_po + { + struct amdtp_stream *irq_target = d->irq_target; + +- // Process isochronous packets queued till recent isochronous cycle to handle PCM frames. + if (irq_target && amdtp_stream_running(irq_target)) { +- // In software IRQ context, the call causes dead-lock to disable the tasklet +- // synchronously. +- if (!in_softirq()) ++ // use wq to prevent AB/BA deadlock competition for ++ // substream lock: ++ // fw_iso_context_flush_completions() acquires ++ // lock by ohci_flush_iso_completions(), ++ // amdtp-stream process_rx_packets() attempts to ++ // acquire same lock by snd_pcm_elapsed() ++ if (current_work() != &s->period_work) + fw_iso_context_flush_completions(irq_target->context); + } + diff --git a/queue-6.1/rust-shadow_call_stack-is-incompatible-with-rust.patch b/queue-6.1/rust-shadow_call_stack-is-incompatible-with-rust.patch new file mode 100644 index 00000000000..cb341a4134f --- /dev/null +++ b/queue-6.1/rust-shadow_call_stack-is-incompatible-with-rust.patch @@ -0,0 +1,42 @@ +From f126745da81783fb1d082e67bf14c6795e489a88 Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Mon, 29 Jul 2024 14:22:49 +0000 +Subject: rust: SHADOW_CALL_STACK is incompatible with Rust + +From: Alice Ryhl + +commit f126745da81783fb1d082e67bf14c6795e489a88 upstream. + +When using the shadow call stack sanitizer, all code must be compiled +with the -ffixed-x18 flag, but this flag is not currently being passed +to Rust. This results in crashes that are extremely difficult to debug. + +To ensure that nobody else has to go through the same debugging session +that I had to, prevent configurations that enable both SHADOW_CALL_STACK +and RUST. + +It is rather common for people to backport 724a75ac9542 ("arm64: rust: +Enable Rust support for AArch64"), so I recommend applying this fix all +the way back to 6.1. + +Cc: stable@vger.kernel.org # 6.1 and later +Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64") +Signed-off-by: Alice Ryhl +Acked-by: Miguel Ojeda +Link: https://lore.kernel.org/r/20240729-shadow-call-stack-v4-1-2a664b082ea4@google.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + init/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1924,6 +1924,7 @@ config RUST + depends on !MODVERSIONS + depends on !GCC_PLUGINS + depends on !RANDSTRUCT ++ depends on !SHADOW_CALL_STACK + depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE + help + Enables Rust support in the kernel. diff --git a/queue-6.1/selftests-mptcp-always-close-input-s-fd-if-opened.patch b/queue-6.1/selftests-mptcp-always-close-input-s-fd-if-opened.patch new file mode 100644 index 00000000000..7247d05920d --- /dev/null +++ b/queue-6.1/selftests-mptcp-always-close-input-s-fd-if-opened.patch @@ -0,0 +1,42 @@ +From 7c70bcc2a84cf925f655ea1ac4b8088062b144a3 Mon Sep 17 00:00:00 2001 +From: Liu Jing +Date: Sat, 27 Jul 2024 11:04:03 +0200 +Subject: selftests: mptcp: always close input's FD if opened + +From: Liu Jing + +commit 7c70bcc2a84cf925f655ea1ac4b8088062b144a3 upstream. + +In main_loop_s function, when the open(cfg_input, O_RDONLY) function is +run, the last fd is not closed if the "--cfg_repeat > 0" branch is not +taken. + +Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") +Cc: stable@vger.kernel.org +Signed-off-by: Liu Jing +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c +@@ -1040,11 +1040,11 @@ again: + return 1; + } + +- if (--cfg_repeat > 0) { +- if (cfg_input) +- close(fd); ++ if (cfg_input) ++ close(fd); ++ ++ if (--cfg_repeat > 0) + goto again; +- } + + return 0; + } diff --git a/queue-6.1/series b/queue-6.1/series index 4143b829f49..19b65df23ee 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -63,3 +63,24 @@ net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch ipv6-fix-ndisc_is_useropt-handling-for-pio.patch riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch arm64-jump_label-ensure-patched-jump_labels-are-visi.patch +rust-shadow_call_stack-is-incompatible-with-rust.patch +platform-chrome-cros_ec_proto-lock-device-when-updating-mkbp-version.patch +hid-wacom-modify-pen-ids.patch +btrfs-zoned-fix-zone_unusable-accounting-on-making-block-group-read-write-again.patch +protect-the-fetch-of-fd-in-do_dup2-from-mispredictions.patch +mptcp-sched-check-both-directions-for-backup.patch +alsa-usb-audio-correct-surround-channels-in-uac1-channel-map.patch +alsa-hda-realtek-add-quirk-for-acer-aspire-e5-574g.patch +revert-alsa-firewire-lib-obsolete-workqueue-for-period-update.patch +revert-alsa-firewire-lib-operate-for-period-elapse-event-in-process-context.patch +drm-vmwgfx-fix-a-deadlock-in-dma-buf-fence-polling.patch +drm-i915-fix-possible-int-overflow-in-skl_ddi_calculate_wrpll.patch +net-usb-sr9700-fix-uninitialized-variable-use-in-sr_mdio_read.patch +r8169-don-t-increment-tx_dropped-in-case-of-netdev_tx_busy.patch +mptcp-fix-user-space-pm-announced-address-accounting.patch +mptcp-distinguish-rcv-vs-sent-backup-flag-in-requests.patch +mptcp-fix-nl-pm-announced-address-accounting.patch +mptcp-fix-bad-rcvpruned-mib-accounting.patch +mptcp-pm-only-set-request_bkup-flag-when-sending-mp_prio.patch +mptcp-fix-duplicate-data-handling.patch +selftests-mptcp-always-close-input-s-fd-if-opened.patch -- 2.47.3