From: Sasha Levin Date: Fri, 29 Mar 2024 11:55:33 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v6.7.12~167^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5f57d2e7b8aa86ee751502f21308789f544d0ebb;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/clocksource-drivers-arm_global_timer-fix-maximum-pre.patch b/queue-6.1/clocksource-drivers-arm_global_timer-fix-maximum-pre.patch new file mode 100644 index 00000000000..d8635257521 --- /dev/null +++ b/queue-6.1/clocksource-drivers-arm_global_timer-fix-maximum-pre.patch @@ -0,0 +1,38 @@ +From 5753b6690658e50d90d036f20bf801f5f272a82d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Feb 2024 18:41:37 +0100 +Subject: clocksource/drivers/arm_global_timer: Fix maximum prescaler value + +From: Martin Blumenstingl + +[ Upstream commit b34b9547cee41575a4fddf390f615570759dc999 ] + +The prescaler in the "Global Timer Control Register bit assignments" is +documented to use bits [15:8], which means that the maximum prescaler +register value is 0xff. + +Fixes: 171b45a4a70e ("clocksource/drivers/arm_global_timer: Implement rate compensation whenever source clock changes") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20240218174138.1942418-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/arm_global_timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/arm_global_timer.c b/drivers/clocksource/arm_global_timer.c +index 44a61dc6f9320..e1c773bb55359 100644 +--- a/drivers/clocksource/arm_global_timer.c ++++ b/drivers/clocksource/arm_global_timer.c +@@ -32,7 +32,7 @@ + #define GT_CONTROL_IRQ_ENABLE BIT(2) /* banked */ + #define GT_CONTROL_AUTO_INC BIT(3) /* banked */ + #define GT_CONTROL_PRESCALER_SHIFT 8 +-#define GT_CONTROL_PRESCALER_MAX 0xF ++#define GT_CONTROL_PRESCALER_MAX 0xFF + #define GT_CONTROL_PRESCALER_MASK (GT_CONTROL_PRESCALER_MAX << \ + GT_CONTROL_PRESCALER_SHIFT) + +-- +2.43.0 + diff --git a/queue-6.1/efi-fix-panic-in-kdump-kernel.patch b/queue-6.1/efi-fix-panic-in-kdump-kernel.patch new file mode 100644 index 00000000000..2145155e360 --- /dev/null +++ b/queue-6.1/efi-fix-panic-in-kdump-kernel.patch @@ -0,0 +1,39 @@ +From bcaa194d46de8ff6ba661d83ff4c3bd662c46100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Mar 2024 06:33:33 +0000 +Subject: efi: fix panic in kdump kernel + +From: Oleksandr Tymoshenko + +[ Upstream commit 62b71cd73d41ddac6b1760402bbe8c4932e23531 ] + +Check if get_next_variable() is actually valid pointer before +calling it. In kdump kernel this method is set to NULL that causes +panic during the kexec-ed kernel boot. + +Tested with QEMU and OVMF firmware. + +Fixes: bad267f9e18f ("efi: verify that variable services are supported") +Signed-off-by: Oleksandr Tymoshenko +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/efi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index 9077353d1c98d..28d4defc5d0cd 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -194,6 +194,8 @@ static bool generic_ops_supported(void) + + name_size = sizeof(name); + ++ if (!efi.get_next_variable) ++ return false; + status = efi.get_next_variable(&name_size, &name, &guid); + if (status == EFI_UNSUPPORTED) + return false; +-- +2.43.0 + diff --git a/queue-6.1/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch b/queue-6.1/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch new file mode 100644 index 00000000000..cf1e973b011 --- /dev/null +++ b/queue-6.1/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch @@ -0,0 +1,75 @@ +From d8d76d04be2a2cdb8bd0fc30d4fcee22ade169cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 10:47:02 +0000 +Subject: efi/libstub: fix efi_random_alloc() to allocate memory at alloc_min + or higher address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: KONDO KAZUMA(近藤 和真) + +[ Upstream commit 3cb4a4827596abc82e55b80364f509d0fefc3051 ] + +Following warning is sometimes observed while booting my servers: + [ 3.594838] DMA: preallocated 4096 KiB GFP_KERNEL pool for atomic allocations + [ 3.602918] swapper/0: page allocation failure: order:10, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0-1 + ... + [ 3.851862] DMA: preallocated 1024 KiB GFP_KERNEL|GFP_DMA pool for atomic allocation + +If 'nokaslr' boot option is set, the warning always happens. + +On x86, ZONE_DMA is small zone at the first 16MB of physical address +space. When this problem happens, most of that space seems to be used by +decompressed kernel. Thereby, there is not enough space at DMA_ZONE to +meet the request of DMA pool allocation. + +The commit 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below +LOAD_PHYSICAL_ADDR") tried to fix this problem by introducing lower +bound of allocation. + +But the fix is not complete. + +efi_random_alloc() allocates pages by following steps. +1. Count total available slots ('total_slots') +2. Select a slot ('target_slot') to allocate randomly +3. Calculate a starting address ('target') to be included target_slot +4. Allocate pages, which starting address is 'target' + +In step 1, 'alloc_min' is used to offset the starting address of memory +chunk. But in step 3 'alloc_min' is not considered at all. As the +result, 'target' can be miscalculated and become lower than 'alloc_min'. + +When KASLR is disabled, 'target_slot' is always 0 and the problem +happens everytime if the EFI memory map of the system meets the +condition. + +Fix this problem by calculating 'target' considering 'alloc_min'. + +Cc: linux-efi@vger.kernel.org +Cc: Tom Englund +Cc: linux-kernel@vger.kernel.org +Fixes: 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR") +Signed-off-by: Kazuma Kondo +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/randomalloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c +index 7ba05719a53ba..0d7b11b55ff31 100644 +--- a/drivers/firmware/efi/libstub/randomalloc.c ++++ b/drivers/firmware/efi/libstub/randomalloc.c +@@ -119,7 +119,7 @@ efi_status_t efi_random_alloc(unsigned long size, + continue; + } + +- target = round_up(md->phys_addr, align) + target_slot * align; ++ target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align; + pages = size / EFI_PAGE_SIZE; + + status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS, +-- +2.43.0 + diff --git a/queue-6.1/entry-respect-changes-to-system-call-number-by-trace.patch b/queue-6.1/entry-respect-changes-to-system-call-number-by-trace.patch new file mode 100644 index 00000000000..b2c7b70b934 --- /dev/null +++ b/queue-6.1/entry-respect-changes-to-system-call-number-by-trace.patch @@ -0,0 +1,57 @@ +From cd4a3be5ff3d6be1457198758afb54ffeb002e6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 21:17:04 +0000 +Subject: entry: Respect changes to system call number by trace_sys_enter() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: André Rösti + +[ Upstream commit fb13b11d53875e28e7fbf0c26b288e4ea676aa9f ] + +When a probe is registered at the trace_sys_enter() tracepoint, and that +probe changes the system call number, the old system call still gets +executed. This worked correctly until commit b6ec41346103 ("core/entry: +Report syscall correctly for trace and audit"), which removed the +re-evaluation of the syscall number after the trace point. + +Restore the original semantics by re-evaluating the system call number +after trace_sys_enter(). + +The performance impact of this re-evaluation is minimal because it only +takes place when a trace point is active, and compared to the actual trace +point overhead the read from a cache hot variable is negligible. + +Fixes: b6ec41346103 ("core/entry: Report syscall correctly for trace and audit") +Signed-off-by: André Rösti +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240311211704.7262-1-an.roesti@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/entry/common.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/kernel/entry/common.c b/kernel/entry/common.c +index be61332c66b54..ccf2b1e1b40be 100644 +--- a/kernel/entry/common.c ++++ b/kernel/entry/common.c +@@ -77,8 +77,14 @@ static long syscall_trace_enter(struct pt_regs *regs, long syscall, + /* Either of the above might have changed the syscall number */ + syscall = syscall_get_nr(current, regs); + +- if (unlikely(work & SYSCALL_WORK_SYSCALL_TRACEPOINT)) ++ if (unlikely(work & SYSCALL_WORK_SYSCALL_TRACEPOINT)) { + trace_sys_enter(regs, syscall); ++ /* ++ * Probes or BPF hooks in the tracepoint may have changed the ++ * system call number as well. ++ */ ++ syscall = syscall_get_nr(current, regs); ++ } + + syscall_enter_audit(regs, syscall); + +-- +2.43.0 + diff --git a/queue-6.1/iommu-dma-force-swiotlb_max_mapping_size-on-an-untru.patch b/queue-6.1/iommu-dma-force-swiotlb_max_mapping_size-on-an-untru.patch new file mode 100644 index 00000000000..d490902bb4d --- /dev/null +++ b/queue-6.1/iommu-dma-force-swiotlb_max_mapping_size-on-an-untru.patch @@ -0,0 +1,96 @@ +From 01e0e7f7dcc492f6ceb9c52e7552b9f24116d677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 15:28:28 +0000 +Subject: iommu/dma: Force swiotlb_max_mapping_size on an untrusted device + +From: Nicolin Chen + +[ Upstream commit afc5aa46ed560f01ceda897c053c6a40c77ce5c4 ] + +The swiotlb does not support a mapping size > swiotlb_max_mapping_size(). +On the other hand, with a 64KB PAGE_SIZE configuration, it's observed that +an NVME device can map a size between 300KB~512KB, which certainly failed +the swiotlb mappings, though the default pool of swiotlb has many slots: + systemd[1]: Started Journal Service. + => nvme 0000:00:01.0: swiotlb buffer is full (sz: 327680 bytes), total 32768 (slots), used 32 (slots) + note: journal-offline[392] exited with irqs disabled + note: journal-offline[392] exited with preempt_count 1 + +Call trace: +[ 3.099918] swiotlb_tbl_map_single+0x214/0x240 +[ 3.099921] iommu_dma_map_page+0x218/0x328 +[ 3.099928] dma_map_page_attrs+0x2e8/0x3a0 +[ 3.101985] nvme_prep_rq.part.0+0x408/0x878 [nvme] +[ 3.102308] nvme_queue_rqs+0xc0/0x300 [nvme] +[ 3.102313] blk_mq_flush_plug_list.part.0+0x57c/0x600 +[ 3.102321] blk_add_rq_to_plug+0x180/0x2a0 +[ 3.102323] blk_mq_submit_bio+0x4c8/0x6b8 +[ 3.103463] __submit_bio+0x44/0x220 +[ 3.103468] submit_bio_noacct_nocheck+0x2b8/0x360 +[ 3.103470] submit_bio_noacct+0x180/0x6c8 +[ 3.103471] submit_bio+0x34/0x130 +[ 3.103473] ext4_bio_write_folio+0x5a4/0x8c8 +[ 3.104766] mpage_submit_folio+0xa0/0x100 +[ 3.104769] mpage_map_and_submit_buffers+0x1a4/0x400 +[ 3.104771] ext4_do_writepages+0x6a0/0xd78 +[ 3.105615] ext4_writepages+0x80/0x118 +[ 3.105616] do_writepages+0x90/0x1e8 +[ 3.105619] filemap_fdatawrite_wbc+0x94/0xe0 +[ 3.105622] __filemap_fdatawrite_range+0x68/0xb8 +[ 3.106656] file_write_and_wait_range+0x84/0x120 +[ 3.106658] ext4_sync_file+0x7c/0x4c0 +[ 3.106660] vfs_fsync_range+0x3c/0xa8 +[ 3.106663] do_fsync+0x44/0xc0 + +Since untrusted devices might go down the swiotlb pathway with dma-iommu, +these devices should not map a size larger than swiotlb_max_mapping_size. + +To fix this bug, add iommu_dma_max_mapping_size() for untrusted devices to +take into account swiotlb_max_mapping_size() v.s. iova_rcache_range() from +the iommu_dma_opt_mapping_size(). + +Fixes: 82612d66d51d ("iommu: Allow the dma-iommu api to use bounce buffers") +Link: https://lore.kernel.org/r/ee51a3a5c32cf885b18f6416171802669f4a718a.1707851466.git.nicolinc@nvidia.com +Signed-off-by: Nicolin Chen +[will: Drop redundant is_swiotlb_active(dev) check] +Signed-off-by: Will Deacon +Reviewed-by: Michael Kelley +Acked-by: Robin Murphy +Tested-by: Nicolin Chen +Tested-by: Michael Kelley +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/iommu/dma-iommu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c +index aa6d62cc567ae..3fa66dba0a326 100644 +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -1547,6 +1547,14 @@ static size_t iommu_dma_opt_mapping_size(void) + return iova_rcache_range(); + } + ++static size_t iommu_dma_max_mapping_size(struct device *dev) ++{ ++ if (dev_is_untrusted(dev)) ++ return swiotlb_max_mapping_size(dev); ++ ++ return SIZE_MAX; ++} ++ + static const struct dma_map_ops iommu_dma_ops = { + .flags = DMA_F_PCI_P2PDMA_SUPPORTED, + .alloc = iommu_dma_alloc, +@@ -1569,6 +1577,7 @@ static const struct dma_map_ops iommu_dma_ops = { + .unmap_resource = iommu_dma_unmap_resource, + .get_merge_boundary = iommu_dma_get_merge_boundary, + .opt_mapping_size = iommu_dma_opt_mapping_size, ++ .max_mapping_size = iommu_dma_max_mapping_size, + }; + + /* +-- +2.43.0 + diff --git a/queue-6.1/irqchip-renesas-rzg2l-add-macro-to-retrieve-titsr-re.patch b/queue-6.1/irqchip-renesas-rzg2l-add-macro-to-retrieve-titsr-re.patch new file mode 100644 index 00000000000..8e36a72eb8e --- /dev/null +++ b/queue-6.1/irqchip-renesas-rzg2l-add-macro-to-retrieve-titsr-re.patch @@ -0,0 +1,74 @@ +From c7a83b3e1ab62cba737f47735b8f0e850b21cb76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:18:17 +0200 +Subject: irqchip/renesas-rzg2l: Add macro to retrieve TITSR register offset + based on register's index + +From: Claudiu Beznea + +[ Upstream commit 2eca4731cc66563b3919d8753dbd74d18c39f662 ] + +There are 2 TITSR registers available on the IA55 interrupt controller. + +Add a macro that retrieves the TITSR register offset based on it's +index. This macro is useful in when adding suspend/resume support so both +TITSR registers can be accessed in a for loop. + +Signed-off-by: Claudiu Beznea +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20231120111820.87398-7-claudiu.beznea.uj@bp.renesas.com +Stable-dep-of: 853a6030303f ("irqchip/renesas-rzg2l: Prevent spurious interrupts when setting trigger type") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index 454af6faf42bc..a74391615ab38 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -28,8 +28,7 @@ + #define ISCR 0x10 + #define IITSR 0x14 + #define TSCR 0x20 +-#define TITSR0 0x24 +-#define TITSR1 0x28 ++#define TITSR(n) (0x24 + (n) * 4) + #define TITSR0_MAX_INT 16 + #define TITSEL_WIDTH 0x2 + #define TSSR(n) (0x30 + ((n) * 4)) +@@ -206,8 +205,7 @@ static int rzg2l_tint_set_edge(struct irq_data *d, unsigned int type) + struct rzg2l_irqc_priv *priv = irq_data_to_priv(d); + unsigned int hwirq = irqd_to_hwirq(d); + u32 titseln = hwirq - IRQC_TINT_START; +- u32 offset; +- u8 sense; ++ u8 index, sense; + u32 reg; + + switch (type & IRQ_TYPE_SENSE_MASK) { +@@ -223,17 +221,17 @@ static int rzg2l_tint_set_edge(struct irq_data *d, unsigned int type) + return -EINVAL; + } + +- offset = TITSR0; ++ index = 0; + if (titseln >= TITSR0_MAX_INT) { + titseln -= TITSR0_MAX_INT; +- offset = TITSR1; ++ index = 1; + } + + raw_spin_lock(&priv->lock); +- reg = readl_relaxed(priv->base + offset); ++ reg = readl_relaxed(priv->base + TITSR(index)); + reg &= ~(IRQ_MASK << (titseln * TITSEL_WIDTH)); + reg |= sense << (titseln * TITSEL_WIDTH); +- writel_relaxed(reg, priv->base + offset); ++ writel_relaxed(reg, priv->base + TITSR(index)); + raw_spin_unlock(&priv->lock); + + return 0; +-- +2.43.0 + diff --git a/queue-6.1/irqchip-renesas-rzg2l-flush-posted-write-in-irq_eoi.patch b/queue-6.1/irqchip-renesas-rzg2l-flush-posted-write-in-irq_eoi.patch new file mode 100644 index 00000000000..e719dd89486 --- /dev/null +++ b/queue-6.1/irqchip-renesas-rzg2l-flush-posted-write-in-irq_eoi.patch @@ -0,0 +1,66 @@ +From 5d6c96a7440e735911511546e0596e93428c0a29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 18:39:18 +0000 +Subject: irqchip/renesas-rzg2l: Flush posted write in irq_eoi() + +From: Biju Das + +[ Upstream commit 9eec61df55c51415409c7cc47e9a1c8de94a0522 ] + +The irq_eoi() callback of the RZ/G2L interrupt chip clears the relevant +interrupt cause bit in the TSCR register by writing to it. + +This write is not sufficient because the write is posted and therefore not +guaranteed to immediately clear the bit. Due to that delay the CPU can +raise the just handled interrupt again. + +Prevent this by reading the register back which causes the posted write to +be flushed to the hardware before the read completes. + +Fixes: 3fed09559cd8 ("irqchip: Add RZ/G2L IA55 Interrupt Controller driver") +Signed-off-by: Biju Das +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index fbd1766f6aaa5..454af6faf42bc 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -81,8 +81,14 @@ static void rzg2l_irq_eoi(struct irq_data *d) + * ISCR can only be cleared if the type is falling-edge, rising-edge or + * falling/rising-edge. + */ +- if ((iscr & bit) && (iitsr & IITSR_IITSEL_MASK(hw_irq))) ++ if ((iscr & bit) && (iitsr & IITSR_IITSEL_MASK(hw_irq))) { + writel_relaxed(iscr & ~bit, priv->base + ISCR); ++ /* ++ * Enforce that the posted write is flushed to prevent that the ++ * just handled interrupt is raised again. ++ */ ++ readl_relaxed(priv->base + ISCR); ++ } + } + + static void rzg2l_tint_eoi(struct irq_data *d) +@@ -93,8 +99,14 @@ static void rzg2l_tint_eoi(struct irq_data *d) + u32 reg; + + reg = readl_relaxed(priv->base + TSCR); +- if (reg & bit) ++ if (reg & bit) { + writel_relaxed(reg & ~bit, priv->base + TSCR); ++ /* ++ * Enforce that the posted write is flushed to prevent that the ++ * just handled interrupt is raised again. ++ */ ++ readl_relaxed(priv->base + TSCR); ++ } + } + + static void rzg2l_irqc_eoi(struct irq_data *d) +-- +2.43.0 + diff --git a/queue-6.1/irqchip-renesas-rzg2l-implement-restriction-when-wri.patch b/queue-6.1/irqchip-renesas-rzg2l-implement-restriction-when-wri.patch new file mode 100644 index 00000000000..d828f80b299 --- /dev/null +++ b/queue-6.1/irqchip-renesas-rzg2l-implement-restriction-when-wri.patch @@ -0,0 +1,69 @@ +From 27ce0217527ee7b3e91694731c7320c35a41f638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2023 13:18:16 +0200 +Subject: irqchip/renesas-rzg2l: Implement restriction when writing ISCR + register + +From: Claudiu Beznea + +[ Upstream commit ef88eefb1a81a8701eabb7d5ced761a66a465a49 ] + +The RZ/G2L manual (chapter "IRQ Status Control Register (ISCR)") describes +the operation to clear interrupts through the ISCR register as follows: + +[Write operation] + + When "Falling-edge detection", "Rising-edge detection" or + "Falling/Rising-edge detection" is set in IITSR: + + - In case ISTAT is 1 + 0: IRQn interrupt detection status is cleared. + 1: Invalid to write. + - In case ISTAT is 0 + Invalid to write. + + When "Low-level detection" is set in IITSR.: + Invalid to write. + +Take the interrupt type into account when clearing interrupts through the +ISCR register to avoid writing the ISCR when the interrupt type is level. + +Signed-off-by: Claudiu Beznea +Signed-off-by: Thomas Gleixner +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20231120111820.87398-6-claudiu.beznea.uj@bp.renesas.com +Stable-dep-of: 9eec61df55c5 ("irqchip/renesas-rzg2l: Flush posted write in irq_eoi()") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index 10c3e85c90c23..fbd1766f6aaa5 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -72,11 +72,17 @@ static void rzg2l_irq_eoi(struct irq_data *d) + unsigned int hw_irq = irqd_to_hwirq(d) - IRQC_IRQ_START; + struct rzg2l_irqc_priv *priv = irq_data_to_priv(d); + u32 bit = BIT(hw_irq); +- u32 reg; ++ u32 iitsr, iscr; + +- reg = readl_relaxed(priv->base + ISCR); +- if (reg & bit) +- writel_relaxed(reg & ~bit, priv->base + ISCR); ++ iscr = readl_relaxed(priv->base + ISCR); ++ iitsr = readl_relaxed(priv->base + IITSR); ++ ++ /* ++ * ISCR can only be cleared if the type is falling-edge, rising-edge or ++ * falling/rising-edge. ++ */ ++ if ((iscr & bit) && (iitsr & IITSR_IITSEL_MASK(hw_irq))) ++ writel_relaxed(iscr & ~bit, priv->base + ISCR); + } + + static void rzg2l_tint_eoi(struct irq_data *d) +-- +2.43.0 + diff --git a/queue-6.1/irqchip-renesas-rzg2l-prevent-spurious-interrupts-wh.patch b/queue-6.1/irqchip-renesas-rzg2l-prevent-spurious-interrupts-wh.patch new file mode 100644 index 00000000000..29baf156144 --- /dev/null +++ b/queue-6.1/irqchip-renesas-rzg2l-prevent-spurious-interrupts-wh.patch @@ -0,0 +1,133 @@ +From 67856bebffe33f1ffe819cbbc135c941321a06ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 18:39:21 +0000 +Subject: irqchip/renesas-rzg2l: Prevent spurious interrupts when setting + trigger type + +From: Biju Das + +[ Upstream commit 853a6030303f8a8fa54929b68e5665d9b21aa405 ] + +RZ/G2L interrupt chips require that the interrupt is masked before changing +the NMI, IRQ, TINT interrupt settings. Aside of that, after setting an edge +trigger type it is required to clear the interrupt status register in order +to avoid spurious interrupts. + +The current implementation fails to do either of that and therefore is +prone to generate spurious interrupts when setting the trigger type. + +Address this by: + + - Ensuring that the interrupt is masked at the chip level across the + update for the TINT chip + + - Clearing the interrupt status register after updating the trigger mode + for edge type interrupts + +[ tglx: Massaged changelog and reverted the spin_lock_irqsave() change as + the set_type() callback is always called with interrupts disabled. ] + +Fixes: 3fed09559cd8 ("irqchip: Add RZ/G2L IA55 Interrupt Controller driver") +Signed-off-by: Biju Das +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 36 +++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index aa27335ab2eec..be71459c7465a 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -162,8 +162,10 @@ static void rzg2l_irqc_irq_enable(struct irq_data *d) + + static int rzg2l_irq_set_type(struct irq_data *d, unsigned int type) + { +- unsigned int hw_irq = irqd_to_hwirq(d) - IRQC_IRQ_START; + struct rzg2l_irqc_priv *priv = irq_data_to_priv(d); ++ unsigned int hwirq = irqd_to_hwirq(d); ++ u32 iitseln = hwirq - IRQC_IRQ_START; ++ bool clear_irq_int = false; + u16 sense, tmp; + + switch (type & IRQ_TYPE_SENSE_MASK) { +@@ -173,14 +175,17 @@ static int rzg2l_irq_set_type(struct irq_data *d, unsigned int type) + + case IRQ_TYPE_EDGE_FALLING: + sense = IITSR_IITSEL_EDGE_FALLING; ++ clear_irq_int = true; + break; + + case IRQ_TYPE_EDGE_RISING: + sense = IITSR_IITSEL_EDGE_RISING; ++ clear_irq_int = true; + break; + + case IRQ_TYPE_EDGE_BOTH: + sense = IITSR_IITSEL_EDGE_BOTH; ++ clear_irq_int = true; + break; + + default: +@@ -189,21 +194,40 @@ static int rzg2l_irq_set_type(struct irq_data *d, unsigned int type) + + raw_spin_lock(&priv->lock); + tmp = readl_relaxed(priv->base + IITSR); +- tmp &= ~IITSR_IITSEL_MASK(hw_irq); +- tmp |= IITSR_IITSEL(hw_irq, sense); ++ tmp &= ~IITSR_IITSEL_MASK(iitseln); ++ tmp |= IITSR_IITSEL(iitseln, sense); ++ if (clear_irq_int) ++ rzg2l_clear_irq_int(priv, hwirq); + writel_relaxed(tmp, priv->base + IITSR); + raw_spin_unlock(&priv->lock); + + return 0; + } + ++static u32 rzg2l_disable_tint_and_set_tint_source(struct irq_data *d, struct rzg2l_irqc_priv *priv, ++ u32 reg, u32 tssr_offset, u8 tssr_index) ++{ ++ u32 tint = (u32)(uintptr_t)irq_data_get_irq_chip_data(d); ++ u32 tien = reg & (TIEN << TSSEL_SHIFT(tssr_offset)); ++ ++ /* Clear the relevant byte in reg */ ++ reg &= ~(TSSEL_MASK << TSSEL_SHIFT(tssr_offset)); ++ /* Set TINT and leave TIEN clear */ ++ reg |= tint << TSSEL_SHIFT(tssr_offset); ++ writel_relaxed(reg, priv->base + TSSR(tssr_index)); ++ ++ return reg | tien; ++} ++ + static int rzg2l_tint_set_edge(struct irq_data *d, unsigned int type) + { + struct rzg2l_irqc_priv *priv = irq_data_to_priv(d); + unsigned int hwirq = irqd_to_hwirq(d); + u32 titseln = hwirq - IRQC_TINT_START; ++ u32 tssr_offset = TSSR_OFFSET(titseln); ++ u8 tssr_index = TSSR_INDEX(titseln); + u8 index, sense; +- u32 reg; ++ u32 reg, tssr; + + switch (type & IRQ_TYPE_SENSE_MASK) { + case IRQ_TYPE_EDGE_RISING: +@@ -225,10 +249,14 @@ static int rzg2l_tint_set_edge(struct irq_data *d, unsigned int type) + } + + raw_spin_lock(&priv->lock); ++ tssr = readl_relaxed(priv->base + TSSR(tssr_index)); ++ tssr = rzg2l_disable_tint_and_set_tint_source(d, priv, tssr, tssr_offset, tssr_index); + reg = readl_relaxed(priv->base + TITSR(index)); + reg &= ~(IRQ_MASK << (titseln * TITSEL_WIDTH)); + reg |= sense << (titseln * TITSEL_WIDTH); + writel_relaxed(reg, priv->base + TITSR(index)); ++ rzg2l_clear_tint_int(priv, hwirq); ++ writel_relaxed(tssr, priv->base + TSSR(tssr_index)); + raw_spin_unlock(&priv->lock); + + return 0; +-- +2.43.0 + diff --git a/queue-6.1/irqchip-renesas-rzg2l-rename-rzg2l_irq_eoi.patch b/queue-6.1/irqchip-renesas-rzg2l-rename-rzg2l_irq_eoi.patch new file mode 100644 index 00000000000..13ebe44503e --- /dev/null +++ b/queue-6.1/irqchip-renesas-rzg2l-rename-rzg2l_irq_eoi.patch @@ -0,0 +1,50 @@ +From b804074250a4894e1b44ec794da13a26e75499d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 18:39:20 +0000 +Subject: irqchip/renesas-rzg2l: Rename rzg2l_irq_eoi() + +From: Biju Das + +[ Upstream commit b4b5cd61a6fdd92ede0dc39f0850a182affd1323 ] + +Rename rzg2l_irq_eoi()->rzg2l_clear_irq_int() and simplify the code by +removing redundant priv local variable. + +Suggested-by: Geert Uytterhoeven +Signed-off-by: Biju Das +Signed-off-by: Thomas Gleixner +Stable-dep-of: 853a6030303f ("irqchip/renesas-rzg2l: Prevent spurious interrupts when setting trigger type") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index ced5064eb0e9d..aa27335ab2eec 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -66,10 +66,9 @@ static struct rzg2l_irqc_priv *irq_data_to_priv(struct irq_data *data) + return data->domain->host_data; + } + +-static void rzg2l_irq_eoi(struct irq_data *d) ++static void rzg2l_clear_irq_int(struct rzg2l_irqc_priv *priv, unsigned int hwirq) + { +- unsigned int hw_irq = irqd_to_hwirq(d) - IRQC_IRQ_START; +- struct rzg2l_irqc_priv *priv = irq_data_to_priv(d); ++ unsigned int hw_irq = hwirq - IRQC_IRQ_START; + u32 bit = BIT(hw_irq); + u32 iitsr, iscr; + +@@ -113,7 +112,7 @@ static void rzg2l_irqc_eoi(struct irq_data *d) + + raw_spin_lock(&priv->lock); + if (hw_irq >= IRQC_IRQ_START && hw_irq <= IRQC_IRQ_COUNT) +- rzg2l_irq_eoi(d); ++ rzg2l_clear_irq_int(priv, hw_irq); + else if (hw_irq >= IRQC_TINT_START && hw_irq < IRQC_NUM_IRQ) + rzg2l_clear_tint_int(priv, hw_irq); + raw_spin_unlock(&priv->lock); +-- +2.43.0 + diff --git a/queue-6.1/irqchip-renesas-rzg2l-rename-rzg2l_tint_eoi.patch b/queue-6.1/irqchip-renesas-rzg2l-rename-rzg2l_tint_eoi.patch new file mode 100644 index 00000000000..5230c0e9e75 --- /dev/null +++ b/queue-6.1/irqchip-renesas-rzg2l-rename-rzg2l_tint_eoi.patch @@ -0,0 +1,51 @@ +From 03c00bbe69b471fbcdde386489aa2a28052b55ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 18:39:19 +0000 +Subject: irqchip/renesas-rzg2l: Rename rzg2l_tint_eoi() + +From: Biju Das + +[ Upstream commit 7cb6362c63df233172eaecddaf9ce2ce2f769112 ] + +Rename rzg2l_tint_eoi()->rzg2l_clear_tint_int() and simplify the code by +removing redundant priv and hw_irq local variables. + +Signed-off-by: Biju Das +Signed-off-by: Thomas Gleixner +Reviewed-by: Geert Uytterhoeven +Stable-dep-of: 853a6030303f ("irqchip/renesas-rzg2l: Prevent spurious interrupts when setting trigger type") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-renesas-rzg2l.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c +index a74391615ab38..ced5064eb0e9d 100644 +--- a/drivers/irqchip/irq-renesas-rzg2l.c ++++ b/drivers/irqchip/irq-renesas-rzg2l.c +@@ -90,11 +90,9 @@ static void rzg2l_irq_eoi(struct irq_data *d) + } + } + +-static void rzg2l_tint_eoi(struct irq_data *d) ++static void rzg2l_clear_tint_int(struct rzg2l_irqc_priv *priv, unsigned int hwirq) + { +- unsigned int hw_irq = irqd_to_hwirq(d) - IRQC_TINT_START; +- struct rzg2l_irqc_priv *priv = irq_data_to_priv(d); +- u32 bit = BIT(hw_irq); ++ u32 bit = BIT(hwirq - IRQC_TINT_START); + u32 reg; + + reg = readl_relaxed(priv->base + TSCR); +@@ -117,7 +115,7 @@ static void rzg2l_irqc_eoi(struct irq_data *d) + if (hw_irq >= IRQC_IRQ_START && hw_irq <= IRQC_IRQ_COUNT) + rzg2l_irq_eoi(d); + else if (hw_irq >= IRQC_TINT_START && hw_irq < IRQC_NUM_IRQ) +- rzg2l_tint_eoi(d); ++ rzg2l_clear_tint_int(priv, hw_irq); + raw_spin_unlock(&priv->lock); + irq_chip_eoi_parent(d); + } +-- +2.43.0 + diff --git a/queue-6.1/kprobes-x86-use-copy_from_kernel_nofault-to-read-fro.patch b/queue-6.1/kprobes-x86-use-copy_from_kernel_nofault-to-read-fro.patch new file mode 100644 index 00000000000..89ba4e7ed64 --- /dev/null +++ b/queue-6.1/kprobes-x86-use-copy_from_kernel_nofault-to-read-fro.patch @@ -0,0 +1,54 @@ +From bc425bfd6e848cc5a234adfbd5b224f223fa9f0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 00:17:30 +0900 +Subject: kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe + address + +From: Masami Hiramatsu (Google) + +[ Upstream commit 4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b ] + +Read from an unsafe address with copy_from_kernel_nofault() in +arch_adjust_kprobe_addr() because this function is used before checking +the address is in text or not. Syzcaller bot found a bug and reported +the case if user specifies inaccessible data area, +arch_adjust_kprobe_addr() will cause a kernel panic. + +[ mingo: Clarified the comment. ] + +Fixes: cc66bb914578 ("x86/ibt,kprobes: Cure sym+0 equals fentry woes") +Reported-by: Qiang Zhang +Tested-by: Jinghao Jia +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/171042945004.154897.2221804961882915806.stgit@devnote2 +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kprobes/core.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index 6120f25b0d5cc..991f00c817e6c 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -301,7 +301,16 @@ static int can_probe(unsigned long paddr) + kprobe_opcode_t *arch_adjust_kprobe_addr(unsigned long addr, unsigned long offset, + bool *on_func_entry) + { +- if (is_endbr(*(u32 *)addr)) { ++ u32 insn; ++ ++ /* ++ * Since 'addr' is not guaranteed to be safe to access, use ++ * copy_from_kernel_nofault() to read the instruction: ++ */ ++ if (copy_from_kernel_nofault(&insn, (void *)addr, sizeof(u32))) ++ return NULL; ++ ++ if (is_endbr(insn)) { + *on_func_entry = !offset || offset == 4; + if (*on_func_entry) + offset = 4; +-- +2.43.0 + diff --git a/queue-6.1/minmax-add-umin-a-b-and-umax-a-b.patch b/queue-6.1/minmax-add-umin-a-b-and-umax-a-b.patch new file mode 100644 index 00000000000..b7138234673 --- /dev/null +++ b/queue-6.1/minmax-add-umin-a-b-and-umax-a-b.patch @@ -0,0 +1,142 @@ +From ba21c0c1cc0bd51ab8e080bde75bc43db7a5ce55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Sep 2023 08:16:30 +0000 +Subject: minmax: add umin(a, b) and umax(a, b) + +From: David Laight + +[ Upstream commit 80fcac55385ccb710d33a20dc1caaef29bd5a921 ] + +Patch series "minmax: Relax type checks in min() and max()", v4. + +The min() (etc) functions in minmax.h require that the arguments have +exactly the same types. + +However when the type check fails, rather than look at the types and fix +the type of a variable/constant, everyone seems to jump on min_t(). In +reality min_t() ought to be rare - when something unusual is being done, +not normality. + +The orginal min() (added in 2.4.9) replaced several inline functions and +included the type - so matched the implicit casting of the function call. +This was renamed min_t() in 2.4.10 and the current min() added. There is +no actual indication that the conversion of negatve values to large +unsigned values has ever been an actual problem. + +A quick grep shows 5734 min() and 4597 min_t(). Having the casts on +almost half of the calls shows that something is clearly wrong. + +If the wrong type is picked (and it is far too easy to pick the type of +the result instead of the larger input) then significant bits can get +discarded. + +Pretty much the worst example is in the derived clamp_val(), consider: + unsigned char x = 200u; + y = clamp_val(x, 10u, 300u); + +I also suspect that many of the min_t(u16, ...) are actually wrong. For +example copy_data() in printk_ringbuffer.c contains: + + data_size = min_t(u16, buf_size, len); + +Here buf_size is 'unsigned int' and len 'u16', pass a 64k buffer (can you +prove that doesn't happen?) and no data is returned. Apparantly it did - +and has since been fixed. + +The only reason that most of the min_t() are 'fine' is that pretty much +all the values in the kernel are between 0 and INT_MAX. + +Patch 1 adds umin(), this uses integer promotions to convert both +arguments to 'unsigned long long'. It can be used to compare a signed +type that is known to contain a non-negative value with an unsigned type. +The compiler typically optimises it all away. Added first so that it can +be referred to in patch 2. + +Patch 2 replaces the 'same type' check with a 'same signedness' one. This +makes min(unsigned_int_var, sizeof()) be ok. The error message is also +improved and will contain the expanded form of both arguments (useful for +seeing how constants are defined). + +Patch 3 just fixes some whitespace. + +Patch 4 allows comparisons of 'unsigned char' and 'unsigned short' to +signed types. The integer promotion rules convert them both to 'signed +int' prior to the comparison so they can never cause a negative value be +converted to a large positive one. + +Patch 5 (rewritted for v4) allows comparisons of unsigned values against +non-negative constant integer expressions. This makes +min(unsigned_int_var, 4) be ok. + +The only common case that is still errored is the comparison of signed +values against unsigned constant integer expressions below __INT_MAX__. +Typcally min(int_val, sizeof (foo)), the real fix for this is casting the +constant: min(int_var, (int)sizeof (foo)). + +With all the patches applied pretty much all the min_t() could be replaced +by min(), and most of the rest by umin(). However they all need careful +inspection due to code like: + + sz = min_t(unsigned char, sz - 1, LIM - 1) + 1; + +which converts 0 to LIM. + +This patch (of 6): + +umin() and umax() can be used when min()/max() errors a signed v unsigned +compare when the signed value is known to be non-negative. + +Unlike min_t(some_unsigned_type, a, b) umin() will never mask off high +bits if an inappropriate type is selected. + +The '+ 0u + 0ul + 0ull' may look strange. +The '+ 0u' is needed for 'signed int' on 64bit systems. +The '+ 0ul' is needed for 'signed long' on 32bit systems. +The '+ 0ull' is needed for 'signed long long'. + +Link: https://lkml.kernel.org/r/b97faef60ad24922b530241c5d7c933c@AcuMS.aculab.com +Link: https://lkml.kernel.org/r/41d93ca827a248698ec64bf57e0c05a5@AcuMS.aculab.com +Signed-off-by: David Laight +Cc: Andy Shevchenko +Cc: Christoph Hellwig +Cc: Jason A. Donenfeld +Cc: Linus Torvalds +Cc: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: 51b30ecb73b4 ("swiotlb: Fix alignment checks when both allocation and DMA masks are present") +Signed-off-by: Sasha Levin +--- + include/linux/minmax.h | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/include/linux/minmax.h b/include/linux/minmax.h +index 5433c08fcc685..1aea34b8f19bf 100644 +--- a/include/linux/minmax.h ++++ b/include/linux/minmax.h +@@ -51,6 +51,23 @@ + */ + #define max(x, y) __careful_cmp(x, y, >) + ++/** ++ * umin - return minimum of two non-negative values ++ * Signed types are zero extended to match a larger unsigned type. ++ * @x: first value ++ * @y: second value ++ */ ++#define umin(x, y) \ ++ __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, <) ++ ++/** ++ * umax - return maximum of two non-negative values ++ * @x: first value ++ * @y: second value ++ */ ++#define umax(x, y) \ ++ __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, >) ++ + /** + * min3 - return minimum of three values + * @x: first value +-- +2.43.0 + diff --git a/queue-6.1/printk-update-console_may_schedule-in-console_tryloc.patch b/queue-6.1/printk-update-console_may_schedule-in-console_tryloc.patch new file mode 100644 index 00000000000..787c54c9fa9 --- /dev/null +++ b/queue-6.1/printk-update-console_may_schedule-in-console_tryloc.patch @@ -0,0 +1,46 @@ +From 8f47e8cb1a5b9de7378d129edf0c9e244d3b8432 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Feb 2024 13:07:24 +0106 +Subject: printk: Update @console_may_schedule in console_trylock_spinning() + +From: John Ogness + +[ Upstream commit 8076972468584d4a21dab9aa50e388b3ea9ad8c7 ] + +console_trylock_spinning() may takeover the console lock from a +schedulable context. Update @console_may_schedule to make sure it +reflects a trylock acquire. + +Reported-by: Mukesh Ojha +Closes: https://lore.kernel.org/lkml/20240222090538.23017-1-quic_mojha@quicinc.com +Fixes: dbdda842fe96 ("printk: Add console owner and waiter logic to load balance console writes") +Signed-off-by: John Ogness +Reviewed-by: Mukesh Ojha +Reviewed-by: Petr Mladek +Link: https://lore.kernel.org/r/875xybmo2z.fsf@jogness.linutronix.de +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index c55ee859dbd08..0ae06d5046bb0 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -1947,6 +1947,12 @@ static int console_trylock_spinning(void) + */ + mutex_acquire(&console_lock_dep_map, 0, 1, _THIS_IP_); + ++ /* ++ * Update @console_may_schedule for trylock because the previous ++ * owner may have been schedulable. ++ */ ++ console_may_schedule = 0; ++ + return 1; + } + +-- +2.43.0 + diff --git a/queue-6.1/pwm-img-fix-pwm-clock-lookup.patch b/queue-6.1/pwm-img-fix-pwm-clock-lookup.patch new file mode 100644 index 00000000000..9b051226a38 --- /dev/null +++ b/queue-6.1/pwm-img-fix-pwm-clock-lookup.patch @@ -0,0 +1,49 @@ +From 1f99d14117091481c71060c479885a2033894b1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2024 09:36:02 +0100 +Subject: pwm: img: fix pwm clock lookup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zoltan HERPAI + +[ Upstream commit 9eb05877dbee03064d3d3483cd6702f610d5a358 ] + +22e8e19 has introduced a regression in the imgchip->pwm_clk lookup, whereas +the clock name has also been renamed to "imgchip". This causes the driver +failing to load: + +[ 0.546905] img-pwm 18101300.pwm: failed to get imgchip clock +[ 0.553418] img-pwm: probe of 18101300.pwm failed with error -2 + +Fix this lookup by reverting the clock name back to "pwm". + +Signed-off-by: Zoltan HERPAI +Link: https://lore.kernel.org/r/20240320083602.81592-1-wigyori@uid0.hu +Fixes: 22e8e19a46f7 ("pwm: img: Rename variable pointing to driver private data") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-img.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pwm/pwm-img.c b/drivers/pwm/pwm-img.c +index 0fccf061ab958..8ce6c453adf07 100644 +--- a/drivers/pwm/pwm-img.c ++++ b/drivers/pwm/pwm-img.c +@@ -289,9 +289,9 @@ static int img_pwm_probe(struct platform_device *pdev) + return PTR_ERR(imgchip->sys_clk); + } + +- imgchip->pwm_clk = devm_clk_get(&pdev->dev, "imgchip"); ++ imgchip->pwm_clk = devm_clk_get(&pdev->dev, "pwm"); + if (IS_ERR(imgchip->pwm_clk)) { +- dev_err(&pdev->dev, "failed to get imgchip clock\n"); ++ dev_err(&pdev->dev, "failed to get pwm clock\n"); + return PTR_ERR(imgchip->pwm_clk); + } + +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 7d3e6722981..14528a8454b 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -178,3 +178,20 @@ x86-efistub-call-mixed-mode-boot-services-on-the-firmware-s-stack.patch net-tls-handle-backlogging-of-crypto-requests.patch asoc-amd-yc-revert-fix-non-functional-mic-on-lenovo-21j2.patch iommu-avoid-races-around-default-domain-allocations.patch +clocksource-drivers-arm_global_timer-fix-maximum-pre.patch +entry-respect-changes-to-system-call-number-by-trace.patch +minmax-add-umin-a-b-and-umax-a-b.patch +swiotlb-fix-alignment-checks-when-both-allocation-an.patch +iommu-dma-force-swiotlb_max_mapping_size-on-an-untru.patch +printk-update-console_may_schedule-in-console_tryloc.patch +irqchip-renesas-rzg2l-implement-restriction-when-wri.patch +irqchip-renesas-rzg2l-flush-posted-write-in-irq_eoi.patch +irqchip-renesas-rzg2l-add-macro-to-retrieve-titsr-re.patch +irqchip-renesas-rzg2l-rename-rzg2l_tint_eoi.patch +irqchip-renesas-rzg2l-rename-rzg2l_irq_eoi.patch +irqchip-renesas-rzg2l-prevent-spurious-interrupts-wh.patch +kprobes-x86-use-copy_from_kernel_nofault-to-read-fro.patch +efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch +x86-fpu-keep-xfd_state-in-sync-with-msr_ia32_xfd.patch +efi-fix-panic-in-kdump-kernel.patch +pwm-img-fix-pwm-clock-lookup.patch diff --git a/queue-6.1/swiotlb-fix-alignment-checks-when-both-allocation-an.patch b/queue-6.1/swiotlb-fix-alignment-checks-when-both-allocation-an.patch new file mode 100644 index 00000000000..f5ee614c223 --- /dev/null +++ b/queue-6.1/swiotlb-fix-alignment-checks-when-both-allocation-an.patch @@ -0,0 +1,67 @@ +From f8cbe8b15fb95ab1653dc22c55680a7f051c692c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 15:28:27 +0000 +Subject: swiotlb: Fix alignment checks when both allocation and DMA masks are + present + +From: Will Deacon + +[ Upstream commit 51b30ecb73b481d5fac6ccf2ecb4a309c9ee3310 ] + +Nicolin reports that swiotlb buffer allocations fail for an NVME device +behind an IOMMU using 64KiB pages. This is because we end up with a +minimum allocation alignment of 64KiB (for the IOMMU to map the buffer +safely) but a minimum DMA alignment mask corresponding to a 4KiB NVME +page (i.e. preserving the 4KiB page offset from the original allocation). +If the original address is not 4KiB-aligned, the allocation will fail +because swiotlb_search_pool_area() erroneously compares these unmasked +bits with the 64KiB-aligned candidate allocation. + +Tweak swiotlb_search_pool_area() so that the DMA alignment mask is +reduced based on the required alignment of the allocation. + +Fixes: 82612d66d51d ("iommu: Allow the dma-iommu api to use bounce buffers") +Link: https://lore.kernel.org/r/cover.1707851466.git.nicolinc@nvidia.com +Reported-by: Nicolin Chen +Signed-off-by: Will Deacon +Reviewed-by: Michael Kelley +Tested-by: Nicolin Chen +Tested-by: Michael Kelley +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/swiotlb.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c +index ad6333c3fe1ff..db89ac94e7db4 100644 +--- a/kernel/dma/swiotlb.c ++++ b/kernel/dma/swiotlb.c +@@ -654,8 +654,7 @@ static int swiotlb_do_find_slots(struct device *dev, int area_index, + dma_addr_t tbl_dma_addr = + phys_to_dma_unencrypted(dev, mem->start) & boundary_mask; + unsigned long max_slots = get_max_slots(boundary_mask); +- unsigned int iotlb_align_mask = +- dma_get_min_align_mask(dev) & ~(IO_TLB_SIZE - 1); ++ unsigned int iotlb_align_mask = dma_get_min_align_mask(dev); + unsigned int nslots = nr_slots(alloc_size), stride; + unsigned int index, wrap, count = 0, i; + unsigned int offset = swiotlb_align_offset(dev, orig_addr); +@@ -666,6 +665,14 @@ static int swiotlb_do_find_slots(struct device *dev, int area_index, + BUG_ON(!nslots); + BUG_ON(area_index >= mem->nareas); + ++ /* ++ * Ensure that the allocation is at least slot-aligned and update ++ * 'iotlb_align_mask' to ignore bits that will be preserved when ++ * offsetting into the allocation. ++ */ ++ alloc_align_mask |= (IO_TLB_SIZE - 1); ++ iotlb_align_mask &= ~alloc_align_mask; ++ + /* + * For mappings with an alignment requirement don't bother looping to + * unaligned slots once we found an aligned one. For allocations of +-- +2.43.0 + diff --git a/queue-6.1/x86-fpu-keep-xfd_state-in-sync-with-msr_ia32_xfd.patch b/queue-6.1/x86-fpu-keep-xfd_state-in-sync-with-msr_ia32_xfd.patch new file mode 100644 index 00000000000..5c362c20297 --- /dev/null +++ b/queue-6.1/x86-fpu-keep-xfd_state-in-sync-with-msr_ia32_xfd.patch @@ -0,0 +1,95 @@ +From a6128f9b4209ce7d9611e0a8c1f11b3ade390664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 16:04:39 -0700 +Subject: x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD + +From: Adamos Ttofari + +[ Upstream commit 10e4b5166df9ff7a2d5316138ca668b42d004422 ] + +Commit 672365477ae8 ("x86/fpu: Update XFD state where required") and +commit 8bf26758ca96 ("x86/fpu: Add XFD state to fpstate") introduced a +per CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in +order to avoid unnecessary writes to the MSR. + +On CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which +wipes out any stale state. But the per CPU cached xfd value is not +reset, which brings them out of sync. + +As a consequence a subsequent xfd_update_state() might fail to update +the MSR which in turn can result in XRSTOR raising a #NM in kernel +space, which crashes the kernel. + +To fix this, introduce xfd_set_state() to write xfd_state together +with MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD. + +Fixes: 672365477ae8 ("x86/fpu: Update XFD state where required") +Signed-off-by: Adamos Ttofari +Signed-off-by: Chang S. Bae +Signed-off-by: Ingo Molnar +Reviewed-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20240322230439.456571-1-chang.seok.bae@intel.com + +Closes: https://lore.kernel.org/lkml/20230511152818.13839-1-attofari@amazon.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/fpu/xstate.c | 5 +++-- + arch/x86/kernel/fpu/xstate.h | 14 ++++++++++---- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index ebe698f8af73b..2aa849705bb68 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -177,10 +177,11 @@ void fpu__init_cpu_xstate(void) + * Must happen after CR4 setup and before xsetbv() to allow KVM + * lazy passthrough. Write independent of the dynamic state static + * key as that does not work on the boot CPU. This also ensures +- * that any stale state is wiped out from XFD. ++ * that any stale state is wiped out from XFD. Reset the per CPU ++ * xfd cache too. + */ + if (cpu_feature_enabled(X86_FEATURE_XFD)) +- wrmsrl(MSR_IA32_XFD, init_fpstate.xfd); ++ xfd_set_state(init_fpstate.xfd); + + /* + * XCR_XFEATURE_ENABLED_MASK (aka. XCR0) sets user features +diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h +index 3518fb26d06b0..19ca623ffa2ac 100644 +--- a/arch/x86/kernel/fpu/xstate.h ++++ b/arch/x86/kernel/fpu/xstate.h +@@ -148,20 +148,26 @@ static inline void xfd_validate_state(struct fpstate *fpstate, u64 mask, bool rs + #endif + + #ifdef CONFIG_X86_64 ++static inline void xfd_set_state(u64 xfd) ++{ ++ wrmsrl(MSR_IA32_XFD, xfd); ++ __this_cpu_write(xfd_state, xfd); ++} ++ + static inline void xfd_update_state(struct fpstate *fpstate) + { + if (fpu_state_size_dynamic()) { + u64 xfd = fpstate->xfd; + +- if (__this_cpu_read(xfd_state) != xfd) { +- wrmsrl(MSR_IA32_XFD, xfd); +- __this_cpu_write(xfd_state, xfd); +- } ++ if (__this_cpu_read(xfd_state) != xfd) ++ xfd_set_state(xfd); + } + } + + extern int __xfd_enable_feature(u64 which, struct fpu_guest *guest_fpu); + #else ++static inline void xfd_set_state(u64 xfd) { } ++ + static inline void xfd_update_state(struct fpstate *fpstate) { } + + static inline int __xfd_enable_feature(u64 which, struct fpu_guest *guest_fpu) { +-- +2.43.0 +