From: Greg Kroah-Hartman Date: Mon, 10 Feb 2025 13:31:40 +0000 (+0100) Subject: 6.13-stable patches X-Git-Tag: v6.6.77~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=62bfa9e21081c8d921fe640151c99fa525d057db;p=thirdparty%2Fkernel%2Fstable-queue.git 6.13-stable patches added patches: accel-ivpu-fix-qemu-crash-when-running-in-passthrough.patch alsa-hda-realtek-enable-mute-led-on-hp-laptop-14s-fq1xxx.patch arm64-dts-rockchip-increase-gmac-rx_delay-on-rk3399-puma.patch arm64-filter-out-sve-hwcaps-when-feat_sve-isn-t-implemented.patch arm64-kvm-configure-hyp-tcr.ps-ds-based-on-host-stage1.patch arm64-mm-override-parange-for-lpa2-and-use-it-consistently.patch arm64-mm-reduce-pa-space-to-48-bits-when-lpa2-is-not-enabled.patch arm64-sme-move-storage-of-reg_smidr-to-__cpuinfo_store_cpu.patch binfmt_flat-fix-integer-overflow-bug-on-32-bit-systems.patch block-mark-gfp_noio-around-sysfs-store.patch bluetooth-l2cap-accept-zero-as-a-special-value-for-mtu-auto-selection.patch bluetooth-l2cap-handle-null-sock-pointer-in-l2cap_sock_alloc.patch cifs-remove-intermediate-object-of-failed-create-sfu-call.patch clk-clk-loongson2-fix-the-number-count-of-clk-provider.patch clk-mediatek-mt2701-aud-fix-conversion-to-mtk_clk_simple_probe.patch clk-mediatek-mt2701-bdp-add-missing-dummy-clk.patch clk-mediatek-mt2701-img-add-missing-dummy-clk.patch clk-mediatek-mt2701-mm-add-missing-dummy-clk.patch clk-mediatek-mt2701-vdec-fix-conversion-to-mtk_clk_simple_probe.patch clk-mmp2-call-pm_genpd_init-only-after-genpd.name-is-set.patch clk-qcom-clk-alpha-pll-fix-alpha-mode-configuration.patch clk-qcom-clk-rpmh-prevent-integer-overflow-in-recalc_rate.patch clk-qcom-dispcc-sm6350-add-missing-parent_map-for-a-clock.patch clk-qcom-gcc-mdm9607-fix-cmd_rcgr-offset-for-blsp1_uart6-rcg.patch clk-qcom-gcc-sm6350-add-missing-parent_map-for-two-clocks.patch clk-qcom-gcc-sm8550-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch clk-qcom-gcc-sm8650-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch clk-sunxi-ng-a100-enable-mmc-clock-reparenting.patch cpufreq-fix-using-cpufreq-dt-as-module.patch cpufreq-s3c64xx-fix-compilation-warning.patch drm-amd-amdgpu-change-the-config-of-cgcg-on-gfx12.patch drm-amd-display-fix-seamless-boot-sequence.patch drm-amd-display-optimize-cursor-position-updates.patch drm-amd-pm-mark-mm-activity-as-unsupported.patch drm-amdgpu-add-a-bo-metadata-flag-to-disable-write-compression-for-vulkan.patch drm-amdkfd-block-per-queue-reset-when-halt_if_hws_hang-1.patch drm-amdkfd-only-flush-the-validate-mes-contex.patch drm-ast-astdp-fix-timeout-for-enabling-video-signal.patch drm-client-handle-tiled-displays-better.patch drm-i915-dp-iterate-dsc-bpp-from-high-to-low-on-all-platforms.patch drm-i915-drop-64bpp-yuv-formats-from-icl-sdr-planes.patch drm-i915-fix-page-cleanup-on-dma-remap-failure.patch drm-i915-guc-debug-print-lrc-state-entries-only-if-the-context-is-pinned.patch drm-komeda-add-check-for-komeda_get_layer_fourcc_list.patch drm-modeset-handle-tiled-displays-in-pan_display_atomic.patch drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq_event.patch drm-xe-devcoredump-move-exec-queue-snapshot-to-contexts-section.patch drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch input-synaptics-fix-crash-when-enabling-pass-through-port.patch keys-trusted-dcp-fix-improper-sg-use-with-config_vmap_stack-y.patch ksmbd-fix-integer-overflows-on-32-bit-systems.patch kvm-arm64-timer-always-evaluate-the-need-for-a-soft-timer.patch kvm-defer-huge-page-recovery-vhost-task-to-later.patch kvm-explicitly-verify-target-vcpu-is-online-in-kvm_get_vcpu.patch kvm-nvmx-defer-svi-update-to-vmcs01-on-eoi-when-l2-is-active-w-o-vid.patch kvm-s390-vsie-fix-some-corner-cases-when-grabbing-vsie-pages.patch leds-lp8860-write-full-eeprom-not-only-half-of-it.patch m68k-vga-fix-i-o-defines.patch md-reintroduce-md-linear.patch media-i2c-ds90ub960-fix-ub9702-refclk-register-access.patch perf-imx9_perf-introduce-axi-filter-version-to-refactor-the-driver-and-better-extension.patch remoteproc-omap-handle-arm-dma_iommu_mapping.patch revert-drm-amd-display-use-hw-lock-mgr-for-psr1.patch s390-futex-fix-futex_op_andn-implementation.patch smb-client-change-lease-epoch-type-from-unsigned-int-to-__u16.patch smb-client-fix-order-of-arguments-of-tracepoints.patch --- diff --git a/queue-6.13/accel-ivpu-fix-qemu-crash-when-running-in-passthrough.patch b/queue-6.13/accel-ivpu-fix-qemu-crash-when-running-in-passthrough.patch new file mode 100644 index 0000000000..2711138277 --- /dev/null +++ b/queue-6.13/accel-ivpu-fix-qemu-crash-when-running-in-passthrough.patch @@ -0,0 +1,35 @@ +From 901dd2617c9c3554b2449c8844b6338009112fcf Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Wed, 6 Nov 2024 11:55:49 +0100 +Subject: accel/ivpu: Fix Qemu crash when running in passthrough + +From: Jacek Lawrynowicz + +commit 901dd2617c9c3554b2449c8844b6338009112fcf upstream. + +Restore PCI state after putting the NPU in D0. +Restoring state before powering up the device caused a Qemu crash +if NPU was running in passthrough mode and recovery was performed. + +Fixes: 3534eacbf101 ("accel/ivpu: Fix PCI D0 state entry in resume") +Cc: stable@vger.kernel.org # v6.8+ +Reviewed-by: Karol Wachowski +Signed-off-by: Jacek Lawrynowicz +Link: https://patchwork.freedesktop.org/patch/msgid/20241106105549.2757115-1-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accel/ivpu/ivpu_pm.c ++++ b/drivers/accel/ivpu/ivpu_pm.c +@@ -78,8 +78,8 @@ static int ivpu_resume(struct ivpu_devic + int ret; + + retry: +- pci_restore_state(to_pci_dev(vdev->drm.dev)); + pci_set_power_state(to_pci_dev(vdev->drm.dev), PCI_D0); ++ pci_restore_state(to_pci_dev(vdev->drm.dev)); + + ret = ivpu_hw_power_up(vdev); + if (ret) { diff --git a/queue-6.13/alsa-hda-realtek-enable-mute-led-on-hp-laptop-14s-fq1xxx.patch b/queue-6.13/alsa-hda-realtek-enable-mute-led-on-hp-laptop-14s-fq1xxx.patch new file mode 100644 index 0000000000..fbd6a0353b --- /dev/null +++ b/queue-6.13/alsa-hda-realtek-enable-mute-led-on-hp-laptop-14s-fq1xxx.patch @@ -0,0 +1,31 @@ +From 711aad3c43a9853657e00225466d204e46ae528b Mon Sep 17 00:00:00 2001 +From: Sebastian Wiese-Wagner +Date: Mon, 20 Jan 2025 19:12:40 +0100 +Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 14s-fq1xxx + +From: Sebastian Wiese-Wagner + +commit 711aad3c43a9853657e00225466d204e46ae528b upstream. + +This HP Laptop uses ALC236 codec with COEF 0x07 controlling the mute +LED. Enable existing quirk for this device. + +Signed-off-by: Sebastian Wiese-Wagner +Cc: +Link: https://patch.msgid.link/20250120181240.13106-1-seb@fastmail.to +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10389,6 +10389,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x887a, "HP Laptop 15s-eq2xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), ++ SND_PCI_QUIRK(0x103c, 0x887c, "HP Laptop 14s-fq1xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x888a, "HP ENVY x360 Convertible 15-eu0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), + SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8895, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED), diff --git a/queue-6.13/arm64-dts-rockchip-increase-gmac-rx_delay-on-rk3399-puma.patch b/queue-6.13/arm64-dts-rockchip-increase-gmac-rx_delay-on-rk3399-puma.patch new file mode 100644 index 0000000000..0b6ef47128 --- /dev/null +++ b/queue-6.13/arm64-dts-rockchip-increase-gmac-rx_delay-on-rk3399-puma.patch @@ -0,0 +1,60 @@ +From 9d241b06802c6c2176ae7aa4f9f17f8a577ed337 Mon Sep 17 00:00:00 2001 +From: Jakob Unterwurzacher +Date: Fri, 13 Dec 2024 10:54:58 +0100 +Subject: arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma + +From: Jakob Unterwurzacher + +commit 9d241b06802c6c2176ae7aa4f9f17f8a577ed337 upstream. + +During mass manufacturing, we noticed the mmc_rx_crc_error counter, +as reported by "ethtool -S eth0 | grep mmc_rx_crc_error", to increase +above zero during nuttcp speedtests. Most of the time, this did not +affect the achieved speed, but it prompted this investigation. + +Cycling through the rx_delay range on six boards (see table below) of +various ages shows that there is a large good region from 0x12 to 0x35 +where we see zero crc errors on all tested boards. + +The old rx_delay value (0x10) seems to have always been on the edge for +the KSZ9031RNX that is usually placed on Puma. + +Choose "rx_delay = 0x23" to put us smack in the middle of the good +region. This works fine as well with the KSZ9131RNX PHY that was used +for a small number of boards during the COVID chip shortages. + + Board S/N PHY rx_delay good region + --------- --- -------------------- + Puma TT0069903 KSZ9031RNX 0x11 0x35 + Puma TT0157733 KSZ9031RNX 0x11 0x35 + Puma TT0681551 KSZ9031RNX 0x12 0x37 + Puma TT0681156 KSZ9031RNX 0x10 0x38 + Puma 17496030079 KSZ9031RNX 0x10 0x37 (Puma v1.2 from 2017) + Puma TT0681720 KSZ9131RNX 0x02 0x39 (alternative PHY used in very few boards) + + Intersection of good regions = 0x12 0x35 + Middle of good region = 0x23 + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Cc: stable@vger.kernel.org +Reviewed-by: Quentin Schulz +Tested-by: Quentin Schulz # Puma v2.1 and v2.3 with KSZ9031 +Signed-off-by: Jakob Unterwurzacher +Link: https://lore.kernel.org/r/20241213-puma_rx_delay-v4-1-8e8e11cc6ed7@cherry.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -182,7 +182,7 @@ + snps,reset-active-low; + snps,reset-delays-us = <0 10000 50000>; + tx_delay = <0x10>; +- rx_delay = <0x10>; ++ rx_delay = <0x23>; + status = "okay"; + }; + diff --git a/queue-6.13/arm64-filter-out-sve-hwcaps-when-feat_sve-isn-t-implemented.patch b/queue-6.13/arm64-filter-out-sve-hwcaps-when-feat_sve-isn-t-implemented.patch new file mode 100644 index 0000000000..3d19093078 --- /dev/null +++ b/queue-6.13/arm64-filter-out-sve-hwcaps-when-feat_sve-isn-t-implemented.patch @@ -0,0 +1,202 @@ +From 064737920bdbca86df91b96aed256e88018fef3a Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 7 Jan 2025 22:59:41 +0000 +Subject: arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented + +From: Marc Zyngier + +commit 064737920bdbca86df91b96aed256e88018fef3a upstream. + +The hwcaps code that exposes SVE features to userspace only +considers ID_AA64ZFR0_EL1, while this is only valid when +ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported. + +The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the +ID_AA64ZFR0_EL1 register is also 0. So far, so good. + +Things become a bit more interesting if the HW implements SME. +In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME* +features. And these fields overlap with their SVE interpretations. +But the architecture says that the SME and SVE feature sets must +match, so we're still hunky-dory. + +This goes wrong if the HW implements SME, but not SVE. In this +case, we end-up advertising some SVE features to userspace, even +if the HW has none. That's because we never consider whether SVE +is actually implemented. Oh well. + +Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE +being non-zero. The HWCAPS documentation is amended to reflect the +actually checks performed by the kernel. + +Fixes: 06a916feca2b ("arm64: Expose SVE2 features for userspace") +Reported-by: Catalin Marinas +Signed-off-by: Marc Zyngier +Signed-off-by: Mark Brown +Cc: Will Deacon +Cc: Mark Rutland +Cc: stable@vger.kernel.org +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250107-arm64-2024-dpisa-v5-1-7578da51fc3d@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arch/arm64/elf_hwcaps.rst | 39 ++++++++++++++++++++----------- + arch/arm64/kernel/cpufeature.c | 40 +++++++++++++++++++++----------- + 2 files changed, 53 insertions(+), 26 deletions(-) + +--- a/Documentation/arch/arm64/elf_hwcaps.rst ++++ b/Documentation/arch/arm64/elf_hwcaps.rst +@@ -178,22 +178,28 @@ HWCAP2_DCPODP + Functionality implied by ID_AA64ISAR1_EL1.DPB == 0b0010. + + HWCAP2_SVE2 +- Functionality implied by ID_AA64ZFR0_EL1.SVEver == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.SVEver == 0b0001. + + HWCAP2_SVEAES +- Functionality implied by ID_AA64ZFR0_EL1.AES == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.AES == 0b0001. + + HWCAP2_SVEPMULL +- Functionality implied by ID_AA64ZFR0_EL1.AES == 0b0010. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.AES == 0b0010. + + HWCAP2_SVEBITPERM +- Functionality implied by ID_AA64ZFR0_EL1.BitPerm == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.BitPerm == 0b0001. + + HWCAP2_SVESHA3 +- Functionality implied by ID_AA64ZFR0_EL1.SHA3 == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.SHA3 == 0b0001. + + HWCAP2_SVESM4 +- Functionality implied by ID_AA64ZFR0_EL1.SM4 == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.SM4 == 0b0001. + + HWCAP2_FLAGM2 + Functionality implied by ID_AA64ISAR0_EL1.TS == 0b0010. +@@ -202,16 +208,20 @@ HWCAP2_FRINT + Functionality implied by ID_AA64ISAR1_EL1.FRINTTS == 0b0001. + + HWCAP2_SVEI8MM +- Functionality implied by ID_AA64ZFR0_EL1.I8MM == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.I8MM == 0b0001. + + HWCAP2_SVEF32MM +- Functionality implied by ID_AA64ZFR0_EL1.F32MM == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.F32MM == 0b0001. + + HWCAP2_SVEF64MM +- Functionality implied by ID_AA64ZFR0_EL1.F64MM == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.F64MM == 0b0001. + + HWCAP2_SVEBF16 +- Functionality implied by ID_AA64ZFR0_EL1.BF16 == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.BF16 == 0b0001. + + HWCAP2_I8MM + Functionality implied by ID_AA64ISAR1_EL1.I8MM == 0b0001. +@@ -277,7 +287,8 @@ HWCAP2_EBF16 + Functionality implied by ID_AA64ISAR1_EL1.BF16 == 0b0010. + + HWCAP2_SVE_EBF16 +- Functionality implied by ID_AA64ZFR0_EL1.BF16 == 0b0010. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.BF16 == 0b0010. + + HWCAP2_CSSC + Functionality implied by ID_AA64ISAR2_EL1.CSSC == 0b0001. +@@ -286,7 +297,8 @@ HWCAP2_RPRFM + Functionality implied by ID_AA64ISAR2_EL1.RPRFM == 0b0001. + + HWCAP2_SVE2P1 +- Functionality implied by ID_AA64ZFR0_EL1.SVEver == 0b0010. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.SVEver == 0b0010. + + HWCAP2_SME2 + Functionality implied by ID_AA64SMFR0_EL1.SMEver == 0b0001. +@@ -313,7 +325,8 @@ HWCAP2_HBC + Functionality implied by ID_AA64ISAR2_EL1.BC == 0b0001. + + HWCAP2_SVE_B16B16 +- Functionality implied by ID_AA64ZFR0_EL1.B16B16 == 0b0001. ++ Functionality implied by ID_AA64PFR0_EL1.SVE == 0b0001 and ++ ID_AA64ZFR0_EL1.B16B16 == 0b0001. + + HWCAP2_LRCPC3 + Functionality implied by ID_AA64ISAR1_EL1.LRCPC == 0b0011. +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -3022,6 +3022,13 @@ static const struct arm64_cpu_capabiliti + .matches = match, \ + } + ++#define HWCAP_CAP_MATCH_ID(match, reg, field, min_value, cap_type, cap) \ ++ { \ ++ __HWCAP_CAP(#cap, cap_type, cap) \ ++ HWCAP_CPUID_MATCH(reg, field, min_value) \ ++ .matches = match, \ ++ } ++ + #ifdef CONFIG_ARM64_PTR_AUTH + static const struct arm64_cpu_capabilities ptr_auth_hwcap_addr_matches[] = { + { +@@ -3050,6 +3057,13 @@ static const struct arm64_cpu_capabiliti + }; + #endif + ++#ifdef CONFIG_ARM64_SVE ++static bool has_sve_feature(const struct arm64_cpu_capabilities *cap, int scope) ++{ ++ return system_supports_sve() && has_user_cpuid_feature(cap, scope); ++} ++#endif ++ + static const struct arm64_cpu_capabilities arm64_elf_hwcaps[] = { + HWCAP_CAP(ID_AA64ISAR0_EL1, AES, PMULL, CAP_HWCAP, KERNEL_HWCAP_PMULL), + HWCAP_CAP(ID_AA64ISAR0_EL1, AES, AES, CAP_HWCAP, KERNEL_HWCAP_AES), +@@ -3092,19 +3106,19 @@ static const struct arm64_cpu_capabiliti + HWCAP_CAP(ID_AA64MMFR2_EL1, AT, IMP, CAP_HWCAP, KERNEL_HWCAP_USCAT), + #ifdef CONFIG_ARM64_SVE + HWCAP_CAP(ID_AA64PFR0_EL1, SVE, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE), +- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), +- HWCAP_CAP(ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), +- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), +- HWCAP_CAP(ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), +- HWCAP_CAP(ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), +- HWCAP_CAP(ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), +- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), +- HWCAP_CAP(ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), +- HWCAP_CAP(ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), +- HWCAP_CAP(ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), +- HWCAP_CAP(ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), +- HWCAP_CAP(ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), +- HWCAP_CAP(ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2p1, CAP_HWCAP, KERNEL_HWCAP_SVE2P1), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SVEver, SVE2, CAP_HWCAP, KERNEL_HWCAP_SVE2), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEAES), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, AES, PMULL128, CAP_HWCAP, KERNEL_HWCAP_SVEPMULL), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BitPerm, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBITPERM), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, B16B16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVE_B16B16), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEBF16), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, BF16, EBF16, CAP_HWCAP, KERNEL_HWCAP_SVE_EBF16), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SHA3, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESHA3), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, SM4, IMP, CAP_HWCAP, KERNEL_HWCAP_SVESM4), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, I8MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEI8MM), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F32MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF32MM), ++ HWCAP_CAP_MATCH_ID(has_sve_feature, ID_AA64ZFR0_EL1, F64MM, IMP, CAP_HWCAP, KERNEL_HWCAP_SVEF64MM), + #endif + #ifdef CONFIG_ARM64_GCS + HWCAP_CAP(ID_AA64PFR1_EL1, GCS, IMP, CAP_HWCAP, KERNEL_HWCAP_GCS), diff --git a/queue-6.13/arm64-kvm-configure-hyp-tcr.ps-ds-based-on-host-stage1.patch b/queue-6.13/arm64-kvm-configure-hyp-tcr.ps-ds-based-on-host-stage1.patch new file mode 100644 index 0000000000..d9bccd98da --- /dev/null +++ b/queue-6.13/arm64-kvm-configure-hyp-tcr.ps-ds-based-on-host-stage1.patch @@ -0,0 +1,64 @@ +From f0da16992aef7e246b2f3bba1492e3a52c38ca0e Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 12 Dec 2024 09:18:45 +0100 +Subject: arm64/kvm: Configure HYP TCR.PS/DS based on host stage1 + +From: Ard Biesheuvel + +commit f0da16992aef7e246b2f3bba1492e3a52c38ca0e upstream. + +When the host stage1 is configured for LPA2, the value currently being +programmed into TCR_EL2.T0SZ may be invalid unless LPA2 is configured +at HYP as well. This means kvm_lpa2_is_enabled() is not the right +condition to test when setting TCR_EL2.DS, as it will return false if +LPA2 is only available for stage 1 but not for stage 2. + +Similary, programming TCR_EL2.PS based on a limited IPA range due to +lack of stage2 LPA2 support could potentially result in problems. + +So use lpa2_is_enabled() instead, and set the PS field according to the +host's IPS, which is capped at 48 bits if LPA2 support is absent or +disabled. Whether or not we can make meaningful use of such a +configuration is a different question. + +Cc: stable@vger.kernel.org +Signed-off-by: Ard Biesheuvel +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20241212081841.2168124-11-ardb+git@google.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/arm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -1990,8 +1990,7 @@ static int kvm_init_vector_slots(void) + static void __init cpu_prepare_hyp_mode(int cpu, u32 hyp_va_bits) + { + struct kvm_nvhe_init_params *params = per_cpu_ptr_nvhe_sym(kvm_init_params, cpu); +- u64 mmfr0 = read_sanitised_ftr_reg(SYS_ID_AA64MMFR0_EL1); +- unsigned long tcr; ++ unsigned long tcr, ips; + + /* + * Calculate the raw per-cpu offset without a translation from the +@@ -2005,6 +2004,7 @@ static void __init cpu_prepare_hyp_mode( + params->mair_el2 = read_sysreg(mair_el1); + + tcr = read_sysreg(tcr_el1); ++ ips = FIELD_GET(TCR_IPS_MASK, tcr); + if (cpus_have_final_cap(ARM64_KVM_HVHE)) { + tcr |= TCR_EPD1_MASK; + } else { +@@ -2014,8 +2014,8 @@ static void __init cpu_prepare_hyp_mode( + tcr &= ~TCR_T0SZ_MASK; + tcr |= TCR_T0SZ(hyp_va_bits); + tcr &= ~TCR_EL2_PS_MASK; +- tcr |= FIELD_PREP(TCR_EL2_PS_MASK, kvm_get_parange(mmfr0)); +- if (kvm_lpa2_is_enabled()) ++ tcr |= FIELD_PREP(TCR_EL2_PS_MASK, ips); ++ if (lpa2_is_enabled()) + tcr |= TCR_EL2_DS; + params->tcr_el2 = tcr; + diff --git a/queue-6.13/arm64-mm-override-parange-for-lpa2-and-use-it-consistently.patch b/queue-6.13/arm64-mm-override-parange-for-lpa2-and-use-it-consistently.patch new file mode 100644 index 0000000000..f0db768c1f --- /dev/null +++ b/queue-6.13/arm64-mm-override-parange-for-lpa2-and-use-it-consistently.patch @@ -0,0 +1,111 @@ +From 62cffa496aac0c2c4eeca00d080058affd7a0172 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 12 Dec 2024 09:18:44 +0100 +Subject: arm64/mm: Override PARange for !LPA2 and use it consistently + +From: Ard Biesheuvel + +commit 62cffa496aac0c2c4eeca00d080058affd7a0172 upstream. + +When FEAT_LPA{,2} are not implemented, the ID_AA64MMFR0_EL1.PARange and +TCR.IPS values corresponding with 52-bit physical addressing are +reserved. + +Setting the TCR.IPS field to 0b110 (52-bit physical addressing) has side +effects, such as how the TTBRn_ELx.BADDR fields are interpreted, and so +it is important that disabling FEAT_LPA2 (by overriding the +ID_AA64MMFR0.TGran fields) also presents a PARange field consistent with +that. + +So limit the field to 48 bits unless LPA2 is enabled, and update +existing references to use the override consistently. + +Fixes: 352b0395b505 ("arm64: Enable 52-bit virtual addressing for 4k and 16k granule configs") +Cc: stable@vger.kernel.org +Signed-off-by: Ard Biesheuvel +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20241212081841.2168124-10-ardb+git@google.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/assembler.h | 5 +++++ + arch/arm64/kernel/cpufeature.c | 2 +- + arch/arm64/kernel/pi/idreg-override.c | 9 +++++++++ + arch/arm64/kernel/pi/map_kernel.c | 6 ++++++ + arch/arm64/mm/init.c | 7 ++++++- + 5 files changed, 27 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -343,6 +343,11 @@ alternative_cb_end + // Narrow PARange to fit the PS field in TCR_ELx + ubfx \tmp0, \tmp0, #ID_AA64MMFR0_EL1_PARANGE_SHIFT, #3 + mov \tmp1, #ID_AA64MMFR0_EL1_PARANGE_MAX ++#ifdef CONFIG_ARM64_LPA2 ++alternative_if_not ARM64_HAS_VA52 ++ mov \tmp1, #ID_AA64MMFR0_EL1_PARANGE_48 ++alternative_else_nop_endif ++#endif + cmp \tmp0, \tmp1 + csel \tmp0, \tmp1, \tmp0, hi + bfi \tcr, \tmp0, \pos, #3 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -3492,7 +3492,7 @@ static void verify_hyp_capabilities(void + return; + + safe_mmfr1 = read_sanitised_ftr_reg(SYS_ID_AA64MMFR1_EL1); +- mmfr0 = read_cpuid(ID_AA64MMFR0_EL1); ++ mmfr0 = read_sanitised_ftr_reg(SYS_ID_AA64MMFR0_EL1); + mmfr1 = read_cpuid(ID_AA64MMFR1_EL1); + + /* Verify VMID bits */ +--- a/arch/arm64/kernel/pi/idreg-override.c ++++ b/arch/arm64/kernel/pi/idreg-override.c +@@ -83,6 +83,15 @@ static bool __init mmfr2_varange_filter( + id_aa64mmfr0_override.val |= + (ID_AA64MMFR0_EL1_TGRAN_LPA2 - 1) << ID_AA64MMFR0_EL1_TGRAN_SHIFT; + id_aa64mmfr0_override.mask |= 0xfU << ID_AA64MMFR0_EL1_TGRAN_SHIFT; ++ ++ /* ++ * Override PARange to 48 bits - the override will just be ++ * ignored if the actual PARange is smaller, but this is ++ * unlikely to be the case for LPA2 capable silicon. ++ */ ++ id_aa64mmfr0_override.val |= ++ ID_AA64MMFR0_EL1_PARANGE_48 << ID_AA64MMFR0_EL1_PARANGE_SHIFT; ++ id_aa64mmfr0_override.mask |= 0xfU << ID_AA64MMFR0_EL1_PARANGE_SHIFT; + } + #endif + return true; +--- a/arch/arm64/kernel/pi/map_kernel.c ++++ b/arch/arm64/kernel/pi/map_kernel.c +@@ -136,6 +136,12 @@ static void noinline __section(".idmap.t + { + u64 sctlr = read_sysreg(sctlr_el1); + u64 tcr = read_sysreg(tcr_el1) | TCR_DS; ++ u64 mmfr0 = read_sysreg(id_aa64mmfr0_el1); ++ u64 parange = cpuid_feature_extract_unsigned_field(mmfr0, ++ ID_AA64MMFR0_EL1_PARANGE_SHIFT); ++ ++ tcr &= ~TCR_IPS_MASK; ++ tcr |= parange << TCR_IPS_SHIFT; + + asm(" msr sctlr_el1, %0 ;" + " isb ;" +--- a/arch/arm64/mm/init.c ++++ b/arch/arm64/mm/init.c +@@ -279,7 +279,12 @@ void __init arm64_memblock_init(void) + + if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) { + extern u16 memstart_offset_seed; +- u64 mmfr0 = read_cpuid(ID_AA64MMFR0_EL1); ++ ++ /* ++ * Use the sanitised version of id_aa64mmfr0_el1 so that linear ++ * map randomization can be enabled by shrinking the IPA space. ++ */ ++ u64 mmfr0 = read_sanitised_ftr_reg(SYS_ID_AA64MMFR0_EL1); + int parange = cpuid_feature_extract_unsigned_field( + mmfr0, ID_AA64MMFR0_EL1_PARANGE_SHIFT); + s64 range = linear_region_size - diff --git a/queue-6.13/arm64-mm-reduce-pa-space-to-48-bits-when-lpa2-is-not-enabled.patch b/queue-6.13/arm64-mm-reduce-pa-space-to-48-bits-when-lpa2-is-not-enabled.patch new file mode 100644 index 0000000000..403c6ac3ab --- /dev/null +++ b/queue-6.13/arm64-mm-reduce-pa-space-to-48-bits-when-lpa2-is-not-enabled.patch @@ -0,0 +1,93 @@ +From bf74bb73cd87c64bd5afc1fd4b749029997b6170 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 12 Dec 2024 09:18:43 +0100 +Subject: arm64/mm: Reduce PA space to 48 bits when LPA2 is not enabled + +From: Ard Biesheuvel + +commit bf74bb73cd87c64bd5afc1fd4b749029997b6170 upstream. + +Currently, LPA2 kernel support implies support for up to 52 bits of +physical addressing, and this is reflected in global definitions such as +PHYS_MASK_SHIFT and MAX_PHYSMEM_BITS. + +This is potentially problematic, given that LPA2 hardware support is +modeled as a CPU feature which can be overridden, and with LPA2 hardware +support turned off, attempting to map physical regions with address bits +[51:48] set (which may exist on LPA2 capable systems booting with +arm64.nolva) will result in corrupted mappings with a truncated output +address and bogus shareability attributes. + +This means that the accepted physical address range in the mapping +routines should be at most 48 bits wide when LPA2 support is configured +but not enabled at runtime. + +Fixes: 352b0395b505 ("arm64: Enable 52-bit virtual addressing for 4k and 16k granule configs") +Cc: stable@vger.kernel.org +Reviewed-by: Anshuman Khandual +Signed-off-by: Ard Biesheuvel +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20241212081841.2168124-9-ardb+git@google.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/pgtable-hwdef.h | 6 ------ + arch/arm64/include/asm/pgtable-prot.h | 7 +++++++ + arch/arm64/include/asm/sparsemem.h | 5 ++++- + 3 files changed, 11 insertions(+), 7 deletions(-) + +--- a/arch/arm64/include/asm/pgtable-hwdef.h ++++ b/arch/arm64/include/asm/pgtable-hwdef.h +@@ -222,12 +222,6 @@ + */ + #define S1_TABLE_AP (_AT(pmdval_t, 3) << 61) + +-/* +- * Highest possible physical address supported. +- */ +-#define PHYS_MASK_SHIFT (CONFIG_ARM64_PA_BITS) +-#define PHYS_MASK ((UL(1) << PHYS_MASK_SHIFT) - 1) +- + #define TTBR_CNP_BIT (UL(1) << 0) + + /* +--- a/arch/arm64/include/asm/pgtable-prot.h ++++ b/arch/arm64/include/asm/pgtable-prot.h +@@ -81,6 +81,7 @@ extern unsigned long prot_ns_shared; + #define lpa2_is_enabled() false + #define PTE_MAYBE_SHARED PTE_SHARED + #define PMD_MAYBE_SHARED PMD_SECT_S ++#define PHYS_MASK_SHIFT (CONFIG_ARM64_PA_BITS) + #else + static inline bool __pure lpa2_is_enabled(void) + { +@@ -89,9 +90,15 @@ static inline bool __pure lpa2_is_enable + + #define PTE_MAYBE_SHARED (lpa2_is_enabled() ? 0 : PTE_SHARED) + #define PMD_MAYBE_SHARED (lpa2_is_enabled() ? 0 : PMD_SECT_S) ++#define PHYS_MASK_SHIFT (lpa2_is_enabled() ? CONFIG_ARM64_PA_BITS : 48) + #endif + + /* ++ * Highest possible physical address supported. ++ */ ++#define PHYS_MASK ((UL(1) << PHYS_MASK_SHIFT) - 1) ++ ++/* + * If we have userspace only BTI we don't want to mark kernel pages + * guarded even if the system does support BTI. + */ +--- a/arch/arm64/include/asm/sparsemem.h ++++ b/arch/arm64/include/asm/sparsemem.h +@@ -5,7 +5,10 @@ + #ifndef __ASM_SPARSEMEM_H + #define __ASM_SPARSEMEM_H + +-#define MAX_PHYSMEM_BITS CONFIG_ARM64_PA_BITS ++#include ++ ++#define MAX_PHYSMEM_BITS PHYS_MASK_SHIFT ++#define MAX_POSSIBLE_PHYSMEM_BITS (52) + + /* + * Section size must be at least 512MB for 64K base diff --git a/queue-6.13/arm64-sme-move-storage-of-reg_smidr-to-__cpuinfo_store_cpu.patch b/queue-6.13/arm64-sme-move-storage-of-reg_smidr-to-__cpuinfo_store_cpu.patch new file mode 100644 index 0000000000..2ffdcb2d9f --- /dev/null +++ b/queue-6.13/arm64-sme-move-storage-of-reg_smidr-to-__cpuinfo_store_cpu.patch @@ -0,0 +1,101 @@ +From d3c7c48d004f6c8d892f39b5d69884fd0fe98c81 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Tue, 17 Dec 2024 21:59:48 +0000 +Subject: arm64/sme: Move storage of reg_smidr to __cpuinfo_store_cpu() + +From: Mark Brown + +commit d3c7c48d004f6c8d892f39b5d69884fd0fe98c81 upstream. + +In commit 892f7237b3ff ("arm64: Delay initialisation of +cpuinfo_arm64::reg_{zcr,smcr}") we moved access to ZCR, SMCR and SMIDR +later in the boot process in order to ensure that we don't attempt to +interact with them if SVE or SME is disabled on the command line. +Unfortunately when initialising the boot CPU in init_cpu_features() we work +on a copy of the struct cpuinfo_arm64 for the boot CPU used only during +boot, not the percpu copy used by the sysfs code. The expectation of the +feature identification code was that the ID registers would be read in +__cpuinfo_store_cpu() and the values not modified by init_cpu_features(). + +The main reason for the original change was to avoid early accesses to +ZCR on practical systems that were seen shipping with SVE reported in ID +registers but traps enabled at EL3 and handled as fatal errors, SME was +rolled in due to the similarity with SVE. Since then we have removed the +early accesses to ZCR and SMCR in commits: + + abef0695f9665c3d ("arm64/sve: Remove ZCR pseudo register from cpufeature code") + 391208485c3ad50f ("arm64/sve: Remove SMCR pseudo register from cpufeature code") + +so only the SMIDR_EL1 part of the change remains. Since SMIDR_EL1 is +only trapped via FEAT_IDST and not the SME trap it is less likely to be +affected by similar issues, and the factors that lead to issues with SVE +are less likely to apply to SME. + +Since we have not yet seen practical SME systems that need to use a +command line override (and are only just beginning to see SME systems at +all) and the ID register read is much more likely to be safe let's just +store SMIDR_EL1 along with all the other ID register reads in +__cpuinfo_store_cpu(). + +This issue wasn't apparent when testing on emulated platforms that do not +report values in SMIDR_EL1. + +Fixes: 892f7237b3ff ("arm64: Delay initialisation of cpuinfo_arm64::reg_{zcr,smcr}") +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241217-arm64-fix-boot-cpu-smidr-v3-1-7be278a85623@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/cpufeature.c | 13 ------------- + arch/arm64/kernel/cpuinfo.c | 10 ++++++++++ + 2 files changed, 10 insertions(+), 13 deletions(-) + +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -1167,12 +1167,6 @@ void __init init_cpu_features(struct cpu + id_aa64pfr1_sme(read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1))) { + unsigned long cpacr = cpacr_save_enable_kernel_sme(); + +- /* +- * We mask out SMPS since even if the hardware +- * supports priorities the kernel does not at present +- * and we block access to them. +- */ +- info->reg_smidr = read_cpuid(SMIDR_EL1) & ~SMIDR_EL1_SMPS; + vec_init_vq_map(ARM64_VEC_SME); + + cpacr_restore(cpacr); +@@ -1423,13 +1417,6 @@ void update_cpu_features(int cpu, + id_aa64pfr1_sme(read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1))) { + unsigned long cpacr = cpacr_save_enable_kernel_sme(); + +- /* +- * We mask out SMPS since even if the hardware +- * supports priorities the kernel does not at present +- * and we block access to them. +- */ +- info->reg_smidr = read_cpuid(SMIDR_EL1) & ~SMIDR_EL1_SMPS; +- + /* Probe vector lengths */ + if (!system_capabilities_finalized()) + vec_update_vq_map(ARM64_VEC_SME); +--- a/arch/arm64/kernel/cpuinfo.c ++++ b/arch/arm64/kernel/cpuinfo.c +@@ -482,6 +482,16 @@ static void __cpuinfo_store_cpu(struct c + if (id_aa64pfr0_mpam(info->reg_id_aa64pfr0)) + info->reg_mpamidr = read_cpuid(MPAMIDR_EL1); + ++ if (IS_ENABLED(CONFIG_ARM64_SME) && ++ id_aa64pfr1_sme(info->reg_id_aa64pfr1)) { ++ /* ++ * We mask out SMPS since even if the hardware ++ * supports priorities the kernel does not at present ++ * and we block access to them. ++ */ ++ info->reg_smidr = read_cpuid(SMIDR_EL1) & ~SMIDR_EL1_SMPS; ++ } ++ + cpuinfo_detect_icache_policy(info); + } + diff --git a/queue-6.13/binfmt_flat-fix-integer-overflow-bug-on-32-bit-systems.patch b/queue-6.13/binfmt_flat-fix-integer-overflow-bug-on-32-bit-systems.patch new file mode 100644 index 0000000000..e78dfbdd10 --- /dev/null +++ b/queue-6.13/binfmt_flat-fix-integer-overflow-bug-on-32-bit-systems.patch @@ -0,0 +1,38 @@ +From 55cf2f4b945f6a6416cc2524ba740b83cc9af25a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 4 Dec 2024 15:07:15 +0300 +Subject: binfmt_flat: Fix integer overflow bug on 32 bit systems + +From: Dan Carpenter + +commit 55cf2f4b945f6a6416cc2524ba740b83cc9af25a upstream. + +Most of these sizes and counts are capped at 256MB so the math doesn't +result in an integer overflow. The "relocs" count needs to be checked +as well. Otherwise on 32bit systems the calculation of "full_data" +could be wrong. + + full_data = data_len + relocs * sizeof(unsigned long); + +Fixes: c995ee28d29d ("binfmt_flat: prevent kernel dammage from corrupted executable headers") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Acked-by: Nicolas Pitre +Link: https://lore.kernel.org/r/5be17f6c-5338-43be-91ef-650153b975cb@stanley.mountain +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_flat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/binfmt_flat.c ++++ b/fs/binfmt_flat.c +@@ -478,7 +478,7 @@ static int load_flat_file(struct linux_b + * 28 bits (256 MB) is way more than reasonable in this case. + * If some top bits are set we have probable binary corruption. + */ +- if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) { ++ if ((text_len | data_len | bss_len | stack_len | relocs | full_data) >> 28) { + pr_err("bad header\n"); + ret = -ENOEXEC; + goto err; diff --git a/queue-6.13/block-mark-gfp_noio-around-sysfs-store.patch b/queue-6.13/block-mark-gfp_noio-around-sysfs-store.patch new file mode 100644 index 0000000000..7c653054d2 --- /dev/null +++ b/queue-6.13/block-mark-gfp_noio-around-sysfs-store.patch @@ -0,0 +1,52 @@ +From 7c0be4ead1f8f5f8be0803f347de0de81e3b8e1c Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Mon, 13 Jan 2025 09:58:33 +0800 +Subject: block: mark GFP_NOIO around sysfs ->store() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ming Lei + +commit 7c0be4ead1f8f5f8be0803f347de0de81e3b8e1c upstream. + +sysfs ->store is called with queue freezed, meantime we have several +->store() callbacks(update_nr_requests, wbt, scheduler) to allocate +memory with GFP_KERNEL which may run into direct reclaim code path, +then potential deadlock can be caused. + +Fix the issue by marking NOIO around sysfs ->store() + +Reported-by: Thomas Hellström +Cc: stable@vger.kernel.org +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20250113015833.698458-1-ming.lei@redhat.com +Link: https://lore.kernel.org/linux-block/Z4RkemI9f6N5zoEF@fedora/T/#mc774c65eeca5c024d29695f9ac6152b87763f305 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/blk-sysfs.c ++++ b/block/blk-sysfs.c +@@ -681,6 +681,7 @@ queue_attr_store(struct kobject *kobj, s + struct queue_sysfs_entry *entry = to_queue(attr); + struct gendisk *disk = container_of(kobj, struct gendisk, queue_kobj); + struct request_queue *q = disk->queue; ++ unsigned int noio_flag; + ssize_t res; + + if (!entry->store_limit && !entry->store) +@@ -711,7 +712,9 @@ queue_attr_store(struct kobject *kobj, s + + mutex_lock(&q->sysfs_lock); + blk_mq_freeze_queue(q); ++ noio_flag = memalloc_noio_save(); + res = entry->store(disk, page, length); ++ memalloc_noio_restore(noio_flag); + blk_mq_unfreeze_queue(q); + mutex_unlock(&q->sysfs_lock); + return res; diff --git a/queue-6.13/bluetooth-l2cap-accept-zero-as-a-special-value-for-mtu-auto-selection.patch b/queue-6.13/bluetooth-l2cap-accept-zero-as-a-special-value-for-mtu-auto-selection.patch new file mode 100644 index 0000000000..a5168851d5 --- /dev/null +++ b/queue-6.13/bluetooth-l2cap-accept-zero-as-a-special-value-for-mtu-auto-selection.patch @@ -0,0 +1,48 @@ +From 5c61419e02033eaf01733d66e2fcd4044808f482 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 29 Jan 2025 00:08:14 +0300 +Subject: Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection + +From: Fedor Pchelkin + +commit 5c61419e02033eaf01733d66e2fcd4044808f482 upstream. + +One of the possible ways to enable the input MTU auto-selection for L2CAP +connections is supposed to be through passing a special "0" value for it +as a socket option. Commit [1] added one of those into avdtp. However, it +simply wouldn't work because the kernel still treats the specified value +as invalid and denies the setting attempt. Recorded BlueZ logs include the +following: + + bluetoothd[496]: profiles/audio/avdtp.c:l2cap_connect() setsockopt(L2CAP_OPTIONS): Invalid argument (22) + +[1]: https://github.com/bluez/bluez/commit/ae5be371a9f53fed33d2b34748a95a5498fd4b77 + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 4b6e228e297b ("Bluetooth: Auto tune if input MTU is set to 0") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -710,12 +710,12 @@ static bool l2cap_valid_mtu(struct l2cap + { + switch (chan->scid) { + case L2CAP_CID_ATT: +- if (mtu < L2CAP_LE_MIN_MTU) ++ if (mtu && mtu < L2CAP_LE_MIN_MTU) + return false; + break; + + default: +- if (mtu < L2CAP_DEFAULT_MIN_MTU) ++ if (mtu && mtu < L2CAP_DEFAULT_MIN_MTU) + return false; + } + diff --git a/queue-6.13/bluetooth-l2cap-handle-null-sock-pointer-in-l2cap_sock_alloc.patch b/queue-6.13/bluetooth-l2cap-handle-null-sock-pointer-in-l2cap_sock_alloc.patch new file mode 100644 index 0000000000..9edba18ee1 --- /dev/null +++ b/queue-6.13/bluetooth-l2cap-handle-null-sock-pointer-in-l2cap_sock_alloc.patch @@ -0,0 +1,46 @@ +From 5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 18 Dec 2024 00:19:59 +0300 +Subject: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc + +From: Fedor Pchelkin + +commit 5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1 upstream. + +A NULL sock pointer is passed into l2cap_sock_alloc() when it is called +from l2cap_sock_new_connection_cb() and the error handling paths should +also be aware of it. + +Seemingly a more elegant solution would be to swap bt_sock_alloc() and +l2cap_chan_create() calls since they are not interdependent to that moment +but then l2cap_chan_create() adds the soon to be deallocated and still +dummy-initialized channel to the global list accessible by many L2CAP +paths. The channel would be removed from the list in short period of time +but be a bit more straight-forward here and just check for NULL instead of +changing the order of function calls. + +Found by Linux Verification Center (linuxtesting.org) with SVACE static +analysis tool. + +Fixes: 7c4f78cdb8e7 ("Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1888,7 +1888,8 @@ static struct sock *l2cap_sock_alloc(str + chan = l2cap_chan_create(); + if (!chan) { + sk_free(sk); +- sock->sk = NULL; ++ if (sock) ++ sock->sk = NULL; + return NULL; + } + diff --git a/queue-6.13/cifs-remove-intermediate-object-of-failed-create-sfu-call.patch b/queue-6.13/cifs-remove-intermediate-object-of-failed-create-sfu-call.patch new file mode 100644 index 0000000000..d06bc0b16e --- /dev/null +++ b/queue-6.13/cifs-remove-intermediate-object-of-failed-create-sfu-call.patch @@ -0,0 +1,87 @@ +From 25f6184e24b3991eae977a29ecf27d537cc930b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Wed, 25 Dec 2024 14:00:39 +0100 +Subject: cifs: Remove intermediate object of failed create SFU call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit 25f6184e24b3991eae977a29ecf27d537cc930b2 upstream. + +Check if the server honored ATTR_SYSTEM flag by CREATE_OPTION_SPECIAL +option. If not then server does not support ATTR_SYSTEM and newly +created file is not SFU compatible, which means that the call failed. + +If CREATE was successful but either setting ATTR_SYSTEM failed or +writing type/data information failed then remove the intermediate +object created by CREATE. Otherwise intermediate empty object stay +on the server. + +This ensures that if the creating of SFU files with system attribute is +unsupported by the server then no empty file stay on the server as a result +of unsupported operation. + +This is for example case with Samba server and Linux tmpfs storage without +enabled xattr support (where Samba stores ATTR_SYSTEM bit). + +Cc: stable@vger.kernel.org +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -5077,6 +5077,7 @@ int __cifs_sfu_make_node(unsigned int xi + { + struct TCP_Server_Info *server = tcon->ses->server; + struct cifs_open_parms oparms; ++ struct cifs_open_info_data idata; + struct cifs_io_parms io_parms = {}; + struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb); + struct cifs_fid fid; +@@ -5146,10 +5147,20 @@ int __cifs_sfu_make_node(unsigned int xi + CREATE_OPTION_SPECIAL, ACL_NO_MODE); + oparms.fid = &fid; + +- rc = server->ops->open(xid, &oparms, &oplock, NULL); ++ rc = server->ops->open(xid, &oparms, &oplock, &idata); + if (rc) + goto out; + ++ /* ++ * Check if the server honored ATTR_SYSTEM flag by CREATE_OPTION_SPECIAL ++ * option. If not then server does not support ATTR_SYSTEM and newly ++ * created file is not SFU compatible, which means that the call failed. ++ */ ++ if (!(le32_to_cpu(idata.fi.Attributes) & ATTR_SYSTEM)) { ++ rc = -EOPNOTSUPP; ++ goto out_close; ++ } ++ + if (type_len + data_len > 0) { + io_parms.pid = current->tgid; + io_parms.tcon = tcon; +@@ -5164,8 +5175,18 @@ int __cifs_sfu_make_node(unsigned int xi + iov, ARRAY_SIZE(iov)-1); + } + ++out_close: + server->ops->close(xid, tcon, &fid); + ++ /* ++ * If CREATE was successful but either setting ATTR_SYSTEM failed or ++ * writing type/data information failed then remove the intermediate ++ * object created by CREATE. Otherwise intermediate empty object stay ++ * on the server. ++ */ ++ if (rc) ++ server->ops->unlink(xid, tcon, full_path, cifs_sb, NULL); ++ + out: + kfree(symname_utf16); + return rc; diff --git a/queue-6.13/clk-clk-loongson2-fix-the-number-count-of-clk-provider.patch b/queue-6.13/clk-clk-loongson2-fix-the-number-count-of-clk-provider.patch new file mode 100644 index 0000000000..4cfef7cb27 --- /dev/null +++ b/queue-6.13/clk-clk-loongson2-fix-the-number-count-of-clk-provider.patch @@ -0,0 +1,58 @@ +From 5fb33b6797633ce60908d13dc06c54a101621845 Mon Sep 17 00:00:00 2001 +From: Binbin Zhou +Date: Tue, 14 Jan 2025 21:00:29 +0800 +Subject: clk: clk-loongson2: Fix the number count of clk provider + +From: Binbin Zhou + +commit 5fb33b6797633ce60908d13dc06c54a101621845 upstream. + +Since commit 02fb4f008433 ("clk: clk-loongson2: Fix potential buffer +overflow in flexible-array member access"), the clk provider register is +failed. + +The count of `clks_num` is shown below: + + for (p = data; p->name; p++) + clks_num++; + +In fact, `clks_num` represents the number of SoC clocks and should be +expressed as the maximum value of the clock binding id in use (p->id + 1). + +Now we fix it to avoid the following error when trying to register a clk +provider: + +[ 13.409595] of_clk_hw_onecell_get: invalid index 17 + +Cc: stable@vger.kernel.org +Cc: Gustavo A. R. Silva +Fixes: 02fb4f008433 ("clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access") +Signed-off-by: Binbin Zhou +Link: https://lore.kernel.org/r/82e43d89a9a6791129cf8ea14f4eeb666cd87be4.1736856470.git.zhoubinbin@loongson.cn +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-loongson2.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/clk/clk-loongson2.c ++++ b/drivers/clk/clk-loongson2.c +@@ -294,7 +294,7 @@ static int loongson2_clk_probe(struct pl + return -EINVAL; + + for (p = data; p->name; p++) +- clks_num++; ++ clks_num = max(clks_num, p->id + 1); + + clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), + GFP_KERNEL); +@@ -309,6 +309,9 @@ static int loongson2_clk_probe(struct pl + clp->clk_data.num = clks_num; + clp->dev = dev; + ++ /* Avoid returning NULL for unused id */ ++ memset_p((void **)clp->clk_data.hws, ERR_PTR(-ENOENT), clks_num); ++ + for (i = 0; i < clks_num; i++) { + p = &data[i]; + switch (p->type) { diff --git a/queue-6.13/clk-mediatek-mt2701-aud-fix-conversion-to-mtk_clk_simple_probe.patch b/queue-6.13/clk-mediatek-mt2701-aud-fix-conversion-to-mtk_clk_simple_probe.patch new file mode 100644 index 0000000000..fbfc5f4ef9 --- /dev/null +++ b/queue-6.13/clk-mediatek-mt2701-aud-fix-conversion-to-mtk_clk_simple_probe.patch @@ -0,0 +1,69 @@ +From 5fba40be5fbad563914e3ce9d5129a6baaea1ff5 Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sun, 15 Dec 2024 22:14:11 +0000 +Subject: clk: mediatek: mt2701-aud: fix conversion to mtk_clk_simple_probe + +From: Daniel Golle + +commit 5fba40be5fbad563914e3ce9d5129a6baaea1ff5 upstream. + +Some of the audio subsystem clocks defined in clk-mt2701.h aren't +actually used by the driver. This broke conversion to +mtk_clk_simple_probe which expects that the highest possible clk id is +defined by the ARRAY_SIZE. + +Add additional dummy clocks to fill the gaps and remain compatible with +the existing DT bindings. + +Fixes: 0f69a423c458 ("clk: mediatek: Switch to mtk_clk_simple_probe() where possible") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Golle +Link: https://lore.kernel.org/r/a07584d803af57b9ce4b5df5e122c09bf5a56ac9.1734300668.git.daniel@makrotopia.org +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/mediatek/clk-mt2701-aud.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/clk/mediatek/clk-mt2701-aud.c ++++ b/drivers/clk/mediatek/clk-mt2701-aud.c +@@ -55,10 +55,16 @@ static const struct mtk_gate audio_clks[ + GATE_DUMMY(CLK_DUMMY, "aud_dummy"), + /* AUDIO0 */ + GATE_AUDIO0(CLK_AUD_AFE, "audio_afe", "aud_intbus_sel", 2), ++ GATE_DUMMY(CLK_AUD_LRCK_DETECT, "audio_lrck_detect_dummy"), ++ GATE_DUMMY(CLK_AUD_I2S, "audio_i2c_dummy"), ++ GATE_DUMMY(CLK_AUD_APLL_TUNER, "audio_apll_tuner_dummy"), + GATE_AUDIO0(CLK_AUD_HDMI, "audio_hdmi", "audpll_sel", 20), + GATE_AUDIO0(CLK_AUD_SPDF, "audio_spdf", "audpll_sel", 21), + GATE_AUDIO0(CLK_AUD_SPDF2, "audio_spdf2", "audpll_sel", 22), + GATE_AUDIO0(CLK_AUD_APLL, "audio_apll", "audpll_sel", 23), ++ GATE_DUMMY(CLK_AUD_TML, "audio_tml_dummy"), ++ GATE_DUMMY(CLK_AUD_AHB_IDLE_EXT, "audio_ahb_idle_ext_dummy"), ++ GATE_DUMMY(CLK_AUD_AHB_IDLE_INT, "audio_ahb_idle_int_dummy"), + /* AUDIO1 */ + GATE_AUDIO1(CLK_AUD_I2SIN1, "audio_i2sin1", "aud_mux1_sel", 0), + GATE_AUDIO1(CLK_AUD_I2SIN2, "audio_i2sin2", "aud_mux1_sel", 1), +@@ -76,10 +82,12 @@ static const struct mtk_gate audio_clks[ + GATE_AUDIO1(CLK_AUD_ASRCI2, "audio_asrci2", "asm_h_sel", 13), + GATE_AUDIO1(CLK_AUD_ASRCO1, "audio_asrco1", "asm_h_sel", 14), + GATE_AUDIO1(CLK_AUD_ASRCO2, "audio_asrco2", "asm_h_sel", 15), ++ GATE_DUMMY(CLK_AUD_HDMIRX, "audio_hdmirx_dummy"), + GATE_AUDIO1(CLK_AUD_INTDIR, "audio_intdir", "intdir_sel", 20), + GATE_AUDIO1(CLK_AUD_A1SYS, "audio_a1sys", "aud_mux1_sel", 21), + GATE_AUDIO1(CLK_AUD_A2SYS, "audio_a2sys", "aud_mux2_sel", 22), + GATE_AUDIO1(CLK_AUD_AFE_CONN, "audio_afe_conn", "aud_mux1_sel", 23), ++ GATE_DUMMY(CLK_AUD_AFE_PCMIF, "audio_afe_pcmif_dummy"), + GATE_AUDIO1(CLK_AUD_AFE_MRGIF, "audio_afe_mrgif", "aud_mux1_sel", 25), + /* AUDIO2 */ + GATE_AUDIO2(CLK_AUD_MMIF_UL1, "audio_ul1", "aud_mux1_sel", 0), +@@ -100,6 +108,8 @@ static const struct mtk_gate audio_clks[ + GATE_AUDIO2(CLK_AUD_MMIF_AWB2, "audio_awb2", "aud_mux1_sel", 15), + GATE_AUDIO2(CLK_AUD_MMIF_DAI, "audio_dai", "aud_mux1_sel", 16), + /* AUDIO3 */ ++ GATE_DUMMY(CLK_AUD_DMIC1, "audio_dmic1_dummy"), ++ GATE_DUMMY(CLK_AUD_DMIC2, "audio_dmic2_dummy"), + GATE_AUDIO3(CLK_AUD_ASRCI3, "audio_asrci3", "asm_h_sel", 2), + GATE_AUDIO3(CLK_AUD_ASRCI4, "audio_asrci4", "asm_h_sel", 3), + GATE_AUDIO3(CLK_AUD_ASRCI5, "audio_asrci5", "asm_h_sel", 4), diff --git a/queue-6.13/clk-mediatek-mt2701-bdp-add-missing-dummy-clk.patch b/queue-6.13/clk-mediatek-mt2701-bdp-add-missing-dummy-clk.patch new file mode 100644 index 0000000000..ad074382ad --- /dev/null +++ b/queue-6.13/clk-mediatek-mt2701-bdp-add-missing-dummy-clk.patch @@ -0,0 +1,33 @@ +From fd291adc5e9a4ee6cd91e57f148f3b427f80647b Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sun, 15 Dec 2024 22:14:24 +0000 +Subject: clk: mediatek: mt2701-bdp: add missing dummy clk + +From: Daniel Golle + +commit fd291adc5e9a4ee6cd91e57f148f3b427f80647b upstream. + +Add dummy clk for index 0 which was missed during the conversion to +mtk_clk_simple_probe(). + +Fixes: 973d1607d936 ("clk: mediatek: mt2701: use mtk_clk_simple_probe to simplify driver") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Golle +Link: https://lore.kernel.org/r/b8526c882a50f2b158df0eccb4a165956fd8fa13.1734300668.git.daniel@makrotopia.org +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/mediatek/clk-mt2701-bdp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/mediatek/clk-mt2701-bdp.c ++++ b/drivers/clk/mediatek/clk-mt2701-bdp.c +@@ -31,6 +31,7 @@ static const struct mtk_gate_regs bdp1_c + GATE_MTK(_id, _name, _parent, &bdp1_cg_regs, _shift, &mtk_clk_gate_ops_setclr_inv) + + static const struct mtk_gate bdp_clks[] = { ++ GATE_DUMMY(CLK_DUMMY, "bdp_dummy"), + GATE_BDP0(CLK_BDP_BRG_BA, "brg_baclk", "mm_sel", 0), + GATE_BDP0(CLK_BDP_BRG_DRAM, "brg_dram", "mm_sel", 1), + GATE_BDP0(CLK_BDP_LARB_DRAM, "larb_dram", "mm_sel", 2), diff --git a/queue-6.13/clk-mediatek-mt2701-img-add-missing-dummy-clk.patch b/queue-6.13/clk-mediatek-mt2701-img-add-missing-dummy-clk.patch new file mode 100644 index 0000000000..8931639e2f --- /dev/null +++ b/queue-6.13/clk-mediatek-mt2701-img-add-missing-dummy-clk.patch @@ -0,0 +1,33 @@ +From 366640868ccb4a7991aebe8442b01340fab218e2 Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sun, 15 Dec 2024 22:14:48 +0000 +Subject: clk: mediatek: mt2701-img: add missing dummy clk + +From: Daniel Golle + +commit 366640868ccb4a7991aebe8442b01340fab218e2 upstream. + +Add dummy clk for index 0 which was missed during the conversion to +mtk_clk_simple_probe(). + +Fixes: 973d1607d936 ("clk: mediatek: mt2701: use mtk_clk_simple_probe to simplify driver") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Golle +Link: https://lore.kernel.org/r/d677486a5c563fe5c47aa995841adc2aaa183b8a.1734300668.git.daniel@makrotopia.org +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/mediatek/clk-mt2701-img.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/mediatek/clk-mt2701-img.c ++++ b/drivers/clk/mediatek/clk-mt2701-img.c +@@ -22,6 +22,7 @@ static const struct mtk_gate_regs img_cg + GATE_MTK(_id, _name, _parent, &img_cg_regs, _shift, &mtk_clk_gate_ops_setclr) + + static const struct mtk_gate img_clks[] = { ++ GATE_DUMMY(CLK_DUMMY, "img_dummy"), + GATE_IMG(CLK_IMG_SMI_COMM, "img_smi_comm", "mm_sel", 0), + GATE_IMG(CLK_IMG_RESZ, "img_resz", "mm_sel", 1), + GATE_IMG(CLK_IMG_JPGDEC_SMI, "img_jpgdec_smi", "mm_sel", 5), diff --git a/queue-6.13/clk-mediatek-mt2701-mm-add-missing-dummy-clk.patch b/queue-6.13/clk-mediatek-mt2701-mm-add-missing-dummy-clk.patch new file mode 100644 index 0000000000..048414ff86 --- /dev/null +++ b/queue-6.13/clk-mediatek-mt2701-mm-add-missing-dummy-clk.patch @@ -0,0 +1,34 @@ +From 67aea188f23a5dde51c31a720ccf66aed0ce4187 Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sun, 15 Dec 2024 22:14:34 +0000 +Subject: clk: mediatek: mt2701-mm: add missing dummy clk + +From: Daniel Golle + +commit 67aea188f23a5dde51c31a720ccf66aed0ce4187 upstream. + +Add dummy clk which was missed during the conversion to +mtk_clk_pdev_probe() and is required for the existing DT bindings to +keep working. + +Fixes: 65c10c50c9c7 ("clk: mediatek: Migrate to mtk_clk_pdev_probe() for multimedia clocks") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Golle +Link: https://lore.kernel.org/r/9de23440fcba1ffef9e77d58c9f505105e57a250.1734300668.git.daniel@makrotopia.org +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/mediatek/clk-mt2701-mm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/mediatek/clk-mt2701-mm.c ++++ b/drivers/clk/mediatek/clk-mt2701-mm.c +@@ -31,6 +31,7 @@ static const struct mtk_gate_regs disp1_ + GATE_MTK(_id, _name, _parent, &disp1_cg_regs, _shift, &mtk_clk_gate_ops_setclr) + + static const struct mtk_gate mm_clks[] = { ++ GATE_DUMMY(CLK_DUMMY, "mm_dummy"), + GATE_DISP0(CLK_MM_SMI_COMMON, "mm_smi_comm", "mm_sel", 0), + GATE_DISP0(CLK_MM_SMI_LARB0, "mm_smi_larb0", "mm_sel", 1), + GATE_DISP0(CLK_MM_CMDQ, "mm_cmdq", "mm_sel", 2), diff --git a/queue-6.13/clk-mediatek-mt2701-vdec-fix-conversion-to-mtk_clk_simple_probe.patch b/queue-6.13/clk-mediatek-mt2701-vdec-fix-conversion-to-mtk_clk_simple_probe.patch new file mode 100644 index 0000000000..6e2cf08086 --- /dev/null +++ b/queue-6.13/clk-mediatek-mt2701-vdec-fix-conversion-to-mtk_clk_simple_probe.patch @@ -0,0 +1,37 @@ +From 7c8746126a4e256fcf1af9174ee7d92cc3f3bc31 Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sun, 15 Dec 2024 22:13:49 +0000 +Subject: clk: mediatek: mt2701-vdec: fix conversion to mtk_clk_simple_probe + +From: Daniel Golle + +commit 7c8746126a4e256fcf1af9174ee7d92cc3f3bc31 upstream. + +Commit 973d1607d936 ("clk: mediatek: mt2701: use mtk_clk_simple_probe to +simplify driver") broke DT bindings as the highest index was reduced by +1 because the id count starts from 1 and not from 0. + +Fix this, like for other drivers which had the same issue, by adding a +dummy clk at index 0. + +Fixes: 973d1607d936 ("clk: mediatek: mt2701: use mtk_clk_simple_probe to simplify driver") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Golle +Link: https://lore.kernel.org/r/b126a5577f3667ef19b1b5feea5e70174084fb03.1734300668.git.daniel@makrotopia.org +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/mediatek/clk-mt2701-vdec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/mediatek/clk-mt2701-vdec.c ++++ b/drivers/clk/mediatek/clk-mt2701-vdec.c +@@ -31,6 +31,7 @@ static const struct mtk_gate_regs vdec1_ + GATE_MTK(_id, _name, _parent, &vdec1_cg_regs, _shift, &mtk_clk_gate_ops_setclr_inv) + + static const struct mtk_gate vdec_clks[] = { ++ GATE_DUMMY(CLK_DUMMY, "vdec_dummy"), + GATE_VDEC0(CLK_VDEC_CKGEN, "vdec_cken", "vdec_sel", 0), + GATE_VDEC1(CLK_VDEC_LARB, "vdec_larb_cken", "mm_sel", 0), + }; diff --git a/queue-6.13/clk-mmp2-call-pm_genpd_init-only-after-genpd.name-is-set.patch b/queue-6.13/clk-mmp2-call-pm_genpd_init-only-after-genpd.name-is-set.patch new file mode 100644 index 0000000000..e60162a10f --- /dev/null +++ b/queue-6.13/clk-mmp2-call-pm_genpd_init-only-after-genpd.name-is-set.patch @@ -0,0 +1,53 @@ +From e24b15d4704dcb73920c3d18a6157abd18df08c1 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Tue, 31 Dec 2024 20:03:35 +0100 +Subject: clk: mmp2: call pm_genpd_init() only after genpd.name is set + +From: Lubomir Rintel + +commit e24b15d4704dcb73920c3d18a6157abd18df08c1 upstream. + +Setting the genpd's struct device's name with dev_set_name() is +happening within pm_genpd_init(). If it remains NULL, things can blow up +later, such as when crafting the devfs hierarchy for the power domain: + + Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read + ... + Call trace: + strlen from start_creating+0x90/0x138 + start_creating from debugfs_create_dir+0x20/0x178 + debugfs_create_dir from genpd_debug_add.part.0+0x4c/0x144 + genpd_debug_add.part.0 from genpd_debug_init+0x74/0x90 + genpd_debug_init from do_one_initcall+0x5c/0x244 + do_one_initcall from kernel_init_freeable+0x19c/0x1f4 + kernel_init_freeable from kernel_init+0x1c/0x12c + kernel_init from ret_from_fork+0x14/0x28 + +Bisecting tracks this crash back to commit 899f44531fe6 ("pmdomain: core: +Add GENPD_FLAG_DEV_NAME_FW flag"), which exchanges use of genpd->name +with dev_name(&genpd->dev) in genpd_debug_add.part(). + +Fixes: 899f44531fe6 ("pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag") +Signed-off-by: Lubomir Rintel +Cc: stable@vger.kernel.org # v6.12+ +Link: https://lore.kernel.org/r/20241231190336.423172-1-lkundrak@v3.sk +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/mmp/pwr-island.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/mmp/pwr-island.c ++++ b/drivers/clk/mmp/pwr-island.c +@@ -106,10 +106,10 @@ struct generic_pm_domain *mmp_pm_domain_ + pm_domain->flags = flags; + pm_domain->lock = lock; + +- pm_genpd_init(&pm_domain->genpd, NULL, true); + pm_domain->genpd.name = name; + pm_domain->genpd.power_on = mmp_pm_domain_power_on; + pm_domain->genpd.power_off = mmp_pm_domain_power_off; ++ pm_genpd_init(&pm_domain->genpd, NULL, true); + + return &pm_domain->genpd; + } diff --git a/queue-6.13/clk-qcom-clk-alpha-pll-fix-alpha-mode-configuration.patch b/queue-6.13/clk-qcom-clk-alpha-pll-fix-alpha-mode-configuration.patch new file mode 100644 index 0000000000..ef8c7a0a7f --- /dev/null +++ b/queue-6.13/clk-qcom-clk-alpha-pll-fix-alpha-mode-configuration.patch @@ -0,0 +1,81 @@ +From 33f1722eb86e45320a3dd7b3d42f6593a1d595c2 Mon Sep 17 00:00:00 2001 +From: Gabor Juhos +Date: Mon, 21 Oct 2024 19:32:48 +0200 +Subject: clk: qcom: clk-alpha-pll: fix alpha mode configuration + +From: Gabor Juhos + +commit 33f1722eb86e45320a3dd7b3d42f6593a1d595c2 upstream. + +Commit c45ae598fc16 ("clk: qcom: support for alpha mode configuration") +added support for configuring alpha mode, but it seems that the feature +was never working in practice. + +The value of the alpha_{en,mode}_mask members of the configuration gets +added to the value parameter passed to the regmap_update_bits() function, +however the same values are not getting applied to the bitmask. As the +result, the respective bits in the USER_CTL register are never modifed +which leads to improper configuration of several PLLs. + +The following table shows the PLL configurations where the 'alpha_en_mask' +member is set and which are passed as a parameter for the +clk_alpha_pll_configure() function. In the table the 'expected rate' column +shows the rate the PLL should run at with the given configuration, and +the 'real rate' column shows the rate the PLL runs at actually. The real +rates has been verified on hardwareOn IPQ* platforms, on other platforms, +those are computed values only. + + file pll expected rate real rate + dispcc-qcm2290.c disp_cc_pll0 768.0 MHz 768.0 MHz + dispcc-sm6115.c disp_cc_pll0 768.0 MHz 768.0 MHz + gcc-ipq5018.c ubi32_pll 1000.0 MHz != 984.0 MHz + gcc-ipq6018.c nss_crypto_pll 1200.0 MHz 1200.0 MHz + gcc-ipq6018.c ubi32_pll 1497.6 MHz != 1488.0 MHz + gcc-ipq8074.c nss_crypto_pll 1200.0 MHz != 1190.4 MHz + gcc-qcm2290.c gpll11 532.0 MHz != 518.4 MHz + gcc-qcm2290.c gpll8 533.2 MHz != 518.4 MHz + gcc-qcs404.c gpll3 921.6 MHz 921.6 MHz + gcc-sm6115.c gpll11 600.0 MHz != 595.2 MHz + gcc-sm6115.c gpll8 800.0 MHz != 787.2 MHz + gpucc-sdm660.c gpu_cc_pll0 800.0 MHz != 787.2 MHz + gpucc-sdm660.c gpu_cc_pll1 740.0 MHz != 729.6 MHz + gpucc-sm6115.c gpu_cc_pll0 1200.0 MHz != 1190.4 MHz + gpucc-sm6115.c gpu_cc_pll1 640.0 MHz != 633.6 MHz + gpucc-sm6125.c gpu_pll0 1020.0 MHz != 1017.6 MHz + gpucc-sm6125.c gpu_pll1 930.0 MHz != 921.6 MHz + mmcc-sdm660.c mmpll8 930.0 MHz != 921.6 MHz + mmcc-sdm660.c mmpll5 825.0 MHz != 806.4 MHz + +As it can be seen from the above, there are several PLLs which are +configured incorrectly. + +Change the code to apply both 'alpha_en_mask' and 'alpha_mode_mask' +values to the bitmask in order to configure the alpha mode correctly. + +Applying the 'alpha_en_mask' fixes the initial rate of the PLLs showed +in the table above. Since the 'alpha_mode_mask' is not used by any driver +currently, that part of the change causes no functional changes. + +Cc: stable@vger.kernel.org +Fixes: c45ae598fc16 ("clk: qcom: support for alpha mode configuration") +Signed-off-by: Gabor Juhos +Reviewed-by: Dmitry Baryshkov +Tested-by: Gabor Juhos +Link: https://lore.kernel.org/r/20241021-fix-alpha-mode-config-v1-1-f32c254e02bc@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/clk-alpha-pll.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/clk/qcom/clk-alpha-pll.c ++++ b/drivers/clk/qcom/clk-alpha-pll.c +@@ -432,6 +432,8 @@ void clk_alpha_pll_configure(struct clk_ + mask |= config->pre_div_mask; + mask |= config->post_div_mask; + mask |= config->vco_mask; ++ mask |= config->alpha_en_mask; ++ mask |= config->alpha_mode_mask; + + regmap_update_bits(regmap, PLL_USER_CTL(pll), mask, val); + diff --git a/queue-6.13/clk-qcom-clk-rpmh-prevent-integer-overflow-in-recalc_rate.patch b/queue-6.13/clk-qcom-clk-rpmh-prevent-integer-overflow-in-recalc_rate.patch new file mode 100644 index 0000000000..7809b7ff60 --- /dev/null +++ b/queue-6.13/clk-qcom-clk-rpmh-prevent-integer-overflow-in-recalc_rate.patch @@ -0,0 +1,37 @@ +From 89aa5925d201b90a48416784831916ca203658f9 Mon Sep 17 00:00:00 2001 +From: Anastasia Belova +Date: Tue, 3 Dec 2024 11:42:31 +0300 +Subject: clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate + +From: Anastasia Belova + +commit 89aa5925d201b90a48416784831916ca203658f9 upstream. + +aggr_state and unit fields are u32. The result of their +multiplication may not fit in this type. + +Add explicit casting to prevent overflow. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support") +Cc: stable@vger.kernel.org # 5.4+ +Signed-off-by: Anastasia Belova +Link: https://lore.kernel.org/r/20241203084231.6001-1-abelova@astralinux.ru +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/clk-rpmh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/qcom/clk-rpmh.c ++++ b/drivers/clk/qcom/clk-rpmh.c +@@ -329,7 +329,7 @@ static unsigned long clk_rpmh_bcm_recalc + { + struct clk_rpmh *c = to_clk_rpmh(hw); + +- return c->aggr_state * c->unit; ++ return (unsigned long)c->aggr_state * c->unit; + } + + static const struct clk_ops clk_rpmh_bcm_ops = { diff --git a/queue-6.13/clk-qcom-dispcc-sm6350-add-missing-parent_map-for-a-clock.patch b/queue-6.13/clk-qcom-dispcc-sm6350-add-missing-parent_map-for-a-clock.patch new file mode 100644 index 0000000000..ec303aa903 --- /dev/null +++ b/queue-6.13/clk-qcom-dispcc-sm6350-add-missing-parent_map-for-a-clock.patch @@ -0,0 +1,58 @@ +From d4cdb196f182d2fbe336c968228be00d8c3fed05 Mon Sep 17 00:00:00 2001 +From: Luca Weiss +Date: Fri, 20 Dec 2024 10:03:31 +0100 +Subject: clk: qcom: dispcc-sm6350: Add missing parent_map for a clock + +From: Luca Weiss + +commit d4cdb196f182d2fbe336c968228be00d8c3fed05 upstream. + +If a clk_rcg2 has a parent, it should also have parent_map defined, +otherwise we'll get a NULL pointer dereference when calling clk_set_rate +like the following: + + [ 3.388105] Call trace: + [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) + [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) + [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 + [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 + [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 + [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc + [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc + [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 + [ 3.455886] clk_set_rate+0x38/0x14c + +Add the parent_map property for the clock where it's missing and also +un-inline the parent_data as well to keep the matching parent_map and +parent_data together. + +Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350") +Cc: stable@vger.kernel.org +Signed-off-by: Luca Weiss +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20241220-sm6350-parent_map-v1-2-64f3d04cb2eb@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/dispcc-sm6350.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/clk/qcom/dispcc-sm6350.c ++++ b/drivers/clk/qcom/dispcc-sm6350.c +@@ -187,13 +187,12 @@ static struct clk_rcg2 disp_cc_mdss_dp_a + .cmd_rcgr = 0x1144, + .mnd_width = 0, + .hid_width = 5, ++ .parent_map = disp_cc_parent_map_6, + .freq_tbl = ftbl_disp_cc_mdss_dp_aux_clk_src, + .clkr.hw.init = &(struct clk_init_data){ + .name = "disp_cc_mdss_dp_aux_clk_src", +- .parent_data = &(const struct clk_parent_data){ +- .fw_name = "bi_tcxo", +- }, +- .num_parents = 1, ++ .parent_data = disp_cc_parent_data_6, ++ .num_parents = ARRAY_SIZE(disp_cc_parent_data_6), + .ops = &clk_rcg2_ops, + }, + }; diff --git a/queue-6.13/clk-qcom-gcc-mdm9607-fix-cmd_rcgr-offset-for-blsp1_uart6-rcg.patch b/queue-6.13/clk-qcom-gcc-mdm9607-fix-cmd_rcgr-offset-for-blsp1_uart6-rcg.patch new file mode 100644 index 0000000000..a0be688d87 --- /dev/null +++ b/queue-6.13/clk-qcom-gcc-mdm9607-fix-cmd_rcgr-offset-for-blsp1_uart6-rcg.patch @@ -0,0 +1,33 @@ +From 88d9dca36aac9659446be1e569d8fbe3462b5741 Mon Sep 17 00:00:00 2001 +From: Satya Priya Kakitapalli +Date: Fri, 20 Dec 2024 15:20:48 +0530 +Subject: clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg + +From: Satya Priya Kakitapalli + +commit 88d9dca36aac9659446be1e569d8fbe3462b5741 upstream. + +Fix cmd_rcgr offset for blsp1_uart6_apps_clk_src on mdm9607 platform. + +Fixes: 48b7253264ea ("clk: qcom: Add MDM9607 GCC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Satya Priya Kakitapalli +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20241220095048.248425-1-quic_skakitap@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-mdm9607.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/qcom/gcc-mdm9607.c ++++ b/drivers/clk/qcom/gcc-mdm9607.c +@@ -535,7 +535,7 @@ static struct clk_rcg2 blsp1_uart5_apps_ + }; + + static struct clk_rcg2 blsp1_uart6_apps_clk_src = { +- .cmd_rcgr = 0x6044, ++ .cmd_rcgr = 0x7044, + .mnd_width = 16, + .hid_width = 5, + .parent_map = gcc_xo_gpll0_map, diff --git a/queue-6.13/clk-qcom-gcc-sm6350-add-missing-parent_map-for-two-clocks.patch b/queue-6.13/clk-qcom-gcc-sm6350-add-missing-parent_map-for-two-clocks.patch new file mode 100644 index 0000000000..5a4209f8b1 --- /dev/null +++ b/queue-6.13/clk-qcom-gcc-sm6350-add-missing-parent_map-for-two-clocks.patch @@ -0,0 +1,90 @@ +From 96fe1a7ee477d701cfc98ab9d3c730c35d966861 Mon Sep 17 00:00:00 2001 +From: Luca Weiss +Date: Fri, 20 Dec 2024 10:03:30 +0100 +Subject: clk: qcom: gcc-sm6350: Add missing parent_map for two clocks + +From: Luca Weiss + +commit 96fe1a7ee477d701cfc98ab9d3c730c35d966861 upstream. + +If a clk_rcg2 has a parent, it should also have parent_map defined, +otherwise we'll get a NULL pointer dereference when calling clk_set_rate +like the following: + + [ 3.388105] Call trace: + [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) + [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) + [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 + [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 + [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 + [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc + [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc + [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 + [ 3.455886] clk_set_rate+0x38/0x14c + +Add the parent_map property for two clocks where it's missing and also +un-inline the parent_data as well to keep the matching parent_map and +parent_data together. + +Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Luca Weiss +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20241220-sm6350-parent_map-v1-1-64f3d04cb2eb@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sm6350.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/clk/qcom/gcc-sm6350.c ++++ b/drivers/clk/qcom/gcc-sm6350.c +@@ -182,6 +182,14 @@ static const struct clk_parent_data gcc_ + { .hw = &gpll0_out_odd.clkr.hw }, + }; + ++static const struct parent_map gcc_parent_map_3[] = { ++ { P_BI_TCXO, 0 }, ++}; ++ ++static const struct clk_parent_data gcc_parent_data_3[] = { ++ { .fw_name = "bi_tcxo" }, ++}; ++ + static const struct parent_map gcc_parent_map_4[] = { + { P_BI_TCXO, 0 }, + { P_GPLL0_OUT_MAIN, 1 }, +@@ -701,13 +709,12 @@ static struct clk_rcg2 gcc_ufs_phy_phy_a + .cmd_rcgr = 0x3a0b0, + .mnd_width = 0, + .hid_width = 5, ++ .parent_map = gcc_parent_map_3, + .freq_tbl = ftbl_gcc_ufs_phy_phy_aux_clk_src, + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_ufs_phy_phy_aux_clk_src", +- .parent_data = &(const struct clk_parent_data){ +- .fw_name = "bi_tcxo", +- }, +- .num_parents = 1, ++ .parent_data = gcc_parent_data_3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_3), + .ops = &clk_rcg2_ops, + }, + }; +@@ -764,13 +771,12 @@ static struct clk_rcg2 gcc_usb30_prim_mo + .cmd_rcgr = 0x1a034, + .mnd_width = 0, + .hid_width = 5, ++ .parent_map = gcc_parent_map_3, + .freq_tbl = ftbl_gcc_usb30_prim_mock_utmi_clk_src, + .clkr.hw.init = &(struct clk_init_data){ + .name = "gcc_usb30_prim_mock_utmi_clk_src", +- .parent_data = &(const struct clk_parent_data){ +- .fw_name = "bi_tcxo", +- }, +- .num_parents = 1, ++ .parent_data = gcc_parent_data_3, ++ .num_parents = ARRAY_SIZE(gcc_parent_data_3), + .ops = &clk_rcg2_ops, + }, + }; diff --git a/queue-6.13/clk-qcom-gcc-sm8550-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch b/queue-6.13/clk-qcom-gcc-sm8550-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch new file mode 100644 index 0000000000..9a20341fc2 --- /dev/null +++ b/queue-6.13/clk-qcom-gcc-sm8550-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch @@ -0,0 +1,69 @@ +From 967e011013eda287dbec9e8bd3a19ebe730b8a08 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 19 Dec 2024 22:30:10 +0530 +Subject: clk: qcom: gcc-sm8550: Do not turn off PCIe GDSCs during gdsc_disable() + +From: Manivannan Sadhasivam + +commit 967e011013eda287dbec9e8bd3a19ebe730b8a08 upstream. + +With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This +can happen during scenarios such as system suspend and breaks the resume +of PCIe controllers from suspend. + +So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs +during gdsc_disable() and allow the hardware to transition the GDSCs to +retention when the parent domain enters low power state during system +suspend. + +Cc: stable@vger.kernel.org # 6.2 +Fixes: 955f2ea3b9e9 ("clk: qcom: Add GCC driver for SM8550") +Reported-by: Neil Armstrong +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Neil Armstrong +Tested-by: Neil Armstrong # on QRD8550 +Link: https://lore.kernel.org/r/20241219170011.70140-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sm8550.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/clk/qcom/gcc-sm8550.c ++++ b/drivers/clk/qcom/gcc-sm8550.c +@@ -3003,7 +3003,7 @@ static struct gdsc pcie_0_gdsc = { + .pd = { + .name = "pcie_0_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, + }; + +@@ -3014,7 +3014,7 @@ static struct gdsc pcie_0_phy_gdsc = { + .pd = { + .name = "pcie_0_phy_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, + }; + +@@ -3025,7 +3025,7 @@ static struct gdsc pcie_1_gdsc = { + .pd = { + .name = "pcie_1_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, + }; + +@@ -3036,7 +3036,7 @@ static struct gdsc pcie_1_phy_gdsc = { + .pd = { + .name = "pcie_1_phy_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = VOTABLE | POLL_CFG_GDSCR | RETAIN_FF_ENABLE, + }; + diff --git a/queue-6.13/clk-qcom-gcc-sm8650-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch b/queue-6.13/clk-qcom-gcc-sm8650-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch new file mode 100644 index 0000000000..2e8495508c --- /dev/null +++ b/queue-6.13/clk-qcom-gcc-sm8650-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch @@ -0,0 +1,69 @@ +From a57465766a91c6e173876f9cbb424340e214313f Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 19 Dec 2024 22:30:11 +0530 +Subject: clk: qcom: gcc-sm8650: Do not turn off PCIe GDSCs during gdsc_disable() + +From: Manivannan Sadhasivam + +commit a57465766a91c6e173876f9cbb424340e214313f upstream. + +With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This +can happen during scenarios such as system suspend and breaks the resume +of PCIe controllers from suspend. + +So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs +during gdsc_disable() and allow the hardware to transition the GDSCs to +retention when the parent domain enters low power state during system +suspend. + +Cc: stable@vger.kernel.org # 6.8 +Fixes: c58225b7e3d7 ("clk: qcom: add the SM8650 Global Clock Controller driver, part 1") +Reported-by: Neil Armstrong +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Neil Armstrong +Tested-by: Neil Armstrong # on QRD8650 +Link: https://lore.kernel.org/r/20241219170011.70140-2-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-sm8650.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/clk/qcom/gcc-sm8650.c ++++ b/drivers/clk/qcom/gcc-sm8650.c +@@ -3437,7 +3437,7 @@ static struct gdsc pcie_0_gdsc = { + .pd = { + .name = "pcie_0_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE | VOTABLE, + }; + +@@ -3448,7 +3448,7 @@ static struct gdsc pcie_0_phy_gdsc = { + .pd = { + .name = "pcie_0_phy_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE | VOTABLE, + }; + +@@ -3459,7 +3459,7 @@ static struct gdsc pcie_1_gdsc = { + .pd = { + .name = "pcie_1_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE | VOTABLE, + }; + +@@ -3470,7 +3470,7 @@ static struct gdsc pcie_1_phy_gdsc = { + .pd = { + .name = "pcie_1_phy_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE | VOTABLE, + }; + diff --git a/queue-6.13/clk-sunxi-ng-a100-enable-mmc-clock-reparenting.patch b/queue-6.13/clk-sunxi-ng-a100-enable-mmc-clock-reparenting.patch new file mode 100644 index 0000000000..cad89b820c --- /dev/null +++ b/queue-6.13/clk-sunxi-ng-a100-enable-mmc-clock-reparenting.patch @@ -0,0 +1,59 @@ +From 16414720045de30945b8d14b7907e0cbf81a4b49 Mon Sep 17 00:00:00 2001 +From: Cody Eksal +Date: Fri, 8 Nov 2024 20:37:37 -0400 +Subject: clk: sunxi-ng: a100: enable MMC clock reparenting + +From: Cody Eksal + +commit 16414720045de30945b8d14b7907e0cbf81a4b49 upstream. + +While testing the MMC nodes proposed in [1], it was noted that mmc0/1 +would fail to initialize, with "mmc: fatal err update clk timeout" in +the kernel logs. A closer look at the clock definitions showed that the MMC +MPs had the "CLK_SET_RATE_NO_REPARENT" flag set. No reason was given for +adding this flag in the first place, and its original purpose is unknown, +but it doesn't seem to make sense and results in severe limitations to MMC +speeds. Thus, remove this flag from the 3 MMC MPs. + +[1] https://msgid.link/20241024170540.2721307-10-masterr3c0rd@epochal.quest + +Fixes: fb038ce4db55 ("clk: sunxi-ng: add support for the Allwinner A100 CCU") +Cc: stable@vger.kernel.org +Signed-off-by: Cody Eksal +Reviewed-by: Andre Przywara +Link: https://patch.msgid.link/20241109003739.3440904-1-masterr3c0rd@epochal.quest +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/sunxi-ng/ccu-sun50i-a100.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/clk/sunxi-ng/ccu-sun50i-a100.c ++++ b/drivers/clk/sunxi-ng/ccu-sun50i-a100.c +@@ -436,7 +436,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDI + 24, 2, /* mux */ + BIT(31), /* gate */ + 2, /* post-div */ +- CLK_SET_RATE_NO_REPARENT); ++ 0); + + static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc1_clk, "mmc1", mmc_parents, 0x834, + 0, 4, /* M */ +@@ -444,7 +444,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDI + 24, 2, /* mux */ + BIT(31), /* gate */ + 2, /* post-div */ +- CLK_SET_RATE_NO_REPARENT); ++ 0); + + static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDIV(mmc2_clk, "mmc2", mmc_parents, 0x838, + 0, 4, /* M */ +@@ -452,7 +452,7 @@ static SUNXI_CCU_MP_WITH_MUX_GATE_POSTDI + 24, 2, /* mux */ + BIT(31), /* gate */ + 2, /* post-div */ +- CLK_SET_RATE_NO_REPARENT); ++ 0); + + static SUNXI_CCU_GATE(bus_mmc0_clk, "bus-mmc0", "ahb3", 0x84c, BIT(0), 0); + static SUNXI_CCU_GATE(bus_mmc1_clk, "bus-mmc1", "ahb3", 0x84c, BIT(1), 0); diff --git a/queue-6.13/cpufreq-fix-using-cpufreq-dt-as-module.patch b/queue-6.13/cpufreq-fix-using-cpufreq-dt-as-module.patch new file mode 100644 index 0000000000..fb1fd69e0f --- /dev/null +++ b/queue-6.13/cpufreq-fix-using-cpufreq-dt-as-module.patch @@ -0,0 +1,60 @@ +From f1f010c9d9c62c865d9f54e94075800ba764b4d9 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Sun, 3 Nov 2024 22:02:51 +0100 +Subject: cpufreq: fix using cpufreq-dt as module + +From: Andreas Kemnade + +commit f1f010c9d9c62c865d9f54e94075800ba764b4d9 upstream. + +This driver can be built as a module since commit 3b062a086984 ("cpufreq: +dt-platdev: Support building as module"), but unfortunately this caused +a regression because the cputfreq-dt-platdev.ko module does not autoload. + +Usually, this is solved by just using the MODULE_DEVICE_TABLE() macro to +export all the device IDs as module aliases. But this driver is special +due how matches with devices and decides what platform supports. + +There are two of_device_id lists, an allow list that are for CPU devices +that always match and a deny list that's for devices that must not match. + +The driver registers a cpufreq-dt platform device for all the CPU device +nodes that either are in the allow list or contain an operating-points-v2 +property and are not in the deny list. + +Enforce builtin compile of cpufreq-dt-platdev to make autoload work. + +Fixes: 3b062a086984 ("cpufreq: dt-platdev: Support building as module") +Link: https://lore.kernel.org/all/20241104201424.2a42efdd@akair/ +Link: https://lore.kernel.org/all/20241119111918.1732531-1-javierm@redhat.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Andreas Kemnade +Reported-by: Radu Rendec +Reported-by: Javier Martinez Canillas +[ Viresh: Picked commit log from Javier, updated tags ] +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/Kconfig | 2 +- + drivers/cpufreq/cpufreq-dt-platdev.c | 2 -- + 2 files changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/cpufreq/Kconfig ++++ b/drivers/cpufreq/Kconfig +@@ -232,7 +232,7 @@ config CPUFREQ_VIRT + If in doubt, say N. + + config CPUFREQ_DT_PLATDEV +- tristate "Generic DT based cpufreq platdev driver" ++ bool "Generic DT based cpufreq platdev driver" + depends on OF + help + This adds a generic DT based cpufreq platdev driver for frequency +--- a/drivers/cpufreq/cpufreq-dt-platdev.c ++++ b/drivers/cpufreq/cpufreq-dt-platdev.c +@@ -235,5 +235,3 @@ create_pdev: + sizeof(struct cpufreq_dt_platform_data))); + } + core_initcall(cpufreq_dt_platdev_init); +-MODULE_DESCRIPTION("Generic DT based cpufreq platdev driver"); +-MODULE_LICENSE("GPL"); diff --git a/queue-6.13/cpufreq-s3c64xx-fix-compilation-warning.patch b/queue-6.13/cpufreq-s3c64xx-fix-compilation-warning.patch new file mode 100644 index 0000000000..08f8b3f8ec --- /dev/null +++ b/queue-6.13/cpufreq-s3c64xx-fix-compilation-warning.patch @@ -0,0 +1,70 @@ +From 43855ac61483cb914f060851535ea753c094b3e0 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Wed, 22 Jan 2025 11:36:16 +0530 +Subject: cpufreq: s3c64xx: Fix compilation warning + +From: Viresh Kumar + +commit 43855ac61483cb914f060851535ea753c094b3e0 upstream. + +The driver generates following warning when regulator support isn't +enabled in the kernel. Fix it. + + drivers/cpufreq/s3c64xx-cpufreq.c: In function 's3c64xx_cpufreq_set_target': +>> drivers/cpufreq/s3c64xx-cpufreq.c:55:22: warning: variable 'old_freq' set but not used [-Wunused-but-set-variable] + 55 | unsigned int old_freq, new_freq; + | ^~~~~~~~ +>> drivers/cpufreq/s3c64xx-cpufreq.c:54:30: warning: variable 'dvfs' set but not used [-Wunused-but-set-variable] + 54 | struct s3c64xx_dvfs *dvfs; + | ^~~~ + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501191803.CtfT7b2o-lkp@intel.com/ +Cc: 5.4+ # v5.4+ +Signed-off-by: Viresh Kumar +Link: https://patch.msgid.link/236b227e929e5adc04d1e9e7af6845a46c8e9432.1737525916.git.viresh.kumar@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/s3c64xx-cpufreq.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/cpufreq/s3c64xx-cpufreq.c ++++ b/drivers/cpufreq/s3c64xx-cpufreq.c +@@ -24,6 +24,7 @@ struct s3c64xx_dvfs { + unsigned int vddarm_max; + }; + ++#ifdef CONFIG_REGULATOR + static struct s3c64xx_dvfs s3c64xx_dvfs_table[] = { + [0] = { 1000000, 1150000 }, + [1] = { 1050000, 1150000 }, +@@ -31,6 +32,7 @@ static struct s3c64xx_dvfs s3c64xx_dvfs_ + [3] = { 1200000, 1350000 }, + [4] = { 1300000, 1350000 }, + }; ++#endif + + static struct cpufreq_frequency_table s3c64xx_freq_table[] = { + { 0, 0, 66000 }, +@@ -51,15 +53,16 @@ static struct cpufreq_frequency_table s3 + static int s3c64xx_cpufreq_set_target(struct cpufreq_policy *policy, + unsigned int index) + { +- struct s3c64xx_dvfs *dvfs; +- unsigned int old_freq, new_freq; ++ unsigned int new_freq = s3c64xx_freq_table[index].frequency; + int ret; + ++#ifdef CONFIG_REGULATOR ++ struct s3c64xx_dvfs *dvfs; ++ unsigned int old_freq; ++ + old_freq = clk_get_rate(policy->clk) / 1000; +- new_freq = s3c64xx_freq_table[index].frequency; + dvfs = &s3c64xx_dvfs_table[s3c64xx_freq_table[index].driver_data]; + +-#ifdef CONFIG_REGULATOR + if (vddarm && new_freq > old_freq) { + ret = regulator_set_voltage(vddarm, + dvfs->vddarm_min, diff --git a/queue-6.13/drm-amd-amdgpu-change-the-config-of-cgcg-on-gfx12.patch b/queue-6.13/drm-amd-amdgpu-change-the-config-of-cgcg-on-gfx12.patch new file mode 100644 index 0000000000..8266ae2f82 --- /dev/null +++ b/queue-6.13/drm-amd-amdgpu-change-the-config-of-cgcg-on-gfx12.patch @@ -0,0 +1,40 @@ +From 5cda56bd86c455341087dca29c65dc7c87f84340 Mon Sep 17 00:00:00 2001 +From: Kenneth Feng +Date: Mon, 20 Jan 2025 15:33:03 +0800 +Subject: drm/amd/amdgpu: change the config of cgcg on gfx12 + +From: Kenneth Feng + +commit 5cda56bd86c455341087dca29c65dc7c87f84340 upstream. + +change the config of cgcg on gfx12 + +Signed-off-by: Kenneth Feng +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.12.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 11 ----------- + 1 file changed, 11 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c +@@ -3999,17 +3999,6 @@ static void gfx_v12_0_update_coarse_grai + + if (def != data) + WREG32_SOC15(GC, 0, regRLC_CGCG_CGLS_CTRL_3D, data); +- +- data = RREG32_SOC15(GC, 0, regSDMA0_RLC_CGCG_CTRL); +- data &= ~SDMA0_RLC_CGCG_CTRL__CGCG_INT_ENABLE_MASK; +- WREG32_SOC15(GC, 0, regSDMA0_RLC_CGCG_CTRL, data); +- +- /* Some ASICs only have one SDMA instance, not need to configure SDMA1 */ +- if (adev->sdma.num_instances > 1) { +- data = RREG32_SOC15(GC, 0, regSDMA1_RLC_CGCG_CTRL); +- data &= ~SDMA1_RLC_CGCG_CTRL__CGCG_INT_ENABLE_MASK; +- WREG32_SOC15(GC, 0, regSDMA1_RLC_CGCG_CTRL, data); +- } + } + } + diff --git a/queue-6.13/drm-amd-display-fix-seamless-boot-sequence.patch b/queue-6.13/drm-amd-display-fix-seamless-boot-sequence.patch new file mode 100644 index 0000000000..368a702afc --- /dev/null +++ b/queue-6.13/drm-amd-display-fix-seamless-boot-sequence.patch @@ -0,0 +1,133 @@ +From e01f07cb92513ca4b9b219ab9caa34d607bc1e2d Mon Sep 17 00:00:00 2001 +From: Lo-an Chen +Date: Fri, 17 Jan 2025 17:56:25 +0800 +Subject: drm/amd/display: Fix seamless boot sequence + +From: Lo-an Chen + +commit e01f07cb92513ca4b9b219ab9caa34d607bc1e2d upstream. + +[WHY] +When the system powers up eDP with external monitors in seamless boot +sequence, stutter get enabled before TTU and HUBP registers being +programmed, which resulting in underflow. + +[HOW] +Enable TTU in hubp_init. +Change the sequence that do not perpare_bandwidth and optimize_bandwidth +while having seamless boot streams. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Lo-an Chen +Signed-off-by: Paul Hsieh +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- + drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c | 3 ++- + drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c | 3 ++- + drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c | 3 ++- + drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c | 3 ++- + drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c | 2 ++ + drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c | 2 ++ + drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 3 ++- + 8 files changed, 15 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -2063,7 +2063,7 @@ static enum dc_status dc_commit_state_no + + dc_enable_stereo(dc, context, dc_streams, context->stream_count); + +- if (context->stream_count > get_seamless_boot_stream_count(context) || ++ if (get_seamless_boot_stream_count(context) == 0 || + context->stream_count == 0) { + /* Must wait for no flips to be pending before doing optimize bw */ + hwss_wait_for_no_pipes_pending(dc, context); +--- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c ++++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c +@@ -129,7 +129,8 @@ bool hubbub3_program_watermarks( + REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, + DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF); + +- hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); ++ if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) ++ hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + + return wm_pending; + } +--- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c ++++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c +@@ -750,7 +750,8 @@ static bool hubbub31_program_watermarks( + REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, + DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF);*/ + +- hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); ++ if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) ++ hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + return wm_pending; + } + +--- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c ++++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c +@@ -786,7 +786,8 @@ static bool hubbub32_program_watermarks( + REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, + DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF);*/ + +- hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); ++ if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) ++ hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + + hubbub32_force_usr_retraining_allow(hubbub, hubbub->ctx->dc->debug.force_usr_allow); + +--- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c ++++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c +@@ -326,7 +326,8 @@ static bool hubbub35_program_watermarks( + DCHUBBUB_ARB_MIN_REQ_OUTSTAND_COMMIT_THRESHOLD, 0xA);/*hw delta*/ + REG_UPDATE(DCHUBBUB_ARB_HOSTVM_CNTL, DCHUBBUB_ARB_MAX_QOS_COMMIT_THRESHOLD, 0xF); + +- hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); ++ if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) ++ hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + + hubbub32_force_usr_retraining_allow(hubbub, hubbub->ctx->dc->debug.force_usr_allow); + +--- a/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c +@@ -484,6 +484,8 @@ void hubp3_init(struct hubp *hubp) + //hubp[i].HUBPREQ_DEBUG.HUBPREQ_DEBUG[26] = 1; + REG_WRITE(HUBPREQ_DEBUG, 1 << 26); + ++ REG_UPDATE(DCHUBP_CNTL, HUBP_TTU_DISABLE, 0); ++ + hubp_reset(hubp); + } + +--- a/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c +@@ -168,6 +168,8 @@ void hubp32_init(struct hubp *hubp) + { + struct dcn20_hubp *hubp2 = TO_DCN20_HUBP(hubp); + REG_WRITE(HUBPREQ_DEBUG_DB, 1 << 8); ++ ++ REG_UPDATE(DCHUBP_CNTL, HUBP_TTU_DISABLE, 0); + } + static struct hubp_funcs dcn32_hubp_funcs = { + .hubp_enable_tripleBuffer = hubp2_enable_triplebuffer, +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +@@ -236,7 +236,8 @@ void dcn35_init_hw(struct dc *dc) + } + + hws->funcs.init_pipes(dc, dc->current_state); +- if (dc->res_pool->hubbub->funcs->allow_self_refresh_control) ++ if (dc->res_pool->hubbub->funcs->allow_self_refresh_control && ++ !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter) + dc->res_pool->hubbub->funcs->allow_self_refresh_control(dc->res_pool->hubbub, + !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter); + } diff --git a/queue-6.13/drm-amd-display-optimize-cursor-position-updates.patch b/queue-6.13/drm-amd-display-optimize-cursor-position-updates.patch new file mode 100644 index 0000000000..e610c7dc39 --- /dev/null +++ b/queue-6.13/drm-amd-display-optimize-cursor-position-updates.patch @@ -0,0 +1,108 @@ +From 024771f3fb75dc817e9429d5763f1a6eb84b6f21 Mon Sep 17 00:00:00 2001 +From: Aric Cyr +Date: Tue, 10 Dec 2024 18:38:15 -0500 +Subject: drm/amd/display: Optimize cursor position updates + +From: Aric Cyr + +commit 024771f3fb75dc817e9429d5763f1a6eb84b6f21 upstream. + +[why] +Updating the cursor enablement register can be a slow operation and accumulates +when high polling rate cursors cause frequent updates asynchronously to the +cursor position. + +[how] +Since the cursor enable bit is cached there is no need to update the +enablement register if there is no change to it. This removes the +read-modify-write from the cursor position programming path in HUBP and +DPP, leaving only the register writes. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Sung Lee +Signed-off-by: Aric Cyr +Signed-off-by: Wayne Lin +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 7 ++++--- + drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c | 6 ++++-- + drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c | 8 +++++--- + drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c | 10 ++++++---- + 4 files changed, 19 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c ++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c +@@ -483,10 +483,11 @@ void dpp1_set_cursor_position( + if (src_y_offset + cursor_height <= 0) + cur_en = 0; /* not visible beyond top edge*/ + +- REG_UPDATE(CURSOR0_CONTROL, +- CUR0_ENABLE, cur_en); ++ if (dpp_base->pos.cur0_ctl.bits.cur0_enable != cur_en) { ++ REG_UPDATE(CURSOR0_CONTROL, CUR0_ENABLE, cur_en); + +- dpp_base->pos.cur0_ctl.bits.cur0_enable = cur_en; ++ dpp_base->pos.cur0_ctl.bits.cur0_enable = cur_en; ++ } + } + + void dpp1_cnv_set_optional_cursor_attributes( +--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c ++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c +@@ -154,9 +154,11 @@ void dpp401_set_cursor_position( + struct dcn401_dpp *dpp = TO_DCN401_DPP(dpp_base); + uint32_t cur_en = pos->enable ? 1 : 0; + +- REG_UPDATE(CURSOR0_CONTROL, CUR0_ENABLE, cur_en); ++ if (dpp_base->pos.cur0_ctl.bits.cur0_enable != cur_en) { ++ REG_UPDATE(CURSOR0_CONTROL, CUR0_ENABLE, cur_en); + +- dpp_base->pos.cur0_ctl.bits.cur0_enable = cur_en; ++ dpp_base->pos.cur0_ctl.bits.cur0_enable = cur_en; ++ } + } + + void dpp401_set_optional_cursor_attributes( +--- a/drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c +@@ -1044,11 +1044,13 @@ void hubp2_cursor_set_position( + if (src_y_offset + cursor_height <= 0) + cur_en = 0; /* not visible beyond top edge*/ + +- if (cur_en && REG_READ(CURSOR_SURFACE_ADDRESS) == 0) +- hubp->funcs->set_cursor_attributes(hubp, &hubp->curs_attr); ++ if (hubp->pos.cur_ctl.bits.cur_enable != cur_en) { ++ if (cur_en && REG_READ(CURSOR_SURFACE_ADDRESS) == 0) ++ hubp->funcs->set_cursor_attributes(hubp, &hubp->curs_attr); + +- REG_UPDATE(CURSOR_CONTROL, ++ REG_UPDATE(CURSOR_CONTROL, + CURSOR_ENABLE, cur_en); ++ } + + REG_SET_2(CURSOR_POSITION, 0, + CURSOR_X_POSITION, pos->x, +--- a/drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c +@@ -718,11 +718,13 @@ void hubp401_cursor_set_position( + dc_fixpt_from_int(dst_x_offset), + param->h_scale_ratio)); + +- if (cur_en && REG_READ(CURSOR_SURFACE_ADDRESS) == 0) +- hubp->funcs->set_cursor_attributes(hubp, &hubp->curs_attr); ++ if (hubp->pos.cur_ctl.bits.cur_enable != cur_en) { ++ if (cur_en && REG_READ(CURSOR_SURFACE_ADDRESS) == 0) ++ hubp->funcs->set_cursor_attributes(hubp, &hubp->curs_attr); + +- REG_UPDATE(CURSOR_CONTROL, +- CURSOR_ENABLE, cur_en); ++ REG_UPDATE(CURSOR_CONTROL, ++ CURSOR_ENABLE, cur_en); ++ } + + REG_SET_2(CURSOR_POSITION, 0, + CURSOR_X_POSITION, x_pos, diff --git a/queue-6.13/drm-amd-pm-mark-mm-activity-as-unsupported.patch b/queue-6.13/drm-amd-pm-mark-mm-activity-as-unsupported.patch new file mode 100644 index 0000000000..b703f8e9e1 --- /dev/null +++ b/queue-6.13/drm-amd-pm-mark-mm-activity-as-unsupported.patch @@ -0,0 +1,31 @@ +From 819bf6662b93a5a8b0c396d2c7e7fab6264c9808 Mon Sep 17 00:00:00 2001 +From: Lijo Lazar +Date: Wed, 22 Jan 2025 09:12:41 +0530 +Subject: drm/amd/pm: Mark MM activity as unsupported + +From: Lijo Lazar + +commit 819bf6662b93a5a8b0c396d2c7e7fab6264c9808 upstream. + +Aldebaran doesn't support querying MM activity percentage. Keep the +field as 0xFFs to mark it as unsupported. + +Signed-off-by: Lijo Lazar +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c +@@ -1732,7 +1732,6 @@ static ssize_t aldebaran_get_gpu_metrics + + gpu_metrics->average_gfx_activity = metrics.AverageGfxActivity; + gpu_metrics->average_umc_activity = metrics.AverageUclkActivity; +- gpu_metrics->average_mm_activity = 0; + + /* Valid power data is available only from primary die */ + if (aldebaran_is_primary(smu)) { diff --git a/queue-6.13/drm-amdgpu-add-a-bo-metadata-flag-to-disable-write-compression-for-vulkan.patch b/queue-6.13/drm-amdgpu-add-a-bo-metadata-flag-to-disable-write-compression-for-vulkan.patch new file mode 100644 index 0000000000..5a63defdd5 --- /dev/null +++ b/queue-6.13/drm-amdgpu-add-a-bo-metadata-flag-to-disable-write-compression-for-vulkan.patch @@ -0,0 +1,131 @@ +From 2255b40cacc2e5ef1b127770fc1808c60de4a2fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= +Date: Fri, 24 Jan 2025 09:43:45 -0500 +Subject: drm/amdgpu: add a BO metadata flag to disable write compression for Vulkan +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Olšák + +commit 2255b40cacc2e5ef1b127770fc1808c60de4a2fc upstream. + +Vulkan can't support DCC and Z/S compression on GFX12 without +WRITE_COMPRESS_DISABLE in this commit or a completely different DCC +interface. + +AMDGPU_TILING_GFX12_SCANOUT is added because it's already used by userspace. + +Cc: stable@vger.kernel.org # 6.12.x +Signed-off-by: Marek Olšák +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 ++- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 8 ++++++-- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 2 ++ + drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c | 5 +++-- + include/uapi/drm/amdgpu_drm.h | 9 ++++++++- + 5 files changed, 21 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -119,9 +119,10 @@ + * - 3.57.0 - Compute tunneling on GFX10+ + * - 3.58.0 - Add GFX12 DCC support + * - 3.59.0 - Cleared VRAM ++ * - 3.60.0 - Add AMDGPU_TILING_GFX12_DCC_WRITE_COMPRESS_DISABLE (Vulkan requirement) + */ + #define KMS_DRIVER_MAJOR 3 +-#define KMS_DRIVER_MINOR 59 ++#define KMS_DRIVER_MINOR 60 + #define KMS_DRIVER_PATCHLEVEL 0 + + /* +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -309,7 +309,7 @@ int amdgpu_ttm_copy_mem_to_mem(struct am + mutex_lock(&adev->mman.gtt_window_lock); + while (src_mm.remaining) { + uint64_t from, to, cur_size, tiling_flags; +- uint32_t num_type, data_format, max_com; ++ uint32_t num_type, data_format, max_com, write_compress_disable; + struct dma_fence *next; + + /* Never copy more than 256MiB at once to avoid a timeout */ +@@ -340,9 +340,13 @@ int amdgpu_ttm_copy_mem_to_mem(struct am + max_com = AMDGPU_TILING_GET(tiling_flags, GFX12_DCC_MAX_COMPRESSED_BLOCK); + num_type = AMDGPU_TILING_GET(tiling_flags, GFX12_DCC_NUMBER_TYPE); + data_format = AMDGPU_TILING_GET(tiling_flags, GFX12_DCC_DATA_FORMAT); ++ write_compress_disable = ++ AMDGPU_TILING_GET(tiling_flags, GFX12_DCC_WRITE_COMPRESS_DISABLE); + copy_flags |= (AMDGPU_COPY_FLAGS_SET(MAX_COMPRESSED, max_com) | + AMDGPU_COPY_FLAGS_SET(NUMBER_TYPE, num_type) | +- AMDGPU_COPY_FLAGS_SET(DATA_FORMAT, data_format)); ++ AMDGPU_COPY_FLAGS_SET(DATA_FORMAT, data_format) | ++ AMDGPU_COPY_FLAGS_SET(WRITE_COMPRESS_DISABLE, ++ write_compress_disable)); + } + + r = amdgpu_copy_buffer(ring, from, to, cur_size, resv, +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h +@@ -119,6 +119,8 @@ struct amdgpu_copy_mem { + #define AMDGPU_COPY_FLAGS_NUMBER_TYPE_MASK 0x07 + #define AMDGPU_COPY_FLAGS_DATA_FORMAT_SHIFT 8 + #define AMDGPU_COPY_FLAGS_DATA_FORMAT_MASK 0x3f ++#define AMDGPU_COPY_FLAGS_WRITE_COMPRESS_DISABLE_SHIFT 14 ++#define AMDGPU_COPY_FLAGS_WRITE_COMPRESS_DISABLE_MASK 0x1 + + #define AMDGPU_COPY_FLAGS_SET(field, value) \ + (((__u32)(value) & AMDGPU_COPY_FLAGS_##field##_MASK) << AMDGPU_COPY_FLAGS_##field##_SHIFT) +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c +@@ -1684,11 +1684,12 @@ static void sdma_v7_0_emit_copy_buffer(s + uint32_t byte_count, + uint32_t copy_flags) + { +- uint32_t num_type, data_format, max_com; ++ uint32_t num_type, data_format, max_com, write_cm; + + max_com = AMDGPU_COPY_FLAGS_GET(copy_flags, MAX_COMPRESSED); + data_format = AMDGPU_COPY_FLAGS_GET(copy_flags, DATA_FORMAT); + num_type = AMDGPU_COPY_FLAGS_GET(copy_flags, NUMBER_TYPE); ++ write_cm = AMDGPU_COPY_FLAGS_GET(copy_flags, WRITE_COMPRESS_DISABLE) ? 2 : 1; + + ib->ptr[ib->length_dw++] = SDMA_PKT_COPY_LINEAR_HEADER_OP(SDMA_OP_COPY) | + SDMA_PKT_COPY_LINEAR_HEADER_SUB_OP(SDMA_SUBOP_COPY_LINEAR) | +@@ -1705,7 +1706,7 @@ static void sdma_v7_0_emit_copy_buffer(s + if ((copy_flags & (AMDGPU_COPY_FLAGS_READ_DECOMPRESSED | AMDGPU_COPY_FLAGS_WRITE_COMPRESSED))) + ib->ptr[ib->length_dw++] = SDMA_DCC_DATA_FORMAT(data_format) | SDMA_DCC_NUM_TYPE(num_type) | + ((copy_flags & AMDGPU_COPY_FLAGS_READ_DECOMPRESSED) ? SDMA_DCC_READ_CM(2) : 0) | +- ((copy_flags & AMDGPU_COPY_FLAGS_WRITE_COMPRESSED) ? SDMA_DCC_WRITE_CM(1) : 0) | ++ ((copy_flags & AMDGPU_COPY_FLAGS_WRITE_COMPRESSED) ? SDMA_DCC_WRITE_CM(write_cm) : 0) | + SDMA_DCC_MAX_COM(max_com) | SDMA_DCC_MAX_UCOM(1); + else + ib->ptr[ib->length_dw++] = 0; +--- a/include/uapi/drm/amdgpu_drm.h ++++ b/include/uapi/drm/amdgpu_drm.h +@@ -411,13 +411,20 @@ struct drm_amdgpu_gem_userptr { + /* GFX12 and later: */ + #define AMDGPU_TILING_GFX12_SWIZZLE_MODE_SHIFT 0 + #define AMDGPU_TILING_GFX12_SWIZZLE_MODE_MASK 0x7 +-/* These are DCC recompression setting for memory management: */ ++/* These are DCC recompression settings for memory management: */ + #define AMDGPU_TILING_GFX12_DCC_MAX_COMPRESSED_BLOCK_SHIFT 3 + #define AMDGPU_TILING_GFX12_DCC_MAX_COMPRESSED_BLOCK_MASK 0x3 /* 0:64B, 1:128B, 2:256B */ + #define AMDGPU_TILING_GFX12_DCC_NUMBER_TYPE_SHIFT 5 + #define AMDGPU_TILING_GFX12_DCC_NUMBER_TYPE_MASK 0x7 /* CB_COLOR0_INFO.NUMBER_TYPE */ + #define AMDGPU_TILING_GFX12_DCC_DATA_FORMAT_SHIFT 8 + #define AMDGPU_TILING_GFX12_DCC_DATA_FORMAT_MASK 0x3f /* [0:4]:CB_COLOR0_INFO.FORMAT, [5]:MM */ ++/* When clearing the buffer or moving it from VRAM to GTT, don't compress and set DCC metadata ++ * to uncompressed. Set when parts of an allocation bypass DCC and read raw data. */ ++#define AMDGPU_TILING_GFX12_DCC_WRITE_COMPRESS_DISABLE_SHIFT 14 ++#define AMDGPU_TILING_GFX12_DCC_WRITE_COMPRESS_DISABLE_MASK 0x1 ++/* bit gap */ ++#define AMDGPU_TILING_GFX12_SCANOUT_SHIFT 63 ++#define AMDGPU_TILING_GFX12_SCANOUT_MASK 0x1 + + /* Set/Get helpers for tiling flags. */ + #define AMDGPU_TILING_SET(field, value) \ diff --git a/queue-6.13/drm-amdkfd-block-per-queue-reset-when-halt_if_hws_hang-1.patch b/queue-6.13/drm-amdkfd-block-per-queue-reset-when-halt_if_hws_hang-1.patch new file mode 100644 index 0000000000..b4e6ae254b --- /dev/null +++ b/queue-6.13/drm-amdkfd-block-per-queue-reset-when-halt_if_hws_hang-1.patch @@ -0,0 +1,36 @@ +From f214b7beb00621b983e67ce97477afc3ab4b38f4 Mon Sep 17 00:00:00 2001 +From: Jay Cornwall +Date: Thu, 16 Jan 2025 14:36:39 -0600 +Subject: drm/amdkfd: Block per-queue reset when halt_if_hws_hang=1 + +From: Jay Cornwall + +commit f214b7beb00621b983e67ce97477afc3ab4b38f4 upstream. + +The purpose of halt_if_hws_hang is to preserve GPU state for driver +debugging when queue preemption fails. Issuing per-queue reset may +kill wavefronts which caused the preemption failure. + +Signed-off-by: Jay Cornwall +Reviewed-by: Jonathan Kim +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.12.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -2325,9 +2325,9 @@ static int unmap_queues_cpsch(struct dev + */ + mqd_mgr = dqm->mqd_mgrs[KFD_MQD_TYPE_HIQ]; + if (mqd_mgr->check_preemption_failed(mqd_mgr, dqm->packet_mgr.priv_queue->queue->mqd)) { ++ while (halt_if_hws_hang) ++ schedule(); + if (reset_queues_on_hws_hang(dqm)) { +- while (halt_if_hws_hang) +- schedule(); + dqm->is_hws_hang = true; + kfd_hws_hang(dqm); + retval = -ETIME; diff --git a/queue-6.13/drm-amdkfd-only-flush-the-validate-mes-contex.patch b/queue-6.13/drm-amdkfd-only-flush-the-validate-mes-contex.patch new file mode 100644 index 0000000000..c4d2e74b76 --- /dev/null +++ b/queue-6.13/drm-amdkfd-only-flush-the-validate-mes-contex.patch @@ -0,0 +1,53 @@ +From 9078a5bfa21e78ae68b6d7c365d1b92f26720c55 Mon Sep 17 00:00:00 2001 +From: Prike Liang +Date: Tue, 14 Jan 2025 11:20:17 +0800 +Subject: drm/amdkfd: only flush the validate MES contex + +From: Prike Liang + +commit 9078a5bfa21e78ae68b6d7c365d1b92f26720c55 upstream. + +The following page fault was observed duringthe KFD process release. +In this particular error case, the HIP test (./MemcpyPerformance -h) +does not require the queue. As a result, the process_context_addr was +not assigned when the KFD process was released, ultimately leading to +this page fault during the execution of the function +kfd_process_dequeue_from_all_devices(). + +[345962.294891] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:153 vmid:0 pasid:0) +[345962.295333] amdgpu 0000:03:00.0: amdgpu: in page starting at address 0x0000000000000000 from client 10 +[345962.295775] amdgpu 0000:03:00.0: amdgpu: GCVM_L2_PROTECTION_FAULT_STATUS:0x00000B33 +[345962.296097] amdgpu 0000:03:00.0: amdgpu: Faulty UTCL2 client ID: CPC (0x5) +[345962.296394] amdgpu 0000:03:00.0: amdgpu: MORE_FAULTS: 0x1 +[345962.296633] amdgpu 0000:03:00.0: amdgpu: WALKER_ERROR: 0x1 +[345962.296876] amdgpu 0000:03:00.0: amdgpu: PERMISSION_FAULTS: 0x3 +[345962.297135] amdgpu 0000:03:00.0: amdgpu: MAPPING_ERROR: 0x1 +[345962.297377] amdgpu 0000:03:00.0: amdgpu: RW: 0x0 +[345962.297682] amdgpu 0000:03:00.0: amdgpu: [gfxhub] page fault (src_id:0 ring:169 vmid:0 pasid:0) + +Signed-off-by: Prike Liang +Reviewed-by: Jonathan Kim +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -86,9 +86,12 @@ void kfd_process_dequeue_from_device(str + + if (pdd->already_dequeued) + return; +- ++ /* The MES context flush needs to filter out the case which the ++ * KFD process is created without setting up the MES context and ++ * queue for creating a compute queue. ++ */ + dev->dqm->ops.process_termination(dev->dqm, &pdd->qpd); +- if (dev->kfd->shared_resources.enable_mes && ++ if (dev->kfd->shared_resources.enable_mes && !!pdd->proc_ctx_gpu_addr && + down_read_trylock(&dev->adev->reset_domain->sem)) { + amdgpu_mes_flush_shader_debugger(dev->adev, + pdd->proc_ctx_gpu_addr); diff --git a/queue-6.13/drm-ast-astdp-fix-timeout-for-enabling-video-signal.patch b/queue-6.13/drm-ast-astdp-fix-timeout-for-enabling-video-signal.patch new file mode 100644 index 0000000000..32458e20b2 --- /dev/null +++ b/queue-6.13/drm-ast-astdp-fix-timeout-for-enabling-video-signal.patch @@ -0,0 +1,70 @@ +From fd39c41bcd82d5ebaaebadb944eab5598c668a90 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 27 Jan 2025 14:44:14 +0100 +Subject: drm/ast: astdp: Fix timeout for enabling video signal + +From: Thomas Zimmermann + +commit fd39c41bcd82d5ebaaebadb944eab5598c668a90 upstream. + +The ASTDP transmitter sometimes takes up to 1 second for enabling the +video signal, while the timeout is only 200 msec. This results in a +kernel error message. Increase the timeout to 1 second. An example +of the error message is shown below. + +[ 697.084433] ------------[ cut here ]------------ +[ 697.091115] ast 0000:02:00.0: [drm] drm_WARN_ON(!__ast_dp_wait_enable(ast, enabled)) +[ 697.091233] WARNING: CPU: 1 PID: 160 at drivers/gpu/drm/ast/ast_dp.c:232 ast_dp_set_enable+0x123/0x140 [ast] +[...] +[ 697.272469] RIP: 0010:ast_dp_set_enable+0x123/0x140 [ast] +[...] +[ 697.415283] Call Trace: +[ 697.420727] +[ 697.425908] ? show_trace_log_lvl+0x196/0x2c0 +[ 697.433304] ? show_trace_log_lvl+0x196/0x2c0 +[ 697.440693] ? drm_atomic_helper_commit_modeset_enables+0x30a/0x470 +[ 697.450115] ? ast_dp_set_enable+0x123/0x140 [ast] +[ 697.458059] ? __warn.cold+0xaf/0xca +[ 697.464713] ? ast_dp_set_enable+0x123/0x140 [ast] +[ 697.472633] ? report_bug+0x134/0x1d0 +[ 697.479544] ? handle_bug+0x58/0x90 +[ 697.486127] ? exc_invalid_op+0x13/0x40 +[ 697.492975] ? asm_exc_invalid_op+0x16/0x20 +[ 697.500224] ? preempt_count_sub+0x14/0xc0 +[ 697.507473] ? ast_dp_set_enable+0x123/0x140 [ast] +[ 697.515377] ? ast_dp_set_enable+0x123/0x140 [ast] +[ 697.523227] drm_atomic_helper_commit_modeset_enables+0x30a/0x470 +[ 697.532388] drm_atomic_helper_commit_tail+0x58/0x90 +[ 697.540400] ast_mode_config_helper_atomic_commit_tail+0x30/0x40 [ast] +[ 697.550009] commit_tail+0xfe/0x1d0 +[ 697.556547] drm_atomic_helper_commit+0x198/0x1c0 + +This is a cosmetical problem. Enabling the video signal still works +even with the error message. The problem has always been present, but +only recent versions of the ast driver warn about missing the timeout. + +Signed-off-by: Thomas Zimmermann +Fixes: 4e29cc7c5c67 ("drm/ast: astdp: Replace ast_dp_set_on_off()") +Cc: Thomas Zimmermann +Cc: Jocelyn Falempe +Cc: Dave Airlie +Cc: dri-devel@lists.freedesktop.org +Cc: # v6.13+ +Reviewed-by: Jocelyn Falempe +Link: https://patchwork.freedesktop.org/patch/msgid/20250127134423.84266-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ast/ast_dp.c ++++ b/drivers/gpu/drm/ast/ast_dp.c +@@ -195,7 +195,7 @@ static bool __ast_dp_wait_enable(struct + if (enabled) + vgacrdf_test |= AST_IO_VGACRDF_DP_VIDEO_ENABLE; + +- for (i = 0; i < 200; ++i) { ++ for (i = 0; i < 1000; ++i) { + if (i) + mdelay(1); + vgacrdf = ast_get_index_reg_mask(ast, AST_IO_VGACRI, 0xdf, diff --git a/queue-6.13/drm-client-handle-tiled-displays-better.patch b/queue-6.13/drm-client-handle-tiled-displays-better.patch new file mode 100644 index 0000000000..86f9c3d548 --- /dev/null +++ b/queue-6.13/drm-client-handle-tiled-displays-better.patch @@ -0,0 +1,57 @@ +From 10026f536843eb8c9148ef6ffb4c6deeebc26838 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Thu, 16 Jan 2025 15:28:25 +0100 +Subject: drm/client: Handle tiled displays better + +From: Maarten Lankhorst + +commit 10026f536843eb8c9148ef6ffb4c6deeebc26838 upstream. + +When testing on my tiled display, initially the tiled display is +detected correctly: +[90376.523692] xe 0000:67:00.0: [drm:drm_client_firmware_config.isra.0 [drm]] fallback: Not all outputs enabled +[90376.523713] xe 0000:67:00.0: [drm:drm_client_firmware_config.isra.0 [drm]] Enabled: 0, detected: 2 +... +[90376.523967] xe 0000:67:00.0: [drm:drm_client_modeset_probe [drm]] [CRTC:82:pipe A] desired mode 1920x2160 set (1920,0) +[90376.524020] xe 0000:67:00.0: [drm:drm_client_modeset_probe [drm]] [CRTC:134:pipe B] desired mode 1920x2160 set (0,0) + +But then, when modes have been set: +[90379.729525] xe 0000:67:00.0: [drm:drm_client_firmware_config.isra.0 [drm]] [CONNECTOR:287:DP-4] on [CRTC:82:pipe A]: 1920x2160 +[90379.729640] xe 0000:67:00.0: [drm:drm_client_firmware_config.isra.0 [drm]] [CONNECTOR:289:DP-5] on [CRTC:134:pipe B]: 1920x2160 +... +[90379.730036] xe 0000:67:00.0: [drm:drm_client_modeset_probe [drm]] [CRTC:82:pipe A] desired mode 1920x2160 set (0,0) +[90379.730124] xe 0000:67:00.0: [drm:drm_client_modeset_probe [drm]] [CRTC:134:pipe B] desired mode 1920x2160 set (0,0) + +Call drm_client_get_tile_offsets() in drm_client_firmware_config() as +well, to ensure that the offset is set correctly. + +This has to be done as a separate pass, as the tile order may not be +equal to the drm connector order. + +Acked-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20250116142825.3933-2-dev@lankhorst.se +Signed-off-by: Maarten Lankhorst +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -743,6 +743,15 @@ retry: + if ((conn_configured & mask) != mask && conn_configured != conn_seq) + goto retry; + ++ for (i = 0; i < count; i++) { ++ struct drm_connector *connector = connectors[i]; ++ ++ if (connector->has_tile) ++ drm_client_get_tile_offsets(dev, connectors, connector_count, ++ modes, offsets, i, ++ connector->tile_h_loc, connector->tile_v_loc); ++ } ++ + /* + * If the BIOS didn't enable everything it could, fall back to have the + * same user experiencing of lighting up as much as possible like the diff --git a/queue-6.13/drm-i915-dp-iterate-dsc-bpp-from-high-to-low-on-all-platforms.patch b/queue-6.13/drm-i915-dp-iterate-dsc-bpp-from-high-to-low-on-all-platforms.patch new file mode 100644 index 0000000000..213f283d9b --- /dev/null +++ b/queue-6.13/drm-i915-dp-iterate-dsc-bpp-from-high-to-low-on-all-platforms.patch @@ -0,0 +1,50 @@ +From 230b19bc2bcc5897d0e20b4ce7e9790a469a2db0 Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Fri, 31 Jan 2025 14:49:54 +0200 +Subject: drm/i915/dp: Iterate DSC BPP from high to low on all platforms + +From: Jani Nikula + +commit 230b19bc2bcc5897d0e20b4ce7e9790a469a2db0 upstream. + +Commit 1c56e9a39833 ("drm/i915/dp: Get optimal link config to have best +compressed bpp") tries to find the best compressed bpp for the +link. However, it iterates from max to min bpp on display 13+, and from +min to max on other platforms. This presumably leads to minimum +compressed bpp always being chosen on display 11-12. + +Iterate from high to low on all platforms to actually use the best +possible compressed bpp. + +Fixes: 1c56e9a39833 ("drm/i915/dp: Get optimal link config to have best compressed bpp") +Cc: Ankit Nautiyal +Cc: Imre Deak +Cc: # v6.7+ +Reviewed-by: Imre Deak +Reviewed-by: Ankit Nautiyal +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/3bba67923cbcd13a59d26ef5fa4bb042b13c8a9b.1738327620.git.jani.nikula@intel.com +(cherry picked from commit 56b0337d429356c3b9ecc36a03023c8cc856b196) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dp.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -2049,11 +2049,10 @@ icl_dsc_compute_link_config(struct intel + /* Compressed BPP should be less than the Input DSC bpp */ + dsc_max_bpp = min(dsc_max_bpp, pipe_bpp - 1); + +- for (i = 0; i < ARRAY_SIZE(valid_dsc_bpp); i++) { +- if (valid_dsc_bpp[i] < dsc_min_bpp) ++ for (i = ARRAY_SIZE(valid_dsc_bpp) - 1; i >= 0; i--) { ++ if (valid_dsc_bpp[i] < dsc_min_bpp || ++ valid_dsc_bpp[i] > dsc_max_bpp) + continue; +- if (valid_dsc_bpp[i] > dsc_max_bpp) +- break; + + ret = dsc_compute_link_config(intel_dp, + pipe_config, diff --git a/queue-6.13/drm-i915-drop-64bpp-yuv-formats-from-icl-sdr-planes.patch b/queue-6.13/drm-i915-drop-64bpp-yuv-formats-from-icl-sdr-planes.patch new file mode 100644 index 0000000000..db95a26d78 --- /dev/null +++ b/queue-6.13/drm-i915-drop-64bpp-yuv-formats-from-icl-sdr-planes.patch @@ -0,0 +1,59 @@ +From c7b49506b3ba7a62335e6f666a43f67d5cd9fd1e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 18 Dec 2024 19:36:47 +0200 +Subject: drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit c7b49506b3ba7a62335e6f666a43f67d5cd9fd1e upstream. + +I'm seeing underruns with these 64bpp YUV formats on TGL. + +The weird details: +- only happens on pipe B/C/D SDR planes, pipe A SDR planes + seem fine, as do all HDR planes +- somehow CDCLK related, higher CDCLK allows for bigger plane + with these formats without underruns. With 300MHz CDCLK I + can only go up to 1200 pixels wide or so, with 650MHz even + a 3840 pixel wide plane was OK +- ICL and ADL so far appear unaffected + +So not really sure what's the deal with this, but bspec does +state "64-bit formats supported only on the HDR planes" so +let's just drop these formats from the SDR planes. We already +disallow 64bpp RGB formats. + +Cc: stable@vger.kernel.org +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20241218173650.19782-2-ville.syrjala@linux.intel.com +Reviewed-by: Juha-Pekka Heikkila +(cherry picked from commit 35e1aacfe536d6e8d8d440cd7155366da2541ad4) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/skl_universal_plane.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/gpu/drm/i915/display/skl_universal_plane.c ++++ b/drivers/gpu/drm/i915/display/skl_universal_plane.c +@@ -106,8 +106,6 @@ static const u32 icl_sdr_y_plane_formats + DRM_FORMAT_Y216, + DRM_FORMAT_XYUV8888, + DRM_FORMAT_XVYU2101010, +- DRM_FORMAT_XVYU12_16161616, +- DRM_FORMAT_XVYU16161616, + }; + + static const u32 icl_sdr_uv_plane_formats[] = { +@@ -134,8 +132,6 @@ static const u32 icl_sdr_uv_plane_format + DRM_FORMAT_Y216, + DRM_FORMAT_XYUV8888, + DRM_FORMAT_XVYU2101010, +- DRM_FORMAT_XVYU12_16161616, +- DRM_FORMAT_XVYU16161616, + }; + + static const u32 icl_hdr_plane_formats[] = { diff --git a/queue-6.13/drm-i915-fix-page-cleanup-on-dma-remap-failure.patch b/queue-6.13/drm-i915-fix-page-cleanup-on-dma-remap-failure.patch new file mode 100644 index 0000000000..397b70f8fc --- /dev/null +++ b/queue-6.13/drm-i915-fix-page-cleanup-on-dma-remap-failure.patch @@ -0,0 +1,67 @@ +From fa6182c8b13ebfdc70ebdc09161a70dd8131f3b1 Mon Sep 17 00:00:00 2001 +From: Brian Geffon +Date: Mon, 27 Jan 2025 15:43:32 -0500 +Subject: drm/i915: Fix page cleanup on DMA remap failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Brian Geffon + +commit fa6182c8b13ebfdc70ebdc09161a70dd8131f3b1 upstream. + +When converting to folios the cleanup path of shmem_get_pages() was +missed. When a DMA remap fails and the max segment size is greater than +PAGE_SIZE it will attempt to retry the remap with a PAGE_SIZEd segment +size. The cleanup code isn't properly using the folio apis and as a +result isn't handling compound pages correctly. + +v2 -> v3: +(Ville) Just use shmem_sg_free_table() as-is in the failure path of +shmem_get_pages(). shmem_sg_free_table() will clear mapping unevictable +but it will be reset when it retries in shmem_sg_alloc_table(). + +v1 -> v2: +(Ville) Fixed locations where we were not clearing mapping unevictable. + +Cc: stable@vger.kernel.org +Cc: Ville Syrjala +Cc: Vidya Srinivas +Link: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13487 +Link: https://lore.kernel.org/lkml/20250116135636.410164-1-bgeffon@google.com/ +Fixes: 0b62af28f249 ("i915: convert shmem_sg_free_table() to use a folio_batch") +Signed-off-by: Brian Geffon +Suggested-by: Tomasz Figa +Link: https://patchwork.freedesktop.org/patch/msgid/20250127204332.336665-1-bgeffon@google.com +Reviewed-by: Jonathan Cavitt +Tested-by: Vidya Srinivas +Signed-off-by: Ville Syrjälä +(cherry picked from commit 9e304a18630875352636ad52a3d2af47c3bde824) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +@@ -209,8 +209,6 @@ static int shmem_get_pages(struct drm_i9 + struct address_space *mapping = obj->base.filp->f_mapping; + unsigned int max_segment = i915_sg_segment_size(i915->drm.dev); + struct sg_table *st; +- struct sgt_iter sgt_iter; +- struct page *page; + int ret; + + /* +@@ -239,9 +237,7 @@ rebuild_st: + * for PAGE_SIZE chunks instead may be helpful. + */ + if (max_segment > PAGE_SIZE) { +- for_each_sgt_page(page, sgt_iter, st) +- put_page(page); +- sg_free_table(st); ++ shmem_sg_free_table(st, mapping, false, false); + kfree(st); + + max_segment = PAGE_SIZE; diff --git a/queue-6.13/drm-i915-guc-debug-print-lrc-state-entries-only-if-the-context-is-pinned.patch b/queue-6.13/drm-i915-guc-debug-print-lrc-state-entries-only-if-the-context-is-pinned.patch new file mode 100644 index 0000000000..66e0f98977 --- /dev/null +++ b/queue-6.13/drm-i915-guc-debug-print-lrc-state-entries-only-if-the-context-is-pinned.patch @@ -0,0 +1,59 @@ +From 57965269896313e1629a518d3971ad55f599b792 Mon Sep 17 00:00:00 2001 +From: Daniele Ceraolo Spurio +Date: Tue, 14 Jan 2025 16:13:34 -0800 +Subject: drm/i915/guc: Debug print LRC state entries only if the context is pinned + +From: Daniele Ceraolo Spurio + +commit 57965269896313e1629a518d3971ad55f599b792 upstream. + +After the context is unpinned the backing memory can also be unpinned, +so any accesses via the lrc_reg_state pointer can end up in unmapped +memory. To avoid that, make sure to only access that memory if the +context is pinned when printing its info. + +v2: fix newline alignment + +Fixes: 28ff6520a34d ("drm/i915/guc: Update GuC debugfs to support new GuC") +Signed-off-by: Daniele Ceraolo Spurio +Cc: John Harrison +Cc: Matthew Brost +Cc: # v5.15+ +Reviewed-by: John Harrison +Link: https://patchwork.freedesktop.org/patch/msgid/20250115001334.3875347-1-daniele.ceraolospurio@intel.com +(cherry picked from commit 5bea40687c5cf2a33bf04e9110eb2e2b80222ef5) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +@@ -5511,12 +5511,20 @@ static inline void guc_log_context(struc + { + drm_printf(p, "GuC lrc descriptor %u:\n", ce->guc_id.id); + drm_printf(p, "\tHW Context Desc: 0x%08x\n", ce->lrc.lrca); +- drm_printf(p, "\t\tLRC Head: Internal %u, Memory %u\n", +- ce->ring->head, +- ce->lrc_reg_state[CTX_RING_HEAD]); +- drm_printf(p, "\t\tLRC Tail: Internal %u, Memory %u\n", +- ce->ring->tail, +- ce->lrc_reg_state[CTX_RING_TAIL]); ++ if (intel_context_pin_if_active(ce)) { ++ drm_printf(p, "\t\tLRC Head: Internal %u, Memory %u\n", ++ ce->ring->head, ++ ce->lrc_reg_state[CTX_RING_HEAD]); ++ drm_printf(p, "\t\tLRC Tail: Internal %u, Memory %u\n", ++ ce->ring->tail, ++ ce->lrc_reg_state[CTX_RING_TAIL]); ++ intel_context_unpin(ce); ++ } else { ++ drm_printf(p, "\t\tLRC Head: Internal %u, Memory not pinned\n", ++ ce->ring->head); ++ drm_printf(p, "\t\tLRC Tail: Internal %u, Memory not pinned\n", ++ ce->ring->tail); ++ } + drm_printf(p, "\t\tContext Pin Count: %u\n", + atomic_read(&ce->pin_count)); + drm_printf(p, "\t\tGuC ID Ref Count: %u\n", diff --git a/queue-6.13/drm-komeda-add-check-for-komeda_get_layer_fourcc_list.patch b/queue-6.13/drm-komeda-add-check-for-komeda_get_layer_fourcc_list.patch new file mode 100644 index 0000000000..871fa082a6 --- /dev/null +++ b/queue-6.13/drm-komeda-add-check-for-komeda_get_layer_fourcc_list.patch @@ -0,0 +1,36 @@ +From 79fc672a092d93a7eac24fe20a571d4efd8fa5a4 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 19 Dec 2024 17:02:56 +0800 +Subject: drm/komeda: Add check for komeda_get_layer_fourcc_list() + +From: Haoxiang Li + +commit 79fc672a092d93a7eac24fe20a571d4efd8fa5a4 upstream. + +Add check for the return value of komeda_get_layer_fourcc_list() +to catch the potential exception. + +Fixes: 5d51f6c0da1b ("drm/komeda: Add writeback support") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Acked-by: Liviu Dudau +Link: https://lore.kernel.org/r/20241219090256.146424-1-haoxiang_li2024@163.com +Signed-off-by: Liviu Dudau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c ++++ b/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c +@@ -160,6 +160,10 @@ static int komeda_wb_connector_add(struc + formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl, + kwb_conn->wb_layer->layer_type, + &n_formats); ++ if (!formats) { ++ kfree(kwb_conn); ++ return -ENOMEM; ++ } + + err = drm_writeback_connector_init(&kms->base, wb_conn, + &komeda_wb_connector_funcs, diff --git a/queue-6.13/drm-modeset-handle-tiled-displays-in-pan_display_atomic.patch b/queue-6.13/drm-modeset-handle-tiled-displays-in-pan_display_atomic.patch new file mode 100644 index 0000000000..37ead25c7d --- /dev/null +++ b/queue-6.13/drm-modeset-handle-tiled-displays-in-pan_display_atomic.patch @@ -0,0 +1,66 @@ +From f4a9dd57e549a17a7dac1c1defec26abd7e5c2d4 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Thu, 16 Jan 2025 15:28:24 +0100 +Subject: drm/modeset: Handle tiled displays in pan_display_atomic. + +From: Maarten Lankhorst + +commit f4a9dd57e549a17a7dac1c1defec26abd7e5c2d4 upstream. + +Tiled displays have a different x/y offset to begin with. Instead of +attempting to remember this, just apply a delta instead. + +This fixes the first tile being duplicated on other tiles when vt +switching. + +Acked-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20250116142825.3933-1-dev@lankhorst.se +Signed-off-by: Maarten Lankhorst +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_fb_helper.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -1354,14 +1354,14 @@ int drm_fb_helper_set_par(struct fb_info + } + EXPORT_SYMBOL(drm_fb_helper_set_par); + +-static void pan_set(struct drm_fb_helper *fb_helper, int x, int y) ++static void pan_set(struct drm_fb_helper *fb_helper, int dx, int dy) + { + struct drm_mode_set *mode_set; + + mutex_lock(&fb_helper->client.modeset_mutex); + drm_client_for_each_modeset(mode_set, &fb_helper->client) { +- mode_set->x = x; +- mode_set->y = y; ++ mode_set->x += dx; ++ mode_set->y += dy; + } + mutex_unlock(&fb_helper->client.modeset_mutex); + } +@@ -1370,16 +1370,18 @@ static int pan_display_atomic(struct fb_ + struct fb_info *info) + { + struct drm_fb_helper *fb_helper = info->par; +- int ret; ++ int ret, dx, dy; + +- pan_set(fb_helper, var->xoffset, var->yoffset); ++ dx = var->xoffset - info->var.xoffset; ++ dy = var->yoffset - info->var.yoffset; ++ pan_set(fb_helper, dx, dy); + + ret = drm_client_modeset_commit_locked(&fb_helper->client); + if (!ret) { + info->var.xoffset = var->xoffset; + info->var.yoffset = var->yoffset; + } else +- pan_set(fb_helper, info->var.xoffset, info->var.yoffset); ++ pan_set(fb_helper, -dx, -dy); + + return ret; + } diff --git a/queue-6.13/drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq_event.patch b/queue-6.13/drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq_event.patch new file mode 100644 index 0000000000..1176a57eb9 --- /dev/null +++ b/queue-6.13/drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq_event.patch @@ -0,0 +1,73 @@ +From 666e1960464140cc4bc9203c203097e70b54c95a Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Tue, 5 Nov 2024 14:38:16 +0100 +Subject: drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Zimmermann + +commit 666e1960464140cc4bc9203c203097e70b54c95a upstream. + +The code for detecting and updating the connector status in +cdn_dp_pd_event_work() has a number of problems. + +- It does not aquire the locks to call the detect helper and update +the connector status. These are struct drm_mode_config.connection_mutex +and struct drm_mode_config.mutex. + +- It does not use drm_helper_probe_detect(), which helps with the +details of locking and detection. + +- It uses the connector's status field to determine a change to +the connector status. The epoch_counter field is the correct one. The +field signals a change even if the connector status' value did not +change. + +Replace the code with a call to drm_connector_helper_hpd_irq_event(), +which fixes all these problems. + +Signed-off-by: Thomas Zimmermann +Fixes: 81632df69772 ("drm/rockchip: cdn-dp: do not use drm_helper_hpd_irq_event") +Cc: Chris Zhong +Cc: Guenter Roeck +Cc: Sandy Huang +Cc: "Heiko Stübner" +Cc: Andy Yan +Cc: dri-devel@lists.freedesktop.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-rockchip@lists.infradead.org +Cc: # v4.11+ +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20241105133848.480407-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/cdn-dp-core.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c +@@ -947,9 +947,6 @@ static void cdn_dp_pd_event_work(struct + { + struct cdn_dp_device *dp = container_of(work, struct cdn_dp_device, + event_work); +- struct drm_connector *connector = &dp->connector; +- enum drm_connector_status old_status; +- + int ret; + + mutex_lock(&dp->lock); +@@ -1009,11 +1006,7 @@ static void cdn_dp_pd_event_work(struct + + out: + mutex_unlock(&dp->lock); +- +- old_status = connector->status; +- connector->status = connector->funcs->detect(connector, false); +- if (old_status != connector->status) +- drm_kms_helper_hotplug_event(dp->drm_dev); ++ drm_connector_helper_hpd_irq_event(&dp->connector); + } + + static int cdn_dp_pd_event(struct notifier_block *nb, diff --git a/queue-6.13/drm-xe-devcoredump-move-exec-queue-snapshot-to-contexts-section.patch b/queue-6.13/drm-xe-devcoredump-move-exec-queue-snapshot-to-contexts-section.patch new file mode 100644 index 0000000000..3f58cee31d --- /dev/null +++ b/queue-6.13/drm-xe-devcoredump-move-exec-queue-snapshot-to-contexts-section.patch @@ -0,0 +1,53 @@ +From 042c48b73699c47d84b6ace73036e5a31a0d4cfc Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Wed, 22 Jan 2025 21:11:11 -0800 +Subject: drm/xe/devcoredump: Move exec queue snapshot to Contexts section +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas De Marchi + +commit 042c48b73699c47d84b6ace73036e5a31a0d4cfc upstream. + +Having the exec queue snapshot inside a "GuC CT" section was always +wrong. Commit c28fd6c358db ("drm/xe/devcoredump: Improve section +headings and add tile info") tried to fix that bug, but with that also +broke the mesa tool that parses the devcoredump, hence it was reverted +in commit a53da2fb25a3 ("drm/xe: Revert some changes that break a mesa +debug tool"). + +With the mesa tool also fixed, this can propagate as a fix on both +kernel and userspace side to avoid unnecessary headache for a debug +feature. + +Cc: John Harrison +Cc: Julia Filipchuk +Cc: José Roberto de Souza +Cc: stable@vger.kernel.org +Fixes: a53da2fb25a3 ("drm/xe: Revert some changes that break a mesa debug tool") +Reviewed-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20250123051112.1938193-2-lucas.demarchi@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit a37934ea75d331fafa7fe80b6180642ba5193422) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_devcoredump.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_devcoredump.c ++++ b/drivers/gpu/drm/xe/xe_devcoredump.c +@@ -109,11 +109,7 @@ static ssize_t __xe_devcoredump_read(cha + drm_puts(&p, "\n**** GuC CT ****\n"); + xe_guc_ct_snapshot_print(ss->guc.ct, &p); + +- /* +- * Don't add a new section header here because the mesa debug decoder +- * tool expects the context information to be in the 'GuC CT' section. +- */ +- /* drm_puts(&p, "\n**** Contexts ****\n"); */ ++ drm_puts(&p, "\n**** Contexts ****\n"); + xe_guc_exec_queue_snapshot_print(ss->ge, &p); + + drm_puts(&p, "\n**** Job ****\n"); diff --git a/queue-6.13/drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch b/queue-6.13/drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch new file mode 100644 index 0000000000..234a9542e4 --- /dev/null +++ b/queue-6.13/drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch @@ -0,0 +1,161 @@ +From a9ab6591b45258b79af1cb66112fd9f83c8855da Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Thu, 23 Jan 2025 12:22:03 -0800 +Subject: drm/xe: Fix and re-enable xe_print_blob_ascii85() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas De Marchi + +commit a9ab6591b45258b79af1cb66112fd9f83c8855da upstream. + +Commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa +debug tool") partially reverted some changes to workaround breakage +caused to mesa tools. However, in doing so it also broke fetching the +GuC log via debugfs since xe_print_blob_ascii85() simply bails out. + +The fix is to avoid the extra newlines: the devcoredump interface is +line-oriented and adding random newlines in the middle breaks it. If a +tool is able to parse it by looking at the data and checking for chars +that are out of the ascii85 space, it can still do so. A format change +that breaks the line-oriented output on devcoredump however needs better +coordination with existing tools. + +v2: Add suffix description comment +v3: Reword explanation of xe_print_blob_ascii85() calling drm_puts() + in a loop + +Reviewed-by: José Roberto de Souza +Cc: John Harrison +Cc: Julia Filipchuk +Cc: José Roberto de Souza +Cc: stable@vger.kernel.org +Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") +Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") +Link: https://patchwork.freedesktop.org/patch/msgid/20250123202307.95103-2-jose.souza@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 2c95bbf5002776117a69caed3b31c10bf7341bec) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_devcoredump.c | 34 +++++++++++++--------------------- + drivers/gpu/drm/xe/xe_devcoredump.h | 2 +- + drivers/gpu/drm/xe/xe_guc_ct.c | 3 ++- + drivers/gpu/drm/xe/xe_guc_log.c | 4 +++- + 4 files changed, 19 insertions(+), 24 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_devcoredump.c ++++ b/drivers/gpu/drm/xe/xe_devcoredump.c +@@ -338,42 +338,34 @@ int xe_devcoredump_init(struct xe_device + /** + * xe_print_blob_ascii85 - print a BLOB to some useful location in ASCII85 + * +- * The output is split to multiple lines because some print targets, e.g. dmesg +- * cannot handle arbitrarily long lines. Note also that printing to dmesg in +- * piece-meal fashion is not possible, each separate call to drm_puts() has a +- * line-feed automatically added! Therefore, the entire output line must be +- * constructed in a local buffer first, then printed in one atomic output call. ++ * The output is split into multiple calls to drm_puts() because some print ++ * targets, e.g. dmesg, cannot handle arbitrarily long lines. These targets may ++ * add newlines, as is the case with dmesg: each drm_puts() call creates a ++ * separate line. + * + * There is also a scheduler yield call to prevent the 'task has been stuck for + * 120s' kernel hang check feature from firing when printing to a slow target + * such as dmesg over a serial port. + * +- * TODO: Add compression prior to the ASCII85 encoding to shrink huge buffers down. +- * + * @p: the printer object to output to + * @prefix: optional prefix to add to output string ++ * @suffix: optional suffix to add at the end. 0 disables it and is ++ * not added to the output, which is useful when using multiple calls ++ * to dump data to @p + * @blob: the Binary Large OBject to dump out + * @offset: offset in bytes to skip from the front of the BLOB, must be a multiple of sizeof(u32) + * @size: the size in bytes of the BLOB, must be a multiple of sizeof(u32) + */ +-void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, ++void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, + const void *blob, size_t offset, size_t size) + { + const u32 *blob32 = (const u32 *)blob; + char buff[ASCII85_BUFSZ], *line_buff; + size_t line_pos = 0; + +- /* +- * Splitting blobs across multiple lines is not compatible with the mesa +- * debug decoder tool. Note that even dropping the explicit '\n' below +- * doesn't help because the GuC log is so big some underlying implementation +- * still splits the lines at 512K characters. So just bail completely for +- * the moment. +- */ +- return; +- + #define DMESG_MAX_LINE_LEN 800 +-#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\n\0" */ ++ /* Always leave space for the suffix char and the \0 */ ++#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\0" */ + + if (size & 3) + drm_printf(p, "Size not word aligned: %zu", size); +@@ -405,7 +397,6 @@ void xe_print_blob_ascii85(struct drm_pr + line_pos += strlen(line_buff + line_pos); + + if ((line_pos + MIN_SPACE) >= DMESG_MAX_LINE_LEN) { +- line_buff[line_pos++] = '\n'; + line_buff[line_pos++] = 0; + + drm_puts(p, line_buff); +@@ -417,10 +408,11 @@ void xe_print_blob_ascii85(struct drm_pr + } + } + ++ if (suffix) ++ line_buff[line_pos++] = suffix; ++ + if (line_pos) { +- line_buff[line_pos++] = '\n'; + line_buff[line_pos++] = 0; +- + drm_puts(p, line_buff); + } + +--- a/drivers/gpu/drm/xe/xe_devcoredump.h ++++ b/drivers/gpu/drm/xe/xe_devcoredump.h +@@ -26,7 +26,7 @@ static inline int xe_devcoredump_init(st + } + #endif + +-void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, ++void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, + const void *blob, size_t offset, size_t size); + + #endif +--- a/drivers/gpu/drm/xe/xe_guc_ct.c ++++ b/drivers/gpu/drm/xe/xe_guc_ct.c +@@ -1700,7 +1700,8 @@ void xe_guc_ct_snapshot_print(struct xe_ + snapshot->g2h_outstanding); + + if (snapshot->ctb) +- xe_print_blob_ascii85(p, "CTB data", snapshot->ctb, 0, snapshot->ctb_size); ++ xe_print_blob_ascii85(p, "CTB data", '\n', ++ snapshot->ctb, 0, snapshot->ctb_size); + } else { + drm_puts(p, "CT disabled\n"); + } +--- a/drivers/gpu/drm/xe/xe_guc_log.c ++++ b/drivers/gpu/drm/xe/xe_guc_log.c +@@ -211,8 +211,10 @@ void xe_guc_log_snapshot_print(struct xe + remain = snapshot->size; + for (i = 0; i < snapshot->num_chunks; i++) { + size_t size = min(GUC_LOG_CHUNK_SIZE, remain); ++ const char *prefix = i ? NULL : "Log data"; ++ char suffix = i == snapshot->num_chunks - 1 ? '\n' : 0; + +- xe_print_blob_ascii85(p, i ? NULL : "Log data", snapshot->copy[i], 0, size); ++ xe_print_blob_ascii85(p, prefix, suffix, snapshot->copy[i], 0, size); + remain -= size; + } + } diff --git a/queue-6.13/fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch b/queue-6.13/fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch new file mode 100644 index 0000000000..93ea336443 --- /dev/null +++ b/queue-6.13/fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch @@ -0,0 +1,62 @@ +From ab251dacfbae28772c897f068a4184f478189ff2 Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Thu, 2 Jan 2025 09:22:56 +0100 +Subject: fs/proc: do_task_stat: Fix ESP not readable during coredump + +From: Nam Cao + +commit ab251dacfbae28772c897f068a4184f478189ff2 upstream. + +The field "eip" (instruction pointer) and "esp" (stack pointer) of a task +can be read from /proc/PID/stat. These fields can be interesting for +coredump. + +However, these fields were disabled by commit 0a1eb2d474ed ("fs/proc: Stop +reporting eip and esp in /proc/PID/stat"), because it is generally unsafe +to do so. But it is safe for a coredumping process, and therefore +exceptions were made: + + - for a coredumping thread by commit fd7d56270b52 ("fs/proc: Report + eip/esp in /prod/PID/stat for coredumping"). + + - for all other threads in a coredumping process by commit cb8f381f1613 + ("fs/proc/array.c: allow reporting eip/esp for all coredumping + threads"). + +The above two commits check the PF_DUMPCORE flag to determine a coredump thread +and the PF_EXITING flag for the other threads. + +Unfortunately, commit 92307383082d ("coredump: Don't perform any cleanups +before dumping core") moved coredump to happen earlier and before PF_EXITING is +set. Thus, checking PF_EXITING is no longer the correct way to determine +threads in a coredumping process. + +Instead of PF_EXITING, use PF_POSTCOREDUMP to determine the other threads. + +Checking of PF_EXITING was added for coredumping, so it probably can now be +removed. But it doesn't hurt to keep. + +Fixes: 92307383082d ("coredump: Don't perform any cleanups before dumping core") +Cc: stable@vger.kernel.org +Cc: Eric W. Biederman +Acked-by: Oleg Nesterov +Acked-by: Kees Cook +Signed-off-by: Nam Cao +Link: https://lore.kernel.org/r/d89af63d478d6c64cc46a01420b46fd6eb147d6f.1735805772.git.namcao@linutronix.de +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/array.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -500,7 +500,7 @@ static int do_task_stat(struct seq_file + * a program is not able to use ptrace(2) in that case. It is + * safe because the task has stopped executing permanently. + */ +- if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE))) { ++ if (permitted && (task->flags & (PF_EXITING|PF_DUMPCORE|PF_POSTCOREDUMP))) { + if (try_get_task_stack(task)) { + eip = KSTK_EIP(task); + esp = KSTK_ESP(task); diff --git a/queue-6.13/input-synaptics-fix-crash-when-enabling-pass-through-port.patch b/queue-6.13/input-synaptics-fix-crash-when-enabling-pass-through-port.patch new file mode 100644 index 0000000000..aeb6ce97cb --- /dev/null +++ b/queue-6.13/input-synaptics-fix-crash-when-enabling-pass-through-port.patch @@ -0,0 +1,131 @@ +From 08bd5b7c9a2401faabdaa1472d45c7de0755fd7e Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 17 Jan 2025 09:23:40 -0800 +Subject: Input: synaptics - fix crash when enabling pass-through port + +From: Dmitry Torokhov + +commit 08bd5b7c9a2401faabdaa1472d45c7de0755fd7e upstream. + +When enabling a pass-through port an interrupt might come before psmouse +driver binds to the pass-through port. However synaptics sub-driver +tries to access psmouse instance presumably associated with the +pass-through port to figure out if only 1 byte of response or entire +protocol packet needs to be forwarded to the pass-through port and may +crash if psmouse instance has not been attached to the port yet. + +Fix the crash by introducing open() and close() methods for the port and +check if the port is open before trying to access psmouse instance. +Because psmouse calls serio_open() only after attaching psmouse instance +to serio port instance this prevents the potential crash. + +Reported-by: Takashi Iwai +Fixes: 100e16959c3c ("Input: libps2 - attach ps2dev instances as serio port's drvdata") +Link: https://bugzilla.suse.com/show_bug.cgi?id=1219522 +Cc: stable@vger.kernel.org +Reviewed-by: Takashi Iwai +Link: https://lore.kernel.org/r/Z4qSHORvPn7EU2j1@google.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/synaptics.c | 56 ++++++++++++++++++++++++++++++---------- + drivers/input/mouse/synaptics.h | 1 + 2 files changed, 43 insertions(+), 14 deletions(-) + +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -665,23 +665,50 @@ static void synaptics_pt_stop(struct ser + priv->pt_port = NULL; + } + ++static int synaptics_pt_open(struct serio *serio) ++{ ++ struct psmouse *parent = psmouse_from_serio(serio->parent); ++ struct synaptics_data *priv = parent->private; ++ ++ guard(serio_pause_rx)(parent->ps2dev.serio); ++ priv->pt_port_open = true; ++ ++ return 0; ++} ++ ++static void synaptics_pt_close(struct serio *serio) ++{ ++ struct psmouse *parent = psmouse_from_serio(serio->parent); ++ struct synaptics_data *priv = parent->private; ++ ++ guard(serio_pause_rx)(parent->ps2dev.serio); ++ priv->pt_port_open = false; ++} ++ + static int synaptics_is_pt_packet(u8 *buf) + { + return (buf[0] & 0xFC) == 0x84 && (buf[3] & 0xCC) == 0xC4; + } + +-static void synaptics_pass_pt_packet(struct serio *ptport, u8 *packet) ++static void synaptics_pass_pt_packet(struct synaptics_data *priv, u8 *packet) + { +- struct psmouse *child = psmouse_from_serio(ptport); ++ struct serio *ptport; + +- if (child && child->state == PSMOUSE_ACTIVATED) { +- serio_interrupt(ptport, packet[1], 0); +- serio_interrupt(ptport, packet[4], 0); +- serio_interrupt(ptport, packet[5], 0); +- if (child->pktsize == 4) +- serio_interrupt(ptport, packet[2], 0); +- } else { +- serio_interrupt(ptport, packet[1], 0); ++ ptport = priv->pt_port; ++ if (!ptport) ++ return; ++ ++ serio_interrupt(ptport, packet[1], 0); ++ ++ if (priv->pt_port_open) { ++ struct psmouse *child = psmouse_from_serio(ptport); ++ ++ if (child->state == PSMOUSE_ACTIVATED) { ++ serio_interrupt(ptport, packet[4], 0); ++ serio_interrupt(ptport, packet[5], 0); ++ if (child->pktsize == 4) ++ serio_interrupt(ptport, packet[2], 0); ++ } + } + } + +@@ -720,6 +747,8 @@ static void synaptics_pt_create(struct p + serio->write = synaptics_pt_write; + serio->start = synaptics_pt_start; + serio->stop = synaptics_pt_stop; ++ serio->open = synaptics_pt_open; ++ serio->close = synaptics_pt_close; + serio->parent = psmouse->ps2dev.serio; + + psmouse->pt_activate = synaptics_pt_activate; +@@ -1216,11 +1245,10 @@ static psmouse_ret_t synaptics_process_b + + if (SYN_CAP_PASS_THROUGH(priv->info.capabilities) && + synaptics_is_pt_packet(psmouse->packet)) { +- if (priv->pt_port) +- synaptics_pass_pt_packet(priv->pt_port, +- psmouse->packet); +- } else ++ synaptics_pass_pt_packet(priv, psmouse->packet); ++ } else { + synaptics_process_packet(psmouse); ++ } + + return PSMOUSE_FULL_PACKET; + } +--- a/drivers/input/mouse/synaptics.h ++++ b/drivers/input/mouse/synaptics.h +@@ -188,6 +188,7 @@ struct synaptics_data { + bool disable_gesture; /* disable gestures */ + + struct serio *pt_port; /* Pass-through serio port */ ++ bool pt_port_open; + + /* + * Last received Advanced Gesture Mode (AGM) packet. An AGM packet diff --git a/queue-6.13/keys-trusted-dcp-fix-improper-sg-use-with-config_vmap_stack-y.patch b/queue-6.13/keys-trusted-dcp-fix-improper-sg-use-with-config_vmap_stack-y.patch new file mode 100644 index 0000000000..68356608a3 --- /dev/null +++ b/queue-6.13/keys-trusted-dcp-fix-improper-sg-use-with-config_vmap_stack-y.patch @@ -0,0 +1,91 @@ +From e8d9fab39d1f87b52932646b2f1e7877aa3fc0f4 Mon Sep 17 00:00:00 2001 +From: David Gstir +Date: Wed, 13 Nov 2024 22:27:54 +0100 +Subject: KEYS: trusted: dcp: fix improper sg use with CONFIG_VMAP_STACK=y + +From: David Gstir + +commit e8d9fab39d1f87b52932646b2f1e7877aa3fc0f4 upstream. + +With vmalloc stack addresses enabled (CONFIG_VMAP_STACK=y) DCP trusted +keys can crash during en- and decryption of the blob encryption key via +the DCP crypto driver. This is caused by improperly using sg_init_one() +with vmalloc'd stack buffers (plain_key_blob). + +Fix this by always using kmalloc() for buffers we give to the DCP crypto +driver. + +Cc: stable@vger.kernel.org # v6.10+ +Fixes: 0e28bf61a5f9 ("KEYS: trusted: dcp: fix leak of blob encryption key") +Signed-off-by: David Gstir +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_dcp.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +--- a/security/keys/trusted-keys/trusted_dcp.c ++++ b/security/keys/trusted-keys/trusted_dcp.c +@@ -201,12 +201,16 @@ static int trusted_dcp_seal(struct trust + { + struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob; + int blen, ret; +- u8 plain_blob_key[AES_KEYSIZE_128]; ++ u8 *plain_blob_key; + + blen = calc_blob_len(p->key_len); + if (blen > MAX_BLOB_SIZE) + return -E2BIG; + ++ plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL); ++ if (!plain_blob_key) ++ return -ENOMEM; ++ + b->fmt_version = DCP_BLOB_VERSION; + get_random_bytes(b->nonce, AES_KEYSIZE_128); + get_random_bytes(plain_blob_key, AES_KEYSIZE_128); +@@ -229,7 +233,8 @@ static int trusted_dcp_seal(struct trust + ret = 0; + + out: +- memzero_explicit(plain_blob_key, sizeof(plain_blob_key)); ++ memzero_explicit(plain_blob_key, AES_KEYSIZE_128); ++ kfree(plain_blob_key); + + return ret; + } +@@ -238,7 +243,7 @@ static int trusted_dcp_unseal(struct tru + { + struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob; + int blen, ret; +- u8 plain_blob_key[AES_KEYSIZE_128]; ++ u8 *plain_blob_key = NULL; + + if (b->fmt_version != DCP_BLOB_VERSION) { + pr_err("DCP blob has bad version: %i, expected %i\n", +@@ -256,6 +261,12 @@ static int trusted_dcp_unseal(struct tru + goto out; + } + ++ plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL); ++ if (!plain_blob_key) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ + ret = decrypt_blob_key(b->blob_key, plain_blob_key); + if (ret) { + pr_err("Unable to decrypt blob key: %i\n", ret); +@@ -271,7 +282,10 @@ static int trusted_dcp_unseal(struct tru + + ret = 0; + out: +- memzero_explicit(plain_blob_key, sizeof(plain_blob_key)); ++ if (plain_blob_key) { ++ memzero_explicit(plain_blob_key, AES_KEYSIZE_128); ++ kfree(plain_blob_key); ++ } + + return ret; + } diff --git a/queue-6.13/ksmbd-fix-integer-overflows-on-32-bit-systems.patch b/queue-6.13/ksmbd-fix-integer-overflows-on-32-bit-systems.patch new file mode 100644 index 0000000000..50c115d29f --- /dev/null +++ b/queue-6.13/ksmbd-fix-integer-overflows-on-32-bit-systems.patch @@ -0,0 +1,55 @@ +From aab98e2dbd648510f8f51b83fbf4721206ccae45 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 15 Jan 2025 09:28:35 +0900 +Subject: ksmbd: fix integer overflows on 32 bit systems + +From: Dan Carpenter + +commit aab98e2dbd648510f8f51b83fbf4721206ccae45 upstream. + +On 32bit systems the addition operations in ipc_msg_alloc() can +potentially overflow leading to memory corruption. +Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow. + +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_ipc.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/smb/server/transport_ipc.c ++++ b/fs/smb/server/transport_ipc.c +@@ -626,6 +626,9 @@ ksmbd_ipc_spnego_authen_request(const ch + struct ksmbd_spnego_authen_request *req; + struct ksmbd_spnego_authen_response *resp; + ++ if (blob_len > KSMBD_IPC_MAX_PAYLOAD) ++ return NULL; ++ + msg = ipc_msg_alloc(sizeof(struct ksmbd_spnego_authen_request) + + blob_len + 1); + if (!msg) +@@ -805,6 +808,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_writ + struct ksmbd_rpc_command *req; + struct ksmbd_rpc_command *resp; + ++ if (payload_sz > KSMBD_IPC_MAX_PAYLOAD) ++ return NULL; ++ + msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1); + if (!msg) + return NULL; +@@ -853,6 +859,9 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioct + struct ksmbd_rpc_command *req; + struct ksmbd_rpc_command *resp; + ++ if (payload_sz > KSMBD_IPC_MAX_PAYLOAD) ++ return NULL; ++ + msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1); + if (!msg) + return NULL; diff --git a/queue-6.13/kvm-arm64-timer-always-evaluate-the-need-for-a-soft-timer.patch b/queue-6.13/kvm-arm64-timer-always-evaluate-the-need-for-a-soft-timer.patch new file mode 100644 index 0000000000..f7ecd47a68 --- /dev/null +++ b/queue-6.13/kvm-arm64-timer-always-evaluate-the-need-for-a-soft-timer.patch @@ -0,0 +1,52 @@ +From b450dcce93bc2cf6d2bfaf5a0de88a94ebad8f89 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 4 Feb 2025 11:00:48 +0000 +Subject: KVM: arm64: timer: Always evaluate the need for a soft timer + +From: Marc Zyngier + +commit b450dcce93bc2cf6d2bfaf5a0de88a94ebad8f89 upstream. + +When updating the interrupt state for an emulated timer, we return +early and skip the setup of a soft timer that runs in parallel +with the guest. + +While this is OK if we have set the interrupt pending, it is pretty +wrong if the guest moved CVAL into the future. In that case, +no timer is armed and the guest can wait for a very long time +(it will take a full put/load cycle for the situation to resolve). + +This is specially visible with EDK2 running at EL2, but still +using the EL1 virtual timer, which in that case is fully emulated. +Any key-press takes ages to be captured, as there is no UART +interrupt and EDK2 relies on polling from a timer... + +The fix is simply to drop the early return. If the timer interrupt +is pending, we will still return early, and otherwise arm the soft +timer. + +Fixes: 4d74ecfa6458b ("KVM: arm64: Don't arm a hrtimer for an already pending timer") +Cc: stable@vger.kernel.org +Tested-by: Dmytro Terletskyi +Reviewed-by: Oliver Upton +Link: https://lore.kernel.org/r/20250204110050.150560-2-maz@kernel.org +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/arch_timer.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/arm64/kvm/arch_timer.c ++++ b/arch/arm64/kvm/arch_timer.c +@@ -466,10 +466,8 @@ static void timer_emulate(struct arch_ti + + trace_kvm_timer_emulate(ctx, should_fire); + +- if (should_fire != ctx->irq.level) { ++ if (should_fire != ctx->irq.level) + kvm_timer_update_irq(ctx->vcpu, should_fire, ctx); +- return; +- } + + /* + * If the timer can fire now, we don't need to have a soft timer diff --git a/queue-6.13/kvm-defer-huge-page-recovery-vhost-task-to-later.patch b/queue-6.13/kvm-defer-huge-page-recovery-vhost-task-to-later.patch new file mode 100644 index 0000000000..1c3312c2a3 --- /dev/null +++ b/queue-6.13/kvm-defer-huge-page-recovery-vhost-task-to-later.patch @@ -0,0 +1,163 @@ +From 931656b9e2ff7029aee0b36e17780621948a6ac1 Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Thu, 23 Jan 2025 07:35:43 -0800 +Subject: kvm: defer huge page recovery vhost task to later + +From: Keith Busch + +commit 931656b9e2ff7029aee0b36e17780621948a6ac1 upstream. + +Some libraries want to ensure they are single threaded before forking, +so making the kernel's kvm huge page recovery process a vhost task of +the user process breaks those. The minijail library used by crosvm is +one such affected application. + +Defer the task to after the first VM_RUN call, which occurs after the +parent process has forked all its jailed processes. This needs to happen +only once for the kvm instance, so introduce some general-purpose +infrastructure for that, too. It's similar in concept to pthread_once; +except it is actually usable, because the callback takes a parameter. + +Cc: Sean Christopherson +Cc: Paolo Bonzini +Tested-by: Alyssa Ross +Signed-off-by: Keith Busch +Message-ID: <20250123153543.2769928-1-kbusch@meta.com> +[Move call_once API to include/linux. - Paolo] +Cc: stable@vger.kernel.org +Fixes: d96c77bd4eeb ("KVM: x86: switch hugepage recovery thread to vhost_task") +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 2 + + arch/x86/kvm/mmu/mmu.c | 18 +++++++++++----- + arch/x86/kvm/x86.c | 7 +++++- + include/linux/call_once.h | 45 ++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 6 deletions(-) + create mode 100644 include/linux/call_once.h + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1445,6 +1446,7 @@ struct kvm_arch { + struct kvm_x86_pmu_event_filter __rcu *pmu_event_filter; + struct vhost_task *nx_huge_page_recovery_thread; + u64 nx_huge_page_last; ++ struct once nx_once; + + #ifdef CONFIG_X86_64 + /* The number of TDP MMU pages across all roots. */ +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -7411,20 +7411,28 @@ static bool kvm_nx_huge_page_recovery_wo + return true; + } + +-int kvm_mmu_post_init_vm(struct kvm *kvm) ++static void kvm_mmu_start_lpage_recovery(struct once *once) + { +- if (nx_hugepage_mitigation_hard_disabled) +- return 0; ++ struct kvm_arch *ka = container_of(once, struct kvm_arch, nx_once); ++ struct kvm *kvm = container_of(ka, struct kvm, arch); + + kvm->arch.nx_huge_page_last = get_jiffies_64(); + kvm->arch.nx_huge_page_recovery_thread = vhost_task_create( + kvm_nx_huge_page_recovery_worker, kvm_nx_huge_page_recovery_worker_kill, + kvm, "kvm-nx-lpage-recovery"); + ++ if (kvm->arch.nx_huge_page_recovery_thread) ++ vhost_task_start(kvm->arch.nx_huge_page_recovery_thread); ++} ++ ++int kvm_mmu_post_init_vm(struct kvm *kvm) ++{ ++ if (nx_hugepage_mitigation_hard_disabled) ++ return 0; ++ ++ call_once(&kvm->arch.nx_once, kvm_mmu_start_lpage_recovery); + if (!kvm->arch.nx_huge_page_recovery_thread) + return -ENOMEM; +- +- vhost_task_start(kvm->arch.nx_huge_page_recovery_thread); + return 0; + } + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -11463,6 +11463,10 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v + struct kvm_run *kvm_run = vcpu->run; + int r; + ++ r = kvm_mmu_post_init_vm(vcpu->kvm); ++ if (r) ++ return r; ++ + vcpu_load(vcpu); + kvm_sigset_activate(vcpu); + kvm_run->flags = 0; +@@ -12742,7 +12746,8 @@ out: + + int kvm_arch_post_init_vm(struct kvm *kvm) + { +- return kvm_mmu_post_init_vm(kvm); ++ once_init(&kvm->arch.nx_once); ++ return 0; + } + + static void kvm_unload_vcpu_mmu(struct kvm_vcpu *vcpu) +--- /dev/null ++++ b/include/linux/call_once.h +@@ -0,0 +1,45 @@ ++#ifndef _LINUX_CALL_ONCE_H ++#define _LINUX_CALL_ONCE_H ++ ++#include ++#include ++ ++#define ONCE_NOT_STARTED 0 ++#define ONCE_RUNNING 1 ++#define ONCE_COMPLETED 2 ++ ++struct once { ++ atomic_t state; ++ struct mutex lock; ++}; ++ ++static inline void __once_init(struct once *once, const char *name, ++ struct lock_class_key *key) ++{ ++ atomic_set(&once->state, ONCE_NOT_STARTED); ++ __mutex_init(&once->lock, name, key); ++} ++ ++#define once_init(once) \ ++do { \ ++ static struct lock_class_key __key; \ ++ __once_init((once), #once, &__key); \ ++} while (0) ++ ++static inline void call_once(struct once *once, void (*cb)(struct once *)) ++{ ++ /* Pairs with atomic_set_release() below. */ ++ if (atomic_read_acquire(&once->state) == ONCE_COMPLETED) ++ return; ++ ++ guard(mutex)(&once->lock); ++ WARN_ON(atomic_read(&once->state) == ONCE_RUNNING); ++ if (atomic_read(&once->state) != ONCE_NOT_STARTED) ++ return; ++ ++ atomic_set(&once->state, ONCE_RUNNING); ++ cb(once); ++ atomic_set_release(&once->state, ONCE_COMPLETED); ++} ++ ++#endif /* _LINUX_CALL_ONCE_H */ diff --git a/queue-6.13/kvm-explicitly-verify-target-vcpu-is-online-in-kvm_get_vcpu.patch b/queue-6.13/kvm-explicitly-verify-target-vcpu-is-online-in-kvm_get_vcpu.patch new file mode 100644 index 0000000000..8b910be8f8 --- /dev/null +++ b/queue-6.13/kvm-explicitly-verify-target-vcpu-is-online-in-kvm_get_vcpu.patch @@ -0,0 +1,62 @@ +From 1e7381f3617d14b3c11da80ff5f8a93ab14cfc46 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 9 Oct 2024 08:04:50 -0700 +Subject: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() + +From: Sean Christopherson + +commit 1e7381f3617d14b3c11da80ff5f8a93ab14cfc46 upstream. + +Explicitly verify the target vCPU is fully online _prior_ to clamping the +index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will +generate '0', i.e. KVM will return vCPU0 instead of NULL. + +In practice, the bug is unlikely to cause problems, as it will only come +into play if userspace or the guest is buggy or misbehaving, e.g. KVM may +send interrupts to vCPU0 instead of dropping them on the floor. + +However, returning vCPU0 when it shouldn't exist per online_vcpus is +problematic now that KVM uses an xarray for the vCPUs array, as KVM needs +to insert into the xarray before publishing the vCPU to userspace (see +commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), +i.e. before vCPU creation is guaranteed to succeed. + +As a result, incorrectly providing access to vCPU0 will trigger a +use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() +bails out of vCPU creation due to an error and frees vCPU0. Commit +afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but +in doing so introduced an unsolvable teardown conundrum. Preventing +accesses to vCPU0 before it's fully online will allow reverting commit +afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race. + +Fixes: 1d487e9bf8ba ("KVM: fix spectrev1 gadgets") +Cc: stable@vger.kernel.org +Cc: Will Deacon +Cc: Michal Luczaj +Reviewed-by: Pankaj Gupta +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20241009150455.1057573-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -963,6 +963,15 @@ static inline struct kvm_io_bus *kvm_get + static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) + { + int num_vcpus = atomic_read(&kvm->online_vcpus); ++ ++ /* ++ * Explicitly verify the target vCPU is online, as the anti-speculation ++ * logic only limits the CPU's ability to speculate, e.g. given a "bad" ++ * index, clamping the index to 0 would return vCPU0, not NULL. ++ */ ++ if (i >= num_vcpus) ++ return NULL; ++ + i = array_index_nospec(i, num_vcpus); + + /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */ diff --git a/queue-6.13/kvm-nvmx-defer-svi-update-to-vmcs01-on-eoi-when-l2-is-active-w-o-vid.patch b/queue-6.13/kvm-nvmx-defer-svi-update-to-vmcs01-on-eoi-when-l2-is-active-w-o-vid.patch new file mode 100644 index 0000000000..df177159d3 --- /dev/null +++ b/queue-6.13/kvm-nvmx-defer-svi-update-to-vmcs01-on-eoi-when-l2-is-active-w-o-vid.patch @@ -0,0 +1,144 @@ +From 04bc93cf49d16d01753b95ddb5d4f230b809a991 Mon Sep 17 00:00:00 2001 +From: Chao Gao +Date: Wed, 27 Nov 2024 16:00:10 -0800 +Subject: KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chao Gao + +commit 04bc93cf49d16d01753b95ddb5d4f230b809a991 upstream. + +If KVM emulates an EOI for L1's virtual APIC while L2 is active, defer +updating GUEST_INTERUPT_STATUS.SVI, i.e. the VMCS's cache of the highest +in-service IRQ, until L1 is active, as vmcs01, not vmcs02, needs to track +vISR. The missed SVI update for vmcs01 can result in L1 interrupts being +incorrectly blocked, e.g. if there is a pending interrupt with lower +priority than the interrupt that was EOI'd. + +This bug only affects use cases where L1's vAPIC is effectively passed +through to L2, e.g. in a pKVM scenario where L2 is L1's depriveleged host, +as KVM will only emulate an EOI for L1's vAPIC if Virtual Interrupt +Delivery (VID) is disabled in vmc12, and L1 isn't intercepting L2 accesses +to its (virtual) APIC page (or if x2APIC is enabled, the EOI MSR). + +WARN() if KVM updates L1's ISR while L2 is active with VID enabled, as an +EOI from L2 is supposed to affect L2's vAPIC, but still defer the update, +to try to keep L1 alive. Specifically, KVM forwards all APICv-related +VM-Exits to L1 via nested_vmx_l1_wants_exit(): + + case EXIT_REASON_APIC_ACCESS: + case EXIT_REASON_APIC_WRITE: + case EXIT_REASON_EOI_INDUCED: + /* + * The controls for "virtualize APIC accesses," "APIC- + * register virtualization," and "virtual-interrupt + * delivery" only come from vmcs12. + */ + return true; + +Fixes: c7c9c56ca26f ("x86, apicv: add virtual interrupt delivery support") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/kvm/20230312180048.1778187-1-jason.cj.chen@intel.com +Reported-by: Markku Ahvenjärvi +Closes: https://lore.kernel.org/all/20240920080012.74405-1-mankku@gmail.com +Cc: Janne Karhunen +Signed-off-by: Chao Gao +[sean: drop request, handle in VMX, write changelog] +Tested-by: Chao Gao +Link: https://lore.kernel.org/r/20241128000010.4051275-3-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 11 +++++++++++ + arch/x86/kvm/lapic.h | 1 + + arch/x86/kvm/vmx/nested.c | 5 +++++ + arch/x86/kvm/vmx/vmx.c | 21 +++++++++++++++++++++ + arch/x86/kvm/vmx/vmx.h | 1 + + 5 files changed, 39 insertions(+) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -816,6 +816,17 @@ static inline void apic_clear_isr(int ve + } + } + ++void kvm_apic_update_hwapic_isr(struct kvm_vcpu *vcpu) ++{ ++ struct kvm_lapic *apic = vcpu->arch.apic; ++ ++ if (WARN_ON_ONCE(!lapic_in_kernel(vcpu)) || !apic->apicv_active) ++ return; ++ ++ kvm_x86_call(hwapic_isr_update)(vcpu, apic_find_highest_isr(apic)); ++} ++EXPORT_SYMBOL_GPL(kvm_apic_update_hwapic_isr); ++ + int kvm_lapic_find_highest_irr(struct kvm_vcpu *vcpu) + { + /* This may race with setting of irr in __apic_accept_irq() and +--- a/arch/x86/kvm/lapic.h ++++ b/arch/x86/kvm/lapic.h +@@ -118,6 +118,7 @@ void kvm_apic_send_ipi(struct kvm_lapic + int kvm_apic_set_base(struct kvm_vcpu *vcpu, u64 value, bool host_initiated); + int kvm_apic_get_state(struct kvm_vcpu *vcpu, struct kvm_lapic_state *s); + int kvm_apic_set_state(struct kvm_vcpu *vcpu, struct kvm_lapic_state *s); ++void kvm_apic_update_hwapic_isr(struct kvm_vcpu *vcpu); + int kvm_lapic_find_highest_irr(struct kvm_vcpu *vcpu); + + u64 kvm_get_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -5050,6 +5050,11 @@ void nested_vmx_vmexit(struct kvm_vcpu * + kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu); + } + ++ if (vmx->nested.update_vmcs01_hwapic_isr) { ++ vmx->nested.update_vmcs01_hwapic_isr = false; ++ kvm_apic_update_hwapic_isr(vcpu); ++ } ++ + if ((vm_exit_reason != -1) && + (enable_shadow_vmcs || nested_vmx_is_evmptr12_valid(vmx))) + vmx->nested.need_vmcs12_to_shadow_sync = true; +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -6867,6 +6867,27 @@ void vmx_hwapic_isr_update(struct kvm_vc + u16 status; + u8 old; + ++ /* ++ * If L2 is active, defer the SVI update until vmcs01 is loaded, as SVI ++ * is only relevant for if and only if Virtual Interrupt Delivery is ++ * enabled in vmcs12, and if VID is enabled then L2 EOIs affect L2's ++ * vAPIC, not L1's vAPIC. KVM must update vmcs01 on the next nested ++ * VM-Exit, otherwise L1 with run with a stale SVI. ++ */ ++ if (is_guest_mode(vcpu)) { ++ /* ++ * KVM is supposed to forward intercepted L2 EOIs to L1 if VID ++ * is enabled in vmcs12; as above, the EOIs affect L2's vAPIC. ++ * Note, userspace can stuff state while L2 is active; assert ++ * that VID is disabled if and only if the vCPU is in KVM_RUN ++ * to avoid false positives if userspace is setting APIC state. ++ */ ++ WARN_ON_ONCE(vcpu->wants_to_run && ++ nested_cpu_has_vid(get_vmcs12(vcpu))); ++ to_vmx(vcpu)->nested.update_vmcs01_hwapic_isr = true; ++ return; ++ } ++ + if (max_isr == -1) + max_isr = 0; + +--- a/arch/x86/kvm/vmx/vmx.h ++++ b/arch/x86/kvm/vmx/vmx.h +@@ -176,6 +176,7 @@ struct nested_vmx { + bool reload_vmcs01_apic_access_page; + bool update_vmcs01_cpu_dirty_logging; + bool update_vmcs01_apicv_status; ++ bool update_vmcs01_hwapic_isr; + + /* + * Enlightened VMCS has been enabled. It does not mean that L1 has to diff --git a/queue-6.13/kvm-s390-vsie-fix-some-corner-cases-when-grabbing-vsie-pages.patch b/queue-6.13/kvm-s390-vsie-fix-some-corner-cases-when-grabbing-vsie-pages.patch new file mode 100644 index 0000000000..8f3b0cb4cb --- /dev/null +++ b/queue-6.13/kvm-s390-vsie-fix-some-corner-cases-when-grabbing-vsie-pages.patch @@ -0,0 +1,106 @@ +From 5f230f41fdd9e799f43a699348dc572bca7159aa Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Tue, 7 Jan 2025 16:43:41 +0100 +Subject: KVM: s390: vsie: fix some corner-cases when grabbing vsie pages + +From: David Hildenbrand + +commit 5f230f41fdd9e799f43a699348dc572bca7159aa upstream. + +We try to reuse the same vsie page when re-executing the vsie with a +given SCB address. The result is that we use the same shadow SCB -- +residing in the vsie page -- and can avoid flushing the TLB when +re-running the vsie on a CPU. + +So, when we allocate a fresh vsie page, or when we reuse a vsie page for +a different SCB address -- reusing the shadow SCB in different context -- +we set ihcpu=0xffff to trigger the flush. + +However, after we looked up the SCB address in the radix tree, but before +we grabbed the vsie page by raising the refcount to 2, someone could reuse +the vsie page for a different SCB address, adjusting page->index and the +radix tree. In that case, we would be reusing the vsie page with a +wrong page->index. + +Another corner case is that we might set the SCB address for a vsie +page, but fail the insertion into the radix tree. Whoever would reuse +that page would remove the corresponding radix tree entry -- which might +now be a valid entry pointing at another page, resulting in the wrong +vsie page getting removed from the radix tree. + +Let's handle such races better, by validating that the SCB address of a +vsie page didn't change after we grabbed it (not reuse for a different +SCB; the alternative would be performing another tree lookup), and by +setting the SCB address to invalid until the insertion in the tree +succeeded (SCB addresses are aligned to 512, so ULONG_MAX is invalid). + +These scenarios are rare, the effects a bit unclear, and these issues were +only found by code inspection. Let's CC stable to be safe. + +Fixes: a3508fbe9dc6 ("KVM: s390: vsie: initial support for nested virtualization") +Cc: stable@vger.kernel.org +Signed-off-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Reviewed-by: Christoph Schlameuss +Tested-by: Christoph Schlameuss +Message-ID: <20250107154344.1003072-2-david@redhat.com> +Signed-off-by: Claudio Imbrenda +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/vsie.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -1362,8 +1362,14 @@ static struct vsie_page *get_vsie_page(s + page = radix_tree_lookup(&kvm->arch.vsie.addr_to_page, addr >> 9); + rcu_read_unlock(); + if (page) { +- if (page_ref_inc_return(page) == 2) +- return page_to_virt(page); ++ if (page_ref_inc_return(page) == 2) { ++ if (page->index == addr) ++ return page_to_virt(page); ++ /* ++ * We raced with someone reusing + putting this vsie ++ * page before we grabbed it. ++ */ ++ } + page_ref_dec(page); + } + +@@ -1393,15 +1399,20 @@ static struct vsie_page *get_vsie_page(s + kvm->arch.vsie.next++; + kvm->arch.vsie.next %= nr_vcpus; + } +- radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9); ++ if (page->index != ULONG_MAX) ++ radix_tree_delete(&kvm->arch.vsie.addr_to_page, ++ page->index >> 9); + } +- page->index = addr; +- /* double use of the same address */ ++ /* Mark it as invalid until it resides in the tree. */ ++ page->index = ULONG_MAX; ++ ++ /* Double use of the same address or allocation failure. */ + if (radix_tree_insert(&kvm->arch.vsie.addr_to_page, addr >> 9, page)) { + page_ref_dec(page); + mutex_unlock(&kvm->arch.vsie.mutex); + return NULL; + } ++ page->index = addr; + mutex_unlock(&kvm->arch.vsie.mutex); + + vsie_page = page_to_virt(page); +@@ -1496,7 +1507,9 @@ void kvm_s390_vsie_destroy(struct kvm *k + vsie_page = page_to_virt(page); + release_gmap_shadow(vsie_page); + /* free the radix tree entry */ +- radix_tree_delete(&kvm->arch.vsie.addr_to_page, page->index >> 9); ++ if (page->index != ULONG_MAX) ++ radix_tree_delete(&kvm->arch.vsie.addr_to_page, ++ page->index >> 9); + __free_page(page); + } + kvm->arch.vsie.page_count = 0; diff --git a/queue-6.13/leds-lp8860-write-full-eeprom-not-only-half-of-it.patch b/queue-6.13/leds-lp8860-write-full-eeprom-not-only-half-of-it.patch new file mode 100644 index 0000000000..f3e9c8340c --- /dev/null +++ b/queue-6.13/leds-lp8860-write-full-eeprom-not-only-half-of-it.patch @@ -0,0 +1,34 @@ +From 0d2e820a86793595e2a776855d04701109e46663 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Thu, 14 Nov 2024 11:13:59 +0100 +Subject: leds: lp8860: Write full EEPROM, not only half of it + +From: Alexander Sverdlin + +commit 0d2e820a86793595e2a776855d04701109e46663 upstream. + +I struggle to explain dividing an ARRAY_SIZE() by the size of an element +once again. As the latter equals to 2, only the half of EEPROM was ever +written. Drop the unexplainable division and write full ARRAY_SIZE(). + +Cc: stable@vger.kernel.org +Fixes: 7a8685accb95 ("leds: lp8860: Introduce TI lp8860 4 channel LED driver") +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20241114101402.2562878-1-alexander.sverdlin@siemens.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/leds-lp8860.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/leds/leds-lp8860.c ++++ b/drivers/leds/leds-lp8860.c +@@ -265,7 +265,7 @@ static int lp8860_init(struct lp8860_led + goto out; + } + +- reg_count = ARRAY_SIZE(lp8860_eeprom_disp_regs) / sizeof(lp8860_eeprom_disp_regs[0]); ++ reg_count = ARRAY_SIZE(lp8860_eeprom_disp_regs); + for (i = 0; i < reg_count; i++) { + ret = regmap_write(led->eeprom_regmap, + lp8860_eeprom_disp_regs[i].reg, diff --git a/queue-6.13/m68k-vga-fix-i-o-defines.patch b/queue-6.13/m68k-vga-fix-i-o-defines.patch new file mode 100644 index 0000000000..8180d27fe2 --- /dev/null +++ b/queue-6.13/m68k-vga-fix-i-o-defines.patch @@ -0,0 +1,83 @@ +From 53036937a101b5faeaf98e7438555fa854a1a844 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Tue, 7 Jan 2025 10:58:56 +0100 +Subject: m68k: vga: Fix I/O defines + +From: Thomas Zimmermann + +commit 53036937a101b5faeaf98e7438555fa854a1a844 upstream. + +Including m68k's in vga.h on nommu platforms results +in conflicting defines with io_no.h for various I/O macros from the +__raw_read and __raw_write families. An example error is + + In file included from arch/m68k/include/asm/vga.h:12, + from include/video/vga.h:22, + from include/linux/vgaarb.h:34, + from drivers/video/aperture.c:12: +>> arch/m68k/include/asm/raw_io.h:39: warning: "__raw_readb" redefined + 39 | #define __raw_readb in_8 + | + In file included from arch/m68k/include/asm/io.h:6, + from include/linux/io.h:13, + from include/linux/irq.h:20, + from include/asm-generic/hardirq.h:17, + from ./arch/m68k/include/generated/asm/hardirq.h:1, + from include/linux/hardirq.h:11, + from include/linux/interrupt.h:11, + from include/linux/trace_recursion.h:5, + from include/linux/ftrace.h:10, + from include/linux/kprobes.h:28, + from include/linux/kgdb.h:19, + from include/linux/fb.h:6, + from drivers/video/aperture.c:5: + arch/m68k/include/asm/io_no.h:16: note: this is the location of the previous definition + 16 | #define __raw_readb(addr) \ + | + +Include , which avoids raw_io.h on nommu platforms. +Also change the defined values of some of the read/write symbols in +vga.h to __raw_read/__raw_write as the raw_in/raw_out symbols are not +generally available. + +Signed-off-by: Thomas Zimmermann +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501071629.DNEswlm8-lkp@intel.com/ +Fixes: 5c3f968712ce ("m68k/video: Create ") +Cc: Geert Uytterhoeven +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: Helge Deller +Cc: stable@vger.kernel.org # v3.5+ +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250107095912.130530-1-tzimmermann@suse.de +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/include/asm/vga.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/m68k/include/asm/vga.h ++++ b/arch/m68k/include/asm/vga.h +@@ -9,7 +9,7 @@ + */ + #ifndef CONFIG_PCI + +-#include ++#include + #include + + /* +@@ -29,9 +29,9 @@ + #define inw_p(port) 0 + #define outb_p(port, val) do { } while (0) + #define outw(port, val) do { } while (0) +-#define readb raw_inb +-#define writeb raw_outb +-#define writew raw_outw ++#define readb __raw_readb ++#define writeb __raw_writeb ++#define writew __raw_writew + + #endif /* CONFIG_PCI */ + #endif /* _ASM_M68K_VGA_H */ diff --git a/queue-6.13/md-reintroduce-md-linear.patch b/queue-6.13/md-reintroduce-md-linear.patch new file mode 100644 index 0000000000..efdfab1b79 --- /dev/null +++ b/queue-6.13/md-reintroduce-md-linear.patch @@ -0,0 +1,499 @@ +From 127186cfb184eaccdfe948e6da66940cfa03efc5 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Thu, 2 Jan 2025 19:28:41 +0800 +Subject: md: reintroduce md-linear + +From: Yu Kuai + +commit 127186cfb184eaccdfe948e6da66940cfa03efc5 upstream. + +THe md-linear is removed by commit 849d18e27be9 ("md: Remove deprecated +CONFIG_MD_LINEAR") because it has been marked as deprecated for a long +time. + +However, md-linear is used widely for underlying disks with different size, +sadly we didn't know this until now, and it's true useful to create +partitions and assemble multiple raid and then append one to the other. + +People have to use dm-linear in this case now, however, they will prefer +to minimize the number of involved modules. + +Fixes: 849d18e27be9 ("md: Remove deprecated CONFIG_MD_LINEAR") +Cc: stable@vger.kernel.org +Signed-off-by: Yu Kuai +Acked-by: Coly Li +Acked-by: Mike Snitzer +Link: https://lore.kernel.org/r/20250102112841.1227111-1-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/Kconfig | 13 + + drivers/md/Makefile | 2 + drivers/md/md-autodetect.c | 8 + drivers/md/md-linear.c | 354 +++++++++++++++++++++++++++++++++++++++++ + drivers/md/md.c | 2 + include/uapi/linux/raid/md_p.h | 2 + include/uapi/linux/raid/md_u.h | 2 + 7 files changed, 379 insertions(+), 4 deletions(-) + create mode 100644 drivers/md/md-linear.c + +--- a/drivers/md/Kconfig ++++ b/drivers/md/Kconfig +@@ -61,6 +61,19 @@ config MD_BITMAP_FILE + various kernel APIs and can only work with files on a file system not + actually sitting on the MD device. + ++config MD_LINEAR ++ tristate "Linear (append) mode" ++ depends on BLK_DEV_MD ++ help ++ If you say Y here, then your multiple devices driver will be able to ++ use the so-called linear mode, i.e. it will combine the hard disk ++ partitions by simply appending one to the other. ++ ++ To compile this as a module, choose M here: the module ++ will be called linear. ++ ++ If unsure, say Y. ++ + config MD_RAID0 + tristate "RAID-0 (striping) mode" + depends on BLK_DEV_MD +--- a/drivers/md/Makefile ++++ b/drivers/md/Makefile +@@ -29,12 +29,14 @@ dm-zoned-y += dm-zoned-target.o dm-zoned + + md-mod-y += md.o md-bitmap.o + raid456-y += raid5.o raid5-cache.o raid5-ppl.o ++linear-y += md-linear.o + + # Note: link order is important. All raid personalities + # and must come before md.o, as they each initialise + # themselves, and md.o may use the personalities when it + # auto-initialised. + ++obj-$(CONFIG_MD_LINEAR) += linear.o + obj-$(CONFIG_MD_RAID0) += raid0.o + obj-$(CONFIG_MD_RAID1) += raid1.o + obj-$(CONFIG_MD_RAID10) += raid10.o +--- a/drivers/md/md-autodetect.c ++++ b/drivers/md/md-autodetect.c +@@ -49,6 +49,7 @@ static int md_setup_ents __initdata; + * instead of just one. -- KTK + * 18May2000: Added support for persistent-superblock arrays: + * md=n,0,factor,fault,device-list uses RAID0 for device n ++ * md=n,-1,factor,fault,device-list uses LINEAR for device n + * md=n,device-list reads a RAID superblock from the devices + * elements in device-list are read by name_to_kdev_t so can be + * a hex number or something like /dev/hda1 /dev/sdb +@@ -87,7 +88,7 @@ static int __init md_setup(char *str) + md_setup_ents++; + switch (get_option(&str, &level)) { /* RAID level */ + case 2: /* could be 0 or -1.. */ +- if (level == 0) { ++ if (level == 0 || level == LEVEL_LINEAR) { + if (get_option(&str, &factor) != 2 || /* Chunk Size */ + get_option(&str, &fault) != 2) { + printk(KERN_WARNING "md: Too few arguments supplied to md=.\n"); +@@ -95,7 +96,10 @@ static int __init md_setup(char *str) + } + md_setup_args[ent].level = level; + md_setup_args[ent].chunk = 1 << (factor+12); +- pername = "raid0"; ++ if (level == LEVEL_LINEAR) ++ pername = "linear"; ++ else ++ pername = "raid0"; + break; + } + fallthrough; +--- /dev/null ++++ b/drivers/md/md-linear.c +@@ -0,0 +1,354 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++/* ++ * linear.c : Multiple Devices driver for Linux Copyright (C) 1994-96 Marc ++ * ZYNGIER or ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "md.h" ++ ++struct dev_info { ++ struct md_rdev *rdev; ++ sector_t end_sector; ++}; ++ ++struct linear_conf { ++ struct rcu_head rcu; ++ sector_t array_sectors; ++ /* a copy of mddev->raid_disks */ ++ int raid_disks; ++ struct dev_info disks[] __counted_by(raid_disks); ++}; ++ ++/* ++ * find which device holds a particular offset ++ */ ++static inline struct dev_info *which_dev(struct mddev *mddev, sector_t sector) ++{ ++ int lo, mid, hi; ++ struct linear_conf *conf; ++ ++ lo = 0; ++ hi = mddev->raid_disks - 1; ++ conf = mddev->private; ++ ++ /* ++ * Binary Search ++ */ ++ ++ while (hi > lo) { ++ ++ mid = (hi + lo) / 2; ++ if (sector < conf->disks[mid].end_sector) ++ hi = mid; ++ else ++ lo = mid + 1; ++ } ++ ++ return conf->disks + lo; ++} ++ ++static sector_t linear_size(struct mddev *mddev, sector_t sectors, int raid_disks) ++{ ++ struct linear_conf *conf; ++ sector_t array_sectors; ++ ++ conf = mddev->private; ++ WARN_ONCE(sectors || raid_disks, ++ "%s does not support generic reshape\n", __func__); ++ array_sectors = conf->array_sectors; ++ ++ return array_sectors; ++} ++ ++static int linear_set_limits(struct mddev *mddev) ++{ ++ struct queue_limits lim; ++ int err; ++ ++ md_init_stacking_limits(&lim); ++ lim.max_hw_sectors = mddev->chunk_sectors; ++ lim.max_write_zeroes_sectors = mddev->chunk_sectors; ++ lim.io_min = mddev->chunk_sectors << 9; ++ err = mddev_stack_rdev_limits(mddev, &lim, MDDEV_STACK_INTEGRITY); ++ if (err) { ++ queue_limits_cancel_update(mddev->gendisk->queue); ++ return err; ++ } ++ ++ return queue_limits_set(mddev->gendisk->queue, &lim); ++} ++ ++static struct linear_conf *linear_conf(struct mddev *mddev, int raid_disks) ++{ ++ struct linear_conf *conf; ++ struct md_rdev *rdev; ++ int ret = -EINVAL; ++ int cnt; ++ int i; ++ ++ conf = kzalloc(struct_size(conf, disks, raid_disks), GFP_KERNEL); ++ if (!conf) ++ return ERR_PTR(-ENOMEM); ++ ++ /* ++ * conf->raid_disks is copy of mddev->raid_disks. The reason to ++ * keep a copy of mddev->raid_disks in struct linear_conf is, ++ * mddev->raid_disks may not be consistent with pointers number of ++ * conf->disks[] when it is updated in linear_add() and used to ++ * iterate old conf->disks[] earray in linear_congested(). ++ * Here conf->raid_disks is always consitent with number of ++ * pointers in conf->disks[] array, and mddev->private is updated ++ * with rcu_assign_pointer() in linear_addr(), such race can be ++ * avoided. ++ */ ++ conf->raid_disks = raid_disks; ++ ++ cnt = 0; ++ conf->array_sectors = 0; ++ ++ rdev_for_each(rdev, mddev) { ++ int j = rdev->raid_disk; ++ struct dev_info *disk = conf->disks + j; ++ sector_t sectors; ++ ++ if (j < 0 || j >= raid_disks || disk->rdev) { ++ pr_warn("md/linear:%s: disk numbering problem. Aborting!\n", ++ mdname(mddev)); ++ goto out; ++ } ++ ++ disk->rdev = rdev; ++ if (mddev->chunk_sectors) { ++ sectors = rdev->sectors; ++ sector_div(sectors, mddev->chunk_sectors); ++ rdev->sectors = sectors * mddev->chunk_sectors; ++ } ++ ++ conf->array_sectors += rdev->sectors; ++ cnt++; ++ } ++ if (cnt != raid_disks) { ++ pr_warn("md/linear:%s: not enough drives present. Aborting!\n", ++ mdname(mddev)); ++ goto out; ++ } ++ ++ /* ++ * Here we calculate the device offsets. ++ */ ++ conf->disks[0].end_sector = conf->disks[0].rdev->sectors; ++ ++ for (i = 1; i < raid_disks; i++) ++ conf->disks[i].end_sector = ++ conf->disks[i-1].end_sector + ++ conf->disks[i].rdev->sectors; ++ ++ if (!mddev_is_dm(mddev)) { ++ ret = linear_set_limits(mddev); ++ if (ret) ++ goto out; ++ } ++ ++ return conf; ++ ++out: ++ kfree(conf); ++ return ERR_PTR(ret); ++} ++ ++static int linear_run(struct mddev *mddev) ++{ ++ struct linear_conf *conf; ++ int ret; ++ ++ if (md_check_no_bitmap(mddev)) ++ return -EINVAL; ++ ++ conf = linear_conf(mddev, mddev->raid_disks); ++ if (IS_ERR(conf)) ++ return PTR_ERR(conf); ++ ++ mddev->private = conf; ++ md_set_array_sectors(mddev, linear_size(mddev, 0, 0)); ++ ++ ret = md_integrity_register(mddev); ++ if (ret) { ++ kfree(conf); ++ mddev->private = NULL; ++ } ++ return ret; ++} ++ ++static int linear_add(struct mddev *mddev, struct md_rdev *rdev) ++{ ++ /* Adding a drive to a linear array allows the array to grow. ++ * It is permitted if the new drive has a matching superblock ++ * already on it, with raid_disk equal to raid_disks. ++ * It is achieved by creating a new linear_private_data structure ++ * and swapping it in in-place of the current one. ++ * The current one is never freed until the array is stopped. ++ * This avoids races. ++ */ ++ struct linear_conf *newconf, *oldconf; ++ ++ if (rdev->saved_raid_disk != mddev->raid_disks) ++ return -EINVAL; ++ ++ rdev->raid_disk = rdev->saved_raid_disk; ++ rdev->saved_raid_disk = -1; ++ ++ newconf = linear_conf(mddev, mddev->raid_disks + 1); ++ if (!newconf) ++ return -ENOMEM; ++ ++ /* newconf->raid_disks already keeps a copy of * the increased ++ * value of mddev->raid_disks, WARN_ONCE() is just used to make ++ * sure of this. It is possible that oldconf is still referenced ++ * in linear_congested(), therefore kfree_rcu() is used to free ++ * oldconf until no one uses it anymore. ++ */ ++ oldconf = rcu_dereference_protected(mddev->private, ++ lockdep_is_held(&mddev->reconfig_mutex)); ++ mddev->raid_disks++; ++ WARN_ONCE(mddev->raid_disks != newconf->raid_disks, ++ "copied raid_disks doesn't match mddev->raid_disks"); ++ rcu_assign_pointer(mddev->private, newconf); ++ md_set_array_sectors(mddev, linear_size(mddev, 0, 0)); ++ set_capacity_and_notify(mddev->gendisk, mddev->array_sectors); ++ kfree_rcu(oldconf, rcu); ++ return 0; ++} ++ ++static void linear_free(struct mddev *mddev, void *priv) ++{ ++ struct linear_conf *conf = priv; ++ ++ kfree(conf); ++} ++ ++static bool linear_make_request(struct mddev *mddev, struct bio *bio) ++{ ++ struct dev_info *tmp_dev; ++ sector_t start_sector, end_sector, data_offset; ++ sector_t bio_sector = bio->bi_iter.bi_sector; ++ ++ if (unlikely(bio->bi_opf & REQ_PREFLUSH) ++ && md_flush_request(mddev, bio)) ++ return true; ++ ++ tmp_dev = which_dev(mddev, bio_sector); ++ start_sector = tmp_dev->end_sector - tmp_dev->rdev->sectors; ++ end_sector = tmp_dev->end_sector; ++ data_offset = tmp_dev->rdev->data_offset; ++ ++ if (unlikely(bio_sector >= end_sector || ++ bio_sector < start_sector)) ++ goto out_of_bounds; ++ ++ if (unlikely(is_rdev_broken(tmp_dev->rdev))) { ++ md_error(mddev, tmp_dev->rdev); ++ bio_io_error(bio); ++ return true; ++ } ++ ++ if (unlikely(bio_end_sector(bio) > end_sector)) { ++ /* This bio crosses a device boundary, so we have to split it */ ++ struct bio *split = bio_split(bio, end_sector - bio_sector, ++ GFP_NOIO, &mddev->bio_set); ++ ++ if (IS_ERR(split)) { ++ bio->bi_status = errno_to_blk_status(PTR_ERR(split)); ++ bio_endio(bio); ++ return true; ++ } ++ ++ bio_chain(split, bio); ++ submit_bio_noacct(bio); ++ bio = split; ++ } ++ ++ md_account_bio(mddev, &bio); ++ bio_set_dev(bio, tmp_dev->rdev->bdev); ++ bio->bi_iter.bi_sector = bio->bi_iter.bi_sector - ++ start_sector + data_offset; ++ ++ if (unlikely((bio_op(bio) == REQ_OP_DISCARD) && ++ !bdev_max_discard_sectors(bio->bi_bdev))) { ++ /* Just ignore it */ ++ bio_endio(bio); ++ } else { ++ if (mddev->gendisk) ++ trace_block_bio_remap(bio, disk_devt(mddev->gendisk), ++ bio_sector); ++ mddev_check_write_zeroes(mddev, bio); ++ submit_bio_noacct(bio); ++ } ++ return true; ++ ++out_of_bounds: ++ pr_err("md/linear:%s: make_request: Sector %llu out of bounds on dev %pg: %llu sectors, offset %llu\n", ++ mdname(mddev), ++ (unsigned long long)bio->bi_iter.bi_sector, ++ tmp_dev->rdev->bdev, ++ (unsigned long long)tmp_dev->rdev->sectors, ++ (unsigned long long)start_sector); ++ bio_io_error(bio); ++ return true; ++} ++ ++static void linear_status(struct seq_file *seq, struct mddev *mddev) ++{ ++ seq_printf(seq, " %dk rounding", mddev->chunk_sectors / 2); ++} ++ ++static void linear_error(struct mddev *mddev, struct md_rdev *rdev) ++{ ++ if (!test_and_set_bit(MD_BROKEN, &mddev->flags)) { ++ char *md_name = mdname(mddev); ++ ++ pr_crit("md/linear%s: Disk failure on %pg detected, failing array.\n", ++ md_name, rdev->bdev); ++ } ++} ++ ++static void linear_quiesce(struct mddev *mddev, int state) ++{ ++} ++ ++static struct md_personality linear_personality = { ++ .name = "linear", ++ .level = LEVEL_LINEAR, ++ .owner = THIS_MODULE, ++ .make_request = linear_make_request, ++ .run = linear_run, ++ .free = linear_free, ++ .status = linear_status, ++ .hot_add_disk = linear_add, ++ .size = linear_size, ++ .quiesce = linear_quiesce, ++ .error_handler = linear_error, ++}; ++ ++static int __init linear_init(void) ++{ ++ return register_md_personality(&linear_personality); ++} ++ ++static void linear_exit(void) ++{ ++ unregister_md_personality(&linear_personality); ++} ++ ++module_init(linear_init); ++module_exit(linear_exit); ++MODULE_LICENSE("GPL"); ++MODULE_DESCRIPTION("Linear device concatenation personality for MD (deprecated)"); ++MODULE_ALIAS("md-personality-1"); /* LINEAR - deprecated*/ ++MODULE_ALIAS("md-linear"); ++MODULE_ALIAS("md-level--1"); +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8124,7 +8124,7 @@ void md_error(struct mddev *mddev, struc + return; + mddev->pers->error_handler(mddev, rdev); + +- if (mddev->pers->level == 0) ++ if (mddev->pers->level == 0 || mddev->pers->level == LEVEL_LINEAR) + return; + + if (mddev->degraded && !test_bit(MD_BROKEN, &mddev->flags)) +--- a/include/uapi/linux/raid/md_p.h ++++ b/include/uapi/linux/raid/md_p.h +@@ -233,7 +233,7 @@ struct mdp_superblock_1 { + char set_name[32]; /* set and interpreted by user-space */ + + __le64 ctime; /* lo 40 bits are seconds, top 24 are microseconds or 0*/ +- __le32 level; /* 0,1,4,5 */ ++ __le32 level; /* 0,1,4,5, -1 (linear) */ + __le32 layout; /* only for raid5 and raid10 currently */ + __le64 size; /* used size of component devices, in 512byte sectors */ + +--- a/include/uapi/linux/raid/md_u.h ++++ b/include/uapi/linux/raid/md_u.h +@@ -103,6 +103,8 @@ typedef struct mdu_array_info_s { + + } mdu_array_info_t; + ++#define LEVEL_LINEAR (-1) ++ + /* we need a value for 'no level specified' and 0 + * means 'raid0', so we need something else. This is + * for internal use only diff --git a/queue-6.13/media-i2c-ds90ub960-fix-ub9702-refclk-register-access.patch b/queue-6.13/media-i2c-ds90ub960-fix-ub9702-refclk-register-access.patch new file mode 100644 index 0000000000..66c480bdbc --- /dev/null +++ b/queue-6.13/media-i2c-ds90ub960-fix-ub9702-refclk-register-access.patch @@ -0,0 +1,49 @@ +From ba3bdb93947c90f098061de1fb2458e2ca040093 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Fri, 6 Dec 2024 10:26:38 +0200 +Subject: media: i2c: ds90ub960: Fix UB9702 refclk register access + +From: Tomi Valkeinen + +commit ba3bdb93947c90f098061de1fb2458e2ca040093 upstream. + +UB9702 has the refclk freq register at a different offset than UB960, +but the code uses the UB960's offset for both chips. Fix this. + +The refclk freq is only used for a debug print, so there's no functional +change here. + +Cc: stable@vger.kernel.org +Fixes: afe267f2d368 ("media: i2c: add DS90UB960 driver") +Reviewed-by: Jai Luthra +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ds90ub960.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/ds90ub960.c ++++ b/drivers/media/i2c/ds90ub960.c +@@ -351,6 +351,8 @@ + + #define UB960_SR_I2C_RX_ID(n) (0xf8 + (n)) /* < UB960_FPD_RX_NPORTS */ + ++#define UB9702_SR_REFCLK_FREQ 0x3d ++ + /* Indirect register blocks */ + #define UB960_IND_TARGET_PAT_GEN 0x00 + #define UB960_IND_TARGET_RX_ANA(n) (0x01 + (n)) +@@ -3834,7 +3836,10 @@ static int ub960_enable_core_hw(struct u + if (ret) + goto err_pd_gpio; + +- ret = ub960_read(priv, UB960_XR_REFCLK_FREQ, &refclk_freq); ++ if (priv->hw_data->is_ub9702) ++ ret = ub960_read(priv, UB9702_SR_REFCLK_FREQ, &refclk_freq); ++ else ++ ret = ub960_read(priv, UB960_XR_REFCLK_FREQ, &refclk_freq); + if (ret) + goto err_pd_gpio; + diff --git a/queue-6.13/perf-imx9_perf-introduce-axi-filter-version-to-refactor-the-driver-and-better-extension.patch b/queue-6.13/perf-imx9_perf-introduce-axi-filter-version-to-refactor-the-driver-and-better-extension.patch new file mode 100644 index 0000000000..297ae0c01c --- /dev/null +++ b/queue-6.13/perf-imx9_perf-introduce-axi-filter-version-to-refactor-the-driver-and-better-extension.patch @@ -0,0 +1,127 @@ +From f3edf03a4c59e59e52c0c1fd958f64a76a038302 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Thu, 12 Dec 2024 14:57:08 +0800 +Subject: perf: imx9_perf: Introduce AXI filter version to refactor the driver and better extension + +From: Xu Yang + +commit f3edf03a4c59e59e52c0c1fd958f64a76a038302 upstream. + +The imx93 is the first supported DDR PMU that supports read transaction, +write transaction and read beats events which corresponding respecitively +to counter 2, 3 and 4. + +However, transaction-based AXI match has low accuracy when get total bits +compared to beats-based. And imx93 doesn't assign AXI_ID to each master. +So axi filter is not used widely on imx93. This could be regards as AXI +filter version 1. + +To improve the AXI filter capability, imx95 supports 1 read beats and 3 +write beats event which corresponding respecitively to counter 2-5. imx95 +also detailed AXI_ID allocation so that most of the master could be count +individually. This could be regards as AXI filter version 2. + +This will introduce AXI filter version to refactor the driver and support +better extension, such as coming imx943. This is also a potential fix on +imx91 when configure axi filter. + +Fixes: 44798fe136dc ("perf: imx_perf: add support for i.MX91 platform") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Signed-off-by: Xu Yang +Link: https://lore.kernel.org/r/20241212065708.1353513-1-xu.yang_2@nxp.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + drivers/perf/fsl_imx9_ddr_perf.c | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/drivers/perf/fsl_imx9_ddr_perf.c ++++ b/drivers/perf/fsl_imx9_ddr_perf.c +@@ -63,8 +63,21 @@ + + static DEFINE_IDA(ddr_ida); + ++/* ++ * V1 support 1 read transaction, 1 write transaction and 1 read beats ++ * event which corresponding respecitively to counter 2, 3 and 4. ++ */ ++#define DDR_PERF_AXI_FILTER_V1 0x1 ++ ++/* ++ * V2 support 1 read beats and 3 write beats events which corresponding ++ * respecitively to counter 2-5. ++ */ ++#define DDR_PERF_AXI_FILTER_V2 0x2 ++ + struct imx_ddr_devtype_data { + const char *identifier; /* system PMU identifier for userspace */ ++ unsigned int filter_ver; /* AXI filter version */ + }; + + struct ddr_pmu { +@@ -83,24 +96,27 @@ struct ddr_pmu { + + static const struct imx_ddr_devtype_data imx91_devtype_data = { + .identifier = "imx91", ++ .filter_ver = DDR_PERF_AXI_FILTER_V1 + }; + + static const struct imx_ddr_devtype_data imx93_devtype_data = { + .identifier = "imx93", ++ .filter_ver = DDR_PERF_AXI_FILTER_V1 + }; + + static const struct imx_ddr_devtype_data imx95_devtype_data = { + .identifier = "imx95", ++ .filter_ver = DDR_PERF_AXI_FILTER_V2 + }; + +-static inline bool is_imx93(struct ddr_pmu *pmu) ++static inline bool axi_filter_v1(struct ddr_pmu *pmu) + { +- return pmu->devtype_data == &imx93_devtype_data; ++ return pmu->devtype_data->filter_ver == DDR_PERF_AXI_FILTER_V1; + } + +-static inline bool is_imx95(struct ddr_pmu *pmu) ++static inline bool axi_filter_v2(struct ddr_pmu *pmu) + { +- return pmu->devtype_data == &imx95_devtype_data; ++ return pmu->devtype_data->filter_ver == DDR_PERF_AXI_FILTER_V2; + } + + static const struct of_device_id imx_ddr_pmu_dt_ids[] = { +@@ -155,7 +171,7 @@ static const struct attribute_group ddr_ + struct imx9_pmu_events_attr { + struct device_attribute attr; + u64 id; +- const void *devtype_data; ++ const struct imx_ddr_devtype_data *devtype_data; + }; + + static ssize_t ddr_pmu_event_show(struct device *dev, +@@ -307,7 +323,8 @@ ddr_perf_events_attrs_is_visible(struct + if (!eattr->devtype_data) + return attr->mode; + +- if (eattr->devtype_data != ddr_pmu->devtype_data) ++ if (eattr->devtype_data != ddr_pmu->devtype_data && ++ eattr->devtype_data->filter_ver != ddr_pmu->devtype_data->filter_ver) + return 0; + + return attr->mode; +@@ -624,11 +641,11 @@ static int ddr_perf_event_add(struct per + hwc->idx = counter; + hwc->state |= PERF_HES_STOPPED; + +- if (is_imx93(pmu)) ++ if (axi_filter_v1(pmu)) + /* read trans, write trans, read beat */ + imx93_ddr_perf_monitor_config(pmu, event_id, counter, cfg1, cfg2); + +- if (is_imx95(pmu)) ++ if (axi_filter_v2(pmu)) + /* write beat, read beat2, read beat1, read beat */ + imx95_ddr_perf_monitor_config(pmu, event_id, counter, cfg1, cfg2); + diff --git a/queue-6.13/remoteproc-omap-handle-arm-dma_iommu_mapping.patch b/queue-6.13/remoteproc-omap-handle-arm-dma_iommu_mapping.patch new file mode 100644 index 0000000000..a5fd658f3b --- /dev/null +++ b/queue-6.13/remoteproc-omap-handle-arm-dma_iommu_mapping.patch @@ -0,0 +1,59 @@ +From 1dc7c8ed7cb378dd3974387692dfa833aee718d4 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Mon, 28 Oct 2024 17:58:35 +0000 +Subject: remoteproc: omap: Handle ARM dma_iommu_mapping + +From: Robin Murphy + +commit 1dc7c8ed7cb378dd3974387692dfa833aee718d4 upstream. + +It's no longer practical for the OMAP IOMMU driver to trick +arm_setup_iommu_dma_ops() into ignoring its presence, so let's use the +same tactic as other IOMMU API users on 32-bit ARM and explicitly kick +the arch code's dma_iommu_mapping out of the way to avoid problems. + +Fixes: 4720287c7bf7 ("iommu: Remove struct iommu_ops *iommu from arch_setup_dma_ops()") +Signed-off-by: Robin Murphy +Tested-by: Beleswar Padhi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/6186e311cb6f64a787f87fd41e49a73f409b789c.1730136799.git.robin.murphy@arm.com +[Fixed changelog title] +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/omap_remoteproc.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/remoteproc/omap_remoteproc.c ++++ b/drivers/remoteproc/omap_remoteproc.c +@@ -37,6 +37,10 @@ + + #include + ++#ifdef CONFIG_ARM_DMA_USE_IOMMU ++#include ++#endif ++ + #include "omap_remoteproc.h" + #include "remoteproc_internal.h" + +@@ -1323,6 +1327,19 @@ static int omap_rproc_probe(struct platf + /* All existing OMAP IPU and DSP processors have an MMU */ + rproc->has_iommu = true; + ++#ifdef CONFIG_ARM_DMA_USE_IOMMU ++ /* ++ * Throw away the ARM DMA mapping that we'll never use, so it doesn't ++ * interfere with the core rproc->domain and we get the right DMA ops. ++ */ ++ if (pdev->dev.archdata.mapping) { ++ struct dma_iommu_mapping *mapping = to_dma_iommu_mapping(&pdev->dev); ++ ++ arm_iommu_detach_device(&pdev->dev); ++ arm_iommu_release_mapping(mapping); ++ } ++#endif ++ + ret = omap_rproc_of_get_internal_memories(pdev, rproc); + if (ret) + return ret; diff --git a/queue-6.13/revert-drm-amd-display-use-hw-lock-mgr-for-psr1.patch b/queue-6.13/revert-drm-amd-display-use-hw-lock-mgr-for-psr1.patch new file mode 100644 index 0000000000..2a0fb20a53 --- /dev/null +++ b/queue-6.13/revert-drm-amd-display-use-hw-lock-mgr-for-psr1.patch @@ -0,0 +1,34 @@ +From f245b400a223a71d6d5f4c72a2cb9b573a7fc2b6 Mon Sep 17 00:00:00 2001 +From: Tom Chung +Date: Tue, 4 Feb 2025 15:07:44 +0800 +Subject: Revert "drm/amd/display: Use HW lock mgr for PSR1" + +From: Tom Chung + +commit f245b400a223a71d6d5f4c72a2cb9b573a7fc2b6 upstream. + +This reverts commit +a2b5a9956269 ("drm/amd/display: Use HW lock mgr for PSR1") + +Because it may cause system hang while connect with two edp panel. + +Acked-by: Wayne Lin +Signed-off-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +@@ -63,8 +63,7 @@ void dmub_hw_lock_mgr_inbox0_cmd(struct + + bool should_use_dmub_lock(struct dc_link *link) + { +- if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1 || +- link->psr_settings.psr_version == DC_PSR_VERSION_1) ++ if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) + return true; + + if (link->replay_settings.replay_feature_enabled) diff --git a/queue-6.13/s390-futex-fix-futex_op_andn-implementation.patch b/queue-6.13/s390-futex-fix-futex_op_andn-implementation.patch new file mode 100644 index 0000000000..4dd5733ce4 --- /dev/null +++ b/queue-6.13/s390-futex-fix-futex_op_andn-implementation.patch @@ -0,0 +1,40 @@ +From 26701574cee6777f867f89b4a5c667817e1ee0dd Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Tue, 7 Jan 2025 11:28:58 +0100 +Subject: s390/futex: Fix FUTEX_OP_ANDN implementation + +From: Heiko Carstens + +commit 26701574cee6777f867f89b4a5c667817e1ee0dd upstream. + +The futex operation FUTEX_OP_ANDN is supposed to implement + +*(int *)UADDR2 &= ~OPARG; + +The s390 implementation just implements an AND instead of ANDN. +Add the missing bitwise not operation to oparg to fix this. + +This is broken since nearly 19 years, so it looks like user space is +not making use of this operation. + +Fixes: 3363fbdd6fb4 ("[PATCH] s390: futex atomic operations") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Carstens +Acked-by: Alexander Gordeev +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/futex.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/futex.h ++++ b/arch/s390/include/asm/futex.h +@@ -44,7 +44,7 @@ static inline int arch_futex_atomic_op_i + break; + case FUTEX_OP_ANDN: + __futex_atomic_op("lr %2,%1\nnr %2,%5\n", +- ret, oldval, newval, uaddr, oparg); ++ ret, oldval, newval, uaddr, ~oparg); + break; + case FUTEX_OP_XOR: + __futex_atomic_op("lr %2,%1\nxr %2,%5\n", diff --git a/queue-6.13/series b/queue-6.13/series index a537c62931..d4db5d6e46 100644 --- a/queue-6.13/series +++ b/queue-6.13/series @@ -139,3 +139,70 @@ tun-revert-fix-group-permission-check.patch net-sched-fix-truncation-of-offloaded-action-statist.patch rxrpc-fix-call-state-set-to-not-include-the-server_s.patch pci-tph-restore-tph-requester-enable-correctly.patch +cpufreq-fix-using-cpufreq-dt-as-module.patch +cpufreq-s3c64xx-fix-compilation-warning.patch +leds-lp8860-write-full-eeprom-not-only-half-of-it.patch +alsa-hda-realtek-enable-mute-led-on-hp-laptop-14s-fq1xxx.patch +cifs-remove-intermediate-object-of-failed-create-sfu-call.patch +drm-modeset-handle-tiled-displays-in-pan_display_atomic.patch +drm-client-handle-tiled-displays-better.patch +smb-client-fix-order-of-arguments-of-tracepoints.patch +smb-client-change-lease-epoch-type-from-unsigned-int-to-__u16.patch +md-reintroduce-md-linear.patch +s390-futex-fix-futex_op_andn-implementation.patch +arm64-filter-out-sve-hwcaps-when-feat_sve-isn-t-implemented.patch +m68k-vga-fix-i-o-defines.patch +fs-proc-do_task_stat-fix-esp-not-readable-during-coredump.patch +block-mark-gfp_noio-around-sysfs-store.patch +binfmt_flat-fix-integer-overflow-bug-on-32-bit-systems.patch +perf-imx9_perf-introduce-axi-filter-version-to-refactor-the-driver-and-better-extension.patch +accel-ivpu-fix-qemu-crash-when-running-in-passthrough.patch +arm64-kvm-configure-hyp-tcr.ps-ds-based-on-host-stage1.patch +arm64-mm-override-parange-for-lpa2-and-use-it-consistently.patch +arm64-sme-move-storage-of-reg_smidr-to-__cpuinfo_store_cpu.patch +arm64-mm-reduce-pa-space-to-48-bits-when-lpa2-is-not-enabled.patch +kvm-arm64-timer-always-evaluate-the-need-for-a-soft-timer.patch +drm-rockchip-cdn-dp-use-drm_connector_helper_hpd_irq_event.patch +arm64-dts-rockchip-increase-gmac-rx_delay-on-rk3399-puma.patch +remoteproc-omap-handle-arm-dma_iommu_mapping.patch +kvm-nvmx-defer-svi-update-to-vmcs01-on-eoi-when-l2-is-active-w-o-vid.patch +kvm-explicitly-verify-target-vcpu-is-online-in-kvm_get_vcpu.patch +kvm-defer-huge-page-recovery-vhost-task-to-later.patch +kvm-s390-vsie-fix-some-corner-cases-when-grabbing-vsie-pages.patch +ksmbd-fix-integer-overflows-on-32-bit-systems.patch +drm-amd-display-optimize-cursor-position-updates.patch +drm-amd-pm-mark-mm-activity-as-unsupported.patch +drm-amd-amdgpu-change-the-config-of-cgcg-on-gfx12.patch +drm-amdkfd-only-flush-the-validate-mes-contex.patch +drm-amdkfd-block-per-queue-reset-when-halt_if_hws_hang-1.patch +revert-drm-amd-display-use-hw-lock-mgr-for-psr1.patch +drm-i915-guc-debug-print-lrc-state-entries-only-if-the-context-is-pinned.patch +drm-i915-fix-page-cleanup-on-dma-remap-failure.patch +drm-ast-astdp-fix-timeout-for-enabling-video-signal.patch +drm-komeda-add-check-for-komeda_get_layer_fourcc_list.patch +drm-xe-devcoredump-move-exec-queue-snapshot-to-contexts-section.patch +drm-i915-dp-iterate-dsc-bpp-from-high-to-low-on-all-platforms.patch +drm-i915-drop-64bpp-yuv-formats-from-icl-sdr-planes.patch +drm-amdgpu-add-a-bo-metadata-flag-to-disable-write-compression-for-vulkan.patch +drm-amd-display-fix-seamless-boot-sequence.patch +drm-xe-fix-and-re-enable-xe_print_blob_ascii85.patch +bluetooth-l2cap-handle-null-sock-pointer-in-l2cap_sock_alloc.patch +bluetooth-l2cap-accept-zero-as-a-special-value-for-mtu-auto-selection.patch +keys-trusted-dcp-fix-improper-sg-use-with-config_vmap_stack-y.patch +input-synaptics-fix-crash-when-enabling-pass-through-port.patch +clk-sunxi-ng-a100-enable-mmc-clock-reparenting.patch +clk-mmp2-call-pm_genpd_init-only-after-genpd.name-is-set.patch +media-i2c-ds90ub960-fix-ub9702-refclk-register-access.patch +clk-clk-loongson2-fix-the-number-count-of-clk-provider.patch +clk-qcom-clk-alpha-pll-fix-alpha-mode-configuration.patch +clk-qcom-gcc-sm8550-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch +clk-qcom-gcc-sm8650-do-not-turn-off-pcie-gdscs-during-gdsc_disable.patch +clk-qcom-gcc-sm6350-add-missing-parent_map-for-two-clocks.patch +clk-qcom-dispcc-sm6350-add-missing-parent_map-for-a-clock.patch +clk-qcom-gcc-mdm9607-fix-cmd_rcgr-offset-for-blsp1_uart6-rcg.patch +clk-qcom-clk-rpmh-prevent-integer-overflow-in-recalc_rate.patch +clk-mediatek-mt2701-vdec-fix-conversion-to-mtk_clk_simple_probe.patch +clk-mediatek-mt2701-aud-fix-conversion-to-mtk_clk_simple_probe.patch +clk-mediatek-mt2701-bdp-add-missing-dummy-clk.patch +clk-mediatek-mt2701-img-add-missing-dummy-clk.patch +clk-mediatek-mt2701-mm-add-missing-dummy-clk.patch diff --git a/queue-6.13/smb-client-change-lease-epoch-type-from-unsigned-int-to-__u16.patch b/queue-6.13/smb-client-change-lease-epoch-type-from-unsigned-int-to-__u16.patch new file mode 100644 index 0000000000..c58224d696 --- /dev/null +++ b/queue-6.13/smb-client-change-lease-epoch-type-from-unsigned-int-to-__u16.patch @@ -0,0 +1,189 @@ +From 57e4a9bd61c308f607bc3e55e8fa02257b06b552 Mon Sep 17 00:00:00 2001 +From: Meetakshi Setiya +Date: Thu, 6 Feb 2025 01:50:41 -0500 +Subject: smb: client: change lease epoch type from unsigned int to __u16 + +From: Meetakshi Setiya + +commit 57e4a9bd61c308f607bc3e55e8fa02257b06b552 upstream. + +MS-SMB2 section 2.2.13.2.10 specifies that 'epoch' should be a 16-bit +unsigned integer used to track lease state changes. Change the data +type of all instances of 'epoch' from unsigned int to __u16. This +simplifies the epoch change comparisons and makes the code more +compliant with the protocol spec. + +Cc: stable@vger.kernel.org +Signed-off-by: Meetakshi Setiya +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsglob.h | 14 +++++++------- + fs/smb/client/smb1ops.c | 2 +- + fs/smb/client/smb2ops.c | 18 +++++++++--------- + fs/smb/client/smb2pdu.c | 2 +- + fs/smb/client/smb2proto.h | 2 +- + 5 files changed, 19 insertions(+), 19 deletions(-) + +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -326,7 +326,7 @@ struct smb_version_operations { + int (*handle_cancelled_mid)(struct mid_q_entry *, struct TCP_Server_Info *); + void (*downgrade_oplock)(struct TCP_Server_Info *server, + struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache); ++ __u16 epoch, bool *purge_cache); + /* process transaction2 response */ + bool (*check_trans2)(struct mid_q_entry *, struct TCP_Server_Info *, + char *, int); +@@ -521,12 +521,12 @@ struct smb_version_operations { + /* if we can do cache read operations */ + bool (*is_read_op)(__u32); + /* set oplock level for the inode */ +- void (*set_oplock_level)(struct cifsInodeInfo *, __u32, unsigned int, +- bool *); ++ void (*set_oplock_level)(struct cifsInodeInfo *cinode, __u32 oplock, __u16 epoch, ++ bool *purge_cache); + /* create lease context buffer for CREATE request */ + char * (*create_lease_buf)(u8 *lease_key, u8 oplock); + /* parse lease context buffer and return oplock/epoch info */ +- __u8 (*parse_lease_buf)(void *buf, unsigned int *epoch, char *lkey); ++ __u8 (*parse_lease_buf)(void *buf, __u16 *epoch, char *lkey); + ssize_t (*copychunk_range)(const unsigned int, + struct cifsFileInfo *src_file, + struct cifsFileInfo *target_file, +@@ -1422,7 +1422,7 @@ struct cifs_fid { + __u8 create_guid[16]; + __u32 access; + struct cifs_pending_open *pending_open; +- unsigned int epoch; ++ __u16 epoch; + #ifdef CONFIG_CIFS_DEBUG2 + __u64 mid; + #endif /* CIFS_DEBUG2 */ +@@ -1455,7 +1455,7 @@ struct cifsFileInfo { + bool oplock_break_cancelled:1; + bool status_file_deleted:1; /* file has been deleted */ + bool offload:1; /* offload final part of _put to a wq */ +- unsigned int oplock_epoch; /* epoch from the lease break */ ++ __u16 oplock_epoch; /* epoch from the lease break */ + __u32 oplock_level; /* oplock/lease level from the lease break */ + int count; + spinlock_t file_info_lock; /* protects four flag/count fields above */ +@@ -1552,7 +1552,7 @@ struct cifsInodeInfo { + spinlock_t open_file_lock; /* protects openFileList */ + __u32 cifsAttrs; /* e.g. DOS archive bit, sparse, compressed, system */ + unsigned int oplock; /* oplock/lease level we have */ +- unsigned int epoch; /* used to track lease state changes */ ++ __u16 epoch; /* used to track lease state changes */ + #define CIFS_INODE_PENDING_OPLOCK_BREAK (0) /* oplock break in progress */ + #define CIFS_INODE_PENDING_WRITERS (1) /* Writes in progress */ + #define CIFS_INODE_FLAG_UNUSED (2) /* Unused flag */ +--- a/fs/smb/client/smb1ops.c ++++ b/fs/smb/client/smb1ops.c +@@ -377,7 +377,7 @@ coalesce_t2(char *second_buf, struct smb + static void + cifs_downgrade_oplock(struct TCP_Server_Info *server, + struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache) ++ __u16 epoch, bool *purge_cache) + { + cifs_set_oplock_level(cinode, oplock); + } +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -3904,22 +3904,22 @@ static long smb3_fallocate(struct file * + static void + smb2_downgrade_oplock(struct TCP_Server_Info *server, + struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache) ++ __u16 epoch, bool *purge_cache) + { + server->ops->set_oplock_level(cinode, oplock, 0, NULL); + } + + static void + smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache); ++ __u16 epoch, bool *purge_cache); + + static void + smb3_downgrade_oplock(struct TCP_Server_Info *server, + struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache) ++ __u16 epoch, bool *purge_cache) + { + unsigned int old_state = cinode->oplock; +- unsigned int old_epoch = cinode->epoch; ++ __u16 old_epoch = cinode->epoch; + unsigned int new_state; + + if (epoch > old_epoch) { +@@ -3939,7 +3939,7 @@ smb3_downgrade_oplock(struct TCP_Server_ + + static void + smb2_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache) ++ __u16 epoch, bool *purge_cache) + { + oplock &= 0xFF; + cinode->lease_granted = false; +@@ -3963,7 +3963,7 @@ smb2_set_oplock_level(struct cifsInodeIn + + static void + smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache) ++ __u16 epoch, bool *purge_cache) + { + char message[5] = {0}; + unsigned int new_oplock = 0; +@@ -4000,7 +4000,7 @@ smb21_set_oplock_level(struct cifsInodeI + + static void + smb3_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, +- unsigned int epoch, bool *purge_cache) ++ __u16 epoch, bool *purge_cache) + { + unsigned int old_oplock = cinode->oplock; + +@@ -4114,7 +4114,7 @@ smb3_create_lease_buf(u8 *lease_key, u8 + } + + static __u8 +-smb2_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key) ++smb2_parse_lease_buf(void *buf, __u16 *epoch, char *lease_key) + { + struct create_lease *lc = (struct create_lease *)buf; + +@@ -4125,7 +4125,7 @@ smb2_parse_lease_buf(void *buf, unsigned + } + + static __u8 +-smb3_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key) ++smb3_parse_lease_buf(void *buf, __u16 *epoch, char *lease_key) + { + struct create_lease_v2 *lc = (struct create_lease_v2 *)buf; + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -2329,7 +2329,7 @@ parse_posix_ctxt(struct create_context * + + int smb2_parse_contexts(struct TCP_Server_Info *server, + struct kvec *rsp_iov, +- unsigned int *epoch, ++ __u16 *epoch, + char *lease_key, __u8 *oplock, + struct smb2_file_all_info *buf, + struct create_posix_rsp *posix) +--- a/fs/smb/client/smb2proto.h ++++ b/fs/smb/client/smb2proto.h +@@ -282,7 +282,7 @@ extern enum securityEnum smb2_select_sec + enum securityEnum); + int smb2_parse_contexts(struct TCP_Server_Info *server, + struct kvec *rsp_iov, +- unsigned int *epoch, ++ __u16 *epoch, + char *lease_key, __u8 *oplock, + struct smb2_file_all_info *buf, + struct create_posix_rsp *posix); diff --git a/queue-6.13/smb-client-fix-order-of-arguments-of-tracepoints.patch b/queue-6.13/smb-client-fix-order-of-arguments-of-tracepoints.patch new file mode 100644 index 0000000000..35e888ef0e --- /dev/null +++ b/queue-6.13/smb-client-fix-order-of-arguments-of-tracepoints.patch @@ -0,0 +1,330 @@ +From 11f8b80ab9f99291dc88d09855b9f8f43b772335 Mon Sep 17 00:00:00 2001 +From: Ruben Devos +Date: Sat, 18 Jan 2025 21:03:30 +0100 +Subject: smb: client: fix order of arguments of tracepoints + +From: Ruben Devos + +commit 11f8b80ab9f99291dc88d09855b9f8f43b772335 upstream. + +The tracepoints based on smb3_inf_compound_*_class have tcon id and +session id swapped around. This results in incorrect output in +`trace-cmd report`. + +Fix the order of arguments to resolve this issue. The trace-cmd output +below shows the before and after of the smb3_delete_enter and +smb3_delete_done events as an example. The smb3_cmd_* events show the +correct session and tcon id for reference. + +Also fix tracepoint set -> get in the SMB2_OP_GET_REPARSE case. + +BEFORE: +rm-2211 [001] ..... 1839.550888: smb3_delete_enter: xid=281 sid=0x5 tid=0x3d path=\hello2.txt +rm-2211 [001] ..... 1839.550894: smb3_cmd_enter: sid=0x1ac000000003d tid=0x5 cmd=5 mid=61 +rm-2211 [001] ..... 1839.550896: smb3_cmd_enter: sid=0x1ac000000003d tid=0x5 cmd=6 mid=62 +rm-2211 [001] ..... 1839.552091: smb3_cmd_done: sid=0x1ac000000003d tid=0x5 cmd=5 mid=61 +rm-2211 [001] ..... 1839.552093: smb3_cmd_done: sid=0x1ac000000003d tid=0x5 cmd=6 mid=62 +rm-2211 [001] ..... 1839.552103: smb3_delete_done: xid=281 sid=0x5 tid=0x3d + +AFTER: +rm-2501 [001] ..... 3237.656110: smb3_delete_enter: xid=88 sid=0x1ac0000000041 tid=0x5 path=\hello2.txt +rm-2501 [001] ..... 3237.656122: smb3_cmd_enter: sid=0x1ac0000000041 tid=0x5 cmd=5 mid=84 +rm-2501 [001] ..... 3237.656123: smb3_cmd_enter: sid=0x1ac0000000041 tid=0x5 cmd=6 mid=85 +rm-2501 [001] ..... 3237.657909: smb3_cmd_done: sid=0x1ac0000000041 tid=0x5 cmd=5 mid=84 +rm-2501 [001] ..... 3237.657909: smb3_cmd_done: sid=0x1ac0000000041 tid=0x5 cmd=6 mid=85 +rm-2501 [001] ..... 3237.657922: smb3_delete_done: xid=88 sid=0x1ac0000000041 tid=0x5 + +Cc: stable@vger.kernel.org +Signed-off-by: Ruben Devos +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/dir.c | 6 +- + fs/smb/client/smb2inode.c | 108 +++++++++++++++++++++++----------------------- + 2 files changed, 57 insertions(+), 57 deletions(-) + +--- a/fs/smb/client/dir.c ++++ b/fs/smb/client/dir.c +@@ -627,7 +627,7 @@ int cifs_mknod(struct mnt_idmap *idmap, + goto mknod_out; + } + +- trace_smb3_mknod_enter(xid, tcon->ses->Suid, tcon->tid, full_path); ++ trace_smb3_mknod_enter(xid, tcon->tid, tcon->ses->Suid, full_path); + + rc = tcon->ses->server->ops->make_node(xid, inode, direntry, tcon, + full_path, mode, +@@ -635,9 +635,9 @@ int cifs_mknod(struct mnt_idmap *idmap, + + mknod_out: + if (rc) +- trace_smb3_mknod_err(xid, tcon->ses->Suid, tcon->tid, rc); ++ trace_smb3_mknod_err(xid, tcon->tid, tcon->ses->Suid, rc); + else +- trace_smb3_mknod_done(xid, tcon->ses->Suid, tcon->tid); ++ trace_smb3_mknod_done(xid, tcon->tid, tcon->ses->Suid); + + free_dentry_path(page); + free_xid(xid); +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -298,8 +298,8 @@ replay_again: + goto finished; + } + num_rqst++; +- trace_smb3_query_info_compound_enter(xid, ses->Suid, +- tcon->tid, full_path); ++ trace_smb3_query_info_compound_enter(xid, tcon->tid, ++ ses->Suid, full_path); + break; + case SMB2_OP_POSIX_QUERY_INFO: + rqst[num_rqst].rq_iov = &vars->qi_iov; +@@ -334,18 +334,18 @@ replay_again: + goto finished; + } + num_rqst++; +- trace_smb3_posix_query_info_compound_enter(xid, ses->Suid, +- tcon->tid, full_path); ++ trace_smb3_posix_query_info_compound_enter(xid, tcon->tid, ++ ses->Suid, full_path); + break; + case SMB2_OP_DELETE: +- trace_smb3_delete_enter(xid, ses->Suid, tcon->tid, full_path); ++ trace_smb3_delete_enter(xid, tcon->tid, ses->Suid, full_path); + break; + case SMB2_OP_MKDIR: + /* + * Directories are created through parameters in the + * SMB2_open() call. + */ +- trace_smb3_mkdir_enter(xid, ses->Suid, tcon->tid, full_path); ++ trace_smb3_mkdir_enter(xid, tcon->tid, ses->Suid, full_path); + break; + case SMB2_OP_RMDIR: + rqst[num_rqst].rq_iov = &vars->si_iov[0]; +@@ -363,7 +363,7 @@ replay_again: + goto finished; + smb2_set_next_command(tcon, &rqst[num_rqst]); + smb2_set_related(&rqst[num_rqst++]); +- trace_smb3_rmdir_enter(xid, ses->Suid, tcon->tid, full_path); ++ trace_smb3_rmdir_enter(xid, tcon->tid, ses->Suid, full_path); + break; + case SMB2_OP_SET_EOF: + rqst[num_rqst].rq_iov = &vars->si_iov[0]; +@@ -398,7 +398,7 @@ replay_again: + goto finished; + } + num_rqst++; +- trace_smb3_set_eof_enter(xid, ses->Suid, tcon->tid, full_path); ++ trace_smb3_set_eof_enter(xid, tcon->tid, ses->Suid, full_path); + break; + case SMB2_OP_SET_INFO: + rqst[num_rqst].rq_iov = &vars->si_iov[0]; +@@ -429,8 +429,8 @@ replay_again: + goto finished; + } + num_rqst++; +- trace_smb3_set_info_compound_enter(xid, ses->Suid, +- tcon->tid, full_path); ++ trace_smb3_set_info_compound_enter(xid, tcon->tid, ++ ses->Suid, full_path); + break; + case SMB2_OP_RENAME: + rqst[num_rqst].rq_iov = &vars->si_iov[0]; +@@ -469,7 +469,7 @@ replay_again: + goto finished; + } + num_rqst++; +- trace_smb3_rename_enter(xid, ses->Suid, tcon->tid, full_path); ++ trace_smb3_rename_enter(xid, tcon->tid, ses->Suid, full_path); + break; + case SMB2_OP_HARDLINK: + rqst[num_rqst].rq_iov = &vars->si_iov[0]; +@@ -496,7 +496,7 @@ replay_again: + goto finished; + smb2_set_next_command(tcon, &rqst[num_rqst]); + smb2_set_related(&rqst[num_rqst++]); +- trace_smb3_hardlink_enter(xid, ses->Suid, tcon->tid, full_path); ++ trace_smb3_hardlink_enter(xid, tcon->tid, ses->Suid, full_path); + break; + case SMB2_OP_SET_REPARSE: + rqst[num_rqst].rq_iov = vars->io_iov; +@@ -523,8 +523,8 @@ replay_again: + goto finished; + } + num_rqst++; +- trace_smb3_set_reparse_compound_enter(xid, ses->Suid, +- tcon->tid, full_path); ++ trace_smb3_set_reparse_compound_enter(xid, tcon->tid, ++ ses->Suid, full_path); + break; + case SMB2_OP_GET_REPARSE: + rqst[num_rqst].rq_iov = vars->io_iov; +@@ -549,8 +549,8 @@ replay_again: + goto finished; + } + num_rqst++; +- trace_smb3_get_reparse_compound_enter(xid, ses->Suid, +- tcon->tid, full_path); ++ trace_smb3_get_reparse_compound_enter(xid, tcon->tid, ++ ses->Suid, full_path); + break; + case SMB2_OP_QUERY_WSL_EA: + rqst[num_rqst].rq_iov = &vars->ea_iov; +@@ -663,11 +663,11 @@ finished: + } + SMB2_query_info_free(&rqst[num_rqst++]); + if (rc) +- trace_smb3_query_info_compound_err(xid, ses->Suid, +- tcon->tid, rc); ++ trace_smb3_query_info_compound_err(xid, tcon->tid, ++ ses->Suid, rc); + else +- trace_smb3_query_info_compound_done(xid, ses->Suid, +- tcon->tid); ++ trace_smb3_query_info_compound_done(xid, tcon->tid, ++ ses->Suid); + break; + case SMB2_OP_POSIX_QUERY_INFO: + idata = in_iov[i].iov_base; +@@ -690,15 +690,15 @@ finished: + + SMB2_query_info_free(&rqst[num_rqst++]); + if (rc) +- trace_smb3_posix_query_info_compound_err(xid, ses->Suid, +- tcon->tid, rc); ++ trace_smb3_posix_query_info_compound_err(xid, tcon->tid, ++ ses->Suid, rc); + else +- trace_smb3_posix_query_info_compound_done(xid, ses->Suid, +- tcon->tid); ++ trace_smb3_posix_query_info_compound_done(xid, tcon->tid, ++ ses->Suid); + break; + case SMB2_OP_DELETE: + if (rc) +- trace_smb3_delete_err(xid, ses->Suid, tcon->tid, rc); ++ trace_smb3_delete_err(xid, tcon->tid, ses->Suid, rc); + else { + /* + * If dentry (hence, inode) is NULL, lease break is going to +@@ -706,59 +706,59 @@ finished: + */ + if (inode) + cifs_mark_open_handles_for_deleted_file(inode, full_path); +- trace_smb3_delete_done(xid, ses->Suid, tcon->tid); ++ trace_smb3_delete_done(xid, tcon->tid, ses->Suid); + } + break; + case SMB2_OP_MKDIR: + if (rc) +- trace_smb3_mkdir_err(xid, ses->Suid, tcon->tid, rc); ++ trace_smb3_mkdir_err(xid, tcon->tid, ses->Suid, rc); + else +- trace_smb3_mkdir_done(xid, ses->Suid, tcon->tid); ++ trace_smb3_mkdir_done(xid, tcon->tid, ses->Suid); + break; + case SMB2_OP_HARDLINK: + if (rc) +- trace_smb3_hardlink_err(xid, ses->Suid, tcon->tid, rc); ++ trace_smb3_hardlink_err(xid, tcon->tid, ses->Suid, rc); + else +- trace_smb3_hardlink_done(xid, ses->Suid, tcon->tid); ++ trace_smb3_hardlink_done(xid, tcon->tid, ses->Suid); + SMB2_set_info_free(&rqst[num_rqst++]); + break; + case SMB2_OP_RENAME: + if (rc) +- trace_smb3_rename_err(xid, ses->Suid, tcon->tid, rc); ++ trace_smb3_rename_err(xid, tcon->tid, ses->Suid, rc); + else +- trace_smb3_rename_done(xid, ses->Suid, tcon->tid); ++ trace_smb3_rename_done(xid, tcon->tid, ses->Suid); + SMB2_set_info_free(&rqst[num_rqst++]); + break; + case SMB2_OP_RMDIR: + if (rc) +- trace_smb3_rmdir_err(xid, ses->Suid, tcon->tid, rc); ++ trace_smb3_rmdir_err(xid, tcon->tid, ses->Suid, rc); + else +- trace_smb3_rmdir_done(xid, ses->Suid, tcon->tid); ++ trace_smb3_rmdir_done(xid, tcon->tid, ses->Suid); + SMB2_set_info_free(&rqst[num_rqst++]); + break; + case SMB2_OP_SET_EOF: + if (rc) +- trace_smb3_set_eof_err(xid, ses->Suid, tcon->tid, rc); ++ trace_smb3_set_eof_err(xid, tcon->tid, ses->Suid, rc); + else +- trace_smb3_set_eof_done(xid, ses->Suid, tcon->tid); ++ trace_smb3_set_eof_done(xid, tcon->tid, ses->Suid); + SMB2_set_info_free(&rqst[num_rqst++]); + break; + case SMB2_OP_SET_INFO: + if (rc) +- trace_smb3_set_info_compound_err(xid, ses->Suid, +- tcon->tid, rc); ++ trace_smb3_set_info_compound_err(xid, tcon->tid, ++ ses->Suid, rc); + else +- trace_smb3_set_info_compound_done(xid, ses->Suid, +- tcon->tid); ++ trace_smb3_set_info_compound_done(xid, tcon->tid, ++ ses->Suid); + SMB2_set_info_free(&rqst[num_rqst++]); + break; + case SMB2_OP_SET_REPARSE: + if (rc) { +- trace_smb3_set_reparse_compound_err(xid, ses->Suid, +- tcon->tid, rc); ++ trace_smb3_set_reparse_compound_err(xid, tcon->tid, ++ ses->Suid, rc); + } else { +- trace_smb3_set_reparse_compound_done(xid, ses->Suid, +- tcon->tid); ++ trace_smb3_set_reparse_compound_done(xid, tcon->tid, ++ ses->Suid); + } + SMB2_ioctl_free(&rqst[num_rqst++]); + break; +@@ -771,18 +771,18 @@ finished: + rbuf = reparse_buf_ptr(iov); + if (IS_ERR(rbuf)) { + rc = PTR_ERR(rbuf); +- trace_smb3_set_reparse_compound_err(xid, ses->Suid, +- tcon->tid, rc); ++ trace_smb3_get_reparse_compound_err(xid, tcon->tid, ++ ses->Suid, rc); + } else { + idata->reparse.tag = le32_to_cpu(rbuf->ReparseTag); +- trace_smb3_set_reparse_compound_done(xid, ses->Suid, +- tcon->tid); ++ trace_smb3_get_reparse_compound_done(xid, tcon->tid, ++ ses->Suid); + } + memset(iov, 0, sizeof(*iov)); + resp_buftype[i + 1] = CIFS_NO_BUFFER; + } else { +- trace_smb3_set_reparse_compound_err(xid, ses->Suid, +- tcon->tid, rc); ++ trace_smb3_get_reparse_compound_err(xid, tcon->tid, ++ ses->Suid, rc); + } + SMB2_ioctl_free(&rqst[num_rqst++]); + break; +@@ -799,11 +799,11 @@ finished: + } + } + if (!rc) { +- trace_smb3_query_wsl_ea_compound_done(xid, ses->Suid, +- tcon->tid); ++ trace_smb3_query_wsl_ea_compound_done(xid, tcon->tid, ++ ses->Suid); + } else { +- trace_smb3_query_wsl_ea_compound_err(xid, ses->Suid, +- tcon->tid, rc); ++ trace_smb3_query_wsl_ea_compound_err(xid, tcon->tid, ++ ses->Suid, rc); + } + SMB2_query_info_free(&rqst[num_rqst++]); + break;