From: Greg Kroah-Hartman Date: Sat, 30 Mar 2024 09:52:57 +0000 (+0100) Subject: 6.8-stable patches X-Git-Tag: v6.7.12~109 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aab3040bcd7bb11638da8329a724be819af36e60;p=thirdparty%2Fkernel%2Fstable-queue.git 6.8-stable patches added patches: block-do-not-force-full-zone-append-completion-in-req_bio_endio.patch btrfs-zoned-don-t-skip-block-groups-with-100-zone-unusable.patch btrfs-zoned-fix-use-after-free-in-do_zone_finish.patch btrfs-zoned-use-zone-aware-sb-location-for-scrub.patch drm-amd-display-remove-mpc-rate-control-logic-from-dcn30-and-above.patch drm-amd-display-set-dcn351-bb-and-ip-the-same-as-dcn35.patch drm-amdgpu-fix-deadlock-while-reading-mqd-from-debugfs.patch drm-amdkfd-fix-tlb-flush-after-unmap-for-gfx9.4.2.patch drm-dp-fix-divide-by-zero-regression-on-dp-mst-unplug-with-nouveau.patch drm-vmwgfx-create-debugfs-ttm_resource_manager-entry-only-if-needed.patch drm-xe-query-fix-gt_id-bounds-check.patch exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch fbdev-select-i-o-memory-framebuffer-ops-for-sbus.patch gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch hexagon-vmlinux.lds.s-handle-attributes-section.patch mm-cachestat-fix-two-shmem-bugs.patch mmc-core-avoid-negative-index-with-array-access.patch mmc-core-initialize-mmc_blk_ioc_data.patch mmc-sdhci-omap-re-tuning-is-needed-after-a-pm-transition-to-support-emmc-hs200-mode.patch net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch net-phy-qcom-at803x-fix-kernel-panic-with-at8031_probe.patch net-wan-framer-add-missing-static-inline-qualifiers.patch nouveau-dmem-handle-kcalloc-allocation-failure.patch revert-drm-amd-display-fix-sending-vsc-colorimetry-packets-for-dp-edp-displays-without-psr.patch revert-thermal-core-don-t-update-trip-points-inside-the-hysteresis-range.patch sdhci-of-dwcmshc-disable-pm-runtime-in-dwcmshc_remove.patch selftests-mm-fix-arm-related-issue-with-fork-after-pthread_create.patch 
selftests-mm-sigbus-wp-test-requires-uffd_feature_wp_hugetlbfs_shmem.patch thermal-devfreq_cooling-fix-perf-state-when-calculate-dfc-res_util.patch wifi-cfg80211-add-a-flag-to-disable-wireless-extensions.patch wifi-iwlwifi-fw-don-t-always-use-fw-dump-trig.patch wifi-iwlwifi-mvm-disable-mlo-for-the-time-being.patch wifi-iwlwifi-mvm-handle-debugfs-names-more-carefully.patch wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
---
diff --git a/queue-6.8/block-do-not-force-full-zone-append-completion-in-req_bio_endio.patch b/queue-6.8/block-do-not-force-full-zone-append-completion-in-req_bio_endio.patch
new file mode 100644
index 00000000000..80f5ac2a323
--- /dev/null
+++ b/queue-6.8/block-do-not-force-full-zone-append-completion-in-req_bio_endio.patch
@@ -0,0 +1,53 @@
+From 55251fbdf0146c252ceff146a1bb145546f3e034 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Thu, 28 Mar 2024 09:43:40 +0900
+Subject: block: Do not force full zone append completion in req_bio_endio()
+
+From: Damien Le Moal
+
+commit 55251fbdf0146c252ceff146a1bb145546f3e034 upstream.
+
+This reverts commit 748dc0b65ec2b4b7b3dbd7befcc4a54fdcac7988.
+
+Partial zone append completions cannot be supported as there is no
+guarantees that the fragmented data will be written sequentially in the
+same manner as with a full command. Commit 748dc0b65ec2 ("block: fix
+partial zone append completion handling in req_bio_endio()") changed
+req_bio_endio() to always advance a partially failed BIO by its full
+length, but this can lead to incorrect accounting. So revert this
+change and let low level device drivers handle this case by always
+failing completely zone append operations. With this revert, users will
+still see an IO error for a partially completed zone append BIO.
+
+Fixes: 748dc0b65ec2 ("block: fix partial zone append completion handling in req_bio_endio()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20240328004409.594888-2-dlemoal@kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-mq.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -771,16 +771,11 @@ static void req_bio_endio(struct request
+ /*
+ * Partial zone append completions cannot be supported as the
+ * BIO fragments may end up not being written sequentially.
+- * For such case, force the completed nbytes to be equal to
+- * the BIO size so that bio_advance() sets the BIO remaining
+- * size to 0 and we end up calling bio_endio() before returning.
+ */
+- if (bio->bi_iter.bi_size != nbytes) {
++ if (bio->bi_iter.bi_size != nbytes)
+ bio->bi_status = BLK_STS_IOERR;
+- nbytes = bio->bi_iter.bi_size;
+- } else {
++ else
+ bio->bi_iter.bi_sector = rq->__sector;
+- }
+ }
+
+ bio_advance(bio, nbytes);
diff --git a/queue-6.8/btrfs-zoned-don-t-skip-block-groups-with-100-zone-unusable.patch b/queue-6.8/btrfs-zoned-don-t-skip-block-groups-with-100-zone-unusable.patch
new file mode 100644
index 00000000000..2a254765f56
--- /dev/null
+++ b/queue-6.8/btrfs-zoned-don-t-skip-block-groups-with-100-zone-unusable.patch
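Review bot: The comment kept above the `bi_size != nbytes` check in req_bio_endio() no longer says what happens to a partially completed zone append: the BIO is marked `BLK_STS_IOERR` but is then advanced only by `nbytes`, so unlike before it is not forced to completion at this point. The commit message states that low-level drivers are expected to fail zone append operations completely; I would record that next to the check, e.g. `* Flag the BIO as failed; drivers must fail zone append requests in full, so a partial completion is not expected here.` The function starts and ends outside the hunk, so whether a later path still ends the BIO is not visible.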
@@ -0,0 +1,45 @@
+From a8b70c7f8600bc77d03c0b032c0662259b9e615e Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn
+Date: Wed, 21 Feb 2024 07:35:52 -0800
+Subject: btrfs: zoned: don't skip block groups with 100% zone unusable
+
+From: Johannes Thumshirn
+
+commit a8b70c7f8600bc77d03c0b032c0662259b9e615e upstream.
+
+Commit f4a9f219411f ("btrfs: do not delete unused block group if it may be
+used soon") changed the behaviour of deleting unused block-groups on zoned
+filesystems. Starting with this commit, we're using
+btrfs_space_info_used() to calculate the number of used bytes in a
+space_info. But btrfs_space_info_used() also accounts
+btrfs_space_info::bytes_zone_unusable as used bytes.
+
+So if a block group is 100% zone_unusable it is skipped from the deletion
+step.
+
+In order not to skip fully zone_unusable block-groups, also check if the
+block-group has bytes left that can be used on a zoned filesystem.
+
+Fixes: f4a9f219411f ("btrfs: do not delete unused block group if it may be used soon")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana
+Signed-off-by: Johannes Thumshirn
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/block-group.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -1550,7 +1550,8 @@ void btrfs_delete_unused_bgs(struct btrf
+ * needing to allocate extents from the block group.
+ */
+ used = btrfs_space_info_used(space_info, true);
+- if (space_info->total_bytes - block_group->length < used) {
++ if (space_info->total_bytes - block_group->length < used &&
++ block_group->zone_unusable < block_group->length) {
+ /*
+ * Add a reference for the list, compensate for the ref
+ * drop under the "next" label for the
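Review bot: The added `block_group->zone_unusable < block_group->length` clause in btrfs_delete_unused_bgs() is not explained by the comment that precedes the check, which, as far as the hunk shows, still only talks about needing to allocate extents from the block group. A one-line addition such as `* On zoned filesystems a fully zone_unusable block group is still deleted, since none of its bytes can be allocated.` would keep the reason next to the condition instead of only in the commit message. The comment and the function both begin outside the hunk, so the existing wording is only partly visible.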
diff --git a/queue-6.8/btrfs-zoned-fix-use-after-free-in-do_zone_finish.patch b/queue-6.8/btrfs-zoned-fix-use-after-free-in-do_zone_finish.patch
new file mode 100644
index 00000000000..f3e495b2574
--- /dev/null
+++ b/queue-6.8/btrfs-zoned-fix-use-after-free-in-do_zone_finish.patch
@@ -0,0 +1,195 @@ +From 1ec17ef59168a1a6f1105f5dc517f783839a5302 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 28 Feb 2024 12:13:27 +0100 +Subject: btrfs: zoned: fix use-after-free in do_zone_finish() + +From: Johannes Thumshirn + +commit 1ec17ef59168a1a6f1105f5dc517f783839a5302 upstream. + +Shinichiro reported the following use-after-free triggered by the device +replace operation in fstests btrfs/070. + + BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 + ================================================================== + BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] + Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007 + + CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 + Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 + Call Trace: + + dump_stack_lvl+0x5b/0x90 + print_report+0xcf/0x670 + ? __virt_addr_valid+0x200/0x3e0 + kasan_report+0xd8/0x110 + ? do_zone_finish+0x91a/0xb90 [btrfs] + ? do_zone_finish+0x91a/0xb90 [btrfs] + do_zone_finish+0x91a/0xb90 [btrfs] + btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs] + ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] + ? btrfs_put_root+0x2d/0x220 [btrfs] + ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs] + cleaner_kthread+0x21e/0x380 [btrfs] + ? __pfx_cleaner_kthread+0x10/0x10 [btrfs] + kthread+0x2e3/0x3c0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x31/0x70 + ? 
__pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + + Allocated by task 3493983: + kasan_save_stack+0x33/0x60 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0xaa/0xb0 + btrfs_alloc_device+0xb3/0x4e0 [btrfs] + device_list_add.constprop.0+0x993/0x1630 [btrfs] + btrfs_scan_one_device+0x219/0x3d0 [btrfs] + btrfs_control_ioctl+0x26e/0x310 [btrfs] + __x64_sys_ioctl+0x134/0x1b0 + do_syscall_64+0x99/0x190 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + + Freed by task 3494056: + kasan_save_stack+0x33/0x60 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3f/0x60 + poison_slab_object+0x102/0x170 + __kasan_slab_free+0x32/0x70 + kfree+0x11b/0x320 + btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs] + btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs] + btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] + btrfs_ioctl+0xb27/0x57d0 [btrfs] + __x64_sys_ioctl+0x134/0x1b0 + do_syscall_64+0x99/0x190 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + + The buggy address belongs to the object at ffff8881543c8000 + which belongs to the cache kmalloc-1k of size 1024 + The buggy address is located 96 bytes inside of + freed 1024-byte region [ffff8881543c8000, ffff8881543c8400) + + The buggy address belongs to the physical page: + page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 + head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) + page_type: 0xffffffff() + raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 + raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb 
fb fb fb fb fb + ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +This UAF happens because we're accessing stale zone information of a +already removed btrfs_device in do_zone_finish(). + +The sequence of events is as follows: + +btrfs_dev_replace_start + btrfs_scrub_dev + btrfs_dev_replace_finishing + btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced + btrfs_rm_dev_replace_free_srcdev + btrfs_free_device <-- device freed + +cleaner_kthread + btrfs_delete_unused_bgs + btrfs_zone_finish + do_zone_finish <-- refers the freed device + +The reason for this is that we're using a cached pointer to the chunk_map +from the block group, but on device replace this cached pointer can +contain stale device entries. + +The staleness comes from the fact, that btrfs_block_group::physical_map is +not a pointer to a btrfs_chunk_map but a memory copy of it. + +Also take the fs_info::dev_replace::rwsem to prevent +btrfs_dev_replace_update_device_in_mapping_tree() from changing the device +underneath us again. + +Note: btrfs_dev_replace_update_device_in_mapping_tree() is holding +fs_info::mapping_tree_lock, but as this is a spinning read/write lock we +cannot take it as the call to blkdev_zone_mgmt() requires a memory +allocation which may not sleep. +But btrfs_dev_replace_update_device_in_mapping_tree() is always called with +the fs_info::dev_replace::rwsem held in write mode. + +Many thanks to Shinichiro for analyzing the bug. 
+ +Reported-by: Shinichiro Kawasaki +CC: stable@vger.kernel.org # 6.8 +Reviewed-by: Filipe Manana +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -1563,11 +1563,7 @@ int btrfs_load_block_group_zone_info(str + if (!map) + return -EINVAL; + +- cache->physical_map = btrfs_clone_chunk_map(map, GFP_NOFS); +- if (!cache->physical_map) { +- ret = -ENOMEM; +- goto out; +- } ++ cache->physical_map = map; + + zone_info = kcalloc(map->num_stripes, sizeof(*zone_info), GFP_NOFS); + if (!zone_info) { +@@ -1679,7 +1675,6 @@ out: + } + bitmap_free(active); + kfree(zone_info); +- btrfs_free_chunk_map(map); + + return ret; + } +@@ -2164,6 +2159,7 @@ static int do_zone_finish(struct btrfs_b + struct btrfs_chunk_map *map; + const bool is_metadata = (block_group->flags & + (BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_SYSTEM)); ++ struct btrfs_dev_replace *dev_replace = &fs_info->dev_replace; + int ret = 0; + int i; + +@@ -2239,6 +2235,7 @@ static int do_zone_finish(struct btrfs_b + btrfs_clear_data_reloc_bg(block_group); + spin_unlock(&block_group->lock); + ++ down_read(&dev_replace->rwsem); + map = block_group->physical_map; + for (i = 0; i < map->num_stripes; i++) { + struct btrfs_device *device = map->stripes[i].dev; +@@ -2253,13 +2250,16 @@ static int do_zone_finish(struct btrfs_b + zinfo->zone_size >> SECTOR_SHIFT, + GFP_NOFS); + +- if (ret) ++ if (ret) { ++ up_read(&dev_replace->rwsem); + return ret; ++ } + + if (!(block_group->flags & BTRFS_BLOCK_GROUP_DATA)) + zinfo->reserved_active_zones++; + btrfs_dev_clear_active_zone(device, physical); + } ++ up_read(&dev_replace->rwsem); + + if (!fully_written) + btrfs_dec_block_group_ro(block_group); 
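Review bot: The `down_read(&dev_replace->rwsem)` added in do_zone_finish() carries the whole use-after-free argument but has no comment, so a later cleanup could narrow or drop the lock without noticing that `map->stripes[i].dev` is only stable while it is held. I would add above it `/* Hold dev_replace->rwsem: device replace rewrites map->stripes[].dev under it in write mode, and mapping_tree_lock cannot be held across blkdev_zone_mgmt(). */`, which is the reasoning the commit message gives. Separately, `cache->physical_map = map` in btrfs_load_block_group_zone_info() now keeps the looked-up reference instead of a clone; the error branch under `out:` is outside the visible hunk, so confirm it still drops that reference exactly once now that the trailing `btrfs_free_chunk_map(map)` is gone. Both functions start and end outside their hunks.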
diff --git a/queue-6.8/btrfs-zoned-use-zone-aware-sb-location-for-scrub.patch b/queue-6.8/btrfs-zoned-use-zone-aware-sb-location-for-scrub.patch
new file mode 100644
index 00000000000..34c9b0882bb
--- /dev/null
+++ b/queue-6.8/btrfs-zoned-use-zone-aware-sb-location-for-scrub.patch
@@ -0,0 +1,52 @@
+From 74098a989b9c3370f768140b7783a7aaec2759b3 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn
+Date: Mon, 26 Feb 2024 16:39:13 +0100
+Subject: btrfs: zoned: use zone aware sb location for scrub
+
+From: Johannes Thumshirn
+
+commit 74098a989b9c3370f768140b7783a7aaec2759b3 upstream.
+
+At the moment scrub_supers() doesn't grab the super block's location via
+the zoned device aware btrfs_sb_log_location() but via btrfs_sb_offset().
+
+This leads to checksum errors on 'scrub' as we're not accessing the
+correct location of the super block.
+
+So use btrfs_sb_log_location() for getting the super blocks location on
+scrub.
+
+Reported-by: WA AM
+Link: http://lore.kernel.org/linux-btrfs/CANU2Z0EvUzfYxczLgGUiREoMndE9WdQnbaawV5Fv5gNXptPUKw@mail.gmail.com
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo
+Reviewed-by: Naohiro Aota
+Signed-off-by: Johannes Thumshirn
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/scrub.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2805,7 +2805,17 @@ static noinline_for_stack int scrub_supe
+ gen = btrfs_get_last_trans_committed(fs_info);
+
+ for (i = 0; i < BTRFS_SUPER_MIRROR_MAX; i++) {
+- bytenr = btrfs_sb_offset(i);
++ ret = btrfs_sb_log_location(scrub_dev, i, 0, &bytenr);
++ if (ret == -ENOENT)
++ break;
++
++ if (ret) {
++ spin_lock(&sctx->stat_lock);
++ sctx->stat.super_errors++;
++ spin_unlock(&sctx->stat_lock);
++ continue;
++ }
++
+ if (bytenr + BTRFS_SUPER_INFO_SIZE >
+ scrub_dev->commit_total_bytes)
+ break;
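Review bot: In scrub_supers() the new call `btrfs_sb_log_location(scrub_dev, i, 0, &bytenr)` passes a bare `0` as its third argument, and the `-ENOENT` case ends the loop without a comment while every other error is counted in `super_errors` and skipped. If that argument is the read/write direction, as it appears to be, `READ` would say so: `ret = btrfs_sb_log_location(scrub_dev, i, READ, &bytenr);`. I would also add a line such as `/* -ENOENT: no super block copy for this mirror on the device, stop here */` once that meaning is confirmed against btrfs_sb_log_location(), because a scrub that stops early without saying why is hard to tell apart from one that checked every copy. The loop body continues past the end of the hunk.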
diff --git a/queue-6.8/drm-amd-display-remove-mpc-rate-control-logic-from-dcn30-and-above.patch b/queue-6.8/drm-amd-display-remove-mpc-rate-control-logic-from-dcn30-and-above.patch
new file mode 100644
index 00000000000..db4efcb47e1
--- /dev/null
+++ b/queue-6.8/drm-amd-display-remove-mpc-rate-control-logic-from-dcn30-and-above.patch
@@ -0,0 +1,369 @@ +From edfa93d87fc46913868481fe8ed3fb62c891ffb5 Mon Sep 17 00:00:00 2001 +From: George Shen +Date: Fri, 16 Feb 2024 19:37:03 -0500 +Subject: drm/amd/display: Remove MPC rate control logic from DCN30 and above + +From: George Shen + +commit edfa93d87fc46913868481fe8ed3fb62c891ffb5 upstream. + +[Why] +MPC flow rate control is not needed for DCN30 and above. Current logic +that uses it can result in underflow for certain edge cases (such as +DSC N422 + ODM combine + 422 left edge pixel). + +[How] +Remove MPC flow rate control logic and programming for DCN30 and above. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Wenjing Liu +Acked-by: Tom Chung +Signed-off-by: George Shen +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_mpc.c | 54 ++++++++------ + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_mpc.h | 14 +-- + drivers/gpu/drm/amd/display/dc/dcn32/dcn32_mpc.c | 5 - + drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c | 41 ---------- + drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c | 41 ---------- + drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 41 ---------- + 6 files changed, 41 insertions(+), 155 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_mpc.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_mpc.c +@@ -44,6 +44,36 @@ + #define NUM_ELEMENTS(a) (sizeof(a) / sizeof((a)[0])) + + ++void mpc3_mpc_init(struct mpc *mpc) ++{ ++ struct dcn30_mpc *mpc30 = TO_DCN30_MPC(mpc); ++ int opp_id; ++ ++ mpc1_mpc_init(mpc); ++ ++ for (opp_id = 0; opp_id < MAX_OPP; opp_id++) { ++ if (REG(MUX[opp_id])) ++ /* disable mpc out rate and flow control */ ++ REG_UPDATE_2(MUX[opp_id], MPC_OUT_RATE_CONTROL_DISABLE, ++ 1, MPC_OUT_FLOW_CONTROL_COUNT, 0); ++ } ++} ++ ++void mpc3_mpc_init_single_inst(struct mpc *mpc, unsigned int mpcc_id) ++{ ++ struct dcn30_mpc *mpc30 = TO_DCN30_MPC(mpc); ++ ++ 
mpc1_mpc_init_single_inst(mpc, mpcc_id); ++ ++ /* assuming mpc out mux is connected to opp with the same index at this ++ * point in time (e.g. transitioning from vbios to driver) ++ */ ++ if (mpcc_id < MAX_OPP && REG(MUX[mpcc_id])) ++ /* disable mpc out rate and flow control */ ++ REG_UPDATE_2(MUX[mpcc_id], MPC_OUT_RATE_CONTROL_DISABLE, ++ 1, MPC_OUT_FLOW_CONTROL_COUNT, 0); ++} ++ + bool mpc3_is_dwb_idle( + struct mpc *mpc, + int dwb_id) +@@ -80,25 +110,6 @@ void mpc3_disable_dwb_mux( + MPC_DWB0_MUX, 0xf); + } + +-void mpc3_set_out_rate_control( +- struct mpc *mpc, +- int opp_id, +- bool enable, +- bool rate_2x_mode, +- struct mpc_dwb_flow_control *flow_control) +-{ +- struct dcn30_mpc *mpc30 = TO_DCN30_MPC(mpc); +- +- REG_UPDATE_2(MUX[opp_id], +- MPC_OUT_RATE_CONTROL_DISABLE, !enable, +- MPC_OUT_RATE_CONTROL, rate_2x_mode); +- +- if (flow_control) +- REG_UPDATE_2(MUX[opp_id], +- MPC_OUT_FLOW_CONTROL_MODE, flow_control->flow_ctrl_mode, +- MPC_OUT_FLOW_CONTROL_COUNT, flow_control->flow_ctrl_cnt1); +-} +- + enum dc_lut_mode mpc3_get_ogam_current(struct mpc *mpc, int mpcc_id) + { + /*Contrary to DCN2 and DCN1 wherein a single status register field holds this info; +@@ -1386,8 +1397,8 @@ static const struct mpc_funcs dcn30_mpc_ + .read_mpcc_state = mpc1_read_mpcc_state, + .insert_plane = mpc1_insert_plane, + .remove_mpcc = mpc1_remove_mpcc, +- .mpc_init = mpc1_mpc_init, +- .mpc_init_single_inst = mpc1_mpc_init_single_inst, ++ .mpc_init = mpc3_mpc_init, ++ .mpc_init_single_inst = mpc3_mpc_init_single_inst, + .update_blending = mpc2_update_blending, + .cursor_lock = mpc1_cursor_lock, + .get_mpcc_for_dpp = mpc1_get_mpcc_for_dpp, +@@ -1404,7 +1415,6 @@ static const struct mpc_funcs dcn30_mpc_ + .set_dwb_mux = mpc3_set_dwb_mux, + .disable_dwb_mux = mpc3_disable_dwb_mux, + .is_dwb_idle = mpc3_is_dwb_idle, +- .set_out_rate_control = mpc3_set_out_rate_control, + .set_gamut_remap = mpc3_set_gamut_remap, + .program_shaper = mpc3_program_shaper, + .acquire_rmu = 
mpcc3_acquire_rmu, +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_mpc.h ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_mpc.h +@@ -1007,6 +1007,13 @@ void dcn30_mpc_construct(struct dcn30_mp + int num_mpcc, + int num_rmu); + ++void mpc3_mpc_init( ++ struct mpc *mpc); ++ ++void mpc3_mpc_init_single_inst( ++ struct mpc *mpc, ++ unsigned int mpcc_id); ++ + bool mpc3_program_shaper( + struct mpc *mpc, + const struct pwl_params *params, +@@ -1074,13 +1081,6 @@ bool mpc3_is_dwb_idle( + struct mpc *mpc, + int dwb_id); + +-void mpc3_set_out_rate_control( +- struct mpc *mpc, +- int opp_id, +- bool enable, +- bool rate_2x_mode, +- struct mpc_dwb_flow_control *flow_control); +- + void mpc3_power_on_ogam_lut( + struct mpc *mpc, int mpcc_id, + bool power_on); +--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_mpc.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_mpc.c +@@ -47,7 +47,7 @@ void mpc32_mpc_init(struct mpc *mpc) + struct dcn30_mpc *mpc30 = TO_DCN30_MPC(mpc); + int mpcc_id; + +- mpc1_mpc_init(mpc); ++ mpc3_mpc_init(mpc); + + if (mpc->ctx->dc->debug.enable_mem_low_power.bits.mpc) { + if (mpc30->mpc_mask->MPCC_MCM_SHAPER_MEM_LOW_PWR_MODE && mpc30->mpc_mask->MPCC_MCM_3DLUT_MEM_LOW_PWR_MODE) { +@@ -991,7 +991,7 @@ static const struct mpc_funcs dcn32_mpc_ + .insert_plane = mpc1_insert_plane, + .remove_mpcc = mpc1_remove_mpcc, + .mpc_init = mpc32_mpc_init, +- .mpc_init_single_inst = mpc1_mpc_init_single_inst, ++ .mpc_init_single_inst = mpc3_mpc_init_single_inst, + .update_blending = mpc2_update_blending, + .cursor_lock = mpc1_cursor_lock, + .get_mpcc_for_dpp = mpc1_get_mpcc_for_dpp, +@@ -1008,7 +1008,6 @@ static const struct mpc_funcs dcn32_mpc_ + .set_dwb_mux = mpc3_set_dwb_mux, + .disable_dwb_mux = mpc3_disable_dwb_mux, + .is_dwb_idle = mpc3_is_dwb_idle, +- .set_out_rate_control = mpc3_set_out_rate_control, + .set_gamut_remap = mpc3_set_gamut_remap, + .program_shaper = mpc32_program_shaper, + .program_3dlut = mpc32_program_3dlut, +--- 
a/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c +@@ -69,29 +69,6 @@ + #define FN(reg_name, field_name) \ + hws->shifts->field_name, hws->masks->field_name + +-static int calc_mpc_flow_ctrl_cnt(const struct dc_stream_state *stream, +- int opp_cnt) +-{ +- bool hblank_halved = optc2_is_two_pixels_per_containter(&stream->timing); +- int flow_ctrl_cnt; +- +- if (opp_cnt >= 2) +- hblank_halved = true; +- +- flow_ctrl_cnt = stream->timing.h_total - stream->timing.h_addressable - +- stream->timing.h_border_left - +- stream->timing.h_border_right; +- +- if (hblank_halved) +- flow_ctrl_cnt /= 2; +- +- /* ODM combine 4:1 case */ +- if (opp_cnt == 4) +- flow_ctrl_cnt /= 2; +- +- return flow_ctrl_cnt; +-} +- + static void update_dsc_on_stream(struct pipe_ctx *pipe_ctx, bool enable) + { + struct display_stream_compressor *dsc = pipe_ctx->stream_res.dsc; +@@ -183,10 +160,6 @@ void dcn314_update_odm(struct dc *dc, st + struct pipe_ctx *odm_pipe; + int opp_cnt = 0; + int opp_inst[MAX_PIPES] = {0}; +- bool rate_control_2x_pclk = (pipe_ctx->stream->timing.flags.INTERLACE || optc2_is_two_pixels_per_containter(&pipe_ctx->stream->timing)); +- struct mpc_dwb_flow_control flow_control; +- struct mpc *mpc = dc->res_pool->mpc; +- int i; + + opp_cnt = get_odm_config(pipe_ctx, opp_inst); + +@@ -199,20 +172,6 @@ void dcn314_update_odm(struct dc *dc, st + pipe_ctx->stream_res.tg->funcs->set_odm_bypass( + pipe_ctx->stream_res.tg, &pipe_ctx->stream->timing); + +- rate_control_2x_pclk = rate_control_2x_pclk || opp_cnt > 1; +- flow_control.flow_ctrl_mode = 0; +- flow_control.flow_ctrl_cnt0 = 0x80; +- flow_control.flow_ctrl_cnt1 = calc_mpc_flow_ctrl_cnt(pipe_ctx->stream, opp_cnt); +- if (mpc->funcs->set_out_rate_control) { +- for (i = 0; i < opp_cnt; ++i) { +- mpc->funcs->set_out_rate_control( +- mpc, opp_inst[i], +- true, +- rate_control_2x_pclk, +- &flow_control); +- } +- } +- + for (odm_pipe = pipe_ctx->next_odm_pipe; 
odm_pipe; odm_pipe = odm_pipe->next_odm_pipe) { + odm_pipe->stream_res.opp->funcs->opp_pipe_clock_control( + odm_pipe->stream_res.opp, +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c +@@ -966,29 +966,6 @@ void dcn32_init_hw(struct dc *dc) + } + } + +-static int calc_mpc_flow_ctrl_cnt(const struct dc_stream_state *stream, +- int opp_cnt) +-{ +- bool hblank_halved = optc2_is_two_pixels_per_containter(&stream->timing); +- int flow_ctrl_cnt; +- +- if (opp_cnt >= 2) +- hblank_halved = true; +- +- flow_ctrl_cnt = stream->timing.h_total - stream->timing.h_addressable - +- stream->timing.h_border_left - +- stream->timing.h_border_right; +- +- if (hblank_halved) +- flow_ctrl_cnt /= 2; +- +- /* ODM combine 4:1 case */ +- if (opp_cnt == 4) +- flow_ctrl_cnt /= 2; +- +- return flow_ctrl_cnt; +-} +- + static void update_dsc_on_stream(struct pipe_ctx *pipe_ctx, bool enable) + { + struct display_stream_compressor *dsc = pipe_ctx->stream_res.dsc; +@@ -1103,10 +1080,6 @@ void dcn32_update_odm(struct dc *dc, str + struct pipe_ctx *odm_pipe; + int opp_cnt = 0; + int opp_inst[MAX_PIPES] = {0}; +- bool rate_control_2x_pclk = (pipe_ctx->stream->timing.flags.INTERLACE || optc2_is_two_pixels_per_containter(&pipe_ctx->stream->timing)); +- struct mpc_dwb_flow_control flow_control; +- struct mpc *mpc = dc->res_pool->mpc; +- int i; + + opp_cnt = get_odm_config(pipe_ctx, opp_inst); + +@@ -1119,20 +1092,6 @@ void dcn32_update_odm(struct dc *dc, str + pipe_ctx->stream_res.tg->funcs->set_odm_bypass( + pipe_ctx->stream_res.tg, &pipe_ctx->stream->timing); + +- rate_control_2x_pclk = rate_control_2x_pclk || opp_cnt > 1; +- flow_control.flow_ctrl_mode = 0; +- flow_control.flow_ctrl_cnt0 = 0x80; +- flow_control.flow_ctrl_cnt1 = calc_mpc_flow_ctrl_cnt(pipe_ctx->stream, opp_cnt); +- if (mpc->funcs->set_out_rate_control) { +- for (i = 0; i < opp_cnt; ++i) { +- mpc->funcs->set_out_rate_control( +- mpc, opp_inst[i], +- true, +- 
rate_control_2x_pclk, +- &flow_control); +- } +- } +- + for (odm_pipe = pipe_ctx->next_odm_pipe; odm_pipe; odm_pipe = odm_pipe->next_odm_pipe) { + odm_pipe->stream_res.opp->funcs->opp_pipe_clock_control( + odm_pipe->stream_res.opp, +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +@@ -358,29 +358,6 @@ void dcn35_init_hw(struct dc *dc) + } + } + +-static int calc_mpc_flow_ctrl_cnt(const struct dc_stream_state *stream, +- int opp_cnt) +-{ +- bool hblank_halved = optc2_is_two_pixels_per_containter(&stream->timing); +- int flow_ctrl_cnt; +- +- if (opp_cnt >= 2) +- hblank_halved = true; +- +- flow_ctrl_cnt = stream->timing.h_total - stream->timing.h_addressable - +- stream->timing.h_border_left - +- stream->timing.h_border_right; +- +- if (hblank_halved) +- flow_ctrl_cnt /= 2; +- +- /* ODM combine 4:1 case */ +- if (opp_cnt == 4) +- flow_ctrl_cnt /= 2; +- +- return flow_ctrl_cnt; +-} +- + static void update_dsc_on_stream(struct pipe_ctx *pipe_ctx, bool enable) + { + struct display_stream_compressor *dsc = pipe_ctx->stream_res.dsc; +@@ -474,10 +451,6 @@ void dcn35_update_odm(struct dc *dc, str + struct pipe_ctx *odm_pipe; + int opp_cnt = 0; + int opp_inst[MAX_PIPES] = {0}; +- bool rate_control_2x_pclk = (pipe_ctx->stream->timing.flags.INTERLACE || optc2_is_two_pixels_per_containter(&pipe_ctx->stream->timing)); +- struct mpc_dwb_flow_control flow_control; +- struct mpc *mpc = dc->res_pool->mpc; +- int i; + + opp_cnt = get_odm_config(pipe_ctx, opp_inst); + +@@ -490,20 +463,6 @@ void dcn35_update_odm(struct dc *dc, str + pipe_ctx->stream_res.tg->funcs->set_odm_bypass( + pipe_ctx->stream_res.tg, &pipe_ctx->stream->timing); + +- rate_control_2x_pclk = rate_control_2x_pclk || opp_cnt > 1; +- flow_control.flow_ctrl_mode = 0; +- flow_control.flow_ctrl_cnt0 = 0x80; +- flow_control.flow_ctrl_cnt1 = calc_mpc_flow_ctrl_cnt(pipe_ctx->stream, opp_cnt); +- if (mpc->funcs->set_out_rate_control) { +- for (i = 0; 
i < opp_cnt; ++i) { +- mpc->funcs->set_out_rate_control( +- mpc, opp_inst[i], +- true, +- rate_control_2x_pclk, +- &flow_control); +- } +- } +- + for (odm_pipe = pipe_ctx->next_odm_pipe; odm_pipe; odm_pipe = odm_pipe->next_odm_pipe) { + odm_pipe->stream_res.opp->funcs->opp_pipe_clock_control( + odm_pipe->stream_res.opp, diff --git a/queue-6.8/drm-amd-display-set-dcn351-bb-and-ip-the-same-as-dcn35.patch b/queue-6.8/drm-amd-display-set-dcn351-bb-and-ip-the-same-as-dcn35.patch new file mode 100644 index 00000000000..eae5e5e25f3 --- /dev/null +++ b/queue-6.8/drm-amd-display-set-dcn351-bb-and-ip-the-same-as-dcn35.patch 
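Review bot: Both new init helpers in dcn30_mpc.c, mpc3_mpc_init() and mpc3_mpc_init_single_inst(), hang a comment plus a two-line `REG_UPDATE_2(...)` off an unbraced `if`, which is easy to misread once the body is extended. Bracing them, `if (REG(MUX[opp_id])) {` and `if (mpcc_id < MAX_OPP && REG(MUX[mpcc_id])) {`, costs nothing. Note also that mpc3_mpc_init_single_inst() programs nothing when `mpcc_id >= MAX_OPP`; the guard keeps the `MUX[]` index in range, but the comment only states the same-index assumption, so it may be worth saying there that larger ids are intentionally left untouched, if that is the intent.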
@@ -0,0 +1,46 @@
+From 0ccc2b30f4feadc0b1a282dbcc06e396382e5d74 Mon Sep 17 00:00:00 2001
+From: Xi Liu
+Date: Tue, 27 Feb 2024 13:39:00 -0500
+Subject: drm/amd/display: Set DCN351 BB and IP the same as DCN35
+
+From: Xi Liu
+
+commit 0ccc2b30f4feadc0b1a282dbcc06e396382e5d74 upstream.
+
+[WHY & HOW]
+DCN351 and DCN35 should use the same bounding box and IP settings.
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Cc: stable@vger.kernel.org
+Reviewed-by: Jun Lei
+Acked-by: Alex Hung
+Signed-off-by: Xi Liu
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c
+@@ -228,17 +228,13 @@ void dml2_init_socbb_params(struct dml2_
+ break;
+
+ case dml_project_dcn35:
++ case dml_project_dcn351:
+ out->num_chans = 4;
+ out->round_trip_ping_latency_dcfclk_cycles = 106;
+ out->smn_latency_us = 2;
+ out->dispclk_dppclk_vco_speed_mhz = 3600;
+ break;
+
+- case dml_project_dcn351:
+- out->num_chans = 16;
+- out->round_trip_ping_latency_dcfclk_cycles = 1100;
+- out->smn_latency_us = 2;
+- break;
+ }
+ /* ---Overrides if available--- */
+ if (dml2->config.bbox_overrides.dram_num_chan)
diff --git a/queue-6.8/drm-amdgpu-fix-deadlock-while-reading-mqd-from-debugfs.patch b/queue-6.8/drm-amdgpu-fix-deadlock-while-reading-mqd-from-debugfs.patch
new file mode 100644
index 00000000000..644e5aa562e
--- /dev/null
+++ b/queue-6.8/drm-amdgpu-fix-deadlock-while-reading-mqd-from-debugfs.patch
@@ -0,0 +1,207 @@ +From 8678b1060ae2b75feb60b87e5b75e17374e3c1c5 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Thu, 7 Mar 2024 17:07:37 -0500 +Subject: drm/amdgpu: fix deadlock while reading mqd from debugfs + +From: Johannes Weiner + +commit 8678b1060ae2b75feb60b87e5b75e17374e3c1c5 upstream. + +An errant disk backup on my desktop got into debugfs and triggered the +following deadlock scenario in the amdgpu debugfs files. The machine +also hard-resets immediately after those lines are printed (although I +wasn't able to reproduce that part when reading by hand): + +[ 1318.016074][ T1082] ====================================================== +[ 1318.016607][ T1082] WARNING: possible circular locking dependency detected +[ 1318.017107][ T1082] 6.8.0-rc7-00015-ge0c8221b72c0 #17 Not tainted +[ 1318.017598][ T1082] ------------------------------------------------------ +[ 1318.018096][ T1082] tar/1082 is trying to acquire lock: +[ 1318.018585][ T1082] ffff98c44175d6a0 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0x40/0x80 +[ 1318.019084][ T1082] +[ 1318.019084][ T1082] but task is already holding lock: +[ 1318.020052][ T1082] ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu] +[ 1318.020607][ T1082] +[ 1318.020607][ T1082] which lock already depends on the new lock. 
+[ 1318.020607][ T1082] +[ 1318.022081][ T1082] +[ 1318.022081][ T1082] the existing dependency chain (in reverse order) is: +[ 1318.023083][ T1082] +[ 1318.023083][ T1082] -> #2 (reservation_ww_class_mutex){+.+.}-{3:3}: +[ 1318.024114][ T1082] __ww_mutex_lock.constprop.0+0xe0/0x12f0 +[ 1318.024639][ T1082] ww_mutex_lock+0x32/0x90 +[ 1318.025161][ T1082] dma_resv_lockdep+0x18a/0x330 +[ 1318.025683][ T1082] do_one_initcall+0x6a/0x350 +[ 1318.026210][ T1082] kernel_init_freeable+0x1a3/0x310 +[ 1318.026728][ T1082] kernel_init+0x15/0x1a0 +[ 1318.027242][ T1082] ret_from_fork+0x2c/0x40 +[ 1318.027759][ T1082] ret_from_fork_asm+0x11/0x20 +[ 1318.028281][ T1082] +[ 1318.028281][ T1082] -> #1 (reservation_ww_class_acquire){+.+.}-{0:0}: +[ 1318.029297][ T1082] dma_resv_lockdep+0x16c/0x330 +[ 1318.029790][ T1082] do_one_initcall+0x6a/0x350 +[ 1318.030263][ T1082] kernel_init_freeable+0x1a3/0x310 +[ 1318.030722][ T1082] kernel_init+0x15/0x1a0 +[ 1318.031168][ T1082] ret_from_fork+0x2c/0x40 +[ 1318.031598][ T1082] ret_from_fork_asm+0x11/0x20 +[ 1318.032011][ T1082] +[ 1318.032011][ T1082] -> #0 (&mm->mmap_lock){++++}-{3:3}: +[ 1318.032778][ T1082] __lock_acquire+0x14bf/0x2680 +[ 1318.033141][ T1082] lock_acquire+0xcd/0x2c0 +[ 1318.033487][ T1082] __might_fault+0x58/0x80 +[ 1318.033814][ T1082] amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu] +[ 1318.034181][ T1082] full_proxy_read+0x55/0x80 +[ 1318.034487][ T1082] vfs_read+0xa7/0x360 +[ 1318.034788][ T1082] ksys_read+0x70/0xf0 +[ 1318.035085][ T1082] do_syscall_64+0x94/0x180 +[ 1318.035375][ T1082] entry_SYSCALL_64_after_hwframe+0x46/0x4e +[ 1318.035664][ T1082] +[ 1318.035664][ T1082] other info that might help us debug this: +[ 1318.035664][ T1082] +[ 1318.036487][ T1082] Chain exists of: +[ 1318.036487][ T1082] &mm->mmap_lock --> reservation_ww_class_acquire --> reservation_ww_class_mutex +[ 1318.036487][ T1082] +[ 1318.037310][ T1082] Possible unsafe locking scenario: +[ 1318.037310][ T1082] +[ 1318.037838][ T1082] CPU0 CPU1 
+[ 1318.038101][ T1082] ---- ---- +[ 1318.038350][ T1082] lock(reservation_ww_class_mutex); +[ 1318.038590][ T1082] lock(reservation_ww_class_acquire); +[ 1318.038839][ T1082] lock(reservation_ww_class_mutex); +[ 1318.039083][ T1082] rlock(&mm->mmap_lock); +[ 1318.039328][ T1082] +[ 1318.039328][ T1082] *** DEADLOCK *** +[ 1318.039328][ T1082] +[ 1318.040029][ T1082] 1 lock held by tar/1082: +[ 1318.040259][ T1082] #0: ffff98c4c13f55f8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: amdgpu_debugfs_mqd_read+0x6a/0x250 [amdgpu] +[ 1318.040560][ T1082] +[ 1318.040560][ T1082] stack backtrace: +[ 1318.041053][ T1082] CPU: 22 PID: 1082 Comm: tar Not tainted 6.8.0-rc7-00015-ge0c8221b72c0 #17 3316c85d50e282c5643b075d1f01a4f6365e39c2 +[ 1318.041329][ T1082] Hardware name: Gigabyte Technology Co., Ltd. B650 AORUS PRO AX/B650 AORUS PRO AX, BIOS F20 12/14/2023 +[ 1318.041614][ T1082] Call Trace: +[ 1318.041895][ T1082] +[ 1318.042175][ T1082] dump_stack_lvl+0x4a/0x80 +[ 1318.042460][ T1082] check_noncircular+0x145/0x160 +[ 1318.042743][ T1082] __lock_acquire+0x14bf/0x2680 +[ 1318.043022][ T1082] lock_acquire+0xcd/0x2c0 +[ 1318.043301][ T1082] ? __might_fault+0x40/0x80 +[ 1318.043580][ T1082] ? __might_fault+0x40/0x80 +[ 1318.043856][ T1082] __might_fault+0x58/0x80 +[ 1318.044131][ T1082] ? __might_fault+0x40/0x80 +[ 1318.044408][ T1082] amdgpu_debugfs_mqd_read+0x103/0x250 [amdgpu 8fe2afaa910cbd7654c8cab23563a94d6caebaab] +[ 1318.044749][ T1082] full_proxy_read+0x55/0x80 +[ 1318.045042][ T1082] vfs_read+0xa7/0x360 +[ 1318.045333][ T1082] ksys_read+0x70/0xf0 +[ 1318.045623][ T1082] do_syscall_64+0x94/0x180 +[ 1318.045913][ T1082] ? do_syscall_64+0xa0/0x180 +[ 1318.046201][ T1082] ? lockdep_hardirqs_on+0x7d/0x100 +[ 1318.046487][ T1082] ? do_syscall_64+0xa0/0x180 +[ 1318.046773][ T1082] ? do_syscall_64+0xa0/0x180 +[ 1318.047057][ T1082] ? do_syscall_64+0xa0/0x180 +[ 1318.047337][ T1082] ? 
do_syscall_64+0xa0/0x180 +[ 1318.047611][ T1082] entry_SYSCALL_64_after_hwframe+0x46/0x4e +[ 1318.047887][ T1082] RIP: 0033:0x7f480b70a39d +[ 1318.048162][ T1082] Code: 91 ba 0d 00 f7 d8 64 89 02 b8 ff ff ff ff eb b2 e8 18 a3 01 00 0f 1f 84 00 00 00 00 00 80 3d a9 3c 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 53 48 83 +[ 1318.048769][ T1082] RSP: 002b:00007ffde77f5c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 1318.049083][ T1082] RAX: ffffffffffffffda RBX: 0000000000000800 RCX: 00007f480b70a39d +[ 1318.049392][ T1082] RDX: 0000000000000800 RSI: 000055c9f2120c00 RDI: 0000000000000008 +[ 1318.049703][ T1082] RBP: 0000000000000800 R08: 000055c9f2120a94 R09: 0000000000000007 +[ 1318.050011][ T1082] R10: 0000000000000000 R11: 0000000000000246 R12: 000055c9f2120c00 +[ 1318.050324][ T1082] R13: 0000000000000008 R14: 0000000000000008 R15: 0000000000000800 +[ 1318.050638][ T1082] + +amdgpu_debugfs_mqd_read() holds a reservation when it calls +put_user(), which may fault and acquire the mmap_sem. This violates +the established locking order. + +Bounce the mqd data through a kernel buffer to get put_user() out of +the illegal section. 
+ +Fixes: 445d85e3c1df ("drm/amdgpu: add debugfs interface for reading MQDs") +Cc: stable@vger.kernel.org # v6.5+ +Reviewed-by: Shashank Sharma +Signed-off-by: Johannes Weiner +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 46 +++++++++++++++++++------------ + 1 file changed, 29 insertions(+), 17 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +@@ -524,46 +524,58 @@ static ssize_t amdgpu_debugfs_mqd_read(s + { + struct amdgpu_ring *ring = file_inode(f)->i_private; + volatile u32 *mqd; +- int r; ++ u32 *kbuf; ++ int r, i; + uint32_t value, result; + + if (*pos & 3 || size & 3) + return -EINVAL; + +- result = 0; ++ kbuf = kmalloc(ring->mqd_size, GFP_KERNEL); ++ if (!kbuf) ++ return -ENOMEM; + + r = amdgpu_bo_reserve(ring->mqd_obj, false); + if (unlikely(r != 0)) +- return r; ++ goto err_free; + + r = amdgpu_bo_kmap(ring->mqd_obj, (void **)&mqd); +- if (r) { +- amdgpu_bo_unreserve(ring->mqd_obj); +- return r; +- } ++ if (r) ++ goto err_unreserve; ++ ++ /* ++ * Copy to local buffer to avoid put_user(), which might fault ++ * and acquire mmap_sem, under reservation_ww_class_mutex. ++ */ ++ for (i = 0; i < ring->mqd_size/sizeof(u32); i++) ++ kbuf[i] = mqd[i]; ++ ++ amdgpu_bo_kunmap(ring->mqd_obj); ++ amdgpu_bo_unreserve(ring->mqd_obj); + ++ result = 0; + while (size) { + if (*pos >= ring->mqd_size) +- goto done; ++ break; + +- value = mqd[*pos/4]; ++ value = kbuf[*pos/4]; + r = put_user(value, (uint32_t *)buf); + if (r) +- goto done; ++ goto err_free; + buf += 4; + result += 4; + size -= 4; + *pos += 4; + } + +-done: +- amdgpu_bo_kunmap(ring->mqd_obj); +- mqd = NULL; +- amdgpu_bo_unreserve(ring->mqd_obj); +- if (r) +- return r; +- ++ kfree(kbuf); + return result; ++ ++err_unreserve: ++ amdgpu_bo_unreserve(ring->mqd_obj); ++err_free: ++ kfree(kbuf); ++ return r; + } + + static const struct file_operations amdgpu_debugfs_mqd_fops = { 
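Review bot: The bounce buffer in amdgpu_debugfs_mqd_read() comes from `kmalloc(ring->mqd_size, GFP_KERNEL)`, and the fill loop copies only `ring->mqd_size/sizeof(u32)` whole words. The read loop, however, accepts any `*pos < ring->mqd_size` and passes `kbuf[*pos/4]` to put_user(). If mqd_size were ever not a multiple of four, the last word handed to user space would contain bytes the loop never wrote; whether mqd_size is always word-aligned is not visible in this hunk. Using `kbuf = kzalloc(ring->mqd_size, GFP_KERNEL);` would rule out copying stale heap contents to user space at negligible cost on a debugfs path. Separately, `int i` is compared against an unsigned quotient in the copy loop, so `unsigned int i` would be the cleaner declaration. The function's signature and opening lie outside the hunk.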
diff --git a/queue-6.8/drm-amdkfd-fix-tlb-flush-after-unmap-for-gfx9.4.2.patch b/queue-6.8/drm-amdkfd-fix-tlb-flush-after-unmap-for-gfx9.4.2.patch
new file mode 100644
index 00000000000..62abd3becce
--- /dev/null
+++ b/queue-6.8/drm-amdkfd-fix-tlb-flush-after-unmap-for-gfx9.4.2.patch
@@ -0,0 +1,32 @@
+From 1210e2f1033dc56b666c9f6dfb761a2d3f9f5d6c Mon Sep 17 00:00:00 2001
+From: Eric Huang
+Date: Wed, 20 Mar 2024 15:53:47 -0400
+Subject: drm/amdkfd: fix TLB flush after unmap for GFX9.4.2
+
+From: Eric Huang
+
+commit 1210e2f1033dc56b666c9f6dfb761a2d3f9f5d6c upstream.
+
+TLB flush after unmap accidentially was removed on
+gfx9.4.2. It is to add it back.
+
+Signed-off-by: Eric Huang
+Reviewed-by: Harish Kasiviswanathan
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -1473,7 +1473,7 @@ static inline void kfd_flush_tlb(struct
+
+ static inline bool kfd_flush_tlb_after_unmap(struct kfd_dev *dev)
+ {
+- return KFD_GC_VERSION(dev) > IP_VERSION(9, 4, 2) ||
++ return KFD_GC_VERSION(dev) >= IP_VERSION(9, 4, 2) ||
+ (KFD_GC_VERSION(dev) == IP_VERSION(9, 4, 1) && dev->sdma_fw_version >= 18) ||
+ KFD_GC_VERSION(dev) == IP_VERSION(9, 4, 0);
+ }
diff --git a/queue-6.8/drm-dp-fix-divide-by-zero-regression-on-dp-mst-unplug-with-nouveau.patch b/queue-6.8/drm-dp-fix-divide-by-zero-regression-on-dp-mst-unplug-with-nouveau.patch
new file mode 100644
index 00000000000..f1b3a8b9930
--- /dev/null
+++ b/queue-6.8/drm-dp-fix-divide-by-zero-regression-on-dp-mst-unplug-with-nouveau.patch
@@ -0,0 +1,107 @@ +From 9cbd1dae842737bfafa4b10a87909fa209dde250 Mon Sep 17 00:00:00 2001 +From: Chris Bainbridge +Date: Sat, 16 Mar 2024 12:05:59 +0000 +Subject: drm/dp: Fix divide-by-zero regression on DP MST unplug with nouveau + +From: Chris Bainbridge + +commit 9cbd1dae842737bfafa4b10a87909fa209dde250 upstream. + +Fix a regression when using nouveau and unplugging a StarTech MSTDP122DP +DisplayPort 1.2 MST hub (the same regression does not appear when using +a Cable Matters DisplayPort 1.4 MST hub). Trace: + + divide error: 0000 [#1] PREEMPT SMP PTI + CPU: 7 PID: 2962 Comm: Xorg Not tainted 6.8.0-rc3+ #744 + Hardware name: Razer Blade/DANA_MB, BIOS 01.01 08/31/2018 + RIP: 0010:drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper] + Code: c6 b8 01 00 00 00 75 61 01 c6 41 0f af f3 41 0f af f1 c1 e1 04 48 63 c7 31 d2 89 ff 48 8b 5d f8 c9 48 0f af f1 48 8d 44 06 ff <48> f7 f7 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 45 31 + RSP: 0018:ffffb2c5c211fa30 EFLAGS: 00010206 + RAX: ffffffffffffffff RBX: 0000000000000000 RCX: 0000000000f59b00 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffb2c5c211fa48 R08: 0000000000000001 R09: 0000000000000020 + R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000023b4a + R13: ffff91d37d165800 R14: ffff91d36fac6d80 R15: ffff91d34a764010 + FS: 00007f4a1ca3fa80(0000) GS:ffff91d6edbc0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000559491d49000 CR3: 000000011d180002 CR4: 00000000003706f0 + Call Trace: + + ? show_regs+0x6d/0x80 + ? die+0x37/0xa0 + ? do_trap+0xd4/0xf0 + ? do_error_trap+0x71/0xb0 + ? drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper] + ? exc_divide_error+0x3a/0x70 + ? drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper] + ? asm_exc_divide_error+0x1b/0x20 + ? drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper] + ? 
drm_dp_calc_pbn_mode+0x2e/0x70 [drm_display_helper] + nv50_msto_atomic_check+0xda/0x120 [nouveau] + drm_atomic_helper_check_modeset+0xa87/0xdf0 [drm_kms_helper] + drm_atomic_helper_check+0x19/0xa0 [drm_kms_helper] + nv50_disp_atomic_check+0x13f/0x2f0 [nouveau] + drm_atomic_check_only+0x668/0xb20 [drm] + ? drm_connector_list_iter_next+0x86/0xc0 [drm] + drm_atomic_commit+0x58/0xd0 [drm] + ? __pfx___drm_printfn_info+0x10/0x10 [drm] + drm_atomic_connector_commit_dpms+0xd7/0x100 [drm] + drm_mode_obj_set_property_ioctl+0x1c5/0x450 [drm] + ? __pfx_drm_connector_property_set_ioctl+0x10/0x10 [drm] + drm_connector_property_set_ioctl+0x3b/0x60 [drm] + drm_ioctl_kernel+0xb9/0x120 [drm] + drm_ioctl+0x2d0/0x550 [drm] + ? __pfx_drm_connector_property_set_ioctl+0x10/0x10 [drm] + nouveau_drm_ioctl+0x61/0xc0 [nouveau] + __x64_sys_ioctl+0xa0/0xf0 + do_syscall_64+0x76/0x140 + ? do_syscall_64+0x85/0x140 + ? do_syscall_64+0x85/0x140 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + RIP: 0033:0x7f4a1cd1a94f + Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 + RSP: 002b:00007ffd2f1df520 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 00007ffd2f1df5b0 RCX: 00007f4a1cd1a94f + RDX: 00007ffd2f1df5b0 RSI: 00000000c01064ab RDI: 000000000000000f + RBP: 00000000c01064ab R08: 000056347932deb8 R09: 000056347a7d99c0 + R10: 0000000000000000 R11: 0000000000000246 R12: 000056347938a220 + R13: 000000000000000f R14: 0000563479d9f3f0 R15: 0000000000000000 + + Modules linked in: rfcomm xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat nf_tables nfnetlink br_netfilter bridge stp llc ccm cmac algif_hash overlay algif_skcipher af_alg bnep binfmt_misc snd_sof_pci_intel_cnl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_pci 
snd_sof_xtensa_dsp snd_sof_intel_hda snd_sof snd_sof_utils snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress snd_sof_intel_hda_mlink snd_hda_ext_core iwlmvm intel_rapl_msr intel_rapl_common intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp mac80211 coretemp kvm_intel snd_hda_codec_hdmi kvm snd_hda_codec_realtek snd_hda_codec_generic uvcvideo libarc4 snd_hda_intel snd_intel_dspcfg snd_hda_codec iwlwifi videobuf2_vmalloc videobuf2_memops uvc irqbypass btusb videobuf2_v4l2 snd_seq_midi crct10dif_pclmul hid_multitouch crc32_pclmul snd_seq_midi_event btrtl snd_hwdep videodev polyval_clmulni polyval_generic snd_rawmidi + ghash_clmulni_intel aesni_intel btintel crypto_simd snd_hda_core cryptd snd_seq btbcm ee1004 8250_dw videobuf2_common btmtk rapl nls_iso8859_1 mei_hdcp thunderbolt bluetooth intel_cstate wmi_bmof intel_wmi_thunderbolt cfg80211 snd_pcm mc snd_seq_device i2c_i801 r8169 ecdh_generic snd_timer i2c_smbus ecc snd mei_me intel_lpss_pci mei ahci intel_lpss soundcore realtek libahci idma64 intel_pch_thermal i2c_hid_acpi i2c_hid acpi_pad sch_fq_codel msr parport_pc ppdev lp parport efi_pstore ip_tables x_tables autofs4 dm_crypt raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 joydev input_leds hid_generic usbhid hid nouveau i915 drm_ttm_helper gpu_sched drm_gpuvm drm_exec i2c_algo_bit drm_buddy ttm drm_display_helper drm_kms_helper cec rc_core drm nvme nvme_core mxm_wmi xhci_pci xhci_pci_renesas video wmi pinctrl_cannonlake mac_hid + ---[ end trace 0000000000000000 ]--- + +Fix this by avoiding the divide if bpp is 0. 
+ +Fixes: c1d6a22b7219 ("drm/dp: Add helpers to calculate the link BW overhead") +Cc: stable@vger.kernel.org +Acked-by: Imre Deak +Signed-off-by: Chris Bainbridge +Signed-off-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/ZfWLJwYikw2K7B6c@debian.local +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/display/drm_dp_helper.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c +index b1ca3a1100da..26c188ce5f1c 100644 +--- a/drivers/gpu/drm/display/drm_dp_helper.c ++++ b/drivers/gpu/drm/display/drm_dp_helper.c +@@ -3982,6 +3982,13 @@ int drm_dp_bw_overhead(int lane_count, int hactive, + u32 overhead = 1000000; + int symbol_cycles; + ++ if (lane_count == 0 || hactive == 0 || bpp_x16 == 0) { ++ DRM_DEBUG_KMS("Invalid BW overhead params: lane_count %d, hactive %d, bpp_x16 %d.%04d\n", ++ lane_count, hactive, ++ bpp_x16 >> 4, (bpp_x16 & 0xf) * 625); ++ return 0; ++ } ++ + /* + * DP Standard v2.1 2.6.4.1 + * SSC downspread and ref clock variation margin: +-- +2.44.0 + diff --git a/queue-6.8/drm-vmwgfx-create-debugfs-ttm_resource_manager-entry-only-if-needed.patch b/queue-6.8/drm-vmwgfx-create-debugfs-ttm_resource_manager-entry-only-if-needed.patch new file mode 100644 index 00000000000..c774ebeba11 --- /dev/null +++ b/queue-6.8/drm-vmwgfx-create-debugfs-ttm_resource_manager-entry-only-if-needed.patch 
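Review bot: The new guard in drm_dp_bw_overhead() tests `lane_count == 0 || hactive == 0 || bpp_x16 == 0`, but the visible parameters are signed `int` and all three are printed with `%d`, so a negative value would still reach the arithmetic below. Writing it as `if (lane_count <= 0 || hactive <= 0 || bpp_x16 <= 0)` would reject both cases. The early `return 0` is also lower than the `overhead = 1000000` baseline the function starts from, so the kernel-doc should say that 0 means invalid parameters rather than a usable overhead. How callers such as drm_dp_calc_pbn_mode(), seen in the trace, treat a zero result is outside this hunk, and the function body continues past it.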
@@ -0,0 +1,78 @@ +From 4be9075fec0a639384ed19975634b662bfab938f Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 12 Mar 2024 10:35:12 +0100 +Subject: drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed + +From: Jocelyn Falempe + +commit 4be9075fec0a639384ed19975634b662bfab938f upstream. + +The driver creates /sys/kernel/debug/dri/0/mob_ttm even when the +corresponding ttm_resource_manager is not allocated. +This leads to a crash when trying to read from this file. + +Add a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file +only when the corresponding ttm_resource_manager is allocated. + +crash> bt +PID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: "grep" + #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3 + #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a + #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1 + #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1 + #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913 + #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c + #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887 + #7 [ffffb954506b3d40] page_fault at ffffffffb360116e + [exception RIP: ttm_resource_manager_debug+0x11] + RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246 + RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940 + RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000 + RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000 + R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff + R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm] + #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3 + RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246 + RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985 + RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003 + 
RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30 + R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000 + R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003 + ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b + +Signed-off-by: Jocelyn Falempe +Fixes: af4a25bbe5e7 ("drm/vmwgfx: Add debugfs entries for various ttm resource managers") +Cc: +Reviewed-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20240312093551.196609-1-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -1444,12 +1444,15 @@ static void vmw_debugfs_resource_manager + root, "system_ttm"); + ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, TTM_PL_VRAM), + root, "vram_ttm"); +- ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_GMR), +- root, "gmr_ttm"); +- ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_MOB), +- root, "mob_ttm"); +- ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_SYSTEM), +- root, "system_mob_ttm"); ++ if (vmw->has_gmr) ++ ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_GMR), ++ root, "gmr_ttm"); ++ if (vmw->has_mob) { ++ ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_MOB), ++ root, "mob_ttm"); ++ ttm_resource_manager_create_debugfs(ttm_manager_type(&vmw->bdev, VMW_PL_SYSTEM), ++ root, "system_mob_ttm"); ++ } + } + + static int vmwgfx_pm_notifier(struct notifier_block *nb, unsigned long val, diff --git a/queue-6.8/drm-xe-query-fix-gt_id-bounds-check.patch b/queue-6.8/drm-xe-query-fix-gt_id-bounds-check.patch new file mode 100644 index 00000000000..d435c86ed6d --- /dev/null +++ b/queue-6.8/drm-xe-query-fix-gt_id-bounds-check.patch 
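Review bot: The `gmr_ttm`, `mob_ttm` and `system_mob_ttm` entries are now gated on `vmw->has_gmr` and `vmw->has_mob`, which reflects only indirectly whether the manager exists, while the crash in the commit message came from a NULL manager reaching ttm_resource_manager_debug(). Testing the pointer itself keeps the guard correct if the flags and the allocation ever diverge, e.g. `man = ttm_manager_type(&vmw->bdev, VMW_PL_MOB);` followed by `if (man) ttm_resource_manager_create_debugfs(man, root, "mob_ttm");`. The `system_ttm` and `vram_ttm` calls above remain unconditional; whether those managers are always allocated is not visible here. The function begins outside the hunk.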
@@ -0,0 +1,42 @@
+From 45c30b2923e5c53e0ef057a8a525b0456adde18e Mon Sep 17 00:00:00 2001
+From: Matthew Auld
+Date: Thu, 21 Mar 2024 11:06:30 +0000
+Subject: drm/xe/query: fix gt_id bounds check
+
+From: Matthew Auld
+
+commit 45c30b2923e5c53e0ef057a8a525b0456adde18e upstream.
+
+The user provided gt_id should always be less than the
+XE_MAX_GT_PER_TILE.
+
+Fixes: 7793d00d1bf5 ("drm/xe: Correlate engine and cpu timestamps with better accuracy")
+Signed-off-by: Matthew Auld
+Cc: Nirmoy Das
+Cc: # v6.8+
+Reviewed-by: Nirmoy Das
+Acked-by: Himal Prasad Ghimiray
+Link: https://patchwork.freedesktop.org/patch/msgid/20240321110629.334701-2-matthew.auld@intel.com
+(cherry picked from commit 4b275f502a0d3668195762fb55fa00e659ad1b0b)
+Signed-off-by: Lucas De Marchi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/xe/xe_query.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c
+index 92bb06c0586e..075f9eaef031 100644
+--- a/drivers/gpu/drm/xe/xe_query.c
++++ b/drivers/gpu/drm/xe/xe_query.c
+@@ -132,7 +132,7 @@ query_engine_cycles(struct xe_device *xe,
+ return -EINVAL;
+
+ eci = &resp.eci;
+- if (eci->gt_id > XE_MAX_GT_PER_TILE)
++ if (eci->gt_id >= XE_MAX_GT_PER_TILE)
+ return -EINVAL;
+
+ gt = xe_device_get_gt(xe, eci->gt_id);
+-- 
+2.44.0
+
diff --git a/queue-6.8/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch b/queue-6.8/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
new file mode 100644
index 00000000000..092240fcd32
--- /dev/null
+++ b/queue-6.8/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
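Review bot: The corrected check `eci->gt_id >= XE_MAX_GT_PER_TILE` bounds the user-supplied id by a compile-time maximum, not by the number of GTs the device actually exposes, so an in-range id can presumably still name a GT that is not present. The hunk ends at `gt = xe_device_get_gt(xe, eci->gt_id);`, so whether the result is validated is not visible; if it is not, `if (!gt) return -EINVAL;` directly after the lookup would cover that case. A one-line comment on the check, such as `/* gt_id is supplied by userspace; reject anything outside [0, XE_MAX_GT_PER_TILE) */`, would make the boundary harder to get wrong again. query_engine_cycles() starts and ends outside the hunk.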
@@ -0,0 +1,42 @@
+From 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Wed, 20 Mar 2024 11:26:07 -0700
+Subject: exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
+
+From: Max Filippov
+
+commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream.
+
+In NOMMU kernel the value of linux_binprm::p is the offset inside the
+temporary program arguments array maintained in separate pages in the
+linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p
+thus must be adjusted when that array is copied to the user stack.
+Without that adjustment the value passed by the NOMMU kernel to the ELF
+program in the AT_EXECFN entry of the aux array doesn't make any sense
+and it may break programs that try to access memory pointed to by that
+entry.
+
+Adjust linux_binprm::exec before the successful return from the
+transfer_args_to_stack().
+
+Cc:
+Fixes: b6a2fea39318 ("mm: variable length argument support")
+Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE")
+Signed-off-by: Max Filippov
+Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -895,6 +895,7 @@ int transfer_args_to_stack(struct linux_
+ goto out;
+ }
+
++ bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;
+ *sp_location = sp;
+
+ out:
diff --git a/queue-6.8/fbdev-select-i-o-memory-framebuffer-ops-for-sbus.patch b/queue-6.8/fbdev-select-i-o-memory-framebuffer-ops-for-sbus.patch
new file mode 100644
index 00000000000..27e83053f3e
--- /dev/null
+++ b/queue-6.8/fbdev-select-i-o-memory-framebuffer-ops-for-sbus.patch
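Review bot: The added `bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;` is only correct because it runs before `*sp_location = sp;` on the following line, and nothing in the code records that dependency. A comment above it would protect the ordering, for example `/* bprm->exec is still an offset into the argument pages; rebase it with the original *sp_location before that is overwritten below */`. According to the commit message the value ends up in AT_EXECFN, so a reordering here would hand user space a meaningless pointer without any build-time signal. transfer_args_to_stack() starts and ends outside the hunk.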
@@ -0,0 +1,60 @@
+From a8eb93b42d7e068306ca07f51055cbcde893fea3 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann
+Date: Fri, 22 Mar 2024 09:29:46 +0100
+Subject: fbdev: Select I/O-memory framebuffer ops for SBus
+
+From: Thomas Zimmermann
+
+commit a8eb93b42d7e068306ca07f51055cbcde893fea3 upstream.
+
+Framebuffer I/O on the Sparc Sbus requires read/write helpers for
+I/O memory. Select FB_IOMEM_FOPS accordingly.
+
+Reported-by: Nick Bowler
+Closes: https://lore.kernel.org/lkml/5bc21364-41da-a339-676e-5bb0f4faebfb@draconx.ca/
+Signed-off-by: Thomas Zimmermann
+Fixes: 8813e86f6d82 ("fbdev: Remove default file-I/O implementations")
+Cc: Thomas Zimmermann
+Cc: Javier Martinez Canillas
+Cc: Daniel Vetter
+Cc: Helge Deller
+Cc: Sam Ravnborg
+Cc: Arnd Bergmann
+Cc: Geert Uytterhoeven
+Cc: linux-fbdev@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: # v6.8+
+Reviewed-by: Javier Martinez Canillas
+Reviewed-by: Sam Ravnborg
+Link: https://patchwork.freedesktop.org/patch/msgid/20240322083005.24269-1-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/Kconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/Kconfig
++++ b/drivers/video/fbdev/Kconfig
+@@ -501,6 +501,7 @@ config FB_SBUS_HELPERS
+ select FB_CFB_COPYAREA
+ select FB_CFB_FILLRECT
+ select FB_CFB_IMAGEBLIT
++ select FB_IOMEM_FOPS
+
+ config FB_BW2
+ bool "BWtwo support"
+@@ -521,6 +522,7 @@ config FB_CG6
+ depends on (FB = y) && (SPARC && FB_SBUS)
+ select FB_CFB_COPYAREA
+ select FB_CFB_IMAGEBLIT
++ select FB_IOMEM_FOPS
+ help
+ This is the frame buffer device driver for the CGsix (GX, TurboGX)
+ frame buffer.
+@@ -530,6 +532,7 @@ config FB_FFB
+ depends on FB_SBUS && SPARC64
+ select FB_CFB_COPYAREA
+ select FB_CFB_IMAGEBLIT
++ select FB_IOMEM_FOPS
+ help
+ This is the frame buffer device driver for the Creator, Creator3D,
+ and Elite3D graphics boards.
diff --git a/queue-6.8/gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch b/queue-6.8/gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch new file mode 100644 index 00000000000..402d8c5a501 --- /dev/null +++ b/queue-6.8/gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch @@ -0,0 +1,126 @@ +From b34490879baa847d16fc529c8ea6e6d34f004b38 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Mon, 25 Mar 2024 10:02:42 +0100 +Subject: gpio: cdev: sanitize the label before requesting the interrupt + +From: Bartosz Golaszewski + +commit b34490879baa847d16fc529c8ea6e6d34f004b38 upstream. + +When an interrupt is requested, a procfs directory is created under +"/proc/irq//