From: Greg Kroah-Hartman Date: Mon, 15 Apr 2024 12:43:45 +0000 (+0200) Subject: 6.8-stable patches X-Git-Tag: v5.15.156~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a4d09c8aa93da9f80969bb88ad3b5fd7c1344de;p=thirdparty%2Fkernel%2Fstable-queue.git 6.8-stable patches added patches: accel-ivpu-check-return-code-of-ipc-lock-init.patch accel-ivpu-fix-deadlock-in-context_xa.patch accel-ivpu-fix-pci-d0-state-entry-in-resume.patch accel-ivpu-put-npu-back-to-d3hot-after-failed-resume.patch accel-ivpu-return-max-freq-for-drm_ivpu_param_core_clock_rate.patch arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch arm64-dts-imx8-ss-dma-fix-pwm-lpcg-indices.patch arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch btrfs-record-delayed-inode-root-in-transaction.patch drm-amdgpu-umsch-reinitialize-write-pointer-in-hw-init.patch drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch drm-ast-fix-soft-lockup.patch drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch drm-msm-dp-fix-runtime-pm-leak-on-connect-failure.patch drm-msm-dp-fix-runtime-pm-leak-on-disconnect.patch drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch drm-vmwgfx-enable-dma-mappings-with-sev.patch fs-proc-remove-redundant-comments-from-proc-bootconfig.patch fs-proc-skip-bootloader-comment-if-no-embedded-kernel-parameters.patch io_uring-net-restore-msg_control-on-sendzc-retry.patch kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch perf-x86-fix-out-of-range-data.patch scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch scsi-sg-avoid-sg-device-teardown-race.patch selftests-timers-posix_timers-reimplement-check_timer_distribution.patch vhost-add-smp_rmb-in-vhost_enable_notify.patch vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch --- diff --git a/queue-6.8/accel-ivpu-check-return-code-of-ipc-lock-init.patch b/queue-6.8/accel-ivpu-check-return-code-of-ipc-lock-init.patch new file mode 100644 index 00000000000..a3438b55adf --- /dev/null +++ b/queue-6.8/accel-ivpu-check-return-code-of-ipc-lock-init.patch @@ -0,0 +1,45 @@ +From f0cf7ffcd02953c72fed5995378805883d16203e Mon Sep 17 00:00:00 2001 +From: "Wachowski, Karol" +Date: Tue, 2 Apr 2024 12:49:22 +0200 +Subject: accel/ivpu: Check return code of ipc->lock init + +From: Wachowski, Karol + +commit f0cf7ffcd02953c72fed5995378805883d16203e upstream. + +Return value of drmm_mutex_init(ipc->lock) was unchecked. + +Fixes: 5d7422cfb498 ("accel/ivpu: Add IPC driver and JSM messages") +Cc: # v6.3+ +Signed-off-by: Wachowski, Karol +Signed-off-by: Jacek Lawrynowicz +Reviewed-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-2-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_ipc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/accel/ivpu/ivpu_ipc.c ++++ b/drivers/accel/ivpu/ivpu_ipc.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (C) 2020-2023 Intel Corporation ++ * Copyright (C) 2020-2024 Intel Corporation + */ + + #include +@@ -501,7 +501,11 @@ int ivpu_ipc_init(struct ivpu_device *vd + spin_lock_init(&ipc->cons_lock); + INIT_LIST_HEAD(&ipc->cons_list); + INIT_LIST_HEAD(&ipc->cb_msg_list); +- drmm_mutex_init(&vdev->drm, &ipc->lock); ++ ret = drmm_mutex_init(&vdev->drm, &ipc->lock); ++ if (ret) { ++ ivpu_err(vdev, "Failed to initialize ipc->lock, ret %d\n", ret); ++ goto err_free_rx; ++ } + ivpu_ipc_reset(vdev); + return 0; + diff --git a/queue-6.8/accel-ivpu-fix-deadlock-in-context_xa.patch b/queue-6.8/accel-ivpu-fix-deadlock-in-context_xa.patch new file mode 100644 index 00000000000..4497620f642 --- /dev/null +++ b/queue-6.8/accel-ivpu-fix-deadlock-in-context_xa.patch @@ -0,0 +1,37 @@ +From fd7726e75968b27fe98534ccbf47ccd6fef686f3 Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Tue, 2 Apr 2024 12:49:29 +0200 +Subject: accel/ivpu: Fix deadlock in context_xa + +From: Jacek Lawrynowicz + +commit fd7726e75968b27fe98534ccbf47ccd6fef686f3 upstream. + +ivpu_device->context_xa is locked both in kernel thread and IRQ context. +It requires XA_FLAGS_LOCK_IRQ flag to be passed during initialization +otherwise the lock could be acquired from a thread and interrupted by +an IRQ that locks it for the second time causing the deadlock. + +This deadlock was reported by lockdep and observed in internal tests. + +Fixes: 35b137630f08 ("accel/ivpu: Introduce a new DRM driver for Intel VPU") +Cc: # v6.3+ +Signed-off-by: Jacek Lawrynowicz +Reviewed-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-9-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accel/ivpu/ivpu_drv.c ++++ b/drivers/accel/ivpu/ivpu_drv.c +@@ -514,7 +514,7 @@ static int ivpu_dev_init(struct ivpu_dev + vdev->context_xa_limit.min = IVPU_USER_CONTEXT_MIN_SSID; + vdev->context_xa_limit.max = IVPU_USER_CONTEXT_MAX_SSID; + atomic64_set(&vdev->unique_id_counter, 0); +- xa_init_flags(&vdev->context_xa, XA_FLAGS_ALLOC); ++ xa_init_flags(&vdev->context_xa, XA_FLAGS_ALLOC | XA_FLAGS_LOCK_IRQ); + xa_init_flags(&vdev->submitted_jobs_xa, XA_FLAGS_ALLOC1); + lockdep_set_class(&vdev->submitted_jobs_xa.xa_lock, &submitted_jobs_xa_lock_class_key); + INIT_LIST_HEAD(&vdev->bo_list); diff --git a/queue-6.8/accel-ivpu-fix-pci-d0-state-entry-in-resume.patch b/queue-6.8/accel-ivpu-fix-pci-d0-state-entry-in-resume.patch new file mode 100644 index 00000000000..8d2b3a44942 --- /dev/null +++ b/queue-6.8/accel-ivpu-fix-pci-d0-state-entry-in-resume.patch @@ -0,0 +1,39 @@ +From 3534eacbf101f6e66105f03d869a03893407c384 Mon Sep 17 00:00:00 2001 +From: "Wachowski, Karol" +Date: Tue, 2 Apr 2024 12:49:24 +0200 +Subject: accel/ivpu: Fix PCI D0 state entry in resume + +From: Wachowski, Karol + +commit 3534eacbf101f6e66105f03d869a03893407c384 upstream. + +In case of failed power up we end up left in PCI D3hot +state making it impossible to access NPU registers on retry. +Enter D0 state on retry before proceeding with power up sequence. + +Fixes: 28083ff18d3f ("accel/ivpu: Fix DevTLB errors on suspend/resume and recovery") +Cc: # v6.8+ +Signed-off-by: Wachowski, Karol +Signed-off-by: Jacek Lawrynowicz +Reviewed-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-4-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_pm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/accel/ivpu/ivpu_pm.c ++++ b/drivers/accel/ivpu/ivpu_pm.c +@@ -74,10 +74,10 @@ static int ivpu_resume(struct ivpu_devic + { + int ret; + +- pci_set_power_state(to_pci_dev(vdev->drm.dev), PCI_D0); ++retry: + pci_restore_state(to_pci_dev(vdev->drm.dev)); ++ pci_set_power_state(to_pci_dev(vdev->drm.dev), PCI_D0); + +-retry: + ret = ivpu_hw_power_up(vdev); + if (ret) { + ivpu_err(vdev, "Failed to power up HW: %d\n", ret); diff --git a/queue-6.8/accel-ivpu-put-npu-back-to-d3hot-after-failed-resume.patch b/queue-6.8/accel-ivpu-put-npu-back-to-d3hot-after-failed-resume.patch new file mode 100644 index 00000000000..937194cb8ff --- /dev/null +++ b/queue-6.8/accel-ivpu-put-npu-back-to-d3hot-after-failed-resume.patch @@ -0,0 +1,33 @@ +From 875bc9cd1b33eb027a5663f5e6878a43d98e9a16 Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Tue, 2 Apr 2024 12:49:25 +0200 +Subject: accel/ivpu: Put NPU back to D3hot after failed resume + +From: Jacek Lawrynowicz + +commit 875bc9cd1b33eb027a5663f5e6878a43d98e9a16 upstream. + +Put NPU in D3hot after ivpu_resume() fails to power up the device. +This will assure that D3->D0 power cycle will be performed before +the next resume and also will minimize power usage in this corner case. + +Fixes: 28083ff18d3f ("accel/ivpu: Fix DevTLB errors on suspend/resume and recovery") +Cc: # v6.8+ +Signed-off-by: Jacek Lawrynowicz +Reviewed-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-5-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_pm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/accel/ivpu/ivpu_pm.c ++++ b/drivers/accel/ivpu/ivpu_pm.c +@@ -100,6 +100,7 @@ err_mmu_disable: + ivpu_mmu_disable(vdev); + err_power_down: + ivpu_hw_power_down(vdev); ++ pci_set_power_state(to_pci_dev(vdev->drm.dev), PCI_D3hot); + + if (!ivpu_fw_is_cold_boot(vdev)) { + ivpu_pm_prepare_cold_boot(vdev); diff --git a/queue-6.8/accel-ivpu-return-max-freq-for-drm_ivpu_param_core_clock_rate.patch b/queue-6.8/accel-ivpu-return-max-freq-for-drm_ivpu_param_core_clock_rate.patch new file mode 100644 index 00000000000..e2facb93e1d --- /dev/null +++ b/queue-6.8/accel-ivpu-return-max-freq-for-drm_ivpu_param_core_clock_rate.patch @@ -0,0 +1,139 @@ +From c52c35e5b404b95a5bcff39af9be1b9293be3434 Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Tue, 2 Apr 2024 12:49:27 +0200 +Subject: accel/ivpu: Return max freq for DRM_IVPU_PARAM_CORE_CLOCK_RATE + +From: Jacek Lawrynowicz + +commit c52c35e5b404b95a5bcff39af9be1b9293be3434 upstream. + +DRM_IVPU_PARAM_CORE_CLOCK_RATE returns current NPU frequency which +could be 0 if device was sleeping. This value isn't really useful to +the user space, so return max freq instead which can be used to estimate +NPU performance. + +Fixes: c39dc15191c4 ("accel/ivpu: Read clock rate only if device is up") +Cc: # v6.7 +Signed-off-by: Jacek Lawrynowicz +Reviewed-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/20240402104929.941186-7-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_drv.c | 18 +----------------- + drivers/accel/ivpu/ivpu_hw.h | 6 ++++++ + drivers/accel/ivpu/ivpu_hw_37xx.c | 7 ++++--- + drivers/accel/ivpu/ivpu_hw_40xx.c | 6 ++++++ + 4 files changed, 17 insertions(+), 20 deletions(-) + +--- a/drivers/accel/ivpu/ivpu_drv.c ++++ b/drivers/accel/ivpu/ivpu_drv.c +@@ -131,22 +131,6 @@ static int ivpu_get_capabilities(struct + return 0; + } + +-static int ivpu_get_core_clock_rate(struct ivpu_device *vdev, u64 *clk_rate) +-{ +- int ret; +- +- ret = ivpu_rpm_get_if_active(vdev); +- if (ret < 0) +- return ret; +- +- *clk_rate = ret ? ivpu_hw_reg_pll_freq_get(vdev) : 0; +- +- if (ret) +- ivpu_rpm_put(vdev); +- +- return 0; +-} +- + static int ivpu_get_param_ioctl(struct drm_device *dev, void *data, struct drm_file *file) + { + struct ivpu_file_priv *file_priv = file->driver_priv; +@@ -170,7 +154,7 @@ static int ivpu_get_param_ioctl(struct d + args->value = vdev->platform; + break; + case DRM_IVPU_PARAM_CORE_CLOCK_RATE: +- ret = ivpu_get_core_clock_rate(vdev, &args->value); ++ args->value = ivpu_hw_ratio_to_freq(vdev, vdev->hw->pll.max_ratio); + break; + case DRM_IVPU_PARAM_NUM_CONTEXTS: + args->value = ivpu_get_context_count(vdev); +--- a/drivers/accel/ivpu/ivpu_hw.h ++++ b/drivers/accel/ivpu/ivpu_hw.h +@@ -21,6 +21,7 @@ struct ivpu_hw_ops { + u32 (*profiling_freq_get)(struct ivpu_device *vdev); + void (*profiling_freq_drive)(struct ivpu_device *vdev, bool enable); + u32 (*reg_pll_freq_get)(struct ivpu_device *vdev); ++ u32 (*ratio_to_freq)(struct ivpu_device *vdev, u32 ratio); + u32 (*reg_telemetry_offset_get)(struct ivpu_device *vdev); + u32 (*reg_telemetry_size_get)(struct ivpu_device *vdev); + u32 (*reg_telemetry_enable_get)(struct ivpu_device *vdev); +@@ -130,6 +131,11 @@ static inline u32 ivpu_hw_reg_pll_freq_g + return vdev->hw->ops->reg_pll_freq_get(vdev); + }; + ++static inline u32 ivpu_hw_ratio_to_freq(struct ivpu_device *vdev, u32 ratio) ++{ ++ return vdev->hw->ops->ratio_to_freq(vdev, ratio); ++} ++ + static inline u32 ivpu_hw_reg_telemetry_offset_get(struct ivpu_device *vdev) + { + return vdev->hw->ops->reg_telemetry_offset_get(vdev); +--- a/drivers/accel/ivpu/ivpu_hw_37xx.c ++++ b/drivers/accel/ivpu/ivpu_hw_37xx.c +@@ -805,12 +805,12 @@ static void ivpu_hw_37xx_profiling_freq_ + /* Profiling freq - is a debug feature. Unavailable on VPU 37XX. */ + } + +-static u32 ivpu_hw_37xx_pll_to_freq(u32 ratio, u32 config) ++static u32 ivpu_hw_37xx_ratio_to_freq(struct ivpu_device *vdev, u32 ratio) + { + u32 pll_clock = PLL_REF_CLK_FREQ * ratio; + u32 cpu_clock; + +- if ((config & 0xff) == PLL_RATIO_4_3) ++ if ((vdev->hw->config & 0xff) == PLL_RATIO_4_3) + cpu_clock = pll_clock * 2 / 4; + else + cpu_clock = pll_clock * 2 / 5; +@@ -829,7 +829,7 @@ static u32 ivpu_hw_37xx_reg_pll_freq_get + if (!ivpu_is_silicon(vdev)) + return PLL_SIMULATION_FREQ; + +- return ivpu_hw_37xx_pll_to_freq(pll_curr_ratio, vdev->hw->config); ++ return ivpu_hw_37xx_ratio_to_freq(vdev, pll_curr_ratio); + } + + static u32 ivpu_hw_37xx_reg_telemetry_offset_get(struct ivpu_device *vdev) +@@ -1052,6 +1052,7 @@ const struct ivpu_hw_ops ivpu_hw_37xx_op + .profiling_freq_get = ivpu_hw_37xx_profiling_freq_get, + .profiling_freq_drive = ivpu_hw_37xx_profiling_freq_drive, + .reg_pll_freq_get = ivpu_hw_37xx_reg_pll_freq_get, ++ .ratio_to_freq = ivpu_hw_37xx_ratio_to_freq, + .reg_telemetry_offset_get = ivpu_hw_37xx_reg_telemetry_offset_get, + .reg_telemetry_size_get = ivpu_hw_37xx_reg_telemetry_size_get, + .reg_telemetry_enable_get = ivpu_hw_37xx_reg_telemetry_enable_get, +--- a/drivers/accel/ivpu/ivpu_hw_40xx.c ++++ b/drivers/accel/ivpu/ivpu_hw_40xx.c +@@ -980,6 +980,11 @@ static u32 ivpu_hw_40xx_reg_pll_freq_get + return PLL_RATIO_TO_FREQ(pll_curr_ratio); + } + ++static u32 ivpu_hw_40xx_ratio_to_freq(struct ivpu_device *vdev, u32 ratio) ++{ ++ return PLL_RATIO_TO_FREQ(ratio); ++} ++ + static u32 ivpu_hw_40xx_reg_telemetry_offset_get(struct ivpu_device *vdev) + { + return REGB_RD32(VPU_40XX_BUTTRESS_VPU_TELEMETRY_OFFSET); +@@ -1230,6 +1235,7 @@ const struct ivpu_hw_ops ivpu_hw_40xx_op + .profiling_freq_get = ivpu_hw_40xx_profiling_freq_get, + .profiling_freq_drive = ivpu_hw_40xx_profiling_freq_drive, + .reg_pll_freq_get = ivpu_hw_40xx_reg_pll_freq_get, ++ .ratio_to_freq = ivpu_hw_40xx_ratio_to_freq, + .reg_telemetry_offset_get = ivpu_hw_40xx_reg_telemetry_offset_get, + .reg_telemetry_size_get = ivpu_hw_40xx_reg_telemetry_size_get, + .reg_telemetry_enable_get = ivpu_hw_40xx_reg_telemetry_enable_get, diff --git a/queue-6.8/arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch b/queue-6.8/arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch new file mode 100644 index 00000000000..15c18e55d76 --- /dev/null +++ b/queue-6.8/arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch @@ -0,0 +1,66 @@ +From 808e7716edcdb39d3498b9f567ef6017858b49aa Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:04 -0400 +Subject: arm64: dts: imx8-ss-conn: fix usb lpcg indices + +From: Frank Li + +commit 808e7716edcdb39d3498b9f567ef6017858b49aa upstream. + +usb2_lpcg: clock-controller@5b270000 { + ... Col1 Col2 + clocks = <&conn_ahb_clk>, <&conn_ipg_clk>; // 0 6 + clock-indices = , ; // 0 7 + ... +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +usbotg1: usb@5b0d0000 { + ... + clocks = <&usb2_lpcg 0>; + ^^ +Should be: + clocks = <&usb2_lpcg IMX_LPCG_CLK_6>; +}; + +usbphy1: usbphy@5b100000 { + clocks = <&usb2_lpcg 1>; + ^^ +SHould be: + clocks = <&usb2_lpcg IMX_LPCG_CLK_7>; +}; + +Arg0 is divided by 4 in lpcg driver. So lpcg will do dummy enable. Fix it +by use correct clock indices. + +Cc: stable@vger.kernel.org +Fixes: 8065fc937f0f ("arm64: dts: imx8dxl: add usb1 and usb2 support") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-conn.dtsi +@@ -41,7 +41,7 @@ conn_subsys: bus@5b000000 { + interrupts = ; + fsl,usbphy = <&usbphy1>; + fsl,usbmisc = <&usbmisc1 0>; +- clocks = <&usb2_lpcg 0>; ++ clocks = <&usb2_lpcg IMX_LPCG_CLK_6>; + ahb-burst-config = <0x0>; + tx-burst-size-dword = <0x10>; + rx-burst-size-dword = <0x10>; +@@ -58,7 +58,7 @@ conn_subsys: bus@5b000000 { + usbphy1: usbphy@5b100000 { + compatible = "fsl,imx7ulp-usbphy"; + reg = <0x5b100000 0x1000>; +- clocks = <&usb2_lpcg 1>; ++ clocks = <&usb2_lpcg IMX_LPCG_CLK_7>; + power-domains = <&pd IMX_SC_R_USB_0_PHY>; + status = "disabled"; + }; diff --git a/queue-6.8/arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch b/queue-6.8/arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch new file mode 100644 index 00000000000..ef1f48b2559 --- /dev/null +++ b/queue-6.8/arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch @@ -0,0 +1,61 @@ +From 81975080f14167610976e968e8016e92d836266f Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:07 -0400 +Subject: arm64: dts: imx8-ss-dma: fix adc lpcg indices + +From: Frank Li + +commit 81975080f14167610976e968e8016e92d836266f upstream. + +adc0_lpcg: clock-controller@5ac80000 { + ... Col1 Col2 + clocks = <&clk IMX_SC_R_ADC_0 IMX_SC_PM_CLK_PER>, // 0 0 + <&dma_ipg_clk>; // 1 4 + clock-indices = , ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +adc0: adc@5a880000 { + clocks = <&adc0_lpcg 0>, <&adc0_lpcg 1>; + ^^ ^^ + clocks = <&adc0_lpcg IMX_LPCG_CLK_0>, <&adc0_lpcg IMX_LPCG_CLK_4>; + +Arg0 is divided by 4 in lpcg driver. So adc get IMX_SC_PM_CLK_PER by +<&adc0_lpcg 0>, <&adc0_lpcg 1>. Although function can work, code logic is +wrong. Fix it by using correct indices. + +Cc: stable@vger.kernel.org +Fixes: 1db044b25d2e ("arm64: dts: imx8dxl: add adc0 support") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -377,8 +377,8 @@ dma_subsys: bus@5a000000 { + reg = <0x5a880000 0x10000>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&adc0_lpcg 0>, +- <&adc0_lpcg 1>; ++ clocks = <&adc0_lpcg IMX_LPCG_CLK_0>, ++ <&adc0_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_ADC_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; +@@ -392,8 +392,8 @@ dma_subsys: bus@5a000000 { + reg = <0x5a890000 0x10000>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&adc1_lpcg 0>, +- <&adc1_lpcg 1>; ++ clocks = <&adc1_lpcg IMX_LPCG_CLK_0>, ++ <&adc1_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_ADC_1 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; diff --git a/queue-6.8/arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch b/queue-6.8/arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch new file mode 100644 index 00000000000..aef47dc98a0 --- /dev/null +++ b/queue-6.8/arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch @@ -0,0 +1,77 @@ +From 0893392334b5dffdf616a53679c6a2942c46391b Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:08 -0400 +Subject: arm64: dts: imx8-ss-dma: fix can lpcg indices + +From: Frank Li + +commit 0893392334b5dffdf616a53679c6a2942c46391b upstream. + +can0_lpcg: clock-controller@5acd0000 { + ... Col1 Col2 + clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>, // 0 0 + <&dma_ipg_clk>, // 1 4 + <&dma_ipg_clk>; // 2 5 + clock-indices = , + , + ; +} + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +flexcan1: can@5a8d0000 { + clocks = <&can0_lpcg 1>, <&can0_lpcg 0>; + ^^ ^^ +Should be: + clocks = <&can0_lpcg IMX_LPCG_CLK_4>, <&can0_lpcg IMX_LPCG_CLK_0>; +}; + +Arg0 is divided by 4 in lpcg driver. flexcan driver get IMX_SC_PM_CLK_PER +by <&can0_lpcg 1> and <&can0_lpcg 0>. Although function can work, code +logic is wrong. Fix it by using correct clock indices. + +Cc: stable@vger.kernel.org +Fixes: 5e7d5b023e03 ("arm64: dts: imx8qxp: add flexcan in adma") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -406,8 +406,8 @@ dma_subsys: bus@5a000000 { + reg = <0x5a8d0000 0x10000>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&can0_lpcg 1>, +- <&can0_lpcg 0>; ++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>, ++ <&can0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "per"; + assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <40000000>; +@@ -427,8 +427,8 @@ dma_subsys: bus@5a000000 { + * CAN1 shares CAN0's clock and to enable CAN0's clock it + * has to be powered on. + */ +- clocks = <&can0_lpcg 1>, +- <&can0_lpcg 0>; ++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>, ++ <&can0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "per"; + assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <40000000>; +@@ -448,8 +448,8 @@ dma_subsys: bus@5a000000 { + * CAN2 shares CAN0's clock and to enable CAN0's clock it + * has to be powered on. + */ +- clocks = <&can0_lpcg 1>, +- <&can0_lpcg 0>; ++ clocks = <&can0_lpcg IMX_LPCG_CLK_4>, ++ <&can0_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "per"; + assigned-clocks = <&clk IMX_SC_R_CAN_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <40000000>; diff --git a/queue-6.8/arm64-dts-imx8-ss-dma-fix-pwm-lpcg-indices.patch b/queue-6.8/arm64-dts-imx8-ss-dma-fix-pwm-lpcg-indices.patch new file mode 100644 index 00000000000..4aba474ed18 --- /dev/null +++ b/queue-6.8/arm64-dts-imx8-ss-dma-fix-pwm-lpcg-indices.patch @@ -0,0 +1,55 @@ +From 9055d87bce7276234173fa90e9702af31b3f5353 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:06 -0400 +Subject: arm64: dts: imx8-ss-dma: fix pwm lpcg indices + +From: Frank Li + +commit 9055d87bce7276234173fa90e9702af31b3f5353 upstream. + +adma_pwm_lpcg: clock-controller@5a590000 { + ... col1 col2 + clocks = <&clk IMX_SC_R_LCD_0_PWM_0 IMX_SC_PM_CLK_PER>,// 0 0 + <&dma_ipg_clk>; // 1 4 + clock-indices = , ; + ... +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +adma_pwm: pwm@5a190000 { + ... + clocks = <&adma_pwm_lpcg 1>, <&adma_pwm_lpcg 0>; + ^^ ^^ +Should be + clocks = <&adma_pwm_lpcg IMX_LPCG_CLK_4>, + <&adma_pwm_lpcg IMX_LPCG_CLK_0>; +}; + +Arg0 will be divided by 4 in lcpg driver, so pwm will get IMX_SC_PM_CLK_PER +by <&adma_pwm_lpcg 1>, <&adma_pwm_lpcg 0>. Although function can work, code +logic is wrong. Fix it by use correct indices. + +Cc: stable@vger.kernel.org +Fixes: f1d6a6b991ef ("arm64: dts: imx8qxp: add adma_pwm in adma") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -144,8 +144,8 @@ dma_subsys: bus@5a000000 { + compatible = "fsl,imx8qxp-pwm", "fsl,imx27-pwm"; + reg = <0x5a190000 0x1000>; + interrupts = ; +- clocks = <&adma_pwm_lpcg 1>, +- <&adma_pwm_lpcg 0>; ++ clocks = <&adma_pwm_lpcg IMX_LPCG_CLK_4>, ++ <&adma_pwm_lpcg IMX_LPCG_CLK_0>; + clock-names = "ipg", "per"; + assigned-clocks = <&clk IMX_SC_R_LCD_0_PWM_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; diff --git a/queue-6.8/arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch b/queue-6.8/arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch new file mode 100644 index 00000000000..fdd81f58cca --- /dev/null +++ b/queue-6.8/arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch @@ -0,0 +1,86 @@ +From f72b544a514c07d34a0d9d5380f5905b3731e647 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:05 -0400 +Subject: arm64: dts: imx8-ss-dma: fix spi lpcg indices + +From: Frank Li + +commit f72b544a514c07d34a0d9d5380f5905b3731e647 upstream. + +spi0_lpcg: clock-controller@5a400000 { + ... Col0 Col1 + clocks = <&clk IMX_SC_R_SPI_0 IMX_SC_PM_CLK_PER>,// 0 1 + <&dma_ipg_clk>; // 1 4 + clock-indices = , ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +lpspi0: spi@5a000000 { + ... + clocks = <&spi0_lpcg 0>, <&spi0_lpcg 1>; + ^ ^ +Should be: + clocks = <&spi0_lpcg IMX_LPCG_CLK_0>, <&spi0_lpcg IMX_LPCG_CLK_4>; +}; + +Arg0 is divided by 4 in lpcg driver. <&spi0_lpcg 0> and <&spi0_lpcg 1> are +IMX_SC_PM_CLK_PER. Although code can work, code logic is wrong. It should +use IMX_LPCG_CLK_0 and IMX_LPCG_CLK_4 for lpcg arg0. + +Cc: stable@vger.kernel.org +Fixes: c4098885e790 ("arm64: dts: imx8dxl: add lpspi support") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-dma.dtsi +@@ -27,8 +27,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi0_lpcg 0>, +- <&spi0_lpcg 1>; ++ clocks = <&spi0_lpcg IMX_LPCG_CLK_0>, ++ <&spi0_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; +@@ -43,8 +43,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi1_lpcg 0>, +- <&spi1_lpcg 1>; ++ clocks = <&spi1_lpcg IMX_LPCG_CLK_0>, ++ <&spi1_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_1 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; +@@ -59,8 +59,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi2_lpcg 0>, +- <&spi2_lpcg 1>; ++ clocks = <&spi2_lpcg IMX_LPCG_CLK_0>, ++ <&spi2_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_2 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; +@@ -75,8 +75,8 @@ dma_subsys: bus@5a000000 { + #size-cells = <0>; + interrupts = ; + interrupt-parent = <&gic>; +- clocks = <&spi3_lpcg 0>, +- <&spi3_lpcg 1>; ++ clocks = <&spi3_lpcg IMX_LPCG_CLK_0>, ++ <&spi3_lpcg IMX_LPCG_CLK_4>; + clock-names = "per", "ipg"; + assigned-clocks = <&clk IMX_SC_R_SPI_3 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <60000000>; diff --git a/queue-6.8/arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch b/queue-6.8/arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch new file mode 100644 index 00000000000..3422454982b --- /dev/null +++ b/queue-6.8/arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch @@ -0,0 +1,94 @@ +From 1d86c2b3946e69d6b0b93568d312aae6247847c0 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:03 -0400 +Subject: arm64: dts: imx8-ss-lsio: fix pwm lpcg indices + +From: Frank Li + +commit 1d86c2b3946e69d6b0b93568d312aae6247847c0 upstream. + +lpcg's arg0 should use clock indices instead of index. + +pwm0_lpcg: clock-controller@5d400000 { + ... // Col1 Col2 + clocks = <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 0 0 + <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 1 1 + <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>, // 2 4 + <&lsio_bus_clk>, // 3 5 + <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>; // 4 6 + clock-indices = , , + , , + ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver. + +pwm1 { + .... + clocks = <&pwm1_lpcg 4>, <&pwm1_lpcg 1>; + ^^ ^^ +should be: + + clocks = <&pwm1_lpcg IMX_LPCG_CLK_6>, <&pwm1_lpcg IMX_LPCG_CLK_1>; +}; + +Arg0 is divided by 4 in lpcg driver, so index 0 and 1 will be get by pwm +driver, which are same as IMX_LPCG_CLK_6 and IMX_LPCG_CLK_1. Even it can +work, but code logic is wrong. Fixed it by use correct indices. + +Cc: stable@vger.kernel.org +Fixes: 23fa99b205ea ("arm64: dts: freescale: imx8-ss-lsio: add support for lsio_pwm0-3") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8-ss-lsio.dtsi +@@ -25,8 +25,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d000000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm0_lpcg 4>, +- <&pwm0_lpcg 1>; ++ clocks = <&pwm0_lpcg IMX_LPCG_CLK_6>, ++ <&pwm0_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_0 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; +@@ -38,8 +38,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d010000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm1_lpcg 4>, +- <&pwm1_lpcg 1>; ++ clocks = <&pwm1_lpcg IMX_LPCG_CLK_6>, ++ <&pwm1_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_1 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; +@@ -51,8 +51,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d020000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm2_lpcg 4>, +- <&pwm2_lpcg 1>; ++ clocks = <&pwm2_lpcg IMX_LPCG_CLK_6>, ++ <&pwm2_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_2 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; +@@ -64,8 +64,8 @@ lsio_subsys: bus@5d000000 { + compatible = "fsl,imx27-pwm"; + reg = <0x5d030000 0x10000>; + clock-names = "ipg", "per"; +- clocks = <&pwm3_lpcg 4>, +- <&pwm3_lpcg 1>; ++ clocks = <&pwm3_lpcg IMX_LPCG_CLK_6>, ++ <&pwm3_lpcg IMX_LPCG_CLK_1>; + assigned-clocks = <&clk IMX_SC_R_PWM_3 IMX_SC_PM_CLK_PER>; + assigned-clock-rates = <24000000>; + #pwm-cells = <3>; diff --git a/queue-6.8/arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch b/queue-6.8/arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch new file mode 100644 index 00000000000..b60bdb292eb --- /dev/null +++ b/queue-6.8/arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch @@ -0,0 +1,64 @@ +From 00b436182138310bb8d362b912b12a9df8f72ca3 Mon Sep 17 00:00:00 2001 +From: Frank Li +Date: Mon, 1 Apr 2024 18:25:09 -0400 +Subject: arm64: dts: imx8qm-ss-dma: fix can lpcg indices + +From: Frank Li + +commit 00b436182138310bb8d362b912b12a9df8f72ca3 upstream. + +can1_lpcg: clock-controller@5ace0000 { + ... Col1 Col2 + clocks = <&clk IMX_SC_R_CAN_1 IMX_SC_PM_CLK_PER>,// 0 0 + <&dma_ipg_clk>, // 1 4 + <&dma_ipg_clk>; // 2 5 + clock-indices = , + , + ; +}; + +Col1: index, which existing dts try to get. +Col2: actual index in lpcg driver + +&flexcan2 { + clocks = <&can1_lpcg 1>, <&can1_lpcg 0>; + ^^ ^^ +Should be: + clocks = <&can1_lpcg IMX_LPCG_CLK_4>, <&can1_lpcg IMX_LPCG_CLK_0>; +}; + +Arg0 is divided by 4 in lpcg driver. So flexcan get IMX_SC_PM_CLK_PER by +<&can1_lpcg 1> and <&can1_lpcg 0>. Although function work, code logic is +wrong. Fix it by using correct clock indices. + +Cc: stable@vger.kernel.org +Fixes: be85831de020 ("arm64: dts: imx8qm: add can node in devicetree") +Signed-off-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi +@@ -127,15 +127,15 @@ + }; + + &flexcan2 { +- clocks = <&can1_lpcg 1>, +- <&can1_lpcg 0>; ++ clocks = <&can1_lpcg IMX_LPCG_CLK_4>, ++ <&can1_lpcg IMX_LPCG_CLK_0>; + assigned-clocks = <&clk IMX_SC_R_CAN_1 IMX_SC_PM_CLK_PER>; + fsl,clk-source = /bits/ 8 <1>; + }; + + &flexcan3 { +- clocks = <&can2_lpcg 1>, +- <&can2_lpcg 0>; ++ clocks = <&can2_lpcg IMX_LPCG_CLK_4>, ++ <&can2_lpcg IMX_LPCG_CLK_0>; + assigned-clocks = <&clk IMX_SC_R_CAN_2 IMX_SC_PM_CLK_PER>; + fsl,clk-source = /bits/ 8 <1>; + }; diff --git a/queue-6.8/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch b/queue-6.8/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch new file mode 100644 index 00000000000..e19bf184997 --- /dev/null +++ b/queue-6.8/btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch @@ -0,0 +1,65 @@ +From 211de93367304ab395357f8cb12568a4d1e20701 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:18:39 -0700 +Subject: btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans + +From: Boris Burkov + +commit 211de93367304ab395357f8cb12568a4d1e20701 upstream. + +The transaction is only able to free PERTRANS reservations for a root +once that root has been recorded with the TRANS tag on the roots radix +tree. Therefore, until we are sure that this root will get tagged, it +isn't safe to convert. Generally, this is not an issue as *some* +transaction will likely tag the root before long and this reservation +will get freed in that transaction, but technically it could stick +around until unmount and result in a warning about leaked metadata +reservation space. + +This path is most exercised by running the generic/269 fstest with +CONFIG_BTRFS_DEBUG. + +Fixes: a6496849671a ("btrfs: fix start transaction qgroup rsv double free") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -747,14 +747,6 @@ again: + h->reloc_reserved = reloc_reserved; + } + +- /* +- * Now that we have found a transaction to be a part of, convert the +- * qgroup reservation from prealloc to pertrans. A different transaction +- * can't race in and free our pertrans out from under us. +- */ +- if (qgroup_reserved) +- btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); +- + got_it: + if (!current->journal_info) + current->journal_info = h; +@@ -788,8 +780,15 @@ got_it: + * not just freed. + */ + btrfs_end_transaction(h); +- return ERR_PTR(ret); ++ goto reserve_fail; + } ++ /* ++ * Now that we have found a transaction to be a part of, convert the ++ * qgroup reservation from prealloc to pertrans. A different transaction ++ * can't race in and free our pertrans out from under us. ++ */ ++ if (qgroup_reserved) ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); + + return h; + diff --git a/queue-6.8/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch b/queue-6.8/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch new file mode 100644 index 00000000000..8ca6ccef70e --- /dev/null +++ b/queue-6.8/btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch @@ -0,0 +1,38 @@ +From 141fb8cd206ace23c02cd2791c6da52c1d77d42a Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Tue, 19 Mar 2024 10:54:22 -0700 +Subject: btrfs: qgroup: correctly model root qgroup rsv in convert + +From: Boris Burkov + +commit 141fb8cd206ace23c02cd2791c6da52c1d77d42a upstream. + +We use add_root_meta_rsv and sub_root_meta_rsv to track prealloc and +pertrans reservations for subvolumes when quotas are enabled. The +convert function does not properly increment pertrans after decrementing +prealloc, so the count is not accurate. + +Note: we check that the fs is not read-only to mirror the logic in +qgroup_convert_meta, which checks that before adding to the pertrans rsv. + +Fixes: 8287475a2055 ("btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4432,6 +4432,8 @@ void btrfs_qgroup_convert_reserved_meta( + BTRFS_QGROUP_RSV_META_PREALLOC); + trace_qgroup_meta_convert(root, num_bytes); + qgroup_convert_meta(fs_info, root->root_key.objectid, num_bytes); ++ if (!sb_rdonly(fs_info->sb)) ++ add_root_meta_rsv(root, num_bytes, BTRFS_QGROUP_RSV_META_PERTRANS); + } + + /* diff --git a/queue-6.8/btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch b/queue-6.8/btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch new file mode 100644 index 00000000000..6f497043674 --- /dev/null +++ b/queue-6.8/btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch @@ -0,0 +1,226 @@ +From 74e97958121aa1f5854da6effba70143f051b0cd Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:02:04 -0700 +Subject: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations + +From: Boris Burkov + +commit 74e97958121aa1f5854da6effba70143f051b0cd upstream. + +Create subvolume, create snapshot and delete subvolume all use +btrfs_subvolume_reserve_metadata() to reserve metadata for the changes +done to the parent subvolume's fs tree, which cannot be mediated in the +normal way via start_transaction. When quota groups (squota or qgroups) +are enabled, this reserves qgroup metadata of type PREALLOC. Once the +operation is associated to a transaction, we convert PREALLOC to +PERTRANS, which gets cleared in bulk at the end of the transaction. + +However, the error paths of these three operations were not implementing +this lifecycle correctly. They unconditionally converted the PREALLOC to +PERTRANS in a generic cleanup step regardless of errors or whether the +operation was fully associated to a transaction or not. This resulted in +error paths occasionally converting this rsv to PERTRANS without calling +record_root_in_trans successfully, which meant that unless that root got +recorded in the transaction by some other thread, the end of the +transaction would not free that root's PERTRANS, leaking it. Ultimately, +this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount +for the leaked reservation. + +The fix is to ensure that every qgroup PREALLOC reservation observes the +following properties: + +1. any failure before record_root_in_trans is called successfully + results in freeing the PREALLOC reservation. +2. after record_root_in_trans, we convert to PERTRANS, and now the + transaction owns freeing the reservation. + +This patch enforces those properties on the three operations. Without +it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 +runs on my system. With this patch, it ran successfully 1000 times in a +row. + +Fixes: e85fde5162bf ("btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 13 ++++++++++++- + fs/btrfs/ioctl.c | 37 ++++++++++++++++++++++++++++--------- + fs/btrfs/root-tree.c | 10 ---------- + fs/btrfs/root-tree.h | 2 -- + 4 files changed, 40 insertions(+), 22 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4476,6 +4476,7 @@ int btrfs_delete_subvolume(struct btrfs_ + struct btrfs_trans_handle *trans; + struct btrfs_block_rsv block_rsv; + u64 root_flags; ++ u64 qgroup_reserved = 0; + int ret; + + down_write(&fs_info->subvol_sem); +@@ -4520,12 +4521,20 @@ int btrfs_delete_subvolume(struct btrfs_ + ret = btrfs_subvolume_reserve_metadata(root, &block_rsv, 5, true); + if (ret) + goto out_undead; ++ qgroup_reserved = block_rsv.qgroup_rsv_reserved; + + trans = btrfs_start_transaction(root, 0); + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); + goto out_release; + } ++ ret = btrfs_record_root_in_trans(trans, root); ++ if (ret) { ++ btrfs_abort_transaction(trans, ret); ++ goto out_end_trans; ++ } ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); ++ qgroup_reserved = 0; + trans->block_rsv = &block_rsv; + trans->bytes_reserved = block_rsv.size; + +@@ -4584,7 +4593,9 @@ out_end_trans: + ret = btrfs_end_transaction(trans); + inode->i_flags |= S_DEAD; + out_release: +- btrfs_subvolume_release_metadata(root, &block_rsv); ++ btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL); ++ if (qgroup_reserved) ++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); + out_undead: + if (ret) { + spin_lock(&dest->root_item_lock); +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -603,6 +603,7 @@ static noinline int create_subvol(struct + int ret; + dev_t anon_dev; + u64 objectid; ++ u64 qgroup_reserved = 0; + + root_item = kzalloc(sizeof(*root_item), GFP_KERNEL); + if (!root_item) +@@ -640,13 +641,18 @@ static noinline int create_subvol(struct + trans_num_items, false); + if (ret) + goto out_new_inode_args; ++ qgroup_reserved = block_rsv.qgroup_rsv_reserved; + + trans = btrfs_start_transaction(root, 0); + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); +- btrfs_subvolume_release_metadata(root, &block_rsv); +- goto out_new_inode_args; ++ goto out_release_rsv; + } ++ ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root); ++ if (ret) ++ goto out; ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); ++ qgroup_reserved = 0; + trans->block_rsv = &block_rsv; + trans->bytes_reserved = block_rsv.size; + /* Tree log can't currently deal with an inode which is a new root. */ +@@ -757,9 +763,11 @@ static noinline int create_subvol(struct + out: + trans->block_rsv = NULL; + trans->bytes_reserved = 0; +- btrfs_subvolume_release_metadata(root, &block_rsv); +- + btrfs_end_transaction(trans); ++out_release_rsv: ++ btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL); ++ if (qgroup_reserved) ++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); + out_new_inode_args: + btrfs_new_inode_args_destroy(&new_inode_args); + out_inode: +@@ -781,6 +789,8 @@ static int create_snapshot(struct btrfs_ + struct btrfs_pending_snapshot *pending_snapshot; + unsigned int trans_num_items; + struct btrfs_trans_handle *trans; ++ struct btrfs_block_rsv *block_rsv; ++ u64 qgroup_reserved = 0; + int ret; + + /* We do not support snapshotting right now. */ +@@ -817,19 +827,19 @@ static int create_snapshot(struct btrfs_ + goto free_pending; + } + +- btrfs_init_block_rsv(&pending_snapshot->block_rsv, +- BTRFS_BLOCK_RSV_TEMP); ++ block_rsv = &pending_snapshot->block_rsv; ++ btrfs_init_block_rsv(block_rsv, BTRFS_BLOCK_RSV_TEMP); + /* + * 1 to add dir item + * 1 to add dir index + * 1 to update parent inode item + */ + trans_num_items = create_subvol_num_items(inherit) + 3; +- ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root, +- &pending_snapshot->block_rsv, ++ ret = btrfs_subvolume_reserve_metadata(BTRFS_I(dir)->root, block_rsv, + trans_num_items, false); + if (ret) + goto free_pending; ++ qgroup_reserved = block_rsv->qgroup_rsv_reserved; + + pending_snapshot->dentry = dentry; + pending_snapshot->root = root; +@@ -842,6 +852,13 @@ static int create_snapshot(struct btrfs_ + ret = PTR_ERR(trans); + goto fail; + } ++ ret = btrfs_record_root_in_trans(trans, BTRFS_I(dir)->root); ++ if (ret) { ++ btrfs_end_transaction(trans); ++ goto fail; ++ } ++ btrfs_qgroup_convert_reserved_meta(root, qgroup_reserved); ++ qgroup_reserved = 0; + + trans->pending_snapshot = pending_snapshot; + +@@ -871,7 +888,9 @@ fail: + if (ret && pending_snapshot->snap) + pending_snapshot->snap->anon_dev = 0; + btrfs_put_root(pending_snapshot->snap); +- btrfs_subvolume_release_metadata(root, &pending_snapshot->block_rsv); ++ btrfs_block_rsv_release(fs_info, block_rsv, (u64)-1, NULL); ++ if (qgroup_reserved) ++ btrfs_qgroup_free_meta_prealloc(root, qgroup_reserved); + free_pending: + if (pending_snapshot->anon_dev) + free_anon_bdev(pending_snapshot->anon_dev); +--- a/fs/btrfs/root-tree.c ++++ b/fs/btrfs/root-tree.c +@@ -539,13 +539,3 @@ int btrfs_subvolume_reserve_metadata(str + } + return ret; + } +- +-void btrfs_subvolume_release_metadata(struct btrfs_root *root, +- struct btrfs_block_rsv *rsv) +-{ +- struct btrfs_fs_info *fs_info = root->fs_info; +- u64 qgroup_to_release; +- +- btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); +- btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); +-} +--- a/fs/btrfs/root-tree.h ++++ b/fs/btrfs/root-tree.h +@@ -8,8 +8,6 @@ struct fscrypt_str; + int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, + struct btrfs_block_rsv *rsv, + int nitems, bool use_global_rsv); +-void btrfs_subvolume_release_metadata(struct btrfs_root *root, +- struct btrfs_block_rsv *rsv); + int btrfs_add_root_ref(struct btrfs_trans_handle *trans, u64 root_id, + u64 ref_id, u64 dirid, u64 sequence, + const struct fscrypt_str *name); diff --git a/queue-6.8/btrfs-record-delayed-inode-root-in-transaction.patch b/queue-6.8/btrfs-record-delayed-inode-root-in-transaction.patch new file mode 100644 index 00000000000..6cef1debc4d --- /dev/null +++ b/queue-6.8/btrfs-record-delayed-inode-root-in-transaction.patch @@ -0,0 +1,36 @@ +From 71537e35c324ea6fbd68377a4f26bb93a831ae35 Mon Sep 17 00:00:00 2001 +From: Boris Burkov +Date: Thu, 21 Mar 2024 10:14:24 -0700 +Subject: btrfs: record delayed inode root in transaction + +From: Boris Burkov + +commit 71537e35c324ea6fbd68377a4f26bb93a831ae35 upstream. + +When running delayed inode updates, we do not record the inode's root in +the transaction, but we do allocate PREALLOC and thus converted PERTRANS +space for it. To be sure we free that PERTRANS meta rsv, we must ensure +that we record the root in the transaction. + +Fixes: 4f5427ccce5d ("btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/delayed-inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -1128,6 +1128,9 @@ __btrfs_commit_inode_delayed_items(struc + if (ret) + return ret; + ++ ret = btrfs_record_root_in_trans(trans, node->root); ++ if (ret) ++ return ret; + ret = btrfs_update_delayed_inode(trans, node->root, path, node); + return ret; + } diff --git a/queue-6.8/drm-amdgpu-umsch-reinitialize-write-pointer-in-hw-init.patch b/queue-6.8/drm-amdgpu-umsch-reinitialize-write-pointer-in-hw-init.patch new file mode 100644 index 00000000000..1f9da77822f --- /dev/null +++ b/queue-6.8/drm-amdgpu-umsch-reinitialize-write-pointer-in-hw-init.patch @@ -0,0 +1,32 @@ +From 0f1bbcc2bab25d5fb2dfb1ee3e08131437690d3d Mon Sep 17 00:00:00 2001 +From: Lang Yu +Date: Mon, 25 Mar 2024 13:24:31 +0800 +Subject: drm/amdgpu/umsch: reinitialize write pointer in hw init + +From: Lang Yu + +commit 0f1bbcc2bab25d5fb2dfb1ee3e08131437690d3d upstream. + +Otherwise the old one will be used during GPU reset. +That's not expected. + +Signed-off-by: Lang Yu +Reviewed-by: Feifei Xu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/umsch_mm_v4_0.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/umsch_mm_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/umsch_mm_v4_0.c +@@ -225,6 +225,8 @@ static int umsch_mm_v4_0_ring_start(stru + + WREG32_SOC15(VCN, 0, regVCN_UMSCH_RB_SIZE, ring->ring_size); + ++ ring->wptr = 0; ++ + data = RREG32_SOC15(VCN, 0, regVCN_RB_ENABLE); + data &= ~(VCN_RB_ENABLE__AUDIO_RB_EN_MASK); + WREG32_SOC15(VCN, 0, regVCN_RB_ENABLE, data); diff --git a/queue-6.8/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch b/queue-6.8/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch new file mode 100644 index 00000000000..4c8e4b345be --- /dev/null +++ b/queue-6.8/drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch @@ -0,0 +1,35 @@ +From 8bdfb4ea95ca738d33ef71376c21eba20130f2eb Mon Sep 17 00:00:00 2001 +From: Harish Kasiviswanathan +Date: Tue, 26 Mar 2024 15:32:46 -0400 +Subject: drm/amdkfd: Reset GPU on queue preemption failure + +From: Harish Kasiviswanathan + +commit 8bdfb4ea95ca738d33ef71376c21eba20130f2eb upstream. + +Currently, with F32 HWS GPU reset is only when unmap queue fails. + +However, if compute queue doesn't repond to preemption request in time +unmap will return without any error. In this case, only preemption error +is logged and Reset is not triggered. Call GPU reset in this case also. + +Reviewed-by: Alex Deucher +Signed-off-by: Harish Kasiviswanathan +Reviewed-by: Mukul Joshi +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1997,6 +1997,7 @@ static int unmap_queues_cpsch(struct dev + dev_err(dev, "HIQ MQD's queue_doorbell_id0 is not 0, Queue preemption time out\n"); + while (halt_if_hws_hang) + schedule(); ++ kfd_hws_hang(dqm); + return -ETIME; + } + diff --git a/queue-6.8/drm-ast-fix-soft-lockup.patch b/queue-6.8/drm-ast-fix-soft-lockup.patch new file mode 100644 index 00000000000..d28e803ea22 --- /dev/null +++ b/queue-6.8/drm-ast-fix-soft-lockup.patch @@ -0,0 +1,58 @@ +From bc004f5038220b1891ef4107134ccae44be55109 Mon Sep 17 00:00:00 2001 +From: Jammy Huang +Date: Wed, 3 Apr 2024 17:02:46 +0800 +Subject: drm/ast: Fix soft lockup + +From: Jammy Huang + +commit bc004f5038220b1891ef4107134ccae44be55109 upstream. + +There is a while-loop in ast_dp_set_on_off() that could lead to +infinite-loop. This is because the register, VGACRI-Dx, checked in +this API is a scratch register actually controlled by a MCU, named +DPMCU, in BMC. + +These scratch registers are protected by scu-lock. If suc-lock is not +off, DPMCU can not update these registers and then host will have soft +lockup due to never updated status. + +DPMCU is used to control DP and relative registers to handshake with +host's VGA driver. Even the most time-consuming task, DP's link +training, is less than 100ms. 200ms should be enough. + +Signed-off-by: Jammy Huang +Fixes: 594e9c04b586 ("drm/ast: Create the driver for ASPEED proprietory Display-Port") +Reviewed-by: Jocelyn Falempe +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Cc: KuoHsiang Chou +Cc: Thomas Zimmermann +Cc: Dave Airlie +Cc: Jocelyn Falempe +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.19+ +Link: https://patchwork.freedesktop.org/patch/msgid/20240403090246.1495487-1-jammy_huang@aspeedtech.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_dp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/ast/ast_dp.c ++++ b/drivers/gpu/drm/ast/ast_dp.c +@@ -180,6 +180,7 @@ void ast_dp_set_on_off(struct drm_device + { + struct ast_device *ast = to_ast_device(dev); + u8 video_on_off = on; ++ u32 i = 0; + + // Video On/Off + ast_set_index_reg_mask(ast, AST_IO_VGACRI, 0xE3, (u8) ~AST_DP_VIDEO_ENABLE, on); +@@ -192,6 +193,8 @@ void ast_dp_set_on_off(struct drm_device + ASTDP_MIRROR_VIDEO_ENABLE) != video_on_off) { + // wait 1 ms + mdelay(1); ++ if (++i > 200) ++ break; + } + } + } diff --git a/queue-6.8/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch b/queue-6.8/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch new file mode 100644 index 00000000000..14e95ed0e52 --- /dev/null +++ b/queue-6.8/drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch @@ -0,0 +1,56 @@ +From 3eadd887dbac1df8f25f701e5d404d1b90fd0fea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 4 Apr 2024 23:33:25 +0300 +Subject: drm/client: Fully protect modes[] with dev->mode_config.mutex +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream. + +The modes[] array contains pointers to modes on the connectors' +mode lists, which are protected by dev->mode_config.mutex. +Thus we need to extend modes[] the same protection or by the +time we use it the elements may already be pointing to +freed/reused memory. + +Cc: stable@vger.kernel.org +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.syrjala@linux.intel.com +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Jani Nikula +Reviewed-by: Thomas Zimmermann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -777,6 +777,7 @@ int drm_client_modeset_probe(struct drm_ + unsigned int total_modes_count = 0; + struct drm_client_offset *offsets; + unsigned int connector_count = 0; ++ /* points to modes protected by mode_config.mutex */ + struct drm_display_mode **modes; + struct drm_crtc **crtcs; + int i, ret = 0; +@@ -845,7 +846,6 @@ int drm_client_modeset_probe(struct drm_ + drm_client_pick_crtcs(client, connectors, connector_count, + crtcs, modes, 0, width, height); + } +- mutex_unlock(&dev->mode_config.mutex); + + drm_client_modeset_release(client); + +@@ -875,6 +875,7 @@ int drm_client_modeset_probe(struct drm_ + modeset->y = offset->y; + } + } ++ mutex_unlock(&dev->mode_config.mutex); + + mutex_unlock(&client->modeset_mutex); + out: diff --git a/queue-6.8/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch b/queue-6.8/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch new file mode 100644 index 00000000000..46009ef75d4 --- /dev/null +++ b/queue-6.8/drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch @@ -0,0 +1,46 @@ +From dcd8992e47f13afb5c11a61e8d9c141c35e23751 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 5 Apr 2024 00:34:29 +0300 +Subject: drm/i915/vrr: Disable VRR when using bigjoiner +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit dcd8992e47f13afb5c11a61e8d9c141c35e23751 upstream. + +All joined pipes share the same transcoder/timing generator. +Currently we just do the commits per-pipe, which doesn't really +work if we need to change switch between non-VRR and VRR timings +generators on the fly, or even when sending the push to the +transcoder. For now just disable VRR when bigjoiner is needed. + +Cc: stable@vger.kernel.org +Tested-by: Vidya Srinivas +Reviewed-by: Vandita Kulkarni +Link: https://patchwork.freedesktop.org/patch/msgid/20240404213441.17637-6-ville.syrjala@linux.intel.com +Signed-off-by: Ville Syrjälä +(cherry picked from commit f9d5e51db65652dbd8a2102fd7619440e3599fd2) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_vrr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_vrr.c ++++ b/drivers/gpu/drm/i915/display/intel_vrr.c +@@ -117,6 +117,13 @@ intel_vrr_compute_config(struct intel_cr + const struct drm_display_info *info = &connector->base.display_info; + int vmin, vmax; + ++ /* ++ * FIXME all joined pipes share the same transcoder. ++ * Need to account for that during VRR toggle/push/etc. ++ */ ++ if (crtc_state->bigjoiner_pipes) ++ return; ++ + if (adjusted_mode->flags & DRM_MODE_FLAG_INTERLACE) + return; + diff --git a/queue-6.8/drm-msm-dp-fix-runtime-pm-leak-on-connect-failure.patch b/queue-6.8/drm-msm-dp-fix-runtime-pm-leak-on-connect-failure.patch new file mode 100644 index 00000000000..6aa7d742aa1 --- /dev/null +++ b/queue-6.8/drm-msm-dp-fix-runtime-pm-leak-on-connect-failure.patch @@ -0,0 +1,36 @@ +From e86750b01a1560f198e4b3e21bb3f78bfd5bb2c3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Mar 2024 17:43:06 +0100 +Subject: drm/msm/dp: fix runtime PM leak on connect failure + +From: Johan Hovold + +commit e86750b01a1560f198e4b3e21bb3f78bfd5bb2c3 upstream. + +Make sure to balance the runtime PM usage counter (and suspend) before +returning on connect failures (e.g. DPCD read failures after a spurious +connect event or if link training fails). + +Fixes: 5814b8bf086a ("drm/msm/dp: incorporate pm_runtime framework into DP driver") +Cc: stable@vger.kernel.org # 6.8 +Cc: Kuogee Hsieh +Signed-off-by: Johan Hovold +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/582746/ +Link: https://lore.kernel.org/r/20240313164306.23133-3-johan+linaro@kernel.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/dp/dp_display.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -598,6 +598,7 @@ static int dp_hpd_plug_handle(struct dp_ + ret = dp_display_usbpd_configure_cb(&pdev->dev); + if (ret) { /* link train failed */ + dp->hpd_state = ST_DISCONNECTED; ++ pm_runtime_put_sync(&pdev->dev); + } else { + dp->hpd_state = ST_MAINLINK_READY; + } diff --git a/queue-6.8/drm-msm-dp-fix-runtime-pm-leak-on-disconnect.patch b/queue-6.8/drm-msm-dp-fix-runtime-pm-leak-on-disconnect.patch new file mode 100644 index 00000000000..073db124b19 --- /dev/null +++ b/queue-6.8/drm-msm-dp-fix-runtime-pm-leak-on-disconnect.patch @@ -0,0 +1,39 @@ +From 0640f47b742667fca6aac174f7cd62b6c2c7532c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Mar 2024 17:43:05 +0100 +Subject: drm/msm/dp: fix runtime PM leak on disconnect + +From: Johan Hovold + +commit 0640f47b742667fca6aac174f7cd62b6c2c7532c upstream. + +Make sure to put the runtime PM usage count (and suspend) also when +receiving a disconnect event while in the ST_MAINLINK_READY state. + +This specifically avoids leaking a runtime PM usage count on every +disconnect with display servers that do not automatically enable +external displays when receiving a hotplug notification. + +Fixes: 5814b8bf086a ("drm/msm/dp: incorporate pm_runtime framework into DP driver") +Cc: stable@vger.kernel.org # 6.8 +Cc: Kuogee Hsieh +Signed-off-by: Johan Hovold +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/582744/ +Link: https://lore.kernel.org/r/20240313164306.23133-2-johan+linaro@kernel.org +Signed-off-by: Abhinav Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/dp/dp_display.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -655,6 +655,7 @@ static int dp_hpd_unplug_handle(struct d + dp_display_host_phy_exit(dp); + dp->hpd_state = ST_DISCONNECTED; + dp_display_notify_disconnect(&dp->dp_display.pdev->dev); ++ pm_runtime_put_sync(&pdev->dev); + mutex_unlock(&dp->event_mutex); + return 0; + } diff --git a/queue-6.8/drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch b/queue-6.8/drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch new file mode 100644 index 00000000000..4dad40c4d3a --- /dev/null +++ b/queue-6.8/drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch @@ -0,0 +1,70 @@ +From 1fc9af813b25e146d3607669247d0f970f5a87c3 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 5 Jan 2024 21:46:11 +0300 +Subject: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() + +From: Boris Brezillon + +commit 1fc9af813b25e146d3607669247d0f970f5a87c3 upstream. + +Subject: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() + +If some the pages or sgt allocation failed, we shouldn't release the +pages ref we got earlier, otherwise we will end up with unbalanced +get/put_pages() calls. We should instead leave everything in place +and let the BO release function deal with extra cleanup when the object +is destroyed, or let the fault handler try again next time it's called. + +Fixes: 187d2929206e ("drm/panfrost: Add support for GPU heap allocations") +Cc: +Reviewed-by: Steven Price +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Boris Brezillon +Co-developed-by: Dmitry Osipenko +Signed-off-by: Dmitry Osipenko +Link: https://patchwork.freedesktop.org/patch/msgid/20240105184624.508603-18-dmitry.osipenko@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panfrost/panfrost_mmu.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c ++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c +@@ -502,11 +502,18 @@ static int panfrost_mmu_map_fault_addr(s + mapping_set_unevictable(mapping); + + for (i = page_offset; i < page_offset + NUM_FAULT_PAGES; i++) { ++ /* Can happen if the last fault only partially filled this ++ * section of the pages array before failing. In that case ++ * we skip already filled pages. ++ */ ++ if (pages[i]) ++ continue; ++ + pages[i] = shmem_read_mapping_page(mapping, i); + if (IS_ERR(pages[i])) { + ret = PTR_ERR(pages[i]); + pages[i] = NULL; +- goto err_pages; ++ goto err_unlock; + } + } + +@@ -514,7 +521,7 @@ static int panfrost_mmu_map_fault_addr(s + ret = sg_alloc_table_from_pages(sgt, pages + page_offset, + NUM_FAULT_PAGES, 0, SZ_2M, GFP_KERNEL); + if (ret) +- goto err_pages; ++ goto err_unlock; + + ret = dma_map_sgtable(pfdev->dev, sgt, DMA_BIDIRECTIONAL, 0); + if (ret) +@@ -537,8 +544,6 @@ out: + + err_map: + sg_free_table(sgt); +-err_pages: +- drm_gem_shmem_put_pages(&bo->base); + err_unlock: + dma_resv_unlock(obj->resv); + err_bo: diff --git a/queue-6.8/drm-vmwgfx-enable-dma-mappings-with-sev.patch b/queue-6.8/drm-vmwgfx-enable-dma-mappings-with-sev.patch new file mode 100644 index 00000000000..45f28874ee7 --- /dev/null +++ b/queue-6.8/drm-vmwgfx-enable-dma-mappings-with-sev.patch @@ -0,0 +1,49 @@ +From 4c08f01934ab67d1d283d5cbaa52b923abcfe4cd Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Sun, 7 Apr 2024 22:28:02 -0400 +Subject: drm/vmwgfx: Enable DMA mappings with SEV + +From: Zack Rusin + +commit 4c08f01934ab67d1d283d5cbaa52b923abcfe4cd upstream. + +Enable DMA mappings in vmwgfx after TTM has been fixed in commit +3bf3710e3718 ("drm/ttm: Add a generic TTM memcpy move for page-based iomem") + +This enables full guest-backed memory support and in particular allows +usage of screen targets as the presentation mechanism. + +Signed-off-by: Zack Rusin +Reported-by: Ye Li +Tested-by: Ye Li +Fixes: 3b0d6458c705 ("drm/vmwgfx: Refuse DMA operation when SEV encryption is active") +Cc: Broadcom internal kernel review list +Cc: dri-devel@lists.freedesktop.org +Cc: # v6.6+ +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20240408022802.358641-1-zack.rusin@broadcom.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -666,11 +666,12 @@ static int vmw_dma_select_mode(struct vm + [vmw_dma_map_populate] = "Caching DMA mappings.", + [vmw_dma_map_bind] = "Giving up DMA mappings early."}; + +- /* TTM currently doesn't fully support SEV encryption. */ +- if (cc_platform_has(CC_ATTR_MEM_ENCRYPT)) +- return -EINVAL; +- +- if (vmw_force_coherent) ++ /* ++ * When running with SEV we always want dma mappings, because ++ * otherwise ttm tt pool pages will bounce through swiotlb running ++ * out of available space. ++ */ ++ if (vmw_force_coherent || cc_platform_has(CC_ATTR_MEM_ENCRYPT)) + dev_priv->map_mode = vmw_dma_alloc_coherent; + else if (vmw_restrict_iommu) + dev_priv->map_mode = vmw_dma_map_bind; diff --git a/queue-6.8/fs-proc-remove-redundant-comments-from-proc-bootconfig.patch b/queue-6.8/fs-proc-remove-redundant-comments-from-proc-bootconfig.patch new file mode 100644 index 00000000000..481fcf68f2a --- /dev/null +++ b/queue-6.8/fs-proc-remove-redundant-comments-from-proc-bootconfig.patch @@ -0,0 +1,72 @@ +From fbbdc255fbee59b4207a5398fdb4f04590681a79 Mon Sep 17 00:00:00 2001 +From: Zhenhua Huang +Date: Mon, 8 Apr 2024 21:43:57 -0700 +Subject: fs/proc: remove redundant comments from /proc/bootconfig + +From: Zhenhua Huang + +commit fbbdc255fbee59b4207a5398fdb4f04590681a79 upstream. + +commit 717c7c894d4b ("fs/proc: Add boot loader arguments as comment to +/proc/bootconfig") adds bootloader argument comments into /proc/bootconfig. + +/proc/bootconfig shows boot_command_line[] multiple times following +every xbc key value pair, that's duplicated and not necessary. +Remove redundant ones. + +Output before and after the fix is like: +key1 = value1 +*bootloader argument comments* +key2 = value2 +*bootloader argument comments* +key3 = value3 +*bootloader argument comments* +... + +key1 = value1 +key2 = value2 +key3 = value3 +*bootloader argument comments* +... + +Link: https://lore.kernel.org/all/20240409044358.1156477-1-paulmck@kernel.org/ + +Fixes: 717c7c894d4b ("fs/proc: Add boot loader arguments as comment to /proc/bootconfig") +Signed-off-by: Zhenhua Huang +Signed-off-by: Paul E. McKenney +Cc: +Cc: +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/bootconfig.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/proc/bootconfig.c b/fs/proc/bootconfig.c +index 902b326e1e56..e5635a6b127b 100644 +--- a/fs/proc/bootconfig.c ++++ b/fs/proc/bootconfig.c +@@ -62,12 +62,12 @@ static int __init copy_xbc_key_value_list(char *dst, size_t size) + break; + dst += ret; + } +- if (ret >= 0 && boot_command_line[0]) { +- ret = snprintf(dst, rest(dst, end), "# Parameters from bootloader:\n# %s\n", +- boot_command_line); +- if (ret > 0) +- dst += ret; +- } ++ } ++ if (ret >= 0 && boot_command_line[0]) { ++ ret = snprintf(dst, rest(dst, end), "# Parameters from bootloader:\n# %s\n", ++ boot_command_line); ++ if (ret > 0) ++ dst += ret; + } + out: + kfree(key); +-- +2.44.0 + diff --git a/queue-6.8/fs-proc-skip-bootloader-comment-if-no-embedded-kernel-parameters.patch b/queue-6.8/fs-proc-skip-bootloader-comment-if-no-embedded-kernel-parameters.patch new file mode 100644 index 00000000000..04c8fffcd6d --- /dev/null +++ b/queue-6.8/fs-proc-skip-bootloader-comment-if-no-embedded-kernel-parameters.patch @@ -0,0 +1,66 @@ +From c722cea208789d9e2660992bcd05fb9fac3adb56 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Mon, 8 Apr 2024 21:43:58 -0700 +Subject: fs/proc: Skip bootloader comment if no embedded kernel parameters + +From: Masami Hiramatsu + +commit c722cea208789d9e2660992bcd05fb9fac3adb56 upstream. + +If the "bootconfig" kernel command-line argument was specified or if +the kernel was built with CONFIG_BOOT_CONFIG_FORCE, but if there are +no embedded kernel parameter, omit the "# Parameters from bootloader:" +comment from the /proc/bootconfig file. This will cause automation +to fall back to the /proc/cmdline file, which will be identical to the +comment in this no-embedded-kernel-parameters case. + +Link: https://lore.kernel.org/all/20240409044358.1156477-2-paulmck@kernel.org/ + +Fixes: 8b8ce6c75430 ("fs/proc: remove redundant comments from /proc/bootconfig") +Signed-off-by: Masami Hiramatsu +Signed-off-by: Paul E. McKenney +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/bootconfig.c | 2 +- + include/linux/bootconfig.h | 1 + + init/main.c | 5 +++++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/proc/bootconfig.c ++++ b/fs/proc/bootconfig.c +@@ -63,7 +63,7 @@ static int __init copy_xbc_key_value_lis + dst += ret; + } + } +- if (ret >= 0 && boot_command_line[0]) { ++ if (cmdline_has_extra_options() && ret >= 0 && boot_command_line[0]) { + ret = snprintf(dst, rest(dst, end), "# Parameters from bootloader:\n# %s\n", + boot_command_line); + if (ret > 0) +--- a/include/linux/bootconfig.h ++++ b/include/linux/bootconfig.h +@@ -10,6 +10,7 @@ + #ifdef __KERNEL__ + #include + #include ++bool __init cmdline_has_extra_options(void); + #else /* !__KERNEL__ */ + /* + * NOTE: This is only for tools/bootconfig, because tools/bootconfig will +--- a/init/main.c ++++ b/init/main.c +@@ -485,6 +485,11 @@ static int __init warn_bootconfig(char * + + early_param("bootconfig", warn_bootconfig); + ++bool __init cmdline_has_extra_options(void) ++{ ++ return extra_command_line || extra_init_args; ++} ++ + /* Change NUL term back to "=", to make "param" the whole string. */ + static void __init repair_env_string(char *param, char *val) + { diff --git a/queue-6.8/io_uring-net-restore-msg_control-on-sendzc-retry.patch b/queue-6.8/io_uring-net-restore-msg_control-on-sendzc-retry.patch new file mode 100644 index 00000000000..533dcebbd71 --- /dev/null +++ b/queue-6.8/io_uring-net-restore-msg_control-on-sendzc-retry.patch @@ -0,0 +1,35 @@ +From 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 8 Apr 2024 18:11:09 +0100 +Subject: io_uring/net: restore msg_control on sendzc retry + +From: Pavel Begunkov + +commit 4fe82aedeb8a8cb09bfa60f55ab57b5c10a74ac4 upstream. + +cac9e4418f4cb ("io_uring/net: save msghdr->msg_control for retries") +reinstatiates msg_control before every __sys_sendmsg_sock(), since the +function can overwrite the value in msghdr. We need to do same for +zerocopy sendmsg. + +Cc: stable@vger.kernel.org +Fixes: 493108d95f146 ("io_uring/net: zerocopy sendmsg") +Link: https://github.com/axboe/liburing/issues/1067 +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/cc1d5d9df0576fa66ddad4420d240a98a020b267.1712596179.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1255,6 +1255,7 @@ int io_sendmsg_zc(struct io_kiocb *req, + + if (req_has_async_data(req)) { + kmsg = req->async_data; ++ kmsg->msg.msg_control_user = sr->msg_control; + } else { + ret = io_sendmsg_copy_hdr(req, &iomsg); + if (ret) diff --git a/queue-6.8/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch b/queue-6.8/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch new file mode 100644 index 00000000000..72855b70dbc --- /dev/null +++ b/queue-6.8/kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch @@ -0,0 +1,74 @@ +From 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Wed, 10 Apr 2024 09:58:02 +0800 +Subject: kprobes: Fix possible use-after-free issue on kprobe registration + +From: Zheng Yejian + +commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream. + +When unloading a module, its state is changing MODULE_STATE_LIVE -> + MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take +a time. `is_module_text_address()` and `__module_text_address()` +works with MODULE_STATE_LIVE and MODULE_STATE_GOING. +If we use `is_module_text_address()` and `__module_text_address()` +separately, there is a chance that the first one is succeeded but the +next one is failed because module->state becomes MODULE_STATE_UNFORMED +between those operations. + +In `check_kprobe_address_safe()`, if the second `__module_text_address()` +is failed, that is ignored because it expected a kernel_text address. +But it may have failed simply because module->state has been changed +to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify +non-exist module text address (use-after-free). + +To fix this problem, we should not use separated `is_module_text_address()` +and `__module_text_address()`, but use only `__module_text_address()` +once and do `try_module_get(module)` which is only available with +MODULE_STATE_LIVE. + +Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/ + +Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas") +Cc: stable@vger.kernel.org +Signed-off-by: Zheng Yejian +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kprobes.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1567,10 +1567,17 @@ static int check_kprobe_address_safe(str + jump_label_lock(); + preempt_disable(); + +- /* Ensure it is not in reserved area nor out of text */ +- if (!(core_kernel_text((unsigned long) p->addr) || +- is_module_text_address((unsigned long) p->addr)) || +- in_gate_area_no_mm((unsigned long) p->addr) || ++ /* Ensure the address is in a text area, and find a module if exists. */ ++ *probed_mod = NULL; ++ if (!core_kernel_text((unsigned long) p->addr)) { ++ *probed_mod = __module_text_address((unsigned long) p->addr); ++ if (!(*probed_mod)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ } ++ /* Ensure it is not in reserved area. */ ++ if (in_gate_area_no_mm((unsigned long) p->addr) || + within_kprobe_blacklist((unsigned long) p->addr) || + jump_label_text_reserved(p->addr, p->addr) || + static_call_text_reserved(p->addr, p->addr) || +@@ -1580,8 +1587,7 @@ static int check_kprobe_address_safe(str + goto out; + } + +- /* Check if 'p' is probing a module. */ +- *probed_mod = __module_text_address((unsigned long) p->addr); ++ /* Get module refcount and reject __init functions for loaded modules. */ + if (*probed_mod) { + /* + * We must hold a refcount of the probed module while updating diff --git a/queue-6.8/perf-x86-fix-out-of-range-data.patch b/queue-6.8/perf-x86-fix-out-of-range-data.patch new file mode 100644 index 00000000000..af5f4762cf5 --- /dev/null +++ b/queue-6.8/perf-x86-fix-out-of-range-data.patch @@ -0,0 +1,109 @@ +From dec8ced871e17eea46f097542dd074d022be4bd1 Mon Sep 17 00:00:00 2001 +From: Namhyung Kim +Date: Tue, 5 Mar 2024 22:10:03 -0800 +Subject: perf/x86: Fix out of range data + +From: Namhyung Kim + +commit dec8ced871e17eea46f097542dd074d022be4bd1 upstream. + +On x86 each struct cpu_hw_events maintains a table for counter assignment but +it missed to update one for the deleted event in x86_pmu_del(). This +can make perf_clear_dirty_counters() reset used counter if it's called +before event scheduling or enabling. Then it would return out of range +data which doesn't make sense. + +The following code can reproduce the problem. + + $ cat repro.c + #include + #include + #include + #include + #include + #include + #include + #include + + struct perf_event_attr attr = { + .type = PERF_TYPE_HARDWARE, + .config = PERF_COUNT_HW_CPU_CYCLES, + .disabled = 1, + }; + + void *worker(void *arg) + { + int cpu = (long)arg; + int fd1 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); + int fd2 = syscall(SYS_perf_event_open, &attr, -1, cpu, -1, 0); + void *p; + + do { + ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0); + p = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd1, 0); + ioctl(fd2, PERF_EVENT_IOC_ENABLE, 0); + + ioctl(fd2, PERF_EVENT_IOC_DISABLE, 0); + munmap(p, 4096); + ioctl(fd1, PERF_EVENT_IOC_DISABLE, 0); + } while (1); + + return NULL; + } + + int main(void) + { + int i; + int n = sysconf(_SC_NPROCESSORS_ONLN); + pthread_t *th = calloc(n, sizeof(*th)); + + for (i = 0; i < n; i++) + pthread_create(&th[i], NULL, worker, (void *)(long)i); + for (i = 0; i < n; i++) + pthread_join(th[i], NULL); + + free(th); + return 0; + } + +And you can see the out of range data using perf stat like this. +Probably it'd be easier to see on a large machine. + + $ gcc -o repro repro.c -pthread + $ ./repro & + $ sudo perf stat -A -I 1000 2>&1 | awk '{ if (length($3) > 15) print }' + 1.001028462 CPU6 196,719,295,683,763 cycles # 194290.996 GHz (71.54%) + 1.001028462 CPU3 396,077,485,787,730 branch-misses # 15804359784.80% of all branches (71.07%) + 1.001028462 CPU17 197,608,350,727,877 branch-misses # 14594186554.56% of all branches (71.22%) + 2.020064073 CPU4 198,372,472,612,140 cycles # 194681.113 GHz (70.95%) + 2.020064073 CPU6 199,419,277,896,696 cycles # 195720.007 GHz (70.57%) + 2.020064073 CPU20 198,147,174,025,639 cycles # 194474.654 GHz (71.03%) + 2.020064073 CPU20 198,421,240,580,145 stalled-cycles-frontend # 100.14% frontend cycles idle (70.93%) + 3.037443155 CPU4 197,382,689,923,416 cycles # 194043.065 GHz (71.30%) + 3.037443155 CPU20 196,324,797,879,414 cycles # 193003.773 GHz (71.69%) + 3.037443155 CPU5 197,679,956,608,205 stalled-cycles-backend # 1315606428.66% backend cycles idle (71.19%) + 3.037443155 CPU5 198,571,860,474,851 instructions # 13215422.58 insn per cycle + +It should move the contents in the cpuc->assign as well. + +Fixes: 5471eea5d3bf ("perf/x86: Reset the dirty counter to prevent the leak for an RDPMC task") +Signed-off-by: Namhyung Kim +Signed-off-by: Ingo Molnar +Reviewed-by: Kan Liang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240306061003.1894224-1-namhyung@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1644,6 +1644,7 @@ static void x86_pmu_del(struct perf_even + while (++i < cpuc->n_events) { + cpuc->event_list[i-1] = cpuc->event_list[i]; + cpuc->event_constraint[i-1] = cpuc->event_constraint[i]; ++ cpuc->assign[i-1] = cpuc->assign[i]; + } + cpuc->event_constraint[i-1] = NULL; + --cpuc->n_events; diff --git a/queue-6.8/scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch b/queue-6.8/scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch new file mode 100644 index 00000000000..aecd97161e6 --- /dev/null +++ b/queue-6.8/scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch @@ -0,0 +1,100 @@ +From d4e655c49f474deffaf5ed7e65034b8167ee39c8 Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Mon, 1 Apr 2024 21:10:38 +0200 +Subject: scsi: sg: Avoid race in error handling & drop bogus warn + +From: Alexander Wetzel + +commit d4e655c49f474deffaf5ed7e65034b8167ee39c8 upstream. + +Commit 27f58c04a8f4 ("scsi: sg: Avoid sg device teardown race") introduced +an incorrect WARN_ON_ONCE() and missed a sequence where sg_device_destroy() +was used after scsi_device_put(). + +sg_device_destroy() is accessing the parent scsi_device request_queue which +will already be set to NULL when the preceding call to scsi_device_put() +removed the last reference to the parent scsi_device. + +Drop the incorrect WARN_ON_ONCE() - allowing more than one concurrent +access to the sg device - and make sure sg_device_destroy() is not used +after scsi_device_put() in the error handling. + +Link: https://lore.kernel.org/all/5375B275-D137-4D5F-BE25-6AF8ACAE41EF@linux.ibm.com +Fixes: 27f58c04a8f4 ("scsi: sg: Avoid sg device teardown race") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Wetzel +Link: https://lore.kernel.org/r/20240401191038.18359-1-Alexander@wetzel-home.de +Tested-by: Sachin Sant +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -285,6 +285,7 @@ sg_open(struct inode *inode, struct file + int dev = iminor(inode); + int flags = filp->f_flags; + struct request_queue *q; ++ struct scsi_device *device; + Sg_device *sdp; + Sg_fd *sfp; + int retval; +@@ -301,11 +302,12 @@ sg_open(struct inode *inode, struct file + + /* This driver's module count bumped by fops_get in */ + /* Prevent the device driver from vanishing while we sleep */ +- retval = scsi_device_get(sdp->device); ++ device = sdp->device; ++ retval = scsi_device_get(device); + if (retval) + goto sg_put; + +- retval = scsi_autopm_get_device(sdp->device); ++ retval = scsi_autopm_get_device(device); + if (retval) + goto sdp_put; + +@@ -313,7 +315,7 @@ sg_open(struct inode *inode, struct file + * check if O_NONBLOCK. Permits SCSI commands to be issued + * during error recovery. Tread carefully. */ + if (!((flags & O_NONBLOCK) || +- scsi_block_when_processing_errors(sdp->device))) { ++ scsi_block_when_processing_errors(device))) { + retval = -ENXIO; + /* we are in error recovery for this device */ + goto error_out; +@@ -344,7 +346,7 @@ sg_open(struct inode *inode, struct file + + if (sdp->open_cnt < 1) { /* no existing opens */ + sdp->sgdebug = 0; +- q = sdp->device->request_queue; ++ q = device->request_queue; + sdp->sg_tablesize = queue_max_segments(q); + } + sfp = sg_add_sfp(sdp); +@@ -370,10 +372,11 @@ out_undo: + error_mutex_locked: + mutex_unlock(&sdp->open_rel_lock); + error_out: +- scsi_autopm_put_device(sdp->device); ++ scsi_autopm_put_device(device); + sdp_put: +- scsi_device_put(sdp->device); +- goto sg_put; ++ kref_put(&sdp->d_ref, sg_device_destroy); ++ scsi_device_put(device); ++ return retval; + } + + /* Release resources associated with a successful sg_open() +@@ -2233,7 +2236,6 @@ sg_remove_sfp_usercontext(struct work_st + "sg_remove_sfp: sfp=0x%p\n", sfp)); + kfree(sfp); + +- WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1); + kref_put(&sdp->d_ref, sg_device_destroy); + scsi_device_put(device); + module_put(THIS_MODULE); diff --git a/queue-6.8/scsi-sg-avoid-sg-device-teardown-race.patch b/queue-6.8/scsi-sg-avoid-sg-device-teardown-race.patch new file mode 100644 index 00000000000..940437e82ea --- /dev/null +++ b/queue-6.8/scsi-sg-avoid-sg-device-teardown-race.patch @@ -0,0 +1,51 @@ +From 27f58c04a8f438078583041468ec60597841284d Mon Sep 17 00:00:00 2001 +From: Alexander Wetzel +Date: Wed, 20 Mar 2024 22:30:32 +0100 +Subject: scsi: sg: Avoid sg device teardown race + +From: Alexander Wetzel + +commit 27f58c04a8f438078583041468ec60597841284d upstream. + +sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling +scsi_device_put(). + +sg_device_destroy() is accessing the parent scsi_device request_queue which +will already be set to NULL when the preceding call to scsi_device_put() +removed the last reference to the parent scsi_device. + +The resulting NULL pointer exception will then crash the kernel. + +Link: https://lore.kernel.org/r/20240305150509.23896-1-Alexander@wetzel-home.de +Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Wetzel +Link: https://lore.kernel.org/r/20240320213032.18221-1-Alexander@wetzel-home.de +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -2207,6 +2207,7 @@ sg_remove_sfp_usercontext(struct work_st + { + struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work); + struct sg_device *sdp = sfp->parentdp; ++ struct scsi_device *device = sdp->device; + Sg_request *srp; + unsigned long iflags; + +@@ -2232,8 +2233,9 @@ sg_remove_sfp_usercontext(struct work_st + "sg_remove_sfp: sfp=0x%p\n", sfp)); + kfree(sfp); + +- scsi_device_put(sdp->device); ++ WARN_ON_ONCE(kref_read(&sdp->d_ref) != 1); + kref_put(&sdp->d_ref, sg_device_destroy); ++ scsi_device_put(device); + module_put(THIS_MODULE); + } + diff --git a/queue-6.8/selftests-timers-posix_timers-reimplement-check_timer_distribution.patch b/queue-6.8/selftests-timers-posix_timers-reimplement-check_timer_distribution.patch new file mode 100644 index 00000000000..c08167a2f0f --- /dev/null +++ b/queue-6.8/selftests-timers-posix_timers-reimplement-check_timer_distribution.patch @@ -0,0 +1,215 @@ +From 6d029c25b71f2de2838a6f093ce0fa0e69336154 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Tue, 9 Apr 2024 15:38:03 +0200 +Subject: selftests/timers/posix_timers: Reimplement check_timer_distribution() + +From: Oleg Nesterov + +commit 6d029c25b71f2de2838a6f093ce0fa0e69336154 upstream. + +check_timer_distribution() runs ten threads in a busy loop and tries to +test that the kernel distributes a process posix CPU timer signal to every +thread over time. + +There is not guarantee that this is true even after commit bcb7ee79029d +("posix-timers: Prefer delivery of signals to the current thread") because +that commit only avoids waking up the sleeping process leader thread, but +that has nothing to do with the actual signal delivery. + +As the signal is process wide the first thread which observes sigpending +and wins the race to lock sighand will deliver the signal. Testing shows +that this hangs on a regular base because some threads never win the race. + +The comment "This primarily tests that the kernel does not favour any one." +is wrong. The kernel does favour a thread which hits the timer interrupt +when CLOCK_PROCESS_CPUTIME_ID expires. + +Rewrite the test so it only checks that the group leader sleeping in join() +never receives SIGALRM and the thread which burns CPU cycles receives all +signals. + +In older kernels which do not have commit bcb7ee79029d ("posix-timers: +Prefer delivery of signals to the current thread") the test-case fails +immediately, the very 1st tick wakes the leader up. Otherwise it quickly +succeeds after 100 ticks. + +CI testing wants to use newer selftest versions on stable kernels. In this +case the test is guaranteed to fail. + +So check in the failure case whether the kernel version is less than v6.3 +and skip the test result in that case. + +[ tglx: Massaged change log, renamed the version check helper ] + +Fixes: e797203fb3ba ("selftests/timers/posix_timers: Test delivery of signals across threads") +Signed-off-by: Oleg Nesterov +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240409133802.GD29396@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/kselftest.h | 13 +++ + tools/testing/selftests/timers/posix_timers.c | 111 +++++++++++--------------- + 2 files changed, 64 insertions(+), 60 deletions(-) + +--- a/tools/testing/selftests/kselftest.h ++++ b/tools/testing/selftests/kselftest.h +@@ -50,6 +50,7 @@ + #include + #include + #include ++#include + #endif + + #ifndef ARRAY_SIZE +@@ -343,4 +344,16 @@ static inline __printf(1, 2) int ksft_ex + exit(KSFT_SKIP); + } + ++static inline int ksft_min_kernel_version(unsigned int min_major, ++ unsigned int min_minor) ++{ ++ unsigned int major, minor; ++ struct utsname info; ++ ++ if (uname(&info) || sscanf(info.release, "%u.%u.", &major, &minor) != 2) ++ ksft_exit_fail_msg("Can't parse kernel version\n"); ++ ++ return major > min_major || (major == min_major && minor >= min_minor); ++} ++ + #endif /* __KSELFTEST_H */ +--- a/tools/testing/selftests/timers/posix_timers.c ++++ b/tools/testing/selftests/timers/posix_timers.c +@@ -184,80 +184,71 @@ static int check_timer_create(int which) + return 0; + } + +-int remain; +-__thread int got_signal; ++static pthread_t ctd_thread; ++static volatile int ctd_count, ctd_failed; + +-static void *distribution_thread(void *arg) ++static void ctd_sighandler(int sig) + { +- while (__atomic_load_n(&remain, __ATOMIC_RELAXED)); +- return NULL; ++ if (pthread_self() != ctd_thread) ++ ctd_failed = 1; ++ ctd_count--; + } + +-static void distribution_handler(int nr) ++static void *ctd_thread_func(void *arg) + { +- if (!__atomic_exchange_n(&got_signal, 1, __ATOMIC_RELAXED)) +- __atomic_fetch_sub(&remain, 1, __ATOMIC_RELAXED); +-} +- +-/* +- * Test that all running threads _eventually_ receive CLOCK_PROCESS_CPUTIME_ID +- * timer signals. This primarily tests that the kernel does not favour any one. +- */ +-static int check_timer_distribution(void) +-{ +- int err, i; +- timer_t id; +- const int nthreads = 10; +- pthread_t threads[nthreads]; + struct itimerspec val = { + .it_value.tv_sec = 0, + .it_value.tv_nsec = 1000 * 1000, + .it_interval.tv_sec = 0, + .it_interval.tv_nsec = 1000 * 1000, + }; ++ timer_t id; ++ ++ /* 1/10 seconds to ensure the leader sleeps */ ++ usleep(10000); ++ ++ ctd_count = 100; ++ if (timer_create(CLOCK_PROCESS_CPUTIME_ID, NULL, &id)) ++ return "Can't create timer\n"; ++ if (timer_settime(id, 0, &val, NULL)) ++ return "Can't set timer\n"; ++ ++ while (ctd_count > 0 && !ctd_failed) ++ ; ++ ++ if (timer_delete(id)) ++ return "Can't delete timer\n"; ++ ++ return NULL; ++} ++ ++/* ++ * Test that only the running thread receives the timer signal. ++ */ ++static int check_timer_distribution(void) ++{ ++ const char *errmsg; + +- remain = nthreads + 1; /* worker threads + this thread */ +- signal(SIGALRM, distribution_handler); +- err = timer_create(CLOCK_PROCESS_CPUTIME_ID, NULL, &id); +- if (err < 0) { +- ksft_perror("Can't create timer"); +- return -1; +- } +- err = timer_settime(id, 0, &val, NULL); +- if (err < 0) { +- ksft_perror("Can't set timer"); +- return -1; +- } +- +- for (i = 0; i < nthreads; i++) { +- err = pthread_create(&threads[i], NULL, distribution_thread, +- NULL); +- if (err) { +- ksft_print_msg("Can't create thread: %s (%d)\n", +- strerror(errno), errno); +- return -1; +- } +- } +- +- /* Wait for all threads to receive the signal. */ +- while (__atomic_load_n(&remain, __ATOMIC_RELAXED)); +- +- for (i = 0; i < nthreads; i++) { +- err = pthread_join(threads[i], NULL); +- if (err) { +- ksft_print_msg("Can't join thread: %s (%d)\n", +- strerror(errno), errno); +- return -1; +- } +- } +- +- if (timer_delete(id)) { +- ksft_perror("Can't delete timer"); +- return -1; +- } ++ signal(SIGALRM, ctd_sighandler); + +- ksft_test_result_pass("check_timer_distribution\n"); ++ errmsg = "Can't create thread\n"; ++ if (pthread_create(&ctd_thread, NULL, ctd_thread_func, NULL)) ++ goto err; ++ ++ errmsg = "Can't join thread\n"; ++ if (pthread_join(ctd_thread, (void **)&errmsg) || errmsg) ++ goto err; ++ ++ if (!ctd_failed) ++ ksft_test_result_pass("check signal distribution\n"); ++ else if (ksft_min_kernel_version(6, 3)) ++ ksft_test_result_fail("check signal distribution\n"); ++ else ++ ksft_test_result_skip("check signal distribution (old kernel)\n"); + return 0; ++err: ++ ksft_print_msg(errmsg); ++ return -1; + } + + int main(int argc, char **argv) diff --git a/queue-6.8/series b/queue-6.8/series index b8be2ebf2fb..ac855ac6a93 100644 --- a/queue-6.8/series +++ b/queue-6.8/series @@ -106,3 +106,39 @@ iommu-vt-d-allocate-local-memory-for-page-request-qu.patch iommu-vt-d-fix-warn_on-in-iommu-probe-path.patch io_uring-refactor-defer_taskrun-multishot-checks.patch io_uring-disable-io-wq-execution-of-multishot-nowait-requests.patch +btrfs-qgroup-correctly-model-root-qgroup-rsv-in-convert.patch +btrfs-qgroup-fix-qgroup-prealloc-rsv-leak-in-subvolume-operations.patch +btrfs-record-delayed-inode-root-in-transaction.patch +btrfs-qgroup-convert-prealloc-to-pertrans-after-record_root_in_trans.patch +io_uring-net-restore-msg_control-on-sendzc-retry.patch +kprobes-fix-possible-use-after-free-issue-on-kprobe-registration.patch +fs-proc-remove-redundant-comments-from-proc-bootconfig.patch +fs-proc-skip-bootloader-comment-if-no-embedded-kernel-parameters.patch +scsi-sg-avoid-sg-device-teardown-race.patch +scsi-sg-avoid-race-in-error-handling-drop-bogus-warn.patch +accel-ivpu-check-return-code-of-ipc-lock-init.patch +accel-ivpu-fix-pci-d0-state-entry-in-resume.patch +accel-ivpu-put-npu-back-to-d3hot-after-failed-resume.patch +accel-ivpu-return-max-freq-for-drm_ivpu_param_core_clock_rate.patch +accel-ivpu-fix-deadlock-in-context_xa.patch +drm-vmwgfx-enable-dma-mappings-with-sev.patch +drm-i915-vrr-disable-vrr-when-using-bigjoiner.patch +drm-amdkfd-reset-gpu-on-queue-preemption-failure.patch +drm-ast-fix-soft-lockup.patch +drm-panfrost-fix-the-error-path-in-panfrost_mmu_map_fault_addr.patch +drm-client-fully-protect-modes-with-dev-mode_config.mutex.patch +drm-msm-dp-fix-runtime-pm-leak-on-disconnect.patch +drm-msm-dp-fix-runtime-pm-leak-on-connect-failure.patch +drm-amdgpu-umsch-reinitialize-write-pointer-in-hw-init.patch +arm64-dts-imx8qm-ss-dma-fix-can-lpcg-indices.patch +arm64-dts-imx8-ss-dma-fix-can-lpcg-indices.patch +arm64-dts-imx8-ss-dma-fix-adc-lpcg-indices.patch +arm64-dts-imx8-ss-conn-fix-usb-lpcg-indices.patch +arm64-dts-imx8-ss-dma-fix-pwm-lpcg-indices.patch +arm64-dts-imx8-ss-lsio-fix-pwm-lpcg-indices.patch +arm64-dts-imx8-ss-dma-fix-spi-lpcg-indices.patch +vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch +vhost-add-smp_rmb-in-vhost_enable_notify.patch +perf-x86-fix-out-of-range-data.patch +x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch +selftests-timers-posix_timers-reimplement-check_timer_distribution.patch diff --git a/queue-6.8/vhost-add-smp_rmb-in-vhost_enable_notify.patch b/queue-6.8/vhost-add-smp_rmb-in-vhost_enable_notify.patch new file mode 100644 index 00000000000..eca78a0097e --- /dev/null +++ b/queue-6.8/vhost-add-smp_rmb-in-vhost_enable_notify.patch @@ -0,0 +1,70 @@ +From df9ace7647d4123209395bb9967e998d5758c645 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Thu, 28 Mar 2024 10:21:48 +1000 +Subject: vhost: Add smp_rmb() in vhost_enable_notify() + +From: Gavin Shan + +commit df9ace7647d4123209395bb9967e998d5758c645 upstream. + +A smp_rmb() has been missed in vhost_enable_notify(), inspired by +Will. Otherwise, it's not ensured the available ring entries pushed +by guest can be observed by vhost in time, leading to stale available +ring entries fetched by vhost in vhost_get_vq_desc(), as reported by +Yihuang Yu on NVidia's grace-hopper (ARM64) platform. + + /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ + -accel kvm -machine virt,gic-version=host -cpu host \ + -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \ + -m 4096M,slots=16,maxmem=64G \ + -object memory-backend-ram,id=mem0,size=4096M \ + : \ + -netdev tap,id=vnet0,vhost=true \ + -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0 + : + guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM + virtio_net virtio0: output.0:id 100 is not a head! + +Add the missed smp_rmb() in vhost_enable_notify(). When it returns true, +it means there's still pending tx buffers. Since it might read indices, +so it still can bypass the smp_rmb() in vhost_get_vq_desc(). Note that +it should be safe until vq->avail_idx is changed by commit d3bb267bbdcb +("vhost: cache avail index in vhost_enable_notify()"). + +Fixes: d3bb267bbdcb ("vhost: cache avail index in vhost_enable_notify()") +Cc: # v5.18+ +Reported-by: Yihuang Yu +Suggested-by: Will Deacon +Signed-off-by: Gavin Shan +Acked-by: Jason Wang +Message-Id: <20240328002149.1141302-3-gshan@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2848,9 +2848,19 @@ bool vhost_enable_notify(struct vhost_de + &vq->avail->idx, r); + return false; + } ++ + vq->avail_idx = vhost16_to_cpu(vq, avail_idx); ++ if (vq->avail_idx != vq->last_avail_idx) { ++ /* Since we have updated avail_idx, the following ++ * call to vhost_get_vq_desc() will read available ++ * ring entries. Make sure that read happens after ++ * the avail_idx read. ++ */ ++ smp_rmb(); ++ return true; ++ } + +- return vq->avail_idx != vq->last_avail_idx; ++ return false; + } + EXPORT_SYMBOL_GPL(vhost_enable_notify); + diff --git a/queue-6.8/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch b/queue-6.8/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch new file mode 100644 index 00000000000..f86808e1a40 --- /dev/null +++ b/queue-6.8/vhost-add-smp_rmb-in-vhost_vq_avail_empty.patch @@ -0,0 +1,70 @@ +From 22e1992cf7b034db5325660e98c41ca5afa5f519 Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Thu, 28 Mar 2024 10:21:47 +1000 +Subject: vhost: Add smp_rmb() in vhost_vq_avail_empty() + +From: Gavin Shan + +commit 22e1992cf7b034db5325660e98c41ca5afa5f519 upstream. + +A smp_rmb() has been missed in vhost_vq_avail_empty(), spotted by +Will. Otherwise, it's not ensured the available ring entries pushed +by guest can be observed by vhost in time, leading to stale available +ring entries fetched by vhost in vhost_get_vq_desc(), as reported by +Yihuang Yu on NVidia's grace-hopper (ARM64) platform. + + /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ + -accel kvm -machine virt,gic-version=host -cpu host \ + -smp maxcpus=1,cpus=1,sockets=1,clusters=1,cores=1,threads=1 \ + -m 4096M,slots=16,maxmem=64G \ + -object memory-backend-ram,id=mem0,size=4096M \ + : \ + -netdev tap,id=vnet0,vhost=true \ + -device virtio-net-pci,bus=pcie.8,netdev=vnet0,mac=52:54:00:f1:26:b0 + : + guest# netperf -H 10.26.1.81 -l 60 -C -c -t UDP_STREAM + virtio_net virtio0: output.0:id 100 is not a head! + +Add the missed smp_rmb() in vhost_vq_avail_empty(). When tx_can_batch() +returns true, it means there's still pending tx buffers. Since it might +read indices, so it still can bypass the smp_rmb() in vhost_get_vq_desc(). +Note that it should be safe until vq->avail_idx is changed by commit +275bf960ac697 ("vhost: better detection of available buffers"). + +Fixes: 275bf960ac69 ("vhost: better detection of available buffers") +Cc: # v4.11+ +Reported-by: Yihuang Yu +Suggested-by: Will Deacon +Signed-off-by: Gavin Shan +Acked-by: Jason Wang +Message-Id: <20240328002149.1141302-2-gshan@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vhost.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2799,9 +2799,19 @@ bool vhost_vq_avail_empty(struct vhost_d + r = vhost_get_avail_idx(vq, &avail_idx); + if (unlikely(r)) + return false; ++ + vq->avail_idx = vhost16_to_cpu(vq, avail_idx); ++ if (vq->avail_idx != vq->last_avail_idx) { ++ /* Since we have updated avail_idx, the following ++ * call to vhost_get_vq_desc() will read available ++ * ring entries. Make sure that read happens after ++ * the avail_idx read. ++ */ ++ smp_rmb(); ++ return false; ++ } + +- return vq->avail_idx == vq->last_avail_idx; ++ return true; + } + EXPORT_SYMBOL_GPL(vhost_vq_avail_empty); + diff --git a/queue-6.8/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch b/queue-6.8/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch new file mode 100644 index 00000000000..7b7d3f882a0 --- /dev/null +++ b/queue-6.8/x86-cpu-actually-turn-off-mitigations-by-default-for-speculation_mitigations-n.patch @@ -0,0 +1,47 @@ +From f337a6a21e2fd67eadea471e93d05dd37baaa9be Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 9 Apr 2024 10:51:05 -0700 +Subject: x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit f337a6a21e2fd67eadea471e93d05dd37baaa9be upstream. + +Initialize cpu_mitigations to CPU_MITIGATIONS_OFF if the kernel is built +with CONFIG_SPECULATION_MITIGATIONS=n, as the help text quite clearly +states that disabling SPECULATION_MITIGATIONS is supposed to turn off all +mitigations by default. + + │ If you say N, all mitigations will be disabled. You really + │ should know what you are doing to say so. + +As is, the kernel still defaults to CPU_MITIGATIONS_AUTO, which results in +some mitigations being enabled in spite of SPECULATION_MITIGATIONS=n. + +Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs") +Signed-off-by: Sean Christopherson +Signed-off-by: Ingo Molnar +Reviewed-by: Daniel Sneddon +Cc: stable@vger.kernel.org +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20240409175108.1512861-2-seanjc@google.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -3207,7 +3207,8 @@ enum cpu_mitigations { + }; + + static enum cpu_mitigations cpu_mitigations __ro_after_init = +- CPU_MITIGATIONS_AUTO; ++ IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO : ++ CPU_MITIGATIONS_OFF; + + static int __init mitigations_parse_cmdline(char *arg) + {