From: Sasha Levin Date: Thu, 9 May 2024 17:27:46 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v4.19.314~106 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83cc627786e1f80bfbda368922fa51442a3f2fe1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/9p-explicitly-deny-setlease-attempts.patch b/queue-6.1/9p-explicitly-deny-setlease-attempts.patch new file mode 100644 index 00000000000..63011b8e61d --- /dev/null +++ b/queue-6.1/9p-explicitly-deny-setlease-attempts.patch @@ -0,0 +1,42 @@ +From e5f68d338959fddc116cbfe94ce3b94a9ab33f50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 12:34:45 -0400 +Subject: 9p: explicitly deny setlease attempts + +From: Jeff Layton + +[ Upstream commit 7a84602297d36617dbdadeba55a2567031e5165b ] + +9p is a remote network protocol, and it doesn't support asynchronous +notifications from the server. Ensure that we don't hand out any leases +since we can't guarantee they'll be broken when a file's contents +change. + +Signed-off-by: Jeff Layton +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c +index aec43ba837992..87222067fe5de 100644 +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -667,6 +667,7 @@ const struct file_operations v9fs_file_operations = { + .splice_read = generic_file_splice_read, + .splice_write = iter_file_splice_write, + .fsync = v9fs_file_fsync, ++ .setlease = simple_nosetlease, + }; + + const struct file_operations v9fs_file_operations_dotl = { +@@ -708,4 +709,5 @@ const struct file_operations v9fs_mmap_file_operations_dotl = { + .splice_read = generic_file_splice_read, + .splice_write = iter_file_splice_write, + .fsync = v9fs_file_fsync_dotl, ++ .setlease = simple_nosetlease, + }; +-- +2.43.0 + diff --git a/queue-6.1/alsa-line6-zero-initialize-message-buffers.patch b/queue-6.1/alsa-line6-zero-initialize-message-buffers.patch new file mode 100644 index 00000000000..2775b7520a1 --- /dev/null +++ b/queue-6.1/alsa-line6-zero-initialize-message-buffers.patch @@ -0,0 +1,57 @@ +From 40858c413a6166acd5c210eb5b768f6a2fcbce1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 08:36:25 +0200 +Subject: ALSA: line6: Zero-initialize message buffers + +From: Takashi Iwai + +[ Upstream commit c4e51e424e2c772ce1836912a8b0b87cd61bc9d5 ] + +For shutting up spurious KMSAN uninit-value warnings, just replace +kmalloc() calls with kzalloc() for the buffers used for +communications. There should be no real issue with the original code, +but it's still better to cover. + +Reported-by: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/00000000000084b18706150bcca5@google.com +Message-ID: <20240402063628.26609-1-tiwai@suse.de> +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/line6/driver.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c +index b67617b68e509..f4437015d43a7 100644 +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -202,7 +202,7 @@ int line6_send_raw_message_async(struct usb_line6 *line6, const char *buffer, + struct urb *urb; + + /* create message: */ +- msg = kmalloc(sizeof(struct message), GFP_ATOMIC); ++ msg = kzalloc(sizeof(struct message), GFP_ATOMIC); + if (msg == NULL) + return -ENOMEM; + +@@ -688,7 +688,7 @@ static int line6_init_cap_control(struct usb_line6 *line6) + int ret; + + /* initialize USB buffers: */ +- line6->buffer_listen = kmalloc(LINE6_BUFSIZE_LISTEN, GFP_KERNEL); ++ line6->buffer_listen = kzalloc(LINE6_BUFSIZE_LISTEN, GFP_KERNEL); + if (!line6->buffer_listen) + return -ENOMEM; + +@@ -697,7 +697,7 @@ static int line6_init_cap_control(struct usb_line6 *line6) + return -ENOMEM; + + if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) { +- line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); ++ line6->buffer_message = kzalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); + if (!line6->buffer_message) + return -ENOMEM; + +-- +2.43.0 + diff --git a/queue-6.1/ata-sata_gemini-check-clk_enable-result.patch b/queue-6.1/ata-sata_gemini-check-clk_enable-result.patch new file mode 100644 index 00000000000..9ba0320ecdc --- /dev/null +++ b/queue-6.1/ata-sata_gemini-check-clk_enable-result.patch @@ -0,0 +1,38 @@ +From 855ca1df05db217ec6ddc700e059e6a931e6f3c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2024 04:33:49 +0000 +Subject: ata: sata_gemini: Check clk_enable() result + +From: Chen Ni + +[ Upstream commit e85006ae7430aef780cc4f0849692e266a102ec0 ] + +The call to clk_enable() in gemini_sata_start_bridge() can fail. +Add a check to detect such failure. + +Signed-off-by: Chen Ni +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_gemini.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/sata_gemini.c b/drivers/ata/sata_gemini.c +index c96fcf9ee3c07..01f050b1bc93b 100644 +--- a/drivers/ata/sata_gemini.c ++++ b/drivers/ata/sata_gemini.c +@@ -201,7 +201,10 @@ int gemini_sata_start_bridge(struct sata_gemini *sg, unsigned int bridge) + pclk = sg->sata0_pclk; + else + pclk = sg->sata1_pclk; +- clk_enable(pclk); ++ ret = clk_enable(pclk); ++ if (ret) ++ return ret; ++ + msleep(10); + + /* Do not keep clocking a bridge that is not online */ +-- +2.43.0 + diff --git a/queue-6.1/blk-iocost-avoid-out-of-bounds-shift.patch b/queue-6.1/blk-iocost-avoid-out-of-bounds-shift.patch new file mode 100644 index 00000000000..9c51d9a650e --- /dev/null +++ b/queue-6.1/blk-iocost-avoid-out-of-bounds-shift.patch @@ -0,0 +1,74 @@ +From 5ab3d6595974abd6976b9114bb8853c526562dda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 12:32:53 -0400 +Subject: blk-iocost: avoid out of bounds shift + +From: Rik van Riel + +[ Upstream commit beaa51b36012fad5a4d3c18b88a617aea7a9b96d ] + +UBSAN catches undefined behavior in blk-iocost, where sometimes +iocg->delay is shifted right by a number that is too large, +resulting in undefined behavior on some architectures. + +[ 186.556576] ------------[ cut here ]------------ +UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 +shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') +CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 +Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020 +Call Trace: + + dump_stack_lvl+0x8f/0xe0 + __ubsan_handle_shift_out_of_bounds+0x22c/0x280 + iocg_kick_delay+0x30b/0x310 + ioc_timer_fn+0x2fb/0x1f80 + __run_timer_base+0x1b6/0x250 +... + +Avoid that undefined behavior by simply taking the +"delay = 0" branch if the shift is too large. + +I am not sure what the symptoms of an undefined value +delay will be, but I suspect it could be more than a +little annoying to debug. + +Signed-off-by: Rik van Riel +Cc: Tejun Heo +Cc: Josef Bacik +Cc: Jens Axboe +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20240404123253.0f58010f@imladris.surriel.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-iocost.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index e6557024e3da8..64b594d660b79 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -1331,7 +1331,7 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) + { + struct ioc *ioc = iocg->ioc; + struct blkcg_gq *blkg = iocg_to_blkg(iocg); +- u64 tdelta, delay, new_delay; ++ u64 tdelta, delay, new_delay, shift; + s64 vover, vover_pct; + u32 hwa; + +@@ -1346,8 +1346,9 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) + + /* calculate the current delay in effect - 1/2 every second */ + tdelta = now->now - iocg->delay_at; +- if (iocg->delay) +- delay = iocg->delay >> div64_u64(tdelta, USEC_PER_SEC); ++ shift = div64_u64(tdelta, USEC_PER_SEC); ++ if (iocg->delay && shift < BITS_PER_LONG) ++ delay = iocg->delay >> shift; + else + delay = 0; + +-- +2.43.0 + diff --git a/queue-6.1/block-fix-overflow-in-blk_ioctl_discard.patch b/queue-6.1/block-fix-overflow-in-blk_ioctl_discard.patch new file mode 100644 index 00000000000..eb58e7473e5 --- /dev/null +++ b/queue-6.1/block-fix-overflow-in-blk_ioctl_discard.patch @@ -0,0 +1,49 @@ +From 7aacccd1badd5e88eb0ac9a6c160eb9f77d3bf2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:23:19 +0800 +Subject: block: fix overflow in blk_ioctl_discard() + +From: Li Nan + +[ Upstream commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 ] + +There is no check for overflow of 'start + len' in blk_ioctl_discard(). +Hung task occurs if submit an discard ioctl with the following param: + start = 0x80000000000ff000, len = 0x8000000000fff000; +Add the overflow validation now. + +Signed-off-by: Li Nan +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20240329012319.2034550-1-linan666@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/ioctl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/ioctl.c b/block/ioctl.c +index 47567ba1185a6..99b8e2e448729 100644 +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -89,7 +89,7 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode, + unsigned long arg) + { + uint64_t range[2]; +- uint64_t start, len; ++ uint64_t start, len, end; + struct inode *inode = bdev->bd_inode; + int err; + +@@ -110,7 +110,8 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode, + if (len & 511) + return -EINVAL; + +- if (start + len > bdev_nr_bytes(bdev)) ++ if (check_add_overflow(start, len, &end) || ++ end > bdev_nr_bytes(bdev)) + return -EINVAL; + + filemap_invalidate_lock(inode->i_mapping); +-- +2.43.0 + diff --git a/queue-6.1/bpf-check-bloom-filter-map-value-size.patch b/queue-6.1/bpf-check-bloom-filter-map-value-size.patch new file mode 100644 index 00000000000..e33f0925413 --- /dev/null +++ b/queue-6.1/bpf-check-bloom-filter-map-value-size.patch @@ -0,0 +1,85 @@ +From 4f37194620b9e81d10c9aeed7049a120065cade2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 22:42:44 -0400 +Subject: bpf: Check bloom filter map value size + +From: Andrei Matei + +[ Upstream commit a8d89feba7e54e691ca7c4efc2a6264fa83f3687 ] + +This patch adds a missing check to bloom filter creating, rejecting +values above KMALLOC_MAX_SIZE. This brings the bloom map in line with +many other map types. + +The lack of this protection can cause kernel crashes for value sizes +that overflow int's. Such a crash was caught by syzkaller. The next +patch adds more guard-rails at a lower level. + +Signed-off-by: Andrei Matei +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20240327024245.318299-2-andreimatei1@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bloom_filter.c | 13 +++++++++++++ + .../selftests/bpf/prog_tests/bloom_filter_map.c | 6 ++++++ + 2 files changed, 19 insertions(+) + +diff --git a/kernel/bpf/bloom_filter.c b/kernel/bpf/bloom_filter.c +index 48ee750849f25..78e810f49c445 100644 +--- a/kernel/bpf/bloom_filter.c ++++ b/kernel/bpf/bloom_filter.c +@@ -88,6 +88,18 @@ static int bloom_map_get_next_key(struct bpf_map *map, void *key, void *next_key + return -EOPNOTSUPP; + } + ++/* Called from syscall */ ++static int bloom_map_alloc_check(union bpf_attr *attr) ++{ ++ if (attr->value_size > KMALLOC_MAX_SIZE) ++ /* if value_size is bigger, the user space won't be able to ++ * access the elements. ++ */ ++ return -E2BIG; ++ ++ return 0; ++} ++ + static struct bpf_map *bloom_map_alloc(union bpf_attr *attr) + { + u32 bitset_bytes, bitset_mask, nr_hash_funcs, nr_bits; +@@ -196,6 +208,7 @@ static int bloom_map_check_btf(const struct bpf_map *map, + BTF_ID_LIST_SINGLE(bpf_bloom_map_btf_ids, struct, bpf_bloom_filter) + const struct bpf_map_ops bloom_filter_map_ops = { + .map_meta_equal = bpf_map_meta_equal, ++ .map_alloc_check = bloom_map_alloc_check, + .map_alloc = bloom_map_alloc, + .map_free = bloom_map_free, + .map_get_next_key = bloom_map_get_next_key, +diff --git a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c +index d2d9e965eba59..f79815b7e951b 100644 +--- a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c ++++ b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c +@@ -2,6 +2,7 @@ + /* Copyright (c) 2021 Facebook */ + + #include ++#include + #include + #include "bloom_filter_map.skel.h" + +@@ -21,6 +22,11 @@ static void test_fail_cases(void) + if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value size 0")) + close(fd); + ++ /* Invalid value size: too big */ ++ fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, INT32_MAX, 100, NULL); ++ if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid value too large")) ++ close(fd); ++ + /* Invalid max entries size */ + fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, sizeof(value), 0, NULL); + if (!ASSERT_LT(fd, 0, "bpf_map_create bloom filter invalid max entries size")) +-- +2.43.0 + diff --git a/queue-6.1/btrfs-always-clear-pertrans-metadata-during-commit.patch b/queue-6.1/btrfs-always-clear-pertrans-metadata-during-commit.patch new file mode 100644 index 00000000000..d6063df4bf4 --- /dev/null +++ b/queue-6.1/btrfs-always-clear-pertrans-metadata-during-commit.patch @@ -0,0 +1,44 @@ +From 7376ddaa119005ea90998dc53bf5be7f55731814 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 12:01:28 -0700 +Subject: btrfs: always clear PERTRANS metadata during commit + +From: Boris Burkov + +[ Upstream commit 6e68de0bb0ed59e0554a0c15ede7308c47351e2d ] + +It is possible to clear a root's IN_TRANS tag from the radix tree, but +not clear its PERTRANS, if there is some error in between. Eliminate +that possibility by moving the free up to where we clear the tag. + +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/transaction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 5549c843f0d3f..a7853a3a57190 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1440,6 +1440,7 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans) + radix_tree_tag_clear(&fs_info->fs_roots_radix, + (unsigned long)root->root_key.objectid, + BTRFS_ROOT_TRANS_TAG); ++ btrfs_qgroup_free_meta_all_pertrans(root); + spin_unlock(&fs_info->fs_roots_radix_lock); + + btrfs_free_log(trans, root); +@@ -1464,7 +1465,6 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans) + if (ret2) + return ret2; + spin_lock(&fs_info->fs_roots_radix_lock); +- btrfs_qgroup_free_meta_all_pertrans(root); + } + } + spin_unlock(&fs_info->fs_roots_radix_lock); +-- +2.43.0 + diff --git a/queue-6.1/btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch b/queue-6.1/btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch new file mode 100644 index 00000000000..9408337f360 --- /dev/null +++ b/queue-6.1/btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch @@ -0,0 +1,41 @@ +From 624bb8570038ba62e5d2901a8de96f03c0bb9179 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 11:55:22 -0700 +Subject: btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve + +From: Boris Burkov + +[ Upstream commit 3c6f0c5ecc8910d4ffb0dfe85609ebc0c91c8f34 ] + +Currently, this call site in btrfs_clear_delalloc_extent() only converts +the reservation. We are marking it not delalloc, so I don't think it +makes sense to keep the rsv around. This is a path where we are not +sure to join a transaction, so it leads to incorrect free-ing during +umount. + +Helps with the pass rate of generic/269 and generic/475. + +Reviewed-by: Qu Wenruo +Signed-off-by: Boris Burkov +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index f7f4bcc094642..10ded9c2be03b 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -2472,7 +2472,7 @@ void btrfs_clear_delalloc_extent(struct inode *vfs_inode, + */ + if (bits & EXTENT_CLEAR_META_RESV && + root != fs_info->tree_root) +- btrfs_delalloc_release_metadata(inode, len, false); ++ btrfs_delalloc_release_metadata(inode, len, true); + + /* For sanity tests. */ + if (btrfs_is_testing(fs_info)) +-- +2.43.0 + diff --git a/queue-6.1/btrfs-return-accurate-error-code-on-open-failure-in-.patch b/queue-6.1/btrfs-return-accurate-error-code-on-open-failure-in-.patch new file mode 100644 index 00000000000..28098d5141e --- /dev/null +++ b/queue-6.1/btrfs-return-accurate-error-code-on-open-failure-in-.patch @@ -0,0 +1,76 @@ +From d3fb1fdadb6a95bf3a07c0dc8efd26d548628aa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 08:28:18 +0530 +Subject: btrfs: return accurate error code on open failure in + open_fs_devices() + +From: Anand Jain + +[ Upstream commit 2f1aeab9fca1a5f583be1add175d1ee95c213cfa ] + +When attempting to exclusive open a device which has no exclusive open +permission, such as a physical device associated with the flakey dm +device, the open operation will fail, resulting in a mount failure. + +In this particular scenario, we erroneously return -EINVAL instead of the +correct error code provided by the bdev_open_by_path() function, which is +-EBUSY. + +Fix this, by returning error code from the bdev_open_by_path() function. +With this correction, the mount error message will align with that of +ext4 and xfs. + +Reviewed-by: Boris Burkov +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index ab5d410d560e7..a92069fbc0287 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1233,25 +1233,32 @@ static int open_fs_devices(struct btrfs_fs_devices *fs_devices, + struct btrfs_device *device; + struct btrfs_device *latest_dev = NULL; + struct btrfs_device *tmp_device; ++ int ret = 0; + + flags |= FMODE_EXCL; + + list_for_each_entry_safe(device, tmp_device, &fs_devices->devices, + dev_list) { +- int ret; ++ int ret2; + +- ret = btrfs_open_one_device(fs_devices, device, flags, holder); +- if (ret == 0 && ++ ret2 = btrfs_open_one_device(fs_devices, device, flags, holder); ++ if (ret2 == 0 && + (!latest_dev || device->generation > latest_dev->generation)) { + latest_dev = device; +- } else if (ret == -ENODATA) { ++ } else if (ret2 == -ENODATA) { + fs_devices->num_devices--; + list_del(&device->dev_list); + btrfs_free_device(device); + } ++ if (ret == 0 && ret2 != 0) ++ ret = ret2; + } +- if (fs_devices->open_devices == 0) ++ ++ if (fs_devices->open_devices == 0) { ++ if (ret) ++ return ret; + return -EINVAL; ++ } + + fs_devices->opened = 1; + fs_devices->latest_dev = latest_dev; +-- +2.43.0 + diff --git a/queue-6.1/clk-don-t-hold-prepare_lock-when-calling-kref_put.patch b/queue-6.1/clk-don-t-hold-prepare_lock-when-calling-kref_put.patch new file mode 100644 index 00000000000..bdafeab1d8a --- /dev/null +++ b/queue-6.1/clk-don-t-hold-prepare_lock-when-calling-kref_put.patch @@ -0,0 +1,71 @@ +From 95cc6589a045efac31ca36daeb25a52698015eb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 11:41:56 -0700 +Subject: clk: Don't hold prepare_lock when calling kref_put() + +From: Stephen Boyd + +[ Upstream commit 6f63af7511e7058f3fa4ad5b8102210741c9f947 ] + +We don't need to hold the prepare_lock when dropping a ref on a struct +clk_core. The release function is only freeing memory and any code with +a pointer reference has already unlinked anything pointing to the +clk_core. This reduces the holding area of the prepare_lock a bit. + +Note that we also don't call free_clk() with the prepare_lock held. +There isn't any reason to do that. + +Reviewed-by: Douglas Anderson +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20240325184204.745706-3-sboyd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index fe1d45eac837c..8ecbb8f494655 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -4435,7 +4435,8 @@ void clk_unregister(struct clk *clk) + if (ops == &clk_nodrv_ops) { + pr_err("%s: unregistered clock: %s\n", __func__, + clk->core->name); +- goto unlock; ++ clk_prepare_unlock(); ++ return; + } + /* + * Assign empty clock ops for consumers that might still hold +@@ -4469,11 +4470,10 @@ void clk_unregister(struct clk *clk) + if (clk->core->protect_count) + pr_warn("%s: unregistering protected clock: %s\n", + __func__, clk->core->name); ++ clk_prepare_unlock(); + + kref_put(&clk->core->ref, __clk_release); + free_clk(clk); +-unlock: +- clk_prepare_unlock(); + } + EXPORT_SYMBOL_GPL(clk_unregister); + +@@ -4632,13 +4632,11 @@ void __clk_put(struct clk *clk) + if (clk->min_rate > 0 || clk->max_rate < ULONG_MAX) + clk_set_rate_range_nolock(clk, 0, ULONG_MAX); + +- owner = clk->core->owner; +- kref_put(&clk->core->ref, __clk_release); +- + clk_prepare_unlock(); + ++ owner = clk->core->owner; ++ kref_put(&clk->core->ref, __clk_release); + module_put(owner); +- + free_clk(clk); + } + +-- +2.43.0 + diff --git a/queue-6.1/drivers-hv-vmbus-don-t-free-ring-buffers-that-couldn.patch b/queue-6.1/drivers-hv-vmbus-don-t-free-ring-buffers-that-couldn.patch new file mode 100644 index 00000000000..c0dd2db1fc7 --- /dev/null +++ b/queue-6.1/drivers-hv-vmbus-don-t-free-ring-buffers-that-couldn.patch @@ -0,0 +1,50 @@ +From 00b746e830dda38de5c0e8de0437e69240b8a357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 09:15:58 -0700 +Subject: Drivers: hv: vmbus: Don't free ring buffers that couldn't be + re-encrypted + +From: Michael Kelley + +[ Upstream commit 30d18df6567be09c1433e81993e35e3da573ac48 ] + +In CoCo VMs it is possible for the untrusted host to cause +set_memory_encrypted() or set_memory_decrypted() to fail such that an +error is returned and the resulting memory is shared. Callers need to +take care to handle these errors to avoid returning decrypted (shared) +memory to the page allocator, which could lead to functional or security +issues. + +The VMBus ring buffer code could free decrypted/shared pages if +set_memory_decrypted() fails. Check the decrypted field in the struct +vmbus_gpadl for the ring buffers to decide whether to free the memory. + +Signed-off-by: Michael Kelley +Reviewed-by: Kuppuswamy Sathyanarayanan +Acked-by: Kirill A. Shutemov +Link: https://lore.kernel.org/r/20240311161558.1310-6-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20240311161558.1310-6-mhklinux@outlook.com> +Signed-off-by: Sasha Levin +--- + drivers/hv/channel.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c +index bb5abdcda18f8..47e1bd8de9fcf 100644 +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -153,7 +153,9 @@ void vmbus_free_ring(struct vmbus_channel *channel) + hv_ringbuffer_cleanup(&channel->inbound); + + if (channel->ringbuffer_page) { +- __free_pages(channel->ringbuffer_page, ++ /* In a CoCo VM leak the memory if it didn't get re-encrypted */ ++ if (!channel->ringbuffer_gpadlhandle.decrypted) ++ __free_pages(channel->ringbuffer_page, + get_order(channel->ringbuffer_pagecount + << PAGE_SHIFT)); + channel->ringbuffer_page = NULL; +-- +2.43.0 + diff --git a/queue-6.1/drivers-hv-vmbus-track-decrypted-status-in-vmbus_gpa.patch b/queue-6.1/drivers-hv-vmbus-track-decrypted-status-in-vmbus_gpa.patch new file mode 100644 index 00000000000..73f85a7c029 --- /dev/null +++ b/queue-6.1/drivers-hv-vmbus-track-decrypted-status-in-vmbus_gpa.patch @@ -0,0 +1,102 @@ +From df1d6d5c996b51f7d60059034221fc39dd574992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 09:15:55 -0700 +Subject: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl + +From: Rick Edgecombe + +[ Upstream commit 211f514ebf1ef5de37b1cf6df9d28a56cfd242ca ] + +In CoCo VMs it is possible for the untrusted host to cause +set_memory_encrypted() or set_memory_decrypted() to fail such that an +error is returned and the resulting memory is shared. Callers need to +take care to handle these errors to avoid returning decrypted (shared) +memory to the page allocator, which could lead to functional or security +issues. + +In order to make sure callers of vmbus_establish_gpadl() and +vmbus_teardown_gpadl() don't return decrypted/shared pages to +allocators, add a field in struct vmbus_gpadl to keep track of the +decryption status of the buffers. This will allow the callers to +know if they should free or leak the pages. + +Signed-off-by: Rick Edgecombe +Signed-off-by: Michael Kelley +Reviewed-by: Kuppuswamy Sathyanarayanan +Acked-by: Kirill A. Shutemov +Link: https://lore.kernel.org/r/20240311161558.1310-3-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20240311161558.1310-3-mhklinux@outlook.com> +Signed-off-by: Sasha Levin +--- + drivers/hv/channel.c | 25 +++++++++++++++++++++---- + include/linux/hyperv.h | 1 + + 2 files changed, 22 insertions(+), 4 deletions(-) + +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c +index 56f7e06c673e4..bb5abdcda18f8 100644 +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -472,9 +472,18 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, + (atomic_inc_return(&vmbus_connection.next_gpadl_handle) - 1); + + ret = create_gpadl_header(type, kbuffer, size, send_offset, &msginfo); +- if (ret) ++ if (ret) { ++ gpadl->decrypted = false; + return ret; ++ } + ++ /* ++ * Set the "decrypted" flag to true for the set_memory_decrypted() ++ * success case. In the failure case, the encryption state of the ++ * memory is unknown. Leave "decrypted" as true to ensure the ++ * memory will be leaked instead of going back on the free list. ++ */ ++ gpadl->decrypted = true; + ret = set_memory_decrypted((unsigned long)kbuffer, + PFN_UP(size)); + if (ret) { +@@ -563,9 +572,15 @@ static int __vmbus_establish_gpadl(struct vmbus_channel *channel, + + kfree(msginfo); + +- if (ret) +- set_memory_encrypted((unsigned long)kbuffer, +- PFN_UP(size)); ++ if (ret) { ++ /* ++ * If set_memory_encrypted() fails, the decrypted flag is ++ * left as true so the memory is leaked instead of being ++ * put back on the free list. ++ */ ++ if (!set_memory_encrypted((unsigned long)kbuffer, PFN_UP(size))) ++ gpadl->decrypted = false; ++ } + + return ret; + } +@@ -886,6 +901,8 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, struct vmbus_gpadl *gpad + if (ret) + pr_warn("Fail to set mem host visibility in GPADL teardown %d.\n", ret); + ++ gpadl->decrypted = ret; ++ + return ret; + } + EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index 4fbd5d8417111..811d59cf891ba 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -832,6 +832,7 @@ struct vmbus_gpadl { + u32 gpadl_handle; + u32 size; + void *buffer; ++ bool decrypted; + }; + + struct vmbus_channel { +-- +2.43.0 + diff --git a/queue-6.1/drm-amdgpu-refine-ib-schedule-error-logging.patch b/queue-6.1/drm-amdgpu-refine-ib-schedule-error-logging.patch new file mode 100644 index 00000000000..f443feee0cf --- /dev/null +++ b/queue-6.1/drm-amdgpu-refine-ib-schedule-error-logging.patch @@ -0,0 +1,49 @@ +From c59c8168b5b3fd91070ec27202d35b952b54d0db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 17:46:36 +0530 +Subject: drm/amdgpu: Refine IB schedule error logging +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lijo Lazar + +[ Upstream commit 4b18a91faf1752f9bd69a4ed3aed2c8f6e5b0528 ] + +Downgrade to debug information when IBs are skipped. Also, use dev_* to +identify the device. + +Signed-off-by: Lijo Lazar +Reviewed-by: Christian König +Reviewed-by: Asad Kamal +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +index 3bf0e893c07df..f34bc9bb7045a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +@@ -301,12 +301,15 @@ static struct dma_fence *amdgpu_job_run(struct drm_sched_job *sched_job) + dma_fence_set_error(finished, -ECANCELED); + + if (finished->error < 0) { +- DRM_INFO("Skip scheduling IBs!\n"); ++ dev_dbg(adev->dev, "Skip scheduling IBs in ring(%s)", ++ ring->name); + } else { + r = amdgpu_ib_schedule(ring, job->num_ibs, job->ibs, job, + &fence); + if (r) +- DRM_ERROR("Error scheduling IBs (%d)\n", r); ++ dev_err(adev->dev, ++ "Error scheduling IBs (%d) in ring(%s)", r, ++ ring->name); + } + + job->job_run_counter++; +-- +2.43.0 + diff --git a/queue-6.1/drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch b/queue-6.1/drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch new file mode 100644 index 00000000000..42ac337a7fa --- /dev/null +++ b/queue-6.1/drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch @@ -0,0 +1,57 @@ +From 9c9799df36fd98aa5cb28e7ea7e1c867ee77338a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 19:35:54 -0400 +Subject: drm/nouveau/dp: Don't probe eDP ports twice harder + +From: Lyude Paul + +[ Upstream commit bf52d7f9b2067f02efe7e32697479097aba4a055 ] + +I didn't pay close enough attention the last time I tried to fix this +problem - while we currently do correctly take care to make sure we don't +probe a connected eDP port more then once, we don't do the same thing for +eDP ports we found to be disconnected. + +So, fix this and make sure we only ever probe eDP ports once and then leave +them at that connector state forever (since without HPD, it's not going to +change on its own anyway). This should get rid of the last few GSP errors +getting spit out during runtime suspend and resume on some machines, as we +tried to reprobe eDP ports in response to ACPI hotplug probe events. + +Signed-off-by: Lyude Paul +Reviewed-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/20240404233736.7946-3-lyude@redhat.com +(cherry picked from commit fe6660b661c3397af0867d5d098f5b26581f1290) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_dp.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_dp.c b/drivers/gpu/drm/nouveau/nouveau_dp.c +index 53185746fb3d1..17e1e23a780e0 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_dp.c ++++ b/drivers/gpu/drm/nouveau/nouveau_dp.c +@@ -109,12 +109,15 @@ nouveau_dp_detect(struct nouveau_connector *nv_connector, + u8 *dpcd = nv_encoder->dp.dpcd; + int ret = NOUVEAU_DP_NONE, hpd; + +- /* If we've already read the DPCD on an eDP device, we don't need to +- * reread it as it won't change ++ /* eDP ports don't support hotplugging - so there's no point in probing eDP ports unless we ++ * haven't probed them once before. + */ +- if (connector->connector_type == DRM_MODE_CONNECTOR_eDP && +- dpcd[DP_DPCD_REV] != 0) +- return NOUVEAU_DP_SST; ++ if (connector->connector_type == DRM_MODE_CONNECTOR_eDP) { ++ if (connector->status == connector_status_connected) ++ return NOUVEAU_DP_SST; ++ else if (connector->status == connector_status_disconnected) ++ return NOUVEAU_DP_NONE; ++ } + + mutex_lock(&nv_encoder->dp.hpd_irq_lock); + if (mstm) { +-- +2.43.0 + diff --git a/queue-6.1/firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch b/queue-6.1/firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch new file mode 100644 index 00000000000..c65f2c4e605 --- /dev/null +++ b/queue-6.1/firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch @@ -0,0 +1,87 @@ +From 3660e703d6b085adb4871dc2f5d50925606ea092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Mar 2024 07:38:41 +0900 +Subject: firewire: ohci: mask bus reset interrupts between ISR and bottom half + +From: Adam Goldman + +[ Upstream commit 752e3c53de0fa3b7d817a83050b6699b8e9c6ec9 ] + +In the FireWire OHCI interrupt handler, if a bus reset interrupt has +occurred, mask bus reset interrupts until bus_reset_work has serviced and +cleared the interrupt. + +Normally, we always leave bus reset interrupts masked. We infer the bus +reset from the self-ID interrupt that happens shortly thereafter. A +scenario where we unmask bus reset interrupts was introduced in 2008 in +a007bb857e0b26f5d8b73c2ff90782d9c0972620: If +OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we +will unmask bus reset interrupts so we can log them. + +irq_handler logs the bus reset interrupt. However, we can't clear the bus +reset event flag in irq_handler, because we won't service the event until +later. irq_handler exits with the event flag still set. If the +corresponding interrupt is still unmasked, the first bus reset will +usually freeze the system due to irq_handler being called again each +time it exits. This freeze can be reproduced by loading firewire_ohci +with "modprobe firewire_ohci debug=-1" (to enable all debugging output). +Apparently there are also some cases where bus_reset_work will get called +soon enough to clear the event, and operation will continue normally. + +This freeze was first reported a few months after a007bb85 was committed, +but until now it was never fixed. The debug level could safely be set +to -1 through sysfs after the module was loaded, but this would be +ineffectual in logging bus reset interrupts since they were only +unmasked during initialization. + +irq_handler will now leave the event flag set but mask bus reset +interrupts, so irq_handler won't be called again and there will be no +freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will +unmask the interrupt after servicing the event, so future interrupts +will be caught as desired. + +As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be +enabled through sysfs in addition to during initial module loading. +However, when enabled through sysfs, logging of bus reset interrupts will +be effective only starting with the second bus reset, after +bus_reset_work has executed. + +Signed-off-by: Adam Goldman +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/ohci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c +index 667ff40f39353..7d94e1cbc0ed3 100644 +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -2049,6 +2049,8 @@ static void bus_reset_work(struct work_struct *work) + + ohci->generation = generation; + reg_write(ohci, OHCI1394_IntEventClear, OHCI1394_busReset); ++ if (param_debug & OHCI_PARAM_DEBUG_BUSRESETS) ++ reg_write(ohci, OHCI1394_IntMaskSet, OHCI1394_busReset); + + if (ohci->quirks & QUIRK_RESET_PACKET) + ohci->request_generation = generation; +@@ -2115,12 +2117,14 @@ static irqreturn_t irq_handler(int irq, void *data) + return IRQ_NONE; + + /* +- * busReset and postedWriteErr must not be cleared yet ++ * busReset and postedWriteErr events must not be cleared yet + * (OHCI 1.1 clauses 7.2.3.2 and 13.2.8.1) + */ + reg_write(ohci, OHCI1394_IntEventClear, + event & ~(OHCI1394_busReset | OHCI1394_postedWriteErr)); + log_irqs(ohci, event); ++ if (event & OHCI1394_busReset) ++ reg_write(ohci, OHCI1394_IntMaskClear, OHCI1394_busReset); + + if (event & OHCI1394_selfIDComplete) + queue_work(selfid_workqueue, &ohci->bus_reset_work); +-- +2.43.0 + diff --git a/queue-6.1/fs-9p-drop-inodes-immediately-on-non-.l-too.patch b/queue-6.1/fs-9p-drop-inodes-immediately-on-non-.l-too.patch new file mode 100644 index 00000000000..908923a4a1c --- /dev/null +++ b/queue-6.1/fs-9p-drop-inodes-immediately-on-non-.l-too.patch @@ -0,0 +1,31 @@ +From 74329ab1e5110178dcacc60c3df65728abb21ffc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 12:22:32 +0100 +Subject: fs/9p: drop inodes immediately on non-.L too + +From: Joakim Sindholt + +[ Upstream commit 7fd524b9bd1be210fe79035800f4bd78a41b349f ] + +Signed-off-by: Joakim Sindholt +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_super.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/9p/vfs_super.c b/fs/9p/vfs_super.c +index 2d9ee073d12c3..7c35347f1d9be 100644 +--- a/fs/9p/vfs_super.c ++++ b/fs/9p/vfs_super.c +@@ -342,6 +342,7 @@ static const struct super_operations v9fs_super_ops = { + .alloc_inode = v9fs_alloc_inode, + .free_inode = v9fs_free_inode, + .statfs = simple_statfs, ++ .drop_inode = v9fs_drop_inode, + .evict_inode = v9fs_evict_inode, + .show_options = v9fs_show_options, + .umount_begin = v9fs_umount_begin, +-- +2.43.0 + diff --git a/queue-6.1/fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch b/queue-6.1/fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch new file mode 100644 index 00000000000..c4c993bc321 --- /dev/null +++ b/queue-6.1/fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch @@ -0,0 +1,37 @@ +From 7c911292360e89b8492ab45e081ec145b6e82d9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 12:22:31 +0100 +Subject: fs/9p: only translate RWX permissions for plain 9P2000 + +From: Joakim Sindholt + +[ Upstream commit cd25e15e57e68a6b18dc9323047fe9c68b99290b ] + +Garbage in plain 9P2000's perm bits is allowed through, which causes it +to be able to set (among others) the suid bit. This was presumably not +the intent since the unix extended bits are handled explicitly and +conditionally on .u. + +Signed-off-by: Joakim Sindholt +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index 5e2657c1dbbe6..a0c5a372dcf62 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -85,7 +85,7 @@ static int p9mode2perm(struct v9fs_session_info *v9ses, + int res; + int mode = stat->mode; + +- res = mode & S_IALLUGO; ++ res = mode & 0777; /* S_IRWXUGO */ + if (v9fs_proto_dotu(v9ses)) { + if ((mode & P9_DMSETUID) == P9_DMSETUID) + res |= S_ISUID; +-- +2.43.0 + diff --git a/queue-6.1/fs-9p-translate-o_trunc-into-otrunc.patch b/queue-6.1/fs-9p-translate-o_trunc-into-otrunc.patch new file mode 100644 index 00000000000..2742c830272 --- /dev/null +++ b/queue-6.1/fs-9p-translate-o_trunc-into-otrunc.patch @@ -0,0 +1,36 @@ +From 9c8d37b6d1dd8ca67faf942d4443fae79622f478 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 12:22:33 +0100 +Subject: fs/9p: translate O_TRUNC into OTRUNC + +From: Joakim Sindholt + +[ Upstream commit 87de39e70503e04ddb58965520b15eb9efa7eef3 ] + +This one hits both 9P2000 and .u as it appears v9fs has never translated +the O_TRUNC flag. + +Signed-off-by: Joakim Sindholt +Signed-off-by: Eric Van Hensbergen +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index a0c5a372dcf62..8f287009545c9 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -181,6 +181,9 @@ int v9fs_uflags2omode(int uflags, int extended) + break; + } + ++ if (uflags & O_TRUNC) ++ ret |= P9_OTRUNC; ++ + if (extended) { + if (uflags & O_EXCL) + ret |= P9_OEXCL; +-- +2.43.0 + diff --git a/queue-6.1/gfs2-fix-invalid-metadata-access-in-punch_hole.patch b/queue-6.1/gfs2-fix-invalid-metadata-access-in-punch_hole.patch new file mode 100644 index 00000000000..99014aca260 --- /dev/null +++ b/queue-6.1/gfs2-fix-invalid-metadata-access-in-punch_hole.patch @@ -0,0 +1,47 @@ +From 7c8db630ad98800ddf3a040b0f222688a8e3240a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 16:40:36 +0100 +Subject: gfs2: Fix invalid metadata access in punch_hole + +From: Andrew Price + +[ Upstream commit c95346ac918c5badf51b9a7ac58a26d3bd5bb224 ] + +In punch_hole(), when the offset lies in the final block for a given +height, there is no hole to punch, but the maximum size check fails to +detect that. Consequently, punch_hole() will try to punch a hole beyond +the end of the metadata and fail. Fix the maximum size check. + +Signed-off-by: Andrew Price +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/bmap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c +index e7537fd305dd2..9ad11e5bf14c3 100644 +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1702,7 +1702,8 @@ static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length) + struct buffer_head *dibh, *bh; + struct gfs2_holder rd_gh; + unsigned int bsize_shift = sdp->sd_sb.sb_bsize_shift; +- u64 lblock = (offset + (1 << bsize_shift) - 1) >> bsize_shift; ++ unsigned int bsize = 1 << bsize_shift; ++ u64 lblock = (offset + bsize - 1) >> bsize_shift; + __u16 start_list[GFS2_MAX_META_HEIGHT]; + __u16 __end_list[GFS2_MAX_META_HEIGHT], *end_list = NULL; + unsigned int start_aligned, end_aligned; +@@ -1713,7 +1714,7 @@ static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length) + u64 prev_bnr = 0; + __be64 *start, *end; + +- if (offset >= maxsize) { ++ if (offset + bsize - 1 >= maxsize) { + /* + * The starting point lies beyond the allocated meta-data; + * there are no blocks do deallocate. +-- +2.43.0 + diff --git a/queue-6.1/gpio-crystalcove-use-enotsupp-consistently.patch b/queue-6.1/gpio-crystalcove-use-enotsupp-consistently.patch new file mode 100644 index 00000000000..1004e35961e --- /dev/null +++ b/queue-6.1/gpio-crystalcove-use-enotsupp-consistently.patch @@ -0,0 +1,35 @@ +From beb6a032e2b7e282fe10c115429020ceb7efc193 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 19:26:22 +0300 +Subject: gpio: crystalcove: Use -ENOTSUPP consistently + +From: Andy Shevchenko + +[ Upstream commit ace0ebe5c98d66889f19e0f30e2518d0c58d0e04 ] + +The GPIO library expects the drivers to return -ENOTSUPP in some +cases and not using analogue POSIX code. Make the driver to follow +this. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-crystalcove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-crystalcove.c b/drivers/gpio/gpio-crystalcove.c +index 1ee62cd58582b..25db014494a4d 100644 +--- a/drivers/gpio/gpio-crystalcove.c ++++ b/drivers/gpio/gpio-crystalcove.c +@@ -92,7 +92,7 @@ static inline int to_reg(int gpio, enum ctrl_register reg_type) + case 0x5e: + return GPIOPANELCTL; + default: +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + } + } + +-- +2.43.0 + diff --git a/queue-6.1/gpio-wcove-use-enotsupp-consistently.patch b/queue-6.1/gpio-wcove-use-enotsupp-consistently.patch new file mode 100644 index 00000000000..73676070e76 --- /dev/null +++ b/queue-6.1/gpio-wcove-use-enotsupp-consistently.patch @@ -0,0 +1,36 @@ +From b03274645ed173e28bb16afd9737af2ee02baed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Apr 2024 19:25:21 +0300 +Subject: gpio: wcove: Use -ENOTSUPP consistently + +From: Andy Shevchenko + +[ Upstream commit 0c3b532ad3fbf82884a2e7e83e37c7dcdd4d1d99 ] + +The GPIO library expects the drivers to return -ENOTSUPP in some +cases and not using analogue POSIX code. Make the driver to follow +this. + +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-wcove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-wcove.c b/drivers/gpio/gpio-wcove.c +index c18b6b47384f1..94ca9d03c0949 100644 +--- a/drivers/gpio/gpio-wcove.c ++++ b/drivers/gpio/gpio-wcove.c +@@ -104,7 +104,7 @@ static inline int to_reg(int gpio, enum ctrl_register type) + unsigned int reg = type == CTRL_IN ? GPIO_IN_CTRL_BASE : GPIO_OUT_CTRL_BASE; + + if (gpio >= WCOVE_GPIO_NUM) +- return -EOPNOTSUPP; ++ return -ENOTSUPP; + + return reg + gpio; + } +-- +2.43.0 + diff --git a/queue-6.1/gpu-host1x-do-not-setup-dma-for-virtual-devices.patch b/queue-6.1/gpu-host1x-do-not-setup-dma-for-virtual-devices.patch new file mode 100644 index 00000000000..4f5b6ef0cda --- /dev/null +++ b/queue-6.1/gpu-host1x-do-not-setup-dma-for-virtual-devices.patch @@ -0,0 +1,61 @@ +From d52cc553791795688c221d26b7eb60282d68c4dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 16:49:43 +0100 +Subject: gpu: host1x: Do not setup DMA for virtual devices + +From: Thierry Reding + +[ Upstream commit 8ab58f6841b19423231c5db3378691ec80c778f8 ] + +The host1x devices are virtual compound devices and do not perform DMA +accesses themselves, so they do not need to be set up for DMA. + +Ideally we would also not need to set up DMA masks for the virtual +devices, but we currently still need those for legacy support on old +hardware. + +Tested-by: Jon Hunter +Acked-by: Jon Hunter +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20240314154943.2487549-1-thierry.reding@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/bus.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c +index bdee16a0bb8e2..ba622fb5e4822 100644 +--- a/drivers/gpu/host1x/bus.c ++++ b/drivers/gpu/host1x/bus.c +@@ -368,11 +368,6 @@ static int host1x_device_uevent(struct device *dev, + return 0; + } + +-static int host1x_dma_configure(struct device *dev) +-{ +- return of_dma_configure(dev, dev->of_node, true); +-} +- + static const struct dev_pm_ops host1x_device_pm_ops = { + .suspend = pm_generic_suspend, + .resume = pm_generic_resume, +@@ -386,7 +381,6 @@ struct bus_type host1x_bus_type = { + .name = "host1x", + .match = host1x_device_match, + .uevent = host1x_device_uevent, +- .dma_configure = host1x_dma_configure, + .pm = &host1x_device_pm_ops, + }; + +@@ -475,8 +469,6 @@ static int host1x_device_add(struct host1x *host1x, + device->dev.bus = &host1x_bus_type; + device->dev.parent = host1x->dev; + +- of_dma_configure(&device->dev, host1x->dev->of_node, true); +- + device->dev.dma_parms = &device->dma_parms; + dma_set_max_seg_size(&device->dev, UINT_MAX); + +-- +2.43.0 + diff --git a/queue-6.1/iommu-mtk-fix-module-autoloading.patch b/queue-6.1/iommu-mtk-fix-module-autoloading.patch new file mode 100644 index 00000000000..58f667fc595 --- /dev/null +++ b/queue-6.1/iommu-mtk-fix-module-autoloading.patch @@ -0,0 +1,48 @@ +From 5ba626aa42212c82422fef70553907d2f2b9d1c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Apr 2024 18:41:09 +0200 +Subject: iommu: mtk: fix module autoloading + +From: Krzysztof Kozlowski + +[ Upstream commit 7537e31df80cb58c27f3b6fef702534ea87a5957 ] + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded +based on the alias from of_device_id table. + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240410164109.233308-1-krzk@kernel.org +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/mtk_iommu.c | 1 + + drivers/iommu/mtk_iommu_v1.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c +index 0ba2a63a9538a..576163f88a4a5 100644 +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -1570,6 +1570,7 @@ static const struct of_device_id mtk_iommu_of_ids[] = { + { .compatible = "mediatek,mt8195-iommu-vpp", .data = &mt8195_data_vpp}, + {} + }; ++MODULE_DEVICE_TABLE(of, mtk_iommu_of_ids); + + static struct platform_driver mtk_iommu_driver = { + .probe = mtk_iommu_probe, +diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c +index a978220eb620e..5dd06bcb507f6 100644 +--- a/drivers/iommu/mtk_iommu_v1.c ++++ b/drivers/iommu/mtk_iommu_v1.c +@@ -602,6 +602,7 @@ static const struct of_device_id mtk_iommu_v1_of_ids[] = { + { .compatible = "mediatek,mt2701-m4u", }, + {} + }; ++MODULE_DEVICE_TABLE(of, mtk_iommu_v1_of_ids); + + static const struct component_master_ops mtk_iommu_v1_com_ops = { + .bind = mtk_iommu_v1_bind, +-- +2.43.0 + diff --git a/queue-6.1/kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch b/queue-6.1/kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch new file mode 100644 index 00000000000..46c440cffb4 --- /dev/null +++ b/queue-6.1/kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch @@ -0,0 +1,100 @@ +From d7f24306f9f690edebec84995576bae72c100241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2024 21:25:48 +0100 +Subject: kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries + +From: Borislav Petkov (AMD) + +[ Upstream commit 54babdc0343fff2f32dfaafaaa9e42c4db278204 ] + +When KCSAN and CONSTRUCTORS are enabled, one can trigger the + + "Unpatched return thunk in use. This should not happen!" + +catch-all warning. + +Usually, when objtool runs on the .o objects, it does generate a section +.return_sites which contains all offsets in the objects to the return +thunks of the functions present there. Those return thunks then get +patched at runtime by the alternatives. + +KCSAN and CONSTRUCTORS add this to the object file's .text.startup +section: + + ------------------- + Disassembly of section .text.startup: + + ... + + 0000000000000010 <_sub_I_00099_0>: + 10: f3 0f 1e fa endbr64 + 14: e8 00 00 00 00 call 19 <_sub_I_00099_0+0x9> + 15: R_X86_64_PLT32 __tsan_init-0x4 + 19: e9 00 00 00 00 jmp 1e <__UNIQUE_ID___addressable_cryptd_alloc_aead349+0x6> + 1a: R_X86_64_PLT32 __x86_return_thunk-0x4 + ------------------- + +which, if it is built as a module goes through the intermediary stage of +creating a .mod.c file which, when translated, receives a second +constructor: + + ------------------- + Disassembly of section .text.startup: + + 0000000000000010 <_sub_I_00099_0>: + 10: f3 0f 1e fa endbr64 + 14: e8 00 00 00 00 call 19 <_sub_I_00099_0+0x9> + 15: R_X86_64_PLT32 __tsan_init-0x4 + 19: e9 00 00 00 00 jmp 1e <_sub_I_00099_0+0xe> + 1a: R_X86_64_PLT32 __x86_return_thunk-0x4 + + ... + + 0000000000000030 <_sub_I_00099_0>: + 30: f3 0f 1e fa endbr64 + 34: e8 00 00 00 00 call 39 <_sub_I_00099_0+0x9> + 35: R_X86_64_PLT32 __tsan_init-0x4 + 39: e9 00 00 00 00 jmp 3e <__ksymtab_cryptd_alloc_ahash+0x2> + 3a: R_X86_64_PLT32 __x86_return_thunk-0x4 + ------------------- + +in the .ko file. + +Objtool has run already so that second constructor's return thunk cannot +be added to the .return_sites section and thus the return thunk remains +unpatched and the warning rightfully fires. + +Drop KCSAN flags from the mod.c generation stage as those constructors +do not contain data races one would be interested about. + +Debugged together with David Kaplan and Nikolay +Borisov . + +Reported-by: Paul Menzel +Closes: https://lore.kernel.org/r/0851a207-7143-417e-be31-8bf2b3afb57d@molgen.mpg.de +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Paul Menzel # Dell XPS 13 +Reviewed-by: Nikolay Borisov +Reviewed-by: Marco Elver +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.modfinal | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal +index 3af5e5807983a..650d59388336f 100644 +--- a/scripts/Makefile.modfinal ++++ b/scripts/Makefile.modfinal +@@ -23,7 +23,7 @@ modname = $(notdir $(@:.mod.o=)) + part-of-module = y + + quiet_cmd_cc_o_c = CC [M] $@ +- cmd_cc_o_c = $(CC) $(filter-out $(CC_FLAGS_CFI) $(CFLAGS_GCOV), $(c_flags)) -c -o $@ $< ++ cmd_cc_o_c = $(CC) $(filter-out $(CC_FLAGS_CFI) $(CFLAGS_GCOV) $(CFLAGS_KCSAN), $(c_flags)) -c -o $@ $< + + %.mod.o: %.mod.c FORCE + $(call if_changed_dep,cc_o_c) +-- +2.43.0 + diff --git a/queue-6.1/kbuild-rust-avoid-creating-temporary-files.patch b/queue-6.1/kbuild-rust-avoid-creating-temporary-files.patch new file mode 100644 index 00000000000..fd0bf525e64 --- /dev/null +++ b/queue-6.1/kbuild-rust-avoid-creating-temporary-files.patch @@ -0,0 +1,81 @@ +From 52c90d5dc37f0d8c14b282d189215706cf57b824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jul 2023 16:21:28 +0200 +Subject: kbuild: rust: avoid creating temporary files + +From: Miguel Ojeda + +[ Upstream commit df01b7cfcef08bf3fdcac2909d0e1910781d6bfd ] + +`rustc` outputs by default the temporary files (i.e. the ones saved +by `-Csave-temps`, such as `*.rcgu*` files) in the current working +directory when `-o` and `--out-dir` are not given (even if +`--emit=x=path` is given, i.e. it does not use those for temporaries). + +Since out-of-tree modules are compiled from the `linux` tree, +`rustc` then tries to create them there, which may not be accessible. + +Thus pass `--out-dir` explicitly, even if it is just for the temporary +files. + +Similarly, do so for Rust host programs too. + +Reported-by: Raphael Nestler +Closes: https://github.com/Rust-for-Linux/linux/issues/1015 +Reported-by: Andrea Righi +Tested-by: Raphael Nestler # non-hostprogs +Tested-by: Andrea Righi # non-hostprogs +Fixes: 295d8398c67e ("kbuild: specify output names separately for each emission type from rustc") +Cc: stable@vger.kernel.org +Signed-off-by: Miguel Ojeda +Tested-by: Martin Rodriguez Reboredo +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.build | 5 ++++- + scripts/Makefile.host | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/scripts/Makefile.build b/scripts/Makefile.build +index 9ae02542b9389..1827bc1db1e98 100644 +--- a/scripts/Makefile.build ++++ b/scripts/Makefile.build +@@ -277,6 +277,9 @@ $(obj)/%.lst: $(src)/%.c FORCE + + rust_allowed_features := core_ffi_c + ++# `--out-dir` is required to avoid temporaries being created by `rustc` in the ++# current working directory, which may be not accessible in the out-of-tree ++# modules case. + rust_common_cmd = \ + RUST_MODFILE=$(modfile) $(RUSTC_OR_CLIPPY) $(rust_flags) \ + -Zallow-features=$(rust_allowed_features) \ +@@ -285,7 +288,7 @@ rust_common_cmd = \ + --extern alloc --extern kernel \ + --crate-type rlib -L $(objtree)/rust/ \ + --crate-name $(basename $(notdir $@)) \ +- --emit=dep-info=$(depfile) ++ --out-dir $(dir $@) --emit=dep-info=$(depfile) + + rust_handle_depfile = \ + sed -i '/^\#/d' $(depfile) +diff --git a/scripts/Makefile.host b/scripts/Makefile.host +index d812241144d44..a447c91893de6 100644 +--- a/scripts/Makefile.host ++++ b/scripts/Makefile.host +@@ -86,7 +86,11 @@ hostc_flags = -Wp,-MMD,$(depfile) \ + hostcxx_flags = -Wp,-MMD,$(depfile) \ + $(KBUILD_HOSTCXXFLAGS) $(HOST_EXTRACXXFLAGS) \ + $(HOSTCXXFLAGS_$(target-stem).o) +-hostrust_flags = --emit=dep-info=$(depfile) \ ++ ++# `--out-dir` is required to avoid temporaries being created by `rustc` in the ++# current working directory, which may be not accessible in the out-of-tree ++# modules case. ++hostrust_flags = --out-dir $(dir $@) --emit=dep-info=$(depfile) \ + $(KBUILD_HOSTRUSTFLAGS) $(HOST_EXTRARUSTFLAGS) \ + $(HOSTRUSTFLAGS_$(target-stem)) + +-- +2.43.0 + diff --git a/queue-6.1/memblock-tests-fix-undefined-reference-to-bit.patch b/queue-6.1/memblock-tests-fix-undefined-reference-to-bit.patch new file mode 100644 index 00000000000..5fc4f1be54a --- /dev/null +++ b/queue-6.1/memblock-tests-fix-undefined-reference-to-bit.patch @@ -0,0 +1,41 @@ +From 49443bd96d7a996bf345f14e6c7cc929cb4a5678 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 13:27:01 +0000 +Subject: memblock tests: fix undefined reference to `BIT' + +From: Wei Yang + +[ Upstream commit 592447f6cb3c20d606d6c5d8e6af68e99707b786 ] + +commit 772dd0342727 ("mm: enumerate all gfp flags") define gfp flags +with the help of BIT, while gfp_types.h doesn't include header file for +the definition. This through an error on building memblock tests. + +Let's include linux/bits.h to fix it. + +Signed-off-by: Wei Yang +CC: Suren Baghdasaryan +CC: Michal Hocko +Link: https://lore.kernel.org/r/20240402132701.29744-4-richard.weiyang@gmail.com +Signed-off-by: Mike Rapoport (IBM) +Signed-off-by: Sasha Levin +--- + include/linux/gfp_types.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/gfp_types.h b/include/linux/gfp_types.h +index d88c46ca82e17..6811ab702e8dc 100644 +--- a/include/linux/gfp_types.h ++++ b/include/linux/gfp_types.h +@@ -2,6 +2,8 @@ + #ifndef __LINUX_GFP_TYPES_H + #define __LINUX_GFP_TYPES_H + ++#include ++ + /* The typedef is in types.h but we want the documentation here */ + #if 0 + /** +-- +2.43.0 + diff --git a/queue-6.1/memblock-tests-fix-undefined-reference-to-early_pfn_.patch b/queue-6.1/memblock-tests-fix-undefined-reference-to-early_pfn_.patch new file mode 100644 index 00000000000..46e9d78100d --- /dev/null +++ b/queue-6.1/memblock-tests-fix-undefined-reference-to-early_pfn_.patch @@ -0,0 +1,43 @@ +From 268a846a21e0707a5c6827541e933953d5f9fd3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 13:26:59 +0000 +Subject: memblock tests: fix undefined reference to `early_pfn_to_nid' + +From: Wei Yang + +[ Upstream commit 7d8ed162e6a92268d4b2b84d364a931216102c8e ] + +commit 6a9531c3a880 ("memblock: fix crash when reserved memory is not +added to memory") introduce the usage of early_pfn_to_nid, which is not +defined in memblock tests. + +The original definition of early_pfn_to_nid is defined in mm.h, so let +add this in the corresponding mm.h. + +Signed-off-by: Wei Yang +CC: Yajun Deng +CC: Mike Rapoport +Link: https://lore.kernel.org/r/20240402132701.29744-2-richard.weiyang@gmail.com +Signed-off-by: Mike Rapoport (IBM) +Signed-off-by: Sasha Levin +--- + tools/include/linux/mm.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/include/linux/mm.h b/tools/include/linux/mm.h +index 43be27bcc897d..2f401e8c6c0bb 100644 +--- a/tools/include/linux/mm.h ++++ b/tools/include/linux/mm.h +@@ -37,4 +37,9 @@ static inline void totalram_pages_add(long count) + { + } + ++static inline int early_pfn_to_nid(unsigned long pfn) ++{ ++ return 0; ++} ++ + #endif +-- +2.43.0 + diff --git a/queue-6.1/memblock-tests-fix-undefined-reference-to-panic.patch b/queue-6.1/memblock-tests-fix-undefined-reference-to-panic.patch new file mode 100644 index 00000000000..6b0857c5000 --- /dev/null +++ b/queue-6.1/memblock-tests-fix-undefined-reference-to-panic.patch @@ -0,0 +1,67 @@ +From f4c5d2672aa6fc4df1a75da837942288671f8411 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 13:27:00 +0000 +Subject: memblock tests: fix undefined reference to `panic' + +From: Wei Yang + +[ Upstream commit e0f5a8e74be88f2476e58b25d3b49a9521bdc4ec ] + +commit e96c6b8f212a ("memblock: report failures when memblock_can_resize +is not set") introduced the usage of panic, which is not defined in +memblock test. + +Let's define it directly in panic.h to fix it. + +Signed-off-by: Wei Yang +CC: Song Shuai +CC: Mike Rapoport +Link: https://lore.kernel.org/r/20240402132701.29744-3-richard.weiyang@gmail.com +Signed-off-by: Mike Rapoport (IBM) +Signed-off-by: Sasha Levin +--- + tools/include/linux/kernel.h | 1 + + tools/include/linux/panic.h | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+) + create mode 100644 tools/include/linux/panic.h + +diff --git a/tools/include/linux/kernel.h b/tools/include/linux/kernel.h +index 4b0673bf52c2e..07cfad817d539 100644 +--- a/tools/include/linux/kernel.h ++++ b/tools/include/linux/kernel.h +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + +diff --git a/tools/include/linux/panic.h b/tools/include/linux/panic.h +new file mode 100644 +index 0000000000000..9c8f17a41ce8e +--- /dev/null ++++ b/tools/include/linux/panic.h +@@ -0,0 +1,19 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _TOOLS_LINUX_PANIC_H ++#define _TOOLS_LINUX_PANIC_H ++ ++#include ++#include ++#include ++ ++static inline void panic(const char *fmt, ...) ++{ ++ va_list argp; ++ ++ va_start(argp, fmt); ++ vfprintf(stderr, fmt, argp); ++ va_end(argp); ++ exit(-1); ++} ++ ++#endif +-- +2.43.0 + diff --git a/queue-6.1/mips-scall-save-thread_info.syscall-unconditionally-.patch b/queue-6.1/mips-scall-save-thread_info.syscall-unconditionally-.patch new file mode 100644 index 00000000000..8fc63157340 --- /dev/null +++ b/queue-6.1/mips-scall-save-thread_info.syscall-unconditionally-.patch @@ -0,0 +1,255 @@ +From 285db6b4fc9f34edf6dfae71367d1e4f77d1b724 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 14:27:56 +0000 +Subject: MIPS: scall: Save thread_info.syscall unconditionally on entry + +From: Jiaxun Yang + +[ Upstream commit 4370b673ccf240bf7587b0cb8e6726a5ccaf1f17 ] + +thread_info.syscall is used by syscall_get_nr to supply syscall nr +over a thread stack frame. + +Previously, thread_info.syscall is only saved at syscall_trace_enter +when syscall tracing is enabled. However rest of the kernel code do +expect syscall_get_nr to be available without syscall tracing. The +previous design breaks collect_syscall. + +Move saving process to syscall entry to fix it. + +Reported-by: Xi Ruoyao +Link: https://github.com/util-linux/util-linux/issues/2867 +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/ptrace.h | 2 +- + arch/mips/kernel/asm-offsets.c | 1 + + arch/mips/kernel/ptrace.c | 15 ++++++--------- + arch/mips/kernel/scall32-o32.S | 23 +++++++++++++---------- + arch/mips/kernel/scall64-n32.S | 3 ++- + arch/mips/kernel/scall64-n64.S | 3 ++- + arch/mips/kernel/scall64-o32.S | 33 +++++++++++++++++---------------- + 7 files changed, 42 insertions(+), 38 deletions(-) + +diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h +index b3e4dd6be7e20..428b9f1cf1de2 100644 +--- a/arch/mips/include/asm/ptrace.h ++++ b/arch/mips/include/asm/ptrace.h +@@ -157,7 +157,7 @@ static inline long regs_return_value(struct pt_regs *regs) + #define instruction_pointer(regs) ((regs)->cp0_epc) + #define profile_pc(regs) instruction_pointer(regs) + +-extern asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall); ++extern asmlinkage long syscall_trace_enter(struct pt_regs *regs); + extern asmlinkage void syscall_trace_leave(struct pt_regs *regs); + + extern void die(const char *, struct pt_regs *) __noreturn; +diff --git a/arch/mips/kernel/asm-offsets.c b/arch/mips/kernel/asm-offsets.c +index c4501897b870b..08342b9eccdbd 100644 +--- a/arch/mips/kernel/asm-offsets.c ++++ b/arch/mips/kernel/asm-offsets.c +@@ -98,6 +98,7 @@ void output_thread_info_defines(void) + OFFSET(TI_CPU, thread_info, cpu); + OFFSET(TI_PRE_COUNT, thread_info, preempt_count); + OFFSET(TI_REGS, thread_info, regs); ++ OFFSET(TI_SYSCALL, thread_info, syscall); + DEFINE(_THREAD_SIZE, THREAD_SIZE); + DEFINE(_THREAD_MASK, THREAD_MASK); + DEFINE(_IRQ_STACK_SIZE, IRQ_STACK_SIZE); +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 567aec4abac0f..a8e569830ec8d 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -1309,16 +1309,13 @@ long arch_ptrace(struct task_struct *child, long request, + * Notification of system call entry/exit + * - triggered by current->work.syscall_trace + */ +-asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) ++asmlinkage long syscall_trace_enter(struct pt_regs *regs) + { + user_exit(); + +- current_thread_info()->syscall = syscall; +- + if (test_thread_flag(TIF_SYSCALL_TRACE)) { + if (ptrace_report_syscall_entry(regs)) + return -1; +- syscall = current_thread_info()->syscall; + } + + #ifdef CONFIG_SECCOMP +@@ -1327,7 +1324,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) + struct seccomp_data sd; + unsigned long args[6]; + +- sd.nr = syscall; ++ sd.nr = current_thread_info()->syscall; + sd.arch = syscall_get_arch(current); + syscall_get_arguments(current, regs, args); + for (i = 0; i < 6; i++) +@@ -1337,23 +1334,23 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall) + ret = __secure_computing(&sd); + if (ret == -1) + return ret; +- syscall = current_thread_info()->syscall; + } + #endif + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) + trace_sys_enter(regs, regs->regs[2]); + +- audit_syscall_entry(syscall, regs->regs[4], regs->regs[5], ++ audit_syscall_entry(current_thread_info()->syscall, ++ regs->regs[4], regs->regs[5], + regs->regs[6], regs->regs[7]); + + /* + * Negative syscall numbers are mistaken for rejected syscalls, but + * won't have had the return value set appropriately, so we do so now. + */ +- if (syscall < 0) ++ if (current_thread_info()->syscall < 0) + syscall_set_return_value(current, regs, -ENOSYS, 0); +- return syscall; ++ return current_thread_info()->syscall; + } + + /* +diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S +index 18dc9b3450561..2c604717e6308 100644 +--- a/arch/mips/kernel/scall32-o32.S ++++ b/arch/mips/kernel/scall32-o32.S +@@ -77,6 +77,18 @@ loads_done: + PTR_WD load_a7, bad_stack_a7 + .previous + ++ /* ++ * syscall number is in v0 unless we called syscall(__NR_###) ++ * where the real syscall number is in a0 ++ */ ++ subu t2, v0, __NR_O32_Linux ++ bnez t2, 1f /* __NR_syscall at offset 0 */ ++ LONG_S a0, TI_SYSCALL($28) # Save a0 as syscall number ++ b 2f ++1: ++ LONG_S v0, TI_SYSCALL($28) # Save v0 as syscall number ++2: ++ + lw t0, TI_FLAGS($28) # syscall tracing enabled? + li t1, _TIF_WORK_SYSCALL_ENTRY + and t0, t1 +@@ -114,16 +126,7 @@ syscall_trace_entry: + SAVE_STATIC + move a0, sp + +- /* +- * syscall number is in v0 unless we called syscall(__NR_###) +- * where the real syscall number is in a0 +- */ +- move a1, v0 +- subu t2, v0, __NR_O32_Linux +- bnez t2, 1f /* __NR_syscall at offset 0 */ +- lw a1, PT_R4(sp) +- +-1: jal syscall_trace_enter ++ jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall + +diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S +index 97456b2ca7dc3..97788859238c3 100644 +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -44,6 +44,8 @@ NESTED(handle_sysn32, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + ++ LONG_S v0, TI_SYSCALL($28) # Store syscall number ++ + li t1, _TIF_WORK_SYSCALL_ENTRY + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 +@@ -72,7 +74,6 @@ syscall_common: + n32_syscall_trace_entry: + SAVE_STATIC + move a0, sp +- move a1, v0 + jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall +diff --git a/arch/mips/kernel/scall64-n64.S b/arch/mips/kernel/scall64-n64.S +index e6264aa62e457..be11ea5cc67e0 100644 +--- a/arch/mips/kernel/scall64-n64.S ++++ b/arch/mips/kernel/scall64-n64.S +@@ -46,6 +46,8 @@ NESTED(handle_sys64, PT_SIZE, sp) + + sd a3, PT_R26(sp) # save a3 for syscall restarting + ++ LONG_S v0, TI_SYSCALL($28) # Store syscall number ++ + li t1, _TIF_WORK_SYSCALL_ENTRY + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 +@@ -82,7 +84,6 @@ n64_syscall_exit: + syscall_trace_entry: + SAVE_STATIC + move a0, sp +- move a1, v0 + jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index d3c2616cba226..7a5abb73e5312 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -79,6 +79,22 @@ loads_done: + PTR_WD load_a7, bad_stack_a7 + .previous + ++ /* ++ * absolute syscall number is in v0 unless we called syscall(__NR_###) ++ * where the real syscall number is in a0 ++ * note: NR_syscall is the first O32 syscall but the macro is ++ * only defined when compiling with -mabi=32 (CONFIG_32BIT) ++ * therefore __NR_O32_Linux is used (4000) ++ */ ++ ++ subu t2, v0, __NR_O32_Linux ++ bnez t2, 1f /* __NR_syscall at offset 0 */ ++ LONG_S a0, TI_SYSCALL($28) # Save a0 as syscall number ++ b 2f ++1: ++ LONG_S v0, TI_SYSCALL($28) # Save v0 as syscall number ++2: ++ + li t1, _TIF_WORK_SYSCALL_ENTRY + LONG_L t0, TI_FLAGS($28) # syscall tracing enabled? + and t0, t1, t0 +@@ -113,22 +129,7 @@ trace_a_syscall: + sd a7, PT_R11(sp) # For indirect syscalls + + move a0, sp +- /* +- * absolute syscall number is in v0 unless we called syscall(__NR_###) +- * where the real syscall number is in a0 +- * note: NR_syscall is the first O32 syscall but the macro is +- * only defined when compiling with -mabi=32 (CONFIG_32BIT) +- * therefore __NR_O32_Linux is used (4000) +- */ +- .set push +- .set reorder +- subu t1, v0, __NR_O32_Linux +- move a1, v0 +- bnez t1, 1f /* __NR_syscall at offset 0 */ +- ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ +- .set pop +- +-1: jal syscall_trace_enter ++ jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall + +-- +2.43.0 + diff --git a/queue-6.1/net-bcmgenet-reset-rbuf-on-first-open.patch b/queue-6.1/net-bcmgenet-reset-rbuf-on-first-open.patch new file mode 100644 index 00000000000..bb332faf331 --- /dev/null +++ b/queue-6.1/net-bcmgenet-reset-rbuf-on-first-open.patch @@ -0,0 +1,83 @@ +From 3f6fde5d9069fead10264bcb0af75bfc392fe9c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Apr 2024 13:09:33 +0200 +Subject: net: bcmgenet: Reset RBUF on first open + +From: Phil Elwell + +[ Upstream commit 0a6380cb4c6b5c1d6dad226ba3130f9090f0ccea ] + +If the RBUF logic is not reset when the kernel starts then there +may be some data left over from any network boot loader. If the +64-byte packet headers are enabled then this can be fatal. + +Extend bcmgenet_dma_disable to do perform the reset, but not when +called from bcmgenet_resume in order to preserve a wake packet. + +N.B. This different handling of resume is just based on a hunch - +why else wouldn't one reset the RBUF as well as the TBUF? If this +isn't the case then it's easy to change the patch to make the RBUF +reset unconditional. + +See: https://github.com/raspberrypi/linux/issues/3850 +See: https://github.com/raspberrypi/firmware/issues/1882 + +Signed-off-by: Phil Elwell +Signed-off-by: Maarten Vanraes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index c2a9913082153..4b8574acf848e 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3298,7 +3298,7 @@ static void bcmgenet_get_hw_addr(struct bcmgenet_priv *priv, + } + + /* Returns a reusable dma control register value */ +-static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv) ++static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv, bool flush_rx) + { + unsigned int i; + u32 reg; +@@ -3323,6 +3323,14 @@ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv) + udelay(10); + bcmgenet_umac_writel(priv, 0, UMAC_TX_FLUSH); + ++ if (flush_rx) { ++ reg = bcmgenet_rbuf_ctrl_get(priv); ++ bcmgenet_rbuf_ctrl_set(priv, reg | BIT(0)); ++ udelay(10); ++ bcmgenet_rbuf_ctrl_set(priv, reg); ++ udelay(10); ++ } ++ + return dma_ctrl; + } + +@@ -3386,8 +3394,8 @@ static int bcmgenet_open(struct net_device *dev) + + bcmgenet_set_hw_addr(priv, dev->dev_addr); + +- /* Disable RX/TX DMA and flush TX queues */ +- dma_ctrl = bcmgenet_dma_disable(priv); ++ /* Disable RX/TX DMA and flush TX and RX queues */ ++ dma_ctrl = bcmgenet_dma_disable(priv, true); + + /* Reinitialize TDMA and RDMA and SW housekeeping */ + ret = bcmgenet_init_dma(priv); +@@ -4258,7 +4266,7 @@ static int bcmgenet_resume(struct device *d) + bcmgenet_hfb_create_rxnfc_filter(priv, rule); + + /* Disable RX/TX DMA and flush TX queues */ +- dma_ctrl = bcmgenet_dma_disable(priv); ++ dma_ctrl = bcmgenet_dma_disable(priv, false); + + /* Reinitialize TDMA and RDMA and SW housekeeping */ + ret = bcmgenet_init_dma(priv); +-- +2.43.0 + diff --git a/queue-6.1/net-mark-racy-access-on-sk-sk_rcvbuf.patch b/queue-6.1/net-mark-racy-access-on-sk-sk_rcvbuf.patch new file mode 100644 index 00000000000..74f6a753dc8 --- /dev/null +++ b/queue-6.1/net-mark-racy-access-on-sk-sk_rcvbuf.patch @@ -0,0 +1,48 @@ +From f1d918eff4edb03529094d1b9f614f3c056f49a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 16:44:10 +0800 +Subject: net: mark racy access on sk->sk_rcvbuf + +From: linke li + +[ Upstream commit c2deb2e971f5d9aca941ef13ee05566979e337a4 ] + +sk->sk_rcvbuf in __sock_queue_rcv_skb() and __sk_receive_skb() can be +changed by other threads. Mark this as benign using READ_ONCE(). + +This patch is aimed at reducing the number of benign races reported by +KCSAN in order to focus future debugging effort on harmful races. + +Signed-off-by: linke li +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 550af616f5359..48199e6e8f161 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -482,7 +482,7 @@ int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) + unsigned long flags; + struct sk_buff_head *list = &sk->sk_receive_queue; + +- if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) { ++ if (atomic_read(&sk->sk_rmem_alloc) >= READ_ONCE(sk->sk_rcvbuf)) { + atomic_inc(&sk->sk_drops); + trace_sock_rcvqueue_full(sk, skb); + return -ENOMEM; +@@ -552,7 +552,7 @@ int __sk_receive_skb(struct sock *sk, struct sk_buff *skb, + + skb->dev = NULL; + +- if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { ++ if (sk_rcvqueues_full(sk, READ_ONCE(sk->sk_rcvbuf))) { + atomic_inc(&sk->sk_drops); + goto discard_and_relse; + } +-- +2.43.0 + diff --git a/queue-6.1/net-usb-qmi_wwan-support-rolling-modules.patch b/queue-6.1/net-usb-qmi_wwan-support-rolling-modules.patch new file mode 100644 index 00000000000..5c32b913651 --- /dev/null +++ b/queue-6.1/net-usb-qmi_wwan-support-rolling-modules.patch @@ -0,0 +1,70 @@ +From aa8708fd9e0c296978587476c00e95154ed21443 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 20:07:13 +0800 +Subject: net:usb:qmi_wwan: support Rolling modules + +From: Vanillan Wang + +[ Upstream commit d362046021ea122309da8c8e0b6850c792ca97b5 ] + +Update the qmi_wwan driver support for the Rolling +LTE modules. + +- VID:PID 33f8:0104, RW101-GL for laptop debug M.2 cards(with RMNET +interface for /Linux/Chrome OS) +0x0104: RMNET, diag, at, pipe + +Here are the outputs of usb-devices: +T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=33f8 ProdID=0104 Rev=05.04 +S: Manufacturer=Rolling Wireless S.a.r.l. +S: Product=Rolling Module +S: SerialNumber=ba2eb033 +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +Signed-off-by: Vanillan Wang +Link: https://lore.kernel.org/r/20240416120713.24777-1-vanillanwang@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 2d82481d34e6b..45a542659a814 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1429,6 +1429,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x0489, 0xe0b5, 0)}, /* Foxconn T77W968 LTE with eSIM support*/ + {QMI_FIXED_INTF(0x2692, 0x9025, 4)}, /* Cellient MPL200 (rebranded Qualcomm 05c6:9025) */ + {QMI_QUIRK_SET_DTR(0x1546, 0x1342, 4)}, /* u-blox LARA-L6 */ ++ {QMI_QUIRK_SET_DTR(0x33f8, 0x0104, 4)}, /* Rolling RW101 RMNET */ + + /* 4. Gobi 1000 devices */ + {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ +-- +2.43.0 + diff --git a/queue-6.1/perf-unwind-libdw-handle-jit-generated-dsos-properly.patch b/queue-6.1/perf-unwind-libdw-handle-jit-generated-dsos-properly.patch new file mode 100644 index 00000000000..f000cc31db2 --- /dev/null +++ b/queue-6.1/perf-unwind-libdw-handle-jit-generated-dsos-properly.patch @@ -0,0 +1,90 @@ +From fd99294b1f16f70223923bf23ee5ae7de88ec3c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 14:00:56 -0700 +Subject: perf unwind-libdw: Handle JIT-generated DSOs properly + +From: Namhyung Kim + +[ Upstream commit c966d23a351a33f8a977fd7efbb6f467132f7383 ] + +Usually DSOs are mapped from the beginning of the file, so the base +address of the DSO can be calculated by map->start - map->pgoff. + +However, JIT DSOs which are generated by `perf inject -j`, are mapped +only the code segment. This makes unwind-libdw code confusing and +rejects processing unwinds in the JIT DSOs. It should use the map +start address as base for them to fix the confusion. + +Fixes: 1fe627da30331024 ("perf unwind: Take pgoff into account when reporting elf to libdwfl") +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Fangrui Song +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Milian Wolff +Cc: Pablo Galindo +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231212070547.612536-3-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/unwind-libdw.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c +index 94aa40f6e3482..9a7bdc0e14cc2 100644 +--- a/tools/perf/util/unwind-libdw.c ++++ b/tools/perf/util/unwind-libdw.c +@@ -45,6 +45,7 @@ static int __report_module(struct addr_location *al, u64 ip, + { + Dwfl_Module *mod; + struct dso *dso = NULL; ++ Dwarf_Addr base; + /* + * Some callers will use al->sym, so we can't just use the + * cheaper thread__find_map() here. +@@ -57,24 +58,36 @@ static int __report_module(struct addr_location *al, u64 ip, + if (!dso) + return 0; + ++ /* ++ * The generated JIT DSO files only map the code segment without ++ * ELF headers. Since JIT codes used to be packed in a memory ++ * segment, calculating the base address using pgoff falls info ++ * a different code in another DSO. So just use the map->start ++ * directly to pick the correct one. ++ */ ++ if (!strncmp(dso->long_name, "/tmp/jitted-", 12)) ++ base = al->map->start; ++ else ++ base = al->map->start - al->map->pgoff; ++ + mod = dwfl_addrmodule(ui->dwfl, ip); + if (mod) { + Dwarf_Addr s; + + dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL); +- if (s != al->map->start - al->map->pgoff) +- mod = 0; ++ if (s != base) ++ mod = NULL; + } + + if (!mod) + mod = dwfl_report_elf(ui->dwfl, dso->short_name, dso->long_name, -1, +- al->map->start - al->map->pgoff, false); ++ base, false); + if (!mod) { + char filename[PATH_MAX]; + + if (dso__build_id_filename(dso, filename, sizeof(filename), false)) + mod = dwfl_report_elf(ui->dwfl, dso->short_name, filename, -1, +- al->map->start - al->map->pgoff, false); ++ base, false); + } + + if (mod) { +-- +2.43.0 + diff --git a/queue-6.1/perf-unwind-libunwind-fix-base-address-for-.eh_frame.patch b/queue-6.1/perf-unwind-libunwind-fix-base-address-for-.eh_frame.patch new file mode 100644 index 00000000000..2e4673a63e6 --- /dev/null +++ b/queue-6.1/perf-unwind-libunwind-fix-base-address-for-.eh_frame.patch @@ -0,0 +1,49 @@ +From 942502a8614c0f6d2f4e2a0d1fdb9d7e24970811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 14:00:55 -0700 +Subject: perf unwind-libunwind: Fix base address for .eh_frame + +From: Namhyung Kim + +[ Upstream commit 4fb54994b2360ab5029ee3a959161f6fe6bbb349 ] + +The base address of a DSO mapping should start at the start of the file. +Usually DSOs are mapped from the pgoff 0 so it doesn't matter when it +uses the start of the map address. + +But generated DSOs for JIT codes doesn't start from the 0 so it should +subtract the offset to calculate the .eh_frame table offsets correctly. + +Fixes: dc2cf4ca866f5715 ("perf unwind: Fix segbase for ld.lld linked objects") +Reviewed-by: Ian Rogers +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Fangrui Song +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Milian Wolff +Cc: Pablo Galindo +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20231212070547.612536-4-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/unwind-libunwind-local.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/unwind-libunwind-local.c b/tools/perf/util/unwind-libunwind-local.c +index 81b6bd6e1536a..b276e36e3fb41 100644 +--- a/tools/perf/util/unwind-libunwind-local.c ++++ b/tools/perf/util/unwind-libunwind-local.c +@@ -327,7 +327,7 @@ static int read_unwind_spec_eh_frame(struct dso *dso, struct unwind_info *ui, + + maps__for_each_entry(ui->thread->maps, map) { + if (map->dso == dso && map->start < base_addr) +- base_addr = map->start; ++ base_addr = map->start - map->pgoff; + } + base_addr -= dso->data.elf_base_addr; + /* Address of .eh_frame_hdr */ +-- +2.43.0 + diff --git a/queue-6.1/scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch b/queue-6.1/scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch new file mode 100644 index 00000000000..1a0b48a1f80 --- /dev/null +++ b/queue-6.1/scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch @@ -0,0 +1,86 @@ +From 7c0bfd28352ac5d36eb03501ec0745671434c0b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 12:44:27 +0530 +Subject: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after + upload + +From: Saurav Kashyap + +[ Upstream commit c214ed2a4dda35b308b0b28eed804d7ae66401f9 ] + +The session resources are used by FW and driver when session is offloaded, +once session is uploaded these resources are not used. The lock is not +required as these fields won't be used any longer. The offload and upload +calls are sequential, hence lock is not required. + +This will suppress following BUG_ON(): + +[ 449.843143] ------------[ cut here ]------------ +[ 449.848302] kernel BUG at mm/vmalloc.c:2727! +[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI +[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1 +Rebooting. +[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016 +[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc] +[ 449.882910] RIP: 0010:vunmap+0x2e/0x30 +[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41 +[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206 +[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005 +[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000 +[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf +[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000 +[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0 +[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000 +[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0 +[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 449.993028] Call Trace: +[ 449.995756] __iommu_dma_free+0x96/0x100 +[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc] +[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc] +[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc] +[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc] +[ 450.023103] process_one_work+0x1e8/0x3c0 +[ 450.027581] worker_thread+0x50/0x3b0 +[ 450.031669] ? rescuer_thread+0x370/0x370 +[ 450.036143] kthread+0x149/0x170 +[ 450.039744] ? set_kthread_struct+0x40/0x40 +[ 450.044411] ret_from_fork+0x22/0x30 +[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls +[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler +[ 450.159753] ---[ end trace 712de2c57c64abc8 ]--- + +Reported-by: Guangwu Zhang +Signed-off-by: Saurav Kashyap +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20240315071427.31842-1-skashyap@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/bnx2fc_tgt.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_tgt.c b/drivers/scsi/bnx2fc/bnx2fc_tgt.c +index 2c246e80c1c4d..d91659811eb3c 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_tgt.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_tgt.c +@@ -833,7 +833,6 @@ static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba, + + BNX2FC_TGT_DBG(tgt, "Freeing up session resources\n"); + +- spin_lock_bh(&tgt->cq_lock); + ctx_base_ptr = tgt->ctx_base; + tgt->ctx_base = NULL; + +@@ -889,7 +888,6 @@ static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba, + tgt->sq, tgt->sq_dma); + tgt->sq = NULL; + } +- spin_unlock_bh(&tgt->cq_lock); + + if (ctx_base_ptr) + iounmap(ctx_base_ptr); +-- +2.43.0 + diff --git a/queue-6.1/scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch b/queue-6.1/scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch new file mode 100644 index 00000000000..ee211531bf3 --- /dev/null +++ b/queue-6.1/scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch @@ -0,0 +1,60 @@ +From 3501c7f147e18a6fbca2491bdf743f8acc6f6544 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:04:53 -0800 +Subject: scsi: lpfc: Move NPIV's transport unregistration to after resource + clean up + +From: Justin Tee + +[ Upstream commit 4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c ] + +There are cases after NPIV deletion where the fabric switch still believes +the NPIV is logged into the fabric. This occurs when a vport is +unregistered before the Remove All DA_ID CT and LOGO ELS are sent to the +fabric. + +Currently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including +the fabric D_ID, removes the last ndlp reference and frees the ndlp rport +object. This sometimes causes the race condition where the final DA_ID and +LOGO are skipped from being sent to the fabric switch. + +Fix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID +and LOGO are sent. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240305200503.57317-3-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_vport.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c +index 4d171f5c213f7..6b4259894584f 100644 +--- a/drivers/scsi/lpfc/lpfc_vport.c ++++ b/drivers/scsi/lpfc/lpfc_vport.c +@@ -693,10 +693,6 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + lpfc_free_sysfs_attr(vport); + lpfc_debugfs_terminate(vport); + +- /* Remove FC host to break driver binding. */ +- fc_remove_host(shost); +- scsi_remove_host(shost); +- + /* Send the DA_ID and Fabric LOGO to cleanup Nameserver entries. */ + ndlp = lpfc_findnode_did(vport, Fabric_DID); + if (!ndlp) +@@ -740,6 +736,10 @@ lpfc_vport_delete(struct fc_vport *fc_vport) + + skip_logo: + ++ /* Remove FC host to break driver binding. */ ++ fc_remove_host(shost); ++ scsi_remove_host(shost); ++ + lpfc_cleanup(vport); + + /* Remove scsi host now. The nodes are cleaned up. */ +-- +2.43.0 + diff --git a/queue-6.1/scsi-lpfc-release-hbalock-before-calling-lpfc_worker.patch b/queue-6.1/scsi-lpfc-release-hbalock-before-calling-lpfc_worker.patch new file mode 100644 index 00000000000..5e189193b04 --- /dev/null +++ b/queue-6.1/scsi-lpfc-release-hbalock-before-calling-lpfc_worker.patch @@ -0,0 +1,129 @@ +From 89e4e8d4b0fac65ae409d10ba6f417e2222f14fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:04:57 -0800 +Subject: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() + +From: Justin Tee + +[ Upstream commit ded20192dff31c91cef2a04f7e20e60e9bb887d3 ] + +lpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes the +hbalock. Thus, lpfc_worker_wake_up() should not be called while holding the +hbalock to avoid potential deadlock. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240305200503.57317-7-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 20 ++++++++++---------- + drivers/scsi/lpfc/lpfc_hbadisc.c | 5 ++--- + drivers/scsi/lpfc/lpfc_sli.c | 14 +++++++------- + 3 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 6b5ce9869e6b4..05764008f6e70 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -4384,23 +4384,23 @@ lpfc_els_retry_delay(struct timer_list *t) + unsigned long flags; + struct lpfc_work_evt *evtp = &ndlp->els_retry_evt; + ++ /* Hold a node reference for outstanding queued work */ ++ if (!lpfc_nlp_get(ndlp)) ++ return; ++ + spin_lock_irqsave(&phba->hbalock, flags); + if (!list_empty(&evtp->evt_listp)) { + spin_unlock_irqrestore(&phba->hbalock, flags); ++ lpfc_nlp_put(ndlp); + return; + } + +- /* We need to hold the node by incrementing the reference +- * count until the queued work is done +- */ +- evtp->evt_arg1 = lpfc_nlp_get(ndlp); +- if (evtp->evt_arg1) { +- evtp->evt = LPFC_EVT_ELS_RETRY; +- list_add_tail(&evtp->evt_listp, &phba->work_list); +- lpfc_worker_wake_up(phba); +- } ++ evtp->evt_arg1 = ndlp; ++ evtp->evt = LPFC_EVT_ELS_RETRY; ++ list_add_tail(&evtp->evt_listp, &phba->work_list); + spin_unlock_irqrestore(&phba->hbalock, flags); +- return; ++ ++ lpfc_worker_wake_up(phba); + } + + /** +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 549fa7d6c0f6f..aaa98a006fdcb 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -241,7 +241,9 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) + if (evtp->evt_arg1) { + evtp->evt = LPFC_EVT_DEV_LOSS; + list_add_tail(&evtp->evt_listp, &phba->work_list); ++ spin_unlock_irqrestore(&phba->hbalock, iflags); + lpfc_worker_wake_up(phba); ++ return; + } + spin_unlock_irqrestore(&phba->hbalock, iflags); + } else { +@@ -259,10 +261,7 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) + lpfc_disc_state_machine(vport, ndlp, NULL, + NLP_EVT_DEVICE_RM); + } +- + } +- +- return; + } + + /** +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 427a6ac803e50..47b8102a7063a 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -1217,9 +1217,9 @@ lpfc_set_rrq_active(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp, + empty = list_empty(&phba->active_rrq_list); + list_add_tail(&rrq->list, &phba->active_rrq_list); + phba->hba_flag |= HBA_RRQ_ACTIVE; ++ spin_unlock_irqrestore(&phba->hbalock, iflags); + if (empty) + lpfc_worker_wake_up(phba); +- spin_unlock_irqrestore(&phba->hbalock, iflags); + return 0; + out: + spin_unlock_irqrestore(&phba->hbalock, iflags); +@@ -11361,18 +11361,18 @@ lpfc_sli_post_recovery_event(struct lpfc_hba *phba, + unsigned long iflags; + struct lpfc_work_evt *evtp = &ndlp->recovery_evt; + ++ /* Hold a node reference for outstanding queued work */ ++ if (!lpfc_nlp_get(ndlp)) ++ return; ++ + spin_lock_irqsave(&phba->hbalock, iflags); + if (!list_empty(&evtp->evt_listp)) { + spin_unlock_irqrestore(&phba->hbalock, iflags); ++ lpfc_nlp_put(ndlp); + return; + } + +- /* Incrementing the reference count until the queued work is done. */ +- evtp->evt_arg1 = lpfc_nlp_get(ndlp); +- if (!evtp->evt_arg1) { +- spin_unlock_irqrestore(&phba->hbalock, iflags); +- return; +- } ++ evtp->evt_arg1 = ndlp; + evtp->evt = LPFC_EVT_RECOVER_PORT; + list_add_tail(&evtp->evt_listp, &phba->work_list); + spin_unlock_irqrestore(&phba->hbalock, iflags); +-- +2.43.0 + diff --git a/queue-6.1/scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch b/queue-6.1/scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch new file mode 100644 index 00000000000..165713095bd --- /dev/null +++ b/queue-6.1/scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch @@ -0,0 +1,40 @@ +From ee0cbc4212c229f3f7199d63afdcf39fdf994dcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:04:56 -0800 +Subject: scsi: lpfc: Replace hbalock with ndlp lock in + lpfc_nvme_unregister_port() + +From: Justin Tee + +[ Upstream commit d11272be497e48a8e8f980470eb6b70e92eed0ce ] + +The ndlp object update in lpfc_nvme_unregister_port() should be protected +by the ndlp lock rather than hbalock. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240305200503.57317-6-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nvme.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index 152245f7cacc7..7e9e0d969256a 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -2621,9 +2621,9 @@ lpfc_nvme_unregister_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + /* No concern about the role change on the nvme remoteport. + * The transport will update it. + */ +- spin_lock_irq(&vport->phba->hbalock); ++ spin_lock_irq(&ndlp->lock); + ndlp->fc4_xpt_flags |= NVME_XPT_UNREG_WAIT; +- spin_unlock_irq(&vport->phba->hbalock); ++ spin_unlock_irq(&ndlp->lock); + + /* Don't let the host nvme transport keep sending keep-alives + * on this remoteport. Vport is unloading, no recovery. The +-- +2.43.0 + diff --git a/queue-6.1/scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch b/queue-6.1/scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch new file mode 100644 index 00000000000..41a9e6fe640 --- /dev/null +++ b/queue-6.1/scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch @@ -0,0 +1,92 @@ +From 946e527f2aa24e75f891da0488058213f484618b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Mar 2024 12:04:55 -0800 +Subject: scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic + +From: Justin Tee + +[ Upstream commit bb011631435c705cdeddca68d5c85fd40a4320f9 ] + +Typically when an out of resource CQE status is detected, the +lpfc_ramp_down_queue_handler() logic is called to help reduce I/O load by +reducing an sdev's queue_depth. + +However, the current lpfc_rampdown_queue_depth() logic does not help reduce +queue_depth. num_cmd_success is never updated and is always zero, which +means new_queue_depth will always be set to sdev->queue_depth. So, +new_queue_depth = sdev->queue_depth - new_queue_depth always sets +new_queue_depth to zero. And, scsi_change_queue_depth(sdev, 0) is +essentially a no-op. + +Change the lpfc_ramp_down_queue_handler() logic to set new_queue_depth +equal to sdev->queue_depth subtracted from number of times num_rsrc_err was +incremented. If num_rsrc_err is >= sdev->queue_depth, then set +new_queue_depth equal to 1. Eventually, the frequency of Good_Status +frames will signal SCSI upper layer to auto increase the queue_depth back +to the driver default of 64 via scsi_handle_queue_ramp_up(). + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20240305200503.57317-5-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc.h | 1 - + drivers/scsi/lpfc/lpfc_scsi.c | 13 ++++--------- + 2 files changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index dc5ac3cc70f6d..6f08fbe103cb9 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -1355,7 +1355,6 @@ struct lpfc_hba { + struct timer_list fabric_block_timer; + unsigned long bit_flags; + atomic_t num_rsrc_err; +- atomic_t num_cmd_success; + unsigned long last_rsrc_error_time; + unsigned long last_ramp_down_time; + #ifdef CONFIG_SCSI_LPFC_DEBUG_FS +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 0bb7e164b525f..2a81a42de5c14 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -167,11 +167,10 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) + struct Scsi_Host *shost; + struct scsi_device *sdev; + unsigned long new_queue_depth; +- unsigned long num_rsrc_err, num_cmd_success; ++ unsigned long num_rsrc_err; + int i; + + num_rsrc_err = atomic_read(&phba->num_rsrc_err); +- num_cmd_success = atomic_read(&phba->num_cmd_success); + + /* + * The error and success command counters are global per +@@ -186,20 +185,16 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba) + for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) { + shost = lpfc_shost_from_vport(vports[i]); + shost_for_each_device(sdev, shost) { +- new_queue_depth = +- sdev->queue_depth * num_rsrc_err / +- (num_rsrc_err + num_cmd_success); +- if (!new_queue_depth) +- new_queue_depth = sdev->queue_depth - 1; ++ if (num_rsrc_err >= sdev->queue_depth) ++ new_queue_depth = 1; + else + new_queue_depth = sdev->queue_depth - +- new_queue_depth; ++ num_rsrc_err; + scsi_change_queue_depth(sdev, new_queue_depth); + } + } + lpfc_destroy_vport_work_array(phba, vports); + atomic_set(&phba->num_rsrc_err, 0); +- atomic_set(&phba->num_cmd_success, 0); + } + + /** +-- +2.43.0 + diff --git a/queue-6.1/scsi-mpi3mr-avoid-memcpy-field-spanning-write-warnin.patch b/queue-6.1/scsi-mpi3mr-avoid-memcpy-field-spanning-write-warnin.patch new file mode 100644 index 00000000000..20e40930523 --- /dev/null +++ b/queue-6.1/scsi-mpi3mr-avoid-memcpy-field-spanning-write-warnin.patch @@ -0,0 +1,62 @@ +From 2415ec7af7c85b4e292bb3fded428d5d265b3cce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Mar 2024 17:41:55 +0900 +Subject: scsi: mpi3mr: Avoid memcpy field-spanning write WARNING + +From: Shin'ichiro Kawasaki + +[ Upstream commit 429846b4b6ce9853e0d803a2357bb2e55083adf0 ] + +When the "storcli2 show" command is executed for eHBA-9600, mpi3mr driver +prints this WARNING message: + + memcpy: detected field-spanning write (size 128) of single field "bsg_reply_buf->reply_buf" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1) + WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr] + +The cause of the WARN is 128 bytes memcpy to the 1 byte size array "__u8 +replay_buf[1]" in the struct mpi3mr_bsg_in_reply_buf. The array is intended +to be a flexible length array, so the WARN is a false positive. + +To suppress the WARN, remove the constant number '1' from the array +declaration and clarify that it has flexible length. Also, adjust the +memory allocation size to match the change. + +Suggested-by: Sathya Prakash Veerichetty +Signed-off-by: Shin'ichiro Kawasaki +Link: https://lore.kernel.org/r/20240323084155.166835-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpi3mr/mpi3mr_app.c | 2 +- + include/uapi/scsi/scsi_bsg_mpi3mr.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c +index 8c662d08706f1..42600e5c457a1 100644 +--- a/drivers/scsi/mpi3mr/mpi3mr_app.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_app.c +@@ -1344,7 +1344,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job, unsigned int *reply + if ((mpirep_offset != 0xFF) && + drv_bufs[mpirep_offset].bsg_buf_len) { + drv_buf_iter = &drv_bufs[mpirep_offset]; +- drv_buf_iter->kern_buf_len = (sizeof(*bsg_reply_buf) - 1 + ++ drv_buf_iter->kern_buf_len = (sizeof(*bsg_reply_buf) + + mrioc->reply_sz); + bsg_reply_buf = kzalloc(drv_buf_iter->kern_buf_len, GFP_KERNEL); + +diff --git a/include/uapi/scsi/scsi_bsg_mpi3mr.h b/include/uapi/scsi/scsi_bsg_mpi3mr.h +index fdc3517f9e199..c48c5d08c0fa0 100644 +--- a/include/uapi/scsi/scsi_bsg_mpi3mr.h ++++ b/include/uapi/scsi/scsi_bsg_mpi3mr.h +@@ -382,7 +382,7 @@ struct mpi3mr_bsg_in_reply_buf { + __u8 mpi_reply_type; + __u8 rsvd1; + __u16 rsvd2; +- __u8 reply_buf[1]; ++ __u8 reply_buf[]; + }; + + /** +-- +2.43.0 + diff --git a/queue-6.1/scsi-target-fix-selinux-error-when-systemd-modules-l.patch b/queue-6.1/scsi-target-fix-selinux-error-when-systemd-modules-l.patch new file mode 100644 index 00000000000..d5e4108eb91 --- /dev/null +++ b/queue-6.1/scsi-target-fix-selinux-error-when-systemd-modules-l.patch @@ -0,0 +1,68 @@ +From c5022ab4a0a704cedc3ba29819312181a49db4b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Feb 2024 15:39:43 +0100 +Subject: scsi: target: Fix SELinux error when systemd-modules loads the target + module + +From: Maurizio Lombardi + +[ Upstream commit 97a54ef596c3fd24ec2b227ba8aaf2cf5415e779 ] + +If the systemd-modules service loads the target module, the credentials of +that userspace process will be used to validate the access to the target db +directory. SELinux will prevent it, reporting an error like the following: + +kernel: audit: type=1400 audit(1676301082.205:4): avc: denied { read } +for pid=1020 comm="systemd-modules" name="target" dev="dm-3" +ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0 +tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0 + +Fix the error by using the kernel credentials to access the db directory + +Signed-off-by: Maurizio Lombardi +Link: https://lore.kernel.org/r/20240215143944.847184-2-mlombard@redhat.com +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_configfs.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c +index 416514c5c7acd..1a26dd0d56662 100644 +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -3587,6 +3587,8 @@ static int __init target_core_init_configfs(void) + { + struct configfs_subsystem *subsys = &target_core_fabrics; + struct t10_alua_lu_gp *lu_gp; ++ struct cred *kern_cred; ++ const struct cred *old_cred; + int ret; + + pr_debug("TARGET_CORE[0]: Loading Generic Kernel Storage" +@@ -3663,11 +3665,21 @@ static int __init target_core_init_configfs(void) + if (ret < 0) + goto out; + ++ /* We use the kernel credentials to access the target directory */ ++ kern_cred = prepare_kernel_cred(&init_task); ++ if (!kern_cred) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ old_cred = override_creds(kern_cred); + target_init_dbroot(); ++ revert_creds(old_cred); ++ put_cred(kern_cred); + + return 0; + + out: ++ target_xcopy_release_pt(); + configfs_unregister_subsystem(subsys); + core_dev_release_virtual_lun0(); + rd_module_exit(); +-- +2.43.0 + diff --git a/queue-6.1/scsi-ufs-core-wlun-suspend-dev-link-state-error-reco.patch b/queue-6.1/scsi-ufs-core-wlun-suspend-dev-link-state-error-reco.patch new file mode 100644 index 00000000000..1f582f3d57f --- /dev/null +++ b/queue-6.1/scsi-ufs-core-wlun-suspend-dev-link-state-error-reco.patch @@ -0,0 +1,45 @@ +From 84b2286de0100842090a67d6bdaa7d7b095bfcc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Mar 2024 09:50:36 +0800 +Subject: scsi: ufs: core: WLUN suspend dev/link state error recovery + +From: Peter Wang + +[ Upstream commit 6bc5e70b1c792b31b497e48b4668a9a2909aca0d ] + +When wl suspend error occurs, for example BKOP or SSU timeout, the host +triggers an error handler and returns -EBUSY to break the wl suspend +process. However, it is possible for the runtime PM to enter wl suspend +again before the error handler has finished, and return -EINVAL because the +device is in an error state. To address this, ensure that the rumtime PM +waits for the error handler to finish, or trigger the error handler in such +cases, because returning -EINVAL can cause the I/O to hang. + +Signed-off-by: Peter Wang +Link: https://lore.kernel.org/r/20240329015036.15707-1-peter.wang@mediatek.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index f3c25467e571f..948449a13247c 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -9044,7 +9044,10 @@ static int __ufshcd_wl_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op) + + /* UFS device & link must be active before we enter in this function */ + if (!ufshcd_is_ufs_dev_active(hba) || !ufshcd_is_link_active(hba)) { +- ret = -EINVAL; ++ /* Wait err handler finish or trigger err recovery */ ++ if (!ufshcd_eh_in_progress(hba)) ++ ufshcd_force_error_recovery(hba); ++ ret = -EBUSY; + goto enable_scaling; + } + +-- +2.43.0 + diff --git a/queue-6.1/selftests-timers-fix-valid-adjtimex-signed-left-shif.patch b/queue-6.1/selftests-timers-fix-valid-adjtimex-signed-left-shif.patch new file mode 100644 index 00000000000..1b8ca2878cb --- /dev/null +++ b/queue-6.1/selftests-timers-fix-valid-adjtimex-signed-left-shif.patch @@ -0,0 +1,139 @@ +From 31117ba80d40fc95c9c06d12f78d3be2453b0d30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2024 13:22:12 -0700 +Subject: selftests: timers: Fix valid-adjtimex signed left-shift undefined + behavior + +From: John Stultz + +[ Upstream commit 076361362122a6d8a4c45f172ced5576b2d4a50d ] + +The struct adjtimex freq field takes a signed value who's units are in +shifted (<<16) parts-per-million. + +Unfortunately for negative adjustments, the straightforward use of: + + freq = ppm << 16 trips undefined behavior warnings with clang: + +valid-adjtimex.c:66:6: warning: shifting a negative signed value is undefined [-Wshift-negative-value] + -499<<16, + ~~~~^ +valid-adjtimex.c:67:6: warning: shifting a negative signed value is undefined [-Wshift-negative-value] + -450<<16, + ~~~~^ +.. + +Fix it by using a multiply by (1 << 16) instead of shifting negative values +in the valid-adjtimex test case. Align the values for better readability. + +Reported-by: Lee Jones +Reported-by: Muhammad Usama Anjum +Signed-off-by: John Stultz +Signed-off-by: Thomas Gleixner +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/r/20240409202222.2830476-1-jstultz@google.com +Link: https://lore.kernel.org/lkml/0c6d4f0d-2064-4444-986b-1d1ed782135f@collabora.com/ +Signed-off-by: Sasha Levin +--- + .../testing/selftests/timers/valid-adjtimex.c | 73 +++++++++---------- + 1 file changed, 36 insertions(+), 37 deletions(-) + +diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c +index 48b9a803235a8..d13ebde203221 100644 +--- a/tools/testing/selftests/timers/valid-adjtimex.c ++++ b/tools/testing/selftests/timers/valid-adjtimex.c +@@ -21,9 +21,6 @@ + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ +- +- +- + #include + #include + #include +@@ -62,45 +59,47 @@ int clear_time_state(void) + #define NUM_FREQ_OUTOFRANGE 4 + #define NUM_FREQ_INVALID 2 + ++#define SHIFTED_PPM (1 << 16) ++ + long valid_freq[NUM_FREQ_VALID] = { +- -499<<16, +- -450<<16, +- -400<<16, +- -350<<16, +- -300<<16, +- -250<<16, +- -200<<16, +- -150<<16, +- -100<<16, +- -75<<16, +- -50<<16, +- -25<<16, +- -10<<16, +- -5<<16, +- -1<<16, ++ -499 * SHIFTED_PPM, ++ -450 * SHIFTED_PPM, ++ -400 * SHIFTED_PPM, ++ -350 * SHIFTED_PPM, ++ -300 * SHIFTED_PPM, ++ -250 * SHIFTED_PPM, ++ -200 * SHIFTED_PPM, ++ -150 * SHIFTED_PPM, ++ -100 * SHIFTED_PPM, ++ -75 * SHIFTED_PPM, ++ -50 * SHIFTED_PPM, ++ -25 * SHIFTED_PPM, ++ -10 * SHIFTED_PPM, ++ -5 * SHIFTED_PPM, ++ -1 * SHIFTED_PPM, + -1000, +- 1<<16, +- 5<<16, +- 10<<16, +- 25<<16, +- 50<<16, +- 75<<16, +- 100<<16, +- 150<<16, +- 200<<16, +- 250<<16, +- 300<<16, +- 350<<16, +- 400<<16, +- 450<<16, +- 499<<16, ++ 1 * SHIFTED_PPM, ++ 5 * SHIFTED_PPM, ++ 10 * SHIFTED_PPM, ++ 25 * SHIFTED_PPM, ++ 50 * SHIFTED_PPM, ++ 75 * SHIFTED_PPM, ++ 100 * SHIFTED_PPM, ++ 150 * SHIFTED_PPM, ++ 200 * SHIFTED_PPM, ++ 250 * SHIFTED_PPM, ++ 300 * SHIFTED_PPM, ++ 350 * SHIFTED_PPM, ++ 400 * SHIFTED_PPM, ++ 450 * SHIFTED_PPM, ++ 499 * SHIFTED_PPM, + }; + + long outofrange_freq[NUM_FREQ_OUTOFRANGE] = { +- -1000<<16, +- -550<<16, +- 550<<16, +- 1000<<16, ++ -1000 * SHIFTED_PPM, ++ -550 * SHIFTED_PPM, ++ 550 * SHIFTED_PPM, ++ 1000 * SHIFTED_PPM, + }; + + #define LONG_MAX (~0UL>>1) +-- +2.43.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 9fe4e5b045f..0866ed22bc7 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -91,3 +91,56 @@ powerpc-pseries-make-max-polling-consistent-for-long.patch powerpc-pseries-iommu-lpar-panics-during-boot-up-wit.patch kvm-arm64-vgic-v2-use-cpuid-from-userspace-as-vcpu_i.patch kvm-arm64-vgic-v2-check-for-non-null-vcpu-in-vgic_v2.patch +usb-typec-ucsi-limit-read-size-on-v1.2.patch +x86-xen-attempt-to-inflate-the-memory-balloon-on-pvh.patch +scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch +scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch +scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch +scsi-lpfc-release-hbalock-before-calling-lpfc_worker.patch +gfs2-fix-invalid-metadata-access-in-punch_hole.patch +wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch +wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch +net-mark-racy-access-on-sk-sk_rcvbuf.patch +scsi-mpi3mr-avoid-memcpy-field-spanning-write-warnin.patch +scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch +btrfs-return-accurate-error-code-on-open-failure-in-.patch +bpf-check-bloom-filter-map-value-size.patch +kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch +scsi-ufs-core-wlun-suspend-dev-link-state-error-reco.patch +alsa-line6-zero-initialize-message-buffers.patch +block-fix-overflow-in-blk_ioctl_discard.patch +net-bcmgenet-reset-rbuf-on-first-open.patch +ata-sata_gemini-check-clk_enable-result.patch +firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch +tools-power-turbostat-fix-added-raw-msr-output.patch +tools-power-turbostat-increase-the-limit-for-fd-open.patch +tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch +btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch +btrfs-always-clear-pertrans-metadata-during-commit.patch +memblock-tests-fix-undefined-reference-to-early_pfn_.patch +memblock-tests-fix-undefined-reference-to-panic.patch +memblock-tests-fix-undefined-reference-to-bit.patch +scsi-target-fix-selinux-error-when-systemd-modules-l.patch +blk-iocost-avoid-out-of-bounds-shift.patch +gpu-host1x-do-not-setup-dma-for-virtual-devices.patch +mips-scall-save-thread_info.syscall-unconditionally-.patch +tools-power-turbostat-fix-uncore-frequency-file-stri.patch +drm-amdgpu-refine-ib-schedule-error-logging.patch +selftests-timers-fix-valid-adjtimex-signed-left-shif.patch +drivers-hv-vmbus-track-decrypted-status-in-vmbus_gpa.patch +uio_hv_generic-don-t-free-decrypted-memory.patch +drivers-hv-vmbus-don-t-free-ring-buffers-that-couldn.patch +iommu-mtk-fix-module-autoloading.patch +fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch +fs-9p-translate-o_trunc-into-otrunc.patch +9p-explicitly-deny-setlease-attempts.patch +gpio-wcove-use-enotsupp-consistently.patch +gpio-crystalcove-use-enotsupp-consistently.patch +clk-don-t-hold-prepare_lock-when-calling-kref_put.patch +fs-9p-drop-inodes-immediately-on-non-.l-too.patch +drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch +net-usb-qmi_wwan-support-rolling-modules.patch +kbuild-rust-avoid-creating-temporary-files.patch +spi-merge-spi_controller.-slave-target-_abort.patch +perf-unwind-libunwind-fix-base-address-for-.eh_frame.patch +perf-unwind-libdw-handle-jit-generated-dsos-properly.patch diff --git a/queue-6.1/spi-merge-spi_controller.-slave-target-_abort.patch b/queue-6.1/spi-merge-spi_controller.-slave-target-_abort.patch new file mode 100644 index 00000000000..5c80e2094c9 --- /dev/null +++ b/queue-6.1/spi-merge-spi_controller.-slave-target-_abort.patch @@ -0,0 +1,47 @@ +From 361b669971bbb8d69f8ba7fc91ef751e6d94c65d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:01:27 +0100 +Subject: spi: Merge spi_controller.{slave,target}_abort() + +From: Geert Uytterhoeven + +[ Upstream commit 6c6871cdaef96361f6b79a3e45d451a6475df4d6 ] + +Mixing SPI slave/target handlers and SPI slave/target controllers using +legacy and modern naming does not work well: there are now two different +callbacks for aborting a slave/target operation, of which only one is +populated, while spi_{slave,target}_abort() check and use only one, +which may be the unpopulated one. + +Fix this by merging the slave/target abort callbacks into a single +callback using a union, like is already done for the slave/target flags. + +Fixes: b8d3b056a78dcc94 ("spi: introduce new helpers with using modern naming") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/809c82d54b85dd87ef7ee69fc93016085be85cec.1667555967.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/linux/spi/spi.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h +index 6edf8a2962d4a..0ce659d6fcb75 100644 +--- a/include/linux/spi/spi.h ++++ b/include/linux/spi/spi.h +@@ -676,8 +676,10 @@ struct spi_controller { + struct spi_message *message); + int (*unprepare_message)(struct spi_controller *ctlr, + struct spi_message *message); +- int (*slave_abort)(struct spi_controller *ctlr); +- int (*target_abort)(struct spi_controller *ctlr); ++ union { ++ int (*slave_abort)(struct spi_controller *ctlr); ++ int (*target_abort)(struct spi_controller *ctlr); ++ }; + + /* + * These hooks are for drivers that use a generic implementation +-- +2.43.0 + diff --git a/queue-6.1/tools-power-turbostat-fix-added-raw-msr-output.patch b/queue-6.1/tools-power-turbostat-fix-added-raw-msr-output.patch new file mode 100644 index 00000000000..d8cd8c5bb5b --- /dev/null +++ b/queue-6.1/tools-power-turbostat-fix-added-raw-msr-output.patch @@ -0,0 +1,87 @@ +From 15e54bc38e020781d7c429923d946e8d843551d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Apr 2023 14:11:38 -0700 +Subject: tools/power turbostat: Fix added raw MSR output + +From: Doug Smythies + +[ Upstream commit e5f4e68eed85fa8495d78cd966eecc2b27bb9e53 ] + +When using --Summary mode, added MSRs in raw mode always +print zeros. Print the actual register contents. + +Example, with patch: + +note the added column: +--add msr0x64f,u32,package,raw,REASON + +Where: + +0x64F is MSR_CORE_PERF_LIMIT_REASONS + +Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON +0.00 4800 35 1.42 0.76 0x00000000 +0.00 4801 34 1.42 0.76 0x00000000 +80.08 4531 66 108.17 107.52 0x08000000 +98.69 4530 66 133.21 132.54 0x08000000 +99.28 4505 66 128.26 127.60 0x0c000400 +99.65 4486 68 124.91 124.25 0x0c000400 +99.63 4483 68 124.90 124.25 0x0c000400 +79.34 4481 41 99.80 99.13 0x0c000000 +0.00 4801 41 1.40 0.73 0x0c000000 + +Where, for the test processor (i5-10600K): + +PKG Limit #1: 125.000 Watts, 8.000000 sec +MSR bit 26 = log; bit 10 = status + +PKG Limit #2: 136.000 Watts, 0.002441 sec +MSR bit 27 = log; bit 11 = status + +Example, without patch: + +Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON +0.01 4800 35 1.43 0.77 0x00000000 +0.00 4801 35 1.39 0.73 0x00000000 +83.49 4531 66 112.71 112.06 0x00000000 +98.69 4530 68 133.35 132.69 0x00000000 +99.31 4500 67 127.96 127.30 0x00000000 +99.63 4483 69 124.91 124.25 0x00000000 +99.61 4481 69 124.90 124.25 0x00000000 +99.61 4481 71 124.92 124.25 0x00000000 +59.35 4479 42 75.03 74.37 0x00000000 +0.00 4800 42 1.39 0.73 0x00000000 +0.00 4801 42 1.42 0.76 0x00000000 + +c000000 + +[lenb: simplified patch to apply only to package scope] + +Signed-off-by: Doug Smythies +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index b113900d94879..9018e47e0bc26 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -1811,9 +1811,10 @@ int sum_counters(struct thread_data *t, struct core_data *c, struct pkg_data *p) + average.packages.rapl_dram_perf_status += p->rapl_dram_perf_status; + + for (i = 0, mp = sys.pp; mp; i++, mp = mp->next) { +- if (mp->format == FORMAT_RAW) +- continue; +- average.packages.counter[i] += p->counter[i]; ++ if ((mp->format == FORMAT_RAW) && (topo.num_packages == 0)) ++ average.packages.counter[i] = p->counter[i]; ++ else ++ average.packages.counter[i] += p->counter[i]; + } + return 0; + } +-- +2.43.0 + diff --git a/queue-6.1/tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch b/queue-6.1/tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch new file mode 100644 index 00000000000..7c0916c81c5 --- /dev/null +++ b/queue-6.1/tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch @@ -0,0 +1,35 @@ +From da2cd47ce5bf1ccab2ce0d856f089010e3a2407c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 13:46:22 +0800 +Subject: tools/power turbostat: Fix Bzy_MHz documentation typo + +From: Peng Liu + +[ Upstream commit 0b13410b52c4636aacb6964a4253a797c0fa0d16 ] + +The code calculates Bzy_MHz by multiplying TSC_delta * APERF_delta/MPERF_delta +The man page erroneously showed that TSC_delta was divided. + +Signed-off-by: Peng Liu +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.8 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8 +index 3e1a4c4be001a..7112d4732d287 100644 +--- a/tools/power/x86/turbostat/turbostat.8 ++++ b/tools/power/x86/turbostat/turbostat.8 +@@ -370,7 +370,7 @@ below the processor's base frequency. + + Busy% = MPERF_delta/TSC_delta + +-Bzy_MHz = TSC_delta/APERF_delta/MPERF_delta/measurement_interval ++Bzy_MHz = TSC_delta*APERF_delta/MPERF_delta/measurement_interval + + Note that these calculations depend on TSC_delta, so they + are not reliable during intervals when TSC_MHz is not running at the base frequency. +-- +2.43.0 + diff --git a/queue-6.1/tools-power-turbostat-fix-uncore-frequency-file-stri.patch b/queue-6.1/tools-power-turbostat-fix-uncore-frequency-file-stri.patch new file mode 100644 index 00000000000..0e1553b0d02 --- /dev/null +++ b/queue-6.1/tools-power-turbostat-fix-uncore-frequency-file-stri.patch @@ -0,0 +1,53 @@ +From 93a88db3b314526386128f265c15e6dd48af75e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 13:40:29 -0400 +Subject: tools/power/turbostat: Fix uncore frequency file string + +From: Justin Ernst + +[ Upstream commit 60add818ab2543b7e4f2bfeaacf2504743c1eb50 ] + +Running turbostat on a 16 socket HPE Scale-up Compute 3200 (SapphireRapids) fails with: +turbostat: /sys/devices/system/cpu/intel_uncore_frequency/package_010_die_00/current_freq_khz: open failed: No such file or directory + +We observe the sysfs uncore frequency directories named: +... +package_09_die_00/ +package_10_die_00/ +package_11_die_00/ +... +package_15_die_00/ + +The culprit is an incorrect sprintf format string "package_0%d_die_0%d" used +with each instance of reading uncore frequency files. uncore-frequency-common.c +creates the sysfs directory with the format "package_%02d_die_%02d". Once the +package value reaches double digits, the formats diverge. + +Change each instance of "package_0%d_die_0%d" to "package_%02d_die_%02d". + +[lenb: deleted the probe part of this patch, as it was already fixed] + +Signed-off-by: Justin Ernst +Reviewed-by: Thomas Renninger +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index a674500e7e63d..a41bad8e653bb 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -1969,7 +1969,7 @@ unsigned long long get_uncore_mhz(int package, int die) + { + char path[128]; + +- sprintf(path, "/sys/devices/system/cpu/intel_uncore_frequency/package_0%d_die_0%d/current_freq_khz", package, ++ sprintf(path, "/sys/devices/system/cpu/intel_uncore_frequency/package_%02d_die_%02d/current_freq_khz", package, + die); + + return (snapshot_sysfs_counter(path) / 1000); +-- +2.43.0 + diff --git a/queue-6.1/tools-power-turbostat-increase-the-limit-for-fd-open.patch b/queue-6.1/tools-power-turbostat-increase-the-limit-for-fd-open.patch new file mode 100644 index 00000000000..3d67cad40c1 --- /dev/null +++ b/queue-6.1/tools-power-turbostat-increase-the-limit-for-fd-open.patch @@ -0,0 +1,86 @@ +From bf0ccf06509008ab40f6b4e05bd0067431593338 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 05:07:51 +0000 +Subject: tools/power turbostat: Increase the limit for fd opened + +From: Wyes Karny + +[ Upstream commit 3ac1d14d0583a2de75d49a5234d767e2590384dd ] + +When running turbostat, a system with 512 cpus reaches the limit for +maximum number of file descriptors that can be opened. To solve this +problem, the limit is raised to 2^15, which is a large enough number. + +Below data is collected from AMD server systems while running turbostat: + +|-----------+-------------------------------| +| # of cpus | # of opened fds for turbostat | +|-----------+-------------------------------| +| 128 | 260 | +|-----------+-------------------------------| +| 192 | 388 | +|-----------+-------------------------------| +| 512 | 1028 | +|-----------+-------------------------------| + +So, the new max limit would be sufficient up to 2^14 cpus (but this +also depends on how many counters are enabled). + +Reviewed-by: Doug Smythies +Tested-by: Doug Smythies +Signed-off-by: Wyes Karny +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 9018e47e0bc26..a674500e7e63d 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -53,6 +53,8 @@ + #define NAME_BYTES 20 + #define PATH_BYTES 128 + ++#define MAX_NOFILE 0x8000 ++ + enum counter_scope { SCOPE_CPU, SCOPE_CORE, SCOPE_PACKAGE }; + enum counter_type { COUNTER_ITEMS, COUNTER_CYCLES, COUNTER_SECONDS, COUNTER_USEC }; + enum counter_format { FORMAT_RAW, FORMAT_DELTA, FORMAT_PERCENT }; +@@ -6719,6 +6721,22 @@ void cmdline(int argc, char **argv) + } + } + ++void set_rlimit(void) ++{ ++ struct rlimit limit; ++ ++ if (getrlimit(RLIMIT_NOFILE, &limit) < 0) ++ err(1, "Failed to get rlimit"); ++ ++ if (limit.rlim_max < MAX_NOFILE) ++ limit.rlim_max = MAX_NOFILE; ++ if (limit.rlim_cur < MAX_NOFILE) ++ limit.rlim_cur = MAX_NOFILE; ++ ++ if (setrlimit(RLIMIT_NOFILE, &limit) < 0) ++ err(1, "Failed to set rlimit"); ++} ++ + int main(int argc, char **argv) + { + outf = stderr; +@@ -6731,6 +6749,9 @@ int main(int argc, char **argv) + + probe_sysfs(); + ++ if (!getuid()) ++ set_rlimit(); ++ + turbostat_init(); + + msr_sum_record(); +-- +2.43.0 + diff --git a/queue-6.1/uio_hv_generic-don-t-free-decrypted-memory.patch b/queue-6.1/uio_hv_generic-don-t-free-decrypted-memory.patch new file mode 100644 index 00000000000..d9c019ff7a8 --- /dev/null +++ b/queue-6.1/uio_hv_generic-don-t-free-decrypted-memory.patch @@ -0,0 +1,76 @@ +From c7401314177d1f97af83c32ccf303007aab70fcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 09:15:57 -0700 +Subject: uio_hv_generic: Don't free decrypted memory + +From: Rick Edgecombe + +[ Upstream commit 3d788b2fbe6a1a1a9e3db09742b90809d51638b7 ] + +In CoCo VMs it is possible for the untrusted host to cause +set_memory_encrypted() or set_memory_decrypted() to fail such that an +error is returned and the resulting memory is shared. Callers need to +take care to handle these errors to avoid returning decrypted (shared) +memory to the page allocator, which could lead to functional or security +issues. + +The VMBus device UIO driver could free decrypted/shared pages if +set_memory_decrypted() fails. Check the decrypted field in the gpadl +to decide whether to free the memory. + +Signed-off-by: Rick Edgecombe +Signed-off-by: Michael Kelley +Reviewed-by: Kuppuswamy Sathyanarayanan +Acked-by: Kirill A. Shutemov +Link: https://lore.kernel.org/r/20240311161558.1310-5-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20240311161558.1310-5-mhklinux@outlook.com> +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_hv_generic.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c +index c08a6cfd119f2..e5789dfcaff61 100644 +--- a/drivers/uio/uio_hv_generic.c ++++ b/drivers/uio/uio_hv_generic.c +@@ -181,12 +181,14 @@ hv_uio_cleanup(struct hv_device *dev, struct hv_uio_private_data *pdata) + { + if (pdata->send_gpadl.gpadl_handle) { + vmbus_teardown_gpadl(dev->channel, &pdata->send_gpadl); +- vfree(pdata->send_buf); ++ if (!pdata->send_gpadl.decrypted) ++ vfree(pdata->send_buf); + } + + if (pdata->recv_gpadl.gpadl_handle) { + vmbus_teardown_gpadl(dev->channel, &pdata->recv_gpadl); +- vfree(pdata->recv_buf); ++ if (!pdata->recv_gpadl.decrypted) ++ vfree(pdata->recv_buf); + } + } + +@@ -295,7 +297,8 @@ hv_uio_probe(struct hv_device *dev, + ret = vmbus_establish_gpadl(channel, pdata->recv_buf, + RECV_BUFFER_SIZE, &pdata->recv_gpadl); + if (ret) { +- vfree(pdata->recv_buf); ++ if (!pdata->recv_gpadl.decrypted) ++ vfree(pdata->recv_buf); + goto fail_close; + } + +@@ -317,7 +320,8 @@ hv_uio_probe(struct hv_device *dev, + ret = vmbus_establish_gpadl(channel, pdata->send_buf, + SEND_BUFFER_SIZE, &pdata->send_gpadl); + if (ret) { +- vfree(pdata->send_buf); ++ if (!pdata->send_gpadl.decrypted) ++ vfree(pdata->send_buf); + goto fail_close; + } + +-- +2.43.0 + diff --git a/queue-6.1/usb-typec-ucsi-limit-read-size-on-v1.2.patch b/queue-6.1/usb-typec-ucsi-limit-read-size-on-v1.2.patch new file mode 100644 index 00000000000..2d24ecc983c --- /dev/null +++ b/queue-6.1/usb-typec-ucsi-limit-read-size-on-v1.2.patch @@ -0,0 +1,109 @@ +From 9d6d165b5286de45fa1623f8947c98dd50f348da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Feb 2024 14:37:30 -0800 +Subject: usb: typec: ucsi: Limit read size on v1.2 + +From: Abhishek Pandit-Subedi + +[ Upstream commit b3db266fb031fba88c423d4bb8983a73a3db6527 ] + +Between UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was +increased from 16 to 256. In order to avoid overflowing reads for older +systems, add a mechanism to use the read UCSI version to truncate read +sizes on UCSI v1.2. + +Tested-by: Neil Armstrong +Reviewed-by: Prashant Malani +Reviewed-by: Heikki Krogerus +Signed-off-by: Abhishek Pandit-Subedi +Link: https://lore.kernel.org/r/20240209143723.v5.1.Iacf5570a66b82b73ef03daa6557e2fc0db10266a@changeid +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/ucsi/ucsi.c | 26 ++++++++++++++++++++++++-- + drivers/usb/typec/ucsi/ucsi.h | 11 +++++++++++ + 2 files changed, 35 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c +index 98f335cbbcdea..da457cf3cc457 100644 +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -36,6 +36,19 @@ + */ + #define UCSI_SWAP_TIMEOUT_MS 5000 + ++static int ucsi_read_message_in(struct ucsi *ucsi, void *buf, ++ size_t buf_size) ++{ ++ /* ++ * Below UCSI 2.0, MESSAGE_IN was limited to 16 bytes. Truncate the ++ * reads here. ++ */ ++ if (ucsi->version <= UCSI_VERSION_1_2) ++ buf_size = clamp(buf_size, 0, 16); ++ ++ return ucsi->ops->read(ucsi, UCSI_MESSAGE_IN, buf, buf_size); ++} ++ + static int ucsi_acknowledge_command(struct ucsi *ucsi) + { + u64 ctrl; +@@ -72,7 +85,7 @@ static int ucsi_read_error(struct ucsi *ucsi) + if (ret < 0) + return ret; + +- ret = ucsi->ops->read(ucsi, UCSI_MESSAGE_IN, &error, sizeof(error)); ++ ret = ucsi_read_message_in(ucsi, &error, sizeof(error)); + if (ret) + return ret; + +@@ -174,7 +187,7 @@ int ucsi_send_command(struct ucsi *ucsi, u64 command, + length = ret; + + if (data) { +- ret = ucsi->ops->read(ucsi, UCSI_MESSAGE_IN, data, size); ++ ret = ucsi_read_message_in(ucsi, data, size); + if (ret) + goto out; + } +@@ -1441,6 +1454,15 @@ int ucsi_register(struct ucsi *ucsi) + if (!ucsi->version) + return -ENODEV; + ++ /* ++ * Version format is JJ.M.N (JJ = Major version, M = Minor version, ++ * N = sub-minor version). ++ */ ++ dev_dbg(ucsi->dev, "Registered UCSI interface with version %x.%x.%x", ++ UCSI_BCD_GET_MAJOR(ucsi->version), ++ UCSI_BCD_GET_MINOR(ucsi->version), ++ UCSI_BCD_GET_SUBMINOR(ucsi->version)); ++ + queue_delayed_work(system_long_wq, &ucsi->work, 0); + + return 0; +diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h +index dbb10cb310d4c..304939a712bf8 100644 +--- a/drivers/usb/typec/ucsi/ucsi.h ++++ b/drivers/usb/typec/ucsi/ucsi.h +@@ -22,6 +22,17 @@ struct ucsi_altmode; + #define UCSI_CONTROL 8 + #define UCSI_MESSAGE_IN 16 + #define UCSI_MESSAGE_OUT 32 ++#define UCSIv2_MESSAGE_OUT 272 ++ ++/* UCSI versions */ ++#define UCSI_VERSION_1_2 0x0120 ++#define UCSI_VERSION_2_0 0x0200 ++#define UCSI_VERSION_2_1 0x0210 ++#define UCSI_VERSION_3_0 0x0300 ++ ++#define UCSI_BCD_GET_MAJOR(_v_) (((_v_) >> 8) & 0xFF) ++#define UCSI_BCD_GET_MINOR(_v_) (((_v_) >> 4) & 0x0F) ++#define UCSI_BCD_GET_SUBMINOR(_v_) ((_v_) & 0x0F) + + /* Command Status and Connector Change Indication (CCI) bits */ + #define UCSI_CCI_CONNECTOR(_c_) (((_c_) & GENMASK(7, 1)) >> 1) +-- +2.43.0 + diff --git a/queue-6.1/wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch b/queue-6.1/wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch new file mode 100644 index 00000000000..ee81651edc7 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch @@ -0,0 +1,38 @@ +From bd9de2226763d70340a9350016462961885214b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Mar 2024 19:45:19 +0300 +Subject: wifi: cfg80211: fix rdev_dump_mpp() arguments order + +From: Igor Artemiev + +[ Upstream commit ec50f3114e55406a1aad24b7dfaa1c3f4336d8eb ] + +Fix the order of arguments in the TP_ARGS macro +for the rdev_dump_mpp tracepoint event. + +Found by Linux Verification Center (linuxtesting.org). + +Signed-off-by: Igor Artemiev +Link: https://msgid.link/20240311164519.118398-1-Igor.A.Artemiev@mcst.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/trace.h b/net/wireless/trace.h +index a405c3edbc47e..cb5c3224e038a 100644 +--- a/net/wireless/trace.h ++++ b/net/wireless/trace.h +@@ -1018,7 +1018,7 @@ TRACE_EVENT(rdev_get_mpp, + TRACE_EVENT(rdev_dump_mpp, + TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int _idx, + u8 *dst, u8 *mpp), +- TP_ARGS(wiphy, netdev, _idx, mpp, dst), ++ TP_ARGS(wiphy, netdev, _idx, dst, mpp), + TP_STRUCT__entry( + WIPHY_ENTRY + NETDEV_ENTRY +-- +2.43.0 + diff --git a/queue-6.1/wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch b/queue-6.1/wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch new file mode 100644 index 00000000000..6eee4629fe9 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch @@ -0,0 +1,49 @@ +From 86f42beb16ca743dd8ea77c324488c3c8a72514e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 14:23:00 -0700 +Subject: wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc + +From: Jeff Johnson + +[ Upstream commit 774f8841f55d7ac4044c79812691649da203584a ] + +Running kernel-doc on ieee80211_i.h flagged the following: +net/mac80211/ieee80211_i.h:145: warning: expecting prototype for enum ieee80211_corrupt_data_flags. Prototype was for enum ieee80211_bss_corrupt_data_flags instead +net/mac80211/ieee80211_i.h:162: warning: expecting prototype for enum ieee80211_valid_data_flags. Prototype was for enum ieee80211_bss_valid_data_flags instead + +Fix these warnings. + +Signed-off-by: Jeff Johnson +Reviewed-by: Simon Horman +Link: https://msgid.link/20240314-kdoc-ieee80211_i-v1-1-72b91b55b257@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index d5dd2d9e89b48..3e14d5c9aa1b4 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -120,7 +120,7 @@ struct ieee80211_bss { + }; + + /** +- * enum ieee80211_corrupt_data_flags - BSS data corruption flags ++ * enum ieee80211_bss_corrupt_data_flags - BSS data corruption flags + * @IEEE80211_BSS_CORRUPT_BEACON: last beacon frame received was corrupted + * @IEEE80211_BSS_CORRUPT_PROBE_RESP: last probe response received was corrupted + * +@@ -133,7 +133,7 @@ enum ieee80211_bss_corrupt_data_flags { + }; + + /** +- * enum ieee80211_valid_data_flags - BSS valid data flags ++ * enum ieee80211_bss_valid_data_flags - BSS valid data flags + * @IEEE80211_BSS_VALID_WMM: WMM/UAPSD data was gathered from non-corrupt IE + * @IEEE80211_BSS_VALID_RATES: Supported rates were gathered from non-corrupt IE + * @IEEE80211_BSS_VALID_ERP: ERP flag was gathered from non-corrupt IE +-- +2.43.0 + diff --git a/queue-6.1/x86-xen-attempt-to-inflate-the-memory-balloon-on-pvh.patch b/queue-6.1/x86-xen-attempt-to-inflate-the-memory-balloon-on-pvh.patch new file mode 100644 index 00000000000..246e8cea900 --- /dev/null +++ b/queue-6.1/x86-xen-attempt-to-inflate-the-memory-balloon-on-pvh.patch @@ -0,0 +1,325 @@ +From 2b7dac8c8d8bff1282823c9c9f8d424f1c610650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Feb 2024 18:43:41 +0100 +Subject: x86/xen: attempt to inflate the memory balloon on PVH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +[ Upstream commit 38620fc4e8934f1801c7811ef39a041914ac4c1d ] + +When running as PVH or HVM Linux will use holes in the memory map as scratch +space to map grants, foreign domain pages and possibly miscellaneous other +stuff. However the usage of such memory map holes for Xen purposes can be +problematic. The request of holesby Xen happen quite early in the kernel boot +process (grant table setup already uses scratch map space), and it's possible +that by then not all devices have reclaimed their MMIO space. It's not +unlikely for chunks of Xen scratch map space to end up using PCI bridge MMIO +window memory, which (as expected) causes quite a lot of issues in the system. + +At least for PVH dom0 we have the possibility of using regions marked as +UNUSABLE in the e820 memory map. Either if the region is UNUSABLE in the +native memory map, or it has been converted into UNUSABLE in order to hide RAM +regions from dom0, the second stage translation page-tables can populate those +areas without issues. + +PV already has this kind of logic, where the balloon driver is inflated at +boot. Re-use the current logic in order to also inflate it when running as +PVH. onvert UNUSABLE regions up to the ratio specified in EXTRA_MEM_RATIO to +RAM, while reserving them using xen_add_extra_mem() (which is also moved so +it's no longer tied to CONFIG_PV). + +[jgross: fixed build for CONFIG_PVH without CONFIG_XEN_PVH] + +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20240220174341.56131-1-roger.pau@citrix.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/xen/hypervisor.h | 5 ++ + arch/x86/platform/pvh/enlighten.c | 3 ++ + arch/x86/xen/enlighten.c | 32 +++++++++++++ + arch/x86/xen/enlighten_pvh.c | 68 +++++++++++++++++++++++++++ + arch/x86/xen/setup.c | 44 ----------------- + arch/x86/xen/xen-ops.h | 14 ++++++ + drivers/xen/balloon.c | 2 - + 7 files changed, 122 insertions(+), 46 deletions(-) + +diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h +index 16f548a661cf6..b3bfefdb7793a 100644 +--- a/arch/x86/include/asm/xen/hypervisor.h ++++ b/arch/x86/include/asm/xen/hypervisor.h +@@ -59,6 +59,11 @@ void xen_arch_unregister_cpu(int num); + #ifdef CONFIG_PVH + void __init xen_pvh_init(struct boot_params *boot_params); + void __init mem_map_via_hcall(struct boot_params *boot_params_p); ++#ifdef CONFIG_XEN_PVH ++void __init xen_reserve_extra_memory(struct boot_params *bootp); ++#else ++static inline void xen_reserve_extra_memory(struct boot_params *bootp) { } ++#endif + #endif + + #endif /* _ASM_X86_XEN_HYPERVISOR_H */ +diff --git a/arch/x86/platform/pvh/enlighten.c b/arch/x86/platform/pvh/enlighten.c +index ed0442e354344..f15dc1e3ad7dd 100644 +--- a/arch/x86/platform/pvh/enlighten.c ++++ b/arch/x86/platform/pvh/enlighten.c +@@ -74,6 +74,9 @@ static void __init init_pvh_bootparams(bool xen_guest) + } else + xen_raw_printk("Warning: Can fit ISA range into e820\n"); + ++ if (xen_guest) ++ xen_reserve_extra_memory(&pvh_bootparams); ++ + pvh_bootparams.hdr.cmd_line_ptr = + pvh_start_info.cmdline_paddr; + +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 3c61bb98c10e2..a01ca255b0c64 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -350,3 +351,34 @@ void xen_arch_unregister_cpu(int num) + } + EXPORT_SYMBOL(xen_arch_unregister_cpu); + #endif ++ ++/* Amount of extra memory space we add to the e820 ranges */ ++struct xen_memory_region xen_extra_mem[XEN_EXTRA_MEM_MAX_REGIONS] __initdata; ++ ++void __init xen_add_extra_mem(unsigned long start_pfn, unsigned long n_pfns) ++{ ++ unsigned int i; ++ ++ /* ++ * No need to check for zero size, should happen rarely and will only ++ * write a new entry regarded to be unused due to zero size. ++ */ ++ for (i = 0; i < XEN_EXTRA_MEM_MAX_REGIONS; i++) { ++ /* Add new region. */ ++ if (xen_extra_mem[i].n_pfns == 0) { ++ xen_extra_mem[i].start_pfn = start_pfn; ++ xen_extra_mem[i].n_pfns = n_pfns; ++ break; ++ } ++ /* Append to existing region. */ ++ if (xen_extra_mem[i].start_pfn + xen_extra_mem[i].n_pfns == ++ start_pfn) { ++ xen_extra_mem[i].n_pfns += n_pfns; ++ break; ++ } ++ } ++ if (i == XEN_EXTRA_MEM_MAX_REGIONS) ++ printk(KERN_WARNING "Warning: not enough extra memory regions\n"); ++ ++ memblock_reserve(PFN_PHYS(start_pfn), PFN_PHYS(n_pfns)); ++} +diff --git a/arch/x86/xen/enlighten_pvh.c b/arch/x86/xen/enlighten_pvh.c +index ada3868c02c23..c28f073c1df52 100644 +--- a/arch/x86/xen/enlighten_pvh.c ++++ b/arch/x86/xen/enlighten_pvh.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + + #include + +@@ -72,3 +73,70 @@ void __init mem_map_via_hcall(struct boot_params *boot_params_p) + } + boot_params_p->e820_entries = memmap.nr_entries; + } ++ ++/* ++ * Reserve e820 UNUSABLE regions to inflate the memory balloon. ++ * ++ * On PVH dom0 the host memory map is used, RAM regions available to dom0 are ++ * located as the same place as in the native memory map, but since dom0 gets ++ * less memory than the total amount of host RAM the ranges that can't be ++ * populated are converted from RAM -> UNUSABLE. Use such regions (up to the ++ * ratio signaled in EXTRA_MEM_RATIO) in order to inflate the balloon driver at ++ * boot. Doing so prevents the guest (even if just temporary) from using holes ++ * in the memory map in order to map grants or foreign addresses, and ++ * hopefully limits the risk of a clash with a device MMIO region. Ideally the ++ * hypervisor should notify us which memory ranges are suitable for creating ++ * foreign mappings, but that's not yet implemented. ++ */ ++void __init xen_reserve_extra_memory(struct boot_params *bootp) ++{ ++ unsigned int i, ram_pages = 0, extra_pages; ++ ++ for (i = 0; i < bootp->e820_entries; i++) { ++ struct boot_e820_entry *e = &bootp->e820_table[i]; ++ ++ if (e->type != E820_TYPE_RAM) ++ continue; ++ ram_pages += PFN_DOWN(e->addr + e->size) - PFN_UP(e->addr); ++ } ++ ++ /* Max amount of extra memory. */ ++ extra_pages = EXTRA_MEM_RATIO * ram_pages; ++ ++ /* ++ * Convert UNUSABLE ranges to RAM and reserve them for foreign mapping ++ * purposes. ++ */ ++ for (i = 0; i < bootp->e820_entries && extra_pages; i++) { ++ struct boot_e820_entry *e = &bootp->e820_table[i]; ++ unsigned long pages; ++ ++ if (e->type != E820_TYPE_UNUSABLE) ++ continue; ++ ++ pages = min(extra_pages, ++ PFN_DOWN(e->addr + e->size) - PFN_UP(e->addr)); ++ ++ if (pages != (PFN_DOWN(e->addr + e->size) - PFN_UP(e->addr))) { ++ struct boot_e820_entry *next; ++ ++ if (bootp->e820_entries == ++ ARRAY_SIZE(bootp->e820_table)) ++ /* No space left to split - skip region. */ ++ continue; ++ ++ /* Split entry. */ ++ next = e + 1; ++ memmove(next, e, ++ (bootp->e820_entries - i) * sizeof(*e)); ++ bootp->e820_entries++; ++ next->addr = PAGE_ALIGN(e->addr) + PFN_PHYS(pages); ++ e->size = next->addr - e->addr; ++ next->size -= e->size; ++ } ++ e->type = E820_TYPE_RAM; ++ extra_pages -= pages; ++ ++ xen_add_extra_mem(PFN_UP(e->addr), pages); ++ } ++} +diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c +index 8db26f10fb1d9..72ab4a2f029bb 100644 +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -37,9 +37,6 @@ + + #define GB(x) ((uint64_t)(x) * 1024 * 1024 * 1024) + +-/* Amount of extra memory space we add to the e820 ranges */ +-struct xen_memory_region xen_extra_mem[XEN_EXTRA_MEM_MAX_REGIONS] __initdata; +- + /* Number of pages released from the initial allocation. */ + unsigned long xen_released_pages; + +@@ -60,18 +57,6 @@ static struct { + } xen_remap_buf __initdata __aligned(PAGE_SIZE); + static unsigned long xen_remap_mfn __initdata = INVALID_P2M_ENTRY; + +-/* +- * The maximum amount of extra memory compared to the base size. The +- * main scaling factor is the size of struct page. At extreme ratios +- * of base:extra, all the base memory can be filled with page +- * structures for the extra memory, leaving no space for anything +- * else. +- * +- * 10x seems like a reasonable balance between scaling flexibility and +- * leaving a practically usable system. +- */ +-#define EXTRA_MEM_RATIO (10) +- + static bool xen_512gb_limit __initdata = IS_ENABLED(CONFIG_XEN_512GB); + + static void __init xen_parse_512gb(void) +@@ -92,35 +77,6 @@ static void __init xen_parse_512gb(void) + xen_512gb_limit = val; + } + +-static void __init xen_add_extra_mem(unsigned long start_pfn, +- unsigned long n_pfns) +-{ +- int i; +- +- /* +- * No need to check for zero size, should happen rarely and will only +- * write a new entry regarded to be unused due to zero size. +- */ +- for (i = 0; i < XEN_EXTRA_MEM_MAX_REGIONS; i++) { +- /* Add new region. */ +- if (xen_extra_mem[i].n_pfns == 0) { +- xen_extra_mem[i].start_pfn = start_pfn; +- xen_extra_mem[i].n_pfns = n_pfns; +- break; +- } +- /* Append to existing region. */ +- if (xen_extra_mem[i].start_pfn + xen_extra_mem[i].n_pfns == +- start_pfn) { +- xen_extra_mem[i].n_pfns += n_pfns; +- break; +- } +- } +- if (i == XEN_EXTRA_MEM_MAX_REGIONS) +- printk(KERN_WARNING "Warning: not enough extra memory regions\n"); +- +- memblock_reserve(PFN_PHYS(start_pfn), PFN_PHYS(n_pfns)); +-} +- + static void __init xen_del_extra_mem(unsigned long start_pfn, + unsigned long n_pfns) + { +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index b2b2f4315b78d..8c715a4f06c02 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -162,4 +162,18 @@ void xen_hvm_post_suspend(int suspend_cancelled); + static inline void xen_hvm_post_suspend(int suspend_cancelled) {} + #endif + ++/* ++ * The maximum amount of extra memory compared to the base size. The ++ * main scaling factor is the size of struct page. At extreme ratios ++ * of base:extra, all the base memory can be filled with page ++ * structures for the extra memory, leaving no space for anything ++ * else. ++ * ++ * 10x seems like a reasonable balance between scaling flexibility and ++ * leaving a practically usable system. ++ */ ++#define EXTRA_MEM_RATIO (10) ++ ++void xen_add_extra_mem(unsigned long start_pfn, unsigned long n_pfns); ++ + #endif /* XEN_OPS_H */ +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 617a7f4f07a80..4e23b398e2882 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -691,7 +691,6 @@ EXPORT_SYMBOL(xen_free_ballooned_pages); + + static void __init balloon_add_regions(void) + { +-#if defined(CONFIG_XEN_PV) + unsigned long start_pfn, pages; + unsigned long pfn, extra_pfn_end; + unsigned int i; +@@ -715,7 +714,6 @@ static void __init balloon_add_regions(void) + + balloon_stats.total_pages += extra_pfn_end - start_pfn; + } +-#endif + } + + static int __init balloon_init(void) +-- +2.43.0 +