From: Sasha Levin Date: Mon, 17 Feb 2025 16:47:42 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.12.15~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3cc13a853bd92cea7de3d83a1448bd510c88e430;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch b/queue-5.15/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch new file mode 100644 index 0000000000..17d14934f7 --- /dev/null +++ b/queue-5.15/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch 
@@ -0,0 +1,55 @@ +From 3cf615bf5544c1b35ee99172ecf04df9226871c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 12:44:20 -0500 +Subject: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array + +From: Radu Rendec + +[ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ] + +The loop that detects/populates cache information already has a bounds +check on the array size but does not account for cache levels with +separate data/instructions cache. Fix this by incrementing the index +for any populated leaf (instead of any populated level). + +Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information") + +Signed-off-by: Radu Rendec +Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cacheinfo.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c +index 97c42be71338a..1510f457b6154 100644 +--- a/arch/arm64/kernel/cacheinfo.c ++++ b/arch/arm64/kernel/cacheinfo.c +@@ -87,16 +87,18 @@ int populate_cache_leaves(unsigned int cpu) + unsigned int level, idx; + enum cache_type type; + struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); +- struct cacheinfo *this_leaf = this_cpu_ci->info_list; ++ struct cacheinfo *infos = this_cpu_ci->info_list; + + for (idx = 0, level = 1; level <= this_cpu_ci->num_levels && +- idx < this_cpu_ci->num_leaves; idx++, level++) { ++ idx < this_cpu_ci->num_leaves; level++) { + type = get_cache_type(level); + if (type == CACHE_TYPE_SEPARATE) { +- ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); +- ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); ++ if (idx + 1 >= this_cpu_ci->num_leaves) ++ break; ++ ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level); ++ ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level); + } else { +- ci_leaf_init(this_leaf++, type, level); ++ ci_leaf_init(&infos[idx++], type, 
level); + } + } + return 0; +-- +2.39.5 + diff --git a/queue-5.15/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch b/queue-5.15/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch new file mode 100644 index 0000000000..81f2b5598b --- /dev/null +++ b/queue-5.15/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch 
@@ -0,0 +1,60 @@ +From 34281e8a9e3a21928639f90d684f1aa2855dda2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 14:25:07 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet + 5V + +From: Hans de Goede + +[ Upstream commit 6917192378c1ce17ba31df51c4e0d8b1c97a453b ] + +The Vexia EDU ATLA 10 tablet comes in 2 different versions with +significantly different mainboards. The only outward difference is that +the charging barrel on one is marked 5V and the other is marked 9V. + +The 5V version mostly works with the BYTCR defaults, except that it is +missing a CHAN package in its ACPI tables and the default of using +SSP0-AIF2 is wrong, instead SSP0-AIF1 must be used. That and its jack +detect signal is not inverted as it usually is. + +Add a DMI quirk for the 5V version to fix sound not working. + +Signed-off-by: Hans de Goede +Link: https://patch.msgid.link/20250123132507.18434-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 8706fef8ccce8..721b9971fd744 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -1102,7 +1102,22 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF2 | + BYT_RT5640_MCLK_EN), + }, +- { /* Vexia Edu Atla 10 tablet */ ++ { ++ /* Vexia Edu Atla 10 tablet 5V version */ ++ .matches = { ++ /* Having all 3 of these not set is somewhat unique */ ++ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."), ++ /* Above strings are too generic, also match on BIOS date */ ++ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"), ++ }, ++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS | ++ 
BYT_RT5640_JD_NOT_INV | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, ++ { /* Vexia Edu Atla 10 tablet 9V version */ + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), + DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"), +-- +2.39.5 + diff --git a/queue-5.15/drm-i915-selftests-avoid-using-uninitialized-context.patch b/queue-5.15/drm-i915-selftests-avoid-using-uninitialized-context.patch new file mode 100644 index 0000000000..6608afae77 --- /dev/null +++ b/queue-5.15/drm-i915-selftests-avoid-using-uninitialized-context.patch 
@@ -0,0 +1,52 @@ +From 007bb80a8c0e4742a3c8bbfd6175f4584f9687c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2025 09:19:31 +0000 +Subject: drm/i915/selftests: avoid using uninitialized context + +From: Krzysztof Karas + +[ Upstream commit 53139b3f9998ea07289e7b70b909fea2264a0de9 ] + +There is an error path in igt_ppgtt_alloc(), which leads +to ww object being passed down to i915_gem_ww_ctx_fini() without +initialization. Correct that by only putting ppgtt->vm and +returning early. + +Fixes: 480ae79537b2 ("drm/i915/selftests: Prepare gtt tests for obj->mm.lock removal") +Signed-off-by: Krzysztof Karas +Reviewed-by: Mikolaj Wasiak +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/iuaonpjc3rywmvhna6umjlvzilocn2uqsrxfxfob24e2taocbi@lkaivvfp4777 +(cherry picked from commit 8d8334632ea62424233ac6529712868241d0f8df) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +index f843a5040706a..df3934a990d08 100644 +--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +@@ -160,7 +160,7 @@ static int igt_ppgtt_alloc(void *arg) + return PTR_ERR(ppgtt); + + if (!ppgtt->vm.allocate_va_range) +- goto err_ppgtt_cleanup; ++ goto ppgtt_vm_put; + + /* + * While we only allocate the page tables here and so we could +@@ -228,7 +228,7 @@ static int igt_ppgtt_alloc(void *arg) + goto retry; + } + i915_gem_ww_ctx_fini(&ww); +- ++ppgtt_vm_put: + i915_vm_put(&ppgtt->vm); + return err; + } +-- +2.39.5 + diff --git a/queue-5.15/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch b/queue-5.15/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch new file mode 100644 index 0000000000..6fa513b591 --- /dev/null 
+++ b/queue-5.15/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch @@ -0,0 +1,40 @@ +From 09524fa6f0df43793ff063ff0e806ca4b0de0ee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:02 +0100 +Subject: gpio: bcm-kona: Add missing newline to dev_err format string + +From: Artur Weber + +[ Upstream commit 615279db222c3ac56d5c93716efd72b843295c1f ] + +Add a missing newline to the format string of the "Couldn't get IRQ +for bank..." error message. + +Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-3-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index 4734749b90860..0c97a8c95e06c 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -675,7 +675,7 @@ static int bcm_kona_gpio_probe(struct platform_device *pdev) + bank->irq = platform_get_irq(pdev, i); + bank->kona_gpio = kona_gpio; + if (bank->irq < 0) { +- dev_err(dev, "Couldn't get IRQ for bank %d", i); ++ dev_err(dev, "Couldn't get IRQ for bank %d\n", i); + ret = -ENOENT; + goto err_irq_domain; + } +-- +2.39.5 + diff --git a/queue-5.15/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch b/queue-5.15/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch new file mode 100644 index 0000000000..cbabe71cbb --- /dev/null +++ b/queue-5.15/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch 
@@ -0,0 +1,64 @@ +From 475153a39743172d7c0afb4f41e14a394c8fb42b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:00 +0100 +Subject: gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 + +From: Artur Weber + +[ Upstream commit de1d0d160f64ee76df1d364d521b2faf465a091c ] + +The GPIO lock/unlock functions clear/write a bit to the relevant +register for each bank. However, due to an oversight the bit that +was being written was based on the total GPIO number, not the index +of the GPIO within the relevant bank, causing it to fail for any +GPIO above 32 (thus any GPIO for banks above bank 0). + +Fix lock/unlock for these banks by using the correct bit. + +Fixes: bdb93c03c550 ("gpio: bcm281xx: Centralize register locking") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-1-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index d329a143f5ec9..c83968384904e 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -93,11 +93,12 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio, + u32 val; + unsigned long flags; + int bank_id = GPIO_BANK(gpio); ++ int bit = GPIO_BIT(gpio); + + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val |= BIT(gpio); ++ val |= BIT(bit); + bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + + raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); +@@ -109,11 +110,12 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, + u32 val; + unsigned long flags; + int bank_id = GPIO_BANK(gpio); ++ int bit = GPIO_BIT(gpio); + + 
raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val &= ~BIT(gpio); ++ val &= ~BIT(bit); + bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + + raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); +-- +2.39.5 + diff --git a/queue-5.15/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch b/queue-5.15/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch new file mode 100644 index 0000000000..b561b50b9a --- /dev/null +++ b/queue-5.15/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch 
@@ -0,0 +1,160 @@ +From 266779ebcd5ffc5c0c568b92324483c161e6af46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:01 +0100 +Subject: gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ + +From: Artur Weber + +[ Upstream commit 57f5db77a915cc29461a679a6bcae7097967be1a ] + +The settings for all GPIOs are locked by default in bcm_kona_gpio_reset. +The settings for a GPIO are unlocked when requesting it as a GPIO, but +not when requesting it as an interrupt, causing the IRQ settings to not +get applied. + +Fix this by making sure to unlock the right bits when an IRQ is requested. +To avoid a situation where an IRQ being released causes a lock despite +the same GPIO being used by a GPIO request or vice versa, add an unlock +counter and only lock if it reaches 0. + +Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-2-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 67 +++++++++++++++++++++++++++++------- + 1 file changed, 55 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index c83968384904e..4734749b90860 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -76,6 +76,22 @@ struct bcm_kona_gpio { + struct bcm_kona_gpio_bank { + int id; + int irq; ++ /* ++ * Used to keep track of lock/unlock operations for each GPIO in the ++ * bank. ++ * ++ * All GPIOs are locked by default (see bcm_kona_gpio_reset), and the ++ * unlock count for all GPIOs is 0 by default. Each unlock increments ++ * the counter, and each lock decrements the counter. ++ * ++ * The lock function only locks the GPIO once its unlock counter is ++ * down to 0. 
This is necessary because the GPIO is unlocked in two ++ * places in this driver: once for requested GPIOs, and once for ++ * requested IRQs. Since it is possible for a GPIO to be requested ++ * as both a GPIO and an IRQ, we need to ensure that we don't lock it ++ * too early. ++ */ ++ u8 gpio_unlock_count[GPIO_PER_BANK]; + /* Used in the interrupt handler */ + struct bcm_kona_gpio *kona_gpio; + }; +@@ -94,14 +110,23 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio, + unsigned long flags; + int bank_id = GPIO_BANK(gpio); + int bit = GPIO_BIT(gpio); ++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id]; + +- raw_spin_lock_irqsave(&kona_gpio->lock, flags); ++ if (bank->gpio_unlock_count[bit] == 0) { ++ dev_err(kona_gpio->gpio_chip.parent, ++ "Unbalanced locks for GPIO %u\n", gpio); ++ return; ++ } + +- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val |= BIT(bit); +- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ if (--bank->gpio_unlock_count[bit] == 0) { ++ raw_spin_lock_irqsave(&kona_gpio->lock, flags); + +- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); ++ val |= BIT(bit); ++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ ++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ } + } + + static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, +@@ -111,14 +136,19 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, + unsigned long flags; + int bank_id = GPIO_BANK(gpio); + int bit = GPIO_BIT(gpio); ++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id]; + +- raw_spin_lock_irqsave(&kona_gpio->lock, flags); ++ if (bank->gpio_unlock_count[bit] == 0) { ++ raw_spin_lock_irqsave(&kona_gpio->lock, flags); + +- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val &= ~BIT(bit); +- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ val 
= readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); ++ val &= ~BIT(bit); ++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + +- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ } ++ ++ ++bank->gpio_unlock_count[bit]; + } + + static int bcm_kona_gpio_get_dir(struct gpio_chip *chip, unsigned gpio) +@@ -369,6 +399,7 @@ static void bcm_kona_gpio_irq_mask(struct irq_data *d) + + kona_gpio = irq_data_get_irq_chip_data(d); + reg_base = kona_gpio->reg_base; ++ + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(reg_base + GPIO_INT_MASK(bank_id)); +@@ -391,6 +422,7 @@ static void bcm_kona_gpio_irq_unmask(struct irq_data *d) + + kona_gpio = irq_data_get_irq_chip_data(d); + reg_base = kona_gpio->reg_base; ++ + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(reg_base + GPIO_INT_MSKCLR(bank_id)); +@@ -486,15 +518,26 @@ static void bcm_kona_gpio_irq_handler(struct irq_desc *desc) + static int bcm_kona_gpio_irq_reqres(struct irq_data *d) + { + struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d); ++ unsigned int gpio = d->hwirq; ++ ++ /* ++ * We need to unlock the GPIO before any other operations are performed ++ * on the relevant GPIO configuration registers ++ */ ++ bcm_kona_gpio_unlock_gpio(kona_gpio, gpio); + +- return gpiochip_reqres_irq(&kona_gpio->gpio_chip, d->hwirq); ++ return gpiochip_reqres_irq(&kona_gpio->gpio_chip, gpio); + } + + static void bcm_kona_gpio_irq_relres(struct irq_data *d) + { + struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d); ++ unsigned int gpio = d->hwirq; ++ ++ /* Once we no longer use it, lock the GPIO again */ ++ bcm_kona_gpio_lock_gpio(kona_gpio, gpio); + +- gpiochip_relres_irq(&kona_gpio->gpio_chip, d->hwirq); ++ gpiochip_relres_irq(&kona_gpio->gpio_chip, gpio); + } + + static struct irq_chip bcm_gpio_irq_chip = { +-- +2.39.5 + 
diff --git a/queue-5.15/grab-mm-lock-before-grabbing-pt-lock.patch b/queue-5.15/grab-mm-lock-before-grabbing-pt-lock.patch new file mode 100644 index 0000000000..1224cecb38 --- /dev/null +++ b/queue-5.15/grab-mm-lock-before-grabbing-pt-lock.patch 
@@ -0,0 +1,156 @@ +From bfdb741fb4717272b9d3bb0199f4ff8a007cd87a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 11:35:15 +0100 +Subject: Grab mm lock before grabbing pt lock + +From: Maksym Planeta + +[ Upstream commit 6d002348789bc16e9203e9818b7a3688787e3b29 ] + +Function xen_pin_page calls xen_pte_lock, which in turn grab page +table lock (ptlock). When locking, xen_pte_lock expect mm->page_table_lock +to be held before grabbing ptlock, but this does not happen when pinning +is caused by xen_mm_pin_all. + +This commit addresses lockdep warning below, which shows up when +suspending a Xen VM. + +[ 3680.658422] Freezing user space processes +[ 3680.660156] Freezing user space processes completed (elapsed 0.001 seconds) +[ 3680.660182] OOM killer disabled. +[ 3680.660192] Freezing remaining freezable tasks +[ 3680.661485] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 3680.685254] +[ 3680.685265] ================================== +[ 3680.685269] WARNING: Nested lock was not taken +[ 3680.685274] 6.12.0+ #16 Tainted: G W +[ 3680.685279] ---------------------------------- +[ 3680.685283] migration/0/19 is trying to lock: +[ 3680.685288] ffff88800bac33c0 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: xen_pin_page+0x175/0x1d0 +[ 3680.685303] +[ 3680.685303] but this task is not holding: +[ 3680.685308] init_mm.page_table_lock +[ 3680.685311] +[ 3680.685311] stack backtrace: +[ 3680.685316] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16 +[ 3680.685324] Tainted: [W]=WARN +[ 3680.685328] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0 +[ 3680.685339] Call Trace: +[ 3680.685344] +[ 3680.685347] dump_stack_lvl+0x77/0xb0 +[ 3680.685356] __lock_acquire+0x917/0x2310 +[ 3680.685364] lock_acquire+0xce/0x2c0 +[ 3680.685369] ? xen_pin_page+0x175/0x1d0 +[ 3680.685373] _raw_spin_lock_nest_lock+0x2f/0x70 +[ 3680.685381] ? xen_pin_page+0x175/0x1d0 +[ 3680.685386] xen_pin_page+0x175/0x1d0 +[ 3680.685390] ? 
__pfx_xen_pin_page+0x10/0x10 +[ 3680.685394] __xen_pgd_walk+0x233/0x2c0 +[ 3680.685401] ? stop_one_cpu+0x91/0x100 +[ 3680.685405] __xen_pgd_pin+0x5d/0x250 +[ 3680.685410] xen_mm_pin_all+0x70/0xa0 +[ 3680.685415] xen_pv_pre_suspend+0xf/0x280 +[ 3680.685420] xen_suspend+0x57/0x1a0 +[ 3680.685428] multi_cpu_stop+0x6b/0x120 +[ 3680.685432] ? update_cpumasks_hier+0x7c/0xa60 +[ 3680.685439] ? __pfx_multi_cpu_stop+0x10/0x10 +[ 3680.685443] cpu_stopper_thread+0x8c/0x140 +[ 3680.685448] ? smpboot_thread_fn+0x20/0x1f0 +[ 3680.685454] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 3680.685458] smpboot_thread_fn+0xed/0x1f0 +[ 3680.685462] kthread+0xde/0x110 +[ 3680.685467] ? __pfx_kthread+0x10/0x10 +[ 3680.685471] ret_from_fork+0x2f/0x50 +[ 3680.685478] ? __pfx_kthread+0x10/0x10 +[ 3680.685482] ret_from_fork_asm+0x1a/0x30 +[ 3680.685489] +[ 3680.685491] +[ 3680.685491] other info that might help us debug this: +[ 3680.685497] 1 lock held by migration/0/19: +[ 3680.685500] #0: ffffffff8284df38 (pgd_lock){+.+.}-{3:3}, at: xen_mm_pin_all+0x14/0xa0 +[ 3680.685512] +[ 3680.685512] stack backtrace: +[ 3680.685518] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16 +[ 3680.685528] Tainted: [W]=WARN +[ 3680.685531] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0 +[ 3680.685538] Call Trace: +[ 3680.685541] +[ 3680.685544] dump_stack_lvl+0x77/0xb0 +[ 3680.685549] __lock_acquire+0x93c/0x2310 +[ 3680.685554] lock_acquire+0xce/0x2c0 +[ 3680.685558] ? xen_pin_page+0x175/0x1d0 +[ 3680.685562] _raw_spin_lock_nest_lock+0x2f/0x70 +[ 3680.685568] ? xen_pin_page+0x175/0x1d0 +[ 3680.685572] xen_pin_page+0x175/0x1d0 +[ 3680.685578] ? __pfx_xen_pin_page+0x10/0x10 +[ 3680.685582] __xen_pgd_walk+0x233/0x2c0 +[ 3680.685588] ? stop_one_cpu+0x91/0x100 +[ 3680.685592] __xen_pgd_pin+0x5d/0x250 +[ 3680.685596] xen_mm_pin_all+0x70/0xa0 +[ 3680.685600] xen_pv_pre_suspend+0xf/0x280 +[ 3680.685607] xen_suspend+0x57/0x1a0 +[ 3680.685611] multi_cpu_stop+0x6b/0x120 +[ 3680.685615] ? 
update_cpumasks_hier+0x7c/0xa60 +[ 3680.685620] ? __pfx_multi_cpu_stop+0x10/0x10 +[ 3680.685625] cpu_stopper_thread+0x8c/0x140 +[ 3680.685629] ? smpboot_thread_fn+0x20/0x1f0 +[ 3680.685634] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 3680.685638] smpboot_thread_fn+0xed/0x1f0 +[ 3680.685642] kthread+0xde/0x110 +[ 3680.685645] ? __pfx_kthread+0x10/0x10 +[ 3680.685649] ret_from_fork+0x2f/0x50 +[ 3680.685654] ? __pfx_kthread+0x10/0x10 +[ 3680.685657] ret_from_fork_asm+0x1a/0x30 +[ 3680.685662] +[ 3680.685267] xen:grant_table: Grant tables using version 1 layout +[ 3680.685921] OOM killer enabled. +[ 3680.685934] Restarting tasks ... done. + +Signed-off-by: Maksym Planeta +Reviewed-by: Juergen Gross +Message-ID: <20241204103516.3309112-1-maksym@exostellar.io> +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index f88071566cac5..4eb6a6bb609f4 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -807,6 +807,7 @@ void xen_mm_pin_all(void) + { + struct page *page; + ++ spin_lock(&init_mm.page_table_lock); + spin_lock(&pgd_lock); + + list_for_each_entry(page, &pgd_list, lru) { +@@ -817,6 +818,7 @@ void xen_mm_pin_all(void) + } + + spin_unlock(&pgd_lock); ++ spin_unlock(&init_mm.page_table_lock); + } + + static void __init xen_mark_pinned(struct mm_struct *mm, struct page *page, +@@ -914,6 +916,7 @@ void xen_mm_unpin_all(void) + { + struct page *page; + ++ spin_lock(&init_mm.page_table_lock); + spin_lock(&pgd_lock); + + list_for_each_entry(page, &pgd_list, lru) { +@@ -925,6 +928,7 @@ void xen_mm_unpin_all(void) + } + + spin_unlock(&pgd_lock); ++ spin_unlock(&init_mm.page_table_lock); + } + + static void xen_activate_mm(struct mm_struct *prev, struct mm_struct *next) +-- +2.39.5 + 
diff --git a/queue-5.15/hid-multitouch-add-null-check-in-mt_input_configured.patch b/queue-5.15/hid-multitouch-add-null-check-in-mt_input_configured.patch new file mode 100644 index 0000000000..9f758be2ca --- /dev/null +++ b/queue-5.15/hid-multitouch-add-null-check-in-mt_input_configured.patch @@ -0,0 +1,43 @@ +From c6f1e67f3c203922ebb186c37c0c914ef157f04c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 14:26:21 +0800 +Subject: HID: multitouch: Add NULL check in mt_input_configured + +From: Charles Han + +[ Upstream commit 9b8e2220d3a052a690b1d1b23019673e612494c5 ] + +devm_kasprintf() can return a NULL pointer on failure,but this +returned value in mt_input_configured() is not checked. +Add NULL check in mt_input_configured(), to handle kernel NULL +pointer dereference error. + +Fixes: 479439463529 ("HID: multitouch: Correct devm device reference for hidinput input_dev name") +Signed-off-by: Charles Han +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-multitouch.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index df7b620fa23ee..bc9ba011ff607 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1671,9 +1671,12 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi) + break; + } + +- if (suffix) ++ if (suffix) { + hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, + "%s %s", hdev->name, suffix); ++ if (!hi->input->name) ++ return -ENOMEM; ++ } + + return 0; + } +-- +2.39.5 + diff --git a/queue-5.15/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch b/queue-5.15/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch new file mode 100644 index 0000000000..b4913f9678 --- /dev/null +++ b/queue-5.15/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch 
@@ -0,0 +1,53 @@ +From 7dac82b21143ae44f532c77be8fded71bf804123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2024 11:41:42 +0100 +Subject: media: cxd2841er: fix 64-bit division on gcc-9 + +From: Arnd Bergmann + +[ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] + +It appears that do_div() once more gets confused by a complex +expression that ends up not quite being constant despite +__builtin_constant_p() thinking it is: + +ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! + +Use div_u64() instead, forcing the expression to be evaluated +first, and making it a bit more readable. + +Cc: Dan Carpenter +Reported-by: Naresh Kamboju +Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/ +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +[hverkuil: added Closes tags] +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c +index e9d1eef40c627..798da50421368 100644 +--- a/drivers/media/dvb-frontends/cxd2841er.c ++++ b/drivers/media/dvb-frontends/cxd2841er.c +@@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, + + static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) + { +- u64 tmp; +- +- tmp = (u64) ifhz * 16777216; +- do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); +- +- return (u32) tmp; ++ return div_u64(ifhz * 16777216ull, ++ (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); + } + + static u32 cxd2841er_calc_iffreq(u32 ifhz) +-- +2.39.5 + 
diff --git a/queue-5.15/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch b/queue-5.15/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch new file mode 100644 index 0000000000..8bd91b0310 --- /dev/null +++ b/queue-5.15/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch 
@@ -0,0 +1,96 @@ +From 716f6b194ec9a119de82eb524843cbcbb8446d67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Dec 2024 18:50:39 +0800 +Subject: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread + +From: Edward Adam Davis + +[ Upstream commit 1221989555db711578a327a9367f1be46500cb48 ] + +syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1] + +If dvb->mux is not initialized successfully by vidtv_mux_init() in the +vidtv_start_streaming(), it will trigger null pointer dereference about mux +in vidtv_mux_stop_thread(). + +Adjust the timing of streaming initialization and check it before +stopping it. + +[1] +KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] +CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471 +Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8 +RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125 +RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128 +RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188 +R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710 +FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 
[inline] + vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252 + dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000 + dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486 + dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559 + dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] + dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 + __fput+0x3f8/0xb60 fs/file_table.c:450 + task_work_run+0x14e/0x250 kernel/task_work.c:239 + get_signal+0x1d3/0x2610 kernel/signal.c:2790 + arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop kernel/entry/common.c:111 [inline] + exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] + syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 + do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-by: syzbot+5e248227c80a3be8e96a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5e248227c80a3be8e96a +Signed-off-by: Edward Adam Davis +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +index dff7265a42ca2..c1621680ec570 100644 +--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c ++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +@@ -191,10 +191,11 @@ static int vidtv_start_streaming(struct vidtv_dvb *dvb) + + mux_args.mux_buf_sz = mux_buf_sz; + +- dvb->streaming = true; + dvb->mux = vidtv_mux_init(dvb->fe[0], dev, &mux_args); + if (!dvb->mux) + return -ENOMEM; ++ ++ dvb->streaming = true; + vidtv_mux_start_thread(dvb->mux); + + dev_dbg_ratelimited(dev, "Started 
streaming\n"); +@@ -205,6 +206,11 @@ static int vidtv_stop_streaming(struct vidtv_dvb *dvb) + { + struct device *dev = &dvb->pdev->dev; + ++ if (!dvb->streaming) { ++ dev_warn_ratelimited(dev, "No streaming. Skipping.\n"); ++ return 0; ++ } ++ + dvb->streaming = false; + vidtv_mux_stop_thread(dvb->mux); + vidtv_mux_destroy(dvb->mux); +-- +2.39.5 + diff --git a/queue-5.15/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch b/queue-5.15/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch new file mode 100644 index 0000000000..eab9a0b34e --- /dev/null +++ b/queue-5.15/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch @@ -0,0 +1,41 @@ +From 1be56391dbf45ee00f448c37d608d9b9ee534030 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 13:58:33 +0000 +Subject: ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() + +From: Eric Dumazet + +[ Upstream commit 48145a57d4bbe3496e8e4880b23ea6b511e6e519 ] + +ndisc_send_redirect() is called under RCU protection, not RTNL. + +It must use dev_get_by_index_rcu() instead of __dev_get_by_index() + +Fixes: 2f17becfbea5 ("vrf: check the original netdevice for generating redirect") +Signed-off-by: Eric Dumazet +Cc: Stephen Suryaputra +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250207135841.1948589-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index d56e80741c5ba..63c1420c58249 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1619,7 +1619,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target) + bool ret; + + if (netif_is_l3_master(skb->dev)) { +- dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif); ++ dev = dev_get_by_index_rcu(dev_net(skb->dev), IPCB(skb)->iif); + if (!dev) + return; + } +-- +2.39.5 + 
diff --git a/queue-5.15/orangefs-fix-a-oob-in-orangefs_debug_write.patch b/queue-5.15/orangefs-fix-a-oob-in-orangefs_debug_write.patch new file mode 100644 index 0000000000..b669e3a1fc --- /dev/null +++ b/queue-5.15/orangefs-fix-a-oob-in-orangefs_debug_write.patch @@ -0,0 +1,39 @@ +From 9e02e89f4ae0f12e4180b3deb828b77fa9e1488c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 14:21:08 -0500 +Subject: orangefs: fix a oob in orangefs_debug_write + +From: Mike Marshall + +[ Upstream commit f7c848431632598ff9bce57a659db6af60d75b39 ] + +I got a syzbot report: slab-out-of-bounds Read in +orangefs_debug_write... several people suggested fixes, +I tested Al Viro's suggestion and made this patch. + +Signed-off-by: Mike Marshall +Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index 1b508f5433846..fa41db0884880 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file, + * Thwart users who try to jamb a ridiculous number + * of bytes into the debug file... + */ +- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) { ++ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) { + silly = count; +- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1; ++ count = ORANGEFS_MAX_DEBUG_STRING_LEN; + } + + buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.15/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch b/queue-5.15/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch new file mode 100644 index 0000000000..f40f980838 --- /dev/null +++ b/queue-5.15/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch 
@@ -0,0 +1,53 @@ +From 45760fdb96cc8f68940194b2dce8a18365338b7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 17:43:13 +0100 +Subject: PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +[ Upstream commit b198499c7d2508a76243b98e7cca992f6fd2b7f7 ] + +Apparently the Raptor Lake-P reference firmware configures the PIO log size +correctly, but some vendor BIOSes, including at least ASUSTeK COMPUTER INC. +Zenbook UX3402VA_UX3402VA, do not. + +Apply the quirk for Raptor Lake-P. This prevents kernel complaints like: + + DPC: RP PIO log size 0 is invalid + +and also enables the DPC driver to dump the RP PIO Log registers when DPC +is triggered. + +Note that the bug report also mentions 8086:a76e, which has been already +added by 627c6db20703 ("PCI/DPC: Quirk PIO log size for Intel Raptor Lake +Root Ports"). + +Link: https://lore.kernel.org/r/20250102164315.7562-1-tiwai@suse.de +Link: https://bugzilla.suse.com/show_bug.cgi?id=1234623 +Signed-off-by: Takashi Iwai +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 24fde99c11a70..a1f85120f97e6 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -6005,6 +6005,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2b, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2d, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2f, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a31, dpc_log_size); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa72f, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa73f, dpc_log_size); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa76e, dpc_log_size); + #endif +-- +2.39.5 + 
diff --git a/queue-5.15/series b/queue-5.15/series index b1f5760b28..83b90bbe34 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -340,3 +340,22 @@ mptcp-prevent-excessive-coalescing-on-receive.patch tty-xilinx_uartps-split-sysrq-handling.patch nfsd-clear-acl_access-acl_default-after-releasing-them.patch nfsd-fix-hang-in-nfsd4_shutdown_callback.patch +hid-multitouch-add-null-check-in-mt_input_configured.patch +ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch +vrf-use-rcu-protection-in-l3mdev_l3_out.patch +team-better-team_option_type_string-validation.patch +arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch +drm-i915-selftests-avoid-using-uninitialized-context.patch +gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch +gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch +gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch +xen-remove-a-confusing-comment-on-auto-translated-gu.patch +x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch +media-cxd2841er-fix-64-bit-division-on-gcc-9.patch +media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch +pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch +vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch +grab-mm-lock-before-grabbing-pt-lock.patch +x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch +orangefs-fix-a-oob-in-orangefs_debug_write.patch +asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch diff --git a/queue-5.15/team-better-team_option_type_string-validation.patch b/queue-5.15/team-better-team_option_type_string-validation.patch new file mode 100644 index 0000000000..431b0702a9 --- /dev/null +++ b/queue-5.15/team-better-team_option_type_string-validation.patch 
@@ -0,0 +1,76 @@ +From bace5eab00b09af3276b263f10e119e069d0d020 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 13:49:28 +0000 +Subject: team: better TEAM_OPTION_TYPE_STRING validation + +From: Eric Dumazet + +[ Upstream commit 5bef3ac184b5626ea62385d6b82a1992b89d7940 ] + +syzbot reported following splat [1] + +Make sure user-provided data contains one nul byte. + +[1] + BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline] + BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714 + string_nocheck lib/vsprintf.c:633 [inline] + string+0x3ec/0x5f0 lib/vsprintf.c:714 + vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843 + __request_module+0x252/0x9f0 kernel/module/kmod.c:149 + team_mode_get drivers/net/team/team_core.c:480 [inline] + team_change_mode drivers/net/team/team_core.c:607 [inline] + team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401 + team_option_set drivers/net/team/team_core.c:375 [inline] + team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662 + genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543 + genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:718 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:733 + ____sys_sendmsg+0x877/0xb60 net/socket.c:2573 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627 + __sys_sendmsg net/socket.c:2659 [inline] + __do_sys_sendmsg net/socket.c:2664 [inline] + __se_sys_sendmsg net/socket.c:2662 [inline] + __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662 + x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 
arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Reported-by: syzbot+1fcd957a82e3a1baa94d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1fcd957a82e3a1baa94d +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20250212134928.1541609-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 015151cd22220..1e0adeb5e177c 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2665,7 +2665,9 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + ctx.data.u32_val = nla_get_u32(attr_data); + break; + case TEAM_OPTION_TYPE_STRING: +- if (nla_len(attr_data) > TEAM_STRING_MAX_LEN) { ++ if (nla_len(attr_data) > TEAM_STRING_MAX_LEN || ++ !memchr(nla_data(attr_data), '\0', ++ nla_len(attr_data))) { + err = -EINVAL; + goto team_put; + } +-- +2.39.5 + diff --git a/queue-5.15/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch b/queue-5.15/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch new file mode 100644 index 0000000000..66b91b55b4 --- /dev/null +++ b/queue-5.15/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch 
@@ -0,0 +1,49 @@ +From c4964536513f5315848e8962807540c14aa1956c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 05:19:37 -0800 +Subject: vfio/pci: Enable iowrite64 and ioread64 for vfio pci + +From: Ramesh Thomas + +[ Upstream commit 2b938e3db335e3670475e31a722c2bee34748c5a ] + +Definitions of ioread64 and iowrite64 macros in asm/io.h called by vfio +pci implementations are enclosed inside check for CONFIG_GENERIC_IOMAP. +They don't get defined if CONFIG_GENERIC_IOMAP is defined. Include +linux/io-64-nonatomic-lo-hi.h to define iowrite64 and ioread64 macros +when they are not defined. io-64-nonatomic-lo-hi.h maps the macros to +generic implementation in lib/iomap.c. The generic implementation does +64 bit rw if readq/writeq is defined for the architecture, otherwise it +would do 32 bit back to back rw. + +Note that there are two versions of the generic implementation that +differs in the order the 32 bit words are written if 64 bit support is +not present. This is not the little/big endian ordering, which is +handled separately. This patch uses the lo followed by hi word ordering +which is consistent with current back to back implementation in the +vfio/pci code. + +Signed-off-by: Ramesh Thomas +Reviewed-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/20241210131938.303500-2-ramesh.thomas@intel.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_rdwr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c +index 82ac1569deb05..e45c15e210ffd 100644 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include + +-- +2.39.5 + diff --git a/queue-5.15/vrf-use-rcu-protection-in-l3mdev_l3_out.patch b/queue-5.15/vrf-use-rcu-protection-in-l3mdev_l3_out.patch new file mode 100644 index 0000000000..2cb3fc5bc3 --- /dev/null 
+++ b/queue-5.15/vrf-use-rcu-protection-in-l3mdev_l3_out.patch @@ -0,0 +1,52 @@ +From c012f622d897ddf0ba9ffd6d555e7e49341781a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 13:58:38 +0000 +Subject: vrf: use RCU protection in l3mdev_l3_out() + +From: Eric Dumazet + +[ Upstream commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 ] + +l3mdev_l3_out() can be called without RCU being held: + +raw_sendmsg() + ip_push_pending_frames() + ip_send_skb() + ip_local_out() + __ip_local_out() + l3mdev_ip_out() + +Add rcu_read_lock() / rcu_read_unlock() pair to avoid +a potential UAF. + +Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/l3mdev.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h +index 031c661aa14df..bdfa9d414360c 100644 +--- a/include/net/l3mdev.h ++++ b/include/net/l3mdev.h +@@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto) + if (netif_is_l3_slave(dev)) { + struct net_device *master; + ++ rcu_read_lock(); + master = netdev_master_upper_dev_get_rcu(dev); + if (master && master->l3mdev_ops->l3mdev_l3_out) + skb = master->l3mdev_ops->l3mdev_l3_out(master, sk, + skb, proto); ++ rcu_read_unlock(); + } + + return skb; +-- +2.39.5 + diff --git a/queue-5.15/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch b/queue-5.15/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch new file mode 100644 index 0000000000..4c47ff08b7 --- /dev/null +++ b/queue-5.15/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch 
@@ -0,0 +1,152 @@ +From 59c102ad7cb7eda4e29a34629efded11fece904c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 21:03:16 -0500 +Subject: x86/mm/tlb: Only trim the mm_cpumask once a second + +From: Rik van Riel + +[ Upstream commit 6db2526c1d694c91c6e05e2f186c085e9460f202 ] + +Setting and clearing CPU bits in the mm_cpumask is only ever done +by the CPU itself, from the context switch code or the TLB flush +code. + +Synchronization is handled by switch_mm_irqs_off() blocking interrupts. + +Sending TLB flush IPIs to CPUs that are in the mm_cpumask, but no +longer running the program causes a regression in the will-it-scale +tlbflush2 test. This test is contrived, but a large regression here +might cause a small regression in some real world workload. + +Instead of always sending IPIs to CPUs that are in the mm_cpumask, +but no longer running the program, send these IPIs only once a second. + +The rest of the time we can skip over CPUs where the loaded_mm is +different from the target mm. 
+ +Reported-by: kernel test roboto +Signed-off-by: Rik van Riel +Signed-off-by: Ingo Molnar +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20241204210316.612ee573@fangorn +Closes: https://lore.kernel.org/oe-lkp/202411282207.6bd28eae-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/mmu.h | 2 ++ + arch/x86/include/asm/mmu_context.h | 1 + + arch/x86/include/asm/tlbflush.h | 1 + + arch/x86/mm/tlb.c | 35 +++++++++++++++++++++++++++--- + 4 files changed, 36 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h +index 5d7494631ea95..c07c018a1c139 100644 +--- a/arch/x86/include/asm/mmu.h ++++ b/arch/x86/include/asm/mmu.h +@@ -33,6 +33,8 @@ typedef struct { + */ + atomic64_t tlb_gen; + ++ unsigned long next_trim_cpumask; ++ + #ifdef CONFIG_MODIFY_LDT_SYSCALL + struct rw_semaphore ldt_usr_sem; + struct ldt_struct *ldt; +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index 27516046117a3..1d11aeb597542 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -106,6 +106,7 @@ static inline int init_new_context(struct task_struct *tsk, + + mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id); + atomic64_set(&mm->context.tlb_gen, 0); ++ mm->context.next_trim_cpumask = jiffies + HZ; + + #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS + if (cpu_feature_enabled(X86_FEATURE_OSPKE)) { +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index b587a9ee9cb25..22b93e35fa886 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -207,6 +207,7 @@ struct flush_tlb_info { + unsigned int initiating_cpu; + u8 stride_shift; + u8 freed_tables; ++ u8 trim_cpumask; + }; + + void flush_tlb_local(void); +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 511172d70825c..19d083ad2de79 100644 +--- 
a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -854,9 +854,36 @@ static void flush_tlb_func(void *info) + nr_invalidate); + } + +-static bool tlb_is_not_lazy(int cpu, void *data) ++static bool should_flush_tlb(int cpu, void *data) + { +- return !per_cpu(cpu_tlbstate_shared.is_lazy, cpu); ++ struct flush_tlb_info *info = data; ++ ++ /* Lazy TLB will get flushed at the next context switch. */ ++ if (per_cpu(cpu_tlbstate_shared.is_lazy, cpu)) ++ return false; ++ ++ /* No mm means kernel memory flush. */ ++ if (!info->mm) ++ return true; ++ ++ /* The target mm is loaded, and the CPU is not lazy. */ ++ if (per_cpu(cpu_tlbstate.loaded_mm, cpu) == info->mm) ++ return true; ++ ++ /* In cpumask, but not the loaded mm? Periodically remove by flushing. */ ++ if (info->trim_cpumask) ++ return true; ++ ++ return false; ++} ++ ++static bool should_trim_cpumask(struct mm_struct *mm) ++{ ++ if (time_after(jiffies, READ_ONCE(mm->context.next_trim_cpumask))) { ++ WRITE_ONCE(mm->context.next_trim_cpumask, jiffies + HZ); ++ return true; ++ } ++ return false; + } + + DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state_shared, cpu_tlbstate_shared); +@@ -890,7 +917,7 @@ STATIC_NOPV void native_flush_tlb_multi(const struct cpumask *cpumask, + if (info->freed_tables) + on_each_cpu_mask(cpumask, flush_tlb_func, (void *)info, true); + else +- on_each_cpu_cond_mask(tlb_is_not_lazy, flush_tlb_func, ++ on_each_cpu_cond_mask(should_flush_tlb, flush_tlb_func, + (void *)info, 1, cpumask); + } + +@@ -941,6 +968,7 @@ static struct flush_tlb_info *get_flush_tlb_info(struct mm_struct *mm, + info->freed_tables = freed_tables; + info->new_tlb_gen = new_tlb_gen; + info->initiating_cpu = smp_processor_id(); ++ info->trim_cpumask = 0; + + return info; + } +@@ -983,6 +1011,7 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + * flush_tlb_func_local() directly in this case. 
+ */ + if (cpumask_any_but(mm_cpumask(mm), cpu) < nr_cpu_ids) { ++ info->trim_cpumask = should_trim_cpumask(mm); + flush_tlb_multi(mm_cpumask(mm), info); + } else if (mm == this_cpu_read(cpu_tlbstate.loaded_mm)) { + lockdep_assert_irqs_enabled(); +-- +2.39.5 + diff --git a/queue-5.15/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch b/queue-5.15/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch new file mode 100644 index 0000000000..15a1f93a25 --- /dev/null +++ b/queue-5.15/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch 
@@ -0,0 +1,171 @@ +From 9918e7f187a8266e2594f9fd41b673b8dfc878b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 11:16:28 +0100 +Subject: x86/xen: allow larger contiguous memory regions in PV guests + +From: Juergen Gross + +[ Upstream commit e93ec87286bd1fd30b7389e7a387cfb259f297e3 ] + +Today a PV guest (including dom0) can create 2MB contiguous memory +regions for DMA buffers at max. This has led to problems at least +with the megaraid_sas driver, which wants to allocate a 2.3MB DMA +buffer. + +The limiting factor is the frame array used to do the hypercall for +making the memory contiguous, which has 512 entries and is just a +static array in mmu_pv.c. + +In order to not waste memory for non-PV guests, put the initial +frame array into .init.data section and dynamically allocate an array +from the .init_after_bootmem hook of PV guests. + +In case a contiguous memory area larger than the initially supported +2MB is requested, allocate a larger buffer for the frame list. Note +that such an allocation is tried only after memory management has been +initialized properly, which is tested via a flag being set in the +.init_after_bootmem hook. + +Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers") +Signed-off-by: Juergen Gross +Tested-by: Alan Robinson +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 71 +++++++++++++++++++++++++++++++++++++------ + 1 file changed, 62 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index 03c9ec0212c9e..f88071566cac5 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -95,6 +95,51 @@ static pud_t level3_user_vsyscall[PTRS_PER_PUD] __page_aligned_bss; + */ + static DEFINE_SPINLOCK(xen_reservation_lock); + ++/* Protected by xen_reservation_lock. 
*/ ++#define MIN_CONTIG_ORDER 9 /* 2MB */ ++static unsigned int discontig_frames_order = MIN_CONTIG_ORDER; ++static unsigned long discontig_frames_early[1UL << MIN_CONTIG_ORDER] __initdata; ++static unsigned long *discontig_frames __refdata = discontig_frames_early; ++static bool discontig_frames_dyn; ++ ++static int alloc_discontig_frames(unsigned int order) ++{ ++ unsigned long *new_array, *old_array; ++ unsigned int old_order; ++ unsigned long flags; ++ ++ BUG_ON(order < MIN_CONTIG_ORDER); ++ BUILD_BUG_ON(sizeof(discontig_frames_early) != PAGE_SIZE); ++ ++ new_array = (unsigned long *)__get_free_pages(GFP_KERNEL, ++ order - MIN_CONTIG_ORDER); ++ if (!new_array) ++ return -ENOMEM; ++ ++ spin_lock_irqsave(&xen_reservation_lock, flags); ++ ++ old_order = discontig_frames_order; ++ ++ if (order > discontig_frames_order || !discontig_frames_dyn) { ++ if (!discontig_frames_dyn) ++ old_array = NULL; ++ else ++ old_array = discontig_frames; ++ ++ discontig_frames = new_array; ++ discontig_frames_order = order; ++ discontig_frames_dyn = true; ++ } else { ++ old_array = new_array; ++ } ++ ++ spin_unlock_irqrestore(&xen_reservation_lock, flags); ++ ++ free_pages((unsigned long)old_array, old_order - MIN_CONTIG_ORDER); ++ ++ return 0; ++} ++ + /* + * Note about cr3 (pagetable base) values: + * +@@ -791,6 +836,9 @@ static void __init xen_after_bootmem(void) + static_branch_enable(&xen_struct_pages_ready); + SetPagePinned(virt_to_page(level3_user_vsyscall)); + xen_pgd_walk(&init_mm, xen_mark_pinned, FIXADDR_TOP); ++ ++ if (alloc_discontig_frames(MIN_CONTIG_ORDER)) ++ BUG(); + } + + static void xen_unpin_page(struct mm_struct *mm, struct page *page, +@@ -2151,10 +2199,6 @@ void __init xen_init_mmu_ops(void) + memset(dummy_mapping, 0xff, PAGE_SIZE); + } + +-/* Protected by xen_reservation_lock. 
*/ +-#define MAX_CONTIG_ORDER 9 /* 2MB */ +-static unsigned long discontig_frames[1< MAX_CONTIG_ORDER)) +- return -ENOMEM; ++ if (unlikely(order > discontig_frames_order)) { ++ if (!discontig_frames_dyn) ++ return -ENOMEM; ++ ++ if (alloc_discontig_frames(order)) ++ return -ENOMEM; ++ } + + memset((void *) vstart, 0, PAGE_SIZE << order); + + spin_lock_irqsave(&xen_reservation_lock, flags); + ++ in_frames = discontig_frames; ++ + /* 1. Zap current PTEs, remembering MFNs. */ + xen_zap_pfn_range(vstart, order, in_frames, NULL); + +@@ -2306,12 +2357,12 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order, + + void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order) + { +- unsigned long *out_frames = discontig_frames, in_frame; ++ unsigned long *out_frames, in_frame; + unsigned long flags; + int success; + unsigned long vstart; + +- if (unlikely(order > MAX_CONTIG_ORDER)) ++ if (unlikely(order > discontig_frames_order)) + return; + + vstart = (unsigned long)phys_to_virt(pstart); +@@ -2319,6 +2370,8 @@ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order) + + spin_lock_irqsave(&xen_reservation_lock, flags); + ++ out_frames = discontig_frames; ++ + /* 1. Find start MFN of contiguous extent. */ + in_frame = virt_to_mfn(vstart); + +-- +2.39.5 + diff --git a/queue-5.15/xen-remove-a-confusing-comment-on-auto-translated-gu.patch b/queue-5.15/xen-remove-a-confusing-comment-on-auto-translated-gu.patch new file mode 100644 index 0000000000..5c5f673485 --- /dev/null +++ b/queue-5.15/xen-remove-a-confusing-comment-on-auto-translated-gu.patch 
@@ -0,0 +1,44 @@ +From fc9bf8952222440d531aeb55b403aa50fcca90e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 18:31:51 +0200 +Subject: xen: remove a confusing comment on auto-translated guest I/O + +From: Petr Tesarik + +[ Upstream commit d826c9e61c99120f8996f8fed6417167e32eb922 ] + +After removing the conditional return from xen_create_contiguous_region(), +the accompanying comment was left in place, but it now precedes an +unrelated conditional and confuses readers. + +Fixes: 989513a735f5 ("xen: cleanup pvh leftovers from pv-only sources") +Signed-off-by: Petr Tesarik +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20230802163151.1486-1-petrtesarik@huaweicloud.com +Signed-off-by: Juergen Gross +Stable-dep-of: e93ec87286bd ("x86/xen: allow larger contiguous memory regions in PV guests") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index 3359c23573c50..03c9ec0212c9e 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -2276,12 +2276,6 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order, + int success; + unsigned long vstart = (unsigned long)phys_to_virt(pstart); + +- /* +- * Currently an auto-translated guest will not perform I/O, nor will +- * it require PAE page directories below 4GB. Therefore any calls to +- * this function are redundant and can be ignored. +- */ +- + if (unlikely(order > MAX_CONTIG_ORDER)) + return -ENOMEM; + +-- +2.39.5 +
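Review bot: In the vidtv_bridge.c patch, the early return added to vidtv_stop_streaming() keys only on dvb->streaming, while dvb->mux still points at the destroyed mux after vidtv_mux_destroy(dvb->mux). Setting dvb->mux = NULL after the destroy would keep the stop path safe if the flag and the pointer ever get out of step again, as they did before the first hunk moved dvb->streaming = true below the vidtv_mux_init() check. Neither hunk shows any locking around the flag, so the commit message should name what serialises start and stop. dev_warn_ratelimited() is also loud for a path reached from file release (see the dvb_demux_release frame in the trace); dev_dbg_ratelimited(), as the start path already uses, would match.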
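Review bot: In the net/ipv6/ndisc.c hunk, dev_get_by_index_rcu() returns the device without taking a reference, so dev is only valid inside the RCU read-side section that the commit message says the caller holds, and nothing in the visible lines documents that requirement. A one-line comment above the netif_is_l3_master(skb->dev) block stating that ndisc_send_redirect() runs under rcu_read_lock() would stop a later change from using dev past that section.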
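Review bot: In the fs/orangefs/orangefs-debugfs.c hunk, count is now clamped to ORANGEFS_MAX_DEBUG_STRING_LEN, which is exactly the size passed to kzalloc() on the last context line, and the copy from user space is outside the visible lines. If that copy moves count bytes, a maximum-length write fills the buffer and leaves no terminating NUL for whatever later parses it as a string; please confirm the copy length or allocate ORANGEFS_MAX_DEBUG_STRING_LEN + 1. The commit message should also state what the off-by-one was (the old clamp allowed one byte more than the allocation) and carry a Fixes: tag, since "I got a syzbot report" does not tell a backporter which trees are affected.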
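Review bot: In the drivers/net/team/team.c hunk, the memchr() test under case TEAM_OPTION_TYPE_STRING accepts any attribute that contains a NUL anywhere, so a payload with bytes after the first NUL still passes and those trailing bytes are silently ignored by string consumers. If only a properly terminated string is meant to be valid, require that the first NUL is the final byte of the attribute, or add a comment saying embedded NULs are tolerated. For the changelog: the KMSAN trace names drivers/net/team/team_core.c and team_nl_options_set_doit(), while this backport patches drivers/net/team/team.c and team_nl_cmd_options_set(); a one-line backport note would save the next reader the lookup.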
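Review bot: In the include/net/l3mdev.h hunk, rcu_read_lock() is taken after netif_is_l3_slave(dev) has already dereferenced dev, and how dev was obtained is above the visible context. If dev is not pinned by other means on the path the commit message lists (raw_sendmsg() down to l3mdev_ip_out()), the read-side section needs to start before dev is loaded, not only around netdev_master_upper_dev_get_rcu(); please confirm and say so in the commit message.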
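Review bot: In the arch/x86/mm/tlb.c hunk that adds should_trim_cpumask(), the READ_ONCE() test and the following WRITE_ONCE() on mm->context.next_trim_cpumask are two separate steps, so two CPUs flushing the same mm can both see the deadline expired and both return true. That only costs an extra round of IPIs, but the function should carry a comment saying the race is tolerated. The new next_trim_cpumask field in mmu.h also has no comment giving its unit (jiffies) or who updates it. In native_flush_tlb_multi(), the info->freed_tables branch still calls on_each_cpu_mask() unconditionally, so the once-a-second limit applies only to the else branch; worth a sentence in the changelog.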
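Review bot: In the arch/x86/xen/mmu_pv.c hunk that adds alloc_discontig_frames(), the else branch sets old_array = new_array, but the free_pages() call after the unlock uses old_order - MIN_CONTIG_ORDER, where old_order is the order of the table already installed and not the order that new_array was allocated with. xen_create_contiguous_region() tests order > discontig_frames_order before taking xen_reservation_lock, so two callers can both decide to grow; if the larger request installs its table first, the smaller one reaches the else branch with old_order > order and frees its pages with the wrong order. Setting old_order = order in the else branch fixes that. Passing a NULL old_array to free_pages() on the first call is fine, but a short comment would make it clear that this is intended.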