--- /dev/null
+From 16038474e3a0263572f36326ef85057aaf341814 Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Mon, 5 May 2025 21:20:07 +0200
+Subject: iio: accel: fxls8962af: Fix temperature calculation
+
+From: Sean Nyekjaer <sean@geanix.com>
+
+commit 16038474e3a0263572f36326ef85057aaf341814 upstream.
+
+According to spec temperature should be returned in milli degrees Celsius.
+Add in_temp_scale to calculate from Celsius to milli Celsius.
+
+Fixes: a3e0b51884ee ("iio: accel: add support for FXLS8962AF/FXLS8964AF accelerometers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Link: https://patch.msgid.link/20250505-fxls-v4-1-a38652e21738@geanix.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/fxls8962af-core.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/accel/fxls8962af-core.c
++++ b/drivers/iio/accel/fxls8962af-core.c
+@@ -20,6 +20,7 @@
+ #include <linux/pm_runtime.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/regmap.h>
++#include <linux/units.h>
+
+ #include <linux/iio/buffer.h>
+ #include <linux/iio/events.h>
+@@ -435,8 +436,16 @@ static int fxls8962af_read_raw(struct ii
+ *val = FXLS8962AF_TEMP_CENTER_VAL;
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_SCALE:
+- *val = 0;
+- return fxls8962af_read_full_scale(data, val2);
++ switch (chan->type) {
++ case IIO_TEMP:
++ *val = MILLIDEGREE_PER_DEGREE;
++ return IIO_VAL_INT;
++ case IIO_ACCEL:
++ *val = 0;
++ return fxls8962af_read_full_scale(data, val2);
++ default:
++ return -EINVAL;
++ }
+ case IIO_CHAN_INFO_SAMP_FREQ:
+ return fxls8962af_read_samp_freq(data, val, val2);
+ default:
+@@ -735,6 +744,7 @@ static const struct iio_event_spec fxls8
+ .type = IIO_TEMP, \
+ .address = FXLS8962AF_TEMP_OUT, \
+ .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | \
++ BIT(IIO_CHAN_INFO_SCALE) | \
+ BIT(IIO_CHAN_INFO_OFFSET),\
+ .scan_index = -1, \
+ .scan_type = { \
--- /dev/null
+From 1013af4f585fccc4d3e5c5824d174de2257f7d6d Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 27 May 2025 23:23:54 +0200
+Subject: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
+
+From: Jann Horn <jannh@google.com>
+
+commit 1013af4f585fccc4d3e5c5824d174de2257f7d6d upstream.
+
+huge_pmd_unshare() drops a reference on a page table that may have
+previously been shared across processes, potentially turning it into a
+normal page table used in another process in which unrelated VMAs can
+afterwards be installed.
+
+If this happens in the middle of a concurrent gup_fast(), gup_fast() could
+end up walking the page tables of another process. While I don't see any
+way in which that immediately leads to kernel memory corruption, it is
+really weird and unexpected.
+
+Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),
+just like we do in khugepaged when removing page tables for a THP
+collapse.
+
+Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-2-1329349bad1a@google.com
+Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-2-f4136f5ec58a@google.com
+Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -7162,6 +7162,13 @@ int huge_pmd_unshare(struct mm_struct *m
+ return 0;
+
+ pud_clear(pud);
++ /*
++ * Once our caller drops the rmap lock, some other process might be
++ * using this page table as a normal, non-hugetlb page table.
++ * Wait for pending gup_fast() in other threads to finish before letting
++ * that happen.
++ */
++ tlb_remove_table_sync_one();
+ atomic_dec(&virt_to_page(ptep)->pt_share_count);
+ mm_dec_nr_pmds(mm);
+ return 1;
--- /dev/null
+From 59d9094df3d79443937add8700b2ef1a866b1081 Mon Sep 17 00:00:00 2001
+From: Liu Shixin <liushixin2@huawei.com>
+Date: Mon, 16 Dec 2024 15:11:47 +0800
+Subject: mm: hugetlb: independent PMD page table shared count
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+commit 59d9094df3d79443937add8700b2ef1a866b1081 upstream.
+
+The folio refcount may be increased unexpectly through try_get_folio() by
+caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount
+to check whether a pmd page table is shared. The check is incorrect if
+the refcount is increased by the above caller, and this can cause the page
+table leaked:
+
+ BUG: Bad page state in process sh pfn:109324
+ page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
+ flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
+ page_type: f2(table)
+ raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
+ raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
+ page dumped because: nonzero mapcount
+ ...
+ CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7
+ Tainted: [B]=BAD_PAGE
+ Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+ Call trace:
+ show_stack+0x20/0x38 (C)
+ dump_stack_lvl+0x80/0xf8
+ dump_stack+0x18/0x28
+ bad_page+0x8c/0x130
+ free_page_is_bad_report+0xa4/0xb0
+ free_unref_page+0x3cc/0x620
+ __folio_put+0xf4/0x158
+ split_huge_pages_all+0x1e0/0x3e8
+ split_huge_pages_write+0x25c/0x2d8
+ full_proxy_write+0x64/0xd8
+ vfs_write+0xcc/0x280
+ ksys_write+0x70/0x110
+ __arm64_sys_write+0x24/0x38
+ invoke_syscall+0x50/0x120
+ el0_svc_common.constprop.0+0xc8/0xf0
+ do_el0_svc+0x24/0x38
+ el0_svc+0x34/0x128
+ el0t_64_sync_handler+0xc8/0xd0
+ el0t_64_sync+0x190/0x198
+
+The issue may be triggered by damon, offline_page, page_idle, etc, which
+will increase the refcount of page table.
+
+1. The page table itself will be discarded after reporting the
+ "nonzero mapcount".
+
+2. The HugeTLB page mapped by the page table miss freeing since we
+ treat the page table as shared and a shared page table will not be
+ unmapped.
+
+Fix it by introducing independent PMD page table shared count. As
+described by comment, pt_index/pt_mm/pt_frag_refcount are used for s390
+gmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv
+pmds, so we can reuse the field as pt_share_count.
+
+Link: https://lkml.kernel.org/r/20241216071147.3984217-1-liushixin2@huawei.com
+Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Ken Chen <kenneth.w.chen@intel.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Nanyong Sun <sunnanyong@huawei.com>
+Cc: Jane Chu <jane.chu@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[backport note: struct ptdesc did not exist yet, stuff it equivalently
+into struct page instead]
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mm.h | 3 +++
+ include/linux/mm_types.h | 3 +++
+ mm/hugetlb.c | 16 +++++++---------
+ 3 files changed, 13 insertions(+), 9 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2537,6 +2537,9 @@ static inline bool pgtable_pmd_page_ctor
+ if (!pmd_ptlock_init(page))
+ return false;
+ __SetPageTable(page);
++#ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
++ atomic_set(&page->pt_share_count, 0);
++#endif
+ inc_lruvec_page_state(page, NR_PAGETABLE);
+ return true;
+ }
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -160,6 +160,9 @@ struct page {
+ union {
+ struct mm_struct *pt_mm; /* x86 pgds only */
+ atomic_t pt_frag_refcount; /* powerpc */
++#ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
++ atomic_t pt_share_count;
++#endif
+ };
+ #if ALLOC_SPLIT_PTLOCKS
+ spinlock_t *ptl;
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -7114,7 +7114,7 @@ pte_t *huge_pmd_share(struct mm_struct *
+ spte = huge_pte_offset(svma->vm_mm, saddr,
+ vma_mmu_pagesize(svma));
+ if (spte) {
+- get_page(virt_to_page(spte));
++ atomic_inc(&virt_to_page(spte)->pt_share_count);
+ break;
+ }
+ }
+@@ -7129,7 +7129,7 @@ pte_t *huge_pmd_share(struct mm_struct *
+ (pmd_t *)((unsigned long)spte & PAGE_MASK));
+ mm_inc_nr_pmds(mm);
+ } else {
+- put_page(virt_to_page(spte));
++ atomic_dec(&virt_to_page(spte)->pt_share_count);
+ }
+ spin_unlock(ptl);
+ out:
+@@ -7141,10 +7141,6 @@ out:
+ /*
+ * unmap huge page backed by shared pte.
+ *
+- * Hugetlb pte page is ref counted at the time of mapping. If pte is shared
+- * indicated by page_count > 1, unmap is achieved by clearing pud and
+- * decrementing the ref count. If count == 1, the pte page is not shared.
+- *
+ * Called with page table lock held.
+ *
+ * returns: 1 successfully unmapped a shared pte page
+@@ -7153,18 +7149,20 @@ out:
+ int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
+ unsigned long addr, pte_t *ptep)
+ {
++ unsigned long sz = huge_page_size(hstate_vma(vma));
+ pgd_t *pgd = pgd_offset(mm, addr);
+ p4d_t *p4d = p4d_offset(pgd, addr);
+ pud_t *pud = pud_offset(p4d, addr);
+
+ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
+ hugetlb_vma_assert_locked(vma);
+- BUG_ON(page_count(virt_to_page(ptep)) == 0);
+- if (page_count(virt_to_page(ptep)) == 1)
++ if (sz != PMD_SIZE)
++ return 0;
++ if (!atomic_read(&virt_to_page(ptep)->pt_share_count))
+ return 0;
+
+ pud_clear(pud);
+- put_page(virt_to_page(ptep));
++ atomic_dec(&virt_to_page(ptep)->pt_share_count);
+ mm_dec_nr_pmds(mm);
+ return 1;
+ }
--- /dev/null
+From 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 27 May 2025 23:23:53 +0200
+Subject: mm/hugetlb: unshare page tables during VMA split, not before
+
+From: Jann Horn <jannh@google.com>
+
+commit 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 upstream.
+
+Currently, __split_vma() triggers hugetlb page table unsharing through
+vm_ops->may_split(). This happens before the VMA lock and rmap locks are
+taken - which is too early, it allows racing VMA-locked page faults in our
+process and racing rmap walks from other processes to cause page tables to
+be shared again before we actually perform the split.
+
+Fix it by explicitly calling into the hugetlb unshare logic from
+__split_vma() in the same place where THP splitting also happens. At that
+point, both the VMA and the rmap(s) are write-locked.
+
+An annoying detail is that we can now call into the helper
+hugetlb_unshare_pmds() from two different locking contexts:
+
+1. from hugetlb_split(), holding:
+ - mmap lock (exclusively)
+ - VMA lock
+ - file rmap lock (exclusively)
+2. hugetlb_unshare_all_pmds(), which I think is designed to be able to
+ call us with only the mmap lock held (in shared mode), but currently
+ only runs while holding mmap lock (exclusively) and VMA lock
+
+Backporting note:
+This commit fixes a racy protection that was introduced in commit
+b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that
+commit claimed to fix an issue introduced in 5.13, but it should actually
+also go all the way back.
+
+[jannh@google.com: v2]
+ Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-1-1329349bad1a@google.com
+Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-0-1329349bad1a@google.com
+Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-1-f4136f5ec58a@google.com
+Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
+Signed-off-by: Jann Horn <jannh@google.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org> [b30c14cd6102: hugetlb: unshare some PMDs when splitting VMAs]
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[stable backport: code got moved around, VMA splitting is in __vma_adjust]
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h | 3 ++
+ mm/hugetlb.c | 60 +++++++++++++++++++++++++++++++++++-------------
+ mm/mmap.c | 8 ++++++
+ 3 files changed, 55 insertions(+), 16 deletions(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -239,6 +239,7 @@ unsigned long hugetlb_change_protection(
+
+ bool is_hugetlb_entry_migration(pte_t pte);
+ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma);
++void hugetlb_split(struct vm_area_struct *vma, unsigned long addr);
+
+ #else /* !CONFIG_HUGETLB_PAGE */
+
+@@ -472,6 +473,8 @@ static inline vm_fault_t hugetlb_fault(s
+
+ static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { }
+
++static inline void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) {}
++
+ #endif /* !CONFIG_HUGETLB_PAGE */
+ /*
+ * hugepages at page global directory. If arch support
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -95,7 +95,7 @@ static void hugetlb_vma_lock_free(struct
+ static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma);
+ static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma);
+ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+- unsigned long start, unsigned long end);
++ unsigned long start, unsigned long end, bool take_locks);
+ static struct resv_map *vma_resv_map(struct vm_area_struct *vma);
+
+ static inline bool subpool_is_free(struct hugepage_subpool *spool)
+@@ -4900,26 +4900,40 @@ static int hugetlb_vm_op_split(struct vm
+ {
+ if (addr & ~(huge_page_mask(hstate_vma(vma))))
+ return -EINVAL;
++ return 0;
++}
+
++void hugetlb_split(struct vm_area_struct *vma, unsigned long addr)
++{
+ /*
+ * PMD sharing is only possible for PUD_SIZE-aligned address ranges
+ * in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this
+ * split, unshare PMDs in the PUD_SIZE interval surrounding addr now.
++ * This function is called in the middle of a VMA split operation, with
++ * MM, VMA and rmap all write-locked to prevent concurrent page table
++ * walks (except hardware and gup_fast()).
+ */
++ mmap_assert_write_locked(vma->vm_mm);
++ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
++
+ if (addr & ~PUD_MASK) {
+- /*
+- * hugetlb_vm_op_split is called right before we attempt to
+- * split the VMA. We will need to unshare PMDs in the old and
+- * new VMAs, so let's unshare before we split.
+- */
+ unsigned long floor = addr & PUD_MASK;
+ unsigned long ceil = floor + PUD_SIZE;
+
+- if (floor >= vma->vm_start && ceil <= vma->vm_end)
+- hugetlb_unshare_pmds(vma, floor, ceil);
++ if (floor >= vma->vm_start && ceil <= vma->vm_end) {
++ /*
++ * Locking:
++ * Use take_locks=false here.
++ * The file rmap lock is already held.
++ * The hugetlb VMA lock can't be taken when we already
++ * hold the file rmap lock, and we don't need it because
++ * its purpose is to synchronize against concurrent page
++ * table walks, which are not possible thanks to the
++ * locks held by our caller.
++ */
++ hugetlb_unshare_pmds(vma, floor, ceil, /* take_locks = */ false);
++ }
+ }
+-
+- return 0;
+ }
+
+ static unsigned long hugetlb_vm_op_pagesize(struct vm_area_struct *vma)
+@@ -7495,9 +7509,16 @@ void move_hugetlb_state(struct page *old
+ }
+ }
+
++/*
++ * If @take_locks is false, the caller must ensure that no concurrent page table
++ * access can happen (except for gup_fast() and hardware page walks).
++ * If @take_locks is true, we take the hugetlb VMA lock (to lock out things like
++ * concurrent page fault handling) and the file rmap lock.
++ */
+ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+ unsigned long start,
+- unsigned long end)
++ unsigned long end,
++ bool take_locks)
+ {
+ struct hstate *h = hstate_vma(vma);
+ unsigned long sz = huge_page_size(h);
+@@ -7521,8 +7542,12 @@ static void hugetlb_unshare_pmds(struct
+ mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, mm,
+ start, end);
+ mmu_notifier_invalidate_range_start(&range);
+- hugetlb_vma_lock_write(vma);
+- i_mmap_lock_write(vma->vm_file->f_mapping);
++ if (take_locks) {
++ hugetlb_vma_lock_write(vma);
++ i_mmap_lock_write(vma->vm_file->f_mapping);
++ } else {
++ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
++ }
+ for (address = start; address < end; address += PUD_SIZE) {
+ ptep = huge_pte_offset(mm, address, sz);
+ if (!ptep)
+@@ -7532,8 +7557,10 @@ static void hugetlb_unshare_pmds(struct
+ spin_unlock(ptl);
+ }
+ flush_hugetlb_tlb_range(vma, start, end);
+- i_mmap_unlock_write(vma->vm_file->f_mapping);
+- hugetlb_vma_unlock_write(vma);
++ if (take_locks) {
++ i_mmap_unlock_write(vma->vm_file->f_mapping);
++ hugetlb_vma_unlock_write(vma);
++ }
+ /*
+ * No need to call mmu_notifier_invalidate_range(), see
+ * Documentation/mm/mmu_notifier.rst.
+@@ -7548,7 +7575,8 @@ static void hugetlb_unshare_pmds(struct
+ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma)
+ {
+ hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE),
+- ALIGN_DOWN(vma->vm_end, PUD_SIZE));
++ ALIGN_DOWN(vma->vm_end, PUD_SIZE),
++ /* take_locks = */ true);
+ }
+
+ #ifdef CONFIG_CMA
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -727,7 +727,15 @@ int __vma_adjust(struct vm_area_struct *
+ return -ENOMEM;
+ }
+
++ /*
++ * Get rid of huge pages and shared page tables straddling the split
++ * boundary.
++ */
+ vma_adjust_trans_huge(orig_vma, start, end, adjust_next);
++ if (is_vm_hugetlb_page(orig_vma)) {
++ hugetlb_split(orig_vma, start);
++ hugetlb_split(orig_vma, end);
++ }
+ if (file) {
+ mapping = file->f_mapping;
+ root = &mapping->i_mmap;
alsa-usb-audio-rename-alsa-kcontrol-pcm-and-pcm1-for-the-ktmicro-sound-card.patch
alsa-hda-intel-add-thinkpad-e15-to-pm-deny-list.patch
alsa-hda-realtek-enable-headset-mic-on-latitude-5420-rugged.patch
+iio-accel-fxls8962af-fix-temperature-calculation.patch
+mm-hugetlb-unshare-page-tables-during-vma-split-not-before.patch
+mm-hugetlb-independent-pmd-page-table-shared-count.patch
+mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
