13 files changed, 899 insertions, 0 deletions
diff --git a/queue-6.12/arm64-ptrace-fix-stack-out-of-bounds-read-in-regs_ge.patch b/queue-6.12/arm64-ptrace-fix-stack-out-of-bounds-read-in-regs_ge.patch
new file mode 100644
index 0000000000..52af6a46aa
--- /dev/null
+++ b/queue-6.12/arm64-ptrace-fix-stack-out-of-bounds-read-in-regs_ge.patch
@@ -0,0 +1,107 @@ +From 409cda7196eeb620c1c49c829f8d5aa56cb87900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 4 Jun 2025 00:55:33 +0000 +Subject: arm64/ptrace: Fix stack-out-of-bounds read in + regs_get_kernel_stack_nth() + +From: Tengda Wu <wutengda@huaweicloud.com> + +[ Upstream commit 39dfc971e42d886e7df01371cd1bef505076d84c ] + +KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth(). + +Call Trace: +[ 97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8 +[ 97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550 +[ 97.285732] +[ 97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11 +[ 97.287032] Hardware name: linux,dummy-virt (DT) +[ 97.287815] Call trace: +[ 97.288279] dump_backtrace+0xa0/0x128 +[ 97.288946] show_stack+0x20/0x38 +[ 97.289551] dump_stack_lvl+0x78/0xc8 +[ 97.290203] print_address_description.constprop.0+0x84/0x3c8 +[ 97.291159] print_report+0xb0/0x280 +[ 97.291792] kasan_report+0x84/0xd0 +[ 97.292421] __asan_load8+0x9c/0xc0 +[ 97.293042] regs_get_kernel_stack_nth+0xa8/0xc8 +[ 97.293835] process_fetch_insn+0x770/0xa30 +[ 97.294562] kprobe_trace_func+0x254/0x3b0 +[ 97.295271] kprobe_dispatcher+0x98/0xe0 +[ 97.295955] kprobe_breakpoint_handler+0x1b0/0x210 +[ 97.296774] call_break_hook+0xc4/0x100 +[ 97.297451] brk_handler+0x24/0x78 +[ 97.298073] do_debug_exception+0xac/0x178 +[ 97.298785] el1_dbg+0x70/0x90 +[ 97.299344] el1h_64_sync_handler+0xcc/0xe8 +[ 97.300066] el1h_64_sync+0x78/0x80 +[ 97.300699] kernel_clone+0x0/0x500 +[ 97.301331] __arm64_sys_clone+0x70/0x90 +[ 97.302084] invoke_syscall+0x68/0x198 +[ 97.302746] el0_svc_common.constprop.0+0x11c/0x150 +[ 97.303569] do_el0_svc+0x38/0x50 +[ 97.304164] el0_svc+0x44/0x1d8 +[ 97.304749] el0t_64_sync_handler+0x100/0x130 +[ 97.305500] el0t_64_sync+0x188/0x190 +[ 97.306151] +[ 97.306475] The buggy address belongs to stack of task 1.sh/2550 +[ 97.307461] and is located at offset 0 in frame: +[ 97.308257] 
__se_sys_clone+0x0/0x138 +[ 97.308910] +[ 97.309241] This frame has 1 object: +[ 97.309873] [48, 184) 'args' +[ 97.309876] +[ 97.310749] The buggy address belongs to the virtual mapping at +[ 97.310749] [ffff800089270000, ffff800089279000) created by: +[ 97.310749] dup_task_struct+0xc0/0x2e8 +[ 97.313347] +[ 97.313674] The buggy address belongs to the physical page: +[ 97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a +[ 97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff) +[ 97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000 +[ 97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 +[ 97.319445] page dumped because: kasan: bad access detected +[ 97.320371] +[ 97.320694] Memory state around the buggy address: +[ 97.321511] ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 97.322681] ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00 +[ 97.325023] ^ +[ 97.325683] ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 +[ 97.326856] ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +This issue seems to be related to the behavior of some gcc compilers and +was also fixed on the s390 architecture before: + + commit d93a855c31b7 ("s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()") + +As described in that commit, regs_get_kernel_stack_nth() has confirmed that +`addr` is on the stack, so reading the value at `*addr` should be allowed. +Use READ_ONCE_NOCHECK() helper to silence the KASAN check for this case. 
+ +Fixes: 0a8ea52c3eb1 ("arm64: Add HAVE_REGS_AND_STACK_ACCESS_API feature") +Signed-off-by: Tengda Wu <wutengda@huaweicloud.com> +Link: https://lore.kernel.org/r/20250604005533.1278992-1-wutengda@huaweicloud.com +[will: Use '*addr' as the argument to READ_ONCE_NOCHECK()] +Signed-off-by: Will Deacon <will@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + arch/arm64/kernel/ptrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c +index 1559a239137f3..1a8f4284cb69a 100644 +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -140,7 +140,7 @@ unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, unsigned int n) + + addr += n; + if (regs_within_kernel_stack(regs, (unsigned long)addr)) +- return *addr; ++ return READ_ONCE_NOCHECK(*addr); + else + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/cifs-remove-duplicate-fattr-cf_dtype-assignment-from.patch b/queue-6.12/cifs-remove-duplicate-fattr-cf_dtype-assignment-from.patch new file mode 100644 index 0000000000..c1b5708713 --- /dev/null +++ b/queue-6.12/cifs-remove-duplicate-fattr-cf_dtype-assignment-from.patch 
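Review bot: The new `return READ_ONCE_NOCHECK(*addr);` carries no in-code explanation of why sanitizer instrumentation is bypassed, so a later cleanup could reasonably turn it back into a plain dereference and reintroduce the KASAN report. The justification lives only in the commit message; add a comment above the return such as `/* addr was bounds-checked against the kernel stack above; skip KASAN, which may see this as an out-of-frame read (see s390 commit d93a855c31b7). */`. NOCHECK only suppresses the sanitizer: `regs_within_kernel_stack()` remains the sole guard on the computed `addr`, so the ordering here (apply the offset first, then check) is what keeps the read in bounds and should be preserved. regs_get_kernel_stack_nth() starts outside the hunk.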
@@ -0,0 +1,41 @@ +From 5a001563975f4cc8e4f1c743bfb965cc8e7e5571 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sun, 8 Jun 2025 16:10:33 +0200 +Subject: cifs: Remove duplicate fattr->cf_dtype assignment from wsl_to_fattr() + function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár <pali@kernel.org> + +[ Upstream commit 840738eae94864993a735ab677b9795bb8f3b961 ] + +Commit 8bd25b61c5a5 ("smb: client: set correct d_type for reparse DFS/DFSR +and mount point") deduplicated assignment of fattr->cf_dtype member from +all places to end of the function cifs_reparse_point_to_fattr(). The only +one missing place which was not deduplicated is wsl_to_fattr(). Fix it. + +Fixes: 8bd25b61c5a5 ("smb: client: set correct d_type for reparse DFS/DFSR and mount point") +Signed-off-by: Pali Rohár <pali@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/smb/client/reparse.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c +index b6556fe3dfa11..4d45c31336df1 100644 +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -738,7 +738,6 @@ static bool wsl_to_fattr(struct cifs_open_info_data *data, + if (!have_xattr_dev && (tag == IO_REPARSE_TAG_LX_CHR || tag == IO_REPARSE_TAG_LX_BLK)) + return false; + +- fattr->cf_dtype = S_DT(fattr->cf_mode); + return true; + } + +-- +2.39.5 + diff --git a/queue-6.12/gpio-mlxbf3-only-get-irq-for-device-instance-0.patch b/queue-6.12/gpio-mlxbf3-only-get-irq-for-device-instance-0.patch new file mode 100644 index 0000000000..0c5bb93d89 --- /dev/null +++ b/queue-6.12/gpio-mlxbf3-only-get-irq-for-device-instance-0.patch 
@@ -0,0 +1,103 @@ +From 93d35816b07708657960acf2c1940075c09a72bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 13 Jun 2025 16:34:43 +0000 +Subject: gpio: mlxbf3: only get IRQ for device instance 0 + +From: David Thompson <davthompson@nvidia.com> + +[ Upstream commit 10af0273a35ab4513ca1546644b8c853044da134 ] + +The gpio-mlxbf3 driver interfaces with two GPIO controllers, +device instance 0 and 1. There is a single IRQ resource shared +between the two controllers, and it is found in the ACPI table for +device instance 0. The driver should not attempt to get an IRQ +resource when probing device instance 1, otherwise the following +error is logged: + mlxbf3_gpio MLNXBF33:01: error -ENXIO: IRQ index 0 not found + +Signed-off-by: David Thompson <davthompson@nvidia.com> +Reviewed-by: Shravan Kumar Ramani <shravankr@nvidia.com> +Fixes: cd33f216d241 ("gpio: mlxbf3: Add gpio driver support") +Link: https://lore.kernel.org/r/20250613163443.1065217-1-davthompson@nvidia.com +Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpio/gpio-mlxbf3.c | 54 ++++++++++++++++++++++++-------------- + 1 file changed, 35 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpio/gpio-mlxbf3.c b/drivers/gpio/gpio-mlxbf3.c +index 10ea71273c891..9875e34bde72a 100644 +--- a/drivers/gpio/gpio-mlxbf3.c ++++ b/drivers/gpio/gpio-mlxbf3.c +@@ -190,7 +190,9 @@ static int mlxbf3_gpio_probe(struct platform_device *pdev) + struct mlxbf3_gpio_context *gs; + struct gpio_irq_chip *girq; + struct gpio_chip *gc; ++ char *colon_ptr; + int ret, irq; ++ long num; + + gs = devm_kzalloc(dev, sizeof(*gs), GFP_KERNEL); + if (!gs) +@@ -227,25 +229,39 @@ static int mlxbf3_gpio_probe(struct platform_device *pdev) + gc->owner = THIS_MODULE; + gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges; + +- irq = platform_get_irq(pdev, 0); +- if (irq >= 0) { +- girq = &gs->gc.irq; +- gpio_irq_chip_set_chip(girq, 
&gpio_mlxbf3_irqchip); +- girq->default_type = IRQ_TYPE_NONE; +- /* This will let us handle the parent IRQ in the driver */ +- girq->num_parents = 0; +- girq->parents = NULL; +- girq->parent_handler = NULL; +- girq->handler = handle_bad_irq; +- +- /* +- * Directly request the irq here instead of passing +- * a flow-handler because the irq is shared. +- */ +- ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler, +- IRQF_SHARED, dev_name(dev), gs); +- if (ret) +- return dev_err_probe(dev, ret, "failed to request IRQ"); ++ colon_ptr = strchr(dev_name(dev), ':'); ++ if (!colon_ptr) { ++ dev_err(dev, "invalid device name format\n"); ++ return -EINVAL; ++ } ++ ++ ret = kstrtol(++colon_ptr, 16, &num); ++ if (ret) { ++ dev_err(dev, "invalid device instance\n"); ++ return ret; ++ } ++ ++ if (!num) { ++ irq = platform_get_irq(pdev, 0); ++ if (irq >= 0) { ++ girq = &gs->gc.irq; ++ gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip); ++ girq->default_type = IRQ_TYPE_NONE; ++ /* This will let us handle the parent IRQ in the driver */ ++ girq->num_parents = 0; ++ girq->parents = NULL; ++ girq->parent_handler = NULL; ++ girq->handler = handle_bad_irq; ++ ++ /* ++ * Directly request the irq here instead of passing ++ * a flow-handler because the irq is shared. ++ */ ++ ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler, ++ IRQF_SHARED, dev_name(dev), gs); ++ if (ret) ++ return dev_err_probe(dev, ret, "failed to request IRQ"); ++ } + } + + platform_set_drvdata(pdev, gs); +-- +2.39.5 + diff --git a/queue-6.12/gpio-pca953x-fix-wrong-error-probe-return-value.patch b/queue-6.12/gpio-pca953x-fix-wrong-error-probe-return-value.patch new file mode 100644 index 0000000000..1ae58cf7e1 --- /dev/null +++ b/queue-6.12/gpio-pca953x-fix-wrong-error-probe-return-value.patch 
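Review bot: `colon_ptr` is declared `char *` although it only ever points into the string returned by `dev_name(dev)`, and the increment is folded into the call argument; declare it `const char *colon_ptr;` and write `ret = kstrtol(colon_ptr + 1, 16, &num);` so it is visibly never written through and the parse start is explicit. The instance detection now depends on the device name having the form shown in the commit message's log line (a prefix, a colon, then a hex instance number); a device named differently by a future firmware table fails probe with -EINVAL where it previously merely lacked an IRQ, which is worth stating in a comment above the `strchr()` call, e.g. `/* Only instance 0 carries the shared IRQ resource; the instance number is the hex suffix after ':' in the ACPI device name. */`. mlxbf3_gpio_probe() begins and ends outside the hunk.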
@@ -0,0 +1,38 @@ +From b5c8518aa6602781584369a6b567aed368269553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 16 Jun 2025 15:45:03 +0200 +Subject: gpio: pca953x: fix wrong error probe return value + +From: Sascha Hauer <s.hauer@pengutronix.de> + +[ Upstream commit 0a1db19f66c0960eb00e1f2ccd40708b6747f5b1 ] + +The second argument to dev_err_probe() is the error value. Pass the +return value of devm_request_threaded_irq() there instead of the irq +number. + +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +Fixes: c47f7ff0fe61 ("gpio: pca953x: Utilise dev_err_probe() where it makes sense") +Link: https://lore.kernel.org/r/20250616134503.1201138-1-s.hauer@pengutronix.de +Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/gpio/gpio-pca953x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index ef3aee1cabcfd..bb7c1bf5f856e 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -951,7 +951,7 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base) + IRQF_ONESHOT | IRQF_SHARED, dev_name(dev), + chip); + if (ret) +- return dev_err_probe(dev, client->irq, "failed to request irq\n"); ++ return dev_err_probe(dev, ret, "failed to request irq\n"); + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/perf-core-fix-warn-in-perf_cgroup_switch.patch b/queue-6.12/perf-core-fix-warn-in-perf_cgroup_switch.patch new file mode 100644 index 0000000000..e9b14e4ea2 --- /dev/null +++ b/queue-6.12/perf-core-fix-warn-in-perf_cgroup_switch.patch 
@@ -0,0 +1,104 @@ +From 0d5d730479c2bd19ac5a511f14a0415e633fa0bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 4 Jun 2025 03:39:24 +0000 +Subject: perf/core: Fix WARN in perf_cgroup_switch() + +From: Luo Gengkun <luogengkun@huaweicloud.com> + +[ Upstream commit 3172fb986666dfb71bf483b6d3539e1e587fa197 ] + +There may be concurrency between perf_cgroup_switch and +perf_cgroup_event_disable. Consider the following scenario: after a new +perf cgroup event is created on CPU0, the new event may not trigger +a reprogramming, causing ctx->is_active to be 0. In this case, when CPU1 +disables this perf event, it executes __perf_remove_from_context-> +list _del_event->perf_cgroup_event_disable on CPU1, which causes a race +with perf_cgroup_switch running on CPU0. + +The following describes the details of this concurrency scenario: + +CPU0 CPU1 + +perf_cgroup_switch: + ... + # cpuctx->cgrp is not NULL here + if (READ_ONCE(cpuctx->cgrp) == NULL) + return; + + perf_remove_from_context: + ... + raw_spin_lock_irq(&ctx->lock); + ... + # ctx->is_active == 0 because reprogramm is not + # tigger, so CPU1 can do __perf_remove_from_context + # for CPU0 + __perf_remove_from_context: + perf_cgroup_event_disable: + ... + if (--ctx->nr_cgroups) + ... + + # this warning will happened because CPU1 changed + # ctx.nr_cgroups to 0. 
+ WARN_ON_ONCE(cpuctx->ctx.nr_cgroups == 0); + +[peterz: use guard instead of goto unlock] +Fixes: db4a835601b7 ("perf/core: Set cgroup in CPU contexts for new cgroup events") +Signed-off-by: Luo Gengkun <luogengkun@huaweicloud.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Link: https://lkml.kernel.org/r/20250604033924.3914647-3-luogengkun@huaweicloud.com +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + kernel/events/core.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 3389a5a2724df..7210104b3345c 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -206,6 +206,19 @@ static void perf_ctx_unlock(struct perf_cpu_context *cpuctx, + __perf_ctx_unlock(&cpuctx->ctx); + } + ++typedef struct { ++ struct perf_cpu_context *cpuctx; ++ struct perf_event_context *ctx; ++} class_perf_ctx_lock_t; ++ ++static inline void class_perf_ctx_lock_destructor(class_perf_ctx_lock_t *_T) ++{ perf_ctx_unlock(_T->cpuctx, _T->ctx); } ++ ++static inline class_perf_ctx_lock_t ++class_perf_ctx_lock_constructor(struct perf_cpu_context *cpuctx, ++ struct perf_event_context *ctx) ++{ perf_ctx_lock(cpuctx, ctx); return (class_perf_ctx_lock_t){ cpuctx, ctx }; } ++ + #define TASK_TOMBSTONE ((void *)-1L) + + static bool is_kernel_event(struct perf_event *event) +@@ -898,7 +911,13 @@ static void perf_cgroup_switch(struct task_struct *task) + if (READ_ONCE(cpuctx->cgrp) == cgrp) + return; + +- perf_ctx_lock(cpuctx, cpuctx->task_ctx); ++ guard(perf_ctx_lock)(cpuctx, cpuctx->task_ctx); ++ /* ++ * Re-check, could've raced vs perf_remove_from_context(). 
++ */ ++ if (READ_ONCE(cpuctx->cgrp) == NULL) ++ return; ++ + perf_ctx_disable(&cpuctx->ctx, true); + + ctx_sched_out(&cpuctx->ctx, NULL, EVENT_ALL|EVENT_CGROUP); +@@ -916,7 +935,6 @@ static void perf_cgroup_switch(struct task_struct *task) + ctx_sched_in(&cpuctx->ctx, NULL, EVENT_ALL|EVENT_CGROUP); + + perf_ctx_enable(&cpuctx->ctx, true); +- perf_ctx_unlock(cpuctx, cpuctx->task_ctx); + } + + static int perf_cgroup_ensure_storage(struct perf_event *event, +-- +2.39.5 + diff --git a/queue-6.12/perf-evsel-missed-close-when-probing-hybrid-core-pmu.patch b/queue-6.12/perf-evsel-missed-close-when-probing-hybrid-core-pmu.patch new file mode 100644 index 0000000000..8914e03309 --- /dev/null +++ b/queue-6.12/perf-evsel-missed-close-when-probing-hybrid-core-pmu.patch 
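Review bot: The hand-rolled `class_perf_ctx_lock_t` with its `_constructor`/`_destructor` pair has no comment saying it exists to make `guard(perf_ctx_lock)(...)` usable, which is the only reason for its shape; add `/* Scoped lock class wrapping perf_ctx_lock()/perf_ctx_unlock() for guard(perf_ctx_lock)(cpuctx, ctx). */` above the typedef. In perf_cgroup_switch() the early `return` after the re-check now relies on the guard's destructor to drop the lock; a reader comparing it with the removed explicit `perf_ctx_unlock()` at the end may otherwise read it as a leaked lock, so the re-check comment could add that the guard releases it on every exit. perf_cgroup_switch() starts outside the hunk.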
@@ -0,0 +1,54 @@ +From 7f07aad24c4a50f20613af0a3de14de54f4c2c86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 13 Jun 2025 17:41:05 -0700 +Subject: perf evsel: Missed close() when probing hybrid core PMUs + +From: Ian Rogers <irogers@google.com> + +[ Upstream commit ebec62bc7ec435b475722a5467d67c720a1ad79f ] + +Add missing close() to avoid leaking perf events. + +In past perfs this mattered little as the function was just used by 'perf +list'. + +As the function is now used to detect hybrid PMUs leaking the perf event +is somewhat more painful. + +Fixes: b41f1cec91c37eee ("perf list: Skip unsupported events") +Signed-off-by: Ian Rogers <irogers@google.com> +Cc: Adrian Hunter <adrian.hunter@intel.com> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Andi Kleen <ak@linux.intel.com> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Jiapeng Chong <jiapeng.chong@linux.alibaba.com> +Cc: Jiri Olsa <jolsa@kernel.org> +Cc: Kan Liang <kan.liang@linux.intel.com> +Cc: Mark Rutland <mark.rutland@arm.com> +Cc: Michael Petlan <mpetlan@redhat.com> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Namhyung Kim <namhyung.kim@lge.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Tiezhu Yang <yangtiezhu@loongson.cn> +Link: https://lore.kernel.org/r/20250614004108.1650988-2-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + tools/perf/util/print-events.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/print-events.c b/tools/perf/util/print-events.c +index 81e0135cddf01..a1c71d9793bd8 100644 +--- a/tools/perf/util/print-events.c ++++ b/tools/perf/util/print-events.c +@@ -282,6 +282,7 @@ bool is_event_supported(u8 type, u64 config) + ret = evsel__open(evsel, NULL, tmap) >= 0; + } + ++ evsel__close(evsel); + evsel__delete(evsel); + } + +-- +2.39.5 + 
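Review bot: The added `evsel__close(evsel);` runs unconditionally, including on the path where `evsel__open()` failed and `ret` is false; presumably evsel__close() tolerates an evsel that was never opened (confirm against its fd-array handling), otherwise the call should be guarded with `if (ret)`. If it is tolerated, a short comment such as `/* Close the probe event before freeing it; safe when open failed. */` would record that for the next reader. is_event_supported() starts and ends outside the hunk.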
diff --git a/queue-6.12/perf-fix-cgroup-state-vs-error.patch b/queue-6.12/perf-fix-cgroup-state-vs-error.patch
new file mode 100644
index 0000000000..17c192725b
--- /dev/null
+++ b/queue-6.12/perf-fix-cgroup-state-vs-error.patch
@@ -0,0 +1,132 @@ +From 153c18fc8d287a66b012e255b8a45b9625cd9226 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 5 Jun 2025 12:37:11 +0200 +Subject: perf: Fix cgroup state vs ERROR + +From: Peter Zijlstra <peterz@infradead.org> + +[ Upstream commit 61988e36dc5457cdff7ae7927e8d9ad1419ee998 ] + +While chasing down a missing perf_cgroup_event_disable() elsewhere, +Leo Yan found that both perf_put_aux_event() and +perf_remove_sibling_event() were also missing one. + +Specifically, the rule is that events that switch to OFF,ERROR need to +call perf_cgroup_event_disable(). + +Unify the disable paths to ensure this. + +Fixes: ab43762ef010 ("perf: Allow normal events to output AUX data") +Fixes: 9f0c4fa111dc ("perf/core: Add a new PERF_EV_CAP_SIBLING event capability") +Reported-by: Leo Yan <leo.yan@arm.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Link: https://lkml.kernel.org/r/20250605123343.GD35970@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + kernel/events/core.c | 51 ++++++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 21 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index ed3bc2e390511..3389a5a2724df 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -2111,8 +2111,9 @@ perf_aux_output_match(struct perf_event *event, struct perf_event *aux_event) + } + + static void put_event(struct perf_event *event); +-static void event_sched_out(struct perf_event *event, +- struct perf_event_context *ctx); ++static void __event_disable(struct perf_event *event, ++ struct perf_event_context *ctx, ++ enum perf_event_state state); + + static void perf_put_aux_event(struct perf_event *event) + { +@@ -2145,8 +2146,7 @@ static void perf_put_aux_event(struct perf_event *event) + * state so that we don't try to schedule it again. Note + * that perf_event_enable() will clear the ERROR status. 
+ */ +- event_sched_out(iter, ctx); +- perf_event_set_state(event, PERF_EVENT_STATE_ERROR); ++ __event_disable(iter, ctx, PERF_EVENT_STATE_ERROR); + } + } + +@@ -2204,18 +2204,6 @@ static inline struct list_head *get_event_list(struct perf_event *event) + &event->pmu_ctx->flexible_active; + } + +-/* +- * Events that have PERF_EV_CAP_SIBLING require being part of a group and +- * cannot exist on their own, schedule them out and move them into the ERROR +- * state. Also see _perf_event_enable(), it will not be able to recover +- * this ERROR state. +- */ +-static inline void perf_remove_sibling_event(struct perf_event *event) +-{ +- event_sched_out(event, event->ctx); +- perf_event_set_state(event, PERF_EVENT_STATE_ERROR); +-} +- + static void perf_group_detach(struct perf_event *event) + { + struct perf_event *leader = event->group_leader; +@@ -2251,8 +2239,15 @@ static void perf_group_detach(struct perf_event *event) + */ + list_for_each_entry_safe(sibling, tmp, &event->sibling_list, sibling_list) { + ++ /* ++ * Events that have PERF_EV_CAP_SIBLING require being part of ++ * a group and cannot exist on their own, schedule them out ++ * and move them into the ERROR state. Also see ++ * _perf_event_enable(), it will not be able to recover this ++ * ERROR state. 
++ */ + if (sibling->event_caps & PERF_EV_CAP_SIBLING) +- perf_remove_sibling_event(sibling); ++ __event_disable(sibling, ctx, PERF_EVENT_STATE_ERROR); + + sibling->group_leader = sibling; + list_del_init(&sibling->sibling_list); +@@ -2512,6 +2507,15 @@ static void perf_remove_from_context(struct perf_event *event, unsigned long fla + event_function_call(event, __perf_remove_from_context, (void *)flags); + } + ++static void __event_disable(struct perf_event *event, ++ struct perf_event_context *ctx, ++ enum perf_event_state state) ++{ ++ event_sched_out(event, ctx); ++ perf_cgroup_event_disable(event, ctx); ++ perf_event_set_state(event, state); ++} ++ + /* + * Cross CPU call to disable a performance event + */ +@@ -2526,13 +2530,18 @@ static void __perf_event_disable(struct perf_event *event, + perf_pmu_disable(event->pmu_ctx->pmu); + ctx_time_update_event(ctx, event); + ++ /* ++ * When disabling a group leader, the whole group becomes ineligible ++ * to run, so schedule out the full group. ++ */ + if (event == event->group_leader) + group_sched_out(event, ctx); +- else +- event_sched_out(event, ctx); + +- perf_event_set_state(event, PERF_EVENT_STATE_OFF); +- perf_cgroup_event_disable(event, ctx); ++ /* ++ * But only mark the leader OFF; the siblings will remain ++ * INACTIVE. ++ */ ++ __event_disable(event, ctx, PERF_EVENT_STATE_OFF); + + perf_pmu_enable(event->pmu_ctx->pmu); + } +-- +2.39.5 + diff --git a/queue-6.12/perf-fix-sample-vs-do_exit.patch b/queue-6.12/perf-fix-sample-vs-do_exit.patch new file mode 100644 index 0000000000..b6ced968df --- /dev/null +++ b/queue-6.12/perf-fix-sample-vs-do_exit.patch 
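Review bot: In __perf_event_disable() a group leader is now scheduled out twice: `group_sched_out(event, ctx)` runs first, then `__event_disable()` calls `event_sched_out(event, ctx)` on the same leader; this is presumably harmless because event_sched_out() returns early for an event that is no longer ACTIVE, but that assumption is stated nowhere in the hunk and deserves a line in the new "only mark the leader OFF" comment. The helper also reorders the leader path so that `perf_cgroup_event_disable()` now runs before `perf_event_set_state()` where the removed lines did the reverse; if perf_cgroup_event_disable() does not read the event state this is fine, and the `__event_disable()` definition could document that required order in one sentence. Both __perf_event_disable() and perf_group_detach() extend beyond the hunk.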
@@ -0,0 +1,102 @@ +From 523b54c468835cb7cb9b0c81bf10b7ab5c32e384 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 5 Jun 2025 12:31:45 +0200 +Subject: perf: Fix sample vs do_exit() + +From: Peter Zijlstra <peterz@infradead.org> + +[ Upstream commit 4f6fc782128355931527cefe3eb45338abd8ab39 ] + +Baisheng Gao reported an ARM64 crash, which Mark decoded as being a +synchronous external abort -- most likely due to trying to access +MMIO in bad ways. + +The crash further shows perf trying to do a user stack sample while in +exit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address +space it is trying to access. + +It turns out that we stop perf after we tear down the userspace mm; a +receipie for disaster, since perf likes to access userspace for +various reasons. + +Flip this order by moving up where we stop perf in do_exit(). + +Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER +to abort when the current task does not have an mm (exit_mm() makes +sure to set current->mm = NULL; before commencing with the actual +teardown). Such that CPU wide events don't trip on this same problem. + +Fixes: c5ebcedb566e ("perf: Add ability to attach user stack dump to sample") +Reported-by: Baisheng Gao <baisheng.gao@unisoc.com> +Suggested-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Link: https://lkml.kernel.org/r/20250605110815.GQ39944@noisy.programming.kicks-ass.net +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + kernel/events/core.c | 7 +++++++ + kernel/exit.c | 17 +++++++++-------- + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 9ce82904f761d..ed3bc2e390511 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7097,6 +7097,10 @@ perf_sample_ustack_size(u16 stack_size, u16 header_size, + if (!regs) + return 0; + ++ /* No mm, no stack, no dump. 
*/ ++ if (!current->mm) ++ return 0; ++ + /* + * Check if we fit in with the requested stack size into the: + * - TASK_SIZE +@@ -7808,6 +7812,9 @@ perf_callchain(struct perf_event *event, struct pt_regs *regs) + const u32 max_stack = event->attr.sample_max_stack; + struct perf_callchain_entry *callchain; + ++ if (!current->mm) ++ user = false; ++ + if (!kernel && !user) + return &__empty_callchain; + +diff --git a/kernel/exit.c b/kernel/exit.c +index 56b8bd9487b4b..d465b36bcc869 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -923,6 +923,15 @@ void __noreturn do_exit(long code) + tsk->exit_code = code; + taskstats_exit(tsk, group_dead); + ++ /* ++ * Since sampling can touch ->mm, make sure to stop everything before we ++ * tear it down. ++ * ++ * Also flushes inherited counters to the parent - before the parent ++ * gets woken up by child-exit notifications. ++ */ ++ perf_event_exit_task(tsk); ++ + exit_mm(); + + if (group_dead) +@@ -939,14 +948,6 @@ void __noreturn do_exit(long code) + exit_task_work(tsk); + exit_thread(tsk); + +- /* +- * Flush inherited counters to the parent - before the parent +- * gets woken up by child-exit notifications. +- * +- * because of cgroup mode, must be called before cgroup_exit() +- */ +- perf_event_exit_task(tsk); +- + sched_autogroup_exit_task(tsk); + cgroup_exit(tsk); + +-- +2.39.5 + diff --git a/queue-6.12/perf-test-directory-file-descriptor-leak.patch b/queue-6.12/perf-test-directory-file-descriptor-leak.patch new file mode 100644 index 0000000000..cf6c730ebb --- /dev/null +++ b/queue-6.12/perf-test-directory-file-descriptor-leak.patch 
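Review bot: The new comment above `perf_event_exit_task(tsk);` in do_exit() drops the removed comment's statement that the call must happen before `cgroup_exit()` because of cgroup mode; the new position still satisfies that, but the constraint itself is no longer recorded, so keep a sentence like `Because of cgroup mode, this must also stay ahead of cgroup_exit().` in the new block. In perf_callchain() the added `if (!current->mm) user = false;` has no comment, unlike the matching `/* No mm, no stack, no dump. */` in perf_sample_ustack_size(); mirroring it, e.g. `/* No mm (e.g. an exiting task): no user stack to walk. */`, ties the two guards together. All three touched functions start outside the hunk.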
@@ -0,0 +1,47 @@ +From 3deb850a79b1e33688210948509804426894b7af Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 13 Jun 2025 17:41:04 -0700 +Subject: perf test: Directory file descriptor leak + +From: Ian Rogers <irogers@google.com> + +[ Upstream commit 19f4422d485b2d0a935117a1a16015328f99be25 ] + +Add missed close when iterating over the script directories. + +Fixes: f3295f5b067d3c26 ("perf tests: Use scandirat for shell script finding") +Signed-off-by: Ian Rogers <irogers@google.com> +Cc: Adrian Hunter <adrian.hunter@intel.com> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Andi Kleen <ak@linux.intel.com> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Jiapeng Chong <jiapeng.chong@linux.alibaba.com> +Cc: Jiri Olsa <jolsa@kernel.org> +Cc: Kan Liang <kan.liang@linux.intel.com> +Cc: Mark Rutland <mark.rutland@arm.com> +Cc: Michael Petlan <mpetlan@redhat.com> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Tiezhu Yang <yangtiezhu@loongson.cn> +Link: https://lore.kernel.org/r/20250614004108.1650988-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + tools/perf/tests/tests-scripts.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/tests-scripts.c b/tools/perf/tests/tests-scripts.c +index ed114b0442936..b6986d50dde6c 100644 +--- a/tools/perf/tests/tests-scripts.c ++++ b/tools/perf/tests/tests-scripts.c +@@ -255,6 +255,7 @@ static void append_scripts_in_dir(int dir_fd, + continue; /* Skip scripts that have a separate driver. */ + fd = openat(dir_fd, ent->d_name, O_PATH); + append_scripts_in_dir(fd, result, result_sz); ++ close(fd); + } + for (i = 0; i < n_dirs; i++) /* Clean up */ + zfree(&entlist[i]); +-- +2.39.5 + 
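Review bot: The `openat()` result on the line above the recursion is still not checked, so on failure `append_scripts_in_dir(-1, ...)` is called and the new `close(fd)` closes -1; neither is fatal, but the error is silently ignored. Insert `if (fd < 0) continue;` directly after the `openat()` call so a failed entry is skipped before both the recursion and the close. append_scripts_in_dir() starts outside the hunk.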
diff --git a/queue-6.12/risc-v-kvm-don-t-treat-sbi-hfence-calls-as-nops.patch b/queue-6.12/risc-v-kvm-don-t-treat-sbi-hfence-calls-as-nops.patch
new file mode 100644
index 0000000000..9251363b35
--- /dev/null
+++ b/queue-6.12/risc-v-kvm-don-t-treat-sbi-hfence-calls-as-nops.patch
@@ -0,0 +1,46 @@ +From 9404122465cc64124cc1d7bf373d1a06ebc4b326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 5 Jun 2025 11:44:47 +0530 +Subject: RISC-V: KVM: Don't treat SBI HFENCE calls as NOPs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anup Patel <apatel@ventanamicro.com> + +[ Upstream commit 2e7be162996640bbe3b6da694cc064c511b8a5d9 ] + +The SBI specification clearly states that SBI HFENCE calls should +return SBI_ERR_NOT_SUPPORTED when one of the target hart doesn’t +support hypervisor extension (aka nested virtualization in-case +of KVM RISC-V). + +Fixes: c7fa3c48de86 ("RISC-V: KVM: Treat SBI HFENCE calls as NOPs") +Reviewed-by: Atish Patra <atishp@rivosinc.com> +Signed-off-by: Anup Patel <apatel@ventanamicro.com> +Link: https://lore.kernel.org/r/20250605061458.196003-3-apatel@ventanamicro.com +Signed-off-by: Anup Patel <anup@brainfault.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + arch/riscv/kvm/vcpu_sbi_replace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kvm/vcpu_sbi_replace.c b/arch/riscv/kvm/vcpu_sbi_replace.c +index 9752d2ffff683..b17fad091babd 100644 +--- a/arch/riscv/kvm/vcpu_sbi_replace.c ++++ b/arch/riscv/kvm/vcpu_sbi_replace.c +@@ -127,9 +127,9 @@ static int kvm_sbi_ext_rfence_handler(struct kvm_vcpu *vcpu, struct kvm_run *run + case SBI_EXT_RFENCE_REMOTE_HFENCE_VVMA_ASID: + /* + * Until nested virtualization is implemented, the +- * SBI HFENCE calls should be treated as NOPs ++ * SBI HFENCE calls should return not supported ++ * hence fallthrough. + */ +- break; + default: + retdata->err_val = SBI_ERR_NOT_SUPPORTED; + } +-- +2.39.5 + diff --git a/queue-6.12/risc-v-kvm-fix-the-size-parameter-check-in-sbi-sfenc.patch b/queue-6.12/risc-v-kvm-fix-the-size-parameter-check-in-sbi-sfenc.patch new file mode 100644 index 0000000000..b4d48c1bfb --- /dev/null 
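Review bot: The `SBI_EXT_RFENCE_REMOTE_HFENCE_VVMA_ASID` case now falls into `default:` with only a comment marking the intent; since the case body has no statements, compilers presumably treat it as an empty case and do not warn, but the intent is not machine-checked and any statement added later would silently change that. Add the explicit kernel `fallthrough;` statement after the comment so the behaviour is declared in code rather than prose. The enclosing switch in kvm_sbi_ext_rfence_handler() starts outside the hunk.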
+++ b/queue-6.12/risc-v-kvm-fix-the-size-parameter-check-in-sbi-sfenc.patch 
@@ -0,0 +1,52 @@
+From ae0502cf9c6c8cdd7c93ec59ac9ddbc49d2aaa5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 11:44:46 +0530
+Subject: RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls
+
+From: Anup Patel <apatel@ventanamicro.com>
+
+[ Upstream commit 6aba0cb5bba6141158d5449f2cf53187b7f755f9 ]
+
+As-per the SBI specification, an SBI remote fence operation applies
+to the entire address space if either:
+1) start_addr and size are both 0
+2) size is equal to 2^XLEN-1
+
+>From the above, only #1 is checked by SBI SFENCE calls so fix the
+size parameter check in SBI SFENCE calls to cover #2 as well.
+
+Fixes: 13acfec2dbcc ("RISC-V: KVM: Add remote HFENCE functions based on VCPU requests")
+Reviewed-by: Atish Patra <atishp@rivosinc.com>
+Signed-off-by: Anup Patel <apatel@ventanamicro.com>
+Link: https://lore.kernel.org/r/20250605061458.196003-2-apatel@ventanamicro.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_sbi_replace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu_sbi_replace.c b/arch/riscv/kvm/vcpu_sbi_replace.c
+index 5fbf3f94f1e85..9752d2ffff683 100644
+--- a/arch/riscv/kvm/vcpu_sbi_replace.c
++++ b/arch/riscv/kvm/vcpu_sbi_replace.c
+@@ -103,7 +103,7 @@ static int kvm_sbi_ext_rfence_handler(struct kvm_vcpu *vcpu, struct kvm_run *run
+ kvm_riscv_vcpu_pmu_incr_fw(vcpu, SBI_PMU_FW_FENCE_I_SENT);
+ break;
+ case SBI_EXT_RFENCE_REMOTE_SFENCE_VMA:
+- if (cp->a2 == 0 && cp->a3 == 0)
++ if ((cp->a2 == 0 && cp->a3 == 0) || cp->a3 == -1UL)
+ kvm_riscv_hfence_vvma_all(vcpu->kvm, hbase, hmask);
+ else
+ kvm_riscv_hfence_vvma_gva(vcpu->kvm, hbase, hmask,
+@@ -111,7 +111,7 @@ static int kvm_sbi_ext_rfence_handler(struct kvm_vcpu *vcpu, struct kvm_run *run
+ kvm_riscv_vcpu_pmu_incr_fw(vcpu, SBI_PMU_FW_HFENCE_VVMA_SENT);
+ break;
+ case SBI_EXT_RFENCE_REMOTE_SFENCE_VMA_ASID:
+- if (cp->a2 == 0 && cp->a3 == 0)
++ if ((cp->a2 == 0 && cp->a3 == 0) || cp->a3 == -1UL)
+ kvm_riscv_hfence_vvma_asid_all(vcpu->kvm,
+ hbase, hmask, cp->a4);
+ else
+--
+2.39.5
+
diff --git a/queue-6.12/scsi-elx-efct-fix-memory-leak-in-efct_hw_parse_filte.patch b/queue-6.12/scsi-elx-efct-fix-memory-leak-in-efct_hw_parse_filte.patch
new file mode 100644
index 0000000000..c30d2010bd
--- /dev/null
+++ b/queue-6.12/scsi-elx-efct-fix-memory-leak-in-efct_hw_parse_filte.patch
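Review bot: The `cp->a3 == -1UL` comparison encodes the SBI rule that size == 2^XLEN-1 means the whole address space, but nothing in the code says so, and the identical condition is now written out twice in the two SFENCE cases (and presumably again in the HFENCE cases above, outside the hunk). I would fold it into one documented helper and call it from each site, so the next spec nuance is fixed in one place. A separate caveat the hunk does not settle: a guest can still pass a non-zero `a2` with `a3` just below -1UL so that `a2 + a3` wraps, and that request reaches `kvm_riscv_hfence_vvma_gva`/`_asid_gva`; this is only safe if the lower-level range flush clamps oversized ranges to a full flush rather than walking the wrapped range, which is worth confirming rather than assuming. The enclosing kvm_sbi_ext_rfence_handler starts and ends outside the hunk.
```c
/*
 * SBI rfence: the operation covers the whole address space when
 * start_addr and size are both 0, or when size is 2^XLEN-1.
 */
static bool kvm_sbi_rfence_whole_range(unsigned long start, unsigned long size)
{
	return (start == 0 && size == 0) || size == -1UL;
}

/* … unchanged: kvm_sbi_ext_rfence_handler up to the SFENCE_VMA case … */
	case SBI_EXT_RFENCE_REMOTE_SFENCE_VMA:
		if (kvm_sbi_rfence_whole_range(cp->a2, cp->a3))
/* … unchanged: vvma_all / vvma_gva calls and PMU accounting … */
	case SBI_EXT_RFENCE_REMOTE_SFENCE_VMA_ASID:
		if (kvm_sbi_rfence_whole_range(cp->a2, cp->a3))
/* … unchanged: rest of the handler … */
```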
@@ -0,0 +1,61 @@
+From fb98abda8448ded5907bc1743d1dafe893b812df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 21:35:18 +0500
+Subject: scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()
+
+From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+
+[ Upstream commit 2a8a5a5dd06eef580f9818567773fd75057cb875 ]
+
+strsep() modifies the address of the pointer passed to it so that it no
+longer points to the original address. This means kfree() gets the wrong
+pointer.
+
+Fix this by passing unmodified pointer returned from kstrdup() to
+kfree().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 4df84e846624 ("scsi: elx: efct: Driver initialization routines")
+Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+Link: https://lore.kernel.org/r/20250612163616.24298-1-v.shevtsov@mt-integration.ru
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/elx/efct/efct_hw.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/elx/efct/efct_hw.c b/drivers/scsi/elx/efct/efct_hw.c
+index 5a5525054d71c..5b079b8b7a082 100644
+--- a/drivers/scsi/elx/efct/efct_hw.c
++++ b/drivers/scsi/elx/efct/efct_hw.c
+@@ -1120,7 +1120,7 @@ int
+ efct_hw_parse_filter(struct efct_hw *hw, void *value)
+ {
+ int rc = 0;
+- char *p = NULL;
++ char *p = NULL, *pp = NULL;
+ char *token;
+ u32 idx = 0;
+
+@@ -1132,6 +1132,7 @@ efct_hw_parse_filter(struct efct_hw *hw, void *value)
+ efc_log_err(hw->os, "p is NULL\n");
+ return -ENOMEM;
+ }
++ pp = p;
+
+ idx = 0;
+ while ((token = strsep(&p, ",")) && *token) {
+@@ -1144,7 +1145,7 @@ efct_hw_parse_filter(struct efct_hw *hw, void *value)
+ if (idx == ARRAY_SIZE(hw->config.filter_def))
+ break;
+ }
+- kfree(p);
++ kfree(pp);
+
+ return rc;
+ }
+--
+2.39.5
+
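Review bot: The fix introduces a second name `pp` whose only job is to remember the kstrdup() result for `kfree`, so the allocation's owner ends up being the pointer with the least descriptive name while `p` becomes the strsep() cursor. Clearer, and equally correct, to keep `p` as the owner and give strsep() its own cursor: add `char *cur;` next to the existing declarations, set `cur = p;` after the NULL check, and loop with `while ((token = strsep(&cur, ",")) && *token) {`, leaving the original `kfree(p);` untouched. That also removes the `= NULL` initializer on the extra pointer, which is assigned before any use and so only adds noise. The kstrdup() call and the per-token parsing body fall between the nested hunks, so I cannot see how each token is validated before it lands in `hw->config.filter_def`; the `idx == ARRAY_SIZE(...)` guard only bounds the count.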
diff --git a/queue-6.12/series b/queue-6.12/series index 97ee8ea030..cffbf4a153 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -400,3 +400,15 @@ serial-sh-sci-increment-the-runtime-usage-counter-for-the-earlycon-device.patch smb-client-fix-first-command-failure-during-re-negotiation.patch smb-client-fix-max_sge-overflow-in-smb_extract_folioq_to_rdma.patch s390-pci-fix-__pcilg_mio_inuser-inline-assembly.patch +perf-fix-sample-vs-do_exit.patch +perf-fix-cgroup-state-vs-error.patch +perf-core-fix-warn-in-perf_cgroup_switch.patch +arm64-ptrace-fix-stack-out-of-bounds-read-in-regs_ge.patch +scsi-elx-efct-fix-memory-leak-in-efct_hw_parse_filte.patch +risc-v-kvm-fix-the-size-parameter-check-in-sbi-sfenc.patch +risc-v-kvm-don-t-treat-sbi-hfence-calls-as-nops.patch +gpio-pca953x-fix-wrong-error-probe-return-value.patch +perf-evsel-missed-close-when-probing-hybrid-core-pmu.patch +perf-test-directory-file-descriptor-leak.patch +gpio-mlxbf3-only-get-irq-for-device-instance-0.patch +cifs-remove-duplicate-fattr-cf_dtype-assignment-from.patch |