From: Sasha Levin
Date: Mon, 17 Feb 2025 16:47:41 +0000 (-0500)
Subject: Fixes for 6.1
X-Git-Tag: v6.12.15~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa2eb19fc50f0cacc1e31d24b36ab16c1c9be477;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 6.1

Signed-off-by: Sasha Levin
---

diff --git a/queue-6.1/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch b/queue-6.1/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch
new file mode 100644
index 0000000000..c084f14559
--- /dev/null
+++ b/queue-6.1/arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch
@@ -0,0 +1,55 @@
+From 10fafef2f947c16444c6240ee0febe14f64b7370 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Feb 2025 12:44:20 -0500
+Subject: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
+
+From: Radu Rendec
+
+[ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ]
+
+The loop that detects/populates cache information already has a bounds
+check on the array size but does not account for cache levels with
+separate data/instructions cache. Fix this by incrementing the index
+for any populated leaf (instead of any populated level).
+
+Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information")
+
+Signed-off-by: Radu Rendec
+Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/cacheinfo.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c
+index 97c42be71338a..1510f457b6154 100644
+--- a/arch/arm64/kernel/cacheinfo.c
++++ b/arch/arm64/kernel/cacheinfo.c
+@@ -87,16 +87,18 @@ int populate_cache_leaves(unsigned int cpu)
+ unsigned int level, idx;
+ enum cache_type type;
+ struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu);
+- struct cacheinfo *this_leaf = this_cpu_ci->info_list;
++ struct cacheinfo *infos = this_cpu_ci->info_list;
+
+ for (idx = 0, level = 1; level <= this_cpu_ci->num_levels &&
+- idx < this_cpu_ci->num_leaves; idx++, level++) {
++ idx < this_cpu_ci->num_leaves; level++) {
+ type = get_cache_type(level);
+ if (type == CACHE_TYPE_SEPARATE) {
+- ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
+- ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
++ if (idx + 1 >= this_cpu_ci->num_leaves)
++ break;
++ ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level);
++ ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level);
+ } else {
+- ci_leaf_init(this_leaf++, type, level);
++ ci_leaf_init(&infos[idx++], type, level);
+ }
+ }
+ return 0;
+--
+2.39.5
+
diff --git a/queue-6.1/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch b/queue-6.1/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch
new file mode 100644
index 0000000000..9d6f54b993
--- /dev/null
+++ b/queue-6.1/asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch
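Review bot: The new `if (idx + 1 >= this_cpu_ci->num_leaves) break;` in the CACHE_TYPE_SEPARATE branch stops populating silently and the function still returns 0, so a leaf count that is too small for the detected hierarchy leaves the remaining levels unpopulated with no trace. A one-line comment above the check would record the invariant, e.g. `/* a split level needs two free slots in info_list */`, and a `pr_warn_once()` before the `break` would make the mismatch visible. The check itself is consistent with the loop bound on `idx`, so the writes through `infos[idx++]` stay below `num_leaves` on every path shown. The body of populate_cache_leaves() starts and ends outside the hunk.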
@@ -0,0 +1,60 @@ +From 38be1f4ba385cba06618d26529afb014bc9a2b27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 14:25:07 +0100 +Subject: ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet + 5V + +From: Hans de Goede + +[ Upstream commit 6917192378c1ce17ba31df51c4e0d8b1c97a453b ] + +The Vexia EDU ATLA 10 tablet comes in 2 different versions with +significantly different mainboards. The only outward difference is that +the charging barrel on one is marked 5V and the other is marked 9V. + +The 5V version mostly works with the BYTCR defaults, except that it is +missing a CHAN package in its ACPI tables and the default of using +SSP0-AIF2 is wrong, instead SSP0-AIF1 must be used. That and its jack +detect signal is not inverted as it usually is. + +Add a DMI quirk for the 5V version to fix sound not working. + +Signed-off-by: Hans de Goede +Link: https://patch.msgid.link/20250123132507.18434-1-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index e7d20011e2884..67b343632a10d 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -1122,7 +1122,22 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF2 | + BYT_RT5640_MCLK_EN), + }, +- { /* Vexia Edu Atla 10 tablet */ ++ { ++ /* Vexia Edu Atla 10 tablet 5V version */ ++ .matches = { ++ /* Having all 3 of these not set is somewhat unique */ ++ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."), ++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."), ++ /* Above strings are too generic, also match on BIOS date */ ++ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"), ++ }, ++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS | ++ 
BYT_RT5640_JD_NOT_INV | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, ++ { /* Vexia Edu Atla 10 tablet 9V version */ + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"), + DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"), +-- +2.39.5 + diff --git a/queue-6.1/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch b/queue-6.1/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch new file mode 100644 index 0000000000..846d13451c --- /dev/null +++ b/queue-6.1/ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch 
@@ -0,0 +1,94 @@ +From bcecb48c1fd8413492a9b1355f9dc63a39de2f4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2025 12:12:03 +0300 +Subject: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt + +From: Murad Masimov + +[ Upstream commit bca0902e61731a75fc4860c8720168d9f1bae3b6 ] + +If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE +socket option, a refcount leak will occur in ax25_release(). + +Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") +added decrement of device refcounts in ax25_release(). In order for that +to work correctly the refcounts must already be incremented when the +device is bound to the socket. An AX25 device can be bound to a socket +by either calling ax25_bind() or setting SO_BINDTODEVICE socket option. +In both cases the refcounts should be incremented, but in fact it is done +only in ax25_bind(). + +This bug leads to the following issue reported by Syzkaller: + +================================================================ +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 +Modules linked in: +CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 +Call Trace: + + __refcount_dec include/linux/refcount.h:336 [inline] + refcount_dec include/linux/refcount.h:351 [inline] + ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236 + netdev_tracker_free include/linux/netdevice.h:4156 [inline] + netdev_put include/linux/netdevice.h:4173 [inline] + netdev_put include/linux/netdevice.h:4169 [inline] + ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069 + __sock_release+0xb0/0x270 net/socket.c:640 + sock_close+0x1c/0x30 net/socket.c:1408 + ... 
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + ... + +================================================================ + +Fix the implementation of ax25_setsockopt() by adding increment of +refcounts for the new device bound, and decrement of refcounts for +the old unbound device. + +Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") +Reported-by: syzbot+33841dc6aa3e1d86b78a@syzkaller.appspotmail.com +Signed-off-by: Murad Masimov +Link: https://patch.msgid.link/20250203091203.1744-1-m.masimov@mt-integration.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ax25/af_ax25.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 4b96dedcc3c9c..862e03493b7ed 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -685,6 +685,15 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + } + ++ if (ax25->ax25_dev) { ++ if (dev == ax25->ax25_dev->dev) { ++ rcu_read_unlock(); ++ break; ++ } ++ netdev_put(ax25->ax25_dev->dev, &ax25->dev_tracker); ++ ax25_dev_put(ax25->ax25_dev); ++ } ++ + ax25->ax25_dev = ax25_dev_ax25dev(dev); + if (!ax25->ax25_dev) { + rcu_read_unlock(); +@@ -692,6 +701,8 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + } + ax25_fillin_cb(ax25, ax25->ax25_dev); ++ netdev_hold(dev, &ax25->dev_tracker, GFP_ATOMIC); ++ ax25_dev_hold(ax25->ax25_dev); + rcu_read_unlock(); + break; + +-- +2.39.5 + diff --git a/queue-6.1/cgroup-remove-steal-time-from-usage_usec.patch b/queue-6.1/cgroup-remove-steal-time-from-usage_usec.patch new file mode 100644 index 0000000000..b31867768f --- /dev/null +++ b/queue-6.1/cgroup-remove-steal-time-from-usage_usec.patch 
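Review bot: In the SO_BINDTODEVICE branch the old device's references are dropped before `ax25_dev_ax25dev(dev)` is known to succeed, so when the lookup returns NULL the call fails yet the socket has already lost its previous binding. The references on the new device are also taken only after `ax25_fillin_cb()` has used the pointer; taking them right after the NULL check keeps every use after the hold, though whether the current order is actually racy depends on ax25_dev lifetime rules that are not visible in this hunk. Looking the new device up into a local first (declared with the type `ax25_dev_ax25dev()` returns) and switching over only on success addresses both. ax25_setsockopt() starts and ends outside the hunk.

```c
new_dev = ax25_dev_ax25dev(dev);
if (!new_dev) {
	/* … unchanged: unlock, set the error, break; the old binding stays intact … */
}

/* … unchanged, now after the lookup: same-device early exit and release of the old references … */

ax25->ax25_dev = new_dev;
/* Pin the new device before anything reads through the pointer. */
netdev_hold(dev, &ax25->dev_tracker, GFP_ATOMIC);
ax25_dev_hold(new_dev);
ax25_fillin_cb(ax25, new_dev);
```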
@@ -0,0 +1,42 @@
+From 6ac2d44c8ba9d7f6e41897a79f3603fe2e420abe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Feb 2025 14:24:32 +0000
+Subject: cgroup: Remove steal time from usage_usec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Muhammad Adeel
+
+[ Upstream commit db5fd3cf8bf41b84b577b8ad5234ea95f327c9be ]
+
+The CPU usage time is the time when user, system or both are using the CPU.
+Steal time is the time when CPU is waiting to be run by the Hypervisor. It
+should not be added to the CPU usage time, hence removing it from the
+usage_usec entry.
+
+Fixes: 936f2a70f2077 ("cgroup: add cpu.stat file to root cgroup")
+Acked-by: Axel Busch
+Acked-by: Michal Koutný
+Signed-off-by: Muhammad Adeel
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ kernel/cgroup/rstat.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c
+index 7006fc8dd6774..0ae90c15cad85 100644
+--- a/kernel/cgroup/rstat.c
++++ b/kernel/cgroup/rstat.c
+@@ -477,7 +477,6 @@ static void root_cgroup_cputime(struct cgroup_base_stat *bstat)
+
+ cputime->sum_exec_runtime += user;
+ cputime->sum_exec_runtime += sys;
+- cputime->sum_exec_runtime += cpustat[CPUTIME_STEAL];
+
+ #ifdef CONFIG_SCHED_CORE
+ bstat->forceidle_sum += cpustat[CPUTIME_FORCEIDLE];
+--
+2.39.5
+
diff --git a/queue-6.1/drm-i915-selftests-avoid-using-uninitialized-context.patch b/queue-6.1/drm-i915-selftests-avoid-using-uninitialized-context.patch
new file mode 100644
index 0000000000..1a60815ee5
--- /dev/null
+++ b/queue-6.1/drm-i915-selftests-avoid-using-uninitialized-context.patch
@@ -0,0 +1,52 @@ +From f4534a0abc80a70771822d798b8517fda0feb26f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2025 09:19:31 +0000 +Subject: drm/i915/selftests: avoid using uninitialized context + +From: Krzysztof Karas + +[ Upstream commit 53139b3f9998ea07289e7b70b909fea2264a0de9 ] + +There is an error path in igt_ppgtt_alloc(), which leads +to ww object being passed down to i915_gem_ww_ctx_fini() without +initialization. Correct that by only putting ppgtt->vm and +returning early. + +Fixes: 480ae79537b2 ("drm/i915/selftests: Prepare gtt tests for obj->mm.lock removal") +Signed-off-by: Krzysztof Karas +Reviewed-by: Mikolaj Wasiak +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/iuaonpjc3rywmvhna6umjlvzilocn2uqsrxfxfob24e2taocbi@lkaivvfp4777 +(cherry picked from commit 8d8334632ea62424233ac6529712868241d0f8df) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +index e050a2de5fd1d..e25f76b46b0a4 100644 +--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c +@@ -164,7 +164,7 @@ static int igt_ppgtt_alloc(void *arg) + return PTR_ERR(ppgtt); + + if (!ppgtt->vm.allocate_va_range) +- goto err_ppgtt_cleanup; ++ goto ppgtt_vm_put; + + /* + * While we only allocate the page tables here and so we could +@@ -232,7 +232,7 @@ static int igt_ppgtt_alloc(void *arg) + goto retry; + } + i915_gem_ww_ctx_fini(&ww); +- ++ppgtt_vm_put: + i915_vm_put(&ppgtt->vm); + return err; + } +-- +2.39.5 + diff --git a/queue-6.1/fbdev-omap-use-threaded-irq-for-lcd-dma.patch b/queue-6.1/fbdev-omap-use-threaded-irq-for-lcd-dma.patch new file mode 100644 index 0000000000..a5c086230a --- /dev/null 
+++ b/queue-6.1/fbdev-omap-use-threaded-irq-for-lcd-dma.patch 
@@ -0,0 +1,85 @@ +From 36453e2a1856a3217afeadfe66f80810ba778068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 20:19:51 +0200 +Subject: fbdev: omap: use threaded IRQ for LCD DMA + +From: Aaro Koskinen + +[ Upstream commit e4b6b665df815b4841e71b72f06446884e8aad40 ] + +When using touchscreen and framebuffer, Nokia 770 crashes easily with: + + BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000 + Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd + CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2 + Hardware name: Nokia 770 + Call trace: + unwind_backtrace from show_stack+0x10/0x14 + show_stack from dump_stack_lvl+0x54/0x5c + dump_stack_lvl from __schedule_bug+0x50/0x70 + __schedule_bug from __schedule+0x4d4/0x5bc + __schedule from schedule+0x34/0xa0 + schedule from schedule_preempt_disabled+0xc/0x10 + schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4 + __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4 + clk_prepare_lock from clk_set_rate+0x18/0x154 + clk_set_rate from sossi_read_data+0x4c/0x168 + sossi_read_data from hwa742_read_reg+0x5c/0x8c + hwa742_read_reg from send_frame_handler+0xfc/0x300 + send_frame_handler from process_pending_requests+0x74/0xd0 + process_pending_requests from lcd_dma_irq_handler+0x50/0x74 + lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130 + __handle_irq_event_percpu from handle_irq_event+0x28/0x68 + handle_irq_event from handle_level_irq+0x9c/0x170 + handle_level_irq from generic_handle_domain_irq+0x2c/0x3c + generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c + omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c + generic_handle_arch_irq from call_with_stack+0x1c/0x24 + call_with_stack from __irq_svc+0x94/0xa8 + Exception stack(0xc5255da0 to 0xc5255de8) + 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248 + 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 
c5255df0 c22fc620 c0279a94 + 5de0: 60000013 ffffffff + __irq_svc from clk_prepare_lock+0x4c/0xe4 + clk_prepare_lock from clk_get_rate+0x10/0x74 + clk_get_rate from uwire_setup_transfer+0x40/0x180 + uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c + spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664 + spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498 + __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8 + __spi_sync from spi_sync+0x24/0x40 + spi_sync from ads7846_halfd_read_state+0x5c/0x1c0 + ads7846_halfd_read_state from ads7846_irq+0x58/0x348 + ads7846_irq from irq_thread_fn+0x1c/0x78 + irq_thread_fn from irq_thread+0x120/0x228 + irq_thread from kthread+0xc8/0xe8 + kthread from ret_from_fork+0x14/0x28 + +As a quick fix, switch to a threaded IRQ which provides a stable system. + +Signed-off-by: Aaro Koskinen +Reviewed-by: Linus Walleij +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap/lcd_dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/omap/lcd_dma.c b/drivers/video/fbdev/omap/lcd_dma.c +index f85817635a8c2..0da23c57e4757 100644 +--- a/drivers/video/fbdev/omap/lcd_dma.c ++++ b/drivers/video/fbdev/omap/lcd_dma.c +@@ -432,8 +432,8 @@ static int __init omap_init_lcd_dma(void) + + spin_lock_init(&lcd_dma.lock); + +- r = request_irq(INT_DMA_LCD, lcd_dma_irq_handler, 0, +- "LCD DMA", NULL); ++ r = request_threaded_irq(INT_DMA_LCD, NULL, lcd_dma_irq_handler, ++ IRQF_ONESHOT, "LCD DMA", NULL); + if (r != 0) + pr_err("unable to request IRQ for LCD DMA (error %d)\n", r); + +-- +2.39.5 + diff --git a/queue-6.1/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch b/queue-6.1/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch new file mode 100644 index 0000000000..b9bd4d2dc3 --- /dev/null +++ b/queue-6.1/gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch 
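Review bot: `lcd_dma_irq_handler` becomes the thread function of a threaded IRQ in omap_init_lcd_dma(), but nothing at the call site records why or what that implies for the handler's locking. A comment above the call would help, e.g. `/* Threaded: the handler path reaches clk_set_rate(), which takes a mutex and may sleep */`. The handler body is outside the hunk, so it is worth confirming that any state it shares with code running in atomic context is protected with the irqsave lock variants now that the handler itself runs in process context.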
@@ -0,0 +1,40 @@
+From da223d6518314ac04bfa0e0a5d5f8f92df5bd5b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Feb 2025 18:46:02 +0100
+Subject: gpio: bcm-kona: Add missing newline to dev_err format string
+
+From: Artur Weber
+
+[ Upstream commit 615279db222c3ac56d5c93716efd72b843295c1f ]
+
+Add a missing newline to the format string of the "Couldn't get IRQ
+for bank..." error message.
+
+Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver")
+Reviewed-by: Florian Fainelli
+Reviewed-by: Markus Mayer
+Signed-off-by: Artur Weber
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-3-409135eab780@gmail.com
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpio-bcm-kona.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
+index 602021e3e683e..3373e46e3ba0f 100644
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -667,7 +667,7 @@ static int bcm_kona_gpio_probe(struct platform_device *pdev)
+ bank->irq = platform_get_irq(pdev, i);
+ bank->kona_gpio = kona_gpio;
+ if (bank->irq < 0) {
+- dev_err(dev, "Couldn't get IRQ for bank %d", i);
++ dev_err(dev, "Couldn't get IRQ for bank %d\n", i);
+ ret = -ENOENT;
+ goto err_irq_domain;
+ }
+--
+2.39.5
+
diff --git a/queue-6.1/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch b/queue-6.1/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch
new file mode 100644
index 0000000000..b995440290
--- /dev/null
+++ b/queue-6.1/gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch
@@ -0,0 +1,64 @@ +From 02932a451cc9f348c180b965e2782ae8e94b8cd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:00 +0100 +Subject: gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 + +From: Artur Weber + +[ Upstream commit de1d0d160f64ee76df1d364d521b2faf465a091c ] + +The GPIO lock/unlock functions clear/write a bit to the relevant +register for each bank. However, due to an oversight the bit that +was being written was based on the total GPIO number, not the index +of the GPIO within the relevant bank, causing it to fail for any +GPIO above 32 (thus any GPIO for banks above bank 0). + +Fix lock/unlock for these banks by using the correct bit. + +Fixes: bdb93c03c550 ("gpio: bcm281xx: Centralize register locking") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-1-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index 70770429ba483..7e8adc5cc15a0 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -85,11 +85,12 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio, + u32 val; + unsigned long flags; + int bank_id = GPIO_BANK(gpio); ++ int bit = GPIO_BIT(gpio); + + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val |= BIT(gpio); ++ val |= BIT(bit); + bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + + raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); +@@ -101,11 +102,12 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, + u32 val; + unsigned long flags; + int bank_id = GPIO_BANK(gpio); ++ int bit = GPIO_BIT(gpio); + + 
raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val &= ~BIT(gpio); ++ val &= ~BIT(bit); + bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + + raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); +-- +2.39.5 + diff --git a/queue-6.1/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch b/queue-6.1/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch new file mode 100644 index 0000000000..7226c40b66 --- /dev/null +++ b/queue-6.1/gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch 
@@ -0,0 +1,160 @@ +From 1d613320d6922c1def4437b96e8b021018e38965 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 18:46:01 +0100 +Subject: gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ + +From: Artur Weber + +[ Upstream commit 57f5db77a915cc29461a679a6bcae7097967be1a ] + +The settings for all GPIOs are locked by default in bcm_kona_gpio_reset. +The settings for a GPIO are unlocked when requesting it as a GPIO, but +not when requesting it as an interrupt, causing the IRQ settings to not +get applied. + +Fix this by making sure to unlock the right bits when an IRQ is requested. +To avoid a situation where an IRQ being released causes a lock despite +the same GPIO being used by a GPIO request or vice versa, add an unlock +counter and only lock if it reaches 0. + +Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver") +Reviewed-by: Florian Fainelli +Reviewed-by: Markus Mayer +Signed-off-by: Artur Weber +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-2-409135eab780@gmail.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-bcm-kona.c | 67 +++++++++++++++++++++++++++++------- + 1 file changed, 55 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c +index 7e8adc5cc15a0..602021e3e683e 100644 +--- a/drivers/gpio/gpio-bcm-kona.c ++++ b/drivers/gpio/gpio-bcm-kona.c +@@ -68,6 +68,22 @@ struct bcm_kona_gpio { + struct bcm_kona_gpio_bank { + int id; + int irq; ++ /* ++ * Used to keep track of lock/unlock operations for each GPIO in the ++ * bank. ++ * ++ * All GPIOs are locked by default (see bcm_kona_gpio_reset), and the ++ * unlock count for all GPIOs is 0 by default. Each unlock increments ++ * the counter, and each lock decrements the counter. ++ * ++ * The lock function only locks the GPIO once its unlock counter is ++ * down to 0. 
This is necessary because the GPIO is unlocked in two ++ * places in this driver: once for requested GPIOs, and once for ++ * requested IRQs. Since it is possible for a GPIO to be requested ++ * as both a GPIO and an IRQ, we need to ensure that we don't lock it ++ * too early. ++ */ ++ u8 gpio_unlock_count[GPIO_PER_BANK]; + /* Used in the interrupt handler */ + struct bcm_kona_gpio *kona_gpio; + }; +@@ -86,14 +102,23 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio, + unsigned long flags; + int bank_id = GPIO_BANK(gpio); + int bit = GPIO_BIT(gpio); ++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id]; + +- raw_spin_lock_irqsave(&kona_gpio->lock, flags); ++ if (bank->gpio_unlock_count[bit] == 0) { ++ dev_err(kona_gpio->gpio_chip.parent, ++ "Unbalanced locks for GPIO %u\n", gpio); ++ return; ++ } + +- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val |= BIT(bit); +- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ if (--bank->gpio_unlock_count[bit] == 0) { ++ raw_spin_lock_irqsave(&kona_gpio->lock, flags); + +- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); ++ val |= BIT(bit); ++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ ++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ } + } + + static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, +@@ -103,14 +128,19 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio, + unsigned long flags; + int bank_id = GPIO_BANK(gpio); + int bit = GPIO_BIT(gpio); ++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id]; + +- raw_spin_lock_irqsave(&kona_gpio->lock, flags); ++ if (bank->gpio_unlock_count[bit] == 0) { ++ raw_spin_lock_irqsave(&kona_gpio->lock, flags); + +- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); +- val &= ~BIT(bit); +- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); ++ val 
= readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id)); ++ val &= ~BIT(bit); ++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val); + +- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags); ++ } ++ ++ ++bank->gpio_unlock_count[bit]; + } + + static int bcm_kona_gpio_get_dir(struct gpio_chip *chip, unsigned gpio) +@@ -361,6 +391,7 @@ static void bcm_kona_gpio_irq_mask(struct irq_data *d) + + kona_gpio = irq_data_get_irq_chip_data(d); + reg_base = kona_gpio->reg_base; ++ + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(reg_base + GPIO_INT_MASK(bank_id)); +@@ -383,6 +414,7 @@ static void bcm_kona_gpio_irq_unmask(struct irq_data *d) + + kona_gpio = irq_data_get_irq_chip_data(d); + reg_base = kona_gpio->reg_base; ++ + raw_spin_lock_irqsave(&kona_gpio->lock, flags); + + val = readl(reg_base + GPIO_INT_MSKCLR(bank_id)); +@@ -478,15 +510,26 @@ static void bcm_kona_gpio_irq_handler(struct irq_desc *desc) + static int bcm_kona_gpio_irq_reqres(struct irq_data *d) + { + struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d); ++ unsigned int gpio = d->hwirq; ++ ++ /* ++ * We need to unlock the GPIO before any other operations are performed ++ * on the relevant GPIO configuration registers ++ */ ++ bcm_kona_gpio_unlock_gpio(kona_gpio, gpio); + +- return gpiochip_reqres_irq(&kona_gpio->gpio_chip, d->hwirq); ++ return gpiochip_reqres_irq(&kona_gpio->gpio_chip, gpio); + } + + static void bcm_kona_gpio_irq_relres(struct irq_data *d) + { + struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d); ++ unsigned int gpio = d->hwirq; ++ ++ /* Once we no longer use it, lock the GPIO again */ ++ bcm_kona_gpio_lock_gpio(kona_gpio, gpio); + +- gpiochip_relres_irq(&kona_gpio->gpio_chip, d->hwirq); ++ gpiochip_relres_irq(&kona_gpio->gpio_chip, gpio); + } + + static struct irq_chip bcm_gpio_irq_chip = { +-- +2.39.5 + 
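Review bot: `gpio_unlock_count[bit]` is tested and modified outside `kona_gpio->lock` in both bcm_kona_gpio_lock_gpio() and bcm_kona_gpio_unlock_gpio(), so if a GPIO request and an IRQ request for the same line are not serialised elsewhere they can both observe 0, or lose an update, and leave the counter out of step with the hardware lock bit. Moving `raw_spin_lock_irqsave(&kona_gpio->lock, flags);` above the counter test, and the matching unlock below the counter update, makes the check-and-modify atomic. Separately, bcm_kona_gpio_irq_reqres() unlocks the GPIO and then returns `gpiochip_reqres_irq()` directly; if that call fails the count stays incremented and the line stays unlocked, so the error path should call `bcm_kona_gpio_lock_gpio(kona_gpio, gpio)` before returning. The `u8` counter also has no upper bound check before `++bank->gpio_unlock_count[bit]`.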
diff --git a/queue-6.1/grab-mm-lock-before-grabbing-pt-lock.patch b/queue-6.1/grab-mm-lock-before-grabbing-pt-lock.patch new file mode 100644 index 0000000000..93fc2ff629 --- /dev/null +++ b/queue-6.1/grab-mm-lock-before-grabbing-pt-lock.patch 
@@ -0,0 +1,156 @@ +From 489d87004a3451fbf0c388776a09d281fbfe4441 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 11:35:15 +0100 +Subject: Grab mm lock before grabbing pt lock + +From: Maksym Planeta + +[ Upstream commit 6d002348789bc16e9203e9818b7a3688787e3b29 ] + +Function xen_pin_page calls xen_pte_lock, which in turn grab page +table lock (ptlock). When locking, xen_pte_lock expect mm->page_table_lock +to be held before grabbing ptlock, but this does not happen when pinning +is caused by xen_mm_pin_all. + +This commit addresses lockdep warning below, which shows up when +suspending a Xen VM. + +[ 3680.658422] Freezing user space processes +[ 3680.660156] Freezing user space processes completed (elapsed 0.001 seconds) +[ 3680.660182] OOM killer disabled. +[ 3680.660192] Freezing remaining freezable tasks +[ 3680.661485] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) +[ 3680.685254] +[ 3680.685265] ================================== +[ 3680.685269] WARNING: Nested lock was not taken +[ 3680.685274] 6.12.0+ #16 Tainted: G W +[ 3680.685279] ---------------------------------- +[ 3680.685283] migration/0/19 is trying to lock: +[ 3680.685288] ffff88800bac33c0 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: xen_pin_page+0x175/0x1d0 +[ 3680.685303] +[ 3680.685303] but this task is not holding: +[ 3680.685308] init_mm.page_table_lock +[ 3680.685311] +[ 3680.685311] stack backtrace: +[ 3680.685316] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16 +[ 3680.685324] Tainted: [W]=WARN +[ 3680.685328] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0 +[ 3680.685339] Call Trace: +[ 3680.685344] +[ 3680.685347] dump_stack_lvl+0x77/0xb0 +[ 3680.685356] __lock_acquire+0x917/0x2310 +[ 3680.685364] lock_acquire+0xce/0x2c0 +[ 3680.685369] ? xen_pin_page+0x175/0x1d0 +[ 3680.685373] _raw_spin_lock_nest_lock+0x2f/0x70 +[ 3680.685381] ? xen_pin_page+0x175/0x1d0 +[ 3680.685386] xen_pin_page+0x175/0x1d0 +[ 3680.685390] ? 
__pfx_xen_pin_page+0x10/0x10 +[ 3680.685394] __xen_pgd_walk+0x233/0x2c0 +[ 3680.685401] ? stop_one_cpu+0x91/0x100 +[ 3680.685405] __xen_pgd_pin+0x5d/0x250 +[ 3680.685410] xen_mm_pin_all+0x70/0xa0 +[ 3680.685415] xen_pv_pre_suspend+0xf/0x280 +[ 3680.685420] xen_suspend+0x57/0x1a0 +[ 3680.685428] multi_cpu_stop+0x6b/0x120 +[ 3680.685432] ? update_cpumasks_hier+0x7c/0xa60 +[ 3680.685439] ? __pfx_multi_cpu_stop+0x10/0x10 +[ 3680.685443] cpu_stopper_thread+0x8c/0x140 +[ 3680.685448] ? smpboot_thread_fn+0x20/0x1f0 +[ 3680.685454] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 3680.685458] smpboot_thread_fn+0xed/0x1f0 +[ 3680.685462] kthread+0xde/0x110 +[ 3680.685467] ? __pfx_kthread+0x10/0x10 +[ 3680.685471] ret_from_fork+0x2f/0x50 +[ 3680.685478] ? __pfx_kthread+0x10/0x10 +[ 3680.685482] ret_from_fork_asm+0x1a/0x30 +[ 3680.685489] +[ 3680.685491] +[ 3680.685491] other info that might help us debug this: +[ 3680.685497] 1 lock held by migration/0/19: +[ 3680.685500] #0: ffffffff8284df38 (pgd_lock){+.+.}-{3:3}, at: xen_mm_pin_all+0x14/0xa0 +[ 3680.685512] +[ 3680.685512] stack backtrace: +[ 3680.685518] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16 +[ 3680.685528] Tainted: [W]=WARN +[ 3680.685531] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0 +[ 3680.685538] Call Trace: +[ 3680.685541] +[ 3680.685544] dump_stack_lvl+0x77/0xb0 +[ 3680.685549] __lock_acquire+0x93c/0x2310 +[ 3680.685554] lock_acquire+0xce/0x2c0 +[ 3680.685558] ? xen_pin_page+0x175/0x1d0 +[ 3680.685562] _raw_spin_lock_nest_lock+0x2f/0x70 +[ 3680.685568] ? xen_pin_page+0x175/0x1d0 +[ 3680.685572] xen_pin_page+0x175/0x1d0 +[ 3680.685578] ? __pfx_xen_pin_page+0x10/0x10 +[ 3680.685582] __xen_pgd_walk+0x233/0x2c0 +[ 3680.685588] ? stop_one_cpu+0x91/0x100 +[ 3680.685592] __xen_pgd_pin+0x5d/0x250 +[ 3680.685596] xen_mm_pin_all+0x70/0xa0 +[ 3680.685600] xen_pv_pre_suspend+0xf/0x280 +[ 3680.685607] xen_suspend+0x57/0x1a0 +[ 3680.685611] multi_cpu_stop+0x6b/0x120 +[ 3680.685615] ? 
update_cpumasks_hier+0x7c/0xa60 +[ 3680.685620] ? __pfx_multi_cpu_stop+0x10/0x10 +[ 3680.685625] cpu_stopper_thread+0x8c/0x140 +[ 3680.685629] ? smpboot_thread_fn+0x20/0x1f0 +[ 3680.685634] ? __pfx_smpboot_thread_fn+0x10/0x10 +[ 3680.685638] smpboot_thread_fn+0xed/0x1f0 +[ 3680.685642] kthread+0xde/0x110 +[ 3680.685645] ? __pfx_kthread+0x10/0x10 +[ 3680.685649] ret_from_fork+0x2f/0x50 +[ 3680.685654] ? __pfx_kthread+0x10/0x10 +[ 3680.685657] ret_from_fork_asm+0x1a/0x30 +[ 3680.685662] +[ 3680.685267] xen:grant_table: Grant tables using version 1 layout +[ 3680.685921] OOM killer enabled. +[ 3680.685934] Restarting tasks ... done. + +Signed-off-by: Maksym Planeta +Reviewed-by: Juergen Gross +Message-ID: <20241204103516.3309112-1-maksym@exostellar.io> +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index 6abce0816ca39..7dabdb9995659 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -811,6 +811,7 @@ void xen_mm_pin_all(void) + { + struct page *page; + ++ spin_lock(&init_mm.page_table_lock); + spin_lock(&pgd_lock); + + list_for_each_entry(page, &pgd_list, lru) { +@@ -821,6 +822,7 @@ void xen_mm_pin_all(void) + } + + spin_unlock(&pgd_lock); ++ spin_unlock(&init_mm.page_table_lock); + } + + static void __init xen_mark_pinned(struct mm_struct *mm, struct page *page, +@@ -920,6 +922,7 @@ void xen_mm_unpin_all(void) + { + struct page *page; + ++ spin_lock(&init_mm.page_table_lock); + spin_lock(&pgd_lock); + + list_for_each_entry(page, &pgd_list, lru) { +@@ -931,6 +934,7 @@ void xen_mm_unpin_all(void) + } + + spin_unlock(&pgd_lock); ++ spin_unlock(&init_mm.page_table_lock); + } + + static void xen_activate_mm(struct mm_struct *prev, struct mm_struct *next) +-- +2.39.5 + 
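Review bot: xen_mm_pin_all() and xen_mm_unpin_all() now establish the nesting `init_mm.page_table_lock` outside `pgd_lock`, but neither site documents that order or the reason for it. A comment at the first acquisition would help, e.g. `/* xen_pte_lock() nests the ptlock under mm->page_table_lock; take it before pgd_lock */`. From this hunk alone it cannot be verified that no other path takes `pgd_lock` first and a `page_table_lock` second, so the new order is worth confirming with lockdep across a suspend/resume cycle. Both function bodies are only partly inside the hunk.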
diff --git a/queue-6.1/hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch b/queue-6.1/hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch new file mode 100644 index 0000000000..077f9fa223 --- /dev/null +++ b/queue-6.1/hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch 
@@ -0,0 +1,49 @@
+From bc6809d68bde4922d2afcd09d07c7828f96b1a42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Feb 2025 18:50:34 -0300
+Subject: HID: hid-thrustmaster: fix stack-out-of-bounds read in
+ usb_check_int_endpoints()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tulio Fernandes
+
+[ Upstream commit 0b43d98ff29be3144e86294486b1373b5df74c0e ]
+
+Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
+hid-thrustmaster driver. This array is passed to usb_check_int_endpoints
+function from usb.c core driver, which executes a for loop that iterates
+over the elements of the passed array. Not finding a null element at the end of
+the array, it tries to read the next, non-existent element, crashing the kernel.
+
+To fix this, a 0 element was added at the end of the array to break the for
+loop.
+
+[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
+
+Reported-by: syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com
+Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")
+Signed-off-by: Túlio Fernandes
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-thrustmaster.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
+index 6c3e758bbb09e..3b81468a1df29 100644
+--- a/drivers/hid/hid-thrustmaster.c
++++ b/drivers/hid/hid-thrustmaster.c
+@@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
+ b_ep = ep->desc.bEndpointAddress;
+
+ /* Are the expected endpoints present? */
+- u8 ep_addr[1] = {b_ep};
++ u8 ep_addr[2] = {b_ep, 0};
+
+ if (!usb_check_int_endpoints(usbif, ep_addr)) {
+ hid_err(hdev, "Unexpected non-int endpoint\n");
+--
+2.39.5
+
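Review bot: The trailing 0 in `u8 ep_addr[2] = {b_ep, 0};` is a silent contract with usb_check_int_endpoints(), which, per the commit message, walks the array until it meets a zero entry; nothing at the declaration says so. A later edit that adds an endpoint or shortens the initializer could bring the stack out-of-bounds read back. I would put `/* Zero-terminated: usb_check_int_endpoints() iterates until a 0 entry */` directly above the declaration. thrustmaster_interrupts() starts and ends outside the hunk.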
diff --git a/queue-6.1/hid-multitouch-add-null-check-in-mt_input_configured.patch b/queue-6.1/hid-multitouch-add-null-check-in-mt_input_configured.patch
new file mode 100644
index 0000000000..929aee0ad4
--- /dev/null
+++ b/queue-6.1/hid-multitouch-add-null-check-in-mt_input_configured.patch
@@ -0,0 +1,43 @@
+From ab220954d014247a4c0329fce7f14401d13d1820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Nov 2024 14:26:21 +0800
+Subject: HID: multitouch: Add NULL check in mt_input_configured
+
+From: Charles Han
+
+[ Upstream commit 9b8e2220d3a052a690b1d1b23019673e612494c5 ]
+
+devm_kasprintf() can return a NULL pointer on failure,but this
+returned value in mt_input_configured() is not checked.
+Add NULL check in mt_input_configured(), to handle kernel NULL
+pointer dereference error.
+
+Fixes: 479439463529 ("HID: multitouch: Correct devm device reference for hidinput input_dev name")
+Signed-off-by: Charles Han
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-multitouch.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 5ad871a7d1a44..6386043aab0bb 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1668,9 +1668,12 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi)
+ break;
+ }
+
+- if (suffix)
++ if (suffix) {
+ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
+ "%s %s", hdev->name, suffix);
++ if (!hi->input->name)
++ return -ENOMEM;
++ }
+
+ return 0;
+ }
+--
+2.39.5
+
diff --git a/queue-6.1/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch b/queue-6.1/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch
new file mode 100644
index 0000000000..e0aa3f0d83
--- /dev/null
+++ b/queue-6.1/media-cxd2841er-fix-64-bit-division-on-gcc-9.patch
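Review bot: The result of devm_kasprintf() is stored in `hi->input->name` before it is tested, so on the new `-ENOMEM` path the field is left NULL and whatever name it held before is no longer reachable through it. Building the string in a local and assigning only on success keeps the field valid on failure: `name = devm_kasprintf(...); if (!name) return -ENOMEM; hi->input->name = name;`. Whether any caller still reads the name after a failed mt_input_configured() cannot be seen from this hunk, which begins mid-function.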
@@ -0,0 +1,53 @@
+From a1315a7a9a55b7927d8398652f24cb19b6eeaef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Nov 2024 11:41:42 +0100
+Subject: media: cxd2841er: fix 64-bit division on gcc-9
+
+From: Arnd Bergmann
+
+[ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ]
+
+It appears that do_div() once more gets confused by a complex
+expression that ends up not quite being constant despite
+__builtin_constant_p() thinking it is:
+
+ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined!
+
+Use div_u64() instead, forcing the expression to be evaluated
+first, and making it a bit more readable.
+
+Cc: Dan Carpenter
+Reported-by: Naresh Kamboju
+Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
+Reported-by: Linux Kernel Functional Testing
+Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Hans Verkuil
+[hverkuil: added Closes tags]
+Signed-off-by: Sasha Levin
+---
+ drivers/media/dvb-frontends/cxd2841er.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c
+index e9d1eef40c627..798da50421368 100644
+--- a/drivers/media/dvb-frontends/cxd2841er.c
++++ b/drivers/media/dvb-frontends/cxd2841er.c
+@@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv,
+
+ static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz)
+ {
+- u64 tmp;
+-
+- tmp = (u64) ifhz * 16777216;
+- do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000));
+-
+- return (u32) tmp;
++ return div_u64(ifhz * 16777216ull,
++ (xtal == SONY_XTAL_24000) ? 48000000 : 41000000);
+ }
+
+ static u32 cxd2841er_calc_iffreq(u32 ifhz)
+--
+2.39.5
+
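Review bot: The explicit `(u32)` cast is gone, so the u64 quotient of div_u64() is now narrowed implicitly by the `u32` return type, and `16777216ull` remains an unexplained constant. The narrowing is safe, since any u32 `ifhz` times 2^24 divided by at least 41000000 stays below 2^32, but a reader has to redo that arithmetic to be sure. A one-line comment above the return, `/* ifhz * 2^24 / divisor; the quotient always fits in u32 */`, would record it.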
diff --git a/queue-6.1/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch b/queue-6.1/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch
new file mode 100644
index 0000000000..236a6dedb1
--- /dev/null
+++ b/queue-6.1/media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch
@@ -0,0 +1,96 @@ +From 5feec39bdc6331e4d76e0467b56337299f81ad20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Dec 2024 18:50:39 +0800 +Subject: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread + +From: Edward Adam Davis + +[ Upstream commit 1221989555db711578a327a9367f1be46500cb48 ] + +syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1] + +If dvb->mux is not initialized successfully by vidtv_mux_init() in the +vidtv_start_streaming(), it will trigger null pointer dereference about mux +in vidtv_mux_stop_thread(). + +Adjust the timing of streaming initialization and check it before +stopping it. + +[1] +KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] +CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471 +Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8 +RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125 +RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128 +RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188 +R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710 +FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 
[inline] + vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252 + dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000 + dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486 + dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559 + dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] + dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 + __fput+0x3f8/0xb60 fs/file_table.c:450 + task_work_run+0x14e/0x250 kernel/task_work.c:239 + get_signal+0x1d3/0x2610 kernel/signal.c:2790 + arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop kernel/entry/common.c:111 [inline] + exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] + syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 + do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-by: syzbot+5e248227c80a3be8e96a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5e248227c80a3be8e96a +Signed-off-by: Edward Adam Davis +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +index dff7265a42ca2..c1621680ec570 100644 +--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c ++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +@@ -191,10 +191,11 @@ static int vidtv_start_streaming(struct vidtv_dvb *dvb) + + mux_args.mux_buf_sz = mux_buf_sz; + +- dvb->streaming = true; + dvb->mux = vidtv_mux_init(dvb->fe[0], dev, &mux_args); + if (!dvb->mux) + return -ENOMEM; ++ ++ dvb->streaming = true; + vidtv_mux_start_thread(dvb->mux); + + dev_dbg_ratelimited(dev, "Started 
streaming\n"); +@@ -205,6 +206,11 @@ static int vidtv_stop_streaming(struct vidtv_dvb *dvb) + { + struct device *dev = &dvb->pdev->dev; + ++ if (!dvb->streaming) { ++ dev_warn_ratelimited(dev, "No streaming. Skipping.\n"); ++ return 0; ++ } ++ + dvb->streaming = false; + vidtv_mux_stop_thread(dvb->mux); + vidtv_mux_destroy(dvb->mux); +-- +2.39.5 + diff --git a/queue-6.1/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch b/queue-6.1/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch new file mode 100644 index 0000000000..2ebf43249e --- /dev/null +++ b/queue-6.1/ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch @@ -0,0 +1,41 @@ +From e354a0d4a91f7ce41c3acbffc13f050cdb248629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 13:58:33 +0000 +Subject: ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() + +From: Eric Dumazet + +[ Upstream commit 48145a57d4bbe3496e8e4880b23ea6b511e6e519 ] + +ndisc_send_redirect() is called under RCU protection, not RTNL. + +It must use dev_get_by_index_rcu() instead of __dev_get_by_index() + +Fixes: 2f17becfbea5 ("vrf: check the original netdevice for generating redirect") +Signed-off-by: Eric Dumazet +Cc: Stephen Suryaputra +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250207135841.1948589-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index 44d3e6ab0c7d4..6df3f4aadf641 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1684,7 +1684,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target) + bool ret; + + if (netif_is_l3_master(skb->dev)) { +- dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif); ++ dev = dev_get_by_index_rcu(dev_net(skb->dev), IPCB(skb)->iif); + if (!dev) + return; + } +-- +2.39.5 + 
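Review bot: The early return in vidtv_stop_streaming() guards the `dvb->mux` dereference only indirectly: it tests `dvb->streaming` and relies on that flag being true exactly while `dvb->mux` is valid, an invariant the reordering in vidtv_start_streaming() establishes but no comment states. A comment at the check, `/* streaming is set only after vidtv_mux_init() succeeded, so dvb->mux is valid below */`, would keep a later edit from separating the two again. The skip message also uses `dev_warn_ratelimited` while the start path logs with `dev_dbg_ratelimited`; the call trace in the description reaches this function from a demux file release, so `dev_dbg_ratelimited` would avoid a warning that appears to be triggerable from user space. Both function bodies continue outside the hunk.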
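Review bot: `dev_get_by_index_rcu()` hands back a pointer without taking a reference, so `dev` is valid only inside the caller's RCU read-side section, and the code itself gives no hint that ndisc_send_redirect() runs under RCU; only the commit message does. A comment at the lookup, `/* caller holds rcu_read_lock(); dev must not be used once it is dropped */`, would make the lifetime rule visible. The rest of the function lies outside the hunk, so how long `dev` is used cannot be checked from here.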
diff --git a/queue-6.1/orangefs-fix-a-oob-in-orangefs_debug_write.patch b/queue-6.1/orangefs-fix-a-oob-in-orangefs_debug_write.patch
new file mode 100644
index 0000000000..2ad6265f3e
--- /dev/null
+++ b/queue-6.1/orangefs-fix-a-oob-in-orangefs_debug_write.patch
@@ -0,0 +1,39 @@
+From a5efe9a2ba760ec32120fa5218f8537796ed6566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Jan 2025 14:21:08 -0500
+Subject: orangefs: fix a oob in orangefs_debug_write
+
+From: Mike Marshall
+
+[ Upstream commit f7c848431632598ff9bce57a659db6af60d75b39 ]
+
+I got a syzbot report: slab-out-of-bounds Read in
+orangefs_debug_write... several people suggested fixes,
+I tested Al Viro's suggestion and made this patch.
+
+Signed-off-by: Mike Marshall
+Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
+Signed-off-by: Sasha Levin
+---
+ fs/orangefs/orangefs-debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index 1b508f5433846..fa41db0884880 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file,
+ * Thwart users who try to jamb a ridiculous number
+ * of bytes into the debug file...
+ */
+- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
++ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ silly = count;
+- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
++ count = ORANGEFS_MAX_DEBUG_STRING_LEN;
+ }
+
+ buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
+--
+2.39.5
+
diff --git a/queue-6.1/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch b/queue-6.1/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch
new file mode 100644
index 0000000000..bb2d7aea9b
--- /dev/null
+++ b/queue-6.1/pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch
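Review bot: After the clamp `count` can still equal `ORANGEFS_MAX_DEBUG_STRING_LEN`, which is exactly the size passed to `kzalloc()`, so the zero-filled buffer keeps a trailing NUL only if the later copy writes fewer than `count` bytes. That copy is outside the hunk and should be checked there; if it copies the full `count`, the buffer is filled end to end and any string handling on it could read past the allocation. Once confirmed, a comment at the clamp such as `/* buf is ORANGEFS_MAX_DEBUG_STRING_LEN bytes and must keep its final NUL */` would tie the bound to the allocation size instead of leaving the two uses of the constant related only by convention.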
@@ -0,0 +1,53 @@
+From 38a7008cdd7624799c935fbdd867bd065fc9dff3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jan 2025 17:43:13 +0100
+Subject: PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+[ Upstream commit b198499c7d2508a76243b98e7cca992f6fd2b7f7 ]
+
+Apparently the Raptor Lake-P reference firmware configures the PIO log size
+correctly, but some vendor BIOSes, including at least ASUSTeK COMPUTER INC.
+Zenbook UX3402VA_UX3402VA, do not.
+
+Apply the quirk for Raptor Lake-P. This prevents kernel complaints like:
+
+ DPC: RP PIO log size 0 is invalid
+
+and also enables the DPC driver to dump the RP PIO Log registers when DPC
+is triggered.
+
+Note that the bug report also mentions 8086:a76e, which has been already
+added by 627c6db20703 ("PCI/DPC: Quirk PIO log size for Intel Raptor Lake
+Root Ports").
+
+Link: https://lore.kernel.org/r/20250102164315.7562-1-tiwai@suse.de
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1234623
+Signed-off-by: Takashi Iwai
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Krzysztof Wilczyński
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 2b3df65005ca8..c16c8507d048e 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -6139,6 +6139,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2b, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2d, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a31, dpc_log_size);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa72f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa73f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa76e, dpc_log_size);
+ #endif
+--
+2.39.5
+
diff --git a/queue-6.1/pci-switchtec-add-microchip-pci100x-device-ids.patch b/queue-6.1/pci-switchtec-add-microchip-pci100x-device-ids.patch
new file mode 100644
index 0000000000..c4f2b77858
--- /dev/null
+++ b/queue-6.1/pci-switchtec-add-microchip-pci100x-device-ids.patch
@@ -0,0 +1,112 @@ +From 7d8e7dd0f347b67db501a4b36c46c2ca84d4221c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 15:25:24 +0530 +Subject: PCI: switchtec: Add Microchip PCI100X device IDs + +From: Rakesh Babu Saladi + +[ Upstream commit a3282f84b2151d254dc4abf24d1255c6382be774 ] + +Add Microchip parts to the Device ID table so the driver supports PCI100x +devices. + +Add a new macro to quirk the Microchip Switchtec PCI100x parts to allow DMA +access via NTB to work when the IOMMU is turned on. + +PCI100x family has 6 variants; each variant is designed for different +application usages, different port counts and lane counts: + + PCI1001 has 1 x4 upstream port and 3 x4 downstream ports + PCI1002 has 1 x4 upstream port and 4 x2 downstream ports + PCI1003 has 2 x4 upstream ports, 2 x2 upstream ports, and 2 x2 + downstream ports + PCI1004 has 4 x4 upstream ports + PCI1005 has 1 x4 upstream port and 6 x2 downstream ports + PCI1006 has 6 x2 upstream ports and 2 x2 downstream ports + +[Historical note: these parts use PCI_VENDOR_ID_EFAR (0x1055), from EFAR +Microsystems, which was acquired in 1996 by Standard Microsystems Corp, +which was acquired by Microchip Technology in 2012. 
The PCI-SIG confirms +that Vendor ID 0x1055 is assigned to Microchip even though it's not +visible via https://pcisig.com/membership/member-companies] + +Link: https://lore.kernel.org/r/20250120095524.243103-1-Saladi.Rakeshbabu@microchip.com +Signed-off-by: Rakesh Babu Saladi +[bhelgaas: Vendor ID history] +Signed-off-by: Bjorn Helgaas +Acked-By: Logan Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 11 +++++++++++ + drivers/pci/switch/switchtec.c | 26 ++++++++++++++++++++++++++ + 2 files changed, 37 insertions(+) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index c16c8507d048e..fb115b8ba342d 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5870,6 +5870,17 @@ SWITCHTEC_QUIRK(0x5552); /* PAXA 52XG5 */ + SWITCHTEC_QUIRK(0x5536); /* PAXA 36XG5 */ + SWITCHTEC_QUIRK(0x5528); /* PAXA 28XG5 */ + ++#define SWITCHTEC_PCI100X_QUIRK(vid) \ ++ DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_EFAR, vid, \ ++ PCI_CLASS_BRIDGE_OTHER, 8, quirk_switchtec_ntb_dma_alias) ++SWITCHTEC_PCI100X_QUIRK(0x1001); /* PCI1001XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1002); /* PCI1002XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1003); /* PCI1003XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1004); /* PCI1004XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1005); /* PCI1005XG4 */ ++SWITCHTEC_PCI100X_QUIRK(0x1006); /* PCI1006XG4 */ ++ ++ + /* + * The PLX NTB uses devfn proxy IDs to move TLPs between NT endpoints. 
+ * These IDs are used to forward responses to the originator on the other +diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c +index 332af6938d7fd..9011518b1d132 100644 +--- a/drivers/pci/switch/switchtec.c ++++ b/drivers/pci/switch/switchtec.c +@@ -1739,6 +1739,26 @@ static void switchtec_pci_remove(struct pci_dev *pdev) + .driver_data = gen, \ + } + ++#define SWITCHTEC_PCI100X_DEVICE(device_id, gen) \ ++ { \ ++ .vendor = PCI_VENDOR_ID_EFAR, \ ++ .device = device_id, \ ++ .subvendor = PCI_ANY_ID, \ ++ .subdevice = PCI_ANY_ID, \ ++ .class = (PCI_CLASS_MEMORY_OTHER << 8), \ ++ .class_mask = 0xFFFFFFFF, \ ++ .driver_data = gen, \ ++ }, \ ++ { \ ++ .vendor = PCI_VENDOR_ID_EFAR, \ ++ .device = device_id, \ ++ .subvendor = PCI_ANY_ID, \ ++ .subdevice = PCI_ANY_ID, \ ++ .class = (PCI_CLASS_BRIDGE_OTHER << 8), \ ++ .class_mask = 0xFFFFFFFF, \ ++ .driver_data = gen, \ ++ } ++ + static const struct pci_device_id switchtec_pci_tbl[] = { + SWITCHTEC_PCI_DEVICE(0x8531, SWITCHTEC_GEN3), /* PFX 24xG3 */ + SWITCHTEC_PCI_DEVICE(0x8532, SWITCHTEC_GEN3), /* PFX 32xG3 */ +@@ -1833,6 +1853,12 @@ static const struct pci_device_id switchtec_pci_tbl[] = { + SWITCHTEC_PCI_DEVICE(0x5552, SWITCHTEC_GEN5), /* PAXA 52XG5 */ + SWITCHTEC_PCI_DEVICE(0x5536, SWITCHTEC_GEN5), /* PAXA 36XG5 */ + SWITCHTEC_PCI_DEVICE(0x5528, SWITCHTEC_GEN5), /* PAXA 28XG5 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1001, SWITCHTEC_GEN4), /* PCI1001 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1002, SWITCHTEC_GEN4), /* PCI1002 12XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1003, SWITCHTEC_GEN4), /* PCI1003 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1004, SWITCHTEC_GEN4), /* PCI1004 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1005, SWITCHTEC_GEN4), /* PCI1005 16XG4 */ ++ SWITCHTEC_PCI100X_DEVICE(0x1006, SWITCHTEC_GEN4), /* PCI1006 16XG4 */ + {0} + }; + MODULE_DEVICE_TABLE(pci, switchtec_pci_tbl); +-- +2.39.5 + 
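Review bot: The parameter of `SWITCHTEC_PCI100X_QUIRK(vid)` is named like a vendor ID but is passed in the device-ID position of `DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_EFAR, vid, ...)`, with the vendor fixed to PCI_VENDOR_ID_EFAR. Naming it `device_id`, as `SWITCHTEC_PCI100X_DEVICE(device_id, gen)` in switchtec.c already does, removes the mismatch: `#define SWITCHTEC_PCI100X_QUIRK(device_id)`. The part names in the trailing comments also differ between the two files (`PCI1001XG4` in quirks.c, `PCI1001 16XG4` in switchtec.c) and should use one form so the two tables can be compared by search.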
diff --git a/queue-6.1/pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch b/queue-6.1/pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch
new file mode 100644
index 0000000000..eaecbdaec4
--- /dev/null
+++ b/queue-6.1/pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch
@@ -0,0 +1,49 @@
+From 9c8dd400195c1fb08cb683d4a7f4507150d6c7cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Jan 2025 16:21:45 +0200
+Subject: pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware
+
+From: Andy Shevchenko
+
+[ Upstream commit 1ddee69108d305bbc059cbf31c0b47626796be77 ]
+
+Some of the platforms may connect the INT pin via inversion logic
+effectively make the triggering to be active-low.
+Remove explicit trigger flag to respect the settings from firmware.
+
+Without this change even idling chip produces spurious interrupts
+and kernel disables the line in the result:
+
+ irq 33: nobody cared (try booting with the "irqpoll" option)
+ CPU: 0 UID: 0 PID: 125 Comm: irq/33-i2c-INT3 Not tainted 6.12.0-00236-g8b874ed11dae #64
+ Hardware name: Intel Corp. QUARK/Galileo, BIOS 0x01000900 01/01/2014
+ ...
+ handlers:
+ [<86e86bea>] irq_default_primary_handler threaded [] cy8c95x0_irq_handler [pinctrl_cy8c95x0]
+ Disabling IRQ #33
+
+Fixes: e6cbbe42944d ("pinctrl: Add Cypress cy8c95x0 support")
+Signed-off-by: Andy Shevchenko
+Link: https://lore.kernel.org/20250117142304.596106-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/pinctrl-cy8c95x0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
+index 5abab6bc763ae..f7c8ae9808133 100644
+--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
++++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
+@@ -1234,7 +1234,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
+
+ ret = devm_request_threaded_irq(chip->dev, irq,
+ NULL, cy8c95x0_irq_handler,
+- IRQF_ONESHOT | IRQF_SHARED | IRQF_TRIGGER_HIGH,
++ IRQF_ONESHOT | IRQF_SHARED,
+ dev_name(chip->dev), chip);
+ if (ret) {
+ dev_err(chip->dev, "failed to request irq %d\n", irq);
+--
+2.39.5
+
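Review bot: With `IRQF_TRIGGER_HIGH` dropped, the flags `IRQF_ONESHOT | IRQF_SHARED` no longer say anything about trigger type, and the reason is recorded only in the commit message: the trigger is left to firmware because some boards invert the INT line. A comment above the call, `/* No IRQF_TRIGGER_*: keep the trigger type configured by firmware */`, would stop the flag from being added back during a later cleanup. cy8c95x0_irq_setup() starts and ends outside the hunk.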
diff --git a/queue-6.1/rdma-efa-reset-device-on-probe-failure.patch b/queue-6.1/rdma-efa-reset-device-on-probe-failure.patch
new file mode 100644
index 0000000000..aa5a9d0655
--- /dev/null
+++ b/queue-6.1/rdma-efa-reset-device-on-probe-failure.patch
@@ -0,0 +1,73 @@ +From 42e865edf01b2eaa3c71d6e60fc43f2fce8846f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Dec 2024 13:15:48 +0000 +Subject: RDMA/efa: Reset device on probe failure + +From: Michael Margolin + +[ Upstream commit 123c13f10ed3627ba112172d8bd122a72cae226d ] + +Make sure the device is being reset on driver exit whatever the reason +is, to keep the device aligned and allow it to close shared resources +(e.g. admin queue). + +Reviewed-by: Firas Jahjah +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Link: https://patch.msgid.link/20241225131548.15155-1-mrgolin@amazon.com +Reviewed-by: Gal Pressman +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c +index 15ee920811187..924940ca9de0a 100644 +--- a/drivers/infiniband/hw/efa/efa_main.c ++++ b/drivers/infiniband/hw/efa/efa_main.c +@@ -452,7 +452,6 @@ static void efa_ib_device_remove(struct efa_dev *dev) + ibdev_info(&dev->ibdev, "Unregister ib device\n"); + ib_unregister_device(&dev->ibdev); + efa_destroy_eqs(dev); +- efa_com_dev_reset(&dev->edev, EFA_REGS_RESET_NORMAL); + efa_release_doorbell_bar(dev); + } + +@@ -623,12 +622,14 @@ static struct efa_dev *efa_probe_device(struct pci_dev *pdev) + return ERR_PTR(err); + } + +-static void efa_remove_device(struct pci_dev *pdev) ++static void efa_remove_device(struct pci_dev *pdev, ++ enum efa_regs_reset_reason_types reset_reason) + { + struct efa_dev *dev = pci_get_drvdata(pdev); + struct efa_com_dev *edev; + + edev = &dev->edev; ++ efa_com_dev_reset(edev, reset_reason); + efa_com_admin_destroy(edev); + efa_free_irq(dev, &dev->admin_irq); + efa_disable_msix(dev); +@@ -656,7 +657,7 @@ static int efa_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + return 0; + + err_remove_device: +- efa_remove_device(pdev); ++ 
efa_remove_device(pdev, EFA_REGS_RESET_INIT_ERR); + return err; + } + +@@ -665,7 +666,7 @@ static void efa_remove(struct pci_dev *pdev) + struct efa_dev *dev = pci_get_drvdata(pdev); + + efa_ib_device_remove(dev); +- efa_remove_device(pdev); ++ efa_remove_device(pdev, EFA_REGS_RESET_NORMAL); + } + + static struct pci_driver efa_pci_driver = { +-- +2.39.5 + diff --git a/queue-6.1/rtla-timerlat_hist-abort-event-processing-on-second-.patch b/queue-6.1/rtla-timerlat_hist-abort-event-processing-on-second-.patch new file mode 100644 index 0000000000..c70c030329 --- /dev/null +++ b/queue-6.1/rtla-timerlat_hist-abort-event-processing-on-second-.patch 
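Review bot: Moving `efa_com_dev_reset()` into efa_remove_device() changes where the reset falls in the normal teardown. It used to run in efa_ib_device_remove() between `efa_destroy_eqs()` and `efa_release_doorbell_bar()`; it now runs after the doorbell BAR has been released, as the first step of efa_remove_device(). If that ordering is intended, a short comment at the new call saying why the reset precedes `efa_com_admin_destroy()` would record it; if not, the order on the `efa_remove()` path needs a second look. efa_remove_device() continues outside the hunk.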
@@ -0,0 +1,50 @@
+From 6dc3b18f7978a9bc79a3a69694af9d6476834e53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Jan 2025 15:49:30 +0100
+Subject: rtla/timerlat_hist: Abort event processing on second signal
+
+From: Tomas Glozar
+
+[ Upstream commit d6899e560366e10141189697502bc5521940c588 ]
+
+If either SIGINT is received twice, or after a SIGALRM (that is, after
+timerlat was supposed to stop), abort processing events currently left
+in the tracefs buffer and exit immediately.
+
+This allows the user to exit rtla without waiting for processing all
+events, should that take longer than wanted, at the cost of not
+processing all samples.
+
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-5-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/tracing/rtla/src/timerlat_hist.c b/tools/tracing/rtla/src/timerlat_hist.c
+index 83cc7ef3d36b3..b7a7dcd68b570 100644
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -786,6 +786,14 @@ static int stop_tracing;
+ static struct trace_instance *hist_inst = NULL;
+ static void stop_hist(int sig)
+ {
++ if (stop_tracing) {
++ /*
++ * Stop requested twice in a row; abort event processing and
++ * exit immediately
++ */
++ tracefs_iterate_stop(hist_inst->inst);
++ return;
++ }
+ stop_tracing = 1;
+ if (hist_inst)
+ trace_instance_stop(hist_inst);
+--
+2.39.5
+
diff --git a/queue-6.1/rtla-timerlat_top-abort-event-processing-on-second-s.patch b/queue-6.1/rtla-timerlat_top-abort-event-processing-on-second-s.patch
new file mode 100644
index 0000000000..df4323271c
--- /dev/null
+++ b/queue-6.1/rtla-timerlat_top-abort-event-processing-on-second-s.patch
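Review bot: The new early-exit branch in stop_hist() dereferences `hist_inst->inst` without a NULL check, although `hist_inst` is initialised to NULL and the existing code a few lines below tests `if (hist_inst)` before using it; a second signal delivered while the instance pointer is unset would fault inside the signal handler. The call should carry the same guard: `if (hist_inst) tracefs_iterate_stop(hist_inst->inst);`. stop_top() in the timerlat_top.c patch that follows has the same pattern with `top_inst->inst`. `stop_tracing` is a plain `static int` written from the handler; whether it needs to be `volatile sig_atomic_t` depends on readers outside the hunk.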
@@ -0,0 +1,50 @@
+From 4cab13a1d1e9ee25b200c345e3ae100fb03727c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Jan 2025 15:49:31 +0100
+Subject: rtla/timerlat_top: Abort event processing on second signal
+
+From: Tomas Glozar
+
+[ Upstream commit 80967b354a76b360943af384c10d807d98bea5c4 ]
+
+If either SIGINT is received twice, or after a SIGALRM (that is, after
+timerlat was supposed to stop), abort processing events currently left
+in the tracefs buffer and exit immediately.
+
+This allows the user to exit rtla without waiting for processing all
+events, should that take longer than wanted, at the cost of not
+processing all samples.
+
+Cc: John Kacur
+Cc: Luis Goncalves
+Cc: Gabriele Monaco
+Link: https://lore.kernel.org/20250116144931.649593-6-tglozar@redhat.com
+Signed-off-by: Tomas Glozar
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+---
+ tools/tracing/rtla/src/timerlat_top.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/tracing/rtla/src/timerlat_top.c b/tools/tracing/rtla/src/timerlat_top.c
+index 08e940ecdc966..46c3405a356f5 100644
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -578,6 +578,14 @@ static int stop_tracing;
+ static struct trace_instance *top_inst = NULL;
+ static void stop_top(int sig)
+ {
++ if (stop_tracing) {
++ /*
++ * Stop requested twice in a row; abort event processing and
++ * exit immediately
++ */
++ tracefs_iterate_stop(top_inst->inst);
++ return;
++ }
+ stop_tracing = 1;
+ if (top_inst)
+ trace_instance_stop(top_inst);
+--
+2.39.5
+
diff --git a/queue-6.1/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch b/queue-6.1/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
new file mode 100644
index 0000000000..3abfb61767
--- /dev/null
+++ b/queue-6.1/scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
@@ -0,0 +1,37 @@
+From f67aed603e21169a31e49d79af66a06957c4d5f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Dec 2024 09:42:14 +0800
+Subject: scsi: ufs: bsg: Set bsg_queue to NULL after removal
+
+From: Guixin Liu
+
+[ Upstream commit 1e95c798d8a7f70965f0f88d4657b682ff0ec75f ]
+
+Currently, this does not cause any issues, but I believe it is necessary to
+set bsg_queue to NULL after removing it to prevent potential use-after-free
+(UAF) access.
+
+Signed-off-by: Guixin Liu
+Link: https://lore.kernel.org/r/20241218014214.64533-3-kanie@linux.alibaba.com
+Reviewed-by: Avri Altman
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/ufs/core/ufs_bsg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c
+index 87d89136cab90..ead55e063d2b5 100644
+--- a/drivers/ufs/core/ufs_bsg.c
++++ b/drivers/ufs/core/ufs_bsg.c
+@@ -181,6 +181,7 @@ void ufs_bsg_remove(struct ufs_hba *hba)
+ return;
+
+ bsg_remove_queue(hba->bsg_queue);
++ hba->bsg_queue = NULL;
+
+ device_del(bsg_dev);
+ put_device(bsg_dev);
+--
+2.39.5
+
diff --git a/queue-6.1/selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch b/queue-6.1/selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch
new file mode 100644
index 0000000000..446657328e
--- /dev/null
+++ b/queue-6.1/selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch
@@ -0,0 +1,203 @@ +From 904a5f8979da96c4ed5c4710a82482eccd8f62d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2025 13:33:09 +0900 +Subject: selftests: gpio: gpio-sim: Fix missing chip disablements + +From: Koichiro Den + +[ Upstream commit f8524ac33cd452aef5384504b3264db6039a455e ] + +Since upstream commit 8bd76b3d3f3a ("gpio: sim: lock up configfs that an +instantiated device depends on"), rmdir for an active virtual devices +been prohibited. + +Update gpio-sim selftest to align with the change. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202501221006.a1ca5dfa-lkp@intel.com +Signed-off-by: Koichiro Den +Link: https://lore.kernel.org/r/20250122043309.304621-1-koichiro.den@canonical.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/gpio/gpio-sim.sh | 31 +++++++++++++++++++----- + 1 file changed, 25 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/gpio/gpio-sim.sh b/tools/testing/selftests/gpio/gpio-sim.sh +index bf67b23ed29ac..46101a800bebf 100755 +--- a/tools/testing/selftests/gpio/gpio-sim.sh ++++ b/tools/testing/selftests/gpio/gpio-sim.sh +@@ -46,12 +46,6 @@ remove_chip() { + rmdir $CONFIGFS_DIR/$CHIP || fail "Unable to remove the chip" + } + +-configfs_cleanup() { +- for CHIP in `ls $CONFIGFS_DIR/`; do +- remove_chip $CHIP +- done +-} +- + create_chip() { + local CHIP=$1 + +@@ -105,6 +99,13 @@ disable_chip() { + echo 0 > $CONFIGFS_DIR/$CHIP/live || fail "Unable to disable the chip" + } + ++configfs_cleanup() { ++ for CHIP in `ls $CONFIGFS_DIR/`; do ++ disable_chip $CHIP ++ remove_chip $CHIP ++ done ++} ++ + configfs_chip_name() { + local CHIP=$1 + local BANK=$2 +@@ -181,6 +182,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test -n `cat $CONFIGFS_DIR/chip/bank/chip_name` || fail "chip_name doesn't work" ++disable_chip chip + remove_chip chip + + echo "1.2. 
chip_name returns 'none' if the chip is still pending" +@@ -195,6 +197,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test -n `cat $CONFIGFS_DIR/chip/dev_name` || fail "dev_name doesn't work" ++disable_chip chip + remove_chip chip + + echo "2. Creating and configuring simulated chips" +@@ -204,6 +207,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test "`get_chip_num_lines chip bank`" = "1" || fail "default number of lines is not 1" ++disable_chip chip + remove_chip chip + + echo "2.2. Number of lines can be specified" +@@ -212,6 +216,7 @@ create_bank chip bank + set_num_lines chip bank 16 + enable_chip chip + test "`get_chip_num_lines chip bank`" = "16" || fail "number of lines is not 16" ++disable_chip chip + remove_chip chip + + echo "2.3. Label can be set" +@@ -220,6 +225,7 @@ create_bank chip bank + set_label chip bank foobar + enable_chip chip + test "`get_chip_label chip bank`" = "foobar" || fail "label is incorrect" ++disable_chip chip + remove_chip chip + + echo "2.4. Label can be left empty" +@@ -227,6 +233,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + test -z "`cat $CONFIGFS_DIR/chip/bank/label`" || fail "label is not empty" ++disable_chip chip + remove_chip chip + + echo "2.5. Line names can be configured" +@@ -238,6 +245,7 @@ set_line_name chip bank 2 bar + enable_chip chip + test "`get_line_name chip bank 0`" = "foo" || fail "line name is incorrect" + test "`get_line_name chip bank 2`" = "bar" || fail "line name is incorrect" ++disable_chip chip + remove_chip chip + + echo "2.6. Line config can remain unused if offset is greater than number of lines" +@@ -248,6 +256,7 @@ set_line_name chip bank 5 foobar + enable_chip chip + test "`get_line_name chip bank 0`" = "" || fail "line name is incorrect" + test "`get_line_name chip bank 1`" = "" || fail "line name is incorrect" ++disable_chip chip + remove_chip chip + + echo "2.7. 
Line configfs directory names are sanitized" +@@ -267,6 +276,7 @@ for CHIP in $CHIPS; do + enable_chip $CHIP + done + for CHIP in $CHIPS; do ++ disable_chip $CHIP + remove_chip $CHIP + done + +@@ -278,6 +288,7 @@ echo foobar > $CONFIGFS_DIR/chip/bank/label 2> /dev/null && \ + fail "Setting label of a live chip should fail" + echo 8 > $CONFIGFS_DIR/chip/bank/num_lines 2> /dev/null && \ + fail "Setting number of lines of a live chip should fail" ++disable_chip chip + remove_chip chip + + echo "2.10. Can't create line items when chip is live" +@@ -285,6 +296,7 @@ create_chip chip + create_bank chip bank + enable_chip chip + mkdir $CONFIGFS_DIR/chip/bank/line0 2> /dev/null && fail "Creating line item should fail" ++disable_chip chip + remove_chip chip + + echo "2.11. Probe errors are propagated to user-space" +@@ -316,6 +328,7 @@ mkdir -p $CONFIGFS_DIR/chip/bank/line4/hog + enable_chip chip + $BASE_DIR/gpio-mockup-cdev -s 1 /dev/`configfs_chip_name chip bank` 4 2> /dev/null && \ + fail "Setting the value of a hogged line shouldn't succeed" ++disable_chip chip + remove_chip chip + + echo "3. Controlling simulated chips" +@@ -331,6 +344,7 @@ test "$?" = "1" || fail "pull set incorrectly" + sysfs_set_pull chip bank 0 pull-down + $BASE_DIR/gpio-mockup-cdev /dev/`configfs_chip_name chip bank` 1 + test "$?" = "0" || fail "pull set incorrectly" ++disable_chip chip + remove_chip chip + + echo "3.2. Pull can be read from sysfs" +@@ -344,6 +358,7 @@ SYSFS_PATH=/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/pull + test `cat $SYSFS_PATH` = "pull-down" || fail "reading the pull failed" + sysfs_set_pull chip bank 0 pull-up + test `cat $SYSFS_PATH` = "pull-up" || fail "reading the pull failed" ++disable_chip chip + remove_chip chip + + echo "3.3. 
Incorrect input in sysfs is rejected" +@@ -355,6 +370,7 @@ DEVNAME=`configfs_dev_name chip` + CHIPNAME=`configfs_chip_name chip bank` + SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/pull" + echo foobar > $SYSFS_PATH 2> /dev/null && fail "invalid input not detected" ++disable_chip chip + remove_chip chip + + echo "3.4. Can't write to value" +@@ -365,6 +381,7 @@ DEVNAME=`configfs_dev_name chip` + CHIPNAME=`configfs_chip_name chip bank` + SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/value" + echo 1 > $SYSFS_PATH 2> /dev/null && fail "writing to 'value' succeeded unexpectedly" ++disable_chip chip + remove_chip chip + + echo "4. Simulated GPIO chips are functional" +@@ -382,6 +399,7 @@ $BASE_DIR/gpio-mockup-cdev -s 1 /dev/`configfs_chip_name chip bank` 0 & + sleep 0.1 # FIXME Any better way? + test `cat $SYSFS_PATH` = "1" || fail "incorrect value read from sysfs" + kill $! ++disable_chip chip + remove_chip chip + + echo "4.2. Bias settings work correctly" +@@ -394,6 +412,7 @@ CHIPNAME=`configfs_chip_name chip bank` + SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/value" + $BASE_DIR/gpio-mockup-cdev -b pull-up /dev/`configfs_chip_name chip bank` 0 + test `cat $SYSFS_PATH` = "1" || fail "bias setting does not work" ++disable_chip chip + remove_chip chip + + echo "GPIO $MODULE test PASS" +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index 96ca4b0094..993f98ab77 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
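Review bot: `configfs_cleanup()` now runs `disable_chip` on every directory it finds, and `disable_chip` calls `fail` when the write to `live` is rejected. If the driver refuses to disable a chip that was never enabled (not visible in this patch, so this is an assumption to confirm), cleanup after a test that stopped before `enable_chip` would abort at the first such chip and leave the remaining configfs entries behind. In the cleanup path I would make the disable best-effort, `echo 0 > $CONFIGFS_DIR/$CHIP/live 2> /dev/null`, and keep the strict `disable_chip` for the test bodies.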
@@ -463,3 +463,35 @@ revert-btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch nfsd-clear-acl_access-acl_default-after-releasing-them.patch nfsd-fix-hang-in-nfsd4_shutdown_callback.patch +pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch +hid-multitouch-add-null-check-in-mt_input_configured.patch +hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch +ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch +ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch +vrf-use-rcu-protection-in-l3mdev_l3_out.patch +vxlan-check-vxlan_vnigroup_init-return-value.patch +team-better-team_option_type_string-validation.patch +arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch +cgroup-remove-steal-time-from-usage_usec.patch +drm-i915-selftests-avoid-using-uninitialized-context.patch +gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch +gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch +gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch +xen-swiotlb-relax-alignment-requirements.patch +xen-remove-a-confusing-comment-on-auto-translated-gu.patch +x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch +rdma-efa-reset-device-on-probe-failure.patch +fbdev-omap-use-threaded-irq-for-lcd-dma.patch +media-cxd2841er-fix-64-bit-division-on-gcc-9.patch +media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch +pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch +pci-switchtec-add-microchip-pci100x-device-ids.patch +scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch +rtla-timerlat_hist-abort-event-processing-on-second-.patch +rtla-timerlat_top-abort-event-processing-on-second-s.patch +vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch +grab-mm-lock-before-grabbing-pt-lock.patch +selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch +x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch +orangefs-fix-a-oob-in-orangefs_debug_write.patch 
+asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch diff --git a/queue-6.1/team-better-team_option_type_string-validation.patch b/queue-6.1/team-better-team_option_type_string-validation.patch new file mode 100644 index 0000000000..4bd30842eb --- /dev/null +++ b/queue-6.1/team-better-team_option_type_string-validation.patch 
@@ -0,0 +1,76 @@ +From 3001dc95bcf62328a61ad5e06a6861c1485d03c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 13:49:28 +0000 +Subject: team: better TEAM_OPTION_TYPE_STRING validation + +From: Eric Dumazet + +[ Upstream commit 5bef3ac184b5626ea62385d6b82a1992b89d7940 ] + +syzbot reported following splat [1] + +Make sure user-provided data contains one nul byte. + +[1] + BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline] + BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714 + string_nocheck lib/vsprintf.c:633 [inline] + string+0x3ec/0x5f0 lib/vsprintf.c:714 + vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843 + __request_module+0x252/0x9f0 kernel/module/kmod.c:149 + team_mode_get drivers/net/team/team_core.c:480 [inline] + team_change_mode drivers/net/team/team_core.c:607 [inline] + team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401 + team_option_set drivers/net/team/team_core.c:375 [inline] + team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662 + genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543 + genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:718 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:733 + ____sys_sendmsg+0x877/0xb60 net/socket.c:2573 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627 + __sys_sendmsg net/socket.c:2659 [inline] + __do_sys_sendmsg net/socket.c:2664 [inline] + __se_sys_sendmsg net/socket.c:2662 [inline] + __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662 + x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 
arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Reported-by: syzbot+1fcd957a82e3a1baa94d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1fcd957a82e3a1baa94d +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20250212134928.1541609-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index b23aa3c8bdf8e..c2327fa10747c 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -2670,7 +2670,9 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + ctx.data.u32_val = nla_get_u32(attr_data); + break; + case TEAM_OPTION_TYPE_STRING: +- if (nla_len(attr_data) > TEAM_STRING_MAX_LEN) { ++ if (nla_len(attr_data) > TEAM_STRING_MAX_LEN || ++ !memchr(nla_data(attr_data), '\0', ++ nla_len(attr_data))) { + err = -EINVAL; + goto team_put; + } +-- +2.39.5 + diff --git a/queue-6.1/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch b/queue-6.1/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch new file mode 100644 index 0000000000..fc5a8828e0 --- /dev/null +++ b/queue-6.1/vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch 
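Review bot: The extended condition in the `TEAM_OPTION_TYPE_STRING` case carries no comment saying why a terminator is required, so the `memchr()` reads as a redundant length check. The reason is only in the commit message: the payload is later consumed as a C string (the trace ends in `vsnprintf()` via `__request_module()`), so an unterminated attribute is read past its end. I would add `/* value is used as a C string later; require a NUL inside nla_len() */` above the `if`. The body of `team_nl_cmd_options_set()` starts and ends outside this hunk.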
@@ -0,0 +1,49 @@
+From 3848cb371d5e6ed5233ec0f8bc4a34df1ed89eaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Dec 2024 05:19:37 -0800
+Subject: vfio/pci: Enable iowrite64 and ioread64 for vfio pci
+
+From: Ramesh Thomas
+
+[ Upstream commit 2b938e3db335e3670475e31a722c2bee34748c5a ]
+
+Definitions of ioread64 and iowrite64 macros in asm/io.h called by vfio
+pci implementations are enclosed inside check for CONFIG_GENERIC_IOMAP.
+They don't get defined if CONFIG_GENERIC_IOMAP is defined. Include
+linux/io-64-nonatomic-lo-hi.h to define iowrite64 and ioread64 macros
+when they are not defined. io-64-nonatomic-lo-hi.h maps the macros to
+generic implementation in lib/iomap.c. The generic implementation does
+64 bit rw if readq/writeq is defined for the architecture, otherwise it
+would do 32 bit back to back rw.
+
+Note that there are two versions of the generic implementation that
+differs in the order the 32 bit words are written if 64 bit support is
+not present. This is not the little/big endian ordering, which is
+handled separately. This patch uses the lo followed by hi word ordering
+which is consistent with current back to back implementation in the
+vfio/pci code.
+
+Signed-off-by: Ramesh Thomas
+Reviewed-by: Jason Gunthorpe
+Link: https://lore.kernel.org/r/20241210131938.303500-2-ramesh.thomas@intel.com
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/pci/vfio_pci_rdwr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
+index e27de61ac9fe7..8191c8fcfb256 100644
+--- a/drivers/vfio/pci/vfio_pci_rdwr.c
++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "vfio_pci_priv.h"
+
+--
+2.39.5
+
diff --git a/queue-6.1/vrf-use-rcu-protection-in-l3mdev_l3_out.patch b/queue-6.1/vrf-use-rcu-protection-in-l3mdev_l3_out.patch
new file mode 100644
index 0000000000..50fa137626
--- /dev/null
+++ b/queue-6.1/vrf-use-rcu-protection-in-l3mdev_l3_out.patch
@@ -0,0 +1,52 @@
+From be38038e7835d25348daf2644dab1f13f209eef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Feb 2025 13:58:38 +0000
+Subject: vrf: use RCU protection in l3mdev_l3_out()
+
+From: Eric Dumazet
+
+[ Upstream commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 ]
+
+l3mdev_l3_out() can be called without RCU being held:
+
+raw_sendmsg()
+ ip_push_pending_frames()
+ ip_send_skb()
+ ip_local_out()
+ __ip_local_out()
+ l3mdev_ip_out()
+
+Add rcu_read_lock() / rcu_read_unlock() pair to avoid
+a potential UAF.
+
+Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Reviewed-by: Kuniyuki Iwashima
+Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/l3mdev.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
+index 031c661aa14df..bdfa9d414360c 100644
+--- a/include/net/l3mdev.h
++++ b/include/net/l3mdev.h
+@@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
+ if (netif_is_l3_slave(dev)) {
+ struct net_device *master;
+
++ rcu_read_lock();
+ master = netdev_master_upper_dev_get_rcu(dev);
+ if (master && master->l3mdev_ops->l3mdev_l3_out)
+ skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
+ skb, proto);
++ rcu_read_unlock();
+ }
+
+ return skb;
+--
+2.39.5
+
diff --git a/queue-6.1/vxlan-check-vxlan_vnigroup_init-return-value.patch b/queue-6.1/vxlan-check-vxlan_vnigroup_init-return-value.patch
new file mode 100644
index 0000000000..cd813e8b46
--- /dev/null
+++ b/queue-6.1/vxlan-check-vxlan_vnigroup_init-return-value.patch
@@ -0,0 +1,75 @@ +From 916cb7d03248b4b6c4b72b69f7574934324cab0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 10:52:42 +0000 +Subject: vxlan: check vxlan_vnigroup_init() return value + +From: Eric Dumazet + +[ Upstream commit 5805402dcc56241987bca674a1b4da79a249bab7 ] + +vxlan_init() must check vxlan_vnigroup_init() success +otherwise a crash happens later, spotted by syzbot. + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167] +CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 + RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912 +Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00 +RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb +RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18 +RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 +R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000 +FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942 + unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824 + unregister_netdevice_many net/core/dev.c:11866 [inline] 
+ unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736 + register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901 + __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981 + vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407 + rtnl_newlink_create net/core/rtnetlink.c:3795 [inline] + __rtnl_newlink net/core/rtnetlink.c:3906 [inline] + +Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device") +Reported-by: syzbot+6a9624592218c2c5e7aa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67a9d9b4.050a0220.110943.002d.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Roopa Prabhu +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250210105242.883482-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 155d335c80a7e..50be5a3c47795 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -2982,8 +2982,11 @@ static int vxlan_init(struct net_device *dev) + struct vxlan_dev *vxlan = netdev_priv(dev); + int err; + +- if (vxlan->cfg.flags & VXLAN_F_VNIFILTER) +- vxlan_vnigroup_init(vxlan); ++ if (vxlan->cfg.flags & VXLAN_F_VNIFILTER) { ++ err = vxlan_vnigroup_init(vxlan); ++ if (err) ++ return err; ++ } + + dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); + if (!dev->tstats) { +-- +2.39.5 + diff --git a/queue-6.1/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch b/queue-6.1/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch new file mode 100644 index 0000000000..06719df19c --- /dev/null +++ b/queue-6.1/x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch 
@@ -0,0 +1,152 @@ +From 2f443ef2aaa07f774ef5d42a9576cac1491d887d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 21:03:16 -0500 +Subject: x86/mm/tlb: Only trim the mm_cpumask once a second + +From: Rik van Riel + +[ Upstream commit 6db2526c1d694c91c6e05e2f186c085e9460f202 ] + +Setting and clearing CPU bits in the mm_cpumask is only ever done +by the CPU itself, from the context switch code or the TLB flush +code. + +Synchronization is handled by switch_mm_irqs_off() blocking interrupts. + +Sending TLB flush IPIs to CPUs that are in the mm_cpumask, but no +longer running the program causes a regression in the will-it-scale +tlbflush2 test. This test is contrived, but a large regression here +might cause a small regression in some real world workload. + +Instead of always sending IPIs to CPUs that are in the mm_cpumask, +but no longer running the program, send these IPIs only once a second. + +The rest of the time we can skip over CPUs where the loaded_mm is +different from the target mm. 
+ +Reported-by: kernel test roboto +Signed-off-by: Rik van Riel +Signed-off-by: Ingo Molnar +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20241204210316.612ee573@fangorn +Closes: https://lore.kernel.org/oe-lkp/202411282207.6bd28eae-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/mmu.h | 2 ++ + arch/x86/include/asm/mmu_context.h | 1 + + arch/x86/include/asm/tlbflush.h | 1 + + arch/x86/mm/tlb.c | 35 +++++++++++++++++++++++++++--- + 4 files changed, 36 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h +index 5d7494631ea95..c07c018a1c139 100644 +--- a/arch/x86/include/asm/mmu.h ++++ b/arch/x86/include/asm/mmu.h +@@ -33,6 +33,8 @@ typedef struct { + */ + atomic64_t tlb_gen; + ++ unsigned long next_trim_cpumask; ++ + #ifdef CONFIG_MODIFY_LDT_SYSCALL + struct rw_semaphore ldt_usr_sem; + struct ldt_struct *ldt; +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index b8d40ddeab00f..6f5c7584fe1e3 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -106,6 +106,7 @@ static inline int init_new_context(struct task_struct *tsk, + + mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id); + atomic64_set(&mm->context.tlb_gen, 0); ++ mm->context.next_trim_cpumask = jiffies + HZ; + + #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS + if (cpu_feature_enabled(X86_FEATURE_OSPKE)) { +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h +index cda3118f3b27d..d1eb6bbfd39e3 100644 +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -208,6 +208,7 @@ struct flush_tlb_info { + unsigned int initiating_cpu; + u8 stride_shift; + u8 freed_tables; ++ u8 trim_cpumask; + }; + + void flush_tlb_local(void); +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index c1e31e9a85d76..b07e2167fcebf 100644 +--- 
a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -878,9 +878,36 @@ static void flush_tlb_func(void *info) + nr_invalidate); + } + +-static bool tlb_is_not_lazy(int cpu, void *data) ++static bool should_flush_tlb(int cpu, void *data) + { +- return !per_cpu(cpu_tlbstate_shared.is_lazy, cpu); ++ struct flush_tlb_info *info = data; ++ ++ /* Lazy TLB will get flushed at the next context switch. */ ++ if (per_cpu(cpu_tlbstate_shared.is_lazy, cpu)) ++ return false; ++ ++ /* No mm means kernel memory flush. */ ++ if (!info->mm) ++ return true; ++ ++ /* The target mm is loaded, and the CPU is not lazy. */ ++ if (per_cpu(cpu_tlbstate.loaded_mm, cpu) == info->mm) ++ return true; ++ ++ /* In cpumask, but not the loaded mm? Periodically remove by flushing. */ ++ if (info->trim_cpumask) ++ return true; ++ ++ return false; ++} ++ ++static bool should_trim_cpumask(struct mm_struct *mm) ++{ ++ if (time_after(jiffies, READ_ONCE(mm->context.next_trim_cpumask))) { ++ WRITE_ONCE(mm->context.next_trim_cpumask, jiffies + HZ); ++ return true; ++ } ++ return false; + } + + DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state_shared, cpu_tlbstate_shared); +@@ -914,7 +941,7 @@ STATIC_NOPV void native_flush_tlb_multi(const struct cpumask *cpumask, + if (info->freed_tables) + on_each_cpu_mask(cpumask, flush_tlb_func, (void *)info, true); + else +- on_each_cpu_cond_mask(tlb_is_not_lazy, flush_tlb_func, ++ on_each_cpu_cond_mask(should_flush_tlb, flush_tlb_func, + (void *)info, 1, cpumask); + } + +@@ -965,6 +992,7 @@ static struct flush_tlb_info *get_flush_tlb_info(struct mm_struct *mm, + info->freed_tables = freed_tables; + info->new_tlb_gen = new_tlb_gen; + info->initiating_cpu = smp_processor_id(); ++ info->trim_cpumask = 0; + + return info; + } +@@ -1007,6 +1035,7 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + * flush_tlb_func_local() directly in this case. 
+ */ + if (cpumask_any_but(mm_cpumask(mm), cpu) < nr_cpu_ids) { ++ info->trim_cpumask = should_trim_cpumask(mm); + flush_tlb_multi(mm_cpumask(mm), info); + } else if (mm == this_cpu_read(cpu_tlbstate.loaded_mm)) { + lockdep_assert_irqs_enabled(); +-- +2.39.5 + diff --git a/queue-6.1/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch b/queue-6.1/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch new file mode 100644 index 0000000000..e66fadaada --- /dev/null +++ b/queue-6.1/x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch 
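Review bot: `should_flush_tlb()` compares `per_cpu(cpu_tlbstate.loaded_mm, cpu)` with `info->mm` through a plain remote read, with nothing ordering it against the target CPU's context switch. If that CPU is part-way through switching to `info->mm` (the switch path is outside this patch; the kernel marks that window with `LOADED_MM_SWITCHING`), the comparison fails and, unless `trim_cpumask` happens to be set, the IPI is skipped, which could leave a stale translation usable after the page was unmapped. I would treat the in-transition value as "must flush", e.g. `if (per_cpu(cpu_tlbstate.loaded_mm, cpu) == LOADED_MM_SWITCHING) return true;`, and add a comment naming the barrier this read is meant to pair with. The remaining tlb.c hunks only plumb `trim_cpumask` through.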
@@ -0,0 +1,171 @@ +From b1ea8b7b9e7ede4aa679756c2c6a9b9508ad42ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 11:16:28 +0100 +Subject: x86/xen: allow larger contiguous memory regions in PV guests + +From: Juergen Gross + +[ Upstream commit e93ec87286bd1fd30b7389e7a387cfb259f297e3 ] + +Today a PV guest (including dom0) can create 2MB contiguous memory +regions for DMA buffers at max. This has led to problems at least +with the megaraid_sas driver, which wants to allocate a 2.3MB DMA +buffer. + +The limiting factor is the frame array used to do the hypercall for +making the memory contiguous, which has 512 entries and is just a +static array in mmu_pv.c. + +In order to not waste memory for non-PV guests, put the initial +frame array into .init.data section and dynamically allocate an array +from the .init_after_bootmem hook of PV guests. + +In case a contiguous memory area larger than the initially supported +2MB is requested, allocate a larger buffer for the frame list. Note +that such an allocation is tried only after memory management has been +initialized properly, which is tested via a flag being set in the +.init_after_bootmem hook. + +Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers") +Signed-off-by: Juergen Gross +Tested-by: Alan Robinson +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 71 +++++++++++++++++++++++++++++++++++++------ + 1 file changed, 62 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index 22b619f89a1d7..6abce0816ca39 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -97,6 +97,51 @@ static pud_t level3_user_vsyscall[PTRS_PER_PUD] __page_aligned_bss; + */ + static DEFINE_SPINLOCK(xen_reservation_lock); + ++/* Protected by xen_reservation_lock. 
*/ ++#define MIN_CONTIG_ORDER 9 /* 2MB */ ++static unsigned int discontig_frames_order = MIN_CONTIG_ORDER; ++static unsigned long discontig_frames_early[1UL << MIN_CONTIG_ORDER] __initdata; ++static unsigned long *discontig_frames __refdata = discontig_frames_early; ++static bool discontig_frames_dyn; ++ ++static int alloc_discontig_frames(unsigned int order) ++{ ++ unsigned long *new_array, *old_array; ++ unsigned int old_order; ++ unsigned long flags; ++ ++ BUG_ON(order < MIN_CONTIG_ORDER); ++ BUILD_BUG_ON(sizeof(discontig_frames_early) != PAGE_SIZE); ++ ++ new_array = (unsigned long *)__get_free_pages(GFP_KERNEL, ++ order - MIN_CONTIG_ORDER); ++ if (!new_array) ++ return -ENOMEM; ++ ++ spin_lock_irqsave(&xen_reservation_lock, flags); ++ ++ old_order = discontig_frames_order; ++ ++ if (order > discontig_frames_order || !discontig_frames_dyn) { ++ if (!discontig_frames_dyn) ++ old_array = NULL; ++ else ++ old_array = discontig_frames; ++ ++ discontig_frames = new_array; ++ discontig_frames_order = order; ++ discontig_frames_dyn = true; ++ } else { ++ old_array = new_array; ++ } ++ ++ spin_unlock_irqrestore(&xen_reservation_lock, flags); ++ ++ free_pages((unsigned long)old_array, old_order - MIN_CONTIG_ORDER); ++ ++ return 0; ++} ++ + /* + * Note about cr3 (pagetable base) values: + * +@@ -797,6 +842,9 @@ static void __init xen_after_bootmem(void) + SetPagePinned(virt_to_page(level3_user_vsyscall)); + #endif + xen_pgd_walk(&init_mm, xen_mark_pinned, FIXADDR_TOP); ++ ++ if (alloc_discontig_frames(MIN_CONTIG_ORDER)) ++ BUG(); + } + + static void xen_unpin_page(struct mm_struct *mm, struct page *page, +@@ -2177,10 +2225,6 @@ void __init xen_init_mmu_ops(void) + memset(dummy_mapping, 0xff, PAGE_SIZE); + } + +-/* Protected by xen_reservation_lock. 
*/ +-#define MAX_CONTIG_ORDER 9 /* 2MB */ +-static unsigned long discontig_frames[1< MAX_CONTIG_ORDER)) +- return -ENOMEM; ++ if (unlikely(order > discontig_frames_order)) { ++ if (!discontig_frames_dyn) ++ return -ENOMEM; ++ ++ if (alloc_discontig_frames(order)) ++ return -ENOMEM; ++ } + + memset((void *) vstart, 0, PAGE_SIZE << order); + + spin_lock_irqsave(&xen_reservation_lock, flags); + ++ in_frames = discontig_frames; ++ + /* 1. Zap current PTEs, remembering MFNs. */ + xen_zap_pfn_range(vstart, order, in_frames, NULL); + +@@ -2332,12 +2383,12 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order, + + void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order) + { +- unsigned long *out_frames = discontig_frames, in_frame; ++ unsigned long *out_frames, in_frame; + unsigned long flags; + int success; + unsigned long vstart; + +- if (unlikely(order > MAX_CONTIG_ORDER)) ++ if (unlikely(order > discontig_frames_order)) + return; + + vstart = (unsigned long)phys_to_virt(pstart); +@@ -2345,6 +2396,8 @@ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order) + + spin_lock_irqsave(&xen_reservation_lock, flags); + ++ out_frames = discontig_frames; ++ + /* 1. Find start MFN of contiguous extent. */ + in_frame = virt_to_mfn(vstart); + +-- +2.39.5 + diff --git a/queue-6.1/xen-remove-a-confusing-comment-on-auto-translated-gu.patch b/queue-6.1/xen-remove-a-confusing-comment-on-auto-translated-gu.patch new file mode 100644 index 0000000000..0251f40247 --- /dev/null +++ b/queue-6.1/xen-remove-a-confusing-comment-on-auto-translated-gu.patch 
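Review bot: In `alloc_discontig_frames()` the final `free_pages()` always uses `old_order`, but on the `else` path the buffer being released is `new_array`, which was allocated with `order - MIN_CONTIG_ORDER`. `xen_create_contiguous_region()` tests `order > discontig_frames_order` before taking `xen_reservation_lock`, so two callers can race; the loser, if it asked for a smaller order than the one just installed, then frees its pages with a larger order than it allocated. Adding `old_order = order;` next to `old_array = new_array;` keeps the free matched to the allocation. Part of the later hunk in this file is garbled on the page, so the remaining callers could not be checked.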
@@ -0,0 +1,44 @@ +From c19e0e0c894a6fbd15846c09ddb5e1a213c9ea8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Aug 2023 18:31:51 +0200 +Subject: xen: remove a confusing comment on auto-translated guest I/O + +From: Petr Tesarik + +[ Upstream commit d826c9e61c99120f8996f8fed6417167e32eb922 ] + +After removing the conditional return from xen_create_contiguous_region(), +the accompanying comment was left in place, but it now precedes an +unrelated conditional and confuses readers. + +Fixes: 989513a735f5 ("xen: cleanup pvh leftovers from pv-only sources") +Signed-off-by: Petr Tesarik +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20230802163151.1486-1-petrtesarik@huaweicloud.com +Signed-off-by: Juergen Gross +Stable-dep-of: e93ec87286bd ("x86/xen: allow larger contiguous memory regions in PV guests") +Signed-off-by: Sasha Levin +--- + arch/x86/xen/mmu_pv.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c +index ee29fb558f2e6..22b619f89a1d7 100644 +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -2302,12 +2302,6 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order, + int success; + unsigned long vstart = (unsigned long)phys_to_virt(pstart); + +- /* +- * Currently an auto-translated guest will not perform I/O, nor will +- * it require PAE page directories below 4GB. Therefore any calls to +- * this function are redundant and can be ignored. +- */ +- + if (unlikely(order > MAX_CONTIG_ORDER)) + return -ENOMEM; + +-- +2.39.5 + diff --git a/queue-6.1/xen-swiotlb-relax-alignment-requirements.patch b/queue-6.1/xen-swiotlb-relax-alignment-requirements.patch new file mode 100644 index 0000000000..b6404187a2 --- /dev/null +++ b/queue-6.1/xen-swiotlb-relax-alignment-requirements.patch 
@@ -0,0 +1,84 @@
+From 1883489892fb48fb1e296900de296030d2ecbd21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Feb 2025 08:43:39 +0100
+Subject: xen/swiotlb: relax alignment requirements
+
+From: Juergen Gross
+
+[ Upstream commit 85fcb57c983f423180ba6ec5d0034242da05cc54 ]
+
+When mapping a buffer for DMA via .map_page or .map_sg DMA operations,
+there is no need to check the machine frames to be aligned according
+to the mapped areas size. All what is needed in these cases is that the
+buffer is contiguous at machine level.
+
+So carve out the alignment check from range_straddles_page_boundary()
+and move it to a helper called by xen_swiotlb_alloc_coherent() and
+xen_swiotlb_free_coherent() directly.
+
+Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers")
+Reported-by: Jan Vejvalka
+Tested-by: Jan Vejvalka
+Signed-off-by: Juergen Gross
+Reviewed-by: Stefano Stabellini
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/swiotlb-xen.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 0451e6ebc21a3..0893c1012de62 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -74,19 +74,21 @@ static inline phys_addr_t xen_dma_to_phys(struct device *dev,
+ return xen_bus_to_phys(dev, dma_to_phys(dev, dma_addr));
+ }
+
++static inline bool range_requires_alignment(phys_addr_t p, size_t size)
++{
++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT);
++ phys_addr_t bus_addr = pfn_to_bfn(XEN_PFN_DOWN(p)) << XEN_PAGE_SHIFT;
++
++ return IS_ALIGNED(p, algn) && !IS_ALIGNED(bus_addr, algn);
++}
++
+ static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
+ {
+ unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p);
+ unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size);
+- phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT);
+
+ next_bfn = pfn_to_bfn(xen_pfn);
+
+- /* If buffer is physically aligned, ensure DMA alignment. */
+- if (IS_ALIGNED(p, algn) &&
+- !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn))
+- return 1;
+-
+ for (i = 1; i < nr_pages; i++)
+ if (pfn_to_bfn(++xen_pfn) != ++next_bfn)
+ return 1;
+@@ -155,7 +157,8 @@ xen_swiotlb_alloc_coherent(struct device *dev, size_t size,
+
+ *dma_handle = xen_phys_to_dma(dev, phys);
+ if (*dma_handle + size - 1 > dma_mask ||
+- range_straddles_page_boundary(phys, size)) {
++ range_straddles_page_boundary(phys, size) ||
++ range_requires_alignment(phys, size)) {
+ if (xen_create_contiguous_region(phys, order, fls64(dma_mask),
+ dma_handle) != 0)
+ goto out_free_pages;
+@@ -181,7 +184,8 @@ xen_swiotlb_free_coherent(struct device *dev, size_t size, void *vaddr,
+ size = ALIGN(size, XEN_PAGE_SIZE);
+
+ if (WARN_ON_ONCE(dma_handle + size - 1 > dev->coherent_dma_mask) ||
+- WARN_ON_ONCE(range_straddles_page_boundary(phys, size)))
++ WARN_ON_ONCE(range_straddles_page_boundary(phys, size) ||
++ range_requires_alignment(phys, size)))
+ return;
+
+ if (TestClearPageXenRemapped(virt_to_page(vaddr)))
+--
+2.39.5
+
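Review bot: The new `range_requires_alignment()` helper computes the bus address as `pfn_to_bfn(XEN_PFN_DOWN(p)) << XEN_PAGE_SHIFT`, without the `(phys_addr_t)` cast that the removed check in `range_straddles_page_boundary()` applied before shifting. If `pfn_to_bfn()` returns `unsigned long` (its definition is not in this patch), the shift happens in that width, so on a configuration where `phys_addr_t` is wider the high bits are lost before the assignment. The alignment test reads only low bits, so the result is probably unchanged, but keeping the cast avoids relying on that: `phys_addr_t bus_addr = (phys_addr_t)pfn_to_bfn(XEN_PFN_DOWN(p)) << XEN_PAGE_SHIFT;`. The helper also dropped the removed comment; restoring `/* If buffer is physically aligned, ensure DMA alignment. */` above the `return` would document that it is true only when the physical address is aligned and the bus address is not.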