From: Greg Kroah-Hartman Date: Mon, 29 Apr 2024 11:46:22 +0000 (+0200) Subject: 6.8-stable patches X-Git-Tag: v4.19.313~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ea0374e8058c67876e84532ce245d7db9506a25;p=thirdparty%2Fkernel%2Fstable-queue.git 6.8-stable patches added patches: arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch bluetooth-qca-fix-invalid-device-address-check.patch bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch btrfs-fallback-if-compressed-io-fails-for-enospc.patch btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch btrfs-scrub-run-relocation-repair-when-only-needed.patch cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch dmaengine-revert-dmaengine-pl330-issue_pending-waits-until-wfp-state.patch dmaengine-xilinx-xdma-fix-synchronization-issue.patch dmaengine-xilinx-xdma-fix-wrong-offsets-in-the-buffers-addresses-in-dma-descriptor.patch drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch drm-amdgpu-pm-remove-gpu_od-if-it-s-an-empty-directory.patch drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch drm-amdgpu-umsch-don-t-execute-umsch-test-when-gpu-is-in-reset-suspend.patch drm-amdkfd-fix-eviction-fence-handling.patch drm-amdkfd-fix-rescheduling-of-restore-worker.patch drm-atomic-helper-fix-parameter-order-in-drm_format_conv_state_copy-call.patch eeprom-at24-fix-memory-corruption-race-condition.patch hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch hid-i2c-hid-revert-to-await-reset-ack-before-reading-report-descriptor.patch kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch mm-create-folio_flag_false-and-folio_type_ops-macros.patch mm-hugetlb-fix-debug_locks_warn_on-1-when-dissolve_free_hugetlb_folio.patch mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch mm-support-page_mapcount-on-page_has_type-pages.patch mmc-sdhci-msm-pervent-access-to-suspended-controller.patch mmc-sdhci-of-dwcmshc-th1520-increase-tuning-loop-count-to-128.patch mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch rust-don-t-select-constructors.patch rust-init-remove-impl-zeroable-for-infallible.patch rust-kernel-require-send-for-module-implementations.patch rust-make-mutually-exclusive-with-cfi_clang.patch rust-remove-params-from-module-macro-example.patch smb-client-fix-struct_group-usage-in-__packed-structs.patch smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch smb3-missing-lock-when-picking-channel.patch x86-tdx-preserve-shared-bit-on-mprotect.patch --- diff --git a/queue-6.8/arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch b/queue-6.8/arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch new file mode 100644 index 00000000000..a033c461d58 --- /dev/null +++ b/queue-6.8/arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch @@ -0,0 +1,67 @@ +From 8b8ec83a1d7d3b6605d9163d2e306971295a4ce8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 6 Mar 2024 10:56:50 +0100 +Subject: arm64: dts: qcom: sc8280xp: add missing PCIe minimum OPP + +From: Johan Hovold + +commit 8b8ec83a1d7d3b6605d9163d2e306971295a4ce8 upstream. + +Add the missing PCIe CX performance level votes to avoid relying on +other drivers (e.g. USB or UFS) to maintain the nominal performance +level required for Gen3 speeds. + +Fixes: 813e83157001 ("arm64: dts: qcom: sc8280xp/sa8540p: add PCIe2-4 nodes") +Cc: stable@vger.kernel.org # 6.2 +Reviewed-by: Konrad Dybcio +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20240306095651.4551-5-johan+linaro@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm64/boot/dts/qcom/sc8280xp.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc8280xp.dtsi +@@ -1774,6 +1774,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_4_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie4_phy>; + phy-names = "pciephy"; +@@ -1872,6 +1873,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_3B_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie3b_phy>; + phy-names = "pciephy"; +@@ -1970,6 +1972,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_3A_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie3a_phy>; + phy-names = "pciephy"; +@@ -2071,6 +2074,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_2B_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie2b_phy>; + phy-names = "pciephy"; +@@ -2169,6 +2173,7 @@ + reset-names = "pci"; + + power-domains = <&gcc PCIE_2A_GDSC>; ++ required-opps = <&rpmhpd_opp_nom>; + + phys = <&pcie2a_phy>; + phy-names = "pciephy"; diff --git a/queue-6.8/arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch b/queue-6.8/arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch new file mode 100644 index 00000000000..bda8b231a32 --- /dev/null +++ b/queue-6.8/arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch @@ -0,0 +1,61 @@ +From ecc3ac293ed15ac2536e9fde2810154486f84010 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Mon, 18 Mar 2024 12:49:03 +0530 +Subject: arm64: dts: qcom: sm8450: Fix the msi-map entries + +From: Manivannan Sadhasivam + +commit ecc3ac293ed15ac2536e9fde2810154486f84010 upstream. + +While adding the GIC ITS MSI support, it was found that the msi-map entries +needed to be swapped to receive MSIs from the endpoint. + +But later it was identified that the swapping was needed due to a bug in +the Qualcomm PCIe controller driver. And since the bug is now fixed with +commit bf79e33cdd89 ("PCI: qcom: Enable BDF to SID translation properly"), +let's fix the msi-map entries also to reflect the actual mapping in the +hardware. + +Cc: stable@vger.kernel.org # 6.3: bf79e33cdd89 ("PCI: qcom: Enable BDF to SID translation properly") +Fixes: ff384ab56f16 ("arm64: dts: qcom: sm8450: Use GIC-ITS for PCIe0 and PCIe1") +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20240318-pci-bdf-sid-fix-v1-1-acca6c5d9cf1@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sm8450.dtsi | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi +@@ -1777,12 +1777,8 @@ + ranges = <0x01000000 0x0 0x00000000 0x0 0x60200000 0x0 0x100000>, + <0x02000000 0x0 0x60300000 0x0 0x60300000 0x0 0x3d00000>; + +- /* +- * MSIs for BDF (1:0.0) only works with Device ID 0x5980. +- * Hence, the IDs are swapped. +- */ +- msi-map = <0x0 &gic_its 0x5981 0x1>, +- <0x100 &gic_its 0x5980 0x1>; ++ msi-map = <0x0 &gic_its 0x5980 0x1>, ++ <0x100 &gic_its 0x5981 0x1>; + msi-map-mask = <0xff00>; + interrupts = ; + interrupt-names = "msi"; +@@ -1886,12 +1882,8 @@ + ranges = <0x01000000 0x0 0x00000000 0x0 0x40200000 0x0 0x100000>, + <0x02000000 0x0 0x40300000 0x0 0x40300000 0x0 0x1fd00000>; + +- /* +- * MSIs for BDF (1:0.0) only works with Device ID 0x5a00. +- * Hence, the IDs are swapped. +- */ +- msi-map = <0x0 &gic_its 0x5a01 0x1>, +- <0x100 &gic_its 0x5a00 0x1>; ++ msi-map = <0x0 &gic_its 0x5a00 0x1>, ++ <0x100 &gic_its 0x5a01 0x1>; + msi-map-mask = <0xff00>; + interrupts = ; + interrupt-names = "msi"; diff --git a/queue-6.8/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch b/queue-6.8/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch new file mode 100644 index 00000000000..b7bda4c9710 --- /dev/null +++ b/queue-6.8/arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch @@ -0,0 +1,45 @@ +From 0ac417b8f124427c90ec8c2ef4f632b821d924cc Mon Sep 17 00:00:00 2001 +From: Iskander Amara +Date: Fri, 8 Mar 2024 09:52:42 +0100 +Subject: arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma + +From: Iskander Amara + +commit 0ac417b8f124427c90ec8c2ef4f632b821d924cc upstream. + +Q7_THRM# pin is connected to a diode on the module which is used +as a level shifter, and the pin have a pull-down enabled by +default. We need to configure it to internal pull-up, other- +wise whenever the pin is configured as INPUT and we try to +control it externally the value will always remain zero. + +Signed-off-by: Iskander Amara +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Reviewed-by: Quentin Schulz +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240308085243.69903-1-iskander.amara@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi +@@ -422,6 +422,16 @@ + }; + + &pinctrl { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&q7_thermal_pin>; ++ ++ gpios { ++ q7_thermal_pin: q7-thermal-pin { ++ rockchip,pins = ++ <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>; ++ }; ++ }; ++ + i2c8 { + i2c8_xfer_a: i2c8-xfer { + rockchip,pins = diff --git a/queue-6.8/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch b/queue-6.8/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch new file mode 100644 index 00000000000..e238deab48f --- /dev/null +++ b/queue-6.8/bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch @@ -0,0 +1,69 @@ +From d1a5a7eede2977da3d2002d5ea3b519019cc1a98 Mon Sep 17 00:00:00 2001 +From: WangYuli +Date: Fri, 29 Mar 2024 10:34:39 +0800 +Subject: Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 + +From: WangYuli + +commit d1a5a7eede2977da3d2002d5ea3b519019cc1a98 upstream. + +Add the support ID(0x0bda, 0x4853) to usb_device_id table for +Realtek RTL8852BE. + +Without this change the device utilizes an obsolete version of +the firmware that is encoded in it rather than the updated Realtek +firmware and config files from the firmware directory. The latter +files implement many new features. + +The device table is as follows: + +T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=4853 Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Cc: stable@vger.kernel.org +Signed-off-by: Larry Finger +Signed-off-by: WangYuli +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -542,6 +542,8 @@ static const struct usb_device_id quirks + /* Realtek 8852BE Bluetooth devices */ + { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK | diff --git a/queue-6.8/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch b/queue-6.8/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch new file mode 100644 index 00000000000..0506e1cef99 --- /dev/null +++ b/queue-6.8/bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch @@ -0,0 +1,128 @@ +From 9bf4e919ccad613b3596eebf1ff37b05b6405307 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 1 Apr 2024 11:24:17 -0700 +Subject: Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() + +From: Nathan Chancellor + +commit 9bf4e919ccad613b3596eebf1ff37b05b6405307 upstream. + +After an innocuous optimization change in LLVM main (19.0.0), x86_64 +allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to +build due to the checks in check_copy_size(): + + In file included from net/bluetooth/sco.c:27: + In file included from include/linux/module.h:13: + In file included from include/linux/stat.h:19: + In file included from include/linux/time.h:60: + In file included from include/linux/time32.h:13: + In file included from include/linux/timex.h:67: + In file included from arch/x86/include/asm/timex.h:6: + In file included from arch/x86/include/asm/tsc.h:10: + In file included from arch/x86/include/asm/msr.h:15: + In file included from include/linux/percpu.h:7: + In file included from include/linux/smp.h:118: + include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' + declared with 'error' attribute: copy source size is too small + 244 | __bad_copy_from(); + | ^ + +The same exact error occurs in l2cap_sock.c. The copy_to_user() +statements that are failing come from l2cap_sock_getsockopt_old() and +sco_sock_getsockopt_old(). This does not occur with GCC with or without +KCSAN or Clang without KCSAN enabled. + +len is defined as an 'int' because it is assigned from +'__user int *optlen'. However, it is clamped against the result of +sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit +platforms). This is done with min_t() because min() requires compatible +types, which results in both len and the result of sizeof() being casted +to 'unsigned int', meaning len changes signs and the result of sizeof() +is truncated. From there, len is passed to copy_to_user(), which has a +third parameter type of 'unsigned long', so it is widened and changes +signs again. This excessive casting in combination with the KCSAN +instrumentation causes LLVM to fail to eliminate the __bad_copy_from() +call, failing the build. + +The official recommendation from LLVM developers is to consistently use +long types for all size variables to avoid the unnecessary casting in +the first place. Change the type of len to size_t in both +l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears +up the error while allowing min_t() to be replaced with min(), resulting +in simpler code with no casts and fewer implicit conversions. While len +is a different type than optlen now, it should result in no functional +change because the result of sizeof() will clamp all values of optlen in +the same manner as before. + +Cc: stable@vger.kernel.org +Closes: https://github.com/ClangBuiltLinux/linux/issues/2007 +Link: https://github.com/llvm/llvm-project/issues/85647 +Signed-off-by: Nathan Chancellor +Reviewed-by: Justin Stitt +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 7 ++++--- + net/bluetooth/sco.c | 7 ++++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -439,7 +439,8 @@ static int l2cap_sock_getsockopt_old(str + struct l2cap_chan *chan = l2cap_pi(sk)->chan; + struct l2cap_options opts; + struct l2cap_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -486,7 +487,7 @@ static int l2cap_sock_getsockopt_old(str + + BT_DBG("mode 0x%2.2x", chan->mode); + +- len = min_t(unsigned int, len, sizeof(opts)); ++ len = min(len, sizeof(opts)); + if (copy_to_user(optval, (char *) &opts, len)) + err = -EFAULT; + +@@ -536,7 +537,7 @@ static int l2cap_sock_getsockopt_old(str + cinfo.hci_handle = chan->conn->hcon->handle; + memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *) &cinfo, len)) + err = -EFAULT; + +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -964,7 +964,8 @@ static int sco_sock_getsockopt_old(struc + struct sock *sk = sock->sk; + struct sco_options opts; + struct sco_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + + BT_DBG("sk %p", sk); + +@@ -986,7 +987,7 @@ static int sco_sock_getsockopt_old(struc + + BT_DBG("mtu %u", opts.mtu); + +- len = min_t(unsigned int, len, sizeof(opts)); ++ len = min(len, sizeof(opts)); + if (copy_to_user(optval, (char *)&opts, len)) + err = -EFAULT; + +@@ -1004,7 +1005,7 @@ static int sco_sock_getsockopt_old(struc + cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *)&cinfo, len)) + err = -EFAULT; + diff --git a/queue-6.8/bluetooth-qca-fix-invalid-device-address-check.patch b/queue-6.8/bluetooth-qca-fix-invalid-device-address-check.patch new file mode 100644 index 00000000000..b4caf5f0421 --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-invalid-device-address-check.patch @@ -0,0 +1,116 @@ +From 32868e126c78876a8a5ddfcb6ac8cb2fffcf4d27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 16 Apr 2024 11:15:09 +0200 +Subject: Bluetooth: qca: fix invalid device address check + +From: Johan Hovold + +commit 32868e126c78876a8a5ddfcb6ac8cb2fffcf4d27 upstream. + +Qualcomm Bluetooth controllers may not have been provisioned with a +valid device address and instead end up using the default address +00:00:00:00:5a:ad. + +This was previously believed to be due to lack of persistent storage for +the address but it may also be due to integrators opting to not use the +on-chip OTP memory and instead store the address elsewhere (e.g. in +storage managed by secure world firmware). + +According to Qualcomm, at least WCN6750, WCN6855 and WCN7850 have +on-chip OTP storage for the address. + +As the device type alone cannot be used to determine when the address is +valid, instead read back the address during setup() and only set the +HCI_QUIRK_USE_BDADDR_PROPERTY flag when needed. + +This specifically makes sure that controllers that have been provisioned +with an address do not start as unconfigured. + +Reported-by: Janaki Ramaiah Thota +Link: https://lore.kernel.org/r/124a7d54-5a18-4be7-9a76-a12017f6cce5@quicinc.com/ +Fixes: 5971752de44c ("Bluetooth: hci_qca: Set HCI_QUIRK_USE_BDADDR_PROPERTY for wcn3990") +Fixes: e668eb1e1578 ("Bluetooth: hci_core: Don't stop BT if the BD address missing in dts") +Fixes: 6945795bc81a ("Bluetooth: fix use-bdaddr-property quirk") +Cc: stable@vger.kernel.org # 6.5 +Cc: Matthias Kaehlcke +Signed-off-by: Johan Hovold +Reported-by: Janaki Ramaiah Thota +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++++++++ + drivers/bluetooth/hci_qca.c | 2 -- + 2 files changed, 38 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btqca.c ++++ b/drivers/bluetooth/btqca.c +@@ -15,6 +15,8 @@ + + #define VERSION "0.1" + ++#define QCA_BDADDR_DEFAULT (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x00, 0x00 }}) ++ + int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, + enum qca_btsoc_type soc_type) + { +@@ -612,6 +614,38 @@ int qca_set_bdaddr_rome(struct hci_dev * + } + EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); + ++static int qca_check_bdaddr(struct hci_dev *hdev) ++{ ++ struct hci_rp_read_bd_addr *bda; ++ struct sk_buff *skb; ++ int err; ++ ++ if (bacmp(&hdev->public_addr, BDADDR_ANY)) ++ return 0; ++ ++ skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, ++ HCI_INIT_TIMEOUT); ++ if (IS_ERR(skb)) { ++ err = PTR_ERR(skb); ++ bt_dev_err(hdev, "Failed to read device address (%d)", err); ++ return err; ++ } ++ ++ if (skb->len != sizeof(*bda)) { ++ bt_dev_err(hdev, "Device address length mismatch"); ++ kfree_skb(skb); ++ return -EIO; ++ } ++ ++ bda = (struct hci_rp_read_bd_addr *)skb->data; ++ if (!bacmp(&bda->bdaddr, QCA_BDADDR_DEFAULT)) ++ set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); ++ ++ kfree_skb(skb); ++ ++ return 0; ++} ++ + static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size, + struct qca_btsoc_version ver, u8 rom_ver, u16 bid) + { +@@ -818,6 +852,10 @@ int qca_uart_setup(struct hci_dev *hdev, + break; + } + ++ err = qca_check_bdaddr(hdev); ++ if (err) ++ return err; ++ + bt_dev_info(hdev, "QCA setup on UART is completed"); + + return 0; +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1905,8 +1905,6 @@ retry: + case QCA_WCN6750: + case QCA_WCN6855: + case QCA_WCN7850: +- set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks); +- + qcadev = serdev_device_get_drvdata(hu->serdev); + if (qcadev->bdaddr_property_broken) + set_bit(HCI_QUIRK_BDADDR_PROPERTY_BROKEN, &hdev->quirks); diff --git a/queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch b/queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch new file mode 100644 index 00000000000..362ab43a25b --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch @@ -0,0 +1,40 @@ +From 7ddb9de6af0f1c71147785b12fd7c8ec3f06cc86 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 22 Apr 2024 15:57:48 +0200 +Subject: Bluetooth: qca: fix NULL-deref on non-serdev setup + +From: Johan Hovold + +commit 7ddb9de6af0f1c71147785b12fd7c8ec3f06cc86 upstream. + +Qualcomm ROME controllers can be registered from the Bluetooth line +discipline and in this case the HCI UART serdev pointer is NULL. + +Add the missing sanity check to prevent a NULL-pointer dereference when +setup() is called for a non-serdev controller. + +Fixes: e9b3e5b8c657 ("Bluetooth: hci_qca: only assign wakeup with serial port support") +Cc: stable@vger.kernel.org # 6.2 +Cc: Zhengping Jiang +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_qca.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1958,8 +1958,10 @@ retry: + qca_debugfs_init(hdev); + hu->hdev->hw_error = qca_hw_error; + hu->hdev->cmd_timeout = qca_cmd_timeout; +- if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) +- hu->hdev->wakeup = qca_wakeup; ++ if (hu->serdev) { ++ if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) ++ hu->hdev->wakeup = qca_wakeup; ++ } + } else if (ret == -ENOENT) { + /* No patch/nvm-config found, run with original fw/config */ + set_bit(QCA_ROM_FW, &qca->flags); diff --git a/queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch b/queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch new file mode 100644 index 00000000000..64e9378f311 --- /dev/null +++ b/queue-6.8/bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch @@ -0,0 +1,41 @@ +From 73e87c0a49fda31d7b589edccf4c72e924411371 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 22 Apr 2024 15:57:47 +0200 +Subject: Bluetooth: qca: fix NULL-deref on non-serdev suspend + +From: Johan Hovold + +commit 73e87c0a49fda31d7b589edccf4c72e924411371 upstream. + +Qualcomm ROME controllers can be registered from the Bluetooth line +discipline and in this case the HCI UART serdev pointer is NULL. + +Add the missing sanity check to prevent a NULL-pointer dereference when +wakeup() is called for a non-serdev controller during suspend. + +Just return true for now to restore the original behaviour and address +the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657 +("Bluetooth: hci_qca: only assign wakeup with serial port support") that +causes the crash to happen already at setup() time. + +Fixes: c1a74160eaf1 ("Bluetooth: hci_qca: Add device_may_wakeup support") +Cc: stable@vger.kernel.org # 5.13 +Signed-off-by: Johan Hovold +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_qca.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -1672,6 +1672,9 @@ static bool qca_wakeup(struct hci_dev *h + struct hci_uart *hu = hci_get_drvdata(hdev); + bool wakeup; + ++ if (!hu->serdev) ++ return true; ++ + /* BT SoC attached through the serial bus is handled by the serdev driver. + * So we need to use the device handle of the serdev driver to get the + * status of device may wakeup. diff --git a/queue-6.8/btrfs-fallback-if-compressed-io-fails-for-enospc.patch b/queue-6.8/btrfs-fallback-if-compressed-io-fails-for-enospc.patch new file mode 100644 index 00000000000..6cd9d83eace --- /dev/null +++ b/queue-6.8/btrfs-fallback-if-compressed-io-fails-for-enospc.patch @@ -0,0 +1,71 @@ +From 131a821a243f89be312ced9e62ccc37b2cf3846c Mon Sep 17 00:00:00 2001 +From: Sweet Tea Dorminy +Date: Sat, 6 Apr 2024 04:45:02 -0400 +Subject: btrfs: fallback if compressed IO fails for ENOSPC + +From: Sweet Tea Dorminy + +commit 131a821a243f89be312ced9e62ccc37b2cf3846c upstream. + +In commit b4ccace878f4 ("btrfs: refactor submit_compressed_extents()"), if +an async extent compressed but failed to find enough space, we changed +from falling back to an uncompressed write to just failing the write +altogether. The principle was that if there's not enough space to write +the compressed version of the data, there can't possibly be enough space +to write the larger, uncompressed version of the data. + +However, this isn't necessarily true: due to fragmentation, there could +be enough discontiguous free blocks to write the uncompressed version, +but not enough contiguous free blocks to write the smaller but +unsplittable compressed version. + +This has occurred to an internal workload which relied on write()'s +return value indicating there was space. While rare, it has happened a +few times. + +Thus, in order to prevent early ENOSPC, re-add a fallback to +uncompressed writing. + +Fixes: b4ccace878f4 ("btrfs: refactor submit_compressed_extents()") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Co-developed-by: Neal Gompa +Signed-off-by: Neal Gompa +Signed-off-by: Sweet Tea Dorminy +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1144,13 +1144,13 @@ static void submit_one_async_extent(stru + 0, *alloc_hint, &ins, 1, 1); + if (ret) { + /* +- * Here we used to try again by going back to non-compressed +- * path for ENOSPC. But we can't reserve space even for +- * compressed size, how could it work for uncompressed size +- * which requires larger size? So here we directly go error +- * path. ++ * We can't reserve contiguous space for the compressed size. ++ * Unlikely, but it's possible that we could have enough ++ * non-contiguous space for the uncompressed size instead. So ++ * fall back to uncompressed. + */ +- goto out_free; ++ submit_uncompressed_range(inode, async_extent, locked_page); ++ goto done; + } + + /* Here we're doing allocation and writeback of the compressed pages */ +@@ -1202,7 +1202,6 @@ done: + out_free_reserve: + btrfs_dec_block_group_reservations(fs_info, ins.objectid); + btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 1); +-out_free: + mapping_set_error(inode->vfs_inode.i_mapping, -EIO); + extent_clear_unlock_delalloc(inode, start, end, + NULL, EXTENT_LOCKED | EXTENT_DELALLOC | diff --git a/queue-6.8/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch b/queue-6.8/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch new file mode 100644 index 00000000000..2dd0677a5d1 --- /dev/null +++ b/queue-6.8/btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch @@ -0,0 +1,95 @@ +From 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 17 Apr 2024 10:45:47 +0200 +Subject: btrfs: fix information leak in btrfs_ioctl_logical_to_ino() + +From: Johannes Thumshirn + +commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf upstream. + +Syzbot reported the following information leak for in +btrfs_ioctl_logical_to_ino(): + + BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] + BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + _copy_to_user+0xbc/0x110 lib/usercopy.c:40 + copy_to_user include/linux/uaccess.h:191 [inline] + btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 + btrfs_ioctl+0x714/0x1260 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 + __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 + x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Uninit was created at: + __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 + __do_kmalloc_node mm/slub.c:3954 [inline] + __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 + kmalloc_node include/linux/slab.h:648 [inline] + kvmalloc_node+0xc0/0x2d0 mm/util.c:634 + kvmalloc include/linux/slab.h:766 [inline] + init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 + btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 + btrfs_ioctl+0x714/0x1260 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:904 [inline] + __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 + __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 + x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + Bytes 40-65535 of 65536 are uninitialized + Memory access of size 65536 starts at ffff888045a40000 + +This happens, because we're copying a 'struct btrfs_data_container' back +to user-space. This btrfs_data_container is allocated in +'init_data_container()' via kvmalloc(), which does not zero-fill the +memory. + +Fix this by using kvzalloc() which zeroes out the memory on allocation. + +CC: stable@vger.kernel.org # 4.14+ +Reported-by: +Reviewed-by: Qu Wenruo +Reviewed-by: Filipe Manana +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/backref.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -2773,20 +2773,14 @@ struct btrfs_data_container *init_data_c + size_t alloc_bytes; + + alloc_bytes = max_t(size_t, total_bytes, sizeof(*data)); +- data = kvmalloc(alloc_bytes, GFP_KERNEL); ++ data = kvzalloc(alloc_bytes, GFP_KERNEL); + if (!data) + return ERR_PTR(-ENOMEM); + +- if (total_bytes >= sizeof(*data)) { ++ if (total_bytes >= sizeof(*data)) + data->bytes_left = total_bytes - sizeof(*data); +- data->bytes_missing = 0; +- } else { ++ else + data->bytes_missing = sizeof(*data) - total_bytes; +- data->bytes_left = 0; +- } +- +- data->elem_cnt = 0; +- data->elem_missed = 0; + + return data; + } diff --git a/queue-6.8/btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch b/queue-6.8/btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch new file mode 100644 index 00000000000..a7bf7a998f6 --- /dev/null +++ b/queue-6.8/btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch @@ -0,0 +1,103 @@ +From fe1c6c7acce10baf9521d6dccc17268d91ee2305 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 9 Apr 2024 20:32:34 +0930 +Subject: btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range() + +From: Qu Wenruo + +commit fe1c6c7acce10baf9521d6dccc17268d91ee2305 upstream. + +[BUG] +During my extent_map cleanup/refactor, with extra sanity checks, +extent-map-tests::test_case_7() would not pass the checks. + +The problem is, after btrfs_drop_extent_map_range(), the resulted +extent_map has a @block_start way too large. +Meanwhile my btrfs_file_extent_item based members are returning a +correct @disk_bytenr/@offset combination. + +The extent map layout looks like this: + + 0 16K 32K 48K + | PINNED | | Regular | + +The regular em at [32K, 48K) also has 32K @block_start. + +Then drop range [0, 36K), which should shrink the regular one to be +[36K, 48K). +However the @block_start is incorrect, we expect 32K + 4K, but got 52K. + +[CAUSE] +Inside btrfs_drop_extent_map_range() function, if we hit an extent_map +that covers the target range but is still beyond it, we need to split +that extent map into half: + + |<-- drop range -->| + |<----- existing extent_map --->| + +And if the extent map is not compressed, we need to forward +extent_map::block_start by the difference between the end of drop range +and the extent map start. + +However in that particular case, the difference is calculated using +(start + len - em->start). + +The problem is @start can be modified if the drop range covers any +pinned extent. + +This leads to wrong calculation, and would be caught by my later +extent_map sanity checks, which checks the em::block_start against +btrfs_file_extent_item::disk_bytenr + btrfs_file_extent_item::offset. + +This is a regression caused by commit c962098ca4af ("btrfs: fix +incorrect splitting in btrfs_drop_extent_map_range"), which removed the +@len update for pinned extents. + +[FIX] +Fix it by avoiding using @start completely, and use @end - em->start +instead, which @end is exclusive bytenr number. + +And update the test case to verify the @block_start to prevent such +problem from happening. + +Thankfully this is not going to lead to any data corruption, as IO path +does not utilize btrfs_drop_extent_map_range() with @skip_pinned set. + +So this fix is only here for the sake of consistency/correctness. + +CC: stable@vger.kernel.org # 6.5+ +Fixes: c962098ca4af ("btrfs: fix incorrect splitting in btrfs_drop_extent_map_range") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_map.c | 2 +- + fs/btrfs/tests/extent-map-tests.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/extent_map.c ++++ b/fs/btrfs/extent_map.c +@@ -818,7 +818,7 @@ void btrfs_drop_extent_map_range(struct + split->block_len = em->block_len; + split->orig_start = em->orig_start; + } else { +- const u64 diff = start + len - em->start; ++ const u64 diff = end - em->start; + + split->block_len = split->len; + split->block_start += diff; +--- a/fs/btrfs/tests/extent-map-tests.c ++++ b/fs/btrfs/tests/extent-map-tests.c +@@ -847,6 +847,11 @@ static int test_case_7(struct btrfs_fs_i + goto out; + } + ++ if (em->block_start != SZ_32K + SZ_4K) { ++ test_err("em->block_start is %llu, expected 36K", em->block_start); ++ goto out; ++ } ++ + free_extent_map(em); + + read_lock(&em_tree->lock); diff --git a/queue-6.8/btrfs-scrub-run-relocation-repair-when-only-needed.patch b/queue-6.8/btrfs-scrub-run-relocation-repair-when-only-needed.patch new file mode 100644 index 00000000000..d7099fda255 --- /dev/null +++ b/queue-6.8/btrfs-scrub-run-relocation-repair-when-only-needed.patch @@ -0,0 +1,69 @@ +From 7192833c4e55b26e8f15ef58577867a1bc808036 Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Tue, 9 Apr 2024 23:18:52 +0900 +Subject: btrfs: scrub: run relocation repair when/only needed + +From: Naohiro Aota + +commit 7192833c4e55b26e8f15ef58577867a1bc808036 upstream. + +When btrfs scrub finds an error, it reads mirrors to find correct data. If +all the errors are fixed, sctx->error_bitmap is cleared for the stripe +range. However, in the zoned mode, it runs relocation to repair scrub +errors when the bitmap is *not* empty, which is a flipped condition. + +Also, it runs the relocation even if the scrub is read-only. This was +missed by a fix in commit 1f2030ff6e49 ("btrfs: scrub: respect the +read-only flag during repair"). + +The repair is only necessary when there is a repaired sector and should be +done on read-write scrub. So, tweak the condition for both regular and +zoned case. + +Fixes: 54765392a1b9 ("btrfs: scrub: introduce helper to queue a stripe for scrub") +Fixes: 1f2030ff6e49 ("btrfs: scrub: respect the read-only flag during repair") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Qu Wenruo +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/scrub.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -1012,6 +1012,7 @@ static void scrub_stripe_read_repair_wor + struct btrfs_fs_info *fs_info = sctx->fs_info; + int num_copies = btrfs_num_copies(fs_info, stripe->bg->start, + stripe->bg->length); ++ unsigned long repaired; + int mirror; + int i; + +@@ -1078,16 +1079,15 @@ out: + * Submit the repaired sectors. For zoned case, we cannot do repair + * in-place, but queue the bg to be relocated. + */ +- if (btrfs_is_zoned(fs_info)) { +- if (!bitmap_empty(&stripe->error_bitmap, stripe->nr_sectors)) ++ bitmap_andnot(&repaired, &stripe->init_error_bitmap, &stripe->error_bitmap, ++ stripe->nr_sectors); ++ if (!sctx->readonly && !bitmap_empty(&repaired, stripe->nr_sectors)) { ++ if (btrfs_is_zoned(fs_info)) { + btrfs_repair_one_zone(fs_info, sctx->stripes[0].bg->start); +- } else if (!sctx->readonly) { +- unsigned long repaired; +- +- bitmap_andnot(&repaired, &stripe->init_error_bitmap, +- &stripe->error_bitmap, stripe->nr_sectors); +- scrub_write_sectors(sctx, stripe, repaired, false); +- wait_scrub_stripe_io(stripe); ++ } else { ++ scrub_write_sectors(sctx, stripe, repaired, false); ++ wait_scrub_stripe_io(stripe); ++ } + } + + scrub_stripe_report_errors(sctx, stripe); diff --git a/queue-6.8/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch b/queue-6.8/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch new file mode 100644 index 00000000000..e527e8ed7d1 --- /dev/null +++ b/queue-6.8/cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch @@ -0,0 +1,108 @@ +From fe42754b94a42d08cf9501790afc25c4f6a5f631 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 19 Apr 2024 17:05:54 -0700 +Subject: cpu: Re-enable CPU mitigations by default for !X86 architectures + +From: Sean Christopherson + +commit fe42754b94a42d08cf9501790afc25c4f6a5f631 upstream. + +Rename x86's to CPU_MITIGATIONS, define it in generic code, and force it +on for all architectures exception x86. A recent commit to turn +mitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta +missed that "cpu_mitigations" is completely generic, whereas +SPECULATION_MITIGATIONS is x86-specific. + +Rename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it +select CPU_MITIGATIONS, as having two configs for the same thing is +unnecessary and confusing. This will also allow x86 to use the knob to +manage mitigations that aren't strictly related to speculative +execution. + +Use another Kconfig to communicate to common code that CPU_MITIGATIONS +is already defined instead of having x86's menu depend on the common +CPU_MITIGATIONS. This allows keeping a single point of contact for all +of x86's mitigations, and it's not clear that other architectures *want* +to allow disabling mitigations at compile-time. + +Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n") +Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au +Reported-by: Stephen Rothwell +Reported-by: Michael Ellerman +Reported-by: Geert Uytterhoeven +Signed-off-by: Sean Christopherson +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Josh Poimboeuf +Acked-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240420000556.2645001-2-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/Kconfig | 8 ++++++++ + arch/x86/Kconfig | 11 ++++++----- + kernel/cpu.c | 4 ++-- + 3 files changed, 16 insertions(+), 7 deletions(-) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -9,6 +9,14 @@ + # + source "arch/$(SRCARCH)/Kconfig" + ++config ARCH_CONFIGURES_CPU_MITIGATIONS ++ bool ++ ++if !ARCH_CONFIGURES_CPU_MITIGATIONS ++config CPU_MITIGATIONS ++ def_bool y ++endif ++ + menu "General architecture-dependent options" + + config ARCH_HAS_SUBPAGE_FAULTS +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -62,6 +62,7 @@ config X86 + select ACPI_HOTPLUG_CPU if ACPI_PROCESSOR && HOTPLUG_CPU + select ARCH_32BIT_OFF_T if X86_32 + select ARCH_CLOCKSOURCE_INIT ++ select ARCH_CONFIGURES_CPU_MITIGATIONS + select ARCH_CORRECT_STACKTRACE_ON_KRETPROBE + select ARCH_ENABLE_HUGEPAGE_MIGRATION if X86_64 && HUGETLB_PAGE && MIGRATION + select ARCH_ENABLE_MEMORY_HOTPLUG if X86_64 +@@ -2467,17 +2468,17 @@ config PREFIX_SYMBOLS + def_bool y + depends on CALL_PADDING && !CFI_CLANG + +-menuconfig SPECULATION_MITIGATIONS +- bool "Mitigations for speculative execution vulnerabilities" ++menuconfig CPU_MITIGATIONS ++ bool "Mitigations for CPU vulnerabilities" + default y + help +- Say Y here to enable options which enable mitigations for +- speculative execution hardware vulnerabilities. ++ Say Y here to enable options which enable mitigations for hardware ++ vulnerabilities (usually related to speculative execution). + + If you say N, all mitigations will be disabled. You really + should know what you are doing to say so. + +-if SPECULATION_MITIGATIONS ++if CPU_MITIGATIONS + + config PAGE_TABLE_ISOLATION + bool "Remove the kernel mapping in user mode" +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -3207,8 +3207,8 @@ enum cpu_mitigations { + }; + + static enum cpu_mitigations cpu_mitigations __ro_after_init = +- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : +- CPU_MITIGATIONS_OFF; ++ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : ++ CPU_MITIGATIONS_OFF; + + static int __init mitigations_parse_cmdline(char *arg) + { diff --git a/queue-6.8/dmaengine-revert-dmaengine-pl330-issue_pending-waits-until-wfp-state.patch b/queue-6.8/dmaengine-revert-dmaengine-pl330-issue_pending-waits-until-wfp-state.patch new file mode 100644 index 00000000000..9c9bfb41680 --- /dev/null +++ b/queue-6.8/dmaengine-revert-dmaengine-pl330-issue_pending-waits-until-wfp-state.patch @@ -0,0 +1,33 @@ +From afc89870ea677bd5a44516eb981f7a259b74280c Mon Sep 17 00:00:00 2001 +From: Vinod Koul +Date: Thu, 28 Mar 2024 12:21:51 +0530 +Subject: dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state" + +From: Vinod Koul + +commit afc89870ea677bd5a44516eb981f7a259b74280c upstream. + +This reverts commit 22a9d9585812 ("dmaengine: pl330: issue_pending waits +until WFP state") as it seems to cause regression in pl330 driver. +Note the issue now exists in mainline so a fix to be done. + +Cc: stable@vger.kernel.org +Reported-by: karthikeyan +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1053,9 +1053,6 @@ static bool _trigger(struct pl330_thread + + thrd->req_running = idx; + +- if (desc->rqtype == DMA_MEM_TO_DEV || desc->rqtype == DMA_DEV_TO_MEM) +- UNTIL(thrd, PL330_STATE_WFP); +- + return true; + } + diff --git a/queue-6.8/dmaengine-xilinx-xdma-fix-synchronization-issue.patch b/queue-6.8/dmaengine-xilinx-xdma-fix-synchronization-issue.patch new file mode 100644 index 00000000000..1d1f8df57fd --- /dev/null +++ b/queue-6.8/dmaengine-xilinx-xdma-fix-synchronization-issue.patch @@ -0,0 +1,129 @@ +From 6a40fb8245965b481b4dcce011cd63f20bf91ee0 Mon Sep 17 00:00:00 2001 +From: Louis Chauvet +Date: Wed, 27 Mar 2024 10:58:49 +0100 +Subject: dmaengine: xilinx: xdma: Fix synchronization issue + +From: Louis Chauvet + +commit 6a40fb8245965b481b4dcce011cd63f20bf91ee0 upstream. + +The current xdma_synchronize method does not properly wait for the last +transfer to be done. Due to limitations of the XMDA engine, it is not +possible to stop a transfer in the middle of a descriptor. Said +otherwise, if a stop is requested at the end of descriptor "N" and the OS +is fast enough, the DMA controller will effectively stop immediately. +However, if the OS is slightly too slow to request the stop and the DMA +engine starts descriptor "N+1", the N+1 transfer will be performed until +its end. This means that after a terminate_all, the last descriptor must +remain valid and the synchronization must wait for this last descriptor to +be terminated. + +Fixes: 855c2e1d1842 ("dmaengine: xilinx: xdma: Rework xdma_terminate_all()") +Fixes: f5c392d106e7 ("dmaengine: xilinx: xdma: Add terminate_all/synchronize callbacks") +Cc: stable@vger.kernel.org +Suggested-by: Miquel Raynal +Signed-off-by: Louis Chauvet +Link: https://lore.kernel.org/r/20240327-digigram-xdma-fixes-v1-2-45f4a52c0283@bootlin.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/xilinx/xdma-regs.h | 3 +++ + drivers/dma/xilinx/xdma.c | 26 ++++++++++++++++++-------- + 2 files changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/dma/xilinx/xdma-regs.h ++++ b/drivers/dma/xilinx/xdma-regs.h +@@ -117,6 +117,9 @@ struct xdma_hw_desc { + CHAN_CTRL_IE_WRITE_ERROR | \ + CHAN_CTRL_IE_DESC_ERROR) + ++/* bits of the channel status register */ ++#define XDMA_CHAN_STATUS_BUSY BIT(0) ++ + #define XDMA_CHAN_STATUS_MASK CHAN_CTRL_START + + #define XDMA_CHAN_ERROR_MASK (CHAN_CTRL_IE_DESC_ALIGN_MISMATCH | \ +--- a/drivers/dma/xilinx/xdma.c ++++ b/drivers/dma/xilinx/xdma.c +@@ -71,6 +71,8 @@ struct xdma_chan { + enum dma_transfer_direction dir; + struct dma_slave_config cfg; + u32 irq; ++ struct completion last_interrupt; ++ bool stop_requested; + }; + + /** +@@ -376,6 +378,8 @@ static int xdma_xfer_start(struct xdma_c + return ret; + + xchan->busy = true; ++ xchan->stop_requested = false; ++ reinit_completion(&xchan->last_interrupt); + + return 0; + } +@@ -387,7 +391,6 @@ static int xdma_xfer_start(struct xdma_c + static int xdma_xfer_stop(struct xdma_chan *xchan) + { + int ret; +- u32 val; + struct xdma_device *xdev = xchan->xdev_hdl; + + /* clear run stop bit to prevent any further auto-triggering */ +@@ -395,13 +398,7 @@ static int xdma_xfer_stop(struct xdma_ch + CHAN_CTRL_RUN_STOP); + if (ret) + return ret; +- +- /* Clear the channel status register */ +- ret = regmap_read(xdev->rmap, xchan->base + XDMA_CHAN_STATUS_RC, &val); +- if (ret) +- return ret; +- +- return 0; ++ return ret; + } + + /** +@@ -474,6 +471,8 @@ static int xdma_alloc_channels(struct xd + xchan->xdev_hdl = xdev; + xchan->base = base + i * XDMA_CHAN_STRIDE; + xchan->dir = dir; ++ xchan->stop_requested = false; ++ init_completion(&xchan->last_interrupt); + + ret = xdma_channel_init(xchan); + if (ret) +@@ -521,6 +520,7 @@ static int xdma_terminate_all(struct dma + spin_lock_irqsave(&xdma_chan->vchan.lock, flags); + + xdma_chan->busy = false; ++ xdma_chan->stop_requested = true; + vd = vchan_next_desc(&xdma_chan->vchan); + if (vd) { + list_del(&vd->node); +@@ -542,6 +542,13 @@ static int xdma_terminate_all(struct dma + static void xdma_synchronize(struct dma_chan *chan) + { + struct xdma_chan *xdma_chan = to_xdma_chan(chan); ++ struct xdma_device *xdev = xdma_chan->xdev_hdl; ++ int st = 0; ++ ++ /* If the engine continues running, wait for the last interrupt */ ++ regmap_read(xdev->rmap, xdma_chan->base + XDMA_CHAN_STATUS, &st); ++ if (st & XDMA_CHAN_STATUS_BUSY) ++ wait_for_completion_timeout(&xdma_chan->last_interrupt, msecs_to_jiffies(1000)); + + vchan_synchronize(&xdma_chan->vchan); + } +@@ -876,6 +883,9 @@ static irqreturn_t xdma_channel_isr(int + u32 st; + bool repeat_tx; + ++ if (xchan->stop_requested) ++ complete(&xchan->last_interrupt); ++ + spin_lock(&xchan->vchan.lock); + + /* get submitted request */ diff --git a/queue-6.8/dmaengine-xilinx-xdma-fix-wrong-offsets-in-the-buffers-addresses-in-dma-descriptor.patch b/queue-6.8/dmaengine-xilinx-xdma-fix-wrong-offsets-in-the-buffers-addresses-in-dma-descriptor.patch new file mode 100644 index 00000000000..9ef9b6d7a13 --- /dev/null +++ b/queue-6.8/dmaengine-xilinx-xdma-fix-wrong-offsets-in-the-buffers-addresses-in-dma-descriptor.patch @@ -0,0 +1,35 @@ +From 5b9706bfc094314c600ab810a61208a7cbaa4cb3 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 27 Mar 2024 10:58:48 +0100 +Subject: dmaengine: xilinx: xdma: Fix wrong offsets in the buffers addresses in dma descriptor + +From: Miquel Raynal + +commit 5b9706bfc094314c600ab810a61208a7cbaa4cb3 upstream. + +The addition of interleaved transfers slightly changed the way +addresses inside DMA descriptors are derived, breaking cyclic +transfers. + +Fixes: 3e184e64c2e5 ("dmaengine: xilinx: xdma: Prepare the introduction of interleaved DMA transfers") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Signed-off-by: Louis Chauvet +Link: https://lore.kernel.org/r/20240327-digigram-xdma-fixes-v1-1-45f4a52c0283@bootlin.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/xilinx/xdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/xilinx/xdma.c ++++ b/drivers/dma/xilinx/xdma.c +@@ -704,7 +704,7 @@ xdma_prep_dma_cyclic(struct dma_chan *ch + desc_num = 0; + for (i = 0; i < periods; i++) { + desc_num += xdma_fill_descs(sw_desc, *src, *dst, period_size, desc_num); +- addr += i * period_size; ++ addr += period_size; + } + + tx_desc = vchan_tx_prep(&xdma_chan->vchan, &sw_desc->vdesc, flags); diff --git a/queue-6.8/drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch b/queue-6.8/drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch new file mode 100644 index 00000000000..c92a9f88151 --- /dev/null +++ b/queue-6.8/drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch @@ -0,0 +1,33 @@ +From aebd3eb9d3ae017e6260043f6bcace2f5ef60694 Mon Sep 17 00:00:00 2001 +From: Lijo Lazar +Date: Wed, 10 Apr 2024 19:30:46 +0530 +Subject: drm/amdgpu: Assign correct bits for SDMA HDP flush + +From: Lijo Lazar + +commit aebd3eb9d3ae017e6260043f6bcace2f5ef60694 upstream. + +HDP Flush request bit can be kept unique per AID, and doesn't need to be +unique SOC-wide. Assign only bits 10-13 for SDMA v4.4.2. + +Signed-off-by: Lijo Lazar +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c +@@ -366,7 +366,8 @@ static void sdma_v4_4_2_ring_emit_hdp_fl + u32 ref_and_mask = 0; + const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg; + +- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me; ++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 ++ << (ring->me % adev->sdma.num_inst_per_aid); + + sdma_v4_4_2_wait_reg_mem(ring, 0, 1, + adev->nbio.funcs->get_hdp_flush_done_offset(adev), diff --git a/queue-6.8/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch b/queue-6.8/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch new file mode 100644 index 00000000000..a682983a9b2 --- /dev/null +++ b/queue-6.8/drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch @@ -0,0 +1,31 @@ +From 25e9227c6afd200bed6774c866980b8e36d033af Mon Sep 17 00:00:00 2001 +From: Mukul Joshi +Date: Thu, 18 Apr 2024 11:32:34 -0400 +Subject: drm/amdgpu: Fix leak when GPU memory allocation fails + +From: Mukul Joshi + +commit 25e9227c6afd200bed6774c866980b8e36d033af upstream. + +Free the sync object if the memory allocation fails for any +reason. + +Signed-off-by: Mukul Joshi +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1851,6 +1851,7 @@ err_node_allow: + err_bo_create: + amdgpu_amdkfd_unreserve_mem_limit(adev, aligned_size, flags, xcp_id); + err_reserve_limit: ++ amdgpu_sync_free(&(*mem)->sync); + mutex_destroy(&(*mem)->lock); + if (gobj) + drm_gem_object_put(gobj); diff --git a/queue-6.8/drm-amdgpu-pm-remove-gpu_od-if-it-s-an-empty-directory.patch b/queue-6.8/drm-amdgpu-pm-remove-gpu_od-if-it-s-an-empty-directory.patch new file mode 100644 index 00000000000..4ca90e858a2 --- /dev/null +++ b/queue-6.8/drm-amdgpu-pm-remove-gpu_od-if-it-s-an-empty-directory.patch @@ -0,0 +1,38 @@ +From 0e95ed6452cb079cf9587c774a475a7d83c7e040 Mon Sep 17 00:00:00 2001 +From: Ma Jun +Date: Tue, 16 Apr 2024 17:30:12 +0800 +Subject: drm/amdgpu/pm: Remove gpu_od if it's an empty directory + +From: Ma Jun + +commit 0e95ed6452cb079cf9587c774a475a7d83c7e040 upstream. + +gpu_od should be removed if it's an empty directory + +Signed-off-by: Ma Jun +Reported-by: Yang Wang +Reviewed-by: Yang Wang +Suggested-by: Lijo Lazar +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/amdgpu_pm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +@@ -4217,6 +4217,13 @@ static int amdgpu_od_set_init(struct amd + } + } + ++ /* ++ * If gpu_od is the only member in the list, that means gpu_od is an ++ * empty directory, so remove it. ++ */ ++ if (list_is_singular(&adev->pm.od_kobj_list)) ++ goto err_out; ++ + return 0; + + err_out: diff --git a/queue-6.8/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch b/queue-6.8/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch new file mode 100644 index 00000000000..09e1b029d78 --- /dev/null +++ b/queue-6.8/drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch @@ -0,0 +1,57 @@ +From 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Sun, 14 Apr 2024 21:20:56 -0400 +Subject: drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d upstream. + +This avoids a potential conflict with firmwares with the newer +HDP flush mechanism. + +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c +@@ -292,17 +292,21 @@ static void sdma_v5_2_ring_emit_hdp_flus + u32 ref_and_mask = 0; + const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg; + +- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me; ++ if (ring->me > 1) { ++ amdgpu_asic_flush_hdp(adev, ring); ++ } else { ++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me; + +- amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) | +- SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) | +- SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */ +- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2); +- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2); +- amdgpu_ring_write(ring, ref_and_mask); /* reference */ +- amdgpu_ring_write(ring, ref_and_mask); /* mask */ +- amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) | +- SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */ ++ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) | ++ SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) | ++ SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */ ++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2); ++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2); ++ amdgpu_ring_write(ring, ref_and_mask); /* reference */ ++ amdgpu_ring_write(ring, ref_and_mask); /* mask */ ++ amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) | ++ SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */ ++ } + } + + /** diff --git a/queue-6.8/drm-amdgpu-umsch-don-t-execute-umsch-test-when-gpu-is-in-reset-suspend.patch b/queue-6.8/drm-amdgpu-umsch-don-t-execute-umsch-test-when-gpu-is-in-reset-suspend.patch new file mode 100644 index 00000000000..ac23510d6ad --- /dev/null +++ b/queue-6.8/drm-amdgpu-umsch-don-t-execute-umsch-test-when-gpu-is-in-reset-suspend.patch @@ -0,0 +1,38 @@ +From 661d71ee5a010bdc0663e0db701931aff920e8e1 Mon Sep 17 00:00:00 2001 +From: Lang Yu +Date: Fri, 19 Apr 2024 15:40:08 +0800 +Subject: drm/amdgpu/umsch: don't execute umsch test when GPU is in reset/suspend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lang Yu + +commit 661d71ee5a010bdc0663e0db701931aff920e8e1 upstream. + +umsch test needs full GPU functionality(e.g., VM update, TLB flush, +possibly buffer moving under memory pressure) which may be not ready +under these states. Just skip it to avoid potential issues. + +Signed-off-by: Lang Yu +Reviewed-by: Christian König +Reviewed-by: Veerabadhran Gopalakrishnan +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c +@@ -766,6 +766,9 @@ static int umsch_mm_late_init(void *hand + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ if (amdgpu_in_reset(adev) || adev->in_s0ix || adev->in_suspend) ++ return 0; ++ + return umsch_mm_test(adev); + } + diff --git a/queue-6.8/drm-amdkfd-fix-eviction-fence-handling.patch b/queue-6.8/drm-amdkfd-fix-eviction-fence-handling.patch new file mode 100644 index 00000000000..08d58b7dd14 --- /dev/null +++ b/queue-6.8/drm-amdkfd-fix-eviction-fence-handling.patch @@ -0,0 +1,56 @@ +From 37865e02e6ccecdda240f33b4332105a5c734984 Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Wed, 17 Apr 2024 21:13:59 -0400 +Subject: drm/amdkfd: Fix eviction fence handling + +From: Felix Kuehling + +commit 37865e02e6ccecdda240f33b4332105a5c734984 upstream. + +Handle case that dma_fence_get_rcu_safe returns NULL. + +If restore work is already scheduled, only update its timer. The same +work item cannot be queued twice, so undo the extra queue eviction. + +Fixes: 9a1c1339abf9 ("drm/amdkfd: Run restore_workers on freezable WQs") +Signed-off-by: Felix Kuehling +Reviewed-by: Philip Yang +Tested-by: Gang BA +Reviewed-by: Gang BA +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +index b79986412cd8..aafdf064651f 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -1922,6 +1922,8 @@ static int signal_eviction_fence(struct kfd_process *p) + rcu_read_lock(); + ef = dma_fence_get_rcu_safe(&p->ef); + rcu_read_unlock(); ++ if (!ef) ++ return -EINVAL; + + ret = dma_fence_signal(ef); + dma_fence_put(ef); +@@ -1949,10 +1951,9 @@ static void evict_process_worker(struct work_struct *work) + * they are responsible stopping the queues and scheduling + * the restore work. + */ +- if (!signal_eviction_fence(p)) +- queue_delayed_work(kfd_restore_wq, &p->restore_work, +- msecs_to_jiffies(PROCESS_RESTORE_TIME_MS)); +- else ++ if (signal_eviction_fence(p) || ++ mod_delayed_work(kfd_restore_wq, &p->restore_work, ++ msecs_to_jiffies(PROCESS_RESTORE_TIME_MS))) + kfd_process_restore_queues(p); + + pr_debug("Finished evicting pasid 0x%x\n", p->pasid); +-- +2.44.0 + diff --git a/queue-6.8/drm-amdkfd-fix-rescheduling-of-restore-worker.patch b/queue-6.8/drm-amdkfd-fix-rescheduling-of-restore-worker.patch new file mode 100644 index 00000000000..34b493e42da --- /dev/null +++ b/queue-6.8/drm-amdkfd-fix-rescheduling-of-restore-worker.patch @@ -0,0 +1,38 @@ +From e26305f369ed0e087a043c2cdc76f3d9a6efb3bd Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Fri, 19 Apr 2024 13:25:58 -0400 +Subject: drm/amdkfd: Fix rescheduling of restore worker + +From: Felix Kuehling + +commit e26305f369ed0e087a043c2cdc76f3d9a6efb3bd upstream. + +Handle the case that the restore worker was already scheduled by another +eviction while the restore was in progress. + +Fixes: 9a1c1339abf9 ("drm/amdkfd: Run restore_workers on freezable WQs") +Signed-off-by: Felix Kuehling +Reviewed-by: Philip Yang +Tested-by: Yunxiang Li +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -2011,9 +2011,9 @@ static void restore_process_worker(struc + if (ret) { + pr_debug("Failed to restore BOs of pasid 0x%x, retry after %d ms\n", + p->pasid, PROCESS_BACK_OFF_TIME_MS); +- ret = queue_delayed_work(kfd_restore_wq, &p->restore_work, +- msecs_to_jiffies(PROCESS_BACK_OFF_TIME_MS)); +- WARN(!ret, "reschedule restore work failed\n"); ++ if (mod_delayed_work(kfd_restore_wq, &p->restore_work, ++ msecs_to_jiffies(PROCESS_RESTORE_TIME_MS))) ++ kfd_process_restore_queues(p); + } + } + diff --git a/queue-6.8/drm-atomic-helper-fix-parameter-order-in-drm_format_conv_state_copy-call.patch b/queue-6.8/drm-atomic-helper-fix-parameter-order-in-drm_format_conv_state_copy-call.patch new file mode 100644 index 00000000000..d85da9dac03 --- /dev/null +++ b/queue-6.8/drm-atomic-helper-fix-parameter-order-in-drm_format_conv_state_copy-call.patch @@ -0,0 +1,45 @@ +From a386c30410450ea87cd38070f9feaca49dadce29 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Thu, 4 Apr 2024 10:17:56 +0200 +Subject: drm/atomic-helper: fix parameter order in drm_format_conv_state_copy() call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lucas Stach + +commit a386c30410450ea87cd38070f9feaca49dadce29 upstream. + +Old and new state parameters are swapped, so the old state was cleared +instead of the new duplicated state. + +Fixes: 903674588a48 ("drm/atomic-helper: Add format-conversion state to shadow-plane state") +Signed-off-by: Lucas Stach +Tested-by: Leonard Göhrs +Reviewed-by: Thomas Zimmermann +Cc: # v6.8+ +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20240404081756.2714424-1-l.stach@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_atomic_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_gem_atomic_helper.c b/drivers/gpu/drm/drm_gem_atomic_helper.c +index e440f458b663..93337543aac3 100644 +--- a/drivers/gpu/drm/drm_gem_atomic_helper.c ++++ b/drivers/gpu/drm/drm_gem_atomic_helper.c +@@ -224,8 +224,8 @@ __drm_gem_duplicate_shadow_plane_state(struct drm_plane *plane, + + __drm_atomic_helper_plane_duplicate_state(plane, &new_shadow_plane_state->base); + +- drm_format_conv_state_copy(&shadow_plane_state->fmtcnv_state, +- &new_shadow_plane_state->fmtcnv_state); ++ drm_format_conv_state_copy(&new_shadow_plane_state->fmtcnv_state, ++ &shadow_plane_state->fmtcnv_state); + } + EXPORT_SYMBOL(__drm_gem_duplicate_shadow_plane_state); + +-- +2.44.0 + diff --git a/queue-6.8/eeprom-at24-fix-memory-corruption-race-condition.patch b/queue-6.8/eeprom-at24-fix-memory-corruption-race-condition.patch new file mode 100644 index 00000000000..5afd59091d4 --- /dev/null +++ b/queue-6.8/eeprom-at24-fix-memory-corruption-race-condition.patch @@ -0,0 +1,60 @@ +From f42c97027fb75776e2e9358d16bf4a99aeb04cf2 Mon Sep 17 00:00:00 2001 +From: Daniel Okazaki +Date: Mon, 22 Apr 2024 17:43:36 +0000 +Subject: eeprom: at24: fix memory corruption race condition + +From: Daniel Okazaki + +commit f42c97027fb75776e2e9358d16bf4a99aeb04cf2 upstream. + +If the eeprom is not accessible, an nvmem device will be registered, the +read will fail, and the device will be torn down. If another driver +accesses the nvmem device after the teardown, it will reference +invalid memory. + +Move the failure point before registering the nvmem device. + +Signed-off-by: Daniel Okazaki +Fixes: b20eb4c1f026 ("eeprom: at24: drop unnecessary label") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240422174337.2487142-1-dtokazaki@google.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/eeprom/at24.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/misc/eeprom/at24.c ++++ b/drivers/misc/eeprom/at24.c +@@ -758,15 +758,6 @@ static int at24_probe(struct i2c_client + } + pm_runtime_enable(dev); + +- at24->nvmem = devm_nvmem_register(dev, &nvmem_config); +- if (IS_ERR(at24->nvmem)) { +- pm_runtime_disable(dev); +- if (!pm_runtime_status_suspended(dev)) +- regulator_disable(at24->vcc_reg); +- return dev_err_probe(dev, PTR_ERR(at24->nvmem), +- "failed to register nvmem\n"); +- } +- + /* + * Perform a one-byte test read to verify that the chip is functional, + * unless powering on the device is to be avoided during probe (i.e. +@@ -782,6 +773,15 @@ static int at24_probe(struct i2c_client + } + } + ++ at24->nvmem = devm_nvmem_register(dev, &nvmem_config); ++ if (IS_ERR(at24->nvmem)) { ++ pm_runtime_disable(dev); ++ if (!pm_runtime_status_suspended(dev)) ++ regulator_disable(at24->vcc_reg); ++ return dev_err_probe(dev, PTR_ERR(at24->nvmem), ++ "failed to register nvmem\n"); ++ } ++ + /* If this a SPD EEPROM, probe for DDR3 thermal sensor */ + if (cdata == &at24_data_spd) + at24_probe_temp_sensor(client); diff --git a/queue-6.8/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch b/queue-6.8/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch new file mode 100644 index 00000000000..cded565a27e --- /dev/null +++ b/queue-6.8/hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch @@ -0,0 +1,71 @@ +From 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Mon, 18 Mar 2024 11:59:02 +0100 +Subject: HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up + +From: Nam Cao + +commit 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e upstream. + +The flag I2C_HID_READ_PENDING is used to serialize I2C operations. +However, this is not necessary, because I2C core already has its own +locking for that. + +More importantly, this flag can cause a lock-up: if the flag is set in +i2c_hid_xfer() and an interrupt happens, the interrupt handler +(i2c_hid_irq) will check this flag and return immediately without doing +anything, then the interrupt handler will be invoked again in an +infinite loop. + +Since interrupt handler is an RT task, it takes over the CPU and the +flag-clearing task never gets scheduled, thus we have a lock-up. + +Delete this unnecessary flag. + +Reported-and-tested-by: Eva Kurchatova +Closes: https://lore.kernel.org/r/CA+eeCSPUDpUg76ZO8dszSbAGn+UHjcyv8F1J-CUPVARAzEtW9w@mail.gmail.com +Fixes: 4a200c3b9a40 ("HID: i2c-hid: introduce HID over i2c specification implementation") +Cc: +Signed-off-by: Nam Cao +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -64,7 +64,6 @@ + /* flags */ + #define I2C_HID_STARTED 0 + #define I2C_HID_RESET_PENDING 1 +-#define I2C_HID_READ_PENDING 2 + + #define I2C_HID_PWR_ON 0x00 + #define I2C_HID_PWR_SLEEP 0x01 +@@ -190,15 +189,10 @@ static int i2c_hid_xfer(struct i2c_hid * + msgs[n].len = recv_len; + msgs[n].buf = recv_buf; + n++; +- +- set_bit(I2C_HID_READ_PENDING, &ihid->flags); + } + + ret = i2c_transfer(client->adapter, msgs, n); + +- if (recv_len) +- clear_bit(I2C_HID_READ_PENDING, &ihid->flags); +- + if (ret != n) + return ret < 0 ? ret : -EIO; + +@@ -556,9 +550,6 @@ static irqreturn_t i2c_hid_irq(int irq, + { + struct i2c_hid *ihid = dev_id; + +- if (test_bit(I2C_HID_READ_PENDING, &ihid->flags)) +- return IRQ_HANDLED; +- + i2c_hid_get_input(ihid); + + return IRQ_HANDLED; diff --git a/queue-6.8/hid-i2c-hid-revert-to-await-reset-ack-before-reading-report-descriptor.patch b/queue-6.8/hid-i2c-hid-revert-to-await-reset-ack-before-reading-report-descriptor.patch new file mode 100644 index 00000000000..e0e9290a43f --- /dev/null +++ b/queue-6.8/hid-i2c-hid-revert-to-await-reset-ack-before-reading-report-descriptor.patch @@ -0,0 +1,116 @@ +From ea36bf1827462e4a52365bf8e3f7d1712c5d9600 Mon Sep 17 00:00:00 2001 +From: Kenny Levinsen +Date: Tue, 2 Apr 2024 13:10:04 +0200 +Subject: HID: i2c-hid: Revert to await reset ACK before reading report descriptor + +From: Kenny Levinsen + +commit ea36bf1827462e4a52365bf8e3f7d1712c5d9600 upstream. + +In af93a167eda9, i2c_hid_parse was changed to continue with reading the +report descriptor before waiting for reset to be acknowledged. + +This has lead to two regressions: + +1. We fail to handle reset acknowledgment if it happens while reading + the report descriptor. The transfer sets I2C_HID_READ_PENDING, which + causes the IRQ handler to return without doing anything. + + This affects both a Wacom touchscreen and a Sensel touchpad. + +2. On a Sensel touchpad, reading the report descriptor this quickly + after reset results in all zeroes or partial zeroes. + +The issues were observed on the Lenovo Thinkpad Z16 Gen 2. + +The change in question was made based on a Microsoft article[0] stating +that Windows 8 *may* read the report descriptor in parallel with +awaiting reset acknowledgment, intended as a slight reset performance +optimization. Perhaps they only do this if reset is not completing +quickly enough for their tastes? + +As the code is not currently ready to read registers in parallel with a +pending reset acknowledgment, and as reading quickly breaks the report +descriptor on the Sensel touchpad, revert to waiting for reset +acknowledgment before proceeding to read the report descriptor. + +[0]: https://learn.microsoft.com/en-us/windows-hardware/drivers/hid/plug-and-play-support-and-power-management + +Fixes: af93a167eda9 ("HID: i2c-hid: Move i2c_hid_finish_hwreset() to after reading the report-descriptor") +Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2271136 +Cc: stable@vger.kernel.org +Signed-off-by: Kenny Levinsen +Link: https://lore.kernel.org/r/20240331182440.14477-1-kl@kl.wtf +[hdegoede@redhat.com Drop no longer necessary abort_reset error exit path] +Signed-off-by: Hans de Goede +Tested-by: Mark Pearson +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 29 ++++++++--------------------- + 1 file changed, 8 insertions(+), 21 deletions(-) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 1c86c97688e9..d965382196c6 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -726,12 +726,15 @@ static int i2c_hid_parse(struct hid_device *hid) + mutex_lock(&ihid->reset_lock); + do { + ret = i2c_hid_start_hwreset(ihid); +- if (ret) ++ if (ret == 0) ++ ret = i2c_hid_finish_hwreset(ihid); ++ else + msleep(1000); + } while (tries-- > 0 && ret); ++ mutex_unlock(&ihid->reset_lock); + + if (ret) +- goto abort_reset; ++ return ret; + + use_override = i2c_hid_get_dmi_hid_report_desc_override(client->name, + &rsize); +@@ -741,11 +744,8 @@ static int i2c_hid_parse(struct hid_device *hid) + i2c_hid_dbg(ihid, "Using a HID report descriptor override\n"); + } else { + rdesc = kzalloc(rsize, GFP_KERNEL); +- +- if (!rdesc) { +- ret = -ENOMEM; +- goto abort_reset; +- } ++ if (!rdesc) ++ return -ENOMEM; + + i2c_hid_dbg(ihid, "asking HID report descriptor\n"); + +@@ -754,23 +754,10 @@ static int i2c_hid_parse(struct hid_device *hid) + rdesc, rsize); + if (ret) { + hid_err(hid, "reading report descriptor failed\n"); +- goto abort_reset; ++ goto out; + } + } + +- /* +- * Windows directly reads the report-descriptor after sending reset +- * and then waits for resets completion afterwards. Some touchpads +- * actually wait for the report-descriptor to be read before signalling +- * reset completion. +- */ +- ret = i2c_hid_finish_hwreset(ihid); +-abort_reset: +- clear_bit(I2C_HID_RESET_PENDING, &ihid->flags); +- mutex_unlock(&ihid->reset_lock); +- if (ret) +- goto out; +- + i2c_hid_dbg(ihid, "Report Descriptor: %*ph\n", rsize, rdesc); + + ret = hid_parse_report(hid, rdesc, rsize); +-- +2.44.0 + diff --git a/queue-6.8/kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch b/queue-6.8/kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch new file mode 100644 index 00000000000..67753097bf5 --- /dev/null +++ b/queue-6.8/kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch @@ -0,0 +1,67 @@ +From ded103c7eb23753f22597afa500a7c1ad34116ba Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Mon, 22 Apr 2024 11:06:44 +0200 +Subject: kbuild: rust: force `alloc` extern to allow "empty" Rust files + +From: Miguel Ojeda + +commit ded103c7eb23753f22597afa500a7c1ad34116ba upstream. + +If one attempts to build an essentially empty file somewhere in the +kernel tree, it leads to a build error because the compiler does not +recognize the `new_uninit` unstable feature: + + error[E0635]: unknown feature `new_uninit` + --> :1:9 + | + 1 | feature(new_uninit) + | ^^^^^^^^^^ + +The reason is that we pass `-Zcrate-attr='feature(new_uninit)'` (together +with `-Zallow-features=new_uninit`) to let non-`rust/` code use that +unstable feature. + +However, the compiler only recognizes the feature if the `alloc` crate +is resolved (the feature is an `alloc` one). `--extern alloc`, which we +pass, is not enough to resolve the crate. + +Introducing a reference like `use alloc;` or `extern crate alloc;` +solves the issue, thus this is not seen in normal files. For instance, +`use`ing the `kernel` prelude introduces such a reference, since `alloc` +is used inside. + +While normal use of the build system is not impacted by this, it can still +be fairly confusing for kernel developers [1], thus use the unstable +`force` option of `--extern` [2] (added in Rust 1.71 [3]) to force the +compiler to resolve `alloc`. + +This new unstable feature is only needed meanwhile we use the other +unstable feature, since then we will not need `-Zcrate-attr`. + +Cc: stable@vger.kernel.org # v6.6+ +Reported-by: Daniel Almeida +Reported-by: Julian Stecklina +Closes: https://rust-for-linux.zulipchat.com/#narrow/stream/288089-General/topic/x/near/424096982 [1] +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Link: https://github.com/rust-lang/rust/issues/111302 [2] +Link: https://github.com/rust-lang/rust/pull/109421 [3] +Reviewed-by: Alice Ryhl +Reviewed-by: Gary Guo +Link: https://lore.kernel.org/r/20240422090644.525520-1-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/Makefile.build ++++ b/scripts/Makefile.build +@@ -272,7 +272,7 @@ rust_common_cmd = \ + -Zallow-features=$(rust_allowed_features) \ + -Zcrate-attr=no_std \ + -Zcrate-attr='feature($(rust_allowed_features))' \ +- --extern alloc --extern kernel \ ++ -Zunstable-options --extern force:alloc --extern kernel \ + --crate-type rlib -L $(objtree)/rust/ \ + --crate-name $(basename $(notdir $@)) \ + --sysroot=/dev/null \ diff --git a/queue-6.8/kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch b/queue-6.8/kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch new file mode 100644 index 00000000000..64c3f60591a --- /dev/null +++ b/queue-6.8/kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch @@ -0,0 +1,46 @@ +From 50cfe93b01475ba36878b65d35d812e1bb48ac71 Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Mon, 22 Apr 2024 11:12:15 +0200 +Subject: kbuild: rust: remove unneeded `@rustc_cfg` to avoid ICE + +From: Miguel Ojeda + +commit 50cfe93b01475ba36878b65d35d812e1bb48ac71 upstream. + +When KUnit tests are enabled, under very big kernel configurations +(e.g. `allyesconfig`), we can trigger a `rustdoc` ICE [1]: + + RUSTDOC TK rust/kernel/lib.rs + error: the compiler unexpectedly panicked. this is a bug. + +The reason is that this build step has a duplicated `@rustc_cfg` argument, +which contains the kernel configuration, and thus a lot of arguments. The +factor 2 happens to be enough to reach the ICE. + +Thus remove the unneeded `@rustc_cfg`. By doing so, we clean up the +command and workaround the ICE. + +The ICE has been fixed in the upcoming Rust 1.79 [2]. + +Cc: stable@vger.kernel.org +Fixes: a66d733da801 ("rust: support running Rust documentation tests as KUnit ones") +Link: https://github.com/rust-lang/rust/issues/122722 [1] +Link: https://github.com/rust-lang/rust/pull/122840 [2] +Reviewed-by: Alice Ryhl +Link: https://lore.kernel.org/r/20240422091215.526688-1-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/Makefile | 1 - + 1 file changed, 1 deletion(-) + +--- a/rust/Makefile ++++ b/rust/Makefile +@@ -175,7 +175,6 @@ quiet_cmd_rustdoc_test_kernel = RUSTDOC + mkdir -p $(objtree)/$(obj)/test/doctests/kernel; \ + OBJTREE=$(abspath $(objtree)) \ + $(RUSTDOC) --test $(rust_flags) \ +- @$(objtree)/include/generated/rustc_cfg \ + -L$(objtree)/$(obj) --extern alloc --extern kernel \ + --extern build_error --extern macros \ + --extern bindings --extern uapi \ diff --git a/queue-6.8/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch b/queue-6.8/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch new file mode 100644 index 00000000000..f3d0df0acad --- /dev/null +++ b/queue-6.8/loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch @@ -0,0 +1,42 @@ +From efb44ff64c95340b06331fc48634b99efc9dd77c Mon Sep 17 00:00:00 2001 +From: Jiantao Shan +Date: Wed, 24 Apr 2024 12:36:07 +0800 +Subject: LoongArch: Fix access error when read fault on a write-only VMA + +From: Jiantao Shan + +commit efb44ff64c95340b06331fc48634b99efc9dd77c upstream. + +As with most architectures, allow handling of read faults in VMAs that +have VM_WRITE but without VM_READ (WRITE implies READ). + +Otherwise, reading before writing a write-only memory will error while +reading after writing everything is fine. + +BTW, move the VM_EXEC judgement before VM_READ/VM_WRITE to make logic a +little clearer. + +Cc: stable@vger.kernel.org +Fixes: 09cfefb7fa70c3af01 ("LoongArch: Add memory management") +Signed-off-by: Jiantao Shan +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/mm/fault.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/mm/fault.c ++++ b/arch/loongarch/mm/fault.c +@@ -202,10 +202,10 @@ good_area: + if (!(vma->vm_flags & VM_WRITE)) + goto bad_area; + } else { +- if (!(vma->vm_flags & VM_READ) && address != exception_era(regs)) +- goto bad_area; + if (!(vma->vm_flags & VM_EXEC) && address == exception_era(regs)) + goto bad_area; ++ if (!(vma->vm_flags & (VM_READ | VM_WRITE)) && address != exception_era(regs)) ++ goto bad_area; + } + + /* diff --git a/queue-6.8/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch b/queue-6.8/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch new file mode 100644 index 00000000000..29afea41650 --- /dev/null +++ b/queue-6.8/loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch @@ -0,0 +1,112 @@ +From d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 24 Apr 2024 12:36:07 +0800 +Subject: LoongArch: Fix callchain parse error with kernel tracepoint events + +From: Huacai Chen + +commit d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 upstream. + +In order to fix perf's callchain parse error for LoongArch, we implement +perf_arch_fetch_caller_regs() which fills several necessary registers +used for callchain unwinding, including sp, fp, and era. This is similar +to the following commits. + +commit b3eac0265bf6: +("arm: perf: Fix callchain parse error with kernel tracepoint events") + +commit 5b09a094f2fb: +("arm64: perf: Fix callchain parse error with kernel tracepoint events") + +commit 9a7e8ec0d4cc: +("riscv: perf: Fix callchain parse error with kernel tracepoint events") + +Test with commands: + + perf record -e sched:sched_switch -g --call-graph dwarf + perf report + +Without this patch: + + Children Self Command Shared Object Symbol + ........ ........ ............. ................. .................... + + 43.41% 43.41% swapper [unknown] [k] 0000000000000000 + + 10.94% 10.94% loong-container [unknown] [k] 0000000000000000 + | + |--5.98%--0x12006ba38 + | + |--2.56%--0x12006bb84 + | + --2.40%--0x12006b6b8 + +With this patch, callchain can be parsed correctly: + + Children Self Command Shared Object Symbol + ........ ........ ............. ................. .................... + + 47.57% 47.57% swapper [kernel.vmlinux] [k] __schedule + | + ---__schedule + + 26.76% 26.76% loong-container [kernel.vmlinux] [k] __schedule + | + |--13.78%--0x12006ba38 + | | + | |--9.19%--__schedule + | | + | --4.59%--handle_syscall + | do_syscall + | sys_futex + | do_futex + | futex_wait + | futex_wait_queue_me + | hrtimer_start_range_ns + | __schedule + | + |--8.38%--0x12006bb84 + | handle_syscall + | do_syscall + | sys_epoll_pwait + | do_epoll_wait + | schedule_hrtimeout_range_clock + | hrtimer_start_range_ns + | __schedule + | + --4.59%--0x12006b6b8 + handle_syscall + do_syscall + sys_nanosleep + hrtimer_nanosleep + do_nanosleep + hrtimer_start_range_ns + __schedule + +Cc: stable@vger.kernel.org +Fixes: b37042b2bb7cd751f0 ("LoongArch: Add perf events support") +Reported-by: Youling Tang +Suggested-by: Youling Tang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/perf_event.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/loongarch/include/asm/perf_event.h ++++ b/arch/loongarch/include/asm/perf_event.h +@@ -7,6 +7,14 @@ + #ifndef __LOONGARCH_PERF_EVENT_H__ + #define __LOONGARCH_PERF_EVENT_H__ + ++#include ++ + #define perf_arch_bpf_user_pt_regs(regs) (struct user_pt_regs *)regs + ++#define perf_arch_fetch_caller_regs(regs, __ip) { \ ++ (regs)->csr_era = (__ip); \ ++ (regs)->regs[3] = current_stack_pointer; \ ++ (regs)->regs[22] = (unsigned long) __builtin_frame_address(0); \ ++} ++ + #endif /* __LOONGARCH_PERF_EVENT_H__ */ diff --git a/queue-6.8/mm-create-folio_flag_false-and-folio_type_ops-macros.patch b/queue-6.8/mm-create-folio_flag_false-and-folio_type_ops-macros.patch new file mode 100644 index 00000000000..e5ecb35c5f1 --- /dev/null +++ b/queue-6.8/mm-create-folio_flag_false-and-folio_type_ops-macros.patch @@ -0,0 +1,144 @@ +From 12bbaae7635a56049779db3bef6e7140d9aa5f67 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Thu, 21 Mar 2024 14:24:40 +0000 +Subject: mm: create FOLIO_FLAG_FALSE and FOLIO_TYPE_OPS macros + +From: Matthew Wilcox (Oracle) + +commit 12bbaae7635a56049779db3bef6e7140d9aa5f67 upstream. + +Following the separation of FOLIO_FLAGS from PAGEFLAGS, separate +FOLIO_FLAG_FALSE from PAGEFLAG_FALSE and FOLIO_TYPE_OPS from +PAGE_TYPE_OPS. + +Link: https://lkml.kernel.org/r/20240321142448.1645400-3-willy@infradead.org +Fixes: 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR") +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: David Hildenbrand +Acked-by: Vlastimil Babka +Cc: Miaohe Lin +Cc: Muchun Song +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/page-flags.h | 70 ++++++++++++++++++++++++++++++--------------- + 1 file changed, 47 insertions(+), 23 deletions(-) + +--- a/include/linux/page-flags.h ++++ b/include/linux/page-flags.h +@@ -432,30 +432,51 @@ static __always_inline int TestClearPage + TESTSETFLAG(uname, lname, policy) \ + TESTCLEARFLAG(uname, lname, policy) + ++#define FOLIO_TEST_FLAG_FALSE(name) \ ++static inline bool folio_test_##name(const struct folio *folio) \ ++{ return false; } ++#define FOLIO_SET_FLAG_NOOP(name) \ ++static inline void folio_set_##name(struct folio *folio) { } ++#define FOLIO_CLEAR_FLAG_NOOP(name) \ ++static inline void folio_clear_##name(struct folio *folio) { } ++#define __FOLIO_SET_FLAG_NOOP(name) \ ++static inline void __folio_set_##name(struct folio *folio) { } ++#define __FOLIO_CLEAR_FLAG_NOOP(name) \ ++static inline void __folio_clear_##name(struct folio *folio) { } ++#define FOLIO_TEST_SET_FLAG_FALSE(name) \ ++static inline bool folio_test_set_##name(struct folio *folio) \ ++{ return false; } ++#define FOLIO_TEST_CLEAR_FLAG_FALSE(name) \ ++static inline bool folio_test_clear_##name(struct folio *folio) \ ++{ return false; } ++ ++#define FOLIO_FLAG_FALSE(name) \ ++FOLIO_TEST_FLAG_FALSE(name) \ ++FOLIO_SET_FLAG_NOOP(name) \ ++FOLIO_CLEAR_FLAG_NOOP(name) ++ + #define TESTPAGEFLAG_FALSE(uname, lname) \ +-static inline bool folio_test_##lname(const struct folio *folio) { return false; } \ ++FOLIO_TEST_FLAG_FALSE(lname) \ + static inline int Page##uname(const struct page *page) { return 0; } + + #define SETPAGEFLAG_NOOP(uname, lname) \ +-static inline void folio_set_##lname(struct folio *folio) { } \ ++FOLIO_SET_FLAG_NOOP(lname) \ + static inline void SetPage##uname(struct page *page) { } + + #define CLEARPAGEFLAG_NOOP(uname, lname) \ +-static inline void folio_clear_##lname(struct folio *folio) { } \ ++FOLIO_CLEAR_FLAG_NOOP(lname) \ + static inline void ClearPage##uname(struct page *page) { } + + #define __CLEARPAGEFLAG_NOOP(uname, lname) \ +-static inline void __folio_clear_##lname(struct folio *folio) { } \ ++__FOLIO_CLEAR_FLAG_NOOP(lname) \ + static inline void __ClearPage##uname(struct page *page) { } + + #define TESTSETFLAG_FALSE(uname, lname) \ +-static inline bool folio_test_set_##lname(struct folio *folio) \ +-{ return 0; } \ ++FOLIO_TEST_SET_FLAG_FALSE(lname) \ + static inline int TestSetPage##uname(struct page *page) { return 0; } + + #define TESTCLEARFLAG_FALSE(uname, lname) \ +-static inline bool folio_test_clear_##lname(struct folio *folio) \ +-{ return 0; } \ ++FOLIO_TEST_CLEAR_FLAG_FALSE(lname) \ + static inline int TestClearPage##uname(struct page *page) { return 0; } + + #define PAGEFLAG_FALSE(uname, lname) TESTPAGEFLAG_FALSE(uname, lname) \ +@@ -951,35 +972,38 @@ static inline int page_has_type(struct p + return page_type_has_type(page->page_type); + } + ++#define FOLIO_TYPE_OPS(lname, fname) \ ++static __always_inline bool folio_test_##fname(const struct folio *folio)\ ++{ \ ++ return folio_test_type(folio, PG_##lname); \ ++} \ ++static __always_inline void __folio_set_##fname(struct folio *folio) \ ++{ \ ++ VM_BUG_ON_FOLIO(!folio_test_type(folio, 0), folio); \ ++ folio->page.page_type &= ~PG_##lname; \ ++} \ ++static __always_inline void __folio_clear_##fname(struct folio *folio) \ ++{ \ ++ VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \ ++ folio->page.page_type |= PG_##lname; \ ++} ++ + #define PAGE_TYPE_OPS(uname, lname, fname) \ ++FOLIO_TYPE_OPS(lname, fname) \ + static __always_inline int Page##uname(const struct page *page) \ + { \ + return PageType(page, PG_##lname); \ + } \ +-static __always_inline int folio_test_##fname(const struct folio *folio)\ +-{ \ +- return folio_test_type(folio, PG_##lname); \ +-} \ + static __always_inline void __SetPage##uname(struct page *page) \ + { \ + VM_BUG_ON_PAGE(!PageType(page, 0), page); \ + page->page_type &= ~PG_##lname; \ + } \ +-static __always_inline void __folio_set_##fname(struct folio *folio) \ +-{ \ +- VM_BUG_ON_FOLIO(!folio_test_type(folio, 0), folio); \ +- folio->page.page_type &= ~PG_##lname; \ +-} \ + static __always_inline void __ClearPage##uname(struct page *page) \ + { \ + VM_BUG_ON_PAGE(!Page##uname(page), page); \ + page->page_type |= PG_##lname; \ +-} \ +-static __always_inline void __folio_clear_##fname(struct folio *folio) \ +-{ \ +- VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \ +- folio->page.page_type |= PG_##lname; \ +-} \ ++} + + /* + * PageBuddy() indicates that the page is free and in the buddy system diff --git a/queue-6.8/mm-hugetlb-fix-debug_locks_warn_on-1-when-dissolve_free_hugetlb_folio.patch b/queue-6.8/mm-hugetlb-fix-debug_locks_warn_on-1-when-dissolve_free_hugetlb_folio.patch new file mode 100644 index 00000000000..d8cf4618fa5 --- /dev/null +++ b/queue-6.8/mm-hugetlb-fix-debug_locks_warn_on-1-when-dissolve_free_hugetlb_folio.patch @@ -0,0 +1,138 @@ +From 52ccdde16b6540abe43b6f8d8e1e1ec90b0983af Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Fri, 19 Apr 2024 16:58:19 +0800 +Subject: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() + +From: Miaohe Lin + +commit 52ccdde16b6540abe43b6f8d8e1e1ec90b0983af upstream. + +When I did memory failure tests recently, below warning occurs: + +DEBUG_LOCKS_WARN_ON(1) +WARNING: CPU: 8 PID: 1011 at kernel/locking/lockdep.c:232 __lock_acquire+0xccb/0x1ca0 +Modules linked in: mce_inject hwpoison_inject +CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__lock_acquire+0xccb/0x1ca0 +RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 +RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 +RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0 +RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb +R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10 +R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004 +FS: 00007ff9f32aa740(0000) GS:ffffa1ce5fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ff9f3134ba0 CR3: 00000008484e4000 CR4: 00000000000006f0 +Call Trace: + + lock_acquire+0xbe/0x2d0 + _raw_spin_lock_irqsave+0x3a/0x60 + hugepage_subpool_put_pages.part.0+0xe/0xc0 + free_huge_folio+0x253/0x3f0 + dissolve_free_huge_page+0x147/0x210 + __page_handle_poison+0x9/0x70 + memory_failure+0x4e6/0x8c0 + hard_offline_page_store+0x55/0xa0 + kernfs_fop_write_iter+0x12c/0x1d0 + vfs_write+0x380/0x540 + ksys_write+0x64/0xe0 + do_syscall_64+0xbc/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7ff9f3114887 +RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 +RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001 +RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c +R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 + +Kernel panic - not syncing: kernel: panic_on_warn set ... +CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +Call Trace: + + panic+0x326/0x350 + check_panic_on_warn+0x4f/0x50 + __warn+0x98/0x190 + report_bug+0x18e/0x1a0 + handle_bug+0x3d/0x70 + exc_invalid_op+0x18/0x70 + asm_exc_invalid_op+0x1a/0x20 +RIP: 0010:__lock_acquire+0xccb/0x1ca0 +RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 +RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 +RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0 +RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb +R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10 +R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004 + lock_acquire+0xbe/0x2d0 + _raw_spin_lock_irqsave+0x3a/0x60 + hugepage_subpool_put_pages.part.0+0xe/0xc0 + free_huge_folio+0x253/0x3f0 + dissolve_free_huge_page+0x147/0x210 + __page_handle_poison+0x9/0x70 + memory_failure+0x4e6/0x8c0 + hard_offline_page_store+0x55/0xa0 + kernfs_fop_write_iter+0x12c/0x1d0 + vfs_write+0x380/0x540 + ksys_write+0x64/0xe0 + do_syscall_64+0xbc/0x1d0 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7ff9f3114887 +RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 +RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001 +RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c +R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 + + +After git bisecting and digging into the code, I believe the root cause is +that _deferred_list field of folio is unioned with _hugetlb_subpool field. +In __update_and_free_hugetlb_folio(), folio->_deferred_list is +initialized leading to corrupted folio->_hugetlb_subpool when folio is +hugetlb. Later free_huge_folio() will use _hugetlb_subpool and above +warning happens. + +But it is assumed hugetlb flag must have been cleared when calling +folio_put() in update_and_free_hugetlb_folio(). This assumption is broken +due to below race: + +CPU1 CPU2 +dissolve_free_huge_page update_and_free_pages_bulk + update_and_free_hugetlb_folio hugetlb_vmemmap_restore_folios + folio_clear_hugetlb_vmemmap_optimized + clear_flag = folio_test_hugetlb_vmemmap_optimized + if (clear_flag) <-- False, it's already cleared. + __folio_clear_hugetlb(folio) <-- Hugetlb is not cleared. + folio_put + free_huge_folio <-- free_the_page is expected. + list_for_each_entry() + __folio_clear_hugetlb <-- Too late. + +Fix this issue by checking whether folio is hugetlb directly instead of +checking clear_flag to close the race window. + +Link: https://lkml.kernel.org/r/20240419085819.1901645-1-linmiaohe@huawei.com +Fixes: 32c877191e02 ("hugetlb: do not clear hugetlb dtor until allocating vmemmap") +Signed-off-by: Miaohe Lin +Reviewed-by: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1780,7 +1780,7 @@ static void __update_and_free_hugetlb_fo + * If vmemmap pages were allocated above, then we need to clear the + * hugetlb destructor under the hugetlb lock. + */ +- if (clear_dtor) { ++ if (folio_test_hugetlb(folio)) { + spin_lock_irq(&hugetlb_lock); + __clear_hugetlb_destructor(h, folio); + spin_unlock_irq(&hugetlb_lock); diff --git a/queue-6.8/mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch b/queue-6.8/mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch new file mode 100644 index 00000000000..934e8c2e3f8 --- /dev/null +++ b/queue-6.8/mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch @@ -0,0 +1,51 @@ +From b76b46902c2d0395488c8412e1116c2486cdfcb2 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 17 Apr 2024 17:18:35 -0400 +Subject: mm/hugetlb: fix missing hugetlb_lock for resv uncharge + +From: Peter Xu + +commit b76b46902c2d0395488c8412e1116c2486cdfcb2 upstream. + +There is a recent report on UFFDIO_COPY over hugetlb: + +https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/ + +350: lockdep_assert_held(&hugetlb_lock); + +Should be an issue in hugetlb but triggered in an userfault context, where +it goes into the unlikely path where two threads modifying the resv map +together. Mike has a fix in that path for resv uncharge but it looks like +the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd() +will update the cgroup pointer, so it requires to be called with the lock +held. + +Link: https://lkml.kernel.org/r/20240417211836.2742593-3-peterx@redhat.com +Fixes: 79aa925bf239 ("hugetlb_cgroup: fix reservation accounting") +Signed-off-by: Peter Xu +Reported-by: syzbot+4b8077a5fccc61c385a1@syzkaller.appspotmail.com +Reviewed-by: Mina Almasry +Cc: David Hildenbrand +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3266,9 +3266,12 @@ struct folio *alloc_hugetlb_folio(struct + + rsv_adjust = hugepage_subpool_put_pages(spool, 1); + hugetlb_acct_memory(h, -rsv_adjust); +- if (deferred_reserve) ++ if (deferred_reserve) { ++ spin_lock_irq(&hugetlb_lock); + hugetlb_cgroup_uncharge_folio_rsvd(hstate_index(h), + pages_per_huge_page(h), folio); ++ spin_unlock_irq(&hugetlb_lock); ++ } + } + + if (!memcg_charge_ret) diff --git a/queue-6.8/mm-support-page_mapcount-on-page_has_type-pages.patch b/queue-6.8/mm-support-page_mapcount-on-page_has_type-pages.patch new file mode 100644 index 00000000000..21f0485c22d --- /dev/null +++ b/queue-6.8/mm-support-page_mapcount-on-page_has_type-pages.patch @@ -0,0 +1,93 @@ +From fd1a745ce03e37945674c14833870a9af0882e2d Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Thu, 21 Mar 2024 14:24:42 +0000 +Subject: mm: support page_mapcount() on page_has_type() pages + +From: Matthew Wilcox (Oracle) + +commit fd1a745ce03e37945674c14833870a9af0882e2d upstream. + +Return 0 for pages which can't be mapped. This matches how page_mapped() +works. It is more convenient for users to not have to filter out these +pages. + +Link: https://lkml.kernel.org/r/20240321142448.1645400-5-willy@infradead.org +Fixes: 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR") +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: David Hildenbrand +Acked-by: Vlastimil Babka +Cc: Miaohe Lin +Cc: Muchun Song +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/page.c | 7 ++----- + include/linux/mm.h | 8 +++++--- + include/linux/page-flags.h | 4 ++-- + 3 files changed, 9 insertions(+), 10 deletions(-) + +--- a/fs/proc/page.c ++++ b/fs/proc/page.c +@@ -67,7 +67,7 @@ static ssize_t kpagecount_read(struct fi + */ + ppage = pfn_to_online_page(pfn); + +- if (!ppage || PageSlab(ppage) || page_has_type(ppage)) ++ if (!ppage) + pcount = 0; + else + pcount = page_mapcount(ppage); +@@ -124,11 +124,8 @@ u64 stable_page_flags(struct page *page) + + /* + * pseudo flags for the well known (anonymous) memory mapped pages +- * +- * Note that page->_mapcount is overloaded in SLAB, so the +- * simple test in page_mapped() is not enough. + */ +- if (!PageSlab(page) && page_mapped(page)) ++ if (page_mapped(page)) + u |= 1 << KPF_MMAP; + if (PageAnon(page)) + u |= 1 << KPF_ANON; +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1204,14 +1204,16 @@ static inline void page_mapcount_reset(s + * a large folio, it includes the number of times this page is mapped + * as part of that folio. + * +- * The result is undefined for pages which cannot be mapped into userspace. +- * For example SLAB or special types of pages. See function page_has_type(). +- * They use this field in struct page differently. ++ * Will report 0 for pages which cannot be mapped into userspace, eg ++ * slab, page tables and similar. + */ + static inline int page_mapcount(struct page *page) + { + int mapcount = atomic_read(&page->_mapcount) + 1; + ++ /* Handle page_has_type() pages */ ++ if (mapcount < 0) ++ mapcount = 0; + if (unlikely(PageCompound(page))) + mapcount += folio_entire_mapcount(page_folio(page)); + +--- a/include/linux/page-flags.h ++++ b/include/linux/page-flags.h +@@ -945,12 +945,12 @@ static inline bool is_page_hwpoison(stru + * page_type may be used. Because it is initialised to -1, we invert the + * sense of the bit, so __SetPageFoo *clears* the bit used for PageFoo, and + * __ClearPageFoo *sets* the bit used for PageFoo. We reserve a few high and +- * low bits so that an underflow or overflow of page_mapcount() won't be ++ * low bits so that an underflow or overflow of _mapcount won't be + * mistaken for a page type value. + */ + + #define PAGE_TYPE_BASE 0xf0000000 +-/* Reserve 0x0000007f to catch underflows of page_mapcount */ ++/* Reserve 0x0000007f to catch underflows of _mapcount */ + #define PAGE_MAPCOUNT_RESERVE -128 + #define PG_buddy 0x00000080 + #define PG_offline 0x00000100 diff --git a/queue-6.8/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch b/queue-6.8/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch new file mode 100644 index 00000000000..ee7a6c58dfd --- /dev/null +++ b/queue-6.8/mmc-sdhci-msm-pervent-access-to-suspended-controller.patch @@ -0,0 +1,64 @@ +From f8def10f73a516b771051a2f70f2f0446902cb4f Mon Sep 17 00:00:00 2001 +From: Mantas Pucka +Date: Thu, 21 Mar 2024 14:30:01 +0000 +Subject: mmc: sdhci-msm: pervent access to suspended controller + +From: Mantas Pucka + +commit f8def10f73a516b771051a2f70f2f0446902cb4f upstream. + +Generic sdhci code registers LED device and uses host->runtime_suspended +flag to protect access to it. The sdhci-msm driver doesn't set this flag, +which causes a crash when LED is accessed while controller is runtime +suspended. Fix this by setting the flag correctly. + +Cc: stable@vger.kernel.org +Fixes: 67e6db113c90 ("mmc: sdhci-msm: Add pm_runtime and system PM support") +Signed-off-by: Mantas Pucka +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20240321-sdhci-mmc-suspend-v1-1-fbc555a64400@8devices.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-msm.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -2694,6 +2694,11 @@ static __maybe_unused int sdhci_msm_runt + struct sdhci_host *host = dev_get_drvdata(dev); + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&host->lock, flags); ++ host->runtime_suspended = true; ++ spin_unlock_irqrestore(&host->lock, flags); + + /* Drop the performance vote */ + dev_pm_opp_set_rate(dev, 0); +@@ -2708,6 +2713,7 @@ static __maybe_unused int sdhci_msm_runt + struct sdhci_host *host = dev_get_drvdata(dev); + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ unsigned long flags; + int ret; + + ret = clk_bulk_prepare_enable(ARRAY_SIZE(msm_host->bulk_clks), +@@ -2726,7 +2732,15 @@ static __maybe_unused int sdhci_msm_runt + + dev_pm_opp_set_rate(dev, msm_host->clk_rate); + +- return sdhci_msm_ice_resume(msm_host); ++ ret = sdhci_msm_ice_resume(msm_host); ++ if (ret) ++ return ret; ++ ++ spin_lock_irqsave(&host->lock, flags); ++ host->runtime_suspended = false; ++ spin_unlock_irqrestore(&host->lock, flags); ++ ++ return ret; + } + + static const struct dev_pm_ops sdhci_msm_pm_ops = { diff --git a/queue-6.8/mmc-sdhci-of-dwcmshc-th1520-increase-tuning-loop-count-to-128.patch b/queue-6.8/mmc-sdhci-of-dwcmshc-th1520-increase-tuning-loop-count-to-128.patch new file mode 100644 index 00000000000..c679b22f51b --- /dev/null +++ b/queue-6.8/mmc-sdhci-of-dwcmshc-th1520-increase-tuning-loop-count-to-128.patch @@ -0,0 +1,39 @@ +From ace323f80b9bc6734289a4e8a77938a3ce964c7d Mon Sep 17 00:00:00 2001 +From: Maksim Kiselev +Date: Tue, 2 Apr 2024 12:35:39 +0300 +Subject: mmc: sdhci-of-dwcmshc: th1520: Increase tuning loop count to 128 + +From: Maksim Kiselev + +commit ace323f80b9bc6734289a4e8a77938a3ce964c7d upstream. + +Fix SD card tuning error by increasing tuning loop count +from 40(MAX_TUNING_LOOP) to 128. + +For some reason the tuning algorithm requires to move through all the taps +of delay line even if the THRESHOLD_MODE (bit 2 in AT_CTRL_R) is used +instead of the LARGEST_WIN_MODE. + +Tested-by: Drew Fustini +Tested-by: Xi Ruoyao +Signed-off-by: Maksim Kiselev +Acked-by: Adrian Hunter +Fixes: 43658a542ebf ("mmc: sdhci-of-dwcmshc: Add support for T-Head TH1520") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240402093539.184287-1-bigunclemax@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-dwcmshc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/sdhci-of-dwcmshc.c ++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c +@@ -612,6 +612,7 @@ static int th1520_execute_tuning(struct + + /* perform tuning */ + sdhci_start_tuning(host); ++ host->tuning_loop_count = 128; + host->tuning_err = __sdhci_execute_tuning(host, opcode); + if (host->tuning_err) { + /* disable auto-tuning upon tuning error */ diff --git a/queue-6.8/mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch b/queue-6.8/mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch new file mode 100644 index 00000000000..0b3bba6437d --- /dev/null +++ b/queue-6.8/mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch @@ -0,0 +1,54 @@ +From b61bb5bc2c1cd00bb53db42f705735db6e8700f0 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Thu, 4 Apr 2024 10:31:55 +0200 +Subject: mtd: rawnand: qcom: Fix broken OP_RESET_DEVICE command in qcom_misc_cmd_type_exec() + +From: Christian Marangi + +commit b61bb5bc2c1cd00bb53db42f705735db6e8700f0 upstream. + +While migrating to exec_ops in commit a82990c8a409 ("mtd: rawnand: qcom: +Add read/read_start ops in exec_op path"), OP_RESET_DEVICE command handling +got broken unintentionally. Right now for the OP_RESET_DEVICE command, +qcom_misc_cmd_type_exec() will simply return 0 without handling it. Even, +if that gets fixed, an unnecessary FLASH_STATUS read descriptor command is +being added in the middle and that seems to be causing the command to fail +on IPQ806x devices. + +So let's fix the above two issues to make OP_RESET_DEVICE command working +again. + +Fixes: a82990c8a409 ("mtd: rawnand: qcom: Add read/read_start ops in exec_op path") +Cc: stable@vger.kernel.org +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Christian Marangi +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20240404083157.940-1-ansuelsmth@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/qcom_nandc.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/nand/raw/qcom_nandc.c ++++ b/drivers/mtd/nand/raw/qcom_nandc.c +@@ -2815,7 +2815,7 @@ static int qcom_misc_cmd_type_exec(struc + host->cfg0_raw & ~(7 << CW_PER_PAGE)); + nandc_set_reg(chip, NAND_DEV0_CFG1, host->cfg1_raw); + instrs = 3; +- } else { ++ } else if (q_op.cmd_reg != OP_RESET_DEVICE) { + return 0; + } + +@@ -2830,9 +2830,8 @@ static int qcom_misc_cmd_type_exec(struc + nandc_set_reg(chip, NAND_EXEC_CMD, 1); + + write_reg_dma(nandc, NAND_FLASH_CMD, instrs, NAND_BAM_NEXT_SGL); +- (q_op.cmd_reg == OP_BLOCK_ERASE) ? write_reg_dma(nandc, NAND_DEV0_CFG0, +- 2, NAND_BAM_NEXT_SGL) : read_reg_dma(nandc, +- NAND_FLASH_STATUS, 1, NAND_BAM_NEXT_SGL); ++ if (q_op.cmd_reg == OP_BLOCK_ERASE) ++ write_reg_dma(nandc, NAND_DEV0_CFG0, 2, NAND_BAM_NEXT_SGL); + + write_reg_dma(nandc, NAND_EXEC_CMD, 1, NAND_BAM_NEXT_SGL); + read_reg_dma(nandc, NAND_FLASH_STATUS, 1, NAND_BAM_NEXT_SGL); diff --git a/queue-6.8/rust-don-t-select-constructors.patch b/queue-6.8/rust-don-t-select-constructors.patch new file mode 100644 index 00000000000..c5bd24d1f13 --- /dev/null +++ b/queue-6.8/rust-don-t-select-constructors.patch @@ -0,0 +1,40 @@ +From 7d49f53af4b988b188d3932deac2c9c80fd7d9ce Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Fri, 8 Mar 2024 09:36:31 +0000 +Subject: rust: don't select CONSTRUCTORS + +From: Alice Ryhl + +commit 7d49f53af4b988b188d3932deac2c9c80fd7d9ce upstream. + +This was originally part of commit 4b9a68f2e59a0 ("rust: add support for +static synchronisation primitives") from the old Rust branch, which used +module constructors to initialize globals containing various +synchronisation primitives with pin-init. That commit has never been +upstreamed, but the `select CONSTRUCTORS` statement ended up being +included in the patch that initially added Rust support to the Linux +Kernel. + +We are not using module constructors, so let's remove the select. + +Signed-off-by: Alice Ryhl +Reviewed-by: Benno Lossin +Cc: stable@vger.kernel.org +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Link: https://lore.kernel.org/r/20240308-constructors-v1-1-4c811342391c@google.com +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + init/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1908,7 +1908,6 @@ config RUST + depends on !GCC_PLUGINS + depends on !RANDSTRUCT + depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE +- select CONSTRUCTORS + help + Enables Rust support in the kernel. + diff --git a/queue-6.8/rust-init-remove-impl-zeroable-for-infallible.patch b/queue-6.8/rust-init-remove-impl-zeroable-for-infallible.patch new file mode 100644 index 00000000000..83e515a78c8 --- /dev/null +++ b/queue-6.8/rust-init-remove-impl-zeroable-for-infallible.patch @@ -0,0 +1,59 @@ +From 49ceae68a0df9a92617a61e9ce8a0efcf6419585 Mon Sep 17 00:00:00 2001 +From: Laine Taffin Altman +Date: Wed, 3 Apr 2024 14:06:59 -0700 +Subject: rust: init: remove impl Zeroable for Infallible + +From: Laine Taffin Altman + +commit 49ceae68a0df9a92617a61e9ce8a0efcf6419585 upstream. + +In Rust, producing an invalid value of any type is immediate undefined +behavior (UB); this includes via zeroing memory. Therefore, since an +uninhabited type has no valid values, producing any values at all for it is +UB. + +The Rust standard library type `core::convert::Infallible` is uninhabited, +by virtue of having been declared as an enum with no cases, which always +produces uninhabited types in Rust. + +The current kernel code allows this UB to be triggered, for example by code +like `Box::::init(kernel::init::zeroed())`. + +Thus, remove the implementation of `Zeroable` for `Infallible`, thereby +avoiding the unsoundness (potential for future UB). + +Cc: stable@vger.kernel.org +Fixes: 38cde0bd7b67 ("rust: init: add `Zeroable` trait and `init::zeroed` function") +Closes: https://github.com/Rust-for-Linux/pinned-init/pull/13 +Signed-off-by: Laine Taffin Altman +Reviewed-by: Alice Ryhl +Reviewed-by: Boqun Feng +Reviewed-by: Benno Lossin +Link: https://lore.kernel.org/r/CA160A4E-561E-4918-837E-3DCEBA74F808@me.com +[ Reformatted the comment slightly. ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/init.rs | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/rust/kernel/init.rs ++++ b/rust/kernel/init.rs +@@ -1292,8 +1292,15 @@ impl_zeroable! { + i8, i16, i32, i64, i128, isize, + f32, f64, + +- // SAFETY: These are ZSTs, there is nothing to zero. +- {} PhantomData, core::marker::PhantomPinned, Infallible, (), ++ // Note: do not add uninhabited types (such as `!` or `core::convert::Infallible`) to this list; ++ // creating an instance of an uninhabited type is immediate undefined behavior. For more on ++ // uninhabited/empty types, consult The Rustonomicon: ++ // . The Rust Reference ++ // also has information on undefined behavior: ++ // . ++ // ++ // SAFETY: These are inhabited ZSTs; there is nothing to zero and a valid value exists. ++ {} PhantomData, core::marker::PhantomPinned, (), + + // SAFETY: Type is allowed to take any value, including all zeros. + {} MaybeUninit, diff --git a/queue-6.8/rust-kernel-require-send-for-module-implementations.patch b/queue-6.8/rust-kernel-require-send-for-module-implementations.patch new file mode 100644 index 00000000000..d0ff35d7138 --- /dev/null +++ b/queue-6.8/rust-kernel-require-send-for-module-implementations.patch @@ -0,0 +1,39 @@ +From 323617f649c0966ad5e741e47e27e06d3a680d8f Mon Sep 17 00:00:00 2001 +From: Wedson Almeida Filho +Date: Thu, 28 Mar 2024 16:54:54 -0300 +Subject: rust: kernel: require `Send` for `Module` implementations + +From: Wedson Almeida Filho + +commit 323617f649c0966ad5e741e47e27e06d3a680d8f upstream. + +The thread that calls the module initialisation code when a module is +loaded is not guaranteed [in fact, it is unlikely] to be the same one +that calls the module cleanup code on module unload, therefore, `Module` +implementations must be `Send` to account for them moving from one +thread to another implicitly. + +Signed-off-by: Wedson Almeida Filho +Reviewed-by: Alice Ryhl +Reviewed-by: Benno Lossin +Cc: stable@vger.kernel.org # 6.8.x: df70d04d5697: rust: phy: implement `Send` for `Registration` +Cc: stable@vger.kernel.org +Fixes: 247b365dc8dc ("rust: add `kernel` crate") +Link: https://lore.kernel.org/r/20240328195457.225001-3-wedsonaf@gmail.com +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/lib.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/rust/kernel/lib.rs ++++ b/rust/kernel/lib.rs +@@ -66,7 +66,7 @@ const __LOG_PREFIX: &[u8] = b"rust_kerne + /// The top level entrypoint to implementing a kernel module. + /// + /// For any teardown or cleanup operations, your type may implement [`Drop`]. +-pub trait Module: Sized + Sync { ++pub trait Module: Sized + Sync + Send { + /// Called at module initialization time. + /// + /// Use this method to perform whatever setup or registration your module diff --git a/queue-6.8/rust-make-mutually-exclusive-with-cfi_clang.patch b/queue-6.8/rust-make-mutually-exclusive-with-cfi_clang.patch new file mode 100644 index 00000000000..4e122fe1175 --- /dev/null +++ b/queue-6.8/rust-make-mutually-exclusive-with-cfi_clang.patch @@ -0,0 +1,50 @@ +From 8933cf4651e02853ca679be7b2d978dfcdcc5e0c Mon Sep 17 00:00:00 2001 +From: Conor Dooley +Date: Thu, 4 Apr 2024 15:17:02 +0100 +Subject: rust: make mutually exclusive with CFI_CLANG + +From: Conor Dooley + +commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream. + +On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled, +loading a rust module will trigger a kernel panic. Support for +sanitisers, including kcfi (CFI_CLANG), is in the works, but for now +they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG +to prevent configuring a kernel without symmetrical support for kfi. + +[ Matthew Maurer writes [1]: + + This patch is fine by me - the last patch needed for KCFI to be + functional in Rust just landed upstream last night, so we should + revisit this (in the form of enabling it) once we move to + `rustc-1.79.0` or later. + + Ramon de C Valle also gave feedback [2] on the status of KCFI for + Rust and created a tracking issue [3] in upstream Rust. - Miguel ] + +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Cc: stable@vger.kernel.org +Signed-off-by: Conor Dooley +Acked-by: Nathan Chancellor +Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1] +Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2] +Link: https://github.com/rust-lang/rust/issues/123479 [3] +Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud +[ Added feedback from the list, links, and used Cc for the tag. ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + init/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1904,6 +1904,7 @@ config RUST + bool "Rust support" + depends on HAVE_RUST + depends on RUST_IS_AVAILABLE ++ depends on !CFI_CLANG + depends on !MODVERSIONS + depends on !GCC_PLUGINS + depends on !RANDSTRUCT diff --git a/queue-6.8/rust-remove-params-from-module-macro-example.patch b/queue-6.8/rust-remove-params-from-module-macro-example.patch new file mode 100644 index 00000000000..b5ce994cd78 --- /dev/null +++ b/queue-6.8/rust-remove-params-from-module-macro-example.patch @@ -0,0 +1,46 @@ +From 19843452dca40e28d6d3f4793d998b681d505c7f Mon Sep 17 00:00:00 2001 +From: Aswin Unnikrishnan +Date: Fri, 19 Apr 2024 21:50:13 +0000 +Subject: rust: remove `params` from `module` macro example + +From: Aswin Unnikrishnan + +commit 19843452dca40e28d6d3f4793d998b681d505c7f upstream. + +Remove argument `params` from the `module` macro example, because the +macro does not currently support module parameters since it was not sent +with the initial merge. + +Signed-off-by: Aswin Unnikrishnan +Reviewed-by: Alice Ryhl +Cc: stable@vger.kernel.org +Fixes: 1fbde52bde73 ("rust: add `macros` crate") +Link: https://lore.kernel.org/r/20240419215015.157258-1-aswinunni01@gmail.com +[ Reworded slightly. ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/macros/lib.rs | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/rust/macros/lib.rs ++++ b/rust/macros/lib.rs +@@ -35,18 +35,6 @@ use proc_macro::TokenStream; + /// author: "Rust for Linux Contributors", + /// description: "My very own kernel module!", + /// license: "GPL", +-/// params: { +-/// my_i32: i32 { +-/// default: 42, +-/// permissions: 0o000, +-/// description: "Example of i32", +-/// }, +-/// writeable_i32: i32 { +-/// default: 42, +-/// permissions: 0o644, +-/// description: "Example of i32", +-/// }, +-/// }, + /// } + /// + /// struct MyModule; diff --git a/queue-6.8/series b/queue-6.8/series index 37e62271ef9..0bb0bd09593 100644 --- a/queue-6.8/series +++ b/queue-6.8/series @@ -131,3 +131,50 @@ selftests-seccomp-change-the-syscall-used-in-kill_thread-test.patch selftests-seccomp-handle-einval-on-unshare-clone_newpid.patch x86-cpu-amd-add-models-0x10-0x1f-to-the-zen5-range.patch x86-cpu-fix-check-for-rdpkru-in-__show_regs.patch +rust-kernel-require-send-for-module-implementations.patch +rust-don-t-select-constructors.patch +rust-init-remove-impl-zeroable-for-infallible.patch +rust-make-mutually-exclusive-with-cfi_clang.patch +kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch +kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch +rust-remove-params-from-module-macro-example.patch +bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch +bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch +bluetooth-qca-fix-invalid-device-address-check.patch +bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch +bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch +mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch +mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch +mmc-sdhci-msm-pervent-access-to-suspended-controller.patch +mmc-sdhci-of-dwcmshc-th1520-increase-tuning-loop-count-to-128.patch +mm-create-folio_flag_false-and-folio_type_ops-macros.patch +mm-support-page_mapcount-on-page_has_type-pages.patch +mm-hugetlb-fix-debug_locks_warn_on-1-when-dissolve_free_hugetlb_folio.patch +smb-client-fix-struct_group-usage-in-__packed-structs.patch +smb3-missing-lock-when-picking-channel.patch +smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch +hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch +hid-i2c-hid-revert-to-await-reset-ack-before-reading-report-descriptor.patch +btrfs-fallback-if-compressed-io-fails-for-enospc.patch +btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch +btrfs-scrub-run-relocation-repair-when-only-needed.patch +btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch +x86-tdx-preserve-shared-bit-on-mprotect.patch +cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch +eeprom-at24-fix-memory-corruption-race-condition.patch +loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch +loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch +arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch +arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch +arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch +dmaengine-revert-dmaengine-pl330-issue_pending-waits-until-wfp-state.patch +dmaengine-xilinx-xdma-fix-wrong-offsets-in-the-buffers-addresses-in-dma-descriptor.patch +dmaengine-xilinx-xdma-fix-synchronization-issue.patch +drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch +drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch +drm-atomic-helper-fix-parameter-order-in-drm_format_conv_state_copy-call.patch +drm-amdgpu-pm-remove-gpu_od-if-it-s-an-empty-directory.patch +drm-amdgpu-umsch-don-t-execute-umsch-test-when-gpu-is-in-reset-suspend.patch +drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch +drm-amdkfd-fix-rescheduling-of-restore-worker.patch +drm-amdkfd-fix-eviction-fence-handling.patch diff --git a/queue-6.8/smb-client-fix-struct_group-usage-in-__packed-structs.patch b/queue-6.8/smb-client-fix-struct_group-usage-in-__packed-structs.patch new file mode 100644 index 00000000000..8e5ec699a08 --- /dev/null +++ b/queue-6.8/smb-client-fix-struct_group-usage-in-__packed-structs.patch @@ -0,0 +1,219 @@ +From 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 23 Apr 2024 20:41:22 -0600 +Subject: smb: client: Fix struct_group() usage in __packed structs + +From: Gustavo A. R. Silva + +commit 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 upstream. + +Use struct_group_attr() in __packed structs, instead of struct_group(). + +Below you can see the pahole output before/after changes: + +pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o +struct smb2_file_network_open_info { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + }; /* 0 56 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + } network_open_info; /* 0 56 */ + }; /* 0 56 */ + __le32 Reserved; /* 56 4 */ + + /* size: 60, cachelines: 1, members: 2 */ + /* last cacheline: 60 bytes */ +} __attribute__((__packed__)); + +pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o +struct smb2_file_network_open_info { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + } __attribute__((__packed__)); /* 0 52 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le64 AllocationSize; /* 32 8 */ + __le64 EndOfFile; /* 40 8 */ + __le32 Attributes; /* 48 4 */ + } __attribute__((__packed__)) network_open_info; /* 0 52 */ + }; /* 0 52 */ + __le32 Reserved; /* 52 4 */ + + /* size: 56, cachelines: 1, members: 2 */ + /* last cacheline: 56 bytes */ +}; + +pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o +struct smb_com_open_rsp { + ... + + union { + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + }; /* 48 40 */ + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + } common_attributes; /* 48 40 */ + }; /* 48 40 */ + + ... + + /* size: 111, cachelines: 2, members: 14 */ + /* last cacheline: 47 bytes */ +} __attribute__((__packed__)); + +pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o +struct smb_com_open_rsp { + ... + + union { + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + } __attribute__((__packed__)); /* 48 36 */ + struct { + __le64 CreationTime; /* 48 8 */ + __le64 LastAccessTime; /* 56 8 */ + /* --- cacheline 1 boundary (64 bytes) --- */ + __le64 LastWriteTime; /* 64 8 */ + __le64 ChangeTime; /* 72 8 */ + __le32 FileAttributes; /* 80 4 */ + } __attribute__((__packed__)) common_attributes; /* 48 36 */ + }; /* 48 36 */ + + ... + + /* size: 107, cachelines: 2, members: 14 */ + /* last cacheline: 43 bytes */ +} __attribute__((__packed__)); + +pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o +typedef struct { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + }; /* 0 40 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + } common_attributes; /* 0 40 */ + }; /* 0 40 */ + + ... + + /* size: 113, cachelines: 2, members: 17 */ + /* last cacheline: 49 bytes */ +} __attribute__((__packed__)) FILE_ALL_INFO; + +pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o +typedef struct { + union { + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + } __attribute__((__packed__)); /* 0 36 */ + struct { + __le64 CreationTime; /* 0 8 */ + __le64 LastAccessTime; /* 8 8 */ + __le64 LastWriteTime; /* 16 8 */ + __le64 ChangeTime; /* 24 8 */ + __le32 Attributes; /* 32 4 */ + } __attribute__((__packed__)) common_attributes; /* 0 36 */ + }; /* 0 36 */ + + ... + + /* size: 109, cachelines: 2, members: 17 */ + /* last cacheline: 45 bytes */ +} __attribute__((__packed__)) FILE_ALL_INFO; + +Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings") +Cc: stable@vger.kernel.org +Reviewed-by: Namjae Jeon +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifspdu.h | 4 ++-- + fs/smb/client/smb2pdu.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/cifspdu.h ++++ b/fs/smb/client/cifspdu.h +@@ -882,7 +882,7 @@ typedef struct smb_com_open_rsp { + __u8 OplockLevel; + __u16 Fid; + __le32 CreateAction; +- struct_group(common_attributes, ++ struct_group_attr(common_attributes, __packed, + __le64 CreationTime; + __le64 LastAccessTime; + __le64 LastWriteTime; +@@ -2266,7 +2266,7 @@ typedef struct { + /* QueryFileInfo/QueryPathinfo (also for SetPath/SetFile) data buffer formats */ + /******************************************************************************/ + typedef struct { /* data block encoding of response to level 263 QPathInfo */ +- struct_group(common_attributes, ++ struct_group_attr(common_attributes, __packed, + __le64 CreationTime; + __le64 LastAccessTime; + __le64 LastWriteTime; +--- a/fs/smb/client/smb2pdu.h ++++ b/fs/smb/client/smb2pdu.h +@@ -319,7 +319,7 @@ struct smb2_file_reparse_point_info { + } __packed; + + struct smb2_file_network_open_info { +- struct_group(network_open_info, ++ struct_group_attr(network_open_info, __packed, + __le64 CreationTime; + __le64 LastAccessTime; + __le64 LastWriteTime; diff --git a/queue-6.8/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch b/queue-6.8/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch new file mode 100644 index 00000000000..a0203b0b52f --- /dev/null +++ b/queue-6.8/smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch @@ -0,0 +1,41 @@ +From 8861fd5180476f45f9e8853db154600469a0284f Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 25 Apr 2024 12:49:50 -0500 +Subject: smb3: fix lock ordering potential deadlock in cifs_sync_mid_result + +From: Steve French + +commit 8861fd5180476f45f9e8853db154600469a0284f upstream. + +Coverity spotted that the cifs_sync_mid_result function could deadlock + +"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires +lock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock" + +Addresses-Coverity: 1590401 ("Thread deadlock (ORDER_REVERSAL)") +Cc: stable@vger.kernel.org +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/transport.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -909,12 +909,15 @@ cifs_sync_mid_result(struct mid_q_entry + list_del_init(&mid->qhead); + mid->mid_flags |= MID_DELETED; + } ++ spin_unlock(&server->mid_lock); + cifs_server_dbg(VFS, "%s: invalid mid state mid=%llu state=%d\n", + __func__, mid->mid, mid->mid_state); + rc = -EIO; ++ goto sync_mid_done; + } + spin_unlock(&server->mid_lock); + ++sync_mid_done: + release_mid(mid); + return rc; + } diff --git a/queue-6.8/smb3-missing-lock-when-picking-channel.patch b/queue-6.8/smb3-missing-lock-when-picking-channel.patch new file mode 100644 index 00000000000..d0755263599 --- /dev/null +++ b/queue-6.8/smb3-missing-lock-when-picking-channel.patch @@ -0,0 +1,36 @@ +From 8094a600245e9b28eb36a13036f202ad67c1f887 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 25 Apr 2024 11:30:16 -0500 +Subject: smb3: missing lock when picking channel + +From: Steve French + +commit 8094a600245e9b28eb36a13036f202ad67c1f887 upstream. + +Coverity spotted a place where we should have been holding the +channel lock when accessing the ses channel index. + +Addresses-Coverity: 1582039 ("Data race condition (MISSING_LOCK)") +Cc: stable@vger.kernel.org +Reviewed-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/transport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -1057,9 +1057,11 @@ struct TCP_Server_Info *cifs_pick_channe + index = (uint)atomic_inc_return(&ses->chan_seq); + index %= ses->chan_count; + } ++ ++ server = ses->chans[index].server; + spin_unlock(&ses->chan_lock); + +- return ses->chans[index].server; ++ return server; + } + + int diff --git a/queue-6.8/x86-tdx-preserve-shared-bit-on-mprotect.patch b/queue-6.8/x86-tdx-preserve-shared-bit-on-mprotect.patch new file mode 100644 index 00000000000..937c4d40d46 --- /dev/null +++ b/queue-6.8/x86-tdx-preserve-shared-bit-on-mprotect.patch @@ -0,0 +1,66 @@ +From a0a8d15a798be4b8f20aca2ba91bf6b688c6a640 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Wed, 24 Apr 2024 11:20:35 +0300 +Subject: x86/tdx: Preserve shared bit on mprotect() + +From: Kirill A. Shutemov + +commit a0a8d15a798be4b8f20aca2ba91bf6b688c6a640 upstream. + +The TDX guest platform takes one bit from the physical address to +indicate if the page is shared (accessible by VMM). This bit is not part +of the physical_mask and is not preserved during mprotect(). As a +result, the 'shared' bit is lost during mprotect() on shared mappings. + +_COMMON_PAGE_CHG_MASK specifies which PTE bits need to be preserved +during modification. AMD includes 'sme_me_mask' in the define to +preserve the 'encrypt' bit. + +To cover both Intel and AMD cases, include 'cc_mask' in +_COMMON_PAGE_CHG_MASK instead of 'sme_me_mask'. + +Reported-and-tested-by: Chris Oo + +Fixes: 41394e33f3a0 ("x86/tdx: Extend the confidential computing API to support TDX guests") +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Dave Hansen +Reviewed-by: Rick Edgecombe +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Tom Lendacky +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20240424082035.4092071-1-kirill.shutemov%40linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/coco.h | 1 + + arch/x86/include/asm/pgtable_types.h | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/coco.h ++++ b/arch/x86/include/asm/coco.h +@@ -24,6 +24,7 @@ u64 cc_mkdec(u64 val); + void cc_random_init(void); + #else + #define cc_vendor (CC_VENDOR_NONE) ++static const u64 cc_mask = 0; + + static inline u64 cc_mkenc(u64 val) + { +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -148,7 +148,7 @@ + #define _COMMON_PAGE_CHG_MASK (PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT | \ + _PAGE_SPECIAL | _PAGE_ACCESSED | \ + _PAGE_DIRTY_BITS | _PAGE_SOFT_DIRTY | \ +- _PAGE_DEVMAP | _PAGE_ENC | _PAGE_UFFD_WP) ++ _PAGE_DEVMAP | _PAGE_CC | _PAGE_UFFD_WP) + #define _PAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PAT) + #define _HPAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PSE | _PAGE_PAT_LARGE) + +@@ -173,6 +173,7 @@ enum page_cache_mode { + }; + #endif + ++#define _PAGE_CC (_AT(pteval_t, cc_mask)) + #define _PAGE_ENC (_AT(pteval_t, sme_me_mask)) + + #define _PAGE_CACHE_MASK (_PAGE_PWT | _PAGE_PCD | _PAGE_PAT)