This is the start of the stable review cycle for the 5.4.265 release.
There are 40 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 20 Dec 2023 13:50:31 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.265-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 5.4.265-rc1
Naveen N Rao <naveen(a)kernel.org>
powerpc/ftrace: Fix stack teardown in ftrace_no_trace
Naveen N Rao <naveen(a)kernel.org>
powerpc/ftrace: Create a dummy stackframe to fix stack unwind
Adrian Hunter <adrian.hunter(a)intel.com>
mmc: block: Be sure to wait while busy in CQE error recovery
Steven Rostedt (Google) <rostedt(a)goodmis.org>
ring-buffer: Fix memory leak of free page
Florent Revest <revest(a)chromium.org>
team: Fix use-after-free when an option instance allocation fails
James Houghton <jthoughton(a)google.com>
arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
Baokun Li <libaokun1(a)huawei.com>
ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
soundwire: stream: fix NULL pointer dereference for multi_link
Mark Rutland <mark.rutland(a)arm.com>
perf: Fix perf_event_validate_size() lockdep splat
Denis Benato <benato.denis96(a)gmail.com>
HID: hid-asus: add const to read-only outgoing usb buffer
Lech Perczak <lech.perczak(a)gmail.com>
net: usb: qmi_wwan: claim interface 4 for ZTE MF290
Linus Torvalds <torvalds(a)linux-foundation.org>
asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
Aoba K <nexp_0x17(a)outlook.com>
HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
Denis Benato <benato.denis96(a)gmail.com>
HID: hid-asus: reset the backlight brightness level on resume
Oliver Neukum <oneukum(a)suse.com>
HID: add ALWAYS_POLL quirk for Apple kb
Andy Shevchenko <andriy.shevchenko(a)linux.intel.com>
platform/x86: intel_telemetry: Fix kernel doc descriptions
Coly Li <colyli(a)suse.de>
bcache: avoid NULL checking to c->root in run_cache_set()
Coly Li <colyli(a)suse.de>
bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc()
Coly Li <colyli(a)suse.de>
bcache: avoid oversize memory allocation by small stripe_size
Ming Lei <ming.lei(a)redhat.com>
blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!"
Oliver Neukum <oneukum(a)suse.com>
usb: aqc111: check packet for fixup for true limit
Bjorn Helgaas <bhelgaas(a)google.com>
Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
Kai Vehmanen <kai.vehmanen(a)linux.intel.com>
ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
Jens Axboe <axboe(a)kernel.dk>
cred: switch to using atomic_long_t
Hyunwoo Kim <v4bel(a)theori.io>
appletalk: Fix Use-After-Free in atalk_ioctl
Andrew Halaney <ahalaney(a)redhat.com>
net: stmmac: Handle disabled MDIO busses from devicetree
Rasmus Villemoes <linux(a)rasmusvillemoes.dk>
net: stmmac: use dev_err_probe() for reporting mdio bus registration failure
Nikolay Kuratov <kniv(a)yandex-team.ru>
vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
Yusong Gao <a869920004(a)gmail.com>
sign-file: Fix incorrect return values check
Dong Chenchen <dongchenchen2(a)huawei.com>
net: Remove acked SYN flag from packet in the transmit queue correctly
Dinghao Liu <dinghao.liu(a)zju.edu.cn>
qed: Fix a potential use-after-free in qed_cxt_tables_alloc
Hyunwoo Kim <v4bel(a)theori.io>
net/rose: Fix Use-After-Free in rose_ioctl
Hyunwoo Kim <v4bel(a)theori.io>
atm: Fix Use-After-Free in do_vcc_ioctl
Chengfeng Ye <dg573847474(a)gmail.com>
atm: solos-pci: Fix potential deadlock on &tx_queue_lock
Chengfeng Ye <dg573847474(a)gmail.com>
atm: solos-pci: Fix potential deadlock on &cli_queue_lock
Stefan Wahren <wahrenst(a)gmx.net>
qca_spi: Fix reset behavior
Stefan Wahren <wahrenst(a)gmx.net>
qca_debug: Fix ethtool -G iface tx behavior
Stefan Wahren <wahrenst(a)gmx.net>
qca_debug: Prevent crash on TX ring changes
Maciej Żenczykowski <maze(a)google.com>
net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
David Howells <dhowells(a)redhat.com>
afs: Fix refcount underflow from error handling race
-------------
Diffstat:
Makefile | 4 +-
arch/arm64/include/asm/pgtable.h | 6 +++
arch/powerpc/kernel/trace/ftrace_64_mprofile.S | 17 ++++--
block/blk-throttle.c | 2 +
drivers/atm/solos-pci.c | 8 +--
drivers/hid/hid-asus.c | 25 +++++++--
drivers/hid/hid-multitouch.c | 5 ++
drivers/hid/hid-quirks.c | 1 +
drivers/md/bcache/bcache.h | 1 +
drivers/md/bcache/btree.c | 7 +++
drivers/md/bcache/super.c | 4 +-
drivers/mmc/core/core.c | 2 +
drivers/mmc/core/mmc_ops.c | 5 +-
drivers/mmc/core/mmc_ops.h | 2 +
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 1 +
drivers/net/ethernet/qualcomm/qca_debug.c | 17 +++---
drivers/net/ethernet/qualcomm/qca_spi.c | 20 ++++++-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +--
drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 8 ++-
drivers/net/team/team.c | 4 +-
drivers/net/usb/aqc111.c | 8 +--
drivers/net/usb/qmi_wwan.c | 1 +
drivers/pci/hotplug/acpiphp_glue.c | 9 ++--
drivers/platform/x86/intel_telemetry_core.c | 4 +-
drivers/soundwire/stream.c | 7 +--
fs/afs/rxrpc.c | 2 +-
fs/ext4/mballoc.c | 4 ++
include/asm-generic/qspinlock.h | 2 +-
include/linux/cred.h | 8 +--
include/net/addrconf.h | 12 ++++-
include/net/if_inet6.h | 4 --
kernel/cred.c | 64 +++++++++++------------
kernel/events/core.c | 10 ++++
kernel/trace/ring_buffer.c | 2 +
net/appletalk/ddp.c | 9 ++--
net/atm/ioctl.c | 7 ++-
net/ipv4/tcp_output.c | 6 +++
net/ipv6/addrconf.c | 6 +--
net/rose/af_rose.c | 4 +-
net/vmw_vsock/virtio_transport_common.c | 2 +-
scripts/sign-file.c | 12 ++---
sound/pci/hda/patch_hdmi.c | 2 +
42 files changed, 220 insertions(+), 110 deletions(-)
Add an erratum for versions [v0.8 to v1.3) of OpenSBI which fail to add
the "no-map" property to the reserved memory nodes for the regions it
has protected using PMPs.
Our existing fix sweeping hibernation under the carpet by marking it
NONPORTABLE is insufficient as there are other ways to generate
accesses to these reserved memory regions, as Petr discovered [1]
while testing crash kernels & kdump.
Intercede during the boot process when the afflicted versions of OpenSBI
are present & set the "no-map" property in all "mmode_resv" nodes before
the kernel does its reserved memory region initialisation.
Reported-by: Song Shuai <suagrfillet(a)gmail.com>
Link: https://lore.kernel.org/all/CAAYs2=gQvkhTeioMmqRDVGjdtNF_vhB+vm_1dHJxPNi75Y…
Reported-by: JeeHeng Sia <jeeheng.sia(a)starfivetech.com>
Link: https://groups.google.com/a/groups.riscv.org/g/sw-dev/c/ITXwaKfA6z8
Reported-by: Petr Tesarik <petrtesarik(a)huaweicloud.com>
Closes: https://lore.kernel.org/linux-riscv/76ff0f51-d6c1-580d-f943-061e93073306@hu… [1]
CC: stable(a)vger.kernel.org
Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com>
---
arch/riscv/include/asm/sbi.h | 5 +++++
arch/riscv/kernel/sbi.c | 42 +++++++++++++++++++++++++++++++++++-
arch/riscv/mm/init.c | 3 +++
3 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/include/asm/sbi.h b/arch/riscv/include/asm/sbi.h
index 5b4a1bf5f439..5360f3476278 100644
--- a/arch/riscv/include/asm/sbi.h
+++ b/arch/riscv/include/asm/sbi.h
@@ -252,6 +252,9 @@ enum sbi_pmu_ctr_type {
#define SBI_ERR_ALREADY_STARTED -7
#define SBI_ERR_ALREADY_STOPPED -8
+/* SBI implementation IDs */
+#define SBI_IMP_OPENSBI 1
+
extern unsigned long sbi_spec_version;
struct sbiret {
long error;
@@ -259,6 +262,8 @@ struct sbiret {
};
void sbi_init(void);
+void sbi_apply_reserved_mem_erratum(void *dtb_va);
+
struct sbiret sbi_ecall(int ext, int fid, unsigned long arg0,
unsigned long arg1, unsigned long arg2,
unsigned long arg3, unsigned long arg4,
diff --git a/arch/riscv/kernel/sbi.c b/arch/riscv/kernel/sbi.c
index c672c8ba9a2a..aeb27263fa53 100644
--- a/arch/riscv/kernel/sbi.c
+++ b/arch/riscv/kernel/sbi.c
@@ -5,8 +5,10 @@
* Copyright (c) 2020 Western Digital Corporation or its affiliates.
*/
+#include <linux/acpi.h>
#include <linux/bits.h>
#include <linux/init.h>
+#include <linux/libfdt.h>
#include <linux/pm.h>
#include <linux/reboot.h>
#include <asm/sbi.h>
@@ -583,6 +585,40 @@ long sbi_get_mimpid(void)
}
EXPORT_SYMBOL_GPL(sbi_get_mimpid);
+static long sbi_firmware_id;
+static long sbi_firmware_version;
+
+/*
+ * For devicetrees patched by OpenSBI a "mmode_resv" node is added to cover
+ * the region OpenSBI has protected by means of a PMP. Some versions of OpenSBI,
+ * [v0.8 to v1.3), omitted the "no-map" property, but this trips up hibernation
+ * among other things.
+ */
+void __init sbi_apply_reserved_mem_erratum(void *dtb_pa)
+{
+ int child, reserved_mem;
+
+ if (sbi_firmware_id != SBI_IMP_OPENSBI)
+ return;
+
+ if (!acpi_disabled)
+ return;
+
+ if (sbi_firmware_version >= 0x10003 || sbi_firmware_version < 0x8)
+ return;
+
+ reserved_mem = fdt_path_offset((void *)dtb_pa, "/reserved-memory");
+ if (reserved_mem < 0)
+ return;
+
+ fdt_for_each_subnode(child, (void *)dtb_pa, reserved_mem) {
+ const char *name = fdt_get_name((void *)dtb_pa, child, NULL);
+
+ if (!strncmp(name, "mmode_resv", 10))
+ fdt_setprop((void *)dtb_pa, child, "no-map", NULL, 0);
+ }
+};
+
void __init sbi_init(void)
{
int ret;
@@ -596,8 +632,12 @@ void __init sbi_init(void)
sbi_major_version(), sbi_minor_version());
if (!sbi_spec_is_0_1()) {
+ sbi_firmware_id = sbi_get_firmware_id();
+ sbi_firmware_version = sbi_get_firmware_version();
+
pr_info("SBI implementation ID=0x%lx Version=0x%lx\n",
- sbi_get_firmware_id(), sbi_get_firmware_version());
+ sbi_firmware_id, sbi_firmware_version);
+
if (sbi_probe_extension(SBI_EXT_TIME)) {
__sbi_set_timer = __sbi_set_timer_v02;
pr_info("SBI TIME extension detected\n");
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 70fb31960b63..cb16bfdeacdb 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -29,6 +29,7 @@
#include <asm/tlbflush.h>
#include <asm/sections.h>
#include <asm/soc.h>
+#include <asm/sbi.h>
#include <asm/io.h>
#include <asm/ptdump.h>
#include <asm/numa.h>
@@ -253,6 +254,8 @@ static void __init setup_bootmem(void)
* in the device tree, otherwise the allocation could end up in a
* reserved region.
*/
+
+ sbi_apply_reserved_mem_erratum(dtb_early_va);
early_init_fdt_scan_reserved_mem();
/*
--
2.40.1
While convering the binding to new format, serdes address specified in the
old binding was used as the base address. This causes a boot hang as the
driver tries to access memory region outside of the specified address. Fix
it!
Cc: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>
Cc: stable(a)vger.kernel.org # 6.6
Fixes: bb56cff4ac03 ("ARM: dts: qcom-sdx55: switch PCIe QMP PHY to new style of bindings")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org>
---
arch/arm/boot/dts/qcom/qcom-sdx55.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi b/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi
index 2aa5089a8513..a88f186fcf03 100644
--- a/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi
+++ b/arch/arm/boot/dts/qcom/qcom-sdx55.dtsi
@@ -436,9 +436,9 @@ pcie_ep: pcie-ep@1c00000 {
status = "disabled";
};
- pcie_phy: phy@1c07000 {
+ pcie_phy: phy@1c06000 {
compatible = "qcom,sdx55-qmp-pcie-phy";
- reg = <0x01c07000 0x2000>;
+ reg = <0x01c06000 0x2000>;
#address-cells = <1>;
#size-cells = <1>;
ranges;
--
2.25.1
The helper, cxl_dpa_resource_start(), snapshots the dpa-address of an
endpoint-decoder after acquiring the cxl_dpa_rwsem. However, it is
sufficient to assert that cxl_dpa_rwsem is held rather than acquire it
in the helper. Otherwise, it triggers multiple lockdep reports:
1/ Tracing callbacks are in an atomic context that can not acquire sleeping
locks:
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1525
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1288, name: bash
preempt_count: 2, expected: 0
RCU nest depth: 0, expected: 0
[..]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023
Call Trace:
<TASK>
dump_stack_lvl+0x71/0x90
__might_resched+0x1b2/0x2c0
down_read+0x1a/0x190
cxl_dpa_resource_start+0x15/0x50 [cxl_core]
cxl_trace_hpa+0x122/0x300 [cxl_core]
trace_event_raw_event_cxl_poison+0x1c9/0x2d0 [cxl_core]
2/ The rwsem is already held in the inject poison path:
WARNING: possible recursive locking detected
6.7.0-rc2+ #12 Tainted: G W OE N
--------------------------------------------
bash/1288 is trying to acquire lock:
ffffffffc05f73d0 (cxl_dpa_rwsem){++++}-{3:3}, at: cxl_dpa_resource_start+0x15/0x50 [cxl_core]
but task is already holding lock:
ffffffffc05f73d0 (cxl_dpa_rwsem){++++}-{3:3}, at: cxl_inject_poison+0x7d/0x1e0 [cxl_core]
[..]
Call Trace:
<TASK>
dump_stack_lvl+0x71/0x90
__might_resched+0x1b2/0x2c0
down_read+0x1a/0x190
cxl_dpa_resource_start+0x15/0x50 [cxl_core]
cxl_trace_hpa+0x122/0x300 [cxl_core]
trace_event_raw_event_cxl_poison+0x1c9/0x2d0 [cxl_core]
__traceiter_cxl_poison+0x5c/0x80 [cxl_core]
cxl_inject_poison+0x1bc/0x1e0 [cxl_core]
This appears to have been an issue since the initial implementation and
uncovered by the new cxl-poison.sh test [1]. That test is now passing with
these changes.
Fixes: 28a3ae4ff66c ("cxl/trace: Add an HPA to cxl_poison trace events")
Link: http://lore.kernel.org/r/e4f2716646918135ddbadf4146e92abb659de734.170061515… [1]
Cc: <stable(a)vger.kernel.org>
Cc: Alison Schofield <alison.schofield(a)intel.com>
Cc: Jonathan Cameron <Jonathan.Cameron(a)huawei.com>
Cc: Dave Jiang <dave.jiang(a)intel.com>
Cc: Ira Weiny <ira.weiny(a)intel.com>
Signed-off-by: Dan Williams <dan.j.williams(a)intel.com>
---
drivers/cxl/core/hdm.c | 3 +--
drivers/cxl/core/port.c | 4 ++--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
index 529baa8a1759..7d97790b893d 100644
--- a/drivers/cxl/core/hdm.c
+++ b/drivers/cxl/core/hdm.c
@@ -363,10 +363,9 @@ resource_size_t cxl_dpa_resource_start(struct cxl_endpoint_decoder *cxled)
{
resource_size_t base = -1;
- down_read(&cxl_dpa_rwsem);
+ lockdep_assert_held(&cxl_dpa_rwsem);
if (cxled->dpa_res)
base = cxled->dpa_res->start;
- up_read(&cxl_dpa_rwsem);
return base;
}
diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c
index 38441634e4c6..f6e9b2986a9a 100644
--- a/drivers/cxl/core/port.c
+++ b/drivers/cxl/core/port.c
@@ -226,9 +226,9 @@ static ssize_t dpa_resource_show(struct device *dev, struct device_attribute *at
char *buf)
{
struct cxl_endpoint_decoder *cxled = to_cxl_endpoint_decoder(dev);
- u64 base = cxl_dpa_resource_start(cxled);
- return sysfs_emit(buf, "%#llx\n", base);
+ guard(rwsem_read)(&cxl_dpa_rwsem);
+ return sysfs_emit(buf, "%#llx\n", cxl_dpa_resource_start(cxled));
}
static DEVICE_ATTR_RO(dpa_resource);
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x 5a6c9a05e55cb2972396cc991af9d74c8c15029a
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023121851-roamer-gravel-ddbe@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
5a6c9a05e55c ("drm: Fix FD ownership check in drm_master_check_perm()")
1c7a387ffef8 ("drm: Update file owner during use")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 5a6c9a05e55cb2972396cc991af9d74c8c15029a Mon Sep 17 00:00:00 2001
From: Lingkai Dong <Lingkai.Dong(a)arm.com>
Date: Wed, 6 Dec 2023 13:51:58 +0000
Subject: [PATCH] drm: Fix FD ownership check in drm_master_check_perm()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The DRM subsystem keeps a record of the owner of a DRM device file
descriptor using thread group ID (TGID) instead of process ID (PID), to
ensures all threads within the same userspace process are considered the
owner. However, the DRM master ownership check compares the current
thread's PID against the record, so the thread is incorrectly considered to
be not the FD owner if the PID is not equal to the TGID. This causes DRM
ioctls to be denied master privileges, even if the same thread that opened
the FD performs an ioctl. Fix this by checking TGID.
Fixes: 4230cea89cafb ("drm: Track clients by tgid and not tid")
Signed-off-by: Lingkai Dong <lingkai.dong(a)arm.com>
Reviewed-by: Christian König <christian.koenig(a)amd.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v6.4+
Link: https://patchwork.freedesktop.org/patch/msgid/PA6PR08MB107665920BE9A96658CD…
Signed-off-by: Christian König <christian.koenig(a)amd.com>
diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
index 2ed2585ded37..6899b3dc1f12 100644
--- a/drivers/gpu/drm/drm_auth.c
+++ b/drivers/gpu/drm/drm_auth.c
@@ -236,7 +236,7 @@ static int
drm_master_check_perm(struct drm_device *dev, struct drm_file *file_priv)
{
if (file_priv->was_master &&
- rcu_access_pointer(file_priv->pid) == task_pid(current))
+ rcu_access_pointer(file_priv->pid) == task_tgid(current))
return 0;
if (!capable(CAP_SYS_ADMIN))