From: Sasha Levin Date: Sat, 4 Jan 2025 18:04:20 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v5.4.289~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=065e35baad166394f19a96b1e5d425ecce230756;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch b/queue-6.1/alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch new file mode 100644 index 00000000000..e9ce0ef203c --- /dev/null +++ b/queue-6.1/alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch @@ -0,0 +1,40 @@ +From 68b48fc41c1dffb28406b31459ef3788e948f945 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Dec 2024 23:18:36 +0300 +Subject: ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model + +From: Vasiliy Kovalev + +[ Upstream commit 50db91fccea0da5c669bc68e2429e8de303758d3 ] + +Introduces the alc2xx-fixup-headset-mic model to simplify enabling +headset microphones on ALC2XX codecs. + +Many recent configurations, as well as older systems that lacked this +fix for a long time, leave headset microphones inactive by default. +This addition provides a flexible workaround using the existing +ALC2XX_FIXUP_HEADSET_MIC quirk. + +Signed-off-by: Vasiliy Kovalev +Link: https://patch.msgid.link/20241207201836.6879-1-kovalev@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index ef9b0cc339f2..0fd61a165edb 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10443,6 +10443,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {.id = ALC255_FIXUP_ACER_HEADPHONE_AND_MIC, .name = "alc255-acer-headphone-and-mic"}, + {.id = ALC285_FIXUP_HP_GPIO_AMP_INIT, .name = "alc285-hp-amp-init"}, + {.id = ALC236_FIXUP_LENOVO_INV_DMIC, .name = "alc236-fixup-lenovo-inv-mic"}, ++ {.id = ALC2XX_FIXUP_HEADSET_MIC, .name = "alc2xx-fixup-headset-mic"}, + {} + }; + #define ALC225_STANDARD_PINS \ +-- +2.39.5 + diff --git a/queue-6.1/arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch b/queue-6.1/arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch new file mode 100644 index 00000000000..f39f01bd66f --- /dev/null +++ b/queue-6.1/arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch @@ -0,0 +1,50 @@ +From 5ff67cd772dfeb2b868246d7e7f8c80fcdaf0d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 14:37:15 +0200 +Subject: ARC: build: Try to guess GCC variant of cross compiler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +[ Upstream commit 824927e88456331c7a999fdf5d9d27923b619590 ] + +ARC GCC compiler is packaged starting from Fedora 39i and the GCC +variant of cross compile tools has arc-linux-gnu- prefix and not +arc-linux-. This is causing that CROSS_COMPILE variable is left unset. + +This change allows builds without need to supply CROSS_COMPILE argument +if distro package is used. + +Before this change: +$ make -j 128 ARCH=arc W=1 drivers/infiniband/hw/mlx4/ + gcc: warning: ‘-mcpu=’ is deprecated; use ‘-mtune=’ or ‘-march=’ instead + gcc: error: unrecognized command-line option ‘-mmedium-calls’ + gcc: error: unrecognized command-line option ‘-mlock’ + gcc: error: unrecognized command-line option ‘-munaligned-access’ + +[1] https://packages.fedoraproject.org/pkgs/cross-gcc/gcc-arc-linux-gnu/index.html +Signed-off-by: Leon Romanovsky +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arc/Makefile b/arch/arc/Makefile +index 329400a1c355..8e6f52c6626d 100644 +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -6,7 +6,7 @@ + KBUILD_DEFCONFIG := haps_hs_smp_defconfig + + ifeq ($(CROSS_COMPILE),) +-CROSS_COMPILE := $(call cc-cross-prefix, arc-linux- arceb-linux-) ++CROSS_COMPILE := $(call cc-cross-prefix, arc-linux- arceb-linux- arc-linux-gnu-) + endif + + cflags-y += -fno-common -pipe -fno-builtin -mmedium-calls -D__linux__ +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-hci_core-fix-sleeping-function-called-from.patch b/queue-6.1/bluetooth-hci_core-fix-sleeping-function-called-from.patch new file mode 100644 index 00000000000..a9d5591d11f --- /dev/null +++ b/queue-6.1/bluetooth-hci_core-fix-sleeping-function-called-from.patch @@ -0,0 +1,424 @@ +From f5f388c82191050e178143774eff96f3edee92b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 16:07:32 -0500 +Subject: Bluetooth: hci_core: Fix sleeping function called from invalid + context + +From: Luiz Augusto von Dentz + +[ Upstream commit 4d94f05558271654670d18c26c912da0c1c15549 ] + +This reworks hci_cb_list to not use mutex hci_cb_list_lock to avoid bugs +like the bellow: + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 +in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5070, name: kworker/u9:2 +preempt_count: 0, expected: 0 +RCU nest depth: 1, expected: 0 +4 locks held by kworker/u9:2/5070: + #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline] + #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335 + #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline] + #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335 + #2: ffff8880665d0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 net/bluetooth/hci_event.c:6914 + #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] + #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] + #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 net/bluetooth/hci_event.c:6915 +CPU: 0 PID: 5070 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 +Workqueue: hci0 hci_rx_work +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + __might_resched+0x5d4/0x780 kernel/sched/core.c:10187 + __mutex_lock_common kernel/locking/mutex.c:585 [inline] + __mutex_lock+0xc1/0xd70 kernel/locking/mutex.c:752 + hci_connect_cfm include/net/bluetooth/hci_core.h:2004 [inline] + hci_le_create_big_complete_evt+0x3d9/0xae0 net/bluetooth/hci_event.c:6939 + hci_event_func net/bluetooth/hci_event.c:7514 [inline] + hci_event_packet+0xa53/0x1540 net/bluetooth/hci_event.c:7569 + hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171 + process_one_work kernel/workqueue.c:3254 [inline] + process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335 + worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 + kthread+0x2f0/0x390 kernel/kthread.c:388 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 + + +Reported-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com +Tested-by: syzbot+2fb0835e0c9cefc34614@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2fb0835e0c9cefc34614 +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 108 ++++++++++++++++++++----------- + net/bluetooth/hci_core.c | 10 +-- + net/bluetooth/iso.c | 6 ++ + net/bluetooth/l2cap_core.c | 12 ++-- + net/bluetooth/rfcomm/core.c | 6 ++ + net/bluetooth/sco.c | 12 ++-- + 6 files changed, 97 insertions(+), 57 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index d26b57e87f7f..b37e95554271 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -815,7 +815,6 @@ struct hci_conn_params { + extern struct list_head hci_dev_list; + extern struct list_head hci_cb_list; + extern rwlock_t hci_dev_list_lock; +-extern struct mutex hci_cb_list_lock; + + #define hci_dev_set_flag(hdev, nr) set_bit((nr), (hdev)->dev_flags) + #define hci_dev_clear_flag(hdev, nr) clear_bit((nr), (hdev)->dev_flags) +@@ -1769,24 +1768,47 @@ struct hci_cb { + + char *name; + ++ bool (*match) (struct hci_conn *conn); + void (*connect_cfm) (struct hci_conn *conn, __u8 status); + void (*disconn_cfm) (struct hci_conn *conn, __u8 status); + void (*security_cfm) (struct hci_conn *conn, __u8 status, +- __u8 encrypt); ++ __u8 encrypt); + void (*key_change_cfm) (struct hci_conn *conn, __u8 status); + void (*role_switch_cfm) (struct hci_conn *conn, __u8 status, __u8 role); + }; + ++static inline void hci_cb_lookup(struct hci_conn *conn, struct list_head *list) ++{ ++ struct hci_cb *cb, *cpy; ++ ++ rcu_read_lock(); ++ list_for_each_entry_rcu(cb, &hci_cb_list, list) { ++ if (cb->match && cb->match(conn)) { ++ cpy = kmalloc(sizeof(*cpy), GFP_ATOMIC); ++ if (!cpy) ++ break; ++ ++ *cpy = *cb; ++ INIT_LIST_HEAD(&cpy->list); ++ list_add_rcu(&cpy->list, list); ++ } ++ } ++ rcu_read_unlock(); ++} ++ + static inline void hci_connect_cfm(struct hci_conn *conn, __u8 status) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->connect_cfm) + cb->connect_cfm(conn, status); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + + if (conn->connect_cfm_cb) + conn->connect_cfm_cb(conn, status); +@@ -1794,43 +1816,55 @@ static inline void hci_connect_cfm(struct hci_conn *conn, __u8 status) + + static inline void hci_disconn_cfm(struct hci_conn *conn, __u8 reason) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->disconn_cfm) + cb->disconn_cfm(conn, reason); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + + if (conn->disconn_cfm_cb) + conn->disconn_cfm_cb(conn, reason); + } + +-static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status) ++static inline void hci_security_cfm(struct hci_conn *conn, __u8 status, ++ __u8 encrypt) + { +- struct hci_cb *cb; +- __u8 encrypt; +- +- if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) +- return; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; + +- encrypt = test_bit(HCI_CONN_ENCRYPT, &conn->flags) ? 0x01 : 0x00; ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->security_cfm) + cb->security_cfm(conn, status, encrypt); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + + if (conn->security_cfm_cb) + conn->security_cfm_cb(conn, status); + } + ++static inline void hci_auth_cfm(struct hci_conn *conn, __u8 status) ++{ ++ __u8 encrypt; ++ ++ if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) ++ return; ++ ++ encrypt = test_bit(HCI_CONN_ENCRYPT, &conn->flags) ? 0x01 : 0x00; ++ ++ hci_security_cfm(conn, status, encrypt); ++} ++ + static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status) + { +- struct hci_cb *cb; + __u8 encrypt; + + if (conn->state == BT_CONFIG) { +@@ -1857,40 +1891,38 @@ static inline void hci_encrypt_cfm(struct hci_conn *conn, __u8 status) + conn->sec_level = conn->pending_sec_level; + } + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { +- if (cb->security_cfm) +- cb->security_cfm(conn, status, encrypt); +- } +- mutex_unlock(&hci_cb_list_lock); +- +- if (conn->security_cfm_cb) +- conn->security_cfm_cb(conn, status); ++ hci_security_cfm(conn, status, encrypt); + } + + static inline void hci_key_change_cfm(struct hci_conn *conn, __u8 status) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->key_change_cfm) + cb->key_change_cfm(conn, status); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + } + + static inline void hci_role_switch_cfm(struct hci_conn *conn, __u8 status, + __u8 role) + { +- struct hci_cb *cb; ++ struct list_head list; ++ struct hci_cb *cb, *tmp; ++ ++ INIT_LIST_HEAD(&list); ++ hci_cb_lookup(conn, &list); + +- mutex_lock(&hci_cb_list_lock); +- list_for_each_entry(cb, &hci_cb_list, list) { ++ list_for_each_entry_safe(cb, tmp, &list, list) { + if (cb->role_switch_cfm) + cb->role_switch_cfm(conn, status, role); ++ kfree(cb); + } +- mutex_unlock(&hci_cb_list_lock); + } + + static inline bool hci_bdaddr_is_rpa(bdaddr_t *bdaddr, u8 addr_type) +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 3cd7c212375f..496dac042b9c 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -58,7 +58,6 @@ DEFINE_RWLOCK(hci_dev_list_lock); + + /* HCI callback list */ + LIST_HEAD(hci_cb_list); +-DEFINE_MUTEX(hci_cb_list_lock); + + /* HCI ID Numbering */ + static DEFINE_IDA(hci_index_ida); +@@ -2978,9 +2977,7 @@ int hci_register_cb(struct hci_cb *cb) + { + BT_DBG("%p name %s", cb, cb->name); + +- mutex_lock(&hci_cb_list_lock); +- list_add_tail(&cb->list, &hci_cb_list); +- mutex_unlock(&hci_cb_list_lock); ++ list_add_tail_rcu(&cb->list, &hci_cb_list); + + return 0; + } +@@ -2990,9 +2987,8 @@ int hci_unregister_cb(struct hci_cb *cb) + { + BT_DBG("%p name %s", cb, cb->name); + +- mutex_lock(&hci_cb_list_lock); +- list_del(&cb->list); +- mutex_unlock(&hci_cb_list_lock); ++ list_del_rcu(&cb->list); ++ synchronize_rcu(); + + return 0; + } +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 437cbeaa9619..f62df9097f5e 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1579,6 +1579,11 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + return lm; + } + ++static bool iso_match(struct hci_conn *hcon) ++{ ++ return hcon->type == ISO_LINK || hcon->type == LE_LINK; ++} ++ + static void iso_connect_cfm(struct hci_conn *hcon, __u8 status) + { + if (hcon->type != ISO_LINK) { +@@ -1748,6 +1753,7 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) + + static struct hci_cb iso_cb = { + .name = "ISO", ++ .match = iso_match, + .connect_cfm = iso_connect_cfm, + .disconn_cfm = iso_disconn_cfm, + }; +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 187c91843876..2a8051fae08c 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -8273,6 +8273,11 @@ static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, + return NULL; + } + ++static bool l2cap_match(struct hci_conn *hcon) ++{ ++ return hcon->type == ACL_LINK || hcon->type == LE_LINK; ++} ++ + static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) + { + struct hci_dev *hdev = hcon->hdev; +@@ -8280,9 +8285,6 @@ static void l2cap_connect_cfm(struct hci_conn *hcon, u8 status) + struct l2cap_chan *pchan; + u8 dst_type; + +- if (hcon->type != ACL_LINK && hcon->type != LE_LINK) +- return; +- + BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); + + if (status) { +@@ -8347,9 +8349,6 @@ int l2cap_disconn_ind(struct hci_conn *hcon) + + static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) + { +- if (hcon->type != ACL_LINK && hcon->type != LE_LINK) +- return; +- + BT_DBG("hcon %p reason %d", hcon, reason); + + l2cap_conn_del(hcon, bt_to_errno(reason)); +@@ -8637,6 +8636,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) + + static struct hci_cb l2cap_cb = { + .name = "L2CAP", ++ .match = l2cap_match, + .connect_cfm = l2cap_connect_cfm, + .disconn_cfm = l2cap_disconn_cfm, + .security_cfm = l2cap_security_cfm, +diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c +index 4f54c7df3a94..1686fa60e278 100644 +--- a/net/bluetooth/rfcomm/core.c ++++ b/net/bluetooth/rfcomm/core.c +@@ -2130,6 +2130,11 @@ static int rfcomm_run(void *unused) + return 0; + } + ++static bool rfcomm_match(struct hci_conn *hcon) ++{ ++ return hcon->type == ACL_LINK; ++} ++ + static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) + { + struct rfcomm_session *s; +@@ -2176,6 +2181,7 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) + + static struct hci_cb rfcomm_cb = { + .name = "RFCOMM", ++ .match = rfcomm_match, + .security_cfm = rfcomm_security_cfm + }; + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index fe8728041ad0..127479bf475b 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -1367,11 +1367,13 @@ int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + return lm; + } + +-static void sco_connect_cfm(struct hci_conn *hcon, __u8 status) ++static bool sco_match(struct hci_conn *hcon) + { +- if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) +- return; ++ return hcon->type == SCO_LINK || hcon->type == ESCO_LINK; ++} + ++static void sco_connect_cfm(struct hci_conn *hcon, __u8 status) ++{ + BT_DBG("hcon %p bdaddr %pMR status %u", hcon, &hcon->dst, status); + + if (!status) { +@@ -1386,9 +1388,6 @@ static void sco_connect_cfm(struct hci_conn *hcon, __u8 status) + + static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason) + { +- if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK) +- return; +- + BT_DBG("hcon %p reason %d", hcon, reason); + + sco_conn_del(hcon, bt_to_errno(reason)); +@@ -1414,6 +1413,7 @@ void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb) + + static struct hci_cb sco_cb = { + .name = "SCO", ++ .match = sco_match, + .connect_cfm = sco_connect_cfm, + .disconn_cfm = sco_disconn_cfm, + }; +-- +2.39.5 + diff --git a/queue-6.1/bpf-fix-potential-error-return.patch b/queue-6.1/bpf-fix-potential-error-return.patch new file mode 100644 index 00000000000..2ccaf8a4155 --- /dev/null +++ b/queue-6.1/bpf-fix-potential-error-return.patch @@ -0,0 +1,52 @@ +From 2d62772de4884bf87656afa2d276ddf7c3c7a0c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 11:42:45 +0000 +Subject: bpf: fix potential error return + +From: Anton Protopopov + +[ Upstream commit c4441ca86afe4814039ee1b32c39d833c1a16bbc ] + +The bpf_remove_insns() function returns WARN_ON_ONCE(error), where +error is a result of bpf_adj_branches(), and thus should be always 0 +However, if for any reason it is not 0, then it will be converted to +boolean by WARN_ON_ONCE and returned to user space as 1, not an actual +error value. Fix this by returning the original err after the WARN check. + +Signed-off-by: Anton Protopopov +Acked-by: Jiri Olsa +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20241210114245.836164-1-aspsk@isovalent.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 0ea0d50a7c16..83b416af4da1 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -523,6 +523,8 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off, + + int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt) + { ++ int err; ++ + /* Branch offsets can't overflow when program is shrinking, no need + * to call bpf_adj_branches(..., true) here + */ +@@ -530,7 +532,9 @@ int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt) + sizeof(struct bpf_insn) * (prog->len - off - cnt)); + prog->len -= cnt; + +- return WARN_ON_ONCE(bpf_adj_branches(prog, off, off + cnt, off, false)); ++ err = bpf_adj_branches(prog, off, off + cnt, off, false); ++ WARN_ON_ONCE(err); ++ return err; + } + + static void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp) +-- +2.39.5 + diff --git a/queue-6.1/btrfs-fix-use-after-free-when-cowing-tree-bock-and-t.patch b/queue-6.1/btrfs-fix-use-after-free-when-cowing-tree-bock-and-t.patch new file mode 100644 index 00000000000..42f21c97044 --- /dev/null +++ b/queue-6.1/btrfs-fix-use-after-free-when-cowing-tree-bock-and-t.patch @@ -0,0 +1,79 @@ +From 4756a8c55cd6fd0b5a9edbb1dc2c815fe4424a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 16:08:07 +0000 +Subject: btrfs: fix use-after-free when COWing tree bock and tracing is + enabled + +From: Filipe Manana + +[ Upstream commit 44f52bbe96dfdbe4aca3818a2534520082a07040 ] + +When a COWing a tree block, at btrfs_cow_block(), and we have the +tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled +(CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent +buffer while inside the tracepoint code. This is because in some paths +that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding +the last reference on the extent buffer @buf so btrfs_force_cow_block() +drops the last reference on the @buf extent buffer when it calls +free_extent_buffer_stale(buf), which schedules the release of the extent +buffer with RCU. This means that if we are on a kernel with preemption, +the current task may be preempted before calling trace_btrfs_cow_block() +and the extent buffer already released by the time trace_btrfs_cow_block() +is called, resulting in a use-after-free. + +Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to +btrfs_force_cow_block() before the COWed extent buffer is freed. +This also has a side effect of invoking the tracepoint in the tree defrag +code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is +called there, but this is fine and it was actually missing there. + +Reported-by: syzbot+8517da8635307182c8a5@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/6759a9b9.050a0220.1ac542.000d.GAE@google.com/ +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index a02b41106257..c7171b286de7 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -520,6 +520,8 @@ int btrfs_force_cow_block(struct btrfs_trans_handle *trans, + btrfs_free_tree_block(trans, btrfs_root_id(root), buf, + parent_start, last_ref); + } ++ ++ trace_btrfs_cow_block(root, buf, cow); + if (unlock_orig) + btrfs_tree_unlock(buf); + free_extent_buffer_stale(buf); +@@ -571,7 +573,6 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans, + { + struct btrfs_fs_info *fs_info = root->fs_info; + u64 search_start; +- int ret; + + if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) { + btrfs_abort_transaction(trans, -EUCLEAN); +@@ -612,12 +613,8 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans, + * Also We don't care about the error, as it's handled internally. + */ + btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); +- ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, +- cow_ret, search_start, 0, nest); +- +- trace_btrfs_cow_block(root, buf, *cow_ret); +- +- return ret; ++ return btrfs_force_cow_block(trans, root, buf, parent, parent_slot, ++ cow_ret, search_start, 0, nest); + } + ALLOW_ERROR_INJECTION(btrfs_cow_block, ERRNO); + +-- +2.39.5 + diff --git a/queue-6.1/btrfs-flush-delalloc-workers-queue-before-stopping-c.patch b/queue-6.1/btrfs-flush-delalloc-workers-queue-before-stopping-c.patch new file mode 100644 index 00000000000..3c5b75f4d75 --- /dev/null +++ b/queue-6.1/btrfs-flush-delalloc-workers-queue-before-stopping-c.patch @@ -0,0 +1,213 @@ +From a4eac77947b1021d66dfa5dc3e7a3ebb61e717f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 11:53:27 +0000 +Subject: btrfs: flush delalloc workers queue before stopping cleaner kthread + during unmount + +From: Filipe Manana + +[ Upstream commit f10bef73fb355e3fc85e63a50386798be68ff486 ] + +During the unmount path, at close_ctree(), we first stop the cleaner +kthread, using kthread_stop() which frees the associated task_struct, and +then stop and destroy all the work queues. However after we stopped the +cleaner we may still have a worker from the delalloc_workers queue running +inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(), +which in turn tries to wake up the cleaner kthread - which was already +destroyed before, resulting in a use-after-free on the task_struct. + +Syzbot reported this with the following stack traces: + + BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 + Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52 + + CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + Workqueue: btrfs-delalloc btrfs_work_helper + Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x169/0x550 mm/kasan/report.c:489 + kasan_report+0x143/0x180 mm/kasan/report.c:602 + __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089 + lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 + class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] + try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205 + submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615 + run_ordered_work fs/btrfs/async-thread.c:288 [inline] + btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 + worker_thread+0x870/0xd30 kernel/workqueue.c:3391 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + + Allocated by task 2: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + unpoison_slab_object mm/kasan/common.c:319 [inline] + __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 + kasan_slab_alloc include/linux/kasan.h:250 [inline] + slab_post_alloc_hook mm/slub.c:4104 [inline] + slab_alloc_node mm/slub.c:4153 [inline] + kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205 + alloc_task_struct_node kernel/fork.c:180 [inline] + dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 + copy_process+0x5d1/0x3d50 kernel/fork.c:2225 + kernel_clone+0x223/0x870 kernel/fork.c:2807 + kernel_thread+0x1bc/0x240 kernel/fork.c:2869 + create_kthread kernel/kthread.c:412 [inline] + kthreadd+0x60d/0x810 kernel/kthread.c:767 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + Freed by task 24: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2338 [inline] + slab_free mm/slub.c:4598 [inline] + kmem_cache_free+0x195/0x410 mm/slub.c:4700 + put_task_struct include/linux/sched/task.h:144 [inline] + delayed_put_task_struct+0x125/0x300 kernel/exit.c:227 + rcu_do_batch kernel/rcu/tree.c:2567 [inline] + rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 + handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554 + run_ksoftirqd+0xca/0x130 kernel/softirq.c:943 + smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 + kthread+0x2f0/0x390 kernel/kthread.c:389 + ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 + + Last potentially related work creation: + kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 + __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:544 + __call_rcu_common kernel/rcu/tree.c:3086 [inline] + call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190 + context_switch kernel/sched/core.c:5372 [inline] + __schedule+0x1803/0x4be0 kernel/sched/core.c:6756 + __schedule_loop kernel/sched/core.c:6833 [inline] + schedule+0x14b/0x320 kernel/sched/core.c:6848 + schedule_timeout+0xb0/0x290 kernel/time/sleep_timeout.c:75 + do_wait_for_common kernel/sched/completion.c:95 [inline] + __wait_for_common kernel/sched/completion.c:116 [inline] + wait_for_common kernel/sched/completion.c:127 [inline] + wait_for_completion+0x355/0x620 kernel/sched/completion.c:148 + kthread_stop+0x19e/0x640 kernel/kthread.c:712 + close_ctree+0x524/0xd60 fs/btrfs/disk-io.c:4328 + generic_shutdown_super+0x139/0x2d0 fs/super.c:642 + kill_anon_super+0x3b/0x70 fs/super.c:1237 + btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2112 + deactivate_locked_super+0xc4/0x130 fs/super.c:473 + cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 + task_work_run+0x24f/0x310 kernel/task_work.c:239 + ptrace_notify+0x2d2/0x380 kernel/signal.c:2503 + ptrace_report_syscall include/linux/ptrace.h:415 [inline] + ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] + syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173 + syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] + syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218 + do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + The buggy address belongs to the object at ffff8880259d1e00 + which belongs to the cache task_struct of size 7424 + The buggy address is located 2584 bytes inside of + freed 7424-byte region [ffff8880259d1e00, ffff8880259d3b00) + + The buggy address belongs to the physical page: + page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x259d0 + head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + memcg:ffff88802f4b56c1 + flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) + page_type: f5(slab) + raw: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122 + raw: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1 + head: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122 + head: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1 + head: 00fff00000000003 ffffea0000967401 ffffffffffffffff 0000000000000000 + head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + page_owner tracks the page as allocated + page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, tgid 12 (kworker/u8:1), ts 7328037942, free_ts 0 + set_page_owner include/linux/page_owner.h:32 [inline] + post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556 + prep_new_page mm/page_alloc.c:1564 [inline] + get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3474 + __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751 + alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 + alloc_slab_page+0x6a/0x140 mm/slub.c:2408 + allocate_slab+0x5a/0x2f0 mm/slub.c:2574 + new_slab mm/slub.c:2627 [inline] + ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815 + __slab_alloc+0x58/0xa0 mm/slub.c:3905 + __slab_alloc_node mm/slub.c:3980 [inline] + slab_alloc_node mm/slub.c:4141 [inline] + kmem_cache_alloc_node_noprof+0x269/0x380 mm/slub.c:4205 + alloc_task_struct_node kernel/fork.c:180 [inline] + dup_task_struct+0x57/0x8c0 kernel/fork.c:1113 + copy_process+0x5d1/0x3d50 kernel/fork.c:2225 + kernel_clone+0x223/0x870 kernel/fork.c:2807 + user_mode_thread+0x132/0x1a0 kernel/fork.c:2885 + call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171 + process_one_work kernel/workqueue.c:3229 [inline] + process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 + worker_thread+0x870/0xd30 kernel/workqueue.c:3391 + page_owner free stack trace missing + + Memory state around the buggy address: + ffff8880259d2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880259d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + >ffff8880259d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880259d2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880259d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +Fix this by flushing the delalloc workers queue before stopping the +cleaner kthread. + +Reported-by: syzbot+b7cf50a0c173770dcb14@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/674ed7e8.050a0220.48a03.0031.GAE@google.com/ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index b7ec38f7e4b9..30fe5ebc3650 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4651,6 +4651,15 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info) + * already the cleaner, but below we run all pending delayed iputs. + */ + btrfs_flush_workqueue(fs_info->fixup_workers); ++ /* ++ * Similar case here, we have to wait for delalloc workers before we ++ * proceed below and stop the cleaner kthread, otherwise we trigger a ++ * use-after-tree on the cleaner kthread task_struct when a delalloc ++ * worker running submit_compressed_extents() adds a delayed iput, which ++ * does a wake up on the cleaner kthread, which was already freed below ++ * when we call kthread_stop(). ++ */ ++ btrfs_flush_workqueue(fs_info->delalloc_workers); + + /* + * After we parked the cleaner kthread, ordered extents may have +-- +2.39.5 + diff --git a/queue-6.1/btrfs-rename-and-export-__btrfs_cow_block.patch b/queue-6.1/btrfs-rename-and-export-__btrfs_cow_block.patch new file mode 100644 index 00000000000..dce8d13da4c --- /dev/null +++ b/queue-6.1/btrfs-rename-and-export-__btrfs_cow_block.patch @@ -0,0 +1,106 @@ +From 547f5f1739e3299db860c9bf8f4410a41f506c44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 12:09:26 +0100 +Subject: btrfs: rename and export __btrfs_cow_block() + +From: Filipe Manana + +[ Upstream commit 95f93bc4cbcac6121a5ee85cd5019ee8e7447e0b ] + +Rename and export __btrfs_cow_block() as btrfs_force_cow_block(). This is +to allow to move defrag specific code out of ctree.c and into defrag.c in +one of the next patches. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: 44f52bbe96df ("btrfs: fix use-after-free when COWing tree bock and tracing is enabled") +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 30 +++++++++++++++--------------- + fs/btrfs/ctree.h | 7 +++++++ + 2 files changed, 22 insertions(+), 15 deletions(-) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index 347934eb5198..a02b41106257 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -404,13 +404,13 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans, + * bytes the allocator should try to find free next to the block it returns. + * This is just a hint and may be ignored by the allocator. + */ +-static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans, +- struct btrfs_root *root, +- struct extent_buffer *buf, +- struct extent_buffer *parent, int parent_slot, +- struct extent_buffer **cow_ret, +- u64 search_start, u64 empty_size, +- enum btrfs_lock_nesting nest) ++int btrfs_force_cow_block(struct btrfs_trans_handle *trans, ++ struct btrfs_root *root, ++ struct extent_buffer *buf, ++ struct extent_buffer *parent, int parent_slot, ++ struct extent_buffer **cow_ret, ++ u64 search_start, u64 empty_size, ++ enum btrfs_lock_nesting nest) + { + struct btrfs_fs_info *fs_info = root->fs_info; + struct btrfs_disk_key disk_key; +@@ -559,7 +559,7 @@ static inline int should_cow_block(struct btrfs_trans_handle *trans, + } + + /* +- * cows a single block, see __btrfs_cow_block for the real work. ++ * COWs a single block, see btrfs_force_cow_block() for the real work. + * This version of it has extra checks so that a block isn't COWed more than + * once per transaction, as long as it hasn't been written yet + */ +@@ -612,8 +612,8 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans, + * Also We don't care about the error, as it's handled internally. + */ + btrfs_qgroup_trace_subtree_after_cow(trans, root, buf); +- ret = __btrfs_cow_block(trans, root, buf, parent, +- parent_slot, cow_ret, search_start, 0, nest); ++ ret = btrfs_force_cow_block(trans, root, buf, parent, parent_slot, ++ cow_ret, search_start, 0, nest); + + trace_btrfs_cow_block(root, buf, *cow_ret); + +@@ -764,11 +764,11 @@ int btrfs_realloc_node(struct btrfs_trans_handle *trans, + search_start = last_block; + + btrfs_tree_lock(cur); +- err = __btrfs_cow_block(trans, root, cur, parent, i, +- &cur, search_start, +- min(16 * blocksize, +- (end_slot - i) * blocksize), +- BTRFS_NESTING_COW); ++ err = btrfs_force_cow_block(trans, root, cur, parent, i, ++ &cur, search_start, ++ min(16 * blocksize, ++ (end_slot - i) * blocksize), ++ BTRFS_NESTING_COW); + if (err) { + btrfs_tree_unlock(cur); + free_extent_buffer(cur); +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index cab023927b43..da8986e0c422 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3032,6 +3032,13 @@ int btrfs_cow_block(struct btrfs_trans_handle *trans, + struct extent_buffer *parent, int parent_slot, + struct extent_buffer **cow_ret, + enum btrfs_lock_nesting nest); ++int btrfs_force_cow_block(struct btrfs_trans_handle *trans, ++ struct btrfs_root *root, ++ struct extent_buffer *buf, ++ struct extent_buffer *parent, int parent_slot, ++ struct extent_buffer **cow_ret, ++ u64 search_start, u64 empty_size, ++ enum btrfs_lock_nesting nest); + int btrfs_copy_root(struct btrfs_trans_handle *trans, + struct btrfs_root *root, + struct extent_buffer *buf, +-- +2.39.5 + diff --git a/queue-6.1/drm-amdkfd-correct-the-migration-dma-map-direction.patch b/queue-6.1/drm-amdkfd-correct-the-migration-dma-map-direction.patch new file mode 100644 index 00000000000..3a437dc75fd --- /dev/null +++ b/queue-6.1/drm-amdkfd-correct-the-migration-dma-map-direction.patch @@ -0,0 +1,116 @@ +From 59563c13d220ede3106deb40452f9c710f39d265 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2024 09:57:42 +0800 +Subject: drm/amdkfd: Correct the migration DMA map direction + +From: Prike Liang + +[ Upstream commit 5c3de6b02d38eb9386edf50490e050bb44398e40 ] + +The SVM DMA device map direction should be set the same as +the DMA unmap setting, otherwise the DMA core will report +the following warning. + +Before finialize this solution, there're some discussion on +the DMA mapping type(stream-based or coherent) in this KFD +migration case, followed by https://lore.kernel.org/all/04d4ab32 +-45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/. + +As there's no dma_sync_single_for_*() in the DMA buffer accessed +that because this migration operation should be sync properly and +automatically. Give that there's might not be a performance problem +in various cache sync policy of DMA sync. Therefore, in order to +simplify the DMA direction setting alignment, let's set the DMA map +direction as BIDIRECTIONAL. + +[ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930 +[ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds +[ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii +[ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492 +[ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 +[ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930 +[ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50 +[ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086 +[ 150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027 +[ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680 +[ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850 +[ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40 +[ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b +[ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000 +[ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0 +[ 150.834383] Call Trace: +[ 150.834385] +[ 150.834387] ? show_regs+0x6d/0x80 +[ 150.834393] ? __warn+0x8c/0x140 +[ 150.834397] ? check_unmap+0x1cc/0x930 +[ 150.834400] ? report_bug+0x193/0x1a0 +[ 150.834406] ? handle_bug+0x46/0x80 +[ 150.834410] ? exc_invalid_op+0x1d/0x80 +[ 150.834413] ? asm_exc_invalid_op+0x1f/0x30 +[ 150.834420] ? check_unmap+0x1cc/0x930 +[ 150.834425] debug_dma_unmap_page+0x86/0x90 +[ 150.834431] ? srso_return_thunk+0x5/0x5f +[ 150.834435] ? rmap_walk+0x28/0x50 +[ 150.834438] ? srso_return_thunk+0x5/0x5f +[ 150.834441] ? remove_migration_ptes+0x79/0x80 +[ 150.834445] ? srso_return_thunk+0x5/0x5f +[ 150.834448] dma_unmap_page_attrs+0xfa/0x1d0 +[ 150.834453] svm_range_dma_unmap_dev+0x8a/0xf0 [amdgpu] +[ 150.834710] svm_migrate_ram_to_vram+0x361/0x740 [amdgpu] +[ 150.834914] svm_migrate_to_vram+0xa8/0xe0 [amdgpu] +[ 150.835111] svm_range_set_attr+0xff2/0x1450 [amdgpu] +[ 150.835311] svm_ioctl+0x4a/0x50 [amdgpu] +[ 150.835510] kfd_ioctl_svm+0x54/0x90 [amdgpu] +[ 150.835701] kfd_ioctl+0x3c2/0x530 [amdgpu] +[ 150.835888] ? __pfx_kfd_ioctl_svm+0x10/0x10 [amdgpu] +[ 150.836075] ? srso_return_thunk+0x5/0x5f +[ 150.836080] ? tomoyo_file_ioctl+0x20/0x30 +[ 150.836086] __x64_sys_ioctl+0x9c/0xd0 +[ 150.836091] x64_sys_call+0x1219/0x20d0 +[ 150.836095] do_syscall_64+0x51/0x120 +[ 150.836098] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 150.836102] RIP: 0033:0x7faf0f11a94f +[ 150.836105] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 +[ 150.836107] RSP: 002b:00007ffeced26bc0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 150.836110] RAX: ffffffffffffffda RBX: 000055c683528fb0 RCX: 00007faf0f11a94f +[ 150.836112] RDX: 00007ffeced26c60 RSI: 00000000c0484b20 RDI: 0000000000000003 +[ 150.836114] RBP: 00007ffeced26c50 R08: 0000000000000000 R09: 0000000000000001 +[ 150.836115] R10: 0000000000000032 R11: 0000000000000246 R12: 000055c683528bd0 +[ 150.836117] R13: 0000000000000000 R14: 0000000000000021 R15: 0000000000000000 +[ 150.836122] +[ 150.836124] ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Prike Liang +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c +index 8a7705db0b9a..a7ed47cb5bf6 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c +@@ -324,7 +324,7 @@ svm_migrate_copy_to_vram(struct amdgpu_device *adev, struct svm_range *prange, + spage = migrate_pfn_to_page(migrate->src[i]); + if (spage && !is_zone_device_page(spage)) { + src[i] = dma_map_page(dev, spage, 0, PAGE_SIZE, +- DMA_TO_DEVICE); ++ DMA_BIDIRECTIONAL); + r = dma_mapping_error(dev, src[i]); + if (r) { + dev_err(adev->dev, "%s: fail %d dma_map_page\n", +@@ -623,7 +623,7 @@ svm_migrate_copy_to_ram(struct amdgpu_device *adev, struct svm_range *prange, + goto out_oom; + } + +- dst[i] = dma_map_page(dev, dpage, 0, PAGE_SIZE, DMA_FROM_DEVICE); ++ dst[i] = dma_map_page(dev, dpage, 0, PAGE_SIZE, DMA_BIDIRECTIONAL); + r = dma_mapping_error(dev, dst[i]); + if (r) { + dev_err(adev->dev, "%s: fail %d dma_map_page\n", __func__, r); +-- +2.39.5 + diff --git a/queue-6.1/irqchip-gic-correct-declaration-of-percpu_base-point.patch b/queue-6.1/irqchip-gic-correct-declaration-of-percpu_base-point.patch new file mode 100644 index 00000000000..cbac1d969d9 --- /dev/null +++ b/queue-6.1/irqchip-gic-correct-declaration-of-percpu_base-point.patch @@ -0,0 +1,54 @@ +From 0c54b52afce79423920e6a0b54706905fc1b29a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 15:57:53 +0100 +Subject: irqchip/gic: Correct declaration of *percpu_base pointer in union + gic_base + +From: Uros Bizjak + +[ Upstream commit a1855f1b7c33642c9f7a01991fb763342a312e9b ] + +percpu_base is used in various percpu functions that expect variable in +__percpu address space. Correct the declaration of percpu_base to + +void __iomem * __percpu *percpu_base; + +to declare the variable as __percpu pointer. + +The patch fixes several sparse warnings: + +irq-gic.c:1172:44: warning: incorrect type in assignment (different address spaces) +irq-gic.c:1172:44: expected void [noderef] __percpu *[noderef] __iomem *percpu_base +irq-gic.c:1172:44: got void [noderef] __iomem *[noderef] __percpu * +... +irq-gic.c:1231:43: warning: incorrect type in argument 1 (different address spaces) +irq-gic.c:1231:43: expected void [noderef] __percpu *__pdata +irq-gic.c:1231:43: got void [noderef] __percpu *[noderef] __iomem *percpu_base + +There were no changes in the resulting object files. + +Signed-off-by: Uros Bizjak +Signed-off-by: Thomas Gleixner +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/all/20241213145809.2918-2-ubizjak@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c +index 4c7bae0ec8f9..867b282fa95d 100644 +--- a/drivers/irqchip/irq-gic.c ++++ b/drivers/irqchip/irq-gic.c +@@ -63,7 +63,7 @@ static void gic_check_cpu_features(void) + + union gic_base { + void __iomem *common_base; +- void __percpu * __iomem *percpu_base; ++ void __iomem * __percpu *percpu_base; + }; + + struct gic_chip_data { +-- +2.39.5 + diff --git a/queue-6.1/ksmbd-retry-iterate_dir-in-smb2_query_dir.patch b/queue-6.1/ksmbd-retry-iterate_dir-in-smb2_query_dir.patch new file mode 100644 index 00000000000..45724d28961 --- /dev/null +++ b/queue-6.1/ksmbd-retry-iterate_dir-in-smb2_query_dir.patch @@ -0,0 +1,75 @@ +From 22f48894c84e685a635947acdc1ce9bdb86f185e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 11:31:19 +0900 +Subject: ksmbd: retry iterate_dir in smb2_query_dir + +From: Hobin Woo + +[ Upstream commit 2b904d61a97e8ba79e3bc216ba290fd7e1d85028 ] + +Some file systems do not ensure that the single call of iterate_dir +reaches the end of the directory. For example, FUSE fetches entries from +a daemon using 4KB buffer and stops fetching if entries exceed the +buffer. And then an actor of caller, KSMBD, is used to fill the entries +from the buffer. +Thus, pattern searching on FUSE, files located after the 4KB could not +be found and STATUS_NO_SUCH_FILE was returned. + +Signed-off-by: Hobin Woo +Reviewed-by: Sungjong Seo +Reviewed-by: Namjae Jeon +Tested-by: Yoonho Shin +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 12 +++++++++++- + fs/smb/server/vfs.h | 1 + + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 96d441ca511d..71478a590e83 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3988,6 +3988,7 @@ static bool __query_dir(struct dir_context *ctx, const char *name, int namlen, + /* dot and dotdot entries are already reserved */ + if (!strcmp(".", name) || !strcmp("..", name)) + return true; ++ d_info->num_scan++; + if (ksmbd_share_veto_filename(priv->work->tcon->share_conf, name)) + return true; + if (!match_pattern(name, namlen, priv->search_pattern)) +@@ -4148,8 +4149,17 @@ int smb2_query_dir(struct ksmbd_work *work) + query_dir_private.info_level = req->FileInformationClass; + dir_fp->readdir_data.private = &query_dir_private; + set_ctx_actor(&dir_fp->readdir_data.ctx, __query_dir); +- ++again: ++ d_info.num_scan = 0; + rc = iterate_dir(dir_fp->filp, &dir_fp->readdir_data.ctx); ++ /* ++ * num_entry can be 0 if the directory iteration stops before reaching ++ * the end of the directory and no file is matched with the search ++ * pattern. ++ */ ++ if (rc >= 0 && !d_info.num_entry && d_info.num_scan && ++ d_info.out_buf_len > 0) ++ goto again; + /* + * req->OutputBufferLength is too small to contain even one entry. + * In this case, it immediately returns OutputBufferLength 0 to client. +diff --git a/fs/smb/server/vfs.h b/fs/smb/server/vfs.h +index e761dde2443e..cc47e71c4de1 100644 +--- a/fs/smb/server/vfs.h ++++ b/fs/smb/server/vfs.h +@@ -43,6 +43,7 @@ struct ksmbd_dir_info { + char *rptr; + int name_len; + int out_buf_len; ++ int num_scan; + int num_entry; + int data_count; + int last_entry_offset; +-- +2.39.5 + diff --git a/queue-6.1/net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch b/queue-6.1/net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch new file mode 100644 index 00000000000..2bdc1b75254 --- /dev/null +++ b/queue-6.1/net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch @@ -0,0 +1,109 @@ +From b0df3e60ae198b9bceeffe6b6e44ad917c2c79cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 16:18:21 +0100 +Subject: net: usb: qmi_wwan: add Telit FE910C04 compositions + +From: Daniele Palmas + +[ Upstream commit 3b58b53a26598209a7ad8259a5114ce71f7c3d64 ] + +Add the following Telit FE910C04 compositions: + +0x10c0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c0 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c4: rmnet + tty (AT) + tty (AT) + tty (diag) +T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c4 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10c8: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb +T: Bus=02 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10c8 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FE910 +S: SerialNumber=f71b8b32 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniele Palmas +Link: https://patch.msgid.link/20241209151821.3688829-1-dnlplm@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 8b9e2888b310..65aefebdf9a9 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1372,6 +1372,9 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c0, 0)}, /* Telit FE910C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c4, 0)}, /* Telit FE910C04 */ ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x10c8, 0)}, /* Telit FE910C04 */ + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index 31d283e383c..10b5401fe20 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -48,3 +48,18 @@ net-wwan-iosm-properly-check-for-valid-exec-stage-in.patch af_packet-fix-vlan_get_tci-vs-msg_peek.patch af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch ila-serialize-calls-to-nf_register_net_hooks.patch +btrfs-rename-and-export-__btrfs_cow_block.patch +btrfs-fix-use-after-free-when-cowing-tree-bock-and-t.patch +wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch +drm-amdkfd-correct-the-migration-dma-map-direction.patch +btrfs-flush-delalloc-workers-queue-before-stopping-c.patch +alsa-hda-realtek-add-new-alc2xx-fixup-headset-mic-mo.patch +sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch +sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch +bpf-fix-potential-error-return.patch +ksmbd-retry-iterate_dir-in-smb2_query_dir.patch +net-usb-qmi_wwan-add-telit-fe910c04-compositions.patch +bluetooth-hci_core-fix-sleeping-function-called-from.patch +irqchip-gic-correct-declaration-of-percpu_base-point.patch +arc-build-try-to-guess-gcc-variant-of-cross-compiler.patch +usb-xhci-avoid-queuing-redundant-stop-endpoint-comma.patch diff --git a/queue-6.1/sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch b/queue-6.1/sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch new file mode 100644 index 00000000000..8bcea384718 --- /dev/null +++ b/queue-6.1/sound-usb-enable-dsd-output-for-ddhifi-tc44c.patch @@ -0,0 +1,74 @@ +From e0f8403d1851bb38beee030e5984721ef14b07ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 11:05:28 +0200 +Subject: sound: usb: enable DSD output for ddHiFi TC44C + +From: Adrian Ratiu + +[ Upstream commit c84bd6c810d1880194fea2229c7086e4b73fddc1 ] + +This is a UAC 2 DAC capable of raw DSD on intf 2 alt 4: + +Bus 007 Device 004: ID 262a:9302 SAVITECH Corp. TC44C +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 239 Miscellaneous Device + bDeviceSubClass 2 [unknown] + bDeviceProtocol 1 Interface Association + bMaxPacketSize0 64 + idVendor 0x262a SAVITECH Corp. + idProduct 0x9302 TC44C + bcdDevice 0.01 + iManufacturer 1 DDHIFI + iProduct 2 TC44C + iSerial 6 5000000001 +....... + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 2 + bAlternateSetting 4 + bNumEndpoints 2 + bInterfaceClass 1 Audio + bInterfaceSubClass 2 Streaming + bInterfaceProtocol 32 + iInterface 0 + AudioStreaming Interface Descriptor: + bLength 16 + bDescriptorType 36 + bDescriptorSubtype 1 (AS_GENERAL) + bTerminalLink 3 + bmControls 0x00 + bFormatType 1 + bmFormats 0x80000000 + bNrChannels 2 + bmChannelConfig 0x00000000 + iChannelNames 0 +....... + +Signed-off-by: Adrian Ratiu +Link: https://patch.msgid.link/20241209090529.16134-1-adrian.ratiu@collabora.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 673591fbf917..6525b02af1b0 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2223,6 +2223,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_DSD_RAW), + DEVICE_FLG(0x2522, 0x0007, /* LH Labs Geek Out HD Audio 1V5 */ + QUIRK_FLAG_SET_IFACE_FIRST), ++ DEVICE_FLG(0x262a, 0x9302, /* ddHiFi TC44C */ ++ QUIRK_FLAG_DSD_RAW), + DEVICE_FLG(0x2708, 0x0002, /* Audient iD14 */ + QUIRK_FLAG_IGNORE_CTL_ERROR), + DEVICE_FLG(0x2912, 0x30c8, /* Audioengine D1 */ +-- +2.39.5 + diff --git a/queue-6.1/sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch b/queue-6.1/sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch new file mode 100644 index 00000000000..a9e98b0cb97 --- /dev/null +++ b/queue-6.1/sound-usb-format-don-t-warn-that-raw-dsd-is-unsuppor.patch @@ -0,0 +1,75 @@ +From d56a7632a13f87c266faf16118eabde7e3d0ab1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 11:05:29 +0200 +Subject: sound: usb: format: don't warn that raw DSD is unsupported + +From: Adrian Ratiu + +[ Upstream commit b50a3e98442b8d72f061617c7f7a71f7dba19484 ] + +UAC 2 & 3 DAC's set bit 31 of the format to signal support for a +RAW_DATA type, typically used for DSD playback. + +This is correctly tested by (format & UAC*_FORMAT_TYPE_I_RAW_DATA), +fp->dsd_raw = true; and call snd_usb_interface_dsd_format_quirks(), +however a confusing and unnecessary message gets printed because +the bit is not properly tested in the last "unsupported" if test: +if (format & ~0x3F) { ... } + +For example the output: + +usb 7-1: new high-speed USB device number 5 using xhci_hcd +usb 7-1: New USB device found, idVendor=262a, idProduct=9302, bcdDevice=0.01 +usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6 +usb 7-1: Product: TC44C +usb 7-1: Manufacturer: TC44C +usb 7-1: SerialNumber: 5000000001 +hid-generic 0003:262A:9302.001E: No inputs registered, leaving +hid-generic 0003:262A:9302.001E: hidraw6: USB HID v1.00 Device [DDHIFI TC44C] on usb-0000:08:00.3-1/input0 +usb 7-1: 2:4 : unsupported format bits 0x100000000 + +This last "unsupported format" is actually wrong: we know the +format is a RAW_DATA which we assume is DSD, so there is no need +to print the confusing message. + +This we unset bit 31 of the format after recognizing it, to avoid +the message. + +Suggested-by: Takashi Iwai +Signed-off-by: Adrian Ratiu +Link: https://patch.msgid.link/20241209090529.16134-2-adrian.ratiu@collabora.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/format.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/format.c b/sound/usb/format.c +index 3b45d0ee7693..3b3a5ea6fcbf 100644 +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -60,6 +60,8 @@ static u64 parse_audio_format_i_type(struct snd_usb_audio *chip, + pcm_formats |= SNDRV_PCM_FMTBIT_SPECIAL; + /* flag potentially raw DSD capable altsettings */ + fp->dsd_raw = true; ++ /* clear special format bit to avoid "unsupported format" msg below */ ++ format &= ~UAC2_FORMAT_TYPE_I_RAW_DATA; + } + + format <<= 1; +@@ -71,8 +73,11 @@ static u64 parse_audio_format_i_type(struct snd_usb_audio *chip, + sample_width = as->bBitResolution; + sample_bytes = as->bSubslotSize; + +- if (format & UAC3_FORMAT_TYPE_I_RAW_DATA) ++ if (format & UAC3_FORMAT_TYPE_I_RAW_DATA) { + pcm_formats |= SNDRV_PCM_FMTBIT_SPECIAL; ++ /* clear special format bit to avoid "unsupported format" msg below */ ++ format &= ~UAC3_FORMAT_TYPE_I_RAW_DATA; ++ } + + format <<= 1; + break; +-- +2.39.5 + diff --git a/queue-6.1/usb-xhci-avoid-queuing-redundant-stop-endpoint-comma.patch b/queue-6.1/usb-xhci-avoid-queuing-redundant-stop-endpoint-comma.patch new file mode 100644 index 00000000000..1cd9ad09be9 --- /dev/null +++ b/queue-6.1/usb-xhci-avoid-queuing-redundant-stop-endpoint-comma.patch @@ -0,0 +1,121 @@ +From db66bee3322c0856cc7df385602f69ae6784d999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2024 12:14:59 +0200 +Subject: usb: xhci: Avoid queuing redundant Stop Endpoint commands + +From: Michal Pecio + +[ Upstream commit 474538b8dd1cd9c666e56cfe8ef60fbb0fb513f4 ] + +Stop Endpoint command on an already stopped endpoint fails and may be +misinterpreted as a known hardware bug by the completion handler. This +results in an unnecessary delay with repeated retries of the command. + +Avoid queuing this command when endpoint state flags indicate that it's +stopped or halted and the command will fail. If commands are pending on +the endpoint, their completion handlers will process cancelled TDs so +it's done. In case of waiting for external operations like clearing TT +buffer, the endpoint is stopped and cancelled TDs can be processed now. + +This eliminates practically all unnecessary retries because an endpoint +with pending URBs is maintained in Running state by the driver, unless +aforementioned commands or other operations are pending on it. This is +guaranteed by xhci_ring_ep_doorbell() and by the fact that it is called +every time any of those operations completes. + +The only known exceptions are hardware bugs (the endpoint never starts +at all) and Stream Protocol errors not associated with any TRB, which +cause an endpoint reset not followed by restart. Sounds like a bug. + +Generally, these retries are only expected to happen when the endpoint +fails to start for unknown/no reason, which is a worse problem itself, +and fixing the bug eliminates the retries too. + +All cases were tested and found to work as expected. SET_DEQ_PENDING +was produced by patching uvcvideo to unlink URBs in 100us intervals, +which then runs into this case very often. EP_HALTED was produced by +restarting 'cat /dev/ttyUSB0' on a serial dongle with broken cable. +EP_CLEARING_TT by the same, with the dongle on an external hub. + +Fixes: fd9d55d190c0 ("xhci: retry Stop Endpoint on buggy NEC controllers") +CC: stable@vger.kernel.org +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-34-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 13 +++++++++++++ + drivers/usb/host/xhci.c | 19 +++++++++++++++---- + drivers/usb/host/xhci.h | 1 + + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index e5b2a3b551e3..2503022a3123 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1052,6 +1052,19 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) + return 0; + } + ++/* ++ * Erase queued TDs from transfer ring(s) and give back those the xHC didn't ++ * stop on. If necessary, queue commands to move the xHC off cancelled TDs it ++ * stopped on. Those will be given back later when the commands complete. ++ * ++ * Call under xhci->lock on a stopped endpoint. ++ */ ++void xhci_process_cancelled_tds(struct xhci_virt_ep *ep) ++{ ++ xhci_invalidate_cancelled_tds(ep); ++ xhci_giveback_invalidated_tds(ep); ++} ++ + /* + * Returns the TD the endpoint ring halted on. + * Only call for non-running rings without streams. +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index ae14c7ade9bc..e726c5edee03 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1903,10 +1903,21 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + } + } + +- /* Queue a stop endpoint command, but only if this is +- * the first cancellation to be handled. +- */ +- if (!(ep->ep_state & EP_STOP_CMD_PENDING)) { ++ /* These completion handlers will sort out cancelled TDs for us */ ++ if (ep->ep_state & (EP_STOP_CMD_PENDING | EP_HALTED | SET_DEQ_PENDING)) { ++ xhci_dbg(xhci, "Not queuing Stop Endpoint on slot %d ep %d in state 0x%x\n", ++ urb->dev->slot_id, ep_index, ep->ep_state); ++ goto done; ++ } ++ ++ /* In this case no commands are pending but the endpoint is stopped */ ++ if (ep->ep_state & EP_CLEARING_TT) { ++ /* and cancelled TDs can be given back right away */ ++ xhci_dbg(xhci, "Invalidating TDs instantly on slot %d ep %d in state 0x%x\n", ++ urb->dev->slot_id, ep_index, ep->ep_state); ++ xhci_process_cancelled_tds(ep); ++ } else { ++ /* Otherwise, queue a new Stop Endpoint command */ + command = xhci_alloc_command(xhci, false, GFP_ATOMIC); + if (!command) { + ret = -ENOMEM; +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index a75b8122538d..1a641f281c00 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1952,6 +1952,7 @@ void xhci_ring_doorbell_for_active_rings(struct xhci_hcd *xhci, + void xhci_cleanup_command_queue(struct xhci_hcd *xhci); + void inc_deq(struct xhci_hcd *xhci, struct xhci_ring *ring); + unsigned int count_trbs(u64 addr, u64 len); ++void xhci_process_cancelled_tds(struct xhci_virt_ep *ep); + + /* xHCI roothub code */ + void xhci_set_link_state(struct xhci_hcd *xhci, struct xhci_port *port, +-- +2.39.5 + diff --git a/queue-6.1/wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch b/queue-6.1/wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch new file mode 100644 index 00000000000..5ed55e2661e --- /dev/null +++ b/queue-6.1/wifi-mac80211-wake-the-queues-in-case-of-failure-in-.patch @@ -0,0 +1,44 @@ +From 90bb0c4d68e1433e5fe358f328eb171e502a444d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 17:35:39 +0200 +Subject: wifi: mac80211: wake the queues in case of failure in resume + +From: Emmanuel Grumbach + +[ Upstream commit 220bf000530f9b1114fa2a1022a871c7ce8a0b38 ] + +In case we fail to resume, we'll WARN with +"Hardware became unavailable during restart." and we'll wait until user +space does something. It'll typically bring the interface down and up to +recover. This won't work though because the queues are still stopped on +IEEE80211_QUEUE_STOP_REASON_SUSPEND reason. +Make sure we clear that reason so that we give a chance to the recovery +to succeed. + +Signed-off-by: Emmanuel Grumbach +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219447 +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20241119173108.cd628f560f97.I76a15fdb92de450e5329940125f3c58916be3942@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/util.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 738f1f139a90..e8326e09d1b3 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2436,6 +2436,9 @@ int ieee80211_reconfig(struct ieee80211_local *local) + WARN(1, "Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.\n"); + else + WARN(1, "Hardware became unavailable during restart.\n"); ++ ieee80211_wake_queues_by_reason(hw, IEEE80211_MAX_QUEUE_MAP, ++ IEEE80211_QUEUE_STOP_REASON_SUSPEND, ++ false); + ieee80211_handle_reconfig_failure(local); + return res; + } +-- +2.39.5 +