6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Sep 2025 13:41:16 +0000 (15:41 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Sep 2025 13:41:16 +0000 (15:41 +0200)
added patches:
arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch

queue-6.6/arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch [new file with mode: 0644]
queue-6.6/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch [new file with mode: 0644]
queue-6.6/mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch [new file with mode: 0644]
queue-6.6/s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch [new file with mode: 0644]
queue-6.6/series

diff --git a/queue-6.6/arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch b/queue-6.6/arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
new file mode 100644 (file)
index 0000000..12dfcbe
--- /dev/null
@@ -0,0 +1,29 @@
+From 2b28fe75c7dbe7ec322e706eed4622964409e21d Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <florian.fainelli@broadcom.com>
+Date: Fri, 26 Jul 2024 16:34:14 -0700
+Subject: ARM: bcm: Select ARM_GIC_V3 for ARCH_BRCMSTB
+
+From: Florian Fainelli <florian.fainelli@broadcom.com>
+
+commit 2b28fe75c7dbe7ec322e706eed4622964409e21d upstream.
+
+A number of recent Broadcom STB SoCs utilize a GIC-600 interrupt
+controller thus requiring the use of the GICv3 driver.
+
+Link: https://lore.kernel.org/r/20240726233414.2305526-1-florian.fainelli@broadcom.com
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-bcm/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-bcm/Kconfig
++++ b/arch/arm/mach-bcm/Kconfig
+@@ -186,6 +186,7 @@ config ARCH_BRCMSTB
+       select ARCH_HAS_RESET_CONTROLLER
+       select ARM_AMBA
+       select ARM_GIC
++      select ARM_GIC_V3
+       select ARM_ERRATA_798181 if SMP
+       select HAVE_ARM_ARCH_TIMER
+       select ZONE_DMA if ARM_LPAE
diff --git a/queue-6.6/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch b/queue-6.6/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
new file mode 100644 (file)
index 0000000..9962a56
--- /dev/null
@@ -0,0 +1,116 @@
+From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Mon, 10 Feb 2025 17:13:17 +0100
+Subject: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 41cddf83d8b00f29fd105e7a0777366edc69a5cf upstream.
+
+If migration succeeded, we called
+folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the
+old to the new folio.  This will set memcg_data of the old folio to 0.
+
+Similarly, if migration failed, memcg_data of the dst folio is left unset.
+
+If we call folio_putback_lru() on such folios (memcg_data == 0), we will
+add the folio to be freed to the LRU, making memcg code unhappy.  Running
+the hmm selftests:
+
+  # ./hmm-tests
+  ...
+  #  RUN           hmm.hmm_device_private.migrate ...
+  [  102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00
+  [  102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
+  [  102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9
+  [  102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000
+  [  102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
+  [  102.087230][T14893] ------------[ cut here ]------------
+  [  102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170
+  [  102.090478][T14893] Modules linked in:
+  [  102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151
+  [  102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+  [  102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170
+  [  102.096104][T14893] Code: ...
+  [  102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293
+  [  102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426
+  [  102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880
+  [  102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+  [  102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8
+  [  102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000
+  [  102.108830][T14893] FS:  00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000
+  [  102.110643][T14893] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [  102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0
+  [  102.113478][T14893] PKRU: 55555554
+  [  102.114172][T14893] Call Trace:
+  [  102.114805][T14893]  <TASK>
+  [  102.115397][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170
+  [  102.116547][T14893]  ? __warn.cold+0x110/0x210
+  [  102.117461][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170
+  [  102.118667][T14893]  ? report_bug+0x1b9/0x320
+  [  102.119571][T14893]  ? handle_bug+0x54/0x90
+  [  102.120494][T14893]  ? exc_invalid_op+0x17/0x50
+  [  102.121433][T14893]  ? asm_exc_invalid_op+0x1a/0x20
+  [  102.122435][T14893]  ? __wake_up_klogd.part.0+0x76/0xd0
+  [  102.123506][T14893]  ? dump_page+0x4f/0x60
+  [  102.124352][T14893]  ? folio_lruvec_lock_irqsave+0x10e/0x170
+  [  102.125500][T14893]  folio_batch_move_lru+0xd4/0x200
+  [  102.126577][T14893]  ? __pfx_lru_add+0x10/0x10
+  [  102.127505][T14893]  __folio_batch_add_and_move+0x391/0x720
+  [  102.128633][T14893]  ? __pfx_lru_add+0x10/0x10
+  [  102.129550][T14893]  folio_putback_lru+0x16/0x80
+  [  102.130564][T14893]  migrate_device_finalize+0x9b/0x530
+  [  102.131640][T14893]  dmirror_migrate_to_device.constprop.0+0x7c5/0xad0
+  [  102.133047][T14893]  dmirror_fops_unlocked_ioctl+0x89b/0xc80
+
+Likely, nothing else goes wrong: putting the last folio reference will
+remove the folio from the LRU again.  So besides memcg complaining, adding
+the folio to be freed to the LRU is just an unnecessary step.
+
+The new flow resembles what we have in migrate_folio_move(): add the dst
+to the lru, remove migration ptes, unlock and unref dst.
+
+Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com
+Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Cc: Jérôme Glisse <jglisse@redhat.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/migrate_device.c |   13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/mm/migrate_device.c
++++ b/mm/migrate_device.c
+@@ -839,20 +839,15 @@ void migrate_device_finalize(unsigned lo
+                       dst = src;
+               }
++              if (!folio_is_zone_device(dst))
++                      folio_add_lru(dst);
+               remove_migration_ptes(src, dst, false);
+               folio_unlock(src);
+-
+-              if (folio_is_zone_device(src))
+-                      folio_put(src);
+-              else
+-                      folio_putback_lru(src);
++              folio_put(src);
+               if (dst != src) {
+                       folio_unlock(dst);
+-                      if (folio_is_zone_device(dst))
+-                              folio_put(dst);
+-                      else
+-                              folio_putback_lru(dst);
++                      folio_put(dst);
+               }
+       }
+ }
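Review bot: The inner hunk for mm/migrate_device.c leaves the asymmetric treatment of src and dst unexplained: only dst is handed to `folio_add_lru()`, while src is always released with a bare `folio_put()`. A short comment above the new check would keep a later cleanup from reintroducing `folio_putback_lru(src)`, for example `/* src is either dst (migration failed) or about to be freed with memcg_data cleared; only dst may go back on the LRU. */`. The placement of the LRU add before `remove_migration_ptes()` and `folio_unlock()` appears deliberate, matching the migrate_folio_move() order the commit message cites, and belongs in the same comment. migrate_device_finalize() begins outside the hunk, so the `dst = src` fallback is visible only as context.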
diff --git a/queue-6.6/mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch b/queue-6.6/mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
new file mode 100644 (file)
index 0000000..ccd32ab
--- /dev/null
@@ -0,0 +1,95 @@
+From 58bf8c2bf47550bc94fea9cafd2bc7304d97102c Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Mon, 26 Aug 2024 14:58:12 +0800
+Subject: mm: migrate_device: use more folio in migrate_device_finalize()
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+commit 58bf8c2bf47550bc94fea9cafd2bc7304d97102c upstream.
+
+Saves a couple of calls to compound_head() and remove last two callers of
+putback_lru_page().
+
+Link: https://lkml.kernel.org/r/20240826065814.1336616-5-wangkefeng.wang@huawei.com
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reviewed-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Reviewed-by: Alistair Popple <apopple@nvidia.com>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Zi Yan <ziy@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/migrate_device.c |   41 ++++++++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+--- a/mm/migrate_device.c
++++ b/mm/migrate_device.c
+@@ -814,42 +814,45 @@ void migrate_device_finalize(unsigned lo
+       unsigned long i;
+       for (i = 0; i < npages; i++) {
+-              struct folio *dst, *src;
++              struct folio *dst = NULL, *src = NULL;
+               struct page *newpage = migrate_pfn_to_page(dst_pfns[i]);
+               struct page *page = migrate_pfn_to_page(src_pfns[i]);
++              if (newpage)
++                      dst = page_folio(newpage);
++
+               if (!page) {
+-                      if (newpage) {
+-                              unlock_page(newpage);
+-                              put_page(newpage);
++                      if (dst) {
++                              folio_unlock(dst);
++                              folio_put(dst);
+                       }
+                       continue;
+               }
+-              if (!(src_pfns[i] & MIGRATE_PFN_MIGRATE) || !newpage) {
+-                      if (newpage) {
+-                              unlock_page(newpage);
+-                              put_page(newpage);
++              src = page_folio(page);
++
++              if (!(src_pfns[i] & MIGRATE_PFN_MIGRATE) || !dst) {
++                      if (dst) {
++                              folio_unlock(dst);
++                              folio_put(dst);
+                       }
+-                      newpage = page;
++                      dst = src;
+               }
+-              src = page_folio(page);
+-              dst = page_folio(newpage);
+               remove_migration_ptes(src, dst, false);
+               folio_unlock(src);
+-              if (is_zone_device_page(page))
+-                      put_page(page);
++              if (folio_is_zone_device(src))
++                      folio_put(src);
+               else
+-                      putback_lru_page(page);
++                      folio_putback_lru(src);
+-              if (newpage != page) {
+-                      unlock_page(newpage);
+-                      if (is_zone_device_page(newpage))
+-                              put_page(newpage);
++              if (dst != src) {
++                      folio_unlock(dst);
++                      if (folio_is_zone_device(dst))
++                              folio_put(dst);
+                       else
+-                              putback_lru_page(newpage);
++                              folio_putback_lru(dst);
+               }
+       }
+ }
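Review bot: In the first changed line of the inner hunk, `*src = NULL` is a redundant initializer: src is assigned by `src = page_folio(page);` directly after the `!page` early `continue` and is not read before that point. Only dst needs the NULL default, because it doubles as the "no destination page" sentinel in the later `if (dst)` and `!dst` tests. Writing `struct folio *dst = NULL, *src;` would keep the compiler's uninitialized-use diagnostics available for src if a later edit reads it earlier. migrate_device_finalize() starts above the hunk.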
diff --git a/queue-6.6/s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch b/queue-6.6/s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch
new file mode 100644 (file)
index 0000000..cdbe32b
--- /dev/null
@@ -0,0 +1,60 @@
+From nathan@kernel.org  Mon Sep 29 15:28:48 2025
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 22 Sep 2025 14:15:50 -0700
+Subject: s390/cpum_cf: Fix uninitialized warning after backport of ce971233242b
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,  Sasha Levin <sashal@kernel.org>
+Cc: stable@vger.kernel.org, linux-s390@vger.kernel.org,  Nathan Chancellor <nathan@kernel.org>
+Message-ID: <20250922-6-6-s390-cpum_cf-fix-uninit-err-v1-1-5183aa9af417@kernel.org>
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+Upstream commit ce971233242b ("s390/cpum_cf: Deny all sampling events by
+counter PMU"), backported to 6.6 as commit d660c8d8142e ("s390/cpum_cf:
+Deny all sampling events by counter PMU"), implicitly depends on the
+unconditional initialization of err to -ENOENT added by upstream
+commit aa1ac98268cd ("s390/cpumf: Fix double free on error in
+cpumf_pmu_event_init()"). The latter change is missing from 6.6,
+resulting in an instance of -Wuninitialized, which is fairly obvious
+from looking at the actual diff.
+
+  arch/s390/kernel/perf_cpum_cf.c:858:10: warning: variable 'err' is uninitialized when used here [-Wuninitialized]
+    858 |                 return err;
+        |                        ^~~
+
+Commit aa1ac98268cd ("s390/cpumf: Fix double free on error in
+cpumf_pmu_event_init()") depends on commit c70ca298036c ("perf/core:
+Simplify the perf_event_alloc() error path"), which is a part of a much
+larger series unsuitable for stable.
+
+Extract the unconditional initialization of err to -ENOENT from
+commit aa1ac98268cd ("s390/cpumf: Fix double free on error in
+cpumf_pmu_event_init()") and apply it to 6.6 as a standalone change to
+resolve the warning.
+
+Fixes: d660c8d8142e ("s390/cpum_cf: Deny all sampling events by counter PMU")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/perf_cpum_cf.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -852,7 +852,7 @@ static int cpumf_pmu_event_type(struct p
+ static int cpumf_pmu_event_init(struct perf_event *event)
+ {
+       unsigned int type = event->attr.type;
+-      int err;
++      int err = -ENOENT;
+       if (is_sampling_event(event))   /* No sampling support */
+               return err;
+@@ -861,8 +861,6 @@ static int cpumf_pmu_event_init(struct p
+       else if (event->pmu->type == type)
+               /* Registered as unknown PMU */
+               err = __hw_perf_event_init(event, cpumf_pmu_event_type(event));
+-      else
+-              return -ENOENT;
+       if (unlikely(err) && event->destroy)
+               event->destroy(event);
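Review bot: Dropping the `else return -ENOENT;` branch in the second inner hunk changes control flow as well as silencing the warning: an event that matches none of the type branches now falls through to `if (unlikely(err) && event->destroy) event->destroy(event);` with `err == -ENOENT`, where it previously returned before that check. This is harmless only if `event->destroy` is still unset on that path, which the hunk does not show. Since the commit message describes upstream aa1ac98268cd as a double-free fix in this same function, the assumption deserves a sentence in the changelog or, once confirmed, a comment such as `/* err stays -ENOENT when no branch matched; event->destroy is not set on that path */`. The body of cpumf_pmu_event_init() continues outside both hunks.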
index 69b462bc96c0a8055206a0320382d4b477f3a37f..d4df43fa5c0bad7d00b4e0e16a04d5f46fc5d73d 100644 (file)
@@ -68,3 +68,7 @@ kmsan-fix-out-of-bounds-access-to-shadow-memory.patch
 mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch
 fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch
 fbcon-fix-oob-access-in-font-allocation.patch
+s390-cpum_cf-fix-uninitialized-warning-after-backport-of-ce971233242b.patch
+arm-bcm-select-arm_gic_v3-for-arch_brcmstb.patch
+mm-migrate_device-use-more-folio-in-migrate_device_finalize.patch
+mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch