From: Greg Kroah-Hartman Date: Mon, 15 Apr 2024 12:47:39 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.15.156~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65e96c712d3c639ab977060bc9092180af490f24;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: accel-ivpu-fix-deadlock-in-context_xa.patch arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch btrfs-record-delayed-inode-root-in-transaction.patch drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch drm-ast-fix-soft-lockup.patch drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch drm-vmwgfx-enable-dma-mappings-with-sev.patch io_uring-net-restore-msg_control-on-sendzc-retry.patch kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch perf-x86-fix-out-of-range-data.patch scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch scsi-sg-avoid-sg-device-teardown-race.patch vhost-add-smp_rmb-in-vhost_enable_notify.patch vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch --- diff --git a/queue-6.6/accel-ivpu-fix-deadlock-in-context_xa.patch b/queue-6.6/accel-ivpu-fix-deadlock-in-context_xa.patch new file mode 100644 index 00000000000..a6d04a9123e --- /dev/null +++ b/queue-6.6/accel-ivpu-fix-deadlock-in-context_xa.patch @@ -0,0 +1,37 @@ +From fd7726e75968b27fe98534ccbf47ccd6fef686f3 Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Tue, 2 Apr 2024 12:49:29 +0200 +Subject: accel/ivpu: Fix deadlock in context_xa + +From: Jacek Lawrynowicz + +commit fd7726e75968b27fe98534ccbf47ccd6fef686f3 upstream. + +ivpu_device->context_xa is locked both in kernel thread and IRQ context. +It requires XA_FLAGS_LOCK_IRQ flag to be passed during initialization +otherwise the lock could be acquired from a thread and interrupted by +an IRQ that locks it for the second time causing the deadlock. + +This deadlock was reported by lockdep and observed in internal tests. + +Fixes: 35b137630f08 ("accel/ivpu: Introduce a new DRM driver for Intel VPU") +Cc: # v6.3+ +Signed-off-by: Jacek Lawrynowicz +Reviewed-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-9-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accel/ivpu/ivpu_drv.c ++++ b/drivers/accel/ivpu/ivpu_drv.c +@@ -517,7 +517,7 @@ static int ivpu_dev_init(struct ivpu_dev + vdev->context_xa_limit.min = IVPU_USER_CONTEXT_MIN_SSID; + vdev->context_xa_limit.max = IVPU_USER_CONTEXT_MAX_SSID; + atomic64_set(&vdev->unique_id_counter, 0); +- xa_init_flags(&vdev->context_xa, XA_FLAGS_ALLOC); ++ xa_init_flags(&vdev->context_xa, XA_FLAGS_ALLOC | XA_FLAGS_LOCK_IRQ); + xa_init_flags(&vdev->submitted_jobs_xa, XA_FLAGS_ALLOC1); + lockdep_set_class(&vdev->submitted_jobs_xa.xa_lock, &submitted_jobs_xa_lock_class_key); + diff --git a/queue-6.6/arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch b/queue-6.6/arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch new file mode 100644 index 00000000000..15c18e55d76 --- /dev/null +++ b/queue-6.6/arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch @@ -0,0 +1,66 @@ +From 808e7716edcdb39d3498b9f567ef6017858b49aa Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:04 -0400 +Subject: arm64: dts: imx8-ss-conn: fix usb lpcg indices + +From: Frank Li + +commit 808e7716edcdb39d3498b9f567ef6017858b49aa upstream. + +usb2_lpcg: clock-controller@5b270000 { + ... Col1 Col2 + clocks = <&conn_ahb_clk>, <&conn_ipg_clk>; // 0 6 + clock-indices = , ; // 0 7 + ... +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +usbotg1: usb@5b0d0000 { + ... + clocks = <&usb2_lpcg 0>; + ^^ +Should be: + clocks = <&usb2_lpcg IMX_LPCG_CLK_6>; +}; + +usbphy1: usbphy@5b100000 { + clocks = <&usb2_lpcg 1>; + ^^ +SHould be: + clocks = <&usb2_lpcg IMX_LPCG_CLK_7>; +}; + +Arg0 is divided by 4 in lpcg driver. So lpcg will do dummy enable. Fix it +by use correct clock indices. + +Cc: stable@vger.kernel.org +Fixes: 8065fc937f0f ("arm64: dts: imx8dxl: add usb1 and usb2 support") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi +@@ -41,7 +41,7 @@ conn_subsys: bus@5b000000 { + interrupts = ; + fsl,usbphy = <&usbphy1>; + fsl,usbmisc = <&usbmisc1 0>; +- clocks = <&usb2_lpcg 0>; ++ clocks = <&usb2_lpcg IMX_LPCG_CLK_6>; + ahb-burst-config = <0x0>; + tx-burst-size-dword = <0x10>; + rx-burst-size-dword = <0x10>; +@@ -58,7 +58,7 @@ conn_subsys: bus@5b000000 { + usbphy1: usbphy@5b100000 { + compatible = "fsl,imx7ulp-usbphy"; + reg = <0x5b100000 0x1000>; +- clocks = <&usb2_lpcg 1>; ++ clocks = <&usb2_lpcg IMX_LPCG_CLK_7>; + power-domains = <&pd IMX_SC_R_USB_0_PHY>; + status = "disabled"; + }; diff --git a/queue-6.6/arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch b/queue-6.6/arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch new file mode 100644 index 00000000000..caaf7f8aadd --- /dev/null +++ b/queue-6.6/arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch @@ -0,0 +1,61 @@ +From 81975080f14167610976e968e8016e92d836266f Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:07 -0400 +Subject: arm64: dts: imx8-ss-dma: fix adc lpcg indices + +From: Frank Li + +commit 81975080f14167610976e968e8016e92d836266f upstream. + +adc0_lpcg: clock-controller@5ac80000 { + ... Col1 Col2 + clocks = <&clk IMX_SC_R_ADC_0 IMX_SC_PM_CLK_PER>, // 0 0 + <&dma_ipg_clk>; // 1 4 + clock-indices = , ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +adc0: adc@5a880000 { + clocks = <&adc0_lpcg 0>, <&adc0_lpcg 1>; + ^^ ^^ + clocks = <&adc0_lpcg IMX_LPCG_CLK_0>, <&adc0_lpcg IMX_LPCG_CLK_4>; + +Arg0 is divided by 4 in lpcg driver. So adc get IMX_SC_PM_CLK_PER by +<&adc0_lpcg 0>, <&adc0_lpcg 1>. Although function can work, code logic is +wrong. Fix it by using correct indices. + +Cc: stable@vger.kernel.org +Fixes: 1db044b25d2e ("arm64: dts: imx8dxl: add adc0 support") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -282,8 +282,8 @@ dma_subsys: bus@5a000000 { + reg = <0x5a880000 0x10000>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&adc0_lpcg 0>, +- <&adc0_lpcg 1>; ++ clocks = <&adc0_lpcg IMX_LPCG_CLK_0>, ++ <&adc0_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_ADC_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; +@@ -297,8 +297,8 @@ dma_subsys: bus@5a000000 { + reg = <0x5a890000 0x10000>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&adc1_lpcg 0>, +- <&adc1_lpcg 1>; ++ clocks = <&adc1_lpcg IMX_LPCG_CLK_0>, ++ <&adc1_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_ADC_1 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; diff --git a/queue-6.6/arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch b/queue-6.6/arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch new file mode 100644 index 00000000000..57b72bdca63 --- /dev/null +++ b/queue-6.6/arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch @@ -0,0 +1,77 @@ +From 0893392334b5dffdf616a53679c6a2942c46391b Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:08 -0400 +Subject: arm64: dts: imx8-ss-dma: fix can lpcg indices + +From: Frank Li + +commit 0893392334b5dffdf616a53679c6a2942c46391b upstream. + +can0_lpcg: clock-controller@5acd0000 { + ... Col1 Col2 + clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>, // 0 0 + <&dma_ipg_clk>, // 1 4 + <&dma_ipg_clk>; // 2 5 + clock-indices = , + , + ; +} + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +flexcan1: can@5a8d0000 { + clocks = <&can0_lpcg 1>, <&can0_lpcg 0>; + ^^ ^^ +Should be: + clocks = <&can0_lpcg IMX_LPCG_CLK_4>, <&can0_lpcg IMX_LPCG_CLK_0>; +}; + +Arg0 is divided by 4 in lpcg driver. flexcan driver get IMX_SC_PM_CLK_PER +by <&can0_lpcg 1> and <&can0_lpcg 0>. Although function can work, code +logic is wrong. Fix it by using correct clock indices. + +Cc: stable@vger.kernel.org +Fixes: 5e7d5b023e03 ("arm64: dts: imx8qxp: add flexcan in adma") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -311,8 +311,8 @@ dma_subsys: bus@5a000000 { + reg = <0x5a8d0000 0x10000>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&can0_lpcg 1>, +- <&can0_lpcg 0>; ++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>, ++ <&can0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "per"; + assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <40000000>; +@@ -332,8 +332,8 @@ dma_subsys: bus@5a000000 { + * CAN1 shares CAN0's clock and to enable CAN0's clock it + * has to be powered on. + */ +- clocks = <&can0_lpcg 1>, +- <&can0_lpcg 0>; ++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>, ++ <&can0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "per"; + assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <40000000>; +@@ -353,8 +353,8 @@ dma_subsys: bus@5a000000 { + * CAN2 shares CAN0's clock and to enable CAN0's clock it + * has to be powered on. + */ +- clocks = <&can0_lpcg 1>, +- <&can0_lpcg 0>; ++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>, ++ <&can0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "per"; + assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <40000000>; diff --git a/queue-6.6/arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch b/queue-6.6/arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch new file mode 100644 index 00000000000..fdd81f58cca --- /dev/null +++ b/queue-6.6/arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch @@ -0,0 +1,86 @@ +From f72b544a514c07d34a0d9d5380f5905b3731e647 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:05 -0400 +Subject: arm64: dts: imx8-ss-dma: fix spi lpcg indices + +From: Frank Li + +commit f72b544a514c07d34a0d9d5380f5905b3731e647 upstream. + +spi0_lpcg: clock-controller@5a400000 { + ... Col0 Col1 + clocks = <&clk IMX_SC_R_SPI_0 IMX_SC_PM_CLK_PER>,// 0 1 + <&dma_ipg_clk>; // 1 4 + clock-indices = , ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +lpspi0: spi@5a000000 { + ... + clocks = <&spi0_lpcg 0>, <&spi0_lpcg 1>; + ^ ^ +Should be: + clocks = <&spi0_lpcg IMX_LPCG_CLK_0>, <&spi0_lpcg IMX_LPCG_CLK_4>; +}; + +Arg0 is divided by 4 in lpcg driver. <&spi0_lpcg 0> and <&spi0_lpcg 1> are +IMX_SC_PM_CLK_PER. Although code can work, code logic is wrong. It should +use IMX_LPCG_CLK_0 and IMX_LPCG_CLK_4 for lpcg arg0. + +Cc: stable@vger.kernel.org +Fixes: c4098885e790 ("arm64: dts: imx8dxl: add lpspi support") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -27,8 +27,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi0_lpcg 0>, +- <&spi0_lpcg 1>; ++ clocks = <&spi0_lpcg IMX_LPCG_CLK_0>, ++ <&spi0_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; +@@ -43,8 +43,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi1_lpcg 0>, +- <&spi1_lpcg 1>; ++ clocks = <&spi1_lpcg IMX_LPCG_CLK_0>, ++ <&spi1_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_1 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; +@@ -59,8 +59,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi2_lpcg 0>, +- <&spi2_lpcg 1>; ++ clocks = <&spi2_lpcg IMX_LPCG_CLK_0>, ++ <&spi2_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_2 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; +@@ -75,8 +75,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi3_lpcg 0>, +- <&spi3_lpcg 1>; ++ clocks = <&spi3_lpcg IMX_LPCG_CLK_0>, ++ <&spi3_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_3 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; diff --git a/queue-6.6/arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch b/queue-6.6/arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch new file mode 100644 index 00000000000..bee8a7f4a7a --- /dev/null +++ b/queue-6.6/arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch @@ -0,0 +1,94 @@ +From 1d86c2b3946e69d6b0b93568d312aae6247847c0 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:03 -0400 +Subject: arm64: dts: imx8-ss-lsio: fix pwm lpcg indices + +From: Frank Li + +commit 1d86c2b3946e69d6b0b93568d312aae6247847c0 upstream. + +lpcg's arg0 should use clock indices instead of index. + +pwm0_lpcg: clock-controller@5d400000 { + ... // Col1 Col2 + clocks = <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 0 0 + <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 1 1 + <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 2 4 + <&lsio_bus_clk>, // 3 5 + <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>; // 4 6 + clock-indices = , , + , , + ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +pwm1 { + .... + clocks = <&pwm1_lpcg 4>, <&pwm1_lpcg 1>; + ^^ ^^ +should be: + + clocks = <&pwm1_lpcg IMX_LPCG_CLK_6>, <&pwm1_lpcg IMX_LPCG_CLK_1>; +}; + +Arg0 is divided by 4 in lpcg driver, so index 0 and 1 will be get by pwm +driver, which are same as IMX_LPCG_CLK_6 and IMX_LPCG_CLK_1. Even it can +work, but code logic is wrong. Fixed it by use correct indices. + +Cc: stable@vger.kernel.org +Fixes: 23fa99b205ea ("arm64: dts: freescale: imx8-ss-lsio: add support for lsio_pwm0-3") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi +@@ -32,8 +32,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d000000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm0_lpcg 4>, +- <&pwm0_lpcg 1>; ++ clocks = <&pwm0_lpcg IMX_LPCG_CLK_6>, ++ <&pwm0_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; +@@ -45,8 +45,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d010000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm1_lpcg 4>, +- <&pwm1_lpcg 1>; ++ clocks = <&pwm1_lpcg IMX_LPCG_CLK_6>, ++ <&pwm1_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_1 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; +@@ -58,8 +58,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d020000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm2_lpcg 4>, +- <&pwm2_lpcg 1>; ++ clocks = <&pwm2_lpcg IMX_LPCG_CLK_6>, ++ <&pwm2_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_2 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; +@@ -71,8 +71,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d030000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm3_lpcg 4>, +- <&pwm3_lpcg 1>; ++ clocks = <&pwm3_lpcg IMX_LPCG_CLK_6>, ++ <&pwm3_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_3 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; diff --git a/queue-6.6/arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch b/queue-6.6/arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch new file mode 100644 index 00000000000..ea418542af9 --- /dev/null +++ b/queue-6.6/arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch @@ -0,0 +1,64 @@ +From 00b436182138310bb8d362b912b12a9df8f72ca3 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:09 -0400 +Subject: arm64: dts: imx8qm-ss-dma: fix can lpcg indices + +From: Frank Li + +commit 00b436182138310bb8d362b912b12a9df8f72ca3 upstream. + +can1_lpcg: clock-controller@5ace0000 { + ... Col1 Col2 + clocks = <&clk IMX_SC_R_CAN_1 IMX_SC_PM_CLK_PER>,// 0 0 + <&dma_ipg_clk>, // 1 4 + <&dma_ipg_clk>; // 2 5 + clock-indices = , + , + ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver + +&flexcan2 { + clocks = <&can1_lpcg 1>, <&can1_lpcg 0>; + ^^ ^^ +Should be: + clocks = <&can1_lpcg IMX_LPCG_CLK_4>, <&can1_lpcg IMX_LPCG_CLK_0>; +}; + +Arg0 is divided by 4 in lpcg driver. So flexcan get IMX_SC_PM_CLK_PER by +<&can1_lpcg 1> and <&can1_lpcg 0>. Although function work, code logic is +wrong. Fix it by using correct clock indices. + +Cc: stable@vger.kernel.org +Fixes: be85831de020 ("arm64: dts: imx8qm: add can node in devicetree") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi +@@ -49,15 +49,15 @@ + }; + + &flexcan2 { +- clocks = <&can1_lpcg 1>, +- <&can1_lpcg 0>; ++ clocks = <&can1_lpcg IMX_LPCG_CLK_4>, ++ <&can1_lpcg IMX_LPCG_CLK_0>; + assigned-clocks = <&clk IMX_SC_R_CAN_1 IMX_SC_PM_CLK_PER>; + fsl,clk-source = /bits/ 8 <1>; + }; + + &flexcan3 { +- clocks = <&can2_lpcg 1>, +- <&can2_lpcg 0>; ++ clocks = <&can2_lpcg IMX_LPCG_CLK_4>, ++ <&can2_lpcg IMX_LPCG_CLK_0>; + assigned-clocks = <&clk IMX_SC_R_CAN_2 IMX_SC_PM_CLK_PER>; + fsl,clk-source = /bits/ 8 <1>; + }; diff --git a/queue-6.6/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch b/queue-6.6/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch new file mode 100644 index 00000000000..6429a049474 --- /dev/null +++ b/queue-6.6/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch @@ -0,0 +1,65 @@ +From 211de93367304ab395357f8cb12568a4d1e20701 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:18:39 -0700 +Subject: btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans + +From: Boris Burkov + +commit 211de93367304ab395357f8cb12568a4d1e20701 upstream. + +The transaction is only able to free PERTRANS reservations for a root +once that root has been recorded with the TRANS tag on the roots radix +tree. Therefore, until we are sure that this root will get tagged, it +isn't safe to convert. Generally, this is not an issue as *some* +transaction will likely tag the root before long and this reservation +will get freed in that transaction, but technically it could stick +around until unmount and result in a warning about leaked metadata +reservation space. + +This path is most exercised by running the generic/269 fstest with +CONFIG_BTRFS_DEBUG. + +Fixes: a6496849671a ("btrfs: fix start transaction qgroup rsv double free") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -715,14 +715,6 @@ again: + h->reloc_reserved = reloc_reserved; + } + +- /* +- * Now that we have found a transaction to be a part of, convert the +- * qgroup reservation from prealloc to pertrans. A different transaction +- * can't race in and free our pertrans out from under us. +- */ +- if (qgroup_reserved) +- btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); +- + got_it: + if (!current->journal_info) + current->journal_info = h; +@@ -756,8 +748,15 @@ got_it: + * not just freed. + */ + btrfs_end_transaction(h); +- return ERR_PTR(ret); ++ goto reserve_fail; + } ++ /* ++ * Now that we have found a transaction to be a part of, convert the ++ * qgroup reservation from prealloc to pertrans. A different transaction ++ * can't race in and free our pertrans out from under us. ++ */ ++ if (qgroup_reserved) ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); + + return h; + diff --git a/queue-6.6/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch b/queue-6.6/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch new file mode 100644 index 00000000000..e2ad803a1c7 --- /dev/null +++ b/queue-6.6/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch @@ -0,0 +1,38 @@ +From 141fb8cd206ace23c02cd2791c6da52c1d77d42a Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Tue, 19 Mar 2024 10:54:22 -0700 +Subject: btrfs: qgroup: correctly model root qgroup rsv in convert + +From: Boris Burkov + +commit 141fb8cd206ace23c02cd2791c6da52c1d77d42a upstream. + +We use add_root_meta_rsv and sub_root_meta_rsv to track prealloc and +pertrans reservations for subvolumes when quotas are enabled. The +convert function does not properly increment pertrans after decrementing +prealloc, so the count is not accurate. + +Note: we check that the fs is not read-only to mirror the logic in +qgroup_convert_meta, which checks that before adding to the pertrans rsv. + +Fixes: 8287475a2055 ("btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4162,6 +4162,8 @@ void btrfs_qgroup_convert_reserved_meta( + BTRFS_QGROUP_RSV_META_PREALLOC); + trace_qgroup_meta_convert(root, num_bytes); + qgroup_convert_meta(fs_info, root->root_key.objectid, num_bytes); ++ if (!sb_rdonly(fs_info->sb)) ++ add_root_meta_rsv(root, num_bytes, BTRFS_QGROUP_RSV_META_PERTRANS); + } + + /* diff --git a/queue-6.6/btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch b/queue-6.6/btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch new file mode 100644 index 00000000000..d649ffe36ad --- /dev/null +++ b/queue-6.6/btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch @@ -0,0 +1,226 @@ +From 74e97958121aa1f5854da6effba70143f051b0cd Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:02:04 -0700 +Subject: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations + +From: Boris Burkov + +commit 74e97958121aa1f5854da6effba70143f051b0cd upstream. + +Create subvolume, create snapshot and delete subvolume all use +btrfs_subvolume_reserve_metadata() to reserve metadata for the changes +done to the parent subvolume's fs tree, which cannot be mediated in the +normal way via start_transaction. When quota groups (squota or qgroups) +are enabled, this reserves qgroup metadata of type PREALLOC. Once the +operation is associated to a transaction, we convert PREALLOC to +PERTRANS, which gets cleared in bulk at the end of the transaction. + +However, the error paths of these three operations were not implementing +this lifecycle correctly. They unconditionally converted the PREALLOC to +PERTRANS in a generic cleanup step regardless of errors or whether the +operation was fully associated to a transaction or not. This resulted in +error paths occasionally converting this rsv to PERTRANS without calling +record_root_in_trans successfully, which meant that unless that root got +recorded in the transaction by some other thread, the end of the +transaction would not free that root's PERTRANS, leaking it. Ultimately, +this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount +for the leaked reservation. + +The fix is to ensure that every qgroup PREALLOC reservation observes the +following properties: + +1. any failure before record_root_in_trans is called successfully + results in freeing the PREALLOC reservation. +2. after record_root_in_trans, we convert to PERTRANS, and now the + transaction owns freeing the reservation. + +This patch enforces those properties on the three operations. Without +it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 +runs on my system. With this patch, it ran successfully 1000 times in a +row. + +Fixes: e85fde5162bf ("btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 13 ++++++++++++- + fs/btrfs/ioctl.c | 37 ++++++++++++++++++++++++++++--------- + fs/btrfs/root-tree.c | 10 ---------- + fs/btrfs/root-tree.h | 2 -- + 4 files changed, 40 insertions(+), 22 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4460,6 +4460,7 @@ int btrfs_delete_subvolume(struct btrfs_ + struct btrfs_trans_handle *trans; + struct btrfs_block_rsv block_rsv; + u64 root_flags; ++ u64 qgroup_reserved = 0; + int ret; + + down_write(&fs_info->subvol_sem); +@@ -4504,12 +4505,20 @@ int btrfs_delete_subvolume(struct btrfs_ + ret = btrfs_subvolume_reserve_metadata(root, &block_rsv, 5, true); + if (ret) + goto out_undead; ++ qgroup_reserved = block_rsv.qgroup_rsv_reserved; + + trans = btrfs_start_transaction(root, 0); + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); + goto out_release; + } ++ ret = btrfs_record_root_in_trans(trans, root); ++ if (ret) { ++ btrfs_abort_transaction(trans, ret); ++ goto out_end_trans; ++ } ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); ++ qgroup_reserved = 0; + trans->block_rsv = &block_rsv; + trans->bytes_reserved = block_rsv.size; + +@@ -4568,7 +4577,9 @@ out_end_trans: + ret = btrfs_end_transaction(trans); + inode->i_flags |= S_DEAD; + out_release: +- btrfs_subvolume_release_metadata(root, &block_rsv); ++ btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL); ++ if (qgroup_reserved) ++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); + out_undead: + if (ret) { + spin_lock(&dest->root_item_lock); +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -603,6 +603,7 @@ static noinline int create_subvol(struct + int ret; + dev_t anon_dev; + u64 objectid; ++ u64 qgroup_reserved = 0; + + root_item = kzalloc(sizeof(*root_item), GFP_KERNEL); + if (!root_item) +@@ -640,13 +641,18 @@ static noinline int create_subvol(struct + trans_num_items, false); + if (ret) + goto out_new_inode_args; ++ qgroup_reserved = block_rsv.qgroup_rsv_reserved; + + trans = btrfs_start_transaction(root, 0); + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); +- btrfs_subvolume_release_metadata(root, &block_rsv); +- goto out_new_inode_args; ++ goto out_release_rsv; + } ++ ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root); ++ if (ret) ++ goto out; ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); ++ qgroup_reserved = 0; + trans->block_rsv = &block_rsv; + trans->bytes_reserved = block_rsv.size; + /* Tree log can't currently deal with an inode which is a new root. */ +@@ -757,9 +763,11 @@ static noinline int create_subvol(struct + out: + trans->block_rsv = NULL; + trans->bytes_reserved = 0; +- btrfs_subvolume_release_metadata(root, &block_rsv); +- + btrfs_end_transaction(trans); ++out_release_rsv: ++ btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL); ++ if (qgroup_reserved) ++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); + out_new_inode_args: + btrfs_new_inode_args_destroy(&new_inode_args); + out_inode: +@@ -781,6 +789,8 @@ static int create_snapshot(struct btrfs_ + struct btrfs_pending_snapshot *pending_snapshot; + unsigned int trans_num_items; + struct btrfs_trans_handle *trans; ++ struct btrfs_block_rsv *block_rsv; ++ u64 qgroup_reserved = 0; + int ret; + + /* We do not support snapshotting right now. */ +@@ -817,19 +827,19 @@ static int create_snapshot(struct btrfs_ + goto free_pending; + } + +- btrfs_init_block_rsv(&pending_snapshot->block_rsv, +- BTRFS_BLOCK_RSV_TEMP); ++ block_rsv = &pending_snapshot->block_rsv; ++ btrfs_init_block_rsv(block_rsv, BTRFS_BLOCK_RSV_TEMP); + /* + * 1 to add dir item + * 1 to add dir index + * 1 to update parent inode item + */ + trans_num_items = create_subvol_num_items(inherit) + 3; +- ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root, +- &pending_snapshot->block_rsv, ++ ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root, block_rsv, + trans_num_items, false); + if (ret) + goto free_pending; ++ qgroup_reserved = block_rsv->qgroup_rsv_reserved; + + pending_snapshot->dentry = dentry; + pending_snapshot->root = root; +@@ -842,6 +852,13 @@ static int create_snapshot(struct btrfs_ + ret = PTR_ERR(trans); + goto fail; + } ++ ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root); ++ if (ret) { ++ btrfs_end_transaction(trans); ++ goto fail; ++ } ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); ++ qgroup_reserved = 0; + + trans->pending_snapshot = pending_snapshot; + +@@ -871,7 +888,9 @@ fail: + if (ret && pending_snapshot->snap) + pending_snapshot->snap->anon_dev = 0; + btrfs_put_root(pending_snapshot->snap); +- btrfs_subvolume_release_metadata(root, &pending_snapshot->block_rsv); ++ btrfs_block_rsv_release(fs_info, block_rsv, (u64)-1, NULL); ++ if (qgroup_reserved) ++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); + free_pending: + if (pending_snapshot->anon_dev) + free_anon_bdev(pending_snapshot->anon_dev); +--- a/fs/btrfs/root-tree.c ++++ b/fs/btrfs/root-tree.c +@@ -537,13 +537,3 @@ int btrfs_subvolume_reserve_metadata(str + } + return ret; + } +- +-void btrfs_subvolume_release_metadata(struct btrfs_root *root, +- struct btrfs_block_rsv *rsv) +-{ +- struct btrfs_fs_info *fs_info = root->fs_info; +- u64 qgroup_to_release; +- +- btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); +- btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); +-} +--- a/fs/btrfs/root-tree.h ++++ b/fs/btrfs/root-tree.h +@@ -6,8 +6,6 @@ + int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, + struct btrfs_block_rsv *rsv, + int nitems, bool use_global_rsv); +-void btrfs_subvolume_release_metadata(struct btrfs_root *root, +- struct btrfs_block_rsv *rsv); + int btrfs_add_root_ref(struct btrfs_trans_handle *trans, u64 root_id, + u64 ref_id, u64 dirid, u64 sequence, + const struct fscrypt_str *name); diff --git a/queue-6.6/btrfs-record-delayed-inode-root-in-transaction.patch b/queue-6.6/btrfs-record-delayed-inode-root-in-transaction.patch new file mode 100644 index 00000000000..d3ccac47b45 --- /dev/null +++ b/queue-6.6/btrfs-record-delayed-inode-root-in-transaction.patch @@ -0,0 +1,36 @@ +From 71537e35c324ea6fbd68377a4f26bb93a831ae35 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:14:24 -0700 +Subject: btrfs: record delayed inode root in transaction + +From: Boris Burkov + +commit 71537e35c324ea6fbd68377a4f26bb93a831ae35 upstream. + +When running delayed inode updates, we do not record the inode's root in +the transaction, but we do allocate PREALLOC and thus converted PERTRANS +space for it. To be sure we free that PERTRANS meta rsv, we must ensure +that we record the root in the transaction. + +Fixes: 4f5427ccce5d ("btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/delayed-inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -1120,6 +1120,9 @@ __btrfs_commit_inode_delayed_items(struc + if (ret) + return ret; + ++ ret = btrfs_record_root_in_trans(trans, node->root); ++ if (ret) ++ return ret; + ret = btrfs_update_delayed_inode(trans, node->root, path, node); + return ret; + } diff --git a/queue-6.6/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch b/queue-6.6/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch new file mode 100644 index 00000000000..5199ac6bd76 --- /dev/null +++ b/queue-6.6/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch @@ -0,0 +1,35 @@ +From 8bdfb4ea95ca738d33ef71376c21eba20130f2eb Mon Sep 17 00:00:00 2001 +From: Harish Kasiviswanathan +Date: Tue, 26 Mar 2024 15:32:46 -0400 +Subject: drm/amdkfd: Reset GPU on queue preemption failure + +From: Harish Kasiviswanathan + +commit 8bdfb4ea95ca738d33ef71376c21eba20130f2eb upstream. + +Currently, with F32 HWS GPU reset is only when unmap queue fails. + +However, if compute queue doesn't repond to preemption request in time +unmap will return without any error. In this case, only preemption error +is logged and Reset is not triggered. Call GPU reset in this case also. + +Reviewed-by: Alex Deucher +Signed-off-by: Harish Kasiviswanathan +Reviewed-by: Mukul Joshi +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1980,6 +1980,7 @@ static int unmap_queues_cpsch(struct dev + pr_err("HIQ MQD's queue_doorbell_id0 is not 0, Queue preemption time out\n"); + while (halt_if_hws_hang) + schedule(); ++ kfd_hws_hang(dqm); + return -ETIME; + } + diff --git a/queue-6.6/drm-ast-fix-soft-lockup.patch b/queue-6.6/drm-ast-fix-soft-lockup.patch new file mode 100644 index 00000000000..b59844568a2 --- /dev/null +++ b/queue-6.6/drm-ast-fix-soft-lockup.patch @@ -0,0 +1,58 @@ +From bc004f5038220b1891ef4107134ccae44be55109 Mon Sep 17 00:00:00 2001 +From: Jammy Huang +Date: Wed, 3 Apr 2024 17:02:46 +0800 +Subject: drm/ast: Fix soft lockup + +From: Jammy Huang + +commit bc004f5038220b1891ef4107134ccae44be55109 upstream. + +There is a while-loop in ast_dp_set_on_off() that could lead to +infinite-loop. This is because the register, VGACRI-Dx, checked in +this API is a scratch register actually controlled by a MCU, named +DPMCU, in BMC. + +These scratch registers are protected by scu-lock. If suc-lock is not +off, DPMCU can not update these registers and then host will have soft +lockup due to never updated status. + +DPMCU is used to control DP and relative registers to handshake with +host's VGA driver. Even the most time-consuming task, DP's link +training, is less than 100ms. 200ms should be enough. + +Signed-off-by: Jammy Huang +Fixes: 594e9c04b586 ("drm/ast: Create the driver for ASPEED proprietory Display-Port") +Reviewed-by: Jocelyn Falempe +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Cc: KuoHsiang Chou +Cc: Thomas Zimmermann +Cc: Dave Airlie +Cc: Jocelyn Falempe +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.19+ +Link: https://patchwork.freedesktop.org/patch/msgid/20240403090246.1495487-1-jammy_huang@aspeedtech.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_dp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/ast/ast_dp.c ++++ b/drivers/gpu/drm/ast/ast_dp.c +@@ -180,6 +180,7 @@ void ast_dp_set_on_off(struct drm_device + { + struct ast_device *ast = to_ast_device(dev); + u8 video_on_off = on; ++ u32 i = 0; + + // Video On/Off + ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xE3, (u8) ~AST_DP_VIDEO_ENABLE, on); +@@ -192,6 +193,8 @@ void ast_dp_set_on_off(struct drm_device + ASTDP_MIRROR_VIDEO_ENABLE) != video_on_off) { + // wait 1 ms + mdelay(1); ++ if (++i > 200) ++ break; + } + } + } diff --git a/queue-6.6/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch b/queue-6.6/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch new file mode 100644 index 00000000000..14e95ed0e52 --- /dev/null +++ b/queue-6.6/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch @@ -0,0 +1,56 @@ +From 3eadd887dbac1df8f25f701e5d404d1b90fd0fea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 4 Apr 2024 23:33:25 +0300 +Subject: drm/client: Fully protect modes[] with dev->mode_config.mutex +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream. + +The modes[] array contains pointers to modes on the connectors' +mode lists, which are protected by dev->mode_config.mutex. +Thus we need to extend modes[] the same protection or by the +time we use it the elements may already be pointing to +freed/reused memory. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Jani Nikula +Reviewed-by: Thomas Zimmermann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -777,6 +777,7 @@ int drm_client_modeset_probe(struct drm_ + unsigned int total_modes_count = 0; + struct drm_client_offset *offsets; + unsigned int connector_count = 0; ++ /* points to modes protected by mode_config.mutex */ + struct drm_display_mode **modes; + struct drm_crtc **crtcs; + int i, ret = 0; +@@ -845,7 +846,6 @@ int drm_client_modeset_probe(struct drm_ + drm_client_pick_crtcs(client, connectors, connector_count, + crtcs, modes, 0, width, height); + } +- mutex_unlock(&dev->mode_config.mutex); + + drm_client_modeset_release(client); + +@@ -875,6 +875,7 @@ int drm_client_modeset_probe(struct drm_ + modeset->y = offset->y; + } + } ++ mutex_unlock(&dev->mode_config.mutex); + + mutex_unlock(&client->modeset_mutex); + out: diff --git a/queue-6.6/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch b/queue-6.6/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch new file mode 100644 index 00000000000..c17669fdbc0 --- /dev/null +++ b/queue-6.6/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch @@ -0,0 +1,46 @@ +From dcd8992e47f13afb5c11a61e8d9c141c35e23751 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 5 Apr 2024 00:34:29 +0300 +Subject: drm/i915/vrr: Disable VRR when using bigjoiner +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit dcd8992e47f13afb5c11a61e8d9c141c35e23751 upstream. + +All joined pipes share the same transcoder/timing generator. +Currently we just do the commits per-pipe, which doesn't really +work if we need to change switch between non-VRR and VRR timings +generators on the fly, or even when sending the push to the +transcoder. For now just disable VRR when bigjoiner is needed. + +Cc: stable@vger.kernel.org +Tested-by: Vidya Srinivas +Reviewed-by: Vandita Kulkarni +Link: https://patchwork.freedesktop.org/patch/msgid/20240404213441.17637-6-ville.syrjala@linux.intel.com +Signed-off-by: Ville Syrjälä +(cherry picked from commit f9d5e51db65652dbd8a2102fd7619440e3599fd2) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_vrr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_vrr.c ++++ b/drivers/gpu/drm/i915/display/intel_vrr.c +@@ -111,6 +111,13 @@ intel_vrr_compute_config(struct intel_cr + if (!intel_vrr_is_capable(connector)) + return; + ++ /* ++ * FIXME all joined pipes share the same transcoder. ++ * Need to account for that during VRR toggle/push/etc. ++ */ ++ if (crtc_state->bigjoiner_pipes) ++ return; ++ + if (adjusted_mode->flags & DRM_MODE_FLAG_INTERLACE) + return; + diff --git a/queue-6.6/drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch b/queue-6.6/drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch new file mode 100644 index 00000000000..9876a56d377 --- /dev/null +++ b/queue-6.6/drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch @@ -0,0 +1,70 @@ +From 1fc9af813b25e146d3607669247d0f970f5a87c3 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 5 Jan 2024 21:46:11 +0300 +Subject: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() + +From: Boris Brezillon + +commit 1fc9af813b25e146d3607669247d0f970f5a87c3 upstream. + +Subject: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() + +If some the pages or sgt allocation failed, we shouldn't release the +pages ref we got earlier, otherwise we will end up with unbalanced +get/put_pages() calls. We should instead leave everything in place +and let the BO release function deal with extra cleanup when the object +is destroyed, or let the fault handler try again next time it's called. + +Fixes: 187d2929206e ("drm/panfrost: Add support for GPU heap allocations") +Cc: +Reviewed-by: Steven Price +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Boris Brezillon +Co-developed-by: Dmitry Osipenko +Signed-off-by: Dmitry Osipenko +Link: https://patchwork.freedesktop.org/patch/msgid/20240105184624.508603-18-dmitry.osipenko@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panfrost/panfrost_mmu.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c +@@ -500,11 +500,18 @@ static int panfrost_mmu_map_fault_addr(s + mapping_set_unevictable(mapping); + + for (i = page_offset; i < page_offset + NUM_FAULT_PAGES; i++) { ++ /* Can happen if the last fault only partially filled this ++ * section of the pages array before failing. In that case ++ * we skip already filled pages. ++ */ ++ if (pages[i]) ++ continue; ++ + pages[i] = shmem_read_mapping_page(mapping, i); + if (IS_ERR(pages[i])) { + ret = PTR_ERR(pages[i]); + pages[i] = NULL; +- goto err_pages; ++ goto err_unlock; + } + } + +@@ -512,7 +519,7 @@ static int panfrost_mmu_map_fault_addr(s + ret = sg_alloc_table_from_pages(sgt, pages + page_offset, + NUM_FAULT_PAGES, 0, SZ_2M, GFP_KERNEL); + if (ret) +- goto err_pages; ++ goto err_unlock; + + ret = dma_map_sgtable(pfdev->dev, sgt, DMA_BIDIRECTIONAL, 0); + if (ret) +@@ -534,8 +541,6 @@ out: + + err_map: + sg_free_table(sgt); +-err_pages: +- drm_gem_shmem_put_pages(&bo->base); + err_unlock: + dma_resv_unlock(obj->resv); + err_bo: diff --git a/queue-6.6/drm-vmwgfx-enable-dma-mappings-with-sev.patch b/queue-6.6/drm-vmwgfx-enable-dma-mappings-with-sev.patch new file mode 100644 index 00000000000..45f28874ee7 --- /dev/null +++ b/queue-6.6/drm-vmwgfx-enable-dma-mappings-with-sev.patch @@ -0,0 +1,49 @@ +From 4c08f01934ab67d1d283d5cbaa52b923abcfe4cd Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Sun, 7 Apr 2024 22:28:02 -0400 +Subject: drm/vmwgfx: Enable DMA mappings with SEV + +From: Zack Rusin + +commit 4c08f01934ab67d1d283d5cbaa52b923abcfe4cd upstream. + +Enable DMA mappings in vmwgfx after TTM has been fixed in commit +3bf3710e3718 ("drm/ttm: Add a generic TTM memcpy move for page-based iomem") + +This enables full guest-backed memory support and in particular allows +usage of screen targets as the presentation mechanism. + +Signed-off-by: Zack Rusin +Reported-by: Ye Li +Tested-by: Ye Li +Fixes: 3b0d6458c705 ("drm/vmwgfx: Refuse DMA operation when SEV encryption is active") +Cc: Broadcom internal kernel review list +Cc: dri-devel@lists.freedesktop.org +Cc: # v6.6+ +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20240408022802.358641-1-zack.rusin@broadcom.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -666,11 +666,12 @@ static int vmw_dma_select_mode(struct vm + [vmw_dma_map_populate] = "Caching DMA mappings.", + [vmw_dma_map_bind] = "Giving up DMA mappings early."}; + +- /* TTM currently doesn't fully support SEV encryption. */ +- if (cc_platform_has(CC_ATTR_MEM_ENCRYPT)) +- return -EINVAL; +- +- if (vmw_force_coherent) ++ /* ++ * When running with SEV we always want dma mappings, because ++ * otherwise ttm tt pool pages will bounce through swiotlb running ++ * out of available space. ++ */ ++ if (vmw_force_coherent || cc_platform_has(CC_ATTR_MEM_ENCRYPT)) + dev_priv->map_mode = vmw_dma_alloc_coherent; + else if (vmw_restrict_iommu) + dev_priv->map_mode = vmw_dma_map_bind; diff --git a/queue-6.6/io_uring-net-restore-msg_control-on-sendzc-retry.patch b/queue-6.6/io_uring-net-restore-msg_control-on-sendzc-retry.patch new file mode 100644 index 00000000000..86ac38706b0 --- /dev/null +++ b/queue-6.6/io_uring-net-restore-msg_control-on-sendzc-retry.patch @@ -0,0 +1,35 @@ +From 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 8 Apr 2024 18:11:09 +0100 +Subject: io_uring/net: restore msg_control on sendzc retry + +From: Pavel Begunkov + +commit 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 upstream. + +cac9e4418f4cb ("io_uring/net: save msghdr->msg_control for retries") +reinstatiates msg_control before every __sys_sendmsg_sock(), since the +function can overwrite the value in msghdr. We need to do same for +zerocopy sendmsg. + +Cc: stable@vger.kernel.org +Fixes: 493108d95f146 ("io_uring/net: zerocopy sendmsg") +Link: https://github.com/axboe/liburing/issues/1067 +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/cc1d5d9df0576fa66ddad4420d240a98a020b267.1712596179.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1274,6 +1274,7 @@ int io_sendmsg_zc(struct io_kiocb *req, + + if (req_has_async_data(req)) { + kmsg = req->async_data; ++ kmsg->msg.msg_control_user = sr->msg_control; + } else { + ret = io_sendmsg_copy_hdr(req, &iomsg); + if (ret) diff --git a/queue-6.6/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch b/queue-6.6/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch new file mode 100644 index 00000000000..72855b70dbc --- /dev/null +++ b/queue-6.6/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch @@ -0,0 +1,74 @@ +From 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Wed, 10 Apr 2024 09:58:02 +0800 +Subject: kprobes: Fix possible use-after-free issue on kprobe registration + +From: Zheng Yejian + +commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream. + +When unloading a module, its state is changing MODULE_STATE_LIVE -> + MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take +a time. `is_module_text_address()` and `__module_text_address()` +works with MODULE_STATE_LIVE and MODULE_STATE_GOING. +If we use `is_module_text_address()` and `__module_text_address()` +separately, there is a chance that the first one is succeeded but the +next one is failed because module->state becomes MODULE_STATE_UNFORMED +between those operations. + +In `check_kprobe_address_safe()`, if the second `__module_text_address()` +is failed, that is ignored because it expected a kernel_text address. +But it may have failed simply because module->state has been changed +to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify +non-exist module text address (use-after-free). + +To fix this problem, we should not use separated `is_module_text_address()` +and `__module_text_address()`, but use only `__module_text_address()` +once and do `try_module_get(module)` which is only available with +MODULE_STATE_LIVE. + +Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/ + +Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas") +Cc: stable@vger.kernel.org +Signed-off-by: Zheng Yejian +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1567,10 +1567,17 @@ static int check_kprobe_address_safe(str + jump_label_lock(); + preempt_disable(); + +- /* Ensure it is not in reserved area nor out of text */ +- if (!(core_kernel_text((unsigned long) p->addr) || +- is_module_text_address((unsigned long) p->addr)) || +- in_gate_area_no_mm((unsigned long) p->addr) || ++ /* Ensure the address is in a text area, and find a module if exists. */ ++ *probed_mod = NULL; ++ if (!core_kernel_text((unsigned long) p->addr)) { ++ *probed_mod = __module_text_address((unsigned long) p->addr); ++ if (!(*probed_mod)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ } ++ /* Ensure it is not in reserved area. */ ++ if (in_gate_area_no_mm((unsigned long) p->addr) || + within_kprobe_blacklist((unsigned long) p->addr) || + jump_label_text_reserved(p->addr, p->addr) || + static_call_text_reserved(p->addr, p->addr) || +@@ -1580,8 +1587,7 @@ static int check_kprobe_address_safe(str + goto out; + } + +- /* Check if 'p' is probing a module. */ +- *probed_mod = __module_text_address((unsigned long) p->addr); ++ /* Get module refcount and reject __init functions for loaded modules. */ + if (*probed_mod) { + /* + * We must hold a refcount of the probed module while updating diff --git a/queue-6.6/perf-x86-fix-out-of-range-data.patch b/queue-6.6/perf-x86-fix-out-of-range-data.patch new file mode 100644 index 00000000000..af5f4762cf5 --- /dev/null +++ b/queue-6.6/perf-x86-fix-out-of-range-data.patch @@ -0,0 +1,109 @@ +From dec8ced871e17eea46f097542dd074d022be4bd1 Mon Sep 17 00:00:00 2001 +From: Namhyung Kim +Date: Tue, 5 Mar 2024 22:10:03 -0800 +Subject: perf/x86: Fix out of range data + +From: Namhyung Kim + +commit dec8ced871e17eea46f097542dd074d022be4bd1 upstream. + +On x86 each struct cpu_hw_events maintains a table for counter assignment but +it missed to update one for the deleted event in x86_pmu_del(). This +can make perf_clear_dirty_counters() reset used counter if it's called +before event scheduling or enabling. Then it would return out of range +data which doesn't make sense. + +The following code can reproduce the problem. + + $ cat repro.c + #include + #include + #include + #include + #include + #include + #include + #include + + struct perf_event_attr attr = { + .type = PERF_TYPE_HARDWARE, + .config = PERF_COUNT_HW_CPU_CYCLES, + .disabled = 1, + }; + + void *worker(void *arg) + { + int cpu = (long)arg; + int fd1 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); + int fd2 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); + void *p; + + do { + ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0); + p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd1, 0); + ioctl(fd2, PERF_EVENT_IOC_ENABLE, 0); + + ioctl(fd2, PERF_EVENT_IOC_DISABLE, 0); + munmap(p, 4096); + ioctl(fd1, PERF_EVENT_IOC_DISABLE, 0); + } while (1); + + return NULL; + } + + int main(void) + { + int i; + int n = sysconf(_SC_NPROCESSORS_ONLN); + pthread_t *th = calloc(n, sizeof(*th)); + + for (i = 0; i < n; i++) + pthread_create(&th[i], NULL, worker, (void *)(long)i); + for (i = 0; i < n; i++) + pthread_join(th[i], NULL); + + free(th); + return 0; + } + +And you can see the out of range data using perf stat like this. +Probably it'd be easier to see on a large machine. + + $ gcc -o repro repro.c -pthread + $ ./repro & + $ sudo perf stat -A -I 1000 2>&1 | awk '{ if (length($3) > 15) print }' + 1.001028462 CPU6 196,719,295,683,763 cycles # 194290.996 GHz (71.54%) + 1.001028462 CPU3 396,077,485,787,730 branch-misses # 15804359784.80% of all branches (71.07%) + 1.001028462 CPU17 197,608,350,727,877 branch-misses # 14594186554.56% of all branches (71.22%) + 2.020064073 CPU4 198,372,472,612,140 cycles # 194681.113 GHz (70.95%) + 2.020064073 CPU6 199,419,277,896,696 cycles # 195720.007 GHz (70.57%) + 2.020064073 CPU20 198,147,174,025,639 cycles # 194474.654 GHz (71.03%) + 2.020064073 CPU20 198,421,240,580,145 stalled-cycles-frontend # 100.14% frontend cycles idle (70.93%) + 3.037443155 CPU4 197,382,689,923,416 cycles # 194043.065 GHz (71.30%) + 3.037443155 CPU20 196,324,797,879,414 cycles # 193003.773 GHz (71.69%) + 3.037443155 CPU5 197,679,956,608,205 stalled-cycles-backend # 1315606428.66% backend cycles idle (71.19%) + 3.037443155 CPU5 198,571,860,474,851 instructions # 13215422.58 insn per cycle + +It should move the contents in the cpuc->assign as well. + +Fixes: 5471eea5d3bf ("perf/x86: Reset the dirty counter to prevent the leak for an RDPMC task") +Signed-off-by: Namhyung Kim +Signed-off-by: Ingo Molnar +Reviewed-by: Kan Liang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240306061003.1894224-1-namhyung@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1644,6 +1644,7 @@ static void x86_pmu_del(struct perf_even + while (++i < cpuc->n_events) { + cpuc->event_list[i-1] = cpuc->event_list[i]; + cpuc->event_constraint[i-1] = cpuc->event_constraint[i]; ++ cpuc->assign[i-1] = cpuc->assign[i]; + } + cpuc->event_constraint[i-1] = NULL; + --cpuc->n_events; diff --git a/queue-6.6/scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch b/queue-6.6/scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch new file mode 100644 index 00000000000..6de7dac18bb --- /dev/null +++ b/queue-6.6/scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch @@ -0,0 +1,100 @@ +From d4e655c49f474deffaf5ed7e65034b8167ee39c8 Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Mon, 1 Apr 2024 21:10:38 +0200 +Subject: scsi: sg: Avoid race in error handling & drop bogus warn + +From: Alexander Wetzel + +commit d4e655c49f474deffaf5ed7e65034b8167ee39c8 upstream. + +Commit 27f58c04a8f4 ("scsi: sg: Avoid sg device teardown race") introduced +an incorrect WARN_ON_ONCE() and missed a sequence where sg_device_destroy() +was used after scsi_device_put(). + +sg_device_destroy() is accessing the parent scsi_device request_queue which +will already be set to NULL when the preceding call to scsi_device_put() +removed the last reference to the parent scsi_device. + +Drop the incorrect WARN_ON_ONCE() - allowing more than one concurrent +access to the sg device - and make sure sg_device_destroy() is not used +after scsi_device_put() in the error handling. + +Link: https://lore.kernel.org/all/5375B275-D137-4D5F-BE25-6AF8ACAE41EF@linux.ibm.com +Fixes: 27f58c04a8f4 ("scsi: sg: Avoid sg device teardown race") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Wetzel +Link: https://lore.kernel.org/r/20240401191038.18359-1-Alexander@wetzel-home.de +Tested-by: Sachin Sant +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -285,6 +285,7 @@ sg_open(struct inode *inode, struct file + int dev = iminor(inode); + int flags = filp->f_flags; + struct request_queue *q; ++ struct scsi_device *device; + Sg_device *sdp; + Sg_fd *sfp; + int retval; +@@ -301,11 +302,12 @@ sg_open(struct inode *inode, struct file + + /* This driver's module count bumped by fops_get in */ + /* Prevent the device driver from vanishing while we sleep */ +- retval = scsi_device_get(sdp->device); ++ device = sdp->device; ++ retval = scsi_device_get(device); + if (retval) + goto sg_put; + +- retval = scsi_autopm_get_device(sdp->device); ++ retval = scsi_autopm_get_device(device); + if (retval) + goto sdp_put; + +@@ -313,7 +315,7 @@ sg_open(struct inode *inode, struct file + * check if O_NONBLOCK. Permits SCSI commands to be issued + * during error recovery. Tread carefully. */ + if (!((flags & O_NONBLOCK) || +- scsi_block_when_processing_errors(sdp->device))) { ++ scsi_block_when_processing_errors(device))) { + retval = -ENXIO; + /* we are in error recovery for this device */ + goto error_out; +@@ -344,7 +346,7 @@ sg_open(struct inode *inode, struct file + + if (sdp->open_cnt < 1) { /* no existing opens */ + sdp->sgdebug = 0; +- q = sdp->device->request_queue; ++ q = device->request_queue; + sdp->sg_tablesize = queue_max_segments(q); + } + sfp = sg_add_sfp(sdp); +@@ -370,10 +372,11 @@ out_undo: + error_mutex_locked: + mutex_unlock(&sdp->open_rel_lock); + error_out: +- scsi_autopm_put_device(sdp->device); ++ scsi_autopm_put_device(device); + sdp_put: +- scsi_device_put(sdp->device); +- goto sg_put; ++ kref_put(&sdp->d_ref, sg_device_destroy); ++ scsi_device_put(device); ++ return retval; + } + + /* Release resources associated with a successful sg_open() +@@ -2234,7 +2237,6 @@ sg_remove_sfp_usercontext(struct work_st + "sg_remove_sfp: sfp=0x%p\n", sfp)); + kfree(sfp); + +- WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1); + kref_put(&sdp->d_ref, sg_device_destroy); + scsi_device_put(device); + module_put(THIS_MODULE); diff --git a/queue-6.6/scsi-sg-avoid-sg-device-teardown-race.patch b/queue-6.6/scsi-sg-avoid-sg-device-teardown-race.patch new file mode 100644 index 00000000000..c6e024b2190 --- /dev/null +++ b/queue-6.6/scsi-sg-avoid-sg-device-teardown-race.patch @@ -0,0 +1,51 @@ +From 27f58c04a8f438078583041468ec60597841284d Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Wed, 20 Mar 2024 22:30:32 +0100 +Subject: scsi: sg: Avoid sg device teardown race + +From: Alexander Wetzel + +commit 27f58c04a8f438078583041468ec60597841284d upstream. + +sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling +scsi_device_put(). + +sg_device_destroy() is accessing the parent scsi_device request_queue which +will already be set to NULL when the preceding call to scsi_device_put() +removed the last reference to the parent scsi_device. + +The resulting NULL pointer exception will then crash the kernel. + +Link: https://lore.kernel.org/r/20240305150509.23896-1-Alexander@wetzel-home.de +Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Wetzel +Link: https://lore.kernel.org/r/20240320213032.18221-1-Alexander@wetzel-home.de +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -2208,6 +2208,7 @@ sg_remove_sfp_usercontext(struct work_st + { + struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work); + struct sg_device *sdp = sfp->parentdp; ++ struct scsi_device *device = sdp->device; + Sg_request *srp; + unsigned long iflags; + +@@ -2233,8 +2234,9 @@ sg_remove_sfp_usercontext(struct work_st + "sg_remove_sfp: sfp=0x%p\n", sfp)); + kfree(sfp); + +- scsi_device_put(sdp->device); ++ WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1); + kref_put(&sdp->d_ref, sg_device_destroy); ++ scsi_device_put(device); + module_put(THIS_MODULE); + } + diff --git a/queue-6.6/series b/queue-6.6/series index da923e157c2..597184d372c 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -77,3 +77,28 @@ tracing-hide-unused-ftrace_event_id_fops.patch iommu-vt-d-fix-wrong-use-of-pasid-config.patch iommu-vt-d-allocate-local-memory-for-page-request-qu.patch selftests-mptcp-use-operator-to-append-strings.patch +btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch +btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch +btrfs-record-delayed-inode-root-in-transaction.patch +btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch +io_uring-net-restore-msg_control-on-sendzc-retry.patch +kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch +scsi-sg-avoid-sg-device-teardown-race.patch +scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch +accel-ivpu-fix-deadlock-in-context_xa.patch +drm-vmwgfx-enable-dma-mappings-with-sev.patch +drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch +drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch +drm-ast-fix-soft-lockup.patch +drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch +drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch +arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch +arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch +arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch +arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch +arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch +arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch +vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch +vhost-add-smp_rmb-in-vhost_enable_notify.patch +perf-x86-fix-out-of-range-data.patch +x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch diff --git a/queue-6.6/vhost-add-smp_rmb-in-vhost_enable_notify.patch b/queue-6.6/vhost-add-smp_rmb-in-vhost_enable_notify.patch new file mode 100644 index 00000000000..eca78a0097e --- /dev/null +++ b/queue-6.6/vhost-add-smp_rmb-in-vhost_enable_notify.patch @@ -0,0 +1,70 @@ +From df9ace7647d4123209395bb9967e998d5758c645 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Thu, 28 Mar 2024 10:21:48 +1000 +Subject: vhost: Add smp_rmb() in vhost_enable_notify() + +From: Gavin Shan + +commit df9ace7647d4123209395bb9967e998d5758c645 upstream. + +A smp_rmb() has been missed in vhost_enable_notify(), inspired by +Will. Otherwise, it's not ensured the available ring entries pushed +by guest can be observed by vhost in time, leading to stale available +ring entries fetched by vhost in vhost_get_vq_desc(), as reported by +Yihuang Yu on NVidia's grace-hopper (ARM64) platform. + + /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ + -accel kvm -machine virt,gic-version=host -cpu host \ + -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \ + -m 4096M,slots=16,maxmem=64G \ + -object memory-backend-ram,id=mem0,size=4096M \ + : \ + -netdev tap,id=vnet0,vhost=true \ + -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0 + : + guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM + virtio_net virtio0: output.0:id 100 is not a head! + +Add the missed smp_rmb() in vhost_enable_notify(). When it returns true, +it means there's still pending tx buffers. Since it might read indices, +so it still can bypass the smp_rmb() in vhost_get_vq_desc(). Note that +it should be safe until vq->avail_idx is changed by commit d3bb267bbdcb +("vhost: cache avail index in vhost_enable_notify()"). + +Fixes: d3bb267bbdcb ("vhost: cache avail index in vhost_enable_notify()") +Cc: # v5.18+ +Reported-by: Yihuang Yu +Suggested-by: Will Deacon +Signed-off-by: Gavin Shan +Acked-by: Jason Wang +Message-Id: <20240328002149.1141302-3-gshan@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2848,9 +2848,19 @@ bool vhost_enable_notify(struct vhost_de + &vq->avail->idx, r); + return false; + } ++ + vq->avail_idx = vhost16_to_cpu(vq, avail_idx); ++ if (vq->avail_idx != vq->last_avail_idx) { ++ /* Since we have updated avail_idx, the following ++ * call to vhost_get_vq_desc() will read available ++ * ring entries. Make sure that read happens after ++ * the avail_idx read. ++ */ ++ smp_rmb(); ++ return true; ++ } + +- return vq->avail_idx != vq->last_avail_idx; ++ return false; + } + EXPORT_SYMBOL_GPL(vhost_enable_notify); + diff --git a/queue-6.6/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch b/queue-6.6/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch new file mode 100644 index 00000000000..f86808e1a40 --- /dev/null +++ b/queue-6.6/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch @@ -0,0 +1,70 @@ +From 22e1992cf7b034db5325660e98c41ca5afa5f519 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Thu, 28 Mar 2024 10:21:47 +1000 +Subject: vhost: Add smp_rmb() in vhost_vq_avail_empty() + +From: Gavin Shan + +commit 22e1992cf7b034db5325660e98c41ca5afa5f519 upstream. + +A smp_rmb() has been missed in vhost_vq_avail_empty(), spotted by +Will. Otherwise, it's not ensured the available ring entries pushed +by guest can be observed by vhost in time, leading to stale available +ring entries fetched by vhost in vhost_get_vq_desc(), as reported by +Yihuang Yu on NVidia's grace-hopper (ARM64) platform. + + /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ + -accel kvm -machine virt,gic-version=host -cpu host \ + -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \ + -m 4096M,slots=16,maxmem=64G \ + -object memory-backend-ram,id=mem0,size=4096M \ + : \ + -netdev tap,id=vnet0,vhost=true \ + -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0 + : + guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM + virtio_net virtio0: output.0:id 100 is not a head! + +Add the missed smp_rmb() in vhost_vq_avail_empty(). When tx_can_batch() +returns true, it means there's still pending tx buffers. Since it might +read indices, so it still can bypass the smp_rmb() in vhost_get_vq_desc(). +Note that it should be safe until vq->avail_idx is changed by commit +275bf960ac697 ("vhost: better detection of available buffers"). + +Fixes: 275bf960ac69 ("vhost: better detection of available buffers") +Cc: # v4.11+ +Reported-by: Yihuang Yu +Suggested-by: Will Deacon +Signed-off-by: Gavin Shan +Acked-by: Jason Wang +Message-Id: <20240328002149.1141302-2-gshan@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2799,9 +2799,19 @@ bool vhost_vq_avail_empty(struct vhost_d + r = vhost_get_avail_idx(vq, &avail_idx); + if (unlikely(r)) + return false; ++ + vq->avail_idx = vhost16_to_cpu(vq, avail_idx); ++ if (vq->avail_idx != vq->last_avail_idx) { ++ /* Since we have updated avail_idx, the following ++ * call to vhost_get_vq_desc() will read available ++ * ring entries. Make sure that read happens after ++ * the avail_idx read. ++ */ ++ smp_rmb(); ++ return false; ++ } + +- return vq->avail_idx == vq->last_avail_idx; ++ return true; + } + EXPORT_SYMBOL_GPL(vhost_vq_avail_empty); + diff --git a/queue-6.6/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch b/queue-6.6/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch new file mode 100644 index 00000000000..495a1ce9742 --- /dev/null +++ b/queue-6.6/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch @@ -0,0 +1,47 @@ +From f337a6a21e2fd67eadea471e93d05dd37baaa9be Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 9 Apr 2024 10:51:05 -0700 +Subject: x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit f337a6a21e2fd67eadea471e93d05dd37baaa9be upstream. + +Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built +with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly +states that disabling SPECULATION_MITIGATIONS is supposed to turn off all +mitigations by default. + + │ If you say N, all mitigations will be disabled. You really + │ should know what you are doing to say so. + +As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in +some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n. + +Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs") +Signed-off-by: Sean Christopherson +Signed-off-by: Ingo Molnar +Reviewed-by: Daniel Sneddon +Cc: stable@vger.kernel.org +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20240409175108.1512861-2-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -3208,7 +3208,8 @@ enum cpu_mitigations { + }; + + static enum cpu_mitigations cpu_mitigations __ro_after_init = +- CPU_MITIGATIONS_AUTO; ++ IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : ++ CPU_MITIGATIONS_OFF; + + static int __init mitigations_parse_cmdline(char *arg) + {